security: Clean up ValidatorConfig when it is re-loaded.
Refs: #1492
Change-Id: I203a57c0cf18c3c5993abfa9c3c7ca9decbed6c2
diff --git a/src/security/certificate-cache-ttl.cpp b/src/security/certificate-cache-ttl.cpp
deleted file mode 100644
index 4ea644e..0000000
--- a/src/security/certificate-cache-ttl.cpp
+++ /dev/null
@@ -1,77 +0,0 @@
-/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
-/**
- * Copyright (c) 2013-2014, Regents of the University of California.
- * All rights reserved.
- *
- * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
- * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
- *
- * This file licensed under New BSD License. See COPYING for detailed information about
- * ndn-cxx library copyright, permissions, and redistribution restrictions.
- *
- * @author Yingdi Yu <http://irl.cs.ucla.edu/~yingdi/>
- */
-
-#include "common.hpp"
-#include "certificate-cache-ttl.hpp"
-
-using namespace std;
-
-namespace ndn {
-
-CertificateCacheTtl::CertificateCacheTtl(shared_ptr<boost::asio::io_service> io,
- const time::seconds& defaultTtl)
- : m_defaultTtl(defaultTtl)
- , m_scheduler(*io)
-{
-}
-
-CertificateCacheTtl::~CertificateCacheTtl()
-{
-}
-
-void
-CertificateCacheTtl::insertCertificate(shared_ptr<const IdentityCertificate> certificate)
-{
- time::milliseconds expire = (certificate->getFreshnessPeriod() >= time::seconds::zero() ?
- certificate->getFreshnessPeriod() : m_defaultTtl);
-
- Name trackerIndex = certificate->getName().getPrefix(-1);
- EventTracker::iterator it = m_tracker.find(trackerIndex);
- if (it != m_tracker.end())
- m_scheduler.cancelEvent(m_tracker[trackerIndex]);
-
- m_scheduler.scheduleEvent(time::seconds(0),
- bind(&CertificateCacheTtl::insert, this, certificate));
- m_tracker[trackerIndex] = m_scheduler.scheduleEvent(expire,
- bind(&CertificateCacheTtl::remove,
- this, certificate->getName()));
-}
-
-void
-CertificateCacheTtl::insert(shared_ptr<const IdentityCertificate> certificate)
-{
- Name name = certificate->getName().getPrefix(-1);
- m_cache[name] = certificate;
-}
-
-void
-CertificateCacheTtl::remove(const Name& certificateName)
-{
- Name name = certificateName.getPrefix(-1);
- Cache::iterator it = m_cache.find(name);
- if (it != m_cache.end())
- m_cache.erase(it);
-}
-
-shared_ptr<const IdentityCertificate>
-CertificateCacheTtl::getCertificate(const Name& certificateName)
-{
- Cache::iterator it = m_cache.find(certificateName);
- if (it != m_cache.end())
- return it->second;
- else
- return shared_ptr<IdentityCertificate>();
-}
-
-} // namespace ndn
diff --git a/src/security/certificate-cache-ttl.hpp b/src/security/certificate-cache-ttl.hpp
index a86ee5e..4cf20e2 100644
--- a/src/security/certificate-cache-ttl.hpp
+++ b/src/security/certificate-cache-ttl.hpp
@@ -24,35 +24,116 @@
class CertificateCacheTtl : public CertificateCache
{
public:
- CertificateCacheTtl(shared_ptr<boost::asio::io_service> io,
- const time::seconds& defaultTtl = time::seconds(3600));
+ CertificateCacheTtl(boost::asio::io_service& io,
+ const time::seconds& defaultTtl = time::seconds(3600))
+ : m_defaultTtl(defaultTtl)
+ , m_scheduler(io)
+ {
+ }
virtual
- ~CertificateCacheTtl();
+ ~CertificateCacheTtl()
+ {
+ }
- virtual void
+ virtual inline void
insertCertificate(shared_ptr<const IdentityCertificate> certificate);
- virtual shared_ptr<const IdentityCertificate>
+ virtual inline shared_ptr<const IdentityCertificate>
getCertificate(const Name& certificateNameWithoutVersion);
+ virtual inline void
+ reset();
+
+ virtual inline size_t
+ getSize();
+
private:
- void
+ inline void
insert(shared_ptr<const IdentityCertificate> certificate);
- void
+ inline void
remove(const Name& certificateName);
+ inline void
+ removeAll();
+
protected:
- typedef std::map<Name, shared_ptr<const IdentityCertificate> > Cache;
- typedef std::map<Name, EventId> EventTracker;
+ typedef std::map<Name, std::pair<shared_ptr<const IdentityCertificate>, EventId> > Cache;
time::seconds m_defaultTtl;
Cache m_cache;
- EventTracker m_tracker;
Scheduler m_scheduler;
};
+inline void
+CertificateCacheTtl::insertCertificate(shared_ptr<const IdentityCertificate> certificate)
+{
+ m_scheduler.scheduleEvent(time::seconds(0),
+ bind(&CertificateCacheTtl::insert, this, certificate));
+}
+
+inline shared_ptr<const IdentityCertificate>
+CertificateCacheTtl::getCertificate(const Name& certificateName)
+{
+ Cache::iterator it = m_cache.find(certificateName);
+ if (it != m_cache.end())
+ return it->second.first;
+ else
+ return shared_ptr<IdentityCertificate>();
+}
+
+inline void
+CertificateCacheTtl::reset()
+{
+ m_scheduler.scheduleEvent(time::seconds(0),
+ bind(&CertificateCacheTtl::removeAll, this));
+}
+
+inline size_t
+CertificateCacheTtl::getSize()
+{
+ return m_cache.size();
+}
+
+inline void
+CertificateCacheTtl::insert(shared_ptr<const IdentityCertificate> certificate)
+{
+ time::milliseconds expire = (certificate->getFreshnessPeriod() >= time::seconds::zero() ?
+ certificate->getFreshnessPeriod() : m_defaultTtl);
+
+ Name index = certificate->getName().getPrefix(-1);
+
+ Cache::iterator it = m_cache.find(index);
+ if (it != m_cache.end())
+ m_scheduler.cancelEvent(it->second.second);
+
+ EventId eventId = m_scheduler.scheduleEvent(expire,
+ bind(&CertificateCacheTtl::remove,
+ this, certificate->getName()));
+
+ m_cache[index] = std::make_pair(certificate, eventId);
+}
+
+inline void
+CertificateCacheTtl::remove(const Name& certificateName)
+{
+ Name name = certificateName.getPrefix(-1);
+ Cache::iterator it = m_cache.find(name);
+ if (it != m_cache.end())
+ m_cache.erase(it);
+}
+
+inline void
+CertificateCacheTtl::removeAll()
+{
+ for(Cache::iterator it = m_cache.begin(); it != m_cache.end(); it++)
+ m_scheduler.cancelEvent(it->second.second);
+
+ m_cache.clear();
+}
+
+
} // namespace ndn
#endif //NDN_SECURITY_CERTIFICATE_CACHE_TTL_HPP
diff --git a/src/security/certificate-cache.hpp b/src/security/certificate-cache.hpp
index 8f2c068..c22de67 100644
--- a/src/security/certificate-cache.hpp
+++ b/src/security/certificate-cache.hpp
@@ -33,6 +33,18 @@
virtual shared_ptr<const IdentityCertificate>
getCertificate(const Name& certificateNameWithoutVersion) = 0;
+
+ virtual void
+ reset() = 0;
+
+ virtual size_t
+ getSize() = 0;
+
+ bool
+ isEmpty()
+ {
+ return (getSize() == 0);
+ }
};
} // namespace ndn
diff --git a/src/security/validator-config.cpp b/src/security/validator-config.cpp
index aa8ec27..054c843 100644
--- a/src/security/validator-config.cpp
+++ b/src/security/validator-config.cpp
@@ -32,7 +32,7 @@
, m_certificateCache(certificateCache)
{
if (!static_cast<bool>(m_certificateCache))
- m_certificateCache = make_shared<CertificateCacheTtl>(m_face.ioService());
+ m_certificateCache = make_shared<CertificateCacheTtl>(boost::ref(m_face.getIoService()));
}
void
@@ -84,6 +84,8 @@
{
BOOST_ASSERT(!filename.empty());
+ reset();
+
if (configSection.begin() == configSection.end())
{
std::string msg = "Error processing configuration file";
diff --git a/src/security/validator-config.hpp b/src/security/validator-config.hpp
index a5a8af1..e22c446 100644
--- a/src/security/validator-config.hpp
+++ b/src/security/validator-config.hpp
@@ -60,6 +60,12 @@
load(const security::conf::ConfigSection& configSection,
const std::string& filename);
+ inline void
+ reset();
+
+ inline bool
+ isEmpty();
+
protected:
virtual void
checkPolicy(const Data& data,
@@ -122,6 +128,26 @@
AnchorList m_anchors;
};
+inline void
+ValidatorConfig::reset()
+{
+ m_certificateCache->reset();
+ m_interestRules.clear();
+ m_dataRules.clear();
+ m_anchors.clear();
+}
+
+inline bool
+ValidatorConfig::isEmpty()
+{
+ if (m_certificateCache->isEmpty() &&
+ m_interestRules.empty() &&
+ m_dataRules.empty() &&
+ m_anchors.empty())
+ return true;
+ return false;
+}
+
template<class Packet, class OnValidated, class OnFailed>
void
ValidatorConfig::checkSignature(const Packet& packet,
diff --git a/src/security/validator-regex.cpp b/src/security/validator-regex.cpp
index d84f897..c0797c7 100644
--- a/src/security/validator-regex.cpp
+++ b/src/security/validator-regex.cpp
@@ -36,7 +36,7 @@
, m_certificateCache(certificateCache)
{
if (!static_cast<bool>(m_certificateCache))
- m_certificateCache = make_shared<CertificateCacheTtl>(m_face.ioService());
+ m_certificateCache = make_shared<CertificateCacheTtl>(boost::ref(m_face.getIoService()));
}
void
diff --git a/tests-integrated/security/test-validator-config.cpp b/tests-integrated/security/test-validator-config.cpp
index 6a7ffd9..360b056 100644
--- a/tests-integrated/security/test-validator-config.cpp
+++ b/tests-integrated/security/test-validator-config.cpp
@@ -891,7 +891,77 @@
boost::filesystem::remove(CERT_PATH);
}
+BOOST_AUTO_TEST_CASE(Reset)
+{
+ KeyChain keyChain;
+ Name root("/TestValidatorConfig/Reload");
+ Name rootCertName = keyChain.createIdentity(root);
+ shared_ptr<IdentityCertificate> rootCert =
+ keyChain.getCertificate(rootCertName);
+ io::save(*rootCert, "trust-anchor-8.cert");
+
+ Face face;
+
+ const std::string CONFIG =
+ "rule\n"
+ "{\n"
+ " id \"NRD Prefix Registration Command Rule\"\n"
+ " for interest\n"
+ " filter\n"
+ " {\n"
+ " type name\n"
+ " regex ^<localhost><nrd>[<register><unregister><advertise><withdraw>]<>{3}$\n"
+ " }\n"
+ " checker\n"
+ " {\n"
+ " type customized\n"
+ " sig-type rsa-sha256\n"
+ " key-locator\n"
+ " {\n"
+ " type name\n"
+ " regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT>$\n"
+ " }\n"
+ " }\n"
+ "}\n"
+ "rule\n"
+ "{\n"
+ " id \"Testbed Hierarchy Rule\"\n"
+ " for data\n"
+ " filter\n"
+ " {\n"
+ " type name\n"
+ " regex ^[^<KEY>]*<KEY><>*<ksk-.*><ID-CERT><>$\n"
+ " }\n"
+ " checker\n"
+ " {\n"
+ " type hierarchical\n"
+ " sig-type rsa-sha256\n"
+ " }\n"
+ "}\n"
+ "trust-anchor\n"
+ "{\n"
+ " type file\n"
+ " file-name \"trust-anchor-8.cert\"\n"
+ "}\n";
+ const boost::filesystem::path CONFIG_PATH =
+ (boost::filesystem::current_path() / std::string("unit-test-nfd.conf"));
+
+
+ shared_ptr<ValidatorConfig> validator = shared_ptr<ValidatorConfig>(new ValidatorConfig(face));
+
+ validator->load(CONFIG, CONFIG_PATH.native());
+ BOOST_CHECK_EQUAL(validator->isEmpty(), false);
+
+ validator->reset();
+ BOOST_CHECK(validator->isEmpty());
+
+ keyChain.deleteIdentity(root);
+
+ const boost::filesystem::path CERT_PATH =
+ (boost::filesystem::current_path() / std::string("trust-anchor-8.cert"));
+ boost::filesystem::remove(CERT_PATH);
+}
BOOST_AUTO_TEST_SUITE_END()
diff --git a/tests/security/test-certificate-cache.cpp b/tests/security/test-certificate-cache.cpp
index 11b20fb..2f8c1a2 100644
--- a/tests/security/test-certificate-cache.cpp
+++ b/tests/security/test-certificate-cache.cpp
@@ -27,12 +27,19 @@
BOOST_CHECK_EQUAL(static_cast<bool>(cache->getCertificate(name)), cached);
}
+void
+checkSize(shared_ptr<CertificateCacheTtl> cache, size_t size)
+{
+ BOOST_CHECK_EQUAL(cache->getSize(), size);
+}
+
BOOST_AUTO_TEST_CASE (Ttl)
{
- shared_ptr<boost::asio::io_service> io = make_shared<boost::asio::io_service>();
- shared_ptr<CertificateCacheTtl> cache = make_shared<CertificateCacheTtl>(io, time::seconds(1));
- Scheduler scheduler(*io);
+ boost::asio::io_service io;
+ shared_ptr<CertificateCacheTtl> cache =
+ make_shared<CertificateCacheTtl>(boost::ref(io), time::seconds(1));
+ Scheduler scheduler(io);
shared_ptr<IdentityCertificate> cert1 = make_shared<IdentityCertificate>();
Name certName1("/tmp/KEY/ksk-1/ID-CERT/1");
@@ -49,15 +56,33 @@
cache->insertCertificate(cert1);
cache->insertCertificate(cert2);
- scheduler.scheduleEvent(time::milliseconds(200), bind(&getCertificateTtl, cache, name1, true));
- scheduler.scheduleEvent(time::milliseconds(200), bind(&getCertificateTtl, cache, name2, true));
- scheduler.scheduleEvent(time::milliseconds(900), bind(&getCertificateTtl, cache, name1, false));
- scheduler.scheduleEvent(time::milliseconds(900), bind(&getCertificateTtl, cache, name2, true));
- scheduler.scheduleEvent(time::milliseconds(900), bind(&CertificateCache::insertCertificate, cache, cert2));
+ scheduler.scheduleEvent(time::milliseconds(200), bind(&checkSize, cache, 2));
+ scheduler.scheduleEvent(time::milliseconds(200), bind(&getCertificateTtl, cache, name1, true));
+ scheduler.scheduleEvent(time::milliseconds(200), bind(&getCertificateTtl, cache, name2, true));
+
+ // cert1 should removed from the cache
+ scheduler.scheduleEvent(time::milliseconds(900), bind(&checkSize, cache, 1));
+ scheduler.scheduleEvent(time::milliseconds(900), bind(&getCertificateTtl, cache, name1, false));
+ scheduler.scheduleEvent(time::milliseconds(900), bind(&getCertificateTtl, cache, name2, true));
+
+ // Refresh certificate in cache
+ scheduler.scheduleEvent(time::milliseconds(900), bind(&CertificateCache::insertCertificate,
+ cache, cert2));
scheduler.scheduleEvent(time::milliseconds(1500), bind(&getCertificateTtl, cache, name2, true));
scheduler.scheduleEvent(time::milliseconds(2500), bind(&getCertificateTtl, cache, name2, false));
- io->run();
+ // Purge
+ scheduler.scheduleEvent(time::milliseconds(3000), bind(&CertificateCache::insertCertificate,
+ cache, cert1));
+ scheduler.scheduleEvent(time::milliseconds(3000), bind(&CertificateCache::insertCertificate,
+ cache, cert2));
+ scheduler.scheduleEvent(time::milliseconds(3100), bind(&checkSize, cache, 2));
+ scheduler.scheduleEvent(time::milliseconds(3200), bind(&CertificateCache::reset, cache));
+ scheduler.scheduleEvent(time::milliseconds(3300), bind(&getCertificateTtl, cache, name1, false));
+ scheduler.scheduleEvent(time::milliseconds(3300), bind(&getCertificateTtl, cache, name2, false));
+ scheduler.scheduleEvent(time::milliseconds(3400), bind(&checkSize, cache, 0));
+
+ io.run();
}
BOOST_AUTO_TEST_SUITE_END()