From 2668fe63b4faf0e8216d1f1fde680726c72fc5f6 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Mon, 19 May 2014 19:56:42 +0200
Subject: [PATCH] Added the default-select-group directive.
---
 doc/sample.config | 4 ++++
 src/config.c | 3 +++
 src/ocserv-args.def | 4 ++++
 src/vpn.h | 1 +
 src/worker-auth.c | 14 ++++++++++++--
 5 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/doc/sample.config b/doc/sample.config
index 93a2f12b..bf69ef1e 100644
--- a/doc/sample.config
+++ b/doc/sample.config
@@ -279,6 +279,10 @@ route = 192.168.5.0/255.255.255.0
 #select-group = group2
 #select-group = tost
+# The name of the group that if selected it would allow to use
+# the assigned by default group.
+#default-select-group = DEFAULT
+
 # Instead of specifying manually all the allowed groups, you may instruct
 # ocserv to scan all available groups and include the full list. That
 # option is only functional on plain authentication.
diff --git a/src/config.c b/src/config.c
index 9e982dd7..f3c56b77 100644
--- a/src/config.c
+++ b/src/config.c
@@ -84,6 +84,7 @@ static struct cfg_options available_options[] = {
 { .name = "banner", .type = OPTION_STRING, .mandatory = 0 },
 { .name = "predictable-ips", .type = OPTION_BOOLEAN, .mandatory = 0 },
 { .name = "auto-select-group", .type = OPTION_BOOLEAN, .mandatory = 0 },
+ { .name = "default-select-group", .type = OPTION_STRING, .mandatory = 0 },
 /* this is alias for cisco-client-compat */
 { .name = "always-require-cert", .type = OPTION_BOOLEAN, .mandatory = 0 },
 { .name = "cisco-client-compat", .type = OPTION_BOOLEAN, .mandatory = 0 },
@@ -500,6 +501,7 @@ unsigned force_cert_auth;
 }
 }
+ READ_STRING("default-select-group", config->default_select_group);
 READ_TF("auto-select-group", auto_select_group, 0);
 if (auto_select_group != 0 && amod != NULL && amod->group_list != NULL) {
 amod->group_list(config, config->plain_passwd, &config->group_list, &config->group_list_size);
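Review bot: `READ_STRING("default-select-group", config->default_select_group);` accepts any name without checking it against the group list, yet the post_auth_handler hunk (at @@ -859) skips setting `ws->groupname` whenever the submitted name equals it, so a value that also appears among the `select-group` entries or the list filled by `amod->group_list(...)` would make that real group unselectable, and the get_auth_handler2 hunk (at @@ -157) would list the same name twice in the form. Validating once here, after `amod->group_list(...)` has populated `config->group_list`, would surface the misconfiguration at startup: loop over `config->group_list` and report a configuration error on a `strcmp` match against `config->default_select_group`. The enclosing function starts before and continues after this hunk, so the loop index and the error-reporting convention it uses are not visible from the hunk.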
@@ -709,6 +711,7 @@ unsigned i;
 for (i=0;igroup_list_size;i++)
 DEL(config->group_list[i]);
 DEL(config->group_list);
+ DEL(config->default_select_group);
 #ifdef HAVE_LIBTALLOC /* our included talloc don't include that */
 talloc_free_children(config);
diff --git a/src/ocserv-args.def b/src/ocserv-args.def
index 0bd689af..9f98c6ff 100644
--- a/src/ocserv-args.def
+++ b/src/ocserv-args.def
@@ -352,6 +352,10 @@ route = 192.168.5.0/255.255.255.0
 #select-group = group1
 #select-group = group2
+# The name of the group that if selected it would allow to use
+# the assigned by default group.
+#default-select-group = DEFAULT
+
 # Instead of specifying manually all the allowed groups, you may instruct
 # ocserv to scan all available groups and include the full list. That
 # option is only functional on plain authentication.
diff --git a/src/vpn.h b/src/vpn.h
index 3ecba58a..ac2a5319 100644
--- a/src/vpn.h
+++ b/src/vpn.h
@@ -201,6 +201,7 @@ struct cfg_st {
 char **group_list; /* select_group */
 unsigned int group_list_size;
+ char *default_select_group;
 char **custom_header;
 unsigned custom_header_size;;
diff --git a/src/worker-auth.c b/src/worker-auth.c
index 7ac6e6d3..d099d45d 100644
--- a/src/worker-auth.c
+++ b/src/worker-auth.c
@@ -157,6 +157,15 @@ int get_auth_handler2(worker_st * ws, unsigned http_ver, const char *pmsg)
 goto cleanup;
 }
+ if (ws->config->default_select_group) {
+ snprintf(temp, sizeof(temp), "\n", ws->config->default_select_group);
+ ret = str_append_str(&str, temp);
+ if (ret < 0) {
+ ret = -1;
+ goto cleanup;
+ }
+ }
+
 for (i=0;iconfig->group_list_size;i++) {
 snprintf(temp, sizeof(temp), "\n", ws->config->group_list[i]);
 ret = str_append_str(&str, temp);
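Review bot: The nine lines added to get_auth_handler2 repeat the body of the `for` loop that follows them (snprintf into `temp`, `str_append_str`, error check), and both copies discard snprintf's return value, so a `default-select-group` name longer than `temp` would be silently truncated into a malformed element instead of being rejected. Assigning the snprintf result to `ret` and treating `ret < 0 || (size_t)ret >= sizeof(temp)` as a failure before the append would close that for the new block; a small static helper that formats and appends one group name would let both call sites share the check rather than duplicating it. The declaration of `temp` and the rest of get_auth_handler2 are outside the hunk, and the format string appears here as `"\n"`, which looks like markup lost in rendering rather than the committed text, so the truncation point cannot be judged from this page.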
@@ -859,12 +868,13 @@ int post_auth_handler(worker_st * ws, unsigned http_ver)
 &groupname);
 if (ret < 0) {
 oclog(ws, LOG_DEBUG, "failed reading groupname");
- } else {
+ } else if (ws->config->default_select_group == NULL ||
+ strcmp(groupname, ws->config->default_select_group) != 0) {
 snprintf(ws->groupname, sizeof(ws->groupname), "%s", groupname);
 ireq.group_name = ws->groupname;
- talloc_free(groupname);
 }
+ talloc_free(groupname);
 ret = parse_reply(ws, req->body, req->body_length, USERNAME_FIELD, sizeof(USERNAME_FIELD)-1,