This is a quick fix for https://fedorahosted.org/freeipa/ticket/5037

--
Martin^3 Babinsky
From 72ef56f5673152c91a1de571518d8ea232d35143 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Thu, 23 Jul 2015 15:45:35 +0200
Subject: [PATCH] ACI plugin: correctly parse bind rules enclosed in
 parentheses

Since a bind rule such as `(userdn = "ldap:///anyone";)` is also a valid
statement, the ipalib ACI parser was updated to handle this case.

https://fedorahosted.org/freeipa/ticket/5037
---
 ipalib/aci.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/ipalib/aci.py b/ipalib/aci.py
index a55732bf19e58d8a4b36fa18bee2725d5b6584da..fd15db89ca9e5f93738dee05bb2bccbed3b78daa 100755
--- a/ipalib/aci.py
+++ b/ipalib/aci.py
@@ -26,10 +26,11 @@ import re
 ACIPat = re.compile(r'\(version\s+3.0\s*;\s*ac[li]\s+\"([^\"]*)\"\s*;\s*([^;]*);\s*\)', re.UNICODE)
 
 # Break the permissions/bind_rules out
-PermPat = re.compile(r'(\w+)\s*\((.*)\)\s+(.*)', re.UNICODE)
+PermPat = re.compile(r'(\w+)\s*\(([a-zA-z0-9,\s]+)\)\s*(.*)', re.UNICODE)
 
 # Break the bind rule out
-BindPat = re.compile(r'([a-zA-Z0-9;\.]+)\s*(\!?=)\s*(.*)', re.UNICODE)
+BindPat = re.compile(r'\(?([a-zA-Z0-9;\.]+)\s*(\!?=)\s*\"(.*)\"\)?',
+                     re.UNICODE)
 
 ACTIONS = ["allow", "deny"]
 
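Review bot: The new `PermPat` character class `[a-zA-z0-9,\s]` contains the range `A-z`, which in ASCII also covers `[`, `\`, `]`, `^`, `_` and the backtick, so the permission list accepts characters it was presumably meant to reject; it should read `[a-zA-Z0-9,\s]+`. In the new `BindPat` the quotes are now mandatory and the `(.*)` between them is greedy, so an unquoted value no longer matches at all, and a constructed compound rule such as `userdn = "a" or groupdn = "b"` would be captured as the single expression `a" or groupdn = "b`. Whether callers depend on either form is not visible in this hunk, so a regression test covering both, plus a comment above each pattern stating the grammar it accepts, would make gaps in how access rules are read back easier to spot.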
@@ -193,6 +194,9 @@ class ACI:
         self.target['target']['operator'] = operator
 
     def set_bindrule(self, bindrule):
+        if bindrule.startswith('(') != bindrule.endswith(')'):
+            raise SyntaxError("non-matching parentheses in bindrule")
+
         match = BindPat.match(bindrule)
         if not match or len(match.groups()) < 3:
             raise SyntaxError, "malformed bind rule"
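Review bot: The parenthesis check added to `set_bindrule` compares only the first and last character of the raw string, so a rule with surrounding whitespace (for example a trailing space after `)`) is rejected as unbalanced, while a constructed input like `(userdn = "a") or (groupdn = "b")` passes even though it is not one parenthesised rule. `BindPat` treats `\(?` and `\)?` independently and is applied with `match()` and no end anchor, so this check is the only thing enforcing balance; normalising first with `bindrule = bindrule.strip()` would make it dependable. The added line uses `raise SyntaxError("...")` while the existing line below keeps the `raise SyntaxError, "..."` form; the call form for both would keep the function consistent. The body of `set_bindrule` continues past the end of the hunk.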
-- 
2.4.3
