From 6c2a54bab71f2ba5c64cdd49f54167c6b6257a1e Mon Sep 17 00:00:00 2001 From: "Alan T. DeKok" Date: Fri, 6 Oct 2023 08:25:41 -0400 Subject: [PATCH] more move to new function syntax --- .../howto/pages/modules/ldap/authorization/groups.adoc | 6 +++--- .../modules/ldap/authorization/locating_the_user.adoc | 2 +- .../pages/modules/ldap/base_configuration/index.adoc | 4 ++-- .../modules/raddb/pages/sites-available/eap-aka-sim.adoc | 4 ++-- .../raddb/pages/sites-available/resource-check.adoc | 2 +- doc/antora/modules/reference/pages/unlang/edit.adoc | 2 +- doc/antora/modules/reference/pages/unlang/local.adoc | 6 +++--- doc/antora/modules/reference/pages/xlat/builtin.adoc | 6 +++--- doc/antora/modules/reference/pages/xlat/character.adoc | 2 +- .../modules/tutorials/pages/dynamic-translation.adoc | 8 ++++---- raddb/mods-available/linelog | 4 ++-- raddb/mods-available/mschap | 2 +- raddb/mods-config/perl/example.pl | 2 +- raddb/policy.d/debug | 8 ++++---- raddb/policy.d/operator-name | 4 ++-- raddb/sites-available/eap-aka-sim | 4 ++-- raddb/sites-available/resource-check | 2 +- 17 files changed, 34 insertions(+), 34 deletions(-) diff --git a/doc/antora/modules/howto/pages/modules/ldap/authorization/groups.adoc b/doc/antora/modules/howto/pages/modules/ldap/authorization/groups.adoc index a8293a7d80..fbd1e29cf6 100644 --- a/doc/antora/modules/howto/pages/modules/ldap/authorization/groups.adoc +++ b/doc/antora/modules/howto/pages/modules/ldap/authorization/groups.adoc @@ -129,7 +129,7 @@ specified as a DN, and if the directory implements _variant 2_, then the group would be specified by name. ==== -Group checks can be performed using the xlat `%(ldap.memberof:)`. +Group checks can be performed using the xlat `%ldap.memberof()`. Using this xlat, will, (if group caching is not enabled or the ldap module has not already been called) result in one or more queries being sent to the LDAP Directory to determine if the @@ -143,7 +143,7 @@ appropriately. [source,unlang] ---- -if (%(ldap.memberof:cn=foo,ou=groups,dc=example,dc=com) == true) { +if (%ldap.memberof(cn=foo,ou=groups,dc=example,dc=com) == true) { &reply.Reply-Message := "Welcome member of group 'foo'" } ---- @@ -152,7 +152,7 @@ if (%(ldap.memberof:cn=foo,ou=groups,dc=example,dc=com) == true) { [source,unlang] ---- -if (%(ldap.memberof:foo) == true) { +if (%ldap.memberof(foo) == true) { &reply.Reply-Message := "Welcome member of group 'foo'" } ---- diff --git a/doc/antora/modules/howto/pages/modules/ldap/authorization/locating_the_user.adoc b/doc/antora/modules/howto/pages/modules/ldap/authorization/locating_the_user.adoc index 5f31631f45..2bec592fbe 100644 --- a/doc/antora/modules/howto/pages/modules/ldap/authorization/locating_the_user.adoc +++ b/doc/antora/modules/howto/pages/modules/ldap/authorization/locating_the_user.adoc @@ -1,7 +1,7 @@ = Locating the user No matter how the LDAP module is called (via its `authorize`, `authenticate`, -`accounting` methods or the `%(ldap.memberof:)` xlat) the first operation the +`accounting` methods or the `%ldap.memberof()` xlat) the first operation the module performs it to populate `&control.LDAP-UserDN` with the location of the authenticating user's object in LDAP. diff --git a/doc/antora/modules/howto/pages/modules/ldap/base_configuration/index.adoc b/doc/antora/modules/howto/pages/modules/ldap/base_configuration/index.adoc index 23ab9e9f2e..d2ee36b851 100644 --- a/doc/antora/modules/howto/pages/modules/ldap/base_configuration/index.adoc +++ b/doc/antora/modules/howto/pages/modules/ldap/base_configuration/index.adoc @@ -110,7 +110,7 @@ server default { } ---- -Group checks may be performed using the xlat `%(ldap.memberof:)`. +Group checks may be performed using the xlat `%ldap.memberof()`. [source,unlang] ---- @@ -118,7 +118,7 @@ server default { ... recv Access-Request { ldap - if (%(ldap.memberof:cn=authorized_users,ou=groups,dc=example,dc=com) == true) { + if (%ldap.memberof(cn=authorized_users,ou=groups,dc=example,dc=com) == true) { reject } ... diff --git a/doc/antora/modules/raddb/pages/sites-available/eap-aka-sim.adoc b/doc/antora/modules/raddb/pages/sites-available/eap-aka-sim.adoc index f23085ef08..e4bb0c0ff7 100644 --- a/doc/antora/modules/raddb/pages/sites-available/eap-aka-sim.adoc +++ b/doc/antora/modules/raddb/pages/sites-available/eap-aka-sim.adoc @@ -302,7 +302,7 @@ modules. Usually this is not an issue because EAP Negotiation allows the supplicant and server to negotiate a mutually acceptable EAP type. If, however, you want to avoid the additional round trips involved in that negotiation, you can use -`%(aka_sim_id_method:%{User-Name})` in the top level virtual server, +`%aka_sim_id_method(%{User-Name})` in the top level virtual server, which will return the EAP method hinted by the identity, and then set `&control.EAP-Type` to an appropriate value before calling the EAP module. @@ -484,7 +484,7 @@ The following facilitates may be useful when generating pseudonym values: - The encrypt expansions of the `rlm_cipher` module. -- The `%(3gpp_pseudonym_encrypt:)` expansion. +- The `%3gpp_pseudonym_encrypt()` expansion. - The `%randstr()` expansion. NOTE: Add a `&reply.Next-Pseudonym-Id` attribute in this section to diff --git a/doc/antora/modules/raddb/pages/sites-available/resource-check.adoc b/doc/antora/modules/raddb/pages/sites-available/resource-check.adoc index 94732c2b2c..a1da89cf30 100644 --- a/doc/antora/modules/raddb/pages/sites-available/resource-check.adoc +++ b/doc/antora/modules/raddb/pages/sites-available/resource-check.adoc @@ -100,7 +100,7 @@ db_online control module. Other modules could be used here. -You can even invoke synchronous checks using the %(exec:...) xlat in +You can even invoke synchronous checks using the %exec(...) xlat in which case timeout should be set to less than the check trigger interval to avoid buildup of checks when resources do not respond. See rlm_exec for details. diff --git a/doc/antora/modules/reference/pages/unlang/edit.adoc b/doc/antora/modules/reference/pages/unlang/edit.adoc index ac2960e637..d0483d5ac4 100644 --- a/doc/antora/modules/reference/pages/unlang/edit.adoc +++ b/doc/antora/modules/reference/pages/unlang/edit.adoc @@ -86,7 +86,7 @@ retrieving data from a database. [source,unlang] ---- group { - &reply.Reply-Message += %(sql:SELECT ...) + &reply.Reply-Message += %sql("SELECT ...") &reply.Filter-Id := "foo" } ---- diff --git a/doc/antora/modules/reference/pages/unlang/local.adoc b/doc/antora/modules/reference/pages/unlang/local.adoc index 871fbd522b..de25bde0e6 100644 --- a/doc/antora/modules/reference/pages/unlang/local.adoc +++ b/doc/antora/modules/reference/pages/unlang/local.adoc @@ -38,7 +38,7 @@ Local variables _cannot_ be deleted. When the current scope exits, the local va if (&User-Name == "bob") { uint32 len - &len := %(length:%{User-Name}) + &len := %length(%{User-Name}) &Reply-Message := "Length of %{User-Name} is %{len}" } @@ -60,13 +60,13 @@ if (&User-Name == "bob") { } # "len" is created, and can now be used - &len := %(length:%{User-Name}) + &len := %length(%{User-Name}) &Reply-Message := "Length of %{User-Name} is %{len}" } ---- -The variable declaration and assignment must be sepaarted. Constructions like `uint32 len = %(length:%{User-Name})` are not allowed. +The variable declaration and assignment must be sepaarted. Constructions like `uint32 len = %length(%{User-Name})` are not allowed. // Copyright (C) 2023 Network RADIUS SAS. Licenced under CC-by-NC 4.0. // This documentation was developed by Network RADIUS SAS. diff --git a/doc/antora/modules/reference/pages/xlat/builtin.adoc b/doc/antora/modules/reference/pages/xlat/builtin.adoc index acdb42d7f1..a548a83dca 100644 --- a/doc/antora/modules/reference/pages/xlat/builtin.adoc +++ b/doc/antora/modules/reference/pages/xlat/builtin.adoc @@ -247,7 +247,7 @@ recv Access-Request { ... ``` -=== %(debug_attr:) +=== %debug_attr() Print to debug output all instances of current attribute, or all attributes in a list. expands to a zero-length string. @@ -260,7 +260,7 @@ expands to a zero-length string. ---- recv Access-Request { if (&request.User-Name == "bob") { - "%(debug_attr:request[*])" + "%debug_attr(request[*])" } ... } @@ -278,7 +278,7 @@ recv Access-Request { (0) &request.NAS-IP-Address = 127.0.1.1 (0) &request.NAS-Port = 1 (0) &request.Message-Authenticator = 0x9210ee447a9f4c522f5300eb8fc15e14 -(0) EXPAND %(debug_attr:request[*]) +(0) EXPAND %debug_attr(request[*]) (0) } # if (&request.User-Name == "bob") (...) ... ``` diff --git a/doc/antora/modules/reference/pages/xlat/character.adoc b/doc/antora/modules/reference/pages/xlat/character.adoc index 1c08a7b566..5df20e7956 100644 --- a/doc/antora/modules/reference/pages/xlat/character.adoc +++ b/doc/antora/modules/reference/pages/xlat/character.adoc @@ -35,7 +35,7 @@ since the Unix epoch. This expansion is only useful where the time resolution is in seconds. If more resolution is needed, the xref:xlat/builtin.adoc[builtin] -`%(time:...)` expansion should be used instead. +`%time(...)` expansion should be used instead. `%Y()`:: diff --git a/doc/antora/modules/tutorials/pages/dynamic-translation.adoc b/doc/antora/modules/tutorials/pages/dynamic-translation.adoc index 4d457e31b2..16cf7b67a0 100644 --- a/doc/antora/modules/tutorials/pages/dynamic-translation.adoc +++ b/doc/antora/modules/tutorials/pages/dynamic-translation.adoc @@ -22,7 +22,7 @@ top: ------------------------------------------------------------------------------- bob Password.Cleartext := "hello" - Callback-Id = "%(exec:/bin/echo Hello, there)" + Callback-Id = "%exec('/bin/echo', "Hello, there") ------------------------------------------------------------------------------- The `echo` program may be in `/usr/bin/echo`, depending on your local system. On @@ -43,7 +43,7 @@ the server should print messages similar to the following. (0) files : users: Matched entry bob at line 1 Executing: /bin/echo Hello, there: Program returned code (0) and output 'Hello, there' -(0) files : EXPAND %(exec:/bin/echo Hello, there) +(0) files : EXPAND %exec('/bin/echo', "Hello, there") (0) files : --> Hello, there (0) [files] = ok ------------------------------------------------------------------------------- @@ -81,11 +81,11 @@ You should use the `bob-login-one.sh` script to send a request to match the first entry and should send another request with a different NAS-Port. ------------------------------------------------------------------------------- -bob Password.Cleartext := "hello", NAS-Port == "%(exec:/usr/bin/id -u)" +bob Password.Cleartext := "hello", NAS-Port == "%exec('/usr/bin/id', '-u')" Reply-Message = "Your port is very nice.", Session-Timeout = "%{60 * 60}" -bob Password.Cleartext := "hello", NAS-Port != "%(exec:/usr/bin/id -u)" +bob Password.Cleartext := "hello", NAS-Port != "%exec('/usr/bin/id', '-u')" Reply-Message = "Your port is less nice.", Session-Timeout = "%{60 * 2}" ------------------------------------------------------------------------------- diff --git a/raddb/mods-available/linelog b/raddb/mods-available/linelog index 81e89c1cca..0eee660bbe 100644 --- a/raddb/mods-available/linelog +++ b/raddb/mods-available/linelog @@ -66,7 +66,7 @@ linelog { # # May be an attribute reference, e.g. `&User-Name`, or `xlat`, `literal` or `exec`. # - reference = "messages.%{&reply.Packet-Type || default}" + reference = "messages.%{&reply.Packet-Type || 'default'}" # # messages { ... }:: @@ -392,7 +392,7 @@ linelog log_accounting { permissions = 0600 } - reference = "Accounting-Request.%{&Acct-Status-Type || unknown}" + reference = "Accounting-Request.%{&Acct-Status-Type || 'unknown'}" # # Example for `Accounting-Request`. diff --git a/raddb/mods-available/mschap b/raddb/mods-available/mschap index 13d92a4cc5..6f688c353f 100644 --- a/raddb/mods-available/mschap +++ b/raddb/mods-available/mschap @@ -336,7 +336,7 @@ mschap { # TIP: We give both examples here, but *only one should be used*. # # local_cpw = %exec('/path/to/script', %mschap(User-Name), %{MS-CHAP-New-Password.Cleartext}) - local_cpw = %sql("UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{User-Name}' and attribute='Password.NT'") +# local_cpw = %sql("UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{User-Name}' and attribute='Password.NT'") } diff --git a/raddb/mods-config/perl/example.pl b/raddb/mods-config/perl/example.pl index 3fa1467467..8412765af4 100644 --- a/raddb/mods-config/perl/example.pl +++ b/raddb/mods-config/perl/example.pl @@ -126,7 +126,7 @@ sub authenticate { return RLM_MODULE_REJECT; } else { # Accept user and set some attribute - if (&radiusd::xlat("%(client:group)") eq 'UltraAllInclusive') { + if (&radiusd::xlat("%client(group)") eq 'UltraAllInclusive') { # User called from NAS with unlim plan set, set higher limits $RAD_REPLY{'h323-credit-amount'} = "1000000"; } else { diff --git a/raddb/policy.d/debug b/raddb/policy.d/debug index b106b8b81f..76420d3e7a 100644 --- a/raddb/policy.d/debug +++ b/raddb/policy.d/debug @@ -2,7 +2,7 @@ # Outputs the contents of the control list in debugging (-X) mode # debug_control { - if (%(debug_attr:control)) { + if (%debug_attr(control)) { noop } } @@ -11,7 +11,7 @@ debug_control { # Outputs the contents of the request list in debugging (-X) mode # debug_request { - if (%(debug_attr:request)) { + if (%debug_attr(request)) { noop } } @@ -20,7 +20,7 @@ debug_request { # Outputs the contents of the reply list in debugging (-X) mode # debug_reply { - if (%(debug_attr:reply)) { + if (%debug_attr(reply)) { noop } } @@ -29,7 +29,7 @@ debug_reply { # Outputs the contents of the session state list in debugging (-X) mode # debug_session_state { - if (%(debug_attr:session-state)) { + if (%debug_attr(session-state)) { noop } } diff --git a/raddb/policy.d/operator-name b/raddb/policy.d/operator-name index d3abae9b3a..9cba1a86dd 100644 --- a/raddb/policy.d/operator-name +++ b/raddb/policy.d/operator-name @@ -26,7 +26,7 @@ # an Operator-Name attribute # operator-name.authorize { - if ("%(client:Operator-Name)") { - &request.Operator-Name = "%(client:Operator-Name)" + if ("%client(Operator-Name)") { + &request.Operator-Name = "%client(Operator-Name)" } } diff --git a/raddb/sites-available/eap-aka-sim b/raddb/sites-available/eap-aka-sim index 8f49bce7d8..0a82460e72 100644 --- a/raddb/sites-available/eap-aka-sim +++ b/raddb/sites-available/eap-aka-sim @@ -332,7 +332,7 @@ server eap-aka-sim { # allows the supplicant and server to negotiate a mutually acceptable # EAP type. If, however, you want to avoid the additional round trips # involved in that negotiation, you can use - # `%(aka_sim_id_method:%{User-Name})` in the top level virtual server, + # `%aka_sim_id_method(%{User-Name})` in the top level virtual server, # which will return the EAP method hinted by the identity, and then # set `&control.EAP-Type` to an appropriate value before calling the # EAP module. @@ -529,7 +529,7 @@ server eap-aka-sim { # values: # # - The encrypt expansions of the `rlm_cipher` module. - # - The `%(3gpp_pseudonym_encrypt:)` expansion. + # - The `%3gpp_pseudonym_encrypt()` expansion. # - The `%randstr()` expansion. # # NOTE: Add a `&reply.Next-Pseudonym-Id` attribute in this section to diff --git a/raddb/sites-available/resource-check b/raddb/sites-available/resource-check index 087698c8a1..f61a335255 100644 --- a/raddb/sites-available/resource-check +++ b/raddb/sites-available/resource-check @@ -113,7 +113,7 @@ recv Status-Server { # # Other modules could be used here. # - # You can even invoke synchronous checks using the %(exec:...) xlat in + # You can even invoke synchronous checks using the %exec(...) xlat in # which case timeout should be set to less than the check trigger # interval to avoid buildup of checks when resources do not respond. # See rlm_exec for details. -- 2.47.2