From 50b37d4a27d3295a29afca2286f1a5a086142cec Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Sun, 28 Apr 2024 11:49:46 +0200
Subject: Adding upstream version 3.2.1+dfsg.
Signed-off-by: Daniel Baumann
---
 raddb/policy.d/cui | 131 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 131 insertions(+)
 create mode 100644 raddb/policy.d/cui
(limited to 'raddb/policy.d/cui')
diff --git a/raddb/policy.d/cui b/raddb/policy.d/cui
new file mode 100644
index 0000000..08b2c91
--- /dev/null
+++ b/raddb/policy.d/cui
@@ -0,0 +1,131 @@
+#
+# The following policies are for the Chargeable-User-Identity
+# (CUI) configuration.
+#
+# The policies below can be called as just 'cui' (not
+# cui.authorize etc..) from the various config sections.
+#
+
+#
+# cui_hash_key definition
+# This key serves the purpose of protecting CUI values against
+# dictionary attacks, therefore should be chosen as a "random"
+# string and kept secret.
+#
+cui_hash_key = "changeme"
+
+#
+# cui_require_operator_name switch
+# If this is set to nonzero value then CUI will only be added
+# when a non-empty Operator-Name value is present in the request
+#
+cui_require_operator_name = "no"
+
+#
+# The client indicates it can do CUI by sending a CUI attribute
+# containing one zero byte.
+# A non-empty value in Operator-Name can be an additional requirement.
+# Normally CUI support is turned on only for such requests.
+# CUI support can be used for local clients which do not
+# supports CUI themselves, the server can simulate a CUI request
+# adding the missing NUL CUI value and the Operator-Name attribute.
+# Clients which are supposed to get this treatment should
+# be marked by add_cui flag in clients.conf
+# We assume that local clients are marked in the client.conf with
+# add_cui flag, e.g.
+# client xxxx {
+# ...
+# add_cui = yes
+# }
+#
+cui.authorize {
+ if ("%{client:add_cui}" == 'yes') {
+ update request {
+ &Chargeable-User-Identity := 0x00
+ }
+ }
+}
+
+#
+# Before proxing an Access-Request to a remote server, a NUL CUI
+# attribute should be added, unless it is already present in the request.
+#
+cui.pre-proxy {
+ if (("%{request:Packet-Type}" == 'Access-Request') && ("%{client:add_cui}" == 'yes')) {
+ update proxy-request {
+ &Chargeable-User-Identity = 0x00
+ }
+ }
+}
+
+
+#
+# Add a CUI attribute based on the User-Name, and a secret key
+# known only to this server.
+# For EAP-TTLS and EAP-PEAP methods
+# use_tunneled_reply parameter MUST be set to yes
+#
+cui.post-auth {
+ if (!&control:Proxy-To-Realm && &Chargeable-User-Identity && !&reply:Chargeable-User-Identity && \
+ (&Operator-Name || ('${policy.cui_require_operator_name}' != 'yes')) ) {
+ update reply {
+ &Chargeable-User-Identity = "%{sha1:${policy.cui_hash_key}%{tolower:%{User-Name}%{%{Operator-Name}:-}}}"
+ }
+ }
+
+ #
+ # The section below will store a CUI for the User in the DB and remove the
+ # User-Name attribute from the reply if a CUI is present.
+ #
+ # You need to configure the cuisql module and your database for this to work.
+ # If your NAS can do CUI based accounting themselves or you do not care about
+ # accounting, comment out the 'cuisql' line below.
+ #
+ if (&reply:Chargeable-User-Identity) {
+ # Force User-Name to be the User-Name from the request
+ update {
+ &reply:User-Name := &request:User-Name
+ }
+ cuisql
+ }
+}
+
+
+cui-inner.post-auth {
+ if (&outer.request:Chargeable-User-Identity && \
+ (&outer.request:Operator-Name || ('${policy.cui_require_operator_name}' != 'yes'))) {
+ update reply {
+ &Chargeable-User-Identity := "%{sha1:${policy.cui_hash_key}%{tolower:%{User-Name}%{%{outer.request:Operator-Name}:-}}}"
+ }
+ }
+}
+
+#
+# If your NAS can do CUI based accounting or you do not care about
+# accounting then just comment out the call to cui in ......
+#
+# If we had stored a CUI for the User, add it to the request.
+#
+cui.accounting {
+ #
+ # If the CUI isn't in the packet, see if we can find it
+ # in the DB.
+ #
+ if (!&Chargeable-User-Identity) {
+ update request {
+ &Chargeable-User-Identity := "%{cuisql:\
+ SELECT cui FROM cui \
+ WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' \
+ AND callingstationid = '%{Calling-Station-Id}' \
+ AND username = '%{User-Name}'}"
+ }
+ }
+
+ #
+ # If it exists now, then write out when we last saw
+ # this CUI.
+ #
+ if (&Chargeable-User-Identity && (&Chargeable-User-Identity != '')) {
+ cuisql
+ }
+}
--
cgit v1.2.3
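Review bot: `cui_hash_key = "changeme"` ships a fixed default for a value the comment right above it says must be random and kept secret; while it is left unchanged, the CUI produced in cui.post-auth and cui-inner.post-auth is a SHA-1 over a publicly known string plus the lowercased User-Name (and Operator-Name), so the dictionary attack that comment warns about needs no secret at all and the identifier no longer pseudonymises the user. I would spell that consequence out in the key's comment, e.g. `# The default value MUST be replaced before these policies are enabled; with a known key the CUI is a reproducible hash of the User-Name and can be mapped back to the user.`. Two smaller points in the same hunk: the comment introducing the `if (&reply:Chargeable-User-Identity)` block says it removes User-Name from the reply, but the update does `&reply:User-Name := &request:User-Name`, i.e. it forces the reply User-Name to the request value, so the comment should describe that instead. The `%{cuisql:...}` query in cui.accounting embeds Packet-Src-IP*, Calling-Station-Id and User-Name inside SQL string literals, which is only safe if (as I would expect, but cannot confirm from this file) the sql module escapes expanded values before they reach the query; a comment naming that dependency on the cuisql module's escaping configuration would help whoever maintains the database side.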