/etc/freeradius/3.0/policy.d/abfab-tr is in freeradius-config 3.0.12+dfsg-5+deb9u1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
#
# ABFAB Trust router policies.
#
# $Id: 87d01a5e71df1dbf548c4215e50e2ee271d0a83c $
#
#
# Verify rp parameters
#
psk_authorize {
	#
	# Only applies when the RP authenticated with a TLS pre-shared key,
	# i.e. when &TLS-PSK-Identity was set from the handshake.  Requests
	# without it fall straight through this policy.
	#
	if (&TLS-PSK-Identity) {
		# TODO: may need to check trust-router-apc as well
		#
		# Look the RP up in the authorizations_keys table through the
		# "psksql" module xlat.  The row must match the presented PSK
		# identity AND the request's Trust-Router-COI, GSS-Acceptor-Realm-Name
		# and GSS-Acceptor-Host-Name.  The request attribute is on the
		# LEFT of each LIKE, so the wildcard patterns come from the
		# database columns (coi, acceptor_realm, hostname), not from the
		# request.
		#
		# NOTE(review): the attribute values are interpolated into the
		# query text; quoting them safely relies on the psksql module's
		# escape function for nested expansions (its safe_characters
		# setting).  Confirm that configuration rather than assuming the
		# values cannot break out of the single quotes.
		#
		if ("%{psksql:select distinct keyid from authorizations_keys where keyid = '%{tls-psk-identity}' and '%{trust-router-coi}' like coi and '%{gss-acceptor-realm-name}' like acceptor_realm and '%{gss-acceptor-host-name}' like hostname;}") {
			# A matching row was found: the RP is authorized for this
			# COI / realm / host combination.  Nothing further is done
			# here (original placeholder: "do things here").
		}
		else {
			# No matching row (the expansion is empty): the RP is not
			# authorized for this ABFAB request, so reject it with a
			# Reply-Message explaining why.
			update reply {
				Reply-Message = "RP not authorized for this ABFAB request"
			}
			reject
		}
	}
}
abfab_client_check {
	#
	# Cross-check the RP's request against its client definition
	# (the "client:" attributes), and pin the COI / acceptor realm to
	# the administratively configured values.
	#
	# check that the acceptor host name is correct
	#
	# Only enforced when BOTH the client definition sets
	# gss_acceptor_host_name AND the request carries
	# GSS-Acceptor-Host-Name.  If either is absent the comparison is
	# skipped and the request continues, so a client entry without
	# gss_acceptor_host_name is not host-name checked here.
	#
	if ("%{client:gss_acceptor_host_name}" && &gss-acceptor-host-name) {
		if ("%{client:gss_acceptor_host_name}" != "%{gss-acceptor-host-name}") {
			# The RP claimed a host name other than the one configured
			# for it: reject.
			update reply {
				Reply-Message = "GSS-Acceptor-Host-Name incorrect"
			}
			reject
		}
	}
	# set trust-router-coi attribute from the client configuration
	#
	# ":=" overwrites any Trust-Router-COI the request already carried,
	# so the configured value always wins.  When the client definition
	# has no trust_router_coi the request's own value (if any) is left
	# untouched.
	#
	if ("%{client:trust_router_coi}") {
		update request {
			Trust-Router-COI := "%{client:trust_router_coi}"
		}
	}
	# set gss-acceptor-realm-name attribute from the client configuration
	#
	# Same overwrite semantics as Trust-Router-COI above: the configured
	# realm replaces whatever the request supplied, when configured.
	#
	if ("%{client:gss_acceptor_realm_name}") {
		update request {
			GSS-Acceptor-Realm-Name := "%{client:gss_acceptor_realm_name}"
		}
	}
}
# A policy which is used to validate channel-bindings.
#
abfab_channel_bindings {
	#
	# Compare the GSS-Acceptor-* attributes carried in the inner
	# (tunnelled) request against those of the outer request
	# (&outer.request:...).  Each attribute is checked only if the
	# inner request has it; a mismatch on any of them rejects.
	#
	# NOTE(review): &outer.request only makes sense when this policy
	# runs from an inner tunnel (e.g. an EAP inner method) — confirm
	# where it is called from.
	#
	if (&GSS-Acceptor-Service-Name && (&outer.request:GSS-Acceptor-Service-Name != &GSS-Acceptor-Service-Name)) {
		reject
	}
	if (&GSS-Acceptor-Host-Name && &outer.request:GSS-Acceptor-Host-Name != &GSS-Acceptor-Host-Name ) {
		reject
	}
	if (&GSS-Acceptor-Realm-Name && &outer.request:GSS-Acceptor-Realm-Name != &GSS-Acceptor-Realm-Name ) {
		reject
	}
	#
	# At least one binding attribute was present and all present ones
	# matched: record success in the control list and echo the
	# attributes back.  If the inner request carried none of them,
	# nothing is compared, no response code is set, and the policy
	# still returns "handled" below.
	#
	if (&GSS-Acceptor-Service-Name || &GSS-Acceptor-Realm-Name || &GSS-Acceptor-Host-Name) {
		update control {
			&Chbind-Response-Code := success
		}
		#
		# ACK the attributes in the request.
		#
		# If any one of these attributes don't exist in the request,
		# then they won't be copied to the reply.
		#
		update reply {
			&GSS-Acceptor-Service-Name = &GSS-Acceptor-Service-Name
			&GSS-Acceptor-Host-Name = &GSS-Acceptor-Host-Name
			&GSS-Acceptor-Realm-Name = &GSS-Acceptor-Realm-Name
		}
	}
	#
	# Return "handled" so that the "authenticate" section isn't used.
	#
	handled
}