PackeTsar / radiuid

An application to extract User-to-IP mappings from RADIUS accounting data and send them to Palo Alto firewalls for use by the User-ID function.
http://packetpushers.net/radiuid/
GNU General Public License v3.0

Munge discard overridden by accept #30

Closed PackeTsar closed 7 years ago

PackeTsar commented 7 years ago

Reported by Marcus Cooke on the PacketPushers blog.

A discard step in a munge rule is not successfully stopping the processing of rules.

Rulebase:

radiuid clear munge all
!
radiuid set munge 10.0 match "host/" partial
!
radiuid set munge 10.10 discard
!
radiuid set munge 100.0 match "laptop" partial
!
radiuid set munge 100.10 set-variable domain from-string "mydomain"
!
radiuid set munge 100.15 set-variable slash from-string "\\"
!
radiuid set munge 100.20 set-variable user from-match "([^@]+)"
!
radiuid set munge 100.30 assemble domain slash user
!
radiuid set munge 100.40 accept

Debug Output

[root radiuid]# radiuid request munge-test host/laptop-111111 debug
########################## MUNGE TEST ##########################
################################################################

----- Sorted index of rules and steps: {'rules': ['rule10', 'rule100'], 'rule100': ['step10', 'step15', 'step20', 'step30', 'step40'], 'rule10': ['step10']} -----

----- Input String: host/laptop-111111 -----

        ----- rule10 -----
                ----- Rule beginning with input: host/laptop-111111 -----
                ----- Loaded Rule: -----
                        <root>
                                <match>
                                        <regex>host/</regex>
                                        <criterion>partial</criterion>
                                </match>
                                <step10>
                                        <discard />
                                </step10>
                        </root>
                ----- Rule match statement regex returned: -----
                        ['host/']

                ----- Matched pattern {'regex': 'host/', 'criterion': 'partial'} for rule10 in input host/laptop-111111 -----

                ----- Loaded step10: {'discard': None} -----
                        ----- 'Discard' interrupt detected and set, breaking out of rule-set and discarding input -----

        ----- rule100 -----
                ----- Rule beginning with input: host/laptop-111111 -----
                ----- Loaded Rule: -----
                        <root>
                                <step30>
                                        <assemble>
                                                <variable1>domain</variable1>
                                                <variable3>user</variable3>
                                                <variable2>slash</variable2>
                                        </assemble>
                                </step30>
                                <step20>
                                        <from-match>([^@]+)</from-match>
                                        <set-variable>user</set-variable>
                                </step20>
                                <step15>
                                        <from-string>\</from-string>
                                        <set-variable>slash</set-variable>
                                </step15>
                                <step10>
                                        <from-string>mydomain</from-string>
                                        <set-variable>domain</set-variable>
                                </step10>
                                <step40>
                                        <accept />
                                </step40>
                                <match>
                                        <regex>laptop</regex>
                                        <criterion>partial</criterion>
                                </match>
                        </root>
                ----- Rule match statement regex returned: -----
                        ['laptop']

                ----- Matched pattern {'regex': 'laptop', 'criterion': 'partial'} for rule100 in input host/laptop-111111 -----

                ----- Loaded step10: {'from-string': 'mydomain', 'set-variable': 'domain'} -----
                        ----- Setting variable domain as value mydomain -----
                        ----- Current variables in the variable list: {'domain': 'mydomain'} -----

                ----- Loaded step15: {'from-string': '\\', 'set-variable': 'slash'} -----
                        ----- Setting variable slash as value \ -----
                        ----- Current variables in the variable list: {'domain': 'mydomain', 'slash': '\\'} -----

                ----- Loaded step20: {'from-match': '([^@]+)', 'set-variable': 'user'} -----
                        ----- Setting variable user as value host/laptop-111111 -----
                        ----- Current variables in the variable list: {'domain': 'mydomain', 'user': 'host/laptop-111111', 'slash': '\\'} -----

                ----- Loaded step30: {'assemble': {'variable1': 'domain', 'variable3': 'user', 'variable2': 'slash'}} -----
                        ----- Assembling Variables: ['variable1', 'variable2', 'variable3'] -----
                        ----- Assemble Result: mydomain\host/laptop-111111 -----

                ----- Loaded step40: {'accept': None} -----
                        ----- 'Accept' interrupt detected and set, breaking out of rule-set and adding input to result -----
        ----- Input mydomain\host/laptop-111111 added to result due to 'accept' interrupt -----
        ----- Current result list: -----
        ----- ['mydomain\\host/laptop-111111'] -----

String input from command line:  host/laptop-111111

String returned by Munge Engine: mydomain\host/laptop-111111

################################################################
################################################################

PackeTsar commented 7 years ago

Repaired. This was due to a bug in the munge engine which only recognized the accept interrupt to break the looping through the rule base. If the discard interrupt carried through the other rules, then the input was discarded at the end, but if there was an accept step configured in a rule (after the discard) which matched the input and processed it, then the discard interrupt was overwritten and not processed at the end.
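
The interrupt-overwrite behaviour described above, as an added illustration that is not radiuid's own engine code: a constructed miniature of this issue's rulebase with a `fixed` switch, where `fixed=False` reproduces the loop that only breaks on `accept` and `fixed=True` also breaks on `discard` (that unmatched input passes through unchanged is an assumption of this model).

```python
import re

# Constructed miniature of the rulebase in this issue (not the radiuid engine):
# rule10 discards anything containing "host/", rule100 rewrites laptops as domain\user.
RULES = [
    ("rule10", {"regex": "host/", "criterion": "partial"}, [("discard", None)]),
    ("rule100", {"regex": "laptop", "criterion": "partial"}, [
        ("set-variable", ("domain", "from-string", "mydomain")),
        ("set-variable", ("slash", "from-string", "\\")),
        ("set-variable", ("user", "from-match", "([^@]+)")),
        ("assemble", ["domain", "slash", "user"]),
        ("accept", None),
    ]),
]

def _matches(match, text):
    # "partial" searches anywhere in the input; anything else is treated as a full match
    if match["criterion"] == "partial":
        return re.search(match["regex"], text) is not None
    return re.fullmatch(match["regex"], text) is not None

def run_rule(steps, text):
    """Execute one rule's steps in order; return (interrupt, text)."""
    variables = {}
    for kind, arg in steps:
        if kind in ("discard", "accept"):
            return kind, text
        if kind == "set-variable":
            name, source, value = arg
            if source == "from-string":
                variables[name] = value
            else:  # from-match: first capture group of the regex against the input
                m = re.search(value, text)
                variables[name] = m.group(1) if m else ""
        elif kind == "assemble":
            text = "".join(variables[v] for v in arg)
    return None, text

def munge(text, fixed=True):
    """Run the rulebase. With fixed=False only 'accept' breaks the loop, so a later
    matching rule's accept overwrites an earlier discard (the bug in this issue).
    Returns None when the input is discarded (assumption: unmatched input passes through)."""
    interrupt = None
    for _name, match, steps in RULES:
        if not _matches(match, text):
            continue
        new_interrupt, text = run_rule(steps, text)
        interrupt = new_interrupt or interrupt
        if interrupt == "accept" or (fixed and interrupt == "discard"):
            break
    return None if interrupt == "discard" else text
```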

PackeTsar commented 7 years ago

Output after fix

[root radiuid]# python radiuid.py request munge-test host/laptop-111111 debug
########################## MUNGE TEST ##########################
################################################################

----- Sorted index of rules and steps: {'rules': ['rule10', 'rule100'], 'rule100': ['step10', 'step15', 'step20', 'step30', 'step40'], 'rule10': ['step10']} -----

----- Input String: host/laptop-111111 -----

        ----- rule10 -----
                ----- Rule beginning with input: host/laptop-111111 -----
                ----- Loaded Rule: -----
                        <root>
                                <match>
                                        <regex>host/</regex>
                                        <criterion>partial</criterion>
                                </match>
                                <step10>
                                        <discard />
                                </step10>
                        </root>
                ----- Rule match statement regex returned: -----
                        ['host/']

                ----- Matched pattern {'regex': 'host/', 'criterion': 'partial'} for rule10 in input host/laptop-111111 -----

                ----- Loaded step10: {'discard': None} -----
                        ----- 'Discard' interrupt detected and set, breaking out of rule-set and discarding input -----

        ----- rule100 -----
                ----- Rule beginning with input: host/laptop-111111 -----

No string returned by Munge Engine. It was discarded

################################################################
################################################################