[jira] [Commented] (DISPATCH-1011) Policy username substitution fails to match certain user names

["ASF GitHub Bot (JIRA)" <ji...@apache.org>]

    [ https://issues.apache.org/jira/browse/DISPATCH-1011?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16497998#comment-16497998 ] 

ASF GitHub Bot commented on DISPATCH-1011:
------------------------------------------

GitHub user ChugR opened a pull request:

    https://github.com/apache/qpid-dispatch/pull/311

    Dispatch 1011- Policy username substition failures; Coverity issues

    ## Problem statement
    * The defect is described in [DISPATCH-1011](https://issues.apache.org/jira/browse/DISPATCH-1011)
    * Coverity pointed out the possibility of an unterminated string.
    
    ## Resolution
    Both issues are addressed with this PR.
    * Username substitutions are processed at creation time to divide the policy rule into a prefix before the username and a suffix after the user name. Now there is no ambiguity about where the username substitution goes during policy application to proposed link source or target addresses.
    * Username substitution tokens in match patterns are limited in form and placement to eliminate ambiguity in conjunction with address match wildcards.
    * The code Coverity observed is replaced wholesale.
    
    ## Restrictions
    This PR adds some restrictions to the use of username substitutions in source and target address patterns. 
    * The username substitution token must stand alone as a delimited search token. It may not be concatenated with fixed text strings. Example: token forms _abc-${user}_ and _${user}-xyz_ are not allowed.
    * The username substitution token may only be specified as the first or the last token in a rule clause. It may not be embedded somewhere in the middle of a rule. Example: match patterns _#.${user}.*_  and _fa.#.la.lala.${user}.la.#.la.lalala_ are not allowed.


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/ChugR/qpid-dispatch DISPATCH-1011

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/qpid-dispatch/pull/311.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #311
    
----
commit 864ed3af3d0c69a1f62444a7cd056db137841a77
Author: Chuck Rolke <cr...@...>
Date:   2018-05-31T17:35:49Z

    DISPATCH-1011: Improve user name substitution token logic and code
    
    Remove code flagged by Coverity.
    Add scheme that specifies precisely where user name substitution goes.

commit 74251cd14a5e5ee8163dd2796f6516afca76ed96
Author: Chuck Rolke <cr...@...>
Date:   2018-05-31T18:02:18Z

    DISPATCH-1011: Describe user name substitution changes in doc

commit 7c9798135e728143377be54ce18313bf2c60894c
Author: Chuck Rolke <cr...@...>
Date:   2018-05-31T19:52:39Z

    DISPATCH-1011: Parse tree exports separators. Improve self tests.
    
    Test sourcePattern suffixes found latent paste error in code.
    More through test cases to hit more conditional code paths.

----


> Policy username substitution fails to match certain user names
> --------------------------------------------------------------
>
>                 Key: DISPATCH-1011
>                 URL: https://issues.apache.org/jira/browse/DISPATCH-1011
>             Project: Qpid Dispatch
>          Issue Type: Bug
>          Components: Policy Engine
>    Affects Versions: 1.0.1
>            Reporter: Chuck Rolke
>            Assignee: Chuck Rolke
>            Priority: Major
>
> If a username is a substring of a policy rule's static text then the username substitution fails. For example:
> {{    if (!_qd_policy_approve_link_name("em", "temp-${user}", "temp-em"))}}
> {{        return "proposed link 'temp-em' should match allowed links with ${user} but does not";}}
> Since the username *em* is found in the fixed text of *temp-* then the substitution logic goes awry and the match fails. Thanks to aconway for making this observation.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org