Gitiles
Code Review Sign In
gerrit.osmocom.org / osmo-sgsn / 794f446a284ed1ac6d31eb79a8f4c874d66fc34e^! / . / src / gprs
commit794f446a284ed1ac6d31eb79a8f4c874d66fc34e[log] [tgz]
authorVadim Yanitskiy <axilirator@gmail.com>Mon May 27 05:39:06 2019 +0700
committerlaforge <laforge@gnumonks.org>Thu Jun 06 19:45:34 2019 +0000
treea9fd8f5162c2450a58e9a665df2cfb9a30ac94e2
parentf7afd202000ccc7f59e059e3f5581507e3672af7 [diff]
osmo-sgsn: add VTY parameter to toggle authentication

It may be useful to have 'remote' authorization policy, but do not
require authentication in GERAN at the same time, e.g. in combination
with 'subscriber-create-on-demand' feature of OsmoHLR.

This change introduces a new VTY parameter similar to the one
that we already have in OsmoMSC:

  authentication (optional|required)

Please note that 'required' only applies if 'auth-policy' is 'remote'.

Change-Id: I9909145e7e0af587c28827e16301a61b13eedaa9

diff --git a/src/gprs/sgsn_vty.c b/src/gprs/sgsn_vty.c
index 6389d92..29c9771 100644
--- a/src/gprs/sgsn_vty.c
+++ b/src/gprs/sgsn_vty.c

@@ -211,6 +211,8 @@
 	if (g_cfg->gsup_server_port)
 		vty_out(vty, " gsup remote-port %d%s",
 			g_cfg->gsup_server_port, VTY_NEWLINE);
+	vty_out(vty, " authentication %s%s",
+		g_cfg->require_authentication ? "required" : "optional", VTY_NEWLINE);
 	vty_out(vty, " auth-policy %s%s",
 		get_value_string(sgsn_auth_pol_strs, g_cfg->auth_policy),
 		VTY_NEWLINE);
@@ -693,6 +695,27 @@
 	return CMD_SUCCESS;
 }
 
+DEFUN(cfg_authentication, cfg_authentication_cmd,
+      "authentication (optional|required)",
+      "Whether to enforce MS authentication in GERAN\n"
+      "Allow MS to attach via GERAN without authentication\n"
+      "Always require authentication\n")
+{
+	int required = (argv[0][0] == 'r');
+
+	if (vty->type != VTY_FILE) {
+		if (g_cfg->auth_policy != SGSN_AUTH_POLICY_REMOTE && required) {
+			vty_out(vty, "%% Authentication is not possible without HLR, "
+				     "consider setting 'auth-policy' to 'remote'%s",
+				     VTY_NEWLINE);
+			return CMD_WARNING;
+		}
+	}
+
+	g_cfg->require_authentication = required;
+	return CMD_SUCCESS;
+}
+
 DEFUN(cfg_auth_policy, cfg_auth_policy_cmd,
 	"auth-policy (accept-all|closed|acl-only|remote)",
 	"Configure the Authorization policy of the SGSN. This setting determines which subscribers are"
@@ -705,9 +728,12 @@
 	int val = get_string_value(sgsn_auth_pol_strs, argv[0]);
 	OSMO_ASSERT(val >= SGSN_AUTH_POLICY_OPEN && val <= SGSN_AUTH_POLICY_REMOTE);
 	g_cfg->auth_policy = val;
-	g_cfg->require_authentication = (val == SGSN_AUTH_POLICY_REMOTE);
 	g_cfg->require_update_location = (val == SGSN_AUTH_POLICY_REMOTE);
 
+	/* Authentication is not possible without HLR */
+	if (val != SGSN_AUTH_POLICY_REMOTE)
+		g_cfg->require_authentication = 0;
+
 	return CMD_SUCCESS;
 }
 
@@ -1391,6 +1417,7 @@
 	install_element(SGSN_NODE, &cfg_ggsn_no_echo_interval_cmd);
 	install_element(SGSN_NODE, &cfg_imsi_acl_cmd);
 	install_element(SGSN_NODE, &cfg_auth_policy_cmd);
+	install_element(SGSN_NODE, &cfg_authentication_cmd);
 	install_element(SGSN_NODE, &cfg_encrypt_cmd);
 	install_element(SGSN_NODE, &cfg_gsup_ipa_name_cmd);
 	install_element(SGSN_NODE, &cfg_gsup_remote_ip_cmd);
@@ -1462,6 +1489,14 @@
 		return rc;
 	}
 
+	if (g_cfg->auth_policy != SGSN_AUTH_POLICY_REMOTE
+	    && g_cfg->require_authentication) {
+		fprintf(stderr, "Configuration error:"
+			" authentication is not possible without HLR."
+			" Consider setting 'auth-policy' to 'remote'\n");
+		return -EINVAL;
+	}
+
 	if (g_cfg->auth_policy == SGSN_AUTH_POLICY_REMOTE
 	    && !(g_cfg->gsup_server_addr.sin_addr.s_addr
 		 && g_cfg->gsup_server_port)) {