From: Alan T. DeKok Date: Mon, 28 Aug 2023 17:51:11 +0000 (-0400) Subject: make the files module work (mostly) X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d981a675d3851344072e8d1faaf0fcdc92039232;p=thirdparty%2Ffreeradius-server.git make the files module work (mostly) Regular expressions are not supported. Arguably the module actually supported inter-attribute comparisons, we just never tried that? --- diff --git a/raddb/mods-available/files b/raddb/mods-available/files index 5cd02c94896..6155f333de5 100644 --- a/raddb/mods-available/files +++ b/raddb/mods-available/files @@ -9,7 +9,14 @@ # # The `users` file as located in `raddb/mods-config/files/authorize`. (Livingston-style format). # -# See "man 1 users" for more information. +# See `man 1 users` for more information. +# + +# +# NOTE: Temporarily (2023-08-27), the check items only support "real" +# attributes, and do not support regular expressions. This +# limitation will be removed when the module is rewritten to support +# xlat expressions for conditions # # diff --git a/src/modules/rlm_files/rlm_files.c b/src/modules/rlm_files/rlm_files.c index 46f6768041f..d6baea9d21d 100644 --- a/src/modules/rlm_files/rlm_files.c +++ b/src/modules/rlm_files/rlm_files.c 
@@ -161,10 +161,27 @@ static int getusersfile(TALLOC_CTX *ctx, char const *filename, fr_htrie_t **ptre ERROR("%s[%d] Left side of check item %s is not an attribute", entry->filename, entry->lineno, map->lhs->name); return -1; - } da = tmpl_attr_tail_da(map->lhs); + /* + * Disallow regexes for now. + */ + if ((map->op == T_OP_REG_EQ) || (map->op == T_OP_REG_NE)) { + ERROR("%s[%d] Regular expression for check item %s is not supported", + entry->filename, entry->lineno, map->lhs->name); + return -1; + } + + /* + * Disallow inter-attribute comparisons. + */ + if (!tmpl_is_data(map->rhs)) { + ERROR("%s[%d] Right side of check item %s is not a leaf value", + entry->filename, entry->lineno, map->lhs->name); + return -1; + } + /* * Ignore attributes which are set * properly. @@ -377,6 +394,20 @@ static int mod_instantiate(module_inst_ctx_t const *mctx) return 0; } +static bool files_eval_map(request_t *request, map_t *map) +{ + fr_pair_t *vp; + + fr_assert(tmpl_is_attr(map->lhs)); + fr_assert(fr_comparison_op[map->op]); + fr_assert(tmpl_is_data(map->rhs)); + + if (tmpl_find_vp(&vp, request, map->lhs) < 0) return false; + + return (fr_value_box_cmp_op(map->op, &vp->data, tmpl_value(map->rhs)) == 1); +} + + /* * Common code called by everything below. */ @@ -498,7 +529,7 @@ redo: * Evaluate the map, including regexes. */ default: - if (!fr_cond_eval_map(request, map)) { + if (!files_eval_map(request, map)) { RDEBUG3(" failed match - %s", fr_strerror()); match = false; } diff --git a/src/tests/modules/files/authorize b/src/tests/modules/files/authorize index 40bc94ba8ee..169724877d4 100644 --- a/src/tests/modules/files/authorize +++ b/src/tests/modules/files/authorize 
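Review bot: The two new rejections in getusersfile sit above the "Ignore attributes which are set properly" block, so they appear to apply to every item on the check line, including assignment items such as `:=`, not only to comparisons. If an assignment with a non-literal right-hand side was accepted before, it is now refused with an error that calls it a "check item". Limiting the second test to comparison operators, e.g. `if (fr_comparison_op[map->op] && !tmpl_is_data(map->rhs)) {`, or moving both checks below the assignment handling, would keep the restriction to the items that files_eval_map evaluates. The body of getusersfile continues outside the hunk, so the placement should be confirmed against the full loop.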
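Review bot: files_eval_map states its preconditions only through `fr_assert`, so a map that did not pass the load-time checks in getusersfile would reach `tmpl_value(map->rhs)` unchecked in any build where those assertions are compiled out (worth confirming for release builds). Because this function decides whether a users-file entry matches, a cheap runtime guard that fails closed is preferable, e.g. `if (!tmpl_is_attr(map->lhs) || !tmpl_is_data(map->rhs)) return false;`. The function also has no header comment; one should say that it returns true only when the attribute exists and the comparison yields 1, and that both a missing attribute and a comparison error count as "no match".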
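Review bot: The comment above the `default:` branch still reads "Evaluate the map, including regexes.", which is no longer true now that the call goes to files_eval_map and regex operators are refused at load time. It should be replaced with something like `Evaluate the map. Regexes and non-literal right-hand sides are rejected when the file is loaded.` The `RDEBUG3(" failed match - %s", fr_strerror())` line also assumes the evaluator sets an error string. files_eval_map returns false for a missing attribute or a plain mismatch without visibly setting one, so the logged text may be empty or left over from an earlier call. The enclosing function starts and ends outside the hunk.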
@@ -114,8 +114,8 @@ addcontrol Password.Cleartext := "testing123", Reply-Message := "success1" addcontrol Reply-Message += "success2" -regex NAS-Identifier =~ /der/, Password.Cleartext := "testing123" - Reply-Message := "wonderful" +#regex NAS-Identifier =~ /der/, Password.Cleartext := "testing123" +# Reply-Message := "wonderful" DEFAULT User-Name == "cmp_eq", Password.Cleartext := "hopping" Reply-Message := "success-cmp_eq" diff --git a/src/tests/modules/files/regex.unlang b/src/tests/modules/files/regex.unlang.ignore similarity index 100% rename from src/tests/modules/files/regex.unlang rename to src/tests/modules/files/regex.unlang.ignore
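Review bot: The two new load-time rejections in getusersfile (regex operators and a non-literal right-hand side) have no test in the visible changes. The regex entry here is only commented out, and regex.unlang is parked as regex.unlang.ignore. Since this file drives authorization decisions, a case confirming that such an entry makes the load fail, rather than being skipped silently, would pin the fail-closed behaviour, if the test harness can express a load failure. A short comment above the disabled entry, e.g. `# disabled: regex check items are rejected at load until the module supports xlat conditions`, would keep it from being forgotten.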