29 #include <ndn-cxx/security/identity-certificate.hpp> 30 #include <ndn-cxx/security/validator-null.hpp> 31 #include <ndn-cxx/util/io.hpp> 33 #include <boost/filesystem.hpp> 41 shared_ptr<CommandAuthenticator>
47 CommandAuthenticator::CommandAuthenticator()
48 : m_validator(make_unique<ndn::ValidatorNull>())
56 bind(&CommandAuthenticator::processConfig,
this, _1, _2, _3));
60 CommandAuthenticator::processConfig(
const ConfigSection& section,
bool isDryRun,
const std::string& filename)
64 for (
auto& kv : m_moduleAuth) {
65 kv.second.allowAny =
false;
66 kv.second.certs.clear();
70 if (section.empty()) {
71 BOOST_THROW_EXCEPTION(
ConfigFile::Error(
"'authorize' is missing under 'authorizations'"));
74 int authSectionIndex = 0;
75 for (
const auto& kv : section) {
76 if (kv.first !=
"authorize") {
78 "'" + kv.first +
"' section is not permitted under 'authorizations'"));
84 certfile = authSection.get<std::string>(
"certfile");
86 catch (
const boost::property_tree::ptree_error&) {
88 "'certfile' is missing under authorize[" +
to_string(authSectionIndex) +
"]"));
92 shared_ptr<ndn::IdentityCertificate> cert;
93 if (certfile ==
"any") {
95 NFD_LOG_WARN(
"'certfile any' is intended for demo purposes only and " 96 "SHOULD NOT be used in production environments");
99 using namespace boost::filesystem;
100 path certfilePath = absolute(certfile, path(filename).parent_path());
101 cert = ndn::io::load<ndn::IdentityCertificate>(certfilePath.string());
102 if (cert ==
nullptr) {
104 "cannot load certfile " + certfilePath.string() +
105 " for authorize[" +
to_string(authSectionIndex) +
"]"));
111 privSection = &authSection.get_child(
"privileges");
113 catch (
const boost::property_tree::ptree_error&) {
115 "'privileges' is missing under authorize[" +
to_string(authSectionIndex) +
"]"));
118 if (privSection->empty()) {
119 NFD_LOG_WARN(
"No privileges granted to certificate " << certfile);
121 for (
const auto& kv : *privSection) {
122 const std::string& module = kv.first;
123 auto found = m_moduleAuth.find(module);
124 if (found == m_moduleAuth.end()) {
126 "unknown module '" + module +
"' under authorize[" +
to_string(authSectionIndex) +
"]"));
134 found->second.allowAny =
true;
135 NFD_LOG_INFO(
"authorize module=" << module <<
" signer=any");
138 const Name& keyName = cert->getPublicKeyName();
139 found->second.certs.emplace(keyName, cert->getPublicKeyInfo());
140 NFD_LOG_INFO(
"authorize module=" << module <<
" signer=" << keyName <<
141 " certfile=" << certfile);
152 m_moduleAuth[module];
154 auto self = this->shared_from_this();
155 return [=] (
const Name& prefix,
const Interest& interest,
159 const AuthorizedCerts& authorized =
self->m_moduleAuth.at(module);
160 if (authorized.allowAny) {
161 NFD_LOG_DEBUG(
"accept " << interest.getName() <<
" allowAny");
168 std::tie(isOk, keyName) = CommandAuthenticator::extractKeyName(interest);
170 NFD_LOG_DEBUG(
"reject " << interest.getName() <<
" bad-KeyLocator");
175 auto found = authorized.certs.find(keyName);
176 if (found == authorized.certs.end()) {
177 NFD_LOG_DEBUG(
"reject " << interest.getName() <<
" signer=" << keyName <<
" not-authorized");
184 NFD_LOG_DEBUG(
"reject " << interest.getName() <<
" signer=" << keyName <<
" bad-sig");
189 self->m_validator.validate(interest,
191 NFD_LOG_DEBUG(
"accept " << interest.getName() <<
" signer=" << keyName);
192 accept(keyName.
toUri());
195 NFD_LOG_DEBUG(
"reject " << interest.getName() <<
" signer=" << keyName <<
" invalid-timestamp");
201 std::pair<bool, Name>
202 CommandAuthenticator::extractKeyName(
const Interest& interest)
206 return {
false,
Name()};
214 return {
false,
Name()};
218 return {
false,
Name()};
223 return {
false,
Name()};
230 return {
false,
Name()};
static Name certificateNameToPublicKeyName(const Name &certificateName)
Get the public key name from the full certificate name.
const KeyLocator & getKeyLocator() const
Get KeyLocator.
std::string toUri() const
Encode this name as a URI.
reply with a ControlResponse where StatusCode is 403
configuration file parsing utility
const Name & getName() const
get Name element
represents an Interest packet
#define NFD_LOG_DEBUG(expression)
std::function< void(RejectReply act)> RejectContinuation
a function to be called if authorization is rejected
std::function< void(const std::string &requester)> AcceptContinuation
a function to be called if authorization is successful
indicates KeyLocator contains a Name
#define NFD_LOG_INFO(expression)
void setConfigFile(ConfigFile &configFile)
const size_t MIN_LENGTH
minimal number of components for Command Interest
Copyright (c) 2011-2015 Regents of the University of California.
void addSectionHandler(const std::string §ionName, ConfigSectionHandler subscriber)
setup notification of configuration file sections
bool hasKeyLocator() const
Check if KeyLocator is set.
ndn::mgmt::Authorization makeAuthorization(const std::string &module, const std::string &verb)
boost::property_tree::ptree ConfigSection
Name abstraction to represent an absolute name.
base class for a struct that contains ControlCommand parameters
size_t size() const
Get the number of components.
#define NFD_LOG_WARN(expression)
void wireDecode(const Block &wire)
Decode from a wire format.
provides ControlCommand authorization according to NFD configuration file
static shared_ptr< CommandAuthenticator > create()
const ssize_t POS_SIG_INFO
std::string to_string(const V &v)
static bool verifySignature(const Data &data, const v1::PublicKey &publicKey)
Verify the data using the publicKey.
#define NFD_LOG_INIT(name)
std::function< void(const Name &prefix, const Interest &interest, const ControlParameters *params, const AcceptContinuation &accept, const RejectContinuation &reject)> Authorization
a function that performs authorization
represents an error in TLV encoding or decoding
const Name & getName() const
1.8.13