2 * This program is is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License, version 2 if the
4 * License as published by the Free Software Foundation.
6 * This program is distributed in the hope that it will be useful,
7 * but WITHOUT ANY WARRANTY; without even the implied warranty of
8 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
9 * GNU General Public License for more details.
11 * You should have received a copy of the GNU General Public License
12 * along with this program; if not, write to the Free Software
13 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
19 * @brief Execute commands and parse the results.
21 * @copyright 2002,2006 The FreeRADIUS server project
22 * @copyright 2002 Alan DeKok <aland@ox.org>
24 #include <freeradius-devel/ident.h>
27 #include <freeradius-devel/radiusd.h>
28 #include <freeradius-devel/modules.h>
31 * Define a structure for our module configuration.
33 typedef struct rlm_exec_t {
34 const char *xlat_name;
41 unsigned int packet_code;
46 * A mapping of configuration file names to internal variables.
48 * Note that the string is dynamically allocated, so it MUST
49 * be freed. When the configuration file parse re-reads the string,
50 * it free's the old one, and strdup's the new one, placing the pointer
51 * to the strdup'd string into 'config.string'. This gets around
54 static const CONF_PARSER module_config[] = {
55 { "wait", PW_TYPE_BOOLEAN, offsetof(rlm_exec_t,wait), NULL, "yes" },
56 { "program", PW_TYPE_STRING_PTR,
57 offsetof(rlm_exec_t,program), NULL, NULL },
58 { "input_pairs", PW_TYPE_STRING_PTR,
59 offsetof(rlm_exec_t,input), NULL, "request" },
60 { "output_pairs", PW_TYPE_STRING_PTR,
61 offsetof(rlm_exec_t,output), NULL, NULL },
62 { "packet_type", PW_TYPE_STRING_PTR,
63 offsetof(rlm_exec_t,packet_type), NULL, NULL },
64 { "shell_escape", PW_TYPE_BOOLEAN, offsetof(rlm_exec_t,shell_escape), NULL, "yes" },
65 { NULL, -1, 0, NULL, NULL } /* end the list */
70 * Decode the configuration file string to a pointer to
71 * a value-pair list in the REQUEST data structure.
73 static VALUE_PAIR **decode_string(REQUEST *request, const char *string)
75 if (!string) return NULL;
78 * Yuck. We need a 'switch' over character strings
81 if (strcmp(string, "request") == 0) {
82 return &request->packet->vps;
85 if (strcmp(string, "reply") == 0) {
86 if (!request->reply) return NULL;
88 return &request->reply->vps;
92 if (strcmp(string, "proxy-request") == 0) {
93 if (!request->proxy) return NULL;
95 return &request->proxy->vps;
98 if (strcmp(string, "proxy-reply") == 0) {
99 if (!request->proxy_reply) return NULL;
101 return &request->proxy_reply->vps;
105 if (strcmp(string, "config") == 0) {
106 return &request->config_items;
109 if (strcmp(string, "none") == 0) {
118 * Do xlat of strings.
120 static size_t exec_xlat(void *instance, REQUEST *request,
121 const char *fmt, char *out, size_t outlen)
124 rlm_exec_t *inst = instance;
125 VALUE_PAIR **input_pairs;
129 input_pairs = decode_string(request, inst->input);
131 radlog(L_ERR, "rlm_exec (%s): Failed to find input pairs"
132 " for xlat", inst->xlat_name);
138 * FIXME: Do xlat of program name?
140 RDEBUG2("Executing %s", fmt);
141 result = radius_exec_program(fmt, request, inst->wait,
142 out, outlen, *input_pairs, NULL, inst->shell_escape);
143 RDEBUG2("result %d", result);
149 for (p = out; *p != '\0'; p++) {
150 if (*p < ' ') *p = ' ';
158 * Detach an instance and free it's data.
160 static int exec_detach(void *instance)
162 rlm_exec_t *inst = instance;
164 if (inst->xlat_name) {
165 xlat_unregister(inst->xlat_name, exec_xlat, instance);
173 * Do any per-module initialization that is separate to each
174 * configured instance of the module. e.g. set up connections
175 * to external databases, read configuration files, set up
176 * dictionary entries, etc.
178 * If configuration information is given in the config section
179 * that must be referenced in later calls, store a handle to it
180 * in *instance otherwise put a null pointer there.
182 static int exec_instantiate(CONF_SECTION *conf, void **instance)
185 const char *xlat_name;
188 * Set up a storage area for instance data
190 *instance = inst = talloc_zero(conf, rlm_exec_t);
191 if (!inst) return -1;
193 xlat_name = cf_section_name2(conf);
195 xlat_name = cf_section_name1(conf);
199 inst->xlat_name = xlat_name;
200 xlat_register(xlat_name, exec_xlat, inst);
204 * If the configuration parameters can't be parsed, then
207 if (cf_section_parse(conf, inst, module_config) < 0) {
208 radlog(L_ERR, "rlm_exec (%s): Failed parsing the "
209 "configuration", xlat_name);
215 * No input pairs defined. Why are we executing a program?
218 radlog(L_ERR, "rlm_exec (%s): Must define input pairs for "
219 "external program", xlat_name);
225 * Sanity check the config. If we're told to NOT wait,
226 * then the output pairs must not be defined.
229 (inst->output != NULL)) {
230 radlog(L_ERR, "rlm_exec (%s): Cannot read output pairs if "
231 "wait=no", xlat_name);
237 * Get the packet type on which to execute
239 if (!inst->packet_type) {
240 inst->packet_code = 0;
244 dval = dict_valbyname(PW_PACKET_TYPE, 0, inst->packet_type);
246 radlog(L_ERR, "rlm_exec (%s): Unknown packet type %s: "
247 "See list of VALUEs for Packet-Type in "
248 "share/dictionary", xlat_name,
253 inst->packet_code = dval->value;
261 * Dispatch an exec method
263 static rlm_rcode_t exec_dispatch(void *instance, REQUEST *request)
265 rlm_exec_t *inst = (rlm_exec_t *) instance;
267 VALUE_PAIR **input_pairs, **output_pairs;
268 VALUE_PAIR *answer = NULL;
273 * We need a program to execute.
275 if (!inst->program) {
276 radlog(L_ERR, "rlm_exec (%s): We require a program to execute",
278 return RLM_MODULE_FAIL;
282 * See if we're supposed to execute it now.
284 if (!((inst->packet_code == 0) ||
285 (request->packet->code == inst->packet_code) ||
286 (request->reply->code == inst->packet_code)
288 || (request->proxy &&
289 (request->proxy->code == inst->packet_code)) ||
290 (request->proxy_reply &&
291 (request->proxy_reply->code == inst->packet_code))
294 RDEBUG2("Packet type is not %s. Not executing.",
296 return RLM_MODULE_NOOP;
300 * Decide what input/output the program takes.
302 input_pairs = decode_string(request, inst->input);
303 output_pairs = decode_string(request, inst->output);
306 RDEBUG2W("Possible parse error in %s",
308 return RLM_MODULE_NOOP;
312 * It points to the attribute list, but the attribute
316 RDEBUG2W("Input pairs are empty. No attributes will be passed to the script");
320 * This function does it's own xlat of the input program
323 * FIXME: if inst->program starts with %{, then
324 * do an xlat ourselves. This will allow us to do
325 * program = %{Exec-Program}, which this module
326 * xlat's into it's string value, and then the
327 * exec program function xlat's it's string value
328 * into something else.
330 result = radius_exec_program(inst->program, request,
331 inst->wait, msg, sizeof(msg),
332 *input_pairs, &answer, inst->shell_escape);
334 radlog(L_ERR, "rlm_exec (%s): External script failed",
336 return RLM_MODULE_FAIL;
340 * Move the answer over to the output pairs.
342 * If we're not waiting, then there are no output pairs.
344 if (output_pairs) pairmove(output_pairs, &answer);
349 return RLM_MODULE_OK;
351 if (result > RLM_MODULE_NUMCODES) {
352 return RLM_MODULE_FAIL;
356 * Write any exec output to module failure message
359 /* Trim off returns and newlines */
361 if (msg[len - 1] == '\n' || msg[len - 1] == '\r') {
365 module_failure_msg(request, "rlm_exec (%s): %s",
366 inst->xlat_name, msg);
374 * First, look for Exec-Program && Exec-Program-Wait.
376 * Then, call exec_dispatch.
378 static rlm_rcode_t exec_postauth(void *instance, REQUEST *request)
382 VALUE_PAIR *vp, *tmp;
383 rlm_exec_t *inst = (rlm_exec_t *) instance;
385 vp = pairfind(request->reply->vps, PW_EXEC_PROGRAM, 0, TAG_ANY);
389 } else if ((vp = pairfind(request->reply->vps, PW_EXEC_PROGRAM_WAIT, 0, TAG_ANY)) != NULL) {
393 if (!inst->program) return RLM_MODULE_NOOP;
395 return exec_dispatch(instance, request);
399 result = radius_exec_program(vp->vp_strvalue, request, exec_wait,
400 NULL, 0, request->packet->vps, &tmp,
404 * Always add the value-pairs to the reply.
406 pairmove(&request->reply->vps, &tmp);
410 RDEBUG2("%s", module_failure_msg(request, "rlm_exec (%s): "
411 "Login incorrect (external "
415 request->reply->code = PW_AUTHENTICATION_REJECT;
416 return RLM_MODULE_REJECT;
420 * Reject. radius_exec_program() returns >0
421 * if the exec'ed program had a non-zero
424 request->reply->code = PW_AUTHENTICATION_REJECT;
426 RDEBUG2("%s", module_failure_msg(request, "rlm_exec (%s): "
427 "Login incorrect (external "
430 return RLM_MODULE_REJECT;
433 return RLM_MODULE_OK;
437 * First, look for Exec-Program && Exec-Program-Wait.
439 * Then, call exec_dispatch.
441 static rlm_rcode_t exec_accounting(void *instance, REQUEST *request)
446 rlm_exec_t *inst = (rlm_exec_t *) instance;
449 * The "bare" exec module takes care of handling
450 * Exec-Program and Exec-Program-Wait.
452 if (!inst->bare) return exec_dispatch(instance, request);
454 vp = pairfind(request->reply->vps, PW_EXEC_PROGRAM, 0, TAG_ANY);
458 } else if ((vp = pairfind(request->reply->vps, PW_EXEC_PROGRAM_WAIT, 0, TAG_ANY)) != NULL) {
461 if (!vp) return RLM_MODULE_NOOP;
463 result = radius_exec_program(vp->vp_strvalue, request, exec_wait,
464 NULL, 0, request->packet->vps, NULL,
467 return RLM_MODULE_REJECT;
470 return RLM_MODULE_OK;
474 * The module name should be the only globally exported symbol.
475 * That is, everything else should be 'static'.
477 * If the module needs to temporarily modify it's instantiation
478 * data, the type should be changed to RLM_TYPE_THREAD_UNSAFE.
479 * The server will then take care of ensuring that the module
480 * is single-threaded.
482 module_t rlm_exec = {
485 RLM_TYPE_CHECK_CONFIG_SAFE, /* type */
486 exec_instantiate, /* instantiation */
487 exec_detach, /* detach */
489 exec_dispatch, /* authentication */
490 exec_dispatch, /* authorization */
491 exec_dispatch, /* pre-accounting */
492 exec_accounting, /* accounting */
493 NULL, /* check simul */
494 exec_dispatch, /* pre-proxy */
495 exec_dispatch, /* post-proxy */
496 exec_postauth /* post-auth */