2 * rlm_protocol_filter.c
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2004 Cladju Consulting, Inc. <aland@cladju.com>
23 #include <freeradius-devel/autoconf.h>
28 #include <freeradius-devel/radiusd.h>
29 #include <freeradius-devel/modules.h>
30 #include <freeradius-devel/conffile.h>
32 static const char rcsid[] = "$Id$";
35 * Define a structure for our module configuration.
38 typedef struct rlm_protocol_filter_t {
42 } rlm_protocol_filter_t;
45 * A mapping of configuration file names to internal variables.
47 * Note that the string is dynamically allocated, so it MUST
48 * be freed. When the configuration file parse re-reads the string,
49 * it free's the old one, and strdup's the new one, placing the pointer
50 * to the strdup'd string into 'config.string'. This gets around
53 static const CONF_PARSER module_config[] = {
54 { "filename", PW_TYPE_FILENAME,
55 offsetof(rlm_protocol_filter_t,filename), NULL,
56 "${raddbdir}/protocol_filter.conf"},
58 { "key", PW_TYPE_STRING_PTR,
59 offsetof(rlm_protocol_filter_t,key), NULL, "%{Realm:-DEFAULT}"},
61 { NULL, -1, 0, NULL, NULL } /* end the list */
64 static int filter_detach(void *instance)
66 rlm_protocol_filter_t *inst = instance;
68 if (inst->filename) free(inst->filename);
69 if (inst->key) free(inst->key);
70 if (inst->cs) cf_section_free(&(inst->cs));
78 * Do any per-module initialization that is separate to each
79 * configured instance of the module. e.g. set up connections
80 * to external databases, read configuration files, set up
81 * dictionary entries, etc.
83 * If configuration information is given in the config section
84 * that must be referenced in later calls, store a handle to it
85 * in *instance otherwise put a null pointer there.
87 static int filter_instantiate(CONF_SECTION *conf, void **instance)
89 rlm_protocol_filter_t *inst;
92 * Set up a storage area for instance data
94 inst = rad_malloc(sizeof(*inst));
98 memset(inst, 0, sizeof(*inst));
101 * If the configuration parameters can't be parsed, then
104 if (cf_section_parse(conf, inst, module_config) < 0) {
109 inst->cs = conf_read("rlm_protocol_filter", 0,
110 inst->filename, NULL);
125 static int str2sense(const char *str)
127 if (strcasecmp(str, "permit") == 0) return 1;
128 if (strcasecmp(str, "deny") == 0) return 0;
134 * Apply a subsection to a request.
135 * Returns permit/deny/error.
137 static int apply_subsection(rlm_protocol_filter_t *inst, REQUEST *request,
138 CONF_SECTION *cs, const char *name)
145 DEBUG2(" rlm_protocol_filter: Found subsection %s", name);
147 cp = cf_pair_find(cs, "key");
149 radlog(L_ERR, "rlm_protocol_filter: %s[%d]: No key defined in subsection %s",
150 inst->filename, cf_section_lineno(cs), name);
151 return RLM_MODULE_FAIL;
154 radius_xlat(keybuf, sizeof(keybuf),
155 cf_pair_value(cp), request, NULL);
157 DEBUG2(" rlm_protocol_filter: %s[%d]: subsection %s, key is empty, doing nothing.",
158 inst->filename, cf_section_lineno(cs), name);
159 return RLM_MODULE_NOOP;
162 DEBUG2(" rlm_protocol_filter: %s[%d]: subsection %s, using key %s",
163 inst->filename, cf_section_lineno(cs), name, keybuf);
166 * And repeat some of the above code.
168 cp = cf_pair_find(cs, keybuf);
173 * Maybe it has a subsection, too.
175 subcs = cf_section_sub_find(cs, keybuf);
177 return apply_subsection(inst, request, subcs, keybuf);
178 } /* it was a subsection */
182 DEBUG2(" rlm_protocol_filter: %s[%d]: subsection %s, rule not found, doing nothing.",
183 inst->filename, cf_section_lineno(cs), name);
184 return RLM_MODULE_NOOP;
187 value = cf_pair_value(cp);
188 sense = str2sense(value);
190 radlog(L_ERR, "rlm_protocol_filter: %s[%d]: Unknwn directive %s",
191 inst->filename, cf_pair_lineno(cp), value);
192 return RLM_MODULE_FAIL;
195 if (!sense) return RLM_MODULE_REJECT;
197 return RLM_MODULE_OK;
202 * Authorize the user.
204 static int filter_authorize(void *instance, REQUEST *request)
211 rlm_protocol_filter_t *inst = instance;
213 radius_xlat(keybuf, sizeof(keybuf), inst->key, request, NULL);
215 DEBUG2(" rlm_protocol_filter: key is empty");
216 return RLM_MODULE_NOOP;
218 DEBUG2(" rlm_protocol_filter: Using key %s", keybuf);
220 cs = cf_section_sub_find(inst->cs, keybuf);
222 DEBUG2(" rlm_protocol_filter: No such key in %s", inst->filename);
223 return RLM_MODULE_NOTFOUND;
227 * Walk through the list of attributes, seeing if they're
230 for (vp = request->packet->vps; vp != NULL; vp = vp->next) {
234 cp = cf_pair_find(cs, vp->name);
236 value = cf_pair_value(cp);
238 sense = str2sense(value);
240 radlog(L_ERR, "rlm_protocol_filter %s[%d]: Unknown directive %s",
244 return RLM_MODULE_FAIL;
247 if (!sense) return RLM_MODULE_REJECT;
248 continue; /* was permitted */
249 } /* else no pair was found */
252 * Maybe it has a subsection
254 subcs = cf_section_sub_find(cs, vp->name);
256 sense = apply_subsection(inst, request, subcs, vp->name);
257 if ((sense == RLM_MODULE_OK) ||
258 (sense == RLM_MODULE_NOOP)) {
263 } /* it was a subsection */
266 * Not found, must be "permit"
270 return RLM_MODULE_OK;
275 * The module name should be the only globally exported symbol.
276 * That is, everything else should be 'static'.
278 * If the module needs to temporarily modify it's instantiation
279 * data, the type should be changed to RLM_TYPE_THREAD_UNSAFE.
280 * The server will then take care of ensuring that the module
281 * is single-threaded.
283 module_t rlm_protocol_filter = {
286 RLM_TYPE_THREAD_SAFE, /* type */
287 filter_instantiate, /* instantiation */
288 filter_detach, /* detach */
290 NULL, /* authentication */
291 filter_authorize, /* authorization */
292 NULL, /* preaccounting */
293 NULL, /* accounting */
294 NULL, /* checksimul */
295 NULL, /* pre-proxy */
296 NULL, /* post-proxy */