From a2ba9373070b19c158be8be78f7fbeee5ccab081 Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Thu, 23 Jul 2015 15:45:35 +0200
Subject: ACI plugin: correctly parse bind rules enclosed in parentheses
Since bind rule such as `(userdn = "ldap:///anyone")` is also a valid statement, the ipalib ACI parser was updated to handle this case.
https://fedorahosted.org/freeipa/ticket/5037
Reviewed-By: Martin Basti
---
 ipalib/aci.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/ipalib/aci.py b/ipalib/aci.py
index a55732bf1..f78c5327d 100755
--- a/ipalib/aci.py
+++ b/ipalib/aci.py
@@ -26,10 +26,11 @@ import re
 ACIPat = re.compile(r'\(version\s+3.0\s*;\s*ac[li]\s+\"([^\"]*)\"\s*;\s*([^;]*);\s*\)', re.UNICODE)
 # Break the permissions/bind_rules out
-PermPat = re.compile(r'(\w+)\s*\((.*)\)\s+(.*)', re.UNICODE)
+PermPat = re.compile(r'(\w+)\s*\(([^()]*)\)\s*(.*)', re.UNICODE)
 # Break the bind rule out
-BindPat = re.compile(r'([a-zA-Z0-9;\.]+)\s*(\!?=)\s*(.*)', re.UNICODE)
+BindPat = re.compile(r'\(?([a-zA-Z0-9;\.]+)\s*(\!?=)\s*\"(.*)\"\)?',
+ re.UNICODE)
 ACTIONS = ["allow", "deny"]
@@ -193,6 +194,9 @@ class ACI:
 self.target['target']['operator'] = operator
 def set_bindrule(self, bindrule):
+ if bindrule.startswith('(') != bindrule.endswith(')'):
+ raise SyntaxError("non-matching parentheses in bindrule")
+
 match = BindPat.match(bindrule)
 if not match or len(match.groups()) < 3:
 raise SyntaxError, "malformed bind rule"
-- cgit
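Review bot: The new `BindPat` has no end anchor and is applied with `BindPat.match` in `set_bindrule`, so anything after the last `"` and optional `)` is dropped without an error, and the greedy `\"(.*)\"` runs from the first quote to the last one. A compound rule such as `(userdn = "a") and (groupdn = "b")` used to fail on the leading `(`; it now passes the first/last-character check and is read as one keyword with the expression `a") and (groupdn = "b`. For a parser of access-control rules, rejecting is safer than mis-reading: if a single condition is the only supported form (not visible in this hunk), end the pattern with `\"([^\"]*)\"\)?\s*$`. A comment on `BindPat` stating that the value must now be double-quoted and that group 3 excludes the quotes would also help callers that previously received the quoted text.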
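Review bot: The parenthesis check added at the top of `set_bindrule` looks only at the first and last characters of the raw string, so surrounding whitespace makes a well-formed rule fail: `(userdn = "ldap:///anyone") ` with a trailing space starts with `(`, does not end with `)`, and raises. `ACIPat` captures the rule text with `([^;]*)` and `PermPat` passes on `(.*)`, so trailing blanks before the `;` can plausibly reach this method, although the call site is outside the hunk. Adding `bindrule = bindrule.strip()` ahead of the comparison would avoid rejecting valid ACIs. On style, the new `raise SyntaxError("...")` call form sits directly above the older `raise SyntaxError, "malformed bind rule"` statement; using the call form for both keeps the method consistent. The rest of the `set_bindrule` body lies outside the hunk.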