Radius enforce roles (librenms#15294)

Add new setting to specify if user roles will be set at login or not. Without this setting enabled, roles are only set when the user is first created and never after that. If roles set via Filter-ID attribute or radius.default_roles change, they will never be reflected on existing users. For that reason, the default is set to enabled. Historically, radius did not enforce roles.
ppasserini · Sep 7, 2023 · b51ae39 · b51ae39
1 parent 2618a99
commit b51ae39
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 2 deletions.
diff --git a/LibreNMS/Authentication/RadiusAuthorizer.php b/LibreNMS/Authentication/RadiusAuthorizer.php
@@ -42,6 +42,7 @@ public function authenticate($credentials)
                 'auth_type' => LegacyAuth::getType(),
                 'can_modify_passwd' => 0,
             ]);
+            $new_user = ! $user->exists;
             $user->save();
 
             // cache a single role from the Filter-ID attribute now because attributes are cleared every accessRequest
@@ -50,7 +51,9 @@ public function authenticate($credentials)
                 $this->roles[$credentials['username']] = [substr($filter_id_attribute, 14)];
             }
 
-            $user->setRoles($this->roles[$credentials['username']] ?? $this->getDefaultRoles(), true);
+            if (Config::get('radius.enforce_roles') || $new_user) {
+                $user->setRoles($this->roles[$credentials['username']] ?? $this->getDefaultRoles(), true);
+            }
 
             return true;
         }

diff --git a/lang/en/settings.php b/lang/en/settings.php
@@ -1265,6 +1265,10 @@
                 'description' => 'Default user roles',
                 'help' => 'Sets the roles that will be assigned to the user unless Radius sends attributes that specify role(s)',
             ],
+            'enforce_roles' => [
+                'description' => 'Enforce roles at login',
+                'help' => 'If enabled, roles will be set to the ones specified by the Filter-ID attribute or radius.default_roles at login.  Otherwise, they will be set when the user is created and never changed after that.',
+            ],
         ],
         'reporting' => [
             'error' => [

diff --git a/misc/config_definitions.json b/misc/config_definitions.json
@@ -33,7 +33,7 @@
                  "value": "array",
                  "value.*": "string"
              }
-        },	
+        },
         "alert_colour.ok": {
             "default": "#00ff00",
             "type": "color"
@@ -5111,6 +5111,13 @@
             "order": 3,
             "type": "array"
         },
+        "radius.enforce_roles": {
+            "default": true,
+            "group": "auth",
+            "section": "radius",
+            "order": 4,
+            "type": "boolean"
+        },
         "rancid_configs": {
             "default": [],
             "type": "array"