2 * modules.c Radius module support.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2003,2006 The FreeRADIUS server project
21 * Copyright 2000 Alan DeKok <aland@ox.org>
22 * Copyright 2000 Alan Curry <pacman@world.std.com>
27 #include <freeradius-devel/radiusd.h>
28 #include <freeradius-devel/modpriv.h>
29 #include <freeradius-devel/modcall.h>
30 #include <freeradius-devel/parser.h>
31 #include <freeradius-devel/rad_assert.h>
33 typedef struct indexed_modcallable {
34 rlm_components_t comp;
36 modcallable *modulelist;
37 } indexed_modcallable;
39 typedef struct virtual_server_t {
45 modcallable *mc[MOD_COUNT];
46 CONF_SECTION *subcs[MOD_COUNT];
47 struct virtual_server_t *next;
51 * Keep a hash of virtual servers, so that we can reload them.
53 #define VIRTUAL_SERVER_HASH_SIZE (256)
54 static virtual_server_t *virtual_servers[VIRTUAL_SERVER_HASH_SIZE];
56 static rbtree_t *module_tree = NULL;
58 static rbtree_t *instance_tree = NULL;
60 struct fr_module_hup_t {
61 module_instance_t *mi;
64 fr_module_hup_t *next;
68 * Ordered by component
70 const section_type_value_t section_type_value[MOD_COUNT] = {
71 { "authenticate", "Auth-Type", PW_AUTH_TYPE },
72 { "authorize", "Autz-Type", PW_AUTZ_TYPE },
73 { "preacct", "Pre-Acct-Type", PW_PRE_ACCT_TYPE },
74 { "accounting", "Acct-Type", PW_ACCT_TYPE },
75 { "session", "Session-Type", PW_SESSION_TYPE },
76 { "pre-proxy", "Pre-Proxy-Type", PW_PRE_PROXY_TYPE },
77 { "post-proxy", "Post-Proxy-Type", PW_POST_PROXY_TYPE },
78 { "post-auth", "Post-Auth-Type", PW_POST_AUTH_TYPE }
81 { "recv-coa", "Recv-CoA-Type", PW_RECV_COA_TYPE },
82 { "send-coa", "Send-CoA-Type", PW_SEND_COA_TYPE }
90 #define RTLD_LOCAL (0)
94 # define LT_SHREXT ".dylib"
96 # define LT_SHREXT ".dll"
98 # define LT_SHREXT ".so"
101 /** Check if the magic number in the module matches the one in the library
103 * This is used to detect potential ABI issues caused by running with modules which
104 * were built for a different version of the server.
106 * @param cs being parsed.
107 * @param module being loaded.
108 * @returns 0 on success, -1 if prefix mismatch, -2 if version mismatch, -3 if commit mismatch.
110 static int check_module_magic(CONF_SECTION *cs, module_t const *module)
112 if (MAGIC_PREFIX(module->magic) != MAGIC_PREFIX(RADIUSD_MAGIC_NUMBER)) {
113 cf_log_err_cs(cs, "Application and rlm_%s magic number (prefix) mismatch."
114 " application: %x module: %x", module->name,
115 MAGIC_PREFIX(RADIUSD_MAGIC_NUMBER),
116 MAGIC_PREFIX(module->magic));
120 if (MAGIC_VERSION(module->magic) != MAGIC_VERSION(RADIUSD_MAGIC_NUMBER)) {
121 cf_log_err_cs(cs, "Application and rlm_%s magic number (version) mismatch."
122 " application: %lx module: %lx", module->name,
123 (unsigned long) MAGIC_VERSION(RADIUSD_MAGIC_NUMBER),
124 (unsigned long) MAGIC_VERSION(module->magic));
128 if (MAGIC_COMMIT(module->magic) != MAGIC_COMMIT(RADIUSD_MAGIC_NUMBER)) {
129 cf_log_err_cs(cs, "Application and rlm_%s magic number (commit) mismatch."
130 " application: %lx module: %lx", module->name,
131 (unsigned long) MAGIC_COMMIT(RADIUSD_MAGIC_NUMBER),
132 (unsigned long) MAGIC_COMMIT(module->magic));
139 lt_dlhandle lt_dlopenext(char const *name)
141 int flags = RTLD_NOW;
147 if (strcmp(name, "rlm_perl") == 0) {
148 flags |= RTLD_GLOBAL;
155 * Bind all the symbols *NOW* so we don't hit errors later
160 * Prefer loading our libraries by absolute path.
162 snprintf(buffer, sizeof(buffer), "%s/%s%s", radlib_dir, name, LT_SHREXT);
164 DEBUG4("Loading library using absolute path \"%s\"", name);
166 handle = dlopen(buffer, flags);
167 if (handle) return handle;
170 * Because dlopen produces really shitty and inaccurate error messages
172 if (access(name, R_OK) < 0) switch (errno) {
174 WARN("Library file found, but we don't have permission to read it");
178 DEBUG4("Library file not found");
182 DEBUG4("Issue accessing library file: %s", fr_syserror(errno));
186 DEBUG4("Falling back to linker search path(s)");
187 if (DEBUG_ENABLED4) {
189 env = getenv("LD_LIBRARY_PATH");
191 DEBUG4("LD_LIBRARY_PATH : %s", env);
193 env = getenv("DYLD_LIBRARY_PATH");
195 DEBUG4("DYLB_LIBRARY_PATH : %s", env);
197 env = getenv("DYLD_FALLBACK_LIBRARY_PATH");
199 DEBUG4("DYLD_FALLBACK_LIBRARY_PATH : %s", env);
201 env = getcwd(buffer, sizeof(buffer));
203 DEBUG4("Current directory : %s", env);
206 env = getenv("LD_LIBRARY_PATH");
208 DEBUG4("LD_LIBRARY_PATH : %s", env);
210 DEBUG4("Defaults : /lib:/usr/lib");
214 strlcpy(buffer, name, sizeof(buffer));
216 * FIXME: Make this configurable...
218 strlcat(buffer, LT_SHREXT, sizeof(buffer));
220 return dlopen(buffer, flags);
223 void *lt_dlsym(lt_dlhandle handle, char const *symbol)
225 return dlsym(handle, symbol);
228 int lt_dlclose(lt_dlhandle handle)
230 if (!handle) return 0;
232 return dlclose(handle);
235 char const *lt_dlerror(void)
240 static int virtual_server_idx(char const *name)
246 hash = fr_hash_string(name);
248 return hash & (VIRTUAL_SERVER_HASH_SIZE - 1);
251 static virtual_server_t *virtual_server_find(char const *name)
254 virtual_server_t *server;
256 rcode = virtual_server_idx(name);
257 for (server = virtual_servers[rcode];
259 server = server->next) {
260 if (!name && !server->name) break;
262 if ((name && server->name) &&
263 (strcmp(name, server->name) == 0)) break;
269 static int _virtual_server_free(virtual_server_t *server)
271 if (server->components) rbtree_free(server->components);
275 void virtual_servers_free(time_t when)
278 virtual_server_t **last;
280 for (i = 0; i < VIRTUAL_SERVER_HASH_SIZE; i++) {
281 virtual_server_t *server, *next;
283 last = &virtual_servers[i];
284 for (server = virtual_servers[i];
290 * If we delete it, fix the links so that
291 * we don't orphan anything. Also,
292 * delete it if it's old, AND a newer one
295 * Otherwise, the last pointer gets set to
296 * the one we didn't delete.
299 ((server->created < when) && server->can_free)) {
300 *last = server->next;
303 last = &(server->next);
309 static int indexed_modcallable_cmp(void const *one, void const *two)
311 indexed_modcallable const *a = one;
312 indexed_modcallable const *b = two;
314 if (a->comp < b->comp) return -1;
315 if (a->comp > b->comp) return +1;
317 return a->idx - b->idx;
322 * Compare two module entries
324 static int module_instance_cmp(void const *one, void const *two)
326 module_instance_t const *a = one;
327 module_instance_t const *b = two;
329 return strcmp(a->name, b->name);
333 static void module_instance_free_old(UNUSED CONF_SECTION *cs, module_instance_t *node, time_t when)
335 fr_module_hup_t *mh, **last;
338 * Walk the list, freeing up old instances.
345 * Free only every 60 seconds.
347 if ((when - mh->when) < 60) {
352 talloc_free(mh->insthandle);
361 * Free a module instance.
363 static void module_instance_free(void *data)
365 module_instance_t *module = talloc_get_type_abort(data, module_instance_t);
367 module_instance_free_old(module->cs, module, time(NULL) + 100);
369 #ifdef HAVE_PTHREAD_H
373 * The mutex MIGHT be locked...
374 * we'll check for that later, I guess.
376 pthread_mutex_destroy(module->mutex);
377 talloc_free(module->mutex);
382 * Remove any registered paircompares.
384 paircompare_unregister_instance(module->insthandle);
386 xlat_unregister(module->name, NULL, module->insthandle);
388 * Remove all xlat's registered to module instance.
390 if (module->insthandle) xlat_unregister_module(module->insthandle);
396 * Compare two module entries
398 static int module_entry_cmp(void const *one, void const *two)
400 module_entry_t const *a = one;
401 module_entry_t const *b = two;
403 return strcmp(a->name, b->name);
407 * Free a module entry.
409 static int _module_entry_free(module_entry_t *this)
413 * Don't dlclose() modules if we're doing memory
414 * debugging. This removes the symbols needed by
417 if (!main_config.debug_memory)
419 dlclose(this->handle); /* ignore any errors */
425 * Remove the module lists.
427 int modules_free(void)
429 rbtree_free(instance_tree);
430 rbtree_free(module_tree);
439 static module_entry_t *module_dlopen(CONF_SECTION *cs, char const *module_name)
441 module_entry_t myentry;
442 module_entry_t *node;
444 module_t const *module;
446 strlcpy(myentry.name, module_name, sizeof(myentry.name));
447 node = rbtree_finddata(module_tree, &myentry);
448 if (node) return node;
451 * Link to the module's rlm_FOO{} structure, the same as
455 #if !defined(WITH_LIBLTDL) && defined(HAVE_DLFCN_H) && defined(RTLD_SELF)
456 module = dlsym(RTLD_SELF, module_name);
457 if (module) goto open_self;
461 * Keep the handle around so we can dlclose() it.
463 handle = lt_dlopenext(module_name);
465 cf_log_err_cs(cs, "Failed to link to module '%s': %s", module_name, dlerror());
469 DEBUG3("Loaded %s, checking if it's valid", module_name);
471 module = dlsym(handle, module_name);
473 cf_log_err_cs(cs, "Failed linking to %s structure: %s", module_name, dlerror());
478 #if !defined(WITH_LIBLTDL) && defined (HAVE_DLFCN_H) && defined(RTLD_SELF)
482 * Before doing anything else, check if it's sane.
484 if (check_module_magic(cs, module) < 0) {
489 /* make room for the module type */
490 node = talloc_zero(cs, module_entry_t);
491 talloc_set_destructor(node, _module_entry_free);
492 strlcpy(node->name, module_name, sizeof(node->name));
493 node->module = module;
494 node->handle = handle;
496 cf_log_module(cs, "Loaded module %s", module_name);
499 * Add the module as "rlm_foo-version" to the configuration
502 if (!rbtree_insert(module_tree, node)) {
503 ERROR("Failed to cache module %s", module_name);
512 /** Parse module's configuration section and setup destructors
515 static int module_conf_parse(module_instance_t *node, void **handle)
520 * If there is supposed to be instance data, allocate it now.
521 * Also parse the configuration data, if required.
523 if (node->entry->module->inst_size) {
524 *handle = talloc_zero_array(node, uint8_t, node->entry->module->inst_size);
527 talloc_set_name(*handle, "rlm_%s_t",
528 node->entry->module->name ? node->entry->module->name : "config");
530 if (node->entry->module->config &&
531 (cf_section_parse(node->cs, *handle, node->entry->module->config) < 0)) {
532 cf_log_err_cs(node->cs,"Invalid configuration for module \"%s\"", node->name);
533 talloc_free(*handle);
539 * Set the destructor.
541 if (node->entry->module->detach) {
542 talloc_set_destructor(*handle, node->entry->module->detach);
549 /** Bootstrap a module.
551 * Load the module shared library, allocate instance memory for it,
552 * parse the module configuration, and call the modules "bootstrap" method.
554 static module_instance_t *module_bootstrap(CONF_SECTION *cs)
556 char const *name1, *name2;
557 module_instance_t *node, myNode;
558 char module_name[256];
561 * Figure out which module we want to load.
563 name1 = cf_section_name1(cs);
564 name2 = cf_section_name2(cs);
565 if (!name2) name2 = name1;
567 strlcpy(myNode.name, name2, sizeof(myNode.name));
570 * See if the module already exists.
572 node = rbtree_finddata(instance_tree, &myNode);
574 ERROR("Duplicate module \"%s %s\", in file %s:%d and file %s:%d",
576 cf_section_filename(cs),
577 cf_section_lineno(cs),
578 cf_section_filename(node->cs),
579 cf_section_lineno(node->cs));
584 * Hang the node struct off of the configuration
585 * section. If the CS is free'd the instance will be
588 node = talloc_zero(cs, module_instance_t);
590 strlcpy(node->name, name2, sizeof(node->name));
593 * Names in the "modules" section aren't prefixed
594 * with "rlm_", so we add it here.
596 snprintf(module_name, sizeof(module_name), "rlm_%s", name1);
599 * Load the module shared library.
601 node->entry = module_dlopen(cs, module_name);
607 cf_log_module(cs, "Loading module \"%s\" from file %s", node->name,
608 cf_section_filename(cs));
611 * Parse the modules configuration.
613 if (module_conf_parse(node, &node->insthandle) < 0) {
619 * Bootstrap the module.
621 if (node->entry->module->bootstrap &&
622 ((node->entry->module->bootstrap)(cs, node->insthandle) < 0)) {
623 cf_log_err_cs(cs, "Instantiation failed for module \"%s\"", node->name);
629 * Remember the module for later.
631 rbtree_insert(instance_tree, node);
637 /** Find an existing module instance.
640 module_instance_t *module_find(CONF_SECTION *modules, char const *askedname)
642 char const *instname;
643 module_instance_t myNode;
645 if (!modules) return NULL;
648 * Look for the real name. Ignore the first character,
649 * which tells the server "it's OK for this module to not
652 instname = askedname;
653 if (instname[0] == '-') instname++;
655 strlcpy(myNode.name, instname, sizeof(myNode.name));
657 return rbtree_finddata(instance_tree, &myNode);
661 /** Load a module, and instantiate it.
664 module_instance_t *module_instantiate(CONF_SECTION *modules, char const *askedname)
667 module_instance_t *node;
670 * Find the module. If it's not there, do nothing.
672 node = module_find(modules, askedname);
674 ERROR("Cannot find a configuration entry for module \"%s\"", askedname);
679 * The module is already instantiated. Return it.
681 if (node->instantiated) return node;
684 * Now that ALL modules are instantiated, and ALL xlats
685 * are defined, go compile the config items marked as XLAT.
687 if (node->entry->module->config && node->cs &&
688 (cf_section_parse_pass2(node->cs, node->insthandle,
689 node->entry->module->config) < 0)) {
694 * Call the instantiate method, if any.
696 if (node->entry->module->instantiate) {
697 cf_log_module(node->cs, "Instantiating module \"%s\" from file %s", node->name,
698 cf_section_filename(node->cs));
701 * Call the module's instantiation routine.
703 if ((node->entry->module->instantiate)(node->cs, node->insthandle) < 0) {
704 cf_log_err_cs(node->cs, "Instantiation failed for module \"%s\"", node->name);
710 #ifdef HAVE_PTHREAD_H
712 * If we're threaded, check if the module is thread-safe.
714 * If it isn't, we create a mutex.
716 if ((node->entry->module->type & RLM_TYPE_THREAD_UNSAFE) != 0) {
717 node->mutex = talloc_zero(node, pthread_mutex_t);
720 * Initialize the mutex.
722 pthread_mutex_init(node->mutex, NULL);
726 node->instantiated = true;
731 /** Resolve polymorphic item's from a module's CONF_SECTION to a subsection in another module
733 * This allows certain module sections to reference module sections in other instances
734 * of the same module and share CONF_DATA associated with them.
748 * @param out where to write the pointer to a module's config section. May be NULL on success, indicating the config
749 * item was not found within the module CONF_SECTION, or the chain of module references was followed and the
750 * module at the end of the chain did not a subsection.
751 * @param module CONF_SECTION.
752 * @param name of the polymorphic sub-section.
753 * @return 0 on success with referenced section, 1 on success with local section, or -1 on failure.
755 int find_module_sibling_section(CONF_SECTION **out, CONF_SECTION *module, char const *name)
757 static bool loop = true; /* not used, we just need a valid pointer to quiet static analysis */
762 module_instance_t *inst;
763 char const *inst_name;
765 #define FIND_SIBLING_CF_KEY "find_sibling"
770 * Is a real section (not referencing sibling module).
772 cs = cf_section_sub_find(module, name);
780 * Item omitted completely from module config.
782 cp = cf_pair_find(module, name);
785 if (cf_data_find(module, FIND_SIBLING_CF_KEY)) {
786 cf_log_err_cp(cp, "Module reference loop found");
790 cf_data_add(module, FIND_SIBLING_CF_KEY, &loop, NULL);
793 * Item found, resolve it to a module instance.
794 * This triggers module loading, so we don't have
795 * instantiation order issues.
797 inst_name = cf_pair_value(cp);
798 inst = module_instantiate(cf_item_parent(cf_section_to_item(module)), inst_name);
801 * Remove the config data we added for loop
804 cf_data_remove(module, FIND_SIBLING_CF_KEY);
806 cf_log_err_cp(cp, "Unknown module instance \"%s\"", inst_name);
812 * Check the module instances are of the same type.
814 if (strcmp(cf_section_name1(inst->cs), cf_section_name1(module)) != 0) {
815 cf_log_err_cp(cp, "Referenced module is a rlm_%s instance, must be a rlm_%s instance",
816 cf_section_name1(inst->cs), cf_section_name1(module));
821 *out = cf_section_sub_find(inst->cs, name);
826 static indexed_modcallable *lookup_by_index(rbtree_t *components,
827 rlm_components_t comp, int idx)
829 indexed_modcallable myc;
834 return rbtree_finddata(components, &myc);
838 * Create a new sublist.
840 static indexed_modcallable *new_sublist(CONF_SECTION *cs,
841 rbtree_t *components, rlm_components_t comp, int idx)
843 indexed_modcallable *c;
845 c = lookup_by_index(components, comp, idx);
847 /* It is an error to try to create a sublist that already
848 * exists. It would almost certainly be caused by accidental
849 * duplication in the config file.
851 * index 0 is the exception, because it is used when we want
852 * to collect _all_ listed modules under a single index by
853 * default, which is currently the case in all components
854 * except authenticate. */
862 c = talloc_zero(cs, indexed_modcallable);
863 c->modulelist = NULL;
867 if (!rbtree_insert(components, c)) {
875 rlm_rcode_t indexed_modcall(rlm_components_t comp, int idx, REQUEST *request)
878 modcallable *list = NULL;
879 virtual_server_t *server;
882 * Hack to find the correct virtual server.
884 server = virtual_server_find(request->server);
886 RDEBUG("No such virtual server \"%s\"", request->server);
887 return RLM_MODULE_FAIL;
891 list = server->mc[comp];
892 if (!list) RDEBUG3("Empty %s section. Using default return values.", section_type_value[comp].section);
895 indexed_modcallable *this;
897 this = lookup_by_index(server->components, comp, idx);
899 list = this->modulelist;
901 RDEBUG2("%s sub-section not found. Ignoring.", section_type_value[comp].typename);
905 if (server->subcs[comp]) {
907 RDEBUG("# Executing section %s from file %s",
908 section_type_value[comp].section,
909 cf_section_filename(server->subcs[comp]));
911 RDEBUG("# Executing group from file %s",
912 cf_section_filename(server->subcs[comp]));
915 request->component = section_type_value[comp].section;
917 rcode = modcall(comp, list, request);
919 request->module = "";
920 request->component = "<core>";
925 * Load a sub-module list, as found inside an Auth-Type foo {}
928 static int load_subcomponent_section(CONF_SECTION *cs,
929 rbtree_t *components,
930 DICT_ATTR const *da, rlm_components_t comp)
932 indexed_modcallable *subcomp;
935 char const *name2 = cf_section_name2(cs);
947 ml = compile_modgroup(NULL, comp, cs);
953 * We must assign a numeric index to this subcomponent.
954 * It is generated and placed in the dictionary
955 * automatically. If it isn't found, it's a serious
958 dval = dict_valbyname(da->attr, da->vendor, name2);
962 "The %s attribute has no VALUE defined for %s",
963 section_type_value[comp].typename, name2);
967 subcomp = new_sublist(cs, components, comp, dval->value);
974 * Link it into the talloc hierarchy.
976 subcomp->modulelist = talloc_steal(subcomp, ml);
981 * Don't complain too often.
983 #define MAX_IGNORED (32)
984 static int last_ignored = -1;
985 static char const *ignored[MAX_IGNORED];
987 static int load_component_section(CONF_SECTION *cs,
988 rbtree_t *components, rlm_components_t comp)
993 indexed_modcallable *subcomp;
998 * Find the attribute used to store VALUEs for this section.
1000 da = dict_attrbyvalue(section_type_value[comp].attr, 0);
1003 "No such attribute %s",
1004 section_type_value[comp].typename);
1009 * Loop over the entries in the named section, loading
1010 * the sections this time.
1012 for (modref = cf_item_find_next(cs, NULL);
1014 modref = cf_item_find_next(cs, modref)) {
1016 CONF_PAIR *cp = NULL;
1017 CONF_SECTION *scs = NULL;
1019 if (cf_item_is_section(modref)) {
1020 scs = cf_item_to_section(modref);
1022 name1 = cf_section_name1(scs);
1025 section_type_value[comp].typename) == 0) {
1026 if (!load_subcomponent_section(scs,
1031 return -1; /* FIXME: memleak? */
1038 } else if (cf_item_is_pair(modref)) {
1039 cp = cf_item_to_pair(modref);
1042 continue; /* ignore it */
1046 * Look for Auth-Type foo {}, which are special
1047 * cases of named sections, and allowable ONLY
1050 * i.e. They're not allowed in a "group" or "redundant"
1053 if (comp == MOD_AUTHENTICATE) {
1055 char const *modrefname = NULL;
1057 modrefname = cf_pair_attr(cp);
1059 modrefname = cf_section_name2(scs);
1062 "Errors parsing %s sub-section.\n",
1063 cf_section_name1(scs));
1068 dval = dict_valbyname(PW_AUTH_TYPE, 0, modrefname);
1071 * It's a section, but nothing we
1075 "Unknown Auth-Type \"%s\" in %s sub-section.",
1076 modrefname, section_type_value[comp].section);
1081 /* See the comment in new_sublist() for explanation
1082 * of the special index 0 */
1086 subcomp = new_sublist(cs, components, comp, idx);
1087 if (!subcomp) continue;
1090 * Try to compile one entry.
1092 this = compile_modsingle(subcomp, &subcomp->modulelist, comp, modref, &modname);
1095 * It's OK for the module to not exist.
1097 if (!this && modname && (modname[0] == '-')) {
1100 if (last_ignored < 0) {
1103 ignored[last_ignored] = modname;
1106 WARN("Ignoring \"%s\" (see raddb/mods-available/README.rst)", modname + 1);
1110 if (last_ignored >= MAX_IGNORED) goto complain;
1112 for (i = 0; i <= last_ignored; i++) {
1113 if (strcmp(ignored[i], modname) == 0) {
1118 if (i > last_ignored) goto save_complain;
1124 "Errors parsing %s section.\n",
1125 cf_section_name1(cs));
1129 if (rad_debug_lvl > 2) modcall_debug(this, 2);
1131 add_to_modcallable(subcomp->modulelist, this);
1138 static int load_byserver(CONF_SECTION *cs)
1140 rlm_components_t comp, found;
1141 char const *name = cf_section_name2(cs);
1142 rbtree_t *components;
1143 virtual_server_t *server = NULL;
1144 indexed_modcallable *c;
1148 cf_log_info(cs, "server %s { # from file %s",
1149 name, cf_section_filename(cs));
1151 cf_log_info(cs, "server { # from file %s",
1152 cf_section_filename(cs));
1155 is_bare = (cf_item_parent(cf_section_to_item(cs)) == NULL);
1157 server = talloc_zero(cs, virtual_server_t);
1158 server->name = name;
1159 server->created = time(NULL);
1161 server->components = components = rbtree_create(server, indexed_modcallable_cmp, NULL, 0);
1163 ERROR("Failed to initialize components");
1166 if (rad_debug_lvl == 0) {
1167 ERROR("Failed to load virtual server %s",
1168 (name != NULL) ? name : "<default>");
1172 talloc_set_destructor(server, _virtual_server_free);
1175 * Loop over all of the known components, finding their
1176 * configuration section, and loading it.
1179 for (comp = 0; comp < MOD_COUNT; ++comp) {
1180 CONF_SECTION *subcs;
1182 subcs = cf_section_sub_find(cs,
1183 section_type_value[comp].section);
1184 if (!subcs) continue;
1187 cf_log_err_cs(subcs, "The %s section should be inside of a 'server { ... }' block!",
1188 section_type_value[comp].section);
1191 if (cf_item_find_next(subcs, NULL) == NULL) continue;
1194 * Skip pre/post-proxy sections if we're not
1199 !main_config.proxy_requests &&
1201 ((comp == MOD_PRE_PROXY) ||
1202 (comp == MOD_POST_PROXY))) {
1206 #ifndef WITH_ACCOUNTING
1207 if (comp == MOD_ACCOUNTING) continue;
1210 #ifndef WITH_SESSION_MGMT
1211 if (comp == MOD_SESSION) continue;
1214 if (rad_debug_lvl <= 3) {
1215 cf_log_module(cs, "Loading %s {...}",
1216 section_type_value[comp].section);
1218 DEBUG(" %s {", section_type_value[comp].section);
1221 if (load_component_section(subcs, components, comp) < 0) {
1225 if (rad_debug_lvl > 3) {
1226 DEBUG(" } # %s", section_type_value[comp].section);
1230 * Cache a default, if it exists. Some people
1231 * put empty sections for some reason...
1233 c = lookup_by_index(components, comp, 0);
1234 if (c) server->mc[comp] = c->modulelist;
1236 server->subcs[comp] = subcs;
1239 } /* loop over components */
1242 * We haven't loaded any of the normal sections. Maybe we're
1243 * supposed to load the vmps section.
1245 * This is a bit of a hack...
1248 #if defined(WITH_VMPS) || defined(WITH_DHCP)
1249 CONF_SECTION *subcs;
1252 DICT_ATTR const *da;
1256 subcs = cf_section_sub_find(cs, "vmps");
1258 cf_log_module(cs, "Loading vmps {...}");
1259 if (load_component_section(subcs, components,
1260 MOD_POST_AUTH) < 0) {
1263 c = lookup_by_index(components,
1265 if (c) server->mc[MOD_POST_AUTH] = c->modulelist;
1272 * It's OK to not have DHCP.
1274 subcs = cf_subsection_find_next(cs, NULL, "dhcp");
1277 da = dict_attrbyname("DHCP-Message-Type");
1280 * Handle each DHCP Message type separately.
1283 char const *name2 = cf_section_name2(subcs);
1286 cf_log_module(cs, "Loading dhcp %s {...}", name2);
1288 cf_log_module(cs, "Loading dhcp {...}");
1290 if (!load_subcomponent_section(subcs,
1294 goto error; /* FIXME: memleak? */
1296 c = lookup_by_index(components,
1298 if (c) server->mc[MOD_POST_AUTH] = c->modulelist;
1300 subcs = cf_subsection_find_next(cs, subcs, "dhcp");
1306 cf_log_info(cs, "} # server %s", name);
1308 cf_log_info(cs, "} # server");
1311 if (rad_debug_lvl == 0) {
1312 INFO("Loaded virtual server %s",
1313 (name != NULL) ? name : "<default>");
1317 * Now that it is OK, insert it into the list.
1319 * This is thread-safe...
1321 comp = virtual_server_idx(name);
1322 server->next = virtual_servers[comp];
1323 virtual_servers[comp] = server;
1326 * Mark OLDER ones of the same name as being unused.
1328 server = server->next;
1330 if ((!name && !server->name) ||
1331 (name && server->name &&
1332 (strcmp(server->name, name) == 0))) {
1333 server->can_free = true;
1336 server = server->next;
1343 static int pass2_cb(UNUSED void *ctx, void *data)
1345 indexed_modcallable *this = data;
1347 if (!modcall_pass2(this->modulelist)) return -1;
1354 * Load all of the virtual servers.
1356 int virtual_servers_load(CONF_SECTION *config)
1359 virtual_server_t *server;
1360 static bool first_time = true;
1362 DEBUG2("%s: #### Loading Virtual Servers ####", main_config.name);
1365 * If we have "server { ...}", then there SHOULD NOT be
1366 * bare "authorize", etc. sections. if there is no such
1367 * server, then try to load the old-style sections first.
1369 * In either case, load the "default" virtual server first.
1370 * this matches better with users expectations.
1372 cs = cf_section_find_name2(cf_subsection_find_next(config, NULL,
1376 if (load_byserver(cs) < 0) {
1380 if (load_byserver(config) < 0) {
1386 * Load all of the virtual servers.
1388 for (cs = cf_subsection_find_next(config, NULL, "server");
1390 cs = cf_subsection_find_next(config, cs, "server")) {
1393 name2 = cf_section_name2(cs);
1394 if (!name2) continue; /* handled above */
1396 server = virtual_server_find(name2);
1398 (cf_top_section(server->cs) == config)) {
1399 ERROR("Duplicate virtual server \"%s\" in file %s:%d and file %s:%d",
1401 cf_section_filename(server->cs),
1402 cf_section_lineno(server->cs),
1403 cf_section_filename(cs),
1404 cf_section_lineno(cs));
1408 if (load_byserver(cs) < 0) {
1410 * Once we successfully started once,
1411 * continue loading the OTHER servers,
1412 * even if one fails.
1414 if (!first_time) continue;
1420 * Try to compile the "authorize", etc. sections which
1421 * aren't in a virtual server.
1423 server = virtual_server_find(NULL);
1427 for (i = MOD_AUTHENTICATE; i < MOD_COUNT; i++) {
1428 if (!modcall_pass2(server->mc[i])) return -1;
1431 if (server->components &&
1432 (rbtree_walk(server->components, RBTREE_IN_ORDER,
1433 pass2_cb, NULL) != 0)) {
1439 * Now that we've loaded everything, run pass 2 over the
1440 * conditions and xlats.
1442 for (cs = cf_subsection_find_next(config, NULL, "server");
1444 cs = cf_subsection_find_next(config, cs, "server")) {
1448 name2 = cf_section_name2(cs);
1450 server = virtual_server_find(name2);
1451 if (!server) continue;
1453 for (i = MOD_AUTHENTICATE; i < MOD_COUNT; i++) {
1454 if (!modcall_pass2(server->mc[i])) return -1;
1457 if (server->components &&
1458 (rbtree_walk(server->components, RBTREE_IN_ORDER,
1459 pass2_cb, NULL) != 0)) {
1465 * If we succeed the first time around, remember that.
1472 int module_hup_module(CONF_SECTION *cs, module_instance_t *node, time_t when)
1475 fr_module_hup_t *mh;
1478 !node->entry->module->instantiate ||
1479 ((node->entry->module->type & RLM_TYPE_HUP_SAFE) == 0)) {
1483 cf_log_module(cs, "Trying to reload module \"%s\"", node->name);
1486 * Parse the module configuration, and setup destructors so the
1487 * module's detach method is called when it's instance data is
1488 * about to be freed.
1490 if (module_conf_parse(node, &insthandle) < 0) {
1491 cf_log_err_cs(cs, "HUP failed for module \"%s\" (parsing config failed). "
1492 "Using old configuration", node->name);
1497 if ((node->entry->module->instantiate)(cs, insthandle) < 0) {
1498 cf_log_err_cs(cs, "HUP failed for module \"%s\". Using old configuration.", node->name);
1499 talloc_free(insthandle);
1504 INFO(" Module: Reloaded module \"%s\"", node->name);
1506 module_instance_free_old(cs, node, when);
1509 * Save the old instance handle for later deletion.
1511 mh = talloc_zero(cs, fr_module_hup_t);
1514 mh->insthandle = node->insthandle;
1515 mh->next = node->mh;
1518 node->insthandle = insthandle;
1521 * FIXME: Set a timeout to come back in 60s, so that
1522 * we can pro-actively clean up the old instances.
1529 int modules_hup(CONF_SECTION *modules)
1534 module_instance_t *node;
1536 if (!modules) return 0;
1541 * Loop over the modules
1543 for (ci=cf_item_find_next(modules, NULL);
1545 ci=cf_item_find_next(modules, ci)) {
1546 char const *instname;
1547 module_instance_t myNode;
1550 * If it's not a section, ignore it.
1552 if (!cf_item_is_section(ci)) continue;
1554 cs = cf_item_to_section(ci);
1555 instname = cf_section_name2(cs);
1556 if (!instname) instname = cf_section_name1(cs);
1558 strlcpy(myNode.name, instname, sizeof(myNode.name));
1559 node = rbtree_finddata(instance_tree, &myNode);
1561 module_hup_module(cs, node, when);
1568 static int define_type(CONF_SECTION *cs, DICT_ATTR const *da, char const *name)
1574 * If the value already exists, don't
1577 dval = dict_valbyname(da->attr, da->vendor, name);
1579 if (dval->value == 0) {
1580 ERROR("The dictionaries must not define VALUE %s %s 0",
1588 * Create a new unique value with a
1589 * meaningless number. You can't look at
1590 * it from outside of this code, so it
1591 * doesn't matter. The only requirement
1592 * is that it's unique.
1595 value = (fr_rand() & 0x00ffffff) + 1;
1596 } while (dict_valbyattr(da->attr, da->vendor, value));
1598 cf_log_module(cs, "Creating %s = %s", da->name, name);
1599 if (dict_addvalue(name, da->name, value) < 0) {
1600 ERROR("%s", fr_strerror());
1608 * Define Auth-Type, etc. in a server.
1610 static bool server_define_types(CONF_SECTION *cs)
1612 rlm_components_t comp;
1615 * Loop over all of the components
1617 for (comp = 0; comp < MOD_COUNT; ++comp) {
1618 CONF_SECTION *subcs;
1620 DICT_ATTR const *da;
1622 subcs = cf_section_sub_find(cs,
1623 section_type_value[comp].section);
1624 if (!subcs) continue;
1626 if (cf_item_find_next(subcs, NULL) == NULL) continue;
1629 * Find the attribute used to store VALUEs for this section.
1631 da = dict_attrbyvalue(section_type_value[comp].attr, 0);
1633 cf_log_err_cs(subcs,
1634 "No such attribute %s",
1635 section_type_value[comp].typename);
1640 * Define dynamic types, so that others can reference
1643 for (modref = cf_item_find_next(subcs, NULL);
1645 modref = cf_item_find_next(subcs, modref)) {
1647 CONF_SECTION *subsubcs;
1650 * Create types for simple references
1651 * only when parsing the authenticate
1654 if ((section_type_value[comp].attr == PW_AUTH_TYPE) &&
1655 cf_item_is_pair(modref)) {
1656 CONF_PAIR *cp = cf_item_to_pair(modref);
1657 if (!define_type(cs, da, cf_pair_attr(cp))) {
1664 if (!cf_item_is_section(modref)) continue;
1666 subsubcs = cf_item_to_section(modref);
1667 name1 = cf_section_name1(subsubcs);
1669 if (strcmp(name1, section_type_value[comp].typename) == 0) {
1670 if (!define_type(cs, da,
1671 cf_section_name2(subsubcs))) {
1676 } /* loop over components */
1681 extern char const *unlang_keyword[];
1683 static bool is_reserved_word(const char *name)
1687 if (!name || !*name) return false;
1689 for (i = 1; unlang_keyword[i] != NULL; i++) {
1690 if (strcmp(name, unlang_keyword[i]) == 0) return true;
1698 * Parse the module config sections, and load
1699 * and call each module's init() function.
1701 int modules_init(CONF_SECTION *config)
1703 CONF_ITEM *ci, *next;
1704 CONF_SECTION *cs, *modules;
1707 * Set up the internal module struct.
1709 module_tree = rbtree_create(NULL, module_entry_cmp, NULL, 0);
1711 ERROR("Failed to initialize modules\n");
1715 instance_tree = rbtree_create(NULL, module_instance_cmp,
1716 module_instance_free, 0);
1717 if (!instance_tree) {
1718 ERROR("Failed to initialize modules\n");
1722 memset(virtual_servers, 0, sizeof(virtual_servers));
1725 * Remember where the modules were stored.
1727 modules = cf_section_sub_find(config, "modules");
1729 WARN("Cannot find a \"modules\" section in the configuration file!");
1733 * Load dictionaries.
1735 for (cs = cf_subsection_find_next(config, NULL, "server");
1737 cs = cf_subsection_find_next(config, cs, "server")) {
1738 CONF_SECTION *subcs;
1739 DICT_ATTR const *da;
1743 * Auto-load the VMPS/VQP dictionary.
1745 subcs = cf_section_sub_find(cs, "vmps");
1747 da = dict_attrbyname("VQP-Packet-Type");
1749 if (dict_read(main_config.dictionary_dir, "dictionary.vqp") < 0) {
1750 ERROR("Failed reading dictionary.vqp: %s",
1754 cf_log_module(cs, "Loading dictionary.vqp");
1756 da = dict_attrbyname("VQP-Packet-Type");
1758 ERROR("No VQP-Packet-Type in dictionary.vqp");
1767 * Auto-load the DHCP dictionary.
1769 subcs = cf_subsection_find_next(cs, NULL, "dhcp");
1771 da = dict_attrbyname("DHCP-Message-Type");
1773 cf_log_module(cs, "Loading dictionary.dhcp");
1774 if (dict_read(main_config.dictionary_dir, "dictionary.dhcp") < 0) {
1775 ERROR("Failed reading dictionary.dhcp: %s",
1780 da = dict_attrbyname("DHCP-Message-Type");
1782 ERROR("No DHCP-Message-Type in dictionary.dhcp");
1789 * Else it's a RADIUS virtual server, and the
1790 * dictionaries are already loaded.
1794 * Root through each virtual server, defining
1795 * Autz-Type and Auth-Type. This is so that the
1796 * modules can reference a particular type.
1798 if (!server_define_types(cs)) return -1;
1801 DEBUG2("%s: #### Instantiating modules ####", main_config.name);
1804 * Loop over module definitions, looking for duplicates.
1806 * This is O(N^2) in the number of modules, but most
1807 * systems should have less than 100 modules.
1809 for (ci = cf_item_find_next(modules, NULL);
1813 CONF_SECTION *subcs;
1814 module_instance_t *node;
1816 next = cf_item_find_next(modules, ci);
1818 if (!cf_item_is_section(ci)) continue;
1820 subcs = cf_item_to_section(ci);
1822 node = module_bootstrap(subcs);
1823 if (!node) return -1;
1825 if (!next || !cf_item_is_section(next)) continue;
1827 name1 = cf_section_name1(subcs);
1829 if (is_reserved_word(name1)) {
1830 cf_log_err_cs(subcs, "Module cannot be named for an 'unlang' keyword");
1836 * Look for the 'instantiate' section, which tells us
1837 * the instantiation order of the modules, and also allows
1838 * us to load modules with no authorize/authenticate/etc.
1841 cs = cf_section_sub_find(config, "instantiate");
1844 module_instance_t *module;
1847 cf_log_info(cs, " instantiate {");
1850 * Loop over the items in the 'instantiate' section.
1852 for (ci=cf_item_find_next(cs, NULL);
1854 ci=cf_item_find_next(cs, ci)) {
1857 * Skip sections and "other" stuff.
1858 * Sections will be handled later, if
1859 * they're referenced at all...
1861 if (cf_item_is_pair(ci)) {
1862 cp = cf_item_to_pair(ci);
1863 name = cf_pair_attr(cp);
1865 module = module_instantiate(modules, name);
1866 if (!module && (name[0] != '-')) {
1872 * Can only be "redundant" or
1874 * "redundant-load-balance"
1876 if (cf_item_is_section(ci)) {
1877 bool all_same = true;
1878 module_t const *last = NULL;
1879 CONF_SECTION *subcs;
1882 subcs = cf_item_to_section(ci);
1883 name = cf_section_name1(subcs);
1886 * Groups, etc. must have a name.
1888 if (((strcmp(name, "group") == 0) ||
1889 (strcmp(name, "redundant") == 0) ||
1890 (strcmp(name, "redundant-load-balance") == 0) ||
1891 strcmp(name, "load-balance") == 0)) {
1892 name = cf_section_name2(subcs);
1894 cf_log_err_cs(subcs, "Subsection must have a name");
1898 if (is_reserved_word(name)) {
1899 cf_log_err_cs(subcs, "Instantiate sections cannot be named for an 'unlang' keyword");
1903 if (is_reserved_word(name)) {
1904 cf_log_err_cs(subcs, "Instantiate sections cannot be named for an 'unlang' keyword");
1910 * Ensure that the modules we reference here exist.
1912 for (subci=cf_item_find_next(subcs, NULL);
1914 subci=cf_item_find_next(subcs, subci)) {
1915 if (cf_item_is_pair(subci)) {
1916 cp = cf_item_to_pair(subci);
1917 if (cf_pair_value(cp)) {
1918 cf_log_err(subci, "Cannot set return codes in a %s block",
1919 cf_section_name1(subcs));
1923 module = module_instantiate(modules, cf_pair_attr(cp));
1930 last = module->entry->module;
1931 } else if (last != module->entry->module) {
1941 * Don't check subsections for now.
1943 } /* loop over modules in a "redundant foo" section */
1946 * Register a redundant xlat
1949 if (!xlat_register_redundant(cf_item_to_section(ci))) {
1950 WARN("%s[%d] Not registering expansions for %s",
1951 cf_section_filename(subcs), cf_section_lineno(subcs),
1952 cf_section_name2(subcs));
1955 } /* handle subsections */
1956 } /* loop over the "instantiate" section */
1958 cf_log_info(cs, " }");
1959 } /* if there's an 'instantiate' section. */
1962 * Now that we've loaded the explicitly ordered modules,
1963 * load everything in the "modules" section. This is
1964 * because we've now split up the modules into
1967 cf_log_info(cs, " modules {");
1968 for (ci=cf_item_find_next(modules, NULL);
1972 module_instance_t *module;
1973 CONF_SECTION *subcs;
1975 next = cf_item_find_next(modules, ci);
1977 if (!cf_item_is_section(ci)) continue;
1979 subcs = cf_item_to_section(ci);
1980 name = cf_section_name2(subcs);
1981 if (!name) name = cf_section_name1(subcs);
1983 module = module_instantiate(modules, name);
1984 if (!module) return -1;
1986 cf_log_info(cs, " } # modules");
1988 if (virtual_servers_load(config) < 0) return -1;
1994 * Call all authorization modules until one returns
1995 * somethings else than RLM_MODULE_OK
1997 rlm_rcode_t process_authorize(int autz_type, REQUEST *request)
1999 return indexed_modcall(MOD_AUTHORIZE, autz_type, request);
2003 * Authenticate a user/password with various methods.
2005 rlm_rcode_t process_authenticate(int auth_type, REQUEST *request)
2007 return indexed_modcall(MOD_AUTHENTICATE, auth_type, request);
2010 #ifdef WITH_ACCOUNTING
2012 * Do pre-accounting for ALL configured sessions
2014 rlm_rcode_t module_preacct(REQUEST *request)
2016 return indexed_modcall(MOD_PREACCT, 0, request);
2020 * Do accounting for ALL configured sessions
2022 rlm_rcode_t process_accounting(int acct_type, REQUEST *request)
2024 return indexed_modcall(MOD_ACCOUNTING, acct_type, request);
2028 #ifdef WITH_SESSION_MGMT
2030 * See if a user is already logged in.
2032 * Returns: 0 == OK, 1 == double logins, 2 == multilink attempt
2034 int process_checksimul(int sess_type, REQUEST *request, int maxsimul)
2038 if(!request->username)
2041 request->simul_count = 0;
2042 request->simul_max = maxsimul;
2043 request->simul_mpp = 1;
2045 rcode = indexed_modcall(MOD_SESSION, sess_type, request);
2047 if (rcode != RLM_MODULE_OK) {
2048 /* FIXME: Good spot for a *rate-limited* warning to the log */
2052 return (request->simul_count < maxsimul) ? 0 : request->simul_mpp;
2058 * Do pre-proxying for ALL configured sessions
2060 rlm_rcode_t process_pre_proxy(int type, REQUEST *request)
2062 return indexed_modcall(MOD_PRE_PROXY, type, request);
2066 * Do post-proxying for ALL configured sessions
2068 rlm_rcode_t process_post_proxy(int type, REQUEST *request)
2070 return indexed_modcall(MOD_POST_PROXY, type, request);
2075 * Do post-authentication for ALL configured sessions
2077 rlm_rcode_t process_post_auth(int postauth_type, REQUEST *request)
2079 return indexed_modcall(MOD_POST_AUTH, postauth_type, request);
2083 rlm_rcode_t process_recv_coa(int recv_coa_type, REQUEST *request)
2085 return indexed_modcall(MOD_RECV_COA, recv_coa_type, request);
2088 rlm_rcode_t process_send_coa(int send_coa_type, REQUEST *request)
2090 return indexed_modcall(MOD_SEND_COA, send_coa_type, request);