8
0
Fork 0
mirror of https://gitlab2.federez.net/re2o/re2o synced 2024-12-23 15:33:45 +00:00

Merge branch 'fix-autocapture' into 'dev'

fix: Fix autocapture

See merge request re2o/re2o!623
This commit is contained in:
Jean-Romain Garnier 2022-01-09 19:20:07 +00:00
commit 8627c7d686
4 changed files with 32 additions and 25 deletions

View file

@ -141,14 +141,10 @@ def authorize(data):
if not nas_type or nas_type.port_access_mode == "802.1X": if not nas_type or nas_type.port_access_mode == "802.1X":
user = data.get("User-Name", "") user = data.get("User-Name", "")
user = user.split("@", 1)[0] user = user.split("@", 1)[0]
mac = data.get("Calling-Station-Id", "") user = User.objects.filter(pseudo__iexact=user).first()
result, log, password = check_user_machine_and_register(nas_type, user, mac) if not user:
logger.info(str(log)) return (False, "User unknown", "")
logger.info(str(user)) password = user.pwd_ntlm
if not result:
return radiusd.RLM_MODULE_REJECT
else:
return ( return (
radiusd.RLM_MODULE_UPDATED, radiusd.RLM_MODULE_UPDATED,
(), (),
@ -234,6 +230,14 @@ def post_auth(data):
return (radiusd.RLM_MODULE_REJECT, tuple(attributes), ()) return (radiusd.RLM_MODULE_REJECT, tuple(attributes), ())
else: else:
user = data.get("User-Name", "")
user = user.split("@", 1)[0]
result, log, password = check_user_machine_and_register(nas_type, user, mac)
logger.info(str(log))
logger.info(str(user))
if not result:
return radiusd.RLM_MODULE_REJECT
return radiusd.RLM_MODULE_OK return radiusd.RLM_MODULE_OK

View file

@ -110,7 +110,6 @@ class AuthorizeResponseSerializer(Serializer):
nas = NasSerializer(read_only=True) nas = NasSerializer(read_only=True)
user = UserSerializer(read_only=True) user = UserSerializer(read_only=True)
user_interface = InterfaceSerializer(read_only=True)
class PostAuthResponseSerializer(Serializer): class PostAuthResponseSerializer(Serializer):
@ -123,6 +122,7 @@ class PostAuthResponseSerializer(Serializer):
port = PortSerializer() port = PortSerializer()
port_profile = PortProfileSerializer(partial=True) port_profile = PortProfileSerializer(partial=True)
switch = SwitchSerializer() switch = SwitchSerializer()
user = UserSerializer(read_only=True)
user_interface = InterfaceSerializer() user_interface = InterfaceSerializer()
radius_option = RadiusOptionSerializer() radius_option = RadiusOptionSerializer()
EMAIL_STATE_UNVERIFIED = serializers.IntegerField() EMAIL_STATE_UNVERIFIED = serializers.IntegerField()

View file

@ -23,12 +23,12 @@ from . import views
urls_functional_view = [ urls_functional_view = [
( (
r"radius/authorize/(?P<nas_id>[^/]+)/(?P<username>.+)/(?P<mac_address>[^/]{17})$", r"radius/authorize/(?P<nas_id>[^/]+)/(?P<username>.+)$",
views.authorize, views.authorize,
None, None,
), ),
( (
r"radius/post_auth/(?P<nas_id>[^/]+)/(?P<nas_port>.+)/(?P<user_mac>[^/]{17})$", r"radius/post_auth/(?P<nas_id>[^/]+)/(?P<nas_port>.+)/(?P<user_mac>[^/]{17})/(?P<username>.+)$",
views.post_auth, views.post_auth,
None, None,
), ),

View file

@ -37,10 +37,9 @@ from re2o.acl import can_view_all_api, can_edit_all_api, can_create_api
class AuthorizeResponse: class AuthorizeResponse:
"""Contains objects the radius needs for the Authorize step""" """Contains objects the radius needs for the Authorize step"""
def __init__(self, nas, user, user_interface): def __init__(self, nas, user):
self.nas = nas self.nas = nas
self.user = user self.user = user
self.user_interface = user_interface
def can_view(self, user): def can_view(self, user):
"""Method to bypass api permissions, because we are using ACL decorators""" """Method to bypass api permissions, because we are using ACL decorators"""
@ -50,13 +49,12 @@ class AuthorizeResponse:
@api_view(["GET"]) @api_view(["GET"])
@login_required @login_required
@can_view_all_api(Interface, Domain, IpList, Nas, User) @can_view_all_api(Interface, Domain, IpList, Nas, User)
def authorize(request, nas_id, username, mac_address): def authorize(request, nas_id, username):
"""Return objects the radius needs for the Authorize step """Return objects the radius needs for the Authorize step
Parameters: Parameters:
nas_id (string): NAS name or ipv4 nas_id (string): NAS name or ipv4
username (string): username of the user who is trying to connect username (string): username of the user who is trying to connect
mac_address (string): mac address of the device which is trying to connect
Return: Return:
AuthorizeResponse: contains all required informations AuthorizeResponse: contains all required informations
@ -74,11 +72,8 @@ def authorize(request, nas_id, username, mac_address):
# If no username was provided (wired connection), username="None" # If no username was provided (wired connection), username="None"
user = User.objects.filter(pseudo__iexact=username).first() user = User.objects.filter(pseudo__iexact=username).first()
# get the interface which is trying to connect (if already created)
user_interface = Interface.objects.filter(mac_address=mac_address).first()
serialized = serializers.AuthorizeResponseSerializer( serialized = serializers.AuthorizeResponseSerializer(
AuthorizeResponse(nas_type, user, user_interface) AuthorizeResponse(nas_type, user)
) )
return Response(data=serialized.data) return Response(data=serialized.data)
@ -94,6 +89,7 @@ class PostAuthResponse:
port, port,
port_profile, port_profile,
switch, switch,
user,
user_interface, user_interface,
radius_option, radius_option,
EMAIL_STATE_UNVERIFIED, EMAIL_STATE_UNVERIFIED,
@ -105,6 +101,7 @@ class PostAuthResponse:
self.port = port self.port = port
self.port_profile = port_profile self.port_profile = port_profile
self.switch = switch self.switch = switch
self.user = user
self.user_interface = user_interface self.user_interface = user_interface
self.radius_option = radius_option self.radius_option = radius_option
self.EMAIL_STATE_UNVERIFIED = EMAIL_STATE_UNVERIFIED self.EMAIL_STATE_UNVERIFIED = EMAIL_STATE_UNVERIFIED
@ -119,13 +116,14 @@ class PostAuthResponse:
@api_view(["GET"]) @api_view(["GET"])
@login_required @login_required
@can_view_all_api(Interface, Domain, IpList, Nas, Switch, Port, User) @can_view_all_api(Interface, Domain, IpList, Nas, Switch, Port, User)
def post_auth(request, nas_id, nas_port, user_mac): def post_auth(request, nas_id, nas_port, user_mac, username):
"""Return objects the radius needs for the Post-Auth step """Return objects the radius needs for the Post-Auth step
Parameters: Parameters:
nas_id (string): NAS name or ipv4 nas_id (string): NAS name or ipv4
nas_port (string): NAS port from wich the request came. Work with Cisco, HP and Juniper convention nas_port (string): NAS port from wich the request came. Work with Cisco, HP and Juniper convention
user_mac (string): mac address of the device which is trying to connect user_mac (string): mac address of the device which is trying to connect
username (string): username of the user who is trying to connect
Return: Return:
PostAuthResponse: contains all required informations PostAuthResponse: contains all required informations
@ -172,6 +170,10 @@ def post_auth(request, nas_id, nas_port, user_mac):
if port: if port:
port_profile = port.get_port_profile port_profile = port.get_port_profile
# get the User corresponding to the username in the URL
# If no username was provided (wired connection), username="None"
user = User.objects.filter(pseudo__iexact=username).first()
# get the interface which is trying to connect (if already created) # get the interface which is trying to connect (if already created)
user_interface = ( user_interface = (
Interface.objects.filter(mac_address=user_mac) Interface.objects.filter(mac_address=user_mac)
@ -202,6 +204,7 @@ def post_auth(request, nas_id, nas_port, user_mac):
port, port,
port_profile, port_profile,
switch, switch,
user,
user_interface, user_interface,
radius_option, radius_option,
EMAIL_STATE_UNVERIFIED, EMAIL_STATE_UNVERIFIED,