From c49274042b709b0b8daeb4c99f456cb8509113a2 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens@goauthentik.io>
Date: Fri, 23 May 2025 20:29:33 +0200
Subject: [PATCH] slightly better decoding

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---
 internal/outpost/radius/eap/handler.go        |  2 +-
 internal/outpost/radius/eap/packet.go         | 33 ++-----------------
 .../outpost/radius/eap/protocol/eap/decode.go | 23 +++++++++++++
 .../radius/eap/protocol/eap/payload.go        | 10 ++++--
 internal/outpost/radius/eap/protocol/empty.go | 14 --------
 5 files changed, 34 insertions(+), 48 deletions(-)
 create mode 100644 internal/outpost/radius/eap/protocol/eap/decode.go
 delete mode 100644 internal/outpost/radius/eap/protocol/empty.go

diff --git a/internal/outpost/radius/eap/handler.go b/internal/outpost/radius/eap/handler.go
index 56bbf61f72..69fe8df5d1 100644
--- a/internal/outpost/radius/eap/handler.go
+++ b/internal/outpost/radius/eap/handler.go
@@ -101,7 +101,7 @@ func (p *Packet) handleEAP(pp protocol.Payload, stm protocol.StateManager) (*eap
 		return next()
 	}
 
-	np, t, _ := emptyPayload(stm, nextChallengeToOffer)
+	np, t, _ := eap.EmptyPayload(stm.GetEAPSettings(), nextChallengeToOffer)
 
 	ctx := &context{
 		req:         p.r,
diff --git a/internal/outpost/radius/eap/packet.go b/internal/outpost/radius/eap/packet.go
index 23f33f0cd9..b9ca23c5c1 100644
--- a/internal/outpost/radius/eap/packet.go
+++ b/internal/outpost/radius/eap/packet.go
@@ -1,8 +1,6 @@
 package eap
 
 import (
-	"fmt"
-
 	"goauthentik.io/internal/outpost/radius/eap/protocol"
 	"goauthentik.io/internal/outpost/radius/eap/protocol/eap"
 	"layeh.com/radius"
@@ -16,45 +14,20 @@ type Packet struct {
 	endModifier func(p *radius.Packet) *radius.Packet
 }
 
-func emptyPayload(stm protocol.StateManager, t protocol.Type) (protocol.Payload, protocol.Type, error) {
-	for _, cons := range stm.GetEAPSettings().Protocols {
-		np := cons()
-		if np.Type() == t {
-			return np, np.Type(), nil
-		}
-		// If the protocol has an inner protocol, return the original type but the code for the inner protocol
-		if i, ok := np.(protocol.Inner); ok {
-			if ii := i.HasInner(); ii != nil {
-				return np, ii.Type(), nil
-			}
-		}
-	}
-	return nil, protocol.Type(0), fmt.Errorf("unsupported EAP type %d", t)
-}
-
 func Decode(stm protocol.StateManager, raw []byte) (*Packet, error) {
 	packet := &Packet{
-		eap: &eap.Payload{},
+		eap: &eap.Payload{
+			Settings: stm.GetEAPSettings(),
+		},
 		stm: stm,
 		endModifier: func(p *radius.Packet) *radius.Packet {
 			return p
 		},
 	}
-	// FIXME: We're decoding twice here, first to get the msg type, then come back to assign the payload type
-	// then re-parse to parse the payload correctly
 	err := packet.eap.Decode(raw)
 	if err != nil {
 		return nil, err
 	}
-	p, _, err := emptyPayload(stm, packet.eap.MsgType)
-	if err != nil {
-		return nil, err
-	}
-	packet.eap.Payload = p
-	err = packet.eap.Decode(raw)
-	if err != nil {
-		return nil, err
-	}
 	return packet, nil
 }
 
diff --git a/internal/outpost/radius/eap/protocol/eap/decode.go b/internal/outpost/radius/eap/protocol/eap/decode.go
new file mode 100644
index 0000000000..ea1f23d5e2
--- /dev/null
+++ b/internal/outpost/radius/eap/protocol/eap/decode.go
@@ -0,0 +1,23 @@
+package eap
+
+import (
+	"fmt"
+
+	"goauthentik.io/internal/outpost/radius/eap/protocol"
+)
+
+func EmptyPayload(settings protocol.Settings, t protocol.Type) (protocol.Payload, protocol.Type, error) {
+	for _, cons := range settings.Protocols {
+		np := cons()
+		if np.Type() == t {
+			return np, np.Type(), nil
+		}
+		// If the protocol has an inner protocol, return the original type but the code for the inner protocol
+		if i, ok := np.(protocol.Inner); ok {
+			if ii := i.HasInner(); ii != nil {
+				return np, ii.Type(), nil
+			}
+		}
+	}
+	return nil, protocol.Type(0), fmt.Errorf("unsupported EAP type %d", t)
+}
diff --git a/internal/outpost/radius/eap/protocol/eap/payload.go b/internal/outpost/radius/eap/protocol/eap/payload.go
index 5a108a6f5a..54f692536a 100644
--- a/internal/outpost/radius/eap/protocol/eap/payload.go
+++ b/internal/outpost/radius/eap/protocol/eap/payload.go
@@ -22,6 +22,8 @@ type Payload struct {
 	MsgType    protocol.Type
 	Payload    protocol.Payload
 	RawPayload []byte
+
+	Settings protocol.Settings
 }
 
 func (p *Payload) Type() protocol.Type {
@@ -44,10 +46,12 @@ func (p *Payload) Decode(raw []byte) error {
 	}
 	log.WithField("raw", debug.FormatBytes(raw)).WithField("payload", fmt.Sprintf("%T", p.Payload)).Trace("EAP: decode raw")
 	p.RawPayload = raw[5:]
-	if p.Payload == nil {
-		return nil
+	pp, _, err := EmptyPayload(p.Settings, p.MsgType)
+	if err != nil {
+		return err
 	}
-	err := p.Payload.Decode(raw[5:])
+	p.Payload = pp
+	err = p.Payload.Decode(raw[5:])
 	if err != nil {
 		return err
 	}
diff --git a/internal/outpost/radius/eap/protocol/empty.go b/internal/outpost/radius/eap/protocol/empty.go
deleted file mode 100644
index 05ee0ffd39..0000000000
--- a/internal/outpost/radius/eap/protocol/empty.go
+++ /dev/null
@@ -1,14 +0,0 @@
-package protocol
-
-import "layeh.com/radius"
-
-type EmptyPayload struct {
-	ModifyPacket func(p *radius.Packet) *radius.Packet
-}
-
-func (ep EmptyPayload) Decode(raw []byte) error {
-	return nil
-}
-func (ep EmptyPayload) Encode() ([]byte, error) {
-	return []byte{}, nil
-}