6525036

Super Contributor.
2019-04-22
11:07
295 views
Regex DN matching woes
I'm feeling a bit stupid here, but I simply cannot see what the problem is:
The following code, should in my opinion match, and thus set the local variable lOK to "false".
But it does not..... why oh why, here is the rule:
<do-for-each>
  <arg-node-set>
    <token-src-attr name="nrfAssociatedRoles"/>
  </arg-node-set>
  <arg-actions>
    <do-set-local-variable name="lcurrChild" scope="policy">
      <arg-node-set>
        <token-query datastore="src">
          <arg-dn>
            <token-xpath expression="$current-node/component[@name='volume']/text()"/>
          </arg-dn>
        </token-query>
      </arg-node-set>
    </do-set-local-variable>
    <do-for-each>
      <arg-node-set>
        <token-local-variable name="lcurrChild"/>
      </arg-node-set>
      <arg-actions>
        <do-set-local-variable name="lOK" scope="policy">
          <arg-string>
            <token-text xml:space="preserve">true</token-text>
          </arg-string>
        </do-set-local-variable>
        <do-set-local-variable name="lCurrentRole" scope="policy">
          <arg-string>
            <token-xpath expression="$current-node/@src-dn"/>
          </arg-string>
        </do-set-local-variable>
        <do-for-each>
          <arg-node-set>
            <token-global-variable name="drv.except"/>
          </arg-node-set>
          <arg-actions>
            <do-set-local-variable name="lContainer" scope="policy">
              <arg-string>
                <token-xpath expression='$current-node/definition[@name="container"]/value/text()'/>
              </arg-string>
            </do-set-local-variable>
            <do-if>
              <arg-conditions>
                <and>
                  <if-local-variable mode="regex" name="lCurrentRole" op="equal">.*$lContainer$.*</if-local-variable>
                </and>
              </arg-conditions>
              <arg-actions>
                <do-set-local-variable name="lOK" scope="policy">
                  <arg-string>
                    <token-text xml:space="preserve">false</token-text>
                  </arg-string>
                </do-set-local-variable>
              </arg-actions>
              <arg-actions/>
            </do-if>
          </arg-actions>
        </do-for-each>
        <do-if>
          <arg-conditions>
            <and>
              <if-local-variable mode="nocase" name="lOK" op="equal">true</if-local-variable>
            </and>
          </arg-conditions>
          <arg-actions>
            <do-set-local-variable name="lAssignments" scope="policy">
              <arg-string>
                <token-local-variable name="lAssignments"/>
                <token-parse-dn dest-dn-format="ldap" src-dn-format="qualified-slash">
                  <token-xpath expression="$current-node/@qualified-src-dn"/>
                </token-parse-dn>
                <token-text xml:space="preserve">|</token-text>
              </arg-string>
            </do-set-local-variable>
          </arg-actions>
          <arg-actions/>
        </do-if>
      </arg-actions>
    </do-for-each>
  </arg-actions>
</do-for-each>
And here is the relevant portion of the trace:
Action: do-set-local-variable("lOK",scope="policy","true").
arg-string("true")
token-text("true")
Arg Value: "true".
Action: do-set-local-variable("lCurrentRole",scope="policy",token-xpath("$current-node/@src-dn")).
arg-string(token-xpath("$current-node/@src-dn"))
token-xpath("$current-node/@src-dn")
Token Value: "\BLACKPILL\system\driverset1\User Application Driver\AppConfig\RoleConfig\RoleDefs\Level20\NonRequestable\Organisation\Struct\Dept\956e45e0-b465-ce28-5ee0-c54a6ae8229e".
Arg Value: "\BLACKPILL\system\driverset1\User Application Driver\AppConfig\RoleConfig\RoleDefs\Level20\NonRequestable\Organisation\Struct\Dept\956e45e0-b465-ce28-5ee0-c54a6ae8229e".
Action: do-for-each(arg-node-set(token-global-variable("drv.except"))).
arg-node-set(token-global-variable("drv.except"))
token-global-variable("drv.except")
Token Value: {<instance>}.
Arg Value: {<instance>}.
Performing actions for local-variable(current-node) = <instance>.
Action: do-set-local-variable("lContainer",scope="policy",token-xpath("$current-node/definition[@name="container"]/value/text()")).
arg-string(token-xpath("$current-node/definition[@name="container"]/value/text()"))
token-xpath("$current-node/definition[@name="container"]/value/text()")
Token Value: "system\driverset1\User Application Driver\AppConfig\RoleConfig\RoleDefs\Level20\NonRequestable\Organisation".
Arg Value: "system\driverset1\User Application Driver\AppConfig\RoleConfig\RoleDefs\Level20\NonRequestable\Organisation".
Action: do-if().
Evaluating conditions.
Expanded variable reference '$lContainer$' to 'system\driverset1\User Application Driver\AppConfig\RoleConfig\RoleDefs\Level20\NonRequestable\Organisation'.
(if-local-variable 'lCurrentRole' match ".*$lContainer$.*") = FALSE.
Performing else actions.
Action: do-if().
Evaluating conditions.
(if-local-variable 'lOK' equal "true") = TRUE.
Why does it not match? Anyone?
-Nicolai
3 Replies

Knowledge Partner
2019-04-22
11:43
Re: Regex DN matching woes
6525036 wrote:
> Expanded variable reference '$lContainer$' to 'system\driverset1\User
> Application
> Driver\AppConfig\RoleConfig\RoleDefs\Level20\NonRequestable\Organisation'.
> (if-local-variable 'lCurrentRole' match ".*$lContainer$.*") = FALSE.
Probably because the backslashes in your expanded variable value are not literal
backslashes in a regex context but an escape char. You'd have to escape them
with another backslash for the regex to match.
Why don't you use if-xpath with:
contains($lCurrentRole, $lContainer)
or even more reliable:
starts-with($lCurrentRole, concat('\',$dirxml.auto.treename,'\',$lContainer))
--
http://www.is4it.de/en/solution/identity-access-management/
(If you find this post helpful, please click on the star below.)
______________________________________________
https://www.is4it.de/identity-access-management
6525036

Super Contributor.
2019-04-22
11:59
Re: Regex DN matching woes
Nothing short of brilliant.
Thanks a lot.

Knowledge Partner
2019-04-22
21:49
Re: Regex DN matching woes
On 4/22/2019 6:14 AM, 6525036 wrote:
>
> I'm feeling a bit stupid here, but I simply cannot see what the problem
> is:
>
> The following code, should in my opinion match, and thus set the local
> variable lOK to "false".
> But it does not..... why oh why, here is the rule:
>
>
> Code:
> --------------------
> <do-for-each>
> <arg-node-set>
> <token-src-attr name="nrfAssociatedRoles"/>
> </arg-node-set>
> <arg-actions>
> <do-set-local-variable name="lcurrChild" scope="policy">
> <arg-node-set>
> <token-query datastore="src">
> <arg-dn>
> <token-xpath expression="$current-node/component[@name='volume']/text()"/>
> </arg-dn>
> </token-query>
> </arg-node-set>
> </do-set-local-variable>
> <do-for-each>
> <arg-node-set>
> <token-local-variable name="lcurrChild"/>
> </arg-node-set>
> <arg-actions>
> <do-set-local-variable name="lOK" scope="policy">
> <arg-string>
> <token-text xml:space="preserve">true</token-text>
> </arg-string>
> </do-set-local-variable>
> <do-set-local-variable name="lCurrentRole" scope="policy">
> <arg-string>
> <token-xpath expression="$current-node/@src-dn"/>
> </arg-string>
> </do-set-local-variable>
> <do-for-each>
> <arg-node-set>
> <token-global-variable name="drv.except"/>
> </arg-node-set>
> <arg-actions>
> <do-set-local-variable name="lContainer" scope="policy">
> <arg-string>
> <token-xpath expression='$current-node/definition[@name="container"]/value/text()'/>
> </arg-string>
> </do-set-local-variable>
> <do-if>
> <arg-conditions>
> <and>
> <if-local-variable mode="regex" name="lCurrentRole" op="equal">.*$lContainer$.*</if-local-variable>
> </and>
> </arg-conditions>
> <arg-actions>
> <do-set-local-variable name="lOK" scope="policy">
> <arg-string>
> <token-text xml:space="preserve">false</token-text>
> </arg-string>
> </do-set-local-variable>
> </arg-actions>
> <arg-actions/>
> </do-if>
> </arg-actions>
> </do-for-each>
> <do-if>
> <arg-conditions>
> <and>
> <if-local-variable mode="nocase" name="lOK" op="equal">true</if-local-variable>
> </and>
> </arg-conditions>
> <arg-actions>
> <do-set-local-variable name="lAssignments" scope="policy">
> <arg-string>
> <token-local-variable name="lAssignments"/>
> <token-parse-dn dest-dn-format="ldap" src-dn-format="qualified-slash">
> <token-xpath expression="$current-node/@qualified-src-dn"/>
> </token-parse-dn>
> <token-text xml:space="preserve">|</token-text>
> </arg-string>
> </do-set-local-variable>
> </arg-actions>
> <arg-actions/>
> </do-if>
> </arg-actions>
> </do-for-each>
> </arg-actions>
> </do-for-each>
> --------------------
>
>
> And here is the relevant portion of the trace:
>
>
> Code:
> --------------------
> Action: do-set-local-variable("lOK",scope="policy","true").
> arg-string("true")
> token-text("true")
> Arg Value: "true".
> Action: do-set-local-variable("lCurrentRole",scope="policy",token-xpath("$current-node/@src-dn")).
> arg-string(token-xpath("$current-node/@src-dn"))
> token-xpath("$current-node/@src-dn")
> Token Value: "\BLACKPILL\system\driverset1\User Application Driver\AppConfig\RoleConfig\RoleDefs\Level20\NonRequestable\Organisation\Struct\Dept\956e45e0-b465-ce28-5ee0-c54a6ae8229e".
> Arg Value: "\BLACKPILL\system\driverset1\User Application Driver\AppConfig\RoleConfig\RoleDefs\Level20\NonRequestable\Organisation\Struct\Dept\956e45e0-b465-ce28-5ee0-c54a6ae8229e".
> Action: do-for-each(arg-node-set(token-global-variable("drv.except"))).
> arg-node-set(token-global-variable("drv.except"))
> token-global-variable("drv.except")
> Token Value: {<instance>}.
> Arg Value: {<instance>}.
> Performing actions for local-variable(current-node) = <instance>.
> Action: do-set-local-variable("lContainer",scope="policy",token-xpath("$current-node/definition[@name="container"]/value/text()")).
> arg-string(token-xpath("$current-node/definition[@name="container"]/value/text()"))
> token-xpath("$current-node/definition[@name="container"]/value/text()")
> Token Value: "system\driverset1\User Application Driver\AppConfig\RoleConfig\RoleDefs\Level20\NonRequestable\Organisation".
> Arg Value: "system\driverset1\User Application Driver\AppConfig\RoleConfig\RoleDefs\Level20\NonRequestable\Organisation".
> Action: do-if().
> Evaluating conditions.
> Expanded variable reference '$lContainer$' to 'system\driverset1\User Application Driver\AppConfig\RoleConfig\RoleDefs\Level20\NonRequestable\Organisation'.
> (if-local-variable 'lCurrentRole' match ".*$lContainer$.*") = FALSE.
> Performing else actions.
> Action: do-if().
> Evaluating conditions.
> (if-local-variable 'lOK' equal "true") = TRUE.
Since you know the engine is going to return the TREE at the root of the
path, why not just add it with a leading backslash, for your compare?
Designer's simulator will NOT show the tree name but the engine will.
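
An added example (not part of any post in this thread, and not DirXML code): Python's `re` stands in for the policy engine's regex matcher to show why interpolating the container DN into a pattern fails, next to the escaped form from the first reply and the literal, tree-prefixed comparison from the first and last replies. The DN values are copied from the trace; the function names, the two constructed DNs and the trailing-separator check are assumptions added here and go slightly beyond what the replies propose.

```python
import re

# Values copied from the trace on this page.
ROLE_DN = (r"\BLACKPILL\system\driverset1\User Application Driver\AppConfig"
           r"\RoleConfig\RoleDefs\Level20\NonRequestable\Organisation"
           r"\Struct\Dept\956e45e0-b465-ce28-5ee0-c54a6ae8229e")
CONTAINER = (r"system\driverset1\User Application Driver\AppConfig"
             r"\RoleConfig\RoleDefs\Level20\NonRequestable\Organisation")
TREE = "BLACKPILL"


def naive_regex_match(dn, container):
    """Interpolate the container into the pattern unescaped, as the rule does."""
    try:
        return re.fullmatch(".*" + container + ".*", dn) is not None
    except re.error:
        # In Python's re, \d becomes a digit class and \U is an invalid escape,
        # so the pattern never means "this literal path".
        return False


def escaped_regex_match(dn, container):
    """Same pattern, with every metacharacter in the container made literal."""
    return re.fullmatch(".*" + re.escape(container) + ".*", dn) is not None


def under_container(dn, tree, container):
    """Literal, anchored comparison: tree name, container, then a separator."""
    prefix = "\\" + tree + "\\" + container.strip("\\")
    return dn == prefix or dn.startswith(prefix + "\\")


# Constructed DN: contains the container text but lives under another branch.
LOOKALIKE_DN = "\\BLACKPILL\\other\\" + CONTAINER + "\\Dept\\role1"
# Constructed DN: a sibling container whose name only starts the same way.
SIBLING_DN = "\\BLACKPILL\\" + CONTAINER + "2\\Dept\\role1"

if __name__ == "__main__":
    for label, dn in (("trace", ROLE_DN), ("lookalike", LOOKALIKE_DN),
                      ("sibling", SIBLING_DN)):
        print(label,
              naive_regex_match(dn, CONTAINER),
              escaped_regex_match(dn, CONTAINER),
              under_container(dn, TREE, CONTAINER))
```

The escaped regex and a plain substring test both accept the two constructed DNs, which matters when the comparison decides which role assignments are excluded; the anchored comparison accepts only the DN from the trace.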