
Service description

A microservice for deauthenticating user sessions and removing user MAC addresses. Eltex-disconnect interacts with the PCRF service, to which it directly sends the command to remove a user session, and with the Doors authentication service, which validates incoming JWT tokens.


Available API methods: disconnect

  • On success, eltex-disconnect returns the following response:
{
    "success" : true
}
  • If an error occurs, the response is as follows:
{
    "success" : false,
    "fail" : "description of the error that occurred"
}


Description of work

Disconnect waits for a GET request on port 9096: http://{{Ip_address}}:9096/disconnect?token={{token}}

Request example:

http://192.168.49.110:9096/disconnect?token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIiwiYXV0aCI6WyJST0xFX0FETUlOIl0sImlhdCI6MTU1OTI3OTU4MCwiZXhwIjoxNTU5MzUxNTgwLCJuYXNJcCI6IjEwMC4xMTIuMC4xIiwic2Vzc2lvbklkIjoiNTY5MjU0OTkyODk5NjMwNzk2NCIsInZyZiI6IjEiLCJjbGllbnRNYWMiOiJGQy00NS05Ni01Ri01MC1BQyJ9.fWhOkgFo_rLd2mB9_70HotPH9LlGh7SuT1-qDQvv77U


After receiving the GET request, eltex-disconnect sends the token to eltex-doors to check that the data really came from an authorized source. Eltex-doors checks the token and responds according to whether it is valid.

Next, the token is decoded and its payload is extracted: the metadata of the user session to be deauthenticated.

Decoded token example:

{
  "sub": "user",
  "auth": [
    "ROLE_ADMIN"
  ],
  "iat": 1559279580,
  "exp": 1559351580,
  "nasIp": "100.112.0.1",
  "sessionId": "5692549928996307964",
  "vrf": "1",
  "clientMac": "FC-45-96-5F-50-AC"
}

Description of the token payload fields

sub - the user
iat - token creation time
exp - token lifetime (expiration time)
nasIp - IP address of the device's NAS
sessionId - unique user session ID
vrf - Virtual Routing and Forwarding
clientMac - client's MAC address

A disconnect GET request with all the necessary parameters (VRF, MAC, sessionId, nasIp) is sent to the PCRF API.

Request example:

GET http://127.0.0.1:7070/account/disconnect?session=5692549928996307974&nas_ip=100.112.0.1&vrf=1&single=false&mac=FC-45-96-5F-50-AC&remove_mac=true

PCRF then performs the corresponding actions: deauthentication and MAC address removal.
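The decode and request-building steps described above, as an added example (not the service's own code, which this page does not show). The function names, the `now` parameter and the strict field formats are assumptions; the signature is not verified here because the page delegates that check to eltex-doors.

```python
import base64, ipaddress, json, re, time
from urllib.parse import urlencode

# Example token from this page (its exp lies in 2019). Signature is NOT verified here.
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiJ9."
    "eyJzdWIiOiJ1c2VyIiwiYXV0aCI6WyJST0xFX0FETUlOIl0sImlhdCI6MTU1OTI3OTU4MCwi"
    "ZXhwIjoxNTU5MzUxNTgwLCJuYXNJcCI6IjEwMC4xMTIuMC4xIiwic2Vzc2lvbklkIjoiNTY5"
    "MjU0OTkyODk5NjMwNzk2NCIsInZyZiI6IjEiLCJjbGllbnRNYWMiOiJGQy00NS05Ni01Ri01"
    "MC1BQyJ9."
    "fWhOkgFo_rLd2mB9_70HotPH9LlGh7SuT1-qDQvv77U"
)
MAC_RE = re.compile(r"(?:[0-9A-F]{2}-){5}[0-9A-F]{2}")  # assumed format, as in the example
NUM_RE = re.compile(r"[0-9]{1,32}")                     # assumed: sessionId and vrf are digits

def decode_payload(token):
    """Base64url-decode the claims segment; call only after Doors accepted the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    seg = parts[1]
    claims = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims

def build_pcrf_url(claims, now=None, base="http://127.0.0.1:7070"):
    """Validate every claim that reaches the PCRF query, then build the request URL."""
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("exp missing or in the past")
    mac, sid, vrf, nas = (claims.get(k) for k in ("clientMac", "sessionId", "vrf", "nasIp"))
    if not all(isinstance(v, str) for v in (mac, sid, vrf, nas)):
        raise ValueError("missing or non-string claim")
    if not (MAC_RE.fullmatch(mac) and NUM_RE.fullmatch(sid) and NUM_RE.fullmatch(vrf)):
        raise ValueError("malformed clientMac, sessionId or vrf")
    nas = str(ipaddress.ip_address(nas))  # raises ValueError if not an IP address
    query = urlencode({"session": sid, "nas_ip": nas, "vrf": vrf,
                       "single": "false", "mac": mac, "remove_mac": "true"})
    return f"{base}/account/disconnect?{query}"
```

Rejecting any claim that does not match its expected shape keeps a crafted value from adding or overriding parameters in the PCRF query string.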

Configuration

The service's configuration file is located at /etc/eltex-disconnect-service/application.conf

pcrf {
  host = localhost          # PCRF service address
  port = 7070               # the port listened by PCRF
  timeout = 100             # response timeout
}

doors {
  host = localhost          # address of Doors service
  port = 9097               # port listened by Doors
  path = /api               # path to request Doors
  timeout = 200             # response timeout
  connectionTotal = 100     # maximum number of connections to Doors
}


The logging configuration file is /etc/eltex-disconnect-service/log4j2.xml

The configuration file for service initialization is /etc/default/eltex-disconnect-service


PORT=9096                       # The port listened by the service

# Initial size of Java heap
JAVA_INIT_HEAP=4m               # RAM size allocated during initialization
# Maximum size of Java heap
JAVA_MAX_HEAP=32m               # RAM size allocated during operation

# Additional arguments to pass to java
JAVA_OPTS="-XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/log/eltex-disconnect-service"