rework parser #2

Merged
abbra merged 5 commits from feedback into main 2026-06-29 10:54:07 +02:00
Generated by Claude Code

The parser only matched spaced forms like groupdn = "ldap:///..." but
not compact forms like groupdn="ldap:///...". When the compact form
was used, no bind rule pattern matched and the default
BindRule::Authenticated was kept, silently replacing the actual
groupdn with userdn="ldap:///all" in generated output.
Add .or_else() fallbacks for compact (no-space) variants of userdn,
groupdn, target, and targetfilter keywords, matching the pattern
already used for targetattr parsing.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>

Add extract_keyword_value() helper that tries all four spacing
combinations (keyword = ", keyword=", keyword =", keyword= ") for
any keyword/operator pair. Refactor targetattr, target, targetfilter,
userdn, and groupdn extraction to use it, replacing the ad-hoc
two-variant .or_else() chains that missed space-before-only and
space-after-only forms.
Previously, ACIs using compact syntax like groupdn="ldap:///..."
silently fell through to the BindRule::Authenticated default,
replacing the actual group binding with userdn="ldap:///all".
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>

Replace extract_keyword_value()'s four hardcoded spacing patterns with
a character-level scan that skips arbitrary ASCII whitespace (spaces,
tabs, multiple spaces) between keyword, operator, and opening quote.
Includes word boundary checking so that e.g. "target" does not match
inside "targetattr".
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>

Replace the hardcoded "; allow (" / ";allow (" pattern selection with
extract_grant_permissions(), which scans for "allow" or "deny" as a
word boundary, then skips arbitrary whitespace before the opening
parenthesis. Same approach as extract_keyword_value() for = / !=.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>

Search and compare are server-side operations — the attribute value
is never returned to the client. Only read permission actually
exposes password hashes. The previous check treated search and
compare as equivalent to read, producing false positives for
legitimate ACIs like "Search existence of password and kerberos keys".
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
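A whitespace-tolerant keyword/value scanner of the kind the second and third commits above describe, as an added example and not the aci-validator project's own code: the name extract_keyword_value and the BindRule::Authenticated fallback come from the commit messages, while every function body and the other BindRule variants are assumptions.

```rust
// Added example, not the aci-validator project's code: the name
// extract_keyword_value and the BindRule::Authenticated fallback come from
// the commits above; the bodies and the other BindRule variants are assumptions.

/// Find `keyword <op> "value"` in `aci`, skipping any ASCII whitespace between
/// keyword, operator and opening quote, and requiring the keyword to sit on a
/// word boundary so "target" is not found inside "targetattr".
pub fn extract_keyword_value<'a>(aci: &'a str, keyword: &str, op: &str) -> Option<&'a str> {
    let b = aci.as_bytes();
    let word = |c: u8| c.is_ascii_alphanumeric() || c == b'_';
    let mut from = 0;
    while let Some(rel) = aci[from..].find(keyword) {
        let (ks, ke) = (from + rel, from + rel + keyword.len());
        from = ks + 1; // where to resume if this candidate is rejected
        let bounded = (ks == 0 || !word(b[ks - 1])) && (ke >= b.len() || !word(b[ke]));
        if !bounded { continue; }
        let mut i = ke;
        while i < b.len() && b[i].is_ascii_whitespace() { i += 1; }
        // the operator is compared literally, so op "=" does not accept a "!=" rule
        if !aci[i..].starts_with(op) { continue; }
        i += op.len();
        while i < b.len() && b[i].is_ascii_whitespace() { i += 1; }
        if i >= b.len() || b[i] != b'"' { continue; }
        let value = &aci[i + 1..];
        return value.find('"').map(|end| &value[..end]);
    }
    None
}

/// The fallback the commits describe: an unrecognised bind rule silently
/// degrades to Authenticated. Variants other than Authenticated are assumed.
#[derive(Debug, PartialEq)]
pub enum BindRule<'a> {
    GroupDn(&'a str),
    UserDn(&'a str),
    Authenticated,
}

pub fn bind_rule(aci: &str) -> BindRule<'_> {
    if let Some(g) = extract_keyword_value(aci, "groupdn", "=") {
        BindRule::GroupDn(g)
    } else if let Some(u) = extract_keyword_value(aci, "userdn", "=") {
        BindRule::UserDn(u)
    } else {
        BindRule::Authenticated
    }
}
```

With this scan all four spacing variants from the commit message, plus tabs and runs of spaces, resolve to the same group DN instead of falling through to Authenticated.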
abbra deleted branch feedback 2026-06-29 10:54:07 +02:00
Reference: abbra/aci-validator!2