public void testSimpleRegex()
{
ConfigPolicyManager policyManager = new ConfigPolicyManager(new FileInfo(System.IO.Path.Combine(policyConfigDirectory.FullName, "regex_ruleset.conf")).FullName);
Name dataName1 = new Name("/SecurityTestSecRule/Basic");
Name dataName2 = new Name("/SecurityTestSecRule/Basic/More");
Name dataName3 = new Name("/SecurityTestSecRule/");
Name dataName4 = new Name("/SecurityTestSecRule/Other/TestData");
Name dataName5 = new Name("/Basic/Data");
BoostInfoTree matchedRule1 = friendAccess.findMatchingRule(
policyManager, dataName1, "data");
BoostInfoTree matchedRule2 = friendAccess.findMatchingRule(
policyManager, dataName2, "data");
BoostInfoTree matchedRule3 = friendAccess.findMatchingRule(
policyManager, dataName3, "data");
BoostInfoTree matchedRule4 = friendAccess.findMatchingRule(
policyManager, dataName4, "data");
BoostInfoTree matchedRule5 = friendAccess.findMatchingRule(
policyManager, dataName5, "data");
Assert.AssertNotNull(matchedRule1);
Assert.AssertNull(matchedRule2);
Assert.AssertNotNull(matchedRule3);
Assert.AssertNotSame("Rule regex matched extra components", matchedRule3,
matchedRule1);
Assert.AssertNotNull(matchedRule4);
Assert.AssertNotSame("Rule regex matched with missing component",
matchedRule4, matchedRule1);
Assert.AssertNull(matchedRule5);
}
private static ConfigChecker createHierarchicalChecker(
BoostInfoTree configSection)
{
try {
// Ignore sig-type.
return(new ConfigHyperRelationChecker("^(<>*)$", "\\1",
"^(<>*)<KEY><>$", "\\1",
net.named_data.jndn.security.v2.validator_config.ConfigNameRelation.Relation.IS_PREFIX_OF));
} catch (NdnRegexMatcherBase.Error ex) {
throw new ValidatorConfigError(
"Error creating ConfigHyperRelationChecker: " + ex);
}
}
private static ConfigChecker createCustomizedChecker(
BoostInfoTree configSection)
{
// Ignore sig-type.
// Get checker.key-locator .
ArrayList <BoostInfoTree> keyLocatorSection = configSection
.get("key-locator");
if (keyLocatorSection.Count != 1)
{
throw new ValidatorConfigError("Expected one <checker.key-locator>");
}
return(createKeyLocatorChecker(keyLocatorSection[0]));
}
/// <summary>
/// Load the configuration from the given configSection. This replaces any
/// existing configuration.
/// </summary>
///
/// <param name="configSection"></param>
/// <param name="inputName">Used for log messages, etc.</param>
public void load(BoostInfoTree configSection, String inputName)
{
if (isConfigured_)
{
// Reset the previous configuration.
shouldBypass_ = false;
ILOG.J2CsMapping.Collections.Collections.Clear(dataRules_);
ILOG.J2CsMapping.Collections.Collections.Clear(interestRules_);
validator_.resetAnchors();
validator_.resetVerifiedCertificates();
}
isConfigured_ = true;
ArrayList <BoostInfoTree> validatorList = configSection.get("validator");
if (validatorList.Count != 1)
{
throw new ValidatorConfigError(
"ValidationPolicyConfig: Expected one validator section");
}
BoostInfoTree validatorSection = validatorList[0];
// Get the rules.
ArrayList <BoostInfoTree> ruleList = validatorSection.get("rule");
for (int i = 0; i < ruleList.Count; ++i)
{
ConfigRule rule = net.named_data.jndn.security.v2.validator_config.ConfigRule.create(ruleList[i]);
if (rule.getIsForInterest())
{
ILOG.J2CsMapping.Collections.Collections.Add(interestRules_, rule);
}
else
{
ILOG.J2CsMapping.Collections.Collections.Add(dataRules_, rule);
}
}
// Get the trust anchors.
ArrayList <BoostInfoTree> trustAnchorList = validatorSection
.get("trust-anchor");
for (int i_0 = 0; i_0 < trustAnchorList.Count; ++i_0)
{
processConfigTrustAnchor(trustAnchorList[i_0], inputName);
}
}
public void testHierarchical()
{
ConfigPolicyManager policyManager = new ConfigPolicyManager(
new FileInfo(System.IO.Path.Combine(policyConfigDirectory.FullName, "hierarchical_ruleset.conf")).FullName);
Name dataName1 = new Name("/SecurityTestSecRule/Basic/Data1");
Name dataName2 = new Name("/SecurityTestSecRule/Basic/Longer/Data2");
Data data1 = new Data(dataName1);
Data data2 = new Data(dataName2);
BoostInfoTree matchedRule = friendAccess.findMatchingRule(
policyManager, dataName1, "data");
Assert.AssertSame(matchedRule,
friendAccess.findMatchingRule(policyManager, dataName2, "data"));
keyChain.sign(data1, defaultCertName);
keyChain.sign(data2, defaultCertName);
Name signatureName1 = ((Sha256WithRsaSignature)data1.getSignature())
.getKeyLocator().getKeyName();
Name signatureName2 = ((Sha256WithRsaSignature)data2.getSignature())
.getKeyLocator().getKeyName();
String[] failureReason = new String[] { "unknown" };
Assert.AssertFalse(
"Hierarchical matcher matched short data name to long key name",
friendAccess.checkSignatureMatch(policyManager, signatureName1,
dataName1, matchedRule, failureReason));
Assert.AssertTrue(friendAccess.checkSignatureMatch(policyManager,
signatureName2, dataName2, matchedRule, failureReason));
keyChain.sign(data1, shortCertName);
keyChain.sign(data2, shortCertName);
signatureName1 = ((Sha256WithRsaSignature)data1.getSignature())
.getKeyLocator().getKeyName();
signatureName2 = ((Sha256WithRsaSignature)data1.getSignature())
.getKeyLocator().getKeyName();
Assert.AssertTrue(friendAccess.checkSignatureMatch(policyManager,
signatureName1, dataName1, matchedRule, failureReason));
Assert.AssertTrue(friendAccess.checkSignatureMatch(policyManager,
signatureName2, dataName2, matchedRule, failureReason));
}
/// <summary>
/// Create a filter from the configuration section.
/// </summary>
///
/// <param name="configSection"></param>
/// <returns>A new filter created from the configuration section.</returns>
public static ConfigFilter create(BoostInfoTree configSection)
{
String filterType = configSection.getFirstValue("type");
if (filterType == null)
{
throw new ValidatorConfigError("Expected <filter.type>");
}
if (filterType.Equals("name", StringComparison.InvariantCultureIgnoreCase))
{
return(createNameFilter(configSection));
}
else
{
throw new ValidatorConfigError("Unsupported filter.type: "
+ filterType);
}
}
private static ConfigChecker createKeyLocatorChecker(
BoostInfoTree configSection)
{
// Get checker.key-locator.type .
String keyLocatorType = configSection.getFirstValue("type");
if (keyLocatorType == null)
{
throw new ValidatorConfigError(
"Expected <checker.key-locator.type>");
}
if (keyLocatorType.Equals("name", StringComparison.InvariantCultureIgnoreCase))
{
return(createKeyLocatorNameChecker(configSection));
}
else
{
throw new ValidatorConfigError(
"Unsupported checker.key-locator.type: " + keyLocatorType);
}
}
/// <summary>
/// Get the "refresh" value. If the value is 9, return a period of one hour.
/// </summary>
///
/// <param name="configSection"></param>
/// <returns>The refresh period in milliseconds. However if there is no
/// "refresh" value, return a large number (effectively no refresh).</returns>
private static double getRefreshPeriod(BoostInfoTree configSection)
{
String refreshString = configSection.getFirstValue("refresh");
if (refreshString == null)
{
// Return a large value (effectively no refresh).
return(1e14d);
}
double refreshSeconds = 0;
Pattern regex1 = ILOG.J2CsMapping.Text.Pattern.Compile("(\\d+)([hms])");
Matcher refreshMatch = regex1.Matcher(refreshString);
if (refreshMatch.Find())
{
refreshSeconds = Int32.Parse(refreshMatch.Group(1));
if (!refreshMatch.Group(2).equals("s"))
{
refreshSeconds *= 60;
if (!refreshMatch.Group(2).equals("m"))
{
refreshSeconds *= 60;
}
}
}
if (refreshSeconds == 0.0d)
{
// Use an hour instead of 0.
return(3600 * 1000.0d);
}
else
{
// Convert from seconds to milliseconds.
return(refreshSeconds * 1000.0d);
}
}
/// <summary>
/// This is a helper for create() to create a filter from the configuration
/// section which is type "name".
/// </summary>
///
/// <param name="configSection">The section containing the definition of the filter.</param>
/// <returns>A new filter created from the configuration section.</returns>
private static ConfigFilter createNameFilter(BoostInfoTree configSection)
{
String nameUri = configSection.getFirstValue("name");
if (nameUri != null)
{
// Get the filter.name.
Name name = new Name(nameUri);
// Get the filter.relation.
String relationValue = configSection.getFirstValue("relation");
if (relationValue == null)
{
throw new ValidatorConfigError("Expected <filter.relation>");
}
ConfigNameRelation.Relation relation = net.named_data.jndn.security.v2.validator_config.ConfigNameRelation
.getNameRelationFromString(relationValue);
return(new ConfigRelationNameFilter(name, relation));
}
String regexString = configSection.getFirstValue("regex");
if (regexString != null)
{
try {
return(new ConfigRegexNameFilter(regexString));
} catch (Exception e) {
throw new ValidatorConfigError("Wrong filter.regex: "
+ regexString);
}
}
throw new ValidatorConfigError("Wrong filter(name) properties");
}
/// <summary>
/// Create a checker from the configuration section.
/// </summary>
///
/// <param name="configSection"></param>
/// <returns>A new checker created from the configuration section.</returns>
public static ConfigChecker create(BoostInfoTree configSection)
{
// Get checker.type.
String checkerType = configSection.getFirstValue("type");
if (checkerType == null)
{
throw new ValidatorConfigError("Expected <checker.type>");
}
if (checkerType.Equals("customized", StringComparison.InvariantCultureIgnoreCase))
{
return(createCustomizedChecker(configSection));
}
else if (checkerType.Equals("hierarchical", StringComparison.InvariantCultureIgnoreCase))
{
return(createHierarchicalChecker(configSection));
}
else
{
throw new ValidatorConfigError("Unsupported checker type: "
+ checkerType);
}
}
/// <summary>
/// Load the configuration from the given configSection. This replaces any
/// existing configuration.
/// </summary>
///
/// <param name="configSection"></param>
/// <param name="inputName">Used for log messages, etc.</param>
public void load(BoostInfoTree configSection, String inputName)
{
policyConfig_.load(configSection, inputName);
}
/// <summary>
/// Create a rule from configuration section.
/// </summary>
///
/// <param name="configSection"></param>
/// <returns>A new ConfigRule created from the configuration</returns>
public static ConfigRule create(BoostInfoTree configSection)
{
// Get rule.id .
String ruleId = configSection.getFirstValue("id");
if (ruleId == null)
{
throw new ValidatorConfigError("Expecting <rule.id>");
}
// Get rule.for .
String usage = configSection.getFirstValue("for");
if (usage == null)
{
throw new ValidatorConfigError("Expecting <rule.for> in rule: "
+ ruleId);
}
bool isForInterest;
if (usage.Equals("data", StringComparison.InvariantCultureIgnoreCase))
{
isForInterest = false;
}
else if (usage.Equals("interest", StringComparison.InvariantCultureIgnoreCase))
{
isForInterest = true;
}
else
{
throw new ValidatorConfigError("Unrecognized <rule.for>: " + usage
+ " in rule: " + ruleId);
}
ConfigRule rule = new ConfigRule(ruleId, isForInterest);
// Get rule.filter(s)
ArrayList <BoostInfoTree> filterList = configSection.get("filter");
for (int i = 0; i < filterList.Count; ++i)
{
rule.addFilter(net.named_data.jndn.security.v2.validator_config.ConfigFilter.create(filterList[i]));
}
// Get rule.checker(s)
ArrayList <BoostInfoTree> checkerList = configSection.get("checker");
for (int i_0 = 0; i_0 < checkerList.Count; ++i_0)
{
rule.addChecker(net.named_data.jndn.security.v2.validator_config.ConfigChecker.create(checkerList[i_0]));
}
// Check other stuff.
if (checkerList.Count == 0)
{
throw new ValidatorConfigError(
"No <rule.checker> is specified in rule: " + ruleId);
}
return(rule);
}
private static ConfigChecker createKeyLocatorNameChecker(
BoostInfoTree configSection)
{
String nameUri = configSection.getFirstValue("name");
if (nameUri != null)
{
Name name = new Name(nameUri);
String relationValue = configSection.getFirstValue("relation");
if (relationValue == null)
{
throw new ValidatorConfigError(
"Expected <checker.key-locator.relation>");
}
ConfigNameRelation.Relation relation = net.named_data.jndn.security.v2.validator_config.ConfigNameRelation
.getNameRelationFromString(relationValue);
return(new ConfigNameRelationChecker(name, relation));
}
String regexString = configSection.getFirstValue("regex");
if (regexString != null)
{
try {
return(new ConfigRegexChecker(regexString));
} catch (Exception e) {
throw new ValidatorConfigError(
"Invalid checker.key-locator.regex: " + regexString);
}
}
ArrayList <BoostInfoTree> hyperRelationList = configSection
.get("hyper-relation");
if (hyperRelationList.Count == 1)
{
BoostInfoTree hyperRelation = hyperRelationList[0];
// Get k-regex.
String keyRegex = hyperRelation.getFirstValue("k-regex");
if (keyRegex == null)
{
throw new ValidatorConfigError(
"Expected <checker.key-locator.hyper-relation.k-regex>");
}
// Get k-expand.
String keyExpansion = hyperRelation.getFirstValue("k-expand");
if (keyExpansion == null)
{
throw new ValidatorConfigError(
"Expected <checker.key-locator.hyper-relation.k-expand");
}
// Get h-relation.
String hyperRelationString = hyperRelation
.getFirstValue("h-relation");
if (hyperRelationString == null)
{
throw new ValidatorConfigError(
"Expected <checker.key-locator.hyper-relation.h-relation>");
}
// Get p-regex.
String packetNameRegex = hyperRelation.getFirstValue("p-regex");
if (packetNameRegex == null)
{
throw new ValidatorConfigError(
"Expected <checker.key-locator.hyper-relation.p-regex>");
}
// Get p-expand.
String packetNameExpansion = hyperRelation
.getFirstValue("p-expand");
if (packetNameExpansion == null)
{
throw new ValidatorConfigError(
"Expected <checker.key-locator.hyper-relation.p-expand>");
}
ConfigNameRelation.Relation relation_0 = net.named_data.jndn.security.v2.validator_config.ConfigNameRelation
.getNameRelationFromString(hyperRelationString);
try {
return(new ConfigHyperRelationChecker(packetNameRegex,
packetNameExpansion, keyRegex, keyExpansion, relation_0));
} catch (Exception e_1) {
throw new ValidatorConfigError(
"Invalid regex for key-locator.hyper-relation");
}
}
throw new ValidatorConfigError("Unsupported checker.key-locator");
}
/// <summary>
/// Process the trust-anchor configuration section and call
/// validator_.loadAnchor as needed.
/// </summary>
///
/// <param name="configSection"></param>
/// <param name="inputName">Used for log messages, etc.</param>
private void processConfigTrustAnchor(BoostInfoTree configSection,
String inputName)
{
String anchorType = configSection.getFirstValue("type");
if (anchorType == null)
{
throw new ValidatorConfigError("Expected <trust-anchor.type>");
}
if (anchorType.Equals("file", StringComparison.InvariantCultureIgnoreCase))
{
// Get trust-anchor.file .
String fileName = configSection.getFirstValue("file-name");
if (fileName == null)
{
throw new ValidatorConfigError(
"Expected <trust-anchor.file-name>");
}
double refreshPeriod = getRefreshPeriod(configSection);
try {
validator_.loadAnchor(fileName, fileName, refreshPeriod, false);
} catch (TrustAnchorContainer.Error ex) {
throw new ValidatorConfigError("Error in loadAnchor: " + ex);
}
return;
}
else if (anchorType.Equals("base64", StringComparison.InvariantCultureIgnoreCase))
{
// Get trust-anchor.base64-string .
String base64String = configSection.getFirstValue("base64-string");
if (base64String == null)
{
throw new ValidatorConfigError(
"Expected <trust-anchor.base64-string>");
}
byte[] encoding = net.named_data.jndn.util.Common.base64Decode(base64String);
CertificateV2 certificate = new CertificateV2();
try {
certificate.wireDecode(new Blob(encoding));
} catch (Exception ex_0) {
throw new ValidatorConfigError(
"Cannot decode certificate from base64-string: " + ex_0);
}
try {
validator_.loadAnchor("", certificate);
} catch (TrustAnchorContainer.Error ex_1) {
throw new ValidatorConfigError("Error in loadAnchor: " + ex_1);
}
return;
}
else if (anchorType.Equals("dir", StringComparison.InvariantCultureIgnoreCase))
{
// Get trust-anchor.dir .
String dirString = configSection.getFirstValue("dir");
if (dirString == null)
{
throw new ValidatorConfigError("Expected <trust-anchor.dir>");
}
double refreshPeriod_2 = getRefreshPeriod(configSection);
try {
validator_
.loadAnchor(dirString, dirString, refreshPeriod_2, true);
} catch (TrustAnchorContainer.Error ex_3) {
throw new ValidatorConfigError("Error in loadAnchor: " + ex_3);
}
return;
}
else if (anchorType.Equals("any", StringComparison.InvariantCultureIgnoreCase))
{
shouldBypass_ = true;
}
else
{
throw new ValidatorConfigError("Unsupported trust-anchor.type");
}
}
