voxpupuli · towo · Aug 25, 2022 · Aug 31, 2022 · Aug 31, 2022 · smortex
diff --git a/lib/puppet/provider/openldap_access/olc.rb b/lib/puppet/provider/openldap_access/olc.rb
@@ -30,7 +30,7 @@ def self.instances
           suffix = line.split[1]
         when %r{^olcAccess: }
           begin
-            position, what, bys = line.match(%r{^olcAccess:\s+\{(\d+)\}to\s+(\S+(?:\s+filter=\S+)?(?:\s+attrs=\S+)?(?:\s+val=\S+)?)(\s+by\s+.*)+$}).captures
+            position, what, bys = line.match(%r{^olcAccess:\s+\{(\d+)\}to\s+((?:\S*"[^"]+"|\S+)?(?:\s+filter=\S+)?(?:\s+attrs=\S+)?(?:\s+val=\S+)?)(\s+by\s+.*)+$}).captures
           rescue StandardError
             raise Puppet::Error, "Failed to parse olcAccess for suffix '#{suffix}': #{line}"
           end

diff --git a/spec/unit/puppet/provider/openldap_access/olc_spec.rb b/spec/unit/puppet/provider/openldap_access/olc_spec.rb
@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Puppet::Type.type(:openldap_access).provider(:olc) do
+  describe '::instances' do
+    context 'with Debian defaults' do
+      it do
+        allow(described_class).to receive(:slapcat).with('(olcAccess=*)').and_return(<<~SLAPCAT)
+          # Debian defaults
+          dn: olcDatabase={-1}frontend,cn=config
+          olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
+          olcAccess: {1}to dn.exact="" by * read
+          olcAccess: {2}to dn.base="cn=Subschema" by * read
+
+          dn: olcDatabase={0}config,cn=config
+          olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
+
+          dn: olcDatabase={1}mdb,cn=config
+          olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
+          olcAccess: {1}to attrs=shadowLastChange by self write by * read
+          olcAccess: {2}to * by * read
+        SLAPCAT
+      end
+
+      it 'parses olcAccess' do
+        allow(described_class.instances.size).to eq(7)
+      end
+    end
+
+    context 'with spaces' do
+      it do
+        allow(described_class).to receive(:slapcat).with('(olcAccess=*)').and_return(<<~SLAPCAT)
+          dn: olcDatabase={-1}frontend,cn=config
+          olcAccess: {0}to dn.base="cn=Sub Schema" by * read
+        SLAPCAT
+      end
+
+      it 'parses olcAccess' do
+        allow(described_class.instances.size).to eq(1)
+      end
+    end
+  end
+end
diff --git a/spec/unit/puppet/type/openldap_acess_spec.rb b/spec/unit/puppet/type/openldap_acess_spec.rb
@@ -13,5 +13,15 @@
       access = described_class.new(name: '0 on dc=example,dc=com', access: 'by dn="cn=admin,dc=example,dc=com" write by anonymous auth')
       expect(access[:access]).to eq([['by dn="cn=admin,dc=example,dc=com" write', 'by anonymous auth']])
     end
+
+    it 'handles target with spaces with prefix' do
+      access = described_class.new(name: '0 on dn.subtree="cn=Some String,dc=example,dc=com"', access: 'by dn="cn=admin,dc=example,dc=com" write by anonymous auth')
+      expect(access[:access]).to eq([['by dn="cn=admin,dc=example,dc=com" write', 'by anonymous auth']])
+    end
+
+    it 'handles target with spaces without prefix' do
+      access = described_class.new(name: '0 on "cn=Some String,dc=example,dc=com"', access: 'by dn="cn=admin,dc=example,dc=com" write by anonymous auth')
+      expect(access[:access]).to eq([['by dn="cn=admin,dc=example,dc=com" write', 'by anonymous auth']])
+    end
   end
 end