From: Arran Cudbard-Bell Date: Mon, 22 Oct 2012 09:23:07 +0000 (+0100) Subject: Fixup formatting and errors in cui policy and dependencies X-Git-Tag: release_3_0_0_beta1~1655 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f5416720dc8d010f82b57a4aedaa70243d23af81;p=thirdparty%2Ffreeradius-server.git Fixup formatting and errors in cui policy and dependencies Include sql cui queries by default, as the cuisql module won't be instantiated in the default config. Change cui_has_key value to make it clear that it should be changed. Use string (yes/no) for bool in cui_require_operator_name for consistancy, ideally the parser would pre-evaluate comparisons between literal strings, but the performance hit does not outweigh consistency. Remove spurious spaces around conditions. Literal strings should be literal (i.e. single quotes). Packet-Type is still provided by a magic xlat expension. Substitute 8 spaces for tabs (config files have same formatting rules as C src) Use outer.request:EAP-Message to check whether were in an inner or outer tunnel, should be forwards compatible. ${} values are pre-expanded, so do not require double quotes. control:Proxy-To-Realm is not a magic attribute, it's a standard attribute in the control list (even when set by rlm_realm). cui virtual module does not have xlat method, should use cuisql.
---
diff --git a/raddb/mods-available/cui b/raddb/mods-available/cui
index f64cc3d00c1..9fac3fc6f4f 100644
--- a/raddb/mods-available/cui
+++ b/raddb/mods-available/cui
@@ -33,5 +33,6 @@ sql cuisql {
 }
 cui_table = "cui"
 sql_user_name = "%{User-Name}"
-#$INCLUDE sql/${database}/cui.conf
+
+ $INCLUDE sql/${database}/cui.conf
 }
diff --git a/raddb/policy.d/cui b/raddb/policy.d/cui
index b0df5b3391f..224d07da577 100644
--- a/raddb/policy.d/cui
+++ b/raddb/policy.d/cui
@@ -12,14 +12,14 @@ # dictionary attacks, therefore should be chosen as a "random" # string and kept secret. # -cui_hash_key = "some_hash_key" +cui_hash_key = "changeme" # # cui_require_operator_name switch # If this is set to nonzero value then CUI will only be added # when a non-empty Operator-Name value is present in the request # -cui_require_operator_name = 0 +cui_require_operator_name = "no" # # The client indicates it can do CUI by sending a CUI attribute @@ -39,7 +39,7 @@ cui_require_operator_name = 0 # } # cui.authorize { - if ( "%{client:add-cui}" == "yes" ) { + if ("%{client:add-cui}" == 'yes') { update request { Chargeable-User-Identity := '\\000' } @@ -51,13 +51,13 @@ cui.authorize { # attribute should be added, unless it is already present in the request. # cui.pre-proxy { - if (Packet-Type == Access-Request && "%{client:add-cui}" == "yes") { + if (("%{request:Packet-Type}" == 'Access-Request') && ("%{client:add-cui}" == 'yes')) { update proxy-request { Chargeable-User-Identity = '\\000' } } } - + # # Add a CUI attribute based on the User-Name, and a secret key 
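Review bot: The comment kept above `cui_require_operator_name` still says the requirement is enabled by any "nonzero value", but the cui.post-auth hunk in this same commit now tests `'${policy.cui_require_operator_name}' != 'yes'`, so a value such as `1` or `true` now silently disables the requirement; suggest `#  If this is set to "yes" then CUI will only be added`. Separately, `cui_hash_key = "changeme"` is a placeholder that will ship in every default install, and because the CUI is `md5(key + User-Name + Operator-Name)` (see the cui.post-auth hunk), a site that forgets to change it issues identifiers that anyone holding the key can confirm against guessed usernames, which is the dictionary attack the comment above the key warns about. Consider a guard that refuses to issue a CUI while the key is still the placeholder, for example `if ('${policy.cui_hash_key}' == 'changeme') { fail }` at the top of cui.post-auth, with the return code left to site policy; at minimum the comment should say the server will not warn if the value is left unchanged.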
@@ -66,26 +66,26 @@ cui.pre-proxy {
 # use_tunneled_reply parameter MUST be set to yes
 #
 cui.post-auth {
- if (Freeradius-Proxied-To == 127.0.0.1) {
- if (outer.request:Chargeable-User-Identity && \
- (outer.request:Operator-Name || !("${policy.cui_require_operator_name}"))) {
- update reply {
- Chargeable-User-Identity:="%{md5:${policy.cui_hash_key}%{User-Name}%{outer.request:Operator-Name:-}}"
- }
- }
- }
- else {
- if (!("%{control:Proxy-To-Realm}") && \
- Chargeable-User-Identity && \
- !(reply:Chargeable-User-Identity) && \
- (Operator-Name || !("${policy.cui_require_operator_name}")) ) {
- update reply {
- Chargeable-User-Identity="%{md5:${policy.cui_hash_key}%{User-Name}%{%{Operator-Name}:-}}"
- }
- }
- update reply {
- User-Name-="%{reply:User-Name}"
- }
+ if (outer.request:EAP-Message) {
+ if (outer.request:Chargeable-User-Identity && \
+ (outer.request:Operator-Name || ('${policy.cui_require_operator_name}' != 'yes'))) {
+ update reply {
+ Chargeable-User-Identity := "%{md5:${policy.cui_hash_key}%{User-Name}%{%{outer.request:Operator-Name}:-}}"
+ }
+ }
+ }
+ else {
+ if (!control:Proxy-To-Realm && \
+ Chargeable-User-Identity && \
+ !reply:Chargeable-User-Identity && \
+ (Operator-Name || ('${policy.cui_require_operator_name}' != 'yes')) ) {
+ update reply {
+ Chargeable-User-Identity = "%{md5:${policy.cui_hash_key}%{User-Name}%{%{Operator-Name}:-}}"
+ }
+ }
+ update reply {
+ User-Name -= "%{reply:User-Name}"
+ }
 #
 # The section below will store a CUI for the User in the DB.
 # You need to configure the cuisql module and your database for this to work.
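Review bot: The new `if (outer.request:EAP-Message)` test at the top of cui.post-auth stands in for "is this the inner-tunnel request", but nothing in the file says so, whereas the replaced `Freeradius-Proxied-To == 127.0.0.1` test at least named what it was checking; suggest a comment above it such as `#  outer.request: only resolves for an inner-tunnel request; a bare request has no outer EAP-Message and takes the else branch`. That comment is only true if `outer.request:` fails to resolve when there is no parent request rather than falling back to the request itself, which is worth confirming, since a non-tunnelled EAP request carries its own EAP-Message and would otherwise be treated as inner. The inner branch also writes the reply CUI with `:=` and no `!reply:Chargeable-User-Identity` guard, while the outer branch uses `=` behind that guard, so an existing reply CUI is replaced in one case and preserved in the other; if that asymmetry is intended it deserves a comment, otherwise the two should match. The cui.post-auth section continues past the end of the hunk.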
@@ -111,7 +111,7 @@ cui.accounting {
 #
 if (!Chargeable-User-Identity) {
 update request {
- Chargeable-User-Identity := "%{cui: SELECT cui FROM cui WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' AND callingstationid = '%{Calling-Station-Id}' AND username = '%{User-Name}'}"
+ Chargeable-User-Identity := "%{cuisql:SELECT cui FROM cui WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' AND callingstationid = '%{Calling-Station-Id}' AND username = '%{User-Name}'}"
 }
 }
@@ -119,7 +119,7 @@ cui.accounting {
 # If it exists now, then write out when we last saw
 # this CUI.
 #
- if (Chargeable-User-Identity && (Chargeable-User-Identity != "")) {
+ if (Chargeable-User-Identity && (Chargeable-User-Identity != '')) {
 cuisql
 }
 }
diff --git a/raddb/policy.d/operator-name b/raddb/policy.d/operator-name
index afd996181cb..4591312944b 100644
--- a/raddb/policy.d/operator-name
+++ b/raddb/policy.d/operator-name
@@ -26,7 +26,7 @@
 # an Operator-Name attribute
 #
 operator-name.authorize {
- if ( "%{client:Operator-Name}" ) {
+ if ("%{client:Operator-Name}") {
 update request {
 Operator-Name = "%{client:Operator-Name}"
 }
@@ -38,7 +38,7 @@ operator-name.authorize {
 # attribute identifying this site if the operator-name is found for this client
 #
 operator-name.pre-proxy {
- if ("%{request:Packet-Type}" == "Access-Request" && "%{client:Operator-Name}") {
+ if (("%{request:Packet-Type}" == 'Access-Request') && "%{client:Operator-Name}") {
 update proxy-request {
 Operator-Name := "%{client:Operator-Name}"
 }
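Review bot: The `%{cuisql:SELECT ...}` lookup in cui.accounting expands `%{Calling-Station-Id}` and `%{User-Name}` straight into quoted SQL literals, and both values arrive unverified from the accounting client; this is presumably safe only because the sql module applies its escape function to values expanded inside its own xlat, a dependency that is not visible from this file. Suggest a comment above the `update request`, e.g. `#  Attribute values in this query are escaped by the cuisql module's xlat; do not route the same query through a different expansion`, so a later refactor does not silently drop the quoting. The enclosing cui.accounting section starts and ends outside the hunk.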