Allow overriding session-timeout from radius

src/auth/radius.c

@@ -48,7 +48,7 @@
 
 static rc_handle *rh = NULL;
 static char nas_identifier[64];
-static unsigned override_interim_updates = 0;
+static unsigned override_config = 0;
 
 static void radius_global_init(void *pool, void *additional)
 {
@@ -62,7 +62,8 @@ static void radius_global_init(void *pool, void *additional)
 		goto fail;
 	}
 
-	override_interim_updates = config->override_interim_updates;
+	if (config->no_override_config == 0)
+		override_config = 1;
 
 	if (config->nas_identifier) {
 		strlcpy(nas_identifier, config->nas_identifier, sizeof(nas_identifier));
@@ -338,8 +339,10 @@ static int radius_auth_pass(void *ctx, const char *pass, unsigned pass_len)
 			} else if (vp->attribute == PW_FRAMED_IPV6_ROUTE && vp->type == PW_TYPE_STRING) {
 				/* Framed-IPv6-Route */
 				append_route(pctx, vp->strvalue, vp->lvalue);
-			} else if (vp->attribute == PW_INTERIM_INTERVAL && vp->type == PW_TYPE_INTEGER) {
+			} else if (vp->attribute == PW_INTERIM_INTERVAL && vp->type == PW_TYPE_INTEGER && override_config != 0) {
 				pctx->interim_interval_secs = vp->lvalue;
+			} else if (vp->attribute == PW_SESSION_TIMEOUT && vp->type == PW_TYPE_INTEGER && override_config != 0) {
+				pctx->session_timeout_secs = vp->lvalue;
 			} else {
 				syslog(LOG_DEBUG, "radius-auth: ignoring server's value %u of type %u", (int)vp->attribute, (int)vp->type);
 			}
@@ -390,15 +393,6 @@ static void radius_auth_deinit(void *ctx)
 	talloc_free(pctx);
 }
 
-static int radius_interim_update(void *ctx)
-{
-	struct radius_ctx_st *pctx = ctx;
-	if (override_interim_updates)
-		return 0;
-	else
-		return pctx->interim_interval_secs;
-}
-
 const struct auth_mod_st radius_auth_funcs = {
 	.type = AUTH_TYPE_RADIUS | AUTH_TYPE_USERNAME_PASS,
 	.allows_retries = 1,
@@ -410,7 +404,6 @@ const struct auth_mod_st radius_auth_funcs = {
 	.auth_pass = radius_auth_pass,
 	.auth_user = radius_auth_user,
 	.auth_group = radius_auth_group,
-	.get_interim_update = radius_interim_update,
 	.group_list = NULL
 };
 

src/auth/radius.h

@@ -30,7 +30,8 @@ struct radius_ctx_st {
 
 	char remote_ip[MAX_IP_STR];
 	char our_ip[MAX_IP_STR];
-	int interim_interval_secs;
+	unsigned interim_interval_secs;
+	unsigned session_timeout_secs;
 
 	/* variables for configuration */
 	char ipv4[MAX_IP_STR];

src/cfg.h

@@ -37,7 +37,7 @@ typedef struct gssapi_cfg_st {
 typedef struct radius_cfg_st {
 	char *config;
 	char *nas_identifier;
-	unsigned override_interim_updates;
+	unsigned no_override_config;
 } radius_cfg_st;
 
 typedef struct plain_cfg_st {

src/ipc.proto

@@ -79,6 +79,7 @@ message auth_reply_msg
 	repeated string no_routes = 29;
 	required bytes sid = 30;
 	optional uint32 interim_update_secs = 31;
+	optional uint32 session_timeout_secs = 32;
 }
 
 /* RESUME_FETCH_REQ + RESUME_DELETE_REQ */
@@ -258,6 +259,7 @@ message sec_auth_session_reply_msg
 {
 	required AUTH_REP reply = 1;
 	optional uint32 interim_update_secs = 2;
+	optional uint32 session_timeout_secs = 3;
 
 	/* sup - config */
 	optional bool no_udp = 10;

src/main-auth.c

@@ -97,9 +97,14 @@ int send_cookie_auth_reply(main_server_st* s, struct proc_st* proc,
 			msg.has_ipv6_prefix = 1;
 		}
 
-		if (proc->interim_update_secs) {
+		if (proc->config.interim_update_secs) {
 			msg.has_interim_update_secs = 1;
-			msg.interim_update_secs = proc->interim_update_secs;
+			msg.interim_update_secs = proc->config.interim_update_secs;
+		}
+
+		if (proc->config.session_timeout_secs) {
+			msg.has_session_timeout_secs = 1;
+			msg.session_timeout_secs = proc->config.session_timeout_secs;
 		}
 
 		if (proc->config.rx_per_sec != 0) {

src/main-sec-mod-cmd.c

@@ -232,7 +232,10 @@ int session_open(main_server_st * s, struct proc_st *proc, const uint8_t *cookie
 	}
 
 	if (msg->has_interim_update_secs)
-		proc->interim_update_secs = msg->interim_update_secs;
+		proc->config.interim_update_secs = msg->interim_update_secs;
+
+	if (msg->has_session_timeout_secs)
+		proc->config.session_timeout_secs = msg->session_timeout_secs;
 
 	/* fill in group_cfg_st */
 	if (msg->has_no_udp)

src/main.h

@@ -132,9 +132,6 @@ typedef struct proc_st {
 
 	unsigned status; /* PS_AUTH_ */
 	unsigned resume_reqs; /* the number of requests received */
-	/* the number of secs to send interim updates. If set, it overrides
-	 * stats-report-time. */
-	unsigned interim_update_secs;
 
 	/* these are filled in after the worker process dies, using the
 	 * Cli stats message. */

src/ocserv-args.def

@@ -94,11 +94,12 @@ An example configuration file follows.
 # One entry must be listed per line, and 'ocpasswd' should be used
 # to generate password entries.
 #
-# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name,override-interim-updates=false]:
+# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name,override-config=false]:
 #  The radius option requires specifying freeradius-client configuration
 # file. If the groupconfig option is set, then config-per-user will be overriden,
-# and all configuration will be read from radius. The 'override-interim-updates' if set to
-# true will ignore Acct-Interim-Interval from the server and 'stats-report-time' will be considered.
+# and all configuration will be read from radius. The 'override-config' if set to
+# false will ignore Acct-Interim-Interval, Session-Timeout from the server and only the
+# configured values will be considered.
 #
 # The supported atributes for radius configuration are:
 # Group-Name, Framed-IPv6-Address, Framed-IPv6-Prefix, DNS-Server-IPv6-Address,

src/sec-mod-auth.c

@@ -480,12 +480,6 @@ int handle_sec_auth_session_open(sec_mod_st *sec, int fd, const SecAuthSessionMs
 		}
 	}
 
-	if (e->module && e->module->get_interim_update) {
-		rep.interim_update_secs = e->module->get_interim_update(e->auth_ctx);
-		if (rep.interim_update_secs > 0)
-			rep.has_interim_update_secs = 1;
-	}
-
 	ret = send_msg(lpool, fd, SM_CMD_AUTH_SESSION_REPLY, &rep,
 			(pack_size_func) sec_auth_session_reply_msg__get_packed_size,
 			(pack_func) sec_auth_session_reply_msg__pack);

src/sec-mod-auth.h

@@ -43,7 +43,6 @@ typedef struct auth_mod_st {
 	int (*auth_pass)(void* ctx, const char* pass, unsigned pass_len);
 	int (*auth_group)(void* ctx, const char *suggested, char *groupname, int groupname_size);
 	int (*auth_user)(void* ctx, char *groupname, int groupname_size);
-	int (*get_interim_update)(void* ctx);
 
 	void (*auth_deinit)(void* ctx);
 	void (*group_list)(void *pool, void *additional, char ***groupname, unsigned *groupname_size);

src/subconfig.c

@@ -230,8 +230,8 @@ void *radius_get_brackets_string(struct perm_cfg_st *config, const char *str)
 			} else if (c_strcasecmp(vals[i].name, "nas-identifier") == 0) {
 				additional->nas_identifier = vals[i].value;
 				vals[i].value = NULL;
-			} else if (c_strcasecmp(vals[i].name, "override-interim-updates") == 0) {
-				additional->override_interim_updates = CHECK_TRUE(vals[i].value);
+			} else if (c_strcasecmp(vals[i].name, "override-config") == 0) {
+				additional->no_override_config = 1-CHECK_TRUE(vals[i].value);
 			} else if (c_strcasecmp(vals[i].name, "groupconfig") == 0) {
 				if (CHECK_TRUE(vals[i].value))
 					config->sup_config_type = SUP_CONFIG_RADIUS;

src/sup-config/radius.c

@@ -47,6 +47,14 @@ static int get_sup_config(struct cfg_st *cfg, client_entry_st *entry,
 	if (pctx == NULL)
 		return 0;
 
+	msg->interim_update_secs = pctx->interim_interval_secs;
+	if (msg->interim_update_secs > 0)
+		msg->has_interim_update_secs = 1;
+
+	msg->session_timeout_secs = pctx->session_timeout_secs;
+	if (msg->session_timeout_secs > 0)
+		msg->has_session_timeout_secs = 1;
+
 	if (pctx->ipv4[0] != 0) {
 		msg->explicit_ipv4 = talloc_strdup(pool, pctx->ipv4);
 	}

src/vpn.h

@@ -214,6 +214,11 @@ struct group_cfg_st {
 	size_t rx_per_sec;
 	size_t tx_per_sec;
 
+	/* the number of secs to send interim updates. If set, it overrides
+	 * stats-report-time. */
+	unsigned interim_update_secs;
+	unsigned session_timeout_secs;
+
 	unsigned deny_roaming; /* whether the user is allowed to re-use cookies from another IP */
 	unsigned net_priority;
 	unsigned no_udp; /* whether to disable UDP for this user */

src/worker-auth.c

@@ -561,6 +561,12 @@ static int recv_cookie_auth_reply(worker_st * ws)
 				ws->config->stats_report_time = msg->interim_update_secs;
 			}
 
+			if (msg->has_session_timeout_secs) {
+				oclog(ws, LOG_DEBUG, "overriding session-timeout with auth server's value (%u)",
+				      (unsigned)msg->session_timeout_secs);
+				ws->config->session_timeout = msg->session_timeout_secs;
+			}
+
 			if (msg->ipv4 != NULL) {
 				talloc_free(ws->vinfo.ipv4);
 				if (strcmp(msg->ipv4, "0.0.0.0") == 0)