From: Sam Hartman Date: Tue, 7 Oct 2014 11:17:39 +0000 (-0400) Subject: Import moonshot-trust-router_1.4.1.orig.tar.gz X-Git-Tag: upstream/1.4.1 X-Git-Url: http://www.project-moonshot.org/gitweb/?p=trust_router.git;a=commitdiff_plain;h=bbf497cdf42f068cae597f3a38e2d2400470119b;hp=977060c97b78af82d3035dc8d30ba43ed336403a Import moonshot-trust-router_1.4.1.orig.tar.gz --- diff --git a/Makefile.am b/Makefile.am index 5fd1825..371e57f 100644 --- a/Makefile.am +++ b/Makefile.am @@ -62,10 +62,12 @@ noinst_HEADERS = include/gsscon.h include/tr_config.h \ include/tid_internal.h pkgdata_DATA=schema.sql -nobase_dist_pkgdata_DATA=redhat/init redhat/sysconfig redhat/trusts.cfg redhat/tidc-wrapper redhat/trust_router-wrapper redhat/tr-test-main.cfg redhat/default-main.cfg +nobase_dist_pkgdata_DATA=redhat/init redhat/sysconfig redhat/trusts.cfg redhat/tidc-wrapper redhat/trust_router-wrapper redhat/tr-test-main.cfg redhat/default-main.cfg redhat/tids-wrapper redhat/sysconfig.tids if HAVE_SYSTEMD systemdsystemunit_DATA = tids.service endif -EXTRA_DIST = trust_router.spec common/tests.json schema.sql tids.service +EXTRA_DIST = trust_router.spec common/tests.json schema.sql tids.service \ + tr/manual.cfg tr/portal.cfg \ + redhat/tids.init diff --git a/Makefile.in b/Makefile.in index faa3e25..69aedec 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -658,9 +658,12 @@ noinst_HEADERS = include/gsscon.h include/tr_config.h \ include/tid_internal.h pkgdata_DATA = schema.sql -nobase_dist_pkgdata_DATA = redhat/init redhat/sysconfig redhat/trusts.cfg redhat/tidc-wrapper redhat/trust_router-wrapper redhat/tr-test-main.cfg redhat/default-main.cfg +nobase_dist_pkgdata_DATA = redhat/init redhat/sysconfig redhat/trusts.cfg redhat/tidc-wrapper redhat/trust_router-wrapper redhat/tr-test-main.cfg redhat/default-main.cfg redhat/tids-wrapper redhat/sysconfig.tids @HAVE_SYSTEMD_TRUE@systemdsystemunit_DATA = tids.service -EXTRA_DIST = trust_router.spec common/tests.json schema.sql tids.service +EXTRA_DIST = trust_router.spec common/tests.json schema.sql tids.service \ + tr/manual.cfg tr/portal.cfg \ + redhat/tids.init + all: all-recursive .SUFFIXES: diff --git a/common/tr_config.c b/common/tr_config.c index 9b9fb19..352c894 100644 --- a/common/tr_config.c +++ b/common/tr_config.c @@ -367,7 +367,6 @@ static TR_RP_CLIENT *tr_cfg_parse_one_rp_client (TR_CFG *trc, json_t *jrp, TR_CF /* TBD -- support more than one filter entry per RP Client? */ if (NULL == (rp->filter = tr_cfg_parse_one_filter(trc, jfilt, rc))) { fprintf(stderr, "tr_cfg_parse_one_rp_client: Error parsing filter.\n"); - free(rp); *rc = TR_CFG_NOPARSE; return NULL; } @@ -375,7 +374,6 @@ static TR_RP_CLIENT *tr_cfg_parse_one_rp_client (TR_CFG *trc, json_t *jrp, TR_CF for (i = 0; i < json_array_size(jgns); i++) { if (NULL == (rp->gss_names[i] = tr_new_name ((char *)json_string_value(json_array_get(jgns, i))))) { fprintf(stderr, "tr_cfg_parse_one_rp_client: No memory for GSS Name.\n"); - free(rp); *rc = TR_CFG_NOMEM; return NULL; } @@ -517,7 +515,6 @@ static TR_IDP_REALM *tr_cfg_parse_one_idp_realm (TR_CFG *trc, json_t *jidp, TR_C (NULL == (jsrvrs = json_object_get(jidp, "aaa_servers"))) || (!json_is_array(jsrvrs))) { fprintf(stderr, "tr_cfg_parse_one_idp_realm: Error parsing IDP realm configuration.\n"); - free(idp); *rc = TR_CFG_NOPARSE; return NULL; } 
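Review bot: The partially built `rp` is no longer released on the filter-parse and GSS-name error paths, and the later hunks drop the matching `free(idp)` and `free(comm)` in tr_cfg_parse_one_idp_realm and tr_cfg_parse_one_comm, so unless something outside these hunks now owns those objects (a caller that frees on a non-success `*rc`, or a list they are linked into before parsing) each of these paths leaks the struct. If the removal fixes a double free, the hunk should say so where the frees were, e.g. `/* rp is owned by the caller and must not be freed here */`; as written a reader cannot tell a fix from a regression. The names already stored in `rp->gss_names[0..i-1]` are likewise not released on the TR_CFG_NOMEM path, which was already the case before this change. The enclosing functions start and end outside the hunks.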
@@ -529,7 +526,6 @@ static TR_IDP_REALM *tr_cfg_parse_one_idp_realm (TR_CFG *trc, json_t *jidp, TR_C } if (NULL == (idp->realm_id = tr_new_name((char *)json_string_value(jrid)))) { - free(idp); fprintf(stderr, "tr_cfg_parse_one_idp_realm: No memory for realm id.\n"); *rc = TR_CFG_NOMEM; return NULL; @@ -538,7 +534,6 @@ static TR_IDP_REALM *tr_cfg_parse_one_idp_realm (TR_CFG *trc, json_t *jidp, TR_C if (NULL == (idp->aaa_servers = tr_cfg_parse_aaa_servers(trc, jsrvrs, rc))) { fprintf(stderr, "tr_cfg_parse_one_idp_realm: Can't parse AAA servers for realm %s.\n", idp->realm_id->buf); tr_free_name(idp->realm_id); - free(idp); return NULL; } @@ -548,7 +543,6 @@ static TR_IDP_REALM *tr_cfg_parse_one_idp_realm (TR_CFG *trc, json_t *jidp, TR_C fprintf(stderr, "tr_cfg_parse_one_idp_realm: Can't parse APCs for realm %s .\n", idp->realm_id->buf); tr_free_name(idp->realm_id); /* TBD -- free aaa_servers */; - free(idp); return NULL; } } @@ -714,13 +708,11 @@ static TR_COMM *tr_cfg_parse_one_comm (TR_CFG *trc, json_t *jcomm, TR_CFG_RC *rc (NULL == (jrps = json_object_get(jcomm, "rp_realms"))) || (!json_is_array(jrps))) { fprintf(stderr, "tr_cfg_parse_one_comm: Error parsing Communities configuration.\n"); - free(comm); *rc = TR_CFG_NOPARSE; return NULL; } if (NULL == (comm->id = tr_new_name((char *)json_string_value(jid)))) { - free(comm); fprintf(stderr, "tr_cfg_parse_one_comm: No memory for community id.\n"); *rc = TR_CFG_NOMEM; return NULL; @@ -733,13 +725,11 @@ static TR_COMM *tr_cfg_parse_one_comm (TR_CFG *trc, json_t *jcomm, TR_CFG_RC *rc if (NULL == (comm->apcs = tr_cfg_parse_apcs(trc, japcs, rc))) { fprintf(stderr, "tr_cfg_parse_one_comm: Can't parse APCs for COI %s.\n", comm->id->buf); tr_free_name(comm->id); - free(comm); return NULL; } } else { fprintf(stderr, "tr_cfg_parse_one_comm: Invalid community type, comm = %s, type = %s\n", comm->id->buf, json_string_value(jtype)); tr_free_name(comm->id); - free(comm); *rc = TR_CFG_NOPARSE; return NULL; } 
@@ -748,7 +738,6 @@ static TR_COMM *tr_cfg_parse_one_comm (TR_CFG *trc, json_t *jcomm, TR_CFG_RC *rc if (TR_CFG_SUCCESS != *rc) { fprintf(stderr, "tr_cfg_parse_one_comm: Can't parse IDP realms for comm %s.\n", comm->id->buf); tr_free_name(comm->id); - free(comm); return NULL; } @@ -757,7 +746,6 @@ static TR_COMM *tr_cfg_parse_one_comm (TR_CFG *trc, json_t *jcomm, TR_CFG_RC *rc fprintf(stderr, "tr_cfg_parse_comm: Can't parse RP realms for comm %s .\n", comm->id->buf); tr_free_name(comm->id); /* TBD -- free idps? */; - free(comm); return NULL; } diff --git a/configure b/configure index 2fef375..687ce53 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for trust_router 1.4. +# Generated by GNU Autoconf 2.69 for trust_router 1.4.1. # # Report bugs to . # @@ -590,8 +590,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='trust_router' PACKAGE_TARNAME='trust_router' -PACKAGE_VERSION='1.4' -PACKAGE_STRING='trust_router 1.4' +PACKAGE_VERSION='1.4.1' +PACKAGE_STRING='trust_router 1.4.1' PACKAGE_BUGREPORT='bugs@project-moonshot.org' PACKAGE_URL='' @@ -1323,7 +1323,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures trust_router 1.4 to adapt to many kinds of systems. +\`configure' configures trust_router 1.4.1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1393,7 +1393,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of trust_router 1.4:";; + short | recursive ) echo "Configuration of trust_router 1.4.1:";; esac cat <<\_ACEOF 
@@ -1508,7 +1508,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -trust_router configure 1.4 +trust_router configure 1.4.1 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1877,7 +1877,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by trust_router $as_me 1.4, which was +It was created by trust_router $as_me 1.4.1, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4111,7 +4111,7 @@ fi # Define the identity of the package. PACKAGE='trust_router' - VERSION='1.4' + VERSION='1.4.1' cat >>confdefs.h <<_ACEOF @@ -13196,7 +13196,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by trust_router $as_me 1.4, which was +This file was extended by trust_router $as_me 1.4.1, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -13253,7 +13253,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -trust_router config.status 1.4 +trust_router config.status 1.4.1 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index e0e015e..7b3d658 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ AC_PREREQ(2.63) -AC_INIT([trust_router],[1.4], +AC_INIT([trust_router],[1.4.1], [bugs@project-moonshot.org]) AC_CONFIG_MACRO_DIR(m4) AC_CONFIG_AUX_DIR(build-aux) diff --git a/redhat/sysconfig.tids b/redhat/sysconfig.tids new file mode 100644 index 0000000..a1e5b80 --- /dev/null +++ b/redhat/sysconfig.tids 
@@ -0,0 +1,17 @@
+## Define the variables needed to run TIDS
+##
+## /usr/bin/tids
+##
+
+TIDS_SERVER_IP="127.0.0.1" # IP address that the TIDS is reachable on
+TIDS_SERVER_NAME="localhost" # The host name that the TIDS is known as
+TIDS_USER="trustrouter" # The user that the TIDS is running as
+TIDS_GROUP="trustrouter" # The group that the TIDS is running as
+
+TIDS_GSS_NAME="trustrouter@apc.moonshot.ja.net" # The GSS service name for the TIDS APC
+KEYFILE="/var/lib/trust_router/keys" # The key file that the TIDS will store keys in
+
+## Static variables that you can also adjust
+
+TIDS_PIDDIR="/var/run/tids"
+TIDS_LOGDIR="/var/log/tids"
diff --git a/redhat/tids-wrapper b/redhat/tids-wrapper
new file mode 100644
index 0000000..55e3d0d
--- /dev/null
+++ b/redhat/tids-wrapper
@@ -0,0 +1,14 @@
+#! /usr/bin/env bash
+
+PIDFILE=${1}
+LOGFILE=${2}
+shift 2
+
+unset DISPLAY
+/usr/bin/tids $@ >> ${LOGFILE} 2>&1 &
+BGPID=$!
+RET=$?
+
+echo "${BGPID}" > "${PIDFILE}"
+
+exit "${RET}"
diff --git a/redhat/tids.init b/redhat/tids.init
new file mode 100644
index 0000000..2bff707
--- /dev/null
+++ b/redhat/tids.init
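Review bot: `RET=$?` records the status of the preceding `BGPID=$!` assignment, not of `/usr/bin/tids`, so the wrapper always exits 0 and a failed launch is never reported; since tids is backgrounded there is no synchronous status to collect, so either drop `RET` and `exit 0` explicitly, or test that `${BGPID}` is still alive (e.g. `kill -0 "${BGPID}"`) before exiting. The unquoted `$@` and `${LOGFILE}` are subject to word splitting and globbing; `/usr/bin/tids "$@" >> "${LOGFILE}" 2>&1 &` passes the arguments through unchanged. Note also that the PID file is written here after the init script's `daemon --user` has switched to `${TIDS_USER}`, so it is owned and writable by the service account, which matters for the init script's root-run `killproc -p` in its stop branch.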
@@ -0,0 +1,108 @@
+#!/bin/bash
+### BEGIN INIT INFO
+# Provides: tids
+# Default-Start: 3 5
+# Default-Stop: 0 1 2 4 6
+# Required-Start: radiusd
+# Should-Start: $network
+# Short-Description: Starts Moonshot TIDS
+# Description: Starts the Moonshot Temporary ID Service
+### END INIT INFO
+# chkconfig: - 89 11
+#
+# description: Starts the Moonshot Temporary ID Service
+#
+# Source function library.
+. /etc/init.d/functions
+
+[ -z "$HOME" ] && export HOME=/
+
+usage() {
+ echo "Usage: $0 {start|stop|status}"
+}
+
+# Load the configuration
+[ -f /etc/sysconfig/tids ] || exit 6
+. /etc/sysconfig/tids
+
+# Create the PID and LOG directories
+[ -d ${TIDS_PIDDIR} ] || mkdir -p ${TIDS_PIDDIR} && chown ${TIDS_USER}:${TIDS_GROUP} ${TIDS_PIDDIR}
+[ -d ${TIDS_LOGDIR} ] || mkdir -p ${TIDS_LOGDIR} && chown ${TIDS_USER}:${TIDS_GROUP} ${TIDS_LOGDIR}
+
+# Some variables
+prog=/usr/bin/tids-wrapper
+PIDFILE="${TIDS_PIDDIR}/tids.pid"
+LOGFILE="${TIDS_LOGDIR}/tids.log"
+
+# Does the trust router and wrapper exist
+[ -x /usr/bin/tids ] || exit 5
+[ -x /usr/bin/tids-wrapper ] || exit 5
+
+[ -f ${LOGFILE} ] || touch ${LOGFILE} && chown ${TIDS_USER}:${TIDS_GROUP} ${LOGFILE}
+
+OPTIONS="${PIDFILE} ${LOGFILE} ${TIDS_SERVER_IP} ${TIDS_GSS_NAME} ${TIDS_SERVER_NAME} ${KEYFILE}"
+
+case "$1" in
+ start)
+ if [ -f ${PIDFILE} ] ;
+ then
+ OLD_PID=$(cat "${PIDFILE}")
+
+ if [ -d "/proc/${OLD_PID}" ] ;
+ then
+ echo "Error: TIDS already running" ; exit 1
+ else
+ rm ${PIDFILE}
+ fi
+ fi
+
+ timestamp=$(date)
+ echo "${timestamp} Starting TIDS..." >> ${LOGFILE}
+ echo -n "Starting TIDS..."
+ daemon --user="${TIDS_USER}" --pidfile="${PIDFILE}" "${prog}" "${OPTIONS}"
+ echo
+
+ exit $?
+ ;;
+ stop)
+ timestamp=$(date)
+ echo "${timestamp} Stopping TIDS..." >> ${LOGFILE}
+ echo -n "Stopping TIDS..."
+ if [ -f "${PIDFILE}" ] ;
+ then
+ killproc -p "${PIDFILE}" "${prog}"
+ echo
+ else
+ echo "TIDS does not appear to be running"
+ fi
+ exit $?
+ ;;
+ status)
+ if [ -f ${PIDFILE} ] ;
+ then
+ PID=$(cat "${PIDFILE}")
+
+ if [ -d "/proc/${PID}" ] ;
+ then
+ echo "TIDS is running (pid ${PID})"
+ else
+ if [ -e ${PIDFILE} ] ; then
+ echo "TIDS appears to be dead but its PID file exists"
+ else
+ echo "TIDS appears to be stopped"
+ fi
+ fi
+ else
+ echo "TIDS appears to be stopped"
+ fi
+ exit 0
+ ;;
+ reload | force-reload | condrestart | try-restart)
+ usage
+ exit 3
+ ;;
+ *)
+ usage
+ exit 2
+ ;;
+esac
diff --git a/tid/example/tids_main.c b/tid/example/tids_main.c
index e920874..29a43b8 100644
--- a/tid/example/tids_main.c
+++ b/tid/example/tids_main.c
@@ -276,6 +276,7 @@ int main (int argc, fprintf(stdout, "Error opening database %s\n", argv[4]); exit(1); } + sqlite3_busy_timeout( db, 1000); sqlite3_prepare_v2(db, "insert into psk_keys (keyid, key, client_dh_pub) values(?, ?, ?)", -1, &insert_stmt, NULL); sqlite3_prepare_v2(db, "insert into authorizations (client_dh_pub, coi, acceptor_realm, hostname, apc) values(?, ?, ?, ?, ?)",
diff --git a/tr/manual.cfg b/tr/manual.cfg
new file mode 100644
index 0000000..5d33638
--- /dev/null
+++ b/tr/manual.cfg
@@ -0,0 +1,2 @@
+{"tr_internal":{"max_tree_depth": 4,
+ "hostname":"margaret-moonshot3.local"}}
\ No newline at end of file
diff --git a/tr/portal.cfg b/tr/portal.cfg
new file mode 100644
index 0000000..6ead29d
--- /dev/null
+++ b/tr/portal.cfg
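Review bot: Both `exit $?` lines in the start and stop branches return the status of the preceding `echo`, not of `daemon` or `killproc`, so the script reports success even when the launch or the kill failed; capture it immediately, `daemon --user="${TIDS_USER}" --pidfile="${PIDFILE}" "${prog}" "${OPTIONS}"` / `RETVAL=$?` / `echo`, then `exit ${RETVAL}` (and the same around killproc in stop). The stop branch also runs `killproc -p "${PIDFILE}"` as root on a file that tids-wrapper writes while already running as `${TIDS_USER}` in a directory chowned to that user, so a compromised or misbehaving tids could make root signal an arbitrary PID; writing the PID file from the root side, or checking that `/proc/${PID}/exe` resolves to `/usr/bin/tids` before killing, closes that. In status, the inner `[ -e ${PIDFILE} ]` sits inside `[ -f ${PIDFILE} ]` and is always true, so its else branch is unreachable and can go. The `"${OPTIONS}"` argument is a single quoted word and only works because the `daemon` function re-parses its command through a shell; passing the six values as separate arguments would be less surprising to the next maintainer.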
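Review bot: The return value of the new `sqlite3_busy_timeout( db, 1000);` is ignored, as are the two `sqlite3_prepare_v2` calls that follow it, so a prepare failure leaves the statement pointer NULL and every later bind/step on it fails instead of inserting; checking `if (sqlite3_busy_timeout(db, 1000) != SQLITE_OK)` and the prepare results with the same report-and-`exit(1)` pattern used for the database-open failure just above keeps the example consistent. A comment on the new line, `/* retry on SQLITE_BUSY for up to 1 s rather than failing the insert immediately */`, would record why 1000 was chosen. main() continues outside the hunk.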
@@ -0,0 +1,84 @@
+{
+ "communities": [
+ {
+ "apcs": [
+ ],
+ "community_id": "apc.painless-security.com",
+ "idp_realms": [
+ ],
+ "rp_realms": [
+ "margaret-2.painless-security.com"
+ ],
+ "type": "apc"
+ }
+ ],
+ "idp_realms": [
+ {
+ "aaa_servers": [
+ "127.0.0.1"
+ ],
+ "apcs": [
+ "pci-community.ja.net"
+ ],
+ "realm_id": "idr1.offcenter.org",
+ "shared_config": "yes"
+ },
+ {
+ "aaa_servers": [
+ "127.0.0.1"
+ ],
+ "apcs": [
+ "pci-community.ja.net"
+ ],
+ "realm_id": "idr2.offcenter.org",
+ "shared_config": "no"
+ },
+ {
+ "aaa_servers": [
+ "10.1.10.90"
+ ],
+ "apcs": [
+ "pci-community.ja.net"
+ ],
+ "realm_id": "ja.net",
+ "shared_config": "no"
+ },
+ {
+ "aaa_servers": [
+ "127.0.0.1"
+ ],
+ "apcs": [
+ "pci-community.ja.net"
+ ],
+ "realm_id": "no-longer-untitled.offcenter.org",
+ "shared_config": "yes"
+ }
+ ],
+ "rp_clients": [
+ {
+ "filter": {
+ "filter_lines": [
+ {
+ "action": "accept",
+ "domain_constraints": ["*.painless-security.com"],
+ "filter_specs": [
+ {
+ "field": "rp_realm",
+ "match": "margaret-2.painless-security.com"
+ },
+ {
+ "field": "rp_realm",
+ "match": "*.margaret-2.painless-security.com"
+ }
+ ],
+ "realm_constraints": ["*.painless-security.com", "a.com"]
+ }
+ ],
+ "type": "rp_permitted"
+ },
+ "gss_names": [
+ "4b95cd61-616f-48f2-9713-7d2cbe19ce69@apc.painless-security.com"
+ ]
+ }
+ ]
+}
diff --git a/tr/tr_main.c b/tr/tr_main.c
index 659f899..8777354 100644
--- a/tr/tr_main.c
+++ b/tr/tr_main.c
@@ -168,13 +168,13 @@ static int tr_tids_req_handler (TIDS_INSTANCE *tids, } } else { /* if we aren't defaulting, check idp coi and apc membership */ - if (NULL == (tr_find_comm_idp(cfg_comm, fwd_req->orig_coi))) { - fprintf(stderr, "tr_tids_req_hander: IDP Realm (%s) not member of APC (%s).\n", orig_req->realm->buf, orig_req->comm->buf); - tids_send_err_response(tids, orig_req, "IDP COI membership error"); + if (NULL == (tr_find_comm_idp(cfg_comm, fwd_req->realm))) { + fprintf(stderr, "tr_tids_req_handler: IDP Realm (%s) not member of community (%s).\n", orig_req->realm->buf, orig_req->comm->buf); + tids_send_err_response(tids, orig_req, "IDP community membership error"); return -1; } - if (NULL == (tr_find_comm_idp(cfg_apc, fwd_req->comm))) { - fprintf(stderr, "tr_tids_req_hander: IDP Realm (%s) not member of APC (%s).\n", orig_req->realm->buf, orig_req->comm->buf); + if ( cfg_apc && (NULL == (tr_find_comm_idp(cfg_apc, fwd_req->realm)))) { + fprintf(stderr, "tr_tids_req_handler: IDP Realm (%s) not member of APC (%s).\n", orig_req->realm->buf, orig_req->comm->buf); tids_send_err_response(tids, orig_req, "IDP APC membership error"); return -1; } diff --git a/trust_router.spec b/trust_router.spec index 1d449ed..a00abe5 100644 --- a/trust_router.spec +++ b/trust_router.spec @@ -61,7 +61,7 @@ install -D -m 640 redhat/default-main.cfg $RPM_BUILD_ROOT/%{_sysconfdir}/trust_r install -D -m 640 redhat/tr-test-main.cfg $RPM_BUILD_ROOT/%{_sysconfdir}/trust_router/conf.d/tr-test/main.cfg install -D -m 640 redhat/sysconfig $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/trust_router install -D -m 640 redhat/sysconfig.tids $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/tids -install -D -m 755 tids.initd $RPM_BUILD_ROOT/%{_initrddir}/tids +install -D -m 755 redhat/tids.init $RPM_BUILD_ROOT/%{_initrddir}/tids # Link shared config ln -s ../../trusts.cfg $RPM_BUILD_ROOT/%{_sysconfdir}/trust_router/conf.d/default/trusts.cfg
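Review bot: The APC membership check is now skipped entirely when `cfg_apc` is NULL, so a request on this non-default path passes with only the community check applied; if a NULL `cfg_apc` here can mean "APC lookup failed" rather than "no APC applies", this fails open and should be refused instead (`tids_send_err_response(tids, orig_req, "APC not found"); return -1;`), or the guard documented with `/* cfg_apc is NULL only when cfg_comm is itself the APC */` if that is the invariant. The APC error message still prints `orig_req->comm->buf` as the APC name although the check is against `cfg_apc`, so the log names the community rather than the APC; `cfg_apc->id->buf` looks like the right value, assuming TR_COMM exposes `id` the way the tr_config.c hunks use `comm->id->buf`. tr_tids_req_handler starts and ends outside the hunk, so whether an earlier branch guarantees a non-NULL cfg_apc cannot be confirmed from it.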