#
# ABFAB Trust router policies.
#
# $Id$
#
#
# Verify RP (relying party) parameters
#
#
# psk_authorize: authorize a relying party (RP) that presented a TLS
# pre-shared key, by looking its PSK identity up in the
# authorizations_keys table together with the request's
# Trust-Router-COI, GSS-Acceptor-Realm-Name and GSS-Acceptor-Host-Name.
#
# The check only runs when TLS-PSK-Identity is present.  A request
# without it is neither accepted nor rejected here -- the policy simply
# falls through -- so whatever calls this policy must not treat it as a
# complete authorization decision for non-PSK peers.
#
psk_authorize {
	if (&TLS-PSK-Identity) {
		# TODO: may need to check trust-router-apc as well
		#
		# The request attributes below are expanded *inside* the
		# psksql xlat.  rlm_sql registers its own escape function for
		# expansions nested in its xlat, so the quoted values are
		# escaped according to that instance's safe_characters
		# setting; it is that module setting, not this policy, that
		# keeps attacker-supplied identity / COI / host values from
		# changing the shape of the query -- verify it is configured
		# for the psksql instance.
		#
		# The request values are the LIKE subjects and the table
		# columns are the patterns, so wildcards in a request value
		# have no special meaning; only the stored rows decide.
		if ("%{psksql:select distinct keyid from authorizations_keys where keyid = '%{tls-psk-identity}' and '%{trust-router-coi}' like coi and '%{gss-acceptor-realm-name}' like acceptor_realm and '%{gss-acceptor-host-name}' like hostname;}") {
			# do things here
			# (a non-empty result means at least one row matched:
			# the RP is authorized for this COI / realm / host.)
		}
		else {
			# No matching row: refuse the request and tell the RP why.
			update reply {
				Reply-Message = "RP not authorized for this ABFAB request"
			}
			reject
		}
	}
}
#
# abfab_client_check: reconcile the GSS acceptor attributes carried in the
# request with the values configured for the RADIUS client that sent it.
#
# Per attribute the behaviour differs, and the operator matters:
#   - GSS-Acceptor-Host-Name: compared against the client config when
#     both exist (mismatch -> reject); copied from the client config
#     when the request lacks it.
#   - Trust-Router-COI, GSS-Acceptor-Realm-Name: ":=" -- the client
#     config value always replaces whatever the request carried.
#   - GSS-Acceptor-Service-Name: "=" -- only added when the request has
#     none, so a mechanism-supplied service name is kept as-is and is
#     NOT compared against the client config (unlike Host-Name).
#     NOTE(review): presumably deliberate, since the service name may
#     legitimately vary per acceptor; confirm.
#
# Each step is skipped when the corresponding client property is unset,
# so a client with no gss_acceptor_host_name gets no host-name check.
#
abfab_client_check {
	# check that GSS-Acceptor-Host-Name is correct
	if ("%{client:gss_acceptor_host_name}") {
		if (&request:GSS-Acceptor-Host-Name) {
			# Request carries a host name: it must equal the one
			# configured for this client.
			if (&request:GSS-Acceptor-Host-Name != "%{client:gss_acceptor_host_name}") {
				update reply {
					Reply-Message = "GSS-Acceptor-Host-Name incorrect"
				}
				reject
			}
		}
		else {
			# set GSS-Acceptor-Host-Name if it is not set by the mechanism
			# but it is defined in the client configuration
			update request {
				GSS-Acceptor-Host-Name = "%{client:gss_acceptor_host_name}"
			}
		}
	}

	# set Trust-Router-COI attribute from the client configuration
	# (":=" overwrites any value already in the request)
	if ("%{client:trust_router_coi}") {
		update request {
			Trust-Router-COI := "%{client:trust_router_coi}"
		}
	}

	# set GSS-Acceptor-Realm-Name attribute from the client configuration
	# (":=" overwrites any value already in the request)
	if ("%{client:gss_acceptor_realm_name}") {
		update request {
			GSS-Acceptor-Realm-Name := "%{client:gss_acceptor_realm_name}"
		}
	}

	# set GSS-Acceptor-Service-Name attribute from the client configuration
	# ("=" only adds it when the request does not already have one)
	if ("%{client:gss_acceptor_service_name}") {
		update request {
			GSS-Acceptor-Service-Name = "%{client:gss_acceptor_service_name}"
		}
	}
}
# A policy which is used to validate channel-bindings.
#
#
# abfab_channel_bindings: validate channel bindings by comparing the GSS
# acceptor attributes seen in the inner (tunnelled) request against those
# of the outer request (it reads &outer.request:, so this policy is meant
# to run from the inner tunnel).
#
# Rule per attribute: if the inner request carries it and the value
# differs from the outer request's, reject.  If at least one acceptor
# attribute is present, Chbind-Response-Code is set to success and the
# attributes are echoed in the reply.  Always returns "handled".
#
# NOTE(review): the mismatch checks only fire when the inner attribute
# exists.  When the *outer* request lacks the attribute, the "!="
# comparison against a missing operand does not reject (in 3.x unlang a
# comparison with a non-existent attribute evaluates false, as far as I
# can tell), so Chbind-Response-Code ends up as success on the strength
# of the inner attributes alone.  Confirm that is the intended outcome,
# or require the outer attributes explicitly.
#
abfab_channel_bindings {
	# Inner service name present and not equal to the outer one -> reject.
	if (&GSS-Acceptor-Service-Name && (&outer.request:GSS-Acceptor-Service-Name != &GSS-Acceptor-Service-Name)) {
		reject
	}

	# Inner host name present and not equal to the outer one -> reject.
	if (&GSS-Acceptor-Host-Name && &outer.request:GSS-Acceptor-Host-Name != &GSS-Acceptor-Host-Name ) {
		reject
	}

	# Inner realm name present and not equal to the outer one -> reject.
	if (&GSS-Acceptor-Realm-Name && &outer.request:GSS-Acceptor-Realm-Name != &GSS-Acceptor-Realm-Name ) {
		reject
	}

	# Any acceptor attribute survived the checks above: report success.
	# (If none is present, no Chbind-Response-Code is set at all.)
	if (&GSS-Acceptor-Service-Name || &GSS-Acceptor-Realm-Name || &GSS-Acceptor-Host-Name) {
		update control {
			&Chbind-Response-Code := success
		}

		#
		# ACK the attributes in the request.
		#
		# If any one of these attributes don't exist in the request,
		# then they won't be copied to the reply.
		#
		update reply {
			&GSS-Acceptor-Service-Name = &GSS-Acceptor-Service-Name
			&GSS-Acceptor-Host-Name = &GSS-Acceptor-Host-Name
			&GSS-Acceptor-Realm-Name = &GSS-Acceptor-Realm-Name
		}
	}

	#
	# Return "handled" so that the "authenticate" section isn't used.
	#
	handled
}