+ updated sample validatos...

bfg · Mar 29, 2007 · b9e2de5 · b9e2de5
1 parent 684d029
commit b9e2de5
Showing 1 changed file with 55 additions and 0 deletions.
diff --git a/etc/sample_validation_functions.conf b/etc/sample_validation_functions.conf
@@ -3,6 +3,11 @@
 #       for AuthStruct authenticatin module
 #
 
+# $Id$
+# $LastChangedRevision$
+# $LastChangedBy$
+# $LastChangedDate$
+
 # WARNING: DO NOT REMOVE THE FOLLOWING LINES:
 use strict;
 use warnings;
@@ -75,6 +80,33 @@ use warnings;
 sub sample_authstruct_validator {
 	# fetch Log::Log4perl logging object
 	my $log = shift;
+
+	#
+	# Client's authentication structure now becomes
+	# $_[0]...
+	#
+	# AUTHENTICATION STRUCTURE structure ;)
+	#
+	# This structure contains authentication data provided by
+	# connected OpenVPN client
+	#
+	# $_[0] = {
+	# 	# client's username
+	# 	username => 'some_username',
+	#
+	#	# client's password
+	# 	password => 'xyz',
+	#
+	#	# x509 certificate common name
+	# 	common_name => 'some_username.vpn.example.org',
+	#
+	# 	# client's connecting ip address
+	# 	untrusted_ip => '1.2.3.4',
+	#
+	#	# client's source port...
+	# 	untrusted_port => 4376
+	# };
+	#
 
 	#
 	# we really hate user 'joe'.
@@ -95,6 +127,29 @@ sub sample_authstruct_validator {
 		$log->warn("Rewriting username 'kaya' to 'pretty_c_minus'.")
 		$_[0]->{username} = 'pretty_c_minus';
 	}
+
+	# We want that certificate common name (CN) somehow
+	# matches client's username...
+	if ($_[0]->{common_name} =~ m/^([^\.]+)\.vpn\.example\.org$/i) {
+		# if username doesn't match fail the authentication...
+		if (lc($1) ne lc($_[0]->{username})) {
+			$log->error("Client's username " . $_[0]->{username} . " doesn't match it's x509 certificate CN " . $_[0]->{common_name});
+			return 0;
+		} 
+	} else {
+		$log->error("Client's x509 certificate common name is not valid.");
+		return 0;
+	}
+
+	# hm, we don't like that someone connects
+	# with source port less than 5000
+	#
+	# (yeah, i know, this is silly, but it's just proof of
+	# concept what you can really do here...)
+	if ($_[0]->{untrusted_port} < 5000) {
+		$log->error("We don't like clients which connect with source port < 5000.");
+		return 0;
+	}
 
 	# return "authentication" success
 	return 1;