quote identity types, adds validator

Author: stgmsa

conf/radiusd/eap.conf.example

@@ -857,6 +857,49 @@ eap [% key -%] {
 		#
 		tls = [% eap.$key.teap_config.tls %]
 
+		default_eap_type = mschapv2
+
+
+		#  Set the EAP type for user / machine authentication.
+		#
+		#  If set, these values over-ride "default_eap_type"
+		#
+		#  These values can be over-ridden at run time by setting
+		#
+		#	&session-state:TEAP-Type-User = ...
+		#
+		#  and
+		#	&session-state:TEAP-Type-Machine = ...
+		#
+		#  The values for those attributes are the same as for EAP-Type.
+		#
+		#  Note that if you try to use "EAP-Type := TEAP" in the
+		#  "inner-tunnel" virtual server, it will not work.
+
+		#  PASSWORDS
+		#
+		#  Some supplicants support password authentication inside of
+		#  TEAP.  This can be configured automatically by setting
+		#
+		#	identity_type = "user"
+		#
+		#  and then not setting "default_eap_type" or
+		#  "user_eap_type".  The TEAP module will then
+		#  automatically initiate password authentication.
+		#
+		#  The user credentials are placed into the User-Name
+		#  and User-Password attributes inside of the
+		#  "inner-tunnel" virtual server.  These attributes
+		#  are not sent in TEAP, but are created by the module
+		#  from the Basic-Password-Auth-Resp TLV which is in TEAP.
+		#
+		#  Supported authentication methods inside of TEAP are
+		#  EAP-TLS, EAP-MSCHAPv2, and PAP.
+
+		user_eap_type = tls
+		machine_eap_type = mschapv2
+
+		#
 		#  If 'cipher_list' is set here, it will over-ride the
 		#  'cipher_list' configuration from the 'tls-common'
 		#  configuration.  The EAP-TEAP module has it's own
@@ -871,11 +914,6 @@ eap [% key -%] {
 		#
 		#cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"
 
-		#pac = no
-		#  PAC lifetime in seconds (default: seven days)
-		#
-		# pac_lifetime = 604800
-
 		#  Authority ID of the server
 		#
 		#  If you are running a cluster of RADIUS servers, you should make
@@ -885,7 +923,24 @@ eap [% key -%] {
 		#
 		authority_identity = [% eap.$key.teap_config.authority_identity %]
 
-		identity_types = [% eap.$key.teap_config.identity_types %]
+
+		#
+		#  Automatically go through the workflow of first machine, then user
+		#  authentication.
+		#
+		#  allowed values:  	"machine,user"
+		#  	   					"user,machine"
+		#						"user"
+		#						"machine"
+		#
+		#  If this isn't set, then TEAP likely won't work.
+		#
+		#  This configuration sets &session-state:FreeRADIUS-EAP-TEAP-TLV-Identity-Type with the
+		#  relevant values.  The TEAP module then picks those values, in order, to authenticate the
+		#  chosen identity.  You can set &session-state:FreeRADIUS-EAP-TEAP-TLV-Identity-Type
+		#  manually, but that is substantially more complicated.
+		#
+		identity_types = "[% eap.$key.teap_config.identity_types %]"
 
 		#  PAC Opaque encryption key (must be exactly 32 bytes in size)
 		#

html/pfappserver/root/src/views/Configuration/radius/teap/schema.js

@@ -4,9 +4,7 @@ import yup from '@/utils/yup'
 
 yup.addMethod(yup.string, 'radiusTeapIdNotExistsExcept', function (exceptId = '', message) {
   return this.test({
-    name: 'radiusTeapIdNotExistsExcept',
-    message: message || i18n.t('Identifier exists.'),
-    test: (value) => {
+    name: 'radiusTeapIdNotExistsExcept', message: message || i18n.t('Identifier exists.'), test: (value) => {
       if (!value || value.toLowerCase() === exceptId.toLowerCase()) return true
       return store.dispatch('config/getRadiusTeaps').then(response => {
         return response.filter(teap => teap.id.toLowerCase() === value.toLowerCase()).length === 0
@@ -19,19 +17,19 @@ yup.addMethod(yup.string, 'radiusTeapIdNotExistsExcept', function (exceptId = ''
 
 export default (props) => {
   const {
-    id,
-    isNew,
-    isClone
+    id, isNew, isClone
   } = props
 
   return yup.object().shape({
     id: yup.string()
       .nullable()
       .required(i18n.t('Identifier required.'))
+      .max(20)
+      .isAlphaNumericHyphenUnderscoreDot()
       .radiusTeapIdNotExistsExcept((!isNew && !isClone) ? id : undefined, i18n.t('Identifier exists.')),
     authority_identity: yup.string().nullable().label(i18n.t('Authority Identity')),
     identity_types: yup.string().nullable().label(i18n.t('Identity Types')),
-    pac_opaque_key: yup.string().nullable().label(i18n.t('Key')),
+    pac_opaque_key: yup.string().nullable().min(32).max(32).isHash().label(i18n.t('Key')),
     tls: yup.string().nullable().label(i18n.t('TLS Profile'))
   })
 }

t/venom/test_suites/wired_dot1x_eap_teap/00_enable_node_cleanup_task.yml

@@ -0,0 +1,40 @@
+name: Enable node_cleanup maintenance task and change the delete_window
+testcases:
+- name: get_login_token
+  steps:
+  - type: get_login_token
+
+- name: enable_node_cleanup_task
+  steps:
+  - type: http
+    method: PATCH
+    url: '{{.pfserver_webadmin_url}}/api/v1/config/maintenance_task/node_cleanup'
+    ignore_verify_ssl: true
+    body: >-
+      {
+        "status": "enabled"
+      }
+    headers:
+      "Authorization": "{{.get_login_token.result.token}}"
+      "Content-Type": "application/json"
+    assertions:
+      - result.statuscode ShouldEqual 200
+
+- name: change_delete_window
+  steps:
+  - type: http
+    method: PATCH
+    url: '{{.pfserver_webadmin_url}}/api/v1/config/maintenance_task/node_cleanup'
+    ignore_verify_ssl: true
+    body: >-
+      {
+        "delete_window": {
+          "interval": "{{.node_cleanup.delete_window.interval}}",
+          "unit": "{{.node_cleanup.delete_window.unit}}"
+        }
+      }
+    headers:
+      "Authorization": "{{.get_login_token.result.token}}"
+      "Content-Type": "application/json"
+    assertions:
+      - result.statuscode ShouldEqual 200

t/venom/test_suites/wired_dot1x_eap_teap/02_restart_pfcron_service.yml

@@ -0,0 +1,6 @@
+name: Restart pfcron service
+testcases:
+- name: restart_pfcron_service
+  steps:
+  - type: pf_api_service_restart_async 
+    service: 'pfcron'

t/venom/test_suites/wired_dot1x_eap_teap/06_join_domain.yml

@@ -0,0 +1,71 @@
+name: Join domain
+vars:
+  # temp, workaround for https://github.com/ovh/venom/issues/445
+  # pf only accepts hostname with less than 14 characters
+  random_server_name: "{{ randAlpha 13 }}"
+  random_ad_domain_id: "{{ randAlpha 7 }}"
+  random_machine_account_password: "{{ randAlpha 16 }}"
+testcases:
+- name: get_login_token
+  steps:
+  - type: get_login_token
+
+- name: create_domain
+  steps:
+  - type: http
+    method: POST
+    url: '{{.pfserver_webadmin_url}}/api/v1/config/domains'
+    ignore_verify_ssl: true
+    body: >-
+      {
+        "ad_fqdn": "ad.example.lan",
+        "ad_server": "{{.ad_mgmt_ip}}",
+        "bind_dn": "{{.ad_domain_admin_user}}",
+        "bind_pass": "{{.ad_domain_admin_password}}",
+        "dns_name": "{{.ad_dns_domain}}",
+        "dns_servers": "{{.ad_mgmt_ip}}",
+        "id": "{{.random_ad_domain_id}}",
+        "ntlm_cache": null,
+        "ntlm_cache_expiry": 3600,
+        "ntlm_cache_source": null,
+        "ntlmv2_only": null,
+        "ou": "Computers",
+        "registration": null,
+        "server_name": "{{.random_server_name}}",
+        "status": "enabled",
+        "sticky_dc": "*",
+        "workgroup": "{{.ad_domain_upper}}",
+        "machine_account_password": "{{.random_machine_account_password}}"
+      }
+    headers:
+      "Authorization": "{{.get_login_token.result.token}}"
+      "Content-Type": "application/json"
+    assertions:
+      - result.statuscode ShouldEqual 201
+
+- name: start_ntlm_auth_api_service
+  steps:
+    - type: pf_api_service_start_async
+      service: 'ntlm-auth-api'
+
+- name: sleep_some_time
+  steps:
+    - type: exec
+      script: sleep 10
+
+- name: test_machine_account
+  steps:
+    - type: http
+      method: POST
+      url: '{{.pfserver_webadmin_url}}/api/v1/ntlm/test'
+      ignore_verify_ssl: true
+      body: >-
+        {
+          "id": "{{.random_ad_domain_id}}",
+          "machine_account_password": "{{.random_machine_account_password}}"
+        }
+      headers:
+        "Authorization": "{{.get_login_token.result.token}}"
+        "Content-Type": "application/json"
+      assertions:
+        - result.statuscode ShouldEqual 200

t/venom/test_suites/wired_dot1x_eap_teap/07_create_realms.yml

@@ -0,0 +1,116 @@
+name: Create and configure REALMS
+testcases:
+- name: get_login_token
+  steps:
+  - type: get_login_token
+
+- name: get_ad_domain_id
+  steps:
+  - type: http
+    method: GET
+    url: '{{.pfserver_webadmin_url}}/api/v1/config/domains'
+    ignore_verify_ssl: true
+    headers:
+      "Authorization": "{{.get_login_token.result.token}}"
+      "Content-Type": "application/json"
+    assertions:
+      - result.statuscode ShouldEqual 200
+    vars:
+      domain_id:
+        from: result.bodyjson.items.items0.id
+
+- name: create_realms
+  steps:
+  - type: http
+    method: POST
+    url: '{{.pfserver_webadmin_url}}/api/v1/config/realms'
+    ignore_verify_ssl: true
+    body: >-
+      {
+        "admin_strip_username": "enabled",
+        "domain": "{{.get_ad_domain_id.domain_id}}",
+        "eduroam_options": null,
+        "eduroam_radius_acct": null,
+        "eduroam_radius_acct_proxy_type": "load-balance",
+        "eduroam_radius_auth": null,
+        "eduroam_radius_auth_compute_in_pf": "enabled",
+        "eduroam_radius_auth_proxy_type": "keyed-balance",
+        "id": "{{.ad_domain_upper}}",
+        "ldap_source": null,
+        "options": null,
+        "permit_custom_attributes": "disabled",
+        "portal_strip_username": "enabled",
+        "radius_acct": null,
+        "radius_acct_proxy_type": "load-balance",
+        "radius_auth": null,
+        "radius_auth_compute_in_pf": "enabled",
+        "radius_auth_proxy_type": "keyed-balance",
+        "radius_strip_username": "enabled"
+      }
+    headers:
+      "Authorization": "{{.get_login_token.result.token}}"
+      "Content-Type": "application/json"
+    assertions:
+      - result.statuscode ShouldEqual 201
+
+  - type: http
+    method: POST
+    url: '{{.pfserver_webadmin_url}}/api/v1/config/realms'
+    ignore_verify_ssl: true
+    body: >-
+      {
+        "admin_strip_username": "enabled",
+        "domain": "{{.get_ad_domain_id.domain_id}}",
+        "eduroam_options": null,
+        "eduroam_radius_acct": null,
+        "eduroam_radius_acct_proxy_type": "load-balance",
+        "eduroam_radius_auth": null,
+        "eduroam_radius_auth_compute_in_pf": "enabled",
+        "eduroam_radius_auth_proxy_type": "keyed-balance",
+        "id": "{{.ad_dns_domain}}",
+        "ldap_source": null,
+        "options": null,
+        "permit_custom_attributes": "disabled",
+        "portal_strip_username": "enabled",
+        "radius_acct": null,
+        "radius_acct_proxy_type": "load-balance",
+        "radius_auth": null,
+        "radius_auth_compute_in_pf": "enabled",
+        "radius_auth_proxy_type": "keyed-balance",
+        "radius_strip_username": "enabled"
+      }
+    headers:
+      "Authorization": "{{.get_login_token.result.token}}"
+      "Content-Type": "application/json"
+    assertions:
+      - result.statuscode ShouldEqual 201
+
+- name: modify_builtin_realms
+  steps:
+  - type: http
+    method: PATCH
+    url: '{{.pfserver_webadmin_url}}/api/v1/config/realm/DEFAULT'
+    ignore_verify_ssl: true
+    body: >-
+      {
+        "domain": "{{.get_ad_domain_id.domain_id}}"
+      }
+    headers:
+      "Authorization": "{{.get_login_token.result.token}}"
+      "Content-Type": "application/json"
+    assertions:
+      - result.statuscode ShouldEqual 200
+
+  - type: http
+    method: PATCH
+    url: '{{.pfserver_webadmin_url}}/api/v1/config/realm/NULL'
+    ignore_verify_ssl: true
+    body: >-
+      {
+        "domain": "{{.get_ad_domain_id.domain_id}}"
+      }
+    headers:
+      "Authorization": "{{.get_login_token.result.token}}"
+      "Content-Type": "application/json"
+    assertions:
+      - result.statuscode ShouldEqual 200

t/venom/test_suites/wired_dot1x_eap_teap/10_restart_radius_services.yml

@@ -0,0 +1,9 @@
+name: Restart RADIUS services
+testcases:
+- name: restart_radius_services
+  steps:
+  - type: pf_api_service_restart_async
+    service: 'radiusd-auth'
+
+  - type: pf_api_service_restart_async
+    service: 'pfacct'