Applying the same rule to multiple values in an attribute/config value
Stefan Paetow
Stefan.Paetow at jisc.ac.uk
Mon Feb 11 17:41:41 CET 2019
Howdy!
So, we're reviving the old RFC7542 chestnut because we've found that there is appetite for it. The basic policy for it is done, but a question was raised about the capability to apply the functionality to multiple realms.
The basics are this:
if (&request:User-Name =~ /([a-zA-Z0-9\.-]+)!([a-zA-Z0-9\.-]*)\@(.+)/) {
    # Store the three parts of the User-Name, store the original User-Name too
    update control {
        RFC7542-User-Name := &User-Name
    }
    # Format: not_local_realm!...@local_realm: Rewrite User-Name for suffix
    if (("%{1}" != "${policy.rfc7542_suffix}") && ("%{3}" == "${policy.rfc7542_suffix}")) {
        update request {
            User-Name := "%{2}@%{1}"
        }
    }
    # Format: local_realm!...@not_local_realm: Rewrite User-Name for suffix
    if (("%{1}" == "${policy.rfc7542_suffix}") && ("%{3}" != "${policy.rfc7542_suffix}")) {
        update request {
            User-Name := "%{2}@%{1}"
        }
    }
} # end of if
suffix
# Restore the User-Name to its original glory.
if (&control:RFC7542-User-Name && (&request:User-Name != &control:RFC7542-User-Name)) {
    update request {
        User-Name := &control:RFC7542-User-Name
    }
    update control {
        RFC7542-User-Name !* ANY
    }
}
The question now is the '$policy.rfc7542_suffix' bit. This is currently just defined as a simple value, i.e. 'blahblah.realm'. If we were to define it as a multiple value (semicolon-separated), would it make sense to use a foreach() loop across it, turn each entry into a variable and just check if the value is contained in the regex?
The worry I have here is that there's a lot of processing to do, a lot of looping, and if the powers that be (Alan, Arran, Matthew et al) have a better suggestion, I'd love to hear it. Please remember, this is for 3.0.x, with looking at upstreaming this to you guys to give FR RFC7542 capabilities.
I await your suggestions :-)
With Regards
Stefan Paetow
Consultant, Trust and Identity
t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp at jabber.dev.ja.net
skype: stefan.paetow.janet
jisc.ac.uk
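Added example, not part of the original post and not FreeRADIUS code: a Python reference model of the rewrite decision above with the suffix setting read as a semicolon-separated list, usable as a test oracle for an unlang implementation. The function names, the sample realms and the case-insensitive realm comparison are assumptions; the regex and the two rewrite branches are taken from the policy in the post.

```python
import re

# Same pattern as the unlang condition in the post; =~ is an unanchored
# search, so re.search() is used below rather than re.fullmatch().
RFC7542_RE = re.compile(r"([a-zA-Z0-9\.-]+)!([a-zA-Z0-9\.-]*)@(.+)")


def parse_suffixes(value):
    """Turn 'realm1; realm2' into a set so each check is one lookup, not a loop."""
    # Assumption: realms are compared case-insensitively (the post's string
    # comparison is case-sensitive).
    return frozenset(p.strip().lower() for p in value.split(";") if p.strip())


def rewrite_user_name(user_name, local_realms):
    """Return the User-Name the policy would hand to the suffix module."""
    m = RFC7542_RE.search(user_name)
    if m is None:
        return user_name  # not in realm!user@realm form: untouched
    first, user, last = m.group(1), m.group(2), m.group(3)
    first_local = first.lower() in local_realms
    last_local = last.lower() in local_realms
    # Both branches in the post rewrite to "%{2}@%{1}" and fire when exactly
    # one of the two realms is local. With several local realms a new case
    # appears: two different local realms match neither branch.
    if first_local != last_local:
        return f"{user}@{first}"
    return user_name


if __name__ == "__main__":
    # Constructed sample values, not taken from the post.
    local = parse_suffixes("example.org; example.ac.uk")
    for name in (
        "visited.example!alice@example.org",
        "example.org!alice@visited.example",
        "example.org!alice@example.ac.uk",
        "a.example!alice@b.example",
        "alice@example.org",
    ):
        print(f"{name:40} -> {rewrite_user_name(name, local)}")
```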