tests: add radius otp test

tests (radius-otp): add a check radcli version (atleast 1.2.7), since debian uses version
1.2.6, which does not support Access-Challenge server response.

tests: show debug messages only in VERBOSE mode

tests (radius-otp): replace test for option max_challenge to macro MAX_CHALLENGE

Signed-off-by: Alexey Dotsenko <lex@rwx.su>

tests/data/raddb/access_challenge

@@ -0,0 +1,19 @@
+#
+#	Configuration file for the rlm_attr_filter module.
+#	Please see rlm_attr_filter(5) manpage for more information.
+#
+#	$Id: 12ed619cf16f7322221ef2dfaf28f9c36c616e3c $
+#
+#	This configuration file is used to remove almost all of the
+#	attributes From an Access-Challenge message.  The RFCs say
+#	that an Access-Challenge packet can contain only a few
+#	attributes.  We enforce that here.
+#
+DEFAULT
+	EAP-Message =* ANY,
+	State =* ANY,
+	Message-Authenticator =* ANY,
+	Reply-Message =* ANY,
+	Proxy-State =* ANY,
+	Session-Timeout =* ANY,
+	Idle-Timeout =* ANY

tests/data/raddb/radiusd.conf

@@ -667,6 +667,13 @@ modules {
 		key = "%{User-Name}"
 		filename = ${confdir}/accounting_response
 	}
+	attr_filter attr_filter.access_challenge {
+		key = "%{User-Name}"
+		filename = ${confdir}/access_challenge
+	}
+	expr {
+		safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
+	}
 }
 
 # Instantiation
@@ -1145,6 +1152,15 @@ authorize {
 	#expiration
 	#logintime
 
+	#
+	# Multifactor authentification used if User-Name format test[0123456789]*-otp
+	# and attribute &control:Tmp-Integer-0 (number of challenges) have a non zero value
+	if (User-Name =~ /^test[0123456789]*-otp$/m && (!&State || &control:Tmp-Integer-0 > "%{expr: %{string:State}}") && &control:Tmp-Integer-0 > 0) {
+		update control {
+			&Auth-Type := "OTP"
+		}
+	}
+
 	#
 	#  If no other module has claimed responsibility for
 	#  authentication, then try to use PAP.  This allows the
@@ -1197,6 +1213,36 @@ authorize {
 #  the post-auth section is for.
 #
 authenticate {
+	#
+	#  Challenge PAP authentication, when a back-end database listed
+	#  in the 'authorize' section supplies a password and Auth-Type=OTP. The
+	#  password can be clear-text, or encrypted. Initial State value is 1.
+	#  Number of challenges is a value of &control:Tmp-Octets-0. Default is 0 -
+	#  module skiped.
+	Auth-Type OTP {
+		pap {
+			ok = 1
+			reject = 1
+		}
+		if (ok) {
+			update reply {
+				&State := "%{expr: %{%{string:State}:-0} + 1}"
+				&Reply-Message = "Please enter challenge password %{string:reply:State}."
+			}
+		}
+		elsif (reject) {
+			if (&State && User-Name == "test3-otp") {
+				update reply {
+					&State := "%{string:State}"
+					&Reply-Message = "Please enter challenge password %{string:reply:State}."
+				}
+			}
+		}
+		update control {
+			&Response-Packet-Type = Access-Challenge
+		}
+	}
+
 	#
 	#  PAP authentication, when a back-end database listed
 	#  in the 'authorize' section supplies a password.  The
@@ -1561,7 +1607,7 @@ post-auth {
 	#
 	Post-Auth-Type Challenge {
 #		remove_reply_message_if_eap
-#		attr_filter.access_challenge.post-auth
+		attr_filter.access_challenge
 	}
 
 }

tests/data/raddb/users

@@ -110,3 +110,26 @@ testtime	Cleartext-Password := "test"
 	Session-Timeout = 60,
 	Acct-Interim-Interval = 20
 
+test1-otp            Cleartext-Password := "test1-otp-stage%{string:State}", Tmp-Integer-0 := 3
+        Service-Type = Framed-User,
+        Framed-Protocol = PPP,
+        Framed-IP-Address = 192.168.55.190,
+        Framed-IP-Netmask = 255.255.255.0,
+        Framed-Routing = Broadcast-Listen,
+        Framed-MTU = 1500
+
+test2-otp            Cleartext-Password := "test2-otp-stage%{string:State}", Tmp-Integer-0 := 17
+        Service-Type = Framed-User,
+        Framed-Protocol = PPP,
+        Framed-IP-Address = 192.168.55.191,
+        Framed-IP-Netmask = 255.255.255.0,
+        Framed-Routing = Broadcast-Listen,
+        Framed-MTU = 1500
+
+test3-otp            Cleartext-Password := "test3-otp-stage%{string:State}", Tmp-Integer-0 := 3
+        Service-Type = Framed-User,
+        Framed-Protocol = PPP,
+        Framed-IP-Address = 192.168.55.192,
+        Framed-IP-Netmask = 255.255.255.0,
+        Framed-Routing = Broadcast-Listen,
+        Framed-MTU = 1500