2 * modules.c Radius module support.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2003,2006 The FreeRADIUS server project
21 * Copyright 2000 Alan DeKok <aland@ox.org>
22 * Copyright 2000 Alan Curry <pacman@world.std.com>
25 #include <freeradius-devel/ident.h>
28 #include <freeradius-devel/radiusd.h>
29 #include <freeradius-devel/modpriv.h>
30 #include <freeradius-devel/modcall.h>
31 #include <freeradius-devel/rad_assert.h>
33 typedef struct indexed_modcallable {
37 modcallable *modulelist;
38 } indexed_modcallable;
41 * For each component, keep an ordered list of ones to call.
43 static rbtree_t *components;
45 static rbtree_t *module_tree = NULL;
47 typedef struct section_type_value_t {
51 } section_type_value_t;
55 * Ordered by component
57 static const section_type_value_t section_type_value[RLM_COMPONENT_COUNT] = {
58 { "authenticate", "Auth-Type", PW_AUTH_TYPE },
59 { "authorize", "Autz-Type", PW_AUTZ_TYPE },
60 { "preacct", "Pre-Acct-Type", PW_PRE_ACCT_TYPE },
61 { "accounting", "Acct-Type", PW_ACCT_TYPE },
62 { "session", "Session-Type", PW_SESSION_TYPE },
63 { "pre-proxy", "Pre-Proxy-Type", PW_PRE_PROXY_TYPE },
64 { "post-proxy", "Post-Proxy-Type", PW_POST_PROXY_TYPE },
65 { "post-auth", "Post-Auth-Type", PW_POST_AUTH_TYPE },
68 static void indexed_modcallable_free(void *data)
70 indexed_modcallable *c = data;
72 modcallable_free(&c->modulelist);
76 static int indexed_modcallable_cmp(const void *one, const void *two)
79 const indexed_modcallable *a = one;
80 const indexed_modcallable *b = two;
82 if (a->server && !b->server) return -1;
83 if (!a->server && b->server) return +1;
84 if (a->server && b->server) {
85 rcode = strcmp(a->server, b->server);
86 if (rcode != 0) return rcode;
89 if (a->comp < b->comp) return -1;
90 if (a->comp > b->comp) return +1;
92 return a->idx - b->idx;
97 * Free a module instance.
99 static void module_instance_free(void *data)
101 module_instance_t *this = data;
103 if (this->entry->module->detach)
104 (this->entry->module->detach)(this->insthandle);
105 #ifdef HAVE_PTHREAD_H
109 * The mutex MIGHT be locked...
110 * we'll check for that later, I guess.
112 pthread_mutex_destroy(this->mutex);
121 * Compare two module entries
123 static int module_entry_cmp(const void *one, const void *two)
125 const module_entry_t *a = one;
126 const module_entry_t *b = two;
128 return strcmp(a->name, b->name);
132 * Free a module entry.
134 static void module_entry_free(void *data)
136 module_entry_t *this = data;
138 lt_dlclose(this->handle); /* ignore any errors */
144 * Remove the module lists.
146 int detach_modules(void)
148 rbtree_free(components);
149 rbtree_free(module_tree);
156 * Find a module on disk or in memory, and link to it.
158 static module_entry_t *linkto_module(const char *module_name,
161 module_entry_t myentry;
162 module_entry_t *node;
164 char module_struct[256];
168 strlcpy(myentry.name, module_name, sizeof(myentry.name));
169 node = rbtree_finddata(module_tree, &myentry);
170 if (node) return node;
173 * Keep the handle around so we can dlclose() it.
175 handle = lt_dlopenext(module_name);
176 if (handle == NULL) {
177 cf_log_err(cf_sectiontoitem(cs),
178 "Failed to link to module '%s': %s\n",
179 module_name, lt_dlerror());
184 * Link to the module's rlm_FOO{} module structure.
186 * The module_name variable has the version number
187 * embedded in it, and we don't want that here.
189 strcpy(module_struct, module_name);
190 p = strrchr(module_struct, '-');
193 DEBUG3(" (Loaded %s, checking if it's valid)", module_name);
196 * libltld MAY core here, if the handle it gives us contains
199 module = lt_dlsym(handle, module_struct);
201 cf_log_err(cf_sectiontoitem(cs),
202 "Failed linking to %s structure: %s\n",
203 module_name, lt_dlerror());
208 * Before doing anything else, check if it's sane.
210 if ((*(const uint32_t *) module) != RLM_MODULE_MAGIC_NUMBER) {
212 cf_log_err(cf_sectiontoitem(cs),
213 "Invalid version in module '%s'",
219 /* make room for the module type */
220 node = rad_malloc(sizeof(*node));
221 memset(node, 0, sizeof(*node));
222 strlcpy(node->name, module_name, sizeof(node->name));
223 node->module = module;
224 node->handle = handle;
226 DEBUG(" Module: Linked to module %s", module_name);
229 * Add the module as "rlm_foo-version" to the configuration
232 if (!rbtree_insert(module_tree, node)) {
233 radlog(L_ERR, "Failed to cache module %s", module_name);
243 * Find a module instance.
245 module_instance_t *find_module_instance(CONF_SECTION *modules,
246 const char *instname)
249 const char *name1, *name2;
250 module_instance_t *node;
251 char module_name[256];
253 if (!modules) return NULL;
256 * Module instances are declared in the modules{} block
257 * and referenced later by their name, which is the
258 * name2 from the config section, or name1 if there was
261 cs = cf_section_sub_find_name2(modules, NULL, instname);
263 radlog(L_ERR, "ERROR: Cannot find a configuration entry for module \"%s\".\n", instname);
268 * If there's already a module instance, return it.
270 node = cf_data_find(cs, "instance");
271 if (node) return node;
273 name1 = cf_section_name1(cs);
274 name2 = cf_section_name2(cs);
277 * Found the configuration entry.
279 node = rad_malloc(sizeof(*node));
280 memset(node, 0, sizeof(*node));
282 node->insthandle = NULL;
285 * Names in the "modules" section aren't prefixed
286 * with "rlm_", so we add it here.
288 snprintf(module_name, sizeof(module_name), "rlm_%s", name1);
290 node->entry = linkto_module(module_name, cs);
293 /* linkto_module logs any errors */
297 DEBUG2(" Module: Instantiating %s", instname);
300 * Call the module's instantiation routine.
302 if ((node->entry->module->instantiate) &&
303 ((node->entry->module->instantiate)(cs, &node->insthandle) < 0)) {
304 cf_log_err(cf_sectiontoitem(cs),
305 "Instantiation failed for module \"%s\"",
312 * We're done. Fill in the rest of the data structure,
313 * and link it to the module instance list.
315 strlcpy(node->name, instname, sizeof(node->name));
317 #ifdef HAVE_PTHREAD_H
319 * If we're threaded, check if the module is thread-safe.
321 * If it isn't, we create a mutex.
323 if ((node->entry->module->type & RLM_TYPE_THREAD_UNSAFE) != 0) {
324 node->mutex = (pthread_mutex_t *) rad_malloc(sizeof(pthread_mutex_t));
326 * Initialize the mutex.
328 pthread_mutex_init(node->mutex, NULL);
331 * The module is thread-safe. Don't give it a mutex.
337 cf_data_add(cs, "instance", node, module_instance_free);
342 static indexed_modcallable *lookup_by_index(const char *server, int comp,
345 indexed_modcallable myc;
351 return rbtree_finddata(components, &myc);
355 * Create a new sublist.
357 static indexed_modcallable *new_sublist(const char *server, int comp, int idx)
359 indexed_modcallable *c;
361 c = lookup_by_index(server, comp, idx);
363 /* It is an error to try to create a sublist that already
364 * exists. It would almost certainly be caused by accidental
365 * duplication in the config file.
367 * index 0 is the exception, because it is used when we want
368 * to collect _all_ listed modules under a single index by
369 * default, which is currently the case in all components
370 * except authenticate. */
378 c = rad_malloc(sizeof(*c));
379 c->modulelist = NULL;
384 if (!rbtree_insert(components, c)) {
392 static int indexed_modcall(int comp, int idx, REQUEST *request)
395 indexed_modcallable *this;
396 modcallable *list = NULL;
398 this = lookup_by_index(request->server, comp, idx);
400 if (idx != 0) DEBUG2(" WARNING: Unknown value specified for %s. Cannot perform requested action.",
401 section_type_value[comp].typename);
403 list = this->modulelist;
406 request->component = section_type_value[comp].section;
408 rcode = modcall(comp, list, request);
410 request->module = "<server-core>";
411 request->component = "<server-core>";
416 * Load a sub-module list, as found inside an Auth-Type foo {}
419 static int load_subcomponent_section(modcallable *parent, CONF_SECTION *cs,
420 const char *server, int comp)
422 indexed_modcallable *subcomp;
425 const char *name2 = cf_section_name2(cs);
427 rad_assert(comp >= RLM_COMPONENT_AUTH);
428 rad_assert(comp <= RLM_COMPONENT_COUNT);
434 cf_log_err(cf_sectiontoitem(cs),
435 "No name specified for %s block",
436 section_type_value[comp].typename);
443 ml = compile_modgroup(parent, comp, cs);
449 * We must assign a numeric index to this subcomponent.
450 * It is generated and placed in the dictionary
451 * automatically. If it isn't found, it's a serious
454 dval = dict_valbyname(section_type_value[comp].attr, name2);
456 cf_log_err(cf_sectiontoitem(cs),
457 "%s %s Not previously configured",
458 section_type_value[comp].typename, name2);
459 modcallable_free(&ml);
463 subcomp = new_sublist(server, comp, dval->value);
465 modcallable_free(&ml);
469 subcomp->modulelist = ml;
473 static int define_type(const DICT_ATTR *dattr, const char *name)
479 * If the value already exists, don't
482 dval = dict_valbyname(dattr->attr, name);
486 * Create a new unique value with a
487 * meaningless number. You can't look at
488 * it from outside of this code, so it
489 * doesn't matter. The only requirement
490 * is that it's unique.
493 value = lrad_rand() & 0x00ffffff;
494 } while (dict_valbyattr(dattr->attr, value));
496 if (dict_addvalue(name, dattr->name, value) < 0) {
497 radlog(L_ERR, "%s", librad_errstr);
504 static int load_component_section(CONF_SECTION *cs,
505 const char *server, int comp)
510 indexed_modcallable *subcomp;
512 const char *visiblename;
513 const DICT_ATTR *dattr;
516 * Find the attribute used to store VALUEs for this section.
518 dattr = dict_attrbyvalue(section_type_value[comp].attr);
520 cf_log_err(cf_sectiontoitem(cs),
521 "No such attribute %s",
522 section_type_value[comp].typename);
527 * Loop over the entries in the named section.
529 for (modref = cf_item_find_next(cs, NULL);
531 modref = cf_item_find_next(cs, modref)) {
532 CONF_PAIR *cp = NULL;
533 CONF_SECTION *scs = NULL;
535 if (cf_item_is_section(modref)) {
537 scs = cf_itemtosection(modref);
539 name1 = cf_section_name1(scs);
542 section_type_value[comp].typename) == 0) {
544 if (!define_type(dattr, cf_section_name2(scs))) {
548 if (!load_subcomponent_section(NULL, scs,
550 return -1; /* FIXME: memleak? */
556 } else if (cf_item_is_pair(modref)) {
557 cp = cf_itemtopair(modref);
560 * Create types for simple references
561 * only when parsing the authenticate
564 if (section_type_value[comp].attr == PW_AUTH_TYPE) {
565 if (!define_type(dattr, cf_pair_attr(cp))) {
571 continue; /* ignore it */
575 * Try to compile one entry.
577 this = compile_modsingle(NULL, comp, modref, &modname);
579 cf_log_err(cf_sectiontoitem(cs),
580 "Failed to parse %s section.\n",
581 cf_section_name1(cs));
586 * Look for Auth-Type foo {}, which are special
587 * cases of named sections, and allowable ONLY
590 * i.e. They're not allowed in a "group" or "redundant"
593 if (comp == RLM_COMPONENT_AUTH) {
595 const char *modrefname = NULL;
597 modrefname = cf_pair_attr(cp);
599 modrefname = cf_section_name2(scs);
601 cf_log_err(cf_sectiontoitem(cs),
602 "Failed to parse %s sub-section.\n",
603 cf_section_name1(scs));
608 dval = dict_valbyname(PW_AUTH_TYPE, modrefname);
611 * It's a section, but nothing we
614 cf_log_err(cf_sectiontoitem(cs),
615 "Unknown Auth-Type \"%s\" in %s sub-section.",
616 modrefname, section_type_value[comp].section);
621 /* See the comment in new_sublist() for explanation
622 * of the special index 0 */
626 subcomp = new_sublist(server, comp, idx);
627 if (subcomp == NULL) {
628 modcallable_free(&this);
632 /* If subcomp->modulelist is NULL, add_to_modcallable will
634 visiblename = cf_section_name2(cs);
635 if (visiblename == NULL)
636 visiblename = cf_section_name1(cs);
637 add_to_modcallable(&subcomp->modulelist, this,
644 static int load_byserver(CONF_SECTION *cs, int *do_component)
647 const char *server = cf_section_name2(cs);
649 DEBUG2(" modules {");
652 * Loop over all of the known components, finding their
653 * configuration section, and loading it.
656 for (comp = 0; comp < RLM_COMPONENT_COUNT; ++comp) {
659 if (!do_component[comp]) continue;
661 subcs = cf_section_sub_find(cs,
662 section_type_value[comp].section);
663 if (!subcs) continue;
665 if (cf_item_find_next(subcs, NULL) == NULL) continue;
667 DEBUG2(" Module: Checking %s {...} for more modules to load",
668 section_type_value[comp].section);
670 if (load_component_section(subcs, server, comp) < 0) {
675 } /* loop over components */
678 * We haven't loaded any of the normal sections. Maybe we're
679 * supposed to load the vmps section.
681 * This is a bit of a hack...
683 if (!flag && do_component[RLM_COMPONENT_POST_AUTH]) {
686 subcs = cf_section_sub_find(cs, "vmps");
688 DEBUG2(" Module: Checking vmps {...} for more modules to load");
689 if (load_component_section(subcs, server,
690 RLM_COMPONENT_POST_AUTH) < 0) {
700 DEBUG("WARNING: Server %s is empty, and will do nothing!",
708 * Parse the module config sections, and load
709 * and call each module's init() function.
711 * Libtool makes your life a LOT easier, especially with libltdl.
712 * see: http://www.gnu.org/software/libtool/
714 int setup_modules(int reload, CONF_SECTION *config)
717 CONF_SECTION *cs, *modules;
718 int do_component[RLM_COMPONENT_COUNT];
719 rad_listen_t *listener;
720 int null_server = FALSE;
723 * If necessary, initialize libltdl.
727 * Set the default list of preloaded symbols.
728 * This is used to initialize libltdl's list of
731 * i.e. Static modules.
733 LTDL_SET_PRELOADED_SYMBOLS();
735 if (lt_dlinit() != 0) {
736 radlog(L_ERR, "Failed to initialize libraries: %s\n",
742 * Set the search path to ONLY our library directory.
743 * This prevents the modules from being found from
744 * any location on the disk.
746 lt_dlsetsearchpath(radlib_dir);
748 DEBUG2("radiusd: Library search path is %s",
749 lt_dlgetsearchpath());
752 * Set up the internal module struct.
754 module_tree = rbtree_create(module_entry_cmp,
755 module_entry_free, 0);
757 radlog(L_ERR, "Failed to initialize modules\n");
761 rbtree_free(components);
764 components = rbtree_create(indexed_modcallable_cmp,
765 indexed_modcallable_free, 0);
767 radlog(L_ERR, "Failed to initialize components\n");
772 * Figure out which sections to load.
774 memset(do_component, 0, sizeof(do_component));
775 for (listener = mainconfig.listen;
777 listener = listener->next) {
778 switch (listener->type) {
779 case RAD_LISTEN_AUTH:
780 do_component[RLM_COMPONENT_AUTZ] = 1;
781 do_component[RLM_COMPONENT_AUTH] = 1;
782 do_component[RLM_COMPONENT_POST_AUTH] = 1;
783 do_component[RLM_COMPONENT_SESS] = 1;
786 case RAD_LISTEN_DETAIL: /* just like acct */
787 case RAD_LISTEN_ACCT:
788 do_component[RLM_COMPONENT_PREACCT] = 1;
789 do_component[RLM_COMPONENT_ACCT] = 1;
792 case RAD_LISTEN_PROXY:
793 do_component[RLM_COMPONENT_PRE_PROXY] = 1;
794 do_component[RLM_COMPONENT_POST_PROXY] = 1;
798 do_component[RLM_COMPONENT_POST_AUTH] = 1;
803 case RAD_LISTEN_SNMP:
812 for (comp = RLM_COMPONENT_AUTH; comp < RLM_COMPONENT_COUNT; comp++) {
814 * Have the debugging messages all in one place.
816 if (!do_component[comp]) {
817 DEBUG2("modules: Not loading %s{} section",
818 section_type_value[comp].section);
823 * Remember where the modules were stored.
825 modules = cf_section_sub_find(config, "modules");
827 radlog(L_ERR, "Cannot find a \"modules\" section in the configuration file!");
832 * Look for the 'instantiate' section, which tells us
833 * the instantiation order of the modules, and also allows
834 * us to load modules with no authorize/authenticate/etc.
837 cs = cf_section_sub_find(config, "instantiate");
841 module_instance_t *module;
844 DEBUG2(" instantiate {");
847 * Loop over the items in the 'instantiate' section.
849 for (ci=cf_item_find_next(cs, NULL);
851 ci=cf_item_find_next(cs, ci)) {
854 * Skip sections. They'll be handled
855 * later, if they're referenced at all...
857 if (cf_item_is_section(ci)) {
861 cp = cf_itemtopair(ci);
862 name = cf_pair_attr(cp);
863 module = find_module_instance(modules, name);
867 } /* loop over items in the subsection */
870 } /* if there's an 'instantiate' section. */
873 * Loop over the listeners, figuring out which sections
876 for (listener = mainconfig.listen;
878 listener = listener->next) {
881 if (listener->type == RAD_LISTEN_PROXY) continue;
883 cs = cf_section_sub_find_name2(config,
884 "server", listener->server);
885 if (!cs && (listener->server != NULL)) {
886 listener->print(listener, buffer, sizeof(buffer));
888 radlog(L_ERR, "No server has been defined for %s", buffer);
894 * Load all of the virtual servers.
896 for (cs = cf_subsection_find_next(config, NULL, "server");
898 cs = cf_subsection_find_next(config, cs, "server")) {
899 const char *name2 = cf_section_name2(cs);
902 DEBUG2("server %s {", name2);
907 if (load_byserver(cs, do_component) < 0) {
915 * No empty server defined. Try to load an old-style
916 * one for backwards compatibility.
919 DEBUG2("WARNING: Please update your configuration to use virtual servers!");
921 if (load_byserver(config, do_component) < 0) {
932 * Call all authorization modules until one returns
933 * somethings else than RLM_MODULE_OK
935 int module_authorize(int autz_type, REQUEST *request)
937 return indexed_modcall(RLM_COMPONENT_AUTZ, autz_type, request);
941 * Authenticate a user/password with various methods.
943 int module_authenticate(int auth_type, REQUEST *request)
945 return indexed_modcall(RLM_COMPONENT_AUTH, auth_type, request);
949 * Do pre-accounting for ALL configured sessions
951 int module_preacct(REQUEST *request)
953 return indexed_modcall(RLM_COMPONENT_PREACCT, 0, request);
957 * Do accounting for ALL configured sessions
959 int module_accounting(int acct_type, REQUEST *request)
961 return indexed_modcall(RLM_COMPONENT_ACCT, acct_type, request);
965 * See if a user is already logged in.
967 * Returns: 0 == OK, 1 == double logins, 2 == multilink attempt
969 int module_checksimul(int sess_type, REQUEST *request, int maxsimul)
973 if(!request->username)
976 request->simul_count = 0;
977 request->simul_max = maxsimul;
978 request->simul_mpp = 1;
980 rcode = indexed_modcall(RLM_COMPONENT_SESS, sess_type, request);
982 if (rcode != RLM_MODULE_OK) {
983 /* FIXME: Good spot for a *rate-limited* warning to the log */
987 return (request->simul_count < maxsimul) ? 0 : request->simul_mpp;
991 * Do pre-proxying for ALL configured sessions
993 int module_pre_proxy(int type, REQUEST *request)
995 return indexed_modcall(RLM_COMPONENT_PRE_PROXY, type, request);
999 * Do post-proxying for ALL configured sessions
1001 int module_post_proxy(int type, REQUEST *request)
1003 return indexed_modcall(RLM_COMPONENT_POST_PROXY, type, request);
1007 * Do post-authentication for ALL configured sessions
1009 int module_post_auth(int postauth_type, REQUEST *request)
1011 return indexed_modcall(RLM_COMPONENT_POST_AUTH, postauth_type, request);
projects / freeradius.git / blob