Yingdi Yu | 77627ab | 2015-07-21 16:13:49 -0700 | [diff] [blame] | 1 | /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */ |
| 2 | /** |
Yingdi Yu | 0a312e5 | 2015-07-22 13:14:53 -0700 | [diff] [blame] | 3 | * Copyright (c) 2014-2015, Regents of the University of California. |
Yingdi Yu | 77627ab | 2015-07-21 16:13:49 -0700 | [diff] [blame] | 4 | * |
Yingdi Yu | 0a312e5 | 2015-07-22 13:14:53 -0700 | [diff] [blame] | 5 | * This file is part of ndn-tools (Named Data Networking Essential Tools). |
| 6 | * See AUTHORS.md for complete list of ndn-tools authors and contributors. |
Yingdi Yu | 77627ab | 2015-07-21 16:13:49 -0700 | [diff] [blame] | 7 | * |
Yingdi Yu | 0a312e5 | 2015-07-22 13:14:53 -0700 | [diff] [blame] | 8 | * ndn-tools is free software: you can redistribute it and/or modify it under the terms |
| 9 | * of the GNU General Public License as published by the Free Software Foundation, |
| 10 | * either version 3 of the License, or (at your option) any later version. |
Yingdi Yu | 77627ab | 2015-07-21 16:13:49 -0700 | [diff] [blame] | 11 | * |
Yingdi Yu | 0a312e5 | 2015-07-22 13:14:53 -0700 | [diff] [blame] | 12 | * ndn-tools is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; |
| 13 | * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR |
| 14 | * PURPOSE. See the GNU General Public License for more details. |
Yingdi Yu | 77627ab | 2015-07-21 16:13:49 -0700 | [diff] [blame] | 15 | * |
Yingdi Yu | 0a312e5 | 2015-07-22 13:14:53 -0700 | [diff] [blame] | 16 | * You should have received a copy of the GNU General Public License along with |
| 17 | * ndn-tools, e.g., in COPYING.md file. If not, see <http://www.gnu.org/licenses/>. |
Yingdi Yu | 77627ab | 2015-07-21 16:13:49 -0700 | [diff] [blame] | 18 | * |
Yingdi Yu | 0a312e5 | 2015-07-22 13:14:53 -0700 | [diff] [blame] | 19 | * @author Yingdi Yu <yingdi@cs.ucla.edu> |
Yingdi Yu | 77627ab | 2015-07-21 16:13:49 -0700 | [diff] [blame] | 20 | */ |
| 21 | |
Yingdi Yu | 0a312e5 | 2015-07-22 13:14:53 -0700 | [diff] [blame] | 22 | |
Yingdi Yu | 77627ab | 2015-07-21 16:13:49 -0700 | [diff] [blame] | 23 | #include "update-query-processor.hpp" |
| 24 | #include "encoding/pib-encoding.hpp" |
| 25 | #include "pib.hpp" |
| 26 | |
| 27 | #include <boost/lexical_cast.hpp> |
| 28 | |
| 29 | namespace ndn { |
| 30 | namespace pib { |
| 31 | |
| 32 | using std::string; |
| 33 | |
| 34 | const size_t UpdateQueryProcessor::UPDATE_QUERY_LENGTH = 9; |
| 35 | const Name UpdateQueryProcessor::PIB_PREFIX("/localhost/pib"); |
| 36 | |
| 37 | UpdateQueryProcessor::UpdateQueryProcessor(PibDb& db, Pib& pib) |
| 38 | : m_db(db) |
| 39 | , m_pib(pib) |
| 40 | { |
| 41 | } |
| 42 | |
| 43 | std::pair<bool, Block> |
| 44 | UpdateQueryProcessor::operator()(const Interest& interest) |
| 45 | { |
| 46 | const Name& interestName = interest.getName(); |
| 47 | |
| 48 | // handle pib query: /localhost/pib/[UserName]/update/param/<signed_interest_related_components> |
| 49 | if (interestName.size() != UPDATE_QUERY_LENGTH) { |
| 50 | // malformed interest, discard |
| 51 | return std::make_pair(false, Block()); |
| 52 | } |
| 53 | |
| 54 | try { |
| 55 | UpdateParam param; |
| 56 | param.wireDecode(interestName.get(OFFSET_PARAM).blockFromValue()); |
| 57 | |
| 58 | SignatureInfo sigInfo; |
| 59 | sigInfo.wireDecode(interestName.get(OFFSET_SIG_INFO).blockFromValue()); |
| 60 | |
| 61 | // sigInfo must have KeyLocator.Name if the interest passed validation. |
| 62 | Name signerName; |
| 63 | signerName = sigInfo.getKeyLocator().getName(); |
| 64 | |
| 65 | switch (param.getEntityType()) { |
| 66 | case tlv::pib::User: |
| 67 | return processUpdateUserQuery(param, signerName); |
| 68 | case tlv::pib::Identity: |
| 69 | return processUpdateIdQuery(param, signerName); |
| 70 | case tlv::pib::PublicKey: |
| 71 | return processUpdateKeyQuery(param, signerName); |
| 72 | case tlv::pib::Certificate: |
| 73 | return processUpdateCertQuery(param, signerName); |
| 74 | default: |
| 75 | { |
| 76 | PibError error(ERR_WRONG_PARAM, |
| 77 | "entity type is not supported: " + |
| 78 | boost::lexical_cast<string>(param.getEntityType())); |
| 79 | return std::make_pair(true, error.wireEncode()); |
| 80 | } |
| 81 | } |
| 82 | } |
| 83 | catch (const PibDb::Error& e) { |
| 84 | PibError error(ERR_INTERNAL_ERROR, e.what()); |
| 85 | return std::make_pair(true, error.wireEncode()); |
| 86 | } |
| 87 | catch (const tlv::Error& e) { |
| 88 | PibError error(ERR_WRONG_PARAM, "error in parsing param: " + string(e.what())); |
| 89 | return std::make_pair(true, error.wireEncode()); |
| 90 | } |
| 91 | } |
| 92 | |
| 93 | std::pair<bool, Block> |
| 94 | UpdateQueryProcessor::processUpdateUserQuery(const UpdateParam& param, const Name& signerName) |
| 95 | { |
| 96 | Name expectedId = m_db.getMgmtCertificate()->getPublicKeyName().getPrefix(-1); |
| 97 | Name targetId = param.getUser().getMgmtCert().getPublicKeyName().getPrefix(-1); |
| 98 | Name signerId = IdentityCertificate::certificateNameToPublicKeyName(signerName).getPrefix(-1); |
| 99 | |
| 100 | if (expectedId == targetId && expectedId == signerId) { |
| 101 | m_db.updateMgmtCertificate(param.getUser().getMgmtCert()); |
| 102 | m_pib.setMgmtCert(make_shared<IdentityCertificate>(param.getUser().getMgmtCert())); |
| 103 | return std::make_pair(true, PibError(ERR_SUCCESS).wireEncode()); |
| 104 | } |
| 105 | |
| 106 | PibError error(ERR_WRONG_PARAM, "not allowed to update user"); |
| 107 | return std::make_pair(true, error.wireEncode()); |
| 108 | } |
| 109 | |
| 110 | std::pair<bool, Block> |
| 111 | UpdateQueryProcessor::processUpdateIdQuery(const UpdateParam& param, const Name& signerName) |
| 112 | { |
| 113 | const Name& identity = param.getIdentity().getIdentity(); |
| 114 | if (!isUpdateAllowed(TYPE_ID, identity, signerName, param.getDefaultOpt())) { |
| 115 | PibError error(ERR_WRONG_SIGNER, "signer is not trusted for this command"); |
| 116 | return std::make_pair(true, error.wireEncode()); |
| 117 | } |
| 118 | |
| 119 | // add the identity |
| 120 | m_db.addIdentity(identity); |
| 121 | |
| 122 | // set the identity as user default if it is requested. |
| 123 | const pib::DefaultOpt& defaultOpt = param.getDefaultOpt(); |
| 124 | if (DEFAULT_OPT_USER_MASK & defaultOpt) { |
| 125 | m_db.setDefaultIdentity(identity); |
| 126 | } |
| 127 | |
| 128 | return std::make_pair(true, PibError(ERR_SUCCESS).wireEncode()); |
| 129 | } |
| 130 | |
| 131 | std::pair<bool, Block> |
| 132 | UpdateQueryProcessor::processUpdateKeyQuery(const UpdateParam& param, const Name& signerName) |
| 133 | { |
| 134 | const Name& keyName = param.getPublicKey().getKeyName(); |
| 135 | if (!isUpdateAllowed(TYPE_KEY, keyName, signerName, param.getDefaultOpt())) { |
| 136 | PibError error(ERR_WRONG_SIGNER, "signer is not trusted for this command"); |
| 137 | return std::make_pair(true, error.wireEncode()); |
| 138 | } |
| 139 | |
| 140 | Name identity = keyName.getPrefix(-1); |
| 141 | |
| 142 | // add the key |
| 143 | m_db.addKey(keyName, param.getPublicKey().getPublicKey()); |
| 144 | |
| 145 | const pib::DefaultOpt& defaultOpt = param.getDefaultOpt(); |
| 146 | if (DEFAULT_OPT_ID_MASK & defaultOpt) // set the key as identity default if requested. |
| 147 | m_db.setDefaultKeyNameOfIdentity(keyName); |
| 148 | if (DEFAULT_OPT_USER_MASK & defaultOpt) // set the identity as user default if requested. |
| 149 | m_db.setDefaultIdentity(identity); |
| 150 | |
| 151 | return std::make_pair(true, PibError(ERR_SUCCESS).wireEncode()); |
| 152 | } |
| 153 | |
| 154 | std::pair<bool, Block> |
| 155 | UpdateQueryProcessor::processUpdateCertQuery(const UpdateParam& param, const Name& signerName) |
| 156 | { |
| 157 | const IdentityCertificate& cert = param.getCertificate().getCertificate(); |
| 158 | const Name& certName = cert.getName(); |
| 159 | if (!isUpdateAllowed(TYPE_CERT, certName, signerName, param.getDefaultOpt())) { |
| 160 | PibError error(ERR_WRONG_SIGNER, "signer is not trusted for this command"); |
| 161 | return std::make_pair(true, error.wireEncode()); |
| 162 | } |
| 163 | |
| 164 | const Name& keyName = cert.getPublicKeyName(); |
| 165 | Name identity = keyName.getPrefix(-1); |
| 166 | |
| 167 | // add certificate |
| 168 | m_db.addCertificate(cert); |
| 169 | |
| 170 | const pib::DefaultOpt& defaultOpt = param.getDefaultOpt(); |
| 171 | if (DEFAULT_OPT_KEY_MASK & defaultOpt) // set the cert as key default if requested. |
| 172 | m_db.setDefaultCertNameOfKey(certName); |
| 173 | if (DEFAULT_OPT_ID_MASK & defaultOpt) // set the key as identity default if requested. |
| 174 | m_db.setDefaultKeyNameOfIdentity(keyName); |
| 175 | if (DEFAULT_OPT_USER_MASK & defaultOpt) // set the identity as user default if requested. |
| 176 | m_db.setDefaultIdentity(identity); |
| 177 | |
| 178 | return std::make_pair(true, PibError(ERR_SUCCESS).wireEncode()); |
| 179 | } |
| 180 | |
| 181 | bool |
| 182 | UpdateQueryProcessor::isUpdateAllowed(const pib::Type targetType, |
| 183 | const Name& targetName, |
| 184 | const Name& signer, |
| 185 | const pib::DefaultOpt defaultOpt) const |
| 186 | { |
| 187 | // Any identity with prefix /localhost/pib is reserved. Any operation with a targetName under |
| 188 | // that prefix will be rejected. |
| 189 | if (PIB_PREFIX.isPrefixOf(targetName)) |
| 190 | return false; |
| 191 | |
| 192 | // A request is wrong if |
| 193 | // 1) it wants to change the default setting of an identity, but the target is not key nor cert |
| 194 | // 2) it wants to change the default setting of a key, but the target is not cert |
| 195 | if ((defaultOpt == DEFAULT_OPT_ID && (targetType != TYPE_KEY && targetType != TYPE_CERT)) || |
| 196 | (defaultOpt == DEFAULT_OPT_KEY && targetType != TYPE_CERT)) |
| 197 | return false; |
| 198 | |
| 199 | |
| 200 | // Rules for other items: |
| 201 | // |
| 202 | // signer | adding privilege | default setting privilege |
| 203 | // ================+==========================+============================================ |
| 204 | // local mgmt key | any id, key, and cert | the default id, |
| 205 | // | | the default key of any id, |
| 206 | // | | the default cert of any key of any id |
| 207 | // ----------------+--------------------------+-------------------------------------------- |
| 208 | // default key of | any id, key, and cert | the default key of the id and its sub ids, |
| 209 | // an id | under the id's namespace | the default cert of any key of the id |
| 210 | // | | and its sub ids |
| 211 | // ----------------+--------------------------+-------------------------------------------- |
| 212 | // non-default key | any cert of the key | the default cert of the key |
| 213 | // of an id |
| 214 | |
| 215 | const Name& signerKeyName = IdentityCertificate::certificateNameToPublicKeyName(signer); |
| 216 | const Name& signerId = signerKeyName.getPrefix(-1); |
| 217 | |
| 218 | bool hasSignerDefaultKey = true; |
| 219 | Name signerDefaultKeyName; |
| 220 | try { |
| 221 | signerDefaultKeyName = m_db.getDefaultKeyNameOfIdentity(signerId); |
| 222 | } |
| 223 | catch (PibDb::Error&) { |
| 224 | hasSignerDefaultKey = false; |
| 225 | } |
| 226 | |
| 227 | Name mgmtCertName; |
| 228 | try { |
| 229 | mgmtCertName = m_db.getMgmtCertificate()->getName().getPrefix(-1); |
| 230 | } |
| 231 | catch (PibDb::Error&) { |
| 232 | return false; |
| 233 | } |
| 234 | |
| 235 | if (signer == mgmtCertName) { |
| 236 | // signer is current management key, anything is allowed. |
| 237 | return true; |
| 238 | } |
| 239 | else if (hasSignerDefaultKey && signerDefaultKeyName == signerKeyName) { |
| 240 | // signer is an identity's default key |
| 241 | if (!signerId.isPrefixOf(targetName)) |
| 242 | return false; |
| 243 | |
| 244 | // check default setting |
| 245 | // user default setting is not allowed |
| 246 | if (defaultOpt == DEFAULT_OPT_USER) |
| 247 | return false; |
| 248 | else |
| 249 | return true; |
| 250 | } |
| 251 | else { |
| 252 | // non-default key |
| 253 | if (targetType != TYPE_CERT) |
| 254 | return false; |
| 255 | |
| 256 | // check if it is for the key's cert |
| 257 | if (IdentityCertificate::certificateNameToPublicKeyName(targetName) != signerKeyName) |
| 258 | return false; |
| 259 | |
| 260 | if (defaultOpt == DEFAULT_OPT_USER || defaultOpt == DEFAULT_OPT_ID) |
| 261 | return false; |
| 262 | else |
| 263 | return true; |
| 264 | } |
| 265 | } |
| 266 | |
| 267 | } // namespace pib |
| 268 | } // namespace ndn |