osmo-pcap/src/osmo_server_vty.c

/*
 * osmo-pcap-server code
 *
 * (C) 2011-2016 by Holger Hans Peter Freyther <zecke@selfish.org>
 * (C) 2011 by On-Waves
 * All Rights Reserved
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as published by
 * the Free Software Foundation; either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

#include <osmo-pcap/osmo_pcap_server.h>
#include <osmo-pcap/common.h>

#include <osmocom/core/talloc.h>

#include <zmq.h>

#include <unistd.h>
#include <errno.h>
#include <string.h>


#define SERVER_STR "Server settings\n"
#define CLIENT_STR "Client\n"

static struct cmd_node server_node = {
	SERVER_NODE,
	"%s(server)#",
	1,
};

static void write_tls(struct vty *vty, struct osmo_pcap_server *pcap_server)
{
	if (!pcap_server->tls_on)
		return;

	vty_out(vty, " enable tls%s", VTY_NEWLINE);
	vty_out(vty, " tls log-level %d%s",
		pcap_server->tls_log_level, VTY_NEWLINE);

	if (pcap_server->tls_allow_anon)
		vty_out(vty, " tls allow-auth anonymous%s", VTY_NEWLINE);

	if (pcap_server->tls_allow_x509)
		vty_out(vty, " tls allow-auth x509%s", VTY_NEWLINE);

	if (pcap_server->tls_priority)
		vty_out(vty, " tls priority %s%s",
			pcap_server->tls_priority, VTY_NEWLINE);
	if (pcap_server->tls_capath)
		vty_out(vty, " tls capath %s%s", pcap_server->tls_capath, VTY_NEWLINE);

	if (pcap_server->tls_crlfile)
		vty_out(vty, " tls crlfile %s%s", pcap_server->tls_crlfile, VTY_NEWLINE);

	if (pcap_server->tls_server_cert)
		vty_out(vty, " tls server-cert %s%s",
			pcap_server->tls_server_cert, VTY_NEWLINE);

	if (pcap_server->tls_server_key)
		vty_out(vty, " tls server-key %s%s",
			pcap_server->tls_server_key, VTY_NEWLINE);

	if (pcap_server->tls_dh_pkcs3)
		vty_out(vty, " tls dh pkcs3 %s%s",
			pcap_server->tls_dh_pkcs3, VTY_NEWLINE);
	else
		vty_out(vty, " tls dh generate%s", VTY_NEWLINE);
}

static int config_write_server(struct vty *vty)
{
	struct osmo_pcap_conn *conn;

	vty_out(vty, "server%s", VTY_NEWLINE);

	if (pcap_server->base_path)
		vty_out(vty, " base-path %s%s", pcap_server->base_path, VTY_NEWLINE);
	vty_out(vty, " file-permission-mask 0%o%s", pcap_server->permission_mask, VTY_NEWLINE);
	if (pcap_server->addr)
		vty_out(vty, " server ip %s%s", pcap_server->addr, VTY_NEWLINE);
	if (pcap_server->port > 0)
		vty_out(vty, " server port %d%s", pcap_server->port, VTY_NEWLINE);
	vty_out(vty, " max-file-size %llu%s",
		(unsigned long long) pcap_server->max_size, VTY_NEWLINE);
	if (pcap_server->max_snaplen != DEFAULT_SNAPLEN)
		vty_out(vty, " server max-snaplen %d%s", pcap_server->max_snaplen, VTY_NEWLINE);
	if (pcap_server->zmq_port > 0)
		vty_out(vty, " zeromq-publisher %s %d%s",
			pcap_server->zmq_ip, pcap_server->zmq_port, VTY_NEWLINE);

	write_tls(vty, pcap_server);

	llist_for_each_entry(conn, &pcap_server->conn, entry) {
		vty_out(vty, " client %s %s%s%s%s",
			conn->name, conn->remote_host,
			conn->no_store ? " no-store" : " store",
			conn->tls_use ? " tls" : "",
			VTY_NEWLINE);
	}

	return CMD_SUCCESS;
}

DEFUN(cfg_server,
      cfg_server_cmd,
      "server",
      "Enter the server configuration\n")
{
	vty->node = SERVER_NODE;
	return CMD_SUCCESS;
}

DEFUN(cfg_server_base,
      cfg_server_base_cmd,
      "base-path PATH",
      "Base path for log files\n" "Path\n")
{
	talloc_free(pcap_server->base_path);
	pcap_server->base_path = talloc_strdup(pcap_server, argv[0]);
	return CMD_SUCCESS;
}

DEFUN(cfg_server_file_permission_mask,
      cfg_server_file_permission_mask_cmd,
      "file-permission-mask MODE",
      "Permission mask to use when creating pcap files\n"
      "The file permission mask, in octal format (default: 0440)\n")
{
	unsigned long long val;
	char *endptr;

	errno = 0;
	val = strtoul(argv[0], &endptr, 8);

	switch (errno) {
	case 0:
		break;
	case ERANGE:
	case EINVAL:
	default:
		goto ret_invalid;
	}
	if (!endptr || *endptr) {
		/* No chars were converted */
		if (endptr == argv[0])
			goto ret_invalid;
		/* Or there are surplus chars after the converted number */
		goto ret_invalid;
	}

	/* 'man mode_t': "According to POSIX, it shall be an integer type." */
	if (val > INT_MAX)
		goto ret_invalid;

	pcap_server->permission_mask = val;
	return CMD_SUCCESS;

ret_invalid:
	vty_out(vty, "%% File permission mask out of range: '%s'%s", argv[0], VTY_NEWLINE);
	return CMD_WARNING;
}

DEFUN(cfg_server_ip,
      cfg_server_ip_cmd,
      "server ip A.B.C.D",
      SERVER_STR "Listen\n" "IP Address\n")
{
	talloc_free(pcap_server->addr);
	pcap_server->addr = talloc_strdup(pcap_server, argv[0]);
	return CMD_SUCCESS;
}

DEFUN(cfg_server_port,
      cfg_server_port_cmd,
      "server port <1-65535>",
      SERVER_STR "Port\n" "Port Number\n")
{
	pcap_server->port = atoi(argv[0]);
	return CMD_SUCCESS;
}

DEFUN(cfg_server_max_size,
      cfg_server_max_size_cmd,
      "max-file-size NR",
      "Maximum file size for a trace\n" "Filesize in bytes\n")
{
	pcap_server->max_size = strtoull(argv[0], NULL, 10);
	return CMD_SUCCESS;
}

DEFUN(cfg_server_max_snaplen,
      cfg_server_max_snaplen_cmd,
      "max-snaplen <1-262144>", /* MAXIMUM_SNAPLEN */
      "Maximum pcap snapshot length\n" "Bytes\n")
{
	pcap_server->max_snaplen = atoi(argv[0]);
	return CMD_SUCCESS;
}

static int manage_client(struct osmo_pcap_server *pcap_server,
			struct vty *vty,
			const char *name, const char *remote_host,
			bool no_store, bool use_tls)
{
	struct osmo_pcap_conn *conn;
	conn = osmo_pcap_server_find(pcap_server, name);
	if (!conn) {
		vty_out(vty, "Failed to create a pcap server.\n");
		return CMD_WARNING;
	}

	talloc_free(conn->remote_host);
	conn->remote_host = talloc_strdup(pcap_server, remote_host);
	inet_aton(remote_host, &conn->remote_addr);

	/* Checking no-store and maybe closing a pcap file */
	if (no_store) {
		osmo_pcap_server_close_trace(conn);
		conn->no_store = 1;
	} else
		conn->no_store = 0;

	if (use_tls) {
		/* force moving to TLS */
		if (!conn->tls_use)
			osmo_pcap_server_close_conn(conn);
		conn->tls_use = true;
	} else {
		conn->tls_use = false;
	}

	return CMD_SUCCESS;
}


DEFUN(cfg_server_client,
      cfg_server_client_cmd,
      "client NAME A.B.C.D [no-store] [tls]",
      CLIENT_STR "Remote name used in filenames\n"
      "IP of the remote\n" "Do not store traffic\n"
      "Use Transport Level Security\n")
{
	return manage_client(pcap_server, vty, argv[0], argv[1], argc >= 3, argc >= 4);
}

DEFUN(cfg_server_client_store_tls,
      cfg_server_client_store_tls_cmd,
      "client NAME A.B.C.D store [tls]",
      CLIENT_STR "Remote name used in filenames\n"
      "IP of the remote\n" "Do not store traffic\n"
      "Use Transport Level Security\n")
{
	return manage_client(pcap_server, vty, argv[0], argv[1], false, argc >= 3);
}

DEFUN(cfg_server_no_client,
      cfg_server_no_client_cmd,
      "no client NAME",
      NO_STR CLIENT_STR "The name\n")
{
	struct osmo_pcap_conn *conn;
	conn = osmo_pcap_server_find(pcap_server, argv[0]);
	if (!conn) {
		vty_out(vty, "Failed to create a pcap server.\n");
		return CMD_WARNING;
	}

	osmo_pcap_server_delete(conn);
	return CMD_SUCCESS;
}

void destroy_zmq(struct vty *vty)
{
	if (pcap_server->zmq_publ) {
		int rc = zmq_close(pcap_server->zmq_publ);
		pcap_server->zmq_publ = NULL;
		if (rc != 0)
			vty_out(vty, "%%Failed to close publisher rc=%d errno=%d/%s%s",
				rc, errno, strerror(errno), VTY_NEWLINE);
	}
	if (pcap_server->zmq_ctx) {
		int rc = zmq_ctx_destroy(pcap_server->zmq_ctx);
		pcap_server->zmq_ctx = NULL;
		if (rc != 0)
			vty_out(vty, "%%Failed to destroy ctx rc=%d errno=%d/%s%s",
				rc, errno, strerror(errno), VTY_NEWLINE);
	}
}

DEFUN(cfg_server_zmq_ip_port,
      cfg_server_zmq_ip_port_cmd,
      "zeromq-publisher (A.B.C.D|*) <1-65535>",
      "Enable publishing data to ZeroMQ\n"
      "Bind to IPv4 address\n" "Bind to wildcard\n"
      "Bind to port\n")
{
	int linger, rc;
	char *bind_str;

	destroy_zmq(vty);
	talloc_free(pcap_server->zmq_ip);
	pcap_server->zmq_ip = talloc_strdup(pcap_server, argv[0]);
	if (!pcap_server->zmq_ip) {
		vty_out(vty, "%%Failed to allocate ip string%s", VTY_NEWLINE);
		return CMD_WARNING;
	}
	pcap_server->zmq_port = atoi(argv[1]);

	pcap_server->zmq_ctx = zmq_ctx_new();
	if (!pcap_server->zmq_ctx) {
		vty_out(vty, "%%Failed to create zmq ctx%s", VTY_NEWLINE);
		return CMD_WARNING;
	}
	pcap_server->zmq_publ = zmq_socket(pcap_server->zmq_ctx, ZMQ_PUB);
	if (!pcap_server->zmq_publ) {
		vty_out(vty, "%%Failed to create zmq publisher%s", VTY_NEWLINE);
		destroy_zmq(vty);
		return CMD_WARNING;
	}

	linger = 0;
	rc = zmq_setsockopt(pcap_server->zmq_publ, ZMQ_LINGER, &linger, sizeof(linger));
	if (rc != 0) {
		vty_out(vty, "%%Failed to set linger option rc=%d errno=%d/%s%s",
			rc, errno, strerror(errno), VTY_NEWLINE);
		destroy_zmq(vty);
		return CMD_WARNING;
	}

	bind_str = talloc_asprintf(pcap_server->zmq_ip, "tcp://%s:%d",
				pcap_server->zmq_ip, pcap_server->zmq_port);
	rc = zmq_bind(pcap_server->zmq_publ, bind_str);
	if (rc != 0) {
		vty_out(vty, "%%Failed to bind zmq publ rc=%d errno=%d/%s%s",
			rc, errno, strerror(errno), VTY_NEWLINE);
		destroy_zmq(vty);
		talloc_free(bind_str);
		return CMD_WARNING;
	}
	return CMD_SUCCESS;
}

DEFUN(cfg_no_server_zmq_ip_port,
      cfg_no_server_zmq_ip_port_cmd,
      "no zeromq-publisher",
      NO_STR "Disable zeromq-publishing\n")
{
	destroy_zmq(vty);
	talloc_free(pcap_server->zmq_ip);
	pcap_server->zmq_ip = NULL;
	pcap_server->zmq_port = 0;
	return CMD_SUCCESS;
}

#define TLS_STR "Transport Layer Security\n"

DEFUN(cfg_enable_tls,
      cfg_enable_tls_cmd,
      "enable tls",
      "Enable\n" "Transport Layer Security\n")
{
	pcap_server->tls_on = true;
	return CMD_SUCCESS;
}

DEFUN(cfg_disable_tls,
      cfg_disable_tls_cmd,
      "disable tls",
      "Disable\n" "Transport Layer Security\n")
{
	pcap_server->tls_on = false;
	return CMD_SUCCESS;
}

DEFUN(cfg_tls_log_level,
      cfg_tls_log_level_cmd,
      "tls log-level <0-255>",
      TLS_STR "Log-level\n" "GNUtls debug level\n")
{
	pcap_server->tls_log_level = atoi(argv[0]);
	return CMD_SUCCESS;
}

DEFUN(cfg_tls_allow_anon,
      cfg_tls_allow_anon_cmd,
      "tls allow-auth anonymous",
      TLS_STR "allow authentication\n" "for anonymous\n")
{
	pcap_server->tls_allow_anon = true;
	return CMD_SUCCESS;
}

DEFUN(cfg_no_tls_allow_anon,
      cfg_no_tls_allow_anon_cmd,
      "no tls allow-auth anonymous",
      NO_STR TLS_STR "allow authentication\n" "for anonymous\n")
{
	pcap_server->tls_allow_anon = false;
	return CMD_SUCCESS;
}

DEFUN(cfg_tls_allow_x509,
      cfg_tls_allow_x509_cmd,
      "tls allow-auth x509",
      TLS_STR "allow authentication\n" "for certificates\n")
{
	pcap_server->tls_allow_x509 = true;
	return CMD_SUCCESS;
}

DEFUN(cfg_no_tls_allow_x509,
      cfg_no_tls_allow_x509_cmd,
      "no tls allow-auth x509",
      NO_STR TLS_STR "allow authentication\n" "for certificates\n")
{
	pcap_server->tls_allow_x509 = false;
	return CMD_SUCCESS;
}

DEFUN(cfg_tls_priority,
      cfg_tls_priority_cmd,
      "tls priority STR",
      TLS_STR "Priority string for GNUtls\n" "Priority string\n")
{
	talloc_free(pcap_server->tls_priority);
	pcap_server->tls_priority = talloc_strdup(pcap_server, argv[0]);
	return CMD_SUCCESS;
}

DEFUN(cfg_no_tls_priority,
      cfg_no_tls_priority_cmd,
      "no tls priority",
      NO_STR TLS_STR "Priority string for GNUtls\n")
{
	talloc_free(pcap_server->tls_priority);
	pcap_server->tls_priority = NULL;
	return CMD_SUCCESS;
}

DEFUN(cfg_tls_capath,
      cfg_tls_capath_cmd,
      "tls capath .PATH",
      TLS_STR "Trusted root certificates\n" "Filename\n")
{
	talloc_free(pcap_server->tls_capath);
	pcap_server->tls_capath = talloc_strdup(pcap_server, argv[0]);
	return CMD_SUCCESS;
}

DEFUN(cfg_no_tls_capath,
      cfg_no_tls_capath_cmd,
      "no tls capath",
      NO_STR TLS_STR "Trusted root certificates\n")
{
	talloc_free(pcap_server->tls_capath);
	pcap_server->tls_capath = NULL;
	return CMD_SUCCESS;
}

DEFUN(cfg_tls_crlfile,
      cfg_tls_crlfile_cmd,
      "tls crlfile .PATH",
      TLS_STR "CRL file\n" "Filename\n")
{
	talloc_free(pcap_server->tls_crlfile);
	pcap_server->tls_crlfile = talloc_strdup(pcap_server, argv[0]);
	return CMD_SUCCESS;
}

DEFUN(cfg_no_tls_crlfile,
      cfg_no_tls_crlfile_cmd,
      "no tls crlfile",
      NO_STR TLS_STR "CRL file\n")
{
	talloc_free(pcap_server->tls_crlfile);
	pcap_server->tls_crlfile = NULL;
	return CMD_SUCCESS;
}

DEFUN(cfg_tls_server_cert,
      cfg_tls_server_cert_cmd,
      "tls server-cert .PATH",
      TLS_STR "Server certificate\n" "Filename\n")
{
	talloc_free(pcap_server->tls_server_cert);
	pcap_server->tls_server_cert = talloc_strdup(pcap_server, argv[0]);
	return CMD_SUCCESS;
}

DEFUN(cfg_no_tls_server_cert,
      cfg_no_tls_server_cert_cmd,
      "no tls server-cert",
      NO_STR TLS_STR "Server certificate\n")
{
	talloc_free(pcap_server->tls_server_cert);
	pcap_server->tls_server_cert = NULL;
	return CMD_SUCCESS;
}

DEFUN(cfg_tls_server_key,
      cfg_tls_server_key_cmd,
      "tls server-key .PATH",
      TLS_STR "Server private key\n" "Filename\n")
{
	talloc_free(pcap_server->tls_server_key);
	pcap_server->tls_server_key = talloc_strdup(pcap_server, argv[0]);
	return CMD_SUCCESS;
}

DEFUN(cfg_no_tls_server_key,
      cfg_no_tls_server_key_cmd,
      "no tls server-key",
      NO_STR TLS_STR "Server private key\n")
{
	talloc_free(pcap_server->tls_server_key);
	pcap_server->tls_server_key = NULL;
	return CMD_SUCCESS;
}

DEFUN(cfg_tls_dh_pkcs3,
      cfg_tls_dh_pkcs3_cmd,
      "tls dh pkcs .FILE",
      TLS_STR "Diffie-Hellman Key Exchange\n" "PKCS3\n" "Filename\n")
{
	talloc_free(pcap_server->tls_dh_pkcs3);
	pcap_server->tls_dh_pkcs3 = talloc_strdup(pcap_server, argv[0]);

	osmo_tls_dh_load(pcap_server);
	return CMD_SUCCESS;
}

DEFUN(cfg_tls_dh_generate,
      cfg_tls_dh_generate_cmd,
      "tls dh generate",
      TLS_STR "Diffie-Hellman Key Exchange\n" "Generate prime\n")
{
	talloc_free(pcap_server->tls_dh_pkcs3);
	pcap_server->tls_dh_pkcs3 = NULL;

	osmo_tls_dh_generate(pcap_server);
	return CMD_SUCCESS;
}

void vty_server_init(void)
{
	install_element(CONFIG_NODE, &cfg_server_cmd);
	install_node(&server_node, config_write_server);

	install_element(SERVER_NODE, &cfg_server_base_cmd);
	install_element(SERVER_NODE, &cfg_server_file_permission_mask_cmd);
	install_element(SERVER_NODE, &cfg_server_ip_cmd);
	install_element(SERVER_NODE, &cfg_server_port_cmd);
	install_element(SERVER_NODE, &cfg_server_max_size_cmd);
	install_element(SERVER_NODE, &cfg_server_max_snaplen_cmd);
	install_element(SERVER_NODE, &cfg_server_zmq_ip_port_cmd);
	install_element(SERVER_NODE, &cfg_no_server_zmq_ip_port_cmd);

	/* tls for the server */
	install_element(SERVER_NODE, &cfg_enable_tls_cmd);
	install_element(SERVER_NODE, &cfg_disable_tls_cmd);
	install_element(SERVER_NODE, &cfg_tls_log_level_cmd);
	install_element(SERVER_NODE, &cfg_tls_allow_anon_cmd);
	install_element(SERVER_NODE, &cfg_no_tls_allow_anon_cmd);
	install_element(SERVER_NODE, &cfg_tls_allow_x509_cmd);
	install_element(SERVER_NODE, &cfg_no_tls_allow_x509_cmd);
	install_element(SERVER_NODE, &cfg_tls_priority_cmd);
	install_element(SERVER_NODE, &cfg_no_tls_priority_cmd);
	install_element(SERVER_NODE, &cfg_tls_capath_cmd);
	install_element(SERVER_NODE, &cfg_no_tls_capath_cmd);
	install_element(SERVER_NODE, &cfg_tls_crlfile_cmd);
	install_element(SERVER_NODE, &cfg_no_tls_crlfile_cmd);
	install_element(SERVER_NODE, &cfg_tls_server_cert_cmd);
	install_element(SERVER_NODE, &cfg_no_tls_server_cert_cmd);
	install_element(SERVER_NODE, &cfg_tls_server_key_cmd);
	install_element(SERVER_NODE, &cfg_no_tls_server_key_cmd);
	install_element(SERVER_NODE, &cfg_tls_dh_generate_cmd);
	install_element(SERVER_NODE, &cfg_tls_dh_pkcs3_cmd);

	install_element(SERVER_NODE, &cfg_server_client_cmd);
	install_element(SERVER_NODE, &cfg_server_client_store_tls_cmd);
	install_element(SERVER_NODE, &cfg_server_no_client_cmd);
}