nemesifier · December 11, 2022 13:01 · Tayyab-Ilahi12 · Sep 13, 2022
diff --git a/rml_rest.conf b/rml_rest.conf
 # /etc/freeradius/mods-enabled/rest

 rest {
 	#
 	#  This subsection configures the tls related items
 	#  that control how FreeRADIUS connects to a HTTPS
 	#  server.
 	#
 	tls {
 #		ca_file	= ${certdir}/cacert.pem
 #		ca_path	= ${certdir}
 #		certificate_file        = /path/to/radius.crt
 #		private_key_file	= /path/to/radius.key
 #		private_key_password	= "supersecret"
 #		random_file		= /dev/urandom
 		#  Server certificate verification requirements.  Can be:
 		#    "no"  (don't even bother trying)
 		#    "yes" (verify the cert was issued by one of the
 		#	   trusted CAs)
 		#
 		#  The default is "yes"
 #		check_cert = no
 		#  Server certificate CN verification requirements.  Can be:
 		#    "no"  (don't even bother trying)
 		#    "yes" (verify the CN in the certificate matches the host
 		#	   in the URI)
 		#
 		#  The default is "yes"
 #		check_cert_cn = no
 	}

 	# rlm_rest will open a connection to the server specified in connect_uri
 	# to populate the connection cache, ready for the first request.
 	# The server will not start if the server specified is unreachable.
 	#
 	# If you wish to disable this pre-caching and reachability check,
 	# comment out the configuration item below.
 	connect_uri = "https://ninux.nodeshot.org"

 	#
 	#  How long before new connection attempts timeout, defaults to 4.0 seconds.
 	#
 #	connect_timeout = 4.0

 	#
 	#  The following config items can be used in each of the sections.
 	#  The sections themselves reflect the sections in the server.
 	#  For example if you list rest in the authorize section of a virtual server,
 	#  the settings from the authorize section here will be used.
 	#
 	#  The following config items may be listed in any of the sections:
 	#    uri          - to send the request to.
 	#    method       - HTTP method to use, one of 'get', 'post', 'put', 'patch',
 	#                   'delete' or any custom HTTP method.
 	#    body         - The format of the HTTP body sent to the remote server.
 	#                   May be 'none', 'post' or 'json', defaults to 'none'.
 	#    data         - Send custom freeform data in the HTTP body. Content-type
 	#                   may be specified with 'body'. Will be expanded.
 	#                   Values from expansion will not be escaped, this should be
 	#                   done using the appropriate xlat method e.g. %{urlencode:<attr>}.
 	#    force_to     - Force the response to be decoded with this decoder.
 	#                   May be 'plain' (creates reply:REST-HTTP-Body), 'post'
 	#                   or 'json'.
 	#    tls          - TLS settings for HTTPS.
 	#    auth         - HTTP auth method to use, one of 'none', 'srp', 'basic',
 	#                   'digest', 'digest-ie', 'gss-negotiate', 'ntlm',
 	#                   'ntlm-winbind', 'any', 'safe'. defaults to 'none'.
 	#    username     - User to authenticate as, will be expanded.
 	#    password     - Password to use for authentication, will be expanded.
 	#    require_auth - Require HTTP authentication.
 	#    timeout      - HTTP request timeout in seconds, defaults to 4.0.
 	#
 	#  Additional HTTP headers may be specified with control:REST-HTTP-Header.
 	#  The values of those attributes should be in the format:
 	#    <attribute>: <value>
 	#
 	#  control:REST-HTTP-Header attributes will be consumed after each call
 	#  to the rest module, and each %{rest:} expansion.

 	#
 	#  Body encodings are the same for requests and responses
 	#
 	#  POST - All attributes and values are urlencoded
 	#  [outer.][<list>:]<attribute0>=<value0>&[outer.][<list>:]<attributeN>=<valueN>
 	#
 	#  JSON - All attributes and values are escaped according to the JSON specification
 	#  {
 	#      "<attribute0>":{
 	#          "type":"<type0>",
 	#          "value":[<value0>,<value1>,<valueN>]
 	#      },
 	#      "<attribute1>":{
 	#          "type":"<type1>",
 	#          "value":[...]
 	#      },
 	#      "<attributeN>":{
 	#          "type":"<typeN>",
 	#          "value":[...]
 	#      },
 	#  }
 	#
 	#  The response format adds three optional fields:
 	#  - do_xlat	If true, any values will be xlat expanded. Defaults to true.
 	#  - is_json	If true, any nested JSON data will be copied to the attribute
 	#               in string form. Defaults to true.
 	#  - op	        Controls how the attribute is inserted into the target list.
 	#               Defaults to ':='.
 	#  {
 	#      "<attribute0>":{
 	#          "is_json":<bool>,
 	#          "do_xlat":<bool>,
 	#          "op":"<operator>",
 	#          "value":[<value0>,<value1>,<valueN>]
 	#      },
 	#      "<attribute1>":"value",
 	#      "<attributeN>":[<value0>,<value1>,<valueN>]
 	#  }

 	#
 	#  Module return codes are determined by HTTP response codes. These vary depending on the
 	#  section.
 	#
 	#  If the body is processed and found to be malformed or unsupported fail will be returned.
 	#  If the body is processed and found to contain attribute updated will be returned,
 	#  except in the case of a 401 code.
 	#

 	#  Authorize/Authenticate
 	#
 	#  Code   Meaning       Process body  Module code
 	#  404    not found     no            notfound
 	#  410    gone          no            notfound
 	#  403    forbidden     no            userlock
 	#  401    unauthorized  yes           reject
 	#  204    no content    no            ok
 	#  2xx    successful    yes           ok/updated
 	#  5xx    server error  no            fail
 	#  xxx    -             no            invalid
 	authorize {
 		uri = "${..connect_uri}/api/v1/account/login/?format=json"
 		method = 'post'
    body = 'json'
 		data = '{"username": "%{User-Name}", "password": "%{User-Password}", "remember": false}'
 		tls = ${..tls}
 	}
 	authenticate {
 		uri = "${..connect_uri}/api/v1/account/login/?format=json"
 		method = 'post'
 		body = 'json'
    data = '{"username": "%{User-Name}", "password": "%{User-Password}", "remember": false}'
 		tls = ${..tls}
 	}

 	#  Accounting/Post-auth
 	#
 	#  Code   Meaning       Process body  Module code
 	#  204    no content    no            ok
 	#  2xx    successful    yes           ok/updated
 	#  5xx    server error  no            fail
 	#  xxx    -             no            invalid
 	accounting {
 		uri = "${..connect_uri}/user/%{User-Name}/sessions/%{Acct-Unique-Session-ID}"
 		method = 'post'
 		tls = ${..tls}
 	}
 	post-auth {
 		uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=post-auth"
 		method = 'post'
 		tls = ${..tls}
 	}

 	#
 	#  The connection pool is new for 3.0, and will be used in many
 	#  modules, for all kinds of connection-related activity.
 	#
 	pool {
 		#  Connections to create during module instantiation.
 		#  If the server cannot create specified number of
 		#  connections during instantiation it will exit.
 		#  Set to 0 to allow the server to start without the
 		#  web service being available.
 		start = ${thread[pool].start_servers}

 		#  Minimum number of connections to keep open
 		min = ${thread[pool].min_spare_servers}

 		#  Maximum number of connections
 		#
 		#  If these connections are all in use and a new one
 		#  is requested, the request will NOT get a connection.
 		#
 		#  Setting 'max' to LESS than the number of threads means
 		#  that some threads may starve, and you will see errors
 		#  like 'No connections available and at max connection limit'
 		#
 		#  Setting 'max' to MORE than the number of threads means
 		#  that there are more connections than necessary.
 		max = ${thread[pool].max_servers}

 		#  Spare connections to be left idle
 		#
 		#  NOTE: Idle connections WILL be closed if "idle_timeout"
 		#  is set.  This should be less than or equal to "max" above.
 		spare = ${thread[pool].max_spare_servers}

 		#  Number of uses before the connection is closed
 		#
 		# 0 means "infinite"
 		uses = 0

 		#  The number of seconds to wait after the server tries
 		#  to open a connection, and fails.  During this time,
 		#  no new connections will be opened.
 		retry_delay = 30

 		#  The lifetime (in seconds) of the connection
 		lifetime = 0

 		#  idle timeout (in seconds).  A connection which is
 		#  unused for this length of time will be closed.
 		idle_timeout = 60

 		#  NOTE: All configuration settings are enforced.  If a
 		#  connection is closed because of "idle_timeout",
 		#  "uses", or "lifetime", then the total number of
 		#  connections MAY fall below "min".  When that
 		#  happens, it will open a new connection.  It will
 		#  also log a WARNING message.
 		#
 		#  The solution is to either lower the "min" connections,
 		#  or increase lifetime/idle_timeout.
 	}
 }
	# /etc/freeradius/mods-enabled/rest

	rest {
	#
	# This subsection configures the tls related items
	# that control how FreeRADIUS connects to a HTTPS
	# server.
	#
	tls {
	# ca_file = ${certdir}/cacert.pem
	# ca_path = ${certdir}
	# certificate_file = /path/to/radius.crt
	# private_key_file = /path/to/radius.key
	# private_key_password = "supersecret"
	# random_file = /dev/urandom
	# Server certificate verification requirements. Can be:
	# "no" (don't even bother trying)
	# "yes" (verify the cert was issued by one of the
	# trusted CAs)
	#
	# The default is "yes"
	# check_cert = no
	# Server certificate CN verification requirements. Can be:
	# "no" (don't even bother trying)
	# "yes" (verify the CN in the certificate matches the host
	# in the URI)
	#
	# The default is "yes"
	# check_cert_cn = no
	}

	# rlm_rest will open a connection to the server specified in connect_uri
	# to populate the connection cache, ready for the first request.
	# The server will not start if the server specified is unreachable.
	#
	# If you wish to disable this pre-caching and reachability check,
	# comment out the configuration item below.
	connect_uri = "https://ninux.nodeshot.org"

	#
	# How long before new connection attempts timeout, defaults to 4.0 seconds.
	#
	# connect_timeout = 4.0

	#
	# The following config items can be used in each of the sections.
	# The sections themselves reflect the sections in the server.
	# For example if you list rest in the authorize section of a virtual server,
	# the settings from the authorize section here will be used.
	#
	# The following config items may be listed in any of the sections:
	# uri - to send the request to.
	# method - HTTP method to use, one of 'get', 'post', 'put', 'patch',
	# 'delete' or any custom HTTP method.
	# body - The format of the HTTP body sent to the remote server.
	# May be 'none', 'post' or 'json', defaults to 'none'.
	# data - Send custom freeform data in the HTTP body. Content-type
	# may be specified with 'body'. Will be expanded.
	# Values from expansion will not be escaped, this should be
	# done using the appropriate xlat method e.g. %{urlencode:<attr>}.
	# force_to - Force the response to be decoded with this decoder.
	# May be 'plain' (creates reply:REST-HTTP-Body), 'post'
	# or 'json'.
	# tls - TLS settings for HTTPS.
	# auth - HTTP auth method to use, one of 'none', 'srp', 'basic',
	# 'digest', 'digest-ie', 'gss-negotiate', 'ntlm',
	# 'ntlm-winbind', 'any', 'safe'. defaults to 'none'.
	# username - User to authenticate as, will be expanded.
	# password - Password to use for authentication, will be expanded.
	# require_auth - Require HTTP authentication.
	# timeout - HTTP request timeout in seconds, defaults to 4.0.
	#
	# Additional HTTP headers may be specified with control:REST-HTTP-Header.
	# The values of those attributes should be in the format:
	# <attribute>: <value>
	#
	# control:REST-HTTP-Header attributes will be consumed after each call
	# to the rest module, and each %{rest:} expansion.

	#
	# Body encodings are the same for requests and responses
	#
	# POST - All attributes and values are urlencoded
	# [outer.][<list>:]<attribute0>=<value0>&[outer.][<list>:]<attributeN>=<valueN>
	#
	# JSON - All attributes and values are escaped according to the JSON specification
	# {
	# "<attribute0>":{
	# "type":"<type0>",
	# "value":[<value0>,<value1>,<valueN>]
	# },
	# "<attribute1>":{
	# "type":"<type1>",
	# "value":[...]
	# },
	# "<attributeN>":{
	# "type":"<typeN>",
	# "value":[...]
	# },
	# }
	#
	# The response format adds three optional fields:
	# - do_xlat If true, any values will be xlat expanded. Defaults to true.
	# - is_json If true, any nested JSON data will be copied to the attribute
	# in string form. Defaults to true.
	# - op Controls how the attribute is inserted into the target list.
	# Defaults to ':='.
	# {
	# "<attribute0>":{
	# "is_json":<bool>,
	# "do_xlat":<bool>,
	# "op":"<operator>",
	# "value":[<value0>,<value1>,<valueN>]
	# },
	# "<attribute1>":"value",
	# "<attributeN>":[<value0>,<value1>,<valueN>]
	# }

	#
	# Module return codes are determined by HTTP response codes. These vary depending on the
	# section.
	#
	# If the body is processed and found to be malformed or unsupported fail will be returned.
	# If the body is processed and found to contain attribute updated will be returned,
	# except in the case of a 401 code.
	#

	# Authorize/Authenticate
	#
	# Code Meaning Process body Module code
	# 404 not found no notfound
	# 410 gone no notfound
	# 403 forbidden no userlock
	# 401 unauthorized yes reject
	# 204 no content no ok
	# 2xx successful yes ok/updated
	# 5xx server error no fail
	# xxx - no invalid
	authorize {
	uri = "${..connect_uri}/api/v1/account/login/?format=json"
	method = 'post'
	body = 'json'
	data = '{"username": "%{User-Name}", "password": "%{User-Password}", "remember": false}'
	tls = ${..tls}
	}
	authenticate {
	uri = "${..connect_uri}/api/v1/account/login/?format=json"
	method = 'post'
	body = 'json'
	data = '{"username": "%{User-Name}", "password": "%{User-Password}", "remember": false}'
	tls = ${..tls}
	}

	# Accounting/Post-auth
	#
	# Code Meaning Process body Module code
	# 204 no content no ok
	# 2xx successful yes ok/updated
	# 5xx server error no fail
	# xxx - no invalid
	accounting {
	uri = "${..connect_uri}/user/%{User-Name}/sessions/%{Acct-Unique-Session-ID}"
	method = 'post'
	tls = ${..tls}
	}
	post-auth {
	uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=post-auth"
	method = 'post'
	tls = ${..tls}
	}

	#
	# The connection pool is new for 3.0, and will be used in many
	# modules, for all kinds of connection-related activity.
	#
	pool {
	# Connections to create during module instantiation.
	# If the server cannot create specified number of
	# connections during instantiation it will exit.
	# Set to 0 to allow the server to start without the
	# web service being available.
	start = ${thread[pool].start_servers}

	# Minimum number of connections to keep open
	min = ${thread[pool].min_spare_servers}

	# Maximum number of connections
	#
	# If these connections are all in use and a new one
	# is requested, the request will NOT get a connection.
	#
	# Setting 'max' to LESS than the number of threads means
	# that some threads may starve, and you will see errors
	# like 'No connections available and at max connection limit'
	#
	# Setting 'max' to MORE than the number of threads means
	# that there are more connections than necessary.
	max = ${thread[pool].max_servers}

	# Spare connections to be left idle
	#
	# NOTE: Idle connections WILL be closed if "idle_timeout"
	# is set. This should be less than or equal to "max" above.
	spare = ${thread[pool].max_spare_servers}

	# Number of uses before the connection is closed
	#
	# 0 means "infinite"
	uses = 0

	# The number of seconds to wait after the server tries
	# to open a connection, and fails. During this time,
	# no new connections will be opened.
	retry_delay = 30

	# The lifetime (in seconds) of the connection
	lifetime = 0

	# idle timeout (in seconds). A connection which is
	# unused for this length of time will be closed.
	idle_timeout = 60

	# NOTE: All configuration settings are enforced. If a
	# connection is closed because of "idle_timeout",
	# "uses", or "lifetime", then the total number of
	# connections MAY fall below "min". When that
	# happens, it will open a new connection. It will
	# also log a WARNING message.
	#
	# The solution is to either lower the "min" connections,
	# or increase lifetime/idle_timeout.
	}
	}