Sam Hartman [Thu, 12 Mar 2015 15:34:20 +0000 (11:34 -0400)]
Key expiration in minutes
Sam Hartman [Wed, 11 Mar 2015 22:31:55 +0000 (18:31 -0400)]
Fix logging configuration
Sam Hartman [Wed, 11 Mar 2015 17:31:36 +0000 (13:31 -0400)]
Merge branch 'logging_changes' of https://github.com/adam-bishop/trust_router
Pull in two additional fixes from Adam.
Adam Bishop [Wed, 11 Mar 2015 14:47:27 +0000 (14:47 +0000)]
Explicitly call tr_log_open when we're not being used as a library
Adam Bishop [Wed, 11 Mar 2015 14:46:59 +0000 (14:46 +0000)]
Don't call openlog() implicitly
Sam Hartman [Wed, 11 Mar 2015 14:49:31 +0000 (10:49 -0400)]
increment version
Sam Hartman [Wed, 11 Mar 2015 14:15:59 +0000 (10:15 -0400)]
Connection clean up
We need to clean up the connection file descriptor and the gss context.
* tidc_fwd_request is the wrong place to free the TID_REQ because it does not allocate it
* tid_req_dup needs to use talloc; duplicated requests are freed by the original request
* tidc_send_message frees its request
* The request destructor closes the connection.
* Keep track of whether a request is duplicated; only free the connection and gss context in the original request.
Sam Hartman [Tue, 10 Mar 2015 20:18:07 +0000 (16:18 -0400)]
Logic for expiration and path
* Add path as requests are received at a tids
* Calculate expiration in tids
* Insert expiration into database
* Update schema
* tids now requires glib
Sam Hartman [Tue, 10 Mar 2015 20:10:45 +0000 (16:10 -0400)]
Add expiration and path to messages
Handle path and key expiration in encoders and decoders.
Sam Hartman [Tue, 10 Mar 2015 00:45:38 +0000 (20:45 -0400)]
Real syslog support for trust router
Merge branch 'logging_changes' of https://github.com/adam-bishop/trust_router
Conflicts:
common/tr_config.c
common/tr_msg.c
tr/tr_main.c
Sam Hartman [Tue, 10 Mar 2015 00:34:57 +0000 (20:34 -0400)]
Configuration of key expiration for APC
Add support for configuring the key expiration in the config and pass this along as requests are forwarded.
Sam Hartman [Tue, 10 Mar 2015 00:32:02 +0000 (20:32 -0400)]
Add key expiration to output message
Sam Hartman [Tue, 10 Mar 2015 00:31:21 +0000 (20:31 -0400)]
Start depending on glib
We need glib for ISO 8601 time functions and
plan to use it for more.
Adam Bishop [Wed, 10 Dec 2014 11:43:42 +0000 (11:43 +0000)]
Workaround for glibc bug 14347
Adam Bishop [Thu, 27 Nov 2014 15:56:58 +0000 (15:56 +0000)]
Add logging to the default main config
Adam Bishop [Tue, 9 Dec 2014 13:27:13 +0000 (13:27 +0000)]
Replace calls to fprintf with new tr_* macros
Sam Hartman [Mon, 9 Mar 2015 13:38:46 +0000 (09:38 -0400)]
tr_main: clean up void pointer style
Sam Hartman [Mon, 9 Mar 2015 11:54:12 +0000 (07:54 -0400)]
Initial path and expiration utilities
Add path functions to tid_req and tid_resp
Add path members and expiration to tid_req and tid_resp
Update copyrights
Sam Hartman [Mon, 23 Feb 2015 16:58:14 +0000 (11:58 -0500)]
tid_req_free: delete GSS context
Free the gss context in a TID request.
Adam Bishop [Thu, 27 Nov 2014 15:55:27 +0000 (15:55 +0000)]
Add logging values to the TR config struct, code to parse it, and a default value in case it is not configured
Adam Bishop [Tue, 9 Dec 2014 13:47:26 +0000 (13:47 +0000)]
Add some audit messages to be logged
Adam Bishop [Mon, 8 Dec 2014 14:15:11 +0000 (14:15 +0000)]
Update Makefile.am to include new sources
Adam Bishop [Wed, 10 Dec 2014 18:13:24 +0000 (18:13 +0000)]
Add functions to log trust query results handled by the TID server
Adam Bishop [Thu, 27 Nov 2014 13:40:53 +0000 (13:40 +0000)]
Adding syslog into configure checks
Adam Bishop [Thu, 27 Nov 2014 13:29:47 +0000 (13:29 +0000)]
Specfile minor version bump
Sam Hartman [Tue, 4 Nov 2014 20:46:51 +0000 (15:46 -0500)]
update spec version
Margaret Wasserman [Tue, 4 Nov 2014 20:35:09 +0000 (15:35 -0500)]
Remove period from default configuration message.
Margaret Wasserman [Tue, 4 Nov 2014 20:30:28 +0000 (15:30 -0500)]
Add default aaa server to config printout, remove redundant log message.
Sam Hartman [Tue, 14 Oct 2014 06:28:28 +0000 (02:28 -0400)]
TODONES!
Sam Hartman [Wed, 8 Oct 2014 18:33:33 +0000 (14:33 -0400)]
Fix home directory of trust router user in centos packaging
Sam Hartman [Tue, 7 Oct 2014 14:32:05 +0000 (10:32 -0400)]
Update version in spec file
Sam Hartman [Tue, 7 Oct 2014 10:10:28 +0000 (06:10 -0400)]
Mark version 1.4.1
Sam Hartman [Tue, 7 Oct 2014 10:08:55 +0000 (06:08 -0400)]
Set busy timeout
Set a busy timeout in the tids sqlite3 setup code so that we do not
fail on any database locking. As an example in 1.4 if two tids
processes try to write at the same time, one will fail.
Sam Hartman [Tue, 7 Oct 2014 10:02:35 +0000 (06:02 -0400)]
tr_config: remove free calls
Since we're using talloc, we only need to free the entire
configuration and that will cascade to sub objects. Remove calls to
free, which are wrong anyway for talloc'd memory.
Sam Hartman [Tue, 7 Oct 2014 09:57:51 +0000 (05:57 -0400)]
tr_req_handler: Handle non-defaulted case
In 1.4, we broke forwarding requests that were not defaulted. We
looked up the community as a member of the community rather than the
realm. Fix this logic error.
Also, update error messages to be more accurate and to fix a spelling error.
Sam Hartman [Fri, 26 Sep 2014 15:41:58 +0000 (11:41 -0400)]
Fix typo
Sam Hartman [Fri, 26 Sep 2014 14:57:51 +0000 (10:57 -0400)]
move tids.init to redhat
Patch from Stefan Paetow
Sam Hartman [Fri, 26 Sep 2014 13:51:42 +0000 (09:51 -0400)]
Actually include *.cfg in future source tarballs
Sam Hartman [Fri, 26 Sep 2014 13:41:44 +0000 (09:41 -0400)]
dist extra files in redhat
Margaret Wasserman [Tue, 23 Sep 2014 19:23:06 +0000 (15:23 -0400)]
Merge Stefan's changes for TIDS init scripts for Centos.
Margaret Wasserman [Tue, 23 Sep 2014 19:02:32 +0000 (15:02 -0400)]
Don't check IDP membership when defaulting, minor fixes.
Margaret Wasserman [Tue, 23 Sep 2014 01:37:38 +0000 (21:37 -0400)]
Add configuration for default next-hop
Margaret Wasserman [Tue, 23 Sep 2014 01:36:16 +0000 (21:36 -0400)]
Merge branch 'tr-peering' of moonshot.suchdamage.org:/srv/git/trust_router into tr-peering
Sam Hartman [Tue, 23 Sep 2014 00:04:41 +0000 (20:04 -0400)]
Don't loop on waitpid returning 0
Margaret Wasserman [Fri, 19 Sep 2014 19:38:37 +0000 (15:38 -0400)]
Updated version number
Margaret Wasserman [Fri, 19 Sep 2014 19:28:30 +0000 (15:28 -0400)]
Fixes to make build work after merging.
Margaret Wasserman [Fri, 19 Sep 2014 19:13:52 +0000 (15:13 -0400)]
Merge remote-tracking branch 'origin/tr-peering' into tr-peering
Margaret Wasserman [Fri, 19 Sep 2014 19:01:10 +0000 (15:01 -0400)]
Commit changes to allow a default server and to improve peering config.
Margaret Wasserman [Mon, 15 Sep 2014 15:31:58 +0000 (11:31 -0400)]
Clean up any zombie processes whenever a new request is forked.
Stefan Paetow [Fri, 19 Sep 2014 17:02:38 +0000 (18:02 +0100)]
Update tids.initd
A tweak or two because of tids status.
Stefan Paetow [Fri, 19 Sep 2014 16:29:31 +0000 (17:29 +0100)]
Update trust_router.spec
Keep the SPEC clean and tidy.
Stefan Paetow [Fri, 19 Sep 2014 16:26:10 +0000 (17:26 +0100)]
Update trust_router.spec
Add the TIDS script to the SPEC file to be added to the installation. It does *not* mean that TIDS is auto-started or enabled in chkconfig. That is a manual step when the admin is ready to do so.
Stefan Paetow [Fri, 19 Sep 2014 15:47:38 +0000 (16:47 +0100)]
Create sysconfig.tids
The TIDS sysconfig file - Stores the tids configuration
Stefan Paetow [Fri, 19 Sep 2014 15:44:02 +0000 (16:44 +0100)]
Create tids-wrapper
The wrapper for the TIDS executable. Makes TIDS go nicely into the background
Stefan Paetow [Fri, 19 Sep 2014 15:41:46 +0000 (16:41 +0100)]
Update tids.initd
Revamped to use Adam B's method of 'double-forking'. Seems to function just as well.
Stefan Paetow [Fri, 19 Sep 2014 15:30:47 +0000 (16:30 +0100)]
Create tids.initd
Initial version sent to Sam H.
Adam Bishop [Wed, 3 Sep 2014 13:02:58 +0000 (14:02 +0100)]
Specfile version bump
Adam Bishop [Wed, 3 Sep 2014 13:02:02 +0000 (14:02 +0100)]
Don't recreate the log directory if it is still available
Adam Bishop [Wed, 3 Sep 2014 12:45:05 +0000 (13:45 +0100)]
Move user creation to %pre, and use the method the redhat manual suggests
Adam Bishop [Wed, 3 Sep 2014 12:43:28 +0000 (13:43 +0100)]
Changing the spec file to package the redhat init scripts and config
Adam Bishop [Wed, 3 Sep 2014 12:38:21 +0000 (13:38 +0100)]
Include /redhat when installing
Adam Bishop [Wed, 3 Sep 2014 12:35:04 +0000 (13:35 +0100)]
Adding files for running trust_router on rhel6-ish distributions nicely
Sam Hartman [Wed, 27 Aug 2014 23:59:38 +0000 (19:59 -0400)]
remove indentation in makefile which breaks install rule
(cherry picked from commit 8ee1a1c9a537c2d4847571c6611f3f32187c5eff)
Sam Hartman [Wed, 27 Aug 2014 22:31:59 +0000 (18:31 -0400)]
Release 1.3.1 for stable point for Debian
Sam Hartman [Wed, 27 Aug 2014 22:57:47 +0000 (18:57 -0400)]
gsscon_passive: remove dead code
Adam Bishop [Wed, 20 Aug 2014 18:01:54 +0000 (19:01 +0100)]
Allow tidc to take a port number as an optional argument
Sam Hartman [Wed, 30 Jul 2014 23:44:12 +0000 (19:44 -0400)]
We don't install the tids.service until rhel7
Sam Hartman [Wed, 30 Jul 2014 23:23:39 +0000 (19:23 -0400)]
Standardized approach to systemd unit files
Sam Hartman [Wed, 30 Jul 2014 22:00:59 +0000 (18:00 -0400)]
Create user and populate keys database
Sam Hartman [Wed, 30 Jul 2014 19:29:20 +0000 (15:29 -0400)]
Convince Centos not to override -Wno-parenthesis
Sam Hartman [Wed, 30 Jul 2014 19:24:37 +0000 (15:24 -0400)]
Distribute tr_debug.h
Sam Hartman [Wed, 30 Jul 2014 18:56:20 +0000 (14:56 -0400)]
Include new files in spec
Sam Hartman [Wed, 30 Jul 2014 18:54:51 +0000 (14:54 -0400)]
distribute tids.service and schema.sql
Sam Hartman [Thu, 24 Jul 2014 15:59:41 +0000 (11:59 -0400)]
Centos6 compiler is too picky about typedefs; pacify it.
Sam Hartman [Tue, 22 Jul 2014 14:29:17 +0000 (10:29 -0400)]
Version 1.3
Sam Hartman [Thu, 17 Jul 2014 00:41:45 +0000 (20:41 -0400)]
API improvements needed by freeradius
Sam Hartman [Wed, 16 Jul 2014 16:51:17 +0000 (12:51 -0400)]
In with the scabs, out with the tr_msg union!
The tr_msg union led to a number of security issues because the code
tended to check to see if msg->msg_struct_name was non-null. However,
it was always non-null because the pointer was shared among all the
union members. Instead, use accessors for everything.
LP: #1333734
Sam Hartman [Wed, 16 Jul 2014 15:17:52 +0000 (11:17 -0400)]
ABI/API break: pass in TID_RESP * to handler
Previously, we passed in TID_RESP ** to the request handler. However,
the request handlers assumed that the response was allocated. We
don't want responses allocated in the handler, so make it a single
pointer.
Note that the existing handler interface is probably inappropriate for
an event-loop-based trust router.
Sam Hartman [Mon, 21 Jul 2014 21:44:36 +0000 (17:44 -0400)]
always use tid_req_new for TID_REQ
Sam Hartman [Mon, 21 Jul 2014 21:43:38 +0000 (17:43 -0400)]
Enable talloc error reporting for tids and tidc
Sam Hartman [Tue, 15 Jul 2014 20:38:12 +0000 (16:38 -0400)]
Track num_servers correctly
Sam Hartman [Tue, 15 Jul 2014 15:39:15 +0000 (11:39 -0400)]
TID_RESP: array of servers rather than linked list
Provide an array of servers rather than a linked list for easier sorting.
TID_RESP is now allocated by talloc.
Sam Hartman [Tue, 15 Jul 2014 14:07:29 +0000 (10:07 -0400)]
Make tid types opaque
Sam Hartman [Mon, 14 Jul 2014 19:59:46 +0000 (15:59 -0400)]
It is not a failure to have no constraints at all, although no authorizations are created
Sam Hartman [Mon, 14 Jul 2014 19:55:27 +0000 (15:55 -0400)]
tr_constraints: constraint set members can have limited types
If a constraint set member has a domain constraint but no realm
constraint, treat that as a universal realm constraint (*).
However, if no constraint set member has that constraint type then
access is denied; we do not fail open.
Sam Hartman [Mon, 14 Jul 2014 18:18:36 +0000 (14:18 -0400)]
Include authorizations view in schema
Sam Hartman [Fri, 11 Jul 2014 19:12:34 +0000 (15:12 -0400)]
Iterators also needed for tests
Sam Hartman [Fri, 11 Jul 2014 19:12:24 +0000 (15:12 -0400)]
don't redefine json_t
Sam Hartman [Fri, 11 Jul 2014 19:03:12 +0000 (15:03 -0400)]
Back port jansson iterators
Sam Hartman [Mon, 7 Jul 2014 18:27:48 +0000 (14:27 -0400)]
tids: include constraints in database
New table authorizations includes constraints for domain and realm as
well as the COI and APC used for the connection.
Sam Hartman [Thu, 3 Jul 2014 20:40:48 +0000 (16:40 -0400)]
tr_constraint_set_get_match_strings
New function to retrieve the wild card strings that match a constraint
type for an intersected constraint set.
As a result convert TID_REQ to using talloc.
Depend on talloc project wide.
Sam Hartman [Thu, 3 Jul 2014 20:38:57 +0000 (16:38 -0400)]
tr_dh_pub_digest
Function to compute public key digest of client. Use to store that in
sqlite3 database. Update schema.
Sam Hartman [Thu, 3 Jul 2014 14:43:50 +0000 (10:43 -0400)]
copyright update
Sam Hartman [Thu, 3 Jul 2014 14:36:35 +0000 (10:36 -0400)]
Include constraints in tid_req messages
Sam Hartman [Wed, 2 Jul 2014 09:41:41 +0000 (05:41 -0400)]
Makefile: enable tests and -Werror
Enable t_constraint tests in make check
Also enable -Werror since we pass with that.
Sam Hartman [Wed, 2 Jul 2014 09:37:06 +0000 (05:37 -0400)]
tr_constraint_set_intersect
New function to intersect a constraint set and return a constraint
describing the domain and realm constraints that can be met by the
set.
Include tests for this. The particular test cases are also designed
to test merge_constraints (included in this patch) and
tr_prefix_wildcard_match.
Sam Hartman [Wed, 2 Jul 2014 09:34:12 +0000 (05:34 -0400)]
tid_req: Store json references
Support storing references to json objects in TID requests.
Sam Hartman [Wed, 2 Jul 2014 09:30:21 +0000 (05:30 -0400)]
Move tr_prefix_wildcard_match to tr_constraint.c
We need tr_prefix_wildcard_match for merge_constraints and for
tr_filter.c. Export it from libtr_tid even though it's in a private
header. It's not part of the public API but is part of the library so
tr_filter can import it.
Also, fix bug; all strings were treated as wildcards.
Sam Hartman [Mon, 26 May 2014 19:44:21 +0000 (15:44 -0400)]
fix keys creation