Added add_segment() method to IETF attributes
[strongswan.git] / src / libimcv / imv / imv_policy_manager.c
1 /*
2 * Copyright (C) 2013 Andreas Steffen
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "imv_policy_manager_usage.h"
17 #include "imv_workitem.h"
18
19 #include <library.h>
20 #include <utils/debug.h>
21
22 #include <stdlib.h>
23 #include <stdio.h>
24 #include <time.h>
25
26 /* The default policy group #1 is assumed to always exist */
27 #define DEFAULT_GROUP_ID 1
28
29 /**
30 * global debug output variables
31 */
32 static int debug_level = 1;
33 static bool stderr_quiet = FALSE;
34
35 /**
36 * attest dbg function
37 */
38 static void stderr_dbg(debug_t group, level_t level, char *fmt, ...)
39 {
40 va_list args;
41
42 if (level <= debug_level)
43 {
44 if (!stderr_quiet)
45 {
46 va_start(args, fmt);
47 vfprintf(stderr, fmt, args);
48 fprintf(stderr, "\n");
49 va_end(args);
50 }
51 }
52 }
53
54 /**
55 * Collect all enforcements by iterating up through parent groups
56 */
57 static bool iterate_enforcements(database_t *db, int device_id, int session_id,
58 int group_id)
59 {
60 int id, type, file, dir, arg_int, parent, policy, max_age;
61 int p_rec_fail, p_rec_noresult, e_rec_fail, e_rec_noresult, latest_rec;
62 bool latest_success;
63 char *argument;
64 time_t now;
65 enumerator_t *e, *e1, *e2;
66
67 now = time(NULL);
68
69 while (group_id)
70 {
71 e1 = db->query(db,
72 "SELECT e.id, p.type, p.argument, p.file, p.dir, p.rec_fail, "
73 "p.rec_noresult, e.policy, e.max_age, e.rec_fail, e.rec_noresult "
74 "FROM enforcements AS e JOIN policies as p ON e.policy = p.id "
75 "WHERE e.group_id = ?", DB_INT, group_id,
76 DB_INT, DB_INT, DB_TEXT, DB_INT, DB_INT, DB_INT, DB_INT,
77 DB_INT, DB_INT, DB_INT, DB_INT);
78 if (!e1)
79 {
80 return FALSE;
81 }
82 while (e1->enumerate(e1, &id, &type, &argument, &file, &dir,
83 &p_rec_fail, &p_rec_noresult, &policy, &max_age,
84 &e_rec_fail, &e_rec_noresult))
85 {
86 /* check if the latest measurement of the device was successful */
87 latest_success = FALSE;
88
89 if (device_id)
90 {
91 e2 = db->query(db,
92 "SELECT r.rec FROM results AS r "
93 "JOIN sessions AS s ON s.id = r.session "
94 "WHERE r.policy = ? AND s.device = ? AND s.time > ? "
95 "ORDER BY s.time DESC",
96 DB_INT, policy, DB_INT, device_id,
97 DB_UINT, now - max_age, DB_INT);
98 if (!e2)
99 {
100 e1->destroy(e1);
101 return FALSE;
102 }
103 if (e2->enumerate(e2, &latest_rec) &&
104 latest_rec == TNC_IMV_ACTION_RECOMMENDATION_ALLOW)
105 {
106 latest_success = TRUE;
107 }
108 e2->destroy(e2);
109 }
110
111 if (latest_success)
112 {
113 /*skipping enforcement */
114 printf("skipping enforcment %d\n", id);
115 continue;
116 }
117
118 /* determine arg_int */
119 switch ((imv_workitem_type_t)type)
120 {
121 case IMV_WORKITEM_FILE_REF_MEAS:
122 case IMV_WORKITEM_FILE_MEAS:
123 case IMV_WORKITEM_FILE_META:
124 arg_int = file;
125 break;
126 case IMV_WORKITEM_DIR_REF_MEAS:
127 case IMV_WORKITEM_DIR_MEAS:
128 case IMV_WORKITEM_DIR_META:
129 arg_int = dir;
130 break;
131 default:
132 arg_int = 0;
133 }
134
135 /* insert a workitem */
136 if (db->execute(db, NULL,
137 "INSERT INTO workitems (session, enforcement, type, arg_str, "
138 "arg_int, rec_fail, rec_noresult) VALUES (?, ?, ?, ?, ?, ?, ?)",
139 DB_INT, session_id, DB_INT, id, DB_INT, type, DB_TEXT, argument,
140 DB_INT, arg_int, DB_INT, e_rec_fail ? e_rec_fail : p_rec_fail,
141 DB_INT, e_rec_noresult ? e_rec_noresult : p_rec_noresult) != 1)
142 {
143 e1->destroy(e1);
144 fprintf(stderr, "could not insert workitem\n");
145 return FALSE;
146 }
147 }
148 e1->destroy(e1);
149
150 e = db->query(db,
151 "SELECT parent FROM groups WHERE id = ?",
152 DB_INT, group_id, DB_INT);
153 if (!e)
154 {
155 return FALSE;
156 }
157 if (e->enumerate(e, &parent))
158 {
159 group_id = parent;
160 }
161 else
162 {
163 fprintf(stderr, "group information not found\n");
164 group_id = 0;
165 }
166 e->destroy(e);
167 }
168 return TRUE;
169 }
170
171 static bool policy_start(database_t *db, int session_id)
172 {
173 enumerator_t *e;
174 int device_id, product_id, gid, group_id = DEFAULT_GROUP_ID;
175 u_int created;
176
177 /* get session data */
178 e = db->query(db,
179 "SELECT s.device, s.product, d.created FROM sessions AS s "
180 "LEFT JOIN devices AS d ON s.device = d.id WHERE s.id = ?",
181 DB_INT, session_id, DB_INT, DB_INT, DB_UINT);
182 if (!e || !e->enumerate(e, &device_id, &product_id, &created))
183 {
184 DESTROY_IF(e);
185 fprintf(stderr, "session %d not found\n", session_id);
186 return FALSE;
187 }
188 e->destroy(e);
189
190 /* if a device ID with a creation date exists, get all group memberships */
191 if (device_id && created)
192 {
193 e = db->query(db,
194 "SELECT group_id FROM groups_members WHERE device_id = ?",
195 DB_INT, device_id, DB_INT);
196 if (!e)
197 {
198 return FALSE;
199 }
200 while (e->enumerate(e, &group_id))
201 {
202 if (!iterate_enforcements(db, device_id, session_id, group_id))
203 {
204 e->destroy(e);
205 return FALSE;
206 }
207 }
208 e->destroy(e);
209
210 return TRUE;
211 }
212
213 /* determine if a default product group exists */
214 e = db->query(db,
215 "SELECT group_id FROM groups_product_defaults "
216 "WHERE product_id = ?", DB_INT, product_id, DB_INT);
217 if (!e)
218 {
219 return FALSE;
220 }
221 if (e->enumerate(e, &gid))
222 {
223 group_id = gid;
224 }
225 e->destroy(e);
226
227 if (device_id && !created)
228 {
229 /* assign a newly created device to a default group */
230 if (db->execute(db, NULL,
231 "INSERT INTO groups_members (device_id, group_id) "
232 "VALUES (?, ?)", DB_INT, device_id, DB_INT, group_id) != 1)
233 {
234 fprintf(stderr, "could not assign device to a default group\n");
235 return FALSE;
236 }
237
238 /* set the creation date if it hasn't been set yet */
239 if (db->execute(db, NULL,
240 "UPDATE devices SET created = ? WHERE id = ?",
241 DB_UINT, time(NULL), DB_INT, device_id) != 1)
242 {
243 fprintf(stderr, "creation date of device could not be set\n");
244 return FALSE;
245 }
246 }
247
248 return iterate_enforcements(db, device_id, session_id, group_id);
249 }
250
251 static bool policy_stop(database_t *db, int session_id)
252 {
253 enumerator_t *e;
254 int rec, policy;
255 char *result;
256
257 e = db->query(db,
258 "SELECT w.rec_final, w.result, e.policy FROM workitems AS w "
259 "JOIN enforcements AS e ON w.enforcement = e.id "
260 "WHERE w.session = ? AND w.result IS NOT NULL",
261 DB_INT, session_id, DB_INT, DB_TEXT, DB_INT);
262 if (e)
263 {
264 while (e->enumerate(e, &rec, &result, &policy))
265 {
266 db->execute(db, NULL,
267 "INSERT INTO results (session, policy, rec, result) "
268 "VALUES (?, ?, ?, ?)", DB_INT, session_id, DB_INT, policy,
269 DB_INT, rec, DB_TEXT, result);
270 }
271 e->destroy(e);
272 }
273 return db->execute(db, NULL,
274 "DELETE FROM workitems WHERE session = ?",
275 DB_UINT, session_id) >= 0;
276 }
277
278 int main(int argc, char *argv[])
279 {
280 database_t *db;
281 char *uri;
282 int session_id;
283 bool start, success;
284
285 /* enable attest debugging hook */
286 dbg = stderr_dbg;
287
288 atexit(library_deinit);
289
290 /* initialize library */
291 if (!library_init(NULL, "imv_policy_manager"))
292 {
293 exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
294 }
295 if (!lib->plugins->load(lib->plugins,
296 lib->settings->get_str(lib->settings, "imv_policy_manager.load",
297 "sqlite")))
298 {
299 exit(SS_RC_INITIALIZATION_FAILED);
300 }
301
302 if (argc < 3)
303 {
304 usage();
305 exit(SS_RC_INITIALIZATION_FAILED);
306 }
307 if (streq(argv[1], "start"))
308 {
309 start = TRUE;
310 }
311 else if (streq(argv[1], "stop"))
312 {
313 start = FALSE;
314 }
315 else
316 {
317 usage();
318 exit(SS_RC_INITIALIZATION_FAILED);
319 }
320
321 session_id = atoi(argv[2]);
322
323 /* attach IMV database */
324 uri = lib->settings->get_str(lib->settings,
325 "imv_policy_manager.database",
326 lib->settings->get_str(lib->settings,
327 "charon.imcv.database",
328 lib->settings->get_str(lib->settings,
329 "libimcv.database", NULL)));
330 if (!uri)
331 {
332 fprintf(stderr, "database uri not defined.\n");
333 exit(SS_RC_INITIALIZATION_FAILED);
334 }
335
336 db = lib->db->create(lib->db, uri);
337 if (!db)
338 {
339 fprintf(stderr, "opening database failed.\n");
340 exit(SS_RC_INITIALIZATION_FAILED);
341 }
342
343 if (start)
344 {
345 success = policy_start(db, session_id);
346 }
347 else
348 {
349 success = policy_stop(db, session_id);
350 }
351 db->destroy(db);
352
353 fprintf(stderr, "imv_policy_manager %s %s\n", start ? "start" : "stop",
354 success ? "successful" : "failed");
355
356 exit(EXIT_SUCCESS);
357 }