Gitiles
Code Review Sign In
gerrit.named-data.net / NFD / 635bf20ef55f6da403344cf1a334adb17a63afc5 / . / tests / daemon / mgmt / command-authenticator.t.cpp
blob: 35bc1170133a73de75e13d40dbb48575285e52f8 [file] [log] [blame]
Junxiao Shid7631272016-08-17 04:16:31 +0000[diff] [blame]1/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
2/**
Alexander Afanasyev635bf202017-03-09 21:57:34 +0000[diff] [blame^]3 * Copyright (c) 2014-2017, Regents of the University of California,
Junxiao Shid7631272016-08-17 04:16:31 +0000[diff] [blame]4 * Arizona Board of Regents,
5 * Colorado State University,
6 * University Pierre & Marie Curie, Sorbonne University,
7 * Washington University in St. Louis,
8 * Beijing Institute of Technology,
9 * The University of Memphis.
10 *
11 * This file is part of NFD (Named Data Networking Forwarding Daemon).
12 * See AUTHORS.md for complete list of NFD authors and contributors.
13 *
14 * NFD is free software: you can redistribute it and/or modify it under the terms
15 * of the GNU General Public License as published by the Free Software Foundation,
16 * either version 3 of the License, or (at your option) any later version.
17 *
18 * NFD is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
19 * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
20 * PURPOSE. See the GNU General Public License for more details.
21 *
22 * You should have received a copy of the GNU General Public License along with
23 * NFD, e.g., in COPYING.md file. If not, see <http://www.gnu.org/licenses/>.
24 */
25
26#include "mgmt/command-authenticator.hpp"
27#include <ndn-cxx/security/signing-helpers.hpp>
28#include <boost/filesystem.hpp>
29
30#include "tests/test-common.hpp"
31#include "tests/identity-management-fixture.hpp"
32
33namespace nfd {
34namespace tests {
35
36class CommandAuthenticatorFixture : public IdentityManagementTimeFixture
37{
38protected:
39 CommandAuthenticatorFixture()
40 : authenticator(CommandAuthenticator::create())
41 {
42 }
43
44 void
45 makeModules(std::initializer_list<std::string> modules)
46 {
47 for (const std::string& module : modules) {
48 authorizations.emplace(module, authenticator->makeAuthorization(module, "verb"));
49 }
50 }
51
52 void
53 loadConfig(const std::string& config)
54 {
55 boost::filesystem::path configPath = boost::filesystem::current_path() /=
56 "command-authenticator-test.conf";
57 ConfigFile cf;
58 authenticator->setConfigFile(cf);
59 cf.parse(config, false, configPath.c_str());
60 }
61
62 bool
63 authorize(const std::string& module, const Name& identity,
64 const function<void(Interest&)>& modifyInterest = nullptr)
65 {
66 auto interest = makeInterest(Name("/prefix").append(module).append("verb"));
67 m_keyChain.sign(*interest, signingByIdentity(identity));
68 if (modifyInterest != nullptr) {
69 modifyInterest(*interest);
70 }
71
72 ndn::mgmt::Authorization authorization = authorizations.at(module);
73
74 bool isAccepted = false;
75 bool isRejected = false;
76 authorization(Name("/prefix"), *interest, nullptr,
77 [this, &isAccepted, &isRejected] (const std::string& requester) {
78 BOOST_REQUIRE_MESSAGE(!isAccepted && !isRejected,
79 "authorization function should invoke only one continuation");
80 isAccepted = true;
81 lastRequester = requester;
82 },
83 [this, &isAccepted, &isRejected] (ndn::mgmt::RejectReply act) {
84 BOOST_REQUIRE_MESSAGE(!isAccepted && !isRejected,
85 "authorization function should invoke only one continuation");
86 isRejected = true;
87 lastRejectReply = act;
88 });
89
90 this->advanceClocks(time::milliseconds(1), 10);
91 BOOST_REQUIRE_MESSAGE(isAccepted || isRejected,
92 "authorization function should invoke one continuation");
93 return isAccepted;
94 }
95
96protected:
97 shared_ptr<CommandAuthenticator> authenticator;
98 std::unordered_map<std::string, ndn::mgmt::Authorization> authorizations;
99 std::string lastRequester;
100 ndn::mgmt::RejectReply lastRejectReply;
101};
102
103BOOST_AUTO_TEST_SUITE(Mgmt)
104BOOST_FIXTURE_TEST_SUITE(TestCommandAuthenticator, CommandAuthenticatorFixture)
105
106BOOST_AUTO_TEST_CASE(Certs)
107{
108 Name id0("/localhost/CommandAuthenticator/0");
109 Name id1("/localhost/CommandAuthenticator/1");
110 Name id2("/localhost/CommandAuthenticator/2");
111 BOOST_REQUIRE(addIdentity(id0));
112 BOOST_REQUIRE(saveIdentityCertificate(id1, "1.ndncert", true));
113 BOOST_REQUIRE(saveIdentityCertificate(id2, "2.ndncert", true));
114
115 makeModules({"module0", "module1", "module2", "module3", "module4", "module5", "module6", "module7"});
116 const std::string& config = R"CONFIG(
117 authorizations
118 {
119 authorize
120 {
121 certfile any
122 privileges
123 {
124 module1
125 module3
126 module5
127 module7
128 }
129 }
130 authorize
131 {
132 certfile "1.ndncert"
133 privileges
134 {
135 module2
136 module3
137 module6
138 module7
139 }
140 }
141 authorize
142 {
143 certfile "2.ndncert"
144 privileges
145 {
146 module4
147 module5
148 module6
149 module7
150 }
151 }
152 }
153 )CONFIG";
154 loadConfig(config);
155
156 // module0: none
157 BOOST_CHECK_EQUAL(authorize("module0", id0), false);
158 BOOST_CHECK_EQUAL(authorize("module0", id1), false);
159 BOOST_CHECK_EQUAL(authorize("module0", id2), false);
160
161 // module1: any
162 BOOST_CHECK_EQUAL(authorize("module1", id0), true);
163 BOOST_CHECK_EQUAL(authorize("module1", id1), true);
164 BOOST_CHECK_EQUAL(authorize("module1", id2), true);
165
166 // module2: id1
167 BOOST_CHECK_EQUAL(authorize("module2", id0), false);
168 BOOST_CHECK_EQUAL(authorize("module2", id1), true);
169 BOOST_CHECK_EQUAL(authorize("module2", id2), false);
170
171 // module3: any,id1
172 BOOST_CHECK_EQUAL(authorize("module3", id0), true);
173 BOOST_CHECK_EQUAL(authorize("module3", id1), true);
174 BOOST_CHECK_EQUAL(authorize("module3", id2), true);
175
176 // module4: id2
177 BOOST_CHECK_EQUAL(authorize("module4", id0), false);
178 BOOST_CHECK_EQUAL(authorize("module4", id1), false);
179 BOOST_CHECK_EQUAL(authorize("module4", id2), true);
180
181 // module5: any,id2
182 BOOST_CHECK_EQUAL(authorize("module5", id0), true);
183 BOOST_CHECK_EQUAL(authorize("module5", id1), true);
184 BOOST_CHECK_EQUAL(authorize("module5", id2), true);
185
186 // module6: id1,id2
187 BOOST_CHECK_EQUAL(authorize("module6", id0), false);
188 BOOST_CHECK_EQUAL(authorize("module6", id1), true);
189 BOOST_CHECK_EQUAL(authorize("module6", id2), true);
190
191 // module7: any,id1,id2
192 BOOST_CHECK_EQUAL(authorize("module7", id0), true);
193 BOOST_CHECK_EQUAL(authorize("module7", id1), true);
194 BOOST_CHECK_EQUAL(authorize("module7", id2), true);
195}
196
197BOOST_AUTO_TEST_CASE(Requester)
198{
199 Name id0("/localhost/CommandAuthenticator/0");
200 Name id1("/localhost/CommandAuthenticator/1");
201 BOOST_REQUIRE(addIdentity(id0));
202 BOOST_REQUIRE(saveIdentityCertificate(id1, "1.ndncert", true));
203
204 makeModules({"module0", "module1"});
205 const std::string& config = R"CONFIG(
206 authorizations
207 {
208 authorize
209 {
210 certfile any
211 privileges
212 {
213 module0
214 }
215 }
216 authorize
217 {
218 certfile "1.ndncert"
219 privileges
220 {
221 module1
222 }
223 }
224 }
225 )CONFIG";
226 loadConfig(config);
227
228 // module0: any
229 BOOST_CHECK_EQUAL(authorize("module0", id0), true);
230 BOOST_CHECK_EQUAL(lastRequester, "*");
231 BOOST_CHECK_EQUAL(authorize("module0", id1), true);
232 BOOST_CHECK_EQUAL(lastRequester, "*");
233
234 // module1: id1
235 BOOST_CHECK_EQUAL(authorize("module1", id0), false);
236 BOOST_CHECK_EQUAL(authorize("module1", id1), true);
237 BOOST_CHECK(id1.isPrefixOf(lastRequester));
238}
239
240class IdentityAuthorizedFixture : public CommandAuthenticatorFixture
241{
242protected:
243 IdentityAuthorizedFixture()
244 : id1("/localhost/CommandAuthenticator/1")
245 {
246 BOOST_REQUIRE(saveIdentityCertificate(id1, "1.ndncert", true));
247
248 makeModules({"module1"});
249 const std::string& config = R"CONFIG(
250 authorizations
251 {
252 authorize
253 {
254 certfile "1.ndncert"
255 privileges
256 {
257 module1
258 }
259 }
260 }
261 )CONFIG";
262 loadConfig(config);
263 }
264
265 bool
266 authorize1(const function<void(Interest&)>& modifyInterest)
267 {
268 return authorize("module1", id1, modifyInterest);
269 }
270
271protected:
272 Name id1;
273};
274
275BOOST_FIXTURE_TEST_SUITE(Rejects, IdentityAuthorizedFixture)
276
277BOOST_AUTO_TEST_CASE(BadKeyLocator_NameTooShort)
278{
279 BOOST_CHECK_EQUAL(authorize1(
280 [] (Interest& interest) {
281 interest.setName("/prefix");
282 }
283 ), false);
284 BOOST_CHECK(lastRejectReply == ndn::mgmt::RejectReply::SILENT);
285}
286
287BOOST_AUTO_TEST_CASE(BadKeyLocator_BadSigInfo)
288{
289 BOOST_CHECK_EQUAL(authorize1(
290 [] (Interest& interest) {
291 setNameComponent(interest, ndn::signed_interest::POS_SIG_INFO, "not-SignatureInfo");
292 }
293 ), false);
294 BOOST_CHECK(lastRejectReply == ndn::mgmt::RejectReply::SILENT);
295}
296
297BOOST_AUTO_TEST_CASE(BadKeyLocator_MissingKeyLocator)
298{
299 BOOST_CHECK_EQUAL(authorize1(
300 [] (Interest& interest) {
301 ndn::SignatureInfo sigInfo;
302 setNameComponent(interest, ndn::signed_interest::POS_SIG_INFO,
303 sigInfo.wireEncode().begin(), sigInfo.wireEncode().end());
304 }
305 ), false);
306 BOOST_CHECK(lastRejectReply == ndn::mgmt::RejectReply::SILENT);
307}
308
309BOOST_AUTO_TEST_CASE(BadKeyLocator_BadKeyLocatorType)
310{
311 BOOST_CHECK_EQUAL(authorize1(
312 [] (Interest& interest) {
313 ndn::KeyLocator kl;
314 kl.setKeyDigest(ndn::encoding::makeBinaryBlock(tlv::KeyDigest, "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD", 8));
315 ndn::SignatureInfo sigInfo;
316 sigInfo.setKeyLocator(kl);
317 setNameComponent(interest, ndn::signed_interest::POS_SIG_INFO,
318 sigInfo.wireEncode().begin(), sigInfo.wireEncode().end());
319 }
320 ), false);
321 BOOST_CHECK(lastRejectReply == ndn::mgmt::RejectReply::SILENT);
322}
323
324BOOST_AUTO_TEST_CASE(BadKeyLocator_BadCertName)
325{
326 BOOST_CHECK_EQUAL(authorize1(
327 [] (Interest& interest) {
328 ndn::KeyLocator kl;
329 kl.setName("/bad/cert/name");
330 ndn::SignatureInfo sigInfo;
331 sigInfo.setKeyLocator(kl);
332 setNameComponent(interest, ndn::signed_interest::POS_SIG_INFO,
333 sigInfo.wireEncode().begin(), sigInfo.wireEncode().end());
334 }
335 ), false);
336 BOOST_CHECK(lastRejectReply == ndn::mgmt::RejectReply::SILENT);
337}
338
339BOOST_AUTO_TEST_CASE(NotAuthorized)
340{
341 Name id0("/localhost/CommandAuthenticator/0");
342 BOOST_REQUIRE(addIdentity(id0));
343
344 BOOST_CHECK_EQUAL(authorize("module1", id0), false);
345 BOOST_CHECK(lastRejectReply == ndn::mgmt::RejectReply::STATUS403);
346}
347
348BOOST_AUTO_TEST_CASE(BadSig)
349{
350 BOOST_CHECK_EQUAL(authorize1(
351 [] (Interest& interest) {
Alexander Afanasyev635bf202017-03-09 21:57:34 +0000[diff] [blame^]352 setNameComponent(interest, ndn::command_interest::POS_SIG_VALUE, "bad-signature-bits");
Junxiao Shid7631272016-08-17 04:16:31 +0000[diff] [blame]353 }
354 ), false);
355 BOOST_CHECK(lastRejectReply == ndn::mgmt::RejectReply::STATUS403);
356}
357
358BOOST_AUTO_TEST_CASE(InvalidTimestamp)
359{
360 name::Component timestampComp;
361 BOOST_CHECK_EQUAL(authorize1(
362 [&timestampComp] (const Interest& interest) {
Alexander Afanasyev635bf202017-03-09 21:57:34 +0000[diff] [blame^]363 timestampComp = interest.getName().at(ndn::command_interest::POS_TIMESTAMP);
Junxiao Shid7631272016-08-17 04:16:31 +0000[diff] [blame]364 }
365 ), true); // accept first command
366 BOOST_CHECK_EQUAL(authorize1(
367 [&timestampComp] (Interest& interest) {
Alexander Afanasyev635bf202017-03-09 21:57:34 +0000[diff] [blame^]368 setNameComponent(interest, ndn::command_interest::POS_TIMESTAMP, timestampComp);
Junxiao Shid7631272016-08-17 04:16:31 +0000[diff] [blame]369 }
370 ), false); // reject second command because timestamp equals first command
371 BOOST_CHECK(lastRejectReply == ndn::mgmt::RejectReply::STATUS403);
372}
373
374BOOST_AUTO_TEST_SUITE_END() // Rejects
375
376BOOST_AUTO_TEST_SUITE(BadConfig)
377
378BOOST_AUTO_TEST_CASE(EmptyAuthorizationsSection)
379{
380 const std::string& config = R"CONFIG(
381 authorizations
382 {
383 }
384 )CONFIG";
385
386 BOOST_CHECK_THROW(loadConfig(config), ConfigFile::Error);
387}
388
389BOOST_AUTO_TEST_CASE(UnrecognizedKey)
390{
391 const std::string& config = R"CONFIG(
392 authorizations
393 {
394 unrecognized_key
395 {
396 }
397 }
398 )CONFIG";
399
400 BOOST_CHECK_THROW(loadConfig(config), ConfigFile::Error);
401}
402
403BOOST_AUTO_TEST_CASE(CertfileMissing)
404{
405 const std::string& config = R"CONFIG(
406 authorizations
407 {
408 authorize
409 {
410 privileges
411 {
412 }
413 }
414 }
415 )CONFIG";
416
417 BOOST_CHECK_THROW(loadConfig(config), ConfigFile::Error);
418}
419
420BOOST_AUTO_TEST_CASE(CertUnreadable)
421{
422 const std::string& config = R"CONFIG(
423 authorizations
424 {
425 authorize
426 {
427 certfile "1.ndncert"
428 privileges
429 {
430 }
431 }
432 }
433 )CONFIG";
434
435 BOOST_CHECK_THROW(loadConfig(config), ConfigFile::Error);
436}
437
438BOOST_AUTO_TEST_CASE(PrivilegesMissing)
439{
440 const std::string& config = R"CONFIG(
441 authorizations
442 {
443 authorize
444 {
445 certfile any
446 }
447 }
448 )CONFIG";
449
450 BOOST_CHECK_THROW(loadConfig(config), ConfigFile::Error);
451}
452
453BOOST_AUTO_TEST_CASE(UnregisteredModule)
454{
455 const std::string& config = R"CONFIG(
456 authorizations
457 {
458 authorize
459 {
460 certfile any
461 privileges
462 {
463 nosuchmodule
464 }
465 }
466 }
467 )CONFIG";
468
469 BOOST_CHECK_THROW(loadConfig(config), ConfigFile::Error);
470}
471
472BOOST_AUTO_TEST_SUITE_END() // BadConfig
473
474BOOST_AUTO_TEST_SUITE_END() // TestCommandAuthenticator
475BOOST_AUTO_TEST_SUITE_END() // Mgmt
476
477} // namespace tests
478} // namespace nfd