parent
0d24782691
commit
d63de520c9
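--- /dev/null
+++ b/CoreIDAuthentication.js
@@ -0,0 +1,55 @@
+const User = require('../../models/auth/User.model')
+const Client = require('../../models/radius/Client.model')
+const Application = require('../../models/Application.model')
+const Policy = require('../../models/iam/Policy.model')
+
+/**
+* @implements IAuthentication from radius-server
+*/
+class CoreIDAuthentication {
+async authenticate(username, password, packet) {
+// We only allow client-specific secrets to authenticate
+if ( !packet || !packet.secret ) {
+return false;
+}
+
+// Try to look up the client
+const client = await Client.findOne({
+active: true,
+secret: packet.secret,
+})
+if ( !client ) {
+return false;
+}
+
+// Try to look up the associated application
+const application = await Application.findOne({
+radius_client_ids: client.id,
+})
+if ( !application ) {
+return false;
+}
+
+// Try to look up the user
+/** @var {User} */
+const user = await User.findByLogin(username)
+if ( !user ) {
+return false;
+}
+
+// Validate the incoming credential
+if ( !(await user.check_credential_string(password)) ) {
+return false;
+}
+
+// Don't allow login if the user has a trap set
+if ( user.trap ) {
+return false;
+}
+
+// Check the IAM policy engine to make sure the user can access this resource
+return Policy.check_user_access(user, application.id)
+}
+}
+
+module.exports = exports = CoreIDAuthentication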
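--- /dev/null
+++ b/CoreIDRadiusServer.mjs
@@ -0,0 +1,28 @@
+import radius from 'radius'
+import { RadiusServer } from '@coreid/radius-server'
+import RadiusClient from '../../models/radius/Client.model.js'
+import CoreIDUserPasswordPacketHandler from './CoreIDUserPasswordPacketHandler.mjs'
+
+export default class CoreIDRadiusServer extends RadiusServer {
+
+// constructor(options) {
+// super(options)
+// this.packetHandler.packetHandlers.pop()
+// this.packetHandler.packetHandlers.push(new CoreIDUserPasswordPacketHandler(options.authentication, this.logger))
+// console.log(this.packetHandler.packetHandlers)
+// }
+
+async decodeMessage(msg) {
+const clients = await RadiusClient.find({ active: true })
+for ( const client of clients ) {
+try {
+const packet = radius.decode({ packet: msg, secret: client.secret })
+packet.secret = client.secret
+return packet
+} catch (e) {
+console.error(e)
+}
+}
+throw new Error('Unable to determine client to decode RADIUS packet: is the client active?')
+}
+}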
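--- /dev/null
+++ b/CoreIDUserPasswordPacketHandler.mjs
@@ -0,0 +1,40 @@
+import { UserPasswordPacketHandler } from '@coreid/radius-server/dist/radius/handler/UserPasswordPacketHandler.js'
+
+export default class CoreIDUserPasswordPacketHandler extends UserPasswordPacketHandler {
+async handlePacket(packet) {
+console.log('coreid user password packet handler handlePacket', packet)
+const username = packet.attributes['User-Name'];
+let password = packet.attributes['User-Password'];
+
+if (Buffer.isBuffer(password) && password.indexOf(0x00) > 0) {
+// check if there is a 0x00 in it, and trim it from there
+password = password.slice(0, password.indexOf(0x00));
+}
+
+if (!username || !password) {
+// params missing, this handler cannot continue...
+return {};
+}
+
+this.logger.debug('username', username, username.toString());
+this.logger.debug('token', password, password.toString());
+console.log('client', packet.__coreid_client)
+
+const authenticated = await this.authentication.authenticate(
+username.toString(),
+password.toString()
+);
+if (authenticated) {
+// success
+return {
+code: 'Access-Accept',
+attributes: [['User-Name', username]],
+};
+}
+
+// Failed
+return {
+code: 'Access-Reject',
+};
+}
+}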