rlm__imap_8c_source.html

/*

 *   This program is is free software; you can redistribute it and/or modify

 *   it under the terms of the GNU General Public License as published by

 *   the Free Software Foundation; either version 2 of the License, or (at

 *   your option) any later version.

 *

 *   This program is distributed in the hope that it will be useful,

 *   but WITHOUT ANY WARRANTY; without even the implied warranty of

 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 *   GNU General Public License for more details.

 *

 *   You should have received a copy of the GNU General Public License

 *   along with this program; if not, write to the Free Software

 *   Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA

 */


/**

 * $Id: 816e6231a0dd9558741e933e5a48c618899d517b $

 * @file rlm_imap.c

 * @brief imap server authentication.

 *

 * @copyright 2020 The FreeRADIUS server project

 * @copyright 2020 Network RADIUS SAS (legal@networkradius.com)

 */

RCSID("$Id: 816e6231a0dd9558741e933e5a48c618899d517b $")


#include <freeradius-devel/curl/base.h>

#include <freeradius-devel/server/base.h>

#include <freeradius-devel/server/global_lib.h>

#include <freeradius-devel/server/module_rlm.h>

#include <freeradius-devel/util/slab.h>


static fr_dict_t        const           *dict_radius; /*dictionary for radius protocol*/


static fr_dict_attr_t   const           *attr_user_password;

static fr_dict_attr_t   const           *attr_user_name;


extern fr_dict_autoload_t rlm_imap_dict[];


fr_dict_autoload_t rlm_imap_dict[] = {

        { .out = &dict_radius, .proto = "radius" },

        { NULL }

};


extern fr_dict_attr_autoload_t rlm_imap_dict_attr[];


fr_dict_attr_autoload_t rlm_imap_dict_attr[] = {

        { .out = &attr_user_name, .name = "User-Name", .type = FR_TYPE_STRING, .dict = &dict_radius },

        { .out = &attr_user_password, .name = "User-Password", .type = FR_TYPE_STRING, .dict = &dict_radius },

        { NULL },

};


extern global_lib_autoinst_t const * const rlm_imap_lib[];


global_lib_autoinst_t const * const rlm_imap_lib[] = {

        &fr_curl_autoinst,

        GLOBAL_LIB_TERMINATOR

};


typedef struct {

        char const                      *uri;           //!< URI of imap server

        fr_time_delta_t                 timeout;        //!< Timeout for connection and server response

        fr_curl_tls_t                   tls;

        fr_curl_conn_config_t           conn_config;    //!< Reusable CURL handle config

} rlm_imap_t;


FR_SLAB_TYPES(imap, fr_curl_io_request_t)

FR_SLAB_FUNCS(imap, fr_curl_io_request_t)


typedef struct {

        imap_slab_list_t                *slab;          //!< Slab list for connection handles.

        fr_curl_handle_t                *mhandle;       //!< Thread specific multi handle.  Serves as the dispatch and coralling structure for imap requests.

} rlm_imap_thread_t;


/*

 *      A mapping of configuration file names to internal variables.

 */


static const conf_parser_t module_config[] = {

        { FR_CONF_OFFSET("uri", rlm_imap_t, uri) },

        { FR_CONF_OFFSET("timeout", rlm_imap_t, timeout), .dflt = "5.0" },

        { FR_CONF_OFFSET_SUBSECTION("tls", 0, rlm_imap_t, tls, fr_curl_tls_config ) },//!<loading the tls values

        { FR_CONF_OFFSET_SUBSECTION("connection", 0, rlm_imap_t, conn_config, fr_curl_conn_config ) },

        CONF_PARSER_TERMINATOR

};


static void imap_io_module_signal(module_ctx_t const *mctx, request_t *request, UNUSED fr_signal_t action)

{

        fr_curl_io_request_t    *randle = talloc_get_type_abort(mctx->rctx, fr_curl_io_request_t);

        rlm_imap_thread_t       *t = talloc_get_type_abort(mctx->thread, rlm_imap_thread_t);

        CURLMcode               ret;


        RDEBUG2("Forcefully cancelling pending IMAP request");


        ret = curl_multi_remove_handle(t->mhandle->mandle, randle->candle);     /* Gracefully terminate the request */

        if (ret != CURLM_OK) {

                RERROR("Failed removing curl handle from multi-handle: %s (%i)", curl_multi_strerror(ret), ret);

                /* Not much we can do */

        }

        t->mhandle->transfers--;

        imap_slab_release(randle);

}


/*

 *      Called when the IMAP server responds

 *      It checks if the response was CURLE_OK

 *      If it wasn't we returns REJECT, if it was we returns OK

*/


static unlang_action_t CC_HINT(nonnull) mod_authenticate_resume(rlm_rcode_t *p_result, module_ctx_t const *mctx,

                                                                request_t *request)

{

        rlm_imap_t const                *inst = talloc_get_type_abort_const(mctx->mi->data, rlm_imap_t);

        fr_curl_io_request_t            *randle = talloc_get_type_abort(mctx->rctx, fr_curl_io_request_t);

        fr_curl_tls_t const             *tls;

        long                            curl_out;

        long                            curl_out_valid;


        tls = &inst->tls;


        curl_out_valid = curl_easy_getinfo(randle->candle, CURLINFO_SSL_VERIFYRESULT, &curl_out);

        if (curl_out_valid == CURLE_OK){

                RDEBUG2("server certificate %s verified", curl_out ? "was" : "not");

        } else {

                RDEBUG2("server certificate result not found");

        }


        if (randle->result != CURLE_OK) {

                CURLcode result = randle->result;

                imap_slab_release(randle);

                switch(result) {

                case CURLE_PEER_FAILED_VERIFICATION:

                case CURLE_LOGIN_DENIED:

                        RETURN_MODULE_REJECT;

                default:

                        RETURN_MODULE_FAIL;

                }

        }


        if (tls->extract_cert_attrs) fr_curl_response_certinfo(request, randle);


        imap_slab_release(randle);

        RETURN_MODULE_OK;

}


/*

 *      Checks that there is a User-Name and User-Password field in the request

 *      Checks that User-Password is not Blank

 *      Sets the: username, password

 *              website URI

 *              timeout information

 *              and TLS information

 *

 *      Then it queues the request and yields until a response is given

 *      When it responds, mod_authenticate_resume is called.

 */


static unlang_action_t CC_HINT(nonnull(1,2)) mod_authenticate(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)

{

        rlm_imap_thread_t       *t = talloc_get_type_abort(mctx->thread, rlm_imap_thread_t);


        fr_pair_t const         *username;

        fr_pair_t const         *password;

        fr_curl_io_request_t    *randle;


        username = fr_pair_find_by_da(&request->request_pairs, NULL, attr_user_name);

        password = fr_pair_find_by_da(&request->request_pairs, NULL, attr_user_password);


        if (!username) {

                REDEBUG("Attribute \"User-Name\" is required for authentication");

                RETURN_MODULE_INVALID;

        }


        if (!password) {

                RDEBUG2("Attribute \"User-Password\" is required for authentication");

                RETURN_MODULE_INVALID;

        }


        if (password->vp_length == 0) {

                RDEBUG2("\"User-Password\" must not be empty");

                RETURN_MODULE_INVALID;

        }


        randle = imap_slab_reserve(t->slab);

        if (!randle){

                RETURN_MODULE_FAIL;

        }


        FR_CURL_REQUEST_SET_OPTION(CURLOPT_USERNAME, username->vp_strvalue);

        FR_CURL_REQUEST_SET_OPTION(CURLOPT_PASSWORD, password->vp_strvalue);


        if (fr_curl_io_request_enqueue(t->mhandle, request, randle)) {

        error:

                imap_slab_release(randle);

                RETURN_MODULE_FAIL;

        }


        return unlang_module_yield(request, mod_authenticate_resume, imap_io_module_signal, ~FR_SIGNAL_CANCEL, randle);

}


/** Clean up CURL handle on freeing

 *

 */


static int _mod_conn_free(fr_curl_io_request_t *randle)

{

        curl_easy_cleanup(randle->candle);


        return 0;

}


/** Callback to configure a CURL handle when it is allocated

 *

 */


static int imap_conn_alloc(fr_curl_io_request_t *randle, void *uctx)

{

        rlm_imap_t const        *inst = talloc_get_type_abort(uctx, rlm_imap_t);


        randle->candle = curl_easy_init();

        if (unlikely(!randle->candle)) {

        error:

                fr_strerror_printf("Unable to initialise CURL handle");

                return -1;

        }


        talloc_set_destructor(randle, _mod_conn_free);


#if CURL_AT_LEAST_VERSION(7,45,0)

        FR_CURL_SET_OPTION(CURLOPT_DEFAULT_PROTOCOL, "imap");

#endif

        FR_CURL_SET_OPTION(CURLOPT_URL, inst->uri);

#if CURL_AT_LEAST_VERSION(7,85,0)

        FR_CURL_SET_OPTION(CURLOPT_PROTOCOLS_STR, "imap,imaps");

#else

        FR_CURL_SET_OPTION(CURLOPT_PROTOCOLS, CURLPROTO_IMAP | CURLPROTO_IMAPS);

#endif

        FR_CURL_SET_OPTION(CURLOPT_CONNECTTIMEOUT_MS, fr_time_delta_to_msec(inst->timeout));

        FR_CURL_SET_OPTION(CURLOPT_TIMEOUT_MS, fr_time_delta_to_msec(inst->timeout));


        if (DEBUG_ENABLED3) FR_CURL_SET_OPTION(CURLOPT_VERBOSE, 1L);


        if (fr_curl_easy_tls_init(randle, &inst->tls) != 0) goto error;


        return 0;

}


/*

 *      Initialize a new thread with a curl instance

 */


static int mod_thread_instantiate(module_thread_inst_ctx_t const *mctx)

{

        rlm_imap_t              *inst = talloc_get_type_abort(mctx->mi->data, rlm_imap_t);

        rlm_imap_thread_t       *t = talloc_get_type_abort(mctx->thread, rlm_imap_thread_t);

        fr_curl_handle_t        *mhandle;


        if (!(t->slab = imap_slab_list_alloc(t, mctx->el, &inst->conn_config.reuse,

                                             imap_conn_alloc, NULL, inst,

                                             false, false))) {

                ERROR("Connection handle pool instantiation failed");

                return -1;

        }


        mhandle = fr_curl_io_init(t, mctx->el, false);

        if (!mhandle) return -1;


        t->mhandle = mhandle;

        return 0;

}


/*

 *      Close the thread and free the memory

 */


static int mod_thread_detach(module_thread_inst_ctx_t const *mctx)

{

        rlm_imap_thread_t               *t = talloc_get_type_abort(mctx->thread, rlm_imap_thread_t);


        talloc_free(t->mhandle);

        talloc_free(t->slab);

        return 0;

}


/*

 *      The module name should be the only globally exported symbol.

 *      That is, everything else should be 'static'.

 *

 *      If the module needs to temporarily modify it's instantiation

 *      data, the type should be changed to MODULE_TYPE_THREAD_UNSAFE.

 *      The server will then take care of ensuring that the module

 *      is single-threaded.

 */

extern module_rlm_t rlm_imap;


module_rlm_t rlm_imap = {

        .common = {

                .magic                  = MODULE_MAGIC_INIT,

                .name                   = "imap",

                .inst_size              = sizeof(rlm_imap_t),

                .thread_inst_size       = sizeof(rlm_imap_thread_t),

                .config                 = module_config,

                .thread_instantiate     = mod_thread_instantiate,

                .thread_detach          = mod_thread_detach,

        },

        .method_group = {

                .bindings = (module_method_binding_t[]){

                        { .section = SECTION_NAME("authenticate", CF_IDENT_ANY), .method = mod_authenticate },

                        MODULE_BINDING_TERMINATOR

                }

        }

};


unlang_action_t
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
Definition action.h:35

RCSID
#define RCSID(id)
Definition build.h:483

unlikely
#define unlikely(_x)
Definition build.h:381

UNUSED
#define UNUSED
Definition build.h:315

CONF_PARSER_TERMINATOR
#define CONF_PARSER_TERMINATOR
Definition cf_parse.h:642

FR_CONF_OFFSET
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:268

FR_CONF_OFFSET_SUBSECTION
#define FR_CONF_OFFSET_SUBSECTION(_name, _flags, _struct, _field, _subcs)
conf_parser_t which populates a sub-struct using a CONF_SECTION
Definition cf_parse.h:297

conf_parser_s
Defines a CONF_PAIR to C data type mapping.
Definition cf_parse.h:579

CF_IDENT_ANY
#define CF_IDENT_ANY
Definition cf_util.h:78

fr_curl_io_init
fr_curl_handle_t * fr_curl_io_init(TALLOC_CTX *ctx, fr_event_list_t *el, bool multiplex)

FR_CURL_REQUEST_SET_OPTION
#define FR_CURL_REQUEST_SET_OPTION(_x, _y)
Definition base.h:67

fr_curl_io_request_t::result
CURLcode result
Result of executing the request.
Definition base.h:103

FR_CURL_SET_OPTION
#define FR_CURL_SET_OPTION(_x, _y)
Definition base.h:45

fr_curl_handle_t::transfers
uint64_t transfers
How many transfers are current in progress.
Definition base.h:94

fr_curl_tls_t::extract_cert_attrs
bool extract_cert_attrs
Definition base.h:119

fr_curl_handle_t::mandle
CURLM * mandle
The multi handle.
Definition base.h:95

fr_curl_io_request_enqueue
int fr_curl_io_request_enqueue(fr_curl_handle_t *mhandle, request_t *request, fr_curl_io_request_t *creq)
Sends a request using libcurl.
Definition io.c:482

fr_curl_io_request_t::candle
CURL * candle
Request specific handle.
Definition base.h:102

fr_curl_conn_config_t
Definition base.h:125

fr_curl_handle_t
Uctx data for timer and I/O functions.
Definition base.h:91

fr_curl_io_request_t
Structure representing an individual request being passed to curl for processing.
Definition base.h:101

fr_curl_tls_t
Definition base.h:108

ERROR
#define ERROR(fmt,...)
Definition dhcpclient.c:41

fr_dict_attr_autoload_t::out
fr_dict_attr_t const  ** out
Where to write a pointer to the resolved fr_dict_attr_t.
Definition dict.h:268

fr_dict_autoload_t::out
fr_dict_t const  ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
Definition dict.h:281

fr_dict_attr_autoload_t
Specifies an attribute which must be present for the module to function.
Definition dict.h:267

fr_dict_autoload_t
Specifies a dictionary which must be loaded/loadable for the module to function.
Definition dict.h:280

MODULE_MAGIC_INIT
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
Definition dl_module.h:63

GLOBAL_LIB_TERMINATOR
#define GLOBAL_LIB_TERMINATOR
Definition global_lib.h:51

global_lib_autoinst_t
Structure to define how to initialise libraries with global configuration.
Definition global_lib.h:38

fr_curl_response_certinfo
int fr_curl_response_certinfo(request_t *request, fr_curl_io_request_t *randle)
Definition base.c:170

fr_curl_easy_tls_init
int fr_curl_easy_tls_init(fr_curl_io_request_t *randle, fr_curl_tls_t const *conf)
Definition base.c:139

fr_curl_autoinst
global_lib_autoinst_t fr_curl_autoinst
Definition base.c:387

fr_curl_conn_config
conf_parser_t fr_curl_conn_config[]
Definition base.c:97

fr_curl_tls_config
conf_parser_t fr_curl_tls_config[]
Definition base.c:68

RERROR
#define RERROR(fmt,...)
Definition log.h:298

DEBUG_ENABLED3
#define DEBUG_ENABLED3
True if global debug level 1-3 messages are enabled.
Definition log.h:259

talloc_free
talloc_free(reap)

FR_TYPE_STRING
@ FR_TYPE_STRING
String of printable characters.
Definition merged_model.c:83

fr_dict_attr_t
Definition merged_model.c:133

fr_dict_t
Definition merged_model.c:198

request_t
Definition merged_model.c:210

module_ctx_t::mi
module_instance_t const  * mi
Instance of the module being instantiated.
Definition module_ctx.h:42

module_ctx_t::thread
void * thread
Thread specific instance data.
Definition module_ctx.h:43

module_ctx_t::rctx
void * rctx
Resume ctx that a module previously set.
Definition module_ctx.h:45

module_thread_inst_ctx_t::el
fr_event_list_t * el
Event list to register any IO handlers and timers against.
Definition module_ctx.h:68

module_thread_inst_ctx_t::thread
void * thread
Thread instance data.
Definition module_ctx.h:67

module_thread_inst_ctx_t::mi
module_instance_t const  * mi
Instance of the module being instantiated.
Definition module_ctx.h:64

module_ctx_t
Temporary structure to hold arguments for module calls.
Definition module_ctx.h:41

module_thread_inst_ctx_t
Temporary structure to hold arguments for thread_instantiation calls.
Definition module_ctx.h:63

module_rlm_s::common
module_t common
Common fields presented by all modules.
Definition module_rlm.h:39

module_rlm_s
Definition module_rlm.h:38

fr_pair_find_by_da
fr_pair_t * fr_pair_find_by_da(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find the first pair with a matching da.
Definition pair.c:693

REDEBUG
#define REDEBUG(fmt,...)
Definition radclient.h:52

RDEBUG2
#define RDEBUG2(fmt,...)
Definition radclient.h:54

RETURN_MODULE_REJECT
#define RETURN_MODULE_REJECT
Definition rcode.h:55

RETURN_MODULE_INVALID
#define RETURN_MODULE_INVALID
Definition rcode.h:59

RETURN_MODULE_OK
#define RETURN_MODULE_OK
Definition rcode.h:57

RETURN_MODULE_FAIL
#define RETURN_MODULE_FAIL
Definition rcode.h:56

rlm_rcode_t
rlm_rcode_t
Return codes indicating the result of the module call.
Definition rcode.h:40

attr_user_password
static fr_dict_attr_t const  * attr_user_password
Definition rlm_imap.c:35

rlm_imap_thread_t::slab
imap_slab_list_t * slab
Slab list for connection handles.
Definition rlm_imap.c:68

rlm_imap_t::timeout
fr_time_delta_t timeout
Timeout for connection and server response.
Definition rlm_imap.c:59

rlm_imap_t::tls
fr_curl_tls_t tls
Definition rlm_imap.c:60

dict_radius
static fr_dict_t const  * dict_radius
Definition rlm_imap.c:33

mod_authenticate
static unlang_action_t mod_authenticate(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
Definition rlm_imap.c:152

imap_conn_alloc
static int imap_conn_alloc(fr_curl_io_request_t *randle, void *uctx)
Callback to configure a CURL handle when it is allocated.
Definition rlm_imap.c:208

imap_io_module_signal
static void imap_io_module_signal(module_ctx_t const *mctx, request_t *request, UNUSED fr_signal_t action)
Definition rlm_imap.c:83

rlm_imap_t::uri
char const  * uri
URI of imap server.
Definition rlm_imap.c:58

rlm_imap_t::conn_config
fr_curl_conn_config_t conn_config
Reusable CURL handle config.
Definition rlm_imap.c:61

mod_thread_instantiate
static int mod_thread_instantiate(module_thread_inst_ctx_t const *mctx)
Definition rlm_imap.c:243

rlm_imap_lib
global_lib_autoinst_t const  *const rlm_imap_lib[]
Definition rlm_imap.c:52

mod_authenticate_resume
static unlang_action_t mod_authenticate_resume(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
Definition rlm_imap.c:105

attr_user_name
static fr_dict_attr_t const  * attr_user_name
Definition rlm_imap.c:36

rlm_imap_dict
fr_dict_autoload_t rlm_imap_dict[]
Definition rlm_imap.c:39

rlm_imap_dict_attr
fr_dict_attr_autoload_t rlm_imap_dict_attr[]
Definition rlm_imap.c:45

rlm_imap
module_rlm_t rlm_imap
Definition rlm_imap.c:285

module_config
static const conf_parser_t module_config[]
Definition rlm_imap.c:75

_mod_conn_free
static int _mod_conn_free(fr_curl_io_request_t *randle)
Clean up CURL handle on freeing.
Definition rlm_imap.c:198

mod_thread_detach
static int mod_thread_detach(module_thread_inst_ctx_t const *mctx)
Definition rlm_imap.c:266

rlm_imap_thread_t::mhandle
fr_curl_handle_t * mhandle
Thread specific multi handle. Serves as the dispatch and coralling structure for imap requests.
Definition rlm_imap.c:69

rlm_imap_t
Definition rlm_imap.c:57

rlm_imap_thread_t
Definition rlm_imap.c:67

username
username
Definition rlm_securid.c:420

SECTION_NAME
#define SECTION_NAME(_name1, _name2)
Define a section name consisting of a verb and a noun.
Definition section.h:40

module_s::inst_size
size_t inst_size
Size of the module's instance data.
Definition module.h:203

module_instance_s::data
void * data
Module's instance data.
Definition module.h:271

MODULE_BINDING_TERMINATOR
#define MODULE_BINDING_TERMINATOR
Terminate a module binding list.
Definition module.h:151

module_method_binding_s
Named methods exported by a module.
Definition module.h:173

fr_signal_t
fr_signal_t
Signals that can be generated/processed by request signal handlers.
Definition signal.h:38

FR_SIGNAL_CANCEL
@ FR_SIGNAL_CANCEL
Request has been cancelled.
Definition signal.h:40

FR_SLAB_FUNCS
#define FR_SLAB_FUNCS(_name, _type)
Define type specific wrapper functions for slabs and slab elements.
Definition slab.h:120

FR_SLAB_TYPES
#define FR_SLAB_TYPES(_name, _type)
Define type specific wrapper structs for slabs and slab elements.
Definition slab.h:72

unlang_module_yield
unlang_action_t unlang_module_yield(request_t *request, module_method_t resume, unlang_module_signal_t signal, fr_signal_t sigmask, void *rctx)
Yield a request back to the interpreter from within a module.
Definition module.c:419

inst
eap_aka_sim_process_conf_t * inst
Definition state_machine.c:3620

value_pair_s
Stores an attribute, a value and various bits of other data.
Definition pair.h:68

talloc_get_type_abort_const
#define talloc_get_type_abort_const
Definition talloc.h:282

fr_time_delta_to_msec
static int64_t fr_time_delta_to_msec(fr_time_delta_t delta)
Definition time.h:637

fr_time_delta_s
A time delta, a difference in time measured in nanoseconds.
Definition time.h:80

fr_strerror_printf
#define fr_strerror_printf(_fmt,...)
Log to thread local error buffer.
Definition strerror.h:64

nonnull
int nonnull(2, 5))