config-policy-manager.hpp

/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil -*- */
#ifndef NDN_CONFIG_POLICY_MANAGER_HPP
#define NDN_CONFIG_POLICY_MANAGER_HPP

#include <string>
#include <vector>
#include <map>
#include <ndn-cpp/security/policy/certificate-cache.hpp>
#include "policy-manager.hpp"

class TestVerificationRulesFriend;

namespace ndn {

class BoostInfoTree;
class BoostInfoParser;
class IdentityCertificate;

class ConfigPolicyManager : public PolicyManager {
public:
  ConfigPolicyManager
    (const std::string& configFileName = "",
     const ptr_lib::shared_ptr<CertificateCache>& certificateCache =
     ptr_lib::shared_ptr<CertificateCache>(), int searchDepth = 5,
     Milliseconds graceInterval = 3000, Milliseconds keyTimestampTtl = 3600000,
     int maxTrackedKeys = 1000);

  virtual
  ~ConfigPolicyManager();

  void
  reset();

  void
  load(const std::string& configFileName);

  void
  load(const std::string& input, const std::string& inputName);

  virtual bool
  skipVerifyAndTrust(const Data& data);

  virtual bool
  skipVerifyAndTrust(const Interest& interest);

  virtual bool
  requireVerify(const Data& data);

  virtual bool
  requireVerify(const Interest& interest);

  virtual ptr_lib::shared_ptr<ValidationRequest>
  checkVerificationPolicy
    (const ptr_lib::shared_ptr<Data>& data, int stepCount,
     const OnVerified& onVerified, const OnVerifyFailed& onVerifyFailed);

  virtual ptr_lib::shared_ptr<ValidationRequest>
  checkVerificationPolicy
    (const ptr_lib::shared_ptr<Interest>& interest, int stepCount,
     const OnVerifiedInterest& onVerified,
     const OnVerifyInterestFailed& onVerifyFailed, WireFormat& wireFormat);

  virtual bool
  checkSigningPolicy(const Name& dataName, const Name& certificateName);

  virtual Name
  inferSigningIdentity(const Name& dataName);

private:
  // Allow the unit tests to call private members.
  friend class ::TestVerificationRulesFriend;

  class TrustAnchorRefreshManager {
  public:
    TrustAnchorRefreshManager()
    {
    }

    static ptr_lib::shared_ptr<IdentityCertificate>
    loadIdentityCertificateFromFile(const std::string& filename);

    ptr_lib::shared_ptr<IdentityCertificate>
    getCertificate(Name certificateName) const
    {
      // Assume the timestamp is already removed.
      return certificateCache_.getCertificate(certificateName);
    }

    void
    addDirectory(const std::string& directoryName, Milliseconds refreshPeriod);

    void
    refreshAnchors();

  private:
    class DirectoryInfo {
    public:
      DirectoryInfo
        (const std::vector<std::string>& certificateNames,
         MillisecondsSince1970 nextRefresh, Milliseconds refreshPeriod)
      : certificateNames_(certificateNames), nextRefresh_(nextRefresh),
        refreshPeriod_(refreshPeriod)
      {
      }

      std::vector<std::string> certificateNames_;
      MillisecondsSince1970 nextRefresh_;
      Milliseconds refreshPeriod_;
    };

    CertificateCache certificateCache_;
    // refreshDirectories_ maps the directory name to certificate names so they
    //   can be deleted when necessary, and the next refresh time.
    std::map<std::string, ptr_lib::shared_ptr<DirectoryInfo> > refreshDirectories_;
  };

  void
  loadTrustAnchorCertificates();

  bool
  checkSignatureMatch
    (const Name& signatureName, const Name& objectName, const BoostInfoTree& rule);

  ptr_lib::shared_ptr<IdentityCertificate>
  lookupCertificate(const std::string& certID, bool isPath);

  const BoostInfoTree*
  findMatchingRule(const Name& objName, const std::string& matchType) const;

  static bool
  matchesRelation
    (const Name& name, const Name& matchName, const std::string& matchRelation);

  static ptr_lib::shared_ptr<Signature>
  extractSignature(const Interest& interest, WireFormat& wireFormat);

  bool
  interestTimestampIsFresh(const Name& keyName, MillisecondsSince1970 timestamp) const;

  void
  updateTimestampForKey(const Name& keyName, MillisecondsSince1970 timestamp);

  bool
  verify(const Signature* signatureInfo, const SignedBlob& signedBlob) const;

  ptr_lib::shared_ptr<Interest>
  getCertificateInterest
    (int stepCount, const std::string& matchType, const Name& objectName,
     const Signature* signature);

  void
  onCertificateDownloadComplete
    (const ptr_lib::shared_ptr<Data> &data,
     const ptr_lib::shared_ptr<Data> &originalData, int stepCount,
     const OnVerified& onVerified, const OnVerifyFailed& onVerifyFailed);

  void
  onCertificateDownloadCompleteForInterest
    (const ptr_lib::shared_ptr<Data> &data,
     const ptr_lib::shared_ptr<Interest> &originalInterest, int stepCount,
     const OnVerifiedInterest& onVerified,
     const OnVerifyInterestFailed& onVerifyFailed, WireFormat& wireFormat);

  ptr_lib::shared_ptr<CertificateCache> certificateCache_;
  int maxDepth_;
  Milliseconds keyGraceInterval_;
  Milliseconds keyTimestampTtl_;
  int maxTrackedKeys_;
  // fixedCertificateCache_ stores the fixed-signer certificate name associated with
  //    validation rules so we don't keep loading from files.
  std::map<std::string, std::string> fixedCertificateCache_;
  // keyTimestamps_ stores the timestamps for each public key used in command
  //   interests to avoid replay attacks.
  // key is the public key name, value is the last timestamp.
  std::map<std::string, MillisecondsSince1970> keyTimestamps_;
  ptr_lib::shared_ptr<BoostInfoParser> config_;
  bool requiresVerification_;
  ptr_lib::shared_ptr<TrustAnchorRefreshManager> refreshManager_;
};

}

#endif