Diffstat (limited to 'raddb/policy.d/rfc7542')
-rw-r--r--raddb/policy.d/rfc754246
1 files changed, 46 insertions, 0 deletions
diff --git a/raddb/policy.d/rfc7542 b/raddb/policy.d/rfc7542
new file mode 100644
index 0000000..84a5c17
--- /dev/null
+++ b/raddb/policy.d/rfc7542
@@ -0,0 +1,46 @@
+#
+# The following policy is for RFC7542-style bang path
+# management.
+#
+# It hands control from the standard 'suffix' realm
+# processor to the 'bangpath' processer, allowing the
+# definition of specific routing information in the
+# decoration of the User-Name.
+#
+# Use this with caution. In particular, read the following
+# RFC document sections for reasons why you shouldn't use
+# this, and also why this is used:
+#
+# 1. https://tools.ietf.org/html/rfc4282#section-2.7
+# 2. https://tools.ietf.org/html/rfc7542#section-3.3.1
+#
+# $Id$
+#
+
+# This is a |-separated list of realms this specific service
+# is responsible for. We cannot read this from the proxy.conf
+# file, so we turn this into an 'or list' regex.
+# Examples: rfc7542_realms = 'example.com'
+# rfc7542_realms = 'example.com|another.net|this.org'
+#
+rfc7542_realms = 'changeme'
+
+# This policy checks the User-Name attribute whether it is in
+# RFC7542 bang-path format. If it is, it lets the bangpath realm
+# processor handle it, otherwise it leaves it for suffix to handle
+#
+rfc7542.authorize {
+ # Format: not_local_realm!...@local_realm: Handle with bangpath
+ if ( (&request:User-Name =~ /(.+)!(.*)\@(${policy.rfc7542_realms})/) && \
+ !(&request:User-Name =~ /(${policy.rfc7542_realms})!(.*)\@(.+)/) ) {
+ bangpath
+ updated
+ }
+
+ # Format: local_realm!...@not_local_realm: Handle with bangpath
+ elsif ( (&request:User-Name =~ /(${policy.rfc7542_realms})!(.*)\@(.+)/) && \
+ !(&request:User-Name =~ /(.+)!(.*)\@(${policy.rfc7542_realms})/) ) {
+ bangpath
+ updated
+ }
+}
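Review bot: The realm tests in both the `if` and `elsif` conditions are unanchored and `${policy.rfc7542_realms}` is spliced into the pattern without regex escaping, so a User-Name such as `user!x@example.com.attacker.net` or `foo-example.com!x@other` still matches the "local realm" alternative, and the `.` in a value like `example.com` matches any character. User-Name is attacker-controlled and this condition decides whether `bangpath` routes the request, so both patterns should be anchored with `^`/`$` and the header comment for `rfc7542_realms` should state that entries must be regex-escaped (`example\.com|another\.net`). The `changeme` placeholder also matches a realm literally named `changeme` rather than failing; a comment such as `# The policy MUST NOT be loaded with this default` (or a startup-time check) would make that explicit. Since both branches run the same `bangpath`/`updated` pair and the two conditions are mirror images, they could be merged into one condition, which would also halve the number of patterns to keep in sync.
```unlang
    if ( (&request:User-Name =~ /^(.+)!(.*)\@(${policy.rfc7542_realms})$/) && \
         !(&request:User-Name =~ /^(${policy.rfc7542_realms})!(.*)\@(.+)$/) ) {
        # … unchanged: bangpath, updated …
    }
    elsif ( (&request:User-Name =~ /^(${policy.rfc7542_realms})!(.*)\@(.+)$/) && \
            !(&request:User-Name =~ /^(.+)!(.*)\@(${policy.rfc7542_realms})$/) ) {
        # … unchanged: bangpath, updated …
    }
```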