From 8065feaff703741986e93e3033fed8e559dc9bb3 Mon Sep 17 00:00:00 2001
From: aland
Date: Thu, 5 Oct 2000 16:54:27 +0000
Subject: [PATCH] Patch from "Alan Curry"

Update the module return codes to have the following values:
Reject, Fail, OK, Handled, Invalid, Userlock, Notfound, No-op Updated
Previously, there were only the first 4.
This patch does *not* include the fail-over & 'modcall' code
---
 src/include/modules.h | 18 ++++++++++++-----
 src/include/radiusd.h | 3 +++
 src/main/acct.c | 16 ++++++++++-----
 src/main/auth.c | 28 +++++++++++++++++++--------
 src/modules/rlm_acct_unique/rlm_acct_unique.c | 2 +-
 src/modules/rlm_example/rlm_example.c | 2 +-
 src/modules/rlm_files/rlm_files.c | 6 +++---
 src/modules/rlm_ldap/rlm_ldap.c | 8 ++++----
 src/modules/rlm_pam/rlm_pam.c | 6 +++---
 src/modules/rlm_preprocess/rlm_preprocess.c | 14 ++++++++------
 src/modules/rlm_sql/rlm_sql.c | 4 ++--
 src/modules/rlm_unix/rlm_unix.c | 20 +++++++++----------
 12 files changed, 79 insertions(+), 48 deletions(-)

diff --git a/src/include/modules.h b/src/include/modules.h
index f36ca94..03a69f7 100644
--- a/src/include/modules.h
+++ b/src/include/modules.h
@@ -5,6 +5,8 @@
 *
 */
+#ifndef RADIUS_MODULES_H
+#define RADIUS_MODULES_H
 #include "conffile.h"
 /*
@@ -19,7 +21,6 @@ typedef int (*RLM_POST_AUTHENTICATE_FUNCP)(REQUEST *request);
 typedef int (*RLM_PRE_ACCOUNTING_FUNCP)(REQUEST *request);
 typedef int (*RLM_ACCOUNTING_FUNCP)(REQUEST *request);
-/* Shouldn't need these anymore */
 #define RLM_COMPONENT_AUTH 0
 #define RLM_COMPONENT_AUTZ 1
 #define RLM_COMPONENT_PREACCT 2
@@ -40,10 +41,16 @@ typedef struct module_t {
 } module_t;
 enum {
- RLM_MODULE_REJECT = -2, /* reject the request */
- RLM_MODULE_FAIL = -1, /* module failed, don't reply */
- RLM_MODULE_OK = 0, /* the module is OK, continue */
- RLM_MODULE_HANDLED = 1 /* the module handled the request, so stop. */
+ RLM_MODULE_REJECT, /* reject the request */
+ RLM_MODULE_FAIL, /* module failed, don't reply */
+ RLM_MODULE_OK, /* the module is OK, continue */
+ RLM_MODULE_HANDLED, /* the module handled the request, so stop. */
+ RLM_MODULE_INVALID, /* the module considers the request invalid. */
+ RLM_MODULE_USERLOCK, /* reject the request (user is locked out) */
+ RLM_MODULE_NOTFOUND, /* user not found */
+ RLM_MODULE_NOOP, /* module succeeded without doing anything */
+ RLM_MODULE_UPDATED, /* OK (pairs modified) */
+ RLM_MODULE_NUMCODES /* How many return codes there are */
 };
 int setup_modules(void);
@@ -52,3 +59,4 @@ int module_authenticate(int type, REQUEST *request);
 int module_preacct(REQUEST *request);
 int module_accounting(REQUEST *request);
+#endif /* RADIUS_MODULES_H */
diff --git a/src/include/radiusd.h b/src/include/radiusd.h
index 460aca6..9472e6f 100644
--- a/src/include/radiusd.h
+++ b/src/include/radiusd.h
@@ -6,6 +6,8 @@
 *
 */
+#ifndef RADIUSD_H
+#define RADIUSD_H
 #include "libradius.h"
 #include "radpaths.h"
 #include "conf.h"
@@ -243,3 +245,4 @@ int radius_xlat2(char * out, int outlen, char *str,
 extern int thread_pool_init(void);
 extern int thread_pool_clean(void);
 #endif
+#endif /*RADIUSD_H*/
diff --git a/src/main/acct.c b/src/main/acct.c
index 812e150..dcde959 100644
--- a/src/main/acct.c
+++ b/src/main/acct.c
@@ -17,6 +17,9 @@ static const char rcsid[] = "$Id$";
 /*
 * rad_accounting: call modules.
+ *
+ * The return value of this function isn't actually used right now, so
+ * it's not entirely clear if it is returning the right things. --Pac.
 */
 int rad_accounting(REQUEST *request)
 {
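Review bot: Dropping the explicit values makes `RLM_MODULE_REJECT` equal to 0 and `RLM_MODULE_FAIL` equal to 1, so any caller or module that still relies on the old sign convention changes meaning silently: a bare `return 0;` now means reject, and a failure test written as `if (rc < 0)` or `if (!rc)` can no longer fire, which would turn a reject or fail into success. The patch fixes several `return 0;` sites in auth.c but, as the description says, leaves the modcall code out, so the remaining callers should be audited for sign and zero tests before this merges. I would state the contract above the enum, e.g. `/* Return codes are an unordered set: compare with ==, never with < 0, == 0 or !rc. */`. `RLM_MODULE_NUMCODES` is a good anchor for a per-code name or policy table.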
@@ -35,13 +38,15 @@ int rad_accounting(REQUEST *request)
 if(!request->proxy) { /* Only need to do this once, before proxying */
 reply = module_preacct(request);
- if (reply != RLM_MODULE_OK)
- return RLM_MODULE_FAIL;
+ if (reply != RLM_MODULE_NOOP &&
+ reply != RLM_MODULE_OK &&
+ reply != RLM_MODULE_UPDATED)
+ return reply;
 /* Maybe one of the preacct modules has decided that a proxy should
 * be used. If so, get out of here and send the packet. */
 if(pairfind(request->config_items, PW_PROXY_TO_REALM))
- return 0;
+ return reply;
 }
 reply = RLM_MODULE_OK;
@@ -56,12 +61,13 @@ int rad_accounting(REQUEST *request)
 */
 reply = module_accounting(request);
 }
- if (reply == RLM_MODULE_OK) {
+ if (reply == RLM_MODULE_NOOP ||
+ reply == RLM_MODULE_OK ||
+ reply == RLM_MODULE_UPDATED) {
 /*
 * Now send back an ACK to the NAS.
 */
 request->reply->code = PW_ACCOUNTING_RESPONSE;
- reply = RLM_MODULE_OK;
 }
 return reply;
diff --git a/src/main/auth.c b/src/main/auth.c
index 8314541..fb70fa6 100644
--- a/src/main/auth.c
+++ b/src/main/auth.c
@@ -237,11 +237,17 @@ static int rad_check_password(REQUEST *request)
 switch (result) {
 /*
 * An authentication module FAIL
- * return code is the same as
- * an explicit REJECT!
+ * return code, or any return code that
+ * is not expected from authentication,
+ * is the same as an explicit REJECT!
 */
 case RLM_MODULE_FAIL:
 case RLM_MODULE_REJECT:
+ case RLM_MODULE_USERLOCK:
+ case RLM_MODULE_INVALID:
+ case RLM_MODULE_NOTFOUND:
+ case RLM_MODULE_NOOP:
+ case RLM_MODULE_UPDATED:
 result = -1;
 break;
 case RLM_MODULE_OK:
@@ -259,6 +265,9 @@ static int rad_check_password(REQUEST *request)
 /*
 * Process and reply to an authentication request
+ *
+ * The return value of this function isn't actually used right now, so
+ * it's not entirely clear if it is returning the right things. --Pac.
 */
 int rad_authenticate(REQUEST *request)
 {
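Review bot: The three-way test `reply != RLM_MODULE_NOOP && reply != RLM_MODULE_OK && reply != RLM_MODULE_UPDATED` in the preacct branch is repeated in inverted form in the next hunk of rad_accounting and again, with NOTFOUND added, in auth.c at `@@ -371`; as codes are added to the enum the copies will drift. A small helper such as `static int rlm_rc_is_success(int rc) { return rc == RLM_MODULE_NOOP || rc == RLM_MODULE_OK || rc == RLM_MODULE_UPDATED; }` near the top of acct.c would keep the "which codes count as success" policy in one place, and the auth.c variant could be expressed as that helper plus an explicit NOTFOUND check. rad_accounting's body continues outside the hunk.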
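Review bot: The new `case` labels in rad_check_password enumerate every code that is not OK so that it maps to `result = -1`, but the tail of the switch is outside the hunk and I cannot see whether it has a `default:`; without one, a code added to the enum later would leave `result` untouched instead of rejecting, which is the opposite of what the rewritten comment promises. A `default: result = -1; break;` keeps the fail-closed mapping independent of future additions, and the explicit list then serves as documentation rather than as the only guard. The enclosing function starts and ends outside the hunk.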
@@ -371,7 +380,10 @@ int rad_authenticate(REQUEST *request)
 * Get the user's authorization information from the database
 */
 r = module_authorize(request);
- if (r != RLM_MODULE_OK) {
+ if (r != RLM_MODULE_NOTFOUND &&
+ r != RLM_MODULE_NOOP &&
+ r != RLM_MODULE_OK &&
+ r != RLM_MODULE_UPDATED) {
 if (r != RLM_MODULE_FAIL && r != RLM_MODULE_HANDLED) {
 radlog(L_AUTH, "Invalid user: [%s%s%s] (%s)",
 auth_username(namepair),
@@ -393,7 +405,7 @@ int rad_authenticate(REQUEST *request)
 */
 if ((request->proxy == NULL) &&
 (pairfind(request->config_items, PW_PROXY_TO_REALM) != NULL)) {
- return 0;
+ return RLM_MODULE_OK;
 }
 /*
@@ -410,7 +422,7 @@ int rad_authenticate(REQUEST *request)
 result = rad_check_password(request);
 if (result > 0) {
 /* don't reply! */
- return -1;
+ return RLM_MODULE_HANDLED;
 }
 } while(0);
@@ -555,7 +567,7 @@ int rad_authenticate(REQUEST *request)
 * Result should be >= 0 here - if not, we return.
 */
 if (result < 0) {
- return 0;
+ return RLM_MODULE_OK;
 }
 /*
@@ -629,7 +641,7 @@ int rad_authenticate(REQUEST *request)
 auth_username(namepair),
 auth_name(buf, sizeof(buf), request, 1));
 }
- return 0;
+ return RLM_MODULE_OK;
 }
 }
@@ -692,6 +704,6 @@ int rad_authenticate(REQUEST *request)
 }
 if (exec_program) free(exec_program);
- return 0;
+ return RLM_MODULE_OK;
 }
diff --git a/src/modules/rlm_acct_unique/rlm_acct_unique.c b/src/modules/rlm_acct_unique/rlm_acct_unique.c
index f8962d6..7e6a647 100644
--- a/src/modules/rlm_acct_unique/rlm_acct_unique.c
+++ b/src/modules/rlm_acct_unique/rlm_acct_unique.c
@@ -111,7 +111,7 @@ static int unique_accounting(void *instance, REQUEST *request)
 /* add the (hopefully) unique session ID to the packet */
 pairadd(&request->packet->vps, vp);
- return RLM_MODULE_OK;
+ return RLM_MODULE_UPDATED;
 }
 /* FIXME: unique_accounting should probably be called from preacct */
diff --git a/src/modules/rlm_example/rlm_example.c b/src/modules/rlm_example/rlm_example.c
index e29ac45..339037d 100644
--- a/src/modules/rlm_example/rlm_example.c
+++ b/src/modules/rlm_example/rlm_example.c
@@ -118,7 +118,7 @@ static int radius_authorize(void *instance, REQUEST *request)
 instance = instance;
 request = request;
- return RLM_MODULE_OK;
+ return RLM_MODULE_HANDLED;
 }
 /*
diff --git a/src/modules/rlm_files/rlm_files.c b/src/modules/rlm_files/rlm_files.c
index d182452..37178f9 100644
--- a/src/modules/rlm_files/rlm_files.c
+++ b/src/modules/rlm_files/rlm_files.c
@@ -667,7 +667,7 @@ static int file_authorize(void *instance, REQUEST *request)
 * then exit from the module.
 */
 if (!found)
- return RLM_MODULE_OK;
+ return RLM_MODULE_NOTFOUND;
 /*
 * Add the port number to the Framed-IP-Address if
@@ -875,7 +875,7 @@ static int file_preacct(void *instance, REQUEST *request)
 * See if we succeeded.
 */
 if (!found)
- return RLM_MODULE_OK; /* on to the next module */
+ return RLM_MODULE_NOOP; /* on to the next module */
 /*
 * FIXME: log a warning if there are any reply items other than
@@ -910,7 +910,7 @@ static int file_accounting(void *instance, REQUEST *request)
 */
 if (stat(radacct_dir, &st) < 0) {
 DEBUG("No accounting directory %s", radacct_dir);
- return RLM_MODULE_OK;
+ return RLM_MODULE_NOOP;
 }
 curtime = time(0);
diff --git a/src/modules/rlm_ldap/rlm_ldap.c b/src/modules/rlm_ldap/rlm_ldap.c
index 83f3c26..f18f156 100644
--- a/src/modules/rlm_ldap/rlm_ldap.c
+++ b/src/modules/rlm_ldap/rlm_ldap.c
@@ -334,7 +334,7 @@ static int perform_search(char *ldap_basedn, char *filter, char **attrs, LDAPMes
 if ((ldap_count_entries(ld, *result)) != 1) {
 DEBUG("rlm_ldap: thread #%p user object not found or got ambiguous search result", pthread_self());
 ldap_msgfree(*result);
- res = RLM_MODULE_REJECT;
+ res = RLM_MODULE_NOTFOUND;
 }
 DEBUG2("rlm_ldap: thread #%p locking connection flag ...", pthread_self());
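Review bot: radius_authorize in rlm_example changes nothing (the two self-assignments only silence unused-parameter warnings) yet now returns `RLM_MODULE_HANDLED`, which the new enum defines as "the module handled the request, so stop"; a server that loads the example module as a starting point will end authorization at it. Unless the intent is to demonstrate HANDLED, `return RLM_MODULE_NOOP;` is the code the enum provides for "succeeded without doing anything". If HANDLED is deliberate, a one-line comment saying why would stop the next reader from copying it into a real module.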
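Review bot: In file_accounting a failed `stat(radacct_dir, &st)` now yields `RLM_MODULE_NOOP`, which the acct.c hunk treats as success and answers with Accounting-Response, so a missing or unreadable accounting directory is acknowledged to the NAS while nothing is recorded and the only trace is a DEBUG line. If this module is expected to keep the record, that is a configuration error rather than "nothing to do": `radlog(L_ERR, "No accounting directory %s", radacct_dir); return RLM_MODULE_FAIL;` would make the loss visible; if another module is meant to cover it, keeping NOOP but logging above DEBUG would at least leave an audit trail. file_accounting continues outside the hunk.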
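Review bot: perform_search reports `RLM_MODULE_NOTFOUND` whenever `ldap_count_entries` is not exactly 1, so a search that matched several objects (a duplicate entry or an over-broad filter, i.e. a directory misconfiguration) is indistinguishable from an unknown user and is only visible at DEBUG level. Separating the two cases keeps the new code honest: `res = (ldap_count_entries(ld, *result) == 0) ? RLM_MODULE_NOTFOUND : RLM_MODULE_FAIL;`, evaluated before `ldap_msgfree(*result)` releases the result, with the ambiguous case logged at L_ERR. The function body continues outside the hunk.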
@@ -387,7 +387,7 @@ static int rlm_ldap_authorize(void *instance, REQUEST *request)
 */
 if (name[0] == 0) {
 radlog(L_ERR, "rlm_ldap: zero length username not permitted\n");
- return RLM_MODULE_FAIL;
+ return RLM_MODULE_INVALID;
 }
 /* Unfortunately LDAP queries are case insensitive, so in order to provide
@@ -533,7 +533,7 @@ static int rlm_ldap_authenticate(void *instance, REQUEST *request);
 */
 if(request->password->attribute != PW_PASSWORD) {
 radlog(L_AUTH, "rlm_ldap: Attribute \"Password\" is required for authentication. Cannot use \"%s\".", request->password->name);
- return RLM_MODULE_REJECT;
+ return RLM_MODULE_INVALID;
 }
 name = request->username->strvalue;
@@ -541,7 +541,7 @@ static int rlm_ldap_authenticate(void *instance, REQUEST *request);
 if(strlen(passwd) == 0) {
 radlog(L_ERR, "rlm_ldap: empty password supplied");
- return RLM_MODULE_REJECT;
+ return RLM_MODULE_INVALID;
 }
 DEBUG("rlm_ldap: thread #%p login attempt by \"%s\" with password \"%s\"", pthread_self(), name, passwd);
diff --git a/src/modules/rlm_pam/rlm_pam.c b/src/modules/rlm_pam/rlm_pam.c
index 061dd8e..8df7180 100644
--- a/src/modules/rlm_pam/rlm_pam.c
+++ b/src/modules/rlm_pam/rlm_pam.c
@@ -179,7 +179,7 @@ static int pam_auth(void *instance, REQUEST *request)
 */
 if (!request->username) {
 radlog(L_AUTH, "rlm_pam: Attribute \"User-Name\" is required for authentication.");
- return RLM_MODULE_REJECT;
+ return RLM_MODULE_INVALID;
 }
 /*
@@ -188,7 +188,7 @@ static int pam_auth(void *instance, REQUEST *request)
 */
 if (!request->password) {
 radlog(L_AUTH, "rlm_pam: Attribute \"Password\" is required for authentication.");
- return RLM_MODULE_REJECT;
+ return RLM_MODULE_INVALID;
 }
 /*
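Review bot: The DEBUG line that directly follows the new `return RLM_MODULE_INVALID;` in rlm_ldap_authenticate prints the supplied password in clear text (`login attempt by \"%s\" with password \"%s\"`), so any debug log or debug-level syslog collector ends up holding user credentials; it is context rather than part of this change, but it is the code under review. I would drop the password argument from that message, e.g. `DEBUG("rlm_ldap: thread #%p login attempt by \"%s\"", pthread_self(), name);`, which loses nothing needed to trace a failed bind. The function continues outside the hunk.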
@@ -197,7 +197,7 @@ static int pam_auth(void *instance, REQUEST *request)
 */
 if (request->password->attribute != PW_PASSWORD) {
 radlog(L_AUTH, "rlm_pam: Attribute \"Password\" is required for authentication. Cannot use \"%s\".", request->password->name);
- return RLM_MODULE_REJECT;
+ return RLM_MODULE_INVALID;
 }
 pair = pairfind(request->config_items, PAM_AUTH_ATTR);
diff --git a/src/modules/rlm_preprocess/rlm_preprocess.c b/src/modules/rlm_preprocess/rlm_preprocess.c
index 1f8be4b..4f01dde 100644
--- a/src/modules/rlm_preprocess/rlm_preprocess.c
+++ b/src/modules/rlm_preprocess/rlm_preprocess.c
@@ -287,7 +287,7 @@ static int hints_setup(REQUEST *request)
 request_pairs = request->packet->vps;
 if (hints == NULL || request_pairs == NULL)
- return RLM_MODULE_OK;
+ return RLM_MODULE_NOOP;
 /*
 * Check for valid input, zero length names not permitted
@@ -301,7 +301,7 @@ static int hints_setup(REQUEST *request)
 /*
 * No name, nothing to do.
 */
- return RLM_MODULE_OK;
+ return RLM_MODULE_NOOP;
 for (i = hints; i; i = i->next) {
 if (matches(name, i, newname)) {
@@ -311,7 +311,7 @@ static int hints_setup(REQUEST *request)
 }
 }
- if (i == NULL) return RLM_MODULE_OK;
+ if (i == NULL) return RLM_MODULE_NOOP;
 add = paircopy(i->reply);
@@ -360,7 +360,7 @@ static int hints_setup(REQUEST *request)
 ;
 if (last) last->next = add;
- return RLM_MODULE_OK;
+ return RLM_MODULE_UPDATED;
 }
 /*
@@ -554,20 +554,22 @@ static int preprocess_authorize(void *instance, REQUEST *request)
 */
 static int preprocess_preaccounting(void *instance, REQUEST *request)
 {
+ int r;
+
 instance = instance;
 /*
 * Ensure that we have the SAME user name for both
 * authentication && accounting.
 */
 rad_mangle(request);
- hints_setup(request);
+ r = hints_setup(request);
 /*
 * Ensure that we log the NAS IP Address in the packet.
 */
 add_nas_attr(request);
- return RLM_MODULE_OK;
+ return r;
 }
 /*
diff --git a/src/modules/rlm_sql/rlm_sql.c b/src/modules/rlm_sql/rlm_sql.c
index 88a122a..3a2e610 100644
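Review bot: preprocess_preaccounting now returns whatever hints_setup returned, but `rad_mangle(request)` and `add_nas_attr(request)` run in the same function and, going by their names and the comments beside them, modify the request, so the module can report `RLM_MODULE_NOOP` after having changed pairs; their bodies are outside the hunk, so I cannot confirm what they add. Nothing breaks today because the acct.c hunk treats NOOP, OK and UPDATED alike, but the code returned should describe the whole function: if add_nas_attr always adds the NAS address, `return (r == RLM_MODULE_NOOP) ? RLM_MODULE_UPDATED : r;` is accurate, otherwise a comment explaining that only hints_setup's verdict is reported would do.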
--- a/src/modules/rlm_sql/rlm_sql.c
+++ b/src/modules/rlm_sql/rlm_sql.c
@@ -172,7 +172,7 @@ static int rlm_sql_authorize(REQUEST *request)
 if (!found) {
 DEBUG2("User %s not found and DEFAULT not found", name);
- return RLM_MODULE_OK;
+ return RLM_MODULE_NOTFOUND;
 }
 if (paircmp(request->packet->vps, check_tmp, &reply_tmp) != 0) {
@@ -226,7 +226,7 @@ static int rlm_sql_authenticate(REQUEST *request)
 (request->password->length == 0) ||
 (request->password->attribute != PW_PASSWORD)) {
 radlog(L_AUTH, "rlm_sql: Attribute \"Password\" is required for authentication.");
- return RLM_MODULE_REJECT;
+ return RLM_MODULE_INVALID;
 }
 sql_escape_string(escaped_user, user, strlen(user));
diff --git a/src/modules/rlm_unix/rlm_unix.c b/src/modules/rlm_unix/rlm_unix.c
index 5d35ecb..f018920 100644
--- a/src/modules/rlm_unix/rlm_unix.c
+++ b/src/modules/rlm_unix/rlm_unix.c
@@ -195,7 +195,7 @@ static int unix_authenticate(void *instance, REQUEST *request)
 */
 if (!request->username) {
 radlog(L_AUTH, "rlm_unix: Attribute \"User-Name\" is required for authentication.");
- return RLM_MODULE_REJECT;
+ return RLM_MODULE_INVALID;
 }
 /*
@@ -204,7 +204,7 @@ static int unix_authenticate(void *instance, REQUEST *request)
 */
 if (!request->password) {
 radlog(L_AUTH, "rlm_unix: Attribute \"Password\" is required for authentication.");
- return RLM_MODULE_REJECT;
+ return RLM_MODULE_INVALID;
 }
 /*
@@ -213,7 +213,7 @@ static int unix_authenticate(void *instance, REQUEST *request)
 */
 if (request->password->attribute != PW_PASSWORD) {
 radlog(L_AUTH, "rlm_unix: Attribute \"Password\" is required for authentication. Cannot use \"%s\".", request->password->name);
- return RLM_MODULE_REJECT;
+ return RLM_MODULE_INVALID;
 }
 name = (char *)request->username->strvalue;
@@ -224,14 +224,14 @@ static int unix_authenticate(void *instance, REQUEST *request)
 #ifdef OSFC2
 if ((pr_pw = getprpwnam(name)) == NULL)
- return RLM_MODULE_REJECT;
+ return RLM_MODULE_NOTFOUND;
 encrypted_pass = pr_pw->ufld.fd_encrypt;
 #else /* OSFC2 */
 /*
 * Get encrypted password from password file
 */
 if ((pwd = getpwnam(name)) == NULL) {
- return RLM_MODULE_REJECT;
+ return RLM_MODULE_NOTFOUND;
 }
 encrypted_pass = pwd->pw_passwd;
 #endif /* OSFC2 */
@@ -302,7 +302,7 @@ static int unix_authenticate(void *instance, REQUEST *request)
 */
 if (pr_pw->uflg.fg_lock!=1) {
 radlog(L_AUTH, "rlm_unix: [%s]: account locked", name);
- return RLM_MODULE_REJECT;
+ return RLM_MODULE_USERLOCK;
 }
 #endif /* OSFC2 */
@@ -379,7 +379,7 @@ static int unix_accounting(void *instance, REQUEST *request)
 */
 if ((vp = pairfind(request->packet->vps, PW_ACCT_STATUS_TYPE))==NULL) {
 radlog(L_ERR, "Accounting: no Accounting-Status-Type record.");
- return RLM_MODULE_OK;
+ return RLM_MODULE_NOOP;
 }
 status = vp->lvalue;
@@ -388,14 +388,14 @@ static int unix_accounting(void *instance, REQUEST *request)
 */
 if (status != PW_STATUS_START && status != PW_STATUS_STOP)
- return RLM_MODULE_OK;
+ return RLM_MODULE_NOOP;
 /*
 * We're only interested in accounting messages
 * with a username in it.
 */
 if ((vp = pairfind(request->packet->vps, PW_USER_NAME)) == NULL)
- return RLM_MODULE_OK;
+ return RLM_MODULE_NOOP;
 time(&t);
 memset(&ut, 0, sizeof(ut));
@@ -436,7 +436,7 @@ static int unix_accounting(void *instance, REQUEST *request)
 * where we didn't see a PW_NAS_PORT_ID.
 */
 if (strncmp(ut.ut_name, "!root", sizeof(ut.ut_name)) == 0 || !port_seen)
- return RLM_MODULE_OK;
+ return RLM_MODULE_NOOP;
 /*
 * If we didn't find out the NAS address, use the
-- 
2.1.4
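Review bot: In unix_accounting the missing Accounting-Status-Type case now logs at `L_ERR` but returns `RLM_MODULE_NOOP`, which the acct.c hunk counts as success and acknowledges, so the same packet is an error in the log and "nothing to do" on the wire; the two should agree. If a request without Accounting-Status-Type is malformed, `return RLM_MODULE_INVALID;` names that and, judging by the acct.c hunk, rad_accounting would then not set the Accounting-Response code; if it is merely not this module's concern, the log line belongs at DEBUG like the other `RLM_MODULE_NOOP` exits in the hunks below. unix_accounting continues outside the hunk.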