df/d3c/validation-policy-config_8cpp_source.html

 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */

 /*

  * Copyright (c) 2013-2021 Regents of the University of California.

  *

  * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).

  *

  * ndn-cxx library is free software: you can redistribute it and/or modify it under the

  * terms of the GNU Lesser General Public License as published by the Free Software

  * Foundation, either version 3 of the License, or (at your option) any later version.

  *

  * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY

  * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A

  * PARTICULAR PURPOSE.  See the GNU Lesser General Public License for more details.

  *

  * You should have received copies of the GNU General Public License and GNU Lesser

  * General Public License along with ndn-cxx, e.g., in COPYING.md file.  If not, see

  * <http://www.gnu.org/licenses/>.

  *

  * See AUTHORS.md for complete list of ndn-cxx authors and contributors.

  */


 #include "ndn-cxx/security/validation-policy-config.hpp"

 #include "ndn-cxx/security/validator.hpp"

 #include "ndn-cxx/util/io.hpp"


 #include <boost/algorithm/string/predicate.hpp>

 #include <boost/filesystem/operations.hpp>

 #include <boost/filesystem/path.hpp>

 #include <boost/lexical_cast.hpp>

 #include <boost/property_tree/info_parser.hpp>


 #include <fstream>


 namespace ndn {

 namespace security {

 inline namespace v2 {

 namespace validator_config {


 void

 ValidationPolicyConfig::load(const std::string& filename)

 {

   std::ifstream inputFile(filename);

   if (!inputFile) {

     NDN_THROW(Error("Failed to read configuration file: " + filename));

   }

   load(inputFile, filename);

 }


 void

 ValidationPolicyConfig::load(const std::string& input, const std::string& filename)

 {

   std::istringstream inputStream(input);

   load(inputStream, filename);

 }


 void

 ValidationPolicyConfig::load(std::istream& input, const std::string& filename)

 {

   ConfigSection tree;

   try {

     boost::property_tree::read_info(input, tree);

   }

   catch (const boost::property_tree::info_parser_error& e) {

     NDN_THROW(Error("Failed to parse configuration file " + filename +

                     " line " + to_string(e.line()) + ": " + e.message()));

   }

   load(tree, filename);

 }


 void

 ValidationPolicyConfig::load(const ConfigSection& configSection, const std::string& filename)

 {

   BOOST_ASSERT(!filename.empty());


   if (m_validator == nullptr) {

     NDN_THROW(Error("Validator instance not assigned on the policy"));

   }

   if (m_isConfigured) {

     m_shouldBypass = false;

     m_dataRules.clear();

     m_interestRules.clear();

     m_validator->resetAnchors();

     m_validator->resetVerifiedCertificates();

   }

   m_isConfigured = true;


   for (const auto& subSection : configSection) {

     const std::string& sectionName = subSection.first;

     const ConfigSection& section = subSection.second;


     if (boost::iequals(sectionName, "rule")) {

       auto rule = Rule::create(section, filename);

       if (rule->getPktType() == tlv::Data) {

         m_dataRules.push_back(std::move(rule));

       }

       else if (rule->getPktType() == tlv::Interest) {

         m_interestRules.push_back(std::move(rule));

       }

     }

     else if (boost::iequals(sectionName, "trust-anchor")) {

       processConfigTrustAnchor(section, filename);

     }

     else {

       NDN_THROW(Error("Error processing configuration file " + filename +

                       ": unrecognized section " + sectionName));

     }

   }

 }


 void

 ValidationPolicyConfig::processConfigTrustAnchor(const ConfigSection& configSection,

                                                  const std::string& filename)

 {

   using namespace boost::filesystem;


   auto propertyIt = configSection.begin();


   // Get trust-anchor.type

   if (propertyIt == configSection.end() || !boost::iequals(propertyIt->first, "type")) {

     NDN_THROW(Error("Expecting <trust-anchor.type>"));

   }


   std::string type = propertyIt->second.data();

   propertyIt++;


   if (boost::iequals(type, "file")) {

     // Get trust-anchor.file

     if (propertyIt == configSection.end() || !boost::iequals(propertyIt->first, "file-name")) {

       NDN_THROW(Error("Expecting <trust-anchor.file-name>"));

     }


     std::string file = propertyIt->second.data();

     propertyIt++;


     time::nanoseconds refresh = getRefreshPeriod(propertyIt, configSection.end());

     if (propertyIt != configSection.end())

       NDN_THROW(Error("Expecting end of <trust-anchor>"));


     m_validator->loadAnchor(file, absolute(file, path(filename).parent_path()).string(),

                             refresh, false);

   }

   else if (boost::iequals(type, "base64")) {

     // Get trust-anchor.base64-string

     if (propertyIt == configSection.end() || !boost::iequals(propertyIt->first, "base64-string"))

       NDN_THROW(Error("Expecting <trust-anchor.base64-string>"));


     std::stringstream ss(propertyIt->second.data());

     propertyIt++;


     if (propertyIt != configSection.end())

       NDN_THROW(Error("Expecting end of <trust-anchor>"));


     auto idCert = io::load<Certificate>(ss);

     if (idCert != nullptr) {

       m_validator->loadAnchor("", std::move(*idCert));

     }

     else {

       NDN_THROW(Error("Cannot decode certificate from base64-string"));

     }

   }

   else if (boost::iequals(type, "dir")) {

     if (propertyIt == configSection.end() || !boost::iequals(propertyIt->first, "dir"))

       NDN_THROW(Error("Expecting <trust-anchor.dir>"));


     std::string dirString(propertyIt->second.data());

     propertyIt++;


     time::nanoseconds refresh = getRefreshPeriod(propertyIt, configSection.end());

     if (propertyIt != configSection.end())

       NDN_THROW(Error("Expecting end of <trust-anchor>"));


     path dirPath = absolute(dirString, path(filename).parent_path());

     m_validator->loadAnchor(dirString, dirPath.string(), refresh, true);

   }

   else if (boost::iequals(type, "any")) {

     m_shouldBypass = true;

   }

   else {

     NDN_THROW(Error("Unrecognized <trust-anchor.type>: " + type));

   }

 }


 time::nanoseconds

 ValidationPolicyConfig::getRefreshPeriod(ConfigSection::const_iterator& it,

                                          const ConfigSection::const_iterator& end)

 {

   auto refresh = time::nanoseconds::max();

   if (it == end) {

     return refresh;

   }


   if (!boost::iequals(it->first, "refresh")) {

     NDN_THROW(Error("Expecting <trust-anchor.refresh>"));

   }


   std::string inputString = it->second.data();

   ++it;

   char unit = inputString[inputString.size() - 1];

   std::string refreshString = inputString.substr(0, inputString.size() - 1);


   int32_t refreshPeriod = -1;

   try {

     refreshPeriod = boost::lexical_cast<int32_t>(refreshString);

   }

   catch (const boost::bad_lexical_cast&) {

     // pass

   }

   if (refreshPeriod < 0) {

     NDN_THROW(Error("Bad refresh value: " + refreshString));

   }


   if (refreshPeriod == 0) {

     return getDefaultRefreshPeriod();

   }


   switch (unit) {

     case 'h':

       return time::hours(refreshPeriod);

     case 'm':

       return time::minutes(refreshPeriod);

     case 's':

       return time::seconds(refreshPeriod);

     default:

       NDN_THROW(Error("Bad refresh time unit: "s + unit));

   }

 }


 time::nanoseconds

 ValidationPolicyConfig::getDefaultRefreshPeriod()

 {

   return 1_h;

 }


 void

 ValidationPolicyConfig::checkPolicy(const Data& data, const shared_ptr<ValidationState>& state,

                                     const ValidationContinuation& continueValidation)

 {

   BOOST_ASSERT_MSG(!hasInnerPolicy(), "ValidationPolicyConfig must be a terminal inner policy");


   if (m_shouldBypass) {

     return continueValidation(nullptr, state);

   }


   Name klName = getKeyLocatorName(data, *state);

   if (!state->getOutcome()) { // already failed

     return;

   }


   for (const auto& rule : m_dataRules) {

     if (rule->match(tlv::Data, data.getName(), state)) {

       if (rule->check(tlv::Data, tlv::SignatureTypeValue(data.getSignatureType()),

                       data.getName(), klName, state)) {

         return continueValidation(make_shared<CertificateRequest>(klName), state);

       }

       // rule->check calls state->fail(...) if the check fails

       return;

     }

   }


   return state->fail({ValidationError::POLICY_ERROR,

                       "No rule matched for data `" + data.getName().toUri() + "`"});

 }


 void

 ValidationPolicyConfig::checkPolicy(const Interest& interest, const shared_ptr<ValidationState>& state,

                                     const ValidationContinuation& continueValidation)

 {

   BOOST_ASSERT_MSG(!hasInnerPolicy(), "ValidationPolicyConfig must be a terminal inner policy");


   if (m_shouldBypass) {

     return continueValidation(nullptr, state);

   }


   Name klName = getKeyLocatorName(interest, *state);

   if (!state->getOutcome()) { // already failed

     return;

   }


   for (const auto& rule : m_interestRules) {

     if (rule->match(tlv::Interest, interest.getName(), state)) {


       tlv::SignatureTypeValue sigType;

       auto fmt = state->getTag<SignedInterestFormatTag>();

       BOOST_ASSERT(fmt);


       if (*fmt == SignedInterestFormat::V03) {

         sigType = tlv::SignatureTypeValue(interest.getSignatureInfo()->getSignatureType());

       }

       else {

         if (interest.getName().size() < signed_interest::MIN_SIZE) {

           state->fail({ValidationError::INVALID_KEY_LOCATOR, "Invalid signed Interest: name too short"});

           return;

         }


         SignatureInfo si;

         try {

           si.wireDecode(interest.getName().at(signed_interest::POS_SIG_INFO).blockFromValue());

         }

         catch (const tlv::Error& e) {

           state->fail({ValidationError::Code::INVALID_KEY_LOCATOR,

                        "Invalid signed Interest: " + std::string(e.what())});

           return;

         }


         sigType = tlv::SignatureTypeValue(si.getSignatureType());

       }


       if (rule->check(tlv::Interest, sigType, interest.getName(), klName, state)) {

         return continueValidation(make_shared<CertificateRequest>(klName), state);

       }

       // rule->check calls state->fail(...) if the check fails

       return;

     }

   }


   return state->fail({ValidationError::POLICY_ERROR,

                       "No rule matched for interest `" + interest.getName().toUri() + "`"});

 }


 } // namespace validator_config

 } // inline namespace v2

 } // namespace security

 } // namespace ndn

ndn::Block::blockFromValue
Block blockFromValue() const
Definition: block.cpp:329

ndn::Data
Represents a Data packet.
Definition: data.hpp:38

ndn::Data::getSignatureType
int32_t getSignatureType() const noexcept
Get SignatureType.
Definition: data.hpp:304

ndn::Data::getName
const Name & getName() const noexcept
Get name.
Definition: data.hpp:127

ndn::Interest
Represents an Interest packet.
Definition: interest.hpp:50

ndn::Interest::getName
const Name & getName() const noexcept
Definition: interest.hpp:173

ndn::Interest::getSignatureInfo
optional< SignatureInfo > getSignatureInfo() const
Get the InterestSignatureInfo.
Definition: interest.cpp:549

ndn::Name
Represents an absolute name.
Definition: name.hpp:46

ndn::Name::at
const Component & at(ssize_t i) const
Returns an immutable reference to the component at the specified index, with bounds checking.
Definition: name.cpp:171

ndn::Name::size
size_t size() const
Returns the number of components.
Definition: name.hpp:155

ndn::SignatureInfo
Represents a SignatureInfo or InterestSignatureInfo TLV element.
Definition: signature-info.hpp:33

ndn::SignatureInfo::getSignatureType
int32_t getSignatureType() const noexcept
Get SignatureType.
Definition: signature-info.hpp:113

ndn::SignatureInfo::wireDecode
void wireDecode(const Block &wire, Type type=Type::Data)
Decode from wire format.
Definition: signature-info.cpp:117

ndn::SimpleTag
provides a tag type for simple types
Definition: tag.hpp:59

ndn::security::v2::ValidationError::POLICY_ERROR
@ POLICY_ERROR
Definition: validation-error.hpp:51

ndn::security::v2::ValidationError::INVALID_KEY_LOCATOR
@ INVALID_KEY_LOCATOR
Definition: validation-error.hpp:50

ndn::security::v2::ValidationPolicy::ValidationContinuation
std::function< void(const shared_ptr< CertificateRequest > &certRequest, const shared_ptr< ValidationState > &state)> ValidationContinuation
Definition: validation-policy.hpp:41

ndn::security::v2::ValidationPolicy::hasInnerPolicy
bool hasInnerPolicy() const
Check if inner policy is set.
Definition: validation-policy.hpp:67

ndn::security::v2::ValidationPolicy::m_validator
Validator * m_validator
Definition: validation-policy.hpp:146

ndn::security::v2::Validator::resetAnchors
void resetAnchors()
remove any previously loaded static or dynamic trust anchor
Definition: validator.cpp:207

ndn::security::v2::Validator::resetVerifiedCertificates
void resetVerifiedCertificates()
Remove any cached verified certificates.
Definition: validator.cpp:219

ndn::security::v2::Validator::loadAnchor
void loadAnchor(const std::string &groupId, Certificate &&cert)
load static trust anchor.
Definition: validator.cpp:194

ndn::security::v2::validator_config::Error
Definition: common.hpp:39

ndn::security::v2::validator_config::Rule::create
static unique_ptr< Rule > create(const ConfigSection &configSection, const std::string &configFilename)
create a rule from configuration section
Definition: rule.cpp:107

ndn::security::v2::validator_config::ValidationPolicyConfig::load
void load(const std::string &filename)
Load policy from file filename.
Definition: validation-policy-config.cpp:40

ndn::security::v2::validator_config::ValidationPolicyConfig::checkPolicy
void checkPolicy(const Data &data, const shared_ptr< ValidationState > &state, const ValidationContinuation &continueValidation) override
Check data against the policy.
Definition: validation-policy-config.cpp:235

ndn::tlv::Error
represents an error in TLV encoding or decoding
Definition: tlv.hpp:53

NDN_THROW
#define NDN_THROW(e)
Definition: exception.hpp:61

io.hpp

ndn::exception::to_string
std::string to_string(const errinfo_stacktrace &x)
Definition: exception.cpp:31

ndn::security::v2::validator_config::ConfigSection
boost::property_tree::ptree ConfigSection
Definition: common.hpp:36

ndn::security::v2::getKeyLocatorName
Name getKeyLocatorName(const Data &data, ValidationState &state)
extract KeyLocator.Name from a Data packet
Definition: validation-policy.cpp:85

ndn::security::SignedInterestFormat::V03
@ V03
Sign Interest using Packet Specification v0.3 semantics.

ndn::signed_interest::MIN_SIZE
const size_t MIN_SIZE
minimal number of components for Signed Interest
Definition: security-common.hpp:40

ndn::signed_interest::POS_SIG_INFO
const ssize_t POS_SIG_INFO
Definition: security-common.hpp:35

ndn::time::minutes
boost::chrono::minutes minutes
Definition: time.hpp:46

ndn::time::nanoseconds
boost::chrono::nanoseconds nanoseconds
Definition: time.hpp:50

ndn::time::hours
boost::chrono::hours hours
Definition: time.hpp:45

ndn::time::seconds
boost::chrono::seconds seconds
Definition: time.hpp:47

ndn::tlv::Data
@ Data
Definition: tlv.hpp:66

ndn::tlv::Interest
@ Interest
Definition: tlv.hpp:65

ndn::tlv::SignatureTypeValue
SignatureTypeValue
SignatureType values.
Definition: tlv.hpp:132

ndn
Definition: data.cpp:25

validation-policy-config.hpp

validator.hpp