/** Iterate over all client attribute pairs and create client pair data using JSON element names
*
* If we hit a CONF_SECTION we recurse and process its CONF_PAIRS as well to support nested
* configurations sections.
*
* @param client The new client config section using the mapped names.
* @param map The client attribute section from the module configuration.
* @param json JSON object representation of a client document fetched from Couchbase.
* @param docid Document id.
* @return Returns 0 on success, -1 on error.
*/
int _mod_client_map_section(CONF_SECTION *client, CONF_SECTION const *map,
json_object *json, char const *docid)
{
CONF_ITEM const *ci;
for (ci = cf_item_find_next(map, NULL); ci != NULL; ci = cf_item_find_next(map, ci)) {
CONF_PAIR const *cp;
char const *attribute;
char const *element;
json_object *jval;
/*
* Recursively process map subsection
*/
if (cf_item_is_section(ci)) {
CONF_SECTION *cs, *cc; /* local scoped for new section */
cs = cf_itemtosection(ci);
cc = cf_section_alloc(client, cf_section_name1(cs), cf_section_name2(cs));
if (!cc) return -1;
cf_section_add(client, cc);
if (_mod_client_map_section(cc, cs, json, docid) != 0) {
return -1;
}
/* continue on to the next item */
continue;
}
/* create pair from item and get attribute name and value */
cp = cf_itemtopair(ci);
attribute = cf_pair_attr(cp);
element = cf_pair_value(cp);
/* attempt to find element in json object */
if (!json_object_object_get_ex(json, element, &jval)) {
/* skip this item */
continue;
}
/* allocate config pair */
cp = cf_pair_alloc(client, attribute, json_object_get_string(jval), T_OP_SET, T_SINGLE_QUOTED_STRING);
/* check pair */
if (!cp) {
ERROR("rlm_couchbase: failed allocating config pair '%s' = '%s'", attribute, json_object_get_string(jval));
return -1;
}
/* add pair to section */
cf_item_add(client, cf_pairtoitem(cp));
}
/* return success */
return 0;
}
/** Iterate over pairs in mapping section creating equivalent client pairs from LDAP values
*
* If we hit a CONF_SECTION we recurse and process its CONF_PAIRS too.
*
* @param[in] inst rlm_ldap configuration.
* @param[out] client config section.
* @param[in] map section.
* @param[in] conn LDAP connection.
* @param[in] entry returned from search.
* @return 0 on success else -1 on error.
*/
static int rlm_ldap_client_map_section(ldap_instance_t const *inst, CONF_SECTION *client,
CONF_SECTION const *map, ldap_handle_t *conn,
LDAPMessage *entry)
{
CONF_ITEM const *ci;
for (ci = cf_item_find_next(map, NULL);
ci != NULL;
ci = cf_item_find_next(map, ci)) {
CONF_PAIR const *cp;
char **value;
char const *attr;
/*
* Recursively process map subsection
*/
if (cf_item_is_section(ci)) {
CONF_SECTION *cs, *cc;
cs = cf_itemtosection(ci);
cc = cf_section_alloc(client, cf_section_name1(cs), cf_section_name2(cs));
if (!cc) return -1;
cf_section_add(client, cc);
if (rlm_ldap_client_map_section(inst, cc, cs, conn, entry) < 0) return -1;
continue;
}
cp = cf_itemtopair(ci);
attr = cf_pair_attr(cp);
value = ldap_get_values(conn->handle, entry, cf_pair_value(cp));
if (!value) continue;
cp = cf_pair_alloc(client, attr, value[0], T_OP_SET, T_SINGLE_QUOTED_STRING);
if (!cp) {
LDAP_ERR("Failed allocing pair \"%s\" = \"%s\"", attr, value[0]);
return -1;
}
cf_item_add(client, cf_pairtoitem(cp));
}
return 0;
}
/** Create a client CONF_SECTION using a mapping section to map values from a result set to client attributes
*
* If we hit a CONF_SECTION we recurse and process its CONF_PAIRS too.
*
* @note Caller should free CONF_SECTION passed in as out, on error.
* Contents of that section will be in an undefined state.
*
* @param[in,out] out Section to perform mapping on. Either the root of the client config, or a parent section
* (when this function is called recursively).
* Should be alloced with cf_section_alloc, or if there's a separate template section, the
* result of calling cf_section_dup on that section.
* @param[in] map section.
* @param[in] func to call to retrieve CONF_PAIR values. Must return a talloced buffer containing the value.
* @param[in] data to pass to func, usually a result pointer.
* @return 0 on success else -1 on error.
*/
int client_map_section(CONF_SECTION *out, CONF_SECTION const *map, client_value_cb_t func, void *data)
{
CONF_ITEM const *ci;
for (ci = cf_item_find_next(map, NULL);
ci != NULL;
ci = cf_item_find_next(map, ci)) {
CONF_PAIR const *cp;
CONF_PAIR *old;
char *value;
char const *attr;
/*
* Recursively process map subsection
*/
if (cf_item_is_section(ci)) {
CONF_SECTION *cs, *cc;
cs = cf_item_to_section(ci);
/*
* Use pre-existing section or alloc a new one
*/
cc = cf_section_sub_find_name2(out, cf_section_name1(cs), cf_section_name2(cs));
if (!cc) {
cc = cf_section_alloc(out, cf_section_name1(cs), cf_section_name2(cs));
cf_section_add(out, cc);
if (!cc) return -1;
}
if (client_map_section(cc, cs, func, data) < 0) return -1;
continue;
}
cp = cf_item_to_pair(ci);
attr = cf_pair_attr(cp);
/*
* The callback can return 0 (success) and not provide a value
* in which case we skip the mapping pair.
*
* Or return -1 in which case we error out.
*/
if (func(&value, cp, data) < 0) {
cf_log_err_cs(out, "Failed performing mapping \"%s\" = \"%s\"", attr, cf_pair_value(cp));
return -1;
}
if (!value) continue;
/*
* Replace an existing CONF_PAIR
*/
old = cf_pair_find(out, attr);
if (old) {
cf_pair_replace(out, old, value);
talloc_free(value);
continue;
}
/*
* ...or add a new CONF_PAIR
*/
cp = cf_pair_alloc(out, attr, value, T_OP_SET, T_BARE_WORD, T_SINGLE_QUOTED_STRING);
if (!cp) {
cf_log_err_cs(out, "Failed allocing pair \"%s\" = \"%s\"", attr, value);
talloc_free(value);
return -1;
}
talloc_free(value);
cf_item_add(out, cf_pair_to_item(cp));
}
return 0;
}
/*
* Read config files.
*
* This function can ONLY be called from the main server process.
*/
int main_config_init(void)
{
char const *p = NULL;
CONF_SECTION *cs, *subcs;
struct stat statbuf;
cached_config_t *cc;
char buffer[1024];
if (stat(radius_dir, &statbuf) < 0) {
ERROR("Errors reading %s: %s",
radius_dir, fr_syserror(errno));
return -1;
}
#ifdef S_IWOTH
if ((statbuf.st_mode & S_IWOTH) != 0) {
ERROR("Configuration directory %s is globally writable. Refusing to start due to insecure configuration.",
radius_dir);
return -1;
}
#endif
#if 0 && defined(S_IROTH)
if (statbuf.st_mode & S_IROTH != 0) {
ERROR("Configuration directory %s is globally readable. Refusing to start due to insecure configuration.",
radius_dir);
return -1;
}
#endif
INFO("Starting - reading configuration files ...");
/*
* We need to load the dictionaries before reading the
* configuration files. This is because of the
* pre-compilation in conffile.c. That should probably
* be fixed to be done as a second stage.
*/
if (!main_config.dictionary_dir) {
main_config.dictionary_dir = DICTDIR;
}
/*
* About sizeof(REQUEST) + sizeof(RADIUS_PACKET) * 2 + sizeof(VALUE_PAIR) * 400
*
* Which should be enough for many configurations.
*/
main_config.talloc_pool_size = 8 * 1024; /* default */
/*
* Read the distribution dictionaries first, then
* the ones in raddb.
*/
DEBUG2("including dictionary file %s/%s", main_config.dictionary_dir, RADIUS_DICTIONARY);
if (dict_init(main_config.dictionary_dir, RADIUS_DICTIONARY) != 0) {
ERROR("Errors reading dictionary: %s",
fr_strerror());
return -1;
}
#define DICT_READ_OPTIONAL(_d, _n) \
do {\
switch (dict_read(_d, _n)) {\
case -1:\
ERROR("Errors reading %s/%s: %s", _d, _n, fr_strerror());\
return -1;\
case 0:\
DEBUG2("including dictionary file %s/%s", _d,_n);\
break;\
default:\
break;\
}\
} while (0)
/*
* Try to load protocol-specific dictionaries. It's OK
* if they don't exist.
*/
#ifdef WITH_DHCP
DICT_READ_OPTIONAL(main_config.dictionary_dir, "dictionary.dhcp");
#endif
#ifdef WITH_VMPS
DICT_READ_OPTIONAL(main_config.dictionary_dir, "dictionary.vqp");
#endif
/*
* It's OK if this one doesn't exist.
*/
DICT_READ_OPTIONAL(radius_dir, RADIUS_DICTIONARY);
cs = cf_section_alloc(NULL, "main", NULL);
if (!cs) return -1;
/*
* Add a 'feature' subsection off the main config
* We check if it's defined first, as the user may
* have defined their own feature flags, or want
* to manually override the ones set by modules
* or the server.
*/
subcs = cf_section_sub_find(cs, "feature");
if (!subcs) {
subcs = cf_section_alloc(cs, "feature", NULL);
if (!subcs) return -1;
cf_section_add(cs, subcs);
}
version_init_features(subcs);
/*
* Add a 'version' subsection off the main config
* We check if it's defined first, this is for
* backwards compatibility.
*/
subcs = cf_section_sub_find(cs, "version");
if (!subcs) {
subcs = cf_section_alloc(cs, "version", NULL);
if (!subcs) return -1;
cf_section_add(cs, subcs);
}
version_init_numbers(subcs);
/* Read the configuration file */
snprintf(buffer, sizeof(buffer), "%.200s/%.50s.conf", radius_dir, main_config.name);
if (cf_file_read(cs, buffer) < 0) {
ERROR("Errors reading or parsing %s", buffer);
talloc_free(cs);
return -1;
}
/*
* If there was no log destination set on the command line,
* set it now.
*/
if (default_log.dst == L_DST_NULL) {
default_log.dst = L_DST_STDERR;
default_log.fd = STDERR_FILENO;
if (cf_section_parse(cs, NULL, startup_server_config) == -1) {
fprintf(stderr, "%s: Error: Failed to parse log{} section.\n",
main_config.name);
cf_file_free(cs);
return -1;
}
if (!radlog_dest) {
fprintf(stderr, "%s: Error: No log destination specified.\n",
main_config.name);
cf_file_free(cs);
return -1;
}
default_log.fd = -1;
default_log.dst = fr_str2int(log_str2dst, radlog_dest,
L_DST_NUM_DEST);
if (default_log.dst == L_DST_NUM_DEST) {
fprintf(stderr, "%s: Error: Unknown log_destination %s\n",
main_config.name, radlog_dest);
cf_file_free(cs);
return -1;
}
if (default_log.dst == L_DST_SYSLOG) {
/*
* Make sure syslog_facility isn't NULL
* before using it
*/
if (!syslog_facility) {
fprintf(stderr, "%s: Error: Syslog chosen but no facility was specified\n",
main_config.name);
cf_file_free(cs);
return -1;
}
main_config.syslog_facility = fr_str2int(syslog_facility_table, syslog_facility, -1);
if (main_config.syslog_facility < 0) {
fprintf(stderr, "%s: Error: Unknown syslog_facility %s\n",
main_config.name, syslog_facility);
cf_file_free(cs);
return -1;
}
#ifdef HAVE_SYSLOG_H
/*
* Call openlog only once, when the
* program starts.
*/
openlog(main_config.name, LOG_PID, main_config.syslog_facility);
#endif
} else if (default_log.dst == L_DST_FILES) {
if (!main_config.log_file) {
fprintf(stderr, "%s: Error: Specified \"files\" as a log destination, but no log filename was given!\n",
main_config.name);
cf_file_free(cs);
return -1;
}
}
}
#ifdef HAVE_SETUID
/*
* Switch users as early as possible.
*/
if (!switch_users(cs)) fr_exit(1);
#endif
/*
* This allows us to figure out where, relative to
* radiusd.conf, the other configuration files exist.
*/
if (cf_section_parse(cs, NULL, server_config) < 0) return -1;
/*
* Fix up log_auth, and log_accept and log_reject
*/
if (main_config.log_auth) {
main_config.log_accept = main_config.log_reject = true;
}
/*
* We ignore colourization of output until after the
* configuration files have been parsed.
*/
p = getenv("TERM");
if (do_colourise && p && isatty(default_log.fd) && strstr(p, "xterm")) {
default_log.colourise = true;
} else {
default_log.colourise = false;
}
/*
* Starting the server, WITHOUT "-x" on the
* command-line: use whatever is in the config
* file.
*/
if (rad_debug_lvl == 0) {
rad_debug_lvl = main_config.debug_level;
}
fr_debug_lvl = rad_debug_lvl;
FR_INTEGER_COND_CHECK("max_request_time", main_config.max_request_time,
(main_config.max_request_time != 0), 100);
/*
* reject_delay can be zero. OR 1 though 10.
*/
if ((main_config.reject_delay.tv_sec != 0) || (main_config.reject_delay.tv_usec != 0)) {
FR_TIMEVAL_BOUND_CHECK("reject_delay", &main_config.reject_delay, >=, 1, 0);
}
/*
* The main guy.
*/
int main(int argc, char *argv[])
{
int rcode = EXIT_SUCCESS;
int argval;
const char *input_file = NULL;
const char *output_file = NULL;
const char *filter_file = NULL;
FILE *fp;
REQUEST *request = NULL;
VALUE_PAIR *vp;
VALUE_PAIR *filter_vps = NULL;
bool xlat_only = false;
fr_state_tree_t *state = NULL;
fr_talloc_fault_setup();
/*
* If the server was built with debugging enabled always install
* the basic fatal signal handlers.
*/
#ifndef NDEBUG
if (fr_fault_setup(getenv("PANIC_ACTION"), argv[0]) < 0) {
fr_perror("unittest");
exit(EXIT_FAILURE);
}
#endif
rad_debug_lvl = 0;
set_radius_dir(NULL, RADIUS_DIR);
/*
* Ensure that the configuration is initialized.
*/
memset(&main_config, 0, sizeof(main_config));
main_config.name = "unittest";
/*
* The tests should have only IPs, not host names.
*/
fr_hostname_lookups = false;
/*
* We always log to stdout.
*/
fr_log_fp = stdout;
default_log.dst = L_DST_STDOUT;
default_log.fd = STDOUT_FILENO;
/* Process the options. */
while ((argval = getopt(argc, argv, "d:D:f:hi:mMn:o:O:xX")) != EOF) {
switch (argval) {
case 'd':
set_radius_dir(NULL, optarg);
break;
case 'D':
main_config.dictionary_dir = talloc_typed_strdup(NULL, optarg);
break;
case 'f':
filter_file = optarg;
break;
case 'h':
usage(0);
break;
case 'i':
input_file = optarg;
break;
case 'm':
main_config.debug_memory = true;
break;
case 'M':
memory_report = true;
main_config.debug_memory = true;
break;
case 'n':
main_config.name = optarg;
break;
case 'o':
output_file = optarg;
break;
case 'O':
if (strcmp(optarg, "xlat_only") == 0) {
xlat_only = true;
break;
}
fprintf(stderr, "Unknown option '%s'\n", optarg);
exit(EXIT_FAILURE);
case 'X':
rad_debug_lvl += 2;
main_config.log_auth = true;
main_config.log_auth_badpass = true;
main_config.log_auth_goodpass = true;
break;
case 'x':
rad_debug_lvl++;
break;
default:
usage(1);
break;
}
}
if (rad_debug_lvl) version_print();
fr_debug_lvl = rad_debug_lvl;
/*
* Mismatch between the binary and the libraries it depends on
*/
if (fr_check_lib_magic(RADIUSD_MAGIC_NUMBER) < 0) {
fr_perror("%s", main_config.name);
exit(EXIT_FAILURE);
}
/*
* Initialising OpenSSL once, here, is safer than having individual modules do it.
*/
#ifdef HAVE_OPENSSL_CRYPTO_H
if (tls_global_init() < 0) {
rcode = EXIT_FAILURE;
goto finish;
}
#endif
if (xlat_register(NULL, "poke", xlat_poke, NULL, NULL, 0, XLAT_DEFAULT_BUF_LEN) < 0) {
rcode = EXIT_FAILURE;
goto finish;
}
if (map_proc_register(NULL, "test-fail", mod_map_proc, NULL, NULL, 0) < 0) {
rcode = EXIT_FAILURE;
goto finish;
}
/* Read the configuration files, BEFORE doing anything else. */
if (main_config_init() < 0) {
exit_failure:
rcode = EXIT_FAILURE;
goto finish;
}
/*
* Setup dummy virtual server
*/
cf_section_add(main_config.config, cf_section_alloc(main_config.config, "server", "unit_test"));
/*
* Initialize Auth-Type, etc. in the virtual servers
* before loading the modules. Some modules need those
* to be defined.
*/
if (virtual_servers_bootstrap(main_config.config) < 0) goto exit_failure;
/*
* Bootstrap the modules. This links to them, and runs
* their "bootstrap" routines.
*
* After this step, all dynamic attributes, xlats, etc. are defined.
*/
if (modules_bootstrap(main_config.config) < 0) exit(EXIT_FAILURE);
/*
* Load the modules
*/
if (modules_init(main_config.config) < 0) goto exit_failure;
/*
* And then load the virtual servers.
*/
if (virtual_servers_init(main_config.config) < 0) goto exit_failure;
state = fr_state_tree_init(NULL, main_config.max_requests * 2, 10);
/*
* Set the panic action (if required)
*/
{
char const *panic_action = NULL;
panic_action = getenv("PANIC_ACTION");
if (!panic_action) panic_action = main_config.panic_action;
if (panic_action && (fr_fault_setup(panic_action, argv[0]) < 0)) {
fr_perror("%s", main_config.name);
exit(EXIT_FAILURE);
}
}
setlinebuf(stdout); /* unbuffered output */
if (!input_file || (strcmp(input_file, "-") == 0)) {
fp = stdin;
} else {
fp = fopen(input_file, "r");
if (!fp) {
fprintf(stderr, "Failed reading %s: %s\n",
input_file, strerror(errno));
rcode = EXIT_FAILURE;
goto finish;
}
}
/*
* For simplicity, read xlat's.
*/
if (xlat_only) {
if (!do_xlats(input_file, fp)) rcode = EXIT_FAILURE;
if (input_file) fclose(fp);
goto finish;
}
/*
* Grab the VPs from stdin, or from the file.
*/
request = request_setup(fp);
if (!request) {
fprintf(stderr, "Failed reading input: %s\n", fr_strerror());
rcode = EXIT_FAILURE;
goto finish;
}
/*
* No filter file, OR there's no more input, OR we're
* reading from a file, and it's different from the
* filter file.
*/
if (!filter_file || filedone ||
((input_file != NULL) && (strcmp(filter_file, input_file) != 0))) {
if (output_file) {
fclose(fp);
fp = NULL;
}
filedone = false;
}
/*
* There is a filter file. If necessary, open it. If we
* already are reading it via "input_file", then we don't
* need to re-open it.
*/
if (filter_file) {
if (!fp) {
fp = fopen(filter_file, "r");
if (!fp) {
fprintf(stderr, "Failed reading %s: %s\n", filter_file, strerror(errno));
rcode = EXIT_FAILURE;
goto finish;
}
}
if (fr_pair_list_afrom_file(request, &filter_vps, fp, &filedone) < 0) {
fprintf(stderr, "Failed reading attributes from %s: %s\n",
filter_file, fr_strerror());
rcode = EXIT_FAILURE;
goto finish;
}
/*
* FIXME: loop over input packets.
*/
fclose(fp);
}
rad_virtual_server(request);
if (!output_file || (strcmp(output_file, "-") == 0)) {
fp = stdout;
} else {
fp = fopen(output_file, "w");
if (!fp) {
fprintf(stderr, "Failed writing %s: %s\n",
output_file, strerror(errno));
exit(EXIT_FAILURE);
}
}
print_packet(fp, request->reply);
if (output_file) fclose(fp);
/*
* Update the list with the response type.
*/
vp = radius_pair_create(request->reply, &request->reply->vps,
PW_RESPONSE_PACKET_TYPE, 0);
vp->vp_integer = request->reply->code;
{
VALUE_PAIR const *failed[2];
if (filter_vps && !fr_pair_validate(failed, filter_vps, request->reply->vps)) {
fr_pair_validate_debug(request, failed);
fr_perror("Output file %s does not match attributes in filter %s (%s)",
output_file ? output_file : input_file, filter_file, fr_strerror());
rcode = EXIT_FAILURE;
goto finish;
}
}
INFO("Exiting normally");
finish:
talloc_free(request);
talloc_free(state);
/*
* Free the configuration items.
*/
main_config_free();
/*
* Detach any modules.
*/
modules_free();
xlat_unregister(NULL, "poke", xlat_poke);
xlat_free(); /* modules may have xlat's */
if (memory_report) {
INFO("Allocated memory at time of report:");
fr_log_talloc_report(NULL);
}
return rcode;
}
