URL: https://github.com/SSSD/sssd/pull/226 Author: mzidek-rh Title: #226: Config check regex Action: opened
PR body: """
Some updates for src/config/cfg_rules.ini

The most controversial is the third patch. It removes the special rule for application domains and only uses the rule for normal domains in both application and normal domains. The reason is that the validator ini_allowed_options checks all sections that match the regex in section_re and allows only listed options. This is done for all rules that use that validator separately and there is no 'include' directive or anything like that. So we can either duplicate all the options from domain section or allow the one mistake where the inherit_from used in normal domain section will be undetected. I am more in favor of the second option, because adding inherit_from by mistake is unlikely and the rules look better this way. However it would be good to enhance the libini to add a solution for this by introducing the ability to somehow merge the rules.
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/226/head:pr226
git checkout pr226
From 74d1382e98852723e1611341020faef193aa85e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=BDidek?= <[email protected]> Date: Tue, 4 Apr 2017 18:01:02 +0200 Subject: [PATCH 1/3] VALIDATORS: Update domain section regex Update the domain section regex to catch special characters in domain name as a mistake. Resolves: https://pagure.io/SSSD/sssd/issue/3334 --- src/config/cfg_rules.ini | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index e47ff33..13e4adc 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini @@ -11,7 +11,7 @@ section = ifp section = secrets section = kcm section_re = ^secrets/users/[0-9]\+$ -section_re = ^domain/.*$ +section_re = ^domain/[0-9A-Za-z.]\+$ section_re = ^application/.*$ [rule/allowed_sssd_options] From 0590988a1396b7291cfb45aa112c61d069c43a5f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=BDidek?= <[email protected]> Date: Tue, 4 Apr 2017 19:01:57 +0200 Subject: [PATCH 2/3] VALIDATORS: Add subdomain section Add separate rule for subdomain sections. Resolves: https://pagure.io/SSSD/sssd/issue/3334 --- src/config/cfg_rules.ini | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index 13e4adc..81b023a 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini @@ -12,6 +12,7 @@ section = secrets section = kcm section_re = ^secrets/users/[0-9]\+$ section_re = ^domain/[0-9A-Za-z.]\+$ +section_re = ^domain/[0-9A-Za-z.]\+/[0-9A-Za-z.]\+$ section_re = ^application/.*$ [rule/allowed_sssd_options] 
@@ -698,3 +699,17 @@ validator = ini_allowed_options section_re = ^application/.*$ option = inherit_from + +[rule/allowed_subdomain_options] +validator = ini_allowed_options +section_re = ^domain/[0-9A-Za-z.]\+/[0-9A-Za-z.]\+$ + +option = ldap_search_base +option = ldap_user_search_base +option = ldap_group_search_base +option = ldap_netgroup_search_base +option = ldap_service_search_base +option = ad_server +option = ad_backup_server +option = ad_site +option = use_fully_qualified_names From 1745646e8086a97d48626c929aae360bf2c2f732 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=BDidek?= <[email protected]> Date: Tue, 4 Apr 2017 19:07:12 +0200 Subject: [PATCH 3/3] VALIDATORS: Remove application section domain Application domains can use the same options as normal domains section with one more additional option. We could either duplicate all options from the domain section also in the application domain section + add the one additional aoption or add this one option to the domain section even though it is not meant to be used there to avoid duplication of all domain options in the rule for application section. It would be could to enhance the validators in libini to allow something like 'include' section in order to avoid this issue in the future. Resolves: https://pagure.io/SSSD/sssd/issue/3356 --- src/config/cfg_rules.ini | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index 81b023a..3f04dc5 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini @@ -694,10 +694,7 @@ option = ldap_user_uid_number option = ldap_user_uuid option = ldap_use_tokengroups -[rule/allowed_application_options] -validator = ini_allowed_options -section_re = ^application/.*$ - +# For application domains option = inherit_from [rule/allowed_subdomain_options]
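Review bot: in patch 1/3, the character class in the added line "section_re = ^domain/[0-9A-Za-z.]\+$" contains neither "-" nor "_", so a section such as [domain/my-corp.example.com] (a constructed name) no longer matches the allowed-sections list and is reported as a mistake, although a hyphen is legal in a DNS label. Consider adding "-" and "_" to the class, or excluding only the characters that really are an error in a domain name (for example "/"), and add a test configuration with a hyphenated domain name. The neighbouring "section_re = ^application/.*$" line stays unrestricted, so the two section types are now validated differently; the commit message should say whether that is intended.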
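Review bot: in patch 2/3, the new [rule/allowed_subdomain_options] block lists nine options with no comment saying where the list comes from, so nothing tells a later contributor when an option has to be added here. Please add a comment above the block naming the source of truth for options that are valid in a subdomain section. The section_re in this block is a second literal copy of the pattern added to the allowed-sections list in the first hunk of the same patch; the two copies have to be changed together, and both carry the same [0-9A-Za-z.] class in each path component, so the hyphen question raised for patch 1/3 applies to both the parent and the subdomain name.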
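Review bot: in patch 3/3, the hunk deletes "section_re = ^application/.*$" together with the [rule/allowed_application_options] header and adds no replacement pattern, and the diffstat shows no other change. "option = inherit_from" therefore joins the preceding rule, whose section_re is outside this hunk. Unless that pattern already matches application/ sections, option names in application sections are no longer checked by any ini_allowed_options rule, so a misspelled option there goes unreported, while inherit_from becomes accepted in every section the preceding rule does match. Please either extend that rule's section_re to cover application sections in this patch or state in the commit message that it already does, and expand the "# For application domains" comment to say that inherit_from is tolerated in normal domain sections only to avoid duplicating the option list.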
