diff --git a/.gitignore b/.gitignore
index 3283dcc7a..b4b627791 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,7 +8,6 @@ a.out
*workspace
docs/_*
bin
-.idea
dean*
data/vagrant/.vagrant
data/vagrant/vagrant_ansible_inventory_default
diff --git a/agents/librad.go b/agents/librad.go
index e1ecf36fc..14a30110a 100644
--- a/agents/librad.go
+++ b/agents/librad.go
@@ -19,7 +19,6 @@ along with this program. If not, see
package agents
import (
- "crypto/md5"
"fmt"
"net"
@@ -120,10 +119,10 @@ func (pk *radiusDP) RemoteHost() net.Addr {
return utils.NewNetAddr(pk.req.RemoteAddr().Network(), pk.req.RemoteAddr().String())
}
-//authReq is used to authorize a request
+//radauthReq is used to authorize a request
//if User-Password avp is present use PAP auth
//if CHAP-Password is presented use CHAP auth
-func authReq(req *radigo.Packet, aReq *AgentRequest) (bool, error) {
+func radauthReq(req *radigo.Packet, aReq *AgentRequest) (bool, error) {
// try to get UserPassword from Vars as slice of NMItems
nmItems, err := aReq.Vars.FieldAsInterface([]string{utils.UserPassword})
if err != nil {
@@ -139,35 +138,8 @@ func authReq(req *radigo.Packet, aReq *AgentRequest) (bool, error) {
return false, nil
}
} else {
- return checkAgainstCHAP([]byte(utils.IfaceAsString(nmItems.([]*config.NMItem)[0].Data)),
+ return radigo.AuthenticateCHAP([]byte(utils.IfaceAsString(nmItems.([]*config.NMItem)[0].Data)),
req.Authenticator[:], chapAVPs[0].RawValue), nil
}
return true, nil
}
-
-//checkAgainstCHAP receive the password as plaintext and verify against the chap challenge
-func checkAgainstCHAP(password, authenticator, chapChallenge []byte) bool {
- h := md5.New()
- h.Write(chapChallenge[:1])
- h.Write(password)
- h.Write(authenticator)
- answer := h.Sum(nil)
- if len(answer) != len(chapChallenge[1:]) {
- return false
- }
- for i := range answer {
- if answer[i] != chapChallenge[i+1] {
- return false
- }
- }
- return true
-}
-
-//encodeChap is used in test to encode CHAP-Password raw value
-func encodeChap(password, authenticator, chapIdent []byte) []byte {
- h := md5.New()
- h.Write(chapIdent)
- h.Write(password)
- h.Write(authenticator)
- return h.Sum(nil)
-}
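Review bot: The CHAP branch passes `chapAVPs[0].RawValue` straight to `radigo.AuthenticateCHAP`, and nothing visible in this hunk checks that the attribute has the expected ident byte plus 16-byte digest. The removed `checkAgainstCHAP` would have panicked on an empty value at `chapChallenge[:1]`, so it is worth confirming that the library rejects short values rather than indexing into them. The removed loop also compared the digest byte by byte with an early exit; confirm the library compares in constant time (for example with `subtle.ConstantTimeCompare`). On the same line, the unchecked `nmItems.([]*config.NMItem)[0]` panics if the `UserPassword` variable has another type or is empty, unless code outside the hunk already validates it; a guard such as `items, ok := nmItems.([]*config.NMItem); if !ok || len(items) == 0 { return false, nil }` would turn that into a rejection. The start of radauthReq is outside this hunk.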
diff --git a/agents/radagent.go b/agents/radagent.go
index c7f039f64..ff8710289 100644
--- a/agents/radagent.go
+++ b/agents/radagent.go
@@ -304,10 +304,10 @@ func (ra *RadiusAgent) processRequest(req *radigo.Packet, reqProcessor *config.R
}
case utils.MetaCDRs: // allow this method
case utils.MetaRadauth:
- if ok, err := authReq(req, agReq); err != nil {
+ if ok, err := radauthReq(req, agReq); err != nil {
return false, err
} else if !ok {
- agReq.CGRReply.Set([]string{utils.Error}, "Failed to authenticate request", false, false)
+ agReq.CGRReply.Set([]string{utils.Error}, utils.RadauthFailed, false, false)
}
}
// separate request so we can capture the Terminate/Event also here
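Review bot: On `!ok` this branch only writes `utils.RadauthFailed` into `CGRReply` and then falls through to the rest of processRequest. As far as this hunk shows, the Access-Reject is therefore produced only when the processor's `reply_fields` react to `*cgrep.Error`, and a processor flagged `*radauth` without such fields would apparently not reject a bad password. Either set the reject code here or document the dependency, e.g. `// rejection is emitted by reply_fields filtered on *cgrep.Error; this branch does not set the reply code`. The Reply-Message text seen by the NAS also changes from a sentence to `RADAUTH_FAILED`, so anything matching on the old string will stop matching. processRequest starts and ends outside the hunk.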
diff --git a/agents/radagent_it_test.go b/agents/radagent_it_test.go
index 7073ac030..a7ea35d50 100644
--- a/agents/radagent_it_test.go
+++ b/agents/radagent_it_test.go
@@ -21,7 +21,6 @@ along with this program. If not, see
package agents
import (
- "crypto/rand"
"fmt"
"net/rpc"
"os/exec"
@@ -207,7 +206,7 @@ func testRAitAuthPAPSuccess(t *testing.T) {
t.Error(err)
}
// encode the password as required so we can decode it properly
- authReq.AVPs[1].RawValue = radigo.EncodePass([]byte("CGRateSPassword1"), []byte("CGRateS.org"), authReq.Authenticator[:])
+ authReq.AVPs[1].RawValue = radigo.EncodeUserPassWord([]byte("CGRateSPassword1"), []byte("CGRateS.org"), authReq.Authenticator[:])
if err := authReq.AddAVPWithName("Service-Type", "SIP-Caller-AVPs", ""); err != nil {
t.Error(err)
}
@@ -252,7 +251,7 @@ func testRAitAuthPAPFail(t *testing.T) {
t.Error(err)
}
// encode the password as required so we can decode it properly
- authReq.AVPs[1].RawValue = radigo.EncodePass([]byte("CGRateSPassword2"), []byte("CGRateS.org"), authReq.Authenticator[:])
+ authReq.AVPs[1].RawValue = radigo.EncodeUserPassWord([]byte("CGRateSPassword2"), []byte("CGRateS.org"), authReq.Authenticator[:])
if err := authReq.AddAVPWithName("Service-Type", "SIP-Caller-AVPs", ""); err != nil {
t.Error(err)
}
@@ -280,7 +279,7 @@ func testRAitAuthPAPFail(t *testing.T) {
}
if len(reply.AVPs) != 1 { // make sure max duration is received
t.Errorf("Received AVPs: %+v", reply.AVPs)
- } else if !reflect.DeepEqual("Failed to authenticate request", string(reply.AVPs[0].RawValue)) {
+ } else if !reflect.DeepEqual(utils.RadauthFailed, string(reply.AVPs[0].RawValue)) {
t.Errorf("Received: %s", string(reply.AVPs[0].RawValue))
}
}
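Review bot: `reflect.DeepEqual` on two strings is heavier than needed; `} else if got := string(reply.AVPs[0].RawValue); got != utils.RadauthFailed {` reads more directly and gives a name to reuse in the `t.Errorf`. The trailing comment `// make sure max duration is received` on the length check does not describe an auth-failure assertion and looks carried over from another test. Both points apply equally to the matching hunk in testRAitAuthCHAPFail.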
@@ -296,14 +295,7 @@ func testRAitAuthCHAPSuccess(t *testing.T) {
if err := authReq.AddAVPWithName("CHAP-Password", "CGRateSPassword1", ""); err != nil {
t.Error(err)
}
- // simulate encoding for CHAP-Password
- chapIdent := make([]byte, 1)
- rand.Read(chapIdent)
- chapChallange := encodeChap([]byte("CGRateSPassword1"), authReq.Authenticator[:], chapIdent)
- chapRawVal := make([]byte, 17)
- copy(chapRawVal[:1], chapIdent) // copy the Ident
- copy(chapRawVal[1:], chapChallange) // copy the challange that needs to be verify
- authReq.AVPs[1].RawValue = chapRawVal
+ authReq.AVPs[1].RawValue = radigo.EncodeCHAPPassword([]byte("CGRateSPassword1"), authReq.Authenticator[:])
if err := authReq.AddAVPWithName("Service-Type", "SIP-Caller-AVPs", ""); err != nil {
t.Error(err)
}
@@ -347,13 +339,8 @@ func testRAitAuthCHAPFail(t *testing.T) {
if err := authReq.AddAVPWithName("CHAP-Password", "CGRateSPassword2", ""); err != nil {
t.Error(err)
}
- chapIdent := make([]byte, 1)
- rand.Read(chapIdent)
- chapChallange := encodeChap([]byte("CGRateSPassword2"), authReq.Authenticator[:], chapIdent)
- chapRawVal := make([]byte, 17)
- copy(chapRawVal[:1], chapIdent)
- copy(chapRawVal[1:], chapChallange)
- authReq.AVPs[1].RawValue = chapRawVal
+
+ authReq.AVPs[1].RawValue = radigo.EncodeCHAPPassword([]byte("CGRateSPassword2"), authReq.Authenticator[:])
if err := authReq.AddAVPWithName("Service-Type", "SIP-Caller-AVPs", ""); err != nil {
t.Error(err)
}
@@ -381,7 +368,7 @@ func testRAitAuthCHAPFail(t *testing.T) {
}
if len(reply.AVPs) != 1 { // make sure max duration is received
t.Errorf("Received AVPs: %+v", reply.AVPs)
- } else if !reflect.DeepEqual("Failed to authenticate request", string(reply.AVPs[0].RawValue)) {
+ } else if !reflect.DeepEqual(utils.RadauthFailed, string(reply.AVPs[0].RawValue)) {
t.Errorf("Received: %s", string(reply.AVPs[0].RawValue))
}
}
diff --git a/data/conf/samples/dispatchers/radagent/cgrates.json b/data/conf/samples/dispatchers/radagent/cgrates.json
index 3978d4eff..1937f240f 100644
--- a/data/conf/samples/dispatchers/radagent/cgrates.json
+++ b/data/conf/samples/dispatchers/radagent/cgrates.json
@@ -84,18 +84,19 @@
],
},
{
- "id": "RadiusPAPAuth",
- "filters": ["*string:~*vars.*radReqType:*radAuth","*exists:~*req.User-Password:"],
+ "id": "RadiusAuthProcessor",
+ "filters": ["*string:~*vars.*radReqType:*radAuth"],
"flags": ["*radauth", "*log"],
"request_fields":[
{"tag": "UserPassword", "path": "*vars.UserPassword", "type": "*variable",
"value": "~*cgrep.Attributes.PasswordFromAttributes"},
],
"reply_fields":[
- {"filters": ["*empty:~*cgrep.Error:"], "type": "*none", "blocker": true},
- {"filters": ["*notempty:~*cgrep.Error:"], "type": "*removeall", "path": "*rep"},
- {"tag": "Code", "path": "*rep.*radReplyCode", "type": "*constant", "value": "AccessReject"},
- {"tag": "ReplyMessage", "path": "*rep.Reply-Message", "type": "*variable", "value": "~*cgrep.Error"}
+ {"tag":"RemoveAddedFields", "filters": ["*notempty:~*cgrep.Error:"], "type": "*removeall", "path": "*rep"},
+ {"tag": "Code", "path": "*rep.*radReplyCode", "filters": ["*notempty:~*cgrep.Error:"],
+ "type": "*constant", "value": "AccessReject"},
+ {"tag": "ReplyMessage", "path": "*rep.Reply-Message", "filters": ["*notempty:~*cgrep.Error:"],
+ "type": "*variable", "value": "~*cgrep.Error"}
]
},
{
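Review bot: Dropping `*exists:~*req.User-Password:` from the processor filter means every `*radAuth` request now reaches `RadiusAuthProcessor`, including one that carries neither `User-Password` nor `CHAP-Password`. How radauthReq treats that case is not visible in this commit, so it should be confirmed to end in `AccessReject` and covered by an integration test. With the `*none` blocker removed, the three reply fields each repeat `*notempty:~*cgrep.Error:` and appear to rely on `RemoveAddedFields` being evaluated first; that ordering is worth stating in the sample, since operators copy these files. The same change is repeated in the other six sample configs in this commit (radagent_internal, radagent_internal_gob, radagent_mongo, radagent_mongo_gob, radagent_mysql, radagent_mysql_gob).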
diff --git a/data/conf/samples/radagent_internal/cgrates.json b/data/conf/samples/radagent_internal/cgrates.json
index bbb61f80a..87bf5dd09 100644
--- a/data/conf/samples/radagent_internal/cgrates.json
+++ b/data/conf/samples/radagent_internal/cgrates.json
@@ -96,18 +96,19 @@
],
},
{
- "id": "RadiusPAPAuth",
- "filters": ["*string:~*vars.*radReqType:*radAuth","*exists:~*req.User-Password:"],
+ "id": "RadiusAuthProcessor",
+ "filters": ["*string:~*vars.*radReqType:*radAuth"],
"flags": ["*radauth", "*log"],
"request_fields":[
{"tag": "UserPassword", "path": "*vars.UserPassword", "type": "*variable",
"value": "~*cgrep.Attributes.PasswordFromAttributes"},
],
"reply_fields":[
- {"filters": ["*empty:~*cgrep.Error:"], "type": "*none", "blocker": true},
- {"filters": ["*notempty:~*cgrep.Error:"], "type": "*removeall", "path": "*rep"},
- {"tag": "Code", "path": "*rep.*radReplyCode", "type": "*constant", "value": "AccessReject"},
- {"tag": "ReplyMessage", "path": "*rep.Reply-Message", "type": "*variable", "value": "~*cgrep.Error"}
+ {"tag":"RemoveAddedFields", "filters": ["*notempty:~*cgrep.Error:"], "type": "*removeall", "path": "*rep"},
+ {"tag": "Code", "path": "*rep.*radReplyCode", "filters": ["*notempty:~*cgrep.Error:"],
+ "type": "*constant", "value": "AccessReject"},
+ {"tag": "ReplyMessage", "path": "*rep.Reply-Message", "filters": ["*notempty:~*cgrep.Error:"],
+ "type": "*variable", "value": "~*cgrep.Error"}
]
},
{
diff --git a/data/conf/samples/radagent_internal_gob/cgrates.json b/data/conf/samples/radagent_internal_gob/cgrates.json
index e9866eda0..de820ee01 100644
--- a/data/conf/samples/radagent_internal_gob/cgrates.json
+++ b/data/conf/samples/radagent_internal_gob/cgrates.json
@@ -104,18 +104,19 @@
],
},
{
- "id": "RadiusPAPAuth",
- "filters": ["*string:~*vars.*radReqType:*radAuth","*exists:~*req.User-Password:"],
+ "id": "RadiusAuthProcessor",
+ "filters": ["*string:~*vars.*radReqType:*radAuth"],
"flags": ["*radauth", "*log"],
"request_fields":[
{"tag": "UserPassword", "path": "*vars.UserPassword", "type": "*variable",
"value": "~*cgrep.Attributes.PasswordFromAttributes"},
],
"reply_fields":[
- {"filters": ["*empty:~*cgrep.Error:"], "type": "*none", "blocker": true},
- {"filters": ["*notempty:~*cgrep.Error:"], "type": "*removeall", "path": "*rep"},
- {"tag": "Code", "path": "*rep.*radReplyCode", "type": "*constant", "value": "AccessReject"},
- {"tag": "ReplyMessage", "path": "*rep.Reply-Message", "type": "*variable", "value": "~*cgrep.Error"}
+ {"tag":"RemoveAddedFields", "filters": ["*notempty:~*cgrep.Error:"], "type": "*removeall", "path": "*rep"},
+ {"tag": "Code", "path": "*rep.*radReplyCode", "filters": ["*notempty:~*cgrep.Error:"],
+ "type": "*constant", "value": "AccessReject"},
+ {"tag": "ReplyMessage", "path": "*rep.Reply-Message", "filters": ["*notempty:~*cgrep.Error:"],
+ "type": "*variable", "value": "~*cgrep.Error"}
]
},
{
diff --git a/data/conf/samples/radagent_mongo/cgrates.json b/data/conf/samples/radagent_mongo/cgrates.json
index 48d27c728..8fc2c92dc 100644
--- a/data/conf/samples/radagent_mongo/cgrates.json
+++ b/data/conf/samples/radagent_mongo/cgrates.json
@@ -99,18 +99,19 @@
],
},
{
- "id": "RadiusPAPAuth",
- "filters": ["*string:~*vars.*radReqType:*radAuth","*exists:~*req.User-Password:"],
+ "id": "RadiusAuthProcessor",
+ "filters": ["*string:~*vars.*radReqType:*radAuth"],
"flags": ["*radauth", "*log"],
"request_fields":[
{"tag": "UserPassword", "path": "*vars.UserPassword", "type": "*variable",
"value": "~*cgrep.Attributes.PasswordFromAttributes"},
],
"reply_fields":[
- {"filters": ["*empty:~*cgrep.Error:"], "type": "*none", "blocker": true},
- {"filters": ["*notempty:~*cgrep.Error:"], "type": "*removeall", "path": "*rep"},
- {"tag": "Code", "path": "*rep.*radReplyCode", "type": "*constant", "value": "AccessReject"},
- {"tag": "ReplyMessage", "path": "*rep.Reply-Message", "type": "*variable", "value": "~*cgrep.Error"}
+ {"tag":"RemoveAddedFields", "filters": ["*notempty:~*cgrep.Error:"], "type": "*removeall", "path": "*rep"},
+ {"tag": "Code", "path": "*rep.*radReplyCode", "filters": ["*notempty:~*cgrep.Error:"],
+ "type": "*constant", "value": "AccessReject"},
+ {"tag": "ReplyMessage", "path": "*rep.Reply-Message", "filters": ["*notempty:~*cgrep.Error:"],
+ "type": "*variable", "value": "~*cgrep.Error"}
]
},
{
diff --git a/data/conf/samples/radagent_mongo_gob/cgrates.json b/data/conf/samples/radagent_mongo_gob/cgrates.json
index c1a103a66..7decb638b 100644
--- a/data/conf/samples/radagent_mongo_gob/cgrates.json
+++ b/data/conf/samples/radagent_mongo_gob/cgrates.json
@@ -107,18 +107,19 @@
],
},
{
- "id": "RadiusPAPAuth",
- "filters": ["*string:~*vars.*radReqType:*radAuth","*exists:~*req.User-Password:"],
+ "id": "RadiusAuthProcessor",
+ "filters": ["*string:~*vars.*radReqType:*radAuth"],
"flags": ["*radauth", "*log"],
"request_fields":[
{"tag": "UserPassword", "path": "*vars.UserPassword", "type": "*variable",
"value": "~*cgrep.Attributes.PasswordFromAttributes"},
],
"reply_fields":[
- {"filters": ["*empty:~*cgrep.Error:"], "type": "*none", "blocker": true},
- {"filters": ["*notempty:~*cgrep.Error:"], "type": "*removeall", "path": "*rep"},
- {"tag": "Code", "path": "*rep.*radReplyCode", "type": "*constant", "value": "AccessReject"},
- {"tag": "ReplyMessage", "path": "*rep.Reply-Message", "type": "*variable", "value": "~*cgrep.Error"}
+ {"tag":"RemoveAddedFields", "filters": ["*notempty:~*cgrep.Error:"], "type": "*removeall", "path": "*rep"},
+ {"tag": "Code", "path": "*rep.*radReplyCode", "filters": ["*notempty:~*cgrep.Error:"],
+ "type": "*constant", "value": "AccessReject"},
+ {"tag": "ReplyMessage", "path": "*rep.Reply-Message", "filters": ["*notempty:~*cgrep.Error:"],
+ "type": "*variable", "value": "~*cgrep.Error"}
]
},
{
diff --git a/data/conf/samples/radagent_mysql/cgrates.json b/data/conf/samples/radagent_mysql/cgrates.json
index 513354430..979f99e30 100644
--- a/data/conf/samples/radagent_mysql/cgrates.json
+++ b/data/conf/samples/radagent_mysql/cgrates.json
@@ -95,18 +95,19 @@
],
},
{
- "id": "RadiusPAPAuth",
- "filters": ["*string:~*vars.*radReqType:*radAuth","*exists:~*req.User-Password:"],
+ "id": "RadiusAuthProcessor",
+ "filters": ["*string:~*vars.*radReqType:*radAuth"],
"flags": ["*radauth", "*log"],
"request_fields":[
{"tag": "UserPassword", "path": "*vars.UserPassword", "type": "*variable",
"value": "~*cgrep.Attributes.PasswordFromAttributes"},
],
"reply_fields":[
- {"filters": ["*empty:~*cgrep.Error:"], "type": "*none", "blocker": true},
- {"filters": ["*notempty:~*cgrep.Error:"], "type": "*removeall", "path": "*rep"},
- {"tag": "Code", "path": "*rep.*radReplyCode", "type": "*constant", "value": "AccessReject"},
- {"tag": "ReplyMessage", "path": "*rep.Reply-Message", "type": "*variable", "value": "~*cgrep.Error"}
+ {"tag":"RemoveAddedFields", "filters": ["*notempty:~*cgrep.Error:"], "type": "*removeall", "path": "*rep"},
+ {"tag": "Code", "path": "*rep.*radReplyCode", "filters": ["*notempty:~*cgrep.Error:"],
+ "type": "*constant", "value": "AccessReject"},
+ {"tag": "ReplyMessage", "path": "*rep.Reply-Message", "filters": ["*notempty:~*cgrep.Error:"],
+ "type": "*variable", "value": "~*cgrep.Error"}
]
},
{
diff --git a/data/conf/samples/radagent_mysql_gob/cgrates.json b/data/conf/samples/radagent_mysql_gob/cgrates.json
index 8cef9f440..13301dd77 100644
--- a/data/conf/samples/radagent_mysql_gob/cgrates.json
+++ b/data/conf/samples/radagent_mysql_gob/cgrates.json
@@ -102,18 +102,19 @@
],
},
{
- "id": "RadiusPAPAuth",
- "filters": ["*string:~*vars.*radReqType:*radAuth","*exists:~*req.User-Password:"],
+ "id": "RadiusAuthProcessor",
+ "filters": ["*string:~*vars.*radReqType:*radAuth"],
"flags": ["*radauth", "*log"],
"request_fields":[
{"tag": "UserPassword", "path": "*vars.UserPassword", "type": "*variable",
"value": "~*cgrep.Attributes.PasswordFromAttributes"},
],
"reply_fields":[
- {"filters": ["*empty:~*cgrep.Error:"], "type": "*none", "blocker": true},
- {"filters": ["*notempty:~*cgrep.Error:"], "type": "*removeall", "path": "*rep"},
- {"tag": "Code", "path": "*rep.*radReplyCode", "type": "*constant", "value": "AccessReject"},
- {"tag": "ReplyMessage", "path": "*rep.Reply-Message", "type": "*variable", "value": "~*cgrep.Error"}
+ {"tag":"RemoveAddedFields", "filters": ["*notempty:~*cgrep.Error:"], "type": "*removeall", "path": "*rep"},
+ {"tag": "Code", "path": "*rep.*radReplyCode", "filters": ["*notempty:~*cgrep.Error:"],
+ "type": "*constant", "value": "AccessReject"},
+ {"tag": "ReplyMessage", "path": "*rep.Reply-Message", "filters": ["*notempty:~*cgrep.Error:"],
+ "type": "*variable", "value": "~*cgrep.Error"}
]
},
{
diff --git a/go.mod b/go.mod
index 81a97c5ae..4d5a98818 100644
--- a/go.mod
+++ b/go.mod
@@ -23,7 +23,7 @@ require (
github.com/cgrates/fsock v0.0.0-20190623100231-317895b42f1a
github.com/cgrates/kamevapi v0.0.0-20191001125829-7dbc3ad58817
github.com/cgrates/ltcache v0.0.0-20181016092649-92fb7fa77cca
- github.com/cgrates/radigo v0.0.0-20200318092814-07da25249ae6
+ github.com/cgrates/radigo v0.0.0-20200321121249-9e416fdf1479
github.com/cgrates/rpcclient v0.0.0-20200107134035-188454eb71b3
github.com/creack/pty v1.1.7
github.com/fiorix/go-diameter v3.0.3-0.20190716165154-f4823472d0e0+incompatible
diff --git a/go.sum b/go.sum
index 048c2727b..4349bc91c 100644
--- a/go.sum
+++ b/go.sum
@@ -75,6 +75,8 @@ github.com/cgrates/radigo v0.0.0-20200309151443-bb470a5a5c8d h1:4dDI8QG+rkQTNWws
github.com/cgrates/radigo v0.0.0-20200309151443-bb470a5a5c8d/go.mod h1:mTCzHAYfgZlRe0HorDz+jy2JTrNvNuKkHBAUjDZBWq8=
github.com/cgrates/radigo v0.0.0-20200318092814-07da25249ae6 h1:NLRfnSh1TGtCrgxVnpaSOEiwprmf/sQ+aOTM1kiEvaE=
github.com/cgrates/radigo v0.0.0-20200318092814-07da25249ae6/go.mod h1:mTCzHAYfgZlRe0HorDz+jy2JTrNvNuKkHBAUjDZBWq8=
+github.com/cgrates/radigo v0.0.0-20200321121249-9e416fdf1479 h1:UNareDs0BcycjiSy2ltRlsiaeoohDdt9OQOg55ak5Jc=
+github.com/cgrates/radigo v0.0.0-20200321121249-9e416fdf1479/go.mod h1:mTCzHAYfgZlRe0HorDz+jy2JTrNvNuKkHBAUjDZBWq8=
github.com/cgrates/rpcclient v0.0.0-20190505150825-8fcc68b2c38b h1:GC+/hEDN/2Frh8Tjkf7u1XFxj0Z2XtwjBxj0OH6Mzhw=
github.com/cgrates/rpcclient v0.0.0-20190505150825-8fcc68b2c38b/go.mod h1:Jy5Lv0y57OlxlNATKrkyAxgftYLHqXuxONgd4qsAC1U=
github.com/cgrates/rpcclient v0.0.0-20191115092211-732f09b356e3 h1:Hr038ZfPZz87OKLV4pRSzf3U06lZ8zjl/cXpwrv7hCM=
diff --git a/utils/consts.go b/utils/consts.go
index fcfff939a..7ebaf2258 100755
--- a/utils/consts.go
+++ b/utils/consts.go
@@ -709,6 +709,7 @@ const (
FileName = "FileName"
MetaRadauth = "*radauth"
UserPassword = "UserPassword"
+ RadauthFailed = "RADAUTH_FAILED"
)
// Migrator Action