1 /* acl.c - routines to parse and check acl's */
7 #include <sys/socket.h>
8 #include <netinet/in.h>
16 extern Filter *str2filter();
17 extern struct acl *global_acl;
18 extern char **str2charray();
19 extern char *dn_upcase();
22 static void acl_append();
23 static void access_append();
24 static void acl_usage();
26 static void print_acl();
27 static void print_access();
31 regtest(char *fname, int lineno, char *pat) {
47 for (size = 0, flag = 0; (size < sizeof(buf)) && *sp; sp++) {
49 if (*sp == '$'|| (*sp >= '0' && *sp <= '9')) {
66 if ( size >= (sizeof(buf)-1) ) {
68 "%s: line %d: regular expression \"%s\" too large\n",
69 fname, lineno, pat, 0 );
73 if ((e = regcomp(&re, buf, REG_EXTENDED|REG_ICASE))) {
75 regerror(e, &re, error, sizeof(error));
77 "%s: line %d: regular expression \"%s\" bad because of %s\n",
78 fname, lineno, pat, error );
96 char *e, *left, *right;
101 for ( i = 1; i < argc; i++ ) {
102 /* to clause - select which entries are protected */
103 if ( strcasecmp( argv[i], "to" ) == 0 ) {
106 "%s: line %d: only one to clause allowed in access line\n",
110 a = (struct acl *) ch_calloc( 1, sizeof(struct acl) );
111 for ( ++i; i < argc; i++ ) {
112 if ( strcasecmp( argv[i], "by" ) == 0 ) {
117 if ( strcasecmp( argv[i], "*" ) == 0 ) {
119 if ((e = regcomp( &a->acl_dnre, ".*",
120 REG_EXTENDED|REG_ICASE)))
123 regerror(e, &a->acl_dnre, buf, sizeof(buf));
125 "%s: line %d: regular expression \"%s\" bad because of %s\n",
126 fname, lineno, right, buf );
129 a->acl_dnpat = strdup( ".*" );
133 split( argv[i], '=', &left, &right );
134 if ( right == NULL || *right == '\0' ) {
136 "%s: line %d: missing \"=\" in (or value after) \"%s\" in to clause\n",
137 fname, lineno, left );
141 if ( strcasecmp( left, "filter" ) == 0 ) {
142 if ( (a->acl_filter = str2filter(
145 "%s: line %d: bad filter \"%s\" in to clause\n",
146 fname, lineno, right );
149 } else if ( strcasecmp( left, "dn" ) == 0 ) {
151 if ((e = regcomp(&a->acl_dnre, right,
152 REG_EXTENDED|REG_ICASE))) {
154 regerror(e, &a->acl_dnre, buf, sizeof(buf));
156 "%s: line %d: regular expression \"%s\" bad because of %s\n",
157 fname, lineno, right, buf );
161 a->acl_dnpat = dn_upcase(strdup( right ));
163 } else if ( strncasecmp( left, "attr", 4 )
167 alist = str2charray( right, "," );
168 charray_merge( &a->acl_attrs, alist );
172 "%s: line %d: expecting <what> got \"%s\"\n",
173 fname, lineno, left );
178 /* by clause - select who has what access to entries */
179 } else if ( strcasecmp( argv[i], "by" ) == 0 ) {
182 "%s: line %d: to clause required before by clause in access line\n",
187 * by clause consists of <who> and <access>
190 b = (struct access *) ch_calloc( 1,
191 sizeof(struct access) );
195 "%s: line %d: premature eol: expecting <who>\n",
201 split( argv[i], '=', &left, &right );
202 if ( strcasecmp( argv[i], "*" ) == 0 ) {
203 b->a_dnpat = strdup( ".*" );
204 } else if ( strcasecmp( argv[i], "self" ) == 0 ) {
205 b->a_dnpat = strdup( "self" );
206 } else if ( strcasecmp( left, "dn" ) == 0 ) {
207 regtest(fname, lineno, right);
208 b->a_dnpat = dn_upcase( strdup( right ) );
209 } else if ( strcasecmp( left, "dnattr" ) == 0 ) {
210 b->a_dnattr = strdup( right );
213 } else if ( strcasecmp( left, "group" ) == 0 ) {
214 regtest(fname, lineno, right);
215 b->a_group = dn_upcase(strdup( right ));
216 #endif /* ACLGROUP */
217 } else if ( strcasecmp( left, "domain" ) == 0 ) {
219 regtest(fname, lineno, right);
220 b->a_domainpat = strdup( right );
222 /* normalize the domain */
223 for ( s = b->a_domainpat; *s; s++ ) {
226 } else if ( strcasecmp( left, "addr" ) == 0 ) {
227 regtest(fname, lineno, right);
228 b->a_addrpat = strdup( right );
231 "%s: line %d: expecting <who> got \"%s\"\n",
232 fname, lineno, left );
238 "%s: line %d: premature eol: expecting <access>\n",
244 split( argv[i], '=', &left, &right );
245 if ( (b->a_access = str2access( left )) == -1 ) {
247 "%s: line %d: expecting <access> got \"%s\"\n",
248 fname, lineno, left );
251 access_append( &a->acl_access, b );
255 "%s: line %d: expecting \"to\" or \"by\" got \"%s\"\n",
256 fname, lineno, argv[i] );
261 /* if we have no real access clause, complain and do nothing */
264 "%s: line %d: warning: no access clause(s) specified in access line\n",
269 if ( a->acl_access == NULL ) {
271 "%s: line %d: warning: no by clause(s) specified in access line\n",
276 acl_append( &be->be_acl, a );
278 acl_append( &global_acl, a );
284 access2str( int access )
288 if ( access & ACL_SELF ) {
289 strcpy( buf, "self" );
294 if ( access & ACL_NONE ) {
295 strcat( buf, "none" );
296 } else if ( access & ACL_COMPARE ) {
297 strcat( buf, "compare" );
298 } else if ( access & ACL_SEARCH ) {
299 strcat( buf, "search" );
300 } else if ( access & ACL_READ ) {
301 strcat( buf, "read" );
302 } else if ( access & ACL_WRITE ) {
303 strcat( buf, "write" );
305 strcat( buf, "unknown" );
312 str2access( char *str )
317 if ( strncasecmp( str, "self", 4 ) == 0 ) {
322 if ( strcasecmp( str, "none" ) == 0 ) {
324 } else if ( strcasecmp( str, "compare" ) == 0 ) {
325 access |= ACL_COMPARE;
326 } else if ( strcasecmp( str, "search" ) == 0 ) {
327 access |= ACL_SEARCH;
328 } else if ( strcasecmp( str, "read" ) == 0 ) {
330 } else if ( strcasecmp( str, "write" ) == 0 ) {
342 fprintf( stderr, "\n<access clause> ::= access to <what> [ by <who> <access> ]+ \n" );
343 fprintf( stderr, "<what> ::= * | [dn=<regex>] [filter=<ldapfilter>] [attrs=<attrlist>]\n" );
344 fprintf( stderr, "<attrlist> ::= <attr> | <attr> , <attrlist>\n" );
345 fprintf( stderr, "<attr> ::= <attrname> | entry | children\n" );
346 fprintf( stderr, "<who> ::= * | self | dn=<regex> | addr=<regex> |\n\tdomain=<regex> | dnattr=<dnattrname>\n" );
347 fprintf( stderr, "<access> ::= [self]{none | compare | search | read | write }\n" );
360 if ( (*right = strchr( line, splitchar )) != NULL ) {
361 *((*right)++) = '\0';
366 access_append( struct access **l, struct access *a )
368 for ( ; *l != NULL; l = &(*l)->a_next )
375 acl_append( struct acl **l, struct acl *a )
377 for ( ; *l != NULL; l = &(*l)->acl_next )
386 print_access( struct access *b )
389 if ( b->a_dnpat != NULL ) {
390 printf( " dn=%s", b->a_dnpat );
391 } else if ( b->a_addrpat != NULL ) {
392 printf( " addr=%s", b->a_addrpat );
393 } else if ( b->a_domainpat != NULL ) {
394 printf( " domain=%s", b->a_domainpat );
395 } else if ( b->a_dnattr != NULL ) {
396 printf( " dnattr=%s", b->a_dnattr );
398 printf( " %s\n", access2str( b->a_access ) );
402 print_acl( struct acl *a )
410 printf( "access to" );
411 if ( a->acl_filter != NULL ) {
412 printf( " filter=" );
413 filter_print( a->acl_filter );
415 if ( a->acl_dnpat != NULL ) {
417 printf( a->acl_dnpat );
419 if ( a->acl_attrs != NULL ) {
423 for ( i = 0; a->acl_attrs[i] != NULL; i++ ) {
427 printf( a->acl_attrs[i] );
432 for ( b = a->acl_access; b != NULL; b = b->a_next ) {
437 #endif /* LDAP_DEBUG */
projects / openldap / blob