providers/radius: Add support for custom attributes (#10509)
* unrelated: show logs for failed blueprints Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add dictionaries Signed-off-by: Jens Langhammer <jens@goauthentik.io> * unrelated: remove some unused api functions Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add initial api Signed-off-by: Jens Langhammer <jens@goauthentik.io> * placeholder backend Signed-off-by: Jens Langhammer <jens@goauthentik.io> * idk Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add proper mappings Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix Signed-off-by: Jens Langhammer <jens@goauthentik.io> * format Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
Jens L.
@ -1,6 +1,8 @@
|
||||
package radius
|
||||
|
||||
import (
|
||||
"encoding/base64"
|
||||
|
||||
"github.com/prometheus/client_golang/prometheus"
|
||||
log "github.com/sirupsen/logrus"
|
||||
"goauthentik.io/internal/outpost/flow"
|
||||
@ -43,7 +45,7 @@ func (rs *RadiusServer) Handle_AccessRequest(w radius.ResponseWriter, r *RadiusR
|
||||
_ = w.Write(r.Response(radius.CodeAccessReject))
|
||||
return
|
||||
}
|
||||
access, err := fe.CheckApplicationAccess(r.pi.appSlug)
|
||||
access, _, err := fe.ApiClient().OutpostsApi.OutpostsRadiusCheckAccessRetrieve(r.Context(), r.pi.providerId).AppSlug(r.pi.appSlug).Execute()
|
||||
if err != nil {
|
||||
r.Log().WithField("username", username).WithError(err).Warning("failed to check access")
|
||||
_ = w.Write(r.Response(radius.CodeAccessReject))
|
||||
@ -54,7 +56,7 @@ func (rs *RadiusServer) Handle_AccessRequest(w radius.ResponseWriter, r *RadiusR
|
||||
}).Inc()
|
||||
return
|
||||
}
|
||||
if !access {
|
||||
if !access.Access.Passing {
|
||||
r.Log().WithField("username", username).Info("Access denied for user")
|
||||
_ = w.Write(r.Response(radius.CodeAccessReject))
|
||||
metrics.RequestsRejected.With(prometheus.Labels{
|
||||
@ -64,5 +66,22 @@ func (rs *RadiusServer) Handle_AccessRequest(w radius.ResponseWriter, r *RadiusR
|
||||
}).Inc()
|
||||
return
|
||||
}
|
||||
_ = w.Write(r.Response(radius.CodeAccessAccept))
|
||||
res := r.Response(radius.CodeAccessAccept)
|
||||
defer func() { _ = w.Write(res) }()
|
||||
if !access.HasAttributes() {
|
||||
r.Log().Debug("No attributes")
|
||||
return
|
||||
}
|
||||
rawData, err := base64.StdEncoding.DecodeString(access.GetAttributes())
|
||||
if err != nil {
|
||||
r.Log().WithError(err).Warning("failed to decode attributes from core")
|
||||
return
|
||||
}
|
||||
p, err := radius.Parse(rawData, r.pi.SharedSecret)
|
||||
if err != nil {
|
||||
r.Log().WithError(err).Warning("failed to parse attributes from core")
|
||||
}
|
||||
for _, attr := range p.Attributes {
|
||||
res.Add(attr.Type, attr.Attribute)
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user