1 #
2 #  The following policies generate targeted IDs for ABFAB (Moonshot)
3 #
#  This policy requires that the UUID package is installed on your platform
#  and that it is called from the inner tunnel
6 #
7 #  The following string attributes need to exist in the UKERNA dictionary
8 #  Moonshot-Host-TargetedId (138)
9 #  Moonshot-Realm-TargetedId (139)
10 #  Moonshot-TR-COI-TargetedId (140)
11 #
12 #  These attributes should also be listed in the attr_filter policies
13 #  post-proxy and pre-proxy when you use attribute filtering:
14 #       Moonshot-Host-TargetedId =* ANY,
15 #       Moonshot-Realm-TargetedId =* ANY,
16 #       Moonshot-TR-COI-TargetedId =* ANY,
17 #
18  
19 #
20 #  targeted_id_salt definition
#  This salt protects targeted IDs against dictionary attacks; it should
#  therefore be a random string that is kept secret. The value below is a
#  placeholder and must be replaced before use.
24 #
#  NOTE: the salt is expanded into the "uuid" command line in the post-auth
#  policies below, so while that child process runs its arguments (salt
#  included) are readable by other local users, as command-line arguments
#  generally are.
targeted_id_salt = "changeme"
26 #
27 #  Moonshot namespaces
28 #  These namespaces are used for UUID generation.
29 #  They should not be changed by implementors
30 #
#  Each value is passed as the namespace argument to "uuid -v 5" in the
#  matching post-auth policy below; changing one changes every targeted ID
#  derived from it, so previously issued IDs would no longer match.
moonshot_host_namespace = "a574a04e-b7ff-4850-aa24-a8599c7de1c6"
moonshot_realm_namespace = "dea5f26d-a013-4444-977d-d09fc990d2e6"
moonshot_coi_namespace = "145d7e7e-7d54-43ee-bbcb-3c6ad9428247"
34  
#  This policy generates a host-specific targeted ID
#
#  Only acts when the outer request carries GSS-Acceptor-Host-Name;
#  otherwise nothing is set. The result goes into outer.session-state,
#  not into the reply; presumably the outer post-auth copies it to the
#  reply — confirm in the outer virtual server.
#
moonshot_host_tid.post-auth {
        #  generate a UUID for Moonshot-Host-TargetedId
        #  targeted id = (uuid -v 5 [namespace] [username][salt][RP host name])@[IdP realm name]
        if (&outer.request:GSS-Acceptor-Host-Name) {
                #  The uuid binary is run through the "echo" module instance
                #  (an exec module, see mods-available/echo — confirm it is
                #  enabled). The name argument is the lower-cased user name,
                #  the salt and the lower-cased host name concatenated with no
                #  separator, so both user name and salt appear in the child's
                #  command line for as long as it runs.
                #  The regex accepts one non-space token plus optional trailing
                #  whitespace; any other output (an error, or a user name / host
                #  name containing spaces, if those survive escaping and split
                #  into extra arguments) leaves the attribute unset.
                if ("%{echo:/usr/bin/uuid -v 5 ${policy.moonshot_host_namespace} %{tolower:%{User-Name}}${policy.targeted_id_salt}%{tolower:%{outer.request:GSS-Acceptor-Host-Name}}}" =~ /^([^ ]+)([ ]*)$/) {
                        update outer.session-state {
                                #  %{1} is the UUID captured above; the realm
                                #  suffix is taken from the inner request.
                                Moonshot-Host-TargetedId := "%{1}@%{tolower:%{request:Realm}}"
                        }
                }
        }
}
#  This policy generates a realm-specific targeted ID
#
#  Only acts when the outer request carries GSS-Acceptor-Realm-Name;
#  otherwise nothing is set. The result goes into outer.session-state,
#  not into the reply; presumably the outer post-auth copies it to the
#  reply — confirm in the outer virtual server.
#
moonshot_realm_tid.post-auth {
        #  generate a UUID for Moonshot-Realm-TargetedId
        #  targeted id = (uuid -v 5 [namespace] [username][salt][RP realm name])@[IdP realm name]
        if (&outer.request:GSS-Acceptor-Realm-Name) {
                #  Runs uuid via the "echo" module instance (an exec module,
                #  see mods-available/echo — confirm it is enabled). The name
                #  argument is lower-cased user name + salt + lower-cased RP
                #  realm with no separator, so user name and salt are visible
                #  in the child's command line while it runs.
                #  The regex accepts one non-space token plus optional trailing
                #  whitespace; any other output leaves the attribute unset.
                if ("%{echo:/usr/bin/uuid -v 5 ${policy.moonshot_realm_namespace} %{tolower:%{User-Name}}${policy.targeted_id_salt}%{tolower:%{outer.request:GSS-Acceptor-Realm-Name}}}" =~ /^([^ ]+)([ ]*)$/) {
                        update outer.session-state {
                                #  %{1} is the UUID captured above; the realm
                                #  suffix is taken from the inner request.
                                Moonshot-Realm-TargetedId := "%{1}@%{tolower:%{request:Realm}}"
                        }
                }
        }
}
#  This policy generates a COI-specific targeted ID
#
#  Only acts when the outer request carries Trust-Router-COI; otherwise
#  nothing is set. The result goes into outer.session-state, not into the
#  reply; presumably the outer post-auth copies it to the reply — confirm
#  in the outer virtual server.
#
moonshot_coi_tid.post-auth {
        #  generate a UUID for Moonshot-TR-COI-TargetedId
        #  targeted id = (uuid -v 5 [namespace] [username][salt][RP COI name])@[IdP realm name]
        if (&outer.request:Trust-Router-COI) {
                #  Runs uuid via the "echo" module instance (an exec module,
                #  see mods-available/echo — confirm it is enabled). The name
                #  argument is lower-cased user name + salt + lower-cased COI
                #  with no separator, so user name and salt are visible in the
                #  child's command line while it runs.
                #  The regex accepts one non-space token plus optional trailing
                #  whitespace; any other output leaves the attribute unset.
                if ("%{echo:/usr/bin/uuid -v 5 ${policy.moonshot_coi_namespace} %{tolower:%{User-Name}}${policy.targeted_id_salt}%{tolower:%{outer.request:Trust-Router-COI}}}" =~ /^([^ ]+)([ ]*)$/) {
                        update outer.session-state {
                                #  %{1} is the UUID captured above; the realm
                                #  suffix is taken from the inner request.
                                Moonshot-TR-COI-TargetedId := "%{1}@%{tolower:%{request:Realm}}"
                        }
                }
        }
}