| /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */ |
| /* |
| * Copyright (c) 2014-2025, Regents of the University of California, |
| * Arizona Board of Regents, |
| * Colorado State University, |
| * University Pierre & Marie Curie, Sorbonne University, |
| * Washington University in St. Louis, |
| * Beijing Institute of Technology, |
| * The University of Memphis. |
| * |
| * This file is part of NFD (Named Data Networking Forwarding Daemon). |
| * See AUTHORS.md for complete list of NFD authors and contributors. |
| * |
| * NFD is free software: you can redistribute it and/or modify it under the terms |
| * of the GNU General Public License as published by the Free Software Foundation, |
| * either version 3 of the License, or (at your option) any later version. |
| * |
| * NFD is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; |
| * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR |
| * PURPOSE. See the GNU General Public License for more details. |
| * |
| * You should have received a copy of the GNU General Public License along with |
| * NFD, e.g., in COPYING.md file. If not, see <http://www.gnu.org/licenses/>. |
| */ |
| |
| #include "command-authenticator.hpp" |
| #include "common/logger.hpp" |
| |
| #include <ndn-cxx/security/certificate-fetcher-offline.hpp> |
| #include <ndn-cxx/security/certificate-request.hpp> |
| #include <ndn-cxx/security/validation-policy.hpp> |
| #include <ndn-cxx/security/validation-policy-accept-all.hpp> |
| #include <ndn-cxx/security/validation-policy-command-interest.hpp> |
| #include <ndn-cxx/tag.hpp> |
| #include <ndn-cxx/util/io.hpp> |
| |
| #include <filesystem> |
| |
| namespace security = ndn::security; |
| |
| namespace nfd { |
| |
| NFD_LOG_INIT(CommandAuthenticator); |
| // INFO: configuration change, etc |
| // DEBUG: per authentication request result |
| |
| /** |
| * \brief An Interest tag to store the command signer. |
| */ |
| using SignerTag = ndn::SimpleTag<Name, 20>; |
| |
| /** |
| * \brief Obtain signer from a SignerTag attached to \p interest, if available. |
| */ |
| static std::optional<std::string> |
| getSignerFromTag(const Interest& interest) |
| { |
| auto signerTag = interest.getTag<SignerTag>(); |
| if (signerTag == nullptr) { |
| return std::nullopt; |
| } |
| else { |
| return signerTag->get().toUri(); |
| } |
| } |
| |
| /** |
| * \brief A validation policy that only permits Interests signed by a trust anchor. |
| */ |
| class CommandAuthenticatorValidationPolicy final : public security::ValidationPolicy |
| { |
| public: |
| void |
| checkPolicy(const Interest& interest, const shared_ptr<security::ValidationState>& state, |
| const ValidationContinuation& continueValidation) final |
| { |
| auto sigInfo = getSignatureInfo(interest, *state); |
| if (!state->getOutcome()) { // already failed |
| return; |
| } |
| Name klName = getKeyLocatorName(sigInfo, *state); |
| if (!state->getOutcome()) { // already failed |
| return; |
| } |
| |
| // SignerTag must be placed on the 'original Interest' in ValidationState to be available for |
| // InterestValidationSuccessCallback. The 'interest' parameter refers to a different instance |
| // which is copied into 'original Interest'. |
| auto state1 = std::dynamic_pointer_cast<security::InterestValidationState>(state); |
| state1->getOriginalInterest().setTag(make_shared<SignerTag>(klName)); |
| |
| continueValidation(make_shared<security::CertificateRequest>(klName), state); |
| } |
| |
| void |
| checkPolicy(const Data&, const shared_ptr<security::ValidationState>&, |
| const ValidationContinuation&) final |
| { |
| // Non-certificate Data are not handled by CommandAuthenticator. |
| // Non-anchor certificates cannot be retrieved by offline fetcher. |
| BOOST_ASSERT_MSG(false, "Data should not be passed to this policy"); |
| } |
| }; |
| |
| shared_ptr<CommandAuthenticator> |
| CommandAuthenticator::create() |
| { |
| return shared_ptr<CommandAuthenticator>(new CommandAuthenticator); |
| } |
| |
| CommandAuthenticator::CommandAuthenticator() = default; |
| |
| void |
| CommandAuthenticator::setConfigFile(ConfigFile& configFile) |
| { |
| configFile.addSectionHandler("authorizations", [this] (auto&&... args) { |
| processConfig(std::forward<decltype(args)>(args)...); |
| }); |
| } |
| |
| void |
| CommandAuthenticator::processConfig(const ConfigSection& section, bool isDryRun, const std::string& filename) |
| { |
| if (!isDryRun) { |
| NFD_LOG_DEBUG("resetting authorizations"); |
| for (auto& kv : m_validators) { |
| kv.second = make_shared<security::Validator>( |
| make_unique<security::ValidationPolicyCommandInterest>(make_unique<CommandAuthenticatorValidationPolicy>()), |
| make_unique<security::CertificateFetcherOffline>()); |
| } |
| } |
| |
| if (section.empty()) { |
| NDN_THROW(ConfigFile::Error("'authorize' is missing under 'authorizations'")); |
| } |
| |
| int authSectionIndex = 0; |
| for (const auto& [sectionName, authSection] : section) { |
| if (sectionName != "authorize") { |
| NDN_THROW(ConfigFile::Error("'" + sectionName + "' section is not permitted under 'authorizations'")); |
| } |
| |
| std::string certfile; |
| try { |
| certfile = authSection.get<std::string>("certfile"); |
| } |
| catch (const boost::property_tree::ptree_error&) { |
| NDN_THROW(ConfigFile::Error("'certfile' is missing under authorize[" + |
| std::to_string(authSectionIndex) + "]")); |
| } |
| |
| bool isAny = false; |
| shared_ptr<security::Certificate> cert; |
| if (certfile == "any") { |
| isAny = true; |
| NFD_LOG_WARN("'certfile any' is intended for demo purposes only and " |
| "SHOULD NOT be used in production environments"); |
| } |
| else { |
| auto certfilePath = std::filesystem::absolute(filename).parent_path() / certfile; |
| certfilePath = certfilePath.lexically_normal(); |
| cert = ndn::io::load<security::Certificate>(certfilePath); |
| if (cert == nullptr) { |
| NDN_THROW(ConfigFile::Error("cannot load certfile '" + certfilePath.native() + |
| "' for authorize[" + std::to_string(authSectionIndex) + "]")); |
| } |
| } |
| |
| const ConfigSection* privSection = nullptr; |
| try { |
| privSection = &authSection.get_child("privileges"); |
| } |
| catch (const boost::property_tree::ptree_error&) { |
| NDN_THROW(ConfigFile::Error("'privileges' is missing under authorize[" + |
| std::to_string(authSectionIndex) + "]")); |
| } |
| |
| if (privSection->empty()) { |
| NFD_LOG_WARN("No privileges granted to certificate " << certfile); |
| } |
| for (const auto& kv : *privSection) { |
| const std::string& module = kv.first; |
| auto found = m_validators.find(module); |
| if (found == m_validators.end()) { |
| NDN_THROW(ConfigFile::Error("unknown module '" + module + |
| "' under authorize[" + std::to_string(authSectionIndex) + "]")); |
| } |
| |
| if (isDryRun) { |
| continue; |
| } |
| |
| if (isAny) { |
| found->second = make_shared<security::Validator>(make_unique<security::ValidationPolicyAcceptAll>(), |
| make_unique<security::CertificateFetcherOffline>()); |
| NFD_LOG_INFO("authorize module=" << module << " signer=any"); |
| } |
| else { |
| const Name& keyName = cert->getKeyName(); |
| security::Certificate certCopy = *cert; |
| found->second->loadAnchor(certfile, std::move(certCopy)); |
| NFD_LOG_INFO("authorize module=" << module << " signer=" << keyName << " certfile=" << certfile); |
| } |
| } |
| |
| ++authSectionIndex; |
| } |
| } |
| |
| ndn::mgmt::Authorization |
| CommandAuthenticator::makeAuthorization(const std::string& module, const std::string& verb) |
| { |
| m_validators[module]; // declares module, so that privilege is recognized |
| |
| return [module, self = shared_from_this()] (const Name&, const Interest& interest, |
| const ndn::mgmt::ControlParametersBase*, |
| const ndn::mgmt::AcceptContinuation& accept, |
| const ndn::mgmt::RejectContinuation& reject) { |
| auto validator = self->m_validators.at(module); |
| |
| auto successCb = [accept, validator] (const Interest& interest1) { |
| auto signer1 = getSignerFromTag(interest1); |
| BOOST_ASSERT(signer1 || // signer must be available unless 'certfile any' |
| dynamic_cast<security::ValidationPolicyAcceptAll*>(&validator->getPolicy()) != nullptr); |
| std::string signer = signer1.value_or("*"); |
| NFD_LOG_DEBUG("accept " << interest1.getName() << " signer=" << signer); |
| accept(signer); |
| }; |
| |
| using ndn::security::ValidationError; |
| auto failureCb = [reject] (const Interest& interest1, const ValidationError& err) { |
| auto reply = ndn::mgmt::RejectReply::STATUS403; |
| if (err.getCode() == ValidationError::MALFORMED_SIGNATURE || |
| err.getCode() == ValidationError::INVALID_KEY_LOCATOR) { |
| // do not waste cycles signing and sending a reply if the command is clearly malformed |
| reply = ndn::mgmt::RejectReply::SILENT; |
| } |
| NFD_LOG_DEBUG("reject " << interest1.getName() << " signer=" << |
| getSignerFromTag(interest1).value_or("?") << " reason=" << err); |
| reject(reply); |
| }; |
| |
| if (validator) { |
| validator->validate(interest, successCb, failureCb); |
| } |
| else { |
| NFD_LOG_DEBUG("reject " << interest.getName() << " signer=" << |
| getSignerFromTag(interest).value_or("?") << " reason=Unauthorized"); |
| reject(ndn::mgmt::RejectReply::STATUS403); |
| } |
| }; |
| } |
| |
| } // namespace nfd |