blob: 2d82079b28bacc6d0c1d0db3bb909def2dca4d06 [file] [log] [blame]
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -08001/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
2/*
Davide Pesavento0f830802018-01-16 23:58:58 -05003 * Copyright (c) 2013-2018 Regents of the University of California.
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -08004 *
5 * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
6 *
7 * ndn-cxx library is free software: you can redistribute it and/or modify it under the
8 * terms of the GNU Lesser General Public License as published by the Free Software
9 * Foundation, either version 3 of the License, or (at your option) any later version.
10 *
11 * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
12 * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
13 * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
14 *
15 * You should have received copies of the GNU General Public License and GNU Lesser
16 * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
17 * <http://www.gnu.org/licenses/>.
18 *
19 * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
20 */
21
22#include "validation-policy-config.hpp"
23#include "validator.hpp"
24#include "../../util/io.hpp"
25
Davide Pesavento5df42a82018-03-08 20:06:51 -050026#include <boost/algorithm/string/predicate.hpp>
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080027#include <boost/filesystem.hpp>
28#include <boost/lexical_cast.hpp>
29#include <boost/property_tree/info_parser.hpp>
30
Davide Pesavento5df42a82018-03-08 20:06:51 -050031#include <fstream>
32
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080033namespace ndn {
34namespace security {
35namespace v2 {
36namespace validator_config {
37
38ValidationPolicyConfig::ValidationPolicyConfig()
39 : m_shouldBypass(false)
40 , m_isConfigured(false)
41{
42}
43
44void
45ValidationPolicyConfig::load(const std::string& filename)
46{
Davide Pesavento5df42a82018-03-08 20:06:51 -050047 std::ifstream inputFile(filename);
48 if (!inputFile) {
49 BOOST_THROW_EXCEPTION(Error("Failed to read configuration file: " + filename));
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080050 }
51 load(inputFile, filename);
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080052}
53
54void
55ValidationPolicyConfig::load(const std::string& input, const std::string& filename)
56{
57 std::istringstream inputStream(input);
58 load(inputStream, filename);
59}
60
61void
62ValidationPolicyConfig::load(std::istream& input, const std::string& filename)
63{
64 ConfigSection tree;
65 try {
66 boost::property_tree::read_info(input, tree);
67 }
Davide Pesavento5df42a82018-03-08 20:06:51 -050068 catch (const boost::property_tree::info_parser_error& e) {
69 BOOST_THROW_EXCEPTION(Error("Failed to parse configuration file " + filename +
70 " line " + to_string(e.line()) + ": " + e.message()));
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080071 }
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080072 load(tree, filename);
73}
74
75void
Davide Pesavento5df42a82018-03-08 20:06:51 -050076ValidationPolicyConfig::load(const ConfigSection& configSection, const std::string& filename)
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080077{
78 if (m_isConfigured) {
Alexander Afanasyev6aff0242017-08-29 17:14:44 -040079 m_shouldBypass = false;
80 m_dataRules.clear();
81 m_interestRules.clear();
Alexander Afanasyev6aff0242017-08-29 17:14:44 -040082 m_validator->resetAnchors();
83 m_validator->resetVerifiedCertificates();
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080084 }
85 m_isConfigured = true;
86
87 BOOST_ASSERT(!filename.empty());
88
89 if (configSection.begin() == configSection.end()) {
Davide Pesavento5df42a82018-03-08 20:06:51 -050090 BOOST_THROW_EXCEPTION(Error("Error processing configuration file " + filename + ": no data"));
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080091 }
92
93 for (const auto& subSection : configSection) {
94 const std::string& sectionName = subSection.first;
95 const ConfigSection& section = subSection.second;
96
97 if (boost::iequals(sectionName, "rule")) {
98 auto rule = Rule::create(section, filename);
99 if (rule->getPktType() == tlv::Data) {
100 m_dataRules.push_back(std::move(rule));
101 }
102 else if (rule->getPktType() == tlv::Interest) {
103 m_interestRules.push_back(std::move(rule));
104 }
105 }
106 else if (boost::iequals(sectionName, "trust-anchor")) {
107 processConfigTrustAnchor(section, filename);
108 }
109 else {
Davide Pesavento5df42a82018-03-08 20:06:51 -0500110 BOOST_THROW_EXCEPTION(Error("Error processing configuration file " + filename +
111 ": unrecognized section " + sectionName));
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800112 }
113 }
114}
115
116void
Davide Pesavento5df42a82018-03-08 20:06:51 -0500117ValidationPolicyConfig::processConfigTrustAnchor(const ConfigSection& configSection,
118 const std::string& filename)
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800119{
120 using namespace boost::filesystem;
121
Davide Pesavento5df42a82018-03-08 20:06:51 -0500122 auto propertyIt = configSection.begin();
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800123
124 // Get trust-anchor.type
125 if (propertyIt == configSection.end() || !boost::iequals(propertyIt->first, "type")) {
126 BOOST_THROW_EXCEPTION(Error("Expecting <trust-anchor.type>"));
127 }
128
129 std::string type = propertyIt->second.data();
130 propertyIt++;
131
132 if (boost::iequals(type, "file")) {
133 // Get trust-anchor.file
134 if (propertyIt == configSection.end() || !boost::iequals(propertyIt->first, "file-name")) {
135 BOOST_THROW_EXCEPTION(Error("Expecting <trust-anchor.file-name>"));
136 }
137
138 std::string file = propertyIt->second.data();
139 propertyIt++;
140
141 time::nanoseconds refresh = getRefreshPeriod(propertyIt, configSection.end());
Davide Pesavento5df42a82018-03-08 20:06:51 -0500142 if (propertyIt != configSection.end())
143 BOOST_THROW_EXCEPTION(Error("Expecting end of <trust-anchor>"));
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800144
145 m_validator->loadAnchor(filename, absolute(file, path(filename).parent_path()).string(),
146 refresh, false);
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800147 }
148 else if (boost::iequals(type, "base64")) {
149 // Get trust-anchor.base64-string
150 if (propertyIt == configSection.end() || !boost::iequals(propertyIt->first, "base64-string"))
151 BOOST_THROW_EXCEPTION(Error("Expecting <trust-anchor.base64-string>"));
152
153 std::stringstream ss(propertyIt->second.data());
154 propertyIt++;
155
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800156 if (propertyIt != configSection.end())
Davide Pesavento5df42a82018-03-08 20:06:51 -0500157 BOOST_THROW_EXCEPTION(Error("Expecting end of <trust-anchor>"));
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800158
159 auto idCert = io::load<Certificate>(ss);
160 if (idCert != nullptr) {
161 m_validator->loadAnchor("", std::move(*idCert));
162 }
163 else {
164 BOOST_THROW_EXCEPTION(Error("Cannot decode certificate from base64-string"));
165 }
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800166 }
167 else if (boost::iequals(type, "dir")) {
168 if (propertyIt == configSection.end() || !boost::iequals(propertyIt->first, "dir"))
Davide Pesavento5df42a82018-03-08 20:06:51 -0500169 BOOST_THROW_EXCEPTION(Error("Expecting <trust-anchor.dir>"));
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800170
171 std::string dirString(propertyIt->second.data());
172 propertyIt++;
173
174 time::nanoseconds refresh = getRefreshPeriod(propertyIt, configSection.end());
Davide Pesavento5df42a82018-03-08 20:06:51 -0500175 if (propertyIt != configSection.end())
176 BOOST_THROW_EXCEPTION(Error("Expecting end of <trust-anchor>"));
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800177
178 path dirPath = absolute(dirString, path(filename).parent_path());
179 m_validator->loadAnchor(dirString, dirPath.string(), refresh, true);
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800180 }
181 else if (boost::iequals(type, "any")) {
182 m_shouldBypass = true;
183 }
184 else {
Davide Pesavento5df42a82018-03-08 20:06:51 -0500185 BOOST_THROW_EXCEPTION(Error("Unrecognized <trust-anchor.type>: " + type));
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800186 }
187}
188
189time::nanoseconds
190ValidationPolicyConfig::getRefreshPeriod(ConfigSection::const_iterator& it,
191 const ConfigSection::const_iterator& end)
192{
Davide Pesavento5df42a82018-03-08 20:06:51 -0500193 auto refresh = time::nanoseconds::max();
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800194 if (it == end) {
195 return refresh;
196 }
197
198 if (!boost::iequals(it->first, "refresh")) {
199 BOOST_THROW_EXCEPTION(Error("Expecting <trust-anchor.refresh>"));
200 }
201
202 std::string inputString = it->second.data();
203 ++it;
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800204 char unit = inputString[inputString.size() - 1];
205 std::string refreshString = inputString.substr(0, inputString.size() - 1);
206
Davide Pesavento5df42a82018-03-08 20:06:51 -0500207 int32_t refreshPeriod = -1;
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800208 try {
Davide Pesavento5df42a82018-03-08 20:06:51 -0500209 refreshPeriod = boost::lexical_cast<int32_t>(refreshString);
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800210 }
211 catch (const boost::bad_lexical_cast&) {
Davide Pesavento5df42a82018-03-08 20:06:51 -0500212 // pass
213 }
214 if (refreshPeriod < 0) {
215 BOOST_THROW_EXCEPTION(Error("Bad refresh value: " + refreshString));
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800216 }
217
218 if (refreshPeriod == 0) {
219 return getDefaultRefreshPeriod();
220 }
221
222 switch (unit) {
223 case 'h':
Davide Pesavento0f830802018-01-16 23:58:58 -0500224 return time::hours(refreshPeriod);
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800225 case 'm':
Davide Pesavento0f830802018-01-16 23:58:58 -0500226 return time::minutes(refreshPeriod);
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800227 case 's':
Davide Pesavento0f830802018-01-16 23:58:58 -0500228 return time::seconds(refreshPeriod);
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800229 default:
Davide Pesaventodb4da5e2018-06-15 11:37:52 -0400230 BOOST_THROW_EXCEPTION(Error("Bad refresh time unit: "s + unit));
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800231 }
232}
233
234time::nanoseconds
235ValidationPolicyConfig::getDefaultRefreshPeriod()
236{
Davide Pesavento0f830802018-01-16 23:58:58 -0500237 return 1_h;
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800238}
239
240void
241ValidationPolicyConfig::checkPolicy(const Data& data, const shared_ptr<ValidationState>& state,
242 const ValidationContinuation& continueValidation)
243{
244 BOOST_ASSERT_MSG(!hasInnerPolicy(), "ValidationPolicyConfig must be a terminal inner policy");
245
246 if (m_shouldBypass) {
247 return continueValidation(nullptr, state);
248 }
249
250 Name klName = getKeyLocatorName(data, *state);
251 if (!state->getOutcome()) { // already failed
252 return;
253 }
254
255 for (const auto& rule : m_dataRules) {
256 if (rule->match(tlv::Data, data.getName())) {
257 if (rule->check(tlv::Data, data.getName(), klName, state)) {
258 return continueValidation(make_shared<CertificateRequest>(Interest(klName)), state);
259 }
260 // rule->check calls state->fail(...) if the check fails
261 return;
262 }
263 }
264
Davide Pesavento5df42a82018-03-08 20:06:51 -0500265 return state->fail({ValidationError::POLICY_ERROR,
266 "No rule matched for data `" + data.getName().toUri() + "`"});
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800267}
268
269void
270ValidationPolicyConfig::checkPolicy(const Interest& interest, const shared_ptr<ValidationState>& state,
271 const ValidationContinuation& continueValidation)
272{
273 BOOST_ASSERT_MSG(!hasInnerPolicy(), "ValidationPolicyConfig must be a terminal inner policy");
274
275 if (m_shouldBypass) {
276 return continueValidation(nullptr, state);
277 }
278
279 Name klName = getKeyLocatorName(interest, *state);
280 if (!state->getOutcome()) { // already failed
281 return;
282 }
283
284 for (const auto& rule : m_interestRules) {
285 if (rule->match(tlv::Interest, interest.getName())) {
286 if (rule->check(tlv::Interest, interest.getName(), klName, state)) {
287 return continueValidation(make_shared<CertificateRequest>(Interest(klName)), state);
288 }
289 // rule->check calls state->fail(...) if the check fails
290 return;
291 }
292 }
293
Davide Pesavento5df42a82018-03-08 20:06:51 -0500294 return state->fail({ValidationError::POLICY_ERROR,
295 "No rule matched for interest `" + interest.getName().toUri() + "`"});
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800296}
297
298} // namespace validator_config
299} // namespace v2
300} // namespace security
301} // namespace ndn