Problems to use regex policy
Hi, I have a use case of EAP for which I have to verify that the outer identify has a realm. Before writing this verification under a new policy module, I just tried to use those existing by defaut under policy.d/filter. I don't know if it is really a mistake but the filter "deny_realms" seems to be wrong. I just try to call the filter "deny_realms" under the section authorize {} of the site default. I tried with freeradius 3.0.4 and 3.0.13, both packages on centOS 7.3 and 7.4. In both case, radiusd do not start because of syntax error in regex : - error on freeradius 3.0.4 /etc/raddb/policy.d/filter[6]: Invalid regular expression @|\: bad escape sequence at offset 3 - error on freeradius 3.0.13 /etc/raddb/policy.d/filter[6]: Invalid regular expression: /etc/raddb/policy.d/filter[6]: @|\ /etc/raddb/policy.d/filter[6]: ^ Pattern compilation failed: \ at end of pattern The line number 6 is this test : if (&User-Name && (&User-Name =~ /@|\\/)) { If I replace it with this test, radiusd starts correctly : if (&User-Name && (&User-Name =~ /@|\\{1}/)) { Then, after this first step, I have a second issue with the filter "filter_username". I would be interested to use it inside the inner tunnel to sanitize the inner identity. One of this tests is always true and I don't understand the reason why : if (&User-Name =~ /\.\./ ) { update request { &Module-Failure-Message += 'Rejected: User-Name contains multiple ..s' } reject } Whatever the identity I'm using, the test on double dot caracter is verified. I tried to call the filter "filter_username" under the section authorize {} of the site default or inner-tunnel. In both cas, It seems to have issue (below log from site default). Ready to process requests (0) Received Access-Request Id 0 from 10.10.10.12:36315 to 10.10.11.11:1812 length 146 (0) User-Name = "anonymous@mydomain.fr" (0) NAS-IP-Address = 127.0.0.1 (0) Calling-Station-Id = "xx-xx-xx-xx-xx-xx" (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) Connect-Info = "Test client - app" (0) EAP-Message = 0x0200001701616e6f6e796d6f757340696e7269612e6672 (0) Message-Authenticator = 0x02df880a5342968b4e6455cc5e5d9841 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> TRUE (0) if (&User-Name =~ /\.\./ ) { (0) update request { (0) &Module-Failure-Message += 'Rejected: User-Name contains multiple ..s' (0) } # update request = noop (0) [reject] = reject (0) } # if (&User-Name =~ /\.\./ ) = reject (0) } # if (&User-Name) = reject (0) } # policy filter_username = reject (0) } # authorize = reject (0) Invalid user (Rejected: User-Name contains multiple ..s): [anonymous@mydomain.fr] (from client app port 0 cli xx-xx-xx-xx-xx-xx) (0) Using Post-Auth-Type Reject Later, I will try to use also the filter "filter_inner_identity". Thanks you for this ! Have a nice day Regards, -- Jérôme BERTHIER
On Mon, 2017-12-04 at 12:34 +0100, Jérôme BERTHIER wrote:
Before writing this verification under a new policy module, I just tried to use those existing by defaut under policy.d/filter.
I don't know if it is really a mistake but the filter "deny_realms" seems to be wrong.
It's fine.
/etc/raddb/policy.d/filter[6]: Invalid regular expression @|\: bad escape sequence at offset 3
Set "correct_escapes = true" in radiusd.conf, and don't use 3.0.4. Then try everything again. -- Matthew
Le 04/12/2017 à 13:11, Matthew Newton a écrit :
Set "correct_escapes = true" in radiusd.conf, and don't use 3.0.4.
Then try everything again.
OK it works. This attribute was not included my setup because it has been commited on freeradius 3.0.5 but I wrote a puppet module based on freeradius 3.0.4 (packaged on CentOS 7.3). I have to diff my files with those of each new freeradius release to avoid this kind of issue. Thanks for your help Regards -- Jérôme BERTHIER
On Dec 4, 2017, at 9:57 AM, Jérôme BERTHIER <Jerome.Berthier@inria.fr> wrote:
I have to diff my files with those of each new freeradius release to avoid this kind of issue.
The file doc/ChangeLog describes what changes are necessary. You don't need to 'diff' anything. Alan DeKok.
participants (3)
-
Alan DeKok -
Jérôme BERTHIER -
Matthew Newton