blob: db50e4dc7984303ab53eb06c87f88e9d883bb889 [file] [log] [blame]
Junxiao Shid7631272016-08-17 04:16:31 +00001/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
Davide Pesaventod96744d2018-02-03 19:16:07 -05002/*
Davide Pesavento3db98072021-03-09 23:03:27 -05003 * Copyright (c) 2014-2021, Regents of the University of California,
Junxiao Shid7631272016-08-17 04:16:31 +00004 * Arizona Board of Regents,
5 * Colorado State University,
6 * University Pierre & Marie Curie, Sorbonne University,
7 * Washington University in St. Louis,
8 * Beijing Institute of Technology,
9 * The University of Memphis.
10 *
11 * This file is part of NFD (Named Data Networking Forwarding Daemon).
12 * See AUTHORS.md for complete list of NFD authors and contributors.
13 *
14 * NFD is free software: you can redistribute it and/or modify it under the terms
15 * of the GNU General Public License as published by the Free Software Foundation,
16 * either version 3 of the License, or (at your option) any later version.
17 *
18 * NFD is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
19 * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
20 * PURPOSE. See the GNU General Public License for more details.
21 *
22 * You should have received a copy of the GNU General Public License along with
23 * NFD, e.g., in COPYING.md file. If not, see <http://www.gnu.org/licenses/>.
24 */
25
26#include "command-authenticator.hpp"
Davide Pesavento2cae8ca2019-04-18 20:48:05 -040027#include "common/logger.hpp"
Junxiao Shid7631272016-08-17 04:16:31 +000028
Junxiao Shidbb6b3e2017-07-03 12:42:07 +000029#include <ndn-cxx/tag.hpp>
Alexander Afanasyeva1583702020-06-03 13:55:45 -040030#include <ndn-cxx/security/certificate-fetcher-offline.hpp>
31#include <ndn-cxx/security/certificate-request.hpp>
32#include <ndn-cxx/security/validation-policy.hpp>
33#include <ndn-cxx/security/validation-policy-accept-all.hpp>
34#include <ndn-cxx/security/validation-policy-command-interest.hpp>
35#include <ndn-cxx/security/validator.hpp>
Junxiao Shid7631272016-08-17 04:16:31 +000036#include <ndn-cxx/util/io.hpp>
37
38#include <boost/filesystem.hpp>
39
Alexander Afanasyeva1583702020-06-03 13:55:45 -040040namespace security = ndn::security;
Junxiao Shidbb6b3e2017-07-03 12:42:07 +000041
Junxiao Shid7631272016-08-17 04:16:31 +000042namespace nfd {
43
Davide Pesaventoa3148082018-04-12 18:21:54 -040044NFD_LOG_INIT(CommandAuthenticator);
Junxiao Shid7631272016-08-17 04:16:31 +000045// INFO: configuration change, etc
46// DEBUG: per authentication request result
47
Junxiao Shidbb6b3e2017-07-03 12:42:07 +000048/** \brief an Interest tag to indicate command signer
49 */
50using SignerTag = ndn::SimpleTag<Name, 20>;
51
52/** \brief obtain signer from SignerTag attached to Interest, if available
53 */
Davide Pesavento87fc0f82018-04-11 23:43:51 -040054static optional<std::string>
Junxiao Shidbb6b3e2017-07-03 12:42:07 +000055getSignerFromTag(const Interest& interest)
56{
57 shared_ptr<SignerTag> signerTag = interest.getTag<SignerTag>();
58 if (signerTag == nullptr) {
Davide Pesavento87fc0f82018-04-11 23:43:51 -040059 return nullopt;
Junxiao Shidbb6b3e2017-07-03 12:42:07 +000060 }
61 else {
62 return signerTag->get().toUri();
63 }
64}
65
66/** \brief a validation policy that only permits Interest signed by a trust anchor
67 */
Davide Pesavento3db98072021-03-09 23:03:27 -050068class CommandAuthenticatorValidationPolicy final : public security::ValidationPolicy
Junxiao Shidbb6b3e2017-07-03 12:42:07 +000069{
70public:
71 void
Alexander Afanasyeva1583702020-06-03 13:55:45 -040072 checkPolicy(const Interest& interest, const shared_ptr<security::ValidationState>& state,
Junxiao Shidbb6b3e2017-07-03 12:42:07 +000073 const ValidationContinuation& continueValidation) final
74 {
75 Name klName = getKeyLocatorName(interest, *state);
76 if (!state->getOutcome()) { // already failed
77 return;
78 }
79
80 // SignerTag must be placed on the 'original Interest' in ValidationState to be available for
81 // InterestValidationSuccessCallback. The 'interest' parameter refers to a different instance
82 // which is copied into 'original Interest'.
Alexander Afanasyeva1583702020-06-03 13:55:45 -040083 auto state1 = dynamic_pointer_cast<security::InterestValidationState>(state);
Junxiao Shidbb6b3e2017-07-03 12:42:07 +000084 state1->getOriginalInterest().setTag(make_shared<SignerTag>(klName));
85
Alexander Afanasyeva1583702020-06-03 13:55:45 -040086 continueValidation(make_shared<security::CertificateRequest>(Interest(klName)), state);
Junxiao Shidbb6b3e2017-07-03 12:42:07 +000087 }
88
89 void
Davide Pesavento3db98072021-03-09 23:03:27 -050090 checkPolicy(const Data&, const shared_ptr<security::ValidationState>&,
91 const ValidationContinuation&) final
Junxiao Shidbb6b3e2017-07-03 12:42:07 +000092 {
93 // Non-certificate Data are not handled by CommandAuthenticator.
94 // Non-anchor certificates cannot be retrieved by offline fetcher.
95 BOOST_ASSERT_MSG(false, "Data should not be passed to this policy");
96 }
97};
98
Junxiao Shid7631272016-08-17 04:16:31 +000099shared_ptr<CommandAuthenticator>
100CommandAuthenticator::create()
101{
Junxiao Shidbb6b3e2017-07-03 12:42:07 +0000102 return shared_ptr<CommandAuthenticator>(new CommandAuthenticator);
Junxiao Shid7631272016-08-17 04:16:31 +0000103}
104
Junxiao Shidbb6b3e2017-07-03 12:42:07 +0000105CommandAuthenticator::CommandAuthenticator() = default;
Junxiao Shid7631272016-08-17 04:16:31 +0000106
107void
108CommandAuthenticator::setConfigFile(ConfigFile& configFile)
109{
110 configFile.addSectionHandler("authorizations",
111 bind(&CommandAuthenticator::processConfig, this, _1, _2, _3));
112}
113
114void
115CommandAuthenticator::processConfig(const ConfigSection& section, bool isDryRun, const std::string& filename)
116{
117 if (!isDryRun) {
118 NFD_LOG_INFO("clear-authorizations");
Junxiao Shidbb6b3e2017-07-03 12:42:07 +0000119 for (auto& kv : m_validators) {
Alexander Afanasyeva1583702020-06-03 13:55:45 -0400120 kv.second = make_shared<security::Validator>(
121 make_unique<security::ValidationPolicyCommandInterest>(make_unique<CommandAuthenticatorValidationPolicy>()),
122 make_unique<security::CertificateFetcherOffline>());
Junxiao Shid7631272016-08-17 04:16:31 +0000123 }
124 }
125
126 if (section.empty()) {
Davide Pesavento19779d82019-02-14 13:40:04 -0500127 NDN_THROW(ConfigFile::Error("'authorize' is missing under 'authorizations'"));
Junxiao Shid7631272016-08-17 04:16:31 +0000128 }
129
130 int authSectionIndex = 0;
131 for (const auto& kv : section) {
132 if (kv.first != "authorize") {
Davide Pesavento19779d82019-02-14 13:40:04 -0500133 NDN_THROW(ConfigFile::Error("'" + kv.first + "' section is not permitted under 'authorizations'"));
Junxiao Shid7631272016-08-17 04:16:31 +0000134 }
135 const ConfigSection& authSection = kv.second;
136
137 std::string certfile;
138 try {
139 certfile = authSection.get<std::string>("certfile");
140 }
141 catch (const boost::property_tree::ptree_error&) {
Davide Pesavento19779d82019-02-14 13:40:04 -0500142 NDN_THROW(ConfigFile::Error("'certfile' is missing under authorize[" +
143 to_string(authSectionIndex) + "]"));
Junxiao Shid7631272016-08-17 04:16:31 +0000144 }
145
146 bool isAny = false;
Alexander Afanasyeva1583702020-06-03 13:55:45 -0400147 shared_ptr<security::Certificate> cert;
Junxiao Shid7631272016-08-17 04:16:31 +0000148 if (certfile == "any") {
149 isAny = true;
150 NFD_LOG_WARN("'certfile any' is intended for demo purposes only and "
151 "SHOULD NOT be used in production environments");
152 }
153 else {
154 using namespace boost::filesystem;
155 path certfilePath = absolute(certfile, path(filename).parent_path());
Alexander Afanasyeva1583702020-06-03 13:55:45 -0400156 cert = ndn::io::load<security::Certificate>(certfilePath.string());
Junxiao Shid7631272016-08-17 04:16:31 +0000157 if (cert == nullptr) {
Davide Pesavento19779d82019-02-14 13:40:04 -0500158 NDN_THROW(ConfigFile::Error("cannot load certfile " + certfilePath.string() +
159 " for authorize[" + to_string(authSectionIndex) + "]"));
Junxiao Shid7631272016-08-17 04:16:31 +0000160 }
161 }
162
163 const ConfigSection* privSection = nullptr;
164 try {
165 privSection = &authSection.get_child("privileges");
166 }
167 catch (const boost::property_tree::ptree_error&) {
Davide Pesavento19779d82019-02-14 13:40:04 -0500168 NDN_THROW(ConfigFile::Error("'privileges' is missing under authorize[" +
169 to_string(authSectionIndex) + "]"));
Junxiao Shid7631272016-08-17 04:16:31 +0000170 }
171
172 if (privSection->empty()) {
173 NFD_LOG_WARN("No privileges granted to certificate " << certfile);
174 }
175 for (const auto& kv : *privSection) {
176 const std::string& module = kv.first;
Junxiao Shidbb6b3e2017-07-03 12:42:07 +0000177 auto found = m_validators.find(module);
178 if (found == m_validators.end()) {
Davide Pesavento19779d82019-02-14 13:40:04 -0500179 NDN_THROW(ConfigFile::Error("unknown module '" + module +
180 "' under authorize[" + to_string(authSectionIndex) + "]"));
Junxiao Shid7631272016-08-17 04:16:31 +0000181 }
182
183 if (isDryRun) {
184 continue;
185 }
186
187 if (isAny) {
Alexander Afanasyeva1583702020-06-03 13:55:45 -0400188 found->second = make_shared<security::Validator>(make_unique<security::ValidationPolicyAcceptAll>(),
189 make_unique<security::CertificateFetcherOffline>());
Junxiao Shid7631272016-08-17 04:16:31 +0000190 NFD_LOG_INFO("authorize module=" << module << " signer=any");
191 }
192 else {
Junxiao Shi16a3adf2017-05-26 17:38:51 +0000193 const Name& keyName = cert->getKeyName();
Alexander Afanasyeva1583702020-06-03 13:55:45 -0400194 security::Certificate certCopy = *cert;
Junxiao Shidbb6b3e2017-07-03 12:42:07 +0000195 found->second->loadAnchor(certfile, std::move(certCopy));
Davide Pesavento19779d82019-02-14 13:40:04 -0500196 NFD_LOG_INFO("authorize module=" << module << " signer=" << keyName << " certfile=" << certfile);
Junxiao Shid7631272016-08-17 04:16:31 +0000197 }
198 }
199
200 ++authSectionIndex;
201 }
202}
203
204ndn::mgmt::Authorization
205CommandAuthenticator::makeAuthorization(const std::string& module, const std::string& verb)
206{
Junxiao Shidbb6b3e2017-07-03 12:42:07 +0000207 m_validators[module]; // declares module, so that privilege is recognized
Junxiao Shid7631272016-08-17 04:16:31 +0000208
209 auto self = this->shared_from_this();
Davide Pesaventod96744d2018-02-03 19:16:07 -0500210 return [=] (const Name&, const Interest& interest,
211 const ndn::mgmt::ControlParameters*,
Junxiao Shid7631272016-08-17 04:16:31 +0000212 const ndn::mgmt::AcceptContinuation& accept,
213 const ndn::mgmt::RejectContinuation& reject) {
Davide Pesaventod96744d2018-02-03 19:16:07 -0500214 auto validator = self->m_validators.at(module);
215 auto successCb = [accept, validator] (const Interest& interest1) {
216 auto signer1 = getSignerFromTag(interest1);
217 BOOST_ASSERT(signer1 || // signer must be available unless 'certfile any'
Alexander Afanasyeva1583702020-06-03 13:55:45 -0400218 dynamic_cast<security::ValidationPolicyAcceptAll*>(&validator->getPolicy()) != nullptr);
Davide Pesaventod96744d2018-02-03 19:16:07 -0500219 std::string signer = signer1.value_or("*");
220 NFD_LOG_DEBUG("accept " << interest1.getName() << " signer=" << signer);
221 accept(signer);
222 };
Alexander Afanasyeva1583702020-06-03 13:55:45 -0400223 auto failureCb = [reject] (const Interest& interest1, const security::ValidationError& err) {
Davide Pesaventod96744d2018-02-03 19:16:07 -0500224 using ndn::mgmt::RejectReply;
225 RejectReply reply = RejectReply::STATUS403;
226 switch (err.getCode()) {
Alexander Afanasyeva1583702020-06-03 13:55:45 -0400227 case security::ValidationError::NO_SIGNATURE:
228 case security::ValidationError::INVALID_KEY_LOCATOR:
Davide Pesaventod96744d2018-02-03 19:16:07 -0500229 reply = RejectReply::SILENT;
230 break;
Alexander Afanasyeva1583702020-06-03 13:55:45 -0400231 case security::ValidationError::POLICY_ERROR:
Davide Pesaventod96744d2018-02-03 19:16:07 -0500232 if (interest1.getName().size() < ndn::command_interest::MIN_SIZE) { // "name too short"
233 reply = RejectReply::SILENT;
Junxiao Shidbb6b3e2017-07-03 12:42:07 +0000234 }
Davide Pesaventod96744d2018-02-03 19:16:07 -0500235 break;
236 }
237 NFD_LOG_DEBUG("reject " << interest1.getName() << " signer=" <<
238 getSignerFromTag(interest1).value_or("?") << " reason=" << err);
239 reject(reply);
240 };
241
242 if (validator) {
243 validator->validate(interest, successCb, failureCb);
244 }
245 else {
246 NFD_LOG_DEBUG("reject " << interest.getName() << " signer=" <<
247 getSignerFromTag(interest).value_or("?") << " reason=Unauthorized");
248 reject(ndn::mgmt::RejectReply::STATUS403);
249 }
Junxiao Shid7631272016-08-17 04:16:31 +0000250 };
251}
252
Junxiao Shid7631272016-08-17 04:16:31 +0000253} // namespace nfd