2 * This program is is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License, version 2 if the
4 * License as published by the Free Software Foundation.
6 * This program is distributed in the hope that it will be useful,
7 * but WITHOUT ANY WARRANTY; without even the implied warranty of
8 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
9 * GNU General Public License for more details.
11 * You should have received a copy of the GNU General Public License
12 * along with this program; if not, write to the Free Software
13 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
19 * @brief Integrate FreeRADIUS with RESTfull APIs
21 * @copyright 2012-2014 Arran Cudbard-Bell <arran.cudbardb@freeradius.org>
25 #include <freeradius-devel/radiusd.h>
26 #include <freeradius-devel/modules.h>
27 #include <freeradius-devel/token.h>
28 #include <freeradius-devel/rad_assert.h>
36 static CONF_PARSER tls_config[] = {
37 { "ca_file", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT, rlm_rest_section_t, tls_ca_file), NULL },
38 { "ca_path", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT, rlm_rest_section_t, tls_ca_path), NULL },
39 { "certificate_file", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT, rlm_rest_section_t, tls_certificate_file), NULL },
40 { "private_key_file", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT, rlm_rest_section_t, tls_private_key_file), NULL },
41 { "private_key_password", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_SECRET, rlm_rest_section_t, tls_private_key_password), NULL },
42 { "random_file", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_rest_section_t, tls_random_file), NULL },
43 { "check_cert", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_rest_section_t, tls_check_cert), "yes" },
44 { "check_cert_cn", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_rest_section_t, tls_check_cert_cn), "yes" },
46 { NULL, -1, 0, NULL, NULL }
50 * A mapping of configuration file names to internal variables.
52 * Note that the string is dynamically allocated, so it MUST
53 * be freed. When the configuration file parse re-reads the string,
54 * it free's the old one, and strdup's the new one, placing the pointer
55 * to the strdup'd string into 'config.string'. This gets around
58 static const CONF_PARSER section_config[] = {
59 { "uri", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_rest_section_t, uri), "" },
60 { "method", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_rest_section_t, method_str), "GET" },
61 { "body", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_rest_section_t, body_str), "none" },
62 { "data", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_rest_section_t, data), NULL },
64 /* User authentication */
65 { "auth", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_rest_section_t, auth_str), "none" },
66 { "username", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_rest_section_t, username), NULL },
67 { "password", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_rest_section_t, password), NULL },
68 { "require_auth", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_rest_section_t, require_auth), "no" },
70 /* Transfer configuration */
71 { "timeout", FR_CONF_OFFSET(PW_TYPE_INTEGER, rlm_rest_section_t, timeout), "4" },
72 { "chunk", FR_CONF_OFFSET(PW_TYPE_INTEGER, rlm_rest_section_t, chunk), "0" },
75 { "tls", FR_CONF_POINTER(PW_TYPE_SUBSECTION, NULL), (void const *) tls_config },
77 { NULL, -1, 0, NULL, NULL }
80 static const CONF_PARSER module_config[] = {
81 { "connect_uri", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_rest_t, connect_uri), NULL },
83 { NULL, -1, 0, NULL, NULL }
86 static int rlm_rest_perform(rlm_rest_t *instance, rlm_rest_section_t *section, void *handle, REQUEST *request,
87 char const *username, char const *password)
94 RDEBUG("Expanding URI components");
97 * Build xlat'd URI, this allows REST servers to be specified by
100 uri_len = rest_uri_build(&uri, instance, request, section->uri);
101 if (uri_len <= 0) return -1;
103 RDEBUG("Sending HTTP %s to \"%s\"", fr_int2str(http_method_table, section->method, NULL), uri);
106 * Configure various CURL options, and initialise the read/write
109 ret = rest_request_config(instance, section, request, handle, section->method, section->body,
110 uri, username, password);
112 if (ret < 0) return -1;
115 * Send the CURL request, pre-parse headers, aggregate incoming
116 * HTTP body data into a single contiguous buffer.
118 ret = rest_request_perform(instance, section, request, handle);
119 if (ret < 0) return -1;
124 static void rlm_rest_cleanup(rlm_rest_t *instance, rlm_rest_section_t *section, void *handle)
126 rest_request_cleanup(instance, section, handle);
130 * Simple xlat to read text data from a URL
132 static ssize_t rest_xlat(void *instance, REQUEST *request,
133 char const *fmt, char *out, size_t freespace)
135 rlm_rest_t *inst = instance;
139 ssize_t len, outlen = 0;
141 char const *p = fmt, *q;
143 http_method_t method;
145 /* There are no configurable parameters other than the URI */
146 rlm_rest_section_t section = {
148 .method = HTTP_METHOD_GET,
149 .body = HTTP_BODY_NONE,
150 .body_str = "application/x-www-form-urlencoded",
151 .require_auth = false,
153 .force_to = HTTP_BODY_PLAIN
159 RDEBUG("Expanding URI components");
161 handle = fr_connection_get(inst->conn_pool);
162 if (!handle) return -1;
165 * Extract the method from the start of the format string (if there is one)
167 method = fr_substr2int(http_method_table, p, HTTP_METHOD_UNKNOWN, -1);
168 if (method != HTTP_METHOD_UNKNOWN) {
169 section.method = method;
170 p += strlen(http_method_table[method].name);
176 while (isspace(*p) && p++);
179 * Unescape parts of xlat'd URI, this allows REST servers to be specified by
180 * request attributes.
182 len = rest_uri_host_unescape(&uri, instance, request, handle, p);
189 * Extract freeform body data (url can't contain spaces)
192 if (q && (*++q != '\0')) {
193 section.body = HTTP_BODY_CUSTOM_LITERAL;
197 RDEBUG("Sending HTTP %s to \"%s\"", fr_int2str(http_method_table, section.method, NULL), uri);
200 * Configure various CURL options, and initialise the read/write
203 * @todo We could extract the User-Name and password from the URL string.
205 ret = rest_request_config(instance, §ion, request, handle, section.method, section.body,
208 if (ret < 0) return -1;
211 * Send the CURL request, pre-parse headers, aggregate incoming
212 * HTTP body data into a single contiguous buffer.
214 ret = rest_request_perform(instance, §ion, request, handle);
215 if (ret < 0) return -1;
217 hcode = rest_get_handle_code(handle);
225 len = rest_get_handle_data(&body, handle);
226 if (len > 0) REDEBUG("%s", body);
235 * Attempt to parse content if there was any.
237 if ((hcode >= 200) && (hcode < 300)) {
239 } else if (hcode < 500) {
248 len = rest_get_handle_data(&body, handle);
249 if ((size_t) len >= freespace) {
250 REDEBUG("Insufficient space to write HTTP response, needed %zu bytes, have %zu bytes", len + 1,
257 strlcpy(out, body, len + 1); /* strlcpy takes the size of the buffer */
261 rlm_rest_cleanup(instance, §ion, handle);
263 fr_connection_release(inst->conn_pool, handle);
269 * Find the named user in this modules database. Create the set
270 * of attribute-value pairs to check and reply with for this user
271 * from the database. The authentication code only needs to check
272 * the password, the rest is done here.
274 static rlm_rcode_t CC_HINT(nonnull) mod_authorize(void *instance, REQUEST *request)
276 rlm_rest_t *inst = instance;
277 rlm_rest_section_t *section = &inst->authorize;
281 int rcode = RLM_MODULE_OK;
284 handle = fr_connection_get(inst->conn_pool);
285 if (!handle) return RLM_MODULE_FAIL;
287 ret = rlm_rest_perform(instance, section, handle, request, NULL, NULL);
289 rcode = RLM_MODULE_FAIL;
293 hcode = rest_get_handle_code(handle);
297 rcode = RLM_MODULE_NOTFOUND;
301 rcode = RLM_MODULE_USERLOCK;
306 * Attempt to parse content if there was any.
308 ret = rest_response_decode(inst, section, request, handle);
310 rcode = RLM_MODULE_FAIL;
314 rcode = RLM_MODULE_REJECT;
318 rcode = RLM_MODULE_OK;
323 * Attempt to parse content if there was any.
325 if ((hcode >= 200) && (hcode < 300)) {
326 ret = rest_response_decode(inst, section, request, handle);
327 if (ret < 0) rcode = RLM_MODULE_FAIL;
328 else if (ret == 0) rcode = RLM_MODULE_OK;
329 else rcode = RLM_MODULE_UPDATED;
331 } else if (hcode < 500) {
332 rcode = RLM_MODULE_INVALID;
334 rcode = RLM_MODULE_FAIL;
339 rlm_rest_cleanup(instance, section, handle);
341 fr_connection_release(inst->conn_pool, handle);
347 * Authenticate the user with the given password.
349 static rlm_rcode_t CC_HINT(nonnull) mod_authenticate(void *instance, UNUSED REQUEST *request)
351 rlm_rest_t *inst = instance;
352 rlm_rest_section_t *section = &inst->authenticate;
356 int rcode = RLM_MODULE_OK;
359 VALUE_PAIR const *username;
360 VALUE_PAIR const *password;
362 username = request->username;
363 if (!request->username) {
364 REDEBUG("Can't perform authentication, 'User-Name' attribute not found in the request");
366 return RLM_MODULE_INVALID;
369 password = request->password;
371 (password->da->attr != PW_USER_PASSWORD)) {
372 REDEBUG("You set 'Auth-Type = REST' for a request that does not contain a User-Password attribute!");
373 return RLM_MODULE_INVALID;
376 handle = fr_connection_get(inst->conn_pool);
377 if (!handle) return RLM_MODULE_FAIL;
379 ret = rlm_rest_perform(instance, section, handle, request, username->vp_strvalue, password->vp_strvalue);
381 rcode = RLM_MODULE_FAIL;
385 hcode = rest_get_handle_code(handle);
389 rcode = RLM_MODULE_NOTFOUND;
393 rcode = RLM_MODULE_USERLOCK;
398 * Attempt to parse content if there was any.
400 ret = rest_response_decode(inst, section, request, handle);
402 rcode = RLM_MODULE_FAIL;
406 rcode = RLM_MODULE_REJECT;
410 rcode = RLM_MODULE_OK;
415 * Attempt to parse content if there was any.
417 if ((hcode >= 200) && (hcode < 300)) {
418 ret = rest_response_decode(inst, section, request, handle);
419 if (ret < 0) rcode = RLM_MODULE_FAIL;
420 else if (ret == 0) rcode = RLM_MODULE_OK;
421 else rcode = RLM_MODULE_UPDATED;
423 } else if (hcode < 500) {
424 rcode = RLM_MODULE_INVALID;
426 rcode = RLM_MODULE_FAIL;
431 rlm_rest_cleanup(instance, section, handle);
433 fr_connection_release(inst->conn_pool, handle);
439 * Send accounting info to a REST API endpoint
441 static rlm_rcode_t CC_HINT(nonnull) mod_accounting(void *instance, UNUSED REQUEST *request)
443 rlm_rest_t *inst = instance;
444 rlm_rest_section_t *section = &inst->accounting;
448 int rcode = RLM_MODULE_OK;
451 handle = fr_connection_get(inst->conn_pool);
452 if (!handle) return RLM_MODULE_FAIL;
454 ret = rlm_rest_perform(inst, section, handle, request, NULL, NULL);
456 rcode = RLM_MODULE_FAIL;
460 hcode = rest_get_handle_code(handle);
462 rcode = RLM_MODULE_FAIL;
463 } else if (hcode == 204) {
464 rcode = RLM_MODULE_OK;
465 } else if ((hcode >= 200) && (hcode < 300)) {
466 ret = rest_response_decode(inst, section, request, handle);
467 if (ret < 0) rcode = RLM_MODULE_FAIL;
468 else if (ret == 0) rcode = RLM_MODULE_OK;
469 else rcode = RLM_MODULE_UPDATED;
471 rcode = RLM_MODULE_INVALID;
475 rlm_rest_cleanup(inst, section, handle);
477 fr_connection_release(inst->conn_pool, handle);
483 * Send post-auth info to a REST API endpoint
485 static rlm_rcode_t CC_HINT(nonnull) mod_post_auth(void *instance, UNUSED REQUEST *request)
487 rlm_rest_t *inst = instance;
488 rlm_rest_section_t *section = &inst->post_auth;
492 int rcode = RLM_MODULE_OK;
495 handle = fr_connection_get(inst->conn_pool);
496 if (!handle) return RLM_MODULE_FAIL;
498 ret = rlm_rest_perform(inst, section, handle, request, NULL, NULL);
500 rcode = RLM_MODULE_FAIL;
504 hcode = rest_get_handle_code(handle);
506 rcode = RLM_MODULE_FAIL;
507 } else if (hcode == 204) {
508 rcode = RLM_MODULE_OK;
509 } else if ((hcode >= 200) && (hcode < 300)) {
510 ret = rest_response_decode(inst, section, request, handle);
511 if (ret < 0) rcode = RLM_MODULE_FAIL;
512 else if (ret == 0) rcode = RLM_MODULE_OK;
513 else rcode = RLM_MODULE_UPDATED;
515 rcode = RLM_MODULE_INVALID;
519 rlm_rest_cleanup(inst, section, handle);
521 fr_connection_release(inst->conn_pool, handle);
526 static int parse_sub_section(CONF_SECTION *parent, rlm_rest_section_t *config, rlm_components_t comp)
530 char const *name = section_type_value[comp].section;
532 cs = cf_section_sub_find(parent, name);
534 /* TODO: Should really setup section with default values */
538 if (cf_section_parse(cs, config, section_config) < 0) {
543 * Add section name (Maybe add to headers later?).
550 if ((config->username && !config->password) || (!config->username && config->password)) {
551 cf_log_err_cs(cs, "'username' and 'password' must both be set or both be absent");
557 * Convert HTTP method auth and body type strings into their integer equivalents.
559 config->auth = fr_str2int(http_auth_table, config->auth_str, HTTP_AUTH_UNKNOWN);
560 if (config->auth == HTTP_AUTH_UNKNOWN) {
561 cf_log_err_cs(cs, "Unknown HTTP auth type '%s'", config->auth_str);
564 } else if ((config->auth != HTTP_AUTH_NONE) && !http_curl_auth[config->auth]) {
565 cf_log_err_cs(cs, "Unsupported HTTP auth type \"%s\", check libcurl version, OpenSSL build "
566 "configuration, then recompile this module", config->auth_str);
571 config->method = fr_str2int(http_method_table, config->method_str, HTTP_METHOD_CUSTOM);
574 * We don't have any custom user data, so we need to select the right encoder based
577 * To make this slightly more/less confusing, we accept both canonical body_types,
581 config->body = fr_str2int(http_body_type_table, config->body_str, HTTP_BODY_UNKNOWN);
582 if (config->body == HTTP_BODY_UNKNOWN) {
583 config->body = fr_str2int(http_content_type_table, config->body_str, HTTP_BODY_UNKNOWN);
586 if (config->body == HTTP_BODY_UNKNOWN) {
587 cf_log_err_cs(cs, "Unknown HTTP body type '%s'", config->body_str);
591 switch (http_body_type_supported[config->body]) {
592 case HTTP_BODY_UNSUPPORTED:
593 cf_log_err_cs(cs, "Unsupported HTTP body type \"%s\", please submit patches",
597 case HTTP_BODY_INVALID:
598 cf_log_err_cs(cs, "Invalid HTTP body type. \"%s\" is not a valid web API data "
599 "markup format", config->body_str);
606 * We have custom body data so we set HTTP_BODY_CUSTOM_XLAT, but also need to try and
607 * figure out what content-type to use. So if they've used the canonical form we
608 * need to convert it back into a proper HTTP content_type value.
611 http_body_type_t body;
613 config->body = HTTP_BODY_CUSTOM_XLAT;
615 body = fr_str2int(http_body_type_table, config->body_str, HTTP_BODY_UNKNOWN);
616 if (body != HTTP_BODY_UNKNOWN) {
617 config->body_str = fr_int2str(http_content_type_table, body, config->body_str);
625 * Do any per-module initialization that is separate to each
626 * configured instance of the module. e.g. set up connections
627 * to external databases, read configuration files, set up
628 * dictionary entries, etc.
630 * If configuration information is given in the config section
631 * that must be referenced in later calls, store a handle to it
632 * in *instance otherwise put a null pointer there.
634 static int mod_instantiate(CONF_SECTION *conf, void *instance)
636 rlm_rest_t *inst = instance;
637 char const *xlat_name;
639 xlat_name = cf_section_name2(conf);
641 xlat_name = cf_section_name1(conf);
644 inst->xlat_name = xlat_name;
647 * Register the rest xlat function
649 xlat_register(inst->xlat_name, rest_xlat, rest_uri_escape, inst);
652 * Parse sub-section configs.
655 (parse_sub_section(conf, &inst->authorize, RLM_COMPONENT_AUTZ) < 0) ||
656 (parse_sub_section(conf, &inst->authenticate, RLM_COMPONENT_AUTH) < 0) ||
657 (parse_sub_section(conf, &inst->accounting, RLM_COMPONENT_ACCT) < 0) ||
659 /* @todo add behaviour for checksimul */
660 /* (parse_sub_section(conf, &inst->checksimul, RLM_COMPONENT_SESS) < 0) || */
661 (parse_sub_section(conf, &inst->post_auth, RLM_COMPONENT_POST_AUTH) < 0))
667 * Initialise REST libraries.
669 if (rest_init(inst) < 0) {
673 inst->conn_pool = fr_connection_pool_init(conf, inst, mod_conn_create, mod_conn_alive, NULL, NULL);
674 if (!inst->conn_pool) {
682 * Only free memory we allocated. The strings allocated via
683 * cf_section_parse() do not need to be freed.
685 static int mod_detach(void *instance)
687 rlm_rest_t *inst = instance;
689 fr_connection_pool_delete(inst->conn_pool);
691 xlat_unregister(inst->xlat_name, rest_xlat, instance);
693 /* Free any memory used by libcurl */
700 * The module name should be the only globally exported symbol.
701 * That is, everything else should be 'static'.
703 * If the module needs to temporarily modify it's instantiation
704 * data, the type should be changed to RLM_TYPE_THREAD_UNSAFE.
705 * The server will then take care of ensuring that the module
706 * is single-threaded.
708 module_t rlm_rest = {
711 RLM_TYPE_THREAD_SAFE, /* type */
714 mod_instantiate, /* instantiation */
715 mod_detach, /* detach */
717 mod_authenticate, /* authentication */
718 mod_authorize, /* authorization */
719 NULL, /* preaccounting */
720 mod_accounting, /* accounting */
721 NULL, /* checksimul */
722 NULL, /* pre-proxy */
723 NULL, /* post-proxy */
724 mod_post_auth /* post-auth */