2 * Copyright (c) 2016, JANET(UK)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of JANET(UK) nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
23 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
24 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
25 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
26 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
27 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
29 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
30 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
31 * OF THE POSSIBILITY OF SUCH DAMAGE.
37 #include <trust_router/tr_dh.h>
38 #include <tid_internal.h>
39 #include <tr_filter.h>
46 #include <trp_internal.h>
47 #include <tr_config.h>
52 /* Structure to hold data for the tid response callback */
53 typedef struct tr_resp_cookie {
58 /* hold a tids instance and a config manager */
59 struct tr_tids_event_cookie {
65 static void tr_tidc_resp_handler(TIDC_INSTANCE *tidc,
70 TR_RESP_COOKIE *cookie=talloc_get_type_abort(resp_cookie, TR_RESP_COOKIE);
72 tr_debug("tr_tidc_resp_handler: Response received! Realm = %s, Community = %s, result = %s.",
75 (TID_SUCCESS==resp->result)?"success":"error");
77 if (resp->error_path!=NULL)
78 tr_debug("tr_tids_resp_handler: error_path is set.");
79 cookie->resp=tid_resp_dup(cookie, resp);
82 /* data for AAA req forwarding threads */
83 struct tr_tids_fwd_cookie {
85 pthread_mutex_t mutex; /* lock on the mq (separate from the locking within the mq, see below) */
86 TR_MQ *mq; /* messages from thread to main process; set to NULL to disable response */
87 TR_NAME *aaa_hostname;
89 TID_REQ *fwd_req; /* the req to duplicate */
92 static int tr_tids_fwd_cookie_destructor(void *obj)
94 struct tr_tids_fwd_cookie *c=talloc_get_type_abort(obj, struct tr_tids_fwd_cookie);
95 if (c->aaa_hostname!=NULL)
96 tr_free_name(c->aaa_hostname);
97 if (c->dh_params!=NULL)
98 tr_destroy_dh_params(c->dh_params);
102 /* Block until we get the lock, returns 0 on success.
103 * The mutex is used to protect changes to the mq pointer in
104 * a thread's cookie. The master thread sets this to null to indicate
105 * that it has abandoned the thread and the message queue is no longer
106 * valid. This is unrelated to the locking in the message queue
107 * implementation itself. */
108 static int tr_tids_fwd_get_mutex(struct tr_tids_fwd_cookie *cookie)
113 return (pthread_mutex_lock(&(cookie->mutex)));
116 static int tr_tids_fwd_release_mutex(struct tr_tids_fwd_cookie *cookie)
121 return (pthread_mutex_unlock(&(cookie->mutex)));
124 /* values for messages */
125 #define TR_TID_MQMSG_SUCCESS "tid success"
126 #define TR_TID_MQMSG_FAILURE "tid failure"
128 /* Thread main for sending and receiving a request to a single AAA server */
129 static void *tr_tids_req_fwd_thread(void *arg)
131 TALLOC_CTX *tmp_ctx=talloc_new(NULL);
132 struct tr_tids_fwd_cookie *args=talloc_get_type_abort(arg, struct tr_tids_fwd_cookie);
133 TIDC_INSTANCE *tidc=tidc_create();
135 TR_RESP_COOKIE *cookie=NULL;
139 talloc_steal(tmp_ctx, args); /* take responsibility for the cookie */
142 talloc_steal(tmp_ctx, tidc);
144 /* create the cookie we will use for our response */
145 cookie=talloc(tmp_ctx, TR_RESP_COOKIE);
147 tr_notice("tr_tids_req_fwd_thread: unable to allocate response cookie.");
151 cookie->thread_id=args->thread_id;
152 tr_debug("tr_tids_req_fwd_thread: thread %d started.", cookie->thread_id);
154 /* Create a TID client instance */
156 tr_crit("tr_tids_req_fwd_thread: Unable to allocate TIDC instance.");
157 /*tids_send_err_response(tids, orig_req, "Memory allocation failure");*/
158 /* TODO: encode reason for failure */
163 /* Set-up TID connection */
164 if (-1==(args->fwd_req->conn = tidc_open_connection(tidc,
165 args->aaa_hostname->buf,
166 TID_PORT, /* TODO: make this configurable */
167 &(args->fwd_req->gssctx)))) {
168 tr_notice("tr_tids_req_fwd_thread: Error in tidc_open_connection.");
169 /* tids_send_err_response(tids, orig_req, "Can't open connection to next hop TIDS"); */
170 /* TODO: encode reason for failure */
174 tr_debug("tr_tids_req_fwd_thread: thread %d opened TID connection to %s.",
176 args->aaa_hostname->buf);
178 /* Send a TID request. */
179 if (0 > (rc = tidc_fwd_request(tidc, args->fwd_req, tr_tidc_resp_handler, (void *)cookie))) {
180 tr_notice("Error from tidc_fwd_request, rc = %d.", rc);
184 /* cookie->resp should now contain our copy of the response */
186 tr_debug("tr_tids_req_fwd_thread: thread %d received response.");
189 /* Notify parent thread of the response, if it's still listening. */
190 if (0!=tr_tids_fwd_get_mutex(args)) {
191 tr_notice("tr_tids_req_fwd_thread: thread %d unable to acquire mutex.", cookie->thread_id);
192 } else if (NULL!=args->mq) {
193 /* mq is still valid, so we can queue our response */
194 tr_debug("tr_tids_req_fwd_thread: thread %d using valid msg queue.", cookie->thread_id);
196 msg=tr_mq_msg_new(tmp_ctx, TR_TID_MQMSG_SUCCESS, TR_MQ_PRIO_NORMAL);
198 msg=tr_mq_msg_new(tmp_ctx, TR_TID_MQMSG_FAILURE, TR_MQ_PRIO_NORMAL);
201 tr_notice("tr_tids_req_fwd_thread: thread %d unable to allocate response msg.", cookie->thread_id);
203 tr_mq_msg_set_payload(msg, (void *)cookie, NULL);
205 talloc_steal(msg, cookie); /* attach this to the msg so we can forget about it */
206 tr_mq_add(args->mq, msg);
207 talloc_steal(NULL, args); /* take out of our tmp_ctx; master thread now responsible for freeing */
208 tr_debug("tr_tids_req_fwd_thread: thread %d queued response message.", cookie->thread_id);
209 if (0!=tr_tids_fwd_release_mutex(args))
210 tr_notice("tr_tids_req_fwd_thread: Error releasing mutex.");
213 talloc_free(tmp_ctx);
217 /* Merges r2 into r1 if they are compatible. */
218 static TID_RC tr_tids_merge_resps(TID_RESP *r1, TID_RESP *r2)
220 /* ensure these are compatible replies */
221 if ((r1->result!=TID_SUCCESS) || (r2->result!=TID_SUCCESS))
224 if ((0!=tr_name_cmp(r1->rp_realm, r2->rp_realm)) ||
225 (0!=tr_name_cmp(r1->realm, r2->realm)) ||
226 (0!=tr_name_cmp(r1->comm, r2->comm)))
229 tid_srvr_blk_add(r1->servers, tid_srvr_blk_dup(r1, r2->servers));
233 static int tr_tids_req_handler(TIDS_INSTANCE *tids,
238 TALLOC_CTX *tmp_ctx=talloc_new(NULL);
239 TR_AAA_SERVER *aaa_servers=NULL, *this_aaa=NULL;
242 TR_AAA_SERVER_ITER *aaa_iter=NULL;
243 pthread_t aaa_thread[TR_TID_MAX_AAA_SERVERS];
244 struct tr_tids_fwd_cookie *aaa_cookie[TR_TID_MAX_AAA_SERVERS]={NULL};
245 TID_RESP *aaa_resp[TR_TID_MAX_AAA_SERVERS]={NULL};
246 TR_RP_CLIENT *rp_client=NULL;
247 TR_RP_CLIENT_ITER *rpc_iter=NULL;
249 TID_REQ *fwd_req = NULL;
250 TR_COMM *cfg_comm = NULL;
251 TR_COMM *cfg_apc = NULL;
252 TR_FILTER_ACTION oaction = TR_FILTER_ACTION_REJECT;
253 time_t expiration_interval=0;
254 struct tr_tids_event_cookie *cookie=talloc_get_type_abort(cookie_in, struct tr_tids_event_cookie);
255 TR_CFG_MGR *cfg_mgr=cookie->cfg_mgr;
256 TRPS_INSTANCE *trps=cookie->trps;
257 TRP_ROUTE *route=NULL;
260 unsigned int n_responses=0;
261 unsigned int n_failed=0;
262 struct timespec ts_abort={0};
263 unsigned int resp_frac_numer=cfg_mgr->active->internal->tid_resp_numer;
264 unsigned int resp_frac_denom=cfg_mgr->active->internal->tid_resp_denom;
265 TR_RESP_COOKIE *payload=NULL;
266 TR_FILTER_TARGET *target=NULL;
270 if ((!tids) || (!orig_req) || (!resp)) {
271 tr_debug("tr_tids_req_handler: Bad parameters");
276 tr_debug("tr_tids_req_handler: Request received (conn = %d)! Realm = %s, Comm = %s", orig_req->conn,
277 orig_req->realm->buf, orig_req->comm->buf);
280 /* Duplicate the request, so we can modify and forward it */
281 if (NULL == (fwd_req=tid_dup_req(orig_req))) {
282 tr_debug("tr_tids_req_handler: Unable to duplicate request.");
286 talloc_steal(tmp_ctx, fwd_req);
288 if (NULL == (cfg_comm=tr_comm_table_find_comm(cfg_mgr->active->ctable, orig_req->comm))) {
289 tr_notice("tr_tids_req_hander: Request for unknown comm: %s.", orig_req->comm->buf);
290 tids_send_err_response(tids, orig_req, "Unknown community");
295 /* We now need to apply the filters associated with the RP client handing us the request.
296 * It is possible (or even likely) that more than one client is associated with the GSS
297 * name we got from the authentication. We will apply all of them in an arbitrary order.
298 * For this to result in well-defined behavior, either only accept or only reject filter
299 * lines should be used, or a unique GSS name must be given for each RP realm. */
301 if (!tids->gss_name) {
302 tr_notice("tr_tids_req_handler: No GSS name for incoming request.");
303 tids_send_err_response(tids, orig_req, "No GSS name for request");
308 /* Keep original constraints, may add more from the filter. These will be added to orig_req as
309 * well. Need to verify that this is acceptable behavior, but it's what we've always done. */
310 fwd_req->cons=orig_req->cons;
312 target=tr_filter_target_tid_req(tmp_ctx, orig_req);
314 tr_crit("tid_req_handler: Unable to allocate filter target, cannot apply filter!");
315 tids_send_err_response(tids, orig_req, "Incoming TID request filter error");
320 rpc_iter=tr_rp_client_iter_new(tmp_ctx);
321 if (rpc_iter==NULL) {
322 tr_err("tid_req_handler: Unable to allocate RP client iterator.");
326 for (rp_client=tr_rp_client_iter_first(rpc_iter, cfg_mgr->active->rp_clients);
328 rp_client=tr_rp_client_iter_next(rpc_iter)) {
330 if (!tr_gss_names_matches(rp_client->gss_names, tids->gss_name))
331 continue; /* skip any that don't match the GSS name */
333 if (TR_FILTER_MATCH == tr_filter_apply(target,
334 tr_filter_set_get(rp_client->filters,
335 TR_FILTER_TYPE_TID_INBOUND),
338 break; /* Stop looking, oaction is set */
341 /* We get here whether or not a filter matched. If tr_filter_apply() doesn't match, it returns
342 * a default action of reject, so we don't have to check why we exited the loop. */
343 if (oaction != TR_FILTER_ACTION_ACCEPT) {
344 tr_notice("tr_tids_req_handler: Incoming TID request rejected by filter for GSS name", orig_req->rp_realm->buf);
345 tids_send_err_response(tids, orig_req, "Incoming TID request filter error");
350 /* Check that the rp_realm is a member of the community in the request */
351 if (NULL == tr_comm_find_rp(cfg_mgr->active->ctable, cfg_comm, orig_req->rp_realm)) {
352 tr_notice("tr_tids_req_handler: RP Realm (%s) not member of community (%s).", orig_req->rp_realm->buf, orig_req->comm->buf);
353 tids_send_err_response(tids, orig_req, "RP COI membership error");
358 /* Map the comm in the request from a COI to an APC, if needed */
359 if (TR_COMM_COI == cfg_comm->type) {
360 if (orig_req->orig_coi!=NULL) {
361 tr_notice("tr_tids_req_handler: community %s is COI but COI to APC mapping already occurred. Dropping request.",
362 orig_req->comm->buf);
363 tids_send_err_response(tids, orig_req, "Second COI to APC mapping would result, permitted only once.");
368 tr_debug("tr_tids_req_handler: Community was a COI, switching.");
369 /* TBD -- In theory there can be more than one? How would that work? */
370 if ((!cfg_comm->apcs) || (!cfg_comm->apcs->id)) {
371 tr_notice("No valid APC for COI %s.", orig_req->comm->buf);
372 tids_send_err_response(tids, orig_req, "No valid APC for community");
376 apc = tr_dup_name(cfg_comm->apcs->id);
378 /* Check that the APC is configured */
379 if (NULL == (cfg_apc = tr_comm_table_find_comm(cfg_mgr->active->ctable, apc))) {
380 tr_notice("tr_tids_req_hander: Request for unknown comm: %s.", apc->buf);
381 tids_send_err_response(tids, orig_req, "Unknown APC");
387 fwd_req->orig_coi = orig_req->comm;
389 /* Check that rp_realm is a member of this APC */
390 if (NULL == (tr_comm_find_rp(cfg_mgr->active->ctable, cfg_apc, orig_req->rp_realm))) {
391 tr_notice("tr_tids_req_hander: RP Realm (%s) not member of community (%s).", orig_req->rp_realm->buf, orig_req->comm->buf);
392 tids_send_err_response(tids, orig_req, "RP APC membership error");
398 /* Look up the route for this community/realm. */
399 tr_debug("tr_tids_req_handler: looking up route.");
400 route=trps_get_selected_route(trps, orig_req->comm, orig_req->realm);
402 /* No route. Use default AAA servers if we have them. */
403 tr_debug("tr_tids_req_handler: No route for realm %s, defaulting.", orig_req->realm->buf);
404 if (NULL == (aaa_servers = tr_default_server_lookup(cfg_mgr->active->default_servers,
406 tr_notice("tr_tids_req_handler: No default AAA servers, discarded.");
407 tids_send_err_response(tids, orig_req, "No path to AAA Server(s) for realm");
413 /* Found a route. Determine the AAA servers or next hop address. */
414 tr_debug("tr_tids_req_handler: found route.");
415 if (trp_route_is_local(route)) {
416 tr_debug("tr_tids_req_handler: route is local.");
417 aaa_servers = tr_idp_aaa_server_lookup(cfg_mgr->active->ctable->idp_realms,
422 tr_debug("tr_tids_req_handler: route not local.");
423 aaa_servers = tr_aaa_server_new(tmp_ctx, trp_route_get_next_hop(route));
427 /* Since we aren't defaulting, check idp coi and apc membership */
428 if (NULL == (tr_comm_find_idp(cfg_mgr->active->ctable, cfg_comm, fwd_req->realm))) {
429 tr_notice("tr_tids_req_handler: IDP Realm (%s) not member of community (%s).", orig_req->realm->buf, orig_req->comm->buf);
430 tids_send_err_response(tids, orig_req, "IDP community membership error");
434 if ( cfg_apc && (NULL == (tr_comm_find_idp(cfg_mgr->active->ctable, cfg_apc, fwd_req->realm)))) {
435 tr_notice("tr_tids_req_handler: IDP Realm (%s) not member of APC (%s).", orig_req->realm->buf, orig_req->comm->buf);
436 tids_send_err_response(tids, orig_req, "IDP APC membership error");
442 /* Make sure we came through with a AAA server. If not, we can't handle the request. */
443 if (NULL == aaa_servers) {
444 tr_notice("tr_tids_req_handler: no route or AAA server for realm (%s) in community (%s).",
445 orig_req->realm->buf, orig_req->comm->buf);
446 tids_send_err_response(tids, orig_req, "Missing trust route error");
451 /* send a TID request to the AAA server(s), and get the answer(s) */
452 tr_debug("tr_tids_req_handler: sending TID request(s).");
454 expiration_interval = cfg_apc->expiration_interval;
455 else expiration_interval = cfg_comm->expiration_interval;
456 if (fwd_req->expiration_interval)
457 fwd_req->expiration_interval = (expiration_interval < fwd_req->expiration_interval) ? expiration_interval : fwd_req->expiration_interval;
458 else fwd_req->expiration_interval = expiration_interval;
460 /* Set up message queue for replies from req forwarding threads */
461 mq=tr_mq_new(tmp_ctx);
463 tr_notice("tr_tids_req_handler: unable to allocate message queue.");
467 tr_debug("tr_tids_req_handler: message queue allocated.");
470 aaa_iter=tr_aaa_server_iter_new(tmp_ctx);
471 if (aaa_iter==NULL) {
472 tr_notice("tr_tids_req_handler: unable to allocate AAA server iterator.");
476 for (n_aaa=0, this_aaa=tr_aaa_server_iter_first(aaa_iter, aaa_servers);
478 n_aaa++, this_aaa=tr_aaa_server_iter_next(aaa_iter)) {
479 tr_debug("tr_tids_req_handler: Preparing to start thread %d.", n_aaa);
481 aaa_cookie[n_aaa]=talloc(tmp_ctx, struct tr_tids_fwd_cookie);
482 if (aaa_cookie[n_aaa]==NULL) {
483 tr_notice("tr_tids_req_handler: unable to allocate cookie for AAA thread %d.", n_aaa);
487 talloc_set_destructor((void *)(aaa_cookie[n_aaa]), tr_tids_fwd_cookie_destructor);
488 /* fill in the cookie. To ensure the thread has valid data even if we exit first and
489 * abandon it, duplicate anything pointed to (except the mq). */
490 aaa_cookie[n_aaa]->thread_id=n_aaa;
491 if (0!=pthread_mutex_init(&(aaa_cookie[n_aaa]->mutex), NULL)) {
492 tr_notice("tr_tids_req_handler: unable to init mutex for AAA thread %d.", n_aaa);
496 aaa_cookie[n_aaa]->mq=mq;
497 aaa_cookie[n_aaa]->aaa_hostname=tr_dup_name(this_aaa->hostname);
498 aaa_cookie[n_aaa]->dh_params=tr_dh_dup(orig_req->tidc_dh);
499 aaa_cookie[n_aaa]->fwd_req=tid_dup_req(fwd_req);
500 talloc_steal(aaa_cookie[n_aaa], aaa_cookie[n_aaa]->fwd_req);
501 tr_debug("tr_tids_req_handler: cookie %d initialized.", n_aaa);
503 /* Take the cookie out of tmp_ctx before starting thread. If thread starts, it becomes
504 * responsible for freeing it until it queues a response. If we did not do this, the possibility
505 * exists that this function exits, freeing the cookie, before the thread takes the cookie
506 * out of our tmp_ctx. This would cause a segfault or talloc error in the thread. */
507 talloc_steal(NULL, aaa_cookie[n_aaa]);
508 if (0!=pthread_create(&(aaa_thread[n_aaa]), NULL, tr_tids_req_fwd_thread, aaa_cookie[n_aaa])) {
509 talloc_steal(tmp_ctx, aaa_cookie[n_aaa]); /* thread start failed; steal this back */
510 tr_notice("tr_tids_req_handler: unable to start AAA thread %d.", n_aaa);
514 tr_debug("tr_tids_req_handler: thread %d started.", n_aaa);
517 /* determine expiration time */
518 if (0!=tr_mq_pop_timeout(cfg_mgr->active->internal->tid_req_timeout, &ts_abort)) {
519 tr_notice("tr_tids_req_handler: unable to read clock for timeout.");
524 /* wait for responses */
525 tr_debug("tr_tids_req_handler: waiting for response(s).");
528 while (((n_responses+n_failed)<n_aaa) &&
529 (NULL!=(msg=tr_mq_pop(mq, &ts_abort)))) {
530 /* process message */
531 if (0==strcmp(tr_mq_msg_get_message(msg), TR_TID_MQMSG_SUCCESS)) {
532 payload=talloc_get_type_abort(tr_mq_msg_get_payload(msg), TR_RESP_COOKIE);
533 talloc_steal(tmp_ctx, payload); /* put this back in our context */
534 aaa_resp[payload->thread_id]=payload->resp; /* save pointers to these */
536 if (payload->resp->result==TID_SUCCESS) {
537 tr_tids_merge_resps(resp, payload->resp);
541 tr_notice("tr_tids_req_handler: TID error received from AAA server %d: %.*s",
543 payload->resp->err_msg->len,
544 payload->resp->err_msg->buf);
546 } else if (0==strcmp(tr_mq_msg_get_message(msg), TR_TID_MQMSG_FAILURE)) {
549 payload=talloc_get_type(tr_mq_msg_get_payload(msg), TR_RESP_COOKIE);
551 talloc_steal(tmp_ctx, payload); /* put this back in our context */
553 /* this means the thread was unable to allocate a response cookie, and we thus cannot determine which thread it was. This is bad and should never happen in a working system.. Give up. */
554 tr_notice("tr_tids_req_handler: TID request thread sent invalid reply. Aborting!");
558 tr_notice("tr_tids_req_handler: TID request for AAA server %d failed.",
561 /* unexpected message */
562 tr_err("tr_tids_req_handler: Unexpected message received. Aborting!");
567 /* Set the cookie pointer to NULL so we know we've dealt with this one. The
568 * cookie itself is in our tmp_ctx, which we'll free before exiting. Let it hang
569 * around in case we are still using pointers to elements of the cookie. */
570 aaa_cookie[payload->thread_id]=NULL;
574 /* check whether we've received enough responses to exit */
575 if ((idp_shared && (n_responses>0)) ||
576 (resp_frac_denom*n_responses>=resp_frac_numer*n_aaa))
580 tr_debug("tr_tids_req_handler: done waiting for responses. %d responses, %d failures.",
581 n_responses, n_failed);
582 /* Inform any remaining threads that we will no longer handle their responses. */
583 for (ii=0; ii<n_aaa; ii++) {
584 if (aaa_cookie[ii]!=NULL) {
585 if (0!=tr_tids_fwd_get_mutex(aaa_cookie[ii]))
586 tr_notice("tr_tids_req_handler: unable to get mutex for AAA thread %d.", ii);
588 aaa_cookie[ii]->mq=NULL; /* threads will not try to respond through a null mq */
590 if (0!=tr_tids_fwd_release_mutex(aaa_cookie[ii]))
591 tr_notice("tr_tids_req_handler: unable to release mutex for AAA thread %d.", ii);
595 /* Now all threads have either replied (and aaa_cookie[ii] is null) or have been told not to
596 * reply (by setting their mq pointer to null). However, some may have responded by placing
597 * a message on the mq after we last checked but before we set their mq pointer to null. These
598 * will not know that we gave up on them, so we must free their cookies for them. We can just
599 * go through any remaining messages on the mq to identify these threads. By putting them in
600 * our context instead of freeing them directly, we ensure we don't accidentally invalidate
601 * any of our own pointers into the structure before this function exits. */
602 while (NULL!=(msg=tr_mq_pop(mq, NULL))) {
603 payload=(TR_RESP_COOKIE *)tr_mq_msg_get_payload(msg);
604 if (aaa_cookie[payload->thread_id]!=NULL)
605 talloc_steal(tmp_ctx, aaa_cookie[payload->thread_id]);
610 if (n_responses==0) {
611 /* No requests succeeded. Forward an error if we got any error responses. */
612 for (ii=0; ii<n_aaa; ii++) {
613 if (aaa_resp[ii]!=NULL)
614 tids_send_response(tids, orig_req, aaa_resp[ii]);
616 tids_send_err_response(tids, orig_req, "Unable to contact AAA server(s).");
624 talloc_free(tmp_ctx);
628 static int tr_tids_gss_handler(gss_name_t client_name, TR_NAME *gss_name,
631 struct tr_tids_event_cookie *cookie=talloc_get_type_abort(data, struct tr_tids_event_cookie);
632 TIDS_INSTANCE *tids = cookie->tids;
633 TR_CFG_MGR *cfg_mgr = cookie->cfg_mgr;
635 if ((!client_name) || (!gss_name) || (!tids) || (!cfg_mgr)) {
636 tr_debug("tr_tidc_gss_handler: Bad parameters.");
640 /* Ensure at least one client exists using this GSS name */
641 if (NULL == tr_rp_client_lookup(cfg_mgr->active->rp_clients, gss_name)) {
642 tr_debug("tr_tids_gss_handler: Unknown GSS name %.*s", gss_name->len, gss_name->buf);
646 /* Store the GSS name */
647 tids->gss_name = tr_dup_name(gss_name);
648 tr_debug("Client's GSS Name: %.*s", gss_name->len, gss_name->buf);
654 /***** TIDS event handling *****/
656 /* called when a connection to the TIDS port is received */
657 static void tr_tids_event_cb(int listener, short event, void *arg)
659 TIDS_INSTANCE *tids = (TIDS_INSTANCE *)arg;
661 if (0==(event & EV_READ))
662 tr_debug("tr_tids_event_cb: unexpected event on TIDS socket (event=0x%X)", event);
664 tids_accept(tids, listener);
667 /* Configure the tids instance and set up its event handler.
668 * Returns 0 on success, nonzero on failure. Fills in
669 * *tids_event (which should be allocated by caller). */
670 int tr_tids_event_init(struct event_base *base,
674 struct tr_socket_event *tids_ev)
676 TALLOC_CTX *tmp_ctx=talloc_new(NULL);
677 struct tr_tids_event_cookie *cookie=NULL;
681 if (tids_ev == NULL) {
682 tr_debug("tr_tids_event_init: Null tids_ev.");
687 /* Create the cookie for callbacks. We'll put it in the tids context, so it will
688 * be cleaned up when tids is freed by talloc_free. */
689 cookie=talloc(tmp_ctx, struct tr_tids_event_cookie);
690 if (cookie == NULL) {
691 tr_debug("tr_tids_event_init: Unable to allocate cookie.");
696 cookie->cfg_mgr=cfg_mgr;
698 talloc_steal(tids, cookie);
700 /* get a tids listener */
701 tids_ev->n_sock_fd = tids_get_listener(tids,
704 cfg_mgr->active->internal->hostname,
705 cfg_mgr->active->internal->tids_port,
709 if (tids_ev->n_sock_fd==0) {
710 tr_crit("Error opening TID server socket.");
716 for (ii=0; ii<tids_ev->n_sock_fd; ii++) {
717 tids_ev->ev[ii]=event_new(base,
718 tids_ev->sock_fd[ii],
722 event_add(tids_ev->ev[ii], NULL);
726 talloc_free(tmp_ctx);