/* * Do any per-module initialization that is separate to each * configured instance of the module. e.g. set up connections * to external databases, read configuration files, set up * dictionary entries, etc. * * If configuration information is given in the config section * that must be referenced in later calls, store a handle to it * in *instance otherwise put a null pointer there. */ static int sqlcounter_instantiate(CONF_SECTION *conf, void **instance) { rlm_sqlcounter_t *data; DICT_ATTR *dattr; ATTR_FLAGS flags; time_t now; char buffer[MAX_STRING_LEN]; /* * Set up a storage area for instance data */ data = rad_malloc(sizeof(*data)); if (!data) { return -1; } memset(data, 0, sizeof(*data)); /* * If the configuration parameters can't be parsed, then * fail. */ if (cf_section_parse(conf, data, module_config) < 0) { free(data); return -1; } /* * No query, die. */ if (data->query == NULL) { radlog(L_ERR, "rlm_sqlcounter: 'query' must be set."); return -1; } /* * Safe characters list for sql queries. Everything else is * replaced rwith their mime-encoded equivalents. */ allowed_chars = data->allowed_chars; /* * Discover the attribute number of the key. */ if (data->key_name == NULL) { radlog(L_ERR, "rlm_sqlcounter: 'key' must be set."); return -1; } sql_escape_func(buffer, sizeof(buffer), data->key_name); if (strcmp(buffer, data->key_name) != 0) { radlog(L_ERR, "rlm_sqlcounter: The value for option 'key' is too long or contains unsafe characters."); return -1; } dattr = dict_attrbyname(data->key_name); if (dattr == NULL) { radlog(L_ERR, "rlm_sqlcounter: No such attribute %s", data->key_name); return -1; } data->key_attr = dattr->attr; /* * Check the "sqlmod-inst" option. */ if (data->sqlmod_inst == NULL) { radlog(L_ERR, "rlm_sqlcounter: 'sqlmod-inst' must be set."); return -1; } sql_escape_func(buffer, sizeof(buffer), data->sqlmod_inst); if (strcmp(buffer, data->sqlmod_inst) != 0) { radlog(L_ERR, "rlm_sqlcounter: The value for option 'sqlmod-inst' is too long or contains unsafe characters."); return -1; } /* * Create a new attribute for the counter. */ if (data->counter_name == NULL) { radlog(L_ERR, "rlm_sqlcounter: 'counter-name' must be set."); return -1; } memset(&flags, 0, sizeof(flags)); dict_addattr(data->counter_name, 0, PW_TYPE_INTEGER, -1, flags); dattr = dict_attrbyname(data->counter_name); if (dattr == NULL) { radlog(L_ERR, "rlm_sqlcounter: Failed to create counter attribute %s", data->counter_name); return -1; } data->dict_attr = dattr->attr; DEBUG2("rlm_sqlcounter: Counter attribute %s is number %d", data->counter_name, data->dict_attr); /* * Create a new attribute for the check item. */ if (data->check_name == NULL) { radlog(L_ERR, "rlm_sqlcounter: 'check-name' must be set."); return -1; } dict_addattr(data->check_name, 0, PW_TYPE_INTEGER, -1, flags); dattr = dict_attrbyname(data->check_name); if (dattr == NULL) { radlog(L_ERR, "rlm_sqlcounter: Failed to create check attribute %s", data->counter_name); return -1; } DEBUG2("rlm_sqlcounter: Check attribute %s is number %d", data->check_name, dattr->attr); /* * Discover the end of the current time period. */ if (data->reset == NULL) { radlog(L_ERR, "rlm_sqlcounter: 'reset' must be set."); return -1; } now = time(NULL); data->reset_time = 0; if (find_next_reset(data,now) == -1) return -1; /* * Discover the beginning of the current time period. */ data->last_reset = 0; if (find_prev_reset(data,now) == -1) return -1; /* * Register the counter comparison operation. */ paircompare_register(data->dict_attr, 0, sqlcounter_cmp, data); *instance = data; return 0; }
/* * Find the named user in this modules database. Create the set * of attribute-value pairs to check and reply with for this user * from the database. The authentication code only needs to check * the password, the rest is done here. */ static int sqlcounter_authorize(void *instance, REQUEST *request) { rlm_sqlcounter_t *data = (rlm_sqlcounter_t *) instance; int ret=RLM_MODULE_NOOP; int counter=0; int res=0; DICT_ATTR *dattr; VALUE_PAIR *key_vp, *check_vp; VALUE_PAIR *reply_item; char msg[128]; char querystr[MAX_QUERY_LEN]; char responsestr[MAX_QUERY_LEN]; /* quiet the compiler */ instance = instance; request = request; /* * Before doing anything else, see if we have to reset * the counters. */ if (data->reset_time && (data->reset_time <= request->timestamp)) { /* * Re-set the next time and prev_time for this counters range */ data->last_reset = data->reset_time; find_next_reset(data,request->timestamp); } /* * Look for the key. User-Name is special. It means * The REAL username, after stripping. */ DEBUG2("rlm_sqlcounter: Entering module authorize code"); key_vp = (data->key_attr == PW_USER_NAME) ? request->username : pairfind(request->packet->vps, data->key_attr); if (key_vp == NULL) { DEBUG2("rlm_sqlcounter: Could not find Key value pair"); return ret; } /* * Look for the check item */ if ((dattr = dict_attrbyname(data->check_name)) == NULL) { return ret; } /* DEBUG2("rlm_sqlcounter: Found Check item attribute %d", dattr->attr); */ if ((check_vp= pairfind(request->config_items, dattr->attr)) == NULL) { DEBUG2("rlm_sqlcounter: Could not find Check item value pair"); return ret; } /* first, expand %k, %b and %e in query */ sqlcounter_expand(querystr, MAX_QUERY_LEN, data->query, instance); /* second, xlat any request attribs in query */ radius_xlat(responsestr, MAX_QUERY_LEN, querystr, request, sql_escape_func); /* third, wrap query with sql module & expand */ snprintf(querystr, sizeof(querystr), "%%{%%S:%s}", responsestr); sqlcounter_expand(responsestr, MAX_QUERY_LEN, querystr, instance); /* Finally, xlat resulting SQL query */ radius_xlat(querystr, MAX_QUERY_LEN, responsestr, request, sql_escape_func); counter = atoi(querystr); /* * Check if check item > counter */ res=check_vp->lvalue - counter; if (res > 0) { DEBUG2("rlm_sqlcounter: (Check item - counter) is greater than zero"); /* * We are assuming that simultaneous-use=1. But * even if that does not happen then our user * could login at max for 2*max-usage-time Is * that acceptable? */ /* * User is allowed, but set Session-Timeout. * Stolen from main/auth.c */ /* * If we are near a reset then add the next * limit, so that the user will not need to * login again */ if (data->reset_time && ( res >= (data->reset_time - request->timestamp))) { res = data->reset_time - request->timestamp; res += check_vp->lvalue; } if ((reply_item = pairfind(request->reply->vps, PW_SESSION_TIMEOUT)) != NULL) { if (reply_item->lvalue > res) reply_item->lvalue = res; } else { if ((reply_item = paircreate(PW_SESSION_TIMEOUT, PW_TYPE_INTEGER)) == NULL) { radlog(L_ERR|L_CONS, "no memory"); return RLM_MODULE_NOOP; } reply_item->lvalue = res; pairadd(&request->reply->vps, reply_item); } ret=RLM_MODULE_OK; DEBUG2("rlm_sqlcounter: Authorized user %s, check_item=%d, counter=%d", key_vp->strvalue,check_vp->lvalue,counter); DEBUG2("rlm_sqlcounter: Sent Reply-Item for user %s, Type=Session-Timeout, value=%d", key_vp->strvalue,reply_item->lvalue); } else{ char module_fmsg[MAX_STRING_LEN]; VALUE_PAIR *module_fmsg_vp; DEBUG2("rlm_sqlcounter: (Check item - counter) is less than zero"); /* * User is denied access, send back a reply message */ snprintf(msg, sizeof(msg), "Your maximum %s usage time has been reached", data->reset); reply_item=pairmake("Reply-Message", msg, T_OP_EQ); pairadd(&request->reply->vps, reply_item); snprintf(module_fmsg, sizeof(module_fmsg), "rlm_sqlcounter: Maximum %s usage time reached", data->reset); module_fmsg_vp = pairmake("Module-Failure-Message", module_fmsg, T_OP_EQ); pairadd(&request->packet->vps, module_fmsg_vp); ret=RLM_MODULE_REJECT; DEBUG2("rlm_sqlcounter: Rejected user %s, check_item=%d, counter=%d", key_vp->strvalue,check_vp->lvalue,counter); } return ret; }
/* * Do any per-module initialization that is separate to each * configured instance of the module. e.g. set up connections * to external databases, read configuration files, set up * dictionary entries, etc. * * If configuration information is given in the config section * that must be referenced in later calls, store a handle to it * in *instance otherwise put a null pointer there. */ static int sqlcounter_instantiate(CONF_SECTION *conf, void **instance) { rlm_sqlcounter_t *data; DICT_ATTR *dattr; ATTR_FLAGS flags; time_t now; /* * Set up a storage area for instance data */ data = rad_malloc(sizeof(*data)); if (!data) { radlog(L_ERR, "rlm_sqlcounter: Not enough memory."); return -1; } memset(data, 0, sizeof(*data)); /* * If the configuration parameters can't be parsed, then * fail. */ if (cf_section_parse(conf, data, module_config) < 0) { radlog(L_ERR, "rlm_sqlcounter: Unable to parse parameters."); sqlcounter_detach(data); return -1; } /* * No query, die. */ if (data->query == NULL) { radlog(L_ERR, "rlm_sqlcounter: 'query' must be set."); sqlcounter_detach(data); return -1; } /* * Discover the attribute number of the key. */ if (data->key_name == NULL) { radlog(L_ERR, "rlm_sqlcounter: 'key' must be set."); sqlcounter_detach(data); return -1; } dattr = dict_attrbyname(data->key_name); if (dattr == NULL) { radlog(L_ERR, "rlm_sqlcounter: No such attribute %s", data->key_name); sqlcounter_detach(data); return -1; } data->key_attr = dattr; dattr = dict_attrbyname(data->reply_name); if (dattr == NULL) { radlog(L_ERR, "rlm_sqlcounter: No such attribute %s", data->reply_name); sqlcounter_detach(data); return -1; } data->reply_attr = dattr; DEBUG2("rlm_sqlcounter: Reply attribute %s is number %d", data->reply_name, dattr->attr); /* * Check the "sqlmod-inst" option. */ if (data->sqlmod_inst == NULL) { radlog(L_ERR, "rlm_sqlcounter: 'sqlmod-inst' must be set."); sqlcounter_detach(data); return -1; } /* * Create a new attribute for the counter. */ if (data->counter_name == NULL) { radlog(L_ERR, "rlm_sqlcounter: 'counter-name' must be set."); sqlcounter_detach(data); return -1; } memset(&flags, 0, sizeof(flags)); dict_addattr(data->counter_name, -1, 0, PW_TYPE_INTEGER, flags); dattr = dict_attrbyname(data->counter_name); if (dattr == NULL) { radlog(L_ERR, "rlm_sqlcounter: Failed to create counter attribute %s", data->counter_name); sqlcounter_detach(data); return -1; } if (dattr->vendor != 0) { radlog(L_ERR, "Counter attribute must not be a VSA"); sqlcounter_detach(data); return -1; } data->dict_attr = dattr; /* * Create a new attribute for the check item. */ if (data->check_name == NULL) { radlog(L_ERR, "rlm_sqlcounter: 'check-name' must be set."); sqlcounter_detach(data); return -1; } dict_addattr(data->check_name, 0, PW_TYPE_INTEGER, -1, flags); dattr = dict_attrbyname(data->check_name); if (dattr == NULL) { radlog(L_ERR, "rlm_sqlcounter: Failed to create check attribute %s", data->check_name); sqlcounter_detach(data); return -1; } DEBUG2("rlm_sqlcounter: Check attribute %s is number %d", data->check_name, dattr->attr); /* * Discover the end of the current time period. */ if (data->reset == NULL) { radlog(L_ERR, "rlm_sqlcounter: 'reset' must be set."); sqlcounter_detach(data); return -1; } now = time(NULL); data->reset_time = 0; if (find_next_reset(data,now) == -1) { radlog(L_ERR, "rlm_sqlcounter: Failed to find the next reset time."); sqlcounter_detach(data); return -1; } /* * Discover the beginning of the current time period. */ data->last_reset = 0; if (find_prev_reset(data,now) == -1) { radlog(L_ERR, "rlm_sqlcounter: Failed to find the previous reset time."); sqlcounter_detach(data); return -1; } /* * Register the counter comparison operation. */ paircompare_register(data->dict_attr->attr, 0, sqlcounter_cmp, data); *instance = data; return 0; }
/* * Find the named user in this modules database. Create the set * of attribute-value pairs to check and reply with for this user * from the database. The authentication code only needs to check * the password, the rest is done here. */ static int sqlcounter_authorize(void *instance, REQUEST *request) { rlm_sqlcounter_t *data = (rlm_sqlcounter_t *) instance; int ret=RLM_MODULE_NOOP; unsigned int counter; DICT_ATTR *dattr; VALUE_PAIR *key_vp, *check_vp; VALUE_PAIR *reply_item; char msg[128]; char querystr[MAX_QUERY_LEN]; char sqlxlat[MAX_QUERY_LEN]; /* quiet the compiler */ instance = instance; request = request; /* * Before doing anything else, see if we have to reset * the counters. */ if (data->reset_time && (data->reset_time <= request->timestamp)) { /* * Re-set the next time and prev_time for this counters range */ data->last_reset = data->reset_time; find_next_reset(data,request->timestamp); } /* * Look for the key. User-Name is special. It means * The REAL username, after stripping. */ DEBUG2("rlm_sqlcounter: Entering module authorize code"); key_vp = ((data->key_attr->vendor == 0) && (data->key_attr->attr == PW_USER_NAME)) ? request->username : pairfind(request->packet->vps, data->key_attr->attr, data->key_attr->vendor); if (key_vp == NULL) { DEBUG2("rlm_sqlcounter: Could not find Key value pair"); return ret; } /* * Look for the check item */ if ((dattr = dict_attrbyname(data->check_name)) == NULL) { return ret; } /* DEBUG2("rlm_sqlcounter: Found Check item attribute %d", dattr->attr); */ if ((check_vp= pairfind(request->config_items, dattr->attr, dattr->vendor)) == NULL) { DEBUG2("rlm_sqlcounter: Could not find Check item value pair"); return ret; } /* first, expand %k, %b and %e in query */ sqlcounter_expand(querystr, MAX_QUERY_LEN, data->query, instance); /* next, wrap query with sql module & expand */ snprintf(sqlxlat, sizeof(sqlxlat), "%%{%s:%s}", data->sqlmod_inst, querystr); /* Finally, xlat resulting SQL query */ radius_xlat(querystr, MAX_QUERY_LEN, sqlxlat, request, NULL, NULL); if (sscanf(querystr, "%u", &counter) != 1) { DEBUG2("rlm_sqlcounter: No integer found in string \"%s\"", querystr); return RLM_MODULE_NOOP; } /* * Check if check item > counter */ if (check_vp->vp_integer > counter) { unsigned int res = check_vp->vp_integer - counter; DEBUG2("rlm_sqlcounter: Check item is greater than query result"); /* * We are assuming that simultaneous-use=1. But * even if that does not happen then our user * could login at max for 2*max-usage-time Is * that acceptable? */ /* * If we are near a reset then add the next * limit, so that the user will not need to login * again. Do this only for Session-Timeout. */ if ((data->reply_attr->attr == PW_SESSION_TIMEOUT) && data->reset_time && (res >= (data->reset_time - request->timestamp))) { res = data->reset_time - request->timestamp; res += check_vp->vp_integer; } /* * Limit the reply attribute to the minimum of * the existing value, or this new one. */ reply_item = pairfind(request->reply->vps, data->reply_attr->attr, data->reply_attr->vendor); if (reply_item) { if (reply_item->vp_integer > res) reply_item->vp_integer = res; } else { reply_item = radius_paircreate(request, &request->reply->vps, data->reply_attr->attr, data->reply_attr->vendor, PW_TYPE_INTEGER); reply_item->vp_integer = res; } ret=RLM_MODULE_OK; DEBUG2("rlm_sqlcounter: Authorized user %s, check_item=%u, counter=%u", key_vp->vp_strvalue,check_vp->vp_integer,counter); DEBUG2("rlm_sqlcounter: Sent Reply-Item for user %s, Type=%s, value=%u", key_vp->vp_strvalue,data->reply_name,reply_item->vp_integer); } else{ char module_fmsg[MAX_STRING_LEN]; VALUE_PAIR *module_fmsg_vp; DEBUG2("rlm_sqlcounter: (Check item - counter) is less than zero"); /* * User is denied access, send back a reply message */ snprintf(msg, sizeof(msg), "Your maximum %s usage time has been reached", data->reset); reply_item=pairmake("Reply-Message", msg, T_OP_EQ); pairadd(&request->reply->vps, reply_item); snprintf(module_fmsg, sizeof(module_fmsg), "rlm_sqlcounter: Maximum %s usage time reached", data->reset); module_fmsg_vp = pairmake("Module-Failure-Message", module_fmsg, T_OP_EQ); pairadd(&request->packet->vps, module_fmsg_vp); ret=RLM_MODULE_REJECT; DEBUG2("rlm_sqlcounter: Rejected user %s, check_item=%u, counter=%u", key_vp->vp_strvalue,check_vp->vp_integer,counter); } return ret; }
/* * Do any per-module initialization that is separate to each * configured instance of the module. e.g. set up connections * to external databases, read configuration files, set up * dictionary entries, etc. * * If configuration information is given in the config section * that must be referenced in later calls, store a handle to it * in *instance otherwise put a null pointer there. */ static int mod_instantiate(CONF_SECTION *conf, void *instance) { rlm_sqlcounter_t *inst = instance; DICT_ATTR const *da; ATTR_FLAGS flags; time_t now; rad_assert(inst->query && *inst->query); da = dict_attrbyname(inst->key_name); if (!da) { cf_log_err_cs(conf, "Invalid attribute '%s'", inst->key_name); return -1; } inst->key_attr = da; da = dict_attrbyname(inst->reply_name); if (!da) { cf_log_err_cs(conf, "Invalid attribute '%s'", inst->reply_name); return -1; } inst->reply_attr = da; /* * Create a new attribute for the counter. */ rad_assert(inst->counter_name && *inst->counter_name); memset(&flags, 0, sizeof(flags)); dict_addattr(inst->counter_name, -1, 0, PW_TYPE_INTEGER, flags); da = dict_attrbyname(inst->counter_name); if (!da) { cf_log_err_cs(conf, "Failed to create counter attribute %s", inst->counter_name); return -1; } inst->dict_attr = da; /* * Create a new attribute for the check item. */ rad_assert(inst->limit_name && *inst->limit_name); dict_addattr(inst->limit_name, -1, 0, PW_TYPE_INTEGER, flags); da = dict_attrbyname(inst->limit_name); if (!da) { cf_log_err_cs(conf, "Failed to create check attribute %s", inst->limit_name); return -1; } now = time(NULL); inst->reset_time = 0; if (find_next_reset(inst,now) == -1) { cf_log_err_cs(conf, "Invalid reset '%s'", inst->reset); return -1; } /* * Discover the beginning of the current time period. */ inst->last_reset = 0; if (find_prev_reset(inst, now) < 0) { cf_log_err_cs(conf, "Invalid reset '%s'", inst->reset); return -1; } /* * Register the counter comparison operation. */ paircompare_register(inst->dict_attr, NULL, true, sqlcounter_cmp, inst); return 0; }
/* * Find the named user in this modules database. Create the set * of attribute-value pairs to check and reply with for this user * from the database. The authentication code only needs to check * the password, the rest is done here. */ static rlm_rcode_t CC_HINT(nonnull) mod_authorize(void *instance, REQUEST *request) { rlm_sqlcounter_t *inst = instance; int rcode = RLM_MODULE_NOOP; uint64_t counter, res; DICT_ATTR const *da; VALUE_PAIR *key_vp, *limit; VALUE_PAIR *reply_item; char msg[128]; char query[MAX_QUERY_LEN], subst[MAX_QUERY_LEN]; char *expanded = NULL; size_t len; /* * Before doing anything else, see if we have to reset * the counters. */ if (inst->reset_time && (inst->reset_time <= request->timestamp)) { /* * Re-set the next time and prev_time for this counters range */ inst->last_reset = inst->reset_time; find_next_reset(inst,request->timestamp); } /* * Look for the key. User-Name is special. It means * The REAL username, after stripping. */ if ((inst->key_attr->vendor == 0) && (inst->key_attr->attr == PW_USER_NAME)) { key_vp = request->username; } else { key_vp = pairfind(request->packet->vps, inst->key_attr->attr, inst->key_attr->vendor, TAG_ANY); } if (!key_vp) { RWDEBUG2("Couldn't find key attribute 'request:%s'", inst->key_attr->name); return rcode; } /* * Look for the check item */ if ((da = dict_attrbyname(inst->limit_name)) == NULL) { return rcode; } limit = pairfind(request->config_items, da->attr, da->vendor, TAG_ANY); if (limit == NULL) { RWDEBUG2("Couldn't find control attribute 'control:%s'", inst->limit_name); return rcode; } /* First, expand %k, %b and %e in query */ if (sqlcounter_expand(subst, sizeof(subst), inst->query, inst) <= 0) { REDEBUG("Insufficient query buffer space"); return RLM_MODULE_FAIL; } /* Then combine that with the name of the module were using to do the query */ len = snprintf(query, sizeof(query), "%%{%s:%s}", inst->sqlmod_inst, subst); if (len >= (sizeof(query) - 1)) { REDEBUG("Insufficient query buffer space"); return RLM_MODULE_FAIL; } /* Finally, xlat resulting SQL query */ if (radius_axlat(&expanded, request, query, NULL, NULL) < 0) { return RLM_MODULE_FAIL; } talloc_free(expanded); if (sscanf(expanded, "%" PRIu64, &counter) != 1) { RDEBUG2("No integer found in result string \"%s\". May be first session, setting counter to 0", expanded); counter = 0; } /* * Check if check item > counter */ if (limit->vp_integer64 <= counter) { /* User is denied access, send back a reply message */ snprintf(msg, sizeof(msg), "Your maximum %s usage time has been reached", inst->reset); pairmake_reply("Reply-Message", msg, T_OP_EQ); REDEBUG2("Maximum %s usage time reached", inst->reset); REDEBUG2("Rejecting user, control:%s value (%" PRIu64 ") is less than counter value (%" PRIu64 ")", inst->limit_name, limit->vp_integer64, counter); return RLM_MODULE_REJECT; } res = limit->vp_integer64 - counter; RDEBUG2("Allowing user, control:%s value (%" PRIu64 ") is greater than counter value (%" PRIu64 ")", inst->limit_name, limit->vp_integer64, counter); /* * We are assuming that simultaneous-use=1. But * even if that does not happen then our user * could login at max for 2*max-usage-time Is * that acceptable? */ /* * If we are near a reset then add the next * limit, so that the user will not need to login * again. Do this only for Session-Timeout. */ if (((inst->reply_attr->vendor == 0) && (inst->reply_attr->attr == PW_SESSION_TIMEOUT)) && inst->reset_time && ((int) res >= (inst->reset_time - request->timestamp))) { res = (inst->reset_time - request->timestamp); res += limit->vp_integer; } /* * Limit the reply attribute to the minimum of the existing value, or this new one. */ reply_item = pairfind(request->reply->vps, inst->reply_attr->attr, inst->reply_attr->vendor, TAG_ANY); if (reply_item) { if (reply_item->vp_integer64 <= res) { RDEBUG2("Leaving existing reply:%s value of %" PRIu64, inst->reply_attr->name, reply_item->vp_integer64); return RLM_MODULE_OK; } } else { reply_item = radius_paircreate(request->reply, &request->reply->vps, inst->reply_attr->attr, inst->reply_attr->vendor); } reply_item->vp_integer64 = res; RDEBUG2("Setting reply:%s value to %" PRIu64, inst->reply_name, reply_item->vp_integer64); return RLM_MODULE_OK; }
/* * Find the named user in this modules database. Create the set * of attribute-value pairs to check and reply with for this user * from the database. The authentication code only needs to check * the password, the rest is done here. */ static rlm_rcode_t mod_authorize(UNUSED void *instance, UNUSED REQUEST *request) { rlm_sqlcounter_t *inst = instance; int rcode = RLM_MODULE_NOOP; uint64_t counter, res; DICT_ATTR const *dattr; VALUE_PAIR *key_vp, *check_vp; VALUE_PAIR *reply_item; char msg[128]; char *p; char query[MAX_QUERY_LEN]; char *expanded = NULL; size_t len; /* * Before doing anything else, see if we have to reset * the counters. */ if (inst->reset_time && (inst->reset_time <= request->timestamp)) { /* * Re-set the next time and prev_time for this counters range */ inst->last_reset = inst->reset_time; find_next_reset(inst,request->timestamp); } /* * Look for the key. User-Name is special. It means * The REAL username, after stripping. */ RDEBUG2("Entering module authorize code"); key_vp = ((inst->key_attr->vendor == 0) && (inst->key_attr->attr == PW_USER_NAME)) ? request->username : pairfind(request->packet->vps, inst->key_attr->attr, inst->key_attr->vendor, TAG_ANY); if (!key_vp) { RDEBUG2("Could not find Key value pair"); return rcode; } /* * Look for the check item */ if ((dattr = dict_attrbyname(inst->check_name)) == NULL) { return rcode; } /* DEBUG2("rlm_sqlcounter: Found Check item attribute %d", dattr->attr); */ if ((check_vp = pairfind(request->config_items, dattr->attr, dattr->vendor, TAG_ANY)) == NULL) { RDEBUG2("Could not find Check item value pair"); return rcode; } len = snprintf(query, sizeof(query), "%%{%s:%s}", inst->sqlmod_inst, query); if (len >= sizeof(query) - 1) { REDEBUG("Insufficient query buffer space"); return RLM_MODULE_FAIL; } p = query + len; /* first, expand %k, %b and %e in query */ len = sqlcounter_expand(p, p - query, inst->query, inst); if (len <= 0) { REDEBUG("Insufficient query buffer space"); return RLM_MODULE_FAIL; } p += len; if ((p - query) < 2) { REDEBUG("Insufficient query buffer space"); return RLM_MODULE_FAIL; } p[0] = '}'; p[1] = '\0'; /* Finally, xlat resulting SQL query */ if (radius_axlat(&expanded, request, query, NULL, NULL) < 0) { return RLM_MODULE_FAIL; } if (sscanf(expanded, "%" PRIu64, &counter) != 1) { RDEBUG2("No integer found in string \"%s\"", expanded); return RLM_MODULE_NOOP; } talloc_free(expanded); /* * Check if check item > counter */ if (check_vp->vp_integer64 <= counter) { RDEBUG2("(Check item - counter) is less than zero"); /* * User is denied access, send back a reply message */ snprintf(msg, sizeof(msg), "Your maximum %s usage time has been reached", inst->reset); pairmake_reply("Reply-Message", msg, T_OP_EQ); REDEBUG("Maximum %s usage time reached", inst->reset); rcode = RLM_MODULE_REJECT; RDEBUG2("Rejected user %s, check_item=%" PRIu64 ", counter=%" PRIu64, key_vp->vp_strvalue, check_vp->vp_integer64, counter); return RLM_MODULE_REJECT; } res = check_vp->vp_integer64 - counter; RDEBUG2("Check item is greater than query result"); /* * We are assuming that simultaneous-use=1. But * even if that does not happen then our user * could login at max for 2*max-usage-time Is * that acceptable? */ /* * If we are near a reset then add the next * limit, so that the user will not need to login * again. Do this only for Session-Timeout. */ if ((inst->reply_attr->attr == PW_SESSION_TIMEOUT) && inst->reset_time && ((int) res >= (inst->reset_time - request->timestamp))) { res = inst->reset_time - request->timestamp; res += check_vp->vp_integer; } /* * Limit the reply attribute to the minimum of * the existing value, or this new one. */ reply_item = pairfind(request->reply->vps, inst->reply_attr->attr, inst->reply_attr->vendor, TAG_ANY); if (reply_item) { if (reply_item->vp_integer64 > res) { reply_item->vp_integer64 = res; } } else { reply_item = radius_paircreate(request, &request->reply->vps, inst->reply_attr->attr, inst->reply_attr->vendor); reply_item->vp_integer64 = res; } RDEBUG2("Authorized user %s, check_item=%" PRIu64 ", counter=%" PRIu64 , key_vp->vp_strvalue, check_vp->vp_integer64, counter); RDEBUG2("Sent Reply-Item for user %s, Type=%s, value=%" PRIu64, key_vp->vp_strvalue, inst->reply_name, reply_item->vp_integer64); return RLM_MODULE_OK; }
/* * Do any per-module initialization that is separate to each * configured instance of the module. e.g. set up connections * to external databases, read configuration files, set up * dictionary entries, etc. * * If configuration information is given in the config section * that must be referenced in later calls, store a handle to it * in *instance otherwise put a null pointer there. */ static int mod_instantiate(CONF_SECTION *conf, void *instance) { rlm_sqlcounter_t *inst = instance; DICT_ATTR const *dattr; ATTR_FLAGS flags; time_t now; rad_assert(inst->query && *inst->query); dattr = dict_attrbyname(inst->key_name); rad_assert(dattr != NULL); if (dattr->vendor != 0) { cf_log_err_cs(conf, "Configuration item 'key' cannot be a VSA"); return -1; } inst->key_attr = dattr; dattr = dict_attrbyname(inst->reply_name); rad_assert(dattr != NULL); if (dattr->vendor != 0) { cf_log_err_cs(conf, "Configuration item 'reply_name' cannot be a VSA"); return -1; } inst->reply_attr = dattr; DEBUG2("rlm_sqlcounter: Reply attribute %s is number %d", inst->reply_name, dattr->attr); /* * Create a new attribute for the counter. */ rad_assert(inst->counter_name && *inst->counter_name); memset(&flags, 0, sizeof(flags)); dict_addattr(inst->counter_name, -1, 0, PW_TYPE_INTEGER, flags); dattr = dict_attrbyname(inst->counter_name); if (!dattr) { cf_log_err_cs(conf, "Failed to create counter attribute %s", inst->counter_name); return -1; } if (dattr->vendor != 0) { cf_log_err_cs(conf, "Counter attribute must not be a VSA"); return -1; } inst->dict_attr = dattr; /* * Create a new attribute for the check item. */ rad_assert(inst->check_name && *inst->check_name); dict_addattr(inst->check_name, 0, PW_TYPE_INTEGER, -1, flags); dattr = dict_attrbyname(inst->check_name); if (!dattr) { cf_log_err_cs(conf, "Failed to create check attribute %s", inst->check_name); return -1; } DEBUG2("rlm_sqlcounter: Check attribute %s is number %d", inst->check_name, dattr->attr); now = time(NULL); inst->reset_time = 0; if (find_next_reset(inst,now) == -1) { cf_log_err_cs(conf, "Invalid reset '%s'", inst->reset); return -1; } /* * Discover the beginning of the current time period. */ inst->last_reset = 0; if (find_prev_reset(inst, now) < 0) { cf_log_err_cs(conf, "Invalid reset '%s'", inst->reset); return -1; } /* * Register the counter comparison operation. */ paircompare_register(inst->dict_attr, NULL, true, sqlcounter_cmp, inst); return 0; }
/* * Find the named user in this modules database. Create the set * of attribute-value pairs to check and reply with for this user * from the database. The authentication code only needs to check * the password, the rest is done here. */ static rlm_rcode_t CC_HINT(nonnull) mod_authorize(UNUSED void *instance, UNUSED REQUEST *request) { rlm_counter_t *inst = instance; rlm_rcode_t rcode = RLM_MODULE_NOOP; datum key_datum; datum count_datum; rad_counter counter; VALUE_PAIR *key_vp, *check_vp; VALUE_PAIR *reply_item; char msg[128]; /* * Before doing anything else, see if we have to reset * the counters. */ if (inst->reset_time && (inst->reset_time <= request->timestamp)) { rlm_rcode_t rcode2; inst->last_reset = inst->reset_time; find_next_reset(inst,request->timestamp); pthread_mutex_lock(&inst->mutex); rcode2 = reset_db(inst); pthread_mutex_unlock(&inst->mutex); if (rcode2 != RLM_MODULE_OK) { return rcode2; } } /* * Look for the key. User-Name is special. It means * The REAL username, after stripping. */ DEBUG2("rlm_counter: Entering module authorize code"); key_vp = (inst->key_attr->attr == PW_USER_NAME) ? request->username : pair_find_by_da(request->packet->vps, inst->key_attr, TAG_ANY); if (!key_vp) { DEBUG2("rlm_counter: Could not find Key value pair"); return rcode; } /* * Look for the check item */ if ((check_vp = pair_find_by_da(request->config_items, inst->check_attr, TAG_ANY)) == NULL) { DEBUG2("rlm_counter: Could not find Check item value pair"); return rcode; } ASSIGN(key_datum.dptr, key_vp->vp_strvalue); key_datum.dsize = key_vp->length; /* * Init to be sure */ counter.user_counter = 0; DEBUG("rlm_counter: Searching the database for key '%s'",key_vp->vp_strvalue); pthread_mutex_lock(&inst->mutex); count_datum = gdbm_fetch(inst->gdbm, key_datum); pthread_mutex_unlock(&inst->mutex); if (count_datum.dptr != NULL) { DEBUG("rlm_counter: Key Found"); memcpy(&counter, count_datum.dptr, sizeof(rad_counter)); free(count_datum.dptr); } else DEBUG("rlm_counter: Could not find the requested key in the database"); /* * Check if check item > counter */ DEBUG("rlm_counter: Check item = %d, Count = %d",check_vp->vp_integer,counter.user_counter); if (check_vp->vp_integer > counter.user_counter) { unsigned int res; res = check_vp->vp_integer - counter.user_counter; DEBUG("rlm_counter: res is greater than zero"); if (inst->count_attr->attr == PW_ACCT_SESSION_TIME) { /* * Do the following only if the count attribute is * AcctSessionTime */ /* * We are assuming that simultaneous-use=1. But * even if that does not happen then our user * could login at max for 2*max-usage-time Is * that acceptable? */ /* * User is allowed, but set Session-Timeout. * Stolen from main/auth.c */ /* * If we are near a reset then add the next * limit, so that the user will not need to * login again * Before that set the return value to the time * remaining to next reset */ if (inst->reset_time && (res >= (inst->reset_time - request->timestamp))) { res = inst->reset_time - request->timestamp; res += check_vp->vp_integer; } reply_item = pairfind(request->reply->vps, PW_SESSION_TIMEOUT, 0, TAG_ANY); if (reply_item) { if (reply_item->vp_integer > res) { reply_item->vp_integer = res; } } else { reply_item = radius_paircreate(request->reply, &request->reply->vps, PW_SESSION_TIMEOUT, 0); reply_item->vp_integer = res; } } else if (inst->reply_attr) { reply_item = pair_find_by_da(request->reply->vps, inst->reply_attr, TAG_ANY); if (reply_item) { if (reply_item->vp_integer > res) { reply_item->vp_integer = res; } } else { reply_item = radius_paircreate(request->reply, &request->reply->vps, inst->reply_attr->attr, inst->reply_attr->vendor); reply_item->vp_integer = res; } } rcode = RLM_MODULE_OK; DEBUG2("rlm_counter: (Check item - counter) is greater than zero"); DEBUG2("rlm_counter: Authorized user %s, check_item=%d, counter=%d", key_vp->vp_strvalue,check_vp->vp_integer,counter.user_counter); DEBUG2("rlm_counter: Sent Reply-Item for user %s, Type=Session-Timeout, value=%d", key_vp->vp_strvalue,res); } else { /* * User is denied access, send back a reply message */ sprintf(msg, "Your maximum %s usage time has been reached", inst->reset); pairmake_reply("Reply-Message", msg, T_OP_EQ); REDEBUG("Maximum %s usage time reached", inst->reset); rcode = RLM_MODULE_REJECT; DEBUG2("rlm_counter: Rejected user %s, check_item=%d, counter=%d", key_vp->vp_strvalue,check_vp->vp_integer,counter.user_counter); } return rcode; }
/* * Write accounting information to this modules database. */ static rlm_rcode_t CC_HINT(nonnull) mod_accounting(void *instance, REQUEST *request) { rlm_counter_t *inst = instance; datum key_datum; datum count_datum; VALUE_PAIR *key_vp, *count_vp, *proto_vp, *uniqueid_vp; rad_counter counter; rlm_rcode_t rcode; int ret; int acctstatustype = 0; time_t diff; if ((key_vp = pairfind(request->packet->vps, PW_ACCT_STATUS_TYPE, 0, TAG_ANY)) != NULL) acctstatustype = key_vp->vp_integer; else { DEBUG("rlm_counter: Could not find account status type in packet"); return RLM_MODULE_NOOP; } if (acctstatustype != PW_STATUS_STOP) { DEBUG("rlm_counter: We only run on Accounting-Stop packets"); return RLM_MODULE_NOOP; } uniqueid_vp = pairfind(request->packet->vps, PW_ACCT_UNIQUE_SESSION_ID, 0, TAG_ANY); if (uniqueid_vp != NULL) DEBUG("rlm_counter: Packet Unique ID = '%s'",uniqueid_vp->vp_strvalue); /* * Before doing anything else, see if we have to reset * the counters. */ if (inst->reset_time && (inst->reset_time <= request->timestamp)) { DEBUG("rlm_counter: Time to reset the database"); inst->last_reset = inst->reset_time; find_next_reset(inst,request->timestamp); pthread_mutex_lock(&inst->mutex); rcode = reset_db(inst); pthread_mutex_unlock(&inst->mutex); if (rcode != RLM_MODULE_OK) return rcode; } /* * Check if we need to watch out for a specific service-type. If yes then check it */ if (inst->service_type != NULL) { if ((proto_vp = pairfind(request->packet->vps, PW_SERVICE_TYPE, 0, TAG_ANY)) == NULL) { DEBUG("rlm_counter: Could not find Service-Type attribute in the request. Returning NOOP"); return RLM_MODULE_NOOP; } if ((unsigned)proto_vp->vp_integer != inst->service_val) { DEBUG("rlm_counter: This Service-Type is not allowed. Returning NOOP"); return RLM_MODULE_NOOP; } } /* * Check if request->timestamp - {Acct-Delay-Time} < last_reset * If yes reject the packet since it is very old */ key_vp = pairfind(request->packet->vps, PW_ACCT_DELAY_TIME, 0, TAG_ANY); if (key_vp != NULL) { if ((key_vp->vp_integer != 0) && (request->timestamp - (time_t) key_vp->vp_integer) < inst->last_reset) { DEBUG("rlm_counter: This packet is too old. Returning NOOP"); return RLM_MODULE_NOOP; } } /* * Look for the key. User-Name is special. It means * The REAL username, after stripping. */ key_vp = (inst->key_attr->attr == PW_USER_NAME) ? request->username : pair_find_by_da(request->packet->vps, inst->key_attr, TAG_ANY); if (!key_vp) { DEBUG("rlm_counter: Could not find the key-attribute in the request. Returning NOOP"); return RLM_MODULE_NOOP; } /* * Look for the attribute to use as a counter. */ count_vp = pair_find_by_da(request->packet->vps, inst->count_attr, TAG_ANY); if (!count_vp) { DEBUG("rlm_counter: Could not find the count_attribute in the request"); return RLM_MODULE_NOOP; } ASSIGN(key_datum.dptr, key_vp->vp_strvalue); key_datum.dsize = key_vp->length; DEBUG("rlm_counter: Searching the database for key '%s'",key_vp->vp_strvalue); pthread_mutex_lock(&inst->mutex); count_datum = gdbm_fetch(inst->gdbm, key_datum); if (!count_datum.dptr) { DEBUG("rlm_counter: Could not find the requested key in the database"); counter.user_counter = 0; if (uniqueid_vp != NULL) strlcpy(counter.uniqueid,uniqueid_vp->vp_strvalue, sizeof(counter.uniqueid)); else memset((char *)counter.uniqueid,0,UNIQUEID_MAX_LEN); } else { DEBUG("rlm_counter: Key found"); memcpy(&counter, count_datum.dptr, sizeof(rad_counter)); free(count_datum.dptr); DEBUG("rlm_counter: Counter Unique ID = '%s'",counter.uniqueid); if (uniqueid_vp != NULL) { if (strncmp(uniqueid_vp->vp_strvalue,counter.uniqueid, UNIQUEID_MAX_LEN - 1) == 0) { DEBUG("rlm_counter: Unique IDs for user match. Droping the request"); pthread_mutex_unlock(&inst->mutex); return RLM_MODULE_NOOP; } strlcpy(counter.uniqueid,uniqueid_vp->vp_strvalue, sizeof(counter.uniqueid)); } DEBUG("rlm_counter: User=%s, Counter=%d.",request->username->vp_strvalue,counter.user_counter); } if (inst->count_attr->attr == PW_ACCT_SESSION_TIME) { /* * If session time < diff then the user got in after the * last reset. So add his session time, otherwise add the * diff. * * That way if he logged in at 23:00 and we reset the * daily counter at 24:00 and he logged out at 01:00 * then we will only count one hour (the one in the new * day). That is the right thing */ diff = request->timestamp - inst->last_reset; counter.user_counter += ((time_t) count_vp->vp_integer < diff) ? count_vp->vp_integer : diff; } else if (count_vp->da->type == PW_TYPE_INTEGER) { /* * Integers get counted, without worrying about * reset dates. */ counter.user_counter += count_vp->vp_integer; } else { /* * The attribute is NOT an integer, just count once * more that we've seen it. */ counter.user_counter++; } DEBUG("rlm_counter: User=%s, New Counter=%d.",request->username->vp_strvalue,counter.user_counter); count_datum.dptr = (char *) &counter; count_datum.dsize = sizeof(rad_counter); DEBUG("rlm_counter: Storing new value in database"); ret = gdbm_store(inst->gdbm, key_datum, count_datum, GDBM_REPLACE); pthread_mutex_unlock(&inst->mutex); if (ret < 0) { ERROR("rlm_counter: Failed storing data to %s: %s", inst->filename, gdbm_strerror(gdbm_errno)); return RLM_MODULE_FAIL; } DEBUG("rlm_counter: New value stored successfully"); return RLM_MODULE_OK; }
/* * Do any per-module initialization that is separate to each * configured instance of the module. e.g. set up connections * to external databases, read configuration files, set up * dictionary entries, etc. * * If configuration information is given in the config section * that must be referenced in later calls, store a handle to it * in *instance otherwise put a null pointer there. */ static int mod_instantiate(CONF_SECTION *conf, void *instance) { rlm_counter_t *inst = instance; DICT_ATTR const *da; DICT_VALUE *dval; ATTR_FLAGS flags; time_t now; int cache_size; int ret; datum key_datum; datum time_datum; char const *default1 = "DEFAULT1"; char const *default2 = "DEFAULT2"; cache_size = inst->cache_size; da = dict_attrbyname(inst->key_name); rad_assert(da != NULL); inst->key_attr = da; /* * Discover the attribute number of the counter. */ da = dict_attrbyname(inst->count_attribute); rad_assert(da != NULL); inst->count_attr = da; /* * Discover the attribute number of the reply attribute. */ if (inst->reply_name != NULL) { da = dict_attrbyname(inst->reply_name); if (!da) { cf_log_err_cs(conf, "No such attribute %s", inst->reply_name); return -1; } if (da->type != PW_TYPE_INTEGER) { cf_log_err_cs(conf, "Reply attribute' %s' is not of type integer", inst->reply_name); return -1; } inst->reply_attr = da; } else { inst->reply_attr = NULL; } /* * Create a new attribute for the counter. */ rad_assert(inst->counter_name && *inst->counter_name); memset(&flags, 0, sizeof(flags)); if (dict_addattr(inst->counter_name, -1, 0, PW_TYPE_INTEGER, flags) < 0) { ERROR("rlm_counter: Failed to create counter attribute %s: %s", inst->counter_name, fr_strerror()); return -1; } da = dict_attrbyname(inst->counter_name); if (!da) { cf_log_err_cs(conf, "Failed to find counter attribute %s", inst->counter_name); return -1; } inst->dict_attr = da; DEBUG2("rlm_counter: Counter attribute %s is number %d", inst->counter_name, inst->dict_attr->attr); /* * Create a new attribute for the check item. */ rad_assert(inst->check_name && *inst->check_name); if (dict_addattr(inst->check_name, -1, 0, PW_TYPE_INTEGER, flags) < 0) { ERROR("rlm_counter: Failed to create check attribute %s: %s", inst->counter_name, fr_strerror()); return -1; } da = dict_attrbyname(inst->check_name); if (!da) { ERROR("rlm_counter: Failed to find check attribute %s", inst->counter_name); return -1; } inst->check_attr = da; /* * Find the attribute for the allowed protocol */ if (inst->service_type != NULL) { if ((dval = dict_valbyname(PW_SERVICE_TYPE, 0, inst->service_type)) == NULL) { ERROR("rlm_counter: Failed to find attribute number for %s", inst->service_type); return -1; } inst->service_val = dval->value; } /* * Find when to reset the database. */ rad_assert(inst->reset && *inst->reset); now = time(NULL); inst->reset_time = 0; inst->last_reset = now; if (find_next_reset(inst,now) == -1) { ERROR("rlm_counter: find_next_reset() returned -1. Exiting"); return -1; } { char *filename; memcpy(&filename, &inst->filename, sizeof(filename)); inst->gdbm = gdbm_open(filename, sizeof(int), GDBM_NEWDB | GDBM_COUNTER_OPTS, 0600, NULL); } if (!inst->gdbm) { ERROR("rlm_counter: Failed to open file %s: %s", inst->filename, fr_syserror(errno)); return -1; } if (gdbm_setopt(inst->gdbm, GDBM_CACHESIZE, &cache_size, sizeof(cache_size)) == -1) { ERROR("rlm_counter: Failed to set cache size"); } /* * Look for the DEFAULT1 entry. This entry if it exists contains the * time of the next database reset. This time is set each time we reset * the database. If next_reset < now then we reset the database. * That way we can overcome the problem where radiusd is down during a database * reset time. If we did not keep state information in the database then the reset * would be extended and that would create problems. * * We also store the time of the last reset in the DEFAULT2 entry. * * If DEFAULT1 and DEFAULT2 do not exist (new database) we add them to the database */ memcpy(&key_datum.dptr, &default1, sizeof(key_datum.dptr)); key_datum.dsize = strlen(key_datum.dptr); time_datum = gdbm_fetch(inst->gdbm, key_datum); if (time_datum.dptr != NULL) { time_t next_reset = 0; memcpy(&next_reset, time_datum.dptr, sizeof(time_t)); free(time_datum.dptr); time_datum.dptr = NULL; if (next_reset && next_reset <= now) { inst->last_reset = now; ret = reset_db(inst); if (ret != RLM_MODULE_OK) { ERROR("rlm_counter: reset_db() failed"); return -1; } } else { inst->reset_time = next_reset; } memcpy(&key_datum.dptr, &default2, sizeof(key_datum.dptr)); key_datum.dsize = strlen(key_datum.dptr); time_datum = gdbm_fetch(inst->gdbm, key_datum); if (time_datum.dptr != NULL) { memcpy(&inst->last_reset, time_datum.dptr, sizeof(time_t)); free(time_datum.dptr); } } else { ret = add_defaults(inst); if (ret != RLM_MODULE_OK) { ERROR("rlm_counter: add_defaults() failed"); return -1; } } /* * Register the counter comparison operation. * FIXME: move all attributes to DA */ paircompare_register(inst->dict_attr, NULL, true, counter_cmp, inst); /* * Init the mutex */ pthread_mutex_init(&inst->mutex, NULL); return 0; }