command-authenticator.cpp
Go to the documentation of this file.
1 /* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
2 /*
3  * Copyright (c) 2014-2020, Regents of the University of California,
4  * Arizona Board of Regents,
5  * Colorado State University,
6  * University Pierre & Marie Curie, Sorbonne University,
7  * Washington University in St. Louis,
8  * Beijing Institute of Technology,
9  * The University of Memphis.
10  *
11  * This file is part of NFD (Named Data Networking Forwarding Daemon).
12  * See AUTHORS.md for complete list of NFD authors and contributors.
13  *
14  * NFD is free software: you can redistribute it and/or modify it under the terms
15  * of the GNU General Public License as published by the Free Software Foundation,
16  * either version 3 of the License, or (at your option) any later version.
17  *
18  * NFD is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
19  * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
20  * PURPOSE. See the GNU General Public License for more details.
21  *
22  * You should have received a copy of the GNU General Public License along with
23  * NFD, e.g., in COPYING.md file. If not, see <http://www.gnu.org/licenses/>.
24  */
25 
27 #include "common/logger.hpp"
28 
29 #include <ndn-cxx/tag.hpp>
30 #include <ndn-cxx/security/certificate-fetcher-offline.hpp>
31 #include <ndn-cxx/security/certificate-request.hpp>
32 #include <ndn-cxx/security/validation-policy.hpp>
33 #include <ndn-cxx/security/validation-policy-accept-all.hpp>
34 #include <ndn-cxx/security/validation-policy-command-interest.hpp>
35 #include <ndn-cxx/security/validator.hpp>
36 #include <ndn-cxx/util/io.hpp>
37 
38 #include <boost/filesystem.hpp>
39 
40 namespace security = ndn::security;
41 
42 namespace nfd {
43 
44 NFD_LOG_INIT(CommandAuthenticator);
45 // INFO: configuration change, etc
46 // DEBUG: per authentication request result
47 
50 using SignerTag = ndn::SimpleTag<Name, 20>;
51 
54 static optional<std::string>
55 getSignerFromTag(const Interest& interest)
56 {
57  shared_ptr<SignerTag> signerTag = interest.getTag<SignerTag>();
58  if (signerTag == nullptr) {
59  return nullopt;
60  }
61  else {
62  return signerTag->get().toUri();
63  }
64 }
65 
68 class CommandAuthenticatorValidationPolicy : public security::ValidationPolicy
69 {
70 public:
71  void
72  checkPolicy(const Interest& interest, const shared_ptr<security::ValidationState>& state,
73  const ValidationContinuation& continueValidation) final
74  {
75  Name klName = getKeyLocatorName(interest, *state);
76  if (!state->getOutcome()) { // already failed
77  return;
78  }
79 
80  // SignerTag must be placed on the 'original Interest' in ValidationState to be available for
81  // InterestValidationSuccessCallback. The 'interest' parameter refers to a different instance
82  // which is copied into 'original Interest'.
83  auto state1 = dynamic_pointer_cast<security::InterestValidationState>(state);
84  state1->getOriginalInterest().setTag(make_shared<SignerTag>(klName));
85 
86  continueValidation(make_shared<security::CertificateRequest>(Interest(klName)), state);
87  }
88 
89  void
90  checkPolicy(const Data& data, const shared_ptr<security::ValidationState>& state,
91  const ValidationContinuation& continueValidation) final
92  {
93  // Non-certificate Data are not handled by CommandAuthenticator.
94  // Non-anchor certificates cannot be retrieved by offline fetcher.
95  BOOST_ASSERT_MSG(false, "Data should not be passed to this policy");
96  }
97 };
98 
99 shared_ptr<CommandAuthenticator>
101 {
102  return shared_ptr<CommandAuthenticator>(new CommandAuthenticator);
103 }
104 
105 CommandAuthenticator::CommandAuthenticator() = default;
106 
107 void
109 {
110  configFile.addSectionHandler("authorizations",
111  bind(&CommandAuthenticator::processConfig, this, _1, _2, _3));
112 }
113 
114 void
115 CommandAuthenticator::processConfig(const ConfigSection& section, bool isDryRun, const std::string& filename)
116 {
117  if (!isDryRun) {
118  NFD_LOG_INFO("clear-authorizations");
119  for (auto& kv : m_validators) {
120  kv.second = make_shared<security::Validator>(
121  make_unique<security::ValidationPolicyCommandInterest>(make_unique<CommandAuthenticatorValidationPolicy>()),
122  make_unique<security::CertificateFetcherOffline>());
123  }
124  }
125 
126  if (section.empty()) {
127  NDN_THROW(ConfigFile::Error("'authorize' is missing under 'authorizations'"));
128  }
129 
130  int authSectionIndex = 0;
131  for (const auto& kv : section) {
132  if (kv.first != "authorize") {
133  NDN_THROW(ConfigFile::Error("'" + kv.first + "' section is not permitted under 'authorizations'"));
134  }
135  const ConfigSection& authSection = kv.second;
136 
137  std::string certfile;
138  try {
139  certfile = authSection.get<std::string>("certfile");
140  }
141  catch (const boost::property_tree::ptree_error&) {
142  NDN_THROW(ConfigFile::Error("'certfile' is missing under authorize[" +
143  to_string(authSectionIndex) + "]"));
144  }
145 
146  bool isAny = false;
147  shared_ptr<security::Certificate> cert;
148  if (certfile == "any") {
149  isAny = true;
150  NFD_LOG_WARN("'certfile any' is intended for demo purposes only and "
151  "SHOULD NOT be used in production environments");
152  }
153  else {
154  using namespace boost::filesystem;
155  path certfilePath = absolute(certfile, path(filename).parent_path());
156  cert = ndn::io::load<security::Certificate>(certfilePath.string());
157  if (cert == nullptr) {
158  NDN_THROW(ConfigFile::Error("cannot load certfile " + certfilePath.string() +
159  " for authorize[" + to_string(authSectionIndex) + "]"));
160  }
161  }
162 
163  const ConfigSection* privSection = nullptr;
164  try {
165  privSection = &authSection.get_child("privileges");
166  }
167  catch (const boost::property_tree::ptree_error&) {
168  NDN_THROW(ConfigFile::Error("'privileges' is missing under authorize[" +
169  to_string(authSectionIndex) + "]"));
170  }
171 
172  if (privSection->empty()) {
173  NFD_LOG_WARN("No privileges granted to certificate " << certfile);
174  }
175  for (const auto& kv : *privSection) {
176  const std::string& module = kv.first;
177  auto found = m_validators.find(module);
178  if (found == m_validators.end()) {
179  NDN_THROW(ConfigFile::Error("unknown module '" + module +
180  "' under authorize[" + to_string(authSectionIndex) + "]"));
181  }
182 
183  if (isDryRun) {
184  continue;
185  }
186 
187  if (isAny) {
188  found->second = make_shared<security::Validator>(make_unique<security::ValidationPolicyAcceptAll>(),
189  make_unique<security::CertificateFetcherOffline>());
190  NFD_LOG_INFO("authorize module=" << module << " signer=any");
191  }
192  else {
193  const Name& keyName = cert->getKeyName();
194  security::Certificate certCopy = *cert;
195  found->second->loadAnchor(certfile, std::move(certCopy));
196  NFD_LOG_INFO("authorize module=" << module << " signer=" << keyName << " certfile=" << certfile);
197  }
198  }
199 
200  ++authSectionIndex;
201  }
202 }
203 
204 ndn::mgmt::Authorization
205 CommandAuthenticator::makeAuthorization(const std::string& module, const std::string& verb)
206 {
207  m_validators[module]; // declares module, so that privilege is recognized
208 
209  auto self = this->shared_from_this();
210  return [=] (const Name&, const Interest& interest,
211  const ndn::mgmt::ControlParameters*,
212  const ndn::mgmt::AcceptContinuation& accept,
213  const ndn::mgmt::RejectContinuation& reject) {
214  auto validator = self->m_validators.at(module);
215  auto successCb = [accept, validator] (const Interest& interest1) {
216  auto signer1 = getSignerFromTag(interest1);
217  BOOST_ASSERT(signer1 || // signer must be available unless 'certfile any'
218  dynamic_cast<security::ValidationPolicyAcceptAll*>(&validator->getPolicy()) != nullptr);
219  std::string signer = signer1.value_or("*");
220  NFD_LOG_DEBUG("accept " << interest1.getName() << " signer=" << signer);
221  accept(signer);
222  };
223  auto failureCb = [reject] (const Interest& interest1, const security::ValidationError& err) {
224  using ndn::mgmt::RejectReply;
225  RejectReply reply = RejectReply::STATUS403;
226  switch (err.getCode()) {
227  case security::ValidationError::NO_SIGNATURE:
228  case security::ValidationError::INVALID_KEY_LOCATOR:
229  reply = RejectReply::SILENT;
230  break;
231  case security::ValidationError::POLICY_ERROR:
232  if (interest1.getName().size() < ndn::command_interest::MIN_SIZE) { // "name too short"
233  reply = RejectReply::SILENT;
234  }
235  break;
236  }
237  NFD_LOG_DEBUG("reject " << interest1.getName() << " signer=" <<
238  getSignerFromTag(interest1).value_or("?") << " reason=" << err);
239  reject(reply);
240  };
241 
242  if (validator) {
243  validator->validate(interest, successCb, failureCb);
244  }
245  else {
246  NFD_LOG_DEBUG("reject " << interest.getName() << " signer=" <<
247  getSignerFromTag(interest).value_or("?") << " reason=Unauthorized");
248  reject(ndn::mgmt::RejectReply::STATUS403);
249  }
250  };
251 }
252 
253 } // namespace nfd
ndn::SimpleTag< Name, 20 > SignerTag
an Interest tag to indicate command signer
void addSectionHandler(const std::string &sectionName, ConfigSectionHandler subscriber)
setup notification of configuration file sections
Definition: config-file.cpp:77
configuration file parsing utility
Definition: config-file.hpp:57
ndn::mgmt::Authorization makeAuthorization(const std::string &module, const std::string &verb)
Provides ControlCommand authorization according to NFD configuration file.
boost::property_tree::ptree ConfigSection
a config file section
Definition: config-file.hpp:37
Copyright (c) 2014-2015, Regents of the University of California, Arizona Board of Regents...
Definition: algorithm.hpp:32
static optional< std::string > getSignerFromTag(const Interest &interest)
obtain signer from SignerTag attached to Interest, if available
#define NFD_LOG_WARN
Definition: logger.hpp:40
static shared_ptr< CommandAuthenticator > create()
#define NFD_LOG_INFO
Definition: logger.hpp:39
#define NFD_LOG_DEBUG
Definition: logger.hpp:38
#define NFD_LOG_INIT(name)
Definition: logger.hpp:31
void setConfigFile(ConfigFile &configFile)