From 9590d9e095e1ef9b0db6f7d3aeedcbbbacab0c8a Mon Sep 17 00:00:00 2001
From: Margaret Wasserman
Date: Wed, 3 Jul 2013 04:02:38 -0400
Subject: [PATCH] Check rp_realm and target_realm membership in both COI and APC

---
 tr/tr_main.c | 34 ++++++++++++++++++++++++++--------
 1 file changed, 26 insertions(+), 8 deletions(-)

diff --git a/tr/tr_main.c b/tr/tr_main.c
index b3f7921..92dafe1 100644
--- a/tr/tr_main.c
+++ b/tr/tr_main.c
@@ -98,10 +98,15 @@ static int tr_tids_req_handler (TIDS_INSTANCE * tids,
 return -1;
 }
 
- /* Check that the rp_realm is a member of the community in the request */
+ /* Check that the rp_realm and target_realm are members of the community in the request */
 if (NULL == (tr_find_comm_rp(cfg_comm, orig_req->rp_realm))) {
 fprintf(stderr, "tr_tids_req_hander: RP Realm (%s) not member of community (%s).\n", orig_req->rp_realm->buf, orig_req->comm->buf);
- tids_send_err_response(tids, orig_req, "RP community membership error");
+ tids_send_err_response(tids, orig_req, "RP COI membership error");
+ return -1;
+ }
+ if (NULL == (tr_find_comm_idp(cfg_comm, orig_req->realm))) {
+ fprintf(stderr, "tr_tids_req_hander: IDP Realm (%s) not member of APC (%s).\n", orig_req->realm->buf, orig_req->comm->buf);
+ tids_send_err_response(tids, orig_req, "IDP COI membership error");
 return -1;
 }
 
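Review bot: The stderr line for the added IDP check names the wrong community type: the check runs against `cfg_comm`, the community named in the request, yet it logs "not member of APC" while the response sent back says "IDP COI membership error". The same mismatch recurs in the second hunk, where both checks against `cfg_apc` still print `orig_req->comm->buf` (the originally requested community) and the RP one says "community"; there the last argument should be `apc->buf`. These lines are what an operator reads when triaging rejected requests, so the log text, the response text and the community actually checked should agree, e.g. `"tr_tids_req_hander: IDP Realm (%s) not member of COI (%s).\n"` here. tr_tids_req_handler starts and ends outside the hunk, so whether `cfg_comm` can itself be an APC at this point is not visible.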
@@ -115,15 +120,28 @@ static int tr_tids_req_handler (TIDS_INSTANCE * tids,
 return -1;
 }
 apc = tr_dup_name(cfg_comm->apcs->id);
+
+ /* Check that the APC is configured */
+ if (NULL == (cfg_apc = tr_comm_lookup((TR_INSTANCE *)tids->cookie, apc))) {
+ fprintf(stderr, "tr_tids_req_hander: Request for unknown comm: %s.\n", apc->buf);
+ tids_send_err_response(tids, orig_req, "Unknown APC");
+ return -1;
+ }
+
 fwd_req->comm = apc;
 fwd_req->orig_coi = orig_req->comm;
- }
 
- /* Check that target realm is a valid IDP Realm for this APC */
- if (NULL == (tr_find_comm_idp(cfg_comm, orig_req->realm))) {
- fprintf(stderr, "tr_tids_req_hander: IDP Realm (%s) not member of APC (%s).\n", orig_req->realm->buf, orig_req->comm->buf);
- tids_send_err_response(tids, orig_req, "IDP APC membership error");
- return -1;
+ /* Check that rp_realm and target_realm are members of this APC */
+ if (NULL == (tr_find_comm_rp(cfg_apc, orig_req->rp_realm))) {
+ fprintf(stderr, "tr_tids_req_hander: RP Realm (%s) not member of community (%s).\n", orig_req->rp_realm->buf, orig_req->comm->buf);
+ tids_send_err_response(tids, orig_req, "RP APC membership error");
+ return -1;
+ }
+ if (NULL == (tr_find_comm_idp(cfg_apc, orig_req->realm))) {
+ fprintf(stderr, "tr_tids_req_hander: IDP Realm (%s) not member of APC (%s).\n", orig_req->realm->buf, orig_req->comm->buf);
+ tids_send_err_response(tids, orig_req, "IDP APC membership error");
+ return -1;
+ }
 }
 
 /* Find the AAA server(s) for this request */
-- 
2.1.4
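Review bot: The new "Unknown APC" return drops `apc` without releasing it: it was just obtained from `tr_dup_name(cfg_comm->apcs->id)` and has not yet been stored in `fwd_req->comm`, so if tr_dup_name allocates (as its name suggests) every request that reaches this path leaks one name. The result of `tr_dup_name` is also used unchecked in `tr_comm_lookup` and in `apc->buf`, so a failed duplication would presumably be dereferenced here. Looking up before duplicating avoids both: `if (NULL == (cfg_apc = tr_comm_lookup((TR_INSTANCE *)tids->cookie, cfg_comm->apcs->id))) {`, logging `cfg_comm->apcs->id->buf`, and moving `apc = tr_dup_name(cfg_comm->apcs->id);` below that block with a NULL check. The two later returns come after `fwd_req->comm = apc;`, so whether they leak depends on how fwd_req is cleaned up, which is outside the hunk along with the rest of tr_tids_req_handler.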