/* * Remote Laboratory Authentication Server * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. * * (c) 2012 Timothy Pearson * Raptor Engineering * http://www.raptorengineeringinc.com */ #include #include #include #include "auth_conn.h" #define ABORT_SOCKET(s) s->close(); \ s->disconnect(); \ delete s; \ s = NULL; /* exception handling */ struct exit_exception { int c; exit_exception(int c):c(c) { } }; /* The AuthSocket class provides a socket that is connected with a client. For every client that connects to the server, the server creates a new instance of this class. */ AuthSocket::AuthSocket(int sock, TQObject *parent, const char *name) : TDEKerberosServerSocket(parent, name), m_criticalSection(0), m_stationID(-1), m_bound(false), m_servActive(false), m_servState(0), m_servClientSocket(NULL), m_servClientTimeout(NULL), m_config(static_cast(parent)->m_config), m_database(NULL), m_databaseStationsCursor(NULL), m_databaseServicesCursor(NULL), m_databaseServiceTypesCursor(NULL), m_databasePermissionsCursor(NULL), m_databaseActivityCursor(NULL) { setServiceName("remotefpga"); line = 0; connect(this, SIGNAL(connectionClosed()), SLOT(connectionClosedHandler())); setSocket(sock); if (connectToDatabase() != 0) { exit(1); } } AuthSocket::~AuthSocket() { if (m_databaseStationsCursor) { delete m_databaseStationsCursor; } if (m_databaseServicesCursor) { delete m_databaseServicesCursor; } if (m_databaseServiceTypesCursor) { delete m_databaseServiceTypesCursor; } if (m_databasePermissionsCursor) { delete m_databasePermissionsCursor; } if (m_databaseActivityCursor) { delete m_databaseActivityCursor; } if (m_servClientSocket) { delete m_servClientSocket; } } void AuthSocket::close() { if (state() == TQSocket::Connected) { TDEKerberosServerSocket::close(); connectionClosedHandler(); } } void AuthSocket::connectionClosedHandler() { printf("[DEBUG] Connection from %s closed\n\r", m_remoteHost.ascii()); if (m_bound) { // Update database m_databaseActivityCursor->select(TQString("station='%1' AND username='%2' AND realmname='%3'").arg(m_stationID).arg(m_authenticatedUserName).arg(m_authenticatedRealmName)); if (m_databaseActivityCursor->next()) { m_databaseActivityCursor->primeDelete(); m_databaseActivityCursor->del(true); } } if (m_criticalSection > 0) { throw exit_exception(-1); } } int AuthSocket::initiateKerberosHandshake() { // RAJA FIXME setUsingKerberos(true); while (kerberosStatus() == TDEKerberosServerSocket::KerberosInitializing) { tqApp->processEvents(); } if (kerberosStatus() == TDEKerberosServerSocket::KerberosInUse) { TQ_UINT32 magicnum = MAGIC_NUMBER; TQ_UINT32 protover = PROTOCOL_VERSION; TQDataStream ds(this); ds << magicnum; ds << protover; return 0; } else { return -1; } } void AuthSocket::servLoop() { if (m_servActive) { TQString command; TQDataStream ds(this); TDEKerberosClientSocket::KerberosStatus krbstat; switch (m_servState) { case 0: if (!m_servClientTimeout) { m_servClientTimeout = new TQTimer(); m_servClientTimeout->start(5000, TRUE); } if ((m_servClientSocket->state() == TQSocket::Connecting) || (m_servClientSocket->state() == TQSocket::HostLookup)) { if (!m_servClientTimeout->isActive()) { m_servClientSocket->close(); ds << TQString("ERRNOTAVL"); printf("[DEBUG] Connection failed to %s:%d for user %s@%s\n\r", m_srvServiceHostName.ascii(), m_srvServicePort, m_authenticatedUserName.ascii(), m_authenticatedRealmName.ascii()); fflush(stdout); m_servActive = false; delete m_servClientTimeout; m_servClientTimeout = NULL; } } else { if (m_servClientTimeout) { m_servClientTimeout->stop(); delete m_servClientTimeout; m_servClientTimeout = NULL; } m_servState = 1; } break; case 1: if (m_servClientSocket->state() == TQSocket::Connected) { m_servClientSocket->setUsingKerberos(true); m_servState = 2; } else { m_servClientSocket->close(); ds << TQString("ERRNOTAVL"); printf("[DEBUG] Connection failed to %s:%d for user %s@%s\n\r", m_srvServiceHostName.ascii(), m_srvServicePort, m_authenticatedUserName.ascii(), m_authenticatedRealmName.ascii()); fflush(stdout); m_servActive = false; delete m_servClientTimeout; m_servClientTimeout = NULL; } break; case 2: krbstat = m_servClientSocket->kerberosStatus(); if ((krbstat == TDEKerberosClientSocket::KerberosInitializing) || (krbstat == TDEKerberosClientSocket::KerberosInUse)) { if (krbstat == TDEKerberosClientSocket::KerberosInUse) { m_servState = 3; } } else { m_servClientSocket->close(); ds << TQString("ERRNOTAVL"); printf("[DEBUG] Connection failed to %s:%d for user %s@%s due to Kerberos failure\n\r", m_srvServiceHostName.ascii(), m_srvServicePort, m_authenticatedUserName.ascii(), m_authenticatedRealmName.ascii()); fflush(stdout); m_servActive = false; delete m_servClientTimeout; m_servClientTimeout = NULL; } break; case 3: if (!m_servClientTimeout) { m_servClientTimeout = new TQTimer(); m_servClientTimeout->start(5000, TRUE); } if (m_servClientSocket->state() == TQSocket::Connected) { if (m_servClientSocket->canReadLine()) { TQDataStream clientDS(m_servClientSocket); TQString server_reply; clientDS >> server_reply; if (server_reply == "OK") { ds << TQString("OK"); m_servState = 4; } else { m_servClientSocket->close(); ds << TQString("ERRNOTAVL"); printf("[DEBUG] Connection failed to %s:%d for user %s@%s due to remote server returning %s\n\r", m_srvServiceHostName.ascii(), m_srvServicePort, m_authenticatedUserName.ascii(), m_authenticatedRealmName.ascii(), server_reply.ascii()); fflush(stdout); m_servActive = false; delete m_servClientTimeout; m_servClientTimeout = NULL; } } else { if (!m_servClientTimeout->isActive()) { // Timeout! m_servClientSocket->close(); ds << TQString("ERRNOTAVL"); printf("[DEBUG] Connection failed to %s:%d for user %s@%s\n\r", m_srvServiceHostName.ascii(), m_srvServicePort, m_authenticatedUserName.ascii(), m_authenticatedRealmName.ascii()); fflush(stdout); m_servActive = false; delete m_servClientTimeout; m_servClientTimeout = NULL; } } } else { m_servClientSocket->close(); ds << TQString("ERRNOTAVL"); printf("[DEBUG] Connection failed to %s:%d for user %s@%s\n\r", m_srvServiceHostName.ascii(), m_srvServicePort, m_authenticatedUserName.ascii(), m_authenticatedRealmName.ascii()); fflush(stdout); m_servActive = false; delete m_servClientTimeout; m_servClientTimeout = NULL; } break; case 4: if (m_servClientSocket->state() == TQSocket::Connected) { TQByteArray ba(8192); TQ_ULONG reclen; if (canReadLine()) { reclen = readBlock(ba.data(), 8192); m_servClientSocket->writeBlock(ba.data(), reclen); } if (m_servClientSocket->canReadLine()) { reclen = m_servClientSocket->readBlock(ba.data(), 8192); writeBlock(ba.data(), reclen); } } else { m_servClientSocket->close(); ds << TQString("ERRNOTAVL"); printf("[DEBUG] Connection terminated by remote host %s:%d for user %s@%s\n\r", m_srvServiceHostName.ascii(), m_srvServicePort, m_authenticatedUserName.ascii(), m_authenticatedRealmName.ascii()); fflush(stdout); m_servActive = false; } break; } } } void AuthSocket::commandLoop() { if (m_servActive) { servLoop(); TQTimer::singleShot(0, this, SLOT(commandLoop())); return; } m_criticalSection++; try { if (state() == TQSocket::Connected) { if (canReadLine()) { TQString command; TQDataStream ds(this); ds >> command; if (command != "") { printf("[DEBUG] Got command %s from user %s@%s\n\r", command.ascii(), m_authenticatedUserName.ascii(), m_authenticatedRealmName.ascii()); fflush(stdout); if (command == "LIST") { // Send list of available servers... m_slist.clear(); // Get all stations from the database m_databaseStationsCursor->select(); while (m_databaseStationsCursor->next()) { bool authorized = false; bool in_use = false; m_databasePermissionsCursor->select(TQString("station=%1").arg(m_databaseStationsCursor->value("pk").toInt())); while (m_databasePermissionsCursor->next()) { if (m_databasePermissionsCursor->value("username").toString() == m_authenticatedUserName) { authorized = true; } } m_databaseActivityCursor->select(TQString("station=%1").arg(m_databaseStationsCursor->value("pk").toInt())); while (m_databaseActivityCursor->next()) { if (m_databaseActivityCursor->value("username").toString() != "") { in_use = true; } } if ((authorized) && (!in_use)) { StationType st; st.id = m_databaseStationsCursor->value("pk").toInt(); st.name = m_databaseStationsCursor->value("name").toString(); st.description = m_databaseStationsCursor->value("description").toString(); m_databaseServicesCursor->select(TQString("station=%1").arg(m_databaseStationsCursor->value("pk").toInt())); while (m_databaseServicesCursor->next()) { m_databaseServiceTypesCursor->select(TQString("serviceid=%1").arg(m_databaseServicesCursor->value("servicetype").toInt())); ServiceType svt; if (m_databaseServiceTypesCursor->next()) { svt.name = m_databaseServiceTypesCursor->value("name").toString(); svt.description = m_databaseServiceTypesCursor->value("description").toString(); svt.clientLibrary = m_databaseServiceTypesCursor->value("client_library").toString(); svt.version = m_databaseServiceTypesCursor->value("version").toInt(); } if (svt.name == "") { svt.name = i18n(""); } if (svt.description == "") { svt.description = i18n(""); } st.services.append(svt); } m_slist.append(st); } } ds << m_slist; } else if (command == "BIND") { // Get desired Station Type from client StationType st; ds >> st; // Attempt to bind to station matching desired Service Type list... m_stationID = -1; // Ensure that this user is not already connected int activeID = -1; m_databaseActivityCursor->select(TQString("username='%1' AND realmname='%2'").arg(m_authenticatedUserName).arg(m_authenticatedRealmName)); if (m_databaseActivityCursor->next()) { activeID = m_databaseActivityCursor->value("station").toInt(); } if (activeID < 0) { for (StationList::Iterator it(m_slist.begin()); it != m_slist.end(); ++it) { if ((*it).services == st.services) { m_stationID = (*it).id; break; } } if (m_stationID < 0) { ds << TQString("ERRUNAVAL"); } else { m_bound = true; // Update database TQSqlRecord *buffer = m_databaseActivityCursor->primeInsert(); buffer->setValue("station", m_stationID); buffer->setValue("username", m_authenticatedUserName); buffer->setValue("realmname", m_authenticatedRealmName); buffer->setValue("logontime", TQDateTime::currentDateTime().toTime_t()); m_databaseActivityCursor->insert(); ds << TQString("OK"); } } else { ds << TQString("ERRPREVCN"); } } else if (command == "SERV") { // Get client library name from the client TQString libname; ds >> libname; m_databaseActivityCursor->select(TQString("username='%1' AND realmname='%2'").arg(m_authenticatedUserName).arg(m_authenticatedRealmName)); if (m_databaseActivityCursor->next()) { m_stationID = m_databaseActivityCursor->value("station").toInt(); } if (m_bound == true) { ds << TQString("ERRINVCMD"); } else { if (m_stationID < 0) { ds << TQString("ERRNOCONN"); } else { // Find the service ID for the specified client library name TQ_INT32 sid = -1; m_databaseServiceTypesCursor->select(TQString("client_library='%1'").arg(libname)); if (m_databaseServiceTypesCursor->next()) { sid = m_databaseServiceTypesCursor->value("serviceid").toInt(); } if (sid < 0) { ds << TQString("ERRNOSERV"); } else { // Attempt to connect to the backend server m_databaseServicesCursor->select(TQString("pk=%1 AND station=%2").arg(sid).arg(m_stationID)); if (m_databaseServicesCursor->next()) { m_srvServiceHostName = m_databaseServicesCursor->value("hostname").toString(); m_srvServicePort = m_databaseServicesCursor->value("port").toInt(); if (!m_servClientSocket) m_servClientSocket = new TDEKerberosClientSocket; m_servClientSocket->setServiceName("remotefpga"); m_servClientSocket->setServerFQDN(m_srvServiceHostName); m_servClientSocket->connectToHost(m_srvServiceHostName, m_srvServicePort); m_servState = 0; m_servActive = true; } else { ds << TQString("ERRNOSERV"); } } } } } else { ds << TQString("ERRINVCMD"); } } } m_criticalSection--; TQTimer::singleShot(0, this, SLOT(commandLoop())); return; } } catch (...) { m_criticalSection--; return; } } int AuthSocket::enterCommandLoop() { TQTimer::singleShot(0, this, SLOT(commandLoop())); return 0; } int AuthSocket::connectToDatabase() { if (m_database) { return -2; } m_database = TQSqlDatabase::database(); if (!m_database) { printf("[ERROR] Database was not constructed by the application\n\r"); fflush(stdout); return -1; } m_databaseStationsCursor = new TQSqlCursor("stations", TRUE, m_database); m_databaseServicesCursor = new TQSqlCursor("services", TRUE, m_database); m_databaseServiceTypesCursor = new TQSqlCursor("servicetypes", TRUE, m_database); m_databasePermissionsCursor = new TQSqlCursor("permissions", TRUE, m_database); m_databaseActivityCursor = new TQSqlCursor("activity", TRUE, m_database); return 0; } /* The AuthServer class handles new connections to the server. For every client that connects, it creates a new AuthSocket -- that instance is now responsible for the communication with that client. */ AuthServer::AuthServer(TQObject* parent) : TQServerSocket( 4004, 1, parent ), m_database(NULL) { m_config = new KSimpleConfig("remotefpga_authserver.conf", false); if (connectToDatabase() != 0) { exit(1); } if ( !ok() ) { printf("[ERROR] Failed to bind to port 4004\n\r"); exit(1); } printf("[INFO] Server started on port 4004\n\r"); fflush(stdout); } AuthServer::~AuthServer() { if (m_database) { TQSqlDatabase::removeDatabase(m_database); m_database = NULL; } delete m_config; } int AuthServer::connectToDatabase() { m_config->setGroup("Database"); m_database = TQSqlDatabase::addDatabase(m_config->readEntry("driver")); m_database->setDatabaseName(m_config->readEntry("database")); m_database->setUserName(m_config->readEntry("username")); m_database->setPassword(m_config->readEntry("password")); m_database->setHostName(m_config->readEntry("server")); if(!m_database->open()) { printf("[ERROR] Failed to connect to control database on server '%s' [%s]\n\r", m_database->hostName().ascii(), m_database->lastError().text().ascii()); fflush(stdout); TQSqlDatabase::removeDatabase(m_database); m_database = NULL; return -1; } if (!m_database->tables().contains("stations")) { m_database->close(); printf("[ERROR] Control database '%s' on '%s' does not contain the required 'stations' table\n\r", m_database->databaseName().ascii(), m_database->hostName().ascii()); fflush(stdout); TQSqlDatabase::removeDatabase(m_database); m_database = NULL; return -1; } if (!m_database->tables().contains("services")) { m_database->close(); printf("[ERROR] Control database '%s' on '%s' does not contain the required 'services' table\n\r", m_database->databaseName().ascii(), m_database->hostName().ascii()); fflush(stdout); TQSqlDatabase::removeDatabase(m_database); m_database = NULL; return -1; } if (!m_database->tables().contains("servicetypes")) { m_database->close(); printf("[ERROR] Control database '%s' on '%s' does not contain the required 'servicetypes' table\n\r", m_database->databaseName().ascii(), m_database->hostName().ascii()); fflush(stdout); TQSqlDatabase::removeDatabase(m_database); m_database = NULL; return -1; } if (!m_database->tables().contains("permissions")) { m_database->close(); printf("[ERROR] Control database '%s' on '%s' does not contain the required 'permissions' table\n\r", m_database->databaseName().ascii(), m_database->hostName().ascii()); fflush(stdout); TQSqlDatabase::removeDatabase(m_database); m_database = NULL; return -1; } if (!m_database->tables().contains("activity")) { m_database->close(); printf("[ERROR] Control database '%s' on '%s' does not contain the required 'activity' table\n\r", m_database->databaseName().ascii(), m_database->hostName().ascii()); fflush(stdout); TQSqlDatabase::removeDatabase(m_database); m_database = NULL; return -1; } return 0; } void AuthServer::newConnection(int socket) { AuthSocket *s = new AuthSocket(socket, this); s->m_remoteHost = s->peerAddress().toString(); printf("[DEBUG] New connection from %s\n\r", s->m_remoteHost.ascii()); if (s->initiateKerberosHandshake() != 0) { printf("[DEBUG] Connection from %s closed due to Kerberos failure\n\r", s->m_remoteHost.ascii()); fflush(stdout); ABORT_SOCKET(s) return; } else { connect(s, SIGNAL(connectionClosed()), s, SLOT(deleteLater())); emit newConnect(s); s->enterCommandLoop(); } }