The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
rlm_sql.c
Go to the documentation of this file.
1/*
2 * This program is is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or (at
5 * your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: 549aa75c05bd8cb001c2c4ce2d18731b55d6a2f9 $
19 * @file rlm_sql.c
20 * @brief Implements SQL 'users' file, and SQL accounting.
21 *
22 * @copyright 2012-2014 Arran Cudbard-Bell (a.cudbardb@freeradius.org)
23 * @copyright 2000,2006 The FreeRADIUS server project
24 * @copyright 2000 Mike Machado (mike@innercite.com)
25 * @copyright 2000 Alan DeKok (aland@freeradius.org)
26 */
27
28RCSID("$Id: 549aa75c05bd8cb001c2c4ce2d18731b55d6a2f9 $")
29
30#define LOG_PREFIX mctx->mi->name
31
32#include <freeradius-devel/server/base.h>
33#include <freeradius-devel/server/exfile.h>
34#include <freeradius-devel/server/map_proc.h>
35#include <freeradius-devel/server/module_rlm.h>
36#include <freeradius-devel/server/pairmove.h>
37#include <freeradius-devel/server/rcode.h>
38#include <freeradius-devel/server/trigger.h>
39#include <freeradius-devel/util/debug.h>
40#include <freeradius-devel/util/dict.h>
41#include <freeradius-devel/util/skip.h>
42#include <freeradius-devel/util/table.h>
43#include <freeradius-devel/unlang/action.h>
44#include <freeradius-devel/unlang/function.h>
45#include <freeradius-devel/unlang/xlat_func.h>
46#include <freeradius-devel/unlang/module.h>
47#include <freeradius-devel/unlang/map.h>
48
49#include <sys/stat.h>
50
51#include "rlm_sql.h"
52
53#define SQL_SAFE_FOR (fr_value_box_safe_for_t)inst->driver
54
56
57static int submodule_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule);
58
63
64static const conf_parser_t module_config[] = {
65 { FR_CONF_OFFSET_TYPE_FLAGS("driver", FR_TYPE_VOID, 0, rlm_sql_t, driver_submodule), .dflt = "null",
67 { FR_CONF_OFFSET("server", rlm_sql_config_t, sql_server), .dflt = "" }, /* Must be zero length so drivers can determine if it was set */
68 { FR_CONF_OFFSET("port", rlm_sql_config_t, sql_port), .dflt = "0" },
69 { FR_CONF_OFFSET("login", rlm_sql_config_t, sql_login), .dflt = "" },
70 { FR_CONF_OFFSET_FLAGS("password", CONF_FLAG_SECRET, rlm_sql_config_t, sql_password), .dflt = "" },
71 { FR_CONF_OFFSET("radius_db", rlm_sql_config_t, sql_db), .dflt = "radius" },
72 { FR_CONF_OFFSET("read_groups", rlm_sql_config_t, read_groups), .dflt = "yes" },
73 { FR_CONF_OFFSET("group_attribute", rlm_sql_config_t, group_attribute) },
74 { FR_CONF_OFFSET("cache_groups", rlm_sql_config_t, cache_groups) },
75 { FR_CONF_OFFSET("read_profiles", rlm_sql_config_t, read_profiles), .dflt = "yes" },
76 { FR_CONF_OFFSET("open_query", rlm_sql_config_t, connect_query) },
77 { FR_CONF_OFFSET("query_number_attribute", rlm_sql_config_t, query_number_attribute) },
78
79 { FR_CONF_OFFSET("safe_characters", rlm_sql_config_t, allowed_chars), .dflt = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" },
80
81 /*
82 * This only works for a few drivers.
83 */
84 { FR_CONF_OFFSET("query_timeout", rlm_sql_config_t, query_timeout), .dflt = "5" },
85
86 /*
87 * The pool section is used for trunk config
88 */
89 { FR_CONF_OFFSET_SUBSECTION("pool", 0, rlm_sql_config_t, trunk_conf, trunk_config) },
90
92
94};
95
97
100 { .out = &dict_freeradius, .proto = "freeradius" },
101 { NULL }
102};
103
108
111 { .out = &attr_fall_through, .name = "Fall-Through", .type = FR_TYPE_BOOL, .dict = &dict_freeradius },
112 { .out = &attr_sql_user_name, .name = "SQL-User-Name", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
113 { .out = &attr_user_profile, .name = "User-Profile", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
114 { .out = &attr_expr_bool_enum, .name = "Expr-Bool-Enum", .type = FR_TYPE_BOOL, .dict = &dict_freeradius },
115 { NULL }
116};
117
118typedef struct {
119 fr_value_box_t user; //!< Expansion of the sql_user_name
120 tmpl_t *check_query; //!< Tmpl to expand to form authorize_check_query
121 tmpl_t *reply_query; //!< Tmpl to expand to form authorize_reply_query
122 tmpl_t *membership_query; //!< Tmpl to expand to form group_membership_query
123 tmpl_t *group_check_query; //!< Tmpl to expand to form authorize_group_check_query
124 tmpl_t *group_reply_query; //!< Tmpl to expand to form authorize_group_reply_query
126
127static int logfile_call_env_parse(TALLOC_CTX *ctx, call_env_parsed_head_t *out, tmpl_rules_t const *t_rules, CONF_ITEM *cc,
128 call_env_ctx_t const *cec, call_env_parser_t const *rule);
129
130static int query_call_env_parse(TALLOC_CTX *ctx, call_env_parsed_head_t *out, tmpl_rules_t const *t_rules, CONF_ITEM *cc,
131 call_env_ctx_t const *cec, call_env_parser_t const *rule);
132
136
139 .env = (call_env_parser_t[]) {
141 .pair.escape = {
142 .box_escape = {
145 .always_escape = false,
146 },
148 },
149 .pair.literals_safe_for = (fr_value_box_safe_for_t)rad_filename_box_make_safe,
150 },
152 }
153};
154
156
157/** Status of the authorization process
158 */
159typedef enum {
160 SQL_AUTZ_CHECK = 0x12, //!< Running user `check` query
161 SQL_AUTZ_CHECK_RESUME = 0x13, //!< Completed user `check` query
162 SQL_AUTZ_REPLY = 0x14, //!< Running user `reply` query
163 SQL_AUTZ_REPLY_RESUME = 0x15, //!< Completed user `reply` query
164 SQL_AUTZ_GROUP_MEMB = 0x20, //!< Running group membership query
165 SQL_AUTZ_GROUP_MEMB_RESUME = 0x21, //!< Completed group membership query
166 SQL_AUTZ_GROUP_CHECK = 0x22, //!< Running group `check` query
167 SQL_AUTZ_GROUP_CHECK_RESUME = 0x23, //!< Completed group `check` query
168 SQL_AUTZ_GROUP_REPLY = 0x24, //!< Running group `reply` query
169 SQL_AUTZ_GROUP_REPLY_RESUME = 0x25, //!< Completed group `reply` query
170 SQL_AUTZ_PROFILE_START = 0x40, //!< Starting processing user profiles
171 SQL_AUTZ_PROFILE_CHECK = 0x42, //!< Running profile `check` query
172 SQL_AUTZ_PROFILE_CHECK_RESUME = 0x43, //!< Completed profile `check` query
173 SQL_AUTZ_PROFILE_REPLY = 0x44, //!< Running profile `reply` query
174 SQL_AUTZ_PROFILE_REPLY_RESUME = 0x45, //!< Completed profile `reply` query
176
177#define SQL_AUTZ_STAGE_GROUP 0x20
178#define SQL_AUTZ_STAGE_PROFILE 0x40
179
180/** Context for group membership query evaluation
181 */
182typedef struct {
183 rlm_sql_t const *inst; //!< Module instance.
184 fr_value_box_t *query; //!< Query string used for evaluating group membership.
185 fr_sql_query_t *query_ctx; //!< Query context.
186 rlm_sql_grouplist_t *groups; //!< List of groups retrieved.
187 int num_groups; //!< How many groups have been retrieved.
189
190/** Context for SQL authorization
191 */
192typedef struct {
193 rlm_sql_t const *inst; //!< Module instance.
194 request_t *request; //!< Request being processed.
195 rlm_rcode_t rcode; //!< Module return code.
196 trunk_t *trunk; //!< Trunk connection for current authorization.
197 sql_autz_call_env_t *call_env; //!< Call environment data.
198 map_list_t check_tmp; //!< List to store check items before processing.
199 map_list_t reply_tmp; //!< List to store reply items before processing.
200 sql_autz_status_t status; //!< Current status of the authorization.
201 fr_value_box_list_t query; //!< Where expanded query tmpls will be written.
202 bool user_found; //!< Has the user been found anywhere?
203 rlm_sql_grouplist_t *group; //!< Current group being processed.
204 fr_pair_t *sql_group; //!< Pair to update with group being processed.
205 fr_pair_t *profile; //!< Current profile being processed.
206 fr_sql_map_ctx_t *map_ctx; //!< Context used for retrieving attribute value pairs as a map list.
207 sql_group_ctx_t *group_ctx; //!< Context used for retrieving user group membership.
209
210typedef struct {
211 fr_value_box_t user; //!< Expansion of sql_user_name.
212 fr_value_box_t filename; //!< File name to write SQL logs to.
213 tmpl_t **query; //!< Array of tmpls for list of queries to run.
215
225
235
236/** Context for tracking redundant SQL query sets
237 */
238typedef struct {
239 rlm_sql_t const *inst; //!< Module instance.
240 request_t *request; //!< Request being processed.
241 trunk_t *trunk; //!< Trunk connection for queries.
242 sql_redundant_call_env_t *call_env; //!< Call environment data.
243 size_t query_no; //!< Current query number.
244 fr_value_box_list_t query; //!< Where expanded query tmpl will be written.
245 fr_value_box_t *query_vb; //!< Current query string.
246 fr_sql_query_t *query_ctx; //!< Query context for current query.
248
253
262
263int submodule_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
264{
265 rlm_sql_t *inst = talloc_get_type_abort(parent, rlm_sql_t);
267 int ret;
268
269 if (unlikely(ret = module_rlm_submodule_parse(ctx, out, parent, ci, rule) < 0)) return ret;
270
271 mi = talloc_get_type_abort(*((void **)out), module_instance_t);
272 inst->driver = (rlm_sql_driver_t const *)mi->exported; /* Public symbol exported by the submodule */
273
274 return 0;
275}
276
277static int _sql_escape_uxtx_free(void *uctx)
278{
279 return talloc_free(uctx);
280}
281
282/*
283 * Create a thread local uctx which is used in SQL value box escaping
284 * so that an already reserved connection can be used.
285 */
286static void *sql_escape_uctx_alloc(UNUSED request_t *request, void const *uctx)
287{
288 static _Thread_local rlm_sql_escape_uctx_t *t_ctx;
289
290 if (unlikely(t_ctx == NULL)) {
292
293 MEM(ctx = talloc_zero(NULL, rlm_sql_escape_uctx_t));
295 }
296 t_ctx->sql = uctx;
297
298 return t_ctx;
299}
300
301/*
302 * Fall-Through checking function from rlm_files.c
303 */
304static sql_fall_through_t fall_through(map_list_t *maps)
305{
306 bool rcode;
307 map_t *map, *next;
308
309 for (map = map_list_head(maps);
310 map != NULL;
311 map = next) {
312 next = map_list_next(maps, map);
313
315
317 (void) map_list_remove(maps, map);
318
319 if (tmpl_is_data(map->rhs)) {
321
322 rcode = tmpl_value(map->rhs)->vb_bool;
323 } else {
324 rcode = false;
325 }
326
327 talloc_free(map);
328 return rcode;
329 }
330 }
331
333}
334
335/*
336 * Yucky prototype.
337 */
338static ssize_t sql_escape_func(request_t *, char *out, size_t outlen, char const *in, void *arg);
339
340/** Escape a tainted VB used as an xlat argument
341 *
342 */
343static int CC_HINT(nonnull(2,3)) sql_xlat_escape(request_t *request, fr_value_box_t *vb, void *uctx)
344{
345 fr_sbuff_t sbuff;
346 fr_sbuff_uctx_talloc_t sbuff_ctx;
347
348 ssize_t len;
349 void *arg = NULL;
350 rlm_sql_escape_uctx_t *ctx = uctx;
352 rlm_sql_thread_t *thread = talloc_get_type_abort(module_thread(inst->mi)->data, rlm_sql_thread_t);
353
354 /*
355 * If it's already safe, don't do anything.
356 */
357 if (fr_value_box_is_safe_for(vb, inst->driver)) return 0;
358
359 /*
360 * No need to escape types with inherently safe data
361 */
362 switch (vb->type) {
363 case FR_TYPE_NUMERIC:
364 case FR_TYPE_IP:
365 case FR_TYPE_ETHERNET:
366 fr_value_box_mark_safe_for(vb, inst->driver);
367 return 0;
368
369 default:
370 break;
371 }
372
373 if (inst->sql_escape_arg) {
374 arg = inst->sql_escape_arg;
375 } else if (thread->sql_escape_arg) {
376 arg = thread->sql_escape_arg;
377 }
378 if (!arg) {
379 error:
381 return -1;
382 }
383
384 /*
385 * Escaping functions work on strings - ensure the box is a string
386 */
387 if ((vb->type != FR_TYPE_STRING) && (fr_value_box_cast_in_place(vb, vb, FR_TYPE_STRING, NULL) < 0)) goto error;
388
389 /*
390 * Maximum escaped length is 3 * original - if every character needs escaping
391 */
392 if (!fr_sbuff_init_talloc(vb, &sbuff, &sbuff_ctx, vb->vb_length * 3, vb->vb_length * 3)) {
393 fr_strerror_printf_push("Failed to allocate buffer for escaped sql argument");
394 return -1;
395 }
396
397 len = inst->sql_escape_func(request, fr_sbuff_buff(&sbuff), vb->vb_length * 3 + 1, vb->vb_strvalue, arg);
398 if (len < 0) goto error;
399
400 fr_sbuff_trim_talloc(&sbuff, len);
402
403 /*
404 * Different databases have slightly different ideas as
405 * to what is safe. So we track the database type in the
406 * safe value. This means that we don't
407 * cross-contaminate "safe" values across databases.
408 */
409 fr_value_box_mark_safe_for(vb, inst->driver);
410
411 return 0;
412}
413
414static int sql_box_escape(fr_value_box_t *vb, void *uctx)
415{
416 return sql_xlat_escape(NULL, vb, uctx);
417}
418
419/** Escape a value to make it SQL safe.
420 *
421@verbatim
422%sql.escape(<value>)
423@endverbatim
424 *
425 * @ingroup xlat_functions
426 */
427static xlat_action_t sql_escape_xlat(UNUSED TALLOC_CTX *ctx, fr_dcursor_t *out, xlat_ctx_t const *xctx,
428 request_t *request, fr_value_box_list_t *in)
429{
430 rlm_sql_t const *inst = talloc_get_type_abort(xctx->mctx->mi->data, rlm_sql_t);
431 fr_value_box_t *vb;
432 rlm_sql_escape_uctx_t *escape_uctx = NULL;
433
434 while ((vb = fr_value_box_list_pop_head(in))) {
435 if (fr_value_box_is_safe_for(vb, inst->driver)) goto append;
436 if (!escape_uctx) escape_uctx = sql_escape_uctx_alloc(request, inst);
437 sql_box_escape(vb, escape_uctx);
438 append:
440 }
441 return XLAT_ACTION_DONE;
442}
443
444static xlat_action_t sql_xlat_query_resume(TALLOC_CTX *ctx, fr_dcursor_t *out, xlat_ctx_t const *xctx,
445 request_t *request, UNUSED fr_value_box_list_t *in)
446{
447 fr_sql_query_t *query_ctx = talloc_get_type_abort(xctx->rctx, fr_sql_query_t);
448 rlm_sql_t const *inst = query_ctx->inst;
449 fr_value_box_t *vb;
451 int numaffected;
452
453 fr_assert(query_ctx->type == SQL_QUERY_OTHER);
454
455 switch (query_ctx->rcode) {
457 case RLM_SQL_ERROR:
460 query_ctx->rcode, "<INVALID>"));
461 rlm_sql_print_error(inst, request, query_ctx, false);
462 ret = XLAT_ACTION_FAIL;
463 goto finish;
464
465 default:
466 break;
467 }
468
469 numaffected = (inst->driver->sql_affected_rows)(query_ctx, &inst->config);
470 if (numaffected < 1) {
471 RDEBUG2("SQL query affected no rows");
472 numaffected = 0;
473 }
474
475 MEM(vb = fr_value_box_alloc_null(ctx));
476 fr_value_box_uint32(vb, NULL, (uint32_t)numaffected, false);
478
479finish:
480 talloc_free(query_ctx);
481
482 return ret;
483}
484
485static xlat_action_t sql_xlat_select_resume(TALLOC_CTX *ctx, fr_dcursor_t *out, xlat_ctx_t const *xctx,
486 request_t *request, UNUSED fr_value_box_list_t *in)
487{
488 fr_sql_query_t *query_ctx = talloc_get_type_abort(xctx->rctx, fr_sql_query_t);
489 rlm_sql_t const *inst = query_ctx->inst;
490 fr_value_box_t *vb;
492 unlang_result_t p_result;
493 rlm_sql_row_t row;
494 bool fetched = false;
495
496 fr_assert(query_ctx->type == SQL_QUERY_SELECT);
497
498 if (query_ctx->rcode != RLM_SQL_OK) {
499 query_error:
501 query_ctx->rcode, "<INVALID>"));
502 rlm_sql_print_error(inst, request, query_ctx, false);
503 ret = XLAT_ACTION_FAIL;
504 goto finish;
505 }
506
507 do {
508 inst->fetch_row(&p_result, request, query_ctx);
509 row = query_ctx->row;
510 switch (query_ctx->rcode) {
511 case RLM_SQL_OK:
512 if (row[0]) break;
513
514 RDEBUG2("NULL value in first column of result");
515 goto finish;
516
518 if (!fetched) RDEBUG2("SQL query returned no results");
519 goto finish;
520
521 default:
522 goto query_error;
523 }
524
525 fetched = true;
526
527 MEM(vb = fr_value_box_alloc_null(ctx));
528 fr_value_box_strdup(vb, vb, NULL, row[0], false);
530
531 } while (1);
532
533finish:
534 talloc_free(query_ctx);
535
536 return ret;
537}
538
539/** Execute an arbitrary SQL query
540 *
541 * For SELECTs, the values of the first column will be returned.
542 * For INSERTS, UPDATEs and DELETEs, the number of rows affected will
543 * be returned instead.
544 *
545@verbatim
546%sql(<sql statement>)
547@endverbatim
548 *
549 * @ingroup xlat_functions
550 */
551static xlat_action_t sql_xlat(TALLOC_CTX *ctx, fr_dcursor_t *out,
552 xlat_ctx_t const *xctx,
553 request_t *request, fr_value_box_list_t *in)
554{
555 sql_xlat_call_env_t *call_env = talloc_get_type_abort(xctx->env_data, sql_xlat_call_env_t);
556 rlm_sql_t const *inst = talloc_get_type_abort(xctx->mctx->mi->data, rlm_sql_t);
557 rlm_sql_thread_t *thread = talloc_get_type_abort(xctx->mctx->thread, rlm_sql_thread_t);
558 char const *p;
559 fr_value_box_t *arg = fr_value_box_list_head(in);
560 fr_sql_query_t *query_ctx = NULL;
562
563 if (call_env->filename.type == FR_TYPE_STRING && call_env->filename.vb_length > 0) {
564 rlm_sql_query_log(inst, call_env->filename.vb_strvalue, arg->vb_strvalue);
565 }
566
567 p = arg->vb_strvalue;
568
569 /*
570 * Trim whitespace for the prefix check
571 */
573
574 /*
575 * If the query starts with any of the following prefixes,
576 * then return the number of rows affected
577 */
578 if ((strncasecmp(p, "insert", 6) == 0) ||
579 (strncasecmp(p, "update", 6) == 0) ||
580 (strncasecmp(p, "delete", 6) == 0)) {
581 MEM(query_ctx = fr_sql_query_alloc(unlang_interpret_frame_talloc_ctx(request), inst, request,
582 thread->trunk, arg->vb_strvalue, SQL_QUERY_OTHER));
583
584 unlang_xlat_yield(request, sql_xlat_query_resume, NULL, 0, query_ctx);
585
586 /* Modify current frame's rcode directly */
587 query_ret = inst->query(unlang_interpret_result(request), request, query_ctx);
589
590 return sql_xlat_query_resume(ctx, out, &(xlat_ctx_t){.rctx = query_ctx, .inst = inst}, request, in);
591 } /* else it's a SELECT statement */
592
593 MEM(query_ctx = fr_sql_query_alloc(unlang_interpret_frame_talloc_ctx(request), inst, request,
594 thread->trunk, arg->vb_strvalue, SQL_QUERY_SELECT));
595
596 unlang_xlat_yield(request, sql_xlat_select_resume, NULL, 0, query_ctx);
597
598 if (unlang_function_push_with_result(/* discard, sql_xlat_select_resume just uses query_ctx->rcode */ NULL,
599 request,
600 inst->select,
601 NULL,
602 NULL, 0,
605}
606
607/** Execute an arbitrary SQL query, expecting results to be returned
608 *
609@verbatim
610%sql.fetch(<sql statement>)
611@endverbatim
612 *
613 * @ingroup xlat_functions
614 */
616 request_t *request, fr_value_box_list_t *in)
617{
618 sql_xlat_call_env_t *call_env = talloc_get_type_abort(xctx->env_data, sql_xlat_call_env_t);
619 rlm_sql_t const *inst = talloc_get_type_abort(xctx->mctx->mi->data, rlm_sql_t);
620 rlm_sql_thread_t *thread = talloc_get_type_abort(xctx->mctx->thread, rlm_sql_thread_t);
621 fr_value_box_t *arg = fr_value_box_list_head(in);
622 fr_sql_query_t *query_ctx = NULL;
623
624 if (call_env->filename.type == FR_TYPE_STRING && call_env->filename.vb_length > 0) {
625 rlm_sql_query_log(inst, call_env->filename.vb_strvalue, arg->vb_strvalue);
626 }
627
628 MEM(query_ctx = fr_sql_query_alloc(unlang_interpret_frame_talloc_ctx(request), inst, request,
629 thread->trunk, arg->vb_strvalue, SQL_QUERY_SELECT));
630
631 unlang_xlat_yield(request, sql_xlat_select_resume, NULL, 0, query_ctx);
632 if (unlang_function_push_with_result(/* discard, sql_xlat_select_resume just uses query_ctx->rcode */NULL,
633 request,
634 inst->select,
635 NULL,
636 NULL, 0,
639}
640
641/** Execute an arbitrary SQL query, returning the number of rows affected
642 *
643@verbatim
644%sql.modify(<sql statement>)
645@endverbatim
646 *
647 * @ingroup xlat_functions
648 */
649static xlat_action_t sql_modify_xlat(TALLOC_CTX *ctx, fr_dcursor_t *out, xlat_ctx_t const *xctx,
650 request_t *request, fr_value_box_list_t *in)
651{
652 sql_xlat_call_env_t *call_env = talloc_get_type_abort(xctx->env_data, sql_xlat_call_env_t);
653 rlm_sql_t const *inst = talloc_get_type_abort(xctx->mctx->mi->data, rlm_sql_t);
654 rlm_sql_thread_t *thread = talloc_get_type_abort(xctx->mctx->thread, rlm_sql_thread_t);
655 fr_value_box_t *arg = fr_value_box_list_head(in);
656 fr_sql_query_t *query_ctx = NULL;
657
658 if (call_env->filename.type == FR_TYPE_STRING && call_env->filename.vb_length > 0) {
659 rlm_sql_query_log(inst, call_env->filename.vb_strvalue, arg->vb_strvalue);
660 }
661
662 MEM(query_ctx = fr_sql_query_alloc(unlang_interpret_frame_talloc_ctx(request), inst, request,
663 thread->trunk, arg->vb_strvalue, SQL_QUERY_OTHER));
664
665 unlang_xlat_yield(request, sql_xlat_query_resume, NULL, 0, query_ctx);
666 /* Write out the result directly to this frame's rcode */
667 if (inst->query(unlang_interpret_result(request), request, query_ctx) == UNLANG_ACTION_PUSHED_CHILD) return XLAT_ACTION_PUSH_UNLANG;
668
669 return sql_xlat_query_resume(ctx, out, &(xlat_ctx_t){.rctx = query_ctx, .inst = inst}, request, in);
670}
671
672/** Converts a string value into a #fr_pair_t
673 *
674 * @param[in,out] ctx to allocate #fr_pair_t (s).
675 * @param[out] out where to write the resulting #fr_pair_t.
676 * @param[in] request The current request.
677 * @param[in] map to process.
678 * @param[in] uctx The value to parse.
679 * @return
680 * - 0 on success.
681 * - -1 on failure.
682 */
683static int _sql_map_proc_get_value(TALLOC_CTX *ctx, fr_pair_list_t *out,
684 request_t *request, map_t const *map, void *uctx)
685{
686 fr_pair_t *vp;
687 char const *value = uctx;
688
690 if (!vp) return -1;
691
692 /*
693 * Buffer not always talloced, sometimes it's
694 * just a pointer to a field in a result struct.
695 */
696 if (fr_pair_value_from_str(vp, value, strlen(value), NULL, true) < 0) {
697 RPEDEBUG("Failed parsing value \"%pV\" for attribute %s",
700 return -1;
701 }
703
704 return 0;
705}
706
707/*
708 * Verify the result of the map.
709 */
710static int sql_map_verify(CONF_SECTION *cs, UNUSED void const *mod_inst, UNUSED void *proc_inst,
711 tmpl_t const *src, UNUSED map_list_t const *maps)
712{
713 if (!src) {
714 cf_log_err(cs, "Missing SQL query");
715
716 return -1;
717 }
718
719 return 0;
720}
721
722#define MAX_SQL_FIELD_INDEX (64)
723
724/** Process the results of an SQL map query
725 *
726 * @param p_result Result of map expansion:
727 * - #RLM_MODULE_NOOP no rows were returned or columns matched.
728 * - #RLM_MODULE_UPDATED if one or more #fr_pair_t were added to the #request_t.
729 * - #RLM_MODULE_FAIL if a fault occurred.
730 * @param mpctx Map context, containing the module instance.
731 * @param request The current request.
732 * @param query string to execute.
733 * @param maps Head of the map list.
734 * @return UNLANG_ACTION_CALCULATE_RESULT
735 */
736static unlang_action_t mod_map_resume(unlang_result_t *p_result, map_ctx_t const *mpctx, request_t *request,
737 UNUSED fr_value_box_list_t *query, map_list_t const *maps)
738{
739 fr_sql_query_t *query_ctx = talloc_get_type_abort(mpctx->rctx, fr_sql_query_t);
740 rlm_sql_t const *inst = mpctx->moi;
741 map_t const *map;
743 sql_rcode_t ret;
744 char const **fields = NULL, *map_rhs;
745 rlm_sql_row_t row;
746 int i, j, field_cnt, rows = 0;
747 int field_index[MAX_SQL_FIELD_INDEX];
748 char map_rhs_buff[128];
749 bool found_field = false; /* Did we find any matching fields in the result set ? */
750
751 if (query_ctx->rcode != RLM_SQL_OK) {
752 RERROR("SQL query failed: %s", fr_table_str_by_value(sql_rcode_description_table, query_ctx->rcode, "<INVALID>"));
753 rcode = RLM_MODULE_FAIL;
754 goto finish;
755 }
756
757 /*
758 * Not every driver provides an sql_num_rows function
759 */
760 if (inst->driver->sql_num_rows) {
761 ret = inst->driver->sql_num_rows(query_ctx, &inst->config);
762 if (ret == 0) {
763 RDEBUG2("Server returned an empty result");
764 rcode = RLM_MODULE_NOTFOUND;
765 goto finish;
766 }
767
768 if (ret < 0) {
769 RERROR("Failed retrieving row count");
770 error:
771 rcode = RLM_MODULE_FAIL;
772 goto finish;
773 }
774 }
775
776 for (i = 0; i < MAX_SQL_FIELD_INDEX; i++) field_index[i] = -1;
777
778 /*
779 * Map proc only registered if driver provides an sql_fields function
780 */
781 ret = (inst->driver->sql_fields)(&fields, query_ctx, &inst->config);
782 if (ret != RLM_SQL_OK) {
783 RERROR("Failed retrieving field names: %s", fr_table_str_by_value(sql_rcode_description_table, ret, "<INVALID>"));
784 goto error;
785 }
786 fr_assert(fields);
787 field_cnt = talloc_array_length(fields);
788
789 if (RDEBUG_ENABLED3) for (j = 0; j < field_cnt; j++) RDEBUG3("Got field: %s", fields[j]);
790
791 /*
792 * Iterate over the maps, it's O(N2)ish but probably
793 * faster than building a radix tree each time the
794 * map set is evaluated (map->rhs can be dynamic).
795 */
796 for (map = map_list_head(maps), i = 0;
797 map && (i < MAX_SQL_FIELD_INDEX);
798 map = map_list_next(maps, map), i++) {
799 /*
800 * Expand the RHS to get the name of the SQL field
801 */
802 if (tmpl_expand(&map_rhs, map_rhs_buff, sizeof(map_rhs_buff),
803 request, map->rhs) < 0) {
804 RPERROR("Failed getting field name");
805 goto error;
806 }
807
808 for (j = 0; j < field_cnt; j++) {
809 if (strcasecmp(fields[j], map_rhs) != 0) continue;
810 field_index[i] = j;
811 found_field = true;
812 }
813 }
814
815 /*
816 * Couldn't resolve any map RHS values to fields
817 * in the result set.
818 */
819 if (!found_field) {
820 RDEBUG2("No fields matching map found in query result");
821 rcode = RLM_MODULE_NOOP;
822 goto finish;
823 }
824
825 /*
826 * We've resolved all the maps to result indexes, now convert
827 * the values at those indexes into fr_pair_ts.
828 *
829 * Note: Not all SQL client libraries provide a row count,
830 * so we have to do the count here.
831 */
832 while ((inst->fetch_row(p_result, request, query_ctx) == UNLANG_ACTION_CALCULATE_RESULT) &&
833 (query_ctx->rcode == RLM_SQL_OK)) {
834 row = query_ctx->row;
835 rows++;
836 for (map = map_list_head(maps), j = 0;
837 map && (j < MAX_SQL_FIELD_INDEX);
838 map = map_list_next(maps, map), j++) {
839 if (field_index[j] < 0) continue; /* We didn't find the map RHS in the field set */
840 if (!row[field_index[j]]) {
841 RDEBUG2("Database returned NULL for %s", fields[j]);
842 continue;
843 }
844 if (map_to_request(request, map, _sql_map_proc_get_value, row[field_index[j]]) < 0) goto error;
845 }
846 }
847
848 if (query_ctx->rcode == RLM_SQL_ERROR) goto error;
849
850 if (rows == 0) {
851 RDEBUG2("SQL query returned no results");
852 rcode = RLM_MODULE_NOTFOUND;
853 }
854
855finish:
856 talloc_free(fields);
857 talloc_free(query_ctx);
858
859 RETURN_UNLANG_RCODE(rcode);
860}
861
862/** Executes a SELECT query and maps the result to server attributes
863 *
864 * @param p_result Result of map expansion:
865 * - #RLM_MODULE_NOOP no rows were returned or columns matched.
866 * - #RLM_MODULE_UPDATED if one or more #fr_pair_t were added to the #request_t.
867 * - #RLM_MODULE_FAIL if a fault occurred.
868 * @param mpctx Map context, containing the module instance.
869 * @param request The current request.
870 * @param query string to execute.
871 * @param maps Head of the map list.
872 * @return UNLANG_ACTION_CALCULATE_RESULT
873 */
874static unlang_action_t mod_map_proc(unlang_result_t *p_result, map_ctx_t const *mpctx, request_t *request,
875 fr_value_box_list_t *query, UNUSED map_list_t const *maps)
876{
878 rlm_sql_thread_t *thread = talloc_get_type_abort(module_thread(inst->mi)->data, rlm_sql_thread_t);
879 fr_value_box_t *query_head = fr_value_box_list_head(query);
880 fr_sql_query_t *query_ctx = NULL;
881 fr_value_box_t *vb = NULL;
882 rlm_sql_escape_uctx_t *escape_uctx = NULL;
883
884 fr_assert(inst->driver->sql_fields); /* Should have been caught during validation... */
885
886 if (!query_head) {
887 REDEBUG("Query cannot be (null)");
889 }
890
891 while ((vb = fr_value_box_list_next(query, vb))) {
892 if (fr_value_box_is_safe_for(vb, inst->driver)) continue;
893 if (!escape_uctx) escape_uctx = sql_escape_uctx_alloc(request, inst);
894 sql_box_escape(vb, escape_uctx);
895 }
896
898 query_head, query, FR_TYPE_STRING,
900 SIZE_MAX) < 0) {
901 RPEDEBUG("Failed concatenating input string");
903 }
904
905 query_ctx = fr_sql_query_alloc(unlang_interpret_frame_talloc_ctx(request), inst, request,
906 thread->trunk, query_head->vb_strvalue, SQL_QUERY_SELECT);
907
908 if (unlang_map_yield(request, mod_map_resume, NULL, 0, query_ctx) != UNLANG_ACTION_YIELD) RETURN_UNLANG_FAIL;
909 return unlang_function_push_with_result(/* discard, mod_map_resume just uses query_ctx->rcode */ NULL,
910 request,
911 inst->select,
912 NULL,
913 NULL,
915 query_ctx);
916}
917
918/** xlat escape function for drivers which do not provide their own
919 *
920 */
921static ssize_t sql_escape_func(UNUSED request_t *request, char *out, size_t outlen, char const *in, void *arg)
922{
924 size_t len = 0;
925
926 while (in[0]) {
927 size_t utf8_len;
928
929 /*
930 * Allow all multi-byte UTF8 characters.
931 */
932 utf8_len = fr_utf8_char((uint8_t const *) in, -1);
933 if (utf8_len > 1) {
934 if (outlen <= utf8_len) break;
935
936 memcpy(out, in, utf8_len);
937 in += utf8_len;
938 out += utf8_len;
939
940 outlen -= utf8_len;
941 len += utf8_len;
942 continue;
943 }
944
945 /*
946 * Because we register our own escape function
947 * we're now responsible for escaping all special
948 * chars in an xlat expansion or attribute value.
949 */
950 switch (in[0]) {
951 case '\n':
952 if (outlen <= 2) break;
953 out[0] = '\\';
954 out[1] = 'n';
955
956 in++;
957 out += 2;
958 outlen -= 2;
959 len += 2;
960 break;
961
962 case '\r':
963 if (outlen <= 2) break;
964 out[0] = '\\';
965 out[1] = 'r';
966
967 in++;
968 out += 2;
969 outlen -= 2;
970 len += 2;
971 break;
972
973 case '\t':
974 if (outlen <= 2) break;
975 out[0] = '\\';
976 out[1] = 't';
977
978 in++;
979 out += 2;
980 outlen -= 2;
981 len += 2;
982 break;
983 }
984
985 /*
986 * Non-printable characters get replaced with their
987 * mime-encoded equivalents.
988 */
989 if ((in[0] < 32) ||
990 strchr(inst->config.allowed_chars, *in) == NULL) {
991 /*
992 * Only 3 or less bytes available.
993 */
994 if (outlen <= 3) {
995 break;
996 }
997
998 snprintf(out, outlen, "=%02X", (unsigned char) in[0]);
999 in++;
1000 out += 3;
1001 outlen -= 3;
1002 len += 3;
1003 continue;
1004 }
1005
1006 /*
1007 * Only one byte left.
1008 */
1009 if (outlen <= 1) {
1010 break;
1011 }
1012
1013 /*
1014 * Allowed character.
1015 */
1016 *out = *in;
1017 out++;
1018 in++;
1019 outlen--;
1020 len++;
1021 }
1022 *out = '\0';
1023 return len;
1024}
1025
1026/*
1027 * Set the SQL user name.
1028 *
1029 * We don't call the escape function here. The resulting string
1030 * will be escaped later in the queries xlat so we don't need to
1031 * escape it twice. (it will make things wrong if we have an
1032 * escape candidate character in the username)
1033 */
1034static void sql_set_user(rlm_sql_t const *inst, request_t *request, fr_value_box_t *user)
1035{
1036 fr_pair_t *vp = NULL;
1037
1038 fr_assert(request->packet != NULL);
1039
1040 MEM(pair_update_request(&vp, inst->sql_user) >= 0);
1041 if(!user || (user->type != FR_TYPE_STRING)) {
1043 return;
1044 }
1045
1046 /*
1047 * Replace any existing SQL-User-Name with new value
1048 */
1049 fr_pair_value_bstrdup_buffer(vp, user->vb_strvalue, user->tainted);
1050 RDEBUG2("SQL-User-Name set to '%pV'", &vp->data);
1051}
1052
1053/*
1054 * Do a set/unset user, so it's a bit clearer what's going on.
1055 */
1056#define sql_unset_user(_i, _r) fr_pair_delete_by_da(&_r->request_pairs, _i->sql_user)
1057
1058
1063
1065{
1066 sql_group_ctx_t *group_ctx = talloc_get_type_abort(uctx, sql_group_ctx_t);
1067 fr_sql_query_t *query_ctx = group_ctx->query_ctx;
1068 rlm_sql_t const *inst = group_ctx->inst;
1069 rlm_sql_row_t row;
1070 rlm_sql_grouplist_t *entry = group_ctx->groups;
1071
1072 if (query_ctx->rcode != RLM_SQL_OK) {
1073 error:
1074 rlm_sql_print_error(inst, request, query_ctx, false);
1075 talloc_free(query_ctx);
1077 }
1078
1079 while ((inst->fetch_row(p_result, request, query_ctx) == UNLANG_ACTION_CALCULATE_RESULT) &&
1080 (query_ctx->rcode == RLM_SQL_OK)) {
1081 row = query_ctx->row;
1082 if (!row[0]){
1083 RDEBUG2("row[0] returned NULL");
1084 goto error;
1085 }
1086
1087 if (!entry) {
1088 group_ctx->groups = talloc_zero(group_ctx, rlm_sql_grouplist_t);
1089 entry = group_ctx->groups;
1090 } else {
1091 entry->next = talloc_zero(group_ctx, rlm_sql_grouplist_t);
1092 entry = entry->next;
1093 }
1094 entry->next = NULL;
1095 entry->name = talloc_typed_strdup(entry, row[0]);
1096
1097 group_ctx->num_groups++;
1098 }
1099
1100 talloc_free(query_ctx);
1102}
1103
1105{
1106 rlm_sql_t const *inst = group_ctx->inst;
1107
1108 /* NOTE: sql_set_user should have been run before calling this function */
1109
1110 if (!group_ctx->query || (group_ctx->query->vb_length == 0)) return UNLANG_ACTION_CALCULATE_RESULT;
1111
1112 MEM(group_ctx->query_ctx = fr_sql_query_alloc(group_ctx, inst, request, trunk,
1113 group_ctx->query->vb_strvalue, SQL_QUERY_SELECT));
1114
1115 if (unlang_function_push_with_result(/* sql_get_grouplist_resume translates the query_ctx->rocde into a module rcode */p_result,
1116 request,
1117 NULL,
1119 NULL,
1121 group_ctx) < 0) return UNLANG_ACTION_FAIL;
1122
1123 return unlang_function_push_with_result(/* discard, sql_get_grouplist_resume translates rcodes */NULL,
1124 request,
1125 inst->select,
1126 NULL,
1127 NULL, 0,
1128 UNLANG_SUB_FRAME, group_ctx->query_ctx);
1129}
1130
1131typedef struct {
1132 fr_value_box_list_t query;
1135
1136/** Compare list of groups returned from SQL query to xlat argument.
1137 *
1138 * Called after the SQL query has completed and group list has been built.
1139 */
1141 UNUSED request_t *request, fr_value_box_list_t *in)
1142{
1143 sql_group_xlat_ctx_t *xlat_ctx = talloc_get_type_abort(xctx->rctx, sql_group_xlat_ctx_t);
1144 sql_group_ctx_t *group_ctx = talloc_get_type_abort(xlat_ctx->group_ctx, sql_group_ctx_t);
1145 fr_value_box_t *arg = fr_value_box_list_head(in);
1146 char const *name = arg->vb_strvalue;
1147 fr_value_box_t *vb;
1148 rlm_sql_grouplist_t *entry;
1149
1151
1153 for (entry = group_ctx->groups; entry != NULL; entry = entry->next) {
1154 if (strcmp(entry->name, name) == 0) {
1155 vb->vb_bool = true;
1156 break;
1157 }
1158 }
1160
1162
1163 return XLAT_ACTION_DONE;
1164}
1165
1166/** Run SQL query for group membership to return list of groups
1167 *
1168 * Called after group membership query tmpl is expanded
1169 */
1171 request_t *request, UNUSED fr_value_box_list_t *in)
1172{
1173 sql_group_xlat_ctx_t *xlat_ctx = talloc_get_type_abort(xctx->rctx, sql_group_xlat_ctx_t);
1174 rlm_sql_t const *inst = talloc_get_type_abort(xctx->mctx->mi->data, rlm_sql_t);
1175 rlm_sql_thread_t *thread = talloc_get_type_abort(xctx->mctx->thread, rlm_sql_thread_t);
1176 fr_value_box_t *query;
1177
1178 query = fr_value_box_list_head(&xlat_ctx->query);
1179 if (!query) return XLAT_ACTION_FAIL;
1180
1181 MEM(xlat_ctx->group_ctx = talloc(xlat_ctx, sql_group_ctx_t));
1182
1183 *xlat_ctx->group_ctx = (sql_group_ctx_t) {
1184 .inst = inst,
1185 .query = query,
1186 };
1187
1189
1190 if (sql_get_grouplist(NULL, xlat_ctx->group_ctx, thread->trunk, request) != UNLANG_ACTION_PUSHED_CHILD) {
1191 return XLAT_ACTION_FAIL;
1192 }
1193
1195}
1196
1197
1198/** Check if the user is a member of a particular group
1199 *
1200@verbatim
1201%sql.group(<name>)
1202@endverbatim
1203 *
1204 * @ingroup xlat_functions
1205 */
1207 request_t *request, UNUSED fr_value_box_list_t *in)
1208{
1209 sql_group_xlat_call_env_t *call_env = talloc_get_type_abort(xctx->env_data, sql_group_xlat_call_env_t);
1211 rlm_sql_t const *inst = talloc_get_type_abort(xctx->mctx->mi->data, rlm_sql_t);
1212
1213 if (!call_env->membership_query) {
1214 RWARN("Cannot check group membership - group_membership_query not set");
1215 return XLAT_ACTION_FAIL;
1216 }
1217
1218 /*
1219 * Set the user attr here
1220 */
1221 sql_set_user(inst, request, &call_env->user);
1222
1224 fr_value_box_list_init(&xlat_ctx->query);
1225
1227 if (unlang_tmpl_push(xlat_ctx, NULL, &xlat_ctx->query, request, call_env->membership_query, NULL, UNLANG_SUB_FRAME) < 0) return XLAT_ACTION_FAIL;
1229}
1230
1231/** Process a "check" map
1232 *
1233 * Any entries using an assignment operator will be moved to the reply map
1234 * for later merging into the request.
1235 *
1236 * @param request Current request.
1237 * @param check_map to process.
1238 * @param reply_map where any assignment entries will be moved.
1239 * @return
1240 * - 0 if all the check entries pass.
1241 * - -1 if the checks fail.
1242 */
1243static int check_map_process(request_t *request, map_list_t *check_map, map_list_t *reply_map)
1244{
1245 map_t *map, *next;
1246
1247 for (map = map_list_head(check_map);
1248 map != NULL;
1249 map = next) {
1250 next = map_list_next(check_map, map);
1251
1252 if (fr_assignment_op[map->op]) {
1253 (void) map_list_remove(check_map, map);
1254 map_list_insert_tail(reply_map, map);
1255 continue;
1256 }
1257
1258 if (!fr_comparison_op[map->op]) {
1259 REDEBUG("Invalid operator '%s'", fr_tokens[map->op]);
1260 goto fail;
1261 }
1262
1263 if (fr_type_is_structural(tmpl_attr_tail_da(map->lhs)->type) &&
1264 (map->op != T_OP_CMP_TRUE) && (map->op != T_OP_CMP_FALSE)) {
1265 REDEBUG("Invalid comparison for structural type");
1266 goto fail;
1267 }
1268
1269 RDEBUG2(" &%s %s %s", map->lhs->name, fr_tokens[map->op], map->rhs->name);
1270 if (radius_legacy_map_cmp(request, map) != 1) {
1271 fail:
1272 map_list_talloc_free(check_map);
1273 map_list_talloc_free(reply_map);
1274 RDEBUG2("failed match: skipping this entry");
1275 return -1;
1276 }
1277 }
1278 return 0;
1279}
1280
1282{
1283 if (!to_free->inst->sql_escape_arg) (void) request_data_get(to_free->request, (void *)sql_escape_uctx_alloc, 0);
1284 map_list_talloc_free(&to_free->check_tmp);
1285 map_list_talloc_free(&to_free->reply_tmp);
1286 sql_unset_user(to_free->inst, to_free->request);
1287
1288 return 0;
1289}
1290
1291/** Resume function called after authorization group / profile expansion of check / reply query tmpl
1292 *
1293 * Groups and profiles are treated almost identically except:
1294 * - groups are read from an SQL query
1295 * - profiles are read from &control.User-Profile
1296 * - if `cache_groups` is set, groups populate &control.SQL-Group
1297 *
1298 * Profiles are handled after groups, and will not happend if the last group resulted in `Fall-Through = no`
1299 *
1300 * Before each query is run, &request.SQL-Group is populated with the value of the group being evaluated.
1301 *
1302 * @param p_result Result of current authorization.
1303 * @param mctx Current request.
1304 * @param request Current authorization context.
1305 * @return one of the RLM_MODULE_* values.
1306 */
1308{
1309 sql_autz_ctx_t *autz_ctx = talloc_get_type_abort(mctx->rctx, sql_autz_ctx_t);
1310 sql_autz_call_env_t *call_env = autz_ctx->call_env;
1311 sql_group_ctx_t *group_ctx = autz_ctx->group_ctx;
1312 fr_sql_map_ctx_t *map_ctx = autz_ctx->map_ctx;
1313 rlm_sql_t const *inst = autz_ctx->inst;
1314 fr_value_box_t *query = fr_value_box_list_pop_head(&autz_ctx->query);
1315 sql_fall_through_t do_fall_through = FALL_THROUGH_DEFAULT;
1316 fr_pair_t *vp;
1317
1318 switch (p_result->rcode) {
1321
1322 default:
1323 break;
1324 }
1325
1326 switch(autz_ctx->status) {
1328 if (!query) RETURN_UNLANG_FAIL;
1330 MEM(autz_ctx->group_ctx = talloc(autz_ctx, sql_group_ctx_t));
1331 *autz_ctx->group_ctx = (sql_group_ctx_t) {
1332 .inst = inst,
1333 .query = query,
1334 };
1335
1336 if (sql_get_grouplist(p_result, autz_ctx->group_ctx, autz_ctx->trunk, request) == UNLANG_ACTION_PUSHED_CHILD) {
1339 }
1340
1341 group_ctx = autz_ctx->group_ctx;
1342
1344
1346 talloc_free(group_ctx->query);
1347
1348 if (group_ctx->num_groups == 0) {
1349 RDEBUG2("User not found in any groups");
1350 break;
1351 }
1352 fr_assert(group_ctx->groups);
1353
1354 RDEBUG2("User found in the group table");
1355 autz_ctx->user_found = true;
1356 autz_ctx->group = group_ctx->groups;
1357 MEM(pair_update_request(&autz_ctx->sql_group, inst->group_da) >= 0);
1358
1359 next_group:
1360 fr_pair_value_strdup(autz_ctx->sql_group, autz_ctx->group->name, true);
1361 autz_ctx->status = SQL_AUTZ_GROUP_CHECK;
1363
1365 next_profile:
1366 if (autz_ctx->status & SQL_AUTZ_STAGE_PROFILE) {
1367 fr_pair_value_strdup(autz_ctx->sql_group, autz_ctx->profile->vp_strvalue, true);
1368 autz_ctx->status = SQL_AUTZ_PROFILE_CHECK;
1369 }
1370 RDEBUG3("Processing %s %pV",
1371 autz_ctx->status & SQL_AUTZ_STAGE_GROUP ? "group" : "profile", &autz_ctx->sql_group->data);
1372 if (inst->config.cache_groups && autz_ctx->status & SQL_AUTZ_STAGE_GROUP) {
1373 MEM(pair_append_control(&vp, inst->group_da) >= 0);
1374 fr_pair_value_strdup(vp, autz_ctx->group->name, true);
1375 }
1376
1377 if (call_env->group_check_query) {
1379 if (unlang_tmpl_push(autz_ctx, NULL, &autz_ctx->query, request,
1382 }
1383
1384 if (call_env->group_reply_query) goto group_reply_push;
1385
1386 break;
1387
1390 if (!query) RETURN_UNLANG_FAIL;
1391 *autz_ctx->map_ctx = (fr_sql_map_ctx_t) {
1392 .ctx = autz_ctx,
1393 .inst = inst,
1394 .out = &autz_ctx->check_tmp,
1395 .list = request_attr_request,
1396 .query = query,
1397 };
1398
1400 if (sql_get_map_list(p_result, request, map_ctx, autz_ctx->trunk) == UNLANG_ACTION_PUSHED_CHILD) {
1403 }
1404
1406
1409 talloc_free(map_ctx->query);
1410
1411 /*
1412 * If we got check rows we need to process them before we decide to
1413 * process the reply rows
1414 */
1415 if (map_ctx->rows > 0) {
1416 if (check_map_process(request, &autz_ctx->check_tmp, &autz_ctx->reply_tmp) < 0) {
1417 map_list_talloc_free(&autz_ctx->check_tmp);
1418 goto next_group_find;
1419 }
1420 RDEBUG2("%s \"%pV\": Conditional check items matched",
1421 autz_ctx->status & SQL_AUTZ_STAGE_GROUP ? "Group" : "Profile", &autz_ctx->sql_group->data);
1422 } else {
1423 RDEBUG2("%s \"%pV\": Conditional check items matched (empty)",
1424 autz_ctx->status & SQL_AUTZ_STAGE_GROUP ? "Group" : "Profile", &autz_ctx->sql_group->data);
1425 }
1426
1427 if (autz_ctx->rcode == RLM_MODULE_NOOP) autz_ctx->rcode = RLM_MODULE_OK;
1428
1429 map_list_talloc_free(&autz_ctx->check_tmp);
1430
1431 if (call_env->group_reply_query) {
1432 group_reply_push:
1434 if (unlang_tmpl_push(autz_ctx, NULL, &autz_ctx->query, request,
1438 }
1439
1440 if (map_list_num_elements(&autz_ctx->reply_tmp)) goto group_attr_cache;
1441
1442 goto next_group_find;
1443
1446 if (!query) RETURN_UNLANG_FAIL;
1447 *autz_ctx->map_ctx = (fr_sql_map_ctx_t) {
1448 .ctx = autz_ctx,
1449 .inst = inst,
1450 .out = &autz_ctx->reply_tmp,
1451 .list = request_attr_reply,
1452 .query = query,
1453 .expand_rhs = true,
1454 };
1455
1457 if (sql_get_map_list(p_result, request, map_ctx, autz_ctx->trunk) == UNLANG_ACTION_PUSHED_CHILD) {
1460 }
1461
1463
1466 talloc_free(map_ctx->query);
1467
1468 if (map_ctx->rows == 0) {
1469 do_fall_through = FALL_THROUGH_DEFAULT;
1470 goto group_attr_cache;
1471 }
1472
1473 fr_assert(!map_list_empty(&autz_ctx->reply_tmp)); /* coverity, among others */
1474 do_fall_through = fall_through(&autz_ctx->reply_tmp);
1475
1476 group_attr_cache:
1477 if (inst->config.cache_groups && autz_ctx->status & SQL_AUTZ_STAGE_GROUP) {
1478 MEM(pair_append_control(&vp, inst->group_da) >= 0);
1479 fr_pair_value_strdup(vp, autz_ctx->group->name, true);
1480 }
1481
1482 if (map_list_num_elements(&autz_ctx->reply_tmp) == 0) goto next_group_find;
1483 RDEBUG2("%s \"%pV\": Merging control and reply items",
1484 autz_ctx->status & SQL_AUTZ_STAGE_GROUP ? "Group" : "Profile", &autz_ctx->sql_group->data);
1485 autz_ctx->rcode = RLM_MODULE_UPDATED;
1486
1487 RINDENT();
1488 if (radius_legacy_map_list_apply(request, &autz_ctx->reply_tmp, NULL) < 0) {
1489 RPEDEBUG("Failed applying reply item");
1490 REXDENT();
1492 }
1493 REXDENT();
1494 map_list_talloc_free(&autz_ctx->reply_tmp);
1495
1496 next_group_find:
1497 if (do_fall_through != FALL_THROUGH_YES) break;
1498 if (autz_ctx->status & SQL_AUTZ_STAGE_PROFILE) {
1499 autz_ctx->profile = fr_pair_find_by_da(&request->control_pairs, autz_ctx->profile, attr_user_profile);
1500 if (autz_ctx->profile) goto next_profile;
1501 break;
1502 }
1503 autz_ctx->group = autz_ctx->group->next;
1504 if (autz_ctx->group) goto next_group;
1505
1506 break;
1507
1508 default:
1509 fr_assert(0);
1510 }
1511
1512 /*
1513 * If group processing has completed, check to see if profile processing should be done
1514 */
1515 if ((autz_ctx->status & SQL_AUTZ_STAGE_GROUP) &&
1516 ((do_fall_through == FALL_THROUGH_YES) ||
1517 (inst->config.read_profiles && (do_fall_through == FALL_THROUGH_DEFAULT)))) {
1518 RDEBUG3("... falling-through to profile processing");
1519
1520 autz_ctx->profile = fr_pair_find_by_da(&request->control_pairs, NULL, attr_user_profile);
1521 if (autz_ctx->profile) {
1522 MEM(pair_update_request(&autz_ctx->sql_group, inst->group_da) >= 0);
1523 autz_ctx->status = SQL_AUTZ_PROFILE_START;
1524 goto next_profile;
1525 }
1526 }
1527
1528 if (!autz_ctx->user_found) RETURN_UNLANG_NOTFOUND;
1529
1530 RETURN_UNLANG_RCODE(autz_ctx->rcode);
1531}
1532
1533/** Resume function called after authorization check / reply tmpl expansion
1534 *
1535 * @param p_result Result of current authorization.
1536 * @param mctx Module call ctx.
1537 * @param request Current request.
1538 * @return one of the RLM_MODULE_* values.
1539 */
1541{
1542 sql_autz_ctx_t *autz_ctx = talloc_get_type_abort(mctx->rctx, sql_autz_ctx_t);
1543 sql_autz_call_env_t *call_env = autz_ctx->call_env;
1544 rlm_sql_t const *inst = autz_ctx->inst;
1545 fr_value_box_t *query = fr_value_box_list_pop_head(&autz_ctx->query);
1546 sql_fall_through_t do_fall_through = FALL_THROUGH_DEFAULT;
1547 fr_sql_map_ctx_t *map_ctx = autz_ctx->map_ctx;
1548
1549 /*
1550 * If a previous async call returned one of the "failure" results just return.
1551 */
1552 switch (p_result->rcode) {
1555
1556 default:
1557 break;
1558 }
1559
1560 switch(autz_ctx->status) {
1561 case SQL_AUTZ_CHECK:
1562 if (!query) RETURN_UNLANG_FAIL;
1563 *autz_ctx->map_ctx = (fr_sql_map_ctx_t) {
1564 .ctx = autz_ctx,
1565 .inst = inst,
1566 .out = &autz_ctx->check_tmp,
1567 .list = request_attr_request,
1568 .query = query,
1569 };
1570
1572 if (sql_get_map_list(p_result, request, map_ctx, autz_ctx->trunk) == UNLANG_ACTION_PUSHED_CHILD){
1573 autz_ctx->status = SQL_AUTZ_CHECK_RESUME;
1575 }
1576
1578
1580 talloc_free(map_ctx->query);
1581
1582 if (map_ctx->rows == 0) goto skip_reply; /* Don't need to handle map entries we don't have */
1583
1584 /*
1585 * Only do this if *some* check pairs were returned
1586 */
1587 RDEBUG2("User found in radcheck table");
1588 autz_ctx->user_found = true;
1589
1590 if (check_map_process(request, &autz_ctx->check_tmp, &autz_ctx->reply_tmp) < 0) goto skip_reply;
1591 RDEBUG2("Conditional check items matched");
1592
1593 autz_ctx->rcode = RLM_MODULE_OK;
1594 map_list_talloc_free(&autz_ctx->check_tmp);
1595
1596 if (!call_env->reply_query) goto skip_reply;
1597
1599 if (unlang_tmpl_push(autz_ctx, NULL, &autz_ctx->query, request, call_env->reply_query, NULL, UNLANG_SUB_FRAME) < 0) RETURN_UNLANG_FAIL;
1600 autz_ctx->status = SQL_AUTZ_REPLY;
1602
1603 case SQL_AUTZ_REPLY:
1604 if (!query) RETURN_UNLANG_FAIL;
1605 *autz_ctx->map_ctx = (fr_sql_map_ctx_t) {
1606 .ctx = autz_ctx,
1607 .inst = inst,
1608 .out = &autz_ctx->reply_tmp,
1609 .list = request_attr_reply,
1610 .query = query,
1611 .expand_rhs = true,
1612 };
1613
1615 if (sql_get_map_list(p_result, request, map_ctx, autz_ctx->trunk) == UNLANG_ACTION_PUSHED_CHILD){
1616 autz_ctx->status = SQL_AUTZ_REPLY_RESUME;
1618 }
1619
1621
1623 talloc_free(map_ctx->query);
1624
1625 if (map_ctx->rows == 0) goto skip_reply;
1626
1627 do_fall_through = fall_through(&autz_ctx->reply_tmp);
1628
1629 RDEBUG2("User found in radreply table");
1630 autz_ctx->user_found = true;
1631
1632 skip_reply:
1633 if (map_list_num_elements(&autz_ctx->reply_tmp)) {
1634 RDEBUG2("Merging control and reply items");
1635 RINDENT();
1636 if (radius_legacy_map_list_apply(request, &autz_ctx->reply_tmp, NULL) < 0) {
1637 RPEDEBUG("Failed applying item");
1638 REXDENT();
1640 }
1641 REXDENT();
1642
1643 autz_ctx->rcode = RLM_MODULE_UPDATED;
1644 map_list_talloc_free(&autz_ctx->reply_tmp);
1645 }
1646
1647 if ((do_fall_through == FALL_THROUGH_YES) ||
1648 (inst->config.read_groups && (do_fall_through == FALL_THROUGH_DEFAULT))) {
1649 RDEBUG3("... falling-through to group processing");
1650
1651 if (!call_env->membership_query) {
1652 RWARN("Cannot check groups when group_membership_query is not set");
1653 break;
1654 }
1655
1656 if (!call_env->group_check_query && !call_env->group_reply_query) {
1657 RWARN("Cannot process groups when neither authorize_group_check_query nor authorize_group_check_query are set");
1658 break;
1659 }
1660
1662 if (unlang_tmpl_push(autz_ctx, NULL, &autz_ctx->query, request,
1664 autz_ctx->status = SQL_AUTZ_GROUP_MEMB;
1666 }
1667
1668 if ((do_fall_through == FALL_THROUGH_YES) ||
1669 (inst->config.read_profiles && (do_fall_through == FALL_THROUGH_DEFAULT))) {
1670 RDEBUG3("... falling-through to profile processing");
1671
1672 if (!call_env->group_check_query && !call_env->group_reply_query) {
1673 RWARN("Cannot process profiles when neither authorize_group_check_query nor authorize_group_check_query are set");
1674 break;
1675 }
1676
1677 autz_ctx->profile = fr_pair_find_by_da(&request->control_pairs, NULL, attr_user_profile);
1678 if (!autz_ctx->profile) break;
1679
1680 MEM(pair_update_request(&autz_ctx->sql_group, inst->group_da) >= 0);
1681 autz_ctx->status = SQL_AUTZ_PROFILE_START;
1682 return mod_autz_group_resume(p_result, mctx, request);
1683 }
1684 break;
1685
1686 default:
1687 fr_assert_msg(0, "Invalid status %d in mod_authorize_resume", autz_ctx->status);
1688 }
1689
1690 if (!autz_ctx->user_found) RETURN_UNLANG_NOTFOUND;
1691 RETURN_UNLANG_RCODE(autz_ctx->rcode);
1692}
1693
1694/** Start of module authorize method
1695 *
1696 * Pushes the tmpl relating to the first required query for evaluation
1697 */
1698static unlang_action_t CC_HINT(nonnull) mod_authorize(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
1699{
1701 rlm_sql_thread_t *thread = talloc_get_type_abort(mctx->thread, rlm_sql_thread_t);
1702 sql_autz_call_env_t *call_env = talloc_get_type_abort(mctx->env_data, sql_autz_call_env_t);
1703 sql_autz_ctx_t *autz_ctx;
1704
1705 fr_assert(request->packet != NULL);
1706 fr_assert(request->reply != NULL);
1707
1708 if (!call_env->check_query && !call_env->reply_query && !(inst->config.read_groups && call_env->membership_query)) {
1709 RWDEBUG("No authorization checks configured, returning noop");
1711 }
1712
1713 /*
1714 * Set and check the user attr here
1715 */
1716 sql_set_user(inst, request, &call_env->user);
1717
1718 MEM(autz_ctx = talloc(unlang_interpret_frame_talloc_ctx(request), sql_autz_ctx_t));
1719 *autz_ctx = (sql_autz_ctx_t) {
1720 .inst = inst,
1721 .call_env = call_env,
1722 .request = request,
1723 .trunk = thread->trunk,
1724 .rcode = RLM_MODULE_NOOP
1725 };
1726 map_list_init(&autz_ctx->check_tmp);
1727 map_list_init(&autz_ctx->reply_tmp);
1728 MEM(autz_ctx->map_ctx = talloc_zero(autz_ctx, fr_sql_map_ctx_t));
1729 talloc_set_destructor(autz_ctx, sql_autz_ctx_free);
1730
1731 if (unlang_module_yield(request,
1733 NULL, 0, autz_ctx) == UNLANG_ACTION_FAIL) {
1734 error:
1735 talloc_free(autz_ctx);
1737 }
1738
1739 fr_value_box_list_init(&autz_ctx->query);
1740
1741 /*
1742 * Query the check table to find any conditions associated with this user/realm/whatever...
1743 */
1744 if (call_env->check_query) {
1745 if (unlang_tmpl_push(autz_ctx, NULL, &autz_ctx->query, request, call_env->check_query, NULL, UNLANG_SUB_FRAME) < 0) goto error;
1746 autz_ctx->status = SQL_AUTZ_CHECK;
1748 }
1749
1750 if (call_env->reply_query) {
1751 if (unlang_tmpl_push(autz_ctx, NULL, &autz_ctx->query, request, call_env->reply_query, NULL, UNLANG_SUB_FRAME) < 0) goto error;
1752 autz_ctx->status = SQL_AUTZ_REPLY;
1754 }
1755
1756 /*
1757 * Neither check nor reply queries were set, so we must be doing group stuff
1758 */
1759 if (unlang_tmpl_push(autz_ctx, NULL, &autz_ctx->query, request, call_env->membership_query, NULL, UNLANG_SUB_FRAME) < 0) goto error;
1760 autz_ctx->status = SQL_AUTZ_GROUP_MEMB;
1762}
1763
1764/** Tidy up when freeing an SQL redundant context
1765 *
1766 * Release the connection handle and unset the SQL-User attribute.
1767 */
1769{
1770 if (!to_free->inst->sql_escape_arg) (void) request_data_get(to_free->request, (void *)sql_escape_uctx_alloc, 0);
1771 sql_unset_user(to_free->inst, to_free->request);
1772
1773 return 0;
1774}
1775
1776static unlang_action_t mod_sql_redundant_resume(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request);
1777
1778/** Resume function called after executing an SQL query in a redundant list of queries.
1779 *
1780 * @param p_result Result of current module call.
1781 * @param mctx Current module ctx.
1782 * @param request Current request.
1783 * @return one of the RLM_MODULE_* values.
1784 */
1786{
1787 sql_redundant_ctx_t *redundant_ctx = talloc_get_type_abort(mctx->rctx, sql_redundant_ctx_t);
1788 sql_redundant_call_env_t *call_env = redundant_ctx->call_env;
1789 rlm_sql_t const *inst = redundant_ctx->inst;
1790 fr_sql_query_t *query_ctx = redundant_ctx->query_ctx;
1791 int numaffected = 0;
1792
1793 RDEBUG2("SQL query returned: %s", fr_table_str_by_value(sql_rcode_description_table, query_ctx->rcode, "<INVALID>"));
1794
1795 switch (query_ctx->rcode) {
1796 /*
1797 * Query was a success! Now we just need to check if it did anything.
1798 */
1799 case RLM_SQL_OK:
1800 break;
1801
1802 /*
1803 * A general, unrecoverable server fault.
1804 */
1805 case RLM_SQL_ERROR:
1806 /*
1807 * If we get RLM_SQL_RECONNECT it means all connections in the pool
1808 * were exhausted, and we couldn't create a new connection,
1809 * so we do not need to call fr_pool_connection_release.
1810 */
1811 case RLM_SQL_RECONNECT:
1812 rlm_sql_print_error(inst, request, query_ctx, false);
1814
1815 /*
1816 * Query was invalid, this is a terminal error.
1817 */
1819 rlm_sql_print_error(inst, request, query_ctx, false);
1821
1822 /*
1823 * Driver found an error (like a unique key constraint violation)
1824 * that hinted it might be a good idea to try an alternative query.
1825 */
1826 case RLM_SQL_ALT_QUERY:
1827 goto next;
1828
1830 break;
1831 }
1832
1833 /*
1834 * We need to have updated something for the query to have been
1835 * counted as successful.
1836 */
1837 numaffected = (inst->driver->sql_affected_rows)(query_ctx, &inst->config);
1838 TALLOC_FREE(query_ctx);
1839 RDEBUG2("%i record(s) updated", numaffected);
1840
1841 if (numaffected > 0) {
1842 if (inst->query_number_da) {
1843 fr_pair_t *vp;
1844 if (unlikely(pair_update_control(&vp, inst->query_number_da) < 0)) RETURN_UNLANG_FAIL;
1845 vp->vp_uint32 = redundant_ctx->query_no + 1;
1846 RDEBUG2("control.%pP", vp);
1847 }
1848 RETURN_UNLANG_OK; /* A query succeeded, were done! */
1849 }
1850next:
1851 /*
1852 * Look to see if there are any more queries to expand
1853 */
1854 talloc_free(query_ctx);
1855 redundant_ctx->query_no++;
1856 if (redundant_ctx->query_no >= talloc_array_length(call_env->query)) RETURN_UNLANG_NOOP;
1858 if (unlang_tmpl_push(redundant_ctx, NULL, &redundant_ctx->query, request, call_env->query[redundant_ctx->query_no], NULL, UNLANG_SUB_FRAME) < 0) RETURN_UNLANG_FAIL;
1859
1860 RDEBUG2("Trying next query...");
1861
1863}
1864
1865
1866/** Resume function called after expansion of next query in a redundant list of queries
1867 *
1868 * @param p_result Result of current module call.
1869 * @param mctx Current module ctx.
1870 * @param request Current request.
1871 * @return one of the RLM_MODULE_* values.
1872 */
1874{
1875 sql_redundant_ctx_t *redundant_ctx = talloc_get_type_abort(mctx->rctx, sql_redundant_ctx_t);
1876 sql_redundant_call_env_t *call_env = redundant_ctx->call_env;
1877 rlm_sql_t const *inst = redundant_ctx->inst;
1878
1879 redundant_ctx->query_vb = fr_value_box_list_pop_head(&redundant_ctx->query);
1880 if (!redundant_ctx->query_vb) RETURN_UNLANG_FAIL;
1881
1882 if ((call_env->filename.type == FR_TYPE_STRING) && (call_env->filename.vb_length > 0)) {
1883 rlm_sql_query_log(inst, call_env->filename.vb_strvalue, redundant_ctx->query_vb->vb_strvalue);
1884 }
1885
1886 MEM(redundant_ctx->query_ctx = fr_sql_query_alloc(redundant_ctx, inst, request, redundant_ctx->trunk,
1887 redundant_ctx->query_vb->vb_strvalue, SQL_QUERY_OTHER));
1888
1889 unlang_module_yield(request, mod_sql_redundant_query_resume, NULL, 0, redundant_ctx);
1890 return unlang_function_push_with_result(/* discard, mod_sql_redundant_query_resume uses query_ctx->rcode*/ NULL,
1891 request,
1892 inst->query,
1893 NULL,
1894 NULL,
1896 redundant_ctx->query_ctx);
1897}
1898
1899/** Generic module call for failing between a bunch of queries.
1900 *
1901 * Used for `accounting` and `send` module calls
1902 *
1903 */
1904static unlang_action_t CC_HINT(nonnull) mod_sql_redundant(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
1905{
1907 rlm_sql_thread_t *thread = talloc_get_type_abort(mctx->thread, rlm_sql_thread_t);
1908 sql_redundant_call_env_t *call_env = talloc_get_type_abort(mctx->env_data, sql_redundant_call_env_t);
1909 sql_redundant_ctx_t *redundant_ctx;
1910
1911 /*
1912 * No query to expand - do nothing.
1913 */
1914 if (!call_env->query) {
1915 RWARN("No query configured");
1917 }
1918
1919 MEM(redundant_ctx = talloc_zero(unlang_interpret_frame_talloc_ctx(request), sql_redundant_ctx_t));
1920 *redundant_ctx = (sql_redundant_ctx_t) {
1921 .inst = inst,
1922 .request = request,
1923 .trunk = thread->trunk,
1924 .call_env = call_env,
1925 .query_no = 0
1926 };
1927 talloc_set_destructor(redundant_ctx, sql_redundant_ctx_free);
1928
1929 sql_set_user(inst, request, &call_env->user);
1930
1931 fr_value_box_list_init(&redundant_ctx->query);
1932
1933 return unlang_module_yield_to_tmpl(request, &redundant_ctx->query, request, *call_env->query,
1934 NULL, mod_sql_redundant_resume, NULL, 0, redundant_ctx);
1935}
1936
1937static int logfile_call_env_parse(TALLOC_CTX *ctx, call_env_parsed_head_t *out, tmpl_rules_t const *t_rules,
1938 CONF_ITEM *ci,
1939 call_env_ctx_t const *cec, UNUSED call_env_parser_t const *rule)
1940{
1941 CONF_SECTION const *subcs = NULL, *subsubcs = NULL;
1942 CONF_PAIR const *to_parse = NULL;
1943 tmpl_t *parsed_tmpl;
1944 call_env_parsed_t *parsed_env;
1945 tmpl_rules_t our_rules;
1946 char *section2, *p;
1947
1949
1950 /*
1951 * The call env subsection which calls this has CF_IDENT_ANY as its name
1952 * which results in finding the first child section of the module config.
1953 * We actually want the whole module config - so go to the parent.
1954 */
1955 ci = cf_parent(ci);
1956
1957 /*
1958 * Find the instance of "logfile" to parse
1959 *
1960 * If the module call is from `accounting Start` then first is
1961 * <module> { accounting { start { logfile } } }
1962 * then
1963 * <module> { accounting { logfile } }
1964 * falling back to
1965 * <module> { logfile }
1966 */
1968 if (subcs) {
1969 if (cec->asked->name2) {
1970 section2 = talloc_strdup(NULL, cec->asked->name2);
1971 p = section2;
1972 while (*p != '\0') {
1973 *(p) = tolower((uint8_t)*p);
1974 p++;
1975 }
1976 subsubcs = cf_section_find(subcs, section2, CF_IDENT_ANY);
1977 talloc_free(section2);
1978 if (subsubcs) to_parse = cf_pair_find(subsubcs, "logfile");
1979 }
1980 if (!to_parse) to_parse = cf_pair_find(subcs, "logfile");
1981 }
1982
1983 if (!to_parse) to_parse = cf_pair_find(cf_item_to_section(ci), "logfile");
1984
1985 if (!to_parse) return 0;
1986
1987 /*
1988 * Use filename safety escape functions
1989 */
1990 our_rules = *t_rules;
1994 .always_escape = false,
1995 };
1997 our_rules.literals_safe_for = our_rules.escape.box_escape.safe_for;
1998
1999 MEM(parsed_env = call_env_parsed_add(ctx, out,
2001
2002 if (tmpl_afrom_substr(parsed_env, &parsed_tmpl,
2003 &FR_SBUFF_IN(cf_pair_value(to_parse), talloc_array_length(cf_pair_value(to_parse)) - 1),
2005 &our_rules) < 0) {
2006 error:
2007 call_env_parsed_free(out, parsed_env);
2008 return -1;
2009 }
2010 if (tmpl_needs_resolving(parsed_tmpl) &&
2011 (tmpl_resolve(parsed_tmpl, &(tmpl_res_rules_t){ .dict_def = our_rules.attr.dict_def }) < 0)) goto error;
2012
2013 call_env_parsed_set_tmpl(parsed_env, parsed_tmpl);
2014
2015 return 0;
2016}
2017
2018static int query_call_env_parse(TALLOC_CTX *ctx, call_env_parsed_head_t *out, tmpl_rules_t const *t_rules,
2019 CONF_ITEM *ci,
2020 call_env_ctx_t const *cec, UNUSED call_env_parser_t const *rule)
2021{
2023 CONF_SECTION const *subcs = NULL;
2024 CONF_PAIR const *to_parse = NULL;
2025 tmpl_t *parsed_tmpl;
2026 call_env_parsed_t *parsed_env;
2027 tmpl_rules_t our_rules;
2028 char *section2, *p;
2029 ssize_t count, slen, multi_index = 0;
2030
2032
2033 /*
2034 * Find the instance(s) of "query" to parse
2035 *
2036 * If the module call is from `accounting Start` then it should be
2037 * <module> { accounting { start { query } } }
2038 */
2039 section2 = talloc_strdup(NULL, section_name_str(cec->asked->name2));
2040 p = section2;
2041 while (*p != '\0') {
2042 *(p) = tolower((uint8_t)*p);
2043 p++;
2044 }
2045 subcs = cf_section_find(cf_item_to_section(ci), section2, CF_IDENT_ANY);
2046 if (!subcs) {
2047 no_query:
2048 cf_log_warn(ci, "No query found for \"%s.%s\", this query will be disabled",
2049 section_name_str(cec->asked->name1), section2);
2050 talloc_free(section2);
2051 return 0;
2052 }
2053 count = cf_pair_count(subcs, "query");
2054 if (count == 0) goto no_query;
2055
2056 talloc_free(section2);
2057
2058 /*
2059 * Use module specific escape functions
2060 */
2061 our_rules = *t_rules;
2062 our_rules.escape = (tmpl_escape_t) {
2065 .safe_for = SQL_SAFE_FOR,
2066 .always_escape = false,
2067 },
2068 .uctx = { .func = { .uctx = inst, .alloc = sql_escape_uctx_alloc }, .type = TMPL_ESCAPE_UCTX_ALLOC_FUNC },
2069 .mode = TMPL_ESCAPE_PRE_CONCAT,
2070 };
2071 our_rules.literals_safe_for = our_rules.escape.box_escape.safe_for;
2072
2073 while ((to_parse = cf_pair_find_next(subcs, to_parse, "query"))) {
2074 MEM(parsed_env = call_env_parsed_add(ctx, out,
2078 }));
2079
2080 slen = tmpl_afrom_substr(parsed_env, &parsed_tmpl,
2081 &FR_SBUFF_IN(cf_pair_value(to_parse), talloc_array_length(cf_pair_value(to_parse)) - 1),
2083 &our_rules);
2084 if (slen <= 0) {
2085 cf_canonicalize_error(to_parse, slen, "Failed parsing query", cf_pair_value(to_parse));
2086 error:
2087 call_env_parsed_free(out, parsed_env);
2088 return -1;
2089 }
2090 if (tmpl_needs_resolving(parsed_tmpl) &&
2091 (tmpl_resolve(parsed_tmpl, &(tmpl_res_rules_t){ .dict_def = our_rules.attr.dict_def }) < 0)) {
2092 cf_log_perr(to_parse, "Failed resolving query");
2093 goto error;
2094 }
2095
2096 call_env_parsed_set_multi_index(parsed_env, count, multi_index++);
2097 call_env_parsed_set_data(parsed_env, parsed_tmpl);
2098 }
2099
2100 return 0;
2101}
2102
2103static int mod_detach(module_detach_ctx_t const *mctx)
2104{
2105 rlm_sql_t *inst = talloc_get_type_abort(mctx->mi->data, rlm_sql_t);
2106
2107 /*
2108 * We need to explicitly free all children, so if the driver
2109 * parented any memory off the instance, their destructors
2110 * run before we unload the bytecode for them.
2111 *
2112 * If we don't do this, we get a SEGV deep inside the talloc code
2113 * when it tries to call a destructor that no longer exists.
2114 */
2115 talloc_free_children(inst);
2116
2117 return 0;
2118}
2119
2120static int mod_instantiate(module_inst_ctx_t const *mctx)
2121{
2122 rlm_sql_boot_t const *boot = talloc_get_type_abort(mctx->mi->boot, rlm_sql_boot_t);
2123 rlm_sql_t *inst = talloc_get_type_abort(mctx->mi->data, rlm_sql_t);
2124 CONF_SECTION *conf = mctx->mi->conf;
2125
2126 /*
2127 * We can't modify the inst field in bootstrap, and there's no
2128 * point in making rlm_sql_boot_t available everywhere.
2129 */
2130 inst->group_da = boot->group_da;
2131 inst->query_number_da = boot->query_number_da;
2132
2133 inst->name = mctx->mi->name; /* Need this for functions in sql.c */
2134 inst->mi = mctx->mi; /* For looking up thread instance data */
2135
2136 /*
2137 * We need authorize_group_check_query or authorize_group_reply_query
2138 * if group_membership_query is set.
2139 *
2140 * Or we need group_membership_query if authorize_group_check_query or
2141 * authorize_group_reply_query is set.
2142 */
2143 if (!cf_pair_find(conf, "group_membership_query")) {
2144 if (cf_pair_find(conf, "authorize_group_check_query")) {
2145 WARN("Ignoring authorize_group_check_query as group_membership_query is not configured");
2146 }
2147
2148 if (cf_pair_find(conf, "authorize_group_reply_query")) {
2149 WARN("Ignoring authorize_group_reply_query as group_membership_query is not configured");
2150 }
2151
2152 if (!inst->config.read_groups) {
2153 WARN("Ignoring read_groups as group_membership_query is not configured");
2154 inst->config.read_groups = false;
2155 }
2156 } /* allow the group check / reply queries to be NULL */
2157
2158 /*
2159 * Cache the SQL-User-Name fr_dict_attr_t, so we can be slightly
2160 * more efficient about creating SQL-User-Name attributes.
2161 */
2162 inst->sql_user = attr_sql_user_name;
2163
2164 /*
2165 * Export these methods, too. This avoids RTDL_GLOBAL.
2166 */
2167 inst->query = rlm_sql_trunk_query;
2168 inst->select = rlm_sql_trunk_query;
2169 inst->fetch_row = rlm_sql_fetch_row;
2170 inst->query_alloc = fr_sql_query_alloc;
2171
2172 /*
2173 * Either use the module specific escape function
2174 * or our default one.
2175 */
2176 if (inst->driver->sql_escape_func) {
2177 inst->sql_escape_func = inst->driver->sql_escape_func;
2178 } else {
2179 inst->sql_escape_func = sql_escape_func;
2180 inst->sql_escape_arg = inst;
2181 }
2182 inst->box_escape = (fr_value_box_escape_t) {
2183 .func = sql_box_escape,
2184 .safe_for = SQL_SAFE_FOR,
2185 .always_escape = false,
2186 };
2187
2188 inst->ef = module_rlm_exfile_init(inst, conf, 256, fr_time_delta_from_sec(30), true, false, NULL, NULL);
2189 if (!inst->ef) {
2190 cf_log_err(conf, "Failed creating log file context");
2191 return -1;
2192 }
2193
2194 /*
2195 * Most SQL trunks can only have one running request per connection.
2196 */
2197 if (!(inst->driver->flags & RLM_SQL_MULTI_QUERY_CONN)) {
2198 inst->config.trunk_conf.target_req_per_conn = 1;
2199 inst->config.trunk_conf.max_req_per_conn = 1;
2200 }
2201 if (!inst->driver->trunk_io_funcs.connection_notify) {
2202 inst->config.trunk_conf.always_writable = true;
2203 }
2204
2205 /*
2206 * Instantiate the driver module
2207 */
2208 if (unlikely(module_instantiate(inst->driver_submodule) < 0)) {
2209 cf_log_err(conf, "Failed instantiating driver module");
2210 return -1;
2211 }
2212
2213 if (!inst->config.trunk_conf.conn_triggers) return 0;
2214
2215 MEM(inst->trigger_args = fr_pair_list_alloc(inst));
2216 return module_trigger_args_build(inst->trigger_args, inst->trigger_args, cf_section_find(conf, "pool", NULL),
2218 .module = inst->mi->module->name,
2219 .name = inst->name,
2220 .server = inst->config.sql_server,
2221 .port = inst->config.sql_port
2222 });
2223}
2224
2225static int mod_bootstrap(module_inst_ctx_t const *mctx)
2226{
2227 rlm_sql_boot_t *boot = talloc_get_type_abort(mctx->mi->boot, rlm_sql_boot_t);
2228 rlm_sql_t const *inst = talloc_get_type_abort(mctx->mi->data, rlm_sql_t);
2229 CONF_SECTION *conf = mctx->mi->conf;
2230 xlat_t *xlat;
2231 xlat_arg_parser_t *sql_xlat_arg;
2233
2234 /*
2235 * Register the group comparison attribute
2236 */
2237 if (cf_pair_find(conf, "group_membership_query")) {
2238 char const *group_attribute;
2239 char buffer[256];
2240
2241 if (inst->config.group_attribute) {
2242 group_attribute = inst->config.group_attribute;
2243 } else if (cf_section_name2(conf)) {
2244 snprintf(buffer, sizeof(buffer), "%s-SQL-Group", mctx->mi->name);
2245 group_attribute = buffer;
2246 } else {
2247 group_attribute = "SQL-Group";
2248 }
2249
2250 boot->group_da = fr_dict_attr_by_name(NULL, fr_dict_root(dict_freeradius), group_attribute);
2251 if (!boot->group_da) {
2253 cf_log_perr(conf, "Failed defining group attribute");
2254 return -1;
2255 }
2256
2257 boot->group_da = fr_dict_attr_search_by_qualified_oid(NULL, dict_freeradius, group_attribute,
2258 false, false);
2259 if (!boot->group_da) {
2260 cf_log_perr(conf, "Failed resolving group attribute");
2261 return -1;
2262 }
2263 }
2264
2265 /*
2266 * Define the new %sql.group(name) xlat. The
2267 * register function automatically adds the
2268 * module instance name as a prefix.
2269 */
2270 xlat = module_rlm_xlat_register(boot, mctx, "group", sql_group_xlat, FR_TYPE_BOOL);
2271 if (!xlat) {
2272 cf_log_perr(conf, "Failed registering %s expansion", group_attribute);
2273 return -1;
2274 }
2276
2277 /*
2278 * The xlat escape function needs access to inst - so
2279 * argument parser details need to be defined here
2280 */
2281 sql_xlat_arg = talloc_zero_array(xlat, xlat_arg_parser_t, 2);
2282 sql_xlat_arg[0] = (xlat_arg_parser_t){
2284 .required = true,
2285 .concat = true
2286 };
2288
2289 xlat_func_args_set(xlat, sql_xlat_arg);
2290 }
2291
2292 /*
2293 * If we need to record which query from a redundant set succeeds, find / create the attribute to use.
2294 */
2295 if (inst->config.query_number_attribute) {
2297 inst->config.query_number_attribute);
2298 if (!boot->query_number_da) {
2300 inst->config.query_number_attribute, FR_TYPE_UINT32, NULL) < 0) {
2301 ERROR("Failed defining query number attribute \"%s\"", inst->config.query_number_attribute);
2302 return -1;
2303 }
2304
2306 inst->config.query_number_attribute,
2307 false, false);
2308 if (!boot->query_number_da) {
2309 ERROR("Failed resolving query number attribute \"%s\"", inst->config.query_number_attribute);
2310 return -1;
2311 }
2312 } else {
2313 if (boot->query_number_da->type != FR_TYPE_UINT32) {
2314 ERROR("Query number attribute \"%s\" is type \"%s\", needs to be uint32",
2315 inst->config.query_number_attribute, fr_type_to_str(boot->query_number_da->type));
2316 return -1;
2317 }
2318 }
2319 }
2320
2321 /*
2322 * Register the SQL xlat function
2323 */
2324 xlat = module_rlm_xlat_register(boot, mctx, NULL, sql_xlat, FR_TYPE_VOID); /* Returns an integer sometimes */
2325 if (!xlat) {
2326 cf_log_perr(conf, "Failed registering %s expansion", mctx->mi->name);
2327 return -1;
2328 }
2330
2331 /*
2332 * The xlat escape function needs access to inst - so
2333 * argument parser details need to be defined here.
2334 * Parented off the module instance "boot" so it can be shared
2335 * between three xlats.
2336 */
2337 MEM(sql_xlat_arg = talloc_zero_array(boot, xlat_arg_parser_t, 2));
2338 MEM(uctx = talloc_zero(sql_xlat_arg, rlm_sql_escape_uctx_t));
2339 *uctx = (rlm_sql_escape_uctx_t){ .sql = inst };
2340 sql_xlat_arg[0] = (xlat_arg_parser_t){
2342 .required = true,
2343 .concat = true,
2344 .func = sql_xlat_escape,
2345 .safe_for = SQL_SAFE_FOR,
2346 .uctx = uctx
2347 };
2349
2350 xlat_func_args_set(xlat, sql_xlat_arg);
2351
2352 /*
2353 * Register instances of the SQL xlat with pre-determined output types
2354 */
2355 if (unlikely(!(xlat = module_rlm_xlat_register(boot, mctx, "fetch", sql_fetch_xlat, FR_TYPE_VOID)))) return -1;
2357 xlat_func_args_set(xlat, sql_xlat_arg);
2358
2359 if (unlikely(!(xlat = module_rlm_xlat_register(boot, mctx, "modify", sql_modify_xlat, FR_TYPE_UINT32)))) return -1;
2361 xlat_func_args_set(xlat, sql_xlat_arg);
2362
2363 if (unlikely(!(xlat = module_rlm_xlat_register(boot, mctx, "escape", sql_escape_xlat, FR_TYPE_STRING)))) return -1;
2364 sql_xlat_arg = talloc_zero_array(xlat, xlat_arg_parser_t, 2);
2365 sql_xlat_arg[0] = (xlat_arg_parser_t){
2367 .variadic = true,
2368 .concat = true,
2369 };
2371 xlat_func_args_set(xlat, sql_xlat_arg);
2374
2375 if (unlikely(!(xlat = module_rlm_xlat_register(boot, mctx, "safe", xlat_transparent, FR_TYPE_STRING)))) return -1;
2376 sql_xlat_arg = talloc_zero_array(xlat, xlat_arg_parser_t, 2);
2377 sql_xlat_arg[0] = (xlat_arg_parser_t){
2379 .variadic = true,
2380 .concat = true
2381 };
2383 xlat_func_args_set(xlat, sql_xlat_arg);
2386
2387 /*
2388 * Register the SQL map processor function
2389 */
2390 if (inst->driver->sql_fields) map_proc_register(mctx->mi->boot, inst, mctx->mi->name, mod_map_proc, sql_map_verify, 0, SQL_SAFE_FOR);
2391
2392 return 0;
2393}
2394
2395/** Initialise thread specific data structure
2396 *
2397 */
2399{
2400 rlm_sql_thread_t *t = talloc_get_type_abort(mctx->thread, rlm_sql_thread_t);
2401 rlm_sql_t *inst = talloc_get_type_abort(mctx->mi->data, rlm_sql_t);
2402
2403 if (inst->driver->sql_escape_arg_alloc) {
2404 t->sql_escape_arg = inst->driver->sql_escape_arg_alloc(t, mctx->el, inst);
2405 if (!t->sql_escape_arg) return -1;
2406 }
2407
2408 t->inst = inst;
2409
2410 t->trunk = trunk_alloc(t, mctx->el, &inst->driver->trunk_io_funcs,
2411 &inst->config.trunk_conf, inst->name, t, false, inst->trigger_args);
2412 if (!t->trunk) return -1;
2413
2414 return 0;
2415}
2416
2418{
2419 rlm_sql_thread_t *t = talloc_get_type_abort(mctx->thread, rlm_sql_thread_t);
2420 rlm_sql_t *inst = talloc_get_type_abort(mctx->mi->data, rlm_sql_t);
2421
2422 if (inst->driver->sql_escape_arg_free) inst->driver->sql_escape_arg_free(t->sql_escape_arg);
2423
2424 return 0;
2425}
2426
2427/** Custom parser for sql call env queries
2428 *
2429 * Needed as the escape function needs to reference the correct SQL driver
2430 */
2431static int sql_call_env_parse(TALLOC_CTX *ctx, void *out, tmpl_rules_t const *t_rules, CONF_ITEM *ci,
2432 call_env_ctx_t const *cec, UNUSED call_env_parser_t const *rule)
2433{
2435 tmpl_t *parsed_tmpl;
2436 CONF_PAIR const *to_parse = cf_item_to_pair(ci);
2437 tmpl_rules_t our_rules = *t_rules;
2438
2439 /*
2440 * Set the sql module instance data as the uctx for escaping
2441 * and use the same "safe_for" as the sql module.
2442 */
2445 .safe_for = SQL_SAFE_FOR,
2446 .always_escape = false,
2447 };
2448 our_rules.escape.uctx.func.uctx = inst;
2449 our_rules.literals_safe_for = SQL_SAFE_FOR;
2450
2451 if (tmpl_afrom_substr(ctx, &parsed_tmpl,
2452 &FR_SBUFF_IN(cf_pair_value(to_parse), talloc_array_length(cf_pair_value(to_parse)) - 1),
2454 &our_rules) < 0) return -1;
2455 *(void **)out = parsed_tmpl;
2456 return 0;
2457}
2458
2459#define QUERY_ESCAPE .pair.escape = { \
2460 .mode = TMPL_ESCAPE_PRE_CONCAT, \
2461 .uctx = { .func = { .alloc = sql_escape_uctx_alloc }, .type = TMPL_ESCAPE_UCTX_ALLOC_FUNC }, \
2462}, .pair.func = sql_call_env_parse
2463
2476
2477/* globally exported name */
2479 .common = {
2480 .magic = MODULE_MAGIC_INIT,
2481 .name = "sql",
2482 .boot_size = sizeof(rlm_sql_boot_t),
2483 .boot_type = "rlm_sql_boot_t",
2484 .inst_size = sizeof(rlm_sql_t),
2485 .config = module_config,
2486 .bootstrap = mod_bootstrap,
2487 .instantiate = mod_instantiate,
2488 .detach = mod_detach,
2489 .thread_inst_size = sizeof(rlm_sql_thread_t),
2492 },
2493 .method_group = {
2494 .bindings = (module_method_binding_t[]){
2495 /*
2496 * Hack to support old configurations
2497 */
2498 { .section = SECTION_NAME("accounting", CF_IDENT_ANY), .method = mod_sql_redundant, .method_env = &accounting_method_env },
2499 { .section = SECTION_NAME("authorize", CF_IDENT_ANY), .method = mod_authorize, .method_env = &authorize_method_env },
2500
2501 { .section = SECTION_NAME("recv", CF_IDENT_ANY), .method = mod_authorize, .method_env = &authorize_method_env },
2502 { .section = SECTION_NAME("send", CF_IDENT_ANY), .method = mod_sql_redundant, .method_env = &send_method_env },
2504 }
2505 }
2506};
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
Definition action.h:35
@ UNLANG_ACTION_PUSHED_CHILD
unlang_t pushed a new child onto the stack, execute it instead of continuing.
Definition action.h:39
@ UNLANG_ACTION_FAIL
Encountered an unexpected error.
Definition action.h:36
@ UNLANG_ACTION_CALCULATE_RESULT
Calculate a new section rlm_rcode_t value.
Definition action.h:37
@ UNLANG_ACTION_YIELD
Temporarily pause execution until an event occurs.
Definition action.h:41
static int const char char buffer[256]
Definition acutest.h:576
#define fr_atexit_thread_local(_name, _free, _uctx)
Definition atexit.h:221
#define RCSID(id)
Definition build.h:485
#define FALL_THROUGH
clang 10 doesn't recognised the FALL-THROUGH comment anymore
Definition build.h:324
#define unlikely(_x)
Definition build.h:383
#define UNUSED
Definition build.h:317
void call_env_parsed_free(call_env_parsed_head_t *parsed, call_env_parsed_t *ptr)
Remove a call_env_parsed_t from the list of parsed call envs.
Definition call_env.c:775
call_env_parsed_t * call_env_parsed_add(TALLOC_CTX *ctx, call_env_parsed_head_t *head, call_env_parser_t const *rule)
Allocate a new call_env_parsed_t structure and add it to the list of parsed call envs.
Definition call_env.c:688
void call_env_parsed_set_multi_index(call_env_parsed_t *parsed, size_t count, size_t index)
Assign a count and index to a call_env_parsed_t.
Definition call_env.c:760
void call_env_parsed_set_data(call_env_parsed_t *parsed, void const *data)
Assign data to a call_env_parsed_t.
Definition call_env.c:745
void call_env_parsed_set_tmpl(call_env_parsed_t *parsed, tmpl_t const *tmpl)
Assign a tmpl to a call_env_parsed_t.
Definition call_env.c:717
#define CALL_ENV_TERMINATOR
Definition call_env.h:236
call_env_ctx_type_t type
Type of callenv ctx.
Definition call_env.h:227
@ CALL_ENV_CTX_TYPE_MODULE
The callenv is registered to a module method.
Definition call_env.h:222
#define FR_CALL_ENV_METHOD_OUT(_inst)
Helper macro for populating the size/type fields of a call_env_method_t from the output structure typ...
Definition call_env.h:240
call_env_parser_t const * env
Parsing rules for call method env.
Definition call_env.h:247
section_name_t const * asked
The actual name1/name2 that resolved to a module_method_binding_t.
Definition call_env.h:232
@ CALL_ENV_FLAG_CONCAT
If the tmpl produced multiple boxes they should be concatenated.
Definition call_env.h:76
@ CALL_ENV_FLAG_SUBSECTION
This is a subsection.
Definition call_env.h:87
@ CALL_ENV_FLAG_PARSE_ONLY
The result of parsing will not be evaluated at runtime.
Definition call_env.h:85
@ CALL_ENV_FLAG_MULTI
Multiple instances of the conf pairs are allowed.
Definition call_env.h:78
@ CALL_ENV_FLAG_NULLABLE
Tmpl expansions are allowed to produce no output.
Definition call_env.h:80
module_instance_t const * mi
Module instance that the callenv is registered to.
Definition call_env.h:229
#define FR_CALL_ENV_SUBSECTION_FUNC(_name, _name2, _flags, _func)
Specify a call_env_parser_t which parses a subsection using a callback function.
Definition call_env.h:412
#define FR_CALL_ENV_OFFSET(_name, _cast_type, _flags, _struct, _field)
Specify a call_env_parser_t which writes out runtime results to the specified field.
Definition call_env.h:340
#define FR_CALL_ENV_PARSE_ONLY_OFFSET(_name, _cast_type, _flags, _struct, _parse_field)
Specify a call_env_parser_t which writes out the result of the parsing phase to the field specified.
Definition call_env.h:389
Per method call config.
Definition call_env.h:180
#define CONF_PARSER_TERMINATOR
Definition cf_parse.h:660
cf_parse_t func
Override default parsing behaviour for the specified type with a custom parsing function.
Definition cf_parse.h:614
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:283
#define FR_CONF_OFFSET_FLAGS(_name, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:271
#define FR_CONF_OFFSET_SUBSECTION(_name, _flags, _struct, _field, _subcs)
conf_parser_t which populates a sub-struct using a CONF_SECTION
Definition cf_parse.h:312
@ CONF_FLAG_SECRET
Only print value if debug level >= 3.
Definition cf_parse.h:436
@ CONF_FLAG_HIDDEN
Used by scripts to omit items from the generated documentation.
Definition cf_parse.h:458
#define FR_CONF_OFFSET_TYPE_FLAGS(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:241
Defines a CONF_PAIR to C data type mapping.
Definition cf_parse.h:597
Common header for all CONF_* types.
Definition cf_priv.h:49
Configuration AVP similar to a fr_pair_t.
Definition cf_priv.h:70
A section grouping multiple CONF_PAIR.
Definition cf_priv.h:101
CONF_PAIR * cf_pair_find_next(CONF_SECTION const *cs, CONF_PAIR const *prev, char const *attr)
Find a pair with a name matching attr, after specified pair.
Definition cf_util.c:1440
unsigned int cf_pair_count(CONF_SECTION const *cs, char const *attr)
Count the number of times an attribute occurs in a parent section.
Definition cf_util.c:1507
char const * cf_section_name2(CONF_SECTION const *cs)
Return the second identifier of a CONF_SECTION.
Definition cf_util.c:1184
CONF_SECTION * cf_section_find(CONF_SECTION const *cs, char const *name1, char const *name2)
Find a CONF_SECTION with name1 and optionally name2.
Definition cf_util.c:1027
CONF_SECTION * cf_item_to_section(CONF_ITEM const *ci)
Cast a CONF_ITEM to a CONF_SECTION.
Definition cf_util.c:683
CONF_PAIR * cf_pair_find(CONF_SECTION const *cs, char const *attr)
Search for a CONF_PAIR with a specific name.
Definition cf_util.c:1426
fr_token_t cf_pair_value_quote(CONF_PAIR const *pair)
Return the value (rhs) quoting of a pair.
Definition cf_util.c:1625
CONF_PAIR * cf_item_to_pair(CONF_ITEM const *ci)
Cast a CONF_ITEM to a CONF_PAIR.
Definition cf_util.c:663
char const * cf_pair_value(CONF_PAIR const *pair)
Return the value of a CONF_PAIR.
Definition cf_util.c:1581
#define cf_log_err(_cf, _fmt,...)
Definition cf_util.h:286
#define cf_parent(_cf)
Definition cf_util.h:101
#define cf_canonicalize_error(_ci, _slen, _msg, _str)
Definition cf_util.h:364
#define cf_log_perr(_cf, _fmt,...)
Definition cf_util.h:293
#define cf_log_warn(_cf, _fmt,...)
Definition cf_util.h:287
#define CF_IDENT_ANY
Definition cf_util.h:78
static int fr_dcursor_append(fr_dcursor_t *cursor, void *v)
Insert a single item at the end of the list.
Definition dcursor.h:408
#define fr_assert_msg(_x, _msg,...)
Calls panic_action ifndef NDEBUG, else logs error and causes the server to exit immediately with code...
Definition debug.h:202
#define MEM(x)
Definition debug.h:36
#define ERROR(fmt,...)
Definition dhcpclient.c:41
fr_dict_attr_t const * fr_dict_attr_search_by_qualified_oid(fr_dict_attr_err_t *err, fr_dict_t const *dict_def, char const *attr, bool internal, bool foreign))
Locate a qualified fr_dict_attr_t by its name and a dictionary qualifier.
Definition dict_util.c:3177
int fr_dict_attr_add_name_only(fr_dict_t *dict, fr_dict_attr_t const *parent, char const *name, fr_type_t type, fr_dict_attr_flags_t const *flags))
Add an attribute to the dictionary.
Definition dict_util.c:1816
fr_dict_t * fr_dict_unconst(fr_dict_t const *dict)
Coerce to non-const.
Definition dict_util.c:4724
fr_dict_attr_t const * fr_dict_attr_by_name(fr_dict_attr_err_t *err, fr_dict_attr_t const *parent, char const *attr))
Locate a fr_dict_attr_t by its name.
Definition dict_util.c:3359
fr_dict_attr_t const * fr_dict_root(fr_dict_t const *dict)
Return the root attribute of a dictionary.
Definition dict_util.c:2496
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
Definition dict.h:287
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
Definition dict.h:300
static fr_slen_t in
Definition dict.h:861
Specifies an attribute which must be present for the module to function.
Definition dict.h:286
Specifies a dictionary which must be loaded/loadable for the module to function.
Definition dict.h:299
Test enumeration values.
Definition dict_test.h:92
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
Definition dl_module.h:63
#define unlang_function_push_with_result(_result_p, _request, _func, _repeat, _signal, _sigmask, _top_frame, _uctx)
Push a generic function onto the unlang stack that produces a result.
Definition function.h:144
static xlat_action_t sql_escape_xlat(UNUSED TALLOC_CTX *ctx, fr_dcursor_t *out, xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *in)
Escape a value to make it SQL safe.
Definition rlm_sql.c:427
static xlat_action_t sql_group_xlat(UNUSED TALLOC_CTX *ctx, UNUSED fr_dcursor_t *out, xlat_ctx_t const *xctx, request_t *request, UNUSED fr_value_box_list_t *in)
Check if the user is a member of a particular group.
Definition rlm_sql.c:1206
static xlat_action_t sql_modify_xlat(TALLOC_CTX *ctx, fr_dcursor_t *out, xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *in)
Execute an arbitrary SQL query, returning the number of rows affected.
Definition rlm_sql.c:649
static xlat_action_t sql_fetch_xlat(UNUSED TALLOC_CTX *ctx, UNUSED fr_dcursor_t *out, xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *in)
Execute an arbitrary SQL query, expecting results to be returned.
Definition rlm_sql.c:615
static xlat_action_t sql_xlat(TALLOC_CTX *ctx, fr_dcursor_t *out, xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *in)
Execute an arbitrary SQL query.
Definition rlm_sql.c:551
unlang_result_t * unlang_interpret_result(request_t *request)
Get the last instruction result OR the last frame that was popped.
Definition interpret.c:1567
TALLOC_CTX * unlang_interpret_frame_talloc_ctx(request_t *request)
Get a talloc_ctx which is valid only for this frame.
Definition interpret.c:1667
#define UNLANG_SUB_FRAME
Definition interpret.h:37
rlm_rcode_t rcode
The current rcode, from executing the instruction or merging the result from a frame.
Definition interpret.h:134
#define REXDENT()
Exdent (unindent) R* messages by one level.
Definition log.h:443
#define RWDEBUG(fmt,...)
Definition log.h:361
#define RDEBUG_ENABLED3
True if request debug level 1-3 messages are enabled.
Definition log.h:335
#define RDEBUG3(fmt,...)
Definition log.h:343
#define RWARN(fmt,...)
Definition log.h:297
#define RERROR(fmt,...)
Definition log.h:298
#define RPERROR(fmt,...)
Definition log.h:302
#define RPEDEBUG(fmt,...)
Definition log.h:376
#define RINDENT()
Indent R* messages by one level.
Definition log.h:430
int map_to_request(request_t *request, map_t const *map, radius_map_getvalue_t func, void *ctx)
Convert map_t to fr_pair_t (s) and add them to a request_t.
Definition map.c:1873
int rad_filename_box_make_safe(fr_value_box_t *vb, UNUSED void *uxtc)
Definition util.c:160
unlang_action_t unlang_map_yield(request_t *request, map_proc_func_t resume, unlang_map_signal_t signal, fr_signal_t sigmask, void *rctx)
Yield a request back to the interpreter from within a module.
Definition map.c:110
talloc_free(reap)
static TALLOC_CTX * map_ctx
Definition map_builtin.c:32
int map_proc_register(TALLOC_CTX *ctx, void const *mod_inst, char const *name, map_proc_func_t evaluate, map_proc_instantiate_t instantiate, size_t inst_size, fr_value_box_safe_for_t literals_safe_for)
Register a map processor.
Definition map_proc.c:125
void * rctx
Resume ctx that a module previously set.
Definition map_proc.h:53
void const * moi
Map module instance.
Definition map_proc.h:54
Temporary structure to hold arguments for map calls.
Definition map_proc.h:52
@ FR_TYPE_ETHERNET
48 Bit Mac-Address.
@ FR_TYPE_STRING
String of printable characters.
@ FR_TYPE_UINT32
32 Bit unsigned integer.
@ FR_TYPE_VOID
User data.
@ FR_TYPE_BOOL
A truth value.
unsigned int uint32_t
long int ssize_t
unsigned char uint8_t
int strncasecmp(char *s1, char *s2, int n)
Definition missing.c:36
int strcasecmp(char *s1, char *s2)
Definition missing.c:66
void * env_data
Per call environment data.
Definition module_ctx.h:44
module_instance_t const * mi
Instance of the module being instantiated.
Definition module_ctx.h:42
void * thread
Thread specific instance data.
Definition module_ctx.h:43
void * rctx
Resume ctx that a module previously set.
Definition module_ctx.h:45
fr_event_list_t * el
Event list to register any IO handlers and timers against.
Definition module_ctx.h:68
module_instance_t * mi
Module instance to detach.
Definition module_ctx.h:57
void * thread
Thread instance data.
Definition module_ctx.h:67
module_instance_t const * mi
Instance of the module being instantiated.
Definition module_ctx.h:64
module_instance_t * mi
Instance of the module being instantiated.
Definition module_ctx.h:51
Temporary structure to hold arguments for module calls.
Definition module_ctx.h:41
Temporary structure to hold arguments for detach calls.
Definition module_ctx.h:56
Temporary structure to hold arguments for instantiation calls.
Definition module_ctx.h:50
Temporary structure to hold arguments for thread_instantiation calls.
Definition module_ctx.h:63
exfile_t * module_rlm_exfile_init(TALLOC_CTX *ctx, CONF_SECTION *module, uint32_t max_entries, fr_time_delta_t max_idle, bool locking, bool triggers, char const *trigger_prefix, fr_pair_list_t *trigger_args)
Initialise a module specific exfile handle.
Definition module_rlm.c:103
xlat_t * module_rlm_xlat_register(TALLOC_CTX *ctx, module_inst_ctx_t const *mctx, char const *name, xlat_func_t func, fr_type_t return_type)
Definition module_rlm.c:247
int module_rlm_submodule_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
Generic conf_parser_t func for loading drivers.
Definition module_rlm.c:943
module_t common
Common fields presented by all modules.
Definition module_rlm.h:39
int fr_pair_value_strdup(fr_pair_t *vp, char const *src, bool tainted)
Copy data into an "string" data type.
Definition pair.c:2640
int fr_pair_value_from_str(fr_pair_t *vp, char const *value, size_t inlen, fr_sbuff_unescape_rules_t const *uerules, UNUSED bool tainted)
Convert string value to native attribute value.
Definition pair.c:2594
fr_pair_t * fr_pair_find_by_da(fr_pair_list_t const *list, fr_pair_t const *prev, fr_dict_attr_t const *da)
Find the first pair with a matching da.
Definition pair.c:700
fr_pair_list_t * fr_pair_list_alloc(TALLOC_CTX *ctx)
Allocate a new pair list on the heap.
Definition pair.c:119
int fr_pair_append(fr_pair_list_t *list, fr_pair_t *to_add)
Add a VP to the end of the list.
Definition pair.c:1345
fr_pair_t * fr_pair_afrom_da(TALLOC_CTX *ctx, fr_dict_attr_t const *da)
Dynamically allocate a new attribute and assign a fr_dict_attr_t.
Definition pair.c:287
int radius_legacy_map_cmp(request_t *request, map_t const *map)
Definition pairmove.c:792
int radius_legacy_map_list_apply(request_t *request, map_list_t const *list, fr_edit_list_t *el)
Definition pairmove.c:773
size_t fr_utf8_char(uint8_t const *str, ssize_t inlen)
Checks for utf-8, taken from http://www.w3.org/International/questions/qa-forms-utf-8.
Definition print.c:39
#define fr_assert(_expr)
Definition rad_assert.h:38
#define pair_update_request(_attr, _da)
#define REDEBUG(fmt,...)
Definition radclient.h:52
#define RDEBUG2(fmt,...)
Definition radclient.h:54
#define WARN(fmt,...)
Definition radclient.h:47
static void thread_detach(UNUSED void *uctx)
Explicitly cleanup module/xlat resources.
Definition radiusd.c:150
static int thread_instantiate(TALLOC_CTX *ctx, fr_event_list_t *el, UNUSED void *uctx)
Create module and xlat per-thread instances.
Definition radiusd.c:133
static rs_t * conf
Definition radsniff.c:53
#define RLM_MODULE_USER_SECTION_REJECT
Rcodes that translate to a user configurable section failing overall.
Definition rcode.h:75
#define RETURN_UNLANG_INVALID
Definition rcode.h:62
#define RETURN_UNLANG_RCODE(_rcode)
Definition rcode.h:57
#define RETURN_UNLANG_NOTFOUND
Definition rcode.h:64
#define RETURN_UNLANG_FAIL
Definition rcode.h:59
#define RETURN_UNLANG_OK
Definition rcode.h:60
rlm_rcode_t
Return codes indicating the result of the module call.
Definition rcode.h:40
@ RLM_MODULE_OK
The module is OK, continue.
Definition rcode.h:45
@ RLM_MODULE_FAIL
Module failed, don't reply.
Definition rcode.h:44
@ RLM_MODULE_NOTFOUND
User not found.
Definition rcode.h:49
@ RLM_MODULE_UPDATED
OK (pairs modified).
Definition rcode.h:51
@ RLM_MODULE_NOOP
Module succeeded without doing anything.
Definition rcode.h:50
#define RETURN_UNLANG_NOOP
Definition rcode.h:65
fr_dict_attr_t const * request_attr_request
Definition request.c:43
fr_dict_attr_t const * request_attr_reply
Definition request.c:44
void * request_data_get(request_t *request, void const *unique_ptr, int unique_int)
Get opaque data from a request.
static char const * name
fr_value_box_t user
Definition rlm_sql.c:250
rlm_sql_t const * inst
Module instance.
Definition rlm_sql.c:239
static int sql_map_verify(CONF_SECTION *cs, UNUSED void const *mod_inst, UNUSED void *proc_inst, tmpl_t const *src, UNUSED map_list_t const *maps)
Definition rlm_sql.c:710
static int mod_detach(module_detach_ctx_t const *mctx)
Definition rlm_sql.c:2103
static unlang_action_t mod_autz_group_resume(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
Resume function called after authorization group / profile expansion of check / reply query tmpl.
Definition rlm_sql.c:1307
fr_sql_query_t * query_ctx
Query context.
Definition rlm_sql.c:185
sql_group_ctx_t * group_ctx
Definition rlm_sql.c:1133
rlm_sql_t const * inst
Module instance.
Definition rlm_sql.c:183
sql_redundant_call_env_t * call_env
Call environment data.
Definition rlm_sql.c:242
#define QUERY_ESCAPE
Definition rlm_sql.c:2459
tmpl_t * check_query
Tmpl to expand to form authorize_check_query.
Definition rlm_sql.c:120
static sql_fall_through_t fall_through(map_list_t *maps)
Definition rlm_sql.c:304
rlm_sql_grouplist_t * group
Current group being processed.
Definition rlm_sql.c:203
fr_value_box_t filename
File name to write SQL logs to.
Definition rlm_sql.c:212
static int _sql_map_proc_get_value(TALLOC_CTX *ctx, fr_pair_list_t *out, request_t *request, map_t const *map, void *uctx)
Converts a string value into a fr_pair_t.
Definition rlm_sql.c:683
request_t * request
Request being processed.
Definition rlm_sql.c:240
size_t query_no
Current query number.
Definition rlm_sql.c:243
static const call_env_method_t authorize_method_env
Definition rlm_sql.c:2464
tmpl_t * reply_query
Tmpl to expand to form authorize_reply_query.
Definition rlm_sql.c:121
static int _sql_escape_uxtx_free(void *uctx)
Definition rlm_sql.c:277
static fr_dict_attr_t const * attr_sql_user_name
Definition rlm_sql.c:105
fr_dict_attr_t const * query_number_da
Definition rlm_sql.c:61
static unlang_action_t sql_get_grouplist_resume(unlang_result_t *p_result, request_t *request, void *uctx)
Definition rlm_sql.c:1064
#define SQL_SAFE_FOR
Definition rlm_sql.c:53
static unlang_action_t mod_authorize_resume(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
Resume function called after authorization check / reply tmpl expansion.
Definition rlm_sql.c:1540
static int check_map_process(request_t *request, map_list_t *check_map, map_list_t *reply_map)
Process a "check" map.
Definition rlm_sql.c:1243
#define sql_unset_user(_i, _r)
Definition rlm_sql.c:1056
static fr_dict_attr_t const * attr_fall_through
Definition rlm_sql.c:104
static int logfile_call_env_parse(TALLOC_CTX *ctx, call_env_parsed_head_t *out, tmpl_rules_t const *t_rules, CONF_ITEM *cc, call_env_ctx_t const *cec, call_env_parser_t const *rule)
static fr_dict_t const * dict_freeradius
Definition rlm_sql.c:96
static xlat_action_t sql_group_xlat_resume(UNUSED TALLOC_CTX *ctx, UNUSED fr_dcursor_t *out, xlat_ctx_t const *xctx, request_t *request, UNUSED fr_value_box_list_t *in)
Run SQL query for group membership to return list of groups.
Definition rlm_sql.c:1170
fr_sql_map_ctx_t * map_ctx
Context used for retrieving attribute value pairs as a map list.
Definition rlm_sql.c:206
static xlat_action_t sql_xlat_select_resume(TALLOC_CTX *ctx, fr_dcursor_t *out, xlat_ctx_t const *xctx, request_t *request, UNUSED fr_value_box_list_t *in)
Definition rlm_sql.c:485
static void sql_set_user(rlm_sql_t const *inst, request_t *request, fr_value_box_t *user)
Definition rlm_sql.c:1034
rlm_sql_grouplist_t * groups
List of groups retrieved.
Definition rlm_sql.c:186
fr_value_box_t filename
Definition rlm_sql.c:134
static xlat_action_t sql_group_xlat_query_resume(TALLOC_CTX *ctx, fr_dcursor_t *out, xlat_ctx_t const *xctx, UNUSED request_t *request, fr_value_box_list_t *in)
Compare list of groups returned from SQL query to xlat argument.
Definition rlm_sql.c:1140
static fr_dict_attr_t const * attr_expr_bool_enum
Definition rlm_sql.c:107
fr_value_box_t user
Expansion of the sql_user_name.
Definition rlm_sql.c:119
fr_pair_t * sql_group
Pair to update with group being processed.
Definition rlm_sql.c:204
trunk_t * trunk
Trunk connection for queries.
Definition rlm_sql.c:241
#define SQL_AUTZ_STAGE_PROFILE
Definition rlm_sql.c:178
static xlat_action_t sql_xlat_query_resume(TALLOC_CTX *ctx, fr_dcursor_t *out, xlat_ctx_t const *xctx, request_t *request, UNUSED fr_value_box_list_t *in)
Definition rlm_sql.c:444
map_list_t check_tmp
List to store check items before processing.
Definition rlm_sql.c:198
static int submodule_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
Definition rlm_sql.c:263
static int mod_bootstrap(module_inst_ctx_t const *mctx)
Definition rlm_sql.c:2225
fr_value_box_t * query
Query string used for evaluating group membership.
Definition rlm_sql.c:184
sql_autz_call_env_t * call_env
Call environment data.
Definition rlm_sql.c:197
module_rlm_t rlm_sql
Definition rlm_sql.c:2478
static unlang_action_t mod_authorize(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
Start of module authorize method.
Definition rlm_sql.c:1698
static unlang_action_t sql_get_grouplist(unlang_result_t *p_result, sql_group_ctx_t *group_ctx, trunk_t *trunk, request_t *request)
Definition rlm_sql.c:1104
static const call_env_method_t xlat_method_env
Definition rlm_sql.c:137
sql_autz_status_t
Status of the authorization process.
Definition rlm_sql.c:159
@ SQL_AUTZ_PROFILE_REPLY
Running profile reply query.
Definition rlm_sql.c:173
@ SQL_AUTZ_CHECK
Running user check query.
Definition rlm_sql.c:160
@ SQL_AUTZ_GROUP_MEMB_RESUME
Completed group membership query.
Definition rlm_sql.c:165
@ SQL_AUTZ_REPLY
Running user reply query.
Definition rlm_sql.c:162
@ SQL_AUTZ_GROUP_MEMB
Running group membership query.
Definition rlm_sql.c:164
@ SQL_AUTZ_PROFILE_REPLY_RESUME
Completed profile reply query.
Definition rlm_sql.c:174
@ SQL_AUTZ_PROFILE_CHECK_RESUME
Completed profile check query.
Definition rlm_sql.c:172
@ SQL_AUTZ_CHECK_RESUME
Completed user check query.
Definition rlm_sql.c:161
@ SQL_AUTZ_PROFILE_START
Starting processing user profiles.
Definition rlm_sql.c:170
@ SQL_AUTZ_GROUP_REPLY_RESUME
Completed group reply query.
Definition rlm_sql.c:169
@ SQL_AUTZ_REPLY_RESUME
Completed user reply query.
Definition rlm_sql.c:163
@ SQL_AUTZ_GROUP_CHECK
Running group check query.
Definition rlm_sql.c:166
@ SQL_AUTZ_PROFILE_CHECK
Running profile check query.
Definition rlm_sql.c:171
@ SQL_AUTZ_GROUP_REPLY
Running group reply query.
Definition rlm_sql.c:168
@ SQL_AUTZ_GROUP_CHECK_RESUME
Completed group check query.
Definition rlm_sql.c:167
static int sql_xlat_escape(request_t *request, fr_value_box_t *vb, void *uctx)
Escape a tainted VB used as an xlat argument.
Definition rlm_sql.c:343
rlm_sql_t const * inst
Module instance.
Definition rlm_sql.c:193
#define SQL_AUTZ_STAGE_GROUP
Definition rlm_sql.c:177
tmpl_t * group_reply_query
Tmpl to expand to form authorize_group_reply_query.
Definition rlm_sql.c:124
tmpl_t * group_check_query
Tmpl to expand to form authorize_group_check_query.
Definition rlm_sql.c:123
int num_groups
How many groups have been retrieved.
Definition rlm_sql.c:187
static int sql_autz_ctx_free(sql_autz_ctx_t *to_free)
Definition rlm_sql.c:1281
trunk_t * trunk
Trunk connection for current authorization.
Definition rlm_sql.c:196
fr_value_box_t * query_vb
Current query string.
Definition rlm_sql.c:245
fr_value_box_list_t query
Where expanded query tmpl will be written.
Definition rlm_sql.c:244
map_list_t reply_tmp
List to store reply items before processing.
Definition rlm_sql.c:199
sql_autz_status_t status
Current status of the authorization.
Definition rlm_sql.c:200
request_t * request
Request being processed.
Definition rlm_sql.c:194
fr_pair_t * profile
Current profile being processed.
Definition rlm_sql.c:205
#define MAX_SQL_FIELD_INDEX
Definition rlm_sql.c:722
fr_dict_attr_autoload_t rlm_sql_dict_attr[]
Definition rlm_sql.c:110
fr_value_box_list_t query
Definition rlm_sql.c:1132
static int mod_thread_instantiate(module_thread_inst_ctx_t const *mctx)
Initialise thread specific data structure.
Definition rlm_sql.c:2398
static void * sql_escape_uctx_alloc(UNUSED request_t *request, void const *uctx)
Definition rlm_sql.c:286
static unlang_action_t mod_sql_redundant(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
Generic module call for failing between a bunch of queries.
Definition rlm_sql.c:1904
fr_sql_query_t * query_ctx
Query context for current query.
Definition rlm_sql.c:246
static unlang_action_t mod_sql_redundant_query_resume(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
Resume function called after executing an SQL query in a redundant list of queries.
Definition rlm_sql.c:1785
rlm_rcode_t rcode
Module return code.
Definition rlm_sql.c:195
tmpl_t ** query
Array of tmpls for list of queries to run.
Definition rlm_sql.c:213
rlm_sql_grouplist_t * next
Definition rlm_sql.c:1061
static const call_env_method_t accounting_method_env
Definition rlm_sql.c:216
static int sql_redundant_ctx_free(sql_redundant_ctx_t *to_free)
Tidy up when freeing an SQL redundant context.
Definition rlm_sql.c:1768
static const call_env_method_t group_xlat_method_env
Definition rlm_sql.c:254
sql_group_ctx_t * group_ctx
Context used for retrieving user group membership.
Definition rlm_sql.c:207
tmpl_t * membership_query
Tmpl to expand to form group_membership_query.
Definition rlm_sql.c:122
static int sql_box_escape(fr_value_box_t *vb, void *uctx)
Definition rlm_sql.c:414
static const conf_parser_t module_config[]
Definition rlm_sql.c:64
fr_value_box_list_t query
Where expanded query tmpls will be written.
Definition rlm_sql.c:201
bool user_found
Has the user been found anywhere?
Definition rlm_sql.c:202
static fr_dict_attr_t const * attr_user_profile
Definition rlm_sql.c:106
static const call_env_method_t send_method_env
Definition rlm_sql.c:226
fr_dict_autoload_t rlm_sql_dict[]
Definition rlm_sql.c:99
fr_dict_attr_t const * group_da
Definition rlm_sql.c:60
static int mod_thread_detach(module_thread_inst_ctx_t const *mctx)
Definition rlm_sql.c:2417
static unlang_action_t mod_map_resume(unlang_result_t *p_result, map_ctx_t const *mpctx, request_t *request, UNUSED fr_value_box_list_t *query, map_list_t const *maps)
Process the results of an SQL map query.
Definition rlm_sql.c:736
static int mod_instantiate(module_inst_ctx_t const *mctx)
Definition rlm_sql.c:2120
fr_value_box_t user
Expansion of sql_user_name.
Definition rlm_sql.c:211
static int query_call_env_parse(TALLOC_CTX *ctx, call_env_parsed_head_t *out, tmpl_rules_t const *t_rules, CONF_ITEM *cc, call_env_ctx_t const *cec, call_env_parser_t const *rule)
static unlang_action_t mod_map_proc(unlang_result_t *p_result, map_ctx_t const *mpctx, request_t *request, fr_value_box_list_t *query, UNUSED map_list_t const *maps)
Executes a SELECT query and maps the result to server attributes.
Definition rlm_sql.c:874
static ssize_t sql_escape_func(request_t *, char *out, size_t outlen, char const *in, void *arg)
static int sql_call_env_parse(TALLOC_CTX *ctx, void *out, tmpl_rules_t const *t_rules, CONF_ITEM *ci, call_env_ctx_t const *cec, UNUSED call_env_parser_t const *rule)
Custom parser for sql call env queries.
Definition rlm_sql.c:2431
static unlang_action_t mod_sql_redundant_resume(unlang_result_t *p_result, module_ctx_t const *mctx, request_t *request)
Resume function called after expansion of next query in a redundant list of queries.
Definition rlm_sql.c:1873
Context for SQL authorization.
Definition rlm_sql.c:192
Context for group membership query evaluation.
Definition rlm_sql.c:182
Context for tracking redundant SQL query sets.
Definition rlm_sql.c:238
Prototypes and functions for the SQL module.
fr_sql_query_t * fr_sql_query_alloc(TALLOC_CTX *ctx, rlm_sql_t const *inst, request_t *request, trunk_t *trunk, char const *query_str, fr_sql_query_type_t type)
Allocate an sql query structure.
Definition sql.c:183
trunk_t * trunk
Trunk connection for this thread.
Definition rlm_sql.h:114
rlm_sql_t const * inst
Module instance data.
Definition rlm_sql.h:115
#define RLM_SQL_MULTI_QUERY_CONN
Can support multiple queries on a single connection.
Definition rlm_sql.h:173
fr_sql_query_type_t type
Type of query.
Definition rlm_sql.h:143
unlang_action_t sql_get_map_list(unlang_result_t *p_result, request_t *request, fr_sql_map_ctx_t *map_ctx, trunk_t *trunk)
Submit the query to get any user / group check or reply pairs.
Definition sql.c:347
unlang_action_t rlm_sql_fetch_row(unlang_result_t *p_result, request_t *request, void *uctx)
Call the driver's sql_fetch_row function.
Definition sql.c:79
void rlm_sql_query_log(rlm_sql_t const *inst, char const *filename, char const *query)
Definition sql.c:377
rlm_sql_t const * inst
Module instance for this query.
Definition rlm_sql.h:137
sql_rcode_t
Action to take at end of an SQL query.
Definition rlm_sql.h:44
@ RLM_SQL_QUERY_INVALID
Query syntax error.
Definition rlm_sql.h:45
@ RLM_SQL_ALT_QUERY
Key constraint violation, use an alternative query.
Definition rlm_sql.h:49
@ RLM_SQL_RECONNECT
Stale connection, should reconnect.
Definition rlm_sql.h:48
@ RLM_SQL_ERROR
General connection/server error.
Definition rlm_sql.h:46
@ RLM_SQL_OK
Success.
Definition rlm_sql.h:47
@ RLM_SQL_NO_MORE_ROWS
No more rows available.
Definition rlm_sql.h:50
@ SQL_QUERY_SELECT
Definition rlm_sql.h:120
@ SQL_QUERY_OTHER
Definition rlm_sql.h:121
TALLOC_CTX * ctx
To allocate map entries in.
Definition rlm_sql.h:153
void * sql_escape_arg
Thread specific argument to be passed to escape function.
Definition rlm_sql.h:116
sql_fall_through_t
Definition rlm_sql.h:53
@ FALL_THROUGH_DEFAULT
Definition rlm_sql.h:56
@ FALL_THROUGH_YES
Definition rlm_sql.h:55
char ** rlm_sql_row_t
Definition rlm_sql.h:59
void rlm_sql_print_error(rlm_sql_t const *inst, request_t *request, fr_sql_query_t *query_ctx, bool force_debug)
Retrieve any errors from the SQL driver.
Definition sql.c:122
rlm_sql_row_t row
Row data from the last query.
Definition rlm_sql.h:146
sql_rcode_t rcode
Result code.
Definition rlm_sql.h:145
rlm_sql_t const * sql
Definition rlm_sql.h:197
fr_table_num_sorted_t const sql_rcode_description_table[]
Definition sql.c:45
unlang_action_t rlm_sql_trunk_query(unlang_result_t *p_result, request_t *request, void *uctx)
Submit an SQL query using a trunk connection.
Definition sql.c:233
Context used when fetching attribute value pairs as a map list.
Definition rlm_sql.h:152
int fr_sbuff_trim_talloc(fr_sbuff_t *sbuff, size_t len)
Trim a talloced sbuff to the minimum length required to represent the contained string.
Definition sbuff.c:424
#define FR_SBUFF_IN(_start, _len_or_end)
#define fr_sbuff_buff(_sbuff_or_marker)
Talloc sbuff extension structure.
Definition sbuff.h:139
static char const * section_name_str(char const *name)
Return a printable string for the section name.
Definition section.h:98
#define SECTION_NAME(_name1, _name2)
Define a section name consisting of a verb and a noun.
Definition section.h:40
char const * name2
Second section name. Usually a packet type like 'access-request', 'access-accept',...
Definition section.h:46
char const * name1
First section name. Usually a verb like 'recv', 'send', etc...
Definition section.h:45
char const * name
Instance name e.g. user_database.
Definition module.h:355
CONF_SECTION * conf
Module's instance configuration.
Definition module.h:349
void * data
Module's instance data.
Definition module.h:291
void * boot
Data allocated during the boostrap phase.
Definition module.h:294
void * data
Thread specific instance data.
Definition module.h:372
static module_thread_instance_t * module_thread(module_instance_t const *mi)
Retrieve module/thread specific instance for a module.
Definition module.h:501
#define MODULE_BINDING_TERMINATOR
Terminate a module binding list.
Definition module.h:152
size_t boot_size
Size of the module's bootstrap data.
Definition module.h:209
module_t * exported
Public module structure.
Definition module.h:296
Module instance data.
Definition module.h:285
Named methods exported by a module.
Definition module.h:174
#define pair_append_control(_attr, _da)
Allocate and append a fr_pair_t to the control list.
Definition pair.h:57
#define pair_delete_request(_pair_or_da)
Delete a fr_pair_t in the request list.
Definition pair.h:172
#define pair_update_control(_attr, _da)
Return or allocate a fr_pair_t in the control list.
Definition pair.h:140
tmpl_escape_t escape
How escaping should be handled during evaluation.
Definition tmpl.h:349
int tmpl_resolve(tmpl_t *vpt, tmpl_res_rules_t const *tr_rules))
Attempt to resolve functions and attributes in xlats and attribute references.
#define tmpl_value(_tmpl)
Definition tmpl.h:937
fr_value_box_safe_for_t literals_safe_for
safe_for value assigned to literal values in xlats, execs, and data.
Definition tmpl.h:347
#define tmpl_is_attr(vpt)
Definition tmpl.h:208
ssize_t tmpl_afrom_substr(TALLOC_CTX *ctx, tmpl_t **out, fr_sbuff_t *in, fr_token_t quote, fr_sbuff_parse_rules_t const *p_rules, tmpl_rules_t const *t_rules))
Convert an arbitrary string into a tmpl_t.
#define tmpl_is_data(vpt)
Definition tmpl.h:206
#define tmpl_expand(_out, _buff, _buff_len, _request, _vpt)
Expand a tmpl to a C type, using existing storage to hold variably sized types.
Definition tmpl.h:1052
#define tmpl_value_type(_tmpl)
Definition tmpl.h:939
tmpl_attr_rules_t attr
Rules/data for parsing attribute references.
Definition tmpl.h:335
static fr_dict_attr_t const * tmpl_attr_tail_da(tmpl_t const *vpt)
Return the last attribute reference da.
Definition tmpl.h:801
#define tmpl_needs_resolving(vpt)
Definition tmpl.h:223
Similar to tmpl_rules_t, but used to specify parameters that may change during subsequent resolution ...
Definition tmpl.h:364
Optional arguments passed to vp_tmpl functions.
Definition tmpl.h:332
#define fr_skip_whitespace(_p)
Skip whitespace ('\t', '\n', '\v', '\f', '\r', ' ')
Definition skip.h:37
PUBLIC int snprintf(char *string, size_t length, char *format, va_alist)
Definition snprintf.c:689
return count
Definition module.c:155
int module_instantiate(module_instance_t *instance)
Manually complete module setup by calling its instantiate function.
Definition module.c:1189
unlang_action_t unlang_module_yield(request_t *request, module_method_t resume, unlang_module_signal_t signal, fr_signal_t sigmask, void *rctx)
Yield a request back to the interpreter from within a module.
Definition module.c:429
unlang_action_t unlang_module_yield_to_tmpl(TALLOC_CTX *ctx, fr_value_box_list_t *out, request_t *request, tmpl_t const *vpt, unlang_tmpl_args_t *args, module_method_t resume, unlang_module_signal_t signal, fr_signal_t sigmask, void *rctx)
Push a pre-compiled tmpl and resumption state onto the stack for evaluation.
Definition module.c:216
eap_aka_sim_process_conf_t * inst
fr_pair_value_bstrdup_buffer(vp, eap_session->identity, true)
fr_pair_t * vp
eap_type_t type
The preferred EAP-Type of this instance of the EAP-SIM/AKA/AKA' state machine.
Value pair map.
Definition map.h:77
fr_token_t op
The operator that controls insertion of the dst attribute.
Definition map.h:82
tmpl_t * lhs
Typically describes the attribute to add, modify or compare.
Definition map.h:78
tmpl_t * rhs
Typically describes a literal value or a src attribute to copy or compare.
Definition map.h:79
void * sql_escape_arg
Instance specific argument to be passed to escape function.
Definition rlm_sql.h:239
fr_dict_t const * dict_def
Default dictionary to use with unqualified attribute references.
Definition tmpl.h:273
Stores an attribute, a value and various bits of other data.
Definition pair.h:68
fr_dict_attr_t const *_CONST da
Dictionary attribute defines the attribute number, vendor and type of the pair.
Definition pair.h:69
#define fr_table_str_by_value(_table, _number, _def)
Convert an integer to a string.
Definition table.h:772
char * talloc_typed_strdup(TALLOC_CTX *ctx, char const *p)
Call talloc_strdup, setting the type on the new chunk correctly.
Definition talloc.c:467
#define talloc_get_type_abort_const
Definition talloc.h:287
static fr_time_delta_t fr_time_delta_from_sec(int64_t sec)
Definition time.h:590
int unlang_tmpl_push(TALLOC_CTX *ctx, unlang_result_t *p_result, fr_value_box_list_t *out, request_t *request, tmpl_t const *tmpl, unlang_tmpl_args_t *args, bool top_frame)
Push a tmpl onto the stack for evaluation.
Definition tmpl.c:276
@ TMPL_ESCAPE_UCTX_ALLOC_FUNC
A new uctx of the specified size and type is allocated and pre-populated by memcpying uctx....
Definition tmpl_escape.h:35
fr_value_box_escape_t box_escape
How to escape when returned from evaluation.
Definition tmpl_escape.h:81
@ TMPL_ESCAPE_PRE_CONCAT
Pre-concatenation escaping is useful for DSLs where elements of the expansion are static,...
Definition tmpl_escape.h:61
struct tmpl_escape_t::@75 uctx
tmpl_escape_mode_t mode
Whether to apply escape function after concatenation, i.e.
Definition tmpl_escape.h:83
Escaping rules for tmpls.
Definition tmpl_escape.h:80
const bool fr_assignment_op[T_TOKEN_LAST]
Definition token.c:169
char const * fr_tokens[T_TOKEN_LAST]
Definition token.c:79
const bool fr_comparison_op[T_TOKEN_LAST]
Definition token.c:199
@ T_OP_CMP_TRUE
Definition token.h:104
@ T_OP_CMP_FALSE
Definition token.h:105
int module_trigger_args_build(TALLOC_CTX *ctx, fr_pair_list_t *list, CONF_SECTION *cs, module_trigger_args_t *args)
Build trigger args pair list for modules.
Definition trigger.c:493
Common values used by modules when building trigger args.
Definition trigger.h:42
trunk_t * trunk_alloc(TALLOC_CTX *ctx, fr_event_list_t *el, trunk_io_funcs_t const *funcs, trunk_conf_t const *conf, char const *log_prefix, void const *uctx, bool delay_start, fr_pair_list_t *trigger_args)
Allocate a new collection of connections.
Definition trunk.c:4963
conf_parser_t const trunk_config[]
Config parser definitions to populate a trunk_conf_t.
Definition trunk.c:341
Main trunk management handle.
Definition trunk.c:215
static int expand_rhs(request_t *request, unlang_frame_state_edit_t *state, edit_map_t *current)
Definition edit.c:1137
xlat_action_t unlang_xlat_yield(request_t *request, xlat_func_t resume, xlat_func_signal_t signal, fr_signal_t sigmask, void *rctx)
Yield a request back to the interpreter from within a module.
Definition xlat.c:548
fr_type_t type
Type to cast argument to.
Definition xlat.h:155
xlat_action_t xlat_transparent(UNUSED TALLOC_CTX *ctx, fr_dcursor_t *out, UNUSED xlat_ctx_t const *xctx, request_t *request, fr_value_box_list_t *args)
#define XLAT_ARG_PARSER_TERMINATOR
Definition xlat.h:170
xlat_action_t
Definition xlat.h:37
@ XLAT_ACTION_FAIL
An xlat function failed.
Definition xlat.h:44
@ XLAT_ACTION_YIELD
An xlat function pushed a resume frame onto the stack.
Definition xlat.h:42
@ XLAT_ACTION_PUSH_UNLANG
An xlat function pushed an unlang frame onto the unlang stack.
Definition xlat.h:39
@ XLAT_ACTION_DONE
We're done evaluating this level of nesting.
Definition xlat.h:43
Definition for a single argument consumend by an xlat function.
Definition xlat.h:145
static fr_slen_t parent
Definition pair.h:841
#define fr_strerror_printf_push(_fmt,...)
Add a message to an existing stack of messages at the tail.
Definition strerror.h:84
#define fr_type_is_structural(_x)
Definition types.h:393
#define FR_TYPE_IP
Definition types.h:309
static char const * fr_type_to_str(fr_type_t type)
Return a static string containing the type name.
Definition types.h:455
#define FR_TYPE_NUMERIC
Definition types.h:307
fr_sbuff_parse_rules_t const * value_parse_rules_quoted[T_TOKEN_LAST]
Parse rules for quoted strings.
Definition value.c:612
int fr_value_box_cast_in_place(TALLOC_CTX *ctx, fr_value_box_t *vb, fr_type_t dst_type, fr_dict_attr_t const *dst_enumv)
Convert one type of fr_value_box_t to another in place.
Definition value.c:3976
void fr_value_box_clear_value(fr_value_box_t *data)
Clear/free any existing value.
Definition value.c:4085
int fr_value_box_strdup(TALLOC_CTX *ctx, fr_value_box_t *dst, fr_dict_attr_t const *enumv, char const *src, bool tainted)
Copy a nul terminated string to a fr_value_box_t.
Definition value.c:4368
void fr_value_box_strdup_shallow_replace(fr_value_box_t *vb, char const *src, ssize_t len)
Free the existing buffer (if talloced) associated with the valuebox, and replace it with a new one.
Definition value.c:4493
int fr_value_box_list_concat_in_place(TALLOC_CTX *ctx, fr_value_box_t *out, fr_value_box_list_t *list, fr_type_t type, fr_value_box_list_action_t proc_action, bool flatten, size_t max_size)
Concatenate a list of value boxes.
Definition value.c:6267
@ FR_VALUE_BOX_LIST_FREE
Definition value.h:239
#define fr_value_box_alloc(_ctx, _type, _enumv)
Allocate a value box of a specific type.
Definition value.h:643
#define fr_value_box_mark_safe_for(_box, _safe_for)
Definition value.h:1074
#define fr_box_strvalue_buffer(_val)
Definition value.h:311
#define fr_value_box_is_safe_for(_box, _safe_for)
Definition value.h:1081
fr_value_box_safe_for_t safe_for
Definition value.h:677
uintptr_t fr_value_box_safe_for_t
Escaping that's been applied to a value box.
Definition value.h:162
int nonnull(2, 5))
#define fr_value_box_alloc_null(_ctx)
Allocate a value box for later use with a value assignment function.
Definition value.h:654
fr_value_box_escape_func_t func
Definition value.h:676
static size_t char ** out
Definition value.h:1023
static TALLOC_CTX * xlat_ctx
void * rctx
Resume context.
Definition xlat_ctx.h:54
void * env_data
Expanded call env data.
Definition xlat_ctx.h:53
module_ctx_t const * mctx
Synthesised module calling ctx.
Definition xlat_ctx.h:52
An xlat calling ctx.
Definition xlat_ctx.h:49
void xlat_func_flags_set(xlat_t *x, xlat_func_flags_t flags)
Specify flags that alter the xlat's behaviour.
Definition xlat_func.c:399
int xlat_func_args_set(xlat_t *x, xlat_arg_parser_t const args[])
Register the arguments of an xlat.
Definition xlat_func.c:363
void xlat_func_call_env_set(xlat_t *x, call_env_method_t const *env_method)
Register call environment of an xlat.
Definition xlat_func.c:389
#define xlat_func_safe_for_set(_xlat, _escaped)
Set the escaped values for output boxes.
Definition xlat_func.h:82
@ XLAT_FUNC_FLAG_PURE
Definition xlat_func.h:38