radiusrb 1.0.0.pre

data/lib/radiusrb/packet.rb

@@ -0,0 +1,312 @@
+# This file is part of the RadiusRB library for Ruby.
+# Copyright (C) 2011 Davide Guerri <davide.guerri@gmail.com>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 3
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+module RadiusRB
+
+  require 'digest/md5'
+  require 'ipaddr_extensions'
+
+  class Packet
+
+    CODES = { 'Access-Request' => 1,        'Access-Accept' => 2,
+              'Access-Reject' => 3,         'Accounting-Request' => 4,
+              'Accounting-Response' => 5,   'Access-Challenge' => 11,
+              'Status-Server' => 12,        'Status-Client' => 13 }
+
+
+    HDRLEN = 1 + 1 + 2 + 16	# size of packet header
+    P_HDR = "CCna16a*"	# pack template for header
+    P_ATTR = "CCa*"		# pack template for attribute
+
+    attr_accessor :code
+    attr_reader :id, :attributes, :authenticator
+
+    def initialize(dictionary, id, data = nil)
+      @dict = dictionary
+      @id = id
+      unset_all_attributes
+      if data
+        @packed = data
+        self.unpack
+      end
+      self
+    end
+
+    def increment_id
+      @id = (@id + 1) & 0xff
+    end
+
+    def to_a
+      @attributes.to_a
+    end
+
+    # Generate an authenticator. It will try to use /dev/urandom if
+    # possible, or the system rand call if that's not available.
+    def gen_auth_authenticator
+      if (File.exist?("/dev/urandom"))
+        File.open("/dev/urandom") do |urandom|
+          @authenticator = urandom.read(16)
+        end
+      else
+        @authenticator = []
+        8.times do
+          @authenticator << rand(65536)
+        end
+        @authenticator = @authenticator.pack("n8")
+      end
+    end
+
+    def gen_acct_authenticator(secret)
+      # From RFC2866
+      # Request Authenticator
+      # 
+      #       In Accounting-Request Packets, the Authenticator value is a 16
+      #       octet MD5 [5] checksum, called the Request Authenticator.
+      # 
+      #       The NAS and RADIUS accounting server share a secret.  The Request
+      #       Authenticator field in Accounting-Request packets contains a one-
+      #       way MD5 hash calculated over a stream of octets consisting of the
+      #       Code + Identifier + Length + 16 zero octets + request attributes +
+      #       shared secret (where + indicates concatenation).  The 16 octet MD5
+      #       hash value is stored in the Authenticator field of the
+      #       Accounting-Request packet.
+      # 
+      #       Note that the Request Authenticator of an Accounting-Request can
+      #       not be done the same way as the Request Authenticator of a RADIUS
+      #       Access-Request, because there is no User-Password attribute in an
+      #       Accounting-Request.
+      #       
+      @authenticator = "\000"*16
+      @authenticator = Digest::MD5.digest(pack + secret)
+      @packed = nil
+      @authenticator
+    end
+
+    def gen_response_authenticator(secret, request_authenticator)
+      @authenticator = request_authenticator
+      @authenticator = Digest::MD5.digest(pack + secret)
+      @packed = nil
+      @authenticator
+    end
+
+    def validate_acct_authenticator(secret)
+      if @authenticator
+        original_authenticator = @authenticator
+        if gen_acct_authenticator(secret) == original_authenticator
+          true
+        else
+          @authenticator = original_authenticator
+          false
+        end
+      else
+        false
+      end
+    end
+
+    def set_attribute(name, value)
+      @attributes[name] = Attribute.new(@dict, name, value)
+    end
+
+    def unset_attribute(name)
+      @attributes.delete(name)
+    end
+
+    def attribute(name)
+      if @attributes[name]
+        @attributes[name].value
+      end
+    end
+
+    def unset_all_attributes
+      @attributes = {}
+    end
+
+    def set_encoded_attribute(name, value, secret)
+      @attributes[name] = Attribute.new(@dict, name, encode(value, secret))
+    end
+
+    def decode_attribute(name, secret)
+      if @attributes[name]
+        decode(@attributes[name].value.to_s, secret)
+      end
+    end
+
+    def pack
+      attstr = ""
+      @attributes.values.each do |attribute|
+        attstr += attribute.pack
+      end
+      @packed = [CODES[@code], @id, attstr.length + HDRLEN, @authenticator, attstr].pack(P_HDR)
+    end
+
+    protected
+
+    def unpack
+      @code, @id, len, @authenticator, attribute_data = @packed.unpack(P_HDR)
+      @code = CODES.key(@code)
+
+      unset_all_attributes
+
+      while attribute_data.length > 0 do
+        length = attribute_data.unpack("xC").first.to_i
+        attribute_type, attribute_value = attribute_data.unpack("Cxa#{length-2}")
+        attribute_type = attribute_type.to_i
+
+        attribute = @dict.find_attribute_by_id(attribute_type)
+        attribute_value = case attribute.type
+        when 'string'
+          attribute_value
+        when 'integer'
+          attribute.has_values? ? attribute.find_values_by_id(attribute_value.unpack("N")[0]).name : attribute_value.unpack("N")[0]
+        when 'ipaddr'
+          attribute_value.unpack("N")[0].to_ip.to_s
+        when 'time'
+          attribute_value.unpack("N")[0]
+        when 'date'
+          attribute_value.unpack("N")[0]
+        end
+
+        set_attribute(attribute.name, attribute_value) if attribute
+        attribute_data[0, length] = ""
+      end
+    end
+
+    def xor_str(str1, str2)
+      i = 0
+      newstr = ""
+      str1.each_byte do |c1|
+        c2 = str2.bytes.to_a[i]
+        newstr = newstr << (c1 ^ c2)
+        i = i+1
+      end
+      newstr
+    end
+
+    def encode(value, secret)
+      lastround = @authenticator
+      encoded_value = ""
+      # pad to 16n bytes
+      value += "\000" * (15-(15 + value.length) % 16)
+      0.step(value.length-1, 16) do |i|
+        lastround = xor_str(value[i, 16], Digest::MD5.digest(secret + lastround) )
+        encoded_value += lastround
+      end
+      encoded_value
+    end
+
+    def decode(value, secret)
+      decoded_value = ""
+      lastround = @authenticator
+      0.step(value.length-1, 16) do |i|
+	      decoded_value = xor_str(value[i, 16], Digest::MD5.digest(secret + lastround))
+	      lastround = value[i, 16]
+      end
+
+      decoded_value.gsub!(/\000+/, "") if decoded_value
+      decoded_value[value.length, -1] = "" unless (decoded_value.length <= value.length)
+      return decoded_value
+    end
+
+    class Attribute
+
+      attr_reader :dict, :name, :vendor
+      attr_accessor :value
+
+      def initialize dict, name, value, vendor=nil
+        @dict = dict
+        # This is the cheapest and easiest way to add VSA's!
+        if (name && (chunks = name.split('/')) && (chunks.size == 2))
+          @vendor = chunks[0]
+          @name = chunks[1]
+        else
+          @name = name
+        end
+        @vendor ||= vendor
+        @value = value.is_a?(Attribute) ? value.to_s : value
+      end
+
+      def vendor?
+        !!@vendor
+      end
+
+      def pack
+        attribute = if (vendor? && (@dict.vendors.find_by_name(@vendor)))
+                      @dict.vendors.find_by_name(@vendor).attributes.find_by_name(@name)
+                    else
+                      @dict.find_attribute_by_name(@name)
+                    end
+        raise "Undefined attribute '#{@name}'." if attribute.nil?
+
+        if vendor?
+          pack_vendor_specific_attribute attribute
+        else
+          pack_attribute attribute
+        end
+      end
+
+      def inspect
+        @value
+      end
+
+      def to_s
+        @value
+      end
+
+      private
+
+      def pack_vendor_specific_attribute attribute
+        inside_attribute = pack_attribute attribute
+        vid = attribute.vendor.id.to_i
+        header = [ 26, inside_attribute.size + 6 ].pack("CC") # 26: Type = Vendor-Specific, 4: length of Vendor-Id field
+        header += [ 0, vid >> 16, vid >> 8, vid ].pack("CCCC") # first byte of Vendor-Id is 0
+        header + inside_attribute
+      end
+
+      def pack_attribute attribute
+        anum = attribute.id
+        val = case attribute.type
+              when "string"
+                @value
+              when "integer"
+                raise "Invalid value name '#{@value}'." if attribute.has_values? && attribute.find_values_by_name(@value).nil?
+                [attribute.has_values? ? attribute.find_values_by_name(@value).id : @value].pack("N")
+              when "ipaddr"
+                [@value.to_ip.to_i].pack("N")
+              when "ipv6addr"
+                ipi = @value.to_ip.to_i
+                [ ipi >> 96, ipi >> 64, ipi >> 32, ipi ].pack("NNNN")
+              when "date"
+                [@value].pack("N")
+              when "time"
+                [@value].pack("N")
+              else
+                ""
+              end
+        begin
+        [anum, 
+          val.length + 2, 
+          val
+        ].pack(P_ATTR)
+        rescue 
+          puts "#{@name} => #{@value}"
+          puts [anum, val.length + 2, val].inspect
+        end
+      end
+
+    end
+  end
+end

data/lib/radiusrb/request.rb

@@ -0,0 +1,141 @@
+# This file is part of the RadiusRB library for Ruby.
+# Copyright (C) 2011 Davide Guerri <davide.guerri@gmail.com>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 3
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+module RadiusRB
+
+  require 'socket'
+
+  class Request
+
+    def initialize(server, options = {})
+      @dict = options[:dict].nil? ? Dictionary.default : options[:dict]
+      @nas_ip = options[:nas_ip] || get_my_ip(@host)
+      @nas_identifier = options[:nas_identifier] || @nas_ip
+      @reply_timeout = options[:reply_timeout].nil? ? 60 : options[:reply_timeout].to_i
+      @retries_number = options[:retries_number].nil? ? 1 : options[:retries_number].to_i
+
+      @host, @port = server.split(":")
+
+      @port = Socket.getservbyname("radius", "udp") unless @port
+      @port = 1812 unless @port
+      @port = @port.to_i	# just in case
+      @socket = UDPSocket.open
+      @socket.connect(@host, @port)
+    end
+
+    def authenticate(name, password, secret, user_attributes = {})
+      @packet = Packet.new(@dict, Process.pid & 0xff)
+      @packet.gen_auth_authenticator
+      @packet.code = 'Access-Request'
+      @packet.set_attribute('User-Name', name)
+      @packet.set_attribute('NAS-Identifier', @nas_identifier)
+      @packet.set_attribute('NAS-IP-Address', @nas_ip)
+      @packet.set_encoded_attribute('User-Password', password, secret)
+
+      user_attributes.each_pair do |name, value|
+        @packet.set_attribute(name, value)
+      end
+
+      begin
+        send_packet
+        @recieved_packet = recv_packet(@reply_timeout)
+      rescue Exception => e
+        retry if (@retries_number -= 1) > 0
+        raise
+      end
+
+      reply = { :code => @recieved_packet.code }
+      reply.merge @recieved_packet.attributes
+    end
+    
+    def accounting_request(status_type, name, secret, sessionid, user_attributes = {})
+
+      @packet = Packet.new(@dict, Process.pid & 0xff)
+      @packet.code = 'Accounting-Request'
+
+      @packet.set_attribute('User-Name', name)
+      @packet.set_attribute('NAS-Identifier', @nas_identifier)
+      @packet.set_attribute('NAS-IP-Address', @nas_ip)
+      @packet.set_attribute('Acct-Status-Type', status_type)
+      @packet.set_attribute('Acct-Session-Id', sessionid)
+      @packet.set_attribute('Acct-Authentic', 'RADIUS')
+
+      user_attributes.each_pair do |name, value|
+        @packet.set_attribute(name, value)
+      end
+
+      @packet.gen_acct_authenticator(secret)
+
+      begin
+        send_packet
+        @recieved_packet = recv_packet(@reply_timeout)
+      rescue Exception => e
+        retry if (@retries_number -= 1) > 0
+        raise
+      end
+
+      return true
+    end
+
+    def accounting_start(name, secret, sessionid, options = {})
+      accounting_request('Start', name, secret, sessionid, options)
+    end
+
+    def accounting_update(name, secret, sessionid, options = {})
+      accounting_request('Interim-Update', name, secret, sessionid, options)
+    end
+
+    def accounting_stop(name, secret, sessionid, options = {})
+      accounting_request('Stop', name, secret, sessionid, options)
+    end
+
+    def inspect
+      to_s
+    end
+
+    private
+
+    def send_packet
+      data = @packet.pack
+      @packet.increment_id
+      @socket.send(data, 0)
+    end
+
+    def recv_packet(timeout)
+      if select([@socket], nil, nil, timeout.to_i) == nil
+        raise "Timed out waiting for response packet from server"
+      end
+      data = @socket.recvfrom(64)
+      Packet.new(@dict, Process.pid & 0xff, data[0])
+    end
+
+    #looks up the source IP address with a route to the specified destination
+    def get_my_ip(dest_address)
+      orig_reverse_lookup_setting = Socket.do_not_reverse_lookup
+      Socket.do_not_reverse_lookup = true
+
+      UDPSocket.open do |sock|
+        sock.connect dest_address, 1
+        sock.addr.last
+      end
+    ensure
+       Socket.do_not_reverse_lookup = orig_reverse_lookup_setting
+    end
+
+  end
+
+end

data/lib/radiusrb/vendor.rb

@@ -0,0 +1,77 @@
+# This file is part of the RadiusRB library for Ruby.
+# Copyright (C) 2011 Davide Guerri <davide.guerri@gmail.com>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 3
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+module RadiusRB
+
+  class VendorCollection < Array
+
+    def initialize
+      @collection = {}
+      @revcollection = []
+    end
+
+    def add(id, name)
+      @collection[name] ||= Vendor.new(name, id)
+      @revcollection[id.to_i] ||= @collection[name]
+      self << @collection[name]
+    end
+
+    def find_by_name(name)
+      @collection[name]
+    end
+
+    def find_by_id(id)
+      @revcollection[id.to_i]
+    end
+
+  end
+
+  class Vendor
+
+    include RadiusRB
+
+    attr_reader :name, :id
+
+    def initialize(name, id)
+      @name = name
+      @id = id
+      @attributes = AttributesCollection.new self
+    end
+
+    def add_attribute(name, id, type)
+      @attributes.add(name, id, type)
+    end
+
+    def find_attribute_by_name(name)
+      @attributes.find_by_name(name)
+    end
+
+    def find_attribute_by_id(id)
+      @attributes.find_by_id(id.to_i)
+    end
+
+    def has_attributes?
+      !@attributes.empty?
+    end
+
+    def attributes
+      @attributes
+    end
+
+  end
+
+end

data/lib/radiusrb/version.rb

@@ -0,0 +1,27 @@
+# This file is part of the RadiusRB library for Ruby.
+# Copyright (C) 2011 Davide Guerri <davide.guerri@gmail.com>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 3
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+module RadiusRB
+  module Version
+    MAJOR = 1
+    MINOR = 0
+    PATCH = 0
+    BUILD = 'pre'
+
+    STRING = [MAJOR, MINOR, PATCH, BUILD].compact.join('.')
+  end
+end

data/lib/radiusrb.rb

@@ -0,0 +1,75 @@
+# This file is part of the RadiusRB library for Ruby.
+# Copyright (C) 2011 Davide Guerri <davide.guerri@gmail.com>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 3
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+module RadiusRB
+
+  # :stopdoc:
+  LIBPATH = ::File.expand_path(::File.dirname(__FILE__)) + ::File::SEPARATOR
+  PATH = ::File.dirname(LIBPATH) + ::File::SEPARATOR
+  # :startdoc:
+
+  # Returns the library path for the module. If any arguments are given,
+  # they will be joined to the end of the library path using
+  # <tt>File.join</tt>.
+  #
+  def self.libpath( *args, &block )
+    rv =  args.empty? ? LIBPATH : ::File.join(LIBPATH, args.flatten)
+    if block
+      begin
+        $LOAD_PATH.unshift LIBPATH
+        rv = block.call
+      ensure
+        $LOAD_PATH.shift
+      end
+    end
+    return rv
+  end
+
+  # Returns the lpath for the module. If any arguments are given,
+  # they will be joined to the end of the path using
+  # <tt>File.join</tt>.
+  #
+  def self.path( *args, &block )
+    rv = args.empty? ? PATH : ::File.join(PATH, args.flatten)
+    if block
+      begin
+        $LOAD_PATH.unshift PATH
+        rv = block.call
+      ensure
+        $LOAD_PATH.shift
+      end
+    end
+    return rv
+  end
+
+  # Utility method used to require all files ending in .rb that lie in the
+  # directory below this file that has the same name as the filename passed
+  # in. Optionally, a specific _directory_ name can be passed in such that
+  # the _filename_ does not have to be equivalent to the directory.
+  #
+  def self.require_all_libs_relative_to( fname, dir = nil )
+    dir ||= ::File.basename(fname, '.*')
+    search_me = ::File.expand_path(
+        ::File.join(::File.dirname(fname), dir, '**', '*.rb'))
+
+    Dir.glob(search_me).sort.each {|rb| require rb}
+  end
+
+end  # module RadiusRB
+
+RadiusRB.require_all_libs_relative_to(__FILE__)
+

data/test/helper.rb

@@ -0,0 +1,18 @@
+require 'rubygems'
+require 'bundler'
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+require 'test/unit'
+require 'shoulda'
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+require 'radiusrb'
+
+class Test::Unit::TestCase
+end

data/test/test_radiusrb.rb

@@ -0,0 +1,7 @@
+require 'helper'
+
+class TestRadiusrb < Test::Unit::TestCase
+  should "probably rename this file and start testing for real" do
+    flunk "hey buddy, you should probably rename this file and start testing for real"
+  end
+end