How to order FreeRADIUS attributes

I am configuring Freeradius. Input message is Access-Request with Proxy-State = 3134
Freeradius successfully performs authentication but it places Proxy-State at the bottom of Access-Accept. How can I configure that Freeradius places Framed-IP-Address at the bottom of the message?
I tried to configure "users" as:
381603854966 Auth-Type := Accept, User-Password == "123456"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Netmask = 255.255.255.0,
        User-Name = 381603854966,
        Framed-IP-Address = 10.10.40.22,
but without success - freeradius still puts Proxy-State at the bottom of Access-Accept. I also tried to configure policy.txt file like:
if (User-Name == "381603854966") {
    reply .= {
        Framed-IP-Address += "10.10.40.22"
    }
}
I also tried this in policy.txt:
reply .= {
    Framed-IP-Address = 10.10.40.22
}
didn't work. Anybody knows how can I place certain attribute at the bottom of the message?
Thank you, Mark

You can't. The server will add Proxy-State to the request before forwarding it upstream, and it'll always add it at the end of the list of attributes.
RFC 2865 section 5 states:
If multiple Attributes with the same Type are present, the order of
Attributes with the same Type MUST be preserved by any proxies. The
order of Attributes of different Types is not required to be
preserved. A RADIUS server or client MUST NOT have any dependencies
on the order of attributes of different types. A RADIUS server or
client MUST NOT require attributes of the same type to be contiguous.
If your application requires ordering of attributes of different types, it's not implementing the RADIUS protocol correctly and should be fixed.
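A receiver that follows the RFC rule quoted above looks attributes up by type, never by position. The C code below is an added example, not part of the original answer or of FreeRADIUS: the function names and the sample attribute bytes are constructed, Proxy-State = 3134 is assumed to mean the two bytes 0x31 0x34, and the second Proxy-State value is invented to show same-type ordering.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed attribute lists (the bytes after the 20-byte RADIUS header).
 * Type 8 = Framed-IP-Address, type 33 = Proxy-State (RFC 2865). A and B
 * differ only in where Framed-IP-Address sits; C swaps the two Proxy-State
 * values, which changes same-type order; BAD has a length past the end. */
static const uint8_t LIST_A[] = { 8,6,10,10,40,22, 33,4,0x31,0x34, 33,4,0x35,0x36 };
static const uint8_t LIST_B[] = { 33,4,0x31,0x34, 33,4,0x35,0x36, 8,6,10,10,40,22 };
static const uint8_t LIST_C[] = { 8,6,10,10,40,22, 33,4,0x35,0x36, 33,4,0x31,0x34 };
static const uint8_t LIST_BAD[] = { 8,6,10,10 };

/* Return the value length of the nth (0-based) attribute of `type` and point
 * *val at it; -1 if there is none, -2 if the list is malformed. Each attribute
 * is Type(1) Length(1) Value(Length-2), so Length must be at least 2. */
static int rad_find_attr(const uint8_t *buf, size_t len, uint8_t type,
                         unsigned nth, const uint8_t **val)
{
    int found = -1;
    for (size_t off = 0; off < len; off += buf[off + 1]) {
        if (len - off < 2 || buf[off + 1] < 2 || buf[off + 1] > len - off)
            return -2;
        if (found == -1 && buf[off] == type && nth-- == 0) {
            *val = buf + off + 2;
            found = buf[off + 1] - 2;
        }
    }
    return found;
}

/* Position-independent lookup: Framed-IP-Address as a host-order integer,
 * or 0 if it is absent or the list is malformed. */
static uint32_t rad_framed_ip(const uint8_t *buf, size_t len)
{
    const uint8_t *v = NULL;
    if (rad_find_attr(buf, len, 8, 0, &v) != 4)
        return 0;
    return ((uint32_t)v[0] << 24) | ((uint32_t)v[1] << 16) |
           ((uint32_t)v[2] << 8) | v[3];
}

/* Two lists are equivalent under RFC 2865 section 5 when, for every type,
 * they carry the same values in the same relative order. */
static int rad_lists_equivalent(const uint8_t *a, size_t alen,
                                const uint8_t *b, size_t blen)
{
    for (unsigned type = 0; type < 256; type++) {
        for (unsigned nth = 0; ; nth++) {
            const uint8_t *va = NULL, *vb = NULL;
            int la = rad_find_attr(a, alen, (uint8_t)type, nth, &va);
            int lb = rad_find_attr(b, blen, (uint8_t)type, nth, &vb);
            if (la == -2 || lb == -2 || la != lb)
                return 0;
            if (la == -1)
                break;                  /* no more attributes of this type */
            if (memcmp(va, vb, (size_t)la) != 0)
                return 0;
        }
    }
    return 1;
}

int main(void)
{
    return rad_lists_equivalent(LIST_A, sizeof LIST_A, LIST_B, sizeof LIST_B) ? 0 : 1;
}
```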

Related

"Dereference" a sub-resource in the Azure Python SDK return value

I would like to retrieve the public IP address associated with a given network interface. I need to do something like
client = NetworkManagementClient(...)
interface = client.network_interfaces.get('rg', 'nic-name')
ip_config_id = interface[0].public_ip_address.id
ip_config = some_magic(ip_config_id) # What goes here?
return ip_config.ip_address
This question suggests that in order to implement the some_magic routine, I should parse the ID (by splitting on slashes) and call client.public_ip_addresses.get(). This question indicates that I can call resource_client.resources.get_by_uid, but that doesn't return a PublicIPAddress object (I know I can call as_dict on it and get the data that way).
Is there a way to get an object of the appropriate type (in this case PublicIPAddress) from an object's ID in Azure (without manually parsing the ID)?
Update:
Due to this issue: public_ip_address method within NetworkManagementClient will not return values, we cannot fetch the ip address from PublicIPAddress.
So currently, you can use any other workaround, For example:
myip = client.public_ip_addresses.get("resource_group_name", "public_ip_address_name")
print(myip.ip_address)
You can change this line of code ip_config_id = interface[0].public_ip_address.id to something like my_public_ip_address = interface.ip_configurations[0].public_ip_address, then the return type is PublicIPAddress.
For example:

Zstack read attribute

I want to know how can I read some attribute on local and remote zigbee device using TI zstack and how to put its value to uart. I'm zstack beginner. I managed to use uart with usb to uart converter and can send data to my pc. So I need to know how to get the attribute data. I've read api manual but didn't understand how to use zcl_SendRead function. Thanks.
Follow section "3.3 Send Read" of the "Z-Stack ZCL API.pdf" this should contain enough info for getting the read attr to the correct destination device. The contents of the readCmd is an array of attribute ID's, specific to the attribute(s) you want to read. You will need to consult the ZCL specification or device documentation to determine the correct Attr ID and Cluster ID.
An example for sending a read attr is shown below. It reads the ATTRID_MS_TEMPERATURE_MEASURED_VALUE attribute (from the ZCL_CLUSTER_ID_MS_TEMPERATURE_MEASUREMENT cluster) from device with short address 0x1234 and endpoint 0x1.
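afAddrType_t dstAddr;
zclReadCmd_t *cmd;
dstAddr.addrMode = afAddr16Bit;
dstAddr.addr.shortAddr = 0x1234; // set this to correct address
dstAddr.endPoint = 0x1; // set this to correct ep (endPoint is a direct member of afAddrType_t)
// zclReadCmd_t ends in a variable-length attrID[] array: allocate room for one attribute ID
cmd = osal_mem_alloc(sizeof(zclReadCmd_t) + sizeof(uint16));
if (cmd != NULL) {
  cmd->numAttr = 1;
  cmd->attrID[0] = ATTRID_MS_TEMPERATURE_MEASURED_VALUE;
  // hdr comes from the calling context, which the original snippet does not show
  zcl_SendRead( SAMPLETHERMOSTAT_ENDPOINT, &dstAddr,
                ZCL_CLUSTER_ID_MS_TEMPERATURE_MEASUREMENT,
                cmd, ZCL_FRAME_CLIENT_SERVER_DIR,
                hdr->fc.disableDefaultRsp, hdr->transSeqNum );
  osal_mem_free(cmd); // release the command buffer after the send call
}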
Once this command is sent you need to process the received response. You will notice that the functions are contained in the ZStack Sample Applications but not populated, for instance the SampleSwitch application has zclSampleSw_ProcessInReadRspCmd() function, this will be called to process the read attr response and you will need to populate it to do what you want to do with the response.
Regards,
TC.

What are the concepts of policies and attributes in generic netlink?

I am new in netlink programming. I am writing a generic netlink program for creating a netlink protocol family. I have searched many documents on the internet and I found something "Attributes and Policies" like things
for defining a netlink family.
I am totally confused with these things.
I found something like below about attributes in linux/netlink.h
 <------- NLA_HDRLEN ------>       <-- NLA_ALIGN(payload)-->
+---------------------------+- - -+- - - - - - - - - -+- - -+
|          Header           | Pad |      Payload      | Pad |
|      (struct nlattr)      | ing |                   | ing |
+---------------------------+- - -+- - - - - - - - - -+- - -+
 <-------------------- nlattr->nla_len -------------->
And policy is an array of nla_policy structures.
My questions are:
What is the relation between header and attribute? Please explain
"Attributes".
What is policy, what is need of it and why do we use an array for this?
I found something about policies like "it defines types of attributes",
what does this mean? I mean "what is the meaning of type of attribute?"
It may be a nonsense question, but I am totally confused. I have been trying to understand these things for more than three days, please help me.
Thanks..
When creating/using netlink protocols, netlink attributes are intended to give the protocol a clean self documenting layout that allows for future extensibility. Meaning if you were wanting to use a different data type in addition to the ones that already exist in your current protocol, the code would be compatible without breaking the operations that already exist.
The "attributes" are protocol dependent, and relate to a specific message
being sent using said protocol.
Using the taskstats interface as an example:
taskstat attributes:
enum {
    TASKSTATS_CMD_ATTR_UNSPEC = 0,
    TASKSTATS_CMD_ATTR_PID,
    TASKSTATS_CMD_ATTR_TGID,
    TASKSTATS_CMD_ATTR_REGISTER_CPUMASK,
    TASKSTATS_CMD_ATTR_DEREGISTER_CPUMASK,
    __TASKSTATS_CMD_ATTR_MAX,
};
In these attributes you could easily "extend" them by adding in a custom attribute between UNSPEC and MAX mapping that attribute to a specific function or operation needed.
kernel-space taskstat policy:
static const struct nla_policy taskstats_cmd_get_policy[TASKSTATS_CMD_ATTR_MAX+1] = {
    [TASKSTATS_CMD_ATTR_PID] = { .type = NLA_U32 },
    [TASKSTATS_CMD_ATTR_TGID] = { .type = NLA_U32 },
    [TASKSTATS_CMD_ATTR_REGISTER_CPUMASK] = { .type = NLA_STRING },
    [TASKSTATS_CMD_ATTR_DEREGISTER_CPUMASK] = { .type = NLA_STRING },
};
I believe you've already come across the definition for struct nlattr, an example of loading this struct's fields using the NETLINK_GENERIC protocol and the taskstats interface:
struct nlattr na;
na.nla_type = CTRL_ATTR_FAMILY_NAME; // defined in linux/genetlink.h
// nla_len covers the attribute header plus the payload (see the diagram in linux/netlink.h)
na.nla_len = NLA_HDRLEN + strlen(TASKSTATS_GENL_NAME) + 1; // TASKSTATS_GENL_NAME is defined in linux/taskstats.h
// note: you will need to copy/access nlattr data in the same way the NLMSG_DATA
// macro operates.
Now on the kernel side when parsing these attributes the associated functions will be called and intended actions on how to proceed.
I'm not sure if the diagram you posted is throwing you off but, to zoom out a bit
to give you a larger perspective:
As per the kernel source v3.16 include/net/netlink.h:
/* ========================================================================
 *         Netlink Messages and Attributes Interface (As Seen On TV)
 * ------------------------------------------------------------------------
 *                          Messages Interface
 * ------------------------------------------------------------------------
 *
 * Message Format:
 *    <--- nlmsg_total_size(payload) --->
 *    <-- nlmsg_msg_size(payload) ->
 *   +----------+- - -+-------------+- - -+-------- - -
 *   | nlmsghdr | Pad |   Payload   | Pad | nlmsghdr
 *   +----------+- - -+-------------+- - -+-------- - -
 *   nlmsg_data(nlh)---^                   ^
 *   nlmsg_next(nlh)-----------------------+
 *
 * Payload Format:
 *    <---------------------- nlmsg_len(nlh) --------------------->
 *    <------ hdrlen ------>       <- nlmsg_attrlen(nlh, hdrlen) ->
 *   +----------------------+- - -+--------------------------------+
 *   |     Family Header    | Pad |           Attributes           |
 *   +----------------------+- - -+--------------------------------+
 *   nlmsg_attrdata(nlh, hdrlen)---^
Here you can see that the header and payload diagram you posted are but parts of a larger payload. That segment goes along with a struct nlmsghdr in the message format.
Now on policy, when sending netlink messages the sender needs to adhere to the protocol
format. The receiver of the message will use struct nla_policy to validate the attributes before the payload is accessed.
The "family" or identifier is used by the kernel to keep track of the appropriate protocol interface to be communicating with, whether standard protocol or custom as with Generic Netlink.
When you ask "Can we avoid this?", if you're extending netlink by writing your own custom generic netlink protocol these exist to allow that protocol to be easily adjusted and maintained without going through and changing/fixing all operations associated with it or flat-out having the protocol break down. How else would you suggest parsing through nested messages with different data-types without an associated length or type? The type and length are there to allow parsing of the message on the correct alignments and allow the desired actions to take place. Without the attributes type giving the payload a label how would you interpret it, "what is" the payload? Without the length how would you know "how large" the payload is? There could be multiple payloads all with different lengths without something to distinguish their sizes there is no way to be able to tell where one starts and the other ends.
Here is a link to the libnl (a library for working with netlink sockets, and is highly recommended) documentation attributes.
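To make the role of the policy array concrete, the following C program is an added example (not from the original answer, the kernel or libnl): a userspace receiver that walks a stream of attributes and checks each one against a per-type policy table before exposing its payload. It assumes a hypothetical two-attribute family; `attr_hdr`, the `demo_*` names and the sample values are invented, and the checks are a simplified, stricter stand-in for the kernel's own parsing.

```c
#include <stdint.h>
#include <string.h>

/* Local mirror of struct nlattr, NLA_ALIGN and NLA_HDRLEN (linux/netlink.h). */
struct attr_hdr { uint16_t nla_len; uint16_t nla_type; };
#define ATTR_ALIGN(n) (((size_t)(n) + 3u) & ~(size_t)3u)
#define ATTR_HDRLEN   ATTR_ALIGN(sizeof(struct attr_hdr))

/* Hypothetical family: attribute numbers, then one policy entry per number. */
enum { DEMO_ATTR_UNSPEC, DEMO_ATTR_PID, DEMO_ATTR_NAME, DEMO_ATTR_COUNT };
enum demo_kind { KIND_UNSPEC, KIND_U32, KIND_STRING };
struct demo_policy { enum demo_kind kind; size_t maxlen; };
static const struct demo_policy demo_policy[DEMO_ATTR_COUNT] = {
    [DEMO_ATTR_PID]  = { .kind = KIND_U32 },
    [DEMO_ATTR_NAME] = { .kind = KIND_STRING, .maxlen = 15 },
};

/* Check every attribute against the policy and record its payload in tb[type].
 * Returns 0, or -1 on a framing or policy violation; unknown types are skipped. */
static int demo_parse(const uint8_t *buf, size_t len, const uint8_t **tb)
{
    memset(tb, 0, sizeof(tb[0]) * DEMO_ATTR_COUNT);
    while (len >= ATTR_HDRLEN) {
        struct attr_hdr h;
        memcpy(&h, buf, sizeof h);              /* no unaligned reads */
        if (h.nla_len < ATTR_HDRLEN || h.nla_len > len)
            return -1;                          /* nla_len overruns the buffer */
        size_t plen = h.nla_len - ATTR_HDRLEN;
        const uint8_t *p = buf + ATTR_HDRLEN;
        if (h.nla_type > 0 && h.nla_type < DEMO_ATTR_COUNT) {
            const struct demo_policy *pol = &demo_policy[h.nla_type];
            if (pol->kind == KIND_U32 && plen != sizeof(uint32_t))
                return -1;
            if (pol->kind == KIND_STRING &&
                (plen == 0 || plen > pol->maxlen + 1 || p[plen - 1] != '\0'))
                return -1;
            tb[h.nla_type] = p;
        }
        size_t step = ATTR_ALIGN(h.nla_len) < len ? ATTR_ALIGN(h.nla_len) : len;
        buf += step;
        len -= step;
    }
    return len == 0 ? 0 : -1;                   /* leftover bytes: reject */
}

/* Append header, payload and zero padding; the caller provides enough room. */
static size_t demo_put(uint8_t *buf, size_t off, uint16_t type,
                       const void *data, uint16_t dlen)
{
    struct attr_hdr h = { (uint16_t)(ATTR_HDRLEN + dlen), type };
    memset(buf + off, 0, ATTR_ALIGN(h.nla_len));
    memcpy(buf + off, &h, sizeof h);
    memcpy(buf + off + ATTR_HDRLEN, data, dlen);
    return off + ATTR_ALIGN(h.nla_len);
}

/* Build a constructed PID + NAME message and parse it back. Returns the PID,
 * or -1 if rejected. pid_len lets the caller send a PID of the wrong size. */
static long demo_roundtrip(uint16_t pid_len, const char *name)
{
    uint8_t msg[64];
    uint32_t pid[2] = { 4242, 0 }, out;
    const uint8_t *tb[DEMO_ATTR_COUNT];
    size_t n = demo_put(msg, 0, DEMO_ATTR_PID, pid, pid_len);
    n = demo_put(msg, n, DEMO_ATTR_NAME, name, (uint16_t)(strlen(name) + 1));
    if (demo_parse(msg, n, tb) != 0)
        return -1;
    memcpy(&out, tb[DEMO_ATTR_PID], sizeof out);
    return (long)out;
}

int main(void) { return demo_roundtrip(4, "worker") == 4242 ? 0 : 1; }
```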

Cakephp get details about security component error

I am using security component in my projects and is there any way to get the detailed description about the error while developing? For example, if any field is added in view without using cakephp's form method, it is returning error as 'auth' in my blackHoleCallback function. Instead I need because of what reason it returned that error. Because it is taking so much time to rectify the problem. Is there any way to get the detailed error description?
All you have to do is look in the right place
Check your app/tmp/logs/error.log file
If you look in the error log you'll see an entry like this:
2013-03-16 17:24:29 Error: [BadRequestException] The request has been black-holed
#0 root/lib/Cake/Controller/Component/SecurityComponent.php(228): SecurityComponent->blackHole(Object(FacebookUsersController), 'csrf')
#1 [internal function]: SecurityComponent->startup(Object(FacebookUsersController))
#2 root/lib/Cake/Utility/ObjectCollection.php(130): call_user_func_array(Array, Array)
#3 [internal function]: ObjectCollection->trigger(Object(CakeEvent))
#4 root/lib/Cake/Event/CakeEventManager.php(246): call_user_func(Array, Object(CakeEvent))
#5 root/lib/Cake/Controller/Controller.php(670): CakeEventManager->dispatch(Object(CakeEvent))
#6 root/lib/Cake/Routing/Dispatcher.php(183): Controller->startupProcess()
#7 root/lib/Cake/Routing/Dispatcher.php(161): Dispatcher->_invoke(Object(FacebookUsersController), Object(CakeRequest), Object(CakeResponse))
#8 root/app/webroot/index.php(96): Dispatcher->dispatch(Object(CakeRequest), Object(CakeResponse))
#9 {main}
Read the error that is on screen
If you are in debug mode, this error is also shown on screen when the error happens. e.g.:
The request has been black-holed
Error: The requested address '/admin/fooby/edit/1' was not found on this server.
Stack Trace
CORE/Cake/Controller/Component/SecurityComponent.php line 228 → SecurityComponent->blackHole(FacebookUsersController, string)
[internal function] → SecurityComponent->startup(FacebookUsersController)
CORE/Cake/Utility/ObjectCollection.php line 130 → call_user_func_array(array, array)
[internal function] → ObjectCollection->trigger(CakeEvent)
CORE/Cake/Event/CakeEventManager.php line 246 → call_user_func(array, CakeEvent)
CORE/Cake/Controller/Controller.php line 670 → CakeEventManager->dispatch(CakeEvent)
CORE/Cake/Routing/Dispatcher.php line 183 → Controller->startupProcess()
CORE/Cake/Routing/Dispatcher.php line 161 → Dispatcher->_invoke(FacebookUsersController, CakeRequest, CakeResponse)
APP/webroot/index.php line 96 → Dispatcher->dispatch(CakeRequest, CakeResponse)
Handling csrf errors
With the details of a specific error (i.e. the data you are posting, and the exact token data in your session at the time) it would be possible to answer what problem brought you here, in the absence of that:
look at the line throwing the error.
In the stack trace above, the error is coming from CORE/Cake/Controller/Component/SecurityComponent.php line 228 - Open the file and look what that code is:
if ($isPost && $isNotRequestAction && $this->csrfCheck) {
    if ($this->_validateCsrf($controller) === false) {
        return $this->blackHole($controller, 'csrf');
    }
}
What should be obvious from this is that the function _validateCsrf is responsible for the request being blackholed. This should not really be much of a surprise.
Look at the source of that function:
protected function _validateCsrf(Controller $controller) {
    $token = $this->Session->read('_Token');
    $requestToken = $controller->request->data('_Token.key');
    if (isset($token['csrfTokens'][$requestToken]) && $token['csrfTokens'][$requestToken] >= time()) {
        if ($this->csrfUseOnce) {
            $this->Session->delete('_Token.csrfTokens.' . $requestToken);
        }
        return true;
    }
    return false;
}
Depending on why that function returns false, determines how you continue to debug.
Correct configuration of the component
The inevitable consequence of debugging a CSRF error is you'll need to modify the configuration of the Security component.
Do you, for example, want to be reusing tokens, because your app is submitting the same form multiple times between page loads?
Are you self-invalidating the form requests by adding new fields to the form data - You can use the unlockedFields property to exclude these fields from the csrf checks.
You can also simply disable CSRF checks completely. That has obvious security consequences - but if you're struggling to work with the component, it's an easy way to work around any problems you currently face.
In order to see the mechanisms I dug into the code to see how the FormHelper hash is created vs. how the SecurityComponent validation checks the hash. Here's how to see exactly what is happening behind the scenes.
Checking the input to the FormHelper. Open CORE/Cake/View/Helper/FormHelper.php. In the secure() function add some pr lines around the $fields = Security::hash line to see how the tokens are built:
pr($fields);//hashed into computed token on next line
$fields = Security::hash(serialize($fields) . $unlocked . Configure::read('Security.salt'), 'sha1');
pr($unlocked); //hashed into computed token
pr(Configure::read('Security.salt')); //hashed into computed token
pr($fields); //computed token passed via hidden token field in form
Check how form is processed
Now check how the submitted form is processed and compared to the passed token:
Open the CORE/Cake/Controller/Component/SecurityComponent.php. Insert some pr lines in the _validatePost() routine at the end:
pr($fieldList); //hashed into computed token
pr($unlocked); //hashed into computed token
pr(Configure::read('Security.salt')); //hashed into computed token
pr($token); //passed token from FormHelper
pr($check); //computed token
Hopefully this helps someone else who has problems with locked/unlocked or missing fields quickly figure out what is going on inside of your cake.
Remember also that you have to have an exact match between the Token generated by the FormHelper and that retrieved by cake using Session. The mismatch can happen, as the doc says, when you dynamically generate input or when you make an ajax call: remember to serialize the form and submit it via ajax!
If you have input tags not generated by using the FormHelper, you have to unlock'em. For example in your beforeFilter():
$this->Security->unlockedFields =
    array('MyModel.some_field1','MyModel.some_field2');
where field1 and field2 are fields generated "by hand", i.e. by not using the Helper.
To answer the question: "Is there any way to get the detailed error description?"
First thing is to add more valuable debugging to your controller when it comes to SecurityComponent. Here's one way to do it:
public function beforeFilter() {
    parent::beforeFilter();
    //your beforeFilter code
    //Enable CSRF and other protections
    $this->Security->csrfExpires = '+1 hour';
    $this->Security->csrfUseOnce = true;
    $this->Security->blackHoleCallback = 'blackhole';
}
public function blackhole($errorType) {
    $errorMap['auth'] = 'form validation error, or a controller/action mismatch error.';
    $errorMap['csrf'] = 'CSRF error.';
    $errorMap['get'] = 'HTTP method restriction failure.';
    $errorMap['post'] = $errorMap['get'];
    $errorMap['put'] = $errorMap['get'];
    $errorMap['delete'] = $errorMap['get'];
    $errorMap['secure'] = 'SSL method restriction failure.';
    $errorMap['myMoreValuableErrorType'] = 'My custom and very ' .
        'specific reason for the error type.';
    CakeLog::notice("Request to the '{$this->request->params['action']}' " .
        "endpoint was blackholed by SecurityComponent due to a {$errorMap[$errorType]}");
}
As AD7six mentioned, take a look at the CORE/Cake/Controller/Component/SecurityComponent.php. Specifically SecurityComponent::startup(). In that method you will notice that SecurityComponent::blackhole() method is run a few times. It's run whenever the criteria fails a security check and looks like this:
return $this->blackHole($controller, 'auth');
In this case 'auth' represents the type of security check that failed. You could customize the 'auth' string to be more valuable. For example instead of 'auth' use 'myMoreValuableErrorType' and then map that to something more meaningful.
So instead of running $this->blackHole($controller, 'auth') when a security check fails, you would run $this->blackHole($controller, 'myMoreValuableErrorType') and then map 'myMoreValuableErrorType' to a specific reason on why it failed by using the code above.

Searching the Registry for a key - JScript

Is there a way to search the Registry for a specific key using Windows Scripting Host?
I'm using JavaScript (Jscript/VBScript?) to do so, and the msdn Library doesn't mention any such method: http://msdn.microsoft.com/en-us/library/2x3w20xf(v=VS.85).aspx
Thanks,
So here's an update to the problem:
The problem is a bit more complicated than a direct registry search. I have to look through the installed products on a windows box, to find a specific product entry that I want to delete. The registry path is defined as:
HKEY_LOCAL_MACHINE\Software\Microsoft...\Products.
Within the Products key, the installed products are listed, but their keys are defined as hash codes. Within the product keys are other keys with defined names and defined values. I want to be able to search on the latter keys and values. How can I do that, by-passing the unknown hash codes?
For example, I need to find a product with DisplayVersion key = 1.0.0. The path to that key is:
HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\Products\A949EBE4EED5FD113A0CB40EED7D0258\InstallProperties\DisplayVersion.
How can I either pick up, or avoid writing, the product key: A949EBE4EED5FD113A0CB40EED7D0258 ??
Assuming you're using JScript via the Windows Scripting Host (and not JavaScript from a browser) you can get the value of a specific key using the WScript.RegRead method:
// MyScript.js
var key = 'HKEY_CURRENT_USER\\SessionInformation\\ProgramCount'
  , wsh = WScript.CreateObject('WScript.Shell')
  , val = wsh.RegRead(key);
WScript.Echo('You are currently running ' + val + ' programs.');
If you actually need to search for a key or value based on some conditions rather than a known registry key then you can implement your own recursive search algorithm where registry values of type "REG_SZ" are leaf nodes.
As an exercise to get more familiar with JScript on the Windows Scripting Host, I've made a small interface to the registry that does exactly this. The example included in the project shows how to perform such a registry search in a WSF script:
<job id="FindDisplayVersions">
  <script language="jscript" src="../registry.js"/>
  <script language="jscript">
    // Search the registry and gather 20 DisplayVersion values.
    var reg = new Registry()
      , rootKey = 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products'
      , keyRegex = /Products\\(.*?)\\InstallProperties\\DisplayVersion$/
      , valRegex = /^1\./
      , maxResults = 20
      , uids = [];
    reg.find(rootKey, function(path, value) {
      var keyMatch = keyRegex.exec(path);
      if (keyMatch) {
        if (valRegex.exec(value)) {
          uids.push(keyMatch[1] + '\t=\t' + value);
          if (uids.length >= maxResults) { return false; } // Stop searching
        }
      }
      return true; // Keep searching.
    });
    WScript.Echo(uids.join("\n"));
  </script>
</job>
Note that, as @Robert Harvey points out, this could take a really long time if the root key is too deeply connected. Simple testing takes only a few seconds on the key I chose but your mileage may vary; of course, no warranty or fitness for a purpose, don't blame me if your computer blows up.
http://code.google.com/p/jslibs/
if you don't find it there, you have to implement it yourself
