From: Alan T. DeKok Date: Fri, 6 Oct 2023 12:16:54 +0000 (-0400) Subject: get rid of old function syntax everywhere except old examples X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d405afee5be62a39c706b7ea67627eb836bd6b16;p=thirdparty%2Ffreeradius-server.git get rid of old function syntax everywhere except old examples --- diff --git a/doc/antora/modules/howto/pages/modules/mschap/index.adoc b/doc/antora/modules/howto/pages/modules/mschap/index.adoc index f56bb46f53..d20d3ac4cc 100644 --- a/doc/antora/modules/howto/pages/modules/mschap/index.adoc +++ b/doc/antora/modules/howto/pages/modules/mschap/index.adoc @@ -43,7 +43,7 @@ several options for the arguments, in particular username and domain: * `–username=%{User-Name}` - this will fail if you’re using realms or host-based auth -* `–username=%(mschap:User-Name)` - this will fail if using using suffix +* `–username=%mschap(User-Name)` - this will fail if using using suffix i.e. user@domain You’ll need to fit this to your local needs. @@ -132,7 +132,7 @@ For example, you might use an SQL stored procedure to change passwords:: ``` mschap { passchange { - local_cpw = %{sql:select change_password('%{User-Name}','%{MS-CHAP-New-NT-Password}')}' + local_cpw = %sql("select change_password('%{User-Name}','%{MS-CHAP-New-NT-Password}')") } } ``` @@ -167,8 +167,7 @@ This allows you to do things like:: . update via ``` -SQL local_cpw = %{sql:update radcheck set value='%{MS-CHAP-New-NT-Password}' where username=%{User-Name} and -attribute=’Password.NT'} +SQL local_cpw = %sql("update radcheck set value='%{MS-CHAP-New-NT-Password}' where username=%{User-Name} and attribute=’Password.NT'") ``` Or: @@ -176,7 +175,7 @@ Or: . update via exec/script ``` -local_cpw = `%(exec:/my/script %{User-Name} %{MS-CHAP-New-Password.Cleartext})` +local_cpw = `%exec('/my/script', %{User-Name}, %{MS-CHAP-New-Password.Cleartext})` ``` WARNING: Wherever possible, you should use `MS-CHAP-New-NT-Password`. The diff --git a/doc/antora/modules/installation/pages/upgrade.adoc b/doc/antora/modules/installation/pages/upgrade.adoc index 50d2d8873e..5de8dbd1ab 100644 --- a/doc/antora/modules/installation/pages/upgrade.adoc +++ b/doc/antora/modules/installation/pages/upgrade.adoc @@ -630,10 +630,10 @@ update reply { } ``` -In v4, you can remove the `update`, and also remove the double quotes: +In v4, you can remove the `update`, and rewrite the SQL call to: ``` -&reply.Framed-IP-Address := %{sql:SELECT ...} +&reply.Framed-IP-Address := %sql("SELECT ...") ``` Using double quotes everywhere means that every bit of data gets @@ -720,7 +720,7 @@ The following modules are new in v4. This module handles the `%{client:..}` xlat expansions. -The `Client-Shortname` attribute has been removed. You should use `%{client:shortname}` instead. +The `Client-Shortname` attribute has been removed. You should use `%client(shortname)` instead. === rlm_radius @@ -819,15 +819,18 @@ checks to see if you want to execute the module. === rlm_expr -Allow `&Attr-Name[*]` to mean _sum_. Previously, it just referred to -the first attribute. +The `expr` module is no longer necessary and has been removed. -Using `%{expr:0 + &Attr-Name[*]}` will cause it to return the sum of -the values of all attributes with the given name. +The xref:reference:xlat/index.adoc[xlat] expansions just support math +natively. For example: -Note that `%{expr:1 * &Attr-Name[*]}` does _not_ mean repeated -multiplication. Instead, the sum of the attributes is taken as before, -and then the result is multiplied by one. +``` +&Reply-Message := "1 + 2 = %{1 + 2}" +``` + +will return the string `1 + 2 = 3`. The contents of the expansion can +be any math or condition. Attribute assignments in expansions are not +supported. === rlm_expiration @@ -837,14 +840,18 @@ attribute should continue to work the same as with v3. === rlm_ldap -The `ldap` module provides an expansion `%{ldap.memberof:}` instead of +The `ldap` module provides an expansion `%ldap.memberof()` instead of `LDAP-Group` for dynamically testing group membership. The old method of ``` -LDAP-Group == "foo" +if (LDAP-Group == "foo") { ... ``` -will no longer work. +will no longer work. Instead, use + +``` +if (%ldap.memberof(foo)) { ... +``` The cacheing of group membership into attributes in the `control` list is still available, so @@ -876,9 +883,7 @@ names to lowercase: ``` recv Access-Request { - update request { - &Stripped-User-Name := "%{tolower:%{User-Name}}" - } + &Stripped-User-Name := %tolower(%{User-Name}) ... } ``` @@ -907,11 +912,11 @@ that it is now possible to do group comparisons based on regular expressions. It is possible to force a dynamic group lookup via the expansion -`%{sql.group:foo}`. This expansion returns `true` if the user is a +`%sql.group(foo)`. This expansion returns `true` if the user is a member of that SQL group, and `false` otherwise. ``` -if (%{sql.group:sales}) { +if (%sql.group(sales)) { ... } ``` @@ -998,7 +1003,7 @@ more information. === rlm_unix -The `unix` module uses an expansion `%{unix.group:}` instead of +The `unix` module uses an expansion `%unix.group()` instead of `Unix-Group`, `Group` or `Group-Name`. The old method of doing ``` @@ -1009,7 +1014,7 @@ will no longer work. === rlm_winbind -The `winbind` module uses an expansion `%{winbind.group:}` instead of +The `winbind` module uses an expansion `%(winbind.group()` instead of `Winbind-Group == `. == Deleted Modules @@ -1044,13 +1049,13 @@ result in an error. Many "virtual" or "fake" attributes have been removed or renamed. -`&Module-Return-Code` should be replaced by `%(interpreter:rcode)`. +`&Module-Return-Code` should be replaced by `%interpreter(rcode)`. `&Response-Packet-Type` should be replaced by `&reply.Packet-Type`. -`&Virtual-Server` should be replaced by `%(interpreter:server)`. +`&Virtual-Server` should be replaced by `%interpreter(server)`. -`&Packet-Authentication-Vector` should be replaced by `%{radius.packet.vector:}`. +`&Packet-Authentication-Vector` should be replaced by `%radius.packet.vector()`. `&Packet-Dst-IP-Address` and `&Packet-Dst-IPv6-Address` should be replaced by `&Net.Dst.IP`. diff --git a/doc/antora/modules/raddb/pages/sites-available/detail.adoc b/doc/antora/modules/raddb/pages/sites-available/detail.adoc index f636d32902..af94573af7 100644 --- a/doc/antora/modules/raddb/pages/sites-available/detail.adoc +++ b/doc/antora/modules/raddb/pages/sites-available/detail.adoc @@ -19,6 +19,11 @@ says "load the detail file processor, and not the typical RADIUS UDP / TCP socket IO. +Overrides the default transport prefix set by +namespace and loads the detail reader code. + + + Types of packets we are reading. @@ -200,6 +205,7 @@ The detail file reader runs the normal RADIUS / DHCP / etc. processing sections. + We handled the packet successfully. Run the "send ok" section. @@ -237,6 +243,7 @@ server detail { namespace = radius directory = ${radacctdir}/detail listen detail { + proto = detail type = Accounting-Request # priority = 1 file { @@ -258,7 +265,12 @@ server detail { } } recv Accounting-Request { - &request.Acct-Delay-Time := "%{expr:%{%{Acct-Delay-Time}:-0} + %c - %(integer:%{%{Event-Timestamp}:-%{Packet-Original-Timestamp}})}" + if (!&Event-Timestamp) { + &Event-Timestamp := &Packet-Original-Timestamp + } + if (&Event-Timestamp < %c) { + &request.Acct-Delay-Time += %c - &Event-Timestamp + } ok } send Accounting-Response { diff --git a/doc/antora/modules/raddb/pages/sites-available/resource-check.adoc b/doc/antora/modules/raddb/pages/sites-available/resource-check.adoc index c4d206613f..94732c2b2c 100644 --- a/doc/antora/modules/raddb/pages/sites-available/resource-check.adoc +++ b/doc/antora/modules/raddb/pages/sites-available/resource-check.adoc @@ -129,12 +129,12 @@ listen { } recv Status-Server { if ("%sql('SELECT pg_is_in_recovery()')" != "f") { - if ("%{db_online:}" != "fail") { - %{db_online:fail} + if (%db_online() != "fail") { + %db_online(fail) } } else { - if ("%{db_online:}" != "alive") { - %{db_online:alive} + if (%db_online() != "alive") { + %db_online(alive) } } } diff --git a/doc/antora/modules/reference/pages/type/cast.adoc b/doc/antora/modules/reference/pages/type/cast.adoc index e3af9aab07..8be651a0af 100644 --- a/doc/antora/modules/reference/pages/type/cast.adoc +++ b/doc/antora/modules/reference/pages/type/cast.adoc @@ -14,7 +14,7 @@ expression is an IP address. It could instead be interpreted as a string [source,unlang] ---- -if ("%{sql:SELECT ipaddress FROM table WHERE user=%{User-Name}}" == 192.0.2.1) } +if (%sql("SELECT ipaddress FROM table WHERE user=%{User-Name}") == 192.0.2.1) } .... } ---- @@ -42,7 +42,7 @@ We can add a cast to the above example, as follows: .Example [source,unlang] ---- -if ("%{sql:SELECT ipaddress FROM table WHERE user=%{User-Name}}" == (ipaddr)192.0.2.1) } +if (%sql("SELECT ipaddress FROM table WHERE user=%{User-Name}") == (ipaddr)192.0.2.1) } .... } ---- @@ -113,7 +113,7 @@ Casting any data type to `string` means _printing_ the data type to a string, and assigning the resulting value to the `string`. For a value of typ e `octets`, this means that the output is a hex string, prefixed with `0x`. In order to get the "raw" hex values of an -`octets` data type, the `%{hex:...}` expansion is used. It prints out +`octets` data type, the `%hex(...)` expansion is used. It prints out the hex value of its input, without the leading `0x` characters. Casting a `string` value to another data type means _parsing_ the diff --git a/doc/antora/modules/reference/pages/unlang/condition/index.adoc b/doc/antora/modules/reference/pages/unlang/condition/index.adoc index f5ce3f9285..ff863d68fa 100644 --- a/doc/antora/modules/reference/pages/unlang/condition/index.adoc +++ b/doc/antora/modules/reference/pages/unlang/condition/index.adoc @@ -40,7 +40,7 @@ if ( &Framed-IP-Address == 127.0.0.1 ) { ... } -if ( &Calling-Station-Id == "%{sql:SELECT ...}" ) { +if ( &Calling-Station-Id == "%sql("SELECT ...") ) { ... } ---- @@ -117,6 +117,5 @@ In general, the following rules apply: * If you want to check that an attribute exists _and_ has a particular value, use `if !(&Attr == value)`, instead of `if (&Attr != value)`. The difference us that if the attribute does not exist, it will match the condition `(&Attr != value)`, because the attribute has no value. - // Copyright (C) 2021 Network RADIUS SAS. Licenced under CC-by-NC 4.0. // This documentation was developed by Network RADIUS SAS. diff --git a/doc/antora/modules/reference/pages/unlang/condition/regex.adoc b/doc/antora/modules/reference/pages/unlang/condition/regex.adoc index 1c5a737140..18ec7d0bb8 100644 --- a/doc/antora/modules/reference/pages/unlang/condition/regex.adoc +++ b/doc/antora/modules/reference/pages/unlang/condition/regex.adoc @@ -119,7 +119,7 @@ matched. The expansions + When using libpcre[2], named capture groups may also be accessed using the built-in expansion + -`%{regex:}`. +`%regex()`. Please see the xref:xlat/builtin.adoc#_0_32[xlat documentation] for more information on regular expression matching. diff --git a/doc/antora/modules/reference/pages/unlang/edit.adoc b/doc/antora/modules/reference/pages/unlang/edit.adoc index 676d82a5a8..ac2960e637 100644 --- a/doc/antora/modules/reference/pages/unlang/edit.adoc +++ b/doc/antora/modules/reference/pages/unlang/edit.adoc @@ -328,7 +328,7 @@ The above example has the same result as the earlier example of adding ==== [source,unlang] ---- -&reply += "%{sql:SELECT pairs FROM pair_table WHERE username = '%{User-Name}'}" +&reply += "sql("SELECT pairs FROM pair_table WHERE username = '%{User-Name}'") ---- ==== diff --git a/doc/antora/modules/reference/pages/unlang/expression.adoc b/doc/antora/modules/reference/pages/unlang/expression.adoc index 821cb94e1b..462d2fcb59 100644 --- a/doc/antora/modules/reference/pages/unlang/expression.adoc +++ b/doc/antora/modules/reference/pages/unlang/expression.adoc @@ -112,7 +112,7 @@ deprecated. [source,unlang] ---- -&NAS-Port-Id = (uint32) "%{sql: SELECT...}" + 4 +&NAS-Port-Id = (uint32) "%sql("SELECT...") + 4 ---- == Errors diff --git a/doc/antora/modules/reference/pages/unlang/index.adoc b/doc/antora/modules/reference/pages/unlang/index.adoc index 46192e5b76..6b8909b138 100644 --- a/doc/antora/modules/reference/pages/unlang/index.adoc +++ b/doc/antora/modules/reference/pages/unlang/index.adoc @@ -101,7 +101,7 @@ attributes, databases, and scripts. .Example [source,unlang] ---- -&reply.Framed-IP-Address := "%{sql:SELECT static_ip from table WHERE user = '%{User-Name}'}" +&reply.Framed-IP-Address := %sql("SELECT static_ip from table WHERE user = '%{User-Name}'") ---- == Data Types diff --git a/doc/antora/modules/reference/pages/unlang/load-balance.adoc b/doc/antora/modules/reference/pages/unlang/load-balance.adoc index cc59979171..a3b85ec73f 100644 --- a/doc/antora/modules/reference/pages/unlang/load-balance.adoc +++ b/doc/antora/modules/reference/pages/unlang/load-balance.adoc @@ -45,7 +45,7 @@ places. Instead of copying the same text multiple times, a `load-balance` section can be defined as a module in the `mods-enabled/` directory. -For example, the following file can be placed into +For example, the following text can be placed into the file `mods-enabled/sql123`. Once it is there, it can be used as a module named `sql123`, and used anywhere a module is allowed to use. @@ -61,8 +61,8 @@ load-balance sql123 { In previous versions of the server, this definition would be placed into the `instantiate` section of `radiusd.conf. This configuration -is no longer used, and the `sql123` definition can just be placed into -a module definition in the `mods-enabled/` directory. +is no longer used, and the `sql123` definition can just be placed as +a module definition into the `mods-enabled/` directory. == Load-Balance Expansions @@ -72,7 +72,7 @@ in a xref:xlat/index.adoc[dynamic expansion]: .Example of Load-Balance SQL module [source,unlang] ---- -&Reply-Message := %{sql123:SELECT message FROM table WHERE name='%{User-Name}'} +&Reply-Message := %sql123("SELECT message FROM table WHERE name='%{User-Name}'") } ---- diff --git a/doc/antora/modules/reference/pages/unlang/redundant-load-balance.adoc b/doc/antora/modules/reference/pages/unlang/redundant-load-balance.adoc index 80cc84aa51..39277fc9fb 100644 --- a/doc/antora/modules/reference/pages/unlang/redundant-load-balance.adoc +++ b/doc/antora/modules/reference/pages/unlang/redundant-load-balance.adoc @@ -52,7 +52,7 @@ places. Instead of copying the same text multiple times, a `redundant-load-balance` section can be defined as a module in the `mods-enabled/` directory. -For example, the following file can be placed into +For example, the following text can be placed into the file `mods-enabled/sql123`. Once it is there, it can be used as a module named `sql123`, and used anywhere a module is allowed to use. @@ -68,8 +68,8 @@ redundant-load-balance sql123 { In previous versions of the server, this definition would be placed into the `instantiate` section of `radiusd.conf. This configuration -is no longer used, and the `sql123` definition can just be placed into -a module definition in the `mods-enabled/` directory. +is no longer used, and the `sql123` definition can just be placed as +a module definition into the `mods-enabled/` directory. == Redundant-Load-Balance Expansions @@ -79,7 +79,7 @@ in a xref:xlat/index.adoc[dynamic expansion]: .Example of Redundant-Load-Balance SQL module [source,unlang] ---- -&Reply-Message := %{sql123:SELECT message FROM table WHERE name='%{User-Name}'} +&Reply-Message := %sql123("SELECT message FROM table WHERE name='%{User-Name}'") } ---- diff --git a/doc/antora/modules/reference/pages/unlang/redundant.adoc b/doc/antora/modules/reference/pages/unlang/redundant.adoc index 99b14eb259..0c995bbe2f 100644 --- a/doc/antora/modules/reference/pages/unlang/redundant.adoc +++ b/doc/antora/modules/reference/pages/unlang/redundant.adoc @@ -45,7 +45,7 @@ places. Instead of copying the same text multiple times, a `redundant` section can be defined as a module in the `mods-enabled/` directory. -For example, the following file can be placed into +For example, the following text can be placed into the file `mods-enabled/sql123`. Once it is there, it can be used as a module named `sql123`, and used anywhere a module is allowed to use. @@ -61,8 +61,8 @@ redundant sql123 { In previous versions of the server, this definition would be placed into the `instantiate` section of `radiusd.conf. This configuration -is no longer used, and the `sql123` definition can just be placed into -a module definition in the `mods-enabled/` directory. +is no longer used, and the `sql123` definition can just be placed as +a module definition into the `mods-enabled/` directory. == Redundant Expansions @@ -72,7 +72,7 @@ in a xref:xlat/index.adoc[dynamic expansion]: .Example of Redundant SQL module [source,unlang] ---- -&Reply-Message := %{sql123:SELECT message FROM table WHERE name='%{User-Name}'} +&Reply-Message := %sql123("SELECT message FROM table WHERE name='%{User-Name}'") } ---- diff --git a/doc/antora/modules/tutorials/pages/final_group_project.adoc b/doc/antora/modules/tutorials/pages/final_group_project.adoc index 2f0ee4d49d..0aa7c9f04f 100644 --- a/doc/antora/modules/tutorials/pages/final_group_project.adoc +++ b/doc/antora/modules/tutorials/pages/final_group_project.adoc @@ -177,7 +177,7 @@ The following backend modules have an built in authorization method: - `rest` - `sql` -The redis module has a string expansion %{redis:} which can be used +The redis module has a string expansion %redis() which can be used to retrieve a single value from the datastore. Call the backend module's authorize method (or run an appropriate expansion) to diff --git a/raddb/sites-available/resource-check b/raddb/sites-available/resource-check index 6640d86ae3..087698c8a1 100644 --- a/raddb/sites-available/resource-check +++ b/raddb/sites-available/resource-check @@ -121,15 +121,15 @@ recv Status-Server { if ("%sql('SELECT pg_is_in_recovery()')" != "f") { # Fail the db_online module, if it isn't already - if ("%{db_online:}" != "fail") { - %{db_online:fail} + if (%db_online() != "fail") { + %db_online(fail) } } else { # Set the db_online module status to alive, if it isn't already - if ("%{db_online:}" != "alive") { - %{db_online:alive} + if (%db_online() != "alive") { + %db_online(alive) } }