Separated IMV session management from IMV policy database
[strongswan.git] / src / libimcv / imv / imv_database.c
1 /*
2 * Copyright (C) 2013-2014 Andreas Steffen
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #define _GNU_SOURCE
17
18 #include <stdio.h>
19 #include <stdarg.h>
20 #include <string.h>
21 #include <time.h>
22
23 #include "imv_database.h"
24
25 #include <utils/debug.h>
26 #include <threading/mutex.h>
27
28 typedef struct private_imv_database_t private_imv_database_t;
29
30 /**
31 * Private data of a imv_database_t object.
32 */
33 struct private_imv_database_t {
34
35 /**
36 * Public imv_database_t interface.
37 */
38 imv_database_t public;
39
40 /**
41 * database instance
42 */
43 database_t *db;
44
45 /**
46 * policy script
47 */
48 char *script;
49
50 };
51
52 METHOD(imv_database_t, get_database, database_t*,
53 private_imv_database_t *this)
54 {
55 return this->db;
56 }
57
58 /**
59 * Create a session entry in the IMV database
60 */
61 static bool create_session(private_imv_database_t *this, imv_session_t *session)
62 {
63 enumerator_t *e;
64 imv_os_info_t *os_info;
65 chunk_t device_id, ar_id_value;
66 TNC_ConnectionID conn_id;
67 uint32_t ar_id_type;
68 char *product, *device;
69 int session_id = 0, ar_id = 0, pid = 0, did = 0, trusted = 0, created;
70
71 ar_id_value = session->get_ar_id(session, &ar_id_type);
72 if (ar_id_value.len)
73 {
74 /* get primary key of AR identity if it exists */
75 e = this->db->query(this->db,
76 "SELECT id FROM identities WHERE type = ? AND value = ?",
77 DB_INT, ar_id_type, DB_BLOB, ar_id_value, DB_INT);
78 if (e)
79 {
80 e->enumerate(e, &ar_id);
81 e->destroy(e);
82 }
83
84 /* if AR identity has not been found - register it */
85 if (!ar_id)
86 {
87 this->db->execute(this->db, &ar_id,
88 "INSERT INTO identities (type, value) VALUES (?, ?)",
89 DB_INT, ar_id_type, DB_BLOB, ar_id_value);
90 }
91
92 if (!ar_id)
93 {
94 DBG1(DBG_IMV, "imv_db: registering access requestor failed");
95 return FALSE;
96 }
97 }
98
99 /* get product info string */
100 os_info = session->get_os_info(session);
101 product = os_info->get_info(os_info);
102 if (!product)
103 {
104 DBG1(DBG_IMV, "imv_db: product info is not available");
105 return FALSE;
106 }
107
108 /* get primary key of product info string if it exists */
109 e = this->db->query(this->db,
110 "SELECT id FROM products WHERE name = ?", DB_TEXT, product, DB_INT);
111 if (e)
112 {
113 e->enumerate(e, &pid);
114 e->destroy(e);
115 }
116
117 /* if product info string has not been found - register it */
118 if (!pid)
119 {
120 this->db->execute(this->db, &pid,
121 "INSERT INTO products (name) VALUES (?)", DB_TEXT, product);
122 }
123
124 if (!pid)
125 {
126 DBG1(DBG_IMV, "imv_db: registering product info failed");
127 return FALSE;
128 }
129
130 /* get device ID string */
131 if (!session->get_device_id(session, &device_id))
132 {
133 DBG1(DBG_IMV, "imv_db: device ID is not available");
134 return FALSE;
135 }
136 device = strndup(device_id.ptr, device_id.len);
137
138 /* get primary key of device ID if it exists */
139 e = this->db->query(this->db,
140 "SELECT id, trusted FROM devices WHERE value = ? AND product = ?",
141 DB_TEXT, device, DB_INT, pid, DB_INT, DB_INT);
142 if (e)
143 {
144 e->enumerate(e, &did, &trusted);
145 e->destroy(e);
146 }
147
148 /* if device ID is trusted, set trust in session */
149 if (trusted)
150 {
151 session->set_device_trust(session, TRUE);
152 }
153
154 /* if device ID has not been found - register it */
155 if (!did)
156 {
157 this->db->execute(this->db, &did,
158 "INSERT INTO devices (value, product) VALUES (?, ?)",
159 DB_TEXT, device, DB_INT, pid);
160 }
161 free(device);
162
163 if (!did)
164 {
165 DBG1(DBG_IMV, "imv_db: registering device ID failed");
166 return FALSE;
167 }
168
169 /* create a new session entry */
170 created = session->get_creation_time(session);
171 conn_id = session->get_connection_id(session);
172 this->db->execute(this->db, &session_id,
173 "INSERT INTO sessions (time, connection, identity, product, device) "
174 "VALUES (?, ?, ?, ?, ?)",
175 DB_INT, created, DB_INT, conn_id, DB_INT, ar_id,
176 DB_INT, pid, DB_INT, did);
177
178 if (session_id)
179 {
180 DBG2(DBG_IMV, "assigned session ID %d to Connection ID %d",
181 session_id, conn_id);
182 }
183 else
184 {
185 DBG1(DBG_IMV, "imv_db: registering session failed");
186 return FALSE;
187 }
188 session->set_session_id(session, session_id, pid, did);
189
190 return TRUE;
191 }
192
193 static bool add_workitems(private_imv_database_t *this, imv_session_t *session)
194 {
195 char *arg_str;
196 int id, arg_int, rec_fail, rec_noresult;
197 imv_workitem_t *workitem;
198 imv_workitem_type_t type;
199 enumerator_t *e;
200
201 e = this->db->query(this->db,
202 "SELECT id, type, arg_str, arg_int, rec_fail, rec_noresult "
203 "FROM workitems WHERE session = ?",
204 DB_INT, session->get_session_id(session, NULL, NULL),
205 DB_INT, DB_INT, DB_TEXT, DB_INT,DB_INT, DB_INT);
206 if (!e)
207 {
208 DBG1(DBG_IMV, "imv_db: no workitem enumerator returned");
209 return FALSE;
210 }
211 while (e->enumerate(e, &id, &type, &arg_str, &arg_int, &rec_fail,
212 &rec_noresult))
213 {
214 DBG2(DBG_IMV, "%N workitem %d", imv_workitem_type_names, type, id);
215 workitem = imv_workitem_create(id, type, arg_str, arg_int, rec_fail,
216 rec_noresult);
217 session->insert_workitem(session, workitem);
218 }
219 e->destroy(e);
220
221 return TRUE;
222 }
223
224 METHOD(imv_database_t, add_recommendation, void,
225 private_imv_database_t *this, imv_session_t *session,
226 TNC_IMV_Action_Recommendation rec)
227 {
228 /* add final recommendation to session DB entry */
229 this->db->execute(this->db, NULL,
230 "UPDATE sessions SET rec = ? WHERE id = ?",
231 DB_INT, rec, DB_INT, session->get_session_id(session, NULL, NULL));
232 }
233
234 METHOD(imv_database_t, policy_script, bool,
235 private_imv_database_t *this, imv_session_t *session, bool start)
236 {
237 char command[512], resp[128], *last;
238 FILE *shell;
239
240 if (start)
241 {
242 if (session->get_policy_started(session))
243 {
244 DBG1(DBG_IMV, "policy script as already been started");
245 return FALSE;
246 }
247
248 /* add product info and device ID to session DB entry */
249 if (!create_session(this, session))
250 {
251 return FALSE;
252 }
253 }
254 else
255 {
256 if (!session->get_policy_started(session))
257 {
258 DBG1(DBG_IMV, "policy script as already been stopped");
259 return FALSE;
260 }
261 }
262
263 /* call the policy script */
264 snprintf(command, sizeof(command), "2>&1 TNC_SESSION_ID='%d' %s %s",
265 session->get_session_id(session, NULL, NULL), this->script,
266 start ? "start" : "stop");
267 DBG3(DBG_IMV, "running policy script: %s", command);
268
269 shell = popen(command, "r");
270 if (shell == NULL)
271 {
272 DBG1(DBG_IMV, "could not execute policy script '%s'",
273 this->script);
274 return FALSE;
275 }
276 while (TRUE)
277 {
278 if (fgets(resp, sizeof(resp), shell) == NULL)
279 {
280 if (ferror(shell))
281 {
282 DBG1(DBG_IMV, "error reading output from policy script");
283 }
284 break;
285 }
286 else
287 {
288 last = resp + strlen(resp) - 1;
289 if (last >= resp && *last == '\n')
290 {
291 /* replace trailing '\n' */
292 *last = '\0';
293 }
294 DBG1(DBG_IMV, "policy: %s", resp);
295 }
296 }
297 pclose(shell);
298
299 if (start)
300 {
301 /* add workitem list generated by policy manager to session object */
302 if (!add_workitems(this, session))
303 {
304 return FALSE;
305 }
306 session->set_policy_started(session, TRUE);
307 }
308 else
309 {
310 session->set_policy_started(session, FALSE);
311 }
312
313 return TRUE;
314 }
315
316 METHOD(imv_database_t, finalize_workitem, bool,
317 private_imv_database_t *this, imv_workitem_t *workitem)
318 {
319 char *result;
320 int rec;
321
322 rec = workitem->get_result(workitem, &result);
323
324 return this->db->execute(this->db, NULL,
325 "UPDATE workitems SET result = ?, rec_final = ? WHERE id = ?",
326 DB_TEXT, result, DB_INT, rec,
327 DB_INT, workitem->get_id(workitem)) == 1;
328 }
329
330 METHOD(imv_database_t, destroy, void,
331 private_imv_database_t *this)
332 {
333 DESTROY_IF(this->db);
334 free(this);
335 }
336
337 /**
338 * See header
339 */
340 imv_database_t *imv_database_create(char *uri, char *script)
341 {
342 private_imv_database_t *this;
343
344 INIT(this,
345 .public = {
346 .get_database = _get_database,
347 .policy_script = _policy_script,
348 .finalize_workitem = _finalize_workitem,
349 .add_recommendation = _add_recommendation,
350 .destroy = _destroy,
351 },
352 .db = lib->db->create(lib->db, uri),
353 .script = script,
354 );
355
356 if (!this->db)
357 {
358 DBG1(DBG_IMV,
359 "failed to connect to IMV database '%s'", uri);
360 destroy(this);
361 return NULL;
362 }
363
364 return &this->public;
365 }
366