/* * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* * Author : Maxim Mamontov */ /* * FreeRADIUS module for data access via Stargazer * * $Revision: 1.8 $ * $Date: 2010/08/14 04:15:08 $ * */ #include #include #include #include extern "C" { #include "radius.h" #include "modules.h" } #include "stg_client.h" #include "stg/common.h" STG_CLIENT * cli; volatile time_t stgTime; /* * Define a structure for our module configuration. * * These variables do not need to be in a structure, but it's * a lot cleaner to do so, and a pointer to the structure can * be used as the instance handle. */ typedef struct rlm_stg_t { char * server; char * password; uint32_t port; uint32_t localPort; } rlm_stg_t; /* * A mapping of configuration file names to internal variables. * * Note that the string is dynamically allocated, so it MUST * be freed. When the configuration file parse re-reads the string, * it free's the old one, and strdup's the new one, placing the pointer * to the strdup'd string into 'config.string'. This gets around * buffer over-flows. */ static CONF_PARSER module_config[] = { { "password", PW_TYPE_STRING_PTR, offsetof(rlm_stg_t,password), NULL, NULL}, { "server", PW_TYPE_STRING_PTR, offsetof(rlm_stg_t,server), NULL, NULL}, { "port", PW_TYPE_INTEGER, offsetof(rlm_stg_t,port), NULL, "5555" }, { "local_port", PW_TYPE_INTEGER, offsetof(rlm_stg_t,localPort), NULL, "0" }, { NULL, -1, 0, NULL, NULL } /* end the list */ }; /* * Do any per-module initialization that is separate to each * configured instance of the module. e.g. set up connections * to external databases, read configuration files, set up * dictionary entries, etc. * * If configuration information is given in the config section * that must be referenced in later calls, store a handle to it * in *instance otherwise put a null pointer there. */ static int stg_instantiate(CONF_SECTION *conf, void **instance) { rlm_stg_t *data; /* * Set up a storage area for instance data */ DEBUG("rlm_stg: stg_instantiate()"); data = (rlm_stg_t *)rad_malloc(sizeof(rlm_stg_t)); if (!data) { return -1; } memset(data, 0, sizeof(rlm_stg_t)); /* * If the configuration parameters can't be parsed, then * fail. */ if (cf_section_parse(conf, data, module_config) < 0) { free(data); return -1; } try { cli = new STG_CLIENT(data->server, data->port, data->localPort, data->password); } catch (std::exception & ex) { DEBUG("rlm_stg: stg_instantiate() error: '%s'", ex.what()); return -1; } *instance = data; return 0; } /* * Find the named user in this modules database. Create the set * of attribute-value pairs to check and reply with for this user * from the database. The authentication code only needs to check * the password, the rest is done here. */ static int stg_authorize(void *, REQUEST *request) { VALUE_PAIR *uname; VALUE_PAIR *pwd; VALUE_PAIR *svc; DEBUG("rlm_stg: stg_authorize()"); uname = pairfind(request->packet->vps, PW_USER_NAME); if (uname) { DEBUG("rlm_stg: stg_authorize() user name defined as '%s'", uname->vp_strvalue); } else { DEBUG("rlm_stg: stg_authorize() user name undefined"); return RLM_MODULE_FAIL; } if (request->username) { DEBUG("rlm_stg: stg_authorize() request username field: '%s'", request->username->vp_strvalue); } if (request->password) { DEBUG("rlm_stg: stg_authorize() request password field: '%s'", request->password->vp_strvalue); } // Here we need to define Framed-Protocol svc = pairfind(request->packet->vps, PW_SERVICE_TYPE); if (svc) { DEBUG("rlm_stg: stg_authorize() Service-Type defined as '%s'", svc->vp_strvalue); if (cli->Authorize((const char *)request->username->vp_strvalue, (const char *)svc->vp_strvalue)) { DEBUG("rlm_stg: stg_authorize() stg status: '%s'", cli->GetError().c_str()); return RLM_MODULE_REJECT; } } else { DEBUG("rlm_stg: stg_authorize() Service-Type undefined"); if (cli->Authorize((const char *)request->username->vp_strvalue, "")) { DEBUG("rlm_stg: stg_authorize() stg status: '%s'", cli->GetError().c_str()); return RLM_MODULE_REJECT; } } pwd = pairmake("Cleartext-Password", cli->GetUserPassword().c_str(), T_OP_SET); pairadd(&request->config_items, pwd); //pairadd(&request->reply->vps, uname); return RLM_MODULE_UPDATED; } /* * Authenticate the user with the given password. */ static int stg_authenticate(void *, REQUEST *request) { /* quiet the compiler */ VALUE_PAIR *svc; DEBUG("rlm_stg: stg_authenticate()"); svc = pairfind(request->packet->vps, PW_SERVICE_TYPE); if (svc) { DEBUG("rlm_stg: stg_authenticate() Service-Type defined as '%s'", svc->vp_strvalue); if (cli->Authenticate((char *)request->username->vp_strvalue, (const char *)svc->vp_strvalue)) { DEBUG("rlm_stg: stg_authenticate() stg status: '%s'", cli->GetError().c_str()); return RLM_MODULE_REJECT; } } else { DEBUG("rlm_stg: stg_authenticate() Service-Type undefined"); if (cli->Authenticate((char *)request->username->vp_strvalue, "")) { DEBUG("rlm_stg: stg_authenticate() stg status: '%s'", cli->GetError().c_str()); return RLM_MODULE_REJECT; } } return RLM_MODULE_NOOP; } /* * Massage the request before recording it or proxying it */ static int stg_preacct(void *, REQUEST *) { DEBUG("rlm_stg: stg_preacct()"); return RLM_MODULE_OK; } /* * Write accounting information to this modules database. */ static int stg_accounting(void *, REQUEST * request) { /* quiet the compiler */ VALUE_PAIR * sttype; VALUE_PAIR * svc; VALUE_PAIR * sessid; svc = pairfind(request->packet->vps, PW_SERVICE_TYPE); DEBUG("rlm_stg: stg_accounting()"); sessid = pairfind(request->packet->vps, PW_ACCT_SESSION_ID); if (!sessid) { DEBUG("rlm_stg: stg_accounting() Acct-Session-ID undefined"); return RLM_MODULE_FAIL; } sttype = pairfind(request->packet->vps, PW_ACCT_STATUS_TYPE); if (sttype) { DEBUG("Acct-Status-Type := %s", sttype->vp_strvalue); if (svc) { DEBUG("rlm_stg: stg_accounting() Service-Type defined as '%s'", svc->vp_strvalue); if (cli->Account((const char *)sttype->vp_strvalue, (const char *)request->username->vp_strvalue, (const char *)svc->vp_strvalue, (const char *)sessid->vp_strvalue)) { DEBUG("rlm_stg: stg_accounting error: '%s'", cli->GetError().c_str()); return RLM_MODULE_FAIL; } } else { DEBUG("rlm_stg: stg_accounting() Service-Type undefined"); if (cli->Account((const char *)sttype->vp_strvalue, (const char *)request->username->vp_strvalue, "", (const char *)sessid->vp_strvalue)) { DEBUG("rlm_stg: stg_accounting error: '%s'", cli->GetError().c_str()); return RLM_MODULE_FAIL; } } } else { DEBUG("Acct-Status-Type := NULL"); } return RLM_MODULE_OK; } /* * See if a user is already logged in. Sets request->simul_count to the * current session count for this user and sets request->simul_mpp to 2 * if it looks like a multilink attempt based on the requested IP * address, otherwise leaves request->simul_mpp alone. * * Check twice. If on the first pass the user exceeds his * max. number of logins, do a second pass and validate all * logins by querying the terminal server (using eg. SNMP). */ static int stg_checksimul(void *, REQUEST *request) { DEBUG("rlm_stg: stg_checksimul()"); request->simul_count=0; return RLM_MODULE_OK; } static int stg_postauth(void *, REQUEST *request) { VALUE_PAIR *fia; VALUE_PAIR *svc; struct in_addr fip; DEBUG("rlm_stg: stg_postauth()"); svc = pairfind(request->packet->vps, PW_SERVICE_TYPE); if (svc) { DEBUG("rlm_stg: stg_postauth() Service-Type defined as '%s'", svc->vp_strvalue); if (cli->PostAuthenticate((const char *)request->username->vp_strvalue, (const char *)svc->vp_strvalue)) { DEBUG("rlm_stg: stg_postauth() error: '%s'", cli->GetError().c_str()); return RLM_MODULE_FAIL; } } else { DEBUG("rlm_stg: stg_postauth() Service-Type undefined"); if (cli->PostAuthenticate((const char *)request->username->vp_strvalue, "")) { DEBUG("rlm_stg: stg_postauth() error: '%s'", cli->GetError().c_str()); return RLM_MODULE_FAIL; } } if (strncmp((const char *)svc->vp_strvalue, "Framed-User", 11) == 0) { fip.s_addr = cli->GetFramedIP(); DEBUG("rlm_stg: stg_postauth() ip = '%s'", inet_ntostring(fip.s_addr).c_str()); fia = pairmake("Framed-IP-Address", inet_ntostring(fip.s_addr).c_str(), T_OP_SET); pairadd(&request->reply->vps, fia); } return RLM_MODULE_UPDATED; } static int stg_detach(void *instance) { DEBUG("rlm_stg: stg_detach()"); delete cli; free(((struct rlm_stg_t *)instance)->server); free(((struct rlm_stg_t *)instance)->password); free(instance); return 0; } /* * The module name should be the only globally exported symbol. * That is, everything else should be 'static'. * * If the module needs to temporarily modify it's instantiation * data, the type should be changed to RLM_TYPE_THREAD_UNSAFE. * The server will then take care of ensuring that the module * is single-threaded. */ module_t rlm_stg = { RLM_MODULE_INIT, "stg", RLM_TYPE_THREAD_SAFE, /* type */ stg_instantiate, /* instantiation */ stg_detach, /* detach */ { stg_authenticate, /* authentication */ stg_authorize, /* authorization */ stg_preacct, /* preaccounting */ stg_accounting, /* accounting */ stg_checksimul, /* checksimul */ NULL, /* pre-proxy */ NULL, /* post-proxy */ stg_postauth /* post-auth */ }, };