def test_match(self): name = Name("/edu/cmu/andrew/user/3498478") name2 = Name(name) self.assertTrue(name.match(name2), 'Name does not match deep copy of itself') name2 = name[:2] self.assertTrue(name2.match(name), 'Name did not match prefix') self.assertFalse(name.match(name2), 'Name should not match shorter name') self.assertTrue(Name().match(name), 'Empty name should always match another')
def test_match(self): name = Name("/edu/cmu/andrew/user/3498478") name2 = Name(name) self.assertTrue(name.match(name2), 'Name does not match deep copy of itself') name2 = name.getPrefix(2) self.assertTrue(name2.match(name), 'Name did not match prefix') self.assertFalse(name.match(name2), 'Name should not match shorter name') self.assertTrue(Name().match(name), 'Empty name should always match another')
def _onCommandReceived(self, prefix, interest, transport, prefixId): # first off, we shouldn't be here if we have no configured environment # just let this interest time out if (self._policyManager.getTrustRootIdentity() is None or self._policyManager.getEnvironmentPrefix() is None): return # if this is a cert request, we can serve it from our store (if it exists) certData = self._identityStorage.getCertificate(interest.getName()) if certData is not None: self.log.info("Serving certificate request") # if we sign the certificate, we lose the controller's signature! self.sendData(certData, transport, False) return # else we must look in our command list to see if this requires verification # we dispatch directly or after verification as necessary # now we look for the first command that matches in our config self.log.debug("Received {}".format(interest.getName().toUri())) for command in self._commands: fullCommandName = Name(self.prefix).append(Name(command.suffix)) if fullCommandName.match(interest.getName()): dispatchFunc = command.function if not command.isSigned: responseData = dispatchFunc(interest) self.sendData(responseData, transport) else: try: self._keyChain.verifyInterest( interest, self._makeVerifiedCommandDispatch( dispatchFunc, transport), self.verificationFailed) return except Exception as e: self.log.exception("Exception while verifying command", exc_info=True) self.verificationFailed(interest) return #if we get here, just let it timeout return
def _onCommandReceived(self, prefix, interest, transport, prefixId): # first off, we shouldn't be here if we have no configured environment # just let this interest time out if (self._policyManager.getTrustRootIdentity() is None or self._policyManager.getEnvironmentPrefix() is None): return # if this is a cert request, we can serve it from our store (if it exists) certData = self._identityStorage.getCertificate(interest.getName()) if certData is not None: self.log.info("Serving certificate request") # if we sign the certificate, we lose the controller's signature! self.sendData(certData, transport, False) return # else we must look in our command list to see if this requires verification # we dispatch directly or after verification as necessary # now we look for the first command that matches in our config self.log.debug("Received {}".format(interest.getName().toUri())) for command in self._commands: fullCommandName = Name(self.prefix).append(Name(command.suffix)) if fullCommandName.match(interest.getName()): dispatchFunc = command.function if not command.isSigned: responseData = dispatchFunc(interest) self.sendData(responseData, transport) else: try: self._keyChain.verifyInterest(interest, self._makeVerifiedCommandDispatch(dispatchFunc, transport), self.verificationFailed) return except Exception as e: self.log.exception("Exception while verifying command", exc_info=True) self.verificationFailed(interest) return #if we get here, just let it timeout return
class IotPolicyManager(ConfigPolicyManager): def __init__(self, identityStorage, configFilename=None): """ :param pyndn.IdentityStorage: A class that stores signing identities and certificates. :param str configFilename: A configuration file specifying validation rules and network name settings. """ # use the default configuration where possible # TODO: use environment variable for this, fall back to default path = os.path.dirname(__file__) templateFilename = os.path.join(path, '.default.conf') self._configTemplate = BoostInfoParser() self._configTemplate.read(templateFilename) if configFilename is None: configFilename = templateFilename certificateCache = CertificateCache() super(IotPolicyManager, self).__init__(configFilename, certificateCache) self._identityStorage = identityStorage self.setEnvironmentPrefix(None) self.setTrustRootIdentity(None) self.setDeviceIdentity(None) def updateTrustRules(self): """ Should be called after either the device identity, trust root or network prefix is changed. Not called automatically in case they are all changing (typical for bootstrapping). Resets the validation rules if we don't have a trust root or enivronment """ validatorTree = self._configTemplate["validator"][0].clone() if (self._environmentPrefix.size() > 0 and self._trustRootIdentity.size() > 0 and self._deviceIdentity.size() > 0): # don't sneak in a bad identity if not self._environmentPrefix.match(self._deviceIdentity): raise SecurityException("Device identity does not belong to configured network!") environmentUri = self._environmentPrefix.toUri() deviceUri = self._deviceIdentity.toUri() for rule in validatorTree["rule"]: ruleId = rule["id"][0].value if ruleId == 'Certificate Trust': #modify the 'Certificate Trust' rule rule["checker/key-locator/name"][0].value = environmentUri elif ruleId == 'Command Interests': rule["filter/name"][0].value = deviceUri rule["checker/key-locator/name"][0].value = environmentUri #remove old validation rules from config # replace with new validator rules self.config._root.subtrees["validator"] = [validatorTree] def inferSigningIdentity(self, fromName): """ Used to map Data or Interest names to identitites. :param pyndn.Name fromName: The name of a Data or Interest packet """ # works if you have an IotIdentityStorage return self._identityStorage.inferIdentityForName(fromName) def setTrustRootIdentity(self, identityName): """ : param pyndn.Name identityName: The new identity to trust as the controller. """ self._trustRootIdentity = Name(identityName) def getTrustRootIdentity(self): """ : return pyndn.Name: The trusted controller's network name. """ return Name(self._trustRootIdentity) def setEnvironmentPrefix(self, name): """ : param pyndn.Name name: The new root of the network namespace (network prefix) """ self._environmentPrefix = Name(name) def getEnvironmentPrefix(self): """ :return: The root of the network namespace :rtype: pyndn.Name """ return Name(self._environmentPrefix) def getDeviceIdentity(self): return self._deviceIdentity def setDeviceIdentity(self, identity): self._deviceIdentity = Name(identity) def hasRootCertificate(self): """ :return: Whether we've downloaded the controller's network certificate :rtype: boolean """ try: rootCertName = self._identityStorage.getDefaultCertificateNameForIdentity( self._trustRootIdentity) except SecurityException: return False try: rootCert = self._identityStorage.getCertificate(rootCertName) if rootCert is not None: return True finally: return False def hasRootSignedCertificate(self): """ :return: Whether we've received a network certificate from our controller :rtype: boolean """ try: myCertName = self._identityStorage.getDefaultCertificateNameForIdentity( self._deviceIdentity) myCert = self._identityStorage.getCertificate(myCertName) if self._trustRootIdentity.match( myCert.getSignature().getKeyLocator().getKeyName()): return True except SecurityException: pass return False def removeTrustRules(self): """ Resets the network prefix, device identity and trust root identity to empty values """ self.setDeviceIdentity(None) self.setTrustRootIdentity(None) self.setEnvironmentPrefix(None) self.updateTrustRules()
class IotPolicyManager(ConfigPolicyManager): def __init__(self, identityStorage, configFilename=None): """ :param pyndn.IdentityStorage: A class that stores signing identities and certificates. :param str configFilename: A configuration file specifying validation rules and network name settings. """ # use the default configuration where possible # TODO: use environment variable for this, fall back to default path = os.path.dirname(__file__) templateFilename = os.path.join(path, '.default.conf') self._configTemplate = BoostInfoParser() self._configTemplate.read(templateFilename) if configFilename is None: configFilename = templateFilename certificateCache = CertificateCache() super(IotPolicyManager, self).__init__(configFilename, certificateCache) self._identityStorage = identityStorage self.setEnvironmentPrefix(None) self.setTrustRootIdentity(None) self.setDeviceIdentity(None) def updateTrustRules(self): """ Should be called after either the device identity, trust root or network prefix is changed. Not called automatically in case they are all changing (typical for bootstrapping). Resets the validation rules if we don't have a trust root or environment """ validatorTree = self._configTemplate["validator"][0].clone() if (self._environmentPrefix.size() > 0 and self._trustRootIdentity.size() > 0 and self._deviceIdentity.size() > 0): # don't sneak in a bad identity if not self._environmentPrefix.match(self._deviceIdentity): raise SecurityException( "Device identity does not belong to configured network!") environmentUri = self._environmentPrefix.toUri() deviceUri = self._deviceIdentity.toUri() for rule in validatorTree["rule"]: ruleId = rule["id"][0].value if ruleId == 'Certificate Trust': #modify the 'Certificate Trust' rule rule["checker/key-locator/name"][0].value = environmentUri elif ruleId == 'Command Interests': rule["filter/name"][0].value = deviceUri rule["checker/key-locator/name"][0].value = environmentUri #debug for adding trust anchor # try: # validatorTree["trust-anchor"][0]["type"][0].value = "base64" # rootCertificate = self._identityStorage.getCertificate(self._identityStorage.getDefaultCertificateNameForIdentity(self._trustRootIdentity)) # validatorTree["trust-anchor"][0]["base64-string"][0].value = Blob(b64encode(rootCertificate.wireEncode().toBytes()), False).toRawStr() # except KeyError as e: # rootCertificate = self._identityStorage.getCertificate(self._identityStorage.getDefaultCertificateNameForIdentity(self._trustRootIdentity)) # treeNode = self.config._root.subtrees["validator"][0].createSubtree("trust-anchor") # # todo: change this! # treeNode.createSubtree("type", "file") # print Blob(b64encode(rootCertificate.wireEncode().toBytes()), False).toRawStr() # treeNode.createSubtree("file-name", "/home/zhehao/.ndn/.iot.root.cert") # self._loadTrustAnchorCertificates() #remove old validation rules from config # replace with new validator rules self.config._root.subtrees["validator"] = [validatorTree] def inferSigningIdentity(self, fromName): """ Used to map Data or Interest names to identitites. :param pyndn.Name fromName: The name of a Data or Interest packet """ # works if you have an IotIdentityStorage return self._identityStorage.inferIdentityForName(fromName) def setTrustRootIdentity(self, identityName): """ : param pyndn.Name identityName: The new identity to trust as the controller. """ self._trustRootIdentity = Name(identityName) def getTrustRootIdentity(self): """ : return pyndn.Name: The trusted controller's network name. """ return Name(self._trustRootIdentity) def setEnvironmentPrefix(self, name): """ : param pyndn.Name name: The new root of the network namespace (network prefix) """ self._environmentPrefix = Name(name) def getEnvironmentPrefix(self): """ :return: The root of the network namespace :rtype: pyndn.Name """ return Name(self._environmentPrefix) def getDeviceIdentity(self): return self._deviceIdentity def setDeviceIdentity(self, identity): self._deviceIdentity = Name(identity) def hasRootCertificate(self): """ :return: Whether we've downloaded the controller's network certificate :rtype: boolean """ try: rootCertName = self._identityStorage.getDefaultCertificateNameForIdentity( self._trustRootIdentity) except SecurityException: return False try: rootCert = self._identityStorage.getCertificate(rootCertName) if rootCert is not None: return True finally: return False def hasRootSignedCertificate(self): """ :return: Whether we've received a network certificate from our controller :rtype: boolean """ try: myCertName = self._identityStorage.getDefaultCertificateNameForIdentity( self._deviceIdentity) myCert = self._identityStorage.getCertificate(myCertName) if self._trustRootIdentity.match( myCert.getSignature().getKeyLocator().getKeyName()): return True except SecurityException: pass return False def removeTrustRules(self): """ Resets the network prefix, device identity and trust root identity to empty values """ self.setDeviceIdentity(None) self.setTrustRootIdentity(None) self.setEnvironmentPrefix(None) self.updateTrustRules()
def findDeviceIdMatching(self, matchPrefix): for d in self._deviceList: devName = Name(d.id) if devName.match(matchPrefix): return devName.toUri() return None