//通过 Session Id 获取 Session,如果没获取到,产生一个新的返回
func GetSessionById(sessionId string) *Session {
if session, ok := MemoryStore.Get(sessionId); ok {
return session
} else {
session = &Session{
Id: kmgRand.MustCryptoRandToAlphaNum(26),
Data: map[string]string{},
}
MemoryStore.Set(session.Id, session)
return session
}
}
func selfUpdate() {
baseFileContent, err := kmgHttp.UrlGetContent("http://kmgtools.qiniudn.com/v1/installKmg.bash?v=" + kmgRand.MustCryptoRandToAlphaNum(16))
kmgConsole.ExitOnErr(err)
baseFilePath := "/tmp/installKmg.bash"
kmgFile.MustDeleteFile(baseFilePath)
kmgFile.MustAppendFile(baseFilePath, baseFileContent)
kmgCmd.MustRunInBash(baseFilePath)
}
func selfUpdate() {
prefixB, err := kmgHttp.UrlGetContent("http://kmgtools.qiniudn.com/v1/kmgUrlPrefix.txt?v=" + kmgRand.MustCryptoRandToAlphaNum(16))
kmgConsole.ExitOnErr(err)
exeContent, err := kmgHttp.UrlGetContent(string(prefixB) + "_windows_amd64.exe")
kmgConsole.ExitOnErr(err)
//cmd 这个东西有超级神力,直接os.Rename不行 但是360会报警
// 已经试过下列方案:
// 1.os.Rename 后面的write会没有权限,原因不明
// 2.move windows上面没有这个命令
kmgCmd.ProxyRun(`cmd /c move C:\windows\system32\kmg.exe C:\windows\system32\kmg-old.exe`)
kmgFile.MustWriteFile(`C:\windows\system32\kmg.exe`, exeContent)
}
// 目前支持pap和mschapv2认证方式
func (p *server) radiusAccess(request *Packet) *Packet {
kmgLog.Log("Radius", "Access Request", request.ToStringMap())
npac := request.Reply()
username := request.GetUsername()
password := request.GetPassword()
if username == "" {
//不支持的认证方式,或者包格式错误
npac.AVPs = append(npac.AVPs, &StringAVP{Type: AVPTypeReplyMessage, Value: "need username"})
npac.Code = CodeAccessReject
LogError(fmt.Errorf("[kmgRadius.radiusAccess] need username or auth method not support"))
return npac
}
AuthPassword, exist := p.handler.Auth(username)
if !exist {
LogError(fmt.Errorf("[kmgRadius.radiusAccess] username [%s] not exist or do not have any transfer", username))
npac.Code = CodeAccessReject
return npac
}
//简单认证方式 pap
if password != "" {
if AuthPassword != password {
LogError(fmt.Errorf("[kmgRadius.radiusAccess] username [%s] password not match", username))
npac.Code = CodeAccessReject
return npac
}
npac.Code = CodeAccessAccept
return npac
}
//复杂认证方式
//如果没有输入密码,要求用户输入密码(遗留代码,应该是之前的bug导致的)
e := request.GetEAPMessage()
if e != nil {
//第一次请求,eapCode应该是 Response
// mschapv2 step 1
switch e.Header().Type {
case eap.TypeIdentity, eap.TypeLegacyNak:
npac.Code = CodeAccessChallenge
mschapV2Challenge := [16]byte{}
_, err := rand.Read(mschapV2Challenge[:])
if err != nil {
panic(err)
}
sessionId := kmgRand.MustCryptoRandToAlphaNum(18)
npac.SetState([]byte(sessionId))
p.mschapMap[sessionId] = mschapStatus{
Challenge: mschapV2Challenge,
}
npac.AddAVP(&EapAVP{
Value: &eap.MSCHAPV2Packet{
PacketHeader: eap.PacketHeader{
Code: eap.CodeRequest,
Identifier: e.Header().Identifier,
Type: eap.TypeMSCHAPV2,
},
MSCHAPV2: &MSCHAPV2.ChallengePacket{
Identifier: e.Header().Identifier,
Challenge: mschapV2Challenge,
Name: username,
},
},
})
return npac
//TODO process next step read Response packet and write Success Request packet
// reference http://tools.ietf.org/id/draft-kamath-pppext-eap-mschapv2-01.txt
case eap.TypeMSCHAPV2:
// mschapv2 step 3 and step 5
if e.Header().Code != eap.CodeResponse {
npac.Code = CodeAccessReject
LogError(fmt.Errorf("MSCHAPV2 step 3 fail! 1 eap.Code[%s]!=radius.EapCodeResponse", e.Header().Code))
return npac
}
mschapv2I := e.(*eap.MSCHAPV2Packet).MSCHAPV2
switch mschapv2I.OpCode() {
case MSCHAPV2.OpCodeResponse:
state := request.GetState()
//step 3
status, ok := p.mschapMap[string(state)]
if !ok {
npac.Code = CodeAccessReject
LogError(fmt.Errorf("MSCHAPV2 step 3 fail! 3 mschapStatus not found state:%s", state))
return npac
}
status.NTResponse = mschapv2I.(*MSCHAPV2.ResponsePacket).NTResponse
p.mschapMap[string(state)] = status
successPacket := MSCHAPV2.ReplySuccessPacket(&MSCHAPV2.ReplySuccessPacketRequest{
AuthenticatorChallenge: status.Challenge,
Response: mschapv2I.(*MSCHAPV2.ResponsePacket),
Username: []byte(username),
Password: []byte(AuthPassword),
Message: "success",
})
npac.AddAVP(&EapAVP{
Value: &eap.MSCHAPV2Packet{
PacketHeader: eap.PacketHeader{
Code: eap.CodeRequest,
Identifier: e.Header().Identifier,
Type: eap.TypeMSCHAPV2,
},
MSCHAPV2: successPacket,
},
})
npac.Code = CodeAccessChallenge
return npac
case MSCHAPV2.OpCodeSuccess:
//step 5
// reference http://www.ietf.org/rfc/rfc3079.txt
state := request.GetState()
//step 3
status, ok := p.mschapMap[string(state)]
if !ok {
npac.Code = CodeAccessReject
LogError(fmt.Errorf("MSCHAPV2 step 5 fail! 5 mschapStatus not found state:%#v", state))
return npac
}
npac.AddAVP(&EapAVP{
Value: &eap.SimplePacket{
PacketHeader: eap.PacketHeader{
Code: eap.CodeSuccess,
Identifier: e.Header().Identifier,
},
},
})
npac.AddAVP(&StringAVP{
Type: AVPTypeUserName,
Value: username,
})
//MS-MPPE-Encryption-Policy: Encryption-Allowed (1)
npac.AddAVP(&BinaryAVP{
Type: AVPTypeVendorSpecific,
Value: []byte{0x00, 0x00, 0x01, 0x37, 0x07, 0x06, 0, 0, 0, 1},
})
//MS-MPPE-Encryption-Types: RC4-40-128 (6)
npac.AddAVP(&BinaryAVP{
Type: AVPTypeVendorSpecific,
Value: []byte{0x00, 0x00, 0x01, 0x37, 0x08, 0x06, 0, 0, 0, 6},
})
sendkey, recvKey := MSCHAPV2.MsCHAPV2GetSendAndRecvKey([]byte(AuthPassword), status.NTResponse)
npac.AddAVP(&VendorSpecificAVP{
Value: NewMSMPPESendOrRecvKeyVSA(request, VendorTypeMSMPPESendKey, sendkey),
})
npac.AddAVP(&VendorSpecificAVP{
Value: NewMSMPPESendOrRecvKeyVSA(request, VendorTypeMSMPPERecvKey, recvKey),
})
npac.Code = CodeAccessAccept
npac.DeleteOneType(AVPTypeState)
return npac
default:
npac.Code = CodeAccessReject
LogError(fmt.Errorf("MSCHAPV2 step 3 and 5 fail! 2.5 mschapv2I.OpCode()[%s]!= MSCHAPV2.OpCodeResponse",
mschapv2I.OpCode()))
return npac
}
default:
npac.Code = CodeAccessReject
LogError(fmt.Errorf("MSCHAPV2 eap fail! 4"))
return npac
}
}
//不支持的认证方式,或者包格式错误
npac.AVPs = append(npac.AVPs, &StringAVP{Type: AVPTypeReplyMessage, Value: "need password"})
npac.Code = CodeAccessReject
LogError(fmt.Errorf("[kmgRadius.radiusAccess] username[%s] need password or auth method not support", username))
return npac
}