2 * Copyright (c) 2016, JANET(UK)
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of JANET(UK) nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
23 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
24 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
25 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
26 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
27 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
29 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
30 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
31 * OF THE POSSIBILITY OF SUCH DAMAGE.
37 #include <trust_router/tr_dh.h>
38 #include <tid_internal.h>
39 #include <tr_filter.h>
46 #include <trp_internal.h>
47 #include <tr_config.h>
52 /* Structure to hold data for the tid response callback */
53 typedef struct tr_resp_cookie {
58 /* hold a tids instance and a config manager */
59 struct tr_tids_event_cookie {
65 static void tr_tidc_resp_handler(TIDC_INSTANCE *tidc,
70 TR_RESP_COOKIE *cookie=talloc_get_type_abort(resp_cookie, TR_RESP_COOKIE);
72 tr_debug("tr_tidc_resp_handler: Response received! Realm = %s, Community = %s, result = %s.",
75 (TID_SUCCESS==resp->result)?"success":"error");
77 if (resp->error_path!=NULL)
78 tr_debug("tr_tids_resp_handler: error_path is set.");
79 cookie->resp=tid_resp_dup(cookie, resp);
82 /* data for AAA req forwarding threads */
83 struct tr_tids_fwd_cookie {
85 pthread_mutex_t mutex; /* lock on the mq (separate from the locking within the mq, see below) */
86 TR_MQ *mq; /* messages from thread to main process; set to NULL to disable response */
87 TR_NAME *aaa_hostname;
89 TID_REQ *fwd_req; /* the req to duplicate */
92 static int tr_tids_fwd_cookie_destructor(void *obj)
94 struct tr_tids_fwd_cookie *c=talloc_get_type_abort(obj, struct tr_tids_fwd_cookie);
95 if (c->aaa_hostname!=NULL)
96 tr_free_name(c->aaa_hostname);
97 if (c->dh_params!=NULL)
98 tr_destroy_dh_params(c->dh_params);
102 /* Block until we get the lock, returns 0 on success.
103 * The mutex is used to protect changes to the mq pointer in
104 * a thread's cookie. The master thread sets this to null to indicate
105 * that it has abandoned the thread and the message queue is no longer
106 * valid. This is unrelated to the locking in the message queue
107 * implementation itself. */
108 static int tr_tids_fwd_get_mutex(struct tr_tids_fwd_cookie *cookie)
113 return (pthread_mutex_lock(&(cookie->mutex)));
116 static int tr_tids_fwd_release_mutex(struct tr_tids_fwd_cookie *cookie)
121 return (pthread_mutex_unlock(&(cookie->mutex)));
124 /* values for messages */
125 #define TR_TID_MQMSG_SUCCESS "tid success"
126 #define TR_TID_MQMSG_FAILURE "tid failure"
128 /* Thread main for sending and receiving a request to a single AAA server */
129 static void *tr_tids_req_fwd_thread(void *arg)
131 TALLOC_CTX *tmp_ctx=talloc_new(NULL);
132 struct tr_tids_fwd_cookie *args=talloc_get_type_abort(arg, struct tr_tids_fwd_cookie);
133 TIDC_INSTANCE *tidc=tidc_create();
135 TR_RESP_COOKIE *cookie=NULL;
139 talloc_steal(tmp_ctx, args); /* take responsibility for the cookie */
142 talloc_steal(tmp_ctx, tidc);
144 /* create the cookie we will use for our response */
145 cookie=talloc(tmp_ctx, TR_RESP_COOKIE);
147 tr_notice("tr_tids_req_fwd_thread: unable to allocate response cookie.");
151 cookie->thread_id=args->thread_id;
152 tr_debug("tr_tids_req_fwd_thread: thread %d started.", cookie->thread_id);
154 /* Create a TID client instance */
156 tr_crit("tr_tids_req_fwd_thread: Unable to allocate TIDC instance.");
157 /*tids_send_err_response(tids, orig_req, "Memory allocation failure");*/
158 /* TODO: encode reason for failure */
163 /* Set-up TID connection */
164 if (-1==(args->fwd_req->conn = tidc_open_connection(tidc,
165 args->aaa_hostname->buf,
166 TID_PORT, /* TODO: make this configurable */
167 &(args->fwd_req->gssctx)))) {
168 tr_notice("tr_tids_req_fwd_thread: Error in tidc_open_connection.");
169 /* tids_send_err_response(tids, orig_req, "Can't open connection to next hop TIDS"); */
170 /* TODO: encode reason for failure */
174 tr_debug("tr_tids_req_fwd_thread: thread %d opened TID connection to %s.",
176 args->aaa_hostname->buf);
178 /* Send a TID request. */
179 if (0 > (rc = tidc_fwd_request(tidc, args->fwd_req, tr_tidc_resp_handler, (void *)cookie))) {
180 tr_notice("Error from tidc_fwd_request, rc = %d.", rc);
184 /* cookie->resp should now contain our copy of the response */
186 tr_debug("tr_tids_req_fwd_thread: thread %d received response.");
189 /* Notify parent thread of the response, if it's still listening. */
190 if (0!=tr_tids_fwd_get_mutex(args)) {
191 tr_notice("tr_tids_req_fwd_thread: thread %d unable to acquire mutex.", cookie->thread_id);
192 } else if (NULL!=args->mq) {
193 /* mq is still valid, so we can queue our response */
194 tr_debug("tr_tids_req_fwd_thread: thread %d using valid msg queue.", cookie->thread_id);
196 msg=tr_mq_msg_new(tmp_ctx, TR_TID_MQMSG_SUCCESS, TR_MQ_PRIO_NORMAL);
198 msg=tr_mq_msg_new(tmp_ctx, TR_TID_MQMSG_FAILURE, TR_MQ_PRIO_NORMAL);
201 tr_notice("tr_tids_req_fwd_thread: thread %d unable to allocate response msg.", cookie->thread_id);
203 tr_mq_msg_set_payload(msg, (void *)cookie, NULL);
205 talloc_steal(msg, cookie); /* attach this to the msg so we can forget about it */
206 tr_mq_add(args->mq, msg);
207 talloc_steal(NULL, args); /* take out of our tmp_ctx; master thread now responsible for freeing */
208 tr_debug("tr_tids_req_fwd_thread: thread %d queued response message.", cookie->thread_id);
209 if (0!=tr_tids_fwd_release_mutex(args))
210 tr_notice("tr_tids_req_fwd_thread: Error releasing mutex.");
213 talloc_free(tmp_ctx);
217 /* Merges r2 into r1 if they are compatible. */
218 static TID_RC tr_tids_merge_resps(TID_RESP *r1, TID_RESP *r2)
220 /* ensure these are compatible replies */
221 if ((r1->result!=TID_SUCCESS) || (r2->result!=TID_SUCCESS))
224 if ((0!=tr_name_cmp(r1->rp_realm, r2->rp_realm)) ||
225 (0!=tr_name_cmp(r1->realm, r2->realm)) ||
226 (0!=tr_name_cmp(r1->comm, r2->comm)))
229 tid_srvr_blk_add(r1->servers, tid_srvr_blk_dup(r1, r2->servers));
234 * Process a TID request
236 * Return value of -1 means to send a TID_ERROR response. Fill in resp->err_msg or it will
237 * be returned as a generic error.
245 static int tr_tids_req_handler(TIDS_INSTANCE *tids,
250 TALLOC_CTX *tmp_ctx=talloc_new(NULL);
251 TR_AAA_SERVER *aaa_servers=NULL, *this_aaa=NULL;
254 TR_AAA_SERVER_ITER *aaa_iter=NULL;
255 pthread_t aaa_thread[TR_TID_MAX_AAA_SERVERS];
256 struct tr_tids_fwd_cookie *aaa_cookie[TR_TID_MAX_AAA_SERVERS]={NULL};
257 TID_RESP *aaa_resp[TR_TID_MAX_AAA_SERVERS]={NULL};
258 TR_RP_CLIENT *rp_client=NULL;
259 TR_RP_CLIENT_ITER *rpc_iter=NULL;
261 TID_REQ *fwd_req = NULL;
262 TR_COMM *cfg_comm = NULL;
263 TR_COMM *cfg_apc = NULL;
264 TR_FILTER_ACTION oaction = TR_FILTER_ACTION_REJECT;
265 time_t expiration_interval=0;
266 struct tr_tids_event_cookie *cookie=talloc_get_type_abort(cookie_in, struct tr_tids_event_cookie);
267 TR_CFG_MGR *cfg_mgr=cookie->cfg_mgr;
268 TRPS_INSTANCE *trps=cookie->trps;
269 TRP_ROUTE *route=NULL;
272 unsigned int n_responses=0;
273 unsigned int n_failed=0;
274 struct timespec ts_abort={0};
275 unsigned int resp_frac_numer=cfg_mgr->active->internal->tid_resp_numer;
276 unsigned int resp_frac_denom=cfg_mgr->active->internal->tid_resp_denom;
277 TR_RESP_COOKIE *payload=NULL;
278 TR_FILTER_TARGET *target=NULL;
282 if ((!tids) || (!orig_req) || (!resp)) {
283 tr_debug("tr_tids_req_handler: Bad parameters");
288 tr_debug("tr_tids_req_handler: Request received (conn = %d)! Realm = %s, Comm = %s", orig_req->conn,
289 orig_req->realm->buf, orig_req->comm->buf);
291 /* Duplicate the request, so we can modify and forward it */
292 if (NULL == (fwd_req=tid_dup_req(orig_req))) {
293 tr_debug("tr_tids_req_handler: Unable to duplicate request.");
294 retval=-1; /* response will be a generic internal error */
297 talloc_steal(tmp_ctx, fwd_req);
299 if (NULL == (cfg_comm=tr_comm_table_find_comm(cfg_mgr->active->ctable, orig_req->comm))) {
300 tr_notice("tr_tids_req_hander: Request for unknown comm: %s.", orig_req->comm->buf);
301 tid_resp_set_err_msg(resp, tr_new_name("Unknown community"));
306 /* We now need to apply the filters associated with the RP client handing us the request.
307 * It is possible (or even likely) that more than one client is associated with the GSS
308 * name we got from the authentication. We will apply all of them in an arbitrary order.
309 * For this to result in well-defined behavior, either only accept or only reject filter
310 * lines should be used, or a unique GSS name must be given for each RP realm. */
312 if (!tids->gss_name) {
313 tr_notice("tr_tids_req_handler: No GSS name for incoming request.");
314 tid_resp_set_err_msg(resp, tr_new_name("No GSS name for request"));
319 /* Keep original constraints, may add more from the filter. These will be added to orig_req as
320 * well. Need to verify that this is acceptable behavior, but it's what we've always done. */
321 fwd_req->cons=orig_req->cons;
323 target=tr_filter_target_tid_req(tmp_ctx, orig_req);
325 tr_crit("tid_req_handler: Unable to allocate filter target, cannot apply filter!");
326 tid_resp_set_err_msg(resp, tr_new_name("Incoming TID request filter error"));
331 rpc_iter=tr_rp_client_iter_new(tmp_ctx);
332 if (rpc_iter==NULL) {
333 tr_err("tid_req_handler: Unable to allocate RP client iterator.");
337 for (rp_client=tr_rp_client_iter_first(rpc_iter, cfg_mgr->active->rp_clients);
339 rp_client=tr_rp_client_iter_next(rpc_iter)) {
341 if (!tr_gss_names_matches(rp_client->gss_names, tids->gss_name))
342 continue; /* skip any that don't match the GSS name */
344 if (TR_FILTER_MATCH == tr_filter_apply(target,
345 tr_filter_set_get(rp_client->filters,
346 TR_FILTER_TYPE_TID_INBOUND),
349 break; /* Stop looking, oaction is set */
352 /* We get here whether or not a filter matched. If tr_filter_apply() doesn't match, it returns
353 * a default action of reject, so we don't have to check why we exited the loop. */
354 if (oaction != TR_FILTER_ACTION_ACCEPT) {
355 tr_notice("tr_tids_req_handler: Incoming TID request rejected by filter for GSS name", orig_req->rp_realm->buf);
356 tid_resp_set_err_msg(resp, tr_new_name("Incoming TID request filter error"));
361 /* Check that the rp_realm is a member of the community in the request */
362 if (NULL == tr_comm_find_rp(cfg_mgr->active->ctable, cfg_comm, orig_req->rp_realm)) {
363 tr_notice("tr_tids_req_handler: RP Realm (%s) not member of community (%s).", orig_req->rp_realm->buf, orig_req->comm->buf);
364 tid_resp_set_err_msg(resp, tr_new_name("RP COI membership error"));
369 /* Map the comm in the request from a COI to an APC, if needed */
370 if (TR_COMM_COI == cfg_comm->type) {
371 if (orig_req->orig_coi!=NULL) {
372 tr_notice("tr_tids_req_handler: community %s is COI but COI to APC mapping already occurred. Dropping request.",
373 orig_req->comm->buf);
374 tid_resp_set_err_msg(resp, tr_new_name("Second COI to APC mapping would result, permitted only once."));
379 tr_debug("tr_tids_req_handler: Community was a COI, switching.");
380 /* TBD -- In theory there can be more than one? How would that work? */
381 if ((!cfg_comm->apcs) || (!cfg_comm->apcs->id)) {
382 tr_notice("No valid APC for COI %s.", orig_req->comm->buf);
383 tid_resp_set_err_msg(resp, tr_new_name("No valid APC for community"));
387 apc = tr_dup_name(cfg_comm->apcs->id);
389 /* Check that the APC is configured */
390 if (NULL == (cfg_apc = tr_comm_table_find_comm(cfg_mgr->active->ctable, apc))) {
391 tr_notice("tr_tids_req_hander: Request for unknown comm: %s.", apc->buf);
392 tid_resp_set_err_msg(resp, tr_new_name("Unknown APC"));
398 fwd_req->orig_coi = orig_req->comm;
400 /* Check that rp_realm is a member of this APC */
401 if (NULL == (tr_comm_find_rp(cfg_mgr->active->ctable, cfg_apc, orig_req->rp_realm))) {
402 tr_notice("tr_tids_req_hander: RP Realm (%s) not member of community (%s).", orig_req->rp_realm->buf, orig_req->comm->buf);
403 tid_resp_set_err_msg(resp, tr_new_name("RP APC membership error"));
409 /* Look up the route for this community/realm. */
410 tr_debug("tr_tids_req_handler: looking up route.");
411 route=trps_get_selected_route(trps, orig_req->comm, orig_req->realm);
413 /* No route. Use default AAA servers if we have them. */
414 tr_debug("tr_tids_req_handler: No route for realm %s, defaulting.", orig_req->realm->buf);
415 if (NULL == (aaa_servers = tr_default_server_lookup(cfg_mgr->active->default_servers,
417 tr_notice("tr_tids_req_handler: No default AAA servers, discarded.");
418 tid_resp_set_err_msg(resp, tr_new_name("No path to AAA Server(s) for realm"));
424 /* Found a route. Determine the AAA servers or next hop address. */
425 tr_debug("tr_tids_req_handler: found route.");
426 if (trp_route_is_local(route)) {
427 tr_debug("tr_tids_req_handler: route is local.");
428 aaa_servers = tr_idp_aaa_server_lookup(cfg_mgr->active->ctable->idp_realms,
433 tr_debug("tr_tids_req_handler: route not local.");
434 aaa_servers = tr_aaa_server_new(tmp_ctx, trp_route_get_next_hop(route));
438 /* Since we aren't defaulting, check idp coi and apc membership */
439 if (NULL == (tr_comm_find_idp(cfg_mgr->active->ctable, cfg_comm, fwd_req->realm))) {
440 tr_notice("tr_tids_req_handler: IDP Realm (%s) not member of community (%s).", orig_req->realm->buf, orig_req->comm->buf);
441 tid_resp_set_err_msg(resp, tr_new_name("IDP community membership error"));
445 if ( cfg_apc && (NULL == (tr_comm_find_idp(cfg_mgr->active->ctable, cfg_apc, fwd_req->realm)))) {
446 tr_notice("tr_tids_req_handler: IDP Realm (%s) not member of APC (%s).", orig_req->realm->buf, orig_req->comm->buf);
447 tid_resp_set_err_msg(resp, tr_new_name("IDP APC membership error"));
453 /* Make sure we came through with a AAA server. If not, we can't handle the request. */
454 if (NULL == aaa_servers) {
455 tr_notice("tr_tids_req_handler: no route or AAA server for realm (%s) in community (%s).",
456 orig_req->realm->buf, orig_req->comm->buf);
457 tid_resp_set_err_msg(resp, tr_new_name("Missing trust route error"));
462 /* send a TID request to the AAA server(s), and get the answer(s) */
463 tr_debug("tr_tids_req_handler: sending TID request(s).");
465 expiration_interval = cfg_apc->expiration_interval;
466 else expiration_interval = cfg_comm->expiration_interval;
467 if (fwd_req->expiration_interval)
468 fwd_req->expiration_interval = (expiration_interval < fwd_req->expiration_interval) ? expiration_interval : fwd_req->expiration_interval;
469 else fwd_req->expiration_interval = expiration_interval;
471 /* Set up message queue for replies from req forwarding threads */
472 mq=tr_mq_new(tmp_ctx);
474 tr_notice("tr_tids_req_handler: unable to allocate message queue.");
478 tr_debug("tr_tids_req_handler: message queue allocated.");
481 aaa_iter=tr_aaa_server_iter_new(tmp_ctx);
482 if (aaa_iter==NULL) {
483 tr_notice("tr_tids_req_handler: unable to allocate AAA server iterator.");
487 for (n_aaa=0, this_aaa=tr_aaa_server_iter_first(aaa_iter, aaa_servers);
489 n_aaa++, this_aaa=tr_aaa_server_iter_next(aaa_iter)) {
490 tr_debug("tr_tids_req_handler: Preparing to start thread %d.", n_aaa);
492 aaa_cookie[n_aaa]=talloc(tmp_ctx, struct tr_tids_fwd_cookie);
493 if (aaa_cookie[n_aaa]==NULL) {
494 tr_notice("tr_tids_req_handler: unable to allocate cookie for AAA thread %d.", n_aaa);
498 talloc_set_destructor((void *)(aaa_cookie[n_aaa]), tr_tids_fwd_cookie_destructor);
499 /* fill in the cookie. To ensure the thread has valid data even if we exit first and
500 * abandon it, duplicate anything pointed to (except the mq). */
501 aaa_cookie[n_aaa]->thread_id=n_aaa;
502 if (0!=pthread_mutex_init(&(aaa_cookie[n_aaa]->mutex), NULL)) {
503 tr_notice("tr_tids_req_handler: unable to init mutex for AAA thread %d.", n_aaa);
507 aaa_cookie[n_aaa]->mq=mq;
508 aaa_cookie[n_aaa]->aaa_hostname=tr_dup_name(this_aaa->hostname);
509 aaa_cookie[n_aaa]->dh_params=tr_dh_dup(orig_req->tidc_dh);
510 aaa_cookie[n_aaa]->fwd_req=tid_dup_req(fwd_req);
511 talloc_steal(aaa_cookie[n_aaa], aaa_cookie[n_aaa]->fwd_req);
512 tr_debug("tr_tids_req_handler: cookie %d initialized.", n_aaa);
514 /* Take the cookie out of tmp_ctx before starting thread. If thread starts, it becomes
515 * responsible for freeing it until it queues a response. If we did not do this, the possibility
516 * exists that this function exits, freeing the cookie, before the thread takes the cookie
517 * out of our tmp_ctx. This would cause a segfault or talloc error in the thread. */
518 talloc_steal(NULL, aaa_cookie[n_aaa]);
519 if (0!=pthread_create(&(aaa_thread[n_aaa]), NULL, tr_tids_req_fwd_thread, aaa_cookie[n_aaa])) {
520 talloc_steal(tmp_ctx, aaa_cookie[n_aaa]); /* thread start failed; steal this back */
521 tr_notice("tr_tids_req_handler: unable to start AAA thread %d.", n_aaa);
525 tr_debug("tr_tids_req_handler: thread %d started.", n_aaa);
528 /* determine expiration time */
529 if (0!=tr_mq_pop_timeout(cfg_mgr->active->internal->tid_req_timeout, &ts_abort)) {
530 tr_notice("tr_tids_req_handler: unable to read clock for timeout.");
535 /* wait for responses */
536 tr_debug("tr_tids_req_handler: waiting for response(s).");
539 while (((n_responses+n_failed)<n_aaa) &&
540 (NULL!=(msg=tr_mq_pop(mq, &ts_abort)))) {
541 /* process message */
542 if (0==strcmp(tr_mq_msg_get_message(msg), TR_TID_MQMSG_SUCCESS)) {
543 payload=talloc_get_type_abort(tr_mq_msg_get_payload(msg), TR_RESP_COOKIE);
544 talloc_steal(tmp_ctx, payload); /* put this back in our context */
545 aaa_resp[payload->thread_id]=payload->resp; /* save pointers to these */
547 if (payload->resp->result==TID_SUCCESS) {
548 tr_tids_merge_resps(resp, payload->resp);
552 tr_notice("tr_tids_req_handler: TID error received from AAA server %d: %.*s",
554 payload->resp->err_msg->len,
555 payload->resp->err_msg->buf);
557 } else if (0==strcmp(tr_mq_msg_get_message(msg), TR_TID_MQMSG_FAILURE)) {
560 payload=talloc_get_type(tr_mq_msg_get_payload(msg), TR_RESP_COOKIE);
562 talloc_steal(tmp_ctx, payload); /* put this back in our context */
564 /* this means the thread was unable to allocate a response cookie, and we thus cannot determine which thread it was. This is bad and should never happen in a working system.. Give up. */
565 tr_notice("tr_tids_req_handler: TID request thread sent invalid reply. Aborting!");
569 tr_notice("tr_tids_req_handler: TID request for AAA server %d failed.",
572 /* unexpected message */
573 tr_err("tr_tids_req_handler: Unexpected message received. Aborting!");
578 /* Set the cookie pointer to NULL so we know we've dealt with this one. The
579 * cookie itself is in our tmp_ctx, which we'll free before exiting. Let it hang
580 * around in case we are still using pointers to elements of the cookie. */
581 aaa_cookie[payload->thread_id]=NULL;
585 /* check whether we've received enough responses to exit */
586 if ((idp_shared && (n_responses>0)) ||
587 (resp_frac_denom*n_responses>=resp_frac_numer*n_aaa))
591 tr_debug("tr_tids_req_handler: done waiting for responses. %d responses, %d failures.",
592 n_responses, n_failed);
593 /* Inform any remaining threads that we will no longer handle their responses. */
594 for (ii=0; ii<n_aaa; ii++) {
595 if (aaa_cookie[ii]!=NULL) {
596 if (0!=tr_tids_fwd_get_mutex(aaa_cookie[ii]))
597 tr_notice("tr_tids_req_handler: unable to get mutex for AAA thread %d.", ii);
599 aaa_cookie[ii]->mq=NULL; /* threads will not try to respond through a null mq */
601 if (0!=tr_tids_fwd_release_mutex(aaa_cookie[ii]))
602 tr_notice("tr_tids_req_handler: unable to release mutex for AAA thread %d.", ii);
606 /* Now all threads have either replied (and aaa_cookie[ii] is null) or have been told not to
607 * reply (by setting their mq pointer to null). However, some may have responded by placing
608 * a message on the mq after we last checked but before we set their mq pointer to null. These
609 * will not know that we gave up on them, so we must free their cookies for them. We can just
610 * go through any remaining messages on the mq to identify these threads. By putting them in
611 * our context instead of freeing them directly, we ensure we don't accidentally invalidate
612 * any of our own pointers into the structure before this function exits. */
613 while (NULL!=(msg=tr_mq_pop(mq, NULL))) {
614 payload=(TR_RESP_COOKIE *)tr_mq_msg_get_payload(msg);
615 if (aaa_cookie[payload->thread_id]!=NULL)
616 talloc_steal(tmp_ctx, aaa_cookie[payload->thread_id]);
621 if (n_responses==0) {
622 /* No requests succeeded, so this will be an error */
625 /* If we got any error responses, send an arbitrarily chosen one. */
626 for (ii=0; ii<n_aaa; ii++) {
627 if (aaa_resp[ii] != NULL) {
628 tid_resp_cpy(resp, aaa_resp[ii]);
632 /* No error responses at all, so generate our own error. */
633 tid_resp_set_err_msg(resp, tr_new_name("Unable to contact AAA server(s)."));
641 talloc_free(tmp_ctx);
645 static int tr_tids_gss_handler(gss_name_t client_name, TR_NAME *gss_name,
648 struct tr_tids_event_cookie *cookie=talloc_get_type_abort(data, struct tr_tids_event_cookie);
649 TIDS_INSTANCE *tids = cookie->tids;
650 TR_CFG_MGR *cfg_mgr = cookie->cfg_mgr;
652 if ((!client_name) || (!gss_name) || (!tids) || (!cfg_mgr)) {
653 tr_debug("tr_tidc_gss_handler: Bad parameters.");
657 /* Ensure at least one client exists using this GSS name */
658 if (NULL == tr_rp_client_lookup(cfg_mgr->active->rp_clients, gss_name)) {
659 tr_debug("tr_tids_gss_handler: Unknown GSS name %.*s", gss_name->len, gss_name->buf);
663 /* Store the GSS name */
664 tids->gss_name = tr_dup_name(gss_name);
665 tr_debug("Client's GSS Name: %.*s", gss_name->len, gss_name->buf);
671 /***** TIDS event handling *****/
673 /* called when a connection to the TIDS port is received */
674 static void tr_tids_event_cb(int listener, short event, void *arg)
676 TIDS_INSTANCE *tids = (TIDS_INSTANCE *)arg;
678 if (0==(event & EV_READ))
679 tr_debug("tr_tids_event_cb: unexpected event on TIDS socket (event=0x%X)", event);
681 tids_accept(tids, listener);
684 /* Configure the tids instance and set up its event handler.
685 * Returns 0 on success, nonzero on failure. Fills in
686 * *tids_event (which should be allocated by caller). */
687 int tr_tids_event_init(struct event_base *base,
691 struct tr_socket_event *tids_ev)
693 TALLOC_CTX *tmp_ctx=talloc_new(NULL);
694 struct tr_tids_event_cookie *cookie=NULL;
698 if (tids_ev == NULL) {
699 tr_debug("tr_tids_event_init: Null tids_ev.");
704 /* Create the cookie for callbacks. We'll put it in the tids context, so it will
705 * be cleaned up when tids is freed by talloc_free. */
706 cookie=talloc(tmp_ctx, struct tr_tids_event_cookie);
707 if (cookie == NULL) {
708 tr_debug("tr_tids_event_init: Unable to allocate cookie.");
713 cookie->cfg_mgr=cfg_mgr;
715 talloc_steal(tids, cookie);
717 /* get a tids listener */
718 tids_ev->n_sock_fd = (int)tids_get_listener(tids,
721 cfg_mgr->active->internal->hostname,
722 cfg_mgr->active->internal->tids_port,
726 if (tids_ev->n_sock_fd==0) {
727 tr_crit("Error opening TID server socket.");
733 for (ii=0; ii<tids_ev->n_sock_fd; ii++) {
734 tids_ev->ev[ii]=event_new(base,
735 tids_ev->sock_fd[ii],
739 event_add(tids_ev->ev[ii], NULL);
743 talloc_free(tmp_ctx);
projects / trust_router.git / blob