client stats are conveyed to master through sec-mod

That way both can keep a more accurate picture of user statistics.
Nikos Mavrogiannopoulos
2015-02-27 22:15:53 +01:00
parent 7a11fa615c
commit 4eafc3c847
6 changed files with 288 additions and 270 deletions


@@ -386,7 +386,7 @@ static void stats_add_to(stats_st *dst, stats_st *src1, stats_st *src2)
}
static
int send_failed_auth_sec_reply(int cfd, sec_mod_st *sec)
int send_failed_session_open_reply(int cfd, sec_mod_st *sec)
{
SecAuthSessionReplyMsg rep = SEC_AUTH_SESSION_REPLY_MSG__INIT;
void *lpool;
@@ -410,10 +410,93 @@ int send_failed_auth_sec_reply(int cfd, sec_mod_st *sec)
return -1;
}
static
int handle_sec_auth_session_open(int cfd, sec_mod_st *sec, const SecAuthSessionMsg *req)
{
client_entry_st *e;
void *lpool;
int ret;
SecAuthSessionReplyMsg rep = SEC_AUTH_SESSION_REPLY_MSG__INIT;
if (req->sid.len != SID_SIZE) {
seclog(sec, LOG_ERR, "auth session open but with illegal sid size (%d)!",
(int)req->sid.len);
return send_failed_session_open_reply(cfd, sec);
}
e = find_client_entry(sec, req->sid.data);
if (e == NULL) {
seclog(sec, LOG_INFO, "session open but with non-existing SID!");
return send_failed_session_open_reply(cfd, sec);
}
if (e->status != PS_AUTH_COMPLETED) {
seclog(sec, LOG_ERR, "session open received in unauthenticated client %s "SESSION_STR"!", e->auth_info.username, e->auth_info.psid);
return send_failed_session_open_reply(cfd, sec);
}
if (e->time != -1 && time(0) > e->time + sec->config->cookie_timeout) {
seclog(sec, LOG_ERR, "session expired; denied session for user '%s' "SESSION_STR, e->auth_info.username, e->auth_info.psid);
e->status = PS_AUTH_FAILED;
return send_failed_session_open_reply(cfd, sec);
}
if (req->has_cookie == 0 || (req->cookie.len != e->cookie_size) ||
memcmp(req->cookie.data, e->cookie, e->cookie_size) != 0) {
seclog(sec, LOG_ERR, "cookie error; denied session for user '%s' "SESSION_STR, e->auth_info.username, e->auth_info.psid);
e->status = PS_AUTH_FAILED;
return send_failed_session_open_reply(cfd, sec);
}
if (sec->config->acct.amod != NULL && sec->config->acct.amod->open_session != NULL && e->session_is_open == 0) {
ret = sec->config->acct.amod->open_session(e->module->type, e->auth_ctx, &e->auth_info, req->sid.data, req->sid.len);
if (ret < 0) {
e->status = PS_AUTH_FAILED;
seclog(sec, LOG_INFO, "denied session for user '%s' "SESSION_STR, e->auth_info.username, e->auth_info.psid);
return send_failed_session_open_reply(cfd, sec);
} else {
e->session_is_open = 1;
}
}
rep.reply = AUTH__REP__OK;
lpool = talloc_new(e);
if (lpool == NULL) {
return ERR_MEM;
}
if (sec->config_module && sec->config_module->get_sup_config) {
ret = sec->config_module->get_sup_config(sec->config, e, &rep, lpool);
if (ret < 0) {
seclog(sec, LOG_ERR, "error reading additional configuration for '%s' "SESSION_STR, e->auth_info.username, e->auth_info.psid);
talloc_free(lpool);
return send_failed_session_open_reply(cfd, sec);
}
}
ret = send_msg(lpool, cfd, SM_CMD_AUTH_SESSION_REPLY, &rep,
(pack_size_func) sec_auth_session_reply_msg__get_packed_size,
(pack_func) sec_auth_session_reply_msg__pack);
if (ret < 0) {
seclog(sec, LOG_ERR, "error in sending session reply");
exit(1); /* we cannot recover */
}
talloc_free(lpool);
seclog(sec, LOG_INFO, "initiating session for user '%s' "SESSION_STR, e->auth_info.username, e->auth_info.psid);
e->time = -1;
e->in_use++;
return 0;
}
static
int handle_sec_auth_session_close(int cfd, sec_mod_st *sec, const SecAuthSessionMsg *req)
{
client_entry_st *e;
int ret;
CliStatsMsg rep = CLI_STATS_MSG__INIT;
if (req->sid.len != SID_SIZE) {
seclog(sec, LOG_ERR, "auth session close but with illegal sid size (%d)!",
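Review bot: The new `exit(1)` after a failed `send_msg()` in handle_sec_auth_session_open (the previous copy only logged at LOG_WARNING) terminates the whole sec-mod process when a single reply cannot be written, and the session-close hunk that follows adds the same pattern for the stats reply; that function's body begins and ends outside its hunk. Whether this is safe depends on `cfd` always being a trusted peer that does not close its socket early, which cannot be confirmed from the visible lines; if it is not, one failed write stops authentication for every client. Consider releasing the pool and returning an error, `talloc_free(lpool); return -1;`, or, if the exit is intended, replacing `/* we cannot recover */` with a comment that states which peer `cfd` is and why its loss is fatal. Separately, the cookie check in the same function compares the session secret with `memcmp(req->cookie.data, e->cookie, e->cookie_size)`, which is not constant-time; a constant-time comparison would be the safer choice here.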
@@ -444,6 +527,19 @@ int handle_sec_auth_session_close(int cfd, sec_mod_st *sec, const SecAuthSession
e->stats.bytes_out = req->bytes_out;
}
/* send reply */
rep.bytes_in = e->stats.bytes_in;
rep.bytes_out = e->stats.bytes_out;
ret = send_msg(e, cfd, SM_CMD_AUTH_CLI_STATS, &rep,
(pack_size_func) cli_stats_msg__get_packed_size,
(pack_func) cli_stats_msg__pack);
if (ret < 0) {
seclog(sec, LOG_ERR, "error in sending session stats");
exit(1); /* we cannot recover */
}
/* save total stats */
stats_add_to(&e->saved_stats, &e->saved_stats, &e->stats);
memset(&e->stats, 0, sizeof(e->stats));
expire_client_entry(sec, e);
@@ -451,85 +547,6 @@ int handle_sec_auth_session_close(int cfd, sec_mod_st *sec, const SecAuthSession
return 0;
}
static
int handle_sec_auth_session_open(int cfd, sec_mod_st *sec, const SecAuthSessionMsg *req)
{
client_entry_st *e;
void *lpool;
int ret;
SecAuthSessionReplyMsg rep = SEC_AUTH_SESSION_REPLY_MSG__INIT;
if (req->sid.len != SID_SIZE) {
seclog(sec, LOG_ERR, "auth session open but with illegal sid size (%d)!",
(int)req->sid.len);
return send_failed_auth_sec_reply(cfd, sec);
}
e = find_client_entry(sec, req->sid.data);
if (e == NULL) {
seclog(sec, LOG_INFO, "session open but with non-existing SID!");
return send_failed_auth_sec_reply(cfd, sec);
}
if (e->status != PS_AUTH_COMPLETED) {
seclog(sec, LOG_ERR, "session open received in unauthenticated client %s "SESSION_STR"!", e->auth_info.username, e->auth_info.psid);
return send_failed_auth_sec_reply(cfd, sec);
}
if (e->time != -1 && time(0) > e->time + sec->config->cookie_timeout) {
seclog(sec, LOG_ERR, "session expired; denied session for user '%s' "SESSION_STR, e->auth_info.username, e->auth_info.psid);
e->status = PS_AUTH_FAILED;
return send_failed_auth_sec_reply(cfd, sec);
}
if (req->has_cookie == 0 || (req->cookie.len != e->cookie_size) ||
memcmp(req->cookie.data, e->cookie, e->cookie_size) != 0) {
seclog(sec, LOG_ERR, "cookie error; denied session for user '%s' "SESSION_STR, e->auth_info.username, e->auth_info.psid);
e->status = PS_AUTH_FAILED;
return send_failed_auth_sec_reply(cfd, sec);
}
if (sec->config->acct.amod != NULL && sec->config->acct.amod->open_session != NULL && e->session_is_open == 0) {
ret = sec->config->acct.amod->open_session(e->module->type, e->auth_ctx, &e->auth_info, req->sid.data, req->sid.len);
if (ret < 0) {
e->status = PS_AUTH_FAILED;
seclog(sec, LOG_INFO, "denied session for user '%s' "SESSION_STR, e->auth_info.username, e->auth_info.psid);
return send_failed_auth_sec_reply(cfd, sec);
} else {
e->session_is_open = 1;
}
}
rep.reply = AUTH__REP__OK;
lpool = talloc_new(e);
if (lpool == NULL) {
return ERR_MEM;
}
if (sec->config_module && sec->config_module->get_sup_config) {
ret = sec->config_module->get_sup_config(sec->config, e, &rep, lpool);
if (ret < 0) {
seclog(sec, LOG_ERR, "error reading additional configuration for '%s' "SESSION_STR, e->auth_info.username, e->auth_info.psid);
talloc_free(lpool);
return send_failed_auth_sec_reply(cfd, sec);
}
}
ret = send_msg(lpool, cfd, SM_CMD_AUTH_SESSION_REPLY, &rep,
(pack_size_func) sec_auth_session_reply_msg__get_packed_size,
(pack_func) sec_auth_session_reply_msg__pack);
if (ret < 0) {
seclog(sec, LOG_WARNING, "error in sending session reply");
}
talloc_free(lpool);
seclog(sec, LOG_INFO, "initiating session for user '%s' "SESSION_STR, e->auth_info.username, e->auth_info.psid);
e->time = -1;
e->in_use++;
return 0;
}
int handle_sec_auth_session_cmd(int cfd, sec_mod_st *sec, const SecAuthSessionMsg *req,
unsigned cmd)