Commit 1b5d753d authored by Thijs Kinkhorst's avatar Thijs Kinkhorst

Fix formatting of radius module

...@@ -39,9 +39,9 @@ authentication source which uses the `radius:Radius` module to ...@@ -39,9 +39,9 @@ authentication source which uses the `radius:Radius` module to
/* /*
* The number of times we should retry connections to the RADIUS server. * The number of times we should retry connections to the RADIUS server.
* Please note that retries would be attempted with each server before * Please note that retries would be attempted with each server before
* trying with the next server in the queue, so if you want not to wait * trying with the next server in the queue, so if you want not to wait
* before trying the next server, retries should be set to 1. * before trying the next server, retries should be set to 1.
* Optional, defaults to 3 attempts. * Optional, defaults to 3 attempts.
*/ */
'retries' => 3, 'retries' => 3,
...@@ -71,7 +71,7 @@ from the RADIUS server. ...@@ -71,7 +71,7 @@ from the RADIUS server.
The code expects one vendor-attribute with a specific vendor and a specific The code expects one vendor-attribute with a specific vendor and a specific
vendor attribute type for each user attribute. The vendor-attribute must vendor attribute type for each user attribute. The vendor-attribute must
contain a value on the form <name>=<value>. contain a value of the form `&lt;name&gt;=&lt;value&gt;`.
The following configuration options are available for user attributes: The following configuration options are available for user attributes:
...@@ -7,209 +7,220 @@ ...@@ -7,209 +7,220 @@
* *
* @package SimpleSAMLphp * @package SimpleSAMLphp
*/ */
class sspmod_radius_Auth_Source_Radius extends sspmod_core_Auth_UserPassBase { class sspmod_radius_Auth_Source_Radius extends sspmod_core_Auth_UserPassBase
{
/** /**
* The list of radius servers to use. * The list of radius servers to use.
*/ */
private $servers; private $servers;
/** /**
* The hostname of the radius server. * The hostname of the radius server.
*/ */
private $hostname; private $hostname;
/** /**
* The port of the radius server. * The port of the radius server.
*/ */
private $port; private $port;
/** /**
* The secret used when communicating with the radius server. * The secret used when communicating with the radius server.
*/ */
private $secret; private $secret;
/** /**
* The timeout for contacting the radius server. * The timeout for contacting the radius server.
*/ */
private $timeout; private $timeout;
/** /**
* The number of retries which should be attempted. * The number of retries which should be attempted.
*/ */
private $retries; private $retries;
/** /**
* The attribute name where the username should be stored. * The attribute name where the username should be stored.
*/ */
private $usernameAttribute; private $usernameAttribute;
/** /**
* The vendor for the RADIUS attributes we are interrested in. * The vendor for the RADIUS attributes we are interrested in.
*/ */
private $vendor; private $vendor;
/** /**
* The vendor-specific attribute for the RADIUS attributes we are interrested in. * The vendor-specific attribute for the RADIUS attributes we are
*/ * interrested in.
private $vendorType; */
/** private $vendorType;
* The NAS-Identifier that should be set in Access-Request packets.
*/ /**
private $nasIdentifier; * The NAS-Identifier that should be set in Access-Request packets.
*/
/** private $nasIdentifier;
* Constructor for this authentication source.
* /**
* @param array $info Information about this authentication source. * Constructor for this authentication source.
* @param array $config Configuration. *
*/ * @param array $info Information about this authentication source.
public function __construct($info, $config) { * @param array $config Configuration.
assert('is_array($info)'); */
assert('is_array($config)'); public function __construct($info, $config)
{
// Call the parent constructor first, as required by the interface assert('is_array($info)');
parent::__construct($info, $config); assert('is_array($config)');
// Parse configuration. // Call the parent constructor first, as required by the interface
$config = SimpleSAML_Configuration::loadFromArray($config, parent::__construct($info, $config);
'Authentication source ' . var_export($this->authId, TRUE));
// Parse configuration.
$this->servers = $config->getArray('servers', array()); $config = SimpleSAML_Configuration::loadFromArray($config,
/* For backwards compatibility. */ 'Authentication source ' . var_export($this->authId, true));
if (empty($this->servers)) {
$this->hostname = $config->getString('hostname'); $this->servers = $config->getArray('servers', array());
$this->port = $config->getIntegerRange('port', 1, 65535, 1812); /* For backwards compatibility. */
$this->secret = $config->getString('secret'); if (empty($this->servers)) {
$this->servers[] = array('hostname' => $this->hostname, $this->hostname = $config->getString('hostname');
'port' => $this->port, $this->port = $config->getIntegerRange('port', 1, 65535, 1812);
'secret' => $this->secret); $this->secret = $config->getString('secret');
} $this->servers[] = array('hostname' => $this->hostname,
$this->timeout = $config->getInteger('timeout', 5); 'port' => $this->port,
$this->retries = $config->getInteger('retries', 3); 'secret' => $this->secret);
$this->usernameAttribute = $config->getString('username_attribute', NULL); }
$this->nasIdentifier = $config->getString('nas_identifier', $this->timeout = $config->getInteger('timeout', 5);
isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : 'localhost'); $this->retries = $config->getInteger('retries', 3);
$this->usernameAttribute = $config->getString('username_attribute', null);
$this->vendor = $config->getInteger('attribute_vendor', NULL); $this->nasIdentifier = $config->getString('nas_identifier',
if ($this->vendor !== NULL) { isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : 'localhost');
$this->vendorType = $config->getInteger('attribute_vendor_type');
} $this->vendor = $config->getInteger('attribute_vendor', null);
} if ($this->vendor !== null) {
$this->vendorType = $config->getInteger('attribute_vendor_type');
}
/** }
* Attempt to log in using the given username and password.
*
* @param string $username The username the user wrote. /**
* @param string $password The password the user wrote. * Attempt to log in using the given username and password.
* @return array Associative array with the users attributes. *
*/ * @param string $username The username the user wrote.
protected function login($username, $password) { * @param string $password The password the user wrote.
assert('is_string($username)'); * @return array Associative array with the user's attributes.
assert('is_string($password)'); */
protected function login($username, $password)
$radius = radius_auth_open(); {
assert('is_string($username)');
/* Try to add all radius servers, trigger a failure if no one works. */ assert('is_string($password)');
$success = false;
foreach ($this->servers as $server) { $radius = radius_auth_open();
if (!isset($server['port'])) {
$server['port'] = 1812; /* Try to add all radius servers, trigger a failure if no one works. */
} $success = false;
if (!radius_add_server($radius, $server['hostname'], $server['port'], $server['secret'], foreach ($this->servers as $server) {
$this->timeout, $this->retries)) { if (!isset($server['port'])) {
SimpleSAML_Logger::info("Could not connect to server: ".radius_strerror($radius)); $server['port'] = 1812;
continue; }
} if (!radius_add_server($radius,
$success = true; $server['hostname'], $server['port'], $server['secret'],
} $this->timeout, $this->retries)) {
if (!$success) { SimpleSAML_Logger::info("Could not connect to server: " .
throw new Exception('Error connecting to radius server, no servers available'); radius_strerror($radius));
} continue;
}
if (!radius_create_request($radius, RADIUS_ACCESS_REQUEST)) { $success = true;
throw new Exception('Error creating radius request: ' . radius_strerror($radius)); }
} if (!$success) {
throw new Exception('Error connecting to radius server, no servers available');
radius_put_attr($radius, RADIUS_USER_NAME, $username); }
radius_put_attr($radius, RADIUS_USER_PASSWORD, $password);
if (!radius_create_request($radius, RADIUS_ACCESS_REQUEST)) {
if ($this->nasIdentifier != NULL) throw new Exception('Error creating radius request: ' .
radius_put_attr($radius, RADIUS_NAS_IDENTIFIER, $this->nasIdentifier); radius_strerror($radius));
}
$res = radius_send_request($radius);
if ($res != RADIUS_ACCESS_ACCEPT) { radius_put_attr($radius, RADIUS_USER_NAME, $username);
switch ($res) { radius_put_attr($radius, RADIUS_USER_PASSWORD, $password);
case RADIUS_ACCESS_REJECT:
/* Invalid username or password. */ if ($this->nasIdentifier != null) {
throw new SimpleSAML_Error_Error('WRONGUSERPASS'); radius_put_attr($radius, RADIUS_NAS_IDENTIFIER, $this->nasIdentifier);
case RADIUS_ACCESS_CHALLENGE: }
throw new Exception('Radius authentication error: Challenge requested, but not supported.');
default: $res = radius_send_request($radius);
throw new Exception('Error during radius authentication: ' . radius_strerror($radius)); if ($res != RADIUS_ACCESS_ACCEPT) {
} switch ($res) {
} case RADIUS_ACCESS_REJECT:
/* Invalid username or password. */
/* If we get this far, we have a valid login. */ throw new SimpleSAML_Error_Error('WRONGUSERPASS');
case RADIUS_ACCESS_CHALLENGE:
$attributes = array(); throw new Exception('Radius authentication error: Challenge requested, but not supported.');
default:
if ($this->usernameAttribute !== NULL) { throw new Exception('Error during radius authentication: ' .
$attributes[$this->usernameAttribute] = array($username); radius_strerror($radius));
} }
}
if ($this->vendor === NULL) {
/* /* If we get this far, we have a valid login. */
* We aren't interested in any vendor-specific attributes. We are
* therefore done now. $attributes = array();
*/
return $attributes; if ($this->usernameAttribute !== null) {
} $attributes[$this->usernameAttribute] = array($username);
}
/* get AAI attribute sets. Contributed by Stefan Winter, (c) RESTENA */
while ($resa = radius_get_attr($radius)) { if ($this->vendor === null) {
/*
if (!is_array($resa)) { * We aren't interested in any vendor-specific attributes. We are
throw new Exception('Error getting radius attributes: ' . radius_strerror($radius)); * therefore done now.
} */
return $attributes;
/* Use the received user name */ }
if ($resa['attr'] == RADIUS_USER_NAME) {
$attributes[$this->usernameAttribute] = array($resa['data']); /* get AAI attribute sets. Contributed by Stefan Winter, (c) RESTENA */
continue; while ($resa = radius_get_attr($radius)) {
}
if (!is_array($resa)) {
if ($resa['attr'] !== RADIUS_VENDOR_SPECIFIC) { throw new Exception('Error getting radius attributes: ' .
continue; radius_strerror($radius));
} }
$resv = radius_get_vendor_attr($resa['data']); /* Use the received user name */
if (!is_array($resv)) { if ($resa['attr'] == RADIUS_USER_NAME) {
throw new Exception('Error getting vendor specific attribute: ' . radius_strerror($radius)); $attributes[$this->usernameAttribute] = array($resa['data']);
} continue;
}
$vendor = $resv['vendor'];
$attrv = $resv['attr']; if ($resa['attr'] !== RADIUS_VENDOR_SPECIFIC) {
$datav = $resv['data']; continue;
}
if ($vendor != $this->vendor || $attrv != $this->vendorType) {
continue; $resv = radius_get_vendor_attr($resa['data']);
} if (!is_array($resv)) {
throw new Exception('Error getting vendor specific attribute: ' .
$attrib_name = strtok($datav,'='); radius_strerror($radius));
$attrib_value = strtok('='); }
/* if the attribute name is already in result set, add another value */ $vendor = $resv['vendor'];
if (array_key_exists($attrib_name, $attributes)) { $attrv = $resv['attr'];
$attributes[$attrib_name][] = $attrib_value; $datav = $resv['data'];
} else {
$attributes[$attrib_name] = array($attrib_value); if ($vendor != $this->vendor || $attrv != $this->vendorType) {
} continue;
} }
/* end of contribution */
$attrib_name = strtok($datav,'=');
return $attributes; $attrib_value = strtok('=');
}
/* if the attribute name is already in result set,
add another value */
if (array_key_exists($attrib_name, $attributes)) {
$attributes[$attrib_name][] = $attrib_value;
} else {
$attributes[$attrib_name] = array($attrib_value);
}
}
/* end of contribution */
return $attributes;
}
} }
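Review bot: In the attribute loop, `$attributes[$this->usernameAttribute] = array($resa['data']);` runs even when `username_attribute` is not configured, so a server-supplied User-Name is stored under the empty-string key (PHP casts a null array key to `""`) and is then returned to the caller as a user attribute; guarding it with `if ($this->usernameAttribute !== null && $resa['attr'] === RADIUS_USER_NAME) {` makes an absent config produce no such entry, since the attribute then falls through to the Vendor-Specific check and is skipped there. The reformatted hunk also keeps the loose comparisons `$this->nasIdentifier != null`, `$res != RADIUS_ACCESS_ACCEPT` and `$resa['attr'] == RADIUS_USER_NAME` right next to the strict `!== RADIUS_VENDOR_SPECIFIC` and `!== null` checks, which is an inconsistency this clean-up could have removed. The `nas_identifier` default is read from `$_SERVER['HTTP_HOST']`, a value the HTTP client supplies, so a comment such as `// HTTP_HOST is client-controlled; set nas_identifier explicitly in production` above that line would help operators. The return value of `radius_auth_open()` is never checked before it is passed to `radius_add_server()`. The class docblock this hunk touches begins before the hunk.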