URL: https://github.com/SSSD/sssd/pull/53
Author: fidencio
 Title: #53: Fixes in the config API related to secrets responder
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/53/head:pr53
git checkout pr53
From 1f1b205991b51667d02c589627d880d92063dedb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fiden...@redhat.com>
Date: Mon, 17 Oct 2016 17:07:56 +0200
Subject: [PATCH 1/2] SECRETS: Fix secrets rule in the allowed sections
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We have been matching an invalid subsection of the secrets' section,
like:
[secrets/users/]

Let's ensure that we only match the following cases:
[secrets]
[secrets/users/[0-9]+]

Signed-off-by: Fabiano FidĂȘncio <fiden...@redhat.com>
---
 src/config/cfg_rules.ini | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index b6316be..23dda12 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -8,7 +8,7 @@ section = autofs
 section = ssh
 section = pac
 section = ifp
-section_re = ^secrets\(/users/\([0-9]\+\)\?\)\?$
+section_re = ^secrets\(/users/[0-9]\+\)\?$
 section_re = ^domain/.*$
 
 [rule/allowed_sssd_options]
@@ -212,7 +212,7 @@ option = user_attributes
 
 [rule/allowed_sec_options]
 validator = ini_allowed_options
-section_re = ^secrets\(/users/\([0-9]\+\)\?\)\?$
+section_re = ^secrets\(/users/[0-9]\+\)\?$
 
 option = timeout
 option = debug

From 9b289639cd318b166eaf89fb02737480638f9b74 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fiden...@redhat.com>
Date: Mon, 17 Oct 2016 18:58:50 +0200
Subject: [PATCH 2/2] SECRETS: Add allowed_sec_users_options
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

There are options (the proxying related ones) that only apply to the
secrets' subsections. In order to make config API able to catch those,
let's create a new section called allowed_sec_users_options) and move
there these proxying options.

Signed-off-by: Fabiano FidĂȘncio <fiden...@redhat.com>
---
 src/config/cfg_rules.ini | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 23dda12..0aecf7e 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -210,9 +210,10 @@ option = description
 option = allowed_uids
 option = user_attributes
 
+# Secrets service
 [rule/allowed_sec_options]
 validator = ini_allowed_options
-section_re = ^secrets\(/users/[0-9]\+\)\?$
+section_re = ^secrets$
 
 option = timeout
 option = debug
@@ -225,11 +226,14 @@ option = reconnection_retries
 option = fd_limit
 option = client_idle_timeout
 option = description
-
-# Secrets service
 option = provider
 option = containers_nest_level
 option = max_secrets
+
+[rule/allowed_sec_users_options]
+validator = ini_allowed_options
+section_re = ^secrets/users/[0-9]\+$
+
 # Secrets service - proxy
 option = proxy_url
 option = auth_type
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

Reply via email to