From: Alan T. DeKok
Date: Wed, 23 Aug 2023 01:18:45 +0000 (-0400)
Subject: move group check to stand-alone function
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a611d5961d4bd8cf01e50a5c0660c788407df93e;p=thirdparty%2Ffreeradius-server.git
move group check to stand-alone function in preparation for adding %{sql.group:name}
---
diff --git a/src/modules/rlm_sql/rlm_sql.c b/src/modules/rlm_sql/rlm_sql.c
index 14cdac9e36d..76fb2ff9507 100644
--- a/src/modules/rlm_sql/rlm_sql.c
+++ b/src/modules/rlm_sql/rlm_sql.c
@@ -767,36 +767,15 @@ static int sql_get_grouplist(rlm_sql_t const *inst, rlm_sql_handle_t **handle, r
 return num_groups;
 }
-
-/*
- * sql groupcmp function. That way we can do group comparisons (in the users file for example)
- * with the group memberships reciding in sql
- * The group membership query should only return one element which is the username. The returned
- * username will then be checked with the passed check string.
+/** Check if a given group is in the SQL group for this user.
+ *
 */
-static int sql_groupcmp(void *instance, request_t *request, fr_pair_t const *check) CC_HINT(nonnull);
-
-static int sql_groupcmp(void *instance, request_t *request, fr_pair_t const *check)
+static bool CC_HINT(nonnull) sql_check_group(rlm_sql_t const *inst, request_t *request, char const *name)
 {
+ bool rcode = false;
 rlm_sql_handle_t *handle;
- rlm_sql_t const *inst = talloc_get_type_abort_const(instance, rlm_sql_t);
 rlm_sql_grouplist_t *head, *entry;
- /*
- * No group queries, don't do group comparisons.
- */
- if (!inst->config.groupmemb_query) {
- RWARN("Cannot do group comparison when group_membership_query is not set");
- return 1;
- }
-
- RDEBUG2("sql_groupcmp");
-
- if (check->vp_length == 0){
- RDEBUG2("sql_groupcmp: Illegal group name");
- return 1;
- }
-
 /*
 * Set, escape, and check the user attr here
 */
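Review bot: sql_check_group() does not enforce its own preconditions: the `group_membership_query` guard and the empty-name test removed in this hunk now exist only in sql_groupcmp(), so the planned `%{sql.group:name}` caller must repeat them or the helper will take a pool connection and run the lookup without them. How sql_get_grouplist() behaves when the query is unset is not visible in this diff, so I would keep a cheap guard at the top of the helper, `if (!inst->config.groupmemb_query) return false;`. Failing that, the new doc comment should state the precondition; it currently ends in an empty ` *` line and documents neither the parameters nor the return value. The function body continues past the end of this hunk.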
@@ -807,9 +786,7 @@ static int sql_groupcmp(void *instance, request_t *request, fr_pair_t const *che
 * Get a socket for this lookup
 */
 handle = fr_pool_connection_get(inst->pool, request);
- if (!handle) {
- return 1;
- }
+ if (!handle) return false;
 /*
 * Get the list of groups this user is a member of
@@ -817,16 +794,13 @@ static int sql_groupcmp(void *instance, request_t *request, fr_pair_t const *che
 if (sql_get_grouplist(inst, &handle, request, &head) < 0) {
 REDEBUG("Error getting group membership");
 fr_pool_connection_release(inst->pool, request, handle);
- return 1;
+ return false;
 }
 for (entry = head; entry != NULL; entry = entry->next) {
- if (strcmp(entry->name, check->vp_strvalue) == 0){
- RDEBUG2("sql_groupcmp finished: User is a member of group %s",
- check->vp_strvalue);
- talloc_free(head);
- fr_pool_connection_release(inst->pool, request, handle);
- return 0;
+ if (strcmp(entry->name, name) == 0) {
+ rcode = true;
+ break;
 }
 }
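Review bot: `if (!handle) return false;` makes a failed connection-pool lookup indistinguishable from "user is not in the group", and the `return false;` after `REDEBUG("Error getting group membership")` in the next hunk does the same for a failed query. The old code also reported "no match" here, but the helper is being prepared for reuse, and any policy that acts on a negative membership result would then fail open while the database is unavailable. Consider a tri-state result, e.g. an `int` return with `if (!handle) return -1;` and `return -1;` on the query error, with sql_groupcmp() mapping anything other than a positive match to 1. A side effect of the current shape is that the wrapper in the last hunk now logs "User is NOT a member of group" for these error cases, which the previous error returns did not. The pool-failure path also logs nothing itself, unlike the query-failure path.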
@@ -834,8 +808,43 @@ static int sql_groupcmp(void *instance, request_t *request, fr_pair_t const *che
 talloc_free(head);
 fr_pool_connection_release(inst->pool, request, handle);
- RDEBUG2("sql_groupcmp finished: User is NOT a member of group %pV", &check->data);
+ return rcode;
+}
+
+/*
+ * sql groupcmp function. That way we can do group comparisons (in the users file for example)
+ * with the group memberships reciding in sql
+ * The group membership query should only return one element which is the username. The returned
+ * username will then be checked with the passed check string.
+ */
+static int sql_groupcmp(void *instance, request_t *request, fr_pair_t const *check) CC_HINT(nonnull);
+
+static int sql_groupcmp(void *instance, request_t *request, fr_pair_t const *check)
+{
+ rlm_sql_t const *inst = talloc_get_type_abort_const(instance, rlm_sql_t);
+
+ /*
+ * No group queries, don't do group comparisons.
+ */
+ if (!inst->config.groupmemb_query) {
+ RWARN("Cannot do group comparison when group_membership_query is not set");
+ return 1;
+ }
+
+ RDEBUG2("sql_groupcmp");
+
+ if (check->vp_length == 0){
+ RDEBUG2("sql_groupcmp: Illegal group name");
+ return 1;
+ }
+ if (sql_check_group(inst, request, check->vp_strvalue)) {
+ RDEBUG2("sql_groupcmp finished: User is a member of group %s",
+ check->vp_strvalue);
+ return 0;
+ }
+
+ RDEBUG2("sql_groupcmp finished: User is NOT a member of group %pV", &check->data);
 return 1;
 }
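Review bot: The two outcome messages in the new sql_groupcmp() format the same group name differently: the match branch passes `check->vp_strvalue` to `%s`, while the no-match branch passes `&check->data` to `%pV`. `%s` prints the bytes as-is and stops at the first NUL, so the two log lines can disagree about the name that was tested. Using the value-box form in both, `RDEBUG2("sql_groupcmp finished: User is a member of group %pV", &check->data);`, keeps the debug output consistent (presumably `%pV` also applies the server's print escaping; confirm). Relatedly, `check->vp_length == 0` only rejects an empty value and the name is then compared with strcmp() in sql_check_group(), so if a check value can carry an embedded NUL it would be matched on its prefix only.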