From: Stefan Paetow Date: Thu, 22 Sep 2016 13:03:49 +0000 (+0200) Subject: Create moonshot-targeted-ids X-Git-Tag: release_3_0_12~33^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fbdbc7e227e3552a1f9339b2a8970d0f35034729;p=thirdparty%2Ffreeradius-server.git Create moonshot-targeted-ids Formally include the three Moonshot TargetedIds in the FreeRADIUS policy space so that it can be updated accordingly as the other policies (and features) progress. --- diff --git a/raddb/policy.d/moonshot-targeted-ids b/raddb/policy.d/moonshot-targeted-ids new file mode 100644 index 00000000000..e85b2913da1 --- /dev/null +++ b/raddb/policy.d/moonshot-targeted-ids @@ -0,0 +1,73 @@ +# +# The following policies generate targeted IDs for ABFAB (Moonshot) +# +# This policy requires that the UUID package is installed on your platform +# and that this is called from the inner-tunnel +# +# The following string attributes need to exist in the UKERNA dictionary +# Moonshot-Host-TargetedId (138) +# Moonshot-Realm-TargetedId (139) +# Moonshot-TR-COI-TargetedId (140) +# +# These attributes should also be listed in the attr_filter policies +# post-proxy and pre-proxy when you use attribute filtering: +# Moonshot-Host-TargetedId =* ANY, +# Moonshot-Realm-TargetedId =* ANY, +# Moonshot-TR-COI-TargetedId =* ANY, +# + +# +# targeted_id_salt definition +# This salt serves the purpose of protecting targeted IDs against +# dictionary attacks, therefore should be chosen as a "random" +# string and kept secret. +# +targeted_id_salt = "changeme" +# +# Moonshot namespaces +# These namespaces are used for UUID generation. +# They should not be changed by implementors +# +moonshot_host_namespace = "a574a04e-b7ff-4850-aa24-a8599c7de1c6" +moonshot_realm_namespace = "dea5f26d-a013-4444-977d-d09fc990d2e6" +moonshot_coi_namespace = "145d7e7e-7d54-43ee-bbcb-3c6ad9428247" + +# This policy generates a host-specific targeted ID +# +moonshot_host_tid.post-auth { + # generate a UUID for Moonshot-Host-TargetedId + # targeted id = (uuid -v 5 [namespace] [username][salt][RP host name])@[IdP realm name] + if (&outer.request:GSS-Acceptor-Host-Name) { + if ("%{echo:/usr/bin/uuid -v 5 ${policy.moonshot_host_namespace} %{tolower:%{User-Name}}${policy.targeted_id_salt}%{tolower:%{outer.request:GSS-Acceptor-Host-Name}}}" =~ /^([^ ]+)([ ]*)$/) { + update outer.session-state { + Moonshot-Host-TargetedId := "%{1}@%{tolower:%{request:Realm}}" + } + } + } +} +# This policy generates a realm-specific targeted ID +# +moonshot_realm_tid.post-auth { + # generate a UUID for Moonshot-Realm-TargetedId + # targeted id = (uuid -v 5 [namespace] [username][salt][RP realm name])@[IdP realm name] + if (&outer.request:GSS-Acceptor-Realm-Name) { + if ("%{echo:/usr/bin/uuid -v 5 ${policy.moonshot_realm_namespace} %{tolower:%{User-Name}}${policy.targeted_id_salt}%{tolower:%{outer.request:GSS-Acceptor-Realm-Name}}}" =~ /^([^ ]+)([ ]*)$/) { + update outer.session-state { + Moonshot-Realm-TargetedId := "%{1}@%{tolower:%{request:Realm}}" + } + } + } +} +# This policy generates a COI-specific targeted ID +# +moonshot_coi_tid.post-auth { + # generate a UUID for Moonshot-TR-COI-TargetedId + # targeted id = (uuid -v 5 [namespace] [username][salt][RP COI name])@[IdP realm name] + if (&outer.request:Trust-Router-COI) { + if ("%{echo:/usr/bin/uuid -v 5 ${policy.moonshot_coi_namespace} %{tolower:%{User-Name}}${policy.targeted_id_salt}%{tolower:%{outer.request:Trust-Router-COI}}}" =~ /^([^ ]+)([ ]*)$/) { + update outer.session-state { + Moonshot-TR-COI-TargetedId := "%{1}@%{tolower:%{request:Realm}}" + } + } + } +}