Merge pull request #59 from ruby-no-kai/radius

sorah · web-flow · commit 5ed4c8a74874 · 2023-04-17T17:07:26.000+09:00
radius
diff --git a/.github/workflows/docker-freeradius-exporter.jsonnet b/.github/workflows/docker-freeradius-exporter.jsonnet
@@ -0,0 +1 @@
+(import './docker-build-simple.libsonnet')('freeradius-exporter')
diff --git a/.github/workflows/docker-freeradius-exporter.yml b/.github/workflows/docker-freeradius-exporter.yml
@@ -0,0 +1,54 @@
+{
+   "jobs": {
+      "build": {
+         "name": "build",
+         "permissions": {
+            "contents": "read",
+            "id-token": "write"
+         },
+         "runs-on": "ubuntu-latest",
+         "steps": [
+            {
+               "uses": "docker/setup-qemu-action@v2"
+            },
+            {
+               "uses": "docker/setup-buildx-action@v2"
+            },
+            {
+               "uses": "aws-actions/configure-aws-credentials@v1",
+               "with": {
+                  "aws-region": "ap-northeast-1",
+                  "role-skip-session-tagging": true,
+                  "role-to-assume": "arn:aws:iam::005216166247:role/GhaDockerPush"
+               }
+            },
+            {
+               "id": "login-ecr",
+               "uses": "aws-actions/amazon-ecr-login@v1"
+            },
+            {
+               "uses": "docker/build-push-action@v3",
+               "with": {
+                  "context": "{{defaultContext}}:docker/freeradius-exporter",
+                  "platforms": "linux/arm64",
+                  "push": true,
+                  "tags": "${{ steps.login-ecr.outputs.registry }}/freeradius-exporter:${{ github.sha }},${{ steps.login-ecr.outputs.registry }}/freeradius-exporter:latest"
+               }
+            }
+         ]
+      }
+   },
+   "name": "docker-freeradius-exporter",
+   "on": {
+      "push": {
+         "branches": [
+            "master",
+            "test"
+         ],
+         "paths": [
+            "docker/freeradius-exporter/**",
+            ".github/workflows/docker-freeradius-exporter.yml"
+         ]
+      }
+   }
+}
diff --git a/.github/workflows/docker-radiusd.jsonnet b/.github/workflows/docker-radiusd.jsonnet
@@ -0,0 +1 @@
+(import './docker-build-simple.libsonnet')('radiusd')
diff --git a/.github/workflows/docker-radiusd.yml b/.github/workflows/docker-radiusd.yml
@@ -0,0 +1,54 @@
+{
+   "jobs": {
+      "build": {
+         "name": "build",
+         "permissions": {
+            "contents": "read",
+            "id-token": "write"
+         },
+         "runs-on": "ubuntu-latest",
+         "steps": [
+            {
+               "uses": "docker/setup-qemu-action@v2"
+            },
+            {
+               "uses": "docker/setup-buildx-action@v2"
+            },
+            {
+               "uses": "aws-actions/configure-aws-credentials@v1",
+               "with": {
+                  "aws-region": "ap-northeast-1",
+                  "role-skip-session-tagging": true,
+                  "role-to-assume": "arn:aws:iam::005216166247:role/GhaDockerPush"
+               }
+            },
+            {
+               "id": "login-ecr",
+               "uses": "aws-actions/amazon-ecr-login@v1"
+            },
+            {
+               "uses": "docker/build-push-action@v3",
+               "with": {
+                  "context": "{{defaultContext}}:docker/radiusd",
+                  "platforms": "linux/arm64",
+                  "push": true,
+                  "tags": "${{ steps.login-ecr.outputs.registry }}/radiusd:${{ github.sha }},${{ steps.login-ecr.outputs.registry }}/radiusd:latest"
+               }
+            }
+         ]
+      }
+   },
+   "name": "docker-radiusd",
+   "on": {
+      "push": {
+         "branches": [
+            "master",
+            "test"
+         ],
+         "paths": [
+            "docker/radiusd/**",
+            ".github/workflows/docker-radiusd.yml"
+         ]
+      }
+   }
+}
diff --git a/freeradius-exporter/Dockerfile b/freeradius-exporter/Dockerfile
@@ -0,0 +1,11 @@
+FROM --platform=$BUILDPLATFORM public.ecr.aws/docker/library/golang:1.20-bullseye as builder
+
+ENV GOOS=linux
+ENV GOARCH=arm64
+ENV CGO_ENABLED=0
+RUN go install github.com/bvantagelimited/freeradius_exporter@0ba8725aa1ab59e09f4f9f2a1a229ecb66b66d56
+
+FROM gcr.io/distroless/base-debian11
+
+COPY --from=builder /go/bin/linux_arm64/freeradius_exporter /usr/local/bin/
+CMD /usr/local/bin/freeradius_exporter
diff --git a/radiusd/Dockerfile b/radiusd/Dockerfile
@@ -0,0 +1,28 @@
+FROM public.ecr.aws/ubuntu/ubuntu:22.04
+
+ARG FR_VERSION=3.0.26~dfsg~git20220223.1.00ed0241fa-0ubuntu3.1
+
+RUN mkdir -p /etc/freeradius/3.0/certs && touch /etc/freeradius/3.0/certs/dh
+RUN apt-get update && apt-get install -y --no-install-recommends --no-install-suggests \
+      freeradius=${FR_VERSION} \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+RUN rm /etc/freeradius/3.0/sites-enabled/*
+COPY raddb/ /etc/freeradius/3.0/
+COPY run.sh /run.sh
+
+RUN ls -la /etc/freeradius/3.0/sites-* /etc/freeradius/3.0/mods-*
+
+COPY --chown=freerad:freerad dummycert /secrets/tls-cert
+RUN ls -la /secrets/tls-cert
+
+USER freerad
+RUN /usr/sbin/freeradius -f -Cx -lstdout
+
+USER root
+RUN rm -rf /secrets
+
+USER freerad
+EXPOSE 1812/tcp 1812/udp
+EXPOSE 18121/tcp 18121/udp
+CMD ["/run.sh"]
diff --git a/radiusd/README.md b/radiusd/README.md
@@ -0,0 +1,9 @@
+```
+docker build -t rkrad . && docker run --rm --name rkrad --net=host -v $(pwd)/dummycert:/secrets/tls-cert:ro rkrad
+docker kill rkrad
+```
+
+```
+eapol_test -c ./eapol_test.conf -s testing123 -a 127.0.0.1
+eapol_test -c ./eapol_fail.conf -s testing123 -a 127.0.0.1
+```
diff --git a/radiusd/dummycert/ca.crt b/radiusd/dummycert/ca.crt
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBXzCCAQWgAwIBAgIQJzw+EOAAQhjHLdki+FwdXTAKBggqhkjOPQQDAjAOMQww
+CgYDVQQDEwNmb28wHhcNMjMwNDE1MDgzMDIwWhcNMzMwNDEyMDgzMDIwWjAOMQww
+CgYDVQQDEwNmb28wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARMvRKBrV7aCKUA
+of9byLVCLqVbaMtWzDteng2j6aTYqkdl/+blinbuDdT2ICJ03R6PYveisK4Y4FYJ
+QKnTUZjho0UwQzAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAd
+BgNVHQ4EFgQUIU53gInUIZFW6ryJ5TOf+TSUGA0wCgYIKoZIzj0EAwIDSAAwRQIh
+AIsmexLK62UY1/X9ZoXE3W/nliltOeaoc6S8AfHT4n6fAiBlSpRlgngEGJ9dvZd9
+dioqs4tcfOINehBBzBTBO6C8+A==
+-----END CERTIFICATE-----
diff --git a/radiusd/dummycert/tls.crt b/radiusd/dummycert/tls.crt
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBnTCCAUOgAwIBAgIRALuDzP9XeVu1iY6VDcY+enMwCgYIKoZIzj0EAwIwDjEM
+MAoGA1UEAxMDZm9vMB4XDTIzMDQxNTA4MzAzOFoXDTIzMDQxNjA4MzAzOFowDjEM
+MAoGA1UEAxMDYmF6MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELz26JG5erXWv
+IAdRjV1f0NmNp/Nr57UL11MSs1P4lzNVLe0wkY7UvURX/npHqSn22LHvC8het8If
+Tgd4vdJgwKOBgTB/MA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwHQYDVR0OBBYEFP7nu1ILkPnzSWeRndZjZQSC2+W2MB8GA1Ud
+IwQYMBaAFCFOd4CJ1CGRVuq8ieUzn/k0lBgNMA4GA1UdEQQHMAWCA2JhejAKBggq
+hkjOPQQDAgNIADBFAiBoWsiJpkpjObHyKxeiY2yGb5Og//F+iJaX4K+216Qc2QIh
+AMu4/50CWCcB5oL9bM3SEu/alzBaX2LSdin2W+W8fo0A
+-----END CERTIFICATE-----
diff --git a/radiusd/dummycert/tls.key b/radiusd/dummycert/tls.key
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIBaExrtFLk2vlohc558r2u+zVLCLl5XeWT465GkpkBrOoAoGCCqGSM49
+AwEHoUQDQgAELz26JG5erXWvIAdRjV1f0NmNp/Nr57UL11MSs1P4lzNVLe0wkY7U
+vURX/npHqSn22LHvC8het8IfTgd4vdJgwA==
+-----END EC PRIVATE KEY-----
diff --git a/radiusd/eapol_cert.conf b/radiusd/eapol_cert.conf
@@ -0,0 +1,11 @@
+# eapol_test -c eapol_cert.conf -s testing123
+network={
+  ssid="example"
+  key_mgmt=WPA-EAP
+  key_mgmt=IEEE8021X
+  identity="rubykaigi"
+  client_cert="./dummycert/tls.crt"
+  private_key="./dummycert/tls.key"
+  anonymous_identity="rubykaigi"
+  ca_cert="./dummycert/ca.crt"
+}
diff --git a/radiusd/eapol_fail.conf b/radiusd/eapol_fail.conf
@@ -0,0 +1,11 @@
+# eapol_test -c eapol_test.conf -s testing123
+network={
+  ssid="example"
+  key_mgmt=WPA-EAP
+  eap=PEAP
+  identity="rubykaigi"
+  anonymous_identity="rubykaigi"
+  password="invalid"
+  phase2="auth=MSCHAPV2"
+  # ca_cert="./dummycert/ca.crt"
+}
diff --git a/radiusd/eapol_test.conf b/radiusd/eapol_test.conf
@@ -0,0 +1,11 @@
+# eapol_test -c eapol_test.conf -s testing123
+network={
+  ssid="example"
+  key_mgmt=WPA-EAP
+  eap=PEAP
+  identity="rubykaigi"
+  anonymous_identity="rubykaigi"
+  password="matsumoto"
+  phase2="auth=MSCHAPV2"
+  ca_cert="./dummycert/ca.crt"
+}
diff --git a/radiusd/raddb/clients.conf b/radiusd/raddb/clients.conf
@@ -0,0 +1,30 @@
+client localhost {
+  ipaddr = 127.0.0.1
+  proto = *
+  secret = __RADIUS_SECRET__
+  require_message_authenticator = no
+  nas_type = other # localhost isn't usually a NAS...
+
+}
+client loopbacks {
+  ipaddr = 10.33.0.0/24
+  secret = __RADIUS_SECRET__
+}
+
+client venueair {
+  ipaddr = 10.33.2.0/24
+  secret = __RADIUS_SECRET__
+}
+client venuemgmt {
+  ipaddr = 10.33.100.0/24
+  secret = __RADIUS_SECRET__
+}
+
+client hotmgmt1 {
+  ipaddr = 10.33.32.0/24
+  secret = __RADIUS_SECRET__
+}
+client hotmgmt2 {
+  ipaddr = 10.33.30.0/24
+  secret = __RADIUS_SECRET__
+}
diff --git a/radiusd/raddb/mods-config/files/authorize b/radiusd/raddb/mods-config/files/authorize
@@ -0,0 +1,4 @@
+rubykaigi Cleartext-Password := "matsumoto"
+rk Cleartext-Password := "matsumoto"
+kaigi Cleartext-Password := "matsumoto"
+ruby Cleartext-Password := "matsumoto"
diff --git a/radiusd/raddb/mods-enabled/eap b/radiusd/raddb/mods-enabled/eap
@@ -0,0 +1,31 @@
+eap {
+  default_eap_type = peap
+  timer_expire = 60
+  tls-config tls-common {
+    private_key_password = whatever
+    private_key_file = /secrets/tls-cert/tls.key
+    certificate_file = /secrets/tls-cert/tls.crt
+    # ca_file = /secrets/tls-cert/ca.crt
+    tls_min_version = "1.2"
+    cipher_server_preference = no
+    cipher_list = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
+    ocsp {
+      enable = yes
+      override_cert_url = no
+      use_nonce = yes
+    }
+  }
+  #  tls {
+  #    tls = tls-common
+  #  }
+  ttls {
+    tls = tls-common
+    default_eap_type = mschapv2
+    virtual_server = "inner-tunnel"
+  }
+  peap {
+    tls = tls-common
+    default_eap_type = mschapv2
+    virtual_server = "inner-tunnel"
+  }
+}
diff --git a/radiusd/raddb/mods-enabled/files b/radiusd/raddb/mods-enabled/files
@@ -0,0 +1,5 @@
+files {
+  moddir = ${modconfdir}/${.:instance}
+  #key = "%{%{Stripped-User-Name}:-%{User-Name}}"
+  filename = ${moddir}/authorize
+}
diff --git a/radiusd/raddb/mods-enabled/inner-eap b/radiusd/raddb/mods-enabled/inner-eap
@@ -0,0 +1,9 @@
+eap inner-eap {
+  default_eap_type = mschapv2
+  timer_expire = 60
+  # max_sessions = ${max_requests}
+
+  mschapv2 {
+    send_error = yes
+  }
+}
diff --git a/radiusd/raddb/mods-enabled/linelog b/radiusd/raddb/mods-enabled/linelog
@@ -0,0 +1,39 @@
+linelog linelog_recv_request {
+  filename = /dev/stdout
+  syslog_facility = local0
+  syslog_severity = debug
+  format = "action = Recv-Request, %{pairs:request:}"
+}
+
+linelog linelog_send_accept {
+  filename = /dev/stdout
+  syslog_facility = local0
+  syslog_severity = debug
+  format = "action = Send-Accept, %{pairs:request:}"
+}
+
+linelog linelog_send_reject {
+  filename = /dev/stdout
+  syslog_facility = local0
+  syslog_severity = debug
+  format = "action = Send-Reject, %{pairs:request:}"
+}
+
+linelog linelog_send_proxy_request {
+  filename = /dev/stdout
+  syslog_facility = local0
+  syslog_severity = debug
+  format = "action = Send-Proxy-Request, %{pairs:proxy-request:}"
+}
+
+linelog linelog_recv_proxy_response {
+  filename = /dev/stdout
+  syslog_facility = local0
+  syslog_severity = debug
+  reference = "messages.%{proxy-reply:Response-Packet-Type}"
+  messages {
+    Access-Accept = "action = Recv-Proxy-Accept, User-Name = %{User-Name}, Calling-Station-Id = %{Calling-Station-Id}, %{pairs:proxy-reply:}"
+    Access-Reject = "action = Recv-Proxy-Reject, User-Name = %{User-Name}, Calling-Station-Id = %{Calling-Station-Id}, %{pairs:proxy-reply:}"
+    Access-Challenge = "action = Recv-Proxy-Challenge, User-Name = %{User-Name}, Calling-Station-ID = %{Calling-Station-Id}, %{pairs:proxy-reply:}"
+  }
+}
diff --git a/radiusd/raddb/radiusd.conf b/radiusd/raddb/radiusd.conf
diff --git a/radiusd/raddb/sites-enabled/default b/radiusd/raddb/sites-enabled/default
diff --git a/radiusd/raddb/sites-enabled/inner-tunnel b/radiusd/raddb/sites-enabled/inner-tunnel
diff --git a/radiusd/raddb/sites-enabled/status b/radiusd/raddb/sites-enabled/status
diff --git a/radiusd/run.sh b/radiusd/run.sh

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+(import './docker-build-simple.libsonnet')('freeradius-exporter')`