1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
|
/*
* evaluate.c Evaluate complex conditions
*
* Version: $Id$
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*
* Copyright 2007 The FreeRADIUS server project
* Copyright 2007 Alan DeKok <aland@deployingradius.com>
*/
RCSID("$Id$")
#include <freeradius-devel/radiusd.h>
#include <freeradius-devel/modules.h>
#include <freeradius-devel/parser.h>
#include <freeradius-devel/rad_assert.h>
#include <ctype.h>
#ifdef WITH_UNLANG
#ifdef WITH_EVAL_DEBUG
# define EVAL_DEBUG(fmt, ...) printf("EVAL: ");printf(fmt, ## __VA_ARGS__);printf("\n");fflush(stdout)
#else
# define EVAL_DEBUG(...)
#endif
FR_NAME_NUMBER const modreturn_table[] = {
{ "reject", RLM_MODULE_REJECT },
{ "fail", RLM_MODULE_FAIL },
{ "ok", RLM_MODULE_OK },
{ "handled", RLM_MODULE_HANDLED },
{ "invalid", RLM_MODULE_INVALID },
{ "userlock", RLM_MODULE_USERLOCK },
{ "notfound", RLM_MODULE_NOTFOUND },
{ "noop", RLM_MODULE_NOOP },
{ "updated", RLM_MODULE_UPDATED },
{ NULL, 0 }
};
static bool all_digits(char const *string)
{
char const *p = string;
rad_assert(p != NULL);
if (*p == '\0') return false;
if (*p == '-') p++;
while (isdigit((uint8_t) *p)) p++;
return (*p == '\0');
}
/** Evaluate a template
*
* Converts a vp_tmpl_t to a boolean value.
*
* @param[in] request the REQUEST
* @param[in] modreturn the previous module return code
* @param[in] depth of the recursion (only used for debugging)
* @param[in] vpt the template to evaluate
* @return -1 on error, 0 for "no match", 1 for "match".
*/
int radius_evaluate_tmpl(REQUEST *request, int modreturn, UNUSED int depth, vp_tmpl_t const *vpt)
{
int rcode;
int modcode;
value_data_t data;
switch (vpt->type) {
case TMPL_TYPE_LITERAL:
modcode = fr_str2int(modreturn_table, vpt->name, RLM_MODULE_UNKNOWN);
if (modcode != RLM_MODULE_UNKNOWN) {
rcode = (modcode == modreturn);
break;
}
/*
* Else it's a literal string. Empty string is
* false, non-empty string is true.
*
* @todo: Maybe also check for digits?
*
* The VPT *doesn't* have a "bare word" type,
* which arguably it should.
*/
rcode = (*vpt->name != '\0');
break;
case TMPL_TYPE_ATTR:
case TMPL_TYPE_LIST:
if (tmpl_find_vp(NULL, request, vpt) == 0) {
rcode = true;
} else {
rcode = false;
}
break;
case TMPL_TYPE_XLAT_STRUCT:
case TMPL_TYPE_XLAT:
case TMPL_TYPE_EXEC:
{
char *p;
if (!*vpt->name) return false;
rcode = tmpl_aexpand(request, &p, request, vpt, NULL, NULL);
if (rcode < 0) {
EVAL_DEBUG("FAIL %d", __LINE__);
return -1;
}
data.strvalue = p;
rcode = (data.strvalue && (*data.strvalue != '\0'));
talloc_free(data.ptr);
}
break;
/*
* Can't have a bare ... (/foo/) ...
*/
case TMPL_TYPE_REGEX:
case TMPL_TYPE_REGEX_STRUCT:
rad_assert(0 == 1);
/* FALL-THROUGH */
default:
EVAL_DEBUG("FAIL %d", __LINE__);
rcode = -1;
break;
}
return rcode;
}
#ifdef HAVE_REGEX
/** Perform a regular expressions comparison between two operands
*
* @return -1 on error, 0 for "no match", 1 for "match".
*/
static int cond_do_regex(REQUEST *request, fr_cond_t const *c,
PW_TYPE lhs_type, value_data_t const *lhs, size_t lhs_len,
PW_TYPE rhs_type, value_data_t const *rhs, size_t rhs_len)
{
vp_map_t const *map = c->data.map;
ssize_t slen;
int ret;
regex_t *preg, *rreg = NULL;
regmatch_t rxmatch[REQUEST_MAX_REGEX + 1]; /* +1 for %{0} (whole match) capture group */
size_t nmatch = sizeof(rxmatch) / sizeof(regmatch_t);
if (!lhs || (lhs_type != PW_TYPE_STRING)) return -1;
EVAL_DEBUG("CMP WITH REGEX %s %s",
map->rhs->tmpl_iflag ? "CASE INSENSITIVE" : "CASE SENSITIVE",
map->rhs->tmpl_mflag ? "MULTILINE" : "SINGLELINE");
switch (map->rhs->type) {
case TMPL_TYPE_REGEX_STRUCT: /* pre-compiled to a regex */
preg = map->rhs->tmpl_preg;
#ifdef HAVE_PCRE
rad_assert(preg->precompiled);
#endif
break;
default:
rad_assert(rhs_type == PW_TYPE_STRING);
rad_assert(rhs->strvalue);
slen = regex_compile(request, &rreg, rhs->strvalue, rhs_len,
map->rhs->tmpl_iflag, map->rhs->tmpl_mflag, true, true);
if (slen <= 0) {
REMARKER(rhs->strvalue, -slen, fr_strerror());
EVAL_DEBUG("FAIL %d", __LINE__);
return -1;
}
preg = rreg;
#ifdef HAVE_PCRE
rad_assert(!preg->precompiled);
#endif
break;
}
ret = regex_exec(preg, lhs->strvalue, lhs_len, rxmatch, &nmatch);
switch (ret) {
case 0:
EVAL_DEBUG("CLEARING SUBCAPTURES");
regex_sub_to_request(request, NULL, NULL, 0, NULL, 0); /* clear out old entries */
break;
case 1:
EVAL_DEBUG("SETTING SUBCAPTURES");
regex_sub_to_request(request, &preg, lhs->strvalue, lhs_len, rxmatch, nmatch);
break;
case -1:
EVAL_DEBUG("REGEX ERROR");
REDEBUG("regex failed: %s", fr_strerror());
break;
default:
break;
}
if (preg) talloc_free(rreg);
return ret;
}
#endif
#ifdef WITH_EVAL_DEBUG
static void cond_print_operands(REQUEST *request,
PW_TYPE lhs_type, value_data_t const *lhs, size_t lhs_len,
PW_TYPE rhs_type, value_data_t const *rhs, size_t rhs_len)
{
if (lhs) {
if (lhs_type == PW_TYPE_STRING) {
EVAL_DEBUG("LHS: \"%s\" (%zu)" , lhs->strvalue, lhs_len);
} else {
char *lhs_hex;
lhs_hex = talloc_array(request, char, (lhs_len * 2) + 1);
if (lhs_type == PW_TYPE_OCTETS) {
fr_bin2hex(lhs_hex, lhs->octets, lhs_len);
} else {
fr_bin2hex(lhs_hex, (uint8_t const *)lhs, lhs_len);
}
EVAL_DEBUG("LHS: 0x%s (%zu)", lhs_hex, lhs_len);
talloc_free(lhs_hex);
}
} else {
EVAL_DEBUG("LHS: VIRTUAL");
}
if (rhs) {
if (rhs_type == PW_TYPE_STRING) {
EVAL_DEBUG("RHS: \"%s\" (%zu)" , rhs->strvalue, rhs_len);
} else {
char *rhs_hex;
rhs_hex = talloc_array(request, char, (rhs_len * 2) + 1);
if (rhs_type == PW_TYPE_OCTETS) {
fr_bin2hex(rhs_hex, rhs->octets, rhs_len);
} else {
fr_bin2hex(rhs_hex, (uint8_t const *)rhs, rhs_len);
}
EVAL_DEBUG("RHS: 0x%s (%zu)", rhs_hex, rhs_len);
talloc_free(rhs_hex);
}
} else {
EVAL_DEBUG("RHS: COMPILED");
}
}
#endif
/** Call the correct data comparison function for the condition
*
* Deals with regular expression comparisons, virtual attribute
* comparisons, and data comparisons.
*
* @return -1 on error, 0 for "no match", 1 for "match".
*/
static int cond_cmp_values(REQUEST *request, fr_cond_t const *c,
PW_TYPE lhs_type, value_data_t const *lhs, size_t lhs_len,
PW_TYPE rhs_type, value_data_t const *rhs, size_t rhs_len)
{
vp_map_t const *map = c->data.map;
int rcode;
#ifdef WITH_EVAL_DEBUG
EVAL_DEBUG("CMP OPERANDS");
cond_print_operands(request, lhs_type, lhs, lhs_len, rhs_type, rhs, rhs_len);
#endif
#ifdef HAVE_REGEX
/*
* Regex comparison
*/
if (map->op == T_OP_REG_EQ) {
rcode = cond_do_regex(request, c, lhs_type, lhs, lhs_len, rhs_type, rhs, rhs_len);
goto finish;
}
#endif
/*
* Virtual attribute comparison.
*/
if (c->pass2_fixup == PASS2_PAIRCOMPARE) {
VALUE_PAIR *vp;
EVAL_DEBUG("CMP WITH PAIRCOMPARE");
rad_assert(map->lhs->type == TMPL_TYPE_ATTR);
vp = fr_pair_afrom_da(request, map->lhs->tmpl_da);
vp->op = c->data.map->op;
value_data_copy(vp, &vp->data, rhs_type, rhs, rhs_len);
vp->vp_length = rhs_len;
rcode = paircompare(request, request->packet->vps, vp, NULL);
rcode = (rcode == 0) ? 1 : 0;
talloc_free(vp);
goto finish;
}
/*
* At this point both operands should have been normalised
* to the same type, and there's no special comparisons
* left.
*/
rad_assert(lhs_type == rhs_type);
EVAL_DEBUG("CMP WITH VALUE DATA");
rcode = value_data_cmp_op(map->op, lhs_type, lhs, lhs_len, rhs_type, rhs, rhs_len);
finish:
switch (rcode) {
case 0:
EVAL_DEBUG("FALSE");
break;
case 1:
EVAL_DEBUG("TRUE");
break;
default:
EVAL_DEBUG("ERROR %i", rcode);
break;
}
return rcode;
}
static size_t regex_escape(UNUSED REQUEST *request, char *out, size_t outlen, char const *in, UNUSED void *arg)
{
char *p = out;
while (*in && (outlen > 2)) {
switch (*in) {
case '\\':
case '.':
case '*':
case '+':
case '?':
case '|':
case '^':
case '$':
case '[': /* we don't list close braces */
case '{':
case '(':
*(p++) = '\\';
outlen--;
/* FALL-THROUGH */
default:
*(p++) = *(in++);
outlen--;
break;
}
}
*(p++) = '\0';
return p - out;
}
/** Convert both operands to the same type
*
* If casting is successful, we call cond_cmp_values to do the comparison
*
* @return -1 on error, 0 for "no match", 1 for "match".
*/
static int cond_normalise_and_cmp(REQUEST *request, fr_cond_t const *c,
PW_TYPE lhs_type, DICT_ATTR const *lhs_enumv,
value_data_t const *lhs, size_t lhs_len)
{
vp_map_t const *map = c->data.map;
DICT_ATTR const *cast = NULL;
PW_TYPE cast_type = PW_TYPE_INVALID;
int rcode;
PW_TYPE rhs_type = PW_TYPE_INVALID;
DICT_ATTR const *rhs_enumv = NULL;
value_data_t const *rhs = NULL;
size_t rhs_len;
value_data_t lhs_cast, rhs_cast;
void *lhs_cast_buff = NULL, *rhs_cast_buff = NULL;
xlat_escape_t escape = NULL;
/*
* Cast operand to correct type.
*
* With hack for strings that look like integers, to cast them
* to 64 bit unsigned integers.
*
* @fixme For things like this it'd be useful to have a 64bit signed type.
*/
#define CAST(_s) \
do {\
if ((cast_type != PW_TYPE_INVALID) && (_s ## _type != PW_TYPE_INVALID) && (cast_type != _s ## _type)) {\
ssize_t r;\
EVAL_DEBUG("CASTING " #_s " FROM %s TO %s",\
fr_int2str(dict_attr_types, _s ## _type, "<INVALID>"),\
fr_int2str(dict_attr_types, cast_type, "<INVALID>"));\
r = value_data_cast(request, &_s ## _cast, cast_type, cast, _s ## _type, _s ## _enumv, _s, _s ## _len);\
if (r < 0) {\
REDEBUG("Failed casting " #_s " operand: %s", fr_strerror());\
rcode = -1;\
goto finish;\
}\
if (cast && cast->flags.is_pointer) _s ## _cast_buff = _s ## _cast.ptr;\
_s ## _type = cast_type;\
_s ## _len = (size_t)r;\
_s = &_s ## _cast;\
}\
} while (0)
#define CHECK_INT_CAST(_l, _r) \
do {\
if ((cast_type == PW_TYPE_INVALID) &&\
_l && (_l ## _type == PW_TYPE_STRING) &&\
_r && (_r ## _type == PW_TYPE_STRING) &&\
all_digits(lhs->strvalue) && all_digits(rhs->strvalue)) {\
cast_type = PW_TYPE_INTEGER64;\
EVAL_DEBUG("OPERANDS ARE NUMBER STRINGS, SETTING CAST TO integer64");\
}\
} while (0)
/*
* Regular expressions need both operands to be strings
*/
#ifdef HAVE_REGEX
if (map->op == T_OP_REG_EQ) {
cast_type = PW_TYPE_STRING;
if (map->rhs->type == TMPL_TYPE_XLAT_STRUCT) escape = regex_escape;
}
else
#endif
/*
* If it's a pair comparison, data gets cast to the
* type of the pair comparison attribute.
*
* Magic attribute is always the LHS.
*/
if (c->pass2_fixup == PASS2_PAIRCOMPARE) {
rad_assert(!c->cast);
rad_assert(map->lhs->type == TMPL_TYPE_ATTR);
#ifndef NDEBUG
/* expensive assert */
rad_assert((map->rhs->type != TMPL_TYPE_ATTR) || !radius_find_compare(map->rhs->tmpl_da));
#endif
cast = map->lhs->tmpl_da;
cast_type = cast->type;
EVAL_DEBUG("NORMALISATION TYPE %s (PAIRCMP TYPE)",
fr_int2str(dict_attr_types, cast->type, "<INVALID>"));
/*
* Otherwise we use the explicit cast, or implicit
* cast (from an attribute reference).
* We already have the data for the lhs, so we convert
* it here.
*/
} else if (c->cast) {
cast = c->cast;
EVAL_DEBUG("NORMALISATION TYPE %s (EXPLICIT CAST)",
fr_int2str(dict_attr_types, cast->type, "<INVALID>"));
} else if (map->lhs->type == TMPL_TYPE_ATTR) {
cast = map->lhs->tmpl_da;
EVAL_DEBUG("NORMALISATION TYPE %s (IMPLICIT FROM LHS REF)",
fr_int2str(dict_attr_types, cast->type, "<INVALID>"));
} else if (map->rhs->type == TMPL_TYPE_ATTR) {
cast = map->rhs->tmpl_da;
EVAL_DEBUG("NORMALISATION TYPE %s (IMPLICIT FROM RHS REF)",
fr_int2str(dict_attr_types, cast->type, "<INVALID>"));
} else if (map->lhs->type == TMPL_TYPE_DATA) {
cast_type = map->lhs->tmpl_data_type;
EVAL_DEBUG("NORMALISATION TYPE %s (IMPLICIT FROM LHS DATA)",
fr_int2str(dict_attr_types, cast_type, "<INVALID>"));
} else if (map->rhs->type == TMPL_TYPE_DATA) {
cast_type = map->rhs->tmpl_data_type;
EVAL_DEBUG("NORMALISATION TYPE %s (IMPLICIT FROM RHS DATA)",
fr_int2str(dict_attr_types, cast_type, "<INVALID>"));
}
if (cast) cast_type = cast->type;
switch (map->rhs->type) {
case TMPL_TYPE_ATTR:
{
VALUE_PAIR *vp;
vp_cursor_t cursor;
for (vp = tmpl_cursor_init(&rcode, &cursor, request, map->rhs);
vp;
vp = tmpl_cursor_next(&cursor, map->rhs)) {
rhs_type = vp->da->type;
rhs_enumv = vp->da;
rhs = &vp->data;
rhs_len = vp->vp_length;
CHECK_INT_CAST(lhs, rhs);
CAST(lhs);
CAST(rhs);
rcode = cond_cmp_values(request, c, lhs_type, lhs, lhs_len, rhs_type, rhs, rhs_len);
if (rcode != 0) break;
TALLOC_FREE(rhs_cast_buff);
}
}
break;
case TMPL_TYPE_DATA:
rhs_type = map->rhs->tmpl_data_type;
rhs = &map->rhs->tmpl_data_value;
rhs_len = map->rhs->tmpl_data_length;
CHECK_INT_CAST(lhs, rhs);
CAST(lhs);
CAST(rhs);
rcode = cond_cmp_values(request, c, lhs_type, lhs, lhs_len, rhs_type, rhs, rhs_len);
break;
/*
* Expanded types start as strings, then get converted
* to the type of the attribute or the explicit cast.
*/
case TMPL_TYPE_LITERAL:
case TMPL_TYPE_EXEC:
case TMPL_TYPE_XLAT:
case TMPL_TYPE_XLAT_STRUCT:
{
ssize_t ret;
value_data_t data;
if (map->rhs->type != TMPL_TYPE_LITERAL) {
char *p;
ret = tmpl_aexpand(request, &p, request, map->rhs, escape, NULL);
if (ret < 0) {
EVAL_DEBUG("FAIL [%i]", __LINE__);
rcode = -1;
goto finish;
}
data.strvalue = p;
rhs_len = ret;
} else {
data.strvalue = map->rhs->name;
rhs_len = map->rhs->len;
}
rad_assert(data.strvalue);
rhs_type = PW_TYPE_STRING;
rhs = &data;
CHECK_INT_CAST(lhs, rhs);
CAST(lhs);
CAST(rhs);
rcode = cond_cmp_values(request, c, lhs_type, lhs, lhs_len, rhs_type, rhs, rhs_len);
if (map->rhs->type != TMPL_TYPE_LITERAL)talloc_free(data.ptr);
break;
}
/*
* RHS is a compiled regex, we don't need to do anything with it.
*/
case TMPL_TYPE_REGEX_STRUCT:
CAST(lhs);
rcode = cond_cmp_values(request, c, lhs_type, lhs, lhs_len, PW_TYPE_INVALID, NULL, 0);
break;
/*
* Unsupported types (should have been parse errors)
*/
case TMPL_TYPE_NULL:
case TMPL_TYPE_LIST:
case TMPL_TYPE_UNKNOWN:
case TMPL_TYPE_ATTR_UNDEFINED:
case TMPL_TYPE_REGEX: /* Should now be a TMPL_TYPE_REGEX_STRUCT or TMPL_TYPE_XLAT_STRUCT */
rad_assert(0);
rcode = -1;
break;
}
finish:
talloc_free(lhs_cast_buff);
talloc_free(rhs_cast_buff);
return rcode;
}
/** Evaluate a map
*
* @param[in] request the REQUEST
* @param[in] modreturn the previous module return code
* @param[in] depth of the recursion (only used for debugging)
* @param[in] c the condition to evaluate
* @return -1 on error, 0 for "no match", 1 for "match".
*/
int radius_evaluate_map(REQUEST *request, UNUSED int modreturn, UNUSED int depth, fr_cond_t const *c)
{
int rcode = 0;
vp_map_t const *map = c->data.map;
EVAL_DEBUG(">>> MAP TYPES LHS: %s, RHS: %s",
fr_int2str(tmpl_names, map->lhs->type, "???"),
fr_int2str(tmpl_names, map->rhs->type, "???"));
switch (map->lhs->type) {
/*
* LHS is an attribute or list
*/
case TMPL_TYPE_LIST:
case TMPL_TYPE_ATTR:
{
VALUE_PAIR *vp;
vp_cursor_t cursor;
/*
* Legacy paircompare call, skip processing the magic attribute
* if it's the LHS and cast RHS to the same type.
*/
if ((c->pass2_fixup == PASS2_PAIRCOMPARE) && (map->op != T_OP_REG_EQ)) {
#ifndef NDEBUG
rad_assert(radius_find_compare(map->lhs->tmpl_da)); /* expensive assert */
#endif
rcode = cond_normalise_and_cmp(request, c, PW_TYPE_INVALID, NULL, NULL, 0);
break;
}
for (vp = tmpl_cursor_init(&rcode, &cursor, request, map->lhs);
vp;
vp = tmpl_cursor_next(&cursor, map->lhs)) {
/*
* Evaluate all LHS values, condition evaluates to true
* if we get at least one set of operands that
* evaluates to true.
*/
rcode = cond_normalise_and_cmp(request, c, vp->da->type, vp->da, &vp->data, vp->vp_length);
if (rcode != 0) break;
}
}
break;
case TMPL_TYPE_DATA:
rcode = cond_normalise_and_cmp(request, c,
map->lhs->tmpl_data_type, NULL, &map->lhs->tmpl_data_value,
map->lhs->tmpl_data_length);
break;
case TMPL_TYPE_LITERAL:
case TMPL_TYPE_EXEC:
case TMPL_TYPE_XLAT:
case TMPL_TYPE_XLAT_STRUCT:
{
ssize_t ret;
value_data_t data;
if (map->lhs->type != TMPL_TYPE_LITERAL) {
char *p;
ret = tmpl_aexpand(request, &p, request, map->lhs, NULL, NULL);
if (ret < 0) {
EVAL_DEBUG("FAIL [%i]", __LINE__);
return ret;
}
data.strvalue = p;
} else {
data.strvalue = map->lhs->name;
ret = map->lhs->len;
}
rad_assert(data.strvalue);
rcode = cond_normalise_and_cmp(request, c, PW_TYPE_STRING, NULL, &data, ret);
if (map->lhs->type != TMPL_TYPE_LITERAL) talloc_free(data.ptr);
}
break;
/*
* Unsupported types (should have been parse errors)
*/
case TMPL_TYPE_NULL:
case TMPL_TYPE_ATTR_UNDEFINED:
case TMPL_TYPE_UNKNOWN:
case TMPL_TYPE_REGEX: /* should now be a TMPL_TYPE_REGEX_STRUCT or TMPL_TYPE_XLAT_STRUCT */
case TMPL_TYPE_REGEX_STRUCT: /* not allowed as LHS */
rad_assert(0);
rcode = -1;
break;
}
EVAL_DEBUG("<<<");
return rcode;
}
/** Evaluate a fr_cond_t;
*
* @param[in] request the REQUEST
* @param[in] modreturn the previous module return code
* @param[in] depth of the recursion (only used for debugging)
* @param[in] c the condition to evaluate
* @return -1 on failure, -2 on attribute not found, 0 for "no match", 1 for "match".
*/
int radius_evaluate_cond(REQUEST *request, int modreturn, int depth, fr_cond_t const *c)
{
int rcode = -1;
#ifdef WITH_EVAL_DEBUG
char buffer[1024];
fr_cond_sprint(buffer, sizeof(buffer), c);
EVAL_DEBUG("%s", buffer);
#endif
while (c) {
switch (c->type) {
case COND_TYPE_EXISTS:
rcode = radius_evaluate_tmpl(request, modreturn, depth, c->data.vpt);
/* Existence checks are special, because we expect them to fail */
if (rcode < 0) rcode = 0;
break;
case COND_TYPE_MAP:
rcode = radius_evaluate_map(request, modreturn, depth, c);
break;
case COND_TYPE_CHILD:
rcode = radius_evaluate_cond(request, modreturn, depth + 1, c->data.child);
break;
case COND_TYPE_TRUE:
rcode = true;
break;
case COND_TYPE_FALSE:
rcode = false;
break;
default:
EVAL_DEBUG("FAIL %d", __LINE__);
return -1;
}
if (rcode < 0) return rcode;
if (c->negate) rcode = !rcode;
if (!c->next) break;
/*
* FALSE && ... = FALSE
*/
if (!rcode && (c->next_op == COND_AND)) return false;
/*
* TRUE || ... = TRUE
*/
if (rcode && (c->next_op == COND_OR)) return true;
c = c->next;
}
if (rcode < 0) {
EVAL_DEBUG("FAIL %d", __LINE__);
}
return rcode;
}
#endif
/*
* The fr_pair_list_move() function in src/lib/pair.c does all sorts of
* extra magic that we don't want here.
*
* FIXME: integrate this with the code calling it, so that we
* only fr_pair_list_copy() those attributes that we're really going to
* use.
*/
void radius_pairmove(REQUEST *request, VALUE_PAIR **to, VALUE_PAIR *from, bool do_xlat)
{
int i, j, count, from_count, to_count, tailto;
vp_cursor_t cursor;
VALUE_PAIR *vp, *next, **last;
VALUE_PAIR **from_list, **to_list;
VALUE_PAIR *append, **append_tail;
VALUE_PAIR *prepend;
VALUE_PAIR *to_copy;
bool *edited = NULL;
REQUEST *fixup = NULL;
TALLOC_CTX *ctx;
/*
* Set up arrays for editing, to remove some of the
* O(N^2) dependencies. This also makes it easier to
* insert and remove attributes.
*
* It also means that the operators apply ONLY to the
* attributes in the original list. With the previous
* implementation of fr_pair_list_move(), adding two attributes
* via "+=" and then "=" would mean that the second one
* wasn't added, because of the existence of the first
* one in the "to" list. This implementation doesn't
* have that bug.
*
* Also, the previous implementation did NOT implement
* "-=" correctly. If two of the same attributes existed
* in the "to" list, and you tried to subtract something
* matching the *second* value, then the fr_pair_delete_by_num()
* function was called, and the *all* attributes of that
* number were deleted. With this implementation, only
* the matching attributes are deleted.
*/
count = 0;
for (vp = fr_cursor_init(&cursor, &from); vp; vp = fr_cursor_next(&cursor)) count++;
from_list = talloc_array(request, VALUE_PAIR *, count);
for (vp = fr_cursor_init(&cursor, to); vp; vp = fr_cursor_next(&cursor)) count++;
to_list = talloc_array(request, VALUE_PAIR *, count);
prepend = NULL;
append = NULL;
append_tail = &append;
/*
* Move the lists to the arrays, and break the list
* chains.
*/
from_count = 0;
for (vp = from; vp != NULL; vp = next) {
next = vp->next;
from_list[from_count++] = vp;
vp->next = NULL;
}
to_count = 0;
ctx = talloc_parent(*to);
to_copy = fr_pair_list_copy(ctx, *to);
for (vp = to_copy; vp != NULL; vp = next) {
next = vp->next;
to_list[to_count++] = vp;
vp->next = NULL;
}
tailto = to_count;
edited = talloc_zero_array(request, bool, to_count);
RDEBUG4("::: FROM %d TO %d MAX %d", from_count, to_count, count);
/*
* Now that we have the lists initialized, start working
* over them.
*/
for (i = 0; i < from_count; i++) {
int found;
RDEBUG4("::: Examining %s", from_list[i]->da->name);
if (do_xlat) radius_xlat_do(request, from_list[i]);
/*
* Attribute should be appended, OR the "to" list
* is empty, and we're supposed to replace or
* "add if not existing".
*/
if (from_list[i]->op == T_OP_ADD) goto do_append;
/*
* The attribute needs to be prepended to the "to"
* list - store it in the prepend list
*/
if (from_list[i]->op == T_OP_PREPEND) {
RDEBUG4("::: PREPENDING %s FROM %d TO %d",
from_list[i]->da->name, i, tailto);
from_list[i]->next = prepend;
prepend = from_list[i];
prepend->op = T_OP_EQ;
from_list[i] = NULL;
continue;
}
found = false;
for (j = 0; j < to_count; j++) {
if (edited[j] || !to_list[j] || !from_list[i]) continue;
/*
* Attributes aren't the same, skip them.
*/
if (from_list[i]->da != to_list[j]->da) {
continue;
}
/*
* We don't use a "switch" statement here
* because we want to break out of the
* "for" loop over 'j' in most cases.
*/
/*
* Over-write the FIRST instance of the
* matching attribute name. We free the
* one in the "to" list, and move over
* the one in the "from" list.
*/
if (from_list[i]->op == T_OP_SET) {
RDEBUG4("::: OVERWRITING %s FROM %d TO %d",
to_list[j]->da->name, i, j);
fr_pair_list_free(&to_list[j]);
to_list[j] = from_list[i];
from_list[i] = NULL;
edited[j] = true;
break;
}
/*
* Add the attribute only if it does not
* exist... but it exists, so we stop
* looking.
*/
if (from_list[i]->op == T_OP_EQ) {
found = true;
break;
}
/*
* Delete every attribute, independent
* of its value.
*/
if (from_list[i]->op == T_OP_CMP_FALSE) {
goto delete;
}
/*
* Delete all matching attributes from
* "to"
*/
if ((from_list[i]->op == T_OP_SUB) ||
(from_list[i]->op == T_OP_CMP_EQ) ||
(from_list[i]->op == T_OP_LE) ||
(from_list[i]->op == T_OP_GE)) {
int rcode;
int old_op = from_list[i]->op;
/*
* Check for equality.
*/
from_list[i]->op = T_OP_CMP_EQ;
/*
* If equal, delete the one in
* the "to" list.
*/
rcode = radius_compare_vps(NULL, from_list[i],
to_list[j]);
/*
* We may want to do more
* subtractions, so we re-set the
* operator back to it's original
* value.
*/
from_list[i]->op = old_op;
switch (old_op) {
case T_OP_CMP_EQ:
if (rcode != 0) goto delete;
break;
case T_OP_SUB:
if (rcode == 0) {
delete:
RDEBUG4("::: DELETING %s FROM %d TO %d",
from_list[i]->da->name, i, j);
fr_pair_list_free(&to_list[j]);
to_list[j] = NULL;
}
break;
/*
* Enforce <=. If it's
* >, replace it.
*/
case T_OP_LE:
if (rcode > 0) {
RDEBUG4("::: REPLACING %s FROM %d TO %d",
from_list[i]->da->name, i, j);
fr_pair_list_free(&to_list[j]);
to_list[j] = from_list[i];
from_list[i] = NULL;
edited[j] = true;
}
break;
case T_OP_GE:
if (rcode < 0) {
RDEBUG4("::: REPLACING %s FROM %d TO %d",
from_list[i]->da->name, i, j);
fr_pair_list_free(&to_list[j]);
to_list[j] = from_list[i];
from_list[i] = NULL;
edited[j] = true;
}
break;
}
continue;
}
rad_assert(0 == 1); /* panic! */
}
/*
* We were asked to add it if it didn't exist,
* and it doesn't exist. Move it over to the
* tail of the "to" list, UNLESS it was already
* moved by another operator.
*/
if (!found && from_list[i]) {
if ((from_list[i]->op == T_OP_EQ) ||
(from_list[i]->op == T_OP_LE) ||
(from_list[i]->op == T_OP_GE) ||
(from_list[i]->op == T_OP_SET)) {
do_append:
RDEBUG4("::: APPENDING %s FROM %d TO %d",
from_list[i]->da->name, i, tailto);
*append_tail = from_list[i];
from_list[i]->op = T_OP_EQ;
from_list[i] = NULL;
append_tail = &(*append_tail)->next;
}
}
}
/*
* Delete attributes in the "from" list.
*/
for (i = 0; i < from_count; i++) {
if (!from_list[i]) continue;
fr_pair_list_free(&from_list[i]);
}
talloc_free(from_list);
RDEBUG4("::: TO in %d out %d", to_count, tailto);
/*
* Re-chain the "to" list.
*/
fr_pair_list_free(to);
last = to;
if (to == &request->packet->vps) {
fixup = request;
} else if (request->parent && (to == &request->parent->packet->vps)) {
fixup = request->parent;
}
/*
* Walk the list of "prepend" attributes first
*/
for (vp = prepend; vp != NULL; vp = vp->next) {
*last = vp;
last = &(*last)->next;
}
/*
* Next add on remaining items in the "to" list
*/
for (i = 0; i < tailto; i++) {
if (!to_list[i]) continue;
vp = to_list[i];
RDEBUG4("::: to[%d] = %s", i, vp->da->name);
/*
* Mash the operator to a simple '='. The
* operators in the "to" list aren't used for
* anything. BUT they're used in the "detail"
* file and debug output, where we don't want to
* see the operators.
*/
vp->op = T_OP_EQ;
*last = vp;
last = &(*last)->next;
}
/*
* And finally add in the attributes we're appending to
* the tail of the "to" list.
*/
*last = append;
/*
* Fix dumb cache issues
*/
if (fixup) {
fixup->username = NULL;
fixup->password = NULL;
for (vp = fixup->packet->vps; vp != NULL; vp = vp->next) {
if (vp->da->vendor) continue;
if ((vp->da->attr == PW_USER_NAME) && !fixup->username) {
fixup->username = vp;
} else if (vp->da->attr == PW_STRIPPED_USER_NAME) {
fixup->username = vp;
} else if (vp->da->attr == PW_USER_PASSWORD) {
fixup->password = vp;
}
}
}
rad_assert(request->packet != NULL);
talloc_free(to_list);
talloc_free(edited);
}
|
