mrw42 [Thu, 3 May 2018 20:11:35 +0000 (16:11 -0400)]
Merge pull request #57 from painless-security/jennifer/show_rp_clients
Add show rp_clients command (pull request 9)
mrw42 [Thu, 3 May 2018 20:10:13 +0000 (16:10 -0400)]
Merge pull request #56 from painless-security/jennifer/show_realms
Add show realms command (pull request 8)
mrw42 [Thu, 3 May 2018 20:09:12 +0000 (16:09 -0400)]
Merge pull request #55 from painless-security/jennifer/show_communities
Add show communities command (pull request 7)
mrw42 [Thu, 3 May 2018 20:08:08 +0000 (16:08 -0400)]
Merge pull request #54 from painless-security/jennifer/show_peers
Add the show peers command (pull request 6)
mrw42 [Thu, 3 May 2018 20:07:11 +0000 (16:07 -0400)]
Merge pull request #53 from painless-security/jennifer/show_routes
Add show routes message support (pull request 5)
mrw42 [Thu, 3 May 2018 20:05:51 +0000 (16:05 -0400)]
Merge pull request #52 from painless-security/jennifer/subprocess_status
Report whether TID requests succeed and better clean up zombie TID / MON processes (pull request 4)
mrw42 [Thu, 3 May 2018 20:03:15 +0000 (16:03 -0400)]
Merge pull request #51 from painless-security/jennifer/monitoring_client_and_server
First functioning monitoring client/server (pull request 3)
mrw42 [Thu, 3 May 2018 20:02:05 +0000 (16:02 -0400)]
Merge pull request #50 from painless-security/jennifer/refactoring_tids
TID refactoring (pull request 2)
mrw42 [Thu, 3 May 2018 20:00:42 +0000 (16:00 -0400)]
Merge pull request #49 from painless-security/jennifer/mon_msg_encoders
Add encoders for monitoring messages (pull request 1)
Jennifer Richards [Wed, 25 Apr 2018 17:13:03 +0000 (13:13 -0400)]
Change -v/--validate-config to -C/--config-validate
There are enough things that use v, we'll accept Adam Bishop's hint and
copy FreeRADIUS's '-C' choice.
Jennifer Richards [Wed, 25 Apr 2018 17:08:06 +0000 (13:08 -0400)]
Merge pull request #60 from painless-security/jennifer/validate_config
Validate config with -v or --validate-config options
Jennifer Richards [Wed, 25 Apr 2018 17:05:30 +0000 (13:05 -0400)]
Validate config with -v or --validate-config options
Removes the -v short form for --version
Jennifer Richards [Thu, 19 Apr 2018 23:35:20 +0000 (19:35 -0400)]
Add encoders for tr_filters, include in peer and rp_client encoders
Jennifer Richards [Thu, 19 Apr 2018 21:43:00 +0000 (17:43 -0400)]
Add support for "show rp_clients" monitoring request
Jennifer Richards [Thu, 19 Apr 2018 21:27:17 +0000 (17:27 -0400)]
Separate tr_rp and tr_rp_client into separate modules
No functional changes
Jennifer Richards [Thu, 19 Apr 2018 21:01:13 +0000 (17:01 -0400)]
Add support for "show realms" monitoring request
Jennifer Richards [Thu, 19 Apr 2018 19:55:49 +0000 (15:55 -0400)]
Improve structure of realm listings in 'show communities' response
Jennifer Richards [Thu, 19 Apr 2018 18:54:39 +0000 (14:54 -0400)]
Add support for show communities monitoring request
Jennifer Richards [Thu, 19 Apr 2018 16:58:10 +0000 (12:58 -0400)]
Add support for show peers monitoring request
Jennifer Richards [Thu, 19 Apr 2018 16:57:42 +0000 (12:57 -0400)]
Refactor trp_route_encoders for better style
Jennifer Richards [Thu, 19 Apr 2018 16:14:18 +0000 (12:14 -0400)]
Split trp_ptable into trp_ptable, trp_peer, and _encoders modules
No functional changes
Jennifer Richards [Thu, 19 Apr 2018 15:51:28 +0000 (11:51 -0400)]
Support "show routes" monitoring request
* Separate _to_string and _to_json functions into _encoders.c files
for trp_rtable and trp_route
* Add monitoring handler to call trp_rtable_to_json()
Jennifer Richards [Thu, 19 Apr 2018 14:55:02 +0000 (10:55 -0400)]
Separate trp_route and trp_rtable, move timespec_to_str to tr_util.c
No functional changes
Jennifer Richards [Thu, 19 Apr 2018 03:18:24 +0000 (23:18 -0400)]
Make trmon into a usable command-line interface
* accept monitoring request command/options on the command line
* display response JSON to stdout
* remove extraneous stdout output
Jennifer Richards [Thu, 19 Apr 2018 02:39:44 +0000 (22:39 -0400)]
Periodically call tids_sweep_procs() during trust router operation
Jennifer Richards [Thu, 19 Apr 2018 01:59:03 +0000 (21:59 -0400)]
Add better error checking for waitpid in tids_sweep_procs
Jennifer Richards [Thu, 19 Apr 2018 00:20:29 +0000 (20:20 -0400)]
Use pipe instead of exit status to determine whether TID req succeeded
The exit status of the TID process is not reliable --- with some
versions of moonshot-gss-eap, a segfault occurs during tear-down and
contaminates the process status returned by waitpid.
Jennifer Richards [Wed, 18 Apr 2018 17:45:21 +0000 (13:45 -0400)]
Track and clean up monitoring processes by pid, fix some debug msgs
Jennifer Richards [Wed, 18 Apr 2018 17:34:26 +0000 (13:34 -0400)]
Track TID processes and add TID req counts for success/error/pending
* Track TID processes by pid
* Add handlers for the TID req counts
Still only check for terminated TID processes after the next one comes
in, should either periodically sweep or check this after a child
terminates and sends SIGCHLD
Jennifer Richards [Wed, 18 Apr 2018 15:41:06 +0000 (11:41 -0400)]
Add TID_REQ_COUNT handler
* Add a separate source file for TID-related monitoring handlers
* Increment tids->req_count in the main process, otherwise it will
always seem to be zero. This does mean any connection to the TID
port is counted as a tid request, which is not perfect.
*
Jennifer Richards [Wed, 18 Apr 2018 15:16:42 +0000 (11:16 -0400)]
Collect return codes from monitoring handlers and indicate errors
Jennifer Richards [Wed, 18 Apr 2018 14:09:10 +0000 (10:09 -0400)]
Get rid of CLion warnings about undefined PACKAGE_* macros
Jennifer Richards [Wed, 18 Apr 2018 03:38:27 +0000 (23:38 -0400)]
Replace static monitor handler tables with dynamic handler registry
* Keep a list of handlers as part of MONS_INSTANCE
- each handles a command/opt_type pair
- registered via mons_register_handler()
* Scan the list of handlers when servicing a monitoring request
* Add handlers for version and uptime, registered through tr_main.c
(probably need to move these, but this works as a demo)
Jennifer Richards [Tue, 17 Apr 2018 18:15:53 +0000 (14:15 -0400)]
First functional monitoring server - can return the trust router version
Jennifer Richards [Tue, 17 Apr 2018 16:58:44 +0000 (12:58 -0400)]
First steps toward actually handling monitoring requests
Jennifer Richards [Tue, 17 Apr 2018 16:27:15 +0000 (12:27 -0400)]
Use TR_MSG instead of encoded strings in GSS request handler interface
Also some further cleanup of header files and data types.
Jennifer Richards [Tue, 17 Apr 2018 16:07:56 +0000 (12:07 -0400)]
Clean up TR_MSG, hopefully getting talloc context handling right
I had assumed in a few places that TR_MSGs and the various message
payload types were always allocated dynamically via talloc(). This is
not a safe assumption - in a few places, we use stack-allocated TR_MSGs
and these are all used outside our code via the libtr_tid library.
We now use talloc when we can (i.e., when we have encoded or decoded
a message and know we used talloc), but otherwise leave it to the calling
code to properly manage memory.
Jennifer Richards [Mon, 16 Apr 2018 21:50:13 +0000 (17:50 -0400)]
Fix makefile, full make now succeeds
Jennifer Richards [Mon, 16 Apr 2018 21:32:01 +0000 (17:32 -0400)]
Refactor tidc/monc to better share code
* Implement minimal decoding of monitoring responses
* Add tr_gss_client.[ch] to house GSS req/resp message exchange
* Always use 'payload' as the key for MON_RESP payload, don't name it
after the command that it is responding to
* Use better reference count behavior for MON_RESP payload
* Move typedefs out of mon_internal.h to mon.h to avoid cyclic header
dependencies
* Fix some minor integer type mismatches in option parser
* Update various test programs to use extra argument to
tr_msg_(en/de)code methods
Jennifer Richards [Mon, 16 Apr 2018 17:08:00 +0000 (13:08 -0400)]
Make better use of talloc for TR_MSG handling
Jennifer Richards [Mon, 16 Apr 2018 16:31:34 +0000 (12:31 -0400)]
Enclose macro arguments in parentheses
Jennifer Richards [Fri, 13 Apr 2018 21:02:18 +0000 (17:02 -0400)]
First pass at a trmon command-line interface; fix a few bugs
At this point, if you hack tr_mons_auth_handler() to always return 0
(success), then trmon can connect to the trust router's monitoring port
and retrieve a test message. That counts as first contact, I guess.
Actual functionality is still to come.
* Create basic trmon utility based closely on tidc
* Temporarily use void pointers for trps/tids handles in the MON_INSTANCE
structure - there is a header file cycle that prevents compliation.
Need to sort that out, but this works for the moment.
* Fill in tr_msg handlers for monitoring message encoders/decoders
* Revert to the monitoring msg decoder working from json, not a string,
since that is what we need. This breaks the test programs for now.
Jennifer Richards [Fri, 13 Apr 2018 20:03:52 +0000 (16:03 -0400)]
Further work on tids and monitoring, tids appears to work again
* Actually encode the TID response!
* Do not directly send responses from tids_req_handler(), set the
properties in the response and return with an error code
* Add hostname to MONS_INSTANCE
* Update tids hostname after configuration change
* Add a tid_resp_cpy() function to duplicate a TID_RESP into a struct
that already exists
Jennifer Richards [Fri, 13 Apr 2018 16:43:25 +0000 (12:43 -0400)]
Parse monitoring port from internal configuration
Jennifer Richards [Fri, 13 Apr 2018 16:28:23 +0000 (12:28 -0400)]
Refactor to eliminate repeated code in tr_cfg_parse_internal()
Jennifer Richards [Fri, 13 Apr 2018 15:37:03 +0000 (11:37 -0400)]
Move internal config parser to a separate file
Jennifer Richards [Fri, 13 Apr 2018 15:01:32 +0000 (11:01 -0400)]
Add stub of handler for monitoring requests
Trust router now builds and opens monitoring port
Jennifer Richards [Fri, 13 Apr 2018 14:31:24 +0000 (10:31 -0400)]
Remove several unused parameters and clean up some lint warnings
Jennifer Richards [Fri, 13 Apr 2018 14:16:00 +0000 (10:16 -0400)]
Further cleanup of tr_gss and usage for tids handling
The trust router now builds, but the monitoring parser tests do not.
* Eliminate extra layer of auth callback when using tr_gss.c, services
using it now need only one auth callback
* Document tr_gss.c's intended usage
* Flesh out the MONS_INSTANCE structure
* Fix a couple more pedantic data typing errors
Jennifer Richards [Thu, 12 Apr 2018 20:27:15 +0000 (16:27 -0400)]
Fix accidentally changed variable name in function prototype
Jennifer Richards [Thu, 12 Apr 2018 20:24:32 +0000 (16:24 -0400)]
Checkpoint commit: refactoring the request code in TIDS for better reuse
* Move tr_gss.[ch] to tr_gss_names.[ch], that is what the files contain
* Add new tr_gss.[ch] containing generalized GSS request/response code
* Refactor tids request handlers to use generalized code
* First steps towards a monitoring interface handler, not functional
* Rename listen_on_all_addrs() to tr_sock_listen_all()
* Make better use of talloc in a few places
* Clean up a few missing or unused #includes
* Fix a few data types for the sake of pedantry
Jennifer Richards [Thu, 12 Apr 2018 16:57:14 +0000 (12:57 -0400)]
Rename tr_gss.[ch] to tr_gss_names.[ch]
Jennifer Richards [Wed, 11 Apr 2018 23:25:32 +0000 (19:25 -0400)]
Factor out identical tids_listen/trps_listen functions into shared copy
Jennifer Richards [Wed, 11 Apr 2018 21:29:48 +0000 (17:29 -0400)]
Change tr_mon_ prefix to mon_, no functional changes
This better matches other protocol submodule naming (tid_, trp_, gss_)
Jennifer Richards [Wed, 11 Apr 2018 21:06:29 +0000 (17:06 -0400)]
Add encoder for monitoring responses
* add response encoder
* add partial test of response encoder
* move tr_mon.h to include directory
* move code common to req/resp from tr_mon_req.c to tr_mon.c
* fix a couple warnings
Jennifer Richards [Wed, 11 Apr 2018 16:01:14 +0000 (12:01 -0400)]
Add req encode/decode tests to make system, move from test/ to tests/
Jennifer Richards [Wed, 11 Apr 2018 15:41:48 +0000 (11:41 -0400)]
Add CMakeLists.txt for CLion integration
This is not actually used for building the trust router!
Jennifer Richards [Wed, 11 Apr 2018 02:05:12 +0000 (22:05 -0400)]
First pass at monitoring request encoder/decoder and tests
Works, but not yet integrated with the build system.
Jennifer Richards [Fri, 23 Feb 2018 17:06:44 +0000 (12:06 -0500)]
Bump package and ABI version numbers
Jennifer Richards [Thu, 22 Feb 2018 18:48:09 +0000 (13:48 -0500)]
Fix segfault when sweeping realms and communities
Mutation of linked lists led to dereferencing a "next" pointer when the
last item in the list was removed. Fixed in three places.
Jennifer Richards [Fri, 17 Nov 2017 23:18:14 +0000 (18:18 -0500)]
Correct / update example configuration files
* Combine filter specs into single spec with multiple match strings
* Use example.com instead of local in example hostnames
* Remove "max_tree_depth", which is not used
Jennifer Richards [Fri, 17 Nov 2017 17:10:53 +0000 (12:10 -0500)]
Use default AAA servers if we have no route for a TID req realm
Resolves https://bugs.launchpad.net/moonshot-tr/+bug/1643681
Jennifer Richards [Mon, 13 Nov 2017 17:15:30 +0000 (12:15 -0500)]
Update example configuration file to include APC org and realm
Jennifer Richards [Tue, 7 Nov 2017 19:04:56 +0000 (14:04 -0500)]
Update version in trust_router.spec
Jennifer Richards [Tue, 7 Nov 2017 18:05:50 +0000 (13:05 -0500)]
Bump version in configure.ac to 3.0.3
Jennifer Richards [Tue, 7 Nov 2017 17:42:55 +0000 (12:42 -0500)]
Return NULL if dh struct cannot be allocated completely
Resolves https://bugs.launchpad.net/moonshot-tr/+bug/1730679
Jennifer Richards [Tue, 12 Sep 2017 20:31:04 +0000 (16:31 -0400)]
Need libtool also
Jennifer Richards [Tue, 12 Sep 2017 20:28:34 +0000 (16:28 -0400)]
Add automake and m4 to buildrequires
Jennifer Richards [Tue, 12 Sep 2017 20:23:13 +0000 (16:23 -0400)]
Add BuildRequires: autoconf
Using autoconf as a build requirement seems to be a controversial
practice, but it is currently required.
Jennifer Richards [Tue, 12 Sep 2017 02:17:27 +0000 (22:17 -0400)]
Raise priority of error messages when cannot open a socket
Jennifer Richards [Mon, 11 Sep 2017 22:33:28 +0000 (18:33 -0400)]
Update version number (now 3.0.2)
Jennifer Richards [Mon, 11 Sep 2017 21:52:13 +0000 (17:52 -0400)]
Copy hostname so it stays valid after config loading finishes
Jennifer Richards [Mon, 11 Sep 2017 21:51:04 +0000 (17:51 -0400)]
Bring test programs up to date - all now pass
* Use new config loader
* Fix various test config files so pass validation
* Use tr_name_internal.h instead of tr_name.h
Jennifer Richards [Mon, 11 Sep 2017 21:46:26 +0000 (17:46 -0400)]
Handle null TR_GSS_NAMES when checking for match
Jennifer Richards [Mon, 11 Sep 2017 21:45:35 +0000 (17:45 -0400)]
Remove Jansson dependence in tr_name.h
* Move Jansson references out of tr_name.h into tr_name_internal.h
* Move non-public API functions to tr_name_internal.h
* Use tr_name_internal.h instead of tr_name.h except in public headers
Jennifer Richards [Sat, 9 Sep 2017 00:05:31 +0000 (20:05 -0400)]
Validate arguments in helper function, fix whitespace issue
Jennifer Richards [Sat, 9 Sep 2017 00:02:20 +0000 (20:02 -0400)]
Remove unused code.
Jennifer Richards [Fri, 8 Sep 2017 23:59:27 +0000 (19:59 -0400)]
Rearrange config file loading to allow splitting across files
Prior to this commit, configuration files were loaded one-by-one,
parsing all the sections of each file before moving to the next. This
caused problems unless the files were arranged so that realms were
defined before they were referred to by communities when the files
were read in lexical order. This commit rearranges this so that all
files are first parsed into internal JSON structures, then the first
section of all these structures is parsed, the second section of all
structures is parsed, etc. This eliminates the dependency on file
order that caused the bug.
Also fixed a memory leak: the JSON structures were not being properly
freed after being parsed. These should now be freed.
Jennifer Richards [Tue, 18 Jul 2017 22:39:32 +0000 (18:39 -0400)]
Bump version in trust_router.spec, configure.ac
Jennifer Richards [Tue, 18 Jul 2017 21:54:01 +0000 (17:54 -0400)]
Reduce amount of debug output
* Use tr_debug functions instead of printf/fprintf
* Stop printing route and comm tables after each TRP update
* Fix potential (but unlikely) talloc_free() of null pointer
Jennifer Richards [Mon, 17 Jul 2017 18:14:32 +0000 (14:14 -0400)]
Output key expiration time on a successful request
Jennifer Richards [Mon, 17 Jul 2017 17:29:45 +0000 (13:29 -0400)]
Add accessor for TID_SRVR_BLK's key_expiration
* add the accessor
* bump libtr_tid ABI version
Jennifer Richards [Fri, 14 Jul 2017 22:49:10 +0000 (18:49 -0400)]
Initialize refcount for IDP realms
Jennifer Richards [Fri, 14 Jul 2017 20:04:19 +0000 (16:04 -0400)]
Fix tids/trps ports in default configuration for redhat/centos
Jennifer Richards [Fri, 14 Jul 2017 02:41:31 +0000 (22:41 -0400)]
Apply all filters applicable to a GSS name to a TID req
Jennifer Richards [Thu, 29 Jun 2017 16:29:14 +0000 (12:29 -0400)]
Bump version in trust_router.spec, configure.ac
(cherry picked from commit 83348c0)
Jennifer Richards [Tue, 11 Jul 2017 15:00:55 +0000 (11:00 -0400)]
Fix loop termination condition in trps_filter_outbound_updates()
Jennifer Richards [Fri, 30 Jun 2017 22:15:04 +0000 (18:15 -0400)]
Correct the default TID and TRP ports in internal.cfg
Jennifer Richards [Fri, 23 Jun 2017 15:19:46 +0000 (11:19 -0400)]
Give warnings if expiration interval is clipped to allowed min/max
* Print warnings in tr_config.c
* Use GLib-compliant integer as index for GLib function in trps.c
Jennifer Richards [Thu, 22 Jun 2017 21:32:06 +0000 (17:32 -0400)]
Fix memory leak in community parsing
Jennifer Richards [Fri, 16 Jun 2017 23:42:49 +0000 (19:42 -0400)]
Fix a few bugs in the filtering. Filtering works.
* Change "community" to "comm" to match other usage
* Gracefully fail to match on null field value
* Print filter debug information
Jennifer Richards [Fri, 16 Jun 2017 17:52:23 +0000 (13:52 -0400)]
Print community table as a debug message
* Add function to create string representation of comm table
* Add calls to print the community table after route table
* TODO: clean up the output so it only shows up when debugging
Jennifer Richards [Thu, 15 Jun 2017 22:37:58 +0000 (18:37 -0400)]
Fix log message to reflect broader filtering capabilities
Jennifer Richards [Thu, 15 Jun 2017 22:35:41 +0000 (18:35 -0400)]
Fix JSON type for TRP peer "filters" block
Jennifer Richards [Thu, 15 Jun 2017 20:15:58 +0000 (16:15 -0400)]
Provide necessary macros from Jansson 2.5+ when using old versions
Jennifer Richards [Wed, 14 Jun 2017 16:24:24 +0000 (12:24 -0400)]
Implement all TRP and TID fields for filtering
Jennifer Richards [Tue, 13 Jun 2017 16:32:58 +0000 (12:32 -0400)]
Allow inforec filter to have access to realm and community
Jennifer Richards [Mon, 12 Jun 2017 22:03:26 +0000 (18:03 -0400)]
Filter outbound TRP updates (compiles but not tested)
* Add methods to count and remove inforecs from an update
* Filter updates after collecting but before sending
Jennifer Richards [Mon, 12 Jun 2017 20:14:21 +0000 (16:14 -0400)]
Filter inbound TRP records (compiles but not tested)
Jennifer Richards [Mon, 12 Jun 2017 17:54:11 +0000 (13:54 -0400)]
Use new tr_filter_apply() function for TID_REQ filtering