easier to figure out what's going on with the many return codes.
*/
int rad_accounting(REQUEST *request)
{
- int reply = RLM_MODULE_OK;
+ int result = RLM_MODULE_OK;
/*
* Run the modules only once, before proxying.
VALUE_PAIR *vp;
int acct_type = 0;
- reply = module_preacct(request);
- if (reply != RLM_MODULE_NOOP &&
- reply != RLM_MODULE_OK &&
- reply != RLM_MODULE_HANDLED &&
- reply != RLM_MODULE_UPDATED)
- return reply;
+ result = module_preacct(request);
+ switch (result) {
+ /*
+ * The module has a number of OK return codes.
+ */
+ case RLM_MODULE_NOOP:
+ case RLM_MODULE_OK:
+ case RLM_MODULE_UPDATED:
+ break;
+ /*
+ * The module handled the request, stop here.
+ */
+ case RLM_MODULE_HANDLED:
+ return result;
+ /*
+ * The module failed, or said the request is
+ * invalid, therefore we stop here.
+ */
+ case RLM_MODULE_FAIL:
+ case RLM_MODULE_INVALID:
+ case RLM_MODULE_NOTFOUND:
+ case RLM_MODULE_REJECT:
+ case RLM_MODULE_USERLOCK:
+ default:
+ return result;
+ }
/*
* Do the data storage before proxying. This is to ensure
* that we log the packet, even if the proxy never does.
- *
- * In case the accounting module returns FAIL, it's still
- * useful to send the data to the proxy.
*/
vp = pairfind(request->config_items, PW_ACCT_TYPE);
if (vp) {
DEBUG2(" Found Acct-Type %s", vp->vp_strvalue);
acct_type = vp->lvalue;
}
- reply = module_accounting(acct_type, request);
- if (reply != RLM_MODULE_NOOP &&
- reply != RLM_MODULE_OK &&
- reply != RLM_MODULE_HANDLED &&
- reply != RLM_MODULE_UPDATED &&
- reply != RLM_MODULE_FAIL)
- return reply;
+ result = module_accounting(acct_type, request);
+ switch (result) {
+ /*
+ * In case the accounting module returns FAIL,
+ * it's still useful to send the data to the
+ * proxy.
+ */
+ case RLM_MODULE_FAIL:
+ case RLM_MODULE_NOOP:
+ case RLM_MODULE_OK:
+ case RLM_MODULE_UPDATED:
+ break;
+ /*
+ * The module handled the request, don't reply.
+ */
+ case RLM_MODULE_HANDLED:
+ return result;
+ /*
+ * Neither proxy, nor reply to invalid requests.
+ */
+ case RLM_MODULE_INVALID:
+ case RLM_MODULE_NOTFOUND:
+ case RLM_MODULE_REJECT:
+ case RLM_MODULE_USERLOCK:
+ default:
+ return result;
+ }
/*
* Maybe one of the preacct modules has decided
* we have to send the proxied packet
* before that.
*/
- return reply;
+ return result;
}
}
}
* storage did not succeed, so radiusd should not send
* Accounting-Response.
*/
- if (reply == RLM_MODULE_OK ||
- reply == RLM_MODULE_HANDLED ||
- reply == RLM_MODULE_UPDATED) {
-
+ switch (result) {
/*
- * Now send back an ACK to the NAS.
+ * Send back an ACK to the NAS.
*/
- request->reply->code = PW_ACCOUNTING_RESPONSE;
+ case RLM_MODULE_OK:
+ case RLM_MODULE_UPDATED:
+ request->reply->code = PW_ACCOUNTING_RESPONSE;
+ break;
+ /*
+ * The module handled the request, don't reply.
+ */
+ case RLM_MODULE_HANDLED:
+ break;
+ /*
+ * Failed to log or to proxy the accounting data,
+ * therefore don't reply to the NAS.
+ */
+ case RLM_MODULE_FAIL:
+ case RLM_MODULE_INVALID:
+ case RLM_MODULE_NOOP:
+ case RLM_MODULE_NOTFOUND:
+ case RLM_MODULE_REJECT:
+ case RLM_MODULE_USERLOCK:
+ default:
+ break;
}
-
- return reply;
+ return result;
}
* is the same as an explicit REJECT!
*/
case RLM_MODULE_FAIL:
- case RLM_MODULE_REJECT:
- case RLM_MODULE_USERLOCK:
case RLM_MODULE_INVALID:
- case RLM_MODULE_NOTFOUND:
case RLM_MODULE_NOOP:
+ case RLM_MODULE_NOTFOUND:
+ case RLM_MODULE_REJECT:
case RLM_MODULE_UPDATED:
+ case RLM_MODULE_USERLOCK:
+ default:
result = -1;
break;
case RLM_MODULE_OK:
}
result = module_post_auth(postauth_type, request);
switch (result) {
- default:
- break;
-
- /*
- * The module failed, or said to reject the user: Do so.
- */
- case RLM_MODULE_FAIL:
- case RLM_MODULE_REJECT:
- case RLM_MODULE_USERLOCK:
- case RLM_MODULE_INVALID:
- request->reply->code = PW_AUTHENTICATION_REJECT;
- result = RLM_MODULE_REJECT;
- break;
-
- /*
- * The module had a number of OK return codes.
- */
- case RLM_MODULE_NOTFOUND:
- case RLM_MODULE_NOOP:
- case RLM_MODULE_UPDATED:
- case RLM_MODULE_OK:
- case RLM_MODULE_HANDLED:
- result = RLM_MODULE_OK;
- break;
+ /*
+ * The module failed, or said to reject the user: Do so.
+ */
+ case RLM_MODULE_FAIL:
+ case RLM_MODULE_INVALID:
+ case RLM_MODULE_REJECT:
+ case RLM_MODULE_USERLOCK:
+ default:
+ request->reply->code = PW_AUTHENTICATION_REJECT;
+ result = RLM_MODULE_REJECT;
+ break;
+ /*
+ * The module handled the request, cancel the reply.
+ */
+ case RLM_MODULE_HANDLED:
+ /* FIXME */
+ break;
+ /*
+ * The module had a number of OK return codes.
+ */
+ case RLM_MODULE_NOOP:
+ case RLM_MODULE_NOTFOUND:
+ case RLM_MODULE_OK:
+ case RLM_MODULE_UPDATED:
+ result = RLM_MODULE_OK;
+ break;
}
return result;
}
VALUE_PAIR *auth_item;
VALUE_PAIR *module_msg;
VALUE_PAIR *tmp = NULL;
- int result, r;
+ int result;
char umsg[MAX_STRING_LEN + 1];
const char *user_msg = NULL;
const char *password;
*/
case PW_ACCESS_CHALLENGE:
request->reply->code = PW_ACCESS_CHALLENGE;
- return RLM_MODULE_HANDLED;
+ return RLM_MODULE_OK;
/*
* ALL other replies mean reject. (this is fail-safe)
*
* Get the user's authorization information from the database
*/
autz_redo:
- r = module_authorize(autz_type, request);
- if (r != RLM_MODULE_NOTFOUND &&
- r != RLM_MODULE_NOOP &&
- r != RLM_MODULE_OK &&
- r != RLM_MODULE_UPDATED) {
- if (r != RLM_MODULE_FAIL && r != RLM_MODULE_HANDLED) {
+ result = module_authorize(autz_type, request);
+ switch (result) {
+ case RLM_MODULE_NOOP:
+ case RLM_MODULE_NOTFOUND:
+ case RLM_MODULE_OK:
+ case RLM_MODULE_UPDATED:
+ break;
+ case RLM_MODULE_FAIL:
+ case RLM_MODULE_HANDLED:
+ return result;
+ case RLM_MODULE_INVALID:
+ case RLM_MODULE_REJECT:
+ case RLM_MODULE_USERLOCK:
+ default:
if ((module_msg = pairfind(request->packet->vps,
- PW_MODULE_FAILURE_MESSAGE)) != NULL){
- char msg[MAX_STRING_LEN+16];
+ PW_MODULE_FAILURE_MESSAGE)) != NULL) {
+ char msg[MAX_STRING_LEN + 16];
snprintf(msg, sizeof(msg), "Invalid user (%s)",
module_msg->vp_strvalue);
rad_authlog(msg,request,0);
rad_authlog("Invalid user", request, 0);
}
request->reply->code = PW_AUTHENTICATION_REJECT;
- }
- return r;
+ return result;
}
if (!autz_retry) {
tmp = pairfind(request->config_items, PW_AUTZ_TYPE);
if (result >= 0 &&
(check_item = pairfind(request->config_items, PW_SIMULTANEOUS_USE)) != NULL) {
- int session_type = 0;
+ int r, session_type = 0;
tmp = pairfind(request->config_items, PW_SESSION_TYPE);
if (tmp) {
/*
* We received a response from a remote radius server.
- * Find the original request, then return.
- * Returns: 1 replication don't reply
- * 0 proxy found
- * -1 error don't reply
+ * Call the post-proxy modules.
*/
int proxy_receive(REQUEST *request)
{
radlog(L_ERR|L_CONS, "no memory");
exit(1);
}
- sprintf((char *)proxy_pair->vp_strvalue, "%d", request->packet->id);
- proxy_pair->length = strlen((char *)proxy_pair->vp_strvalue);
+ sprintf(proxy_pair->vp_strvalue, "%d", request->packet->id);
+ proxy_pair->length = strlen(proxy_pair->vp_strvalue);
pairadd(&request->proxy->vps, proxy_pair);
}
pairadd(&request->packet->vps,
pairmake("Realm", realm->realm, T_OP_EQ));
-
/*
* Access-Request: look for LOCAL realm.
* Accounting-Request: look for LOCAL realm.
return RLM_MODULE_NOOP;
}
-
-
/*
* Allocate the proxy packet, only if it wasn't already
* allocated by a module. This check is mainly to support
request->proxy_start_time = request->timestamp;
/*
- * Do pre-proxying
+ * Do pre-proxying.
*/
vp = pairfind(request->config_items, PW_PRE_PROXY_TYPE);
if (vp) {
pre_proxy_type = vp->lvalue;
}
rcode = module_pre_proxy(pre_proxy_type, request);
-
+ switch (rcode) {
/*
- * Do NOT free request->proxy->vps, the pairs are needed
- * for the retries! --Pac.
- */
-
- /*
- * Delay sending the proxy packet until after we've
- * done the work above, playing with the request.
- *
- * After this point, it becomes dangerous to play
- * with the request data structure, as the reply MAY
- * come in and get processed before we're done with it here.
- *
* Only proxy the packet if the pre-proxy code succeeded.
*/
- if ((rcode == RLM_MODULE_OK) ||
- (rcode == RLM_MODULE_NOOP) ||
- (rcode == RLM_MODULE_UPDATED)) {
+ case RLM_MODULE_NOOP:
+ case RLM_MODULE_OK:
+ case RLM_MODULE_UPDATED:
+ /*
+ * Delay sending the proxy packet until after we've
+ * done the work above, playing with the request.
+ *
+ * After this point, it becomes dangerous to play with
+ * the request data structure, as the reply MAY come in
+ * and get processed before we're done with it here.
+ */
request->options |= RAD_REQUEST_OPTION_PROXIED;
/*
- * IF it's a fake request, don't send the proxy
+ * If it's a fake request, don't send the proxy
* packet. The outer tunnel session will take
* care of doing that.
*/
request);
}
rcode = RLM_MODULE_HANDLED; /* caller doesn't reply */
- } else {
+ break;
+ /*
+ * The module handled the request, don't reply.
+ */
+ case RLM_MODULE_HANDLED:
+ break;
+ /*
+ * Neither proxy, nor reply to invalid requests.
+ */
+ case RLM_MODULE_FAIL:
+ case RLM_MODULE_INVALID:
+ case RLM_MODULE_NOTFOUND:
+ case RLM_MODULE_REJECT:
+ case RLM_MODULE_USERLOCK:
+ default:
rcode = RLM_MODULE_FAIL; /* caller doesn't reply */
+ break;
}
+ /*
+ * Do NOT free request->proxy->vps, the pairs are needed
+ * for the retries!
+ */
return rcode;
}