providers/radius: Add support for custom attributes (#10509)

* unrelated: show logs for failed blueprints Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add dictionaries Signed-off-by: Jens Langhammer <jens@goauthentik.io> * unrelated: remove some unused api functions Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add initial api Signed-off-by: Jens Langhammer <jens@goauthentik.io> * placeholder backend Signed-off-by: Jens Langhammer <jens@goauthentik.io> * idk Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add proper mappings Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix Signed-off-by: Jens Langhammer <jens@goauthentik.io> * format Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2024-07-25 19:08:33 +02:00
parent 650370d94c
commit 61c6887e82
24 changed files with 1450 additions and 165 deletions
--- a/internal/outpost/radius/api.go
+++ b/internal/outpost/radius/api.go
@ -46,6 +46,7 @@ func (rs *RadiusServer) Refresh() error {
 			MFASupport:     provider.GetMfaSupport(),
 			appSlug:        provider.ApplicationSlug,
 			flowSlug:       provider.AuthFlowSlug,
+			providerId:     provider.Pk,
 			s:              rs,
 			log:            logger,
 		}
--- a/internal/outpost/radius/handle_access_request.go
+++ b/internal/outpost/radius/handle_access_request.go
@ -1,6 +1,8 @@
 package radius

 import (
+	"encoding/base64"
+
 	"github.com/prometheus/client_golang/prometheus"
 	log "github.com/sirupsen/logrus"
 	"goauthentik.io/internal/outpost/flow"
@ -43,7 +45,7 @@ func (rs *RadiusServer) Handle_AccessRequest(w radius.ResponseWriter, r *RadiusR
 		_ = w.Write(r.Response(radius.CodeAccessReject))
 		return
 	}
-	access, err := fe.CheckApplicationAccess(r.pi.appSlug)
+	access, _, err := fe.ApiClient().OutpostsApi.OutpostsRadiusCheckAccessRetrieve(r.Context(), r.pi.providerId).AppSlug(r.pi.appSlug).Execute()
 	if err != nil {
 		r.Log().WithField("username", username).WithError(err).Warning("failed to check access")
 		_ = w.Write(r.Response(radius.CodeAccessReject))
@ -54,7 +56,7 @@ func (rs *RadiusServer) Handle_AccessRequest(w radius.ResponseWriter, r *RadiusR
 		}).Inc()
 		return
 	}
-	if !access {
+	if !access.Access.Passing {
 		r.Log().WithField("username", username).Info("Access denied for user")
 		_ = w.Write(r.Response(radius.CodeAccessReject))
 		metrics.RequestsRejected.With(prometheus.Labels{
@ -64,5 +66,22 @@ func (rs *RadiusServer) Handle_AccessRequest(w radius.ResponseWriter, r *RadiusR
 		}).Inc()
 		return
 	}
-	_ = w.Write(r.Response(radius.CodeAccessAccept))
+	res := r.Response(radius.CodeAccessAccept)
+	defer func() { _ = w.Write(res) }()
+	if !access.HasAttributes() {
+		r.Log().Debug("No attributes")
+		return
+	}
+	rawData, err := base64.StdEncoding.DecodeString(access.GetAttributes())
+	if err != nil {
+		r.Log().WithError(err).Warning("failed to decode attributes from core")
+		return
+	}
+	p, err := radius.Parse(rawData, r.pi.SharedSecret)
+	if err != nil {
+		r.Log().WithError(err).Warning("failed to parse attributes from core")
+	}
+	for _, attr := range p.Attributes {
+		res.Add(attr.Type, attr.Attribute)
+	}
 }
--- a/internal/outpost/radius/radius.go
+++ b/internal/outpost/radius/radius.go
@ -19,10 +19,11 @@ type ProviderInstance struct {
 	SharedSecret   []byte
 	MFASupport     bool

-	appSlug  string
-	flowSlug string
-	s        *RadiusServer
-	log      *log.Entry
+	appSlug    string
+	flowSlug   string
+	providerId int32
+	s          *RadiusServer
+	log        *log.Entry
 }

 type RadiusServer struct {