2 * Copyright (c) 2012, 2015, JANET(UK)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of JANET(UK) nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
23 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
24 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
25 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
26 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
27 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
29 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
30 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
31 * OF THE POSSIBILITY OF SUCH DAMAGE.
41 #include <sys/socket.h>
47 #include <tid_internal.h>
51 #include <tr_socket.h>
55 static TID_RESP *tids_create_response(TALLOC_CTX *mem_ctx, TIDS_INSTANCE *tids, TID_REQ *req)
60 if (NULL == (resp = tid_resp_new(mem_ctx))) {
61 tr_crit("tids_create_response: Error allocating response structure.");
65 resp->result = TID_SUCCESS; /* presume success */
66 if ((NULL == (resp->rp_realm = tr_dup_name(req->rp_realm))) ||
67 (NULL == (resp->realm = tr_dup_name(req->realm))) ||
68 (NULL == (resp->comm = tr_dup_name(req->comm)))) {
69 tr_crit("tids_create_response: Error allocating fields in response.");
73 if (NULL == (resp->orig_coi = tr_dup_name(req->orig_coi))) {
74 tr_crit("tids_create_response: Error allocating fields in response.");
82 if ((!success) && (resp!=NULL)) {
89 /* returns EACCES if authorization is denied */
90 static int tids_auth_cb(gss_name_t clientName, gss_buffer_t displayName,
93 struct tids_instance *inst = (struct tids_instance *) data;
94 TR_NAME name ={(char *) displayName->value, (int) displayName->length};
97 if (0!=inst->auth_handler(clientName, &name, inst->cookie)) {
98 tr_debug("tids_auth_cb: client '%.*s' denied authorization.", name.len, name.buf);
99 result=EACCES; /* denied */
105 static int tids_handle_request(TIDS_INSTANCE *tids, TID_REQ *req, TID_RESP *resp)
109 /* Check that this is a valid TID Request. If not, send an error return. */
111 (!(req->rp_realm)) ||
114 tr_notice("tids_handle_request(): Not a valid TID Request.");
115 resp->result = TID_ERROR;
116 resp->err_msg = tr_new_name("Bad request format");
120 tr_debug("tids_handle_request: adding self to req path.");
121 tid_req_add_path(req, tids->hostname, tids->tids_port);
123 /* Call the caller's request handler */
124 /* TBD -- Handle different error returns/msgs */
125 if (0 > (rc = (*tids->req_handler)(tids, req, resp, tids->cookie))) {
126 /* set-up an error response */
127 tr_debug("tids_handle_request: req_handler returned error.");
128 resp->result = TID_ERROR;
129 if (!resp->err_msg) /* Use msg set by handler, if any */
130 resp->err_msg = tr_new_name("Internal processing error");
133 /* set-up a success response */
134 tr_debug("tids_handle_request: req_handler returned success.");
135 resp->result = TID_SUCCESS;
136 resp->err_msg = NULL; /* No error msg on successful return */
143 * Produces a JSON-encoded msg containing the TID response
145 * @param mem_ctx talloc context for the return value
146 * @param tids TIDS_INSTANCE handling the request
147 * @param req incoming request
148 * @param resp outgoing response
149 * @return JSON-encoded message containing the TID response
151 static char *tids_encode_response(TALLOC_CTX *mem_ctx, TIDS_INSTANCE *tids, TID_REQ *req, TID_RESP *resp)
154 char *resp_buf = NULL;
156 /* Construct the response message */
157 mresp.msg_type = TID_RESPONSE;
158 tr_msg_set_resp(&mresp, resp);
160 /* Encode the message to JSON */
161 resp_buf = tr_msg_encode(mem_ctx, &mresp);
162 if (resp_buf == NULL) {
163 tr_err("tids_encode_response: Error encoding json response.");
166 tr_debug("tids_encode_response: Encoded response: %s", resp_buf);
173 * Encode/send an error response
175 * Part of the public interface
182 int tids_send_err_response (TIDS_INSTANCE *tids, TID_REQ *req, const char *err_msg) {
183 TID_RESP *resp = NULL;
186 if ((!tids) || (!req) || (!err_msg)) {
187 tr_debug("tids_send_err_response: Invalid parameters.");
191 /* If we already sent a response, don't send another no matter what. */
195 if (NULL == (resp = tids_create_response(req, tids, req))) {
196 tr_crit("tids_send_err_response: Can't create response.");
200 /* mark this as an error response, and include the error message */
201 resp->result = TID_ERROR;
202 resp->err_msg = tr_new_name((char *)err_msg);
203 resp->error_path = req->path;
205 rc = tids_send_response(tids, req, resp);
212 * Encode/send a response
214 * Part of the public interface
221 int tids_send_response (TIDS_INSTANCE *tids, TID_REQ *req, TID_RESP *resp)
226 if ((!tids) || (!req) || (!resp)) {
227 tr_debug("tids_send_response: Invalid parameters.");
231 /* Never send a second response if we already sent one. */
235 resp_buf = tids_encode_response(NULL, tids, req, resp);
236 if (resp_buf == NULL) {
237 tr_err("tids_send_response: Error encoding json response.");
242 tr_debug("tids_send_response: Encoded response: %s", resp_buf);
244 /* If external logging is enabled, fire off a message */
245 /* TODO Can be moved to end once segfault in gsscon_write_encrypted_token fixed */
248 /* Send the response over the connection */
249 err = gsscon_write_encrypted_token (req->conn, req->gssctx, resp_buf,
250 strlen(resp_buf) + 1);
252 tr_notice("tids_send_response: Error sending response over connection.");
257 /* indicate that a response has been sent for this request */
266 * Callback to process a request and produce a response
268 * @param req_str JSON-encoded request
269 * @param data pointer to a TIDS_INSTANCE
270 * @return pointer to the response string or null to send no response
272 static char *tids_req_cb(TALLOC_CTX *mem_ctx, const char *req_str, void *data)
274 TIDS_INSTANCE *tids = talloc_get_type_abort(data, TIDS_INSTANCE);
277 TID_RESP *resp = NULL;
278 char *resp_str = NULL;
281 mreq = tr_msg_decode(req_str, strlen(req_str)); // allocates memory on success!
283 tr_debug("tids_req_cb: Error decoding request.");
287 /* If this isn't a TID Request, just drop it. */
288 if (mreq->msg_type != TID_REQUEST) {
289 tr_msg_free_decoded(mreq);
290 tr_debug("tids_req_cb: Not a TID request, dropped.");
294 /* Get a handle on the request itself. Don't free req - it belongs to mreq */
295 req = tr_msg_get_req(mreq);
297 /* Allocate a response structure and populate common fields. The resp is in req's talloc context,
298 * which will be cleaned up when mreq is freed. */
299 resp = tids_create_response(req, tids, req);
301 /* If we were unable to create a response, we cannot reply. Log an
302 * error if we can, then drop the request. */
303 tr_msg_free_decoded(mreq);
304 tr_crit("tids_req_cb: Error creating response structure.");
308 /* Handle the request and fill in resp */
309 rc = tids_handle_request(tids, req, resp);
311 tr_debug("tids_req_cb: Error from tids_handle_request(), rc = %d.", rc);
312 /* Fall through, to send the response, either way */
315 /* Convert the completed response into an encoded response */
316 resp_str = tids_encode_response(mem_ctx, tids, req, resp);
318 /* Finished; free the request and return */
319 tr_msg_free_decoded(mreq); // this frees req and resp, too
323 TIDS_INSTANCE *tids_new(TALLOC_CTX *mem_ctx)
325 return talloc_zero(mem_ctx, TIDS_INSTANCE);
329 * Create a new TIDS instance
331 * Deprecated: exists for ABI compatibility, but tids_new() should be used instead
334 TIDS_INSTANCE *tids_create(void)
336 return talloc_zero(NULL, TIDS_INSTANCE);
338 /* Get a listener for tids requests, returns its socket fd. Accept
339 * connections with tids_accept() */
340 int tids_get_listener(TIDS_INSTANCE *tids,
341 TIDS_REQ_FUNC *req_handler,
342 tids_auth_func *auth_handler,
343 const char *hostname,
352 tids->tids_port = port;
353 n_fd = tr_sock_listen_all(port, fd_out, max_fd);
356 tr_err("tids_get_listener: Error opening port %d");
358 /* opening port succeeded */
359 tr_info("tids_get_listener: Opened port %d.", port);
361 /* make this socket non-blocking */
362 for (ii=0; ii<n_fd; ii++) {
363 if (0 != fcntl(fd_out[ii], F_SETFL, O_NONBLOCK)) {
364 tr_err("tids_get_listener: Error setting O_NONBLOCK.");
365 for (ii=0; ii<n_fd; ii++) {
376 /* store the caller's request handler & cookie */
377 tids->req_handler = req_handler;
378 tids->auth_handler = auth_handler;
379 tids->hostname = hostname;
380 tids->cookie = cookie;
386 /* Accept and process a connection on a port opened with tids_get_listener() */
387 int tids_accept(TIDS_INSTANCE *tids, int listen)
392 if (0 > (conn = accept(listen, NULL, NULL))) {
393 perror("Error from TIDS Server accept()");
397 if (0 > (pid = fork())) {
398 perror("Error on fork()");
404 tr_gss_handle_connection(conn,
405 "trustidentity", tids->hostname, /* acceptor name */
406 tids_auth_cb, tids, /* auth callback and cookie */
407 tids_req_cb, tids /* req callback and cookie */
410 exit(0); /* exit to kill forked child process */
415 /* clean up any processes that have completed (TBD: move to main loop?) */
416 while (waitpid(-1, 0, WNOHANG) > 0);
421 /* Process tids requests forever. Should not return except on error. */
422 int tids_start (TIDS_INSTANCE *tids,
423 TIDS_REQ_FUNC *req_handler,
424 tids_auth_func *auth_handler,
425 const char *hostname,
429 int fd[TR_MAX_SOCKETS]={0};
431 struct pollfd poll_fd[TR_MAX_SOCKETS]={{0}};
434 n_fd=tids_get_listener(tids, req_handler, auth_handler, hostname, port, cookie, fd, TR_MAX_SOCKETS);
436 perror ("Error from tids_listen()");
440 tr_info("Trust Path Query Server starting on host %s:%d.", hostname, port);
442 /* set up the poll structs */
443 for (ii=0; ii<n_fd; ii++) {
444 poll_fd[ii].fd=fd[ii];
445 poll_fd[ii].events=POLLIN;
448 while(1) { /* accept incoming conns until we are stopped */
449 /* clear out events from previous iteration */
450 for (ii=0; ii<n_fd; ii++)
451 poll_fd[ii].revents=0;
453 /* wait indefinitely for a connection */
454 if (poll(poll_fd, n_fd, -1) < 0) {
455 perror("Error from poll()");
459 /* fork handlers for any sockets that have data */
460 for (ii=0; ii<n_fd; ii++) {
461 if (poll_fd[ii].revents == 0)
464 if ((poll_fd[ii].revents & POLLERR) || (poll_fd[ii].revents & POLLNVAL)) {
465 perror("Error polling fd");
469 if (poll_fd[ii].revents & POLLIN) {
470 if (tids_accept(tids, poll_fd[ii].fd))
471 tr_err("tids_start: error in tids_accept().");
476 return 1; /* should never get here, loops "forever" */
479 void tids_destroy (TIDS_INSTANCE *tids)
481 /* clean up logfiles */