dns3l / dns3l-core

Core functionality of dns3l written in Go

Make groups-based authz for rootzone suffix-based, not exact-match #42

Closed iaean closed 1 year ago

iaean commented 1 year ago

There is a user with the following groups claim inside a valid ID token:

```json
{
  "groups": [
    "[<prefix>]write",
    "[<prefix>]example.com"
  ]
}
```

There is a dns3ld with the following root zones config:

```yaml
rtzn:
  - root: foo.example.com.
```

If this user tries to claim a certificate, dns3ld complains with the following unexpected error: `{"code":500,"message":"user has no permission for zone 'foo.example.com.'"}`

Expected behaviour is that privilege escalation based on a less specific domain suffix is used, which enables the user to modify anything under example.com, as mentioned in the docs.

The docs seem not specific enough, and the API is missing a statement. This will be fixed soon.

lnobach commented 1 year ago

Yes, this can be changed, but it needs a little change in the data structure. I suggest requiring at least the TLD to be specific, otherwise a DNS3L_ group will allow everything. Planned.

iaean commented 1 year ago

Thx. Please avoid new config syntax. We are just changing semantics. An empty TLD is invalid, of course. IMHO it's a bug if a group with a prefix and an empty TLD is (mis)interpreted as a non-empty TLD.
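An added example, not dns3l's own code, of the two authorization semantics discussed in this thread: the reported exact-match check (which denies `foo.example.com.` to a holder of the `example.com` group) beside a suffix-based check that matches on label boundaries, accepts a TLD-only group as lnobach proposed, and rejects a prefixed group with an empty zone instead of treating it as a wildcard. The group prefix `DNS3L_`, the role names `read`/`write` used to tell role groups from zone groups, the function names and the sample groups are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Assumed group layout: a fixed prefix followed by either a role name or a
// DNS zone, e.g. "DNS3L_write" or "DNS3L_example.com". The prefix and the
// role set are assumptions for this example, not dns3l's configuration.
const groupPrefix = "DNS3L_"

var roleNames = map[string]bool{"read": true, "write": true}

var errEmptyZone = errors.New("group carries an empty zone (no TLD); refusing to treat it as a wildcard")

// normalizeZone lowercases a zone and strips the trailing root dot so that
// "foo.example.com." and "FOO.example.com" compare equal.
func normalizeZone(z string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(z)), ".")
}

// zonesFromGroups extracts the zone part of every prefixed group that is not
// a role. A prefixed group whose zone part is empty is an error, never a
// match-everything wildcard.
func zonesFromGroups(groups []string) ([]string, error) {
	var zones []string
	for _, g := range groups {
		if !strings.HasPrefix(g, groupPrefix) {
			continue // unrelated IdP group
		}
		rest := strings.TrimPrefix(g, groupPrefix)
		if roleNames[strings.ToLower(rest)] {
			continue // role group, not a zone group
		}
		z := normalizeZone(rest)
		if z == "" {
			return nil, errEmptyZone
		}
		zones = append(zones, z)
	}
	return zones, nil
}

// zoneAllowedExact is the behaviour the issue reports: the group must name
// the root zone exactly, so "example.com" does not grant "foo.example.com.".
func zoneAllowedExact(groups []string, rootZone string) (bool, error) {
	zones, err := zonesFromGroups(groups)
	if err != nil {
		return false, err
	}
	want := normalizeZone(rootZone)
	for _, z := range zones {
		if z == want {
			return true, nil
		}
	}
	return false, nil
}

// zoneAllowedSuffix is the requested behaviour: a group zone grants every
// root zone equal to it or below it. The suffix test runs on label
// boundaries, so "example.com" does not grant "notexample.com".
func zoneAllowedSuffix(groups []string, rootZone string) (bool, error) {
	zones, err := zonesFromGroups(groups)
	if err != nil {
		return false, err
	}
	want := normalizeZone(rootZone)
	for _, z := range zones {
		if want == z || strings.HasSuffix(want, "."+z) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample mirroring the groups claim in the issue.
	groups := []string{"DNS3L_write", "DNS3L_example.com"}
	for _, zone := range []string{"foo.example.com.", "notexample.com.", "example.org."} {
		exact, _ := zoneAllowedExact(groups, zone)
		suffix, _ := zoneAllowedSuffix(groups, zone)
		fmt.Printf("%-18s exact=%-5v suffix=%v\n", zone, exact, suffix)
	}
	if _, err := zoneAllowedSuffix([]string{"DNS3L_"}, "foo.example.com."); err != nil {
		fmt.Println("empty zone group:", err)
	}
}
```

The boundary check (`"."+z`) is the caveat to keep when switching from exact to suffix matching: a plain `HasSuffix(want, z)` would let `DNS3L_example.com` authorize `notexample.com`, which is a privilege escalation in the wrong direction.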