From 8ab5ef7efbd75eea9b8674e3a4deea59c3483919 Mon Sep 17 00:00:00 2001
From: Margaret Wasserman
Date: Tue, 23 Sep 2014 15:02:32 -0400
Subject: [PATCH] Don't check IDP membership when defaulting, minor fixes.

---
 common/tr_config.c | 2 +-
 tr/manual.cfg | 2 +-
 tr/portal.cfg | 58 +++++++-----------------------------------------------
 tr/tr_main.c | 28 ++++++++++++++------------
 4 files changed, 24 insertions(+), 66 deletions(-)

diff --git a/common/tr_config.c b/common/tr_config.c
index ca8520e..9b9fb19 100644
--- a/common/tr_config.c
+++ b/common/tr_config.c
@@ -405,7 +405,7 @@ static TR_CFG_RC tr_cfg_parse_rp_clients (TR_CFG *trc, json_t *jcfg) {
 &rc))) {
 return rc;
 }
- fprintf(stderr, "tr_cfg_parse_rp_clients: RP client configured -- first gss: %s", rp->gss_names[0]->buf);
+ fprintf(stderr, "tr_cfg_parse_rp_clients: RP client configured -- first gss: %s\n", rp->gss_names[0]->buf);
 rp->next = trc->rp_clients;
 trc->rp_clients = rp;
 }
diff --git a/tr/manual.cfg b/tr/manual.cfg
index 399878c..5d33638 100644
--- a/tr/manual.cfg
+++ b/tr/manual.cfg
@@ -1,2 +1,2 @@
 {"tr_internal":{"max_tree_depth": 4,
- "hostname":"moonshot-proxy.local"}}
\ No newline at end of file
+ "hostname":"margaret-moonshot3.local"}}
\ No newline at end of file
diff --git a/tr/portal.cfg b/tr/portal.cfg
index 0998e1f..6ead29d 100644
--- a/tr/portal.cfg
+++ b/tr/portal.cfg
@@ -2,31 +2,12 @@
 "communities": [
 {
 "apcs": [
- "pci-community.ja.net"
 ],
- "community_id": "comm.offcenter.org",
+ "community_id": "apc.painless-security.com",
 "idp_realms": [
- "idr2.offcenter.org"
 ],
 "rp_realms": [
- "sr3.offcenter.org"
- ],
- "type": "coi"
- },
- {
- "apcs": [
-
- ],
- "community_id": "pci-community.ja.net",
- "idp_realms": [
- "idr1.offcenter.org",
- "idr2.offcenter.org",
- "ja.net",
- "no-longer-untitled.offcenter.org"
- ],
- "rp_realms": [
- "exchange.ja.net",
- "sr3.offcenter.org"
+ "margaret-2.painless-security.com"
 ],
 "type": "apc"
 }
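Review bot: The one community left in portal.cfg, `apc.painless-security.com`, now has an empty `"idp_realms": [ ]`, so an IdP-membership lookup against this APC can never succeed; the tr_main.c hunks in this same commit still perform that lookup on the non-defaulting path, which (as far as can be seen here) leaves only requests that default to an AAA server able to pass with this config. If the sample is meant to exercise the non-defaulting path too, the list needs at least the test IdP realm; if the empty list is deliberate, the commit message is the place to say so, since JSON cannot carry a comment. The new `margaret-2.painless-security.com` realm here and the `margaret-moonshot3.local` hostname in manual.cfg also read as one developer's local setup being committed into the shared sample configs.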
@@ -79,49 +60,24 @@
 "filter_lines": [
 {
 "action": "accept",
- "domain_constraints": ["*.exchange.ja.net"],
- "filter_specs": [
- {
- "field": "rp_realm",
- "match": "exchange.ja.net"
- },
- {
- "field": "rp_realm",
- "match": "*.exchange.ja.net"
- }
- ],
- "realm_constraints": ["*.exchange.ja.net", "a.com"]
- }
- ],
- "type": "rp_permitted"
- },
- "gss_names": [
- "01b80aa9-8753-4691-8f8a-f49f7793546f@portal-realm.ja.net"
- ]
- },
- {
- "filter": {
- "filter_lines": [
- {
- "action": "accept",
- "domain_constraints": ["*.bob.sr3.offcenter.org"],
+ "domain_constraints": ["*.painless-security.com"],
 "filter_specs": [
 {
 "field": "rp_realm",
- "match": "sr3.offcenter.org"
+ "match": "margaret-2.painless-security.com"
 },
 {
 "field": "rp_realm",
- "match": "*.sr3.offcenter.org"
+ "match": "*.margaret-2.painless-security.com"
 }
 ],
- "realm_constraints": ["*.sr3.offcenter.org" ]
+ "realm_constraints": ["*.painless-security.com", "a.com"]
 }
 ],
 "type": "rp_permitted"
 },
 "gss_names": [
- "895c308a-5624-4055-bb4f-ea24b77e6637@portal-realm.ja.net"
+ "4b95cd61-616f-48f2-9713-7d2cbe19ce69@apc.painless-security.com"
 ]
 }
 ]
diff --git a/tr/tr_main.c b/tr/tr_main.c
index 98aa2bb..659f899 100644
--- a/tr/tr_main.c
+++ b/tr/tr_main.c
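Review bot: `"realm_constraints": ["*.painless-security.com", "a.com"]` on the new side carries `"a.com"` over from the removed exchange.ja.net client entry, where it sat next to an unrelated `*.exchange.ja.net` pattern, so it looks like a leftover test value rather than a realm this RP client should be allowed to name. If realm_constraints bounds what the client may request, as its name suggests, an unintended entry widens that client's reach; if it is not needed the line should be `"realm_constraints": ["*.painless-security.com"]`. JSON cannot hold a comment, so if `"a.com"` is deliberate, the commit message should say why.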
@@ -119,17 +119,12 @@ static int tr_tids_req_handler (TIDS_INSTANCE *tids,
 tids_send_err_response(tids, orig_req, "RP Realm filter error");
 return -1;
 }
- /* Check that the rp_realm and target_realm are members of the community in the request */
+ /* Check that the rp_realm is a member of the community in the request */
 if (NULL == (tr_find_comm_rp(cfg_comm, orig_req->rp_realm))) {
- fprintf(stderr, "tr_tids_req_hander: RP Realm (%s) not member of community (%s).\n", orig_req->rp_realm->buf, orig_req->comm->buf);
+ fprintf(stderr, "tr_tids_req_handler: RP Realm (%s) not member of community (%s).\n", orig_req->rp_realm->buf, orig_req->comm->buf);
 tids_send_err_response(tids, orig_req, "RP COI membership error");
 return -1;
 }
- if (NULL == (tr_find_comm_idp(cfg_comm, orig_req->realm))) {
- fprintf(stderr, "tr_tids_req_hander: IDP Realm (%s) not member of APC (%s).\n", orig_req->realm->buf, orig_req->comm->buf);
- tids_send_err_response(tids, orig_req, "IDP COI membership error");
- return -1;
- }
 
 /* Map the comm in the request from a COI to an APC, if needed */
 if (TR_COMM_COI == cfg_comm->type) {
@@ -152,17 +147,12 @@ static int tr_tids_req_handler (TIDS_INSTANCE *tids,
 fwd_req->comm = apc;
 fwd_req->orig_coi = orig_req->comm;
 
- /* Check that rp_realm and target_realm are members of this APC */
+ /* Check that rp_realm is a member of this APC */
 if (NULL == (tr_find_comm_rp(cfg_apc, orig_req->rp_realm))) {
 fprintf(stderr, "tr_tids_req_hander: RP Realm (%s) not member of community (%s).\n", orig_req->rp_realm->buf, orig_req->comm->buf);
 tids_send_err_response(tids, orig_req, "RP APC membership error");
 return -1;
 }
- if (NULL == (tr_find_comm_idp(cfg_apc, orig_req->realm))) {
- fprintf(stderr, "tr_tids_req_hander: IDP Realm (%s) not member of APC (%s).\n", orig_req->realm->buf, orig_req->comm->buf);
- tids_send_err_response(tids, orig_req, "IDP APC membership error");
- return -1;
- }
 }
 
 /* Find the AAA server(s) for this request */
@@ -176,6 +166,18 @@ static int tr_tids_req_handler (TIDS_INSTANCE *tids,
 tids_send_err_response(tids, orig_req, "No path to AAA Server(s) for realm");
 return -1;
 }
+ } else {
+ /* if we aren't defaulting, check idp coi and apc membership */
+ if (NULL == (tr_find_comm_idp(cfg_comm, fwd_req->orig_coi))) {
+ fprintf(stderr, "tr_tids_req_hander: IDP Realm (%s) not member of APC (%s).\n", orig_req->realm->buf, orig_req->comm->buf);
+ tids_send_err_response(tids, orig_req, "IDP COI membership error");
+ return -1;
+ }
+ if (NULL == (tr_find_comm_idp(cfg_apc, fwd_req->comm))) {
+ fprintf(stderr, "tr_tids_req_hander: IDP Realm (%s) not member of APC (%s).\n", orig_req->realm->buf, orig_req->comm->buf);
+ tids_send_err_response(tids, orig_req, "IDP APC membership error");
+ return -1;
+ }
 }
 
 /* send a TID request to the AAA server(s), and get the answer(s) */
-- 
2.1.4
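Review bot: The two new `tr_find_comm_idp` calls in the non-defaulting branch pass community names rather than the IdP realm: `fwd_req->orig_coi` is the original COI's id and `fwd_req->comm` is the APC's id (both assigned in the previous hunk), whereas the checks this commit removed looked up `orig_req->realm`, and the log lines here still print `orig_req->realm->buf`. As written each check asks whether a community's own name appears in its idp_realms list, so a genuine IdP realm is likely rejected and the realm that actually matters is never looked up; both lookups should use the realm, `if (NULL == (tr_find_comm_idp(cfg_comm, orig_req->realm)))` and `if (NULL == (tr_find_comm_idp(cfg_apc, orig_req->realm)))`. When the request names an APC directly the COI branch earlier in the function is skipped, so whether `cfg_apc` and `fwd_req->orig_coi` are initialised on this path cannot be seen here and the second check may dereference an unset value — worth confirming before merging. The new log strings also reintroduce the `tr_tids_req_hander` misspelling that the first hunk corrects. tr_tids_req_handler starts and ends outside this hunk.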