Implement better radius support

This commit is contained in:
Garrett Mills 2022-10-26 13:45:05 -05:00
parent 0d24782691
commit d63de520c9
11 changed files with 2332 additions and 2319 deletions

2
.gitignore vendored
View File

@ -1,3 +1,5 @@
*.conf
# ---> Node
# Logs
logs

View File

@ -44,7 +44,7 @@ const FlitterUnits = {
'LDAPController': require('./app/unit/LDAPControllerUnit'),
'LDAPRoutingUnit': require('./app/unit/LDAPRoutingUnit'),
'OpenIDConnect' : require('./app/unit/OpenIDConnectUnit'),
// 'Radius' : require('./app/unit/RadiusUnit'),
'Radius' : require('./app/unit/RadiusUnit'),
/*
* The Core Flitter Units

View File

@ -0,0 +1,55 @@
const User = require('../../models/auth/User.model')
const Client = require('../../models/radius/Client.model')
const Application = require('../../models/Application.model')
const Policy = require('../../models/iam/Policy.model')
/**
* @implements IAuthentication from radius-server
*/
class CoreIDAuthentication {
async authenticate(username, password, packet) {
// We only allow client-specific secrets to authenticate
if ( !packet || !packet.secret ) {
return false;
}
// Try to look up the client
const client = await Client.findOne({
active: true,
secret: packet.secret,
})
if ( !client ) {
return false;
}
// Try to look up the associated application
const application = await Application.findOne({
radius_client_ids: client.id,
})
if ( !application ) {
return false;
}
// Try to look up the user
/** @var {User} */
const user = await User.findByLogin(username)
if ( !user ) {
return false;
}
// Validate the incoming credential
if ( !(await user.check_credential_string(password)) ) {
return false;
}
// Don't allow login if the user has a trap set
if ( user.trap ) {
return false;
}
// Check the IAM policy engine to make sure the user can access this resource
return Policy.check_user_access(user, application.id)
}
}
module.exports = exports = CoreIDAuthentication

View File

@ -0,0 +1,28 @@
import radius from 'radius'
import { RadiusServer } from '@coreid/radius-server'
import RadiusClient from '../../models/radius/Client.model.js'
import CoreIDUserPasswordPacketHandler from './CoreIDUserPasswordPacketHandler.mjs'
export default class CoreIDRadiusServer extends RadiusServer {
// constructor(options) {
// super(options)
// this.packetHandler.packetHandlers.pop()
// this.packetHandler.packetHandlers.push(new CoreIDUserPasswordPacketHandler(options.authentication, this.logger))
// console.log(this.packetHandler.packetHandlers)
// }
async decodeMessage(msg) {
const clients = await RadiusClient.find({ active: true })
for ( const client of clients ) {
try {
const packet = radius.decode({ packet: msg, secret: client.secret })
packet.secret = client.secret
return packet
} catch (e) {
console.error(e)
}
}
throw new Error('Unable to determine client to decode RADIUS packet: is the client active?')
}
}

View File

@ -0,0 +1,40 @@
import { UserPasswordPacketHandler } from '@coreid/radius-server/dist/radius/handler/UserPasswordPacketHandler.js'
export default class CoreIDUserPasswordPacketHandler extends UserPasswordPacketHandler {
async handlePacket(packet) {
console.log('coreid user password packet handler handlePacket', packet)
const username = packet.attributes['User-Name'];
let password = packet.attributes['User-Password'];
if (Buffer.isBuffer(password) && password.indexOf(0x00) > 0) {
// check if there is a 0x00 in it, and trim it from there
password = password.slice(0, password.indexOf(0x00));
}
if (!username || !password) {
// params missing, this handler cannot continue...
return {};
}
this.logger.debug('username', username, username.toString());
this.logger.debug('token', password, password.toString());
console.log('client', packet.__coreid_client)
const authenticated = await this.authentication.authenticate(
username.toString(),
password.toString()
);
if (authenticated) {
// success
return {
code: 'Access-Accept',
attributes: [['User-Name', username]],
};
}
// Failed
return {
code: 'Access-Reject',
};
}
}

View File

@ -59,34 +59,8 @@ class LDAPController extends Injectable {
return next(new LDAP.InsufficientAccessRightsError())
}
// Check if the credentials are an app_password
const app_password_verified = Array.isArray(item.app_passwords)
&& item.app_passwords.length > 0
&& await item.check_app_password(req.credentials)
// Check if the user has MFA enabled.
// If so, split the incoming password to fetch the MFA code
// e.g. normalPassword:123456
if ( !app_password_verified && item.mfa_enabled ) {
const parts = req.credentials.split(':')
const mfa_code = parts.pop()
const actual_password = parts.join(':')
// Check the credentials
if ( !await item.check_password(actual_password) ) {
this.output.debug(`Bind failure: user w/ MFA provided invalid credentials`)
return next(new LDAP.InvalidCredentialsError('Invalid credentials. Make sure MFA code is included at the end of your password (e.g. password:123456)'))
}
// Now, check the MFA code
if ( !item.mfa_token.verify(mfa_code) ) {
this.output.debug(`Bind failure: user w/ MFA provided invalid MFA token`)
return next(new LDAP.InvalidCredentialsError('Invalid credentials. Verification of the MFA token failed.'))
}
// If not MFA, just check the credentials
} else if (!app_password_verified && !await item.check_password(req.credentials)) {
this.output.debug(`Bind failure: user w/ simple auth provided invalid credentials`)
// Check if the credentials are valid
if ( !(await item.check_credential_string(req.credentials)) ) {
return next(new LDAP.InvalidCredentialsError())
}

View File

@ -155,6 +155,38 @@ class User extends AuthUser {
await this.save()
}
async check_credential_string(credential) {
// Check if the credentials are an app_password
const app_password_verified = Array.isArray(this.app_passwords)
&& this.app_passwords.length > 0
&& await this.check_app_password(credential)
// Check if the user has MFA enabled.
// If so, split the incoming password to fetch the MFA code
// e.g. normalPassword:123456
if ( !app_password_verified && this.mfa_enabled ) {
const parts = credential.split(':')
const mfa_code = parts.pop()
const actual_password = parts.join(':')
// Check the credentials
if ( !await this.check_password(actual_password) ) {
return false
}
// Now, check the MFA code
if ( !this.mfa_token.verify(mfa_code) ) {
return false
}
// If not MFA, just check the credentials
} else if (!app_password_verified && !await this.check_password(credential)) {
return false
}
return true
}
async check_password(password) {
return this.get_provider().check_user_auth(this, password)
}

View File

@ -1,185 +1,47 @@
const fs = require('fs/promises')
const uuid = require('uuid')
const { Unit } = require('libflitter')
const fs = require('fs')
const radius = require('radius')
const CoreIDAuthentication = require('../classes/radius/CoreIDAuthentication')
const net = require("net");
const uuid = require('uuid').v4
/**
* Unit that provides a CoreID IAM-integrated RADIUS server.
*/
class RadiusUnit extends Unit {
static get services() {
return [...super.services, 'configs', 'output', 'models']
}
getPacketDecoder() {
const RadiusClient = this.models.get('radius:Client')
return async (msg) => {
const clients = await RadiusClient.find({ active: true })
// Try the secrets for all active clients.
// If we can successfully decode the packet with a client's secret, then we know
// that the message came from that client.
let authenticatedClient
let packet
for ( const client of clients ) {
try {
packet = radius.decode({ packet: msg, secret: client.secret })
authenticatedClient = client
break
} catch (e) {}
}
packet.credentialMiddleware = (username, password) => {
this.output.debug(`Called credential middleware: ${username}`)
return [`${username}@${authenticatedClient.id}`, password]
}
return {
packet,
secret: authenticatedClient.secret || '',
}
}
}
async go(app) {
if ( !(await this.port_free()) ) {
this.output.info('RADIUS server port is in use. Will not start!')
return
}
if ( !this.configs.get('radius.enable') ) return;
const config = this.getConfig()
const packageInterface = require('@coreid/radius-server/dist/interface').default.get()
packageInterface.setConfig(config)
packageInterface.packetDecoder = this.getPacketDecoder()
packageInterface.log = (...any) => any.forEach(x => this.output.info(x))
const CoreIDRadiusServer = (await import('../classes/radius/CoreIDRadiusServer.mjs')).default
const { RadiusServer } = require('@coreid/radius-server/dist/radius/RadiusServer')
const server = RadiusServer.get()
// Load the certificates
const pubkey = await fs.readFile(this.configs.get('radius.cert_file.public'))
const privkey = await fs.readFile(this.configs.get('radius.cert_file.private'))
await server.up()
this.output.success('Started RADIUS server!')
// await packageInterface.up()
// Overwrite radius-server's global config object with the user-provided values
/*const radiusConfig = require('radius-server/config')
for ( const key in config ) {
if ( !Object.hasOwnProperty.apply(config, [key]) ) continue
radiusConfig[key] = config[key]
}*/
/*const { Authentication } = require('radius-server/dist/auth')
const { UDPServer } = require('radius-server/dist/server/UDPServer')
const { RadiusService } = require('radius-server/dist/radius/RadiusService')
this.output.info('Starting RADIUS server...')
// Create the authenticator instance
const AuthMechanismus = require(`radius-server/dist/auth/${config.authentication}`)[config.authentication]
const auth = new AuthMechanismus(config.authenticationOptions)
const authentication = new Authentication(auth)
this.server = new UDPServer(config.port)
this.radiusService = new RadiusService(config.secret, authentication)
// Define the server handler
this.server.on('message', async (msg, rinfo) => {
this.output.debug('Incoming RADIUS message...')
const response = await this.handleMessage(msg)
if ( response ) {
this.output.debug('Sending response...')
this.server.sendToClient(
response.data,
rinfo.port,
rinfo.address,
(err, _bytes) => {
if ( err ) {
this.output.error(`Error sending response to:`)
this.output.error(rinfo)
}
},
response.expectAcknowledgment
)
}
this.radius = new CoreIDRadiusServer({
// logger
secret: this.configs.get('radius.secret', uuid.v4()),
port: this.configs.get('radius.port', 1812),
address: this.configs.get('radius.interface', '0.0.0.0'),
tlsOptions: {
cert: pubkey,
key: privkey,
},
authentication: new CoreIDAuthentication(),
})
// Start the radius server
await this.server.start()
this.output.success('Started RADIUS server!')*/
if ( await this.port_free() ) {
this.output.info('Starting RADIUS server...')
await this.radius.start()
} else {
this.output.error('Will not start RADIUS server. Reason: configured port is already in use')
delete this.radius
}
}
async cleanup(app) {
const { RadiusServer } = require('@coreid/radius-server/dist/radius/RadiusServer')
const server = RadiusServer.get()
await server.down()
// const packageInterface = require('@coreid/radius-server/dist/interface').get()
// await packageInterface.down()
/*if ( this.server ) {
// radius-server doesn't expose a "close" method explicitly, which is annoying
// instead, reach in and close the internal UDP socket
this.server.server.close()
}*/
}
/**
* Handle an incoming radius request message.
* @param msg
* @returns {Promise<{expectAcknowledgment: boolean, data: *}|undefined>}
*/
async handleMessage(msg) {
const RadiusClient = this.models.get('radius:Client')
const clients = await RadiusClient.find({ active: true })
// Try the secrets for all active clients.
// If we can successfully decode the packet with a client's secret, then we know
// that the message came from that client.
let authenticatedClient
let packet
for ( const client of clients ) {
try {
packet = radius.decode({ packet: msg, secret: this.getConfig().secret /*client.secret*/ })
authenticatedClient = client
break
} catch (e) {}
}
if (packet.code !== 'Access-Request') {
console.error('unknown packet type: ', packet.code)
return
}
// Include the RADIUS Client ID in the username so we can parse it out in the controller
// This allows us to check IAM access in the controller
packet.attributes['User-Name'] = `${packet.attributes['User-Name']}@${authenticatedClient.id}`
this.output.info(`RADIUS auth attempt: ${packet.attributes['User-Name']}`)
this.output.debug(packet)
const response = await this.radiusService.packetHandler.handlePacket(packet)
// still no response, we are done here
if (!response || !response.code) {
this.output.debug(`RADIUS error: no response / response code`)
this.output.debug(response)
return
}
// all fine, return radius encoded response
return {
data: radius.encode_response({
packet,
code: response.code,
secret: this.getConfig().secret, // authenticatedClient.secret, // use the client's secret to encode the response
attributes: response.attributes,
}),
// if message is accept or reject, we conside this as final message
// this means we do not expect a reponse from the client again (acknowledgement for package)
expectAcknowledgment: response.code === 'Access-Challenge',
if ( this.radius ) {
await this.radius.server.close()
}
}
@ -193,37 +55,9 @@ class RadiusUnit extends Unit {
server.close()
res(true)
})
server.listen(this.getConfig().port)
server.listen(this.configs.get('radius.port', 1812))
})
}
getConfig() {
const baseUrl = this.configs.get('app.url')
const config = {
port: this.configs.get('radius.port', 1812),
secret: 'testing123', // uuid(), // this is never used - client-specific secrets are injected instead
certificate: {
cert: fs.readFileSync(this.configs.get('radius.cert_file.public')),
key: [
{
pem: fs.readFileSync(this.configs.get('radius.cert_file.private')),
},
],
},
authentication: 'HTTPAuth',
authenticationOptions: {
url: `${baseUrl}api/v1/radius/attempt`,
},
}
const passphrase = this.configs.get('saml.cert_file.passphrase')
if ( passphrase ) {
config.certificate.key[0].passphrase = passphrase
}
return config
}
}
module.exports = exports = RadiusUnit

View File

@ -1,5 +1,10 @@
const uuid = require('uuid')
const radius_config = {
enable: env('RADIUS_ENABLE', false),
port: env('RADIUS_PORT', 1812),
interface: env('RADIUS_INTERFACE', '0.0.0.0'),
secret: env('RADIUS_SECRET', uuid.v4()),
cert_file: {
public: env('RADIUS_CERT_FILE'),

View File

@ -20,7 +20,7 @@
"author": "Garrett Mills <garrett@glmdev.tech> (https://garrettmills.dev/)",
"license": "MIT",
"dependencies": {
"@coreid/radius-server": "^1.2.6",
"@coreid/radius-server": "^2.2.2",
"bullmq": "^1.8.8",
"email-validator": "^2.0.4",
"flitter-auth": "^0.19.6",

4233
yarn.lock

File diff suppressed because it is too large Load Diff