src/util/command-interest-validator.hpp

/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
/**
 * Copyright (C) 2013 Regents of the University of California.
 * See COPYING for copyright and distribution information.
 */

#ifndef NDN_HELPERS_COMMAND_INTEREST_VALIDATOR_HPP
#define NDN_HELPERS_COMMAND_INTEREST_VALIDATOR_HPP

#include "../security/validator.hpp"
#include "../security/identity-certificate.hpp"
#include "../security/sec-rule-specific.hpp"

namespace ndn {

class CommandInterestValidator : public Validator
{
public:
  enum {
    POS_SIG_VALUE = -1,
    POS_SIG_INFO = -2,
    POS_RANDOM_VAL = -3,
    POS_TIMESTAMP = -4,

    GRACE_INTERVAL = 3000 // ms
  };
  
  CommandInterestValidator(int64_t graceInterval = GRACE_INTERVAL/*ms*/) 
  {
    m_graceInterval = (graceInterval < 0 ? GRACE_INTERVAL : graceInterval);
  }

  virtual
  ~CommandInterestValidator()
  {
  }

  void
  addInterestRule(const std::string& regex, const IdentityCertificate& certificate);

  void
  addInterestRule(const std::string& regex, const Name& keyName, const PublicKey& publicKey);

protected:
  virtual void
  checkPolicy (const Data& data, 
               int stepCount, 
               const OnDataValidated &onValidated, 
               const OnDataValidationFailed &onValidationFailed,
               std::vector<shared_ptr<ValidationRequest> > &nextSteps)
  {
    onValidationFailed(data.shared_from_this(), "No policy for data checking");
  }
  
  virtual void
  checkPolicy (const Interest& interest, 
               int stepCount, 
               const OnInterestValidated &onValidated, 
               const OnInterestValidationFailed &onValidationFailed,
               std::vector<shared_ptr<ValidationRequest> > &nextSteps);
private:
  int64_t m_graceInterval; //ms
  std::map<Name, PublicKey> m_trustAnchorsForInterest;
  std::list<SecRuleSpecific> m_trustScopeForInterest;
  std::map<Name, uint64_t> m_lastTimestamp;
};

inline void
CommandInterestValidator::addInterestRule(const std::string& regex, const IdentityCertificate& certificate)
{
  Name keyName = IdentityCertificate::certificateNameToPublicKeyName(certificate.getName());
  addInterestRule(regex, keyName, certificate.getPublicKeyInfo());
}

inline void
CommandInterestValidator::addInterestRule(const std::string& regex, const Name& keyName, const PublicKey& publicKey)
{
  m_trustAnchorsForInterest[keyName] = publicKey;
  shared_ptr<Regex> interestRegex = make_shared<Regex>(regex);
  shared_ptr<Regex> signerRegex = Regex::fromName(keyName, true);
  m_trustScopeForInterest.push_back(SecRuleSpecific(interestRegex, signerRegex));
}

inline void
CommandInterestValidator::checkPolicy (const Interest& interest, 
                                       int stepCount, 
                                       const OnInterestValidated &onValidated, 
                                       const OnInterestValidationFailed &onValidationFailed,
                                       std::vector<shared_ptr<ValidationRequest> > &nextSteps)
{
  const Name& interestName = interest.getName();
  
  //Prepare 
  if (interestName.size() < 4)
    return onValidationFailed(interest.shared_from_this(), 
                              "Interest is not signed: " + interest.getName().toUri());
  
  Signature signature(interestName[POS_SIG_INFO].blockFromValue(), 
                      interestName[POS_SIG_VALUE].blockFromValue());
  
  SignatureSha256WithRsa sig(signature);
  const Name& keyLocatorName = sig.getKeyLocator().getName();
  Name keyName = IdentityCertificate::certificateNameToPublicKeyName(keyLocatorName);
  
  //Check if command is in the trusted scope
  bool inScope = false;  
  for(std::list<SecRuleSpecific>::iterator scopeIt = m_trustScopeForInterest.begin();
      scopeIt != m_trustScopeForInterest.end();
      ++scopeIt)
    {
      if(scopeIt->satisfy(interestName, keyName))
        {
          inScope = true;
          break;
        }
    }
  if(inScope == false)
    return onValidationFailed(interest.shared_from_this(), 
                              "Signer cannot be authorized for the command: " + interest.getName().toUri());

  //Check if timestamp is valid
  uint64_t timestamp = interestName.get(POS_TIMESTAMP).toNumber();
  uint64_t current = static_cast<uint64_t>(time::now()/1000000);
  std::map<Name, uint64_t>::const_iterator timestampIt = m_lastTimestamp.find(keyName);
  if(timestampIt == m_lastTimestamp.end())
    {
      if(timestamp > (current + m_graceInterval) || (timestamp + m_graceInterval) < current)
        return onValidationFailed(interest.shared_from_this(), 
                                  "The command is not in grace interval: " + interest.getName().toUri());
    }
  else 
    {
      if(m_lastTimestamp[keyName] >= timestamp)
        return onValidationFailed(interest.shared_from_this(), 
                                  "The command is outdated: " + interest.getName().toUri());
    }

  //Check signature
  if(!Validator::verifySignature(interestName.wireEncode().value(),
                                 interestName.wireEncode().value_size() - interestName[-1].size(),
                                 sig, m_trustAnchorsForInterest[keyName]))
    return onValidationFailed(interest.shared_from_this(), 
                              "Signature cannot be validated: " + interest.getName().toUri());

  //Update timestamp
  m_lastTimestamp[keyName] = timestamp;

  return onValidated(interest.shared_from_this());
}


} // namespace ndn

#endif // NDN_HELPERS_COMMAND_INTEREST_VALIDATOR_HPP