
Filters

Transform and modify values in expressions and format strings

The following filters are supported:

  • hex: Converts a string or a byte value into a hexadecimal string
  • string: Converts a non-string or a byte value into a string
  • uppercase: Converts a string value into uppercase
  • lowercase: Converts a string value into lowercase
  • value: Converts to a raw value format
  • printable: Converts byte data to a printable ASCII string
  • normalize_mac: Normalizes MAC address format
  • escape_double_quotes: Escapes double quotes in a string
  • ldap_dn_escape: Escapes special characters in LDAP distinguished names
  • substring: Extracts a substring from the value
  • default: Provides a default value if the attribute is empty or doesn't exist
  • ldap_escape: Escapes special characters in LDAP search strings
  • url_escape: Performs URL encoding on the string
  • xml_escape: Escapes special characters in XML content
  • type: Gets internal type information of a value
  • default(<default value>): Provides a default value if the value is none
  • json: Parses a string value to JSON
  • jsonpath("<jsonpath expression>"): Extracts a value from JSON using a JSONPath expression
  • regex: Parses a string value to a regex
  • recover(<fallback>): If a filter fails, use this to recover from the error using the fallback value
  • join(<separator>): Joins array elements into a single string using the specified separator
  • reveal: Reveals masked passwords. Example: radius.request.password | reveal
    • NOTE: Masked passwords can be compared directly without revealing them!

Usage

Filters can be used in any expression. The syntax is:

modify {
    radius.reply.attr.Alc-Subsc-ID-Str = vars.subscriber_id | substring(2, 10) | uppercase;
}

It is also possible to use filters in format strings:

modify {
    radius.reply.attr.Alc-Subsc-ID-Str = "FIBER.%{ vars.subscriber_id | substring(2, 10) | uppercase }";
}
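
The escaping filters in the list above keep a value from changing the structure of a query when it is spliced in through a format string. The Python sketch below is an added example, not code from this page or its product: it applies the standard RFC 4515 (search filter) and RFC 4514 (distinguished name) rules, which ldap_escape and ldap_dn_escape are assumed to follow, to constructed sample values; the uid= filter and the example.org DN are hypothetical.

```python
# Added illustration: RFC 4515 (search filter) and RFC 4514 (DN) escaping.
# Assumption: the page's ldap_escape / ldap_dn_escape filters follow these rules.

FILTER_SPECIALS = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
DN_SPECIALS = set('"+,;<>\\')


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(FILTER_SPECIALS.get(ch, ch) for ch in value)


def ldap_dn_escape(value: str) -> str:
    """Escape an attribute value for use inside a distinguished name (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append(r"\00")
        elif ch in DN_SPECIALS:
            out.append("\\" + ch)
        elif (i == 0 and ch in " #") or (i == last and ch == " "):
            # Leading space or '#', and trailing space, must also be escaped.
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_filter(user: str, escape: bool = True) -> str:
    """Build a (uid=...) filter the way a format string would splice the value in."""
    return "(uid=%s)" % (ldap_filter_escape(user) if escape else user)


def build_dn(user: str) -> str:
    """Build a DN under a hypothetical ou=people,dc=example,dc=org base."""
    return "uid=%s,ou=people,dc=example,dc=org" % ldap_dn_escape(user)


# Constructed sample values, not taken from the page.
SAMPLES = ["alice", "a*", "smith, j (ops)", " lead+trail "]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s))
        print("  filter, unescaped:", build_filter(s, escape=False))
        print("  filter, escaped:  ", build_filter(s))
        print("  dn, escaped:      ", build_dn(s))
```

Filter escaping leaves the comma alone and DN escaping leaves the parentheses alone, so each rule set only protects the context it is named for.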

Working with JSON data

The jsonpath filter only works with JSON data. Some backends may return JSON data directly, but if the data is in string format, it needs to be parsed first using the json filter.

modify {
    vars.user_name = vars.user_data | json | jsonpath("$.name");
}

If you need to call jsonpath multiple times on the same JSON data, it's more efficient to first parse the JSON and store it in a variable:

modify {
    vars.user_json = vars.user_data | json;
    vars.user_name = vars.user_json | jsonpath("$.name");
    vars.user_email = vars.user_json | jsonpath("$.email");
}

Error handling

A filter can fail, for example when the json filter is given invalid input or the regex filter is given an invalid regex. A failed filter produces an error value.

You may recover from these errors using the recover filter. For example:

modify {
    vars.user_json = vars.user_data | json | recover("{\"name\": \"unknown\"}" | json);
    vars.user_name = vars.user_json | jsonpath("$.name");
}

Filter errors do not immediately cause an execution pipeline error. However, assigning an error value, for example to a RADIUS reply attribute, causes a pipeline error and the authentication is rejected. Error values may still be logged.

The error value is false in all comparison operations, and all filters just pass it through.