2 # The following policies generate targeted IDs for ABFAB (Moonshot)
# These policies require that the UUID package is installed on your platform
# and that they are called from the inner-tunnel
7 # The following string attributes need to exist in the UKERNA dictionary
8 # Moonshot-Host-TargetedId (138)
9 # Moonshot-Realm-TargetedId (139)
10 # Moonshot-TR-COI-TargetedId (140)
12 # These attributes should also be listed in the attr_filter policies
13 # post-proxy and pre-proxy when you use attribute filtering:
14 # Moonshot-Host-TargetedId =* ANY,
15 # Moonshot-Realm-TargetedId =* ANY,
16 # Moonshot-TR-COI-TargetedId =* ANY,
20 # targeted_id_salt definition
# This salt protects targeted IDs against dictionary attacks; it should
# therefore be chosen as a "random" string and must be kept secret.
# Placeholder only: replace this value before deployment.  The targeted IDs
# generated below are a deterministic function of (username, salt, RP name),
# so anyone who knows the salt can recompute the ID for a guessed username.
targeted_id_salt = "changeme"
28 # These namespaces are used for UUID generation.
29 # They should not be changed by implementors
# Fixed UUID version-5 namespaces, one per targeted-ID type.  Each policy
# below passes its namespace as the first argument to "uuid -v 5"; since a
# v5 UUID is a hash over namespace + name, changing a namespace changes
# every ID that policy emits.
moonshot_host_namespace = "a574a04e-b7ff-4850-aa24-a8599c7de1c6"
moonshot_realm_namespace = "dea5f26d-a013-4444-977d-d09fc990d2e6"
moonshot_coi_namespace = "145d7e7e-7d54-43ee-bbcb-3c6ad9428247"
35 # This policy generates a host-specific targeted ID
moonshot_host_tid.post-auth {
	# generate a UUID for Moonshot-Host-TargetedId
	# targeted id = (uuid -v 5 [namespace] [username][salt][RP host name])@[IdP realm name]
	# Only runs when the outer (EAP) request carries the acceptor host name;
	# otherwise no ID is produced.
	if (&outer.request:GSS-Acceptor-Host-Name) {
		# User-Name (from the peer) and the acceptor host name (from the RP) are
		# both externally supplied and are handed to an external uuid binary via
		# %{echo:...}.  The regex accepts only a single space-free token (trailing
		# spaces allowed); any other output, including an empty result if the
		# binary is missing or fails, presumably leaves the ID unset.
		# NOTE(review): confirm how the echo xlat tokenises its command line -- a
		# User-Name containing whitespace would presumably be split into extra
		# arguments rather than passed to uuid as one name.
		if ("%{echo:/usr/bin/uuid -v 5 ${policy.moonshot_host_namespace} %{tolower:%{User-Name}}${policy.targeted_id_salt}%{tolower:%{outer.request:GSS-Acceptor-Host-Name}}}" =~ /^([^ ]+)([ ]*)$/) {
			# Store on the outer session so the value survives into the
			# outer server's post-auth and reply handling.
			update outer.session-state {
				Moonshot-Host-TargetedId := "%{1}@%{tolower:%{request:Realm}}"
48 # This policy generates a realm-specific targeted ID
moonshot_realm_tid.post-auth {
	# generate a UUID for Moonshot-Realm-TargetedId
	# targeted id = (uuid -v 5 [namespace] [username][salt][RP realm name])@[IdP realm name]
	# Only runs when the outer (EAP) request carries the acceptor realm name;
	# otherwise no ID is produced.
	if (&outer.request:GSS-Acceptor-Realm-Name) {
		# Same construction as the host-specific ID, keyed on the RP realm
		# instead of the RP host.  User-Name and the acceptor realm are both
		# externally supplied and reach an external uuid binary via %{echo:...};
		# the regex accepts only a single space-free token (trailing spaces
		# allowed), so any other output presumably leaves the ID unset.
		# NOTE(review): confirm how the echo xlat tokenises whitespace in
		# User-Name before relying on the ID being stable for such names.
		if ("%{echo:/usr/bin/uuid -v 5 ${policy.moonshot_realm_namespace} %{tolower:%{User-Name}}${policy.targeted_id_salt}%{tolower:%{outer.request:GSS-Acceptor-Realm-Name}}}" =~ /^([^ ]+)([ ]*)$/) {
			# Store on the outer session so the value survives into the
			# outer server's post-auth and reply handling.
			update outer.session-state {
				Moonshot-Realm-TargetedId := "%{1}@%{tolower:%{request:Realm}}"
61 # This policy generates a COI-specific targeted ID
63 moonshot_coi_tid.post-auth {
64 # generate a UUID for Moonshot-TR-COI-TargetedId
65 # targeted id = (uuid -v 5 [namespace] [username][salt][RP COI name])@[IdP realm name]
66 if (&outer.request:Trust-Router-COI) {
67 if ("%{echo:/usr/bin/uuid -v 5 ${policy.moonshot_coi_namespace} %{tolower:%{User-Name}}${policy.targeted_id_salt}%{tolower:%{outer.request:Trust-Router-COI}}}" =~ /^([^ ]+)([ ]*)$/) {
68 update outer.session-state {
69 Moonshot-TR-COI-TargetedId := "%{1}@%{tolower:%{request:Realm}}"