Gitiles
Code Review Sign In
gerrit.named-data.net / NFD / d96744d968f7d4011e582cfbb75f92d9d104703b / . / tests / daemon / mgmt / command-authenticator.t.cpp
blob: ce4ab53153dc5f8c3083b0035436579996214dd5 [file] [log] [blame]
Junxiao Shid7631272016-08-17 04:16:31 +0000[diff] [blame]1/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
Junxiao Shia9079802017-08-26 14:12:30 +0000[diff] [blame]2/*
Davide Pesaventod96744d2018-02-03 19:16:07 -0500[diff] [blame^]3 * Copyright (c) 2014-2018, Regents of the University of California,
Junxiao Shid7631272016-08-17 04:16:31 +0000[diff] [blame]4 * Arizona Board of Regents,
5 * Colorado State University,
6 * University Pierre & Marie Curie, Sorbonne University,
7 * Washington University in St. Louis,
8 * Beijing Institute of Technology,
9 * The University of Memphis.
10 *
11 * This file is part of NFD (Named Data Networking Forwarding Daemon).
12 * See AUTHORS.md for complete list of NFD authors and contributors.
13 *
14 * NFD is free software: you can redistribute it and/or modify it under the terms
15 * of the GNU General Public License as published by the Free Software Foundation,
16 * either version 3 of the License, or (at your option) any later version.
17 *
18 * NFD is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
19 * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
20 * PURPOSE. See the GNU General Public License for more details.
21 *
22 * You should have received a copy of the GNU General Public License along with
23 * NFD, e.g., in COPYING.md file. If not, see <http://www.gnu.org/licenses/>.
24 */
25
26#include "mgmt/command-authenticator.hpp"
Junxiao Shid7631272016-08-17 04:16:31 +0000[diff] [blame]27
28#include "tests/test-common.hpp"
Junxiao Shi8a1f1702017-07-03 00:05:08 +0000[diff] [blame]29#include "tests/manager-common-fixture.hpp"
Junxiao Shid7631272016-08-17 04:16:31 +0000[diff] [blame]30
Junxiao Shia9079802017-08-26 14:12:30 +0000[diff] [blame]31#include <boost/filesystem.hpp>
32
Junxiao Shid7631272016-08-17 04:16:31 +0000[diff] [blame]33namespace nfd {
34namespace tests {
35
Junxiao Shi8a1f1702017-07-03 00:05:08 +0000[diff] [blame]36class CommandAuthenticatorFixture : public CommandInterestSignerFixture
Junxiao Shid7631272016-08-17 04:16:31 +0000[diff] [blame]37{
38protected:
39 CommandAuthenticatorFixture()
40 : authenticator(CommandAuthenticator::create())
41 {
42 }
43
44 void
45 makeModules(std::initializer_list<std::string> modules)
46 {
47 for (const std::string& module : modules) {
48 authorizations.emplace(module, authenticator->makeAuthorization(module, "verb"));
49 }
50 }
51
52 void
53 loadConfig(const std::string& config)
54 {
Davide Pesaventod96744d2018-02-03 19:16:07 -0500[diff] [blame^]55 auto configPath = boost::filesystem::current_path() / "command-authenticator-test.conf";
Junxiao Shid7631272016-08-17 04:16:31 +0000[diff] [blame]56 ConfigFile cf;
57 authenticator->setConfigFile(cf);
58 cf.parse(config, false, configPath.c_str());
59 }
60
61 bool
62 authorize(const std::string& module, const Name& identity,
63 const function<void(Interest&)>& modifyInterest = nullptr)
64 {
Junxiao Shi8a1f1702017-07-03 00:05:08 +0000[diff] [blame]65 Interest interest = this->makeControlCommandRequest(Name("/prefix/" + module + "/verb"),
Davide Pesaventod96744d2018-02-03 19:16:07 -0500[diff] [blame^]66 ControlParameters(), identity);
Junxiao Shid7631272016-08-17 04:16:31 +0000[diff] [blame]67 if (modifyInterest != nullptr) {
Junxiao Shi8a1f1702017-07-03 00:05:08 +0000[diff] [blame]68 modifyInterest(interest);
Junxiao Shid7631272016-08-17 04:16:31 +0000[diff] [blame]69 }
70
71 ndn::mgmt::Authorization authorization = authorizations.at(module);
72
73 bool isAccepted = false;
74 bool isRejected = false;
Junxiao Shi8a1f1702017-07-03 00:05:08 +0000[diff] [blame]75 authorization(Name("/prefix"), interest, nullptr,
Junxiao Shid7631272016-08-17 04:16:31 +0000[diff] [blame]76 [this, &isAccepted, &isRejected] (const std::string& requester) {
77 BOOST_REQUIRE_MESSAGE(!isAccepted && !isRejected,
78 "authorization function should invoke only one continuation");
79 isAccepted = true;
80 lastRequester = requester;
81 },
82 [this, &isAccepted, &isRejected] (ndn::mgmt::RejectReply act) {
83 BOOST_REQUIRE_MESSAGE(!isAccepted && !isRejected,
84 "authorization function should invoke only one continuation");
85 isRejected = true;
86 lastRejectReply = act;
87 });
88
Davide Pesaventod96744d2018-02-03 19:16:07 -0500[diff] [blame^]89 this->advanceClocks(1_ms, 10);
Junxiao Shid7631272016-08-17 04:16:31 +0000[diff] [blame]90 BOOST_REQUIRE_MESSAGE(isAccepted || isRejected,
91 "authorization function should invoke one continuation");
92 return isAccepted;
93 }
94
95protected:
96 shared_ptr<CommandAuthenticator> authenticator;
97 std::unordered_map<std::string, ndn::mgmt::Authorization> authorizations;
98 std::string lastRequester;
99 ndn::mgmt::RejectReply lastRejectReply;
100};
101
102BOOST_AUTO_TEST_SUITE(Mgmt)
103BOOST_FIXTURE_TEST_SUITE(TestCommandAuthenticator, CommandAuthenticatorFixture)
104
105BOOST_AUTO_TEST_CASE(Certs)
106{
107 Name id0("/localhost/CommandAuthenticator/0");
108 Name id1("/localhost/CommandAuthenticator/1");
109 Name id2("/localhost/CommandAuthenticator/2");
110 BOOST_REQUIRE(addIdentity(id0));
111 BOOST_REQUIRE(saveIdentityCertificate(id1, "1.ndncert", true));
112 BOOST_REQUIRE(saveIdentityCertificate(id2, "2.ndncert", true));
113
114 makeModules({"module0", "module1", "module2", "module3", "module4", "module5", "module6", "module7"});
115 const std::string& config = R"CONFIG(
116 authorizations
117 {
118 authorize
119 {
120 certfile any
121 privileges
122 {
123 module1
124 module3
125 module5
126 module7
127 }
128 }
129 authorize
130 {
131 certfile "1.ndncert"
132 privileges
133 {
134 module2
135 module3
136 module6
137 module7
138 }
139 }
140 authorize
141 {
142 certfile "2.ndncert"
143 privileges
144 {
145 module4
146 module5
147 module6
148 module7
149 }
150 }
151 }
152 )CONFIG";
153 loadConfig(config);
154
155 // module0: none
156 BOOST_CHECK_EQUAL(authorize("module0", id0), false);
157 BOOST_CHECK_EQUAL(authorize("module0", id1), false);
158 BOOST_CHECK_EQUAL(authorize("module0", id2), false);
159
160 // module1: any
161 BOOST_CHECK_EQUAL(authorize("module1", id0), true);
162 BOOST_CHECK_EQUAL(authorize("module1", id1), true);
163 BOOST_CHECK_EQUAL(authorize("module1", id2), true);
164
165 // module2: id1
166 BOOST_CHECK_EQUAL(authorize("module2", id0), false);
167 BOOST_CHECK_EQUAL(authorize("module2", id1), true);
168 BOOST_CHECK_EQUAL(authorize("module2", id2), false);
169
170 // module3: any,id1
171 BOOST_CHECK_EQUAL(authorize("module3", id0), true);
172 BOOST_CHECK_EQUAL(authorize("module3", id1), true);
173 BOOST_CHECK_EQUAL(authorize("module3", id2), true);
174
175 // module4: id2
176 BOOST_CHECK_EQUAL(authorize("module4", id0), false);
177 BOOST_CHECK_EQUAL(authorize("module4", id1), false);
178 BOOST_CHECK_EQUAL(authorize("module4", id2), true);
179
180 // module5: any,id2
181 BOOST_CHECK_EQUAL(authorize("module5", id0), true);
182 BOOST_CHECK_EQUAL(authorize("module5", id1), true);
183 BOOST_CHECK_EQUAL(authorize("module5", id2), true);
184
185 // module6: id1,id2
186 BOOST_CHECK_EQUAL(authorize("module6", id0), false);
187 BOOST_CHECK_EQUAL(authorize("module6", id1), true);
188 BOOST_CHECK_EQUAL(authorize("module6", id2), true);
189
190 // module7: any,id1,id2
191 BOOST_CHECK_EQUAL(authorize("module7", id0), true);
192 BOOST_CHECK_EQUAL(authorize("module7", id1), true);
193 BOOST_CHECK_EQUAL(authorize("module7", id2), true);
194}
195
196BOOST_AUTO_TEST_CASE(Requester)
197{
198 Name id0("/localhost/CommandAuthenticator/0");
199 Name id1("/localhost/CommandAuthenticator/1");
200 BOOST_REQUIRE(addIdentity(id0));
201 BOOST_REQUIRE(saveIdentityCertificate(id1, "1.ndncert", true));
202
203 makeModules({"module0", "module1"});
204 const std::string& config = R"CONFIG(
205 authorizations
206 {
207 authorize
208 {
209 certfile any
210 privileges
211 {
212 module0
213 }
214 }
215 authorize
216 {
217 certfile "1.ndncert"
218 privileges
219 {
220 module1
221 }
222 }
223 }
224 )CONFIG";
225 loadConfig(config);
226
227 // module0: any
228 BOOST_CHECK_EQUAL(authorize("module0", id0), true);
229 BOOST_CHECK_EQUAL(lastRequester, "*");
230 BOOST_CHECK_EQUAL(authorize("module0", id1), true);
231 BOOST_CHECK_EQUAL(lastRequester, "*");
232
233 // module1: id1
234 BOOST_CHECK_EQUAL(authorize("module1", id0), false);
235 BOOST_CHECK_EQUAL(authorize("module1", id1), true);
236 BOOST_CHECK(id1.isPrefixOf(lastRequester));
237}
238
239class IdentityAuthorizedFixture : public CommandAuthenticatorFixture
240{
241protected:
242 IdentityAuthorizedFixture()
243 : id1("/localhost/CommandAuthenticator/1")
244 {
245 BOOST_REQUIRE(saveIdentityCertificate(id1, "1.ndncert", true));
246
247 makeModules({"module1"});
248 const std::string& config = R"CONFIG(
249 authorizations
250 {
251 authorize
252 {
253 certfile "1.ndncert"
254 privileges
255 {
256 module1
257 }
258 }
259 }
260 )CONFIG";
261 loadConfig(config);
262 }
263
264 bool
265 authorize1(const function<void(Interest&)>& modifyInterest)
266 {
267 return authorize("module1", id1, modifyInterest);
268 }
269
270protected:
271 Name id1;
272};
273
274BOOST_FIXTURE_TEST_SUITE(Rejects, IdentityAuthorizedFixture)
275
276BOOST_AUTO_TEST_CASE(BadKeyLocator_NameTooShort)
277{
278 BOOST_CHECK_EQUAL(authorize1(
279 [] (Interest& interest) {
280 interest.setName("/prefix");
281 }
282 ), false);
283 BOOST_CHECK(lastRejectReply == ndn::mgmt::RejectReply::SILENT);
284}
285
286BOOST_AUTO_TEST_CASE(BadKeyLocator_BadSigInfo)
287{
288 BOOST_CHECK_EQUAL(authorize1(
289 [] (Interest& interest) {
290 setNameComponent(interest, ndn::signed_interest::POS_SIG_INFO, "not-SignatureInfo");
291 }
292 ), false);
293 BOOST_CHECK(lastRejectReply == ndn::mgmt::RejectReply::SILENT);
294}
295
296BOOST_AUTO_TEST_CASE(BadKeyLocator_MissingKeyLocator)
297{
298 BOOST_CHECK_EQUAL(authorize1(
299 [] (Interest& interest) {
Junxiao Shia9079802017-08-26 14:12:30 +0000[diff] [blame]300 ndn::SignatureInfo sigInfo(tlv::SignatureSha256WithRsa);
Junxiao Shid7631272016-08-17 04:16:31 +0000[diff] [blame]301 setNameComponent(interest, ndn::signed_interest::POS_SIG_INFO,
302 sigInfo.wireEncode().begin(), sigInfo.wireEncode().end());
303 }
304 ), false);
305 BOOST_CHECK(lastRejectReply == ndn::mgmt::RejectReply::SILENT);
306}
307
308BOOST_AUTO_TEST_CASE(BadKeyLocator_BadKeyLocatorType)
309{
310 BOOST_CHECK_EQUAL(authorize1(
311 [] (Interest& interest) {
312 ndn::KeyLocator kl;
313 kl.setKeyDigest(ndn::encoding::makeBinaryBlock(tlv::KeyDigest, "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD", 8));
Junxiao Shia9079802017-08-26 14:12:30 +0000[diff] [blame]314 ndn::SignatureInfo sigInfo(tlv::SignatureSha256WithRsa);
Junxiao Shid7631272016-08-17 04:16:31 +0000[diff] [blame]315 sigInfo.setKeyLocator(kl);
316 setNameComponent(interest, ndn::signed_interest::POS_SIG_INFO,
317 sigInfo.wireEncode().begin(), sigInfo.wireEncode().end());
318 }
319 ), false);
320 BOOST_CHECK(lastRejectReply == ndn::mgmt::RejectReply::SILENT);
321}
322
Junxiao Shid7631272016-08-17 04:16:31 +0000[diff] [blame]323BOOST_AUTO_TEST_CASE(NotAuthorized)
324{
325 Name id0("/localhost/CommandAuthenticator/0");
326 BOOST_REQUIRE(addIdentity(id0));
327
328 BOOST_CHECK_EQUAL(authorize("module1", id0), false);
329 BOOST_CHECK(lastRejectReply == ndn::mgmt::RejectReply::STATUS403);
330}
331
332BOOST_AUTO_TEST_CASE(BadSig)
333{
334 BOOST_CHECK_EQUAL(authorize1(
335 [] (Interest& interest) {
Alexander Afanasyev635bf202017-03-09 21:57:34 +0000[diff] [blame]336 setNameComponent(interest, ndn::command_interest::POS_SIG_VALUE, "bad-signature-bits");
Junxiao Shid7631272016-08-17 04:16:31 +0000[diff] [blame]337 }
338 ), false);
339 BOOST_CHECK(lastRejectReply == ndn::mgmt::RejectReply::STATUS403);
340}
341
342BOOST_AUTO_TEST_CASE(InvalidTimestamp)
343{
344 name::Component timestampComp;
345 BOOST_CHECK_EQUAL(authorize1(
346 [&timestampComp] (const Interest& interest) {
Alexander Afanasyev635bf202017-03-09 21:57:34 +0000[diff] [blame]347 timestampComp = interest.getName().at(ndn::command_interest::POS_TIMESTAMP);
Junxiao Shid7631272016-08-17 04:16:31 +0000[diff] [blame]348 }
349 ), true); // accept first command
350 BOOST_CHECK_EQUAL(authorize1(
351 [&timestampComp] (Interest& interest) {
Alexander Afanasyev635bf202017-03-09 21:57:34 +0000[diff] [blame]352 setNameComponent(interest, ndn::command_interest::POS_TIMESTAMP, timestampComp);
Junxiao Shid7631272016-08-17 04:16:31 +0000[diff] [blame]353 }
354 ), false); // reject second command because timestamp equals first command
355 BOOST_CHECK(lastRejectReply == ndn::mgmt::RejectReply::STATUS403);
356}
357
Davide Pesaventod96744d2018-02-03 19:16:07 -0500[diff] [blame^]358BOOST_FIXTURE_TEST_CASE(MissingAuthorizationsSection, CommandAuthenticatorFixture)
359{
360 Name id0("/localhost/CommandAuthenticator/0");
361 BOOST_REQUIRE(addIdentity(id0));
362
363 makeModules({"module42"});
364 loadConfig("");
365
366 BOOST_CHECK_EQUAL(authorize("module42", id0), false);
367 BOOST_CHECK(lastRejectReply == ndn::mgmt::RejectReply::STATUS403);
368}
369
Junxiao Shid7631272016-08-17 04:16:31 +0000[diff] [blame]370BOOST_AUTO_TEST_SUITE_END() // Rejects
371
372BOOST_AUTO_TEST_SUITE(BadConfig)
373
374BOOST_AUTO_TEST_CASE(EmptyAuthorizationsSection)
375{
376 const std::string& config = R"CONFIG(
377 authorizations
378 {
379 }
380 )CONFIG";
381
382 BOOST_CHECK_THROW(loadConfig(config), ConfigFile::Error);
383}
384
385BOOST_AUTO_TEST_CASE(UnrecognizedKey)
386{
387 const std::string& config = R"CONFIG(
388 authorizations
389 {
390 unrecognized_key
391 {
392 }
393 }
394 )CONFIG";
395
396 BOOST_CHECK_THROW(loadConfig(config), ConfigFile::Error);
397}
398
399BOOST_AUTO_TEST_CASE(CertfileMissing)
400{
401 const std::string& config = R"CONFIG(
402 authorizations
403 {
404 authorize
405 {
406 privileges
407 {
408 }
409 }
410 }
411 )CONFIG";
412
413 BOOST_CHECK_THROW(loadConfig(config), ConfigFile::Error);
414}
415
416BOOST_AUTO_TEST_CASE(CertUnreadable)
417{
418 const std::string& config = R"CONFIG(
419 authorizations
420 {
421 authorize
422 {
423 certfile "1.ndncert"
424 privileges
425 {
426 }
427 }
428 }
429 )CONFIG";
430
431 BOOST_CHECK_THROW(loadConfig(config), ConfigFile::Error);
432}
433
434BOOST_AUTO_TEST_CASE(PrivilegesMissing)
435{
436 const std::string& config = R"CONFIG(
437 authorizations
438 {
439 authorize
440 {
441 certfile any
442 }
443 }
444 )CONFIG";
445
446 BOOST_CHECK_THROW(loadConfig(config), ConfigFile::Error);
447}
448
449BOOST_AUTO_TEST_CASE(UnregisteredModule)
450{
451 const std::string& config = R"CONFIG(
452 authorizations
453 {
454 authorize
455 {
456 certfile any
457 privileges
458 {
459 nosuchmodule
460 }
461 }
462 }
463 )CONFIG";
464
465 BOOST_CHECK_THROW(loadConfig(config), ConfigFile::Error);
466}
467
468BOOST_AUTO_TEST_SUITE_END() // BadConfig
469
470BOOST_AUTO_TEST_SUITE_END() // TestCommandAuthenticator
471BOOST_AUTO_TEST_SUITE_END() // Mgmt
472
473} // namespace tests
474} // namespace nfd