chewie.radius module

RADIUS Packets

exception chewie.radius.InvalidMessageAuthenticatorError

Bases: Exception

To be used when the Message-Authenticator hashes (received in packet, and calculated) do not match.

Received packets that throw this error should be ‘silently dropped’ (logging is fine).

exception chewie.radius.InvalidResponseAuthenticatorError

Bases: Exception

To be used when the ResponseAuthenticator hashes (received in packet, and calculated) do not match.

class chewie.radius.Radius

Bases: object

Radius packet interface which will determine the correct RadiusPacket child class to use

ACCESS_ACCEPT = 2
ACCESS_CHALLENGE = 11
ACCESS_REJECT = 3
ACCESS_REQUEST = 1
ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5
STATUS_CLIENT = 13
STATUS_SERVER = 12
pack()
static parse(packed_message, secret, radius_lifecycle=None)
Args:

packed_message:
secret (str): Shared secret between chewie and RADIUS server.
radius_lifecycle: RadiusLifecycle object

Returns:

RadiusPacket - RadiusAccessChallenge/RadiusAccessRequest/RadiusAccessAccept/RadiusAccessFailure

Raises:

MessageParseError: if packed_message cannot be parsed

class chewie.radius.RadiusAccessAccept(packet_id, authenticator, attributes)

Bases: RadiusPacket

CODE = 2
class chewie.radius.RadiusAccessChallenge(packet_id, authenticator, attributes)

Bases: RadiusPacket

CODE = 11
class chewie.radius.RadiusAccessReject(packet_id, authenticator, attributes)

Bases: RadiusPacket

CODE = 3
class chewie.radius.RadiusAccessRequest(packet_id, authenticator, attributes)

Bases: RadiusPacket

CODE = 1
class chewie.radius.RadiusAttributesList(attributes)

Bases: object

Container class for the Radius Attribute Value Pairs

classmethod extract_attributes(attributes_data, attributes, attributes_to_concat)

Extracts Radius Attributes from a packed payload. Keeps track of attribute ordering.

Args:

attributes_data (): data to extract from (input).
attributes: attributes extracted (output variable).
attributes_to_concat (dict): (output variable).

Raises:

MessageParseError: RadiusAttribute.parse will raise error if it cannot parse the attribute’s data

find(item)

Find first attribute that has the matching description.

Args:

item (str): description of attribute to find

Returns:

attribute or None if not found

indexof(item)

Finds the position (number of bytes) that item is at in list.

Args:

item (str): description of attribute to find index of.

Returns:

int - number of bytes to item.

Raises:

ValueError: if cannot find item

classmethod merge_concat_attributes(attributes, attributes_to_concat)

Removes concat attributes from the attributes list, and inserts a single new master attribute for all concat attributes of the same type (e.g. EAPMessage, EAPMessage = 1 EAPMessage).

Args:

attributes (list):
attributes_to_concat (dict): attribute - position.

Returns:

attributes (list)

Raises:

MessageParseError: RadiusAttribute.parse will raise error if it cannot parse the attribute’s data

pack()
classmethod parse(attributes_data)
Args:

attributes_data:

Returns:

RadiusAttributeList

Raises:

MessageParseError: if unable to parse an attribute’s data.

to_dict()
class chewie.radius.RadiusPacket(packet_id, authenticator, attributes)

Bases: Radius

super class for different radius packets

CODE = None
build(secret=None)
Only call this once, or else the MessageAuthenticator will not be zeros, resulting in the wrong hash.

Args:

secret (str): Shared secret between chewie and RADIUS server.

Returns:

packed packet (bytes)

pack()
packed = None
classmethod parse(packet_id, request_authenticator, attributes)
Args:

packed_message:
secret (str): Shared secret between chewie and RADIUS server.
radius_lifecycle: RadiusLifecycle object

Returns:

RadiusPacket - RadiusAccessChallenge/RadiusAccessRequest/RadiusAccessAccept/RadiusAccessFailure

Raises:

MessageParseError: if packed_message cannot be parsed

static validate_message_authenticator(radius_packet, secret, request_authenticator)
validate_packet(secret, request_authenticator=None, code=None)

Calculates the Response Authenticator (in Radius Header) and MessageAuthenticator (a Radius Attribute) hashes and compares with what was provided.

Args:

code (int): The RADIUS Code (e.g. Access-Challenge)
secret (str): secret shared between RADIUS and chewie.
request_authenticator (): the original request authenticator for this packet (which is a response)

Raises:

ValueError: if secret is None or empty string.
InvalidResponseAuthenticatorError: if Response Authenticator does not match calculated.
InvalidMessageAuthenticatorError: if MessageAuthenticator does not match calculated.
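The two checks described for validate_packet, written out per RFC 2865 (Response Authenticator) and RFC 3579 (Message-Authenticator), including why the Message-Authenticator must still be zeros when it is hashed. This is an added example, not chewie's own code. The function names are hypothetical, the secret is passed as bytes, and a response without a Message-Authenticator is treated as invalid on the assumption that all traffic is EAP.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type, RFC 3579


def ma_offset(packet):
    """Offset of the 16-byte Message-Authenticator value, or None if absent."""
    pos = 20  # attributes follow the 20-byte header
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute")
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            return pos + 2
        pos += attr_len
    return None


def build_response(code, packet_id, request_auth, attrs, secret):
    """Constructed helper: pack a response with both hashes filled in."""
    body = attrs + bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    header = struct.pack("!BBH", code, packet_id, 20 + len(body))
    # Message-Authenticator is computed while its own value is still zeros.
    mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    body = body[:-16] + mac
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def validate_response(packet, secret, request_auth):
    """Return True only if both authenticators match; caller drops on False."""
    if not secret:
        raise ValueError("secret must not be empty")
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    head, attrs = packet[:4], packet[20:]
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return False
    off = ma_offset(packet)
    if off is None:
        return False  # assumption: EAP traffic, so the attribute is mandatory
    zeroed = head + request_auth + packet[20:off] + bytes(16) + packet[off + 16:]
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(mac, packet[off:off + 16])
```

Both comparisons use hmac.compare_digest so the check does not leak how many leading bytes matched.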

static validate_response_authenticator(radius_packet, request_authenticator, secret, code)
chewie.radius.register_packet_type_parser(cls)