Search code examples
jsonrestapirestful-authenticationfreeradius

freeradius 3.0.17 rlm_rest parsing json response

I'm trying to authenticate RADIUS Requests against a RESTful API (provided by Customer) using rlm_rest.

The problem I am facing is that response JSON format (of REST API provided by Customer), is different from rlm_rest default format (indicated in etc/raddb/mods-enabled/rest).

My Virtual Server configuration as below:

Default

authorize {
...
...
rest
if (ok) {
    update control {
        Auth-Type := rest
        }
    }
}

mods-enabled/rest

authorize {
    uri = "https://3rd-party-API/auth"
    method = 'post'
    body = 'json'
    chunk = 0
    tls = ${..tls}
    data = '{
        "code": 1,
        "identifier": %I,
        "avps": {
            "User-Name": ["%{User-Name}"],
            "NAS-IP-Address": ["%{NAS-IP-Address}"],
            "Called-Station-Id": ["%{Called-Station-Id}"],
            "Calling-Station-Id": ["%{Calling-Station-Id}"],
            "NAS-Identifier": ["%{NAS-Identifier}"]
        }
    }'
}

Result

/sbin/radiusd -Xxx

HTTP response code

200

JSON Body

{
    "code": "2",
    "identifier": "91",
    "avps": {
        "Customer-Attributes": "Hello"
        ...
        ...
        "Acct-Interim-Interval": "300"
    }
}

The JSON structure is different from the example, and xlat parse "code" "identifier" "avps"

And, of course, xlat finds no attributes match with the dictionary, while it cannot find "avps" and won't dig deeper.

So I was wondering is there anyway to either

  1. Define the response JSON structure for xlat to parsing
  2. Insert a "is_json" or "do_xlat" flag into the JSON ("avps"), and hope xlat will then dig deeper
  3. Save the JSON and parse with exec/rlm_exec (using JQ or any other bash/JSON tools)

Please advise if there is any workaround. Thanks!

Solution

  • In FreeRADIUS version 4, there's a rlm_json module, which implements a custom node query language based on xpath (jpath), it is extremely limited and only supports some very basic queries (feel free to enhance it via PR :) ).

    Below is an example I pulled out of my library of customer configurations. You can see here it's pulling out two keys (externalID and macAddress) from the root level of the JSON doc and assigning them to a couple of custom attributes (Subscriber-ID and Provisioned-MAC).

    map json "%{rest_api:https://${modules.rest[rest_api].server}/admin/api/${modules.rest[rest_api].api_key}/external/getDeviceBySerialNumber?certificateSerialNumber=%{lpad:&TLS-Client-Cert-Serial 40 0}}" {
    &Subscriber-ID := '$.externalId'
    &Provisioned-MAC := '$.macAddress'
}

    The xlat expansion can also be modified to send HTTP body data. Just put a space after the URL and pass your custom JSON blob.