a

}�f+�@sddd
lZdd
l
Z
dd
lZe
�de
j�Ze
�de
j�Ze
�de
j�ZddgZgd�
Z	Gdd	�d	�Z
d
S)
�Nz<\(version\s+3.0\s*;\s*ac[li]\s+\"([^\"]*)\"\s*;\s*(.*);\s*\)z(\w+)\s*\(([^()]*)\)\s*(.*)z+\(?([a-zA-Z0-9;\.]+)\s*(\!?=)\s*\"(.*)\"\)?�allowZdeny)	�read�write�add�delete�searchZcompareZ	selfwrite�proxy�allc@s�eZ
dZd
ZdZd*dd�
Zdd�Zdd�Zd	d
�Zdd�Z	d
d�Z
dd�Zdd�Zdd�Z
dd�Zd+dd�
Zd,dd�
Zd-dd�
Zdd�Zd d!�Zd"d#�Zd$d%�Zd&d'�ZeZd(d)�ZdS).�ACIz�
    Holds the basic data for an ACI entry, as stored in the cn=accounts
    entry in LDAP.  Has methods to parse an ACI string and export to an
    ACI String.
    NcCsHd|_d|_
d|_|
|_i|_d
|_dg
|_i|_|
du
rD|�|
�

dS)Nrr)	�name�source_group�
dest_groupZorig_acistr�target�action�permissions�bindrule�
_parse_acistr)�self�acistr�r�./usr/lib/python3.9/site-packages/ipalib/aci.py�__init__4s









zACI.__init__cCs:|
d
kr|jS|
dkr|j
S|
dkr*|jStd|
�
�
dS)z*Fake getting attributes by key for sortingr
�
�zUnknown key value %sN)rrr
�	TypeError)r�keyrrr�__getitem__@s





zACI.__getitem__c

Cs|��S)
zAn alias for export_to_string())
�export_to_string)
rrrr�__repr__JszACI.__repr__c
	Cs�|��
d
}
t
|j���
D]~\}}|d}t|d�
ttfvr�d
}|�|d�
D]}||d}qP|dd�}|
d|||f}
q|
d|||df}
q|
d|j|j	d	�
|j�
|jd
|jd|jdfd}
|
S)z/Output a Directory Server-compatible ACI string��operator�
expressionz || N���z(%s %s "%s")z((version 3.0;acl "%s";%s (%s) %s %s "%s"�
,�keywordz;))
�validate�sortedr�items�type�tuple�list�_unique_listrr�joinrr)r�aci�
t�
v�opr�
lrrrrNs









:
zACI.export_to_stringcCs$g}|
D]}||v
r|�|�

q|S)
a

        A set() doesn't maintain order so make a list unique ourselves.

        The number of entries in our lists are always going to be
        relatively low and this code will be called infrequently
        anyway so the overhead will be small.
        )
�append)rr1�unique�itemrrrr+_s




zACI._unique_listcCs0|
�d
�
r|
dd�}
|
�
d
�
r,|
dd�}
|
S)N�
"r���)�
startswith�endswith)r�
srrr�_remove_quotesms






zACI._remove_quotesc
Cs
tj
r|
�d
�
}
t�|
�
}|jd|_d}d}|D]�}|dkr�t|�
��}t|�
}|dv
rz|t|�
}|dv
rztd|�
�
|}t|�
��}|�|�
}t|�
}|dkr�td	|�
�
|d
kr�t	�
d|�}	i|j|<||j|d<|	|j|d
<q2i|j|<||j|d<||j|d
<q2dS)Nzutf-8�
.F�
=�
()r<z!=zNo operator in target, got '%s'�
)z$No end parenthesis in target, got %s�
targetattrz[^a-zA-Z0-9;\*]+r r!)�sixZPY2�encode�shlexZ	wordchars�next�strip�SyntaxErrorr:�re�splitr)
rr-Zlexer�varr0�tokenr �val�endr.rrr�
_parse_targetus8


























zACI._parse_targetcCs�|
�d
�
}|dkrt
d|
�
�
t�|
|dd��
}|rHt|���
dkrTt
d|
�
�
|�|
d|d��

|�d�
|_t	�|�d�
�
}|r�t|���
dkr�t
d|
�
�
|�d�
|_
|�|�d�
�d	d
��
d�
�
|_|�|�d�
�

dS)Nzversion 3.0r
z(malformed ACI, unable to find version %srrz8malformed ACI, match for version and bind rule failed %s�z*malformed ACI, permissions match failed %s�
 rr#)�findrE�ACIPat�match�len�groupsrL�groupr�PermPatrr+�replacerGr�set_bindrule)rrZvstartZacimatchZ	bindpermsrrrr�s 














�zACI._parse_acistrc
Cs�t|j
�
ttfv
rtd
�
�
|j
D]}
|
��tv
r td|
�
�
q |jsLtd�
�
t|jt	�s`td�
�
t|j
t�rzt|j
�
dkr�td�
�
t|j
t�s�td�
�
|j
�d�
r�|j
�d	�
r�|j
�d
�
s�td�
�
dS)
zyDo some basic verification that this will produce a
           valid LDAP ACI.

           returns True if valid
        zpermissions must be a listzinvalid permission: '%s'zname must be setzname must be a stringr
z%target must be a non-empty dictionaryzbindrule must be a dictionaryr r$r!zbindrule is missing a componentT)r(rr)r*rE�lower�PERMISSIONSr�
isinstance�strr�dictrRr�get)r�
prrrr%�s 













$

zACI.validatecCs&t|
�
t
tfv
r|
g
}
|�|
�
|_dS�
N)r(r)r*r+r)rrrrr�set_permissions�s


zACI.set_permissionsr<cCs@i|jd
<|
�
d�
s d|
d}
|
|jd
d<||jd
d<dS)N�targetfilterr=r>r!r )rr7)r�filterr rrr�set_target_filter�s







zACI.set_target_filtercCs`|
sd
|jvr|jd
=dSt
|
�
ttfv
r0|
g
}
i|jd
<|�|
�
|jd
d<||jd
d<dS)Nr?r!r )rr(r)r*r+)r�attrr rrr�set_target_attr�s










zACI.set_target_attrcCs8|
�d
�
sJ�
i|j
d<|
|j
dd<||j
dd<dS)Nzldap:///rr!r )r7r)rrr rrr�
set_target�s




zACI.set_targetcCs~|
�d
�
|
�
d�
krtd�
�
t�|
�
}|r:t|���
dkrBtd�
�
|�|�d�
�

|�	|�d�
�

|�
|�d�
�dd	��

dS)
Nr=r>z$non-matching parentheses in bindrulerMzmalformed bind rulerrr5r)r7r8rE�BindPatrQrRrS�set_bindrule_keywordrT�set_bindrule_operator�set_bindrule_expressionrV)rrrQrrrrW�s







zACI.set_bindrulecCs|
|jd
<dS)Nr$�
r)rr$rrrrh�s
zACI.set_bindrule_keywordcCs|
|jd
<dS)Nr rk)rr rrrri�s
zACI.set_bindrule_operatorcCs|
|jd
<dS)Nr!rk)rr!rrrrj�s
zACI.set_bindrule_expressioncCs�
t|
t
�sJ�
�
z�|j��|
j��kr,Wd
St|j�
t|
j�
krFWd
S|j�d�
|
j�d�
krdWd
S|j�d�
|
j�d�
kr�Wd
S|j�d�
|
j�d�
kr�Wd
S|j�di��d�
|
j�di��d�
kr�Wd
S|j�di��d�
|
j�di��d�
kr�Wd
St|j�di��dd��
t|
j�di��dd��
k�
r8Wd
S|j�di��d�
|
j�di��d�
k�
rhWd
S|j�di��d�
|
j�di��d�
k�
r�Wd
S|j�di��d�
|
j�di��d�
k�
r�Wd
SWnt	�
y�


Yd
S0d	S)
z�
        Compare the current ACI to another one to see if they are
        the same.

        returns True if equal, False if not.
        Fr$r r!rar?rrT)
rZr
rrX�setrrr]r�	Exception�r�
brrr�isequal�s6








(

(
6

*
*

*

zACI.isequalcCs
||
kSr_rrnrrr�__ne__!
s
z
ACI.__ne__)
N)
r<)
r<)
r<)�__name__�
__module__�__qualname__�__doc__�__hash__rrrrr+r:rLrr%r`rcrerfrWrhrirjrp�__eq__rqrrrrr
,s,


$


,r
)rBrFr@�compile�UNICODErPrUrgZACTIONSrYr
rrrr�<module>s

�
�