Multivalued attribute[*] comparisons
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Wed Nov 5 23:59:22 CET 2014
Master branch which will become 3.1 now supports multivalued conditions.
If an attribute with the '*' index is used in a condition, all values of that
attribute will be evaluated against the other operand.
If one set of values evaluates to true, no further values are checked and
the condition returns true.

update request {
    Tmp-String-0 := 'foo'
    Tmp-String-0 += 'bar'
    Tmp-String-0 += 'baz'
    Tmp-String-1 := 'aaa'
    Tmp-String-1 += 'bbb'
    Tmp-String-1 += 'ccc'
    Tmp-String-1 += 'bar'
}

#
#  Yes this is O(N^2) - worst case here is 12 comparisons
#
if (&Tmp-String-0[*] == &Tmp-String-1[*]) -> TRUE

if (&Tmp-String-1[*] =~ /cc$/) -> TRUE

If used with capture groups, contents will be from the first value that matched.

if (&Tmp-String-1 == 'bar') -> FALSE
if (&Tmp-String-1[*] == 'bar') -> TRUE

In theory this will allow

update request {
    Admin-Groups := 'admins'
    Admin-Groups += 'net-admins'
    Admin-Groups += 'Administrators'
}

if (LDAP-Group == &Admin-Groups[*])

But I believe the parser's condition rules will currently prevent that
(will be fixed before 3.1 is released).
It also works for integers:

update request {
    Tmp-Integer-0 := 5
    Tmp-Integer-0 += 10
    Tmp-Integer-0 += 15
}

if (Tmp-Integer-0[*] > 15) -> FALSE
if (Tmp-Integer-0[*] < 5) -> FALSE
if (Tmp-Integer-0[*] < 10) -> TRUE

The evaluation code also avoids many of the temporary mallocs that it previously did, as the cast and comparison functions have been updated to work with value data, as well as value pairs.
The main use case for this feature is checking multiple group or authorizational attributes for a value.
It also works with tag qualifiers.
-Arran
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
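
The evaluation rule described in the message above, as an added Python model (not part of the original message and not FreeRADIUS code). The function names `values`, `evaluate` and `regex_match` are hypothetical; the attribute values are the ones from the message, and an attribute referenced without `[*]` is modelled as its first value, which matches the FALSE result shown.

```python
import operator
import re

# Constructed model of the rule stated in the message; not FreeRADIUS code.
OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt}


def values(attr, multi):
    """Values an operand contributes: all of them with [*], else only the first."""
    return attr if multi else attr[:1]


def evaluate(lhs, op, rhs):
    """Return (result, comparisons, matching_pair).

    lhs and rhs are lists of candidate values (a literal is a one-element
    list). Pairs are tried in order and evaluation stops at the first pair
    for which the operator holds, so the condition is an "any pair" test.
    """
    compare = OPS[op]
    count = 0
    for left in lhs:
        for right in rhs:
            count += 1
            if compare(left, right):
                return True, count, (left, right)
    return False, count, None


def regex_match(lhs, pattern):
    """Model of =~ : the match object comes from the first value that matched."""
    for value in lhs:
        m = re.search(pattern, value)
        if m:
            return m
    return None


# Values taken from the message
TMP_STRING_0 = ["foo", "bar", "baz"]
TMP_STRING_1 = ["aaa", "bbb", "ccc", "bar"]
TMP_INTEGER_0 = [5, 10, 15]

if __name__ == "__main__":
    print(evaluate(TMP_STRING_0, "==", TMP_STRING_1))            # [*] == [*]
    print(evaluate(values(TMP_STRING_1, False), "==", ["bar"]))  # no [*]
    print(regex_match(TMP_STRING_1, r"cc$").string)              # first match
    print(evaluate(TMP_STRING_1, "!=", ["bar"]))                 # any pair differs
```

Because the stated rule is "true as soon as one pair is true", this model makes `!=` against a `[*]` operand true whenever any value differs, even when the value is present in the list. For a deny decision based on group membership, negating an `==` condition expresses "none of the values match", which a `!=` comparison does not.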