2 * evaluate.c Evaluate a policy language
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2004 Alan DeKok <aland@ox.org>
21 * Copyright 2006 The FreeRADIUS server project
24 #include <freeradius-devel/ident.h>
27 #include "rlm_policy.h"
33 #define debug_evaluate if (0) printf
36 * Print stuff we've parsed
38 static void policy_print(const policy_item_t *item, int indent)
41 if (indent) fprintf(fr_log_fp, "%*s", indent, " ");
42 fprintf(fr_log_fp, "[NULL]\n");
49 if (indent) fprintf(fr_log_fp, "%*s", indent, " ");
50 fprintf(fr_log_fp, "[BAD STATEMENT]");
53 case POLICY_TYPE_PRINT:
54 if (indent) fprintf(fr_log_fp, "%*s", indent, " ");
56 const policy_print_t *this;
58 this = (const policy_print_t *) item;
60 if (this->rhs_type == POLICY_LEX_BARE_WORD) {
61 fprintf(fr_log_fp, "print %s\n", this->rhs);
63 fprintf(fr_log_fp, "print \"%s\"\n", this->rhs);
68 case POLICY_TYPE_ASSIGNMENT:
70 const policy_assignment_t *assign;
72 assign = (const policy_assignment_t *) item;
73 if (indent) fprintf(fr_log_fp, "%*s", indent, " ");
75 fprintf(fr_log_fp, "\t%s %s ", assign->lhs,
76 fr_int2str(rlm_policy_tokens,
77 assign->assign, "?"));
78 if (assign->rhs_type == POLICY_LEX_BARE_WORD) {
79 fprintf(fr_log_fp, "%s\n", assign->rhs);
84 fprintf(fr_log_fp, "\"%s\"\n", assign->rhs);
89 case POLICY_TYPE_CONDITIONAL: /* no indentation here */
91 const policy_condition_t *condition;
93 condition = (const policy_condition_t *) item;
95 fprintf(fr_log_fp, "(");
97 if (condition->sense) {
98 fprintf(fr_log_fp, "!");
104 if (condition->compare == POLICY_LEX_L_BRACKET) {
105 policy_print(condition->child, indent);
106 fprintf(fr_log_fp, ")");
110 if (condition->compare == POLICY_LEX_L_NOT) {
111 fprintf(fr_log_fp, "!");
112 policy_print(condition->child, indent);
113 fprintf(fr_log_fp, ")");
117 if (condition->compare == POLICY_LEX_CMP_TRUE) {
118 fprintf(fr_log_fp, "%s)", condition->lhs);
122 if (condition->lhs_type == POLICY_LEX_FUNCTION) {
123 fprintf(fr_log_fp, "%s()", condition->lhs);
127 * and move all of this logic
130 fprintf(fr_log_fp, "\"%s\"", condition->lhs);
134 * We always print this condition.
136 fprintf(fr_log_fp, " %s ", fr_int2str(rlm_policy_tokens,
139 if (condition->rhs_type == POLICY_LEX_BARE_WORD) {
140 fprintf(fr_log_fp, "%s", condition->rhs);
144 * and move all of this logic
147 fprintf(fr_log_fp, "\"%s\"", condition->rhs);
149 fprintf(fr_log_fp, ")");
151 if ((condition->child_condition != POLICY_LEX_BAD) &&
152 (condition->child_condition != POLICY_LEX_BARE_WORD)) {
153 fprintf(fr_log_fp, " %s ", fr_int2str(rlm_policy_tokens, condition->child_condition, "?"));
154 policy_print(condition->child, indent);
161 const policy_if_t *statement;
163 statement = (const policy_if_t *) item;
165 if (indent) fprintf(fr_log_fp, "%*s", indent, " ");
166 fprintf(fr_log_fp, "if ");
167 policy_print(statement->condition, indent);
168 fprintf(fr_log_fp, " {\n");
169 policy_print(statement->if_true, indent + 1);
170 if (indent) fprintf(fr_log_fp, "%*s", indent, " ");
171 if (statement->if_false) {
172 fprintf(fr_log_fp, "} else ");
173 if (statement->if_false->type == POLICY_TYPE_ASSIGNMENT) {
174 fprintf(fr_log_fp, " { ");
175 policy_print(statement->if_false, indent + 1);
176 if (indent) fprintf(fr_log_fp, "%*s", indent, " ");
177 fprintf(fr_log_fp, " }");
179 policy_print(statement->if_false, indent + 1);
182 fprintf(fr_log_fp, "}\n");
187 case POLICY_TYPE_ATTRIBUTE_LIST:
189 const policy_attributes_t *this;
191 this = (const policy_attributes_t *) item;
193 if (indent) fprintf(fr_log_fp, "%*s", indent, " ");
194 fprintf(fr_log_fp, "%s %s {\n",
195 fr_int2str(policy_reserved_words,
197 fr_int2str(rlm_policy_tokens,
199 policy_print(this->attributes, indent + 1);
200 if (indent) fprintf(fr_log_fp, "%*s", indent, " ");
201 fprintf(fr_log_fp, "}\n");
205 case POLICY_TYPE_NAMED_POLICY:
207 const policy_named_t *this;
209 this = (const policy_named_t *) item;
210 if (indent) fprintf(fr_log_fp, "%*s", indent, " ");
211 fprintf(fr_log_fp, "policy %s {\n", this->name);
212 policy_print(this->policy, indent + 1);
213 if (indent) fprintf(fr_log_fp, "%*s", indent, " ");
214 fprintf(fr_log_fp, "}\n");
218 case POLICY_TYPE_CALL:
220 const policy_call_t *this;
222 this = (const policy_call_t *) item;
223 if (indent) fprintf(fr_log_fp, "%*s", indent, " ");
224 fprintf(fr_log_fp, "call %s\n", this->name);
228 case POLICY_TYPE_RETURN:
230 const policy_return_t *this;
232 this = (const policy_return_t *) item;
233 if (indent) fprintf(fr_log_fp, "%*s", indent, " ");
234 fprintf(fr_log_fp, "return %s\n",
235 fr_int2str(policy_return_codes,
236 this->rcode, "???"));
240 case POLICY_TYPE_MODULE:
242 const policy_module_t *this;
244 this = (const policy_module_t *) item;
245 if (indent) fprintf(fr_log_fp, "%*s", indent, " ");
246 fprintf(fr_log_fp, "module %s <stuff>\n",
247 fr_int2str(policy_component_names,
248 this->component, "???"));
253 if (indent) fprintf(fr_log_fp, "%*s", indent, " ");
254 fprintf(fr_log_fp, "[HUH?]\n");
264 void rlm_policy_print(const policy_item_t *item)
266 if (!fr_log_fp) return;
268 fprintf(fr_log_fp, "# rlm_policy \n");
269 policy_print(item, 0);
273 * Internal stack of things to do. This lets us have function
276 * Yes, we should learn lex, yacc, etc.
278 #define POLICY_MAX_STACK 16
279 typedef struct policy_state_t {
281 REQUEST *request; /* so it's not passed on the C stack */
282 int rcode; /* for functions, etc. */
283 int component; /* for calling other modules */
285 const policy_item_t *stack[POLICY_MAX_STACK];
289 static int policy_evaluate_name(policy_state_t *state, const char *name);
292 * Push an item onto the state.
294 static int policy_stack_push(policy_state_t *state, const policy_item_t *item)
296 rad_assert(state->depth >= 0);
299 * Asked to push nothing. Don't push it.
304 * State is full. Die.
306 if (state->depth >= POLICY_MAX_STACK) {
311 * Walk back up the stack, looking for previous ocurrances
312 * of this name. If found, we have infinite recursion,
313 * which we stop dead in the water!
315 * This isn't strictly necessary right now, as we look up
316 * policies by name when they're first referenced. This
317 * means that ALL references are backwards (to the start
318 * of the file), which means that there are no circular
321 if (item->type == POLICY_TYPE_NAMED_POLICY) {
324 for (i = 0; i < state->depth; i++) {
326 * Check for circular references, by seeing
327 * if the function is already on the stack.
329 * Hmmm... do we want to do this for any type?
331 if (state->stack[i] == item) {
332 debug_evaluate("Circular call to policy %s\n",
333 ((const policy_named_t *) item)->name);
339 debug_evaluate("push %d %p\n", state->depth, item);
341 state->stack[state->depth] = item;
342 state->depth++; /* points to unused entry */
349 * Pop an item from the state.
351 static int policy_stack_pop(policy_state_t *state, const policy_item_t **pitem)
353 rad_assert(pitem != NULL);
354 rad_assert(state->depth >= 0);
357 if (state->depth == 0) {
362 *pitem = state->stack[state->depth - 1];
365 * Named policies are on the stack for catching recursion.
367 if ((*pitem)->type == POLICY_TYPE_NAMED_POLICY) {
373 * Process the whole item list.
375 if ((*pitem)->next) {
376 state->stack[state->depth - 1] = (*pitem)->next;
377 debug_evaluate("pop/push %d %p\n", state->depth - 1, *pitem);
379 state->depth--; /* points to unused entry */
380 debug_evaluate("pop %d %p\n", state->depth, *pitem);
388 * Evaluate a print statement
390 static int evaluate_print(policy_state_t *state, const policy_item_t *item)
392 const policy_print_t *this;
394 if (!fr_log_fp) return 1;
396 this = (const policy_print_t *) item;
398 if (this->rhs_type == POLICY_LEX_BARE_WORD) {
399 fprintf(fr_log_fp, "%s\n", this->rhs);
403 radius_xlat(buffer, sizeof(buffer), this->rhs,
404 state->request, NULL);
405 fprintf(fr_log_fp, "%s", buffer);
406 if (!strchr(buffer, '\n')) fprintf(fr_log_fp, "\n");
410 * Doesn't change state->rcode
417 * Return a VALUE_PAIR, given an attribute name.
419 * FIXME: Have it return the N'th one, too, like
422 * The amount of duplicated code is getting annoying...
424 static VALUE_PAIR *find_vp(REQUEST *request, const char *name)
427 const DICT_ATTR *dattr;
431 vps = request->packet->vps;;
434 * FIXME: use names from reserved word list?
436 if (strncasecmp(name, "request:", 8) == 0) {
438 } else if (strncasecmp(name, "reply:", 6) == 0) {
440 vps = request->reply->vps;
441 } else if (strncasecmp(name, "proxy-request:", 14) == 0) {
443 if (request->proxy) {
444 vps = request->proxy->vps;
446 } else if (strncasecmp(name, "proxy-reply:", 12) == 0) {
448 if (request->proxy_reply) {
449 vps = request->proxy_reply->vps;
451 } else if (strncasecmp(name, "control:", 8) == 0) {
453 vps = request->config_items;
454 } /* else it must be a bare attribute name */
460 dattr = dict_attrbyname(p);
462 fprintf(stderr, "No such attribute %s\n", p);
463 return NULL; /* no such attribute */
466 return pairfind(vps, dattr->attr, dattr->vendor);
471 * Evaluate an assignment
473 * Not really used much...
475 static int evaluate_assignment(UNUSED policy_state_t *state, const policy_item_t *item)
477 const policy_assignment_t *this;
479 const DICT_ATTR *dattr;
482 this = (const policy_assignment_t *) item;
484 rad_assert(this->lhs != NULL);
485 rad_assert(this->rhs != NULL);
488 dattr = dict_attrbyname(this->lhs);
490 fprintf(stderr, "HUH?\n");
500 * Evaluate a condition
502 static int evaluate_condition(policy_state_t *state, const policy_item_t *item)
505 const policy_condition_t *this;
506 VALUE_PAIR *vp = NULL;
507 const char *data = NULL;
513 char lhs_buffer[2048];
515 this = (const policy_condition_t *) item;
519 * FIXME: Don't always do this...
521 if (this->compare != POLICY_LEX_L_BRACKET) {
522 if (this->lhs_type == POLICY_LEX_FUNCTION) {
524 * We can't call evaluate_call here,
525 * because that just pushes stuff onto
526 * the stack, and we want to actually
527 * evaluate all of it...
529 rcode = policy_evaluate_name(state, this->lhs);
530 data = fr_int2str(policy_return_codes, rcode, "???");
531 strlcpy(lhs_buffer, data, sizeof(lhs_buffer)); /* FIXME: yuck */
532 } else if (this->lhs_type == POLICY_LEX_DOUBLE_QUOTED_STRING) {
533 if (radius_xlat(lhs_buffer, sizeof(lhs_buffer), this->lhs,
534 state->request, NULL) > 0) {
540 switch (this->compare) {
541 case POLICY_LEX_L_BRACKET: /* nested brackets are a special case */
542 rcode = evaluate_condition(state, this->child);
545 case POLICY_LEX_L_NOT:
546 rcode = evaluate_condition(state, this->child);
547 rcode = (rcode == FALSE); /* reverse sense of test */
550 case POLICY_LEX_CMP_FALSE: /* non-existence */
551 if (this->lhs_type == POLICY_LEX_BARE_WORD) {
552 vp = find_vp(state->request, this->lhs);
553 rcode = (vp == NULL);
555 rcode = (data == NULL);
559 case POLICY_LEX_CMP_TRUE: /* existence */
560 if (this->lhs_type == POLICY_LEX_BARE_WORD) {
561 vp = find_vp(state->request, this->lhs);
562 rcode = (vp != NULL);
564 rcode = (data != NULL);
568 default: /* process other comparisons */
569 if ((this->compare != POLICY_LEX_CMP_EQUALS) &&
571 (this->compare != POLICY_LEX_RX_EQUALS) &&
572 (this->compare != POLICY_LEX_RX_NOT_EQUALS) &&
574 (this->compare != POLICY_LEX_LT) &&
575 (this->compare != POLICY_LEX_GT) &&
576 (this->compare != POLICY_LEX_LE) &&
577 (this->compare != POLICY_LEX_GE) &&
578 (this->compare != POLICY_LEX_CMP_NOT_EQUALS)) {
579 fprintf(stderr, "%d: bad comparison\n",
584 if (this->lhs_type == POLICY_LEX_BARE_WORD) {
587 vp = find_vp(state->request, this->lhs);
590 * A op B is FALSE if A doesn't
599 * FIXME: Move sanity checks to
600 * post-parse code, so we don't do
601 * it on every packet.
603 vp_prints_value(buffer, sizeof(buffer), vp, 0);
604 myvp = pairmake(vp->name, this->rhs, T_OP_EQ);
605 if (!myvp) return FALSE; /* memory failure */
609 * FIXME: What to do about comparisons
610 * where vp doesn't exist? Right now,
611 * "simplepaircmp" returns -1, which is
612 * probably a bad idea. it should
613 * instead take an operator, a pointer to
614 * the comparison result, and return
615 * "true/false" for "comparions
616 * succeeded/failed", which are different
617 * error codes than "comparison is less
618 * than, equal to, or greater than zero".
620 compare = radius_callback_compare(state->request,
621 vp, myvp, NULL, NULL);
626 * FIXME: Do something for RHS type?
628 fr_printf_log("CMP %s %s\n", lhs_buffer, this->rhs);
629 compare = strcmp(lhs_buffer, this->rhs);
632 debug_evaluate("CONDITION COMPARE %d\n", compare);
634 switch (this->compare) {
635 case POLICY_LEX_CMP_EQUALS:
636 rcode = (compare == 0);
639 case POLICY_LEX_CMP_NOT_EQUALS:
640 rcode = (compare != 0);
644 rcode = (compare < 0);
648 rcode = (compare > 0);
652 rcode =(compare <= 0);
656 rcode = (compare >= 0);
660 case POLICY_LEX_RX_EQUALS:
661 { /* FIXME: copied from src/main/valuepair.c */
663 regmatch_t rxmatch[REQUEST_MAX_REGEX + 1];
666 * Include substring matches.
668 if (regcomp(®, this->rhs,
669 REG_EXTENDED) != 0) {
670 /* FIXME: print error */
673 rad_assert(data != NULL);
674 rcode = regexec(®, data,
675 REQUEST_MAX_REGEX + 1,
677 rcode = (rcode == 0);
681 * Add %{0}, %{1}, etc.
683 for (i = 0; i <= REQUEST_MAX_REGEX; i++) {
688 * Didn't match: delete old
689 * match, if it existed.
692 (rxmatch[i].rm_so == -1)) {
693 p = request_data_get(state->request, state->request,
694 REQUEST_DATA_REGEX | i);
708 * Copy substring into buffer.
711 data + rxmatch[i].rm_so,
712 rxmatch[i].rm_eo - rxmatch[i].rm_so);
713 rxbuffer[rxmatch[i].rm_eo - rxmatch[i].rm_so] = '\0';
716 * Copy substring, and add it to
719 * Note that we don't check
720 * for out of memory, which is
721 * the only error we can get...
723 p = strdup(rxbuffer);
724 request_data_add(state->request,
726 REQUEST_DATA_REGEX | i,
733 case POLICY_LEX_RX_NOT_EQUALS:
734 regcomp(®, this->rhs, REG_EXTENDED|REG_NOSUB);
735 rad_assert(data != NULL);
736 rcode = regexec(®, data,
738 rcode = (rcode != 0);
741 #endif /* HAVE_REGEX_H */
745 } /* switch over comparison operators */
746 break; /* default from first switch over compare */
749 if (this->sense) rcode = (rcode == FALSE); /* reverse sense of test */
754 switch (this->child_condition) {
758 case POLICY_LEX_L_AND:
759 if (!rcode) return rcode; /* FALSE && x == FALSE */
762 case POLICY_LEX_L_OR:
763 if (rcode) return rcode; /* TRUE && x == TRUE */
770 this = (const policy_condition_t *) this->child;
773 return 1; /* should never reach here */
778 * Evaluate an 'if' statement
780 static int evaluate_if(policy_state_t *state, const policy_item_t *item)
783 const policy_if_t *this;
785 this = (const policy_if_t *) item;
788 * evaluate_condition calls itself recursively.
789 * We should probably allocate a new state, instead.
791 rcode = evaluate_condition(state, this->condition);
792 debug_evaluate("IF condition returned %s\n",
793 rcode ? "true" : "false");
795 rcode = policy_stack_push(state, this->if_true);
796 if (!rcode) return rcode;
797 } else if (this->if_false) {
798 rcode = policy_stack_push(state, this->if_false);
799 if (!rcode) return rcode;
803 * 'if' can fail, if the block it's processing fails.
810 * Make a VALUE_PAIR from a policy_assignment_t*
812 * The assignment operator has to be '='.
814 static VALUE_PAIR *assign2vp(REQUEST *request,
815 const policy_assignment_t *assign)
818 FR_TOKEN operator = T_OP_EQ;
819 const char *value = assign->rhs;
822 if ((assign->rhs_type == POLICY_LEX_DOUBLE_QUOTED_STRING) &&
823 (strchr(assign->rhs, '%') != NULL)) {
824 radius_xlat(buffer, sizeof(buffer), assign->rhs,
830 * This is crappy.. fix it.
832 switch (assign->assign) {
833 case POLICY_LEX_ASSIGN:
837 case POLICY_LEX_SET_EQUALS:
841 case POLICY_LEX_PLUS_EQUALS:
846 fprintf(stderr, "Expected '=' for operator, not '%s' at line %d\n",
847 fr_int2str(rlm_policy_tokens,
848 assign->assign, "?"),
849 assign->item.lineno);
853 vp = pairmake(assign->lhs, value, operator);
855 fprintf(stderr, "Failed creating pair: %s %s\n", value, fr_strerror());
863 * Evaluate a 'packet .= {attrs}' statement
865 static int evaluate_attr_list(policy_state_t *state, const policy_item_t *item)
867 const policy_attributes_t *this;
868 VALUE_PAIR **vps = NULL;
869 VALUE_PAIR *vp, *head, **tail;
870 const policy_item_t *attr;
871 policy_lex_t this_how;
873 this = (const policy_attributes_t *) item;
875 switch (this->where) {
876 case POLICY_RESERVED_CONTROL:
877 vps = &(state->request->config_items);
880 case POLICY_RESERVED_REQUEST:
881 vps = &(state->request->packet->vps);
884 case POLICY_RESERVED_REPLY:
885 vps = &(state->request->reply->vps);
888 case POLICY_RESERVED_PROXY_REQUEST:
889 if (!state->request->proxy) return 0; /* FIXME: print error */
890 vps = &(state->request->proxy->vps);
893 case POLICY_RESERVED_PROXY_REPLY:
894 if (!state->request->proxy_reply) return 0; /* FIXME: print error */
895 vps = &(state->request->proxy_reply->vps);
905 for (attr = this->attributes; attr != NULL; attr = attr->next) {
906 if (attr->type != POLICY_TYPE_ASSIGNMENT) {
907 fprintf(stderr, "bad assignment in attribute list at line %d\n", attr->lineno);
912 vp = assign2vp(state->request, (const policy_assignment_t *) attr);
914 fprintf(stderr, "Failed to allocate VP\n");
922 this_how = this->how;
925 case POLICY_LEX_SET_EQUALS: /* dangerous: removes all previous things! */
930 case POLICY_LEX_AFTER_TAIL_ASSIGN:
931 pairmove(vps, &head);
935 case POLICY_LEX_ASSIGN: /* 'union' */
936 pairmove(vps, &head);
940 case POLICY_LEX_BEFORE_HEAD_ASSIGN:
941 pairmove(&head, vps);
946 case POLICY_LEX_AFTER_TAIL_EQUALS:
947 case POLICY_LEX_CONCAT_EQUALS:
951 case POLICY_LEX_BEFORE_HEAD_EQUALS:
952 pairadd(&head, *vps);
956 case POLICY_LEX_BEFORE_WHERE_EQUALS:
957 case POLICY_LEX_AFTER_WHERE_EQUALS:
958 case POLICY_LEX_BEFORE_WHERE_ASSIGN:
959 case POLICY_LEX_AFTER_WHERE_ASSIGN:
962 VALUE_PAIR *vpprev = NULL, *vpnext = NULL, *lvp;
964 for(lvp = *vps; lvp; vpprev = lvp, lvp = lvp->next) {
967 if (evaluate_condition(state, this->where_loc))
974 case POLICY_LEX_BEFORE_WHERE_EQUALS:
975 case POLICY_LEX_BEFORE_WHERE_ASSIGN:
982 default: /* always reached */
987 case POLICY_LEX_BEFORE_WHERE_EQUALS:
993 case POLICY_LEX_AFTER_WHERE_EQUALS:
996 case POLICY_LEX_BEFORE_WHERE_ASSIGN:
998 pairmove(&lvp, &head);
1004 case POLICY_LEX_AFTER_WHERE_ASSIGN:
1005 pairmove(&lvp, &head);
1008 default:/*never reached*/
1011 for( ; lvp && lvp->next; lvp = lvp->next);
1018 case POLICY_LEX_BEFORE_WHERE_EQUALS:
1019 this_how = POLICY_LEX_BEFORE_HEAD_EQUALS;
1021 case POLICY_LEX_AFTER_WHERE_EQUALS:
1022 this_how = POLICY_LEX_AFTER_TAIL_EQUALS;
1024 case POLICY_LEX_BEFORE_WHERE_ASSIGN:
1025 this_how = POLICY_LEX_BEFORE_HEAD_ASSIGN;
1027 case POLICY_LEX_AFTER_WHERE_ASSIGN:
1028 this_how = POLICY_LEX_AFTER_TAIL_ASSIGN;
1030 default: /*never reached*/
1038 fprintf(stderr, "HUH?\n");
1043 state->rcode = RLM_MODULE_UPDATED; /* we did stuff */
1050 * Evaluate a reference call to a module.
1052 static int evaluate_call(policy_state_t *state, const policy_item_t *item)
1055 const policy_call_t *this;
1056 const policy_named_t *policy;
1058 this = (const policy_call_t *) item;
1060 policy = rlm_policy_find(state->inst->policies, this->name);
1061 if (!policy) return 0; /* not found... */
1063 DEBUG2("rlm_policy: Evaluating policy %s", this->name);
1065 rad_assert(policy->policy->type != POLICY_TYPE_BAD);
1066 rad_assert(policy->policy->type < POLICY_TYPE_NUM_TYPES);
1069 * Push the name of the function onto the stack,
1070 * so that we can catch recursive calls.
1072 * The "pop" function will skip over it when it sees it.
1074 rcode = policy_stack_push(state, (const policy_item_t *) policy);
1080 * Push it onto the stack. Other code will take care of
1083 rcode = policy_stack_push(state, policy->policy);
1093 * Evaluate a return statement
1095 static int evaluate_return(policy_state_t *state, const policy_item_t *item)
1097 const policy_return_t *this;
1099 this = (const policy_return_t *) item;
1100 state->rcode = this->rcode;
1102 return 1; /* we succeeded */
1107 * Evaluate a module statement
1109 static int evaluate_module(policy_state_t *state, const policy_item_t *item)
1111 const policy_module_t *this;
1113 this = (const policy_module_t *) item;
1116 * Just to be paranoid. Maybe we want to loosen this
1117 * restriction in the future?
1119 if (this->component != state->component) {
1120 DEBUG2("rlm_policy: Cannot mix & match components");
1124 DEBUG2("rlm_policy: begin nested call");
1125 state->rcode = modcall(this->component, this->mc, state->request);
1126 DEBUG2("rlm_policy: end nested call");
1128 return 1; /* we succeeded */
1133 * State machine stuff.
1135 typedef int (*policy_evaluate_type_t)(policy_state_t *, const policy_item_t *);
1139 * MUST be kept in sync with policy_type_t
1141 static policy_evaluate_type_t evaluate_functions[POLICY_TYPE_NUM_TYPES] = {
1142 NULL, /* POLICY_TYPE_BAD */
1145 evaluate_assignment,
1148 NULL, /* define a named policy.. */
1156 * Evaluate a policy, keyed by name.
1158 static int policy_evaluate_name(policy_state_t *state, const char *name)
1161 const policy_item_t *this;
1162 policy_named_t mypolicy, *policy;
1164 mypolicy.name = name;
1165 policy = rbtree_finddata(state->inst->policies, &mypolicy);
1166 if (!policy) return RLM_MODULE_FAIL;
1168 DEBUG2("rlm_policy: Evaluating policy %s", name);
1170 rad_assert(policy->item.type != POLICY_TYPE_BAD);
1171 rad_assert(policy->item.type < POLICY_TYPE_NUM_TYPES);
1173 rcode = policy_stack_push(state, policy->policy);
1175 return RLM_MODULE_FAIL;
1179 * FIXME: Look for magic keywords like "return",
1180 * where the packet gets accepted/rejected/whatever
1182 while (policy_stack_pop(state, &this)) {
1183 rad_assert(this != NULL);
1184 rad_assert(this->type != POLICY_TYPE_BAD);
1185 rad_assert(this->type < POLICY_TYPE_NUM_TYPES);
1187 debug_evaluate("Evaluating at line %d\n",
1189 rcode = (*evaluate_functions[this->type])(state,
1192 return RLM_MODULE_FAIL;
1194 } /* loop until the stack is empty */
1196 return state->rcode;
1201 * Evaluate, which is pretty close to print, but we look at what
1204 int rlm_policy_evaluate(rlm_policy_t *inst, REQUEST *request, const char *name)
1207 policy_state_t *state;
1209 state = rad_malloc(sizeof(*state));
1210 memset(state, 0, sizeof(*state));
1211 state->request = request;
1213 state->rcode = RLM_MODULE_OK;
1214 state->component = fr_str2int(policy_component_names, name,
1215 RLM_COMPONENT_COUNT);
1217 rcode = policy_evaluate_name(state, name);
1221 return rcode; /* evaluated OK. */
projects / freeradius.git / blob