More "update {....}" to edit against policy.d/*
authorJorge Pereira <jpereiran@gmail.com>
Tue, 16 Aug 2022 01:27:10 +0000 (22:27 -0300)
committerAlan T. DeKok <aland@freeradius.org>
Tue, 16 Aug 2022 21:25:25 +0000 (17:25 -0400)
13 files changed:
raddb/policy.d/abfab-tr
raddb/policy.d/accounting
raddb/policy.d/canonicalisation
raddb/policy.d/control
raddb/policy.d/cui
raddb/policy.d/dhcp
raddb/policy.d/eap
raddb/policy.d/filter
raddb/policy.d/operator-name
raddb/policy.d/tacacs
raddb/policy.d/time
raddb/policy.d/vendor
raddb/radclient.conf

index 37c001340fa0e566a679148a8b4748cb1fbc2b40..816ac5f63139c93039d28334c2b11ddbddfb03b4 100644 (file)
@@ -15,9 +15,8 @@ abfab_psk_authorize {
                        # do things here
                }
                else {
-                       update reply {
-                               &Reply-Message = "RP not authorized for this ABFAB request"
-                       }
+                       &reply.Reply-Message = "RP not authorized for this ABFAB request"
+
                        reject
                }
        }
@@ -27,25 +26,20 @@ abfab_client_check {
        # check that the acceptor host name is correct
        if ("%(client:gss_acceptor_host_name)" && &GSS-acceptor-host-name) {
                if ("%(client:gss_acceptor_host_name)" != "%{gss-acceptor-host-name}") {
-                       update reply {
-                               &Reply-Message = "GSS-Acceptor-Host-Name incorrect"
-                       }
+                       &reply.Reply-Message = "GSS-Acceptor-Host-Name incorrect"
+
                        reject
                }
        }
 
        # set trust-router-coi attribute from the client configuration
        if ("%(client:trust_router_coi)") {
-               update request {
-                       &Trust-Router-COI := "%(client:trust_router_coi)"
-               }
+               &request.Trust-Router-COI := "%(client:trust_router_coi)"
        }
 
        # set gss-acceptor-realm-name attribute from the client configuration
        if ("%(client:gss_acceptor_realm_name)") {
-               update request {
-                       &GSS-Acceptor-Realm-Name := "%(client:gss_acceptor_realm_name)"
-               }
+               &request.GSS-Acceptor-Realm-Name := "%(client:gss_acceptor_realm_name)"
        }
 }
 
@@ -65,9 +59,7 @@ abfab_channel_bindings {
        }
 
        if (&GSS-Acceptor-Service-Name || &GSS-Acceptor-Realm-Name || &GSS-Acceptor-Host-Name) {
-               update control {
-                       &Chbind-Response-Code := success
-               }
+               &control.Chbind-Response-Code := success
 
                #
                #  ACK the attributes in the request.
@@ -75,11 +67,9 @@ abfab_channel_bindings {
                #  If any one of these attributes don't exist in the request,
                #  then they won't be copied to the reply.
                #
-               update reply {
-                       &GSS-Acceptor-Service-Name = &GSS-Acceptor-Service-Name
-                       &GSS-Acceptor-Host-Name = &GSS-Acceptor-Host-Name
-                       &GSS-Acceptor-Realm-Name = &GSS-Acceptor-Realm-Name
-               }
+               &reply.GSS-Acceptor-Service-Name = &GSS-Acceptor-Service-Name
+               &reply.GSS-Acceptor-Host-Name = &GSS-Acceptor-Host-Name
+               &reply.GSS-Acceptor-Realm-Name = &GSS-Acceptor-Realm-Name
        }
 
        #
index 38789616a99eba6be917084909f5ebc672fd090d..dd7215396194f9758566e8d9572e29658c440dbd 100644 (file)
@@ -52,9 +52,7 @@ acct_unique {
        #  wireless environment).
        #
        if ("%{string:Class}" =~ /${policy.class_value_prefix}([0-9a-f]{32})/i) {
-               update request {
-                       &Acct-Unique-Session-Id := "%{hex:%{md5:%{string:%{1},%{Acct-Session-ID}}}}"
-               }
+               &request.Acct-Unique-Session-Id := "%{hex:%{md5:%{string:%{1},%{Acct-Session-ID}}}}"
        }
 
        #
@@ -64,23 +62,17 @@ acct_unique {
        #  is not included
        #
        else {
-               update request {
-                       &Acct-Unique-Session-Id := "%{hex:%{md5:%{string:%{User-Name},%{Acct-Multi-Session-ID},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}}}"
-                }
+               &request.Acct-Unique-Session-Id := %{hex:%{md5:%{string:%{User-Name},%{Acct-Multi-Session-ID},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}}}
        }
 
-       update request {
-               &Tmp-String-9 !* ANY
-       }
+       &request -= &Tmp-String-9[*]
 }
 
 #
 #      Insert a (hopefully unique) value into class
 #
 insert_acct_class {
-       update reply {
-               &Class = "${policy.class_value_prefix}%{md5:%t,%I,%{Packet-Src-Port},%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}},%{NAS-IP-Address},%{Calling-Station-ID},%{User-Name}}"
-       }
+       &reply.Class = "${policy.class_value_prefix}%{md5:%t,%I,%{Packet-Src-Port},%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}},%{NAS-IP-Address},%{Calling-Station-ID},%{User-Name}}"
 }
 
 #
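Review bot: The `else` branch of `acct_unique` now assigns a bare expansion (`:= %{hex:%{md5:%{string:...}}}`), while the `if` branch in the previous hunk and `insert_acct_class` right below still wrap the same kind of expansion in double quotes. Two spellings of one construct in the same policy file make it hard to tell whether the difference is meant to change the result type or is just an artefact of the conversion. Pick one form per file, or add a short comment where the unquoted form is deliberate. The same mix of quoted and unquoted right-hand sides appears in the cui, filter_password and time hunks of this commit.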
@@ -90,24 +82,16 @@ insert_acct_class {
 #
 acct_counters64.preacct {
        if (!&Acct-Input-Gigawords) {
-               update request {
-                       &Acct-Input-Octets64 := "%{%{Acct-Input-Octets}:-0}"
-               }
+               &request.Acct-Input-Octets64 := "%{%{Acct-Input-Octets}:-0}"
        }
        else {
-               update request {
-                       &Acct-Input-Octets64 = "%{expr:(&Acct-Input-Gigawords << 32) | &Acct-Input-Octets}"
-               }
+               &request.Acct-Input-Octets64 = "%{expr:(&Acct-Input-Gigawords << 32) | &Acct-Input-Octets}"
        }
        if (!&Acct-Output-Gigawords) {
-               update request {
-                       &Acct-Output-Octets64 := "%{%{Acct-Output-Octets}:-0}"
-               }
+               &request.Acct-Output-Octets64 := "%{%{Acct-Output-Octets}:-0}"
        }
        else {
-               update request {
-                       &Acct-Output-Octets64 = "%{expr:(&Acct-Output-Gigawords << 32) | &Acct-Output-Octets}"
-               }
+               &request.Acct-Output-Octets64 = "%{expr:(&Acct-Output-Gigawords << 32) | &Acct-Output-Octets}"
        }
 }
 
index 96f39497ed1ea5c377f345294b6cdfbc1aeb506d..9d42a00631216117ce3b4455d8e66259705ee28b 100644 (file)
@@ -18,17 +18,14 @@ nai_regexp = '^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$'
 
 split_username_nai {
        if (&User-Name && (&User-Name =~ /${policy.nai_regexp}/)) {
-               update request {
-                       &Stripped-User-Name := "%{1}"
-               }
+               &request.Stripped-User-Name := "%{1}"
+
 
                # Only add the Stripped-User-Domain attribute if
                # we have a domain. This means presence checks
                # for Stripped-User-Domain work.
                if ("%{3}" != '') {
-                       update request {
-                               &Stripped-User-Domain = "%{3}"
-                       }
+                       &request.Stripped-User-Domain = "%{3}"
                }
 
                # If any of the expansions result in a null
@@ -55,15 +52,11 @@ mac-addr-regexp = '([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^
 #
 rewrite_called_station_id {
        if (&Called-Station-Id && (&Called-Station-Id =~ /^${policy.mac-addr-regexp}([^0-9a-f](.+))?$/i)) {
-               update request {
-                       &Called-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
-               }
+               &request.Called-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
 
                # SSID component?
                if ("%{8}") {
-                       update request {
-                               &Called-Station-SSID := "%{8}"
-                       }
+                       &request.Called-Station-SSID := "%{8}"
                }
                updated
        }
@@ -81,13 +74,11 @@ rewrite_called_station_id {
 #
 rewrite_calling_station_id {
        if (&Calling-Station-Id && (&Calling-Station-Id =~ /^${policy.mac-addr-regexp}$/i)) {
-               update request {
-                       &Calling-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
-               }
+               &request.Calling-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
+
                updated
        }
        else {
                noop
        }
 }
-
index b890a8f30928dfb76dc44fd00cf5f519dcba808f..1393c052a348a11d1f8514631419f9efb9cd164a 100644 (file)
@@ -3,9 +3,8 @@
 #  then use the "do_not_respond" policy.
 #
 do_not_respond {
-       update reply {
-               &Packet-Type := Do-Not-Respond
-       }
+       &reply.Packet-Type := Do-Not-Respond
+
        handled
 }
 
@@ -13,9 +12,8 @@ do_not_respond {
 #  Send Access-Accept immediately
 #
 accept {
-       update reply {
-               &Packet-Type := Access-Accept
-       }
+       &reply.Packet-Type := Access-Accept
+
        handled
 }
 
@@ -23,9 +21,8 @@ accept {
 #  Send Access-Challenge immediately
 #
 challenge {
-       update reply {
-               &Packet-Type := Access-Challenge
-       }
+       &reply.Packet-Type := Access-Challenge
+
        handled
 }
 
@@ -33,9 +30,8 @@ challenge {
 #  Send an Accounting-Response immediately
 #
 acct_response {
-       update reply {
-               &Packet-Type := Accounting-Response
-       }
+       &reply.Packet-Type := Accounting-Response
+
        handled
 }
 
@@ -46,10 +42,9 @@ acct_response {
 #  include the original packet code in the reply.
 #
 protocol_error {
-       update reply {
-               &Packet-Type := Accounting-Response
-               &Original-Packet-Code := "%{Packet-Type}"
-       }
+       &reply.Packet-Type := Accounting-Response
+       &reply.Original-Packet-Code := "%{Packet-Type}"
+
        handled
 }
 
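Review bot: `protocol_error` still sets `&reply.Packet-Type := Accounting-Response`, the same value `acct_response` uses just above. That matches neither the policy's name nor its header comment about including the original packet code in the reply. It looks like a copy-paste carried over unchanged from the old `update reply` block. Confirm the intended packet type (presumably `Protocol-Error`) and correct it as part of this conversion. The header comment for this policy begins outside the hunk.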
@@ -57,8 +52,7 @@ protocol_error {
 #  Discard the packet without replying
 #
 discard {
-       update reply {
-               &Packet-Type := Do-Not-Respond
-       }
+       &reply.Packet-Type := Do-Not-Respond
+
        handled
 }
index 4cfbc68ea2df9b1d05f95ff5cccee09d75908001..93f20f141e479391767b269accc7f083f32d6ee6 100644 (file)
@@ -40,9 +40,7 @@ cui_require_operator_name = "no"
 #
 cui.authorize {
        if ("%(client:add_cui)" == 'yes') {
-               update request {
-                       &Chargeable-User-Identity := 0x00
-               }
+               &request.Chargeable-User-Identity := 0x00
        }
 }
 
@@ -56,9 +54,7 @@ cui.authorize {
 cui.post-auth {
        if (!&control.Proxy-To-Realm && &Chargeable-User-Identity && !&reply.Chargeable-User-Identity &&
            (&Operator-Name || ('${policy.cui_require_operator_name}' != 'yes')) ) {
-               update reply {
-                       &Chargeable-User-Identity = "%{sha1:${policy.cui_hash_key}%{tolower:%{User-Name}%{%{Operator-Name}:-}}}"
-               }
+               &reply.Chargeable-User-Identity = %{sha1:${policy.cui_hash_key}%{tolower:%{User-Name}%{%{Operator-Name}:-}}}
        }
 
        #
@@ -71,9 +67,8 @@ cui.post-auth {
        #
        if (&reply.Chargeable-User-Identity) {
                # Force User-Name to be the User-Name from the request
-               update {
-                       &reply.User-Name := &request.User-Name
-               }
+               &reply.User-Name := &request.User-Name
+
                cuisql
        }
 }
@@ -82,9 +77,7 @@ cui.post-auth {
 cui-inner.post-auth {
        if (&outer.request.Chargeable-User-Identity && \
            (&outer.request.Operator-Name || ('${policy.cui_require_operator_name}' != 'yes'))) {
-               update reply {
-                       &Chargeable-User-Identity := "%{sha1:${policy.cui_hash_key}%{tolower:%{User-Name}%{%{outer.request.Operator-Name}:-}}}"
-               }
+               &reply.Chargeable-User-Identity := %{sha1:${policy.cui_hash_key}%{tolower:%{User-Name}%{%{outer.request.Operator-Name}:-}}}
        }
 }
 
@@ -100,13 +93,11 @@ cui.accounting {
        #  in the DB.
        #
        if (!&Chargeable-User-Identity) {
-               update request {
-                       &Chargeable-User-Identity := "%{cuisql:\
+               &request.Chargeable-User-Identity := %{cuisql:\
                                SELECT cui FROM cui \
                                WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' \
                                AND callingstationid = '%{Calling-Station-Id}' \
-                               AND username = '%{User-Name}'}"
-               }
+                               AND username = '%{User-Name}'}
        }
 
        #
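Review bot: The query places `%{User-Name}` and `%{Calling-Station-Id}`, both supplied by the NAS, directly inside single-quoted SQL literals, and nothing in the hunk says where they are escaped. I would add a comment above the assignment, for example `#  Expansions inside the query are escaped by the cuisql module instance; keep the query inside the %{cuisql:...} expansion.`, after confirming that the module really does this. Since the outer double quotes were dropped while the `\` line continuations were kept, it is also worth checking that the multi-line unquoted expansion still parses as one value. The body of `cui.accounting` continues outside the hunk.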
index db0d4536d240453cd89fca03da0418d374353c12..5a5b15222aa2cd263040b951bb8a9180c2638310 100644 (file)
@@ -3,13 +3,11 @@ dhcp_common {
        #  The contents here are invented.  Change them!
        #  Lease time is referencing the lease time set in the
        #  named module instance configuration
-       update reply {
-               &Domain-Name-Server = 127.0.0.1
-               &Domain-Name-Server = 127.0.0.2
-               &Subnet-Mask = 255.255.255.0
-               &Router-Address = 192.0.2.1
-               &IP-Address-Lease-Time = 7200
-#              &IP-Address-Lease-Time = "${modules.sqlippool[dhcp_sqlippool].lease_duration}"
-               &Server-Identifier = &control.Server-Identifier
-       }
+       &reply.Domain-Name-Server = 127.0.0.1
+       &reply.Domain-Name-Server = 127.0.0.2
+       &reply.Subnet-Mask = 255.255.255.0
+       &reply.Router-Address = 192.0.2.1
+       &reply.IP-Address-Lease-Time = 7200
+#      &reply.IP-Address-Lease-Time = "${modules.sqlippool[dhcp_sqlippool].lease_duration}"
+       &reply.Server-Identifier = &control.Server-Identifier
 }
index 0309e83ae69a318383164043ac3a24c75d60d09c..0800c0f72b7616c1bcb4f2a81b5807af54af8fad 100644 (file)
@@ -8,14 +8,11 @@ Xeap.authorize {
                #       Expire previous cache entry
                #
                if (&control.State) {
-                       update control {
-                               &Cache-TTL := 0
-                       }
+                       &control.Cache-TTL := 0
+
                        cache_eap
 
-                       update control {
-                               &State !* ANY
-                       }
+                       &control -= &State[*]
                }
 
                handled
@@ -74,9 +71,7 @@ permit_only_eap {
 #
 remove_reply_message_if_eap {
        if (&reply.EAP-Message && &reply.Reply-Message) {
-               update reply {
-                       &Reply-Message !* ANY
-               }
+               &reply -= &Reply-Message[*]
        }
        else {
                noop
@@ -91,10 +86,8 @@ remove_reply_message_if_eap {
 #      to copy now have to be explicitly listed.
 #
 copy_request_to_tunnel {
-       update request {
-               Calling-Station-Id = &outer.request.Calling-Station-Id
-               Called-Station-Id = &outer.request.Called-Station-Id
-       }
+       &request.Calling-Station-Id = &outer.request.Calling-Station-Id
+       &request.Called-Station-Id = &outer.request.Called-Station-Id
 }
 
 #
@@ -109,16 +102,7 @@ use_tunneled_reply {
        #  These attributes are for the inner-tunnel only,
        #  and MUST NOT be copied to the outer reply.
        #
-       update reply {
-               User-Name !* ANY
-               Message-Authenticator !* ANY
-               EAP-Message !* ANY
-               Proxy-State !* ANY
-               MS-CHAP-NT-Enc-PW !* ANY
-               MS-MPPE-Encryption-Types !* ANY
-               MS-MPPE-Send-Key !* ANY
-               MS-MPPE-Recv-Key !* ANY
-       }
+       &reply -= &User-Name[*]
 
        #
        #  Copy the remaining inner reply attributes to the outer
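Review bot: The conversion keeps only `&reply -= &User-Name[*]` and drops the removal of Message-Authenticator, EAP-Message, Proxy-State, MS-CHAP-NT-Enc-PW, MS-MPPE-Encryption-Types, MS-MPPE-Send-Key and MS-MPPE-Recv-Key. The comment directly above still says these attributes MUST NOT be copied to the outer reply. The next hunk then appends the whole remaining inner `&reply` to `&outer.session-state`, so inner-tunnel key material and EAP attributes would now be carried into the outer session. Each of the eight removals from the old `update reply` block needs its own `-=` line, as below. `use_tunneled_reply` starts and ends outside this hunk.

```unlang
	&reply -= &User-Name[*]
	&reply -= &Message-Authenticator[*]
	&reply -= &EAP-Message[*]
	&reply -= &Proxy-State[*]
	&reply -= &MS-CHAP-NT-Enc-PW[*]
	&reply -= &MS-MPPE-Encryption-Types[*]
	&reply -= &MS-MPPE-Send-Key[*]
	&reply -= &MS-MPPE-Recv-Key[*]
```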
@@ -129,8 +113,6 @@ use_tunneled_reply {
        #  'send Access-Accept' policy in sites-available/default will
        #  copy the outer session-state list to the final reply.
        #
-       update {
-               &outer.session-state. += &reply
-       }
+       &outer.session-state += &reply
 }
 
index f8443a4171c07a91ea4df13273bad460a0dea39d..b5733e06bec7a22d1d9cc9067df1dedb9e301dee 100644 (file)
@@ -19,15 +19,15 @@ filter_username {
        if (&State) {
                if (&User-Name) {
                        if (!&session-state.Session-State-User-Name) {
-                               update request {
-                                       &Module-Failure-Message += 'No cached session-state.Session-State-User-Name'
+                               &request += {
+                                       &Module-Failure-Message = "No cached session-state.Session-State-User-Name"
                                }
                                reject
                        }
 
                        if (&User-Name != &session-state.Session-State-User-Name) {
-                               update request {
-                                       &Module-Failure-Message += 'User-Name does not match cached session-state.Session-State-User-Name'
+                               &request += {
+                                       &Module-Failure-Message = "User-Name does not match cached session-state.Session-State-User-Name"
                                }
                                reject
                        }
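Review bot: The failure messages in `filter_username` change from single-quoted to double-quoted strings. Double-quoted strings are subject to expansion, whereas the old single-quoted form was literal. None of the messages contains a `%` today, so the text is unchanged. Keeping the literal form, e.g. `&Module-Failure-Message = 'User-Name contains whitespace'`, avoids an unintended expansion if a message is later edited to include one. This applies to every `&request += { ... }` block in the remaining filter_username hunks as well. The policy body extends beyond this hunk.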
@@ -46,8 +46,8 @@ filter_username {
                #  e.g. "user@ site.com", or "us er", or " user", or "user "
                #
                if (&User-Name =~ / /) {
-                       update request {
-                               &Module-Failure-Message += 'User-Name contains whitespace'
+                       &request += {
+                               &Module-Failure-Message = "User-Name contains whitespace"
                        }
                        reject
                }
@@ -57,8 +57,8 @@ filter_username {
                #  e.g. "user@site.com@site.com"
                #
                if (&User-Name =~ /@[^@]*@/ ) {
-                       update request {
-                               &Module-Failure-Message += 'Multiple @ in User-Name'
+                       &request += {
+                               &Module-Failure-Message = "Multiple @ in User-Name"
                        }
                        reject
                }
@@ -68,8 +68,8 @@ filter_username {
                #  e.g. "user@site..com"
                #
                if (&User-Name =~ /\.\./ ) {
-                       update request {
-                               &Module-Failure-Message += 'User-Name contains multiple dots (e.g. user@site..com)'
+                       &request += {
+                               &Module-Failure-Message = "User-Name contains multiple dots (e.g. user@site..com)"
                        }
                        reject
                }
@@ -79,8 +79,8 @@ filter_username {
                #  e.g. "user@site.com"
                #
                if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/))  {
-                       update request {
-                               &Module-Failure-Message += 'Realm does not have at least one dot separator'
+                       &request += {
+                               &Module-Failure-Message = "Realm does not have at least one dot separator"
                        }
                        reject
                }
@@ -90,8 +90,8 @@ filter_username {
                #  e.g. "user@site.com."
                #
                if (&User-Name =~ /\.$/)  {
-                       update request {
-                               &Module-Failure-Message += 'Realm ends with a dot'
+                       &request += {
+                               &Module-Failure-Message = "Realm ends with a dot"
                        }
                        reject
                }
@@ -101,15 +101,13 @@ filter_username {
                #  e.g. "user@.site.com"
                #
                if (&User-Name =~ /@\./)  {
-                       update request {
-                               &Module-Failure-Message += 'Realm begins with a dot'
+                       &request += {
+                               &Module-Failure-Message = "Realm begins with a dot"
                        }
                        reject
                }
 
-               update session-state {
-                       &Session-State-User-Name := &User-Name
-               }
+               &session-state.Session-State-User-Name := &User-Name
        }
 }
 
@@ -122,10 +120,8 @@ filter_username {
 filter_password {
        if (&User-Password && \
           (&User-Password != "%{string:User-Password}")) {
-               update request {
-                       &Tmp-String-0 := "%{string:User-Password}"
-                       &User-Password := "%{string:Tmp-String-0}"
-               }
+               &request.Tmp-String-0 := %{string:User-Password}
+               &request.User-Password := %{string:Tmp-String-0}
         }
 }
 
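Review bot: `&request.Tmp-String-0` keeps a copy of the user's password after `filter_password` finishes, so the cleartext stays in the request list where later logging or debug output of the request can pick it up. The `acct_unique` policy in this same commit clears its scratch attribute when it is done. The equivalent here would be `&request -= &Tmp-String-0[*]`, placed right after the `&request.User-Password` assignment inside the `if` block.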
@@ -134,8 +130,8 @@ filter_inner_identity {
        #  No names, reject.
        #
        if (!&outer.request.User-Name || !&User-Name) {
-               update request {
-                       &Module-Failure-Message += "User-Name is required for tunneled authentication"
+               &request += {
+                       &Module-Failure-Message = "User-Name is required for tunneled authentication"
                }
                reject
        }
@@ -152,9 +148,7 @@ filter_inner_identity {
                #  Get the outer realm.
                #
                if (&outer.request.User-Name =~ /@([^@]+)$/) {
-                       update request {
-                               &Outer-Realm-Name = "%{1}"
-                       }
+                       &request.Outer-Realm-Name = "%{1}"
 
                        #
                        #  When we have an outer realm name, the user portion
@@ -164,8 +158,8 @@ filter_inner_identity {
                        #  some vendors don't follow the standards.
                        #
                        if (&outer.request.User-Name !~ /^(anon|@)/) {
-                               update request {
-                                       &Module-Failure-Message += "User-Name is not anonymized"
+                               &request += {
+                                       &Module-Failure-Message = "User-Name is not anonymized"
                                }
                                reject
                        }
@@ -179,8 +173,8 @@ filter_inner_identity {
                #  and we'd have no idea which one was correct.
                #
                elsif (&outer.request.User-Name !~ /^anon/) {
-                       update request {
-                               &Module-Failure-Message += "User-Name is not anonymized"
+                       &request += {
+                               &Module-Failure-Message = "User-Name is not anonymized"
                        }
                        reject
                }
@@ -189,9 +183,7 @@ filter_inner_identity {
                #  Get the inner realm.
                #
                if (&User-Name =~ /@([^@]+)$/) {
-                       update request {
-                               &Inner-Realm-Name = "%{1}"
-                       }
+                       &request.Inner-Realm-Name = "%{1}"
 
                        #
                        #  Note that we do EQUALITY checks for realm names.
@@ -207,8 +199,8 @@ filter_inner_identity {
                        if (&Outer-Realm-Name && \
                            (&Inner-Realm-Name != &Outer-Realm-Name) && \
                            (&Inner-Realm-Name !~ /\.%{Outer-Realm-Name}$/)) {
-                               update request {
-                                       &Module-Failure-Message += "Inner realm '%{Inner-Realm-Name}' and outer realm '%{Outer-Realm-Name}' are not from the same domain."
+                               &request += {
+                                       &Module-Failure-Message = "Inner realm '%{Inner-Realm-Name}' and outer realm '%{Outer-Realm-Name}' are not from the same domain."
                                }
                                reject
                        }
index 279e2932dc2c1f6097d058a54fb3d9c2a6a15813..d3abae9b3ada33934e3f0725b6decc7d366a72b9 100644 (file)
@@ -27,8 +27,6 @@
 #
 operator-name.authorize {
        if ("%(client:Operator-Name)") {
-               update request {
-                       &Operator-Name = "%(client:Operator-Name)"
-               }
+               &request.Operator-Name = "%(client:Operator-Name)"
        }
 }
index 09c097ba206bfb6330f513e036a2056743bef2eb..d79d4b785ac312b8b9bd07ea4d4290c196bdd3ae 100644 (file)
@@ -4,23 +4,18 @@
 
 tacacs_set_authentication_status {
        if (ok) {
-               update reply {
-                       &Authentication-Status = Pass
-               }
+               &reply.Authentication-Status = Pass
        } else {
-               update reply {
-                       &Authentication-Status = Fail
-               }
+               &reply.Authentication-Status = Fail
        }
 }
 
 tacacs_pap {
        subrequest RADIUS.Access-Request {
-               update {
-                       &request.User-Name := &parent.request.User-Name
-                       &request.User-Password := &parent.request.Data
-                       &control.Password.Cleartext := &parent.control.Password.Cleartext
-               }
+               &request.User-Name := &parent.request.User-Name
+               &request.User-Password := &parent.request.Data
+               &control.Password.Cleartext := &parent.control.Password.Cleartext
+
                pap.authorize
                pap.authenticate
        }
@@ -30,21 +25,20 @@ tacacs_pap {
 
 tacacs_chap {
        subrequest RADIUS.Access-Request {
-               update {
-                       &request.User-Name := &parent.request.User-Name
+               &request.User-Name := &parent.request.User-Name
+
+               #
+               #  Data length N is 1 octet of ID, followed by
+               #  N-17 octets of challenge, followed by 16 octets of
+               #  CHAP-Password.
+               #
+               #  @todo - update code to create these, so that the
+               #  poor user doesn't need to.
+               #
+#              &request.CHAP-Password := ...
+#              &request.CHAP-Challenge := ...
+               &control.Password.Cleartext := &parent.control.Password.Cleartext
 
-                       #
-                       #  Data length N is 1 octet of ID, followed by
-                       #  N-17 octets of challenge, followed by 16 octets of
-                       #  CHAP-Password.
-                       #
-                       #  @todo - update code to create these, so that the
-                       #  poor user doesn't need to.
-                       #
-#                      &request.CHAP-Password := ...
-#                      &request.CHAP-Challenge := ...
-                       &control.Password.Cleartext := &parent.control.Password.Cleartext
-               }
                chap.authenticate
        }
 
@@ -53,21 +47,20 @@ tacacs_chap {
 
 tacacs_mschap {
        subrequest RADIUS.Access-Request {
-               update {
-                       &request.User-Name := &parent.request.User-Name
+               &request.User-Name := &parent.request.User-Name
+
+               #
+               #  Data length N is 1 octet of ID, followed by
+               #  N-49 octets of challenge, followed by 49 octets of
+               #  MS-CHAP stuff.
+               #
+               #  @todo - update code to create these, so that the
+               #  poor user doesn't need to.
+               #
+#              &request.MS-CHAP-Challenge := ...
+#              &request.MS-CHAP-Response := ...
+               &control.Password.Cleartext := &parent.control.Password.Cleartext
 
-                       #
-                       #  Data length N is 1 octet of ID, followed by
-                       #  N-49 octets of challenge, followed by 49 octets of
-                       #  MS-CHAP stuff.
-                       #
-                       #  @todo - update code to create these, so that the
-                       #  poor user doesn't need to.
-                       #
-#                      &request.MS-CHAP-Challenge := ...
-#                      &request.MS-CHAP-Response := ...
-                       &control.Password.Cleartext := &parent.control.Password.Cleartext
-               }
                chap.authenticate
        }
 
index 709f267cda8d3925cbcd1f31cf2af41d1fff6249..f9dd0e5078123fced38811796d520aa429b1f805 100644 (file)
@@ -2,18 +2,14 @@
 #
 # Sets Tmp-uint64-0 with the current epoch time in ms
 time_current_ms {
-       update request {
-               Tmp-uint64-0 := "%{expr:(%c*1000) + (%C/1000)}"
-       }
+       &request.Tmp-uint64-0 := %{expr:(%c*1000) + (%C/1000)}
 }
 
 # Returns elapsed time in ms since time_current_ms
 #
 # Sets Tmp-uint64-1 with number of milliseconds
 time_elapsed_ms {
-       update request {
-               Tmp-uint64-1 := "%{expr:(%c*1000) + (%C/1000) - %{Tmp-uint64-0}}"
-       }
+       &request.Tmp-uint64-1 := %{expr:(%c*1000) + (%C/1000) - %{Tmp-uint64-0}}
 }
 
 # Handles the Expiration attribute
@@ -25,9 +21,7 @@ expiration {
                }
 
                elsif (!&reply.Session-Timeout || (&Session-Timeout > "%{expr:%{Expiration} - %l}")) {
-                       update reply {
-                               &Session-Timeout := "%{expr:%{Expiration} - %l}"
-                       }
+                       &reply.Session-Timeout := %{expr:%{Expiration} - %l}
                }
        }
 }
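Review bot: The `elsif` guard tests `!&reply.Session-Timeout` but then compares the unqualified `&Session-Timeout`, which, if unqualified references default to the request list, is a different attribute from the `&reply.Session-Timeout` that the new line assigns. If the intent is to cap an existing reply value, the comparison should read `(&reply.Session-Timeout > "%{expr:%{Expiration} - %l}")`. The condition also keeps the quoted expansion while the assignment below it is now unquoted, so the two no longer match textually. The `expiration` policy starts outside this hunk.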
index 5358c121f6c136b478e84c7d96b2458b47858c89..eb7c68ba79dfab265bd641768c38dc2a05a61887 100644 (file)
@@ -7,9 +7,8 @@
 broadsoft-decode {
        foreach &BroadSoft-Attr-255 {
                if ("%{Foreach-Variable-0}" =~ /^([0-9]+)=(.*)$/) {
-                       update request {
-#                              Broadsoft-Attr-255 -= "%{Foreach-Variable-0}"
-                               "BroadSoft-Attr-%{1}" += "%{2}"
+#                              &request.Broadsoft-Attr-255 -= "%{Foreach-Variable-0}"
+                               "&request.BroadSoft-Attr-%{1}" += "%{2}"
                        }
                }
        }
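Review bot: The `update request {` opener is removed but its closing `}` remains as a context line. The old side had four openers against the three closers shown here plus one below the hunk; the new side has only three openers, so the file ends up with a stray `}`, assuming it was balanced before. One of the closing braces should be deleted. The commented line and `"&request.BroadSoft-Attr-%{1}" += "%{2}"` should also be re-indented to the level of the `if` body. It is worth confirming that a quoted, dynamically expanded attribute name on the left-hand side is still accepted by the new edit syntax.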
index 79dc7922266546491e3bf67375b43562d3a31643..024cbde237279cd4dbe68c41e9ca480d22d47ac6 100644 (file)
@@ -54,9 +54,7 @@ server default {
        recv Access-Request {
                radius
                if (ok) {
-                       update reply {
-                               &Packet-Type := Access-Accept
-                       }
+                       &reply.Packet-Type := Access-Accept
                }
        }
        send Access-Accept {