2 * rlm_policy.c Implements a policy language
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20 * Copyright 2004 Alan DeKok <aland@ox.org>
23 #include "rlm_policy.h"
25 #include <freeradius-devel/modules.h>
26 #include <freeradius-devel/conffile.h>
/* RCS/CVS keyword string; expanded by the version control system, never read by the code. */
28 static const char rcsid[] = "$Id$";
32 * A mapping of configuration file names to internal variables.
34 * Note that the string is dynamically allocated, so it MUST
35 * be freed. When the configuration file parse re-reads the string,
36 * it frees the old one, and strdup's the new one, placing the pointer
37 * to the strdup'd string into 'config.string'. This gets around
/*
 *	Only one item is configurable: "filename", the policy file that
 *	policy_instantiate() hands to rlm_policy_parse().  The strdup'd
 *	string is released in policy_detach().
 *	NOTE(review): the two trailing NULLs presumably mean "no data
 *	pointer" and "no default value", so a section that omits
 *	'filename' leaves it NULL - confirm against CONF_PARSER.
 */
40 static const CONF_PARSER module_config[] = {
41 { "filename", PW_TYPE_FILENAME,
42 offsetof(rlm_policy_t,filename), NULL, NULL},
44 { NULL, -1, 0, NULL, NULL } /* end the list */
/*
 *	Red-black tree comparator: orders policy_named_t nodes by name.
 *
 *	Both arguments must point at policy_named_t objects whose 'name'
 *	is a NUL-terminated string.  strcmp() on a NULL name is undefined
 *	behaviour, so whatever builds a lookup key (see rlm_policy_find)
 *	must never pass a NULL name into the tree.
 *
 *	Returns <0, 0 or >0 exactly as strcmp() does.
 */
static int policyname_cmp(const void *a, const void *b)
{
	const policy_named_t *lhs = a;
	const policy_named_t *rhs = b;

	return strcmp(lhs->name, rhs->name);
}
/*
 *	Tear down one module instance: release the configured filename
 *	string (strdup'd by the config parser, see module_config) and the
 *	policy tree.  The tree was created with rlm_policy_free_item as
 *	its free callback, so the stored policies are presumably released
 *	by rbtree_free() - the tree owns its nodes, not the caller.
 *	NOTE(review): the remainder of this function (the release of
 *	'inst' itself and the return) is not visible in this listing.
 */
61 static int policy_detach(void *instance)
63 rlm_policy_t *inst = instance;
65 if (inst->filename) free(inst->filename); /* NULL when the section omitted 'filename' */
66 if (inst->policies) rbtree_free(inst->policies); /* frees every stored policy via the tree's callback */
72 * Do any per-module initialization that is specific to each
73 * configured instance of the module. e.g. set up connections
74 * to external databases, read configuration files, set up
75 * dictionary entries, etc.
77 * If configuration information is given in the config section
78 * that must be referenced in later calls, store a handle to it
79 * in *instance otherwise put a null pointer there.
/*
 *	Allocates the instance, parses module_config into it, builds the
 *	policy tree and loads the policy file named by 'filename'.
 *	NOTE(review): the three error paths (config parse failure, tree
 *	creation failure, policy file parse failure) and the success
 *	return are on lines not visible in this listing; each error path
 *	must release 'inst' and whatever was created before it, and
 *	return non-zero - confirm there.
 */
81 static int policy_instantiate(CONF_SECTION *conf, void **instance)
86 * Set up a storage area for instance data
88 inst = rad_malloc(sizeof(*inst)); /* rad_malloc's behaviour on failure is not visible here */
92 memset(inst, 0, sizeof(*inst)); /* every pointer field starts NULL, which policy_detach's checks rely on */
95 * If the configuration parameters can't be parsed, then
98 if (cf_section_parse(conf, inst, module_config) < 0) {
103 inst->policies = rbtree_create(policyname_cmp, rlm_policy_free_item, 0); /* keyed by name; the tree owns its nodes and releases them with rlm_policy_free_item */
104 if (!inst->policies) {
110 * Parse the policy from the file.
112 if (!rlm_policy_parse(inst->policies, inst->filename)) { /* NOTE(review): filename has no default, so it may be NULL here - confirm rlm_policy_parse rejects that */
124 * Insert a named policy into a list.
/*
 *	Ownership of 'policy' passes to this function either way: on
 *	success the tree owns it (and frees it via its callback), on a
 *	failed rbtree_insert() - presumably a duplicate name, since the
 *	comparator is policyname_cmp - it is released here.  The caller
 *	must not touch 'policy' afterwards.
 *	NOTE(review): the return values are on lines not visible in this
 *	listing.
 */
126 int rlm_policy_insert(rbtree_t *head, policy_named_t *policy)
128 if (!rbtree_insert(head, policy)) {
129 rlm_policy_free_item((policy_item_t *) policy); /* policy_named_t starts with a policy_item_t, hence the cast */
/*
 *	Look up a named policy in the tree.
 *
 *	A stack-allocated policy_named_t serves as the search key.  Only
 *	its 'name' field is set, which is the only field policyname_cmp()
 *	reads; 'name' must not be NULL (see policyname_cmp).
 *
 *	Returns whatever rbtree_finddata() returns: the stored
 *	policy_named_t on a match, presumably NULL otherwise.
 */
policy_named_t *rlm_policy_find(rbtree_t *head, const char *name)
{
	policy_named_t key;

	key.name = name;

	return rbtree_finddata(head, &key);
}
151 * Find the named user in this module's database. Create the set
152 * of attribute-value pairs to check and reply with for this user
153 * from the database. The authentication code only needs to check
154 * the password, the rest is done here.
/*
 *	NOTE(review): the comment above reads like a user-database
 *	module's; this function evaluates the loaded policies for the
 *	authorization stage by delegating to rlm_policy_evaluate().  The
 *	component argument (next line of the original file) is not
 *	visible in this listing.
 */
156 static int policy_authorize(void *instance, REQUEST *request)
158 return rlm_policy_evaluate((rlm_policy_t *) instance, request,
/*
 *	Pre-accounting entry point: delegates to rlm_policy_evaluate().
 *	The component argument (next line of the original file) is not
 *	visible in this listing.
 */
163 static int policy_preacct(void *instance, REQUEST *request)
165 return rlm_policy_evaluate((rlm_policy_t *) instance, request,
/*
 *	Accounting entry point: delegates to rlm_policy_evaluate().
 *	The component argument (next line of the original file) is not
 *	visible in this listing.
 */
169 static int policy_accounting(void *instance, REQUEST *request)
171 return rlm_policy_evaluate((rlm_policy_t *) instance, request,
/*
 *	Post-auth entry point: delegates to rlm_policy_evaluate().
 *	The component argument (next line of the original file) is not
 *	visible in this listing.
 */
175 static int policy_post_auth(void *instance, REQUEST *request)
177 return rlm_policy_evaluate((rlm_policy_t *) instance, request,
/*
 *	Pre-proxy entry point: delegates to rlm_policy_evaluate().
 *	The component argument (next line of the original file) is not
 *	visible in this listing.
 */
181 static int policy_pre_proxy(void *instance, REQUEST *request)
183 return rlm_policy_evaluate((rlm_policy_t *) instance, request,
/*
 *	Post-proxy entry point: delegates to rlm_policy_evaluate().
 *	The component argument (next line of the original file) is not
 *	visible in this listing.
 */
187 static int policy_post_proxy(void *instance, REQUEST *request)
189 return rlm_policy_evaluate((rlm_policy_t *) instance, request,
194 * The "free" functions are here, for no particular reason.
/*
 *	Release a policy item and the sub-items it owns.
 *
 *	Each case frees only what that item type owns (strings, nested
 *	items, config sections).  Pointers to released children are reset
 *	to NULL so a second visit cannot double-free them, and at the end
 *	'next' and 'type' are poisoned so a stale pointer lands in the
 *	POLICY_TYPE_BAD case instead of silently reusing freed memory.
 *	NOTE(review): the consumer of 'next', the POLICY_TYPE_IF case
 *	label, the POLICY_TYPE_CALL declaration and the final release of
 *	'item' itself are on lines not visible in this listing - confirm
 *	there.
 */
196 void rlm_policy_free_item(policy_item_t *item)
199 policy_item_t *next = item->next; /* saved first: item->next is cleared below */
201 switch (item->type) {
203 case POLICY_TYPE_BAD: /* NOTE(review): what this case does is not visible here */
206 case POLICY_TYPE_ASSIGNMENT:
208 policy_assignment_t *this;
210 this = (policy_assignment_t *) item;
211 if (this->lhs) free(this->lhs); /* both sides are strings owned by the assignment */
212 if (this->rhs) free(this->rhs);
216 case POLICY_TYPE_CONDITIONAL:
218 policy_condition_t *this;
220 this = (policy_condition_t *) item;
221 if (this->lhs) free(this->lhs);
222 if (this->rhs) free(this->rhs);
225 rlm_policy_free_item(this->child); /* nested condition; NOTE(review): the guard/NULL-reset around this call is not visible here */
235 this = (policy_if_t *) item; /* POLICY_TYPE_IF case; its label is not visible in this listing */
236 if (this->condition) {
237 rlm_policy_free_item(this->condition);
238 this->condition = NULL; /* reset after free: defends against a second free */
241 rlm_policy_free_item(this->if_true);
242 this->if_true = NULL;
244 if (this->if_false) { /* the else branch is optional */
245 rlm_policy_free_item(this->if_false);
246 this->if_false = NULL;
251 case POLICY_TYPE_ATTRIBUTE_LIST:
253 policy_attributes_t *this;
255 this = (policy_attributes_t *) item;
256 rlm_policy_free_item(this->attributes); /* the attribute items are owned by this list */
260 case POLICY_TYPE_NAMED_POLICY:
262 policy_named_t *this;
264 this = (policy_named_t *) item;
265 rad_assert(this->name != NULL); /* the name is the tree key (policyname_cmp), so it is never NULL */
267 rlm_policy_free_item(this->policy); /* NOTE(review): the release of this->name is on a line not visible here - confirm it is freed */
271 case POLICY_TYPE_CALL:
275 this = (policy_call_t *) item;
276 if (this->name) free(this->name); /* name of the called policy, owned by the call item */
280 case POLICY_TYPE_RETURN:
281 break; /* do nothing */
283 case POLICY_TYPE_MODULE:
285 policy_module_t *this;
287 this = (policy_module_t *) item;
288 if (this->cs) cf_section_free(&this->cs); /* passed by address, presumably so the callee resets the field */
289 if (this->mc) modcallable_free(&this->mc);
292 } /* switch over type */
293 item->next = NULL; /* for debugging & sanity checks */
294 item->type = POLICY_TYPE_BAD; /* poison: any later use of this item hits the BAD case above */
303 * The module name should be the only globally exported symbol.
304 * That is, everything else should be 'static'.
306 * If the module needs to temporarily modify its instantiation
307 * data, the type should be changed to RLM_TYPE_THREAD_UNSAFE.
308 * The server will then take care of ensuring that the module
309 * is single-threaded.
/*
 *	NOTE(review): rlm_policy_insert, rlm_policy_find and
 *	rlm_policy_free_item above are not static, so the "only globally
 *	exported symbol" statement does not hold for this file.
 *	RLM_TYPE_THREAD_SAFE is only valid if rlm_policy_evaluate() never
 *	mutates the instance; the request handlers here just pass it
 *	through, and rlm_policy_evaluate() is not visible in this listing.
 *	The leading fields of the initializer (before 'type') are also not
 *	visible here.
 */
311 module_t rlm_policy = {
314 RLM_TYPE_THREAD_SAFE, /* type */
315 policy_instantiate, /* instantiation */
316 policy_detach, /* detach */
318 NULL, /* authentication */
319 policy_authorize, /* authorization */
320 policy_preacct, /* preaccounting */
321 policy_accounting, /* accounting */
322 NULL, /* checksimul */
323 policy_pre_proxy, /* pre-proxy */
324 policy_post_proxy, /* post-proxy */
325 policy_post_auth /* post-auth */