def test_success_okta(self, a, b): self.server.hosts["127.0.0.1"] = os.getenv('RADIUS_SECRET') self.server.BindToAddress("127.0.0.1") Client(server="127.0.0.1", secret=os.getenv('RADIUS_SECRET').encode(), dict=Dictionary("dictionary")) # create request req = AuthPacket( id=AccessRequest, secret=os.getenv('RADIUS_SECRET').encode(), authenticator=b'01234567890ABCDEF', dict=Dictionary("dictionary") ) req["User-Name"] = '*****@*****.**' req["User-Password"] = req.PwCrypt('fake') req["Proxy-State"] = 'state'.encode("ascii") req.source = ("test", "port") fd = MockFd() req.fd = fd # send request with self.assertLogs('server', level='INFO') as log: self.server.auth_handler(req) self.assertEqual(fd.data, b'\x02\x01\x00\x1b\x82\xb4\x88\xb4G\xbc:\xde\xc1\xe5A\xe0\xe7y\r\x1f!\x07state') self.assertIn('INFO:server:Push approved by [email protected].', log.output)
def HandleAuthPacket(self:server.Server, pkt:packet.AuthPacket): print(vars()) print("Auth request: ") print(pkt) reply = self.CreateReplyPacket(pkt, **{"Service-Type": "Framed-User", "Framed-IP-Address": pkt['Framed-IP-Address'][0]}) # type: packet.AuthPacket print(dir(reply)) reply.code = packet.AccessReject for attr in pkt.keys(): print("%s: %s" % (attr, pkt[attr])) if "User-Password" in pkt.keys(): print("Checking Password") print(pkt.secret) pkt.dict passwd = pkt.PwDecrypt(pkt.get(2)[0]) print(passwd) # Remove expired vouchers before authenticating GuestServer.removeExpiredVouchers() # Auth against current tokens print(list(map(lambda v: str(v), GuestServer.vouchers))) if GuestServer.vouchers and reduce(lambda a, b: a or b, map(lambda v: v.authenticate(passwd), GuestServer.vouchers)): print("Auth Success") reply.code = packet.AccessAccept else: print("Auth Failed") self.SendReplyPacket(pkt.fd, reply)
def process_request(data, address, secret): error_message = None pkt = AuthPacket(packet=data, secret=secret, dict={}) reply_pkt = pkt.CreateReply() reply_pkt.code = AccessReject try: username = pkt.get(1)[0] try: password = pkt.PwDecrypt(pkt.get(2)[0]) except UnicodeDecodeError: logger.error("Error decrypting password -- probably incorrect secret") reply_pkt.code = AccessReject return reply_pkt.ReplyPacket() auth_status = auth_with_foxpass(username, password) and two_factor(username) if auth_status: logger.info('Successful auth') reply_pkt.code = AccessAccept return reply_pkt.ReplyPacket() logger.info('Incorrect password') error_message = 'Incorrect password' except Exception as e: logger.exception(e) error_message = 'Unknown error' if error_message: reply_pkt.AddAttribute(18, error_message) return reply_pkt.ReplyPacket()
def add_mppe( reply: AuthPacket, send_key: bytes, recv_key: bytes, secret: bytes, authenticator: bytes, ) -> None: """ Add MPPE (Microsoft Point to Point Encryption) Send and Recv keys to the provided packet Args: reply: the reply to add the send key and recv key to send_key: The plaintext MS-MPPE-Send-Key to encrypt and add to the reply recv_key: The plaintext MS-MPPE-Recv-Key to encrypt and add to the reply secret: the RADIUS secret authenticator: RADIUS authenticator. Should be 16 bytes. """ sodiumchloride = _generator.randint(32768, 65535) # Leftmost bit must be set potassiumnitrate = _generator.randint(32768, 65535) # Leftmost bit must be set send_key_salt = struct.pack(">H", sodiumchloride) recv_key_salt = struct.pack(">H", potassiumnitrate) encrypted_send_key = encrypt_mppe(send_key, secret, authenticator, send_key_salt) encrypted_recv_key = encrypt_mppe(recv_key, secret, authenticator, recv_key_salt) reply.AddAttribute((MICROSOFT_VENDOR_ID, MS_MPPE_SEND_KEY_TYPE), send_key_salt + encrypted_send_key) reply.AddAttribute((MICROSOFT_VENDOR_ID, MS_MPPE_RECV_KEY_TYPE), recv_key_salt + encrypted_recv_key)
def test_using_samaccountname_flag(self, o, mock_get, mock_post): self.assertIsNotNone(os.environ.get('OKTA_USE_SAMACCOUNTNAME')) self.server.hosts["127.0.0.1"] = os.getenv('RADIUS_SECRET') self.server.BindToAddress("127.0.0.1") Client(server="127.0.0.1", secret=os.getenv('RADIUS_SECRET').encode(), dict=Dictionary("dictionary")) # create request req = AuthPacket( id=AccessRequest, secret=os.getenv('RADIUS_SECRET').encode(), authenticator=b'01234567890ABCDEF', dict=Dictionary("dictionary") ) req["User-Name"] = 'username' req["User-Password"] = req.PwCrypt('fake') req["Proxy-State"] = 'state'.encode() req.source = ("test", "port") fd = MockFd() req.fd = fd # send request with self.assertLogs('server', level='INFO') as log: o.return_value = '00ub0oNGTSWTBKOLGLNR' self.server.auth_handler(req) o.assert_called_once_with('username') self.assertEqual(fd.data, b'\x02\x01\x00\x1b\x82\xb4\x88\xb4G\xbc:\xde\xc1\xe5A\xe0\xe7y\r\x1f!\x07state') self.assertIn('INFO:server:Push approved by username.', log.output)
def __init__(self, code=AccessRequest, id=None, secret=six.b(''), authenticator=None, **attributes): AuthPacket.__init__(self, code, id, secret, authenticator, **attributes)
def __init__(self, code=AccessRequest, id=None, secret=six.b(''), authenticator=None, **attributes): AuthPacket.__init__(self, code, id, secret, authenticator, **attributes) self.deferred = Deferred() self.source_user = None self.vendor_id = 0 self.vlanid = 0 self.vlanid2 = 0 self.client_macaddr = None self.created = datetime.datetime.now()
def _create_reply(self, request_packet: packet.AuthPacket, success: bool) -> AuthResult: """ Creates an AuthResult as a reply the given request_packet Args: request_packet: The request to create a reply to success: True if the reply should have code AccessAccept, false for AccessReject """ pass_through_attrs = copy.copy(self.pass_through_radius_attrs) reply = request_packet.CreateReply() reply.code = packet.AccessAccept if success else packet.AccessReject reply.authenticator = request_packet.authenticator reply.AddAttribute("Reply-Message", "Hello") # If it's an MS-CHAPv2 request, add the MS-MPPE-Send-Key and MS-MPPE-Recv-Key if ("MS-CHAP-Challenge" in request_packet or "MS-CHAP2-Response" in request_packet): mppe.add_mppe( reply, self.ms_mppe_send_key, self.ms_mppe_recv_key, self.secret.encode(), request_packet.authenticator, ) # Include error info in response, if it's MS-CHAP2 and an error if not success and self.chap_challenge: pass_through_attrs["MS-CHAP-Error"] = [b"\x00E=691 R=0 V=3"] if request_packet.get("MS-CHAP2-Response") == [ self.chap2_response_expired.encode() ]: pass_through_attrs["MS-CHAP-Error"] = [b"\x00E=648 R=0 V=3"] add_packet_attributes(reply, pass_through_attrs) # Wrap the reply in an AuthResult pass_through_attr_names = (list(pass_through_attrs.keys()) + MS_CHAP2_RESPONSE_ATTRS) auth_result = AuthResult.from_radius_packet(reply, pass_through_attr_names) return auth_result
def process_request(data, address, secret): error_message = None pkt = AuthPacket(packet=data, secret=secret, dict={}) reply_pkt = pkt.CreateReply() reply_pkt.code = AccessReject try: username = pkt.get(1)[0] try: password = pkt.PwDecrypt(pkt.get(2)[0]) except UnicodeDecodeError: logger.error( "Error decrypting password -- probably incorrect secret") reply_pkt.code = AccessReject return reply_pkt.ReplyPacket() auth_status = auth_with_foxpass(username, password) and two_factor(username) if auth_status: logger.info('Successful auth') reply_pkt.code = AccessAccept return reply_pkt.ReplyPacket() logger.info('Incorrect password') error_message = 'Incorrect password' except Exception as e: logger.exception(e) error_message = 'Unknown error' if error_message: reply_pkt.AddAttribute(18, error_message) return reply_pkt.ReplyPacket()
def process_request(data, address, secret): error_message = None pkt = AuthPacket(packet=data, secret=secret, dict={}) reply_pkt = pkt.CreateReply() reply_pkt.code = AccessReject try: username = pkt.get(1)[0] logger.info("Auth attempt for '%s'" % (username,)) try: password = pkt.get(2) if not password: logger.error("No password field in request") reply_pkt.code = AccessReject return reply_pkt.ReplyPacket() password = pkt.PwDecrypt(password[0]) except UnicodeDecodeError: logger.error("Error decrypting password -- probably incorrect secret") reply_pkt.code = AccessReject return reply_pkt.ReplyPacket() auth_status = auth_with_foxpass(username, password) and group_match(username) and two_factor(username) if auth_status: logger.info("Successful auth for '%s'" % (username,)) reply_pkt.code = AccessAccept return reply_pkt.ReplyPacket() logger.info("Authentication failed for '%s'" % (username,)) error_message = 'Authentication failed' except Exception as e: logger.exception(e) error_message = str(e) if error_message: reply_pkt.AddAttribute(18, error_message) return reply_pkt.ReplyPacket()
def handle(self, data, address): ip, port = address print('from %s, data: %r' % (ip, data)) # 处理 request = AuthPacket(dict=self.dictionary, secret=SECRET, packet=data) is_user = True if is_user: reply = access_accept(request) print('access_accept') else: reply = access_reject(request) print('access_reject') reply['Acct-Interim-Interval'] = 60 # 返回 self.socket.sendto(reply.ReplyPacket(), address)
def add_mppe(reply: AuthPacket, keys: List[bytes], secret: bytes, auth: bytes) -> None: """ Add MPPE (Microsoft Point to Point Encryption) attributes to the reply packet Args: reply (AuthPacket): the reply that will be sent keys [bytes, bytes]: two-element list of bytes that are the MPPE keys secret (bytes): the RADIUS secret auth (bytes): RADIUS authenticator """ sodiumchloride = _generator.randint(32768, 65535) # Leftmost bit must be set potassiumnitrate = _generator.randint(32768, 65535) # Leftmost bit must be set salt = struct.pack('>H', sodiumchloride) salt2 = struct.pack('>H', potassiumnitrate) encrypted_keys = [ encrypt_mppe(keys[0], secret, auth, salt), encrypt_mppe(keys[1], secret, auth, salt2) ] reply.AddAttribute(26, ms_attr(17, salt + encrypted_keys[0])) # Recv-key reply.AddAttribute(26, ms_attr(16, salt2 + encrypted_keys[1])) # Send-Key
def testSendPacket(self): def MockSend(self, pkt, port): self._mock_pkt = pkt self._mock_port = port _SendPacket = Client._SendPacket Client._SendPacket = MockSend self.client.SendPacket(AuthPacket()) self.assertEqual(self.client._mock_port, self.client.authport) self.client.SendPacket(AcctPacket()) self.assertEqual(self.client._mock_port, self.client.acctport) Client._SendPacket = _SendPacket
def CreateAuthPacket(self, **args): """Create a new RADIUS packet. This utility function creates a new RADIUS packet which can be used to communicate with the RADIUS server this client talks to. This is initializing the new packet with the dictionary and secret used for the client. :return: a new empty packet instance :rtype: pyrad.packet.Packet """ if not self.protocol_auth: raise Exception('Transport not initialized') return AuthPacket(dict=self.dict, id=self.protocol_auth.create_id(), secret=self.secret, **args)
def handle(self, data, address): ip, port = address # print('from %s, data: %r' % (ip, data)) # 解析报文 request = AuthPacket(dict=self.dictionary, secret=SECRET, packet=data) # 验证用户 auth_user = verify(request) # 接受或拒绝 reply = access_reject(request) if auth_user.is_valid: if is_unique_session(mac_address=auth_user.mac_address): reply = access_accept(request) # 返回 reply['Acct-Interim-Interval'] = ACCT_INTERVAL self.socket.sendto(reply.ReplyPacket(), address)
def process_request(data, address, secret): error_message = None pkt = AuthPacket(packet=data, secret=secret, dict=Dictionary(io.StringIO(DICTIONARY_DATA))) reply_pkt = pkt.CreateReply() reply_pkt.code = AccessReject try: # [0] is needed because pkt.get returns a list pkt_username = pkt.get('User-Name')[0] logger.info("Auth attempt for '%s'" % (pkt_username, )) try: password = pkt.get('Password') if not password: logger.error("No password field in request") reply_pkt.code = AccessReject return reply_pkt.ReplyPacket() # [0] is needed because pkt.get returns a list password = pkt.PwDecrypt(password[0]) except UnicodeDecodeError: logger.error( "Error decrypting password -- probably incorrect secret") reply_pkt.code = AccessReject return reply_pkt.ReplyPacket() (auth_status, username) = auth_with_foxpass(pkt_username, password) auth_status = auth_status and group_match(username) and two_factor( username) if auth_status: logger.info("Successful auth for '%s'" % (pkt_username, )) reply_pkt.code = AccessAccept return reply_pkt.ReplyPacket() logger.info("Authentication failed for '%s'" % (pkt_username, )) error_message = 'Authentication failed' except Exception as e: logger.exception(e) error_message = str(e) if error_message: reply_pkt.AddAttribute('Reply-Message', error_message) return reply_pkt.ReplyPacket()
def datagram_received(self, data, addr): self.logger.debug('[%s:%d] Received %d bytes from %s', self.ip, self.port, len(data), addr) receive_date = datetime.utcnow() if addr[0] in self.hosts: remote_host = self.hosts[addr[0]] elif '0.0.0.0' in self.hosts: remote_host = self.hosts['0.0.0.0'] else: self.logger.warn('[%s:%d] Drop package from unknown source %s', self.ip, self.port, addr) return try: self.logger.debug('[%s:%d] Received from %s packet: %s', self.ip, self.port, addr, data.hex()) req = Packet(packet=data, dict=self.server.dict) except Exception as exc: self.logger.error('[%s:%d] Error on decode packet: %s', self.ip, self.port, exc) return try: if req.code in (AccountingResponse, AccessAccept, AccessReject, CoANAK, CoAACK, DisconnectNAK, DisconnectACK): raise ServerPacketError('Invalid response packet %d' % req.code) elif self.server_type == ServerType.Auth: if req.code != AccessRequest: raise ServerPacketError( 'Received non-auth packet on auth port') req = AuthPacket(secret=remote_host.secret, dict=self.server.dict, packet=data) if self.server.enable_pkt_verify: if req.VerifyAuthRequest(): raise PacketError('Packet verification failed') elif self.server_type == ServerType.Coa: if req.code != DisconnectRequest and req.code != CoARequest: raise ServerPacketError( 'Received non-coa packet on coa port') req = CoAPacket(secret=remote_host.secret, dict=self.server.dict, packet=data) if self.server.enable_pkt_verify: if req.VerifyCoARequest(): raise PacketError('Packet verification failed') elif self.server_type == ServerType.Acct: if req.code != AccountingRequest: raise ServerPacketError( 'Received non-acct packet on acct port') req = AcctPacket(secret=remote_host.secret, dict=self.server.dict, packet=data) if self.server.enable_pkt_verify: if req.VerifyAcctRequest(): raise PacketError('Packet verification failed') # Call request callback self.request_callback(self, req, addr) except Exception as exc: if self.server.debug: self.logger.exception('[%s:%d] Error for packet from %s', self.ip, self.port, addr) else: self.logger.error('[%s:%d] Error for packet from %s: %s', self.ip, self.port, addr, exc) process_date = datetime.utcnow() self.logger.debug('[%s:%d] Request from %s processed in %d ms', self.ip, self.port, addr, (process_date - receive_date).microseconds / 1000)
def datagram_received(self, data, addr): self.logger.debug('[%s:%d] Received %d bytes from %s', self.ip, self.port, len(data), addr) receive_date = datetime.utcnow() remote_host = self.__get_remote_host__(addr[0]) if remote_host: try: if self.server.debug: self.logger.info('[%s:%d] Received from %s packet: %s.' % (self.ip, self.port, addr, data.hex())) req = Packet(packet=data, dict=self.server.dict) except Exception as exc: self.logger.error( '[%s:%d] Error on decode packet: %s. Ignore it.' % (self.ip, self.port, exc)) req = None if not req: return try: if req.code in (AccountingResponse, AccessAccept, AccessReject, CoANAK, CoAACK, DisconnectNAK, DisconnectACK): raise ServerPacketError('Invalid response packet %d' % req.code) elif self.server_type == ServerType.Auth: if req.code != AccessRequest: raise ServerPacketError( 'Received not-authentication packet ' 'on authentication port') req = AuthPacket(secret=remote_host.secret, dict=self.server.dict, packet=data) if self.server.enable_pkt_verify and \ req.message_authenticator and \ not req.verify_message_authenticator(): raise PacketError( 'Received invalid Message-Authenticator') elif self.server_type == ServerType.Coa: if req.code != DisconnectRequest and \ req.code != CoARequest: raise ServerPacketError( 'Received not-coa packet on coa port') req = CoAPacket(secret=remote_host.secret, dict=self.server.dict, packet=data) if self.server.enable_pkt_verify: if not req.VerifyCoARequest(): raise PacketError('Packet verification failed') if req.message_authenticator and \ not req.verify_message_authenticator(): raise PacketError( 'Received invalid Message-Authenticator') elif self.server_type == ServerType.Acct: if req.code != AccountingRequest: raise ServerPacketError( 'Received not-accounting packet on ' 'accounting port') req = AcctPacket(secret=remote_host.secret, dict=self.server.dict, packet=data) if self.server.enable_pkt_verify: if not req.VerifyAcctRequest(): raise PacketError('Packet verification failed') if req.message_authenticator and not \ req.verify_message_authenticator(): raise PacketError( 'Received invalid Message-Authenticator') # Call request callback self.request_callback(self, req, addr) self.requests += 1 except Exception as e: self.logger.error( '[%s:%d] Unexpected error for packet from %s: %s' % (self.ip, self.port, addr, (e, '\n'.join(traceback.format_exc().splitlines()) )[self.server.debug])) else: self.logger.error('[%s:%d] Drop package from unknown source %s', self.ip, self.port, addr) process_date = datetime.utcnow() self.logger.debug('[%s:%d] Request from %s processed in %d ms', self.ip, self.port, addr, (process_date - receive_date).microseconds / 1000)