imv-swima: Implemented SW event processing
authorAndreas Steffen <andreas.steffen@strongswan.org>
Thu, 29 Jun 2017 09:28:15 +0000 (11:28 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Sat, 8 Jul 2017 21:19:51 +0000 (23:19 +0200)
conf/plugins/imv-swima.opt
src/libimcv/imv/imv_policy_manager.c
src/libimcv/plugins/imv_swima/imv_swima_agent.c
src/libimcv/plugins/imv_swima/imv_swima_state.c
src/libimcv/plugins/imv_swima/imv_swima_state.h
src/libstrongswan/plugins/curl/curl_fetcher.c

index 1185bd3..a9ba96c 100644 (file)
@@ -1,5 +1,5 @@
-libimcv.plugins.imv-swima.rest_api_uri = 
+libimcv.plugins.imv-swima.rest_api.uri =
        HTTP URI of the SWID REST API.
 
-libimcv.plugins.imv-swima.rest_api_timeout = 120
+libimcv.plugins.imv-swima.rest_api.timeout = 120
        Timeout of SWID REST API HTTP POST transaction.
index b730f8c..1988873 100644 (file)
@@ -130,6 +130,31 @@ static bool iterate_enforcements(database_t *db, int device_id, int session_id,
                                case IMV_WORKITEM_DIR_META:
                                        arg_int = dir;
                                        break;
+                               case IMV_WORKITEM_SWID_TAGS:
+                                       /* software [identifier] inventory by default */
+                                       arg_int = 0;
+
+                                       /* software identifiers only? */
+                                       if (device_id && strchr(argument, 'R'))
+                                       {
+                                               /* get last EID in order to set earliest EID */
+                                               e2 = db->query(db,
+                                                       "SELECT eid FROM swid_events where device == ? "
+                                                       "ORDER BY eid DESC", DB_UINT, device_id, DB_INT);
+                                               if (e2)
+                                               {
+                                                       if (e2->enumerate(e2, &arg_int))
+                                                       {
+                                                               arg_int++;
+                                                       }
+                                                       else
+                                                       {
+                                                               arg_int = 1;
+                                                       }
+                                                       e2->destroy(e2);
+                                               }
+                                       }
+                                       break;
                                default:
                                        arg_int = 0;
                        }
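Review bot: When `db->query` fails at the `SELECT eid FROM swid_events` call, `e2` is NULL and `arg_int` silently stays 0, so a work item flagged 'R' degrades from an events request into a full inventory request with no diagnostic. An else-branch with `DBG1(DBG_IMV, "could not determine last eid for device %d", device_id);` (or treating it as an error) would make that fallback visible in the logs. The new branch also passes `argument` straight to `strchr`, which is undefined for NULL; whether iterate_enforcements guarantees a non-NULL argument is not visible from this hunk. The enclosing function starts before the hunk.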
index eedc5da..efa2b11 100644 (file)
@@ -52,7 +52,9 @@ static pen_type_t msg_types[] = {
  */
 enum imv_swima_attr_t {
        IMV_SWIMA_ATTR_SW_INV =    (1<<0),
-       IMV_SWIMA_ATTR_SW_ID_INV = (1<<1)
+       IMV_SWIMA_ATTR_SW_ID_INV = (1<<1),
+       IMV_SWIMA_ATTR_SW_EV =     (1<<2),
+       IMV_SWIMA_ATTR_SW_ID_EV =  (1<<2)
 };
 
 /**
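Review bot: `IMV_SWIMA_ATTR_SW_EV` and `IMV_SWIMA_ATTR_SW_ID_EV` are both defined as `(1<<2)`, so the two flags cannot be told apart in the `received` bitmask. Later in this file batch_ending tests `received & IMV_SWIMA_ATTR_SW_ID_EV` to select the `swid-events` REST command, which will therefore also trigger after a plain software-event attribute is received. The second constant should be `IMV_SWIMA_ATTR_SW_ID_EV = (1<<3)`.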
@@ -208,8 +210,8 @@ static TNC_Result receive_msg(private_imv_swima_agent_t *this,
                                missing = attr_cast->get_record_count(attr_cast);
                                swima_state->set_missing(swima_state, missing);
 
-                               DBG2(DBG_IMV, "received software identity inventory with "
-                                        "%d item%s for request %d at eid %d of epoch 0x%08x, "
+                               DBG2(DBG_IMV, "received software ID inventory with "
+                                        "%d item%s for request %d at last eid %d of epoch 0x%08x, "
                                         "%d item%s to follow", sw_id_count,
                                         (sw_id_count == 1) ? "" : "s", request_id, last_eid,
                                         eid_epoch, missing, (missing == 1) ? "" : "s");
@@ -222,7 +224,7 @@ static TNC_Result receive_msg(private_imv_swima_agent_t *this,
                                }
                                else
                                {
-                                       DBG1(DBG_IMV, "no workitem found for software identity "
+                                       DBG1(DBG_IMV, "no workitem found for software ID "
                                                                  "inventory with request ID %d", request_id);
                                }
                                attr_cast->clear_inventory(attr_cast);
@@ -251,9 +253,9 @@ static TNC_Result receive_msg(private_imv_swima_agent_t *this,
                                swima_state->set_missing(swima_state, missing);
 
                                DBG2(DBG_IMV, "received software inventory with %d item%s for "
-                                        "request %d at eid %d of epoch 0x%08x, %d item%s to follow",
-                                        sw_count, (sw_count == 1) ? "" : "s", request_id,
-                                        last_eid, eid_epoch, missing, (missing == 1) ? "" : "s");
+                                        "request %d at last eid %d of epoch 0x%08x, %d item%s to "
+                                        "follow", sw_count, (sw_count == 1) ? "" : "s", request_id,
+                                         last_eid, eid_epoch, missing, (missing == 1) ? "" : "s");
 
                                if (request_id == swima_state->get_request_id(swima_state))
                                {
@@ -310,7 +312,7 @@ static TNC_Result receive_msg(private_imv_swima_agent_t *this,
                                uint32_t missing;
                                int sw_ev_count;
 
-                               state->set_action_flags(state, IMV_SWIMA_ATTR_SW_ID_INV);
+                               state->set_action_flags(state, IMV_SWIMA_ATTR_SW_ID_EV);
 
                                attr_cast = (ietf_swima_attr_sw_ev_t*)attr;
                                request_id = attr_cast->get_request_id(attr_cast);
@@ -320,8 +322,8 @@ static TNC_Result receive_msg(private_imv_swima_agent_t *this,
                                missing = attr_cast->get_event_count(attr_cast);
                                swima_state->set_missing(swima_state, missing);
 
-                               DBG2(DBG_IMV, "received software identity events with "
-                                        "%d item%s for request %d at eid %d of epoch 0x%08x, "
+                               DBG2(DBG_IMV, "received software ID events with "
+                                        "%d item%s for request %d at last eid %d of epoch 0x%08x, "
                                         "%d item%s to follow", sw_ev_count,
                                         (sw_ev_count == 1) ? "" : "s", request_id, last_eid,
                                         eid_epoch, missing, (missing == 1) ? "" : "s");
@@ -334,8 +336,8 @@ static TNC_Result receive_msg(private_imv_swima_agent_t *this,
                                }
                                else
                                {
-                                       DBG1(DBG_IMV, "no workitem found for software identity "
-                                                                 "evemts with request ID %d", request_id);
+                                       DBG1(DBG_IMV, "no workitem found for software ID events "
+                                                                 "with request ID %d", request_id);
                                }
                                attr_cast->clear_events(attr_cast);
                                break;
@@ -499,6 +501,7 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
                                {
                                        flags |= IETF_SWIMA_ATTR_REQ_FLAG_C;
                                }
+                               earliest_eid = workitem->get_arg_int(workitem);
 
                                /* Determine maximum PA-TNC attribute segment size */
                                max_seg_size = state->get_max_msg_len(state)
@@ -527,11 +530,13 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
                                targets->set_eid(targets, earliest_eid, 0);
                                cast_attr = (ietf_swima_attr_req_t*)attr;
                                cast_attr->set_targets(cast_attr, targets);
+                               targets->destroy(targets);
 
                                out_msg->add_attribute(out_msg, attr);
                                workitem->set_imv_id(workitem, imv_id);
                                no_workitems = FALSE;
-                               DBG2(DBG_IMV, "IMV %d issues sw request %d", imv_id, request_id);
+                               DBG2(DBG_IMV, "IMV %d issues sw request %d with earliest eid %d",
+                                                          imv_id, request_id, earliest_eid);
                                break;
                        }
                        enumerator->destroy(enumerator);
@@ -552,36 +557,49 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
        received = state->get_action_flags(state);
 
        if (handshake_state == IMV_SWIMA_STATE_WORKITEMS &&
-          (received & (IMV_SWIMA_ATTR_SW_INV|IMV_SWIMA_ATTR_SW_ID_INV)) &&
+          (received & (IMV_SWIMA_ATTR_SW_INV|IMV_SWIMA_ATTR_SW_ID_INV|
+                                       IMV_SWIMA_ATTR_SW_EV |IMV_SWIMA_ATTR_SW_ID_EV)) &&
                swima_state->get_missing(swima_state) == 0)
        {
                TNC_IMV_Evaluation_Result eval;
                TNC_IMV_Action_Recommendation rec;
-               char result_str[BUF_LEN], *error_str = "", *command;
-               char *target_str;
-               int tag_id_count, tag_count, i;
+               char result_str[BUF_LEN], *format = NULL, *cmd = NULL, *command;
+               char *target_str, *error_str = "";
+               int sw_id_count, tag_count, i, res;
                json_object *jrequest, *jresponse, *jvalue;
                ietf_swima_attr_req_t *cast_attr;
                swima_inventory_t *targets;
                swima_record_t *target;
                status_t status = SUCCESS;
 
-               if (this->rest_api && (received & IMV_SWIMA_ATTR_SW_ID_INV))
+               if (received & IMV_SWIMA_ATTR_SW_ID_INV)
                {
-                       if (asprintf(&command, "sessions/%d/swid-measurement/",
-                                                session->get_session_id(session, NULL, NULL)) < 0)
+                       cmd = "swid-measurement";
+                       format = "received inventory of %d SW ID%s and %d SWID tag%s";
+               }
+               else if (received & IMV_SWIMA_ATTR_SW_ID_EV)
+               {
+                       cmd = "swid-events";
+                       format = "received %d SW ID event%s and %d SWID tag%s";
+               }
+
+               if (cmd && this->rest_api)
+               {
+                       res = asprintf(&command, "sessions/%d/%s/",
+                                        session->get_session_id(session, NULL, NULL), cmd);
+                       if (res < 0)
                        {
                                error_str = "allocation of command string failed";
                                status = FAILED;
                        }
                        else
                        {
-                               jrequest = swima_state->get_inventory(swima_state);
+                               jrequest = swima_state->get_jrequest(swima_state);
                                status = this->rest_api->post(this->rest_api, command,
                                                                                          jrequest, &jresponse);
                                if (status == FAILED)
                                {
-                                       error_str = "error in REST API swid-measurement request";
+                                               error_str = "error in REST API request";
                                }
                                free(command);
                        }
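Review bot: The line `error_str = "error in REST API request";` is indented one tab deeper than its enclosing braces, unlike the sibling assignments `error_str = "allocation of command string failed";` and `status = FAILED;` a few lines above; align it with them. batch_ending continues outside the hunk.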
@@ -595,12 +613,20 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
                                {
                                        if (workitem->get_type(workitem) == IMV_WORKITEM_SWID_TAGS)
                                        {
-                                               swima_state->get_count(swima_state, &tag_id_count,
+                                               swima_state->get_count(swima_state, &sw_id_count,
                                                                                                                  &tag_count);
-                                               snprintf(result_str, BUF_LEN, "received inventory of "
-                                                                "%d SWID tag ID%s and %d SWID tag%s",
-                                                                tag_id_count, (tag_id_count == 1) ? "" : "s",
-                                                                tag_count, (tag_count == 1) ? "" : "s");
+                                               if (format)
+                                               {
+                                                       snprintf(result_str, BUF_LEN, format,
+                                                               sw_id_count, (sw_id_count == 1) ? "" : "s",
+                                                               tag_count,   (tag_count   == 1) ? "" : "s");
+                                               }
+                                               else
+                                               {
+                                                       snprintf(result_str, BUF_LEN, "received %d SWID tag"
+                                                               "%s", tag_count, (tag_count == 1) ? "" : "s");
+
+                                               }
                                                session->remove_workitem(session, enumerator);
 
                                                eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT;
@@ -632,13 +658,13 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
                                /* Create an IETF SW Request attribute */
                                attr = ietf_swima_attr_req_create(IETF_SWIMA_ATTR_REQ_FLAG_NONE,
                                                                swima_state->get_request_id(swima_state));
-                               tag_id_count = json_object_array_length(jresponse);
-                               DBG1(DBG_IMV, "%d SWID tag target%s", tag_id_count,
-                                                         (tag_id_count == 1) ? "" : "s");
-                               swima_state->set_missing(swima_state, tag_id_count);
+                               sw_id_count = json_object_array_length(jresponse);
+                               DBG1(DBG_IMV, "%d SWID tag target%s", sw_id_count,
+                                                         (sw_id_count == 1) ? "" : "s");
+                               swima_state->set_missing(swima_state, sw_id_count);
                                targets = swima_inventory_create();
 
-                               for (i = 0; i < tag_id_count; i++)
+                               for (i = 0; i < sw_id_count; i++)
                                {
                                        jvalue = json_object_array_get_idx(jresponse, i);
                                        if (json_object_get_type(jvalue) != json_type_string)
@@ -739,8 +765,8 @@ imv_agent_if_t *imv_swima_agent_create(const char *name, TNC_IMVID id,
 {
        private_imv_swima_agent_t *this;
        imv_agent_t *agent;
-       char *rest_api_uri;
-       u_int rest_api_timeout;
+       char *uri;
+       u_int timeout;
 
        agent = imv_agent_create(name, msg_types, countof(msg_types), id,
                                                         actual_version);
@@ -764,13 +790,13 @@ imv_agent_if_t *imv_swima_agent_create(const char *name, TNC_IMVID id,
                .agent = agent,
        );
 
-       rest_api_uri = lib->settings->get_str(lib->settings,
-                                               "%s.plugins.imv-swima.rest_api_uri", NULL, lib->ns);
-       rest_api_timeout = lib->settings->get_int(lib->settings,
-                                               "%s.plugins.imv-swima.rest_api_timeout", 120, lib->ns);
-       if (rest_api_uri)
+       uri = lib->settings->get_str(lib->settings,
+                                       "%s.plugins.imv-swima.rest_api.uri", NULL, lib->ns);
+       timeout = lib->settings->get_int(lib->settings,
+                                       "%s.plugins.imv-swima.rest_api.timeout", 120, lib->ns);
+       if (uri)
        {
-               this->rest_api = rest_create(rest_api_uri, rest_api_timeout);
+               this->rest_api = rest_create(uri, timeout);
        }
 
        return &this->public;
index 04defae..03500bc 100644 (file)
@@ -106,9 +106,9 @@ struct private_imv_swima_state_t {
        uint32_t request_id;
 
        /**
-        * Number of processed SWID Tag IDs
+        * Number of processed Software Identifiers
         */
-       int tag_id_count;
+       int sw_id_count;
 
        /**
         * Number of processed SWID Tags
@@ -116,7 +116,7 @@ struct private_imv_swima_state_t {
        int tag_count;
 
        /**
-        * Number of missing SWID Tags or Tag IDs
+        * Number of missing Software Identifiers or SWID Tags
         */
        uint32_t missing;
 
@@ -131,7 +131,7 @@ struct private_imv_swima_state_t {
        json_object *jobj;
 
        /**
-        * JSON array containing an inventory of SWID Tag IDs
+        * JSON array containing either a SW [ID] inventory or SW ID events
         */
        json_object *jarray;
 
@@ -293,6 +293,12 @@ METHOD(imv_swima_state_t, set_inventory, void,
        swima_record_t *sw_record;
        enumerator_t *enumerator;
 
+       if (this->sw_id_count == 0)
+       {
+               this->jarray = json_object_new_array();
+               json_object_object_add(this->jobj, "data", this->jarray);
+       }
+
        enumerator = inventory->create_enumerator(inventory);
        while (enumerator->enumerate(enumerator, &sw_record))
        {
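Review bot: The `this->sw_id_count == 0` guard used to create the `data` array is fragile: set_count only adds the count it is given, so if the first inventory message carried zero records the next call creates a second array and `json_object_object_add` replaces the earlier one under the same key. Testing the pointer itself, `if (!this->jarray)`, expresses the intent (create once per state) without depending on the counter, assuming the INIT block zero-fills the omitted `jarray` member; the guard in set_events has the same dependency. set_inventory continues outside the hunk.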
@@ -317,43 +323,64 @@ METHOD(imv_swima_state_t, set_inventory, void,
        enumerator->destroy(enumerator);
 }
 
-METHOD(imv_swima_state_t, get_inventory, json_object*,
-       private_imv_swima_state_t *this)
-{
-       return this->jobj;
-}
-
 METHOD(imv_swima_state_t, set_events, void,
     private_imv_swima_state_t *this, swima_events_t *events)
 {
        chunk_t sw_id, timestamp;
-       uint32_t record_id, eid;
-       char *sw_id_str;
-       json_object *jstring;
+       uint32_t record_id, eid, last_eid, epoch, source_id, action;
+       char *sw_id_str, *timestamp_str;
+       json_object *jevent, *jvalue, *jstring;
        swima_event_t *sw_event;
        swima_record_t *sw_record;
        enumerator_t *enumerator;
 
+       if (this->sw_id_count == 0)
+       {
+               last_eid = events->get_eid(events, &epoch, NULL);
+               jvalue = json_object_new_int(epoch);
+               json_object_object_add(this->jobj, "epoch", jvalue);
+               jvalue = json_object_new_int(last_eid);
+               json_object_object_add(this->jobj, "lastEid", jvalue);
+               this->jarray = json_object_new_array();
+               json_object_object_add(this->jobj, "events", this->jarray);
+       }
+
        enumerator = events->create_enumerator(events);
        while (enumerator->enumerate(enumerator, &sw_event))
        {
                eid = sw_event->get_eid(sw_event, &timestamp);
+               timestamp_str = strndup(timestamp.ptr, timestamp.len);
+               action = sw_event->get_action(sw_event);
                sw_record = sw_event->get_sw_record(sw_event);
                record_id = sw_record->get_record_id(sw_record);
+               source_id = sw_record->get_source_id(sw_record);
                sw_id = sw_record->get_sw_id(sw_record, NULL);
                sw_id_str = strndup(sw_id.ptr, sw_id.len);
-               DBG3(DBG_IMV, "%3u %.*s %6u: %s", eid, timestamp.len, timestamp.ptr,
-                                                                                 record_id, sw_id_str);
-
-               /* Add software identity to JSON array */
+               DBG3(DBG_IMV, "%3u %.*s %u %5u: %s", eid, timestamp.len, timestamp.ptr,
+                                                                                        action, record_id, sw_id_str);
+
+               /* Add software event to JSON array */
+               jevent = json_object_new_object();
+               jvalue = json_object_new_int(eid);
+               json_object_object_add(jevent, "eid", jvalue);
+               jstring = json_object_new_string(timestamp_str);
+               json_object_object_add(jevent, "timestamp", jstring);
+               jvalue = json_object_new_int(record_id);
+               json_object_object_add(jevent, "recordId", jvalue);
+               jvalue = json_object_new_int(source_id);
+               json_object_object_add(jevent, "sourceId", jvalue);
+               jvalue = json_object_new_int(action);
+               json_object_object_add(jevent, "action", jvalue);
                jstring = json_object_new_string(sw_id_str);
-               json_object_array_add(this->jarray, jstring);
+               json_object_object_add(jevent, "softwareId", jstring);
+               json_object_array_add(this->jarray, jevent);
+               free(timestamp_str);
                free(sw_id_str);
        }
        enumerator->destroy(enumerator);
 }
 
-METHOD(imv_swima_state_t, get_events, json_object*,
+METHOD(imv_swima_state_t, get_jrequest, json_object*,
        private_imv_swima_state_t *this)
 {
        return this->jobj;
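Review bot: `epoch`, `last_eid` and `eid` are `uint32_t` but are serialised with `json_object_new_int`, which takes a signed 32-bit value, so an epoch with the top bit set (the agent logs it as `0x%08x`, i.e. a full 32-bit quantity) reaches the REST API as a negative number. Use `json_object_new_int64` for those values. The `strndup` results `timestamp_str` and `sw_id_str` are also passed to `json_object_new_string` without a NULL check, so an allocation failure would be dereferenced inside json-c rather than reported.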
@@ -372,20 +399,20 @@ METHOD(imv_swima_state_t, get_missing, uint32_t,
 }
 
 METHOD(imv_swima_state_t, set_count, void,
-       private_imv_swima_state_t *this, int tag_id_count, int tag_count,
+       private_imv_swima_state_t *this, int sw_id_count, int tag_count,
        TNC_UInt32 imc_id)
 {
-       this->tag_id_count += tag_id_count;
+       this->sw_id_count += sw_id_count;
        this->tag_count += tag_count;
        this->imc_id = imc_id;
 }
 
 METHOD(imv_swima_state_t, get_count, void,
-       private_imv_swima_state_t *this, int *tag_id_count, int *tag_count)
+       private_imv_swima_state_t *this, int *sw_id_count, int *tag_count)
 {
-       if (tag_id_count)
+       if (sw_id_count)
        {
-               *tag_id_count = this->tag_id_count;
+               *sw_id_count = this->sw_id_count;
        }
        if (tag_count)
        {
@@ -433,9 +460,8 @@ imv_state_t *imv_swima_state_create(TNC_ConnectionID connection_id)
                        .set_request_id = _set_request_id,
                        .get_request_id = _get_request_id,
                        .set_inventory = _set_inventory,
-                       .get_inventory = _get_inventory,
                        .set_events = _set_events,
-                       .get_events = _get_events,
+                       .get_jrequest = _get_jrequest,
                        .set_missing = _set_missing,
                        .get_missing = _get_missing,
                        .set_count = _set_count,
@@ -449,11 +475,8 @@ imv_state_t *imv_swima_state_create(TNC_ConnectionID connection_id)
                .contracts = seg_contract_manager_create(),
                .imc_id = TNC_IMCID_ANY,
                .jobj = json_object_new_object(),
-               .jarray = json_object_new_array(),
        );
 
-       json_object_object_add(this->jobj, "data", this->jarray);
-
        return &this->public.interface;
 }
 
index beade6c..4fa32da 100644 (file)
@@ -83,32 +83,25 @@ struct imv_swima_state_t {
        uint32_t (*get_request_id)(imv_swima_state_t *this);
 
        /**
-        * Set or extend the SWID Tag ID inventory in the state
+        * Set or extend the SW ID inventory in the state
         *
-        * @param inventory                     SWID Tags ID inventory to be added
+        * @param inventory                     SW ID inventory to be added
         */
        void (*set_inventory)(imv_swima_state_t *this, swima_inventory_t *inventory);
 
        /**
-        * Get the encoding of the complete SWID Tag ID inventory
+        * Set or extend the SW ID events in the state
         *
-        * @return                             SWID Tags ID inventory as a JSON array
-        */
-       json_object* (*get_inventory)(imv_swima_state_t *this);
-
-       /**
-        * Set or extend the SWID Tag ID Events in the state
-        *
-        * @param inventory                     SWID Tags ID inventory to be added
+        * @param events                        SW ID events to be added
         */
        void (*set_events)(imv_swima_state_t *this, swima_events_t *events);
 
        /**
-        * Get the encoding of the complete Software ID Events
+        * Get the JSON encoding of the complete SW ID inventory or SW ID events
         *
-        * @return                             Software ID events as a JSON array
+        * @return                             JSON encoding
         */
-       json_object* (*get_events)(imv_swima_state_t *this);
+       json_object* (*get_jrequest)(imv_swima_state_t *this);
 
        /**
         * Set the number of still missing SW [ID] records or envents
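Review bot: The `@return` of get_jrequest does not say who owns the returned object; the implementation in imv_swima_state.c returns the state's internal `jobj`, so a caller that calls json_object_put() on it would free the state's copy. Suggest `@return JSON encoding, owned by the state; the caller must not json_object_put() it`.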
index 9207f11..541d2a2 100644 (file)
@@ -85,7 +85,7 @@ static size_t curl_cb(void *ptr, size_t size, size_t nmemb, cb_data_t *data)
 METHOD(fetcher_t, fetch, status_t,
        private_curl_fetcher_t *this, char *uri, void *userdata)
 {
-       char error[CURL_ERROR_SIZE], *enc_uri;
+       char error[CURL_ERROR_SIZE], *enc_uri, *p1, *p2;
        CURLcode curl_status;
        status_t status;
        long result = 0;
@@ -123,7 +123,17 @@ METHOD(fetcher_t, fetch, status_t,
                curl_easy_setopt(this->curl, CURLOPT_HTTPHEADER, this->headers);
        }
 
-       DBG2(DBG_LIB, "  sending request to '%s'...", uri);
+       /* if the URI contains a username[:password] prefix then mask it */
+       p1 = strstr(uri, "://");
+       p2 = strchr(uri, '@');
+       if (p1 && p2)
+       {
+               DBG2(DBG_LIB, "  sending request to '%.*sxxxx%s'...", p1+3-uri, uri, p2);
+       }
+       else
+       {
+               DBG2(DBG_LIB, "  sending request to '%s'...", uri);
+       }
        curl_status = curl_easy_perform(this->curl);
        switch (curl_status)
        {
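Review bot: The precision argument `p1+3-uri` in the masked `DBG2` call is a `ptrdiff_t` where `%.*s` expects an `int`; cast it, `(int)(p1 + 3 - uri)`. The `@` is also searched over the whole URI rather than the authority component, so an `@` in the path or query of a credential-free URI masks everything up to it, while a scheme-less URI with a `user:pass@` prefix makes `p1` NULL, takes the else-branch and is logged unmasked. Searching from `p1 + 3`, e.g. `p2 = strchr(p1 + 3, '@');`, and accepting `p2` only when it precedes `strchr(p1 + 3, '/')` (if any) keeps the masking tied to the userinfo part. fetch continues outside the hunk.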