From 321a46b71f6f3cf2325a72cd37c15fba5fc0c1b3 Mon Sep 17 00:00:00 2001 From: phpipam <miha.petkovsek@telemach.si> Date: Wed, 20 Dec 2023 15:24:27 +0100 Subject: [PATCH] Changed from propriatary to dapphp/radius for radius auth #3986 --- functions/classes/class.User.php | 92 +++++++++++++++++++++++++++++++- functions/composer.json | 3 +- functions/composer.lock | 71 +++++++++++++++++++++++- 3 files changed, 163 insertions(+), 3 deletions(-) diff --git a/functions/classes/class.User.php b/functions/classes/class.User.php index 6e858b42..e2d023cc 100644 --- a/functions/classes/class.User.php +++ b/functions/classes/class.User.php @@ -1174,7 +1174,7 @@ class User extends Common_functions { * @param mixed $password * @return void */ - private function auth_radius ($username, $password) { + private function auth_radius_legacy ($username, $password) { # decode radius parameters $params = pf_json_decode($this->authmethodparams); @@ -1223,6 +1223,96 @@ class User extends Common_functions { } } + /** + * Authenticates user on radius server + * + * GH: https://github.com/dapphp/radius + * + * @access private + * @param mixed $username + * @param mixed $password + * @return void + */ + private function auth_radius ($username, $password) { + # decode radius parameters + $params = pf_json_decode($this->authmethodparams); + + # Valdate composer + if($this->composer_has_errors(["dapphp/radius"])) { + $this->Result->show("danger", $this->composer_err, true); + } + + # Composer + require __DIR__ . '/../vendor/autoload.php'; + + // init client + $client = new Radius(); + // set params + $client->setServer($params->hostname) + ->setSecret($params->secret) + ->setNasIpAddress(gethostbyname(gethostname())) + ->setAttribute(32, 'login'); + + // fake type for testing + $params->authType = "pap"; + + // pap + if(!isset($params->authType) || @$params->authType=="pap") { + $authenticated = $client->accessRequest($username, $password); + } + // chap-md5 + elseif ($params->authType == "chap") { + $client->setChapPassword($password); + $authenticated = $client->accessRequest($username); + } + // mschapv1 + elseif ($params->authType == "mschapv1") { + $client->setMSChapPassword($password); + $authenticated = $client->accessRequest($username); + } + // mschapv2 + elseif($params->authType == "mschapv2") { + $authenticated = $client->accessRequestEapMsChapV2($username, $password); + } + // fault + else { + $this->Result->show("danger", _("Invalid radius authentication method"), true); + } + + # debug? + if($this->debugging) + $client->setDebug(true); + + # authenticate user + if($authenticated === true) { + # check login restrictions for authenticated user + $this->check_login_restrictions ($username); + # save to session + $this->write_session_parameters (); + + $this->Log->write( _("Radius login"), _("User")." ".$this->user->real_name." "._("logged in via radius"), 0, $username ); + $this->Result->show("success", _("Radius login successful")); + + # write last logintime + $this->update_login_time (); + # remove possible blocked IP + $this->block_remove_entry (); + } + else { + # add blocked count + $this->block_ip (); + $this->log_failed_access ($username); + $this->Log->write( _("Radius login"), _("Failed to authenticate user on radius server"), 2, $username ); + $this->Result->show("danger", _("Invalid username or password"), true); + # debug ? + if($this->debugging) { + print "<pre style='width:700px;margin:auto;margin-top:10px;'>"; + print "Access-Request failed with error ".$client->getErrorMessage()." (".$client->getErrorCode().")"; + print "</pre>"; + } + } + } + /** * SAML2 auth * diff --git a/functions/composer.json b/functions/composer.json index 98208ceb..1fa21abd 100644 --- a/functions/composer.json +++ b/functions/composer.json @@ -1,6 +1,7 @@ { "require": { "firehed/webauthn": "dev-main", - "firehed/cbor": "^0.1.0" + "firehed/cbor": "^0.1.0", + "dapphp/radius": "^3.0" } } diff --git a/functions/composer.lock b/functions/composer.lock index df24dd56..33a26a30 100644 --- a/functions/composer.lock +++ b/functions/composer.lock @@ -4,8 +4,77 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "b0a7a5cc1994c275013de9975a5f2675", + "content-hash": "23e5bbc9dd993a1c1824330765401dfd", "packages": [ + { + "name": "dapphp/radius", + "version": "v3.0.0", + "source": { + "type": "git", + "url": "https://github.com/dapphp/radius.git", + "reference": "023f538e46d20fa285f55dd65d7054fb9b370a82" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/dapphp/radius/zipball/023f538e46d20fa285f55dd65d7054fb9b370a82", + "reference": "023f538e46d20fa285f55dd65d7054fb9b370a82", + "shasum": "" + }, + "require": { + "php": "^7.3 || ^8.0" + }, + "require-dev": { + "phpunit/phpunit": "^9.5.13" + }, + "suggest": { + "ext-openssl": "To support hashing required by Pear_CHAP" + }, + "type": "library", + "autoload": { + "psr-0": { + "Crypt_CHAP_": "lib/" + }, + "psr-4": { + "Dapphp\\Radius\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "LGPL-3.0-or-later" + ], + "authors": [ + { + "name": "Drew Phillips", + "email": "drew@drew-phillips.com", + "homepage": "https://drew-phillips.com/" + }, + { + "name": "SysCo/al", + "homepage": "http://developer.sysco.ch/php/" + } + ], + "description": "A pure PHP RADIUS client based on the SysCo/al implementation", + "homepage": "https://github.com/dapphp/radius", + "keywords": [ + "Authentication", + "authorization", + "chap", + "ms-chap", + "ms-chap v2", + "pap", + "radius", + "rfc1994", + "rfc2284", + "rfc2759", + "rfc2865", + "rfc2869" + ], + "support": { + "issues": "https://github.com/dapphp/radius/issues", + "source": "https://github.com/dapphp/radius/tree/v3.0.0" + }, + "time": "2022-01-26T04:33:16+00:00" + }, { "name": "firehed/cbor", "version": "0.1.0", -- GitLab