author | Andreas Steffen <andreas.steffen@strongswan.org> | 2017-06-29 11:28:15 +0200 |
---|---|---|
committer | Andreas Steffen <andreas.steffen@strongswan.org> | 2017-07-08 23:19:51 +0200 |
commit | 49d56e1b393eab7131768e3105ca933682ee9c6d (patch) | |
tree | 41b2fc7b36b395d0c01f64be94418570a7476092 | |
parent | 74aa1626d22b86f3245f35d8566cbd18992ef424 (diff) | |
imv-swima: Implemented SW event processing
-rw-r--r-- | conf/plugins/imv-swima.opt | 4 | ||||
-rw-r--r-- | src/libimcv/imv/imv_policy_manager.c | 25 | ||||
-rw-r--r-- | src/libimcv/plugins/imv_swima/imv_swima_agent.c | 106 | ||||
-rw-r--r-- | src/libimcv/plugins/imv_swima/imv_swima_state.c | 81 | ||||
-rw-r--r-- | src/libimcv/plugins/imv_swima/imv_swima_state.h | 21 | ||||
-rw-r--r-- | src/libstrongswan/plugins/curl/curl_fetcher.c | 14 |
6 files changed, 164 insertions, 87 deletions
diff --git a/conf/plugins/imv-swima.opt b/conf/plugins/imv-swima.opt index 1185bd365..a9ba96c21 100644 --- a/conf/plugins/imv-swima.opt +++ b/conf/plugins/imv-swima.opt @@ -1,5 +1,5 @@ -libimcv.plugins.imv-swima.rest_api_uri = +libimcv.plugins.imv-swima.rest_api.uri = HTTP URI of the SWID REST API. -libimcv.plugins.imv-swima.rest_api_timeout = 120 +libimcv.plugins.imv-swima.rest_api.timeout = 120 Timeout of SWID REST API HTTP POST transaction. diff --git a/src/libimcv/imv/imv_policy_manager.c b/src/libimcv/imv/imv_policy_manager.c index b730f8c41..1988873e9 100644 --- a/src/libimcv/imv/imv_policy_manager.c +++ b/src/libimcv/imv/imv_policy_manager.c @@ -130,6 +130,31 @@ static bool iterate_enforcements(database_t *db, int device_id, int session_id, case IMV_WORKITEM_DIR_META: arg_int = dir; break; + case IMV_WORKITEM_SWID_TAGS: + /* software [identifier] inventory by default */ + arg_int = 0; + + /* software identifiers only? */ + if (device_id && strchr(argument, 'R')) + { + /* get last EID in order to set earliest EID */ + e2 = db->query(db, + "SELECT eid FROM swid_events where device == ? " + "ORDER BY eid DESC", DB_UINT, device_id, DB_INT); + if (e2) + { + if (e2->enumerate(e2, &arg_int)) + { + arg_int++; + } + else + { + arg_int = 1; + } + e2->destroy(e2); + } + } + break; default: arg_int = 0; } diff --git a/src/libimcv/plugins/imv_swima/imv_swima_agent.c b/src/libimcv/plugins/imv_swima/imv_swima_agent.c index eedc5da81..efa2b1105 100644 --- a/src/libimcv/plugins/imv_swima/imv_swima_agent.c +++ b/src/libimcv/plugins/imv_swima/imv_swima_agent.c @@ -52,7 +52,9 @@ static pen_type_t msg_types[] = { */ enum imv_swima_attr_t { IMV_SWIMA_ATTR_SW_INV = (1<<0), - IMV_SWIMA_ATTR_SW_ID_INV = (1<<1) + IMV_SWIMA_ATTR_SW_ID_INV = (1<<1), + IMV_SWIMA_ATTR_SW_EV = (1<<2), + IMV_SWIMA_ATTR_SW_ID_EV = (1<<2) }; /** 
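Review bot: The new IMV_WORKITEM_SWID_TAGS case runs `SELECT eid FROM swid_events where device == ? ORDER BY eid DESC` and then reads only the first row, so the database has to sort and hand back every event row of the device to yield one value; appending a bound, `"ORDER BY eid DESC LIMIT 1", DB_UINT, device_id, DB_INT);`, keeps the query cheap as the event table grows. When the query itself fails (`e2` is NULL) `arg_int` stays 0, which silently turns the event request into a full inventory request, so a `DBG1(DBG_IMV, ...)` on that path would make the fallback visible in the log. iterate_enforcements starts outside the hunk, and `e2` is presumably declared there.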
@@ -208,8 +210,8 @@ static TNC_Result receive_msg(private_imv_swima_agent_t *this, missing = attr_cast->get_record_count(attr_cast); swima_state->set_missing(swima_state, missing); - DBG2(DBG_IMV, "received software identity inventory with " - "%d item%s for request %d at eid %d of epoch 0x%08x, " + DBG2(DBG_IMV, "received software ID inventory with " + "%d item%s for request %d at last eid %d of epoch 0x%08x, " "%d item%s to follow", sw_id_count, (sw_id_count == 1) ? "" : "s", request_id, last_eid, eid_epoch, missing, (missing == 1) ? "" : "s"); @@ -222,7 +224,7 @@ static TNC_Result receive_msg(private_imv_swima_agent_t *this, } else { - DBG1(DBG_IMV, "no workitem found for software identity " + DBG1(DBG_IMV, "no workitem found for software ID " "inventory with request ID %d", request_id); } attr_cast->clear_inventory(attr_cast); @@ -251,9 +253,9 @@ static TNC_Result receive_msg(private_imv_swima_agent_t *this, swima_state->set_missing(swima_state, missing); DBG2(DBG_IMV, "received software inventory with %d item%s for " - "request %d at eid %d of epoch 0x%08x, %d item%s to follow", - sw_count, (sw_count == 1) ? "" : "s", request_id, - last_eid, eid_epoch, missing, (missing == 1) ? "" : "s"); + "request %d at last eid %d of epoch 0x%08x, %d item%s to " + "follow", sw_count, (sw_count == 1) ? "" : "s", request_id, + last_eid, eid_epoch, missing, (missing == 1) ? "" : "s"); if (request_id == swima_state->get_request_id(swima_state)) { @@ -310,7 +312,7 @@ static TNC_Result receive_msg(private_imv_swima_agent_t *this, uint32_t missing; int sw_ev_count; - state->set_action_flags(state, IMV_SWIMA_ATTR_SW_ID_INV); + state->set_action_flags(state, IMV_SWIMA_ATTR_SW_ID_EV); attr_cast = (ietf_swima_attr_sw_ev_t*)attr; request_id = attr_cast->get_request_id(attr_cast); 
@@ -320,8 +322,8 @@ static TNC_Result receive_msg(private_imv_swima_agent_t *this, missing = attr_cast->get_event_count(attr_cast); swima_state->set_missing(swima_state, missing); - DBG2(DBG_IMV, "received software identity events with " - "%d item%s for request %d at eid %d of epoch 0x%08x, " + DBG2(DBG_IMV, "received software ID events with " + "%d item%s for request %d at last eid %d of epoch 0x%08x, " "%d item%s to follow", sw_ev_count, (sw_ev_count == 1) ? "" : "s", request_id, last_eid, eid_epoch, missing, (missing == 1) ? "" : "s"); @@ -334,8 +336,8 @@ static TNC_Result receive_msg(private_imv_swima_agent_t *this, } else { - DBG1(DBG_IMV, "no workitem found for software identity " - "evemts with request ID %d", request_id); + DBG1(DBG_IMV, "no workitem found for software ID events " + "with request ID %d", request_id); } attr_cast->clear_events(attr_cast); break; @@ -499,6 +501,7 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result, { flags |= IETF_SWIMA_ATTR_REQ_FLAG_C; } + earliest_eid = workitem->get_arg_int(workitem); /* Determine maximum PA-TNC attribute segment size */ max_seg_size = state->get_max_msg_len(state) @@ -527,11 +530,13 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result, targets->set_eid(targets, earliest_eid, 0); cast_attr = (ietf_swima_attr_req_t*)attr; cast_attr->set_targets(cast_attr, targets); + targets->destroy(targets); out_msg->add_attribute(out_msg, attr); workitem->set_imv_id(workitem, imv_id); no_workitems = FALSE; - DBG2(DBG_IMV, "IMV %d issues sw request %d", imv_id, request_id); + DBG2(DBG_IMV, "IMV %d issues sw request %d with earliest eid %d", + imv_id, request_id, earliest_eid); break; } enumerator->destroy(enumerator); 
@@ -552,36 +557,49 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result, received = state->get_action_flags(state); if (handshake_state == IMV_SWIMA_STATE_WORKITEMS && - (received & (IMV_SWIMA_ATTR_SW_INV|IMV_SWIMA_ATTR_SW_ID_INV)) && + (received & (IMV_SWIMA_ATTR_SW_INV|IMV_SWIMA_ATTR_SW_ID_INV| + IMV_SWIMA_ATTR_SW_EV |IMV_SWIMA_ATTR_SW_ID_EV)) && swima_state->get_missing(swima_state) == 0) { TNC_IMV_Evaluation_Result eval; TNC_IMV_Action_Recommendation rec; - char result_str[BUF_LEN], *error_str = "", *command; - char *target_str; - int tag_id_count, tag_count, i; + char result_str[BUF_LEN], *format = NULL, *cmd = NULL, *command; + char *target_str, *error_str = ""; + int sw_id_count, tag_count, i, res; json_object *jrequest, *jresponse, *jvalue; ietf_swima_attr_req_t *cast_attr; swima_inventory_t *targets; swima_record_t *target; status_t status = SUCCESS; - if (this->rest_api && (received & IMV_SWIMA_ATTR_SW_ID_INV)) + if (received & IMV_SWIMA_ATTR_SW_ID_INV) { - if (asprintf(&command, "sessions/%d/swid-measurement/", - session->get_session_id(session, NULL, NULL)) < 0) + cmd = "swid-measurement"; + format = "received inventory of %d SW ID%s and %d SWID tag%s"; + } + else if (received & IMV_SWIMA_ATTR_SW_ID_EV) + { + cmd = "swid-events"; + format = "received %d SW ID event%s and %d SWID tag%s"; + } + + if (cmd && this->rest_api) + { + res = asprintf(&command, "sessions/%d/%s/", + session->get_session_id(session, NULL, NULL), cmd); + if (res < 0) { error_str = "allocation of command string failed"; status = FAILED; } else { - jrequest = swima_state->get_inventory(swima_state); + jrequest = swima_state->get_jrequest(swima_state); status = this->rest_api->post(this->rest_api, command, jrequest, &jresponse); if (status == FAILED) { - error_str = "error in REST API swid-measurement request"; + error_str = "error in REST API request"; } free(command); } 
@@ -595,12 +613,20 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result, { if (workitem->get_type(workitem) == IMV_WORKITEM_SWID_TAGS) { - swima_state->get_count(swima_state, &tag_id_count, + swima_state->get_count(swima_state, &sw_id_count, &tag_count); - snprintf(result_str, BUF_LEN, "received inventory of " - "%d SWID tag ID%s and %d SWID tag%s", - tag_id_count, (tag_id_count == 1) ? "" : "s", - tag_count, (tag_count == 1) ? "" : "s"); + if (format) + { + snprintf(result_str, BUF_LEN, format, + sw_id_count, (sw_id_count == 1) ? "" : "s", + tag_count, (tag_count == 1) ? "" : "s"); + } + else + { + snprintf(result_str, BUF_LEN, "received %d SWID tag" + "%s", tag_count, (tag_count == 1) ? "" : "s"); + + } session->remove_workitem(session, enumerator); eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT; @@ -632,13 +658,13 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result, /* Create an IETF SW Request attribute */ attr = ietf_swima_attr_req_create(IETF_SWIMA_ATTR_REQ_FLAG_NONE, swima_state->get_request_id(swima_state)); - tag_id_count = json_object_array_length(jresponse); - DBG1(DBG_IMV, "%d SWID tag target%s", tag_id_count, - (tag_id_count == 1) ? "" : "s"); - swima_state->set_missing(swima_state, tag_id_count); + sw_id_count = json_object_array_length(jresponse); + DBG1(DBG_IMV, "%d SWID tag target%s", sw_id_count, + (sw_id_count == 1) ? "" : "s"); + swima_state->set_missing(swima_state, sw_id_count); targets = swima_inventory_create(); - for (i = 0; i < tag_id_count; i++) + for (i = 0; i < sw_id_count; i++) { jvalue = json_object_array_get_idx(jresponse, i); if (json_object_get_type(jvalue) != json_type_string) @@ -739,8 +765,8 @@ imv_agent_if_t *imv_swima_agent_create(const char *name, TNC_IMVID id, { private_imv_swima_agent_t *this; imv_agent_t *agent; - char *rest_api_uri; - u_int rest_api_timeout; + char *uri; + u_int timeout; agent = imv_agent_create(name, msg_types, countof(msg_types), id, actual_version); 
@@ -764,13 +790,13 @@ imv_agent_if_t *imv_swima_agent_create(const char *name, TNC_IMVID id, .agent = agent, ); - rest_api_uri = lib->settings->get_str(lib->settings, - "%s.plugins.imv-swima.rest_api_uri", NULL, lib->ns); - rest_api_timeout = lib->settings->get_int(lib->settings, - "%s.plugins.imv-swima.rest_api_timeout", 120, lib->ns); - if (rest_api_uri) + uri = lib->settings->get_str(lib->settings, + "%s.plugins.imv-swima.rest_api.uri", NULL, lib->ns); + timeout = lib->settings->get_int(lib->settings, + "%s.plugins.imv-swima.rest_api.timeout", 120, lib->ns); + if (uri) { - this->rest_api = rest_create(rest_api_uri, rest_api_timeout); + this->rest_api = rest_create(uri, timeout); } return &this->public; diff --git a/src/libimcv/plugins/imv_swima/imv_swima_state.c b/src/libimcv/plugins/imv_swima/imv_swima_state.c index 04defae36..03500bc2d 100644 --- a/src/libimcv/plugins/imv_swima/imv_swima_state.c +++ b/src/libimcv/plugins/imv_swima/imv_swima_state.c @@ -106,9 +106,9 @@ struct private_imv_swima_state_t { uint32_t request_id; /** - * Number of processed SWID Tag IDs + * Number of processed Software Identifiers */ - int tag_id_count; + int sw_id_count; /** * Number of processed SWID Tags @@ -116,7 +116,7 @@ struct private_imv_swima_state_t { int tag_count; /** - * Number of missing SWID Tags or Tag IDs + * Number of missing Software Identifiers or SWID Tags */ uint32_t missing; @@ -131,7 +131,7 @@ struct private_imv_swima_state_t { json_object *jobj; /** - * JSON array containing an inventory of SWID Tag IDs + * JSON array containing either a SW [ID] inventory or SW ID events */ json_object *jarray; 
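Review bot: In the enum hunk at `@@ -52,7 +52,9 @@`, `IMV_SWIMA_ATTR_SW_EV` and `IMV_SWIMA_ATTR_SW_ID_EV` are both defined as `(1<<2)`, so the two action flags share one bit and can never be told apart; the last member should read `IMV_SWIMA_ATTR_SW_ID_EV = (1<<3)`. As written, the `else if (received & IMV_SWIMA_ATTR_SW_ID_EV)` branch in batch_ending would also select the `swid-events` REST command whenever a plain software event attribute sets `IMV_SWIMA_ATTR_SW_EV`, posting a request built from the wrong kind of payload. Only the sw_ev handler setting `IMV_SWIMA_ATTR_SW_ID_EV` is visible on this page, so whether `IMV_SWIMA_ATTR_SW_EV` is set anywhere yet cannot be confirmed here and the mismatch may be latent for now. batch_ending begins and ends outside the hunks.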
@@ -293,6 +293,12 @@ METHOD(imv_swima_state_t, set_inventory, void, swima_record_t *sw_record; enumerator_t *enumerator; + if (this->sw_id_count == 0) + { + this->jarray = json_object_new_array(); + json_object_object_add(this->jobj, "data", this->jarray); + } + enumerator = inventory->create_enumerator(inventory); while (enumerator->enumerate(enumerator, &sw_record)) { 
@@ -317,43 +323,64 @@ METHOD(imv_swima_state_t, set_inventory, void, enumerator->destroy(enumerator); } -METHOD(imv_swima_state_t, get_inventory, json_object*, - private_imv_swima_state_t *this) -{ - return this->jobj; -} - METHOD(imv_swima_state_t, set_events, void, private_imv_swima_state_t *this, swima_events_t *events) { chunk_t sw_id, timestamp; - uint32_t record_id, eid; - char *sw_id_str; - json_object *jstring; + uint32_t record_id, eid, last_eid, epoch, source_id, action; + char *sw_id_str, *timestamp_str; + json_object *jevent, *jvalue, *jstring; swima_event_t *sw_event; swima_record_t *sw_record; enumerator_t *enumerator; + if (this->sw_id_count == 0) + { + last_eid = events->get_eid(events, &epoch, NULL); + jvalue = json_object_new_int(epoch); + json_object_object_add(this->jobj, "epoch", jvalue); + jvalue = json_object_new_int(last_eid); + json_object_object_add(this->jobj, "lastEid", jvalue); + this->jarray = json_object_new_array(); + json_object_object_add(this->jobj, "events", this->jarray); + } + enumerator = events->create_enumerator(events); while (enumerator->enumerate(enumerator, &sw_event)) { eid = sw_event->get_eid(sw_event, ×tamp); + timestamp_str = strndup(timestamp.ptr, timestamp.len); + action = sw_event->get_action(sw_event); sw_record = sw_event->get_sw_record(sw_event); record_id = sw_record->get_record_id(sw_record); + source_id = sw_record->get_source_id(sw_record); sw_id = sw_record->get_sw_id(sw_record, NULL); sw_id_str = strndup(sw_id.ptr, sw_id.len); - DBG3(DBG_IMV, "%3u %.*s %6u: %s", eid, timestamp.len, timestamp.ptr, - record_id, sw_id_str); - - /* Add software identity to JSON array */ + DBG3(DBG_IMV, "%3u %.*s %u %5u: %s", eid, timestamp.len, timestamp.ptr, + action, record_id, sw_id_str); + + /* Add software event to JSON array */ + jevent = json_object_new_object(); + jvalue = json_object_new_int(eid); + json_object_object_add(jevent, "eid", jvalue); + jstring = json_object_new_string(timestamp_str); + 
json_object_object_add(jevent, "timestamp", jstring); + jvalue = json_object_new_int(record_id); + json_object_object_add(jevent, "recordId", jvalue); + jvalue = json_object_new_int(source_id); + json_object_object_add(jevent, "sourceId", jvalue); + jvalue = json_object_new_int(action); + json_object_object_add(jevent, "action", jvalue); jstring = json_object_new_string(sw_id_str); - json_object_array_add(this->jarray, jstring); + json_object_object_add(jevent, "softwareId", jstring); + json_object_array_add(this->jarray, jevent); + free(timestamp_str); free(sw_id_str); } enumerator->destroy(enumerator); } -METHOD(imv_swima_state_t, get_events, json_object*, +METHOD(imv_swima_state_t, get_jrequest, json_object*, private_imv_swima_state_t *this) { return this->jobj; @@ -372,20 +399,20 @@ METHOD(imv_swima_state_t, get_missing, uint32_t, } METHOD(imv_swima_state_t, set_count, void, - private_imv_swima_state_t *this, int tag_id_count, int tag_count, + private_imv_swima_state_t *this, int sw_id_count, int tag_count, TNC_UInt32 imc_id) { - this->tag_id_count += tag_id_count; + this->sw_id_count += sw_id_count; this->tag_count += tag_count; this->imc_id = imc_id; } METHOD(imv_swima_state_t, get_count, void, - private_imv_swima_state_t *this, int *tag_id_count, int *tag_count) + private_imv_swima_state_t *this, int *sw_id_count, int *tag_count) { - if (tag_id_count) + if (sw_id_count) { - *tag_id_count = this->tag_id_count; + *sw_id_count = this->sw_id_count; } if (tag_count) { @@ -433,9 +460,8 @@ imv_state_t *imv_swima_state_create(TNC_ConnectionID connection_id) .set_request_id = _set_request_id, .get_request_id = _get_request_id, .set_inventory = _set_inventory, - .get_inventory = _get_inventory, .set_events = _set_events, - .get_events = _get_events, + .get_jrequest = _get_jrequest, .set_missing = _set_missing, .get_missing = _get_missing, .set_count = _set_count, 
@@ -449,11 +475,8 @@ imv_state_t *imv_swima_state_create(TNC_ConnectionID connection_id) .contracts = seg_contract_manager_create(), .imc_id = TNC_IMCID_ANY, .jobj = json_object_new_object(), - .jarray = json_object_new_array(), ); - json_object_object_add(this->jobj, "data", this->jarray); - return &this->public.interface; } diff --git a/src/libimcv/plugins/imv_swima/imv_swima_state.h b/src/libimcv/plugins/imv_swima/imv_swima_state.h index beade6c9b..4fa32daf4 100644 --- a/src/libimcv/plugins/imv_swima/imv_swima_state.h +++ b/src/libimcv/plugins/imv_swima/imv_swima_state.h @@ -83,32 +83,25 @@ struct imv_swima_state_t { uint32_t (*get_request_id)(imv_swima_state_t *this); /** - * Set or extend the SWID Tag ID inventory in the state + * Set or extend the SW ID inventory in the state * - * @param inventory SWID Tags ID inventory to be added + * @param inventory SW ID inventory to be added */ void (*set_inventory)(imv_swima_state_t *this, swima_inventory_t *inventory); /** - * Get the encoding of the complete SWID Tag ID inventory + * Set or extend the SW ID events in the state * - * @return SWID Tags ID inventory as a JSON array - */ - json_object* (*get_inventory)(imv_swima_state_t *this); - - /** - * Set or extend the SWID Tag ID Events in the state - * - * @param inventory SWID Tags ID inventory to be added + * @param events SW ID events to be added */ void (*set_events)(imv_swima_state_t *this, swima_events_t *events); /** - * Get the encoding of the complete Software ID Events + * Get the JSON encoding of the complete SW ID inventory or SW ID events * - * @return Software ID events as a JSON array + * @return JSON encoding */ - json_object* (*get_events)(imv_swima_state_t *this); + json_object* (*get_jrequest)(imv_swima_state_t *this); /** * Set the number of still missing SW [ID] records or envents diff --git a/src/libstrongswan/plugins/curl/curl_fetcher.c b/src/libstrongswan/plugins/curl/curl_fetcher.c index 9207f11b6..541d2a2f3 100644 
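Review bot: In set_events, `epoch`, `last_eid`, `eid`, `record_id` and `source_id` are `uint32_t` but are encoded with `json_object_new_int()`, which takes an `int32_t`, so any value with the top bit set (the agent logs the epoch as `0x%08x`, i.e. a full 32-bit quantity) arrives at the REST API as a negative number; `json_object_new_int64()` preserves the value, e.g. `jvalue = json_object_new_int64(epoch);`. The lazy creation of the `epoch`/`lastEid` members and of the `events` array is keyed on `this->sw_id_count == 0`, and since imv_swima_state_create no longer allocates `jarray`, the first set_events call has to happen before set_count raises the counter, otherwise `json_object_array_add()` is reached with a presumably NULL `jarray`; that call order lives in the agent and is not visible here, so it is worth confirming. set_inventory and set_events begin outside their hunks.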
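Review bot: The new `get_jrequest` comment says only `@return JSON encoding`, but the object it returns is the state's own `jobj` (allocated in imv_swima_state_create and handed back by reference in the .c hunk), so the contract should say who owns it, e.g. `@return JSON object owned by the state, valid until the state is destroyed; callers must not json_object_put() it`. Whether the state's destroy method releases `jobj` is not visible on this page, so confirm that before documenting the lifetime.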
--- a/src/libstrongswan/plugins/curl/curl_fetcher.c +++ b/src/libstrongswan/plugins/curl/curl_fetcher.c @@ -85,7 +85,7 @@ static size_t curl_cb(void *ptr, size_t size, size_t nmemb, cb_data_t *data) METHOD(fetcher_t, fetch, status_t, private_curl_fetcher_t *this, char *uri, void *userdata) { - char error[CURL_ERROR_SIZE], *enc_uri; + char error[CURL_ERROR_SIZE], *enc_uri, *p1, *p2; CURLcode curl_status; status_t status; long result = 0; @@ -123,7 +123,17 @@ METHOD(fetcher_t, fetch, status_t, curl_easy_setopt(this->curl, CURLOPT_HTTPHEADER, this->headers); } - DBG2(DBG_LIB, " sending request to '%s'...", uri); + /* if the URI contains a username[:password] prefix then mask it */ + p1 = strstr(uri, "://"); + p2 = strchr(uri, '@'); + if (p1 && p2) + { + DBG2(DBG_LIB, " sending request to '%.*sxxxx%s'...", p1+3-uri, uri, p2); + } + else + { + DBG2(DBG_LIB, " sending request to '%s'...", uri); + } curl_status = curl_easy_perform(this->curl); switch (curl_status) { |
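Review bot: The masking in fetch() locates the `@` with `strchr(uri, '@')` anywhere in the URI rather than only in the authority component, so a credential-free URI with an `@` in its path or query is logged with the wrong part blanked out, while the intended case is the userinfo between `://` and the next `/`. Restricting the search to that window fixes both, and the precision argument of `%.*s` must be an `int`, so the `ptrdiff_t` expression `p1+3-uri` needs a cast. The rest of fetch() is outside the hunk.
```c
	/* if the authority component contains a userinfo prefix then mask it */
	p1 = strstr(uri, "://");
	p2 = p1 ? strchr(p1 + 3, '@') : NULL;
	if (p2 && !memchr(p1 + 3, '/', p2 - (p1 + 3)))
	{
		DBG2(DBG_LIB, " sending request to '%.*sxxxx%s'...",
			 (int)(p1 + 3 - uri), uri, p2);
	}
	else
	{
		DBG2(DBG_LIB, " sending request to '%s'...", uri);
	}
	/* … unchanged: curl_easy_perform and status switch … */
```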