src/test/setup/radius-config/freeradius/policy.d/filter - cord-tester - Gitiles

 #
 #	Example of forbidding all attempts to login via
 #	realms.
 #
 deny_realms {
 	if (User-Name =~ /@|\\/) {
 		reject
 	}
 }

 #
 #	Filter the username
 #
 #  Force some sanity on User-Name. This helps to avoid issues
 #  issues where the back-end database is "forgiving" about
 #  what constitutes a user name.
 #
 filter_username {
 	#
 	#  reject mixed case
 	#  e.g. "UseRNaMe"
 	#
 	if (User-Name != "%{tolower:%{User-Name}}") {
 		reject
 	}

 	#
 	#  reject all whitespace
 	#  e.g. "user@ site.com", or "us er", or " user", or "user "
 	#
 	if (User-Name =~ / /) {
 		update reply {
 			Reply-Message += "Rejected: Username contains whitespace"
 		}
 		reject
 	}

 	#
 	#  reject Multiple @'s
 	#  e.g. "user@site.com@site.com"
 	#
 	if(User-Name =~ /@.*@/ ) {
 		update reply {
 			Reply-Message += "Rejected: Multiple @ in username"
 		}
 		reject
 	}

 	#
 	#  reject double dots
 	#  e.g. "user@site..com"
 	#
 	if (User-Name =~ /\\.\\./ ) {
 		update reply {
 			Reply-Message += "Rejected: Username contains ..s"
 		}
 		reject
 	}

 	#
 	#  must have at least 1 string-dot-string after @
 	#  e.g. "user@site.com"
 	#
 	if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))  {
 		update reply {
 			Reply-Message += "Rejected: Realm does not have at least one dot separator"
 		}
 		reject
 	}

 	#
 	#  Realm ends with a dot
 	#  e.g. "user@site.com."
 	#
 	if (User-Name =~ /\\.$/)  {
 		update reply {
 			Reply-Message += "Rejected: Realm ends with a dot"
 		}
 		reject
 	}

 	#
 	#  Realm begins with a dot
 	#  e.g. "user@.site.com"
 	#
 	if (User-Name =~ /@\\./)  {
 		update reply {
 			Reply-Message += "Rejected: Realm begins with a dot"
 		}
 		reject
 	}
 }
	#
	# Example of forbidding all attempts to login via
	# realms.
	#
	deny_realms {
	if (User-Name =~ /@\|\\/) {
	reject
	}
	}

	#
	# Filter the username
	#
	# Force some sanity on User-Name. This helps to avoid issues
	# issues where the back-end database is "forgiving" about
	# what constitutes a user name.
	#
	filter_username {
	#
	# reject mixed case
	# e.g. "UseRNaMe"
	#
	if (User-Name != "%{tolower:%{User-Name}}") {
	reject
	}

	#
	# reject all whitespace
	# e.g. "user@ site.com", or "us er", or " user", or "user "
	#
	if (User-Name =~ / /) {
	update reply {
	Reply-Message += "Rejected: Username contains whitespace"
	}
	reject
	}

	#
	# reject Multiple @'s
	# e.g. "user@site.com@site.com"
	#
	if(User-Name =~ /@.*@/ ) {
	update reply {
	Reply-Message += "Rejected: Multiple @ in username"
	}
	reject
	}

	#
	# reject double dots
	# e.g. "user@site..com"
	#
	if (User-Name =~ /\\.\\./ ) {
	update reply {
	Reply-Message += "Rejected: Username contains ..s"
	}
	reject
	}

	#
	# must have at least 1 string-dot-string after @
	# e.g. "user@site.com"
	#
	if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) {
	update reply {
	Reply-Message += "Rejected: Realm does not have at least one dot separator"
	}
	reject
	}

	#
	# Realm ends with a dot
	# e.g. "user@site.com."
	#
	if (User-Name =~ /\\.$/) {
	update reply {
	Reply-Message += "Rejected: Realm ends with a dot"
	}
	reject
	}

	#
	# Realm begins with a dot
	# e.g. "user@.site.com"
	#
	if (User-Name =~ /@\\./) {
	update reply {
	Reply-Message += "Rejected: Realm begins with a dot"
	}
	reject
	}
	}