6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2002,2006 The FreeRADIUS server project
21 * Copyright 2002 Alan DeKok <aland@ox.org>
24 #include <freeradius-devel/ident.h>
27 #include <freeradius-devel/radiusd.h>
28 #include <freeradius-devel/modules.h>
31 * Define a structure for our module configuration.
33 typedef struct rlm_exec_t {
40 unsigned int packet_code;
45 * A mapping of configuration file names to internal variables.
47 * Note that the string is dynamically allocated, so it MUST
48 * be freed. When the configuration file parse re-reads the string,
49 * it free's the old one, and strdup's the new one, placing the pointer
50 * to the strdup'd string into 'config.string'. This gets around
53 static const CONF_PARSER module_config[] = {
54 { "wait", PW_TYPE_BOOLEAN, offsetof(rlm_exec_t,wait), NULL, "yes" },
55 { "program", PW_TYPE_STRING_PTR,
56 offsetof(rlm_exec_t,program), NULL, NULL },
57 { "input_pairs", PW_TYPE_STRING_PTR,
58 offsetof(rlm_exec_t,input), NULL, "request" },
59 { "output_pairs", PW_TYPE_STRING_PTR,
60 offsetof(rlm_exec_t,output), NULL, NULL },
61 { "packet_type", PW_TYPE_STRING_PTR,
62 offsetof(rlm_exec_t,packet_type), NULL, NULL },
63 { "shell_escape", PW_TYPE_BOOLEAN, offsetof(rlm_exec_t,shell_escape), NULL, "yes" },
64 { NULL, -1, 0, NULL, NULL } /* end the list */
69 * Decode the configuration file string to a pointer to
70 * a value-pair list in the REQUEST data structure.
72 static VALUE_PAIR **decode_string(REQUEST *request, const char *string)
74 if (!string) return NULL;
77 * Yuck. We need a 'switch' over character strings
80 if (strcmp(string, "request") == 0) {
81 return &request->packet->vps;
84 if (strcmp(string, "reply") == 0) {
85 if (!request->reply) return NULL;
87 return &request->reply->vps;
90 if (strcmp(string, "proxy-request") == 0) {
91 if (!request->proxy) return NULL;
93 return &request->proxy->vps;
96 if (strcmp(string, "proxy-reply") == 0) {
97 if (!request->proxy_reply) return NULL;
99 return &request->proxy_reply->vps;
102 if (strcmp(string, "config") == 0) {
103 return &request->config_items;
106 if (strcmp(string, "none") == 0) {
115 * Do xlat of strings.
117 static int exec_xlat(void *instance, REQUEST *request,
118 char *fmt, char *out, size_t outlen,
119 UNUSED RADIUS_ESCAPE_STRING func)
122 rlm_exec_t *inst = instance;
123 VALUE_PAIR **input_pairs;
125 input_pairs = decode_string(request, inst->input);
127 radlog(L_ERR, "rlm_exec (%s): Failed to find input pairs for xlat",
134 * FIXME: Do xlat of program name?
136 DEBUG2("rlm_exec (%s): Executing %s", inst->xlat_name, fmt);
137 result = radius_exec_program(fmt, request, inst->wait,
138 out, outlen, *input_pairs, NULL, inst->shell_escape);
139 DEBUG2("rlm_exec (%s): result %d", inst->xlat_name, result);
150 * Detach an instance and free it's data.
152 static int exec_detach(void *instance)
154 rlm_exec_t *inst = instance;
156 if (inst->xlat_name) {
157 xlat_unregister(inst->xlat_name, exec_xlat);
158 free(inst->xlat_name);
167 * Do any per-module initialization that is separate to each
168 * configured instance of the module. e.g. set up connections
169 * to external databases, read configuration files, set up
170 * dictionary entries, etc.
172 * If configuration information is given in the config section
173 * that must be referenced in later calls, store a handle to it
174 * in *instance otherwise put a null pointer there.
176 static int exec_instantiate(CONF_SECTION *conf, void **instance)
179 const char *xlat_name;
182 * Set up a storage area for instance data
185 inst = rad_malloc(sizeof(rlm_exec_t));
188 memset(inst, 0, sizeof(rlm_exec_t));
191 * If the configuration parameters can't be parsed, then
194 if (cf_section_parse(conf, inst, module_config) < 0) {
195 radlog(L_ERR, "rlm_exec: Failed parsing the configuration");
201 * No input pairs defined. Why are we executing a program?
204 radlog(L_ERR, "rlm_exec: Must define input pairs for external program.");
210 * Sanity check the config. If we're told to NOT wait,
211 * then the output pairs must not be defined.
214 (inst->output != NULL)) {
215 radlog(L_ERR, "rlm_exec: Cannot read output pairs if wait=no");
221 * Sanity check the config. If we're told to wait,
222 * then the output pairs should be defined.
225 (inst->output == NULL)) {
226 radlog(L_INFO, "rlm_exec: wait=yes but no output defined. Did you mean output=none?");
230 * Get the packet type on which to execute
232 if (!inst->packet_type) {
233 inst->packet_code = 0;
237 dval = dict_valbyname(PW_PACKET_TYPE, inst->packet_type);
239 radlog(L_ERR, "rlm_exec: Unknown packet type %s: See list of VALUEs for Packet-Type in share/dictionary", inst->packet_type);
243 inst->packet_code = dval->value;
246 xlat_name = cf_section_name2(conf);
247 if (xlat_name == NULL)
248 xlat_name = cf_section_name1(conf);
250 inst->xlat_name = strdup(xlat_name);
251 xlat_register(xlat_name, exec_xlat, inst);
261 * Dispatch an exec method
263 static int exec_dispatch(void *instance, REQUEST *request)
266 VALUE_PAIR **input_pairs, **output_pairs;
268 rlm_exec_t *inst = (rlm_exec_t *) instance;
271 * We need a program to execute.
273 if (!inst->program) {
274 radlog(L_ERR, "rlm_exec (%s): We require a program to execute",
276 return RLM_MODULE_FAIL;
280 * See if we're supposed to execute it now.
282 if (!((inst->packet_code == 0) ||
283 (request->packet->code == inst->packet_code) ||
284 (request->reply->code == inst->packet_code) ||
286 (request->proxy->code == inst->packet_code)) ||
287 (request->proxy_reply &&
288 (request->proxy_reply->code == inst->packet_code)))) {
289 DEBUG2(" rlm_exec (%s): Packet type is not %s. Not executing.",
290 inst->xlat_name, inst->packet_type);
291 return RLM_MODULE_NOOP;
295 * Decide what input/output the program takes.
297 input_pairs = decode_string(request, inst->input);
298 output_pairs = decode_string(request, inst->output);
301 * It points to the attribute list, but the attribute
304 if (input_pairs && !*input_pairs) {
305 DEBUG2("rlm_exec (%s): WARNING! Input pairs are empty. No attributes will be passed to the script", inst->xlat_name);
309 * This function does it's own xlat of the input program
312 * FIXME: if inst->program starts with %{, then
313 * do an xlat ourselves. This will allow us to do
314 * program = %{Exec-Program}, which this module
315 * xlat's into it's string value, and then the
316 * exec program function xlat's it's string value
317 * into something else.
319 result = radius_exec_program(inst->program, request,
321 *input_pairs, &answer, inst->shell_escape);
323 radlog(L_ERR, "rlm_exec (%s): External script failed",
325 return RLM_MODULE_FAIL;
329 * Move the answer over to the output pairs.
331 * If we're not waiting, then there are no output pairs.
333 if (output_pairs) pairmove(output_pairs, &answer);
338 return RLM_MODULE_OK;
340 if (result > RLM_MODULE_NUMCODES) {
341 return RLM_MODULE_FAIL;
348 * First, look for Exec-Program && Exec-Program-Wait.
350 * Then, call exec_dispatch.
352 static int exec_postauth(void *instance, REQUEST *request)
356 VALUE_PAIR *vp, *tmp;
357 rlm_exec_t *inst = (rlm_exec_t *) instance;
359 vp = pairfind(request->reply->vps, PW_EXEC_PROGRAM);
363 } else if ((vp = pairfind(request->reply->vps, PW_EXEC_PROGRAM_WAIT)) != NULL) {
366 if (!vp) goto dispatch;
369 result = radius_exec_program(vp->vp_strvalue, request, exec_wait,
370 NULL, 0, request->packet->vps, &tmp,
374 * Always add the value-pairs to the reply.
376 pairmove(&request->reply->vps, &tmp);
381 * Error. radius_exec_program() returns -1 on
384 tmp = pairmake("Reply-Message", "Access denied (external check failed)", T_OP_SET);
385 pairadd(&request->reply->vps, tmp);
387 DEBUG2("Login incorrect (external check failed)");
389 request->reply->code = PW_AUTHENTICATION_REJECT;
390 return RLM_MODULE_REJECT;
394 * Reject. radius_exec_program() returns >0
395 * if the exec'ed program had a non-zero
398 request->reply->code = PW_AUTHENTICATION_REJECT;
399 DEBUG2("Login incorrect (external check said so)");
400 return RLM_MODULE_REJECT;
404 if (!inst->program) return RLM_MODULE_NOOP;
406 return exec_dispatch(instance, request);
410 * The module name should be the only globally exported symbol.
411 * That is, everything else should be 'static'.
413 * If the module needs to temporarily modify it's instantiation
414 * data, the type should be changed to RLM_TYPE_THREAD_UNSAFE.
415 * The server will then take care of ensuring that the module
416 * is single-threaded.
418 module_t rlm_exec = {
421 RLM_TYPE_THREAD_SAFE, /* type */
422 exec_instantiate, /* instantiation */
423 exec_detach, /* detach */
425 exec_dispatch, /* authentication */
426 exec_dispatch, /* authorization */
427 exec_dispatch, /* pre-accounting */
428 exec_dispatch, /* accounting */
429 NULL, /* check simul */
430 exec_dispatch, /* pre-proxy */
431 exec_dispatch, /* post-proxy */
432 exec_postauth /* post-auth */