Skip to content

move group detection of RADIUS attribute 25 into own function #29

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
kaikli wants to merge 1 commit into
base: master
Choose a base branch
from
Open

move group detection of RADIUS attribute 25 into own function #29

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
55 changes: 31 additions & 24 deletions radiusauth/backends/radius.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -105,6 +105,36 @@ def _get_server_from_settings(self):
settings.RADIUS_SECRET.encode('utf-8'),
)

def _get_groups_from_auth_response(self, reply):
"""
Get the groups from the RADIUS Attribute 25 "Class".
Returns a tuple (list of groups, is_staff, is_superuser).
"""
if not "Class" in reply.keys():
return [], False, False

groups = []
is_staff = False
is_superuser = False

app_class_prefix = getattr(settings, 'RADIUS_CLASS_APP_PREFIX', '')
group_class_prefix = app_class_prefix + "group="
role_class_prefix = app_class_prefix + "role="

for cl in reply['Class']:
cl = cl.decode("utf-8")
if cl.lower().find(group_class_prefix) == 0:
groups.append(cl[len(group_class_prefix):])
elif cl.lower().find(role_class_prefix) == 0:
role = cl[len(role_class_prefix):]
if role == "staff":
is_staff = True
elif role == "superuser":
is_superuser = True
else:
logging.warning("RADIUS Attribute Class contains unknown role '%s'. Only roles 'staff' and 'superuser' are allowed" % cl)
return groups, is_staff, is_superuser

def _perform_radius_auth(self, client, packet):
"""
Perform the actual radius authentication by passing the given packet
Expand Down Expand Up @@ -134,30 +164,7 @@ def _perform_radius_auth(self, client, packet):
logging.info("RADIUS access granted for user '%s'" % (
packet['User-Name']))

if not "Class" in reply.keys():
return [], False, False

groups = []
is_staff = False
is_superuser = False

app_class_prefix = getattr(settings, 'RADIUS_CLASS_APP_PREFIX', '')
group_class_prefix = app_class_prefix + "group="
role_class_prefix = app_class_prefix + "role="

for cl in reply['Class']:
cl = cl.decode("utf-8")
if cl.lower().find(group_class_prefix) == 0:
groups.append(cl[len(group_class_prefix):])
elif cl.lower().find(role_class_prefix) == 0:
role = cl[len(role_class_prefix):]
if role == "staff":
is_staff = True
elif role == "superuser":
is_superuser = True
else:
logging.warning("RADIUS Attribute Class contains unknown role '%s'. Only roles 'staff' and 'superuser' are allowed" % cl)
return groups, is_staff, is_superuser
return self._get_groups_from_auth_response(reply)

def _radius_auth(self, server, username, password):
"""
Expand Down