1 #
2 #  The following policies generate targeted IDs for ABFAB (Moonshot)
3 #
4 #  This policy requires that the UUID package is installed on your platform
5 #  and that this is called from the inner-tunnel
6 #
7 #  The following string attributes need to exist in the UKERNA dictionary
8 #  Moonshot-Host-TargetedId (138)
9 #  Moonshot-Realm-TargetedId (139)
10 #  Moonshot-TR-COI-TargetedId (140)
11 #  Moonshot-MSTID-GSS-Acceptor (141)
12 #  Moonshot-MSTID-Namespace (142)
13 #  Moonshot-MSTID-TargetedId (143)
14 #
15 #  These attributes should also be listed in the attr_filter policies
16 #  post-proxy and pre-proxy when you use attribute filtering:
17 #       Moonshot-Host-TargetedId =* ANY,
18 #       Moonshot-Realm-TargetedId =* ANY,
19 #       Moonshot-TR-COI-TargetedId =* ANY,
20 #
21  
#
#  targeted_id_salt definition
#  This salt serves the purpose of protecting targeted IDs against
#  dictionary attacks, therefore should be chosen as a "random"
#  string and kept secret.
#
#  If you use special characters %, { and }, escape them with a \ first
#
#  NOTE(review): 'changeme' is a placeholder, not a secret; replace it
#  before deployment. The salt is concatenated into the command line that
#  moonshot_make_targeted_id hands to /usr/bin/uuid (see the %{echo:...}
#  expansion below), so while that command runs the salt is visible in the
#  process argument list of the server host. Keep this file unreadable to
#  other local users.
#
targeted_id_salt = 'changeme'

#
#  Moonshot namespaces
#  These namespaces are used for UUID generation (the namespace argument
#  to "uuid -v 5" below). They are an input to every TargetedId computed
#  here, so changing them changes the IDs issued to every user.
#  They should not be changed by implementors
#
moonshot_host_namespace = 'a574a04e-b7ff-4850-aa24-a8599c7de1c6'
moonshot_realm_namespace = 'dea5f26d-a013-4444-977d-d09fc990d2e6'
moonshot_coi_namespace = '145d7e7e-7d54-43ee-bbcb-3c6ad9428247'
40
41
#  This policy generates a host-specific TargetedId for the GSS acceptor
#  named in the outer request and publishes it in the outer session-state
#  list as Moonshot-Host-TargetedId. It must run from the inner tunnel:
#  every "outer." reference below is to the outer request. When
#  GSS-Acceptor-Host-Name is absent the policy does nothing.
#
moonshot_host_tid.post-auth {
        #  retrieve or generate a UUID for Moonshot-Host-TargetedId
        if (&outer.request:GSS-Acceptor-Host-Name) {
                #  prep some variables (used regardless of SQL backing or not!)
                #  The acceptor name is lower-cased so the resulting ID does not
                #  depend on the case the client sent; the namespace selects the
                #  "host" flavour of the ID.
                update control {
                        Moonshot-MSTID-GSS-Acceptor := "%{tolower:%{outer.request:GSS-Acceptor-Host-Name}}"
                        Moonshot-MSTID-Namespace := "${policy.moonshot_host_namespace}"
                }

                #  if you want to use SQL-based backing, remove the comment from
                #  this line. You also have to configure and enable the
                #  moonshot-targeted-ids sql module in mods-enabled.
                #
#               moonshot_get_targeted_id

                #  generate a UUID for Moonshot-Host-TargetedId, unless the
                #  (optional) SQL lookup above already provided one
                if (!&control:Moonshot-MSTID-TargetedId) {
                        #  generate the TID
                        moonshot_make_targeted_id

                        #  if you want to store your TargetedId in SQL-based backing,
                        #  remove the comment from this line. You also have to configure
                        #  and enable the moonshot-targeted-ids sql module in mods-enabled.
                        #
#                       moonshot_tid_sql
                }

                #  set the actual TargetedId in the session-state list
                if (&control:Moonshot-MSTID-TargetedId) {
                        update outer.session-state {
                                Moonshot-Host-TargetedId := &control:Moonshot-MSTID-TargetedId
                        }
                        #  Clear the scratch attribute: the other moonshot_*_tid
                        #  policies test the same control attribute and would
                        #  otherwise reuse this value instead of generating their
                        #  own. Moonshot-MSTID-GSS-Acceptor and -Namespace are
                        #  left in place; the next policy overwrites them with :=.
                        update control {
                                Moonshot-MSTID-TargetedId !* ANY
                        }
                }
        }
}
82
#  This policy generates a realm-specific TargetedId for the GSS acceptor
#  realm named in the outer request and publishes it in the outer
#  session-state list as Moonshot-Realm-TargetedId. It must run from the
#  inner tunnel: every "outer." reference below is to the outer request.
#  When GSS-Acceptor-Realm-Name is absent the policy does nothing.
#
moonshot_realm_tid.post-auth {
        #  retrieve or generate a UUID for Moonshot-Realm-TargetedId
        if (&outer.request:GSS-Acceptor-Realm-Name) {
                #  prep some variables (used regardless of SQL backing or not!)
                #  The realm name is lower-cased so the resulting ID does not
                #  depend on the case the client sent; the namespace selects the
                #  "realm" flavour of the ID.
                update control {
                        Moonshot-MSTID-GSS-Acceptor := "%{tolower:%{outer.request:GSS-Acceptor-Realm-Name}}"
                        Moonshot-MSTID-Namespace := "${policy.moonshot_realm_namespace}"
                }

                #  if you want to use SQL-based backing, remove the comment from
                #  this line. You also have to configure and enable the
                #  moonshot-targeted-ids sql module in mods-enabled.
                #
#               moonshot_get_targeted_id

                #  generate a UUID for Moonshot-Realm-TargetedId, unless the
                #  (optional) SQL lookup above already provided one
                if (!&control:Moonshot-MSTID-TargetedId) {
                        #  generate the TID
                        moonshot_make_targeted_id

                        #  if you want to store your TargetedId in SQL-based backing,
                        #  remove the comment from this line. You also have to configure
                        #  and enable the moonshot-targeted-ids sql module in mods-enabled.
                        #
#                       moonshot_tid_sql
                }

                #  set the actual TargetedId in the session-state list
                if (&control:Moonshot-MSTID-TargetedId) {
                        update outer.session-state {
                                Moonshot-Realm-TargetedId := &control:Moonshot-MSTID-TargetedId
                        }
                        #  Clear the scratch attribute: the other moonshot_*_tid
                        #  policies test the same control attribute and would
                        #  otherwise reuse this value instead of generating their
                        #  own. Moonshot-MSTID-GSS-Acceptor and -Namespace are
                        #  left in place; the next policy overwrites them with :=.
                        update control {
                                Moonshot-MSTID-TargetedId !* ANY
                        }
                }
        }
}
123
#  This policy generates a COI-specific targeted ID for the Trust Router
#  community of interest named in the outer request and publishes it in
#  the outer session-state list as Moonshot-TR-COI-TargetedId. It must run
#  from the inner tunnel: every "outer." reference below is to the outer
#  request. When Trust-Router-COI is absent the policy does nothing.
#
moonshot_coi_tid.post-auth {
        #  retrieve or generate a UUID for Moonshot-TR-COI-TargetedId
        if (&outer.request:Trust-Router-COI) {
                #  prep some variables (used regardless of SQL backing or not!)
                #  The COI name is lower-cased so the resulting ID does not
                #  depend on the case the client sent; the namespace selects the
                #  "COI" flavour of the ID.
                update control {
                        Moonshot-MSTID-GSS-Acceptor := "%{tolower:%{outer.request:Trust-Router-COI}}"
                        Moonshot-MSTID-Namespace := "${policy.moonshot_coi_namespace}"
                }

                #  if you want to use SQL-based backing, remove the comment from
                #  this line. You also have to configure and enable the
                #  moonshot-targeted-ids sql module in mods-enabled.
                #
#               moonshot_get_targeted_id

                #  generate a UUID for Moonshot-TR-COI-TargetedId, unless the
                #  (optional) SQL lookup above already provided one
                if (!&control:Moonshot-MSTID-TargetedId) {
                        #  generate the TID
                        moonshot_make_targeted_id

                        #  if you want to store your TargetedId in SQL-based backing,
                        #  remove the comment from this line. You also have to configure
                        #  and enable the moonshot-targeted-ids sql module in mods-enabled.
                        #
#                       moonshot_tid_sql
                }

                #  set the actual TargetedId in the session-state list
                if (&control:Moonshot-MSTID-TargetedId) {
                        update outer.session-state {
                                Moonshot-TR-COI-TargetedId := &control:Moonshot-MSTID-TargetedId
                        }
                        #  Clear the scratch attribute: the other moonshot_*_tid
                        #  policies test the same control attribute and would
                        #  otherwise reuse this value instead of generating their
                        #  own. Moonshot-MSTID-GSS-Acceptor and -Namespace are
                        #  left in place; the next policy overwrites them with :=.
                        update control {
                                Moonshot-MSTID-TargetedId !* ANY
                        }
                }
        }
}
164
#  This is the generic generation policy. It requires moonshot_host_tid,
#  moonshot_realm_tid, or moonshot_coi_tid to set variables in the control
#  list first (Moonshot-MSTID-Namespace and Moonshot-MSTID-GSS-Acceptor).
#  On success the new ID is left in &control:Moonshot-MSTID-TargetedId; on
#  every failure path the request is rejected, with the reason recorded in
#  Module-Failure-Message in the outer session-state list.
#
moonshot_make_targeted_id.post-auth {
        #  uses variables set in the control list
        #
        if (&control:Moonshot-MSTID-Namespace && &control:Moonshot-MSTID-GSS-Acceptor) {
                #  targeted id = (uuid -v 5 [namespace] [username][salt][GSS acceptor value])@[IdP realm name]
                #
                #  The name hashed by "uuid -v 5" is the lower-cased User-Name,
                #  targeted_id_salt and the acceptor value concatenated with no
                #  delimiter between them.
                #  NOTE(review): the whole expanded string, salt included, is passed
                #  to /usr/bin/uuid as command-line arguments and is therefore
                #  visible in the process list while that command runs.
                #  NOTE(review): as far as I know the echo/exec expansion runs the
                #  program directly rather than through a shell, so shell syntax in
                #  User-Name is not interpreted - confirm for the installed version.
                #  Whitespace in User-Name or the salt would, however, split the
                #  string into extra arguments; what uuid does with those is worth
                #  confirming as well.
                #  The regex accepts exactly one non-space token (the UUID) with
                #  optional trailing spaces and captures it as %{1}; anything else
                #  (including an error from echo) falls through to the reject below.
                if ("%{echo:/usr/bin/uuid -v 5 %{control:Moonshot-MSTID-Namespace} %{tolower:%{User-Name}}${policy.targeted_id_salt}%{control:Moonshot-MSTID-GSS-Acceptor}}" =~ /^([^ ]+)([ ]*)$/) {
                        #  The realm is lower-cased as well. If &request:Realm is
                        #  not set its expansion is empty and the ID ends in a bare "@".
                        update control {
                                Moonshot-MSTID-TargetedId := "%{1}@%{tolower:%{request:Realm}}"
                        }
                        #  A '%', '{' or '}' in the result is taken as a sign that
                        #  the expansion did not complete cleanly (the error text
                        #  points at targeted_id_salt, whose special characters must
                        #  be escaped - see the top of this file): discard the value
                        #  and reject rather than hand out a malformed ID.
                        if (&control:Moonshot-MSTID-TargetedId =~ /([\%\{\}]+)/) {
                                update control {
                                        Moonshot-MSTID-TargetedId !* ANY
                                }
                                update outer.session-state {
                                        Module-Failure-Message = 'Invalid TargetedId generated, check your targeted_id_salt!'
                                }
                                reject
                        }
                }
                else {
                        #  we simply return the 'echo' error message as the Module-Failure-Message, usually a lack of 'uuid'
                        reject
                }
        }
        else {
                #  Our variables were not set, so we'll throw an error because there's no point in continuing!
                update outer.session-state {
                        Module-Failure-Message = 'Required variables for moonshot_make_targeted_id not set!'
                }
                reject
        }
}
200
#  This is the generic retrieval policy, the SQL-backed counterpart of
#  moonshot_make_targeted_id. It requires moonshot_host_tid,
#  moonshot_realm_tid, or moonshot_coi_tid to set variables in the control
#  list first. A previously stored ID is placed in
#  &control:Moonshot-MSTID-TargetedId; when nothing is stored the attribute
#  is left unset so that the caller falls through to
#  moonshot_make_targeted_id.
#
moonshot_get_targeted_id.post-auth {
        #  uses variables set in the control list
        #
        if (&control:Moonshot-MSTID-Namespace && &control:Moonshot-MSTID-GSS-Acceptor) {
                #  retrieve the TargetedId
                #
                #  The query runs through the "moonshot_tid_sql" sql module instance
                #  (backtick-quoted table name, i.e. MySQL-style syntax). The lookup
                #  key is (acceptor, namespace, lower-cased User-Name) - the same
                #  inputs moonshot_make_targeted_id hashes, so lookup and generation
                #  agree on the identity.
                #  NOTE(review): the acceptor value and User-Name are interpolated
                #  into the SQL text. As I understand rlm_sql, values expanded inside
                #  an SQL xlat go through the module's escape function
                #  (safe_characters), so this is not raw string concatenation - but
                #  that protection is only as good as the safe_characters setting of
                #  the moonshot-targeted-ids instance; confirm it is not relaxed.
                update control {
                        Moonshot-MSTID-TargetedId := "%{moonshot_tid_sql:\
                                SELECT targeted_id FROM `moonshot-targeted-ids` \
                                WHERE gss_acceptor = '%{control:Moonshot-MSTID-GSS-Acceptor}' \
                                AND namespace = '%{control:Moonshot-MSTID-Namespace}' \
                                AND username = '%{tolower:%{User-Name}}'}"
                }

                #  if the value is empty, there's no point in setting it and delete it from the control list!
                #  (An empty attribute would otherwise count as present in the
                #  callers' "if (!&control:Moonshot-MSTID-TargetedId)" test and
                #  suppress generation.)
                if (&control:Moonshot-MSTID-TargetedId == '') {
                        update control {
                                Moonshot-MSTID-TargetedId !* ANY
                        }
                }
        }
        else {
                #  Our variables were not set, so we'll throw an error because there's no point in continuing!
                update outer.session-state {
                        Module-Failure-Message = 'Required variables for moonshot_get_targeted_id not set!'
                }
                reject
        }
}
231 }