*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*
- * Copyright (C) 2001 The FreeRADIUS server project
+ * Copyright (C) 2001,2006 The FreeRADIUS server project
* Copyright (C) 2001 Chris Parker <cparker@starnetusa.net>
*/
-#include <freeradius-devel/autoconf.h>
+#include <freeradius-devel/ident.h>
+RCSID("$Id$")
+
+#include <freeradius-devel/radiusd.h>
+#include <freeradius-devel/modules.h>
+#include <freeradius-devel/rad_assert.h>
#include <sys/stat.h>
-#include <stdlib.h>
-#include <string.h>
-#include <netdb.h>
#include <ctype.h>
#include <fcntl.h>
#include <limits.h>
-#include <freeradius-devel/radiusd.h>
-#include <freeradius-devel/rad_assert.h>
-#include <freeradius-devel/modules.h>
-
-static const char rcsid[] = "$Id$";
/*
* Define a structure with the module configuration, so it can
*/
struct attr_filter_instance {
char *attrsfile;
+ char *key;
PAIR_LIST *attrs;
};
static const CONF_PARSER module_config[] = {
{ "attrsfile", PW_TYPE_FILENAME,
offsetof(struct attr_filter_instance,attrsfile), NULL, "${raddbdir}/attrs" },
+ { "key", PW_TYPE_STRING_PTR,
+ offsetof(struct attr_filter_instance,key), NULL, "%{Realm}" },
{ NULL, -1, 0, NULL, NULL }
};
return;
}
-/*
- * Copy the specified attribute to the specified list
- */
-static int mypairappend(VALUE_PAIR *item, VALUE_PAIR **to)
-{
- VALUE_PAIR *tmp;
- tmp = paircreate(item->attribute, item->type);
- if (!tmp) {
- radlog(L_ERR|L_CONS, "no memory");
- return -1;
- }
-
- /*
- * Copy EVERYTHING.
- */
- memcpy(tmp, item, sizeof(*tmp));
- tmp->next = NULL;
- *to = tmp;
-
- return 0;
-}
static int getattrsfile(const char *filename, PAIR_LIST **pair_list)
{
* and we ignore Fall-Through,
* then bitch about it, giving a good warning message.
*/
- if (!(vp->attribute & ~0xffff) &&
+ if ((vp->vendor == 0) &&
(vp->attribute > 0xff) &&
(vp->attribute > 1000)) {
log_debug("[%s]:%d WARNING! Check item \"%s\"\n"
{
struct attr_filter_instance *inst = instance;
pairlist_free(&inst->attrs);
- free(inst->attrsfile);
free(inst);
return 0;
}
* Common attr_filter checks
*/
static int attr_filter_common(void *instance, REQUEST *request,
- VALUE_PAIR **input)
+ RADIUS_PACKET *packet)
{
struct attr_filter_instance *inst = instance;
VALUE_PAIR *vp;
- VALUE_PAIR *output = NULL;
+ VALUE_PAIR *output;
VALUE_PAIR **output_tail;
VALUE_PAIR *check_item;
PAIR_LIST *pl;
int found = 0;
int pass, fail = 0;
- VALUE_PAIR *realmpair;
- char *realmname = NULL;
+ char *keyname = NULL;
+ VALUE_PAIR **input;
+ char buffer[256];
- /*
- * Get the realm. Can't use request->config_items as
- * that gets freed by rad_authenticate.... use the one
- * set in the original request vps
- */
- realmpair = pairfind(request->packet->vps, PW_REALM);
- if (!realmpair) {
- /* If there is no realm...NOOP */
- return (RLM_MODULE_NOOP);
+ if (!packet) return RLM_MODULE_NOOP;
+
+ input = &(packet->vps);
+
+ if (!inst->key) {
+ VALUE_PAIR *namepair;
+
+ namepair = pairfind(request->packet->vps, PW_REALM, 0);
+ if (!namepair) {
+ return (RLM_MODULE_NOOP);
+ }
+ keyname = namepair->vp_strvalue;
+ } else {
+ int len;
+
+ len = radius_xlat(buffer, sizeof(buffer), inst->key,
+ request, NULL);
+ if (!len) {
+ return RLM_MODULE_NOOP;
+ }
+ keyname = buffer;
}
- realmname = realmpair->vp_strvalue;
+ output = NULL;
output_tail = &output;
/*
- * Find the attr_filter profile entry for the realm.
+ * Find the attr_filter profile entry for the entry.
*/
for (pl = inst->attrs; pl; pl = pl->next) {
int fall_through = 0;
* then skip to the next entry.
*/
if ((strcmp(pl->name, "DEFAULT") != 0) &&
- (strcmp(realmname, pl->name) != 0)) {
+ (strcmp(keyname, pl->name) != 0)) {
continue;
}
for (check_item = pl->check;
check_item != NULL;
check_item = check_item->next) {
- if (check_item->attribute == PW_FALL_THROUGH) {
+ if ((check_item->attribute == PW_FALL_THROUGH) &&
+ (check_item->vp_integer == 1)) {
fall_through = 1;
continue;
}
* the output list without checking it.
*/
if (check_item->operator == T_OP_SET ) {
- if (mypairappend(check_item, output_tail) < 0) {
+ vp = paircopyvp(check_item);
+ if (!vp) {
pairfree(&output);
return RLM_MODULE_FAIL;
}
- output_tail = &((*output_tail)->next);
+ *output_tail = vp;
+ output_tail = &(vp->next);
}
}
for (vp = *input; vp != NULL; vp = vp->next ) {
/* reset the pass,fail vars for each reply item */
pass = fail = 0;
-
+
/*
* reset the check_item pointer to
* beginning of the list
for (check_item = pl->check;
check_item != NULL;
check_item = check_item->next) {
+ /*
+ * Vendor-Specific is special, and
+ * matches any VSA if the comparison
+ * is always true.
+ */
+ if ((check_item->attribute == PW_VENDOR_SPECIFIC) &&
+ (vp->vendor != 0) &&
+ (check_item->operator == T_OP_CMP_TRUE)) {
+ pass++;
+ continue;
+ }
+
if (vp->attribute == check_item->attribute) {
check_pair(check_item, vp,
&pass, &fail);
}
}
-
+
/* only move attribute if it passed all rules */
if (fail == 0 && pass > 0) {
- if (mypairappend(vp, output_tail) < 0) {
+ *output_tail = paircopyvp(vp);
+ if (!*output_tail) {
pairfree(&output);
return RLM_MODULE_FAIL;
}
output_tail = &((*output_tail)->next);
}
}
-
+
/* If we shouldn't fall through, break */
if (!fall_through)
break;
pairfree(input);
*input = output;
+ if (request->packet->code == PW_AUTHENTICATION_REQUEST) {
+ request->username = pairfind(request->packet->vps,
+ PW_STRIPPED_USER_NAME, 0);
+ if (!request->username)
+ request->username = pairfind(request->packet->vps,
+ PW_USER_NAME, 0);
+ request->password = pairfind(request->packet->vps,
+ PW_USER_PASSWORD, 0);
+ }
+
return RLM_MODULE_UPDATED;
}
-static int attr_filter_authorize(void *instance, REQUEST *request)
+static int attr_filter_preacct(void *instance, REQUEST *request)
{
- return attr_filter_common(instance, request, &request->packet->vps);
+ return attr_filter_common(instance, request, request->packet);
}
static int attr_filter_accounting(void *instance, REQUEST *request)
{
- return attr_filter_common(instance, request, &request->packet->vps);
+ return attr_filter_common(instance, request, request->reply);
}
+#ifdef WITH_PROXY
static int attr_filter_preproxy(void *instance, REQUEST *request)
{
- return attr_filter_common(instance, request, &request->proxy->vps);
+ return attr_filter_common(instance, request, request->proxy);
}
static int attr_filter_postproxy(void *instance, REQUEST *request)
{
- return attr_filter_common(instance, request, &request->proxy_reply->vps);
+ return attr_filter_common(instance, request, request->proxy_reply);
}
+#endif
static int attr_filter_postauth(void *instance, REQUEST *request)
{
- return attr_filter_common(instance, request, &request->reply->vps);
+ return attr_filter_common(instance, request, request->reply);
+}
+
+static int attr_filter_authorize(void *instance, REQUEST *request)
+{
+ return attr_filter_common(instance, request, request->packet);
}
module_t rlm_attr_filter = {
RLM_MODULE_INIT,
"attr_filter",
- 0, /* type: reserved */
+ RLM_TYPE_CHECK_CONFIG_SAFE | RLM_TYPE_HUP_SAFE, /* type */
attr_filter_instantiate, /* instantiation */
attr_filter_detach, /* detach */
{
NULL, /* authentication */
attr_filter_authorize, /* authorization */
- NULL, /* preaccounting */
+ attr_filter_preacct, /* pre-acct */
attr_filter_accounting, /* accounting */
NULL, /* checksimul */
+#ifdef WITH_PROXY
attr_filter_preproxy, /* pre-proxy */
attr_filter_postproxy, /* post-proxy */
+#else
+ NULL, NULL,
+#endif
attr_filter_postauth /* post-auth */
},
};