Implemented a in-memory peer identity whitelist plugin
[strongswan.git] / src / libcharon / plugins / whitelist / whitelist_listener.c
1 /*
2 * Copyright (C) 2011 Martin Willi
3 * Copyright (C) 2011 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "whitelist_listener.h"
17
18 #include <daemon.h>
19 #include <utils/hashtable.h>
20 #include <threading/rwlock.h>
21
22 typedef struct private_whitelist_listener_t private_whitelist_listener_t;
23
24 /**
25 * Private data of an whitelist_listener_t object.
26 */
27 struct private_whitelist_listener_t {
28
29 /**
30 * Public whitelist_listener_t interface.
31 */
32 whitelist_listener_t public;
33
34 /**
35 * Lock for hashtable
36 */
37 rwlock_t *lock;
38
39 /**
40 * Hashtable with whitelisted identities
41 */
42 hashtable_t *ids;
43 };
44
45 /**
46 * Hashtable hash function
47 */
48 static u_int hash(identification_t *key)
49 {
50 return chunk_hash(key->get_encoding(key));
51 }
52
53 /**
54 * Hashtable equals function
55 */
56 static bool equals(identification_t *a, identification_t *b)
57 {
58 return a->equals(a, b);
59 }
60
61 METHOD(listener_t, authorize, bool,
62 private_whitelist_listener_t *this, ike_sa_t *ike_sa,
63 bool final, bool *success)
64 {
65 /* check each authentication round */
66 if (!final)
67 {
68 bool whitelisted = FALSE;
69 identification_t *id;
70 auth_cfg_t *auth;
71
72 auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
73 /* for authenticated with EAP, check EAP identity */
74 id = auth->get(auth, AUTH_RULE_EAP_IDENTITY);
75 if (!id)
76 {
77 id = auth->get(auth, AUTH_RULE_IDENTITY);
78 }
79 if (id)
80 {
81 this->lock->read_lock(this->lock);
82 whitelisted = this->ids->get(this->ids, id) != NULL;
83 this->lock->unlock(this->lock);
84 }
85 if (whitelisted)
86 {
87 DBG2(DBG_CFG, "peer identity '%Y' whitelisted", id);
88 }
89 else
90 {
91 DBG1(DBG_CFG, "peer identity '%Y' not whitelisted", id);
92 *success = FALSE;
93 }
94 }
95 return TRUE;
96 }
97
98 METHOD(whitelist_listener_t, add, void,
99 private_whitelist_listener_t *this, identification_t *id)
100 {
101 id = id->clone(id);
102 this->lock->write_lock(this->lock);
103 id = this->ids->put(this->ids, id, id);
104 this->lock->unlock(this->lock);
105 DESTROY_IF(id);
106 }
107
108 METHOD(whitelist_listener_t, remove_, void,
109 private_whitelist_listener_t *this, identification_t *id)
110 {
111 this->lock->write_lock(this->lock);
112 id = this->ids->remove(this->ids, id);
113 this->lock->unlock(this->lock);
114 DESTROY_IF(id);
115 }
116
117 /**
118 * Enumerator filter, from hashtable (key, value) to single identity
119 */
120 static bool whitelist_filter(rwlock_t *lock, identification_t **key,
121 identification_t **id, identification_t **value)
122 {
123 *id = *value;
124 return TRUE;
125 }
126
127 METHOD(whitelist_listener_t, create_enumerator, enumerator_t*,
128 private_whitelist_listener_t *this)
129 {
130 this->lock->read_lock(this->lock);
131 return enumerator_create_filter(this->ids->create_enumerator(this->ids),
132 (void*)whitelist_filter, this->lock,
133 (void*)this->lock->unlock);
134 }
135
136 METHOD(whitelist_listener_t, flush, void,
137 private_whitelist_listener_t *this, identification_t *id)
138 {
139 enumerator_t *enumerator;
140 identification_t *key, *value;
141
142 this->lock->write_lock(this->lock);
143 enumerator = this->ids->create_enumerator(this->ids);
144 while (enumerator->enumerate(enumerator, &key, &value))
145 {
146 if (value->matches(value, id))
147 {
148 this->ids->remove_at(this->ids, enumerator);
149 value->destroy(value);
150 }
151 }
152 enumerator->destroy(enumerator);
153 this->lock->unlock(this->lock);
154 }
155
156 METHOD(whitelist_listener_t, destroy, void,
157 private_whitelist_listener_t *this)
158 {
159 identification_t *key, *value;
160 enumerator_t *enumerator;
161
162 enumerator = this->ids->create_enumerator(this->ids);
163 while (enumerator->enumerate(enumerator, &key, &value))
164 {
165 value->destroy(value);
166 }
167 enumerator->destroy(enumerator);
168 this->ids->destroy(this->ids);
169 this->lock->destroy(this->lock);
170 free(this);
171 }
172
173 /**
174 * See header
175 */
176 whitelist_listener_t *whitelist_listener_create()
177 {
178 private_whitelist_listener_t *this;
179
180 INIT(this,
181 .public = {
182 .listener = {
183 .authorize = _authorize,
184 },
185 .add = _add,
186 .remove = _remove_,
187 .create_enumerator = _create_enumerator,
188 .flush = _flush,
189 .destroy = _destroy,
190 },
191 .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
192 .ids = hashtable_create((hashtable_hash_t)hash,
193 (hashtable_equals_t)equals, 32),
194 );
195
196 return &this->public;
197 }