I'm configuring a freeradius server for authenticating Wifi clients with EAP-TLS.
The solution should check certificates with EAP-TLS and everything is working fine, but checking the "extended key usage" to reply with a specific VLAN is not working as expected.
So in my site config I have:
if (TLS-Client-Cert-Issuer == "/DC=de/DC=xxxxx/CN=XXX Sub CA" && TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.XY\.xxxxx\.de$/){
if(TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15380538.1") {
update reply {
&Tunnel-Type = 13,
&Tunnel-Medium-Type = 6,
&Tunnel-Private-Group-Id = "1"
}
}
if(TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.2") {
update reply {
&Tunnel-Type = 13,
&Tunnel-Medium-Type = 6,
&Tunnel-Private-Group-Id = "2"
}
}
} elsif (TLS-Client-Cert-Issuer == "/DC=de/DC=xxxxx/CN=XXX Sub CA" && TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.XYZ\.xxxxx\.de$/) {
if(TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.16530950.3") {
update reply {
&Tunnel-Type = 13,
&Tunnel-Medium-Type = 6,
&Tunnel-Private-Group-Id = "3"
}
}
} else {
update reply {
Reply-Message := "Certificate Extended-Key-Usage with wrong or missing Group."
Auth-Type := Reject
}
reject
}
In the log I see that the Attribute is in the tls-cert:
freeradius | (342) eap_tls: TLS-Client-Cert-Subject-Alt-Name-Dns := "user.XY.xxxxx.de"
freeradius | (342) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication, 1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7"
freeradius | (342) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
freeradius | (342) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.2"
But when I scroll down, I see that the result of the if-check is false:
freeradius | (343) if (TLS-Client-Cert-Issuer == "/DC=de/DC=xxxxx/CN=XXX Sub CA" && TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.XY\.xxxxx\.de$/){
freeradius | (343) if (TLS-Client-Cert-Issuer == "/DC=de/DC=xxxxx/CN=XXX Sub CA" && TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.XY\.xxxxx\.de$/) -> TRUE
freeradius | (343) if (TLS-Client-Cert-Issuer == "/DC=de/DC=xxxxx/CN=XXX Sub CA" && TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.XY\.xxxxx\.de$/) {
freeradius | (343) if (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15380538.1") {
freeradius | (343) if (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15380538.1") -> FALSE
freeradius | (343) if (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.2") {
freeradius | (343) if (TLS-Client-Cert-X509v3-Extended-Key-Usage-OID == "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.2") -> FALSE ### This should be TRUE ###
freeradius | (343) } # if (TLS-Client-Cert-Issuer == "/DC=de/DC=xxxxx/CN=XXX Sub CA" && TLS-Client-Cert-Subject-Alt-Name-Dns =~ /\.XY\.xxxxx\.de$/) = noop
TLS-Client-Cert-X509v3-Extended-Key-Usage-OID is a list, do I have to check it in a different way?
Thanks in advance.
Daniel
Related
I have a table in a table structure like this:
[1] = {
[1] = {
category = "WORD",
cursor = <filtered>,
ptype = "STATEMENT",
ttype = "SERVICE",
value = "service",
<metatable> = <filtered>
},
[2] = {
category = "VARIABLE",
cursor = <filtered>,
ptype = "STATEMENT",
ttype = "IDENTIFIER",
value = "TestService",
<metatable> = <filtered>
},
[3] = {
ttype = "BRACE_BLOCK",
value = {
[1] = { ...
...
[2] = {
[1] = {
category = "WORD",
cursor = <filtered>,
ptype = "STATEMENT",
ttype = "SERVICE",
value = "service",
<metatable> = <filtered>
},
[2] = {
category = "VARIABLE",
cursor = <filtered>,
ptype = "STATEMENT",
ttype = "IDENTIFIER",
value = "HelloWorld",
<metatable> = <filtered>
},
I programmed a simply loop which looks for the first table with the ttype, filtered that information out and would like to assign the rest of the tokens until the next Service starts to corresponding service. My idea looks like that:
local found_service = 0
if found_service == 0 then
for k1, v1 in pairs (parse_tree) do
for i=1,#v1 do
if v1[i].ttype == "SERVICE" then
--Store wanted data in an object
found_service = 1
end
if (found_service == 1 and v1[i].ttype ~= "SERVICE") then
-- ->assign the rest to last found service
end
if found_service == 1 and v1[i].ttype == "SERVICE" then
-- ->Found the next service -->starting over
found_service = 0
end
end
end
end
The problem is that I stuck at index i, and v1[i] is a "SERVICE", so he enters directly the last if-clause, too. How do I end one loop-iteration (after the first if-clause). Or ist there a much better way to do this?
Thanks in advise.
Theo
I'm not sure if I understand your general idea, but here is the answer of how to skip loop body on first "SERVICE" capture event.
local found_service = 0
if found_service == 0 then
for k1, v1 in pairs (parse_tree) do
for i=1,#v1 do
if (found_service == 0 and v1[i].ttype == "SERVICE") then
--Store wanted data in an object
found_service = 1
else
if (found_service == 1 and v1[i].ttype ~= "SERVICE") then
-- ->assign the rest to last found service
end
if found_service == 1 and v1[i].ttype == "SERVICE" then
-- ->Found the next service -->starting over
found_service = 0
end
end
end
end
end
But I'm still don't get it what should be done on current record not "SERVICE" and found_service == 0. By the way, in my answer after found_service become 0 in third if, the first if could be true again.
If your idea is to build some kind of vector like:
SERVICE_1 (other ttype tables until next SERVICE)
SERVICE_2 (other ttype tables until next SERVICE)
...
In that case code could be:
local found_service = 0
if found_service == 0 then
for k1, v1 in pairs (parse_tree) do
for i=1,#v1 do
if (found_service == 0 and v1[i].ttype == "SERVICE") then
--Store wanted data in an object
found_service = 1
current_service = v1[i]
else
if (found_service == 1 and v1[i].ttype ~= "SERVICE") then
-- ->assign the rest to last found service
end
if found_service == 1 and v1[i].ttype == "SERVICE" then
-- ->Found the next service -->starting over
current_service = v1[i]
end
end
end
end
end
So I am trying to build my twitch bot through mIRC and I have been wanting it to timeout links for everysite except for any links from http://osu.ppy.sh/ and any links from http://puu.sh/ but block out anything else.
I have found script and tutorials but I cannot find anything that explains how to make an exception in enough detail to explain what each part of the exception is for nor can I find anything that includes these domains in the exception
Here is my old link protection script
on #*:text:*:#:linkpost $1-
on #*:action:*:#:linkpost $1-
on #*:notice:*:#:linkpost $1-
alias -l linkpost {
if ((!%p) && (!$hfind(permit,$nick))) { inc -u4 %p
var %purge /^!(link\so(n|ff)|(permit))\b/iS
var %domain com|edu|gov|mil|net|org|biz|info|name|museum|us|ca|uk
var %link /(?<=^|\s)((?>\S{3,8}:\/\/|w{3}\56)\S+)|\56( $+ %domain $+ )\b/iS
if ($findtok(%chanon1,#,1,32)) && ($nick(#,$nick,vr)) && ($regex($1-,%link)) {
timeout # $nick | /mode # -b $nick
msg # $nick You did not have permission to post a link ask a mod to !permit you
msg # /timeout $nick 1
}
elseif (($regex($1-,%purge)) && ($regml(1) = permit) && ($nick isop #) && ($$2 ison #)) {
hadd -mz permit $v1 30 | notice $v1 You have 30 seconds to post a link. Starting now!
msg # You now have 30 seconds to post a link!
}
elseif (($regml(1) = link on) && ($nick isop #)) {
goto $iif(!$istok(%chanon1,#,32),a,b) | :a | set %chanon1 $addtok(%chanon,#,32)
.msg # My Link Protection Is Now on in: $+($chr(2),#)
halt | :b | .msg # $nick $+ , my link protection is already on in $&
$+($chr(2),#,$chr(2)) !
}
elseif (($regml(1) = link off) && ($nick isop #)) {
goto $iif($istok(%chanon1,#,32),c,d) | :c | set %chanon1 $remtok(%chanon,#,1,32)
.msg # My Link Protection Is Now off in: $+($chr(2),#)
halt | :d | .msg # $nick $+ , My link protection is already off . $&
!
}
}
}
Any will be appreciated, there is no other commands or script currently for the bot.
Code after edit
on #*:text:*:#:linkpost $1-
on #*:action:*:#:linkpost $1-
on #*:notice:*:#:linkpost $1-
alias -l linkpost {
if ((!%p) && (!$hfind(permit,$nick))) { inc -u4 %p
var %purge /^!(link\so(n|ff)|(permit))\b/iS
var %domain com|edu|gov|mil|net|org|biz|info|name|museum|us|ca|uk
var %link /(?<=^|\s)((?>\S{3,8}:\/\/|w{3}\56)\S+)|\56( $+ %domain $+ )\b/iS
var %whitelistPattern = /.*http:\/\/(osu.ppy.sh|puu.sh)\/.*/i
if (!$regex($1-, %whitelistPattern)) {
return
}
if ($findtok(%chanon1,#,1,32)) && ($nick(#,$nick,vr)) && ($regex($1-,%link)) {
timeout # $nick | /mode # -b $nick
msg # $nick You did not have permission to post a link ask a mod to !permit you
msg # /timeout $nick 1
}
elseif (($regex($1-,%purge)) && ($regml(1) = permit) && ($nick isop #) && ($$2 ison #)) {
hadd -mz permit $v1 30 | notice $v1 You have 30 seconds to post a link. Starting now!
msg # You now have 30 seconds to post a link!
}
elseif (($regml(1) = link on) && ($nick isop #)) {
goto $iif(!$istok(%chanon1,#,32),a,b) | :a | set %chanon1 $addtok(%chanon,#,32)
.msg # My Link Protection Is Now on in: $+($chr(2),#)
halt | :b | .msg # $nick $+ , my link protection is already on in $&
$+($chr(2),#,$chr(2)) !
}
elseif (($regml(1) = link off) && ($nick isop #)) {
goto $iif($istok(%chanon1,#,32),c,d) | :c | set %chanon1 $remtok(%chanon,#,1,32)
.msg # My Link Protection Is Now off in: $+($chr(2),#)
halt | :d | .msg # $nick $+ , My link protection is already off . $&
!
}
}
}
A naive solution will be to add condition that will check the host and to stop the script from happening if it's not in the white list.
Change to this:
alias -l linkpost {
var %whitelistPattern = /.*http:\/\/(osu.ppy.sh|puu.sh)\/.*/i
if (!$regex($1-, %whitelistPattern)) {
return
}
; Rest of the current script
Fix: Forgot adding % before variable name.
I want to configure a freeradius server in the way that an authentication is successful only if NAS-IP-Address attribute is not empty and equals to some specific IP (of course a user name and a password match).
How should I do it? I have tried to read the documentation without success:
http://freeradius.org/rfc/attributes.html
http://freeradius.org/rfc/rfc2865.html#NAS-IP-Address
Sure, there are many ways of doing this.
authorize {
if (!NAS-IP-Address) {
reject
}
if (NAS-IP-Address != 192.168.0.2) {
reject
}
if ("%{sql:SELECT count(*) FROM table WHERE User-Name = '%{User-Name}' AND IP-Address = '%{NAS-IP-Address}'" == 0) {
reject
}
}
In v3.0.x subnet matching is also supported, where < > are reassigned to mean the set operators (< subset of) (> superset of).
if (!(<ipv4prefix>NAS-IP-Address < 192.168.0.0/16)) {
reject
}
NAS-IP-Address = 192.168.0.2
(0) ? if (<ipv4prefix>NAS-IP-Address < 192.168.0.0/16)
(0) ? if (<ipv4prefix>NAS-IP-Address < 192.168.0.0/16) -> TRUE
NAS-IP-Address = 192.169.0.2
(0) ? if (<ipv4prefix>NAS-IP-Address < 192.168.0.0/16)
(0) ? if (<ipv4prefix>NAS-IP-Address < 192.168.0.0/16) -> FALSE
I have list of days (from monday till sunday).
When a user selects monday till friday or saturday and sunday I want my app to show it's hyponym (weekdays/weekends).
Does iOS provide some default functionality for this (If i'm not mistaken the iOS Alarm app does the same) or do I have to write this functionality myself?
Provided that you have a NSArray with the selected days as numbers, named selectedDays, and that 0 and 6 are weekend days:
NSString *name = nil; // Fill this with the default values (concatenate all names of selected days)
bool days[] = {0,0,0,0,0,0,0};
for (NSNumber *day in selectedDays)
{
int d = [day intValue];
if (d >= 0 && d <= 6) days[d] = true;
}
if ( days[0] == true
&& days[1] == false
&& days[2] == false
&& days[3] == false
&& days[4] == false
&& days[5] == false
&& days[6] == true)
{
name = #"Weekend";
}
if ( days[0] == false
&& days[1] == true
&& days[2] == true
&& days[3] == true
&& days[4] == true
&& days[5] == true
&& days[6] == false)
{
name = #"Weekdays";
}
I am trying to run the following mplayer command in rails using session:
mplayer -identify -vo null -ao null -frames 0 text.mov
I use require "session" and the following code works great in an individual ruby file.
mb = "mplayer"
mi = "-identify -vo null -ao null -frames 0"
dimensions_bitrate = Hash.new
stdout, stderr = '', ''
shell = Session::Shell.new
shell.execute "#{mb} #{mi} #{filename}", :stdout => stdout, :stderr => stderr
vars = (stdout.split(/\n/).collect! { |o| o if o =~ /^ID_/ } ).compact!
vars.each { |v|
a, b = v.split("=")
eval "##{a.to_s.downcase} = \"#{b}\""
if a == "ID_VIDEO_WIDTH"
dimensions_bitrate[0] = b.to_i
elsif a == "ID_VIDEO_HEIGHT"
dimensions_bitrate[1] = b.to_i
elsif a == "ID_VIDEO_BITRATE"
dimensions_bitrate[2] = b.to_i
end
}
HOWEVER, I am unable to load the session gem into ROR. I am not sure what the problem is. If I add require "session", I get the following error:
no such file to load -- session
I figure I am missing something relatively straightforward.
Any ideas?
I could not get this to work, so I did the following:
stdout = %x["mplayer" "-identify" "-vo" "-ao" "null" "-frames" "0" "#{filename}"]
vars = (stdout.split(/\n/).collect! { |o| o if o =~ /^ID_/ } ).compact!
vars.each { |v|
a, b = v.split("=")
eval "##{a.to_s.downcase} = \"#{b}\""
if a == "ID_VIDEO_WIDTH"
dimensions_bitrate[0] = b.to_i
elsif a == "ID_VIDEO_HEIGHT"
dimensions_bitrate[1] = b.to_i
elsif a == "ID_VIDEO_BITRATE"
dimensions_bitrate[2] = b.to_i
end
}
and it worked great. hope this is of use to someone running command line from ROR. The key is to set each parameter as a string.