# # ABFAB Trust router policies. # # $Id: 3a088538b5acc09aebc80b40391febf1d57a617a $ # # # Verify rp parameters # psk_authorize { if (&TLS-PSK-Identity) { # TODO: may need to check trust-router-apc as well if ("%{psksql:select distinct keyid from authorizations_keys where keyid = '%{tls-psk-identity}' and '%{trust-router-coi}' like coi and '%{gss-acceptor-realm-name}' like acceptor_realm and '%{gss-acceptor-host-name}' like hostname;}") { # do things here } else { update reply { Reply-Message = "RP not authorized for this ABFAB request" } reject } } } abfab_client_check { # check that GSS-Acceptor-Host-Name is correct if ("%{client:gss_acceptor_host_name}") { if (&request:GSS-Acceptor-Host-Name) { if (&request:GSS-Acceptor-Host-Name != "%{client:gss_acceptor_host_name}") { update reply { Reply-Message = "GSS-Acceptor-Host-Name incorrect" } reject } } else { # set GSS-Acceptor-Host-Name if it is not set by the mechanism # but it is defined in the client configuration update request { GSS-Acceptor-Host-Name = "%{client:gss_acceptor_host_name}" } } } # set Trust-Router-COI attribute from the client configuration if ("%{client:trust_router_coi}") { update request { Trust-Router-COI := "%{client:trust_router_coi}" } } # set GSS-Acceptor-Realm-Name attribute from the client configuration if ("%{client:gss_acceptor_realm_name}") { update request { GSS-Acceptor-Realm-Name := "%{client:gss_acceptor_realm_name}" } } # set GSS-Acceptor-Service-Name attribute from the client configuration if ("%{client:gss_acceptor_service_name}") { update request { GSS-Acceptor-Service-Name = "%{client:gss_acceptor_service_name}" } } } # A policy which is used to validate channel-bindings. # abfab_channel_bindings { if (&GSS-Acceptor-Service-Name && (&outer.request:GSS-Acceptor-Service-Name != &GSS-Acceptor-Service-Name)) { reject } if (&GSS-Acceptor-Host-Name && &outer.request:GSS-Acceptor-Host-Name != &GSS-Acceptor-Host-Name ) { reject } if (&GSS-Acceptor-Realm-Name && &outer.request:GSS-Acceptor-Realm-Name != &GSS-Acceptor-Realm-Name ) { reject } if (&GSS-Acceptor-Service-Name || &GSS-Acceptor-Realm-Name || &GSS-Acceptor-Host-Name) { update control { &Chbind-Response-Code := success } # # ACK the attributes in the request. # # If any one of these attributes don't exist in the request, # then they won't be copied to the reply. # update reply { &GSS-Acceptor-Service-Name = &GSS-Acceptor-Service-Name &GSS-Acceptor-Host-Name = &GSS-Acceptor-Host-Name &GSS-Acceptor-Realm-Name = &GSS-Acceptor-Realm-Name } } # # Return "handled" so that the "authenticate" section isn't used. # handled }