Handle subyptes in ACIs

While enabling console output in the server installation the
"Allow trust agents to retrieve keytab keys for cross realm
principals" ACI was throwing an unparseable error because
it has a subkey which broke parsing (the extra semi-colon):

userattr="ipaAllowedToPerform;read_keys#GROUPDN";

The regular expression pattern needed to be updated to handle
this case.

Related: https://pagure.io/freeipa/issue/6760

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>

ipalib/aci.py

@@ -25,7 +25,8 @@ import six
 # The Python re module doesn't do nested parenthesis
 
 # Break the ACI into 3 pieces: target, name, permissions/bind_rules
-ACIPat = re.compile(r'\(version\s+3.0\s*;\s*ac[li]\s+\"([^\"]*)\"\s*;\s*([^;]*);\s*\)', re.UNICODE)
+ACIPat = re.compile(r'\(version\s+3.0\s*;\s*ac[li]\s+\"([^\"]*)\"\s*;'
+                    r'\s*(.*);\s*\)', re.UNICODE)
 
 # Break the permissions/bind_rules out
 PermPat = re.compile(r'(\w+)\s*\(([^()]*)\)\s*(.*)', re.UNICODE)