mgmt: use v2 ValidationPolicy in CommandAuthenticator

refs #4089

Change-Id: I9a1cc77a960abe1e58a744f9d065634ab7597d15
diff --git a/daemon/mgmt/command-authenticator.cpp b/daemon/mgmt/command-authenticator.cpp
index 63ab319..30ee829 100644
--- a/daemon/mgmt/command-authenticator.cpp
+++ b/daemon/mgmt/command-authenticator.cpp
@@ -26,28 +26,83 @@
 #include "command-authenticator.hpp"
 #include "core/logger.hpp"
 
-#include <ndn-cxx/security/security-common.hpp>
-#include <ndn-cxx/security/verification-helpers.hpp>
+#include <ndn-cxx/tag.hpp>
+#include <ndn-cxx/security/v2/certificate-fetcher-offline.hpp>
+#include <ndn-cxx/security/v2/certificate-request.hpp>
+#include <ndn-cxx/security/v2/validation-policy.hpp>
+#include <ndn-cxx/security/v2/validation-policy-accept-all.hpp>
+#include <ndn-cxx/security/v2/validation-policy-command-interest.hpp>
+#include <ndn-cxx/security/v2/validator.hpp>
 #include <ndn-cxx/util/io.hpp>
 
 #include <boost/filesystem.hpp>
 
+namespace sec2 = ndn::security::v2;
+
 namespace nfd {
 
 NFD_LOG_INIT("CommandAuthenticator");
 // INFO: configuration change, etc
 // DEBUG: per authentication request result
 
+/** \brief an Interest tag to indicate command signer
+ */
+using SignerTag = ndn::SimpleTag<Name, 20>;
+
+/** \brief obtain signer from SignerTag attached to Interest, if available
+ */
+static ndn::optional<std::string>
+getSignerFromTag(const Interest& interest)
+{
+  shared_ptr<SignerTag> signerTag = interest.getTag<SignerTag>();
+  if (signerTag == nullptr) {
+    return ndn::nullopt;
+  }
+  else {
+    return signerTag->get().toUri();
+  }
+}
+
+/** \brief a validation policy that only permits Interest signed by a trust anchor
+ */
+class CommandAuthenticatorValidationPolicy : public sec2::ValidationPolicy
+{
+public:
+  void
+  checkPolicy(const Interest& interest, const shared_ptr<sec2::ValidationState>& state,
+              const ValidationContinuation& continueValidation) final
+  {
+    Name klName = getKeyLocatorName(interest, *state);
+    if (!state->getOutcome()) { // already failed
+      return;
+    }
+
+    // SignerTag must be placed on the 'original Interest' in ValidationState to be available for
+    // InterestValidationSuccessCallback. The 'interest' parameter refers to a different instance
+    // which is copied into 'original Interest'.
+    auto state1 = dynamic_pointer_cast<sec2::InterestValidationState>(state);
+    state1->getOriginalInterest().setTag(make_shared<SignerTag>(klName));
+
+    continueValidation(make_shared<sec2::CertificateRequest>(Interest(klName)), state);
+  }
+
+  void
+  checkPolicy(const Data& data, const shared_ptr<sec2::ValidationState>& state,
+              const ValidationContinuation& continueValidation) final
+  {
+    // Non-certificate Data are not handled by CommandAuthenticator.
+    // Non-anchor certificates cannot be retrieved by offline fetcher.
+    BOOST_ASSERT_MSG(false, "Data should not be passed to this policy");
+  }
+};
+
 shared_ptr<CommandAuthenticator>
 CommandAuthenticator::create()
 {
-  return shared_ptr<CommandAuthenticator>(new CommandAuthenticator());
+  return shared_ptr<CommandAuthenticator>(new CommandAuthenticator);
 }
 
-CommandAuthenticator::CommandAuthenticator()
-{
-  NFD_LOG_WARN("Command Interest timestamp checking is currently bypassed.");
-}
+CommandAuthenticator::CommandAuthenticator() = default;
 
 void
 CommandAuthenticator::setConfigFile(ConfigFile& configFile)
@@ -61,9 +116,10 @@
 {
   if (!isDryRun) {
     NFD_LOG_INFO("clear-authorizations");
-    for (auto& kv : m_moduleAuth) {
-      kv.second.allowAny = false;
-      kv.second.certs.clear();
+    for (auto& kv : m_validators) {
+      kv.second = make_shared<sec2::Validator>(
+        make_unique<sec2::ValidationPolicyCommandInterest>(make_unique<CommandAuthenticatorValidationPolicy>()),
+        make_unique<sec2::CertificateFetcherOffline>());
     }
   }
 
@@ -89,7 +145,7 @@
     }
 
     bool isAny = false;
-    shared_ptr<ndn::security::v2::Certificate> cert;
+    shared_ptr<sec2::Certificate> cert;
     if (certfile == "any") {
       isAny = true;
       NFD_LOG_WARN("'certfile any' is intended for demo purposes only and "
@@ -98,7 +154,7 @@
     else {
       using namespace boost::filesystem;
       path certfilePath = absolute(certfile, path(filename).parent_path());
-      cert = ndn::io::load<ndn::security::v2::Certificate>(certfilePath.string());
+      cert = ndn::io::load<sec2::Certificate>(certfilePath.string());
       if (cert == nullptr) {
         BOOST_THROW_EXCEPTION(ConfigFile::Error(
           "cannot load certfile " + certfilePath.string() +
@@ -120,8 +176,8 @@
     }
     for (const auto& kv : *privSection) {
       const std::string& module = kv.first;
-      auto found = m_moduleAuth.find(module);
-      if (found == m_moduleAuth.end()) {
+      auto found = m_validators.find(module);
+      if (found == m_validators.end()) {
         BOOST_THROW_EXCEPTION(ConfigFile::Error(
           "unknown module '" + module + "' under authorize[" + to_string(authSectionIndex) + "]"));
       }
@@ -131,12 +187,14 @@
       }
 
       if (isAny) {
-        found->second.allowAny = true;
+        found->second = make_shared<sec2::Validator>(make_unique<sec2::ValidationPolicyAcceptAll>(),
+                                                     make_unique<sec2::CertificateFetcherOffline>());
         NFD_LOG_INFO("authorize module=" << module << " signer=any");
       }
       else {
         const Name& keyName = cert->getKeyName();
-        found->second.certs.emplace(keyName, *cert);
+        sec2::Certificate certCopy = *cert;
+        found->second->loadAnchor(certfile, std::move(certCopy));
         NFD_LOG_INFO("authorize module=" << module << " signer=" << keyName <<
                      " certfile=" << certfile);
       }
@@ -149,90 +207,46 @@
 ndn::mgmt::Authorization
 CommandAuthenticator::makeAuthorization(const std::string& module, const std::string& verb)
 {
-  m_moduleAuth[module]; // declares module, so that privilege is recognized
+  m_validators[module]; // declares module, so that privilege is recognized
 
   auto self = this->shared_from_this();
   return [=] (const Name& prefix, const Interest& interest,
               const ndn::mgmt::ControlParameters* params,
               const ndn::mgmt::AcceptContinuation& accept,
               const ndn::mgmt::RejectContinuation& reject) {
-    const AuthorizedCerts& authorized = self->m_moduleAuth.at(module);
-    if (authorized.allowAny) {
-      NFD_LOG_DEBUG("accept " << interest.getName() << " allowAny");
-      accept("*");
-      return;
-    }
+    shared_ptr<sec2::Validator> validator = self->m_validators.at(module);
+    validator->validate(interest,
+      [accept, validator] (const Interest& interest1) {
+        auto signer1 = getSignerFromTag(interest1);
+        BOOST_ASSERT(signer1 || // signer must be available unless 'certfile any'
+          dynamic_cast<sec2::ValidationPolicyAcceptAll*>(&validator->getPolicy()) != nullptr);
+        std::string signer = signer1.value_or("*");
+        NFD_LOG_DEBUG("accept " << interest1.getName() << " signer=" << signer);
+        accept(signer);
+      },
+      [reject] (const Interest& interest1, const sec2::ValidationError& err) {
+        NFD_LOG_DEBUG("reject " << interest1.getName() << " signer=" <<
+                      getSignerFromTag(interest1).value_or("?") << ' ' << err);
 
-    bool isOk = false;
-    Name keyName;
-    std::tie(isOk, keyName) = CommandAuthenticator::extractKeyName(interest);
-    if (!isOk) {
-      NFD_LOG_DEBUG("reject " << interest.getName() << " bad-KeyLocator");
-      reject(ndn::mgmt::RejectReply::SILENT);
-      return;
-    }
-
-    auto found = authorized.certs.find(keyName);
-    if (found == authorized.certs.end()) {
-      NFD_LOG_DEBUG("reject " << interest.getName() << " signer=" << keyName << " not-authorized");
-      reject(ndn::mgmt::RejectReply::STATUS403);
-      return;
-    }
-
-    bool hasGoodSig = ndn::security::verifySignature(interest, found->second);
-    if (!hasGoodSig) {
-      NFD_LOG_DEBUG("reject " << interest.getName() << " signer=" << keyName << " bad-sig");
-      reject(ndn::mgmt::RejectReply::STATUS403);
-      return;
-    }
-
-    //self->m_validator.validate(interest,
-    //  bind([=] {
-    //    NFD_LOG_DEBUG("accept " << interest.getName() << " signer=" << keyName);
-    //    accept(keyName.toUri());
-    //  }),
-    //  bind([=] {
-    //    NFD_LOG_DEBUG("reject " << interest.getName() << " signer=" << keyName << " invalid-timestamp");
-    //    reject(ndn::mgmt::RejectReply::STATUS403);
-    //  }));
-
-    /// \todo restore timestamp checking
-    NFD_LOG_DEBUG("accept " << interest.getName() << " signer=" << keyName);
-    accept(keyName.toUri());
+        using ndn::mgmt::RejectReply;
+        RejectReply reply = RejectReply::STATUS403;
+        using ErrCode = sec2::ValidationError::Code;
+        switch (err.getCode()) {
+          case ErrCode::NO_SIGNATURE:
+          case ErrCode::INVALID_KEY_LOCATOR:
+            reply = RejectReply::SILENT;
+            break;
+          case ErrCode::POLICY_ERROR:
+            if (interest1.getName().size() < ndn::command_interest::MIN_SIZE) { // "name too short"
+              reply = RejectReply::SILENT;
+            }
+            break;
+          default:
+            break;
+        }
+        reject(reply);
+      });
   };
 }
 
-std::pair<bool, Name>
-CommandAuthenticator::extractKeyName(const Interest& interest)
-{
-  const Name& name = interest.getName();
-  if (name.size() < ndn::command_interest::MIN_SIZE) {
-    return {false, Name()};
-  }
-
-  ndn::SignatureInfo sig;
-  try {
-    sig.wireDecode(name[ndn::command_interest::POS_SIG_INFO].blockFromValue());
-  }
-  catch (const tlv::Error&) {
-    return {false, Name()};
-  }
-
-  if (!sig.hasKeyLocator()) {
-    return {false, Name()};
-  }
-
-  const ndn::KeyLocator& keyLocator = sig.getKeyLocator();
-  if (keyLocator.getType() != ndn::KeyLocator::KeyLocator_Name) {
-    return {false, Name()};
-  }
-
-  try {
-    return {true, keyLocator.getName()};
-  }
-  catch (const std::invalid_argument&) {
-    return {false, Name()};
-  }
-}
-
 } // namespace nfd