blob: 34412a100358e31b820243c3ad38e3d4d089700d [file] [log] [blame]
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -08001/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
2/*
Davide Pesavento0c526032024-01-31 21:14:01 -05003 * Copyright (c) 2013-2024 Regents of the University of California.
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -08004 *
5 * This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
6 *
7 * ndn-cxx library is free software: you can redistribute it and/or modify it under the
8 * terms of the GNU Lesser General Public License as published by the Free Software
9 * Foundation, either version 3 of the License, or (at your option) any later version.
10 *
11 * ndn-cxx library is distributed in the hope that it will be useful, but WITHOUT ANY
12 * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
13 * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
14 *
15 * You should have received copies of the GNU General Public License and GNU Lesser
16 * General Public License along with ndn-cxx, e.g., in COPYING.md file. If not, see
17 * <http://www.gnu.org/licenses/>.
18 *
19 * See AUTHORS.md for complete list of ndn-cxx authors and contributors.
20 */
21
Alexander Afanasyev09236c22020-06-03 13:42:38 -040022#include "ndn-cxx/security/validation-policy-config.hpp"
Davide Pesavento4c1ad4c2020-11-16 21:12:02 -050023
Davide Pesavento7e780642018-11-24 15:51:34 -050024#include "ndn-cxx/security/transform/base64-encode.hpp"
25#include "ndn-cxx/security/transform/buffer-source.hpp"
26#include "ndn-cxx/security/transform/stream-sink.hpp"
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080027
Davide Pesavento7e780642018-11-24 15:51:34 -050028#include "tests/boost-test.hpp"
Alexander Afanasyev09236c22020-06-03 13:42:38 -040029#include "tests/unit/security/validator-config/common.hpp"
30#include "tests/unit/security/validator-fixture.hpp"
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080031
Davide Pesavento49e1e872023-11-11 00:45:23 -050032#include <boost/mp11/list.hpp>
33
Davide Pesavento47ce2ee2023-05-09 01:33:33 -040034namespace ndn::tests {
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080035
Davide Pesavento47ce2ee2023-05-09 01:33:33 -040036using ndn::security::ValidationPolicyConfig;
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080037
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080038BOOST_AUTO_TEST_SUITE(Security)
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080039BOOST_AUTO_TEST_SUITE(TestValidationPolicyConfig)
40
Davide Pesavento0a6456c2019-11-14 00:33:11 -050041BOOST_FIXTURE_TEST_CASE(EmptyConfig, HierarchicalValidatorFixture<ValidationPolicyConfig>)
42{
43 this->policy.load(ConfigSection{}, "<empty>");
44
45 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, true);
46 BOOST_CHECK_EQUAL(this->policy.m_shouldBypass, false);
47 BOOST_CHECK_EQUAL(this->policy.m_dataRules.size(), 0);
48 BOOST_CHECK_EQUAL(this->policy.m_interestRules.size(), 0);
49
Alexander Afanasyev09236c22020-06-03 13:42:38 -040050 Data d("/Security/ValidationPolicyConfig/D");
Davide Pesavento0a6456c2019-11-14 00:33:11 -050051 this->m_keyChain.sign(d, signingByIdentity(this->identity));
52 VALIDATE_FAILURE(d, "Empty policy should reject everything");
53
Alexander Afanasyev09236c22020-06-03 13:42:38 -040054 Interest i("/Security/ValidationPolicyConfig/I");
Davide Pesavento0a6456c2019-11-14 00:33:11 -050055 this->m_keyChain.sign(i, signingByIdentity(this->identity));
56 VALIDATE_FAILURE(i, "Empty policy should reject everything");
57}
58
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080059template<typename PacketType>
60class ValidationPolicyConfigFixture : public HierarchicalValidatorFixture<ValidationPolicyConfig>
61{
62public:
63 ValidationPolicyConfigFixture()
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080064 {
Davide Pesavento51974f62024-12-21 20:42:45 -050065 std::filesystem::create_directories(path);
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080066 baseConfig = R"CONF(
67 rule
68 {
69 id test-rule-id
Davide Pesavento0c526032024-01-31 21:14:01 -050070 for )CONF" + std::string(getPacketName()) + R"CONF(
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080071 filter
72 {
73 type name
74 name )CONF" + identity.getName().toUri() + R"CONF(
75 relation is-prefix-of
76 }
77 checker
78 {
79 type hierarchical
Alexander Afanasyev17d4b932021-03-17 17:58:40 -040080 sig-type ecdsa-sha256
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080081 }
82 }
83 )CONF";
84 }
85
86 ~ValidationPolicyConfigFixture()
87 {
Davide Pesavento51974f62024-12-21 20:42:45 -050088 std::filesystem::remove_all(path);
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -080089 }
90
Davide Pesavento0c526032024-01-31 21:14:01 -050091private:
92 static constexpr std::string_view
93 getPacketName()
94 {
95 if constexpr (std::is_same_v<PacketType, Interest>)
96 return "interest";
97 else if constexpr (std::is_same_v<PacketType, Data>)
98 return "data";
99 else
100 return "";
101 }
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800102
Davide Pesavento0c526032024-01-31 21:14:01 -0500103protected:
Davide Pesavento51974f62024-12-21 20:42:45 -0500104 const std::filesystem::path path{std::filesystem::path(UNIT_TESTS_TMPDIR) / "security" / "validation-policy-config"};
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800105 std::string baseConfig;
Davide Pesavento0c526032024-01-31 21:14:01 -0500106
107 using Packet = PacketType;
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800108};
109
110template<typename PacketType>
111class LoadStringWithFileAnchor : public ValidationPolicyConfigFixture<PacketType>
112{
113public:
114 LoadStringWithFileAnchor()
115 {
116 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, false);
117
Davide Pesavento51974f62024-12-21 20:42:45 -0500118 this->saveIdentityCert(this->identity, this->path / "identity.ndncert");
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800119 this->policy.load(this->baseConfig + R"CONF(
120 trust-anchor
121 {
122 type file
123 file-name "trust-anchor.ndncert"
124 }
Davide Pesavento51974f62024-12-21 20:42:45 -0500125 )CONF", this->path / "test-config");
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800126
127 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, true);
128 BOOST_CHECK_EQUAL(this->policy.m_shouldBypass, false);
129 }
130};
131
132template<typename PacketType>
133class LoadFileWithFileAnchor : public ValidationPolicyConfigFixture<PacketType>
134{
135public:
136 LoadFileWithFileAnchor()
137 {
Davide Pesavento51974f62024-12-21 20:42:45 -0500138 auto configFile = this->path / "config.conf";
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800139 {
Davide Pesavento0a6456c2019-11-14 00:33:11 -0500140 std::ofstream config(configFile);
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800141 config << this->baseConfig << R"CONF(
Davide Pesavento0a6456c2019-11-14 00:33:11 -0500142 trust-anchor
143 {
144 type file
145 file-name "trust-anchor.ndncert"
146 }
147 )CONF";
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800148 }
Davide Pesavento0a6456c2019-11-14 00:33:11 -0500149
Davide Pesavento51974f62024-12-21 20:42:45 -0500150 this->saveIdentityCert(this->identity, this->path / "identity.ndncert");
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800151
152 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, false);
153
154 this->policy.load(configFile);
155
156 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, true);
157 BOOST_CHECK_EQUAL(this->policy.m_shouldBypass, false);
158 }
159};
160
161template<typename PacketType>
Varun Patil574c3f92020-11-25 09:07:33 +0530162class LoadFileWithMultipleFileAnchors : public ValidationPolicyConfigFixture<PacketType>
163{
164public:
165 LoadFileWithMultipleFileAnchors()
166 {
Davide Pesavento51974f62024-12-21 20:42:45 -0500167 auto configFile = this->path / "config.conf";
Varun Patil574c3f92020-11-25 09:07:33 +0530168 {
169 std::ofstream config(configFile);
170 config << this->baseConfig << R"CONF(
171 trust-anchor
172 {
173 type file
174 file-name "identity.ndncert"
175 }
176 trust-anchor
177 {
178 type file
179 file-name "trust-anchor.ndncert"
180 }
181 )CONF";
182 }
183
Davide Pesavento51974f62024-12-21 20:42:45 -0500184 this->saveIdentityCert(this->identity, this->path / "identity.ndncert");
Varun Patil574c3f92020-11-25 09:07:33 +0530185
186 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, false);
187
188 this->policy.load(configFile);
189
190 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, true);
191 BOOST_CHECK_EQUAL(this->policy.m_shouldBypass, false);
192 }
193};
194
195template<typename PacketType>
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800196class LoadSectionWithFileAnchor : public ValidationPolicyConfigFixture<PacketType>
197{
198public:
199 LoadSectionWithFileAnchor()
200 {
201 auto section = makeSection(this->baseConfig + R"CONF(
202 trust-anchor
203 {
204 type file
205 file-name "trust-anchor.ndncert"
206 }
207 )CONF");
208
Davide Pesavento51974f62024-12-21 20:42:45 -0500209 this->saveIdentityCert(this->identity, this->path / "identity.ndncert");
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800210
211 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, false);
212
Davide Pesavento51974f62024-12-21 20:42:45 -0500213 this->policy.load(section, this->path / "test-config");
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800214
215 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, true);
216 BOOST_CHECK_EQUAL(this->policy.m_shouldBypass, false);
217 }
218};
219
220template<typename PacketType>
221class LoadStringWithBase64Anchor : public ValidationPolicyConfigFixture<PacketType>
222{
223public:
224 LoadStringWithBase64Anchor()
225 {
226 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, false);
227
228 std::ostringstream os;
Davide Pesavento0a6456c2019-11-14 00:33:11 -0500229 {
230 using namespace ndn::security::transform;
231 const auto& cert = this->identity.getDefaultKey().getDefaultCertificate().wireEncode();
Davide Pesavento258d51a2022-02-27 21:26:28 -0500232 bufferSource(cert) >> base64Encode(false) >> streamSink(os);
Davide Pesavento0a6456c2019-11-14 00:33:11 -0500233 }
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800234
235 this->policy.load(this->baseConfig + R"CONF(
236 trust-anchor
237 {
238 type base64
239 base64-string ")CONF" + os.str() + R"CONF("
240 }
Davide Pesavento51974f62024-12-21 20:42:45 -0500241 )CONF", this->path / "test-config");
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800242
243 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, true);
244 BOOST_CHECK_EQUAL(this->policy.m_shouldBypass, false);
245 }
246};
247
Davide Pesavento0c526032024-01-31 21:14:01 -0500248struct NoRefresh
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800249{
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800250 static std::string
251 getRefreshString()
252 {
253 return "";
254 }
255};
256
Davide Pesavento0c526032024-01-31 21:14:01 -0500257struct Refresh1h
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800258{
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800259 static std::string
260 getRefreshString()
261 {
262 return "refresh 1h";
263 }
264
265 static time::milliseconds
266 getRefreshTime()
267 {
Davide Pesavento0f830802018-01-16 23:58:58 -0500268 return 1_h;
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800269 }
270};
271
Davide Pesavento0c526032024-01-31 21:14:01 -0500272struct Refresh1m
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800273{
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800274 static std::string
275 getRefreshString()
276 {
277 return "refresh 1m";
278 }
279
280 static time::milliseconds
281 getRefreshTime()
282 {
Davide Pesavento0f830802018-01-16 23:58:58 -0500283 return 1_min;
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800284 }
285};
286
Davide Pesavento0c526032024-01-31 21:14:01 -0500287struct Refresh1s
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800288{
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800289 static std::string
290 getRefreshString()
291 {
292 return "refresh 1s";
293 }
294
295 static time::milliseconds
296 getRefreshTime()
297 {
Davide Pesavento0f830802018-01-16 23:58:58 -0500298 return 1_s;
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800299 }
300};
301
302template<typename PacketType, typename Refresh = NoRefresh>
303class LoadStringWithDirAnchor : public ValidationPolicyConfigFixture<PacketType>
304{
305public:
306 LoadStringWithDirAnchor()
307 {
308 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, false);
309
Davide Pesavento51974f62024-12-21 20:42:45 -0500310 std::filesystem::create_directories(this->path / "keys");
311 this->saveIdentityCert(this->identity, this->path / "keys" / "identity.ndncert");
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800312
313 this->policy.load(this->baseConfig + R"CONF(
314 trust-anchor
315 {
316 type dir
317 dir keys
318 )CONF" + Refresh::getRefreshString() + R"CONF(
319 }
Davide Pesavento51974f62024-12-21 20:42:45 -0500320 )CONF", this->path / "test-config");
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800321
322 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, true);
323 BOOST_CHECK_EQUAL(this->policy.m_shouldBypass, false);
324 }
325};
326
Davide Pesavento0c526032024-01-31 21:14:01 -0500327template<typename PacketType>
328using Policies = boost::mp11::mp_list<
329 LoadStringWithFileAnchor<PacketType>,
330 LoadFileWithFileAnchor<PacketType>,
331 LoadFileWithMultipleFileAnchors<PacketType>,
332 LoadSectionWithFileAnchor<PacketType>,
333 LoadStringWithBase64Anchor<PacketType>,
334 LoadStringWithDirAnchor<PacketType>,
335 LoadStringWithDirAnchor<PacketType, Refresh1h>,
336 LoadStringWithDirAnchor<PacketType, Refresh1m>,
337 LoadStringWithDirAnchor<PacketType, Refresh1s>
Davide Pesavento49e1e872023-11-11 00:45:23 -0500338>;
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800339
Davide Pesavento0c526032024-01-31 21:14:01 -0500340BOOST_FIXTURE_TEST_CASE_TEMPLATE(ValidateData, Policy, Policies<Data>, Policy)
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800341{
342 BOOST_CHECK_EQUAL(this->policy.m_dataRules.size(), 1);
343 BOOST_CHECK_EQUAL(this->policy.m_interestRules.size(), 0);
344
345 using Packet = typename Policy::Packet;
Alexander Afanasyev09236c22020-06-03 13:42:38 -0400346 Packet unsignedPacket("/Security/ValidatorFixture/Sub1/Sub2/Packet");
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800347
348 Packet packet = unsignedPacket;
349 VALIDATE_FAILURE(packet, "Unsigned");
350
351 packet = unsignedPacket;
352 this->m_keyChain.sign(packet, signingWithSha256());
Justin Labryaef53b62021-03-10 06:07:27 +0000353 VALIDATE_FAILURE(packet, "Should not be accepted, doesn't pass checker /localhost/identity/digest-sha256");
354
355 packet = Packet("/localhost/identity/digest-sha256/foobar");
356 this->m_keyChain.sign(packet, signingWithSha256());
357 VALIDATE_FAILURE(packet, "Should not be accepted, no rule for the name /localhost/identity/digest-sha256");
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800358
359 packet = unsignedPacket;
360 this->m_keyChain.sign(packet, signingByIdentity(this->identity));
361 VALIDATE_SUCCESS(packet, "Should get accepted, as signed by the anchor");
362
363 packet = unsignedPacket;
364 this->m_keyChain.sign(packet, signingByIdentity(this->subIdentity));
365 VALIDATE_SUCCESS(packet, "Should get accepted, as signed by the policy-compliant cert");
366
367 packet = unsignedPacket;
368 this->m_keyChain.sign(packet, signingByIdentity(this->otherIdentity));
369 VALIDATE_FAILURE(packet, "Should fail, as signed by the policy-violating cert");
370
371 packet = unsignedPacket;
372 this->m_keyChain.sign(packet, signingByIdentity(this->subSelfSignedIdentity));
373 VALIDATE_FAILURE(packet, "Should fail, because subSelfSignedIdentity is not a trust anchor");
374}
375
Davide Pesavento0c526032024-01-31 21:14:01 -0500376BOOST_FIXTURE_TEST_CASE_TEMPLATE(ValidateInterest, Policy, Policies<Interest>, Policy)
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800377{
378 BOOST_CHECK_EQUAL(this->policy.m_dataRules.size(), 0);
379 BOOST_CHECK_EQUAL(this->policy.m_interestRules.size(), 1);
380
381 using Packet = typename Policy::Packet;
Alexander Afanasyev09236c22020-06-03 13:42:38 -0400382 Packet unsignedPacket("/Security/ValidatorFixture/Sub1/Sub2/Packet");
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800383
384 Packet packet = unsignedPacket;
385 VALIDATE_FAILURE(packet, "Unsigned");
386
387 packet = unsignedPacket;
388 this->m_keyChain.sign(packet, signingWithSha256());
Justin Labryaef53b62021-03-10 06:07:27 +0000389 VALIDATE_FAILURE(packet, "Should not be accepted, doesn't pass checker /localhost/identity/digest-sha256");
390
391 packet = Packet("/localhost/identity/digest-sha256/foobar");
392 this->m_keyChain.sign(packet, signingWithSha256());
393 VALIDATE_FAILURE(packet, "Should not be accepted, no rule for the name /localhost/identity/digest-sha256");
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800394
395 packet = unsignedPacket;
396 this->m_keyChain.sign(packet, signingByIdentity(this->identity));
397 VALIDATE_SUCCESS(packet, "Should get accepted, as signed by the anchor");
398
399 packet = unsignedPacket;
400 this->m_keyChain.sign(packet, signingByIdentity(this->subIdentity));
401 VALIDATE_FAILURE(packet, "Should fail, as there is no matching rule for data");
402
403 packet = unsignedPacket;
404 this->m_keyChain.sign(packet, signingByIdentity(this->otherIdentity));
405 VALIDATE_FAILURE(packet, "Should fail, as signed by the policy-violating cert");
406
407 packet = unsignedPacket;
408 this->m_keyChain.sign(packet, signingByIdentity(this->subSelfSignedIdentity));
409 VALIDATE_FAILURE(packet, "Should fail, because subSelfSignedIdentity is not a trust anchor");
410}
411
Justin Labryaef53b62021-03-10 06:07:27 +0000412BOOST_FIXTURE_TEST_CASE(DigestSha256, HierarchicalValidatorFixture<ValidationPolicyConfig>)
413{
414 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, false);
415 this->policy.load(R"CONF(
416 rule
417 {
418 id test-rule-data-id
419 for data
420 filter
421 {
422 type name
Alexander Afanasyev17d4b932021-03-17 17:58:40 -0400423 name /Security/ValidatorFixture
424 relation is-prefix-of
425 }
426 checker
427 {
428 type customized
429 sig-type sha256
430 }
431 }
432 rule
433 {
434 id test-rule-interest-id
435 for interest
436 filter
437 {
438 type name
439 name /Security/ValidatorFixture
440 relation is-prefix-of
441 }
442 checker
443 {
444 type customized
445 sig-type sha256
446 }
447 }
448 )CONF", "test-config");
449
450
451 Interest interest("/Security/ValidatorFixture/Sub1/Sub2/Packet");
Alexander Afanasyev17d4b932021-03-17 17:58:40 -0400452 this->m_keyChain.sign(interest, signingWithSha256());
453 VALIDATE_SUCCESS(interest, "Should be accepted");
454
455 Data data("/Security/ValidatorFixture/Sub1/Sub2/Packet");
456 this->m_keyChain.sign(data, signingWithSha256());
457 VALIDATE_SUCCESS(data, "Should be accepted");
458}
459
460BOOST_FIXTURE_TEST_CASE(DigestSha256WithKeyLocator, HierarchicalValidatorFixture<ValidationPolicyConfig>)
461{
462 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, false);
463 this->policy.load(R"CONF(
464 rule
465 {
466 id test-rule-data-id
467 for data
468 filter
469 {
470 type name
Justin Labryaef53b62021-03-10 06:07:27 +0000471 name /localhost/identity/digest-sha256
472 relation is-prefix-of
473 }
474 checker
475 {
476 type customized
477 sig-type sha256
478 key-locator
479 {
480 type name
481 hyper-relation
482 {
483 k-regex ^(<>*)$
484 k-expand \\1
485 h-relation is-prefix-of
486 p-regex ^(<>*)$
487 p-expand \\1
488 }
489 }
490 }
491 }
492 rule
493 {
494 id test-rule-interest-id
495 for interest
496 filter
497 {
498 type name
499 name /localhost/identity/digest-sha256
500 relation is-prefix-of
501 }
502 checker
503 {
504 type customized
505 sig-type sha256
506 key-locator
507 {
508 type name
509 hyper-relation
510 {
511 k-regex ^(<>*)$
512 k-expand \\1
513 h-relation is-prefix-of
514 p-regex ^(<>*)$
515 p-expand \\1
516 }
517 }
518 }
519 }
520 )CONF", "test-config");
521
522
523 Interest interest("/localhost/identity/digest-sha256/foobar");
Justin Labryaef53b62021-03-10 06:07:27 +0000524 this->m_keyChain.sign(interest, signingWithSha256());
525 VALIDATE_SUCCESS(interest, "Should be accepted");
526
527 Data data("/localhost/identity/digest-sha256/foobar");
528 this->m_keyChain.sign(data, signingWithSha256());
529 VALIDATE_SUCCESS(data, "Should be accepted");
530}
531
Alexander Afanasyev17d4b932021-03-17 17:58:40 -0400532BOOST_FIXTURE_TEST_CASE(SigTypeCheck, HierarchicalValidatorFixture<ValidationPolicyConfig>)
533{
534 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, false);
535 this->policy.load(R"CONF(
536 rule
537 {
538 id test-rule-data-id
539 for data
540 filter
541 {
542 type name
543 name /localhost/identity/digest-sha256
544 relation is-prefix-of
545 }
546 checker
547 {
548 type customized
549 sig-type ecdsa-sha256
550 key-locator
551 {
552 type name
553 hyper-relation
554 {
555 k-regex ^(<>*)$
556 k-expand \\1
557 h-relation is-prefix-of
558 p-regex ^(<>*)$
559 p-expand \\1
560 }
561 }
562 }
563 }
564 rule
565 {
566 id test-rule-interest-id
567 for interest
568 filter
569 {
570 type name
571 name /localhost/identity/digest-sha256
572 relation is-prefix-of
573 }
574 checker
575 {
576 type customized
577 sig-type ecdsa-sha256
578 key-locator
579 {
580 type name
581 hyper-relation
582 {
583 k-regex ^(<>*)$
584 k-expand \\1
585 h-relation is-prefix-of
586 p-regex ^(<>*)$
587 p-expand \\1
588 }
589 }
590 }
591 }
592 )CONF", "test-config");
593
594
595 Interest interest("/localhost/identity/digest-sha256/foobar");
Alexander Afanasyev17d4b932021-03-17 17:58:40 -0400596 this->m_keyChain.sign(interest, signingWithSha256());
597 VALIDATE_FAILURE(interest, "Signature type check should fail");
598
599 Data data("/localhost/identity/digest-sha256/foobar");
600 this->m_keyChain.sign(data, signingWithSha256());
601 VALIDATE_FAILURE(data, "Signature type check should fail");
602}
603
Alexander Afanasyev6aff0242017-08-29 17:14:44 -0400604BOOST_FIXTURE_TEST_CASE(Reload, HierarchicalValidatorFixture<ValidationPolicyConfig>)
605{
606 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, false);
607 this->policy.load(R"CONF(
608 rule
609 {
610 id test-rule-data-id
611 for data
612 filter
613 {
614 type name
615 name /foo/bar
616 relation is-prefix-of
617 }
618 checker
619 {
620 type hierarchical
Alexander Afanasyev17d4b932021-03-17 17:58:40 -0400621 sig-type ecdsa-sha256
Alexander Afanasyev6aff0242017-08-29 17:14:44 -0400622 }
623 }
624 rule
625 {
626 id test-rule-interest-id
627 for interest
628 filter
629 {
630 type name
631 name /foo/bar
632 relation is-prefix-of
633 }
634 checker
635 {
636 type hierarchical
Alexander Afanasyev17d4b932021-03-17 17:58:40 -0400637 sig-type ecdsa-sha256
Alexander Afanasyev6aff0242017-08-29 17:14:44 -0400638 }
639 }
640 trust-anchor
641 {
642 type dir
643 dir keys
644 refresh 1h
645 }
646 )CONF", "test-config");
647 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, true);
648 BOOST_CHECK_EQUAL(this->policy.m_shouldBypass, false);
649 BOOST_CHECK_EQUAL(this->policy.m_dataRules.size(), 1);
650 BOOST_CHECK_EQUAL(this->policy.m_interestRules.size(), 1);
651
652 this->policy.load(R"CONF(
653 trust-anchor
654 {
655 type any
656 }
657 )CONF", "test-config");
658 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, true);
659 BOOST_CHECK_EQUAL(this->policy.m_shouldBypass, true);
660 BOOST_CHECK_EQUAL(this->policy.m_dataRules.size(), 0);
661 BOOST_CHECK_EQUAL(this->policy.m_interestRules.size(), 0);
662}
663
Davide Pesavento49e1e872023-11-11 00:45:23 -0500664using Packets = boost::mp11::mp_list<Interest, Data>;
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800665
666BOOST_FIXTURE_TEST_CASE_TEMPLATE(TrustAnchorWildcard, Packet, Packets, ValidationPolicyConfigFixture<Packet>)
667{
668 this->policy.load(R"CONF(
669 trust-anchor
670 {
671 type any
672 }
673 )CONF", "test-config");
674
675 BOOST_CHECK_EQUAL(this->policy.m_isConfigured, true);
676 BOOST_CHECK_EQUAL(this->policy.m_shouldBypass, true);
677 BOOST_CHECK_EQUAL(this->policy.m_dataRules.size(), 0);
678 BOOST_CHECK_EQUAL(this->policy.m_interestRules.size(), 0);
679
Alexander Afanasyev09236c22020-06-03 13:42:38 -0400680 Packet unsignedPacket("/Security/ValidatorFixture/Sub1/Sub2/Packet");
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800681
682 Packet packet = unsignedPacket;
683 VALIDATE_SUCCESS(packet, "Policy should accept everything");
684
685 packet = unsignedPacket;
686 this->m_keyChain.sign(packet, signingWithSha256());
687 VALIDATE_SUCCESS(packet, "Policy should accept everything");
688
689 packet = unsignedPacket;
690 this->m_keyChain.sign(packet, signingByIdentity(this->identity));
691 VALIDATE_SUCCESS(packet, "Policy should accept everything");
692
693 packet = unsignedPacket;
694 this->m_keyChain.sign(packet, signingByIdentity(this->subIdentity));
695 VALIDATE_SUCCESS(packet, "Policy should accept everything");
696
697 packet = unsignedPacket;
698 this->m_keyChain.sign(packet, signingByIdentity(this->otherIdentity));
699 VALIDATE_SUCCESS(packet, "Policy should accept everything");
700
701 packet = unsignedPacket;
702 this->m_keyChain.sign(packet, signingByIdentity(this->subSelfSignedIdentity));
703 VALIDATE_SUCCESS(packet, "Policy should accept everything");
704}
705
Davide Pesavento49e1e872023-11-11 00:45:23 -0500706using RefreshPolicies = boost::mp11::mp_list<Refresh1h, Refresh1m, Refresh1s>;
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800707
Alexander Afanasyev6aff0242017-08-29 17:14:44 -0400708template<typename RefreshPolicy>
Davide Pesavento0c526032024-01-31 21:14:01 -0500709using RefreshPolicyFixture = LoadStringWithDirAnchor<Data, RefreshPolicy>;
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800710
Alexander Afanasyev6aff0242017-08-29 17:14:44 -0400711BOOST_FIXTURE_TEST_CASE_TEMPLATE(ValidateRefresh, Refresh, RefreshPolicies, RefreshPolicyFixture<Refresh>)
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800712{
713 using Packet = Data;
Alexander Afanasyev09236c22020-06-03 13:42:38 -0400714 Packet unsignedPacket("/Security/ValidatorFixture/Sub1/Sub2/Packet");
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800715
Davide Pesavento51974f62024-12-21 20:42:45 -0500716 std::filesystem::remove(this->path / "keys" / "identity.ndncert");
Alexander Afanasyev6aff0242017-08-29 17:14:44 -0400717 this->advanceClocks(Refresh::getRefreshTime(), 3);
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800718
719 Packet packet = unsignedPacket;
720 this->m_keyChain.sign(packet, signingByIdentity(this->identity));
721 VALIDATE_FAILURE(packet, "Should fail, as the trust anchor should no longer exist");
722
723 packet = unsignedPacket;
724 this->m_keyChain.sign(packet, signingByIdentity(this->subIdentity));
725 VALIDATE_FAILURE(packet, "Should fail, as the trust anchor should no longer exist");
726}
727
Davide Pesavento0c526032024-01-31 21:14:01 -0500728BOOST_FIXTURE_TEST_CASE(OrphanedPolicyLoad, HierarchicalValidatorFixture<ValidationPolicyConfig>,
729 * ut::description("test for bug #4758"))
Alexander Afanasyev7b112462018-10-17 11:51:52 -0400730{
Davide Pesavento47ce2ee2023-05-09 01:33:33 -0400731 using ndn::security::validator_config::Error;
732
Alexander Afanasyev7b112462018-10-17 11:51:52 -0400733 ValidationPolicyConfig policy1;
734 BOOST_CHECK_THROW(policy1.load("trust-anchor { type any }", "test-config"), Error);
735
736 // Reloading would have triggered a segfault
737 BOOST_CHECK_THROW(policy1.load("trust-anchor { type any }", "test-config"), Error);
738
739 ValidationPolicyConfig policy2;
Davide Pesavento47ce2ee2023-05-09 01:33:33 -0400740 const std::string config = R"CONF(
Alexander Afanasyev7b112462018-10-17 11:51:52 -0400741 trust-anchor
742 {
743 type dir
744 dir keys
745 refresh 1h
746 }
747 )CONF";
Alexander Afanasyev7b112462018-10-17 11:51:52 -0400748 // Inserting trust anchor would have triggered a segfault
749 BOOST_CHECK_THROW(policy2.load(config, "test-config"), Error);
750}
751
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800752BOOST_AUTO_TEST_SUITE_END() // TestValidationPolicyConfig
Alexander Afanasyeve5a19b82017-01-30 22:30:46 -0800753BOOST_AUTO_TEST_SUITE_END() // Security
754
Davide Pesavento47ce2ee2023-05-09 01:33:33 -0400755} // namespace ndn::tests