configurable fail-over in unlang or policy doesn't force return?

Zenon Mousmoulas zmousm at noc.grnet.gr
Wed Aug 27 12:17:00 CEST 2014


On 2014-08-27 10:42, Arran Cudbard-Bell wrote:
> On 27 Aug 2014, at 08:10, Zenon Mousmoulas <zmousm at noc.grnet.gr> wrote:
> 
>> On 27 Aug 2014, at 3:43, Alan DeKok <aland at deployingradius.com> wrote:
>> 
>>> Zenon Mousmoulas wrote:
>>>> Forcing return within a policy doesn't seem to work; the return code
>>>> propagates correctly but processing doesn't stop.
>>> 
>>> Yes.  Policies are like subroutines.  You can return from a policy,
>>> but it doesn't affect the function which called the policy.
>> 
>> Unlang blocks as well?
> 
> I'm fairly sure it should return out of unlang blocks.

Using 3.0.4rc2 and such a configuration:

server inner_shortcircuit {
     authorize {
         mschap
         update request {
             EAP-VHost-ID := "%{outer.request:EAP-VHost-ID}"
         }
         update control {
             Proxy-To-Realm := LOCAL
         }
         if (&User-Name) {
             eap_abc {
                 ok = return
             }
         }
         files
         pap
     }
     [...]
}

Return doesn't seem to "short-circuit the rest of authorize":

Wed Aug 27 12:54:03 2014 : Debug: (6)  # Executing section authorize from file /etc/freeradius/sites-enabled/inner_shortcircuit
Wed Aug 27 12:54:03 2014 : Debug: (6)    authorize {
Wed Aug 27 12:54:03 2014 : Debug: (6)   modsingle[authorize]: calling mschap (rlm_mschap) for request 6
Wed Aug 27 12:54:03 2014 : Debug: (6)  modsingle[authorize]: returned from mschap (rlm_mschap) for request 6
Wed Aug 27 12:54:03 2014 : Debug: (6)    [mschap] = noop
Wed Aug 27 12:54:03 2014 : Debug: (6)    update request {
Wed Aug 27 12:54:03 2014 : Debug: (6)  EXPAND %{outer.request:EAP-VHost-ID}
Wed Aug 27 12:54:03 2014 : Debug: (6)     --> abc
Wed Aug 27 12:54:03 2014 : Debug: (6)  	EAP-VHost-ID := "abc"
Wed Aug 27 12:54:03 2014 : Debug: (6)    } # update request = noop
Wed Aug 27 12:54:03 2014 : Debug: (6)    update control {
Wed Aug 27 12:54:03 2014 : Debug: (6)  	Proxy-To-Realm := 'LOCAL'
Wed Aug 27 12:54:03 2014 : Debug: (6)    } # update control = noop
Wed Aug 27 12:54:03 2014 : Debug: (6)     if (&User-Name)
Wed Aug 27 12:54:03 2014 : Debug: (6)     if (&User-Name)  -> TRUE
Wed Aug 27 12:54:03 2014 : Debug: (6)    if (&User-Name)  {
Wed Aug 27 12:54:03 2014 : Debug: (6)   modsingle[authorize]: calling eap_abc (rlm_eap) for request 6
Wed Aug 27 12:54:03 2014 : Debug: (6)   eap_abc : Peer sent code Response (2) ID 6 length 14
Wed Aug 27 12:54:03 2014 : Debug: (6)   eap_abc : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
Wed Aug 27 12:54:03 2014 : Debug: (6)  modsingle[authorize]: returned from eap_abc (rlm_eap) for request 6
Wed Aug 27 12:54:03 2014 : Debug: (6)     [eap_abc] = ok
Wed Aug 27 12:54:03 2014 : Debug: (6)    } # if (&User-Name)  = ok
Wed Aug 27 12:54:03 2014 : Debug: (6)   modsingle[authorize]: calling files (rlm_files) for request 6
Wed Aug 27 12:54:03 2014 : Debug: (6)   files : users: Matched entry localuser at line 1
Wed Aug 27 12:54:03 2014 : Debug: (6)   files : ::: FROM 0 TO 0 MAX 0
Wed Aug 27 12:54:03 2014 : Debug: (6)   files : ::: TO in 0 out 0
Wed Aug 27 12:54:03 2014 : Debug: (6)  modsingle[authorize]: returned from files (rlm_files) for request 6
Wed Aug 27 12:54:03 2014 : Debug: (6)    [files] = ok
Wed Aug 27 12:54:03 2014 : Debug: (6)   modsingle[authorize]: calling pap (rlm_pap) for request 6
Wed Aug 27 12:54:03 2014 : WARNING: (6)   pap : Auth-Type already set.  Not setting to PAP
Wed Aug 27 12:54:03 2014 : Debug: (6)  modsingle[authorize]: returned from pap (rlm_pap) for request 6
Wed Aug 27 12:54:03 2014 : Debug: (6)    [pap] = noop
Wed Aug 27 12:54:03 2014 : Debug: (6)   } #  authorize = ok

While it does work if I remove the unlang block wrapping eap_abc:

[...]
Wed Aug 27 13:10:17 2014 : Debug: (16)   eap_abc : Peer sent code Response (2) ID 6 length 14
Wed Aug 27 13:10:17 2014 : Debug: (16)   eap_abc : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
Wed Aug 27 13:10:17 2014 : Debug: (16)  modsingle[authorize]: returned from eap_abc (rlm_eap) for request 16
Wed Aug 27 13:10:17 2014 : Debug: (16)    [eap_abc] = ok
Wed Aug 27 13:10:17 2014 : Debug: (16)   } #  authorize = ok


>>>> I'm not sure if this is by design? Using v3.0.x (not head but close).
>>> 
>>> It's by design.
> 
> Yes it's actually quite nice if the return stops at the depth of the
> policy call.

OK. If I can't return, I think I can't do this "short-circuit" for eap. 
Unless I am missing something?

Thanks,
Z.
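
A regression check for the behaviour reported in this message, as an added example that is not part of the original post or of FreeRADIUS: it reads debug output in the format shown above (tolerating mail-wrapped lines) and lists, per request, the authorize modules that still ran after the EAP module announced the short-circuit. The names SAMPLE, unwrap and modules_after_short_circuit are hypothetical, and the sample is constructed by abridging the two traces.

```python
import re

# Constructed sample, abridged from the two traces in the message. Request 6
# has eap_abc inside the "if" block; request 16 has it directly in authorize.
SAMPLE = """\
Wed Aug 27 12:54:03 2014 : Debug: (6)   modsingle[authorize]: calling
eap_abc (rlm_eap) for request 6
Wed Aug 27 12:54:03 2014 : Debug: (6)   eap_abc : EAP-Identity reply,
returning 'ok' so we can short-circuit the rest of authorize
Wed Aug 27 12:54:03 2014 : Debug: (6)    } # if (&User-Name)  = ok
Wed Aug 27 12:54:03 2014 : Debug: (6)   modsingle[authorize]: calling
files (rlm_files) for request 6
Wed Aug 27 12:54:03 2014 : Debug: (6)   modsingle[authorize]: calling pap (rlm_pap) for request 6
Wed Aug 27 12:54:03 2014 : Debug: (6)   } #  authorize = ok
Wed Aug 27 13:10:17 2014 : Debug: (16)   eap_abc : EAP-Identity reply,
returning 'ok' so we can short-circuit the rest of authorize
Wed Aug 27 13:10:17 2014 : Debug: (16)   } #  authorize = ok
"""

STAMP = re.compile(r"^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4} : ")
CALL = re.compile(r"\((\d+)\)\s+modsingle\[authorize\]: calling (\S+) \(rlm_")
SHORT = re.compile(r"\((\d+)\).*short-circuit the rest of authorize")
END = re.compile(r"\((\d+)\)\s+\} #\s+authorize = ")

def unwrap(text):
    """Rejoin continuation lines (those that do not start with a timestamp)."""
    lines = []
    for raw in text.splitlines():
        if STAMP.match(raw) or not lines:
            lines.append(raw.rstrip())
        else:
            lines[-1] += " " + raw.strip()
    return lines

def modules_after_short_circuit(text):
    """Map request id -> modules called after the short-circuit message."""
    armed, late = set(), {}
    for line in unwrap(text):
        if m := SHORT.search(line):
            armed.add(m.group(1))          # EAP asked to stop authorize
            late.setdefault(m.group(1), [])
        elif (m := CALL.search(line)) and m.group(1) in armed:
            late[m.group(1)].append(m.group(2))   # ran despite the return
        elif m := END.search(line):
            armed.discard(m.group(1))      # authorize section closed
    return late

if __name__ == "__main__":
    print(modules_after_short_circuit(SAMPLE))
```

An empty list for a request means the return took effect; any module names listed ran after it.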

