[models] Sanitize MAC addresses in called_station_id field #624

This change implements MAC address sanitization in the called_station_id
field of RadiusAccounting to ensure consistent formatting across different
input formats. MAC addresses are now automatically converted to lowercase
colon-separated format (aa:bb:cc:dd:ee:ff) while preserving non-MAC values
unchanged for RFC compliance.

Changes:
- Added sanitize_mac_address function in base/models.py using netaddr.EUI
- Integrated automatic MAC sanitization in AbstractRadiusAccounting.save()
- Updated test imports to use sanitize_mac_address from base.models
- Supports multiple MAC formats: colon, dash, dot, and no separators

Fixes #624

Author: Eeshu-Yadav

docs/user/rest-api.rst

@@ -297,7 +297,7 @@ Accounting
     /api/v1/freeradius/accounting/
 
 GET
-...
+^^^
 
 Returns a list of accounting objects
 
@@ -338,7 +338,7 @@ Returns a list of accounting objects
     ]
 
 POST
-....
+^^^^
 
 Add or update accounting information (start, interim-update, stop); does
 not return any JSON response so that freeradius will avoid processing the
@@ -374,7 +374,7 @@ framed_ip_address     framed IP address
 ===================== =====================
 
 Pagination
-''''''''''
+""""""""""
 
 Pagination is provided using a Link header pagination. Check `here for
 more information about traversing with pagination
@@ -397,7 +397,7 @@ more information about traversing with pagination
     parameter.
 
 Filters
-'''''''
+"""""""
 
 The JSON objects returned using the GET endpoint can be filtered/queried
 using specific parameters.
@@ -490,7 +490,7 @@ is disabled for a particular org, an empty string will be acceptable.
 .. _radius_registering_to_multiple_organizations:
 
 Registering to Multiple Organizations
-.....................................
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 An **HTTP 409** response will be returned if an existing user tries to
 register on a URL of a different organization (because the account already

openwisp_radius/api/freeradius_views.py

@@ -28,6 +28,7 @@
 
 from .. import registration
 from .. import settings as app_settings
+from ..base.models import sanitize_mac_address
 from ..counters.base import BaseCounter
 from ..counters.exceptions import MaxQuotaReached
 from ..signals import radius_accounting_success
@@ -370,10 +371,12 @@ def _check_simultaneous_use(
         # can remain open even though the user is not authenticated
         # on the NAS anymore, for this reason, we shall allow re-authentication
         # of the same client on the same NAS.
+        # Sanitize MAC addresses to ensure consistent comparison
+        # since the database stores sanitized values.
         if called_station_id and calling_station_id:
             open_sessions = open_sessions.exclude(
-                called_station_id=called_station_id,
-                calling_station_id=calling_station_id,
+                called_station_id=sanitize_mac_address(called_station_id),
+                calling_station_id=sanitize_mac_address(calling_station_id),
             )
         open_sessions = open_sessions.count()
         if open_sessions >= max_simultaneous:

openwisp_radius/base/models.py

@@ -31,49 +31,6 @@
 from phonenumber_field.modelfields import PhoneNumberField
 from private_storage.fields import PrivateFileField
 
-def sanitize_mac_address(mac):
-    """
-    Sanitize a MAC address string to the colon-separated lowercase format.
-    If the input is not a valid MAC address, return it unchanged.
-    
-    Handles various MAC address formats:
-    - 00:1A:2B:3C:4D:5E -> 00:1a:2b:3c:4d:5e
-    - 00-1A-2B-3C-4D-5E -> 00:1a:2b:3c:4d:5e
-    - 001A.2B3C.4D5E -> 00:1a:2b:3c:4d:5e
-    - 001A2B3C4D5E -> 00:1a:2b:3c:4d:5e
-    """
-    # Return empty string or non-string input as is
-    if not mac or not isinstance(mac, str):
-        return mac
-        
-    # Check if it's an IP address (IPv4) - preserve unchanged
-    if re.match(r'^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$', mac):
-        return mac
-    
-    # Try to extract MAC address from the string
-    # Look for MAC address patterns, including those with additional text
-    mac_patterns = [
-        r'([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}',  # Standard MAC with : or -
-        r'([0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}',    # Cisco format
-        r'[0-9A-Fa-f]{12}'                          # No separators
-    ]
-    
-    for pattern in mac_patterns:
-        match = re.search(pattern, mac)
-        if match:
-            mac_candidate = match.group(0)
-            try:
-                # Try to parse as EUI to validate
-                eui = EUI(mac_candidate)
-                # Return sanitized MAC address in colon-separated lowercase format
-                return ':'.join(['%02x' % x for x in eui.words]).lower()
-            except (AddrFormatError, ValueError, TypeError):
-                continue
-    
-    # If no valid MAC found, return original string unchanged
-    return mac
-
-import swapper
 from openwisp_radius.registration import (
     REGISTRATION_METHOD_CHOICES,
     get_registration_choices,
@@ -223,6 +180,49 @@ def sanitize_mac_address(mac):
 OPTIONAL_SETTINGS = app_settings.OPTIONAL_REGISTRATION_FIELDS
 
 
+def sanitize_mac_address(mac):
+    """
+    Sanitize a MAC address string to the colon-separated lowercase format.
+    If the input is not a valid MAC address, return it unchanged.
+
+    Handles various MAC address formats:
+    - 00:1A:2B:3C:4D:5E -> 00:1a:2b:3c:4d:5e
+    - 00-1A-2B-3C-4D-5E -> 00:1a:2b:3c:4d:5e
+    - 001A.2B3C.4D5E -> 00:1a:2b:3c:4d:5e
+    - 001A2B3C4D5E -> 00:1a:2b:3c:4d:5e
+    """
+    # Return empty string or non-string input as is
+    if not mac or not isinstance(mac, str):
+        return mac
+
+    # Check if it's an IP address (IPv4) - preserve unchanged
+    if re.match(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$", mac):
+        return mac
+
+    # Try to extract MAC address from the string
+    # Look for MAC address patterns, including those with additional text
+    mac_patterns = [
+        r"([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}",  # Standard MAC with : or -
+        r"([0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}",  # Cisco format
+        r"[0-9A-Fa-f]{12}",  # No separators
+    ]
+
+    for pattern in mac_patterns:
+        match = re.search(pattern, mac)
+        if match:
+            mac_candidate = match.group(0)
+            try:
+                # Try to parse as EUI to validate
+                eui = EUI(mac_candidate)
+                # Return sanitized MAC address in colon-separated lowercase format
+                return ":".join(["%02x" % x for x in eui.words]).lower()
+            except (AddrFormatError, ValueError, TypeError):
+                continue
+
+    # If no valid MAC found, return original string unchanged
+    return mac
+
+
 class AutoUsernameMixin(object):
     def clean(self):
         """
@@ -624,8 +624,9 @@ def _close_stale_sessions_on_nas_boot(cls, called_station_id):
         """
         if not called_station_id:
             return 0
+        sanitized_called_station_id = sanitize_mac_address(called_station_id)
         stale_sessions = cls.objects.filter(
-            called_station_id=called_station_id,
+            called_station_id=sanitized_called_station_id,
             stop_time__isnull=True,
         )
         closed_count = stale_sessions.update(