How to properly deal with HTTP 200 response with body with rlm_rest?

Zenon Mousmoulas zmousm at noc.grnet.gr
Tue Apr 23 07:28:07 CEST 2019


April 22, 2019 7:50 PM, "Arran Cudbard-Bell" <a.cudbardb at freeradius.org> wrote:

>> On Apr 22, 2019, at 12:12 PM, Martin Gignac <martin.gignac at gmail.com> wrote:
>> 
>> Hi Arran,
>> 
>> Thanks for your response. I initially assumed that I should put:
>> 
>> rest
>> if (updated) {
>>     ok
>> }
> 
> rest {
>     updated = 1
> }
> if (updated) {
>     ok
> }
> 
> It's because the default action for updated in authenticate is return, so it just exits the
> authenticate section.
> 
> Authenticate in FreeRADIUS is meant to be for a module that runs locally on the server and does
> some sort of authentication by comparing the contents of the incoming packet with some secret
> information the server has access to. Local authentication modules don't usually return updated,
> which is why it's counted as a failure if one does.
> 
> There's no real issue doing what you're doing though, just explaining why it doesn't work out of
> the box and you need to jump through a couple of extra hoops.
> 
> ...and arguably the action for updated probably shouldn't be return, as it strongly hints there are
> more modules that need to be called. I guess the return code priorities/actions were probably set
> in < v1.0.x, where there was no policy language, and there you really would only ever call one
> module in authenticate.
> 
> So that leaves two more permanent fixes, either:
> 
> - rlm_rest only returns "OK" for its authenticate method, which probably means it should just
> ignore body data. Then if you wanted to do what you're doing now you'd call rest.authorize instead.

Reading https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-available/rest#L144 and relating to HTTP 204 vs. 200 semantics I would think "updated" rcode is a natural fit for rest.authorize, right? I am also still unsure about rest.authenticate though.

> - The updated rcode in should be given a non 'return' priority.
> 
> I don't know if we can make either of those changes in v3.0.x, but maybe we can change it in
> v4.0.x.
> 
> Any thoughts, Alan DeKok, Matthew Newton et al?
> 
> -Arran
> 


