rezometz/re2o
8
0
Fork 0
mirror of https://gitlab.federez.net/re2o/re2o synced 2024-05-16 23:56:12 +00:00
Code Issues Releases Wiki Activity

fix: Fix autocapture

Browse source
This commit is contained in:
chapeau 2022-01-09 19:20:04 +00:00 committed by jr-garnier
parent ca2e999089
commit 6bf8494a5d
4 changed files with 32 additions and 25 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
freeradius_utils/auth.py
View file

@ -141,19 +141,15 @@ def authorize(data):
if not nas_type or nas_type.port_access_mode == "802.1X":
user = data.get("User-Name", "")
user = user.split("@", 1)[0]
mac = data.get("Calling-Station-Id", "")
result, log, password = check_user_machine_and_register(nas_type, user, mac)
logger.info(str(log))
logger.info(str(user))
if not result:
return radiusd.RLM_MODULE_REJECT
else:
return (
radiusd.RLM_MODULE_UPDATED,
(),
((str("NT-Password"), str(password)),),
)
user = User.objects.filter(pseudo__iexact=user).first()
if not user:
return (False, "User unknown", "")
password = user.pwd_ntlm
return (
radiusd.RLM_MODULE_UPDATED,
(),
((str("NT-Password"), str(password)),),
)
else:
return (radiusd.RLM_MODULE_UPDATED, (), (("Auth-Type", "Accept"),))
@ -234,6 +230,14 @@ def post_auth(data):
return (radiusd.RLM_MODULE_REJECT, tuple(attributes), ())
else:
user = data.get("User-Name", "")
user = user.split("@", 1)[0]
result, log, password = check_user_machine_and_register(nas_type, user, mac)
logger.info(str(log))
logger.info(str(user))
if not result:
return radiusd.RLM_MODULE_REJECT
return radiusd.RLM_MODULE_OK

2
radius/api/serializers.py
View file

@ -110,7 +110,6 @@ class AuthorizeResponseSerializer(Serializer):
nas = NasSerializer(read_only=True)
user = UserSerializer(read_only=True)
user_interface = InterfaceSerializer(read_only=True)
class PostAuthResponseSerializer(Serializer):
@ -123,6 +122,7 @@ class PostAuthResponseSerializer(Serializer):
port = PortSerializer()
port_profile = PortProfileSerializer(partial=True)
switch = SwitchSerializer()
user = UserSerializer(read_only=True)
user_interface = InterfaceSerializer()
radius_option = RadiusOptionSerializer()
EMAIL_STATE_UNVERIFIED = serializers.IntegerField()

4
radius/api/urls.py
View file

@ -23,12 +23,12 @@ from . import views
urls_functional_view = [
(
r"radius/authorize/(?P<nas_id>[^/]+)/(?P<username>.+)/(?P<mac_address>[^/]{17})$",
r"radius/authorize/(?P<nas_id>[^/]+)/(?P<username>.+)$",
views.authorize,
None,
),
(
r"radius/post_auth/(?P<nas_id>[^/]+)/(?P<nas_port>.+)/(?P<user_mac>[^/]{17})$",
r"radius/post_auth/(?P<nas_id>[^/]+)/(?P<nas_port>.+)/(?P<user_mac>[^/]{17})/(?P<username>.+)$",
views.post_auth,
None,
),

21
radius/api/views.py
View file

@ -37,10 +37,9 @@ from re2o.acl import can_view_all_api, can_edit_all_api, can_create_api
class AuthorizeResponse:
"""Contains objects the radius needs for the Authorize step"""
def __init__(self, nas, user, user_interface):
def __init__(self, nas, user):
self.nas = nas
self.user = user
self.user_interface = user_interface
def can_view(self, user):
"""Method to bypass api permissions, because we are using ACL decorators"""
@ -50,13 +49,12 @@ class AuthorizeResponse:
@api_view(["GET"])
@login_required
@can_view_all_api(Interface, Domain, IpList, Nas, User)
def authorize(request, nas_id, username, mac_address):
def authorize(request, nas_id, username):
"""Return objects the radius needs for the Authorize step
Parameters:
nas_id (string): NAS name or ipv4
username (string): username of the user who is trying to connect
mac_address (string): mac address of the device which is trying to connect
Return:
AuthorizeResponse: contains all required informations
@ -74,11 +72,8 @@ def authorize(request, nas_id, username, mac_address):
# If no username was provided (wired connection), username="None"
user = User.objects.filter(pseudo__iexact=username).first()
# get the interface which is trying to connect (if already created)
user_interface = Interface.objects.filter(mac_address=mac_address).first()
serialized = serializers.AuthorizeResponseSerializer(
AuthorizeResponse(nas_type, user, user_interface)
AuthorizeResponse(nas_type, user)
)
return Response(data=serialized.data)
@ -94,6 +89,7 @@ class PostAuthResponse:
port,
port_profile,
switch,
user,
user_interface,
radius_option,
EMAIL_STATE_UNVERIFIED,
@ -105,6 +101,7 @@ class PostAuthResponse:
self.port = port
self.port_profile = port_profile
self.switch = switch
self.user = user
self.user_interface = user_interface
self.radius_option = radius_option
self.EMAIL_STATE_UNVERIFIED = EMAIL_STATE_UNVERIFIED
@ -119,13 +116,14 @@ class PostAuthResponse:
@api_view(["GET"])
@login_required
@can_view_all_api(Interface, Domain, IpList, Nas, Switch, Port, User)
def post_auth(request, nas_id, nas_port, user_mac):
def post_auth(request, nas_id, nas_port, user_mac, username):
"""Return objects the radius needs for the Post-Auth step
Parameters:
nas_id (string): NAS name or ipv4
nas_port (string): NAS port from wich the request came. Work with Cisco, HP and Juniper convention
user_mac (string): mac address of the device which is trying to connect
username (string): username of the user who is trying to connect
Return:
PostAuthResponse: contains all required informations
@ -172,6 +170,10 @@ def post_auth(request, nas_id, nas_port, user_mac):
if port:
port_profile = port.get_port_profile
# get the User corresponding to the username in the URL
# If no username was provided (wired connection), username="None"
user = User.objects.filter(pseudo__iexact=username).first()
# get the interface which is trying to connect (if already created)
user_interface = (
Interface.objects.filter(mac_address=user_mac)
@ -202,6 +204,7 @@ def post_auth(request, nas_id, nas_port, user_mac):
port,
port_profile,
switch,
user,
user_interface,
radius_option,
EMAIL_STATE_UNVERIFIED,