From: Alan T. DeKok Date: Wed, 23 Aug 2023 14:16:09 +0000 (-0400) Subject: remove logintime module X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=003ba33a6cde134088f79f7a9c84ebeecb6de4f5;p=thirdparty%2Ffreeradius-server.git remove logintime module and all references to it, and the attributes it uses --- diff --git a/debian/freeradius-config.postinst b/debian/freeradius-config.postinst index 1a308b8fcf1..17c700ed38e 100644 --- a/debian/freeradius-config.postinst +++ b/debian/freeradius-config.postinst @@ -35,7 +35,7 @@ case "$1" in # Create links for default modules for mod in always attr_filter cache_eap chap client \ delay detail detail.log digest eap \ - eap_inner echo exec files linelog logintime \ + eap_inner echo exec files linelog \ mschap ntlm_auth pap pam passwd radutmp \ sradutmp stats unix unpack utf8 ; do if test ! -h /etc/freeradius/mods-enabled/$mod && \ diff --git a/doc/antora/modules/howto/pages/modules/ldap/authentication.adoc b/doc/antora/modules/howto/pages/modules/ldap/authentication.adoc index 9fe3a47432d..3ee10b0f688 100644 --- a/doc/antora/modules/howto/pages/modules/ldap/authentication.adoc +++ b/doc/antora/modules/howto/pages/modules/ldap/authentication.adoc @@ -75,7 +75,6 @@ ldapsearch -LL -H ldap://localhost -x -D cn=freeradius,dc=example,dc=com -w mypa ** found some useful attributes associated with that user *** the password which it placed into `control.Password.With-Header` *** as RADIUS attributes were changed, it returns `updated` as a result code to unlang - . the modules `expiration` and `logintime` were used, but both had no effect (`noop`) . the module `pap` was used ** it found a suitable password to use in `&Password.With-Header` *** populates `&control.Password.Cleartext` 
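Review bot: Dropping `logintime` from the `for mod in …` list in debian/freeradius-config.postinst only stops new links from being created; the loop visible here adds `/etc/freeradius/mods-enabled/$mod` links and never removes one. A host upgraded from a package that enabled the module would presumably keep a `mods-enabled/logintime` link whose module and `mods-available` file this commit deletes, and the authentication server may then fail to start. Consider clearing the stale link in the same `case` branch, for example `if test -h /etc/freeradius/mods-enabled/logintime; then rm -f /etc/freeradius/mods-enabled/logintime; fi`, or naming the manual step in the upgrade notes. The loop body continues outside the hunk, so cleanup elsewhere in the script cannot be ruled out.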
@@ -113,7 +112,6 @@ You should now look to the output of the debugging from the FreeRADIUS terminal (0) ldap - Released connection (0) (0) ldap (ok) (0) expiration (noop) -(0) logintime (noop) (0) pap - WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap - WARNING: Authentication will fail unless a "known good" password is available (0) pap (noop) @@ -129,7 +127,7 @@ Here FreeRADIUS describes it: ** found `uid=john,ou=people,dc=example,dc=com` ** did *not* find any useful attributes associated with that user ** module was successful in operation, but changed no RADIUS attributes so returns `ok` - . the modules `expiration` and `logintime` were used, but both had no effect (`noop`) + . the module `expiration` was used, but it had no effect (`noop`) . the module `pap` was used ** it finds no suitable password RADIUS attributes to use ** as it makes no changes, the module returns `noop` @@ -177,7 +175,6 @@ If you use LDAP bind'ing to perform user authentication, then when `radclient` r (0) } # update (noop) (0) } # if ((ok || updated) && &User-Password) (noop) (0) expiration (noop) -(0) logintime (noop) (0) pap - WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap - WARNING: Authentication will fail unless a "known good" password is available (0) pap (noop) @@ -205,7 +202,7 @@ Here FreeRADIUS is describes it: ** did *not* find any useful attributes associated with that user ** module was successful in operation, but changed no RADIUS attributes so returns `ok` . `&control.Auth-Type := ldap` was set as the `ldap` module was successful in finding a user - . the modules `expiration` and `logintime` were used, but both had no effect (`noop`) + . the module `expiration` was used, but it had no effect (`noop`) . the module `pap` was used ** it finds no suitable password RADIUS attributes to use ** as it makes no changes, the module returns `noop` 
diff --git a/doc/antora/modules/installation/pages/upgrade.adoc b/doc/antora/modules/installation/pages/upgrade.adoc index c94113a5283..e501cec47e1 100644 --- a/doc/antora/modules/installation/pages/upgrade.adoc +++ b/doc/antora/modules/installation/pages/upgrade.adoc @@ -954,6 +954,14 @@ It is difficult to maintain multiple implementations of the same functionality. As a result, we have simplified the server by removing duplicate functionality. +== rlm_logintime + +This module was poorly documented, and it appears that no one was using it. + +The attributes `Time-Of-Day`, `Login-Time`, and `Current-Time` have +also been removed. Any configuration which tries to use them will +result in an error. + == Deleted Functionality The `Response-Packet-Type` attribute has been removed. Please replace diff --git a/doc/antora/modules/raddb/nav.adoc b/doc/antora/modules/raddb/nav.adoc index 85accca91a5..1e7cea64167 100644 --- a/doc/antora/modules/raddb/nav.adoc +++ b/doc/antora/modules/raddb/nav.adoc @@ -40,7 +40,6 @@ *** xref:mods-available/krb5.adoc[Kerberos Module] *** xref:mods-available/ldap.adoc[LDAP (Lightweight Directory Access Protocol) Module] *** xref:mods-available/linelog.adoc[Linelog Module] -*** xref:mods-available/logintime.adoc[Login time Module] *** xref:mods-available/logtee.adoc[Logtee Module] *** xref:mods-available/lua.adoc[Lua Module] *** xref:mods-available/mac2ip.adoc[Mac2IP Module] diff --git a/doc/antora/modules/raddb/pages/mods-available/all_modules.adoc b/doc/antora/modules/raddb/pages/mods-available/all_modules.adoc index 470191419ff..cf9530b0901 100644 --- a/doc/antora/modules/raddb/pages/mods-available/all_modules.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/all_modules.adoc 
@@ -130,7 +130,6 @@ including syslog, flat files, and raw UDP/TCP sockets. | xref:mods-available/escape.adoc[escape] | Escapes and unescapes strings using the MIME escape format | xref:mods-available/idn.adoc[idn] | Converts internationalized domain names to ASCII. | xref:mods-available/json.adoc[json] | Parses JSON strings into an in memory format using the json-c library. -| xref:mods-available/logintime.adoc[logintime] | Enforces the time span during which a user may login to the system. | xref:mods-available/sometimes.adoc[sometimes] | Is a hashing and distribution protocol, that will sometimes return one code or another depending on the input value configured. | xref:mods-available/sqlcounter.adoc[sqlcounter] | Records statistics for users such as data transfer and session time, and prevent further logins when limits are reached. diff --git a/doc/antora/modules/raddb/pages/mods-available/logintime.adoc b/doc/antora/modules/raddb/pages/mods-available/logintime.adoc deleted file mode 100644 index 6074d6cfd95..00000000000 --- a/doc/antora/modules/raddb/pages/mods-available/logintime.adoc +++ /dev/null 
@@ -1,44 +0,0 @@ - - - - -= Login time Module - -The `logintime` module handles the `Login-Time`, `Current-Time`, -and `Time-Of-Day` attributes. - -It should be included in the *end* of the `recv Access-Request` -section in order to handle `Login-Time` checks. - -When the `Login-Time` attribute is set to some value, and the user -has been permitted to log in, the `link:https://freeradius.org/rfc/rfc2865.html#Session-Timeout[Session-Timeout]` will be -calculated based on the remaining time. Note that this is a - *maximum* value. If another module sets `link:https://freeradius.org/rfc/rfc2865.html#Session-Timeout[Session-Timeout]` to a -lower value, the `logintime` module will not increase its value. - - - -## Configuration Settings - - -minimum_timeout:: - -The minimum timeout (in seconds) a user is allowed -to have. If the calculated timeout is lower we don't -allow the login. - -NOTE: Some NAS do not handle values lower than 60 seconds. -They will either ignore the result, or set it to some -larger value. - -Default is `60`. - - - -== Default Configuration - -``` -logintime { - minimum_timeout = 60 -} -``` diff --git a/doc/antora/modules/raddb/pages/sites-available/abfab-tr-idp.adoc b/doc/antora/modules/raddb/pages/sites-available/abfab-tr-idp.adoc index 2012a28af17..9794cd23b3e 100644 --- a/doc/antora/modules/raddb/pages/sites-available/abfab-tr-idp.adoc +++ b/doc/antora/modules/raddb/pages/sites-available/abfab-tr-idp.adoc @@ -53,11 +53,7 @@ For EAP requests. -.Please see the link:../mods-available/expiration.adoc[mods-available/expiration] for full documentation. - - - -.Please see the link:../mods-available/logintime.adoc[mods-available/logintime] for full documentation. +.Please see the link:../../../../../../mods-available/expiration.adoc[mods-available/expiration] for full documentation. @@ -157,7 +153,6 @@ server abfab-idp { ok = return } expiration - logintime } authenticate eap { eap 
diff --git a/doc/antora/modules/raddb/pages/sites-available/default.adoc b/doc/antora/modules/raddb/pages/sites-available/default.adoc index 7397a5085cf..a984dd501bd 100644 --- a/doc/antora/modules/raddb/pages/sites-available/default.adoc +++ b/doc/antora/modules/raddb/pages/sites-available/default.adoc @@ -44,7 +44,7 @@ There are many "commented out" references to modules and configurations These references serve as place-holders, and as documentation. If you need the functionality of that module, then: - * configure the module in link:../mods-available/index.adoc[mods-available/] + * configure the module in link:../../../../../../mods-available/index.adoc[mods-available/] * enable the module in `mods-enabled`. e.g. for LDAP, do: `cd mods-enabled;ln -s ../mods-available/ldap` * uncomment the references to it in this file. @@ -606,7 +606,7 @@ The `auth_log` module will write all `link:https://freeradius.org/rfc/rfc2865.ht Uncomment the next bit in order to have a log of authentication requests. For more information, see -link:../mods-available/detail.log.adoc[mods-available/detail.log]. +link:../../../../../../mods-available/detail.log.adoc[mods-available/detail.log]. @@ -713,12 +713,6 @@ If the account has not expired, set `link:https://freeradius.org/rfc/rfc2865.htm -Look at the `Login-Time` attribute and reject if the user -is not allowed access at the present time. Otherwise, -set `link:https://freeradius.org/rfc/rfc2865.html#Session-Timeout[Session-Timeout]` to the end of the permitted time span. - - - The `pap` module will set `Auth-Type := PAP` if the packet contains a `link:https://freeradius.org/rfc/rfc2865.html#User-Password[User-Password]` attribute. The module does this only if the `Auth-Type` attribute has not already 
@@ -871,7 +865,7 @@ can be configured. The `Auth-Type` attribute would need to be set to `proxy-example.com`. The home servers MUST be defined in -link:../mods-available/radius.adoc[mods-available/radius]. +link:../../../../../../mods-available/radius.adoc[mods-available/radius]. @@ -930,7 +924,7 @@ Access-Accept. Uncomment the line below if If you want to have a log of authentication replies, uncomment the following line. This is defined in -link:../mods-available/detail.log.adoc[mods-available/detail.log]. +link:../../../../../../mods-available/detail.log.adoc[mods-available/detail.log]. @@ -964,7 +958,7 @@ calculations, e.g. You may want to delete the `MS-MPPE-*-Keys` from the reply, as some WiMAX clients behave badly when those attributes are included. See the configuration entry -`delete_mppe_keys` in link:../mods-available/wimax.adoc[mods-available/wimax] for +`delete_mppe_keys` in link:../../../../../../mods-available/wimax.adoc[mods-available/wimax] for more information. @@ -1199,7 +1193,7 @@ pool of IPs are used. Log traffic to an SQL database. -See "Accounting Queries" in link:../mods-available/sql.adoc[mods-available/sql]. +See "Accounting Queries" in link:../../../../../../mods-available/sql.adoc[mods-available/sql]. @@ -1333,7 +1327,6 @@ recv Access-Request { -ldap # dailycounter expiration - logintime pap } recv Status-Server { diff --git a/doc/antora/modules/raddb/pages/sites-available/inner-tunnel.adoc b/doc/antora/modules/raddb/pages/sites-available/inner-tunnel.adoc index 24d1e3b1cac..2ab60df5559 100644 --- a/doc/antora/modules/raddb/pages/sites-available/inner-tunnel.adoc +++ b/doc/antora/modules/raddb/pages/sites-available/inner-tunnel.adoc @@ -272,7 +272,6 @@ recv Access-Request { -ldap # daily expiration - logintime pap } authenticate pap { diff --git a/raddb/all.mk b/raddb/all.mk index 5e052ba4e9c..38a5ae3f850 100644 --- a/raddb/all.mk +++ b/raddb/all.mk 
@@ -9,7 +9,7 @@ LOCAL_SITES := $(addprefix raddb/sites-enabled/,$(DEFAULT_SITES)) DEFAULT_MODULES := always attr_filter cache_eap chap client \ delay detail detail.log digest eap \ - eap_inner echo escape exec files linelog logintime \ + eap_inner echo escape exec files linelog \ mschap ntlm_auth pap passwd radutmp \ sradutmp stats unix unpack utf8 diff --git a/raddb/mods-available/logintime b/raddb/mods-available/logintime deleted file mode 100644 index 674bf677b64..00000000000 --- a/raddb/mods-available/logintime +++ /dev/null @@ -1,42 +0,0 @@ -# -*- text -*- -# -# -# $Id$ - -####################################################################### -# -# = Login time Module -# -# The `logintime` module handles the `Login-Time`, `Current-Time`, -# and `Time-Of-Day` attributes. -# -# It should be included in the *end* of the `recv Access-Request` -# section in order to handle `Login-Time` checks. -# -# When the `Login-Time` attribute is set to some value, and the user -# has been permitted to log in, the `Session-Timeout` will be -# calculated based on the remaining time. Note that this is a -# *maximum* value. If another module sets `Session-Timeout` to a -# lower value, the `logintime` module will not increase its value. -# - -# -# ## Configuration Settings -# -logintime { - # - # minimum_timeout:: - # - # The minimum timeout (in seconds) a user is allowed - # to have. If the calculated timeout is lower we don't - # allow the login. - # - # NOTE: Some NAS do not handle values lower than 60 seconds. - # They will either ignore the result, or set it to some - # larger value. - # - # Default is `60`. - # - minimum_timeout = 60 -} - diff --git a/raddb/sites-available/abfab-tr-idp b/raddb/sites-available/abfab-tr-idp index dfe10a8dcc4..9d7b28010b4 100644 --- a/raddb/sites-available/abfab-tr-idp +++ b/raddb/sites-available/abfab-tr-idp 
@@ -67,11 +67,6 @@ server abfab-idp { # .Please see the `mods-available/expiration` for full documentation. # expiration - - # - # .Please see the `mods-available/logintime` for full documentation. - # - logintime } # diff --git a/raddb/sites-available/default b/raddb/sites-available/default index 4ae4a0fd84e..0af55c0d956 100644 --- a/raddb/sites-available/default +++ b/raddb/sites-available/default @@ -821,13 +821,6 @@ recv Access-Request { # expiration - # - # Look at the `Login-Time` attribute and reject if the user - # is not allowed access at the present time. Otherwise, - # set `Session-Timeout` to the end of the permitted time span. - # - logintime - # # The `pap` module will set `Auth-Type := PAP` if the # packet contains a `User-Password` attribute. The module diff --git a/raddb/sites-available/inner-tunnel b/raddb/sites-available/inner-tunnel index 9cb0c126dfd..3fe3dea366c 100644 --- a/raddb/sites-available/inner-tunnel +++ b/raddb/sites-available/inner-tunnel @@ -138,7 +138,6 @@ recv Access-Request { # daily expiration - logintime # # If no other module has claimed responsibility for diff --git a/redhat/freeradius.spec b/redhat/freeradius.spec index fc39e27dd11..a3f985b9839 100644 --- a/redhat/freeradius.spec +++ b/redhat/freeradius.spec @@ -982,7 +982,6 @@ fi %{_libdir}/freeradius/rlm_icmp.so %{_libdir}/freeradius/rlm_isc_dhcp.so %{_libdir}/freeradius/rlm_linelog.so -%{_libdir}/freeradius/rlm_logintime.so %{_libdir}/freeradius/rlm_logtee.so %{_libdir}/freeradius/rlm_mschap.so %{_libdir}/freeradius/rlm_pam.so diff --git a/share/dictionary/freeradius/dictionary.freeradius.internal b/share/dictionary/freeradius/dictionary.freeradius.internal index aae82fb5d66..038d079a3fe 100644 --- a/share/dictionary/freeradius/dictionary.freeradius.internal +++ b/share/dictionary/freeradius/dictionary.freeradius.internal 
@@ -1,4 +1,4 @@ -# -*- text -*- + # -*- text -*- # Copyright (C) 2022 The FreeRADIUS Server project and contributors # This work is licensed under CC-BY version 4.0 https://creativecommons.org/licenses/by/4.0 # Version $Id$ @@ -148,9 +148,8 @@ ATTRIBUTE Client-Shortname 1011 string virtual ATTRIBUTE User-Category 1013 string ATTRIBUTE Pam-Auth 1014 string -ATTRIBUTE Login-Time 1015 string +# 1015 was Current-Time -ATTRIBUTE Current-Time 1016 string ATTRIBUTE Realm 1017 string # 1018 was No-Such-Attribute @@ -174,7 +173,7 @@ ATTRIBUTE MS-CHAP-Use-NTLM-Auth 1041 bool ATTRIBUTE NTLM-User-Name 1042 string ATTRIBUTE MS-CHAP-User-Name 1043 string -ATTRIBUTE Time-Of-Day 1089 string +# 1089 was Time-Of-Day ATTRIBUTE SQL-Table-Name 1110 string ATTRIBUTE Home-Server-Pool 1111 string diff --git a/src/modules/rlm_logintime/README.md b/src/modules/rlm_logintime/README.md deleted file mode 100644 index ae50a800a6d..00000000000 --- a/src/modules/rlm_logintime/README.md +++ /dev/null @@ -1,11 +0,0 @@ -# rlm_logintime -## Metadata -
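Review bot: The placeholder comment in the second hunk of dictionary.freeradius.internal mislabels the retired number: the removed lines show `Login-Time` as 1015 and `Current-Time` as 1016, but the new line reads `# 1015 was Current-Time` and nothing records 1016. Following the file's own `# 1018 was No-Such-Attribute` convention, it should be `# 1015 was Login-Time` followed by `# 1016 was Current-Time`, presumably so that neither number is reassigned by mistake later. The first hunk also adds a leading space before `# -*- text -*-`, which looks accidental and should be reverted. The third hunk's `# 1089 was Time-Of-Day` is correct.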
-
category
policy
-
- -## Summary -Enforces the time span during which a user may login to the system. - -Time spans are defined with timestrings, which are similar in format to those used by UUCP. A timestring may be a -simple timestring, or it may be a list of simpletime strings separated by "|" or ",". diff --git a/src/modules/rlm_logintime/all.mk b/src/modules/rlm_logintime/all.mk deleted file mode 100644 index 6e678c1d392..00000000000 --- a/src/modules/rlm_logintime/all.mk +++ /dev/null @@ -1,6 +0,0 @@ -TARGETNAME := rlm_logintime - -TARGET := $(TARGETNAME)$(L) -SOURCES := $(TARGETNAME).c timestr.c - -LOG_ID_LIB = 28 diff --git a/src/modules/rlm_logintime/rlm_logintime.c b/src/modules/rlm_logintime/rlm_logintime.c deleted file mode 100644 index fd8c0a62814..00000000000 --- a/src/modules/rlm_logintime/rlm_logintime.c +++ /dev/null 
@@ -1,272 +0,0 @@ -/* - * This program is is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or (at - * your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA - */ - -/** - * $Id$ - * @file rlm_logintime.c - * @brief Allow login only during a given timeslot. - * - * @copyright 2001,2006 The FreeRADIUS server project - * @copyright 2004 Kostas Kalevras (kkalev@noc.ntua.gr) - */ -RCSID("$Id$") - -#include -#include - -#include - -/* timestr.c */ -int timestr_match(fr_time_delta_t *out, char const *tmstr, fr_time_t when); - -/* - * Define a structure for our module configuration. - * - * These variables do not need to be in a structure, but it's - * a lot cleaner to do so, and a pointer to the structure can - * be used as the instance handle. 
- */ -typedef struct { - fr_time_delta_t min_time; -} rlm_logintime_t; - -static const CONF_PARSER module_config[] = { - { FR_CONF_OFFSET("minimum_timeout", FR_TYPE_TIME_DELTA, rlm_logintime_t, min_time), .dflt = "60s" }, - CONF_PARSER_TERMINATOR -}; - -static fr_dict_t const *dict_freeradius; -static fr_dict_t const *dict_radius; - -extern fr_dict_autoload_t rlm_logintime_dict[]; -fr_dict_autoload_t rlm_logintime_dict[] = { - { .out = &dict_freeradius, .proto = "freeradius" }, - { .out = &dict_radius, .proto = "radius" }, - { NULL } -}; - -static fr_dict_attr_t const *attr_current_time; -static fr_dict_attr_t const *attr_login_time; -static fr_dict_attr_t const *attr_time_of_day; - -static fr_dict_attr_t const *attr_session_timeout; - -extern fr_dict_attr_autoload_t rlm_logintime_dict_attr[]; -fr_dict_attr_autoload_t rlm_logintime_dict_attr[] = { - { .out = &attr_current_time, .name = "Current-Time", .type = FR_TYPE_STRING, .dict = &dict_freeradius }, - { .out = &attr_login_time, .name = "Login-Time", .type = FR_TYPE_STRING, .dict = &dict_freeradius }, - { .out = &attr_time_of_day, .name = "Time-Of-Day", .type = FR_TYPE_STRING, .dict = &dict_freeradius }, - - { .out = &attr_session_timeout, .name = "Session-Timeout", .type = FR_TYPE_UINT32, .dict = &dict_radius }, - - { NULL } -}; - -/* - * Compare the current time to a range. - */ -static int timecmp(UNUSED void *instance, request_t *request, fr_pair_t const *check) -{ - fr_time_delta_t left; - - if (timestr_match(&left, check->vp_strvalue, request->packet->timestamp) < 0) return -1; - - /* - * 0 is a special case meaning "allowed". 
- */ - if (fr_time_delta_gteq(left, fr_time_delta_wrap(0))) return 0; - - return -1; -} - - -/* - * Time-Of-Day support - */ -static int time_of_day(UNUSED void *instance, request_t *request, fr_pair_t const *check) -{ - int scan; - int hhmmss, when; - char const *p; - struct tm *tm, s_tm; - time_t now; - - if (strspn(check->vp_strvalue, "0123456789: ") != strlen(check->vp_strvalue)) { - RDEBUG2("Bad Time-Of-Day value \"%pV\"", &check->data); - return -1; - } - - now = fr_time_to_sec(request->packet->timestamp); - tm = localtime_r(&now, &s_tm); - hhmmss = (tm->tm_hour * 3600) + (tm->tm_min * 60) + tm->tm_sec; - - /* - * Time of day is a 24-hour clock - */ - p = check->vp_strvalue; - scan = atoi(p); - p = strchr(p, ':'); - if ((scan > 23) || !p) { - RDEBUG2("Bad Time-Of-Day value \"%pV\"", &check->data); - return -1; - } - when = scan * 3600; - p++; - - scan = atoi(p); - if (scan > 59) { - RDEBUG2("Bad Time-Of-Day value \"%pV\"", &check->data); - return -1; - } - when += scan * 60; - - p = strchr(p, ':'); - if (p) { - scan = atoi(p + 1); - if (scan > 59) { - RDEBUG2("Bad Time-Of-Day value \"%pV\"", &check->data); - return -1; - } - when += scan; - } - - return hhmmss - when; -} - -/* - * Check if account has expired, and if user may login now. - */ -static unlang_action_t CC_HINT(nonnull) mod_authorize(rlm_rcode_t *p_result, module_ctx_t const *mctx, request_t *request) -{ - rlm_logintime_t const *inst = talloc_get_type_abort_const(mctx->inst->data, rlm_logintime_t); - fr_pair_t *ends, *vp; - fr_time_delta_t left; - - ends = fr_pair_find_by_da(&request->control_pairs, NULL, attr_login_time); - if (!ends) RETURN_MODULE_NOOP; - - /* - * Authentication is OK. Now see if this user may login at this time of the day. 
- */ - RDEBUG2("Checking Login-Time"); - - /* - * Compare the time the request was received with the current Login-Time value - */ - if (timestr_match(&left, ends->vp_strvalue, request->packet->timestamp) < 0) { - RETURN_MODULE_DISALLOW; /* outside of the allowed time */ - } - - /* - * Do nothing, login time is not controlled (unended). - */ - if (fr_time_delta_eq(left, fr_time_delta_wrap(0))) RETURN_MODULE_OK; - - /* - * The min_time setting is to deal with NAS that won't allow Session-vp values below a certain value - * For example some Alcatel Lucent products won't allow a Session-vp < 300 (5 minutes). - * - * We don't know were going to get another chance to lock out the user, so we need to do it now. - */ - if (fr_time_delta_lt(left, inst->min_time)) { - REDEBUG("Login outside of allowed time-slot (session end %s, with lockout %i seconds before)", - ends->vp_strvalue, (int) fr_time_delta_to_sec(inst->min_time)); - - RETURN_MODULE_DISALLOW; - } - - /* else left > inst->min_time */ - - /* - * There's time left in the users session, inform the NAS by including a Session-Timeout - * attribute in the reply, or modifying the existing one. - */ - RDEBUG2("Login within allowed time-slot, %d seconds left in this session", (int) fr_time_delta_to_sec(left)); - - switch (pair_update_reply(&vp, attr_session_timeout)) { - case 1: - /* just update... */ - if (vp->vp_uint32 > fr_time_delta_to_sec(left)) { - vp->vp_uint32 = fr_time_delta_to_sec(left); - RDEBUG2("&reply.Session-Timeout := %pV", &vp->data); - } - break; - - case 0: /* no pre-existing */ - vp->vp_uint32 = fr_time_delta_to_sec(left); - RDEBUG2("&reply.Session-Timeout := %pV", &vp->data); - break; - - case -1: /* malloc failure */ - MEM(NULL); - } - - RETURN_MODULE_OK; -} - - -/* - * Do any per-module initialization that is separate to each - * configured instance of the module. e.g. set up connections - * to external databases, read configuration files, set up - * dictionary entries, etc. 
- * - * If configuration information is given in the config section - * that must be referenced in later calls, store a handle to it - * in *instance otherwise put a null pointer there. - */ -static int mod_instantiate(module_inst_ctx_t const *mctx) -{ - rlm_logintime_t *inst = talloc_get_type_abort(mctx->inst->data, rlm_logintime_t); - CONF_SECTION *conf = mctx->inst->conf; - - if (!fr_time_delta_ispos(inst->min_time)) { - cf_log_err(conf, "Invalid value '0' for minimum_timeout"); - return -1; - } - - /* - * Register a Current-Time comparison function - */ - paircmp_register(attr_current_time, NULL, true, timecmp, inst); - paircmp_register(attr_time_of_day, NULL, true, time_of_day, inst); - - return 0; -} - -/* - * The module name should be the only globally exported symbol. - * That is, everything else should be 'static'. - * - * If the module needs to temporarily modify it's instantiation - * data, the type should be changed to MODULE_TYPE_THREAD_UNSAFE. - * The server will then take care of ensuring that the module - * is single-threaded. - */ -extern module_rlm_t rlm_logintime; -module_rlm_t rlm_logintime = { - .common = { - .magic = MODULE_MAGIC_INIT, - .name = "logintime", - .inst_size = sizeof(rlm_logintime_t), - .config = module_config, - .instantiate = mod_instantiate - }, - .method_names = (module_method_name_t[]){ - { .name1 = CF_IDENT_ANY, .name2 = CF_IDENT_ANY, .method = mod_authorize }, - MODULE_NAME_TERMINATOR - } -}; diff --git a/src/modules/rlm_logintime/timestr.c b/src/modules/rlm_logintime/timestr.c deleted file mode 100644 index f6303a733b4..00000000000 --- a/src/modules/rlm_logintime/timestr.c +++ /dev/null 
@@ -1,275 +0,0 @@ -/* - * timestr.c See if a string like 'Su2300-0700' matches (UUCP style). - * - * Version: $Id$ - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA - * - * @copyright 2000,2006 The FreeRADIUS server project - * @copyright 2000 Alan DeKok (aland@freeradius.org) - */ - -RCSID("$Id$") - -#include - -#include - -int timestr_match(fr_time_delta_t *out, char const *tmstr, fr_time_t when); - -static char const *days[] = - { "su", "mo", "tu", "we", "th", "fr", "sa", "wk", "any", "al" }; - -#define DAYMIN (24*60) -#define WEEKMIN (24*60*7) -#define val(x) (( (x) < 48 || (x) > 57) ? 0 : ((x) - 48)) - -#if 0 /* Set to 1 if you're a developer and want to debug this code */ -# define timestr_debug DEBUG2 -# define do_timestr_debug 1 -#else -# define timestr_debug if (0) printf -#endif - -/* - * String code. - */ -static int strcode (char const **str) -{ - int i; - size_t l; - - timestr_debug("strcode %s called\n", *str); - - for (i = 0; i < 10; i++) { - l = strlen(days[i]); - if (l > strlen(*str)) - continue; - if (strncmp(*str, days[i], l) == 0) { - *str += l; - break; - } - } - timestr_debug("strcode result %d\n", i); - - return (i >= 10) ? -1 : i; - -} - -/* - * Fill bitmap with hours/mins. 
- */ -static int hour_fill(char *bitmap, char const *tm) -{ - char *p; - int start, end; - int i, bit, byte; - - timestr_debug("hour_fill called for %s\n", tm); - - /* - * Get timerange in start and end. - */ - end = -1; - if ((p = strchr(tm, '-')) != NULL) { - p++; - if (p - tm != 5 || strlen(p) < 4 || !isdigit((uint8_t) *p)) - return 0; - end = 600 * val(p[0]) + 60 * val(p[1]) + atoi(p + 2); - } - if (*tm == 0) { - start = 0; - end = DAYMIN - 1; - } else { - if (strlen(tm) < 4 || !isdigit((uint8_t) *tm)) - return 0; - start = 600 * val(tm[0]) + 60 * val(tm[1]) + atoi(tm + 2); - if (end < 0) end = start; - } - /* Treat 2400 as 0000, and do some more silent error checks. */ - if (end < 0) end = 0; - if (start < 0) start = 0; - if (end >= DAYMIN) end = DAYMIN - 1; - if (start >= DAYMIN) start = DAYMIN - 1; - - timestr_debug("hour_fill: range from %d to %d\n", start, end); - - /* - * Fill bitmap. - */ - i = start; - while (1) { - byte = (i / 8); - bit = i % 8; - timestr_debug("setting byte %d, bit %d\n", byte, bit); - bitmap[byte] |= (1 << bit); - if (i == end) break; - i++; - i %= DAYMIN; - } - return 1; -} - -/* - * Call the fill bitmap function for every day listed. - */ -static int day_fill(char *bitmap, char const *tm) -{ - char const *hr; - int n; - int start, end; - - for (hr = tm; *hr; hr++) - if (isdigit((uint8_t) *hr)) - break; - if (hr == tm) - tm = "Al"; - - timestr_debug("dayfill: hr %s tm %s\n", hr, tm); - - while ((start = strcode(&tm)) >= 0) { - /* - * Find start and end weekdays and - * build a valid range 0 - 6. - */ - if (*tm == '-') { - tm++; - if ((end = strcode(&tm)) < 0) - break; - } else - end = start; - if (start == 7) { - start = 1; - end = 5; - } - if (start > 7) { - start = 0; - end = 6; - } - n = start; - timestr_debug("day_fill: range from %d to %d\n", start, end); - while (1) { - hour_fill(bitmap + 180 * n, hr); - if (n == end) break; - n++; - n %= 7; - } - } - - return 1; -} - -/* - * Fill the week bitmap with allowed times. 
- */ -static int week_fill(char *bitmap, char const *tm) -{ - char *s; - char tmp[256]; - - strlcpy(tmp, tm, sizeof(tmp)); - for (s = tmp; *s; s++) - if (isupper((uint8_t) *s)) *s = tolower((uint8_t) *s); - - s = strtok(tmp, ",|"); - while (s) { - day_fill(bitmap, s); - s = strtok(NULL, ",|"); - } - - return 0; -} - -/* - * Match a time string, and return time left in `out`. - * -1 for no match - */ -int timestr_match(fr_time_delta_t *out, char const *tmstr, fr_time_t when) -{ - struct tm *tm, s_tm; - char bitmap[WEEKMIN / 8]; - int64_t now, tot, i; - int byte, bit; -#ifdef do_timestr_debug - int y; - char *s; - char null[8]; -#endif - time_t t = fr_time_to_sec(when); - - tm = localtime_r(&t, &s_tm); - now = (int64_t) (tm->tm_wday) * DAYMIN + (int64_t) (tm->tm_hour) * 60 + tm->tm_min; - tot = 0; - memset(bitmap, 0, sizeof(bitmap)); - week_fill(bitmap, tmstr); - -#ifdef do_timestr_debug - memset(null, 0, 8); - for (i = 0; i < 7; i++) { - timestr_debug("%d: ", i); - s = bitmap + 180 * i; - for (y = 0; y < 23; y++) { - s = bitmap + 180 * i + (75 * y) / 10; - timestr_debug("%c", memcmp(s, null, 8) == 0 ? '.' : '#'); - } - timestr_debug("\n"); - } -#endif - - /* - * See how many minutes we have. - */ - i = now; - while (1) { - byte = i / 8; - bit = i % 8; - timestr_debug("READ: checking byte %d bit %d\n", byte, bit); - if (!(bitmap[byte] & (1 << bit))) - break; - tot += 60; - i++; - i %= WEEKMIN; - if (i == now) - break; - } - - if (!tot) return -1; - - if (i == now) { - *out = fr_time_delta_wrap(0); - return 0; - } - - *out = fr_time_delta_wrap(tot); - return 0; -} - -#ifdef STANDALONE - -int main(int argc, char **argv) -{ - fr_time_delta_t l; - - if (argc != 2) { - fprintf(stderr, "Usage: test timestring\n"); - fr_exit_now(EXIT_FAILURE); - } - l = timestr_match(argv[1], fr_time()); - printf ("%s: %d seconds left\n", argv[1], fr_time_delta_to_sec(l)); - return 0; -} - -#endif - diff --git a/src/modules/stable b/src/modules/stable index 005c00f3b98..8525adc0722 100644 
--- a/src/modules/stable
+++ b/src/modules/stable
@@ -15,7 +15,6 @@ rlm_json
 rlm_krb5
 rlm_ldap
 rlm_linelog
-rlm_logintime
 rlm_mschap
 rlm_pam
 rlm_pap