rubius2 0.1.0

data/lib/generators/rubius/templates/rubius.yml

@@ -0,0 +1,13 @@
+development:
+    host: 127.0.0.1
+    port: 1812
+    timeout: 10
+    secret: secret_key
+    dictionary: radius-dictionary
+
+production:
+    host: 127.0.0.1
+    port: 1812
+    timeout: 10
+    secret: secret_key
+    dictionary: radius-dictionary

data/lib/generators/rubius/templates/rubius_initializer.rb

@@ -0,0 +1,2 @@
+# Initialize Rubius
+Rubius::Rails.init

data/lib/rubius.rb

@@ -0,0 +1,7 @@
+require 'rubius/string'
+
+require 'rubius/exceptions'
+require 'rubius/rails'
+require 'rubius/dictionary'
+require 'rubius/packet'
+require 'rubius/authenticator'

data/lib/rubius/authenticator.rb

@@ -0,0 +1,112 @@
+module Rubius
+  require 'singleton'
+  require 'socket'
+  require 'yaml'
+  
+  class Authenticator
+    include Singleton
+    
+    def initialize
+      @dictionary = Rubius::Dictionary.new
+      @packet = nil
+      @secret = nil
+      
+      @host = nil
+      @port ||= Socket.getservbyname("radius", "udp")
+      @port ||= 1812
+      
+      @timeout = 10
+      
+      @sock = nil
+      
+      @identifier = Process.pid & 0xff
+    end
+    
+    def init_from_config(config_file, env=nil)
+      if env.nil?
+        env = defined?(::Rails) ? ::Rails.env : 'development'
+      end
+      
+      config = YAML.load_file(config_file)
+      raise Rubius::MissingEnvironmentConfiguration unless config.has_key?(env)
+      
+      @host = config[env]["host"]
+      @port = config[env]["port"] if config[env]["port"]
+      @secret = config[env]["secret"]
+      
+      if config[env]["dictionary"]
+        dict = File.join(File.dirname(config_file), config[env]["dictionary"])
+        @dictionary.load(dict) if File.exists?(dict)
+      end
+      
+      @nas_ip = config[env]["nas_ip"] if config[env]["nas_ip"]
+      @nas_ip ||= UDPSocket.open {|s| s.connect(@host, 1); s.addr.last }
+      
+      setup_connection
+    rescue Errno::ENOENT
+      raise Rubius::MissingConfiguration
+    end
+    
+    def authenticate(username, password)
+      init_packet
+      
+      @packet.code = Rubius::Packet::ACCESS_REQUEST
+      @packet.secret = @secret
+      rand_authenticator
+      
+      @packet.set_attribute('User-Name', username)
+      @packet.set_attribute('NAS-IP-Address', @nas_ip)
+      @packet.set_password(password)
+      
+      send_packet
+      recv_packet
+      
+      return(@packet.code == Rubius::Packet::ACCESS_ACCEPT)
+    end
+    
+    def self.authenticate(username, password)
+      Rubius::Authenticator.instance.authenticate(username, password)
+    end
+    
+    private
+    def init_packet
+      increment_identifier!
+      @packet = Rubius::Packet.new(@dictionary)
+      @packet.identifier = @identifier
+    end
+    
+    def increment_identifier!
+      @identifier = (@identifier + 1) & 0xff
+    end
+    
+    def setup_connection
+      @sock = UDPSocket.open
+      @sock.connect(@host, @port)
+    end
+    
+    def rand_authenticator
+      if (File.exists?("/dev/urandom"))
+        File.open("/dev/urandom") { |rand| @packet.authenticator = rand.read(16) }
+      else
+        @packet.authenticator = [rand(65536), rand(65536), rand(65536), rand(65536), rand(65536), rand(65536), rand(65536), rand(65536)].pack("n8")
+      end
+      @packet.authenticator
+    end
+    
+    def send_packet
+      data = @packet.pack
+      increment_identifier!
+      @sock.send(data, 0)
+    end
+    
+    def recv_packet
+      if select([@sock], nil, nil, @timeout) == nil
+        raise "Timed out waiting for response packet from server"
+      end
+      data = @sock.recvfrom(65536)
+      @packet.unpack(data[0])
+      @identifier = @packet.identifier
+      return @packet
+    end
+  end
+end

data/lib/rubius/dictionary.rb

@@ -0,0 +1,86 @@
+module Rubius
+  class Dictionary
+    VENDOR = 'VENDOR'
+    ATTRIBUTE = 'ATTRIBUTE'
+    VALUE = 'VALUE'
+    DEFAULT_VENDOR = 0
+    
+    def initialize
+      @dictionary = Hash.new
+      @dictionary[DEFAULT_VENDOR] = {:name => ''}
+    end
+    
+    def load(dictionary_file)
+      dict_lines = IO.readlines(dictionary_file)
+      
+      vendor_id = DEFAULT_VENDOR
+      skip_until_next_vendor = false
+      
+      dict_lines.each do |line|
+        next if line =~ /^\#/
+        next if (tokens = line.split(/\s+/)).empty?
+        
+        entry_type = tokens[0].upcase
+        case entry_type
+        when VENDOR
+          skip_until_next_vendor = false
+          
+          # If the vendor_id string is nil or empty, we should skip this entire block
+          # until we find another VENDOR definition, also ignore all VALUEs and ATTRIBUTEs
+          # until the next VENDOR because otherwise, they will be included in the wrong VENDOR
+          vendor_id_str = tokens[2]
+          if vendor_id_str.nil? || vendor_id_str.empty?
+            skip_until_next_vendor = true
+            next
+          end
+          
+          # VENDOR id should be higher than 0, skip everything if it isn't
+          vendor_id = vendor_id_str.to_i
+          if vendor_id <= 0
+            skip_until_next_vendor = true
+            next
+          end
+          
+          vendor_name = tokens[1].strip
+          @dictionary[vendor_id] ||= {:name => vendor_name}
+        when ATTRIBUTE
+          next if skip_until_next_vendor
+          next if tokens[1].nil? || tokens[2].to_i <= 0 || tokens[3].nil?
+          @dictionary[vendor_id][tokens[2].to_i] = {:name => tokens[1].strip, :type => tokens[3].strip}
+        when VALUE
+          next if skip_until_next_vendor
+          @dictionary[vendor_id][tokens[1]] = {tokens[2].strip => tokens[3].to_i}
+        end
+      end
+    rescue Errno::ENOENT
+      raise Rubius::InvalidDictionaryError
+    end
+    
+    def vendors
+      @dictionary.collect{|k,v| v[:name]}.reject{|n| n.empty?}
+    end
+    
+    def vendor_name(vendor_id = DEFAULT_VENDOR)
+      @dictionary[vendor_id][:name]
+    end
+    
+    def attribute_name(attr_id, vendor_id = DEFAULT_VENDOR)
+      attribute(attr_id, vendor_id)[:name] rescue nil
+    end
+    
+    def attribute_type(attr_id, vendor_id = DEFAULT_VENDOR)
+      attribute(attr_id, vendor_id)[:type] rescue nil
+    end
+    
+    def attribute_id(attr_name, vendor_id = DEFAULT_VENDOR)
+      vendor_object = @dictionary[vendor_id].reject{|k,v| !v.is_a?(Hash) || v[:name]!=attr_name}
+      vendor_object = vendor_object.to_a if RUBY_VERSION < "1.9.2"
+      vendor_object.flatten.first
+    end
+    
+    private
+    def attribute(attr_id, vendor_id)
+      @dictionary[vendor_id][attr_id] rescue nil
+    end
+  end
+end

data/lib/rubius/exceptions.rb

@@ -0,0 +1,6 @@
+module Rubius
+  class Error < RuntimeError; end
+  class InvalidDictionaryError < Error; end
+  class MissingConfiguration < Error; end
+  class MissingEnvironmentConfiguration < Error; end
+end

data/lib/rubius/packet.rb

@@ -0,0 +1,156 @@
+module Rubius
+  require 'ipaddr'
+  require 'digest/md5'
+  
+  class Packet
+    PACK_HEADER = 'CCna16a*'
+    HEADER_LENGTH = 1 + 1 + 2 + 16
+    VSA_TYPE = 26
+      ACCESS_REQUEST = 'Access-Request'
+      ACCESS_ACCEPT = 'Access-Accept'
+      ACCESS_REJECT = 'Access-Reject'
+      ACCOUNTING_REQUEST = 'Accounting-Request'
+      ACCOUNTING_RESPONSE = 'Accounting-Response'
+      ACCESS_CHALLENGE = 'Access-Challenge'
+      STATUS_SERVER = 'Status-Server'
+      STATUS_CLIENT = 'Status-Client'
+    RESPONSES = {   1 => ACCESS_REQUEST,
+                    2 => ACCESS_ACCEPT,
+                    3 => ACCESS_REJECT,
+                    4 => ACCOUNTING_REQUEST,
+                    5 => ACCOUNTING_RESPONSE,
+                    11 => ACCESS_CHALLENGE,
+                    12 => STATUS_SERVER,
+                    13 => STATUS_CLIENT}
+                    
+    attr_accessor :identifier
+    attr_accessor :secret
+    attr_accessor :code
+    attr_accessor :authenticator
+    
+    def initialize(dictionary)
+      @dictionary = dictionary
+      @attributes = Hash.new
+      @secret = nil
+    end
+    
+    def unpack_attribute(data, type)
+      val = case type 
+      when 'string'
+        data
+      when 'integer'
+        data.unpack("N")[0]
+      when 'ipaddr'
+        IPAddr.new(data, Socket::AF_INET).to_s
+      when 'time'
+        data.unpack("N")[0]
+      when 'date'
+        data.unpack("N")[0]
+      else
+        raise "Unknown type found: #{type}"
+      end
+      
+      val
+    end
+    private :unpack_attribute
+    
+    def pack_attribute(data, type)
+      val = case type
+      when 'string'
+        data
+      when 'integer'
+        [data].pack("N")
+      when 'ipaddr'
+        [IPAddr.new(data).to_i].pack("N")
+      when 'date'
+        [data].pack("N")
+      when 'time'
+        [data].pack("N")
+      else
+        nil
+      end
+      
+      val
+    end
+    
+    def unpack(data)
+      @code, @identifier, @length, @authenticator, attribute_data = data.unpack(PACK_HEADER)
+      @code = RESPONSES[@code]
+      @attributes = Hash.new
+      
+      while(attribute_data.length > 0)
+        # Read the length of the packet data
+        length = attribute_data.unpack("xC")[0].to_i
+        
+        # read the type header to determine if this is a VSA
+        type_id, value = attribute_data.unpack("Cxa#{length-2}")
+        type_id = type_id.to_i
+        
+        if(type_id == VSA_TYPE)
+          # Handle VSA's
+          vendor_id, vendor_attribute_id, vendor_attribute_length = value.unpack("NCC")
+          vendor_attribute_value = value.unpack("xxxxxxa#{vendor_attribute_length-2}")[0]
+          
+          # look up the type of data so we know how to unpack it
+          type = @dictionary.attribute_type(vendor_attribute_id, vendor_id)
+          raise "VSA not found in dictionary (#{vendor_id}/#{vendor_attribute_id})" if type.nil?
+          
+          val = unpack_attribute(vendor_attribute_value, type)
+          set_vendor_attribute(vendor_id, vendor_attribute_id, val)
+        else
+          type = @dictionary.attribute_type(type_id)
+          raise "Attribute not found in dictionary (#{Dictionary::DEFAULT_VENDOR}/#{type_id})" if type.nil?
+          
+          val = unpack_attribute(value, type)
+          set_vendor_attribute(Dictionary::DEFAULT_VENDOR, type_id, val)
+        end
+        attribute_data[0, length] = ''
+      end
+    end
+    
+    def pack
+      attr_string = ''
+      
+      @attributes.each_pair {|key, value|
+        attr_num = @dictionary.attribute_id(key)
+        type = @dictionary.attribute_type(attr_num)
+        val = pack_attribute(value, type)
+        next if val.nil?
+        attr_string += [attr_num, val.length + 2, val].pack("CCa*")
+      }
+      
+      rejected_responses = RESPONSES.reject{|k,v| v!=@code}
+      rejected_responses = rejected_responses.to_a if RUBY_VERSION < "1.9.2"
+      rcode = rejected_responses.flatten.first
+      
+      return [rcode, @identifier, attr_string.length + HEADER_LENGTH, @authenticator, attr_string].pack(PACK_HEADER)
+    end
+    
+    def set_vendor_attribute(vendor_id, attr_id, value)
+      attr_name = @dictionary.attribute_name(attr_id, vendor_id)
+      set_attribute(attr_name, value)
+    end
+    
+    def set_attribute(attr_name, value)
+      @attributes[attr_name] = value
+    end
+    
+    def set_password(password)
+      lastround = @authenticator
+      pwdout = ""
+      password += "\000" * (15-(15+password.length)%16)
+      0.step(password.length-1, 16) {|i|
+        lastround = password[i, 16].xor(Digest::MD5.digest(@secret + lastround))
+        pwdout += lastround
+      }
+      
+      set_attribute("User-Password", pwdout)
+    end
+    
+    def response_authenticator
+      attributes = ''
+      hash_data = [5, @identifier, attributes.length+HEADER_LENGTH, @authenticator, attributes, @secret].pack(PACK_HEADER)
+      digest = Digest::MD5.digest(hash_data)
+    end
+  end
+end

data/lib/rubius/rails.rb

@@ -0,0 +1,18 @@
+module Rubius
+  class Rails
+    def self.init(root = nil, env = nil)
+      base_dir = root
+      if root.nil?
+        root = defined?(::Rails) ?  ::Rails.root : FileUtils.pwd
+        base_dir = File.expand_path(File.join(root, 'config'))
+      end
+      
+      if env.nil?
+        env = defined?(::Rails) ? ::Rails.env : 'development'
+      end
+      
+      config_file = File.join(base_dir, 'rubius.yml')
+      Rubius::Authenticator.instance.init_from_config(config_file, env)
+    end
+  end
+end

data/lib/rubius/string.rb

@@ -0,0 +1,14 @@
+class String
+  def xor(s2)
+    if s2.empty?
+      self
+    else
+      a1 = self.unpack("c*")
+      a2 = s2.unpack("c*")
+      
+      a2 *= 2 while a2.length < a1.length
+      
+      a1.zip(a2).collect{|c1,c2| c1^c2}.pack("c*")
+    end
+  end
+end

data/rubius.gemspec

@@ -0,0 +1,87 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = %q{rubius2}
+  s.version = "0.1.0"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Ralph Rooding"]
+  s.date = %q{2015-07-22}
+  s.description = %q{Rubius provides a simple interface to RADIUS authentication}
+  s.email = %q{ralph@izerion.com}
+  s.extra_rdoc_files = [
+    "LICENSE.txt",
+    "README.rdoc"
+  ]
+  s.files = [
+    ".autotest",
+    "Gemfile",
+    "LICENSE.txt",
+    "README.rdoc",
+    "Rakefile",
+    "VERSION",
+    "lib/generators/rubius/install_generator.rb",
+    "lib/generators/rubius/templates/radius-dictionary",
+    "lib/generators/rubius/templates/rubius.yml",
+    "lib/generators/rubius/templates/rubius_initializer.rb",
+    "lib/rubius.rb",
+    "lib/rubius/authenticator.rb",
+    "lib/rubius/dictionary.rb",
+    "lib/rubius/exceptions.rb",
+    "lib/rubius/packet.rb",
+    "lib/rubius/rails.rb",
+    "lib/rubius/string.rb",
+    "rubius.gemspec",
+    "test/helper.rb",
+    "test/test_authenticator.rb",
+    "test/test_dictionary.rb",
+    "test/test_rails.rb",
+    "test/test_string.rb"
+  ]
+  s.homepage = %q{http://github.com/bytemine/rubius}
+  s.licenses = ["MIT"]
+  s.require_paths = ["lib"]
+  s.rubygems_version = %q{1.5.2}
+  s.summary = %q{A simple ruby RADIUS authentication gem}
+  s.test_files = [
+    "test/helper.rb",
+    "test/test_authenticator.rb",
+    "test/test_dictionary.rb",
+    "test/test_rails.rb",
+    "test/test_string.rb"
+  ]
+
+  if s.respond_to? :specification_version then
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+      s.add_development_dependency(%q<shoulda>, [">= 0"])
+      s.add_development_dependency(%q<bundler>, ["~> 1.0.0"])
+      s.add_development_dependency(%q<jeweler>, ["~> 1.5.2"])
+      s.add_development_dependency(%q<rcov>, [">= 0"])
+      s.add_development_dependency(%q<simplecov>, [">= 0.4.0"])
+      s.add_development_dependency(%q<autotest-standalone>, ["~> 4.5.5"])
+      s.add_development_dependency(%q<mocha>, ["~> 0.9.12"])
+    else
+      s.add_dependency(%q<shoulda>, [">= 0"])
+      s.add_dependency(%q<bundler>, ["~> 1.0.0"])
+      s.add_dependency(%q<jeweler>, ["~> 1.5.2"])
+      s.add_dependency(%q<rcov>, [">= 0"])
+      s.add_dependency(%q<simplecov>, [">= 0.4.0"])
+      s.add_dependency(%q<autotest-standalone>, ["~> 4.5.5"])
+      s.add_dependency(%q<mocha>, ["~> 0.9.12"])
+    end
+  else
+    s.add_dependency(%q<shoulda>, [">= 0"])
+    s.add_dependency(%q<bundler>, ["~> 1.0.0"])
+    s.add_dependency(%q<jeweler>, ["~> 1.5.2"])
+    s.add_dependency(%q<rcov>, [">= 0"])
+    s.add_dependency(%q<simplecov>, [">= 0.4.0"])
+    s.add_dependency(%q<autotest-standalone>, ["~> 4.5.5"])
+    s.add_dependency(%q<mocha>, ["~> 0.9.12"])
+  end
+end
+