#
# Example of forbidding all attempts to log in via
# realms.
#
deny_realms {
	# Reject any User-Name that carries a realm delimiter: an "@"
	# (user@realm) or a backslash (DOMAIN\user). The "\\" in the
	# pattern is the backslash escaped for the regex, so the pattern
	# reads "@ OR \". No Reply-Message is added, so the client is
	# not told why the request was refused.
	if (User-Name =~ /@|\\/) {
		reject
	}
}
10
#
# Filter the username
#
# Force some sanity on User-Name. This helps to avoid
# issues where the back-end database is "forgiving" about
# what constitutes a user name.
#
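filter_username {
	#
	# Sanity-check the User-Name supplied by the client. Each check
	# rejects the request; most also add a Reply-Message saying why.
	#
	# NOTE: attributes set with "update reply" are returned to the
	# NAS in the Access-Reject, so these messages tell the sender
	# exactly which rule it tripped. If the reason should stay
	# server-side, add it to Module-Failure-Message in the request
	# list instead, where it is logged rather than sent.
	#
	# NOTE(review): when User-Name is absent none of the comparisons
	# below should match and the request passes through unchanged -
	# confirm for this server version.
	#

	#
	# Reject any upper-case letter (not only mixed case): the name
	# must equal its lower-cased form.
	# e.g. "UseRNaMe" and "USERNAME" are both rejected.
	# The tolower xlat is provided by the expr module, which must be
	# loaded for this comparison to work.
	#
	if (User-Name != "%{tolower:%{User-Name}}") {
		reject
	}

	#
	# Reject all whitespace. The POSIX class [[:space:]] is used
	# rather than a literal " " so that tabs and other blank
	# characters are caught as well, as the comment has always said.
	# e.g. "user@ site.com", or "us er", or " user", or "user "
	#
	if (User-Name =~ /[[:space:]]/) {
		update reply {
			Reply-Message += "Rejected: Username contains whitespace"
		}
		reject
	}

	#
	# Reject multiple @'s
	# e.g. "user@site.com@site.com"
	#
	if (User-Name =~ /@.*@/) {
		update reply {
			Reply-Message += "Rejected: Multiple @ in username"
		}
		reject
	}

	#
	# Reject double dots anywhere in the name
	# e.g. "user@site..com"
	#
	if (User-Name =~ /\\.\\./) {
		update reply {
			Reply-Message += "Rejected: Username contains ..s"
		}
		reject
	}

	#
	# If there is a realm, it must contain at least one
	# string-dot-string, i.e. a non-empty label on both sides of a dot.
	# e.g. "user@site.com"
	#
	if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) {
		update reply {
			Reply-Message += "Rejected: Realm does not have at least one dot separator"
		}
		reject
	}

	#
	# Realm ends with a dot
	# e.g. "user@site.com."
	#
	if (User-Name =~ /\\.$/) {
		update reply {
			Reply-Message += "Rejected: Realm ends with a dot"
		}
		reject
	}

	#
	# Realm begins with a dot
	# e.g. "user@.site.com"
	#
	if (User-Name =~ /@\\./) {
		update reply {
			Reply-Message += "Rejected: Realm begins with a dot"
		}
		reject
	}
}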
93