Gitiles
Code Review Sign In
gerrit.named-data.net / ndn-cxx / 49e1e87b24da0bfdf61c0cd965bfc11164026192 / . / tests / unit / security / validation-policy-config.t.cpp
blob: 031eff03bce248cd2ec4c557fa2842e67da1a1bb [file] [log] [blame]
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]1/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
2/*
Davide Pesavento47ce2ee2023-05-09 01:33:33 -0400[diff] [blame]3 * Copyright (c) 2013-2023 Regents of the University of California.
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]4 *
5 * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
6 *
7 * ndn-cxx library is free software: you can redistribute it and/or modify it under the
8 * terms of the GNU Lesser General Public License as published by the Free Software
9 * Foundation, either version 3 of the License, or (at your option) any later version.
10 *
11 * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
12 * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
13 * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
14 *
15 * You should have received copies of the GNU General Public License and GNU Lesser
16 * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
17 * <http://www.gnu.org/licenses/>.
18 *
19 * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
20 */
21
Alexander Afanasyev09236c22020-06-03 13:42:38 -0400[diff] [blame]22#include "ndn-cxx/security/validation-policy-config.hpp"
Davide Pesavento4c1ad4c2020-11-16 21:12:02 -0500[diff] [blame]23
Davide Pesavento7e780642018-11-24 15:51:34 -0500[diff] [blame]24#include "ndn-cxx/security/transform/base64-encode.hpp"
25#include "ndn-cxx/security/transform/buffer-source.hpp"
26#include "ndn-cxx/security/transform/stream-sink.hpp"
Davide Pesavento7e780642018-11-24 15:51:34 -0500[diff] [blame]27#include "ndn-cxx/util/io.hpp"
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]28
Davide Pesavento7e780642018-11-24 15:51:34 -0500[diff] [blame]29#include "tests/boost-test.hpp"
Alexander Afanasyev09236c22020-06-03 13:42:38 -0400[diff] [blame]30#include "tests/unit/security/validator-config/common.hpp"
31#include "tests/unit/security/validator-fixture.hpp"
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]32
Davide Pesavento49e1e872023-11-11 00:45:23 -0500[diff] [blame^]33#include <boost/mp11/list.hpp>
34
Davide Pesavento47ce2ee2023-05-09 01:33:33 -0400[diff] [blame]35namespace ndn::tests {
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]36
Davide Pesavento47ce2ee2023-05-09 01:33:33 -0400[diff] [blame]37using ndn::security::ValidationPolicyConfig;
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]38
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]39BOOST_AUTO_TEST_SUITE(Security)
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]40BOOST_AUTO_TEST_SUITE(TestValidationPolicyConfig)
41
Davide Pesavento0a6456c2019-11-14 00:33:11 -0500[diff] [blame]42BOOST_FIXTURE_TEST_CASE(EmptyConfig, HierarchicalValidatorFixture<ValidationPolicyConfig>)
43{
44 this->policy.load(ConfigSection{}, "<empty>");
45
46 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, true);
47 BOOST_CHECK_EQUAL(this->policy.m_shouldBypass, false);
48 BOOST_CHECK_EQUAL(this->policy.m_dataRules.size(), 0);
49 BOOST_CHECK_EQUAL(this->policy.m_interestRules.size(), 0);
50
Alexander Afanasyev09236c22020-06-03 13:42:38 -0400[diff] [blame]51 Data d("/Security/ValidationPolicyConfig/D");
Davide Pesavento0a6456c2019-11-14 00:33:11 -0500[diff] [blame]52 this->m_keyChain.sign(d, signingByIdentity(this->identity));
53 VALIDATE_FAILURE(d, "Empty policy should reject everything");
54
Alexander Afanasyev09236c22020-06-03 13:42:38 -0400[diff] [blame]55 Interest i("/Security/ValidationPolicyConfig/I");
Davide Pesavento0a6456c2019-11-14 00:33:11 -0500[diff] [blame]56 this->m_keyChain.sign(i, signingByIdentity(this->identity));
57 VALIDATE_FAILURE(i, "Empty policy should reject everything");
58}
59
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]60template<typename Packet>
61class PacketName;
62
63template<>
64class PacketName<Interest>
65{
66public:
67 static std::string
68 getName()
69 {
70 return "interest";
71 }
72};
73
74template<>
75class PacketName<Data>
76{
77public:
78 static std::string
79 getName()
80 {
81 return "data";
82 }
83};
84
85template<typename PacketType>
86class ValidationPolicyConfigFixture : public HierarchicalValidatorFixture<ValidationPolicyConfig>
87{
88public:
89 ValidationPolicyConfigFixture()
Davide Pesavento4c1ad4c2020-11-16 21:12:02 -0500[diff] [blame]90 : path(boost::filesystem::path(UNIT_TESTS_TMPDIR) / "security" / "validation-policy-config")
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]91 {
92 boost::filesystem::create_directories(path);
93 baseConfig = R"CONF(
94 rule
95 {
96 id test-rule-id
97 for )CONF" + PacketName<Packet>::getName() + R"CONF(
98 filter
99 {
100 type name
101 name )CONF" + identity.getName().toUri() + R"CONF(
102 relation is-prefix-of
103 }
104 checker
105 {
106 type hierarchical
Alexander Afanasyev17d4b932021-03-17 17:58:40 -0400[diff] [blame]107 sig-type ecdsa-sha256
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]108 }
109 }
110 )CONF";
111 }
112
113 ~ValidationPolicyConfigFixture()
114 {
Davide Pesavento4c1ad4c2020-11-16 21:12:02 -0500[diff] [blame]115 boost::filesystem::remove_all(path);
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]116 }
117
Davide Pesavento0a6456c2019-11-14 00:33:11 -0500[diff] [blame]118protected:
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]119 using Packet = PacketType;
120
121 const boost::filesystem::path path;
122 std::string baseConfig;
123};
124
125template<typename PacketType>
126class LoadStringWithFileAnchor : public ValidationPolicyConfigFixture<PacketType>
127{
128public:
129 LoadStringWithFileAnchor()
130 {
131 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, false);
132
Davide Pesavento4c1ad4c2020-11-16 21:12:02 -0500[diff] [blame]133 this->saveIdentityCert(this->identity, (this->path / "identity.ndncert").string());
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]134 this->policy.load(this->baseConfig + R"CONF(
135 trust-anchor
136 {
137 type file
138 file-name "trust-anchor.ndncert"
139 }
140 )CONF", (this->path / "test-config").string());
141
142 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, true);
143 BOOST_CHECK_EQUAL(this->policy.m_shouldBypass, false);
144 }
145};
146
147template<typename PacketType>
148class LoadFileWithFileAnchor : public ValidationPolicyConfigFixture<PacketType>
149{
150public:
151 LoadFileWithFileAnchor()
152 {
153 std::string configFile = (this->path / "config.conf").string();
154 {
Davide Pesavento0a6456c2019-11-14 00:33:11 -0500[diff] [blame]155 std::ofstream config(configFile);
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]156 config << this->baseConfig << R"CONF(
Davide Pesavento0a6456c2019-11-14 00:33:11 -0500[diff] [blame]157 trust-anchor
158 {
159 type file
160 file-name "trust-anchor.ndncert"
161 }
162 )CONF";
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]163 }
Davide Pesavento0a6456c2019-11-14 00:33:11 -0500[diff] [blame]164
Davide Pesavento4c1ad4c2020-11-16 21:12:02 -0500[diff] [blame]165 this->saveIdentityCert(this->identity, (this->path / "identity.ndncert").string());
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]166
167 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, false);
168
169 this->policy.load(configFile);
170
171 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, true);
172 BOOST_CHECK_EQUAL(this->policy.m_shouldBypass, false);
173 }
174};
175
176template<typename PacketType>
Varun Patil574c3f92020-11-25 09:07:33 +0530[diff] [blame]177class LoadFileWithMultipleFileAnchors : public ValidationPolicyConfigFixture<PacketType>
178{
179public:
180 LoadFileWithMultipleFileAnchors()
181 {
182 std::string configFile = (this->path / "config.conf").string();
183 {
184 std::ofstream config(configFile);
185 config << this->baseConfig << R"CONF(
186 trust-anchor
187 {
188 type file
189 file-name "identity.ndncert"
190 }
191 trust-anchor
192 {
193 type file
194 file-name "trust-anchor.ndncert"
195 }
196 )CONF";
197 }
198
199 this->saveIdentityCert(this->identity, (this->path / "identity.ndncert").string());
200
201 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, false);
202
203 this->policy.load(configFile);
204
205 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, true);
206 BOOST_CHECK_EQUAL(this->policy.m_shouldBypass, false);
207 }
208};
209
210template<typename PacketType>
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]211class LoadSectionWithFileAnchor : public ValidationPolicyConfigFixture<PacketType>
212{
213public:
214 LoadSectionWithFileAnchor()
215 {
216 auto section = makeSection(this->baseConfig + R"CONF(
217 trust-anchor
218 {
219 type file
220 file-name "trust-anchor.ndncert"
221 }
222 )CONF");
223
Davide Pesavento4c1ad4c2020-11-16 21:12:02 -0500[diff] [blame]224 this->saveIdentityCert(this->identity, (this->path / "identity.ndncert").string());
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]225
226 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, false);
227
228 this->policy.load(section, (this->path / "test-config").string());
229
230 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, true);
231 BOOST_CHECK_EQUAL(this->policy.m_shouldBypass, false);
232 }
233};
234
235template<typename PacketType>
236class LoadStringWithBase64Anchor : public ValidationPolicyConfigFixture<PacketType>
237{
238public:
239 LoadStringWithBase64Anchor()
240 {
241 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, false);
242
243 std::ostringstream os;
Davide Pesavento0a6456c2019-11-14 00:33:11 -0500[diff] [blame]244 {
245 using namespace ndn::security::transform;
246 const auto& cert = this->identity.getDefaultKey().getDefaultCertificate().wireEncode();
Davide Pesavento258d51a2022-02-27 21:26:28 -0500[diff] [blame]247 bufferSource(cert) >> base64Encode(false) >> streamSink(os);
Davide Pesavento0a6456c2019-11-14 00:33:11 -0500[diff] [blame]248 }
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]249
250 this->policy.load(this->baseConfig + R"CONF(
251 trust-anchor
252 {
253 type base64
254 base64-string ")CONF" + os.str() + R"CONF("
255 }
256 )CONF", (this->path / "test-config").string());
257
258 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, true);
259 BOOST_CHECK_EQUAL(this->policy.m_shouldBypass, false);
260 }
261};
262
263class NoRefresh
264{
265public:
266 static std::string
267 getRefreshString()
268 {
269 return "";
270 }
271};
272
273class Refresh1h
274{
275public:
276 static std::string
277 getRefreshString()
278 {
279 return "refresh 1h";
280 }
281
282 static time::milliseconds
283 getRefreshTime()
284 {
Davide Pesavento0f830802018-01-16 23:58:58 -0500[diff] [blame]285 return 1_h;
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]286 }
287};
288
289class Refresh1m
290{
291public:
292 static std::string
293 getRefreshString()
294 {
295 return "refresh 1m";
296 }
297
298 static time::milliseconds
299 getRefreshTime()
300 {
Davide Pesavento0f830802018-01-16 23:58:58 -0500[diff] [blame]301 return 1_min;
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]302 }
303};
304
305class Refresh1s
306{
307public:
308 static std::string
309 getRefreshString()
310 {
311 return "refresh 1s";
312 }
313
314 static time::milliseconds
315 getRefreshTime()
316 {
Davide Pesavento0f830802018-01-16 23:58:58 -0500[diff] [blame]317 return 1_s;
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]318 }
319};
320
321template<typename PacketType, typename Refresh = NoRefresh>
322class LoadStringWithDirAnchor : public ValidationPolicyConfigFixture<PacketType>
323{
324public:
325 LoadStringWithDirAnchor()
326 {
327 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, false);
328
329 boost::filesystem::create_directories(this->path / "keys");
Davide Pesavento4c1ad4c2020-11-16 21:12:02 -0500[diff] [blame]330 this->saveIdentityCert(this->identity, (this->path / "keys" / "identity.ndncert").string());
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]331
332 this->policy.load(this->baseConfig + R"CONF(
333 trust-anchor
334 {
335 type dir
336 dir keys
337 )CONF" + Refresh::getRefreshString() + R"CONF(
338 }
339 )CONF", (this->path / "test-config").string());
340
341 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, true);
342 BOOST_CHECK_EQUAL(this->policy.m_shouldBypass, false);
343 }
344};
345
Davide Pesavento49e1e872023-11-11 00:45:23 -0500[diff] [blame^]346using DataPolicies = boost::mp11::mp_list<
347 LoadStringWithFileAnchor<Data>,
348 LoadFileWithFileAnchor<Data>,
349 LoadFileWithMultipleFileAnchors<Data>,
350 LoadSectionWithFileAnchor<Data>,
351 LoadStringWithBase64Anchor<Data>,
352 LoadStringWithDirAnchor<Data>,
353 LoadStringWithDirAnchor<Data, Refresh1h>,
354 LoadStringWithDirAnchor<Data, Refresh1m>,
355 LoadStringWithDirAnchor<Data, Refresh1s>
356>;
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]357
Davide Pesavento49e1e872023-11-11 00:45:23 -0500[diff] [blame^]358using InterestPolicies = boost::mp11::mp_list<
359 LoadStringWithFileAnchor<Interest>,
360 LoadFileWithFileAnchor<Interest>,
361 LoadFileWithMultipleFileAnchors<Interest>,
362 LoadSectionWithFileAnchor<Interest>,
363 LoadStringWithBase64Anchor<Interest>,
364 LoadStringWithDirAnchor<Interest>,
365 LoadStringWithDirAnchor<Interest, Refresh1h>,
366 LoadStringWithDirAnchor<Interest, Refresh1m>,
367 LoadStringWithDirAnchor<Interest, Refresh1s>
368>;
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]369
370BOOST_FIXTURE_TEST_CASE_TEMPLATE(ValidateData, Policy, DataPolicies, Policy)
371{
372 BOOST_CHECK_EQUAL(this->policy.m_dataRules.size(), 1);
373 BOOST_CHECK_EQUAL(this->policy.m_interestRules.size(), 0);
374
375 using Packet = typename Policy::Packet;
Alexander Afanasyev09236c22020-06-03 13:42:38 -0400[diff] [blame]376 Packet unsignedPacket("/Security/ValidatorFixture/Sub1/Sub2/Packet");
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]377
378 Packet packet = unsignedPacket;
379 VALIDATE_FAILURE(packet, "Unsigned");
380
381 packet = unsignedPacket;
382 this->m_keyChain.sign(packet, signingWithSha256());
Justin Labryaef53b62021-03-10 06:07:27 +0000[diff] [blame]383 VALIDATE_FAILURE(packet, "Should not be accepted, doesn't pass checker /localhost/identity/digest-sha256");
384
385 packet = Packet("/localhost/identity/digest-sha256/foobar");
386 this->m_keyChain.sign(packet, signingWithSha256());
387 VALIDATE_FAILURE(packet, "Should not be accepted, no rule for the name /localhost/identity/digest-sha256");
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]388
389 packet = unsignedPacket;
390 this->m_keyChain.sign(packet, signingByIdentity(this->identity));
391 VALIDATE_SUCCESS(packet, "Should get accepted, as signed by the anchor");
392
393 packet = unsignedPacket;
394 this->m_keyChain.sign(packet, signingByIdentity(this->subIdentity));
395 VALIDATE_SUCCESS(packet, "Should get accepted, as signed by the policy-compliant cert");
396
397 packet = unsignedPacket;
398 this->m_keyChain.sign(packet, signingByIdentity(this->otherIdentity));
399 VALIDATE_FAILURE(packet, "Should fail, as signed by the policy-violating cert");
400
401 packet = unsignedPacket;
402 this->m_keyChain.sign(packet, signingByIdentity(this->subSelfSignedIdentity));
403 VALIDATE_FAILURE(packet, "Should fail, because subSelfSignedIdentity is not a trust anchor");
404}
405
406BOOST_FIXTURE_TEST_CASE_TEMPLATE(ValidateInterest, Policy, InterestPolicies, Policy)
407{
408 BOOST_CHECK_EQUAL(this->policy.m_dataRules.size(), 0);
409 BOOST_CHECK_EQUAL(this->policy.m_interestRules.size(), 1);
410
411 using Packet = typename Policy::Packet;
Alexander Afanasyev09236c22020-06-03 13:42:38 -0400[diff] [blame]412 Packet unsignedPacket("/Security/ValidatorFixture/Sub1/Sub2/Packet");
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]413
414 Packet packet = unsignedPacket;
415 VALIDATE_FAILURE(packet, "Unsigned");
416
417 packet = unsignedPacket;
418 this->m_keyChain.sign(packet, signingWithSha256());
Justin Labryaef53b62021-03-10 06:07:27 +0000[diff] [blame]419 VALIDATE_FAILURE(packet, "Should not be accepted, doesn't pass checker /localhost/identity/digest-sha256");
420
421 packet = Packet("/localhost/identity/digest-sha256/foobar");
422 this->m_keyChain.sign(packet, signingWithSha256());
423 VALIDATE_FAILURE(packet, "Should not be accepted, no rule for the name /localhost/identity/digest-sha256");
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]424
425 packet = unsignedPacket;
426 this->m_keyChain.sign(packet, signingByIdentity(this->identity));
427 VALIDATE_SUCCESS(packet, "Should get accepted, as signed by the anchor");
428
429 packet = unsignedPacket;
430 this->m_keyChain.sign(packet, signingByIdentity(this->subIdentity));
431 VALIDATE_FAILURE(packet, "Should fail, as there is no matching rule for data");
432
433 packet = unsignedPacket;
434 this->m_keyChain.sign(packet, signingByIdentity(this->otherIdentity));
435 VALIDATE_FAILURE(packet, "Should fail, as signed by the policy-violating cert");
436
437 packet = unsignedPacket;
438 this->m_keyChain.sign(packet, signingByIdentity(this->subSelfSignedIdentity));
439 VALIDATE_FAILURE(packet, "Should fail, because subSelfSignedIdentity is not a trust anchor");
440}
441
Justin Labryaef53b62021-03-10 06:07:27 +0000[diff] [blame]442BOOST_FIXTURE_TEST_CASE(DigestSha256, HierarchicalValidatorFixture<ValidationPolicyConfig>)
443{
444 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, false);
445 this->policy.load(R"CONF(
446 rule
447 {
448 id test-rule-data-id
449 for data
450 filter
451 {
452 type name
Alexander Afanasyev17d4b932021-03-17 17:58:40 -0400[diff] [blame]453 name /Security/ValidatorFixture
454 relation is-prefix-of
455 }
456 checker
457 {
458 type customized
459 sig-type sha256
460 }
461 }
462 rule
463 {
464 id test-rule-interest-id
465 for interest
466 filter
467 {
468 type name
469 name /Security/ValidatorFixture
470 relation is-prefix-of
471 }
472 checker
473 {
474 type customized
475 sig-type sha256
476 }
477 }
478 )CONF", "test-config");
479
480
481 Interest interest("/Security/ValidatorFixture/Sub1/Sub2/Packet");
Alexander Afanasyev17d4b932021-03-17 17:58:40 -0400[diff] [blame]482 this->m_keyChain.sign(interest, signingWithSha256());
483 VALIDATE_SUCCESS(interest, "Should be accepted");
484
485 Data data("/Security/ValidatorFixture/Sub1/Sub2/Packet");
486 this->m_keyChain.sign(data, signingWithSha256());
487 VALIDATE_SUCCESS(data, "Should be accepted");
488}
489
490BOOST_FIXTURE_TEST_CASE(DigestSha256WithKeyLocator, HierarchicalValidatorFixture<ValidationPolicyConfig>)
491{
492 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, false);
493 this->policy.load(R"CONF(
494 rule
495 {
496 id test-rule-data-id
497 for data
498 filter
499 {
500 type name
Justin Labryaef53b62021-03-10 06:07:27 +0000[diff] [blame]501 name /localhost/identity/digest-sha256
502 relation is-prefix-of
503 }
504 checker
505 {
506 type customized
507 sig-type sha256
508 key-locator
509 {
510 type name
511 hyper-relation
512 {
513 k-regex ^(<>*)$
514 k-expand \\1
515 h-relation is-prefix-of
516 p-regex ^(<>*)$
517 p-expand \\1
518 }
519 }
520 }
521 }
522 rule
523 {
524 id test-rule-interest-id
525 for interest
526 filter
527 {
528 type name
529 name /localhost/identity/digest-sha256
530 relation is-prefix-of
531 }
532 checker
533 {
534 type customized
535 sig-type sha256
536 key-locator
537 {
538 type name
539 hyper-relation
540 {
541 k-regex ^(<>*)$
542 k-expand \\1
543 h-relation is-prefix-of
544 p-regex ^(<>*)$
545 p-expand \\1
546 }
547 }
548 }
549 }
550 )CONF", "test-config");
551
552
553 Interest interest("/localhost/identity/digest-sha256/foobar");
Justin Labryaef53b62021-03-10 06:07:27 +0000[diff] [blame]554 this->m_keyChain.sign(interest, signingWithSha256());
555 VALIDATE_SUCCESS(interest, "Should be accepted");
556
557 Data data("/localhost/identity/digest-sha256/foobar");
558 this->m_keyChain.sign(data, signingWithSha256());
559 VALIDATE_SUCCESS(data, "Should be accepted");
560}
561
Alexander Afanasyev17d4b932021-03-17 17:58:40 -0400[diff] [blame]562BOOST_FIXTURE_TEST_CASE(SigTypeCheck, HierarchicalValidatorFixture<ValidationPolicyConfig>)
563{
564 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, false);
565 this->policy.load(R"CONF(
566 rule
567 {
568 id test-rule-data-id
569 for data
570 filter
571 {
572 type name
573 name /localhost/identity/digest-sha256
574 relation is-prefix-of
575 }
576 checker
577 {
578 type customized
579 sig-type ecdsa-sha256
580 key-locator
581 {
582 type name
583 hyper-relation
584 {
585 k-regex ^(<>*)$
586 k-expand \\1
587 h-relation is-prefix-of
588 p-regex ^(<>*)$
589 p-expand \\1
590 }
591 }
592 }
593 }
594 rule
595 {
596 id test-rule-interest-id
597 for interest
598 filter
599 {
600 type name
601 name /localhost/identity/digest-sha256
602 relation is-prefix-of
603 }
604 checker
605 {
606 type customized
607 sig-type ecdsa-sha256
608 key-locator
609 {
610 type name
611 hyper-relation
612 {
613 k-regex ^(<>*)$
614 k-expand \\1
615 h-relation is-prefix-of
616 p-regex ^(<>*)$
617 p-expand \\1
618 }
619 }
620 }
621 }
622 )CONF", "test-config");
623
624
625 Interest interest("/localhost/identity/digest-sha256/foobar");
Alexander Afanasyev17d4b932021-03-17 17:58:40 -0400[diff] [blame]626 this->m_keyChain.sign(interest, signingWithSha256());
627 VALIDATE_FAILURE(interest, "Signature type check should fail");
628
629 Data data("/localhost/identity/digest-sha256/foobar");
630 this->m_keyChain.sign(data, signingWithSha256());
631 VALIDATE_FAILURE(data, "Signature type check should fail");
632}
633
Alexander Afanasyev6aff0242017-08-29 17:14:44 -0400[diff] [blame]634BOOST_FIXTURE_TEST_CASE(Reload, HierarchicalValidatorFixture<ValidationPolicyConfig>)
635{
636 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, false);
637 this->policy.load(R"CONF(
638 rule
639 {
640 id test-rule-data-id
641 for data
642 filter
643 {
644 type name
645 name /foo/bar
646 relation is-prefix-of
647 }
648 checker
649 {
650 type hierarchical
Alexander Afanasyev17d4b932021-03-17 17:58:40 -0400[diff] [blame]651 sig-type ecdsa-sha256
Alexander Afanasyev6aff0242017-08-29 17:14:44 -0400[diff] [blame]652 }
653 }
654 rule
655 {
656 id test-rule-interest-id
657 for interest
658 filter
659 {
660 type name
661 name /foo/bar
662 relation is-prefix-of
663 }
664 checker
665 {
666 type hierarchical
Alexander Afanasyev17d4b932021-03-17 17:58:40 -0400[diff] [blame]667 sig-type ecdsa-sha256
Alexander Afanasyev6aff0242017-08-29 17:14:44 -0400[diff] [blame]668 }
669 }
670 trust-anchor
671 {
672 type dir
673 dir keys
674 refresh 1h
675 }
676 )CONF", "test-config");
677 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, true);
678 BOOST_CHECK_EQUAL(this->policy.m_shouldBypass, false);
679 BOOST_CHECK_EQUAL(this->policy.m_dataRules.size(), 1);
680 BOOST_CHECK_EQUAL(this->policy.m_interestRules.size(), 1);
681
682 this->policy.load(R"CONF(
683 trust-anchor
684 {
685 type any
686 }
687 )CONF", "test-config");
688 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, true);
689 BOOST_CHECK_EQUAL(this->policy.m_shouldBypass, true);
690 BOOST_CHECK_EQUAL(this->policy.m_dataRules.size(), 0);
691 BOOST_CHECK_EQUAL(this->policy.m_interestRules.size(), 0);
692}
693
Davide Pesavento49e1e872023-11-11 00:45:23 -0500[diff] [blame^]694using Packets = boost::mp11::mp_list<Interest, Data>;
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]695
696BOOST_FIXTURE_TEST_CASE_TEMPLATE(TrustAnchorWildcard, Packet, Packets, ValidationPolicyConfigFixture<Packet>)
697{
698 this->policy.load(R"CONF(
699 trust-anchor
700 {
701 type any
702 }
703 )CONF", "test-config");
704
705 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, true);
706 BOOST_CHECK_EQUAL(this->policy.m_shouldBypass, true);
707 BOOST_CHECK_EQUAL(this->policy.m_dataRules.size(), 0);
708 BOOST_CHECK_EQUAL(this->policy.m_interestRules.size(), 0);
709
Alexander Afanasyev09236c22020-06-03 13:42:38 -0400[diff] [blame]710 Packet unsignedPacket("/Security/ValidatorFixture/Sub1/Sub2/Packet");
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]711
712 Packet packet = unsignedPacket;
713 VALIDATE_SUCCESS(packet, "Policy should accept everything");
714
715 packet = unsignedPacket;
716 this->m_keyChain.sign(packet, signingWithSha256());
717 VALIDATE_SUCCESS(packet, "Policy should accept everything");
718
719 packet = unsignedPacket;
720 this->m_keyChain.sign(packet, signingByIdentity(this->identity));
721 VALIDATE_SUCCESS(packet, "Policy should accept everything");
722
723 packet = unsignedPacket;
724 this->m_keyChain.sign(packet, signingByIdentity(this->subIdentity));
725 VALIDATE_SUCCESS(packet, "Policy should accept everything");
726
727 packet = unsignedPacket;
728 this->m_keyChain.sign(packet, signingByIdentity(this->otherIdentity));
729 VALIDATE_SUCCESS(packet, "Policy should accept everything");
730
731 packet = unsignedPacket;
732 this->m_keyChain.sign(packet, signingByIdentity(this->subSelfSignedIdentity));
733 VALIDATE_SUCCESS(packet, "Policy should accept everything");
734}
735
Davide Pesavento49e1e872023-11-11 00:45:23 -0500[diff] [blame^]736using RefreshPolicies = boost::mp11::mp_list<Refresh1h, Refresh1m, Refresh1s>;
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]737
Alexander Afanasyev6aff0242017-08-29 17:14:44 -0400[diff] [blame]738template<typename RefreshPolicy>
739class RefreshPolicyFixture : public LoadStringWithDirAnchor<Data, RefreshPolicy>
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]740{
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]741};
742
Alexander Afanasyev6aff0242017-08-29 17:14:44 -0400[diff] [blame]743BOOST_FIXTURE_TEST_CASE_TEMPLATE(ValidateRefresh, Refresh, RefreshPolicies, RefreshPolicyFixture<Refresh>)
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]744{
745 using Packet = Data;
Alexander Afanasyev09236c22020-06-03 13:42:38 -0400[diff] [blame]746 Packet unsignedPacket("/Security/ValidatorFixture/Sub1/Sub2/Packet");
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]747
748 boost::filesystem::remove(this->path / "keys" / "identity.ndncert");
Alexander Afanasyev6aff0242017-08-29 17:14:44 -0400[diff] [blame]749 this->advanceClocks(Refresh::getRefreshTime(), 3);
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]750
751 Packet packet = unsignedPacket;
752 this->m_keyChain.sign(packet, signingByIdentity(this->identity));
753 VALIDATE_FAILURE(packet, "Should fail, as the trust anchor should no longer exist");
754
755 packet = unsignedPacket;
756 this->m_keyChain.sign(packet, signingByIdentity(this->subIdentity));
757 VALIDATE_FAILURE(packet, "Should fail, as the trust anchor should no longer exist");
758}
759
Alexander Afanasyev7b112462018-10-17 11:51:52 -0400[diff] [blame]760BOOST_FIXTURE_TEST_CASE(OrphanedPolicyLoad, HierarchicalValidatorFixture<ValidationPolicyConfig>) // Bug #4758
761{
Davide Pesavento47ce2ee2023-05-09 01:33:33 -0400[diff] [blame]762 using ndn::security::validator_config::Error;
763
Alexander Afanasyev7b112462018-10-17 11:51:52 -0400[diff] [blame]764 ValidationPolicyConfig policy1;
765 BOOST_CHECK_THROW(policy1.load("trust-anchor { type any }", "test-config"), Error);
766
767 // Reloading would have triggered a segfault
768 BOOST_CHECK_THROW(policy1.load("trust-anchor { type any }", "test-config"), Error);
769
770 ValidationPolicyConfig policy2;
Davide Pesavento47ce2ee2023-05-09 01:33:33 -0400[diff] [blame]771 const std::string config = R"CONF(
Alexander Afanasyev7b112462018-10-17 11:51:52 -0400[diff] [blame]772 trust-anchor
773 {
774 type dir
775 dir keys
776 refresh 1h
777 }
778 )CONF";
Alexander Afanasyev7b112462018-10-17 11:51:52 -0400[diff] [blame]779 // Inserting trust anchor would have triggered a segfault
780 BOOST_CHECK_THROW(policy2.load(config, "test-config"), Error);
781}
782
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]783BOOST_AUTO_TEST_SUITE_END() // TestValidationPolicyConfig
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]784BOOST_AUTO_TEST_SUITE_END() // Security
785
Davide Pesavento47ce2ee2023-05-09 01:33:33 -0400[diff] [blame]786} // namespace ndn::tests