Task #3289

closed

Validator Refactoring

Added by Yingdi Yu about 9 years ago. Updated over 7 years ago.

Status: Closed
Priority: Normal
Category: Security
Target version:
Start date: 10/26/2015
Due date:
% Done: 100%
Estimated time: (Total: 0.00 h)

Description

We have several features and issues about Validator, which are more or less coupled.

We can take this opportunity to refactor Validator to make it simple and modular.

An ideal Validator should consist of three parts:

  • a policy checker which determines if a packet complies with the trust model;
  • key/cert retrieval from cache, trust anchor and network;
  • a list of active validation instances, each of which tracks the validation of an original packet.

The top-level class Validator defines the inter-operations between these modules, and a virtual interface for others to implement detailed features.

class Validator {
public:
  /** @brief Construct a Validator using @p face
   *    
   *  The policy checking module is implemented as checkPolicy method
   *  The instance management is internally managed by InstancePool
   *  @param enableLoopDetection Enable loop detection if true
   */
  Validator(Face* face, bool enableLoopDetection = false);

  /// @brief Validate data, invoke @p succeed if validated, otherwise invoke @p fail
  void
  validate(const Data& data, const SuccessCallback& succeed, const FailureCallback& fail) 
  {
    auto instance = m_instancePool.allocate(data, succeed, fail);
    // the protected overload returns void, so there is nothing to assign
    validate(data, instance.succeed, instance.fail, instance.id);
  }

  /// @brief Validate interest, invoke @p succeed if validated, otherwise invoke @p fail
  void
  validate(const Interest& interest, const SuccessCallback& succeed, const FailureCallback& fail)
  {
    auto instance = m_instancePool.allocate(interest, succeed, fail);
    // the protected overload returns void, so there is nothing to assign
    validate(interest, instance.succeed, instance.fail, instance.id);
  }

protected:
  /** @brief Validate data, invoke @p succeed if validated, otherwise invoke @p fail, 
   *  @param id The id of validation instance.
   */
  template<typename Packet> void
  validate(const Packet& packet, const SuccessCallback& succeed, const FailureCallback& fail, uint32_t id)
  {
    list<KeyRequest> reqs = checkPolicy(packet, succeed, fail, id);

    // retrieve keys
    for (const auto& req : reqs)
      if (m_enableLoopDetection && m_instancePool.isLoopDetected(id, req)) 
        req.FailureCallback();
      else {
        // retrieve keys...
        auto cert = RetrieveTrustedKey(req);
        if (cert != nullptr)
          RetrievalSuccessCallback(cert);
        else
          RetrieveCertificate(req);
      }
  }

private:
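  /// @brief Check data against the trust model, return the key requests to retrieve
  virtual list<KeyRequest>
  checkPolicy(const Data& data, const SuccessCallback& succeed, const FailureCallback& fail, uint32_t id) = 0;

  /// @brief Check interest against the trust model, return the key requests to retrieve
  virtual list<KeyRequest>
  checkPolicy(const Interest& interest, const SuccessCallback& succeed, const FailureCallback& fail, uint32_t id) = 0;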

protected: 
  // key management;
  TrustAnchorContainer m_anchorCache;
  CertificateCache m_verifiedKeyCache;
  Cache m_unVerifiedKeyCache;

private:
  Face* m_face;

  // loop detection mode
  bool m_enableLoopDetection;

  // instance management;
  InstancePool m_instancePool;
};
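
The loop detection that the sketch delegates to `m_instancePool.isLoopDetected(id, req)` can be illustrated as follows. This is an added example, not code from the issue or from ndn-cxx: the internals of `InstancePool`, the `Result` enum, `validateChain`, and the key names are assumptions, and a constructed signer map stands in for certificate retrieval.

```cpp
#include <cstdint>
#include <map>
#include <set>
#include <string>

// Hypothetical stand-in for the InstancePool named in the sketch; the
// issue does not define its internals.
class InstancePool {
public:
  // Start tracking the validation of one original packet.
  uint32_t allocate() { m_requested[m_nextId]; return m_nextId++; }

  // True if this instance has already requested keyName, i.e. the chain
  // has cycled back on itself. Otherwise record the request.
  bool isLoopDetected(uint32_t id, const std::string& keyName) {
    return !m_requested[id].insert(keyName).second;
  }

  void release(uint32_t id) { m_requested.erase(id); }

private:
  uint32_t m_nextId = 1;
  std::map<uint32_t, std::set<std::string>> m_requested;
};

enum class Result { Trusted, LoopDetected, MissingCertificate };

// Walk the signer chain from firstKey. `signerOf` maps a key name to the
// name of the key that signed its certificate (constructed sample data in
// place of network retrieval); `anchors` plays the trust anchor container.
Result validateChain(InstancePool& pool, const std::string& firstKey,
                     const std::map<std::string, std::string>& signerOf,
                     const std::set<std::string>& anchors) {
  uint32_t id = pool.allocate();
  Result result = Result::MissingCertificate;
  std::string key = firstKey;
  while (true) {
    if (anchors.count(key)) { result = Result::Trusted; break; }
    if (pool.isLoopDetected(id, key)) { result = Result::LoopDetected; break; }
    auto it = signerOf.find(key);
    if (it == signerOf.end()) break;  // certificate could not be retrieved
    key = it->second;
  }
  pool.release(id);
  return result;
}
```

Without the per-instance record, two certificates that name each other as signer would keep a validation instance fetching keys indefinitely; with it, the instance fails on the first repeated request.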

Subtasks 2 (0 open, 2 closed)

Task #3292: Design and Implement TrustAnchorContainer (Closed, Alex Afanasyev, 10/26/2015)
Task #3317: Design and Implement validator::CertificateCache (Closed, Alex Afanasyev, 11/04/2015)

Related issues 2 (0 open, 2 closed)

Related to ndn-cxx - Task #3920: Convert existing validator implementations to v2::Validator (Closed, Zhiyi Zhang)
Blocks NFD - Feature #2237: Remote prefix registration: fetch certificates from requester (Closed, Zhiyi Zhang)