1 /* acl.c - routines to parse and check acl's */
7 #include <sys/socket.h>
8 #include <netinet/in.h>
14 extern Filter *str2filter();
15 extern char *re_comp();
16 extern struct acl *global_acl;
17 extern char **str2charray();
18 extern char *dn_upcase();
21 static void acl_append();
22 static void access_append();
23 static void acl_usage();
25 static void print_acl();
26 static void print_access();
39 char *e, *left, *right;
44 for ( i = 1; i < argc; i++ ) {
45 /* to clause - select which entries are protected */
46 if ( strcasecmp( argv[i], "to" ) == 0 ) {
49 "%s: line %d: only one to clause allowed in access line\n",
53 a = (struct acl *) ch_calloc( 1, sizeof(struct acl) );
54 for ( ++i; i < argc; i++ ) {
55 if ( strcasecmp( argv[i], "by" ) == 0 ) {
60 if ( strcasecmp( argv[i], "*" ) == 0 ) {
61 a->acl_dnpat = strdup( ".*" );
65 split( argv[i], '=', &left, &right );
66 if ( right == NULL || *right == '\0' ) {
68 "%s: line %d: missing \"=\" in (or value after) \"%s\" in to clause\n",
69 fname, lineno, left );
73 if ( strcasecmp( left, "filter" ) == 0 ) {
74 if ( (a->acl_filter = str2filter(
77 "%s: line %d: bad filter \"%s\" in to clause\n",
78 fname, lineno, right );
81 } else if ( strcasecmp( left, "dn" ) == 0 ) {
82 if ( (e = re_comp( right )) != NULL ) {
84 "%s: line %d: regular expression \"%s\" bad because of %s\n",
85 fname, lineno, right, e );
88 a->acl_dnpat = dn_upcase( strdup(
90 } else if ( strncasecmp( left, "attr", 4 )
94 alist = str2charray( right, "," );
95 charray_merge( &a->acl_attrs, alist );
99 "%s: line %d: expecting <what> got \"%s\"\n",
100 fname, lineno, left );
105 /* by clause - select who has what access to entries */
106 } else if ( strcasecmp( argv[i], "by" ) == 0 ) {
109 "%s: line %d: to clause required before by clause in access line\n",
114 * by clause consists of <who> and <access>
117 b = (struct access *) ch_calloc( 1,
118 sizeof(struct access) );
122 "%s: line %d: premature eol: expecting <who>\n",
128 split( argv[i], '=', &left, &right );
129 if ( strcasecmp( argv[i], "*" ) == 0 ) {
130 b->a_dnpat = strdup( ".*" );
131 } else if ( strcasecmp( argv[i], "self" ) == 0 ) {
132 b->a_dnpat = strdup( "self" );
133 } else if ( strcasecmp( left, "dn" ) == 0 ) {
134 if ( (e = re_comp( right )) != NULL ) {
136 "%s: line %d: regular expression \"%s\" bad: %s\n",
137 fname, lineno, right, e );
140 b->a_dnpat = dn_upcase( strdup( right ) );
141 } else if ( strcasecmp( left, "dnattr" )
143 b->a_dnattr = strdup( right );
144 } else if ( strcasecmp( left, "domain" )
148 if ( (e = re_comp( right )) != NULL ) {
150 "%s: line %d: regular expression \"%s\" bad: %s\n",
151 fname, lineno, right, e );
154 b->a_domainpat = strdup( right );
155 /* normalize the domain */
156 for ( s = b->a_domainpat; *s; s++ ) {
159 } else if ( strcasecmp( left, "addr" ) == 0 ) {
160 if ( (e = re_comp( right )) != NULL ) {
162 "%s: line %d: regular expression \"%s\" bad: %s\n",
163 fname, lineno, right, e );
166 b->a_addrpat = strdup( right );
169 "%s: line %d: expecting <who> got \"%s\"\n",
170 fname, lineno, left );
176 "%s: line %d: premature eol: expecting <access>\n",
182 split( argv[i], '=', &left, &right );
183 if ( (b->a_access = str2access( left )) == -1 ) {
185 "%s: line %d: expecting <access> got \"%s\"\n",
186 fname, lineno, left );
189 access_append( &a->acl_access, b );
193 "%s: line %d: expecting \"to\" or \"by\" got \"%s\"\n",
194 fname, lineno, argv[i] );
199 /* if we have no real access clause, complain and do nothing */
203 "%s: line %d: warning: no access clause(s) specified in access line\n",
208 if ( a->acl_access == NULL ) {
210 "%s: line %d: warning: no by clause(s) specified in access line\n",
215 acl_append( &be->be_acl, a );
217 acl_append( &global_acl, a );
223 access2str( int access )
227 if ( access & ACL_SELF ) {
228 strcpy( buf, "self" );
233 if ( access & ACL_NONE ) {
234 strcat( buf, "none" );
235 } else if ( access & ACL_COMPARE ) {
236 strcat( buf, "compare" );
237 } else if ( access & ACL_SEARCH ) {
238 strcat( buf, "search" );
239 } else if ( access & ACL_READ ) {
240 strcat( buf, "read" );
241 } else if ( access & ACL_WRITE ) {
242 strcat( buf, "write" );
244 strcat( buf, "unknown" );
251 str2access( char *str )
256 if ( strncasecmp( str, "self", 4 ) == 0 ) {
261 if ( strcasecmp( str, "none" ) == 0 ) {
263 } else if ( strcasecmp( str, "compare" ) == 0 ) {
264 access |= ACL_COMPARE;
265 } else if ( strcasecmp( str, "search" ) == 0 ) {
266 access |= ACL_SEARCH;
267 } else if ( strcasecmp( str, "read" ) == 0 ) {
269 } else if ( strcasecmp( str, "write" ) == 0 ) {
281 fprintf( stderr, "\n<access clause> ::= access to <what> [ by <who> <access> ]+ \n" );
282 fprintf( stderr, "<what> ::= * | [dn=<regex>] [filter=<ldapfilter>] [attrs=<attrlist>]\n" );
283 fprintf( stderr, "<attrlist> ::= <attr> | <attr> , <attrlist>\n" );
284 fprintf( stderr, "<attr> ::= <attrname> | entry | children\n" );
285 fprintf( stderr, "<who> ::= * | self | dn=<regex> | addr=<regex> |\n\tdomain=<regex> | dnattr=<dnattrname>\n" );
286 fprintf( stderr, "<access> ::= [self]{none | compare | search | read | write }\n" );
299 if ( (*right = strchr( line, splitchar )) != NULL ) {
300 *((*right)++) = '\0';
305 access_append( struct access **l, struct access *a )
307 for ( ; *l != NULL; l = &(*l)->a_next )
314 acl_append( struct acl **l, struct acl *a )
316 for ( ; *l != NULL; l = &(*l)->acl_next )
325 print_access( struct access *b )
328 if ( b->a_dnpat != NULL ) {
329 printf( " dn=%s", b->a_dnpat );
330 } else if ( b->a_addrpat != NULL ) {
331 printf( " addr=%s", b->a_addrpat );
332 } else if ( b->a_domainpat != NULL ) {
333 printf( " domain=%s", b->a_domainpat );
334 } else if ( b->a_dnattr != NULL ) {
335 printf( " dnattr=%s", b->a_dnattr );
337 printf( " %s\n", access2str( b->a_access ) );
341 print_acl( struct acl *a )
349 printf( "access to" );
350 if ( a->acl_filter != NULL ) {
351 printf( " filter=" );
352 filter_print( a->acl_filter );
354 if ( a->acl_dnpat != NULL ) {
356 printf( a->acl_dnpat );
358 if ( a->acl_attrs != NULL ) {
362 for ( i = 0; a->acl_attrs[i] != NULL; i++ ) {
366 printf( a->acl_attrs[i] );
371 for ( b = a->acl_access; b != NULL; b = b->a_next ) {
projects / openldap / blob