When performing the Authorize section using the REst module, is it possible to add a module failure message to the 403 response?

Tue Jan 23 15:32:53 UTC 2024

First of all, please understand that I am not able to receive replies to
existing questions due to incorrect system settings, so I cannot reply and
am asking a new question.

The link to the existing question is this.

https://lists.freeradius.org/pipermail/freeradius-users/2024-January/104052.html

rlm_rest (rest): Reserved connection (2)
(16) rest: Expanding URI components
(16) rest: EXPAND http://0.0.0.0:9012
(16) rest:    --> http://0.0.0.0:9012
(16) rest: EXPAND
/auth/user/%{User-Name}?callingStationId=%{Calling-Station-Id}&calledStationId=%{Called-Station-Id}&eapType=%{EAP-Type}
(16) rest:    -->
/auth/user/test?callingStationId=00-D7-B2-E6-FA-00&calledStationId=00-03-84-B6-00-CC%3Aradius%20122&eapType=PEAP
(16) rest: Sending HTTP GET to "
http://0.0.0.0:9012/auth/user/test?callingStationId=00-00-B0-E0-0A-80&calledStationId=00-00-00-B6-D0-00%3Aradius%20122&eapType=PEAP
"
(16) rest: Processing response header
(16) rest:   Status : 403 ()
(16) rest:   Type   : json (application/json)
(16) rest: Adding reply:REST-HTTP-Status-Code = "403"
(16) rest: ERROR: Server returned:
(16) rest: ERROR: {"request:Module-Failure-Message":"add message but..."}
rlm_rest (rest): Released connection (2)
Need more connections to reach 10 spares
rlm_rest (rest): Opening additional connection (6), 1 of 26 pending slots
used
rlm_rest (rest): Connecting to "http://0.0.0.0:9012"
(16)         [rest] = userlock
(16)       } # if (!&outer.session-state:Done-Rest)  = userlock
(16)     } # authorize = userlock
(16)   Using Post-Auth-Type Reject
(16)   # Executing group from file
/etc/freeradius/sites-enabled/inner-tunnel
(16)     Post-Auth-Type REJECT {
(16)       update {
(16)         &Calling-Station-Id = &outer.request:Calling-Station-Id ->
'00-00-00-00-00-00'
(16)         &Called-Station-Id = &outer.request:Called-Station-Id ->
'00-03-00-00-00-00:radius'
(16)         &EAP-Type := &outer.request:EAP-Type -> PEAP
(16)       } # update = noop

First of all, I am from Korea and it is difficult to translate what you are
saying.

The FreeRADIUS version I am using is 3.0.24.

To summarize the question again,

When performing the Authorize step in a Rest Module, is it possible to
(rest.authorize) deliver a 403 HTTP Status Code response and a message and
attach it to "Module-Failure-Message"?

Alan DeKok said it was in "Sure" and in "rlm_rest.c".

Probably "rlm_rest.c" is
 I think you mean "mods-enabled/rest".

However, I find this module difficult to handle.

No matter how many explanations I read, I couldn't find an answer to this.
sorry.

I guess it's hard for me to interpret Alan DeKok's answer because I'm not
very smart.

Is it “possible” or “I can figure it out if I read the description of this
module.”

Which of the two did you mean?

Looking at the message you wrote later, I don't know whether you meant
"It's possible" or "It's impossible and I'll think about it."

I'm really sorry, but I wonder if what I want to do is possible. If
possible, please explain in more detail what section I should refer to.