Merge pull request #333 from Telecominfraproject/master

https://telecominfraproject.atlassian.net/browse/WIFI-7831
Telecominfraproject · Sep 26, 2023 · bc8cf59 · bc8cf59
2 parents e623774 + c48d129
commit bc8cf59
Show file tree

Hide file tree

Showing 6 changed files with 44 additions and 12 deletions.
diff --git a/build b/build
@@ -1 +1 @@
-27
+29
diff --git a/openapi/owgw.yaml b/openapi/owgw.yaml
@@ -1359,6 +1359,9 @@ components:
           description: The keep alive value in seconds. Usually 30s or less.
           format: int64
           default: 25
+        enabled:
+          type: boolean
+          default: true
 
     RadiusProxyPoolList:
       type: object

diff --git a/src/RADIUS_proxy_server.cpp b/src/RADIUS_proxy_server.cpp
@@ -159,11 +159,15 @@ namespace OpenWifi {
 	void RADIUS_proxy_server::StartRADSECServers() {
 		std::lock_guard G(Mutex_);
 		for (const auto &pool : PoolList_.pools) {
-			for (const auto &entry : pool.authConfig.servers) {
-				if (entry.radsec) {
-					RADSECservers_[Poco::Net::SocketAddress(entry.ip, 0)] =
-						std::make_unique<RADSEC_server>(*RadiusReactor_, entry, pool);
+			if(pool.enabled) {
+				for (const auto &entry : pool.authConfig.servers) {
+					if (entry.radsec) {
+						RADSECservers_[Poco::Net::SocketAddress(entry.ip, 0)] =
+							std::make_unique<RADSEC_server>(*RadiusReactor_, entry, pool);
+					}
 				}
+			} else {
+				poco_information(Logger(),fmt::format("Pool {} is not enabled.", pool.name));
 			}
 		}
 	}

diff --git a/src/RADSEC_server.h b/src/RADSEC_server.h
@@ -53,19 +53,26 @@ namespace OpenWifi {
 
 		inline void run() final {
 			Poco::Thread::trySleep(5000);
-			std::uint64_t LastStatus = 0;
+			std::uint64_t CurrentDelay = 10, maxDelay=300, LastTry=0, LastKeepAlive=0;
 			while (TryAgain_) {
 				if (!Connected_) {
-					LastStatus = Utils::Now();
-					Connect();
-				} else if ((Utils::Now() - LastStatus) > KeepAlive_) {
+					if(!LastTry || (Utils::Now()-LastTry)>CurrentDelay) {
+						LastTry = Utils::Now();
+						if (!Connect()) {
+							CurrentDelay *= 2;
+							if(CurrentDelay>maxDelay) CurrentDelay=10;
+						} else {
+							CurrentDelay = 10;
+						}
+					}
+				} else if ((Utils::Now() - LastKeepAlive) > KeepAlive_) {
 					RADIUS::RadiusOutputPacket P(Server_.radsecSecret);
 					P.MakeStatusMessage();
 					poco_trace(Logger_, fmt::format("{}: Keep-Alive message.", Server_.name));
 					Socket_->sendBytes(P.Data(), P.Len());
-					LastStatus = Utils::Now();
+					LastKeepAlive = Utils::Now();
 				}
-				Poco::Thread::trySleep(!Connected_ ? 30000 : 2000);
+				Poco::Thread::trySleep(2000);
 			}
 		}
 
@@ -166,6 +173,9 @@ namespace OpenWifi {
 			Disconnect();
 		}
 
+		static inline bool IsExpired(const Poco::Crypto::X509Certificate &C) {
+			return C.expiresOn().timestamp().epochTime() < (std::time_t)Utils::Now();
+		}
 
 		inline bool Connect_GlobalReach() {
 			if (TryAgain_) {
@@ -221,7 +231,13 @@ namespace OpenWifi {
 				}
 
 				SecureContext->usePrivateKey(Poco::Crypto::RSAKey("",KeyFile_.path(),""));
-				SecureContext->useCertificate(Poco::Crypto::X509Certificate(CertFile_.path()));
+				Poco::Crypto::X509Certificate	Cert(CertFile_.path());
+				if(!IsExpired(Cert)) {
+					SecureContext->useCertificate(Poco::Crypto::X509Certificate(CertFile_.path()));
+				} else {
+					poco_error(Logger_, fmt::format("Certificate for {} has expired. We cannot connect to this server.", Server_.name));
+					return false;
+				}
 				SecureContext->addCertificateAuthority(Poco::Crypto::X509Certificate(OpenRoamingRootCertFile_.path()));
 				SecureContext->addChainCertificate(Poco::Crypto::X509Certificate(Intermediate0.path()));
 				SecureContext->addChainCertificate(Poco::Crypto::X509Certificate(Intermediate1.path()));
@@ -287,6 +303,12 @@ namespace OpenWifi {
 				DecodeFile(CertFile_.path(), Server_.radsecCert);
 				DecodeFile(KeyFile_.path(), Server_.radsecKey);
 
+				Poco::Crypto::X509Certificate	Cert(CertFile_.path());
+				if(IsExpired(Cert)) {
+					poco_error(Logger_, fmt::format("Certificate for {} has expired. We cannot connect to this server.", Server_.name));
+					return false;
+				}
+
 				for (auto &cert : Server_.radsecCacerts) {
 					CaCertFiles_.emplace_back(
 						std::make_unique<Poco::TemporaryFile>(MicroServiceDataDirectory()));

diff --git a/src/RESTObjects/RESTAPI_GWobjects.cpp b/src/RESTObjects/RESTAPI_GWobjects.cpp
@@ -433,6 +433,7 @@ namespace OpenWifi::GWObjects {
 		field_to_json(Obj, "radsecKeepAlive", radsecKeepAlive);
 		field_to_json(Obj, "poolProxyIp", poolProxyIp);
 		field_to_json(Obj, "radsecPoolType", radsecPoolType);
+		field_to_json(Obj, "enabled", enabled);
 	}
 
 	bool RadiusProxyPool::from_json(const Poco::JSON::Object::Ptr &Obj) {
@@ -446,6 +447,7 @@ namespace OpenWifi::GWObjects {
 			field_from_json(Obj, "radsecKeepAlive", radsecKeepAlive);
 			field_from_json(Obj, "poolProxyIp", poolProxyIp);
 			field_from_json(Obj, "radsecPoolType", radsecPoolType);
+			field_from_json(Obj, "enabled", enabled);
 			return true;
 		} catch (const Poco::Exception &E) {
 		}

diff --git a/src/RESTObjects/RESTAPI_GWobjects.h b/src/RESTObjects/RESTAPI_GWobjects.h
@@ -363,6 +363,7 @@ namespace OpenWifi::GWObjects {
 		std::string 	radsecPoolType;
 		std::string 	poolProxyIp;
 		std::uint64_t 	radsecKeepAlive=25;
+		bool			enabled=true;
 
 		void to_json(Poco::JSON::Object &Obj) const;
 		bool from_json(const Poco::JSON::Object::Ptr &Obj);