/** Recursive function for jpath_expr_evaluate * * @param[in,out] ctx to allocate fr_value_box_t in. * @param[out] tail Where to write fr_value_box_t (**). * @param[in] dst_type FreeRADIUS type to convert to. * @param[in] dst_enumv Enumeration values to allow string to integer conversions. * @param[in] object current node in the json tree. * @param[in] jpath to evaluate. * @return * - 1 on match. * - 0 on no match. * - -1 on error. */ static int jpath_evaluate(TALLOC_CTX *ctx, fr_value_box_t ***tail, fr_type_t dst_type, fr_dict_attr_t const *dst_enumv, json_object *object, fr_jpath_node_t const *jpath) { fr_value_box_t *value; fr_jpath_node_t const *node; jpath_selector_t const *selector; bool child_matched = false; int ret = 0; /* * Iterate over the nodes, we only recurse for * more complex operations. */ for (node = jpath; node; node = node->next) switch (node->selector->type) { case JPATH_SELECTOR_FIELD: if (!fr_json_object_is_type(object, json_type_object)) return 0; if (!json_object_object_get_ex(object, node->selector->field, &object)) return 0; continue; case JPATH_SELECTOR_INDEX: case JPATH_SELECTOR_SLICE: /* * There may be multiple selectors per node */ for (selector = node->selector; selector; selector = selector->next) switch (selector->type) { case JPATH_SELECTOR_INDEX: { struct array_list *array_obj; /* Because array_list is a global... */ rad_assert(selector->slice[0] != SELECTOR_INDEX_UNSET); if (!fr_json_object_is_type(object, json_type_array)) return 0; array_obj = json_object_get_array(object); if ((selector->slice[0] < 0) || (selector->slice[0] >= (int32_t)(array_obj->length & INT32_MAX))) continue; ret = jpath_evaluate(ctx, tail, dst_type, dst_enumv, array_obj->array[selector->slice[0]], node->next); if (ret < 0) return ret; if (ret == 1) child_matched = true; } break; case JPATH_SELECTOR_SLICE: { struct array_list *array_obj; int32_t start, end, step, i; if (!fr_json_object_is_type(object, json_type_array)) return 0; array_obj = json_object_get_array(object); /* * This logic may seem slightly odd, but it perfectly * emulates python array slicing behaviour AFAICT */ step = selector->slice[2]; if (step == SELECTOR_INDEX_UNSET) step = 1; start = selector->slice[0]; if (start == SELECTOR_INDEX_UNSET) start = (step < 0) ? (int32_t)((array_obj->length - 1) & INT32_MAX) : 0; else if (start < 0) start = array_obj->length + start; end = selector->slice[1]; if (end == SELECTOR_INDEX_UNSET) end = (step < 0) ? -1 : (int32_t)((array_obj->length - 1) & INT32_MAX); else if (end < 0) end = array_obj->length + end; /* * Descending */ if (step < 0) for (i = start; (i > end) && (i >= 0); i += step) { rad_assert((i >= 0) && (i < (int32_t)(array_obj->length & INT32_MAX))); ret = jpath_evaluate(ctx, tail, dst_type, dst_enumv, array_obj->array[i], node->next); if (ret < 0) return ret; if (ret == 1) child_matched = true; /* * Ascending */ } else for (i = start; (i < end) && (i < (int32_t)(array_obj->length & INT32_MAX)); i += step) { rad_assert((i >= 0) && (i < (int32_t)(array_obj->length & INT32_MAX))); ret = jpath_evaluate(ctx, tail, dst_type, dst_enumv, array_obj->array[i], node->next); if (ret < 0) return ret; if (ret == 1) child_matched = true; } } break; default: rad_assert(0); return -1; } return child_matched ? 1 : 0; /* * Iterate over fields or array indices */ case JPATH_SELECTOR_WILDCARD: { int i; if (fr_json_object_is_type(object, json_type_array)) { struct array_list *array_obj; array_obj = json_object_get_array(object); for (i = 0; i < (int32_t)(array_obj->length & INT32_MAX); i++) { ret = jpath_evaluate(ctx, tail, dst_type, dst_enumv, array_obj->array[i], node->next); if (ret < 0) return ret; if (ret == 1) child_matched = true; } return child_matched ? 1 : 0; } else if (fr_json_object_is_type(object, json_type_object)) { json_object_object_foreach(object, field_name, field_value) { #ifndef NDEBUG rad_assert(field_name); #else UNUSED_VAR(field_name); #endif ret = jpath_evaluate(ctx, tail, dst_type, dst_enumv, field_value, node->next); if (ret < 0) return ret; if (ret == 1) child_matched = true; } return child_matched ? 1 : 0; } else return 0; }
/** Build value pairs from the passed JSON object and add to the request * * Parse the passed JSON object and create value pairs that will be injected into * the given request for authorization. * * Example JSON document structure: * @code{.json} * { * "docType": "raduser", * "userName": "******", * "config": { * "SHA-Password": { * "value": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", * "op": ":=" * } * }, * "reply": { * "Reply-Message": { * "value": "Hidey Ho!", * "op": "=" * } * } * } * @endcode * * @param json The JSON object representation of the user documnent. * @param section The pair section ("config" or "reply"). * @param request The request to which the generated pairs should be added. */ void *mod_json_object_to_value_pairs(json_object *json, const char *section, REQUEST *request) { json_object *jobj, *jval, *jop; /* json object pointers */ TALLOC_CTX *ctx; /* talloc context for fr_pair_make */ VALUE_PAIR *vp, **ptr; /* value pair and value pair pointer for fr_pair_make */ /* assign ctx and vps for fr_pair_make based on section */ if (strcmp(section, "config") == 0) { ctx = request; ptr = &(request->config); } else if (strcmp(section, "reply") == 0) { ctx = request->reply; ptr = &(request->reply->vps); } else { /* log error - this shouldn't happen */ RERROR("invalid section passed for fr_pair_make"); /* return */ return NULL; } /* get config payload */ if (json_object_object_get_ex(json, section, &jobj)) { /* make sure we have the correct type */ if (!fr_json_object_is_type(jobj, json_type_object)) { /* log error */ RERROR("invalid json type for '%s' section - sections must be json objects", section); /* reuturn */ return NULL; } /* loop through object */ json_object_object_foreach(jobj, attribute, json_vp) { /* check for appropriate type in value and op */ if (!fr_json_object_is_type(json_vp, json_type_object)) { /* log error */ RERROR("invalid json type for '%s' attribute - attributes must be json objects", attribute); /* return */ return NULL; } /* debugging */ RDEBUG("parsing '%s' attribute: %s => %s", section, attribute, json_object_to_json_string(json_vp)); /* create pair from json object */ if (json_object_object_get_ex(json_vp, "value", &jval) && json_object_object_get_ex(json_vp, "op", &jop)) { /* make correct pairs based on json object type */ switch (fr_json_object_get_type(jval)) { case json_type_double: case json_type_int: case json_type_string: /* debugging */ RDEBUG("adding '%s' attribute to '%s' section", attribute, section); /* add pair */ vp = fr_pair_make(ctx, ptr, attribute, json_object_get_string(jval), fr_str2int(fr_tokens, json_object_get_string(jop), 0)); /* check pair */ if (!vp) { RERROR("could not build value pair for '%s' attribute (%s)", attribute, fr_strerror()); /* return */ return NULL; } break; case json_type_object: case json_type_array: /* log error - we want to handle these eventually */ RERROR("skipping unhandled nested json object or array value pair object"); break; default: /* log error - this shouldn't ever happen */ RERROR("skipping unhandled json type in value pair object"); break; } } else { /* log error */ RERROR("failed to get 'value' or 'op' element for '%s' attribute", attribute); } } /* return NULL */ return NULL; } /* debugging */ RDEBUG("couldn't find '%s' section in json object - not adding value pairs for this section", section); /* return NULL */ return NULL; }
/** Load client entries from Couchbase client documents on startup * * This function executes the view defined in the module configuration and loops * through all returned rows. The view is called with "stale=false" to ensure the * most accurate data available when the view is called. This will force an index * rebuild on this design document in Couchbase. However, since this function is only * run once at sever startup this should not be a concern. * * @param inst The module instance. * @param tmpl Default values for new clients. * @param map The client attribute configuration section. * @return * - 0 on success. * - -1 on failure. */ int mod_load_client_documents(rlm_couchbase_t *inst, CONF_SECTION *tmpl, CONF_SECTION *map) { rlm_couchbase_handle_t *handle = NULL; /* connection pool handle */ char vpath[256], vid[MAX_KEY_SIZE], vkey[MAX_KEY_SIZE]; /* view path and fields */ char error[512]; /* view error return */ int idx = 0; /* row array index counter */ int retval = 0; /* return value */ lcb_error_t cb_error = LCB_SUCCESS; /* couchbase error holder */ json_object *json, *jval; /* json object holders */ json_object *jrows = NULL; /* json object to hold view rows */ CONF_SECTION *client; /* freeradius config section */ RADCLIENT *c; /* freeradius client */ /* get handle */ handle = fr_connection_get(inst->pool); /* check handle */ if (!handle) return -1; /* set couchbase instance */ lcb_t cb_inst = handle->handle; /* set cookie */ cookie_t *cookie = handle->cookie; /* build view path */ snprintf(vpath, sizeof(vpath), "%s?stale=false", inst->client_view); /* query view for document */ cb_error = couchbase_query_view(cb_inst, cookie, vpath, NULL); /* check error and object */ if (cb_error != LCB_SUCCESS || cookie->jerr != json_tokener_success || !cookie->jobj) { /* log error */ ERROR("rlm_couchbase: failed to execute view request or parse return"); /* set return */ retval = -1; /* return */ goto free_and_return; } /* debugging */ DEBUG3("rlm_couchbase: cookie->jobj == %s", json_object_to_json_string(cookie->jobj)); /* check for error in json object */ if (json_object_object_get_ex(cookie->jobj, "error", &json)) { /* build initial error buffer */ strlcpy(error, json_object_get_string(json), sizeof(error)); /* get error reason */ if (json_object_object_get_ex(cookie->jobj, "reason", &json)) { /* append divider */ strlcat(error, " - ", sizeof(error)); /* append reason */ strlcat(error, json_object_get_string(json), sizeof(error)); } /* log error */ ERROR("rlm_couchbase: view request failed with error: %s", error); /* set return */ retval = -1; /* return */ goto free_and_return; } /* check for document id in return */ if (!json_object_object_get_ex(cookie->jobj, "rows", &json)) { /* log error */ ERROR("rlm_couchbase: failed to fetch rows from view payload"); /* set return */ retval = -1; /* return */ goto free_and_return; } /* get and hold rows */ jrows = json_object_get(json); /* free cookie object */ if (cookie->jobj) { json_object_put(cookie->jobj); cookie->jobj = NULL; } /* debugging */ DEBUG3("rlm_couchbase: jrows == %s", json_object_to_json_string(jrows)); /* check for valid row value */ if (!fr_json_object_is_type(jrows, json_type_array) || json_object_array_length(jrows) < 1) { /* log error */ ERROR("rlm_couchbase: no valid rows returned from view: %s", vpath); /* set return */ retval = -1; /* return */ goto free_and_return; } /* loop across all row elements */ for (idx = 0; idx < json_object_array_length(jrows); idx++) { /* fetch current index */ json = json_object_array_get_idx(jrows, idx); /* get view id */ if (json_object_object_get_ex(json, "id", &jval)) { /* clear view id */ memset(vid, 0, sizeof(vid)); /* copy and check length */ if (strlcpy(vid, json_object_get_string(jval), sizeof(vid)) >= sizeof(vid)) { ERROR("rlm_couchbase: id from row longer than MAX_KEY_SIZE (%d)", MAX_KEY_SIZE); continue; } } else { WARN("rlm_couchbase: failed to fetch id from row - skipping"); continue; } /* get view key */ if (json_object_object_get_ex(json, "key", &jval)) { /* clear view key */ memset(vkey, 0, sizeof(vkey)); /* copy and check length */ if (strlcpy(vkey, json_object_get_string(jval), sizeof(vkey)) >= sizeof(vkey)) { ERROR("rlm_couchbase: key from row longer than MAX_KEY_SIZE (%d)", MAX_KEY_SIZE); continue; } } else { WARN("rlm_couchbase: failed to fetch key from row - skipping"); continue; } /* fetch document */ cb_error = couchbase_get_key(cb_inst, cookie, vid); /* check error and object */ if (cb_error != LCB_SUCCESS || cookie->jerr != json_tokener_success || !cookie->jobj) { /* log error */ ERROR("rlm_couchbase: failed to execute get request or parse return"); /* set return */ retval = -1; /* return */ goto free_and_return; } /* debugging */ DEBUG3("rlm_couchbase: cookie->jobj == %s", json_object_to_json_string(cookie->jobj)); /* allocate conf section */ client = tmpl ? cf_section_dup(NULL, tmpl, "client", vkey, true) : cf_section_alloc(NULL, "client", vkey); if (client_map_section(client, map, _get_client_value, cookie->jobj) < 0) { /* free config setion */ talloc_free(client); /* set return */ retval = -1; /* return */ goto free_and_return; } /* * @todo These should be parented from something. */ c = client_afrom_cs(NULL, client, false, false); if (!c) { ERROR("rlm_couchbase: failed to allocate client"); /* free config setion */ talloc_free(client); /* set return */ retval = -1; /* return */ goto free_and_return; } /* * Client parents the CONF_SECTION which defined it. */ talloc_steal(c, client); /* attempt to add client */ if (!client_add(NULL, c)) { ERROR("rlm_couchbase: failed to add client '%s' from '%s', possible duplicate?", vkey, vid); /* free client */ client_free(c); /* set return */ retval = -1; /* return */ goto free_and_return; } /* debugging */ DEBUG("rlm_couchbase: client '%s' added", c->longname); /* free json object */ if (cookie->jobj) { json_object_put(cookie->jobj); cookie->jobj = NULL; } } free_and_return: /* free rows */ if (jrows) { json_object_put(jrows); } /* free json object */ if (cookie->jobj) { json_object_put(cookie->jobj); cookie->jobj = NULL; } /* release handle */ if (handle) { fr_connection_release(inst->pool, handle); } /* return */ return retval; }
/** Check if a given user is already logged in. * * Process accounting data to determine if a user is already logged in. Sets request->simul_count * to the current session count for this user. * * Check twice. If on the first pass the user exceeds his maximum number of logins, do a second * pass and validate all logins by querying the terminal server. * * @param instance The module instance. * @param request The checksimul request object. * @return Operation status (#rlm_rcode_t). */ static rlm_rcode_t mod_checksimul(void *instance, REQUEST *request) { rlm_couchbase_t *inst = instance; /* our module instance */ rlm_rcode_t rcode = RLM_MODULE_OK; /* return code */ rlm_couchbase_handle_t *handle = NULL; /* connection pool handle */ char vpath[256]; char buffer[MAX_KEY_SIZE]; char const *vkey; /* view path and query key */ char docid[MAX_KEY_SIZE]; /* document id returned from view */ char error[512]; /* view error return */ int idx = 0; /* row array index counter */ char element[MAX_KEY_SIZE]; /* mapped radius attribute to element name */ lcb_error_t cb_error = LCB_SUCCESS; /* couchbase error holder */ json_object *json, *jval; /* json object holders */ json_object *jrows = NULL; /* json object to hold view rows */ VALUE_PAIR *vp; /* value pair */ uint32_t client_ip_addr = 0; /* current client ip address */ char const *client_cs_id = NULL; /* current client calling station id */ char *user_name = NULL; /* user name from accounting document */ char *session_id = NULL; /* session id from accounting document */ char *cs_id = NULL; /* calling station id from accounting document */ uint32_t nas_addr = 0; /* nas address from accounting document */ uint32_t nas_port = 0; /* nas port from accounting document */ uint32_t framed_ip_addr = 0; /* framed ip address from accounting document */ char framed_proto = 0; /* framed proto from accounting document */ int session_time = 0; /* session time from accounting document */ ssize_t slen; /* do nothing if this is not enabled */ if (inst->check_simul != true) { RDEBUG3("mod_checksimul returning noop - not enabled"); return RLM_MODULE_NOOP; } /* ensure valid username in request */ if ((!request->username) || (request->username->vp_length == '\0')) { RDEBUG3("mod_checksimul - invalid username"); return RLM_MODULE_INVALID; } slen = tmpl_expand(&vkey, buffer, sizeof(buffer), request, inst->simul_vkey, NULL, NULL); if (slen < 0) return RLM_MODULE_FAIL; if ((vkey == buffer) && is_truncated((size_t)slen, sizeof(buffer))) { REDEBUG("Key too long, expected < " STRINGIFY(sizeof(buffer)) " bytes, got %zi bytes", slen); return RLM_MODULE_FAIL; } /* get handle */ handle = fr_connection_get(inst->pool); /* check handle */ if (!handle) return RLM_MODULE_FAIL; /* set couchbase instance */ lcb_t cb_inst = handle->handle; /* set cookie */ cookie_t *cookie = handle->cookie; /* build view path */ snprintf(vpath, sizeof(vpath), "%s?key=\"%s\"&stale=update_after", inst->simul_view, vkey); /* query view for document */ cb_error = couchbase_query_view(cb_inst, cookie, vpath, NULL); /* check error and object */ if (cb_error != LCB_SUCCESS || cookie->jerr != json_tokener_success || !cookie->jobj) { /* log error */ RERROR("failed to execute view request or parse return"); /* set return */ rcode = RLM_MODULE_FAIL; /* return */ goto finish; } /* debugging */ RDEBUG3("cookie->jobj == %s", json_object_to_json_string(cookie->jobj)); /* check for error in json object */ if (json_object_object_get_ex(cookie->jobj, "error", &json)) { /* build initial error buffer */ strlcpy(error, json_object_get_string(json), sizeof(error)); /* get error reason */ if (json_object_object_get_ex(cookie->jobj, "reason", &json)) { /* append divider */ strlcat(error, " - ", sizeof(error)); /* append reason */ strlcat(error, json_object_get_string(json), sizeof(error)); } /* log error */ RERROR("view request failed with error: %s", error); /* set return */ rcode = RLM_MODULE_FAIL; /* return */ goto finish; } /* check for document id in return */ if (!json_object_object_get_ex(cookie->jobj, "rows", &json)) { /* log error */ RERROR("failed to fetch rows from view payload"); /* set return */ rcode = RLM_MODULE_FAIL; /* return */ goto finish; } /* get and hold rows */ jrows = json_object_get(json); /* free cookie object */ if (cookie->jobj) { json_object_put(cookie->jobj); cookie->jobj = NULL; } /* check for valid row value */ if (!jrows || !fr_json_object_is_type(jrows, json_type_array)) { /* log error */ RERROR("no valid rows returned from view: %s", vpath); /* set return */ rcode = RLM_MODULE_FAIL; /* return */ goto finish; } /* debugging */ RDEBUG3("jrows == %s", json_object_to_json_string(jrows)); /* set the count */ request->simul_count = json_object_array_length(jrows); /* debugging */ RDEBUG("found %d open sessions for %s", request->simul_count, request->username->vp_strvalue); /* check count */ if (request->simul_count < request->simul_max) { rcode = RLM_MODULE_OK; goto finish; } /* * Current session count exceeds configured maximum. * Continue on to verify the sessions if configured otherwise stop here. */ if (inst->verify_simul != true) { rcode = RLM_MODULE_OK; goto finish; } /* debugging */ RDEBUG("verifying session count"); /* reset the count */ request->simul_count = 0; /* get client ip address for MPP detection below */ if ((vp = fr_pair_find_by_num(request->packet->vps, PW_FRAMED_IP_ADDRESS, 0, TAG_ANY)) != NULL) { client_ip_addr = vp->vp_ipaddr; } /* get calling station id for MPP detection below */ if ((vp = fr_pair_find_by_num(request->packet->vps, PW_CALLING_STATION_ID, 0, TAG_ANY)) != NULL) { client_cs_id = vp->vp_strvalue; } /* loop across all row elements */ for (idx = 0; idx < json_object_array_length(jrows); idx++) { /* clear docid */ memset(docid, 0, sizeof(docid)); /* fetch current index */ json = json_object_array_get_idx(jrows, idx); /* get document id */ if (json_object_object_get_ex(json, "id", &jval)) { /* copy and check length */ if (strlcpy(docid, json_object_get_string(jval), sizeof(docid)) >= sizeof(docid)) { RERROR("document id from row longer than MAX_KEY_SIZE (%d)", MAX_KEY_SIZE); continue; } } /* check for valid doc id */ if (docid[0] == 0) { RWARN("failed to fetch document id from row - skipping"); continue; } /* fetch document */ cb_error = couchbase_get_key(cb_inst, cookie, docid); /* check error and object */ if (cb_error != LCB_SUCCESS || cookie->jerr != json_tokener_success || !cookie->jobj) { /* log error */ RERROR("failed to execute get request or parse return"); /* set return */ rcode = RLM_MODULE_FAIL; /* return */ goto finish; } /* debugging */ RDEBUG3("cookie->jobj == %s", json_object_to_json_string(cookie->jobj)); /* get element name for User-Name attribute */ if (mod_attribute_to_element("User-Name", inst->map, &element) == 0) { /* get and check username element */ if (!json_object_object_get_ex(cookie->jobj, element, &jval)){ RDEBUG("cannot zap stale entry without username"); rcode = RLM_MODULE_FAIL; goto finish; } /* copy json string value to user_name */ user_name = talloc_typed_strdup(request, json_object_get_string(jval)); } else { RDEBUG("failed to find map entry for User-Name attribute"); rcode = RLM_MODULE_FAIL; goto finish; } /* get element name for Acct-Session-Id attribute */ if (mod_attribute_to_element("Acct-Session-Id", inst->map, &element) == 0) { /* get and check session id element */ if (!json_object_object_get_ex(cookie->jobj, element, &jval)){ RDEBUG("cannot zap stale entry without session id"); rcode = RLM_MODULE_FAIL; goto finish; } /* copy json string value to session_id */ session_id = talloc_typed_strdup(request, json_object_get_string(jval)); } else { RDEBUG("failed to find map entry for Acct-Session-Id attribute"); rcode = RLM_MODULE_FAIL; goto finish; } /* get element name for NAS-IP-Address attribute */ if (mod_attribute_to_element("NAS-IP-Address", inst->map, &element) == 0) { /* attempt to get and nas address element */ if (json_object_object_get_ex(cookie->jobj, element, &jval)){ nas_addr = inet_addr(json_object_get_string(jval)); } } /* get element name for NAS-Port attribute */ if (mod_attribute_to_element("NAS-Port", inst->map, &element) == 0) { /* attempt to get nas port element */ if (json_object_object_get_ex(cookie->jobj, element, &jval)) { nas_port = (uint32_t) json_object_get_int(jval); } } /* check terminal server */ int check = rad_check_ts(nas_addr, nas_port, user_name, session_id); /* take action based on check return */ if (check == 0) { /* stale record - zap it if enabled */ if (inst->delete_stale_sessions) { /* get element name for Framed-IP-Address attribute */ if (mod_attribute_to_element("Framed-IP-Address", inst->map, &element) == 0) { /* attempt to get framed ip address element */ if (json_object_object_get_ex(cookie->jobj, element, &jval)) { framed_ip_addr = inet_addr(json_object_get_string(jval)); } } /* get element name for Framed-Port attribute */ if (mod_attribute_to_element("Framed-Port", inst->map, &element) == 0) { /* attempt to get framed port element */ if (json_object_object_get_ex(cookie->jobj, element, &jval)) { if (strcmp(json_object_get_string(jval), "PPP") == 0) { framed_proto = 'P'; } else if (strcmp(json_object_get_string(jval), "SLIP") == 0) { framed_proto = 'S'; } } } /* get element name for Acct-Session-Time attribute */ if (mod_attribute_to_element("Acct-Session-Time", inst->map, &element) == 0) { /* attempt to get session time element */ if (json_object_object_get_ex(cookie->jobj, element, &jval)) { session_time = json_object_get_int(jval); } } /* zap session */ session_zap(request, nas_addr, nas_port, user_name, session_id, framed_ip_addr, framed_proto, session_time); } } else if (check == 1) { /* user is still logged in - increase count */ ++request->simul_count; /* get element name for Framed-IP-Address attribute */ if (mod_attribute_to_element("Framed-IP-Address", inst->map, &element) == 0) { /* attempt to get framed ip address element */ if (json_object_object_get_ex(cookie->jobj, element, &jval)) { framed_ip_addr = inet_addr(json_object_get_string(jval)); } else { /* ensure 0 if not found */ framed_ip_addr = 0; } } /* get element name for Calling-Station-Id attribute */ if (mod_attribute_to_element("Calling-Station-Id", inst->map, &element) == 0) { /* attempt to get framed ip address element */ if (json_object_object_get_ex(cookie->jobj, element, &jval)) { /* copy json string value to cs_id */ cs_id = talloc_typed_strdup(request, json_object_get_string(jval)); } else { /* ensure null if not found */ cs_id = NULL; } } /* Does it look like a MPP attempt? */ if (client_ip_addr && framed_ip_addr && framed_ip_addr == client_ip_addr) { request->simul_mpp = 2; } else if (client_cs_id && cs_id && !strncmp(cs_id, client_cs_id, 16)) { request->simul_mpp = 2; } } else { /* check failed - return error */ REDEBUG("failed to check the terminal server for user '%s'", user_name); rcode = RLM_MODULE_FAIL; goto finish; } /* free and reset document user name talloc */ if (user_name) TALLOC_FREE(user_name); /* free and reset document calling station id talloc */ if (cs_id) TALLOC_FREE(cs_id); /* free and reset document session id talloc */ if (session_id) TALLOC_FREE(session_id); /* free and reset json object before fetching next row */ if (cookie->jobj) { json_object_put(cookie->jobj); cookie->jobj = NULL; } } /* debugging */ RDEBUG("Retained %d open sessions for %s after verification", request->simul_count, request->username->vp_strvalue); finish: if (user_name) talloc_free(user_name); if (cs_id) talloc_free(cs_id); if (session_id) talloc_free(session_id); /* free rows */ if (jrows) json_object_put(jrows); /* free and reset json object */ if (cookie->jobj) { json_object_put(cookie->jobj); cookie->jobj = NULL; } if (handle) fr_connection_release(inst->pool, handle); /* * The Auth module apparently looks at request->simul_count, * not the return value of this module when deciding to deny * a call for too many sessions. */ return rcode; }