Radiator Server Documentation — v10.33.3

rewrite

Rewrite action for modifying attribute values based on their current value

Table of Contents
  • rewrite
  • Syntax
  • Regex flags
  • Action result
  • Examples
  • Strip realm from identity
  • Replace all occurrences
  • Related

rewrite

Modifies the value of an attribute in place by applying a regular expression substitution. The current value of the attribute is matched against a regex pattern and the matched portion is replaced with a replacement string.

Syntax

rewrite <attribute> /<pattern>/ "<replacement>";
ParameterDescription
<attribute>The attribute to read and rewrite, specified as a dotted accessor (e.g. aaa.identity, radiusproxy.request.attr.User-Name). The attribute must be in a writable namespace.
/<pattern>/A regular expression pattern enclosed in forward slashes. Uses Rust regex syntax. Capture groups can be defined with parentheses (). Optional flags can be appended after the closing slash (e.g. /<pattern>/i). Lookahead and lookbehind assertions are not supported.
"<replacement>"A quoted replacement string. Use $1, $2, etc. to reference captured groups from the pattern.

Regex flags

Flags can be appended after the closing slash of the pattern:

FlagDescription
gGlobal replacement (replace all matches)
iCase-insensitive matching
mMulti-line mode (^ and $ match line boundaries)
sDot matches newlines (enabled by default)
xIgnore whitespace in pattern

Example with flag: rewrite aaa.identity /^([a-z]+)@.*/i "$1";

Action result

The rewrite action modifies an attribute in place and preserves the previous action result. This is true whether the value is rewritten, the attribute is missing, or the regex does not match.

Examples

Strip realm from identity

Remove the domain portion from a user identity such as user1@example.com so that only user1 remains:

aaa {
    policy "DEFAULT" {
        handler "AUTHENTICATION" {
            authentication {
                rewrite aaa.identity /^([^@]+).*/ "$1";
                accept;
            }
        }
    }
}

With an incoming identity of user1@example.com, the regex ^([^@]+).* captures everything before the @ sign into group $1. The replacement "$1" writes back only the captured portion, resulting in user1.

Replace all occurrences

Remove all dashes from a phone number like 123-456-7890:

aaa {
    policy "DEFAULT" {
        handler "AUTHENTICATION" {
            authentication {
                rewrite aaa.identity /-/g "";
                accept;
            }
        }
    }
}

The g flag causes all matches of the pattern to be replaced, not just the first one. Without the g flag, only the first dash would be removed.

  • set - unconditionally assign a value to an attribute
  • replace - replace an attribute with a new value
  • modify - block syntax for multiple variable assignments
  • if - conditional execution based on attribute values
Table of Contents
Navigation
Home

  • accept

  • append

  • assert

  • backend

  • challenge

  • chap

  • conditions

  • copy

  • count

  • debug

  • discard

  • EAP

  • error

  • filter

  • hotp

  • http-basic-auth

  • if

  • ignore

  • invoke

  • log

  • map

  • message

  • modify

  • mschap

  • mschapv2

  • must

  • pap

  • reason

  • reject

  • reject_errors

  • replace

  • reply

  • rewrite

  • set

  • sleep

  • sometimes

  • stop

  • totp

  • trace

  • try

  • until

  • yubikey

Navigation
Home