#4376 ACI parser doesn't parse ACIs correctly
Closed: wontfix 5 years ago Opened 9 years ago by pviktori.

e.g.

from ipalib.aci import ACI

acistr = '(targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the database readonly"; allow (write) userdn = "ldap:///anyone";)'

ACI(acistr)

gives:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "ipalib/aci.py", line 55, in __init__
    self._parse_acistr(acistr)
  File "ipalib/aci.py", line 139, in _parse_acistr
    self._parse_target(acistr[:vstart-1])
  File "ipalib/aci.py", line 119, in _parse_target
    raise SyntaxError('No end parenthesis in target, got %s' % end)
SyntaxError: No end parenthesis in target, got -

because the parser uses shlex, which considers "nsslapd-readonly" to be two tokens.

The ACI parser is now only used to convert old permissions, and in the selfservice & delegation plugins, so fixing this is probably not worth it.


I'll bet you just need to add - to lexer.wordchars.

That might work, until I try an ACI with unquoted targetattr:

(targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX";)

Yes, though this has a different cause. Python doesn't have a nice way to count parens, quotes, etc., which makes lexing pretty difficult.

Had to invoke the 80/20 rule, and given that the majority of the ACIs are generated via permission, it was good enough.
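As an added illustration, not code from FreeIPA or from anyone in this thread: the shlex behaviour behind the traceback above, beside a small quote- and parenthesis-aware splitter that copes with both ACIs quoted in this ticket (the constant and helper names are mine, not ipalib's).

```python
import re
import shlex

# The two ACI strings quoted in this ticket, embedded here as sample input.
ACI_HYPHEN = ('(targetattr=nsslapd-readonly)(version 3.0; acl "Allow marking the database '
              'readonly"; allow (write) userdn = "ldap:///anyone";)')
ACI_UNQUOTED = ('(targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;'
                'acl "permission:Modify DNA Range";allow (write) groupdn = '
                '"ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX";)')


def shlex_tokens(text, extra_wordchars=""):
    """Tokenise with shlex in its default (non-POSIX) mode, optionally widening wordchars.

    With the default wordchars '-' is not a word character, so 'nsslapd-readonly'
    comes back as three tokens; adding '-' keeps it whole.
    """
    lexer = shlex.shlex(text)
    lexer.wordchars += extra_wordchars
    return list(lexer)


def split_targets(acistr):
    """Split an ACI into its target clauses and the 'version 3.0; ...' body.

    Walks the string once, tracking double quotes and parenthesis depth, so a
    hyphen or an unquoted 'a || b' list inside a target does not break the split.
    Returns (list of target clauses without outer parens, version body).
    """
    targets, depth, in_quote, start = [], 0, False, None
    for i, ch in enumerate(acistr):
        if ch == '"':
            in_quote = not in_quote          # quotes may contain parens, e.g. in DNs
        elif in_quote:
            continue
        elif ch == '(':
            if depth == 0:
                start = i
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth == 0:                   # a complete top-level clause
                clause = acistr[start + 1:i]
                if clause.lstrip().startswith('version '):
                    return targets, clause
                targets.append(clause)
    raise SyntaxError('unbalanced parentheses or missing version clause')


def parse_target(clause):
    """Parse 'keyword = v1 || v2' into (keyword, operator, [values]), stripping quotes."""
    m = re.match(r'\s*(\w+)\s*(!?=)\s*(.*?)\s*$', clause)
    if not m:
        raise SyntaxError('bad target clause: %r' % clause)
    keyword, op, rhs = m.groups()
    return keyword, op, [v.strip() for v in rhs.strip('"').split('||')]
```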

As stated at the triage meeting, if someone did such an exotic modification by ldapmodify, FreeIPA (the permission-find command) would be broken already.

The risk is thus small and we do not plan to fix it in 4.0. Thus moving to Deferred.

Workaround pushed for FreeIPA 4.0 release:

master:

  • fdef2e1 permission plugin: Ignore unparseable ACIs

Metadata Update from @pviktori:
- Issue assigned to someone
- Issue set to the milestone: Tickets Deferred

7 years ago

Thank you for taking the time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.

Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

5 years ago
