From 273787f2cf48fab8e01b466853b36ce9937ad515 Mon Sep 17 00:00:00 2001 From: Lukas Oyen Date: Tue, 24 Jan 2017 12:55:54 +0100 Subject: [PATCH] Bug #32086: s4-connector: escape ignore_filters in mapping.py --- .../etc/univention/s4connector/s4/mapping.py | 72 +++++++++------------- .../modules/univention/s4connector/s4/mapping.py | 37 +++++++++++ 2 files changed, 66 insertions(+), 43 deletions(-) diff --git a/services/univention-s4-connector/conffiles/etc/univention/s4connector/s4/mapping.py b/services/univention-s4-connector/conffiles/etc/univention/s4connector/s4/mapping.py index ff74ffd..8932cfb 100644 --- a/services/univention-s4-connector/conffiles/etc/univention/s4connector/s4/mapping.py +++ b/services/univention-s4-connector/conffiles/etc/univention/s4connector/s4/mapping.py @@ -40,6 +40,7 @@ import univention.s4connector.s4.dc import univention.s4connector.s4.computer @!@ + global_ignore_subtree=['cn=univention,@%@ldap/base@%@','cn=policies,@%@ldap/base@%@', 'cn=shares,@%@ldap/base@%@','cn=printers,@%@ldap/base@%@', 'cn=networks,@%@ldap/base@%@', 'cn=kerberos,@%@ldap/base@%@', @@ -102,12 +103,10 @@ else: con_search_filter='(&(objectClass=user)(!(objectClass=computer))(userAccountControl:1.2.840.113556.1.4.803:=512))', match_filter='(&(|(&(objectClass=posixAccount)(objectClass=krb5Principal))(objectClass=user))(!(objectClass=univentionHost)))', @!@ -ignore_filter = '' -for user in configRegistry.get('connector/s4/mapping/user/ignorelist', '').split(','): - if user: - ignore_filter += '(uid=%s)(CN=%s)' % (user, user) +from univention.s4connector.s4.mapping import ignore_filter_parts_from_tmpl +ignore_filter = ignore_filter_parts_from_tmpl('(uid={0!e})(CN={0!e})', 'connector/s4/mapping/user/ignorelist') if ignore_filter: - print " ignore_filter='(|%s)'," % ignore_filter + print " ignore_filter='%s'," % ignore_filter @!@ ignore_subtree = global_ignore_subtree, 
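Review bot: The escaped filter in the user hunk is still written into the generated mapping inside a plain single-quoted Python literal, via `print " ignore_filter='%s'," % ignore_filter`. `format_escaped` is not shown here, so this assumes `{0!e}` produces RFC 4515 backslash-hex escapes; if it does, sequences such as `\28` or `\5c` are reinterpreted as Python string escapes when the generated file is loaded, and the filter no longer matches what was configured. A `'` in an ignorelist value would also still end the literal early, because LDAP filter escaping does not cover it. Emitting the value with `%r` keeps both layers intact: `print " ignore_filter=%r," % ignore_filter` (leading whitespace as in the file). The same print line appears in the group, dc, windowscomputer, container and ou hunks.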
@@ -313,13 +312,12 @@ else: scope='sub', @!@ -ignore_filter = '' +from univention.s4connector.s4.mapping import ignore_filter_parts_from_attr +ignore_filter = ignore_filter_parts_from_attr('cn', 'connector/s4/mapping/group/ignorelist') if configRegistry.is_false('connector/s4/mapping/group/grouptype', False): - ignore_filter += '(sambaGroupType=5)(groupType=5)' -for group in configRegistry.get('connector/s4/mapping/group/ignorelist', '').split(','): - if group: - ignore_filter += '(cn=%s)' % (group) -print " ignore_filter='(|%s)'," % ignore_filter + ignore_filter = '(|{}{})'.format('(sambaGroupType=5)(groupType=5)', ignore_filter) +if ignore_filter: + print " ignore_filter='%s'," % ignore_filter @!@ ignore_subtree = global_ignore_subtree, @@ -431,12 +429,10 @@ if group_map: # and this subobject would avoid a deletion of this DC in S4 con_subtree_delete_objects = [ 'cn=rid set' ], @!@ -ignore_filter = '' -for dc in configRegistry.get('connector/s4/mapping/dc/ignorelist', '').split(','): - if dc: - ignore_filter += '(cn=%s)' % (dc) +from univention.s4connector.s4.mapping import ignore_filter_parts_from_attr +ignore_filter = ignore_filter_parts_from_attr('cn', 'connector/s4/mapping/dc/ignorelist') if ignore_filter: - print " ignore_filter='(|%s)'," % ignore_filter + print " ignore_filter='%s'," % ignore_filter @!@ @!@ @@ -533,12 +529,10 @@ else: ignore_subtree = global_ignore_subtree, @!@ -ignore_filter = '' -for computer in configRegistry.get('connector/s4/mapping/windowscomputer/ignorelist', '').split(','): - if computer: - ignore_filter += '(cn=%s)' % (computer) +from univention.s4connector.s4.mapping import ignore_filter_parts_from_attr +ignore_filter = ignore_filter_parts_from_attr('cn', 'connector/s4/mapping/windowscomputer/ignorelist') if ignore_filter: - print " ignore_filter='(|%s)'," % ignore_filter + print " ignore_filter='%s'," % ignore_filter @!@ con_create_objectclass=['top', 'computer' ], 
@@ -653,12 +647,10 @@ if ignore_filter: print dns_section +from univention.s4connector.s4.mapping import ignore_filter_parts_from_attr if configRegistry.is_true('connector/s4/mapping/gpo', True): - ignore_filter = '' - for gpo in configRegistry.get('connector/s4/mapping/gpo/ignorelist', '').split(','): - if gpo: - ignore_filter += '(cn=%s)' % (gpo) + ignore_filter = ignore_filter_parts_from_attr('cn', 'connector/s4/mapping/gpo/ignorelist') if configRegistry.get('connector/s4/mapping/ou/syncmode'): sync_mode_ou=configRegistry.get('connector/s4/mapping/ou/syncmode') else: @@ -772,11 +764,10 @@ if configRegistry.is_true('connector/s4/mapping/gpo', True): ''' print section +from univention.s4connector.s4.mapping import ignore_filter_parts_from_attr + if configRegistry.is_true('connector/s4/mapping/wmifilter', False): - ignore_filter = '' - for wmifilter in configRegistry.get('connector/s4/mapping/wmifilter/ignorelist', '').split(','): - if wmifilter: - ignore_filter += '(cn=%s)' % (wmifilter) + ignore_filter = ignore_filter_parts_from_attr('cn', 'connector/s4/mapping/wmifilter/ignorelist') if configRegistry.get('connector/s4/mapping/ou/syncmode'): sync_mode_ou=configRegistry.get('connector/s4/mapping/ou/syncmode') else: @@ -901,11 +892,10 @@ if configRegistry.is_true('connector/s4/mapping/wmifilter', False): ), ''' % {'ignore_filter': ignore_filter, 'sync_mode_ou': sync_mode_ou} +from univention.s4connector.s4.mapping import ignore_filter_parts_from_attr + if configRegistry.is_true('connector/s4/mapping/msprintconnectionpolicy', False): - ignore_filter = '' - for cfilter in configRegistry.get('connector/s4/mapping/msprintconnectionpolicy/ignorelist', '').split(','): - if cfilter: - ignore_filter += '(cn=%s)' % (cfilter) + ignore_filter = ignore_filter_parts_from_attr('cn', 'connector/s4/mapping/msprintconnectionpolicy/ignorelist') if configRegistry.get('connector/s4/mapping/ou/syncmode'): sync_mode_ou=configRegistry.get('connector/s4/mapping/ou/syncmode') else: 
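Review bot: In the gpo hunk `ignore_filter` now reaches the section template as a finished `(|…)` expression, or as an empty string when the ignorelist is empty, instead of the bare `(cn=…)` parts the old loop built. The template line that interpolates it is outside the hunk and is not touched by this commit, so check that it does not add its own `(|…)` wrapper and that an empty value does not produce an empty or malformed `ignore_filter`. The wmifilter and msprintconnectionpolicy hunks have the same shape. If the template places the value inside a quoted literal, `%(ignore_filter)r` would keep the backslash escapes from being reinterpreted when the generated file is loaded.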
@@ -984,12 +974,10 @@ else: con_search_filter='(&(|(objectClass=container)(objectClass=builtinDomain))(!(objectClass=groupPolicyContainer)))', # builtinDomain is cn=builtin (with group cn=Administrators) @!@ -ignore_filter = '' -for cn in configRegistry.get('connector/s4/mapping/container/ignorelist', 'mail,kerberos,MicrosoftDNS').split(','): - if cn: - ignore_filter += '(cn=%s)' % (cn) +from univention.s4connector.s4.mapping import ignore_filter_parts_from_attr +ignore_filter = ignore_filter_parts_from_attr('cn', 'connector/s4/mapping/container/ignorelist', 'mail,kerberos,MicrosoftDNS') if ignore_filter: - print " ignore_filter='(|%s)'," % ignore_filter + print " ignore_filter='%s'," % ignore_filter @!@ ignore_subtree = global_ignore_subtree, @@ -1041,12 +1029,10 @@ else: con_search_filter='objectClass=organizationalUnit', @!@ -ignore_filter = '' -for ou in configRegistry.get('connector/s4/mapping/ou/ignorelist', '').split(','): - if ou: - ignore_filter += '(ou=%s)' % (ou) +from univention.s4connector.s4.mapping import ignore_filter_parts_from_attr +ignore_filter = ignore_filter_parts_from_attr('ou', 'connector/s4/mapping/ou/ignorelist') if ignore_filter: - print " ignore_filter='(|%s)'," % ignore_filter + print " ignore_filter='%s'," % ignore_filter @!@ ignore_subtree = global_ignore_subtree, diff --git a/services/univention-s4-connector/modules/univention/s4connector/s4/mapping.py b/services/univention-s4-connector/modules/univention/s4connector/s4/mapping.py index 437db91..307a101 100644 --- a/services/univention-s4-connector/modules/univention/s4connector/s4/mapping.py +++ b/services/univention-s4-connector/modules/univention/s4connector/s4/mapping.py 
@@ -36,10 +36,47 @@ import univention.config_registry as ucr import univention.debug2 as ud import univention.s4connector.s4 +from univention.s4connector.s4 import format_escaped + configRegistry = ucr.ConfigRegistry() configRegistry.load() +def ignore_filter_parts_from_tmpl(template, ucr_key, default=''): + """ + Construct an `ignore_filter` from a `ucr_key` + (`connector/s4/mapping/*/ignorelist`, a comma delimited list of values), as + specified by `template` while correctly escaping the filter-expression. + + `template` must be formatted as required by `format_escaped`. + + >>> ignore_filter_parts_from_tmpl('(cn={0!e})', + ... 'connector/s4/mapping/nonexistend/ignorelist', + ... 'one,two,three') + '(|(cn=one)(cn=two)(cn=three))' + """ + variables = [v for v in configRegistry.get(ucr_key, default).split(',') if v] + filter_parts = [format_escaped(template, v) for v in variables] + if filter_parts: + return '(|{})'.format(''.join(filter_parts)) + return '' + + +def ignore_filter_parts_from_attr(attribute, ucr_key, default=''): + """ + Convenience-wrapper arround `ignore_filter_from_tmpl()`. + + This expects a single `attribute` instead of a `template` argument. + + >>> ignore_filter_parts_from_attr('cn', + ... 'connector/s4/mapping/nonexistend/ignorelist', + ... 'one,two,three') + '(|(cn=one)(cn=two)(cn=three))' + """ + template = '({}={{0!e}})'.format(attribute) + return ignore_filter_parts_from_tmpl(template, ucr_key, default) + + def ucs2s4_sid(s4connector, key, object): _d = ud.function('mapping.ucs2s4_sid -- not implemented') -- 2.7.4
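Review bot: The docstring of `ignore_filter_parts_from_attr` refers to `ignore_filter_from_tmpl()`, which does not exist in this hunk; it should name `ignore_filter_parts_from_tmpl()` (and "arround" should read "around"). Both function names say "parts" although they return a complete `(|…)` filter or `''`, which the docstrings should state because callers such as the group section wrap the result again. Only the list values pass through `format_escaped`; `attribute` is formatted into the template unescaped, so the docstring should say it must be a fixed attribute name from code, never a configured value. Entries are also not stripped, so a value of `a, b` yields `(cn= b)` and silently ignores nothing for `b`; if surrounding spaces are never intended, `[v.strip() for v in configRegistry.get(ucr_key, default).split(',') if v.strip()]` would avoid that.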