From c00b3fac15439828ce0ecffa181d1b263ad505a7 Mon Sep 17 00:00:00 2001

From: Martin Babinsky <mbabinsk@redhat.com>

Date: Thu, 23 Jul 2015 15:45:35 +0200

Subject: [PATCH] ACI plugin: correctly parse bind rules enclosed in

 parentheses

Since bind rule such as `(userdn = "ldap:///anyone")` is also a valid

statement, the ipalib ACI parser was updated to handle this case.

https://fedorahosted.org/freeipa/ticket/5037

Reviewed-By: Martin Basti <mbasti@redhat.com>

---

 ipalib/aci.py | 8 ++++++--

 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/ipalib/aci.py b/ipalib/aci.py

index a55732bf19e58d8a4b36fa18bee2725d5b6584da..f78c5327dbe659240f046ae15622e798c8552829 100755

--- a/ipalib/aci.py

+++ b/ipalib/aci.py

@@ -26,10 +26,11 @@ import re

 ACIPat = re.compile(r'\(version\s+3.0\s*;\s*ac[li]\s+\"([^\"]*)\"\s*;\s*([^;]*);\s*\)', re.UNICODE)

 # Break the permissions/bind_rules out

-PermPat = re.compile(r'(\w+)\s*\((.*)\)\s+(.*)', re.UNICODE)

+PermPat = re.compile(r'(\w+)\s*\(([^()]*)\)\s*(.*)', re.UNICODE)

 # Break the bind rule out

-BindPat = re.compile(r'([a-zA-Z0-9;\.]+)\s*(\!?=)\s*(.*)', re.UNICODE)

+BindPat = re.compile(r'\(?([a-zA-Z0-9;\.]+)\s*(\!?=)\s*\"(.*)\"\)?',

+                     re.UNICODE)

 ACTIONS = ["allow", "deny"]

@@ -193,6 +194,9 @@ class ACI:

         self.target['target']['operator'] = operator

     def set_bindrule(self, bindrule):

+        if bindrule.startswith('(') != bindrule.endswith(')'):

+            raise SyntaxError("non-matching parentheses in bindrule")

+

         match = BindPat.match(bindrule)

         if not match or len(match.groups()) < 3:

             raise SyntaxError, "malformed bind rule"

-- 

2.4.3