Introduce "remote" routes that we know about but cannot contact directly.

author Jennifer Richards <jennifer@painless-security.com>

Thu, 4 Aug 2016 16:45:14 +0000 (12:45 -0400)

committer Jennifer Richards <jennifer@painless-security.com>

Thu, 4 Aug 2016 16:45:14 +0000 (12:45 -0400)
author Jennifer Richards <jennifer@painless-security.com>
Thu, 4 Aug 2016 16:45:14 +0000 (12:45 -0400)
committer Jennifer Richards <jennifer@painless-security.com>
Thu, 4 Aug 2016 16:45:14 +0000 (12:45 -0400)
diff --git a/common/tr_config.c b/common/tr_config.c

index 514a300..299643b 100644 (file)
--- a/common/tr_config.c
+++ b/common/tr_config.c
@@ -43,6 +43,7 @@
  #include <tr_debug.h>
  #include <tr_filter.h>
  #include <trust_router/tr_constraint.h>
+#include <tr_idp.h>
  #include <tr.h>
  
  void tr_print_config (FILE *stream, TR_CFG *cfg) {
@@ -605,6 +606,7 @@ static TR_APC *tr_cfg_parse_apcs (TR_CFG *trc, json_t *japcs, TR_CFG_RC *rc)
  
  static TR_IDP_REALM *tr_cfg_parse_one_idp_realm (TR_CFG *trc, json_t *jidp, TR_CFG_RC *rc) {
    TR_IDP_REALM *idp = NULL;
+  json_t *jremote = NULL;
    json_t *jrid = NULL;
    json_t *jscfg = NULL;
    json_t *jsrvrs = NULL;
@@ -617,28 +619,46 @@ static TR_IDP_REALM *tr_cfg_parse_one_idp_realm (TR_CFG *trc, json_t *jidp, TR_C
      return NULL;
    }
  
-  if (NULL == (idp = talloc_zero(trc, TR_IDP_REALM))) {
+  if (NULL == (idp = tr_idp_realm_new(trc))) {
      tr_debug("tr_cfg_parse_one_idp_realm: Out of memory.");
      *rc = TR_CFG_NOMEM;
      return NULL;
    }
  
-  if ((NULL == (jrid = json_object_get(jidp, "realm_id"))) ||
-      (!json_is_string(jrid)) ||
-      (NULL == (jscfg = json_object_get(jidp, "shared_config"))) ||
-      (!json_is_string(jscfg)) ||
-      (NULL == (jsrvrs = json_object_get(jidp, "aaa_servers"))) ||
-      (!json_is_array(jsrvrs))) {
-    tr_debug("tr_cfg_parse_one_idp_realm: Error parsing IDP realm configuration.");
-    *rc = TR_CFG_NOPARSE;
+  /* Assume local route unless specified as remote. */
+  jremote = json_object_get(jidp, "remote");
+  if ((jremote!=NULL) && (!json_is_number(jremote))) {
+    tr_debug("tr_cfg_parse_one_idp_realm: Error parsing IDP realm configuration (remote is not a number).");
+    *rc=TR_CFG_NOPARSE;
      return NULL;
    }
  
-  if (0 == strcmp(json_string_value(jscfg), "no")) {
-    idp->shared_config = 0;
-  } else {
-    idp->shared_config = 1;
+  if ((NULL == (jrid = json_object_get(jidp, "realm_id"))) ||
+      (!json_is_string(jrid))) {
+      tr_debug("tr_cfg_parse_one_idp_realm: Error parsing IDP realm configuration (realm_id missing or invalid).");
+      *rc = TR_CFG_NOPARSE;
+      return NULL;
    }
+        
+  if ((jremote==NULL) || (0==json_integer_value(jremote))) {
+    idp->origin=TR_REALM_LOCAL;
+
+    if ((NULL == (jscfg = json_object_get(jidp, "shared_config"))) ||
+        (!json_is_string(jscfg)) ||
+        (NULL == (jsrvrs = json_object_get(jidp, "aaa_servers"))) ||
+        (!json_is_array(jsrvrs))) {
+      tr_debug("tr_cfg_parse_one_idp_realm: Error parsing IDP realm configuration.");
+      *rc = TR_CFG_NOPARSE;
+      return NULL;
+    }
+
+    if (0 == strcmp(json_string_value(jscfg), "no")) {
+      idp->shared_config = 0;
+    } else {
+      idp->shared_config = 1;
+    }
+  } else
+    idp->origin=TR_REALM_REMOTE_INCOMPLETE;
  
    if (NULL == (idp->realm_id = tr_new_name((char *)json_string_value(jrid)))) {
      tr_debug("tr_cfg_parse_one_idp_realm: No memory for realm id.");
@@ -646,21 +666,23 @@ static TR_IDP_REALM *tr_cfg_parse_one_idp_realm (TR_CFG *trc, json_t *jidp, TR_C
      return NULL;
    }
  
-  if (NULL == (idp->aaa_servers = tr_cfg_parse_aaa_servers(trc, jsrvrs, rc))) {
-    tr_debug("tr_cfg_parse_one_idp_realm: Can't parse AAA servers for realm %s.", idp->realm_id->buf);
-    tr_free_name(idp->realm_id);
-    return NULL;
-  }
-
    if ((NULL != (japcs = json_object_get(jidp, "apcs"))) &&
        (json_is_array(japcs))) {
      if (NULL == (idp->apcs = tr_cfg_parse_apcs(trc, japcs, rc))) {
        tr_debug("tr_cfg_parse_one_idp_realm: Can't parse APCs for realm %s .", idp->realm_id->buf);
        tr_free_name(idp->realm_id);
-      /* TBD -- free aaa_servers */;
+      /* TBD -- free aaa_servers */
        return NULL;
      }
    } 
+
+  if ((idp->origin==TR_REALM_LOCAL) &&
+      (NULL == (idp->aaa_servers = tr_cfg_parse_aaa_servers(trc, jsrvrs, rc)))) {
+    tr_debug("tr_cfg_parse_one_idp_realm: Can't parse AAA servers for realm %s.", idp->realm_id->buf);
+    tr_free_name(idp->realm_id);
+    return NULL;
+  }
+
    return idp;
  }
  
diff --git a/common/tr_idp.c b/common/tr_idp.c

index 3cba7be..542505e 100644 (file)
--- a/common/tr_idp.c
+++ b/common/tr_idp.c
@@ -32,6 +32,8 @@
   *
   */
  
+#include <talloc.h>
+
  #include <trust_router/tr_name.h>
  #include <tr_idp.h>
  #include <tr_config.h>
@@ -59,3 +61,19 @@ TR_AAA_SERVER *tr_default_server_lookup(TR_AAA_SERVER *default_servers, TR_NAME
  
    return(default_servers);
  }
+
+
+TR_IDP_REALM *tr_idp_realm_new(TALLOC_CTX *mem_ctx)
+{
+  TR_IDP_REALM *idp=talloc(mem_ctx, TR_IDP_REALM);
+  if (idp!=NULL) {
+    idp->next=NULL;
+    idp->comm_next=NULL;
+    idp->realm_id=NULL;
+    idp->shared_config=0;
+    idp->aaa_servers=NULL;
+    idp->apcs=NULL;
+    idp->origin=TR_REALM_LOCAL;
+  }
+  return idp;
+}
diff --git a/include/tr_idp.h b/include/tr_idp.h

index 25d281d..f06f3dd 100644 (file)
--- a/include/tr_idp.h
+++ b/include/tr_idp.h
@@ -35,6 +35,8 @@
  #ifndef TR_IDP_H
  #define TR_IDP_H
  
+#include <talloc.h>
+
  #include <trust_router/tr_name.h>
  #include <tr_apc.h>
  
@@ -43,6 +45,14 @@ typedef struct tr_aaa_server {
    TR_NAME *hostname;
  } TR_AAA_SERVER;
  
+/* may also want to use in tr_rp.h */
+typedef enum tr_realm_origin {
+  TR_REALM_LOCAL=0, /* realm we were configured to contact */
+  TR_REALM_REMOTE_INCOMPLETE, /* realm we were configured to know about, without contact info yet */
+  TR_REALM_REMOTE, /* realm we were configured to know about, with discovered contact info */
+  TR_REALM_DISCOVERED /* realm we learned about from a peer */
+} TR_REALM_ORIGIN;
+
  typedef struct tr_idp_realm {
    struct tr_idp_realm *next;
    struct tr_idp_realm *comm_next; /* for linked list in comm config */
@@ -50,8 +60,11 @@ typedef struct tr_idp_realm {
    int shared_config;
    TR_AAA_SERVER *aaa_servers;
    TR_APC *apcs;
+  TR_REALM_ORIGIN origin; /* how did we learn about this realm? */
  } TR_IDP_REALM;
    
+TR_IDP_REALM *tr_idp_realm_new(TALLOC_CTX *mem_ctx);
+
  TR_AAA_SERVER *tr_idp_aaa_server_lookup(TR_IDP_REALM *idp_realms, TR_NAME *idp_realm_name, TR_NAME *comm);
  TR_AAA_SERVER *tr_default_server_lookup(TR_AAA_SERVER *default_servers, TR_NAME *comm);
  #endif
diff --git a/tr/tr_trp.c b/tr/tr_trp.c

index 39e9825..cbc57a3 100644 (file)
--- a/tr/tr_trp.c
+++ b/tr/tr_trp.c
@@ -612,7 +612,7 @@ static TRP_ROUTE **tr_make_local_routes(TALLOC_CTX *mem_ctx,
  
    *n_routes=0;
  
-  if (realm==NULL)
+  if ((realm==NULL) || (realm->origin!=TR_REALM_LOCAL))
      goto cleanup;
  
    /* count apcs */
author	Jennifer Richards <jennifer@painless-security.com>
	Thu, 4 Aug 2016 16:45:14 +0000 (12:45 -0400)
committer	Jennifer Richards <jennifer@painless-security.com>
	Thu, 4 Aug 2016 16:45:14 +0000 (12:45 -0400)
common/tr_config.c		patch \| blob \| history
common/tr_idp.c		patch \| blob \| history
include/tr_idp.h		patch \| blob \| history
tr/tr_trp.c		patch \| blob \| history