From 2a024238fe56f7a7a77c9143273a9aca0d7dd804 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Fri, 16 May 2025 15:18:39 +0200
Subject: [PATCH] slightly better logging
Signed-off-by: Jens Langhammer
---
 internal/outpost/radius/eap/handler.go | 12 ++-------
 internal/outpost/radius/eap/tls/payload.go | 30 +++++++++++-----------
 2 files changed, 17 insertions(+), 25 deletions(-)
diff --git a/internal/outpost/radius/eap/handler.go b/internal/outpost/radius/eap/handler.go
index 1267806aea..00d5eeda6c 100644
--- a/internal/outpost/radius/eap/handler.go
+++ b/internal/outpost/radius/eap/handler.go
@@ -82,12 +82,10 @@ func (p *Packet) GetChallengeForType(ctx *context, t protocol.Type) *Packet {
 var payload any
 switch t {
 case tls.TypeTLS:
- // TODO: rewrite this
 if _, ok := p.Payload.(*tls.Payload); !ok {
 p.Payload = &tls.Payload{}
 p.Payload.Decode(p.rawPayload)
 }
- // this
 payload = p.Payload.(*tls.Payload).Handle(ctx)
 }
 if payload != nil {
@@ -97,18 +95,12 @@ func (p *Packet) GetChallengeForType(ctx *context, t protocol.Type) *Packet {
 }
 
 func (p *Packet) setMessageAuthenticator(rp *radius.Packet) {
- err := rfc2869.MessageAuthenticator_Set(rp, make([]byte, 16))
- if err != nil {
- panic(err)
- }
+ _ = rfc2869.MessageAuthenticator_Set(rp, make([]byte, 16))
 hash := hmac.New(md5.New, rp.Secret)
 encode, err := rp.MarshalBinary()
 if err != nil {
 panic(err)
 }
 hash.Write(encode)
- err = rfc2869.MessageAuthenticator_Set(rp, hash.Sum(nil))
- if err != nil {
- panic(err)
- }
+ _ = rfc2869.MessageAuthenticator_Set(rp, hash.Sum(nil))
 }
diff --git a/internal/outpost/radius/eap/tls/payload.go b/internal/outpost/radius/eap/tls/payload.go
index 91878636e6..368d493922 100644
--- a/internal/outpost/radius/eap/tls/payload.go
+++ b/internal/outpost/radius/eap/tls/payload.go
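Review bot: In setMessageAuthenticator both MessageAuthenticator_Set results are now discarded with `_ =`, while the MarshalBinary error two lines below still panics, so the one failure that lets a response leave without a valid Message-Authenticator is the only one that goes unreported. If the second Set fails, the packet keeps the 16 zero-byte placeholder written by the first call; a NAS that validates the attribute will drop the response and nothing in the log explains why, which sits oddly with a commit about better logging. The placeholder Set can reasonably stay discarded behind a one-line justifying comment, but the final one should be surfaced, either by keeping the previous behaviour, `if err := rfc2869.MessageAuthenticator_Set(rp, hash.Sum(nil)); err != nil { panic(err) }`, or by logging it if a logger is in scope in this file (none is visible in the hunk). The whole function is inside the hunk.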
@@ -67,7 +67,7 @@ func (p *Payload) Handle(ctx protocol.Context) protocol.Payload {
 p.st = ctx.GetProtocolState(NewState).(*State)
 defer ctx.SetProtocolState(p.st)
 if !p.st.HasStarted {
- log.Debug("TLS: handshake starting")
+ ctx.Log().Debug("TLS: handshake starting")
 p.st.HasStarted = true
 return &Payload{
 Flags: FlagTLSStart,
@@ -77,12 +77,12 @@ func (p *Payload) Handle(ctx protocol.Context) protocol.Payload {
 if p.st.TLS == nil {
 p.tlsInit(ctx)
 } else if len(p.Data) > 0 {
- log.Debug("TLS: Updating buffer with new TLS data from packet")
+ ctx.Log().Debug("TLS: Updating buffer with new TLS data from packet")
 if p.Flags&FlagLengthIncluded != 0 && p.st.Conn.expectedWriterByteCount == 0 {
- log.Debugf("TLS: Expecting %d total bytes, will buffer", p.Length)
+ ctx.Log().Debugf("TLS: Expecting %d total bytes, will buffer", p.Length)
 p.st.Conn.expectedWriterByteCount = int(p.Length)
 } else if p.Flags&FlagLengthIncluded != 0 {
- log.Debug("TLS: No length included, not buffering")
+ ctx.Log().Debug("TLS: No length included, not buffering")
 p.st.Conn.expectedWriterByteCount = 0
 }
 p.st.Conn.UpdateData(p.Data)
@@ -115,12 +115,12 @@ func (p *Payload) Handle(ctx protocol.Context) protocol.Payload {
 }
 
 func (p *Payload) tlsInit(ctx protocol.Context) {
- log.Debug("TLS: no TLS connection in state yet, starting connection")
+ ctx.Log().Debug("TLS: no TLS connection in state yet, starting connection")
 p.st.Context, p.st.ContextCancel = context.WithTimeout(context.Background(), staleConnectionTimeout*time.Second)
 p.st.Conn = NewBuffConn(p.Data, p.st.Context)
 cfg := ctx.ProtocolSettings().(Settings).Config.Clone()
 cfg.GetConfigForClient = func(chi *tls.ClientHelloInfo) (*tls.Config, error) {
- log.Debugf("TLS: ClientHello: %+v\n", chi)
+ ctx.Log().Debugf("TLS: ClientHello: %+v\n", chi)
 p.st.ClientHello = chi
 return nil, nil
 }
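Review bot: The message moved to `ctx.Log().Debug("TLS: No length included, not buffering")` in the second hunk disagrees with the guard it sits under: that else-if tests `p.Flags&FlagLengthIncluded != 0`, the same bit the preceding branch tests, so the "no length included" line can only be reached when the L flag is set and the buffer already has an expected byte count. If the intent is to reset buffering for fragments without the L flag, the guard should read `} else if p.Flags&FlagLengthIncluded == 0 {`; if the current behaviour is intended, the log text should say so instead. The guard is context, not part of this change, but since the line under it is being touched this is the place to reconcile them. Handle's body starts and ends outside this hunk.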
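Review bot: The `ctx.Log().Debugf("TLS: ClientHello: %+v\n", chi)` line in the tlsInit hunk dumps the whole *tls.ClientHelloInfo (including its Conn) with a trailing newline, which is both noisy and unusual for a structured logger message. Logging the fields that actually matter for debugging a handshake is clearer and keeps log lines single-line: `ctx.Log().Debugf("TLS: ClientHello: sni=%q versions=%v ciphers=%v", chi.ServerName, chi.SupportedVersions, chi.CipherSuites)`. Note also that this callback now captures ctx and is invoked from inside HandshakeContext on the goroutine started further down in tlsInit, so ctx.Log() is being called off the request path; whether that logger is safe to use concurrently is not visible here and worth confirming.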
@@ -128,35 +128,35 @@ func (p *Payload) tlsInit(ctx protocol.Context) {
 go func() {
 err := p.st.TLS.HandshakeContext(p.st.Context)
 if err != nil {
- log.WithError(err).Debug("TLS: Handshake error")
+ ctx.Log().WithError(err).Debug("TLS: Handshake error")
 ctx.EndInnerProtocol(protocol.StatusError, func(p *radius.Packet) *radius.Packet {
 return p
 })
 return
 }
- log.Debug("TLS: handshake done")
- p.tlsHandshakeFinished()
+ ctx.Log().Debug("TLS: handshake done")
+ p.tlsHandshakeFinished(ctx)
 }()
 }
 
-func (p *Payload) tlsHandshakeFinished() {
+func (p *Payload) tlsHandshakeFinished(ctx protocol.Context) {
 cs := p.st.TLS.ConnectionState()
 label := "client EAP encryption"
 var context []byte
 switch cs.Version {
 case tls.VersionTLS10:
- log.Debugf("TLS: Version %d (1.0)", cs.Version)
+ ctx.Log().Debugf("TLS: Version %d (1.0)", cs.Version)
 case tls.VersionTLS11:
- log.Debugf("TLS: Version %d (1.1)", cs.Version)
+ ctx.Log().Debugf("TLS: Version %d (1.1)", cs.Version)
 case tls.VersionTLS12:
- log.Debugf("TLS: Version %d (1.2)", cs.Version)
+ ctx.Log().Debugf("TLS: Version %d (1.2)", cs.Version)
 case tls.VersionTLS13:
- log.Debugf("TLS: Version %d (1.3)", cs.Version)
+ ctx.Log().Debugf("TLS: Version %d (1.3)", cs.Version)
 label = "EXPORTER_EAP_TLS_Key_Material"
 context = []byte{byte(TypeTLS)}
 }
 ksm, err := cs.ExportKeyingMaterial(label, context, 64+64)
- log.Debugf("TLS: ksm % x %v", ksm, err)
+ ctx.Log().Debugf("TLS: ksm % x %v", ksm, err)
 p.st.MPPEKey = ksm
 p.st.HandshakeDone = true
 }
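Review bot: `ctx.Log().Debugf("TLS: ksm % x %v", ksm, err)` in tlsHandshakeFinished writes the exported keying material, the secret from which the MPPE keys handed to the NAS are derived, into the log in hex, and it is the only handling the ExportKeyingMaterial error gets: on failure ksm is nil, yet `p.st.MPPEKey = ksm` and `p.st.HandshakeDone = true` still run, so the session is marked complete with no key. That failure is not hypothetical; recent Go releases refuse to export keying material on pre-1.3 connections that did not negotiate extended master secret (worth confirming against the Go version in go.mod), so the TLS 1.0–1.2 cases above would silently produce an empty key. Since the commit is about logging, this is the line to fix: drop the key bytes from the message and route the error the same way the handshake error above is routed, via WithError plus EndInnerProtocol and an early return. The rewrite below replaces only the tail of the function.

```go
	ksm, err := cs.ExportKeyingMaterial(label, context, 64+64)
	if err != nil {
		ctx.Log().WithError(err).Debug("TLS: failed to export keying material")
		ctx.EndInnerProtocol(protocol.StatusError, func(p *radius.Packet) *radius.Packet {
			return p
		})
		return
	}
	// Key bytes are deliberately not logged; only the fact that export succeeded.
	ctx.Log().Debug("TLS: exported keying material")
	p.st.MPPEKey = ksm
	p.st.HandshakeDone = true
```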