From 546cba760f6dedfed7f3cfcf54714e40f3b5616b Mon Sep 17 00:00:00 2001
From: Daniel STAN
Date: Thu, 26 Feb 2015 18:17:57 +0100
Subject: [PATCH] auth.py: feeds nas password from secrets

---
 freeradius/auth.py | 54 +++++++++++++++++++++++++++++++++-----
 freeradius/testing/auth.py | 1 +
 2 files changed, 49 insertions(+), 6 deletions(-)
 create mode 120000 freeradius/testing/auth.py

diff --git a/freeradius/auth.py b/freeradius/auth.py
index 1422ca80..bbf81d40 100644
--- a/freeradius/auth.py
+++ b/freeradius/auth.py
@@ -18,6 +18,7 @@ import lc_ldap.objets
 import gestion.config.config as config
 from gestion.gen_confs.trigger import trigger_generate_cochon as trigger_generate
 import annuaires_pg
+from gestion import secrets_new as secrets
 
 TEST_SERVER = bool(os.getenv('DBG_FREERADIUS', False))
 WIFI_DYN_VLAN = TEST_SERVER
@@ -313,14 +314,55 @@ def authorize_fil(data):
         ),
     )
+def radius_password(secret_name, machine=None):
+    """Cherche le mdp radius pour la machine donnée, et fallback sur le
+    secret canonique nommé"""
+    if machine and machine.has_key('TODO'):
+        pass
+    return secrets.get(secret_name)
 @radius_event
-def authorize_nas(data):
-    """Remplis le mdp d'une borne"""
-    password = "passoirtototo"
+@use_ldap
+def authorize_nas(data, ldap):
+    """Remplis le mdp d'une borne, ou d'un switch"""
     logger.debug('nas_auth with %r' % data)
+    radiusd.radlog(radiusd.L_ERR, 'nas_auth with %r' % data)
     ip = data.get('NAS-Identifier', '')
-    ip_stm = ("FreeRADIUS-Client-IP%s-Address" % ('v6' if ':' in ip else ''), ip)
+    is_v6 = ':' in ip
+    ip_stm = ("FreeRADIUS-Client-IP%s-Address" % ('v6'*is_v6, ), ip)
+    # Find machine
+    base_filter = u'(|(objectClass=machineCrans)(objectClass=borneWifi))'
+    if is_v6:
+        addr = netaddr.IPAddress(ip).value
+        # EUI64, hein ?
+        assert ((addr >> 24) & 0xffff) == 0xfffe
+        # Extrait la mac de l'EUI64 (« trust me, it works »)
+        mac = (addr >> 16) & (0xffffff << 24) ^ (addr & 0xffffff) ^ (1 << 42)
+        mac = lc_ldap.crans_utils.format_mac("%012x" % mac)
+        m_filter = u'(macAddress=%s)' % mac
+    else:
+        m_filter = u'(ipHostNumber=%s)' % escape_ldap(ip)
+    machines = ldap.search(u'(&%s%s)' % (base_filter, m_filter))
+    if not machines:
+        if TEST_SERVER or ip == '127.0.0.1':
+            password = radius_password('radius_eap_key')
+            shortname = "wifi"
+            vserver = 'inner-tunnel'
+        else:
+            return radiusd.RLM_MODULE_NOTFOUND
+    elif unicode(machines[0]['host'][0]).startswith('bat'):
+        password = radius_password('radius_key', machines[0])
+        shortname = 'switchs'
+        vserver = 'filaire'
+    else:
+        password = radius_password('radius_eap_key', machines[0])
+        shortname = "wifi"
+        vserver = 'wifi'
     return (radiusd.RLM_MODULE_OK,
         (),
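Review bot: The EUI-64 to MAC conversion in the `if is_v6:` branch flips the wrong bit: the universal/local bit is bit 1 of the first MAC octet, i.e. bit 41 of the 48-bit address, but the code XORs `1 << 42` (Python binds `&` tighter than `^`, so the masks are otherwise right), so every IPv6-derived MAC has 0x04 toggled in its first octet and the `macAddress` lookup misses (constructed example: a NAS at fe80::211:22ff:fe33:4455 yields 06:11:22:33:44:55 instead of 00:11:22:33:44:55); the line should read `mac = (addr >> 16) & (0xffffff << 24) ^ (addr & 0xffffff) ^ (1 << 41)`. The `assert` on the 0xfffe marker is a guard on a value taken from the request, and `netaddr.IPAddress(ip)` can raise on a malformed NAS-Identifier; under `python -O` the assert disappears and otherwise both surface as an exception out of the module instead of a lookup failure, so replace it with `if ((addr >> 24) & 0xffff) != 0xfffe:` / `    return radiusd.RLM_MODULE_NOTFOUND` and consider catching the address parse error the same way. The added `radiusd.radlog(radiusd.L_ERR, ...)` repeats the `logger.debug` line above it at error severity on every NAS lookup; `radiusd.L_DBG` is the matching level if the line is to stay. `authorize_nas` continues past this hunk, its return tuple being completed in the next one.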
@@ -328,10 +370,10 @@ def authorize_nas(data):
         ip_stm,
         ("FreeRADIUS-Client-Require-MA", "no"),
         ("FreeRADIUS-Client-Secret", password),
-        ("FreeRADIUS-Client-Shortname", "wifi"),
+        ("FreeRADIUS-Client-Shortname", shortname),
         ("FreeRADIUS-Client-NAS-Type", "other"),
         # On teste avec une équipe qui marche
-        ("FreeRADIUS-Client-Virtual-Server", "inner-tunnel"),
+        ("FreeRADIUS-Client-Virtual-Server", vserver),
         ),
     )
 @radius_event
diff --git a/freeradius/testing/auth.py b/freeradius/testing/auth.py
new file mode 120000
index 00000000..c43a41e4
--- /dev/null
+++ b/freeradius/testing/auth.py
@@ -0,0 +1 @@
+../auth.py
\ No newline at end of file