config.*
tr/trust_router
common/dh_test/tr_dh_test
+common/t_constraint
tid/example/tids
tid/example/tidc
\ No newline at end of file
AM_CFLAGS = -Wall -Werror=missing-prototypes -Werror=strict-prototypes -Wno-parentheses
SUBDIRS = gsscon
common_srcs = common/tr_name.c \
-common/tr_msg.c \
-common/tr_dh.c \
+ common/tr_constraint.c \
+ common/tr_msg.c \
+ common/tr_dh.c \
common/tr_util.c
+check_PROGRAMS = common/t_constraint
+
lib_LTLIBRARIES = libtr_tid.la
+common_t_constraint_SOURCES = common/t_constraint.c
+common_t_constraint_CPPFLAGS = $(AM_CPPFLAGS) -DTESTS=\"$(srcdir)/common/tests.json\"
+common_t_constraint_LDADD = gsscon/libgsscon.la libtr_tid.la
+
tr_trust_router_SOURCES = tr/tr_main.c \
common/tr_config.c \
common/tr_idp.c \
common/tr_comm.c \
common/tr_filter.c \
-common/tr_constraint.c \
common/tr_rp.c \
tr/tr.c
systemd_DATA=tids.service
-EXTRA_DIST = trust_router.spec
+EXTRA_DIST = trust_router.spec common/tests.json
--- /dev/null
+/*
+ * Copyright (c) 2012, JANET(UK)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of JANET(UK) nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <jansson.h>
+#include <stdio.h>
+#include <assert.h>
+
+#include <trust_router/tid.h>
+#include <trust_router/tr_constraint.h>
+#include <tr_debug.h>
+
+static TID_REQ *request = NULL;
+
+static int handle_test_case(
+ json_t *tc)
+{
+ json_t *constraints, *valid, *expected;
+ int validp;
+ json_t *result;
+ assert(constraints = json_object_get(tc, "constraints"));
+ assert( valid = json_object_get(tc, "valid"));
+ validp = tr_constraint_set_validate((TR_CONSTRAINT_SET *)constraints);
+ if (validp != json_is_true(valid)) {
+ tr_debug("Unexpected validation result for \n");
+ json_dumpf( constraints, stderr, JSON_INDENT(4));
+ return 0;
+ }
+ if (!validp)
+ return 1;
+ assert( expected = json_object_get(tc, "expected"));
+ result = (json_t *) tr_constraint_set_intersect(request, (TR_CONSTRAINT_SET *) constraints);
+ if (!json_equal(result, expected)) {
+ tr_debug("Unexpected intersection; actual:\n");
+ json_dumpf(result, stderr, JSON_INDENT(4));
+ tr_debug("Expected: \n");
+ json_dumpf(expected, stderr, JSON_INDENT(4));
+ return 0;
+ }
+ return 1;
+}
+
+int main(void) {
+ json_t *tests;
+ int error=0;
+ json_t *tc;
+ size_t index;
+ request = tid_req_new();
+ tests = json_load_file(TESTS, JSON_REJECT_DUPLICATES|JSON_DISABLE_EOF_CHECK, NULL);
+ json_array_foreach(tests, index, tc)
+ if (!handle_test_case(tc))
+ error = 1;
+ if (error)
+ return 1;
+ return 0;
+}
--- /dev/null
+[
+ {
+ "constraints": [{}],
+ "valid": true,
+ "expected": [{}]
+ },
+ {
+ "constraints": [33],
+ "valid": false
+ },
+ {
+ "constraints": [{
+ "domain": ["ja.net", "*.ja.net", "foo.ja.net"]
+ }],
+ "valid": true,
+ "expected": [{
+ "domain": ["ja.net", "*.ja.net"]
+ }]
+ },
+ {
+ "constraints": [{
+ "domain": ["*"],
+ "realm": ["*"]
+ },
+ {
+ "domain": ["*.cam.ac.uk"]
+ }],
+ "expected": [{
+ "domain": ["*.cam.ac.uk"],
+ "realm": []
+ }],
+ "valid": true
+ }
+ ]
*
*/
#include <jansson.h>
+#include <assert.h>
#include <tr_filter.h>
+#include <tr_debug.h>
+
#include <trust_router/tr_constraint.h>
/* Returns TRUE (1) if the the string (str) matchs the wildcard string (wc_str), FALSE (0) if not.
if (fline->domain_cons)
tr_constraint_add_to_set((TR_CONSTRAINT_SET **)&cset, fline->domain_cons);
- return cset;
+ return (TR_CONSTRAINT_SET *) cset;
}
/* A constraint set is represented in json as an array of constraint
/* If we don't already have a json object, create one */
if (!(*cset))
- *cset = json_array();
+ *cset = (TR_CONSTRAINT_SET *) json_array();
/* Create a json object representing cons */
jmatches = json_array();
json_object_set_new(jcons, cons->type->buf, jmatches);
/* Add the created object to the cset object */
- json_array_append_new(*cset, jcons);
+ json_array_append_new((json_t *) *cset, jcons);
}
+ int tr_constraint_set_validate(TR_CONSTRAINT_SET *cset)
+{
+ json_t *json = (json_t *) cset;
+ size_t i;
+ json_t *set_member;
+ if (!json_is_array(json)){
+ tr_debug("Constraint_set is not an array");
+ return 0;
+ }
+ json_array_foreach(json, i, set_member) {
+ json_t *value;
+ const char *key;
+ if (!json_is_object(set_member)) {
+ tr_debug("Constraint member at %zu is not an object\n", i);
+ return 0;
+ }
+ json_object_foreach( set_member, key, value) {
+ size_t inner_index;
+ json_t *inner_value;
+ if (!json_is_array(value)) {
+ tr_debug("Constraint type %s at index %zu in constraint set is not an array\n", key,
+ i);
+ return 0;
+ }
+ json_array_foreach(value, inner_index, inner_value) {
+ if (!json_is_string(inner_value)) {
+ tr_debug("Constraint type %s at index %zu in constraint set has non-string element %zu\n",
+ key, i, inner_index);
+ return 0;
+ }
+ }
+ }
+ }
+ return 1;
+}
+
+
+TR_CONSTRAINT_SET *tr_constraint_set_filter( TID_REQ *request,
+ TR_CONSTRAINT_SET *orig,
+ const char *constraint_type)
+{
+ json_t *orig_cset = (json_t*) orig;
+ json_t *new_cs = NULL;
+ size_t index;
+ json_t *set_member;
+ if (!tr_constraint_set_validate( (TR_CONSTRAINT_SET *) orig_cset)) {
+ tr_debug ("tr_constraint_set_filter: not a valid constraint set\n");
+ return NULL;
+ }
+ assert (new_cs = json_array());
+ json_array_foreach(orig_cset, index, set_member) {
+ if (json_object_get( set_member, constraint_type))
+ json_array_append(new_cs, set_member);
+ }
+ return (TR_CONSTRAINT_SET *) new_cs;
+}
+
+/**
+ * Within a given constraint object merge any overlapping domain or
+ * realm constraints. For example ['*','*.net'] can be simplified to
+ * ['*']
+ */
+static void merge_constraints(json_t *constraint, const char *key)
+{
+ json_t *value_1, *value_2, *constraint_array;
+ size_t index_1, index_2;
+ /*
+ * Go through the loop pairwise linear, removing elements where one
+ * element is a subset of the other. Always shrik the array from
+ * the end so that index_1 never becomes invalid (swapping if
+ * needed).
+ */
+ constraint_array = json_object_get(constraint, key);
+ if (NULL == constraint_array)
+ return;
+ json_array_foreach( constraint_array, index_1, value_1)
+ json_array_foreach( constraint_array, index_2, value_2) {
+ if (index_2 <= index_1)
+ continue;
+ if ( tr_prefix_wildcard_match( json_string_value(value_2),
+ json_string_value(value_1))) {
+ json_array_remove(constraint_array, index_2);
+ index_2--;
+ }else if (tr_prefix_wildcard_match( json_string_value(value_1),
+ json_string_value(value_2))) {
+ json_array_set(constraint_array, index_1, value_2);
+ json_array_remove(constraint_array, index_2);
+ index_2--;
+ }
+ }
+}
+
+/**
+ * Returns an array of constraint strings that is the intersection of
+ * all constraints in the constraint_set of type #type
+ */
+static json_t *constraint_intersect_internal( TR_CONSTRAINT_SET *constraints,
+ const char *constraint_type)
+{
+ json_t *constraint, *result = NULL;
+ size_t i;
+ json_array_foreach( (json_t *) constraints, i, constraint) {
+ merge_constraints( constraint, constraint_type);
+ if (NULL == result) {
+ result = json_object_get(constraint, constraint_type);
+ if (NULL != result)
+ result = json_copy(result);
+ } else {
+ json_t *intersect, *value_1, *value_2;
+ size_t index_1, index_2;
+ intersect = json_object_get(constraint, constraint_type);
+ result_loop:
+ json_array_foreach(result, index_1, value_1) {
+ json_array_foreach(intersect, index_2, value_2) {
+ if (tr_prefix_wildcard_match( json_string_value(value_1),
+ json_string_value(value_2)))
+ goto result_acceptable;
+ else if (tr_prefix_wildcard_match(json_string_value( value_2),
+ json_string_value(value_1))) {
+ json_array_set(result, index_1, value_2);
+ goto result_acceptable;
+ }
+ }
+ json_array_remove(result, index_1);
+ if (index_1 == 0)
+ goto result_loop;
+ index_1--;
+ result_acceptable: continue;
+ }
+ }
+ }
+ return result;
+}
+
+/**
+ * Return the intersection of domain and realm constraints.
+ * Return is live until #request is freed.
+ */
+TR_CONSTRAINT_SET *tr_constraint_set_intersect( TID_REQ *request,
+ TR_CONSTRAINT_SET *input)
+{
+ json_t *domain=NULL, *realm=NULL;
+ json_t *result = NULL, *result_array = NULL;
+ if (tr_constraint_set_validate(input)) {
+ domain = constraint_intersect_internal(input, "domain");
+ realm = constraint_intersect_internal(input, "realm");
+ }
+ assert(result = json_object());
+ if (domain)
+ json_object_set_new(result, "domain", domain);
+ if (realm)
+ json_object_set_new(result, "realm", realm);
+ assert(result_array = json_array());
+ json_array_append_new(result_array, result);
+ tid_req_cleanup_json( request, result_array);
+ return (TR_CONSTRAINT_SET *) result_array;
+}
--- /dev/null
+/*
+ * Copyright (c) 2014, JANET(UK)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of JANET(UK) nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef _TR_DEBUG_H
+#define _TR_DEBUG_H
+
+#define tr_debug(...) fprintf( stderr, __VA_ARGS__)
+
+#endif
#include <trust_router/tr_name.h>
#include <trust_router/tr_versioning.h>
-#include <trust_router/tr_constraint.h>
#include <gssapi.h>
DH *aaa_server_dh; /* AAA server's public dh information */
} TID_SRVR_BLK;
+typedef struct _tr_constraint_set TR_CONSTRAINT_SET;
+
typedef struct tid_resp {
TID_RC result;
TR_NAME *err_msg;
#ifndef TR_CONSTRAINT_H
#define TR_CONSTRAINT_H
-
#include <trust_router/tr_name.h>
+#include <trust_router/tid.h>
+
#define TR_MAX_CONST_MATCHES 24
-typedef void TR_CONSTRAINT_SET;
typedef struct tr_constraint {
TR_NAME *type;
TR_NAME *matches[TR_MAX_CONST_MATCHES];
} TR_CONSTRAINT;
-void tr_constraint_add_to_set (TR_CONSTRAINT_SET **cs, TR_CONSTRAINT *c);
+void TR_EXPORT tr_constraint_add_to_set (TR_CONSTRAINT_SET **cs, TR_CONSTRAINT *c);
+
+int TR_EXPORT tr_constraint_set_validate( TR_CONSTRAINT_SET *);
+/**
+ * Create a new constraint set containing all constraints from #orig
+ * with constraint_type #constraint_type and no others. This constraint set is
+ * live until #request is freed.
+ */
+TR_EXPORT TR_CONSTRAINT_SET *tr_constraint_set_filter(TID_REQ *request,
+ TR_CONSTRAINT_SET *orig,
+ const char * constraint_type);
+TR_EXPORT TR_CONSTRAINT_SET
+*tr_constraint_set_intersect(TID_REQ *request,
+ TR_CONSTRAINT_SET *input);
#endif