static Term
p_mod(Term t1, Term t2 USES_REGS) {
switch (ETypeOfTerm(t1)) {
case (CELL)long_int_e:
switch (ETypeOfTerm(t2)) {
case (CELL)long_int_e:
/* two integers */
{
Int i1 = IntegerOfTerm(t1);
Int i2 = IntegerOfTerm(t2);
Int mod;
if (i2 == 0)
return Yap_ArithError(EVALUATION_ERROR_ZERO_DIVISOR, t2, "X is " Int_FORMAT " mod 0", i1);
if (i1 == Int_MIN && i2 == -1) {
return MkIntTerm(0);
}
mod = i1%i2;
if (mod && (mod ^ i2) < 0)
mod += i2;
RINT(mod);
}
case (CELL)double_e:
return Yap_ArithError(TYPE_ERROR_INTEGER, t2, "mod/2");
case (CELL)big_int_e:
#ifdef USE_GMP
return Yap_gmp_mod_int_big(IntegerOfTerm(t1), t2);
#endif
default:
RERROR();
break;
}
case (CELL)double_e:
return Yap_ArithError(TYPE_ERROR_INTEGER, t2, "mod/2");
case (CELL)big_int_e:
#ifdef USE_GMP
switch (ETypeOfTerm(t2)) {
case long_int_e:
/* modulo between bignum and integer */
{
Int i2 = IntegerOfTerm(t2);
if (i2 == 0)
return Yap_ArithError(EVALUATION_ERROR_ZERO_DIVISOR, t2, "X is ... mod 0");
return Yap_gmp_mod_big_int(t1, i2);
}
case (CELL)big_int_e:
/* two bignums */
return Yap_gmp_mod_big_big(t1, t2);
case double_e:
return Yap_ArithError(TYPE_ERROR_INTEGER, t2, "mod/2");
default:
RERROR();
}
#endif
default:
RERROR();
}
}
static Term
p_rem(Term t1, Term t2) {
switch (ETypeOfTerm(t1)) {
case (CELL)long_int_e:
switch (ETypeOfTerm(t2)) {
case (CELL)long_int_e:
/* two integers */
{
Int i1 = IntegerOfTerm(t1);
Int i2 = IntegerOfTerm(t2);
Int mod;
if (i2 == 0) goto zero_divisor;
if (i1 == Int_MIN && i2 == -1) {
#ifdef USE_GMP
return Yap_gmp_add_ints(Int_MAX, 1);
#else
return Yap_ArithError(EVALUATION_ERROR_INT_OVERFLOW, t1,
"rem/2 with %d and %d", i1, i2);
#endif
}
mod = i1%i2;
RINT(i1%i2);
}
case (CELL)double_e:
return Yap_ArithError(TYPE_ERROR_INTEGER, t2, "mod/2");
case (CELL)big_int_e:
#ifdef USE_GMP
return Yap_gmp_rem_int_big(IntegerOfTerm(t1), t2);
#endif
default:
RERROR();
}
break;
case (CELL)double_e:
return Yap_ArithError(TYPE_ERROR_INTEGER, t1, "mod/2");
case (CELL)big_int_e:
#ifdef USE_GMP
switch (ETypeOfTerm(t2)) {
case long_int_e:
return Yap_gmp_rem_big_int(t1, IntegerOfTerm(t2));
case (CELL)big_int_e:
/* two bignums */
return Yap_gmp_rem_big_big(t1, t2);
case double_e:
return Yap_ArithError(TYPE_ERROR_INTEGER, t2, "mod/2");
default:
RERROR();
}
#endif
default:
RERROR();
}
zero_divisor:
return Yap_ArithError(EVALUATION_ERROR_ZERO_DIVISOR, t2, "X is mod 0");
}
/** Dialogue between RADIUS and PAM modules
*
* Uses PAM's appdata_ptr so it's thread safe, and doesn't
* have any nasty static variables hanging around.
*/
static int pam_conv(int num_msg, struct pam_message const **msg, struct pam_response **resp, void *appdata_ptr)
{
int count;
struct pam_response *reply;
REQUEST *request;
rlm_pam_data_t *pam_config = (rlm_pam_data_t *) appdata_ptr;
request = pam_config->request;
/* strdup(NULL) doesn't work on some platforms */
#define COPY_STRING(s) ((s) ? strdup(s) : NULL)
reply = rad_malloc(num_msg * sizeof(struct pam_response));
memset(reply, 0, num_msg * sizeof(struct pam_response));
for (count = 0; count < num_msg; count++) {
switch (msg[count]->msg_style) {
case PAM_PROMPT_ECHO_ON:
reply[count].resp_retcode = PAM_SUCCESS;
reply[count].resp = COPY_STRING(pam_config->username);
break;
case PAM_PROMPT_ECHO_OFF:
reply[count].resp_retcode = PAM_SUCCESS;
reply[count].resp = COPY_STRING(pam_config->password);
break;
case PAM_TEXT_INFO:
RDEBUG2("%s", msg[count]->msg);
break;
case PAM_ERROR_MSG:
default:
RERROR("PAM conversation failed");
/* Must be an error of some sort... */
for (count = 0; count < num_msg; count++) {
if (msg[count]->msg_style == PAM_ERROR_MSG) RERROR("%s", msg[count]->msg);
if (reply[count].resp) {
/* could be a password, let's be sanitary */
memset(reply[count].resp, 0, strlen(reply[count].resp));
free(reply[count].resp);
}
}
free(reply);
pam_config->error = true;
return PAM_CONV_ERR;
}
}
*resp = reply;
/* PAM frees reply (including reply[].resp) */
return PAM_SUCCESS;
}
static Term
p_rem(Term t1, Term t2 USES_REGS) {
switch (ETypeOfTerm(t1)) {
case (CELL)long_int_e:
switch (ETypeOfTerm(t2)) {
case (CELL)long_int_e:
/* two integers */
{
Int i1 = IntegerOfTerm(t1);
Int i2 = IntegerOfTerm(t2);
if (i2 == 0)
return Yap_ArithError(EVALUATION_ERROR_ZERO_DIVISOR, t2, "X is " Int_FORMAT " rem 0", i1);
if (i1 == Int_MIN && i2 == -1) {
return MkIntTerm(0);
}
RINT(i1%i2);
}
case (CELL)double_e:
return Yap_ArithError(TYPE_ERROR_INTEGER, t2, "mod/2");
case (CELL)big_int_e:
#ifdef USE_GMP
return Yap_gmp_rem_int_big(IntegerOfTerm(t1), t2);
#endif
default:
RERROR();
}
break;
case (CELL)double_e:
return Yap_ArithError(TYPE_ERROR_INTEGER, t1, "mod/2");
case (CELL)big_int_e:
#ifdef USE_GMP
switch (ETypeOfTerm(t2)) {
case long_int_e:
if (IntegerOfTerm(t2) == 0)
return Yap_ArithError(EVALUATION_ERROR_ZERO_DIVISOR, t2, "X is ... rem 0");
return Yap_gmp_rem_big_int(t1, IntegerOfTerm(t2));
case (CELL)big_int_e:
/* two bignums */
return Yap_gmp_rem_big_big(t1, t2);
case double_e:
return Yap_ArithError(TYPE_ERROR_INTEGER, t2, "mod/2");
default:
RERROR();
}
#endif
default:
RERROR();
}
}
/** Check the users password against the standard UNIX password table + PAM.
*
* @note For most flexibility, passing a pamauth type to this function
* allows you to have multiple authentication types (i.e. multiple
* files associated with radius in /etc/pam.d).
*
* @param request The current request.
* @param username User to authenticate.
* @param passwd Password to authenticate with,
* @param pamauth Type of PAM authentication.
* @return 0 on success -1 on failure.
*/
static int do_pam(REQUEST *request, char const *username, char const *passwd, char const *pamauth)
{
pam_handle_t *handle = NULL;
int ret;
rlm_pam_data_t pam_config;
struct pam_conv conv;
/*
* Initialize the structures
*/
conv.conv = pam_conv;
conv.appdata_ptr = &pam_config;
pam_config.request = request;
pam_config.username = username;
pam_config.password = passwd;
pam_config.error = false;
RDEBUG2("Using pamauth string \"%s\" for pam.conf lookup", pamauth);
ret = pam_start(pamauth, username, &conv, &handle);
if (ret != PAM_SUCCESS) {
RERROR("pam_start failed: %s", pam_strerror(handle, ret));
return -1;
}
ret = pam_authenticate(handle, 0);
if (ret != PAM_SUCCESS) {
RERROR("pam_authenticate failed: %s", pam_strerror(handle, ret));
pam_end(handle, ret);
return -1;
}
/*
* FreeBSD 3.x doesn't have account and session management
* functions in PAM, while 4.0 does.
*/
#if !defined(__FreeBSD_version) || (__FreeBSD_version >= 400000)
ret = pam_acct_mgmt(handle, 0);
if (ret != PAM_SUCCESS) {
RERROR("pam_acct_mgmt failed: %s", pam_strerror(handle, ret));
pam_end(handle, ret);
return -1;
}
#endif
RDEBUG2("Authentication succeeded");
pam_end(handle, ret);
return 0;
}
/*
* Query the redis database
*/
int rlm_redis_query(REDISSOCK **dissocket_p, REDIS_INST *inst,
char const *query, REQUEST *request)
{
REDISSOCK *dissocket;
int argc;
char const *argv[MAX_REDIS_ARGS];
char argv_buf[MAX_QUERY_LEN];
if (!query || !*query || !inst || !dissocket_p) {
return -1;
}
argc = rad_expand_xlat(request, query, MAX_REDIS_ARGS, argv, false,
sizeof(argv_buf), argv_buf);
if (argc <= 0)
return -1;
dissocket = *dissocket_p;
DEBUG2("executing %s ...", argv[0]);
dissocket->reply = redisCommandArgv(dissocket->conn, argc, argv, NULL);
if (!dissocket->reply) {
RERROR("%s", dissocket->conn->errstr);
dissocket = fr_connection_reconnect(inst->pool, dissocket);
if (!dissocket) {
error:
*dissocket_p = NULL;
return -1;
}
dissocket->reply = redisCommand(dissocket->conn, query);
if (!dissocket->reply) {
RERROR("Failed after re-connect");
fr_connection_del(inst->pool, dissocket);
goto error;
}
*dissocket_p = dissocket;
}
if (dissocket->reply->type == REDIS_REPLY_ERROR) {
RERROR("Query failed, %s", query);
return -1;
}
return 0;
}
/** Insert a new entry into the data store
*
* @param inst main rlm_cache instance.
* @param request The current request.
* @param handle Pointer to memcached handle.
* @param c entry to insert.
* @return CACHE_OK on success else CACHE_ERROR on error.
*/
static cache_status_t cache_entry_insert(UNUSED rlm_cache_t *inst, REQUEST *request, rlm_cache_handle_t **handle,
rlm_cache_entry_t *c)
{
rlm_cache_memcached_handle_t *mandle = *handle;
memcached_return_t ret;
TALLOC_CTX *pool;
char *to_store;
pool = talloc_pool(NULL, 1024);
if (!pool) return CACHE_ERROR;
if (cache_serialize(pool, &to_store, c) < 0) {
talloc_free(pool);
return CACHE_ERROR;
}
ret = memcached_set(mandle->handle, c->key, talloc_array_length(c->key) - 1,
to_store ? to_store : "",
to_store ? talloc_array_length(to_store) - 1 : 0, c->expires, 0);
talloc_free(pool);
if (ret != MEMCACHED_SUCCESS) {
RERROR("Failed storing entry with key \"%s\": %s: %s", c->key,
memcached_strerror(mandle->handle, ret),
memcached_last_error_message(mandle->handle));
return CACHE_ERROR;
}
return CACHE_OK;
}
static Term
p_rdiv(Term t1, Term t2 USES_REGS) {
#ifdef USE_GMP
switch (ETypeOfTerm(t1)) {
case (CELL)double_e:
return Yap_ArithError(TYPE_ERROR_INTEGER, t2, "rdiv/2");
case (CELL)long_int_e:
switch (ETypeOfTerm(t2)) {
case (CELL)long_int_e:
/* two integers */
{
Int i1 = IntegerOfTerm(t1);
Int i2 = IntegerOfTerm(t2);
if (i2 == 0)
return Yap_ArithError(EVALUATION_ERROR_ZERO_DIVISOR, t2, "X is " Int_FORMAT " rdiv 0", i1);
return Yap_gmq_rdiv_int_int(i1, i2);
}
case (CELL)big_int_e:
/* I know the term is much larger, so: */
return Yap_gmq_rdiv_int_big(IntegerOfTerm(t1), t2);
default:
RERROR();
}
break;
case (CELL)big_int_e:
switch (ETypeOfTerm(t2)) {
case long_int_e:
if (IntegerOfTerm(t2) == 0)
return Yap_ArithError(EVALUATION_ERROR_ZERO_DIVISOR, t2, "X is ... rdiv 0");
/* I know the term is much larger, so: */
return Yap_gmq_rdiv_big_int(t1, IntegerOfTerm(t2));
case (CELL)big_int_e:
return Yap_gmq_rdiv_big_big(t1, t2);
case double_e:
return Yap_ArithError(TYPE_ERROR_INTEGER, t2, "mod/2");
default:
RERROR();
}
default:
RERROR();
}
#else
RERROR();
#endif
}
/*
module gcd
*/
static Term
p_gcd(Term t1, Term t2 USES_REGS)
{
switch (ETypeOfTerm(t1)) {
case long_int_e:
switch (ETypeOfTerm(t2)) {
case long_int_e:
/* two integers */
{
Int i1 = IntegerOfTerm(t1), i2 = IntegerOfTerm(t2);
i1 = (i1 >= 0 ? i1 : -i1);
i2 = (i2 >= 0 ? i2 : -i2);
RINT(gcd(i1,i2 PASS_REGS));
}
case double_e:
return Yap_ArithError(TYPE_ERROR_INTEGER, t2, "gcd/2");
case big_int_e:
#ifdef USE_GMP
return Yap_gmp_gcd_int_big(IntegerOfTerm(t1), t2);
#endif
default:
RERROR();
}
break;
case double_e:
return Yap_ArithError(TYPE_ERROR_INTEGER, t1, "gcd/2");
case big_int_e:
#ifdef USE_GMP
switch (ETypeOfTerm(t2)) {
case long_int_e:
return Yap_gmp_gcd_int_big(IntegerOfTerm(t2), t1);
case big_int_e:
return Yap_gmp_gcd_big_big(t1, t2);
case double_e:
return Yap_ArithError(TYPE_ERROR_INTEGER, t2, "gcd/2");
default:
RERROR();
}
#endif
default:
RERROR();
}
RERROR();
}
/*
xor #
*/
static Term
p_xor(Term t1, Term t2 USES_REGS)
{
switch (ETypeOfTerm(t1)) {
case long_int_e:
switch (ETypeOfTerm(t2)) {
case long_int_e:
/* two integers */
RINT(IntegerOfTerm(t1) ^ IntegerOfTerm(t2));
case double_e:
return Yap_ArithError(TYPE_ERROR_INTEGER, t2, "#/2");
case big_int_e:
#ifdef USE_GMP
return Yap_gmp_xor_int_big(IntegerOfTerm(t1), t2);
#endif
default:
RERROR();
}
break;
case double_e:
return Yap_ArithError(TYPE_ERROR_INTEGER, t1, "#/2");
case big_int_e:
#ifdef USE_GMP
switch (ETypeOfTerm(t2)) {
case long_int_e:
return Yap_gmp_xor_int_big(IntegerOfTerm(t2), t1);
case big_int_e:
return Yap_gmp_xor_big_big(t1, t2);
case double_e:
return Yap_ArithError(TYPE_ERROR_INTEGER, t2, "#/2");
default:
RERROR();
}
#endif
default:
RERROR();
}
RERROR();
}
/** Locate a cache entry in memcached
*
* @param out Where to write the pointer to the cach entry.
* @param inst main rlm_cache instance.
* @param request The current request.
* @param handle Pointer to memcached handle.
* @param key to search for.
* @return CACHE_OK on success CACHE_MISS if no entry found, CACHE_ERROR on error.
*/
static cache_status_t cache_entry_find(rlm_cache_entry_t **out, UNUSED rlm_cache_t *inst, REQUEST *request,
rlm_cache_handle_t **handle, char const *key)
{
rlm_cache_memcached_handle_t *mandle = *handle;
memcached_return_t mret;
size_t len;
int ret;
uint32_t flags;
char *from_store;
rlm_cache_entry_t *c;
from_store = memcached_get(mandle->handle, key, strlen(key), &len, &flags, &mret);
if (!from_store) {
if (mret == MEMCACHED_NOTFOUND) return CACHE_MISS;
RERROR("Failed retrieving entry for key \"%s\": %s: %s", key, memcached_strerror(mandle->handle, mret),
memcached_last_error_message(mandle->handle));
return CACHE_ERROR;
}
RDEBUG2("Retrieved %zu bytes from memcached", len);
RDEBUG2("%s", from_store);
c = talloc_zero(NULL, rlm_cache_entry_t);
ret = cache_deserialize(c, from_store, len);
free(from_store);
if (ret < 0) {
RERROR("%s", fr_strerror());
talloc_free(c);
return CACHE_ERROR;
}
c->key = talloc_strdup(c, key);
*out = c;
return CACHE_OK;
}
static rlm_rcode_t mod_post_auth(void *instance, REQUEST *request)
{
rlm_eap_t *inst = instance;
VALUE_PAIR *vp;
eap_handler_t *handler;
eap_packet_raw_t *eap_packet;
/*
* Only build a failure message if something previously rejected the request
*/
vp = pairfind(request->config_items, PW_POSTAUTHTYPE, 0, TAG_ANY);
if (!vp || (vp->vp_integer != PW_POSTAUTHTYPE_REJECT)) return RLM_MODULE_NOOP;
if (!pairfind(request->packet->vps, PW_EAP_MESSAGE, 0, TAG_ANY)) {
RDEBUG2("Request didn't contain an EAP-Message, not inserting EAP-Failure");
return RLM_MODULE_NOOP;
}
if (pairfind(request->reply->vps, PW_EAP_MESSAGE, 0, TAG_ANY)) {
RDEBUG2("Reply already contained an EAP-Message, not inserting EAP-Failure");
return RLM_MODULE_NOOP;
}
eap_packet = eap_vp2packet(request, request->packet->vps);
if (!eap_packet) {
RERROR("Malformed EAP Message");
return RLM_MODULE_FAIL;
}
handler = eap_handler(inst, &eap_packet, request);
if (!handler) {
RDEBUG2("Failed to get handler, probably already removed, not inserting EAP-Failure");
return RLM_MODULE_NOOP;
}
RDEBUG2("Request was previously rejected, inserting EAP-Failure");
eap_fail(handler);
eap_handler_free(inst, handler);
/*
* Make sure there's a message authenticator attribute in the response
* RADIUS protocol code will calculate the correct value later...
*/
vp = pairfind(request->reply->vps, PW_MESSAGE_AUTHENTICATOR, 0, TAG_ANY);
if (!vp) {
pairmake_reply("Message-Authenticator", "0x00", T_OP_EQ);
}
return RLM_MODULE_UPDATED;
}
/*
* Xlat for %{client:[<ipaddr>.]foo}
*/
static ssize_t xlat_client(TALLOC_CTX *ctx, char **out, UNUSED size_t outlen,
UNUSED void const *mod_inst, UNUSED void const *xlat_inst,
REQUEST *request, char const *fmt)
{
char const *value = NULL;
char buffer[INET6_ADDRSTRLEN], *q;
char const *p = fmt;
fr_ipaddr_t ip;
CONF_PAIR *cp;
RADCLIENT *client = NULL;
*out = NULL;
q = strrchr(p, '.');
if (q) {
strlcpy(buffer, p, (q + 1) - p);
if (fr_inet_pton(&ip, buffer, -1, AF_UNSPEC, false, true) < 0) goto request_client;
p = q + 1;
client = client_find(NULL, &ip, IPPROTO_IP);
if (!client) {
RDEBUG("No client found with IP \"%s\"", buffer);
return 0;
}
} else {
request_client:
client = request->client;
if (!client) {
RERROR("No client associated with this request");
return -1;
}
}
cp = cf_pair_find(client->cs, p);
if (!cp || !(value = cf_pair_value(cp))) {
if (strcmp(fmt, "shortname") == 0 && request->client->shortname) {
value = request->client->shortname;
}
else if (strcmp(fmt, "nas_type") == 0 && request->client->nas_type) {
value = request->client->nas_type;
}
if (!value) return 0;
}
*out = talloc_typed_strdup(ctx, value);
return talloc_array_length(*out) - 1;
}
static Term
eval2(Int fi, Term t1, Term t2 USES_REGS) {
arith2_op f = fi;
switch (f) {
case op_plus:
return p_plus(t1, t2 PASS_REGS);
case op_minus:
return p_minus(t1, t2 PASS_REGS);
case op_times:
return p_times(t1, t2 PASS_REGS);
case op_div:
return p_div(t1, t2 PASS_REGS);
case op_idiv:
return p_div2(t1, t2 PASS_REGS);
case op_and:
return p_and(t1, t2 PASS_REGS);
case op_or:
return p_or(t1, t2 PASS_REGS);
case op_sll:
return p_sll(t1, t2 PASS_REGS);
case op_slr:
return p_slr(t1, t2 PASS_REGS);
case op_mod:
return p_mod(t1, t2 PASS_REGS);
case op_rem:
return p_rem(t1, t2 PASS_REGS);
case op_fdiv:
return p_fdiv(t1, t2 PASS_REGS);
case op_xor:
return p_xor(t1, t2 PASS_REGS);
case op_atan2:
return p_atan2(t1, t2 PASS_REGS);
case op_power:
return p_exp(t1, t2 PASS_REGS);
case op_power2:
return p_power(t1, t2 PASS_REGS);
case op_gcd:
return p_gcd(t1, t2 PASS_REGS);
case op_min:
return p_min(t1, t2);
case op_max:
return p_max(t1, t2);
case op_rdiv:
return p_rdiv(t1, t2 PASS_REGS);
}
RERROR();
}
/** Call delete the cache entry from memcached
*
* @param inst main rlm_cache instance.
* @param request The current request.
* @param handle Pointer to memcached handle.
* @param c entry to expire.
* @return CACHE_OK on success else CACHE_ERROR.
*/
static cache_status_t cache_entry_expire(UNUSED rlm_cache_t *inst, REQUEST *request, rlm_cache_handle_t **handle,
rlm_cache_entry_t *c)
{
rlm_cache_memcached_handle_t *mandle = *handle;
memcached_return_t ret;
ret = memcached_delete(mandle->handle, c->key, talloc_array_length(c->key) - 1, 0);
if (ret != MEMCACHED_SUCCESS) {
RERROR("Failed deleting entry with key \"%s\": %s", c->key,
memcached_last_error_message(mandle->handle));
return CACHE_ERROR;
}
return CACHE_OK;
}
/** Handle asynchronous cancellation of a request
*
* If we're signalled that the request has been cancelled (FR_SIGNAL_CANCEL).
* Cleanup any pending state and release the connection handle back into the pool.
*
* @param[in] instance of rlm_rest.
* @param[in] thread Thread specific module instance.
* @param[in] request being cancelled.
* @param[in] rctx rlm_rest_handle_t currently used by the request.
* @param[in] action What happened.
*/
void rest_io_module_action(void *instance, void *thread, REQUEST *request, void *rctx, fr_state_signal_t action)
{
rlm_rest_handle_t *randle = talloc_get_type_abort(rctx, rlm_rest_handle_t);
rlm_rest_thread_t *t = thread;
CURLMcode ret;
if (action != FR_SIGNAL_CANCEL) return;
RDEBUG2("Forcefully cancelling pending REST request");
ret = curl_multi_remove_handle(t->mandle, randle->candle); /* Gracefully terminate the request */
if (ret != CURLM_OK) {
RERROR("Failed removing curl handle from multi-handle: %s (%i)", curl_multi_strerror(ret), ret);
/* Not much we can do */
}
t->transfers--;
rest_request_cleanup(instance, randle);
fr_pool_connection_release(t->pool, request, randle);
}
/*
* Do detail, compatible with old accounting
*/
static rlm_rcode_t CC_HINT(nonnull) detail_do(void *instance, REQUEST *request, RADIUS_PACKET *packet, bool compat)
{
int outfd;
char buffer[DIRLEN];
FILE *outfp;
#ifdef HAVE_GRP_H
gid_t gid;
struct group *grp;
char *endptr;
#endif
detail_instance_t *inst = instance;
/*
* Generate the path for the detail file. Use the same
* format, but truncate at the last /. Then feed it
* through radius_xlat() to expand the variables.
*/
if (radius_xlat(buffer, sizeof(buffer), request, inst->filename, NULL, NULL) < 0) {
return RLM_MODULE_FAIL;
}
RDEBUG2("%s expands to %s", inst->filename, buffer);
#ifdef WITH_ACCOUNTING
#if defined(HAVE_FNMATCH_H) && defined(FNM_FILE_NAME)
/*
* If we read it from a detail file, and we're about to
* write it back to the SAME detail file directory, then
* suppress the write. This check prevents an infinite
* loop.
*/
if ((request->listener->type == RAD_LISTEN_DETAIL) &&
(fnmatch(((listen_detail_t *)request->listener->data)->filename,
buffer, FNM_FILE_NAME | FNM_PERIOD ) == 0)) {
RWDEBUG2("Suppressing infinite loop");
return RLM_MODULE_NOOP;
}
#endif
#endif
outfd = fr_logfile_open(inst->lf, buffer, inst->perm);
if (outfd < 0) {
RERROR("Couldn't open file %s: %s", buffer, fr_strerror());
return RLM_MODULE_FAIL;
}
#ifdef HAVE_GRP_H
if (inst->group != NULL) {
gid = strtol(inst->group, &endptr, 10);
if (*endptr != '\0') {
grp = rad_getgrnam(inst->group);
if (!grp) {
RDEBUG2("Unable to find system group '%s'", inst->group);
goto skip_group;
}
gid = grp->gr_gid;
}
if (chown(buffer, -1, gid) == -1) {
RDEBUG2("Unable to change system group of '%s'", buffer);
}
}
skip_group:
#endif
/*
* Open the output fp for buffering.
*/
if ((outfp = fdopen(outfd, "a")) == NULL) {
RERROR("Couldn't open file %s: %s", buffer, fr_syserror(errno));
fail:
if (outfp) fclose(outfp);
fr_logfile_unlock(inst->lf, outfd);
return RLM_MODULE_FAIL;
}
if (detail_write(outfp, inst, request, packet, compat) < 0) goto fail;
/*
* Flush everything
*/
fclose(outfp);
fr_logfile_unlock(inst->lf, outfd); /* do NOT close outfp */
/*
* And everything is fine.
*/
return RLM_MODULE_OK;
}
/*
Floating point division: /
*/
static Term
p_fdiv(Term t1, Term t2 USES_REGS)
{
switch (ETypeOfTerm(t1)) {
case long_int_e:
switch (ETypeOfTerm(t2)) {
case long_int_e:
{
Int i2 = IntegerOfTerm(t2);
/* two integers */
RFLOAT((((Float)IntegerOfTerm(t1))/(Float)i2));
}
case double_e:
{
/* integer, double */
Float fl1 = (Float)IntegerOfTerm(t1);
Float fl2 = FloatOfTerm(t2);
RFLOAT(fl1/fl2);
}
case (CELL)big_int_e:
#ifdef USE_GMP
return Yap_gmp_fdiv_int_big(IntegerOfTerm(t1), t2);
#endif
default:
RERROR();
}
break;
case double_e:
switch (ETypeOfTerm(t2)) {
case long_int_e:
/* float / integer */
{
Int i2 = IntegerOfTerm(t2);
RFLOAT(FloatOfTerm(t1)/(Float)i2);
}
case double_e:
{
Float f2 = FloatOfTerm(t2);
RFLOAT(FloatOfTerm(t1)/f2);
}
case big_int_e:
#ifdef USE_GMP
return Yap_gmp_fdiv_float_big(FloatOfTerm(t1), t2);
#endif
default:
RERROR();
}
break;
case big_int_e:
#ifdef USE_GMP
switch (ETypeOfTerm(t2)) {
case long_int_e:
return Yap_gmp_fdiv_big_int(t1, IntegerOfTerm(t2));
case big_int_e:
/* two bignums*/
return Yap_gmp_fdiv_big_big(t1, t2);
case double_e:
return Yap_gmp_fdiv_big_float(t1, FloatOfTerm(t2));
default:
RERROR();
}
#endif
default:
RERROR();
}
RERROR();
}
/*
* The S flag is set only within the EAP-TLS start message sent
* from the EAP server to the peer.
*
* Similarly, when the EAP server receives an EAP-Response with
* the M bit set, it MUST respond with an EAP-Request with
* EAP-Type=EAP-TLS and no data. This serves as a fragment
* ACK. The EAP peer MUST wait.
*/
static fr_tls_status_t eaptls_verify(eap_handler_t *handler)
{
EAP_DS *eap_ds = handler->eap_ds;
EAP_DS *prev_eap_ds = handler->prev_eapds;
eaptls_packet_t *eaptls_packet, *eaptls_prev = NULL;
REQUEST *request = handler->request;
/*
* We don't check ANY of the input parameters. It's all
* code which works together, so if something is wrong,
* we SHOULD core dump.
*
* e.g. if eap_ds is NULL, of if eap_ds->response is
* NULL, of if it's NOT an EAP-Response, or if the packet
* is too short. See eap_validation()., in ../../eap.c
*
* Also, eap_method_select() takes care of selecting the
* appropriate type, so we don't need to check
* eap_ds->response->type.num == PW_EAP_TLS, or anything
* else.
*/
eaptls_packet = (eaptls_packet_t *)eap_ds->response->type.data;
if (prev_eap_ds && prev_eap_ds->response)
eaptls_prev = (eaptls_packet_t *)prev_eap_ds->response->type.data;
/*
* check for ACK
*
* If there's no TLS data, or there's 1 byte of TLS data,
* with the flags set to zero, then it's an ACK.
*
* Find if this is a reply to the previous request sent
*/
if ((!eaptls_packet) ||
((eap_ds->response->length == EAP_HEADER_LEN + 2) &&
((eaptls_packet->flags & 0xc0) == 0x00))) {
if (prev_eap_ds &&
(prev_eap_ds->request->id == eap_ds->response->id)) {
/*
* Run the ACK handler directly from here.
*/
RDEBUG2("Received TLS ACK");
return tls_ack_handler(handler->opaque, request);
} else {
RERROR("Received Invalid TLS ACK");
return FR_TLS_INVALID;
}
}
/*
* We send TLS_START, but do not receive it.
*/
if (TLS_START(eaptls_packet->flags)) {
RDEBUG("Received unexpected EAP-TLS Start message");
return FR_TLS_INVALID;
}
/*
* The L bit (length included) is set to indicate the
* presence of the four octet TLS Message Length field,
* and MUST be set for the first fragment of a fragmented
* TLS message or set of messages.
*
* The M bit (more fragments) is set on all but the last
* fragment.
*
* The S bit (EAP-TLS start) is set in an EAP-TLS Start
* message. This differentiates the EAP-TLS Start message
* from a fragment acknowledgement.
*/
if (TLS_LENGTH_INCLUDED(eaptls_packet->flags)) {
DEBUG2(" TLS Length %d",
eaptls_packet->data[2] * 256 | eaptls_packet->data[3]);
if (TLS_MORE_FRAGMENTS(eaptls_packet->flags)) {
/*
* FIRST_FRAGMENT is identified
* 1. If there is no previous EAP-response received.
* 2. If EAP-response received, then its M bit not set.
* (It is because Last fragment will not have M bit set)
*/
if (!prev_eap_ds ||
(!prev_eap_ds->response) ||
(!eaptls_prev) ||
!TLS_MORE_FRAGMENTS(eaptls_prev->flags)) {
RDEBUG2("Received EAP-TLS First Fragment of the message");
return FR_TLS_FIRST_FRAGMENT;
} else {
RDEBUG2("More Fragments with length included");
return FR_TLS_MORE_FRAGMENTS_WITH_LENGTH;
}
} else {
RDEBUG2("Length Included");
return FR_TLS_LENGTH_INCLUDED;
}
}
if (TLS_MORE_FRAGMENTS(eaptls_packet->flags)) {
RDEBUG2("More fragments to follow");
return FR_TLS_MORE_FRAGMENTS;
}
/*
* None of the flags are set, but it's still a valid
* EAPTLS packet.
*/
return FR_TLS_OK;
}
/** Locate a cache entry in redis
*
* @copydetails cache_entry_find_t
*/
static cache_status_t cache_entry_find(rlm_cache_entry_t **out,
UNUSED rlm_cache_config_t const *config, void *driver_inst,
REQUEST *request, UNUSED void *handle, uint8_t const *key, size_t key_len)
{
rlm_cache_redis_t *driver = driver_inst;
size_t i;
fr_redis_cluster_state_t state;
fr_redis_conn_t *conn;
fr_redis_rcode_t status;
redisReply *reply = NULL;
int s_ret;
vp_map_t *head = NULL, **last = &head;
#ifdef HAVE_TALLOC_POOLED_OBJECT
size_t pool_size = 0;
#endif
rlm_cache_entry_t *c;
for (s_ret = fr_redis_cluster_state_init(&state, &conn, driver->cluster, request, key, key_len, false);
s_ret == REDIS_RCODE_TRY_AGAIN; /* Continue */
s_ret = fr_redis_cluster_state_next(&state, &conn, driver->cluster, request, status, &reply)) {
/*
* Grab all the data for this hash, should return an array
* of alternating keys/values which we then convert into maps.
*/
if (RDEBUG_ENABLED3) {
char *p;
p = fr_asprint(NULL, (char const *)key, key_len, '"');
RDEBUG3("LRANGE %s 0 -1", key);
talloc_free(p);
}
reply = redisCommand(conn->handle, "LRANGE %b 0 -1", key, key_len);
status = fr_redis_command_status(conn, reply);
}
if (s_ret != REDIS_RCODE_SUCCESS) {
RERROR("Failed retrieving entry");
fr_redis_reply_free(reply);
return CACHE_ERROR;
}
rad_assert(reply); /* clang scan */
if (reply->type != REDIS_REPLY_ARRAY) {
REDEBUG("Bad result type, expected array, got %s",
fr_int2str(redis_reply_types, reply->type, "<UNKNOWN>"));
fr_redis_reply_free(reply);
return CACHE_ERROR;
}
RDEBUG3("Entry contains %zu elements", reply->elements);
if (reply->elements == 0) {
fr_redis_reply_free(reply);
return CACHE_MISS;
}
if (reply->elements % 3) {
REDEBUG("Invalid number of reply elements (%zu). "
"Reply must contain triplets of keys operators and values",
reply->elements);
fr_redis_reply_free(reply);
return CACHE_ERROR;
}
#ifdef HAVE_TALLOC_POOLED_OBJECT
/*
* We can get a pretty good idea of the required size of the pool
*/
for (i = 0; i < reply->elements; i += 3) {
pool_size += sizeof(vp_map_t) + (sizeof(vp_tmpl_t) * 2);
if (reply->element[i]->type == REDIS_REPLY_STRING) pool_size += reply->element[i]->len + 1;
}
/*
* reply->elements gives us the number of chunks, as the maps are triplets, and there
* are three chunks per map
*/
c = talloc_pooled_object(NULL, rlm_cache_entry_t, reply->elements, pool_size);
memset(&pool, 0, sizeof(rlm_cache_entry_t));
#else
c = talloc_zero(NULL, rlm_cache_entry_t);
#endif
/*
* Convert the key/value pairs back into maps
*/
for (i = 0; i < reply->elements; i += 3) {
if (fr_redis_reply_to_map(c, last, request,
reply->element[i], reply->element[i + 1], reply->element[i + 2]) < 0) {
talloc_free(c);
fr_redis_reply_free(reply);
return CACHE_ERROR;
}
last = &(*last)->next;
}
fr_redis_reply_free(reply);
/*
* Pull out the cache created date
*/
if ((head->lhs->tmpl_da->vendor == 0) && (head->lhs->tmpl_da->attr == PW_CACHE_CREATED)) {
vp_map_t *map;
c->created = head->rhs->tmpl_data_value.date;
map = head;
head = head->next;
talloc_free(map);
}
/*
* Pull out the cache expires date
*/
if ((head->lhs->tmpl_da->vendor == 0) && (head->lhs->tmpl_da->attr == PW_CACHE_EXPIRES)) {
vp_map_t *map;
c->expires = head->rhs->tmpl_data_value.date;
map = head;
head = head->next;
talloc_free(map);
}
c->key = talloc_memdup(c, key, key_len);
c->key_len = key_len;
c->maps = head;
*out = c;
return CACHE_OK;
}
static rlm_rcode_t do_linelog(void *instance, REQUEST *request)
{
int fd = -1;
char buffer[4096];
char *p;
char line[1024];
rlm_linelog_t *inst = (rlm_linelog_t*) instance;
char const *value = inst->line;
#ifdef HAVE_GRP_H
gid_t gid;
struct group *grp;
char *endptr;
#endif
if (inst->reference) {
CONF_ITEM *ci;
CONF_PAIR *cp;
p = line + 1;
if (radius_xlat(p, sizeof(line) - 2, request, inst->reference, linelog_escape_func,
NULL) < 0) {
return RLM_MODULE_FAIL;
}
line[0] = '.'; /* force to be in current section */
/*
* Don't allow it to go back up
*/
if (line[1] == '.') goto do_log;
ci = cf_reference_item(NULL, inst->cs, line);
if (!ci) {
RDEBUG2("No such entry \"%s\"", line);
return RLM_MODULE_NOOP;
}
if (!cf_item_is_pair(ci)) {
RDEBUG2("Entry \"%s\" is not a variable assignment ", line);
goto do_log;
}
cp = cf_itemtopair(ci);
value = cf_pair_value(cp);
if (!value) {
RDEBUG2("Entry \"%s\" has no value", line);
goto do_log;
}
/*
* Value exists, but is empty. Don't log anything.
*/
if (!*value) return RLM_MODULE_OK;
}
do_log:
/*
* FIXME: Check length.
*/
if (strcmp(inst->filename, "syslog") != 0) {
if (radius_xlat(buffer, sizeof(buffer), request, inst->filename, NULL, NULL) < 0) {
return RLM_MODULE_FAIL;
}
/* check path and eventually create subdirs */
p = strrchr(buffer,'/');
if (p) {
*p = '\0';
if (rad_mkdir(buffer, 0700) < 0) {
RERROR("rlm_linelog: Failed to create directory %s: %s", buffer, fr_syserror(errno));
return RLM_MODULE_FAIL;
}
*p = '/';
}
fd = fr_logfile_open(inst->lf, buffer, inst->permissions);
if (fd == -1) {
ERROR("rlm_linelog: Failed to open %s: %s",
buffer, fr_syserror(errno));
return RLM_MODULE_FAIL;
}
#ifdef HAVE_GRP_H
if (inst->group != NULL) {
gid = strtol(inst->group, &endptr, 10);
if (*endptr != '\0') {
grp = getgrnam(inst->group);
if (!grp) {
RDEBUG2("Unable to find system group \"%s\"", inst->group);
goto skip_group;
}
gid = grp->gr_gid;
}
if (chown(buffer, -1, gid) == -1) {
RDEBUG2("Unable to change system group of \"%s\"", buffer);
}
}
#endif
}
skip_group:
/*
* FIXME: Check length.
*/
if (radius_xlat(line, sizeof(line) - 1, request, value, linelog_escape_func, NULL) < 0) {
if (fd > -1) {
fr_logfile_close(inst->lf, fd);
}
return RLM_MODULE_FAIL;
}
if (fd >= 0) {
strcat(line, "\n");
if (write(fd, line, strlen(line)) < 0) {
EDEBUG("rlm_linelog: Failed writing: %s", fr_syserror(errno));
fr_logfile_close(inst->lf, fd);
return RLM_MODULE_FAIL;
}
fr_logfile_close(inst->lf, fd);
#ifdef HAVE_SYSLOG_H
} else {
syslog(inst->facility, "%s", line);
#endif
}
return RLM_MODULE_OK;
}
/*
power: x^y
*/
static Term
p_power(Term t1, Term t2 USES_REGS)
{
switch (ETypeOfTerm(t1)) {
case long_int_e:
switch (ETypeOfTerm(t2)) {
case long_int_e:
{
Int i2 = IntegerOfTerm(t2);
/* two integers */
RFLOAT(pow(IntegerOfTerm(t1),i2));
}
case double_e:
{
/* integer, double */
Float fl1 = (Float)IntegerOfTerm(t1);
Float fl2 = FloatOfTerm(t2);
RFLOAT(pow(fl1,fl2));
}
case big_int_e:
#ifdef USE_GMP
{
Int i1 = IntegerOfTerm(t1);
Float f2 = Yap_gmp_to_float(t2);
RFLOAT(pow(i1,f2));
}
#endif
default:
RERROR();
}
break;
case double_e:
switch (ETypeOfTerm(t2)) {
case long_int_e:
/* float / integer */
{
Int i2 = IntegerOfTerm(t2);
RFLOAT(pow(FloatOfTerm(t1),i2));
}
case double_e:
{
Float f2 = FloatOfTerm(t2);
RFLOAT(pow(FloatOfTerm(t1),f2));
}
case big_int_e:
#ifdef USE_GMP
{
RFLOAT(pow(FloatOfTerm(t1),Yap_gmp_to_float(t2)));
}
#endif
default:
RERROR();
}
break;
case big_int_e:
#ifdef USE_GMP
switch (ETypeOfTerm(t2)) {
case long_int_e:
{
Int i = IntegerOfTerm(t2);
RFLOAT(pow(Yap_gmp_to_float(t1),i));
}
case big_int_e:
/* two bignums */
RFLOAT(pow(Yap_gmp_to_float(t1),Yap_gmp_to_float(t2)));
case double_e:
{
Float dbl = FloatOfTerm(t2);
RFLOAT(pow(Yap_gmp_to_float(t1),dbl));
}
default:
RERROR();
}
#endif
default:
RERROR();
}
RERROR();
}
/*
atan2: arc tangent x/y
*/
static Term
p_atan2(Term t1, Term t2 USES_REGS)
{
switch (ETypeOfTerm(t1)) {
case long_int_e:
switch (ETypeOfTerm(t2)) {
case long_int_e:
/* two integers */
RFLOAT(atan2(IntegerOfTerm(t1),IntegerOfTerm(t2)));
case double_e:
RFLOAT(atan2(IntegerOfTerm(t1),FloatOfTerm(t2)));
case big_int_e:
#ifdef USE_GMP
{
Int i1 = IntegerOfTerm(t1);
Float f2 = Yap_gmp_to_float(t2);
RFLOAT(atan2(i1,f2));
}
#endif
default:
RERROR();
break;
}
case double_e:
switch (ETypeOfTerm(t2)) {
case long_int_e:
/* float / integer */
{
Int i2 = IntegerOfTerm(t2);
RFLOAT(atan2(FloatOfTerm(t1),i2));
}
case double_e:
{
Float f2 = FloatOfTerm(t2);
RFLOAT(atan2(FloatOfTerm(t1),f2));
}
case big_int_e:
#ifdef USE_GMP
{
RFLOAT(atan2(FloatOfTerm(t1),Yap_gmp_to_float(t2)));
}
#endif
default:
RERROR();
}
break;
case big_int_e:
#ifdef USE_GMP
{
Float dbl1 = Yap_gmp_to_float(t1);
switch (ETypeOfTerm(t2)) {
case long_int_e:
{
Int i = IntegerOfTerm(t2);
RFLOAT(atan2(dbl1,i));
}
case big_int_e:
/* two bignums */
RFLOAT(atan2(dbl1,Yap_gmp_to_float(t2)));
case double_e:
{
Float dbl = FloatOfTerm(t2);
RFLOAT(atan2(dbl1,dbl));
}
default:
RERROR();
}
}
#endif
default:
RERROR();
}
RERROR();
}
/** Handle authorization requests using Couchbase document data
*
* Attempt to fetch the document assocaited with the requested user by
* using the deterministic key defined in the configuration. When a valid
* document is found it will be parsed and the containing value pairs will be
* injected into the request.
*
* @param instance The module instance.
* @param thread specific data.
* @param request The authorization request.
* @return Operation status (#rlm_rcode_t).
*/
static rlm_rcode_t mod_authorize(void *instance, UNUSED void *thread, REQUEST *request)
{
rlm_couchbase_t const *inst = instance; /* our module instance */
rlm_couchbase_handle_t *handle = NULL; /* connection pool handle */
char buffer[MAX_KEY_SIZE];
char const *dockey; /* our document key */
lcb_error_t cb_error = LCB_SUCCESS; /* couchbase error holder */
rlm_rcode_t rcode = RLM_MODULE_OK; /* return code */
ssize_t slen;
/* assert packet as not null */
rad_assert(request->packet != NULL);
/* attempt to build document key */
slen = tmpl_expand(&dockey, buffer, sizeof(buffer), request, inst->user_key, NULL, NULL);
if (slen < 0) return RLM_MODULE_FAIL;
if ((dockey == buffer) && is_truncated((size_t)slen, sizeof(buffer))) {
REDEBUG("Key too long, expected < " STRINGIFY(sizeof(buffer)) " bytes, got %zi bytes", slen);
return RLM_MODULE_FAIL;
}
/* get handle */
handle = fr_pool_connection_get(inst->pool, request);
/* check handle */
if (!handle) return RLM_MODULE_FAIL;
/* set couchbase instance */
lcb_t cb_inst = handle->handle;
/* set cookie */
cookie_t *cookie = handle->cookie;
/* fetch document */
cb_error = couchbase_get_key(cb_inst, cookie, dockey);
/* check error */
if (cb_error != LCB_SUCCESS || !cookie->jobj) {
/* log error */
RERROR("failed to fetch document or parse return");
/* set return */
rcode = RLM_MODULE_FAIL;
/* return */
goto finish;
}
/* debugging */
RDEBUG3("parsed user document == %s", json_object_to_json_string(cookie->jobj));
{
TALLOC_CTX *pool = talloc_pool(request, 1024); /* We need to do lots of allocs */
fr_cursor_t maps, vlms;
vp_map_t *map_head = NULL, *map;
vp_list_mod_t *vlm_head = NULL, *vlm;
fr_cursor_init(&maps, &map_head);
/*
* Convert JSON data into maps
*/
if ((mod_json_object_to_map(pool, &maps, request, cookie->jobj, PAIR_LIST_CONTROL) < 0) ||
(mod_json_object_to_map(pool, &maps, request, cookie->jobj, PAIR_LIST_REPLY) < 0) ||
(mod_json_object_to_map(pool, &maps, request, cookie->jobj, PAIR_LIST_REQUEST) < 0) ||
(mod_json_object_to_map(pool, &maps, request, cookie->jobj, PAIR_LIST_STATE) < 0)) {
invalid:
talloc_free(pool);
rcode = RLM_MODULE_INVALID;
goto finish;
}
fr_cursor_init(&vlms, &vlm_head);
/*
* Convert all the maps into list modifications,
* which are guaranteed to succeed.
*/
for (map = fr_cursor_head(&maps);
map;
map = fr_cursor_next(&maps)) {
if (map_to_list_mod(pool, &vlm, request, map, NULL, NULL) < 0) goto invalid;
fr_cursor_insert(&vlms, vlm);
}
if (!vlm_head) {
RDEBUG2("Nothing to update");
talloc_free(pool);
rcode = RLM_MODULE_NOOP;
goto finish;
}
/*
* Apply the list of modifications
*/
for (vlm = fr_cursor_head(&vlms);
vlm;
vlm = fr_cursor_next(&vlms)) {
int ret;
ret = map_list_mod_apply(request, vlm); /* SHOULD NOT FAIL */
if (!fr_cond_assert(ret == 0)) {
talloc_free(pool);
rcode = RLM_MODULE_FAIL;
goto finish;
}
}
talloc_free(pool);
}
finish:
/* free json object */
if (cookie->jobj) {
json_object_put(cookie->jobj);
cookie->jobj = NULL;
}
/* release handle */
if (handle) fr_pool_connection_release(inst->pool, request, handle);
/* return */
return rcode;
}
/*
power: x^y
*/
static Term
p_exp(Term t1, Term t2 USES_REGS)
{
switch (ETypeOfTerm(t1)) {
case long_int_e:
switch (ETypeOfTerm(t2)) {
case long_int_e:
{
Int i1 = IntegerOfTerm(t1);
Int i2 = IntegerOfTerm(t2);
Int pow = ipow(i1,i2);
if (i2 < 0) {
return Yap_ArithError(DOMAIN_ERROR_NOT_LESS_THAN_ZERO, t2,
"%d ^ %d", i1, i2);
}
#ifdef USE_GMP
/* two integers */
if ((i1 && !pow)) {
/* overflow */
return Yap_gmp_exp_int_int(i1, i2);
}
#endif
RINT(pow);
}
case double_e:
{
/* integer, double */
Float fl1 = (Float)IntegerOfTerm(t1);
Float fl2 = FloatOfTerm(t2);
RFLOAT(pow(fl1,fl2));
}
case big_int_e:
#ifdef USE_GMP
{
Int i = IntegerOfTerm(t1);
return Yap_gmp_exp_int_big(i,t2);
}
#endif
default:
RERROR();
}
break;
case double_e:
switch (ETypeOfTerm(t2)) {
case long_int_e:
/* float / integer */
{
Int i2 = IntegerOfTerm(t2);
RFLOAT(pow(FloatOfTerm(t1),i2));
}
case double_e:
{
Float f2 = FloatOfTerm(t2);
RFLOAT(pow(FloatOfTerm(t1),f2));
}
case big_int_e:
#ifdef USE_GMP
{
RFLOAT(pow(FloatOfTerm(t1),Yap_gmp_to_float(t2)));
}
#endif
default:
RERROR();
}
break;
case big_int_e:
#ifdef USE_GMP
switch (ETypeOfTerm(t2)) {
case long_int_e:
{
Int i = IntegerOfTerm(t2);
return Yap_gmp_exp_big_int(t1,i);
}
case big_int_e:
/* two bignums, makes no sense */
return Yap_gmp_exp_big_big(t1,t2);
case double_e:
{
Float dbl = FloatOfTerm(t2);
RFLOAT(pow(Yap_gmp_to_float(t1),dbl));
}
default:
RERROR();
}
#endif
default:
RERROR();
}
RERROR();
}
/** Write accounting data to Couchbase documents
*
* Handle accounting requests and store the associated data into JSON documents
* in couchbase mapping attribute names to JSON element names per the module configuration.
*
* When an existing document already exists for the same accounting section the new attributes
* will be merged with the currently existing data. When conflicts arrise the new attribute
* value will replace or be added to the existing value.
*
* @param instance The module instance.
* @param thread specific data.
* @param request The accounting request object.
* @return Operation status (#rlm_rcode_t).
*/
static rlm_rcode_t mod_accounting(void *instance, UNUSED void *thread, REQUEST *request)
{
rlm_couchbase_t const *inst = instance; /* our module instance */
rlm_couchbase_handle_t *handle = NULL; /* connection pool handle */
rlm_rcode_t rcode = RLM_MODULE_OK; /* return code */
VALUE_PAIR *vp; /* radius value pair linked list */
char buffer[MAX_KEY_SIZE];
char const *dockey; /* our document key */
char document[MAX_VALUE_SIZE]; /* our document body */
char element[MAX_KEY_SIZE]; /* mapped radius attribute to element name */
int status = 0; /* account status type */
int docfound = 0; /* document found toggle */
lcb_error_t cb_error = LCB_SUCCESS; /* couchbase error holder */
ssize_t slen;
/* assert packet as not null */
rad_assert(request->packet != NULL);
/* sanity check */
if ((vp = fr_pair_find_by_da(request->packet->vps, attr_acct_status_type, TAG_ANY)) == NULL) {
/* log debug */
RDEBUG2("could not find status type in packet");
/* return */
return RLM_MODULE_NOOP;
}
/* set status */
status = vp->vp_uint32;
/* acknowledge the request but take no action */
if (status == FR_STATUS_ACCOUNTING_ON || status == FR_STATUS_ACCOUNTING_OFF) {
/* log debug */
RDEBUG2("handling accounting on/off request without action");
/* return */
return RLM_MODULE_OK;
}
/* get handle */
handle = fr_pool_connection_get(inst->pool, request);
/* check handle */
if (!handle) return RLM_MODULE_FAIL;
/* set couchbase instance */
lcb_t cb_inst = handle->handle;
/* set cookie */
cookie_t *cookie = handle->cookie;
/* attempt to build document key */
slen = tmpl_expand(&dockey, buffer, sizeof(buffer), request, inst->acct_key, NULL, NULL);
if (slen < 0) {
rcode = RLM_MODULE_FAIL;
goto finish;
}
if ((dockey == buffer) && is_truncated((size_t)slen, sizeof(buffer))) {
REDEBUG("Key too long, expected < " STRINGIFY(sizeof(buffer)) " bytes, got %zi bytes", slen);
rcode = RLM_MODULE_FAIL;
/* return */
goto finish;
}
/* attempt to fetch document */
cb_error = couchbase_get_key(cb_inst, cookie, dockey);
/* check error and object */
if (cb_error != LCB_SUCCESS || cookie->jerr != json_tokener_success || !cookie->jobj) {
/* log error */
RERROR("failed to execute get request or parse returned json object");
/* free and reset json object */
if (cookie->jobj) {
json_object_put(cookie->jobj);
cookie->jobj = NULL;
}
/* check cookie json object */
} else if (cookie->jobj) {
/* set doc found */
docfound = 1;
/* debugging */
RDEBUG3("parsed json body from couchbase: %s", json_object_to_json_string(cookie->jobj));
}
/* start json document if needed */
if (docfound != 1) {
/* debugging */
RDEBUG2("no existing document found - creating new json document");
/* create new json object */
cookie->jobj = json_object_new_object();
/* set 'docType' element for new document */
json_object_object_add(cookie->jobj, "docType", json_object_new_string(inst->doctype));
/* default startTimestamp and stopTimestamp to null values */
json_object_object_add(cookie->jobj, "startTimestamp", NULL);
json_object_object_add(cookie->jobj, "stopTimestamp", NULL);
}
/* status specific replacements for start/stop time */
switch (status) {
case FR_STATUS_START:
/* add start time */
if ((vp = fr_pair_find_by_da(request->packet->vps, attr_acct_status_type, TAG_ANY)) != NULL) {
/* add to json object */
json_object_object_add(cookie->jobj, "startTimestamp",
mod_value_pair_to_json_object(request, vp));
}
break;
case FR_STATUS_STOP:
/* add stop time */
if ((vp = fr_pair_find_by_da(request->packet->vps, attr_event_timestamp, TAG_ANY)) != NULL) {
/* add to json object */
json_object_object_add(cookie->jobj, "stopTimestamp",
mod_value_pair_to_json_object(request, vp));
}
/* check start timestamp and adjust if needed */
mod_ensure_start_timestamp(cookie->jobj, request->packet->vps);
break;
case FR_STATUS_ALIVE:
/* check start timestamp and adjust if needed */
mod_ensure_start_timestamp(cookie->jobj, request->packet->vps);
break;
default:
/* don't doing anything */
rcode = RLM_MODULE_NOOP;
/* return */
goto finish;
}
/* loop through pairs and add to json document */
for (vp = request->packet->vps; vp; vp = vp->next) {
/* map attribute to element */
if (mod_attribute_to_element(vp->da->name, inst->map, &element) == 0) {
/* debug */
RDEBUG3("mapped attribute %s => %s", vp->da->name, element);
/* add to json object with mapped name */
json_object_object_add(cookie->jobj, element, mod_value_pair_to_json_object(request, vp));
}
}
/* copy json string to document and check size */
if (strlcpy(document, json_object_to_json_string(cookie->jobj), sizeof(document)) >= sizeof(document)) {
/* this isn't good */
RERROR("could not write json document - insufficient buffer space");
/* set return */
rcode = RLM_MODULE_FAIL;
/* return */
goto finish;
}
/* debugging */
RDEBUG3("setting '%s' => '%s'", dockey, document);
/* store document/key in couchbase */
cb_error = couchbase_set_key(cb_inst, dockey, document, inst->expire);
/* check return */
if (cb_error != LCB_SUCCESS) {
RERROR("failed to store document (%s): %s (0x%x)", dockey, lcb_strerror(NULL, cb_error), cb_error);
}
finish:
/* free and reset json object */
if (cookie->jobj) {
json_object_put(cookie->jobj);
cookie->jobj = NULL;
}
/* release our connection handle */
if (handle) {
fr_pool_connection_release(inst->pool, request, handle);
}
/* return */
return rcode;
}
/*
maximum: max(x,y)
*/
static Term
p_max(Term t1, Term t2)
{
switch (ETypeOfTerm(t1)) {
case long_int_e:
switch (ETypeOfTerm(t2)) {
case long_int_e:
{
Int i1 = IntegerOfTerm(t1);
Int i2 = IntegerOfTerm(t2);
return((i1 > i2 ? t1 : t2));
}
case double_e:
{
/* integer, double */
Int i = IntegerOfTerm(t1);
Float fl = FloatOfTerm(t2);
if (i >= fl) {
return t1;
}
return t2;
}
case big_int_e:
#ifdef USE_GMP
if (Yap_gmp_cmp_int_big(IntegerOfTerm(t1), t2) > 0) {
return t1;
}
return t2;
#endif
default:
RERROR();
}
break;
case double_e:
switch (ETypeOfTerm(t2)) {
case long_int_e:
/* float / integer */
{
Int i = IntegerOfTerm(t2);
Float fl = FloatOfTerm(t1);
if (i >= fl) {
return t2;
}
return t1;
}
case double_e:
{
Float fl1 = FloatOfTerm(t1);
Float fl2 = FloatOfTerm(t2);
if (fl1 >= fl2) {
return t1;
}
return t2;
}
case big_int_e:
#ifdef USE_GMP
if (Yap_gmp_cmp_float_big(FloatOfTerm(t1), t2) > 0) {
return t1;
}
return t2;
#endif
default:
RERROR();
}
break;
case big_int_e:
#ifdef USE_GMP
switch (ETypeOfTerm(t2)) {
case long_int_e:
if (Yap_gmp_cmp_big_int(t1, IntegerOfTerm(t2)) > 0) {
return t1;
}
return t2;
case big_int_e:
if (Yap_gmp_cmp_big_big(t1, t2) > 0) {
return t1;
}
return t2;
case double_e:
if (Yap_gmp_cmp_big_float(t1, FloatOfTerm(t2)) > 0) {
return t1;
}
return t2;
default:
RERROR();
}
#endif
default:
RERROR();
}
RERROR();
}
/** Execute a program.
*
* @param[in,out] ctx to allocate new VALUE_PAIR (s) in.
* @param[out] out buffer to append plaintext (non valuepair) output.
* @param[in] outlen length of out buffer.
* @param[out] output_pairs list of value pairs - Data on child's stdout will be parsed and
* added into this list of value pairs.
* @param[in] request Current request (may be NULL).
* @param[in] cmd Command to execute. This is parsed into argv[] parts, then each individual argv
* part is xlat'ed.
* @param[in] input_pairs list of value pairs - these will be available in the environment of the
* child.
* @param[in] exec_wait set to 1 if you want to read from or write to child.
* @param[in] shell_escape values before passing them as arguments.
* @param[in] timeout amount of time to wait, in seconds.
* @return
* - 0 if exec_wait==0.
* - exit code if exec_wait!=0.
* - -1 on failure.
*/
int radius_exec_program(TALLOC_CTX *ctx, char *out, size_t outlen, VALUE_PAIR **output_pairs,
REQUEST *request, char const *cmd, VALUE_PAIR *input_pairs,
bool exec_wait, bool shell_escape, int timeout)
{
pid_t pid;
int from_child;
#ifndef __MINGW32__
char *p;
pid_t child_pid;
int comma = 0;
int status, ret = 0;
ssize_t len;
char answer[4096];
#endif
RDEBUG2("Executing: %s:", cmd);
if (out) *out = '\0';
pid = radius_start_program(cmd, request, exec_wait, NULL, &from_child, input_pairs, shell_escape);
if (pid < 0) {
return -1;
}
if (!exec_wait) {
return 0;
}
#ifndef __MINGW32__
len = radius_readfrom_program(from_child, pid, timeout, answer, sizeof(answer));
if (len < 0) {
/*
* Failure - radius_readfrom_program will
* have called close(from_child) for us
*/
RERROR("Failed to read from child output");
return -1;
}
answer[len] = '\0';
/*
* Make sure that the writer can't block while writing to
* a pipe that no one is reading from anymore.
*/
close(from_child);
if (len == 0) {
goto wait;
}
/*
* Parse the output, if any.
*/
if (output_pairs) {
/*
* HACK: Replace '\n' with ',' so that
* fr_pair_list_afrom_str() can parse the buffer in
* one go (the proper way would be to
* fix fr_pair_list_afrom_str(), but oh well).
*/
for (p = answer; *p; p++) {
if (*p == '\n') {
*p = comma ? ' ' : ',';
p++;
comma = 0;
}
if (*p == ',') {
comma++;
}
}
/*
* Replace any trailing comma by a NUL.
*/
if (answer[len - 1] == ',') {
answer[--len] = '\0';
}
if (fr_pair_list_afrom_str(ctx, answer, output_pairs) == T_INVALID) {
RERROR("Failed parsing output from: %s: %s", cmd, fr_strerror());
strlcpy(out, answer, len);
ret = -1;
}
/*
* We've not been told to extract output pairs,
* just copy the programs output to the out
* buffer.
*/
} else if (out) {
strlcpy(out, answer, outlen);
}
/*
* Call rad_waitpid (should map to waitpid on non-threaded
* or single-server systems).
*/
wait:
child_pid = rad_waitpid(pid, &status);
if (child_pid == 0) {
RERROR("Timeout waiting for child");
return -2;
}
if (child_pid == pid) {
if (WIFEXITED(status)) {
status = WEXITSTATUS(status);
if ((status != 0) || (ret < 0)) {
RERROR("Program returned code (%d) and output '%s'", status, answer);
} else {
RDEBUG2("Program returned code (%d) and output '%s'", status, answer);
}
return ret < 0 ? ret : status;
}
}
RERROR("Abnormal child exit: %s", fr_syserror(errno));
#endif /* __MINGW32__ */
return -1;
}
static Term
p_div2(Term t1, Term t2 USES_REGS) {
switch (ETypeOfTerm(t1)) {
case (CELL)long_int_e:
switch (ETypeOfTerm(t2)) {
case (CELL)long_int_e:
/* two integers */
{
Int i1 = IntegerOfTerm(t1);
Int i2 = IntegerOfTerm(t2);
Int res, mod;
if (i2 == 0)
return Yap_ArithError(EVALUATION_ERROR_ZERO_DIVISOR, t2, "X is " Int_FORMAT " div 0", i1);
if (i1 == Int_MIN && i2 == -1) {
#ifdef USE_GMP
return Yap_gmp_add_ints(Int_MAX, 1);
#else
return Yap_ArithError(EVALUATION_ERROR_INT_OVERFLOW, t1,
"// /2 with %d and %d", i1, i2);
#endif
}
mod = i1%i2;
if (mod && (mod ^ i2) < 0)
mod += i2;
res = (i1 - mod) / i2;
RINT(res);
}
case (CELL)double_e:
return Yap_ArithError(TYPE_ERROR_INTEGER, t2, "div/2");
case (CELL)big_int_e:
#ifdef USE_GMP
return Yap_gmp_div_int_big(IntegerOfTerm(t1), t2);
#endif
default:
RERROR();
break;
}
case (CELL)double_e:
return Yap_ArithError(TYPE_ERROR_INTEGER, t2, "div/2");
case (CELL)big_int_e:
#ifdef USE_GMP
switch (ETypeOfTerm(t2)) {
case long_int_e:
/* modulo between bignum and integer */
{
Int i2 = IntegerOfTerm(t2);
if (i2 == 0)
return Yap_ArithError(EVALUATION_ERROR_ZERO_DIVISOR, t2, "X is ... div 0");
return Yap_gmp_div2_big_int(t1, i2);
}
case (CELL)big_int_e:
/* two bignums */
return Yap_gmp_div2_big_big(t1, t2);
case double_e:
return Yap_ArithError(TYPE_ERROR_INTEGER, t2, "mod/2");
default:
RERROR();
}
#endif
default:
RERROR();
}
}
/** Insert a new entry into the data store
*
* @copydetails cache_entry_insert_t
*/
static cache_status_t cache_entry_insert(UNUSED rlm_cache_config_t const *config, void *driver_inst,
REQUEST *request, UNUSED void *handle, const rlm_cache_entry_t *c)
{
rlm_cache_redis_t *driver = driver_inst;
TALLOC_CTX *pool;
vp_map_t *map;
fr_redis_conn_t *conn;
fr_redis_cluster_state_t state;
fr_redis_rcode_t status;
redisReply *reply = NULL;
int s_ret;
static char const command[] = "RPUSH";
char const **argv;
size_t *argv_len;
char const **argv_p;
size_t *argv_len_p;
int pipelined = 0; /* How many commands pending in the pipeline */
redisReply *replies[5]; /* Should have the same number of elements as pipelined commands */
size_t reply_num = 0, i;
char *p;
int cnt;
vp_tmpl_t expires_value;
vp_map_t expires = {
.op = T_OP_SET,
.lhs = &driver->expires_attr,
.rhs = &expires_value,
};
vp_tmpl_t created_value;
vp_map_t created = {
.op = T_OP_SET,
.lhs = &driver->created_attr,
.rhs = &created_value,
.next = &expires
};
/*
* Encode the entry created date
*/
tmpl_init(&created_value, TMPL_TYPE_DATA, "<TEMP>", 6, T_BARE_WORD);
created_value.tmpl_data_type = PW_TYPE_DATE;
created_value.tmpl_data_length = sizeof(created_value.tmpl_data_value.date);
created_value.tmpl_data_value.date = c->created;
/*
* Encode the entry expiry time
*
* Although Redis objects expire on their own, we still need this
* to ignore entries that were created before the last epoch.
*/
tmpl_init(&expires_value, TMPL_TYPE_DATA, "<TEMP>", 6, T_BARE_WORD);
expires_value.tmpl_data_type = PW_TYPE_DATE;
expires_value.tmpl_data_length = sizeof(expires_value.tmpl_data_value.date);
expires_value.tmpl_data_value.date = c->expires;
expires.next = c->maps; /* Head of the list */
for (cnt = 0, map = &created; map; cnt++, map = map->next);
/*
* The majority of serialized entries should be under 1k.
*
* @todo We should really calculate this using some sort of moving average.
*/
pool = talloc_pool(request, 1024);
if (!pool) return CACHE_ERROR;
argv_p = argv = talloc_array(pool, char const *, (cnt * 3) + 2); /* pair = 3 + cmd + key */
argv_len_p = argv_len = talloc_array(pool, size_t, (cnt * 3) + 2); /* pair = 3 + cmd + key */
*argv_p++ = command;
*argv_len_p++ = sizeof(command) - 1;
*argv_p++ = (char const *)c->key;
*argv_len_p++ = c->key_len;
/*
* Add the maps to the command string in reverse order
*/
for (map = &created; map; map = map->next) {
if (fr_redis_tuple_from_map(pool, argv_p, argv_len_p, map) < 0) {
REDEBUG("Failed encoding map as Redis K/V pair");
talloc_free(pool);
return CACHE_ERROR;
}
argv_p += 3;
argv_len_p += 3;
}
RDEBUG3("Pipelining commands");
RINDENT();
for (s_ret = fr_redis_cluster_state_init(&state, &conn, driver->cluster, request, c->key, c->key_len, false);
s_ret == REDIS_RCODE_TRY_AGAIN; /* Continue */
s_ret = fr_redis_cluster_state_next(&state, &conn, driver->cluster, request, status, &reply)) {
/*
* Start the transaction, as we need to set an expiry time too.
*/
if (c->expires > 0) {
RDEBUG3("MULTI");
if (redisAppendCommand(conn->handle, "MULTI") != REDIS_OK) {
append_error:
REXDENT();
RERROR("Failed appending Redis command to output buffer: %s", conn->handle->errstr);
talloc_free(pool);
return CACHE_ERROR;
}
pipelined++;
}
if (RDEBUG_ENABLED3) {
p = fr_asprint(request, (char const *)c->key, c->key_len, '\0');
RDEBUG3("DEL \"%s\"", p);
talloc_free(p);
}
if (redisAppendCommand(conn->handle, "DEL %b", c->key, c->key_len) != REDIS_OK) goto append_error;
pipelined++;
if (RDEBUG_ENABLED3) {
RDEBUG3("argv command");
RINDENT();
for (i = 0; i < talloc_array_length(argv); i++) {
p = fr_asprint(request, argv[i], argv_len[i], '\0');
RDEBUG3("%s", p);
talloc_free(p);
}
REXDENT();
}
redisAppendCommandArgv(conn->handle, talloc_array_length(argv), argv, argv_len);
pipelined++;
/*
* Set the expiry time and close out the transaction.
*/
if (c->expires > 0) {
if (RDEBUG_ENABLED3) {
p = fr_asprint(request, (char const *)c->key, c->key_len, '\"');
RDEBUG3("EXPIREAT \"%s\" %li", p, (long)c->expires);
talloc_free(p);
}
if (redisAppendCommand(conn->handle, "EXPIREAT %b %i", c->key,
c->key_len, c->expires) != REDIS_OK) goto append_error;
pipelined++;
RDEBUG3("EXEC");
if (redisAppendCommand(conn->handle, "EXEC") != REDIS_OK) goto append_error;
pipelined++;
}
REXDENT();
reply_num = fr_redis_pipeline_result(&status, replies, sizeof(replies) / sizeof(*replies),
conn, pipelined);
reply = replies[0];
}
talloc_free(pool);
if (s_ret != REDIS_RCODE_SUCCESS) {
RERROR("Failed inserting entry");
return CACHE_ERROR;
}
RDEBUG3("Command results");
RINDENT();
for (i = 0; i < reply_num; i++) {
fr_redis_reply_print(L_DBG_LVL_3, replies[i], request, i);
fr_redis_reply_free(replies[i]);
}
REXDENT();
return CACHE_OK;
}
/** Call delete the cache entry from redis
*
* @copydetails cache_entry_expire_t
*/
static cache_status_t cache_entry_expire(UNUSED rlm_cache_config_t const *config, void *driver_inst,
REQUEST *request, UNUSED void *handle, uint8_t const *key, size_t key_len)
{
rlm_cache_redis_t *driver = driver_inst;
fr_redis_cluster_state_t state;
fr_redis_conn_t *conn;
fr_redis_rcode_t status;
redisReply *reply = NULL;
int s_ret;
for (s_ret = fr_redis_cluster_state_init(&state, &conn, driver->cluster, request, key, key_len, false);
s_ret == REDIS_RCODE_TRY_AGAIN; /* Continue */
s_ret = fr_redis_cluster_state_next(&state, &conn, driver->cluster, request, status, &reply)) {
reply = redisCommand(conn->handle, "DEL %b", key, key_len);
status = fr_redis_command_status(conn, reply);
}
if (s_ret != REDIS_RCODE_SUCCESS) {
RERROR("Failed expiring entry");
fr_redis_reply_free(reply);
return CACHE_ERROR;
}
rad_assert(reply); /* clang scan */
if (reply->type == REDIS_REPLY_INTEGER) {
fr_redis_reply_free(reply);
if (reply->integer) return CACHE_OK; /* Affected */
return CACHE_MISS;
}
REDEBUG("Bad result type, expected integer, got %s",
fr_int2str(redis_reply_types, reply->type, "<UNKNOWN>"));
fr_redis_reply_free(reply);
return CACHE_ERROR;
}
extern cache_driver_t rlm_cache_redis;
cache_driver_t rlm_cache_redis = {
.name = "rlm_cache_redis",
.instantiate = mod_instantiate,
.inst_size = sizeof(rlm_cache_redis_t),
.free = cache_entry_free,
.find = cache_entry_find,
.insert = cache_entry_insert,
.expire = cache_entry_expire,
};
