From 41ec04c34d2e0e4a7ce6ee489e745b018c590f0a Mon Sep 17 00:00:00 2001
From: Andreas Steffen
Date: Wed, 10 Nov 2010 17:59:41 +0100
Subject: [PATCH] enforce_recommendation inserts TNC group membership rules for IKE_SA
---
 src/libcharon/plugins/tnc_imv/tnc_imv_manager.c | 40 +++++++++++++++++++++++--
 src/libcharon/tnc/imv/imv_manager.h | 10 +++++++
 2 files changed, 48 insertions(+), 2 deletions(-)
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c b/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c
index 00060bb..c5de572 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c
@@ -19,8 +19,7 @@
 #include
 #include
-#include
-#include
+#include
 typedef struct private_tnc_imv_manager_t private_tnc_imv_manager_t;
@@ -98,6 +97,42 @@ METHOD(imv_manager_t, get_count, int,
  return this->imvs->get_count(this->imvs);
 }
+METHOD(imv_manager_t, enforce_recommendation, bool,
+ private_tnc_imv_manager_t *this, TNC_IMV_Action_Recommendation rec)
+{
+ char *group;
+ identification_t *id;
+ ike_sa_t *ike_sa;
+ auth_cfg_t *auth;
+ switch (rec)
+ {
+ case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
+ DBG1(DBG_TNC, "TNC recommendation is allow");
+ group = "allow";
+ break;
+ case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
+ DBG1(DBG_TNC, "TNC recommendation is isolate");
+ group = "isolate";
+ break;
+ case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
+ case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
+ default:
+ DBG1(DBG_TNC, "TNC recommendation is none");
+ return FALSE;
+ }
+ ike_sa = charon->bus->get_sa(charon->bus);
+ if (ike_sa)
+ {
+ auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
+ id = identification_create_from_string(group);
+ auth->add(auth, AUTH_RULE_GROUP, id);
+ DBG1(DBG_TNC, "TNC added group membership '%s'", group);
+ }
+ return TRUE;
+}
+
+
 METHOD(imv_manager_t, notify_connection_change, void,
  private_tnc_imv_manager_t *this, TNC_ConnectionID id,
  TNC_ConnectionState state)
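Review bot: In the new enforce_recommendation, when `charon->bus->get_sa(charon->bus)` returns NULL the function skips the `if (ike_sa)` block and still returns TRUE, so a caller that reads TRUE as "allow/isolate rule is in place" continues with no group membership inserted at all. Whether that branch is reachable from the IMV call path is not visible in this patch, but failing closed costs two lines: add an else branch with `DBG1(DBG_TNC, "no IKE_SA to enforce TNC recommendation on"); return FALSE;`. The "TNC recommendation is none" message is also logged for TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS, which is misleading when the log is later used to reconstruct why a peer was denied; `DBG1(DBG_TNC, "TNC recommendation is no access or none");` would keep the two cases distinguishable from a clear "allow"/"isolate". Since `auth->add(auth, AUTH_RULE_GROUP, id)` is presumably taking ownership of the identification_t created one line earlier (as auth_cfg rules elsewhere in charon do), a one-line comment stating that ownership passes to the auth config would spare the next reader a leak hunt.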
@@ -222,6 +257,7 @@ imv_manager_t* tnc_imv_manager_create(void)
  .add = _add,
  .remove = _remove_, /* avoid name conflict with stdio.h */
  .get_count = _get_count,
+ .enforce_recommendation = _enforce_recommendation,
  .notify_connection_change = _notify_connection_change,
  .set_message_types = _set_message_types,
  .solicit_recommendation = _solicit_recommendation,
diff --git a/src/libcharon/tnc/imv/imv_manager.h b/src/libcharon/tnc/imv/imv_manager.h
index 1482361..0e83193 100644
--- a/src/libcharon/tnc/imv/imv_manager.h
+++ b/src/libcharon/tnc/imv/imv_manager.h
@@ -56,6 +56,16 @@ struct imv_manager_t {
  int (*get_count)(imv_manager_t *this);
  /**
+ * Enforce the TNC recommendation on the IKE_SA by either inserting an
+ * allow|isolate group membership rule (TRUE) or by blocking access (FALSE)
+ *
+ * @param void TNC action recommendation
+ * @return TRUE for allow|isolate, FALSE for none
+ */
+ bool (*enforce_recommendation)(imv_manager_t *this,
+ TNC_IMV_Action_Recommendation rec);
+
+ /**
  * Notify all IMV instances
  *
  * @param state communicate the state a connection has reached
-- 
2.7.4
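Review bot: The new doc comment in imv_manager.h documents `@param void`, but the declared parameter is `rec`; it should read `* @param rec TNC action recommendation`. The first sentence also promises that the method blocks access on FALSE, whereas the implementation added to tnc_imv_manager.c in this same patch only logs and returns FALSE without touching the IKE_SA, so denial is the caller's responsibility and the comment should say so, e.g. `* allow|isolate group membership rule (TRUE); returns FALSE when access is to be denied, which the caller must enforce`. It would further help administrators to state that the inserted group membership is literally named "allow" or "isolate", since that is the name a peer config's group rule has to match for the recommendation to have any effect.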