abfab_psk_authorize {
if (&TLS-PSK-Identity) {
# TODO: may need to check trust-router-apc as well
- if ("%{psksql:select distinct keyid from authorizations_keys where keyid = '%{tls-psk-identity}' and '%{trust-router-coi}' like coi and '%{gss-acceptor-realm-name}' like acceptor_realm and '%{gss-acceptor-host-name}' like hostname;}") {
+ if ("%psksql(select distinct keyid from authorizations_keys where keyid = '%{tls-psk-identity}' and '%{trust-router-coi}' like coi and '%{gss-acceptor-realm-name}' like acceptor_realm and '%{gss-acceptor-host-name}' like hostname;)") {
# do things here
}
else {
abfab_client_check {
# check that the acceptor host name is correct
- if ("%(client:gss_acceptor_host_name)" && &GSS-acceptor-host-name) {
- if ("%(client:gss_acceptor_host_name)" != "%{gss-acceptor-host-name}") {
+ if ("%client(gss_acceptor_host_name)" && &GSS-acceptor-host-name) {
+ if ("%client(gss_acceptor_host_name)" != "%{gss-acceptor-host-name}") {
&reply.Reply-Message = "GSS-Acceptor-Host-Name incorrect"
reject
}
# set trust-router-coi attribute from the client configuration
- if ("%(client:trust_router_coi)") {
- &request.Trust-Router-COI := "%(client:trust_router_coi)"
+ if ("%client(trust_router_coi)") {
+ &request.Trust-Router-COI := "%client(trust_router_coi)"
}
# set gss-acceptor-realm-name attribute from the client configuration
- if ("%(client:gss_acceptor_realm_name)") {
- &request.GSS-Acceptor-Realm-Name := "%(client:gss_acceptor_realm_name)"
+ if ("%client(gss_acceptor_realm_name)") {
+ &request.GSS-Acceptor-Realm-Name := "%client(gss_acceptor_realm_name)"
}
}
# result in the string `192.0.2.1`, but will instead be
# represented internally as 32-bits of binary data `c0000201`.
# The MD5 hash of those inputs will then be different.
-# We fix this issue by using `%{string:..}` to convert the
+# We fix this issue by using `%string(..}` to convert the
# inputs to MD5 into printable string form.
#
-# Similarly, the output of `%{md5:..}` is binary safe, and is
+# Similarly, the output of `%md5(..}` is binary safe, and is
# therefore a binary blob. We therefore convert the output
-# of it to a printable string via `%{hex:...}`
+# of it to a printable string via `%hex(...}`
#
acct_unique {
#
# initial authentication session (Common in a
# wireless environment).
#
- if ("%{string:Class}" =~ /${policy.class_value_prefix}([0-9a-f]{32})/i) {
- &request.Acct-Unique-Session-Id := "%{hex:%{md5:%{string:%{1},%{Acct-Session-ID}}}}"
+ if ("%string(Class)" =~ /${policy.class_value_prefix}([0-9a-f]{32})/i) {
+ &request.Acct-Unique-Session-Id := "%hex(%md5(%string(%{1},%{Acct-Session-ID})))"
}
#
# is not included
#
else {
- &request.Acct-Unique-Session-Id := "%{hex:%{md5:%{string:%{User-Name},%{Acct-Multi-Session-ID},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}}}"
+ &request.Acct-Unique-Session-Id := "%hex(%md5(%string(%{User-Name},%{Acct-Multi-Session-ID},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port})))"
}
}
# Insert a (hopefully unique) value into class
#
insert_acct_class {
- &reply.Class = "${policy.class_value_prefix}%{md5:%t,%I,%{Net.Src.Port},%{Net.Src.IP},%{NAS-IP-Address},%{Calling-Station-ID},%{User-Name}}"
+ &reply.Class = "${policy.class_value_prefix}%md5(%t,%I,%{Net.Src.Port},%{Net.Src.IP},%{NAS-IP-Address},%{Calling-Station-ID},%{User-Name})"
}
#
&request.Acct-Input-Octets64 := "%{%{Acct-Input-Octets}:-0}"
}
else {
- &request.Acct-Input-Octets64 = "%{expr:(&Acct-Input-Gigawords << 32) | &Acct-Input-Octets}"
+ &request.Acct-Input-Octets64 = (((uint64) &Acct-Input-Gigawords) << 32) | (uint64) &Acct-Input-Octets
}
if (!&Acct-Output-Gigawords) {
&request.Acct-Output-Octets64 := "%{%{Acct-Output-Octets}:-0}"
}
else {
- &request.Acct-Output-Octets64 = "%{expr:(&Acct-Output-Gigawords << 32) | &Acct-Output-Octets}"
+ &request.Acct-Output-Octets64 = (((uint64) &Acct-Output-Gigawords) << 32) | (uint64) &Acct-Output-Octets
}
}
#
rewrite_called_station_id {
if (&Called-Station-Id && (&Called-Station-Id =~ /^${policy.mac-addr-regexp}([^0-9a-f](.+))?$/i)) {
- &request.Called-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
+ &request.Called-Station-Id := "%toupper(%{1}-%{2}-%{3}-%{4}-%{5}-%{6})"
# SSID component?
if ("%{8}") {
#
rewrite_calling_station_id {
if (&Calling-Station-Id && (&Calling-Station-Id =~ /^${policy.mac-addr-regexp}$/i)) {
- &request.Calling-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
+ &request.Calling-Station-Id := "%toupper(%{1}-%{2}-%{3}-%{4}-%{5}-%{6})"
updated
}
# }
#
cui.authorize {
- if ("%(client:add_cui)" == 'yes') {
+ if ("%client(add_cui)" == 'yes') {
&request.Chargeable-User-Identity := 0x00
}
}
cui.post-auth {
if (!&control.Proxy-To-Realm && &Chargeable-User-Identity && !&reply.Chargeable-User-Identity &&
(&Operator-Name || ('${policy.cui_require_operator_name}' != 'yes')) ) {
- &reply.Chargeable-User-Identity = "%{sha1:${policy.cui_hash_key}%{tolower:%{User-Name}%{%{Operator-Name}:-}}}"
+ &reply.Chargeable-User-Identity = "%sha1(${policy.cui_hash_key}%tolower(%{User-Name}%{%{Operator-Name}:-}))"
}
#
cui-inner.post-auth {
if (&outer.request.Chargeable-User-Identity && \
(&outer.request.Operator-Name || ('${policy.cui_require_operator_name}' != 'yes'))) {
- &reply.Chargeable-User-Identity := "%{sha1:${policy.cui_hash_key}%{tolower:%{User-Name}%{%{outer.request.Operator-Name}:-}}}"
+ &reply.Chargeable-User-Identity := "%sha1(${policy.cui_hash_key}%tolower(%{User-Name}%{%{outer.request.Operator-Name}:-}))"
}
}
# in the DB.
#
if (!&Chargeable-User-Identity) {
- &request.Chargeable-User-Identity := %{cuisql:\
+ &request.Chargeable-User-Identity := %cuisql(\
SELECT cui FROM cui \
WHERE clientipaddress = '%{Net.Src.IP}' \
AND callingstationid = '%{Calling-Station-Id}' \
- AND username = '%{User-Name}'}
+ AND username = '%{User-Name}')
}
#
#
# reject mixed case e.g. "UseRNaMe"
#
- #if (&User-Name != "%{tolower:%{User-Name}}") {
+ #if (&User-Name != "%tolower(%{User-Name}}") {
# reject
#}
#
filter_password {
if (&User-Password && \
- (&User-Password != "%{string:User-Password}")) {
- &request.Tmp-String-0 := %{string:User-Password}
- &request.User-Password := %{string:Tmp-String-0}
+ (&User-Password != "%string(User-Password}")) {
+ &request.Tmp-String-0 := %string(User-Password)
+ &request.User-Password := %string(Tmp-String-0)
}
}
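Review bot: The rewritten comparison in filter_password, `(&User-Password != "%string(User-Password}"))`, closes the `%string(` call with `}` instead of `)`, so the expansion is malformed while the two assignments directly below it already use the correct `%string(User-Password)` and `%string(Tmp-String-0)` forms; the line should read `(&User-Password != "%string(User-Password)")) {`. The same `(`…`}` mismatch appears in the commented-out mixed-case check just above this policy, `#if (&User-Name != "%tolower(%{User-Name}}") {`, and in the comment block preceding acct_unique (`%string(..}`, `%md5(..}`, `%hex(...}`), all of which should use `(...)` to match the new xlat syntax these hunks introduce. Because this policy exists to normalise the password before later modules see it, a parse error or a comparison that never matches would be easy to miss, so it is worth confirming the corrected line is accepted by the new parser rather than assuming the condition is being evaluated.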
# Get the outer realm.
#
if (&outer.request.User-Name =~ /@([^@]+)$/) {
- &request.Outer-Realm-Name = "%{1}"
+ &request.Outer-Realm-Name = %{1}
#
# When we have an outer realm name, the user portion
# Get the inner realm.
#
if (&User-Name =~ /@([^@]+)$/) {
- &request.Inner-Realm-Name = "%{1}"
+ &request.Inner-Realm-Name = %{1}
#
# Note that we do EQUALITY checks for realm names.