{
TALLOC_CTX *tmp_ctx=talloc_new(NULL);
struct tr_tids_fwd_cookie *args=talloc_get_type_abort(arg, struct tr_tids_fwd_cookie);
- TIDC_INSTANCE *tidc=tidc_create(tmp_ctx);
+ TIDC_INSTANCE *tidc=tidc_create();
TR_MQ_MSG *msg=NULL;
TR_RESP_COOKIE *cookie=NULL;
int rc=0;
talloc_steal(tmp_ctx, args); /* take responsibility for the cookie */
+ if (tidc!=NULL)
+ talloc_steal(tmp_ctx, tidc);
+
/* create the cookie we will use for our response */
cookie=talloc(tmp_ctx, TR_RESP_COOKIE);
if (cookie==NULL) {
return TID_SUCCESS;
}
+/**
+ * Process a TID request
+ *
+ * Return value of -1 means to send a TID_ERROR response. Fill in resp->err_msg or it will
+ * be returned as a generic error.
+ *
+ * @param tids
+ * @param orig_req
+ * @param resp
+ * @param cookie_in
+ * @return
+ */
static int tr_tids_req_handler(TIDS_INSTANCE *tids,
TID_REQ *orig_req,
TID_RESP *resp,
pthread_t aaa_thread[TR_TID_MAX_AAA_SERVERS];
struct tr_tids_fwd_cookie *aaa_cookie[TR_TID_MAX_AAA_SERVERS]={NULL};
TID_RESP *aaa_resp[TR_TID_MAX_AAA_SERVERS]={NULL};
+ TR_RP_CLIENT *rp_client=NULL;
+ TR_RP_CLIENT_ITER *rpc_iter=NULL;
TR_NAME *apc = NULL;
TID_REQ *fwd_req = NULL;
TR_COMM *cfg_comm = NULL;
TR_COMM *cfg_apc = NULL;
- int oaction = TR_FILTER_ACTION_REJECT;
+ TR_FILTER_ACTION oaction = TR_FILTER_ACTION_REJECT;
time_t expiration_interval=0;
struct tr_tids_event_cookie *cookie=talloc_get_type_abort(cookie_in, struct tr_tids_event_cookie);
TR_CFG_MGR *cfg_mgr=cookie->cfg_mgr;
unsigned int resp_frac_numer=cfg_mgr->active->internal->tid_resp_numer;
unsigned int resp_frac_denom=cfg_mgr->active->internal->tid_resp_denom;
TR_RESP_COOKIE *payload=NULL;
+ TR_FILTER_TARGET *target=NULL;
int ii=0;
int retval=-1;
tids->req_count++;
/* Duplicate the request, so we can modify and forward it */
- if (NULL == (fwd_req=tid_dup_req(tmp_ctx, orig_req))) {
+ if (NULL == (fwd_req=tid_dup_req(orig_req))) {
tr_debug("tr_tids_req_handler: Unable to duplicate request.");
- retval=-1;
+ retval=-1; /* response will be a generic internal error */
goto cleanup;
}
+ talloc_steal(tmp_ctx, fwd_req);
if (NULL == (cfg_comm=tr_comm_table_find_comm(cfg_mgr->active->ctable, orig_req->comm))) {
tr_notice("tr_tids_req_hander: Request for unknown comm: %s.", orig_req->comm->buf);
- tids_send_err_response(tids, orig_req, "Unknown community");
+ tid_resp_set_err_msg(resp, tr_new_name("Unknown community"));
retval=-1;
goto cleanup;
}
- /* Check that the rp_realm matches the filter for the GSS name that
- * was received. N.B. that tids->rp_gss was pointed at the correct
- * rp_client when we received its GSS name. It is only set within
- * the TIDS handler subprocess. */
+ /* We now need to apply the filters associated with the RP client handing us the request.
+ * It is possible (or even likely) that more than one client is associated with the GSS
+ * name we got from the authentication. We will apply all of them in an arbitrary order.
+ * For this to result in well-defined behavior, either only accept or only reject filter
+ * lines should be used, or a unique GSS name must be given for each RP realm. */
- if ((!tids->rp_gss) ||
- (!tids->rp_gss->filter)) {
+ if (!tids->gss_name) {
tr_notice("tr_tids_req_handler: No GSS name for incoming request.");
- tids_send_err_response(tids, orig_req, "No GSS name for request");
+ tid_resp_set_err_msg(resp, tr_new_name("No GSS name for request"));
+ retval=-1;
+ goto cleanup;
+ }
+
+ /* Keep original constraints, may add more from the filter. These will be added to orig_req as
+ * well. Need to verify that this is acceptable behavior, but it's what we've always done. */
+ fwd_req->cons=orig_req->cons;
+
+ target=tr_filter_target_tid_req(tmp_ctx, orig_req);
+ if (target==NULL) {
+ tr_crit("tid_req_handler: Unable to allocate filter target, cannot apply filter!");
+ tid_resp_set_err_msg(resp, tr_new_name("Incoming TID request filter error"));
retval=-1;
goto cleanup;
}
- if ((TR_FILTER_NO_MATCH == tr_filter_process_rp_permitted(orig_req->rp_realm,
- tids->rp_gss->filter,
- orig_req->cons,
- &fwd_req->cons,
- &oaction)) ||
- (TR_FILTER_ACTION_REJECT == oaction)) {
- tr_notice("tr_tids_req_handler: RP realm (%s) does not match RP Realm filter for GSS name", orig_req->rp_realm->buf);
- tids_send_err_response(tids, orig_req, "RP Realm filter error");
+ rpc_iter=tr_rp_client_iter_new(tmp_ctx);
+ if (rpc_iter==NULL) {
+ tr_err("tid_req_handler: Unable to allocate RP client iterator.");
retval=-1;
goto cleanup;
}
+ for (rp_client=tr_rp_client_iter_first(rpc_iter, cfg_mgr->active->rp_clients);
+ rp_client != NULL;
+ rp_client=tr_rp_client_iter_next(rpc_iter)) {
+
+ if (!tr_gss_names_matches(rp_client->gss_names, tids->gss_name))
+ continue; /* skip any that don't match the GSS name */
+
+ if (TR_FILTER_MATCH == tr_filter_apply(target,
+ tr_filter_set_get(rp_client->filters,
+ TR_FILTER_TYPE_TID_INBOUND),
+ &(fwd_req->cons),
+ &oaction))
+ break; /* Stop looking, oaction is set */
+ }
+
+ /* We get here whether or not a filter matched. If tr_filter_apply() doesn't match, it returns
+ * a default action of reject, so we don't have to check why we exited the loop. */
+ if (oaction != TR_FILTER_ACTION_ACCEPT) {
+ tr_notice("tr_tids_req_handler: Incoming TID request rejected by filter for GSS name", orig_req->rp_realm->buf);
+ tid_resp_set_err_msg(resp, tr_new_name("Incoming TID request filter error"));
+ retval = -1;
+ goto cleanup;
+ }
+
/* Check that the rp_realm is a member of the community in the request */
if (NULL == tr_comm_find_rp(cfg_mgr->active->ctable, cfg_comm, orig_req->rp_realm)) {
tr_notice("tr_tids_req_handler: RP Realm (%s) not member of community (%s).", orig_req->rp_realm->buf, orig_req->comm->buf);
- tids_send_err_response(tids, orig_req, "RP COI membership error");
+ tid_resp_set_err_msg(resp, tr_new_name("RP COI membership error"));
retval=-1;
goto cleanup;
}
if (orig_req->orig_coi!=NULL) {
tr_notice("tr_tids_req_handler: community %s is COI but COI to APC mapping already occurred. Dropping request.",
orig_req->comm->buf);
- tids_send_err_response(tids, orig_req, "Second COI to APC mapping would result, permitted only once.");
+ tid_resp_set_err_msg(resp, tr_new_name("Second COI to APC mapping would result, permitted only once."));
retval=-1;
goto cleanup;
}
/* TBD -- In theory there can be more than one? How would that work? */
if ((!cfg_comm->apcs) || (!cfg_comm->apcs->id)) {
tr_notice("No valid APC for COI %s.", orig_req->comm->buf);
- tids_send_err_response(tids, orig_req, "No valid APC for community");
+ tid_resp_set_err_msg(resp, tr_new_name("No valid APC for community"));
retval=-1;
goto cleanup;
}
/* Check that the APC is configured */
if (NULL == (cfg_apc = tr_comm_table_find_comm(cfg_mgr->active->ctable, apc))) {
tr_notice("tr_tids_req_hander: Request for unknown comm: %s.", apc->buf);
- tids_send_err_response(tids, orig_req, "Unknown APC");
+ tid_resp_set_err_msg(resp, tr_new_name("Unknown APC"));
retval=-1;
goto cleanup;
}
/* Check that rp_realm is a member of this APC */
if (NULL == (tr_comm_find_rp(cfg_mgr->active->ctable, cfg_apc, orig_req->rp_realm))) {
tr_notice("tr_tids_req_hander: RP Realm (%s) not member of community (%s).", orig_req->rp_realm->buf, orig_req->comm->buf);
- tids_send_err_response(tids, orig_req, "RP APC membership error");
+ tid_resp_set_err_msg(resp, tr_new_name("RP APC membership error"));
retval=-1;
goto cleanup;
}
tr_debug("tr_tids_req_handler: looking up route.");
route=trps_get_selected_route(trps, orig_req->comm, orig_req->realm);
if (route==NULL) {
- tr_notice("tr_tids_req_handler: no route table entry found for realm (%s) in community (%s).",
- orig_req->realm->buf, orig_req->comm->buf);
- tids_send_err_response(tids, orig_req, "Missing trust route error");
- retval=-1;
- goto cleanup;
- }
- tr_debug("tr_tids_req_handler: found route.");
- if (trp_route_is_local(route)) {
- tr_debug("tr_tids_req_handler: route is local.");
- aaa_servers = tr_idp_aaa_server_lookup(cfg_mgr->active->ctable->idp_realms,
- orig_req->realm,
- orig_req->comm,
- &idp_shared);
- } else {
- tr_debug("tr_tids_req_handler: route not local.");
- aaa_servers = tr_aaa_server_new(tmp_ctx, trp_route_get_next_hop(route));
- idp_shared=0;
- }
-
- /* Find the AAA server(s) for this request */
- if (NULL == aaa_servers) {
- tr_debug("tr_tids_req_handler: No AAA Servers for realm %s, defaulting.", orig_req->realm->buf);
- if (NULL == (aaa_servers = tr_default_server_lookup (cfg_mgr->active->default_servers,
- orig_req->comm))) {
+ /* No route. Use default AAA servers if we have them. */
+ tr_debug("tr_tids_req_handler: No route for realm %s, defaulting.", orig_req->realm->buf);
+ if (NULL == (aaa_servers = tr_default_server_lookup(cfg_mgr->active->default_servers,
+ orig_req->comm))) {
tr_notice("tr_tids_req_handler: No default AAA servers, discarded.");
- tids_send_err_response(tids, orig_req, "No path to AAA Server(s) for realm");
- retval=-1;
+ tid_resp_set_err_msg(resp, tr_new_name("No path to AAA Server(s) for realm"));
+ retval = -1;
goto cleanup;
}
- idp_shared=0;
+ idp_shared = 0;
} else {
- /* if we aren't defaulting, check idp coi and apc membership */
+ /* Found a route. Determine the AAA servers or next hop address. */
+ tr_debug("tr_tids_req_handler: found route.");
+ if (trp_route_is_local(route)) {
+ tr_debug("tr_tids_req_handler: route is local.");
+ aaa_servers = tr_idp_aaa_server_lookup(cfg_mgr->active->ctable->idp_realms,
+ orig_req->realm,
+ orig_req->comm,
+ &idp_shared);
+ } else {
+ tr_debug("tr_tids_req_handler: route not local.");
+ aaa_servers = tr_aaa_server_new(tmp_ctx, trp_route_get_next_hop(route));
+ idp_shared = 0;
+ }
+
+ /* Since we aren't defaulting, check idp coi and apc membership */
if (NULL == (tr_comm_find_idp(cfg_mgr->active->ctable, cfg_comm, fwd_req->realm))) {
tr_notice("tr_tids_req_handler: IDP Realm (%s) not member of community (%s).", orig_req->realm->buf, orig_req->comm->buf);
- tids_send_err_response(tids, orig_req, "IDP community membership error");
+ tid_resp_set_err_msg(resp, tr_new_name("IDP community membership error"));
retval=-1;
goto cleanup;
}
if ( cfg_apc && (NULL == (tr_comm_find_idp(cfg_mgr->active->ctable, cfg_apc, fwd_req->realm)))) {
tr_notice("tr_tids_req_handler: IDP Realm (%s) not member of APC (%s).", orig_req->realm->buf, orig_req->comm->buf);
- tids_send_err_response(tids, orig_req, "IDP APC membership error");
+ tid_resp_set_err_msg(resp, tr_new_name("IDP APC membership error"));
retval=-1;
goto cleanup;
}
}
+ /* Make sure we came through with a AAA server. If not, we can't handle the request. */
+ if (NULL == aaa_servers) {
+ tr_notice("tr_tids_req_handler: no route or AAA server for realm (%s) in community (%s).",
+ orig_req->realm->buf, orig_req->comm->buf);
+ tid_resp_set_err_msg(resp, tr_new_name("Missing trust route error"));
+ retval = -1;
+ goto cleanup;
+ }
+
/* send a TID request to the AAA server(s), and get the answer(s) */
tr_debug("tr_tids_req_handler: sending TID request(s).");
if (cfg_apc)
aaa_cookie[n_aaa]->mq=mq;
aaa_cookie[n_aaa]->aaa_hostname=tr_dup_name(this_aaa->hostname);
aaa_cookie[n_aaa]->dh_params=tr_dh_dup(orig_req->tidc_dh);
- aaa_cookie[n_aaa]->fwd_req=tid_dup_req(aaa_cookie[n_aaa], fwd_req);
+ aaa_cookie[n_aaa]->fwd_req=tid_dup_req(fwd_req);
+ talloc_steal(aaa_cookie[n_aaa], aaa_cookie[n_aaa]->fwd_req);
tr_debug("tr_tids_req_handler: cookie %d initialized.", n_aaa);
/* Take the cookie out of tmp_ctx before starting thread. If thread starts, it becomes
}
if (n_responses==0) {
- /* No requests succeeded. Forward an error if we got any error responses. */
+ /* No requests succeeded, so this will be an error */
+ retval = -1;
+
+ /* If we got any error responses, send an arbitrarily chosen one. */
for (ii=0; ii<n_aaa; ii++) {
- if (aaa_resp[ii]!=NULL)
- tids_send_response(tids, orig_req, aaa_resp[ii]);
- else
- tids_send_err_response(tids, orig_req, "Unable to contact AAA server(s).");
+ if (aaa_resp[ii] != NULL) {
+ tid_resp_cpy(resp, aaa_resp[ii]);
+ goto cleanup;
+ }
}
+ /* No error responses at all, so generate our own error. */
+ tid_resp_set_err_msg(resp, tr_new_name("Unable to contact AAA server(s)."));
+ goto cleanup;
}
/* success! */
static int tr_tids_gss_handler(gss_name_t client_name, TR_NAME *gss_name,
void *data)
{
- TR_RP_CLIENT *rp;
struct tr_tids_event_cookie *cookie=talloc_get_type_abort(data, struct tr_tids_event_cookie);
TIDS_INSTANCE *tids = cookie->tids;
TR_CFG_MGR *cfg_mgr = cookie->cfg_mgr;
return -1;
}
- /* look up the RP client matching the GSS name */
- if ((NULL == (rp = tr_rp_client_lookup(cfg_mgr->active->rp_clients, gss_name)))) {
- tr_debug("tr_tids_gss_handler: Unknown GSS name %s", gss_name->buf);
+ /* Ensure at least one client exists using this GSS name */
+ if (NULL == tr_rp_client_lookup(cfg_mgr->active->rp_clients, gss_name)) {
+ tr_debug("tr_tids_gss_handler: Unknown GSS name %.*s", gss_name->len, gss_name->buf);
return -1;
}
- /* Store the rp client */
- tids->rp_gss = rp;
- tr_debug("Client's GSS Name: %s", gss_name->buf);
+ /* Store the GSS name */
+ tids->gss_name = tr_dup_name(gss_name);
+ tr_debug("Client's GSS Name: %.*s", gss_name->len, gss_name->buf);
return 0;
}
TALLOC_CTX *tmp_ctx=talloc_new(NULL);
struct tr_tids_event_cookie *cookie=NULL;
int retval=0;
- size_t ii=0;
+ int ii=0;
if (tids_ev == NULL) {
tr_debug("tr_tids_event_init: Null tids_ev.");
talloc_steal(tids, cookie);
/* get a tids listener */
- tids_ev->n_sock_fd=tids_get_listener(tids,
- tr_tids_req_handler,
- tr_tids_gss_handler,
- cfg_mgr->active->internal->hostname,
- cfg_mgr->active->internal->tids_port,
- (void *)cookie,
- tids_ev->sock_fd,
- TR_MAX_SOCKETS);
+ tids_ev->n_sock_fd = (int)tids_get_listener(tids,
+ tr_tids_req_handler,
+ tr_tids_gss_handler,
+ cfg_mgr->active->internal->hostname,
+ cfg_mgr->active->internal->tids_port,
+ (void *)cookie,
+ tids_ev->sock_fd,
+ TR_MAX_SOCKETS);
if (tids_ev->n_sock_fd==0) {
tr_crit("Error opening TID server socket.");
retval=1;