On 08/02/2012 02:43 AM, Raphaël Pinson wrote:
On Thu, Aug 2, 2012 at 9:32 AM, Raphaël Pinson
<[email protected] <mailto:[email protected]>>
wrote:
On Wed, Aug 1, 2012 at 5:06 PM, Pat Riehecky <[email protected]
<mailto:[email protected]>> wrote:
On 08/01/2012 09:22 AM, Raphaël Pinson wrote:
Hi Pat,
Sorry for the long delay in replying to you.
No worries, I've been busy too!
On Thu, Apr 19, 2012 at 11:47 PM, Pat Riehecky
<[email protected] <mailto:[email protected]>
<mailto:[email protected] <mailto:[email protected]>>> wrote:
(Apologies for the return of this old thread, but the
history
seemed to help provide context)
I've almost got this working the way I think it should
and reading
my site's krb5.conf. The only remaining issue I'm
running into is
with 'default_tgs_enctypes'. I'd love to get it into
a sequence,
but I can't seem to figure out how. The attached
patch gets me
really close, where I've got a sequence called 'type'
under
default_tgs_enctypes, but the extra part of the tree
seems to be
extra rather than useful, plus it seems to make
setting those
things a bit messy when it wasn't before - Was
/files/etc/krb5.conf/libdefaults/default_tgs_enctypes
= 'thing' my
changes make
/files/etc/krb5.conf/libdefaults/default_tgs_enctypes/type[x]
=
'thing' which is not right.....
The patch you attached leads to an ambiguity:
$ augparse -I . krb5.aug
Syntax error in lens definition
krb5.aug:49.0-53.87:Failed to compile libdefaults
krb5.aug:47.26-.71:exception: ambiguous iteration
Iterated regexp:
/([a-zA-Z0-9]+-[a-zA-Z0-9]+-[a-zA-Z0-9]+)([ \t,]*)/
'A-A-AAA-A-A' can be split into
'A-A-A|=|AA-A-A'
and
'A-A-AA|=|A-A-A'
Iterated lens: krb5.aug:47.26-.70:
Hmmm, this is quite the puzzle.
When one value is specified ('A-A-A') it is followed by a new
line, read terminates, no problem. When multiples are set
they are delimited by spaces, tabs, commas, or a combination
of all three. However, the one at the end may or may not have
a trailing delimiter. So I'm not sure I can enforce
delimiters to separate the items.
Currently the third item ('A-A-B', the B) seems to be limited
to 3 or 4 characters with a minimum of 3, but it appears that
a smaller one is possible. Grumble.... All of these appear
to be valid entries: rc4-hmac arcfour-hmac arcfour-hmac-md5
aes128-cts des3-cbc-sha1 rc4-hmac des-cbc-md5 des-cbc-crc
Can augeas do word boundaries? Most of my regex is perl style
rather than POSIX. That should solve the ambiguity, but my
googling is only turning up perl style....
I think what you want is Build.opt_list (see all the lenses using it,
there are many):
Build.opt_list enctype_re valsep
To be more specific, this passes:
let valsep = del /[ \t,]+/ " "
let enctype_list (kw:regexp) (sep:lens) = [ indent . key kw .
sep . Build.opt_list [ label "type" . store
enctype_re] valsep . (comment|eol) ]
Now you should really write some unit tests in test_krb5.aug to ensure
that your changes actually bring the features you want.
Thanks for all the help!
How does this look?
Pat
--- lenses/krb5.aug.upstream 2011-11-28 17:51:05.000000000 -0600
+++ lenses/krb5.aug 2012-08-03 11:51:12.434825271 -0500
@@ -8,6 +8,7 @@ let eol = Inifile.eol
let dels = Util.del_str
let indent = del /[ \t]*/ ""
+let valsep = del /[ \t,]*/ " "
let eq = del /[ \t]*=[ \t]*/ " = "
let eq_openbr = del /[ \t]*=[ \t\n]*\{([ \t]*\n)*/ " = {"
let closebr = del /[ \t]*\}/ "}"
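Review bot: The added `valsep` uses `/[ \t,]*/`, which admits the empty string, so the separator between two items of `Build.opt_list` may be nothing at all; with `enctype_re` as defined later in this patch, `arcfour-hmac-md5` can then be read either as one value or as `arcfour` followed by `-hmac-md5` (both match the regexp), which augparse is likely to reject as an ambiguous concatenation and which, if accepted, would split a single enctype into several nodes. The earlier reply in this thread used a non-empty separator; the one-line change is `let valsep = del /[ \t,]+/ " "`. The default string `" "` is unaffected by this.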
@@ -37,13 +38,32 @@ let record (t:string) (e:lens) =
let title = Inifile.indented_title t in
Inifile.record title e
+let v4_name_convert (subsec:lens) = [ indent . key "v4_name_convert" .
+ eq_openbr . subsec* . closebr . eol ]
+
+let enctype_keys = /permitted_enctypes|default_tgs_enctypes|default_tkt_enctypes/
+
+let permitted_enctypes = del /permitted_enctypes/ "permitted_enctypes"
+let default_tgs_enctypes = del /default_tgs_enctypes/ "default_tgs_enctypes"
+let default_tkt_enctypes = del /default_tkt_enctypes/ "default_tkt_enctypes"
+
+(*
+ For the enctypes this appears to be a list of the valid entries:
+ c4-hmac arcfour-hmac aes128-cts rc4-hmac
+ arcfour-hmac-md5 des3-cbc-sha1 des-cbc-md5 des-cbc-crc
+*)
+let enctype_re = /[a-zA-Z0-9-]{3,8}[a-zA-Z0-9]{3,5}[a-zA-Z0-9-]*/
+
+let all_permitted_enctypes = indent . permitted_enctypes . eq . Build.opt_list ([ label "permitted_enctypes" . store enctype_re]) valsep . (comment|eol)
+let all_default_tgs_enctypes = indent . default_tgs_enctypes . eq . Build.opt_list ([ label "default_tgs_enctypes" . store enctype_re]) valsep . (comment|eol)
+let all_default_tkt_enctypes = indent . default_tkt_enctypes . eq . Build.opt_list ([ label "default_tkt_enctypes" . store enctype_re]) valsep . (comment|eol)
+let enctypes = (all_permitted_enctypes) | (all_default_tgs_enctypes) | (all_default_tkt_enctypes)
+
let libdefaults =
- let option = entry (name_re - "v4_name_convert") eq comment in
+ let option = entry (name_re - "v4_name_convert" - enctype_keys) eq comment in
let subsec = [ indent . key /host|plain/ . eq_openbr .
(entry name_re eq comment)* . closebr . eol ] in
- let v4_name_convert = [ indent . key "v4_name_convert" . eq_openbr .
- subsec* . closebr . eol ] in
- record "libdefaults" (option|v4_name_convert)
+ record "libdefaults" (option|(enctypes)|(v4_name_convert subsec))
let login =
let keys = /krb[45]_get_tickets|krb4_convert|krb_run_aklog/
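Review bot: The three `all_*_enctypes` definitions and the three `del /.../` keyword lenses are copies of one another differing only in the keyword, so a fix to the value list (for example to `enctype_re`) has to be applied three times; a single parameterised lens, in the spirit of the `enctype_list (kw:regexp)` sketched earlier in this thread, keeps one definition and builds `enctypes` from three applications. The comment listing valid enctypes spells the first one `c4-hmac`; the message above lists it as `rc4-hmac`, so I suspect a dropped character. The proposed replacement for the keyword lenses and the `all_*` lines follows.
```augeas
(* One lens for all three enctype keywords: kw is deleted as the
   keyword and reused as the label of every value node, so the tree
   keeps the existing libdefaults/<kw>[n] shape. *)
let enctype_list (kw:string) =
  indent . dels kw . eq
  . Build.opt_list [ label kw . store enctype_re ] valsep
  . (comment|eol)

let enctypes = enctype_list "permitted_enctypes"
             | enctype_list "default_tgs_enctypes"
             | enctype_list "default_tkt_enctypes"
```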
@@ -61,13 +81,15 @@ let appdefaults =
let realms =
let simple_option = /kdc|admin_server|database_module|default_domain/
|/v4_realm|auth_to_local(_names)?|master_kdc|kpasswd_server/
- |/admin_server/ in
+ |/admin_server|ticket_lifetime/ in
let subsec_option = /v4_instance_convert/ in
let option = entry simple_option eq comment in
let subsec = [ indent . key subsec_option . eq_openbr .
(entry name_re eq comment)* . closebr . eol ] in
+ let v4subsec = [ indent . key /host|plain/ . eq_openbr .
+ (entry name_re eq comment)* . closebr . eol ] in
let realm = [ indent . label "realm" . store realm_re .
- eq_openbr . (option|subsec)* . closebr . eol ] in
+ eq_openbr . (option|subsec|(v4_name_convert v4subsec))* . closebr . eol ] in
record "realms" (realm|comment)
let domain_realm =
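Review bot: The added `v4subsec` in `realms` is byte-for-byte the `subsec` that `libdefaults` passes to `v4_name_convert` in the previous hunk, so the `host|plain` block definition now lives in two places. Since `v4_name_convert` was hoisted to top level in this patch, its sub-section can be hoisted alongside it: `let v4_subsec = [ indent . key /host|plain/ . eq_openbr . (entry name_re eq comment)* . closebr . eol ]`, and both `libdefaults` and `realms` then use `v4_name_convert v4_subsec`. The `realms` definition continues past this hunk.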
--- tests/root/etc/krb5.conf.upstream 2012-08-03 11:46:01.964489615 -0500
+++ tests/root/etc/krb5.conf 2012-08-03 11:50:49.477062738 -0500
@@ -1,3 +1,4 @@
+# this is a comment
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
@@ -9,12 +10,21 @@
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
+ permitted_enctypes = arcfour-hmac-md5 arcfour-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc aes128-cts
+ default_tgs_enctypes = des3-cbc-sha1 des-cbc-md5
+ default_tkt_enctypes = des-cbc-md5
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com:88
admin_server = kerberos.example.com:749
default_domain = example.com
+ ticket_lifetime = 12h
+ v4_name_convert = {
+ host = {
+ rcmd = host
+ }
+ }
}
[domain_realm]
--- /dev/null 2012-08-01 14:51:52.192438229 -0500
+++ tests/test-augtool/krb5-add-enctype.sh 2012-08-03 13:33:16.273552324 -0500
@@ -0,0 +1,26 @@
+commands="
+ins default_tkt_enctypes after /files/etc/krb5.conf/libdefaults/default_tkt_enctypes[last()]
+set /files/etc/krb5.conf/libdefaults/default_tkt_enctypes[last()] arcfour-hmac
+rm /files/etc/krb5.conf/libdefaults/default_tgs_enctypes[1]
+ins permitted_enctypes after /files/etc/krb5.conf/libdefaults/permitted_enctypes[last()]
+set /files/etc/krb5.conf/libdefaults/permitted_enctypes[last()] rc4-hmac
+"
+
+lens=Krb5.lns
+file="/etc/krb5.conf"
+
+diff='--- /etc/krb5.conf
++++ /etc/krb5.conf.augnew
+@@ -10,9 +10,9 @@
+ dns_lookup_kdc = false
+ ticket_lifetime = 24h
+ forwardable = yes
+- permitted_enctypes = arcfour-hmac-md5 arcfour-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc aes128-cts
+- default_tgs_enctypes = des3-cbc-sha1 des-cbc-md5
+- default_tkt_enctypes = des-cbc-md5
++ permitted_enctypes = arcfour-hmac-md5 arcfour-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc aes128-cts rc4-hmac
++ default_tgs_enctypes = des-cbc-md5
++ default_tkt_enctypes = des-cbc-md5 arcfour-hmac
+
+ [realms]
+ EXAMPLE.COM = {
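Review bot: As rendered here, the `diff='...'` literal that starts at `diff='--- /etc/krb5.conf` is never closed: the hunk's 26 added lines end at ` EXAMPLE.COM = {` with no trailing `'`, which would make the script unparseable if that is not a mail-rendering artifact; please confirm the last line reads ` EXAMPLE.COM = {'` in the actual file. The expected `@@ -10,9 +10,9 @@` window also depends on the fixture change in the previous file, so the two hunks have to be applied together for the test to pass.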