start tying it into the flow

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

internal/outpost/flow/executor.go

@@ -94,6 +94,10 @@ func NewFlowExecutor(ctx context.Context, flowSlug string, refConfig *api.Config
 	return fe
 }
 
+func (fe *FlowExecutor) AddHeader(name string, value string) {
+	fe.api.GetConfig().AddDefaultHeader(name, value)
+}
+
 func (fe *FlowExecutor) RoundTrip(req *http.Request) (*http.Response, error) {
 	res, err := fe.transport.RoundTrip(req)
 	if res != nil {

internal/outpost/radius/eap/context.go

@@ -7,6 +7,7 @@ import (
 )
 
 type context struct {
+	req         *radius.Request
 	state       interface{}
 	log         *log.Entry
 	settings    interface{}
@@ -14,6 +15,10 @@ type context struct {
 	endModifier func(p *radius.Packet) *radius.Packet
 }
 
+func (ctx context) Packet() *radius.Request {
+	return ctx.req
+}
+
 func (ctx context) ProtocolSettings() interface{} {
 	return ctx.settings
 }
@@ -30,6 +35,9 @@ func (ctx *context) SetProtocolState(st interface{}) {
 }
 
 func (ctx *context) EndInnerProtocol(st protocol.Status, mf func(p *radius.Packet) *radius.Packet) {
+	if ctx.endStatus != protocol.StatusUnknown {
+		return
+	}
 	ctx.endStatus = st
 	ctx.endModifier = mf
 }

internal/outpost/radius/eap/handler.go

@@ -14,8 +14,8 @@ import (
 	"layeh.com/radius/rfc2869"
 )
 
-func (p *Packet) Handle(stm StateManager, w radius.ResponseWriter, r *radius.Packet) {
+func (p *Packet) Handle(stm StateManager, w radius.ResponseWriter, r *radius.Request) {
-	rst := rfc2865.State_GetString(r)
+	rst := rfc2865.State_GetString(r.Packet)
 	if rst == "" {
 		rst = base64.StdEncoding.EncodeToString(securecookie.GenerateRandomKey(12))
 	}
@@ -30,6 +30,7 @@ func (p *Packet) Handle(stm StateManager, w radius.ResponseWriter, r *radius.Pac
 	nextChallengeToOffer := st.ChallengesToOffer[0]
 
 	ctx := &context{
+		req:      r,
 		state:    st.TypeState[nextChallengeToOffer],
 		log:      log.WithField("type", nextChallengeToOffer),
 		settings: stm.GetEAPSettings().ProtocolSettings[nextChallengeToOffer],

internal/outpost/radius/eap/protocol/context.go

@@ -14,7 +14,7 @@ const (
 )
 
 type Context interface {
-	// GlobalState()
+	Packet() *radius.Request
 
 	ProtocolSettings() interface{}
 	GetProtocolState(def func(Context) interface{}) interface{}

internal/outpost/radius/eap/tls/payload.go

@@ -159,6 +159,7 @@ func (p *Payload) tlsHandshakeFinished(ctx protocol.Context) {
 	ctx.Log().Debugf("TLS: ksm % x %v", ksm, err)
 	p.st.MPPEKey = ksm
 	p.st.HandshakeDone = true
+	ctx.ProtocolSettings().(Settings).HandshakeSuccessful(ctx, cs.PeerCertificates)
 }
 
 func (p *Payload) startChunkedTransfer(data []byte) *Payload {

internal/outpost/radius/eap/tls/settings.go

@@ -1,7 +1,13 @@
 package tls
 
-import "crypto/tls"
+import (
+	"crypto/tls"
+	"crypto/x509"
+
+	"goauthentik.io/internal/outpost/radius/eap/protocol"
+)
 
 type Settings struct {
-	Config *tls.Config
+	Config              *tls.Config
+	HandshakeSuccessful func(ctx protocol.Context, certs []*x509.Certificate)
 }

internal/outpost/radius/handle_access_request.go

@@ -1,8 +1,12 @@
 package radius
 
 import (
+	"context"
 	ttls "crypto/tls"
+	"crypto/x509"
 	"encoding/base64"
+	"encoding/pem"
+	"net/url"
 
 	"github.com/prometheus/client_golang/prometheus"
 	log "github.com/sirupsen/logrus"
@@ -11,6 +15,7 @@ import (
 	"goauthentik.io/internal/outpost/radius/eap/protocol"
 	"goauthentik.io/internal/outpost/radius/eap/tls"
 	"goauthentik.io/internal/outpost/radius/metrics"
+	"goauthentik.io/internal/utils"
 	"layeh.com/radius"
 	"layeh.com/radius/rfc2865"
 	"layeh.com/radius/rfc2869"
@@ -111,11 +116,9 @@ func (rs *RadiusServer) Handle_AccessRequest_EAP(w radius.ResponseWriter, r *Rad
 		rs.log.WithError(err).Warning("failed to parse EAP packet")
 		return
 	}
-	ep.Handle(r.pi, w, r.Packet)
+	ep.Handle(r.pi, w, r.Request)
 }
 
-// -----------
-
 func (pi *ProviderInstance) GetEAPState(key string) *eap.State {
 	return pi.eapState[key]
 }
@@ -142,6 +145,35 @@ func (pi *ProviderInstance) GetEAPSettings() eap.Settings {
 					Certificates: []ttls.Certificate{cert},
 					ClientAuth:   ttls.RequireAnyClientCert,
 				},
+				HandshakeSuccessful: func(ctx protocol.Context, certs []*x509.Certificate) {
+					pem := pem.EncodeToMemory(&pem.Block{
+						Type:  "CERTIFICATE",
+						Bytes: certs[0].Raw,
+					})
+
+					fe := flow.NewFlowExecutor(context.Background(), pi.flowSlug, pi.s.ac.Client.GetConfig(), log.Fields{
+						// "username":  username,
+						// "client":    r.RemoteAddr(),
+						// "requestId": r.ID(),
+					})
+					fe.DelegateClientIP(utils.GetIP(ctx.Packet().RemoteAddr))
+					fe.Params.Add("goauthentik.io/outpost/radius", "true")
+					fe.AddHeader("X-Authentik-Outpost-Certificate", url.QueryEscape(string(pem)))
+
+					passed, err := fe.Execute()
+					if err != nil {
+						panic(err)
+					}
+					if passed {
+						ctx.EndInnerProtocol(protocol.StatusSuccess, func(p *radius.Packet) *radius.Packet {
+							return p
+						})
+					} else {
+						ctx.EndInnerProtocol(protocol.StatusError, func(p *radius.Packet) *radius.Packet {
+							return p
+						})
+					}
+				},
 			},
 		},
 	}