2 * rlm_attr_filter.c - Filter A/V Pairs received back from proxy reqs
3 * before sending reply to the NAS/Server that sent
8 * This program is is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License, version 2 if the
10 * License as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
21 * Copyright (C) 2001 The FreeRADIUS server project
22 * Copyright (C) 2001 Chris Parker <cparker@starnetusa.net>
26 #include "libradius.h"
44 static const char rcsid[] = "$Id$";
46 struct attr_filter_instance {
55 * Copy the specified attribute to the specified list
57 static void mypairappend(VALUE_PAIR *item, VALUE_PAIR **to)
61 tmp = paircreate(item->attribute, item->type);
63 radlog(L_ERR|L_CONS, "no memory");
70 tmp->lvalue = item->lvalue;
73 memcpy((char *)tmp->strvalue, (char *)item->strvalue, item->length);
74 tmp->length = item->length;
81 * See if a VALUE_PAIR list contains Fall-Through = Yes
83 static int fallthrough(VALUE_PAIR *vp)
87 tmp = pairfind(vp, PW_FALL_THROUGH);
89 return tmp ? tmp->lvalue : 0;
92 static CONF_PARSER module_config[] = {
93 { "attrsfile", PW_TYPE_STRING_PTR,
94 offsetof(struct attr_filter_instance,attrsfile), NULL, "${raddbdir}/attrs" },
95 { NULL, -1, 0, NULL, NULL }
98 static int getattrsfile(const char *filename, PAIR_LIST **pair_list)
101 PAIR_LIST *attrs = NULL;
105 rcode = pairlist_read(filename, &attrs, 1);
111 * Walk through the 'attrs' file list.
117 entry->check = entry->reply;
120 for (vp = entry->check; vp != NULL; vp = vp->next) {
123 * If it's NOT a vendor attribute,
124 * and it's NOT a wire protocol
125 * and we ignore Fall-Through,
126 * then bitch about it, giving a
127 * good warning message.
129 if (!(vp->attribute & ~0xffff) &&
130 (vp->attribute > 0xff) &&
131 (vp->attribute > 1000)) {
132 log_debug("[%s]:%d WARNING! Check item \"%s\"\n"
133 "\tfound in filter list for realm \"%s\".\n",
134 filename, entry->lineno, vp->name,
147 * (Re-)read the "attrs" file into memory.
149 static int attr_filter_instantiate(CONF_SECTION *conf, void **instance)
151 struct attr_filter_instance *inst;
154 inst = rad_malloc(sizeof *inst);
156 if (cf_section_parse(conf, inst, module_config) < 0) {
161 rcode = getattrsfile(inst->attrsfile, &inst->attrs);
163 radlog(L_ERR|L_CONS, "Errors reading %s", inst->attrsfile);
164 free(inst->attrsfile);
174 * Find the named realm in the database. Create the
175 * set of attribute-value pairs to check and reply with
176 * for this realm from the database.
178 static int attr_filter_authorize(void *instance, REQUEST *request)
180 struct attr_filter_instance *inst = instance;
181 VALUE_PAIR *request_pairs;
182 VALUE_PAIR **reply_items;
183 VALUE_PAIR *reply_item;
184 VALUE_PAIR *reply_tmp = NULL;
185 VALUE_PAIR *check_item;
193 VALUE_PAIR *realmpair;
198 * It's not a proxy reply, so return NOOP
201 if( request->proxy == NULL ) {
202 return( RLM_MODULE_NOOP );
205 request_pairs = request->packet->vps;
206 reply_items = &request->reply->vps;
209 * Get the realm. Can't use request->config_items as
210 * that gets freed by rad_authenticate.... use the one
211 * set in the original request vps
213 realmpair = pairfind(request_pairs, PW_REALM);
215 /* Can't find a realm, so no filtering of attributes
216 * or should we use a DEFAULT entry?
217 * For now, just return NOTFOUND. (maybe NOOP?)
219 return RLM_MODULE_NOTFOUND;
222 realmname = (char *) realmpair->strvalue;
223 realm = realm_find(realmname, FALSE);
226 * Find the attr_filter profile entry for the realm.
228 for(pl = inst->attrs; pl; pl = pl->next) {
231 * If the current entry is NOT a default,
232 * AND the realm does NOT match the current entry,
233 * then skip to the next entry.
235 if ( (strcmp(pl->name, "DEFAULT") != 0)
236 && (strcmp(realmname, pl->name) != 0) ) {
240 DEBUG2(" attr_filter: Matched entry %s at line %d", pl->name, pl->lineno);
244 check_item = pl->check;
246 while( check_item != NULL ) {
249 * If it is a SET operator, add the attribute to
250 * the reply list without checking reply_items.
254 if( check_item->operator == T_OP_SET ) {
255 mypairappend(check_item, &reply_tmp);
257 check_item = check_item->next;
259 } /* while( check_item != NULL ) */
262 * Iterate through the reply items, comparing each reply item to every rule,
263 * then moving it to the reply_tmp list only if it matches all rules for that
264 * attribute. IE, Idle-Timeout is moved only if it matches all rules that
265 * describe an Idle-Timeout.
268 for( reply_item = *reply_items;
270 reply_item = reply_item->next ) {
272 /* reset the pass,fail vars for each reply item */
275 /* reset the check_item pointer to the beginning of the list */
276 check_item = pl->check;
278 while( check_item != NULL ) {
280 if(reply_item->attribute == check_item->attribute) {
282 compare = simplepaircmp(request, reply_item, check_item);
284 switch(check_item->operator) {
286 case T_OP_SET: /* nothing to do for set */
290 radlog(L_ERR, "Invalid operator for item %s: "
291 "reverting to '=='", check_item->name);
293 case T_OP_CMP_TRUE: /* compare always == 0 */
294 case T_OP_CMP_FALSE: /* compare always == 1 */
344 regcomp(®, (char *)check_item->strvalue, 0);
345 compare = regexec(®, (char *)reply_item->strvalue,
356 regcomp(®, (char *)check_item->strvalue, 0);
357 compare = regexec(®, (char *)reply_item->strvalue,
367 } /* switch( check_item->operator ) */
369 } /* if reply == check */
371 check_item = check_item->next;
373 } /* while( check ) */
375 /* only move attribute if it passed all rules */
376 if (fail == 0 && pass > 0) {
377 mypairappend( reply_item, &reply_tmp);
382 /* If we shouldn't fall through, break */
383 if(!fallthrough(pl->check))
387 pairfree(&request->reply->vps);
388 request->reply->vps = reply_tmp;
391 * See if we succeeded. If we didn't find the realm,
392 * then exit from the module.
395 return RLM_MODULE_OK;
398 * Remove server internal parameters.
400 pairdelete(reply_items, PW_FALL_THROUGH);
402 return RLM_MODULE_UPDATED;
408 static int attr_filter_detach(void *instance)
410 struct attr_filter_instance *inst = instance;
411 pairlist_free(&inst->attrs);
412 free(inst->attrsfile);
418 /* globally exported name */
419 module_t rlm_attr_filter = {
421 0, /* type: reserved */
422 NULL, /* initialization */
423 attr_filter_instantiate, /* instantiation */
425 NULL, /* authentication */
426 attr_filter_authorize, /* authorization */
427 NULL, /* preaccounting */
428 NULL, /* accounting */
429 NULL /* checksimul */
431 attr_filter_detach, /* detach */