+ /* Duplicate the request, so we can modify and forward it */
+ if (NULL == (fwd_req = tid_dup_req(orig_req))) {
+ tr_debug("tr_tids_req_handler: Unable to duplicate request.");
+ return -1;
+ }
+
+ if (NULL == (cfg_comm = tr_comm_lookup(tids->cookie, orig_req->comm))) {
+ tr_notice("tr_tids_req_hander: Request for unknown comm: %s.", orig_req->comm->buf);
+ tids_send_err_response(tids, orig_req, "Unknown community");
+ return -1;
+ }
+
+ /* Check that the rp_realm matches the filter for the GSS name that
+ * was received. */
+
+ if ((!(tr)->rp_gss) ||
+ (!(tr)->rp_gss->filter)) {
+ tr_notice("tr_tids_req_handler: No GSS name for incoming request.");
+ tids_send_err_response(tids, orig_req, "No GSS name for request");
+ return -1;
+ }
+
+ if ((TR_FILTER_NO_MATCH == tr_filter_process_rp_permitted(orig_req->rp_realm, (tr)->rp_gss->filter, orig_req->cons, &fwd_req->cons, &oaction)) ||
+ (TR_FILTER_ACTION_REJECT == oaction)) {
+ tr_notice("tr_tids_req_handler: RP realm (%s) does not match RP Realm filter for GSS name", orig_req->rp_realm->buf);
+ tids_send_err_response(tids, orig_req, "RP Realm filter error");
+ return -1;
+ }
+ /* Check that the rp_realm is a member of the community in the request */
+ if (NULL == (tr_find_comm_rp(cfg_comm, orig_req->rp_realm))) {
+ tr_notice("tr_tids_req_handler: RP Realm (%s) not member of community (%s).", orig_req->rp_realm->buf, orig_req->comm->buf);
+ tids_send_err_response(tids, orig_req, "RP COI membership error");
+ return -1;
+ }
+
+ /* Map the comm in the request from a COI to an APC, if needed */
+ if (TR_COMM_COI == cfg_comm->type) {
+ tr_debug("tr_tids_req_handler: Community was a COI, switching.");
+ /* TBD -- In theory there can be more than one? How would that work? */
+ if ((!cfg_comm->apcs) || (!cfg_comm->apcs->id)) {
+ tr_notice("No valid APC for COI %s.", orig_req->comm->buf);
+ tids_send_err_response(tids, orig_req, "No valid APC for community");
+ return -1;
+ }
+ apc = tr_dup_name(cfg_comm->apcs->id);
+
+ /* Check that the APC is configured */
+ if (NULL == (cfg_apc = tr_comm_lookup(tids->cookie, apc))) {
+ tr_notice("tr_tids_req_hander: Request for unknown comm: %s.", apc->buf);
+ tids_send_err_response(tids, orig_req, "Unknown APC");
+ return -1;
+ }
+
+ fwd_req->comm = apc;
+ fwd_req->orig_coi = orig_req->comm;
+
+ /* Check that rp_realm is a member of this APC */
+ if (NULL == (tr_find_comm_rp(cfg_apc, orig_req->rp_realm))) {
+ tr_notice("tr_tids_req_hander: RP Realm (%s) not member of community (%s).", orig_req->rp_realm->buf, orig_req->comm->buf);
+ tids_send_err_response(tids, orig_req, "RP APC membership error");
+ return -1;
+ }
+ }
+
+ /* Find the AAA server(s) for this request */
+ if (NULL == (aaa_servers = tr_idp_aaa_server_lookup((TR_INSTANCE *)tids->cookie,
+ orig_req->realm,
+ orig_req->comm))) {
+ tr_debug("tr_tids_req_handler: No AAA Servers for realm %s, defaulting.", orig_req->realm->buf);
+ if (NULL == (aaa_servers = tr_default_server_lookup ((TR_INSTANCE *)tids->cookie,
+ orig_req->comm))) {
+ tr_notice("tr_tids_req_handler: No default AAA servers, discarded.");
+ tids_send_err_response(tids, orig_req, "No path to AAA Server(s) for realm");
+ return -1;
+ }
+ } else {
+ /* if we aren't defaulting, check idp coi and apc membership */
+ if (NULL == (tr_find_comm_idp(cfg_comm, fwd_req->realm))) {
+ tr_notice("tr_tids_req_handler: IDP Realm (%s) not member of community (%s).", orig_req->realm->buf, orig_req->comm->buf);
+ tids_send_err_response(tids, orig_req, "IDP community membership error");
+ return -1;
+ }
+ if ( cfg_apc && (NULL == (tr_find_comm_idp(cfg_apc, fwd_req->realm)))) {
+ tr_notice("tr_tids_req_handler: IDP Realm (%s) not member of APC (%s).", orig_req->realm->buf, orig_req->comm->buf);
+ tids_send_err_response(tids, orig_req, "IDP APC membership error");
+ return -1;
+ }