summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMartin Babinsky <mbabinsk@redhat.com>2015-07-23 15:45:35 +0200
committerMartin Basti <mbasti@redhat.com>2015-07-29 16:40:32 +0200
commita2ba9373070b19c158be8be78f7fbeee5ccab081 (patch)
tree460cc8cc55533380779604fa1406ee0eaff8498f
parentf7dbaa6382caac118acd6f5379cc7ec691f39b28 (diff)
downloadfreeipa-a2ba9373070b19c158be8be78f7fbeee5ccab081.zip
freeipa-a2ba9373070b19c158be8be78f7fbeee5ccab081.tar.gz
freeipa-a2ba9373070b19c158be8be78f7fbeee5ccab081.tar.xz
ACI plugin: correctly parse bind rules enclosed in parentheses
Since bind rule such as `(userdn = "ldap:///anyone")` is also a valid statement, the ipalib ACI parser was updated to handle this case. https://fedorahosted.org/freeipa/ticket/5037 Reviewed-By: Martin Basti <mbasti@redhat.com>
-rwxr-xr-xipalib/aci.py8
1 files changed, 6 insertions, 2 deletions
diff --git a/ipalib/aci.py b/ipalib/aci.py
index a55732b..f78c532 100755
--- a/ipalib/aci.py
+++ b/ipalib/aci.py
@@ -26,10 +26,11 @@ import re
ACIPat = re.compile(r'\(version\s+3.0\s*;\s*ac[li]\s+\"([^\"]*)\"\s*;\s*([^;]*);\s*\)', re.UNICODE)
# Break the permissions/bind_rules out
-PermPat = re.compile(r'(\w+)\s*\((.*)\)\s+(.*)', re.UNICODE)
+PermPat = re.compile(r'(\w+)\s*\(([^()]*)\)\s*(.*)', re.UNICODE)
# Break the bind rule out
-BindPat = re.compile(r'([a-zA-Z0-9;\.]+)\s*(\!?=)\s*(.*)', re.UNICODE)
+BindPat = re.compile(r'\(?([a-zA-Z0-9;\.]+)\s*(\!?=)\s*\"(.*)\"\)?',
+ re.UNICODE)
ACTIONS = ["allow", "deny"]
@@ -193,6 +194,9 @@ class ACI:
self.target['target']['operator'] = operator
def set_bindrule(self, bindrule):
+ if bindrule.startswith('(') != bindrule.endswith(')'):
+ raise SyntaxError("non-matching parentheses in bindrule")
+
match = BindPat.match(bindrule)
if not match or len(match.groups()) < 3:
raise SyntaxError, "malformed bind rule"