2 * This program is is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License, version 2 if the
4 * License as published by the Free Software Foundation.
6 * This program is distributed in the hope that it will be useful,
7 * but WITHOUT ANY WARRANTY; without even the implied warranty of
8 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
9 * GNU General Public License for more details.
11 * You should have received a copy of the GNU General Public License
12 * along with this program; if not, write to the Free Software
13 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
18 * @file rlm_expiration.c
19 * @brief Lockout user accounts based on control attributes.
21 * @copyright 2001,2006 The FreeRADIUS server project
22 * @copyright 2004 Kostas Kalevras <kkalev@noc.ntua.gr>
24 #include <freeradius-devel/ident.h>
27 #include <freeradius-devel/radiusd.h>
28 #include <freeradius-devel/modules.h>
33 * Define a structure for our module configuration.
35 * These variables do not need to be in a structure, but it's
36 * a lot cleaner to do so, and a pointer to the structure can
37 * be used as the instance handle.
39 typedef struct rlm_expiration_t {
40 char *msg; /* The Reply-Message passed back to the user if the account is expired */
44 * A mapping of configuration file names to internal variables.
46 * Note that the string is dynamically allocated, so it MUST
47 * be freed. When the configuration file parse re-reads the string,
48 * it free's the old one, and strdup's the new one, placing the pointer
49 * to the strdup'd string into 'config.string'. This gets around
52 static const CONF_PARSER module_config[] = {
53 { "reply-message", PW_TYPE_STRING_PTR, offsetof(rlm_expiration_t,msg),
54 NULL, "Password Has Expired\r\n"},
55 { NULL, -1, 0, NULL, NULL }
59 * Check if account has expired, and if user may login now.
61 static rlm_rcode_t expiration_authorize(void *instance, REQUEST *request)
63 rlm_expiration_t *data = (rlm_expiration_t *)instance;
64 VALUE_PAIR *vp, *check_item = NULL;
65 char msg[MAX_STRING_LEN];
67 if ((check_item = pairfind(request->config_items, PW_EXPIRATION, 0, TAG_ANY)) != NULL){
69 * Has this user's password expired?
71 * If so, remove ALL reply attributes,
72 * and add our own Reply-Message, saying
73 * why they're being rejected.
75 RDEBUG("Checking Expiration time: '%s'",check_item->vp_strvalue);
76 if (((time_t) check_item->vp_date) <= request->timestamp) {
77 char logstr[MAX_STRING_LEN];
78 VALUE_PAIR *module_fmsg_vp;
80 RDEBUG("Account has expired");
82 if (data->msg && data->msg[0]){
83 if (!radius_xlat(msg, sizeof(msg), data->msg, request, NULL, NULL)) {
84 radlog(L_ERR, "rlm_expiration: xlat failed.");
85 return RLM_MODULE_FAIL;
88 vp = pairmake("Reply-Message", msg, T_OP_ADD);
89 pairfree(&request->reply->vps);
90 request->reply->vps = vp;
92 snprintf(logstr, sizeof(logstr), "Account has expired [Expiration %s]",check_item->vp_strvalue);
93 module_fmsg_vp = pairmake("Module-Failure-Message", logstr, T_OP_EQ);
94 pairadd(&request->packet->vps, module_fmsg_vp);
96 return RLM_MODULE_USERLOCK;
99 * Else the account hasn't expired, but it may do so
100 * in the future. Set Session-Timeout.
102 vp = pairfind(request->reply->vps, PW_SESSION_TIMEOUT, 0, TAG_ANY);
104 vp = radius_paircreate(request, &request->reply->vps,
105 PW_SESSION_TIMEOUT, 0);
106 vp->vp_date = (uint32_t) (((time_t) check_item->vp_date) - request->timestamp);
108 } else if (vp->vp_date > ((uint32_t) (((time_t) check_item->vp_date) - request->timestamp))) {
109 vp->vp_date = (uint32_t) (((time_t) check_item->vp_date) - request->timestamp);
113 return RLM_MODULE_NOOP;
115 return RLM_MODULE_OK;
119 * Compare the expiration date.
121 static int expirecmp(void *instance, REQUEST *req,
122 VALUE_PAIR *request, VALUE_PAIR *check,
123 VALUE_PAIR *check_pairs, VALUE_PAIR **reply_pairs)
127 request = request; /* shut the compiler up */
128 check_pairs = check_pairs;
129 reply_pairs = reply_pairs;
131 now = (req) ? req->timestamp : time(NULL);
133 if (now <= ((time_t) check->vp_date))
139 static int expiration_detach(void *instance)
141 paircompare_unregister(PW_EXPIRATION, expirecmp);
146 * Do any per-module initialization that is separate to each
147 * configured instance of the module. e.g. set up connections
148 * to external databases, read configuration files, set up
149 * dictionary entries, etc.
151 * If configuration information is given in the config section
152 * that must be referenced in later calls, store a handle to it
153 * in *instance otherwise put a null pointer there.
155 static int expiration_instantiate(CONF_SECTION *conf, void **instance)
157 rlm_expiration_t *data;
160 * Set up a storage area for instance data
162 *instance = data = talloc_zero(conf, rlm_expiration_t);
163 if (!data) return -1;
166 * If the configuration parameters can't be parsed, then
169 if (cf_section_parse(conf, data, module_config) < 0) {
170 radlog(L_ERR, "rlm_expiration: Configuration parsing failed.");
175 * Register the expiration comparison operation.
177 paircompare_register(PW_EXPIRATION, 0, expirecmp, data);
182 * The module name should be the only globally exported symbol.
183 * That is, everything else should be 'static'.
185 * If the module needs to temporarily modify it's instantiation
186 * data, the type should be changed to RLM_TYPE_THREAD_UNSAFE.
187 * The server will then take care of ensuring that the module
188 * is single-threaded.
190 module_t rlm_expiration = {
193 RLM_TYPE_THREAD_SAFE, /* type */
194 expiration_instantiate, /* instantiation */
195 expiration_detach, /* detach */
197 NULL, /* authentication */
198 expiration_authorize, /* authorization */
199 NULL, /* preaccounting */
200 NULL, /* accounting */
201 NULL, /* checksimul */
202 NULL, /* pre-proxy */
203 NULL, /* post-proxy */