[389-devel] [lib389] Review only, aci parsing utilities

William Brown william at blackhats.net.au
Mon Aug 24 02:09:13 UTC 2015


On Thu, 2015-08-20 at 13:29 +0930, William Brown wrote:
> On Wed, 2015-08-19 at 11:35 -0400, Mark Reynolds wrote:
> > Hi William,
> > 
> > Still reviewing your patch, but I noticed that you are missing 
> > "authmethod" from your ACI class keys, as well as "ip", "dns", 
> > "userattr", and perhaps others.
> 
> 
> Quite likely I have missed some. I'll add these and review the documents you
> referenced to see if there are more. 

Here is an updated patch for review. It's still not complete, but I welcome
comments and suggestions.

It can now parse all the bind rule types as you previously mentioned.

It can also parse an aci such as:

(targetattr !="cn || sn || uid")(targetfilter ="(ou=Product
Development)")(version 3.0;acl "Engineering Group Permissions";allow
(write)(groupdn = "ldap:///cn=PD Managers,ou=groups,dc=example,dc=com");)

Turn it into a set of dictionaries:

---------
dayofweek : []
allow : [{'values': ['write']}]
dns : []
target : []
targetattr : [{'values': ['cn', 'sn', 'uid'], 'equal': False}]
targattrfilters : []
authmethod : []
userattr : []
userdn : []
acl : [{'values': ['Engineering Group Permissions']}]
targetattrfilters : []
version 3.0; : []
targetfilter : [{'values': ['(ou=Product Development)'], 'equal': True}]
targetscope : []
ip : []
roledn : []
timeofday : []
groupdn : [{'values': ['cn=PD Managers,ou=groups,dc=example,dc=com'], 'equal': True}]

Then use this to re-create acis:

(targetfilter ="(ou=Product Development)")(targetattr !="cn || sn ||
uid")(version 3.0; acl "Engineering Group Permissions";allow (write)(groupdn
="ldap:///cn=PD Managers,ou=groups,dc=example,dc=com");)

This means we can edit the contents of the EntryAci, then potentially save this
back to LDAP.

Right now, complex bind rules won't work (i.e. anything with and, or, not) and
certain ldap urls in userdn, roledn, and groupdn with filters in them may not
parse correctly.

I still need to add more complex tests also.

Finally, there are likely some code clean ups and clarity improvements to make.

I can see this being useful for:

* Programmatic updates of acis in systems.
* Ability to automatically invert acis (turn != into = targetattr acis).
* Be able to write better unit tests regarding aci functionality.
* Easily able to discover acis.
* Autogenerated tests can take advantage of this, so we could make randomised /
complex acis easily.

Sincerely,

-- 
William Brown <william at blackhats.net.au>
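To make the parse / rebuild round trip discussed above concrete, here is a
small stand-alone parser for the same ACI shape. This is an added example
written for this page, not the attached patch and not lib389's EntryAci API:
the dictionary layout (targets / name / rules), the function names and the
second sample ACI are my own assumptions. It deliberately keeps the patch's
stated limitation (one simple bind rule per permission clause; and/or/not
raise ValueError) and keeps the ldap:/// prefix on DN values so the rebuilt
string is lossless.

```python
"""Toy ACI parser / serialiser (added example, not lib389 code)."""
import re

# Keywords from the 389-ds ACI syntax. LIST_KEYS are '||'-separated.
TARGET_KEYS = {"target", "targetattr", "targetfilter", "targetscope", "targattrfilters"}
BIND_KEYS = {"userdn", "groupdn", "roledn", "userattr", "ip", "dns",
             "dayofweek", "timeofday", "authmethod"}
LIST_KEYS = {"targetattr", "userdn", "groupdn", "roledn"}
PERMISSIONS = {"read", "write", "add", "delete", "search", "compare",
               "selfwrite", "proxy", "all"}

_TARGET_RE = re.compile(r'\(\s*(\w+)\s*(!?=)\s*(?=")')
_BODY_RE = re.compile(r'\(\s*version\s+3\.0\s*;\s*acl\s*"([^"]*)"\s*;')
_PERM_RE = re.compile(r'\s*(allow|deny)\s*\(([^)]*)\)\s*')
_BIND_RE = re.compile(r'\s*(\w+)\s*(!?=)\s*(?=")')

# ACI taken from the message above; the second one is constructed for the demo.
EXAMPLE_ACI = ('(targetattr !="cn || sn || uid")(targetfilter ="(ou=Product '
               'Development)")(version 3.0;acl "Engineering Group Permissions";allow '
               '(write)(groupdn = "ldap:///cn=PD Managers,ou=groups,dc=example,dc=com");)')
SELF_PW_ACI = ('(targetattr ="userPassword")(version 3.0; acl "Self password change";'
               ' allow (write) userdn = "ldap:///self";)')


def _read_quoted(s, i):
    """Return (value, index after closing quote); s[i] must be '"'."""
    if not s.startswith('"', i):
        raise ValueError("expected opening quote at %d" % i)
    j = s.index('"', i + 1)          # raises ValueError if unterminated
    return s[i + 1:j], j + 1


def _skip_ws(s, i):
    while i < len(s) and s[i].isspace():
        i += 1
    return i


def _values(key, raw):
    return [v.strip() for v in raw.split("||")] if key in LIST_KEYS else [raw.strip()]


def parse_aci(aci):
    """Parse '(target...)(version 3.0; acl "name"; allow/deny (perms) bindrule; ...)'."""
    s, i, targets, rules = aci.strip(), 0, [], []
    # Target rules: every leading parenthesised group up to the version clause.
    while s.startswith("(", i) and not _BODY_RE.match(s, i):
        m = _TARGET_RE.match(s, i)
        if not m or m.group(1) not in TARGET_KEYS:
            raise ValueError("bad target rule at %d: %r" % (i, s[i:i + 20]))
        value, i = _read_quoted(s, m.end())
        if not s.startswith(")", i):
            raise ValueError("unterminated target rule at %d" % i)
        i += 1
        targets.append({"key": m.group(1), "equal": m.group(2) == "=",
                        "values": _values(m.group(1), value)})
    m = _BODY_RE.match(s, i)
    if not m:
        raise ValueError("missing '(version 3.0; acl \"...\";' at %d" % i)
    name, i = m.group(1), m.end()
    # Permission clauses, each 'allow|deny (perms) [(]key op "value"[)];'.
    while True:
        i = _skip_ws(s, i)
        if s.startswith(")", i):
            break
        m = _PERM_RE.match(s, i)
        if not m:
            raise ValueError("bad permission clause at %d" % i)
        access, perms, i = m.group(1), [p.strip() for p in m.group(2).split(",")], m.end()
        if not set(perms) <= PERMISSIONS:
            raise ValueError("unknown permission in %r" % perms)
        paren = s.startswith("(", i)
        i += 1 if paren else 0
        m = _BIND_RE.match(s, i)
        if not m or m.group(1) not in BIND_KEYS:
            raise ValueError("unsupported or complex bind rule at %d: %r" % (i, s[i:i + 20]))
        value, i = _read_quoted(s, m.end())
        i = _skip_ws(s, i)
        if paren:
            if not s.startswith(")", i):
                raise ValueError("unterminated bind rule at %d" % i)
            i = _skip_ws(s, i + 1)
        if not s.startswith(";", i):   # 'and'/'or' would appear here
            raise ValueError("complex bind rules (and/or/not) are not supported, at %d" % i)
        i += 1
        rules.append({"access": access, "permissions": perms,
                      "bind": {"key": m.group(1), "equal": m.group(2) == "=",
                               "values": _values(m.group(1), value)}})
    return {"targets": targets, "name": name, "rules": rules}


def build_aci(parsed):
    """Serialise the dict back into an ACI string that parse_aci accepts."""
    op = lambda d: "=" if d["equal"] else "!="
    out = ['(%s %s"%s")' % (t["key"], op(t), " || ".join(t["values"])) for t in parsed["targets"]]
    clauses = ['%s (%s)(%s %s"%s");' % (r["access"], ",".join(r["permissions"]), r["bind"]["key"],
                                        op(r["bind"]), " || ".join(r["bind"]["values"]))
               for r in parsed["rules"]]
    return "".join(out) + '(version 3.0; acl "%s";%s)' % (parsed["name"], "".join(clauses))


if __name__ == "__main__":
    for aci in (EXAMPLE_ACI, SELF_PW_ACI):
        parsed = parse_aci(aci)
        for k, v in parsed.items():
            print("%s : %r" % (k, v))
        print(build_aci(parsed))
        assert parse_aci(build_aci(parsed)) == parsed
```

Usage: `python aci_toy.py` prints the dictionary for each sample and the
rebuilt string, and checks that re-parsing the rebuilt string gives the same
dictionary, which is the property you want before writing an edited ACI back
to the directory.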
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-aci-parsing-utilities-which-will-return-an-Entry.patch
Type: text/x-patch
Size: 14623 bytes
Desc: not available
URL: <http://lists.fedoraproject.org/pipermail/389-devel/attachments/20150824/a9660371/attachment.bin>

