Diffstat (limited to 'raddb/policy.d/abfab-tr')
-rw-r--r-- | raddb/policy.d/abfab-tr | 106 |
1 files changed, 106 insertions, 0 deletions
diff --git a/raddb/policy.d/abfab-tr b/raddb/policy.d/abfab-tr
new file mode 100644
index 0000000..3a08853
--- /dev/null
+++ b/raddb/policy.d/abfab-tr
@@ -0,0 +1,106 @@
+#
+# ABFAB Trust router policies.
+#
+# $Id$
+#
+
+
+#
+# Verify rp parameters
+#
+psk_authorize {
+ if (&TLS-PSK-Identity) {
+ # TODO: may need to check trust-router-apc as well
+ if ("%{psksql:select distinct keyid from authorizations_keys where keyid = '%{tls-psk-identity}' and '%{trust-router-coi}' like coi and '%{gss-acceptor-realm-name}' like acceptor_realm and '%{gss-acceptor-host-name}' like hostname;}") {
+ # do things here
+ }
+ else {
+ update reply {
+ Reply-Message = "RP not authorized for this ABFAB request"
+ }
+ reject
+ }
+ }
+}
+
+abfab_client_check {
+ # check that GSS-Acceptor-Host-Name is correct
+ if ("%{client:gss_acceptor_host_name}") {
+ if (&request:GSS-Acceptor-Host-Name) {
+ if (&request:GSS-Acceptor-Host-Name != "%{client:gss_acceptor_host_name}") {
+ update reply {
+ Reply-Message = "GSS-Acceptor-Host-Name incorrect"
+ }
+ reject
+ }
+ }
+ else {
+ # set GSS-Acceptor-Host-Name if it is not set by the mechanism
+ # but it is defined in the client configuration
+ update request {
+ GSS-Acceptor-Host-Name = "%{client:gss_acceptor_host_name}"
+ }
+ }
+ }
+
+ # set Trust-Router-COI attribute from the client configuration
+ if ("%{client:trust_router_coi}") {
+ update request {
+ Trust-Router-COI := "%{client:trust_router_coi}"
+ }
+ }
+
+ # set GSS-Acceptor-Realm-Name attribute from the client configuration
+ if ("%{client:gss_acceptor_realm_name}") {
+ update request {
+ GSS-Acceptor-Realm-Name := "%{client:gss_acceptor_realm_name}"
+ }
+ }
+
+ # set GSS-Acceptor-Service-Name attribute from the client configuration
+ if ("%{client:gss_acceptor_service_name}") {
+ update request {
+ GSS-Acceptor-Service-Name = "%{client:gss_acceptor_service_name}"
+ }
+ }
+
+}
+
+# A policy which is used to validate channel-bindings. 
+#
+abfab_channel_bindings {
+ if (&GSS-Acceptor-Service-Name && (&outer.request:GSS-Acceptor-Service-Name != &GSS-Acceptor-Service-Name)) {
+ reject
+ }
+
+ if (&GSS-Acceptor-Host-Name && &outer.request:GSS-Acceptor-Host-Name != &GSS-Acceptor-Host-Name ) {
+ reject
+ }
+
+ if (&GSS-Acceptor-Realm-Name && &outer.request:GSS-Acceptor-Realm-Name != &GSS-Acceptor-Realm-Name ) {
+ reject
+ }
+
+ if (&GSS-Acceptor-Service-Name || &GSS-Acceptor-Realm-Name || &GSS-Acceptor-Host-Name) {
+ update control {
+ &Chbind-Response-Code := success
+ }
+
+ #
+ # ACK the attributes in the request.
+ #
+ # If any one of these attributes don't exist in the request,
+ # then they won't be copied to the reply.
+ #
+ update reply {
+ &GSS-Acceptor-Service-Name = &GSS-Acceptor-Service-Name
+ &GSS-Acceptor-Host-Name = &GSS-Acceptor-Host-Name
+ &GSS-Acceptor-Realm-Name = &GSS-Acceptor-Realm-Name
+ }
+ }
+
+ #
+ # Return "handled" so that the "authenticate" section isn't used.
+ #
+ handled
+}
|
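Review bot: The three mismatch checks in abfab_channel_bindings only reject when the outer attribute is present and differs; if the outer request carries no GSS-Acceptor-Service-Name / Host-Name / Realm-Name at all, the comparison against a missing attribute does not fire (it evaluates false rather than as a mismatch, as far as I can tell from unlang semantics — worth confirming on this version), so the policy then falls through to `&Chbind-Response-Code := success` and ACKs an inner channel-binding value that was never seen on the outer side. Each check should require the outer attribute explicitly, e.g. `if (&GSS-Acceptor-Service-Name && (!&outer.request:GSS-Acceptor-Service-Name || (&outer.request:GSS-Acceptor-Service-Name != &GSS-Acceptor-Service-Name))) {` and the same shape for the Host-Name and Realm-Name checks. Separately, abfab_client_check is inconsistent about how much it trusts the RP-supplied values: Host-Name is verified against the client configuration and rejected on mismatch, Trust-Router-COI and Realm-Name are force-overwritten with `:=`, but Service-Name is only defaulted with `=` and never compared, so an RP-supplied Service-Name wins over the configured one; either verify it like Host-Name or add a comment stating why the RP is trusted for that attribute. In psk_authorize the `# do things here` branch is empty and the whole policy silently passes when TLS-PSK-Identity is absent, which is fine if non-PSK transports are authorized elsewhere but deserves a comment saying so.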