/** Allocate a fake client representing the LDAP connection * * The server expects a client, and it's easier to fake one than check all * request->client dereferences. * * @param[in] inst of proto_ldap to allocate a fake client for. * @return * - A fake client. * - NULL on error. */ static RADCLIENT *proto_ldap_fake_client_alloc(proto_ldap_inst_t *inst) { CONF_SECTION *cs; CONF_PAIR *cp; RADCLIENT *client; char buffer[FR_IPADDR_STRLEN]; cs = cf_section_alloc(NULL, NULL, "client", "ldap"); cp = cf_pair_alloc(cs, "ipaddr", fr_inet_ntop(buffer, sizeof(buffer), &inst->dst_ipaddr), T_OP_EQ, T_BARE_WORD, T_BARE_WORD); cf_pair_add(cs, cp); cp = cf_pair_alloc(cs, "secret", "fake", T_OP_EQ, T_BARE_WORD, T_BARE_WORD); cf_pair_add(cs, cp); client = client_afrom_cs(inst, cs, NULL); if (!client) { PERROR("Failed creating fake LDAP client"); talloc_free(cs); return NULL; } talloc_steal(client, cs); return client; }
RADCLIENT_LIST *client_list_parse_section(CONF_SECTION *section, UNUSED bool tls_required) #endif { bool global = false, in_server = false; CONF_SECTION *cs; RADCLIENT *c; RADCLIENT_LIST *clients; /* * Be forgiving. If there's already a clients, return * it. Otherwise create a new one. */ clients = cf_data_find(section, "clients"); if (clients) return clients; clients = client_list_init(section); if (!clients) return NULL; if (cf_top_section(section) == section) global = true; if (strcmp("server", cf_section_name1(section)) == 0) in_server = true; /* * Associate the clients structure with the section. */ if (cf_data_add(section, "clients", clients, NULL) < 0) { cf_log_err_cs(section, "Failed to associate clients with section %s", cf_section_name1(section)); client_list_free(clients); return NULL; } for (cs = cf_subsection_find_next(section, NULL, "client"); cs != NULL; cs = cf_subsection_find_next(section, cs, "client")) { c = client_afrom_cs(cs, cs, in_server, false); if (!c) { return NULL; } #ifdef WITH_TLS /* * TLS clients CANNOT use non-TLS listeners. * non-TLS clients CANNOT use TLS listeners. */ if (tls_required != c->tls_required) { cf_log_err_cs(cs, "Client does not have the same TLS configuration as the listener"); client_free(c); client_list_free(clients); return NULL; } #endif /* * FIXME: Add the client as data via cf_data_add, * for migration issues. */ #ifdef WITH_DYNAMIC_CLIENTS #ifdef HAVE_DIRENT_H if (c->client_server) { char const *value; CONF_PAIR *cp; DIR *dir; struct dirent *dp; struct stat stat_buf; char buf2[2048]; /* * Find the directory where individual * client definitions are stored. */ cp = cf_pair_find(cs, "directory"); if (!cp) goto add_client; value = cf_pair_value(cp); if (!value) { cf_log_err_cs(cs, "The \"directory\" entry must not be empty"); client_free(c); return NULL; } DEBUG("including dynamic clients in %s", value); dir = opendir(value); if (!dir) { cf_log_err_cs(cs, "Error reading directory %s: %s", value, fr_syserror(errno)); client_free(c); return NULL; } /* * Read the directory, ignoring "." files. */ while ((dp = readdir(dir)) != NULL) { char const *p; RADCLIENT *dc; if (dp->d_name[0] == '.') continue; /* * Check for valid characters */ for (p = dp->d_name; *p != '\0'; p++) { if (isalpha((int)*p) || isdigit((int)*p) || (*p == ':') || (*p == '.')) continue; break; } if (*p != '\0') continue; snprintf(buf2, sizeof(buf2), "%s/%s", value, dp->d_name); if ((stat(buf2, &stat_buf) != 0) || S_ISDIR(stat_buf.st_mode)) continue; dc = client_read(buf2, in_server, true); if (!dc) { cf_log_err_cs(cs, "Failed reading client file \"%s\"", buf2); client_free(c); closedir(dir); return NULL; } /* * Validate, and add to the list. */ if (!client_add_dynamic(clients, c, dc)) { client_free(c); closedir(dir); return NULL; } } /* loop over the directory */ closedir(dir); } #endif /* HAVE_DIRENT_H */ add_client: #endif /* WITH_DYNAMIC_CLIENTS */ if (!client_add(clients, c)) { cf_log_err_cs(cs, "Failed to add client %s", cf_section_name2(cs)); client_free(c); return NULL; } } /* * Replace the global list of clients with the new one. * The old one is still referenced from the original * configuration, and will be freed when that is freed. */ if (global) { root_clients = clients; } return clients; }
/** Load clients from LDAP on server start * * @param[in] inst rlm_ldap configuration. * @param[in] cs to load client attribute/LDAP attribute mappings from. * @return -1 on error else 0. */ int rlm_ldap_client_load(ldap_instance_t const *inst, CONF_SECTION *cs) { int ret = 0; ldap_rcode_t status; ldap_handle_t *conn = NULL; char const **attrs = NULL; CONF_PAIR *cp; int count = 0, idx = 0; LDAPMessage *result = NULL; LDAPMessage *entry; char *dn = NULL; RADCLIENT *c; LDAP_DBG("Loading dynamic clients"); rad_assert(inst->clientobj_base_dn); if (!inst->clientobj_filter) { LDAP_ERR("Told to load clients but 'client.filter' not specified"); return -1; } count = cf_pair_count(cs); count++; /* * Create an array of LDAP attributes to feed to rlm_ldap_search. */ attrs = talloc_array(inst, char const *, count); if (rlm_ldap_client_get_attrs(attrs, &idx, cs) < 0) return -1; conn = rlm_ldap_get_socket(inst, NULL); if (!conn) return -1; /* * Perform all searches as the admin user. */ if (conn->rebound) { status = rlm_ldap_bind(inst, NULL, &conn, inst->admin_dn, inst->password, true); if (status != LDAP_PROC_SUCCESS) { ret = -1; goto finish; } rad_assert(conn); conn->rebound = false; } status = rlm_ldap_search(inst, NULL, &conn, inst->clientobj_base_dn, inst->clientobj_scope, inst->clientobj_filter, attrs, &result); switch (status) { case LDAP_PROC_SUCCESS: break; case LDAP_PROC_NO_RESULT: LDAP_INFO("No clients were found in the directory"); ret = 0; goto finish; default: ret = -1; goto finish; } rad_assert(conn); entry = ldap_first_entry(conn->handle, result); if (!entry) { int ldap_errno; ldap_get_option(conn->handle, LDAP_OPT_RESULT_CODE, &ldap_errno); LDAP_ERR("Failed retrieving entry: %s", ldap_err2string(ldap_errno)); ret = -1; goto finish; } do { CONF_SECTION *cc; char *id; char **value; id = dn = ldap_get_dn(conn->handle, entry); cp = cf_pair_find(cs, "identifier"); if (cp) { value = ldap_get_values(conn->handle, entry, cf_pair_value(cp)); if (value) id = value[0]; } /* * Iterate over mapping sections */ cc = cf_section_alloc(NULL, "client", id); if (rlm_ldap_client_map_section(inst, cc, cs, conn, entry) < 0) { talloc_free(cc); ret = -1; goto finish; } /* *@todo these should be parented from something */ c = client_afrom_cs(NULL, cc, false); if (!c) { talloc_free(cc); ret = -1; goto finish; } /* * Client parents the CONF_SECTION which defined it */ talloc_steal(c, cc); if (!client_add(NULL, c)) { LDAP_ERR("Failed to add client \"%s\", possible duplicate?", dn); ret = -1; client_free(c); goto finish; } LDAP_DBG("Client \"%s\" added", dn); ldap_memfree(dn); dn = NULL; } while ((entry = ldap_next_entry(conn->handle, entry))); finish: talloc_free(attrs); if (dn) ldap_memfree(dn); if (result) ldap_msgfree(result); rlm_ldap_release_socket(inst, conn); return ret; }
/** Load client entries from Couchbase client documents on startup * * This function executes the view defined in the module configuration and loops * through all returned rows. The view is called with "stale=false" to ensure the * most accurate data available when the view is called. This will force an index * rebuild on this design document in Couchbase. However, since this function is only * run once at sever startup this should not be a concern. * * @param inst The module instance. * @param cs The client attribute configuration section. * @return Returns 0 on success, -1 on error. */ int mod_load_client_documents(rlm_couchbase_t *inst, CONF_SECTION *cs) { void *handle = NULL; /* connection pool handle */ char vpath[256], docid[MAX_KEY_SIZE]; /* view path and document id */ char error[512]; /* view error return */ int idx = 0; /* row array index counter */ int retval = 0; /* return value */ lcb_error_t cb_error = LCB_SUCCESS; /* couchbase error holder */ json_object *json, *jval; /* json object holders */ json_object *jrows = NULL; /* json object to hold view rows */ CONF_SECTION *client; /* freeradius config section */ RADCLIENT *c; /* freeradius client */ /* get handle */ handle = fr_connection_get(inst->pool); /* check handle */ if (!handle) return -1; /* set handle pointer */ rlm_couchbase_handle_t *handle_t = handle; /* set couchbase instance */ lcb_t cb_inst = handle_t->handle; /* set cookie */ cookie_t *cookie = handle_t->cookie; /* check cookie */ if (cookie) { /* clear cookie */ memset(cookie, 0, sizeof(cookie_t)); } else { /* log error */ ERROR("rlm_couchbase: cookie not usable - possibly not allocated"); /* set return */ retval = -1; /* return */ goto free_and_return; } /* build view path */ snprintf(vpath, sizeof(vpath), "%s?stale=false", inst->client_view); /* init cookie error status */ cookie->jerr = json_tokener_success; /* setup cookie tokener */ cookie->jtok = json_tokener_new(); /* query view for document */ cb_error = couchbase_query_view(cb_inst, cookie, vpath, NULL); /* free json token */ json_tokener_free(cookie->jtok); /* check error */ if (cb_error != LCB_SUCCESS || cookie->jerr != json_tokener_success) { /* log error */ ERROR("rlm_couchbase: failed to execute view request or parse return"); /* set return */ retval = -1; /* return */ goto free_and_return; } /* debugging */ DEBUG("rlm_couchbase: cookie->jobj == %s", json_object_to_json_string(cookie->jobj)); /* check cookie */ if (!cookie->jobj) { /* log error */ ERROR("rlm_couchbase: failed to fetch view"); /* set return */ retval = -1; /* return */ goto free_and_return; } /* check for error in json object */ if (json_object_object_get_ex(cookie->jobj, "error", &json)) { /* build initial error buffer */ strlcpy(error, json_object_get_string(json), sizeof(error)); /* get error reason */ if (json_object_object_get_ex(cookie->jobj, "reason", &json)) { /* append divider */ strlcat(error, " - ", sizeof(error)); /* append reason */ strlcat(error, json_object_get_string(json), sizeof(error)); } /* log error */ ERROR("rlm_couchbase: view request failed with error: %s", error); /* set return */ retval = -1; /* return */ goto free_and_return; } /* check for document id in return */ if (!json_object_object_get_ex(cookie->jobj, "rows", &json)) { /* log error */ ERROR("rlm_couchbase: failed to fetch rows from view payload"); /* set return */ retval = -1; /* return */ goto free_and_return; } /* get and hold rows */ jrows = json_object_get(json); /* free cookie object */ json_object_put(cookie->jobj); /* debugging */ DEBUG("rlm_couchbase: jrows == %s", json_object_to_json_string(jrows)); /* check for valid row value */ if (!json_object_is_type(jrows, json_type_array) && json_object_array_length(jrows) < 1) { /* log error */ ERROR("rlm_couchbase: couldn't find valid rows in view return"); /* set return */ retval = -1; /* return */ goto free_and_return; } /* loop across all row elements */ for (idx = 0; idx < json_object_array_length(jrows); idx++) { /* fetch current index */ json = json_object_array_get_idx(jrows, idx); /* get document id */ if (json_object_object_get_ex(json, "id", &jval)) { /* clear docid */ memset(docid, 0, sizeof(docid)); /* copy and check length */ if (strlcpy(docid, json_object_get_string(jval), sizeof(docid)) >= sizeof(docid)) { ERROR("rlm_couchbase: document id from row longer than MAX_KEY_SIZE (%d)", MAX_KEY_SIZE); continue; } } /* check for valid doc id */ if (docid[0] == 0) { WARN("rlm_couchbase: failed to fetch document id from row - skipping"); continue; } /* debugging */ DEBUG("rlm_couchbase: preparing to fetch docid '%s'", docid); /* reset cookie error status */ cookie->jerr = json_tokener_success; /* fetch document */ cb_error = couchbase_get_key(cb_inst, cookie, docid); /* check error */ if (cb_error != LCB_SUCCESS || cookie->jerr != json_tokener_success) { /* log error */ ERROR("rlm_couchbase: failed to execute get request or parse return"); /* set return */ retval = -1; /* return */ goto free_and_return; } /* debugging */ DEBUG("rlm_couchbase: cookie->jobj == %s", json_object_to_json_string(cookie->jobj)); /* allocate conf section */ client = cf_section_alloc(NULL, "client", docid); if (_mod_client_map_section(client, cs, cookie->jobj, docid) != 0) { /* free config setion */ talloc_free(client); /* set return */ retval = -1; /* return */ goto free_and_return; } /* * @todo These should be parented from something. */ c = client_afrom_cs(NULL, client, false); if (!c) { ERROR("rlm_couchbase: failed to allocate client"); /* free config setion */ talloc_free(client); /* set return */ retval = -1; /* return */ goto free_and_return; } /* * Client parents the CONF_SECTION which defined it. */ talloc_steal(c, client); /* attempt to add client */ if (!client_add(NULL, c)) { ERROR("rlm_couchbase: failed to add client from %s, possible duplicate?", docid); /* free client */ client_free(c); /* set return */ retval = -1; /* return */ goto free_and_return; } /* debugging */ DEBUG("rlm_couchbase: client '%s' added", c->longname); /* free json object */ json_object_put(cookie->jobj); } free_and_return: /* free json object */ if (cookie->jobj) { json_object_put(cookie->jobj); } /* free rows */ if (jrows) { json_object_put(jrows); } /* release handle */ if (handle) { fr_connection_release(inst->pool, handle); } /* return */ return retval; }