Handle subtypes in ACIs

While enabling console output in the server installation the
"Allow trust agents to retrieve keytab keys for cross realm
principals" ACI was throwing an unparseable error because
it has a subkey which broke parsing (the extra semi-colon):

userattr="ipaAllowedToPerform;read_keys#GROUPDN";

The regular expression pattern needed to be updated to handle
this case.

Related: https://pagure.io/freeipa/issue/6760

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
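To show the failure the commit message describes, here is an added example (not FreeIPA's own code) that runs the old and the new `ACIPat` from this diff, followed by `PermPat`, over the ACI quoted above and over a plain ACI without a subtype; `OLD_ACIPAT`, `NEW_ACIPAT`, `SUBTYPE_ACI`, `PLAIN_ACI` and `parse_aci` are names I introduced for the comparison.

```python
import re

# Old and new ACIPat as they appear in the diff, kept side by side so the
# behavioural difference is visible (names OLD_/NEW_ are mine, not FreeIPA's).
OLD_ACIPAT = re.compile(
    r'\(version\s+3.0\s*;\s*ac[li]\s+\"([^\"]*)\"\s*;\s*([^;]*);\s*\)', re.UNICODE)
NEW_ACIPAT = re.compile(
    r'\(version\s+3.0\s*;\s*ac[li]\s+\"([^\"]*)\"\s*;'
    r'\s*(.*);\s*\)', re.UNICODE)
# PermPat, unchanged by the commit: splits "allow(read) <bind rule>".
PERMPAT = re.compile(r'(\w+)\s*\(([^()]*)\)\s*(.*)', re.UNICODE)

# Constructed inputs: the subtype ACI from the commit message, and a plain
# ACI (no ';' inside the bind rule) that both patterns must keep accepting.
SUBTYPE_ACI = ('(targetattr="ipaProtectedOperation;read_keys")'
               '(version 3.0; acl "Allow trust agents to retrieve '
               'keytab keys for cross realm principals"; allow(read) '
               'userattr="ipaAllowedToPerform;read_keys#GROUPDN";)')
PLAIN_ACI = ('(targetattr != "aci || userPassword")'
             '(version 3.0; acl "Account Admins can manage Users"; '
             'allow (add, delete, read, write) '
             'groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=test";)')


def parse_aci(aci, pattern):
    """Return (name, permission, [targets], bind_rule), or None when the
    pattern rejects the ACI the way the old one rejected subtypes."""
    m = pattern.search(aci)
    if m is None:
        return None
    name, rest = m.group(1), m.group(2)
    p = PERMPAT.match(rest)
    if p is None:
        return None
    perm, targets, bind = p.groups()
    return name, perm, [t.strip() for t in targets.split(',')], bind.strip()


if __name__ == '__main__':
    # The old pattern's [^;]* stops at the ';' inside the subtype and the
    # trailing ';\s*\)' then fails, so the whole ACI is rejected.
    print('old pattern on subtype ACI:', parse_aci(SUBTYPE_ACI, OLD_ACIPAT))
    # The new greedy (.*) backtracks to the final ';)' and keeps the bind rule.
    print('new pattern on subtype ACI:', parse_aci(SUBTYPE_ACI, NEW_ACIPAT))
    print('both agree on plain ACI:',
          parse_aci(PLAIN_ACI, OLD_ACIPAT) == parse_aci(PLAIN_ACI, NEW_ACIPAT))
```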
Rob Crittenden 2018-05-02 16:14:56 -04:00 committed by Tibor Dudlák
parent 00ddb5dd53
commit 036d51d514
GPG Key ID: 12B8BD343576CDF5
2 changed files with 14 additions and 1 deletions


@ -25,7 +25,8 @@ import six
# The Python re module doesn't do nested parenthesis
# Break the ACI into 3 pieces: target, name, permissions/bind_rules
ACIPat = re.compile(r'\(version\s+3.0\s*;\s*ac[li]\s+\"([^\"]*)\"\s*;\s*([^;]*);\s*\)', re.UNICODE)
ACIPat = re.compile(r'\(version\s+3.0\s*;\s*ac[li]\s+\"([^\"]*)\"\s*;'
r'\s*(.*);\s*\)', re.UNICODE)
# Break the permissions/bind_rules out
PermPat = re.compile(r'(\w+)\s*\(([^()]*)\)\s*(.*)', re.UNICODE)
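Review bot: replacing `([^;]*)` with `(.*)` in the second group deliberately admits semicolons, but it also changes one thing the old class did: `.` without re.DOTALL does not match a newline, whereas `[^;]*` did. If an ACI value can ever span lines, use `re.DOTALL` or `[\s\S]*` here. The comment above the pattern should also say that the group is intentionally greedy and relies on the final `;\s*\)` terminator, so that subtype bind rules such as `userattr="ipaAllowedToPerform;read_keys#GROUPDN"` are captured whole; otherwise the next reader may "tighten" it back to a non-greedy or semicolon-free class and reintroduce the parse failure.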


@ -162,3 +162,15 @@ def test_aci_parsing_8():
def test_aci_parsing_9():
check_aci_parsing('(targetfilter = "(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup))")(targetattr != "aci || userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add, delete, read, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=greyoak,dc=com";)',
'(targetattr != "aci || userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(targetfilter = "(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup))")(version 3.0;acl "Account Admins can manage Users and Groups";allow (add,delete,read,write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=greyoak,dc=com";)')
def test_aci_parsing_10():
"""test subtypes"""
check_aci_parsing('(targetattr="ipaProtectedOperation;read_keys")'
'(version 3.0; acl "Allow trust agents to retrieve '
'keytab keys for cross realm principals"; allow(read) '
'userattr="ipaAllowedToPerform;read_keys#GROUPDN";)',
'(targetattr = "ipaProtectedOperation;read || keys")'
'(version 3.0;acl "Allow trust agents to retrieve '
'keytab keys for cross realm principals";allow (read) '
'userattr = "ipaAllowedToPerform;read_keys#GROUPDN";)')
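Review bot: the expected string in the second argument reads `(targetattr = "ipaProtectedOperation;read || keys")`, so the targetattr subtype `read_keys` from the input comes back split into two attributes, `read` and `keys`. This test therefore locks in a lossy round-trip of targetattr subtypes that this change does not address; either make the targetattr splitting keep `read_keys` intact and update the expected string, or state in the docstring that only the `userattr` bind-rule case is covered here. The one-word docstring `"""test subtypes"""` would also benefit from naming the issue (https://pagure.io/freeipa/issue/6760) so the reason for the test survives.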