src/modules/rlm_attr_filter/rlm_attr_filter.c

   1 /*
   2  * rlm_attr_filter.c  - Filter A/V Pairs received back from proxy reqs
   3  *                      before sending reply to the NAS/Server that sent
   4  *                      it to us.
   5  *
   6  * Version:      $Id$
   7  *
   8  *   This program is is free software; you can redistribute it and/or modify
   9  *   it under the terms of the GNU General Public License, version 2 if the
  10  *   License as published by the Free Software Foundation.
  11  *
  12  *   This program is distributed in the hope that it will be useful,
  13  *   but WITHOUT ANY WARRANTY; without even the implied warranty of
  14  *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15  *   GNU General Public License for more details.
  16  *
  17  *   You should have received a copy of the GNU General Public License
  18  *   along with this program; if not, write to the Free Software
  19  *   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
  20  *
  21  * Copyright (C) 2001,2006 The FreeRADIUS server project
  22  * Copyright (C) 2001 Chris Parker <cparker@starnetusa.net>
  23  */
  24
  25 #include        <freeradius-devel/ident.h>
  26 RCSID("$Id$")
  27
  28 #include        <freeradius-devel/radiusd.h>
  29 #include        <freeradius-devel/modules.h>
  30 #include        <freeradius-devel/rad_assert.h>
  31
  32 #include        <sys/stat.h>
  33
  34 #include        <ctype.h>
  35 #include        <fcntl.h>
  36 #include        <limits.h>
  37
  38
  39 /*
  40  *      Define a structure with the module configuration, so it can
  41  *      be used as the instance handle.
  42  */
  43 struct attr_filter_instance {
  44         char *attrsfile;
  45         char *key;
  46         PAIR_LIST *attrs;
  47 };
  48
  49 static const CONF_PARSER module_config[] = {
  50         { "attrsfile",     PW_TYPE_FILENAME,
  51           offsetof(struct attr_filter_instance,attrsfile), NULL, "${raddbdir}/attrs" },
  52         { "key",     PW_TYPE_STRING_PTR,
  53           offsetof(struct attr_filter_instance,key), NULL, "%{Realm}" },
  54         { NULL, -1, 0, NULL, NULL }
  55 };
  56
  57 static void check_pair(VALUE_PAIR *check_item, VALUE_PAIR *reply_item,
  58                       int *pass, int *fail)
  59 {
  60         int compare;
  61
  62         if (check_item->operator == T_OP_SET) return;
  63
  64         compare = paircmp(check_item, reply_item);
  65         if (compare == 1) {
  66                 ++*(pass);
  67         } else {
  68                 ++*(fail);
  69         }
  70
  71         return;
  72 }
  73
  74
  75 static int getattrsfile(const char *filename, PAIR_LIST **pair_list)
  76 {
  77         int rcode;
  78         PAIR_LIST *attrs = NULL;
  79         PAIR_LIST *entry;
  80         VALUE_PAIR *vp;
  81
  82         rcode = pairlist_read(filename, &attrs, 1);
  83         if (rcode < 0) {
  84                 return -1;
  85         }
  86
  87         /*
  88          * Walk through the 'attrs' file list.
  89          */
  90
  91         entry = attrs;
  92         while (entry) {
  93
  94                 entry->check = entry->reply;
  95                 entry->reply = NULL;
  96
  97                 for (vp = entry->check; vp != NULL; vp = vp->next) {
  98
  99                     /*
 100                      * If it's NOT a vendor attribute,
 101                      * and it's NOT a wire protocol
 102                      * and we ignore Fall-Through,
 103                      * then bitch about it, giving a good warning message.
 104                      */
 105                      if ((vp->vendor == 0) &&
 106                          (vp->attribute > 0xff) &&
 107                          (vp->attribute > 1000)) {
 108                         log_debug("[%s]:%d WARNING! Check item \"%s\"\n"
 109                                   "\tfound in filter list for realm \"%s\".\n",
 110                                   filename, entry->lineno, vp->name,
 111                                   entry->name);
 112                     }
 113                 }
 114
 115                 entry = entry->next;
 116         }
 117
 118         *pair_list = attrs;
 119         return 0;
 120 }
 121
 122
 123 /*
 124  *      Clean up.
 125  */
 126 static int attr_filter_detach(void *instance)
 127 {
 128         struct attr_filter_instance *inst = instance;
 129         pairlist_free(&inst->attrs);
 130         free(inst);
 131         return 0;
 132 }
 133
 134
 135 /*
 136  *      (Re-)read the "attrs" file into memory.
 137  */
 138 static int attr_filter_instantiate(CONF_SECTION *conf, void **instance)
 139 {
 140         struct attr_filter_instance *inst;
 141         int rcode;
 142
 143         inst = rad_malloc(sizeof *inst);
 144         if (!inst) {
 145                 return -1;
 146         }
 147         memset(inst, 0, sizeof(*inst));
 148
 149         if (cf_section_parse(conf, inst, module_config) < 0) {
 150                 attr_filter_detach(inst);
 151                 return -1;
 152         }
 153
 154         rcode = getattrsfile(inst->attrsfile, &inst->attrs);
 155         if (rcode != 0) {
 156                 radlog(L_ERR|L_CONS, "Errors reading %s", inst->attrsfile);
 157                 attr_filter_detach(inst);
 158                 return -1;
 159         }
 160         *instance = inst;
 161         return 0;
 162 }
 163
 164
 165 /*
 166  *      Common attr_filter checks
 167  */
 168 static int attr_filter_common(void *instance, REQUEST *request,
 169                               RADIUS_PACKET *packet)
 170 {
 171         struct attr_filter_instance *inst = instance;
 172         VALUE_PAIR      *vp;
 173         VALUE_PAIR      *output;
 174         VALUE_PAIR      **output_tail;
 175         VALUE_PAIR      *check_item;
 176         PAIR_LIST       *pl;
 177         int             found = 0;
 178         int             pass, fail = 0;
 179         char            *keyname = NULL;
 180         VALUE_PAIR      **input;
 181         char            buffer[256];
 182
 183         if (!packet) return RLM_MODULE_NOOP;
 184
 185         input = &(packet->vps);
 186
 187         if (!inst->key) {
 188                 VALUE_PAIR      *namepair;
 189
 190                 namepair = pairfind(request->packet->vps, PW_REALM, 0);
 191                 if (!namepair) {
 192                         return (RLM_MODULE_NOOP);
 193                 }
 194                 keyname = namepair->vp_strvalue;
 195         } else {
 196                 int len;
 197
 198                 len = radius_xlat(buffer, sizeof(buffer), inst->key,
 199                                   request, NULL);
 200                 if (!len) {
 201                         return RLM_MODULE_NOOP;
 202                 }
 203                 keyname = buffer;
 204         }
 205
 206         output = NULL;
 207         output_tail = &output;
 208
 209         /*
 210          *      Find the attr_filter profile entry for the entry.
 211          */
 212         for (pl = inst->attrs; pl; pl = pl->next) {
 213                 int fall_through = 0;
 214
 215                 /*
 216                  *  If the current entry is NOT a default,
 217                  *  AND the realm does NOT match the current entry,
 218                  *  then skip to the next entry.
 219                  */
 220                 if ((strcmp(pl->name, "DEFAULT") != 0) &&
 221                     (strcmp(keyname, pl->name) != 0))  {
 222                     continue;
 223                 }
 224
 225                 DEBUG2(" attr_filter: Matched entry %s at line %d", pl->name,
 226                        pl->lineno);
 227                 found = 1;
 228
 229                 for (check_item = pl->check;
 230                      check_item != NULL;
 231                      check_item = check_item->next) {
 232                         if ((check_item->attribute == PW_FALL_THROUGH) &&
 233                             (check_item->vp_integer == 1)) {
 234                                 fall_through = 1;
 235                                 continue;
 236                         }
 237
 238                         /*
 239                          *    If it is a SET operator, add the attribute to
 240                          *    the output list without checking it.
 241                          */
 242                         if (check_item->operator == T_OP_SET ) {
 243                                 vp = paircopyvp(check_item);
 244                                 if (!vp) {
 245                                         pairfree(&output);
 246                                         return RLM_MODULE_FAIL;
 247                                 }
 248                                 *output_tail = vp;
 249                                 output_tail = &(vp->next);
 250                         }
 251                 }
 252
 253                 /*
 254                  *      Iterate through the input items, comparing
 255                  *      each item to every rule, then moving it to the
 256                  *      output list only if it matches all rules
 257                  *      for that attribute.  IE, Idle-Timeout is moved
 258                  *      only if it matches all rules that describe an
 259                  *      Idle-Timeout.
 260                  */
 261                 for (vp = *input; vp != NULL; vp = vp->next ) {
 262                         /* reset the pass,fail vars for each reply item */
 263                         pass = fail = 0;
 264
 265                         /*
 266                          *      reset the check_item pointer to
 267                          *      beginning of the list
 268                          */
 269                         for (check_item = pl->check;
 270                              check_item != NULL;
 271                              check_item = check_item->next) {
 272                                 /*
 273                                  *      Vendor-Specific is special, and
 274                                  *      matches any VSA if the comparison
 275                                  *      is always true.
 276                                  */
 277                                 if ((check_item->attribute == PW_VENDOR_SPECIFIC) &&
 278                                     (vp->vendor != 0) &&
 279                                     (check_item->operator == T_OP_CMP_TRUE)) {
 280                                         pass++;
 281                                         continue;
 282                                 }
 283
 284                                 if (vp->attribute == check_item->attribute) {
 285                                         check_pair(check_item, vp,
 286                                                    &pass, &fail);
 287                                 }
 288                         }
 289
 290                         /* only move attribute if it passed all rules */
 291                         if (fail == 0 && pass > 0) {
 292                                 *output_tail = paircopyvp(vp);
 293                                 if (!*output_tail) {
 294                                         pairfree(&output);
 295                                         return RLM_MODULE_FAIL;
 296                                 }
 297                                 output_tail = &((*output_tail)->next);
 298                         }
 299                 }
 300
 301                 /* If we shouldn't fall through, break */
 302                 if (!fall_through)
 303                         break;
 304         }
 305
 306         /*
 307          *      No entry matched.  We didn't do anything.
 308          */
 309         if (!found) {
 310                 rad_assert(output == NULL);
 311                 return RLM_MODULE_NOOP;
 312         }
 313
 314         pairfree(input);
 315         *input = output;
 316
 317         if (request->packet->code == PW_AUTHENTICATION_REQUEST) {
 318                 request->username = pairfind(request->packet->vps,
 319                                              PW_STRIPPED_USER_NAME, 0);
 320                 if (!request->username)
 321                         request->username = pairfind(request->packet->vps,
 322                                                      PW_USER_NAME, 0);
 323                 request->password = pairfind(request->packet->vps,
 324                                              PW_USER_PASSWORD, 0);
 325         }
 326
 327         return RLM_MODULE_UPDATED;
 328 }
 329
 330 static int attr_filter_preacct(void *instance, REQUEST *request)
 331 {
 332         return attr_filter_common(instance, request, request->packet);
 333 }
 334
 335 static int attr_filter_accounting(void *instance, REQUEST *request)
 336 {
 337         return attr_filter_common(instance, request, request->reply);
 338 }
 339
 340 #ifdef WITH_PROXY
 341 static int attr_filter_preproxy(void *instance, REQUEST *request)
 342 {
 343         return attr_filter_common(instance, request, request->proxy);
 344 }
 345
 346 static int attr_filter_postproxy(void *instance, REQUEST *request)
 347 {
 348         return attr_filter_common(instance, request, request->proxy_reply);
 349 }
 350 #endif
 351
 352 static int attr_filter_postauth(void *instance, REQUEST *request)
 353 {
 354         return attr_filter_common(instance, request, request->reply);
 355 }
 356
 357 static int attr_filter_authorize(void *instance, REQUEST *request)
 358 {
 359         return attr_filter_common(instance, request, request->packet);
 360 }
 361
 362
 363 /* globally exported name */
 364 module_t rlm_attr_filter = {
 365         RLM_MODULE_INIT,
 366         "attr_filter",
 367         RLM_TYPE_CHECK_CONFIG_SAFE | RLM_TYPE_HUP_SAFE,         /* type */
 368         attr_filter_instantiate,        /* instantiation */
 369         attr_filter_detach,             /* detach */
 370         {
 371                 NULL,                   /* authentication */
 372                 attr_filter_authorize,  /* authorization */
 373                 attr_filter_preacct,    /* pre-acct */
 374                 attr_filter_accounting, /* accounting */
 375                 NULL,                   /* checksimul */
 376 #ifdef WITH_PROXY
 377                 attr_filter_preproxy,   /* pre-proxy */
 378                 attr_filter_postproxy,  /* post-proxy */
 379 #else
 380                 NULL, NULL,
 381 #endif
 382                 attr_filter_postauth    /* post-auth */
 383         },
 384 };
 385