Gitiles
Code Review Sign In
gerrit.named-data.net / ndn-cxx / 502c4c3bd630db275b1fac5feb2f621e5bf18d54 / . / tests / unit / security / validation-policy-config.t.cpp
blob: 07b98e90179729e601f2278ecf4a980a2c6e378d [file] [log] [blame]
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]1/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
2/*
Davide Pesavento47ce2ee2023-05-09 01:33:33 -0400[diff] [blame]3 * Copyright (c) 2013-2023 Regents of the University of California.
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]4 *
5 * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
6 *
7 * ndn-cxx library is free software: you can redistribute it and/or modify it under the
8 * terms of the GNU Lesser General Public License as published by the Free Software
9 * Foundation, either version 3 of the License, or (at your option) any later version.
10 *
11 * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
12 * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
13 * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
14 *
15 * You should have received copies of the GNU General Public License and GNU Lesser
16 * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
17 * <http://www.gnu.org/licenses/>.
18 *
19 * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
20 */
21
Alexander Afanasyev09236c22020-06-03 13:42:38 -0400[diff] [blame]22#include "ndn-cxx/security/validation-policy-config.hpp"
Davide Pesavento4c1ad4c2020-11-16 21:12:02 -0500[diff] [blame]23
Davide Pesavento7e780642018-11-24 15:51:34 -0500[diff] [blame]24#include "ndn-cxx/security/transform/base64-encode.hpp"
25#include "ndn-cxx/security/transform/buffer-source.hpp"
26#include "ndn-cxx/security/transform/stream-sink.hpp"
Davide Pesavento7e780642018-11-24 15:51:34 -0500[diff] [blame]27#include "ndn-cxx/util/io.hpp"
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]28
Davide Pesavento7e780642018-11-24 15:51:34 -0500[diff] [blame]29#include "tests/boost-test.hpp"
Alexander Afanasyev09236c22020-06-03 13:42:38 -0400[diff] [blame]30#include "tests/unit/security/validator-config/common.hpp"
31#include "tests/unit/security/validator-fixture.hpp"
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]32
Davide Pesavento47ce2ee2023-05-09 01:33:33 -0400[diff] [blame]33namespace ndn::tests {
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]34
Davide Pesavento47ce2ee2023-05-09 01:33:33 -0400[diff] [blame]35using ndn::security::ValidationPolicyConfig;
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]36
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]37BOOST_AUTO_TEST_SUITE(Security)
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]38BOOST_AUTO_TEST_SUITE(TestValidationPolicyConfig)
39
Davide Pesavento0a6456c2019-11-14 00:33:11 -0500[diff] [blame]40BOOST_FIXTURE_TEST_CASE(EmptyConfig, HierarchicalValidatorFixture<ValidationPolicyConfig>)
41{
42 this->policy.load(ConfigSection{}, "<empty>");
43
44 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, true);
45 BOOST_CHECK_EQUAL(this->policy.m_shouldBypass, false);
46 BOOST_CHECK_EQUAL(this->policy.m_dataRules.size(), 0);
47 BOOST_CHECK_EQUAL(this->policy.m_interestRules.size(), 0);
48
Alexander Afanasyev09236c22020-06-03 13:42:38 -0400[diff] [blame]49 Data d("/Security/ValidationPolicyConfig/D");
Davide Pesavento0a6456c2019-11-14 00:33:11 -0500[diff] [blame]50 this->m_keyChain.sign(d, signingByIdentity(this->identity));
51 VALIDATE_FAILURE(d, "Empty policy should reject everything");
52
Alexander Afanasyev09236c22020-06-03 13:42:38 -0400[diff] [blame]53 Interest i("/Security/ValidationPolicyConfig/I");
Davide Pesavento0a6456c2019-11-14 00:33:11 -0500[diff] [blame]54 this->m_keyChain.sign(i, signingByIdentity(this->identity));
55 VALIDATE_FAILURE(i, "Empty policy should reject everything");
56}
57
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]58template<typename Packet>
59class PacketName;
60
61template<>
62class PacketName<Interest>
63{
64public:
65 static std::string
66 getName()
67 {
68 return "interest";
69 }
70};
71
72template<>
73class PacketName<Data>
74{
75public:
76 static std::string
77 getName()
78 {
79 return "data";
80 }
81};
82
83template<typename PacketType>
84class ValidationPolicyConfigFixture : public HierarchicalValidatorFixture<ValidationPolicyConfig>
85{
86public:
87 ValidationPolicyConfigFixture()
Davide Pesavento4c1ad4c2020-11-16 21:12:02 -0500[diff] [blame]88 : path(boost::filesystem::path(UNIT_TESTS_TMPDIR) / "security" / "validation-policy-config")
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]89 {
90 boost::filesystem::create_directories(path);
91 baseConfig = R"CONF(
92 rule
93 {
94 id test-rule-id
95 for )CONF" + PacketName<Packet>::getName() + R"CONF(
96 filter
97 {
98 type name
99 name )CONF" + identity.getName().toUri() + R"CONF(
100 relation is-prefix-of
101 }
102 checker
103 {
104 type hierarchical
Alexander Afanasyev17d4b932021-03-17 17:58:40 -0400[diff] [blame]105 sig-type ecdsa-sha256
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]106 }
107 }
108 )CONF";
109 }
110
111 ~ValidationPolicyConfigFixture()
112 {
Davide Pesavento4c1ad4c2020-11-16 21:12:02 -0500[diff] [blame]113 boost::filesystem::remove_all(path);
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]114 }
115
Davide Pesavento0a6456c2019-11-14 00:33:11 -0500[diff] [blame]116protected:
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]117 using Packet = PacketType;
118
119 const boost::filesystem::path path;
120 std::string baseConfig;
121};
122
123template<typename PacketType>
124class LoadStringWithFileAnchor : public ValidationPolicyConfigFixture<PacketType>
125{
126public:
127 LoadStringWithFileAnchor()
128 {
129 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, false);
130
Davide Pesavento4c1ad4c2020-11-16 21:12:02 -0500[diff] [blame]131 this->saveIdentityCert(this->identity, (this->path / "identity.ndncert").string());
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]132 this->policy.load(this->baseConfig + R"CONF(
133 trust-anchor
134 {
135 type file
136 file-name "trust-anchor.ndncert"
137 }
138 )CONF", (this->path / "test-config").string());
139
140 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, true);
141 BOOST_CHECK_EQUAL(this->policy.m_shouldBypass, false);
142 }
143};
144
145template<typename PacketType>
146class LoadFileWithFileAnchor : public ValidationPolicyConfigFixture<PacketType>
147{
148public:
149 LoadFileWithFileAnchor()
150 {
151 std::string configFile = (this->path / "config.conf").string();
152 {
Davide Pesavento0a6456c2019-11-14 00:33:11 -0500[diff] [blame]153 std::ofstream config(configFile);
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]154 config << this->baseConfig << R"CONF(
Davide Pesavento0a6456c2019-11-14 00:33:11 -0500[diff] [blame]155 trust-anchor
156 {
157 type file
158 file-name "trust-anchor.ndncert"
159 }
160 )CONF";
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]161 }
Davide Pesavento0a6456c2019-11-14 00:33:11 -0500[diff] [blame]162
Davide Pesavento4c1ad4c2020-11-16 21:12:02 -0500[diff] [blame]163 this->saveIdentityCert(this->identity, (this->path / "identity.ndncert").string());
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]164
165 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, false);
166
167 this->policy.load(configFile);
168
169 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, true);
170 BOOST_CHECK_EQUAL(this->policy.m_shouldBypass, false);
171 }
172};
173
174template<typename PacketType>
Varun Patil574c3f92020-11-25 09:07:33 +0530[diff] [blame]175class LoadFileWithMultipleFileAnchors : public ValidationPolicyConfigFixture<PacketType>
176{
177public:
178 LoadFileWithMultipleFileAnchors()
179 {
180 std::string configFile = (this->path / "config.conf").string();
181 {
182 std::ofstream config(configFile);
183 config << this->baseConfig << R"CONF(
184 trust-anchor
185 {
186 type file
187 file-name "identity.ndncert"
188 }
189 trust-anchor
190 {
191 type file
192 file-name "trust-anchor.ndncert"
193 }
194 )CONF";
195 }
196
197 this->saveIdentityCert(this->identity, (this->path / "identity.ndncert").string());
198
199 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, false);
200
201 this->policy.load(configFile);
202
203 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, true);
204 BOOST_CHECK_EQUAL(this->policy.m_shouldBypass, false);
205 }
206};
207
208template<typename PacketType>
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]209class LoadSectionWithFileAnchor : public ValidationPolicyConfigFixture<PacketType>
210{
211public:
212 LoadSectionWithFileAnchor()
213 {
214 auto section = makeSection(this->baseConfig + R"CONF(
215 trust-anchor
216 {
217 type file
218 file-name "trust-anchor.ndncert"
219 }
220 )CONF");
221
Davide Pesavento4c1ad4c2020-11-16 21:12:02 -0500[diff] [blame]222 this->saveIdentityCert(this->identity, (this->path / "identity.ndncert").string());
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]223
224 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, false);
225
226 this->policy.load(section, (this->path / "test-config").string());
227
228 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, true);
229 BOOST_CHECK_EQUAL(this->policy.m_shouldBypass, false);
230 }
231};
232
233template<typename PacketType>
234class LoadStringWithBase64Anchor : public ValidationPolicyConfigFixture<PacketType>
235{
236public:
237 LoadStringWithBase64Anchor()
238 {
239 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, false);
240
241 std::ostringstream os;
Davide Pesavento0a6456c2019-11-14 00:33:11 -0500[diff] [blame]242 {
243 using namespace ndn::security::transform;
244 const auto& cert = this->identity.getDefaultKey().getDefaultCertificate().wireEncode();
Davide Pesavento258d51a2022-02-27 21:26:28 -0500[diff] [blame]245 bufferSource(cert) >> base64Encode(false) >> streamSink(os);
Davide Pesavento0a6456c2019-11-14 00:33:11 -0500[diff] [blame]246 }
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]247
248 this->policy.load(this->baseConfig + R"CONF(
249 trust-anchor
250 {
251 type base64
252 base64-string ")CONF" + os.str() + R"CONF("
253 }
254 )CONF", (this->path / "test-config").string());
255
256 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, true);
257 BOOST_CHECK_EQUAL(this->policy.m_shouldBypass, false);
258 }
259};
260
261class NoRefresh
262{
263public:
264 static std::string
265 getRefreshString()
266 {
267 return "";
268 }
269};
270
271class Refresh1h
272{
273public:
274 static std::string
275 getRefreshString()
276 {
277 return "refresh 1h";
278 }
279
280 static time::milliseconds
281 getRefreshTime()
282 {
Davide Pesavento0f830802018-01-16 23:58:58 -0500[diff] [blame]283 return 1_h;
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]284 }
285};
286
287class Refresh1m
288{
289public:
290 static std::string
291 getRefreshString()
292 {
293 return "refresh 1m";
294 }
295
296 static time::milliseconds
297 getRefreshTime()
298 {
Davide Pesavento0f830802018-01-16 23:58:58 -0500[diff] [blame]299 return 1_min;
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]300 }
301};
302
303class Refresh1s
304{
305public:
306 static std::string
307 getRefreshString()
308 {
309 return "refresh 1s";
310 }
311
312 static time::milliseconds
313 getRefreshTime()
314 {
Davide Pesavento0f830802018-01-16 23:58:58 -0500[diff] [blame]315 return 1_s;
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]316 }
317};
318
319template<typename PacketType, typename Refresh = NoRefresh>
320class LoadStringWithDirAnchor : public ValidationPolicyConfigFixture<PacketType>
321{
322public:
323 LoadStringWithDirAnchor()
324 {
325 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, false);
326
327 boost::filesystem::create_directories(this->path / "keys");
Davide Pesavento4c1ad4c2020-11-16 21:12:02 -0500[diff] [blame]328 this->saveIdentityCert(this->identity, (this->path / "keys" / "identity.ndncert").string());
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]329
330 this->policy.load(this->baseConfig + R"CONF(
331 trust-anchor
332 {
333 type dir
334 dir keys
335 )CONF" + Refresh::getRefreshString() + R"CONF(
336 }
337 )CONF", (this->path / "test-config").string());
338
339 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, true);
340 BOOST_CHECK_EQUAL(this->policy.m_shouldBypass, false);
341 }
342};
343
344using DataPolicies = boost::mpl::vector<LoadStringWithFileAnchor<Data>,
345 LoadFileWithFileAnchor<Data>,
Varun Patil574c3f92020-11-25 09:07:33 +0530[diff] [blame]346 LoadFileWithMultipleFileAnchors<Data>,
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]347 LoadSectionWithFileAnchor<Data>,
348 LoadStringWithBase64Anchor<Data>,
349 LoadStringWithDirAnchor<Data>,
350 LoadStringWithDirAnchor<Data, Refresh1h>,
351 LoadStringWithDirAnchor<Data, Refresh1m>,
352 LoadStringWithDirAnchor<Data, Refresh1s>
353 >;
354
355using InterestPolicies = boost::mpl::vector<LoadStringWithFileAnchor<Interest>,
356 LoadFileWithFileAnchor<Interest>,
Varun Patil574c3f92020-11-25 09:07:33 +0530[diff] [blame]357 LoadFileWithMultipleFileAnchors<Interest>,
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]358 LoadSectionWithFileAnchor<Interest>,
359 LoadStringWithBase64Anchor<Interest>,
360 LoadStringWithDirAnchor<Interest>,
361 LoadStringWithDirAnchor<Interest, Refresh1h>,
362 LoadStringWithDirAnchor<Interest, Refresh1m>,
363 LoadStringWithDirAnchor<Interest, Refresh1s>
364 >;
365
366BOOST_FIXTURE_TEST_CASE_TEMPLATE(ValidateData, Policy, DataPolicies, Policy)
367{
368 BOOST_CHECK_EQUAL(this->policy.m_dataRules.size(), 1);
369 BOOST_CHECK_EQUAL(this->policy.m_interestRules.size(), 0);
370
371 using Packet = typename Policy::Packet;
Alexander Afanasyev09236c22020-06-03 13:42:38 -0400[diff] [blame]372 Packet unsignedPacket("/Security/ValidatorFixture/Sub1/Sub2/Packet");
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]373
374 Packet packet = unsignedPacket;
375 VALIDATE_FAILURE(packet, "Unsigned");
376
377 packet = unsignedPacket;
378 this->m_keyChain.sign(packet, signingWithSha256());
Justin Labryaef53b62021-03-10 06:07:27 +0000[diff] [blame]379 VALIDATE_FAILURE(packet, "Should not be accepted, doesn't pass checker /localhost/identity/digest-sha256");
380
381 packet = Packet("/localhost/identity/digest-sha256/foobar");
382 this->m_keyChain.sign(packet, signingWithSha256());
383 VALIDATE_FAILURE(packet, "Should not be accepted, no rule for the name /localhost/identity/digest-sha256");
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]384
385 packet = unsignedPacket;
386 this->m_keyChain.sign(packet, signingByIdentity(this->identity));
387 VALIDATE_SUCCESS(packet, "Should get accepted, as signed by the anchor");
388
389 packet = unsignedPacket;
390 this->m_keyChain.sign(packet, signingByIdentity(this->subIdentity));
391 VALIDATE_SUCCESS(packet, "Should get accepted, as signed by the policy-compliant cert");
392
393 packet = unsignedPacket;
394 this->m_keyChain.sign(packet, signingByIdentity(this->otherIdentity));
395 VALIDATE_FAILURE(packet, "Should fail, as signed by the policy-violating cert");
396
397 packet = unsignedPacket;
398 this->m_keyChain.sign(packet, signingByIdentity(this->subSelfSignedIdentity));
399 VALIDATE_FAILURE(packet, "Should fail, because subSelfSignedIdentity is not a trust anchor");
400}
401
402BOOST_FIXTURE_TEST_CASE_TEMPLATE(ValidateInterest, Policy, InterestPolicies, Policy)
403{
404 BOOST_CHECK_EQUAL(this->policy.m_dataRules.size(), 0);
405 BOOST_CHECK_EQUAL(this->policy.m_interestRules.size(), 1);
406
407 using Packet = typename Policy::Packet;
Alexander Afanasyev09236c22020-06-03 13:42:38 -0400[diff] [blame]408 Packet unsignedPacket("/Security/ValidatorFixture/Sub1/Sub2/Packet");
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]409
410 Packet packet = unsignedPacket;
411 VALIDATE_FAILURE(packet, "Unsigned");
412
413 packet = unsignedPacket;
414 this->m_keyChain.sign(packet, signingWithSha256());
Justin Labryaef53b62021-03-10 06:07:27 +0000[diff] [blame]415 VALIDATE_FAILURE(packet, "Should not be accepted, doesn't pass checker /localhost/identity/digest-sha256");
416
417 packet = Packet("/localhost/identity/digest-sha256/foobar");
418 this->m_keyChain.sign(packet, signingWithSha256());
419 VALIDATE_FAILURE(packet, "Should not be accepted, no rule for the name /localhost/identity/digest-sha256");
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]420
421 packet = unsignedPacket;
422 this->m_keyChain.sign(packet, signingByIdentity(this->identity));
423 VALIDATE_SUCCESS(packet, "Should get accepted, as signed by the anchor");
424
425 packet = unsignedPacket;
426 this->m_keyChain.sign(packet, signingByIdentity(this->subIdentity));
427 VALIDATE_FAILURE(packet, "Should fail, as there is no matching rule for data");
428
429 packet = unsignedPacket;
430 this->m_keyChain.sign(packet, signingByIdentity(this->otherIdentity));
431 VALIDATE_FAILURE(packet, "Should fail, as signed by the policy-violating cert");
432
433 packet = unsignedPacket;
434 this->m_keyChain.sign(packet, signingByIdentity(this->subSelfSignedIdentity));
435 VALIDATE_FAILURE(packet, "Should fail, because subSelfSignedIdentity is not a trust anchor");
436}
437
Justin Labryaef53b62021-03-10 06:07:27 +0000[diff] [blame]438BOOST_FIXTURE_TEST_CASE(DigestSha256, HierarchicalValidatorFixture<ValidationPolicyConfig>)
439{
440 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, false);
441 this->policy.load(R"CONF(
442 rule
443 {
444 id test-rule-data-id
445 for data
446 filter
447 {
448 type name
Alexander Afanasyev17d4b932021-03-17 17:58:40 -0400[diff] [blame]449 name /Security/ValidatorFixture
450 relation is-prefix-of
451 }
452 checker
453 {
454 type customized
455 sig-type sha256
456 }
457 }
458 rule
459 {
460 id test-rule-interest-id
461 for interest
462 filter
463 {
464 type name
465 name /Security/ValidatorFixture
466 relation is-prefix-of
467 }
468 checker
469 {
470 type customized
471 sig-type sha256
472 }
473 }
474 )CONF", "test-config");
475
476
477 Interest interest("/Security/ValidatorFixture/Sub1/Sub2/Packet");
Alexander Afanasyev17d4b932021-03-17 17:58:40 -0400[diff] [blame]478 this->m_keyChain.sign(interest, signingWithSha256());
479 VALIDATE_SUCCESS(interest, "Should be accepted");
480
481 Data data("/Security/ValidatorFixture/Sub1/Sub2/Packet");
482 this->m_keyChain.sign(data, signingWithSha256());
483 VALIDATE_SUCCESS(data, "Should be accepted");
484}
485
486BOOST_FIXTURE_TEST_CASE(DigestSha256WithKeyLocator, HierarchicalValidatorFixture<ValidationPolicyConfig>)
487{
488 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, false);
489 this->policy.load(R"CONF(
490 rule
491 {
492 id test-rule-data-id
493 for data
494 filter
495 {
496 type name
Justin Labryaef53b62021-03-10 06:07:27 +0000[diff] [blame]497 name /localhost/identity/digest-sha256
498 relation is-prefix-of
499 }
500 checker
501 {
502 type customized
503 sig-type sha256
504 key-locator
505 {
506 type name
507 hyper-relation
508 {
509 k-regex ^(<>*)$
510 k-expand \\1
511 h-relation is-prefix-of
512 p-regex ^(<>*)$
513 p-expand \\1
514 }
515 }
516 }
517 }
518 rule
519 {
520 id test-rule-interest-id
521 for interest
522 filter
523 {
524 type name
525 name /localhost/identity/digest-sha256
526 relation is-prefix-of
527 }
528 checker
529 {
530 type customized
531 sig-type sha256
532 key-locator
533 {
534 type name
535 hyper-relation
536 {
537 k-regex ^(<>*)$
538 k-expand \\1
539 h-relation is-prefix-of
540 p-regex ^(<>*)$
541 p-expand \\1
542 }
543 }
544 }
545 }
546 )CONF", "test-config");
547
548
549 Interest interest("/localhost/identity/digest-sha256/foobar");
Justin Labryaef53b62021-03-10 06:07:27 +0000[diff] [blame]550 this->m_keyChain.sign(interest, signingWithSha256());
551 VALIDATE_SUCCESS(interest, "Should be accepted");
552
553 Data data("/localhost/identity/digest-sha256/foobar");
554 this->m_keyChain.sign(data, signingWithSha256());
555 VALIDATE_SUCCESS(data, "Should be accepted");
556}
557
Alexander Afanasyev17d4b932021-03-17 17:58:40 -0400[diff] [blame]558BOOST_FIXTURE_TEST_CASE(SigTypeCheck, HierarchicalValidatorFixture<ValidationPolicyConfig>)
559{
560 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, false);
561 this->policy.load(R"CONF(
562 rule
563 {
564 id test-rule-data-id
565 for data
566 filter
567 {
568 type name
569 name /localhost/identity/digest-sha256
570 relation is-prefix-of
571 }
572 checker
573 {
574 type customized
575 sig-type ecdsa-sha256
576 key-locator
577 {
578 type name
579 hyper-relation
580 {
581 k-regex ^(<>*)$
582 k-expand \\1
583 h-relation is-prefix-of
584 p-regex ^(<>*)$
585 p-expand \\1
586 }
587 }
588 }
589 }
590 rule
591 {
592 id test-rule-interest-id
593 for interest
594 filter
595 {
596 type name
597 name /localhost/identity/digest-sha256
598 relation is-prefix-of
599 }
600 checker
601 {
602 type customized
603 sig-type ecdsa-sha256
604 key-locator
605 {
606 type name
607 hyper-relation
608 {
609 k-regex ^(<>*)$
610 k-expand \\1
611 h-relation is-prefix-of
612 p-regex ^(<>*)$
613 p-expand \\1
614 }
615 }
616 }
617 }
618 )CONF", "test-config");
619
620
621 Interest interest("/localhost/identity/digest-sha256/foobar");
Alexander Afanasyev17d4b932021-03-17 17:58:40 -0400[diff] [blame]622 this->m_keyChain.sign(interest, signingWithSha256());
623 VALIDATE_FAILURE(interest, "Signature type check should fail");
624
625 Data data("/localhost/identity/digest-sha256/foobar");
626 this->m_keyChain.sign(data, signingWithSha256());
627 VALIDATE_FAILURE(data, "Signature type check should fail");
628}
629
Alexander Afanasyev6aff0242017-08-29 17:14:44 -0400[diff] [blame]630BOOST_FIXTURE_TEST_CASE(Reload, HierarchicalValidatorFixture<ValidationPolicyConfig>)
631{
632 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, false);
633 this->policy.load(R"CONF(
634 rule
635 {
636 id test-rule-data-id
637 for data
638 filter
639 {
640 type name
641 name /foo/bar
642 relation is-prefix-of
643 }
644 checker
645 {
646 type hierarchical
Alexander Afanasyev17d4b932021-03-17 17:58:40 -0400[diff] [blame]647 sig-type ecdsa-sha256
Alexander Afanasyev6aff0242017-08-29 17:14:44 -0400[diff] [blame]648 }
649 }
650 rule
651 {
652 id test-rule-interest-id
653 for interest
654 filter
655 {
656 type name
657 name /foo/bar
658 relation is-prefix-of
659 }
660 checker
661 {
662 type hierarchical
Alexander Afanasyev17d4b932021-03-17 17:58:40 -0400[diff] [blame]663 sig-type ecdsa-sha256
Alexander Afanasyev6aff0242017-08-29 17:14:44 -0400[diff] [blame]664 }
665 }
666 trust-anchor
667 {
668 type dir
669 dir keys
670 refresh 1h
671 }
672 )CONF", "test-config");
673 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, true);
674 BOOST_CHECK_EQUAL(this->policy.m_shouldBypass, false);
675 BOOST_CHECK_EQUAL(this->policy.m_dataRules.size(), 1);
676 BOOST_CHECK_EQUAL(this->policy.m_interestRules.size(), 1);
677
678 this->policy.load(R"CONF(
679 trust-anchor
680 {
681 type any
682 }
683 )CONF", "test-config");
684 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, true);
685 BOOST_CHECK_EQUAL(this->policy.m_shouldBypass, true);
686 BOOST_CHECK_EQUAL(this->policy.m_dataRules.size(), 0);
687 BOOST_CHECK_EQUAL(this->policy.m_interestRules.size(), 0);
688}
689
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]690using Packets = boost::mpl::vector<Interest, Data>;
691
692BOOST_FIXTURE_TEST_CASE_TEMPLATE(TrustAnchorWildcard, Packet, Packets, ValidationPolicyConfigFixture<Packet>)
693{
694 this->policy.load(R"CONF(
695 trust-anchor
696 {
697 type any
698 }
699 )CONF", "test-config");
700
701 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, true);
702 BOOST_CHECK_EQUAL(this->policy.m_shouldBypass, true);
703 BOOST_CHECK_EQUAL(this->policy.m_dataRules.size(), 0);
704 BOOST_CHECK_EQUAL(this->policy.m_interestRules.size(), 0);
705
Alexander Afanasyev09236c22020-06-03 13:42:38 -0400[diff] [blame]706 Packet unsignedPacket("/Security/ValidatorFixture/Sub1/Sub2/Packet");
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]707
708 Packet packet = unsignedPacket;
709 VALIDATE_SUCCESS(packet, "Policy should accept everything");
710
711 packet = unsignedPacket;
712 this->m_keyChain.sign(packet, signingWithSha256());
713 VALIDATE_SUCCESS(packet, "Policy should accept everything");
714
715 packet = unsignedPacket;
716 this->m_keyChain.sign(packet, signingByIdentity(this->identity));
717 VALIDATE_SUCCESS(packet, "Policy should accept everything");
718
719 packet = unsignedPacket;
720 this->m_keyChain.sign(packet, signingByIdentity(this->subIdentity));
721 VALIDATE_SUCCESS(packet, "Policy should accept everything");
722
723 packet = unsignedPacket;
724 this->m_keyChain.sign(packet, signingByIdentity(this->otherIdentity));
725 VALIDATE_SUCCESS(packet, "Policy should accept everything");
726
727 packet = unsignedPacket;
728 this->m_keyChain.sign(packet, signingByIdentity(this->subSelfSignedIdentity));
729 VALIDATE_SUCCESS(packet, "Policy should accept everything");
730}
731
Alexander Afanasyev6aff0242017-08-29 17:14:44 -0400[diff] [blame]732using RefreshPolicies = boost::mpl::vector<Refresh1h, Refresh1m, Refresh1s>;
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]733
Alexander Afanasyev6aff0242017-08-29 17:14:44 -0400[diff] [blame]734template<typename RefreshPolicy>
735class RefreshPolicyFixture : public LoadStringWithDirAnchor<Data, RefreshPolicy>
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]736{
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]737};
738
Alexander Afanasyev6aff0242017-08-29 17:14:44 -0400[diff] [blame]739BOOST_FIXTURE_TEST_CASE_TEMPLATE(ValidateRefresh, Refresh, RefreshPolicies, RefreshPolicyFixture<Refresh>)
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]740{
741 using Packet = Data;
Alexander Afanasyev09236c22020-06-03 13:42:38 -0400[diff] [blame]742 Packet unsignedPacket("/Security/ValidatorFixture/Sub1/Sub2/Packet");
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]743
744 boost::filesystem::remove(this->path / "keys" / "identity.ndncert");
Alexander Afanasyev6aff0242017-08-29 17:14:44 -0400[diff] [blame]745 this->advanceClocks(Refresh::getRefreshTime(), 3);
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]746
747 Packet packet = unsignedPacket;
748 this->m_keyChain.sign(packet, signingByIdentity(this->identity));
749 VALIDATE_FAILURE(packet, "Should fail, as the trust anchor should no longer exist");
750
751 packet = unsignedPacket;
752 this->m_keyChain.sign(packet, signingByIdentity(this->subIdentity));
753 VALIDATE_FAILURE(packet, "Should fail, as the trust anchor should no longer exist");
754}
755
Alexander Afanasyev7b112462018-10-17 11:51:52 -0400[diff] [blame]756BOOST_FIXTURE_TEST_CASE(OrphanedPolicyLoad, HierarchicalValidatorFixture<ValidationPolicyConfig>) // Bug #4758
757{
Davide Pesavento47ce2ee2023-05-09 01:33:33 -0400[diff] [blame]758 using ndn::security::validator_config::Error;
759
Alexander Afanasyev7b112462018-10-17 11:51:52 -0400[diff] [blame]760 ValidationPolicyConfig policy1;
761 BOOST_CHECK_THROW(policy1.load("trust-anchor { type any }", "test-config"), Error);
762
763 // Reloading would have triggered a segfault
764 BOOST_CHECK_THROW(policy1.load("trust-anchor { type any }", "test-config"), Error);
765
766 ValidationPolicyConfig policy2;
Davide Pesavento47ce2ee2023-05-09 01:33:33 -0400[diff] [blame]767 const std::string config = R"CONF(
Alexander Afanasyev7b112462018-10-17 11:51:52 -0400[diff] [blame]768 trust-anchor
769 {
770 type dir
771 dir keys
772 refresh 1h
773 }
774 )CONF";
Alexander Afanasyev7b112462018-10-17 11:51:52 -0400[diff] [blame]775 // Inserting trust anchor would have triggered a segfault
776 BOOST_CHECK_THROW(policy2.load(config, "test-config"), Error);
777}
778
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]779BOOST_AUTO_TEST_SUITE_END() // TestValidationPolicyConfig
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800[diff] [blame]780BOOST_AUTO_TEST_SUITE_END() // Security
781
Davide Pesavento47ce2ee2023-05-09 01:33:33 -0400[diff] [blame]782} // namespace ndn::tests