#!/usr/bin/python3
#
# Univention RADIUS 802.1X
#  NTLM-Authentication program
#
# SPDX-FileCopyrightText: 2012-2025 Univention GmbH
# SPDX-License-Identifier: AGPL-3.0-only


import argparse
import codecs
import hmac
import logging
import sys

from univention.radius import get_NetworkAccess, pyMsChapV2
from univention.radius.networkaccess import NetworkAccessError


# Log written by the NetworkAccess instance (passed as ``logfile=``); the same
# path is named in the error line printed to the caller when lookup fails.
LOGFILE = '/var/log/univention/radius_ntlm_auth.log'


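def main() -> int:
    """Check an MS-CHAPv2 NT-Response against the user's stored NT hash.

    Acts as an ``ntlm_auth``-style helper: the challenge and NT-Response
    arrive hex-encoded on the command line, the NT hash is fetched through
    ``NetworkAccess``, and the verdict is printed on stdout in the format the
    caller parses (``NT_KEY: <hex>`` on success, ``Logon failure`` otherwise).

    Returns:
        0 if the NT-Response matches the expected value, 1 on any failure
        (no usable hash, mismatch, malformed input or an unexpected error).
    """
    parser = argparse.ArgumentParser()
    parser.add_argument('--request-nt-key', action='store_true', required=True)
    parser.add_argument('--username', required=True)
    parser.add_argument('--challenge', required=True)
    parser.add_argument('--nt-response', required=True)
    parser.add_argument('--station-id')
    options = parser.parse_args()

    try:
        # Both values originate from the authenticating peer; a malformed hex
        # string (odd length, non-hex digit) is a logon failure, not a crash
        # with a traceback on stderr.  binascii.Error is a ValueError subclass.
        options.challenge = codecs.decode(options.challenge, 'hex')
        options.nt_response = codecs.decode(options.nt_response, 'hex')
    except ValueError:
        print('Logon failure (0xc000006d)')
        return 1

    NetworkAccess = get_NetworkAccess()
    # Bound before the try so the generic handler can tell whether the
    # NetworkAccess constructor itself failed (previously that path raised
    # UnboundLocalError inside the except block).
    networkAccess = None
    try:
        networkAccess = NetworkAccess(options.username, options.station_id, logfile=LOGFILE)
        try:
            PasswordHash = networkAccess.getNTPasswordHash()
        except NetworkAccessError as exc:
            # No usable hash for this user: record the reason, then fall
            # through to the logon-failure path.
            PasswordHash = None
            networkAccess.logger.warning(exc.msg)

        # Constant-time comparison: a plain ``==`` on the 24-byte response
        # would return early on the first mismatching byte and leak, via
        # timing, how much of the caller-supplied NT-Response was correct.
        # Both operands are bytes (nt_response was hex-decoded above).
        if PasswordHash and hmac.compare_digest(
            pyMsChapV2.ChallengeResponse(options.challenge, PasswordHash),
            options.nt_response,
        ):
            # NT key = hash of the NT hash, needed by the caller for MPPE
            # key derivation; printed upper-case hex as the caller expects.
            nt_key = codecs.encode(pyMsChapV2.HashNtPasswordHash(PasswordHash), 'hex').decode('ASCII').upper()
            print(f'NT_KEY: {nt_key}')
            return 0

        print('Logon failure (0xc000006d)')
        return 1
    except Exception:
        print(f'ERROR: Please check logfile {LOGFILE!r} (0xc000006d)')
        # If construction of NetworkAccess failed there is no per-user logger
        # yet; fall back to the module logger (with no handler configured,
        # logging's last-resort handler sends this to stderr) so the
        # traceback is not lost.
        logger = networkAccess.logger if networkAccess is not None else logging.getLogger(__name__)
        logger.exception('UNABLE TO AUTHENTICATE USER:')
        return 1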


if __name__ == "__main__":
    # Propagate main()'s return code as the process exit status.
    raise SystemExit(main())
