mrw42 [Fri, 4 May 2018 18:50:16 +0000 (14:50 -0400)]
Merge pull request #62 from painless-security/jennifer/report_incoming_ipaddr
Report incoming IP address when a connection comes in
mrw42 [Thu, 3 May 2018 20:42:46 +0000 (16:42 -0400)]
Merge pull request #59 from painless-security/jennifer/datastructures
Replace fixed length arrays with dynamic lists
mrw42 [Thu, 3 May 2018 20:13:15 +0000 (16:13 -0400)]
Merge pull request #48 from painless-security/jennifer/monitoring
Monitoring interface and back end support (pull request 10)
mrw42 [Thu, 3 May 2018 20:11:35 +0000 (16:11 -0400)]
Merge pull request #57 from painless-security/jennifer/show_rp_clients
Add show rp_clients command (pull request 9)
mrw42 [Thu, 3 May 2018 20:10:13 +0000 (16:10 -0400)]
Merge pull request #56 from painless-security/jennifer/show_realms
Add show realms command (pull request 8)
mrw42 [Thu, 3 May 2018 20:09:12 +0000 (16:09 -0400)]
Merge pull request #55 from painless-security/jennifer/show_communities
Add show communities command (pull request 7)
mrw42 [Thu, 3 May 2018 20:08:08 +0000 (16:08 -0400)]
Merge pull request #54 from painless-security/jennifer/show_peers
Add the show peers command (pull request 6)
mrw42 [Thu, 3 May 2018 20:07:11 +0000 (16:07 -0400)]
Merge pull request #53 from painless-security/jennifer/show_routes
Add show routes message support (pull request 5)
mrw42 [Thu, 3 May 2018 20:05:51 +0000 (16:05 -0400)]
Merge pull request #52 from painless-security/jennifer/subprocess_status
Report whether TID requests succeed and better clean up zombie TID / MON processes (pull request 4)
mrw42 [Thu, 3 May 2018 20:03:15 +0000 (16:03 -0400)]
Merge pull request #51 from painless-security/jennifer/monitoring_client_and_server
First functioning monitoring client/server (pull request 3)
mrw42 [Thu, 3 May 2018 20:02:05 +0000 (16:02 -0400)]
Merge pull request #50 from painless-security/jennifer/refactoring_tids
TID refactoring (pull request 2)
mrw42 [Thu, 3 May 2018 20:00:42 +0000 (16:00 -0400)]
Merge pull request #49 from painless-security/jennifer/mon_msg_encoders
Add encoders for monitoring messages (pull request 1)
Jennifer Richards [Mon, 30 Apr 2018 17:12:41 +0000 (13:12 -0400)]
Fix JSON reference counting errors
Jennifer Richards [Thu, 26 Apr 2018 20:51:33 +0000 (16:51 -0400)]
Correctly display RP realms in the 'show communities' response
Jennifer Richards [Thu, 26 Apr 2018 16:05:15 +0000 (12:05 -0400)]
Log incoming IP address when accepting a connection
Jennifer Richards [Wed, 25 Apr 2018 17:13:03 +0000 (13:13 -0400)]
Change -v/--validate-config to -C/--config-validate
There are enough things that use v; we'll accept Adam Bishop's hint and
copy FreeRADIUS's '-C' choice.
Jennifer Richards [Wed, 25 Apr 2018 17:08:06 +0000 (13:08 -0400)]
Merge pull request #60 from painless-security/jennifer/validate_config
Validate config with -v or --validate-config options
Jennifer Richards [Wed, 25 Apr 2018 17:05:30 +0000 (13:05 -0400)]
Validate config with -v or --validate-config options
Removes the -v short form for --version
Jennifer Richards [Wed, 25 Apr 2018 16:47:19 +0000 (12:47 -0400)]
Use TR_LIST for TR_GSS_NAMES
Jennifer Richards [Wed, 25 Apr 2018 16:04:37 +0000 (12:04 -0400)]
Change most while loops over TR_LISTs to for loops
The while loop pattern (i = first(); while(i){blah; i = next()})
was error-prone -- too easy to overlook or forget the next() call.
Changed most of these to for loops to make the iteration more apparent.
Added a few comments. No intentional functional changes.
Jennifer Richards [Wed, 25 Apr 2018 15:43:35 +0000 (11:43 -0400)]
Add a few comments
Jennifer Richards [Tue, 24 Apr 2018 21:21:43 +0000 (17:21 -0400)]
Add missing %.*s so debug message includes GSS name
Jennifer Richards [Tue, 24 Apr 2018 15:48:27 +0000 (11:48 -0400)]
Use TR_LIST for domain/realm constraint matches
Jennifer Richards [Tue, 24 Apr 2018 01:48:34 +0000 (21:48 -0400)]
Use TR_LIST for TR_FILTER's 'flines' member
Jennifer Richards [Tue, 24 Apr 2018 01:42:42 +0000 (21:42 -0400)]
Use TR_LIST for TR_FLINE's 'fspec' member
* Replace custom iterators with generic iterator
* Add 'steal' option to steal (or not) an item's talloc context when
adding it to a TR_LIST
* Add tr_list_foreach() function to iterate over a TR_LIST
Jennifer Richards [Mon, 23 Apr 2018 15:01:55 +0000 (11:01 -0400)]
Add a generic TR_LIST type, use for TR_FILTER's 'lines' member
Jennifer Richards [Sat, 21 Apr 2018 06:04:27 +0000 (02:04 -0400)]
Refactor TR_FLINE using GPtrArray
Jennifer Richards [Sat, 21 Apr 2018 05:34:27 +0000 (01:34 -0400)]
Refactor TR_FSPEC using GPtrArray
Jennifer Richards [Sat, 21 Apr 2018 05:04:36 +0000 (01:04 -0400)]
Refactor TR_FILTER using a GPtrArray of filter lines
Jennifer Richards [Sat, 21 Apr 2018 04:17:35 +0000 (00:17 -0400)]
Reimplement TR_GSS_NAMES using GPtrArray
Jennifer Richards [Sat, 21 Apr 2018 04:17:04 +0000 (00:17 -0400)]
Add const modifier to TR_NAME functions
This should be backward compatible.
Jennifer Richards [Sat, 21 Apr 2018 00:48:25 +0000 (20:48 -0400)]
Bump versions to 3.4.0~1 (did not update ABI version yet)
Jennifer Richards [Sat, 21 Apr 2018 00:44:11 +0000 (20:44 -0400)]
Merge remote-tracking branch 'origin/v3.3.0' into jennifer/monitoring
# Conflicts:
# tr/tr_tid.c
# tr/tr_trp.c
Jennifer Richards [Sat, 21 Apr 2018 00:00:27 +0000 (20:00 -0400)]
Fix lines that were swapped accidentally
Jennifer Richards [Fri, 20 Apr 2018 23:50:49 +0000 (19:50 -0400)]
Check in changes that were accidentally omitted
Jennifer Richards [Fri, 20 Apr 2018 23:17:04 +0000 (19:17 -0400)]
Clean up monitoring format/naming
* change show "serial" to "config_files" to reflect its function
* suppress display of empty strings for unset / irrelevant values when
returning routes / communities
Jennifer Richards [Fri, 20 Apr 2018 22:38:59 +0000 (18:38 -0400)]
Rename acceptor_realm/name to _hostname/service, add some debug output
Jennifer Richards [Fri, 20 Apr 2018 22:32:38 +0000 (18:32 -0400)]
Read GSS credentials for monitoring service
Some refactoring here and there, too.
Jennifer Richards [Fri, 20 Apr 2018 21:03:22 +0000 (17:03 -0400)]
Bump version number (but not shared library version yet). Now 3.3.1~1
Jennifer Richards [Fri, 20 Apr 2018 20:41:40 +0000 (16:41 -0400)]
Bump version number (but not shared library version yet). Now 3.3.1~1
Jennifer Richards [Fri, 20 Apr 2018 19:17:36 +0000 (15:17 -0400)]
Break tr_config.c into smaller chunks
No functional changes
Jennifer Richards [Fri, 20 Apr 2018 18:47:12 +0000 (14:47 -0400)]
Support 'show serial' monitoring request
Jennifer Richards [Fri, 20 Apr 2018 17:27:38 +0000 (13:27 -0400)]
Fix CoI to APC mapping
* Route forwarded request based on mapped APC, not the original COI
* Refactor COI/APC mapping code out of tr_tids_req_handler(), which
remains in desperate need of refactoring for clarity
* Use accessors instead of direct reference to structure elements in a
few places (still more to convert)
* Don't assume TR_NAME buf is null-terminated (it always is AFAIK, but
is not required by the data structure). Still more of these to fix
* Rename tid_req_set_rp_orig_coi() to _set_orig_coi(). It's not exported
as part of the public API and was not used in our code. I think this
was originally a copy/paste error.
This resolves https://bugs.launchpad.net/moonshot-tr/+bug/1765681
Jennifer Richards [Fri, 20 Apr 2018 15:07:10 +0000 (11:07 -0400)]
Update tids->hostname after configuration reload
This was also done in
3b59db3c5565b707e745d58f7ec1df1bdc7c1895.
Fixes https://bugs.launchpad.net/moonshot-tr/+bug/1765633
Jennifer Richards [Thu, 19 Apr 2018 23:35:20 +0000 (19:35 -0400)]
Add encoders for tr_filters, include in peer and rp_client encoders
Jennifer Richards [Thu, 19 Apr 2018 21:43:00 +0000 (17:43 -0400)]
Add support for "show rp_clients" monitoring request
Jennifer Richards [Thu, 19 Apr 2018 21:27:17 +0000 (17:27 -0400)]
Separate tr_rp and tr_rp_client into separate modules
No functional changes
Jennifer Richards [Thu, 19 Apr 2018 21:01:13 +0000 (17:01 -0400)]
Add support for "show realms" monitoring request
Jennifer Richards [Thu, 19 Apr 2018 19:55:49 +0000 (15:55 -0400)]
Improve structure of realm listings in 'show communities' response
Jennifer Richards [Thu, 19 Apr 2018 18:54:39 +0000 (14:54 -0400)]
Add support for show communities monitoring request
Jennifer Richards [Thu, 19 Apr 2018 16:58:10 +0000 (12:58 -0400)]
Add support for show peers monitoring request
Jennifer Richards [Thu, 19 Apr 2018 16:57:42 +0000 (12:57 -0400)]
Refactor trp_route_encoders for better style
Jennifer Richards [Thu, 19 Apr 2018 16:14:18 +0000 (12:14 -0400)]
Split trp_ptable into trp_ptable, trp_peer, and _encoders modules
No functional changes
Jennifer Richards [Thu, 19 Apr 2018 15:51:28 +0000 (11:51 -0400)]
Support "show routes" monitoring request
* Separate _to_string and _to_json functions into _encoders.c files
for trp_rtable and trp_route
* Add monitoring handler to call trp_rtable_to_json()
Jennifer Richards [Thu, 19 Apr 2018 14:55:02 +0000 (10:55 -0400)]
Separate trp_route and trp_rtable, move timespec_to_str to tr_util.c
No functional changes
Jennifer Richards [Thu, 19 Apr 2018 03:18:24 +0000 (23:18 -0400)]
Make trmon into a usable command-line interface
* accept monitoring request command/options on the command line
* display response JSON to stdout
* remove extraneous stdout output
Jennifer Richards [Thu, 19 Apr 2018 02:39:44 +0000 (22:39 -0400)]
Periodically call tids_sweep_procs() during trust router operation
Jennifer Richards [Thu, 19 Apr 2018 01:59:03 +0000 (21:59 -0400)]
Add better error checking for waitpid in tids_sweep_procs
Jennifer Richards [Thu, 19 Apr 2018 00:20:29 +0000 (20:20 -0400)]
Use pipe instead of exit status to determine whether TID req succeeded
The exit status of the TID process is not reliable --- with some
versions of moonshot-gss-eap, a segfault occurs during tear-down and
contaminates the process status returned by waitpid.
Jennifer Richards [Wed, 18 Apr 2018 17:45:21 +0000 (13:45 -0400)]
Track and clean up monitoring processes by pid, fix some debug msgs
Jennifer Richards [Wed, 18 Apr 2018 17:34:26 +0000 (13:34 -0400)]
Track TID processes and add TID req counts for success/error/pending
* Track TID processes by pid
* Add handlers for the TID req counts
Still only check for terminated TID processes after the next one comes
in; should either periodically sweep or check this after a child
terminates and sends SIGCHLD.
Jennifer Richards [Wed, 18 Apr 2018 15:41:06 +0000 (11:41 -0400)]
Add TID_REQ_COUNT handler
* Add a separate source file for TID-related monitoring handlers
* Increment tids->req_count in the main process, otherwise it will
always seem to be zero. This does mean any connection to the TID
port is counted as a tid request, which is not perfect.
Jennifer Richards [Wed, 18 Apr 2018 15:16:42 +0000 (11:16 -0400)]
Collect return codes from monitoring handlers and indicate errors
Jennifer Richards [Wed, 18 Apr 2018 14:09:10 +0000 (10:09 -0400)]
Get rid of CLion warnings about undefined PACKAGE_* macros
Jennifer Richards [Wed, 18 Apr 2018 03:38:27 +0000 (23:38 -0400)]
Replace static monitor handler tables with dynamic handler registry
* Keep a list of handlers as part of MONS_INSTANCE
- each handles a command/opt_type pair
- registered via mons_register_handler()
* Scan the list of handlers when servicing a monitoring request
* Add handlers for version and uptime, registered through tr_main.c
(probably need to move these, but this works as a demo)
Jennifer Richards [Tue, 17 Apr 2018 18:15:53 +0000 (14:15 -0400)]
First functional monitoring server - can return the trust router version
Jennifer Richards [Tue, 17 Apr 2018 16:58:44 +0000 (12:58 -0400)]
First steps toward actually handling monitoring requests
Jennifer Richards [Tue, 17 Apr 2018 16:27:15 +0000 (12:27 -0400)]
Use TR_MSG instead of encoded strings in GSS request handler interface
Also some further cleanup of header files and data types.
Jennifer Richards [Tue, 17 Apr 2018 16:07:56 +0000 (12:07 -0400)]
Clean up TR_MSG, hopefully getting talloc context handling right
I had assumed in a few places that TR_MSGs and the various message
payload types were always allocated dynamically via talloc(). This is
not a safe assumption - in a few places, we use stack-allocated TR_MSGs
and these are all used outside our code via the libtr_tid library.
We now use talloc when we can (i.e., when we have encoded or decoded
a message and know we used talloc), but otherwise leave it to the calling
code to properly manage memory.
Jennifer Richards [Mon, 16 Apr 2018 21:50:13 +0000 (17:50 -0400)]
Fix makefile, full make now succeeds
Jennifer Richards [Mon, 16 Apr 2018 21:32:01 +0000 (17:32 -0400)]
Refactor tidc/monc to better share code
* Implement minimal decoding of monitoring responses
* Add tr_gss_client.[ch] to house GSS req/resp message exchange
* Always use 'payload' as the key for MON_RESP payload, don't name it
after the command that it is responding to
* Use better reference count behavior for MON_RESP payload
* Move typedefs out of mon_internal.h to mon.h to avoid cyclic header
dependencies
* Fix some minor integer type mismatches in option parser
* Update various test programs to use extra argument to
tr_msg_(en/de)code methods
Jennifer Richards [Mon, 16 Apr 2018 17:08:00 +0000 (13:08 -0400)]
Make better use of talloc for TR_MSG handling
Jennifer Richards [Mon, 16 Apr 2018 16:31:34 +0000 (12:31 -0400)]
Enclose macro arguments in parentheses
Jennifer Richards [Fri, 13 Apr 2018 21:02:18 +0000 (17:02 -0400)]
First pass at a trmon command-line interface; fix a few bugs
At this point, if you hack tr_mons_auth_handler() to always return 0
(success), then trmon can connect to the trust router's monitoring port
and retrieve a test message. That counts as first contact, I guess.
Actual functionality is still to come.
* Create basic trmon utility based closely on tidc
* Temporarily use void pointers for trps/tids handles in the MON_INSTANCE
structure - there is a header file cycle that prevents compilation.
Need to sort that out, but this works for the moment.
* Fill in tr_msg handlers for monitoring message encoders/decoders
* Revert to the monitoring msg decoder working from json, not a string,
since that is what we need. This breaks the test programs for now.
Jennifer Richards [Fri, 13 Apr 2018 20:03:52 +0000 (16:03 -0400)]
Further work on tids and monitoring, tids appears to work again
* Actually encode the TID response!
* Do not directly send responses from tids_req_handler(), set the
properties in the response and return with an error code
* Add hostname to MONS_INSTANCE
* Update tids hostname after configuration change
* Add a tid_resp_cpy() function to duplicate a TID_RESP into a struct
that already exists
Jennifer Richards [Fri, 13 Apr 2018 16:43:25 +0000 (12:43 -0400)]
Parse monitoring port from internal configuration
Jennifer Richards [Fri, 13 Apr 2018 16:28:23 +0000 (12:28 -0400)]
Refactor to eliminate repeated code in tr_cfg_parse_internal()
Jennifer Richards [Fri, 13 Apr 2018 15:37:03 +0000 (11:37 -0400)]
Move internal config parser to a separate file
Jennifer Richards [Fri, 13 Apr 2018 15:01:32 +0000 (11:01 -0400)]
Add stub of handler for monitoring requests
Trust router now builds and opens monitoring port
Jennifer Richards [Fri, 13 Apr 2018 14:31:24 +0000 (10:31 -0400)]
Remove several unused parameters and clean up some lint warnings
Jennifer Richards [Fri, 13 Apr 2018 14:16:00 +0000 (10:16 -0400)]
Further cleanup of tr_gss and usage for tids handling
The trust router now builds, but the monitoring parser tests do not.
* Eliminate extra layer of auth callback when using tr_gss.c, services
using it now need only one auth callback
* Document tr_gss.c's intended usage
* Flesh out the MONS_INSTANCE structure
* Fix a couple more pedantic data typing errors
Jennifer Richards [Thu, 12 Apr 2018 20:27:15 +0000 (16:27 -0400)]
Fix accidentally changed variable name in function prototype
Jennifer Richards [Thu, 12 Apr 2018 20:24:32 +0000 (16:24 -0400)]
Checkpoint commit: refactoring the request code in TIDS for better reuse
* Move tr_gss.[ch] to tr_gss_names.[ch], that is what the files contain
* Add new tr_gss.[ch] containing generalized GSS request/response code
* Refactor tids request handlers to use generalized code
* First steps towards a monitoring interface handler, not functional
* Rename listen_on_all_addrs() to tr_sock_listen_all()
* Make better use of talloc in a few places
* Clean up a few missing or unused #includes
* Fix a few data types for the sake of pedantry
Jennifer Richards [Thu, 12 Apr 2018 16:57:14 +0000 (12:57 -0400)]
Rename tr_gss.[ch] to tr_gss_names.[ch]
Jennifer Richards [Wed, 11 Apr 2018 23:25:32 +0000 (19:25 -0400)]
Factor out identical tids_listen/trps_listen functions into shared copy
Jennifer Richards [Wed, 11 Apr 2018 21:29:48 +0000 (17:29 -0400)]
Change tr_mon_ prefix to mon_, no functional changes
This better matches other protocol submodule naming (tid_, trp_, gss_)
Jennifer Richards [Wed, 11 Apr 2018 21:06:29 +0000 (17:06 -0400)]
Add encoder for monitoring responses
* add response encoder
* add partial test of response encoder
* move tr_mon.h to include directory
* move code common to req/resp from tr_mon_req.c to tr_mon.c
* fix a couple warnings
Jennifer Richards [Wed, 11 Apr 2018 16:01:14 +0000 (12:01 -0400)]
Add req encode/decode tests to make system, move from test/ to tests/
Jennifer Richards [Wed, 11 Apr 2018 15:41:48 +0000 (11:41 -0400)]
Add CMakeLists.txt for CLion integration
This is not actually used for building the trust router!
Jennifer Richards [Wed, 11 Apr 2018 02:05:12 +0000 (22:05 -0400)]
First pass at monitoring request encoder/decoder and tests
Works, but not yet integrated with the build system.
Jennifer Richards [Fri, 23 Feb 2018 17:06:44 +0000 (12:06 -0500)]
Bump package and ABI version numbers
Jennifer Richards [Thu, 22 Feb 2018 18:48:09 +0000 (13:48 -0500)]
Fix segfault when sweeping realms and communities
Mutation of linked lists led to dereferencing a "next" pointer when the
last item in the list was removed. Fixed in three places.
Jennifer Richards [Fri, 17 Nov 2017 23:18:14 +0000 (18:18 -0500)]
Correct / update example configuration files
* Combine filter specs into single spec with multiple match strings
* Use example.com instead of local in example hostnames
* Remove "max_tree_depth", which is not used
Jennifer Richards [Fri, 17 Nov 2017 17:10:53 +0000 (12:10 -0500)]
Use default AAA servers if we have no route for a TID req realm
Resolves https://bugs.launchpad.net/moonshot-tr/+bug/1643681
Jennifer Richards [Mon, 13 Nov 2017 17:15:30 +0000 (12:15 -0500)]
Update example configuration file to include APC org and realm
Jennifer Richards [Tue, 7 Nov 2017 19:04:56 +0000 (14:04 -0500)]
Update version in trust_router.spec
Jennifer Richards [Tue, 7 Nov 2017 18:05:50 +0000 (13:05 -0500)]
Bump version in configure.ac to 3.0.3
Jennifer Richards [Tue, 7 Nov 2017 17:42:55 +0000 (12:42 -0500)]
Return NULL if dh struct cannot be allocated completely
Resolves https://bugs.launchpad.net/moonshot-tr/+bug/1730679
Jennifer Richards [Tue, 12 Sep 2017 20:31:04 +0000 (16:31 -0400)]
Need libtool also
Jennifer Richards [Tue, 12 Sep 2017 20:28:34 +0000 (16:28 -0400)]
Add automake and m4 to buildrequires