authorMartin Babinsky <mbabinsk@redhat.com>2015-07-23 15:45:35 +0200
committerMartin Basti <mbasti@redhat.com>2015-07-29 16:40:32 +0200
commita2ba9373070b19c158be8be78f7fbeee5ccab081 (patch)
tree460cc8cc55533380779604fa1406ee0eaff8498f
parentf7dbaa6382caac118acd6f5379cc7ec691f39b28 (diff)
ACI plugin: correctly parse bind rules enclosed in parentheses
Since a bind rule such as `(userdn = "ldap:///anyone")` is also a valid statement, the ipalib ACI parser was updated to handle this case. https://fedorahosted.org/freeipa/ticket/5037 Reviewed-By: Martin Basti <mbasti@redhat.com>
-rwxr-xr-xipalib/aci.py8
1 files changed, 6 insertions, 2 deletions
diff --git a/ipalib/aci.py b/ipalib/aci.py
index a55732bf1..f78c5327d 100755
--- a/ipalib/aci.py
+++ b/ipalib/aci.py
@@ -26,10 +26,11 @@ import re
ACIPat = re.compile(r'\(version\s+3.0\s*;\s*ac[li]\s+\"([^\"]*)\"\s*;\s*([^;]*);\s*\)', re.UNICODE)
# Break the permissions/bind_rules out
-PermPat = re.compile(r'(\w+)\s*\((.*)\)\s+(.*)', re.UNICODE)
+PermPat = re.compile(r'(\w+)\s*\(([^()]*)\)\s*(.*)', re.UNICODE)
# Break the bind rule out
-BindPat = re.compile(r'([a-zA-Z0-9;\.]+)\s*(\!?=)\s*(.*)', re.UNICODE)
+BindPat = re.compile(r'\(?([a-zA-Z0-9;\.]+)\s*(\!?=)\s*\"(.*)\"\)?',
+ re.UNICODE)
ACTIONS = ["allow", "deny"]
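Review bot: The new `BindPat` is neither anchored at the end nor restricted inside the quotes, so with `BindPat.match` a compound rule such as `userdn = "ldap:///self" or userdn = "ldap:///anyone"` is captured as a single expression running from the first quote to the last, and anything after the last closing quote is ignored. For a parser of access-control rules that means the parsed bind rule can differ from what the directory server evaluates. If compound rules are not meant to be supported here, rejecting them is safer than mis-parsing them: `r'\(?([a-zA-Z0-9;\.]+)\s*(\!?=)\s*\"([^\"]*)\"\s*\)?\s*$'`. The same gap lets `(userdn = "x"))` pass the parenthesis check added in `set_bindrule` in the second hunk. A comment above the pattern stating that the value must now be double-quoted would also help, since the old pattern accepted unquoted values.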
@@ -193,6 +194,9 @@ class ACI:
self.target['target']['operator'] = operator
def set_bindrule(self, bindrule):
+ if bindrule.startswith('(') != bindrule.endswith(')'):
+ raise SyntaxError("non-matching parentheses in bindrule")
+
match = BindPat.match(bindrule)
if not match or len(match.groups()) < 3:
raise SyntaxError, "malformed bind rule"
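Review bot: The parenthesis check in `set_bindrule` compares only the first and last character of the raw string, so a rule with leading or trailing whitespace, e.g. `(userdn = "ldap:///anyone") `, is rejected with "non-matching parentheses" even though it is balanced. Whether callers already strip the value is not visible in this hunk; if they do not, normalise first with `bindrule = bindrule.strip()` before the comparison. The new `raise SyntaxError("...")` call form also differs from the `raise SyntaxError, "malformed bind rule"` statement two lines below, which is worth aligning to the call form. The method body continues outside the hunk.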