GCC Code Coverage Report

Directory: cvmfs/
File: cvmfs/whitelist.h
Date: 2025-10-19 02:35:28
Exec Total Coverage
Lines: 18 19 94.7%
Branches: 0 0 -%
Line Branch Exec Source
1 /**
2 * This file is part of the CernVM File System.
3 */
4
5 #ifndef CVMFS_WHITELIST_H_
6 #define CVMFS_WHITELIST_H_
7
8 #include "duplex_testing.h"
9 #include <inttypes.h>
10
11 #include <ctime>
12 #include <string>
13 #include <vector>
14
15 #include "crypto/hash.h"
16
17 namespace download {
18 class DownloadManager;
19 }
20
21 namespace signature {
22 class SignatureManager;
23 }
24
25
26 namespace whitelist {
27
28 enum Failures {
29 kFailOk = 0,
30 kFailLoad,
31 kFailEmpty,
32 kFailMalformed,
33 kFailNameMismatch,
34 kFailExpired,
35 kFailBadSignature,
36 kFailLoadPkcs7,
37 kFailEmptyPkcs7,
38 kFailMalformedPkcs7,
39 kFailBadSignaturePkcs7,
40 kFailBadPkcs7,
41 kFailBadCaChain,
42 kFailNotListed,
43 kFailBlacklisted,
44
45 kFailNumEntries
46 };
47
48
49 86 inline const char *Code2Ascii(const Failures error) {
50 const char *texts[kFailNumEntries + 1];
51 86 texts[0] = "OK";
52 86 texts[1] = "failed to download whitelist";
53 86 texts[2] = "empty whitelist";
54 86 texts[3] = "malformed whitelist";
55 86 texts[4] = "repository name mismatch on whitelist";
56 86 texts[5] = "expired whitelist";
57 86 texts[6] = "invalid whitelist signature";
58 86 texts[7] = "failed to download whitelist (pkcs7)";
59 86 texts[8] = "empty whitelist (pkcs7)";
60 86 texts[9] = "malformed whitelist (pkcs7)";
61 86 texts[10] = "invalid whitelist signer (pkcs7)";
62 86 texts[11] = "invalid whitelist (pkcs7)";
63 86 texts[12] = "failed to verify CA chain";
64 86 texts[13] = "certificate not on whitelist";
65 86 texts[14] = "certificate blacklisted";
66 86 texts[15] = "no text";
67 86 return texts[error];
68 }
69
70
71 class Whitelist {
72 FRIEND_TEST(T_Whitelist, ParseWhitelist);
73
74 public:
75 enum Status {
76 kStNone,
77 kStAvailable,
78 };
79
80 static std::string CreateString(
81 const std::string &fqrn,
82 int validity_days,
83 shash::Algorithms hash_algorithm,
84 signature::SignatureManager *signature_manager);
85
86 Whitelist(const std::string &fqrn,
87 download::DownloadManager *download_manager,
88 signature::SignatureManager *signature_manager);
89 ~Whitelist();
90 explicit Whitelist(const Whitelist &other);
91 Whitelist &operator=(const Whitelist &other);
92 Failures LoadUrl(const std::string &base_url);
93 Failures LoadMem(const std::string &whitelist);
94
95 void CopyBuffers(unsigned *plain_size, unsigned char **plain_buf,
96 unsigned *pkcs7_size, unsigned char **pkcs7_buf) const;
97 time_t expires() const;
98 bool IsExpired() const;
99 Failures VerifyLoadedCertificate() const;
100
101 std::string ExportString() const;
102
103 Status status() const { return status_; }
104
105 private:
106 Whitelist();
107
108 static const int kFlagVerifyRsa;
109 static const int kFlagVerifyPkcs7;
110 static const int kFlagVerifyCaChain;
111
112 bool IsBefore(time_t now, const struct tm &t_whitelist);
113 Failures VerifyWhitelist();
114 Failures ParseWhitelist(const unsigned char *whitelist,
115 const unsigned whitelist_size);
116 void Reset();
117
118 std::string fqrn_;
119 download::DownloadManager *download_manager_;
120 signature::SignatureManager *signature_manager_;
121
122 Status status_;
123 std::vector<shash::Any> fingerprints_;
124 time_t expires_;
125 int verification_flags_;
126 unsigned char *plain_buf_;
127 unsigned plain_size_;
128 unsigned char *pkcs7_buf_;
129 unsigned pkcs7_size_;
130 };
131
132 } // namespace whitelist
133
134 #endif // CVMFS_WHITELIST_H_
135