diff options
Diffstat (limited to 'src/libcharon')
-rw-r--r-- | src/libcharon/Makefile.am | 7 | ||||
-rw-r--r-- | src/libcharon/plugins/attr_sql/Makefile.am | 19 | ||||
-rw-r--r-- | src/libcharon/plugins/attr_sql/attr_sql_plugin.c | 129 | ||||
-rw-r--r-- | src/libcharon/plugins/attr_sql/attr_sql_plugin.h | 42 | ||||
-rw-r--r-- | src/libcharon/plugins/attr_sql/sql_attribute.c | 475 | ||||
-rw-r--r-- | src/libcharon/plugins/attr_sql/sql_attribute.h | 50 |
6 files changed, 722 insertions, 0 deletions
diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am index 5df7dbbf3..0384064fb 100644 --- a/src/libcharon/Makefile.am +++ b/src/libcharon/Makefile.am @@ -644,3 +644,10 @@ if MONOLITHIC libcharon_la_LIBADD += plugins/attr/libstrongswan-attr.la endif endif + +if USE_ATTR_SQL + SUBDIRS += plugins/attr_sql +if MONOLITHIC + libcharon_la_LIBADD += plugins/attr_sql/libstrongswan-attr-sql.la +endif +endif diff --git a/src/libcharon/plugins/attr_sql/Makefile.am b/src/libcharon/plugins/attr_sql/Makefile.am new file mode 100644 index 000000000..5d89e67cb --- /dev/null +++ b/src/libcharon/plugins/attr_sql/Makefile.am @@ -0,0 +1,19 @@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon + +AM_CFLAGS = \ + $(PLUGIN_CFLAGS) + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-attr-sql.la +else +plugin_LTLIBRARIES = libstrongswan-attr-sql.la +endif + +libstrongswan_attr_sql_la_SOURCES = \ + attr_sql_plugin.h attr_sql_plugin.c \ + sql_attribute.h sql_attribute.c + +libstrongswan_attr_sql_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/attr_sql/attr_sql_plugin.c b/src/libcharon/plugins/attr_sql/attr_sql_plugin.c new file mode 100644 index 000000000..dde90051a --- /dev/null +++ b/src/libcharon/plugins/attr_sql/attr_sql_plugin.c @@ -0,0 +1,129 @@ +/* + * Copyright (C) 2013 Tobias Brunner + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <hydra.h> +#include <utils/debug.h> +#include <plugins/plugin_feature.h> + +#include "attr_sql_plugin.h" +#include "sql_attribute.h" + +typedef struct private_attr_sql_plugin_t private_attr_sql_plugin_t; + +/** + * private data of attr_sql plugin + */ +struct private_attr_sql_plugin_t { + + /** + * implements plugin interface + */ + attr_sql_plugin_t public; + + /** + * database connection instance + */ + database_t *db; + + /** + * configuration attributes + */ + sql_attribute_t *attribute; +}; + +METHOD(plugin_t, get_name, char*, + private_attr_sql_plugin_t *this) +{ + return "attr-sql"; +} + +/** + * Connect to database + */ +static bool open_database(private_attr_sql_plugin_t *this, + plugin_feature_t *feature, bool reg, void *cb_data) +{ + if (reg) + { + char *uri; + + uri = lib->settings->get_str(lib->settings, + "%s.plugins.attr-sql.database", NULL, lib->ns); + if (!uri) + { + DBG1(DBG_CFG, "attr-sql plugin: database URI not set"); + return FALSE; + } + + this->db = lib->db->create(lib->db, uri); + if (!this->db) + { + DBG1(DBG_CFG, "attr-sql plugin failed to connect to database"); + return FALSE; + } + this->attribute = sql_attribute_create(this->db); + hydra->attributes->add_provider(hydra->attributes, + &this->attribute->provider); + } + else + { + hydra->attributes->remove_provider(hydra->attributes, + &this->attribute->provider); + this->attribute->destroy(this->attribute); + this->db->destroy(this->db); + } + return TRUE; +} + +METHOD(plugin_t, get_features, int, + private_attr_sql_plugin_t *this, plugin_feature_t *features[]) +{ + static plugin_feature_t f[] = { + PLUGIN_CALLBACK((plugin_feature_callback_t)open_database, NULL), + PLUGIN_PROVIDE(CUSTOM, "attr-sql"), + PLUGIN_DEPENDS(DATABASE, DB_ANY), + }; + *features = f; + return countof(f); +} + +METHOD(plugin_t, destroy, void, + private_attr_sql_plugin_t *this) +{ + free(this); +} + +/* + * see header file + */ +plugin_t *attr_sql_plugin_create() +{ + private_attr_sql_plugin_t *this; + + INIT(this, + .public = { + .plugin = { + .get_name = _get_name, + .get_features = _get_features, + .destroy = _destroy, + }, + }, + ); + lib->settings->add_fallback(lib->settings, "%s.plugins.attr-sql", + "libhydra.plugins.attr-sql", lib->ns); + + return &this->public.plugin; +} diff --git a/src/libcharon/plugins/attr_sql/attr_sql_plugin.h b/src/libcharon/plugins/attr_sql/attr_sql_plugin.h new file mode 100644 index 000000000..ef71492f3 --- /dev/null +++ b/src/libcharon/plugins/attr_sql/attr_sql_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup attr_sql attr_sql + * @ingroup cplugins + * + * @defgroup sql_plugin sql_plugin + * @{ @ingroup attr_sql + */ + +#ifndef ATTR_SQL_PLUGIN_H_ +#define ATTR_SQL_PLUGIN_H_ + +#include <plugins/plugin.h> + +typedef struct attr_sql_plugin_t attr_sql_plugin_t; + +/** + * SQL database attribute configuration plugin + */ +struct attr_sql_plugin_t { + + /** + * implements plugin interface + */ + plugin_t plugin; +}; + +#endif /** ATTR_SQL_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/attr_sql/sql_attribute.c b/src/libcharon/plugins/attr_sql/sql_attribute.c new file mode 100644 index 000000000..d527c3fba --- /dev/null +++ b/src/libcharon/plugins/attr_sql/sql_attribute.c @@ -0,0 +1,475 @@ +/* + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <time.h> + +#include <utils/debug.h> +#include <library.h> + +#include "sql_attribute.h" + +typedef struct private_sql_attribute_t private_sql_attribute_t; + +/** + * private data of sql_attribute + */ +struct private_sql_attribute_t { + + /** + * public functions + */ + sql_attribute_t public; + + /** + * database connection + */ + database_t *db; + + /** + * whether to record lease history in lease table + */ + bool history; +}; + +/** + * lookup/insert an identity + */ +static u_int get_identity(private_sql_attribute_t *this, identification_t *id) +{ + enumerator_t *e; + u_int row; + + this->db->transaction(this->db, TRUE); + /* look for peer identity in the identities table */ + e = this->db->query(this->db, + "SELECT id FROM identities WHERE type = ? AND data = ?", + DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id), + DB_UINT); + if (e && e->enumerate(e, &row)) + { + e->destroy(e); + this->db->commit(this->db); + return row; + } + DESTROY_IF(e); + /* not found, insert new one */ + if (this->db->execute(this->db, &row, + "INSERT INTO identities (type, data) VALUES (?, ?)", + DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id)) == 1) + { + this->db->commit(this->db); + return row; + } + this->db->rollback(this->db); + return 0; +} + +/** + * Lookup an attribute pool by name + */ +static u_int get_attr_pool(private_sql_attribute_t *this, char *name) +{ + enumerator_t *e; + u_int row = 0; + + e = this->db->query(this->db, + "SELECT id FROM attribute_pools WHERE name = ?", + DB_TEXT, name, DB_UINT); + if (e) + { + e->enumerate(e, &row); + } + DESTROY_IF(e); + + return row; +} + +/** + * Lookup pool by name and address family + */ +static u_int get_pool(private_sql_attribute_t *this, char *name, int family, + u_int *timeout) +{ + enumerator_t *e; + chunk_t start; + u_int pool; + + e = this->db->query(this->db, + "SELECT id, start, timeout FROM pools WHERE name = ?", + DB_TEXT, name, DB_UINT, DB_BLOB, DB_UINT); + if (e && e->enumerate(e, &pool, &start, timeout)) + { + if ((family == AF_INET && start.len == 4) || + (family == AF_INET6 && start.len == 16)) + { + e->destroy(e); + return pool; + } + } + DESTROY_IF(e); + return 0; +} + +/** + * Look up an existing lease + */ +static host_t* check_lease(private_sql_attribute_t *this, char *name, + u_int pool, u_int identity) +{ + while (TRUE) + { + u_int id; + chunk_t address; + enumerator_t *e; + time_t now = time(NULL); + + e = this->db->query(this->db, + "SELECT id, address FROM addresses " + "WHERE pool = ? AND identity = ? AND released != 0 LIMIT 1", + DB_UINT, pool, DB_UINT, identity, DB_UINT, DB_BLOB); + if (!e || !e->enumerate(e, &id, &address)) + { + DESTROY_IF(e); + break; + } + address = chunk_clonea(address); + e->destroy(e); + + if (this->db->execute(this->db, NULL, + "UPDATE addresses SET acquired = ?, released = 0 " + "WHERE id = ? AND identity = ? AND released != 0", + DB_UINT, now, DB_UINT, id, DB_UINT, identity) > 0) + { + host_t *host; + + host = host_create_from_chunk(AF_UNSPEC, address, 0); + if (host) + { + DBG1(DBG_CFG, "acquired existing lease for address %H in" + " pool '%s'", host, name); + return host; + } + } + } + return NULL; +} + +/** + * We check for unallocated addresses or expired leases. First we select an + * address as a candidate, but double check later on if it is still available + * during the update operation. This allows us to work without locking. + */ +static host_t* get_lease(private_sql_attribute_t *this, char *name, + u_int pool, u_int timeout, u_int identity) +{ + while (TRUE) + { + u_int id; + chunk_t address; + enumerator_t *e; + time_t now = time(NULL); + int hits; + + if (timeout) + { + /* check for an expired lease */ + e = this->db->query(this->db, + "SELECT id, address FROM addresses " + "WHERE pool = ? AND released != 0 AND released < ? LIMIT 1", + DB_UINT, pool, DB_UINT, now - timeout, DB_UINT, DB_BLOB); + } + else + { + /* with static leases, check for an unallocated address */ + e = this->db->query(this->db, + "SELECT id, address FROM addresses " + "WHERE pool = ? AND identity = 0 LIMIT 1", + DB_UINT, pool, DB_UINT, DB_BLOB); + + } + + if (!e || !e->enumerate(e, &id, &address)) + { + DESTROY_IF(e); + break; + } + address = chunk_clonea(address); + e->destroy(e); + + if (timeout) + { + hits = this->db->execute(this->db, NULL, + "UPDATE addresses SET " + "acquired = ?, released = 0, identity = ? " + "WHERE id = ? AND released != 0 AND released < ?", + DB_UINT, now, DB_UINT, identity, + DB_UINT, id, DB_UINT, now - timeout); + } + else + { + hits = this->db->execute(this->db, NULL, + "UPDATE addresses SET " + "acquired = ?, released = 0, identity = ? " + "WHERE id = ? AND identity = 0", + DB_UINT, now, DB_UINT, identity, DB_UINT, id); + } + if (hits > 0) + { + host_t *host; + + host = host_create_from_chunk(AF_UNSPEC, address, 0); + if (host) + { + DBG1(DBG_CFG, "acquired new lease for address %H in pool '%s'", + host, name); + return host; + } + } + } + DBG1(DBG_CFG, "no available address found in pool '%s'", name); + return NULL; +} + +METHOD(attribute_provider_t, acquire_address, host_t*, + private_sql_attribute_t *this, linked_list_t *pools, identification_t *id, + host_t *requested) +{ + enumerator_t *enumerator; + host_t *address = NULL; + u_int identity, pool, timeout; + char *name; + int family; + + identity = get_identity(this, id); + if (identity) + { + family = requested->get_family(requested); + /* check for an existing lease in all pools */ + enumerator = pools->create_enumerator(pools); + while (enumerator->enumerate(enumerator, &name)) + { + pool = get_pool(this, name, family, &timeout); + if (pool) + { + address = check_lease(this, name, pool, identity); + if (address) + { + break; + } + } + } + enumerator->destroy(enumerator); + + if (!address) + { + /* get an unallocated address or expired lease */ + enumerator = pools->create_enumerator(pools); + while (enumerator->enumerate(enumerator, &name)) + { + pool = get_pool(this, name, family, &timeout); + if (pool) + { + address = get_lease(this, name, pool, timeout, identity); + if (address) + { + break; + } + } + } + enumerator->destroy(enumerator); + } + } + return address; +} + +METHOD(attribute_provider_t, release_address, bool, + private_sql_attribute_t *this, linked_list_t *pools, host_t *address, + identification_t *id) +{ + enumerator_t *enumerator; + u_int pool, timeout; + time_t now = time(NULL); + bool found = FALSE; + char *name; + int family; + + family = address->get_family(address); + enumerator = pools->create_enumerator(pools); + while (enumerator->enumerate(enumerator, &name)) + { + pool = get_pool(this, name, family, &timeout); + if (!pool) + { + continue; + } + if (this->db->execute(this->db, NULL, + "UPDATE addresses SET released = ? WHERE " + "pool = ? AND address = ?", DB_UINT, time(NULL), + DB_UINT, pool, DB_BLOB, address->get_address(address)) > 0) + { + if (this->history) + { + this->db->execute(this->db, NULL, + "INSERT INTO leases (address, identity, acquired, released)" + " SELECT id, identity, acquired, ? FROM addresses " + " WHERE pool = ? AND address = ?", + DB_UINT, now, DB_UINT, pool, + DB_BLOB, address->get_address(address)); + } + found = TRUE; + break; + } + } + enumerator->destroy(enumerator); + + return found; +} + +METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*, + private_sql_attribute_t *this, linked_list_t *pools, identification_t *id, + linked_list_t *vips) +{ + enumerator_t *attr_enumerator = NULL; + + if (vips->get_count(vips)) + { + enumerator_t *pool_enumerator; + u_int count; + char *name; + + /* in a first step check for attributes that match name and id */ + if (id) + { + u_int identity = get_identity(this, id); + + pool_enumerator = pools->create_enumerator(pools); + while (pool_enumerator->enumerate(pool_enumerator, &name)) + { + u_int attr_pool = get_attr_pool(this, name); + if (!attr_pool) + { + continue; + } + + attr_enumerator = this->db->query(this->db, + "SELECT count(*) FROM attributes " + "WHERE pool = ? AND identity = ?", + DB_UINT, attr_pool, DB_UINT, identity, DB_UINT); + + if (attr_enumerator && + attr_enumerator->enumerate(attr_enumerator, &count) && + count != 0) + { + attr_enumerator->destroy(attr_enumerator); + attr_enumerator = this->db->query(this->db, + "SELECT type, value FROM attributes " + "WHERE pool = ? AND identity = ?", DB_UINT, + attr_pool, DB_UINT, identity, DB_INT, DB_BLOB); + break; + } + DESTROY_IF(attr_enumerator); + attr_enumerator = NULL; + } + pool_enumerator->destroy(pool_enumerator); + } + + /* in a second step check for attributes that match name */ + if (!attr_enumerator) + { + pool_enumerator = pools->create_enumerator(pools); + while (pool_enumerator->enumerate(pool_enumerator, &name)) + { + u_int attr_pool = get_attr_pool(this, name); + if (!attr_pool) + { + continue; + } + + attr_enumerator = this->db->query(this->db, + "SELECT count(*) FROM attributes " + "WHERE pool = ? AND identity = 0", + DB_UINT, attr_pool, DB_UINT); + + if (attr_enumerator && + attr_enumerator->enumerate(attr_enumerator, &count) && + count != 0) + { + attr_enumerator->destroy(attr_enumerator); + attr_enumerator = this->db->query(this->db, + "SELECT type, value FROM attributes " + "WHERE pool = ? AND identity = 0", + DB_UINT, attr_pool, DB_INT, DB_BLOB); + break; + } + DESTROY_IF(attr_enumerator); + attr_enumerator = NULL; + } + pool_enumerator->destroy(pool_enumerator); + } + + /* lastly try to find global attributes */ + if (!attr_enumerator) + { + attr_enumerator = this->db->query(this->db, + "SELECT type, value FROM attributes " + "WHERE pool = 0 AND identity = 0", + DB_INT, DB_BLOB); + } + } + + return (attr_enumerator ? attr_enumerator : enumerator_create_empty()); +} + +METHOD(sql_attribute_t, destroy, void, + private_sql_attribute_t *this) +{ + free(this); +} + +/* + * see header file + */ +sql_attribute_t *sql_attribute_create(database_t *db) +{ + private_sql_attribute_t *this; + time_t now = time(NULL); + + INIT(this, + .public = { + .provider = { + .acquire_address = _acquire_address, + .release_address = _release_address, + .create_attribute_enumerator = _create_attribute_enumerator, + }, + .destroy = _destroy, + }, + .db = db, + .history = lib->settings->get_bool(lib->settings, + "%s.plugins.attr-sql.lease_history", TRUE, lib->ns), + ); + + /* close any "online" leases in the case we crashed */ + if (this->history) + { + this->db->execute(this->db, NULL, + "INSERT INTO leases (address, identity, acquired, released)" + " SELECT id, identity, acquired, ? FROM addresses " + " WHERE released = 0", DB_UINT, now); + } + this->db->execute(this->db, NULL, + "UPDATE addresses SET released = ? WHERE released = 0", + DB_UINT, now); + return &this->public; +} diff --git a/src/libcharon/plugins/attr_sql/sql_attribute.h b/src/libcharon/plugins/attr_sql/sql_attribute.h new file mode 100644 index 000000000..ca87eb27e --- /dev/null +++ b/src/libcharon/plugins/attr_sql/sql_attribute.h @@ -0,0 +1,50 @@ +/* + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup sql_attribute sql_attribute + * @{ @ingroup attr_sql + */ + +#ifndef SQL_ATTRIBUTE_H_ +#define SQL_ATTRIBUTE_H_ + +#include <attributes/attribute_provider.h> +#include <database/database.h> + +typedef struct sql_attribute_t sql_attribute_t; + +/** + * SQL database based IKEv2 cfg attribute provider. + */ +struct sql_attribute_t { + + /** + * Implements attribute provider interface + */ + attribute_provider_t provider; + + /** + * Destroy a sql_attribute instance. + */ + void (*destroy)(sql_attribute_t *this); +}; + +/** + * Create a sql_attribute instance. + */ +sql_attribute_t *sql_attribute_create(database_t *db); + +#endif /** SQL_ATTRIBUTE_H_ @}*/ |