static int sql_get_grouplist (SQL_INST *inst, SQLSOCK *sqlsocket, REQUEST *request, SQL_GROUPLIST **group_list)
{
char querystr[MAX_QUERY_LEN];
int num_groups = 0;
SQL_ROW row;
SQL_GROUPLIST *group_list_tmp;
/* NOTE: sql_set_user should have been run before calling this function */
group_list_tmp = *group_list = NULL;
if (!inst->config->groupmemb_query ||
(inst->config->groupmemb_query[0] == 0))
return 0;
if (!radius_xlat(querystr, sizeof(querystr), inst->config->groupmemb_query, request, sql_escape_func)) {
radlog_request(L_ERR, 0, request, "xlat \"%s\" failed.",
inst->config->groupmemb_query);
return -1;
}
if (rlm_sql_select_query(sqlsocket, inst, querystr) < 0) {
radlog_request(L_ERR, 0, request,
"database query error, %s: %s",
querystr,
(inst->module->sql_error)(sqlsocket,inst->config));
return -1;
}
while (rlm_sql_fetch_row(sqlsocket, inst) == 0) {
row = sqlsocket->row;
if (row == NULL)
break;
if (row[0] == NULL){
RDEBUG("row[0] returned NULL");
(inst->module->sql_finish_select_query)(sqlsocket, inst->config);
sql_grouplist_free(group_list);
return -1;
}
if (*group_list == NULL) {
*group_list = rad_malloc(sizeof(SQL_GROUPLIST));
group_list_tmp = *group_list;
} else {
rad_assert(group_list_tmp != NULL);
group_list_tmp->next = rad_malloc(sizeof(SQL_GROUPLIST));
group_list_tmp = group_list_tmp->next;
}
group_list_tmp->next = NULL;
strlcpy(group_list_tmp->groupname, row[0], MAX_STRING_LEN);
}
(inst->module->sql_finish_select_query)(sqlsocket, inst->config);
return num_groups;
}
static int sql_get_grouplist (rlm_sql_t *inst, rlm_sql_handle_t *handle, REQUEST *request, rlm_sql_grouplist_t **group_list)
{
char querystr[MAX_QUERY_LEN];
int num_groups = 0;
rlm_sql_row_t row;
rlm_sql_grouplist_t *group_list_tmp;
/* NOTE: sql_set_user should have been run before calling this function */
group_list_tmp = *group_list = NULL;
if (!inst->config->groupmemb_query ||
(inst->config->groupmemb_query[0] == 0))
return 0;
if (!radius_xlat(querystr, sizeof(querystr), inst->config->groupmemb_query, request, sql_escape_func, inst)) {
radlog_request(L_ERR, 0, request, "xlat \"%s\" failed.",
inst->config->groupmemb_query);
return -1;
}
if (rlm_sql_select_query(&handle, inst, querystr) < 0) {
return -1;
}
while (rlm_sql_fetch_row(&handle, inst) == 0) {
row = handle->row;
if (row == NULL)
break;
if (row[0] == NULL){
RDEBUG("row[0] returned NULL");
(inst->module->sql_finish_select_query)(handle, inst->config);
sql_grouplist_free(group_list);
return -1;
}
if (*group_list == NULL) {
*group_list = rad_malloc(sizeof(rlm_sql_grouplist_t));
group_list_tmp = *group_list;
} else {
rad_assert(group_list_tmp != NULL);
group_list_tmp->next = rad_malloc(sizeof(rlm_sql_grouplist_t));
group_list_tmp = group_list_tmp->next;
}
group_list_tmp->next = NULL;
strlcpy(group_list_tmp->groupname, row[0], MAX_STRING_LEN);
}
(inst->module->sql_finish_select_query)(handle, inst->config);
return num_groups;
}
static int rlm_sql_process_groups(rlm_sql_t *inst, REQUEST *request, rlm_sql_handle_t *handle, int *dofallthrough)
{
VALUE_PAIR *check_tmp = NULL;
VALUE_PAIR *reply_tmp = NULL;
rlm_sql_grouplist_t *group_list, *group_list_tmp;
VALUE_PAIR *sql_group = NULL;
char querystr[MAX_QUERY_LEN];
int found = 0;
int rows;
/*
* Get the list of groups this user is a member of
*/
if (sql_get_grouplist(inst, handle, request, &group_list) < 0) {
radlog_request(L_ERR, 0, request, "Error retrieving group list");
return -1;
}
for (group_list_tmp = group_list; group_list_tmp != NULL && *dofallthrough != 0; group_list_tmp = group_list_tmp->next) {
/*
* Add the Sql-Group attribute to the request list so we know
* which group we're retrieving attributes for
*/
sql_group = pairmake("Sql-Group", group_list_tmp->groupname, T_OP_EQ);
if (!sql_group) {
radlog_request(L_ERR, 0, request,
"Error creating Sql-Group attribute");
sql_grouplist_free(&group_list);
return -1;
}
pairadd(&request->packet->vps, sql_group);
if (!radius_xlat(querystr, sizeof(querystr), inst->config->authorize_group_check_query, request, sql_escape_func, inst)) {
radlog_request(L_ERR, 0, request,
"Error generating query; rejecting user");
/* Remove the grouup we added above */
pairdelete(&request->packet->vps, PW_SQL_GROUP, 0, TAG_ANY);
sql_grouplist_free(&group_list);
return -1;
}
rows = sql_getvpdata(inst, &handle, &check_tmp, querystr);
if (rows < 0) {
radlog_request(L_ERR, 0, request, "Error retrieving check pairs for group %s",
group_list_tmp->groupname);
/* Remove the grouup we added above */
pairdelete(&request->packet->vps, PW_SQL_GROUP, 0, TAG_ANY);
pairfree(&check_tmp);
sql_grouplist_free(&group_list);
return -1;
} else if (rows > 0) {
/*
* Only do this if *some* check pairs were returned
*/
if (paircompare(request, request->packet->vps, check_tmp, &request->reply->vps) == 0) {
found = 1;
RDEBUG2("User found in group %s",
group_list_tmp->groupname);
/*
* Now get the reply pairs since the paircompare matched
*/
if (!radius_xlat(querystr, sizeof(querystr), inst->config->authorize_group_reply_query, request, sql_escape_func, inst)) {
radlog_request(L_ERR, 0, request, "Error generating query; rejecting user");
/* Remove the grouup we added above */
pairdelete(&request->packet->vps, PW_SQL_GROUP, 0, TAG_ANY);
pairfree(&check_tmp);
sql_grouplist_free(&group_list);
return -1;
}
if (sql_getvpdata(inst, &handle, &reply_tmp, querystr) < 0) {
radlog_request(L_ERR, 0, request, "Error retrieving reply pairs for group %s",
group_list_tmp->groupname);
/* Remove the grouup we added above */
pairdelete(&request->packet->vps, PW_SQL_GROUP, 0, TAG_ANY);
pairfree(&check_tmp);
pairfree(&reply_tmp);
sql_grouplist_free(&group_list);
return -1;
}
*dofallthrough = fallthrough(reply_tmp);
radius_xlat_move(request, &request->reply->vps, &reply_tmp);
radius_xlat_move(request, &request->config_items, &check_tmp);
}
} else {
/*
* rows == 0. This is like having the username on a line
* in the user's file with no check vp's. As such, we treat
* it as found and add the reply attributes, so that we
* match expected behavior
*/
found = 1;
RDEBUG2("User found in group %s",
group_list_tmp->groupname);
/*
* Now get the reply pairs since the paircompare matched
*/
if (!radius_xlat(querystr, sizeof(querystr), inst->config->authorize_group_reply_query, request, sql_escape_func, inst)) {
radlog_request(L_ERR, 0, request, "Error generating query; rejecting user");
/* Remove the grouup we added above */
pairdelete(&request->packet->vps, PW_SQL_GROUP, 0, TAG_ANY);
pairfree(&check_tmp);
sql_grouplist_free(&group_list);
return -1;
}
if (sql_getvpdata(inst, &handle, &reply_tmp, querystr) < 0) {
radlog_request(L_ERR, 0, request, "Error retrieving reply pairs for group %s",
group_list_tmp->groupname);
/* Remove the grouup we added above */
pairdelete(&request->packet->vps, PW_SQL_GROUP, 0, TAG_ANY);
pairfree(&check_tmp);
pairfree(&reply_tmp);
sql_grouplist_free(&group_list);
return -1;
}
*dofallthrough = fallthrough(reply_tmp);
radius_xlat_move(request, &request->reply->vps, &reply_tmp);
radius_xlat_move(request, &request->config_items, &check_tmp);
}
/*
* Delete the Sql-Group we added above
* And clear out the pairlists
*/
pairdelete(&request->packet->vps, PW_SQL_GROUP, 0, TAG_ANY);
pairfree(&check_tmp);
pairfree(&reply_tmp);
}
sql_grouplist_free(&group_list);
return found;
}
static int sql_groupcmp(void *instance, REQUEST *request, VALUE_PAIR *request_vp, VALUE_PAIR *check,
VALUE_PAIR *check_pairs, VALUE_PAIR **reply_pairs)
{
rlm_sql_handle_t *handle;
rlm_sql_t *inst = instance;
rlm_sql_grouplist_t *group_list, *group_list_tmp;
check_pairs = check_pairs;
reply_pairs = reply_pairs;
request_vp = request_vp;
RDEBUG("sql_groupcmp");
if (!check || !check->length){
RDEBUG("sql_groupcmp: Illegal group name");
return 1;
}
if (!request){
RDEBUG("sql_groupcmp: NULL request");
return 1;
}
/*
* Set, escape, and check the user attr here
*/
if (sql_set_user(inst, request, NULL) < 0)
return 1;
/*
* Get a socket for this lookup
*/
handle = sql_get_socket(inst);
if (handle == NULL) {
return 1;
}
/*
* Get the list of groups this user is a member of
*/
if (sql_get_grouplist(inst, handle, request, &group_list) < 0) {
radlog_request(L_ERR, 0, request,
"Error getting group membership");
sql_release_socket(inst, handle);
return 1;
}
for (group_list_tmp = group_list; group_list_tmp != NULL; group_list_tmp = group_list_tmp->next) {
if (strcmp(group_list_tmp->groupname, check->vp_strvalue) == 0){
RDEBUG("sql_groupcmp finished: User is a member of group %s",
check->vp_strvalue);
/* Free the grouplist */
sql_grouplist_free(&group_list);
sql_release_socket(inst, handle);
return 0;
}
}
/* Free the grouplist */
sql_grouplist_free(&group_list);
sql_release_socket(inst,handle);
RDEBUG("sql_groupcmp finished: User is NOT a member of group %s",
check->vp_strvalue);
return 1;
}
static int sql_groupcmp(void *instance, REQUEST *request, VALUE_PAIR *request_vp, VALUE_PAIR *check,
VALUE_PAIR *check_pairs, VALUE_PAIR **reply_pairs)
{
SQLSOCK *sqlsocket;
SQL_INST *inst = instance;
char sqlusername[MAX_STRING_LEN];
SQL_GROUPLIST *group_list, *group_list_tmp;
check_pairs = check_pairs;
reply_pairs = reply_pairs;
request_vp = request_vp;
RDEBUG("sql_groupcmp");
if (!check || !check->vp_strvalue || !check->length){
RDEBUG("sql_groupcmp: Illegal group name");
return 1;
}
if (!request){
RDEBUG("sql_groupcmp: NULL request");
return 1;
}
/*
* Set, escape, and check the user attr here
*/
if (sql_set_user(inst, request, sqlusername, NULL) < 0)
return 1;
/*
* Get a socket for this lookup
*/
sqlsocket = sql_get_socket(inst);
if (sqlsocket == NULL) {
/* Remove the username we (maybe) added above */
pairdelete(&request->packet->vps, PW_SQL_USER_NAME, 0);
return 1;
}
/*
* Get the list of groups this user is a member of
*/
if (sql_get_grouplist(inst, sqlsocket, request, &group_list) < 0) {
radlog_request(L_ERR, 0, request,
"Error getting group membership");
/* Remove the username we (maybe) added above */
pairdelete(&request->packet->vps, PW_SQL_USER_NAME, 0);
sql_release_socket(inst, sqlsocket);
return 1;
}
for (group_list_tmp = group_list; group_list_tmp != NULL; group_list_tmp = group_list_tmp->next) {
if (strcmp(group_list_tmp->groupname, check->vp_strvalue) == 0){
RDEBUG("sql_groupcmp finished: User is a member of group %s",
check->vp_strvalue);
/* Free the grouplist */
sql_grouplist_free(&group_list);
/* Remove the username we (maybe) added above */
pairdelete(&request->packet->vps, PW_SQL_USER_NAME, 0);
sql_release_socket(inst, sqlsocket);
return 0;
}
}
/* Free the grouplist */
sql_grouplist_free(&group_list);
/* Remove the username we (maybe) added above */
pairdelete(&request->packet->vps, PW_SQL_USER_NAME, 0);
sql_release_socket(inst,sqlsocket);
RDEBUG("sql_groupcmp finished: User is NOT a member of group %s",
check->vp_strvalue);
return 1;
}