config/cfg_rules.ini: Make regexp's more POSIX compliant

[arrowd]

According to section 9.3.2 BRE Ordinary Characters [1], the '+' sequence may work as a plain character or like ERE special character. It is the latter for Linux, but it is the former for FreeBSD.

Instead, use '{1,}' as a portable way of expressing "one or many".

This fixes most of config validation tests on FreeBSD.

[1] https://pubs.opengroup.org/onlinepubs/9799919799.2024edition/basedefs/V1_chap09.html#tag_09_03_02

[gemini-code-assist]

Code Review

This pull request improves the POSIX compliance of regular expressions in src/config/cfg_rules.ini by replacing the non-standard \+ quantifier with the more portable \{1,\}. This change is well-motivated, as it fixes configuration validation on platforms like FreeBSD where \+ is not supported in Basic Regular Expressions. The changes are correct and have been applied consistently. I've reviewed the modifications and find them to be a good improvement for portability. No issues were found.

[arrowd]

One test still fails even after this change:

[rule/allowed_domain_options]
validator = ini_allowed_options
section_re = ^\(domain\|application\)/[^/]\{1,\}$

It uses \| operator, which is also not guaranteed to work in BRE mode. FreeBSD man says:

Obsolete (“basic”) regular expressions differ in several respects.  ‘|’
is an ordinary character and there is no equivalent for its
functionality.

Not sure how to fix this properly given the rule itself is huge.

[thalman]

One test still fails even after this change:

[rule/allowed_domain_options]
validator = ini_allowed_options
section_re = ^\(domain\|application\)/[^/]\{1,\}$

It uses \| operator, which is also not guaranteed to work in BRE mode. FreeBSD man says:

Obsolete (“basic”) regular expressions differ in several respects.  ‘|’
is an ordinary character and there is no equivalent for its
functionality.

Not sure how to fix this properly given the rule itself is huge.

Hi, I did not look into the sssd code but it should be possible to use section_re multiple times like

section_re = ^application/[^/]\{1,\}$
section_re = ^domain/[^/]\{1,\}$

Does that help?

[arrowd]

The code that processes these rules is not in SSSD, but in ding-libs. Since it is a just an INI file, I don't think that listing the same key twice will append to its value, but I'll try your suggestion nevertheless.

[alexey-tikhonov]

but in ding-libs. Since it is a just an INI file, I don't think that listing the same key twice will append to its value

No, in 'libini_config' "last key wins".

[alexey-tikhonov]

Actually, we would like to port SSSD to use 'libeconf' instead of 'libini_config'.

But I don't know yet if 'libeconf' has any support for config validation (and what to do if it doesn't).

[thalman]

Actually, we would like to port SSSD to use 'libeconf' instead of 'libini_config'.

But I don't know yet if 'libeconf' has any support for config validation (and what to do if it doesn't).

Why we have this?:

sssd/src/config/cfg_rules.ini

Lines 14 to 20 in 637b7bc

	section_re = ^prompting/password/[^/\@]\+$
	section_re = ^prompting/2fa$
	section_re = ^prompting/2fa/[^/\@]\+$
	section_re = ^prompting/passkey$
	section_re = ^prompting/passkey/[^/\@]\+$
	section_re = ^domain/[^/\@]\+$
	section_re = ^domain/[^/\@]\+/[^/\@]\+$

[alexey-tikhonov]

Why we have this?:

sssd/src/config/cfg_rules.ini

Lines 14 to 20 in 637b7bc

There is an explanation in commit message of 4526858

[arrowd]

I think Tomáš meant "we already have duplicated keys and they seem to work". I'll dive into the code once I get free time.

[alexey-tikhonov]

JFTR: feature was added around SSSD/ding-libs@edf8547

[thalman]

Yes, exactly - we have duplicit keys and they are working, as Alexey mentioned that is supported by dinglibs.

[alexey-tikhonov]

Yes, exactly - we have duplicit keys and they are working, as Alexey mentioned that is supported by dinglibs.

Honestly, I don't know, just searched where feature was added.
But since SSSD uses it this way...

[thalman]

@arrowd - I added a label change requested, I assume that you will try to split and push the problematic rule.

[arrowd]

So, yes, it is an intended usage of libini: https://github.com/SSSD/ding-libs/blob/9078835b3c30bbd382d80f1b9e7dbc599e1190b5/ini/ini_configobj.h#L385-L393

[thalman]

It looks like the config_check_test_bad_appdomain_option_name unit test fails.

[arrowd]

Alas, the "ini_allowed_options" validator uses INI_GET_FIRST_VALUE when parsing section_re: https://github.com/SSSD/ding-libs/blob/9078835b3c30bbd382d80f1b9e7dbc599e1190b5/ini/ini_configobj.c#L1398-L1402

So we're stuck with \| again.

[arrowd]

We can modify ding-libs and teach validator to use multiple re's when matching a rule.

Or we can modify ding-libs to use ERE's instead of BRE's. Unfortunately, either way requires modifications to ding-libs, making a new release and then waiting for it to be packaged downstreams.

[thalman]

We can modify ding-libs and teach validator to use multiple re's when matching a rule.

Or we can modify ding-libs to use ERE's instead of BRE's. Unfortunately, either way requires modifications to ding-libs, making a new release and then waiting for it to be packaged downstreams.

As Alexey mentioned, we are moving away from ding-libs. It does not make much sense to invest into it.

[alexey-tikhonov]

Is there anything "merge-able" in this PR without ding-libs update? (Sorry I didn't look into patch details)

[thalman]

@alexey-tikhonov yes, all the updates are fine. I will check why splitting the one with (|) is not working. IMO it should since we have that in other sections.

[thalman]

For the sake of future development I spent few minutes investigating this. Multiple section_re are allowed where validator = ini_allowed_sections. For allowed_domain_options we use validator = ini_allowed_options which indeed does not support multiple section_re.

The only solution available at the moment for you (@arrowd) is to duplicate whole section into [rule/allowed_domain_options] and [rule/allowed_application_options] with two individual section_re. But that is something I do not want upstream, maybe some packaging script can do it until we move away from ding-lib.

Otherwise it looks good, ACK

[aplopez]

@arrowd Are you OK with the proposed solution?

[arrowd]

Yes, I will arrange the CI appropriately.

[aplopez]

LGTM

[sssd-bot]

The pull request was accepted by @aplopez with the following PR CI status:

---

🟢 CodeFactor (success)
🟢 CodeQL (success)
🟢 osh-diff-scan:fedora-rawhide-x86_64:upstream (success)
🟢 rpm-build:centos-stream-10-x86_64:upstream (success)
🟢 rpm-build:fedora-41-x86_64:upstream (success)
🟢 rpm-build:fedora-42-x86_64:upstream (success)
🟢 rpm-build:fedora-43-x86_64:upstream (success)
🟢 rpm-build:fedora-rawhide-x86_64:upstream (success)
🟢 Analyze (target) / cppcheck (success)
🟢 Build / freebsd (success)
🟢 Build / make-distcheck (success)
🟢 ci / intgcheck (centos-10) (success)
🟢 ci / intgcheck (fedora-41) (success)
🟢 ci / intgcheck (fedora-42) (success)
🟢 ci / intgcheck (fedora-43) (success)
🟢 ci / intgcheck (fedora-44) (success)
🟢 ci / prepare (success)
🟢 ci / system (centos-10) (success)
🟢 ci / system (fedora-41) (success)
🟢 ci / system (fedora-42) (success)
🟢 ci / system (fedora-43) (success)
🟢 ci / system (fedora-44) (success)
➖ Coverity scan / coverity (skipped)
🟢 Static code analysis / codeql (success)
🟢 Static code analysis / pre-commit (success)
🟢 Static code analysis / python-system-tests (success)

---

There are unsuccessful or unfinished checks. Make sure that the failures are not related to this pull request before merging.