rewrite
Rewrite directive for modifying attribute values based on their current value
rewrite
Modifies the value of an attribute in place by applying a regular expression substitution. The current value of the attribute is matched against a regex pattern and the matched portion is replaced with a replacement string.
Syntax
rewrite <attribute> /<pattern>/ "<replacement>";
| Parameter | Description |
|---|---|
<attribute> | The attribute to read and rewrite, specified as a dotted accessor (e.g. aaa.identity, radiusproxy.request.attr.User-Name). The attribute must be in a writable namespace. |
/<pattern>/ | A regular expression pattern enclosed in forward slashes. Uses Rust regex syntax. Capture groups can be defined with parentheses (). Optional flags can be appended after the closing slash (e.g. /<pattern>/i). Lookahead and lookbehind assertions are not supported. |
"<replacement>" | A quoted replacement string. Use $1, $2, etc. to reference captured groups from the pattern. |
Regex flags
Flags can be appended after the closing slash of the pattern:
| Flag | Description |
|---|---|
i | Case-insensitive matching |
m | Multi-line mode (^ and $ match line boundaries) |
s | Dot matches newlines (enabled by default) |
x | Ignore whitespace in pattern |
Example with flag: rewrite aaa.identity /^([a-z]+)@.*/i "$1";
Action result
| Result | Condition |
|---|---|
true | The regex matched and the attribute value was rewritten. |
ignore | The attribute does not exist, or the regex did not match the current value. |
Examples
Strip realm from identity
Remove the domain portion from a user identity such as user1@example.com
so that only user1 remains:
aaa {
policy "DEFAULT" {
handler "AUTHENTICATION" {
authentication {
rewrite aaa.identity /^([^@]+).*/ "$1";
accept;
}
}
}
}
With an incoming identity of user1@example.com, the regex ^([^@]+).*
captures everything before the @ sign into group $1. The replacement "$1"
writes back only the captured portion, resulting in user1.