Don't check IDP membership when defaulting, minor fixes. tr-peering
authorMargaret Wasserman <mrw@painless-security.com>
Tue, 23 Sep 2014 19:02:32 +0000 (15:02 -0400)
committerMargaret Wasserman <mrw@painless-security.com>
Tue, 23 Sep 2014 19:02:32 +0000 (15:02 -0400)
common/tr_config.c
tr/manual.cfg
tr/portal.cfg
tr/tr_main.c

index ca8520e..9b9fb19 100644 (file)
@@ -405,7 +405,7 @@ static TR_CFG_RC tr_cfg_parse_rp_clients (TR_CFG *trc, json_t *jcfg) {
                                                   &rc))) {
        return rc;
       }
-      fprintf(stderr, "tr_cfg_parse_rp_clients: RP client configured -- first gss: %s", rp->gss_names[0]->buf);
+      fprintf(stderr, "tr_cfg_parse_rp_clients: RP client configured -- first gss: %s\n", rp->gss_names[0]->buf);
       rp->next = trc->rp_clients;
       trc->rp_clients = rp;
     }
index 399878c..5d33638 100644 (file)
@@ -1,2 +1,2 @@
 {"tr_internal":{"max_tree_depth": 4,
-                "hostname":"moonshot-proxy.local"}}
\ No newline at end of file
+                "hostname":"margaret-moonshot3.local"}}
\ No newline at end of file
index 0998e1f..6ead29d 100644 (file)
@@ -2,31 +2,12 @@
   "communities": [
     {
       "apcs": [
-        "pci-community.ja.net"
       ],
-      "community_id": "comm.offcenter.org",
+      "community_id": "apc.painless-security.com",
       "idp_realms": [
-        "idr2.offcenter.org"
       ],
       "rp_realms": [
-        "sr3.offcenter.org"
-      ],
-      "type": "coi"
-    },
-    {
-      "apcs": [
-
-      ],
-      "community_id": "pci-community.ja.net",
-      "idp_realms": [
-        "idr1.offcenter.org",
-        "idr2.offcenter.org",
-        "ja.net",
-        "no-longer-untitled.offcenter.org"
-      ],
-      "rp_realms": [
-        "exchange.ja.net",
-        "sr3.offcenter.org"
+        "margaret-2.painless-security.com"
       ],
       "type": "apc"
     }
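Review bot: The remaining community `apc.painless-security.com` is declared with `"type": "apc"` but its `idp_realms` list is left empty, so under the tr_main.c change in this same commit any request in this community whose IdP realm is not resolved through the default AAA path will fail the new `tr_find_comm_idp()` check. If the intent is that only default-routed realms are served by this portal, that reads as a test-only configuration and is worth saying in the commit message, since JSON offers no place for a comment. The rp_realm `margaret-2.painless-security.com` is, by contrast, listed and will pass the RP membership test.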
         "filter_lines": [
           {
             "action": "accept",
-            "domain_constraints": ["*.exchange.ja.net"],
-            "filter_specs": [
-              {
-                "field": "rp_realm",
-                "match": "exchange.ja.net"
-              },
-              {
-                "field": "rp_realm",
-                "match": "*.exchange.ja.net"
-              }
-            ],
-            "realm_constraints": ["*.exchange.ja.net", "a.com"]
-          }
-        ],
-        "type": "rp_permitted"
-      },
-      "gss_names": [
-        "01b80aa9-8753-4691-8f8a-f49f7793546f@portal-realm.ja.net"
-      ]
-    },
-    {
-      "filter": {
-        "filter_lines": [
-          {
-            "action": "accept",
-            "domain_constraints": ["*.bob.sr3.offcenter.org"],
+            "domain_constraints": ["*.painless-security.com"],
             "filter_specs": [
               {
                 "field": "rp_realm",
-                "match": "sr3.offcenter.org"
+                "match": "margaret-2.painless-security.com"
               },
               {
                 "field": "rp_realm",
-                "match": "*.sr3.offcenter.org"
+                "match": "*.margaret-2.painless-security.com"
               }
             ],
-            "realm_constraints": ["*.sr3.offcenter.org" ]
+            "realm_constraints": ["*.painless-security.com", "a.com"]
           }
         ],
         "type": "rp_permitted"
       },
       "gss_names": [
-        "895c308a-5624-4055-bb4f-ea24b77e6637@portal-realm.ja.net"
+        "4b95cd61-616f-48f2-9713-7d2cbe19ce69@apc.painless-security.com"
       ]
     }
   ]
index 98aa2bb..659f899 100644 (file)
@@ -119,17 +119,12 @@ static int tr_tids_req_handler (TIDS_INSTANCE *tids,
     tids_send_err_response(tids, orig_req, "RP Realm filter error");
     return -1;
   }
-  /* Check that the rp_realm and target_realm are members of the community in the request */
+  /* Check that the rp_realm is a member of the community in the request */
   if (NULL == (tr_find_comm_rp(cfg_comm, orig_req->rp_realm))) {
-    fprintf(stderr, "tr_tids_req_hander: RP Realm (%s) not member of community (%s).\n", orig_req->rp_realm->buf, orig_req->comm->buf);
+    fprintf(stderr, "tr_tids_req_handler: RP Realm (%s) not member of community (%s).\n", orig_req->rp_realm->buf, orig_req->comm->buf);
     tids_send_err_response(tids, orig_req, "RP COI membership error");
     return -1;
   }
-  if (NULL == (tr_find_comm_idp(cfg_comm, orig_req->realm))) {
-    fprintf(stderr, "tr_tids_req_hander: IDP Realm (%s) not member of APC (%s).\n", orig_req->realm->buf, orig_req->comm->buf);
-    tids_send_err_response(tids, orig_req, "IDP COI membership error");
-    return -1;
-  }
 
   /* Map the comm in the request from a COI to an APC, if needed */
   if (TR_COMM_COI == cfg_comm->type) {
@@ -152,17 +147,12 @@ static int tr_tids_req_handler (TIDS_INSTANCE *tids,
     fwd_req->comm = apc;
     fwd_req->orig_coi = orig_req->comm;
 
-    /* Check that rp_realm and target_realm are members of this APC */
+    /* Check that rp_realm is a  member of this APC */
     if (NULL == (tr_find_comm_rp(cfg_apc, orig_req->rp_realm))) {
       fprintf(stderr, "tr_tids_req_hander: RP Realm (%s) not member of community (%s).\n", orig_req->rp_realm->buf, orig_req->comm->buf);
       tids_send_err_response(tids, orig_req, "RP APC membership error");
       return -1;
     }
-    if (NULL == (tr_find_comm_idp(cfg_apc, orig_req->realm))) {
-      fprintf(stderr, "tr_tids_req_hander: IDP Realm (%s) not member of APC (%s).\n", orig_req->realm->buf, orig_req->comm->buf);
-      tids_send_err_response(tids, orig_req, "IDP APC membership error");
-      return -1;
-    }
   }
 
   /* Find the AAA server(s) for this request */
@@ -176,6 +166,18 @@ static int tr_tids_req_handler (TIDS_INSTANCE *tids,
       tids_send_err_response(tids, orig_req, "No path to AAA Server(s) for realm");
       return -1;
       }
+  } else {
+    /* if we aren't defaulting, check idp coi and apc membership */
+    if (NULL == (tr_find_comm_idp(cfg_comm, fwd_req->orig_coi))) {
+      fprintf(stderr, "tr_tids_req_hander: IDP Realm (%s) not member of APC (%s).\n", orig_req->realm->buf, orig_req->comm->buf);
+      tids_send_err_response(tids, orig_req, "IDP COI membership error");
+      return -1;
+    }
+    if (NULL == (tr_find_comm_idp(cfg_apc, fwd_req->comm))) {
+      fprintf(stderr, "tr_tids_req_hander: IDP Realm (%s) not member of APC (%s).\n", orig_req->realm->buf, orig_req->comm->buf);
+      tids_send_err_response(tids, orig_req, "IDP APC membership error");
+      return -1;
+    }
   }
 
   /* send a TID request to the AAA server(s), and get the answer(s) */
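Review bot: The two new `tr_find_comm_idp()` calls pass community names — `fwd_req->orig_coi` and `fwd_req->comm` — as the IdP realm to look up, while the messages beside them still print `orig_req->realm` and the checks removed in the earlier hunks looked up `orig_req->realm`; as written, a non-defaulting request is tested for whether the community name is one of its own IdPs and will be rejected for every legitimately configured realm. Change them to `if (NULL == (tr_find_comm_idp(cfg_comm, orig_req->realm)))` and `if (NULL == (tr_find_comm_idp(cfg_apc, orig_req->realm)))`. The APC check also now runs outside the `TR_COMM_COI == cfg_comm->type` branch that sets `fwd_req->comm` and, presumably, `cfg_apc`, so for a request that names an APC directly `cfg_apc` may be NULL or stale — its declaration is outside this hunk, so either guard it (`if (NULL != cfg_apc && NULL == tr_find_comm_idp(cfg_apc, orig_req->realm))`) or confirm it is initialised to `cfg_comm` in the non-COI case. The condition this `else` belongs to starts before the hunk and the function continues past it; the new log lines also keep the `tr_tids_req_hander` misspelling the first hunk corrected, and the first one logs "not member of APC" while sending "IDP COI membership error".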