Multivalued attribute[*] comparisons

Franks Andy (RLZ) IT Systems Engineer Andy.Franks at sath.nhs.uk
Thu Nov 6 09:52:44 CET 2014 

This is great news for us, will make condition checking much more
straightforward.
Thanks Arran!

.. now waiting for multiple SQL attributes from a single xlat.. 
:-) :-) :-)


-----Original Message-----
From:
freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org
[mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradiu
s.org] On Behalf Of Arran Cudbard-Bell
Sent: 05 November 2014 22:59
To: FreeRadius users mailing list
Subject: Multivalued attribute[*] comparisons

Master branch which will become 3.1 now supports multivalued conditions.

If an attribute with the '*' index is used in a condition, all values of
that attribute will be evaluated against the other operand.

If one set of values evaluates to true, no further values are checked
and the condition returns true.

update request {
	Tmp-String-0 := 'foo'
	Tmp-String-0 += 'bar'
	Tmp-String-0 += 'baz'

	Tmp-String-1 := 'aaa'
	Tmp-String-1 += 'bbb'
	Tmp-String-1 += 'ccc'
	Tmp-String-1 += 'bar'
}

#
# Yes this is O(N^2) - worse case here is 12 comparisons # if
(&Tmp-String-0[*] == &Tmp-String-1[*]) -> TRUE

if (&Tmp-String-1[*] =~ /cc$/) -> TRUE

If used with capture groups, contents will be from the first value that
matched.

if (&Tmp-String-1 == 'bar') -> FALSE

if (&Tmp-String-1[*] == 'bar') -> TRUE

In theory this will allow

update request {
	Admin-Groups := 'admins'
	Admin-Groups += 'net-admins'
	Admin-Groups += 'Administrators'
}

if (LDAP-Group == &Admin-Groups[*])

But I believe the parser's condition rules will currently prevent that
(will be fixed before 3.1 is released).

It also works for integers:

update request {
	Tmp-Integer-0 := 5
	Tmp-Integer-0 += 10
	Tmp-Integer-0 += 15
}

if (Tmp-Integer-0[*] > 15) -> FALSE

if (Tmp-Integer-0[*] < 5) -> FALSE

if (Tmp-Integer-0[*] < 10) -> TRUE

The evaluation code also avoids many of the temporary mallocs that it
previously did, as the cast and comparison functions have been updated
to work with value data, as well as value pairs.

The main use case for this feature is checking multiple group or
authorizational attributes for a value.

It also works with tag qualifiers.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org> FreeRADIUS development
team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list