blob: ea596b10fc761d54a64089c36fddcd3fd3338608 [file] [log] [blame]
Steve DiBenedetto2c2b8892014-02-27 11:46:48 -07001/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
2/**
Alexander Afanasyev9bcbc7c2014-04-06 19:37:37 -07003 * Copyright (c) 2014 Regents of the University of California,
4 * Arizona Board of Regents,
5 * Colorado State University,
6 * University Pierre & Marie Curie, Sorbonne University,
7 * Washington University in St. Louis,
8 * Beijing Institute of Technology
9 *
10 * This file is part of NFD (Named Data Networking Forwarding Daemon).
11 * See AUTHORS.md for complete list of NFD authors and contributors.
12 *
13 * NFD is free software: you can redistribute it and/or modify it under the terms
14 * of the GNU General Public License as published by the Free Software Foundation,
15 * either version 3 of the License, or (at your option) any later version.
16 *
17 * NFD is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
18 * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
19 * PURPOSE. See the GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along with
22 * NFD, e.g., in COPYING.md file. If not, see <http://www.gnu.org/licenses/>.
23 **/
Steve DiBenedetto2c2b8892014-02-27 11:46:48 -070024
25#include "command-validator.hpp"
Steve DiBenedettobf6a93d2014-03-21 14:03:02 -060026#include "core/logger.hpp"
27
Alexander Afanasyev4a771362014-04-24 21:29:33 -070028#include <ndn-cxx/util/io.hpp>
29#include <ndn-cxx/security/identity-certificate.hpp>
Steve DiBenedetto2c2b8892014-02-27 11:46:48 -070030
Steve DiBenedetto1a3c6732014-03-13 06:44:05 -060031#include <boost/filesystem.hpp>
Davide Pesavento52a18f92014-04-10 00:55:01 +020032#include <fstream>
Steve DiBenedetto1a3c6732014-03-13 06:44:05 -060033
Steve DiBenedetto2c2b8892014-02-27 11:46:48 -070034namespace nfd {
35
36NFD_LOG_INIT("CommandValidator");
37
38CommandValidator::CommandValidator()
39{
40
41}
42
43CommandValidator::~CommandValidator()
44{
45
46}
47
48void
49CommandValidator::setConfigFile(ConfigFile& configFile)
50{
51 configFile.addSectionHandler("authorizations",
Steve DiBenedetto1a3c6732014-03-13 06:44:05 -060052 bind(&CommandValidator::onConfig, this, _1, _2, _3));
Steve DiBenedetto2c2b8892014-02-27 11:46:48 -070053}
54
55static inline void
56aggregateErrors(std::stringstream& ss, const std::string& msg)
57{
58 if (!ss.str().empty())
59 {
60 ss << "\n";
61 }
62 ss << msg;
63}
64
65void
66CommandValidator::onConfig(const ConfigSection& section,
Steve DiBenedetto1a3c6732014-03-13 06:44:05 -060067 bool isDryRun,
68 const std::string& filename)
Steve DiBenedetto2c2b8892014-02-27 11:46:48 -070069{
Steve DiBenedetto1a3c6732014-03-13 06:44:05 -060070 using namespace boost::filesystem;
71
Steve DiBenedetto2c2b8892014-02-27 11:46:48 -070072 const ConfigSection EMPTY_SECTION;
73
74 if (section.begin() == section.end())
75 {
76 throw ConfigFile::Error("No authorize sections found");
77 }
78
79 std::stringstream dryRunErrors;
80 ConfigSection::const_iterator authIt;
81 for (authIt = section.begin(); authIt != section.end(); authIt++)
82 {
Steve DiBenedetto1a3c6732014-03-13 06:44:05 -060083 std::string certfile;
Steve DiBenedetto2c2b8892014-02-27 11:46:48 -070084 try
85 {
Steve DiBenedetto1a3c6732014-03-13 06:44:05 -060086 certfile = authIt->second.get<std::string>("certfile");
Steve DiBenedetto2c2b8892014-02-27 11:46:48 -070087 }
88 catch (const std::runtime_error& e)
89 {
Steve DiBenedetto1a3c6732014-03-13 06:44:05 -060090 std::string msg = "No certfile specified";
Steve DiBenedetto2c2b8892014-02-27 11:46:48 -070091 if (!isDryRun)
92 {
93 throw ConfigFile::Error(msg);
94 }
95 aggregateErrors(dryRunErrors, msg);
96 continue;
97 }
98
Steve DiBenedetto2c2b8892014-02-27 11:46:48 -070099 shared_ptr<ndn::IdentityCertificate> id;
Steve DiBenedetto2c2b8892014-02-27 11:46:48 -0700100
Yingdi Yuc8f214c2014-04-29 20:39:37 -0700101 if (certfile != "any")
102 {
103 path certfilePath = absolute(certfile, path(filename).parent_path());
104 NFD_LOG_DEBUG("generated certfile path: " << certfilePath.native());
105
106 std::ifstream in;
107 in.open(certfilePath.c_str());
108 if (!in.is_open())
109 {
110 std::string msg = "Unable to open certificate file " + certfilePath.native();
111 if (!isDryRun)
112 {
113 throw ConfigFile::Error(msg);
114 }
115 aggregateErrors(dryRunErrors, msg);
116 continue;
117 }
118
119 try
120 {
121 id = ndn::io::load<ndn::IdentityCertificate>(in);
122 }
123 catch (const std::runtime_error& error)
124 {
125 // do nothing
126 }
127
128 if (!static_cast<bool>(id)) {
129 std::string msg = "Malformed certificate file " + certfilePath.native();
130 if (!isDryRun)
131 {
132 throw ConfigFile::Error(msg);
133 }
134 aggregateErrors(dryRunErrors, msg);
135 continue;
Alexander Afanasyev5d2820d2014-04-24 00:10:31 -0700136 }
Alexander Afanasyev5d2820d2014-04-24 00:10:31 -0700137
Yingdi Yuc8f214c2014-04-29 20:39:37 -0700138 in.close();
139 }
Steve DiBenedetto2c2b8892014-02-27 11:46:48 -0700140
Yingdi Yuc8f214c2014-04-29 20:39:37 -0700141 std::string keyNameForLogging;
142 if (static_cast<bool>(id))
143 keyNameForLogging = id->getPublicKeyName().toUri();
144 else
145 {
146 keyNameForLogging = "wildcard";
147 NFD_LOG_WARN("Wildcard identity is intended for demo purpose only and " <<
148 "SHOULD NOT be used in production environment");
149 }
Steve DiBenedetto2c2b8892014-02-27 11:46:48 -0700150 const ConfigSection* privileges = 0;
Steve DiBenedetto2c2b8892014-02-27 11:46:48 -0700151 try
152 {
153 privileges = &authIt->second.get_child("privileges");
154 }
155 catch (const std::runtime_error& error)
156 {
Steve DiBenedetto1a3c6732014-03-13 06:44:05 -0600157 std::string msg = "No privileges section found for certificate file " +
Yingdi Yuc8f214c2014-04-29 20:39:37 -0700158 certfile + " (" + keyNameForLogging + ")";
Steve DiBenedetto2c2b8892014-02-27 11:46:48 -0700159 if (!isDryRun)
160 {
161 throw ConfigFile::Error(msg);
162 }
163 aggregateErrors(dryRunErrors, msg);
164 continue;
165 }
166
167 if (privileges->begin() == privileges->end())
168 {
Steve DiBenedetto1a3c6732014-03-13 06:44:05 -0600169 NFD_LOG_WARN("No privileges specified for certificate file " << certfile
Yingdi Yuc8f214c2014-04-29 20:39:37 -0700170 << " (" << keyNameForLogging << ")");
Steve DiBenedetto2c2b8892014-02-27 11:46:48 -0700171 }
172
173 ConfigSection::const_iterator privIt;
174 for (privIt = privileges->begin(); privIt != privileges->end(); privIt++)
175 {
176 const std::string& privilegeName = privIt->first;
177 if (m_supportedPrivileges.find(privilegeName) != m_supportedPrivileges.end())
178 {
179 NFD_LOG_INFO("Giving privilege \"" << privilegeName
Yingdi Yuc8f214c2014-04-29 20:39:37 -0700180 << "\" to identity " << keyNameForLogging);
Steve DiBenedetto2c2b8892014-02-27 11:46:48 -0700181 if (!isDryRun)
182 {
183 const std::string regex = "^<localhost><nfd><" + privilegeName + ">";
Yingdi Yuc8f214c2014-04-29 20:39:37 -0700184 if (static_cast<bool>(id))
185 m_validator.addInterestRule(regex, *id);
186 else
187 m_validator.addInterestBypassRule(regex);
Steve DiBenedetto2c2b8892014-02-27 11:46:48 -0700188 }
189 }
190 else
191 {
192 // Invalid configuration
Yingdi Yuc8f214c2014-04-29 20:39:37 -0700193 std::string msg = "Invalid privilege \"" + privilegeName +
194 "\" for certificate file " + certfile + " (" + keyNameForLogging + ")";
Steve DiBenedetto2c2b8892014-02-27 11:46:48 -0700195 if (!isDryRun)
196 {
197 throw ConfigFile::Error(msg);
198 }
199 aggregateErrors(dryRunErrors, msg);
200 }
201 }
202 }
203
204 if (!dryRunErrors.str().empty())
205 {
206 throw ConfigFile::Error(dryRunErrors.str());
207 }
208}
209
210void
211CommandValidator::addSupportedPrivilege(const std::string& privilege)
212{
213 if (m_supportedPrivileges.find(privilege) != m_supportedPrivileges.end())
214 {
Steve DiBenedetto1a3c6732014-03-13 06:44:05 -0600215 throw CommandValidator::Error("Duplicated privilege: " + privilege);
Steve DiBenedetto2c2b8892014-02-27 11:46:48 -0700216 }
217 m_supportedPrivileges.insert(privilege);
218}
219
220} // namespace nfd