osmo-sgsn: add VTY parameter to toggle authentication

It may be useful to have 'remote' authorization policy, but do not require authentication in GERAN at the same time, e.g. in combination with 'subscriber-create-on-demand' feature of OsmoHLR. This change introduces a new VTY parameter similar to the one that we already have in OsmoMSC: authentication (optional|required) Please note that 'required' only applies if 'auth-policy' is 'remote'. Change-Id: I9909145e7e0af587c28827e16301a61b13eedaa9
2019-05-27 05:39:06 +07:00 · 2019-05-27 05:39:06 +07:00 · 794f446a28
parent f7afd20200
commit 794f446a28
4 changed files with 45 additions and 1 deletions
--- a/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg
+++ b/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg
@ -10,6 +10,7 @@ sgsn
 ggsn 0 remote-ip 127.0.0.2
 ggsn 0 gtp-version 1
 ggsn 0 echo-interval 60
+ authentication optional
 auth-policy accept-all
 !
 ns
--- a/doc/examples/osmo-sgsn/osmo-sgsn.cfg
+++ b/doc/examples/osmo-sgsn/osmo-sgsn.cfg
@ -10,6 +10,7 @@ sgsn
 ggsn 0 remote-ip 127.0.0.2
 ggsn 0 gtp-version 1
 ggsn 0 echo-interval 60
+ authentication required
 auth-policy remote
 gsup remote-ip 127.0.0.1
 gsup remote-port 4222
--- a/doc/manuals/vty/sgsn_vty_reference.xml
+++ b/doc/manuals/vty/sgsn_vty_reference.xml
@ -2230,6 +2230,13 @@
        <param name='remote' doc='Use remote subscription data only (HLR)' />
      </params>
    </command>
+    <command id='authentication (optional|required)'>
+      <params>
+        <param name='authentication' doc='Whether to enforce MS authentication in GERAN' />
+        <param name='optional' doc='Allow MS to attach via GERAN without authentication' />
+        <param name='required' doc='Always require authentication' />
+      </params>
+    </command>
    <command id='encryption (GEA0|GEA1|GEA2|GEA3|GEA4)'>
      <params>
        <param name='encryption' doc='Set encryption algorithm for SGSN' />
--- a/src/gprs/sgsn_vty.c
+++ b/src/gprs/sgsn_vty.c
@ -211,6 +211,8 @@ static int config_write_sgsn(struct vty *vty)
 	if (g_cfg->gsup_server_port)
 		vty_out(vty, " gsup remote-port %d%s",
 			g_cfg->gsup_server_port, VTY_NEWLINE);
+	vty_out(vty, " authentication %s%s",
+		g_cfg->require_authentication ? "required" : "optional", VTY_NEWLINE);
 	vty_out(vty, " auth-policy %s%s",
 		get_value_string(sgsn_auth_pol_strs, g_cfg->auth_policy),
 		VTY_NEWLINE);
@ -693,6 +695,27 @@ DEFUN(cfg_encrypt, cfg_encrypt_cmd,
 	return CMD_SUCCESS;
 }

+DEFUN(cfg_authentication, cfg_authentication_cmd,
+      "authentication (optional|required)",
+      "Whether to enforce MS authentication in GERAN\n"
+      "Allow MS to attach via GERAN without authentication\n"
+      "Always require authentication\n")
+{
+	int required = (argv[0][0] == 'r');
+
+	if (vty->type != VTY_FILE) {
+		if (g_cfg->auth_policy != SGSN_AUTH_POLICY_REMOTE && required) {
+			vty_out(vty, "%% Authentication is not possible without HLR, "
+				     "consider setting 'auth-policy' to 'remote'%s",
+				     VTY_NEWLINE);
+			return CMD_WARNING;
+		}
+	}
+
+	g_cfg->require_authentication = required;
+	return CMD_SUCCESS;
+}
+
 DEFUN(cfg_auth_policy, cfg_auth_policy_cmd,
 	"auth-policy (accept-all|closed|acl-only|remote)",
 	"Configure the Authorization policy of the SGSN. This setting determines which subscribers are"
@ -705,9 +728,12 @@ DEFUN(cfg_auth_policy, cfg_auth_policy_cmd,
 	int val = get_string_value(sgsn_auth_pol_strs, argv[0]);
 	OSMO_ASSERT(val >= SGSN_AUTH_POLICY_OPEN && val <= SGSN_AUTH_POLICY_REMOTE);
 	g_cfg->auth_policy = val;
-	g_cfg->require_authentication = (val == SGSN_AUTH_POLICY_REMOTE);
 	g_cfg->require_update_location = (val == SGSN_AUTH_POLICY_REMOTE);

+	/* Authentication is not possible without HLR */
+	if (val != SGSN_AUTH_POLICY_REMOTE)
+		g_cfg->require_authentication = 0;
+
 	return CMD_SUCCESS;
 }

@ -1391,6 +1417,7 @@ int sgsn_vty_init(struct sgsn_config *cfg)
 	install_element(SGSN_NODE, &cfg_ggsn_no_echo_interval_cmd);
 	install_element(SGSN_NODE, &cfg_imsi_acl_cmd);
 	install_element(SGSN_NODE, &cfg_auth_policy_cmd);
+	install_element(SGSN_NODE, &cfg_authentication_cmd);
 	install_element(SGSN_NODE, &cfg_encrypt_cmd);
 	install_element(SGSN_NODE, &cfg_gsup_ipa_name_cmd);
 	install_element(SGSN_NODE, &cfg_gsup_remote_ip_cmd);
@ -1462,6 +1489,14 @@ int sgsn_parse_config(const char *config_file)
 		return rc;
 	}

+	if (g_cfg->auth_policy != SGSN_AUTH_POLICY_REMOTE
+	    && g_cfg->require_authentication) {
+		fprintf(stderr, "Configuration error:"
+			" authentication is not possible without HLR."
+			" Consider setting 'auth-policy' to 'remote'\n");
+		return -EINVAL;
+	}
+
 	if (g_cfg->auth_policy == SGSN_AUTH_POLICY_REMOTE
 	    && !(g_cfg->gsup_server_addr.sin_addr.s_addr
 		 && g_cfg->gsup_server_port)) {