Merge branch 'tmp-ocserv-group' into 'master'

radius: ignore redundant group class

Closes #332

See merge request openconnect/ocserv!213

NEWS

@@ -6,7 +6,7 @@
 - Added namespace support for listen address by introducing the
   listen-netns  option (#316)
 - Disable TLS1.3 when cisco client compatibility is enabled. New
-  anyconnect clients seem to supporting TLS1.3 but unable to handle
+  anyconnect clients seem to supporting TLS1.3 but are unable to handle
   a client with an RSA key (#318)
 - Enable a race free user disconnection via occtl (#59)
 - Added the config option of a pre-login-banner (#313)
@@ -14,6 +14,8 @@
   with the number of ocserv-sm process dependent on maximum clients and
   number of CPUs. Configuration option sec-mod-scale can be used to override
   the heuristics.
+- Fixed issue with group selection on radius servers sending multiple
+  group class attribute (#322).
 
 
 * Version 1.1.0 (released 2020-06-16)

src/auth/radius.c

@@ -216,10 +216,8 @@ static void parse_groupnames(struct radius_ctx_st *pctx, const char *full)
 	char *p, *p2;
 	unsigned i;
 
-	pctx->groupnames_size = 0;
-
-	syslog(LOG_DEBUG, "radius-auth: found group string %s", full);
-	if (strncmp(full, "OU=", 3) == 0) {
+	if (pctx->groupnames_size == 0 && strncmp(full, "OU=", 3) == 0) {
+		syslog(LOG_DEBUG, "radius-auth: found group string %s", full);
 		full += 3;
 
 		p = talloc_strdup(pctx, full);
@@ -241,10 +239,16 @@ static void parse_groupnames(struct radius_ctx_st *pctx, const char *full)
 				break;
 		}
 	} else {
-		pctx->groupnames[0] = talloc_strdup(pctx, full);
-		if (pctx->groupnames[0] == NULL)
-			return;
-		pctx->groupnames_size = 1;
+		if (pctx->groupnames_size == 0) {
+			syslog(LOG_DEBUG, "radius-auth: found group string %s", full);
+
+			pctx->groupnames[0] = talloc_strdup(pctx, full);
+			if (pctx->groupnames[0] == NULL)
+				return;
+			pctx->groupnames_size = 1;
+		} else {
+			syslog(LOG_DEBUG, "radius-auth: ignoring redundant group string");
+		}
 	}
 }
 

tests/data/raddb/users

@@ -98,6 +98,7 @@ test-class	Cleartext-Password := "test-class"
 	Framed-IP-Netmask = 255.255.255.0,
 	Framed-Routing = Broadcast-Listen,
 	Class = "OU=group1;group2",
+	Class = "unknown",
 	Framed-MTU = 1500
 
 testtime	Cleartext-Password := "test"

tests/ns.sh

@@ -116,7 +116,7 @@ test -n "${ADDRESS2}" && ${IP} -n ${NSNAME2} route add ${CLI_ADDRESS2}/32 via ${
 ${IP} -n ${NSNAME2} addr
 ${IP} -n ${NSNAME2} route
 ${IP} -n ${NSNAME1} route
-${IP} -n ${NSNAME3} route
+test -n "${CLI_ADDRESS2}" && ${IP} -n ${NSNAME3} route
 
 ${IP} netns exec ${NSNAME1} ping -c 1 ${ADDRESS} >/dev/null 
 ${IP} netns exec ${NSNAME2} ping -c 1 ${ADDRESS} >/dev/null