push.rocks/smartradius
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
smartradius/test/server/test.pap.ts

283 lines
7.3 KiB
TypeScript
Raw Permalink Normal View History

feat(smartradius): Implement full RADIUS server and client with RFC 2865/2866 compliance, including packet handling, authenticators, attributes, secrets manager, client APIs, and comprehensive tests and documentation
2026-02-01 17:40:36 +00:00
import { expect, tap } from '@git.zone/tstest/tapbundle';
fix(imports): use node: built-in imports and remove dead smartpromise/smartdelay exports
2026-02-11 15:57:37 +00:00
import * as crypto from 'node:crypto';
feat(smartradius): Implement full RADIUS server and client with RFC 2865/2866 compliance, including packet handling, authenticators, attributes, secrets manager, client APIs, and comprehensive tests and documentation
2026-02-01 17:40:36 +00:00
import { RadiusAuthenticator } from '../../ts_server/index.js';
tap.test('should encrypt and decrypt short password (< 16 chars)', async () => {
const password = 'secret';
const requestAuthenticator = crypto.randomBytes(16);
const secret = 'testing123';
const encrypted = RadiusAuthenticator.encryptPassword(
password,
requestAuthenticator,
secret
);
// Encrypted length should be multiple of 16
expect(encrypted.length).toEqual(16);
const decrypted = RadiusAuthenticator.decryptPassword(
encrypted,
requestAuthenticator,
secret
);
expect(decrypted).toEqual(password);
});
tap.test('should encrypt and decrypt exactly 16-char password', async () => {
const password = '1234567890123456'; // Exactly 16 characters
const requestAuthenticator = crypto.randomBytes(16);
const secret = 'testing123';
const encrypted = RadiusAuthenticator.encryptPassword(
password,
requestAuthenticator,
secret
);
expect(encrypted.length).toEqual(16);
const decrypted = RadiusAuthenticator.decryptPassword(
encrypted,
requestAuthenticator,
secret
);
expect(decrypted).toEqual(password);
});
tap.test('should encrypt and decrypt long password (> 16 chars)', async () => {
const password = 'thisisaverylongpasswordthatexceeds16characters';
const requestAuthenticator = crypto.randomBytes(16);
const secret = 'testing123';
const encrypted = RadiusAuthenticator.encryptPassword(
password,
requestAuthenticator,
secret
);
// Should be padded to next multiple of 16
expect(encrypted.length % 16).toEqual(0);
expect(encrypted.length).toBeGreaterThan(16);
const decrypted = RadiusAuthenticator.decryptPassword(
encrypted,
requestAuthenticator,
secret
);
expect(decrypted).toEqual(password);
});
tap.test('should encrypt and decrypt password near max length (128 chars)', async () => {
const password = 'a'.repeat(120); // Near max of 128
const requestAuthenticator = crypto.randomBytes(16);
const secret = 'testing123';
const encrypted = RadiusAuthenticator.encryptPassword(
password,
requestAuthenticator,
secret
);
// Should be limited to 128 bytes
expect(encrypted.length).toBeLessThanOrEqual(128);
const decrypted = RadiusAuthenticator.decryptPassword(
encrypted,
requestAuthenticator,
secret
);
expect(decrypted).toEqual(password);
});
tap.test('should truncate password exceeding 128 chars', async () => {
const password = 'a'.repeat(150); // Exceeds max
const requestAuthenticator = crypto.randomBytes(16);
const secret = 'testing123';
const encrypted = RadiusAuthenticator.encryptPassword(
password,
requestAuthenticator,
secret
);
// Should be exactly 128 bytes (max)
expect(encrypted.length).toEqual(128);
// Decrypted will be truncated to 128 chars
const decrypted = RadiusAuthenticator.decryptPassword(
encrypted,
requestAuthenticator,
secret
);
expect(decrypted.length).toBeLessThanOrEqual(128);
});
tap.test('should handle empty password', async () => {
const password = '';
const requestAuthenticator = crypto.randomBytes(16);
const secret = 'testing123';
const encrypted = RadiusAuthenticator.encryptPassword(
password,
requestAuthenticator,
secret
);
// Even empty password is padded to 16 bytes
expect(encrypted.length).toEqual(16);
const decrypted = RadiusAuthenticator.decryptPassword(
encrypted,
requestAuthenticator,
secret
);
expect(decrypted).toEqual(password);
});
tap.test('should fail to decrypt with wrong secret', async () => {
const password = 'mypassword';
const requestAuthenticator = crypto.randomBytes(16);
const secret = 'testing123';
const wrongSecret = 'wrongsecret';
const encrypted = RadiusAuthenticator.encryptPassword(
password,
requestAuthenticator,
secret
);
const decrypted = RadiusAuthenticator.decryptPassword(
encrypted,
requestAuthenticator,
wrongSecret
);
// Should not match original password
expect(decrypted).not.toEqual(password);
});
tap.test('should fail to decrypt with wrong authenticator', async () => {
const password = 'mypassword';
const requestAuthenticator = crypto.randomBytes(16);
const wrongAuthenticator = crypto.randomBytes(16);
const secret = 'testing123';
const encrypted = RadiusAuthenticator.encryptPassword(
password,
requestAuthenticator,
secret
);
const decrypted = RadiusAuthenticator.decryptPassword(
encrypted,
wrongAuthenticator,
secret
);
// Should not match original password
expect(decrypted).not.toEqual(password);
});
tap.test('should handle special characters in password', async () => {
const password = '!@#$%^&*()_+-=[]{}|;:,.<>?';
const requestAuthenticator = crypto.randomBytes(16);
const secret = 'testing123';
const encrypted = RadiusAuthenticator.encryptPassword(
password,
requestAuthenticator,
secret
);
const decrypted = RadiusAuthenticator.decryptPassword(
encrypted,
requestAuthenticator,
secret
);
expect(decrypted).toEqual(password);
});
tap.test('should handle unicode characters in password', async () => {
const password = 'パスワード密码'; // Japanese + Chinese
const requestAuthenticator = crypto.randomBytes(16);
const secret = 'testing123';
const encrypted = RadiusAuthenticator.encryptPassword(
password,
requestAuthenticator,
secret
);
const decrypted = RadiusAuthenticator.decryptPassword(
encrypted,
requestAuthenticator,
secret
);
expect(decrypted).toEqual(password);
});
tap.test('should reject invalid encrypted password length', async () => {
const requestAuthenticator = crypto.randomBytes(16);
const secret = 'testing123';
// Not a multiple of 16
const invalidEncrypted = Buffer.alloc(15);
let error: Error | undefined;
try {
RadiusAuthenticator.decryptPassword(invalidEncrypted, requestAuthenticator, secret);
} catch (e) {
error = e as Error;
}
expect(error).toBeDefined();
expect(error!.message).toInclude('Invalid');
});
tap.test('PAP encryption matches RFC 2865 algorithm', async () => {
// Test that our implementation matches the RFC 2865 algorithm:
// b1 = MD5(S + RA) c(1) = p1 xor b1
// b2 = MD5(S + c(1)) c(2) = p2 xor b2
const password = 'testpassword12345678'; // Longer than 16 to test chaining
const requestAuth = Buffer.alloc(16, 0x42); // Fixed for deterministic test
const secret = 'sharedsecret';
// Our implementation
const encrypted = RadiusAuthenticator.encryptPassword(password, requestAuth, secret);
// Manual calculation per RFC
const paddedLength = Math.ceil(password.length / 16) * 16;
const padded = Buffer.alloc(paddedLength, 0);
Buffer.from(password, 'utf8').copy(padded);
const expected = Buffer.alloc(paddedLength);
let previousCipher = requestAuth;
for (let i = 0; i < paddedLength; i += 16) {
const md5 = crypto.createHash('md5');
md5.update(Buffer.from(secret, 'utf8'));
md5.update(previousCipher);
const b = md5.digest();
for (let j = 0; j < 16; j++) {
expected[i + j] = padded[i + j] ^ b[j];
}
previousCipher = expected.subarray(i, i + 16);
}
expect(encrypted.equals(expected)).toBeTruthy();
});
export default tap.start();
Reference in New Issue Copy Permalink