don't have authenticate modules define Auth-Type = foo

instead of defining it in the module bootstrap phase, the virtual server code should define it when it parses the various "authenticate" sections. The modules should then check for it in their instantiate and run-time sections. And complain if "Auth-type foo" isn't set
FreeRADIUS · Jun 25, 2020 · 1c5ae4f · 1c5ae4f
1 parent 6f0c5c1
commit 1c5ae4f
Show file tree

Hide file tree

Showing 8 changed files with 131 additions and 51 deletions.
diff --git a/src/modules/rlm_chap/rlm_chap.c b/src/modules/rlm_chap/rlm_chap.c
@@ -131,6 +131,12 @@ static rlm_rcode_t CC_HINT(nonnull) mod_authorize(module_ctx_t const *mctx, REQU
 		fr_pair_add(&request->packet->vps, vp);
 	}
 
+	if (!inst->auth_type) {
+		WARN("No 'authenticate %s {...}' section or 'Auth-Type = %s' set.  Cannot setup CHAP authentication",
+		     inst->name, inst->name);
+		return RLM_MODULE_NOOP;
+	}
+
 	if (!module_section_type_set(request, attr_auth_type, inst->auth_type)) return RLM_MODULE_NOOP;
 
 	return RLM_MODULE_OK;
@@ -248,12 +254,22 @@ static int mod_bootstrap(void *instance, CONF_SECTION *conf)
 	inst->name = cf_section_name2(conf);
 	if (!inst->name) inst->name = cf_section_name1(conf);
 
-	if (fr_dict_enum_add_name_next(fr_dict_attr_unconst(attr_auth_type), inst->name) < 0) {
-		PERROR("Failed adding %s alias", attr_auth_type->name);
-		return -1;
-	}
+	return 0;
+}
+
+/*
+ *	Create instance for our module. Allocate space for
+ *	instance structure and read configuration parameters
+ */
+static int mod_instantiate(void *instance, UNUSED CONF_SECTION *conf)
+{
+	rlm_chap_t		*inst = instance;
+
 	inst->auth_type = fr_dict_enum_by_name(attr_auth_type, inst->name, -1);
-	fr_assert(inst->auth_type);
+	if (!inst->auth_type) {
+		WARN("Failed to find 'authenticate %s {...}' section.  CHAP authentication will likely not work",
+		     inst->name);
+	}
 
 	return 0;
 }
@@ -287,6 +303,7 @@ module_t rlm_chap = {
 	.onload		= mod_load,
 	.unload		= mod_unload,
 	.bootstrap	= mod_bootstrap,
+	.instantiate	= mod_instantiate,
 	.dict		= &dict_radius,
 	.methods = {
 		[MOD_AUTHENTICATE]	= mod_authenticate,

diff --git a/src/modules/rlm_digest/rlm_digest.c b/src/modules/rlm_digest/rlm_digest.c
@@ -102,6 +102,12 @@ static rlm_rcode_t CC_HINT(nonnull) mod_authorize(module_ctx_t const *mctx, REQU
 	 */
 	if (!vp) return RLM_MODULE_NOOP;
 
+	if (!inst->auth_type) {
+		WARN("No 'authenticate %s {...}' section or 'Auth-Type = %s' set.  Cannot setup Digest authentication",
+		     inst->name, inst->name);
+		return RLM_MODULE_NOOP;
+	}
+
 	/*
 	 *	Everything's OK, add a digest authentication type.
 	 */
@@ -448,12 +454,22 @@ static int mod_bootstrap(void *instance, CONF_SECTION *conf)
 	if (!name) name = cf_section_name1(conf);
 	inst->name = name;
 
-	if (fr_dict_enum_add_name_next(fr_dict_attr_unconst(attr_auth_type), inst->name) < 0) {
-		PERROR("Failed adding %s alias", attr_auth_type->name);
-		return -1;
-	}
+	return 0;
+}
+
+/*
+ *	Create instance for our module. Allocate space for
+ *	instance structure and read configuration parameters
+ */
+static int mod_instantiate(void *instance, UNUSED CONF_SECTION *conf)
+{
+	rlm_digest_t		*inst = instance;
+
 	inst->auth_type = fr_dict_enum_by_name(attr_auth_type, inst->name, -1);
-	fr_assert(inst->auth_type);
+	if (!inst->auth_type) {
+		WARN("Failed to find 'authenticate %s {...}' section.  Digest authentication will likely not work",
+		     inst->name);
+	}
 
 	return 0;
 }
@@ -473,6 +489,7 @@ module_t rlm_digest = {
 	.name		= "digest",
 	.inst_size	= sizeof(rlm_digest_t),
 	.bootstrap	= mod_bootstrap,
+	.instantiate	= mod_instantiate,
 	.dict		= &dict_radius,
 	.methods = {
 		[MOD_AUTHENTICATE]	= mod_authenticate,

diff --git a/src/modules/rlm_eap/rlm_eap.c b/src/modules/rlm_eap/rlm_eap.c
@@ -750,6 +750,12 @@ static rlm_rcode_t mod_authorize(module_ctx_t const *mctx, REQUEST *request)
 		return RLM_MODULE_NOOP;
 #endif
 
+	if (!inst->auth_type) {
+		WARN("No 'authenticate %s {...}' section or 'Auth-Type = %s' set.  Cannot setup EAP authentication",
+		     inst->name, inst->name);
+		return RLM_MODULE_NOOP;
+	}
+
 	/*
 	 *	For EAP_START, send Access-Challenge with EAP Identity
 	 *	request.  even when we have to proxy this request
@@ -976,6 +982,12 @@ static int mod_instantiate(void *instance, UNUSED CONF_SECTION *cs)
 	rlm_eap_t	*inst = talloc_get_type_abort(instance, rlm_eap_t);
 	size_t		i;
 
+	inst->auth_type = fr_dict_enum_by_name(attr_auth_type, inst->name, -1);
+	if (!inst->auth_type) {
+		WARN("Failed to find 'authenticate %s {...}' section.  EAP authentication will likely not work",
+		     inst->name);
+	}
+
 	/*
 	 *	Create our own random pool.
 	 */
@@ -992,14 +1004,7 @@ static int mod_bootstrap(void *instance, CONF_SECTION *cs)
 	size_t		i, j, loaded, count = 0;
 
 	inst->name = cf_section_name2(cs);
-	if (!inst->name) inst->name = "eap";
-
-	if (fr_dict_enum_add_name_next(fr_dict_attr_unconst(attr_auth_type), inst->name) < 0) {
-		PERROR("Failed adding %s alias", inst->name);
-		return -1;
-	}
-	inst->auth_type = fr_dict_enum_by_name(attr_auth_type, inst->name, -1);
-	fr_assert(inst->name);
+	if (!inst->name) inst->name = cf_section_name1(cs);
 
 	/*
 	 *	Load and bootstrap the submodules now

diff --git a/src/modules/rlm_mschap/rlm_mschap.c b/src/modules/rlm_mschap/rlm_mschap.c
@@ -1383,6 +1383,12 @@ static rlm_rcode_t CC_HINT(nonnull) mod_authorize(module_ctx_t const *mctx, REQU
 		return RLM_MODULE_NOOP;
 	}
 
+	if (!inst->auth_type) {
+		WARN("No 'authenticate %s {...}' section or 'Auth-Type = %s' set.  Cannot setup MS-CHAP authentication",
+		     inst->name, inst->name);
+		return RLM_MODULE_NOOP;
+	}
+
 	if (!module_section_type_set(request, attr_auth_type, inst->auth_type)) return RLM_MODULE_NOOP;
 
 	return RLM_MODULE_OK;
@@ -2113,6 +2119,12 @@ static int mod_instantiate(void *instance, CONF_SECTION *conf)
 {
 	rlm_mschap_t		*inst = instance;
 
+	inst->auth_type = fr_dict_enum_by_name(attr_auth_type, inst->name, -1);
+	if (!inst->auth_type) {
+		WARN("Failed to find 'authenticate %s {...}' section.  MS-CHAP authentication will likely not work",
+		     inst->name);
+	}
+
 	/*
 	 *	Set auth method
 	 */
@@ -2184,13 +2196,6 @@ static int mod_bootstrap(void *instance, CONF_SECTION *conf)
 	if (!name) name = cf_section_name1(conf);
 	inst->name = name;
 
-	if (fr_dict_enum_add_name_next(fr_dict_attr_unconst(attr_auth_type), inst->name) < 0) {
-		PERROR("Failed adding %s alias", attr_auth_type->name);
-		return -1;
-	}
-	inst->auth_type = fr_dict_enum_by_name(attr_auth_type, inst->name, -1);
-	fr_assert(inst->auth_type);
-
 	xlat_register(inst, inst->name, mschap_xlat, NULL, NULL, 0, XLAT_DEFAULT_BUF_LEN, true);
 
 	return 0;

diff --git a/src/modules/rlm_opendirectory/rlm_opendirectory.c b/src/modules/rlm_opendirectory/rlm_opendirectory.c
@@ -457,10 +457,7 @@ static rlm_rcode_t CC_HINT(nonnull) mod_authorize(module_ctx_t const *mctx, REQU
 
 	if (uuid_is_null(guid_sacl) && uuid_is_null(guid_nasgroup)) {
 		RDEBUG2("No access control groups, all users allowed");
-
-		if (!module_section_type_set(request, attr_auth_type, inst->auth_type)) return RLM_MODULE_NOOP;
-
-		return RLM_MODULE_OK;
+		goto setup_auth_type;
 	}
 
 	/* resolve user */
@@ -505,6 +502,13 @@ static rlm_rcode_t CC_HINT(nonnull) mod_authorize(module_ctx_t const *mctx, REQU
 		}
 	}
 
+setup_auth_type:
+	if (!inst->auth_type) {
+		WARN("No 'authenticate %s {...}' section or 'Auth-Type = %s' set.  Cannot setup OpenDirectory authentication",
+		     inst->name, inst->name);
+		return RLM_MODULE_NOOP;
+	}
+
 	if (!module_section_type_set(request, attr_auth_type, inst->auth_type)) return RLM_MODULE_NOOP;
 
 	return RLM_MODULE_OK;
@@ -517,12 +521,18 @@ static int mod_bootstrap(void *instance, CONF_SECTION *conf)
 	inst->name = cf_section_name2(conf);
 	if (!inst->name) inst->name = cf_section_name1(conf);
 
-	if (fr_dict_enum_add_name_next(fr_dict_attr_unconst(attr_auth_type), inst->name) < 0) {
-		PERROR("Failed adding %s alias", attr_auth_type->name);
-		return -1;
-	}
+	return 0;
+}
+
+static int mod_instantiate(void *instance, CONF_SECTION *conf)
+{
+	rlm_opendirectory_t *inst = instance;
+
 	inst->auth_type = fr_dict_enum_by_name(attr_auth_type, inst->name, -1);
-	fr_assert(inst->auth_type);
+	if (!inst->auth_type) {
+		WARN("Failed to find 'authenticate %s {...}' section.  OpenDirectory authentication will likely not work",
+		     inst->name);
+	}
 
 	return 0;
 }
@@ -535,6 +545,7 @@ module_t rlm_opendirectory = {
 	.inst_size	= sizeof(rlm_opendirectory_t),
 	.type		= RLM_TYPE_THREAD_SAFE,
 	.bootstrap	= mod_bootstrap,
+	.instantiate	= mod_instantiate,
 	.methods = {
 		[MOD_AUTHENTICATE]	= mod_authenticate,
 		[MOD_AUTHORIZE]		= mod_authorize

diff --git a/src/modules/rlm_pap/rlm_pap.c b/src/modules/rlm_pap/rlm_pap.c
@@ -135,6 +135,12 @@ static rlm_rcode_t CC_HINT(nonnull) mod_authorize(module_ctx_t const *mctx, REQU
 		return RLM_MODULE_NOOP;
 	}
 
+	if (!inst->auth_type) {
+		WARN("No 'authenticate %s {...}' section or 'Auth-Type = %s' set.  Cannot setup PAP authentication.",
+		     inst->name, inst->name);
+		return RLM_MODULE_NOOP;
+	}
+
 	if (!module_section_type_set(request, attr_auth_type, inst->auth_type)) return RLM_MODULE_NOOP;
 
 	return RLM_MODULE_UPDATED;
@@ -922,12 +928,18 @@ static int mod_bootstrap(void *instance, CONF_SECTION *conf)
 	if (!name) name = cf_section_name1(conf);
 	inst->name = name;
 
-	if (fr_dict_enum_add_name_next(fr_dict_attr_unconst(attr_auth_type), inst->name) < 0) {
-		PERROR("Failed adding %s alias", attr_auth_type->name);
-		return -1;
-	}
+	return 0;
+}
+
+static int mod_instantiate(void *instance, UNUSED CONF_SECTION *cs)
+{
+	rlm_pap_t	*inst = talloc_get_type_abort(instance, rlm_pap_t);
+
 	inst->auth_type = fr_dict_enum_by_name(attr_auth_type, inst->name, -1);
-	fr_assert(inst->auth_type);
+	if (!inst->auth_type) {
+		WARN("Failed to find 'authenticate %s {...}' section.  PAP will likely not work",
+		     inst->name);
+	}
 
 	return 0;
 }
@@ -1006,6 +1018,7 @@ module_t rlm_pap = {
 	.unload		= mod_unload,
 	.config		= module_config,
 	.bootstrap	= mod_bootstrap,
+	.instantiate	= mod_instantiate,
 	.methods = {
 		[MOD_AUTHENTICATE]	= mod_authenticate,
 		[MOD_AUTHORIZE]		= mod_authorize

diff --git a/src/modules/rlm_winbind/rlm_winbind.c b/src/modules/rlm_winbind/rlm_winbind.c
@@ -335,12 +335,6 @@ static int mod_bootstrap(void *instance, CONF_SECTION *conf)
 	inst->name = cf_section_name2(conf);
 	if (!inst->name) inst->name = cf_section_name1(conf);
 
-	if (fr_dict_enum_add_name_next(fr_dict_attr_unconst(attr_auth_type), inst->name) < 0) {
-		PERROR("Failed adding %s alias", inst->name);
-		return -1;
-	}
-	inst->auth_type = fr_dict_enum_by_name(attr_auth_type, inst->name, -1);
-
 	if (inst->group_attribute) {
 		group_attribute = inst->group_attribute;
 	} else if (cf_section_name2(conf)) {
@@ -385,6 +379,12 @@ static int mod_instantiate(void *instance, CONF_SECTION *conf)
 		return -1;
 	}
 
+	inst->auth_type = fr_dict_enum_by_name(attr_auth_type, inst->name, -1);
+	if (!inst->auth_type) {
+		WARN("Failed to find 'authenticate %s {...}' section.  Winbind authentication will likely not work",
+		     inst->name);
+	}
+
 	/*
 	 *	If the domain has not been specified, try and find
 	 *	out what it is from winbind.
@@ -471,6 +471,12 @@ static rlm_rcode_t CC_HINT(nonnull) mod_authorize(module_ctx_t const *mctx, REQU
 		return RLM_MODULE_NOOP;
 	}
 
+	if (!inst->auth_type) {
+		WARN("No 'authenticate %s {...}' section or 'Auth-Type = %s' set.  Cannot setup Winbind authentication",
+		     inst->name, inst->name);
+		return RLM_MODULE_NOOP;
+	}
+
 	if (!module_section_type_set(request, attr_auth_type, inst->auth_type)) return RLM_MODULE_NOOP;
 
 	return RLM_MODULE_OK;

diff --git a/src/modules/rlm_yubikey/rlm_yubikey.c b/src/modules/rlm_yubikey/rlm_yubikey.c
@@ -169,12 +169,6 @@ static int mod_bootstrap(void *instance, CONF_SECTION *conf)
 	}
 #endif
 
-	if (fr_dict_enum_add_name_next(fr_dict_attr_unconst(attr_auth_type), inst->name) < 0) {
-		PERROR("Failed adding %s alias", inst->name);
-		return -1;
-	}
-	inst->auth_type = fr_dict_enum_by_name(attr_auth_type, inst->name, -1);
-
 	if (!cf_section_name2(conf)) return 0;
 
 	xlat_register(inst, "modhextohex", modhex_to_hex_xlat, NULL, NULL, 0, XLAT_DEFAULT_BUF_LEN, true);
@@ -196,6 +190,12 @@ static int mod_instantiate(void *instance, CONF_SECTION *conf)
 {
 	rlm_yubikey_t *inst = instance;
 
+	inst->auth_type = fr_dict_enum_by_name(attr_auth_type, inst->name, -1);
+	if (!inst->auth_type) {
+		WARN("Failed to find 'authenticate %s {...}' section.  Yubikey authentication will likely not work",
+		     inst->name);
+	}
+
 	if (inst->validate) {
 #ifdef HAVE_YKCLIENT
 		CONF_SECTION *cs;
@@ -340,6 +340,12 @@ static rlm_rcode_t CC_HINT(nonnull) mod_authorize(module_ctx_t const *mctx, REQU
 		fr_pair_value_bstrndup(vp, passcode, inst->id_len, true);
 	}
 
+	if (!inst->auth_type) {
+		WARN("No 'authenticate %s {...}' section or 'Auth-Type = %s' set.  Cannot setup Yubikey authentication",
+		     inst->name, inst->name);
+		return RLM_MODULE_NOOP;
+	}
+
 	if (!module_section_type_set(request, attr_auth_type, inst->auth_type)) return RLM_MODULE_NOOP;
 
 	return RLM_MODULE_OK;