author | Petr Viktorin <pviktori@redhat.com> | 2014-06-30 20:56:23 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2014-07-01 09:35:38 +0200 |
commit | fdef2e1bd80d688467aeb8ac425e9010bf00c530 (patch) | |
tree | c45a6e2cfd4de61db7a82280d3657f83cb8f390f /ipalib/plugins/permission.py | |
parent | 5ff8e3d8b36a3c52477da459bbf79bb8af809078 (diff) | |
permission plugin: Ignore unparseable ACIs
When manipulating a permission for an entry that has an ACI
that the parser cannot process, skip this ACI instead of
failing.
Add a test that manipulates permission in cn=accounts,
where there are complex ipaAllowedOperation-based ACIs.
Workaround for: https://fedorahosted.org/freeipa/ticket/4376
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'ipalib/plugins/permission.py')
-rw-r--r-- | ipalib/plugins/permission.py | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index e7bd22091..30571bea3 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -641,7 +641,12 @@ class permission(baseldap.LDAPObject):
 acientry = ldap.make_entry(location)
 acis = acientry.get('aci', ())
 for acistring in acis:
- aci = ACI(acistring)
+ try:
+ aci = ACI(acistring)
+ except SyntaxError as e:
+ self.log.warning('Unparseable ACI %s: %s (at %s)',
+ acistring, e, location)
+ continue
 if aci.name == wanted_aciname:
 return acientry, acistring
 else: |
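Review bot: Skipping an unparseable ACI with `continue` means the comparison `aci.name == wanted_aciname` never runs for it, so if the permission's own ACI is the one that fails to parse, the loop falls through to the `else:` branch as though the ACI were absent. The body of that branch and the callers are outside this hunk, but if a delete or modify path treats that result as "nothing to remove", the old ACI would presumably stay on the entry and keep granting access, with a log warning as the only trace. I would record this next to the handler, e.g. `# NOTE: a skipped ACI is never matched by name and remains in effect on the entry`, and have the not-found path report that unparseable ACIs were skipped. The warning also formats `acistring` with `%s`, which writes directory-supplied text into the log unescaped; `%r` would keep embedded newlines or control characters from breaking log lines.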