util: Improve re_expression defaults #6646

Closed

@thalman thalman commented Mar 24, 2023

The original defaults of re_expressions did not use "^" so they
may skip/ignore some leading characters (@ and \).

The new defaults use ^ and $ to be sure that all characters
are used.

Resolves: #6635

src/util/util.h Outdated
@@ -250,11 +250,11 @@ struct sss_names_ctx {
sss_regexp_t *re;
};

#define SSS_DEFAULT_RE "(?P<name>[^@]+)@?(?P<domain>[^@]*$)"
#define SSS_DEFAULT_RE "^((?P<name>.+)@(?P<domain>[^@]*)|(?P<name>[^@]+))$"
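
Review bot: In the new SSS_DEFAULT_RE, the qualified branch (?P<name>.+)@(?P<domain>[^@]*) is looser than the short-name branch: .+ lets the name begin with or contain @, and [^@]* lets the domain be empty, so an input of the form name@ still matches. If only the short form is meant to reject @, state that in a comment next to the define, and consider [^@]+ for the domain so an empty domain is a no-match. The group name "name" is also defined in both alternatives, which compiles only when the regex engine is told to allow duplicate names, so it is worth confirming that every caller of this default compiles it with that option.
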
Contributor

IIUC, this regex accepts the expression name@ as valid and considers the domain to be an empty string. Shouldn't we have a + instead of the * in the domain part (?P<domain>[^@]*)?

Contributor Author

@thalman thalman Mar 28, 2023

@aplopez - yes you are right but the old expression allowed the same thing.

It looks like we also have tests for that trailing/leading @ and they should fail (but they do not):

sss_parse_name_check(test_ctx, "@"NAME, ERR_REGEX_NOMATCH, NULL, NULL);

Thanks for pointing that out. I will fix it.

Contributor Author

@aplopez - the tests were using only the IPA/AD regexp in this negative test. I extended them to have this tested also for the default regular expression.

The * is now replaced by + as you suggested. Please take a look.
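
An added example (not code from this PR or from SSSD) that runs the three expressions discussed above through Python's re module to show what each does with stray @ characters. Python rejects duplicate group names, so the two name groups are renamed name_fq and name_short here; the parse helper and the sample inputs are constructed for illustration.

```python
import re

# Old default, copied from the hunk. It has no leading "^", so an unanchored
# search may start matching after the first character of the input.
OLD = re.compile(r"(?P<name>[^@]+)@?(?P<domain>[^@]*$)")

# New default from the hunk. The duplicate "name" groups are renamed
# (name_fq / name_short) because Python's re does not accept duplicates.
NEW_STAR = re.compile(
    r"^((?P<name_fq>.+)@(?P<domain>[^@]*)|(?P<name_short>[^@]+))$")

# Same expression with the domain "*" replaced by "+", as the thread describes.
NEW_PLUS = re.compile(
    r"^((?P<name_fq>.+)@(?P<domain>[^@]+)|(?P<name_short>[^@]+))$")

# Constructed inputs: plain, qualified, leading @, trailing @, and @ in the name.
SAMPLES = ["user", "user@example.test", "@user", "user@",
           "@user@example.test", "grp@name@example.test"]


def parse(pattern, raw):
    """Return (name, domain), or None when the input does not match."""
    m = pattern.search(raw)
    if m is None:
        return None
    g = m.groupdict()
    name = g.get("name") or g.get("name_fq") or g.get("name_short")
    return name, (g.get("domain") or "")


def compare(raw):
    """Parse one input with all three expressions."""
    return {"old": parse(OLD, raw),
            "new_star": parse(NEW_STAR, raw),
            "new_plus": parse(NEW_PLUS, raw)}


if __name__ == "__main__":
    for raw in SAMPLES:
        print(f"{raw!r:26} {compare(raw)}")
```

With the old expression a leading @ is dropped without error, while the anchored expressions either reject the input or keep every character in the parsed name.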

@aplopez aplopez left a comment

Thanks! LGTM

@@ -3554,12 +3568,6 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
default the third one is introduced to allow easy
integration of users from Windows domains.
</para>
Contributor

Hi,

I think it might be worth spelling out the character restrictions explicitly here as well. E.g., with respect to group names with an @ in the name. To make this work a fully-qualified name has to be used since we do not allow @ in short names. If a user wants to use a short name with an @ character they have to create their own expression.

bye,
Sumit

Contributor Author

Good Idea. Man page updated.

The original defaults of re_expressions did not use "^" so they
may skip/ignore some leading characters (@ and \).

The new defaults use ^ and $ to be sure that all characters
are used.

Resolves: SSSD#6635

Update ifp and ssh responders to use regular expression
defined centrally.
@sumit-bose sumit-bose left a comment

Hi,

thanks for the update, ACK.

bye,
Sumit

@alexey-tikhonov

Pushed PR: #6646

  • master
    • b78b508 - responder: regexp cleanup
    • 526aea3 - util: Improve re_expression defaults

Successfully merging this pull request may close these issues.

sss allows extraneous @ characters prefixed to username