
Re: [augeas-devel] adjustment to the krb5.aug lense



On 08/02/2012 02:43 AM, Raphaël Pinson wrote:
On Thu, Aug 2, 2012 at 9:32 AM, Raphaël Pinson <raphael pinson camptocamp com <mailto:raphael pinson camptocamp com>> wrote:

    On Wed, Aug 1, 2012 at 5:06 PM, Pat Riehecky <riehecky fnal gov
    <mailto:riehecky fnal gov>> wrote:

        On 08/01/2012 09:22 AM, Raphaël Pinson wrote:

            Hi Pat,

            Sorry for the long delay in replying to you.


        No worries, I've been busy too!



            On Thu, Apr 19, 2012 at 11:47 PM, Pat Riehecky
            <riehecky fnal gov <mailto:riehecky fnal gov>
            <mailto:riehecky fnal gov <mailto:riehecky fnal gov>>> wrote:


                (Apologies for the return of this old thread, but the
            history
                seemed to help provide context)

                I've almost got this working the way I think it should
            and reading
                my site's krb5.conf.  The only remaining issue I'm
            running into is
                with 'default_tgs_enctypes'.  I'd love to get it into
            a sequence,
                but I can't seem to figure out how.  The attached
            patch gets me
                really close, where I've got a sequence called 'type'
            under
                default_tgs_enctypes, but the extra part of the tree
            seems to be
                extra rather than useful, plus it seems to make
            setting those
                things a bit messy when it wasn't before - Was
                /files/etc/krb5.conf/libdefaults/default_tgs_enctypes
            = 'thing' my
                changes make
/files/etc/krb5.conf/libdefaults/default_tgs_enctypes/type[x]
            =
                'thing' which is not right.....



            The patch you attached leads to an ambiguity:

            $ augparse -I . krb5.aug
            Syntax error in lens definition
            krb5.aug:49.0-53.87:Failed to compile libdefaults
            krb5.aug:47.26-.71:exception: ambiguous iteration
                  Iterated regexp:
            /([a-zA-Z0-9]+-[a-zA-Z0-9]+-[a-zA-Z0-9]+)([ \t,]*)/
                  'A-A-AAA-A-A' can be split into
                  'A-A-A|=|AA-A-A'

                 and
                  'A-A-AA|=|A-A-A'

                Iterated lens: krb5.aug:47.26-.70:

        Hmmm, this is quite the puzzle.

        When one value is specified ('A-A-A') it is followed by a new
        line, read terminates, no problem.  When multiples are set
        they are delimited by spaces, tabs, commas, or a combination
        of all three.  However, the one at the end may or may not have
        a trailing delimiter.  So I'm not sure I can enforce
        delimiters to separate the items.

        Currently the third item ('A-A-B', the B) seems to be limited
        to 3 or 4 characters with a minimum of 3, but it appears that
        a smaller one is possible.  Grumble....  All of these appear
        to be valid entries: rc4-hmac arcfour-hmac arcfour-hmac-md5
        aes128-cts des3-cbc-sha1 rc4-hmac des-cbc-md5 des-cbc-crc

        Can augeas do word boundaries?  Most of my regex is perl style
        rather than POSIX.  That should solve the ambiguity, but my
        googling is only turning up perl style....



    I think what you want is Build.opt_list (see all lenses using it,
    there's many):

    Build.opt_list enctype_re valsep




To be more specific, this passes:

(* Value separator: one or more spaces, tabs or commas; written back as a single space. *)
let valsep = del /[ \t,]+/ " "

(* [enctype_list kw sep] parses one indented "<kw><sep>type type ..." line:
   the keyword becomes the node key, every value is stored under its own
   "type" node, and the values are separated by [valsep]. *)
let enctype_list (kw:regexp) (sep:lens) = [ indent .  key kw .
sep . Build.opt_list [ label "type" . store enctype_re] valsep . (comment|eol) ]



Now you should really write some unit tests in test_krb5.aug to ensure that your changes actually bring the features you want.


Thanks for all the help!

How does this look?

Pat
--- lenses/krb5.aug.upstream	2011-11-28 17:51:05.000000000 -0600
+++ lenses/krb5.aug	2012-08-03 11:51:12.434825271 -0500
@@ -8,6 +8,7 @@ let eol = Inifile.eol
 let dels = Util.del_str
 
 let indent = del /[ \t]*/ ""
+let valsep = del /[ \t,]*/ " "
 let eq = del /[ \t]*=[ \t]*/ " = "
 let eq_openbr = del /[ \t]*=[ \t\n]*\{([ \t]*\n)*/ " = {"
 let closebr = del /[ \t]*\}/ "}"
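Review bot: The added `valsep` matches the empty string (`[ \t,]*`), whereas the version suggested earlier in this thread uses `+`. Because `valsep` is the separator handed to `Build.opt_list` later in this patch, an empty separator lets two adjacent enctype tokens be split at any point, which is the same ambiguous-iteration class of error augparse reported on the earlier attempt; presumably `augparse` rejects this, but I have not run it. Requiring at least one delimiter, `let valsep = del /[ \t,]+/ " "`, keeps the list unambiguous and still accepts the space/tab/comma mixes described in the thread.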
@@ -37,13 +38,32 @@ let record (t:string) (e:lens) =
   let title = Inifile.indented_title t in
     Inifile.record title e
 
+let v4_name_convert (subsec:lens) = [ indent . key "v4_name_convert" .
+                        eq_openbr .  subsec* . closebr . eol ]
+
+let enctype_keys = /permitted_enctypes|default_tgs_enctypes|default_tkt_enctypes/
+
+let permitted_enctypes = del /permitted_enctypes/ "permitted_enctypes"
+let default_tgs_enctypes = del /default_tgs_enctypes/ "default_tgs_enctypes"
+let default_tkt_enctypes = del /default_tkt_enctypes/ "default_tkt_enctypes"
+
+(*
+  For the enctypes this appears to be a list of the valid entries:
+       c4-hmac arcfour-hmac aes128-cts rc4-hmac
+       arcfour-hmac-md5 des3-cbc-sha1 des-cbc-md5 des-cbc-crc
+*)
+let enctype_re = /[a-zA-Z0-9-]{3,8}[a-zA-Z0-9]{3,5}[a-zA-Z0-9-]*/ 
+
+let all_permitted_enctypes = indent . permitted_enctypes . eq . Build.opt_list ([ label "permitted_enctypes" . store enctype_re]) valsep . (comment|eol)
+let all_default_tgs_enctypes = indent . default_tgs_enctypes . eq . Build.opt_list ([ label "default_tgs_enctypes" . store enctype_re]) valsep . (comment|eol)
+let all_default_tkt_enctypes = indent . default_tkt_enctypes . eq . Build.opt_list ([ label "default_tkt_enctypes" . store enctype_re]) valsep . (comment|eol)
+let enctypes = (all_permitted_enctypes) | (all_default_tgs_enctypes) | (all_default_tkt_enctypes)
+
 let libdefaults =
-  let option = entry (name_re - "v4_name_convert") eq comment in
+  let option = entry (name_re - "v4_name_convert" - enctype_keys) eq comment in
   let subsec = [ indent . key /host|plain/ . eq_openbr .
                    (entry name_re eq comment)* . closebr . eol ] in
-  let v4_name_convert = [ indent . key "v4_name_convert" . eq_openbr .
-                          subsec* . closebr . eol ] in
-  record "libdefaults" (option|v4_name_convert)
+  record "libdefaults" (option|(enctypes)|(v4_name_convert subsec))
 
 let login =
   let keys = /krb[45]_get_tickets|krb4_convert|krb_run_aklog/
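Review bot: The three `all_*_enctypes` bindings and the three `del /.../` keyword lenses above them differ only in the keyword string, so the same shape is written six times; a single helper taking the keyword would remove the duplication and make the per-value labelling (each value stored as its own node labelled with the keyword, the keyword text itself deleted) visible in one place. Two smaller items in the same hunk: the comment above `enctype_re` reads `c4-hmac` where the thread and the fixture use `rc4-hmac`, and the `enctype_re` line carries a trailing space. The tree shape also changes from what I take to be a single `permitted_enctypes` value under `libdefaults` to indexed `permitted_enctypes[n]` nodes; that is fine for the new test script but worth a sentence in the lens comment for existing users of those paths. `dels` is already bound to `Util.del_str` at the top of the file, so the helper needs nothing new.
```augeas
(* "<kw> = type [sep type ...]": every value becomes its own node labelled
   kw; the keyword text is not kept in the tree. *)
let enctype_list (kw:string) =
  indent . dels kw . eq
  . Build.opt_list [ label kw . store enctype_re ] valsep
  . (comment|eol)

let enctypes = enctype_list "permitted_enctypes"
             | enctype_list "default_tgs_enctypes"
             | enctype_list "default_tkt_enctypes"

(* … unchanged: v4_name_convert, enctype_keys, enctype_re, libdefaults … *)
```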
@@ -61,13 +81,15 @@ let appdefaults =
 let realms =
   let simple_option = /kdc|admin_server|database_module|default_domain/
       |/v4_realm|auth_to_local(_names)?|master_kdc|kpasswd_server/
-      |/admin_server/ in
+      |/admin_server|ticket_lifetime/ in
   let subsec_option = /v4_instance_convert/ in
   let option = entry simple_option eq comment in
   let subsec = [ indent . key subsec_option . eq_openbr .
                    (entry name_re eq comment)* . closebr . eol ] in
+  let v4subsec = [ indent . key /host|plain/ . eq_openbr .
+                   (entry name_re eq comment)* . closebr . eol ] in
   let realm = [ indent . label "realm" . store realm_re .
-                  eq_openbr . (option|subsec)* . closebr . eol ] in
+                  eq_openbr . (option|subsec|(v4_name_convert v4subsec))* . closebr . eol ] in
     record "realms" (realm|comment)
 
 let domain_realm =
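Review bot: `v4subsec` in `realms` is byte-for-byte the `subsec` local that `libdefaults` already defines for the same `v4_name_convert` block, so the `host|plain` subsection shape now lives in two places. Since `v4_name_convert` was hoisted to top level in this patch, the subsection lens it takes can move with it: `let v4_subsec = [ indent . key /host|plain/ . eq_openbr . (entry name_re eq comment)* . closebr . eol ]` next to `v4_name_convert`, with both `libdefaults` and `realms` passing `v4_subsec`. That also keeps the two sections from drifting if the accepted subsection keys change later.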
--- tests/root/etc/krb5.conf.upstream	2012-08-03 11:46:01.964489615 -0500
+++ tests/root/etc/krb5.conf	2012-08-03 11:50:49.477062738 -0500
@@ -1,3 +1,4 @@
+# this is a comment
 [logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
@@ -9,12 +10,21 @@
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  forwardable = yes
+ permitted_enctypes = arcfour-hmac-md5 arcfour-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc aes128-cts
+ default_tgs_enctypes = des3-cbc-sha1 des-cbc-md5
+ default_tkt_enctypes = des-cbc-md5
 
 [realms]
  EXAMPLE.COM = {
   kdc = kerberos.example.com:88
   admin_server = kerberos.example.com:749
   default_domain = example.com
+  ticket_lifetime = 12h
+  v4_name_convert = {
+     host = {
+       rcmd = host
+     }
+  }
  }
 
 [domain_realm]
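Review bot: The three added enctype lines use single spaces only, so neither the comma and tab alternatives `valsep` is meant to accept nor the optional trailing delimiter discussed in the thread are exercised by the fixture. Adding one line such as `default_tkt_enctypes = des-cbc-md5, arcfour-hmac,` (constructed example) would cover both; note that any extra fixture line shifts the line numbers in the expected diff of the new test-augtool script, so that hunk header would need updating in the same change.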
--- /dev/null	2012-08-01 14:51:52.192438229 -0500
+++ tests/test-augtool/krb5-add-enctype.sh	2012-08-03 13:33:16.273552324 -0500
@@ -0,0 +1,26 @@
+commands="
+ins default_tkt_enctypes after /files/etc/krb5.conf/libdefaults/default_tkt_enctypes[last()]
+set /files/etc/krb5.conf/libdefaults/default_tkt_enctypes[last()] arcfour-hmac
+rm /files/etc/krb5.conf/libdefaults/default_tgs_enctypes[1]
+ins permitted_enctypes after /files/etc/krb5.conf/libdefaults/permitted_enctypes[last()]
+set /files/etc/krb5.conf/libdefaults/permitted_enctypes[last()] rc4-hmac
+"
+
+lens=Krb5.lns
+file="/etc/krb5.conf"
+
+diff='--- /etc/krb5.conf
++++ /etc/krb5.conf.augnew
+@@ -10,9 +10,9 @@
+  dns_lookup_kdc = false
+  ticket_lifetime = 24h
+  forwardable = yes
+- permitted_enctypes = arcfour-hmac-md5 arcfour-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc aes128-cts
+- default_tgs_enctypes = des3-cbc-sha1 des-cbc-md5
+- default_tkt_enctypes = des-cbc-md5
++ permitted_enctypes = arcfour-hmac-md5 arcfour-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc aes128-cts rc4-hmac
++ default_tgs_enctypes = des-cbc-md5
++ default_tkt_enctypes = des-cbc-md5 arcfour-hmac
+ 
+ [realms]
+  EXAMPLE.COM = {
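Review bot: As shown, the single-quoted `diff='...` string that starts a few lines above is never closed: the hunk header promises 26 lines, the 26th is `  EXAMPLE.COM = {`, and no terminating `'` follows, which would make the script a shell syntax error. The quote may simply have been lost in mail transit, but please confirm the file ends with `  EXAMPLE.COM = {'` (or a closing quote on its own line) before it is committed. The commands themselves read consistently with the expected diff (one value appended to two lists, the first `default_tgs_enctypes` value removed).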
