providers/radius: simple radius outpost (#1796)

* initial implementation Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens@goauthentik.io> * cleanup Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add migrations Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix web Signed-off-by: Jens Langhammer <jens@goauthentik.io> * minor fixes Signed-off-by: Jens Langhammer <jens@goauthentik.io> * use search-select Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update locale Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fixup Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix ip with port being sent to delegated ip Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add radius tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update docs Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-03-20 16:54:35 +01:00
parent 84c2da8a6e
commit 3f5effb1bc
54 changed files with 5433 additions and 677 deletions
--- a/internal/outpost/radius/handler.go
+++ b/internal/outpost/radius/handler.go
@ -0,0 +1,79 @@
+package radius
+
+import (
+	"crypto/sha512"
+
+	"github.com/getsentry/sentry-go"
+	"github.com/google/uuid"
+	"github.com/prometheus/client_golang/prometheus"
+	log "github.com/sirupsen/logrus"
+
+	"goauthentik.io/internal/outpost/radius/metrics"
+	"goauthentik.io/internal/utils"
+	"layeh.com/radius"
+)
+
+type RadiusRequest struct {
+	*radius.Request
+	log  *log.Entry
+	id   string
+	span *sentry.Span
+	pi   *ProviderInstance
+}
+
+func (r *RadiusRequest) Log() *log.Entry {
+	return r.log
+}
+
+func (r *RadiusRequest) RemoteAddr() string {
+	return utils.GetIP(r.Request.RemoteAddr)
+}
+
+func (r *RadiusRequest) ID() string {
+	return r.id
+}
+
+func (rs *RadiusServer) ServeRADIUS(w radius.ResponseWriter, r *radius.Request) {
+	span := sentry.StartSpan(r.Context(), "authentik.providers.radius.connect",
+		sentry.TransactionName("authentik.providers.radius.connect"))
+	rid := uuid.New().String()
+	span.SetTag("request_uid", rid)
+	rl := rs.log.WithField("code", r.Code.String()).WithField("request", rid)
+	selectedApp := ""
+	defer func() {
+		span.Finish()
+		metrics.Requests.With(prometheus.Labels{
+			"outpost_name": rs.ac.Outpost.Name,
+			"app":          selectedApp,
+		}).Observe(float64(span.EndTime.Sub(span.StartTime)))
+	}()
+
+	nr := &RadiusRequest{
+		Request: r,
+		log:     rl,
+		id:      rid,
+		span:    span,
+	}
+
+	rl.Info("Radius Request")
+
+	// Lookup provider by shared secret
+	var pi *ProviderInstance
+	for _, p := range rs.providers {
+		if string(p.SharedSecret) == string(r.Secret) {
+			pi = p
+			selectedApp = pi.appSlug
+			break
+		}
+	}
+	if pi == nil {
+		nr.Log().WithField("hashed_secret", string(sha512.New().Sum(r.Secret))).Warning("No provider found")
+		_ = w.Write(r.Response(radius.CodeAccessReject))
+		return
+	}
+	nr.pi = pi
+
+	if nr.Code == radius.CodeAccessRequest {
+		rs.Handle_AccessRequest(w, nr)
+	}
+}