blob: 73358bf6ecbe87a70cf13a06497995eb9bb4c978 [file] [log] [blame]
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/**
* Copyright (c) 2013-2017 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
* ndn-cxx library is free software: you can redistribute it and/or modify it under the
* terms of the GNU Lesser General Public License as published by the Free Software
* Foundation, either version 3 of the License, or (at your option) any later version.
*
* ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
* WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
* PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
*
* You should have received copies of the GNU General Public License and GNU Lesser
* General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
* <http://www.gnu.org/licenses/>.
*
* See AUTHORS.md for complete list of ndn-cxx authors and contributors.
*/
#include "command-interest-validator.hpp"
#include "v1/identity-certificate.hpp"
#include <boost/lexical_cast.hpp>
namespace ndn {
namespace security {
std::ostream&
operator<<(std::ostream& os, CommandInterestValidator::ErrorCode error)
{
switch (error) {
case CommandInterestValidator::ErrorCode::NONE:
return os << "OK";
case CommandInterestValidator::ErrorCode::NAME_TOO_SHORT:
return os << "command Interest name is too short";
case CommandInterestValidator::ErrorCode::BAD_TIMESTAMP:
return os << "cannot parse timestamp";
case CommandInterestValidator::ErrorCode::BAD_SIG_INFO:
return os << "cannot parse SignatureInfo";
case CommandInterestValidator::ErrorCode::MISSING_KEY_LOCATOR:
return os << "KeyLocator is missing";
case CommandInterestValidator::ErrorCode::BAD_KEY_LOCATOR_TYPE:
return os << "KeyLocator type is not Name";
case CommandInterestValidator::ErrorCode::BAD_CERT_NAME:
return os << "cannot parse certificate name";
case CommandInterestValidator::ErrorCode::TIMESTAMP_OUT_OF_GRACE:
return os << "timestamp is out of grace period";
case CommandInterestValidator::ErrorCode::TIMESTAMP_REORDER:
return os << "timestamp is less than or equal to last timestamp";
}
return os;
}
static void
invokeReject(const OnInterestValidationFailed& reject, const Interest& interest,
CommandInterestValidator::ErrorCode error)
{
reject(interest.shared_from_this(), boost::lexical_cast<std::string>(error));
}
CommandInterestValidator::CommandInterestValidator(unique_ptr<Validator> inner,
const Options& options)
: m_inner(std::move(inner))
, m_options(options)
, m_index(m_container.get<0>())
, m_queue(m_container.get<1>())
{
if (m_inner == nullptr) {
BOOST_THROW_EXCEPTION(std::invalid_argument("inner validator is nullptr"));
}
m_options.gracePeriod = std::max(m_options.gracePeriod, time::nanoseconds::zero());
}
void
CommandInterestValidator::checkPolicy(const Interest& interest, int nSteps,
const OnInterestValidated& accept,
const OnInterestValidationFailed& reject,
std::vector<shared_ptr<ValidationRequest>>& nextSteps)
{
BOOST_ASSERT(nSteps == 0);
this->cleanup();
Name keyName;
uint64_t timestamp;
ErrorCode res = this->parseCommandInterest(interest, keyName, timestamp);
if (res != ErrorCode::NONE) {
return invokeReject(reject, interest, res);
}
time::system_clock::TimePoint receiveTime = time::system_clock::now();
m_inner->validate(interest,
[=] (const shared_ptr<const Interest>& interest) {
ErrorCode res = this->checkTimestamp(keyName, timestamp, receiveTime);
if (res != ErrorCode::NONE) {
return invokeReject(reject, *interest, res);
}
accept(interest);
}, reject);
}
void
CommandInterestValidator::cleanup()
{
time::steady_clock::TimePoint expiring = time::steady_clock::now() - m_options.timestampTtl;
while ((!m_queue.empty() && m_queue.front().lastRefreshed <= expiring) ||
(m_options.maxTimestamps >= 0 &&
m_queue.size() > static_cast<size_t>(m_options.maxTimestamps))) {
m_queue.pop_front();
}
}
CommandInterestValidator::ErrorCode
CommandInterestValidator::parseCommandInterest(const Interest& interest, Name& keyName,
uint64_t& timestamp) const
{
const Name& name = interest.getName();
if (name.size() < command_interest::MIN_SIZE) {
return ErrorCode::NAME_TOO_SHORT;
}
const name::Component& timestampComp = name.at(command_interest::POS_TIMESTAMP);
if (!timestampComp.isNumber()) {
return ErrorCode::BAD_TIMESTAMP;
}
timestamp = timestampComp.toNumber();
SignatureInfo sig;
try {
sig.wireDecode(name[signed_interest::POS_SIG_INFO].blockFromValue());
}
catch (const tlv::Error&) {
return ErrorCode::BAD_SIG_INFO;
}
if (!sig.hasKeyLocator()) {
return ErrorCode::MISSING_KEY_LOCATOR;
}
const KeyLocator& keyLocator = sig.getKeyLocator();
if (keyLocator.getType() != KeyLocator::KeyLocator_Name) {
return ErrorCode::BAD_KEY_LOCATOR_TYPE;
}
try {
keyName = v1::IdentityCertificate::certificateNameToPublicKeyName(keyLocator.getName());
}
catch (const v1::IdentityCertificate::Error&) {
return ErrorCode::BAD_CERT_NAME;
}
return ErrorCode::NONE;
}
CommandInterestValidator::ErrorCode
CommandInterestValidator::checkTimestamp(const Name& keyName, uint64_t timestamp,
time::system_clock::TimePoint receiveTime)
{
time::steady_clock::TimePoint now = time::steady_clock::now();
// try to insert new record
Queue::iterator i = m_queue.end();
bool isNew = false;
std::tie(i, isNew) = m_queue.push_back({keyName, timestamp, now});
if (isNew) {
// check grace period
time::system_clock::TimePoint sigTime = time::fromUnixTimestamp(time::milliseconds(timestamp));
if (time::abs(sigTime - receiveTime) > m_options.gracePeriod) {
// out of grace period, delete new record
m_queue.erase(i);
return ErrorCode::TIMESTAMP_OUT_OF_GRACE;
}
}
else {
BOOST_ASSERT(i->keyName == keyName);
// compare timestamp with last timestamp
if (timestamp <= i->timestamp) {
return ErrorCode::TIMESTAMP_REORDER;
}
// set lastRefreshed field, and move to queue tail
m_queue.erase(i);
isNew = m_queue.push_back({keyName, timestamp, now}).second;
BOOST_ASSERT(isNew);
}
return ErrorCode::NONE;
}
void
CommandInterestValidator::checkPolicy(const Data& data, int nSteps,
const OnDataValidated& accept,
const OnDataValidationFailed& reject,
std::vector<shared_ptr<ValidationRequest>>& nextSteps)
{
BOOST_ASSERT(nSteps == 0);
m_inner->validate(data, accept, reject);
}
} // namespace security
} // namespace ndn