parent
0d24782691
commit
d63de520c9
@ -0,0 +1,55 @@
|
||||
const User = require('../../models/auth/User.model')
|
||||
const Client = require('../../models/radius/Client.model')
|
||||
const Application = require('../../models/Application.model')
|
||||
const Policy = require('../../models/iam/Policy.model')
|
||||
|
||||
/**
|
||||
* @implements IAuthentication from radius-server
|
||||
*/
|
||||
class CoreIDAuthentication {
|
||||
async authenticate(username, password, packet) {
|
||||
// We only allow client-specific secrets to authenticate
|
||||
if ( !packet || !packet.secret ) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Try to look up the client
|
||||
const client = await Client.findOne({
|
||||
active: true,
|
||||
secret: packet.secret,
|
||||
})
|
||||
if ( !client ) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Try to look up the associated application
|
||||
const application = await Application.findOne({
|
||||
radius_client_ids: client.id,
|
||||
})
|
||||
if ( !application ) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Try to look up the user
|
||||
/** @var {User} */
|
||||
const user = await User.findByLogin(username)
|
||||
if ( !user ) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Validate the incoming credential
|
||||
if ( !(await user.check_credential_string(password)) ) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Don't allow login if the user has a trap set
|
||||
if ( user.trap ) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Check the IAM policy engine to make sure the user can access this resource
|
||||
return Policy.check_user_access(user, application.id)
|
||||
}
|
||||
}
|
||||
|
||||
module.exports = exports = CoreIDAuthentication
|
@ -0,0 +1,28 @@
|
||||
import radius from 'radius'
|
||||
import { RadiusServer } from '@coreid/radius-server'
|
||||
import RadiusClient from '../../models/radius/Client.model.js'
|
||||
import CoreIDUserPasswordPacketHandler from './CoreIDUserPasswordPacketHandler.mjs'
|
||||
|
||||
export default class CoreIDRadiusServer extends RadiusServer {
|
||||
|
||||
// constructor(options) {
|
||||
// super(options)
|
||||
// this.packetHandler.packetHandlers.pop()
|
||||
// this.packetHandler.packetHandlers.push(new CoreIDUserPasswordPacketHandler(options.authentication, this.logger))
|
||||
// console.log(this.packetHandler.packetHandlers)
|
||||
// }
|
||||
|
||||
async decodeMessage(msg) {
|
||||
const clients = await RadiusClient.find({ active: true })
|
||||
for ( const client of clients ) {
|
||||
try {
|
||||
const packet = radius.decode({ packet: msg, secret: client.secret })
|
||||
packet.secret = client.secret
|
||||
return packet
|
||||
} catch (e) {
|
||||
console.error(e)
|
||||
}
|
||||
}
|
||||
throw new Error('Unable to determine client to decode RADIUS packet: is the client active?')
|
||||
}
|
||||
}
|
@ -0,0 +1,40 @@
|
||||
import { UserPasswordPacketHandler } from '@coreid/radius-server/dist/radius/handler/UserPasswordPacketHandler.js'
|
||||
|
||||
export default class CoreIDUserPasswordPacketHandler extends UserPasswordPacketHandler {
|
||||
async handlePacket(packet) {
|
||||
console.log('coreid user password packet handler handlePacket', packet)
|
||||
const username = packet.attributes['User-Name'];
|
||||
let password = packet.attributes['User-Password'];
|
||||
|
||||
if (Buffer.isBuffer(password) && password.indexOf(0x00) > 0) {
|
||||
// check if there is a 0x00 in it, and trim it from there
|
||||
password = password.slice(0, password.indexOf(0x00));
|
||||
}
|
||||
|
||||
if (!username || !password) {
|
||||
// params missing, this handler cannot continue...
|
||||
return {};
|
||||
}
|
||||
|
||||
this.logger.debug('username', username, username.toString());
|
||||
this.logger.debug('token', password, password.toString());
|
||||
console.log('client', packet.__coreid_client)
|
||||
|
||||
const authenticated = await this.authentication.authenticate(
|
||||
username.toString(),
|
||||
password.toString()
|
||||
);
|
||||
if (authenticated) {
|
||||
// success
|
||||
return {
|
||||
code: 'Access-Accept',
|
||||
attributes: [['User-Name', username]],
|
||||
};
|
||||
}
|
||||
|
||||
// Failed
|
||||
return {
|
||||
code: 'Access-Reject',
|
||||
};
|
||||
}
|
||||
}
|
Loading…
Reference in new issue