src/modules/rlm_attr_filter/rlm_attr_filter.c

   1 /*
   2  * rlm_attr_filter.c  - Filter A/V Pairs received back from proxy reqs
   3  *                      before sending reply to the NAS/Server that sent
   4  *                      it to us.
   5  *
   6  * Version:      $Id$
   7  *
   8  *   This program is is free software; you can redistribute it and/or modify
   9  *   it under the terms of the GNU General Public License, version 2 if the
  10  *   License as published by the Free Software Foundation.
  11  *
  12  *   This program is distributed in the hope that it will be useful,
  13  *   but WITHOUT ANY WARRANTY; without even the implied warranty of
  14  *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15  *   GNU General Public License for more details.
  16  *
  17  *   You should have received a copy of the GNU General Public License
  18  *   along with this program; if not, write to the Free Software
  19  *   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
  20  *
  21  * Copyright (C) 2001 The FreeRADIUS server project
  22  * Copyright (C) 2001 Chris Parker <cparker@starnetusa.net>
  23  */
  24
  25 #include        <freeradius-devel/autoconf.h>
  26
  27 #include        <sys/stat.h>
  28
  29 #include        <stdlib.h>
  30 #include        <string.h>
  31 #include        <netdb.h>
  32 #include        <ctype.h>
  33 #include        <fcntl.h>
  34 #include        <limits.h>
  35
  36 #include        <freeradius-devel/radiusd.h>
  37 #include        <freeradius-devel/rad_assert.h>
  38 #include        <freeradius-devel/modules.h>
  39
  40 static const char rcsid[] = "$Id$";
  41
  42 /*
  43  *      Define a structure with the module configuration, so it can
  44  *      be used as the instance handle.
  45  */
  46 struct attr_filter_instance {
  47         char *attrsfile;
  48         PAIR_LIST *attrs;
  49 };
  50
  51 static const CONF_PARSER module_config[] = {
  52         { "attrsfile",     PW_TYPE_FILENAME,
  53           offsetof(struct attr_filter_instance,attrsfile), NULL, "${raddbdir}/attrs" },
  54         { NULL, -1, 0, NULL, NULL }
  55 };
  56
  57 static void check_pair(VALUE_PAIR *check_item, VALUE_PAIR *reply_item,
  58                       int *pass, int *fail)
  59 {
  60         int compare;
  61
  62         if (check_item->operator == T_OP_SET) return;
  63
  64         compare = paircmp(check_item, reply_item);
  65         if (compare == 1) {
  66                 ++*(pass);
  67         } else {
  68                 ++*(fail);
  69         }
  70
  71         return;
  72 }
  73
  74 /*
  75  *      Copy the specified attribute to the specified list
  76  */
  77 static int mypairappend(VALUE_PAIR *item, VALUE_PAIR **to)
  78 {
  79         VALUE_PAIR *tmp;
  80         tmp = paircreate(item->attribute, item->type);
  81         if (!tmp) {
  82                 radlog(L_ERR|L_CONS, "no memory");
  83                 return -1;
  84         }
  85
  86         /*
  87          *      Copy EVERYTHING.
  88          */
  89         memcpy(tmp, item, sizeof(*tmp));
  90         tmp->next = NULL;
  91         *to = tmp;
  92
  93         return 0;
  94 }
  95
  96 static int getattrsfile(const char *filename, PAIR_LIST **pair_list)
  97 {
  98         int rcode;
  99         PAIR_LIST *attrs = NULL;
 100         PAIR_LIST *entry;
 101         VALUE_PAIR *vp;
 102
 103         rcode = pairlist_read(filename, &attrs, 1);
 104         if (rcode < 0) {
 105                 return -1;
 106         }
 107
 108         /*
 109          * Walk through the 'attrs' file list.
 110          */
 111
 112         entry = attrs;
 113         while (entry) {
 114
 115                 entry->check = entry->reply;
 116                 entry->reply = NULL;
 117
 118                 for (vp = entry->check; vp != NULL; vp = vp->next) {
 119
 120                     /*
 121                      * If it's NOT a vendor attribute,
 122                      * and it's NOT a wire protocol
 123                      * and we ignore Fall-Through,
 124                      * then bitch about it, giving a good warning message.
 125                      */
 126                     if (!(vp->attribute & ~0xffff) &&
 127                          (vp->attribute > 0xff) &&
 128                          (vp->attribute > 1000)) {
 129                         log_debug("[%s]:%d WARNING! Check item \"%s\"\n"
 130                                   "\tfound in filter list for realm \"%s\".\n",
 131                                   filename, entry->lineno, vp->name,
 132                                   entry->name);
 133                     }
 134                 }
 135
 136                 entry = entry->next;
 137         }
 138
 139         *pair_list = attrs;
 140         return 0;
 141 }
 142
 143
 144 /*
 145  *      Clean up.
 146  */
 147 static int attr_filter_detach(void *instance)
 148 {
 149         struct attr_filter_instance *inst = instance;
 150         pairlist_free(&inst->attrs);
 151         free(inst->attrsfile);
 152         free(inst);
 153         return 0;
 154 }
 155
 156
 157 /*
 158  *      (Re-)read the "attrs" file into memory.
 159  */
 160 static int attr_filter_instantiate(CONF_SECTION *conf, void **instance)
 161 {
 162         struct attr_filter_instance *inst;
 163         int rcode;
 164
 165         inst = rad_malloc(sizeof *inst);
 166         if (!inst) {
 167                 return -1;
 168         }
 169         memset(inst, 0, sizeof(*inst));
 170
 171         if (cf_section_parse(conf, inst, module_config) < 0) {
 172                 attr_filter_detach(inst);
 173                 return -1;
 174         }
 175
 176         rcode = getattrsfile(inst->attrsfile, &inst->attrs);
 177         if (rcode != 0) {
 178                 radlog(L_ERR|L_CONS, "Errors reading %s", inst->attrsfile);
 179                 attr_filter_detach(inst);
 180                 return -1;
 181         }
 182         *instance = inst;
 183         return 0;
 184 }
 185
 186
 187 /*
 188  *      Common attr_filter checks
 189  */
 190 static int attr_filter_common(void *instance, REQUEST *request,
 191                               VALUE_PAIR **input)
 192 {
 193         struct attr_filter_instance *inst = instance;
 194         VALUE_PAIR      *vp;
 195         VALUE_PAIR      *output = NULL;
 196         VALUE_PAIR      **output_tail;
 197         VALUE_PAIR      *check_item;
 198         PAIR_LIST       *pl;
 199         int             found = 0;
 200         int             pass, fail = 0;
 201         VALUE_PAIR      *realmpair;
 202         char            *realmname = NULL;
 203
 204         /*
 205          *      Get the realm.  Can't use request->config_items as
 206          *      that gets freed by rad_authenticate....  use the one
 207          *      set in the original request vps
 208          */
 209         realmpair = pairfind(request->packet->vps, PW_REALM);
 210         if (!realmpair) {
 211                 /* If there is no realm...NOOP */
 212                 return (RLM_MODULE_NOOP);
 213         }
 214         realmname = realmpair->vp_strvalue;
 215
 216         output_tail = &output;
 217
 218         /*
 219          *      Find the attr_filter profile entry for the realm.
 220          */
 221         for (pl = inst->attrs; pl; pl = pl->next) {
 222                 int fall_through = 0;
 223
 224                 /*
 225                  *  If the current entry is NOT a default,
 226                  *  AND the realm does NOT match the current entry,
 227                  *  then skip to the next entry.
 228                  */
 229                 if ((strcmp(pl->name, "DEFAULT") != 0) &&
 230                     (strcmp(realmname, pl->name) != 0))  {
 231                     continue;
 232                 }
 233
 234                 DEBUG2(" attr_filter: Matched entry %s at line %d", pl->name,
 235                        pl->lineno);
 236                 found = 1;
 237
 238                 for (check_item = pl->check;
 239                      check_item != NULL;
 240                      check_item = check_item->next) {
 241                         if (check_item->attribute == PW_FALL_THROUGH) {
 242                                 fall_through = 1;
 243                                 continue;
 244                         }
 245
 246                         /*
 247                          *    If it is a SET operator, add the attribute to
 248                          *    the output list without checking it.
 249                          */
 250                         if (check_item->operator == T_OP_SET ) {
 251                                 if (mypairappend(check_item, output_tail) < 0) {
 252                                         pairfree(&output);
 253                                         return RLM_MODULE_FAIL;
 254                                 }
 255                                 output_tail = &((*output_tail)->next);
 256                         }
 257                 }
 258
 259                 /*
 260                  *      Iterate through the input items, comparing
 261                  *      each item to every rule, then moving it to the
 262                  *      output list only if it matches all rules
 263                  *      for that attribute.  IE, Idle-Timeout is moved
 264                  *      only if it matches all rules that describe an
 265                  *      Idle-Timeout.
 266                  */
 267                 for (vp = *input; vp != NULL; vp = vp->next ) {
 268                         /* reset the pass,fail vars for each reply item */
 269                         pass = fail = 0;
 270
 271                         /*
 272                          *      reset the check_item pointer to
 273                          *      beginning of the list
 274                          */
 275                         for (check_item = pl->check;
 276                              check_item != NULL;
 277                              check_item = check_item->next) {
 278                                 if (vp->attribute == check_item->attribute) {
 279                                         check_pair(check_item, vp,
 280                                                    &pass, &fail);
 281                                 }
 282                         }
 283
 284                         /* only move attribute if it passed all rules */
 285                         if (fail == 0 && pass > 0) {
 286                                 if (mypairappend(vp, output_tail) < 0) {
 287                                         pairfree(&output);
 288                                         return RLM_MODULE_FAIL;
 289                                 }
 290                                 output_tail = &((*output_tail)->next);
 291                         }
 292                 }
 293
 294                 /* If we shouldn't fall through, break */
 295                 if (!fall_through)
 296                         break;
 297         }
 298
 299         /*
 300          *      No entry matched.  We didn't do anything.
 301          */
 302         if (!found) {
 303                 rad_assert(output == NULL);
 304                 return RLM_MODULE_NOOP;
 305         }
 306
 307         pairfree(input);
 308         *input = output;
 309
 310         return RLM_MODULE_UPDATED;
 311 }
 312
 313 static int attr_filter_authorize(void *instance, REQUEST *request)
 314 {
 315         return attr_filter_common(instance, request,  &request->packet->vps);
 316 }
 317
 318 static int attr_filter_accounting(void *instance, REQUEST *request)
 319 {
 320         return attr_filter_common(instance, request, &request->packet->vps);
 321 }
 322
 323 static int attr_filter_preproxy(void *instance, REQUEST *request)
 324 {
 325         return attr_filter_common(instance, request, &request->proxy->vps);
 326 }
 327
 328 static int attr_filter_postproxy(void *instance, REQUEST *request)
 329 {
 330         return attr_filter_common(instance, request, &request->proxy_reply->vps);
 331 }
 332
 333 static int attr_filter_postauth(void *instance, REQUEST *request)
 334 {
 335         return attr_filter_common(instance, request, &request->reply->vps);
 336 }
 337
 338
 339 /* globally exported name */
 340 module_t rlm_attr_filter = {
 341         RLM_MODULE_INIT,
 342         "attr_filter",
 343         0,                              /* type: reserved */
 344         attr_filter_instantiate,        /* instantiation */
 345         attr_filter_detach,             /* detach */
 346         {
 347                 NULL,                   /* authentication */
 348                 attr_filter_authorize,  /* authorization */
 349                 NULL,                   /* preaccounting */
 350                 attr_filter_accounting, /* accounting */
 351                 NULL,                   /* checksimul */
 352                 attr_filter_preproxy,   /* pre-proxy */
 353                 attr_filter_postproxy,  /* post-proxy */
 354                 attr_filter_postauth    /* post-auth */
 355         },
 356 };
 357