providers/radius: fix panic when no cert is configured (#17762)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

Author: BeryJu

internal/outpost/radius/handler_eap.go

@@ -41,95 +41,92 @@ func (pi *ProviderInstance) SetEAPState(key string, state *protocol.State) {
 }
 
 func (pi *ProviderInstance) GetEAPSettings() protocol.Settings {
-	protocols := []protocol.ProtocolConstructor{
-		identity.Protocol,
-		legacy_nak.Protocol,
+	settings := protocol.Settings{
+		Logger: &logrusAdapter{pi.log},
+		Protocols: []protocol.ProtocolConstructor{
+			identity.Protocol,
+			legacy_nak.Protocol,
+		},
 	}
 
 	certId := pi.certId
 	if certId == "" {
-		return protocol.Settings{
-			Protocols: protocols,
-		}
+		return settings
 	}
 
 	cert := pi.s.cryptoStore.Get(certId)
 	if cert == nil {
-		return protocol.Settings{
-			Protocols: protocols,
-		}
+		return settings
 	}
 
-	return protocol.Settings{
-		Logger:    &logrusAdapter{entry: pi.log},
-		Protocols: append(protocols, tls.Protocol, peap.Protocol),
-		ProtocolPriority: []protocol.Type{
-			identity.TypeIdentity,
-			tls.TypeTLS,
-		},
-		ProtocolSettings: map[protocol.Type]interface{}{
-			tls.TypeTLS: tls.Settings{
-				Config: &ttls.Config{
-					Certificates: []ttls.Certificate{*cert},
-					ClientAuth:   ttls.RequireAnyClientCert,
-				},
-				HandshakeSuccessful: func(ctx protocol.Context, certs []*x509.Certificate) protocol.Status {
-					ident := ctx.GetProtocolState(identity.TypeIdentity).(*identity.State).Identity
+	settings.Protocols = append(settings.Protocols, tls.Protocol, peap.Protocol)
+	settings.ProtocolPriority = []protocol.Type{
+		identity.TypeIdentity,
+		tls.TypeTLS,
+	}
+	settings.ProtocolSettings = map[protocol.Type]any{
+		tls.TypeTLS: tls.Settings{
+			Config: &ttls.Config{
+				Certificates: []ttls.Certificate{*cert},
+				ClientAuth:   ttls.RequireAnyClientCert,
+			},
+			HandshakeSuccessful: func(ctx protocol.Context, certs []*x509.Certificate) protocol.Status {
+				ident := ctx.GetProtocolState(identity.TypeIdentity).(*identity.State).Identity
 
-					ctx.Log().Debug("Starting authn flow")
-					pem := pem.EncodeToMemory(&pem.Block{
-						Type:  "CERTIFICATE",
-						Bytes: certs[0].Raw,
-					})
+				ctx.Log().Debug("Starting authn flow")
+				pem := pem.EncodeToMemory(&pem.Block{
+					Type:  "CERTIFICATE",
+					Bytes: certs[0].Raw,
+				})
 
-					fe := flow.NewFlowExecutor(context.Background(), pi.flowSlug, pi.s.ac.Client.GetConfig(), log.Fields{
-						"client":   utils.GetIP(ctx.Packet().RemoteAddr),
-						"identity": ident,
-					})
-					fe.Answers[flow.StageIdentification] = ident
-					fe.DelegateClientIP(utils.GetIP(ctx.Packet().RemoteAddr))
-					fe.Params.Add("goauthentik.io/outpost/radius", "true")
-					fe.AddHeader("X-Authentik-Outpost-Certificate", url.QueryEscape(string(pem)))
+				fe := flow.NewFlowExecutor(context.Background(), pi.flowSlug, pi.s.ac.Client.GetConfig(), log.Fields{
+					"client":   utils.GetIP(ctx.Packet().RemoteAddr),
+					"identity": ident,
+				})
+				fe.Answers[flow.StageIdentification] = ident
+				fe.DelegateClientIP(utils.GetIP(ctx.Packet().RemoteAddr))
+				fe.Params.Add("goauthentik.io/outpost/radius", "true")
+				fe.AddHeader("X-Authentik-Outpost-Certificate", url.QueryEscape(string(pem)))
 
-					passed, err := fe.Execute()
-					if err != nil {
-						ctx.Log().Warn("failed to execute flow", "error", err)
-						return protocol.StatusError
-					}
-					ctx.Log().Debug("Finished flow")
-					if !passed {
-						return protocol.StatusError
-					}
-					access, _, err := fe.ApiClient().OutpostsApi.OutpostsRadiusAccessCheck(context.Background(), pi.providerId).AppSlug(pi.appSlug).Execute()
-					if err != nil {
-						ctx.Log().Warn("failed to check access: %v", err)
-						return protocol.StatusError
-					}
-					if !access.Access.Passing {
-						ctx.Log().Info("Access denied for user")
-						return protocol.StatusError
-					}
-					if access.HasAttributes() {
-						ctx.AddResponseModifier(func(r, q *radius.Packet) error {
-							rawData, err := base64.StdEncoding.DecodeString(access.GetAttributes())
-							if err != nil {
-								ctx.Log().Warn("failed to decode attributes from core: %v", err)
-								return errors.New("attribute_decode_failed")
-							}
-							p, err := radius.Parse(rawData, pi.SharedSecret)
-							if err != nil {
-								ctx.Log().Warn("failed to parse attributes from core: %v", err)
-								return errors.New("attribute_parse_failed")
-							}
-							for _, attr := range p.Attributes {
-								r.Add(attr.Type, attr.Attribute)
-							}
-							return nil
-						})
-					}
-					return protocol.StatusSuccess
-				},
+				passed, err := fe.Execute()
+				if err != nil {
+					ctx.Log().Warn("failed to execute flow", "error", err)
+					return protocol.StatusError
+				}
+				ctx.Log().Debug("Finished flow")
+				if !passed {
+					return protocol.StatusError
+				}
+				access, _, err := fe.ApiClient().OutpostsApi.OutpostsRadiusAccessCheck(context.Background(), pi.providerId).AppSlug(pi.appSlug).Execute()
+				if err != nil {
+					ctx.Log().Warn("failed to check access: %v", err)
+					return protocol.StatusError
+				}
+				if !access.Access.Passing {
+					ctx.Log().Info("Access denied for user")
+					return protocol.StatusError
+				}
+				if access.HasAttributes() {
+					ctx.AddResponseModifier(func(r, q *radius.Packet) error {
+						rawData, err := base64.StdEncoding.DecodeString(access.GetAttributes())
+						if err != nil {
+							ctx.Log().Warn("failed to decode attributes from core: %v", err)
+							return errors.New("attribute_decode_failed")
+						}
+						p, err := radius.Parse(rawData, pi.SharedSecret)
+						if err != nil {
+							ctx.Log().Warn("failed to parse attributes from core: %v", err)
+							return errors.New("attribute_parse_failed")
+						}
+						for _, attr := range p.Attributes {
+							r.Add(attr.Type, attr.Attribute)
+						}
+						return nil
+					})
+				}
+				return protocol.StatusSuccess
 			},
 		},
 	}
+	return settings
 }