mgmt: use a separate validator for prefix announcements
This commit also configures the default prefix_announcement_validation
section in nfd.conf.sample to accept any prefix announcement.
refs: #5031
Change-Id: I82e34ce783dfe77c170dd02e78a4bc86faa0147a
diff --git a/daemon/mgmt/rib-manager.cpp b/daemon/mgmt/rib-manager.cpp
index 81196dd..bf3b194 100644
--- a/daemon/mgmt/rib-manager.cpp
+++ b/daemon/mgmt/rib-manager.cpp
@@ -58,6 +58,7 @@
, m_faceMonitor(face)
, m_localhostValidator(face)
, m_localhopValidator(make_unique<ndn::security::v2::CertificateFetcherDirectFetch>(face))
+ , m_paValidator(make_unique<ndn::security::v2::CertificateFetcherDirectFetch>(face))
, m_isLocalhopEnabled(false)
{
registerCommandHandler<ndn::nfd::RibRegisterCommand>("register",
@@ -88,6 +89,12 @@
}
void
+RibManager::applyPaConfig(const ConfigSection& section, const std::string& filename)
+{
+ m_paValidator.load(section, filename);
+}
+
+void
RibManager::registerWithNfd()
{
registerTopPrefix(LOCALHOST_TOP_PREFIX);
@@ -356,14 +363,7 @@
{
BOOST_ASSERT(pa.getData());
- if (!m_isLocalhopEnabled) {
- NFD_LOG_INFO("slAnnounce " << pa.getAnnouncedName() << " " << faceId <<
- ": localhop_security unconfigured");
- cb(SlAnnounceResult::VALIDATION_FAILURE);
- return;
- }
-
- m_localhopValidator.validate(*pa.getData(),
+ m_paValidator.validate(*pa.getData(),
[=] (const Data&) {
Route route(pa, faceId);
route.expires = std::min(route.annExpires, time::steady_clock::now() + maxLifetime);
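Review bot: With the `m_isLocalhopEnabled` guard removed, `slAnnounce` now calls `m_paValidator.validate()` even when no `prefix_announcement_validation` section was ever applied, and nothing in this diff pins down what an unloaded `ndn::ValidatorConfig` does in that case; the new tests only cover an explicitly empty section, not an absent one. Every nfd.conf written before this change takes exactly that path, so the outcome should be explicit rather than inherited from the library. Either have the service apply an empty (deny-all) section when none is present, or keep a guard like the removed one behind a flag that `applyPaConfig` sets, as sketched below. The enclosing function starts and ends outside the hunk.
```cpp
  // Reject announcements until a prefix_announcement_validation section has been applied,
  // so a config without that section does not depend on ValidatorConfig's unloaded behavior.
  if (!m_isPaConfigured) {
    NFD_LOG_INFO("slAnnounce " << pa.getAnnouncedName() << " " << faceId <<
                 ": prefix_announcement_validation unconfigured");
    cb(SlAnnounceResult::VALIDATION_FAILURE);
    return;
  }

  m_paValidator.validate(*pa.getData(),
  // … unchanged: success and failure continuations …
```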
diff --git a/daemon/mgmt/rib-manager.hpp b/daemon/mgmt/rib-manager.hpp
index 1be0b81..51f9dfc 100644
--- a/daemon/mgmt/rib-manager.hpp
+++ b/daemon/mgmt/rib-manager.hpp
@@ -72,6 +72,12 @@
disableLocalhop();
/**
+ * @brief Apply prefix_announcement_validation configuration.
+ */
+ void
+ applyPaConfig(const ConfigSection& section, const std::string& filename);
+
+ /**
* @brief Start accepting commands and dataset requests.
*/
void
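Review bot: The doc comment on `applyPaConfig` says only that it applies the configuration, but callers need two facts that the tests rely on: it may be called more than once and a later call replaces the earlier policy (the new `AnnounceWithEmptyConfig` test depends on a second load overriding the fixture's `type any` default), and what happens to announcements before the first call is not stated anywhere. Suggest expanding it to `@brief Apply prefix_announcement_validation configuration.` followed by `Each call replaces the previously loaded rules and trust anchors. Until the first call, whether prefix announcements are accepted is determined by the unloaded validator — state the intended default here once decided.` plus `@param section the prefix_announcement_validation config section` and `@param filename name of the config file the section came from (passed to ValidatorConfig::load)`.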
@@ -245,6 +251,7 @@
ndn::nfd::FaceMonitor m_faceMonitor;
ndn::ValidatorConfig m_localhostValidator;
ndn::ValidatorConfig m_localhopValidator;
+ ndn::ValidatorConfig m_paValidator;
bool m_isLocalhopEnabled;
scheduler::ScopedEventId m_activeFaceFetchEvent;
diff --git a/daemon/rib/service.cpp b/daemon/rib/service.cpp
index 72045bf..f7b4719 100644
--- a/daemon/rib/service.cpp
+++ b/daemon/rib/service.cpp
@@ -48,6 +48,7 @@
const std::string CFG_SECTION = "rib";
const std::string CFG_LOCALHOST_SECURITY = "localhost_security";
const std::string CFG_LOCALHOP_SECURITY = "localhop_security";
+const std::string CFG_PA_VALIDATION = "prefix_announcement_validation";
const std::string CFG_PREFIX_PROPAGATE = "auto_prefix_propagate";
const std::string CFG_READVERTISE_NLSR = "readvertise_nlsr";
const Name READVERTISE_NLSR_PREFIX = "/localhost/nlsr";
@@ -166,7 +167,7 @@
for (const auto& item : section) {
const std::string& key = item.first;
const ConfigSection& value = item.second;
- if (key == CFG_LOCALHOST_SECURITY || key == CFG_LOCALHOP_SECURITY) {
+ if (key == CFG_LOCALHOST_SECURITY || key == CFG_LOCALHOP_SECURITY || key == CFG_PA_VALIDATION) {
hasLocalhop = key == CFG_LOCALHOP_SECURITY;
ndn::ValidatorConfig testValidator(m_face);
testValidator.load(value, filename);
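Review bot: `hasLocalhop = key == CFG_LOCALHOP_SECURITY;` on the line after the widened condition runs for every matching section, so a `prefix_announcement_validation` (or `localhost_security`) section that appears after `localhop_security` in nfd.conf resets the flag to false — and the sample config in this same change places `prefix_announcement_validation` directly after the `localhop_security` block. If `hasLocalhop` later decides whether localhop is disabled, as its name suggests (that code is outside the hunk), a configured localhop_security would be silently turned off depending on section order. Make the flag sticky instead: `if (key == CFG_LOCALHOP_SECURITY) { hasLocalhop = true; }`. The enclosing loop and function start and end outside the hunk.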
@@ -204,6 +205,9 @@
else if (key == CFG_LOCALHOP_SECURITY) {
m_ribManager.enableLocalhop(value, filename);
}
+ else if (key == CFG_PA_VALIDATION) {
+ m_ribManager.applyPaConfig(value, filename);
+ }
else if (key == CFG_PREFIX_PROPAGATE) {
wantPrefixPropagate = true;
diff --git a/nfd.conf.sample.in b/nfd.conf.sample.in
index eec2bfc..4cd4e26 100644
--- a/nfd.conf.sample.in
+++ b/nfd.conf.sample.in
@@ -414,6 +414,15 @@
; }
; }
+ ; The following prefix_announcement_validation accepts any prefix announcement
+ prefix_announcement_validation
+ {
+ trust-anchor
+ {
+ type any
+ }
+ }
+
auto_prefix_propagate
{
cost 15 ; forwarding cost of prefix registered on remote router
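Review bot: The new `prefix_announcement_validation` block ships with `trust-anchor { type any }`, which accepts every prefix announcement without a signature check, but the only comment restates that fact without its consequence: per the rib-manager change this section now decides which announcements become routes. Operators copying the sample need to be told it is a placeholder to be replaced by a real trust schema wherever announcements can arrive from untrusted faces; the commented-out block just above appears to be such an example. Suggest replacing the comment with `; The following prefix_announcement_validation accepts ANY prefix announcement (no signature check).` and `; Replace 'type any' with a trust schema (see the commented-out example above) before accepting announcements from untrusted faces.`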
diff --git a/tests/daemon/mgmt/rib-manager-sl-announce.t.cpp b/tests/daemon/mgmt/rib-manager-sl-announce.t.cpp
index 83d7a64..9c8b87a 100644
--- a/tests/daemon/mgmt/rib-manager-sl-announce.t.cpp
+++ b/tests/daemon/mgmt/rib-manager-sl-announce.t.cpp
@@ -32,11 +32,22 @@
#include <ndn-cxx/util/dummy-client-face.hpp>
+#include <boost/property_tree/info_parser.hpp>
+
namespace nfd {
namespace tests {
using rib::Route;
+static ConfigSection
+makeSection(const std::string& config)
+{
+ std::istringstream inputStream(config);
+ ConfigSection section;
+ boost::property_tree::read_info(inputStream, section);
+ return section;
+}
+
class RibManagerSlAnnounceFixture : public GlobalIoTimeFixture, public KeyChainFixture
{
public:
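Review bot: `makeSection` is added here as a file-local helper, while `tests/daemon/rib/service.t.cpp` in this same change calls a `makeSection(CONFIG)` that its hunk does not add, so that file apparently already has an equivalent INFO-format parser; two copies of the same helper will drift. Consider moving it to a shared test header and including that here instead. Style only.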
@@ -55,7 +66,7 @@
// rule 1.4 violation.
manager = make_unique<RibManager>(rib, m_face, m_keyChain, m_nfdController, m_dispatcher);
- loadTrustSchema();
+ loadDefaultPaConfig();
}
template<typename ...T>
@@ -135,24 +146,16 @@
}
private:
- /** \brief Prepare a trust schema and load as localhop_security.
- *
- * Test case may revert this operation with ribManager->disableLocalhop().
- */
void
- loadTrustSchema()
+ loadDefaultPaConfig()
{
- ConfigSection section;
- section.put("rule.id", "PA");
- section.put("rule.for", "data");
- section.put("rule.checker.type", "customized");
- section.put("rule.checker.sig-type", "rsa-sha256");
- section.put("rule.checker.key-locator.type", "name");
- section.put("rule.checker.key-locator.name", "/trusted");
- section.put("rule.checker.key-locator.relation", "is-prefix-of");
- section.put("trust-anchor.type", "base64");
- section.put("trust-anchor.base64-string", getIdentityCertificateBase64("/trusted"));
- manager->enableLocalhop(section, "trust-schema.section");
+ const std::string CONFIG = R"CONFIG(
+ trust-anchor
+ {
+ type any
+ }
+ )CONFIG";
+ manager->applyPaConfig(makeSection(CONFIG), "default");
}
public:
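Review bot: The replaced `loadTrustSchema` carried a doc comment saying what it loads and how a test case can undo it, but `loadDefaultPaConfig` has none, so the fixture's accept-everything default — the reason `AnnounceWithDefaultConfig` succeeds for an untrusted announcement — is undocumented. Suggest `/** \brief Load a prefix_announcement_validation config that accepts any announcement (trust-anchor type any). Test cases may replace it with manager->applyPaConfig(). */` above the function.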
@@ -173,17 +176,44 @@
BOOST_AUTO_TEST_SUITE(TestRibManager)
BOOST_FIXTURE_TEST_SUITE(SlAnnounce, RibManagerSlAnnounceFixture)
-BOOST_AUTO_TEST_CASE(AnnounceUnconfigured)
+BOOST_AUTO_TEST_CASE(AnnounceWithDefaultConfig)
{
- manager->disableLocalhop();
+ auto pa = makeTrustedAnn("/fMXN7UeB", 1_h);
+ BOOST_CHECK_EQUAL(slAnnounceSync(pa, 3275, 1_h), SlAnnounceResult::OK);
+ BOOST_CHECK(findAnnRoute("/fMXN7UeB", 3275) != nullptr);
+
+ auto pa2 = makeUntrustedAnn("/1nzAe0Y4", 1_h);
+ BOOST_CHECK_EQUAL(slAnnounceSync(pa2, 2959, 1_h), SlAnnounceResult::OK);
+ BOOST_CHECK(findAnnRoute("/1nzAe0Y4", 2959) != nullptr);
+}
+
+BOOST_AUTO_TEST_CASE(AnnounceWithEmptyConfig)
+{
+ manager->applyPaConfig(makeSection(""), "empty");
+
auto pa = makeTrustedAnn("/fMXN7UeB", 1_h);
BOOST_CHECK_EQUAL(slAnnounceSync(pa, 3275, 1_h), SlAnnounceResult::VALIDATION_FAILURE);
-
BOOST_CHECK(findAnnRoute("/fMXN7UeB", 3275) == nullptr);
+
+ auto pa2 = makeUntrustedAnn("/1nzAe0Y4", 1_h);
+ BOOST_CHECK_EQUAL(slAnnounceSync(pa2, 2959, 1_h), SlAnnounceResult::VALIDATION_FAILURE);
+ BOOST_CHECK(findAnnRoute("/1nzAe0Y4", 2959) == nullptr);
}
BOOST_AUTO_TEST_CASE(AnnounceValidationError)
{
+ ConfigSection section;
+ section.put("rule.id", "PA");
+ section.put("rule.for", "data");
+ section.put("rule.checker.type", "customized");
+ section.put("rule.checker.sig-type", "rsa-sha256");
+ section.put("rule.checker.key-locator.type", "name");
+ section.put("rule.checker.key-locator.name", "/trusted");
+ section.put("rule.checker.key-locator.relation", "is-prefix-of");
+ section.put("trust-anchor.type", "base64");
+ section.put("trust-anchor.base64-string", getIdentityCertificateBase64("/trusted"));
+ manager->applyPaConfig(section, "trust-schema.section");
+
auto pa = makeUntrustedAnn("/1nzAe0Y4", 1_h);
BOOST_CHECK_EQUAL(slAnnounceSync(pa, 2959, 1_h), SlAnnounceResult::VALIDATION_FAILURE);
diff --git a/tests/daemon/rib/service.t.cpp b/tests/daemon/rib/service.t.cpp
index 4832afd..caa59d3 100644
--- a/tests/daemon/rib/service.t.cpp
+++ b/tests/daemon/rib/service.t.cpp
@@ -80,6 +80,36 @@
BOOST_AUTO_TEST_SUITE(ProcessConfig)
+BOOST_AUTO_TEST_CASE(EmptyLocalhostSecurity)
+{
+ const std::string CONFIG = R"CONFIG(
+ rib
+ {
+ localhost_security
+ }
+ )CONFIG";
+
+ runOnRibIoService([&] {
+ BOOST_CHECK_NO_THROW(Service(makeSection(CONFIG), m_ribKeyChain));
+ });
+ poll();
+}
+
+BOOST_AUTO_TEST_CASE(EmptyPrefixAnnouncementValidation)
+{
+ const std::string CONFIG = R"CONFIG(
+ rib
+ {
+ prefix_announcement_validation
+ }
+ )CONFIG";
+
+ runOnRibIoService([&] {
+ BOOST_CHECK_NO_THROW(Service(makeSection(CONFIG), m_ribKeyChain));
+ });
+ poll();
+}
+
BOOST_AUTO_TEST_CASE(LocalhopAndPropagate)
{
const std::string CONFIG = R"CONFIG(
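Review bot: Both new cases only check that `Service` constructs without throwing for an explicitly empty section; neither covers a `rib` section with no `prefix_announcement_validation` at all, which is what every existing nfd.conf looks like after this change, and nothing in the diff shows what state the announcement validator is left in then. Add a sibling case whose config omits the section, asserting at least that construction succeeds and, if observable here, that announcements are rejected (presumably the safe default), so the behavior is pinned rather than inherited from ValidatorConfig. The hunk's last context lines belong to `LocalhopAndPropagate`, which continues outside the hunk.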