2 # The following policies generate targeted IDs for ABFAB (Moonshot)
4 # These policies require that the UUID package is installed on your platform
5 # and that they are called from the inner-tunnel
7 # The following string attributes need to exist in the UKERNA dictionary
8 # Moonshot-Host-TargetedId (138)
9 # Moonshot-Realm-TargetedId (139)
10 # Moonshot-TR-COI-TargetedId (140)
12 # These attributes should also be listed in the attr_filter policies
13 # post-proxy and pre-proxy when you use attribute filtering:
14 # Moonshot-Host-TargetedId =* ANY,
15 # Moonshot-Realm-TargetedId =* ANY,
16 # Moonshot-TR-COI-TargetedId =* ANY,
20 # targeted_id_salt definition
21 # This salt protects targeted IDs against dictionary attacks (recovering
22 # a user name from a known targeted ID), so it should be chosen as a
23 # random string and kept secret.
25 # If the salt contains the special characters %, { or }, escape each of them with a \ first
# 'changeme' is a placeholder, not a secret. Replace it before these policies
# are used: with the default salt and the fixed namespaces below, anyone who
# knows a user name and the RP host/realm/COI name can recompute the ID.
27 targeted_id_salt = 'changeme'
31 # These namespaces are used for UUID generation.
32 # They should not be changed by implementors
# Fixed UUID v5 namespaces, one per targeted-ID type. Each one is passed to
# "uuid -v 5" as the namespace argument in the policies below, so changing a
# namespace changes every ID of that type that this IdP issues.
34 moonshot_host_namespace = 'a574a04e-b7ff-4850-aa24-a8599c7de1c6'
35 moonshot_realm_namespace = 'dea5f26d-a013-4444-977d-d09fc990d2e6'
36 moonshot_coi_namespace = '145d7e7e-7d54-43ee-bbcb-3c6ad9428247'
38 # This policy generates a host-specific targeted ID
# Purpose: set Moonshot-Host-TargetedId in outer.session-state, derived from
# the inner User-Name, the secret salt and the acceptor's host name, so the RP
# receives a stable per-host pseudonym rather than the user name itself.
40 moonshot_host_tid.post-auth {
41 # generate a UUID for Moonshot-Host-TargetedId
42 # targeted id = (uuid -v 5 [namespace] [username][salt][RP host name])@[IdP realm name]
# Only act when the outer request carries an acceptor host name; otherwise no
# host-specific ID is produced and session-state is left untouched.
43 if (&outer.request:GSS-Acceptor-Host-Name) {
# The UUID is computed by running /usr/bin/uuid with a name argument built
# from attribute values and the salt. Risk note: the salt therefore appears on
# the command line of that process and may be visible to other local users
# while it runs. The match on /^([^ ]+)([ ]*)$/ captures a single
# space-free token of output and rejects anything else (e.g. an error
# message, or output broken up by whitespace in an input value).
# NOTE(review): any escaping of the expanded values before exec is governed
# by the exec/echo module configuration, not by this policy — confirm.
44 if ("%{echo:/usr/bin/uuid -v 5 ${policy.moonshot_host_namespace} %{tolower:%{User-Name}}${policy.targeted_id_salt}%{tolower:%{outer.request:GSS-Acceptor-Host-Name}}}" =~ /^([^ ]+)([ ]*)$/) {
45 update outer.session-state {
# The realm is lower-cased before it is appended, as the other inputs were.
46 Moonshot-Host-TargetedId := "%{1}@%{tolower:%{request:Realm}}"
# A literal %, { or } in the stored value means a template reference (most
# likely an unescaped salt) did not expand. The ID is removed rather than sent
# with the raw template in it, and the failure is recorded for the operator.
48 if (&outer.session-state:Moonshot-Host-TargetedId =~ /([\%\{\}]+)/) {
49 update outer.session-state {
50 Moonshot-Host-TargetedId !* ANY
51 Module-Failure-Message = 'Invalid Moonshot-Host-TargetedId, check your targeted_id_salt!'
58 # This policy generates a realm-specific targeted ID
# Purpose: set Moonshot-Realm-TargetedId in outer.session-state, derived from
# the inner User-Name, the secret salt and the acceptor's realm name, so the RP
# realm receives a stable pseudonym rather than the user name itself.
60 moonshot_realm_tid.post-auth {
61 # generate a UUID for Moonshot-Realm-TargetedId
62 # targeted id = (uuid -v 5 [namespace] [username][salt][RP realm name])@[IdP realm name]
# Only act when the outer request carries an acceptor realm name; otherwise no
# realm-specific ID is produced and session-state is left untouched.
63 if (&outer.request:GSS-Acceptor-Realm-Name) {
# The UUID is computed by running /usr/bin/uuid with a name argument built
# from attribute values and the salt. Risk note: the salt therefore appears on
# the command line of that process and may be visible to other local users
# while it runs. The match on /^([^ ]+)([ ]*)$/ captures a single
# space-free token of output and rejects anything else (e.g. an error
# message, or output broken up by whitespace in an input value).
# NOTE(review): any escaping of the expanded values before exec is governed
# by the exec/echo module configuration, not by this policy — confirm.
64 if ("%{echo:/usr/bin/uuid -v 5 ${policy.moonshot_realm_namespace} %{tolower:%{User-Name}}${policy.targeted_id_salt}%{tolower:%{outer.request:GSS-Acceptor-Realm-Name}}}" =~ /^([^ ]+)([ ]*)$/) {
65 update outer.session-state {
# The realm is lower-cased before it is appended, as the other inputs were.
66 Moonshot-Realm-TargetedId := "%{1}@%{tolower:%{request:Realm}}"
# A literal %, { or } in the stored value means a template reference (most
# likely an unescaped salt) did not expand. The ID is removed rather than sent
# with the raw template in it, and the failure is recorded for the operator.
68 if (&outer.session-state:Moonshot-Realm-TargetedId =~ /([\%\{\}]+)/) {
69 update outer.session-state {
70 Moonshot-Realm-TargetedId !* ANY
71 Module-Failure-Message = 'Invalid Moonshot-Realm-TargetedId, check your targeted_id_salt!'
78 # This policy generates a COI-specific targeted ID
# Purpose: set Moonshot-TR-COI-TargetedId in outer.session-state, derived from
# the inner User-Name, the secret salt and the Trust Router COI name, so the
# COI receives a stable pseudonym rather than the user name itself.
80 moonshot_coi_tid.post-auth {
81 # generate a UUID for Moonshot-TR-COI-TargetedId
82 # targeted id = (uuid -v 5 [namespace] [username][salt][RP COI name])@[IdP realm name]
# Only act when the outer request carries a COI name; otherwise no
# COI-specific ID is produced and session-state is left untouched.
83 if (&outer.request:Trust-Router-COI) {
# The UUID is computed by running /usr/bin/uuid with a name argument built
# from attribute values and the salt. Risk note: the salt therefore appears on
# the command line of that process and may be visible to other local users
# while it runs. The match on /^([^ ]+)([ ]*)$/ captures a single
# space-free token of output and rejects anything else (e.g. an error
# message, or output broken up by whitespace in an input value).
# NOTE(review): any escaping of the expanded values before exec is governed
# by the exec/echo module configuration, not by this policy — confirm.
84 if ("%{echo:/usr/bin/uuid -v 5 ${policy.moonshot_coi_namespace} %{tolower:%{User-Name}}${policy.targeted_id_salt}%{tolower:%{outer.request:Trust-Router-COI}}}" =~ /^([^ ]+)([ ]*)$/) {
85 update outer.session-state {
# The realm is lower-cased before it is appended, as the other inputs were.
86 Moonshot-TR-COI-TargetedId := "%{1}@%{tolower:%{request:Realm}}"
# A literal %, { or } in the stored value means a template reference (most
# likely an unescaped salt) did not expand. The ID is removed rather than sent
# with the raw template in it, and the failure is recorded for the operator.
88 if (&outer.session-state:Moonshot-TR-COI-TargetedId =~ /([\%\{\}]+)/) {
89 update outer.session-state {
90 Moonshot-TR-COI-TargetedId !* ANY
91 Module-Failure-Message = 'Invalid Moonshot-TR-COI-TargetedId, check your targeted_id_salt!'