| Yingdi Yu | 7d77332 | 2015-03-22 21:32:48 -0700 | [diff] [blame] | 1 | /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */ |
| 2 | /** |
| 3 | * Copyright (c) 2014, Regents of the University of California |
| 4 | * |
| 5 | * This file is part of NSL (NDN Signature Logger). |
| 6 | * See AUTHORS.md for complete list of NSL authors and contributors. |
| 7 | * |
| 8 | * NSL is free software: you can redistribute it and/or modify it under the terms |
| 9 | * of the GNU General Public License as published by the Free Software Foundation, |
| 10 | * either version 3 of the License, or (at your option) any later version. |
| 11 | * |
| 12 | * NSL is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; |
| 13 | * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR |
| 14 | * PURPOSE. See the GNU General Public License for more details. |
| 15 | * |
| 16 | * You should have received a copy of the GNU General Public License along with |
| 17 | * NSL, e.g., in COPYING.md file. If not, see <http://www.gnu.org/licenses/>. |
| 18 | * |
| 19 | * See AUTHORS.md for complete list of nsl authors and contributors. |
| 20 | */ |
| 21 | |
| 22 | #include "policy-checker.hpp" |
| 23 | #include <ndn-cxx/util/time.hpp> |
| 24 | #include <ndn-cxx/security/validator.hpp> |
| 25 | #include <boost/algorithm/string.hpp> |
| 26 | |
| 27 | namespace nsl { |
| 28 | |
| 29 | using ndn::time::system_clock; |
| 30 | |
| 31 | PolicyChecker::PolicyChecker() |
| 32 | { |
| 33 | } |
| 34 | |
| 35 | void |
| 36 | PolicyChecker::reset() |
| 37 | { |
| 38 | m_dataRules.clear(); |
| 39 | } |
| 40 | |
| 41 | void |
| 42 | PolicyChecker::loadPolicy(const conf::ConfigSection& configSection) |
| 43 | { |
| 44 | reset(); |
| 45 | |
| 46 | for (const auto& section : configSection) { |
| 47 | if (boost::iequals(section.first, "rule")) { |
| 48 | onConfigRule(section.second); |
| 49 | } |
| 50 | else |
| 51 | throw Error("Error in loading policy checker: unrecognized section " + section.first); |
| 52 | } |
| 53 | } |
| 54 | |
| 55 | void |
| 56 | PolicyChecker::onConfigRule(const conf::ConfigSection& section) |
| 57 | { |
| 58 | using namespace nsl::conf; |
| 59 | |
| 60 | auto it = section.begin(); |
| 61 | |
| 62 | // Get rule.id |
| 63 | if (it == section.end() || !boost::iequals(it->first, "id")) |
| 64 | throw Error("Expect <rule.id>"); |
| 65 | |
| 66 | std::string ruleId = it->second.data(); |
| 67 | it++; |
| 68 | |
| 69 | // Get rule.for |
| 70 | if (it == section.end() || !boost::iequals(it->first, "for")) |
| 71 | throw Error("Expect <rule.for> in rule: " + ruleId); |
| 72 | |
| 73 | std::string usage = it->second.data(); |
| 74 | it++; |
| 75 | |
| 76 | bool isForData; |
| 77 | if (boost::iequals(usage, "data")) |
| 78 | isForData = true; |
| 79 | else if (boost::iequals(usage, "interest")) |
| 80 | isForData = false; |
| 81 | else |
| 82 | throw Error("Unrecognized <rule.for>: " + usage + " in rule: " + ruleId); |
| 83 | |
| 84 | // Get rule.filter(s) |
| 85 | std::vector<shared_ptr<Filter> > filters; |
| 86 | for (; it != section.end(); it++) { |
| 87 | if (!boost::iequals(it->first, "filter")) { |
| 88 | if (boost::iequals(it->first, "checker")) |
| 89 | break; |
| 90 | throw Error("Expect <rule.filter> in rule: " + ruleId); |
| 91 | } |
| 92 | |
| 93 | filters.push_back(FilterFactory::create(it->second)); |
| 94 | continue; |
| 95 | } |
| 96 | |
| 97 | // Get rule.checker(s) |
| 98 | std::vector<shared_ptr<Checker> > checkers; |
| 99 | for (; it != section.end(); it++) { |
| 100 | if (!boost::iequals(it->first, "checker")) |
| 101 | throw Error("Expect <rule.checker> in rule: " + ruleId); |
| 102 | |
| 103 | checkers.push_back(CheckerFactory::create(it->second)); |
| 104 | continue; |
| 105 | } |
| 106 | |
| 107 | // Check other stuff |
| 108 | if (it != section.end()) |
| 109 | throw Error("Expect the end of rule: " + ruleId); |
| 110 | |
| 111 | if (checkers.size() == 0) |
| 112 | throw Error("No <rule.checker> is specified in rule: " + ruleId); |
| 113 | |
| 114 | if (isForData) { |
| 115 | auto rule = make_shared<conf::Rule>(ruleId); |
| 116 | for (size_t i = 0; i < filters.size(); i++) |
| 117 | rule->addFilter(filters[i]); |
| 118 | for (size_t i = 0; i < checkers.size(); i++) |
| 119 | rule->addChecker(checkers[i]); |
| 120 | |
| 121 | m_dataRules.push_back(rule); |
| 122 | } |
| 123 | } |
| 124 | |
| 125 | bool |
| 126 | PolicyChecker::check(const Timestamp& dataTimestamp, const Data& data, |
| 127 | const Timestamp& keyTimestamp, const ndn::IdentityCertificate& cert) |
| 128 | { |
| 129 | system_clock::TimePoint dataTs((time::seconds(dataTimestamp))); |
| 130 | system_clock::TimePoint keyTs((time::seconds(keyTimestamp))); |
| 131 | system_clock::TimePoint endTs = cert.getNotAfter(); |
| 132 | system_clock::TimePoint startTs = cert.getNotBefore(); |
| 133 | |
| 134 | if (dataTs > endTs || dataTs < keyTs || dataTs < startTs) |
| 135 | return false; |
| 136 | |
| 137 | if (!checkRule(data)) |
| 138 | return false; |
| 139 | |
| 140 | Name keyLocatorName; |
| 141 | try { |
| 142 | keyLocatorName = data.getSignature().getKeyLocator().getName(); |
| 143 | } |
| 144 | catch (tlv::Error&) { |
| 145 | return false; |
| 146 | } |
| 147 | |
| 148 | if (!keyLocatorName.isPrefixOf(cert.getName())) |
| 149 | return false; |
| 150 | |
| 151 | if (!ndn::Validator::verifySignature(data, cert.getPublicKeyInfo())) |
| 152 | return false; |
| 153 | |
| 154 | return true; |
| 155 | } |
| 156 | |
| 157 | bool |
| 158 | PolicyChecker::checkRule(const Data& data) |
| 159 | { |
| 160 | for (auto& rule : m_dataRules) { |
| 161 | if (rule->match(data)) { |
| 162 | return rule->check(data); |
| 163 | } |
| 164 | } |
| 165 | |
| 166 | return false; |
| 167 | } |
| 168 | |
| 169 | |
| 170 | } // namespace nsl |