From 6bf8494a5d7cb027a919b2f66732430c87f3a5ab Mon Sep 17 00:00:00 2001
From: chapeau <corentin@canebier.fr>
Date: Sun, 9 Jan 2022 19:20:04 +0000
Subject: [PATCH] fix: Fix autocapture

---
 freeradius_utils/auth.py  | 30 +++++++++++++++++-------------
 radius/api/serializers.py |  2 +-
 radius/api/urls.py        |  4 ++--
 radius/api/views.py       | 21 ++++++++++++---------
 4 files changed, 32 insertions(+), 25 deletions(-)

diff --git a/freeradius_utils/auth.py b/freeradius_utils/auth.py
index 9c1fd295..e53127fa 100644
--- a/freeradius_utils/auth.py
+++ b/freeradius_utils/auth.py
@@ -141,19 +141,15 @@ def authorize(data):
     if not nas_type or nas_type.port_access_mode == "802.1X":
         user = data.get("User-Name", "")
         user = user.split("@", 1)[0]
-        mac = data.get("Calling-Station-Id", "")
-        result, log, password = check_user_machine_and_register(nas_type, user, mac)
-        logger.info(str(log))
-        logger.info(str(user))
-
-        if not result:
-            return radiusd.RLM_MODULE_REJECT
-        else:
-            return (
-                radiusd.RLM_MODULE_UPDATED,
-                (),
-                ((str("NT-Password"), str(password)),),
-            )
+        user = User.objects.filter(pseudo__iexact=user).first()
+        if not user:
+            return (False, "User unknown", "")
+        password = user.pwd_ntlm
+        return (
+            radiusd.RLM_MODULE_UPDATED,
+            (),
+            ((str("NT-Password"), str(password)),),
+        )
 
     else:
         return (radiusd.RLM_MODULE_UPDATED, (), (("Auth-Type", "Accept"),))
@@ -234,6 +230,14 @@ def post_auth(data):
             return (radiusd.RLM_MODULE_REJECT, tuple(attributes), ())
 
     else:
+        user = data.get("User-Name", "")
+        user = user.split("@", 1)[0]
+        result, log, password = check_user_machine_and_register(nas_type, user, mac)
+        logger.info(str(log))
+        logger.info(str(user))
+
+        if not result:
+            return radiusd.RLM_MODULE_REJECT
         return radiusd.RLM_MODULE_OK
 
 
diff --git a/radius/api/serializers.py b/radius/api/serializers.py
index febca280..f4521e98 100644
--- a/radius/api/serializers.py
+++ b/radius/api/serializers.py
@@ -110,7 +110,6 @@ class AuthorizeResponseSerializer(Serializer):
 
     nas = NasSerializer(read_only=True)
     user = UserSerializer(read_only=True)
-    user_interface = InterfaceSerializer(read_only=True)
 
 
 class PostAuthResponseSerializer(Serializer):
@@ -123,6 +122,7 @@ class PostAuthResponseSerializer(Serializer):
     port = PortSerializer()
     port_profile = PortProfileSerializer(partial=True)
     switch = SwitchSerializer()
+    user = UserSerializer(read_only=True)
     user_interface = InterfaceSerializer()
     radius_option = RadiusOptionSerializer()
     EMAIL_STATE_UNVERIFIED = serializers.IntegerField()
diff --git a/radius/api/urls.py b/radius/api/urls.py
index 2ab8ec91..b0a0d336 100644
--- a/radius/api/urls.py
+++ b/radius/api/urls.py
@@ -23,12 +23,12 @@ from . import views
 
 urls_functional_view = [
     (
-        r"radius/authorize/(?P<nas_id>[^/]+)/(?P<username>.+)/(?P<mac_address>[^/]{17})$",
+        r"radius/authorize/(?P<nas_id>[^/]+)/(?P<username>.+)$",
         views.authorize,
         None,
     ),
     (
-        r"radius/post_auth/(?P<nas_id>[^/]+)/(?P<nas_port>.+)/(?P<user_mac>[^/]{17})$",
+        r"radius/post_auth/(?P<nas_id>[^/]+)/(?P<nas_port>.+)/(?P<user_mac>[^/]{17})/(?P<username>.+)$",
         views.post_auth,
         None,
     ),
diff --git a/radius/api/views.py b/radius/api/views.py
index ba490b04..67936687 100644
--- a/radius/api/views.py
+++ b/radius/api/views.py
@@ -37,10 +37,9 @@ from re2o.acl import can_view_all_api, can_edit_all_api, can_create_api
 class AuthorizeResponse:
     """Contains objects the radius needs for the Authorize step"""
 
-    def __init__(self, nas, user, user_interface):
+    def __init__(self, nas, user):
         self.nas = nas
         self.user = user
-        self.user_interface = user_interface
 
     def can_view(self, user):
         """Method to bypass api permissions, because we are using ACL decorators"""
@@ -50,13 +49,12 @@ class AuthorizeResponse:
 @api_view(["GET"])
 @login_required
 @can_view_all_api(Interface, Domain, IpList, Nas, User)
-def authorize(request, nas_id, username, mac_address):
+def authorize(request, nas_id, username):
     """Return objects the radius needs for the Authorize step
 
     Parameters:
         nas_id (string): NAS name or ipv4
         username (string): username of the user who is trying to connect
-        mac_address (string): mac address of the device which is trying to connect
 
     Return:
         AuthorizeResponse: contains all required informations
@@ -74,11 +72,8 @@ def authorize(request, nas_id, username, mac_address):
     # If no username was provided (wired connection), username="None"
     user = User.objects.filter(pseudo__iexact=username).first()
 
-    # get the interface which is trying to connect (if already created)
-    user_interface = Interface.objects.filter(mac_address=mac_address).first()
-
     serialized = serializers.AuthorizeResponseSerializer(
-        AuthorizeResponse(nas_type, user, user_interface)
+        AuthorizeResponse(nas_type, user)
     )
 
     return Response(data=serialized.data)
@@ -94,6 +89,7 @@ class PostAuthResponse:
         port,
         port_profile,
         switch,
+        user,
         user_interface,
         radius_option,
         EMAIL_STATE_UNVERIFIED,
@@ -105,6 +101,7 @@ class PostAuthResponse:
         self.port = port
         self.port_profile = port_profile
         self.switch = switch
+        self.user = user
         self.user_interface = user_interface
         self.radius_option = radius_option
         self.EMAIL_STATE_UNVERIFIED = EMAIL_STATE_UNVERIFIED
@@ -119,13 +116,14 @@ class PostAuthResponse:
 @api_view(["GET"])
 @login_required
 @can_view_all_api(Interface, Domain, IpList, Nas, Switch, Port, User)
-def post_auth(request, nas_id, nas_port, user_mac):
+def post_auth(request, nas_id, nas_port, user_mac, username):
     """Return objects the radius needs for the Post-Auth step
 
     Parameters:
         nas_id (string): NAS name or ipv4
         nas_port (string): NAS port from wich the request came. Work with Cisco, HP and Juniper convention
         user_mac (string): mac address of the device which is trying to connect
+        username (string): username of the user who is trying to connect
 
     Return:
         PostAuthResponse: contains all required informations
@@ -172,6 +170,10 @@ def post_auth(request, nas_id, nas_port, user_mac):
     if port:
         port_profile = port.get_port_profile
 
+    # get the User corresponding to the username in the URL
+    # If no username was provided (wired connection), username="None"
+    user = User.objects.filter(pseudo__iexact=username).first()
+
     # get the interface which is trying to connect (if already created)
     user_interface = (
         Interface.objects.filter(mac_address=user_mac)
@@ -202,6 +204,7 @@ def post_auth(request, nas_id, nas_port, user_mac):
             port,
             port_profile,
             switch,
+            user,
             user_interface,
             radius_option,
             EMAIL_STATE_UNVERIFIED,