Ejemplo n.º 1
// Parse the 'authorizations' section of the NFD config file and, unless this
// is a dry run, rebuild m_moduleAuth from it.
//
// section   - the 'authorizations' subtree; must contain only 'authorize' entries
// isDryRun  - true: validate the section and throw on errors, never mutate state
// filename  - path of the config file; relative certfile paths resolve against
//             its directory
// Throws ConfigFile::Error on any malformed or unresolvable entry.
//
// NOTE(review): in apply mode every existing grant is cleared *before* the
// section is validated, so an entry that throws part-way leaves the table
// cleared / partially refilled. Presumably the caller validates the whole file
// with isDryRun=true first — confirm against ConfigFile::parse.
void
CommandAuthenticator::processConfig(const ConfigSection& section, bool isDryRun, const std::string& filename)
{
  if (!isDryRun) {
    NFD_LOG_INFO("clear-authorizations");
    // Every module starts from "nobody is authorized".
    for (auto& entry : m_moduleAuth) {
      entry.second.allowAny = false;
      entry.second.certs.clear();
    }
  }

  if (section.empty()) {
    BOOST_THROW_EXCEPTION(ConfigFile::Error("'authorize' is missing under 'authorizations'"));
  }

  int index = 0;
  for (const auto& entry : section) {
    const std::string& key = entry.first;
    const ConfigSection& authSection = entry.second;
    if (key != "authorize") {
      BOOST_THROW_EXCEPTION(ConfigFile::Error(
        "'" + key + "' section is not permitted under 'authorizations'"));
    }
    // Position label shared by every error raised for this entry.
    auto location = [&index] { return "authorize[" + to_string(index) + "]"; };

    std::string certfile;
    try {
      certfile = authSection.get<std::string>("certfile");
    }
    catch (const boost::property_tree::ptree_error&) {
      BOOST_THROW_EXCEPTION(ConfigFile::Error("'certfile' is missing under " + location()));
    }

    // 'any' is a wildcard signer: no certificate is loaded and cert stays null,
    // so it must only be dereferenced on the !isAny path below.
    const bool isAny = (certfile == "any");
    shared_ptr<ndn::IdentityCertificate> cert;
    if (isAny) {
      NFD_LOG_WARN("'certfile any' is intended for demo purposes only and "
                   "SHOULD NOT be used in production environments");
    }
    else {
      namespace fs = boost::filesystem;
      // Relative certfile paths are interpreted relative to the config file.
      fs::path certfilePath = fs::absolute(certfile, fs::path(filename).parent_path());
      cert = ndn::io::load<ndn::IdentityCertificate>(certfilePath.string());
      if (cert == nullptr) {
        BOOST_THROW_EXCEPTION(ConfigFile::Error(
          "cannot load certfile " + certfilePath.string() + " for " + location()));
      }
    }

    const ConfigSection* privSection = nullptr;
    try {
      privSection = &authSection.get_child("privileges");
    }
    catch (const boost::property_tree::ptree_error&) {
      BOOST_THROW_EXCEPTION(ConfigFile::Error("'privileges' is missing under " + location()));
    }

    if (privSection->empty()) {
      NFD_LOG_WARN("No privileges granted to certificate " << certfile);
    }
    for (const auto& priv : *privSection) {
      const std::string& module = priv.first;
      // Unknown module names are a hard error even in dry-run mode.
      auto authIt = m_moduleAuth.find(module);
      if (authIt == m_moduleAuth.end()) {
        BOOST_THROW_EXCEPTION(ConfigFile::Error(
          "unknown module '" + module + "' under " + location()));
      }

      // Dry run: checks only, the table is never touched.
      if (isDryRun) {
        continue;
      }

      if (isAny) {
        authIt->second.allowAny = true;
        NFD_LOG_INFO("authorize module=" << module << " signer=any");
        continue;
      }

      const Name& keyName = cert->getPublicKeyName();
      // emplace keeps an existing entry for keyName rather than overwriting it
      // (assuming certs is a std map-like container — verify).
      authIt->second.certs.emplace(keyName, cert->getPublicKeyInfo());
      NFD_LOG_INFO("authorize module=" << module << " signer=" << keyName <<
                   " certfile=" << certfile);
    }

    ++index;
  }
}
Ejemplo n.º 2
// Parse the 'authorizations' section of the NFD config file and, unless this
// is a dry run, rebuild the per-module validators in m_validators from it.
//
// section   - the 'authorizations' subtree; must contain only 'authorize' entries
// isDryRun  - true: validate the section and throw on errors, never mutate state
// filename  - path of the config file; relative certfile paths resolve against
//             its directory
// Throws ConfigFile::Error on any malformed or unresolvable entry.
//
// NOTE(review): in apply mode every module's validator is replaced *before*
// the section is validated, so an entry that throws part-way leaves modules
// with empty or partially loaded validators. Presumably the caller validates
// the whole file with isDryRun=true first — confirm against ConfigFile::parse.
void
CommandAuthenticator::processConfig(const ConfigSection& section, bool isDryRun, const std::string& filename)
{
  if (!isDryRun) {
    NFD_LOG_INFO("clear-authorizations");
    // Each module gets a fresh validator with no trust anchors; anchors (or an
    // accept-all policy) are attached per entry below.
    for (auto& entry : m_validators) {
      auto policy = make_unique<sec2::ValidationPolicyCommandInterest>(
        make_unique<CommandAuthenticatorValidationPolicy>());
      entry.second = make_shared<sec2::Validator>(std::move(policy),
                                                  make_unique<sec2::CertificateFetcherOffline>());
    }
  }

  if (section.empty()) {
    NDN_THROW(ConfigFile::Error("'authorize' is missing under 'authorizations'"));
  }

  int index = 0;
  for (const auto& entry : section) {
    const std::string& key = entry.first;
    const ConfigSection& authSection = entry.second;
    if (key != "authorize") {
      NDN_THROW(ConfigFile::Error("'" + key + "' section is not permitted under 'authorizations'"));
    }
    // Position label shared by every error raised for this entry.
    auto location = [&index] { return "authorize[" + to_string(index) + "]"; };

    std::string certfile;
    try {
      certfile = authSection.get<std::string>("certfile");
    }
    catch (const boost::property_tree::ptree_error&) {
      NDN_THROW(ConfigFile::Error("'certfile' is missing under " + location()));
    }

    // 'any' is a wildcard signer: no certificate is loaded and cert stays null,
    // so it must only be dereferenced on the !isAny path below.
    const bool isAny = (certfile == "any");
    shared_ptr<sec2::Certificate> cert;
    if (isAny) {
      NFD_LOG_WARN("'certfile any' is intended for demo purposes only and "
                   "SHOULD NOT be used in production environments");
    }
    else {
      namespace fs = boost::filesystem;
      // Relative certfile paths are interpreted relative to the config file.
      fs::path certfilePath = fs::absolute(certfile, fs::path(filename).parent_path());
      cert = ndn::io::load<sec2::Certificate>(certfilePath.string());
      if (cert == nullptr) {
        NDN_THROW(ConfigFile::Error("cannot load certfile " + certfilePath.string() +
                                    " for " + location()));
      }
    }

    const ConfigSection* privSection = nullptr;
    try {
      privSection = &authSection.get_child("privileges");
    }
    catch (const boost::property_tree::ptree_error&) {
      NDN_THROW(ConfigFile::Error("'privileges' is missing under " + location()));
    }

    if (privSection->empty()) {
      NFD_LOG_WARN("No privileges granted to certificate " << certfile);
    }
    for (const auto& priv : *privSection) {
      const std::string& module = priv.first;
      // Unknown module names are a hard error even in dry-run mode.
      auto validatorIt = m_validators.find(module);
      if (validatorIt == m_validators.end()) {
        NDN_THROW(ConfigFile::Error("unknown module '" + module +
                                    "' under " + location()));
      }

      // Dry run: checks only, validators are never touched.
      if (isDryRun) {
        continue;
      }

      if (isAny) {
        // Wildcard: swap in a validator that accepts every signer.
        validatorIt->second = make_shared<sec2::Validator>(make_unique<sec2::ValidationPolicyAcceptAll>(),
                                                           make_unique<sec2::CertificateFetcherOffline>());
        NFD_LOG_INFO("authorize module=" << module << " signer=any");
        continue;
      }

      const Name& keyName = cert->getKeyName();
      // loadAnchor consumes its certificate argument, so hand it a copy and keep
      // the shared cert usable for the remaining privilege entries of this block.
      sec2::Certificate anchor = *cert;
      validatorIt->second->loadAnchor(certfile, std::move(anchor));
      NFD_LOG_INFO("authorize module=" << module << " signer=" << keyName << " certfile=" << certfile);
    }

    ++index;
  }
}