1 /*
2  * rlm_protocol_filter.c
3  *
4  * Version:     $Id$
5  *
6  *   This program is free software; you can redistribute it and/or modify
7  *   it under the terms of the GNU General Public License as published by
8  *   the Free Software Foundation; either version 2 of the License, or
9  *   (at your option) any later version.
10  *
11  *   This program is distributed in the hope that it will be useful,
12  *   but WITHOUT ANY WARRANTY; without even the implied warranty of
13  *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  *   GNU General Public License for more details.
15  *
16  *   You should have received a copy of the GNU General Public License
17  *   along with this program; if not, write to the Free Software
18  *   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
19  *
20  * Copyright 2004  Cladju Consulting, Inc. <aland@cladju.com>
21  * Copyright 2006  The FreeRADIUS server project
22  */
23
24 #include <freeradius-devel/ident.h>
25 RCSID("$Id$")
26
27 #include <freeradius-devel/autoconf.h>
28
29 #include <stdio.h>
30 #include <stdlib.h>
31
32 #include <freeradius-devel/radiusd.h>
33 #include <freeradius-devel/modules.h>
34
/* Legacy RCS keyword string; appears redundant with the RCSID() macro above — candidate for removal. */
static const char rcsid[] = "$Id$";
36
37 /*
38  *      Define a structure for our module configuration.
39  *
40  */
typedef struct rlm_protocol_filter_t {
        char            *filename;      /* rule file path; read into cs by filter_instantiate() */
        char            *key;           /* xlat string expanded per request to select a section of cs */
        CONF_SECTION    *cs;            /* parsed contents of filename, freed in filter_detach() */
} rlm_protocol_filter_t;
46
47 /*
48  *      A mapping of configuration file names to internal variables.
49  *
 *      Note that the string is dynamically allocated, so it MUST
 *      be freed.  When the configuration file parser re-reads the string,
 *      it frees the old one and strdup()s the new one, placing the pointer
 *      to the strdup'd string into 'config.string'.  This avoids
 *      buffer overflows.
55  */
static const CONF_PARSER module_config[] = {
        /*
         *      Rule file.  Loaded once at instantiate time; its
         *      top-level sections are looked up by the expanded key.
         */
        { "filename",  PW_TYPE_FILENAME,
          offsetof(rlm_protocol_filter_t,filename), NULL,
          "${raddbdir}/protocol_filter.conf"},

        /*
         *      Expanded against every request in filter_authorize().
         *      The default selects the section named after the Realm
         *      attribute, or "DEFAULT" when there is none.  Because the
         *      key is derived from request data, the requester can
         *      influence which section is consulted (only sections
         *      that exist in the file can ever match).
         */
        { "key",  PW_TYPE_STRING_PTR,
          offsetof(rlm_protocol_filter_t,key), NULL, "%{Realm:-DEFAULT}"},
        
        { NULL, -1, 0, NULL, NULL }             /* end the list */
};
66
/*
 *      Tear down one module instance: release the parsed rule file
 *      (if one was loaded) and then the instance structure itself.
 *
 *      Also used by filter_instantiate() on its failure paths, so it
 *      must tolerate a partially filled, zeroed instance.
 *
 *      NOTE(review): the strdup'd "filename" and "key" strings filled
 *      in by cf_section_parse() are not released here; whether the
 *      server core frees them is not visible from this file — confirm.
 */
static int filter_detach(void *instance)
{
        rlm_protocol_filter_t *inst = (rlm_protocol_filter_t *) instance;

        if (inst->cs != NULL) {
                cf_section_free(&inst->cs);
        }

        free(inst);
        return 0;
}
76
77
78 /*
79  *      Do any per-module initialization that is separate to each
80  *      configured instance of the module.  e.g. set up connections
81  *      to external databases, read configuration files, set up
82  *      dictionary entries, etc.
83  *
84  *      If configuration information is given in the config section
85  *      that must be referenced in later calls, store a handle to it
86  *      in *instance otherwise put a null pointer there.
87  */
/*
 *      Build one instance of the module from its config section.
 *
 *      Parses the module's own "filename" and "key" directives, then
 *      loads the rule file named by "filename" into inst->cs so that
 *      filter_authorize() can look sections up in it per request.
 *
 *      Returns 0 and stores the instance in *instance on success,
 *      or -1 after releasing everything allocated so far via
 *      filter_detach().
 */
static int filter_instantiate(CONF_SECTION *conf, void **instance)
{
        rlm_protocol_filter_t *inst = rad_malloc(sizeof(*inst));

        if (inst == NULL) return -1;
        memset(inst, 0, sizeof(*inst));

        /*
         *      Pull "filename" / "key" out of the module section.  A
         *      parse error is fatal for this instance.
         */
        if (cf_section_parse(conf, inst, module_config) < 0) {
                goto fail;
        }

        /*
         *      Read the rule file; conf_read() returns NULL on failure.
         */
        inst->cs = conf_read("rlm_protocol_filter", 0, inst->filename, NULL);
        if (inst->cs == NULL) {
                goto fail;
        }

        *instance = inst;
        return 0;

fail:
        filter_detach(inst);
        return -1;
}
121
122
123 /*
124  *      Return permission.
125  */
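/*
 *      Map a rule value to a permission.
 *
 *      Returns 1 for "permit", 0 for "deny" (both compared
 *      case-insensitively), and -1 for anything else, including a
 *      NULL pointer.  Callers pass cf_pair_value(), which this file
 *      does not guarantee to be non-NULL; handing NULL to
 *      strcasecmp() would be undefined behaviour, so reject it here.
 */
static int str2sense(const char *str)
{
        if (str == NULL) return -1;

        if (strcasecmp(str, "permit") == 0) return 1;
        if (strcasecmp(str, "deny") == 0) return 0;

        return -1;
}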
133
134 /*
135  *      Apply a subsection to a request.
136  *      Returns permit/deny/error.
137  */
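/*
 *      Apply one subsection of the rule file to the request.
 *
 *      A subsection is selected by an attribute name (see
 *      filter_authorize()).  Inside it, the "key" directive is
 *      expanded against the request with radius_xlat(), and the
 *      result names either a permit/deny pair or a further nested
 *      subsection of the same section, which is applied recursively.
 *      Recursion is bounded by the nesting depth of the config file,
 *      since every step descends into a child of the current section.
 *
 *      Returns RLM_MODULE_OK (permitted), RLM_MODULE_REJECT (denied),
 *      RLM_MODULE_NOOP (key empty, or no rule for the expanded key),
 *      or RLM_MODULE_FAIL (config error: no usable "key", or a rule
 *      value other than permit/deny).
 *
 *      Caveat: the expanded key is looked up in the same section that
 *      holds the "key" directive itself, so a key expanding to the
 *      literal string "key" hits that directive and fails as an
 *      unknown rule value.
 */
static int apply_subsection(rlm_protocol_filter_t *inst, REQUEST *request,
                            CONF_SECTION *cs, const char *name)
{
        int sense;
        CONF_PAIR *cp;
        const char *keyfmt;
        const char *value;
        char keybuf[256];

        DEBUG2("  rlm_protocol_filter: Found subsection %s", name);

        /*
         *      A "key" directive with no value is as unusable as a
         *      missing one: never hand a NULL format to radius_xlat().
         */
        cp = cf_pair_find(cs, "key");
        keyfmt = cp ? cf_pair_value(cp) : NULL;
        if (!keyfmt) {
                radlog(L_ERR, "rlm_protocol_filter: %s[%d]: No key defined in subsection %s",
                       inst->filename, cf_section_lineno(cs), name);
                return RLM_MODULE_FAIL;
        }

        /*
         *      Expand the key.  radius_xlat() is bounded by
         *      sizeof(keybuf); an empty result means "nothing to
         *      match on" and is not an error.
         */
        radius_xlat(keybuf, sizeof(keybuf), keyfmt, request, NULL);
        if (!*keybuf) {
                DEBUG2("  rlm_protocol_filter: %s[%d]: subsection %s, key is empty, doing nothing.",
                       inst->filename, cf_section_lineno(cs), name);
                return RLM_MODULE_NOOP;
        }

        DEBUG2("  rlm_protocol_filter: %s[%d]: subsection %s, using key %s",
               inst->filename, cf_section_lineno(cs), name, keybuf);

        /*
         *      Prefer a direct permit/deny pair; otherwise descend into
         *      a nested subsection of the same name, if there is one.
         */
        cp = cf_pair_find(cs, keybuf);
        if (!cp) {
                CONF_SECTION *subcs = cf_section_sub_find(cs, keybuf);

                if (subcs) {
                        return apply_subsection(inst, request, subcs, keybuf);
                }

                DEBUG2("  rlm_protocol_filter: %s[%d]: subsection %s, rule not found, doing nothing.",
                       inst->filename, cf_section_lineno(cs), name);
                return RLM_MODULE_NOOP;
        }

        /*
         *      A pair without a value cannot be permit/deny; treat it
         *      as a config error instead of passing NULL to strcasecmp().
         */
        value = cf_pair_value(cp);
        sense = (value != NULL) ? str2sense(value) : -1;
        if (sense < 0) {
                radlog(L_ERR, "rlm_protocol_filter: %s[%d]: Unknown directive %s",
                       inst->filename, cf_pair_lineno(cp),
                       value ? value : "(none)");
                return RLM_MODULE_FAIL;
        }

        if (!sense) return RLM_MODULE_REJECT;

        return RLM_MODULE_OK;
}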
200
201
202 /*
203  *      Authorize the user.
204  */
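/*
 *      Authorize: filter the request's attributes against the rule file.
 *
 *      The module's "key" is expanded against the request and must
 *      name a top-level section of the rule file.  Every attribute in
 *      request->packet->vps is then checked against that section: a
 *      pair "Attr = permit|deny" decides directly, a subsection
 *      "Attr { ... }" is evaluated by apply_subsection(), and an
 *      attribute with no entry at all is allowed through.
 *
 *      Security note: the default is fail-open.  Only attributes that
 *      are explicitly denied (directly or via a subsection) cause a
 *      REJECT; there is no catch-all for unlisted attributes, so
 *      anything not named in the section passes.  The key is also
 *      built from request data (insofar as its xlat reads request
 *      attributes), so the requester can influence which section is
 *      consulted, although only sections that exist in the file match.
 *
 *      Returns RLM_MODULE_NOOP (key expands to empty),
 *      RLM_MODULE_NOTFOUND (no section for the key), RLM_MODULE_REJECT
 *      (an attribute was denied), RLM_MODULE_FAIL (malformed rule), or
 *      RLM_MODULE_OK.  The walk stops at the first attribute that
 *      yields anything other than OK/NOOP.
 */
static int filter_authorize(void *instance, REQUEST *request)
{
        rlm_protocol_filter_t *inst = instance;
        VALUE_PAIR *vp;
        CONF_SECTION *cs;
        char keybuf[1024];

        radius_xlat(keybuf, sizeof(keybuf), inst->key, request, NULL);
        if (!*keybuf) {
                DEBUG2("  rlm_protocol_filter: key is empty");
                return RLM_MODULE_NOOP;
        }
        DEBUG2("  rlm_protocol_filter: Using key %s", keybuf);

        cs = cf_section_sub_find(inst->cs, keybuf);
        if (!cs) {
                DEBUG2("  rlm_protocol_filter: No such key in %s", inst->filename);
                return RLM_MODULE_NOTFOUND;
        }

        /*
         *      Walk the request's attributes, stopping at the first
         *      deny or config error.
         */
        for (vp = request->packet->vps; vp != NULL; vp = vp->next) {
                CONF_PAIR *cp;
                CONF_SECTION *subcs;
                const char *value;
                int sense;

                cp = cf_pair_find(cs, vp->name);
                if (cp) {
                        /*
                         *      A pair without a value cannot be
                         *      permit/deny; report it rather than
                         *      passing NULL to strcasecmp().
                         */
                        value = cf_pair_value(cp);
                        sense = (value != NULL) ? str2sense(value) : -1;
                        if (sense < 0) {
                                radlog(L_ERR, "rlm_protocol_filter: %s[%d]: Unknown directive %s",
                                       inst->filename,
                                       cf_pair_lineno(cp),
                                       value ? value : "(none)");
                                return RLM_MODULE_FAIL;
                        }

                        if (!sense) return RLM_MODULE_REJECT;
                        continue;       /* explicitly permitted */
                }

                /*
                 *      No pair: maybe a subsection keyed on a further
                 *      attribute decides.
                 */
                subcs = cf_section_sub_find(cs, vp->name);
                if (subcs) {
                        sense = apply_subsection(inst, request, subcs, vp->name);
                        if ((sense != RLM_MODULE_OK) &&
                            (sense != RLM_MODULE_NOOP)) {
                                return sense;
                        }
                }

                /*
                 *      Neither pair nor subsection: permitted by default.
                 */
        }

        return RLM_MODULE_OK;
}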
273
274
275 /*
276  *      The module name should be the only globally exported symbol.
277  *      That is, everything else should be 'static'.
278  *
279  *      If the module needs to temporarily modify it's instantiation
280  *      data, the type should be changed to RLM_TYPE_THREAD_UNSAFE.
281  *      The server will then take care of ensuring that the module
282  *      is single-threaded.
283  */
/*
 *      Module export.  Only the authorize hook is implemented; the
 *      instance is read-only after filter_instantiate(), hence
 *      RLM_TYPE_THREAD_SAFE.
 */
module_t rlm_protocol_filter = {
        RLM_MODULE_INIT,
        "protocol_filter",
        RLM_TYPE_THREAD_SAFE,           /* type */
        filter_instantiate,             /* instantiation */
        filter_detach,                  /* detach */
        {
                NULL,                   /* authentication */
                filter_authorize,       /* authorization: the only hook used */
                NULL,                   /* preaccounting */
                NULL,                   /* accounting */
                NULL,                   /* checksimul */
                NULL,                   /* pre-proxy */
                NULL,                   /* post-proxy */
                NULL                    /* post-auth */
        },
};