1 /* aclparse.c - routines to parse and check acl's */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 1998-2004 The OpenLDAP Foundation.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
16 /* Portions Copyright (c) 1995 Regents of the University of Michigan.
17 * All rights reserved.
19 * Redistribution and use in source and binary forms are permitted
20 * provided that this notice is preserved and that due credit is given
21 * to the University of Michigan at Ann Arbor. The name of the University
22 * may not be used to endorse or promote products derived from this
23 * software without specific prior written permission. This software
24 * is provided ``as is'' without express or implied warranty.
33 #include <ac/socket.h>
34 #include <ac/string.h>
35 #include <ac/unistd.h>
41 static char *style_strings[] = {
54 static void split(char *line, int splitchar, char **left, char **right);
55 static void access_append(Access **l, Access *a);
56 static void acl_usage(void) LDAP_GCCATTR((noreturn));
58 static void acl_regex_normalized_dn(const char *src, struct berval *pat);
61 static void print_acl(Backend *be, AccessControl *a);
62 static void print_access(Access *b);
66 regtest(const char *fname, int lineno, char *pat) {
82 for (size = 0, flag = 0; (size < sizeof(buf)) && *sp; sp++) {
84 if (*sp == '$'|| (*sp >= '0' && *sp <= '9')) {
101 if ( size >= (sizeof(buf)-1) ) {
103 "%s: line %d: regular expression \"%s\" too large\n",
104 fname, lineno, pat );
108 if ((e = regcomp(&re, buf, REG_EXTENDED|REG_ICASE))) {
110 regerror(e, &re, error, sizeof(error));
112 "%s: line %d: regular expression \"%s\" bad because of %s\n",
113 fname, lineno, pat, error );
129 char *left, *right, *style;
137 for ( i = 1; i < argc; i++ ) {
138 /* to clause - select which entries are protected */
139 if ( strcasecmp( argv[i], "to" ) == 0 ) {
141 fprintf( stderr, "%s: line %d: "
142 "only one to clause allowed in access line\n",
146 a = (AccessControl *) ch_calloc( 1, sizeof(AccessControl) );
147 for ( ++i; i < argc; i++ ) {
148 if ( strcasecmp( argv[i], "by" ) == 0 ) {
153 if ( strcasecmp( argv[i], "*" ) == 0 ) {
154 if( a->acl_dn_pat.bv_len ||
155 ( a->acl_dn_style != ACL_STYLE_REGEX ) )
158 "%s: line %d: dn pattern"
159 " already specified in to clause.\n",
164 a->acl_dn_pat.bv_val = ch_strdup( "*" );
165 a->acl_dn_pat.bv_len = 1;
169 split( argv[i], '=', &left, &right );
170 split( left, '.', &left, &style );
172 if ( right == NULL ) {
173 fprintf( stderr, "%s: line %d: "
174 "missing \"=\" in \"%s\" in to clause\n",
175 fname, lineno, left );
179 if ( strcasecmp( left, "dn" ) == 0 ) {
180 if( a->acl_dn_pat.bv_len != 0 ||
181 ( a->acl_dn_style != ACL_STYLE_REGEX ) )
184 "%s: line %d: dn pattern"
185 " already specified in to clause.\n",
190 if ( style == NULL || *style == '\0' ||
191 ( strcasecmp( style, "base" ) == 0 ) ||
192 ( strcasecmp( style, "exact" ) == 0 ))
194 a->acl_dn_style = ACL_STYLE_BASE;
195 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
197 } else if ( strcasecmp( style, "onelevel" ) == 0
198 || strcasecmp( style, "one" ) == 0 ) {
199 a->acl_dn_style = ACL_STYLE_ONE;
200 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
202 } else if ( strcasecmp( style, "subtree" ) == 0
203 || strcasecmp( style, "sub" ) == 0 )
205 if( *right == '\0' ) {
206 a->acl_dn_pat.bv_val = ch_strdup( "*" );
207 a->acl_dn_pat.bv_len = 1;
210 a->acl_dn_style = ACL_STYLE_SUBTREE;
211 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
214 } else if ( strcasecmp( style, "children" ) == 0 ) {
215 a->acl_dn_style = ACL_STYLE_CHILDREN;
216 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
218 } else if ( strcasecmp( style, "regex" ) == 0 ) {
219 a->acl_dn_style = ACL_STYLE_REGEX;
221 if ( *right == '\0' ) {
222 /* empty regex should match empty DN */
223 a->acl_dn_style = ACL_STYLE_BASE;
224 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
226 } else if ( strcmp(right, "*") == 0
227 || strcmp(right, ".*") == 0
228 || strcmp(right, ".*$") == 0
229 || strcmp(right, "^.*") == 0
230 || strcmp(right, "^.*$") == 0
231 || strcmp(right, ".*$$") == 0
232 || strcmp(right, "^.*$$") == 0 )
234 a->acl_dn_pat.bv_val = ch_strdup( "*" );
235 a->acl_dn_pat.bv_len = sizeof("*")-1;
238 acl_regex_normalized_dn( right, &a->acl_dn_pat );
242 fprintf( stderr, "%s: line %d: "
243 "unknown dn style \"%s\" in to clause\n",
244 fname, lineno, style );
251 if ( strcasecmp( left, "filter" ) == 0 ) {
252 if ( (a->acl_filter = str2filter( right )) == NULL ) {
254 "%s: line %d: bad filter \"%s\" in to clause\n",
255 fname, lineno, right );
259 } else if ( strcasecmp( left, "attr" ) == 0
260 || strcasecmp( left, "attrs" ) == 0 ) {
261 a->acl_attrs = str2anlist( a->acl_attrs,
263 if ( a->acl_attrs == NULL ) {
265 "%s: line %d: unknown attr \"%s\" in to clause\n",
266 fname, lineno, right );
270 } else if ( strncasecmp( left, "val", 3 ) == 0 ) {
271 if ( a->acl_attrval.bv_len ) {
273 "%s: line %d: attr val already specified in to clause.\n",
277 if ( a->acl_attrs == NULL || a->acl_attrs[1].an_name.bv_val ) {
279 "%s: line %d: attr val requires a single attribute.\n",
283 ber_str2bv( right, 0, 1, &a->acl_attrval );
284 if ( style && strcasecmp( style, "regex" ) == 0 ) {
285 int e = regcomp( &a->acl_attrval_re, a->acl_attrval.bv_val,
286 REG_EXTENDED | REG_ICASE | REG_NOSUB );
289 regerror( e, &a->acl_attrval_re, buf, sizeof(buf) );
290 fprintf( stderr, "%s: line %d: "
291 "regular expression \"%s\" bad because of %s\n",
292 fname, lineno, right, buf );
295 a->acl_attrval_style = ACL_STYLE_REGEX;
297 /* FIXME: if the attribute has DN syntax,
298 * we might allow one, subtree and children styles as well */
299 if ( !strcasecmp( style, "exact" ) ) {
300 a->acl_attrval_style = ACL_STYLE_BASE;
302 } else if ( a->acl_attrs[0].an_desc->ad_type->sat_syntax == slap_schema.si_syn_distinguishedName ) {
303 if ( !strcasecmp( style, "base" ) ) {
304 a->acl_attrval_style = ACL_STYLE_BASE;
305 } else if ( !strcasecmp( style, "onelevel" ) || !strcasecmp( style, "one" ) ) {
306 a->acl_attrval_style = ACL_STYLE_ONE;
307 } else if ( !strcasecmp( style, "subtree" ) || !strcasecmp( style, "sub" ) ) {
308 a->acl_attrval_style = ACL_STYLE_SUBTREE;
309 } else if ( !strcasecmp( style, "children" ) ) {
310 a->acl_attrval_style = ACL_STYLE_CHILDREN;
313 "%s: line %d: unknown val.<style> \"%s\" "
314 "for attributeType \"%s\" with DN syntax; using \"base\"\n",
315 fname, lineno, style,
316 a->acl_attrs[0].an_desc->ad_cname.bv_val );
317 a->acl_attrval_style = ACL_STYLE_BASE;
322 "%s: line %d: unknown val.<style> \"%s\" "
323 "for attributeType \"%s\"; using \"exact\"\n",
324 fname, lineno, style,
325 a->acl_attrs[0].an_desc->ad_cname.bv_val );
326 a->acl_attrval_style = ACL_STYLE_BASE;
332 "%s: line %d: expecting <what> got \"%s\"\n",
333 fname, lineno, left );
338 if ( a->acl_dn_pat.bv_len != 0 &&
339 strcmp(a->acl_dn_pat.bv_val, "*") == 0 )
341 free( a->acl_dn_pat.bv_val );
342 a->acl_dn_pat.bv_val = NULL;
343 a->acl_dn_pat.bv_len = 0;
346 if( a->acl_dn_pat.bv_len != 0 ||
347 ( a->acl_dn_style != ACL_STYLE_REGEX ) )
349 if ( a->acl_dn_style != ACL_STYLE_REGEX ) {
351 rc = dnNormalize( 0, NULL, NULL, &a->acl_dn_pat, &bv, NULL);
352 if ( rc != LDAP_SUCCESS ) {
354 "%s: line %d: bad DN \"%s\" in to DN clause\n",
355 fname, lineno, a->acl_dn_pat.bv_val );
358 free( a->acl_dn_pat.bv_val );
361 int e = regcomp( &a->acl_dn_re, a->acl_dn_pat.bv_val,
362 REG_EXTENDED | REG_ICASE );
365 regerror( e, &a->acl_dn_re, buf, sizeof(buf) );
366 fprintf( stderr, "%s: line %d: "
367 "regular expression \"%s\" bad because of %s\n",
368 fname, lineno, right, buf );
374 /* by clause - select who has what access to entries */
375 } else if ( strcasecmp( argv[i], "by" ) == 0 ) {
377 fprintf( stderr, "%s: line %d: "
378 "to clause required before by clause in access line\n",
384 * by clause consists of <who> and <access>
387 b = (Access *) ch_calloc( 1, sizeof(Access) );
389 ACL_INVALIDATE( b->a_access_mask );
393 "%s: line %d: premature eol: expecting <who>\n",
399 for ( ; i < argc; i++ ) {
400 slap_style_t sty = ACL_STYLE_REGEX;
401 char *style_modifier = NULL;
404 split( argv[i], '=', &left, &right );
405 split( left, '.', &left, &style );
407 split( style, ',', &style, &style_modifier);
410 if ( style == NULL || *style == '\0' ||
411 strcasecmp( style, "exact" ) == 0 ||
412 strcasecmp( style, "base" ) == 0 )
414 sty = ACL_STYLE_BASE;
416 } else if ( strcasecmp( style, "onelevel" ) == 0 ||
417 strcasecmp( style, "one" ) == 0 ) {
420 } else if ( strcasecmp( style, "subtree" ) == 0 ||
421 strcasecmp( style, "sub" ) == 0 )
423 sty = ACL_STYLE_SUBTREE;
425 } else if ( strcasecmp( style, "children" ) == 0 ) {
426 sty = ACL_STYLE_CHILDREN;
428 } else if ( strcasecmp( style, "regex" ) == 0 ) {
429 sty = ACL_STYLE_REGEX;
431 } else if ( strcasecmp( style, "expand" ) == 0 ) {
432 sty = ACL_STYLE_EXPAND;
434 } else if ( strcasecmp( style, "ip" ) == 0 ) {
437 } else if ( strcasecmp( style, "path" ) == 0 ) {
438 sty = ACL_STYLE_PATH;
439 #ifndef LDAP_PF_LOCAL
440 fprintf( stderr, "%s: line %d: "
441 "path style modifier is useless without local\n",
443 #endif /* LDAP_PF_LOCAL */
447 "%s: line %d: unknown style \"%s\" in by clause\n",
448 fname, lineno, style );
452 if ( style_modifier &&
453 strcasecmp( style_modifier, "expand" ) == 0 )
456 case ACL_STYLE_REGEX:
457 fprintf( stderr, "%s: line %d: "
458 "\"regex\" style implies "
459 "\"expand\" modifier (ignored)\n",
463 case ACL_STYLE_EXPAND:
464 fprintf( stderr, "%s: line %d: "
465 "\"expand\" style used "
466 "in conjunction with "
467 "\"expand\" modifier (ignored)\n",
472 /* we'll see later if it's pertinent */
478 /* expand in <who> needs regex in <what> */
479 if ( ( sty == ACL_STYLE_EXPAND || expand )
480 && a->acl_dn_style != ACL_STYLE_REGEX )
482 fprintf( stderr, "%s: line %d: "
483 "\"expand\" style or modifier used "
484 "in conjunction with "
485 "a non-regex <what> clause\n",
490 if ( strcasecmp( argv[i], "*" ) == 0 ) {
491 bv.bv_val = ch_strdup( "*" );
493 sty = ACL_STYLE_REGEX;
495 } else if ( strcasecmp( argv[i], "anonymous" ) == 0 ) {
496 ber_str2bv("anonymous", sizeof("anonymous")-1, 1, &bv);
497 sty = ACL_STYLE_REGEX;
499 } else if ( strcasecmp( argv[i], "self" ) == 0 ) {
500 ber_str2bv("self", sizeof("self")-1, 1, &bv);
501 sty = ACL_STYLE_REGEX;
503 } else if ( strcasecmp( argv[i], "users" ) == 0 ) {
504 ber_str2bv("users", sizeof("users")-1, 1, &bv);
505 sty = ACL_STYLE_REGEX;
507 } else if ( strcasecmp( left, "dn" ) == 0 ) {
508 if ( sty == ACL_STYLE_REGEX ) {
509 b->a_dn_style = ACL_STYLE_REGEX;
510 if( right == NULL ) {
515 } else if (*right == '\0' ) {
517 ber_str2bv("anonymous",
518 sizeof("anonymous")-1,
520 } else if ( strcmp( right, "*" ) == 0 ) {
522 /* any or users? users for now */
526 } else if ( strcmp( right, ".+" ) == 0
527 || strcmp( right, "^.+" ) == 0
528 || strcmp( right, ".+$" ) == 0
529 || strcmp( right, "^.+$" ) == 0
530 || strcmp( right, ".+$$" ) == 0
531 || strcmp( right, "^.+$$" ) == 0 )
536 } else if ( strcmp( right, ".*" ) == 0
537 || strcmp( right, "^.*" ) == 0
538 || strcmp( right, ".*$" ) == 0
539 || strcmp( right, "^.*$" ) == 0
540 || strcmp( right, ".*$$" ) == 0
541 || strcmp( right, "^.*$$" ) == 0 )
548 acl_regex_normalized_dn( right, &bv );
549 if ( !ber_bvccmp( &bv, '*' ) ) {
550 regtest(fname, lineno, bv.bv_val);
553 } else if ( right == NULL || *right == '\0' ) {
554 fprintf( stderr, "%s: line %d: "
555 "missing \"=\" in (or value after) \"%s\" "
557 fname, lineno, left );
561 ber_str2bv( right, 0, 1, &bv );
568 if( bv.bv_val != NULL ) {
569 if( b->a_dn_pat.bv_len != 0 ) {
571 "%s: line %d: dn pattern already specified.\n",
576 if ( sty != ACL_STYLE_REGEX && expand == 0 ) {
577 rc = dnNormalize(0, NULL, NULL,
578 &bv, &b->a_dn_pat, NULL);
579 if ( rc != LDAP_SUCCESS ) {
581 "%s: line %d: bad DN \"%s\" in by DN clause\n",
582 fname, lineno, bv.bv_val );
590 b->a_dn_expand = expand;
594 if ( strcasecmp( left, "dnattr" ) == 0 ) {
595 if ( right == NULL || right[ 0 ] == '\0' ) {
597 "%s: line %d: missing \"=\" in (or value after) \"%s\" in by clause\n",
598 fname, lineno, left );
602 if( b->a_dn_at != NULL ) {
604 "%s: line %d: dnattr already specified.\n",
609 rc = slap_str2ad( right, &b->a_dn_at, &text );
611 if( rc != LDAP_SUCCESS ) {
613 "%s: line %d: dnattr \"%s\": %s\n",
614 fname, lineno, right, text );
619 if( !is_at_syntax( b->a_dn_at->ad_type,
621 !is_at_syntax( b->a_dn_at->ad_type,
622 SLAPD_NAMEUID_SYNTAX ))
625 "%s: line %d: dnattr \"%s\": "
626 "inappropriate syntax: %s\n",
627 fname, lineno, right,
628 b->a_dn_at->ad_type->sat_syntax_oid );
632 if( b->a_dn_at->ad_type->sat_equality == NULL ) {
634 "%s: line %d: dnattr \"%s\": "
635 "inappropriate matching (no EQUALITY)\n",
636 fname, lineno, right );
643 if ( strncasecmp( left, "group", sizeof("group")-1 ) == 0 ) {
648 case ACL_STYLE_REGEX:
649 /* legacy, tolerated */
650 fprintf( stderr, "%s: line %d: "
651 "deprecated group style \"regex\"; "
652 "use \"expand\" instead\n",
653 fname, lineno, style );
654 sty = ACL_STYLE_EXPAND;
658 /* legal, traditional */
659 case ACL_STYLE_EXPAND:
660 /* legal, substring expansion; supersedes regex */
665 fprintf( stderr, "%s: line %d: "
666 "inappropriate style \"%s\" in by clause\n",
667 fname, lineno, style );
671 if ( right == NULL || right[ 0 ] == '\0' ) {
672 fprintf( stderr, "%s: line %d: "
673 "missing \"=\" in (or value after) \"%s\" "
675 fname, lineno, left );
679 if( b->a_group_pat.bv_len ) {
681 "%s: line %d: group pattern already specified.\n",
686 /* format of string is
687 "group/objectClassValue/groupAttrName" */
688 if ((value = strchr(left, '/')) != NULL) {
690 if (*value && (name = strchr(value, '/')) != NULL) {
695 b->a_group_style = sty;
696 if (sty == ACL_STYLE_EXPAND) {
697 acl_regex_normalized_dn( right, &bv );
698 if ( !ber_bvccmp( &bv, '*' ) ) {
699 regtest(fname, lineno, bv.bv_val);
703 ber_str2bv( right, 0, 0, &bv );
704 rc = dnNormalize( 0, NULL, NULL, &bv,
705 &b->a_group_pat, NULL );
706 if ( rc != LDAP_SUCCESS ) {
708 "%s: line %d: bad DN \"%s\"\n",
709 fname, lineno, right );
714 if (value && *value) {
715 b->a_group_oc = oc_find( value );
718 if( b->a_group_oc == NULL ) {
720 "%s: line %d: group objectclass "
722 fname, lineno, value );
726 b->a_group_oc = oc_find(SLAPD_GROUP_CLASS);
728 if( b->a_group_oc == NULL ) {
730 "%s: line %d: group default objectclass "
732 fname, lineno, SLAPD_GROUP_CLASS );
737 if( is_object_subclass( slap_schema.si_oc_referral,
741 "%s: line %d: group objectclass \"%s\" "
742 "is subclass of referral\n",
743 fname, lineno, value );
747 if( is_object_subclass( slap_schema.si_oc_alias,
751 "%s: line %d: group objectclass \"%s\" "
752 "is subclass of alias\n",
753 fname, lineno, value );
758 rc = slap_str2ad( name, &b->a_group_at, &text );
760 if( rc != LDAP_SUCCESS ) {
762 "%s: line %d: group \"%s\": %s\n",
763 fname, lineno, right, text );
768 rc = slap_str2ad( SLAPD_GROUP_ATTR, &b->a_group_at, &text );
770 if( rc != LDAP_SUCCESS ) {
772 "%s: line %d: group \"%s\": %s\n",
773 fname, lineno, SLAPD_GROUP_ATTR, text );
778 if( !is_at_syntax( b->a_group_at->ad_type,
780 !is_at_syntax( b->a_group_at->ad_type,
781 SLAPD_NAMEUID_SYNTAX ) &&
782 !is_at_subtype( b->a_group_at->ad_type, slap_schema.si_ad_labeledURI->ad_type ))
785 "%s: line %d: group \"%s\": inappropriate syntax: %s\n",
786 fname, lineno, right,
787 b->a_group_at->ad_type->sat_syntax_oid );
794 struct berval vals[2];
796 vals[0].bv_val = b->a_group_oc->soc_oid;
797 vals[0].bv_len = strlen(vals[0].bv_val);
798 vals[1].bv_val = NULL;
801 rc = oc_check_allowed( b->a_group_at->ad_type,
805 fprintf( stderr, "%s: line %d: "
806 "group: \"%s\" not allowed by \"%s\"\n",
808 b->a_group_at->ad_cname.bv_val,
809 b->a_group_oc->soc_oid );
816 if ( strcasecmp( left, "peername" ) == 0 ) {
818 case ACL_STYLE_REGEX:
820 /* legal, traditional */
821 case ACL_STYLE_EXPAND:
822 /* cheap replacement to regex for simple expansion */
825 /* legal, peername specific */
829 fprintf( stderr, "%s: line %d: "
830 "inappropriate style \"%s\" in by clause\n",
831 fname, lineno, style );
835 if ( right == NULL || right[ 0 ] == '\0' ) {
836 fprintf( stderr, "%s: line %d: "
837 "missing \"=\" in (or value after) \"%s\" "
839 fname, lineno, left );
843 if( b->a_peername_pat.bv_len ) {
844 fprintf( stderr, "%s: line %d: "
845 "peername pattern already specified.\n",
850 b->a_peername_style = sty;
851 if (sty == ACL_STYLE_REGEX) {
852 acl_regex_normalized_dn( right, &bv );
853 if ( !ber_bvccmp( &bv, '*' ) ) {
854 regtest(fname, lineno, bv.bv_val);
856 b->a_peername_pat = bv;
859 ber_str2bv( right, 0, 1, &b->a_peername_pat );
861 if ( sty == ACL_STYLE_IP ) {
866 split( right, '{', &addr, &port );
867 split( addr, '%', &addr, &mask );
869 b->a_peername_addr = inet_addr( addr );
870 if ( b->a_peername_addr == (unsigned long)(-1)) {
871 /* illegal address */
872 fprintf( stderr, "%s: line %d: "
873 "illegal peername address \"%s\".\n",
874 fname, lineno, addr );
878 b->a_peername_mask = (unsigned long)(-1);
879 if ( mask != NULL ) {
880 b->a_peername_mask = inet_addr( mask );
881 if ( b->a_peername_mask == (unsigned long)(-1)) {
883 fprintf( stderr, "%s: line %d: "
884 "illegal peername address mask \"%s\".\n",
885 fname, lineno, mask );
890 b->a_peername_port = -1;
894 b->a_peername_port = strtol( port, &end, 10 );
895 if ( end[ 0 ] != '}' ) {
897 fprintf( stderr, "%s: line %d: "
898 "illegal peername port specification \"{%s}\".\n",
899 fname, lineno, port );
908 if ( strcasecmp( left, "sockname" ) == 0 ) {
910 case ACL_STYLE_REGEX:
912 /* legal, traditional */
913 case ACL_STYLE_EXPAND:
914 /* cheap replacement to regex for simple expansion */
919 fprintf( stderr, "%s: line %d: "
920 "inappropriate style \"%s\" in by clause\n",
921 fname, lineno, style );
925 if ( right == NULL || right[ 0 ] == '\0' ) {
926 fprintf( stderr, "%s: line %d: "
927 "missing \"=\" in (or value after) \"%s\" "
929 fname, lineno, left );
933 if( b->a_sockname_pat.bv_len ) {
934 fprintf( stderr, "%s: line %d: "
935 "sockname pattern already specified.\n",
940 b->a_sockname_style = sty;
941 if (sty == ACL_STYLE_REGEX) {
942 acl_regex_normalized_dn( right, &bv );
943 if ( !ber_bvccmp( &bv, '*' ) ) {
944 regtest(fname, lineno, bv.bv_val);
946 b->a_sockname_pat = bv;
948 ber_str2bv( right, 0, 1, &b->a_sockname_pat );
953 if ( strcasecmp( left, "domain" ) == 0 ) {
955 case ACL_STYLE_REGEX:
957 case ACL_STYLE_SUBTREE:
958 /* legal, traditional */
961 case ACL_STYLE_EXPAND:
962 /* tolerated: means exact,expand */
966 "\"expand\" modifier with \"expand\" style\n",
969 sty = ACL_STYLE_BASE;
976 "%s: line %d: inappropriate style \"%s\" in by clause\n",
977 fname, lineno, style );
981 if ( right == NULL || right[ 0 ] == '\0' ) {
983 "%s: line %d: missing \"=\" in (or value after) \"%s\" in by clause\n",
984 fname, lineno, left );
988 if( b->a_domain_pat.bv_len ) {
990 "%s: line %d: domain pattern already specified.\n",
995 b->a_domain_style = sty;
996 b->a_domain_expand = expand;
997 if (sty == ACL_STYLE_REGEX) {
998 acl_regex_normalized_dn( right, &bv );
999 if ( !ber_bvccmp( &bv, '*' ) ) {
1000 regtest(fname, lineno, bv.bv_val);
1002 b->a_domain_pat = bv;
1004 ber_str2bv( right, 0, 1, &b->a_domain_pat );
1009 if ( strcasecmp( left, "sockurl" ) == 0 ) {
1011 case ACL_STYLE_REGEX:
1012 case ACL_STYLE_BASE:
1013 /* legal, traditional */
1014 case ACL_STYLE_EXPAND:
1015 /* cheap replacement to regex for simple expansion */
1020 fprintf( stderr, "%s: line %d: "
1021 "inappropriate style \"%s\" in by clause\n",
1022 fname, lineno, style );
1026 if ( right == NULL || right[ 0 ] == '\0' ) {
1028 "%s: line %d: missing \"=\" in (or value after) \"%s\" in by clause\n",
1029 fname, lineno, left );
1033 if( b->a_sockurl_pat.bv_len ) {
1035 "%s: line %d: sockurl pattern already specified.\n",
1040 b->a_sockurl_style = sty;
1041 if (sty == ACL_STYLE_REGEX) {
1042 acl_regex_normalized_dn( right, &bv );
1043 if ( !ber_bvccmp( &bv, '*' ) ) {
1044 regtest(fname, lineno, bv.bv_val);
1046 b->a_sockurl_pat = bv;
1048 ber_str2bv( right, 0, 1, &b->a_sockurl_pat );
1053 if ( strcasecmp( left, "set" ) == 0 ) {
1054 if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
1056 "%s: line %d: inappropriate style \"%s\" in by clause\n",
1057 fname, lineno, style );
1061 if( b->a_set_pat.bv_len != 0 ) {
1063 "%s: line %d: set attribute already specified.\n",
1068 if ( right == NULL || *right == '\0' ) {
1070 "%s: line %d: no set is defined\n",
1075 b->a_set_style = sty;
1076 ber_str2bv( right, 0, 1, &b->a_set_pat );
1081 #ifdef SLAPD_ACI_ENABLED
1082 if ( strcasecmp( left, "aci" ) == 0 ) {
1083 if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
1085 "%s: line %d: inappropriate style \"%s\" in by clause\n",
1086 fname, lineno, style );
1090 if( b->a_aci_at != NULL ) {
1092 "%s: line %d: aci attribute already specified.\n",
1097 if ( right != NULL && *right != '\0' ) {
1098 rc = slap_str2ad( right, &b->a_aci_at, &text );
1100 if( rc != LDAP_SUCCESS ) {
1102 "%s: line %d: aci \"%s\": %s\n",
1103 fname, lineno, right, text );
1108 b->a_aci_at = slap_schema.si_ad_aci;
1111 if( !is_at_syntax( b->a_aci_at->ad_type,
1115 "%s: line %d: aci \"%s\": inappropriate syntax: %s\n",
1116 fname, lineno, right,
1117 b->a_aci_at->ad_type->sat_syntax_oid );
1123 #endif /* SLAPD_ACI_ENABLED */
1125 if ( strcasecmp( left, "ssf" ) == 0 ) {
1126 if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
1128 "%s: line %d: inappropriate style \"%s\" in by clause\n",
1129 fname, lineno, style );
1133 if( b->a_authz.sai_ssf ) {
1135 "%s: line %d: ssf attribute already specified.\n",
1140 if ( right == NULL || *right == '\0' ) {
1142 "%s: line %d: no ssf is defined\n",
1147 b->a_authz.sai_ssf = atoi( right );
1149 if( !b->a_authz.sai_ssf ) {
1151 "%s: line %d: invalid ssf value (%s)\n",
1152 fname, lineno, right );
1158 if ( strcasecmp( left, "transport_ssf" ) == 0 ) {
1159 if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
1161 "%s: line %d: inappropriate style \"%s\" in by clause\n",
1162 fname, lineno, style );
1166 if( b->a_authz.sai_transport_ssf ) {
1168 "%s: line %d: transport_ssf attribute already specified.\n",
1173 if ( right == NULL || *right == '\0' ) {
1175 "%s: line %d: no transport_ssf is defined\n",
1180 b->a_authz.sai_transport_ssf = atoi( right );
1182 if( !b->a_authz.sai_transport_ssf ) {
1184 "%s: line %d: invalid transport_ssf value (%s)\n",
1185 fname, lineno, right );
1191 if ( strcasecmp( left, "tls_ssf" ) == 0 ) {
1192 if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
1194 "%s: line %d: inappropriate style \"%s\" in by clause\n",
1195 fname, lineno, style );
1199 if( b->a_authz.sai_tls_ssf ) {
1201 "%s: line %d: tls_ssf attribute already specified.\n",
1206 if ( right == NULL || *right == '\0' ) {
1208 "%s: line %d: no tls_ssf is defined\n",
1213 b->a_authz.sai_tls_ssf = atoi( right );
1215 if( !b->a_authz.sai_tls_ssf ) {
1217 "%s: line %d: invalid tls_ssf value (%s)\n",
1218 fname, lineno, right );
1224 if ( strcasecmp( left, "sasl_ssf" ) == 0 ) {
1225 if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
1227 "%s: line %d: inappropriate style \"%s\" in by clause\n",
1228 fname, lineno, style );
1232 if( b->a_authz.sai_sasl_ssf ) {
1234 "%s: line %d: sasl_ssf attribute already specified.\n",
1239 if ( right == NULL || *right == '\0' ) {
1241 "%s: line %d: no sasl_ssf is defined\n",
1246 b->a_authz.sai_sasl_ssf = atoi( right );
1248 if( !b->a_authz.sai_sasl_ssf ) {
1250 "%s: line %d: invalid sasl_ssf value (%s)\n",
1251 fname, lineno, right );
1257 if( right != NULL ) {
1264 if( i == argc || ( strcasecmp( left, "stop" ) == 0 )) {
1265 /* out of arguments or plain stop */
1267 ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE);
1268 b->a_type = ACL_STOP;
1270 access_append( &a->acl_access, b );
1274 if( strcasecmp( left, "continue" ) == 0 ) {
1275 /* plain continue */
1277 ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE);
1278 b->a_type = ACL_CONTINUE;
1280 access_append( &a->acl_access, b );
1284 if( strcasecmp( left, "break" ) == 0 ) {
1285 /* plain continue */
1287 ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE);
1288 b->a_type = ACL_BREAK;
1290 access_append( &a->acl_access, b );
1294 if ( strcasecmp( left, "by" ) == 0 ) {
1295 /* we've gone too far */
1297 ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE);
1298 b->a_type = ACL_STOP;
1300 access_append( &a->acl_access, b );
1305 if( strncasecmp( left, "self", 4 ) == 0 ) {
1307 ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[4] ) );
1310 ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( left ) );
1313 if( ACL_IS_INVALID( b->a_access_mask ) ) {
1315 "%s: line %d: expecting <access> got \"%s\"\n",
1316 fname, lineno, left );
1320 b->a_type = ACL_STOP;
1323 /* out of arguments or plain stop */
1324 access_append( &a->acl_access, b );
1328 if( strcasecmp( argv[i], "continue" ) == 0 ) {
1329 /* plain continue */
1330 b->a_type = ACL_CONTINUE;
1332 } else if( strcasecmp( argv[i], "break" ) == 0 ) {
1333 /* plain continue */
1334 b->a_type = ACL_BREAK;
1336 } else if ( strcasecmp( argv[i], "stop" ) != 0 ) {
1341 access_append( &a->acl_access, b );
1345 "%s: line %d: expecting \"to\" or \"by\" got \"%s\"\n",
1346 fname, lineno, argv[i] );
1351 /* if we have no real access clause, complain and do nothing */
1354 "%s: line %d: warning: no access clause(s) specified in access line\n",
1359 if (ldap_debug & LDAP_DEBUG_ACL)
1363 if ( a->acl_access == NULL ) {
1365 "%s: line %d: warning: no by clause(s) specified in access line\n",
1370 acl_append( &be->be_acl, a );
1372 acl_append( &global_acl, a );
1378 accessmask2str( slap_mask_t mask, char *buf )
1383 assert( buf != NULL );
1385 if ( ACL_IS_INVALID( mask ) ) {
1391 if ( ACL_IS_LEVEL( mask ) ) {
1392 if ( ACL_LVL_IS_NONE(mask) ) {
1393 ptr = lutil_strcopy( ptr, "none" );
1395 } else if ( ACL_LVL_IS_AUTH(mask) ) {
1396 ptr = lutil_strcopy( ptr, "auth" );
1398 } else if ( ACL_LVL_IS_COMPARE(mask) ) {
1399 ptr = lutil_strcopy( ptr, "compare" );
1401 } else if ( ACL_LVL_IS_SEARCH(mask) ) {
1402 ptr = lutil_strcopy( ptr, "search" );
1404 } else if ( ACL_LVL_IS_READ(mask) ) {
1405 ptr = lutil_strcopy( ptr, "read" );
1407 } else if ( ACL_LVL_IS_WRITE(mask) ) {
1408 ptr = lutil_strcopy( ptr, "write" );
1410 ptr = lutil_strcopy( ptr, "unknown" );
1416 if( ACL_IS_ADDITIVE( mask ) ) {
1419 } else if( ACL_IS_SUBTRACTIVE( mask ) ) {
1426 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WRITE) ) {
1431 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_READ) ) {
1436 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_SEARCH) ) {
1441 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_COMPARE) ) {
1446 if ( ACL_PRIV_ISSET(mask, ACL_PRIV_AUTH) ) {
1451 if ( none && ACL_PRIV_ISSET(mask, ACL_PRIV_NONE) ) {
1460 if ( ACL_IS_LEVEL( mask ) ) {
1470 str2accessmask( const char *str )
1474 if( !ASCII_ALPHA(str[0]) ) {
1477 if ( str[0] == '=' ) {
1480 } else if( str[0] == '+' ) {
1481 ACL_PRIV_ASSIGN(mask, ACL_PRIV_ADDITIVE);
1483 } else if( str[0] == '-' ) {
1484 ACL_PRIV_ASSIGN(mask, ACL_PRIV_SUBSTRACTIVE);
1487 ACL_INVALIDATE(mask);
1491 for( i=1; str[i] != '\0'; i++ ) {
1492 if( TOLOWER((unsigned char) str[i]) == 'w' ) {
1493 ACL_PRIV_SET(mask, ACL_PRIV_WRITE);
1495 } else if( TOLOWER((unsigned char) str[i]) == 'r' ) {
1496 ACL_PRIV_SET(mask, ACL_PRIV_READ);
1498 } else if( TOLOWER((unsigned char) str[i]) == 's' ) {
1499 ACL_PRIV_SET(mask, ACL_PRIV_SEARCH);
1501 } else if( TOLOWER((unsigned char) str[i]) == 'c' ) {
1502 ACL_PRIV_SET(mask, ACL_PRIV_COMPARE);
1504 } else if( TOLOWER((unsigned char) str[i]) == 'x' ) {
1505 ACL_PRIV_SET(mask, ACL_PRIV_AUTH);
1507 } else if( str[i] != '0' ) {
1508 ACL_INVALIDATE(mask);
1516 if ( strcasecmp( str, "none" ) == 0 ) {
1517 ACL_LVL_ASSIGN_NONE(mask);
1519 } else if ( strcasecmp( str, "auth" ) == 0 ) {
1520 ACL_LVL_ASSIGN_AUTH(mask);
1522 } else if ( strcasecmp( str, "compare" ) == 0 ) {
1523 ACL_LVL_ASSIGN_COMPARE(mask);
1525 } else if ( strcasecmp( str, "search" ) == 0 ) {
1526 ACL_LVL_ASSIGN_SEARCH(mask);
1528 } else if ( strcasecmp( str, "read" ) == 0 ) {
1529 ACL_LVL_ASSIGN_READ(mask);
1531 } else if ( strcasecmp( str, "write" ) == 0 ) {
1532 ACL_LVL_ASSIGN_WRITE(mask);
1535 ACL_INVALIDATE( mask );
1544 fprintf( stderr, "%s%s\n",
1545 "<access clause> ::= access to <what> "
1546 "[ by <who> <access> [ <control> ] ]+ \n"
1547 "<what> ::= * | [dn[.<dnstyle>]=<DN>] [filter=<filter>] [attrs=<attrlist>]\n"
1548 "<attrlist> ::= <attr> [val[.<style>]=<value>] | <attr> , <attrlist>\n"
1549 "<attr> ::= <attrname> | entry | children\n"
1550 "<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]\n"
1551 "\t[dnattr=<attrname>]\n"
1552 "\t[group[/<objectclass>[/<attrname>]][.<style>]=<group>]\n"
1553 "\t[peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]\n",
1554 "\t[domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]\n"
1555 #ifdef SLAPD_ACI_ENABLED
1556 "\t[aci=<attrname>]\n"
1558 "\t[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]\n"
1559 "<dnstyle> ::= base | exact | one(level) | sub(tree) | children | regex\n"
1560 "<style> ::= regex | base | exact\n"
1561 "<peernamestyle> ::= regex | exact | ip | path\n"
1562 "<domainstyle> ::= regex | base | exact | sub(tree)\n"
1563 "<access> ::= [self]{<level>|<priv>}\n"
1564 "<level> ::= none | auth | compare | search | read | write\n"
1565 "<priv> ::= {=|+|-}{w|r|s|c|x|0}+\n"
1566 "<control> ::= [ stop | continue | break ]\n"
1568 exit( EXIT_FAILURE );
1572 * Set pattern to a "normalized" DN from src.
1573 * At present it simply eats the (optional) space after
1574 * a RDN separator (,)
1575 * Eventually will evolve in a more complete normalization
1578 acl_regex_normalized_dn(
1580 struct berval *pattern
1586 str = ch_strdup( src );
1587 len = strlen( src );
1589 for ( p = str; p && p[ 0 ]; p++ ) {
1591 if ( p[ 0 ] == '\\' && p[ 1 ] ) {
1593 * if escaping a hex pair we should
1594 * increment p twice; however, in that
1595 * case the second hex number does
1601 if ( p[ 0 ] == ',' ) {
1602 if ( p[ 1 ] == ' ' ) {
1606 * too much space should be
1607 * an error if we are pedantic
1609 for ( q = &p[ 2 ]; q[ 0 ] == ' '; q++ ) {
1612 AC_MEMCPY( p+1, q, len-(q-str)+1);
1616 pattern->bv_val = str;
1617 pattern->bv_len = p-str;
1631 if ( (*right = strchr( line, splitchar )) != NULL ) {
1632 *((*right)++) = '\0';
1637 access_append( Access **l, Access *a )
1639 for ( ; *l != NULL; l = &(*l)->a_next )
1646 acl_append( AccessControl **l, AccessControl *a )
1648 for ( ; *l != NULL; l = &(*l)->acl_next )
1655 access_free( Access *a )
1657 if ( a->a_dn_pat.bv_val )
1658 free ( a->a_dn_pat.bv_val );
1659 if ( a->a_peername_pat.bv_val )
1660 free ( a->a_peername_pat.bv_val );
1661 if ( a->a_sockname_pat.bv_val )
1662 free ( a->a_sockname_pat.bv_val );
1663 if ( a->a_domain_pat.bv_val )
1664 free ( a->a_domain_pat.bv_val );
1665 if ( a->a_sockurl_pat.bv_val )
1666 free ( a->a_sockurl_pat.bv_val );
1667 if ( a->a_set_pat.bv_len )
1668 free ( a->a_set_pat.bv_val );
1669 if ( a->a_group_pat.bv_len )
1670 free ( a->a_group_pat.bv_val );
1675 acl_free( AccessControl *a )
1680 if ( a->acl_filter )
1681 filter_free( a->acl_filter );
1682 if ( a->acl_dn_pat.bv_len )
1683 free ( a->acl_dn_pat.bv_val );
1684 if ( a->acl_attrs ) {
1685 for ( an = a->acl_attrs; an->an_name.bv_val; an++ ) {
1686 free( an->an_name.bv_val );
1688 free( a->acl_attrs );
1690 for (; a->acl_access; a->acl_access = n) {
1691 n = a->acl_access->a_next;
1692 access_free( a->acl_access );
1697 /* Because backend_startup uses acl_append to tack on the global_acl to
1698 * the end of each backend's acl, we cannot just take one argument and
1699 * merrily free our way to the end of the list. backend_destroy calls us
1700 * with the be_acl in arg1, and global_acl in arg2 to give us a stopping
1701 * point. config_destroy calls us with global_acl in arg1 and NULL in
1702 * arg2, so we then proceed to polish off the global_acl.
1705 acl_destroy( AccessControl *a, AccessControl *end )
1709 for (; a && a!= end; a=n) {
1716 access2str( slap_access_t access )
1718 if ( access == ACL_NONE ) {
1721 } else if ( access == ACL_AUTH ) {
1724 } else if ( access == ACL_COMPARE ) {
1727 } else if ( access == ACL_SEARCH ) {
1730 } else if ( access == ACL_READ ) {
1733 } else if ( access == ACL_WRITE ) {
1741 str2access( const char *str )
1743 if ( strcasecmp( str, "none" ) == 0 ) {
1746 } else if ( strcasecmp( str, "auth" ) == 0 ) {
1749 } else if ( strcasecmp( str, "compare" ) == 0 ) {
1752 } else if ( strcasecmp( str, "search" ) == 0 ) {
1755 } else if ( strcasecmp( str, "read" ) == 0 ) {
1758 } else if ( strcasecmp( str, "write" ) == 0 ) {
1762 return( ACL_INVALID_ACCESS );
1768 print_access( Access *b )
1770 char maskbuf[ACCESSMASK_MAXLEN];
1772 fprintf( stderr, "\tby" );
1774 if ( b->a_dn_pat.bv_len != 0 ) {
1775 if( strcmp(b->a_dn_pat.bv_val, "*") == 0
1776 || strcmp(b->a_dn_pat.bv_val, "users") == 0
1777 || strcmp(b->a_dn_pat.bv_val, "anonymous") == 0
1778 || strcmp(b->a_dn_pat.bv_val, "self") == 0 )
1780 fprintf( stderr, " %s", b->a_dn_pat.bv_val );
1783 fprintf( stderr, " dn.%s=\"%s\"",
1784 style_strings[b->a_dn_style], b->a_dn_pat.bv_val );
1788 if ( b->a_dn_at != NULL ) {
1789 fprintf( stderr, " dnattr=%s", b->a_dn_at->ad_cname.bv_val );
1792 if ( b->a_group_pat.bv_len ) {
1793 fprintf( stderr, " group/%s/%s.%s=\"%s\"",
1794 b->a_group_oc ? b->a_group_oc->soc_cname.bv_val : "groupOfNames",
1795 b->a_group_at ? b->a_group_at->ad_cname.bv_val : "member",
1796 style_strings[b->a_group_style],
1797 b->a_group_pat.bv_val );
1800 if ( b->a_peername_pat.bv_len != 0 ) {
1801 fprintf( stderr, " peername=\"%s\"", b->a_peername_pat.bv_val );
1804 if ( b->a_sockname_pat.bv_len != 0 ) {
1805 fprintf( stderr, " sockname=\"%s\"", b->a_sockname_pat.bv_val );
1808 if ( b->a_domain_pat.bv_len != 0 ) {
1809 fprintf( stderr, " domain=%s", b->a_domain_pat.bv_val );
1812 if ( b->a_sockurl_pat.bv_len != 0 ) {
1813 fprintf( stderr, " sockurl=\"%s\"", b->a_sockurl_pat.bv_val );
1816 if ( b->a_set_pat.bv_len != 0 ) {
1817 fprintf( stderr, " set=\"%s\"", b->a_set_pat.bv_val );
1820 #ifdef SLAPD_ACI_ENABLED
1821 if ( b->a_aci_at != NULL ) {
1822 fprintf( stderr, " aci=%s", b->a_aci_at->ad_cname.bv_val );
1826 /* Security Strength Factors */
1827 if ( b->a_authz.sai_ssf ) {
1828 fprintf( stderr, " ssf=%u",
1829 b->a_authz.sai_ssf );
1831 if ( b->a_authz.sai_transport_ssf ) {
1832 fprintf( stderr, " transport_ssf=%u",
1833 b->a_authz.sai_transport_ssf );
1835 if ( b->a_authz.sai_tls_ssf ) {
1836 fprintf( stderr, " tls_ssf=%u",
1837 b->a_authz.sai_tls_ssf );
1839 if ( b->a_authz.sai_sasl_ssf ) {
1840 fprintf( stderr, " sasl_ssf=%u",
1841 b->a_authz.sai_sasl_ssf );
1844 fprintf( stderr, " %s%s",
1845 b->a_dn_self ? "self" : "",
1846 accessmask2str( b->a_access_mask, maskbuf ) );
1848 if( b->a_type == ACL_BREAK ) {
1849 fprintf( stderr, " break" );
1851 } else if( b->a_type == ACL_CONTINUE ) {
1852 fprintf( stderr, " continue" );
1854 } else if( b->a_type != ACL_STOP ) {
1855 fprintf( stderr, " unknown-control" );
1858 fprintf( stderr, "\n" );
1863 print_acl( Backend *be, AccessControl *a )
1868 fprintf( stderr, "%s ACL: access to",
1869 be == NULL ? "Global" : "Backend" );
1871 if ( a->acl_dn_pat.bv_len != 0 ) {
1873 fprintf( stderr, " dn.%s=\"%s\"\n",
1874 style_strings[a->acl_dn_style], a->acl_dn_pat.bv_val );
1877 if ( a->acl_filter != NULL ) {
1878 struct berval bv = BER_BVNULL;
1880 filter2bv( a->acl_filter, &bv );
1881 fprintf( stderr, " filter=%s\n", bv.bv_val );
1882 ch_free( bv.bv_val );
1885 if ( a->acl_attrs != NULL ) {
1890 fprintf( stderr, " attrs=" );
1891 for ( an = a->acl_attrs; an && an->an_name.bv_val; an++ ) {
1893 fprintf( stderr, "," );
1896 fputc( an->an_oc_exclude ? '!' : '@', stderr);
1898 fputs( an->an_name.bv_val, stderr );
1901 fprintf( stderr, "\n" );
1904 if ( a->acl_attrval.bv_len != 0 ) {
1906 fprintf( stderr, " val.%s=\"%s\"\n",
1907 style_strings[a->acl_attrval_style], a->acl_attrval.bv_val );
1912 fprintf( stderr, " *\n" );
1915 for ( b = a->acl_access; b != NULL; b = b->a_next ) {
1919 fprintf( stderr, "\n" );
1922 #endif /* LDAP_DEBUG */