pthread_t aaa_thread[TR_TID_MAX_AAA_SERVERS];
struct tr_tids_fwd_cookie *aaa_cookie[TR_TID_MAX_AAA_SERVERS]={NULL};
TID_RESP *aaa_resp[TR_TID_MAX_AAA_SERVERS]={NULL};
+ TR_RP_CLIENT *rp_client=NULL;
+ TR_RP_CLIENT_ITER *rpc_iter=NULL;
TR_NAME *apc = NULL;
TID_REQ *fwd_req = NULL;
TR_COMM *cfg_comm = NULL;
TR_COMM *cfg_apc = NULL;
- int oaction = TR_FILTER_ACTION_REJECT;
+ TR_FILTER_ACTION oaction = TR_FILTER_ACTION_REJECT;
time_t expiration_interval=0;
struct tr_tids_event_cookie *cookie=talloc_get_type_abort(cookie_in, struct tr_tids_event_cookie);
TR_CFG_MGR *cfg_mgr=cookie->cfg_mgr;
unsigned int resp_frac_numer=cfg_mgr->active->internal->tid_resp_numer;
unsigned int resp_frac_denom=cfg_mgr->active->internal->tid_resp_denom;
TR_RESP_COOKIE *payload=NULL;
+ TR_FILTER_TARGET *target=NULL;
int ii=0;
int retval=-1;
goto cleanup;
}
- /* Check that the rp_realm matches the filter for the GSS name that
- * was received. N.B. that tids->rp_gss was pointed at the correct
- * rp_client when we received its GSS name. It is only set within
- * the TIDS handler subprocess. */
+ /* We now need to apply the filters associated with the RP client handing us the request.
+ * It is possible (or even likely) that more than one client is associated with the GSS
+ * name we got from the authentication. We will apply all of them in an arbitrary order.
+ * For this to result in well-defined behavior, either only accept or only reject filter
+ * lines should be used, or a unique GSS name must be given for each RP realm. */
- if ((!tids->rp_gss) ||
- (!tids->rp_gss->filter)) {
+ if (!tids->gss_name) {
tr_notice("tr_tids_req_handler: No GSS name for incoming request.");
tids_send_err_response(tids, orig_req, "No GSS name for request");
retval=-1;
goto cleanup;
}
- if ((TR_FILTER_NO_MATCH == tr_filter_process_rp_permitted(orig_req->rp_realm,
- tids->rp_gss->filter,
- orig_req->cons,
- &fwd_req->cons,
- &oaction)) ||
- (TR_FILTER_ACTION_REJECT == oaction)) {
- tr_notice("tr_tids_req_handler: RP realm (%s) does not match RP Realm filter for GSS name", orig_req->rp_realm->buf);
- tids_send_err_response(tids, orig_req, "RP Realm filter error");
+ /* Keep original constraints, may add more from the filter. These will be added to orig_req as
+ * well. Need to verify that this is acceptable behavior, but it's what we've always done. */
+ fwd_req->cons=orig_req->cons;
+
+ target=tr_filter_target_tid_req(tmp_ctx, orig_req);
+ if (target==NULL) {
+ tr_crit("tid_req_handler: Unable to allocate filter target, cannot apply filter!");
+ tids_send_err_response(tids, orig_req, "Incoming TID request filter error");
+ retval=-1;
+ goto cleanup;
+ }
+
+ rpc_iter=tr_rp_client_iter_new(tmp_ctx);
+ if (rpc_iter==NULL) {
+ tr_err("tid_req_handler: Unable to allocate RP client iterator.");
retval=-1;
goto cleanup;
}
+ for (rp_client=tr_rp_client_iter_first(rpc_iter, cfg_mgr->active->rp_clients);
+ rp_client != NULL;
+ rp_client=tr_rp_client_iter_next(rpc_iter)) {
+
+ if (!tr_gss_names_matches(rp_client->gss_names, tids->gss_name))
+ continue; /* skip any that don't match the GSS name */
+
+ if (TR_FILTER_MATCH == tr_filter_apply(target,
+ tr_filter_set_get(rp_client->filters,
+ TR_FILTER_TYPE_TID_INBOUND),
+ &(fwd_req->cons),
+ &oaction))
+ break; /* Stop looking, oaction is set */
+ }
+
+ /* We get here whether or not a filter matched. If tr_filter_apply() doesn't match, it returns
+ * a default action of reject, so we don't have to check why we exited the loop. */
+ if (oaction != TR_FILTER_ACTION_ACCEPT) {
+ tr_notice("tr_tids_req_handler: Incoming TID request rejected by filter for GSS name", orig_req->rp_realm->buf);
+ tids_send_err_response(tids, orig_req, "Incoming TID request filter error");
+ retval = -1;
+ goto cleanup;
+ }
+
/* Check that the rp_realm is a member of the community in the request */
if (NULL == tr_comm_find_rp(cfg_mgr->active->ctable, cfg_comm, orig_req->rp_realm)) {
tr_notice("tr_tids_req_handler: RP Realm (%s) not member of community (%s).", orig_req->rp_realm->buf, orig_req->comm->buf);
tr_debug("tr_tids_req_handler: looking up route.");
route=trps_get_selected_route(trps, orig_req->comm, orig_req->realm);
if (route==NULL) {
- tr_notice("tr_tids_req_handler: no route table entry found for realm (%s) in community (%s).",
- orig_req->realm->buf, orig_req->comm->buf);
- tids_send_err_response(tids, orig_req, "Missing trust route error");
- retval=-1;
- goto cleanup;
- }
- tr_debug("tr_tids_req_handler: found route.");
- if (trp_route_is_local(route)) {
- tr_debug("tr_tids_req_handler: route is local.");
- aaa_servers = tr_idp_aaa_server_lookup(cfg_mgr->active->ctable->idp_realms,
- orig_req->realm,
- orig_req->comm,
- &idp_shared);
- } else {
- tr_debug("tr_tids_req_handler: route not local.");
- aaa_servers = tr_aaa_server_new(tmp_ctx, trp_route_get_next_hop(route));
- idp_shared=0;
- }
-
- /* Find the AAA server(s) for this request */
- if (NULL == aaa_servers) {
- tr_debug("tr_tids_req_handler: No AAA Servers for realm %s, defaulting.", orig_req->realm->buf);
- if (NULL == (aaa_servers = tr_default_server_lookup (cfg_mgr->active->default_servers,
- orig_req->comm))) {
+ /* No route. Use default AAA servers if we have them. */
+ tr_debug("tr_tids_req_handler: No route for realm %s, defaulting.", orig_req->realm->buf);
+ if (NULL == (aaa_servers = tr_default_server_lookup(cfg_mgr->active->default_servers,
+ orig_req->comm))) {
tr_notice("tr_tids_req_handler: No default AAA servers, discarded.");
tids_send_err_response(tids, orig_req, "No path to AAA Server(s) for realm");
- retval=-1;
+ retval = -1;
goto cleanup;
}
- idp_shared=0;
+ idp_shared = 0;
} else {
- /* if we aren't defaulting, check idp coi and apc membership */
+ /* Found a route. Determine the AAA servers or next hop address. */
+ tr_debug("tr_tids_req_handler: found route.");
+ if (trp_route_is_local(route)) {
+ tr_debug("tr_tids_req_handler: route is local.");
+ aaa_servers = tr_idp_aaa_server_lookup(cfg_mgr->active->ctable->idp_realms,
+ orig_req->realm,
+ orig_req->comm,
+ &idp_shared);
+ } else {
+ tr_debug("tr_tids_req_handler: route not local.");
+ aaa_servers = tr_aaa_server_new(tmp_ctx, trp_route_get_next_hop(route));
+ idp_shared = 0;
+ }
+
+ /* Since we aren't defaulting, check idp coi and apc membership */
if (NULL == (tr_comm_find_idp(cfg_mgr->active->ctable, cfg_comm, fwd_req->realm))) {
tr_notice("tr_tids_req_handler: IDP Realm (%s) not member of community (%s).", orig_req->realm->buf, orig_req->comm->buf);
tids_send_err_response(tids, orig_req, "IDP community membership error");
}
}
+ /* Make sure we came through with a AAA server. If not, we can't handle the request. */
+ if (NULL == aaa_servers) {
+ tr_notice("tr_tids_req_handler: no route or AAA server for realm (%s) in community (%s).",
+ orig_req->realm->buf, orig_req->comm->buf);
+ tids_send_err_response(tids, orig_req, "Missing trust route error");
+ retval = -1;
+ goto cleanup;
+ }
+
/* send a TID request to the AAA server(s), and get the answer(s) */
tr_debug("tr_tids_req_handler: sending TID request(s).");
if (cfg_apc)
static int tr_tids_gss_handler(gss_name_t client_name, TR_NAME *gss_name,
void *data)
{
- TR_RP_CLIENT *rp;
struct tr_tids_event_cookie *cookie=talloc_get_type_abort(data, struct tr_tids_event_cookie);
TIDS_INSTANCE *tids = cookie->tids;
TR_CFG_MGR *cfg_mgr = cookie->cfg_mgr;
return -1;
}
- /* look up the RP client matching the GSS name */
- if ((NULL == (rp = tr_rp_client_lookup(cfg_mgr->active->rp_clients, gss_name)))) {
- tr_debug("tr_tids_gss_handler: Unknown GSS name %s", gss_name->buf);
+ /* Ensure at least one client exists using this GSS name */
+ if (NULL == tr_rp_client_lookup(cfg_mgr->active->rp_clients, gss_name)) {
+ tr_debug("tr_tids_gss_handler: Unknown GSS name %.*s", gss_name->len, gss_name->buf);
return -1;
}
- /* Store the rp client */
- tids->rp_gss = rp;
- tr_debug("Client's GSS Name: %s", gss_name->buf);
+ /* Store the GSS name */
+ tids->gss_name = tr_dup_name(gss_name);
+ tr_debug("Client's GSS Name: %.*s", gss_name->len, gss_name->buf);
return 0;
}
TALLOC_CTX *tmp_ctx=talloc_new(NULL);
struct tr_tids_event_cookie *cookie=NULL;
int retval=0;
- size_t ii=0;
+ int ii=0;
if (tids_ev == NULL) {
tr_debug("tr_tids_event_init: Null tids_ev.");
talloc_steal(tids, cookie);
/* get a tids listener */
- tids_ev->n_sock_fd=tids_get_listener(tids,
- tr_tids_req_handler,
- tr_tids_gss_handler,
- cfg_mgr->active->internal->hostname,
- cfg_mgr->active->internal->tids_port,
- (void *)cookie,
- tids_ev->sock_fd,
- TR_MAX_SOCKETS);
+ tids_ev->n_sock_fd = (int)tids_get_listener(tids,
+ tr_tids_req_handler,
+ tr_tids_gss_handler,
+ cfg_mgr->active->internal->hostname,
+ cfg_mgr->active->internal->tids_port,
+ (void *)cookie,
+ tids_ev->sock_fd,
+ TR_MAX_SOCKETS);
if (tids_ev->n_sock_fd==0) {
tr_crit("Error opening TID server socket.");
retval=1;
projects / trust_router.git / blobdiff