Module: Devise::Models::RadiusAuthenticatable

Extended by:
ActiveSupport::Concern
Defined in:
lib/devise/models/radius_authenticatable.rb

Overview

The RadiusAuthenticatable module is responsible for validating a user's credentials against the configured radius server. When authentication is successful, the attributes returned by the radius server are made available via the radius_attributes accessor in the user model.

The RadiusAuthenticatable module works by using the configured radius_uid_generator to generate a UID based on the username and the radius server hostname or IP address. This UID is used to see if an existing record representing the user already exists. If it does, radius authentication proceeds through that user record. Otherwise, a new user record is built and authentication proceeds. If authentication is successful, the after_radius_authentication callback is invoked, the default implementation of which simply saves the user record with validations disabled.

The radius username is extracted from the parameters hash by using the first configured value in the Devise.authentication_keys array. If the authentication key is in the list of case insensitive keys, the username will be converted to lowercase prior to authentication.

Options

RadiusAuthenticatable adds the following options to devise_for:

  • radius_server: The hostname or IP address of the radius server.

  • radius_servers: An array of hostnames or IP addresses for radius servers, with optional port.
    
  • radius_server_port: The port the radius server is listening on.

  • radius_server_secret: The shared secret configured on the radius server.

  • radius_server_timeout: The number of seconds to wait for a response from the radius server.

  • radius_server_retries: The number of times to retry a request to the radius server.

  • radius_uid_field: The database column to store the UID in.

  • radius_uid_generator: A proc that takes the username and server as parameters and returns a string representing the UID.

  • radius_dictionary_path: The path containing the radius dictionary files to load.

  • handle_radius_timeout_as_failure: Option to handle radius timeout as authentication failure.

Callbacks

The after_radius_authentication callback is invoked on the user record when radius authentication succeeds for that user but prior to Devise checking if the user is active for authentication. Its default implementation simply saves the user record with validations disabled. This method should be overridden if further actions should be taken to make the user valid or active for authentication. If you override it, be sure to either call super to save the record or to save the record yourself.

Authorization callbacks are triggered when after_radius_authentication is called:

  • before_radius_authorization :method_name

  • around_radius_authorization :method_name

  • after_radius_authorization :method_name

Defined Under Namespace

Modules: ClassMethods

Constant Summary

ACCESS_ACCEPT = 'Access-Accept'

Instance Method Details

#after_radius_authentication ⇒ Object

Callback invoked by the RadiusAuthenticatable strategy after authentication with the radius server has succeeded and devise has indicated the model is valid. This callback is invoked prior to devise checking if the model is active for authentication.


# File 'lib/devise/models/radius_authenticatable.rb', line 121

def after_radius_authentication
  run_callbacks :radius_authorization do
    self.save(validate: false)
  end
end

#valid_radius_password?(username, password) ⇒ Boolean

Use the currently configured radius server to attempt to authenticate the supplied username and password. If authentication succeeds, make the radius attributes returned by the server available via the radius_attributes accessor. Returns true if authentication was successful and false otherwise.

Parameters
  • username: The username to send to the radius server

  • password: The password to send to the radius server


# File 'lib/devise/models/radius_authenticatable.rb', line 76

def valid_radius_password?(username, password)
  reply   = nil
  secret  = self.class.radius_server_secret
  options = {
    reply_timeout:  self.class.radius_server_timeout,
    retries_number: self.class.radius_server_retries
  }

  if self.class.radius_dictionary_path
    options[:dict] = Radiustar::Dictionary.new(self.class.radius_dictionary_path)
  end

  self.class.radius_servers_with_ports.each do |server, port|
    req = Radiustar::Request.new("#{server}:#{port}", options)

    # The authenticate method will raise a RuntimeError if we time
    # out waiting for a response from the server. If the server responds,
    # break and process the radius response. If not, try the next server.
    begin
      reply = req.authenticate(username, password, secret)
      break
    rescue
      next
    end
  end

  # Handle the error if no servers respond.
  unless reply
    return false if self.class.handle_radius_timeout_as_failure
    raise
  end

  if reply[:code] == ACCESS_ACCEPT
    reply.extract!(:code)
    self.radius_attributes = reply
    true
  else
    false
  end
end
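
The failover and timeout handling of valid_radius_password?, modelled stand-alone. This is an added example, not code from the gem: FakeRadiusRequest is a hypothetical stand-in for Radiustar::Request, radius_login is a hypothetical name, and the server names and canned replies are constructed.

```ruby
ACCESS_ACCEPT = 'Access-Accept'

# Constructed behaviour per server: :timeout raises, otherwise a reply hash.
SERVERS = {
  'radius1.example.test' => :timeout,
  'radius2.example.test' => { code: 'Access-Reject' },
  'radius3.example.test' => { code: ACCESS_ACCEPT, 'Filter-Id' => 'staff' }
}.freeze

# Hypothetical stand-in for Radiustar::Request; records every server contacted.
class FakeRadiusRequest
  def initialize(server, log)
    @server, @log = server, log
  end

  def authenticate(_username, _password, _secret)
    @log << @server
    outcome = SERVERS.fetch(@server)
    raise 'Timed out waiting for response' if outcome == :timeout
    outcome.dup
  end
end

# Same control flow as the method above: the first server that answers decides.
def radius_login(servers, timeout_as_failure:)
  contacted = []
  reply = nil
  servers.each do |server|
    begin
      reply = FakeRadiusRequest.new(server, contacted).authenticate('alice', 'pw', 's3cret')
      break
    rescue StandardError
      next # any error, not only a timeout, moves on to the next server
    end
  end

  # No server answered: fail closed, or raise so the outage is visible.
  if reply.nil?
    raise 'no RADIUS server responded' unless timeout_as_failure
    return { ok: false, contacted: contacted, attributes: nil }
  end

  ok = reply.delete(:code) == ACCESS_ACCEPT
  { ok: ok, contacted: contacted, attributes: ok ? reply : nil }
end
```

An Access-Reject from the first server that responds is final, so a later server is consulted only after a timeout or error. With handle_radius_timeout_as_failure set, a total outage looks the same to the caller as a wrong password, so alert on it separately.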