From 10fc15ffe0db877f3e69950877d50ec255845987 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Fri, 23 May 2025 20:13:51 +0200
Subject: [PATCH] more debug tools

Signed-off-by: Jens Langhammer
---
 .../radius/eap/protocol/eap/payload.go | 13 +++++-
 .../radius/eap/protocol/identity/payload.go | 13 +++++-
 .../radius/eap/protocol/legacy_nak/payload.go | 13 +++++-
 .../radius/eap/protocol/mschapv2/payload.go | 41 +++++++++++++++++++
 .../outpost/radius/eap/protocol/packet.go | 1 +
 .../radius/eap/protocol/peap/payload.go | 13 +++++-
 .../radius/eap/protocol/tls/payload.go | 10 +++++
 .../outpost/radius/handle_access_request.go | 6 ++-
 8 files changed, 105 insertions(+), 5 deletions(-)
 create mode 100644 internal/outpost/radius/eap/protocol/mschapv2/payload.go

diff --git a/internal/outpost/radius/eap/protocol/eap/payload.go b/internal/outpost/radius/eap/protocol/eap/payload.go
index 6a519276dd..5a108a6f5a 100644
--- a/internal/outpost/radius/eap/protocol/eap/payload.go
+++ b/internal/outpost/radius/eap/protocol/eap/payload.go
@@ -73,7 +73,18 @@ func (p *Payload) Encode() ([]byte, error) {
 return buff, nil
 }
 
-func (ip *Payload) Handle(ctx protocol.Context) protocol.Payload {
+func (p *Payload) Handle(ctx protocol.Context) protocol.Payload {
 ctx.Log().Debug("EAP: Handle")
 return nil
 }
+
+func (p *Payload) String() string {
+ return fmt.Sprintf(
+ "",
+ p.Code,
+ p.ID,
+ p.MsgType,
+ p.Length,
+ p.Payload,
+ )
+}
diff --git a/internal/outpost/radius/eap/protocol/identity/payload.go b/internal/outpost/radius/eap/protocol/identity/payload.go
index 3d748eed8a..bb9dc850fd 100644
--- a/internal/outpost/radius/eap/protocol/identity/payload.go
+++ b/internal/outpost/radius/eap/protocol/identity/payload.go
@@ -1,6 +1,10 @@
 package identity
 
-import "goauthentik.io/internal/outpost/radius/eap/protocol"
+import (
+ "fmt"
+
+ "goauthentik.io/internal/outpost/radius/eap/protocol"
+)
 
 const TypeIdentity protocol.Type = 1
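Review bot: The new `String()` on the generic EAP payload formats `p.Payload`, the raw inner bytes, and once PEAP starts calling it (the Debugf added in peap/payload.go in this same patch) that is the decrypted tunnel content — MSCHAPv2 challenge/response material, or a plaintext password for a GTC-style inner method — written into the log. Debug level is a weak guard because outpost logs are routinely shipped off-host; print `len(p.Payload)` or a short hex prefix such as `hex.EncodeToString(p.Payload[:min(8, len(p.Payload))])` instead of the bytes. Separately, the format strings show as `""` on this page while five arguments are passed, which `go vet` rejects ("call has arguments but no formatting directives"); presumably the verbs were stripped in rendering, but it is worth confirming the committed text has them. A doc comment stating the redaction rule, e.g. `// String renders the packet header for debug logs; the body is summarised, never dumped.`, would pin the intent for the other implementations.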
@@ -35,3 +39,10 @@ func (p *Payload) Handle(ctx protocol.Context) protocol.Payload {
 func (p *Payload) Offerable() bool {
 return false
 }
+
+func (p *Payload) String() string {
+ return fmt.Sprintf(
+ "",
+ p.Identity,
+ )
+}
diff --git a/internal/outpost/radius/eap/protocol/legacy_nak/payload.go b/internal/outpost/radius/eap/protocol/legacy_nak/payload.go
index 662d8d3239..468e241a01 100644
--- a/internal/outpost/radius/eap/protocol/legacy_nak/payload.go
+++ b/internal/outpost/radius/eap/protocol/legacy_nak/payload.go
@@ -1,6 +1,10 @@
 package legacy_nak
 
-import "goauthentik.io/internal/outpost/radius/eap/protocol"
+import (
+ "fmt"
+
+ "goauthentik.io/internal/outpost/radius/eap/protocol"
+)
 
 const TypeLegacyNAK protocol.Type = 3
@@ -35,3 +39,10 @@ func (p *Payload) Handle(ctx protocol.Context) protocol.Payload {
 func (p *Payload) Offerable() bool {
 return false
 }
+
+func (p *Payload) String() string {
+ return fmt.Sprintf(
+ "",
+ p.DesiredType,
+ )
+}
diff --git a/internal/outpost/radius/eap/protocol/mschapv2/payload.go b/internal/outpost/radius/eap/protocol/mschapv2/payload.go
new file mode 100644
index 0000000000..b6374cf3a1
--- /dev/null
+++ b/internal/outpost/radius/eap/protocol/mschapv2/payload.go
@@ -0,0 +1,41 @@
+package mschapv2
+
+import (
+ "goauthentik.io/internal/outpost/radius/eap/protocol"
+)
+
+const TypeMSCHAPv2 protocol.Type = 26
+
+func Protocol() protocol.Payload {
+ return &Payload{}
+}
+
+type Payload struct {
+}
+
+func (p *Payload) Type() protocol.Type {
+ return TypeMSCHAPv2
+}
+
+func (p *Payload) Decode(raw []byte) error {
+ return nil
+}
+
+func (p *Payload) Encode() ([]byte, error) {
+ return []byte{}, nil
+}
+
+func (p *Payload) Handle(ctx protocol.Context) protocol.Payload {
+ if ctx.IsProtocolStart(TypeMSCHAPv2) {
+ ctx.EndInnerProtocol(protocol.StatusError, nil)
+ }
+ return nil
+}
+
+func (p *Payload) Offerable() bool {
+ return true
+}
+
+func (p *Payload) String() string {
+ return ""
+}
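Review bot: `p.Identity` in the new identity `String()` is attacker-controlled bytes taken straight from the peer's EAP-Response/Identity, and it now reaches the log through every `%v`/`%s` of the payload. Use `%q` for that argument so embedded newlines and control characters cannot forge or split log lines, and treat the value as PII (it is the outer identity, usually a username) when deciding which log level it lands at. A doc comment such as `// String quotes the peer-supplied identity; it is untrusted input and may be personal data.` would carry that caveat to the next reader.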
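Review bot: The new `mschapv2.Payload.Handle` ends the inner protocol with `StatusError` on the first MSCHAPv2 packet, so every PEAP client that takes the offered method (it is `Offerable()` and the sole entry in `ProtocolPriority` in handle_access_request.go) is rejected — fail-closed is the right default for a stub, but nothing in the file says it is one. Add a doc comment above the type, e.g. `// Payload is a placeholder EAP-MSCHAPv2 inner method: it rejects every session until the challenge/response exchange is implemented.`, and note on `Decode` that `raw` is intentionally ignored. Packets that arrive when `IsProtocolStart` is false are dropped with a `nil` return and no log line, which will be hard to debug; a `ctx.Log().Debug("MSCHAPv2: unexpected packet")` in that path costs nothing. When the real implementation lands, remember that `String()` is what `%v` logging will call, so it must never include the peer challenge, NT-Response or password hashes.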
diff --git a/internal/outpost/radius/eap/protocol/packet.go b/internal/outpost/radius/eap/protocol/packet.go
index 62d30219e7..a1606864ca 100644
--- a/internal/outpost/radius/eap/protocol/packet.go
+++ b/internal/outpost/radius/eap/protocol/packet.go
@@ -6,6 +6,7 @@ type Payload interface {
 Handle(ctx Context) Payload
 Type() Type
 Offerable() bool
+ String() string
 }
 
 type Inner interface {
diff --git a/internal/outpost/radius/eap/protocol/peap/payload.go b/internal/outpost/radius/eap/protocol/peap/payload.go
index 955c3fe58e..774aaa8cfd 100644
--- a/internal/outpost/radius/eap/protocol/peap/payload.go
+++ b/internal/outpost/radius/eap/protocol/peap/payload.go
@@ -2,6 +2,7 @@ package peap
 
 import (
 "encoding/binary"
+ "fmt"
 
 log "github.com/sirupsen/logrus"
 "goauthentik.io/internal/outpost/radius/eap/debug"
@@ -80,7 +81,9 @@ func (p *Payload) Handle(ctx protocol.Context) protocol.Payload {
 
 if ctx.IsProtocolStart(TypePEAP) {
 ctx.Log().Debug("PEAP: Protocol start")
- p.st = &State{}
+ p.st = &State{
+ SubState: make(map[string]*protocol.State),
+ }
 return &eap.Payload{
 Code: protocol.CodeRequest,
 ID: rootEap.ID + 1,
@@ -98,6 +101,7 @@ func (p *Payload) Handle(ctx protocol.Context) protocol.Payload {
 ID: rootEap.ID + 1,
 }
 }
+ ctx.Log().Debugf("PEAP: Decoded inner EAP to %s", ep.String())
 
 res, err := ctx.HandleInnerEAP(ep, p)
 if err != nil {
@@ -121,3 +125,10 @@ func (p *Payload) SetEAPState(key string, st *protocol.State) {
 func (p *Payload) Offerable() bool {
 return true
 }
+
+func (p *Payload) String() string {
+ return fmt.Sprintf(
+ "",
+ p.eap.String(),
+ )
+}
diff --git a/internal/outpost/radius/eap/protocol/tls/payload.go b/internal/outpost/radius/eap/protocol/tls/payload.go
index 89c4ccef9a..5db45c377d 100644
--- a/internal/outpost/radius/eap/protocol/tls/payload.go
+++ b/internal/outpost/radius/eap/protocol/tls/payload.go
@@ -5,6 +5,7 @@ import (
 "crypto/tls"
 "encoding/binary"
 "errors"
+ "fmt"
 "os"
 "slices"
 "time"
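Review bot: Adding `String() string` to the `Payload` interface makes every implementation a `fmt.Stringer`, so any existing or future `%v`/`%s` of a payload in a log line now routes through these methods — the redaction policy lives in each `String()` and nowhere else, and the interface is where that contract should be written down. A one-line comment on the new method would do it: `// String renders the payload for debug logging; implementations must not include credentials, key material or decrypted tunnel content.` The interface body continues past the end of the hunk.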
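Review bot: The `Debugf` added in the `@@ -98,6 +101,7 @@` hunk logs `ep.String()`, which is the inner EAP packet after TLS decryption — precisely the data the PEAP tunnel exists to keep off the wire, and it carries whatever the inner method sends (identity, MSCHAPv2 challenge/response, plaintext for GTC-style methods) once `eap.Payload.String()` dumps `p.Payload`. Logging the header is enough to trace the state machine: `ctx.Log().Debugf("PEAP: Decoded inner EAP type=%v len=%v", ep.MsgType, ep.Length)` (field names as used by the eap `String()` in this patch). `Handle` starts and ends outside this hunk; the `SubState: make(...)` initialisation in the earlier hunk is a correct fix for writes into a nil map and needs no change.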
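Review bot: `p.eap.String()` in the new PEAP `String()` dereferences `p.eap` unconditionally; its declaration is outside this hunk, but if it is a pointer that is only set once an inner packet has been decoded, then formatting a freshly offered payload with `%v` — which this commit makes call `String()` — panics inside the RADIUS request handler, a remotely reachable crash. Guard it with `if p.eap == nil { return "<PEAP>" }` (or whatever placeholder matches the other `String()` methods) before delegating. A short doc comment noting that the rendering is only as safe as the inner `eap.Payload.String()` would also help, since the inner bytes are decrypted tunnel content.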
@@ -253,3 +254,12 @@ func (p *Payload) sendNextChunk() *Payload {
 Data: nextChunk,
 }
 }
+
+func (p *Payload) String() string {
+ return fmt.Sprintf(
+ "",
+ p.st.HandshakeDone,
+ p.st.FinalStatus,
+ p.st.ClientHello,
+ )
+}
diff --git a/internal/outpost/radius/handle_access_request.go b/internal/outpost/radius/handle_access_request.go
index 92f962c7c8..72e43ea267 100644
--- a/internal/outpost/radius/handle_access_request.go
+++ b/internal/outpost/radius/handle_access_request.go
@@ -15,6 +15,7 @@ import (
 "goauthentik.io/internal/outpost/radius/eap/protocol"
 "goauthentik.io/internal/outpost/radius/eap/protocol/identity"
 "goauthentik.io/internal/outpost/radius/eap/protocol/legacy_nak"
+ "goauthentik.io/internal/outpost/radius/eap/protocol/mschapv2"
 "goauthentik.io/internal/outpost/radius/eap/protocol/peap"
 "goauthentik.io/internal/outpost/radius/eap/protocol/tls"
 "goauthentik.io/internal/outpost/radius/metrics"
@@ -193,7 +194,10 @@ func (pi *ProviderInstance) GetEAPSettings() protocol.Settings {
 Config: &ttls.Config{
 Certificates: []ttls.Certificate{*cert},
 },
- InnerProtocols: protocol.Settings{},
+ InnerProtocols: protocol.Settings{
+ Protocols: append(protocols, mschapv2.Protocol),
+ ProtocolPriority: []protocol.Type{mschapv2.TypeMSCHAPv2},
+ },
 },
 },
 }
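Review bot: The new TLS `String()` reads `p.st.HandshakeDone`, `p.st.FinalStatus` and `p.st.ClientHello` with no nil check on `p.st`; the PEAP hunk in this same patch allocates its state only at protocol start, and if the TLS state is created the same way (its initialisation is outside this hunk) then formatting the payload before the first TLS round trip panics in the request path. Add `if p.st == nil { return "<TLS (no state)>" }` (matching whatever placeholder the other `String()` methods use) ahead of the `Sprintf`. `ClientHello` rendered with `%v` will dump the whole struct — if it is a `*tls.ClientHelloInfo` that is SNI, cipher suites and supported versions, verbose but not secret; printing just the server name would keep the line readable.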
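Review bot: `append(protocols, mschapv2.Protocol)` derives the inner-protocol list from `protocols`, which is declared above this hunk; if that slice is also handed to the outer `Protocols` and has spare capacity, the append writes into the shared backing array and the outer list changes silently, and in any case the tunnel inherits every outer method, including PEAP and EAP-TLS themselves. Build the inner list explicitly (assuming the other packages export the same `Protocol` constructor as `mschapv2`), e.g. `Protocols: []func() protocol.Payload{identity.Protocol, legacy_nak.Protocol, mschapv2.Protocol}`, or at minimum `append(slices.Clone(protocols), mschapv2.Protocol)`. Because the `mschapv2.Handle` stub in this patch answers every session with `StatusError`, this change turns all PEAP inner authentication into a rejection — intentional fail-closed for work in progress, but worth a comment on the `InnerProtocols` field and a line in the commit message. `GetEAPSettings` begins outside the hunk.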