Asterisk - The Open Source Telephony Project  21.4.1
profile_config.c
1 /*
2  * Asterisk -- An open source telephony toolkit.
3  *
4  * Copyright (C) 2022, Sangoma Technologies Corporation
5  *
6  * Ben Ford <bford@sangoma.com>
7  *
8  * See http://www.asterisk.org for more information about
9  * the Asterisk project. Please do not directly contact
10  * any of the maintainers of this project for assistance;
11  * the project provides a web site, mailing lists and IRC
12  * channels for your use.
13  *
14  * This program is free software, distributed under the terms of
15  * the GNU General Public License Version 2. See the LICENSE file
16  * at the top of the source tree.
17  */
18 
19 #include "asterisk.h"
20 
21 #include "asterisk/cli.h"
22 #include "asterisk/sorcery.h"
23 #include "asterisk/acl.h"
24 #include "asterisk/stasis.h"
26 
27 #include "stir_shaken.h"
28 
29 #define CONFIG_TYPE "profile"
30 
31 #define DEFAULT_endpoint_behavior endpoint_behavior_OFF
32 
33 #define DEFAULT_ca_file NULL
34 #define DEFAULT_ca_path NULL
35 #define DEFAULT_crl_file NULL
36 #define DEFAULT_crl_path NULL
37 #define DEFAULT_cert_cache_dir NULL
38 
39 #define DEFAULT_curl_timeout 0
40 #define DEFAULT_max_iat_age 0
41 #define DEFAULT_max_date_header_age 0
42 #define DEFAULT_max_cache_entry_age 0
43 #define DEFAULT_max_cache_size 0
44 
45 #define DEFAULT_stir_shaken_failure_action stir_shaken_failure_action_NOT_SET
46 #define DEFAULT_use_rfc9410_responses use_rfc9410_responses_NOT_SET
47 #define DEFAULT_relax_x5u_port_scheme_restrictions relax_x5u_port_scheme_restrictions_NOT_SET
48 #define DEFAULT_relax_x5u_path_restrictions relax_x5u_path_restrictions_NOT_SET
49 #define DEFAULT_load_system_certs load_system_certs_NOT_SET
50 
51 #define DEFAULT_check_tn_cert_public_url check_tn_cert_public_url_NOT_SET
52 #define DEFAULT_private_key_file NULL
53 #define DEFAULT_public_cert_url NULL
54 #define DEFAULT_attest_level attest_level_NOT_SET
55 #define DEFAULT_send_mky send_mky_NOT_SET
56 
57 static void profile_destructor(void *obj)
58 {
59  struct profile_cfg *cfg = obj;
61 
62  acfg_cleanup(&cfg->acfg_common);
63  vcfg_cleanup(&cfg->vcfg_common);
64 
65  ao2_cleanup(cfg->eprofile);
66 
67  return;
68 }
69 
70 static void *profile_alloc(const char *name)
71 {
72  struct profile_cfg *profile;
73 
74  profile = ast_sorcery_generic_alloc(sizeof(*profile), profile_destructor);
75  if (!profile) {
76  return NULL;
77  }
78 
79  if (ast_string_field_init(profile, 2048)) {
80  ao2_ref(profile, -1);
81  return NULL;
82  }
83 
84  /*
85  * The memory for the commons actually comes from cfg
86  * due to the weirdness of the STRFLDSET macro used with
87  * sorcery. We just use a token amount of memory in
88  * this call so the initialize doesn't fail.
89  */
90  if (ast_string_field_init(&profile->acfg_common, 8)) {
91  ao2_ref(profile, -1);
92  return NULL;
93  }
94 
95  if (ast_string_field_init(&profile->vcfg_common, 8)) {
96  ao2_ref(profile, -1);
97  return NULL;
98  }
99 
100  return profile;
101 }
102 
103 static struct ao2_container *profile_get_all(void)
104 {
105  return ast_sorcery_retrieve_by_fields(get_sorcery(), CONFIG_TYPE,
107 }
108 
109 struct profile_cfg *profile_get_cfg(const char *id)
110 {
111  if (ast_strlen_zero(id)) {
112  return NULL;
113  }
114  return ast_sorcery_retrieve_by_id(get_sorcery(), CONFIG_TYPE, id);
115 }
116 
117 static struct ao2_container *eprofile_get_all(void)
118 {
119  return ast_sorcery_retrieve_by_fields(get_sorcery(), "eprofile",
121 }
122 
123 struct profile_cfg *eprofile_get_cfg(const char *id)
124 {
125  if (ast_strlen_zero(id)) {
126  return NULL;
127  }
128  return ast_sorcery_retrieve_by_id(get_sorcery(), "eprofile", id);
129 }
130 
131 static struct profile_cfg *create_effective_profile(
132  struct profile_cfg *base_profile)
133 {
134  struct profile_cfg *eprofile;
135  struct profile_cfg *existing_eprofile;
136  RAII_VAR(struct attestation_cfg*, acfg, as_get_cfg(), ao2_cleanup);
137  RAII_VAR(struct verification_cfg*, vcfg, vs_get_cfg(), ao2_cleanup);
138  const char *id = ast_sorcery_object_get_id(base_profile);
139  int rc = 0;
140 
141  eprofile = ast_sorcery_alloc(get_sorcery(), "eprofile", id);
142  if (!eprofile) {
143  ast_log(LOG_ERROR, "%s: Unable to allocate memory for effective profile\n", id);
144  return NULL;
145  }
146 
147  rc = vs_copy_cfg_common(id, &eprofile->vcfg_common,
148  &vcfg->vcfg_common);
149  if (rc != 0) {
150  ao2_cleanup(eprofile);
151  return NULL;
152  }
153 
154  rc = vs_copy_cfg_common(id, &eprofile->vcfg_common,
155  &base_profile->vcfg_common);
156  if (rc != 0) {
157  ao2_cleanup(eprofile);
158  return NULL;
159  }
160 
161  rc = as_copy_cfg_common(id, &eprofile->acfg_common,
162  &acfg->acfg_common);
163  if (rc != 0) {
164  ao2_cleanup(eprofile);
165  return NULL;
166  }
167 
168  rc = as_copy_cfg_common(id, &eprofile->acfg_common,
169  &base_profile->acfg_common);
170  if (rc != 0) {
171  ao2_cleanup(eprofile);
172  return NULL;
173  }
174 
175  eprofile->endpoint_behavior = base_profile->endpoint_behavior;
176 
177  if (eprofile->endpoint_behavior == endpoint_behavior_ON) {
178  if (acfg->global_disable && vcfg->global_disable) {
179  eprofile->endpoint_behavior = endpoint_behavior_OFF;
180  } else if (acfg->global_disable && !vcfg->global_disable) {
181  eprofile->endpoint_behavior = endpoint_behavior_VERIFY;
182  } else if (!acfg->global_disable && vcfg->global_disable) {
183  eprofile->endpoint_behavior = endpoint_behavior_ATTEST;
184  }
185  } else if (eprofile->endpoint_behavior == endpoint_behavior_ATTEST
186  && acfg->global_disable) {
187  eprofile->endpoint_behavior = endpoint_behavior_OFF;
188  } else if (eprofile->endpoint_behavior == endpoint_behavior_VERIFY
189  && vcfg->global_disable) {
190  eprofile->endpoint_behavior = endpoint_behavior_OFF;
191  }
192 
193  existing_eprofile = ast_sorcery_retrieve_by_id(get_sorcery(), "eprofile", id);
194  if (existing_eprofile) {
195  ao2_cleanup(existing_eprofile);
196  ast_sorcery_update(get_sorcery(), eprofile);
197  } else {
198  ast_sorcery_create(get_sorcery(), eprofile);
199  }
200 
201  /*
202  * This triggers eprofile_apply. We _could_ just call
203  * eprofile_apply directly but this seems more keeping
204  * with how sorcery works.
205  */
206  ast_sorcery_objectset_apply(get_sorcery(), eprofile, NULL);
207 
208  return eprofile;
209 }
210 
211 static int profile_apply(const struct ast_sorcery *sorcery, void *obj)
212 {
213  struct profile_cfg *cfg = obj;
214  const char *id = ast_sorcery_object_get_id(cfg);
215 
216  if (PROFILE_ALLOW_ATTEST(cfg)
217  && as_check_common_config(id, &cfg->acfg_common) != 0) {
218  return -1;
219  }
220 
221  if (PROFILE_ALLOW_VERIFY(cfg)
222  && vs_check_common_config(id, &cfg->vcfg_common) !=0) {
223  return -1;
224  }
225 
226  cfg->eprofile = create_effective_profile(cfg);
227  if (!cfg->eprofile) {
228  return -1;
229  }
230 
231  return 0;
232 }
233 
234 static int eprofile_apply(const struct ast_sorcery *sorcery, void *obj)
235 {
236  struct profile_cfg *cfg = obj;
237  const char *id = ast_sorcery_object_get_id(cfg);
238 
239  if (PROFILE_ALLOW_VERIFY(cfg) && !cfg->vcfg_common.tcs) {
240  ast_log(LOG_ERROR, "%s: Neither this profile nor default"
241  " verification options specify ca_file or ca_path\n", id);
242  return -1;
243  }
244 
245  return 0;
246 }
247 generate_acfg_common_sorcery_handlers(profile_cfg);
248 generate_vcfg_common_sorcery_handlers(profile_cfg);
249 
250 generate_sorcery_enum_from_str(profile_cfg, , endpoint_behavior, UNKNOWN);
251 generate_sorcery_enum_to_str(profile_cfg, , endpoint_behavior);
252 
253 static char *cli_profile_show(struct ast_cli_entry *e, int cmd, struct ast_cli_args *a)
254 {
255  struct profile_cfg *profile;
256  struct config_object_cli_data data = {
257  .title = "Profile",
258  .object_type = config_object_type_profile,
259  };
260 
261  switch(cmd) {
262  case CLI_INIT:
263  e->command = "stir_shaken show profile";
264  e->usage =
265  "Usage: stir_shaken show profile <id>\n"
266  " Show the stir/shaken profile settings for a given id\n";
267  return NULL;
268  case CLI_GENERATE:
269  if (a->pos == 3) {
270  return config_object_tab_complete_name(a->word, profile_get_all());
271  } else {
272  return NULL;
273  }
274  }
275 
276  if (a->argc != 4) {
277  return CLI_SHOWUSAGE;
278  }
279 
280  profile = profile_get_cfg(a->argv[3]);
281  if (!profile) {
282  ast_log(LOG_ERROR,"Profile %s doesn't exist\n", a->argv[3]);
283  return CLI_FAILURE;
284  }
285  config_object_cli_show(profile, a, &data, 0);
286 
287  ao2_cleanup(profile);
288 
289  return CLI_SUCCESS;
290 }
291 
292 static char *cli_profile_show_all(struct ast_cli_entry *e, int cmd, struct ast_cli_args *a)
293 {
294  struct ao2_container *container;
295  struct config_object_cli_data data = {
296  .title = "Profile",
297  .object_type = config_object_type_profile,
298  };
299 
300  switch(cmd) {
301  case CLI_INIT:
302  e->command = "stir_shaken show profiles";
303  e->usage =
304  "Usage: stir_shaken show profiles\n"
305  " Show all profiles for stir/shaken\n";
306  return NULL;
307  case CLI_GENERATE:
308  return NULL;
309  }
310 
311  if (a->argc != 3) {
312  return CLI_SHOWUSAGE;
313  }
314 
315  container = profile_get_all();
316  if (!container || ao2_container_count(container) == 0) {
317  ast_cli(a->fd, "No stir/shaken profiles found\n");
318  ao2_cleanup(container);
319  return CLI_SUCCESS;
320  }
321 
322  ao2_callback_data(container, OBJ_NODATA, config_object_cli_show, a, &data);
323  ao2_ref(container, -1);
324 
325  return CLI_SUCCESS;
326 }
327 
328 static char *cli_eprofile_show(struct ast_cli_entry *e, int cmd, struct ast_cli_args *a)
329 {
330  struct profile_cfg *profile;
331  struct config_object_cli_data data = {
332  .title = "Effective Profile",
333  .object_type = config_object_type_profile,
334  };
335 
336  switch(cmd) {
337  case CLI_INIT:
338  e->command = "stir_shaken show eprofile";
339  e->usage =
340  "Usage: stir_shaken show eprofile <id>\n"
341  " Show the stir/shaken eprofile settings for a given id\n";
342  return NULL;
343  case CLI_GENERATE:
344  if (a->pos == 3) {
345  return config_object_tab_complete_name(a->word, eprofile_get_all());
346  } else {
347  return NULL;
348  }
349  }
350 
351  if (a->argc != 4) {
352  return CLI_SHOWUSAGE;
353  }
354 
355  profile = eprofile_get_cfg(a->argv[3]);
356  if (!profile) {
357  ast_log(LOG_ERROR,"Effective Profile %s doesn't exist\n", a->argv[3]);
358  return CLI_FAILURE;
359  }
360  config_object_cli_show(profile, a, &data, 0);
361 
362  ao2_cleanup(profile);
363 
364  return CLI_SUCCESS;
365 }
366 
367 static char *cli_eprofile_show_all(struct ast_cli_entry *e, int cmd, struct ast_cli_args *a)
368 {
369  struct ao2_container *container;
370  struct config_object_cli_data data = {
371  .title = "Effective Profile",
372  .object_type = config_object_type_profile,
373  };
374 
375  switch(cmd) {
376  case CLI_INIT:
377  e->command = "stir_shaken show eprofiles";
378  e->usage =
379  "Usage: stir_shaken show eprofiles\n"
380  " Show all eprofiles for stir/shaken\n";
381  return NULL;
382  case CLI_GENERATE:
383  return NULL;
384  }
385 
386  if (a->argc != 3) {
387  return CLI_SHOWUSAGE;
388  }
389 
390  container = eprofile_get_all();
391  if (!container || ao2_container_count(container) == 0) {
392  ast_cli(a->fd, "No stir/shaken eprofiles found\n");
393  ao2_cleanup(container);
394  return CLI_SUCCESS;
395  }
396 
397  ao2_callback_data(container, OBJ_NODATA, config_object_cli_show, a, &data);
398  ao2_ref(container, -1);
399 
400  return CLI_SUCCESS;
401 }
402 
403 static struct ast_cli_entry stir_shaken_profile_cli[] = {
404  AST_CLI_DEFINE(cli_profile_show, "Show stir/shaken profile by id"),
405  AST_CLI_DEFINE(cli_profile_show_all, "Show all stir/shaken profiles"),
406  AST_CLI_DEFINE(cli_eprofile_show, "Show stir/shaken eprofile by id"),
407  AST_CLI_DEFINE(cli_eprofile_show_all, "Show all stir/shaken eprofiles"),
408 };
409 
410 int profile_reload(void)
411 {
412  struct ast_sorcery *sorcery = get_sorcery();
413  ast_sorcery_force_reload_object(sorcery, CONFIG_TYPE);
414  ast_sorcery_force_reload_object(sorcery, "eprofile");
415  return 0;
416 }
417 
418 int profile_unload(void)
419 {
420  ast_cli_unregister_multiple(stir_shaken_profile_cli,
421  ARRAY_LEN(stir_shaken_profile_cli));
422 
423  return 0;
424 }
425 
426 int profile_load(void)
427 {
428  struct ast_sorcery *sorcery = get_sorcery();
429  enum ast_sorcery_apply_result apply_rc;
430 
431  /*
432  * eprofile MUST be registered first because profile needs it.
433  */
434  apply_rc = ast_sorcery_apply_default(sorcery, "eprofile", "memory", NULL);
435  if (apply_rc != AST_SORCERY_APPLY_SUCCESS) {
436  abort();
437  }
438  if (ast_sorcery_internal_object_register(sorcery, "eprofile",
439  profile_alloc, NULL, eprofile_apply)) {
440  ast_log(LOG_ERROR, "stir/shaken - failed to register '%s' sorcery object\n", "eprofile");
441  return -1;
442  }
443 
444  ast_sorcery_object_field_register_nodoc(sorcery, "eprofile", "type", "", OPT_NOOP_T, 0, 0);
445  enum_option_register(sorcery, "eprofile", endpoint_behavior, _nodoc);
446  register_common_verification_fields(sorcery, profile_cfg, "eprofile", _nodoc);
447  register_common_attestation_fields(sorcery, profile_cfg, "eprofile", _nodoc);
448 
449  /*
450  * Now we can do profile
451  */
452  ast_sorcery_apply_default(sorcery, CONFIG_TYPE, "config", "stir_shaken.conf,criteria=type=profile");
453  if (ast_sorcery_object_register(sorcery, CONFIG_TYPE, profile_alloc,
454  NULL, profile_apply)) {
455  ast_log(LOG_ERROR, "stir/shaken - failed to register '%s' sorcery object\n", CONFIG_TYPE);
456  return -1;
457  }
458 
459  ast_sorcery_object_field_register(sorcery, CONFIG_TYPE, "type", "", OPT_NOOP_T, 0, 0);
460  enum_option_register(sorcery, CONFIG_TYPE, endpoint_behavior,);
461  register_common_verification_fields(sorcery, profile_cfg, CONFIG_TYPE,);
462  register_common_attestation_fields(sorcery, profile_cfg, CONFIG_TYPE,);
463 
464  ast_sorcery_load_object(sorcery, CONFIG_TYPE);
465  ast_sorcery_load_object(sorcery, "eprofile");
466 
467  ast_cli_register_multiple(stir_shaken_profile_cli,
468  ARRAY_LEN(stir_shaken_profile_cli));
469 
470  return 0;
471 }
Security Event Reporting API.
#define ast_sorcery_object_field_register_nodoc(sorcery, type, name, default_val, opt_type, flags,...)
Register a field within an object without documentation.
Definition: sorcery.h:987
Asterisk main include file. File version handling, generic pbx functions.
int ao2_container_count(struct ao2_container *c)
Returns the number of elements in a container.
int ast_cli_unregister_multiple(struct ast_cli_entry *e, int len)
Unregister multiple commands.
Definition: clicompat.c:30
void ast_sorcery_force_reload_object(const struct ast_sorcery *sorcery, const char *type)
Inform any wizards of a specific object type to reload persistent objects even if no changes determin...
Definition: sorcery.c:1457
Stasis Message Bus API. See Stasis Message Bus API for detailed documentation.
descriptor for a cli entry.
Definition: cli.h:171
Perform no matching, return all objects.
Definition: sorcery.h:123
Full structure for sorcery.
Definition: sorcery.c:230
Type for a default handler that should do nothing.
#define ast_cli_register_multiple(e, len)
Register multiple commands.
Definition: cli.h:265
int ast_sorcery_objectset_apply(const struct ast_sorcery *sorcery, void *object, struct ast_variable *objectset)
Apply an object set (KVP list) to an object.
Definition: sorcery.c:1632
Return all matching objects.
Definition: sorcery.h:120
void ast_sorcery_load_object(const struct ast_sorcery *sorcery, const char *type)
Inform any wizards of a specific object type to load persistent objects.
Definition: sorcery.c:1393
void * ast_sorcery_retrieve_by_id(const struct ast_sorcery *sorcery, const char *type, const char *id)
Retrieve an object using its unique identifier.
Definition: sorcery.c:1853
int ast_sorcery_create(const struct ast_sorcery *sorcery, void *object)
Create and potentially persist an object using an available wizard.
Definition: sorcery.c:2062
ast_sorcery_apply_result
Definition: sorcery.h:423
#define ast_string_field_init(x, size)
Initialize a field pool and fields.
Definition: stringfields.h:359
Access Control of various sorts.
#define ao2_ref(o, delta)
Reference/unreference an object and return the old refcount.
Definition: astobj2.h:459
const char * ast_sorcery_object_get_id(const void *object)
Get the unique identifier of a sorcery object.
Definition: sorcery.c:2317
struct ao2_container * container
Definition: res_fax.c:501
#define ast_sorcery_object_register(sorcery, type, alloc, transform, apply)
Register an object type.
Definition: sorcery.h:837
#define ast_sorcery_internal_object_register(sorcery, type, alloc, transform, apply)
Register an internal, hidden object type.
Definition: sorcery.h:867
void * ast_sorcery_alloc(const struct ast_sorcery *sorcery, const char *type, const char *id)
Allocate an object.
Definition: sorcery.c:1744
char * command
Definition: cli.h:186
const char * usage
Definition: cli.h:177
void * ast_sorcery_retrieve_by_fields(const struct ast_sorcery *sorcery, const char *type, unsigned int flags, struct ast_variable *fields)
Retrieve an object or multiple objects using specific fields.
Definition: sorcery.c:1897
#define ast_sorcery_object_field_register(sorcery, type, name, default_val, opt_type, flags,...)
Register a field within an object.
Definition: sorcery.h:955
Standard Command Line Interface.
Profile configuration for stir/shaken.
Generic container type.
void * ast_sorcery_generic_alloc(size_t size, ao2_destructor_fn destructor)
Allocate a generic sorcery capable object.
Definition: sorcery.c:1728
#define RAII_VAR(vartype, varname, initval, dtor)
Declare a variable that will call a destructor function when it goes out of scope.
Definition: utils.h:941
#define ast_string_field_free_memory(x)
free all memory - to be called before destroying the object
Definition: stringfields.h:374
Sorcery Data Access Layer API.
int ast_sorcery_update(const struct ast_sorcery *sorcery, void *object)
Update an object.
Definition: sorcery.c:2150