2 * modules.c Radius module support.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2003,2006 The FreeRADIUS server project
21 * Copyright 2000 Alan DeKok <aland@ox.org>
22 * Copyright 2000 Alan Curry <pacman@world.std.com>
25 #include <freeradius-devel/ident.h>
28 #include <freeradius-devel/radiusd.h>
29 #include <freeradius-devel/modpriv.h>
30 #include <freeradius-devel/modcall.h>
31 #include <freeradius-devel/rad_assert.h>
33 #define VMPS_SPACE (1)
35 typedef struct indexed_modcallable {
39 modcallable *modulelist;
40 } indexed_modcallable;
43 * For each component, keep an ordered list of ones to call.
45 static rbtree_t *components;
47 static rbtree_t *module_tree = NULL;
49 typedef struct section_type_value_t {
53 } section_type_value_t;
57 * Ordered by component
59 static const section_type_value_t section_type_value[RLM_COMPONENT_COUNT] = {
60 { "authenticate", "Auth-Type", PW_AUTH_TYPE },
61 { "authorize", "Autz-Type", PW_AUTZ_TYPE },
62 { "preacct", "Pre-Acct-Type", PW_PRE_ACCT_TYPE },
63 { "accounting", "Acct-Type", PW_ACCT_TYPE },
64 { "session", "Session-Type", PW_SESSION_TYPE },
65 { "pre-proxy", "Pre-Proxy-Type", PW_PRE_PROXY_TYPE },
66 { "post-proxy", "Post-Proxy-Type", PW_POST_PROXY_TYPE },
67 { "post-auth", "Post-Auth-Type", PW_POST_AUTH_TYPE },
70 static void indexed_modcallable_free(void *data)
72 indexed_modcallable *c = data;
74 modcallable_free(&c->modulelist);
78 static int indexed_modcallable_cmp(const void *one, const void *two)
80 const indexed_modcallable *a = one;
81 const indexed_modcallable *b = two;
83 if (a->space < b->space) return -1;
84 if (a->space > b->space) return +1;
86 if (a->comp < b->comp) return -1;
87 if (a->comp > b->comp) return +1;
89 return a->idx - b->idx;
94 * Free a module instance.
96 static void module_instance_free(void *data)
98 module_instance_t *this = data;
100 if (this->entry->module->detach)
101 (this->entry->module->detach)(this->insthandle);
102 #ifdef HAVE_PTHREAD_H
106 * The mutex MIGHT be locked...
107 * we'll check for that later, I guess.
109 pthread_mutex_destroy(this->mutex);
118 * Compare two module entries
120 static int module_entry_cmp(const void *one, const void *two)
122 const module_entry_t *a = one;
123 const module_entry_t *b = two;
125 return strcmp(a->name, b->name);
129 * Free a module entry.
131 static void module_entry_free(void *data)
133 module_entry_t *this = data;
135 lt_dlclose(this->handle); /* ignore any errors */
141 * Remove the module lists.
143 int detach_modules(void)
145 rbtree_free(components);
146 rbtree_free(module_tree);
153 * Find a module on disk or in memory, and link to it.
155 static module_entry_t *linkto_module(const char *module_name,
156 const char *cffilename, int cflineno)
158 module_entry_t myentry;
159 module_entry_t *node;
161 char module_struct[256];
165 strlcpy(myentry.name, module_name, sizeof(myentry.name));
166 node = rbtree_finddata(module_tree, &myentry);
167 if (node) return node;
170 * Keep the handle around so we can dlclose() it.
172 handle = lt_dlopenext(module_name);
173 if (handle == NULL) {
174 radlog(L_ERR|L_CONS, "%s[%d] Failed to link to module '%s':"
175 " %s\n", cffilename, cflineno, module_name, lt_dlerror());
180 * Link to the module's rlm_FOO{} module structure.
182 * The module_name variable has the version number
183 * embedded in it, and we don't want that here.
185 strcpy(module_struct, module_name);
186 p = strrchr(module_struct, '-');
189 DEBUG3(" (Loaded %s, checking if it's valid)", module_name);
192 * libltld MAY core here, if the handle it gives us contains
195 module = lt_dlsym(handle, module_struct);
197 radlog(L_ERR|L_CONS, "%s[%d] Failed linking to "
198 "%s structure in %s: %s\n",
199 cffilename, cflineno,
200 module_name, cffilename, lt_dlerror());
205 * Before doing anything else, check if it's sane.
207 if ((*(const uint32_t *) module) != RLM_MODULE_MAGIC_NUMBER) {
209 radlog(L_ERR|L_CONS, "%s[%d] Invalid version in module '%s'",
210 cffilename, cflineno, module_name);
215 /* make room for the module type */
216 node = rad_malloc(sizeof(*node));
217 memset(node, 0, sizeof(*node));
218 strlcpy(node->name, module_name, sizeof(node->name));
219 node->module = module;
220 node->handle = handle;
222 DEBUG(" Module: Linked to module %s", module_name);
225 * Add the module as "rlm_foo-version" to the configuration
228 if (!rbtree_insert(module_tree, node)) {
229 radlog(L_ERR, "Failed to cache module %s", module_name);
239 * Find a module instance.
241 module_instance_t *find_module_instance(CONF_SECTION *modules,
242 const char *instname)
245 const char *name1, *name2;
246 module_instance_t *node;
247 char module_name[256];
249 if (!modules) return NULL;
252 * Module instances are declared in the modules{} block
253 * and referenced later by their name, which is the
254 * name2 from the config section, or name1 if there was
257 cs = cf_section_sub_find_name2(modules, NULL, instname);
259 radlog(L_ERR|L_CONS, "ERROR: Cannot find a configuration entry for module \"%s\".\n", instname);
264 * If there's already a module instance, return it.
266 node = cf_data_find(cs, "instance");
267 if (node) return node;
269 name1 = cf_section_name1(cs);
270 name2 = cf_section_name2(cs);
273 * Found the configuration entry.
275 node = rad_malloc(sizeof(*node));
276 memset(node, 0, sizeof(*node));
278 node->insthandle = NULL;
281 * Names in the "modules" section aren't prefixed
282 * with "rlm_", so we add it here.
284 snprintf(module_name, sizeof(module_name), "rlm_%s", name1);
286 node->entry = linkto_module(module_name,
287 mainconfig.radiusd_conf,
288 cf_section_lineno(cs));
291 /* linkto_module logs any errors */
295 DEBUG2(" Module: Instantiating %s", instname);
298 * Call the module's instantiation routine.
300 if ((node->entry->module->instantiate) &&
301 ((node->entry->module->instantiate)(cs, &node->insthandle) < 0)) {
303 "%s[%d]: %s: Module instantiation failed.\n",
304 mainconfig.radiusd_conf, cf_section_lineno(cs),
311 * We're done. Fill in the rest of the data structure,
312 * and link it to the module instance list.
314 strlcpy(node->name, instname, sizeof(node->name));
316 #ifdef HAVE_PTHREAD_H
318 * If we're threaded, check if the module is thread-safe.
320 * If it isn't, we create a mutex.
322 if ((node->entry->module->type & RLM_TYPE_THREAD_UNSAFE) != 0) {
323 node->mutex = (pthread_mutex_t *) rad_malloc(sizeof(pthread_mutex_t));
325 * Initialize the mutex.
327 pthread_mutex_init(node->mutex, NULL);
330 * The module is thread-safe. Don't give it a mutex.
336 cf_data_add(cs, "instance", node, module_instance_free);
341 static indexed_modcallable *lookup_by_index(int space, int comp, int idx)
343 indexed_modcallable myc;
349 return rbtree_finddata(components, &myc);
353 * Create a new sublist.
355 static indexed_modcallable *new_sublist(int space, int comp, int idx)
357 indexed_modcallable *c;
359 c = lookup_by_index(space, comp, idx);
361 /* It is an error to try to create a sublist that already
362 * exists. It would almost certainly be caused by accidental
363 * duplication in the config file.
365 * index 0 is the exception, because it is used when we want
366 * to collect _all_ listed modules under a single index by
367 * default, which is currently the case in all components
368 * except authenticate. */
376 c = rad_malloc(sizeof(*c));
377 c->modulelist = NULL;
382 if (!rbtree_insert(components, c)) {
390 static int indexed_modcall(int space, int comp, int idx, REQUEST *request)
393 indexed_modcallable *this;
395 this = lookup_by_index(space, comp, idx);
397 if (idx != 0) DEBUG2(" ERROR: Unknown value specified for %s. Cannot perform requested action.",
398 section_type_value[comp].typename);
399 request->component = section_type_value[comp].typename;
400 rcode = modcall(comp, NULL, request); /* does default action */
402 DEBUG2(" Processing the %s section of %s",
403 (space == 0) ? section_type_value[comp].section : "vmps",
404 mainconfig.radiusd_conf);
405 request->component = section_type_value[comp].typename;
406 rcode = modcall(comp, this->modulelist, request);
408 request->module = "<server-core>";
409 request->component = "<server-core>";
414 * Load a sub-module list, as found inside an Auth-Type foo {}
417 static int load_subcomponent_section(modcallable *parent,
418 CONF_SECTION *cs, int space, int comp,
419 const char *filename)
421 indexed_modcallable *subcomp;
424 const char *name2 = cf_section_name2(cs);
426 rad_assert(comp >= RLM_COMPONENT_AUTH);
427 rad_assert(comp <= RLM_COMPONENT_COUNT);
434 "%s[%d]: No name specified for %s block",
435 filename, cf_section_lineno(cs),
436 section_type_value[comp].typename);
443 ml = compile_modgroup(parent, comp, cs, filename);
449 * We must assign a numeric index to this subcomponent.
450 * It is generated and placed in the dictionary by
451 * setup_modules(), when it loads the sections. If it
452 * isn't found, it's a serious error.
454 dval = dict_valbyname(section_type_value[comp].attr, name2);
457 "%s[%d] %s %s Not previously configured",
458 filename, cf_section_lineno(cs),
459 section_type_value[comp].typename, name2);
460 modcallable_free(&ml);
464 subcomp = new_sublist(space, comp, dval->value);
467 "%s[%d] %s %s already configured - skipping",
468 filename, cf_section_lineno(cs),
469 section_type_value[comp].typename, name2);
470 modcallable_free(&ml);
474 subcomp->modulelist = ml;
478 static int load_component_section(modcallable *parent,
479 CONF_SECTION *cs, int space, int comp,
480 const char *filename)
485 indexed_modcallable *subcomp;
487 const char *visiblename;
490 * Loop over the entries in the named section.
492 for (modref = cf_item_find_next(cs, NULL);
494 modref = cf_item_find_next(cs, modref)) {
495 CONF_PAIR *cp = NULL;
496 CONF_SECTION *scs = NULL;
499 * Look for Auth-Type foo {}, which are special
500 * cases of named sections, and allowable ONLY
503 * i.e. They're not allowed in a "group" or "redundant"
506 if (cf_item_is_section(modref)) {
507 const char *sec_name;
508 scs = cf_itemtosection(modref);
510 sec_name = cf_section_name1(scs);
513 section_type_value[comp].typename) == 0) {
514 if (!load_subcomponent_section(parent, scs,
517 return -1; /* FIXME: memleak? */
523 } else if (cf_item_is_pair(modref)) {
524 cp = cf_itemtopair(modref);
526 continue; /* ignore it */
530 * Try to compile one entry.
532 this = compile_modsingle(parent, comp, modref, filename,
536 "%s[%d] Failed to parse %s section.\n",
537 filename, cf_section_lineno(cs),
538 cf_section_name1(cs));
542 if (comp == RLM_COMPONENT_AUTH) {
544 const char *modrefname = NULL;
548 modrefname = cf_pair_attr(cp);
549 lineno = cf_pair_lineno(cp);
551 modrefname = cf_section_name2(scs);
552 lineno = cf_section_lineno(scs);
555 "%s[%d] Failed to parse %s sub-section.\n",
557 cf_section_name1(scs));
562 dval = dict_valbyname(PW_AUTH_TYPE, modrefname);
565 * It's a section, but nothing we
568 radlog(L_ERR|L_CONS, "%s[%d] Unknown Auth-Type \"%s\" in %s sub-section.",
570 modrefname, section_type_value[comp].section);
575 /* See the comment in new_sublist() for explanation
576 * of the special index 0 */
580 subcomp = new_sublist(space, comp, idx);
581 if (subcomp == NULL) {
582 radlog(L_INFO|L_CONS,
583 "%s %s %s already configured - skipping",
584 filename, section_type_value[comp].typename,
586 modcallable_free(&this);
590 /* If subcomp->modulelist is NULL, add_to_modcallable will
592 visiblename = cf_section_name2(cs);
593 if (visiblename == NULL)
594 visiblename = cf_section_name1(cs);
595 add_to_modcallable(&subcomp->modulelist, this,
604 * Parse the module config sections, and load
605 * and call each module's init() function.
607 * Libtool makes your life a LOT easier, especially with libltdl.
608 * see: http://www.gnu.org/software/libtool/
610 int setup_modules(int reload)
613 CONF_SECTION *cs, *modules;
614 int do_component[RLM_COMPONENT_COUNT];
615 rad_listen_t *listener;
618 * If necessary, initialize libltdl.
622 * Set the default list of preloaded symbols.
623 * This is used to initialize libltdl's list of
626 * i.e. Static modules.
628 LTDL_SET_PRELOADED_SYMBOLS();
630 if (lt_dlinit() != 0) {
631 radlog(L_ERR|L_CONS, "Failed to initialize libraries: %s\n",
637 * Set the search path to ONLY our library directory.
638 * This prevents the modules from being found from
639 * any location on the disk.
641 lt_dlsetsearchpath(radlib_dir);
643 DEBUG2("radiusd: Library search path is %s",
644 lt_dlgetsearchpath());
647 * Set up the internal module struct.
649 module_tree = rbtree_create(module_entry_cmp,
650 module_entry_free, 0);
652 radlog(L_ERR|L_CONS, "Failed to initialize modules\n");
656 rbtree_free(components);
659 components = rbtree_create(indexed_modcallable_cmp,
660 indexed_modcallable_free, 0);
662 radlog(L_ERR|L_CONS, "Failed to initialize components\n");
667 * Figure out which sections to load.
669 memset(do_component, 0, sizeof(do_component));
670 for (listener = mainconfig.listen;
672 listener = listener->next) {
673 switch (listener->type) {
674 case RAD_LISTEN_AUTH:
675 do_component[RLM_COMPONENT_AUTZ] = 1;
676 do_component[RLM_COMPONENT_AUTH] = 1;
677 do_component[RLM_COMPONENT_POST_AUTH] = 1;
678 do_component[RLM_COMPONENT_SESS] = 1;
681 case RAD_LISTEN_DETAIL: /* just like acct */
682 case RAD_LISTEN_ACCT:
683 do_component[RLM_COMPONENT_PREACCT] = 1;
684 do_component[RLM_COMPONENT_ACCT] = 1;
687 case RAD_LISTEN_PROXY:
688 do_component[RLM_COMPONENT_PRE_PROXY] = 1;
689 do_component[RLM_COMPONENT_POST_PROXY] = 1;
693 do_component[RLM_COMPONENT_POST_AUTH] = 1;
698 case RAD_LISTEN_SNMP:
707 for (comp = RLM_COMPONENT_AUTH; comp < RLM_COMPONENT_COUNT; comp++) {
709 * Have the debugging messages all in one place.
711 if (!do_component[comp]) {
712 DEBUG2("modules: Not loading %s{} section",
713 section_type_value[comp].section);
718 * Create any DICT_VALUE's for the types. See
719 * 'doc/configurable_failover' for examples of 'authtype'
720 * used to create new Auth-Type values. In order to
721 * let the user create new names, we've got to look for
722 * those names, and create DICT_VALUE's for them.
724 for (comp = RLM_COMPONENT_AUTH; comp < RLM_COMPONENT_COUNT; comp++) {
729 CONF_SECTION *sub, *next;
733 * Not needed, don't load it.
735 if (!do_component[comp]) {
738 cs = cf_section_find(section_type_value[comp].section);
745 * See if there's a sub-section by that
748 next = cf_subsection_find_next(cs, sub,
749 section_type_value[comp].typename);
753 * If so, look for it to define a new
756 name2 = cf_section_name2(sub);
757 if (!name2) continue;
761 * If the value already exists, don't
764 dval = dict_valbyname(section_type_value[comp].attr,
769 * Find the attribute for the value.
771 dattr = dict_attrbyvalue(section_type_value[comp].attr);
773 radlog(L_ERR, "%s[%d]: No such attribute %s",
774 mainconfig.radiusd_conf,
775 cf_section_lineno(sub),
776 section_type_value[comp].typename);
781 * Create a new unique value with a
782 * meaningless number. You can't look at
783 * it from outside of this code, so it
784 * doesn't matter. The only requirement
785 * is that it's unique.
788 value = lrad_rand() & 0x00ffffff;
789 } while (dict_valbyattr(dattr->attr, value));
791 if (dict_addvalue(name2, dattr->name, value) < 0) {
792 radlog(L_ERR, "%s", librad_errstr);
795 } while (sub != NULL);
798 * Loop over the non-sub-sections, too.
803 * See if there's a conf-pair by that
806 cp = cf_pair_find_next(cs, cp, NULL);
811 * If the value already exists, don't
814 name2 = cf_pair_attr(cp);
815 dval = dict_valbyname(section_type_value[comp].attr,
820 * Find the attribute for the value.
822 dattr = dict_attrbyvalue(section_type_value[comp].attr);
824 radlog(L_ERR, "%s[%d]: No such attribute %s",
825 mainconfig.radiusd_conf,
826 cf_section_lineno(sub),
827 section_type_value[comp].typename);
832 * Finally, create the new attribute.
835 value = lrad_rand() & 0x00ffffff;
836 } while (dict_valbyattr(dattr->attr, value));
837 if (dict_addvalue(name2, dattr->name, value) < 0) {
838 radlog(L_ERR, "%s", librad_errstr);
841 } while (cp != NULL);
842 } /* over the sections which can have redundent sub-sections */
845 * Remember where the modules were stored.
847 modules = cf_section_find("modules");
849 radlog(L_ERR, "Cannot find a \"modules\" section in the configuration file!");
854 * Look for the 'instantiate' section, which tells us
855 * the instantiation order of the modules, and also allows
856 * us to load modules with no authorize/authenticate/etc.
859 cs = cf_section_find("instantiate");
863 module_instance_t *module;
866 DEBUG2(" instantiate {");
869 * Loop over the items in the 'instantiate' section.
871 for (ci=cf_item_find_next(cs, NULL);
873 ci=cf_item_find_next(cs, ci)) {
876 * Skip sections. They'll be handled
877 * later, if they're referenced at all...
879 if (cf_item_is_section(ci)) {
883 cp = cf_itemtopair(ci);
884 name = cf_pair_attr(cp);
885 module = find_module_instance(modules, name);
889 } /* loop over items in the subsection */
892 } /* if there's an 'instantiate' section. */
894 DEBUG2(" modules {");
897 * Loop over all of the known components, finding their
898 * configuration section, and loading it.
900 for (comp = 0; comp < RLM_COMPONENT_COUNT; ++comp) {
901 cs = cf_section_find(section_type_value[comp].section);
905 if (!do_component[comp]) {
909 if (cf_item_find_next(cs, NULL) == NULL) {
910 continue; /* section is empty */
913 DEBUG2(" Module: Checking %s {...} for more modules to load",
914 section_type_value[comp].section);
916 if (load_component_section(NULL, cs, 0, comp, mainconfig.radiusd_conf) < 0) {
922 * Load the VMPS section, if necessary.
924 for (listener = mainconfig.listen;
926 listener = listener->next) {
927 if (listener->type == RAD_LISTEN_VQP) {
933 cs = cf_section_find("vmps");
935 radlog(L_ERR, "Listening on vmps socket, but no vmps section");
939 if (cf_item_find_next(cs, NULL) == NULL) {
940 radlog(L_ERR, "Listening on vmps socket, vmps section is empty");
944 DEBUG2(" Module: Checking vmps {...} for more modules to load");
946 if (load_component_section(NULL, cs, VMPS_SPACE,
947 RLM_COMPONENT_POST_AUTH,
948 mainconfig.radiusd_conf) < 0) {
959 * Call all authorization modules until one returns
960 * somethings else than RLM_MODULE_OK
962 int module_authorize(int autz_type, REQUEST *request)
964 return indexed_modcall(0, RLM_COMPONENT_AUTZ, autz_type, request);
968 * Authenticate a user/password with various methods.
970 int module_authenticate(int auth_type, REQUEST *request)
972 return indexed_modcall(0, RLM_COMPONENT_AUTH, auth_type, request);
976 * Do pre-accounting for ALL configured sessions
978 int module_preacct(REQUEST *request)
980 return indexed_modcall(0, RLM_COMPONENT_PREACCT, 0, request);
984 * Do accounting for ALL configured sessions
986 int module_accounting(int acct_type, REQUEST *request)
988 return indexed_modcall(0, RLM_COMPONENT_ACCT, acct_type, request);
992 * See if a user is already logged in.
994 * Returns: 0 == OK, 1 == double logins, 2 == multilink attempt
996 int module_checksimul(int sess_type, REQUEST *request, int maxsimul)
1000 if(!request->username)
1003 request->simul_count = 0;
1004 request->simul_max = maxsimul;
1005 request->simul_mpp = 1;
1007 rcode = indexed_modcall(0, RLM_COMPONENT_SESS, sess_type, request);
1009 if (rcode != RLM_MODULE_OK) {
1010 /* FIXME: Good spot for a *rate-limited* warning to the log */
1014 return (request->simul_count < maxsimul) ? 0 : request->simul_mpp;
1018 * Do pre-proxying for ALL configured sessions
1020 int module_pre_proxy(int type, REQUEST *request)
1022 return indexed_modcall(0, RLM_COMPONENT_PRE_PROXY, type, request);
1026 * Do post-proxying for ALL configured sessions
1028 int module_post_proxy(int type, REQUEST *request)
1030 return indexed_modcall(0, RLM_COMPONENT_POST_PROXY, type, request);
1034 * Do post-authentication for ALL configured sessions
1036 int module_post_auth(int postauth_type, REQUEST *request)
1038 return indexed_modcall(0, RLM_COMPONENT_POST_AUTH, postauth_type, request);
1044 int module_vmps(REQUEST *request)
1046 return indexed_modcall(VMPS_SPACE, RLM_COMPONENT_POST_AUTH, 0,