const User = require('../../models/auth/User.model')
const Client = require('../../models/radius/Client.model')
const Application = require('../../models/Application.model')
const Policy = require('../../models/iam/Policy.model')

/**
 * RADIUS authentication backend for CoreID.
 *
 * Resolves the calling RADIUS client by its shared secret, the application
 * that client belongs to, and the user named in the request, then verifies
 * the supplied credential and asks the IAM policy engine about that
 * application. The lookups run in that fixed order and any miss
 * short-circuits to `false`, so an unknown or inactive client never causes a
 * user lookup or a credential check.
 *
 * @implements IAuthentication from radius-server
 */
class CoreIDAuthentication {
  /**
   * Decide whether a RADIUS access request should be accepted.
   *
   * @param {string} username login name carried in the request
   * @param {string} password credential string carried in the request
   *   (NOTE(review): assumed to be a plain string — confirm what radius-server
   *   passes for non-PAP methods)
   * @param {{ secret?: string }} packet decoded request; only `secret` is read
   * @returns {Promise<boolean>} `false` when any lookup or check fails,
   *   otherwise whatever `Policy.check_user_access` resolves to
   */
  async authenticate(username, password, packet) {
    // A request without a client secret can never match a client record
    if (!packet || !packet.secret) return false

    // Only an active client holding this exact shared secret may authenticate
    const radiusClient = await Client.findOne({ active: true, secret: packet.secret })
    if (!radiusClient) return false

    // The client must belong to an application; policy is later checked against it
    const app = await Application.findOne({ radius_client_ids: radiusClient.id })
    if (!app) return false

    // Resolve the user; unknown logins are refused before any credential work.
    // NOTE(review): this returns earlier than a wrong password does, so response
    // timing may differ between unknown and known logins — confirm acceptable
    /** @type {User} */
    const account = await User.findByLogin(username)
    if (!account) return false

    // Verify the presented credential against the stored one
    const credentialOk = await account.check_credential_string(password)
    if (!credentialOk) return false

    // A user with a trap set is denied even with a valid credential
    if (account.trap) return false

    // Final gate: the IAM policy engine decides access to this application
    return Policy.check_user_access(account, app.id)
  }
}

module.exports = exports = CoreIDAuthentication