Using the rest module
Francis Augusto Medeiros-Logeay
r_f at med-lo.eu
Sun Nov 17 13:44:14 UTC 2024
> On 17 Nov 2024, at 12:16, Nick Porter <nick at portercomputing.co.uk> wrote:
>
>
> On 16/11/2024 18:06, Francis Augusto Medeiros-Logeay via Freeradius-Users wrote:
>> In my case, I need simply to evaluate a value of a nested json key that doesn’t really match any existing attributes.
>
> When called as a module, in FreeRADIUS v3, rest module only handles a limited number of formats of return JSON, intended for populating attributes with data retrieved from the REST endpoint.
>
> If your returned JSON is relatively small and consistent in format you may be able to do what you want by using the %{rest: } xlat and then doing a regex match on the returned string - that would need some experimentation. e.g.
>
> update { &control:Tmp-String-1 := "%{rest: <URL>}" }
>
> if (&control.Tmp-String-1 =~ /<regex to extract match from JSON>/) { ... }
>
Thanks a lot, Nick. I’ll look into it, though we have a few constraints and flow control, I think I might stick to perl while I am on RHEL 9 and only using the official package.
>> I saw that there is a json module that might be used with the rest, but it doesn’t seem to be available for the version I am using (3.0.21 on RHEL 9).
>
> The JSON module in FreeRADIUS 3.2 is only a helper for encoding - intended for converting attribute lists to JSON for sending to log destinations or as body data for POST requests.
>
> 3.0.21 is also pretty old - 3.2.6 is the current stable release - available as packages from https://packages.networkradius.com/
Yesterday I compiled FR 4 from source, but got some errors when running, so I didn’t go further. But I think I’ll try it again soon.
>
>> I have three API calls, to three different URLs, so I figured out how to create multiple instances of the rest module, which is great. It’s just the response logic that I’m failing to understand.
>
> If the xlat approach works, you would only need one module instance since the URL is built in the xlat call.
It could work, but it’d be too complex, I think. With perl things were easier to implement and I felt I had more control over the various scenarios I have to handle.
> Really the functionality you want is all in the up-coming FreeRADIUS v4 - that can extract arbitrary components from JSON. Whether v4 will work for you depends on the precise features you require - there are still a few gaps being worked on.
I don’t need more than that, really. We want to use FR just for MFA, and it basically will send API calls to our MFA server and handle OTP and Push notifications. So I believe FR 4 might just be what we want. I’ll google a bit more to find out how to run it properly.
Best,
Francis
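
Added example, not part of the thread or of FreeRADIUS: a Python sketch of why the regex-on-the-returned-string approach depends on the JSON being small and consistent, compared with parsing the reply and walking to the nested key as a scripting module can. The API replies, field names and function names are constructed assumptions.

```python
import json
import re

# Constructed replies from a hypothetical MFA API; field names are assumptions.
APPROVED = '{"enrollment": {"status": "approved"}, "result": {"push": {"status": "approved"}}}'
DENIED = '{"enrollment": {"status": "approved"}, "result": {"push": {"status": "denied"}}}'
REORDERED = '{"result": {"push": {"device": {"id": 7}, "status": "approved"}}}'

# Loose: any "status" key anywhere in the string.
LOOSE = re.compile(r'"status"\s*:\s*"approved"')
# Strict: tied to result.push; [^{}]* stops the match crossing into another object.
STRICT = re.compile(
    r'"result"\s*:\s*\{\s*"push"\s*:\s*\{[^{}]*"status"\s*:\s*"([^"\\]*)"'
)


def loose_regex_accepts(body):
    return LOOSE.search(body) is not None


def strict_regex_accepts(body):
    m = STRICT.search(body)
    return m is not None and m.group(1) == "approved"


def parsed_accepts(body, path=("result", "push", "status")):
    """Parse the JSON and walk the path; anything unexpected means reject."""
    try:
        node = json.loads(body)
    except ValueError:
        return False
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return False
        node = node[key]
    return node == "approved"


if __name__ == "__main__":
    for name, body in (("approved", APPROVED), ("denied", DENIED), ("reordered", REORDERED)):
        print(name, loose_regex_accepts(body), strict_regex_accepts(body), parsed_accepts(body))
```

The loose pattern accepts the denied reply because it matches the unrelated `enrollment.status`, while the strict pattern rejects a valid reply as soon as the server adds a nested object before `status`; only the parsed check gets all three right.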