From: Andreas Steffen Date: Sun, 19 May 2013 10:43:55 +0000 (+0200) Subject: add overall recommendation to session database entry X-Git-Tag: 5.1.0dr1~68 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2964562199dc4a5f744ff03820b24e5a4d4cb10f;p=thirdparty%2Fstrongswan.git add overall recommendation to session database entry --- diff --git a/src/libcharon/plugins/tnccs_20/tnccs_20.c b/src/libcharon/plugins/tnccs_20/tnccs_20.c index 29a161e694..4c8f3a9255 100644 --- a/src/libcharon/plugins/tnccs_20/tnccs_20.c +++ b/src/libcharon/plugins/tnccs_20/tnccs_20.c @@ -583,6 +583,7 @@ static void check_and_build_recommendation(private_tnccs_20_t *this) { TNC_IMV_Action_Recommendation rec; TNC_IMV_Evaluation_Result eval; + TNC_ConnectionState state; TNC_IMVID id; chunk_t reason, language; enumerator_t *enumerator; @@ -602,20 +603,27 @@ static void check_and_build_recommendation(private_tnccs_20_t *this) /** * Map IMV Action Recommendation codes to PB Access Recommendation codes + * and communicate Access Recommendation to IMVs */ switch (rec) { case TNC_IMV_ACTION_RECOMMENDATION_ALLOW: + state = TNC_CONNECTION_STATE_ACCESS_ALLOWED; pb_rec = PB_REC_ACCESS_ALLOWED; break; case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE: + state = TNC_CONNECTION_STATE_ACCESS_ISOLATED; pb_rec = PB_REC_QUARANTINED; break; case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS: case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION: default: + state = TNC_CONNECTION_STATE_ACCESS_NONE; pb_rec = PB_REC_ACCESS_DENIED; } + tnc->imvs->notify_connection_change(tnc->imvs, this->connection_id, + state); + msg = pb_access_recommendation_msg_create(pb_rec); this->messages->insert_last(this->messages, msg); diff --git a/src/libimcv/imv/imv_database.c b/src/libimcv/imv/imv_database.c index 2703ae2500..1e72b98b0f 100644 --- a/src/libimcv/imv/imv_database.c +++ b/src/libimcv/imv/imv_database.c 
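Review bot: The `default:` arm of the new mapping reports TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION to the IMVs as TNC_CONNECTION_STATE_ACCESS_NONE, and imv_os.c (hunk at -133) maps that state straight back to TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS before storing it, so the session database can never record that the IMVs reached no recommendation; the `rec INTEGER DEFAULT 3` default in tables.sql (presumably the no-recommendation code) only survives for sessions that never got a final recommendation at all. Failing closed here is the right choice, but it is a deliberate loss of information and should be stated, e.g. extend the block comment with `* NO_RECOMMENDATION is deliberately reported as ACCESS_NONE (fail closed), so` `* IMVs and the session database record it as NO_ACCESS`. check_and_build_recommendation continues outside the hunk.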
@@ -189,6 +189,16 @@ METHOD(imv_database_t, add_device, int, return did; } +METHOD(imv_database_t, add_recommendation, void, + private_imv_database_t *this, imv_session_t *session, + TNC_IMV_Action_Recommendation rec) +{ + /* add final recommendation to session */ + this->db->execute(this->db, NULL, + "UPDATE sessions SET rec = ? WHERE id = ?", + DB_INT, rec, DB_INT, session->get_session_id(session)); +} + METHOD(imv_database_t, policy_script, bool, private_imv_database_t *this, imv_session_t *session, bool start) { @@ -322,6 +332,7 @@ imv_database_t *imv_database_create(char *uri, char *script) .get_session = _get_session, .add_product = _add_product, .add_device = _add_device, + .add_recommendation = _add_recommendation, .policy_script = _policy_script, .finalize_workitem = _finalize_workitem, .get_database = _get_database, diff --git a/src/libimcv/imv/imv_database.h b/src/libimcv/imv/imv_database.h index 3c4bf83d84..6cab415899 100644 --- a/src/libimcv/imv/imv_database.h +++ b/src/libimcv/imv/imv_database.h @@ -68,6 +68,15 @@ struct imv_database_t { int (*add_device)(imv_database_t *this, imv_session_t *session, chunk_t device); + /** + * Add final recommendation to a session database entry + * + * @param session Session + * @param rec Final recommendation + */ + void (*add_recommendation)(imv_database_t *this, imv_session_t *session, + TNC_IMV_Action_Recommendation rec); + /** * Announce session start/stop to policy script * diff --git a/src/libimcv/imv/tables.sql b/src/libimcv/imv/tables.sql index c962d433a8..5377322d8a 100644 --- a/src/libimcv/imv/tables.sql +++ b/src/libimcv/imv/tables.sql @@ -63,7 +63,8 @@ CREATE TABLE sessions ( connection INTEGER NOT NULL, identity INTEGER DEFAULT 0 REFERENCES identities(id), device INTEGER DEFAULT 0 REFERENCES devices(id), - product INTEGER DEFAULT 0 REFERENCES products(id) + product INTEGER DEFAULT 0 REFERENCES products(id), + rec INTEGER DEFAULT 3 ); DROP TABLE IF EXISTS workitems; 
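Review bot: add_recommendation discards the return value of `this->db->execute`, so a failed UPDATE (for example a database created from the previous tables.sql without the `rec` column, or a session id that matches no row) leaves the listing tools showing the default recommendation with nothing in the log. Since the method returns void, at least report it: `int rows = this->db->execute(this->db, NULL, "UPDATE sessions SET rec = ? WHERE id = ?", DB_INT, rec, DB_INT, session->get_session_id(session));` `if (rows != 1) { DBG1(DBG_IMV, "could not store recommendation for session"); }`. `session` is also dereferenced unconditionally; the one caller this commit adds passes `state->get_session(state)`, which I assume is non-NULL at that point, so the doc comment in the imv_database.h hunk at -68 should say that `session` must be non-NULL and that storage failures are not reported to the caller.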
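Review bot: `rec INTEGER DEFAULT 3` relies on the reader knowing the TNC_IMV_Action_Recommendation encoding; a trailing comment should name it, e.g. `rec INTEGER DEFAULT 3 -- TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION` (I take 3 to be the no-recommendation code; confirm against the TNC IF-IMV header). This hunk also alters an existing table, and the hunk at -150 drops device_infos, with no migration statement, so the UPDATE in imv_database.c and the `s.rec` SELECTs in attest_db.c will fail against databases created from the previous tables.sql; if no migration exists elsewhere, the upgrade notes should say the database has to be recreated.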
@@ -150,16 +151,6 @@ CREATE INDEX devices_value ON devices ( value ); -DROP TABLE IF EXISTS device_infos; -CREATE TABLE device_infos ( - id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, - session INTEGER NOT NULL REFERENCES sessions(id), - count INTEGER DEFAULT 0, - count_update INTEGER DEFAULT 0, - count_blacklist INTEGER DEFAULT 0, - flags INTEGER DEFAULT 0 -); - DROP TABLE IF EXISTS identities; CREATE TABLE identities ( id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, diff --git a/src/libimcv/plugins/imv_os/imv_os.c b/src/libimcv/plugins/imv_os/imv_os.c index 69043ccbb2..c0ce8051ab 100644 --- a/src/libimcv/plugins/imv_os/imv_os.c +++ b/src/libimcv/plugins/imv_os/imv_os.c @@ -119,6 +119,7 @@ TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id, TNC_ConnectionID connection_id, TNC_ConnectionState new_state) { + TNC_IMV_Action_Recommendation rec; imv_state_t *state; imv_session_t *session; 
@@ -133,15 +134,31 @@ TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id, state = imv_os_state_create(connection_id); return imv_os->create_state(imv_os, state); case TNC_CONNECTION_STATE_DELETE: + return imv_os->delete_state(imv_os, connection_id); + case TNC_CONNECTION_STATE_ACCESS_ALLOWED: + case TNC_CONNECTION_STATE_ACCESS_ISOLATED: + case TNC_CONNECTION_STATE_ACCESS_NONE: if (imcv_db && imv_os->get_state(imv_os, connection_id, &state)) { + switch (new_state) + { + case TNC_CONNECTION_STATE_ACCESS_ALLOWED: + rec = TNC_IMV_ACTION_RECOMMENDATION_ALLOW; + break; + case TNC_CONNECTION_STATE_ACCESS_ISOLATED: + rec = TNC_IMV_ACTION_RECOMMENDATION_ISOLATE; + break; + case TNC_CONNECTION_STATE_ACCESS_NONE: + default: + rec = TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS; + } session = state->get_session(state); + imcv_db->add_recommendation(imcv_db, session, rec); imcv_db->policy_script(imcv_db, session, FALSE); } - return imv_os->delete_state(imv_os, connection_id); + /* fall through to default state */ default: - return imv_os->change_state(imv_os, connection_id, - new_state, NULL); + return imv_os->change_state(imv_os, connection_id, new_state, NULL); } } diff --git a/src/libpts/plugins/imv_attestation/attest_db.c b/src/libpts/plugins/imv_attestation/attest_db.c index 633d6c58dc..cb1220e726 100644 --- a/src/libpts/plugins/imv_attestation/attest_db.c +++ b/src/libpts/plugins/imv_attestation/attest_db.c @@ -19,6 +19,8 @@ #include #include +#include + #include "attest_db.h" #include "libpts.h" 
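Review bot: The `TNC_CONNECTION_STATE_DELETE` arm now returns `imv_os->delete_state(...)` immediately, so the `policy_script(imcv_db, session, FALSE)` stop notification that used to run on delete is only issued once the connection reaches one of the three ACCESS_* states. A connection that is torn down before a recommendation is sent (handshake abort, peer gone) therefore no longer announces a session stop to the policy script and keeps the default `rec`, unless some other path covers that case; if the new ordering is intended, the DELETE arm deserves a comment such as `/* session already closed by the access recommendation notification */`. The `/* fall through to default state */` comment is correctly placed before `default:` so -Wimplicit-fallthrough accepts it. TNC_IMV_NotifyConnectionChange starts outside the hunk.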
@@ -812,24 +814,22 @@ METHOD(attest_db_t, list_devices, void, char *product; time_t timestamp; int id, last_id = 0, ar_id = 0, last_ar_id = 0, device_count = 0; - int count, count_update, count_blacklist; + int session_id, rec; u_int32_t ar_id_type; - u_int tstamp, flags = 0; + u_int tstamp; e = this->db->query(this->db, - "SELECT d.id, d.value, s.time, s.identity, p.name, " - "i.count, i.count_update, i.count_blacklist, i.flags " + "SELECT d.id, d.value, s.id, s.time, s.identity, s.rec, p.name " "FROM devices AS d " "JOIN sessions AS s ON d.id = s.device " "JOIN products AS p ON p.id = s.product " - "JOIN device_infos AS i ON i.session = s.id " - "ORDER BY d.value, s.time DESC", DB_INT, DB_BLOB, DB_UINT, - DB_INT, DB_TEXT, DB_INT, DB_INT, DB_INT, DB_UINT); + "ORDER BY d.value, s.time DESC", DB_INT, DB_BLOB, DB_INT, DB_UINT, + DB_INT, DB_INT, DB_TEXT); if (e) { - while (e->enumerate(e, &id, &value, &tstamp, &ar_id, &product, - &count, &count_update, &count_blacklist, &flags)) + while (e->enumerate(e, &id, &value, &session_id, &tstamp, &ar_id, &rec, + &product)) { if (id != last_id) { @@ -838,8 +838,8 @@ METHOD(attest_db_t, list_devices, void, last_id = id; } timestamp = tstamp; - printf(" %T, %4d, %3d, %3d, %1u, '%s'", ×tamp, this->utc, - count, count_update, count_blacklist, flags, product); + printf("%4d: %T, %-20s", session_id, ×tamp, this->utc, + product); if (ar_id) { if (ar_id != last_ar_id) @@ -861,7 +861,7 @@ METHOD(attest_db_t, list_devices, void, } last_ar_id = ar_id; } - printf("\n"); + printf(" - %N\n", TNC_IMV_Action_Recommendation_names, rec); } e->destroy(e); free(ar_id_value.ptr); 
@@ -1519,31 +1519,32 @@ METHOD(attest_db_t, list_sessions, void, enumerator_t *e; chunk_t device, identity; char *product; - int session_id, conn_id; + int session_id, conn_id, rec; time_t created; u_int t; e = this->db->query(this->db, - "SELECT s.id, s.time, s.connection, p.name, d.value, i.value " - "FROM sessions AS s " - "LEFT JOIN products AS p ON s.product = p.id " - "LEFT JOIN devices AS d ON s.device = d.id " - "LEFT JOIN identities AS i ON s.identity = i.id " - "ORDER BY s.time DESC", - DB_INT, DB_UINT, DB_INT, DB_TEXT, DB_BLOB, DB_BLOB); + "SELECT s.id, s.time, s.connection, s.rec, p.name, d.value, i.value " + "FROM sessions AS s " + "LEFT JOIN products AS p ON s.product = p.id " + "LEFT JOIN devices AS d ON s.device = d.id " + "LEFT JOIN identities AS i ON s.identity = i.id " + "ORDER BY s.time DESC", + DB_INT, DB_UINT, DB_INT, DB_INT, DB_TEXT, DB_BLOB, DB_BLOB); if (e) { - while (e->enumerate(e, &session_id, &t, &conn_id, &product, &device, - &identity)) + while (e->enumerate(e, &session_id, &t, &conn_id, &rec, &product, + &device, &identity)) { created = t; product = product ? product : "-"; device = device.len ? device : chunk_from_str("-"); device.len = min(device.len, 20); identity = identity.len ? identity : chunk_from_str("-"); - printf("%4d: %T %2d %-20s %.*s%*s %.*s\n", session_id, &created, + printf("%4d: %T %2d %-20s %.*s%*s %.*s - %N\n", session_id, &created, FALSE, conn_id, product, device.len, device.ptr, - 20-device.len, " ", identity.len, identity.ptr); + 20-device.len, " ", identity.len, identity.ptr, + TNC_IMV_Action_Recommendation_names, rec); } e->destroy(e); }