2 * modules.c Radius module support.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2003,2006 The FreeRADIUS server project
21 * Copyright 2000 Alan DeKok <aland@ox.org>
22 * Copyright 2000 Alan Curry <pacman@world.std.com>
25 #include <freeradius-devel/ident.h>
28 #include <freeradius-devel/radiusd.h>
29 #include <freeradius-devel/modpriv.h>
30 #include <freeradius-devel/modcall.h>
31 #include <freeradius-devel/rad_assert.h>
33 #define VMPS_SPACE "vmps"
35 typedef struct indexed_modcallable {
39 modcallable *modulelist;
40 } indexed_modcallable;
43 * For each component, keep an ordered list of ones to call.
45 static rbtree_t *components;
47 static rbtree_t *module_tree = NULL;
49 typedef struct section_type_value_t {
53 } section_type_value_t;
57 * Ordered by component
59 static const section_type_value_t section_type_value[RLM_COMPONENT_COUNT] = {
60 { "authenticate", "Auth-Type", PW_AUTH_TYPE },
61 { "authorize", "Autz-Type", PW_AUTZ_TYPE },
62 { "preacct", "Pre-Acct-Type", PW_PRE_ACCT_TYPE },
63 { "accounting", "Acct-Type", PW_ACCT_TYPE },
64 { "session", "Session-Type", PW_SESSION_TYPE },
65 { "pre-proxy", "Pre-Proxy-Type", PW_PRE_PROXY_TYPE },
66 { "post-proxy", "Post-Proxy-Type", PW_POST_PROXY_TYPE },
67 { "post-auth", "Post-Auth-Type", PW_POST_AUTH_TYPE },
70 static void indexed_modcallable_free(void *data)
72 indexed_modcallable *c = data;
74 modcallable_free(&c->modulelist);
78 static int indexed_modcallable_cmp(const void *one, const void *two)
81 const indexed_modcallable *a = one;
82 const indexed_modcallable *b = two;
84 if (a->space && !b->space) return -1;
85 if (!a->space && b->space) return +1;
86 if (a->space && b->space) {
87 rcode = strcmp(a->space, b->space);
88 if (rcode != 0) return rcode;
91 if (a->comp < b->comp) return -1;
92 if (a->comp > b->comp) return +1;
94 return a->idx - b->idx;
99 * Free a module instance.
101 static void module_instance_free(void *data)
103 module_instance_t *this = data;
105 if (this->entry->module->detach)
106 (this->entry->module->detach)(this->insthandle);
107 #ifdef HAVE_PTHREAD_H
111 * The mutex MIGHT be locked...
112 * we'll check for that later, I guess.
114 pthread_mutex_destroy(this->mutex);
123 * Compare two module entries
125 static int module_entry_cmp(const void *one, const void *two)
127 const module_entry_t *a = one;
128 const module_entry_t *b = two;
130 return strcmp(a->name, b->name);
134 * Free a module entry.
136 static void module_entry_free(void *data)
138 module_entry_t *this = data;
140 lt_dlclose(this->handle); /* ignore any errors */
146 * Remove the module lists.
148 int detach_modules(void)
150 rbtree_free(components);
151 rbtree_free(module_tree);
158 * Find a module on disk or in memory, and link to it.
160 static module_entry_t *linkto_module(const char *module_name,
163 module_entry_t myentry;
164 module_entry_t *node;
166 char module_struct[256];
170 strlcpy(myentry.name, module_name, sizeof(myentry.name));
171 node = rbtree_finddata(module_tree, &myentry);
172 if (node) return node;
175 * Keep the handle around so we can dlclose() it.
177 handle = lt_dlopenext(module_name);
178 if (handle == NULL) {
179 cf_log_err(cf_sectiontoitem(cs),
180 "Failed to link to module '%s': %s\n",
181 module_name, lt_dlerror());
186 * Link to the module's rlm_FOO{} module structure.
188 * The module_name variable has the version number
189 * embedded in it, and we don't want that here.
191 strcpy(module_struct, module_name);
192 p = strrchr(module_struct, '-');
195 DEBUG3(" (Loaded %s, checking if it's valid)", module_name);
198 * libltld MAY core here, if the handle it gives us contains
201 module = lt_dlsym(handle, module_struct);
203 cf_log_err(cf_sectiontoitem(cs),
204 "Failed linking to %s structure: %s\n",
205 module_name, lt_dlerror());
210 * Before doing anything else, check if it's sane.
212 if ((*(const uint32_t *) module) != RLM_MODULE_MAGIC_NUMBER) {
214 cf_log_err(cf_sectiontoitem(cs),
215 "Invalid version in module '%s'",
221 /* make room for the module type */
222 node = rad_malloc(sizeof(*node));
223 memset(node, 0, sizeof(*node));
224 strlcpy(node->name, module_name, sizeof(node->name));
225 node->module = module;
226 node->handle = handle;
228 DEBUG(" Module: Linked to module %s", module_name);
231 * Add the module as "rlm_foo-version" to the configuration
234 if (!rbtree_insert(module_tree, node)) {
235 radlog(L_ERR, "Failed to cache module %s", module_name);
245 * Find a module instance.
247 module_instance_t *find_module_instance(CONF_SECTION *modules,
248 const char *instname)
251 const char *name1, *name2;
252 module_instance_t *node;
253 char module_name[256];
255 if (!modules) return NULL;
258 * Module instances are declared in the modules{} block
259 * and referenced later by their name, which is the
260 * name2 from the config section, or name1 if there was
263 cs = cf_section_sub_find_name2(modules, NULL, instname);
265 radlog(L_ERR, "ERROR: Cannot find a configuration entry for module \"%s\".\n", instname);
270 * If there's already a module instance, return it.
272 node = cf_data_find(cs, "instance");
273 if (node) return node;
275 name1 = cf_section_name1(cs);
276 name2 = cf_section_name2(cs);
279 * Found the configuration entry.
281 node = rad_malloc(sizeof(*node));
282 memset(node, 0, sizeof(*node));
284 node->insthandle = NULL;
287 * Names in the "modules" section aren't prefixed
288 * with "rlm_", so we add it here.
290 snprintf(module_name, sizeof(module_name), "rlm_%s", name1);
292 node->entry = linkto_module(module_name, cs);
295 /* linkto_module logs any errors */
299 DEBUG2(" Module: Instantiating %s", instname);
302 * Call the module's instantiation routine.
304 if ((node->entry->module->instantiate) &&
305 ((node->entry->module->instantiate)(cs, &node->insthandle) < 0)) {
306 cf_log_err(cf_sectiontoitem(cs),
307 "Instantiation failed for module \"%s\"",
314 * We're done. Fill in the rest of the data structure,
315 * and link it to the module instance list.
317 strlcpy(node->name, instname, sizeof(node->name));
319 #ifdef HAVE_PTHREAD_H
321 * If we're threaded, check if the module is thread-safe.
323 * If it isn't, we create a mutex.
325 if ((node->entry->module->type & RLM_TYPE_THREAD_UNSAFE) != 0) {
326 node->mutex = (pthread_mutex_t *) rad_malloc(sizeof(pthread_mutex_t));
328 * Initialize the mutex.
330 pthread_mutex_init(node->mutex, NULL);
333 * The module is thread-safe. Don't give it a mutex.
339 cf_data_add(cs, "instance", node, module_instance_free);
344 static indexed_modcallable *lookup_by_index(const char *space, int comp,
347 indexed_modcallable myc;
353 return rbtree_finddata(components, &myc);
357 * Create a new sublist.
359 static indexed_modcallable *new_sublist(const char *space, int comp, int idx)
361 indexed_modcallable *c;
363 c = lookup_by_index(space, comp, idx);
365 /* It is an error to try to create a sublist that already
366 * exists. It would almost certainly be caused by accidental
367 * duplication in the config file.
369 * index 0 is the exception, because it is used when we want
370 * to collect _all_ listed modules under a single index by
371 * default, which is currently the case in all components
372 * except authenticate. */
380 c = rad_malloc(sizeof(*c));
381 c->modulelist = NULL;
386 if (!rbtree_insert(components, c)) {
394 static int indexed_modcall(const char *space, int comp, int idx,
398 indexed_modcallable *this;
399 modcallable *list = NULL;
401 this = lookup_by_index(space, comp, idx);
403 if (idx != 0) DEBUG2(" WARNING: Unknown value specified for %s. Cannot perform requested action.",
404 section_type_value[comp].typename);
406 list = this->modulelist;
409 request->component = section_type_value[comp].section;
411 rcode = modcall(comp, list, request);
413 request->module = "<server-core>";
414 request->component = "<server-core>";
419 * Load a sub-module list, as found inside an Auth-Type foo {}
422 static int load_subcomponent_section(modcallable *parent, CONF_SECTION *cs,
423 const char *space, int comp)
425 indexed_modcallable *subcomp;
428 const char *name2 = cf_section_name2(cs);
430 rad_assert(comp >= RLM_COMPONENT_AUTH);
431 rad_assert(comp <= RLM_COMPONENT_COUNT);
437 cf_log_err(cf_sectiontoitem(cs),
438 "No name specified for %s block",
439 section_type_value[comp].typename);
446 ml = compile_modgroup(parent, comp, cs);
452 * We must assign a numeric index to this subcomponent.
453 * It is generated and placed in the dictionary by
454 * setup_modules(), when it loads the sections. If it
455 * isn't found, it's a serious error.
457 dval = dict_valbyname(section_type_value[comp].attr, name2);
459 cf_log_err(cf_sectiontoitem(cs),
460 "%s %s Not previously configured",
461 section_type_value[comp].typename, name2);
462 modcallable_free(&ml);
466 subcomp = new_sublist(space, comp, dval->value);
468 modcallable_free(&ml);
472 subcomp->modulelist = ml;
476 static int load_component_section(modcallable *parent, CONF_SECTION *cs,
477 const char *space, int comp)
482 indexed_modcallable *subcomp;
484 const char *visiblename;
487 * Loop over the entries in the named section.
489 for (modref = cf_item_find_next(cs, NULL);
491 modref = cf_item_find_next(cs, modref)) {
492 CONF_PAIR *cp = NULL;
493 CONF_SECTION *scs = NULL;
496 * Look for Auth-Type foo {}, which are special
497 * cases of named sections, and allowable ONLY
500 * i.e. They're not allowed in a "group" or "redundant"
503 if (cf_item_is_section(modref)) {
504 const char *sec_name;
505 scs = cf_itemtosection(modref);
507 sec_name = cf_section_name1(scs);
510 section_type_value[comp].typename) == 0) {
511 if (!load_subcomponent_section(parent, scs,
513 return -1; /* FIXME: memleak? */
519 } else if (cf_item_is_pair(modref)) {
520 cp = cf_itemtopair(modref);
522 continue; /* ignore it */
526 * Try to compile one entry.
528 this = compile_modsingle(parent, comp, modref, &modname);
530 cf_log_err(cf_sectiontoitem(cs),
531 "Failed to parse %s section.\n",
532 cf_section_name1(cs));
536 if (comp == RLM_COMPONENT_AUTH) {
538 const char *modrefname = NULL;
540 modrefname = cf_pair_attr(cp);
542 modrefname = cf_section_name2(scs);
544 cf_log_err(cf_sectiontoitem(cs),
545 "Failed to parse %s sub-section.\n",
546 cf_section_name1(scs));
551 dval = dict_valbyname(PW_AUTH_TYPE, modrefname);
554 * It's a section, but nothing we
557 cf_log_err(cf_sectiontoitem(cs),
558 "Unknown Auth-Type \"%s\" in %s sub-section.",
559 modrefname, section_type_value[comp].section);
564 /* See the comment in new_sublist() for explanation
565 * of the special index 0 */
569 subcomp = new_sublist(space, comp, idx);
570 if (subcomp == NULL) {
571 modcallable_free(&this);
575 /* If subcomp->modulelist is NULL, add_to_modcallable will
577 visiblename = cf_section_name2(cs);
578 if (visiblename == NULL)
579 visiblename = cf_section_name1(cs);
580 add_to_modcallable(&subcomp->modulelist, this,
587 static int load_byspace(CONF_SECTION *cs, const char *space,
593 * Create any DICT_VALUE's for the types. See
594 * 'doc/configurable_failover' for examples of 'authtype'
595 * used to create new Auth-Type values. In order to
596 * let the user create new names, we've got to look for
597 * those names, and create DICT_VALUE's for them.
599 for (comp = RLM_COMPONENT_AUTH; comp < RLM_COMPONENT_COUNT; comp++) {
608 * Not needed, don't load it.
610 if (!do_component[comp]) {
613 subcs = cf_section_sub_find(cs,
614 section_type_value[comp].section);
617 * FIXME: This is probably an error.
619 if (!subcs) continue;
621 for (ci = cf_item_find_next(subcs, NULL);
623 ci = cf_item_find_next(subcs, ci)) {
624 if (cf_item_is_section(ci)) {
628 type = cf_itemtosection(ci);
629 name1 = cf_section_name1(type);
632 * Not Autz-Type, Auth-Type, etc.
634 if (strcmp(name1, section_type_value[comp].typename) != 0) {
638 name2 = cf_section_name2(cf_itemtosection(ci));
641 * FIXME: This is probably an error.
643 if (!name2) continue;
645 } else if (section_type_value[comp].attr != PW_AUTH_TYPE) {
647 * Create types for names only when
648 * parsing the authenticate section.
653 name2 = cf_pair_attr(cf_itemtopair(ci));
657 * If the value already exists, don't
660 dval = dict_valbyname(section_type_value[comp].attr,
665 * Find the attribute for the value.
667 dattr = dict_attrbyvalue(section_type_value[comp].attr);
669 cf_log_err(cf_sectiontoitem(subcs),
670 "No such attribute %s",
671 section_type_value[comp].typename);
676 * Create a new unique value with a
677 * meaningless number. You can't look at
678 * it from outside of this code, so it
679 * doesn't matter. The only requirement
680 * is that it's unique.
683 value = lrad_rand() & 0x00ffffff;
684 } while (dict_valbyattr(dattr->attr, value));
686 if (dict_addvalue(name2, dattr->name, value) < 0) {
687 radlog(L_ERR, "%s", librad_errstr);
691 } /* over the sections which can have redundent sub-sections */
693 DEBUG2(" modules {");
696 * Loop over all of the known components, finding their
697 * configuration section, and loading it.
699 for (comp = 0; comp < RLM_COMPONENT_COUNT; ++comp) {
702 if (!do_component[comp]) continue;
704 subcs = cf_section_sub_find(cs,
705 section_type_value[comp].section);
706 if (!subcs) continue;
708 if (cf_item_find_next(subcs, NULL) == NULL) continue;
710 DEBUG2(" Module: Checking %s {...} for more modules to load",
711 section_type_value[comp].section);
713 if (load_component_section(NULL, subcs, space, comp) < 0) {
717 } /* loop over components */
725 * Parse the module config sections, and load
726 * and call each module's init() function.
728 * Libtool makes your life a LOT easier, especially with libltdl.
729 * see: http://www.gnu.org/software/libtool/
731 int setup_modules(int reload, CONF_SECTION *config)
734 CONF_SECTION *cs, *modules;
735 int do_component[RLM_COMPONENT_COUNT];
736 rad_listen_t *listener;
739 * If necessary, initialize libltdl.
743 * Set the default list of preloaded symbols.
744 * This is used to initialize libltdl's list of
747 * i.e. Static modules.
749 LTDL_SET_PRELOADED_SYMBOLS();
751 if (lt_dlinit() != 0) {
752 radlog(L_ERR, "Failed to initialize libraries: %s\n",
758 * Set the search path to ONLY our library directory.
759 * This prevents the modules from being found from
760 * any location on the disk.
762 lt_dlsetsearchpath(radlib_dir);
764 DEBUG2("radiusd: Library search path is %s",
765 lt_dlgetsearchpath());
768 * Set up the internal module struct.
770 module_tree = rbtree_create(module_entry_cmp,
771 module_entry_free, 0);
773 radlog(L_ERR, "Failed to initialize modules\n");
777 rbtree_free(components);
780 components = rbtree_create(indexed_modcallable_cmp,
781 indexed_modcallable_free, 0);
783 radlog(L_ERR, "Failed to initialize components\n");
788 * Figure out which sections to load.
790 memset(do_component, 0, sizeof(do_component));
791 for (listener = mainconfig.listen;
793 listener = listener->next) {
794 switch (listener->type) {
795 case RAD_LISTEN_AUTH:
796 do_component[RLM_COMPONENT_AUTZ] = 1;
797 do_component[RLM_COMPONENT_AUTH] = 1;
798 do_component[RLM_COMPONENT_POST_AUTH] = 1;
799 do_component[RLM_COMPONENT_SESS] = 1;
802 case RAD_LISTEN_DETAIL: /* just like acct */
803 case RAD_LISTEN_ACCT:
804 do_component[RLM_COMPONENT_PREACCT] = 1;
805 do_component[RLM_COMPONENT_ACCT] = 1;
808 case RAD_LISTEN_PROXY:
809 do_component[RLM_COMPONENT_PRE_PROXY] = 1;
810 do_component[RLM_COMPONENT_POST_PROXY] = 1;
814 do_component[RLM_COMPONENT_POST_AUTH] = 1;
819 case RAD_LISTEN_SNMP:
828 for (comp = RLM_COMPONENT_AUTH; comp < RLM_COMPONENT_COUNT; comp++) {
830 * Have the debugging messages all in one place.
832 if (!do_component[comp]) {
833 DEBUG2("modules: Not loading %s{} section",
834 section_type_value[comp].section);
839 * Remember where the modules were stored.
841 modules = cf_section_sub_find(config, "modules");
843 radlog(L_ERR, "Cannot find a \"modules\" section in the configuration file!");
848 * Look for the 'instantiate' section, which tells us
849 * the instantiation order of the modules, and also allows
850 * us to load modules with no authorize/authenticate/etc.
853 cs = cf_section_sub_find(config, "instantiate");
857 module_instance_t *module;
860 DEBUG2(" instantiate {");
863 * Loop over the items in the 'instantiate' section.
865 for (ci=cf_item_find_next(cs, NULL);
867 ci=cf_item_find_next(cs, ci)) {
870 * Skip sections. They'll be handled
871 * later, if they're referenced at all...
873 if (cf_item_is_section(ci)) {
877 cp = cf_itemtopair(ci);
878 name = cf_pair_attr(cp);
879 module = find_module_instance(modules, name);
883 } /* loop over items in the subsection */
886 } /* if there's an 'instantiate' section. */
889 * Load *all*. If you don't want one loaded, don't list
890 * it in sites-enabled/
892 for (listener = mainconfig.listen;
894 listener = listener->next) {
895 if (listener->type == RAD_LISTEN_PROXY) continue;
897 cs = cf_section_sub_find_name2(config,
898 "server", listener->server);
902 listener->print(listener, buffer, sizeof(buffer));
904 radlog(L_ERR, "Listening on IP %s but no server has been defined", buffer);
908 if (listener->type != RAD_LISTEN_VQP) continue;
910 cs = cf_section_sub_find(config, "vmps");
912 radlog(L_ERR, "Listening on vmps socket, but no vmps section");
916 if (cf_item_find_next(cs, NULL) == NULL) {
917 radlog(L_ERR, "Listening on vmps socket, vmps section is empty");
921 DEBUG2(" Module: Checking vmps {...} for more modules to load");
922 if (load_component_section(NULL, cs, VMPS_SPACE,
923 RLM_COMPONENT_POST_AUTH) < 0) {
929 * Load all of the virtual servers.
931 for (cs = cf_subsection_find_next(config, NULL, "server");
933 cs = cf_subsection_find_next(config, cs, "server")) {
934 const char *name2 = cf_section_name2(cs);
937 DEBUG2("server %s {", name2);
941 if (load_byspace(cs, name2, do_component) < 0) {
952 * Call all authorization modules until one returns
953 * somethings else than RLM_MODULE_OK
955 int module_authorize(int autz_type, REQUEST *request)
957 return indexed_modcall(request->server,
958 RLM_COMPONENT_AUTZ, autz_type, request);
962 * Authenticate a user/password with various methods.
964 int module_authenticate(int auth_type, REQUEST *request)
966 return indexed_modcall(request->server,
967 RLM_COMPONENT_AUTH, auth_type, request);
971 * Do pre-accounting for ALL configured sessions
973 int module_preacct(REQUEST *request)
975 return indexed_modcall(request->server,
976 RLM_COMPONENT_PREACCT, 0, request);
980 * Do accounting for ALL configured sessions
982 int module_accounting(int acct_type, REQUEST *request)
984 return indexed_modcall(request->server,
985 RLM_COMPONENT_ACCT, acct_type, request);
989 * See if a user is already logged in.
991 * Returns: 0 == OK, 1 == double logins, 2 == multilink attempt
993 int module_checksimul(int sess_type, REQUEST *request, int maxsimul)
997 if(!request->username)
1000 request->simul_count = 0;
1001 request->simul_max = maxsimul;
1002 request->simul_mpp = 1;
1004 rcode = indexed_modcall(request->server,
1005 RLM_COMPONENT_SESS, sess_type, request);
1007 if (rcode != RLM_MODULE_OK) {
1008 /* FIXME: Good spot for a *rate-limited* warning to the log */
1012 return (request->simul_count < maxsimul) ? 0 : request->simul_mpp;
1016 * Do pre-proxying for ALL configured sessions
1018 int module_pre_proxy(int type, REQUEST *request)
1020 return indexed_modcall(request->server,
1021 RLM_COMPONENT_PRE_PROXY, type, request);
1025 * Do post-proxying for ALL configured sessions
1027 int module_post_proxy(int type, REQUEST *request)
1029 return indexed_modcall(request->server,
1030 RLM_COMPONENT_POST_PROXY, type, request);
1034 * Do post-authentication for ALL configured sessions
1036 int module_post_auth(int postauth_type, REQUEST *request)
1038 return indexed_modcall(request->server,
1039 RLM_COMPONENT_POST_AUTH, postauth_type, request);
1045 int module_vmps(REQUEST *request)
1047 return indexed_modcall(VMPS_SPACE, RLM_COMPONENT_POST_AUTH, 0,