Recursive string expansion

[Dan Breslau]

I have an issue with recursive string expansion -- that is, it is 
recursing in a situation where I'd rather it didn't. Specifically, with 
freeradius 3.0.13, in policy.d/moonshot_targeted_ids, if I set


targeted_id_salt = '${changeme'


then I get the error:


Fri May 26 20:23:37 2017 : Error: 
/etc/freeradius/policy.d/moonshot-targeted-ids[40]: Reference 
"${changeme%{tolower}" not found
Fri May 26 20:23:37 2017 : Error: Failed expanding section name
Fri May 26 20:23:37 2017 : Error: 
/etc/freeradius/policy.d/moonshot-targeted-ids[41]: Failed allocating 
memory for section
Fri May 26 20:23:37 2017 : Error: Errors reading or parsing 
/etc/freeradius/radiusd.conf

This seems to be a reference to these two lines (starting at line 40) :


         if (&outer.request:GSS-Acceptor-Host-Name) {
                 if ("%{echo:/usr/bin/uuid -v 5 
${policy.moonshot_host_namespace} 
%{tolower:%{User-Name}}${policy.targeted_id_salt}%{tolower:%{outer.request:GSS-Acceptor-Host-Name}}}" 
=~ /^([^ ]+)([ ]*)$/) {


So it definitely looks like ${policy.targeted_id_salt} is expanded once, 
and then something attempts to expand the expanded string, which fails 
because '${changeme' is invalid xlat syntax.


I haven't found any user documentation indicating whether string 
expansion is recursive. I did find an older post by Arran where he says 
that "rlm_sql does recursive xlat" (see 
(http://lists.freeradius.org/pipermail/freeradius-users/2009-April/037249.html). 
This makes me wonder whether this behavior is decided upon by the 
module's implementer.


If there is a way to prevent this behavior (i.e., force a string to be 
expanded non-recursively), I'd love to hear about it. I'd be happy to 
file a bug (or feature request) if that would be appropriate.


Thanks,


Dan Breslau