ACI plugin: correctly parse bind rules enclosed in parentheses

Since bind rule such as `(userdn = "ldap:///anyone")` is also a valid statement, the ipalib ACI parser was updated to handle this case. https://fedorahosted.org/freeipa/ticket/5037 Reviewed-By: Martin Basti <mbasti@redhat.com>
2025-01-26 16:16:31 -06:00 · 2015-07-23 15:45:35 +02:00 · 2015-07-23 15:45:35 +02:00 · a2ba937307
commit a2ba937307
parent f7dbaa6382
1 changed files with 6 additions and 2 deletions
--- a/ipalib/aci.py
+++ b/ipalib/aci.py
@ -26,10 +26,11 @@ import re
 ACIPat = re.compile(r'\(version\s+3.0\s*;\s*ac[li]\s+\"([^\"]*)\"\s*;\s*([^;]*);\s*\)', re.UNICODE)

 # Break the permissions/bind_rules out
-PermPat = re.compile(r'(\w+)\s*\((.*)\)\s+(.*)', re.UNICODE)
+PermPat = re.compile(r'(\w+)\s*\(([^()]*)\)\s*(.*)', re.UNICODE)

 # Break the bind rule out
-BindPat = re.compile(r'([a-zA-Z0-9;\.]+)\s*(\!?=)\s*(.*)', re.UNICODE)
+BindPat = re.compile(r'\(?([a-zA-Z0-9;\.]+)\s*(\!?=)\s*\"(.*)\"\)?',
+                     re.UNICODE)

 ACTIONS = ["allow", "deny"]

@ -193,6 +194,9 @@ class ACI:
        self.target['target']['operator'] = operator

    def set_bindrule(self, bindrule):
+        if bindrule.startswith('(') != bindrule.endswith(')'):
+            raise SyntaxError("non-matching parentheses in bindrule")
+
        match = BindPat.match(bindrule)
        if not match or len(match.groups()) < 3:
            raise SyntaxError, "malformed bind rule"