auth.py: feeds nas password from secrets

This commit is contained in:
Daniel STAN 2015-02-26 18:17:57 +01:00
parent ea4e86dbdd
commit 546cba760f
2 changed files with 49 additions and 6 deletions


@ -18,6 +18,7 @@ import lc_ldap.objets
import gestion.config.config as config import gestion.config.config as config
from gestion.gen_confs.trigger import trigger_generate_cochon as trigger_generate from gestion.gen_confs.trigger import trigger_generate_cochon as trigger_generate
import annuaires_pg import annuaires_pg
from gestion import secrets_new as secrets
TEST_SERVER = bool(os.getenv('DBG_FREERADIUS', False)) TEST_SERVER = bool(os.getenv('DBG_FREERADIUS', False))
WIFI_DYN_VLAN = TEST_SERVER WIFI_DYN_VLAN = TEST_SERVER
@ -313,14 +314,55 @@ def authorize_fil(data):
), ),
) )
def radius_password(secret_name, machine=None):
"""Cherche le mdp radius pour la machine donnée, et fallback sur le
secret canonique nommé"""
if machine and machine.has_key('TODO'):
pass
return secrets.get(secret_name)
@radius_event @radius_event
def authorize_nas(data): @use_ldap
"""Remplis le mdp d'une borne""" def authorize_nas(data, ldap):
password = "passoirtototo" """Remplis le mdp d'une borne, ou d'un switch"""
logger.debug('nas_auth with %r' % data) logger.debug('nas_auth with %r' % data)
radiusd.radlog(radiusd.L_ERR, 'nas_auth with %r' % data)
ip = data.get('NAS-Identifier', '') ip = data.get('NAS-Identifier', '')
ip_stm = ("FreeRADIUS-Client-IP%s-Address" % ('v6' if ':' in ip else ''), ip) is_v6 = ':' in ip
ip_stm = ("FreeRADIUS-Client-IP%s-Address" % ('v6'*is_v6, ), ip)
# Find machine
base_filter = u'(|(objectClass=machineCrans)(objectClass=borneWifi))'
if is_v6:
addr = netaddr.IPAddress(ip).value
# EUI64, hein ?
assert ((addr >> 24) & 0xffff) == 0xfffe
# Extrait la mac de l'EUI64 (« trust me, it works »)
mac = (addr >> 16) & (0xffffff << 24) ^ (addr & 0xffffff) ^ (1 << 42)
mac = lc_ldap.crans_utils.format_mac("%012x" % mac)
m_filter = u'(macAddress=%s)' % mac
else:
m_filter = u'(ipHostNumber=%s)' % escape_ldap(ip)
machines = ldap.search(u'(&%s%s)' % (base_filter, m_filter))
if not machines:
if TEST_SERVER or ip == '127.0.0.1':
password = radius_password('radius_eap_key')
shortname = "wifi"
vserver = 'inner-tunnel'
else:
return radiusd.RLM_MODULE_NOTFOUND
elif unicode(machines[0]['host'][0]).startswith('bat'):
password = radius_password('radius_key', machines[0])
shortname = 'switchs'
vserver = 'filaire'
else:
password = radius_password('radius_eap_key', machines[0])
shortname = "wifi"
vserver = 'wifi'
return (radiusd.RLM_MODULE_OK, return (radiusd.RLM_MODULE_OK,
(), (),
@ -328,10 +370,10 @@ def authorize_nas(data):
ip_stm, ip_stm,
("FreeRADIUS-Client-Require-MA", "no"), ("FreeRADIUS-Client-Require-MA", "no"),
("FreeRADIUS-Client-Secret", password), ("FreeRADIUS-Client-Secret", password),
("FreeRADIUS-Client-Shortname", "wifi"), ("FreeRADIUS-Client-Shortname", shortname),
("FreeRADIUS-Client-NAS-Type", "other"), ("FreeRADIUS-Client-NAS-Type", "other"),
# On teste avec une équipe qui marche # On teste avec une équipe qui marche
("FreeRADIUS-Client-Virtual-Server", "inner-tunnel"), ("FreeRADIUS-Client-Virtual-Server", vserver),
), ),
) )
@radius_event @radius_event
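Review bot: The `assert ((addr >> 24) & 0xffff) == 0xfffe` in the IPv6 branch of authorize_nas validates a NAS-Identifier taken straight from the request, so a non-EUI-64 value raises AssertionError out of the authorize callback instead of yielding a module return code, and the check disappears entirely under `python -O`; replace it with `if ((addr >> 24) & 0xffff) != 0xfffe: return radiusd.RLM_MODULE_NOTFOUND`, and since `netaddr.IPAddress(ip)` on the line above also raises on a malformed identifier, that parse wants the same guard. The U/L-bit flip on the following line uses `(1 << 42)`, but the universal/local bit is 0x02 of the first octet, which in a 48-bit value is bit 41 — unless I have miscounted, an address derived from `00:11:22:33:44:55` would come back as `06:11:22:33:44:55` and never match `macAddress`, so a comment with one known address/MAC pair (or a doctest) would pin this down. The `radiusd.radlog(radiusd.L_ERR, 'nas_auth with %r' % data)` line duplicates the `logger.debug` just above it at error severity and writes the full request dictionary to the FreeRADIUS log on every NAS lookup; it reads as a leftover debugging aid and should be dropped or lowered to `radiusd.L_DBG`. Finally, `radius_password` documents a per-machine fallback but its `machine.has_key('TODO')` branch is a placeholder, so the docstring should state that `machine` is currently ignored and the canonical secret is always returned.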

1
freeradius/testing/auth.py Symbolic link

@ -0,0 +1 @@
../auth.py