Applying the same rule to multiple values in an attribute/config value

Stefan Paetow Stefan.Paetow at jisc.ac.uk
Wed Feb 13 00:26:20 CET 2019


Wicked, thank you. 

Also, I figured out how to resolve the other problem. Instead of looping, I do this:

Define rfc7542_suffix = 'example.com|another.example.com|example.obsolete.com|still.in.use.com'

rfc7542.authorize {
    if (&request:User-Name =~ /([a-zA-Z0-9\.-]+)!([a-zA-Z0-9\.-]*)\@(.+)/) {
        #  do this otherwise %{3} does not resolve in the comparison
        update control {
            RFC7542-String-1 := "%{1}"
            RFC7542-String-2 := "%{3}"
        }
        if (!(&control:RFC7542-String-1 =~ /^(${policy.rfc7542_suffix})$/) && \
            (&control:RFC7542-String-2 =~ /^(${policy.rfc7542_suffix})$/)) {
            bangpath
        }
        if ((&control:RFC7542-String-1 =~ /^(${policy.rfc7542_suffix})$/) && \
            !(&control:RFC7542-String-2 =~ /^(${policy.rfc7542_suffix})$/)) {
            bangpath
        }
        update control {
            RFC7542-String-1 !* ANY
            RFC7542-String-2 !* ANY
        }
    }
}

The ${policy.rfc7542_suffix} value gets expanded into a pretty /^(value|value2|value3)$/ regex, and hey presto... I look for the realm in the list, regex says yes or no, and I can apply the new 'bangpath' realm processor. 

The only thing on which I and someone else diverge is that I've defined two strings because I don't accidentally want to trample all over any potentially-defined Tmp-String-* attributes. What say you? Better this way, or Tmp-String-* be damned?

:-)

Stefan Paetow
Consultant, Trust and Identity


On 12/02/2019, 17:42, "Freeradius-Users on behalf of Alan DeKok" <freeradius-users-bounces+stefan.paetow=jisc.ac.uk at lists.freeradius.org on behalf of aland at deployingradius.com> wrote:

    On Feb 12, 2019, at 10:54 AM, Stefan Paetow <Stefan.Paetow at JISC.AC.UK> wrote:
    > What would you like me to call that new realm configuration (if I were to want to submit this upstream)?
    > 
    > bangrealm? bang_realm? 
    > 
    > Gimme a name and I'll submit an upstream PR for the new realm entry :-)
    
      Call it "bangpath".  It's a familiar term, and people should know what it means.
    
      Alan DeKok.
    
    

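Added example, not part of the original post or of FreeRADIUS: a Python model of the policy's decision, showing which User-Name values reach `bangpath` and that the unescaped dots in the posted suffix list let the expanded regex match more than the four literal realms. Python's `re` stands in for the server's regex engine (an assumption), and the function names and sample User-Names are constructed for illustration.

```python
import re

# Suffix list exactly as posted; the dots are unescaped regex metacharacters.
RFC7542_SUFFIX = "example.com|another.example.com|example.obsolete.com|still.in.use.com"
# The User-Name pattern from the policy ('\@' in unlang is a literal '@').
USER_RE = re.compile(r"([a-zA-Z0-9\.-]+)!([a-zA-Z0-9\.-]*)@(.+)")


def build_suffix_re(suffix_list, escape=False):
    """Model the ${policy.rfc7542_suffix} expansion into /^(a|b|c)$/."""
    parts = suffix_list.split("|")
    if escape:
        parts = [re.escape(p) for p in parts]  # treat each realm as a literal
    return re.compile("^(" + "|".join(parts) + ")$")


def calls_bangpath(user_name, suffix_re):
    """True when exactly one of the two captured realms is in the list,
    which is what the two 'if' blocks in the policy test between them."""
    m = USER_RE.search(user_name)
    if m is None:
        return False  # no 'realm!user@realm' form, policy body is skipped
    in_first = suffix_re.search(m.group(1)) is not None  # RFC7542-String-1
    in_last = suffix_re.search(m.group(3)) is not None   # RFC7542-String-2
    return in_first != in_last


if __name__ == "__main__":
    as_posted = build_suffix_re(RFC7542_SUFFIX)
    escaped = build_suffix_re(RFC7542_SUFFIX, escape=True)
    # Constructed sample User-Names, not taken from any real deployment.
    samples = [
        "example.com!alice@other.org",
        "other.org!alice@example.com",
        "example.com!alice@still.in.use.com",
        "alice@example.com",
        "exampleXcom!alice@other.org",
    ]
    for name in samples:
        print(f"{name:40} as_posted={calls_bangpath(name, as_posted)!s:5} "
              f"escaped={calls_bangpath(name, escaped)}")
```

The last sample differs between the two columns: with the list as posted, `exampleXcom` is accepted as `example.com`, while escaping the dots in the list restricts the match to the literal realm names.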


