Re: [Pki-devel] [PATCH] 0140 Allow ':' to appear in ACL expressions

2016-12-11 Thread Fraser Tweedale
Acked by alee:
https://github.com/frasertweedale/pki/commit/037c16e3e78bccfa16e3d50ef840675ad2e0f3ec

Pushed to master (7ab1bbb708d539d4db4e494418fedb952e4880bc)

Thanks,
Fraser

On Tue, Nov 29, 2016 at 07:08:48PM +1000, Fraser Tweedale wrote:
> With current ACL parsing, if you have a ':' in a group name (as
> occurs with FreeIPA permissions, which matter for upcoming external
> principal support) you are stuffed.  This commit fixes that.
> 
> It is really a band aid - the existing parsing code is poor and
> should be replaced with a nice combinatorial parser... but who has
> the time for that right now? ¯\_(ツ)_/¯
> 
> Note that if there is a ':' in any of the ACL descriptions/comments
> (the final field) this change breaks it.  We don't have any
> occurrences of that in our codebase.
> 
> Thanks,
> Fraser

> From 4e13cd0c960558b0f590c5f74ef0b52f0eb667f2 Mon Sep 17 00:00:00 2001
> From: Fraser Tweedale 
> Date: Fri, 25 Nov 2016 18:04:22 +1000
> Subject: [PATCH 140/141] Allow ':' to appear in ACL expressions
> 
> Currently if ':' appears in an ACL expression (e.g. a group name, as
> occurs in FreeIPA permissions), the ACL gets parsed incorrectly.
> 
> Look backwards from end of string for the final ':', so that the ACL
> parses correctly.
> 
> Part of: https://fedorahosted.org/pki/ticket/1359
> ---
>  base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java 
> b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
> index 
> e37ba25e0446108e266a1b068a7ba2a6e60fb769..9b87f6e2437a398ffd6c4956a8e91809918ab8b9
>  100644
> --- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
> +++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
> @@ -681,8 +681,10 @@ public class CMSEngine implements ICMSEngine {
>  
>  acl = new ACL(resource, rights, resACLs);
>  
> +// search *backwards* for final instance of ':', to handle case
> +// where acl expressions contain colon, e.g. in a group name.
>  String stx = st.substring(idx2 + 1);
> -int idx3 = stx.indexOf(":");
> +int idx3 = stx.lastIndexOf(":");
>  String aclStr = stx.substring(0, idx3);
>  
>  // getting list of acl entries
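Review bot: idx3 goes straight into stx.substring(0, idx3) with no check for -1. lastIndexOf(":") returns -1 when stx contains no colon, so an ACL line missing its final field would throw StringIndexOutOfBoundsException here rather than produce a parse error that names the bad entry. Suggest testing idx3 < 0 before the substring and reporting the offending ACL string.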
> -- 
> 2.7.4
> 

> ___
> Pki-devel mailing list
> Pki-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel


[Pki-devel] [PATCH] 0140 Allow ':' to appear in ACL expressions

2016-11-29 Thread Fraser Tweedale
With current ACL parsing, if you have a ':' in a group name (as
occurs with FreeIPA permissions, which matter for upcoming external
principal support) you are stuffed.  This commit fixes that.

It is really a band aid - the existing parsing code is poor and
should be replaced with a nice combinatorial parser... but who has
the time for that right now? ¯\_(ツ)_/¯

Note that if there is a ':' in any of the ACL descriptions/comments
(the final field) this change breaks it.  We don't have any
occurrences of that in our codebase.

Thanks,
Fraser
From 4e13cd0c960558b0f590c5f74ef0b52f0eb667f2 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Fri, 25 Nov 2016 18:04:22 +1000
Subject: [PATCH 140/141] Allow ':' to appear in ACL expressions

Currently if ':' appears in an ACL expression (e.g. a group name, as
occurs in FreeIPA permissions), the ACL gets parsed incorrectly.

Look backwards from end of string for the final ':', so that the ACL
parses correctly.

Part of: https://fedorahosted.org/pki/ticket/1359
---
 base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java 
b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
index 
e37ba25e0446108e266a1b068a7ba2a6e60fb769..9b87f6e2437a398ffd6c4956a8e91809918ab8b9
 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
@@ -681,8 +681,10 @@ public class CMSEngine implements ICMSEngine {
 
 acl = new ACL(resource, rights, resACLs);
 
+// search *backwards* for final instance of ':', to handle case
+// where acl expressions contain colon, e.g. in a group name.
 String stx = st.substring(idx2 + 1);
-int idx3 = stx.indexOf(":");
+int idx3 = stx.lastIndexOf(":");
 String aclStr = stx.substring(0, idx3);
 
 // getting list of acl entries
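Review bot: the new comment above lastIndexOf(":") documents the group-name case but not the cost: a ':' in the final description field now ends up inside aclStr, which the cover letter acknowledges. Suggest stating the constraint in the comment (for example, that the description must not contain ':'), so that whoever adds such a description finds the rule at the point where it is enforced.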
-- 
2.7.4
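
The trade-off described in this message, as an added Java example that is not part of the original post or of Dogtag's code: splitting the tail of an ACL line at the first versus the last ':'. The `resource:rights:expressions:description` layout is inferred from the patch context, and the class name, helper names and sample strings are hypothetical.

```java
// Added illustration, not Dogtag code. Assumed line layout (inferred from the
// patch context): resource:rights:aclExpressions:description
public class AclSplitDemo {

    /** Splits the text after "resource:rights:" into {expressions, description}. */
    static String[] splitTail(String tail, boolean fromEnd) {
        int idx = fromEnd ? tail.lastIndexOf(':') : tail.indexOf(':');
        if (idx < 0) {
            // No separator at all: fail with a clear message instead of letting
            // substring(0, -1) throw StringIndexOutOfBoundsException.
            throw new IllegalArgumentException("ACL has no description separator: " + tail);
        }
        return new String[] { tail.substring(0, idx), tail.substring(idx + 1) };
    }

    /** Prints how the same tail is split by the old and the new lookup. */
    static void show(String label, String tail) {
        String[] first = splitTail(tail, false);
        String[] last = splitTail(tail, true);
        System.out.println(label);
        System.out.println("  indexOf     -> expr=[" + first[0] + "] desc=[" + first[1] + "]");
        System.out.println("  lastIndexOf -> expr=[" + last[0] + "] desc=[" + last[1] + "]");
    }

    public static void main(String[] args) {
        // Constructed sample values; the group names and descriptions are made up.
        // Case the patch fixes: the group name itself contains ':'.
        show("colon in group name",
             "allow (read) group=\"System: Read Certs\":Readers may list certs");
        // Case the patch breaks: the description contains ':'.
        show("colon in description",
             "allow (read) group=\"Readers\":Note: readers may list certs");
        // Malformed input: no ':' between expressions and description.
        try {
            splitTail("allow (read) group=\"Readers\"", true);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With the first sample only `lastIndexOf` keeps the quoted group name intact; with the second it pulls part of the description into the expression, which is the breakage the message warns about.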
