def process_request(data, address, secret):
error_message = None
pkt = AuthPacket(packet=data, secret=secret, dict={})
reply_pkt = pkt.CreateReply()
reply_pkt.code = AccessReject
try:
username = pkt.get(1)[0]
try:
password = pkt.PwDecrypt(pkt.get(2)[0])
except UnicodeDecodeError:
logger.error(
"Error decrypting password -- probably incorrect secret")
reply_pkt.code = AccessReject
return reply_pkt.ReplyPacket()
auth_status = auth_with_foxpass(username,
password) and two_factor(username)
if auth_status:
logger.info('Successful auth')
reply_pkt.code = AccessAccept
return reply_pkt.ReplyPacket()
logger.info('Incorrect password')
error_message = 'Incorrect password'
except Exception as e:
logger.exception(e)
error_message = 'Unknown error'
if error_message:
reply_pkt.AddAttribute(18, error_message)
return reply_pkt.ReplyPacket()
def process_request(data, address, secret):
error_message = None
pkt = AuthPacket(packet=data,
secret=secret,
dict=Dictionary(io.StringIO(DICTIONARY_DATA)))
reply_pkt = pkt.CreateReply()
reply_pkt.code = AccessReject
try:
# [0] is needed because pkt.get returns a list
pkt_username = pkt.get('User-Name')[0]
logger.info("Auth attempt for '%s'" % (pkt_username, ))
try:
password = pkt.get('Password')
if not password:
logger.error("No password field in request")
reply_pkt.code = AccessReject
return reply_pkt.ReplyPacket()
# [0] is needed because pkt.get returns a list
password = pkt.PwDecrypt(password[0])
except UnicodeDecodeError:
logger.error(
"Error decrypting password -- probably incorrect secret")
reply_pkt.code = AccessReject
return reply_pkt.ReplyPacket()
(auth_status, username) = auth_with_foxpass(pkt_username, password)
auth_status = auth_status and group_match(username) and two_factor(
username)
if auth_status:
logger.info("Successful auth for '%s'" % (pkt_username, ))
reply_pkt.code = AccessAccept
return reply_pkt.ReplyPacket()
logger.info("Authentication failed for '%s'" % (pkt_username, ))
error_message = 'Authentication failed'
except Exception as e:
logger.exception(e)
error_message = str(e)
if error_message:
reply_pkt.AddAttribute('Reply-Message', error_message)
return reply_pkt.ReplyPacket()
def _create_reply(self, request_packet: packet.AuthPacket,
success: bool) -> AuthResult:
"""
Creates an AuthResult as a reply the given request_packet
Args:
request_packet: The request to create a reply to
success: True if the reply should have code AccessAccept, false for AccessReject
"""
pass_through_attrs = copy.copy(self.pass_through_radius_attrs)
reply = request_packet.CreateReply()
reply.code = packet.AccessAccept if success else packet.AccessReject
reply.authenticator = request_packet.authenticator
reply.AddAttribute("Reply-Message", "Hello")
# If it's an MS-CHAPv2 request, add the MS-MPPE-Send-Key and MS-MPPE-Recv-Key
if ("MS-CHAP-Challenge" in request_packet
or "MS-CHAP2-Response" in request_packet):
mppe.add_mppe(
reply,
self.ms_mppe_send_key,
self.ms_mppe_recv_key,
self.secret.encode(),
request_packet.authenticator,
)
# Include error info in response, if it's MS-CHAP2 and an error
if not success and self.chap_challenge:
pass_through_attrs["MS-CHAP-Error"] = [b"\x00E=691 R=0 V=3"]
if request_packet.get("MS-CHAP2-Response") == [
self.chap2_response_expired.encode()
]:
pass_through_attrs["MS-CHAP-Error"] = [b"\x00E=648 R=0 V=3"]
add_packet_attributes(reply, pass_through_attrs)
# Wrap the reply in an AuthResult
pass_through_attr_names = (list(pass_through_attrs.keys()) +
MS_CHAP2_RESPONSE_ATTRS)
auth_result = AuthResult.from_radius_packet(reply,
pass_through_attr_names)
return auth_result
