2 # The following policies generate targeted IDs for ABFAB (Moonshot)
4 # These policies require that the UUID package is installed on your platform
5 # and that they are called from the inner-tunnel
7 # The following string attributes need to exist in the UKERNA dictionary
8 # Moonshot-Host-TargetedId (138)
9 # Moonshot-Realm-TargetedId (139)
10 # Moonshot-TR-COI-TargetedId (140)
11 # Moonshot-MSTID-GSS-Acceptor (141)
12 # Moonshot-MSTID-Namespace (142)
13 # Moonshot-MSTID-TargetedId (143)
15 # These attributes should also be listed in the attr_filter policies
16 # post-proxy and pre-proxy when you use attribute filtering:
17 # Moonshot-Host-TargetedId =* ANY,
18 # Moonshot-Realm-TargetedId =* ANY,
19 # Moonshot-TR-COI-TargetedId =* ANY,
23 # targeted_id_salt definition
24 # This salt protects targeted IDs against dictionary attacks, so it
25 # should be chosen as a "random" string and kept secret.
28 # If you use special characters %, { and }, escape them with a \ first
30 targeted_id_salt = 'changeme'
34 # These namespaces are used for UUID generation.
35 # They should not be changed by implementors
37 moonshot_host_namespace = 'a574a04e-b7ff-4850-aa24-a8599c7de1c6'
38 moonshot_realm_namespace = 'dea5f26d-a013-4444-977d-d09fc990d2e6'
39 moonshot_coi_namespace = '145d7e7e-7d54-43ee-bbcb-3c6ad9428247'
42 # This policy generates a host-specific TargetedId
44 moonshot_host_tid.post-auth {
45 # retrieve or generate a UUID for Moonshot-Host-TargetedId
46 if (&outer.request:GSS-Acceptor-Host-Name) {
47 # prep some variables (used regardless of SQL backing or not!)
49 Moonshot-MSTID-GSS-Acceptor := "%{tolower:%{outer.request:GSS-Acceptor-Host-Name}}"
50 Moonshot-MSTID-Namespace := "${policy.moonshot_host_namespace}"
53 # if you want to use SQL-based backing, remove the comment from
54 # this line. You also have to configure and enable the
55 # moonshot-targeted-ids sql module in mods-enabled.
57 # moonshot_get_targeted_id
59 # generate a UUID for Moonshot-Host-TargetedId
60 if (!&control:Moonshot-MSTID-TargetedId) {
62 moonshot_make_targeted_id
64 # if you want to store your TargetedId in SQL-based backing,
65 # remove the comment from this line. You also have to configure
66 # and enable the moonshot-targeted-ids sql module in mods-enabled.
71 # set the actual TargetedId in the session-state list
72 if (&control:Moonshot-MSTID-TargetedId) {
73 update outer.session-state {
74 Moonshot-Host-TargetedId := &control:Moonshot-MSTID-TargetedId
77 Moonshot-MSTID-TargetedId !* ANY
83 # This policy generates a realm-specific TargetedId
85 moonshot_realm_tid.post-auth {
86 # retrieve or generate a UUID for Moonshot-Realm-TargetedId
87 if (&outer.request:GSS-Acceptor-Realm-Name) {
88 # prep some variables (used regardless of SQL backing or not!)
90 Moonshot-MSTID-GSS-Acceptor := "%{tolower:%{outer.request:GSS-Acceptor-Realm-Name}}"
91 Moonshot-MSTID-Namespace := "${policy.moonshot_realm_namespace}"
94 # if you want to use SQL-based backing, remove the comment from
95 # this line. You also have to configure and enable the
96 # moonshot-targeted-ids sql module in mods-enabled.
98 # moonshot_get_targeted_id
100 # generate a UUID for Moonshot-Realm-TargetedId
101 if (!&control:Moonshot-MSTID-TargetedId) {
103 moonshot_make_targeted_id
105 # if you want to store your TargetedId in SQL-based backing,
106 # remove the comment from this line. You also have to configure
107 # and enable the moonshot-targeted-ids sql module in mods-enabled.
112 # set the actual TargetedId in the session-state list
113 if (&control:Moonshot-MSTID-TargetedId) {
114 update outer.session-state {
115 Moonshot-Realm-TargetedId := &control:Moonshot-MSTID-TargetedId
118 Moonshot-MSTID-TargetedId !* ANY
124 # This policy generates a COI-specific targeted ID
126 moonshot_coi_tid.post-auth {
127 # retrieve or generate a UUID for Moonshot-TR-COI-TargetedId
128 if (&outer.request:Trust-Router-COI) {
129 # prep some variables (used regardless of SQL backing or not!)
131 Moonshot-MSTID-GSS-Acceptor := "%{tolower:%{outer.request:Trust-Router-COI}}"
132 Moonshot-MSTID-Namespace := "${policy.moonshot_coi_namespace}"
135 # if you want to use SQL-based backing, remove the comment from
136 # this line. You also have to configure and enable the
137 # moonshot-targeted-ids sql module in mods-enabled.
139 # moonshot_get_targeted_id
141 # generate a UUID for Moonshot-TR-COI-TargetedId
142 if (!&control:Moonshot-MSTID-TargetedId) {
144 moonshot_make_targeted_id
146 # if you want to store your TargetedId in SQL-based backing,
147 # remove the comment from this line. You also have to configure
148 # and enable the moonshot-targeted-ids sql module in mods-enabled.
153 # set the actual TargetedId in the session-state list
154 if (&control:Moonshot-MSTID-TargetedId) {
155 update outer.session-state {
156 Moonshot-TR-COI-TargetedId := &control:Moonshot-MSTID-TargetedId
159 Moonshot-MSTID-TargetedId !* ANY
165 # This is the generic generation policy. It requires moonshot_host_tid, moonshot_realm_tid, or moonshot_coi_tid to set variables
167 moonshot_make_targeted_id.post-auth {
168 # uses variables set in the control list
170 if (&control:Moonshot-MSTID-Namespace && &control:Moonshot-MSTID-GSS-Acceptor) {
171 # targeted id = (uuid -v 5 [namespace] [username][salt][GSS acceptor value])@[IdP realm name]
173 if ("%{echo:/usr/bin/uuid -v 5 %{control:Moonshot-MSTID-Namespace} %{tolower:%{User-Name}}${policy.targeted_id_salt}%{control:Moonshot-MSTID-GSS-Acceptor}}" =~ /^([^ ]+)([ ]*)$/) {
175 Moonshot-MSTID-TargetedId := "%{1}@%{tolower:%{request:Realm}}"
177 if (&control:Moonshot-MSTID-TargetedId =~ /([\%\{\}]+)/) {
179 Moonshot-MSTID-TargetedId !* ANY
181 update outer.session-state {
182 Module-Failure-Message = 'Invalid TargetedId generated, check your targeted_id_salt!'
188 # otherwise the 'echo' error message is returned as the Module-Failure-Message; usually this means 'uuid' is not installed
193 # Our variables were not set, so we'll throw an error because there's no point in continuing!
194 update outer.session-state {
195 Module-Failure-Message = 'Required variables for moonshot_make_targeted_id not set!'
201 # This is the generic SQL retrieval policy. It requires moonshot_host_tid, moonshot_realm_tid, or moonshot_coi_tid to set variables
203 moonshot_get_targeted_id.post-auth {
204 # uses variables set in the control list
206 if (&control:Moonshot-MSTID-Namespace && &control:Moonshot-MSTID-GSS-Acceptor) {
207 # retrieve the TargetedId
210 Moonshot-MSTID-TargetedId := "%{moonshot_tid_sql:\
211 SELECT targeted_id FROM `moonshot-targeted-ids` \
212 WHERE gss_acceptor = '%{control:Moonshot-MSTID-GSS-Acceptor}' \
213 AND namespace = '%{control:Moonshot-MSTID-Namespace}' \
214 AND username = '%{tolower:%{User-Name}}'}"
217 # if the value is empty, there's no point in setting it and delete it from the control list!
218 if (&control:Moonshot-MSTID-TargetedId == '') {
220 Moonshot-MSTID-TargetedId !* ANY
225 # Our variables were not set, so we'll throw an error because there's no point in continuing!
226 update outer.session-state {
227 Module-Failure-Message = 'Required variables for moonshot_get_targeted_id not set!'