Updates to abfab policy

* Move policy from pre-proxy to authorize because we need to run some of the updates prior to realm because they now influence generated trust router requests. * Include setting reply messages
FreeRADIUS · Mar 18, 2015 · 3182652 · 3182652
1 parent 93f87d9
commit 3182652
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 6 deletions.
diff --git a/raddb/policy.d/abfab-tr b/raddb/policy.d/abfab-tr
@@ -15,29 +15,35 @@ psk_authorize {
 			# do things here
 		}
 		else {
+		update reply {
+			Reply-Message = "RP not authorized for this ABFAB request"
+			}
 			reject
 		}
 	}
 }
 
-abfab_pre_proxy {
+abfab_client_check {
 	# check that the acceptor host name is correct
 	if ("%{client:gss_acceptor_host_name}" && "%{gss-acceptor-host-name}") {
 		if ("%{client:gss_acceptor_host_name}" != "%{gss-acceptor-host-name}") {
+			update reply {
+			        Reply-Message = "GSS-Acceptor-Host-Name incorrect"
+				}
 			reject
 		}
 	}
 
 	# set trust-router-coi attribute from the client configuration
 	if ("%{client:trust_router_coi}") {
-		update proxy-request {
+		update request {
 			Trust-Router-COI := "%{client:trust_router_coi}"
 		}
 	}
 
 	# set gss-acceptor-realm-name attribute from the client configuration
 	if ("%{client:gss_acceptor_realm_name}") {
-		update proxy-request {
+		update request {
 			GSS-Acceptor-Realm-Name := "%{client:gss_acceptor_realm_name}"
 		}
 	}

diff --git a/raddb/sites-available/abfab-tr-idp b/raddb/sites-available/abfab-tr-idp
@@ -13,6 +13,7 @@
 server abfab-idp {
 authorize {
         psk_authorize
+	abfab_client_check
 	filter_username
 	preprocess
 
@@ -95,8 +96,12 @@ post-auth {
 
 		# Insert EAP-Failure message if the request was
 		# rejected by policy instead of because of an
-		# authentication failure
-		eap
+		# authentication failure And already has an EAP message
+		# For non-ABFAB, we insert the failure all the time, but for ABFAB
+		# It's more desirable to preserve reply-message when we can
+if &reply:Eap-Message {
+			eap
+			}
 
 		#  Remove reply message if the response contains an EAP-Message
 		remove_reply_message_if_eap
@@ -116,7 +121,6 @@ pre-proxy {
 	# No need to uncomment this if you have already enabled this in
 	# the authorize section.
 #	operator-name
-	abfab_pre_proxy
 
 	#  The client requests the CUI by sending a CUI attribute
 	#  containing one zero byte.