def validate_radius_server_config(config):
"""
Check the configuration of a radius_server module:
Make sure required keys are present (ikey, skey or skey_protected, api_host, radius_ip_1, radius_secret_1)
All radius_ip entries are valid IPs.
Args:
config: the ConfigDict for the module
Returns:
ConfigCheckResult with any config problems
"""
problems = []
for required_key in ['ikey', 'api_host']:
if required_key not in config:
problems.append(MissingConfigKeyProblem(required_key))
if not ('skey' in config or 'skey_protected' in config):
problems.append(MissingConfigKeyProblem('skey / skey_protected'))
for radius_ip_key in [x for x in config.keys() if x.lower().startswith('radius_ip')]:
radius_ip_value = config[radius_ip_key]
if not ip_util.is_valid_ip(radius_ip_value):
problems.append(InvalidConfigKeyProblem(radius_ip_key, radius_ip_value))
return ConfigCheckResult(problems)
def duo_auth_only(self, request, factor):
"""
duo_auth and return its result. On failure, generate an appropriate
response based on the configured failmode.
"""
try:
client_ip = request.client_ip
if not ip_util.is_valid_ip(client_ip):
client_ip = None
auth_res = yield self.client.auth(request.username, factor,
client_ip)
except duo_async.DuoAPIError as e:
log.err(None, 'Duo auth call failed')
if duo_async.should_server_fail_open(self.failmode, e.fail_open):
msg = duo_async.get_fail_open_msg()
self.log_request(request, msg)
log.auth_standard(msg=msg,
username=request.username,
auth_stage=log.AUTH_SECONDARY,
status=log.AUTH_ALLOW,
client_ip=request.client_ip,
server_section=self.server_section_name,
server_section_ikey=self.server_section_ikey)
ret = {'result': duo_async.API_RESULT_ALLOW, 'status': msg}
defer.returnValue(ret)
else:
msg = duo_async.FAILMODE_SECURE_MSG
self.log_request(request, msg)
log.auth_standard(msg=msg,
username=request.username,
auth_stage=log.AUTH_SECONDARY,
status=log.AUTH_ERROR,
client_ip=request.client_ip,
server_section=self.server_section_name,
server_section_ikey=self.server_section_ikey)
ret = {'result': duo_async.API_RESULT_DENY, 'status': msg}
defer.returnValue(ret)
if auth_res['result'] == duo_async.API_RESULT_ALLOW:
log.auth_standard(msg=auth_res['status'],
username=request.username,
auth_stage=log.AUTH_SECONDARY,
status=log.AUTH_ALLOW,
client_ip=request.client_ip,
server_section=self.server_section_name,
server_section_ikey=self.server_section_ikey)
else:
log.auth_standard(msg=auth_res['status'],
username=request.username,
auth_stage=log.AUTH_SECONDARY,
status=log.AUTH_REJECT,
client_ip=request.client_ip,
server_section=self.server_section_name,
server_section_ikey=self.server_section_ikey)
defer.returnValue(auth_res)
def test_ip_range(self, config, ip_range_key):
""" Test that a value is an IP range in 1 of 4 formats
Args:
config (ConfigDict): the section config to test
ip_range_key (str): Formats are single, range, cidr, and IP/netmask
Returns:
bool
"""
ip = config.get(ip_range_key)
return all(ip_util.is_valid_ip(ip) for ip in util.parse_delimited_set(ip))
def test_is_valid_ip(self, config, ip_key):
"""
Check the validity of an ip address in the config
Args:
config (ConfigDict): the section config to check
ip_key(str): key to an ip range. Formats are single, range, cidr, and IP/netmask
Returns:
Bool: whether or not the ip range is well formatted
"""
ip_range = config.get(ip_key)
return ip_util.is_valid_ip(ip_range)
def get_allowed_ip_networks(config):
"""
Determine the list of allowed IP Networks from the given configuration, where there may be a 'client_ip' section
with a comma-separated list, each item being either
A single IP address
An IP address range
A CIDR-style IP range
Args:
config (ConfigDict): the section config
Returns:
[IPNetwork]: The allowed IP Networks from the config
"""
client_ips = []
for ip_string in util.parse_delimited_set(config.get_str("client_ip", "")):
if ip_util.is_valid_ip(ip_string):
client_ips.extend(ip_util.get_ip_networks(ip_string))
return client_ips
def validate_http_proxy_config(config):
"""
Validate an 'http_proxy' configuration, checking that
1) All required values are present (currently only 'api_host' is required)
2) Any IPs provided in 'client_ip' are valid
Args:
config: A ConfigDict for an http_proxy module
Returns:
ConfigCheckResult with any config problems
"""
problems = []
if "api_host" not in config:
problems.append(MissingConfigKeyProblem("api_host"))
for client_ip in util.parse_delimited_set(config.get_str("client_ip", "")):
is_valid = ip_util.is_valid_ip(client_ip)
if not is_valid:
problems.append(InvalidConfigKeyProblem("client_ip", client_ip))
return ConfigCheckResult(problems)