static rlm_rcode_t mod_authorize(void *instance, REQUEST * request)
{
rlm_rcode_t rcode = RLM_MODULE_NOOP;
rlm_sql_t *inst = instance;
rlm_sql_handle_t *handle;
VALUE_PAIR *check_tmp = NULL;
VALUE_PAIR *reply_tmp = NULL;
VALUE_PAIR *user_profile = NULL;
bool user_found = false;
bool dofallthrough = true;
int rows;
char *expanded = NULL;
rad_assert(request != NULL);
rad_assert(request->packet != NULL);
rad_assert(request->reply != NULL);
/*
* Set, escape, and check the user attr here
*/
if (sql_set_user(inst, request, NULL) < 0) {
return RLM_MODULE_FAIL;
}
/*
* Reserve a socket
*
* After this point use goto error or goto release to cleanup socket temporary pairlists and
* temporary attributes.
*/
handle = sql_get_socket(inst);
if (!handle) {
rcode = RLM_MODULE_FAIL;
goto error;
}
/*
* Query the check table to find any conditions associated with this user/realm/whatever...
*/
if (inst->config->authorize_check_query && (inst->config->authorize_check_query[0] != '\0')) {
if (radius_axlat(&expanded, request, inst->config->authorize_check_query,
sql_escape_func, inst) < 0) {
REDEBUG("Error generating query");
rcode = RLM_MODULE_FAIL;
goto error;
}
rows = sql_getvpdata(inst, &handle, request, &check_tmp, expanded);
TALLOC_FREE(expanded);
if (rows < 0) {
REDEBUG("SQL query error");
rcode = RLM_MODULE_FAIL;
goto error;
}
if (rows == 0) {
goto skipreply;
}
/*
* Only do this if *some* check pairs were returned
*/
RDEBUG2("User found in radcheck table");
user_found = true;
if (paircompare(request, request->packet->vps, check_tmp, &request->reply->vps) != 0) {
goto skipreply;
}
RDEBUG2("Check items matched");
radius_pairmove(request, &request->config_items, check_tmp, true);
rcode = RLM_MODULE_OK;
}
if (inst->config->authorize_reply_query && (inst->config->authorize_reply_query[0] != '\0')) {
/*
* Now get the reply pairs since the paircompare matched
*/
if (radius_axlat(&expanded, request, inst->config->authorize_reply_query,
sql_escape_func, inst) < 0) {
REDEBUG("Error generating query");
rcode = RLM_MODULE_FAIL;
goto error;
}
rows = sql_getvpdata(inst, &handle, request->reply, &reply_tmp, expanded);
TALLOC_FREE(expanded);
if (rows < 0) {
REDEBUG("SQL query error");
rcode = RLM_MODULE_FAIL;
goto error;
}
if (rows == 0) {
goto skipreply;
}
if (!inst->config->read_groups) {
dofallthrough = fallthrough(reply_tmp);
}
RDEBUG2("User found in radreply table");
user_found = true;
radius_pairmove(request, &request->reply->vps, reply_tmp, true);
rcode = RLM_MODULE_OK;
}
skipreply:
/*
* Clear out the pairlists
*/
pairfree(&check_tmp);
pairfree(&reply_tmp);
/*
* dofallthrough is set to 1 by default so that if the user information
* is not found, we will still process groups. If the user information,
* however, *is* found, Fall-Through must be set in order to process
* the groups as well.
*/
if (dofallthrough) {
rlm_rcode_t ret;
RDEBUG3("... falling-through to group processing");
ret = rlm_sql_process_groups(inst, request, handle, &dofallthrough);
switch (ret) {
/*
* Nothing bad happened, continue...
*/
case RLM_MODULE_UPDATED:
rcode = RLM_MODULE_UPDATED;
/* FALL-THROUGH */
case RLM_MODULE_OK:
if (rcode != RLM_MODULE_UPDATED) {
rcode = RLM_MODULE_OK;
}
/* FALL-THROUGH */
case RLM_MODULE_NOOP:
user_found = true;
break;
case RLM_MODULE_NOTFOUND:
break;
default:
rcode = ret;
goto release;
}
}
/*
* Repeat the above process with the default profile or User-Profile
*/
if (dofallthrough) {
rlm_rcode_t ret;
/*
* Check for a default_profile or for a User-Profile.
*/
RDEBUG3("... falling-through to profile processing");
user_profile = pairfind(request->config_items, PW_USER_PROFILE, 0, TAG_ANY);
char const *profile = user_profile ?
user_profile->vp_strvalue :
inst->config->default_profile;
if (!profile || !*profile) {
goto release;
}
RDEBUG2("Checking profile %s", profile);
if (sql_set_user(inst, request, profile) < 0) {
REDEBUG("Error setting profile");
rcode = RLM_MODULE_FAIL;
goto error;
}
ret = rlm_sql_process_groups(inst, request, handle, &dofallthrough);
switch (ret) {
/*
* Nothing bad happened, continue...
*/
case RLM_MODULE_UPDATED:
rcode = RLM_MODULE_UPDATED;
/* FALL-THROUGH */
case RLM_MODULE_OK:
if (rcode != RLM_MODULE_UPDATED) {
rcode = RLM_MODULE_OK;
}
/* FALL-THROUGH */
case RLM_MODULE_NOOP:
user_found = true;
break;
case RLM_MODULE_NOTFOUND:
break;
default:
rcode = ret;
goto release;
}
}
/*
* At this point the key (user) hasn't be found in the check table, the reply table
* or the group mapping table, and there was no matching profile.
*/
release:
if (!user_found) {
rcode = RLM_MODULE_NOTFOUND;
}
error:
sql_release_socket(inst, handle);
pairfree(&check_tmp);
pairfree(&reply_tmp);
return rcode;
}
static rlm_rcode_t rlm_sql_authorize(void *instance, REQUEST * request)
{
int ret = RLM_MODULE_NOTFOUND;
rlm_sql_t *inst = instance;
rlm_sql_handle_t *handle;
VALUE_PAIR *check_tmp = NULL;
VALUE_PAIR *reply_tmp = NULL;
VALUE_PAIR *user_profile = NULL;
int dofallthrough = 1;
int rows;
char querystr[MAX_QUERY_LEN];
/*
* Set, escape, and check the user attr here
*/
if (sql_set_user(inst, request, NULL) < 0)
return RLM_MODULE_FAIL;
/*
* Reserve a socket
*
* After this point use goto error or goto release to cleanup sockets
* temporary pairlists and temporary attributes.
*/
handle = sql_get_socket(inst);
if (handle == NULL)
goto error;
/*
* Query the check table to find any conditions associated with
* this user/realm/whatever...
*/
if (inst->config->authorize_check_query &&
*inst->config->authorize_check_query) {
if (!radius_xlat(querystr, sizeof(querystr), inst->config->authorize_check_query, request, sql_escape_func, inst)) {
radlog_request(L_ERR, 0, request, "Error generating query; rejecting user");
goto error;
}
rows = sql_getvpdata(inst, &handle, &check_tmp, querystr);
if (rows < 0) {
radlog_request(L_ERR, 0, request, "SQL query error; rejecting user");
goto error;
}
/*
* Only do this if *some* check pairs were returned
*/
if ((rows > 0) &&
(paircompare(request, request->packet->vps, check_tmp, &request->reply->vps) == 0)) {
RDEBUG2("User found in radcheck table");
radius_xlat_move(request, &request->config_items, &check_tmp);
ret = RLM_MODULE_OK;
}
/*
* We only process reply table items if check conditions
* were verified
*/
else
goto skipreply;
}
if (inst->config->authorize_reply_query &&
*inst->config->authorize_reply_query) {
/*
* Now get the reply pairs since the paircompare matched
*/
if (!radius_xlat(querystr, sizeof(querystr), inst->config->authorize_reply_query, request, sql_escape_func, inst)) {
radlog_request(L_ERR, 0, request, "Error generating query; rejecting user");
goto error;
}
rows = sql_getvpdata(inst, &handle, &reply_tmp, querystr);
if (rows < 0) {
radlog_request(L_ERR, 0, request, "SQL query error; rejecting user");
goto error;
}
if (rows > 0) {
if (!inst->config->read_groups) {
dofallthrough = fallthrough(reply_tmp);
}
RDEBUG2("User found in radreply table");
radius_xlat_move(request, &request->reply->vps, &reply_tmp);
ret = RLM_MODULE_OK;
}
}
skipreply:
/*
* Clear out the pairlists
*/
pairfree(&check_tmp);
pairfree(&reply_tmp);
/*
* dofallthrough is set to 1 by default so that if the user information
* is not found, we will still process groups. If the user information,
* however, *is* found, Fall-Through must be set in order to process
* the groups as well.
*/
if (dofallthrough) {
rows = rlm_sql_process_groups(inst, request, handle, &dofallthrough);
if (rows < 0) {
radlog_request(L_ERR, 0, request, "Error processing groups; rejecting user");
goto error;
}
if (rows > 0)
ret = RLM_MODULE_OK;
}
/*
* Repeat the above process with the default profile or User-Profile
*/
if (dofallthrough) {
/*
* Check for a default_profile or for a User-Profile.
*/
user_profile = pairfind(request->config_items, PW_USER_PROFILE, 0, TAG_ANY);
const char *profile = user_profile ?
user_profile->vp_strvalue :
inst->config->default_profile;
if (!profile || !*profile)
goto release;
RDEBUG("Checking profile %s", profile);
if (sql_set_user(inst, request, profile) < 0) {
radlog_request(L_ERR, 0, request, "Error setting profile; rejecting user");
goto error;
}
rows = rlm_sql_process_groups(inst, request, handle, &dofallthrough);
if (rows < 0) {
radlog_request(L_ERR, 0, request, "Error processing profile groups; rejecting user");
goto error;
}
if (rows > 0)
ret = RLM_MODULE_OK;
}
goto release;
error:
ret = RLM_MODULE_FAIL;
release:
sql_release_socket(inst, handle);
pairfree(&check_tmp);
pairfree(&reply_tmp);
return ret;
}
static rlm_rcode_t rlm_sql_process_groups(rlm_sql_t *inst, REQUEST *request, rlm_sql_handle_t *handle,
bool *dofallthrough)
{
rlm_rcode_t rcode = RLM_MODULE_NOOP;
VALUE_PAIR *check_tmp = NULL, *reply_tmp = NULL, *sql_group = NULL;
rlm_sql_grouplist_t *head = NULL, *entry = NULL;
char *expanded = NULL;
int rows;
rad_assert(request != NULL);
rad_assert(request->packet != NULL);
/*
* Get the list of groups this user is a member of
*/
rows = sql_get_grouplist(inst, handle, request, &head);
if (rows < 0) {
REDEBUG("Error retrieving group list");
return RLM_MODULE_FAIL;
}
if (rows == 0) {
RDEBUG2("User not found in any groups");
rcode = RLM_MODULE_NOTFOUND;
goto finish;
}
RDEBUG2("User found in the group table");
for (entry = head; entry != NULL && (*dofallthrough != 0); entry = entry->next) {
/*
* Add the Sql-Group attribute to the request list so we know
* which group we're retrieving attributes for
*/
sql_group = pairmake_packet("Sql-Group", entry->name, T_OP_EQ);
if (!sql_group) {
REDEBUG("Error creating Sql-Group attribute");
rcode = RLM_MODULE_FAIL;
goto finish;
}
if (inst->config->authorize_group_check_query && (inst->config->authorize_group_check_query != '\0')) {
/*
* Expand the group query
*/
if (radius_axlat(&expanded, request, inst->config->authorize_group_check_query,
sql_escape_func, inst) < 0) {
REDEBUG("Error generating query");
rcode = RLM_MODULE_FAIL;
goto finish;
}
rows = sql_getvpdata(inst, &handle, request, &check_tmp, expanded);
TALLOC_FREE(expanded);
if (rows < 0) {
REDEBUG("Error retrieving check pairs for group %s", entry->name);
rcode = RLM_MODULE_FAIL;
goto finish;
}
/*
* If we got check rows we need to process them before we decide to process the reply rows
*/
if ((rows > 0) &&
(paircompare(request, request->packet->vps, check_tmp, &request->reply->vps) != 0)) {
pairfree(&check_tmp);
pairdelete(&request->packet->vps, PW_SQL_GROUP, 0, TAG_ANY);
continue;
}
RDEBUG2("Group \"%s\" check items matched", entry->name);
rcode = RLM_MODULE_OK;
radius_pairmove(request, &request->config_items, check_tmp, true);
check_tmp = NULL;
}
if (inst->config->authorize_group_reply_query && (inst->config->authorize_group_reply_query != '\0')) {
/*
* Now get the reply pairs since the paircompare matched
*/
if (radius_axlat(&expanded, request, inst->config->authorize_group_reply_query,
sql_escape_func, inst) < 0) {
REDEBUG("Error generating query");
rcode = RLM_MODULE_FAIL;
goto finish;
}
rows = sql_getvpdata(inst, &handle, request->reply, &reply_tmp, expanded);
TALLOC_FREE(expanded);
if (rows < 0) {
REDEBUG("Error retrieving reply pairs for group %s", entry->name);
rcode = RLM_MODULE_FAIL;
goto finish;
}
*dofallthrough = fallthrough(reply_tmp);
RDEBUG2("Group \"%s\" reply items processed", entry->name);
rcode = RLM_MODULE_OK;
radius_pairmove(request, &request->reply->vps, reply_tmp, true);
reply_tmp = NULL;
}
pairdelete(&request->packet->vps, PW_SQL_GROUP, 0, TAG_ANY);
}
finish:
talloc_free(head);
pairdelete(&request->packet->vps, PW_SQL_GROUP, 0, TAG_ANY);
return rcode;
}
static int rlm_sql_process_groups(rlm_sql_t *inst, REQUEST *request, rlm_sql_handle_t *handle, int *dofallthrough)
{
VALUE_PAIR *check_tmp = NULL;
VALUE_PAIR *reply_tmp = NULL;
rlm_sql_grouplist_t *group_list, *group_list_tmp;
VALUE_PAIR *sql_group = NULL;
char querystr[MAX_QUERY_LEN];
int found = 0;
int rows;
/*
* Get the list of groups this user is a member of
*/
if (sql_get_grouplist(inst, handle, request, &group_list) < 0) {
radlog_request(L_ERR, 0, request, "Error retrieving group list");
return -1;
}
for (group_list_tmp = group_list; group_list_tmp != NULL && *dofallthrough != 0; group_list_tmp = group_list_tmp->next) {
/*
* Add the Sql-Group attribute to the request list so we know
* which group we're retrieving attributes for
*/
sql_group = pairmake("Sql-Group", group_list_tmp->groupname, T_OP_EQ);
if (!sql_group) {
radlog_request(L_ERR, 0, request,
"Error creating Sql-Group attribute");
sql_grouplist_free(&group_list);
return -1;
}
pairadd(&request->packet->vps, sql_group);
if (!radius_xlat(querystr, sizeof(querystr), inst->config->authorize_group_check_query, request, sql_escape_func, inst)) {
radlog_request(L_ERR, 0, request,
"Error generating query; rejecting user");
/* Remove the grouup we added above */
pairdelete(&request->packet->vps, PW_SQL_GROUP, 0, TAG_ANY);
sql_grouplist_free(&group_list);
return -1;
}
rows = sql_getvpdata(inst, &handle, &check_tmp, querystr);
if (rows < 0) {
radlog_request(L_ERR, 0, request, "Error retrieving check pairs for group %s",
group_list_tmp->groupname);
/* Remove the grouup we added above */
pairdelete(&request->packet->vps, PW_SQL_GROUP, 0, TAG_ANY);
pairfree(&check_tmp);
sql_grouplist_free(&group_list);
return -1;
} else if (rows > 0) {
/*
* Only do this if *some* check pairs were returned
*/
if (paircompare(request, request->packet->vps, check_tmp, &request->reply->vps) == 0) {
found = 1;
RDEBUG2("User found in group %s",
group_list_tmp->groupname);
/*
* Now get the reply pairs since the paircompare matched
*/
if (!radius_xlat(querystr, sizeof(querystr), inst->config->authorize_group_reply_query, request, sql_escape_func, inst)) {
radlog_request(L_ERR, 0, request, "Error generating query; rejecting user");
/* Remove the grouup we added above */
pairdelete(&request->packet->vps, PW_SQL_GROUP, 0, TAG_ANY);
pairfree(&check_tmp);
sql_grouplist_free(&group_list);
return -1;
}
if (sql_getvpdata(inst, &handle, &reply_tmp, querystr) < 0) {
radlog_request(L_ERR, 0, request, "Error retrieving reply pairs for group %s",
group_list_tmp->groupname);
/* Remove the grouup we added above */
pairdelete(&request->packet->vps, PW_SQL_GROUP, 0, TAG_ANY);
pairfree(&check_tmp);
pairfree(&reply_tmp);
sql_grouplist_free(&group_list);
return -1;
}
*dofallthrough = fallthrough(reply_tmp);
radius_xlat_move(request, &request->reply->vps, &reply_tmp);
radius_xlat_move(request, &request->config_items, &check_tmp);
}
} else {
/*
* rows == 0. This is like having the username on a line
* in the user's file with no check vp's. As such, we treat
* it as found and add the reply attributes, so that we
* match expected behavior
*/
found = 1;
RDEBUG2("User found in group %s",
group_list_tmp->groupname);
/*
* Now get the reply pairs since the paircompare matched
*/
if (!radius_xlat(querystr, sizeof(querystr), inst->config->authorize_group_reply_query, request, sql_escape_func, inst)) {
radlog_request(L_ERR, 0, request, "Error generating query; rejecting user");
/* Remove the grouup we added above */
pairdelete(&request->packet->vps, PW_SQL_GROUP, 0, TAG_ANY);
pairfree(&check_tmp);
sql_grouplist_free(&group_list);
return -1;
}
if (sql_getvpdata(inst, &handle, &reply_tmp, querystr) < 0) {
radlog_request(L_ERR, 0, request, "Error retrieving reply pairs for group %s",
group_list_tmp->groupname);
/* Remove the grouup we added above */
pairdelete(&request->packet->vps, PW_SQL_GROUP, 0, TAG_ANY);
pairfree(&check_tmp);
pairfree(&reply_tmp);
sql_grouplist_free(&group_list);
return -1;
}
*dofallthrough = fallthrough(reply_tmp);
radius_xlat_move(request, &request->reply->vps, &reply_tmp);
radius_xlat_move(request, &request->config_items, &check_tmp);
}
/*
* Delete the Sql-Group we added above
* And clear out the pairlists
*/
pairdelete(&request->packet->vps, PW_SQL_GROUP, 0, TAG_ANY);
pairfree(&check_tmp);
pairfree(&reply_tmp);
}
sql_grouplist_free(&group_list);
return found;
}
static int rlm_sql_authorize(void *instance, REQUEST * request)
{
VALUE_PAIR *check_tmp = NULL;
VALUE_PAIR *reply_tmp = NULL;
VALUE_PAIR *user_profile = NULL;
int found = 0;
SQLSOCK *sqlsocket;
SQL_INST *inst = instance;
char querystr[MAX_QUERY_LEN];
char sqlusername[MAX_STRING_LEN];
/*
* They MUST have a user name to do SQL authorization.
*/
if ((request->username == NULL) ||
(request->username->length == 0)) {
radlog(L_ERR, "rlm_sql (%s): zero length username not permitted\n", inst->config->xlat_name);
return RLM_MODULE_INVALID;
}
/*
* Set, escape, and check the user attr here.
*/
if (sql_set_user(inst, request, sqlusername, NULL) < 0)
return RLM_MODULE_FAIL;
radius_xlat(querystr, sizeof(querystr), inst->config->authorize_check_query, request, sql_escape_func);
sqlsocket = sql_get_socket(inst);
if (sqlsocket == NULL) {
/* Remove the username we (maybe) added above */
pairdelete(&request->packet->vps, PW_SQL_USER_NAME);
return RLM_MODULE_FAIL;
}
/*
* After this point, ALL 'return's MUST release the SQL socket!
*/
found = sql_getvpdata(inst, sqlsocket, &check_tmp, querystr, PW_VP_USERDATA);
/*
* Find the entry for the user.
*/
if (found > 0) {
radius_xlat(querystr, sizeof(querystr), inst->config->authorize_group_check_query, request, sql_escape_func);
sql_getvpdata(inst, sqlsocket, &check_tmp, querystr, PW_VP_GROUPDATA);
radius_xlat(querystr, sizeof(querystr), inst->config->authorize_reply_query, request, sql_escape_func);
sql_getvpdata(inst, sqlsocket, &reply_tmp, querystr, PW_VP_USERDATA);
radius_xlat(querystr, sizeof(querystr), inst->config->authorize_group_reply_query, request, sql_escape_func);
sql_getvpdata(inst, sqlsocket, &reply_tmp, querystr, PW_VP_GROUPDATA);
} else if (found < 0) {
radlog(L_ERR, "rlm_sql (%s): SQL query error; rejecting user",
inst->config->xlat_name);
sql_release_socket(inst, sqlsocket);
/* Remove the username we (maybe) added above */
pairdelete(&request->packet->vps, PW_SQL_USER_NAME);
pairfree(&check_tmp);
return RLM_MODULE_FAIL;
} else {
radlog(L_DBG, "rlm_sql (%s): User %s not found in radcheck",
inst->config->xlat_name, sqlusername);
/*
* We didn't find the user in radcheck, so we try looking
* for radgroupcheck entry
*/
radius_xlat(querystr, sizeof(querystr), inst->config->authorize_group_check_query, request, sql_escape_func);
found = sql_getvpdata(inst, sqlsocket, &check_tmp, querystr, PW_VP_GROUPDATA);
radius_xlat(querystr, sizeof(querystr), inst->config->authorize_group_reply_query, request, sql_escape_func);
sql_getvpdata(inst, sqlsocket, &reply_tmp, querystr, PW_VP_GROUPDATA);
}
if (!found)
radlog(L_DBG, "rlm_sql (%s): User %s not found in radgroupcheck",
inst->config->xlat_name, sqlusername);
if (found || (!found && inst->config->query_on_not_found)){
int def_found = 0;
/*
* Check for a default_profile or for a User-Profile.
*/
user_profile = pairfind(request->config_items, PW_USER_PROFILE);
if (inst->config->default_profile[0] != 0 || user_profile != NULL){
char *profile = inst->config->default_profile;
if (user_profile != NULL)
profile = user_profile->strvalue;
if (profile && strlen(profile)){
radlog(L_DBG, "rlm_sql (%s): Checking profile %s",
inst->config->xlat_name, profile);
if (sql_set_user(inst, request, sqlusername, profile) < 0) {
sql_release_socket(inst, sqlsocket);
pairfree(&reply_tmp);
pairfree(&check_tmp);
return RLM_MODULE_FAIL;
}
radius_xlat(querystr, sizeof(querystr), inst->config->authorize_group_check_query,
request, sql_escape_func);
def_found = sql_getvpdata(inst, sqlsocket, &check_tmp, querystr, PW_VP_GROUPDATA);
if (def_found)
found = 1;
radius_xlat(querystr, sizeof(querystr), inst->config->authorize_group_reply_query,
request, sql_escape_func);
sql_getvpdata(inst, sqlsocket, &reply_tmp, querystr, PW_VP_GROUPDATA);
}
}
}
/*
* We don't need the SQL socket anymore.
*/
sql_release_socket(inst, sqlsocket);
if (!found) {
radlog(L_DBG, "rlm_sql (%s): User not found",
inst->config->xlat_name);
/* Remove the username we (maybe) added above */
pairdelete(&request->packet->vps, PW_SQL_USER_NAME);
pairfree(&reply_tmp);
pairfree(&check_tmp);
return RLM_MODULE_NOTFOUND;
}
/*
* Uncomment these lines for debugging
* Recompile, and run 'radiusd -X'
*/
/*
DEBUG2("rlm_sql: check items");
vp_listdebug(check_tmp);
DEBUG2("rlm_sql: reply items");
vp_listdebug(reply_tmp);
*/
if (paircmp(request, request->packet->vps, check_tmp, &reply_tmp) != 0) {
radlog(L_INFO, "rlm_sql (%s): No matching entry in the database for request from user [%s]",
inst->config->xlat_name, sqlusername);
/* Remove the username we (maybe) added above */
pairdelete(&request->packet->vps, PW_SQL_USER_NAME);
pairfree(&reply_tmp);
pairfree(&check_tmp);
return RLM_MODULE_NOTFOUND;
}
pairxlatmove(request, &request->reply->vps, &reply_tmp);
pairxlatmove(request, &request->config_items, &check_tmp);
pairfree(&reply_tmp);
pairfree(&check_tmp);
/* Remove the username we (maybe) added above */
pairdelete(&request->packet->vps, PW_SQL_USER_NAME);
return RLM_MODULE_OK;
}
static rlm_rcode_t CC_HINT(nonnull) mod_authorize(void *instance, REQUEST *request)
{
rlm_rcode_t rcode = RLM_MODULE_NOOP;
rlm_sql_t *inst = instance;
rlm_sql_handle_t *handle;
VALUE_PAIR *check_tmp = NULL;
VALUE_PAIR *reply_tmp = NULL;
VALUE_PAIR *user_profile = NULL;
bool user_found = false;
sql_fall_through_t do_fall_through = FALL_THROUGH_DEFAULT;
int rows;
char *expanded = NULL;
rad_assert(request->packet != NULL);
rad_assert(request->reply != NULL);
if (!inst->config->authorize_check_query && !inst->config->authorize_reply_query &&
!inst->config->read_groups && !inst->config->read_profiles) {
RWDEBUG("No authorization checks configured, returning noop");
return RLM_MODULE_NOOP;
}
/*
* Set, escape, and check the user attr here
*/
if (sql_set_user(inst, request, NULL) < 0) {
return RLM_MODULE_FAIL;
}
/*
* Reserve a socket
*
* After this point use goto error or goto release to cleanup socket temporary pairlists and
* temporary attributes.
*/
handle = sql_get_socket(inst);
if (!handle) {
rcode = RLM_MODULE_FAIL;
goto error;
}
/*
* Query the check table to find any conditions associated with this user/realm/whatever...
*/
if (inst->config->authorize_check_query) {
vp_cursor_t cursor;
VALUE_PAIR *vp;
if (radius_axlat(&expanded, request, inst->config->authorize_check_query,
sql_escape_func, inst) < 0) {
REDEBUG("Error generating query");
rcode = RLM_MODULE_FAIL;
goto error;
}
rows = sql_getvpdata(request, inst, &handle, &check_tmp, expanded);
TALLOC_FREE(expanded);
if (rows < 0) {
REDEBUG("SQL query error");
rcode = RLM_MODULE_FAIL;
goto error;
}
if (rows == 0) goto skipreply; /* Don't need to free VPs we don't have */
/*
* Only do this if *some* check pairs were returned
*/
RDEBUG2("User found in radcheck table");
user_found = true;
if (paircompare(request, request->packet->vps, check_tmp, &request->reply->vps) != 0) {
pairfree(&check_tmp);
check_tmp = NULL;
goto skipreply;
}
RDEBUG2("Conditional check items matched, merging assignment check items");
RINDENT();
for (vp = fr_cursor_init(&cursor, &check_tmp);
vp;
vp = fr_cursor_next(&cursor)) {
if (!fr_assignment_op[vp->op]) continue;
rdebug_pair(2, request, vp);
}
REXDENT();
radius_pairmove(request, &request->config_items, check_tmp, true);
rcode = RLM_MODULE_OK;
check_tmp = NULL;
}
if (inst->config->authorize_reply_query) {
/*
* Now get the reply pairs since the paircompare matched
*/
if (radius_axlat(&expanded, request, inst->config->authorize_reply_query,
sql_escape_func, inst) < 0) {
REDEBUG("Error generating query");
rcode = RLM_MODULE_FAIL;
goto error;
}
rows = sql_getvpdata(request->reply, inst, &handle, &reply_tmp, expanded);
TALLOC_FREE(expanded);
if (rows < 0) {
REDEBUG("SQL query error");
rcode = RLM_MODULE_FAIL;
goto error;
}
if (rows == 0) goto skipreply;
do_fall_through = fall_through(reply_tmp);
RDEBUG2("User found in radreply table, merging reply items");
user_found = true;
rdebug_pair_list(L_DBG_LVL_2, request, reply_tmp);
radius_pairmove(request, &request->reply->vps, reply_tmp, true);
rcode = RLM_MODULE_OK;
reply_tmp = NULL;
}
skipreply:
if ((do_fall_through == FALL_THROUGH_YES) ||
(inst->config->read_groups && (do_fall_through == FALL_THROUGH_DEFAULT))) {
rlm_rcode_t ret;
RDEBUG3("... falling-through to group processing");
ret = rlm_sql_process_groups(inst, request, &handle, &do_fall_through);
switch (ret) {
/*
* Nothing bad happened, continue...
*/
case RLM_MODULE_UPDATED:
rcode = RLM_MODULE_UPDATED;
/* FALL-THROUGH */
case RLM_MODULE_OK:
if (rcode != RLM_MODULE_UPDATED) {
rcode = RLM_MODULE_OK;
}
/* FALL-THROUGH */
case RLM_MODULE_NOOP:
user_found = true;
break;
case RLM_MODULE_NOTFOUND:
break;
default:
rcode = ret;
goto release;
}
}
/*
* Repeat the above process with the default profile or User-Profile
*/
if ((do_fall_through == FALL_THROUGH_YES) ||
(inst->config->read_profiles && (do_fall_through == FALL_THROUGH_DEFAULT))) {
rlm_rcode_t ret;
/*
* Check for a default_profile or for a User-Profile.
*/
RDEBUG3("... falling-through to profile processing");
user_profile = pairfind(request->config_items, PW_USER_PROFILE, 0, TAG_ANY);
char const *profile = user_profile ?
user_profile->vp_strvalue :
inst->config->default_profile;
if (!profile || !*profile) {
goto release;
}
RDEBUG2("Checking profile %s", profile);
if (sql_set_user(inst, request, profile) < 0) {
REDEBUG("Error setting profile");
rcode = RLM_MODULE_FAIL;
goto error;
}
ret = rlm_sql_process_groups(inst, request, &handle, &do_fall_through);
switch (ret) {
/*
* Nothing bad happened, continue...
*/
case RLM_MODULE_UPDATED:
rcode = RLM_MODULE_UPDATED;
/* FALL-THROUGH */
case RLM_MODULE_OK:
if (rcode != RLM_MODULE_UPDATED) {
rcode = RLM_MODULE_OK;
}
/* FALL-THROUGH */
case RLM_MODULE_NOOP:
user_found = true;
break;
case RLM_MODULE_NOTFOUND:
break;
default:
rcode = ret;
goto release;
}
}
/*
* At this point the key (user) hasn't be found in the check table, the reply table
* or the group mapping table, and there was no matching profile.
*/
release:
if (!user_found) {
rcode = RLM_MODULE_NOTFOUND;
}
sql_release_socket(inst, handle);
sql_unset_user(inst, request);
return rcode;
error:
pairfree(&check_tmp);
pairfree(&reply_tmp);
sql_unset_user(inst, request);
sql_release_socket(inst, handle);
return rcode;
}
static rlm_rcode_t rlm_sql_process_groups(rlm_sql_t *inst, REQUEST *request, rlm_sql_handle_t **handle,
sql_fall_through_t *do_fall_through)
{
rlm_rcode_t rcode = RLM_MODULE_NOOP;
VALUE_PAIR *check_tmp = NULL, *reply_tmp = NULL, *sql_group = NULL;
rlm_sql_grouplist_t *head = NULL, *entry = NULL;
char *expanded = NULL;
int rows;
rad_assert(request->packet != NULL);
/*
* Get the list of groups this user is a member of
*/
rows = sql_get_grouplist(inst, handle, request, &head);
if (rows < 0) {
REDEBUG("Error retrieving group list");
return RLM_MODULE_FAIL;
}
if (rows == 0) {
RDEBUG2("User not found in any groups");
rcode = RLM_MODULE_NOTFOUND;
*do_fall_through = FALL_THROUGH_DEFAULT;
goto finish;
}
rad_assert(head);
RDEBUG2("User found in the group table");
/*
* Add the Sql-Group attribute to the request list so we know
* which group we're retrieving attributes for
*/
sql_group = pairmake_packet("Sql-Group", NULL, T_OP_EQ);
if (!sql_group) {
REDEBUG("Error creating Sql-Group attribute");
rcode = RLM_MODULE_FAIL;
goto finish;
}
entry = head;
do {
next:
rad_assert(entry != NULL);
pairstrcpy(sql_group, entry->name);
if (inst->config->authorize_group_check_query) {
vp_cursor_t cursor;
VALUE_PAIR *vp;
/*
* Expand the group query
*/
if (radius_axlat(&expanded, request, inst->config->authorize_group_check_query,
sql_escape_func, inst) < 0) {
REDEBUG("Error generating query");
rcode = RLM_MODULE_FAIL;
goto finish;
}
rows = sql_getvpdata(request, inst, request, handle, &check_tmp, expanded);
TALLOC_FREE(expanded);
if (rows < 0) {
REDEBUG("Error retrieving check pairs for group %s", entry->name);
rcode = RLM_MODULE_FAIL;
goto finish;
}
/*
* If we got check rows we need to process them before we decide to
* process the reply rows
*/
if ((rows > 0) &&
(paircompare(request, request->packet->vps, check_tmp, &request->reply->vps) != 0)) {
pairfree(&check_tmp);
entry = entry->next;
goto next; /* != continue */
}
RDEBUG2("Group \"%s\": Conditional check items matched", entry->name);
rcode = RLM_MODULE_OK;
RDEBUG2("Group \"%s\": Merging assignment check items", entry->name);
RINDENT();
for (vp = fr_cursor_init(&cursor, &check_tmp);
vp;
vp = fr_cursor_next(&cursor)) {
if (!fr_assignment_op[vp->op]) continue;
rdebug_pair(L_DBG_LVL_2, request, vp, NULL);
}
REXDENT();
radius_pairmove(request, &request->config_items, check_tmp, true);
check_tmp = NULL;
}
if (inst->config->authorize_group_reply_query) {
/*
* Now get the reply pairs since the paircompare matched
*/
if (radius_axlat(&expanded, request, inst->config->authorize_group_reply_query,
sql_escape_func, inst) < 0) {
REDEBUG("Error generating query");
rcode = RLM_MODULE_FAIL;
goto finish;
}
rows = sql_getvpdata(request->reply, inst, request, handle, &reply_tmp, expanded);
TALLOC_FREE(expanded);
if (rows < 0) {
REDEBUG("Error retrieving reply pairs for group %s", entry->name);
rcode = RLM_MODULE_FAIL;
goto finish;
}
*do_fall_through = fall_through(reply_tmp);
RDEBUG2("Group \"%s\": Merging reply items", entry->name);
rcode = RLM_MODULE_OK;
rdebug_pair_list(L_DBG_LVL_2, request, reply_tmp, NULL);
radius_pairmove(request, &request->reply->vps, reply_tmp, true);
reply_tmp = NULL;
/*
* If there's no reply query configured, then we assume
* FALL_THROUGH_NO, which is the same as the users file if you
* had no reply attributes.
*/
} else {
*do_fall_through = FALL_THROUGH_DEFAULT;
}
entry = entry->next;
} while (entry != NULL && (*do_fall_through == FALL_THROUGH_YES));
finish:
talloc_free(head);
pairdelete(&request->packet->vps, PW_SQL_GROUP, 0, TAG_ANY);
return rcode;
}
static int rlm_sql_authorize(void *instance, REQUEST * request)
{
VALUE_PAIR *check_tmp = NULL;
VALUE_PAIR *reply_tmp = NULL;
VALUE_PAIR *user_profile = NULL;
int found = 0;
int dofallthrough = 1;
int rows;
SQLSOCK *sqlsocket;
SQL_INST *inst = instance;
char querystr[MAX_QUERY_LEN];
char sqlusername[MAX_STRING_LEN];
/*
* the profile username is used as the sqlusername during
* profile checking so that we don't overwrite the orignal
* sqlusername string
*/
char profileusername[MAX_STRING_LEN];
/*
* Set, escape, and check the user attr here
*/
if (sql_set_user(inst, request, sqlusername, NULL) < 0)
return RLM_MODULE_FAIL;
/*
* reserve a socket
*/
sqlsocket = sql_get_socket(inst);
if (sqlsocket == NULL) {
/* Remove the username we (maybe) added above */
pairdelete(&request->packet->vps, PW_SQL_USER_NAME, 0);
return RLM_MODULE_FAIL;
}
/*
* After this point, ALL 'return's MUST release the SQL socket!
*/
/*
* Alright, start by getting the specific entry for the user
*/
if (!radius_xlat(querystr, sizeof(querystr), inst->config->authorize_check_query, request, sql_escape_func)) {
radlog_request(L_ERR, 0, request, "Error generating query; rejecting user");
sql_release_socket(inst, sqlsocket);
/* Remove the username we (maybe) added above */
pairdelete(&request->packet->vps, PW_SQL_USER_NAME, 0);
return RLM_MODULE_FAIL;
}
rows = sql_getvpdata(inst, sqlsocket, &check_tmp, querystr);
if (rows < 0) {
radlog_request(L_ERR, 0, request, "SQL query error; rejecting user");
sql_release_socket(inst, sqlsocket);
/* Remove the username we (maybe) added above */
pairdelete(&request->packet->vps, PW_SQL_USER_NAME, 0);
pairfree(&check_tmp);
return RLM_MODULE_FAIL;
} else if (rows > 0) {
/*
* Only do this if *some* check pairs were returned
*/
if (paircompare(request, request->packet->vps, check_tmp, &request->reply->vps) == 0) {
found = 1;
RDEBUG2("User found in radcheck table");
if (inst->config->authorize_reply_query &&
*inst->config->authorize_reply_query) {
/*
* Now get the reply pairs since the paircompare matched
*/
if (!radius_xlat(querystr, sizeof(querystr), inst->config->authorize_reply_query, request, sql_escape_func)) {
radlog_request(L_ERR, 0, request, "Error generating query; rejecting user");
sql_release_socket(inst, sqlsocket);
/* Remove the username we (maybe) added above */
pairdelete(&request->packet->vps, PW_SQL_USER_NAME, 0);
pairfree(&check_tmp);
return RLM_MODULE_FAIL;
}
if (sql_getvpdata(inst, sqlsocket, &reply_tmp, querystr) < 0) {
radlog_request(L_ERR, 0, request, "SQL query error; rejecting user");
sql_release_socket(inst, sqlsocket);
/* Remove the username we (maybe) added above */
pairdelete(&request->packet->vps, PW_SQL_USER_NAME, 0);
pairfree(&check_tmp);
pairfree(&reply_tmp);
return RLM_MODULE_FAIL;
}
if (!inst->config->read_groups)
dofallthrough = fallthrough(reply_tmp);
pairxlatmove(request, &request->reply->vps, &reply_tmp);
}
pairxlatmove(request, &request->config_items, &check_tmp);
}
}
/*
* Clear out the pairlists
*/
pairfree(&check_tmp);
pairfree(&reply_tmp);
/*
* dofallthrough is set to 1 by default so that if the user information
* is not found, we will still process groups. If the user information,
* however, *is* found, Fall-Through must be set in order to process
* the groups as well
*/
if (dofallthrough) {
rows = rlm_sql_process_groups(inst, request, sqlsocket, &dofallthrough);
if (rows < 0) {
radlog_request(L_ERR, 0, request, "Error processing groups; rejecting user");
sql_release_socket(inst, sqlsocket);
/* Remove the username we (maybe) added above */
pairdelete(&request->packet->vps, PW_SQL_USER_NAME, 0);
return RLM_MODULE_FAIL;
} else if (rows > 0) {
found = 1;
}
}
/*
* repeat the above process with the default profile or User-Profile
*/
if (dofallthrough) {
int profile_found = 0;
/*
* Check for a default_profile or for a User-Profile.
*/
user_profile = pairfind(request->config_items, PW_USER_PROFILE, 0);
if (inst->config->default_profile[0] != 0 || user_profile != NULL){
char *profile = inst->config->default_profile;
if (user_profile != NULL)
profile = user_profile->vp_strvalue;
if (profile && strlen(profile)){
RDEBUG("Checking profile %s", profile);
if (sql_set_user(inst, request, profileusername, profile) < 0) {
radlog_request(L_ERR, 0, request, "Error setting profile; rejecting user");
sql_release_socket(inst, sqlsocket);
/* Remove the username we (maybe) added above */
pairdelete(&request->packet->vps, PW_SQL_USER_NAME, 0);
return RLM_MODULE_FAIL;
} else {
profile_found = 1;
}
}
}
if (profile_found) {
rows = rlm_sql_process_groups(inst, request, sqlsocket, &dofallthrough);
if (rows < 0) {
radlog_request(L_ERR, 0, request, "Error processing profile groups; rejecting user");
sql_release_socket(inst, sqlsocket);
/* Remove the username we (maybe) added above */
pairdelete(&request->packet->vps, PW_SQL_USER_NAME, 0);
return RLM_MODULE_FAIL;
} else if (rows > 0) {
found = 1;
}
}
}
/* Remove the username we (maybe) added above */
pairdelete(&request->packet->vps, PW_SQL_USER_NAME, 0);
sql_release_socket(inst, sqlsocket);
if (!found) {
RDEBUG("User %s not found", sqlusername);
return RLM_MODULE_NOTFOUND;
} else {
return RLM_MODULE_OK;
}
}