diff --git a/freeradius/auth.py b/freeradius/auth.py index 8ffcbd80..1e39d449 100644 --- a/freeradius/auth.py +++ b/freeradius/auth.py @@ -19,14 +19,15 @@ # Voir des exemples plus complets ici: # https://github.com/FreeRADIUS/freeradius-server/blob/master/src/modules/rlm_python/ -from lc_ldap.shortcuts import with_ldap_conn, lc_ldap_admin +import lc_ldap.shortcuts from lc_ldap.crans_utils import escape as escape_ldap import lc_ldap.crans_utils from gestion.config.config import vlans import lc_ldap.objets import radiusd import netaddr -from gestion.gen_confs.generate import trigger as trigger_generate +import traceback +from gestion.gen_confs.trigger import trigger_generate_cochon as trigger_generate # Voilà, pour faire marcher le V6Only, il faut se retirer l'ipv4 de sa machine # ou en enregistrer une nouvelle (sans ipv4) avec une autre mac. Moi j'ai la @@ -37,6 +38,15 @@ u'dc:9f:db:5c:c3:ea', # polynice-wlan0 u'00:26:c7:a6:9e:16', # cerveaulent ] +# TODO (à metre dans bcfg2) +#setfacl -m u:freerad:rx /etc/crans/ +#setfacl -m u:freerad:rx /etc/crans/secrets +#setfacl -m u:freerad:r /etc/crans/secrets/dhcp.py +#setfacl -m u:freerad:r /etc/crans/secrets/secrets.py +#setfacl -m u:freerad:r /etc/crans/secrets/trigger-generate.pub +#setfacl -m m::r /etc/crans/secrets/trigger-generate +#setfacl -m u:freerad:r /etc/crans/secrets/trigger-generate + bl_reject = [u'bloq'] bl_isolement = [u'virus', u'autodisc_virus', u'autodisc_p2p', u'ipv6_ra'] # TODO carte_etudiant: dépend si sursis ou non (regarder lc_ldap) 
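Review bot: Aliasing `trigger_generate_cochon` as `trigger_generate` on the last added import line hides that the call has become fire-and-forget: the cochon variant has no `background` parameter and never reports an ssh failure, so a reader of auth.py will keep assuming the old synchronous contract. Importing it under its real name, `from gestion.gen_confs.trigger import trigger_generate_cochon`, and calling that at the one call site makes the semantics visible where it matters. `import traceback` is not used in any hunk of this diff; if nothing outside the diff needs it, drop it rather than leave an unexplained import.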
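Review bot: The setfacl recipe in the added TODO grants the freerad user read access to `/etc/crans/secrets/secrets.py` and `dhcp.py` as well as to the `trigger-generate` private key, but nothing in this diff reads the first two — only the key is referenced (the `-i` argument in trigger.py), so the ACLs should be limited to what the daemon actually opens. FreeRADIUS processes attacker-controlled RADIUS attributes, so any key it can read has to be treated as exposed: the key should be dedicated to this single purpose and, presumably, restricted on the rpcssh side with `command="generate",no-pty,no-port-forwarding,from=...` in authorized_keys — that file is not in the diff, so confirm. Say why in the comment, e.g. `# freerad only needs the ssh key used by gestion/gen_confs/trigger.py; keep these ACLs minimal`. A shell recipe parked in a Python comment is easy to forget; the TODO already says it belongs in bcfg2.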
@@ -44,7 +54,10 @@ bl_isolement = [u'virus', u'autodisc_virus', u'autodisc_p2p', u'ipv6_ra'] bl_accueil = [u'carte_etudiant', u'chambre_invalide', u'paiement'] # Decorateur utilisé plus tard (same connection) -use_ldap = with_ldap_conn(retries=2, delay=5, constructor=lc_ldap_admin) +use_ldap_admin = lc_ldap.shortcuts.with_ldap_conn(retries=2, delay=5, + constructor=lc_ldap.shortcuts.lc_ldap_admin) +use_ldap = lc_ldap.shortcuts.with_ldap_conn(retries=2, delay=5, + constructor=lc_ldap.shortcuts.lc_ldap_anonymous) @use_ldap def get_machines(auth_data, conn): @@ -84,7 +97,7 @@ def get_machines(auth_data, conn): ] for filter_s in search_strats: - res = conn.search(filter_s, mode='rw') + res = conn.search(filter_s) if res: break @@ -120,8 +133,9 @@ def get_prise(auth_data): return bat_name + "%01d%02d" % (bat_num, port) -@use_ldap +@use_ldap_admin def register_mac(auth_data, machine, conn): + machine = conn.search(unicode(machine.dn.split(',',1)[0]), mode='rw')[0] for (key, value) in auth_data: if key == 'Calling-Station-Id': try: 
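Review bot: The re-lookup added at the top of `register_mac`, `machine = conn.search(unicode(machine.dn.split(',',1)[0]), mode='rw')[0]`, indexes the result unconditionally, so an empty result (entry removed or renamed between the anonymous search in `get_machines` and this admin-connection one) raises IndexError out of the rlm_python callback instead of being logged like the other failure paths in this function. Splitting the DN on the first comma also assumes the RDN contains no escaped comma; if lc_ldap exposes a direct way to re-fetch an entry by identifier that would be more robust, but that API is not visible here. A guarded version is below; register_mac's body continues outside this hunk.
```python
@use_ldap_admin
def register_mac(auth_data, machine, conn):
    # Re-fetch the entry on the admin (rw) connection: the object we were
    # handed comes from the anonymous search and cannot be saved.
    found = conn.search(unicode(machine.dn.split(',', 1)[0]), mode='rw')
    if not found:
        radiusd.radlog(radiusd.L_ERR, 'Machine %s vanished before MAC registration' % machine.dn)
        return
    machine = found[0]
    # … unchanged: Calling-Station-Id loop …
```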
@@ -129,19 +143,25 @@ def register_mac(auth_data, machine, conn): mac = lc_ldap.crans_utils.format_mac(value) except: radiusd.radlog(radiusd.L_ERR, 'Cannot format MAC !') + if mac is not None: mac = unicode(mac.lower()) + + radiusd.radlog(radiusd.L_INFO, 'Registering mac %s' % mac) machine['macAddress'] = mac - machine.history_add(u'auth.py', u'macAddress ( %s )' % mac) + machine.history_add(u'auth.py', u'macAddress ( -> %s)' % mac) machine.save() radiusd.radlog(radiusd.L_INFO, 'Mac set') - trigger_generate('komaz', background=True) + radiusd.radlog(radiusd.L_INFO, 'Triggering komaz') + trigger_generate('komaz') + radiusd.radlog(radiusd.L_INFO, 'done ! (triggered komaz)') else: radiusd.radlog(radiusd.L_ERR, 'Cannot find MAC') +@use_ldap_admin @use_ldap -def instantiate(p, conn): - """Utile pour initialiser la connexion ldap une première fois (otherwise, +def instantiate(p, *conns): + """Utile pour initialiser les connexions ldap une première fois (otherwise, do nothing)""" pass @@ -249,7 +269,10 @@ def post_auth(auth_data, conn): # return (0, "Hébergeur non à jour", "accueil") # # + # Pour l'instant, on ne met pas d'infos de vlans dans la réponse return radiusd.RLM_MODULE_OK + + # This is dead code (for now) return (radiusd.RLM_MODULE_UPDATED, ( ("Tunnel-Type", "VLAN"), diff --git a/freeradius/test.py b/freeradius/test.py index c3467794..4d5e7365 100755 --- a/freeradius/test.py +++ b/freeradius/test.py @@ -5,13 +5,17 @@ import auth import sys import time -if len(sys.argv) < 2 and False: - print "Give me a mac !" - sys.exit(1) +delattr(sys, 'argv') + +#if len(sys.argv) < 2 and False: +# print "Give me a mac !" +# sys.exit(1) # Machine à s'authentifier (cerveaulent) #p=(('Calling-Station-Id', sys.argv[1]),) +auth.instantiate(()) + p=( ('Calling-Station-Id', 'ba:27:eb:3c:54:d5'), ('User-Name', 'test18'), diff --git a/gestion/gen_confs/trigger.py b/gestion/gen_confs/trigger.py index 29c565af..8da9b110 100755 --- a/gestion/gen_confs/trigger.py 
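Review bot: The new log line `'done ! (triggered komaz)'` after `trigger_generate('komaz')` is misleading: through the alias in the import block, `trigger_generate` is now `trigger_generate_cochon`, which only hands the ssh command to a background shell and discards its output and exit status, so at that point nothing is known about whether the regeneration succeeded. Log it as what it is, e.g. `radiusd.radlog(radiusd.L_INFO, 'komaz regeneration spawned in background (result not checked)')`. The added `if mac is not None:` guard only works if `mac` is initialised before the loop, which is not visible in the hunk — if `format_mac` raises on the first iteration and no such initialisation exists, the guard itself raises NameError right after the bare `except:`; setting `mac = None` inside that `except` branch makes the guard self-contained. register_mac starts outside this hunk.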
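Review bot: `return radiusd.RLM_MODULE_OK` followed by the unreachable `return (radiusd.RLM_MODULE_UPDATED, ...)` leaves the VLAN-assignment reply as dead code behind a comment; if the isolation and accueil decisions computed earlier in post_auth (outside this hunk; the `bl_isolement` and `bl_accueil` lists are defined at the top of the file) were meant to be enforced through the Tunnel-* reply attributes, returning plain OK means every accepted machine lands on the NAS's default VLAN — confirm that is the intended interim behaviour. Dead code drifts; either delete it (history keeps it) or gate it behind an explicit module-level flag such as `SEND_VLAN_ATTRIBUTES = False` with a comment saying why it is off. post_auth starts outside this hunk.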
+++ b/gestion/gen_confs/trigger.py @@ -3,16 +3,22 @@ import subprocess -def trigger_generate(host, background=False): +_options = ['PasswordAuthentication=no', 'ConnectTimeout=1', 'VerifyHostKeyDNS=yes', + 'BatchMode=yes', 'ServerAliveInterval=5', 'ServerAliveCountMax=1'] +_args = ["ssh", "-4", "-i", "/etc/crans/secrets/trigger-generate" ] + +def build_args(host): if not 'adm.crans.org' in host: host=host + '.adm.crans.org' - options = ['PasswordAuthentication=no', 'ConnectTimeout=1', 'VerifyHostKeyDNS=yes', - 'BatchMode=yes', 'ServerAliveInterval=5', 'ServerAliveCountMax=1'] - args = ["ssh", "-4", "-i", "/etc/crans/secrets/trigger-generate" ] - for opt in options: + args = list(_args) + for opt in _options: args.append('-o') args.append(opt) args.extend(["rpcssh@%s" % host, "generate"]) + return args + +def trigger_generate(host, background=False): + args = build_args(host) if background: subprocess.Popen(args) else: @@ -22,3 +28,10 @@ def trigger_generate(host, background=False): raise Exception(err) return out +def trigger_generate_cochon(host): + """Ceci est une fonction crade qui permet de se débarraser du process enfant + que l'on aurait laissé en arrière plan""" + args = build_args(host) + p = subprocess.Popen(['/bin/bash'], + stdin=subprocess.PIPE, ) + p.communicate(' '.join(args) + ' &> /dev/null &')
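Review bot: `if not 'adm.crans.org' in host:` in `build_args` is a substring test, so a value like `komaz.adm.crans.org.attacker.net` passes unchanged into `rpcssh@%s`; `if not host.endswith('.adm.crans.org'):` is the check the code intends. The only visible caller passes the literal 'komaz', so this is hardening rather than a live bug, but `build_args` is now a public helper and its output is re-parsed by a shell in `trigger_generate_cochon`, which makes the host value worth validating here. Python spells the negation `'adm.crans.org' not in host` in any case.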
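Review bot: `trigger_generate_cochon` feeds `' '.join(args) + ' &> /dev/null &'` to `/bin/bash` over stdin, so any argument containing whitespace or shell metacharacters — in practice the `host` that ends up in `rpcssh@host` — is re-parsed by the shell, which the list-based `subprocess.Popen(args)` in `trigger_generate` just above deliberately avoided. The zombie-avoidance trick (bash backgrounds ssh and exits, `communicate()` reaps bash) keeps working when the command is passed as positional parameters instead of text: `p = subprocess.Popen(['/bin/bash', '-c', '"$@" &> /dev/null &', 'bash'] + args)` followed by `p.wait()`. The exit status of ssh is discarded by design here, so callers must not treat a return from this function as success; the docstring should state that, e.g. `"""Fire-and-forget variant: spawn ssh through a throwaway bash so the child is reparented to init; output and exit status are discarded."""`.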