imc-swima: Support subscriptions
authorAndreas Steffen <andreas.steffen@strongswan.org>
Tue, 24 Jul 2018 20:35:55 +0000 (22:35 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Sun, 29 Jul 2018 08:37:36 +0000 (10:37 +0200)
conf/plugins/imc-swima.opt
src/libimcv/imc/imc_agent.c
src/libimcv/imc/imc_agent.h
src/libimcv/plugins/imc_swima/Makefile.am
src/libimcv/plugins/imc_swima/imc_swima.c
src/libimcv/plugins/imc_swima/imc_swima_state.c
src/libimcv/plugins/imc_swima/imc_swima_state.h

index 099a3c8..daa4eca 100644 (file)
@@ -19,3 +19,6 @@ libimcv.plugins.imc-swima.swid_pretty = no
 
 libimcv.plugins.imc-swima.swid_full = no
        Include file information in the XML-encoded SWID tags.
+
+libimcv.plugins.imc-swima.subscriptions = no
+       Accept SW Inventory or SW Events subscriptions.
index 3a7a16b..fb59cfa 100644 (file)
@@ -74,6 +74,11 @@ struct private_imc_agent_t {
        rwlock_t *connection_lock;
 
        /**
+        * Is the transport protocol PT-TLS?
+        */
+       bool has_pt_tls;
+
+       /**
         * Inform a TNCC about the set of message types the IMC is able to receive
         *
         * @param imc_id                        IMC ID assigned by TNCC
@@ -372,6 +377,8 @@ METHOD(imc_agent_t, create_state, TNC_Result,
        DBG2(DBG_IMC, "  over %s %s with maximum PA-TNC message size of %u bytes",
                                  t_p ? t_p:"?", t_v ? t_v :"?", max_msg_len);
 
+       this->has_pt_tls = streq(t_p, "IF-T for TLS");
+
        free(tnccs_p);
        free(tnccs_v);
        free(t_p);
@@ -531,6 +538,12 @@ METHOD(imc_agent_t, get_non_fatal_attr_types, linked_list_t*,
        return this->non_fatal_attr_types;
 }
 
+METHOD(imc_agent_t, has_pt_tls, bool,
+       private_imc_agent_t *this)
+{
+       return  this->has_pt_tls;
+}
+
 METHOD(imc_agent_t, destroy, void,
        private_imc_agent_t *this)
 {
@@ -575,6 +588,7 @@ imc_agent_t *imc_agent_create(const char *name,
                        .create_id_enumerator = _create_id_enumerator,
                        .add_non_fatal_attr_type = _add_non_fatal_attr_type,
                        .get_non_fatal_attr_types = _get_non_fatal_attr_types,
+                       .has_pt_tls = _has_pt_tls,
                        .destroy = _destroy,
                },
                .name = name,
index bac1b48..27c7499 100644 (file)
@@ -182,6 +182,13 @@ struct imc_agent_t {
        linked_list_t* (*get_non_fatal_attr_types)(imc_agent_t *this);
 
        /**
+        * Is the transport protocol PT-TLS?
+        *
+        * return                                       TRUE if PT-TLS
+        */
+       bool (*has_pt_tls)(imc_agent_t *this);
+
+       /**
         * Destroys an imc_agent_t object
         */
        void (*destroy)(imc_agent_t *this);
index 4a29e79..e31f98d 100644 (file)
@@ -19,11 +19,13 @@ $(swid_tag) : $(regid)__strongSwan.swidtag.in
 AM_CPPFLAGS = \
        -I$(top_srcdir)/src/libstrongswan \
        -I$(top_srcdir)/src/libtncif \
-       -I$(top_srcdir)/src/libimcv
+       -I$(top_srcdir)/src/libimcv \
+       -DSW_COLLECTOR=\"${prefix}/sbin/sw-collector\"
 
 AM_CFLAGS = \
        $(PLUGIN_CFLAGS) $(json_CFLAGS)
 
+
 imcv_LTLIBRARIES = imc-swima.la
 
 imc_swima_la_LIBADD = \
index 67080e0..7869a92 100644 (file)
 #include <pen/pen.h>
 #include <utils/debug.h>
 
+#include <errno.h>
+#include <poll.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/inotify.h>
+#include <unistd.h>
+
+#ifndef SW_COLLECTOR
+#define SW_COLLECTOR NULL
+#endif
+
 /* IMC definitions */
 
 static const char imc_name[] = "SWIMA";
@@ -68,6 +79,75 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
 }
 
 /**
+ * Poll for IN_CLOSE_WRITE event on the apt history.log
+ */
+static bool poll_history_log(void)
+{
+       int fd, wd, res;
+       nfds_t nfds;
+       struct pollfd fds[1];
+       char *history_path;
+       bool success = FALSE;
+
+       history_path = lib->settings->get_str(lib->settings, "sw-collector.history",
+                                                                                 NULL);
+       if (!history_path)
+       {
+               DBG1(DBG_IMC, "sw-collector.history path not set");
+               return FALSE;
+       }
+
+       /* Create the file descriptor for accessing the inotify API */
+       fd = inotify_init1(IN_NONBLOCK);
+       if (fd == -1)
+       {
+               DBG1(DBG_IMC, "inotify file descriptor could not be created");
+               return FALSE;
+       }
+
+       /* Watch for CLOSE_WRITE events on history log */
+       wd = inotify_add_watch(fd, history_path, IN_CLOSE_WRITE);
+       if (wd == -1)
+       {
+               DBG1(DBG_IMC, "cannot watch '%s'", history_path);
+               goto end;
+       }
+
+       /* Prepare for polling */
+       nfds = 1;
+
+       /* Inotify input */
+       fds[0].fd = fd;
+       fds[0].events = POLLIN;
+
+       while (1)
+       {
+               DBG1(DBG_IMC, "  waiting for write event on history.log ...");
+
+               res = poll(fds, nfds, -1);
+               if (res == -1)
+               {
+                       DBG1(DBG_IMC, "  poll failed: %s", strerror(errno));
+                       if (errno == EINTR)
+                       {
+                               continue;
+                       }
+                       goto end;
+               }
+               if (res > 0 &&  fds[0].revents & POLLIN)
+               {
+                       DBG1(DBG_IMC, "  poll successful");
+                       success = TRUE;
+                       break;
+               }
+       }
+
+end:
+       close(fd);
+       return success;
+}
+
+/**
  * see section 3.8.2 of TCG TNC IF-IMC Specification 1.3
  */
 TNC_Result TNC_IMC_NotifyConnectionChange(TNC_IMCID imc_id,
@@ -75,6 +155,11 @@ TNC_Result TNC_IMC_NotifyConnectionChange(TNC_IMCID imc_id,
                                                                                  TNC_ConnectionState new_state)
 {
        imc_state_t *state;
+       imc_swima_state_t *swima_state;
+       imc_swima_subscription_t *subscription;
+       TNC_IMV_Evaluation_Result res;
+       TNC_Result result;
+       uint32_t eid, eid_epoch;
 
        if (!imc_swima)
        {
@@ -95,6 +180,43 @@ TNC_Result TNC_IMC_NotifyConnectionChange(TNC_IMCID imc_id,
                        state->set_result(state, imc_id,
                                                          TNC_IMV_EVALUATION_RESULT_DONT_KNOW);
                        return TNC_RESULT_SUCCESS;
+               case TNC_CONNECTION_STATE_ACCESS_ALLOWED:
+               case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
+               case TNC_CONNECTION_STATE_ACCESS_NONE:
+                       /* get updated IMC state */
+                       result = imc_swima->change_state(imc_swima, connection_id,
+                                                                                        new_state, &state);
+                       if (result != TNC_RESULT_SUCCESS)
+                       {
+                               return TNC_RESULT_FATAL;
+                       }
+                       swima_state = (imc_swima_state_t*)state;
+
+                       /* do a handshake retry? */
+                       if (swima_state->get_subscription(swima_state, &subscription))
+                       {
+                               /* update earliest EID in subscription target */
+                               if (state->get_result(state, imc_id, &res) &&
+                                       res == TNC_IMV_EVALUATION_RESULT_COMPLIANT)
+                               {
+                                       eid = subscription->targets->get_eid(subscription->targets,
+                                                                                                  &eid_epoch);
+                                       if (eid > 0)
+                                       {
+                                               eid = swima_state->get_earliest_eid(swima_state);
+                                               subscription->targets->set_eid(subscription->targets, eid,
+                                                                                                          eid_epoch);
+                                       }
+                               }
+                               DBG1(DBG_IMC, "SWIMA subscription %u:", subscription->request_id);
+                               if (!poll_history_log())
+                               {
+                                       return TNC_RESULT_FATAL;
+                               }
+                               return imc_swima->request_handshake_retry(imc_id, connection_id,
+                                                                                               TNC_RETRY_REASON_IMC_PERIODIC);
+                       }
+                       return TNC_RESULT_SUCCESS;
                case TNC_CONNECTION_STATE_DELETE:
                        return imc_swima->delete_state(imc_swima, connection_id);
                default:
@@ -104,61 +226,11 @@ TNC_Result TNC_IMC_NotifyConnectionChange(TNC_IMCID imc_id,
 }
 
 /**
- * see section 3.8.3 of TCG TNC IF-IMC Specification 1.3
- */
-TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id,
-                                                                 TNC_ConnectionID connection_id)
-{
-       imc_state_t *state;
-       imc_msg_t *out_msg;
-       pa_tnc_attr_t *attr;
-       seg_contract_t *contract;
-       seg_contract_manager_t *contracts;
-       size_t max_attr_size = SWIMA_MAX_ATTR_SIZE;
-       size_t max_seg_size;
-       char buf[BUF_LEN];
-       TNC_Result result = TNC_RESULT_SUCCESS;
-
-       if (!imc_swima)
-       {
-               DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
-               return TNC_RESULT_NOT_INITIALIZED;
-       }
-       if (!imc_swima->get_state(imc_swima, connection_id, &state))
-       {
-               return TNC_RESULT_FATAL;
-       }
-
-       /* Determine maximum PA-TNC attribute segment size */
-       max_seg_size = state->get_max_msg_len(state) - PA_TNC_HEADER_SIZE
-                                                                                                - PA_TNC_ATTR_HEADER_SIZE
-                                                                                                - TCG_SEG_ATTR_SEG_ENV_HEADER;
-
-       /* Announce support of PA-TNC segmentation to IMV */
-       contract = seg_contract_create(msg_types[0], max_attr_size, max_seg_size,
-                                                                  TRUE, imc_id, TRUE);
-       contract->get_info_string(contract, buf, BUF_LEN, TRUE);
-       DBG2(DBG_IMC, "%s", buf);
-       contracts = state->get_contracts(state);
-       contracts->add_contract(contracts, contract);
-       attr = tcg_seg_attr_max_size_create(max_attr_size, max_seg_size, TRUE);
-
-       /* send PA-TNC message with the excl flag not set */
-       out_msg = imc_msg_create(imc_swima, state, connection_id, imc_id,
-                                                        TNC_IMVID_ANY, msg_types[0]);
-       out_msg->add_attribute(out_msg, attr);
-       result = out_msg->send(out_msg, FALSE);
-       out_msg->destroy(out_msg);
-
-       return result;
-}
-
-/**
  * Add SWID Inventory or Event attribute to the send queue
  */
 static void fulfill_request(imc_state_t *state, imc_msg_t *msg,
-                                                       uint32_t request_id, bool sw_id_only,
-                                                       swima_inventory_t *targets)
+                                                          uint32_t request_id, bool sw_id_only,
+                                                          swima_inventory_t *targets)
 {
        pa_tnc_attr_t *attr;
        swima_collector_t  *collector;
@@ -174,6 +246,8 @@ static void fulfill_request(imc_state_t *state, imc_msg_t *msg,
        {
                swima_events_t *sw_ev;
                ietf_swima_attr_sw_ev_t *sw_ev_attr;
+               imc_swima_state_t *swima_state;
+               uint32_t eid_epoch, last_eid = 0;
 
                sw_ev = collector->collect_events(collector, sw_id_only, targets);
                if (!sw_ev)
@@ -185,8 +259,14 @@ static void fulfill_request(imc_state_t *state, imc_msg_t *msg,
                }
                else {
                        items = sw_ev->get_count(sw_ev);
-                       DBG1(DBG_IMC, "collected %d SW%s event%s", items, id_str,
-                                                                                                          items == 1 ? "" : "s");
+                       last_eid = sw_ev->get_eid(sw_ev, &eid_epoch, NULL);
+
+                       DBG1(DBG_IMC, "collected %d SW%s event%s at last eid %d of epoch 0x%08x",
+                                items, id_str, items == 1 ? "" : "s", last_eid, eid_epoch);
+
+                       /* Store the earliest EID for the next subscription round */
+                       swima_state = (imc_swima_state_t*)state;
+                       swima_state->set_earliest_eid(swima_state, last_eid + 1);
 
                        /* Send an IETF SW [Identity] Events attribute */
                        attr = ietf_swima_attr_sw_ev_create(IETF_SWIMA_ATTR_SW_INV_FLAG_NONE,
@@ -226,9 +306,78 @@ static void fulfill_request(imc_state_t *state, imc_msg_t *msg,
        collector->destroy(collector);
 }
 
+/**
+ * see section 3.8.3 of TCG TNC IF-IMC Specification 1.3
+ */
+TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id,
+                                                                 TNC_ConnectionID connection_id)
+{
+       imc_state_t *state;
+       imc_swima_state_t *swima_state;
+       imc_msg_t *out_msg;
+       pa_tnc_attr_t *attr;
+       seg_contract_t *contract;
+       seg_contract_manager_t *contracts;
+       imc_swima_subscription_t *subscription;
+       size_t max_attr_size = SWIMA_MAX_ATTR_SIZE;
+       size_t max_seg_size;
+       char buf[BUF_LEN];
+       TNC_Result result = TNC_RESULT_SUCCESS;
+
+       if (!imc_swima)
+       {
+               DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+               return TNC_RESULT_NOT_INITIALIZED;
+       }
+       if (!imc_swima->get_state(imc_swima, connection_id, &state))
+       {
+               return TNC_RESULT_FATAL;
+       }
+       swima_state = (imc_swima_state_t*)state;
+
+       if (swima_state->get_subscription(swima_state, &subscription))
+       {
+               if (system(SW_COLLECTOR) != 0)
+               {
+                       DBG1(DBG_IMC, "calling %s failed", SW_COLLECTOR);
+                       return TNC_RESULT_FATAL;
+               }
+               out_msg = imc_msg_create(imc_swima, state, connection_id, imc_id,
+                                                                subscription->imv_id, msg_types[0]);
+               fulfill_request(state, out_msg, subscription->request_id,
+                                               subscription->sw_id_only, subscription->targets);
+       }
+       else
+       {
+               /* Determine maximum PA-TNC attribute segment size */
+               max_seg_size = state->get_max_msg_len(state) - PA_TNC_HEADER_SIZE
+                                                                                                        - PA_TNC_ATTR_HEADER_SIZE
+                                                                                                - TCG_SEG_ATTR_SEG_ENV_HEADER;
+
+               /* Announce support of PA-TNC segmentation to IMV */
+               contract = seg_contract_create(msg_types[0], max_attr_size, max_seg_size,
+                                                                          TRUE, imc_id, TRUE);
+               contract->get_info_string(contract, buf, BUF_LEN, TRUE);
+               DBG2(DBG_IMC, "%s", buf);
+               contracts = state->get_contracts(state);
+               contracts->add_contract(contracts, contract);
+               attr = tcg_seg_attr_max_size_create(max_attr_size, max_seg_size, TRUE);
+
+               /* send PA-TNC message with the excl flag not set */
+               out_msg = imc_msg_create(imc_swima, state, connection_id, imc_id,
+                                                                TNC_IMVID_ANY, msg_types[0]);
+               out_msg->add_attribute(out_msg, attr);
+       }
+       result = out_msg->send(out_msg, FALSE);
+       out_msg->destroy(out_msg);
+
+       return result;
+}
+
 static TNC_Result receive_message(imc_state_t *state, imc_msg_t *in_msg)
 {
        imc_msg_t *out_msg;
+       imc_swima_state_t *swima_state;
        pa_tnc_attr_t *attr;
        enumerator_t *enumerator;
        pen_type_t type;
@@ -255,7 +404,6 @@ static TNC_Result receive_message(imc_state_t *state, imc_msg_t *in_msg)
                uint32_t request_id;
                bool sw_id_only;
                swima_inventory_t *targets;
-
                type = attr->get_type(attr);
 
                if (type.vendor_id != PEN_IETF || type.type != IETF_ATTR_SWIMA_REQUEST)
@@ -267,15 +415,55 @@ static TNC_Result receive_message(imc_state_t *state, imc_msg_t *in_msg)
                flags = attr_req->get_flags(attr_req);
                request_id = attr_req->get_request_id(attr_req);
                targets = attr_req->get_targets(attr_req);
+               sw_id_only = (flags & IETF_SWIMA_ATTR_REQ_FLAG_R);
 
                if (flags & (IETF_SWIMA_ATTR_REQ_FLAG_S | IETF_SWIMA_ATTR_REQ_FLAG_C))
                {
-                       attr = swima_error_create(PA_ERROR_SWIMA_SUBSCRIPTION_DENIED,
-                                               request_id, 0, "no subscription available yet");
-                       out_msg->add_attribute(out_msg, attr);
-                       break;
+                       if (imc_swima->has_pt_tls(imc_swima) &&
+                               lib->settings->get_bool(lib->settings,
+                                       "%s.plugins.imc-swima.subscriptions", FALSE, lib->ns))
+                       {
+                               imc_swima_subscription_t *subscription;
+
+                               swima_state = (imc_swima_state_t*)state;
+
+                               if (flags & IETF_SWIMA_ATTR_REQ_FLAG_C)
+                               {
+                                       if (swima_state->get_subscription(swima_state, &subscription))
+                                       {
+                                               DBG1(DBG_IMC, "SWIMA subscription %u cleared",
+                                                                          subscription->request_id);
+                                               swima_state->set_subscription(swima_state, NULL, FALSE);
+                                       }
+                               }
+                               else
+                               {
+                                       INIT(subscription,
+                                               .imv_id = in_msg->get_src_id(in_msg),
+                                               .request_id = request_id,
+                                               .targets = targets->get_ref(targets),
+                                               .sw_id_only = sw_id_only,
+                                       );
+
+                                       swima_state->set_subscription(swima_state, subscription,
+                                                                                                 TRUE);
+                                       DBG1(DBG_IMC, "SWIMA subscription %u established",
+                                                                  subscription->request_id);
+                                       if (system(SW_COLLECTOR) != 0)
+                                       {
+                                               DBG1(DBG_IMC, "calling %s failed", SW_COLLECTOR);
+                                               out_msg->destroy(out_msg);
+                                               return TNC_RESULT_FATAL;
+                                       }
+                               }
+                       }
+                       else
+                       {
+                               attr = swima_error_create(PA_ERROR_SWIMA_SUBSCRIPTION_DENIED,
+                                                       request_id, 0, "subscriptions not enabled");
+                               out_msg->add_attribute(out_msg, attr);
+                       }
                }
-               sw_id_only = (flags & IETF_SWIMA_ATTR_REQ_FLAG_R);
 
                fulfill_request(state, out_msg, request_id, sw_id_only, targets);
                break;
index 70b2434..b985a40 100644 (file)
@@ -65,8 +65,33 @@ struct private_imc_swima_state_t {
         * PA-TNC attribute segmentation contracts associated with TNCCS connection
         */
        seg_contract_manager_t *contracts;
+
+       /**
+        * Has a subscription been established?
+        */
+       bool has_subscription;
+
+       /**
+        * State information on subscriptions
+        */
+       imc_swima_subscription_t *subscription;
+
+       /**
+        * Earliest EID for the next subscription round
+        */
+       uint32_t earliest_eid;
+
 };
 
+static void free_subscription(imc_swima_subscription_t *this)
+{
+       if (this)
+       {
+               this->targets->destroy(this->targets);
+               free(this);
+       }
+}
+
 METHOD(imc_state_t, get_connection_id, TNC_ConnectionID,
        private_imc_swima_state_t *this)
 {
@@ -137,10 +162,50 @@ METHOD(imc_state_t, get_result, bool,
 METHOD(imc_state_t, destroy, void,
        private_imc_swima_state_t *this)
 {
+       free(this->subscription);
        this->contracts->destroy(this->contracts);
        free(this);
 }
 
+METHOD(imc_swima_state_t, set_subscription, void,
+       private_imc_swima_state_t *this, imc_swima_subscription_t *subscription,
+       bool set)
+{
+       free_subscription(this->subscription);
+       this->has_subscription = set;
+
+       if (set)
+       {
+               this->subscription = subscription;
+       }
+       else
+       {
+               this->subscription = NULL;
+       }
+}
+
+METHOD(imc_swima_state_t, get_subscription, bool,
+       private_imc_swima_state_t *this, imc_swima_subscription_t **subscription)
+{
+       if (subscription)
+       {
+               *subscription = this->subscription;
+       }
+       return this->has_subscription;
+}
+
+METHOD(imc_swima_state_t, set_earliest_eid, void,
+       private_imc_swima_state_t *this, uint32_t eid)
+{
+       this->earliest_eid = eid;
+}
+
+METHOD(imc_swima_state_t, get_earliest_eid, uint32_t,
+       private_imc_swima_state_t *this)
+{
+       return this->earliest_eid;
+}
+
 /**
  * Described in header.
  */
@@ -163,13 +228,17 @@ imc_state_t *imc_swima_state_create(TNC_ConnectionID connection_id)
                                .get_result = _get_result,
                                .destroy = _destroy,
                        },
+                       .set_subscription = _set_subscription,
+                       .get_subscription = _get_subscription,
+                       .set_earliest_eid = _set_earliest_eid,
+                       .get_earliest_eid = _get_earliest_eid,
                },
                .state = TNC_CONNECTION_STATE_CREATE,
                .result = TNC_IMV_EVALUATION_RESULT_DONT_KNOW,
                .connection_id = connection_id,
                .contracts = seg_contract_manager_create(),
        );
-       
+
        return &this->public.interface;
 }
 
index 4e4e3b1..92a674f 100644 (file)
 #define IMC_SWIMA_STATE_H_
 
 #include <imc/imc_state.h>
+#include <swima/swima_inventory.h>
 #include <library.h>
 
 typedef struct imc_swima_state_t imc_swima_state_t;
+typedef struct imc_swima_subscription_t imc_swima_subscription_t;
+
+/**
+ * State information on subscriptions
+ */
+struct imc_swima_subscription_t {
+
+       /**
+        * IMV which sent the subscription request
+         */
+       TNC_IMVID imv_id;
+
+       /**
+        * SWIMA Request ID
+        */
+       uint32_t request_id;
+
+       /**
+        * SWIMA Request targets
+        */
+       swima_inventory_t *targets;
+
+       /**
+        * Retrieve SW Identifieres only
+        */
+       bool sw_id_only;
+
+};
 
 /**
  * Internal state of an imc_swima_t connection instance
@@ -39,6 +68,37 @@ struct imc_swima_state_t {
         */
        imc_state_t interface;
 
+       /**
+        * Set or clear a subscription
+        *
+        * @param subscription          state information on subscription
+        * @param set                           TRUE sets and FALSE clears a subscripton
+        */
+       void (*set_subscription)(imc_swima_state_t *this,
+                                                        imc_swima_subscription_t *subscription, bool set);
+
+       /**
+        * Get the subscription status
+        *
+        * @param subscription          state information on subscription
+        * @return                                      TRUE if subscription is set
+        */
+       bool (*get_subscription)(imc_swima_state_t *this,
+                                                        imc_swima_subscription_t**subscription);
+
+       /**
+        * Set the earliest EID for the next subscription round
+        *
+        * @param eid                           Earliest EID for events or 0 for inventories
+        */
+       void (*set_earliest_eid)(imc_swima_state_t *this, uint32_t eid);
+
+       /**
+        * Get earliest EID for the next subscription round
+        *
+        * @return                                      Earliest EID for events or 0 for inventories
+        */
+       uint32_t (*get_earliest_eid)(imc_swima_state_t *this);
 };
 
 /**