Hello, The first patch adds "==" to ACI object to simplify comparisons. The second patch moves existing "tests" to the test suite.
The third patch adds support for an alternate "aci" keyword that DS supports (but I couldn't get any documentaion on it). Dogtag adds ACIs with this keyword to cn=config, so we'll need this fix when parsing ACIs there.
Rob, you wrote the parser; does this look OK to you? -- PetrĀ³
From 346d21d35a56c287772443bc49cfd0c9e15f1493 Mon Sep 17 00:00:00 2001 From: Petr Viktorin <pvikt...@redhat.com> Date: Wed, 30 Apr 2014 17:24:06 +0200 Subject: [PATCH] ipalib.aci: Add support for == and != operators to ACI This allows more natural comparisons. --- ipalib/aci.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/ipalib/aci.py b/ipalib/aci.py index c911da18846e6b313387856f6652614d5092ede3..93b1c2d1c9d960a0739033c4c8fab61cfd381237 100755 --- a/ipalib/aci.py +++ b/ipalib/aci.py @@ -253,6 +253,12 @@ def isequal(self, b): # We got this far so lets declare them the same return True + __eq__ = isequal + + def __neq__(self, b): + return not self == b + + if __name__ == '__main__': # a = ACI('(targetattr="title")(targetfilter="(memberOf=cn=bar,cn=groups,cn=accounts ,dc=example,dc=com)")(version 3.0;acl "foobar";allow (write) groupdn="ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com";)') # print a -- 1.9.0
From e1cebbd7a9ede60bf1f719616ab8f1ecbe825fb8 Mon Sep 17 00:00:00 2001 From: Petr Viktorin <pvikt...@redhat.com> Date: Thu, 29 Mar 2012 04:20:03 -0400 Subject: [PATCH] Move ACI tests to the testsuite Make old debug code into regression tests for ACI parsing and output. --- ipalib/aci.py | 52 ----------------------- ipatests/test_ipalib/test_aci.py | 89 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 89 insertions(+), 52 deletions(-) create mode 100644 ipatests/test_ipalib/test_aci.py diff --git a/ipalib/aci.py b/ipalib/aci.py index 93b1c2d1c9d960a0739033c4c8fab61cfd381237..5f33b81fe8354adbd05707d8639a0f803474a2ed 100755 --- a/ipalib/aci.py +++ b/ipalib/aci.py @@ -257,55 +257,3 @@ def isequal(self, b): def __neq__(self, b): return not self == b - - -if __name__ == '__main__': -# a = ACI('(targetattr="title")(targetfilter="(memberOf=cn=bar,cn=groups,cn=accounts ,dc=example,dc=com)")(version 3.0;acl "foobar";allow (write) groupdn="ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com";)') -# print a -# a = ACI('(target="ldap:///uid=bjensen,dc=example,dc=com")(targetattr=*) (version 3.0;acl "aci1";allow (write) userdn="ldap:///self";)') -# print a -# a = ACI(' (targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou")(version 3.0;acl "Self service";allow (write) userdn = "ldap:///self";)') -# print a - - a = ACI('(target="ldap:///uid=*,cn=users,cn=accounts,dc=example,dc=com")(version 3.0;acl "add_user";allow (add) groupdn="ldap:///cn=add_user,cn=taskgroups,dc=example,dc=com";)') - print a - print "---" - - a = ACI('(targetattr=member)(target="ldap:///cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com")(version 3.0;acl "add_user_to_default_group";allow (write) groupdn="ldap:///cn=add_user_to_default_group,cn=taskgroups,dc=example,dc=com";)') - print a - print "---" - - a = ACI('(targetattr!=member)(target="ldap:///cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com")(version 3.0;acl "add_user_to_default_group";allow (write) groupdn="ldap:///cn=add_user_to_default_group,cn=taskgroups,dc=example,dc=com";)') - print a - print "---" - - a = ACI('(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "change_password"; allow (write) groupdn = "ldap:///cn=change_password,cn=taskgroups,dc=example,dc=com";)') - print a - print "---" - - a = ACI() - a.name ="foo" - a.set_target_attr(['title','givenname'], "!=") -# a.set_bindrule("groupdn = \"ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com\"") - a.set_bindrule_keyword("groupdn") - a.set_bindrule_operator("=") - a.set_bindrule_expression ("\"ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com\"") - a.permissions = ['read','write','add'] - print a - - b = ACI() - b.name ="foo" - b.set_target_attr(['givenname','title'], "!=") - b.set_bindrule_keyword("groupdn") - b.set_bindrule_operator("=") - b.set_bindrule_expression ("\"ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com\"") - b.permissions = ['add','read','write'] - print b - - print a.isequal(b) - - a = ACI('(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)') - print a - - a = ACI('(targetfilter = "(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup))")(targetattr != "aci || userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add, delete, read, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=greyoak,dc=com";)') - print a diff --git a/ipatests/test_ipalib/test_aci.py b/ipatests/test_ipalib/test_aci.py new file mode 100644 index 0000000000000000000000000000000000000000..e89dbff0bb7933e4339675a51d874aafde428bc8 --- /dev/null +++ b/ipatests/test_ipalib/test_aci.py @@ -0,0 +1,89 @@ +# Authors: +# Rob Crittenden <rcrit...@redhat.com> +# Petr Viktorin <pvikt...@redhat.com> +# +# Copyright (C) 2008 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +""" +Test the `ipalib.aci` module. +""" + +from ipalib.aci import ACI + +def check_aci_parsing(source, expected): + a = ACI(source) + print 'ACI was: ', a + print 'Expected:', expected + assert str(ACI(source)) == expected + +def test_aci_parsing_1(): + check_aci_parsing('(targetattr="title")(targetfilter="(memberOf=cn=bar,cn=groups,cn=accounts ,dc=example,dc=com)")(version 3.0;acl "foobar";allow (write) groupdn="ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com";)', + '(targetattr = "title")(targetfilter = "(memberOf=cn=bar,cn=groups,cn=accounts ,dc=example,dc=com)")(version 3.0;acl "foobar";allow (write) groupdn = "ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com";)') + +def test_aci_parsing_2(): + check_aci_parsing('(target="ldap:///uid=bjensen,dc=example,dc=com")(targetattr=*) (version 3.0;acl "aci1";allow (write) userdn="ldap:///self";)', + '(targetattr = "*")(target = "ldap:///uid=bjensen,dc=example,dc=com")(version 3.0;acl "aci1";allow (write) userdn = "ldap:///self";)') + +def test_aci_parsing_3(): + check_aci_parsing(' (targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou")(version 3.0;acl "Self service";allow (write) userdn = "ldap:///self";)', + '(targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou")(version 3.0;acl "Self service";allow (write) userdn = "ldap:///self";)') + +def test_aci_parsing_4(): + check_aci_parsing('(target="ldap:///uid=*,cn=users,cn=accounts,dc=example,dc=com")(version 3.0;acl "add_user";allow (add) groupdn="ldap:///cn=add_user,cn=taskgroups,dc=example,dc=com";)', + '(target = "ldap:///uid=*,cn=users,cn=accounts,dc=example,dc=com")(version 3.0;acl "add_user";allow (add) groupdn = "ldap:///cn=add_user,cn=taskgroups,dc=example,dc=com";)') + +def test_aci_parsing_5(): + check_aci_parsing('(targetattr=member)(target="ldap:///cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com")(version 3.0;acl "add_user_to_default_group";allow (write) groupdn="ldap:///cn=add_user_to_default_group,cn=taskgroups,dc=example,dc=com";)', + '(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com")(version 3.0;acl "add_user_to_default_group";allow (write) groupdn = "ldap:///cn=add_user_to_default_group,cn=taskgroups,dc=example,dc=com";)') + +def test_aci_parsing_6(): + check_aci_parsing('(targetattr!=member)(targe="ldap:///cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com")(version 3.0;acl "add_user_to_default_group";allow (write) groupdn="ldap:///cn=add_user_to_default_group,cn=taskgroups,dc=example,dc=com";)', + '(targetattr != "member")(targe = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com")(version 3.0;acl "add_user_to_default_group";allow (write) groupdn = "ldap:///cn=add_user_to_default_group,cn=taskgroups,dc=example,dc=com";)') + +def test_aci_parsing_7(): + check_aci_parsing('(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "change_password"; allow (write) groupdn = "ldap:///cn=change_password,cn=taskgroups,dc=example,dc=com";)', + '(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0;acl "change_password";allow (write) groupdn = "ldap:///cn=change_password,cn=taskgroups,dc=example,dc=com";)') + +def test_aci_equality(): + a = ACI() + a.name ="foo" + a.set_target_attr(['title','givenname'], "!=") + a.set_bindrule_keyword("groupdn") + a.set_bindrule_operator("=") + a.set_bindrule_expression("\"ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com\"") + a.permissions = ['read','write','add'] + print a + + b = ACI() + b.name ="foo" + b.set_target_attr(['givenname','title'], "!=") + b.set_bindrule_keyword("groupdn") + b.set_bindrule_operator("=") + b.set_bindrule_expression("\"ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com\"") + b.permissions = ['add','read','write'] + print b + + assert a.isequal(b) + assert a == b + +def test_aci_parsing_8(): + check_aci_parsing('(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)', + '(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0;acl "Enable Anonymous access";allow (read,search,compare) userdn = "ldap:///anyone";)') + +def test_aci_parsing_9(): + check_aci_parsing('(targetfilter = "(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup))")(targetattr != "aci || userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add, delete, read, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=greyoak,dc=com";)', + '(targetattr != "aci || userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(targetfilter = "(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup))")(version 3.0;acl "Account Admins can manage Users and Groups";allow (add,delete,read,write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=greyoak,dc=com";)') -- 1.9.0
From ba1ddec1b025bdf437a977f96c2bb2e599c95688 Mon Sep 17 00:00:00 2001 From: Petr Viktorin <pvikt...@redhat.com> Date: Mon, 28 Apr 2014 13:35:13 +0200 Subject: [PATCH] ipalib.aci: Allow alternate "aci" keyword in ACIs Dogtag adds some ACIs that use an alternate keyword: version 3.0; aci instead of version 3.0; acl Add support for this so the parser does not fail on these ACIs. --- ipalib/aci.py | 2 +- ipatests/test_ipalib/test_aci.py | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ipalib/aci.py b/ipalib/aci.py index 5f33b81fe8354adbd05707d8639a0f803474a2ed..cea61a9c43dda589e95e2bc555da61edbed5ce50 100755 --- a/ipalib/aci.py +++ b/ipalib/aci.py @@ -23,7 +23,7 @@ # The Python re module doesn't do nested parenthesis # Break the ACI into 3 pieces: target, name, permissions/bind_rules -ACIPat = re.compile(r'\(version\s+3.0\s*;\s*acl\s+\"([^\"]*)\"\s*;\s*([^;]*);\s*\)', re.UNICODE) +ACIPat = re.compile(r'\(version\s+3.0\s*;\s*ac[li]\s+\"([^\"]*)\"\s*;\s*([^;]*);\s*\)', re.UNICODE) # Break the permissions/bind_rules out PermPat = re.compile(r'(\w+)\s*\((.*)\)\s+(.*)', re.UNICODE) diff --git a/ipatests/test_ipalib/test_aci.py b/ipatests/test_ipalib/test_aci.py index e89dbff0bb7933e4339675a51d874aafde428bc8..6b8e64e71baef671308c8e3124e27ec4fe704a7c 100644 --- a/ipatests/test_ipalib/test_aci.py +++ b/ipatests/test_ipalib/test_aci.py @@ -34,6 +34,10 @@ def test_aci_parsing_1(): check_aci_parsing('(targetattr="title")(targetfilter="(memberOf=cn=bar,cn=groups,cn=accounts ,dc=example,dc=com)")(version 3.0;acl "foobar";allow (write) groupdn="ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com";)', '(targetattr = "title")(targetfilter = "(memberOf=cn=bar,cn=groups,cn=accounts ,dc=example,dc=com)")(version 3.0;acl "foobar";allow (write) groupdn = "ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com";)') +def test_aci_parsing_1_with_aci_keyword(): + check_aci_parsing('(targetattr="title")(targetfilter="(memberOf=cn=bar,cn=groups,cn=accounts ,dc=example,dc=com)")(version 3.0;aci "foobar";allow (write) groupdn="ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com";)', + '(targetattr = "title")(targetfilter = "(memberOf=cn=bar,cn=groups,cn=accounts ,dc=example,dc=com)")(version 3.0;acl "foobar";allow (write) groupdn = "ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com";)') + def test_aci_parsing_2(): check_aci_parsing('(target="ldap:///uid=bjensen,dc=example,dc=com")(targetattr=*) (version 3.0;acl "aci1";allow (write) userdn="ldap:///self";)', '(targetattr = "*")(target = "ldap:///uid=bjensen,dc=example,dc=com")(version 3.0;acl "aci1";allow (write) userdn = "ldap:///self";)') -- 1.9.0
_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel