[strongSwan-dev] Pull request for external-authorization plugin
Vyronas Tsingaras
vtsingaras at it.auth.gr
Tue Jul 29 20:09:07 CEST 2014
Hi Martin and everyone else
My second attempt.
https://github.com/strongswan/strongswan/pull/4
Comments are greatly appreciated.
On 29 July 2014 15:16:08 EEST, Martin Willi <martin at strongswan.org> wrote:
>Hi Vyronas,
>
>> https://github.com/strongswan/strongswan/pull/4
>> Please send me any problems you see/suggestions you may have.
>
>Thanks for your patch. Some notes:
>
>> +ARG_ENABL_SET([external-authorization], [enable the use of an
>external authorization program (like OpenVPN).
>
>That line misses two closing brackets. Travis failed to ./configure
>your
>sources, see [1].
>
>Also, the name is rather long; something like ext-auth might be simpler
>for all these identifiers?
>
>At the end of the file, you'll have to add your Makefile to
>AC_CONFIG_FILES to generate it during ./configure.
>
>> + -DIPSEC_PIDDIR=\"${piddir}\"
>
>You probably don't need that PIDDIR define in your source?
>
>> +++
>b/src/libcharon/plugins/external_authorization/external_authorization_listener.c
>> @@ -0,0 +1,121 @@
>> +#include "external_authorization_listener.h"
>
>Can you add a license header to all your new files? GPLv2 is possible,
>MIT preferable, see [2].
>
>> + if(!this->enabled)
>> + {
>> + DBG2(DBG_CFG, "external-authorization is disabled");
>> + *success = TRUE;
>> + return TRUE;
>> + }
>> + /* check if path is empty string or NULL */
>> + if (!strcmp(this->path, "") || this->path == NULL)
>> + {
>> + DBG1(DBG_CFG, "ERROR: no authorization script specified");
>> + *success = FALSE;
>> + return FALSE;
>> + }
>
>I think it would be simpler to check these values during plugin
>registration, and register the plugin in your plugin_cb only if these
>are set. You could add all that logic to _plugin.c, and pass the path
>as
>constructor argument to your listener.
>
>Also, most likely you won't need the "enabled" flag at all, as with
>5.2.0 we can now globally enable/disable plugins conveniently.
>
>> + DBG2(DBG_CFG, "peer identity received: '%Y'", peer_id);
>> + char buf[255];
>> + snprintf(buf, 255, "%Y", peer_id);
>
>Please define variables at the beginning of the block. Use of sizeof()
>is preferable.
>
>> + setenv("IPSEC_IDENTITY", (char*)buf, 1);
>
>As most likely that list of variables grows, we probably should
>consider
>some consistent naming scheme. IPSEC_IDENTITY is not very specific;
>what
>about IKE_REMOTE_EAP_ID?
>
>> + DBG2(DBG_CFG, "calling script: %s", this->path);
>> + authorized = WEXITSTATUS(system(this->path));
>
>While the invocation of the authorize() hook is currently serialized,
>this is not set in stone. If we change that behavior, this code has
>some
>serious multi-threading issues. Preferably you'd set that variable for
>the invocation only, i.e. pass it to the system() call.
>
>You also might consider using popen(), which allows you to redirect the
>output to the strongSwan log system. This allows your authorization
>script to log failure information. Refer to the updown plugin for
>details.
>
>> +METHOD(external_authorization_listener_t, set_active, void,
>> +METHOD(external_authorization_listener_t, set_path, void,
>
>Are there any users of these methods? If not you probably should drop
>these for now.
>
>> + .path = lib->settings->get_str(lib->settings,
>"%s.plugins.external-authorization.path", "", lib->ns),
>
>Please wrap lines around ~80 characters.
>
>Kind regards
>Martin
>
>[1]https://travis-ci.org/strongswan/strongswan/builds/31042895
>[2]https://wiki.strongswan.org/projects/strongswan/wiki/Contributions
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20140729/b3bb43f9/attachment.html>
More information about the Dev
mailing list