29 #include <ndn-cxx/tag.hpp> 30 #include <ndn-cxx/security/v2/certificate-fetcher-offline.hpp> 31 #include <ndn-cxx/security/v2/certificate-request.hpp> 32 #include <ndn-cxx/security/v2/validation-policy.hpp> 33 #include <ndn-cxx/security/v2/validation-policy-accept-all.hpp> 34 #include <ndn-cxx/security/v2/validation-policy-command-interest.hpp> 35 #include <ndn-cxx/security/v2/validator.hpp> 36 #include <ndn-cxx/util/io.hpp> 38 #include <boost/filesystem.hpp> 58 if (signerTag ==
nullptr) {
62 return signerTag->get().toUri();
76 if (!state->getOutcome()) {
86 continueValidation(make_shared<sec2::CertificateRequest>(
Interest(klName)), state);
95 BOOST_ASSERT_MSG(
false,
"Data should not be passed to this policy");
99 shared_ptr<CommandAuthenticator>
105 CommandAuthenticator::CommandAuthenticator() =
default;
111 bind(&CommandAuthenticator::processConfig,
this, _1, _2, _3));
115 CommandAuthenticator::processConfig(
const ConfigSection& section,
bool isDryRun,
const std::string& filename)
119 for (
auto& kv : m_validators) {
120 kv.second = make_shared<sec2::Validator>(
121 make_unique<sec2::ValidationPolicyCommandInterest>(make_unique<CommandAuthenticatorValidationPolicy>()),
122 make_unique<sec2::CertificateFetcherOffline>());
126 if (section.empty()) {
127 BOOST_THROW_EXCEPTION(ConfigFile::Error(
"'authorize' is missing under 'authorizations'"));
130 int authSectionIndex = 0;
131 for (
const auto& kv : section) {
132 if (kv.first !=
"authorize") {
133 BOOST_THROW_EXCEPTION(ConfigFile::Error(
134 "'" + kv.first +
"' section is not permitted under 'authorizations'"));
138 std::string certfile;
140 certfile = authSection.get<std::string>(
"certfile");
142 catch (
const boost::property_tree::ptree_error&) {
143 BOOST_THROW_EXCEPTION(ConfigFile::Error(
144 "'certfile' is missing under authorize[" +
to_string(authSectionIndex) +
"]"));
148 shared_ptr<sec2::Certificate> cert;
149 if (certfile ==
"any") {
151 NFD_LOG_WARN(
"'certfile any' is intended for demo purposes only and " 152 "SHOULD NOT be used in production environments");
155 using namespace boost::filesystem;
156 path certfilePath = absolute(certfile, path(filename).parent_path());
157 cert = ndn::io::load<sec2::Certificate>(certfilePath.string());
158 if (cert ==
nullptr) {
159 BOOST_THROW_EXCEPTION(ConfigFile::Error(
160 "cannot load certfile " + certfilePath.string() +
161 " for authorize[" +
to_string(authSectionIndex) +
"]"));
167 privSection = &authSection.get_child(
"privileges");
169 catch (
const boost::property_tree::ptree_error&) {
170 BOOST_THROW_EXCEPTION(ConfigFile::Error(
171 "'privileges' is missing under authorize[" +
to_string(authSectionIndex) +
"]"));
174 if (privSection->empty()) {
175 NFD_LOG_WARN(
"No privileges granted to certificate " << certfile);
177 for (
const auto& kv : *privSection) {
178 const std::string& module = kv.first;
179 auto found = m_validators.find(module);
180 if (found == m_validators.end()) {
181 BOOST_THROW_EXCEPTION(ConfigFile::Error(
182 "unknown module '" + module +
"' under authorize[" +
to_string(authSectionIndex) +
"]"));
190 found->second = make_shared<sec2::Validator>(make_unique<sec2::ValidationPolicyAcceptAll>(),
191 make_unique<sec2::CertificateFetcherOffline>());
192 NFD_LOG_INFO(
"authorize module=" << module <<
" signer=any");
195 const Name& keyName = cert->getKeyName();
197 found->second->loadAnchor(certfile, std::move(certCopy));
198 NFD_LOG_INFO(
"authorize module=" << module <<
" signer=" << keyName <<
199 " certfile=" << certfile);
210 m_validators[module];
212 auto self = this->shared_from_this();
217 auto validator =
self->m_validators.at(module);
218 auto successCb = [accept, validator] (
const Interest& interest1) {
220 BOOST_ASSERT(signer1 ||
221 dynamic_cast<sec2::ValidationPolicyAcceptAll*>(&validator->getPolicy()) !=
nullptr);
222 std::string signer = signer1.value_or(
"*");
223 NFD_LOG_DEBUG(
"accept " << interest1.getName() <<
" signer=" << signer);
229 switch (err.getCode()) {
232 reply = RejectReply::SILENT;
236 reply = RejectReply::SILENT;
246 validator->validate(interest, successCb, failureCb);
249 NFD_LOG_DEBUG(
"reject " << interest.getName() <<
" signer=" <<
constexpr nullopt_t nullopt
void setTag(shared_ptr< T > tag) const
set a tag item
shared_ptr< T > getTag() const
get a tag item
The certificate following the certificate format naming convention.
const Interest & getOriginalInterest() const
RejectReply
indicate how to reply in case authorization is rejected
reply with a ControlResponse where StatusCode is 403
configuration file parsing utility
a validation policy that only permits Interest signed by a trust anchor
void checkPolicy(const Interest &interest, const shared_ptr< sec2::ValidationState > &state, const ValidationContinuation &continueValidation) final
Check interest against the policy.
Represents an Interest packet.
#define NFD_LOG_DEBUG(expression)
std::function< void(const std::string &requester)> AcceptContinuation
a function to be called if authorization is successful
Abstraction that implements validation policy for Data and Interest packets.
#define NFD_LOG_INFO(expression)
void setConfigFile(ConfigFile &configFile)
provides a tag type for simple types
std::function< void(const shared_ptr< CertificateRequest > &certRequest, const shared_ptr< ValidationState > &state)> ValidationContinuation
static Name getKeyLocatorName(const SignatureInfo &si, ValidationState &state)
std::function< void(RejectReply reply)> RejectContinuation
a function to be called if authorization is rejected
Validation state for an interest packet.
Copyright (c) 2011-2015 Regents of the University of California.
void addSectionHandler(const std::string §ionName, ConfigSectionHandler subscriber)
setup notification of configuration file sections
ndn::mgmt::Authorization makeAuthorization(const std::string &module, const std::string &verb)
static optional< std::string > getSignerFromTag(const Interest &interest)
obtain signer from SignerTag attached to Interest, if available
const size_t MIN_SIZE
minimal number of components for Command Interest
boost::property_tree::ptree ConfigSection
a config file section
Represents an absolute name.
base class for a struct that contains ControlCommand parameters
size_t size() const
Get number of components.
#define NFD_LOG_WARN(expression)
provides ControlCommand authorization according to NFD configuration file
static shared_ptr< CommandAuthenticator > create()
Validation error code and optional detailed error message.
std::string to_string(const V &v)
#define NFD_LOG_INIT(name)
Represents a Data packet.
std::function< void(const Name &prefix, const Interest &interest, const ControlParameters *params, const AcceptContinuation &accept, const RejectContinuation &reject)> Authorization
a function that performs authorization
void checkPolicy(const Data &data, const shared_ptr< sec2::ValidationState > &state, const ValidationContinuation &continueValidation) final
Check data against the policy.
const Name & getName() const