Generated by Claude Code
The parser only matched spaced forms like groupdn = "ldap:///..." but not compact forms like groupdn="ldap:///...". When the compact form was used, no bind rule pattern matched and the default BindRule::Authenticated was kept, silently replacing the actual groupdn with userdn="ldap:///all" in generated output.

Add .or_else() fallbacks for compact (no-space) variants of userdn, groupdn, target, and targetfilter keywords, matching the pattern already used for targetattr parsing.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Add extract_keyword_value() helper that tries all four spacing combinations (keyword = ", keyword=", keyword =", keyword= ") for any keyword/operator pair. Refactor targetattr, target, targetfilter, userdn, and groupdn extraction to use it, replacing the ad-hoc two-variant .or_else() chains that missed space-before-only and space-after-only forms.

Previously, ACIs using compact syntax like groupdn="ldap:///..." silently fell through to the BindRule::Authenticated default, replacing the actual group binding with userdn="ldap:///all".

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Replace extract_keyword_value()'s four hardcoded spacing patterns with a character-level scan that skips arbitrary ASCII whitespace (spaces, tabs, multiple spaces) between keyword, operator, and opening quote. Includes word boundary checking so that e.g. "target" does not match inside "targetattr".

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
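
The character-level scan described in the commit message above, as an added sketch that is not the project's code: the function name is taken from the commit message, while the body, the helper names `is_word` and `skip_ws`, and the sample ACI are assumptions made for this example.

```rust
// Added illustration, not the project's code: the function name follows the
// commit message; the body and the sample ACI are constructed for this example.
fn is_word(c: u8) -> bool { c.is_ascii_alphanumeric() || c == b'_' }

fn skip_ws(b: &[u8], mut i: usize) -> usize {
    while i < b.len() && b[i].is_ascii_whitespace() {
        i += 1;
    }
    i
}

/// Finds `keyword [ws] (= | !=) [ws] "value"` and returns (negated, value).
/// None means the keyword was not found in that shape.
pub fn extract_keyword_value<'a>(aci: &'a str, keyword: &str) -> Option<(bool, &'a str)> {
    if keyword.is_empty() { return None; }
    let b = aci.as_bytes();
    let mut from = 0;
    while let Some(rel) = aci[from..].find(keyword) {
        let start = from + rel;
        let mut i = start + keyword.len();
        from = i; // resume after this hit if it is rejected
        // Word boundary on both sides: "target" must not match in "targetattr".
        let before_ok = start == 0 || !is_word(b[start - 1]);
        let after_ok = i < b.len() && !is_word(b[i]);
        if !(before_ok && after_ok) { continue; }
        i = skip_ws(b, i);
        let negated = b.get(i) == Some(&b'!');
        if negated { i += 1; }
        if b.get(i) != Some(&b'=') { continue; }
        i = skip_ws(b, i + 1);
        if b.get(i) != Some(&b'"') { continue; }
        let value = &aci[i + 1..];
        return value.find('"').map(|end| (negated, &value[..end]));
    }
    None
}

fn main() {
    // Constructed sample ACI mixing spaced, compact and tab-separated forms.
    let aci = "(targetattr = \"userPassword\")(target=\"ldap:///cn=users,dc=example,dc=test\")(version 3.0; acl \"constructed\"; allow (read) groupdn\t=  \"ldap:///cn=admins,dc=example,dc=test\";)";
    for kw in ["targetattr", "target", "groupdn"] {
        println!("{}: {:?}", kw, extract_keyword_value(aci, kw));
    }
}
```

Because a missed match comes back as `None`, the caller can report an unparsed bind rule instead of keeping a default such as the BindRule::Authenticated fallback the earlier commit messages describe.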
Replace the hardcoded "; allow (" / ";allow (" pattern selection with
extract_grant_permissions(), which scans for "allow" or "deny" as a
word boundary, then skips arbitrary whitespace before the opening
parenthesis. Same approach as extract_keyword_value() for = / !=.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Search and compare are server-side operations — the attribute value is never returned to the client. Only read permission actually exposes password hashes. The previous check treated search and compare as equivalent to read, producing false positives for legitimate ACIs like "Search existence of password and kerberos keys".

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>