Multivalued attribute[*] comparisons

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed Nov 5 23:59:22 CET 2014


Master branch which will become 3.1 now supports multivalued conditions.

If an attribute with the '*' index is used in a condition, all values of that
attribute will be evaluated against the other operand.

If one set of values evaluates to true, no further values are checked and
the condition returns true.

update request {
	Tmp-String-0 := 'foo'
	Tmp-String-0 += 'bar'
	Tmp-String-0 += 'baz'

	Tmp-String-1 := 'aaa'
	Tmp-String-1 += 'bbb'
	Tmp-String-1 += 'ccc'
	Tmp-String-1 += 'bar'
}

#
# Yes, this is O(N^2) - worst case here is 12 comparisons
#
if (&Tmp-String-0[*] == &Tmp-String-1[*]) -> TRUE

if (&Tmp-String-1[*] =~ /cc$/) -> TRUE

If used with capture groups, contents will be from the first value that matched.

if (&Tmp-String-1 == 'bar') -> FALSE

if (&Tmp-String-1[*] == 'bar') -> TRUE

In theory this will allow

update request {
	Admin-Groups := 'admins'
	Admin-Groups += 'net-admins'
	Admin-Groups += 'Administrators'
}

if (LDAP-Group == &Admin-Groups[*])

But I believe the parser's condition rules will currently prevent that 
(will be fixed before 3.1 is released).

It also works for integers:

update request {
	Tmp-Integer-0 := 5
	Tmp-Integer-0 += 10
	Tmp-Integer-0 += 15
}

if (Tmp-Integer-0[*] > 15) -> FALSE

if (Tmp-Integer-0[*] < 5) -> FALSE

if (Tmp-Integer-0[*] < 10) -> TRUE

The evaluation code also avoids many of the temporary mallocs that it previously did, as the cast and comparison functions have been updated to work with value data, as well as value pairs.

The main use case for this feature is checking multiple group or authorization attributes for a value.

It also works with tag qualifiers.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
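
Added example, not part of the original post and not FreeRADIUS code: a small Python model of the any-match rule described above, reproducing the post's results and counting comparisons. It assumes an unindexed reference means the first value only, and it applies the same rule to != (an assumption, the post does not cover !=) to show why a negated group check should negate the positive match; all function names are hypothetical.

```python
import operator
import re

# Operators the model supports; '=~' is a regex search returning the match object.
OPS = {
    "==": operator.eq, "!=": operator.ne,
    "<": operator.lt, ">": operator.gt,
    "=~": lambda value, pattern: re.search(pattern, value),
}

def evaluate(lhs, op, rhs, lhs_all=False, rhs_all=False):
    """Model of `if (lhs op rhs)`.

    lhs / rhs are lists of attribute values (a literal is a one-item list).
    *_all=True models the [*] index; False models an unindexed reference,
    assumed here to mean the first value only.
    Returns (result, comparisons_done, match_object_or_None).
    """
    left = lhs if lhs_all else lhs[:1]
    right = rhs if rhs_all else rhs[:1]
    compare = OPS[op]
    done = 0
    for lv in left:
        for rv in right:
            done += 1
            hit = compare(lv, rv)
            if hit:
                # First true pair wins: no further values are checked.
                return True, done, hit if op == "=~" else None
    return False, done, None

# Constructed sample data mirroring the post's examples.
TMP_STRING_0 = ["foo", "bar", "baz"]
TMP_STRING_1 = ["aaa", "bbb", "ccc", "bar"]
TMP_INTEGER_0 = [5, 10, 15]

def is_member_any(user_groups, wanted):
    """Positive membership test: true if any value equals `wanted`."""
    return evaluate(user_groups, "==", [wanted], lhs_all=True)[0]

def naive_not_member(user_groups, banned):
    """Pitfall in this model: '!=' is true as soon as one value differs."""
    return evaluate(user_groups, "!=", [banned], lhs_all=True)[0]

def safe_not_member(user_groups, banned):
    """Negate the positive any-match instead of using '!=' with [*]."""
    return not is_member_any(user_groups, banned)
```

In this model a user holding both 'admins' and 'users' passes the naive "not in admins" test because 'users' differs from 'admins'; the negated positive match rejects them as intended.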


