Added send/recv CoA methods to the server.
[freeradius.git] / src / modules / rlm_policy / rlm_policy.c
1 /*
2  * rlm_policy.c         Implements a policy language
3  *
4  * Version:     $Id$
5  *
6  *   This program is free software; you can redistribute it and/or modify
7  *   it under the terms of the GNU General Public License as published by
8  *   the Free Software Foundation; either version 2 of the License, or
9  *   (at your option) any later version.
10  *
11  *   This program is distributed in the hope that it will be useful,
12  *   but WITHOUT ANY WARRANTY; without even the implied warranty of
13  *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  *   GNU General Public License for more details.
15  *
16  *   You should have received a copy of the GNU General Public License
17  *   along with this program; if not, write to the Free Software
18  *   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
19  *
20  * Copyright 2004  Alan DeKok <aland@ox.org>
21  * Copyright 2006  The FreeRADIUS server project
22  */
23
24 #include <freeradius-devel/ident.h>
25 RCSID("$Id$")
26
27 #include <freeradius-devel/radiusd.h>
28 #include <freeradius-devel/modules.h>
29
30 #include "rlm_policy.h"
31
/*
 *	Maps configuration-file item names onto fields of rlm_policy_t.
 *
 *	"filename" is the policy file that policy_instantiate() hands to
 *	rlm_policy_parse(); "${confdir}/policy.txt" is the default value.
 *
 *	The parsed string is dynamically allocated, so it MUST be freed.
 *	When the configuration parser re-reads the item it frees the old
 *	string and stores a pointer to a freshly strdup'd copy, which avoids
 *	fixed-size buffers and the overflows that come with them.
 *
 *	NOTE(review): this file supplies the policies evaluated for every
 *	section the module is listed in, so it should be writable only by
 *	the server's administrator.
 */
static const CONF_PARSER module_config[] = {
	{
		"filename",				/* item name */
		PW_TYPE_FILENAME,			/* value type */
		offsetof(rlm_policy_t, filename),	/* destination field */
		NULL,
		"${confdir}/policy.txt"			/* default */
	},

	{ NULL, -1, 0, NULL, NULL }	/* end the list */
};
47
48
/*
 *	Ordering callback for the red-black tree of named policies.
 *
 *	Both arguments are read as policy_named_t and compared by name with
 *	strcmp(), so the result is negative, zero or positive.  Neither name
 *	may be NULL, since strcmp() does not accept NULL.
 */
static int policyname_cmp(const void *a, const void *b)
{
	const policy_named_t *left = a;
	const policy_named_t *right = b;

	return strcmp(left->name, right->name);
}
57
58
/*
 *	Detach a policy instance: free the tree of named policies, if one
 *	was created, and then the instance structure.  Always returns 0.
 *
 *	policy_instantiate() also calls this to unwind a partly built
 *	instance, which is why inst->policies may still be NULL here.
 *
 *	NOTE(review): inst->filename is not freed in this function, although
 *	the note on module_config says the parsed string is dynamically
 *	allocated and must be freed.  Confirm that the configuration code
 *	releases it; if not, it leaks on detach and on failed instantiation.
 */
static int policy_detach(void *instance)
{
	rlm_policy_t *inst = instance;

	if (inst->policies != NULL) {
		rbtree_free(inst->policies);
	}

	free(inst);
	return 0;
}
70
/*
 *	Create one configured instance of the module.
 *
 *	Allocates and zeroes the instance data, parses the module's
 *	configuration section into it, creates the tree of named policies
 *	and loads the policy file named by the "filename" item.
 *
 *	Returns 0 and stores the new instance in *instance on success.
 *	Returns -1 on any failure; the partly built instance is then
 *	released through policy_detach() and *instance is left untouched.
 *
 *	NOTE(review): the policy file is parsed at instantiation time and
 *	then drives the decisions of every hook below, so treat it as
 *	security-sensitive configuration.
 */
static int policy_instantiate(CONF_SECTION *conf, void **instance)
{
	rlm_policy_t *inst = rad_malloc(sizeof(*inst));

	if (!inst) {
		return -1;
	}

	/*
	 *	Zeroed so that policy_detach() sees policies == NULL when
	 *	it is called before the tree exists.
	 */
	memset(inst, 0, sizeof(*inst));

	/* The configuration must parse cleanly. */
	if (cf_section_parse(conf, inst, module_config) < 0) {
		goto fail;
	}

	/* Named policies are ordered by name and freed node by node. */
	inst->policies = rbtree_create(policyname_cmp, rlm_policy_free_item, 0);
	if (!inst->policies) {
		goto fail;
	}

	/* Load the policies from the configured file. */
	if (!rlm_policy_parse(inst->policies, inst->filename)) {
		goto fail;
	}

	*instance = inst;
	return 0;

fail:
	policy_detach(inst);
	return -1;
}
121
122
/*
 *	Insert a named policy into the tree.
 *
 *	Returns 1 when rbtree_insert() accepted the entry and 0 when it did
 *	not.  NOTE(review): presumably a refusal means a policy of the same
 *	name is already present -- confirm against rbtree_insert().
 */
int rlm_policy_insert(rbtree_t *head, policy_named_t *policy)
{
	return rbtree_insert(head, policy) ? 1 : 0;
}
134
135
/*
 *	Find a named policy.
 *
 *	A policy_named_t on the stack serves as the search key.  Only its
 *	name is set; the comparator that policy_instantiate() installs on
 *	the tree reads nothing else.  Returns whatever rbtree_finddata()
 *	returns for that key.
 */
policy_named_t *rlm_policy_find(rbtree_t *head, const char *name)
{
	policy_named_t key;	/* every field except name stays unset */

	key.name = name;

	return rbtree_finddata(head, &key);
}
147
148
/*
 *	Authorization hook.  Passes the request to rlm_policy_evaluate()
 *	under the name "authorize" and returns its result unchanged.
 */
static int policy_authorize(void *instance, REQUEST *request)
{
	rlm_policy_t *inst = instance;

	return rlm_policy_evaluate(inst, request, "authorize");
}
160
161
/*
 *	Pre-accounting hook.  Passes the request to rlm_policy_evaluate()
 *	under the name "preacct" and returns its result unchanged.
 */
static int policy_preacct(void *instance, REQUEST *request)
{
	rlm_policy_t *inst = instance;

	return rlm_policy_evaluate(inst, request, "preacct");
}
167
/*
 *	Accounting hook.  Passes the request to rlm_policy_evaluate()
 *	under the name "accounting" and returns its result unchanged.
 */
static int policy_accounting(void *instance, REQUEST *request)
{
	rlm_policy_t *inst = instance;

	return rlm_policy_evaluate(inst, request, "accounting");
}
173
/*
 *	Post-authentication hook.  Passes the request to
 *	rlm_policy_evaluate() under the name "post-auth" and returns its
 *	result unchanged.
 */
static int policy_post_auth(void *instance, REQUEST *request)
{
	rlm_policy_t *inst = instance;

	return rlm_policy_evaluate(inst, request, "post-auth");
}
179
/*
 *	Pre-proxy hook.  Passes the request to rlm_policy_evaluate()
 *	under the name "pre-proxy" and returns its result unchanged.
 */
static int policy_pre_proxy(void *instance, REQUEST *request)
{
	rlm_policy_t *inst = instance;

	return rlm_policy_evaluate(inst, request, "pre-proxy");
}
185
/*
 *	Post-proxy hook.  Passes the request to rlm_policy_evaluate()
 *	under the name "post-proxy" and returns its result unchanged.
 */
static int policy_post_proxy(void *instance, REQUEST *request)
{
	rlm_policy_t *inst = instance;

	return rlm_policy_evaluate(inst, request, "post-proxy");
}
191
192 #ifdef WITH_COA
/*
 *	recv-coa hook (built only with WITH_COA).  Passes the request to
 *	rlm_policy_evaluate() under the name "recv-coa" and returns its
 *	result unchanged.
 *
 *	NOTE(review): what is returned when the policy file defines nothing
 *	under this name is decided inside rlm_policy_evaluate(), not here.
 *	Confirm that the result is not treated as an acceptance.
 */
static int policy_recv_coa(void *instance, REQUEST *request)
{
	rlm_policy_t *inst = instance;

	return rlm_policy_evaluate(inst, request, "recv-coa");
}
/*
 *	send-coa hook (built only with WITH_COA).  Passes the request to
 *	rlm_policy_evaluate() under the name "send-coa" and returns its
 *	result unchanged.
 */
static int policy_send_coa(void *instance, REQUEST *request)
{
	rlm_policy_t *inst = instance;

	return rlm_policy_evaluate(inst, request, "send-coa");
}
203 #endif
204
/*
 *	Free a chain of policy items.
 *
 *	Follows item->next until the chain ends.  For each node it releases
 *	what that node type owns (strings, nested items by recursion, the
 *	configuration section and module call of a module item) and then
 *	frees the node.  A NULL argument is a no-op.
 *
 *	Nested pointers are cleared once their items have been released,
 *	and each node's next pointer and type are overwritten just before
 *	the node is freed, for debugging and sanity checks.
 *
 *	policy_instantiate() also installs this function as the node-free
 *	callback of the named-policy tree.
 */
void rlm_policy_free_item(policy_item_t *item)
{
	policy_item_t *next;

	for (; item != NULL; item = next) {
		next = item->next;	/* saved first: item is freed below */

		switch (item->type) {
		case POLICY_TYPE_ASSIGNMENT: {
			policy_assignment_t *assign = (policy_assignment_t *) item;

			free(assign->lhs);	/* free(NULL) is a no-op */
			free(assign->rhs);
			break;
		}

		case POLICY_TYPE_CONDITIONAL: {
			policy_condition_t *cond = (policy_condition_t *) item;

			free(cond->lhs);
			free(cond->rhs);

			/* A NULL child is handled by the callee. */
			rlm_policy_free_item(cond->child);
			cond->child = NULL;
			break;
		}

		case POLICY_TYPE_IF: {
			policy_if_t *branch = (policy_if_t *) item;

			rlm_policy_free_item(branch->condition);
			branch->condition = NULL;

			rlm_policy_free_item(branch->if_true);
			branch->if_true = NULL;

			rlm_policy_free_item(branch->if_false);
			branch->if_false = NULL;
			break;
		}

		case POLICY_TYPE_ATTRIBUTE_LIST: {
			policy_attributes_t *list = (policy_attributes_t *) item;

			rlm_policy_free_item(list->attributes);
			break;
		}

		case POLICY_TYPE_NAMED_POLICY: {
			policy_named_t *named = (policy_named_t *) item;

			rad_assert(named->name != NULL);
			free(named->name);
			rlm_policy_free_item(named->policy);
			break;
		}

		case POLICY_TYPE_CALL: {
			policy_call_t *call = (policy_call_t *) item;

			free(call->name);
			break;
		}

		case POLICY_TYPE_MODULE: {
			policy_module_t *module = (policy_module_t *) item;

			/* Guards kept: these helpers take the pointer's address. */
			if (module->cs) cf_section_free(&module->cs);
			if (module->mc) modcallable_free(&module->mc);
			break;
		}

		case POLICY_TYPE_RETURN:	/* owns nothing */
		case POLICY_TYPE_BAD:
		default:
			break;
		} /* switch over type */

		item->next = NULL;	/* for debugging & sanity checks */
		item->type = POLICY_TYPE_BAD;
		free(item);
	}
}
312
313
/*
 *	Module descriptor picked up by the server.
 *
 *	The module name should be the only globally exported symbol, with
 *	everything else 'static'.  (In this file rlm_policy_insert(),
 *	rlm_policy_find() and rlm_policy_free_item() are non-static too.)
 *
 *	If the module needs to temporarily modify its instantiation data,
 *	the type should be changed to RLM_TYPE_THREAD_UNSAFE.  The server
 *	will then take care of ensuring that the module is single-threaded.
 *
 *	The hook table is initialised by position, so an entry's place in
 *	the list decides which section it serves.  The two CoA entries are
 *	present only when the server is built with WITH_COA.
 */
module_t rlm_policy = {
	RLM_MODULE_INIT,
	"policy",
	RLM_TYPE_CHECK_CONFIG_SAFE | RLM_TYPE_HUP_SAFE,	/* type */
	policy_instantiate,			/* instantiation */
	policy_detach,				/* detach */
	{
		NULL,			/* authentication */
		policy_authorize,	/* authorization */
		policy_preacct,		/* preaccounting */
		policy_accounting,	/* accounting */
		NULL,			/* checksimul */
		policy_pre_proxy,	/* pre-proxy */
		policy_post_proxy,	/* post-proxy */
		policy_post_auth,	/* post-auth */
#ifdef WITH_COA
		policy_recv_coa,	/* recv-coa */
		policy_send_coa,	/* send-coa */
#endif
	},
};