ipa-python/aci.py


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131

# Copyright (C) 2007    Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 or later
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.    See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#

import re
import urllib

import ipa.ipautil

class ACI:
    """
    Holds the basic data for an ACI entry, as stored in the cn=accounts
    entry in LDAP.  Has methods to parse an ACI string and export to an
    ACI String.
    """

    def __init__(self,acistr=None):
        self.name = ''
        self.source_group = ''
        self.dest_group = ''
        self.attrs = []
        self.orig_acistr = acistr
        if acistr is not None:
            self.parse_acistr(acistr)

    def export_to_string(self):
        """Converts the ACI to a string suitable for an LDAP aci attribute."""
        attrs_str = ' || '.join(self.attrs)

        # dest_group and source_group are assumed to be pre-escaped.
        # dn's aren't typed in, but searched for, and the search results
        # will return escaped dns

        acistr = ('(targetattr="%s")' +
                  '(targetfilter="(memberOf=%s)")' +
                  '(version 3.0;' +
                  'acl "%s";' +
                  'allow (write) ' +
                  'groupdn="ldap:///%s";)') % (attrs_str,
                                       self.dest_group,
                                       self.name,
                                       urllib.quote(self.source_group, "/=, "))
        return acistr

    def to_dict(self):
        result = ipa.ipautil.CIDict()
        result['name'] = self.name
        result['source_group'] = self.source_group
        result['dest_group'] = self.dest_group
        result['attrs'] = self.attrs
        result['orig_acistr'] = self.orig_acistr

        return result

    def _match(self, prefix, inputstr):
        """Returns inputstr with prefix removed, or else raises a
           SyntaxError."""
        if inputstr.startswith(prefix):
            return inputstr[len(prefix):]
        else:
            raise SyntaxError, "'%s' not found at '%s'" % (prefix, inputstr)

    def _match_str(self, inputstr):
        """Tries to extract a " delimited string from the front of inputstr.
           Returns (string, inputstr) where:
             - string is the extracted string (minus the enclosing " chars)
             - inputstr is the parameter with the string removed.
           Raises SyntaxError is a string is not found."""
        if not inputstr.startswith('"'):
            raise SyntaxError, "string not found at '%s'" % inputstr

        found = False
        start_index = 1
        final_index = 1
        while not found and (final_index < len(inputstr)):
            if inputstr[final_index] == '\\':
                final_index += 2
            elif inputstr[final_index] == '"':
                found = True
            else:
                final_index += 1
        if not found:
            raise SyntaxError, "string not found at '%s'" % inputstr

        match = inputstr[start_index:final_index]
        inputstr = inputstr[final_index + 1:]

        return(match, inputstr)

    def parse_acistr(self, acistr):
        """Parses the acistr.  If the string isn't recognized, a SyntaxError
           is raised."""
        self.orig_acistr = acistr

        acistr = self._match('(targetattr=', acistr)
        (attrstr, acistr) = self._match_str(acistr)
        self.attrs = attrstr.split(' || ')

        acistr = self._match(')(targetfilter=', acistr)
        (target_dn_str, acistr) = self._match_str(acistr)
        target_dn_str = self._match('(memberOf=', target_dn_str)
        if target_dn_str.endswith(')'):
            self.dest_group = target_dn_str[:-1]
        else:
            raise SyntaxError, "illegal dest_group at '%s'" % target_dn_str

        acistr = self._match(')(version 3.0;acl ', acistr)
        (name_str, acistr) = self._match_str(acistr)
        self.name = name_str

        acistr = self._match(';allow (write) groupdn=', acistr)
        (src_dn_str, acistr) = self._match_str(acistr)
        src_dn_str = self._match('ldap:///', src_dn_str)
        self.source_group = urllib.unquote(src_dn_str)

        acistr = self._match(';)', acistr)
        if len(acistr) > 0:
            raise SyntaxError, "unexpected aci suffix at '%s'" % acistr