/** Allocate a fake client representing the LDAP connection
*
* The server expects a client, and it's easier to fake one than check all
* request->client dereferences.
*
* @param[in] inst of proto_ldap to allocate a fake client for.
* @return
* - A fake client.
* - NULL on error.
*/
static RADCLIENT *proto_ldap_fake_client_alloc(proto_ldap_inst_t *inst)
{
CONF_SECTION *cs;
CONF_PAIR *cp;
RADCLIENT *client;
char buffer[FR_IPADDR_STRLEN];
cs = cf_section_alloc(NULL, NULL, "client", "ldap");
cp = cf_pair_alloc(cs, "ipaddr", fr_inet_ntop(buffer, sizeof(buffer), &inst->dst_ipaddr),
T_OP_EQ, T_BARE_WORD, T_BARE_WORD);
cf_pair_add(cs, cp);
cp = cf_pair_alloc(cs, "secret", "fake", T_OP_EQ, T_BARE_WORD, T_BARE_WORD);
cf_pair_add(cs, cp);
client = client_afrom_cs(inst, cs, NULL);
if (!client) {
PERROR("Failed creating fake LDAP client");
talloc_free(cs);
return NULL;
}
talloc_steal(client, cs);
return client;
}
RADCLIENT_LIST *client_list_parse_section(CONF_SECTION *section, UNUSED bool tls_required)
#endif
{
bool global = false, in_server = false;
CONF_SECTION *cs;
RADCLIENT *c;
RADCLIENT_LIST *clients;
/*
* Be forgiving. If there's already a clients, return
* it. Otherwise create a new one.
*/
clients = cf_data_find(section, "clients");
if (clients) return clients;
clients = client_list_init(section);
if (!clients) return NULL;
if (cf_top_section(section) == section) global = true;
if (strcmp("server", cf_section_name1(section)) == 0) in_server = true;
/*
* Associate the clients structure with the section.
*/
if (cf_data_add(section, "clients", clients, NULL) < 0) {
cf_log_err_cs(section,
"Failed to associate clients with section %s",
cf_section_name1(section));
client_list_free(clients);
return NULL;
}
for (cs = cf_subsection_find_next(section, NULL, "client");
cs != NULL;
cs = cf_subsection_find_next(section, cs, "client")) {
c = client_afrom_cs(cs, cs, in_server, false);
if (!c) {
return NULL;
}
#ifdef WITH_TLS
/*
* TLS clients CANNOT use non-TLS listeners.
* non-TLS clients CANNOT use TLS listeners.
*/
if (tls_required != c->tls_required) {
cf_log_err_cs(cs, "Client does not have the same TLS configuration as the listener");
client_free(c);
client_list_free(clients);
return NULL;
}
#endif
/*
* FIXME: Add the client as data via cf_data_add,
* for migration issues.
*/
#ifdef WITH_DYNAMIC_CLIENTS
#ifdef HAVE_DIRENT_H
if (c->client_server) {
char const *value;
CONF_PAIR *cp;
DIR *dir;
struct dirent *dp;
struct stat stat_buf;
char buf2[2048];
/*
* Find the directory where individual
* client definitions are stored.
*/
cp = cf_pair_find(cs, "directory");
if (!cp) goto add_client;
value = cf_pair_value(cp);
if (!value) {
cf_log_err_cs(cs,
"The \"directory\" entry must not be empty");
client_free(c);
return NULL;
}
DEBUG("including dynamic clients in %s", value);
dir = opendir(value);
if (!dir) {
cf_log_err_cs(cs, "Error reading directory %s: %s", value, fr_syserror(errno));
client_free(c);
return NULL;
}
/*
* Read the directory, ignoring "." files.
*/
while ((dp = readdir(dir)) != NULL) {
char const *p;
RADCLIENT *dc;
if (dp->d_name[0] == '.') continue;
/*
* Check for valid characters
*/
for (p = dp->d_name; *p != '\0'; p++) {
if (isalpha((int)*p) ||
isdigit((int)*p) ||
(*p == ':') ||
(*p == '.')) continue;
break;
}
if (*p != '\0') continue;
snprintf(buf2, sizeof(buf2), "%s/%s",
value, dp->d_name);
if ((stat(buf2, &stat_buf) != 0) ||
S_ISDIR(stat_buf.st_mode)) continue;
dc = client_read(buf2, in_server, true);
if (!dc) {
cf_log_err_cs(cs,
"Failed reading client file \"%s\"", buf2);
client_free(c);
closedir(dir);
return NULL;
}
/*
* Validate, and add to the list.
*/
if (!client_add_dynamic(clients, c, dc)) {
client_free(c);
closedir(dir);
return NULL;
}
} /* loop over the directory */
closedir(dir);
}
#endif /* HAVE_DIRENT_H */
add_client:
#endif /* WITH_DYNAMIC_CLIENTS */
if (!client_add(clients, c)) {
cf_log_err_cs(cs,
"Failed to add client %s",
cf_section_name2(cs));
client_free(c);
return NULL;
}
}
/*
* Replace the global list of clients with the new one.
* The old one is still referenced from the original
* configuration, and will be freed when that is freed.
*/
if (global) {
root_clients = clients;
}
return clients;
}
/** Load clients from LDAP on server start
*
* @param[in] inst rlm_ldap configuration.
* @param[in] cs to load client attribute/LDAP attribute mappings from.
* @return -1 on error else 0.
*/
int rlm_ldap_client_load(ldap_instance_t const *inst, CONF_SECTION *cs)
{
int ret = 0;
ldap_rcode_t status;
ldap_handle_t *conn = NULL;
char const **attrs = NULL;
CONF_PAIR *cp;
int count = 0, idx = 0;
LDAPMessage *result = NULL;
LDAPMessage *entry;
char *dn = NULL;
RADCLIENT *c;
LDAP_DBG("Loading dynamic clients");
rad_assert(inst->clientobj_base_dn);
if (!inst->clientobj_filter) {
LDAP_ERR("Told to load clients but 'client.filter' not specified");
return -1;
}
count = cf_pair_count(cs);
count++;
/*
* Create an array of LDAP attributes to feed to rlm_ldap_search.
*/
attrs = talloc_array(inst, char const *, count);
if (rlm_ldap_client_get_attrs(attrs, &idx, cs) < 0) return -1;
conn = rlm_ldap_get_socket(inst, NULL);
if (!conn) return -1;
/*
* Perform all searches as the admin user.
*/
if (conn->rebound) {
status = rlm_ldap_bind(inst, NULL, &conn, inst->admin_dn, inst->password, true);
if (status != LDAP_PROC_SUCCESS) {
ret = -1;
goto finish;
}
rad_assert(conn);
conn->rebound = false;
}
status = rlm_ldap_search(inst, NULL, &conn, inst->clientobj_base_dn, inst->clientobj_scope,
inst->clientobj_filter, attrs, &result);
switch (status) {
case LDAP_PROC_SUCCESS:
break;
case LDAP_PROC_NO_RESULT:
LDAP_INFO("No clients were found in the directory");
ret = 0;
goto finish;
default:
ret = -1;
goto finish;
}
rad_assert(conn);
entry = ldap_first_entry(conn->handle, result);
if (!entry) {
int ldap_errno;
ldap_get_option(conn->handle, LDAP_OPT_RESULT_CODE, &ldap_errno);
LDAP_ERR("Failed retrieving entry: %s", ldap_err2string(ldap_errno));
ret = -1;
goto finish;
}
do {
CONF_SECTION *cc;
char *id;
char **value;
id = dn = ldap_get_dn(conn->handle, entry);
cp = cf_pair_find(cs, "identifier");
if (cp) {
value = ldap_get_values(conn->handle, entry, cf_pair_value(cp));
if (value) id = value[0];
}
/*
* Iterate over mapping sections
*/
cc = cf_section_alloc(NULL, "client", id);
if (rlm_ldap_client_map_section(inst, cc, cs, conn, entry) < 0) {
talloc_free(cc);
ret = -1;
goto finish;
}
/*
*@todo these should be parented from something
*/
c = client_afrom_cs(NULL, cc, false);
if (!c) {
talloc_free(cc);
ret = -1;
goto finish;
}
/*
* Client parents the CONF_SECTION which defined it
*/
talloc_steal(c, cc);
if (!client_add(NULL, c)) {
LDAP_ERR("Failed to add client \"%s\", possible duplicate?", dn);
ret = -1;
client_free(c);
goto finish;
}
LDAP_DBG("Client \"%s\" added", dn);
ldap_memfree(dn);
dn = NULL;
} while ((entry = ldap_next_entry(conn->handle, entry)));
finish:
talloc_free(attrs);
if (dn) ldap_memfree(dn);
if (result) ldap_msgfree(result);
rlm_ldap_release_socket(inst, conn);
return ret;
}
/** Load client entries from Couchbase client documents on startup
*
* This function executes the view defined in the module configuration and loops
* through all returned rows. The view is called with "stale=false" to ensure the
* most accurate data available when the view is called. This will force an index
* rebuild on this design document in Couchbase. However, since this function is only
* run once at sever startup this should not be a concern.
*
* @param inst The module instance.
* @param cs The client attribute configuration section.
* @return Returns 0 on success, -1 on error.
*/
int mod_load_client_documents(rlm_couchbase_t *inst, CONF_SECTION *cs)
{
void *handle = NULL; /* connection pool handle */
char vpath[256], docid[MAX_KEY_SIZE]; /* view path and document id */
char error[512]; /* view error return */
int idx = 0; /* row array index counter */
int retval = 0; /* return value */
lcb_error_t cb_error = LCB_SUCCESS; /* couchbase error holder */
json_object *json, *jval; /* json object holders */
json_object *jrows = NULL; /* json object to hold view rows */
CONF_SECTION *client; /* freeradius config section */
RADCLIENT *c; /* freeradius client */
/* get handle */
handle = fr_connection_get(inst->pool);
/* check handle */
if (!handle) return -1;
/* set handle pointer */
rlm_couchbase_handle_t *handle_t = handle;
/* set couchbase instance */
lcb_t cb_inst = handle_t->handle;
/* set cookie */
cookie_t *cookie = handle_t->cookie;
/* check cookie */
if (cookie) {
/* clear cookie */
memset(cookie, 0, sizeof(cookie_t));
} else {
/* log error */
ERROR("rlm_couchbase: cookie not usable - possibly not allocated");
/* set return */
retval = -1;
/* return */
goto free_and_return;
}
/* build view path */
snprintf(vpath, sizeof(vpath), "%s?stale=false", inst->client_view);
/* init cookie error status */
cookie->jerr = json_tokener_success;
/* setup cookie tokener */
cookie->jtok = json_tokener_new();
/* query view for document */
cb_error = couchbase_query_view(cb_inst, cookie, vpath, NULL);
/* free json token */
json_tokener_free(cookie->jtok);
/* check error */
if (cb_error != LCB_SUCCESS || cookie->jerr != json_tokener_success) {
/* log error */
ERROR("rlm_couchbase: failed to execute view request or parse return");
/* set return */
retval = -1;
/* return */
goto free_and_return;
}
/* debugging */
DEBUG("rlm_couchbase: cookie->jobj == %s", json_object_to_json_string(cookie->jobj));
/* check cookie */
if (!cookie->jobj) {
/* log error */
ERROR("rlm_couchbase: failed to fetch view");
/* set return */
retval = -1;
/* return */
goto free_and_return;
}
/* check for error in json object */
if (json_object_object_get_ex(cookie->jobj, "error", &json)) {
/* build initial error buffer */
strlcpy(error, json_object_get_string(json), sizeof(error));
/* get error reason */
if (json_object_object_get_ex(cookie->jobj, "reason", &json)) {
/* append divider */
strlcat(error, " - ", sizeof(error));
/* append reason */
strlcat(error, json_object_get_string(json), sizeof(error));
}
/* log error */
ERROR("rlm_couchbase: view request failed with error: %s", error);
/* set return */
retval = -1;
/* return */
goto free_and_return;
}
/* check for document id in return */
if (!json_object_object_get_ex(cookie->jobj, "rows", &json)) {
/* log error */
ERROR("rlm_couchbase: failed to fetch rows from view payload");
/* set return */
retval = -1;
/* return */
goto free_and_return;
}
/* get and hold rows */
jrows = json_object_get(json);
/* free cookie object */
json_object_put(cookie->jobj);
/* debugging */
DEBUG("rlm_couchbase: jrows == %s", json_object_to_json_string(jrows));
/* check for valid row value */
if (!json_object_is_type(jrows, json_type_array) && json_object_array_length(jrows) < 1) {
/* log error */
ERROR("rlm_couchbase: couldn't find valid rows in view return");
/* set return */
retval = -1;
/* return */
goto free_and_return;
}
/* loop across all row elements */
for (idx = 0; idx < json_object_array_length(jrows); idx++) {
/* fetch current index */
json = json_object_array_get_idx(jrows, idx);
/* get document id */
if (json_object_object_get_ex(json, "id", &jval)) {
/* clear docid */
memset(docid, 0, sizeof(docid));
/* copy and check length */
if (strlcpy(docid, json_object_get_string(jval), sizeof(docid)) >= sizeof(docid)) {
ERROR("rlm_couchbase: document id from row longer than MAX_KEY_SIZE (%d)", MAX_KEY_SIZE);
continue;
}
}
/* check for valid doc id */
if (docid[0] == 0) {
WARN("rlm_couchbase: failed to fetch document id from row - skipping");
continue;
}
/* debugging */
DEBUG("rlm_couchbase: preparing to fetch docid '%s'", docid);
/* reset cookie error status */
cookie->jerr = json_tokener_success;
/* fetch document */
cb_error = couchbase_get_key(cb_inst, cookie, docid);
/* check error */
if (cb_error != LCB_SUCCESS || cookie->jerr != json_tokener_success) {
/* log error */
ERROR("rlm_couchbase: failed to execute get request or parse return");
/* set return */
retval = -1;
/* return */
goto free_and_return;
}
/* debugging */
DEBUG("rlm_couchbase: cookie->jobj == %s", json_object_to_json_string(cookie->jobj));
/* allocate conf section */
client = cf_section_alloc(NULL, "client", docid);
if (_mod_client_map_section(client, cs, cookie->jobj, docid) != 0) {
/* free config setion */
talloc_free(client);
/* set return */
retval = -1;
/* return */
goto free_and_return;
}
/*
* @todo These should be parented from something.
*/
c = client_afrom_cs(NULL, client, false);
if (!c) {
ERROR("rlm_couchbase: failed to allocate client");
/* free config setion */
talloc_free(client);
/* set return */
retval = -1;
/* return */
goto free_and_return;
}
/*
* Client parents the CONF_SECTION which defined it.
*/
talloc_steal(c, client);
/* attempt to add client */
if (!client_add(NULL, c)) {
ERROR("rlm_couchbase: failed to add client from %s, possible duplicate?", docid);
/* free client */
client_free(c);
/* set return */
retval = -1;
/* return */
goto free_and_return;
}
/* debugging */
DEBUG("rlm_couchbase: client '%s' added", c->longname);
/* free json object */
json_object_put(cookie->jobj);
}
free_and_return:
/* free json object */
if (cookie->jobj) {
json_object_put(cookie->jobj);
}
/* free rows */
if (jrows) {
json_object_put(jrows);
}
/* release handle */
if (handle) {
fr_connection_release(inst->pool, handle);
}
/* return */
return retval;
}
