Service description
A microservice for deauthenticating user sessions and removing user MAC addresses. Eltex-disconnect interacts with the PCRF service, to which it sends the user session removal command directly, and with the Doors authentication service, which validates incoming JWT tokens.
Available API methods: disconnect
- On success, Eltex-disconnect returns the following response:
{ "success" : true }
- If an error occurs, the response is as follows:
{ "success" : false, "fail" : "description of the error occurred" }
Description of work
Disconnect waits for a GET request on port 9096: http://{{Ip_address}}:9096/disconnect?token={{token}}
Request example:
http://192.168.49.110:9096/disconnect?token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIiwiYXV0aCI6WyJST0xFX0FETUlOIl0sImlhdCI6MTU1OTI3OTU4MCwiZXhwIjoxNTU5MzUxNTgwLCJuYXNJcCI6IjEwMC4xMTIuMC4xIiwic2Vzc2lvbklkIjoiNTY5MjU0OTkyODk5NjMwNzk2NCIsInZyZiI6IjEiLCJjbGllbnRNYWMiOiJGQy00NS05Ni01Ri01MC1BQyJ9.fWhOkgFo_rLd2mB9_70HotPH9LlGh7SuT1-qDQvv77U
After receiving the GET request, eltex-disconnect sends the token to eltex-doors to check that the request really comes from an authorized source. Eltex-doors checks the token and responds according to whether it is valid.
The next step is decoding the token to extract the payload (metadata) describing the session of the user to be deauthenticated.
Decoded token example:
{
    "sub": "user",
    "auth": [ "ROLE_ADMIN" ],
    "iat": 1559279580,
    "exp": 1559351580,
    "nasIp": "100.112.0.1",
    "sessionId": "5692549928996307964",
    "vrf": "1",
    "clientMac": "FC-45-96-5F-50-AC"
}
Description of the payload token fields
- sub - a user
- iat - token creation time
- exp - token lifetime
- nasIp - device's NAS
- sessionId - unique user session
- vrf - Virtual Routing and Forwarding
- clientMac - client's MAC address
A disconnect GET request with all the necessary parameters (VRF, MAC, sessionId, nasIp) is then sent to the PCRF API.
Request example:
GET http://127.0.0.1:7070/account/disconnect?session=5692549928996307974&nas_ip=100.112.0.1&vrf=1&single=false&mac=FC-45-96-5F-50-AC&remove_mac=true
PCRF performs the appropriate actions: deauthentication and MAC address removal.
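The decode-and-forward steps above as an added Python example (not the service's own code). The function names and the claim format checks are assumptions inferred from the page's sample values; signature validation stays with eltex-doors and is not reproduced here.

```python
import base64, ipaddress, json, re
from urllib.parse import urlencode

# Field formats below are assumptions inferred from the page's sample values.
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}")
NUM_RE = re.compile(r"[0-9]+")

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT. This does NOT verify the
    signature; in the flow above that check is delegated to eltex-doors."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    seg = parts[1]
    payload = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    if not isinstance(payload, dict):
        raise ValueError("payload is not a JSON object")
    return payload

def build_pcrf_url(payload: dict, now: int, host: str = "127.0.0.1", port: int = 7070) -> str:
    """Check every claim before it reaches the PCRF query string."""
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("token expired or exp missing")
    session, vrf, mac = (str(payload.get(k, "")) for k in ("sessionId", "vrf", "clientMac"))
    if not NUM_RE.fullmatch(session) or not NUM_RE.fullmatch(vrf):
        raise ValueError("sessionId and vrf must be numeric")
    if not MAC_RE.fullmatch(mac):
        raise ValueError("clientMac must look like FC-45-96-5F-50-AC")
    nas_ip = str(ipaddress.ip_address(str(payload.get("nasIp"))))  # ValueError if malformed
    query = urlencode({"session": session, "nas_ip": nas_ip, "vrf": vrf,
                       "single": "false", "mac": mac, "remove_mac": "true"})
    return f"http://{host}:{port}/account/disconnect?{query}"

# Constructed sample: the page's decoded payload with a placeholder signature.
SAMPLE_PAYLOAD = {
    "sub": "user", "auth": ["ROLE_ADMIN"], "iat": 1559279580, "exp": 1559351580,
    "nasIp": "100.112.0.1", "sessionId": "5692549928996307964", "vrf": "1",
    "clientMac": "FC-45-96-5F-50-AC",
}
SAMPLE_TOKEN = ".".join([b64url(b'{"alg":"HS256"}'),
                         b64url(json.dumps(SAMPLE_PAYLOAD).encode()), "constructed-signature"])

if __name__ == "__main__":
    print(build_pcrf_url(decode_payload(SAMPLE_TOKEN), now=1559300000))
```

The `now` argument is passed explicitly so the expiry check can be exercised against the sample token, whose `exp` lies in the past.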
Configuration
The service's configuration file is located at /etc/eltex-disconnect-service/application.conf:
pcrf {
    host = localhost        # PCRF service address
    port = 7070             # the port listened by PCRF
    timeout = 100           # response timeout
}
doors {
    host = localhost        # address of Doors service
    port = 9097             # port listened by Doors
    path = /api             # path to request Doors
    timeout = 200           # response timeout
    connectionTotal = 100   # maximum number of connections to Doors
}
The logging configuration file is /etc/eltex-disconnect-service/log4j2.xml
The configuration file for service initialization is /etc/default/eltex-disconnect-service:
# The port listened by the service
PORT=9096
# Initial size of Java heap (RAM size allocated during initialization)
JAVA_INIT_HEAP=4m
# Maximum size of Java heap (RAM size allocated during operation)
JAVA_MAX_HEAP=32m
# Additional arguments to pass to java
JAVA_OPTS="-XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/log/eltex-disconnect-service