author:    David Howells <dhowells@redhat.com>  2018-09-04 11:07:59 +0100
committer: David Howells <dhowells@redhat.com>  2018-09-13 14:48:32 +0100
commit:    e8234d788e3be1801e5eebe4096b1d9e839023a6 (patch)
tree:      e928532feb8a386eee12df36dd49728c6a86763f /man
parent:    2dbc532fefd918af247a4d46418b90003d1f590a (diff)
download:  keyutils-e8234d788e3be1801e5eebe4096b1d9e839023a6.tar.gz
request-key: Find best match rather than first match
When an upcall happens currently, either a file by the name
"/etc/request-key.d/<type>.conf" is scanned or the default file
"/etc/request-key.conf" is scanned and then the first match (including
wildcards) is selected.

Change this to read all the files in the conf directory and then read the
default file. The best rule is then chosen and executed.

"Best" is defined as the rule with the least number of characters that are
skipped by matching a wildcard (e.g. string "foo:bar" matches pattern "foo:*"
with the number of characters being skipped being 3). Further, the operation,
type, description and callout_info columns are matched individually and in
order, so that a skip of 1 in the operation column, say, is less preferable
than an exact match there and a skip of 2 in the type column.

For example, take:

	create	dns_resolver	afsdb:*	*	/sbin/key.afsdb %k
	create	dns_resolver	afsdb:*	hello*	/sbin/key.xxxx %k

if both lines match, the second one will be picked, but, on the other hand,
with:

	create	dns_resolver	afsdb:*	*	/sbin/key.afsdb %k
	creat*	dns_resolver	afsdb:*	hello*	/sbin/key.xxxx %k

the first will be picked.

Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Dave Jiang <dave.jiang@intel.com>
Diffstat (limited to 'man')
-rw-r--r--  man/request-key.8       31
-rw-r--r--  man/request-key.conf.5  36
2 files changed, 47 insertions, 20 deletions
diff --git a/man/request-key.8 b/man/request-key.8
index b008d80..50a7506 100644
--- a/man/request-key.8
+++ b/man/request-key.8
@@ -18,18 +18,41 @@ This program is invoked by the kernel when the kernel is asked for a key that
it doesn't have immediately available. The kernel creates a partially set up
key and then calls out to this program to instantiate it. It is not intended
to be called directly.
+.PP
+However, for debugging purposes, it can be given some options on the command
+line:
+.IP \fB-d\fP
+Turn on debugging mode. In this mode, no attempts are made to access any keys
+and, if a handler program is selected, it won't be executed; instead, this
+program will print a message and exit 0.
+.IP \fB-D <description>\fP
+In debugging mode, use the proposed key description specified with this rather
+than the sample ("user;0;0;1f0000;debug:1234") built into the program.
+.IP \fB-l\fP
+Use configuration from the current directory. The program will use
+.IR request-key.d/* " and " request-key.conf
+from the current directory rather than from
+.IR /etc .
+.IP \fB-n\fP
+Don't log to the system log. Ordinarily, error messages and debugging messages
+will be copied to the system log - this will prevent that.
+.IP \fB-v\fP
+Turn on debugging output. This may be specified multiple times to produce
+increasing levels of verbosity.
+.IP \fB--version\fP
+Print the program version and exit.
.SH ERRORS
All errors will be logged to the syslog.
.SH FILES
.ul
-/etc/request\-key.conf
+/etc/request\-key.d/*.conf
.ul 0
-Instantiation handler configuration file.
+Individual configuration files.
.P
.ul
-/etc/request\-key.d/<keytype>.conf
+/etc/request\-key.conf
.ul 0
-Keytype specific configuration file.
+Fallback configuration file.
.SH SEE ALSO
.ad l
.nh
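Review bot: the new option entries write the flags as bare `-d`, `-D <description>`, `-l`, `-n`, `-v` and `--version` inside `\fB...\fP`, while the rest of this page escapes hyphens (`/etc/request\-key.conf`); groff may render an unescaped `-` as a typographic hyphen and `--` as a single dash, which breaks copying the flags from the rendered page, so write them as `\-d`, `\-D`, `\-l`, `\-n`, `\-v` and `\-\-version`. The `-n` text also uses ` - ` as a dash in "system log - this will prevent that"; a semicolon reads better in roff. Finally, the intro says these options exist "for debugging purposes", but the `-l` entry does not say whether it is honoured without `-d`; since `-l` makes the program pick its handler rules from `request-key.d/*` and `request-key.conf` in the current directory, state explicitly whether `-l` without `-d` can lead to a handler from that directory being executed, or whether it is refused.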
diff --git a/man/request-key.conf.5 b/man/request-key.conf.5
index 49facad..276c771 100644
--- a/man/request-key.conf.5
+++ b/man/request-key.conf.5
@@ -12,20 +12,24 @@
request\-key.conf \- Instantiation handler configuration file
.SH DESCRIPTION
.P
-This file and its associated key-type specific variants are used by the
-/sbin/request\-key program to determine which program it should run to
-instantiate a key.
+These files are used by the /sbin/request\-key program to determine which
+program it should run to instantiate a key.
.P
-request\-key looks first in /etc/request\-key.d/ for a file of the key type name
-plus ".conf" that it can use. If that is not found, it will fall back to
-/etc/request\-key.conf.
+request\-key looks for the best match, reading all the following files:
+.IP
+ /etc/request\-key.d/*.conf
+.br
+ /etc/request\-key.conf
+.P
+If it doesn't find a match, it will return an error
+and the kernel will automatically negate the key.
.P
-request\-key scans through the chosen file one line at a time until it
-finds a match, which it will then use. If it doesn't find a match, it'll return
-an error and the kernel will automatically negate the key.
+The best match is defined as the line with the shortest wildcard skips, ranking
+the columns in order left to right. If two lines have the same length skips,
+then the first read is the one taken.
.P
-Any blank line or line beginning with a hash mark '#' is considered to be a
-comment and ignored.
+In the files, any blank line or line beginning with a hash mark '#' is
+considered to be a comment and ignored.
.P
All other lines are assumed to be command lines with a number of white space
separated fields:
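Review bot: the tie-break rule "then the first read is the one taken" depends on read order, but the list above only gives `/etc/request\-key.d/*.conf` followed by `/etc/request\-key.conf` and does not say in what order the files matched by `*.conf` are read; state it (for instance sorted by name) so an administrator can predict which of two equally specific rules in different files wins. "shortest wildcard skips" is also undefined on this page; adopting the commit message's definition (the number of characters consumed by the `*`, compared column by column from left to right, with an exact match in a column beating any skip there) would make the ranking checkable against a real configuration. Minor: the two file names under `.IP` begin with a literal space, which roff treats as a break request; drop the leading space and keep the `.br` between them.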
@@ -36,10 +40,10 @@ The first four fields are used to match the parameters passed to request\-key by
the kernel. \fIop\fR is the operation type; currently the only supported
operation is "create".
.P
-\fItype\fR, \fIdescription\fR and \fIcallout\-info\fR match the three parameters
-passed to \fBkeyctl request2\fR or the \fBrequest_key()\fR system call. Each of
-these may contain one or more asterisk '*' characters as wildcards anywhere
-within the string.
+\fItype\fR, \fIdescription\fR and \fIcallout\-info\fR match the three
+parameters passed to \fBkeyctl request2\fR or the \fBrequest_key()\fR system
+call. Each of these may contain one asterisk '*' character as a wildcard
+anywhere within the string.
.P
Should a match be made, the program specified by <prog> will be exec'd. This
must have a fully qualified path name. argv[0] will be set from the part of the
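Review bot: this hunk narrows the documented wildcard rule from "one or more asterisk '*' characters" per field to "one asterisk '*' character", which is a behaviour change the commit message does not mention. Say what happens to an existing rule that has two `*` in one field (is the line rejected, or is only one of them treated as a wildcard?) and note the change in the commit message, because a rule that silently stops matching means the lookup returns an error and, per the DESCRIPTION above, the kernel negates the key.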
@@ -135,7 +139,7 @@ the payload.
.ul 0
.br
.ul
-/etc/request\-key.d/<keytype>.conf
+/etc/request\-key.d/*.conf
.ul 0
.SH SEE ALSO
\fBkeyctl\fR(1), \fBrequest\-key.conf\fR(5)
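Review bot: the SEE ALSO line in the trailing context, `\fBkeyctl\fR(1), \fBrequest\-key.conf\fR(5)`, refers to this page itself; since the DESCRIPTION now documents the read order and best-match selection performed by the request\-key program, the reference a reader needs is `\fBrequest\-key\fR(8)`, and this patch, which touches both pages, is the natural place to fix it.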