#
# The following policies are for the Chargeable-User-Identity
# (CUI) configuration.
#
# The policies below can be called as just 'cui' (not
# cui.authorize etc.) from the various config sections.
#
#
# cui_hash_key definition
# This key protects CUI values against dictionary attacks; it
# should therefore be chosen as a random string and kept secret.
#
cui_hash_key = "changeme"
#
# NOTE(review): the default "changeme" gives no protection. The key
# is the only thing that stops a CUI from being mapped back to the
# User-Name it was derived from by guessing, so set a long random
# value on each server and keep it out of version control.
#
# cui_require_operator_name switch
# The checks below compare this against the literal 'yes', so only
# the value "yes" enables it: a CUI is then added only when a
# non-empty Operator-Name value is present in the request.
#
cui_require_operator_name = "no"
#
# The client indicates it can do CUI by sending a CUI attribute
# containing one zero byte.
# A non-empty value in Operator-Name can be an additional requirement.
# Normally CUI support is turned on only for such requests.
# CUI support can also be used for local clients which do not
# support CUI themselves: the server can simulate a CUI request by
# adding the missing NUL CUI value and the Operator-Name attribute.
# Clients which are supposed to get this treatment should
# be marked by add_cui flag in clients.conf
# We assume that local clients are marked in clients.conf with the
# add_cui flag, e.g.
# client xxxx {
# ...
# add_cui = yes
# }
#
cui.authorize {
#
# Simulate a CUI request on behalf of a local client flagged with
# add_cui in clients.conf: the NUL CUI marker is forced into the
# request (':=' replaces any value the client may have sent).
#
if ("%{client:add_cui}" == 'yes') {
update request {
Chargeable-User-Identity := '\\000'
}
}
}
#
# Before proxying an Access-Request to a remote server, a NUL CUI
# attribute should be added, unless it is already present in the request.
#
cui.pre-proxy {
#
# Only Access-Requests from clients flagged with add_cui get the
# NUL CUI marker. '=' (rather than ':=') adds the attribute only if
# the proxied request does not already carry one, so a CUI the
# client sent itself is left untouched.
#
if (("%{request:Packet-Type}" == 'Access-Request') && ("%{client:add_cui}" == 'yes')) {
update proxy-request {
Chargeable-User-Identity = '\\000'
}
}
}
#
# Add a CUI attribute based on the User-Name, and a secret key
# known only to this server.
# For EAP-TTLS and EAP-PEAP methods
# use_tunneled_reply parameter MUST be set to yes
#
cui.post-auth {
#
# Generate a CUI only when all of the following hold:
#   - the request was authenticated locally (no Proxy-To-Realm),
#   - the request carried a CUI attribute (i.e. the NAS asked for
#     one, or cui.authorize simulated the request),
#   - no CUI is already in the reply,
#   - Operator-Name is present, or cui_require_operator_name is
#     not set to 'yes'.
#
# The CUI is the SHA1 of the secret cui_hash_key prepended to the
# lower-cased User-Name and the Operator-Name (empty if absent).
# Only the secrecy of cui_hash_key prevents the CUI from being
# mapped back to a User-Name by guessing; see the cui_hash_key
# definition above.
#
if (!control:Proxy-To-Realm && Chargeable-User-Identity && !reply:Chargeable-User-Identity && \
(Operator-Name || ('${policy.cui_require_operator_name}' != 'yes')) ) {
update reply {
Chargeable-User-Identity = "%{sha1:${policy.cui_hash_key}%{tolower:%{User-Name}%{%{Operator-Name}:-}}}"
}
}
#
# Never echo the User-Name back alongside the CUI: the whole point
# of the CUI is that the NAS sees an identifier it cannot map to
# the real user.
#
update reply {
User-Name !* ANY # remove User-Name from the reply for security
}
#
# The section below will store a CUI for the User in the DB.
# You need to configure the cuisql module and your database for this to work.
# If your NAS can do CUI based accounting itself or you do not care about
# accounting, comment out the three lines below.
#
if (reply:Chargeable-User-Identity) {
cuisql
}
}
cui-inner.post-auth {
#
# Inner-tunnel counterpart of cui.post-auth (EAP-TTLS / EAP-PEAP).
# The CUI request and Operator-Name are read from the outer
# request, while the User-Name seen inside the tunnel is hashed,
# with the same key and layout as in cui.post-auth. ':=' is used
# here so an inner CUI replaces anything already in the reply.
# For the value to reach the outer reply, use_tunneled_reply must
# be set to yes (see the note above cui.post-auth).
#
if (outer.request:Chargeable-User-Identity && \
(outer.request:Operator-Name || ('${policy.cui_require_operator_name}' != 'yes'))) {
update reply {
Chargeable-User-Identity := "%{sha1:${policy.cui_hash_key}%{tolower:%{User-Name}%{%{outer.request:Operator-Name}:-}}}"
}
}
}
#
# If your NAS can do CUI based accounting or you do not care about
# accounting then just comment out the call to cui in ......
#
# If we had stored a CUI for the User, add it to the request.
#
cui.accounting {
#
# If the CUI isn't in the packet, see if we can find it
# in the DB, keyed on the NAS source address (IPv6 preferred,
# IPv4 otherwise), Calling-Station-Id and User-Name.
#
# NOTE(review): Calling-Station-Id and User-Name come from the NAS
# and are interpolated into the SQL text. This relies on the sql
# module escaping values expanded inside %{cuisql:...} (its
# safe_characters setting) — confirm that for the cuisql instance
# before trusting this query with untrusted attribute values.
#
if (!Chargeable-User-Identity) {
update request {
Chargeable-User-Identity := "%{cuisql:\
SELECT cui FROM cui \
WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' \
AND callingstationid = '%{Calling-Station-Id}' \
AND username = '%{User-Name}'}"
}
}
#
# If it exists now (either from the packet or the DB lookup
# above, and non-empty), then write out when we last saw
# this CUI.
#
if (Chargeable-User-Identity && (Chargeable-User-Identity != '')) {
cuisql
}
}