1 /* acl.c - routines to parse and check acl's */
10 #include <ac/string.h>
11 #include <ac/unistd.h>
15 static void split(char *line, int splitchar, char **left, char **right);
16 static void acl_append(struct acl **l, struct acl *a);
17 static void access_append(struct access **l, struct access *a);
18 static void acl_usage(void);
20 static void print_acl(struct acl *a);
21 static void print_access(struct access *b);
25 regtest(char *fname, int lineno, char *pat) {
41 for (size = 0, flag = 0; (size < sizeof(buf)) && *sp; sp++) {
43 if (*sp == '$'|| (*sp >= '0' && *sp <= '9')) {
60 if ( size >= (sizeof(buf)-1) ) {
62 "%s: line %d: regular expression \"%s\" too large\n",
63 fname, lineno, pat, 0 );
67 if ((e = regcomp(&re, buf, REG_EXTENDED|REG_ICASE))) {
69 regerror(e, &re, error, sizeof(error));
71 "%s: line %d: regular expression \"%s\" bad because of %s\n",
72 fname, lineno, pat, error );
95 for ( i = 1; i < argc; i++ ) {
96 /* to clause - select which entries are protected */
97 if ( strcasecmp( argv[i], "to" ) == 0 ) {
100 "%s: line %d: only one to clause allowed in access line\n",
104 a = (struct acl *) ch_calloc( 1, sizeof(struct acl) );
105 for ( ++i; i < argc; i++ ) {
106 if ( strcasecmp( argv[i], "by" ) == 0 ) {
111 if ( strcasecmp( argv[i], "*" ) == 0 ) {
113 if ((e = regcomp( &a->acl_dnre, ".*",
114 REG_EXTENDED|REG_ICASE)))
117 regerror(e, &a->acl_dnre, buf, sizeof(buf));
119 "%s: line %d: regular expression \"%s\" bad because of %s\n",
120 fname, lineno, right, buf );
123 a->acl_dnpat = ch_strdup( ".*" );
127 split( argv[i], '=', &left, &right );
128 if ( right == NULL || *right == '\0' ) {
130 "%s: line %d: missing \"=\" in (or value after) \"%s\" in to clause\n",
131 fname, lineno, left );
135 if ( strcasecmp( left, "filter" ) == 0 ) {
136 if ( (a->acl_filter = str2filter(
139 "%s: line %d: bad filter \"%s\" in to clause\n",
140 fname, lineno, right );
143 } else if ( strcasecmp( left, "dn" ) == 0 ) {
145 if ((e = regcomp(&a->acl_dnre, right,
146 REG_EXTENDED|REG_ICASE))) {
148 regerror(e, &a->acl_dnre, buf, sizeof(buf));
150 "%s: line %d: regular expression \"%s\" bad because of %s\n",
151 fname, lineno, right, buf );
155 a->acl_dnpat = dn_upcase(ch_strdup( right ));
157 } else if ( strncasecmp( left, "attr", 4 )
161 alist = str2charray( right, "," );
162 charray_merge( &a->acl_attrs, alist );
163 charray_free( alist );
166 "%s: line %d: expecting <what> got \"%s\"\n",
167 fname, lineno, left );
172 /* by clause - select who has what access to entries */
173 } else if ( strcasecmp( argv[i], "by" ) == 0 ) {
176 "%s: line %d: to clause required before by clause in access line\n",
181 * by clause consists of <who> and <access>
184 b = (struct access *) ch_calloc( 1, sizeof(struct access) );
188 "%s: line %d: premature eol: expecting <who>\n",
194 split( argv[i], '=', &left, &right );
195 if ( strcasecmp( argv[i], "*" ) == 0 ) {
196 b->a_dnpat = ch_strdup( ".*" );
197 } else if ( strcasecmp( argv[i], "anonymous" ) == 0 ) {
198 b->a_dnpat = ch_strdup( "anonymous" );
199 } else if ( strcasecmp( argv[i], "self" ) == 0 ) {
200 b->a_dnpat = ch_strdup( "self" );
201 } else if ( strcasecmp( left, "dn" ) == 0 ) {
202 regtest(fname, lineno, right);
203 b->a_dnpat = dn_upcase( ch_strdup( right ) );
204 } else if ( strcasecmp( left, "dnattr" ) == 0 ) {
205 b->a_dnattr = ch_strdup( right );
207 #ifdef SLAPD_ACLGROUPS
208 } else if ( strncasecmp( left, "group", sizeof("group")-1 ) == 0 ) {
212 /* format of string is "group/objectClassValue/groupAttrName"
214 if ((value = strchr(left, '/')) != NULL) {
216 if (value && *value && (name = strchr(value, '/')) != NULL)
220 regtest(fname, lineno, right);
221 b->a_group = dn_upcase(ch_strdup( right ));
223 if (value && *value) {
224 b->a_group_oc = ch_strdup(value);
228 b->a_group_oc = ch_strdup("groupOfNames");
231 b->a_group_at = ch_strdup(name);
235 b->a_group_at = ch_strdup("member");
239 #endif /* SLAPD_ACLGROUPS */
240 } else if ( strcasecmp( left, "domain" ) == 0 ) {
242 regtest(fname, lineno, right);
243 b->a_domainpat = ch_strdup( right );
245 /* normalize the domain */
246 for ( s = b->a_domainpat; *s; s++ ) {
247 *s = TOLOWER( (unsigned char) *s );
249 } else if ( strcasecmp( left, "addr" ) == 0 ) {
250 regtest(fname, lineno, right);
251 b->a_addrpat = ch_strdup( right );
254 "%s: line %d: expecting <who> got \"%s\"\n",
255 fname, lineno, left );
261 "%s: line %d: premature eol: expecting <access>\n",
267 split( argv[i], '=', &left, &right );
268 if ( ACL_IS_INVALID(ACL_SET(b->a_access,str2access( left ))) ) {
270 "%s: line %d: expecting <access> got \"%s\"\n",
271 fname, lineno, left );
274 access_append( &a->acl_access, b );
278 "%s: line %d: expecting \"to\" or \"by\" got \"%s\"\n",
279 fname, lineno, argv[i] );
284 /* if we have no real access clause, complain and do nothing */
287 "%s: line %d: warning: no access clause(s) specified in access line\n",
293 if (ldap_debug & LDAP_DEBUG_ACL)
297 if ( a->acl_access == NULL ) {
299 "%s: line %d: warning: no by clause(s) specified in access line\n",
304 acl_append( &be->be_acl, a );
306 acl_append( &global_acl, a );
312 access2str( int access )
316 if ( ACL_IS_SELF( access ) ) {
317 strcpy( buf, "self" );
322 if ( ACL_IS_NONE(access) ) {
323 strcat( buf, "none" );
325 } else if ( ACL_IS_AUTH(access) ) {
326 strcat( buf, "auth" );
328 } else if ( ACL_IS_COMPARE(access) ) {
329 strcat( buf, "compare" );
330 } else if ( ACL_IS_SEARCH(access) ) {
331 strcat( buf, "search" );
332 } else if ( ACL_IS_READ(access) ) {
333 strcat( buf, "read" );
334 } else if ( ACL_IS_WRITE(access) ) {
335 strcat( buf, "write" );
337 strcat( buf, "unknown" );
344 str2access( char *str )
350 if ( strncasecmp( str, "self", 4 ) == 0 ) {
351 ACL_SET_SELF(access);
355 if ( strcasecmp( str, "none" ) == 0 ) {
356 ACL_SET_NONE(access);
358 } else if ( strcasecmp( str, "auth" ) == 0 ) {
359 ACL_SET_AUTH(access);
361 } else if ( strcasecmp( str, "compare" ) == 0 ) {
362 ACL_SET_COMPARE(access);
363 } else if ( strcasecmp( str, "search" ) == 0 ) {
364 ACL_SET_SEARCH(access);
365 } else if ( strcasecmp( str, "read" ) == 0 ) {
366 ACL_SET_READ(access);
367 } else if ( strcasecmp( str, "write" ) == 0 ) {
368 ACL_SET_WRITE(access);
370 ACL_SET_INVALID(access);
379 fprintf( stderr, "\n"
380 "<access clause> ::= access to <what> [ by <who> <access> ]+ \n"
381 "<what> ::= * | [dn=<regex>] [filter=<ldapfilter>] [attrs=<attrlist>]\n"
382 "<attrlist> ::= <attr> | <attr> , <attrlist>\n"
383 "<attr> ::= <attrname> | entry | children\n"
384 "<who> ::= * | anonymous | self | dn=<regex> | addr=<regex>\n"
385 "\t| domain=<regex> | dnattr=<dnattrname>\n"
386 #ifdef SLAPD_ACLGROUPS
387 "\t| group[/<objectclass>[/<attrname>]]=<regex>\n"
390 "<access> ::= [self]{none|auth|compare|search|read|write}\n"
392 "<access> ::= [self]{none|auth|compare|search|read|write}\n"
407 if ( (*right = strchr( line, splitchar )) != NULL ) {
408 *((*right)++) = '\0';
413 access_append( struct access **l, struct access *a )
415 for ( ; *l != NULL; l = &(*l)->a_next )
422 acl_append( struct acl **l, struct acl *a )
424 for ( ; *l != NULL; l = &(*l)->acl_next )
433 print_access( struct access *b )
435 fprintf( stderr, "\tby" );
437 if ( b->a_dnpat != NULL ) {
438 if( strcmp(b->a_dnpat, "anonymous") == 0 ) {
439 fprintf( stderr, " anonymous" );
440 } else if( strcmp(b->a_dnpat, "self") == 0 ) {
441 fprintf( stderr, " self" );
443 fprintf( stderr, " dn=%s", b->a_dnpat );
445 } else if ( b->a_addrpat != NULL ) {
446 fprintf( stderr, " addr=%s", b->a_addrpat );
447 } else if ( b->a_domainpat != NULL ) {
448 fprintf( stderr, " domain=%s", b->a_domainpat );
449 } else if ( b->a_dnattr != NULL ) {
450 fprintf( stderr, " dnattr=%s", b->a_dnattr );
452 #ifdef SLAPD_ACLGROUPS
453 else if ( b->a_group != NULL ) {
454 fprintf( stderr, " group: %s", b->a_group );
456 fprintf( stderr, " objectClass: %s", b->a_group_oc );
458 fprintf( stderr, " attributeType: %s", b->a_group_at );
461 fprintf( stderr, "\n" );
465 print_acl( struct acl *a )
471 fprintf( stderr, "NULL\n" );
473 fprintf( stderr, "ACL: access to" );
474 if ( a->acl_filter != NULL ) {
475 fprintf( stderr," filter=" );
476 filter_print( a->acl_filter );
478 if ( a->acl_dnpat != NULL ) {
479 fprintf( stderr, " dn=" );
480 fprintf( stderr, a->acl_dnpat );
482 if ( a->acl_attrs != NULL ) {
485 fprintf( stderr, "\n attrs=" );
486 for ( i = 0; a->acl_attrs[i] != NULL; i++ ) {
488 fprintf( stderr, "," );
490 fprintf( stderr, a->acl_attrs[i] );
494 fprintf( stderr, "\n" );
495 for ( b = a->acl_access; b != NULL; b = b->a_next ) {
498 fprintf( stderr, "\n" );
501 #endif /* LDAP_DEBUG */