The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
rlm_tacacs.c
Go to the documentation of this file.
1/*
2 * This program is is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or (at
5 * your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: 0eead8873f4475fcfff58e612bd28f90949a5da2 $
19 * @file rlm_tacacs.c
20 * @brief A TACACS client library.
21 *
22 * @copyright 2023 Network RADIUS SAS (legal@networkradius.com)
23 */
24RCSID("$Id: 0eead8873f4475fcfff58e612bd28f90949a5da2 $")
25
26#include <freeradius-devel/io/application.h>
27#include <freeradius-devel/server/modpriv.h>
28#include <freeradius-devel/util/debug.h>
29#include <freeradius-devel/util/dlist.h>
30
31#include "rlm_tacacs.h"
32
33static int type_parse(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule);
34
35/*
36 * Retransmission intervals for the packets we support.
37 */
38static conf_parser_t retry_config[] = {
39 { FR_CONF_OFFSET("initial_rtx_time", fr_retry_config_t, irt), .dflt = STRINGIFY(2) },
40 { FR_CONF_OFFSET("max_rtx_time", fr_retry_config_t, mrt), .dflt = STRINGIFY(16) },
41 { FR_CONF_OFFSET("max_rtx_count", fr_retry_config_t, mrc), .dflt = STRINGIFY(5) },
42 { FR_CONF_OFFSET("max_rtx_duration", fr_retry_config_t, mrd), .dflt = STRINGIFY(30) },
43 CONF_PARSER_TERMINATOR
44};
45
46/*
47 * A mapping of configuration file names to internal variables.
48 */
49static conf_parser_t const module_config[] = {
50 { FR_CONF_OFFSET_TYPE_FLAGS("transport", FR_TYPE_VOID, 0, rlm_tacacs_t, io_submodule),
51 .func = module_rlm_submodule_parse },
52
53 { FR_CONF_OFFSET_FLAGS("type", CONF_FLAG_NOT_EMPTY | CONF_FLAG_MULTI | CONF_FLAG_REQUIRED, rlm_tacacs_t, types),
54 .func = type_parse },
55
56 { FR_CONF_OFFSET("max_attributes", rlm_tacacs_t, max_attributes), .dflt = STRINGIFY(FR_MAX_ATTRIBUTES) },
57
58 { FR_CONF_OFFSET("response_window", rlm_tacacs_t, response_window), .dflt = STRINGIFY(20) },
59
60 { FR_CONF_OFFSET("zombie_period", rlm_tacacs_t, zombie_period), .dflt = STRINGIFY(40) },
61
62 { FR_CONF_OFFSET("revive_interval", rlm_tacacs_t, revive_interval) },
63
64 { FR_CONF_OFFSET_SUBSECTION("pool", 0, rlm_tacacs_t, trunk_conf, trunk_config ) },
65
66 { FR_CONF_OFFSET_SUBSECTION("retry", 0, rlm_tacacs_t, retry, retry_config ) },
67
68 CONF_PARSER_TERMINATOR
69};
70
71static fr_dict_t const *dict_tacacs;
72
73extern fr_dict_autoload_t rlm_tacacs_dict[];
74fr_dict_autoload_t rlm_tacacs_dict[] = {
75 { .out = &dict_tacacs, .proto = "tacacs" },
76 { NULL }
77};
78
79static fr_dict_attr_t const *attr_packet_type;
80
81extern fr_dict_attr_autoload_t rlm_tacacs_dict_attr[];
82fr_dict_attr_autoload_t rlm_tacacs_dict_attr[] = {
83 { .out = &attr_packet_type, .name = "Packet-Type", .type = FR_TYPE_UINT32, .dict = &dict_tacacs },
84 { NULL }
85};
86
87/** Set which types of packets we can parse
88 *
89 * @param[in] ctx to allocate data in (instance of rlm_tacacs).
90 * @param[out] out Where to write the parsed data.
91 * @param[in] parent Base structure address.
92 * @param[in] ci #CONF_PAIR specifying the name of the type module.
93 * @param[in] rule unused.
94 * @return
95 * - 0 on success.
96 * - -1 on failure.
97 */
98static int type_parse(UNUSED TALLOC_CTX *ctx, void *out, UNUSED void *parent,
99 CONF_ITEM *ci, UNUSED conf_parser_t const *rule)
100{
101 char const *type_str = cf_pair_value(cf_item_to_pair(ci));
102 fr_dict_enum_value_t const *type_enum;
103 uint32_t code;
104
105#ifndef NDEBUG
106 CONF_SECTION *cs = cf_item_to_section(cf_parent(ci));
107#endif
108
109 /*
110 * Must be the TACACS+ module
111 */
112 fr_assert(cs && (strcmp(cf_section_name1(cs), "tacacs") == 0));
113
114 /*
115 * Allow the process module to be specified by
116 * packet type.
117 */
118 type_enum = fr_dict_enum_by_name(attr_packet_type, type_str, -1);
119 if (!type_enum) {
120 cf_log_err(ci, "Unknown TACACS+ packet type '%s'", type_str);
121 return -1;
122 }
123
124 code = type_enum->value->vb_uint32;
125
126 memcpy(out, &code, sizeof(code));
127
128 return 0;
129}
130
131static void mod_tacacs_signal(module_ctx_t const *mctx, request_t *request, fr_signal_t action)
132{
133 rlm_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, rlm_tacacs_t);
134 rlm_tacacs_io_t const *io = (rlm_tacacs_io_t const *)inst->io_submodule->exported; /* Public symbol exported by the module */
135
136 /*
137 * We received a duplicate packet, ignore the dup, and rely on the
138 * IO submodule / trunk to do it's own retransmissions.
139 */
140 if (action == FR_SIGNAL_DUP) return;
141
142 if (!io->signal) return;
143
144 io->signal(MODULE_CTX(inst->io_submodule,
145 module_thread(inst->io_submodule)->data, mctx->env_data,
146 mctx->rctx), request, action);
147}
148
149/** Send packets outbound.
150 *
151 */
152static unlang_action_t CC_HINT(nonnull) mod_process(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
153{
154 rlm_tacacs_t const *inst = talloc_get_type_abort_const(mctx->mi->data, rlm_tacacs_t);
155 rlm_rcode_t rcode;
156 unlang_action_t ua;
157
158 void *rctx = NULL;
159
160 if (!FR_TACACS_PACKET_CODE_VALID(request->packet->code)) {
161 REDEBUG("Invalid packet code %d", request->packet->code);
162 RETURN_MODULE_FAIL;
163 }
164
165 if (!inst->allowed[request->packet->code]) {
166 REDEBUG("Packet code %s is disallowed by the configuration",
167 fr_tacacs_packet_names[request->packet->code]);
168 RETURN_MODULE_FAIL;
169 }
170
171 /*
172 * Push the request and it's data to the IO submodule.
173 *
174 * This may return YIELD, for "please yield", or it may
175 * return another code which indicates what happened to
176 * the request...
177 */
178 ua = inst->io->enqueue(&rcode, &rctx, inst->io_submodule->data,
179 module_thread(inst->io_submodule)->data, request);
180 if (ua != UNLANG_ACTION_YIELD) {
181 fr_assert(rctx == NULL);
182 RETURN_MODULE_RCODE(rcode);
183 }
184
185 return unlang_module_yield(request, inst->io->resume, mod_tacacs_signal, 0, rctx);
186}
187
188static int mod_instantiate(module_inst_ctx_t const *mctx)
189{
190 size_t i, num_types;
191 rlm_tacacs_t *inst = talloc_get_type_abort(mctx->mi->data, rlm_tacacs_t);
192
193 inst->io = (rlm_tacacs_io_t const *)inst->io_submodule->exported; /* Public symbol exported by the module */
194 inst->name = mctx->mi->name;
195
196 /*
197 * These limits are specific to TACACS, and cannot be over-ridden, due to 8-bit ID fields!
198 */
199 FR_INTEGER_BOUND_CHECK("trunk.per_connection_max", inst->trunk_conf.max_req_per_conn, >=, 2);
200 FR_INTEGER_BOUND_CHECK("trunk.per_connection_max", inst->trunk_conf.max_req_per_conn, <=, 255);
201 FR_INTEGER_BOUND_CHECK("trunk.per_connection_target", inst->trunk_conf.target_req_per_conn, <=, inst->trunk_conf.max_req_per_conn / 2);
202
203 FR_TIME_DELTA_BOUND_CHECK("response_window", inst->zombie_period, >=, fr_time_delta_from_sec(1));
204 FR_TIME_DELTA_BOUND_CHECK("response_window", inst->zombie_period, <=, fr_time_delta_from_sec(120));
205
206 FR_TIME_DELTA_BOUND_CHECK("zombie_period", inst->zombie_period, >=, fr_time_delta_from_sec(1));
207 FR_TIME_DELTA_BOUND_CHECK("zombie_period", inst->zombie_period, <=, fr_time_delta_from_sec(120));
208
209 FR_TIME_DELTA_BOUND_CHECK("revive_interval", inst->revive_interval, >=, fr_time_delta_from_sec(10));
210 FR_TIME_DELTA_BOUND_CHECK("revive_interval", inst->revive_interval, <=, fr_time_delta_from_sec(3600));
211
212 num_types = talloc_array_length(inst->types);
213 fr_assert(num_types > 0);
214
215 /*
216 * Allow for O(1) lookup later...
217 */
218 for (i = 0; i < num_types; i++) {
219 uint32_t code;
220
221 code = inst->types[i];
222 fr_assert(FR_TACACS_PACKET_CODE_VALID(code));
223
224 inst->allowed[code] = true;
225 }
226
227
228 return 0;
229}
230
231static int mod_load(void)
232{
233 if (fr_tacacs_global_init() < 0) {
234 PERROR("Failed initialising protocol library");
235 return -1;
236 }
237 return 0;
238}
239
240static void mod_unload(void)
241{
242 fr_tacacs_global_free();
243}
244
245/*
246 * The module name should be the only globally exported symbol.
247 * That is, everything else should be 'static'.
248 *
249 * If the module needs to temporarily modify it's instantiation
250 * data, the type should be changed to MODULE_TYPE_THREAD_UNSAFE.
251 * The server will then take care of ensuring that the module
252 * is single-threaded.
253 */
254extern module_rlm_t rlm_tacacs;
255module_rlm_t rlm_tacacs = {
256 .common = {
257 .magic = MODULE_MAGIC_INIT,
258 .name = "tacacs",
259 .inst_size = sizeof(rlm_tacacs_t),
260 .config = module_config,
261 .dict = &dict_tacacs,
262
263 .onload = mod_load,
264 .unload = mod_unload,
265
266 .instantiate = mod_instantiate,
267 },
268 .method_group = {
269 .bindings = (module_method_binding_t[]){
270 { .section = SECTION_NAME(CF_IDENT_ANY, CF_IDENT_ANY), .method = mod_process },
271 MODULE_BINDING_TERMINATOR
272 }
273 }
274};
unlang_action_t
unlang_action_t
Returned by unlang_op_t calls, determine the next action of the interpreter.
Definition action.h:35
UNLANG_ACTION_YIELD
@ UNLANG_ACTION_YIELD
Temporarily pause execution until an event occurs.
Definition action.h:41
RCSID
#define RCSID(id)
Definition build.h:485
STRINGIFY
#define STRINGIFY(x)
Definition build.h:197
UNUSED
#define UNUSED
Definition build.h:317
CONF_PARSER_TERMINATOR
#define CONF_PARSER_TERMINATOR
Definition cf_parse.h:658
conf_parser_s::func
cf_parse_t func
Override default parsing behaviour for the specified type with a custom parsing function.
Definition cf_parse.h:612
FR_INTEGER_BOUND_CHECK
#define FR_INTEGER_BOUND_CHECK(_name, _var, _op, _bound)
Definition cf_parse.h:518
FR_CONF_OFFSET
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:284
FR_CONF_OFFSET_FLAGS
#define FR_CONF_OFFSET_FLAGS(_name, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:272
FR_CONF_OFFSET_SUBSECTION
#define FR_CONF_OFFSET_SUBSECTION(_name, _flags, _struct, _field, _subcs)
conf_parser_t which populates a sub-struct using a CONF_SECTION
Definition cf_parse.h:313
FR_TIME_DELTA_BOUND_CHECK
#define FR_TIME_DELTA_BOUND_CHECK(_name, _var, _op, _bound)
Definition cf_parse.h:529
CONF_FLAG_REQUIRED
@ CONF_FLAG_REQUIRED
Error out if no matching CONF_PAIR is found, and no dflt value is set.
Definition cf_parse.h:434
CONF_FLAG_MULTI
@ CONF_FLAG_MULTI
CONF_PAIR can have multiple copies.
Definition cf_parse.h:448
CONF_FLAG_NOT_EMPTY
@ CONF_FLAG_NOT_EMPTY
CONF_PAIR is required to have a non zero length value.
Definition cf_parse.h:449
FR_CONF_OFFSET_TYPE_FLAGS
#define FR_CONF_OFFSET_TYPE_FLAGS(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:241
conf_parser_s
Defines a CONF_PAIR to C data type mapping.
Definition cf_parse.h:595
cf_item
Common header for all CONF_* types.
Definition cf_priv.h:49
cf_section
A section grouping multiple CONF_PAIR.
Definition cf_priv.h:101
cf_section_name1
char const * cf_section_name1(CONF_SECTION const *cs)
Return the second identifier of a CONF_SECTION.
Definition cf_util.c:1170
cf_item_to_section
CONF_SECTION * cf_item_to_section(CONF_ITEM const *ci)
Cast a CONF_ITEM to a CONF_SECTION.
Definition cf_util.c:683
cf_item_to_pair
CONF_PAIR * cf_item_to_pair(CONF_ITEM const *ci)
Cast a CONF_ITEM to a CONF_PAIR.
Definition cf_util.c:663
cf_pair_value
char const * cf_pair_value(CONF_PAIR const *pair)
Return the value of a CONF_PAIR.
Definition cf_util.c:1593
cf_log_err
#define cf_log_err(_cf, _fmt,...)
Definition cf_util.h:289
cf_parent
#define cf_parent(_cf)
Definition cf_util.h:101
CF_IDENT_ANY
#define CF_IDENT_ANY
Definition cf_util.h:78
fr_dict_attr_autoload_t::out
fr_dict_attr_t const ** out
Where to write a pointer to the resolved fr_dict_attr_t.
Definition dict.h:273
fr_dict_autoload_t::out
fr_dict_t const ** out
Where to write a pointer to the loaded/resolved fr_dict_t.
Definition dict.h:286
fr_dict_enum_value_t::value
fr_value_box_t const * value
Enum value (what name maps to).
Definition dict.h:236
fr_dict_enum_by_name
fr_dict_enum_value_t const * fr_dict_enum_by_name(fr_dict_attr_t const *da, char const *name, ssize_t len)
Definition dict_util.c:3439
fr_dict_attr_autoload_t
Specifies an attribute which must be present for the module to function.
Definition dict.h:272
fr_dict_autoload_t
Specifies a dictionary which must be loaded/loadable for the module to function.
Definition dict.h:285
fr_dict_enum_value_t
Value of an enumerated attribute.
Definition dict.h:232
MODULE_MAGIC_INIT
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
Definition dl_module.h:63
PERROR
#define PERROR(_fmt,...)
Definition log.h:228
FR_TYPE_UINT32
@ FR_TYPE_UINT32
32 Bit unsigned integer.
Definition merged_model.c:99
FR_TYPE_VOID
@ FR_TYPE_VOID
User data.
Definition merged_model.c:127
uint32_t
unsigned int uint32_t
Definition merged_model.c:33
fr_dict_attr_t
Definition merged_model.c:133
fr_dict_t
Definition merged_model.c:198
request_t
Definition merged_model.c:210
module_ctx_t::env_data
void * env_data
Per call environment data.
Definition module_ctx.h:44
module_ctx_t::mi
module_instance_t const * mi
Instance of the module being instantiated.
Definition module_ctx.h:42
module_ctx_t::rctx
void * rctx
Resume ctx that a module previously set.
Definition module_ctx.h:45
MODULE_CTX
#define MODULE_CTX(_mi, _thread, _env_data, _rctx)
Wrapper to create a module_ctx_t as a compound literal.
Definition module_ctx.h:128
module_inst_ctx_t::mi
module_instance_t * mi
Instance of the module being instantiated.
Definition module_ctx.h:51
module_ctx_t
Temporary structure to hold arguments for module calls.
Definition module_ctx.h:41
module_inst_ctx_t
Temporary structure to hold arguments for instantiation calls.
Definition module_ctx.h:50
module_rlm_submodule_parse
int module_rlm_submodule_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
Generic conf_parser_t func for loading drivers.
Definition module_rlm.c:936
module_rlm_s::common
module_t common
Common fields presented by all modules.
Definition module_rlm.h:39
module_rlm_s
Definition module_rlm.h:38
config
static const conf_parser_t config[]
Definition base.c:183
fr_tacacs_packet_names
char const * fr_tacacs_packet_names[FR_TACACS_CODE_MAX]
Definition base.c:119
fr_tacacs_global_free
void fr_tacacs_global_free(void)
Definition base.c:167
fr_tacacs_global_init
int fr_tacacs_global_init(void)
Definition base.c:144
fr_assert
#define fr_assert(_expr)
Definition rad_assert.h:38
REDEBUG
#define REDEBUG(fmt,...)
Definition radclient.h:52
RETURN_MODULE_RCODE
#define RETURN_MODULE_RCODE(_rcode)
Definition rcode.h:66
RETURN_MODULE_FAIL
#define RETURN_MODULE_FAIL
Definition rcode.h:57
rlm_rcode_t
rlm_rcode_t
Return codes indicating the result of the module call.
Definition rcode.h:40
instantiate
static int instantiate(module_inst_ctx_t const *mctx)
Definition rlm_rest.c:1313
mod_load
static int mod_load(void)
Definition rlm_tacacs.c:231
attr_packet_type
static fr_dict_attr_t const * attr_packet_type
Definition rlm_tacacs.c:79
rlm_tacacs_dict_attr
fr_dict_attr_autoload_t rlm_tacacs_dict_attr[]
Definition rlm_tacacs.c:82
mod_process
static unlang_action_t mod_process(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request)
Send packets outbound.
Definition rlm_tacacs.c:152
retry_config
static conf_parser_t retry_config[]
Definition rlm_tacacs.c:38
type_parse
static int type_parse(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
dict_tacacs
static fr_dict_t const * dict_tacacs
Definition rlm_tacacs.c:71
rlm_tacacs_dict
fr_dict_autoload_t rlm_tacacs_dict[]
Definition rlm_tacacs.c:74
mod_unload
static void mod_unload(void)
Definition rlm_tacacs.c:240
rlm_tacacs
module_rlm_t rlm_tacacs
Definition rlm_tacacs.c:255
mod_tacacs_signal
static void mod_tacacs_signal(module_ctx_t const *mctx, request_t *request, fr_signal_t action)
Definition rlm_tacacs.c:131
mod_instantiate
static int mod_instantiate(module_inst_ctx_t const *mctx)
Definition rlm_tacacs.c:188
module_config
static conf_parser_t const module_config[]
Definition rlm_tacacs.c:49
rlm_tacacs.h
rlm_tacacs_t
struct rlm_tacacs_s rlm_tacacs_t
Definition rlm_tacacs.h:36
rlm_tacacs_io_s::signal
unlang_module_signal_t signal
Send a signal to an IO module.
Definition rlm_tacacs.h:76
rlm_tacacs_io_s
Public structure describing an I/O path for an outgoing socket.
Definition rlm_tacacs.h:73
rlm_tacacs_s
Definition rlm_tacacs.h:44
SECTION_NAME
#define SECTION_NAME(_name1, _name2)
Define a section name consisting of a verb and a noun.
Definition section.h:40
module_instance_s::name
char const * name
Instance name e.g. user_database.
Definition module.h:336
module_s::inst_size
size_t inst_size
Size of the module's instance data.
Definition module.h:204
module_instance_s::data
void * data
Module's instance data.
Definition module.h:272
module_thread_instance_s::data
void * data
Thread specific instance data.
Definition module.h:353
module_thread
static module_thread_instance_t * module_thread(module_instance_t const *mi)
Retrieve module/thread specific instance for a module.
Definition module.h:482
MODULE_BINDING_TERMINATOR
#define MODULE_BINDING_TERMINATOR
Terminate a module binding list.
Definition module.h:151
module_method_binding_s
Named methods exported by a module.
Definition module.h:173
fr_signal_t
fr_signal_t
Signals that can be generated/processed by request signal handlers.
Definition signal.h:38
FR_SIGNAL_DUP
@ FR_SIGNAL_DUP
A duplicate request was received.
Definition signal.h:44
unlang_module_yield
unlang_action_t unlang_module_yield(request_t *request, module_method_t resume, unlang_module_signal_t signal, fr_signal_t sigmask, void *rctx)
Yield a request back to the interpreter from within a module.
Definition module.c:419
inst
eap_aka_sim_process_conf_t * inst
Definition state_machine.c:3620
FR_TACACS_PACKET_CODE_VALID
#define FR_TACACS_PACKET_CODE_VALID(_code)
Definition tacacs.h:322
FR_MAX_ATTRIBUTES
#define FR_MAX_ATTRIBUTES
Definition tacacs.h:28
talloc_get_type_abort_const
#define talloc_get_type_abort_const
Definition talloc.h:287
fr_time_delta_from_sec
static fr_time_delta_t fr_time_delta_from_sec(int64_t sec)
Definition time.h:590
trunk_config
conf_parser_t const trunk_config[]
Config parser definitions to populate a trunk_conf_t.
Definition trunk.c:314
parent
static fr_slen_t parent
Definition pair.h:839
fr_retry_config_t
Definition retry.h:32
nonnull
int nonnull(2, 5))
out
static size_t char ** out
Definition value.h:1020
Generated by   doxygen 1.9.8