rewrite

Rewrite action for modifying attribute values based on their current value

rewrite

Modifies the value of an attribute in place by applying a regular expression substitution. The current value of the attribute is matched against a regex pattern and the matched portion is replaced with a replacement string.

Syntax

rewrite <attribute> /<pattern>/ "<replacement>";

Parameter	Description
`<attribute>`	The attribute to read and rewrite, specified as a dotted accessor (e.g. `aaa.identity`, `radiusproxy.request.attr.User-Name`). The attribute must be in a writable namespace.
`/<pattern>/`	A regular expression pattern enclosed in forward slashes. Uses Rust regex syntax. Capture groups can be defined with parentheses `()`. Optional flags can be appended after the closing slash (e.g. `/<pattern>/i`). Lookahead and lookbehind assertions are not supported.
`"<replacement>"`	A quoted replacement string. Use `$1`, `$2`, etc. to reference captured groups from the pattern.

Regex flags

Flags can be appended after the closing slash of the pattern:

Flag	Description
`g`	Global replacement (replace all matches)
`i`	Case-insensitive matching
`m`	Multi-line mode (`^` and `$` match line boundaries)
`s`	Dot matches newlines (enabled by default)
`x`	Ignore whitespace in pattern

Example with flag: rewrite aaa.identity /^([a-z]+)@.*/i "$1";

Action result

Result	Condition
`true`	The regex matched and the attribute value was rewritten.
`ignore`	The attribute does not exist, or the regex did not match the current value.

Examples

Strip realm from identity

Remove the domain portion from a user identity such as user1@example.com so that only user1 remains:

aaa {
    policy "DEFAULT" {
        handler "AUTHENTICATION" {
            authentication {
                rewrite aaa.identity /^([^@]+).*/ "$1";
                accept;
            }
        }
    }
}

With an incoming identity of user1@example.com, the regex ^([^@]+).* captures everything before the @ sign into group $1. The replacement "$1" writes back only the captured portion, resulting in user1.

Replace all occurrences

Remove all dashes from a phone number like 123-456-7890:

aaa {
    policy "DEFAULT" {
        handler "AUTHENTICATION" {
            authentication {
                rewrite aaa.identity /-/g "";
                accept;
            }
        }
    }
}

The g flag causes all matches of the pattern to be replaced, not just the first one. Without the g flag, only the first dash would be removed.

set - unconditionally assign a value to an attribute
replace - replace an attribute with a new value
modify - block syntax for multiple variable assignments
if - conditional execution based on attribute values