add overall recommendation to session database entry
authorAndreas Steffen <andreas.steffen@strongswan.org>
Sun, 19 May 2013 10:43:55 +0000 (12:43 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Fri, 21 Jun 2013 21:25:22 +0000 (23:25 +0200)
src/libcharon/plugins/tnccs_20/tnccs_20.c
src/libimcv/imv/imv_database.c
src/libimcv/imv/imv_database.h
src/libimcv/imv/tables.sql
src/libimcv/plugins/imv_os/imv_os.c
src/libpts/plugins/imv_attestation/attest_db.c

index 29a161e..4c8f3a9 100644 (file)
@@ -583,6 +583,7 @@ static void check_and_build_recommendation(private_tnccs_20_t *this)
 {
        TNC_IMV_Action_Recommendation rec;
        TNC_IMV_Evaluation_Result eval;
+       TNC_ConnectionState state;
        TNC_IMVID id;
        chunk_t reason, language;
        enumerator_t *enumerator;
@@ -602,20 +603,27 @@ static void check_and_build_recommendation(private_tnccs_20_t *this)
 
                /**
                 * Map IMV Action Recommendation codes to PB Access Recommendation codes
+                * and communicate Access Recommendation to IMVs
                 */
                switch (rec)
                {
                        case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
+                               state = TNC_CONNECTION_STATE_ACCESS_ALLOWED;
                                pb_rec = PB_REC_ACCESS_ALLOWED;
                                break;
                        case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
+                               state = TNC_CONNECTION_STATE_ACCESS_ISOLATED;
                                pb_rec = PB_REC_QUARANTINED;
                                break;
                        case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
                        case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
                        default:
+                               state = TNC_CONNECTION_STATE_ACCESS_NONE;
                                pb_rec = PB_REC_ACCESS_DENIED;
                }
+               tnc->imvs->notify_connection_change(tnc->imvs, this->connection_id,
+                                                                                       state);
+
                msg = pb_access_recommendation_msg_create(pb_rec);
                this->messages->insert_last(this->messages, msg);
 
index 2703ae2..1e72b98 100644 (file)
@@ -189,6 +189,16 @@ METHOD(imv_database_t, add_device, int,
        return did;
 }
 
+METHOD(imv_database_t, add_recommendation, void,
+       private_imv_database_t *this, imv_session_t *session,
+       TNC_IMV_Action_Recommendation rec)
+{
+       /* add final recommendation to session */
+       this->db->execute(this->db, NULL,
+                       "UPDATE sessions SET rec = ? WHERE id = ?",
+                        DB_INT, rec, DB_INT, session->get_session_id(session));
+}
+
 METHOD(imv_database_t, policy_script, bool,
        private_imv_database_t *this, imv_session_t *session, bool start)
 {
@@ -322,6 +332,7 @@ imv_database_t *imv_database_create(char *uri, char *script)
                        .get_session = _get_session,
                        .add_product = _add_product,
                        .add_device = _add_device,
+                       .add_recommendation = _add_recommendation,
                        .policy_script = _policy_script,
                        .finalize_workitem = _finalize_workitem,
                        .get_database = _get_database,
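Review bot: add_recommendation() in the first hunk discards the result of this->db->execute(), so an UPDATE that matches no row (unknown session id, or an older database without the `rec` column) leaves the session without its final recommendation and nothing is logged; check the row count, e.g. `if (this->db->execute(this->db, NULL, "UPDATE sessions SET rec = ? WHERE id = ?", DB_INT, (int)rec, DB_INT, session->get_session_id(session)) != 1)` followed by a DBG1(DBG_IMV, ...) line naming the session. The explicit `(int)rec` matters on its own: `rec` goes through the varargs list as DB_INT, and if TNC_IMV_Action_Recommendation is wider than int on the target platform the value the database layer reads back is not guaranteed to match. The method also dereferences `session` without a guard; if get_session() can return NULL for a connection that never got a database session, the caller added in imv_os.c would crash here, so either document that the session must be non-NULL in the header (imv_database.h) or return early.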
index 3c4bf83..6cab415 100644 (file)
@@ -69,6 +69,15 @@ struct imv_database_t {
                                           chunk_t device);
 
        /**
+        * Add final recommendation to a session database entry
+        *
+        * @param session               Session
+        * @param rec                   Final recommendation
+        */
+        void (*add_recommendation)(imv_database_t *this, imv_session_t *session,
+                                                               TNC_IMV_Action_Recommendation rec);
+
+       /**
         * Announce session start/stop to policy script
         *
         * @param session               Session
index c962d43..5377322 100644 (file)
@@ -63,7 +63,8 @@ CREATE TABLE sessions (
   connection INTEGER NOT NULL,
   identity INTEGER DEFAULT 0 REFERENCES identities(id),
   device INTEGER DEFAULT 0 REFERENCES devices(id),
-  product INTEGER DEFAULT 0 REFERENCES products(id)
+  product INTEGER DEFAULT 0 REFERENCES products(id),
+  rec INTEGER DEFAULT 3
 );
 
 DROP TABLE IF EXISTS workitems;
@@ -150,16 +151,6 @@ CREATE INDEX devices_value ON devices (
   value
 );
 
-DROP TABLE IF EXISTS device_infos;
-CREATE TABLE device_infos (
-  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
-  session INTEGER NOT NULL REFERENCES sessions(id),
-  count INTEGER DEFAULT 0,
-  count_update INTEGER DEFAULT 0,
-  count_blacklist INTEGER DEFAULT 0,
-  flags INTEGER DEFAULT 0
-);
-
 DROP TABLE IF EXISTS identities;
 CREATE TABLE identities (
   id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
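Review bot: The new column at `rec INTEGER DEFAULT 3` in the first hunk uses a bare magic number for its default; document which recommendation code it encodes so the schema stays in step with the C enum, e.g. `rec INTEGER DEFAULT 3  -- TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION` (3 appears to be the NO_RECOMMENDATION code — confirm against the enum). The script only defines a fresh schema; databases created from the previous version have no `rec` column and still carry `device_infos`, so the UPDATE in imv_database.c and the SELECTs in attest_db.c from this commit will fail against them. An upgrade step (an ALTER TABLE adding `rec` with the same default) or at least a note in the commit message would help existing deployments.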
index 69043cc..c0ce805 100644 (file)
@@ -119,6 +119,7 @@ TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id,
                                                                                  TNC_ConnectionID connection_id,
                                                                                  TNC_ConnectionState new_state)
 {
+       TNC_IMV_Action_Recommendation rec;
        imv_state_t *state;
        imv_session_t *session;
 
@@ -133,15 +134,31 @@ TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id,
                        state = imv_os_state_create(connection_id);
                        return imv_os->create_state(imv_os, state);
                case TNC_CONNECTION_STATE_DELETE:
+                       return imv_os->delete_state(imv_os, connection_id);
+               case TNC_CONNECTION_STATE_ACCESS_ALLOWED:
+               case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
+               case TNC_CONNECTION_STATE_ACCESS_NONE:
                        if (imcv_db && imv_os->get_state(imv_os, connection_id, &state))
                        {
+                               switch (new_state)
+                               {
+                                       case TNC_CONNECTION_STATE_ACCESS_ALLOWED:
+                                               rec = TNC_IMV_ACTION_RECOMMENDATION_ALLOW;
+                                               break;
+                                       case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
+                                               rec = TNC_IMV_ACTION_RECOMMENDATION_ISOLATE;
+                                               break;
+                                       case TNC_CONNECTION_STATE_ACCESS_NONE:
+                                       default:
+                                               rec = TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS;
+                               }
                                session = state->get_session(state);
+                               imcv_db->add_recommendation(imcv_db, session, rec);
                                imcv_db->policy_script(imcv_db, session, FALSE);
                        }
-                       return imv_os->delete_state(imv_os, connection_id);
+                       /* fall through to default state */
                default:
-                       return imv_os->change_state(imv_os, connection_id,
-                                                                                        new_state, NULL);
+                       return imv_os->change_state(imv_os, connection_id, new_state, NULL);
        }
 }
 
index 633d6c5..cb1220e 100644 (file)
@@ -19,6 +19,8 @@
 #include <libgen.h>
 #include <time.h>
 
+#include <tncif_names.h>
+
 #include "attest_db.h"
 
 #include "libpts.h"
@@ -812,24 +814,22 @@ METHOD(attest_db_t, list_devices, void,
        char *product;
        time_t timestamp;
        int id, last_id = 0, ar_id = 0, last_ar_id = 0, device_count = 0;
-       int count, count_update, count_blacklist;
+       int session_id, rec;
        u_int32_t ar_id_type;
-       u_int tstamp, flags = 0;
+       u_int tstamp;
 
        e = this->db->query(this->db,
-                       "SELECT d.id, d.value, s.time, s.identity, p.name, "
-                       "i.count, i.count_update, i.count_blacklist, i.flags "
+                       "SELECT d.id, d.value, s.id, s.time, s.identity, s.rec, p.name "
                        "FROM devices AS d "
                        "JOIN sessions AS s ON d.id = s.device "
                        "JOIN products AS p ON p.id = s.product "
-                       "JOIN device_infos AS i ON i.session = s.id "
-                       "ORDER BY d.value, s.time DESC", DB_INT, DB_BLOB, DB_UINT,
-                        DB_INT, DB_TEXT, DB_INT, DB_INT, DB_INT, DB_UINT);
+                       "ORDER BY d.value, s.time DESC", DB_INT, DB_BLOB, DB_INT, DB_UINT,
+                        DB_INT, DB_INT, DB_TEXT);
 
        if (e)
        {
-               while (e->enumerate(e, &id, &value, &tstamp, &ar_id, &product,
-                                                       &count, &count_update, &count_blacklist, &flags))
+               while (e->enumerate(e, &id, &value, &session_id, &tstamp, &ar_id, &rec,
+                                                          &product))
                {
                        if (id != last_id)
                        {
@@ -838,8 +838,8 @@ METHOD(attest_db_t, list_devices, void,
                                last_id = id;
                        }
                        timestamp = tstamp;
-                       printf("      %T, %4d, %3d, %3d, %1u, '%s'", &timestamp, this->utc,
-                                  count, count_update, count_blacklist, flags, product);
+                       printf("%4d:   %T, %-20s", session_id, &timestamp, this->utc,
+                                                                          product);
                        if (ar_id)
                        {
                                if (ar_id != last_ar_id)
@@ -861,7 +861,7 @@ METHOD(attest_db_t, list_devices, void,
                                }
                                last_ar_id = ar_id;
                        }
-                       printf("\n");
+                       printf(" - %N\n", TNC_IMV_Action_Recommendation_names, rec);
                }
                e->destroy(e);
                free(ar_id_value.ptr);
@@ -1519,31 +1519,32 @@ METHOD(attest_db_t, list_sessions, void,
        enumerator_t *e;
        chunk_t device, identity;
        char *product;
-       int session_id, conn_id;
+       int session_id, conn_id, rec;
        time_t created;
        u_int t;
 
        e = this->db->query(this->db,
-                               "SELECT s.id, s.time, s.connection, p.name, d.value, i.value "
-                               "FROM sessions AS s "
-                               "LEFT JOIN products AS p ON s.product = p.id "
-                               "LEFT JOIN devices AS d ON s.device = d.id "
-                               "LEFT JOIN identities AS i ON s.identity = i.id "
-                               "ORDER BY s.time DESC",
-                                DB_INT, DB_UINT, DB_INT, DB_TEXT, DB_BLOB, DB_BLOB);
+                       "SELECT s.id, s.time, s.connection, s.rec, p.name, d.value, i.value "
+                       "FROM sessions AS s "
+                       "LEFT JOIN products AS p ON s.product = p.id "
+                       "LEFT JOIN devices AS d ON s.device = d.id "
+                       "LEFT JOIN identities AS i ON s.identity = i.id "
+                       "ORDER BY s.time DESC",
+                        DB_INT, DB_UINT, DB_INT, DB_INT, DB_TEXT, DB_BLOB, DB_BLOB);
        if (e)
        {
-               while (e->enumerate(e, &session_id, &t, &conn_id, &product, &device,
-                                                          &identity))
+               while (e->enumerate(e, &session_id, &t, &conn_id, &rec, &product,
+                                                          &device, &identity))
                {
                        created = t;
                        product = product ? product : "-";
                        device = device.len ? device : chunk_from_str("-");
                        device.len = min(device.len, 20);
                        identity = identity.len ? identity : chunk_from_str("-");
-                       printf("%4d: %T %2d %-20s %.*s%*s %.*s\n", session_id, &created,
+                       printf("%4d: %T %2d %-20s %.*s%*s %.*s - %N\n", session_id, &created,
                                   FALSE, conn_id, product, device.len, device.ptr,
-                                  20-device.len, " ", identity.len, identity.ptr);
+                                  20-device.len, " ", identity.len, identity.ptr,
+                                  TNC_IMV_Action_Recommendation_names, rec);
                }
                e->destroy(e);
        }
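Review bot: Both list_devices() and list_sessions() keep the `if (e)` pattern with no else branch, so when the query fails — which now happens on any database whose sessions table predates the `rec` column, since both SELECTs reference `s.rec` — the command prints nothing and exits as if there were no sessions; add an `else` that reports the failed query so a schema mismatch is visible to the operator instead of looking like an empty database. `rec` is read straight from the table and handed to `%N` with TNC_IMV_Action_Recommendation_names; that is fine only if the enum printf hook tolerates out-of-range values, which is worth confirming since nothing validates the stored code on the way in. list_devices() and list_sessions() both start outside their hunks.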