2 * Copyright (c) 2012-2018, JANET(UK)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of JANET(UK) nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
23 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
24 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
25 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
26 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
27 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
29 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
30 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
31 * OF THE POSSIBILITY OF SUCH DAMAGE.
41 #include <tr_cfgwatch.h>
43 #include <tr_config.h>
44 #include <tr_gss_names.h>
46 #include <tr_filter.h>
47 #include <trust_router/tr_constraint.h>
50 #include <trust_router/trp.h>
52 #if JANSSON_VERSION_HEX < 0x020500
53 #include "jansson_iterators.h"
56 TR_AAA_SERVER *tr_cfg_parse_one_aaa_server(TALLOC_CTX *mem_ctx, json_t *jaddr, TR_CFG_RC *rc)
58 TALLOC_CTX *tmp_ctx = talloc_new(NULL);
59 TR_AAA_SERVER *aaa = NULL;
61 if ((!jaddr) || (!json_is_string(jaddr))) {
62 tr_debug("tr_cfg_parse_one_aaa_server: Bad parameters.");
63 *rc = TR_CFG_BAD_PARAMS;
67 aaa = tr_aaa_server_from_string(mem_ctx, json_string_value(jaddr));
69 tr_debug("tr_cfg_parse_one_aaa_server: Out of memory allocating AAA server.");
74 if (tr_aaa_server_get_hostname(aaa)->len == 0) {
75 tr_debug("tr_cfg_parse_one_aaa_server: Invalid hostname for AAA server (%s)",
76 json_string_value(jaddr));
81 if ((tr_aaa_server_get_port(aaa) <= 0)
82 || (tr_aaa_server_get_port(aaa) > 65535)) {
83 tr_debug("tr_cfg_parse_one_aaa_server: Invalid AAA server port (%s)",
84 json_string_value(jaddr));
91 talloc_steal(mem_ctx, aaa);
94 if (*rc != TR_CFG_SUCCESS)
100 static TR_AAA_SERVER *tr_cfg_parse_aaa_servers(TALLOC_CTX *mem_ctx, json_t *jaaas, TR_CFG_RC *rc)
102 TALLOC_CTX *tmp_ctx=NULL;
103 TR_AAA_SERVER *aaa = NULL;
104 TR_AAA_SERVER *temp_aaa = NULL;
107 for (i = 0; i < json_array_size(jaaas); i++) {
108 /* rc gets set in here */
109 if (NULL == (temp_aaa = tr_cfg_parse_one_aaa_server(tmp_ctx, json_array_get(jaaas, i), rc))) {
110 talloc_free(tmp_ctx);
113 /* TBD -- IPv6 addresses */
114 // tr_debug("tr_cfg_parse_aaa_servers: Configuring AAA Server: ip_addr = %s.", inet_ntoa(temp_aaa->aaa_server_addr));
115 temp_aaa->next = aaa;
118 tr_debug("tr_cfg_parse_aaa_servers: Finished (rc=%d)", *rc);
120 for (temp_aaa=aaa; temp_aaa!=NULL; temp_aaa=temp_aaa->next)
121 talloc_steal(mem_ctx, temp_aaa);
122 talloc_free(tmp_ctx);
126 static TR_APC *tr_cfg_parse_one_apc(TALLOC_CTX *mem_ctx, json_t *japc, TR_CFG_RC *rc)
131 *rc = TR_CFG_SUCCESS; /* presume success */
133 if ((!japc) || (!rc) || (!json_is_string(japc))) {
134 tr_debug("tr_cfg_parse_one_apc: Bad parameters.");
136 *rc = TR_CFG_BAD_PARAMS;
140 apc=tr_apc_new(mem_ctx);
142 tr_debug("tr_cfg_parse_one_apc: Out of memory.");
147 name=tr_new_name(json_string_value(japc));
149 tr_debug("tr_cfg_parse_one_apc: No memory for APC name.");
154 tr_apc_set_id(apc, name); /* apc is now responsible for freeing the name */
159 TR_APC *tr_cfg_parse_apcs(TALLOC_CTX *mem_ctx, json_t *japcs, TR_CFG_RC *rc)
161 TALLOC_CTX *tmp_ctx=talloc_new(NULL);
163 TR_APC *new_apc=NULL;
165 TR_CFG_RC call_rc=TR_CFG_ERROR;
167 *rc = TR_CFG_SUCCESS; /* presume success */
169 if ((!japcs) || (!rc) || (!json_is_array(japcs))) {
170 tr_debug("tr_cfg_parse_one_apc: Bad parameters.");
172 *rc = TR_CFG_BAD_PARAMS;
176 for (ii=0; ii<json_array_size(japcs); ii++) {
177 new_apc=tr_cfg_parse_one_apc(tmp_ctx, json_array_get(japcs, ii), &call_rc);
178 if ((call_rc!=TR_CFG_SUCCESS) || (new_apc==NULL)) {
179 tr_debug("tr_cfg_parse_apcs: Error parsing APC %d.", ii+1);
183 tr_apc_add(apcs, new_apc);
186 talloc_steal(mem_ctx, apcs);
190 talloc_free(tmp_ctx);
194 static TR_NAME *tr_cfg_parse_name(TALLOC_CTX *mem_ctx, json_t *jname, TR_CFG_RC *rc)
199 if ((jname==NULL) || (!json_is_string(jname))) {
200 tr_err("tr_cfg_parse_name: name missing or not a string");
201 *rc=TR_CFG_BAD_PARAMS;
204 name=tr_new_name(json_string_value(jname));
206 tr_err("tr_cfg_parse_name: could not allocate name");
215 static int tr_cfg_parse_shared_config(json_t *jsc, TR_CFG_RC *rc)
217 const char *shared=NULL;
221 (!json_is_string(jsc)) ||
222 (NULL==(shared=json_string_value(jsc)))) {
223 *rc=TR_CFG_BAD_PARAMS;
227 if (0==strcmp(shared, "no"))
229 else if (0==strcmp(shared, "yes"))
232 /* any other value is an error */
233 tr_debug("tr_cfg_parse_shared_config: invalid shared_config value \"%s\" (should be \"yes\" or \"no\")",
239 static TR_REALM_ORIGIN tr_cfg_realm_origin(json_t *jrealm)
241 json_t *jremote=json_object_get(jrealm, "remote");
245 return TR_REALM_LOCAL;
246 if (!json_is_string(jremote)) {
247 tr_warning("tr_cfg_realm_origin: \"remote\" is not a string, assuming this is a local realm.");
248 return TR_REALM_LOCAL;
250 s=json_string_value(jremote);
251 if (strcasecmp(s, "yes")==0)
252 return TR_REALM_REMOTE_INCOMPLETE;
253 else if (strcasecmp(s, "no")!=0)
254 tr_warning("tr_cfg_realm_origin: \"remote\" is neither 'yes' nor 'no', assuming this is a local realm.");
256 return TR_REALM_LOCAL;
259 /* Parse the identity provider object from a realm and fill in the given TR_IDP_REALM. */
260 static TR_CFG_RC tr_cfg_parse_idp(TR_IDP_REALM *idp, json_t *jidp)
262 TALLOC_CTX *tmp_ctx=talloc_new(NULL);
264 TR_AAA_SERVER *aaa=NULL;
265 TR_CFG_RC rc=TR_CFG_ERROR;
270 idp->shared_config=tr_cfg_parse_shared_config(json_object_get(jidp, "shared_config"), &rc);
271 if (rc!=TR_CFG_SUCCESS) {
272 tr_err("tr_cfg_parse_idp: missing or malformed shared_config specification");
277 apcs=tr_cfg_parse_apcs(tmp_ctx, json_object_get(jidp, "apcs"), &rc);
278 if ((rc!=TR_CFG_SUCCESS) || (apcs==NULL)) {
279 tr_err("tr_cfg_parse_idp: unable to parse APC");
284 aaa=tr_cfg_parse_aaa_servers(idp, json_object_get(jidp, "aaa_servers"), &rc);
285 if (rc!=TR_CFG_SUCCESS) {
286 tr_err("tr_cfg_parse_idp: unable to parse AAA servers");
291 tr_debug("tr_cfg_parse_idp: APC=\"%.*s\"",
295 /* done, fill in the idp structures */
297 talloc_steal(idp, apcs);
298 idp->aaa_servers=aaa;
302 if (rc!=TR_CFG_SUCCESS) {
306 tr_aaa_server_free(aaa);
309 talloc_free(tmp_ctx);
313 /* parses idp realm */
314 static TR_IDP_REALM *tr_cfg_parse_one_idp_realm(TALLOC_CTX *mem_ctx, json_t *jrealm, TR_CFG_RC *rc)
316 TALLOC_CTX *tmp_ctx=talloc_new(NULL);
317 TR_IDP_REALM *realm=NULL;
318 TR_CFG_RC call_rc=TR_CFG_ERROR;
320 *rc=TR_CFG_ERROR; /* default to error if not set */
322 if ((!jrealm) || (!rc)) {
323 tr_err("tr_cfg_parse_one_idp_realm: Bad parameters.");
325 *rc=TR_CFG_BAD_PARAMS;
329 if (NULL==(realm=tr_idp_realm_new(tmp_ctx))) {
330 tr_err("tr_cfg_parse_one_idp_realm: could not allocate idp realm.");
335 realm->origin=tr_cfg_realm_origin(jrealm);
336 if (realm->origin!=TR_REALM_LOCAL) {
337 tr_debug("tr_cfg_parse_one_idp_realm: realm is remote, should not have full IdP info.");
342 /* must have a name */
343 realm->realm_id=tr_cfg_parse_name(realm,
344 json_object_get(jrealm, "realm"),
346 if ((call_rc!=TR_CFG_SUCCESS) || (realm->realm_id==NULL)) {
347 tr_err("tr_cfg_parse_one_idp_realm: could not parse realm name");
351 tr_debug("tr_cfg_parse_one_idp_realm: realm_id=\"%.*s\"",
352 realm->realm_id->len,
353 realm->realm_id->buf);
355 call_rc=tr_cfg_parse_idp(realm, json_object_get(jrealm, "identity_provider"));
356 if (call_rc!=TR_CFG_SUCCESS) {
357 tr_err("tr_cfg_parse_one_idp_realm: could not parse identity_provider.");
365 if (*rc==TR_CFG_SUCCESS)
366 talloc_steal(mem_ctx, realm);
372 talloc_free(tmp_ctx);
376 /* Determine whether the realm is an IDP realm */
377 static int tr_cfg_is_idp_realm(json_t *jrealm)
379 /* If a realm spec contains an identity_provider, it's an IDP realm. */
380 if (NULL != json_object_get(jrealm, "identity_provider"))
386 static TR_IDP_REALM *tr_cfg_parse_one_remote_realm(TALLOC_CTX *mem_ctx, json_t *jrealm, TR_CFG_RC *rc)
388 TALLOC_CTX *tmp_ctx=talloc_new(NULL);
389 TR_IDP_REALM *realm=talloc(mem_ctx, TR_IDP_REALM);
391 *rc=TR_CFG_ERROR; /* default to error if not set */
393 if ((!jrealm) || (!rc)) {
394 tr_err("tr_cfg_parse_one_remote_realm: Bad parameters.");
396 *rc=TR_CFG_BAD_PARAMS;
400 if (NULL==(realm=tr_idp_realm_new(tmp_ctx))) {
401 tr_err("tr_cfg_parse_one_remote_realm: could not allocate idp realm.");
406 /* must have a name */
407 realm->realm_id=tr_cfg_parse_name(realm,
408 json_object_get(jrealm, "realm"),
410 if ((*rc!=TR_CFG_SUCCESS) || (realm->realm_id==NULL)) {
411 tr_err("tr_cfg_parse_one_remote_realm: could not parse realm name");
415 tr_debug("tr_cfg_parse_one_remote_realm: realm_id=\"%.*s\"",
416 realm->realm_id->len,
417 realm->realm_id->buf);
419 realm->origin=tr_cfg_realm_origin(jrealm);
423 if (*rc==TR_CFG_SUCCESS)
424 talloc_steal(mem_ctx, realm);
430 talloc_free(tmp_ctx);
434 static int tr_cfg_is_remote_realm(json_t *jrealm)
436 return (tr_cfg_realm_origin(jrealm)!=TR_REALM_LOCAL);
439 /* Parse any idp realms in the j_realms object. Ignores other realm types. */
440 TR_IDP_REALM *tr_cfg_parse_idp_realms(TALLOC_CTX *mem_ctx, json_t *jrealms, TR_CFG_RC *rc)
442 TALLOC_CTX *tmp_ctx=talloc_new(NULL);
443 TR_IDP_REALM *realms=NULL;
444 TR_IDP_REALM *new_realm=NULL;
445 json_t *this_jrealm=NULL;
449 if ((jrealms==NULL) || (!json_is_array(jrealms))) {
450 tr_err("tr_cfg_parse_idp_realms: realms not an array");
451 *rc=TR_CFG_BAD_PARAMS;
455 for (ii=0; ii<json_array_size(jrealms); ii++) {
456 this_jrealm=json_array_get(jrealms, ii);
457 if (tr_cfg_is_idp_realm(this_jrealm)) {
458 new_realm=tr_cfg_parse_one_idp_realm(tmp_ctx, this_jrealm, rc);
459 if ((*rc)!=TR_CFG_SUCCESS) {
460 tr_err("tr_cfg_parse_idp_realms: error decoding realm entry %d", ii+1);
464 tr_idp_realm_add(realms, new_realm);
465 } else if (tr_cfg_is_remote_realm(this_jrealm)) {
466 new_realm=tr_cfg_parse_one_remote_realm(tmp_ctx, this_jrealm, rc);
467 if ((*rc)!=TR_CFG_SUCCESS) {
468 tr_err("tr_cfg_parse_idp_realms: error decoding remote realm entry %d", ii+1);
472 tr_idp_realm_add(realms, new_realm);
477 talloc_steal(mem_ctx, realms);
480 talloc_free(tmp_ctx);