1 /*
2  * rlm_protocol_filter.c
3  *
4  * Version:     $Id$
5  *
6  *   This program is free software; you can redistribute it and/or modify
7  *   it under the terms of the GNU General Public License as published by
8  *   the Free Software Foundation; either version 2 of the License, or
9  *   (at your option) any later version.
10  *
11  *   This program is distributed in the hope that it will be useful,
12  *   but WITHOUT ANY WARRANTY; without even the implied warranty of
13  *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  *   GNU General Public License for more details.
15  *
16  *   You should have received a copy of the GNU General Public License
17  *   along with this program; if not, write to the Free Software
18  *   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
19  *
20  * Copyright 2004  Cladju Consulting, Inc. <aland@cladju.com>
21  */
22
23 #include <freeradius-devel/autoconf.h>
24
25 #include <stdio.h>
26 #include <stdlib.h>
27
28 #include <freeradius-devel/radiusd.h>
29 #include <freeradius-devel/modules.h>
30 #include <freeradius-devel/conffile.h>
31
/* Version-control keyword string, kept in the object file for identification only. */
static const char rcsid[] = "$Id$";
33
34 /*
35  *      Define a structure for our module configuration.
36  *
37  */
typedef struct rlm_protocol_filter_t {
        char            *filename;      /* rules file, read by conf_read() in filter_instantiate() */
        char            *key;           /* xlat string expanded per request to pick a section of 'cs' */
        CONF_SECTION    *cs;            /* parsed contents of 'filename'; freed in filter_detach() */
} rlm_protocol_filter_t;
43
44 /*
45  *      A mapping of configuration file names to internal variables.
46  *
47  *      Note that the string is dynamically allocated, so it MUST
48  *      be freed.  When the configuration file parse re-reads the string,
49  *      it free's the old one, and strdup's the new one, placing the pointer
50  *      to the strdup'd string into 'config.string'.  This gets around
51  *      buffer over-flows.
52  */
static const CONF_PARSER module_config[] = {
        /* Rules file; loaded once at instantiation by conf_read(). */
        { "filename",  PW_TYPE_FILENAME,
          offsetof(rlm_protocol_filter_t,filename), NULL,
          "${raddbdir}/protocol_filter.conf"},

        /*
         *      Expanded with radius_xlat() on every request; the result
         *      names the top-level section of the rules file to apply.
         */
        { "key",  PW_TYPE_STRING_PTR,
          offsetof(rlm_protocol_filter_t,key), NULL, "%{Realm:-DEFAULT}"},

        { NULL, -1, 0, NULL, NULL }             /* end the list */
};
63
/*
 *      Release everything owned by one module instance: the two
 *      strings filled in by cf_section_parse(), the parsed rules
 *      file, and the instance structure itself.
 *
 *      Safe to call on a partially initialised instance (all fields
 *      are zeroed before parsing), which filter_instantiate() relies on.
 */
static int filter_detach(void *instance)
{
        rlm_protocol_filter_t *inst = instance;

        /* free(NULL) is a no-op, so the strings need no guard. */
        free(inst->filename);
        free(inst->key);

        if (inst->cs) {
                cf_section_free(&(inst->cs));
        }

        free(inst);
        return 0;
}
75
76
77 /*
78  *      Do any per-module initialization that is separate to each
79  *      configured instance of the module.  e.g. set up connections
80  *      to external databases, read configuration files, set up
81  *      dictionary entries, etc.
82  *
83  *      If configuration information is given in the config section
84  *      that must be referenced in later calls, store a handle to it
85  *      in *instance otherwise put a null pointer there.
86  */
static int filter_instantiate(CONF_SECTION *conf, void **instance)
{
        rlm_protocol_filter_t *inst = rad_malloc(sizeof(*inst));

        if (!inst) return -1;
        memset(inst, 0, sizeof(*inst));

        /*
         *      Pull "filename" and "key" out of the module's config
         *      section.  The strings are owned by inst from here on,
         *      so every failure path below goes through filter_detach().
         */
        if (cf_section_parse(conf, inst, module_config) < 0) goto fail;

        /*
         *      Load the rules file itself.  Sections of inst->cs are
         *      selected per request by expanding inst->key.
         */
        inst->cs = conf_read("rlm_protocol_filter", 0,
                             inst->filename, NULL);
        if (!inst->cs) goto fail;

        *instance = inst;
        return 0;

fail:
        filter_detach(inst);
        return -1;
}
120
121
122 /*
123  *      Return permission.
124  */
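/*
 *      Map a rule value to a permission.
 *
 *      Returns 1 for "permit", 0 for "deny" (both case-insensitive),
 *      and -1 for anything else.  A NULL value is also reported as -1
 *      (defensive: should cf_pair_value() ever hand back NULL, the
 *      callers then log an error instead of crashing in strcasecmp()).
 */
static int str2sense(const char *str)
{
        if (!str) return -1;

        if (strcasecmp(str, "permit") == 0) return 1;
        if (strcasecmp(str, "deny") == 0) return 0;

        return -1;
}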
132
133 /*
134  *      Apply a subsection to a request.
135  *      Returns permit/deny/error.
136  */
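/*
 *      Apply a subsection to a request.
 *
 *      The subsection's "key" pair is xlat-expanded against the
 *      request; the result names either a pair of this subsection
 *      (permit/deny) or a nested subsection, which is applied
 *      recursively.  Recursion only descends into children of 'cs',
 *      so it is bounded by the nesting depth of the rules file.
 *
 *      Returns RLM_MODULE_OK (permit), RLM_MODULE_REJECT (deny),
 *      RLM_MODULE_NOOP (empty key, or no matching rule: the caller
 *      treats this as "permit"), or RLM_MODULE_FAIL (no "key" pair,
 *      or an unknown directive).
 */
static int apply_subsection(rlm_protocol_filter_t *inst, REQUEST *request,
                            CONF_SECTION *cs, const char *name)
{
        int sense;
        CONF_PAIR *cp;
        CONF_SECTION *subcs;
        const char *value;
        char keybuf[256];

        DEBUG2("  rlm_protocol_filter: Found subsection %s", name);

        cp = cf_pair_find(cs, "key");
        if (!cp) {
                radlog(L_ERR, "rlm_protocol_filter: %s[%d]: No key defined in subsection %s",
                       inst->filename, cf_section_lineno(cs), name);
                return RLM_MODULE_FAIL;
        }

        /*
         *      An expansion that does not fit in keybuf is cut short
         *      without notice; a shortened key normally matches nothing
         *      below and the subsection then falls through as NOOP.
         */
        radius_xlat(keybuf, sizeof(keybuf),
                    cf_pair_value(cp), request, NULL);
        if (!*keybuf) {
                DEBUG2("  rlm_protocol_filter: %s[%d]: subsection %s, key is empty, doing nothing.",
                       inst->filename, cf_section_lineno(cs), name);
                return RLM_MODULE_NOOP;
        }

        DEBUG2("  rlm_protocol_filter: %s[%d]: subsection %s, using key %s",
               inst->filename, cf_section_lineno(cs), name, keybuf);

        cp = cf_pair_find(cs, keybuf);
        if (!cp) {
                /*
                 *      No pair of that name: maybe a nested subsection.
                 */
                subcs = cf_section_sub_find(cs, keybuf);
                if (subcs) {
                        return apply_subsection(inst, request, subcs, keybuf);
                }

                DEBUG2("  rlm_protocol_filter: %s[%d]: subsection %s, rule not found, doing nothing.",
                       inst->filename, cf_section_lineno(cs), name);
                return RLM_MODULE_NOOP;
        }

        value = cf_pair_value(cp);
        sense = value ? str2sense(value) : -1;  /* defensive: a value-less pair is an error, not a crash */
        if (sense < 0) {
                /* Message spelled to match the one in filter_authorize(). */
                radlog(L_ERR, "rlm_protocol_filter: %s[%d]: Unknown directive %s",
                       inst->filename, cf_pair_lineno(cp), value ? value : "");
                return RLM_MODULE_FAIL;
        }

        return sense ? RLM_MODULE_OK : RLM_MODULE_REJECT;
}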
199
200
/*
 *      Decide the fate of one request attribute under section 'cs'.
 *
 *      A pair named after the attribute gives permit/deny directly;
 *      failing that, a subsection of that name is applied.  An
 *      attribute mentioned by neither is permitted.
 *
 *      Returns RLM_MODULE_OK to keep going, RLM_MODULE_NOOP when a
 *      subsection had nothing to say, and RLM_MODULE_REJECT or
 *      RLM_MODULE_FAIL to stop processing the request.
 */
static int filter_one_attribute(rlm_protocol_filter_t *inst, REQUEST *request,
                                CONF_SECTION *cs, VALUE_PAIR *vp)
{
        CONF_PAIR *cp = cf_pair_find(cs, vp->name);
        CONF_SECTION *subcs;

        if (cp) {
                const char *value = cf_pair_value(cp);
                int sense = str2sense(value);

                if (sense < 0) {
                        radlog(L_ERR, "rlm_protocol_filter %s[%d]: Unknown directive %s",
                               inst->filename,
                               cf_pair_lineno(cp),
                               value);
                        return RLM_MODULE_FAIL;
                }

                return sense ? RLM_MODULE_OK : RLM_MODULE_REJECT;
        }

        subcs = cf_section_sub_find(cs, vp->name);
        if (subcs) {
                return apply_subsection(inst, request, subcs, vp->name);
        }

        /* Neither pair nor subsection: an unlisted attribute is permitted. */
        return RLM_MODULE_OK;
}

/*
 *      Authorize the user.
 *
 *      Expands the configured key to pick a section of the rules file,
 *      then checks every attribute of the request packet against it.
 *      The first attribute that is denied (or that hits a bad rule)
 *      decides the result; otherwise the request is accepted.
 */
static int filter_authorize(void *instance, REQUEST *request)
{
        rlm_protocol_filter_t *inst = instance;
        CONF_SECTION *cs;
        VALUE_PAIR *vp;
        char keybuf[1024];

        radius_xlat(keybuf, sizeof(keybuf), inst->key, request, NULL);
        if (!*keybuf) {
                DEBUG2("  rlm_protocol_filter: key is empty");
                return RLM_MODULE_NOOP;
        }
        DEBUG2("  rlm_protocol_filter: Using key %s", keybuf);

        cs = cf_section_sub_find(inst->cs, keybuf);
        if (!cs) {
                DEBUG2("  rlm_protocol_filter: No such key in %s", inst->filename);
                return RLM_MODULE_NOTFOUND;
        }

        for (vp = request->packet->vps; vp != NULL; vp = vp->next) {
                int rc = filter_one_attribute(inst, request, cs, vp);

                /* OK and NOOP both mean "nothing against this one". */
                if ((rc != RLM_MODULE_OK) && (rc != RLM_MODULE_NOOP)) {
                        return rc;
                }
        }

        return RLM_MODULE_OK;
}
272
273
274 /*
275  *      The module name should be the only globally exported symbol.
276  *      That is, everything else should be 'static'.
277  *
278  *      If the module needs to temporarily modify it's instantiation
279  *      data, the type should be changed to RLM_TYPE_THREAD_UNSAFE.
280  *      The server will then take care of ensuring that the module
281  *      is single-threaded.
282  */
module_t rlm_protocol_filter = {
        RLM_MODULE_INIT,
        "protocol_filter",
        RLM_TYPE_THREAD_SAFE,           /* type: instance data is read-only after instantiation */
        filter_instantiate,             /* instantiation */
        filter_detach,                  /* detach */
        {
                NULL,                   /* authentication */
                filter_authorize,       /* authorization: the only hook this module provides */
                NULL,                   /* preaccounting */
                NULL,                   /* accounting */
                NULL,                   /* checksimul */
                NULL,                   /* pre-proxy */
                NULL,                   /* post-proxy */
                NULL                    /* post-auth */
        },
};