From 794f446a284ed1ac6d31eb79a8f4c874d66fc34e Mon Sep 17 00:00:00 2001
From: Vadim Yanitskiy
Date: Mon, 27 May 2019 05:39:06 +0700
Subject: osmo-sgsn: add VTY parameter to toggle authentication
It may be useful to have 'remote' authorization policy, but do not require authentication in GERAN at the same time, e.g. in combination with 'subscriber-create-on-demand' feature of OsmoHLR. This change introduces a new VTY parameter similar to the one that we already have in OsmoMSC: authentication (optional|required) Please note that 'required' only applies if 'auth-policy' is 'remote'.
Change-Id: I9909145e7e0af587c28827e16301a61b13eedaa9
---
 doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg | 1 +
 doc/examples/osmo-sgsn/osmo-sgsn.cfg | 1 +
 doc/manuals/vty/sgsn_vty_reference.xml | 7 +++++
 src/gprs/sgsn_vty.c | 37 ++++++++++++++++++++++++-
 4 files changed, 45 insertions(+), 1 deletion(-)
diff --git a/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg b/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg
index b47878a21..85112f41c 100644
--- a/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg
+++ b/doc/examples/osmo-sgsn/osmo-sgsn-accept-all.cfg
@@ -10,6 +10,7 @@ sgsn
 ggsn 0 remote-ip 127.0.0.2
 ggsn 0 gtp-version 1
 ggsn 0 echo-interval 60
+ authentication optional
 auth-policy accept-all
 !
 ns
diff --git a/doc/examples/osmo-sgsn/osmo-sgsn.cfg b/doc/examples/osmo-sgsn/osmo-sgsn.cfg
index 263bd00e2..3be4d4935 100644
--- a/doc/examples/osmo-sgsn/osmo-sgsn.cfg
+++ b/doc/examples/osmo-sgsn/osmo-sgsn.cfg
@@ -10,6 +10,7 @@ sgsn
 ggsn 0 remote-ip 127.0.0.2
 ggsn 0 gtp-version 1
 ggsn 0 echo-interval 60
+ authentication required
 auth-policy remote
 gsup remote-ip 127.0.0.1
 gsup remote-port 4222
diff --git a/doc/manuals/vty/sgsn_vty_reference.xml b/doc/manuals/vty/sgsn_vty_reference.xml
index 7619215d5..ed117778e 100644
--- a/doc/manuals/vty/sgsn_vty_reference.xml
+++ b/doc/manuals/vty/sgsn_vty_reference.xml
@@ -2230,6 +2230,13 @@ + + + + + + +
diff --git a/src/gprs/sgsn_vty.c b/src/gprs/sgsn_vty.c index 6389d92ac..29c97718e 100644 --- a/src/gprs/sgsn_vty.c +++ b/src/gprs/sgsn_vty.c @@ -211,6 +211,8 @@ static int config_write_sgsn(struct vty *vty) if (g_cfg->gsup_server_port) vty_out(vty, " gsup remote-port %d%s", g_cfg->gsup_server_port, VTY_NEWLINE); + vty_out(vty, " authentication %s%s", + g_cfg->require_authentication ? "required" : "optional", VTY_NEWLINE); vty_out(vty, " auth-policy %s%s", get_value_string(sgsn_auth_pol_strs, g_cfg->auth_policy), VTY_NEWLINE); @@ -693,6 +695,27 @@ DEFUN(cfg_encrypt, cfg_encrypt_cmd, return CMD_SUCCESS; } +DEFUN(cfg_authentication, cfg_authentication_cmd, + "authentication (optional|required)", + "Whether to enforce MS authentication in GERAN\n" + "Allow MS to attach via GERAN without authentication\n" + "Always require authentication\n") +{ + int required = (argv[0][0] == 'r'); + + if (vty->type != VTY_FILE) { + if (g_cfg->auth_policy != SGSN_AUTH_POLICY_REMOTE && required) { + vty_out(vty, "%% Authentication is not possible without HLR, " + "consider setting 'auth-policy' to 'remote'%s", + VTY_NEWLINE); + return CMD_WARNING; + } + } + + g_cfg->require_authentication = required; + return CMD_SUCCESS; +} + DEFUN(cfg_auth_policy, cfg_auth_policy_cmd, "auth-policy (accept-all|closed|acl-only|remote)", "Configure the Authorization policy of the SGSN. This setting determines which subscribers are" @@ -705,9 +728,12 @@ DEFUN(cfg_auth_policy, cfg_auth_policy_cmd, int val = get_string_value(sgsn_auth_pol_strs, argv[0]); OSMO_ASSERT(val >= SGSN_AUTH_POLICY_OPEN && val <= SGSN_AUTH_POLICY_REMOTE); g_cfg->auth_policy = val; - g_cfg->require_authentication = (val == SGSN_AUTH_POLICY_REMOTE); g_cfg->require_update_location = (val == SGSN_AUTH_POLICY_REMOTE); + /* Authentication is not possible without HLR */ + if (val != SGSN_AUTH_POLICY_REMOTE) + g_cfg->require_authentication = 0; + return CMD_SUCCESS; } 
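Review bot: The `vty->type != VTY_FILE` guard in `cfg_authentication` has no comment saying why the policy check is skipped while a config file is being read. From the visible lines the reason appears to be ordering: `config_write_sgsn` emits `authentication` before `auth-policy`, so an immediate check would reject a valid file, and `sgsn_parse_config` validates the combination once parsing is done. I would add `/* In a config file 'authentication' precedes 'auth-policy'; the combination is validated in sgsn_parse_config() */` above the guard. Separately, `argv[0][0] == 'r'` ties the result to the first letter of the keyword; `!strcmp(argv[0], "required")` states the intent and survives a later keyword that also starts with 'r'.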
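Review bot: With `g_cfg->require_authentication = (val == SGSN_AUTH_POLICY_REMOTE);` removed from `cfg_auth_policy`, selecting `auth-policy remote` no longer turns authentication on; the flag keeps whatever value it already had. Its initial value is set outside this diff, so if it starts at 0, an existing config with `auth-policy remote` and no `authentication` line would accept GERAN attaches without authentication after upgrading. It is worth confirming that the default is 'required', or documenting the migration step. The same holds interactively: switching away from `remote` clears the flag silently and switching back does not restore it, so a notice such as `vty_out(vty, "%% 'authentication' has been reset to 'optional'%s", VTY_NEWLINE);` when a set flag is cleared would make the downgrade visible. The DEFUN header and opening brace lie outside this hunk.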
@@ -1391,6 +1417,7 @@ int sgsn_vty_init(struct sgsn_config *cfg) install_element(SGSN_NODE, &cfg_ggsn_no_echo_interval_cmd); install_element(SGSN_NODE, &cfg_imsi_acl_cmd); install_element(SGSN_NODE, &cfg_auth_policy_cmd); + install_element(SGSN_NODE, &cfg_authentication_cmd); install_element(SGSN_NODE, &cfg_encrypt_cmd); install_element(SGSN_NODE, &cfg_gsup_ipa_name_cmd); install_element(SGSN_NODE, &cfg_gsup_remote_ip_cmd); @@ -1462,6 +1489,14 @@ int sgsn_parse_config(const char *config_file) return rc; } + if (g_cfg->auth_policy != SGSN_AUTH_POLICY_REMOTE + && g_cfg->require_authentication) { + fprintf(stderr, "Configuration error:" + " authentication is not possible without HLR." + " Consider setting 'auth-policy' to 'remote'\n"); + return -EINVAL; + } + if (g_cfg->auth_policy == SGSN_AUTH_POLICY_REMOTE && !(g_cfg->gsup_server_addr.sin_addr.s_addr && g_cfg->gsup_server_port)) { -- cgit v1.2.3
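Review bot: The new check in `sgsn_parse_config` rejects 'required' without `remote`, but the weaker combination, `auth-policy remote` with authentication left optional, starts without any notice. That state allows GERAN attaches without authentication while authorization is still delegated, so a startup message would help operators and audits spot it. For example, `fprintf(stderr, "Warning: 'auth-policy remote' is configured with authentication optional\n");` guarded by `g_cfg->auth_policy == SGSN_AUTH_POLICY_REMOTE && !g_cfg->require_authentication`. The function begins before and continues after this hunk.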