diff options
Diffstat (limited to 'kvmd')
-rw-r--r-- | kvmd/plugins/auth/radius.py | 89 |
1 files changed, 62 insertions, 27 deletions
diff --git a/kvmd/plugins/auth/radius.py b/kvmd/plugins/auth/radius.py index 532dafa2..3283f40b 100644 --- a/kvmd/plugins/auth/radius.py +++ b/kvmd/plugins/auth/radius.py @@ -19,26 +19,55 @@ # # # ========================================================================== # -# -# For some reason this needs the two following files in / -# https://raw.githubusercontent.com/AndrewAubury/kvmd/master/kvmd/plugins/auth/radius.py -# https://github.com/pyradius/pyrad/raw/master/example/dictionary.freeradius -# + +import io +import textwrap from typing import Dict +import pyrad.client +import pyrad.packet +import pyrad.dictionary + from ...yamlconf import Option -from ...validators.os import valid_abs_file from ...validators.net import valid_port from ...validators.net import valid_ip_or_host from ...validators.basic import valid_int_f1 +from ...logging import get_logger + +from ... import aiotools + from . import BaseAuthService -from pyrad.client import Client -from pyrad.dictionary import Dictionary -import pyrad.packet + +# ===== +_FREERADUIS_DICT = textwrap.dedent(""" + # https://github.com/pyradius/pyrad/raw/master/example/dictionary.freeradius + + VENDOR FreeRADIUS 11344 + BEGIN-VENDOR FreeRADIUS + + ATTRIBUTE FreeRADIUS-Statistics-Type 127 integer + + VALUE FreeRADIUS-Statistics-Type None 0 + VALUE FreeRADIUS-Statistics-Type Authentication 1 + VALUE FreeRADIUS-Statistics-Type Accounting 2 + VALUE FreeRADIUS-Statistics-Type Proxy-Authentication 4 + VALUE FreeRADIUS-Statistics-Type Proxy-Accounting 8 + VALUE FreeRADIUS-Statistics-Type Internal 0x10 + VALUE FreeRADIUS-Statistics-Type Client 0x20 + VALUE FreeRADIUS-Statistics-Type Server 0x40 + VALUE FreeRADIUS-Statistics-Type Home-Server 0x80 + + VALUE FreeRADIUS-Statistics-Type Auth-Acct 0x03 + VALUE FreeRADIUS-Statistics-Type Proxy-Auth-Acct 0x0c + + VALUE FreeRADIUS-Statistics-Type All 0x1f + + END-VENDOR FreeRADIUS +""") # ===== @@ -48,37 +77,43 @@ class Plugin(BaseAuthService): host: str, port: int, secret: str, - user: str, - passwd: str, - timeout: int, + timeout: float, ) -> None: self.__host = host self.__port = port self.__secret = secret - self.__user = user - self.__passwd = passwd self.__timeout = timeout @classmethod def get_plugin_options(cls) -> Dict: return { - "host": Option("localhost",type=valid_ip_or_host), - "port": Option(1812,type=valid_port), + "host": Option("localhost", type=valid_ip_or_host), + "port": Option(1812, type=valid_port), "secret": Option(""), - "user": Option(""), - "passwd": Option(""), - "timeout": Option(5,type=valid_int_f1), + "timeout": Option(5, type=valid_int_f1), } async def authorize(self, user: str, passwd: str) -> bool: - user = user.strip() + return (await aiotools.run_async(self.__inner_authorize, user, passwd)) + + def __inner_authorize(self, user: str, passwd: str) -> bool: + assert user == user.strip() + assert user try: - srv = Client(server=self.__host, secret=self.__secret.encode('ascii'), timeout=self.__timeout, dict=Dictionary("dictionary")) - req = srv.CreateAuthPacket(code=pyrad.packet.AccessRequest, User_Name=user) - req["User-Password"] = req.PwCrypt(passwd) - # send request - reply = srv.SendPacket(req) - return (reply.code == pyrad.packet.AccessAccept) - except: + with io.StringIO(_FREERADUIS_DICT) as dct_file: + dct = pyrad.dictionary.Dictionary(dct_file) + client = pyrad.client.Client( + server=self.__host, + authport=self.__port, + secret=self.__secret.encode("ascii"), + timeout=self.__timeout, + dict=dct, + ) + request = client.CreateAuthPacket(code=pyrad.packet.AccessRequest, User_Name=user) + request["User-Password"] = request.PwCrypt(passwd) + response = client.SendPacket(request) + return (response.code == pyrad.packet.AccessAccept) + except Exception: + get_logger().exception("Failed RADIUS auth request for user %r", user) return False |