Massively cleaned up #include's, so they're in a consistent
1 /*
2  * rlm_policy.c         Implements a policy language
3  *
4  * Version:     $Id$
5  *
6  *   This program is free software; you can redistribute it and/or modify
7  *   it under the terms of the GNU General Public License as published by
8  *   the Free Software Foundation; either version 2 of the License, or
9  *   (at your option) any later version.
10  *
11  *   This program is distributed in the hope that it will be useful,
12  *   but WITHOUT ANY WARRANTY; without even the implied warranty of
13  *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  *   GNU General Public License for more details.
15  *
16  *   You should have received a copy of the GNU General Public License
17  *   along with this program; if not, write to the Free Software
18  *   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
19  *
20  * Copyright 2004  Alan DeKok <aland@ox.org>
21  * Copyright 2006  The FreeRADIUS server project
22  */
23
24 #include <freeradius-devel/ident.h>
25 RCSID("$Id$")
26
27 #include <freeradius-devel/radiusd.h>
28 #include <freeradius-devel/modules.h>
29
30 #include "rlm_policy.h"
31
/*
 *	Maps configuration file item names onto fields of rlm_policy_t.
 *
 *	Ownership note: the "filename" value is a heap string.  When the
 *	configuration parser re-reads the item it frees the previous
 *	string and stores a pointer to a freshly strdup'd copy, so no
 *	fixed-size buffer is involved and nothing can overflow.  The
 *	flip side is that the module owns the string and MUST free it
 *	when the instance is torn down.
 */
static const CONF_PARSER module_config[] = {
	{
		"filename",
		PW_TYPE_FILENAME,
		offsetof(rlm_policy_t, filename),
		NULL,
		NULL
	},

	/* Sentinel entry: a NULL name ends the list. */
	{ NULL, -1, 0, NULL, NULL }
};
47
48
/*
 *	Ordering callback for the red-black tree of named policies.
 *
 *	Both arguments are treated as policy_named_t and are ordered by
 *	their 'name' strings using strcmp().  Neither name may be NULL:
 *	strcmp() on a NULL pointer is undefined behaviour.
 */
static int policyname_cmp(const void *a, const void *b)
{
	const policy_named_t *left = a;
	const policy_named_t *right = b;

	return strcmp(left->name, right->name);
}
57
58
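/*
 *	Detach a policy instance and release everything it owns.
 *
 *	The instance owns three things: the "filename" string, which the
 *	configuration parser allocates (see the note on module_config),
 *	the red-black tree of named policies, and the instance structure
 *	itself.  All three are released here.  This function is also the
 *	error path of policy_instantiate(), so it must cope with an
 *	instance that is only partly set up: 'filename' and 'policies'
 *	may still be NULL.
 *
 *	Always returns 0.  The instance must not be used afterwards.
 */
static int policy_detach(void *instance)
{
	rlm_policy_t *inst = instance;

	/*
	 *	Previously leaked: the parser's strdup'd copy of the
	 *	file name was never freed.  free(NULL) is a no-op, so
	 *	no guard is needed for the "never configured" case.
	 */
	free(inst->filename);
	inst->filename = NULL;

	if (inst->policies) {
		rbtree_free(inst->policies);
		inst->policies = NULL;
	}

	free(inst);
	return 0;
}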
70
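/*
 *	Create one configured instance of the module.
 *
 *	Allocates the instance data, parses the module's configuration
 *	section into it, creates the tree that holds the named policies
 *	and loads the policy file named by the "filename" item.
 *
 *	Returns 0 and stores the instance in *instance on success.
 *	Returns -1 on any failure; in that case everything allocated so
 *	far has been released through policy_detach() and *instance is
 *	left untouched.
 */
static int policy_instantiate(CONF_SECTION *conf, void **instance)
{
	rlm_policy_t *inst;

	/*
	 *	Set up a zeroed storage area for instance data, so that
	 *	policy_detach() can be called safely at any later point.
	 */
	inst = rad_malloc(sizeof(*inst));
	if (!inst) {
		return -1;
	}
	memset(inst, 0, sizeof(*inst));

	/*
	 *	If the configuration parameters can't be parsed, then
	 *	fail.
	 */
	if (cf_section_parse(conf, inst, module_config) < 0) {
		policy_detach(inst);
		return -1;
	}

	/*
	 *	The instance was zeroed above and the "filename" entry in
	 *	module_config passes NULL in its trailing fields, so the
	 *	pointer is presumably still NULL when the item was left
	 *	out of the configuration (NOTE(review): confirm against
	 *	CONF_PARSER).  Refuse to start rather than hand a NULL
	 *	path to the policy parser.
	 */
	if (!inst->filename) {
		radlog(L_ERR, "rlm_policy: No \"filename\" was configured");
		policy_detach(inst);
		return -1;
	}

	/*
	 *	The tree owns its entries: rlm_policy_free_item is the
	 *	callback it uses to release them.
	 */
	inst->policies = rbtree_create(policyname_cmp, rlm_policy_free_item, 0);
	if (!inst->policies) {
		policy_detach(inst);
		return -1;
	}

	/*
	 *	Parse the policy from the file.
	 */
	if (!rlm_policy_parse(inst->policies, inst->filename)) {
		policy_detach(inst);
		return -1;
	}

	*instance = inst;

	return 0;
}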
121
122
/*
 *	Insert a named policy into the tree.
 *
 *	Returns 1 when the tree accepted the policy, which it then owns.
 *	Returns 0 when the insert failed; in that case the policy has
 *	ALREADY been freed here, so the caller must neither use nor
 *	free the pointer again (doing so would be a use-after-free or
 *	a double free).
 */
int rlm_policy_insert(rbtree_t *head, policy_named_t *policy)
{
	if (rbtree_insert(head, policy)) {
		return 1;
	}

	rlm_policy_free_item((policy_item_t *) policy);
	return 0;
}
135
136
/*
 *	Look up a named policy in the tree.
 *
 *	A temporary key on the stack carries the name; only its 'name'
 *	field is set, the rest is left uninitialised.  That is enough
 *	as long as the tree's comparison callback reads nothing but
 *	'name', which is what policyname_cmp() does.
 *
 *	Returns whatever rbtree_finddata() returns for that key.
 */
policy_named_t *rlm_policy_find(rbtree_t *head, const char *name)
{
	policy_named_t key;
	policy_named_t *found;

	key.name = name;
	found = rbtree_finddata(head, &key);

	return found;
}
148
149
/*
 *	Authorization hook.  Hands the request to rlm_policy_evaluate()
 *	together with the literal "authorize" (presumably the name of
 *	the policy to run) and returns its result unchanged.
 */
static int policy_authorize(void *instance, REQUEST *request)
{
	rlm_policy_t *inst = instance;

	return rlm_policy_evaluate(inst, request, "authorize");
}
161
162
/*
 *	Pre-accounting hook: evaluates with the literal "preacct" and
 *	returns the result of rlm_policy_evaluate() unchanged.
 */
static int policy_preacct(void *instance, REQUEST *request)
{
	rlm_policy_t *inst = instance;

	return rlm_policy_evaluate(inst, request, "preacct");
}
168
/*
 *	Accounting hook: evaluates with the literal "accounting" and
 *	returns the result of rlm_policy_evaluate() unchanged.
 */
static int policy_accounting(void *instance, REQUEST *request)
{
	rlm_policy_t *inst = instance;

	return rlm_policy_evaluate(inst, request, "accounting");
}
174
/*
 *	Post-authentication hook: evaluates with the literal "post-auth"
 *	and returns the result of rlm_policy_evaluate() unchanged.
 */
static int policy_post_auth(void *instance, REQUEST *request)
{
	rlm_policy_t *inst = instance;

	return rlm_policy_evaluate(inst, request, "post-auth");
}
180
/*
 *	Pre-proxy hook: evaluates with the literal "pre-proxy" and
 *	returns the result of rlm_policy_evaluate() unchanged.
 */
static int policy_pre_proxy(void *instance, REQUEST *request)
{
	rlm_policy_t *inst = instance;

	return rlm_policy_evaluate(inst, request, "pre-proxy");
}
186
/*
 *	Post-proxy hook: evaluates with the literal "post-proxy" and
 *	returns the result of rlm_policy_evaluate() unchanged.
 */
static int policy_post_proxy(void *instance, REQUEST *request)
{
	rlm_policy_t *inst = instance;

	return rlm_policy_evaluate(inst, request, "post-proxy");
}
192
/*
 *	Free a chain of policy items.
 *
 *	Walks the list linked through 'next'.  For every node it first
 *	releases whatever that node type owns (strings, child lists,
 *	configuration section, module call), then frees the node.
 *	Child lists are released by recursion, so the recursion depth
 *	follows the nesting depth of the policy.  A NULL 'item' is
 *	accepted and does nothing.
 *
 *	After this call every pointer into the chain is dangling: the
 *	caller must not keep or reuse any of them.
 */
void rlm_policy_free_item(policy_item_t *item)
{
	policy_item_t *next;

	for (; item != NULL; item = next) {
		/* Remember the successor before the node goes away. */
		next = item->next;

		switch (item->type) {
		case POLICY_TYPE_ASSIGNMENT: {
			policy_assignment_t *assign = (policy_assignment_t *) item;

			/* free(NULL) is a no-op, so no guards are needed. */
			free(assign->lhs);
			free(assign->rhs);
			break;
		}

		case POLICY_TYPE_CONDITIONAL: {
			policy_condition_t *cond = (policy_condition_t *) item;

			free(cond->lhs);
			free(cond->rhs);

			/* The recursive call accepts NULL. */
			rlm_policy_free_item(cond->child);
			cond->child = NULL;
			break;
		}

		case POLICY_TYPE_IF: {
			policy_if_t *branch = (policy_if_t *) item;

			rlm_policy_free_item(branch->condition);
			branch->condition = NULL;

			rlm_policy_free_item(branch->if_true);
			branch->if_true = NULL;

			rlm_policy_free_item(branch->if_false);
			branch->if_false = NULL;
			break;
		}

		case POLICY_TYPE_ATTRIBUTE_LIST: {
			policy_attributes_t *list = (policy_attributes_t *) item;

			rlm_policy_free_item(list->attributes);
			break;
		}

		case POLICY_TYPE_NAMED_POLICY: {
			policy_named_t *named = (policy_named_t *) item;

			/*
			 *	NOTE(review): if rad_assert() is compiled
			 *	out in some builds, a NULL name still only
			 *	reaches free(), which tolerates it.
			 */
			rad_assert(named->name != NULL);
			free(named->name);
			rlm_policy_free_item(named->policy);
			break;
		}

		case POLICY_TYPE_CALL: {
			policy_call_t *call = (policy_call_t *) item;

			free(call->name);
			break;
		}

		case POLICY_TYPE_MODULE: {
			policy_module_t *module = (policy_module_t *) item;

			/*
			 *	Both helpers take the address of the pointer.
			 *	The guards are kept because their handling
			 *	of NULL is not visible from here.
			 */
			if (module->cs) cf_section_free(&module->cs);
			if (module->mc) modcallable_free(&module->mc);
			break;
		}

		case POLICY_TYPE_RETURN:	/* owns nothing */
		case POLICY_TYPE_BAD:
		default:
			break;
		} /* switch over type */

		/*
		 *	Poison the node for debugging & sanity checks.
		 *	These stores come right before free(), so an
		 *	optimising compiler may drop them; do not rely on
		 *	them to detect use-after-free in release builds.
		 */
		item->next = NULL;
		item->type = POLICY_TYPE_BAD;
		free(item);
	}
}
300
301
/*
 *	Module definition handed to the server.
 *
 *	The module name should be the only globally exported symbol.
 *	That is, everything else should be 'static'.
 *
 *	The module is declared RLM_TYPE_THREAD_SAFE.  If it ever needs
 *	to temporarily modify its instantiation data while handling a
 *	request, the type must be changed to RLM_TYPE_THREAD_UNSAFE so
 *	that the server takes care of running it single-threaded.
 *	NOTE(review): the hooks in this file only pass the instance on
 *	to rlm_policy_evaluate(); confirm that it does not write to it.
 */
module_t rlm_policy = {
	RLM_MODULE_INIT,
	"policy",
	RLM_TYPE_THREAD_SAFE,		/* type */
	policy_instantiate,		/* instantiation */
	policy_detach,			/* detach */
	{
		NULL,			/* authentication: no handler */
		policy_authorize,	/* authorization */
		policy_preacct,		/* preaccounting */
		policy_accounting,	/* accounting */
		NULL,			/* checksimul: no handler */
		policy_pre_proxy,	/* pre-proxy */
		policy_post_proxy,	/* post-proxy */
		policy_post_auth	/* post-auth */
	},
};