vici: Raise alert events from the bus alert listener hook
authorMartin Willi <martin@strongswan.org>
Tue, 23 Sep 2025 11:01:52 +0000 (13:01 +0200)
committerTobias Brunner <tobias@strongswan.org>
Thu, 2 Oct 2025 08:22:32 +0000 (10:22 +0200)
The bus alert infrastructure is currently exposed through the error-notify
plugin over a dedicated socket with a rather archaic message format.
Vici clients would need a dedicated socket connection just to receive such
alert messages, making their implementation more complex.

With vici, it is rather trivial to expose bus alerts through a dedicated
event message that vici clients may subscribe to. Add such an "alert"
event type to vici. Alert names are mapped to strings for simple consumption by
clients.

For now, the error-notify string message is omitted from events, as it mostly
contains static information without much value; instead add the IKE_SA details
for alerts associated to an IKE_SA. Other alert specific data may be added in
the future if needed; preferably using a structured format instead of the
arbitrary string messages used by error-notify. To allow future extensions,
wrap IKE_SA details under a dedicated "ike-sa" property.

src/libcharon/plugins/vici/README.md
src/libcharon/plugins/vici/vici_query.c

index cc4724edf40ba1fd3e2a0166793aa4f75c3aa353..38f7f9b01571e921d1ccf4a357f2bfab8a30760f 100644 (file)
@@ -1034,6 +1034,57 @@ The _child-rekey_ event is issued when a CHILD_SA is rekeyed.
                }
        }
 
+### alert ###
+
+The _alert_ event is issued for specific error conditions. Some alerts can
+be associated with an IKE_SA; if so, the IKE_SA details are included under an
+_ike-sa_ property.
+
+       {
+               type = <alert type>
+               ike-sa = {
+                       <IKE_SA config name> = {
+                               <same data as in list-sas event, but without child-sas section>
+                       }
+               }
+       }
+
+The _type_ property currently has one of the following fixed string values:
+
+  * _authorization-failed_: an authorization hook failed
+  * _cert-exceeded-path-len_: Certificate trustchain length exceeds limit
+  * _cert-expired_: Certificate rejected; it has expired
+  * _cert-no-issuer_:  Certificate rejected; no trusted issuer found
+  * _cert-policy-violation_: Certificate rejected; other policy violation
+  * _cert-revoked_: Certificate rejected; it has been revoked
+  * _cert-untrusted-root_: Certificate rejected; root not trusted
+  * _cert-validation-failed_: Certificate rejected: Validating status failed
+  * _half-open-timeout_: received half-open timeout before IKE_SA established
+  * _ike-sa-expired_: IKE_SA hit hard lifetime limit before it could be rekeyed
+  * _install-child-policy-failed_: Installation of IPsec Policy failed
+  * _install-child-sa-failed_: Installation of IPsec SAs failed
+  * _invalid-ike-spi_: received IKE message with invalid SPI
+  * _keep-on-child-sa-failure_: IKE_SA kept on failed child SA establishment
+  * _local-auth-failed_: local peer authentication failed (by us or by peer)
+  * _parse-error-body_: received IKE message with invalid body
+  * _parse-error-header_: received IKE message with invalid header
+  * _peer-addr-failed_: failed to resolve peer address
+  * _peer-auth-failed_: peer authentication failed
+  * _peer-init-unreachable_: peer did not respond to initial message
+  * _proposal-mismatch-child_: CHILD proposals do not match
+  * _proposal-mismatch-ike_: IKE proposals do not match
+  * _radius-not-responding_: a RADIUS server did not respond
+  * _retransmit-receive_: received a retransmit for a message
+  * _retransmit-send_: sending a retransmit for a message
+  * _retransmit-send-cleared_: received response for retransmitted request
+  * _retransmit-send-timeout_: sending retransmits timed out
+  * _shutdown-signal_: a shutdown signal has been received
+  * _ts-mismatch_: traffic selectors do not match
+  * _ts-narrowed_: traffic selectors have been narrowed (by us or by peer)
+  * _unique-keep_: IKE_SA deleted because of "keep" unique policy
+  * _unique-replace_: IKE_SA deleted because of "replace" unique policy
+  * _vip-failure_: allocating virtual IP failed
+
 # libvici C client library #
 
 libvici is the reference implementation of a C client library implementing
index 70350e5004404227bd6c7e15a7bfa97b432dc799..98a09fa4ae027be9d2473373ba7d9a4decdecc94 100644 (file)
@@ -82,6 +82,42 @@ ENUM(vici_counter_type_names,
        "info-out-resp",
 );
 
+ENUM(alert_names, ALERT_RADIUS_NOT_RESPONDING, ALERT_CERT_POLICY_VIOLATION,
+       "radius-not-responding",
+       "shutdown-signal",
+       "local-auth-failed",
+       "peer-auth-failed",
+       "peer-addr-failed",
+       "peer-init-unreachable",
+       "invalid-ike-spi",
+       "parse-error-header",
+       "parse-error-body",
+       "retransmit-send",
+       "retransmit-send-cleared",
+       "retransmit-send-timeout",
+       "retransmit-receive",
+       "half-open-timeout",
+       "proposal-mismatch-ike",
+       "proposal-mismatch-child",
+       "ts-mismatch",
+       "ts-narrowed",
+       "install-child-sa-failed",
+       "install-child-policy-failed",
+       "unique-replace",
+       "unique-keep",
+       "keep-on-child-sa-failure",
+       "vip-failure",
+       "authorization-failed",
+       "ike-sa-expired",
+       "cert-expired",
+       "cert-revoked",
+       "cert-validation-failed",
+       "cert-no-issuer",
+       "cert-untrusted-root",
+       "cert-exceeded-path-len",
+       "cert-policy-violation",
+);
+
 typedef struct private_vici_query_t private_vici_query_t;
 
 /**
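Review bot: The new alert_names table duplicates the order of the alert_t enumeration defined elsewhere (in the bus header), and nothing in this hunk ties the two together; if a value is later appended to alert_t after ALERT_CERT_POLICY_VIOLATION without this ENUM being updated, the `%N` conversion in the alert listener would fall outside the declared range and, as far as I recall, print the bare numeric value instead of a name, so clients would receive an undocumented `type`. The table also carries no doc comment, unlike the surrounding definitions. I would add above the ENUM: `/** String names for alert_t; must be kept in sync with the enum in the bus header and with the alert list in the vici README. */`.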
@@ -1778,6 +1814,7 @@ static void manage_commands(private_vici_query_t *this, bool reg)
        this->dispatcher->manage_event(this->dispatcher, "ike-update", reg);
        this->dispatcher->manage_event(this->dispatcher, "child-updown", reg);
        this->dispatcher->manage_event(this->dispatcher, "child-rekey", reg);
+       this->dispatcher->manage_event(this->dispatcher, "alert", reg);
        manage_command(this, "list-sas", list_sas, reg);
        manage_command(this, "list-policies", list_policies, reg);
        manage_command(this, "list-conns", list_conns, reg);
@@ -1957,6 +1994,32 @@ METHOD(listener_t, child_rekey, bool,
        return TRUE;
 }
 
+METHOD(listener_t, alert, bool,
+       private_vici_query_t *this, ike_sa_t *ike_sa, alert_t alert, va_list args)
+{
+       vici_builder_t *b;
+
+       if (!this->dispatcher->has_event_listeners(this->dispatcher, "alert"))
+       {
+               return TRUE;
+       }
+
+       b = vici_builder_create();
+       b->add_kv(b, "type", "%N", alert_names, alert);
+       if (ike_sa)
+       {
+               b->begin_section(b, "ike-sa");
+               b->begin_section(b, ike_sa->get_name(ike_sa));
+               list_ike(this, b, ike_sa, time_monotonic(NULL));
+               b->end_section(b);
+               b->end_section(b);
+       }
+
+       this->dispatcher->raise_event(this->dispatcher, "alert", 0, b->finalize(b));
+
+       return TRUE;
+}
+
 METHOD(vici_query_t, destroy, void,
        private_vici_query_t *this)
 {
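Review bot: The new alert listener has no comment describing what it emits or when, and several of the alert types it forwards are raised for every received IKE message that fails early processing (the table above includes `invalid-ike-spi`, `parse-error-header` and `retransmit-receive`), so a subscribed client sees one event, including a full list_ike serialization whenever an IKE_SA is attached, per offending packet. The has_event_listeners guard keeps the cost at zero while nobody subscribes, but a monitoring client that does subscribe should expect bursts under malformed-traffic load; whether a slow subscriber back-pressures the raising thread is not visible in this hunk. I would document that above the METHOD: `/** Forward bus alerts as vici "alert" events; alerts raised for unverified incoming messages may arrive in bursts. */`. Since the va_list payload is deliberately dropped per the commit message, a short comment on the nested sections would also help, e.g. `/* wrap IKE_SA details in a section so alert-specific data can be added later */`. list_ike is defined outside this hunk.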
@@ -1974,6 +2037,7 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher)
        INIT(this,
                .public = {
                        .listener = {
+                               .alert = _alert,
                                .ike_updown = _ike_updown,
                                .ike_rekey = _ike_rekey,
                                .ike_update = _ike_update,