FreeRADIUS 3.0.12: SQL xlat return back-quoted value in response

Alexey Dotsenko lex at rwx.su
Tue Dec 20 14:35:27 CET 2016


Hello!

Test environment:
CentOS 7 (x86_64), FreeRADIUS 3.0.12 - RPM built from the upstream 3.0.12 source (based on the Fedora Project spec file, without code patches).

MariaDB [radius]> select * from radgroupreply;
+----+-----------+--------------+----+-------------------------------------------------------------------------------------+
| id | groupname | attribute    | op | value                                                                               |
+----+-----------+--------------+----+-------------------------------------------------------------------------------------+
|  3 | ras       | cisco-avpair | += | ip:inacl#1=permit ip any 10.0.253.224 255.255.255.224                               |
| 12 | ras       | cisco-avpair | += | ip:inacl#2=permit tcp any 10.0.253.224 255.255.255.224                              |
| 14 | ras       | Fall-Through | := | Yes                                                                                 |
| 29 | ras       | Cisco-AVPair | += | `ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-%{%{SQL-Group}:-%{%{User-Name}:-None}}-%l` |
+----+-----------+--------------+----+-------------------------------------------------------------------------------------+
4 rows in set (0.00 sec)

The back-quoted string (id 29 in radgroupreply) is xlat-ed properly, but remains back-quoted in the response (and, as a result, is rejected by the NAS):

Tue Dec 20 11:37:46 2016 : Debug: (1) sql: Group "ras": Merging reply items
Tue Dec 20 11:37:46 2016 : Debug: (1) sql:   Cisco-AVPair += "ip:inacl#1=permit ip any 10.0.253.224 255.255.255.224"
Tue Dec 20 11:37:46 2016 : Debug: (1) sql:   Cisco-AVPair += "ip:inacl#2=permit tcp any 10.0.253.224 255.255.255.224"
Tue Dec 20 11:37:46 2016 : Debug: (1) sql:   Fall-Through := Yes
Tue Dec 20 11:37:46 2016 : Debug: (1) sql:   Cisco-AVPair += "`ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-%{%{SQL-Group}:-%{%{User-Name}:-None}}-%l`"
Tue Dec 20 11:37:46 2016 : Debug: `ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-%{%{SQL-Group}:-%{%{User-Name}:-None}}-%l`
Tue Dec 20 11:37:46 2016 : Debug: Parsed xlat tree:
Tue Dec 20 11:37:46 2016 : Debug: literal --> `ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-
Tue Dec 20 11:37:46 2016 : Debug: if {
Tue Dec 20 11:37:46 2016 : Debug:       attribute --> SQL-Group
Tue Dec 20 11:37:46 2016 : Debug: }
Tue Dec 20 11:37:46 2016 : Debug: else {
Tue Dec 20 11:37:46 2016 : Debug:       if {
Tue Dec 20 11:37:46 2016 : Debug:               attribute --> User-Name
Tue Dec 20 11:37:46 2016 : Debug:       }
Tue Dec 20 11:37:46 2016 : Debug:       else {
Tue Dec 20 11:37:46 2016 : Debug:               literal --> None
Tue Dec 20 11:37:46 2016 : Debug:       }
Tue Dec 20 11:37:46 2016 : Debug: }
Tue Dec 20 11:37:46 2016 : Debug: literal --> -
Tue Dec 20 11:37:46 2016 : Debug: percent --> l
Tue Dec 20 11:37:46 2016 : Debug: literal --> `
Tue Dec 20 11:37:46 2016 : Debug: (1) sql: EXPAND `ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-%{%{SQL-Group}:-%{%{User-Name}:-None}}-%l`
Tue Dec 20 11:37:46 2016 : Debug: (1) sql:    --> `ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-ras-1482223066`
...
Tue Dec 20 11:37:47 2016 : Debug: (1) Sent Access-Accept Id 191 from 172.18.200.21:1812 to 172.18.200.2:48332 length 0
Tue Dec 20 11:37:47 2016 : Debug: (1)   Cisco-AVPair += "ip:inacl#1=permit ip any 10.0.253.224 255.255.255.224"
Tue Dec 20 11:37:47 2016 : Debug: (1)   Cisco-AVPair += "ip:inacl#2=permit tcp any 10.0.253.224 255.255.255.224"
Tue Dec 20 11:37:47 2016 : Debug: (1)   Cisco-AVPair += "`ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-ras-1482223066`"
Tue Dec 20 11:37:47 2016 : Debug: (1)   Reply-Message = "privacyIDEA access granted"
Tue Dec 20 11:37:47 2016 : Debug: (1) Finished request

I looked at the source code of the rlm_sql module (sql.c, function sql_fr_pair_list_afrom_str): a back-quoted string is marked for xlat but remains in quotes. I tried to change this behavior so that the value is taken for xlat without the quotes:

diff -ru freeradius-server-3.0.12.orig/src/modules/rlm_sql/sql.c 
freeradius-server-3.0.12/src/modules/rlm_sql/sql.c
--- freeradius-server-3.0.12.orig/src/modules/rlm_sql/sql.c     
2016-09-29 18:19:48.000000000 +0300
+++ freeradius-server-3.0.12/src/modules/rlm_sql/sql.c  2016-12-20 
11:44:37.001299860 +0300
@@ -168,16 +168,13 @@
                         break;

                 /*
-                *      Mark the pair to be allocated later.
+                *      Take the unquoted string and mark the pair to be 
allocated later.
                  */
                 case T_BACK_QUOTED_STRING:
                         do_xlat = 1;

-                       /* FALL-THROUGH */
-
-               /*
-                *      Keep the original string.
-                */
+                       value = buf;
+                       break;
                 default:
                         value = row[3];
                         break;
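Review bot: the `default:` case loses its `Keep the original string.` comment in this hunk although it still returns `row[3]` untouched; keep that comment above `default:` so the two cases stay documented. Also, `buf` is not visible in the hunk: confirm that at this point it holds the token with the back-quotes already stripped, and that it stays valid until the pair is actually allocated (the comment says allocation happens later), since `value` now points into `buf` rather than into `row[3]`.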


In this case, the xlat-ed string is returned unquoted:

Tue Dec 20 11:59:27 2016 : Debug: (1) sql: Group "ras": Merging reply items
Tue Dec 20 11:59:27 2016 : Debug: (1) sql:   Cisco-AVPair += "ip:inacl#1=permit ip any 10.0.253.224 255.255.255.224"
Tue Dec 20 11:59:27 2016 : Debug: (1) sql:   Cisco-AVPair += "ip:inacl#2=permit tcp any 10.0.253.224 255.255.255.224"
Tue Dec 20 11:59:27 2016 : Debug: (1) sql:   Fall-Through := Yes
Tue Dec 20 11:59:27 2016 : Debug: (1) sql:   Cisco-AVPair += "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-%{%{SQL-Group}:-%{%{User-Name}:-None}}-%l"
Tue Dec 20 11:59:27 2016 : Debug: ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-%{%{SQL-Group}:-%{%{User-Name}:-None}}-%l
Tue Dec 20 11:59:27 2016 : Debug: Parsed xlat tree:
Tue Dec 20 11:59:27 2016 : Debug: literal --> ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-
Tue Dec 20 11:59:27 2016 : Debug: if {
Tue Dec 20 11:59:27 2016 : Debug:       attribute --> SQL-Group
Tue Dec 20 11:59:27 2016 : Debug: }
Tue Dec 20 11:59:27 2016 : Debug: else {
Tue Dec 20 11:59:27 2016 : Debug:       if {
Tue Dec 20 11:59:27 2016 : Debug:               attribute --> User-Name
Tue Dec 20 11:59:27 2016 : Debug:       }
Tue Dec 20 11:59:27 2016 : Debug:       else {
Tue Dec 20 11:59:27 2016 : Debug:               literal --> None
Tue Dec 20 11:59:27 2016 : Debug:       }
Tue Dec 20 11:59:27 2016 : Debug: }
Tue Dec 20 11:59:27 2016 : Debug: literal --> -
Tue Dec 20 11:59:27 2016 : Debug: percent --> l
Tue Dec 20 11:59:27 2016 : Debug: (1) sql: EXPAND ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-%{%{SQL-Group}:-%{%{User-Name}:-None}}-%l
Tue Dec 20 11:59:27 2016 : Debug: (1) sql:    --> ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-ras-1482224367
...
Tue Dec 20 11:59:28 2016 : Debug: (1) Sent Access-Accept Id 120 from 172.18.200.21:1812 to 172.18.200.2:57555 length 0
Tue Dec 20 11:59:28 2016 : Debug: (1)   Cisco-AVPair += "ip:inacl#1=permit ip any 10.0.253.224 255.255.255.224"
Tue Dec 20 11:59:28 2016 : Debug: (1)   Cisco-AVPair += "ip:inacl#2=permit tcp any 10.0.253.224 255.255.255.224"
Tue Dec 20 11:59:28 2016 : Debug: (1)   Cisco-AVPair += "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-ras-1482224367"
Tue Dec 20 11:59:28 2016 : Debug: (1)   Reply-Message = "privacyIDEA access granted"
Tue Dec 20 11:59:28 2016 : Debug: (1) Finished request

Do I understand correctly that the removal of the quotes should not be done later, in the xlat code area?

Best regards,
Alex Dotsenko.
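As an added illustration (not part of the message above and not FreeRADIUS code), a small Python model of the behaviour it reports: the unpatched path hands row[3] to xlat with the back-quotes still attached, while the patched path strips them first. The expander covers only the %{attr}, %{x:-alt} and %l constructs that row 29 uses; the attribute values and the request time are constructed inputs.

```python
# Added model of the quoting issue in this report; it is not FreeRADIUS code.
# value_for_xlat() mimics the T_BACK_QUOTED_STRING path visible in the diff,
# xlat() is a minimal expander for the constructs the row 29 value uses.
ROW_29_VALUE = ("`ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-"        # constructed
                "%{%{SQL-Group}:-%{%{User-Name}:-None}}-%l`")      # copy of row 29

def value_for_xlat(raw, patched):
    """(do_xlat, value) for one row[3].  Unpatched: a back-quoted string sets
    do_xlat and falls through to 'default', so the quotes stay in the value.
    Patched: the quotes are stripped before the string reaches xlat."""
    if len(raw) >= 2 and raw[0] == raw[-1] == "`":
        return True, (raw[1:-1] if patched else raw)
    return False, raw

def _expand_braced(body, attrs, now):
    """Inside of %{...}: 'x:-alt' at depth 0 is x if non-empty, else alt; a bare name is a lookup."""
    depth = 0
    for k in range(len(body) - 1):
        depth += {"{": 1, "}": -1}.get(body[k], 0)
        if depth == 0 and body[k:k + 2] == ":-":
            primary = xlat(body[:k], attrs, now)
            return primary or xlat(body[k + 2:], attrs, now)
    return attrs.get(body, "")

def xlat(s, attrs, now):
    """Expand %{...} and %l (request time, epoch seconds); anything else, a stray back-quote included, is literal."""
    out, i = [], 0
    while i < len(s):
        if s.startswith("%{", i):
            depth, j = 0, i + 1
            while True:                       # find the matching '}'
                depth += {"{": 1, "}": -1}.get(s[j], 0)   # IndexError if unbalanced
                if depth == 0:
                    break
                j += 1
            out.append(_expand_braced(s[i + 2:j], attrs, now))
            i = j + 1
        elif s.startswith("%l", i):
            out.append(str(now))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

def reply_value(raw, attrs, now, patched):
    """The string rlm_sql would place in the reply attribute for this row."""
    do_xlat, value = value_for_xlat(raw, patched)
    return xlat(value, attrs, now) if do_xlat else value
```

With SQL-Group set to "ras" and the request time 1482223066, the unpatched path yields the back-quoted reply seen in the first debug output and the patched path the bare ACL name seen in the second.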

