blob: 17651e9959735ec317b4e737a59cef099faecbb5 [file] [log] [blame]
Junxiao Shid7631272016-08-17 04:16:31 +00001/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
Davide Pesaventod96744d2018-02-03 19:16:07 -05002/*
Davide Pesaventob7bfcb92022-05-22 23:55:23 -04003 * Copyright (c) 2014-2022, Regents of the University of California,
Junxiao Shid7631272016-08-17 04:16:31 +00004 * Arizona Board of Regents,
5 * Colorado State University,
6 * University Pierre & Marie Curie, Sorbonne University,
7 * Washington University in St. Louis,
8 * Beijing Institute of Technology,
9 * The University of Memphis.
10 *
11 * This file is part of NFD (Named Data Networking Forwarding Daemon).
12 * See AUTHORS.md for complete list of NFD authors and contributors.
13 *
14 * NFD is free software: you can redistribute it and/or modify it under the terms
15 * of the GNU General Public License as published by the Free Software Foundation,
16 * either version 3 of the License, or (at your option) any later version.
17 *
18 * NFD is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
19 * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
20 * PURPOSE. See the GNU General Public License for more details.
21 *
22 * You should have received a copy of the GNU General Public License along with
23 * NFD, e.g., in COPYING.md file. If not, see <http://www.gnu.org/licenses/>.
24 */
25
26#include "command-authenticator.hpp"
Davide Pesavento2cae8ca2019-04-18 20:48:05 -040027#include "common/logger.hpp"
Junxiao Shid7631272016-08-17 04:16:31 +000028
Junxiao Shidbb6b3e2017-07-03 12:42:07 +000029#include <ndn-cxx/tag.hpp>
Alexander Afanasyeva1583702020-06-03 13:55:45 -040030#include <ndn-cxx/security/certificate-fetcher-offline.hpp>
31#include <ndn-cxx/security/certificate-request.hpp>
32#include <ndn-cxx/security/validation-policy.hpp>
33#include <ndn-cxx/security/validation-policy-accept-all.hpp>
34#include <ndn-cxx/security/validation-policy-command-interest.hpp>
Junxiao Shid7631272016-08-17 04:16:31 +000035#include <ndn-cxx/util/io.hpp>
36
37#include <boost/filesystem.hpp>
38
Alexander Afanasyeva1583702020-06-03 13:55:45 -040039namespace security = ndn::security;
Junxiao Shidbb6b3e2017-07-03 12:42:07 +000040
Junxiao Shid7631272016-08-17 04:16:31 +000041namespace nfd {
42
Davide Pesaventoa3148082018-04-12 18:21:54 -040043NFD_LOG_INIT(CommandAuthenticator);
Junxiao Shid7631272016-08-17 04:16:31 +000044// INFO: configuration change, etc
45// DEBUG: per authentication request result
46
Davide Pesaventob83d3df2022-09-13 14:04:34 -040047/**
48 * \brief An Interest tag to store the command signer.
Junxiao Shidbb6b3e2017-07-03 12:42:07 +000049 */
50using SignerTag = ndn::SimpleTag<Name, 20>;
51
Davide Pesaventob83d3df2022-09-13 14:04:34 -040052/**
53 * \brief Obtain signer from a SignerTag attached to \p interest, if available.
Junxiao Shidbb6b3e2017-07-03 12:42:07 +000054 */
Davide Pesaventob7bfcb92022-05-22 23:55:23 -040055static std::optional<std::string>
Junxiao Shidbb6b3e2017-07-03 12:42:07 +000056getSignerFromTag(const Interest& interest)
57{
Davide Pesaventob7bfcb92022-05-22 23:55:23 -040058 auto signerTag = interest.getTag<SignerTag>();
Junxiao Shidbb6b3e2017-07-03 12:42:07 +000059 if (signerTag == nullptr) {
Davide Pesaventob7bfcb92022-05-22 23:55:23 -040060 return std::nullopt;
Junxiao Shidbb6b3e2017-07-03 12:42:07 +000061 }
62 else {
63 return signerTag->get().toUri();
64 }
65}
66
Davide Pesaventob83d3df2022-09-13 14:04:34 -040067/**
68 * \brief A validation policy that only permits Interests signed by a trust anchor.
Junxiao Shidbb6b3e2017-07-03 12:42:07 +000069 */
Davide Pesavento3db98072021-03-09 23:03:27 -050070class CommandAuthenticatorValidationPolicy final : public security::ValidationPolicy
Junxiao Shidbb6b3e2017-07-03 12:42:07 +000071{
72public:
73 void
Alexander Afanasyeva1583702020-06-03 13:55:45 -040074 checkPolicy(const Interest& interest, const shared_ptr<security::ValidationState>& state,
Junxiao Shidbb6b3e2017-07-03 12:42:07 +000075 const ValidationContinuation& continueValidation) final
76 {
Davide Pesaventob83d3df2022-09-13 14:04:34 -040077 auto sigInfo = getSignatureInfo(interest, *state);
78 if (!state->getOutcome()) { // already failed
79 return;
80 }
81 Name klName = getKeyLocatorName(sigInfo, *state);
Junxiao Shidbb6b3e2017-07-03 12:42:07 +000082 if (!state->getOutcome()) { // already failed
83 return;
84 }
85
86 // SignerTag must be placed on the 'original Interest' in ValidationState to be available for
87 // InterestValidationSuccessCallback. The 'interest' parameter refers to a different instance
88 // which is copied into 'original Interest'.
Alexander Afanasyeva1583702020-06-03 13:55:45 -040089 auto state1 = dynamic_pointer_cast<security::InterestValidationState>(state);
Junxiao Shidbb6b3e2017-07-03 12:42:07 +000090 state1->getOriginalInterest().setTag(make_shared<SignerTag>(klName));
91
Davide Pesavento22085362021-03-18 22:08:03 -040092 continueValidation(make_shared<security::CertificateRequest>(klName), state);
Junxiao Shidbb6b3e2017-07-03 12:42:07 +000093 }
94
95 void
Davide Pesavento3db98072021-03-09 23:03:27 -050096 checkPolicy(const Data&, const shared_ptr<security::ValidationState>&,
97 const ValidationContinuation&) final
Junxiao Shidbb6b3e2017-07-03 12:42:07 +000098 {
99 // Non-certificate Data are not handled by CommandAuthenticator.
100 // Non-anchor certificates cannot be retrieved by offline fetcher.
101 BOOST_ASSERT_MSG(false, "Data should not be passed to this policy");
102 }
103};
104
Junxiao Shid7631272016-08-17 04:16:31 +0000105shared_ptr<CommandAuthenticator>
106CommandAuthenticator::create()
107{
Junxiao Shidbb6b3e2017-07-03 12:42:07 +0000108 return shared_ptr<CommandAuthenticator>(new CommandAuthenticator);
Junxiao Shid7631272016-08-17 04:16:31 +0000109}
110
Junxiao Shidbb6b3e2017-07-03 12:42:07 +0000111CommandAuthenticator::CommandAuthenticator() = default;
Junxiao Shid7631272016-08-17 04:16:31 +0000112
113void
114CommandAuthenticator::setConfigFile(ConfigFile& configFile)
115{
Davide Pesavento412c9822021-07-02 00:21:05 -0400116 configFile.addSectionHandler("authorizations", [this] (auto&&... args) {
117 processConfig(std::forward<decltype(args)>(args)...);
118 });
Junxiao Shid7631272016-08-17 04:16:31 +0000119}
120
121void
122CommandAuthenticator::processConfig(const ConfigSection& section, bool isDryRun, const std::string& filename)
123{
124 if (!isDryRun) {
Davide Pesavento22085362021-03-18 22:08:03 -0400125 NFD_LOG_DEBUG("resetting authorizations");
Junxiao Shidbb6b3e2017-07-03 12:42:07 +0000126 for (auto& kv : m_validators) {
Alexander Afanasyeva1583702020-06-03 13:55:45 -0400127 kv.second = make_shared<security::Validator>(
128 make_unique<security::ValidationPolicyCommandInterest>(make_unique<CommandAuthenticatorValidationPolicy>()),
129 make_unique<security::CertificateFetcherOffline>());
Junxiao Shid7631272016-08-17 04:16:31 +0000130 }
131 }
132
133 if (section.empty()) {
Davide Pesavento19779d82019-02-14 13:40:04 -0500134 NDN_THROW(ConfigFile::Error("'authorize' is missing under 'authorizations'"));
Junxiao Shid7631272016-08-17 04:16:31 +0000135 }
136
137 int authSectionIndex = 0;
Davide Pesavento20cafa82022-07-25 01:15:03 -0400138 for (const auto& [sectionName, authSection] : section) {
139 if (sectionName != "authorize") {
140 NDN_THROW(ConfigFile::Error("'" + sectionName + "' section is not permitted under 'authorizations'"));
Junxiao Shid7631272016-08-17 04:16:31 +0000141 }
Junxiao Shid7631272016-08-17 04:16:31 +0000142
143 std::string certfile;
144 try {
145 certfile = authSection.get<std::string>("certfile");
146 }
147 catch (const boost::property_tree::ptree_error&) {
Davide Pesavento19779d82019-02-14 13:40:04 -0500148 NDN_THROW(ConfigFile::Error("'certfile' is missing under authorize[" +
149 to_string(authSectionIndex) + "]"));
Junxiao Shid7631272016-08-17 04:16:31 +0000150 }
151
152 bool isAny = false;
Alexander Afanasyeva1583702020-06-03 13:55:45 -0400153 shared_ptr<security::Certificate> cert;
Junxiao Shid7631272016-08-17 04:16:31 +0000154 if (certfile == "any") {
155 isAny = true;
156 NFD_LOG_WARN("'certfile any' is intended for demo purposes only and "
157 "SHOULD NOT be used in production environments");
158 }
159 else {
160 using namespace boost::filesystem;
161 path certfilePath = absolute(certfile, path(filename).parent_path());
Alexander Afanasyeva1583702020-06-03 13:55:45 -0400162 cert = ndn::io::load<security::Certificate>(certfilePath.string());
Junxiao Shid7631272016-08-17 04:16:31 +0000163 if (cert == nullptr) {
Davide Pesavento19779d82019-02-14 13:40:04 -0500164 NDN_THROW(ConfigFile::Error("cannot load certfile " + certfilePath.string() +
165 " for authorize[" + to_string(authSectionIndex) + "]"));
Junxiao Shid7631272016-08-17 04:16:31 +0000166 }
167 }
168
169 const ConfigSection* privSection = nullptr;
170 try {
171 privSection = &authSection.get_child("privileges");
172 }
173 catch (const boost::property_tree::ptree_error&) {
Davide Pesavento19779d82019-02-14 13:40:04 -0500174 NDN_THROW(ConfigFile::Error("'privileges' is missing under authorize[" +
175 to_string(authSectionIndex) + "]"));
Junxiao Shid7631272016-08-17 04:16:31 +0000176 }
177
178 if (privSection->empty()) {
179 NFD_LOG_WARN("No privileges granted to certificate " << certfile);
180 }
181 for (const auto& kv : *privSection) {
182 const std::string& module = kv.first;
Junxiao Shidbb6b3e2017-07-03 12:42:07 +0000183 auto found = m_validators.find(module);
184 if (found == m_validators.end()) {
Davide Pesavento19779d82019-02-14 13:40:04 -0500185 NDN_THROW(ConfigFile::Error("unknown module '" + module +
186 "' under authorize[" + to_string(authSectionIndex) + "]"));
Junxiao Shid7631272016-08-17 04:16:31 +0000187 }
188
189 if (isDryRun) {
190 continue;
191 }
192
193 if (isAny) {
Alexander Afanasyeva1583702020-06-03 13:55:45 -0400194 found->second = make_shared<security::Validator>(make_unique<security::ValidationPolicyAcceptAll>(),
195 make_unique<security::CertificateFetcherOffline>());
Junxiao Shid7631272016-08-17 04:16:31 +0000196 NFD_LOG_INFO("authorize module=" << module << " signer=any");
197 }
198 else {
Junxiao Shi16a3adf2017-05-26 17:38:51 +0000199 const Name& keyName = cert->getKeyName();
Alexander Afanasyeva1583702020-06-03 13:55:45 -0400200 security::Certificate certCopy = *cert;
Junxiao Shidbb6b3e2017-07-03 12:42:07 +0000201 found->second->loadAnchor(certfile, std::move(certCopy));
Davide Pesavento19779d82019-02-14 13:40:04 -0500202 NFD_LOG_INFO("authorize module=" << module << " signer=" << keyName << " certfile=" << certfile);
Junxiao Shid7631272016-08-17 04:16:31 +0000203 }
204 }
205
206 ++authSectionIndex;
207 }
208}
209
210ndn::mgmt::Authorization
211CommandAuthenticator::makeAuthorization(const std::string& module, const std::string& verb)
212{
Junxiao Shidbb6b3e2017-07-03 12:42:07 +0000213 m_validators[module]; // declares module, so that privilege is recognized
Junxiao Shid7631272016-08-17 04:16:31 +0000214
Davide Pesaventob83d3df2022-09-13 14:04:34 -0400215 return [module, self = shared_from_this()] (const Name&, const Interest& interest,
216 const ndn::mgmt::ControlParameters*,
217 const ndn::mgmt::AcceptContinuation& accept,
218 const ndn::mgmt::RejectContinuation& reject) {
Davide Pesaventod96744d2018-02-03 19:16:07 -0500219 auto validator = self->m_validators.at(module);
Davide Pesavento22085362021-03-18 22:08:03 -0400220
Davide Pesaventod96744d2018-02-03 19:16:07 -0500221 auto successCb = [accept, validator] (const Interest& interest1) {
222 auto signer1 = getSignerFromTag(interest1);
223 BOOST_ASSERT(signer1 || // signer must be available unless 'certfile any'
Alexander Afanasyeva1583702020-06-03 13:55:45 -0400224 dynamic_cast<security::ValidationPolicyAcceptAll*>(&validator->getPolicy()) != nullptr);
Davide Pesaventod96744d2018-02-03 19:16:07 -0500225 std::string signer = signer1.value_or("*");
226 NFD_LOG_DEBUG("accept " << interest1.getName() << " signer=" << signer);
227 accept(signer);
228 };
Davide Pesavento22085362021-03-18 22:08:03 -0400229
Davide Pesaventob83d3df2022-09-13 14:04:34 -0400230 using ndn::security::ValidationError;
231 auto failureCb = [reject] (const Interest& interest1, const ValidationError& err) {
232 auto reply = ndn::mgmt::RejectReply::STATUS403;
233 if (err.getCode() == ValidationError::MALFORMED_SIGNATURE ||
234 err.getCode() == ValidationError::INVALID_KEY_LOCATOR) {
235 // do not waste cycles signing and sending a reply if the command is clearly malformed
236 reply = ndn::mgmt::RejectReply::SILENT;
Davide Pesaventod96744d2018-02-03 19:16:07 -0500237 }
238 NFD_LOG_DEBUG("reject " << interest1.getName() << " signer=" <<
239 getSignerFromTag(interest1).value_or("?") << " reason=" << err);
240 reject(reply);
241 };
242
243 if (validator) {
244 validator->validate(interest, successCb, failureCb);
245 }
246 else {
247 NFD_LOG_DEBUG("reject " << interest.getName() << " signer=" <<
248 getSignerFromTag(interest).value_or("?") << " reason=Unauthorized");
249 reject(ndn::mgmt::RejectReply::STATUS403);
250 }
Junxiao Shid7631272016-08-17 04:16:31 +0000251 };
252}
253
Junxiao Shid7631272016-08-17 04:16:31 +0000254} // namespace nfd