From efd9322ccb72848c0d22d8d3947ba4d7186faccc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 12 Nov 2024 10:34:14 +0100
Subject: [PATCH] Fix sssd_enable_smartcards

If `authselect` doesn't exist and no entry for group + control + module
is present in `/etc/pam.d/system-auth` the Bash remediation inserted
square brackets with backslashes to `system-auth`. The backslashes
shouldn't be inserted there.

The issue manifested when the Bash remediation is used during a build
of a bootable container image.

The solution is to escape the control string only if it's a part of
a regular expression (in `sed` and `grep` commands) but not escape the
control string if it's used in `echo` command.
---
 .../sssd/sssd_enable_smartcards/bash/shared.sh       |  2 +-
 .../sssd_parameter_missing_remove_authselect.fail.sh |  5 +++++
 shared/macros/10-bash.jinja                          | 12 +++++++-----
 ssg/utils.py                                         |  2 +-
 4 files changed, 14 insertions(+), 7 deletions(-)
 create mode 100644 linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_missing_remove_authselect.fail.sh

diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/bash/shared.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/bash/shared.sh
index b896f4f7d9b..7cf204f5569 100644
--- a/linux_os/guide/services/sssd/sssd_enable_smartcards/bash/shared.sh
+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/bash/shared.sh
@@ -18,6 +18,6 @@ if [ -f /usr/bin/authselect ]; then
     {{{ bash_enable_authselect_feature('with-smartcard') | indent(4) }}}
 else
     {{{ bash_ensure_pam_module_option('/etc/pam.d/smartcard-auth', 'auth', 'sufficient', 'pam_sss.so', 'allow_missing_name', '', '') | indent(4) }}}
-    {{{ bash_ensure_pam_module_option('/etc/pam.d/system-auth', 'auth', '\[success=done authinfo_unavail=ignore ignore=ignore default=die\]', 'pam_sss.so', 'try_cert_auth', '', '') | indent(4) }}}
+    {{{ bash_ensure_pam_module_option('/etc/pam.d/system-auth', 'auth', '[success=done authinfo_unavail=ignore ignore=ignore default=die]', 'pam_sss.so', 'try_cert_auth', '', '') | indent(4) }}}
 fi
 {{% endif %}}
diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_missing_remove_authselect.fail.sh b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_missing_remove_authselect.fail.sh
new file mode 100644
index 00000000000..c2363d5b816
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/tests/sssd_parameter_missing_remove_authselect.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# packages = sssd
+rm -rf /usr/bin/authselect
+SSSD_FILE="/etc/sssd/sssd.conf"
+rm -f $SSSD_FILE
diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja
index d9ad023124a..016b5b72c9a 100644
--- a/shared/macros/10-bash.jinja
+++ b/shared/macros/10-bash.jinja
@@ -2164,7 +2164,8 @@ fi
 
 #}}
 {{%- macro bash_ensure_pam_module_line(pam_file, group, control, module, after_match='') -%}}
-if ! grep -qP "^\s*{{{ group }}}\s+{{{ control }}}\s+{{{ module }}}\s*.*" "{{{ pam_file }}}"; then
+{{% set control_regex = control | escape_regex %}}
+if ! grep -qP "^\s*{{{ group }}}\s+{{{ control_regex }}}\s+{{{ module }}}\s*.*" "{{{ pam_file }}}"; then
     # Line matching group + control + module was not found. Check group + module.
     if [ "$(grep -cP '^\s*{{{ group }}}\s+.*\s+{{{ module }}}\s*' "{{{ pam_file }}}")" -eq 1 ]; then
         # The control is updated only if one single line matches.
@@ -2207,19 +2208,20 @@ fi
 
 #}}
 {{%- macro bash_ensure_pam_module_option(pam_file, group, control, module, option, value='', after_match='') -%}}
+{{% set control_regex = control | escape_regex %}}
 {{{ bash_ensure_pam_module_line(pam_file, group, control, module, after_match) }}}
 # Check the option
-if ! grep -qP "^\s*{{{ group }}}\s+{{{ control }}}\s+{{{ module }}}\s*.*\s{{{ option }}}\b" "{{{ pam_file }}}"; then
+if ! grep -qP "^\s*{{{ group }}}\s+{{{ control_regex }}}\s+{{{ module }}}\s*.*\s{{{ option }}}\b" "{{{ pam_file }}}"; then
     {{%- if value == '' %}}
-    sed -i -E --follow-symlinks "/\s*{{{ group }}}\s+{{{ control }}}\s+{{{ module }}}.*/ s/$/ {{{ option }}}/" "{{{ pam_file }}}"
+    sed -i -E --follow-symlinks "/\s*{{{ group }}}\s+{{{ control_regex }}}\s+{{{ module }}}.*/ s/$/ {{{ option }}}/" "{{{ pam_file }}}"
     {{%- else %}}
-    sed -i -E --follow-symlinks "/\s*{{{ group }}}\s+{{{ control }}}\s+{{{ module }}}.*/ s/$/ {{{ option }}}={{{ value }}}/" "{{{ pam_file }}}"
+    sed -i -E --follow-symlinks "/\s*{{{ group }}}\s+{{{ control_regex }}}\s+{{{ module }}}.*/ s/$/ {{{ option }}}={{{ value }}}/" "{{{ pam_file }}}"
     {{%- endif %}}
 {{%- if value == '' %}}
 fi
 {{%- else %}}
 else
-    sed -i -E --follow-symlinks "s/(\s*{{{ group }}}\s+{{{ control }}}\s+{{{ module }}}\s+.*)({{{ option }}}=)[[:alnum:]]+\s*(.*)/\1\2{{{ value }}} \3/" "{{{ pam_file }}}"
+    sed -i -E --follow-symlinks "s/(\s*{{{ group }}}\s+{{{ control_regex }}}\s+{{{ module }}}\s+.*)({{{ option }}}=)[[:alnum:]]+\s*(.*)/\1\2{{{ value }}} \3/" "{{{ pam_file }}}"
 fi
 {{%- endif %}}
 {{%- endmacro -%}}
diff --git a/ssg/utils.py b/ssg/utils.py
index a1da491a543..31bcea09bae 100644
--- a/ssg/utils.py
+++ b/ssg/utils.py
@@ -363,7 +363,7 @@ def escape_regex(text):
     # In python 3.7 the set of charaters escaped by re.escape is reasonable, so lets mimic it.
     # See https://docs.python.org/3/library/re.html#re.sub
     # '!', '"', '%', "'", ',', '/', ':', ';', '<', '=', '>', '@', and "`" are not escaped.
-    return re.sub(r"([#$&*+.^`|~:()-])", r"\\\1", text)
+    return re.sub(r"([#$&*+.^`|~:()-\[\]])", r"\\\1", text)
 
 
 def escape_id(text):