fix: session resumptions + google ldap auth
@@ -14,6 +14,7 @@ interface IGoogleLDAPAuthOptions {
|
||||
/** base DN
|
||||
* e.g. 'dc=hokify,dc=com', */
|
||||
base: string;
|
||||
searchBase?: string; // default ou=users,{{base}}
|
||||
tls: {
|
||||
keyFile: string;
|
||||
certFile: string;
|
||||
@@ -35,8 +36,11 @@ export class GoogleLDAPAuth implements IAuthentication {
|
||||
|
||||
private config: ClientOptions;
|
||||
|
||||
searchBase: string;
|
||||
|
||||
constructor(config: IGoogleLDAPAuthOptions) {
|
||||
this.base = config.base;
|
||||
this.searchBase = config.searchBase || `ou=users,${this.base}`;
|
||||
|
||||
const tlsOptions = {
|
||||
key: fs.readFileSync(config.tls.keyFile),
|
||||
@@ -50,7 +54,9 @@ export class GoogleLDAPAuth implements IAuthentication {
|
||||
tlsOptions,
|
||||
};
|
||||
|
||||
this.fetchDNs();
|
||||
this.fetchDNs().catch((err) => {
|
||||
console.error('fatal error google ldap auth, cannot fetch DNs', err);
|
||||
});
|
||||
}
|
||||
|
||||
private async fetchDNs() {
|
||||
@@ -63,7 +69,7 @@ export class GoogleLDAPAuth implements IAuthentication {
|
||||
});
|
||||
|
||||
ldapDNClient.search(
|
||||
this.base,
|
||||
this.searchBase,
|
||||
{
|
||||
scope: 'sub',
|
||||
},
|
||||
@@ -86,8 +92,8 @@ export class GoogleLDAPAuth implements IAuthentication {
|
||||
});
|
||||
|
||||
res.on('error', function (ldapErr) {
|
||||
console.error(`error: ${ldapErr.message}`);
|
||||
reject();
|
||||
console.error(`error: ${JSON.stringify(ldapErr)}`);
|
||||
reject(ldapErr);
|
||||
});
|
||||
|
||||
res.on('end', (result) => {
|
||||
@@ -132,6 +138,7 @@ export class GoogleLDAPAuth implements IAuthentication {
|
||||
if (!dnsFetched && !forceFetching) {
|
||||
return this.authenticate(username, password, count, true);
|
||||
}
|
||||
// console.log('this.allValidDNsCache', this.allValidDNsCache);
|
||||
console.error(`invalid username, not found in DN: ${username}`); // , this.allValidDNsCache);
|
||||
return false;
|
||||
}
|
||||
|
||||
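Review bot: The new log line in the `res.on('error', ...)` handler, `console.error(`error: ${JSON.stringify(ldapErr)}`)`, will usually print `{}` for an Error instance because `message` and `stack` are non-enumerable, so it is less informative than the `ldapErr.message` it replaces. Keep the message and pass the object as a separate argument so the console prints its stack: `console.error(`error: ${ldapErr.message}`, ldapErr);`. Passing `ldapErr` to `reject()` is the right change, since the constructor's new `.catch` now has something to report. The surrounding promise body of `fetchDNs` starts and ends outside the hunk.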
@@ -34,8 +34,11 @@ export class EAPPacketHandler implements IPacketHandler {
|
||||
// EAP MESSAGE
|
||||
let msg = packet.attributes['EAP-Message'] as Buffer;
|
||||
|
||||
if (Array.isArray(msg)) {
|
||||
msg = Buffer.concat(msg);
|
||||
if (Array.isArray(msg) && !(packet.attributes['EAP-Message'] instanceof Buffer)) {
|
||||
// log('multiple EAP Messages received, concat', msg.length);
|
||||
const allMsgs = msg as Buffer[];
|
||||
msg = Buffer.concat(allMsgs);
|
||||
// log('final EAP Message', msg);
|
||||
}
|
||||
|
||||
try {
|
||||
|
||||
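Review bot: The second half of `if (Array.isArray(msg) && !(packet.attributes['EAP-Message'] instanceof Buffer))` is redundant, because `msg` holds the same value and `Array.isArray` is already false for a Buffer; the two assertions (`as Buffer` on the declaration, then `as Buffer[]` inside the branch) exist only to paper over the attribute's real `Buffer | Buffer[]` shape. Declaring the union once lets narrowing do the work: `const raw = packet.attributes['EAP-Message'] as Buffer | Buffer[];` followed by `let msg = Array.isArray(raw) ? Buffer.concat(raw) : raw;` (keep `let` only if `msg` is reassigned further down). Adding `| undefined` to that union would also make the missing-attribute case visible to the checker instead of relying on the `try` below. The enclosing method starts before and continues after this hunk.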
@@ -3,7 +3,7 @@
|
||||
/* eslint-disable no-bitwise */
|
||||
import * as tls from 'tls';
|
||||
import * as NodeCache from 'node-cache';
|
||||
// eslint-disable-next-line @typescript-eslint/ban-ts-ignore
|
||||
// eslint-disable-next-line @typescript-eslint/ban-ts-comment
|
||||
// @ts-ignore
|
||||
import { attr_id_to_name, attr_name_to_id } from 'radius';
|
||||
import debug from 'debug';
|
||||
@@ -219,12 +219,13 @@ export class EAPTTLS implements IEAPMethod {
|
||||
if (decodedFlags.lengthIncluded) {
|
||||
msglength = msg.slice(6, 10).readUInt32BE(0); // .readDoubleLE(0); // .toString('hex');
|
||||
}
|
||||
const data = msg.slice(decodedFlags.lengthIncluded ? 10 : 6, msg.length);
|
||||
const data = msg.slice(decodedFlags.lengthIncluded ? 10 : 6).slice(0, msglength);
|
||||
|
||||
log('>>>>>>>>>>>> REQUEST FROM CLIENT: EAP TTLS', {
|
||||
flags: `00000000${flags.toString(2)}`.substr(-8),
|
||||
decodedFlags,
|
||||
identifier,
|
||||
msglengthBuffer: msg.length,
|
||||
msglength,
|
||||
data,
|
||||
// dataStr: data.toString()
|
||||
@@ -388,15 +389,24 @@ export class EAPTTLS implements IEAPMethod {
|
||||
};
|
||||
|
||||
const responseHandler = (encryptedResponseData: Buffer) => {
|
||||
log('complete');
|
||||
// send back...
|
||||
sendResponsePromise.resolve(
|
||||
this.buildEAPTTLSResponse(identifier, 21, 0x00, stateID, encryptedResponseData)
|
||||
);
|
||||
};
|
||||
|
||||
const checkExistingSession = (isSessionReused) => {
|
||||
if (isSessionReused) {
|
||||
log('secured, session reused, accept auth!');
|
||||
sendResponsePromise.resolve(this.authResponse(identifier, true, connection.tls, packet));
|
||||
}
|
||||
};
|
||||
|
||||
// register event listeners
|
||||
connection.events.on('incoming', incomingMessageHandler);
|
||||
connection.events.on('response', responseHandler);
|
||||
connection.events.on('secured', checkExistingSession);
|
||||
|
||||
// emit data to tls server
|
||||
connection.events.emit('decrypt', data);
|
||||
@@ -405,6 +415,9 @@ export class EAPTTLS implements IEAPMethod {
|
||||
// cleanup
|
||||
connection.events.off('incoming', incomingMessageHandler);
|
||||
connection.events.off('response', responseHandler);
|
||||
connection.events.off('secured', checkExistingSession);
|
||||
|
||||
// connection.events.off('secured');
|
||||
|
||||
// send response
|
||||
return responseData; // this.buildEAPTTLSResponse(identifier, 21, 0x00, stateID, encryptedResponseData);
|
||||
@@ -473,7 +486,7 @@ export class EAPTTLS implements IEAPMethod {
|
||||
|
||||
let vendorId;
|
||||
let data;
|
||||
if (flags & 0b010000000) {
|
||||
if (decodedFlags.V) {
|
||||
// V flag set
|
||||
vendorId = currentBuffer.slice(8, 12).readUInt32BE(0);
|
||||
data = currentBuffer.slice(12, length);
|
||||
|
||||
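Review bot: `checkExistingSession` accepts the peer as authenticated on `isSessionReused` alone, without checking that the session being resumed ever completed the inner EAP-TTLS method. A Node TLS server makes a session resumable once the handshake completes, which is before any inner authentication has run, so unless the session cache is only populated after inner auth succeeds (its setup is outside these hunks — please confirm), a peer whose inner auth failed could resume and be accepted; the `emitter.emit('secured', cleartext.isSessionReused())` hunk in the TLS server file has the same gap, as it forwards only the boolean. The fix is to record "inner auth succeeded" keyed by TLS session id (the `NodeCache` import added in that file may be intended for this), have the `secured` event carry the session id, and fall through to the full inner method when no record exists; `isSessionReused` should also get an explicit `boolean` type rather than an implicit `any`. The enclosing handler method starts and ends outside the hunk.
```typescript
const checkExistingSession = (isSessionReused: boolean, sessionId?: Buffer) => {
  if (!isSessionReused) return;
  // authenticatedSessions: placeholder for a cache keyed by TLS session id that is
  // written only after the inner method succeeded (wire-up not shown here)
  const previouslyAuthenticated =
    sessionId !== undefined && authenticatedSessions.has(sessionId.toString('hex'));
  if (!previouslyAuthenticated) {
    log('session reused but no prior inner auth recorded, running full inner method');
    return;
  }
  log('secured, session reused, accept auth!');
  sendResponsePromise.resolve(this.authResponse(identifier, true, connection.tls, packet));
};
// … unchanged: event listener registration and decrypt emit …
```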
@@ -5,6 +5,7 @@ import * as crypto from 'crypto';
|
||||
import * as DuplexPair from 'native-duplexpair';
|
||||
import debug from 'debug';
|
||||
import * as NodeCache from 'node-cache';
|
||||
// import * as constants from 'constants';
|
||||
import * as config from '../../config';
|
||||
|
||||
const log = debug('radius:tls');
|
||||
@@ -96,6 +97,7 @@ export function startTLSServer(): ITLSServer {
|
||||
});
|
||||
|
||||
log('*********** new TLS connection established / secured ********');
|
||||
emitter.emit('secured', cleartext.isSessionReused());
|
||||
});
|
||||
|
||||
cleartext.on('error', (err?: Error) => {
|
||||
|
||||