From: Margaret Wasserman Date: Tue, 2 Jul 2013 18:42:01 +0000 (-0400) Subject: Code to check community membership on TR. X-Git-Tag: 1.0~21 X-Git-Url: http://www.project-moonshot.org/gitweb/?p=trust_router.git;a=commitdiff_plain;h=5c8c4deb4a3eac6ba6b900a4a80b3ad460677fb4 Code to check community membership on TR.
---
diff --git a/common/tr_comm.c b/common/tr_comm.c
index 9ad35b3..e032ea8 100644
--- a/common/tr_comm.c
+++ b/common/tr_comm.c
@@ -36,6 +36,43 @@
 #include
 #include
 #include
+#include
+
+TR_IDP_REALM *tr_find_comm_idp (TR_COMM *comm, TR_NAME *idp_realm)
+{
+ TR_IDP_REALM *idp;
+
+ if ((!comm) || (!idp_realm)) {
+ return NULL;
+ }
+
+ for (idp = comm->idp_realms; NULL != idp; idp = idp->next) {
+ if (!tr_name_cmp (idp_realm, idp->realm_id)) {
+ fprintf(stderr, "tr_find_comm_idp: Found %s.\n", idp_realm->buf);
+ return idp;
+ }
+ }
+ /* if we didn't find one, return NULL */
+ return NULL;
+}
+
+TR_RP_REALM *tr_find_comm_rp (TR_COMM *comm, TR_NAME *rp_realm)
+{
+ TR_RP_REALM *rp;
+
+ if ((!comm) || (!rp_realm)) {
+ return NULL;
+ }
+
+ for (rp = comm->rp_realms; NULL != rp; rp = rp->next) {
+ if (!tr_name_cmp (rp_realm, rp->realm_name)) {
+ fprintf(stderr, "tr_find_comm_idp: Found %s.\n", rp_realm->buf);
+ return rp;
+ }
+ }
+ /* if we didn't find one, return NULL */
+ return NULL;
+}
 
 TR_COMM *tr_comm_lookup(TR_INSTANCE *tr, TR_NAME *comm)
 {
diff --git a/common/tr_config.c b/common/tr_config.c
index cd9ee2b..b5e12f0 100644
--- a/common/tr_config.c
+++ b/common/tr_config.c
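Review bot: The diagnostic in tr_find_comm_rp names the wrong function: its fprintf prints `tr_find_comm_idp: Found %s.`, copied from the IdP lookup above it, which will mislead anyone tracing a membership decision in the log. Change it to `fprintf(stderr, "tr_find_comm_rp: Found %s.\n", rp_realm->buf);`. Both new functions become public API in tr_comm.h but carry no header comment; a short one stating that they walk comm->rp_realms / comm->idp_realms with tr_name_cmp and return NULL both for a NULL argument and for no match would let callers rely on NULL meaning "not a member". The targets of the #include directives are not visible in this rendering, so the new include cannot be checked here.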
@@ -595,26 +595,6 @@ TR_RP_CLIENT *tr_cfg_find_rp (TR_CFG *tr_cfg, TR_NAME *rp_gss, TR_CFG_RC *rc)
 return NULL;
 }
 
-TR_COMM *tr_cfg_find_comm (TR_CFG *tr_cfg, TR_NAME *comm_name, TR_CFG_RC *rc)
-{
- TR_COMM *comm;
-
- if ((!tr_cfg) || (!comm_name)) {
- if (rc)
- *rc = TR_CFG_BAD_PARAMS;
- return NULL;
- }
-
- for (comm = tr_cfg->comms; NULL != comm; comm = comm->next) {
- if (!tr_name_cmp (comm_name, comm->id)) {
- fprintf(stderr, "tr_cfg_find_comm: Found %s.\n", comm_name->buf);
- return comm;
- }
- }
- /* if we didn't find one, return NULL */
- return NULL;
-}
-
 json_t *tr_read_config (int n, struct dirent **cfg_files) {
 json_t *jcfg = NULL;
 json_t *temp = NULL;
diff --git a/include/tr_comm.h b/include/tr_comm.h
index f0fa8f0..717aafd 100644
--- a/include/tr_comm.h
+++ b/include/tr_comm.h
@@ -55,5 +55,7 @@ typedef struct tr_comm {
 } TR_COMM;
 
 TR_COMM *tr_comm_lookup(TR_INSTANCE *tr, TR_NAME *comm);
+TR_RP_REALM *tr_find_comm_rp (TR_COMM *comm, TR_NAME *rp_realm);
+TR_IDP_REALM *tr_find_comm_idp (TR_COMM *comm, TR_NAME *idp_realm);
 
 #endif
diff --git a/include/tr_config.h b/include/tr_config.h
index 443d185..4ee5232 100644
--- a/include/tr_config.h
+++ b/include/tr_config.h
@@ -75,7 +75,6 @@ TR_CFG_RC tr_apply_new_config (TR_INSTANCE *tr);
 
 void tr_cfg_free(TR_CFG *cfg);
 void tr_print_config(FILE *stream, TR_CFG *cfg);
-TR_COMM *tr_cfg_find_comm (TR_CFG *tr_cfg, TR_NAME *comm_name, TR_CFG_RC *rc);
 TR_IDP_REALM *tr_cfg_find_idp (TR_CFG *tr_cfg, TR_NAME *idp_id, TR_CFG_RC *rc);
 TR_RP_CLIENT *tr_cfg_find_rp (TR_CFG *tr_cfg, TR_NAME *rp_gss, TR_CFG_RC *rc);
 #endif
diff --git a/tr/tr_main.c b/tr/tr_main.c
index ceb0fb1..24b5d6a 100644
--- a/tr/tr_main.c
+++ b/tr/tr_main.c
@@ -92,16 +92,19 @@ static int tr_tids_req_handler (TIDS_INSTANCE * tids,
 return -1;
 }
 
- /* Map the comm in the request from a COI to an APC, if needed */
 if (NULL == (cfg_comm = tr_comm_lookup((TR_INSTANCE *)tids->cookie, orig_req->comm))) {
 fprintf(stderr, "tr_tids_req_hander: Request for unknown comm: %s.\n", orig_req->comm->buf);
 tids_send_err_response(tids, orig_req, "Unknown community");
 return -1;
 }
 
- /* TBD -- check that the rp_realm is a member of the original community */
+ /* Check that the rp_realm is a member of the community in the request */
+ if (NULL == (tr_find_comm_rp(cfg_comm, orig_req->rp_realm))) {
+ fprintf(stderr, "tr_tids_req_hander: RP Realm (%s) not member of community (%s).\n", orig_req->rp_realm->buf, orig_req->comm->buf);
+ tids_send_err_response(tids, orig_req, "RP community membership error");
+ }
 
- /* If the community is a COI, switch to the apc */
+ /* Map the comm in the request from a COI to an APC, if needed */
 if (TR_COMM_COI == cfg_comm->type) {
 fprintf(stderr, "tr_tids_req_handler: Community was a COI, switching.\n");
 /* TBD -- In theory there can be more than one? How would that work? */
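Review bot: The new RP membership check does not stop the request when it fails: after `tids_send_err_response(tids, orig_req, "RP community membership error");` control falls through into the COI-to-APC switch and, as far as the visible lines show, onward toward forwarding, so a realm that is not in the community is only logged and answered with an error while processing continues, and the peer may end up with a second response. Add `return -1;` directly after that send, exactly as the "Unknown community" branch above it already does; the IdP membership check added in the -115,12 hunk below has the same omission and needs the same line. The membership error messages also print orig_req->comm->buf, which after the COI-to-APC switch presumably still holds the original COI rather than the APC that was checked, so the IdP message may name the wrong community — worth confirming against how cfg_comm is reassigned outside this hunk. tr_tids_req_handler begins and ends outside the hunk.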
@@ -115,12 +118,18 @@ static int tr_tids_req_handler (TIDS_INSTANCE * tids, fwd_req->orig_coi = orig_req->comm; } + /* Check that target realm is a valid IDP Realm for this APC */ + if (NULL == (tr_find_comm_idp(cfg_comm, orig_req->realm))) { + fprintf(stderr, "tr_tids_req_hander: IDP Realm (%s) not member of APC (%s).\n", orig_req->realm->buf, orig_req->comm->buf); + tids_send_err_response(tids, orig_req, "IDP APC membership error"); + } + /* Find the AAA server(s) for this request */ if (NULL == (aaa_servers = tr_idp_aaa_server_lookup((TR_INSTANCE *)tids->cookie, orig_req->realm, orig_req->comm))) { fprintf(stderr, "tr_tids_req_handler: No AAA Servers for realm %s.\n", orig_req->realm->buf); - tids_send_err_response(tids, orig_req, "No path to AAA Servers for realm"); + tids_send_err_response(tids, orig_req, "No path to AAA Server(s) for realm"); return -1; } /* send a TID request to the AAA server(s), and get the answer(s) */