2 * rlm_attr_filter.c - Filter A/V Pairs received back from proxy reqs
3 * before sending reply to the NAS/Server that sent
8 * This program is is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License, version 2 if the
10 * License as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
21 * Copyright (C) 2001 The FreeRADIUS server project
22 * Copyright (C) 2001 Chris Parker <cparker@starnetusa.net>
26 #include "libradius.h"
44 static const char rcsid[] = "$Id$";
46 struct attr_filter_instance {
52 static int check_pair(VALUE_PAIR *check_item, VALUE_PAIR *reply_item,
53 int comp, int *pa, int *fa) {
57 switch(check_item->operator) {
59 case T_OP_SET: /* nothing to do for set */
63 radlog(L_ERR, "Invalid operator for item %s: "
64 "reverting to '=='", check_item->name);
66 case T_OP_CMP_TRUE: /* comp always == 0 */
67 case T_OP_CMP_FALSE: /* comp always == 1 */
117 regcomp(®, (char *)check_item->strvalue, 0);
118 comp = regexec(®, (char *)reply_item->strvalue,
129 regcomp(®, (char *)check_item->strvalue, 0);
130 comp = regexec(®, (char *)reply_item->strvalue,
145 * Copy the specified attribute to the specified list
147 static void mypairappend(VALUE_PAIR *item, VALUE_PAIR **to)
150 tmp = paircreate(item->attribute, item->type);
152 radlog(L_ERR|L_CONS, "no memory");
156 case PW_TYPE_INTEGER:
159 tmp->lvalue = item->lvalue;
162 memcpy((char *)tmp->strvalue, (char *)item->strvalue, item->length);
163 tmp->length = item->length;
170 * See if a VALUE_PAIR list contains Fall-Through = Yes
172 static int fallthrough(VALUE_PAIR *vp)
176 tmp = pairfind(vp, PW_FALL_THROUGH);
178 return tmp ? tmp->lvalue : 0;
181 static CONF_PARSER module_config[] = {
182 { "attrsfile", PW_TYPE_STRING_PTR,
183 offsetof(struct attr_filter_instance,attrsfile), NULL, "${raddbdir}/attrs" },
184 { NULL, -1, 0, NULL, NULL }
187 static int getattrsfile(const char *filename, PAIR_LIST **pair_list)
190 PAIR_LIST *attrs = NULL;
194 rcode = pairlist_read(filename, &attrs, 1);
200 * Walk through the 'attrs' file list.
206 entry->check = entry->reply;
209 for (vp = entry->check; vp != NULL; vp = vp->next) {
212 * If it's NOT a vendor attribute,
213 * and it's NOT a wire protocol
214 * and we ignore Fall-Through,
215 * then bitch about it, giving a good warning message.
217 if (!(vp->attribute & ~0xffff) &&
218 (vp->attribute > 0xff) &&
219 (vp->attribute > 1000)) {
220 log_debug("[%s]:%d WARNING! Check item \"%s\"\n"
221 "\tfound in filter list for realm \"%s\".\n",
222 filename, entry->lineno, vp->name,
235 * (Re-)read the "attrs" file into memory.
237 static int attr_filter_instantiate(CONF_SECTION *conf, void **instance)
239 struct attr_filter_instance *inst;
242 inst = rad_malloc(sizeof *inst);
246 memset(inst, 0, sizeof(*inst));
248 if (cf_section_parse(conf, inst, module_config) < 0) {
253 rcode = getattrsfile(inst->attrsfile, &inst->attrs);
255 radlog(L_ERR|L_CONS, "Errors reading %s", inst->attrsfile);
256 free(inst->attrsfile);
260 radlog(L_ERR|L_CONS, " rlm_attr_filter: Authorize method will be"\
266 static int attr_filter_authorize(void *instance, REQUEST *request)
268 struct attr_filter_instance *inst = instance;
269 VALUE_PAIR *request_pairs;
270 VALUE_PAIR **reply_items;
271 VALUE_PAIR *reply_item;
272 VALUE_PAIR *reply_tmp = NULL;
273 VALUE_PAIR *check_item;
278 VALUE_PAIR *realmpair;
283 * It's not a proxy reply, so return NOOP
286 if( request->proxy == NULL ) {
287 return( RLM_MODULE_NOOP );
290 request_pairs = request->packet->vps;
291 reply_items = &request->reply->vps;
294 * Get the realm. Can't use request->config_items as
295 * that gets freed by rad_authenticate.... use the one
296 * set in the original request vps
298 realmpair = pairfind(request_pairs, PW_REALM);
300 /* Can't find a realm, so no filtering of attributes
301 * or should we use a DEFAULT entry?
302 * For now, just return NOTFOUND. (maybe NOOP?)
304 return RLM_MODULE_NOTFOUND;
307 realmname = (char *) realmpair->strvalue;
308 realm = realm_find(realmname, FALSE);
311 * Find the attr_filter profile entry for the realm.
313 for(pl = inst->attrs; pl; pl = pl->next) {
316 * If the current entry is NOT a default,
317 * AND the realm does NOT match the current entry,
318 * then skip to the next entry.
320 if ( (strcmp(pl->name, "DEFAULT") != 0) &&
321 (strcmp(realmname, pl->name) != 0) ) {
325 DEBUG2(" attr_filter: Matched entry %s at line %d", pl->name,
329 check_item = pl->check;
331 while( check_item != NULL ) {
334 * If it is a SET operator, add the attribute to
335 * the reply list without checking reply_items.
339 if( check_item->operator == T_OP_SET ) {
340 mypairappend(check_item, &reply_tmp);
342 check_item = check_item->next;
347 * Iterate through the reply items, comparing each reply item
348 * to every rule, then moving it to the reply_tmp list
349 * only if it matches all rules for that attribute.
350 * IE, Idle-Timeout is moved only if it matches all rules that
351 * describe an Idle-Timeout.
354 for(reply_item = *reply_items;
356 reply_item = reply_item->next ) {
358 /* reset the pass,fail vars for each reply item */
361 /* reset the check_item pointer to beginning of the list */
362 check_item = pl->check;
364 while( check_item != NULL ) {
366 if(reply_item->attribute == check_item->attribute) {
368 compare = simplepaircmp(request, reply_item,
370 check_pair(check_item, reply_item, compare,
374 check_item = check_item->next;
378 /* only move attribute if it passed all rules */
379 if (fail == 0 && pass > 0) {
380 mypairappend( reply_item, &reply_tmp);
385 /* If we shouldn't fall through, break */
386 if(!fallthrough(pl->check))
390 pairfree(&request->reply->vps);
391 request->reply->vps = reply_tmp;
394 * See if we succeeded. If we didn't find the realm,
395 * then exit from the module.
398 return RLM_MODULE_OK;
401 * Remove server internal parameters.
403 pairdelete(reply_items, PW_FALL_THROUGH);
405 return RLM_MODULE_UPDATED;
408 static int attr_filter_accounting(void *instance, REQUEST *request)
410 struct attr_filter_instance *inst = instance;
411 VALUE_PAIR *request_pairs;
412 VALUE_PAIR *send_item;
413 VALUE_PAIR *send_tmp = NULL;
414 VALUE_PAIR *check_item;
419 VALUE_PAIR *realmpair;
423 * Accounting is similar to pre-proxy.
424 * Here we are concerned with what we are going to forward to
425 * the remote server as opposed to concerns with what we will send
426 * to the NAS based on a proxy reply to an auth request.
429 if (request->packet->code != PW_ACCOUNTING_REQUEST) {
430 return (RLM_MODULE_NOOP);
433 request_pairs = request->packet->vps;
435 /* Get the realm from the original request vps. */
436 realmpair = pairfind(request_pairs, PW_REALM);
439 /* If there is no realm...NOOP */
440 return (RLM_MODULE_NOOP);
443 realmname = (char *) realmpair->strvalue;
444 realm = realm_find (realmname, FALSE);
447 * Find the attr_filter profile entry for the realm
449 for (pl = inst->attrs; pl; pl = pl->next) {
452 * If the current entry is NOT a default,
453 * AND the realm does not match the current entry,
454 * then skip to the next entry.
456 if ( (strcmp(pl->name, "DEFAULT") != 0) &&
457 (strcasecmp(realmname, pl->name) != 0) ) {
461 DEBUG2(" attr_filter: Matched entry %s at line %d", pl->name,
465 check_item = pl->check;
467 while (check_item != NULL) {
470 * If it is a SET operator, add the attribute to
471 * the send list w/out checking.
474 if (check_item->operator == T_OP_SET) {
475 mypairappend(check_item, &send_tmp);
477 check_item = check_item->next;
480 * Iterate through the request_pairs (items sent from NAS).
481 * Compare each pair to every rule for this realm/DEFAULT.
482 * Move an item to send_tmp if it matches all rules for
483 * attribute in question.
485 for (send_item = request_pairs; send_item != NULL;
486 send_item = send_item->next ) {
488 /* reset the pass/fail vars for each packet->vp. */
491 /* reset the check_item pointer to beginning of the list */
492 check_item = pl->check;
494 while (check_item != NULL) {
495 if (send_item->attribute == check_item->attribute) {
497 compare = simplepaircmp(request, send_item,
499 check_pair(check_item, send_item, compare,
503 check_item = check_item->next;
505 /* only send if attribute passed all rules */
506 if (fail == 0 && pass > 0) {
507 mypairappend (send_item, &send_tmp);
510 if (!fallthrough(pl->check))
513 pairfree (&request->packet->vps);
514 request->packet->vps = send_tmp;
517 * See if we succeeded. If we didn't find the realm,
518 * then exit from the module.
521 return RLM_MODULE_OK;
524 * Remove server internal paramters.
526 pairdelete(&send_tmp, PW_FALL_THROUGH);
528 return RLM_MODULE_UPDATED;
531 static int attr_filter_preproxy (void *instance, REQUEST *request)
533 struct attr_filter_instance *inst = instance;
534 VALUE_PAIR *request_pairs;
535 VALUE_PAIR *send_item;
536 VALUE_PAIR *send_tmp = NULL;
537 VALUE_PAIR *check_item;
542 VALUE_PAIR *realmpair;
548 * concerned with what we are going to forward to
549 * to the remote server as opposed to we will do with
550 * with the remote servers' repsonse pairs. Consequently,
551 * we deal with modifications to the request->packet->vps;
553 request_pairs = request->proxy->vps;
554 if (request->packet->code != PW_AUTHENTICATION_REQUEST) {
555 return (RLM_MODULE_NOOP);
557 realmpair = pairfind(request_pairs, PW_REALM);
559 return (RLM_MODULE_NOOP);
562 realmname = (char *)realmpair->strvalue;
563 realm = realm_find(realmname, FALSE);
565 for (pl = inst->attrs; pl; pl = pl->next) {
566 if ( (strcmp(pl->name, "DEFAULT") != 0) &&
567 (strcasecmp(realmname, pl->name) != 0) ) {
571 DEBUG2(" attr_filter: Matched entry %s at line %d", pl->name,
575 check_item = pl->check;
577 while (check_item != NULL) {
580 * Append all SET operator attributes with no check.
582 if (check_item->operator == T_OP_SET) {
583 mypairappend(check_item, &send_tmp);
585 check_item = check_item->next;
588 * Iterate through the request_pairs (items sent from NAS).
589 * Compare each pair to every rule for this realm/DEFAULT.
590 * Move an item to send_tmp if it matches all rules for
591 * attribute in question.
593 for (send_item = request_pairs;
595 send_item = send_item->next ) {
597 /* reset the pass/fail vars for each packet->vp. */
600 /* reset the check_item to the beginning */
601 check_item = pl->check;
604 * compare each packet->vp to the entire list of
605 * check_items for this realm.
607 while (check_item != NULL) {
608 if (send_item->attribute == check_item->attribute) {
610 compare = simplepaircmp(request, send_item,
612 check_pair(check_item, send_item, compare,
617 check_item = check_item->next;
620 /* only send if attribute passed all rules */
621 if (fail == 0 && pass > 0) {
622 mypairappend (send_item, &send_tmp);
625 if (!fallthrough(pl->check))
628 pairfree (&request->proxy->vps);
629 request->proxy->vps = send_tmp;
632 return RLM_MODULE_OK;
633 pairdelete(&send_tmp, PW_FALL_THROUGH);
634 return RLM_MODULE_UPDATED;
637 static int attr_filter_postproxy(void *instance, REQUEST *request)
639 struct attr_filter_instance *inst = instance;
640 VALUE_PAIR *request_pairs;
641 VALUE_PAIR **reply_items;
642 VALUE_PAIR *reply_item;
643 VALUE_PAIR *reply_tmp = NULL;
644 VALUE_PAIR *check_item;
649 VALUE_PAIR *realmpair;
653 * It's not a proxy reply, so return NOOP
656 if( request->proxy == NULL ) {
657 return( RLM_MODULE_NOOP );
660 request_pairs = request->packet->vps;
661 reply_items = &request->proxy_reply->vps;
664 * Get the realm. Can't use request->config_items as
665 * that gets freed by rad_authenticate.... use the one
666 * set in the original request vps
668 realmpair = pairfind(request_pairs, PW_REALM);
670 /* Can't find a realm, so no filtering of attributes
671 * or should we use a DEFAULT entry?
672 * For now, just return NOTFOUND. (maybe NOOP?)
674 return RLM_MODULE_NOTFOUND;
677 realmname = (char *) realmpair->strvalue;
679 realm = realm_find(realmname, FALSE);
682 * Find the attr_filter profile entry for the realm.
684 for(pl = inst->attrs; pl; pl = pl->next) {
687 * If the current entry is NOT a default,
688 * AND the realm does NOT match the current entry,
689 * then skip to the next entry.
691 if ( (strcmp(pl->name, "DEFAULT") != 0) &&
692 (strcmp(realmname, pl->name) != 0) ) {
696 DEBUG2(" attr_filter: Matched entry %s at line %d", pl->name,
700 check_item = pl->check;
702 while( check_item != NULL ) {
705 * If it is a SET operator, add the attribute to
706 * the reply list without checking reply_items.
709 if( check_item->operator == T_OP_SET ) {
710 mypairappend(check_item, &reply_tmp);
712 check_item = check_item->next;
717 * Iterate through the reply items,
718 * comparing each reply item to every rule,
719 * then moving it to the reply_tmp list only if it matches all
720 * rules for that attribute.
721 * IE, Idle-Timeout is moved only if it matches
722 * all rules that describe an Idle-Timeout.
725 for( reply_item = *reply_items; reply_item != NULL;
726 reply_item = reply_item->next ) {
728 /* reset the pass,fail vars for each reply item */
731 /* reset the check_item pointer to beginning of the list */
732 check_item = pl->check;
734 while( check_item != NULL ) {
736 if(reply_item->attribute == check_item->attribute) {
738 compare = simplepaircmp(request, reply_item,
740 check_pair(check_item, reply_item, compare,
744 check_item = check_item->next;
748 /* only move attribute if it passed all rules */
749 if (fail == 0 && pass > 0) {
750 mypairappend( reply_item, &reply_tmp);
755 /* If we shouldn't fall through, break */
756 if(!fallthrough(pl->check))
760 pairfree(&request->proxy_reply->vps);
761 request->proxy_reply->vps = reply_tmp;
764 * See if we succeeded. If we didn't find the realm,
765 * then exit from the module.
768 return RLM_MODULE_OK;
771 * Remove server internal parameters.
773 pairdelete(reply_items, PW_FALL_THROUGH);
775 return RLM_MODULE_UPDATED;
781 static int attr_filter_detach(void *instance)
783 struct attr_filter_instance *inst = instance;
784 pairlist_free(&inst->attrs);
785 free(inst->attrsfile);
791 /* globally exported name */
792 module_t rlm_attr_filter = {
794 0, /* type: reserved */
795 NULL, /* initialization */
796 attr_filter_instantiate, /* instantiation */
798 NULL, /* authentication */
799 attr_filter_authorize, /* authorization */
800 NULL, /* preaccounting */
801 attr_filter_accounting, /* accounting */
802 NULL, /* checksimul */
803 attr_filter_preproxy, /* pre-proxy */
804 attr_filter_postproxy, /* post-proxy */
807 attr_filter_detach, /* detach */