2 * Copyright (c) 2016, JANET(UK)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of JANET(UK) nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
23 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
24 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
25 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
26 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
27 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
29 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
30 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
31 * OF THE POSSIBILITY OF SUCH DAMAGE.
37 #include <trust_router/tr_dh.h>
38 #include <tid_internal.h>
39 #include <tr_filter.h>
43 #include <tr_rp_client.h>
47 #include <trp_route.h>
48 #include <trp_internal.h>
49 #include <tr_config.h>
55 /* Structure to hold data for the tid response callback */
56 typedef struct tr_resp_cookie {
61 /* hold a tids instance and a config manager */
62 struct tr_tids_event_cookie {
68 static void tr_tidc_resp_handler(TIDC_INSTANCE *tidc,
73 TR_RESP_COOKIE *cookie=talloc_get_type_abort(resp_cookie, TR_RESP_COOKIE);
75 tr_debug("tr_tidc_resp_handler: Response received! Realm = %s, Community = %s, result = %s.",
78 (TID_SUCCESS==resp->result)?"success":"error");
80 if (resp->error_path!=NULL)
81 tr_debug("tr_tids_resp_handler: error_path is set.");
82 cookie->resp=tid_resp_dup(cookie, resp);
85 /* data for AAA req forwarding threads */
86 struct tr_tids_fwd_cookie {
88 pthread_mutex_t mutex; /* lock on the mq (separate from the locking within the mq, see below) */
89 TR_MQ *mq; /* messages from thread to main process; set to NULL to disable response */
90 TR_NAME *aaa_hostname;
92 TID_REQ *fwd_req; /* the req to duplicate */
95 static int tr_tids_fwd_cookie_destructor(void *obj)
97 struct tr_tids_fwd_cookie *c=talloc_get_type_abort(obj, struct tr_tids_fwd_cookie);
98 if (c->aaa_hostname!=NULL)
99 tr_free_name(c->aaa_hostname);
100 if (c->dh_params!=NULL)
101 tr_destroy_dh_params(c->dh_params);
105 /* Block until we get the lock, returns 0 on success.
106 * The mutex is used to protect changes to the mq pointer in
107 * a thread's cookie. The master thread sets this to null to indicate
108 * that it has abandoned the thread and the message queue is no longer
109 * valid. This is unrelated to the locking in the message queue
110 * implementation itself. */
111 static int tr_tids_fwd_get_mutex(struct tr_tids_fwd_cookie *cookie)
116 return (pthread_mutex_lock(&(cookie->mutex)));
119 static int tr_tids_fwd_release_mutex(struct tr_tids_fwd_cookie *cookie)
124 return (pthread_mutex_unlock(&(cookie->mutex)));
127 /* values for messages */
128 #define TR_TID_MQMSG_SUCCESS "tid success"
129 #define TR_TID_MQMSG_FAILURE "tid failure"
131 /* Thread main for sending and receiving a request to a single AAA server */
132 static void *tr_tids_req_fwd_thread(void *arg)
134 TALLOC_CTX *tmp_ctx=talloc_new(NULL);
135 struct tr_tids_fwd_cookie *args=talloc_get_type_abort(arg, struct tr_tids_fwd_cookie);
136 TIDC_INSTANCE *tidc=tidc_create();
138 TR_RESP_COOKIE *cookie=NULL;
142 talloc_steal(tmp_ctx, args); /* take responsibility for the cookie */
145 talloc_steal(tmp_ctx, tidc);
147 /* create the cookie we will use for our response */
148 cookie=talloc(tmp_ctx, TR_RESP_COOKIE);
150 tr_notice("tr_tids_req_fwd_thread: unable to allocate response cookie.");
154 cookie->thread_id=args->thread_id;
155 tr_debug("tr_tids_req_fwd_thread: thread %d started.", cookie->thread_id);
157 /* Create a TID client instance */
159 tr_crit("tr_tids_req_fwd_thread: Unable to allocate TIDC instance.");
160 /*tids_send_err_response(tids, orig_req, "Memory allocation failure");*/
161 /* TODO: encode reason for failure */
166 /* Set-up TID connection */
167 if (-1==(args->fwd_req->conn = tidc_open_connection(tidc,
168 args->aaa_hostname->buf,
169 TID_PORT, /* TODO: make this configurable */
170 &(args->fwd_req->gssctx)))) {
171 tr_notice("tr_tids_req_fwd_thread: Error in tidc_open_connection.");
172 /* tids_send_err_response(tids, orig_req, "Can't open connection to next hop TIDS"); */
173 /* TODO: encode reason for failure */
177 tr_debug("tr_tids_req_fwd_thread: thread %d opened TID connection to %s.",
179 args->aaa_hostname->buf);
181 /* Send a TID request. */
182 if (0 > (rc = tidc_fwd_request(tidc, args->fwd_req, tr_tidc_resp_handler, (void *)cookie))) {
183 tr_notice("Error from tidc_fwd_request, rc = %d.", rc);
187 /* cookie->resp should now contain our copy of the response */
189 tr_debug("tr_tids_req_fwd_thread: thread %d received response.", cookie->thread_id);
192 /* Notify parent thread of the response, if it's still listening. */
193 if (0!=tr_tids_fwd_get_mutex(args)) {
194 tr_notice("tr_tids_req_fwd_thread: thread %d unable to acquire mutex.", cookie->thread_id);
195 } else if (NULL!=args->mq) {
196 /* mq is still valid, so we can queue our response */
197 tr_debug("tr_tids_req_fwd_thread: thread %d using valid msg queue.", cookie->thread_id);
199 msg=tr_mq_msg_new(tmp_ctx, TR_TID_MQMSG_SUCCESS, TR_MQ_PRIO_NORMAL);
201 msg=tr_mq_msg_new(tmp_ctx, TR_TID_MQMSG_FAILURE, TR_MQ_PRIO_NORMAL);
204 tr_notice("tr_tids_req_fwd_thread: thread %d unable to allocate response msg.", cookie->thread_id);
206 tr_mq_msg_set_payload(msg, (void *)cookie, NULL);
208 talloc_steal(msg, cookie); /* attach this to the msg so we can forget about it */
209 tr_mq_add(args->mq, msg);
210 talloc_steal(NULL, args); /* take out of our tmp_ctx; master thread now responsible for freeing */
211 tr_debug("tr_tids_req_fwd_thread: thread %d queued response message.", cookie->thread_id);
212 if (0!=tr_tids_fwd_release_mutex(args))
213 tr_notice("tr_tids_req_fwd_thread: Error releasing mutex.");
216 talloc_free(tmp_ctx);
220 /* Merges r2 into r1 if they are compatible. */
221 static TID_RC tr_tids_merge_resps(TID_RESP *r1, TID_RESP *r2)
223 /* ensure these are compatible replies */
224 if ((r1->result!=TID_SUCCESS) || (r2->result!=TID_SUCCESS))
227 if ((0 == tr_name_cmp(r1->rp_realm, r2->rp_realm))
228 && (0 == tr_name_cmp(r1->realm, r2->realm))
229 && ( (0 == tr_name_cmp(r1->comm, r2->comm))
230 || (0 == tr_name_cmp(r1->comm, r2->orig_coi))
231 || (0 == tr_name_cmp(r1->orig_coi, r2->comm)))) {
233 tid_srvr_blk_add(r1->servers, tid_srvr_blk_dup(r1, r2->servers));
240 enum map_coi_result {
242 MAP_COI_MAP_NOT_REQUIRED,
243 MAP_COI_ALREADY_MAPPED,
246 MAP_COI_UNKNOWN_COMM,
250 static enum map_coi_result map_coi(TR_COMM_TABLE *ctable, TID_REQ *req)
257 if (tid_req_get_orig_coi(req) != NULL)
258 return MAP_COI_ALREADY_MAPPED;
260 /* look up the community */
261 orig_comm = tr_comm_table_find_comm(ctable, tid_req_get_comm(req));
262 if (orig_comm == NULL)
263 return MAP_COI_UNKNOWN_COMM;
265 if (tr_comm_get_type(orig_comm) == TR_COMM_APC)
266 return MAP_COI_MAP_NOT_REQUIRED; /* it was already an APC, no mapping to do */
268 /* use first (only) APC. These are just APC names */
269 apcs = tr_comm_get_apcs(orig_comm);
270 if ((!apcs) || (!tr_apc_get_id(apcs)))
271 return MAP_COI_NO_APC;
273 /* get our own copy of the APC name */
274 apc_name = tr_dup_name(tr_apc_get_id(apcs));
275 if (apc_name == NULL) {
276 tr_err("map_coi: Error allocating apc_name");
277 return MAP_COI_ERROR;
280 /* Check that the APC is configured */
281 apc = tr_comm_table_find_comm(ctable, apc_name);
283 tr_free_name(apc_name);
284 return MAP_COI_INVALID_APC;
287 tid_req_set_orig_coi(req, tid_req_get_comm(req)); /* was null, so no need to free anything */
288 tid_req_set_comm(req, apc_name); /* original contents will be freed via orig_coi */
290 return MAP_COI_SUCCESS; /* successfully mapped */
294 * Process a TID request
296 * Return value of -1 means to send a TID_ERROR response. Fill in resp->err_msg or it will
297 * be returned as a generic error.
305 static int tr_tids_req_handler(TIDS_INSTANCE *tids,
310 TALLOC_CTX *tmp_ctx=talloc_new(NULL);
311 TR_AAA_SERVER *aaa_servers=NULL, *this_aaa=NULL;
314 TR_AAA_SERVER_ITER *aaa_iter=NULL;
315 pthread_t aaa_thread[TR_TID_MAX_AAA_SERVERS];
316 struct tr_tids_fwd_cookie *aaa_cookie[TR_TID_MAX_AAA_SERVERS]={NULL};
317 TID_RESP *aaa_resp[TR_TID_MAX_AAA_SERVERS]={NULL};
318 TR_RP_CLIENT *rp_client=NULL;
319 TR_RP_CLIENT_ITER *rpc_iter=NULL;
320 TID_REQ *fwd_req = NULL;
321 TR_COMM *cfg_comm = NULL;
322 TR_COMM *cfg_apc = NULL;
323 TR_FILTER_ACTION oaction = TR_FILTER_ACTION_REJECT;
324 time_t expiration_interval=0;
325 struct tr_tids_event_cookie *cookie=talloc_get_type_abort(cookie_in, struct tr_tids_event_cookie);
326 TR_CFG_MGR *cfg_mgr=cookie->cfg_mgr;
327 TRPS_INSTANCE *trps=cookie->trps;
328 TRP_ROUTE *route=NULL;
331 unsigned int n_responses=0;
332 unsigned int n_failed=0;
333 struct timespec ts_abort={0};
334 unsigned int resp_frac_numer=cfg_mgr->active->internal->tid_resp_numer;
335 unsigned int resp_frac_denom=cfg_mgr->active->internal->tid_resp_denom;
336 TR_RESP_COOKIE *payload=NULL;
337 TR_FILTER_TARGET *target=NULL;
341 if ((!tids) || (!orig_req) || (!resp)) {
342 tr_debug("tr_tids_req_handler: Bad parameters");
347 tr_debug("tr_tids_req_handler: Request received (conn = %d)! Realm = %s, Comm = %s", orig_req->conn,
348 orig_req->realm->buf, orig_req->comm->buf);
349 if (orig_req->request_id)
350 tr_debug("tr_tids_req_handler: TID request ID: %.*s", orig_req->request_id->len, orig_req->request_id->buf);
352 tr_debug("tr_tids_req_handler: TID request ID: none");
356 /* Duplicate the request, so we can modify and forward it */
357 if (NULL == (fwd_req=tid_dup_req(orig_req))) {
358 tr_debug("tr_tids_req_handler: Unable to duplicate request.");
359 retval=-1; /* response will be a generic internal error */
362 talloc_steal(tmp_ctx, fwd_req);
364 /* cfg_comm is now the community (APC or CoI) of the incoming request */
365 if (NULL == (cfg_comm=tr_comm_table_find_comm(cfg_mgr->active->ctable, orig_req->comm))) {
366 tr_notice("tr_tids_req_hander: Request for unknown comm: %s.", orig_req->comm->buf);
367 tid_resp_set_err_msg(resp, tr_new_name("Unknown community"));
372 /* We now need to apply the filters associated with the RP client handing us the request.
373 * It is possible (or even likely) that more than one client is associated with the GSS
374 * name we got from the authentication. We will apply all of them in an arbitrary order.
375 * For this to result in well-defined behavior, either only accept or only reject filter
376 * lines should be used, or a unique GSS name must be given for each RP realm. */
378 if (!tids->gss_name) {
379 tr_notice("tr_tids_req_handler: No GSS name for incoming request.");
380 tid_resp_set_err_msg(resp, tr_new_name("No GSS name for request"));
385 /* Keep original constraints, may add more from the filter. These will be added to orig_req as
386 * well. Need to verify that this is acceptable behavior, but it's what we've always done. */
387 fwd_req->cons=orig_req->cons;
389 target=tr_filter_target_tid_req(tmp_ctx, orig_req);
391 tr_crit("tid_req_handler: Unable to allocate filter target, cannot apply filter!");
392 tid_resp_set_err_msg(resp, tr_new_name("Incoming TID request filter error"));
397 rpc_iter=tr_rp_client_iter_new(tmp_ctx);
398 if (rpc_iter==NULL) {
399 tr_err("tid_req_handler: Unable to allocate RP client iterator.");
403 for (rp_client=tr_rp_client_iter_first(rpc_iter, cfg_mgr->active->rp_clients);
405 rp_client=tr_rp_client_iter_next(rpc_iter)) {
407 if (!tr_gss_names_matches(rp_client->gss_names, tids->gss_name))
408 continue; /* skip any that don't match the GSS name */
410 if (TR_FILTER_MATCH == tr_filter_apply(target,
411 tr_filter_set_get(rp_client->filters,
412 TR_FILTER_TYPE_TID_INBOUND),
415 break; /* Stop looking, oaction is set */
418 /* We get here whether or not a filter matched. If tr_filter_apply() doesn't match, it returns
419 * a default action of reject, so we don't have to check why we exited the loop. */
420 if (oaction != TR_FILTER_ACTION_ACCEPT) {
421 tr_notice("tr_tids_req_handler: Incoming TID request rejected by RP client filter for GSS name %.*s",
422 tids->gss_name->len, tids->gss_name->buf);
423 tid_resp_set_err_msg(resp, tr_new_name("Incoming TID request filter error"));
428 /* Check that the rp_realm is a member of the community in the request */
429 if (NULL == tr_comm_find_rp(cfg_mgr->active->ctable, cfg_comm, orig_req->rp_realm)) {
430 tr_notice("tr_tids_req_handler: RP Realm (%s) not member of community (%s).",
431 orig_req->rp_realm->buf, orig_req->comm->buf);
432 tid_resp_set_err_msg(resp, tr_new_name("RP community membership error"));
437 switch(map_coi(cfg_mgr->active->ctable, fwd_req)) {
438 case MAP_COI_MAP_NOT_REQUIRED:
442 case MAP_COI_SUCCESS:
443 cfg_apc = tr_comm_table_find_comm(cfg_mgr->active->ctable, tid_req_get_comm(fwd_req));
444 tr_debug("tr_tids_req_handler: Community %.*s is a COI, mapping to APC %.*s.",
445 tid_req_get_orig_coi(fwd_req)->len, tid_req_get_orig_coi(fwd_req)->buf,
446 tr_comm_get_id(cfg_apc)->len, tr_comm_get_id(cfg_apc)->buf);
449 case MAP_COI_ALREADY_MAPPED:
450 tr_notice("tr_tids_req_handler: community %.*s is COI but COI to APC mapping already occurred. Dropping request.",
451 tid_req_get_comm(orig_req)->len, tid_req_get_comm(orig_req)->buf);
452 tid_resp_set_err_msg(resp, tr_new_name("Second COI to APC mapping would result, permitted only once."));
457 tr_notice("No valid APC for COI %.*s.",
458 tid_req_get_comm(orig_req)->len, tid_req_get_comm(orig_req)->buf);
459 tid_resp_set_err_msg(resp, tr_new_name("No valid APC for community"));
463 case MAP_COI_INVALID_APC:
464 tr_notice("tr_tids_req_hander: Request for unknown APC.");
465 tid_resp_set_err_msg(resp, tr_new_name("Unknown APC"));
470 tr_notice("tr_tids_req_hander: Unexpected error mapping COI to APC.");
475 /* cfg_comm is now the original community, and cfg_apc is the APC it belongs to. These
476 * may both be the same. If not, check that rp_realm is a member of the mapped APC */
477 if ((cfg_apc != cfg_comm)
478 && (NULL == tr_comm_find_rp(cfg_mgr->active->ctable,
480 tid_req_get_rp_realm(fwd_req)))) {
481 tr_notice("tr_tids_req_hander: RP Realm (%.*s) not member of mapped APC (%.*s).",
482 tid_req_get_rp_realm(fwd_req)->len, tid_req_get_rp_realm(fwd_req)->buf,
483 tr_comm_get_id(cfg_apc)->len, tr_comm_get_id(cfg_apc)->buf);
484 tid_resp_set_err_msg(resp, tr_new_name("RP community membership error"));
489 /* Look up the route for forwarding request's community/realm. */
490 tr_debug("tr_tids_req_handler: looking up route.");
491 route=trps_get_selected_route(trps, fwd_req->comm, fwd_req->realm);
493 /* No route. Use default AAA servers if we have them. */
494 tr_debug("tr_tids_req_handler: No route for realm %s, defaulting.", fwd_req->realm->buf);
495 if (NULL == (aaa_servers = tr_default_server_lookup(cfg_mgr->active->default_servers,
497 tr_notice("tr_tids_req_handler: No default AAA servers, discarded.");
498 tid_resp_set_err_msg(resp, tr_new_name("No path to AAA Server(s) for realm"));
504 /* Found a route. Determine the AAA servers or next hop address for the request we are forwarding. */
505 tr_debug("tr_tids_req_handler: found route.");
506 if (trp_route_is_local(route)) {
507 tr_debug("tr_tids_req_handler: route is local.");
508 aaa_servers = tr_idp_aaa_server_lookup(cfg_mgr->active->ctable->idp_realms,
513 tr_debug("tr_tids_req_handler: route not local.");
514 aaa_servers = tr_aaa_server_new(tmp_ctx, trp_route_get_next_hop(route));
518 /* Since we aren't defaulting, check idp coi and apc membership of the original request */
519 if (NULL == (tr_comm_find_idp(cfg_mgr->active->ctable, cfg_comm, orig_req->realm))) {
520 tr_notice("tr_tids_req_handler: IDP Realm (%s) not member of community (%s).", orig_req->realm->buf, cfg_comm->id->buf);
521 tid_resp_set_err_msg(resp, tr_new_name("IDP community membership error"));
525 if ( cfg_apc && (NULL == (tr_comm_find_idp(cfg_mgr->active->ctable, cfg_apc, orig_req->realm)))) {
526 tr_notice("tr_tids_req_handler: IDP Realm (%s) not member of APC (%s).", orig_req->realm->buf, cfg_apc->id->buf);
527 tid_resp_set_err_msg(resp, tr_new_name("IDP APC membership error"));
533 /* Make sure we came through with a AAA server. If not, we can't handle the request.
534 * Report using the original request, not translated values. */
535 if (NULL == aaa_servers) {
536 tr_notice("tr_tids_req_handler: no route or AAA server for realm (%s) in community (%s).",
537 orig_req->realm->buf, orig_req->comm->buf);
538 tid_resp_set_err_msg(resp, tr_new_name("Missing trust route error"));
543 /* send a TID request to the AAA server(s), and get the answer(s) */
544 tr_debug("tr_tids_req_handler: sending TID request(s).");
545 /* Use the smaller of the APC's expiration interval and the expiration interval of the incoming request */
546 expiration_interval = cfg_apc->expiration_interval;
547 if (fwd_req->expiration_interval)
548 fwd_req->expiration_interval = (expiration_interval < fwd_req->expiration_interval) ? expiration_interval : fwd_req->expiration_interval;
550 fwd_req->expiration_interval = expiration_interval;
552 /* Set up message queue for replies from req forwarding threads */
553 mq=tr_mq_new(tmp_ctx);
555 tr_notice("tr_tids_req_handler: unable to allocate message queue.");
559 tr_debug("tr_tids_req_handler: message queue allocated.");
562 aaa_iter=tr_aaa_server_iter_new(tmp_ctx);
563 if (aaa_iter==NULL) {
564 tr_notice("tr_tids_req_handler: unable to allocate AAA server iterator.");
568 for (n_aaa=0, this_aaa=tr_aaa_server_iter_first(aaa_iter, aaa_servers);
570 n_aaa++, this_aaa=tr_aaa_server_iter_next(aaa_iter)) {
571 tr_debug("tr_tids_req_handler: Preparing to start thread %d.", n_aaa);
573 aaa_cookie[n_aaa]=talloc(tmp_ctx, struct tr_tids_fwd_cookie);
574 if (aaa_cookie[n_aaa]==NULL) {
575 tr_notice("tr_tids_req_handler: unable to allocate cookie for AAA thread %d.", n_aaa);
579 talloc_set_destructor((void *)(aaa_cookie[n_aaa]), tr_tids_fwd_cookie_destructor);
580 /* fill in the cookie. To ensure the thread has valid data even if we exit first and
581 * abandon it, duplicate anything pointed to (except the mq). */
582 aaa_cookie[n_aaa]->thread_id=n_aaa;
583 if (0!=pthread_mutex_init(&(aaa_cookie[n_aaa]->mutex), NULL)) {
584 tr_notice("tr_tids_req_handler: unable to init mutex for AAA thread %d.", n_aaa);
588 aaa_cookie[n_aaa]->mq=mq;
589 aaa_cookie[n_aaa]->aaa_hostname=tr_dup_name(this_aaa->hostname);
590 aaa_cookie[n_aaa]->dh_params=tr_dh_dup(orig_req->tidc_dh);
591 aaa_cookie[n_aaa]->fwd_req=tid_dup_req(fwd_req);
592 talloc_steal(aaa_cookie[n_aaa], aaa_cookie[n_aaa]->fwd_req);
593 tr_debug("tr_tids_req_handler: cookie %d initialized.", n_aaa);
595 /* Take the cookie out of tmp_ctx before starting thread. If thread starts, it becomes
596 * responsible for freeing it until it queues a response. If we did not do this, the possibility
597 * exists that this function exits, freeing the cookie, before the thread takes the cookie
598 * out of our tmp_ctx. This would cause a segfault or talloc error in the thread. */
599 talloc_steal(NULL, aaa_cookie[n_aaa]);
600 if (0!=pthread_create(&(aaa_thread[n_aaa]), NULL, tr_tids_req_fwd_thread, aaa_cookie[n_aaa])) {
601 talloc_steal(tmp_ctx, aaa_cookie[n_aaa]); /* thread start failed; steal this back */
602 tr_notice("tr_tids_req_handler: unable to start AAA thread %d.", n_aaa);
606 tr_debug("tr_tids_req_handler: thread %d started.", n_aaa);
609 /* determine expiration time */
610 if (0!=tr_mq_pop_timeout(cfg_mgr->active->internal->tid_req_timeout, &ts_abort)) {
611 tr_notice("tr_tids_req_handler: unable to read clock for timeout.");
616 /* wait for responses */
617 tr_debug("tr_tids_req_handler: waiting for response(s).");
620 while (((n_responses+n_failed)<n_aaa) &&
621 (NULL!=(msg=tr_mq_pop(mq, &ts_abort)))) {
622 /* process message */
623 if (0==strcmp(tr_mq_msg_get_message(msg), TR_TID_MQMSG_SUCCESS)) {
624 payload=talloc_get_type_abort(tr_mq_msg_get_payload(msg), TR_RESP_COOKIE);
625 talloc_steal(tmp_ctx, payload); /* put this back in our context */
626 aaa_resp[payload->thread_id]=payload->resp; /* save pointers to these */
628 if (payload->resp->result==TID_SUCCESS) {
629 tr_tids_merge_resps(resp, payload->resp);
633 tr_notice("tr_tids_req_handler: TID error received from AAA server %d: %.*s",
635 payload->resp->err_msg->len,
636 payload->resp->err_msg->buf);
638 } else if (0==strcmp(tr_mq_msg_get_message(msg), TR_TID_MQMSG_FAILURE)) {
641 payload=talloc_get_type(tr_mq_msg_get_payload(msg), TR_RESP_COOKIE);
643 talloc_steal(tmp_ctx, payload); /* put this back in our context */
645 /* this means the thread was unable to allocate a response cookie, and we thus cannot determine which thread it was. This is bad and should never happen in a working system.. Give up. */
646 tr_notice("tr_tids_req_handler: TID request thread sent invalid reply. Aborting!");
650 tr_notice("tr_tids_req_handler: TID request for AAA server %d failed.",
653 /* unexpected message */
654 tr_err("tr_tids_req_handler: Unexpected message received. Aborting!");
659 /* Set the cookie pointer to NULL so we know we've dealt with this one. The
660 * cookie itself is in our tmp_ctx, which we'll free before exiting. Let it hang
661 * around in case we are still using pointers to elements of the cookie. */
662 aaa_cookie[payload->thread_id]=NULL;
666 /* check whether we've received enough responses to exit */
667 if ((idp_shared && (n_responses>0)) ||
668 (resp_frac_denom*n_responses>=resp_frac_numer*n_aaa))
672 tr_debug("tr_tids_req_handler: done waiting for responses. %d responses, %d failures.",
673 n_responses, n_failed);
674 /* Inform any remaining threads that we will no longer handle their responses. */
675 for (ii=0; ii<n_aaa; ii++) {
676 if (aaa_cookie[ii]!=NULL) {
677 if (0!=tr_tids_fwd_get_mutex(aaa_cookie[ii]))
678 tr_notice("tr_tids_req_handler: unable to get mutex for AAA thread %d.", ii);
680 aaa_cookie[ii]->mq=NULL; /* threads will not try to respond through a null mq */
682 if (0!=tr_tids_fwd_release_mutex(aaa_cookie[ii]))
683 tr_notice("tr_tids_req_handler: unable to release mutex for AAA thread %d.", ii);
687 /* Now all threads have either replied (and aaa_cookie[ii] is null) or have been told not to
688 * reply (by setting their mq pointer to null). However, some may have responded by placing
689 * a message on the mq after we last checked but before we set their mq pointer to null. These
690 * will not know that we gave up on them, so we must free their cookies for them. We can just
691 * go through any remaining messages on the mq to identify these threads. By putting them in
692 * our context instead of freeing them directly, we ensure we don't accidentally invalidate
693 * any of our own pointers into the structure before this function exits. */
694 while (NULL!=(msg=tr_mq_pop(mq, NULL))) {
695 payload=(TR_RESP_COOKIE *)tr_mq_msg_get_payload(msg);
696 if (aaa_cookie[payload->thread_id]!=NULL)
697 talloc_steal(tmp_ctx, aaa_cookie[payload->thread_id]);
702 if (n_responses==0) {
703 /* No requests succeeded, so this will be an error */
706 /* If we got any error responses, send an arbitrarily chosen one. */
707 for (ii=0; ii<n_aaa; ii++) {
708 if (aaa_resp[ii] != NULL) {
709 tid_resp_cpy(resp, aaa_resp[ii]);
713 /* No error responses at all, so generate our own error. */
714 tid_resp_set_err_msg(resp, tr_new_name("Unable to contact AAA server(s)."));
722 talloc_free(tmp_ctx);
726 static int tr_tids_gss_handler(gss_name_t client_name, TR_NAME *gss_name,
729 struct tr_tids_event_cookie *cookie=talloc_get_type_abort(data, struct tr_tids_event_cookie);
730 TIDS_INSTANCE *tids = cookie->tids;
731 TR_CFG_MGR *cfg_mgr = cookie->cfg_mgr;
733 if ((!client_name) || (!gss_name) || (!tids) || (!cfg_mgr)) {
734 tr_debug("tr_tidc_gss_handler: Bad parameters.");
738 /* Ensure at least one client exists using this GSS name */
739 if (NULL == tr_rp_client_lookup(cfg_mgr->active->rp_clients, gss_name)) {
740 tr_debug("tr_tids_gss_handler: Unknown GSS name %.*s", gss_name->len, gss_name->buf);
744 /* Store the GSS name */
745 tids->gss_name = tr_dup_name(gss_name);
746 tr_debug("Client's GSS Name: %.*s", gss_name->len, gss_name->buf);
752 /***** TIDS event handling *****/
754 /* called when a connection to the TIDS port is received */
755 static void tr_tids_event_cb(int listener, short event, void *arg)
757 TIDS_INSTANCE *tids = talloc_get_type_abort(arg, TIDS_INSTANCE);
759 if (0==(event & EV_READ))
760 tr_debug("tr_tids_event_cb: unexpected event on TIDS socket (event=0x%X)", event);
762 tids_accept(tids, listener);
765 /* called when it's time to sweep for completed TID child processes */
766 static void tr_tids_sweep_cb(int listener, short event, void *arg)
768 TIDS_INSTANCE *tids = talloc_get_type_abort(arg, TIDS_INSTANCE);
770 if (0==(event & EV_TIMEOUT))
771 tr_debug("tr_tids_event_cb: unexpected event on TID process sweep timer (event=0x%X)", event);
773 tids_sweep_procs(tids);
776 /* Configure the tids instance and set up its event handlers.
777 * Returns 0 on success, nonzero on failure. Fills in
778 * *tids_event (which should be allocated by caller). */
779 int tr_tids_event_init(struct event_base *base, TIDS_INSTANCE *tids, TR_CFG_MGR *cfg_mgr, TRPS_INSTANCE *trps,
780 struct tr_socket_event *tids_ev, struct event **sweep_ev)
782 TALLOC_CTX *tmp_ctx=talloc_new(NULL);
783 struct tr_tids_event_cookie *cookie=NULL;
784 struct timeval sweep_interval;
788 if (tids_ev == NULL) {
789 tr_debug("tr_tids_event_init: Null tids_ev.");
794 if (sweep_ev == NULL) {
795 tr_debug("tr_tids_event_init: Null sweep_ev.");
800 /* Create the cookie for callbacks. We'll put it in the tids context, so it will
801 * be cleaned up when tids is freed by talloc_free. */
802 cookie=talloc(tmp_ctx, struct tr_tids_event_cookie);
803 if (cookie == NULL) {
804 tr_debug("tr_tids_event_init: Unable to allocate cookie.");
809 cookie->cfg_mgr=cfg_mgr;
811 talloc_steal(tids, cookie);
813 /* get a tids listener */
814 tids_ev->n_sock_fd = (int)tids_get_listener(tids,
817 cfg_mgr->active->internal->hostname,
818 cfg_mgr->active->internal->tids_port,
822 if (tids_ev->n_sock_fd==0) {
823 tr_crit("Error opening TID server socket.");
828 /* Set up listener events */
829 for (ii=0; ii<tids_ev->n_sock_fd; ii++) {
830 tids_ev->ev[ii]=event_new(base,
831 tids_ev->sock_fd[ii],
835 event_add(tids_ev->ev[ii], NULL);
838 /* Set up a periodic check for completed TID handler processes */
839 *sweep_ev = event_new(base, -1, EV_TIMEOUT|EV_PERSIST, tr_tids_sweep_cb, tids);
840 sweep_interval.tv_sec = 10;
841 sweep_interval.tv_usec = 0;
842 event_add(*sweep_ev, &sweep_interval);
845 talloc_free(tmp_ctx);
projects / trust_router.git / blob