freeradius-config 3.0.12+dfsg-5+deb9u1 / etc / freeradius / 3.0 / policy.d / moonshot-targeted-ids

This file is indexed.

/etc/freeradius/3.0/policy.d/moonshot-targeted-ids is in freeradius-config 3.0.12+dfsg-5+deb9u1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below. 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
#
#  The following policies generate targeted IDs for ABFAB (Moonshot)
#
#  This policy requires that the UUID package is installed on your platform
#  and that this is called from the inner-tunnel
#
#  The following string attributes need to exist in the UKERNA dictionary
#  Moonshot-Host-TargetedId (138)
#  Moonshot-Realm-TargetedId (139)
#  Moonshot-TR-COI-TargetedId (140)
#
#  These attributes should also be listed in the attr_filter policies
#  post-proxy and pre-proxy when you use attribute filtering:
#       Moonshot-Host-TargetedId =* ANY,
#       Moonshot-Realm-TargetedId =* ANY,
#       Moonshot-TR-COI-TargetedId =* ANY,
#
 
#
#  targeted_id_salt definition
#  This salt serves the purpose of protecting targeted IDs against
#  dictionary attacks, therefore should be chosen as a "random"
#  string and kept secret.
#
targeted_id_salt = "changeme"
#
#  Moonshot namespaces
#  These namespaces are used for UUID generation.
#  They should not be changed by implementors
#
moonshot_host_namespace = "a574a04e-b7ff-4850-aa24-a8599c7de1c6"
moonshot_realm_namespace = "dea5f26d-a013-4444-977d-d09fc990d2e6"
moonshot_coi_namespace = "145d7e7e-7d54-43ee-bbcb-3c6ad9428247"
 
#  This policy generates a host-specific targeted ID
#
moonshot_host_tid.post-auth {
	#  generate a UUID for Moonshot-Host-TargetedId
	#  targeted id = (uuid -v 5 [namespace] [username][salt][RP host name])@[IdP realm name]
	if (&outer.request:GSS-Acceptor-Host-Name) {
		if ("%{echo:/usr/bin/uuid -v 5 ${policy.moonshot_host_namespace} %{tolower:%{User-Name}}${policy.targeted_id_salt}%{tolower:%{outer.request:GSS-Acceptor-Host-Name}}}" =~ /^([^ ]+)([ ]*)$/) {
			update outer.session-state {
				Moonshot-Host-TargetedId := "%{1}@%{tolower:%{request:Realm}}"
			}
		}
	}
}
#  This policy generates a realm-specific targeted ID
#
moonshot_realm_tid.post-auth {
	#  generate a UUID for Moonshot-Realm-TargetedId
	#  targeted id = (uuid -v 5 [namespace] [username][salt][RP realm name])@[IdP realm name]
	if (&outer.request:GSS-Acceptor-Realm-Name) {
		if ("%{echo:/usr/bin/uuid -v 5 ${policy.moonshot_realm_namespace} %{tolower:%{User-Name}}${policy.targeted_id_salt}%{tolower:%{outer.request:GSS-Acceptor-Realm-Name}}}" =~ /^([^ ]+)([ ]*)$/) {
			update outer.session-state {
				Moonshot-Realm-TargetedId := "%{1}@%{tolower:%{request:Realm}}"
			}
		}
	}
}
#  This policy generates a COI-specific targeted ID
#
moonshot_coi_tid.post-auth {
	#  generate a UUID for Moonshot-TR-COI-TargetedId
	#  targeted id = (uuid -v 5 [namespace] [username][salt][RP COI name])@[IdP realm name]
	if (&outer.request:Trust-Router-COI) {
		if ("%{echo:/usr/bin/uuid -v 5 ${policy.moonshot_coi_namespace} %{tolower:%{User-Name}}${policy.targeted_id_salt}%{tolower:%{outer.request:Trust-Router-COI}}}" =~ /^([^ ]+)([ ]*)$/) {
			update outer.session-state {
				Moonshot-TR-COI-TargetedId := "%{1}@%{tolower:%{request:Realm}}"
			}
		}
	}
}

APT Browse - Built by Thomas Orozco.