From 036d51d5143a142e6a3070e6328a7bcd9b2125f0 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Wed, 2 May 2018 16:14:56 -0400
Subject: [PATCH] Handle subyptes in ACIs

While enabling console output in the server installation the "Allow trust agents to retrieve keytab keys for cross realm principals" ACI was throwing an unparseable error because it has a subkey which broke parsing (the extra semi-colon):

userattr="ipaAllowedToPerform;read_keys#GROUPDN";

The regular expression pattern needed to be updated to handle this case.

Related: https://pagure.io/freeipa/issue/6760

Signed-off-by: Rob Crittenden
Reviewed-By: Stanislav Laznicka
Reviewed-By: Christian Heimes
---
 ipalib/aci.py | 3 ++-
 ipatests/test_ipalib/test_aci.py | 12 ++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/ipalib/aci.py b/ipalib/aci.py
index 38cc12642..a207024f6 100755
--- a/ipalib/aci.py
+++ b/ipalib/aci.py
@@ -25,7 +25,8 @@ import six
 # The Python re module doesn't do nested parenthesis
 # Break the ACI into 3 pieces: target, name, permissions/bind_rules
-ACIPat = re.compile(r'\(version\s+3.0\s*;\s*ac[li]\s+\"([^\"]*)\"\s*;\s*([^;]*);\s*\)', re.UNICODE)
+ACIPat = re.compile(r'\(version\s+3.0\s*;\s*ac[li]\s+\"([^\"]*)\"\s*;'
+ r'\s*(.*);\s*\)', re.UNICODE)
 # Break the permissions/bind_rules out
 PermPat = re.compile(r'(\w+)\s*\(([^()]*)\)\s*(.*)', re.UNICODE)
diff --git a/ipatests/test_ipalib/test_aci.py b/ipatests/test_ipalib/test_aci.py
index 5ce23dbcc..9ddcc54b7 100644
--- a/ipatests/test_ipalib/test_aci.py
+++ b/ipatests/test_ipalib/test_aci.py
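Review bot: Replacing `([^;]*)` with `(.*)` in ACIPat makes the third group stop at a newline, because `re.UNICODE` alone does not enable DOTALL, so a multi-line ACI value that the old character class accepted now fails to match at all. The greedy `.*` also runs to the last `;\s*\)` in the input, which is harmless for a single ACI value but means any stray text between bind rules is silently swallowed into the group rather than rejected. A quote-aware class keeps the old newline tolerance and still accepts the `;` inside `userattr="ipaAllowedToPerform;read_keys#GROUPDN"`: `r'\s*((?:[^;"]|"[^"]*")*);\s*\)'`. If that turns out too strict for ACIs seen in the field, the minimal alternative is to add `re.DOTALL` to the flags so behaviour on multi-line values is unchanged.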
@@ -162,3 +162,15 @@ def test_aci_parsing_8():
 def test_aci_parsing_9():
 check_aci_parsing('(targetfilter = "(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup))")(targetattr != "aci || userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add, delete, read, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=greyoak,dc=com";)', '(targetattr != "aci || userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(targetfilter = "(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup))")(version 3.0;acl "Account Admins can manage Users and Groups";allow (add,delete,read,write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=greyoak,dc=com";)')
+
+
+def test_aci_parsing_10():
+ """test subtypes"""
+ check_aci_parsing('(targetattr="ipaProtectedOperation;read_keys")'
+ '(version 3.0; acl "Allow trust agents to retrieve '
+ 'keytab keys for cross realm principals"; allow(read) '
+ 'userattr="ipaAllowedToPerform;read_keys#GROUPDN";)',
+ '(targetattr = "ipaProtectedOperation;read || keys")'
+ '(version 3.0;acl "Allow trust agents to retrieve '
+ 'keytab keys for cross realm principals";allow (read) '
+ 'userattr = "ipaAllowedToPerform;read_keys#GROUPDN";)')
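Review bot: The expected output in test_aci_parsing_10 turns the targetattr `ipaProtectedOperation;read_keys` into `ipaProtectedOperation;read || keys`, which names a different attribute list than the input, so the test pins a round trip that does not preserve the subtype; presumably the targetattr tokenizer treats `_` as a separator, but that cannot be confirmed from this hunk. Unless that rewriting is intended, the expected string should read `'(targetattr = "ipaProtectedOperation;read_keys")'` and the tokenizer be fixed separately; if it is intended, a comment such as `# NOTE: targetattr subtypes are re-tokenized on output; only the bind rule is under test here` would stop the next reader from taking the mangled form as correct. The docstring `"""test subtypes"""` would also be more useful if it stated what is exercised, e.g. `"""A ';subtype' inside a quoted userattr bind rule must not break parsing."""`.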