From 462ba78c60d2a1dde2788f4b388dcaa136a858bb Mon Sep 17 00:00:00 2001 From: Sam Hartman Date: Wed, 2 Jul 2014 05:37:06 -0400 Subject: [PATCH] tr_constraint_set_intersect New function to intersect a constraint set and return a constraint describing the domain and realm constraints that can be met by the set. Include tests for this. The particular test cases are also designed to test merge_constraints (included in this patch) and tr_prefix_wildcard_match. --- .gitignore | 1 + Makefile.am | 14 ++- common/t_constraint.c | 86 ++++++++++++++++++ common/tests.json | 34 +++++++ common/tr_constraint.c | 166 ++++++++++++++++++++++++++++++++++- include/tr_debug.h | 40 +++++++++ include/trust_router/tid.h | 3 +- include/trust_router/tr_constraint.h | 19 +++- 8 files changed, 352 insertions(+), 11 deletions(-) create mode 100644 common/t_constraint.c create mode 100644 common/tests.json create mode 100644 include/tr_debug.h diff --git a/.gitignore b/.gitignore index f46797e..7159568 100644 --- a/.gitignore +++ b/.gitignore @@ -19,5 +19,6 @@ libtool config.* tr/trust_router common/dh_test/tr_dh_test +common/t_constraint tid/example/tids tid/example/tidc \ No newline at end of file diff --git a/Makefile.am b/Makefile.am index 0beaa01..5191b75 100644 --- a/Makefile.am +++ b/Makefile.am @@ -3,18 +3,24 @@ AM_CPPFLAGS=-I$(srcdir)/include AM_CFLAGS = -Wall -Werror=missing-prototypes -Werror=strict-prototypes -Wno-parentheses SUBDIRS = gsscon common_srcs = common/tr_name.c \ -common/tr_msg.c \ -common/tr_dh.c \ + common/tr_constraint.c \ + common/tr_msg.c \ + common/tr_dh.c \ common/tr_util.c +check_PROGRAMS = common/t_constraint + lib_LTLIBRARIES = libtr_tid.la +common_t_constraint_SOURCES = common/t_constraint.c +common_t_constraint_CPPFLAGS = $(AM_CPPFLAGS) -DTESTS=\"$(srcdir)/common/tests.json\" +common_t_constraint_LDADD = gsscon/libgsscon.la libtr_tid.la + tr_trust_router_SOURCES = tr/tr_main.c \ common/tr_config.c \ common/tr_idp.c \ common/tr_comm.c \ common/tr_filter.c \ -common/tr_constraint.c \ common/tr_rp.c \ tr/tr.c @@ -55,4 +61,4 @@ systemddir=/lib/systemd/system systemd_DATA=tids.service -EXTRA_DIST = trust_router.spec +EXTRA_DIST = trust_router.spec common/tests.json diff --git a/common/t_constraint.c b/common/t_constraint.c new file mode 100644 index 0000000..7123588 --- /dev/null +++ b/common/t_constraint.c @@ -0,0 +1,86 @@ +/* + * Copyright (c) 2012, JANET(UK) + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of JANET(UK) nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#include +#include +#include + +#include +#include +#include + +static TID_REQ *request = NULL; + +static int handle_test_case( + json_t *tc) +{ + json_t *constraints, *valid, *expected; + int validp; + json_t *result; + assert(constraints = json_object_get(tc, "constraints")); + assert( valid = json_object_get(tc, "valid")); + validp = tr_constraint_set_validate((TR_CONSTRAINT_SET *)constraints); + if (validp != json_is_true(valid)) { + tr_debug("Unexpected validation result for \n"); + json_dumpf( constraints, stderr, JSON_INDENT(4)); + return 0; + } + if (!validp) + return 1; + assert( expected = json_object_get(tc, "expected")); + result = (json_t *) tr_constraint_set_intersect(request, (TR_CONSTRAINT_SET *) constraints); + if (!json_equal(result, expected)) { + tr_debug("Unexpected intersection; actual:\n"); + json_dumpf(result, stderr, JSON_INDENT(4)); + tr_debug("Expected: \n"); + json_dumpf(expected, stderr, JSON_INDENT(4)); + return 0; + } + return 1; +} + +int main(void) { + json_t *tests; + int error=0; + json_t *tc; + size_t index; + request = tid_req_new(); + tests = json_load_file(TESTS, JSON_REJECT_DUPLICATES|JSON_DISABLE_EOF_CHECK, NULL); + json_array_foreach(tests, index, tc) + if (!handle_test_case(tc)) + error = 1; + if (error) + return 1; + return 0; +} diff --git a/common/tests.json b/common/tests.json new file mode 100644 index 0000000..4dee665 --- /dev/null +++ b/common/tests.json @@ -0,0 +1,34 @@ +[ + { + "constraints": [{}], + "valid": true, + "expected": [{}] + }, + { + "constraints": [33], + "valid": false + }, + { + "constraints": [{ + "domain": ["ja.net", "*.ja.net", "foo.ja.net"] + }], + "valid": true, + "expected": [{ + "domain": ["ja.net", "*.ja.net"] + }] + }, + { + "constraints": [{ + "domain": ["*"], + "realm": ["*"] + }, + { + "domain": ["*.cam.ac.uk"] + }], + "expected": [{ + "domain": ["*.cam.ac.uk"], + "realm": [] + }], + "valid": true + } + ] diff --git a/common/tr_constraint.c b/common/tr_constraint.c index f0c3316..60c4e53 100644 --- a/common/tr_constraint.c +++ b/common/tr_constraint.c @@ -32,8 +32,11 @@ * */ #include +#include #include +#include + #include /* Returns TRUE (1) if the the string (str) matchs the wildcard string (wc_str), FALSE (0) if not. @@ -80,7 +83,7 @@ TR_CONSTRAINT_SET *tr_constraint_set_from_fline (TR_FLINE *fline) if (fline->domain_cons) tr_constraint_add_to_set((TR_CONSTRAINT_SET **)&cset, fline->domain_cons); - return cset; + return (TR_CONSTRAINT_SET *) cset; } /* A constraint set is represented in json as an array of constraint @@ -102,7 +105,7 @@ void tr_constraint_add_to_set (TR_CONSTRAINT_SET **cset, TR_CONSTRAINT *cons) /* If we don't already have a json object, create one */ if (!(*cset)) - *cset = json_array(); + *cset = (TR_CONSTRAINT_SET *) json_array(); /* Create a json object representing cons */ jmatches = json_array(); @@ -115,6 +118,163 @@ void tr_constraint_add_to_set (TR_CONSTRAINT_SET **cset, TR_CONSTRAINT *cons) json_object_set_new(jcons, cons->type->buf, jmatches); /* Add the created object to the cset object */ - json_array_append_new(*cset, jcons); + json_array_append_new((json_t *) *cset, jcons); } + int tr_constraint_set_validate(TR_CONSTRAINT_SET *cset) +{ + json_t *json = (json_t *) cset; + size_t i; + json_t *set_member; + if (!json_is_array(json)){ + tr_debug("Constraint_set is not an array"); + return 0; + } + json_array_foreach(json, i, set_member) { + json_t *value; + const char *key; + if (!json_is_object(set_member)) { + tr_debug("Constraint member at %zu is not an object\n", i); + return 0; + } + json_object_foreach( set_member, key, value) { + size_t inner_index; + json_t *inner_value; + if (!json_is_array(value)) { + tr_debug("Constraint type %s at index %zu in constraint set is not an array\n", key, + i); + return 0; + } + json_array_foreach(value, inner_index, inner_value) { + if (!json_is_string(inner_value)) { + tr_debug("Constraint type %s at index %zu in constraint set has non-string element %zu\n", + key, i, inner_index); + return 0; + } + } + } + } + return 1; +} + + +TR_CONSTRAINT_SET *tr_constraint_set_filter( TID_REQ *request, + TR_CONSTRAINT_SET *orig, + const char *constraint_type) +{ + json_t *orig_cset = (json_t*) orig; + json_t *new_cs = NULL; + size_t index; + json_t *set_member; + if (!tr_constraint_set_validate( (TR_CONSTRAINT_SET *) orig_cset)) { + tr_debug ("tr_constraint_set_filter: not a valid constraint set\n"); + return NULL; + } + assert (new_cs = json_array()); + json_array_foreach(orig_cset, index, set_member) { + if (json_object_get( set_member, constraint_type)) + json_array_append(new_cs, set_member); + } + return (TR_CONSTRAINT_SET *) new_cs; +} + +/** + * Within a given constraint object merge any overlapping domain or + * realm constraints. For example ['*','*.net'] can be simplified to + * ['*'] + */ +static void merge_constraints(json_t *constraint, const char *key) +{ + json_t *value_1, *value_2, *constraint_array; + size_t index_1, index_2; + /* + * Go through the loop pairwise linear, removing elements where one + * element is a subset of the other. Always shrik the array from + * the end so that index_1 never becomes invalid (swapping if + * needed). + */ + constraint_array = json_object_get(constraint, key); + if (NULL == constraint_array) + return; + json_array_foreach( constraint_array, index_1, value_1) + json_array_foreach( constraint_array, index_2, value_2) { + if (index_2 <= index_1) + continue; + if ( tr_prefix_wildcard_match( json_string_value(value_2), + json_string_value(value_1))) { + json_array_remove(constraint_array, index_2); + index_2--; + }else if (tr_prefix_wildcard_match( json_string_value(value_1), + json_string_value(value_2))) { + json_array_set(constraint_array, index_1, value_2); + json_array_remove(constraint_array, index_2); + index_2--; + } + } +} + +/** + * Returns an array of constraint strings that is the intersection of + * all constraints in the constraint_set of type #type + */ +static json_t *constraint_intersect_internal( TR_CONSTRAINT_SET *constraints, + const char *constraint_type) +{ + json_t *constraint, *result = NULL; + size_t i; + json_array_foreach( (json_t *) constraints, i, constraint) { + merge_constraints( constraint, constraint_type); + if (NULL == result) { + result = json_object_get(constraint, constraint_type); + if (NULL != result) + result = json_copy(result); + } else { + json_t *intersect, *value_1, *value_2; + size_t index_1, index_2; + intersect = json_object_get(constraint, constraint_type); + result_loop: + json_array_foreach(result, index_1, value_1) { + json_array_foreach(intersect, index_2, value_2) { + if (tr_prefix_wildcard_match( json_string_value(value_1), + json_string_value(value_2))) + goto result_acceptable; + else if (tr_prefix_wildcard_match(json_string_value( value_2), + json_string_value(value_1))) { + json_array_set(result, index_1, value_2); + goto result_acceptable; + } + } + json_array_remove(result, index_1); + if (index_1 == 0) + goto result_loop; + index_1--; + result_acceptable: continue; + } + } + } + return result; +} + +/** + * Return the intersection of domain and realm constraints. + * Return is live until #request is freed. + */ +TR_CONSTRAINT_SET *tr_constraint_set_intersect( TID_REQ *request, + TR_CONSTRAINT_SET *input) +{ + json_t *domain=NULL, *realm=NULL; + json_t *result = NULL, *result_array = NULL; + if (tr_constraint_set_validate(input)) { + domain = constraint_intersect_internal(input, "domain"); + realm = constraint_intersect_internal(input, "realm"); + } + assert(result = json_object()); + if (domain) + json_object_set_new(result, "domain", domain); + if (realm) + json_object_set_new(result, "realm", realm); + assert(result_array = json_array()); + json_array_append_new(result_array, result); + tid_req_cleanup_json( request, result_array); + return (TR_CONSTRAINT_SET *) result_array; +} diff --git a/include/tr_debug.h b/include/tr_debug.h new file mode 100644 index 0000000..ac2c4b7 --- /dev/null +++ b/include/tr_debug.h @@ -0,0 +1,40 @@ +/* + * Copyright (c) 2014, JANET(UK) + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of JANET(UK) nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef _TR_DEBUG_H +#define _TR_DEBUG_H + +#define tr_debug(...) fprintf( stderr, __VA_ARGS__) + +#endif diff --git a/include/trust_router/tid.h b/include/trust_router/tid.h index 2b580bb..e10f0e3 100644 --- a/include/trust_router/tid.h +++ b/include/trust_router/tid.h @@ -40,7 +40,6 @@ #include #include -#include #include @@ -58,6 +57,8 @@ typedef struct tid_srvr_blk { DH *aaa_server_dh; /* AAA server's public dh information */ } TID_SRVR_BLK; +typedef struct _tr_constraint_set TR_CONSTRAINT_SET; + typedef struct tid_resp { TID_RC result; TR_NAME *err_msg; diff --git a/include/trust_router/tr_constraint.h b/include/trust_router/tr_constraint.h index fc20ae0..e2a73d5 100644 --- a/include/trust_router/tr_constraint.h +++ b/include/trust_router/tr_constraint.h @@ -34,18 +34,31 @@ #ifndef TR_CONSTRAINT_H #define TR_CONSTRAINT_H - #include +#include + #define TR_MAX_CONST_MATCHES 24 -typedef void TR_CONSTRAINT_SET; typedef struct tr_constraint { TR_NAME *type; TR_NAME *matches[TR_MAX_CONST_MATCHES]; } TR_CONSTRAINT; -void tr_constraint_add_to_set (TR_CONSTRAINT_SET **cs, TR_CONSTRAINT *c); +void TR_EXPORT tr_constraint_add_to_set (TR_CONSTRAINT_SET **cs, TR_CONSTRAINT *c); + +int TR_EXPORT tr_constraint_set_validate( TR_CONSTRAINT_SET *); +/** + * Create a new constraint set containing all constraints from #orig + * with constraint_type #constraint_type and no others. This constraint set is + * live until #request is freed. + */ +TR_EXPORT TR_CONSTRAINT_SET *tr_constraint_set_filter(TID_REQ *request, + TR_CONSTRAINT_SET *orig, + const char * constraint_type); +TR_EXPORT TR_CONSTRAINT_SET +*tr_constraint_set_intersect(TID_REQ *request, + TR_CONSTRAINT_SET *input); #endif -- 2.1.4