fix: session resumptions + google ldap auth

4 years ago · 66fbcf4ca8
parent ab1ab1b130
commit 66fbcf4ca8
7 changed files with 777 additions and 1038 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,6 +2,13 @@

 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.

+### [1.1.6](https://github.com/simllll/node-radius-server/compare/v1.1.5...v1.1.6) (2020-08-05)
+
+
+### Bug Fixes
+
+* **google-auth:** search base must include ou ([a3ab393](https://github.com/simllll/node-radius-server/commit/a3ab393379be7f1b8b2f82347bbc4300b8db409d))
+
 ### [1.1.5](https://github.com/simllll/node-radius-server/compare/v1.1.4...v1.1.5) (2020-06-26)


--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@ -1,7 +1,7 @@
 {
 	"name": "radius-server",
 	"description": "radius server for google LDAP and TTLS",
-	"version": "1.1.5",
+	"version": "1.1.6",
 	"engines": {
 		"node": ">13.10.1"
 	},
@ -30,30 +30,30 @@
 	"preferGlobal": true,
 	"main": "dist/app.js",
 	"dependencies": {
-		"@hokify/node-ts-cache": "^5.1.7",
+		"@hokify/node-ts-cache": "^5.2.0",
 		"debug": "^4.1.1",
 		"imap-simple": "^5.0.0",
 		"ldapauth-fork": "^4.3.3",
-		"ldapjs": "^2.0.0",
+		"ldapjs": "^2.1.1",
 		"native-duplexpair": "^1.0.0",
-		"node-cache": "^5.1.1",
+		"node-cache": "^5.1.2",
 		"radius": "~1.1.4",
-		"smtp-client": "^0.3.1",
-		"yargs": "~15.3.1"
+		"smtp-client": "^0.3.2",
+		"yargs": "~15.4.1"
 	},
 	"license": "GPLv3",
 	"devDependencies": {
 		"ts-node": "^8.10.2",
-		"standard-version": "^8.0.0",
-		"@hokify/eslint-config": "^0.4.25",
-		"@types/chai": "^4.2.11",
-		"@types/ldapjs": "^1.0.8",
-		"@types/mocha": "^7.0.2",
+		"standard-version": "^8.0.2",
+		"@hokify/eslint-config": "^0.4.42",
+		"@types/chai": "^4.2.12",
+		"@types/ldapjs": "^1.0.9",
+		"@types/mocha": "^8.0.1",
 		"@types/radius": "0.0.28",
 		"chai": "^4.2.0",
-		"eslint": "^7.3.1",
-		"mocha": "^8.0.1",
+		"eslint": "^7.6.0",
+		"mocha": "^8.1.1",
 		"prettier": "^2.0.5",
-		"typescript": "^3.9.5"
+		"typescript": "^3.9.7"
 	}
 }
--- a/src/auth/GoogleLDAPAuth.ts
+++ b/src/auth/GoogleLDAPAuth.ts
@ -14,6 +14,7 @@ interface IGoogleLDAPAuthOptions {
 	/** base DN
 	 *  e.g. 'dc=hokify,dc=com', */
 	base: string;
+	searchBase?: string; // default ou=users,{{base}}
 	tls: {
 		keyFile: string;
 		certFile: string;
@ -35,8 +36,11 @@ export class GoogleLDAPAuth implements IAuthentication {

 	private config: ClientOptions;

+	searchBase: string;
+
 	constructor(config: IGoogleLDAPAuthOptions) {
 		this.base = config.base;
+		this.searchBase = config.searchBase || `ou=users,${this.base}`;

 		const tlsOptions = {
 			key: fs.readFileSync(config.tls.keyFile),
@ -50,7 +54,9 @@ export class GoogleLDAPAuth implements IAuthentication {
 			tlsOptions,
 		};

-		this.fetchDNs();
+		this.fetchDNs().catch((err) => {
+			console.error('fatal error google ldap auth, cannot fetch DNs', err);
+		});
 	}

 	private async fetchDNs() {
@ -63,7 +69,7 @@ export class GoogleLDAPAuth implements IAuthentication {
 			});

 			ldapDNClient.search(
-				this.base,
+				this.searchBase,
 				{
 					scope: 'sub',
 				},
@ -86,8 +92,8 @@ export class GoogleLDAPAuth implements IAuthentication {
 					});

 					res.on('error', function (ldapErr) {
-						console.error(`error: ${ldapErr.message}`);
-						reject();
+						console.error(`error: ${JSON.stringify(ldapErr)}`);
+						reject(ldapErr);
 					});

 					res.on('end', (result) => {
@ -132,6 +138,7 @@ export class GoogleLDAPAuth implements IAuthentication {
 			if (!dnsFetched && !forceFetching) {
 				return this.authenticate(username, password, count, true);
 			}
+			// console.log('this.allValidDNsCache', this.allValidDNsCache);
 			console.error(`invalid username, not found in DN: ${username}`); // , this.allValidDNsCache);
 			return false;
 		}
--- a/src/radius/handler/EAPPacketHandler.ts
+++ b/src/radius/handler/EAPPacketHandler.ts
@ -34,8 +34,11 @@ export class EAPPacketHandler implements IPacketHandler {
 		// EAP MESSAGE
 		let msg = packet.attributes['EAP-Message'] as Buffer;

-		if (Array.isArray(msg)) {
-			msg = Buffer.concat(msg);
+		if (Array.isArray(msg) && !(packet.attributes['EAP-Message'] instanceof Buffer)) {
+			// log('multiple EAP Messages received, concat', msg.length);
+			const allMsgs = msg as Buffer[];
+			msg = Buffer.concat(allMsgs);
+			// log('final EAP Message', msg);
 		}

 		try {
--- a/src/radius/handler/eap/eapMethods/EAP-TTLS.ts
+++ b/src/radius/handler/eap/eapMethods/EAP-TTLS.ts
@ -3,7 +3,7 @@
 /* eslint-disable no-bitwise */
 import * as tls from 'tls';
 import * as NodeCache from 'node-cache';
-// eslint-disable-next-line @typescript-eslint/ban-ts-ignore
+// eslint-disable-next-line @typescript-eslint/ban-ts-comment
 // @ts-ignore
 import { attr_id_to_name, attr_name_to_id } from 'radius';
 import debug from 'debug';
@ -219,12 +219,13 @@ export class EAPTTLS implements IEAPMethod {
 		if (decodedFlags.lengthIncluded) {
 			msglength = msg.slice(6, 10).readUInt32BE(0); // .readDoubleLE(0); // .toString('hex');
 		}
-		const data = msg.slice(decodedFlags.lengthIncluded ? 10 : 6, msg.length);
+		const data = msg.slice(decodedFlags.lengthIncluded ? 10 : 6).slice(0, msglength);

 		log('>>>>>>>>>>>> REQUEST FROM CLIENT: EAP TTLS', {
 			flags: `00000000${flags.toString(2)}`.substr(-8),
 			decodedFlags,
 			identifier,
+			msglengthBuffer: msg.length,
 			msglength,
 			data,
 			// dataStr: data.toString()
@ -388,15 +389,24 @@ export class EAPTTLS implements IEAPMethod {
 			};

 			const responseHandler = (encryptedResponseData: Buffer) => {
+				log('complete');
 				// send back...
 				sendResponsePromise.resolve(
 					this.buildEAPTTLSResponse(identifier, 21, 0x00, stateID, encryptedResponseData)
 				);
 			};

+			const checkExistingSession = (isSessionReused) => {
+				if (isSessionReused) {
+					log('secured, session reused, accept auth!');
+					sendResponsePromise.resolve(this.authResponse(identifier, true, connection.tls, packet));
+				}
+			};
+
 			// register event listeners
 			connection.events.on('incoming', incomingMessageHandler);
 			connection.events.on('response', responseHandler);
+			connection.events.on('secured', checkExistingSession);

 			// emit data to tls server
 			connection.events.emit('decrypt', data);
@ -405,6 +415,9 @@ export class EAPTTLS implements IEAPMethod {
 			// cleanup
 			connection.events.off('incoming', incomingMessageHandler);
 			connection.events.off('response', responseHandler);
+			connection.events.off('secured', checkExistingSession);
+
+			// connection.events.off('secured');

 			// send response
 			return responseData; // this.buildEAPTTLSResponse(identifier, 21, 0x00, stateID, encryptedResponseData);
@ -473,7 +486,7 @@ export class EAPTTLS implements IEAPMethod {

 			let vendorId;
 			let data;
-			if (flags & 0b010000000) {
+			if (decodedFlags.V) {
 				// V flag set
 				vendorId = currentBuffer.slice(8, 12).readUInt32BE(0);
 				data = currentBuffer.slice(12, length);
--- a/src/tls/crypt.ts
+++ b/src/tls/crypt.ts
@ -5,6 +5,7 @@ import * as crypto from 'crypto';
 import * as DuplexPair from 'native-duplexpair';
 import debug from 'debug';
 import * as NodeCache from 'node-cache';
+// import * as constants from 'constants';
 import * as config from '../../config';

 const log = debug('radius:tls');
@ -96,6 +97,7 @@ export function startTLSServer(): ITLSServer {
 		});

 		log('*********** new TLS connection established / secured ********');
+		emitter.emit('secured', cleartext.isSessionReused());
 	});

 	cleartext.on('error', (err?: Error) => {