src/modules/rlm_attr_filter/rlm_attr_filter.c

   1 /*
   2  * rlm_attr_filter.c  - Filter A/V Pairs received back from proxy reqs
   3  *                      before sending reply to the NAS/Server that sent
   4  *                      it to us.
   5  *
   6  * Version:      $Id$
   7  *
   8  *   This program is is free software; you can redistribute it and/or modify
   9  *   it under the terms of the GNU General Public License, version 2 if the
  10  *   License as published by the Free Software Foundation.
  11  *
  12  *   This program is distributed in the hope that it will be useful,
  13  *   but WITHOUT ANY WARRANTY; without even the implied warranty of
  14  *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15  *   GNU General Public License for more details.
  16  *
  17  *   You should have received a copy of the GNU General Public License
  18  *   along with this program; if not, write to the Free Software
  19  *   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
  20  *
  21  * Copyright (C) 2001,2006 The FreeRADIUS server project
  22  * Copyright (C) 2001 Chris Parker <cparker@starnetusa.net>
  23  */
  24
  25 #include        <freeradius-devel/ident.h>
  26 RCSID("$Id$")
  27
  28 #include        <freeradius-devel/radiusd.h>
  29 #include        <freeradius-devel/modules.h>
  30 #include        <freeradius-devel/rad_assert.h>
  31
  32 #include        <sys/stat.h>
  33
  34 #include        <ctype.h>
  35 #include        <fcntl.h>
  36 #include        <limits.h>
  37
  38
  39 /*
  40  *      Define a structure with the module configuration, so it can
  41  *      be used as the instance handle.
  42  */
  43 struct attr_filter_instance {
  44         char *attrsfile;
  45         char *key;
  46         PAIR_LIST *attrs;
  47 };
  48
  49 static const CONF_PARSER module_config[] = {
  50         { "attrsfile",     PW_TYPE_FILENAME,
  51           offsetof(struct attr_filter_instance,attrsfile), NULL, "${raddbdir}/attrs" },
  52         { "key",     PW_TYPE_STRING_PTR,
  53           offsetof(struct attr_filter_instance,key), NULL, "%{Realm}" },
  54         { NULL, -1, 0, NULL, NULL }
  55 };
  56
  57 static void check_pair(VALUE_PAIR *check_item, VALUE_PAIR *reply_item,
  58                       int *pass, int *fail)
  59 {
  60         int compare;
  61
  62         if (check_item->operator == T_OP_SET) return;
  63
  64         compare = paircmp(check_item, reply_item);
  65         if (compare == 1) {
  66                 ++*(pass);
  67         } else {
  68                 ++*(fail);
  69         }
  70
  71         return;
  72 }
  73
  74
  75 static int getattrsfile(const char *filename, PAIR_LIST **pair_list)
  76 {
  77         int rcode;
  78         PAIR_LIST *attrs = NULL;
  79         PAIR_LIST *entry;
  80         VALUE_PAIR *vp;
  81
  82         rcode = pairlist_read(filename, &attrs, 1);
  83         if (rcode < 0) {
  84                 return -1;
  85         }
  86
  87         /*
  88          * Walk through the 'attrs' file list.
  89          */
  90
  91         entry = attrs;
  92         while (entry) {
  93
  94                 entry->check = entry->reply;
  95                 entry->reply = NULL;
  96
  97                 for (vp = entry->check; vp != NULL; vp = vp->next) {
  98
  99                     /*
 100                      * If it's NOT a vendor attribute,
 101                      * and it's NOT a wire protocol
 102                      * and we ignore Fall-Through,
 103                      * then bitch about it, giving a good warning message.
 104                      */
 105                     if (!(vp->attribute & ~0xffff) &&
 106                          (vp->attribute > 0xff) &&
 107                          (vp->attribute > 1000)) {
 108                         log_debug("[%s]:%d WARNING! Check item \"%s\"\n"
 109                                   "\tfound in filter list for realm \"%s\".\n",
 110                                   filename, entry->lineno, vp->name,
 111                                   entry->name);
 112                     }
 113                 }
 114
 115                 entry = entry->next;
 116         }
 117
 118         *pair_list = attrs;
 119         return 0;
 120 }
 121
 122
 123 /*
 124  *      Clean up.
 125  */
 126 static int attr_filter_detach(void *instance)
 127 {
 128         struct attr_filter_instance *inst = instance;
 129         pairlist_free(&inst->attrs);
 130         free(inst);
 131         return 0;
 132 }
 133
 134
 135 /*
 136  *      (Re-)read the "attrs" file into memory.
 137  */
 138 static int attr_filter_instantiate(CONF_SECTION *conf, void **instance)
 139 {
 140         struct attr_filter_instance *inst;
 141         int rcode;
 142
 143         inst = rad_malloc(sizeof *inst);
 144         if (!inst) {
 145                 return -1;
 146         }
 147         memset(inst, 0, sizeof(*inst));
 148
 149         if (cf_section_parse(conf, inst, module_config) < 0) {
 150                 attr_filter_detach(inst);
 151                 return -1;
 152         }
 153
 154         rcode = getattrsfile(inst->attrsfile, &inst->attrs);
 155         if (rcode != 0) {
 156                 radlog(L_ERR|L_CONS, "Errors reading %s", inst->attrsfile);
 157                 attr_filter_detach(inst);
 158                 return -1;
 159         }
 160         *instance = inst;
 161         return 0;
 162 }
 163
 164
 165 /*
 166  *      Common attr_filter checks
 167  */
 168 static int attr_filter_common(void *instance, REQUEST *request,
 169                               VALUE_PAIR **input)
 170 {
 171         struct attr_filter_instance *inst = instance;
 172         VALUE_PAIR      *vp;
 173         VALUE_PAIR      *output;
 174         VALUE_PAIR      **output_tail;
 175         VALUE_PAIR      *check_item;
 176         PAIR_LIST       *pl;
 177         int             found = 0;
 178         int             pass, fail = 0;
 179         char            *keyname = NULL;
 180         char            buffer[256];
 181
 182         if (!inst->key) {
 183                 VALUE_PAIR      *namepair;
 184
 185                 namepair = pairfind(request->packet->vps, PW_REALM);
 186                 if (!namepair) {
 187                         return (RLM_MODULE_NOOP);
 188                 }
 189                 keyname = namepair->vp_strvalue;
 190         } else {
 191                 int len;
 192
 193                 len = radius_xlat(buffer, sizeof(buffer), inst->key,
 194                                   request, NULL);
 195                 if (!len) {
 196                         return RLM_MODULE_NOOP;
 197                 }
 198                 keyname = buffer;
 199         }
 200
 201         output = NULL;
 202         output_tail = &output;
 203
 204         /*
 205          *      Find the attr_filter profile entry for the entry.
 206          */
 207         for (pl = inst->attrs; pl; pl = pl->next) {
 208                 int fall_through = 0;
 209
 210                 /*
 211                  *  If the current entry is NOT a default,
 212                  *  AND the realm does NOT match the current entry,
 213                  *  then skip to the next entry.
 214                  */
 215                 if ((strcmp(pl->name, "DEFAULT") != 0) &&
 216                     (strcmp(keyname, pl->name) != 0))  {
 217                     continue;
 218                 }
 219
 220                 DEBUG2(" attr_filter: Matched entry %s at line %d", pl->name,
 221                        pl->lineno);
 222                 found = 1;
 223
 224                 for (check_item = pl->check;
 225                      check_item != NULL;
 226                      check_item = check_item->next) {
 227                         if (check_item->attribute == PW_FALL_THROUGH) {
 228                                 fall_through = 1;
 229                                 continue;
 230                         }
 231
 232                         /*
 233                          *    If it is a SET operator, add the attribute to
 234                          *    the output list without checking it.
 235                          */
 236                         if (check_item->operator == T_OP_SET ) {
 237                                 vp = paircopyvp(check_item);
 238                                 if (!vp) {
 239                                         pairfree(&output);
 240                                         return RLM_MODULE_FAIL;
 241                                 }
 242                                 *output_tail = vp;
 243                                 output_tail = &(vp->next);
 244                         }
 245                 }
 246
 247                 /*
 248                  *      Iterate through the input items, comparing
 249                  *      each item to every rule, then moving it to the
 250                  *      output list only if it matches all rules
 251                  *      for that attribute.  IE, Idle-Timeout is moved
 252                  *      only if it matches all rules that describe an
 253                  *      Idle-Timeout.
 254                  */
 255                 for (vp = *input; vp != NULL; vp = vp->next ) {
 256                         /* reset the pass,fail vars for each reply item */
 257                         pass = fail = 0;
 258
 259                         /*
 260                          *      reset the check_item pointer to
 261                          *      beginning of the list
 262                          */
 263                         for (check_item = pl->check;
 264                              check_item != NULL;
 265                              check_item = check_item->next) {
 266                                 /*
 267                                  *      Vendor-Specific is special, and
 268                                  *      matches any VSA if the comparison
 269                                  *      is always true.
 270                                  */
 271                                 if ((check_item->attribute == PW_VENDOR_SPECIFIC) &&
 272                                     (VENDOR(vp->attribute) != 0) &&
 273                                     (check_item->operator == T_OP_CMP_TRUE)) {
 274                                         pass++;
 275                                         continue;
 276                                 }
 277
 278                                 if (vp->attribute == check_item->attribute) {
 279                                         check_pair(check_item, vp,
 280                                                    &pass, &fail);
 281                                 }
 282                         }
 283
 284                         /* only move attribute if it passed all rules */
 285                         if (fail == 0 && pass > 0) {
 286                                 *output_tail = paircopyvp(vp);
 287                                 if (!*output_tail) {
 288                                         pairfree(&output);
 289                                         return RLM_MODULE_FAIL;
 290                                 }
 291                                 output_tail = &((*output_tail)->next);
 292                         }
 293                 }
 294
 295                 /* If we shouldn't fall through, break */
 296                 if (!fall_through)
 297                         break;
 298         }
 299
 300         /*
 301          *      No entry matched.  We didn't do anything.
 302          */
 303         if (!found) {
 304                 rad_assert(output == NULL);
 305                 return RLM_MODULE_NOOP;
 306         }
 307
 308         pairfree(input);
 309         *input = output;
 310
 311         if (request->packet->code == PW_AUTHENTICATION_REQUEST) {
 312                 request->username = pairfind(request->packet->vps,
 313                                              PW_STRIPPED_USER_NAME);
 314                 if (!request->username)
 315                         request->username = pairfind(request->packet->vps,
 316                                                      PW_USER_NAME);
 317                 request->password = pairfind(request->packet->vps,
 318                                              PW_USER_PASSWORD);
 319         }
 320
 321         return RLM_MODULE_UPDATED;
 322 }
 323
 324 static int attr_filter_preacct(void *instance, REQUEST *request)
 325 {
 326         return attr_filter_common(instance, request, &request->packet->vps);
 327 }
 328
 329 static int attr_filter_accounting(void *instance, REQUEST *request)
 330 {
 331         return attr_filter_common(instance, request, &request->reply->vps);
 332 }
 333
 334 static int attr_filter_preproxy(void *instance, REQUEST *request)
 335 {
 336         return attr_filter_common(instance, request, &request->proxy->vps);
 337 }
 338
 339 static int attr_filter_postproxy(void *instance, REQUEST *request)
 340 {
 341         return attr_filter_common(instance, request, &request->proxy_reply->vps);
 342 }
 343
 344 static int attr_filter_postauth(void *instance, REQUEST *request)
 345 {
 346         return attr_filter_common(instance, request, &request->reply->vps);
 347 }
 348
 349 static int attr_filter_authorize(void *instance, REQUEST *request)
 350 {
 351         return attr_filter_common(instance, request, &request->packet->vps);
 352 }
 353
 354
 355 /* globally exported name */
 356 module_t rlm_attr_filter = {
 357         RLM_MODULE_INIT,
 358         "attr_filter",
 359         RLM_TYPE_CHECK_CONFIG_SAFE | RLM_TYPE_HUP_SAFE,         /* type */
 360         attr_filter_instantiate,        /* instantiation */
 361         attr_filter_detach,             /* detach */
 362         {
 363                 NULL,                   /* authentication */
 364                 attr_filter_authorize,  /* authorization */
 365                 attr_filter_preacct,    /* pre-acct */
 366                 attr_filter_accounting, /* accounting */
 367                 NULL,                   /* checksimul */
 368                 attr_filter_preproxy,   /* pre-proxy */
 369                 attr_filter_postproxy,  /* post-proxy */
 370                 attr_filter_postauth    /* post-auth */
 371         },
 372 };
 373