authorAndreas Steffen <andreas.steffen@strongswan.org>2017-06-29 11:28:15 +0200
committerAndreas Steffen <andreas.steffen@strongswan.org>2017-07-08 23:19:51 +0200
commit49d56e1b393eab7131768e3105ca933682ee9c6d (patch)
tree41b2fc7b36b395d0c01f64be94418570a7476092
parent74aa1626d22b86f3245f35d8566cbd18992ef424 (diff)
imv-swima: Implemented SW event processing
-rw-r--r--conf/plugins/imv-swima.opt4
-rw-r--r--src/libimcv/imv/imv_policy_manager.c25
-rw-r--r--src/libimcv/plugins/imv_swima/imv_swima_agent.c106
-rw-r--r--src/libimcv/plugins/imv_swima/imv_swima_state.c81
-rw-r--r--src/libimcv/plugins/imv_swima/imv_swima_state.h21
-rw-r--r--src/libstrongswan/plugins/curl/curl_fetcher.c14
6 files changed, 164 insertions, 87 deletions
diff --git a/conf/plugins/imv-swima.opt b/conf/plugins/imv-swima.opt
index 1185bd365..a9ba96c21 100644
--- a/conf/plugins/imv-swima.opt
+++ b/conf/plugins/imv-swima.opt
@@ -1,5 +1,5 @@
-libimcv.plugins.imv-swima.rest_api_uri =
+libimcv.plugins.imv-swima.rest_api.uri =
HTTP URI of the SWID REST API.
-libimcv.plugins.imv-swima.rest_api_timeout = 120
+libimcv.plugins.imv-swima.rest_api.timeout = 120
Timeout of SWID REST API HTTP POST transaction.
diff --git a/src/libimcv/imv/imv_policy_manager.c b/src/libimcv/imv/imv_policy_manager.c
index b730f8c41..1988873e9 100644
--- a/src/libimcv/imv/imv_policy_manager.c
+++ b/src/libimcv/imv/imv_policy_manager.c
@@ -130,6 +130,31 @@ static bool iterate_enforcements(database_t *db, int device_id, int session_id,
case IMV_WORKITEM_DIR_META:
arg_int = dir;
break;
+ case IMV_WORKITEM_SWID_TAGS:
+ /* software [identifier] inventory by default */
+ arg_int = 0;
+
+ /* software identifiers only? */
+ if (device_id && strchr(argument, 'R'))
+ {
+ /* get last EID in order to set earliest EID */
+ e2 = db->query(db,
+ "SELECT eid FROM swid_events where device == ? "
+ "ORDER BY eid DESC", DB_UINT, device_id, DB_INT);
+ if (e2)
+ {
+ if (e2->enumerate(e2, &arg_int))
+ {
+ arg_int++;
+ }
+ else
+ {
+ arg_int = 1;
+ }
+ e2->destroy(e2);
+ }
+ }
+ break;
default:
arg_int = 0;
}
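Review bot: The new IMV_WORKITEM_SWID_TAGS case reads the last event ID with `ORDER BY eid DESC` and then consumes only the first row, so the query should carry `LIMIT 1` (or use `SELECT MAX(eid)`) instead of having the database sort the device's whole event history on every policy evaluation. `device == ?` is SQLite spelling; the standard `device = ?` works on every backend the database layer supports, so prefer it unless this file's other queries already use `==`. `strchr(argument, 'R')` presumes `argument` is non-NULL for this work item type; if an enforcement row may carry a NULL argument, guard it with `argument && strchr(argument, 'R')`. `e2` is declared outside the hunk and iterate_enforcements continues past it.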
diff --git a/src/libimcv/plugins/imv_swima/imv_swima_agent.c b/src/libimcv/plugins/imv_swima/imv_swima_agent.c
index eedc5da81..efa2b1105 100644
--- a/src/libimcv/plugins/imv_swima/imv_swima_agent.c
+++ b/src/libimcv/plugins/imv_swima/imv_swima_agent.c
@@ -52,7 +52,9 @@ static pen_type_t msg_types[] = {
*/
enum imv_swima_attr_t {
IMV_SWIMA_ATTR_SW_INV = (1<<0),
- IMV_SWIMA_ATTR_SW_ID_INV = (1<<1)
+ IMV_SWIMA_ATTR_SW_ID_INV = (1<<1),
+ IMV_SWIMA_ATTR_SW_EV = (1<<2),
+ IMV_SWIMA_ATTR_SW_ID_EV = (1<<2)
};
/**
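Review bot: `IMV_SWIMA_ATTR_SW_EV` and `IMV_SWIMA_ATTR_SW_ID_EV` are both defined as `(1<<2)`, so the two action flags cannot be told apart: the hunk at -310 sets SW_ID_EV for software ID events, and the `received & IMV_SWIMA_ATTR_SW_ID_EV` test in batch_ending (hunk at -552) would equally fire for full software events and select the `swid-events` REST command and its "SW ID event" result string for them. The second flag needs its own bit, `IMV_SWIMA_ATTR_SW_ID_EV = (1<<3)`. If sharing the bit was intended, a comment saying so here would stop the next reader from "fixing" it.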
@@ -208,8 +210,8 @@ static TNC_Result receive_msg(private_imv_swima_agent_t *this,
missing = attr_cast->get_record_count(attr_cast);
swima_state->set_missing(swima_state, missing);
- DBG2(DBG_IMV, "received software identity inventory with "
- "%d item%s for request %d at eid %d of epoch 0x%08x, "
+ DBG2(DBG_IMV, "received software ID inventory with "
+ "%d item%s for request %d at last eid %d of epoch 0x%08x, "
"%d item%s to follow", sw_id_count,
(sw_id_count == 1) ? "" : "s", request_id, last_eid,
eid_epoch, missing, (missing == 1) ? "" : "s");
@@ -222,7 +224,7 @@ static TNC_Result receive_msg(private_imv_swima_agent_t *this,
}
else
{
- DBG1(DBG_IMV, "no workitem found for software identity "
+ DBG1(DBG_IMV, "no workitem found for software ID "
"inventory with request ID %d", request_id);
}
attr_cast->clear_inventory(attr_cast);
@@ -251,9 +253,9 @@ static TNC_Result receive_msg(private_imv_swima_agent_t *this,
swima_state->set_missing(swima_state, missing);
DBG2(DBG_IMV, "received software inventory with %d item%s for "
- "request %d at eid %d of epoch 0x%08x, %d item%s to follow",
- sw_count, (sw_count == 1) ? "" : "s", request_id,
- last_eid, eid_epoch, missing, (missing == 1) ? "" : "s");
+ "request %d at last eid %d of epoch 0x%08x, %d item%s to "
+ "follow", sw_count, (sw_count == 1) ? "" : "s", request_id,
+ last_eid, eid_epoch, missing, (missing == 1) ? "" : "s");
if (request_id == swima_state->get_request_id(swima_state))
{
@@ -310,7 +312,7 @@ static TNC_Result receive_msg(private_imv_swima_agent_t *this,
uint32_t missing;
int sw_ev_count;
- state->set_action_flags(state, IMV_SWIMA_ATTR_SW_ID_INV);
+ state->set_action_flags(state, IMV_SWIMA_ATTR_SW_ID_EV);
attr_cast = (ietf_swima_attr_sw_ev_t*)attr;
request_id = attr_cast->get_request_id(attr_cast);
@@ -320,8 +322,8 @@ static TNC_Result receive_msg(private_imv_swima_agent_t *this,
missing = attr_cast->get_event_count(attr_cast);
swima_state->set_missing(swima_state, missing);
- DBG2(DBG_IMV, "received software identity events with "
- "%d item%s for request %d at eid %d of epoch 0x%08x, "
+ DBG2(DBG_IMV, "received software ID events with "
+ "%d item%s for request %d at last eid %d of epoch 0x%08x, "
"%d item%s to follow", sw_ev_count,
(sw_ev_count == 1) ? "" : "s", request_id, last_eid,
eid_epoch, missing, (missing == 1) ? "" : "s");
@@ -334,8 +336,8 @@ static TNC_Result receive_msg(private_imv_swima_agent_t *this,
}
else
{
- DBG1(DBG_IMV, "no workitem found for software identity "
- "evemts with request ID %d", request_id);
+ DBG1(DBG_IMV, "no workitem found for software ID events "
+ "with request ID %d", request_id);
}
attr_cast->clear_events(attr_cast);
break;
@@ -499,6 +501,7 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
{
flags |= IETF_SWIMA_ATTR_REQ_FLAG_C;
}
+ earliest_eid = workitem->get_arg_int(workitem);
/* Determine maximum PA-TNC attribute segment size */
max_seg_size = state->get_max_msg_len(state)
@@ -527,11 +530,13 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
targets->set_eid(targets, earliest_eid, 0);
cast_attr = (ietf_swima_attr_req_t*)attr;
cast_attr->set_targets(cast_attr, targets);
+ targets->destroy(targets);
out_msg->add_attribute(out_msg, attr);
workitem->set_imv_id(workitem, imv_id);
no_workitems = FALSE;
- DBG2(DBG_IMV, "IMV %d issues sw request %d", imv_id, request_id);
+ DBG2(DBG_IMV, "IMV %d issues sw request %d with earliest eid %d",
+ imv_id, request_id, earliest_eid);
break;
}
enumerator->destroy(enumerator);
@@ -552,36 +557,49 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
received = state->get_action_flags(state);
if (handshake_state == IMV_SWIMA_STATE_WORKITEMS &&
- (received & (IMV_SWIMA_ATTR_SW_INV|IMV_SWIMA_ATTR_SW_ID_INV)) &&
+ (received & (IMV_SWIMA_ATTR_SW_INV|IMV_SWIMA_ATTR_SW_ID_INV|
+ IMV_SWIMA_ATTR_SW_EV |IMV_SWIMA_ATTR_SW_ID_EV)) &&
swima_state->get_missing(swima_state) == 0)
{
TNC_IMV_Evaluation_Result eval;
TNC_IMV_Action_Recommendation rec;
- char result_str[BUF_LEN], *error_str = "", *command;
- char *target_str;
- int tag_id_count, tag_count, i;
+ char result_str[BUF_LEN], *format = NULL, *cmd = NULL, *command;
+ char *target_str, *error_str = "";
+ int sw_id_count, tag_count, i, res;
json_object *jrequest, *jresponse, *jvalue;
ietf_swima_attr_req_t *cast_attr;
swima_inventory_t *targets;
swima_record_t *target;
status_t status = SUCCESS;
- if (this->rest_api && (received & IMV_SWIMA_ATTR_SW_ID_INV))
+ if (received & IMV_SWIMA_ATTR_SW_ID_INV)
{
- if (asprintf(&command, "sessions/%d/swid-measurement/",
- session->get_session_id(session, NULL, NULL)) < 0)
+ cmd = "swid-measurement";
+ format = "received inventory of %d SW ID%s and %d SWID tag%s";
+ }
+ else if (received & IMV_SWIMA_ATTR_SW_ID_EV)
+ {
+ cmd = "swid-events";
+ format = "received %d SW ID event%s and %d SWID tag%s";
+ }
+
+ if (cmd && this->rest_api)
+ {
+ res = asprintf(&command, "sessions/%d/%s/",
+ session->get_session_id(session, NULL, NULL), cmd);
+ if (res < 0)
{
error_str = "allocation of command string failed";
status = FAILED;
}
else
{
- jrequest = swima_state->get_inventory(swima_state);
+ jrequest = swima_state->get_jrequest(swima_state);
status = this->rest_api->post(this->rest_api, command,
jrequest, &jresponse);
if (status == FAILED)
{
- error_str = "error in REST API swid-measurement request";
+ error_str = "error in REST API request";
}
free(command);
}
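Review bot: `format` is now a non-literal format string handed to snprintf in the following hunk (-595), which disables compile-time format/argument checking; both candidate strings must keep exactly the `%d %s %d %s` sequence that call supplies, and that contract deserves a comment at the assignments, e.g. `/* both formats take (int, char*, int, char*) for the snprintf below */`. The chain tests SW_ID_INV before SW_ID_EV, so if `received` can carry both flags in one handshake the events would be posted as a `swid-measurement`; if the two work items are mutually exclusive, state that here. batch_ending starts and ends outside the hunk.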
@@ -595,12 +613,20 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
{
if (workitem->get_type(workitem) == IMV_WORKITEM_SWID_TAGS)
{
- swima_state->get_count(swima_state, &tag_id_count,
+ swima_state->get_count(swima_state, &sw_id_count,
&tag_count);
- snprintf(result_str, BUF_LEN, "received inventory of "
- "%d SWID tag ID%s and %d SWID tag%s",
- tag_id_count, (tag_id_count == 1) ? "" : "s",
- tag_count, (tag_count == 1) ? "" : "s");
+ if (format)
+ {
+ snprintf(result_str, BUF_LEN, format,
+ sw_id_count, (sw_id_count == 1) ? "" : "s",
+ tag_count, (tag_count == 1) ? "" : "s");
+ }
+ else
+ {
+ snprintf(result_str, BUF_LEN, "received %d SWID tag"
+ "%s", tag_count, (tag_count == 1) ? "" : "s");
+
+ }
session->remove_workitem(session, enumerator);
eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT;
@@ -632,13 +658,13 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
/* Create an IETF SW Request attribute */
attr = ietf_swima_attr_req_create(IETF_SWIMA_ATTR_REQ_FLAG_NONE,
swima_state->get_request_id(swima_state));
- tag_id_count = json_object_array_length(jresponse);
- DBG1(DBG_IMV, "%d SWID tag target%s", tag_id_count,
- (tag_id_count == 1) ? "" : "s");
- swima_state->set_missing(swima_state, tag_id_count);
+ sw_id_count = json_object_array_length(jresponse);
+ DBG1(DBG_IMV, "%d SWID tag target%s", sw_id_count,
+ (sw_id_count == 1) ? "" : "s");
+ swima_state->set_missing(swima_state, sw_id_count);
targets = swima_inventory_create();
- for (i = 0; i < tag_id_count; i++)
+ for (i = 0; i < sw_id_count; i++)
{
jvalue = json_object_array_get_idx(jresponse, i);
if (json_object_get_type(jvalue) != json_type_string)
@@ -739,8 +765,8 @@ imv_agent_if_t *imv_swima_agent_create(const char *name, TNC_IMVID id,
{
private_imv_swima_agent_t *this;
imv_agent_t *agent;
- char *rest_api_uri;
- u_int rest_api_timeout;
+ char *uri;
+ u_int timeout;
agent = imv_agent_create(name, msg_types, countof(msg_types), id,
actual_version);
@@ -764,13 +790,13 @@ imv_agent_if_t *imv_swima_agent_create(const char *name, TNC_IMVID id,
.agent = agent,
);
- rest_api_uri = lib->settings->get_str(lib->settings,
- "%s.plugins.imv-swima.rest_api_uri", NULL, lib->ns);
- rest_api_timeout = lib->settings->get_int(lib->settings,
- "%s.plugins.imv-swima.rest_api_timeout", 120, lib->ns);
- if (rest_api_uri)
+ uri = lib->settings->get_str(lib->settings,
+ "%s.plugins.imv-swima.rest_api.uri", NULL, lib->ns);
+ timeout = lib->settings->get_int(lib->settings,
+ "%s.plugins.imv-swima.rest_api.timeout", 120, lib->ns);
+ if (uri)
{
- this->rest_api = rest_create(rest_api_uri, rest_api_timeout);
+ this->rest_api = rest_create(uri, timeout);
}
return &this->public;
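Review bot: The settings keys change from `rest_api_uri`/`rest_api_timeout` to `rest_api.uri`/`rest_api.timeout` without reading the old names, so an existing strongswan.conf that still uses the old key leaves `this->rest_api` NULL and the IMV silently evaluates without its REST back end. Either fall back to the legacy key when the new one is unset, or at least log at DBG1 when no URI is configured, and record the rename in the release notes. The defaults in conf/plugins/imv-swima.opt are updated in this commit, but deployed configurations are not.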
diff --git a/src/libimcv/plugins/imv_swima/imv_swima_state.c b/src/libimcv/plugins/imv_swima/imv_swima_state.c
index 04defae36..03500bc2d 100644
--- a/src/libimcv/plugins/imv_swima/imv_swima_state.c
+++ b/src/libimcv/plugins/imv_swima/imv_swima_state.c
@@ -106,9 +106,9 @@ struct private_imv_swima_state_t {
uint32_t request_id;
/**
- * Number of processed SWID Tag IDs
+ * Number of processed Software Identifiers
*/
- int tag_id_count;
+ int sw_id_count;
/**
* Number of processed SWID Tags
@@ -116,7 +116,7 @@ struct private_imv_swima_state_t {
int tag_count;
/**
- * Number of missing SWID Tags or Tag IDs
+ * Number of missing Software Identifiers or SWID Tags
*/
uint32_t missing;
@@ -131,7 +131,7 @@ struct private_imv_swima_state_t {
json_object *jobj;
/**
- * JSON array containing an inventory of SWID Tag IDs
+ * JSON array containing either a SW [ID] inventory or SW ID events
*/
json_object *jarray;
@@ -293,6 +293,12 @@ METHOD(imv_swima_state_t, set_inventory, void,
swima_record_t *sw_record;
enumerator_t *enumerator;
+ if (this->sw_id_count == 0)
+ {
+ this->jarray = json_object_new_array();
+ json_object_object_add(this->jobj, "data", this->jarray);
+ }
+
enumerator = inventory->create_enumerator(inventory);
while (enumerator->enumerate(enumerator, &sw_record))
{
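Review bot: The lazy creation of `jarray` is keyed on `this->sw_id_count == 0`, a counter advanced by set_count rather than by this method, so the JSON layout now depends on set_count being called after the first set_inventory and on the first batch being non-empty; set_events in the next hunk uses the same pattern. If an empty first batch is possible, a later call would create a second `data` array and `json_object_object_add` would replace (and release) the first. Testing `this->jarray == NULL` instead (the array is no longer created in imv_swima_state_create, see the last hunk of this file, and INIT presumably zero-fills the member) would make the condition self-contained; in any case add a comment naming the ordering requirement. set_inventory starts outside the hunk.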
@@ -317,43 +323,64 @@ METHOD(imv_swima_state_t, set_inventory, void,
enumerator->destroy(enumerator);
}
-METHOD(imv_swima_state_t, get_inventory, json_object*,
- private_imv_swima_state_t *this)
-{
- return this->jobj;
-}
-
METHOD(imv_swima_state_t, set_events, void,
private_imv_swima_state_t *this, swima_events_t *events)
{
chunk_t sw_id, timestamp;
- uint32_t record_id, eid;
- char *sw_id_str;
- json_object *jstring;
+ uint32_t record_id, eid, last_eid, epoch, source_id, action;
+ char *sw_id_str, *timestamp_str;
+ json_object *jevent, *jvalue, *jstring;
swima_event_t *sw_event;
swima_record_t *sw_record;
enumerator_t *enumerator;
+ if (this->sw_id_count == 0)
+ {
+ last_eid = events->get_eid(events, &epoch, NULL);
+ jvalue = json_object_new_int(epoch);
+ json_object_object_add(this->jobj, "epoch", jvalue);
+ jvalue = json_object_new_int(last_eid);
+ json_object_object_add(this->jobj, "lastEid", jvalue);
+ this->jarray = json_object_new_array();
+ json_object_object_add(this->jobj, "events", this->jarray);
+ }
+
enumerator = events->create_enumerator(events);
while (enumerator->enumerate(enumerator, &sw_event))
{
eid = sw_event->get_eid(sw_event, &timestamp);
+ timestamp_str = strndup(timestamp.ptr, timestamp.len);
+ action = sw_event->get_action(sw_event);
sw_record = sw_event->get_sw_record(sw_event);
record_id = sw_record->get_record_id(sw_record);
+ source_id = sw_record->get_source_id(sw_record);
sw_id = sw_record->get_sw_id(sw_record, NULL);
sw_id_str = strndup(sw_id.ptr, sw_id.len);
- DBG3(DBG_IMV, "%3u %.*s %6u: %s", eid, timestamp.len, timestamp.ptr,
- record_id, sw_id_str);
-
- /* Add software identity to JSON array */
+ DBG3(DBG_IMV, "%3u %.*s %u %5u: %s", eid, timestamp.len, timestamp.ptr,
+ action, record_id, sw_id_str);
+
+ /* Add software event to JSON array */
+ jevent = json_object_new_object();
+ jvalue = json_object_new_int(eid);
+ json_object_object_add(jevent, "eid", jvalue);
+ jstring = json_object_new_string(timestamp_str);
+ json_object_object_add(jevent, "timestamp", jstring);
+ jvalue = json_object_new_int(record_id);
+ json_object_object_add(jevent, "recordId", jvalue);
+ jvalue = json_object_new_int(source_id);
+ json_object_object_add(jevent, "sourceId", jvalue);
+ jvalue = json_object_new_int(action);
+ json_object_object_add(jevent, "action", jvalue);
jstring = json_object_new_string(sw_id_str);
- json_object_array_add(this->jarray, jstring);
+ json_object_object_add(jevent, "softwareId", jstring);
+ json_object_array_add(this->jarray, jevent);
+ free(timestamp_str);
free(sw_id_str);
}
enumerator->destroy(enumerator);
}
-METHOD(imv_swima_state_t, get_events, json_object*,
+METHOD(imv_swima_state_t, get_jrequest, json_object*,
private_imv_swima_state_t *this)
{
return this->jobj;
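Review bot: `DBG3(DBG_IMV, "%3u %.*s %u %5u: %s", eid, timestamp.len, ...)` passes `timestamp.len` as the `%.*s` precision, which must be an `int`; if `chunk_t.len` is `size_t` as elsewhere in strongSwan this is a mismatched variadic argument and should be `(int)timestamp.len`. The `strndup`/`free` pairs for `timestamp_str` and `sw_id_str` exist only to feed `json_object_new_string`; `json_object_new_string_len(timestamp.ptr, timestamp.len)` builds the same value without the copy and without an unchecked allocation. `epoch` and `lastEid` are recorded from the first batch only (`sw_id_count == 0`); if later event attributes can report a different last EID the request would misreport it, so either refresh them per batch or comment why the first one is authoritative.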
@@ -372,20 +399,20 @@ METHOD(imv_swima_state_t, get_missing, uint32_t,
}
METHOD(imv_swima_state_t, set_count, void,
- private_imv_swima_state_t *this, int tag_id_count, int tag_count,
+ private_imv_swima_state_t *this, int sw_id_count, int tag_count,
TNC_UInt32 imc_id)
{
- this->tag_id_count += tag_id_count;
+ this->sw_id_count += sw_id_count;
this->tag_count += tag_count;
this->imc_id = imc_id;
}
METHOD(imv_swima_state_t, get_count, void,
- private_imv_swima_state_t *this, int *tag_id_count, int *tag_count)
+ private_imv_swima_state_t *this, int *sw_id_count, int *tag_count)
{
- if (tag_id_count)
+ if (sw_id_count)
{
- *tag_id_count = this->tag_id_count;
+ *sw_id_count = this->sw_id_count;
}
if (tag_count)
{
@@ -433,9 +460,8 @@ imv_state_t *imv_swima_state_create(TNC_ConnectionID connection_id)
.set_request_id = _set_request_id,
.get_request_id = _get_request_id,
.set_inventory = _set_inventory,
- .get_inventory = _get_inventory,
.set_events = _set_events,
- .get_events = _get_events,
+ .get_jrequest = _get_jrequest,
.set_missing = _set_missing,
.get_missing = _get_missing,
.set_count = _set_count,
@@ -449,11 +475,8 @@ imv_state_t *imv_swima_state_create(TNC_ConnectionID connection_id)
.contracts = seg_contract_manager_create(),
.imc_id = TNC_IMCID_ANY,
.jobj = json_object_new_object(),
- .jarray = json_object_new_array(),
);
- json_object_object_add(this->jobj, "data", this->jarray);
-
return &this->public.interface;
}
diff --git a/src/libimcv/plugins/imv_swima/imv_swima_state.h b/src/libimcv/plugins/imv_swima/imv_swima_state.h
index beade6c9b..4fa32daf4 100644
--- a/src/libimcv/plugins/imv_swima/imv_swima_state.h
+++ b/src/libimcv/plugins/imv_swima/imv_swima_state.h
@@ -83,32 +83,25 @@ struct imv_swima_state_t {
uint32_t (*get_request_id)(imv_swima_state_t *this);
/**
- * Set or extend the SWID Tag ID inventory in the state
+ * Set or extend the SW ID inventory in the state
*
- * @param inventory SWID Tags ID inventory to be added
+ * @param inventory SW ID inventory to be added
*/
void (*set_inventory)(imv_swima_state_t *this, swima_inventory_t *inventory);
/**
- * Get the encoding of the complete SWID Tag ID inventory
+ * Set or extend the SW ID events in the state
*
- * @return SWID Tags ID inventory as a JSON array
- */
- json_object* (*get_inventory)(imv_swima_state_t *this);
-
- /**
- * Set or extend the SWID Tag ID Events in the state
- *
- * @param inventory SWID Tags ID inventory to be added
+ * @param events SW ID events to be added
*/
void (*set_events)(imv_swima_state_t *this, swima_events_t *events);
/**
- * Get the encoding of the complete Software ID Events
+ * Get the JSON encoding of the complete SW ID inventory or SW ID events
*
- * @return Software ID events as a JSON array
+ * @return JSON encoding
*/
- json_object* (*get_events)(imv_swima_state_t *this);
+ json_object* (*get_jrequest)(imv_swima_state_t *this);
/**
* Set the number of still missing SW [ID] records or envents
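Review bot: The new `get_jrequest` documentation says only `@return JSON encoding`; since the implementation returns the state's own `jobj`, callers must not `json_object_put()` it, and the header should say so, e.g. `@return JSON object owned by the state, do not json_object_put() it`. It would also help to state that the object is built incrementally by set_inventory/set_events and holds no `data`/`events` member until one of them has run. The surviving context line at the end of the hunk still reads "envents".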
diff --git a/src/libstrongswan/plugins/curl/curl_fetcher.c b/src/libstrongswan/plugins/curl/curl_fetcher.c
index 9207f11b6..541d2a2f3 100644
--- a/src/libstrongswan/plugins/curl/curl_fetcher.c
+++ b/src/libstrongswan/plugins/curl/curl_fetcher.c
@@ -85,7 +85,7 @@ static size_t curl_cb(void *ptr, size_t size, size_t nmemb, cb_data_t *data)
METHOD(fetcher_t, fetch, status_t,
private_curl_fetcher_t *this, char *uri, void *userdata)
{
- char error[CURL_ERROR_SIZE], *enc_uri;
+ char error[CURL_ERROR_SIZE], *enc_uri, *p1, *p2;
CURLcode curl_status;
status_t status;
long result = 0;
@@ -123,7 +123,17 @@ METHOD(fetcher_t, fetch, status_t,
curl_easy_setopt(this->curl, CURLOPT_HTTPHEADER, this->headers);
}
- DBG2(DBG_LIB, " sending request to '%s'...", uri);
+ /* if the URI contains a username[:password] prefix then mask it */
+ p1 = strstr(uri, "://");
+ p2 = strchr(uri, '@');
+ if (p1 && p2)
+ {
+ DBG2(DBG_LIB, " sending request to '%.*sxxxx%s'...", p1+3-uri, uri, p2);
+ }
+ else
+ {
+ DBG2(DBG_LIB, " sending request to '%s'...", uri);
+ }
curl_status = curl_easy_perform(this->curl);
switch (curl_status)
{
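Review bot: The masking picks `p2` with `strchr(uri, '@')` over the whole URI, so an `@` in the path or query of a URI without userinfo also matches and the log line drops the real host, printing `scheme://xxxx` followed by whatever comes after that `@`. Restrict the search to the authority: start at `p1 + 3` and discard a match that lies past the first `/`. `p1+3-uri` is a `ptrdiff_t` passed as the `%.*s` precision, which expects an `int`, so cast it. fetch starts outside the hunk.
```c
	/* if the URI contains a username[:password] prefix then mask it */
	p1 = strstr(uri, "://");
	p2 = p1 ? strchr(p1 + 3, '@') : NULL;
	if (p2 && memchr(p1 + 3, '/', p2 - (p1 + 3)))
	{	/* the '@' sits in the path or query, not in the authority */
		p2 = NULL;
	}
	if (p1 && p2)
	{
		DBG2(DBG_LIB, " sending request to '%.*sxxxx%s'...",
			 (int)(p1 + 3 - uri), uri, p2);
	}
	/* … unchanged: else branch logging the full URI … */
```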