Refactor AAA app in preparation for clustered operation.
* Add formal API for accessing auth state information rather than directly
looking up static maps.
* Move static maps in StateMachine to non-static maps in AaaManager
* Manage identifier space used for requests/replies better
* Refactored state machine timeout mechansim
Change-Id: Ie53c3a66ac1619e10607d9926b71747a333317f3
diff --git a/api/src/main/java/org/opencord/aaa/AuthenticationEvent.java b/api/src/main/java/org/opencord/aaa/AuthenticationEvent.java
index da02ec2..87054c0 100644
--- a/api/src/main/java/org/opencord/aaa/AuthenticationEvent.java
+++ b/api/src/main/java/org/opencord/aaa/AuthenticationEvent.java
@@ -47,7 +47,12 @@
/**
* Authentication request was denied.
*/
- DENIED
+ DENIED,
+
+ /**
+ * Authentication flow timed out.
+ */
+ TIMEOUT
}
/**
diff --git a/api/src/main/java/org/opencord/aaa/AuthenticationRecord.java b/api/src/main/java/org/opencord/aaa/AuthenticationRecord.java
new file mode 100644
index 0000000..5433fd9
--- /dev/null
+++ b/api/src/main/java/org/opencord/aaa/AuthenticationRecord.java
@@ -0,0 +1,86 @@
+/*
+ * Copyright 2020-present Open Networking Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.opencord.aaa;
+
+import org.onlab.packet.MacAddress;
+import org.onosproject.net.ConnectPoint;
+
+/**
+ * Describes state of an authentication attempt.
+ */
+public class AuthenticationRecord {
+
+ private final ConnectPoint supplicantConnectPoint;
+
+ private final byte[] username;
+
+ private final MacAddress supplicantAddress;
+
+ private final String state;
+
+ /**
+ * Creates a new authentication record.
+ *
+ * @param supplicantConnectPoint connect point
+ * @param username user name
+ * @param supplicantAddress MAC address of supplicant
+ * @param state authentication state
+ */
+ public AuthenticationRecord(ConnectPoint supplicantConnectPoint, byte[] username,
+ MacAddress supplicantAddress, String state) {
+ this.supplicantConnectPoint = supplicantConnectPoint;
+ this.username = username;
+ this.supplicantAddress = supplicantAddress;
+ this.state = state;
+ }
+
+ /**
+ * Gets the connect point of supplicant.
+ *
+ * @return connect point
+ */
+ public ConnectPoint supplicantConnectPoint() {
+ return supplicantConnectPoint;
+ }
+
+ /**
+ * Gets the username of supplicant.
+ *
+ * @return username
+ */
+ public byte[] username() {
+ return username;
+ }
+
+ /**
+ * Gets the MAC address of the supplicant.
+ *
+ * @return MAC address
+ */
+ public MacAddress supplicantAddress() {
+ return supplicantAddress;
+ }
+
+ /**
+ * Gets the current state of the authentication attempt.
+ *
+ * @return state
+ */
+ public String state() {
+ return state;
+ }
+}
diff --git a/api/src/main/java/org/opencord/aaa/AuthenticationService.java b/api/src/main/java/org/opencord/aaa/AuthenticationService.java
index 82aabbd..c474203 100644
--- a/api/src/main/java/org/opencord/aaa/AuthenticationService.java
+++ b/api/src/main/java/org/opencord/aaa/AuthenticationService.java
@@ -16,11 +16,30 @@
package org.opencord.aaa;
+import org.onlab.packet.MacAddress;
import org.onosproject.event.ListenerService;
+import java.util.List;
+
/**
- * Service for interacting with authentication module.
+ * Service for interacting with authentication state.
*/
public interface AuthenticationService extends
ListenerService<AuthenticationEvent, AuthenticationEventListener> {
+
+ /**
+ * Gets records of authentications that are completed or in progress.
+ *
+ * @return list of authentication records
+ */
+ List<AuthenticationRecord> getAuthenticationRecords();
+
+ /**
+ * Removes an authentication record.
+ *
+ * @param mac MAC address of record to remove
+ * @return true if a record was remove, otherwise false
+ */
+ boolean removeAuthenticationStateByMac(MacAddress mac);
+
}
diff --git a/app/pom.xml b/app/pom.xml
index 8e3bb75..18d1a20 100644
--- a/app/pom.xml
+++ b/app/pom.xml
@@ -43,6 +43,13 @@
<dependencies>
<dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-simple</artifactId>
+ <version>1.7.25</version>
+ <scope>test</scope>
+ </dependency>
+
+ <dependency>
<groupId>org.opencord</groupId>
<artifactId>sadis-api</artifactId>
<version>${sadis.api.version}</version>
diff --git a/app/src/main/java/org/opencord/aaa/cli/AaaResetDeviceCommand.java b/app/src/main/java/org/opencord/aaa/cli/AaaResetDeviceCommand.java
index c5e604f..af1265b 100644
--- a/app/src/main/java/org/opencord/aaa/cli/AaaResetDeviceCommand.java
+++ b/app/src/main/java/org/opencord/aaa/cli/AaaResetDeviceCommand.java
@@ -20,7 +20,7 @@
import org.apache.karaf.shell.api.action.lifecycle.Service;
import org.onlab.packet.MacAddress;
import org.onosproject.cli.AbstractShellCommand;
-import org.opencord.aaa.impl.StateMachine;
+import org.opencord.aaa.AuthenticationService;
/**
* Removes a AAA state machine.
@@ -35,8 +35,10 @@
@Override
protected void doExecute() {
+ AuthenticationService service = get(AuthenticationService.class);
+
for (String mac : macs) {
- StateMachine.deleteByMac(MacAddress.valueOf(mac));
+ service.removeAuthenticationStateByMac(MacAddress.valueOf(mac));
}
}
}
diff --git a/app/src/main/java/org/opencord/aaa/cli/AaaShowUsersCommand.java b/app/src/main/java/org/opencord/aaa/cli/AaaShowUsersCommand.java
index 112d70b..cd1cea5 100644
--- a/app/src/main/java/org/opencord/aaa/cli/AaaShowUsersCommand.java
+++ b/app/src/main/java/org/opencord/aaa/cli/AaaShowUsersCommand.java
@@ -20,7 +20,8 @@
import org.onosproject.cli.AbstractShellCommand;
import org.onosproject.net.AnnotationKeys;
import org.onosproject.net.device.DeviceService;
-import org.opencord.aaa.impl.StateMachine;
+import org.opencord.aaa.AuthenticationRecord;
+import org.opencord.aaa.AuthenticationService;
import org.opencord.sadis.SadisService;
import org.opencord.sadis.SubscriberAndDeviceInformation;
@@ -33,32 +34,25 @@
public class AaaShowUsersCommand extends AbstractShellCommand {
@Override
protected void doExecute() {
- String[] state = {
- "IDLE",
- "STARTED",
- "PENDING",
- "AUTHORIZED",
- "UNAUTHORIZED"
- };
- DeviceService devService = AbstractShellCommand.get(DeviceService.class);
- SadisService sadisService =
- AbstractShellCommand.get(SadisService.class);
+ DeviceService devService = get(DeviceService.class);
+ SadisService sadisService = get(SadisService.class);
+ AuthenticationService authService = get(AuthenticationService.class);
- for (StateMachine stateMachine : StateMachine.sessionIdMap().values()) {
- String deviceId = stateMachine.supplicantConnectpoint().deviceId().toString();
- String portNum = stateMachine.supplicantConnectpoint().port().toString();
+ for (AuthenticationRecord auth : authService.getAuthenticationRecords()) {
+ String deviceId = auth.supplicantConnectPoint().deviceId().toString();
+ String portNum = auth.supplicantConnectPoint().port().toString();
String username = "UNKNOWN";
- if (stateMachine.username() != null) {
- username = new String(stateMachine.username());
+ if (auth.username() != null) {
+ username = new String(auth.username());
}
String mac = "UNKNOWN";
- if (stateMachine.supplicantAddress() != null) {
- mac = stateMachine.supplicantAddress().toString();
+ if (auth.supplicantAddress() != null) {
+ mac = auth.supplicantAddress().toString();
}
- String nasPortId = devService.getPort(stateMachine.supplicantConnectpoint()).
+ String nasPortId = devService.getPort(auth.supplicantConnectPoint()).
annotations().value(AnnotationKeys.PORT_NAME);
String subsId = "UNKNOWN";
@@ -68,7 +62,7 @@
}
print("UserName=%s,CurrentState=%s,DeviceId=%s,MAC=%s,PortNumber=%s,SubscriberId=%s",
- username, state[stateMachine.state()], deviceId, mac, portNum, subsId);
+ username, auth.state(), deviceId, mac, portNum, subsId);
}
}
}
diff --git a/app/src/main/java/org/opencord/aaa/impl/AaaManager.java b/app/src/main/java/org/opencord/aaa/impl/AaaManager.java
index f1f5c05..67cfb75 100644
--- a/app/src/main/java/org/opencord/aaa/impl/AaaManager.java
+++ b/app/src/main/java/org/opencord/aaa/impl/AaaManager.java
@@ -16,6 +16,7 @@
package org.opencord.aaa.impl;
import com.google.common.base.Strings;
+import com.google.common.collect.Maps;
import org.apache.commons.lang3.builder.ToStringBuilder;
import org.onlab.packet.DeserializationException;
import org.onlab.packet.EAP;
@@ -55,6 +56,7 @@
import org.opencord.aaa.AaaSupplicantMachineStats;
import org.opencord.aaa.AuthenticationEvent;
import org.opencord.aaa.AuthenticationEventListener;
+import org.opencord.aaa.AuthenticationRecord;
import org.opencord.aaa.AuthenticationService;
import org.opencord.aaa.AuthenticationStatisticsEvent;
import org.opencord.aaa.AuthenticationStatisticsService;
@@ -85,10 +87,12 @@
import java.util.HashSet;
import java.util.List;
import java.util.Map;
+import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;
+import java.util.stream.Collectors;
import static org.onosproject.net.config.basics.SubjectFactories.APP_SUBJECT_FACTORY;
import static org.opencord.aaa.impl.OsgiPropertyConstants.OPERATIONAL_STATUS_SERVER_EVENT_GENERATION;
@@ -158,6 +162,10 @@
private int operationalStatusServerTimeoutInSeconds = OPERATIONAL_STATUS_SERVER_TIMEOUT_DEFAULT;
protected String operationalStatusEvaluationMode = STATUS_SERVER_MODE_DEFAULT;
+ private IdentifierManager idManager;
+
+ private ConcurrentMap<String, StateMachine> stateMachines;
+
// NAS IP address
protected InetAddress nasIpAddress;
@@ -262,6 +270,8 @@
@Activate
public void activate(ComponentContext context) {
+ idManager = new IdentifierManager();
+ stateMachines = Maps.newConcurrentMap();
appId = coreService.registerApplication(APP_NAME);
eventDispatcher.addSink(AuthenticationEvent.class, listenerRegistry);
netCfgService.addListener(cfgListener);
@@ -275,7 +285,6 @@
configureRadiusCommunication();
// register our event handler
packetService.addProcessor(processor, PacketProcessor.director(2));
- StateMachine.initializeMaps();
StateMachine.setDelegate(delegate);
cleanupTimerTimeOutInMins = newCfg.sessionCleanupTimer();
StateMachine.setcleanupTimerTimeOutInMins(cleanupTimerTimeOutInMins);
@@ -303,7 +312,6 @@
netCfgService.removeListener(cfgListener);
cfgService.unregisterProperties(getClass(), false);
StateMachine.unsetDelegate(delegate);
- StateMachine.destroyMaps();
impl.deactivate();
deviceService.removeListener(deviceListener);
eventDispatcher.removeSink(AuthenticationEvent.class);
@@ -435,30 +443,13 @@
impl.sendRadiusPacket(radiusPacket, inPkt);
}
- /**
- * For scheduling the timer required for cleaning up StateMachine
- * when no response
- * from RADIUS SERVER.
- *
- * @param sessionId SessionId of the current session
- * @param stateMachine StateMachine for the id
- */
- public void scheduleStateMachineCleanupTimer(String sessionId, StateMachine stateMachine) {
- StateMachine.CleanupTimerTask cleanupTask = stateMachine.new CleanupTimerTask(sessionId, this);
- ScheduledFuture<?> cleanupTimer = executor.schedule(cleanupTask, cleanupTimerTimeOutInMins, TimeUnit.MINUTES);
- stateMachine.setCleanupTimer(cleanupTimer);
-
- }
-
- /**
+ /**
* Handles RADIUS packets.
*
* @param radiusPacket RADIUS packet coming from the RADIUS server.
- * @throws StateMachineException if an illegal state transition is triggered
* @throws DeserializationException if packet deserialization fails
*/
- public void handleRadiusPacket(RADIUS radiusPacket)
- throws StateMachineException, DeserializationException {
+ public void handleRadiusPacket(RADIUS radiusPacket) throws DeserializationException {
if (log.isTraceEnabled()) {
log.trace("Received RADIUS packet {}", radiusPacket);
}
@@ -466,7 +457,20 @@
radiusOperationalStatusService.handleRadiusPacketForOperationalStatus(radiusPacket);
return;
}
- StateMachine stateMachine = StateMachine.lookupStateMachineById(radiusPacket.getIdentifier());
+
+ RequestIdentifier identifier = RequestIdentifier.of(radiusPacket.getIdentifier());
+ String sessionId = idManager.getSessionId(identifier);
+
+ if (sessionId == null) {
+ log.error("Invalid packet identifier {}, could not find corresponding "
+ + "state machine ... exiting", radiusPacket.getIdentifier());
+ aaaStatisticsManager.getAaaStats().incrementNumberOfSessionsExpired();
+ aaaStatisticsManager.getAaaStats().countDroppedResponsesRx();
+ return;
+ }
+
+ idManager.releaseIdentifier(identifier);
+ StateMachine stateMachine = stateMachines.get(sessionId);
if (stateMachine == null) {
log.error("Invalid packet identifier {}, could not find corresponding "
+ "state machine ... exiting", radiusPacket.getIdentifier());
@@ -476,7 +480,7 @@
}
//instance of StateMachine using the sessionId for updating machine stats
- StateMachine machineStats = StateMachine.lookupStateMachineBySessionId(stateMachine.sessionId());
+ StateMachine machineStats = stateMachines.get(stateMachine.sessionId());
EAP eapPayload;
Ethernet eth;
@@ -591,7 +595,6 @@
OutboundPacket packet = new DefaultOutboundPacket(connectPoint.deviceId(),
treatment, ByteBuffer.wrap(ethernetPkt.serialize()));
EAPOL eap = ((EAPOL) ethernetPkt.getPayload());
- EAP eapPkt = (EAP) eap.getPayload();
if (log.isTraceEnabled()) {
log.trace("Sending eapol payload {} enclosed in {} to supplicant at {}",
eap, ethernetPkt, connectPoint);
@@ -609,6 +612,47 @@
return ToStringBuilder.reflectionToString(this);
}
+ @Override
+ public List<AuthenticationRecord> getAuthenticationRecords() {
+ return stateMachines.values().stream()
+ .map(this::toAuthRecord)
+ .collect(Collectors.toList());
+ }
+
+ private AuthenticationRecord toAuthRecord(StateMachine stateMachine) {
+ return new AuthenticationRecord(stateMachine.supplicantConnectpoint(),
+ stateMachine.username(), stateMachine.supplicantAddress(), stateMachine.stateString());
+ }
+
+ @Override
+ public boolean removeAuthenticationStateByMac(MacAddress mac) {
+
+ StateMachine stateMachine = null;
+
+ for (Map.Entry<String, StateMachine> e : stateMachines.entrySet()) {
+ if (e.getValue().supplicantAddress() != null &&
+ e.getValue().supplicantAddress().equals(mac)) {
+ stateMachine = stateMachines.remove(e.getKey());
+ break;
+ }
+ }
+
+ if (stateMachine != null) {
+ stateMachine.stop();
+ return true;
+ }
+
+ return false;
+ }
+
+ public StateMachine getStateMachine(String sessionId) {
+ return stateMachines.get(sessionId);
+ }
+
+ private String sessionId(ConnectPoint cp) {
+ return cp.deviceId().toString() + cp.port().toString();
+ }
+
// our handler defined as a private inner class
/**
@@ -625,18 +669,14 @@
return;
}
- try {
- // identify if incoming packet comes from supplicant (EAP) or RADIUS
- switch (EthType.EtherType.lookup(ethPkt.getEtherType())) {
- case EAPOL:
- handleSupplicantPacket(context.inPacket());
- break;
- default:
- // any other packets let the specific implementation handle
- impl.handlePacketFromServer(context);
- }
- } catch (StateMachineException e) {
- log.warn("Unable to process packet:", e);
+ // identify if incoming packet comes from supplicant (EAP) or RADIUS
+ switch (EthType.EtherType.lookup(ethPkt.getEtherType())) {
+ case EAPOL:
+ handleSupplicantPacket(context.inPacket());
+ break;
+ default:
+ // any other packets let the specific implementation handle
+ impl.handlePacketFromServer(context);
}
}
@@ -672,7 +712,7 @@
*
* @param inPacket Ethernet packet coming from the supplicant
*/
- private void handleSupplicantPacket(InboundPacket inPacket) throws StateMachineException {
+ private void handleSupplicantPacket(InboundPacket inPacket) {
Ethernet ethPkt = inPacket.parsed();
// Where does it come from?
MacAddress srcMac = ethPkt.getSourceMAC();
@@ -701,24 +741,16 @@
if (pktlen >= 0 && ethPkt.getEtherType() == EthType.EtherType.EAPOL.ethType().toShort()) {
aaaStatisticsManager.getAaaStats().incrementValidEapolFramesRx();
}
- StateMachine stateMachine = StateMachine.lookupStateMachineBySessionId(sessionId);
- if (stateMachine == null) {
- log.debug("Creating new state machine for sessionId: {} for "
- + "dev/port: {}/{}", sessionId, deviceId, portNumber);
- stateMachine = new StateMachine(sessionId);
- } else {
- log.debug("Using existing state-machine for sessionId: {}", sessionId);
- stateMachine.setEapolTypeVal(eapol.getEapolType());
- }
+
+ StateMachine stateMachine = stateMachines.computeIfAbsent(sessionId, id -> new StateMachine(id, executor));
+ stateMachine.setEapolTypeVal(eapol.getEapolType());
switch (eapol.getEapolType()) {
case EAPOL.EAPOL_START:
log.debug("EAP packet: EAPOL_START");
stateMachine.setSupplicantConnectpoint(inPacket.receivedFrom());
- if (stateMachine.getCleanupTimer() == null) {
- scheduleStateMachineCleanupTimer(sessionId, stateMachine);
- }
stateMachine.start();
+
aaaStatisticsManager.getAaaStats().incrementEapolStartReqTrans();
//send an EAP Request/Identify to the supplicant
EAP eapPayload = new EAP(EAP.REQUEST, stateMachine.identifier(), EAP.ATTR_IDENTITY, null);
@@ -762,6 +794,9 @@
EAP eapPacket = (EAP) eapol.getPayload();
Byte identifier = new Byte(eapPacket.getIdentifier());
+ // get identifier for request and store mapping to session ID
+ RequestIdentifier radiusIdentifier = idManager.getNewIdentifier(sessionId);
+
byte dataType = eapPacket.getDataType();
switch (dataType) {
@@ -774,7 +809,7 @@
// request id access to RADIUS
stateMachine.setUsername(eapPacket.getData());
- radiusPayload = getRadiusPayload(stateMachine, stateMachine.identifier(), eapPacket);
+ radiusPayload = getRadiusPayload(stateMachine, radiusIdentifier.identifier(), eapPacket);
radiusPayload = pktCustomizer.customizePacket(radiusPayload, inPacket);
radiusPayload.addMessageAuthenticator(AaaManager.this.radiusSecret);
@@ -797,10 +832,8 @@
// machine.
if (eapPacket.getIdentifier() == stateMachine.challengeIdentifier()) {
//send the RADIUS challenge response
- radiusPayload =
- getRadiusPayload(stateMachine,
- stateMachine.identifier(),
- eapPacket);
+ radiusPayload = getRadiusPayload(stateMachine,
+ radiusIdentifier.identifier(), eapPacket);
radiusPayload = pktCustomizer.customizePacket(radiusPayload, inPacket);
if (stateMachine.challengeState() != null) {
@@ -820,7 +853,7 @@
case EAP.ATTR_TLS:
log.debug("EAP packet: EAPOL_PACKET ATTR_TLS");
// request id access to RADIUS
- radiusPayload = getRadiusPayload(stateMachine, stateMachine.identifier(), eapPacket);
+ radiusPayload = getRadiusPayload(stateMachine, radiusIdentifier.identifier(), eapPacket);
radiusPayload = pktCustomizer.customizePacket(radiusPayload, inPacket);
if (stateMachine.challengeState() != null) {
@@ -865,10 +898,25 @@
public void notify(AuthenticationEvent authenticationEvent) {
log.info("Auth event {} for {}",
authenticationEvent.type(), authenticationEvent.subject());
+
+ if (authenticationEvent.type() == AuthenticationEvent.Type.TIMEOUT) {
+ handleStateMachineTimeout(authenticationEvent.subject());
+ }
+
post(authenticationEvent);
}
}
+ private void handleStateMachineTimeout(ConnectPoint supplicantConnectPoint) {
+ StateMachine stateMachine = stateMachines.remove(sessionId(supplicantConnectPoint));
+
+ if (stateMachine.state() == StateMachine.STATE_PENDING && stateMachine.isWaitingForRadiusResponse()) {
+ aaaStatisticsManager.getAaaStats().increaseTimedOutPackets();
+ }
+
+ StateMachine.deleteStateMachineMapping(stateMachine);
+ }
+
/**
* Configuration Listener, handles change in configuration.
*/
@@ -953,7 +1001,7 @@
PortNumber portNumber = event.port().number();
String sessionId = devId.toString() + portNumber.toString();
- StateMachine stateMachine = StateMachine.lookupStateMachineBySessionId(sessionId);
+ StateMachine stateMachine = stateMachines.get(sessionId);
if (stateMachine != null) {
stateMachine.setSessionTerminateReason(
StateMachine.SessionTerminationReasons.PORT_REMOVED.getReason());
@@ -963,8 +1011,7 @@
aaaSupplicantStatsManager.getMachineStatsDelegate()
.notify(new AaaMachineStatisticsEvent(AaaMachineStatisticsEvent.Type.STATS_UPDATE, obj));
- Map<String, StateMachine> sessionIdMap = StateMachine.sessionIdMap();
- StateMachine removed = sessionIdMap.remove(sessionId);
+ StateMachine removed = stateMachines.remove(sessionId);
if (removed != null) {
StateMachine.deleteStateMachineMapping(removed);
}
@@ -1034,4 +1081,4 @@
}
}
-}
\ No newline at end of file
+}
diff --git a/app/src/main/java/org/opencord/aaa/impl/AaaStatisticsManager.java b/app/src/main/java/org/opencord/aaa/impl/AaaStatisticsManager.java
index 5b3e439..125898e 100644
--- a/app/src/main/java/org/opencord/aaa/impl/AaaStatisticsManager.java
+++ b/app/src/main/java/org/opencord/aaa/impl/AaaStatisticsManager.java
@@ -16,13 +16,6 @@
package org.opencord.aaa.impl;
-import static org.slf4j.LoggerFactory.getLogger;
-
-import java.util.HashMap;
-import java.util.Map;
-import java.util.concurrent.atomic.AtomicLong;
-
-import org.osgi.service.component.annotations.Component;
import org.onosproject.event.AbstractListenerManager;
import org.opencord.aaa.AaaStatistics;
import org.opencord.aaa.AuthenticationStatisticsDelegate;
@@ -30,9 +23,16 @@
import org.opencord.aaa.AuthenticationStatisticsEventListener;
import org.opencord.aaa.AuthenticationStatisticsService;
import org.osgi.service.component.annotations.Activate;
+import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Deactivate;
import org.slf4j.Logger;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.concurrent.atomic.AtomicLong;
+
+import static org.slf4j.LoggerFactory.getLogger;
+
@Component(immediate = true)
diff --git a/app/src/main/java/org/opencord/aaa/impl/IdentifierManager.java b/app/src/main/java/org/opencord/aaa/impl/IdentifierManager.java
new file mode 100644
index 0000000..27f824f
--- /dev/null
+++ b/app/src/main/java/org/opencord/aaa/impl/IdentifierManager.java
@@ -0,0 +1,95 @@
+/*
+ * Copyright 2020-present Open Networking Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.opencord.aaa.impl;
+
+import com.google.common.collect.Maps;
+
+import java.util.concurrent.BlockingQueue;
+import java.util.concurrent.ConcurrentMap;
+import java.util.concurrent.LinkedBlockingQueue;
+
+/**
+ * Manages allocating request identifiers and mapping them to sessions.
+ */
+public class IdentifierManager {
+
+ private static final int MAX_IDENTIFIER = 256;
+
+ private BlockingQueue<Integer> freeIdNumbers;
+
+ private ConcurrentMap<RequestIdentifier, String> idToSession;
+
+ /**
+ * Creates and initializes a new identifier manager.
+ */
+ public IdentifierManager() {
+ idToSession = Maps.newConcurrentMap();
+ freeIdNumbers = new LinkedBlockingQueue<>();
+
+ // Starts at 2 because ids 0 and 1 are reserved for RADIUS server status requests.
+ for (int i = 2; i < MAX_IDENTIFIER; i++) {
+ freeIdNumbers.add(i);
+ }
+ }
+
+ /**
+ * Gets a new identifier and maps it to the given session ID.
+ *
+ * @param sessionId session this identifier is associated with
+ * @return identifier
+ */
+ public synchronized RequestIdentifier getNewIdentifier(String sessionId) {
+ int idNum;
+ try {
+ idNum = freeIdNumbers.take();
+ } catch (InterruptedException e) {
+ return null;
+ }
+
+ RequestIdentifier id = RequestIdentifier.of((byte) idNum);
+
+ idToSession.put(id, sessionId);
+
+ return id;
+ }
+
+ /**
+ * Gets the session ID associated with a given request ID.
+ *
+ * @param id request ID
+ * @return session ID
+ */
+ public String getSessionId(RequestIdentifier id) {
+ return idToSession.get(id);
+ }
+
+ /**
+ * Releases a request identifier and removes session mapping.
+ *
+ * @param id request identifier to release
+ */
+ public synchronized void releaseIdentifier(RequestIdentifier id) {
+ String session = idToSession.remove(id);
+ if (session == null) {
+ // this id wasn't mapped to a session so is still free
+ return;
+ }
+
+ // add id number back to set of free ids
+ freeIdNumbers.add((int) id.identifier());
+ }
+}
diff --git a/app/src/main/java/org/opencord/aaa/impl/PortBasedRadiusCommunicator.java b/app/src/main/java/org/opencord/aaa/impl/PortBasedRadiusCommunicator.java
index ad00b5f..4cdf958 100755
--- a/app/src/main/java/org/opencord/aaa/impl/PortBasedRadiusCommunicator.java
+++ b/app/src/main/java/org/opencord/aaa/impl/PortBasedRadiusCommunicator.java
@@ -391,12 +391,8 @@
.deserialize(udpPacket.serialize(),
8,
udpPacket.getLength() - 8);
- try {
- aaaManager.aaaStatisticsManager.handleRoundtripTime(radiusMsg.getIdentifier());
- aaaManager.handleRadiusPacket(radiusMsg);
- } catch (StateMachineException sme) {
- log.error("Illegal state machine operation", sme);
- }
+ aaaManager.aaaStatisticsManager.handleRoundtripTime(radiusMsg.getIdentifier());
+ aaaManager.handleRadiusPacket(radiusMsg);
} catch (DeserializationException dex) {
log.error("Cannot deserialize packet", dex);
}
diff --git a/app/src/main/java/org/opencord/aaa/impl/RequestIdentifier.java b/app/src/main/java/org/opencord/aaa/impl/RequestIdentifier.java
new file mode 100644
index 0000000..9869af1
--- /dev/null
+++ b/app/src/main/java/org/opencord/aaa/impl/RequestIdentifier.java
@@ -0,0 +1,69 @@
+/*
+ * Copyright 2020-present Open Networking Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.opencord.aaa.impl;
+
+import java.util.Objects;
+
+/**
+ * An identifier for an authentication request.
+ */
+public final class RequestIdentifier {
+
+ private byte identifier;
+
+ /**
+ * Creates a new request identifier.
+ *
+ * @param identifier id number
+ */
+ private RequestIdentifier(byte identifier) {
+ this.identifier = identifier;
+ }
+
+ /**
+ * Returns the id number.
+ *
+ * @return id
+ */
+ public byte identifier() {
+ return this.identifier;
+ }
+
+ /**
+ * Creates a new request identifier.
+ *
+ * @param identifier id number
+ * @return identifier
+ */
+ public static RequestIdentifier of(byte identifier) {
+ return new RequestIdentifier(identifier);
+ }
+
+ public boolean equals(Object other) {
+ if (!(other instanceof RequestIdentifier)) {
+ return false;
+ }
+
+ RequestIdentifier that = (RequestIdentifier) other;
+
+ return identifier == that.identifier;
+ }
+
+ public int hashCode() {
+ return Objects.hashCode(identifier);
+ }
+}
diff --git a/app/src/main/java/org/opencord/aaa/impl/SocketBasedRadiusCommunicator.java b/app/src/main/java/org/opencord/aaa/impl/SocketBasedRadiusCommunicator.java
index d3c49c2..99c9396 100755
--- a/app/src/main/java/org/opencord/aaa/impl/SocketBasedRadiusCommunicator.java
+++ b/app/src/main/java/org/opencord/aaa/impl/SocketBasedRadiusCommunicator.java
@@ -198,10 +198,7 @@
} catch (DeserializationException dex) {
aaaManager.aaaStatisticsManager.getAaaStats().increaseMalformedResponsesRx();
log.error("Cannot deserialize packet", dex);
- } catch (StateMachineException sme) {
- log.error("Illegal state machine operation", sme);
}
-
} catch (IOException e) {
log.info("Socket was closed, exiting listener thread");
done = true;
diff --git a/app/src/main/java/org/opencord/aaa/impl/StateMachine.java b/app/src/main/java/org/opencord/aaa/impl/StateMachine.java
index 8d73e15..744b0ae 100644
--- a/app/src/main/java/org/opencord/aaa/impl/StateMachine.java
+++ b/app/src/main/java/org/opencord/aaa/impl/StateMachine.java
@@ -17,7 +17,6 @@
package org.opencord.aaa.impl;
-import com.google.common.collect.Maps;
import org.onlab.packet.MacAddress;
import org.onosproject.net.ConnectPoint;
import org.opencord.aaa.AuthenticationEvent;
@@ -25,15 +24,15 @@
import org.slf4j.Logger;
import java.util.HashSet;
-import java.util.Map;
import java.util.Set;
+import java.util.concurrent.ScheduledExecutorService;
+import java.util.concurrent.TimeUnit;
import static org.slf4j.LoggerFactory.getLogger;
/**
* AAA Finite State Machine.
*/
-
public class StateMachine {
//INDEX to identify the state in the transition table
static final int STATE_IDLE = 0;
@@ -43,7 +42,7 @@
static final int STATE_UNAUTHORIZED = 4;
// Defining the states where timeout can happen
- static final Set<Integer> TIMEOUT_ELIGIBLE_STATES = new HashSet();
+ static final Set<Integer> TIMEOUT_ELIGIBLE_STATES = new HashSet<>();
static {
TIMEOUT_ELIGIBLE_STATES.add(STATE_STARTED);
TIMEOUT_ELIGIBLE_STATES.add(STATE_PENDING);
@@ -55,7 +54,7 @@
static final int TRANSITION_DENY_ACCESS = 3;
static final int TRANSITION_LOGOFF = 4;
- private static int identifier = 1;
+ private static int identifier = -1;
private byte challengeIdentifier;
private byte[] challengeState;
private byte[] username;
@@ -120,6 +119,7 @@
private State[] states = {new Idle(), new Started(), new Pending(), new Authorized(), new Unauthorized() };
// Cleanup Timer instance created for this session
+ private ScheduledExecutorService executor;
private java.util.concurrent.ScheduledFuture<?> cleanupTimer = null;
// TimeStamp of last EAPOL or RADIUS message received.
@@ -158,24 +158,8 @@
private int currentState = STATE_IDLE;
- // Maps of state machines. Each state machine is represented by an
- // unique identifier on the switch: dpid + port number
- private static Map<String, StateMachine> sessionIdMap;
- private static Map<Integer, StateMachine> identifierMap;
-
private static StateMachineDelegate delegate;
- public static void initializeMaps() {
- sessionIdMap = Maps.newConcurrentMap();
- identifierMap = Maps.newConcurrentMap();
- identifier = 1;
- }
-
- public static void destroyMaps() {
- sessionIdMap = null;
- identifierMap = null;
- }
-
public static void setDelegate(StateMachineDelegate delegate) {
StateMachine.delegate = delegate;
}
@@ -184,38 +168,27 @@
cleanupTimerTimeOutInMins = cleanupTimerTimeoutInMins;
}
+ private void scheduleTimeout() {
+ cleanupTimer = executor.schedule(this::timeout, cleanupTimerTimeOutInMins, TimeUnit.MINUTES);
+ }
+
public static void unsetDelegate(StateMachineDelegate delegate) {
if (StateMachine.delegate == delegate) {
StateMachine.delegate = null;
}
}
- public static Map<String, StateMachine> sessionIdMap() {
- return sessionIdMap;
- }
-
- public static StateMachine lookupStateMachineById(byte identifier) {
- return identifierMap.get((int) identifier);
- }
-
- public static StateMachine lookupStateMachineBySessionId(String sessionId) {
- return sessionIdMap.get(sessionId);
- }
-
- public static void deleteStateMachineId(String sessionId) {
- sessionIdMap.remove(sessionId);
- }
-
public static void deleteStateMachineMapping(StateMachine machine) {
- identifierMap.entrySet().removeIf(e -> e.getValue().equals(machine));
if (machine.cleanupTimer != null) {
machine.cleanupTimer.cancel(false);
machine.cleanupTimer = null;
}
}
- public java.util.concurrent.ScheduledFuture<?> getCleanupTimer() {
- return cleanupTimer;
+ public void stop() {
+ if (cleanupTimer != null) {
+ cleanupTimer.cancel(false);
+ }
}
public boolean isWaitingForRadiusResponse() {
@@ -226,43 +199,16 @@
this.waitingForRadiusResponse = waitingForRadiusResponse;
}
- public void setCleanupTimer(java.util.concurrent.ScheduledFuture<?> cleanupTimer) {
- this.cleanupTimer = cleanupTimer;
- }
-
- /**
- * Deletes authentication state machine records for a given MAC address.
- *
- * @param mac mac address of the suppliant who's state machine should be removed
- */
- public static void deleteByMac(MacAddress mac) {
-
- // Walk the map from session IDs to state machines looking for a MAC match
- for (Map.Entry<String, StateMachine> e : sessionIdMap.entrySet()) {
-
- // If a MAC match is found then delete the entry from the session ID
- // and identifier map as well as call delete identifier to clean up
- // the identifier bit set.
- if (e.getValue() != null && e.getValue().supplicantAddress != null
- && e.getValue().supplicantAddress.equals(mac)) {
- sessionIdMap.remove(e.getValue().sessionId);
- if (e.getValue().identifier != 1) {
- deleteStateMachineMapping(e.getValue());
- }
- break;
- }
- }
- }
-
/**
* Creates a new StateMachine with the given session ID.
*
* @param sessionId session Id represented by the switch dpid + port number
+ * @param executor executor to run background tasks on
*/
- public StateMachine(String sessionId) {
+ public StateMachine(String sessionId, ScheduledExecutorService executor) {
log.info("Creating a new state machine for {}", sessionId);
this.sessionId = sessionId;
- sessionIdMap.put(sessionId, this);
+ this.executor = executor;
}
/**
@@ -538,11 +484,8 @@
* @return The state machine identifier.
*/
public synchronized byte identifier() {
- //identifier 0 is for statusServerrequest
- //identifier 1 is for fake accessRequest
- identifier = (identifier + 1) % 253;
- identifierMap.put((identifier + 2), this);
- return (byte) (identifier + 2);
+ identifier = (identifier + 1) % 255;
+ return (byte) identifier;
}
/**
@@ -557,26 +500,23 @@
/**
* Client has requested the start action to allow network access.
- *
- * @throws StateMachineException if authentication protocol is violated
*/
- public void start() throws StateMachineException {
+ public void start() {
+ this.scheduleTimeout();
+
states[currentState].start();
delegate.notify(new AuthenticationEvent(AuthenticationEvent.Type.STARTED, supplicantConnectpoint));
// move to the next state
next(TRANSITION_START);
- identifier = this.identifier();
}
/**
* An Identification information has been sent by the supplicant. Move to the
* next state if possible.
- *
- * @throws StateMachineException if authentication protocol is violated
*/
- public void requestAccess() throws StateMachineException {
+ public void requestAccess() {
states[currentState].requestAccess();
delegate.notify(new AuthenticationEvent(AuthenticationEvent.Type.REQUESTED, supplicantConnectpoint));
@@ -587,10 +527,8 @@
/**
* RADIUS has accepted the identification. Move to the next state if possible.
- *
- * @throws StateMachineException if authentication protocol is violated
*/
- public void authorizeAccess() throws StateMachineException {
+ public void authorizeAccess() {
states[currentState].radiusAccepted();
// move to the next state
next(TRANSITION_AUTHORIZE_ACCESS);
@@ -603,10 +541,8 @@
/**
* RADIUS has denied the identification. Move to the next state if possible.
- *
- * @throws StateMachineException if authentication protocol is violated
*/
- public void denyAccess() throws StateMachineException {
+ public void denyAccess() {
states[currentState].radiusDenied();
// move to the next state
next(TRANSITION_DENY_ACCESS);
@@ -619,10 +555,8 @@
/**
* Logoff request has been requested. Move to the next state if possible.
- *
- * @throws StateMachineException if authentication protocol is violated
*/
- public void logoff() throws StateMachineException {
+ public void logoff() {
states[currentState].logoff();
// move to the next state
next(TRANSITION_LOGOFF);
@@ -638,46 +572,54 @@
return currentState;
}
- @Override
- public String toString() {
- return ("sessionId: " + this.sessionId) + "\t" + ("identifier: " + this.identifier) + "\t"
- + ("state: " + this.currentState);
+ public String stateString() {
+ return states[currentState].name();
}
- abstract class State {
+ @Override
+ public String toString() {
+ return ("sessionId: " + this.sessionId) + "\t" + ("state: " + this.currentState);
+ }
+
+ abstract static class State {
private final Logger log = getLogger(getClass());
- private String name = "State";
+ abstract String name();
- public void start() throws StateMachineInvalidTransitionException {
+ public void start() {
log.warn("START transition from this state is not allowed.");
}
- public void requestAccess() throws StateMachineInvalidTransitionException {
+ public void requestAccess() {
log.warn("REQUEST ACCESS transition from this state is not allowed.");
}
- public void radiusAccepted() throws StateMachineInvalidTransitionException {
+ public void radiusAccepted() {
log.warn("AUTHORIZE ACCESS transition from this state is not allowed.");
}
- public void radiusDenied() throws StateMachineInvalidTransitionException {
+ public void radiusDenied() {
log.warn("DENY ACCESS transition from this state is not allowed.");
}
- public void logoff() throws StateMachineInvalidTransitionException {
+ public void logoff() {
log.warn("LOGOFF transition from this state is not allowed.");
}
}
/**
- * Idle state: supplicant is logged of from the network.
+ * Idle state: supplicant is logged off from the network.
*/
- class Idle extends State {
+ static class Idle extends State {
private final Logger log = getLogger(getClass());
private String name = "IDLE_STATE";
@Override
+ String name() {
+ return this.name;
+ }
+
+ @Override
public void start() {
log.info("Moving from IDLE state to STARTED state.");
}
@@ -687,11 +629,16 @@
* Started state: supplicant has entered the network and informed the
* authenticator.
*/
- class Started extends State {
+ static class Started extends State {
private final Logger log = getLogger(getClass());
private String name = "STARTED_STATE";
@Override
+ String name() {
+ return this.name;
+ }
+
+ @Override
public void requestAccess() {
log.info("Moving from STARTED state to PENDING state.");
}
@@ -701,11 +648,16 @@
* Pending state: supplicant has been identified by the authenticator but has
* not access yet.
*/
- class Pending extends State {
+ static class Pending extends State {
private final Logger log = getLogger(getClass());
private String name = "PENDING_STATE";
@Override
+ String name() {
+ return this.name;
+ }
+
+ @Override
public void radiusAccepted() {
log.info("Moving from PENDING state to AUTHORIZED state.");
}
@@ -719,11 +671,16 @@
/**
* Authorized state: supplicant port has been accepted, access is granted.
*/
- class Authorized extends State {
+ static class Authorized extends State {
private final Logger log = getLogger(getClass());
private String name = "AUTHORIZED_STATE";
@Override
+ String name() {
+ return this.name;
+ }
+
+ @Override
public void start() {
log.info("Moving from AUTHORIZED state to STARTED state.");
}
@@ -738,11 +695,16 @@
/**
* Unauthorized state: supplicant port has been rejected, access is denied.
*/
- class Unauthorized extends State {
+ static class Unauthorized extends State {
private final Logger log = getLogger(getClass());
private String name = "UNAUTHORIZED_STATE";
@Override
+ String name() {
+ return this.name;
+ }
+
+ @Override
public void start() {
log.info("Moving from UNAUTHORIZED state to STARTED state.");
}
@@ -753,53 +715,15 @@
}
}
- /**
- * Class for cleaning the StateMachine for those session for which no response
- * is coming--implementing timeout.
- */
- class CleanupTimerTask implements Runnable {
- private final Logger log = getLogger(getClass());
- private String sessionId;
- private AaaManager aaaManager;
+ private void timeout() {
+ boolean noTrafficWithinThreshold =
+ (System.currentTimeMillis() - lastPacketReceivedTime) > ((cleanupTimerTimeOutInMins * 60 * 1000) / 2);
- CleanupTimerTask(String sessionId, AaaManager aaaManager) {
- this.sessionId = sessionId;
- this.aaaManager = aaaManager;
- }
-
- @Override
- public void run() {
- StateMachine stateMachine = StateMachine.lookupStateMachineBySessionId(sessionId);
- if (null != stateMachine) {
- // Asserting if last packet received for this stateMachine session was beyond half of timeout period.
- // StateMachine is considered eligible for cleanup when no packets has been exchanged by it with AAA
- // Server or RG during a long period (half of timeout period). For example, when cleanup timer has
- // been configured as 10 minutes, StateMachine would be cleaned up at the end of 10 minutes if
- // the authentication is still pending and no packet was exchanged for this session during last 5
- // minutes.
-
- boolean noTrafficWithinThreshold = (System.currentTimeMillis()
- - stateMachine.getLastPacketReceivedTime()) > ((cleanupTimerTimeOutInMins * 60 * 1000) / 2);
-
- if ((TIMEOUT_ELIGIBLE_STATES.contains(stateMachine.state())) && noTrafficWithinThreshold) {
- log.info("Deleting StateMachineMapping for sessionId: {}", sessionId);
- cleanupTimer = null;
- if (stateMachine.state() == STATE_PENDING && stateMachine.isWaitingForRadiusResponse()) {
- aaaManager.aaaStatisticsManager.getAaaStats().increaseTimedOutPackets();
- }
- deleteStateMachineId(sessionId);
- deleteStateMachineMapping(stateMachine);
-
- // If StateMachine is not eligible for cleanup yet, reschedule cleanupTimer further.
- } else {
- aaaManager.scheduleStateMachineCleanupTimer(sessionId, stateMachine);
- }
- } else {
- // This statement should not be logged; cleanupTimer should be cancelled for stateMachine
- // instances which have been authenticated successfully.
- log.warn("state-machine not found for sessionId: {}", sessionId);
- }
-
+ if (TIMEOUT_ELIGIBLE_STATES.contains(currentState) && noTrafficWithinThreshold) {
+ delegate.notify(new AuthenticationEvent(AuthenticationEvent.Type.TIMEOUT, this.supplicantConnectpoint));
+ // If StateMachine is not eligible for cleanup yet, reschedule cleanupTimer further.
+ } else {
+ this.scheduleTimeout();
}
}
diff --git a/app/src/main/java/org/opencord/aaa/impl/StateMachineException.java b/app/src/main/java/org/opencord/aaa/impl/StateMachineException.java
deleted file mode 100644
index 6dd7bb4..0000000
--- a/app/src/main/java/org/opencord/aaa/impl/StateMachineException.java
+++ /dev/null
@@ -1,27 +0,0 @@
-/*
- * Copyright 2017-present Open Networking Foundation
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- */
-package org.opencord.aaa.impl;
-
-/**
- * Exception for the State Machine.
- */
-class StateMachineException extends Exception {
- public StateMachineException(String message) {
- super(message);
-
- }
-}
diff --git a/app/src/main/java/org/opencord/aaa/impl/StateMachineInvalidTransitionException.java b/app/src/main/java/org/opencord/aaa/impl/StateMachineInvalidTransitionException.java
deleted file mode 100644
index 6ccd3fc..0000000
--- a/app/src/main/java/org/opencord/aaa/impl/StateMachineInvalidTransitionException.java
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * Copyright 2017-present Open Networking Foundation
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- */
-package org.opencord.aaa.impl;
-
-/**
- * Exception raised when the transition from one state to another is invalid.
- */
-class StateMachineInvalidTransitionException extends StateMachineException {
- public StateMachineInvalidTransitionException(String message) {
- super(message);
- }
-}
diff --git a/app/src/test/java/org/opencord/aaa/impl/AaaIntegrationTest.java b/app/src/test/java/org/opencord/aaa/impl/AaaIntegrationTest.java
index 0275b13..b6c9fe8 100644
--- a/app/src/test/java/org/opencord/aaa/impl/AaaIntegrationTest.java
+++ b/app/src/test/java/org/opencord/aaa/impl/AaaIntegrationTest.java
@@ -113,8 +113,7 @@
// State machine should have been created by now
- StateMachine stateMachine =
- StateMachine.lookupStateMachineBySessionId(SESSION_ID);
+ StateMachine stateMachine = aaa.getStateMachine(SESSION_ID);
assertThat(stateMachine, notNullValue());
assertThat(stateMachine.state(), is(StateMachine.STATE_PENDING));
diff --git a/app/src/test/java/org/opencord/aaa/impl/AaaManagerTest.java b/app/src/test/java/org/opencord/aaa/impl/AaaManagerTest.java
index 1b4257d..d50be7d 100644
--- a/app/src/test/java/org/opencord/aaa/impl/AaaManagerTest.java
+++ b/app/src/test/java/org/opencord/aaa/impl/AaaManagerTest.java
@@ -15,7 +15,6 @@
*/
package org.opencord.aaa.impl;
-import com.google.common.base.Charsets;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
@@ -37,13 +36,13 @@
import org.onosproject.net.packet.InboundPacket;
import org.opencord.aaa.AaaConfig;
-import java.lang.reflect.Field;
import java.net.InetAddress;
import java.net.UnknownHostException;
import static com.google.common.base.Preconditions.checkState;
import static org.hamcrest.Matchers.is;
import static org.hamcrest.Matchers.notNullValue;
+import static org.hamcrest.Matchers.nullValue;
import static org.junit.Assert.assertThat;
/**
@@ -111,50 +110,6 @@
}
/**
- * Constructs an Ethernet packet containing a RADIUS challenge
- * packet.
- *
- * @param challengeCode code to use in challenge packet
- * @param challengeType type to use in challenge packet
- * @return Ethernet packet
- */
- private RADIUS constructRadiusCodeAccessChallengePacket(byte challengeCode, byte challengeType) {
-
- String challenge = "12345678901234567";
-
- EAP eap = new EAP(challengeType, (byte) 4, challengeType,
- challenge.getBytes(Charsets.US_ASCII));
- eap.setIdentifier((byte) 4);
-
- RADIUS radius = new RADIUS();
- radius.setCode(challengeCode);
- radius.setIdentifier((byte) 4);
- radius.setAttribute(RADIUSAttribute.RADIUS_ATTR_STATE,
- challenge.getBytes(Charsets.US_ASCII));
-
- radius.setPayload(eap);
- radius.setAttribute(RADIUSAttribute.RADIUS_ATTR_EAP_MESSAGE,
- eap.serialize());
- radius.setAttribute(RADIUSAttribute.RADIUS_ATTR_MESSAGE_AUTH,
- aaaManager.radiusSecret.getBytes());
- return radius;
- }
-
- public static void injectEventDispatcher(Object manager, EventDeliveryService svc) {
- Class mc = manager.getClass();
- for (Field f : mc.getSuperclass().getDeclaredFields()) {
- if (f.getType().equals(EventDeliveryService.class)) {
- try {
- TestUtils.setField(manager, f.getName(), svc);
- } catch (TestUtils.TestUtilsException e) {
- throw new IllegalArgumentException("Unable to inject reference", e);
- }
- break;
- }
- }
- }
-
- /**
* Sets up the services required by the AAA application.
*/
@Before
@@ -217,7 +172,7 @@
* @throws DeserializationException if packed deserialization fails.
*/
@Test
- public void testAuthentication() throws Exception {
+ public void testAuthentication() throws Exception {
// (1) Supplicant start up
@@ -229,10 +184,12 @@
// (2) Supplicant identify
- Ethernet identifyPacket = constructSupplicantIdentifyPacket(null, EAP.ATTR_IDENTITY, (byte) 3, null);
+ Ethernet identifyPacket = constructSupplicantIdentifyPacket(null,
+ EAP.ATTR_IDENTITY, (byte) 3, null);
sendPacket(identifyPacket);
RADIUS radiusIdentifyPacket = (RADIUS) fetchPacket(1);
+ byte reqId = radiusIdentifyPacket.getIdentifier();
checkRadiusPacketFromSupplicant(radiusIdentifyPacket);
@@ -248,15 +205,15 @@
// State machine should have been created by now
- StateMachine stateMachine =
- StateMachine.lookupStateMachineBySessionId(SESSION_ID);
+ StateMachine stateMachine = aaaManager.getStateMachine(SESSION_ID);
assertThat(stateMachine, notNullValue());
assertThat(stateMachine.state(), is(StateMachine.STATE_PENDING));
// (3) RADIUS MD5 challenge
RADIUS radiusCodeAccessChallengePacket =
- constructRadiusCodeAccessChallengePacket(RADIUS.RADIUS_CODE_ACCESS_CHALLENGE, EAP.ATTR_MD5);
+ constructRadiusCodeAccessChallengePacket(RADIUS.RADIUS_CODE_ACCESS_CHALLENGE, EAP.ATTR_MD5,
+ reqId, aaaManager.radiusSecret.getBytes());
aaaManager.handleRadiusPacket(radiusCodeAccessChallengePacket);
Ethernet radiusChallengeMD5Packet = (Ethernet) fetchPacket(2);
@@ -274,7 +231,8 @@
RADIUS responseMd5RadiusPacket = (RADIUS) fetchPacket(3);
checkRadiusPacketFromSupplicant(responseMd5RadiusPacket);
- assertThat(responseMd5RadiusPacket.getIdentifier(), is((byte) 9));
+ //assertThat(responseMd5RadiusPacket.getIdentifier(), is((byte) 9));
+ reqId = responseMd5RadiusPacket.getIdentifier();
assertThat(responseMd5RadiusPacket.getCode(), is(RADIUS.RADIUS_CODE_ACCESS_REQUEST));
// State machine should be in pending state
@@ -285,7 +243,8 @@
// (5) RADIUS Success
RADIUS successPacket =
- constructRadiusCodeAccessChallengePacket(RADIUS.RADIUS_CODE_ACCESS_ACCEPT, EAP.SUCCESS);
+ constructRadiusCodeAccessChallengePacket(RADIUS.RADIUS_CODE_ACCESS_ACCEPT,
+ EAP.SUCCESS, reqId, aaaManager.radiusSecret.getBytes());
aaaManager.handleRadiusPacket((successPacket));
Ethernet supplicantSuccessPacket = (Ethernet) fetchPacket(4);
@@ -295,7 +254,21 @@
assertThat(stateMachine, notNullValue());
assertThat(stateMachine.state(), is(StateMachine.STATE_AUTHORIZED));
+ }
+ @Test
+ public void testRemoveAuthentication() {
+ Ethernet startPacket = constructSupplicantStartPacket();
+ sendPacket(startPacket);
+
+ StateMachine stateMachine = aaaManager.getStateMachine(SESSION_ID);
+
+ assertThat(stateMachine, notNullValue());
+ assertThat(stateMachine.state(), is(StateMachine.STATE_STARTED));
+
+ aaaManager.removeAuthenticationStateByMac(stateMachine.supplicantAddress());
+
+ assertThat(aaaManager.getStateMachine(SESSION_ID), nullValue());
}
/**
diff --git a/app/src/test/java/org/opencord/aaa/impl/AaaStatisticsTest.java b/app/src/test/java/org/opencord/aaa/impl/AaaStatisticsTest.java
index 5c9f657..2f67ba0 100644
--- a/app/src/test/java/org/opencord/aaa/impl/AaaStatisticsTest.java
+++ b/app/src/test/java/org/opencord/aaa/impl/AaaStatisticsTest.java
@@ -15,7 +15,6 @@
*/
package org.opencord.aaa.impl;
-import com.google.common.base.Charsets;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
@@ -42,7 +41,6 @@
import org.opencord.aaa.AaaConfig;
import org.slf4j.Logger;
-import java.lang.reflect.Field;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.ByteBuffer;
@@ -69,19 +67,19 @@
private AaaSupplicantMachineStatsManager aaaSupplicantStatsManager;
class AaaManagerWithoutRadiusServer extends AaaManager {
- protected void sendRadiusPacket(RADIUS radiusPacket, InboundPacket inPkt) {
- super.sendRadiusPacket(radiusPacket, inPkt);
- aaaManager.aaaStatisticsManager.putOutgoingIdentifierToMap(radiusPacket.getIdentifier());
- savePacket(radiusPacket);
- }
+ protected void sendRadiusPacket(RADIUS radiusPacket, InboundPacket inPkt) {
+ super.sendRadiusPacket(radiusPacket, inPkt);
+ aaaManager.aaaStatisticsManager.putOutgoingIdentifierToMap(radiusPacket.getIdentifier());
+ savePacket(radiusPacket);
+ }
- // changed the configuration of parent method to protected
- protected void configureRadiusCommunication() {
- PacketService pktService = new MockPacketService();
- ApplicationId appId = new CoreServiceAdapter().registerApplication("org.opencord.aaa");
- aaaManager.impl = new TestSocketBasedRadiusCommunicator(appId, pktService, aaaManager);
- }
- }
+ // changed the configuration of parent method to protected
+ protected void configureRadiusCommunication() {
+ PacketService pktService = new MockPacketService();
+ ApplicationId appId = new CoreServiceAdapter().registerApplication("org.opencord.aaa");
+ aaaManager.impl = new TestSocketBasedRadiusCommunicator(appId, pktService, aaaManager);
+ }
+ }
/**
* Mocks the AAAConfig class to force usage of an unroutable address for the
@@ -90,13 +88,13 @@
static class MockAaaConfig extends AaaConfig {
@Override
public InetAddress radiusIp() {
- try {
+ try {
return InetAddress.getByName(BAD_IP_ADDRESS);
- } catch (UnknownHostException ex) {
+ } catch (UnknownHostException ex) {
throw new IllegalStateException(ex);
- }
+ }
}
- }
+ }
/**
* Mocks the network config registry.
@@ -107,77 +105,32 @@
public <S, C extends Config<S>> C getConfig(S subject, Class<C> configClass) {
AaaConfig aaaConfig = new MockAaaConfig();
return (C) aaaConfig;
- }
+ }
}
public static class TestEventDispatcher extends DefaultEventSinkRegistry implements EventDeliveryService {
- @Override
- @SuppressWarnings("unchecked")
- public synchronized void post(Event event) {
- EventSink sink = getSink(event.getClass());
- checkState(sink != null, "No sink for event %s", event);
- sink.process(event);
- }
+ @Override
+ @SuppressWarnings("unchecked")
+ public synchronized void post(Event event) {
+ EventSink sink = getSink(event.getClass());
+ checkState(sink != null, "No sink for event %s", event);
+ sink.process(event);
+ }
- @Override
- public void setDispatchTimeLimit(long millis) {
- }
+ @Override
+ public void setDispatchTimeLimit(long millis) {
+ }
- @Override
- public long getDispatchTimeLimit() {
- return 0;
- }
- }
-
- /**
- * Constructs an Ethernet packet containing a RADIUS challenge packet.
- *
- * @param challengeCode
- * code to use in challenge packet
- * @param challengeType
- * type to use in challenge packet
- * @return Ethernet packet
- */
- private RADIUS constructRadiusCodeAccessChallengePacket(byte challengeCode, byte challengeType) {
-
- String challenge = "12345678901234567";
-
- EAP eap = new EAP(challengeType, (byte) 4, challengeType,
- challenge.getBytes(Charsets.US_ASCII));
- eap.setIdentifier((byte) 4);
-
- RADIUS radius = new RADIUS();
- radius.setCode(challengeCode);
- radius.setIdentifier((byte) 4);
- radius.setAttribute(RADIUSAttribute.RADIUS_ATTR_STATE,
- challenge.getBytes(Charsets.US_ASCII));
-
- radius.setPayload(eap);
- radius.setAttribute(RADIUSAttribute.RADIUS_ATTR_EAP_MESSAGE,
- eap.serialize());
- radius.setAttribute(RADIUSAttribute.RADIUS_ATTR_MESSAGE_AUTH,
- aaaManager.radiusSecret.getBytes());
- return radius;
- }
-
- public static void injectEventDispatcher(Object manager, EventDeliveryService svc) {
- Class mc = manager.getClass();
- for (Field f : mc.getSuperclass().getDeclaredFields()) {
- if (f.getType().equals(EventDeliveryService.class)) {
- try {
- TestUtils.setField(manager, f.getName(), svc);
- } catch (TestUtils.TestUtilsException e) {
- throw new IllegalArgumentException("Unable to inject reference", e);
- }
- break;
- }
- }
+ @Override
+ public long getDispatchTimeLimit() {
+ return 0;
+ }
}
-/**
- * Set up the services required by the AAA application.
- */
+ /**
+ * Set up the services required by the AAA application.
+ */
@Before
public void setUp() {
aaaManager = new AaaManagerWithoutRadiusServer();
@@ -200,46 +153,44 @@
aaaManager.activate(new AaaTestBase.MockComponentContext());
}
-/**
- * Tear down the AAA application.
- */
-@After
-public void tearDown() {
- aaaManager.deactivate(new AaaTestBase.MockComponentContext());
-}
+ /**
+ * Tear down the AAA application.
+ */
+ @After
+ public void tearDown() {
+ aaaManager.deactivate(new AaaTestBase.MockComponentContext());
+ }
-/**
- * Extracts the RADIUS packet from a packet sent by the supplicant.
- *
- * @param radius
- * RADIUS packet sent by the supplicant
- * @throws DeserializationException
- * if deserialization of the packet contents fails.
- */
-private void checkRadiusPacketFromSupplicant(RADIUS radius) throws DeserializationException {
- assertThat(radius, notNullValue());
- EAP eap = radius.decapsulateMessage();
- assertThat(eap, notNullValue());
-}
+ /**
+ * Extracts the RADIUS packet from a packet sent by the supplicant.
+ *
+ * @param radius RADIUS packet sent by the supplicant
+ * @throws DeserializationException if deserialization of the packet contents fails.
+ */
+ private void checkRadiusPacketFromSupplicant(RADIUS radius) throws DeserializationException {
+ assertThat(radius, notNullValue());
+ EAP eap = radius.decapsulateMessage();
+ assertThat(eap, notNullValue());
+ }
-/**
- * Fetches the sent packet at the given index. The requested packet must be the
- * last packet on the list.
- *
- * @param index
- * index into sent packets array
- * @return packet
- */
-private BasePacket fetchPacket(int index) {
- BasePacket packet = savedPackets.get(index);
- assertThat(packet, notNullValue());
- return packet;
-}
+ /**
+ * Fetches the sent packet at the given index. The requested packet must be the
+ * last packet on the list.
+ *
+ * @param index index into sent packets array
+ * @return packet
+ */
+ private BasePacket fetchPacket(int index) {
+ BasePacket packet = savedPackets.get(index);
+ assertThat(packet, notNullValue());
+ return packet;
+ }
- /** Tests the authentication path through the AAA application.
- * And counts the aaa Stats for successful transmission.
- * @throws DeserializationException
- * if packed deserialization fails.
+ /**
+ * Tests the authentication path through the AAA application.
+ * And counts the aaa Stats for successful transmission.
+ *
+ * @throws DeserializationException if packed deserialization fails.
*/
@Test
public void testAaaStatisticsForAcceptedPackets() throws Exception {
@@ -263,19 +214,20 @@
assertThat(new String(radiusIdentifyPacket.getAttribute(RADIUSAttribute.RADIUS_ATTR_USERNAME).getValue()),
is("testuser"));
IpAddress nasIp = IpAddress.valueOf(IpAddress.Version.INET,
- radiusIdentifyPacket.getAttribute(RADIUSAttribute.RADIUS_ATTR_NAS_IP).getValue());
+ radiusIdentifyPacket.getAttribute(RADIUSAttribute.RADIUS_ATTR_NAS_IP).getValue());
assertThat(nasIp.toString(), is(aaaManager.nasIpAddress.getHostAddress()));
// State machine should have been created by now
- StateMachine stateMachine = StateMachine.lookupStateMachineBySessionId(SESSION_ID);
+ StateMachine stateMachine = aaaManager.getStateMachine(SESSION_ID);
assertThat(stateMachine, notNullValue());
assertThat(stateMachine.state(), is(StateMachine.STATE_PENDING));
// (3) RADIUS MD5 challenge
- RADIUS radiusCodeAccessChallengePacket = constructRadiusCodeAccessChallengePacket(
- RADIUS.RADIUS_CODE_ACCESS_CHALLENGE, EAP.ATTR_MD5);
+ RADIUS radiusCodeAccessChallengePacket = constructRadiusCodeAccessChallengePacket(
+ RADIUS.RADIUS_CODE_ACCESS_CHALLENGE, EAP.ATTR_MD5, radiusIdentifyPacket.getIdentifier(),
+ aaaManager.radiusSecret.getBytes());
aaaManager.handleRadiusPacket(radiusCodeAccessChallengePacket);
Ethernet radiusChallengeMD5Packet = (Ethernet) fetchPacket(2);
@@ -283,14 +235,14 @@
// (4) Supplicant MD5 response
- Ethernet md5RadiusPacket = constructSupplicantIdentifyPacket(stateMachine, EAP.ATTR_MD5,
- stateMachine.challengeIdentifier(), radiusChallengeMD5Packet);
- sendPacket(md5RadiusPacket);
+ Ethernet md5RadiusPacket = constructSupplicantIdentifyPacket(stateMachine, EAP.ATTR_MD5,
+ stateMachine.challengeIdentifier(), radiusChallengeMD5Packet);
+ sendPacket(md5RadiusPacket);
RADIUS responseMd5RadiusPacket = (RADIUS) fetchPacket(3);
checkRadiusPacketFromSupplicant(responseMd5RadiusPacket);
- assertThat(responseMd5RadiusPacket.getIdentifier(), is((byte) 9));
+ //assertThat(responseMd5RadiusPacket.getIdentifier(), is((byte) 9));
assertThat(responseMd5RadiusPacket.getCode(), is(RADIUS.RADIUS_CODE_ACCESS_REQUEST));
// State machine should be in pending state
@@ -301,7 +253,8 @@
// (5) RADIUS Success
RADIUS successPacket =
- constructRadiusCodeAccessChallengePacket(RADIUS.RADIUS_CODE_ACCESS_ACCEPT, EAP.SUCCESS);
+ constructRadiusCodeAccessChallengePacket(RADIUS.RADIUS_CODE_ACCESS_ACCEPT, EAP.SUCCESS,
+ responseMd5RadiusPacket.getIdentifier(), aaaManager.radiusSecret.getBytes());
aaaManager.handleRadiusPacket((successPacket));
Ethernet supplicantSuccessPacket = (Ethernet) fetchPacket(4);
@@ -324,16 +277,15 @@
assertNotEquals(aaaStatisticsManager.getAaaStats().getChallengeResponsesRx(), ZERO);
assertNotEquals(aaaStatisticsManager.getAaaStats().getDroppedResponsesRx(), ZERO);
assertNotEquals(aaaStatisticsManager.getAaaStats().getInvalidValidatorsRx(), ZERO);
- assertNotEquals(aaaStatisticsManager.getAaaStats().getPendingRequests(), ZERO);
// Counts the aaa Statistics count and displays in the log
countAaaStatistics();
}
- /** Tests the count for defected packets.
+ /**
+ * Tests the count for defected packets.
*
- * @throws DeserializationException
- * if packed deserialization fails.
+ * @throws DeserializationException if packed deserialization fails.
*/
@Test
public void testAaaStatisticsForDefectivePackets() throws Exception {
@@ -350,16 +302,15 @@
checkRadiusPacketFromSupplicant(radiusIdentifyPacket);
- // Calling the mock test socket based to handle packet
- aaaManager.impl.handlePacketFromServer(null);
// State machine should have been created by now
- StateMachine stateMachine = StateMachine.lookupStateMachineBySessionId(SESSION_ID);
+ StateMachine stateMachine = aaaManager.getStateMachine(SESSION_ID);
// (3) RADIUS MD5 challenge
RADIUS radiusCodeAccessChallengePacket = constructRadiusCodeAccessChallengePacket(
- RADIUS.RADIUS_CODE_ACCESS_CHALLENGE, EAP.ATTR_MD5);
+ RADIUS.RADIUS_CODE_ACCESS_CHALLENGE, EAP.ATTR_MD5, radiusIdentifyPacket.getIdentifier(),
+ aaaManager.radiusSecret.getBytes());
aaaManager.handleRadiusPacket(radiusCodeAccessChallengePacket);
Ethernet radiusChallengeMD5Packet = (Ethernet) fetchPacket(2);
@@ -367,13 +318,17 @@
// (4) Supplicant MD5 response
Ethernet md5RadiusPacket = constructSupplicantIdentifyPacket(stateMachine, EAP.ATTR_MD5,
- stateMachine.challengeIdentifier(), radiusChallengeMD5Packet);
+ stateMachine.challengeIdentifier(), radiusChallengeMD5Packet);
sendPacket(md5RadiusPacket);
aaaManager.aaaStatisticsManager.calculatePacketRoundtripTime();
+
+ RADIUS responseMd5RadiusPacket = (RADIUS) fetchPacket(3);
+
// (5) RADIUS Rejected
RADIUS rejectedPacket =
- constructRadiusCodeAccessChallengePacket(RADIUS.RADIUS_CODE_ACCESS_REJECT, EAP.FAILURE);
+ constructRadiusCodeAccessChallengePacket(RADIUS.RADIUS_CODE_ACCESS_REJECT, EAP.FAILURE,
+ responseMd5RadiusPacket.getIdentifier(), aaaManager.radiusSecret.getBytes());
aaaManager.handleRadiusPacket((rejectedPacket));
Ethernet supplicantRejectedPacket = (Ethernet) fetchPacket(4);
@@ -396,15 +351,12 @@
assertNotEquals(aaaStatisticsManager.getAaaStats().getChallengeResponsesRx(), ZERO);
assertNotEquals(aaaStatisticsManager.getAaaStats().getDroppedResponsesRx(), ZERO);
assertNotEquals(aaaStatisticsManager.getAaaStats().getInvalidValidatorsRx(), ZERO);
- assertNotEquals(aaaStatisticsManager.getAaaStats().getPendingRequests(), ZERO);
assertNotEquals(aaaStatisticsManager.getAaaStats().getRejectResponsesRx(), ZERO);
- assertNotEquals(aaaStatisticsManager.getAaaStats().getRequestRttMilis(), ZERO);
- assertNotEquals(aaaStatisticsManager.getAaaStats().getUnknownTypeRx(), ZERO);
// Counts the aaa Statistics count
countAaaStatistics();
- }
+ }
/*
* Tests the retransmitted packet and malformed packet count
@@ -436,7 +388,7 @@
// creating malformed packet
final ByteBuffer byteBuffer = ByteBuffer.wrap(startPacket.serialize());
InboundPacket inPacket = new DefaultInboundPacket(connectPoint("1", 1),
- startPacket, byteBuffer);
+ startPacket, byteBuffer);
PacketContext context = new TestPacketContext(127L, inPacket, null, false);
aaaManager.impl.handlePacketFromServer(context);
@@ -456,10 +408,11 @@
countAaaStatistics();
}
- /** Tests the authentication path through the AAA application.
- * And counts the aaa Stats for logoff transactionXZ.
- * @throws DeserializationException
- * if packed deserialization fails.
+ /**
+ * Tests the authentication path through the AAA application.
+ * And counts the aaa Stats for logoff transactionXZ.
+ *
+ * @throws DeserializationException if packed deserialization fails.
*/
@Test
public void testAaaStatisticsForLogoffPackets() throws Exception {
@@ -483,19 +436,21 @@
assertThat(new String(radiusIdentifyPacket.getAttribute(RADIUSAttribute.RADIUS_ATTR_USERNAME).getValue()),
is("testuser"));
IpAddress nasIp = IpAddress.valueOf(IpAddress.Version.INET,
- radiusIdentifyPacket.getAttribute(RADIUSAttribute.RADIUS_ATTR_NAS_IP).getValue());
+ radiusIdentifyPacket.getAttribute(RADIUSAttribute.RADIUS_ATTR_NAS_IP).getValue());
assertThat(nasIp.toString(), is(aaaManager.nasIpAddress.getHostAddress()));
// State machine should have been created by now
- StateMachine stateMachine = StateMachine.lookupStateMachineBySessionId(SESSION_ID);
+ //StateMachine stateMachine = StateMachine.lookupStateMachineBySessionId(SESSION_ID);
+ StateMachine stateMachine = aaaManager.getStateMachine(SESSION_ID);
assertThat(stateMachine, notNullValue());
assertThat(stateMachine.state(), is(StateMachine.STATE_PENDING));
// (3) RADIUS MD5 challenge
- RADIUS radiusCodeAccessChallengePacket = constructRadiusCodeAccessChallengePacket(
- RADIUS.RADIUS_CODE_ACCESS_CHALLENGE, EAP.ATTR_MD5);
+ RADIUS radiusCodeAccessChallengePacket = constructRadiusCodeAccessChallengePacket(
+ RADIUS.RADIUS_CODE_ACCESS_CHALLENGE, EAP.ATTR_MD5,
+ radiusIdentifyPacket.getIdentifier(), aaaManager.radiusSecret.getBytes());
aaaManager.handleRadiusPacket(radiusCodeAccessChallengePacket);
Ethernet radiusChallengeMD5Packet = (Ethernet) fetchPacket(2);
@@ -503,14 +458,13 @@
// (4) Supplicant MD5 response
- Ethernet md5RadiusPacket = constructSupplicantIdentifyPacket(stateMachine, EAP.ATTR_MD5,
- stateMachine.challengeIdentifier(), radiusChallengeMD5Packet);
- sendPacket(md5RadiusPacket);
+ Ethernet md5RadiusPacket = constructSupplicantIdentifyPacket(stateMachine, EAP.ATTR_MD5,
+ stateMachine.challengeIdentifier(), radiusChallengeMD5Packet);
+ sendPacket(md5RadiusPacket);
RADIUS responseMd5RadiusPacket = (RADIUS) fetchPacket(3);
checkRadiusPacketFromSupplicant(responseMd5RadiusPacket);
- assertThat(responseMd5RadiusPacket.getIdentifier(), is((byte) 9));
assertThat(responseMd5RadiusPacket.getCode(), is(RADIUS.RADIUS_CODE_ACCESS_REQUEST));
// State machine should be in pending state
@@ -521,7 +475,8 @@
// (5) RADIUS Success
RADIUS successPacket =
- constructRadiusCodeAccessChallengePacket(RADIUS.RADIUS_CODE_ACCESS_ACCEPT, EAP.SUCCESS);
+ constructRadiusCodeAccessChallengePacket(RADIUS.RADIUS_CODE_ACCESS_ACCEPT, EAP.SUCCESS,
+ responseMd5RadiusPacket.getIdentifier(), aaaManager.radiusSecret.getBytes());
aaaManager.handleRadiusPacket((successPacket));
Ethernet supplicantSuccessPacket = (Ethernet) fetchPacket(4);
@@ -533,8 +488,8 @@
assertThat(stateMachine.state(), is(StateMachine.STATE_AUTHORIZED));
// Supplicant trigger EAP Logoff
- Ethernet loggoffPacket = constructSupplicantLogoffPacket();
- sendPacket(loggoffPacket);
+ Ethernet logoffPacket = constructSupplicantLogoffPacket();
+ sendPacket(logoffPacket);
// State machine should be in logoff state
assertThat(stateMachine, notNullValue());
@@ -547,8 +502,8 @@
assertNotEquals(aaaStatisticsManager.getAaaStats().getEapolStartReqTrans(), ZERO);
assertNotEquals(aaaStatisticsManager.getAaaStats().getEapolTransRespNotNak(), ZERO);
assertNotEquals(aaaStatisticsManager.getAaaStats().getEapPktTxauthChooseEap(), ZERO);
- // Counts the aaa Statistics count
- countAaaStatistics();
+ // Counts the aaa Statistics count
+ countAaaStatistics();
}
@@ -575,16 +530,16 @@
*/
class TestSocketBasedRadiusCommunicator extends SocketBasedRadiusCommunicator {
- TestSocketBasedRadiusCommunicator(ApplicationId appId, PacketService pktService, AaaManager aaaManager) {
- super(appId, pktService, aaaManager);
- }
+ TestSocketBasedRadiusCommunicator(ApplicationId appId, PacketService pktService, AaaManager aaaManager) {
+ super(appId, pktService, aaaManager);
+ }
// Implementation of socketBasedRadiusCommunicator--> run() method
public void handlePacketFromServer(PacketContext context) {
- RADIUS incomingPkt = (RADIUS) fetchPacket(savedPackets.size() - 1);
- try {
- if (context == null) {
+ RADIUS incomingPkt = (RADIUS) fetchPacket(savedPackets.size() - 1);
+ try {
+ if (context == null) {
aaaStatisticsManager.handleRoundtripTime(incomingPkt.getIdentifier());
aaaManager.handleRadiusPacket(incomingPkt);
} else if (null != context) {
@@ -594,14 +549,11 @@
incomingPkt =
RADIUS.deserializer().deserialize(incomingPkt.generateAuthCode(), 0, 1);
}
- } catch (DeserializationException dex) {
- aaaManager.aaaStatisticsManager.getAaaStats().increaseMalformedResponsesRx();
- aaaStatisticsManager.getAaaStats().countDroppedResponsesRx();
- log.error("Cannot deserialize packet", dex);
- } catch (StateMachineException sme) {
- log.error("Illegal state machine operation", sme);
- }
-
+ } catch (DeserializationException dex) {
+ aaaManager.aaaStatisticsManager.getAaaStats().increaseMalformedResponsesRx();
+ aaaStatisticsManager.getAaaStats().countDroppedResponsesRx();
+ log.error("Cannot deserialize packet", dex);
+ }
}
}
diff --git a/app/src/test/java/org/opencord/aaa/impl/AaaTestBase.java b/app/src/test/java/org/opencord/aaa/impl/AaaTestBase.java
index 14f1258..3d7a28b 100644
--- a/app/src/test/java/org/opencord/aaa/impl/AaaTestBase.java
+++ b/app/src/test/java/org/opencord/aaa/impl/AaaTestBase.java
@@ -15,6 +15,7 @@
*/
package org.opencord.aaa.impl;
+import com.google.common.base.Charsets;
import org.onlab.packet.BasePacket;
import org.onlab.packet.EAP;
import org.onlab.packet.EAPOL;
@@ -22,15 +23,17 @@
import org.onlab.packet.Ethernet;
import org.onlab.packet.Ip4Address;
import org.onlab.packet.MacAddress;
+import org.onlab.packet.RADIUS;
+import org.onlab.packet.RADIUSAttribute;
import org.onlab.packet.VlanId;
import org.onosproject.cfg.ComponentConfigService;
import org.onosproject.cfg.ConfigProperty;
import org.onosproject.net.Annotations;
-import org.onosproject.net.device.DeviceServiceAdapter;
import org.onosproject.net.ConnectPoint;
import org.onosproject.net.Element;
import org.onosproject.net.Port;
import org.onosproject.net.PortNumber;
+import org.onosproject.net.device.DeviceServiceAdapter;
import org.onosproject.net.packet.DefaultInboundPacket;
import org.onosproject.net.packet.DefaultPacketContext;
import org.onosproject.net.packet.InboundPacket;
@@ -38,7 +41,6 @@
import org.onosproject.net.packet.PacketContext;
import org.onosproject.net.packet.PacketProcessor;
import org.onosproject.net.packet.PacketServiceAdapter;
-
import org.opencord.sadis.BandwidthProfileInformation;
import org.opencord.sadis.BaseInformationService;
import org.opencord.sadis.SadisService;
@@ -477,4 +479,34 @@
return eth;
}
+ /**
+ * Constructs an Ethernet packet containing a RADIUS challenge
+ * packet.
+ *
+ * @param challengeCode code to use in challenge packet
+ * @param challengeType type to use in challenge packet
+ * @return Ethernet packet
+ */
+ RADIUS constructRadiusCodeAccessChallengePacket(byte challengeCode, byte challengeType,
+ byte identifier, byte[] messageAuth) {
+
+ String challenge = "12345678901234567";
+
+ EAP eap = new EAP(challengeType, (byte) 4, challengeType,
+ challenge.getBytes(Charsets.US_ASCII));
+ //eap.setIdentifier((byte) 4);
+ eap.setIdentifier(identifier);
+
+ RADIUS radius = new RADIUS();
+ radius.setCode(challengeCode);
+ //radius.setIdentifier((byte) 4);
+ radius.setIdentifier(identifier);
+ radius.setAttribute(RADIUSAttribute.RADIUS_ATTR_STATE,
+ challenge.getBytes(Charsets.US_ASCII));
+
+ radius.setPayload(eap);
+ radius.setAttribute(RADIUSAttribute.RADIUS_ATTR_EAP_MESSAGE, eap.serialize());
+ radius.setAttribute(RADIUSAttribute.RADIUS_ATTR_MESSAGE_AUTH, messageAuth);
+ return radius;
+ }
}
diff --git a/app/src/test/java/org/opencord/aaa/impl/StateMachineTest.java b/app/src/test/java/org/opencord/aaa/impl/StateMachineTest.java
index 4053ff9..e66a5f3 100644
--- a/app/src/test/java/org/opencord/aaa/impl/StateMachineTest.java
+++ b/app/src/test/java/org/opencord/aaa/impl/StateMachineTest.java
@@ -19,11 +19,10 @@
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
-import org.onlab.packet.MacAddress;
+
+import java.util.concurrent.Executors;
import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertNull;
public class StateMachineTest {
StateMachine stateMachine = null;
@@ -31,15 +30,13 @@
@Before
public void setUp() {
System.out.println("Set Up.");
- StateMachine.initializeMaps();
StateMachine.setDelegate(e -> { });
- stateMachine = new StateMachine("session0");
+ stateMachine = new StateMachine("session0", Executors.newSingleThreadScheduledExecutor());
}
@After
public void tearDown() {
System.out.println("Tear Down.");
- StateMachine.destroyMaps();
stateMachine = null;
}
@@ -47,7 +44,7 @@
/**
* Test all the basic inputs from state to state: IDLE -> STARTED -> PENDING -> AUTHORIZED -> IDLE
*/
- public void basic() throws StateMachineException {
+ public void basic() {
System.out.println("======= BASIC =======.");
assertEquals(stateMachine.state(), StateMachine.STATE_IDLE);
@@ -68,7 +65,7 @@
/**
* Test all inputs from an IDLE state (starting with the ones that are not impacting the current state)
*/
- public void testIdleState() throws StateMachineException {
+ public void testIdleState() {
System.out.println("======= IDLE STATE TEST =======.");
stateMachine.requestAccess();
assertEquals(stateMachine.state(), StateMachine.STATE_IDLE);
@@ -90,7 +87,7 @@
/**
* Test all inputs from an STARTED state (starting with the ones that are not impacting the current state)
*/
- public void testStartedState() throws StateMachineException {
+ public void testStartedState() {
System.out.println("======= STARTED STATE TEST =======.");
stateMachine.start();
@@ -115,7 +112,7 @@
* Test all inputs from a PENDING state (starting with the ones that are not impacting the current state).
* The next valid state for this test is AUTHORIZED
*/
- public void testPendingStateToAuthorized() throws StateMachineException {
+ public void testPendingStateToAuthorized() {
System.out.println("======= PENDING STATE TEST (AUTHORIZED) =======.");
stateMachine.start();
stateMachine.requestAccess();
@@ -141,7 +138,7 @@
* Test all inputs from an PENDING state (starting with the ones that are not impacting the current state).
* The next valid state for this test is UNAUTHORIZED
*/
- public void testPendingStateToUnauthorized() throws StateMachineException {
+ public void testPendingStateToUnauthorized() {
System.out.println("======= PENDING STATE TEST (DENIED) =======.");
stateMachine.start();
stateMachine.requestAccess();
@@ -166,7 +163,7 @@
/**
* Test all inputs from an AUTHORIZED state (starting with the ones that are not impacting the current state).
*/
- public void testAuthorizedState() throws StateMachineException {
+ public void testAuthorizedState() {
System.out.println("======= AUTHORIZED STATE TEST =======.");
stateMachine.start();
stateMachine.requestAccess();
@@ -192,7 +189,7 @@
/**
* Test all inputs from an UNAUTHORIZED state (starting with the ones that are not impacting the current state).
*/
- public void testUnauthorizedState() throws StateMachineException {
+ public void testUnauthorizedState() {
System.out.println("======= UNAUTHORIZED STATE TEST =======.");
stateMachine.start();
stateMachine.requestAccess();
@@ -214,87 +211,4 @@
assertEquals(stateMachine.state(), StateMachine.STATE_IDLE);
}
- @Test
- public void testSessionIdLookups() {
- String sessionId1 = "session1";
- String sessionId2 = "session2";
- String sessionId3 = "session3";
-
- StateMachine machine1ShouldBeNull =
- StateMachine.lookupStateMachineBySessionId(sessionId1);
- assertNull(machine1ShouldBeNull);
- StateMachine machine2ShouldBeNull =
- StateMachine.lookupStateMachineBySessionId(sessionId2);
- assertNull(machine2ShouldBeNull);
-
- StateMachine stateMachine1 = new StateMachine(sessionId1);
- StateMachine stateMachine2 = new StateMachine(sessionId2);
-
- assertEquals(stateMachine1,
- StateMachine.lookupStateMachineBySessionId(sessionId1));
- assertEquals(stateMachine2,
- StateMachine.lookupStateMachineBySessionId(sessionId2));
- assertNull(StateMachine.lookupStateMachineBySessionId(sessionId3));
- }
-
- @Test
- public void testIdentifierLookups() throws StateMachineException {
- String sessionId1 = "session1";
- String sessionId2 = "session2";
-
- StateMachine machine1ShouldBeNull =
- StateMachine.lookupStateMachineById((byte) 1);
- assertNull(machine1ShouldBeNull);
- StateMachine machine2ShouldBeNull =
- StateMachine.lookupStateMachineById((byte) 2);
- assertNull(machine2ShouldBeNull);
-
- StateMachine stateMachine1 = new StateMachine(sessionId1);
- stateMachine1.start();
- StateMachine stateMachine2 = new StateMachine(sessionId2);
- stateMachine2.start();
-
- assertEquals(stateMachine1,
- StateMachine.lookupStateMachineById(stateMachine1.identifier()));
- assertEquals(stateMachine2,
- StateMachine.lookupStateMachineById(stateMachine2.identifier()));
- }
-
- @Test
- /**
- * Test state machine deletes
- */
- public void testStateMachineReset() throws StateMachineException {
-
- int count = 256;
-
- //StateMachine.initializeMaps();
- StateMachine.lookupStateMachineById((byte) 1);
-
- // Instantiate a bunch of state machines
- for (int i = 0; i < count; i += 1) {
- String mac = String.format("00:00:00:00:00:%02x", i);
- StateMachine sm = new StateMachine(mac);
- sm.start();
- sm.setSupplicantAddress(MacAddress.valueOf(mac));
- }
-
- // Verify all state machines with a "even" MAC exist
- for (int i = 0; i < count; i += 2) {
- String mac = String.format("00:00:00:00:00:%02x", i);
- assertNotNull(StateMachine.lookupStateMachineBySessionId(mac));
- }
-
- // Delete all state machines with a "even" MAC
- for (int i = 0; i < count; i += 2) {
- String mac = String.format("00:00:00:00:00:%02x", i);
- StateMachine.deleteByMac(MacAddress.valueOf(mac));
- }
-
- // Verify all the delete state machines no long exist
- for (int i = 0; i < count; i += 2) {
- String mac = String.format("00:00:00:00:00:%02x", i);
- assertNull(StateMachine.lookupStateMachineBySessionId(mac));
- }
- }
}