Hello,
The first patch adds "==" to ACI object to simplify comparisons.
The second patch moves existing "tests" to the test suite.

The third patch adds support for an alternate "aci" keyword that DS supports (but I couldn't get any documentation on it). Dogtag adds ACIs with this keyword to cn=config, so we'll need this fix when parsing ACIs there.


Rob, you wrote the parser; does this look OK to you?

--
Petr³
From 346d21d35a56c287772443bc49cfd0c9e15f1493 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Wed, 30 Apr 2014 17:24:06 +0200
Subject: [PATCH] ipalib.aci: Add support for == and != operators to ACI

This allows more natural comparisons.
---
 ipalib/aci.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/ipalib/aci.py b/ipalib/aci.py
index c911da18846e6b313387856f6652614d5092ede3..93b1c2d1c9d960a0739033c4c8fab61cfd381237 100755
--- a/ipalib/aci.py
+++ b/ipalib/aci.py
@@ -253,6 +253,12 @@ def isequal(self, b):
         # We got this far so lets declare them the same
         return True
 
+    __eq__ = isequal
+
+    def __neq__(self, b):
+        return not self == b
+
+
 if __name__ == '__main__':
 #    a = ACI('(targetattr="title")(targetfilter="(memberOf=cn=bar,cn=groups,cn=accounts ,dc=example,dc=com)")(version 3.0;acl "foobar";allow (write) groupdn="ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com";;)')
 #    print a
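Review bot: `__neq__` on the fourth added line is not a Python special method, so `a != b` never reaches it and still falls back to identity comparison, reporting two value-equal ACIs as unequal; the hook is `__ne__`, so the line should read `def __ne__(self, b):` (the same definition reappears as context in the second patch). Binding `__eq__` while leaving `__hash__` untouched also leaves instances hashed by id but compared by value, so if ACI objects are ever placed in sets or used as dict keys, consider adding `__hash__ = None` (or a value-based hash) next to `__eq__`. The `if __name__ == '__main__':` block continues past the end of the hunk.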
-- 
1.9.0

From e1cebbd7a9ede60bf1f719616ab8f1ecbe825fb8 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Thu, 29 Mar 2012 04:20:03 -0400
Subject: [PATCH] Move ACI tests to the testsuite

Make old debug code into regression tests for ACI parsing and output.
---
 ipalib/aci.py                    | 52 -----------------------
 ipatests/test_ipalib/test_aci.py | 89 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 89 insertions(+), 52 deletions(-)
 create mode 100644 ipatests/test_ipalib/test_aci.py

diff --git a/ipalib/aci.py b/ipalib/aci.py
index 93b1c2d1c9d960a0739033c4c8fab61cfd381237..5f33b81fe8354adbd05707d8639a0f803474a2ed 100755
--- a/ipalib/aci.py
+++ b/ipalib/aci.py
@@ -257,55 +257,3 @@ def isequal(self, b):
 
     def __neq__(self, b):
         return not self == b
-
-
-if __name__ == '__main__':
-#    a = ACI('(targetattr="title")(targetfilter="(memberOf=cn=bar,cn=groups,cn=accounts ,dc=example,dc=com)")(version 3.0;acl "foobar";allow (write) groupdn="ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com";;)')
-#    print a
-#    a = ACI('(target="ldap:///uid=bjensen,dc=example,dc=com";)(targetattr=*) (version 3.0;acl "aci1";allow (write) userdn="ldap:///self";;)')
-#    print a
-#    a = ACI(' (targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType  || businessCategory || ou")(version 3.0;acl "Self service";allow (write) userdn = "ldap:///self";;)')
-#    print a
-
-    a = ACI('(target="ldap:///uid=*,cn=users,cn=accounts,dc=example,dc=com";)(version 3.0;acl "add_user";allow (add) groupdn="ldap:///cn=add_user,cn=taskgroups,dc=example,dc=com";;)')
-    print a
-    print "---"
-
-    a = ACI('(targetattr=member)(target="ldap:///cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com";)(version 3.0;acl "add_user_to_default_group";allow (write) groupdn="ldap:///cn=add_user_to_default_group,cn=taskgroups,dc=example,dc=com";;)')
-    print a
-    print "---"
-
-    a = ACI('(targetattr!=member)(target="ldap:///cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com";)(version 3.0;acl "add_user_to_default_group";allow (write) groupdn="ldap:///cn=add_user_to_default_group,cn=taskgroups,dc=example,dc=com";;)')
-    print a
-    print "---"
-
-    a = ACI('(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "change_password"; allow (write) groupdn = "ldap:///cn=change_password,cn=taskgroups,dc=example,dc=com";;)')
-    print a
-    print "---"
-
-    a = ACI()
-    a.name ="foo"
-    a.set_target_attr(['title','givenname'], "!=")
-#    a.set_bindrule("groupdn = \"ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com\"";)
-    a.set_bindrule_keyword("groupdn")
-    a.set_bindrule_operator("=")
-    a.set_bindrule_expression ("\"ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com\"";)
-    a.permissions = ['read','write','add']
-    print a
-
-    b = ACI()
-    b.name ="foo"
-    b.set_target_attr(['givenname','title'], "!=")
-    b.set_bindrule_keyword("groupdn")
-    b.set_bindrule_operator("=")
-    b.set_bindrule_expression ("\"ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com\"";)
-    b.permissions = ['add','read','write']
-    print b
-
-    print a.isequal(b)
-
-    a = ACI('(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";;)')
-    print a
-
-    a = ACI('(targetfilter = "(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup))")(targetattr != "aci || userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add, delete, read, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=greyoak,dc=com";;)')
-    print a
diff --git a/ipatests/test_ipalib/test_aci.py b/ipatests/test_ipalib/test_aci.py
new file mode 100644
index 0000000000000000000000000000000000000000..e89dbff0bb7933e4339675a51d874aafde428bc8
--- /dev/null
+++ b/ipatests/test_ipalib/test_aci.py
@@ -0,0 +1,89 @@
+# Authors:
+#   Rob Crittenden <rcrit...@redhat.com>
+#   Petr Viktorin <pvikt...@redhat.com>
+#
+# Copyright (C) 2008  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+"""
+Test the `ipalib.aci` module.
+"""
+
+from ipalib.aci import ACI
+
+def check_aci_parsing(source, expected):
+    a = ACI(source)
+    print 'ACI was: ', a
+    print 'Expected:', expected
+    assert str(ACI(source)) == expected
+
+def test_aci_parsing_1():
+    check_aci_parsing('(targetattr="title")(targetfilter="(memberOf=cn=bar,cn=groups,cn=accounts ,dc=example,dc=com)")(version 3.0;acl "foobar";allow (write) groupdn="ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com";;)',
+        '(targetattr = "title")(targetfilter = "(memberOf=cn=bar,cn=groups,cn=accounts ,dc=example,dc=com)")(version 3.0;acl "foobar";allow (write) groupdn = "ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com";;)')
+
+def test_aci_parsing_2():
+    check_aci_parsing('(target="ldap:///uid=bjensen,dc=example,dc=com";)(targetattr=*) (version 3.0;acl "aci1";allow (write) userdn="ldap:///self";;)',
+        '(targetattr = "*")(target = "ldap:///uid=bjensen,dc=example,dc=com";)(version 3.0;acl "aci1";allow (write) userdn = "ldap:///self";;)')
+
+def test_aci_parsing_3():
+    check_aci_parsing(' (targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType  || businessCategory || ou")(version 3.0;acl "Self service";allow (write) userdn = "ldap:///self";;)',
+        '(targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou")(version 3.0;acl "Self service";allow (write) userdn = "ldap:///self";;)')
+
+def test_aci_parsing_4():
+    check_aci_parsing('(target="ldap:///uid=*,cn=users,cn=accounts,dc=example,dc=com";)(version 3.0;acl "add_user";allow (add) groupdn="ldap:///cn=add_user,cn=taskgroups,dc=example,dc=com";;)',
+        '(target = "ldap:///uid=*,cn=users,cn=accounts,dc=example,dc=com";)(version 3.0;acl "add_user";allow (add) groupdn = "ldap:///cn=add_user,cn=taskgroups,dc=example,dc=com";;)')
+
+def test_aci_parsing_5():
+    check_aci_parsing('(targetattr=member)(target="ldap:///cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com";)(version 3.0;acl "add_user_to_default_group";allow (write) groupdn="ldap:///cn=add_user_to_default_group,cn=taskgroups,dc=example,dc=com";;)',
+        '(targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com";)(version 3.0;acl "add_user_to_default_group";allow (write) groupdn = "ldap:///cn=add_user_to_default_group,cn=taskgroups,dc=example,dc=com";;)')
+
+def test_aci_parsing_6():
+    check_aci_parsing('(targetattr!=member)(targe="ldap:///cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com";)(version 3.0;acl "add_user_to_default_group";allow (write) groupdn="ldap:///cn=add_user_to_default_group,cn=taskgroups,dc=example,dc=com";;)',
+        '(targetattr != "member")(targe = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com";)(version 3.0;acl "add_user_to_default_group";allow (write) groupdn = "ldap:///cn=add_user_to_default_group,cn=taskgroups,dc=example,dc=com";;)')
+
+def test_aci_parsing_7():
+    check_aci_parsing('(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "change_password"; allow (write) groupdn = "ldap:///cn=change_password,cn=taskgroups,dc=example,dc=com";;)',
+        '(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0;acl "change_password";allow (write) groupdn = "ldap:///cn=change_password,cn=taskgroups,dc=example,dc=com";;)')
+
+def test_aci_equality():
+    a = ACI()
+    a.name ="foo"
+    a.set_target_attr(['title','givenname'], "!=")
+    a.set_bindrule_keyword("groupdn")
+    a.set_bindrule_operator("=")
+    a.set_bindrule_expression("\"ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com\"";)
+    a.permissions = ['read','write','add']
+    print a
+
+    b = ACI()
+    b.name ="foo"
+    b.set_target_attr(['givenname','title'], "!=")
+    b.set_bindrule_keyword("groupdn")
+    b.set_bindrule_operator("=")
+    b.set_bindrule_expression("\"ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com\"";)
+    b.permissions = ['add','read','write']
+    print b
+
+    assert a.isequal(b)
+    assert a == b
+
+def test_aci_parsing_8():
+    check_aci_parsing('(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";;)',
+        '(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0;acl "Enable Anonymous access";allow (read,search,compare) userdn = "ldap:///anyone";;)')
+
+def test_aci_parsing_9():
+    check_aci_parsing('(targetfilter = "(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup))")(targetattr != "aci || userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add, delete, read, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=greyoak,dc=com";;)',
+        '(targetattr != "aci || userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(targetfilter = "(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup))")(version 3.0;acl "Account Admins can manage Users and Groups";allow (add,delete,read,write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=greyoak,dc=com";;)')
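Review bot: `test_aci_parsing_6` spells the target keyword `targe=` in its source and `targe = ` in its expected string, while the debug code it was moved from used `target=`; as written the test pins the parser's acceptance of an unrecognised keyword rather than the intended `target` round trip, and if the parser really does pass `targe` through unchanged, that leniency deserves an explicitly named test rather than an accidental one. The two lines should begin `(targetattr!=member)(target="ldap:///cn=ipausers,` and `(targetattr != "member")(target = "ldap:///cn=ipausers,` respectively. Separately, `check_aci_parsing` parses `source` twice, once into `a` for the print and again inside the assert, so the assertion should reuse the object it just printed: `assert str(a) == expected`.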
-- 
1.9.0

From ba1ddec1b025bdf437a977f96c2bb2e599c95688 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Mon, 28 Apr 2014 13:35:13 +0200
Subject: [PATCH] ipalib.aci: Allow alternate "aci" keyword in ACIs

Dogtag adds some ACIs that use an alternate keyword:
    version 3.0; aci
instead of
    version 3.0; acl

Add support for this so the parser does not fail on these ACIs.
---
 ipalib/aci.py                    | 2 +-
 ipatests/test_ipalib/test_aci.py | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/ipalib/aci.py b/ipalib/aci.py
index 5f33b81fe8354adbd05707d8639a0f803474a2ed..cea61a9c43dda589e95e2bc555da61edbed5ce50 100755
--- a/ipalib/aci.py
+++ b/ipalib/aci.py
@@ -23,7 +23,7 @@
 # The Python re module doesn't do nested parenthesis
 
 # Break the ACI into 3 pieces: target, name, permissions/bind_rules
-ACIPat = re.compile(r'\(version\s+3.0\s*;\s*acl\s+\"([^\"]*)\"\s*;\s*([^;]*);\s*\)', re.UNICODE)
+ACIPat = re.compile(r'\(version\s+3.0\s*;\s*ac[li]\s+\"([^\"]*)\"\s*;\s*([^;]*);\s*\)', re.UNICODE)
 
 # Break the permissions/bind_rules out
 PermPat = re.compile(r'(\w+)\s*\((.*)\)\s+(.*)', re.UNICODE)
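Review bot: The widened `ac[li]` alternative on the ACIPat line carries no explanation in the code, so a reader of aci.py cannot tell why `aci` is accepted or that output always renders it as `acl` (which is exactly what the accompanying test expects); add a comment above the line, e.g. `# Dogtag writes "aci" instead of "acl" before the ACI name; accept both (output always uses "acl")`. While the line is being touched, the version match `3.0` uses an unescaped `.`, so it also matches strings such as `3x0`; `3\.0` is what was meant. The silent normalisation is worth a second look if these cn=config ACIs are ever read and written back by IPA, since the stored text would then change from `aci` to `acl` — hedged, as no write path is visible in this patch.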
diff --git a/ipatests/test_ipalib/test_aci.py b/ipatests/test_ipalib/test_aci.py
index e89dbff0bb7933e4339675a51d874aafde428bc8..6b8e64e71baef671308c8e3124e27ec4fe704a7c 100644
--- a/ipatests/test_ipalib/test_aci.py
+++ b/ipatests/test_ipalib/test_aci.py
@@ -34,6 +34,10 @@ def test_aci_parsing_1():
     check_aci_parsing('(targetattr="title")(targetfilter="(memberOf=cn=bar,cn=groups,cn=accounts ,dc=example,dc=com)")(version 3.0;acl "foobar";allow (write) groupdn="ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com";;)',
         '(targetattr = "title")(targetfilter = "(memberOf=cn=bar,cn=groups,cn=accounts ,dc=example,dc=com)")(version 3.0;acl "foobar";allow (write) groupdn = "ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com";;)')
 
+def test_aci_parsing_1_with_aci_keyword():
+    check_aci_parsing('(targetattr="title")(targetfilter="(memberOf=cn=bar,cn=groups,cn=accounts ,dc=example,dc=com)")(version 3.0;aci "foobar";allow (write) groupdn="ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com";;)',
+        '(targetattr = "title")(targetfilter = "(memberOf=cn=bar,cn=groups,cn=accounts ,dc=example,dc=com)")(version 3.0;acl "foobar";allow (write) groupdn = "ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com";;)')
+
 def test_aci_parsing_2():
     check_aci_parsing('(target="ldap:///uid=bjensen,dc=example,dc=com";)(targetattr=*) (version 3.0;acl "aci1";allow (write) userdn="ldap:///self";;)',
         '(targetattr = "*")(target = "ldap:///uid=bjensen,dc=example,dc=com";)(version 3.0;acl "aci1";allow (write) userdn = "ldap:///self";;)')
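Review bot: The new test asserts that an ACI parsed with the `aci` keyword is rendered with `acl`, but nothing in the test says that normalisation is intended rather than incidental; a one-line comment above the call, `# the alternate "aci" keyword is accepted on input and rendered as "acl"`, would keep a later change from "fixing" the expected string in either direction. The commit message describes the Dogtag form as `version 3.0; aci` with a space after the semicolon, whereas the test input uses `3.0;aci`; the regex's `\s*` should cover both, but a second case in the described spacing would pin the exact form this change exists for.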
-- 
1.9.0
