git.sur5r.net Git - openldap/blob - servers/slapd/aclparse.c

   1 /* aclparse.c - routines to parse and check acl's */
   2 /* $OpenLDAP$ */
   3 /*
   4  * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved.
   5  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
   6  */
   7
   8 #include "portable.h"
   9
  10 #include <stdio.h>
  11
  12 #include <ac/ctype.h>
  13 #include <ac/regex.h>
  14 #include <ac/socket.h>
  15 #include <ac/string.h>
  16 #include <ac/unistd.h>
  17
  18 #include "slap.h"
  19
  20 static void             split(char *line, int splitchar, char **left, char **right);
  21 static void             access_append(Access **l, Access *a);
  22 static void             acl_usage(void) LDAP_GCCATTR((noreturn));
  23
  24 #ifdef LDAP_DEBUG
  25 static void             print_acl(Backend *be, AccessControl *a);
  26 static void             print_access(Access *b);
  27 #endif
  28
  29 static int
  30 regtest(const char *fname, int lineno, char *pat) {
  31         int e;
  32         regex_t re;
  33
  34         char buf[512];
  35         unsigned size;
  36
  37         char *sp;
  38         char *dp;
  39         int  flag;
  40
  41         sp = pat;
  42         dp = buf;
  43         size = 0;
  44         buf[0] = '\0';
  45
  46         for (size = 0, flag = 0; (size < sizeof(buf)) && *sp; sp++) {
  47                 if (flag) {
  48                         if (*sp == '$'|| (*sp >= '0' && *sp <= '9')) {
  49                                 *dp++ = *sp;
  50                                 size++;
  51                         }
  52                         flag = 0;
  53
  54                 } else {
  55                         if (*sp == '$') {
  56                                 flag = 1;
  57                         } else {
  58                                 *dp++ = *sp;
  59                                 size++;
  60                         }
  61                 }
  62         }
  63
  64         *dp = '\0';
  65         if ( size >= (sizeof(buf)-1) ) {
  66                 fprintf( stderr,
  67                         "%s: line %d: regular expression \"%s\" too large\n",
  68                         fname, lineno, pat );
  69                 acl_usage();
  70         }
  71
  72         if ((e = regcomp(&re, buf, REG_EXTENDED|REG_ICASE))) {
  73                 char error[512];
  74                 regerror(e, &re, error, sizeof(error));
  75                 fprintf( stderr,
  76                         "%s: line %d: regular expression \"%s\" bad because of %s\n",
  77                         fname, lineno, pat, error );
  78                 acl_usage();
  79                 return(0);
  80         }
  81         regfree(&re);
  82         return(1);
  83 }
  84
  85 void
  86 parse_acl(
  87     Backend     *be,
  88     const char  *fname,
  89     int         lineno,
  90     int         argc,
  91     char        **argv
  92 )
  93 {
  94         int             i;
  95         char            *left, *right;
  96         AccessControl   *a;
  97         Access  *b;
  98 #ifdef SLAPD_SCHEMA_NOT_COMPAT
  99         int rc;
 100         const char *text;
 101         AttributeDescription *ad_distinguishedName = slap_schema.si_ad_distinguishedName;
 102         AttributeDescription *ad_member = slap_schema.si_ad_member;
 103 #ifdef SLAPD_ACI_ENABLED
 104         AttributeDescription *ad_aci = slap_schema.si_ad_aci;
 105 #endif
 106 #else
 107         static char *ad_aci = "aci";
 108         static char *ad_member = "member";
 109 #endif
 110
 111         a = NULL;
 112         for ( i = 1; i < argc; i++ ) {
 113                 /* to clause - select which entries are protected */
 114                 if ( strcasecmp( argv[i], "to" ) == 0 ) {
 115                         if ( a != NULL ) {
 116                                 fprintf( stderr,
 117                 "%s: line %d: only one to clause allowed in access line\n",
 118                                     fname, lineno );
 119                                 acl_usage();
 120                         }
 121                         a = (AccessControl *) ch_calloc( 1, sizeof(AccessControl) );
 122                         a->acl_filter = NULL;
 123                         a->acl_dn_pat = NULL;
 124                         a->acl_attrs  = NULL;
 125                         a->acl_access = NULL;
 126                         a->acl_next   = NULL;
 127                         for ( ++i; i < argc; i++ ) {
 128                                 if ( strcasecmp( argv[i], "by" ) == 0 ) {
 129                                         i--;
 130                                         break;
 131                                 }
 132
 133                                 if ( strcasecmp( argv[i], "*" ) == 0 ) {
 134                                         if( a->acl_dn_pat != NULL ) {
 135                                                 fprintf( stderr,
 136                                                         "%s: line %d: dn pattern"
 137                                                         " already specified in to clause.\n",
 138                                                         fname, lineno );
 139                                                 acl_usage();
 140                                         }
 141
 142                                         a->acl_dn_pat = ch_strdup( "*" );
 143                                         continue;
 144                                 }
 145
 146                                 split( argv[i], '=', &left, &right );
 147
 148                                 if ( strcasecmp( left, "dn" ) == 0 ) {
 149                                         if( a->acl_dn_pat != NULL ) {
 150                                                 fprintf( stderr,
 151                                                         "%s: line %d: dn pattern"
 152                                                         " already specified in to clause.\n",
 153                                                         fname, lineno );
 154                                                 acl_usage();
 155                                         }
 156
 157                                         if ( right == NULL ) {
 158                                                 fprintf( stderr,
 159         "%s: line %d: missing \"=\" in \"%s\" in to clause\n",
 160                                                     fname, lineno, left );
 161                                                 acl_usage();
 162                                         }
 163
 164                                         if( *right == '\0' ) {
 165                                                 a->acl_dn_pat = ch_strdup("^$");
 166
 167                                         } else if ( strcmp(right, "*") == 0
 168                                                 || strcmp(right, ".*") == 0
 169                                                 || strcmp(right, ".*$") == 0
 170                                                 || strcmp(right, "^.*") == 0
 171                                                 || strcmp(right, "^.*$$") == 0
 172                                                 || strcmp(right, ".*$$") == 0
 173                                                 || strcmp(right, "^.*$$") == 0 )
 174                                         {
 175                                                 a->acl_dn_pat = ch_strdup( "*" );
 176
 177                                         } else {
 178                                                 a->acl_dn_pat = ch_strdup( right );
 179                                         }
 180
 181                                         continue;
 182                                 }
 183
 184                                 if ( right == NULL || *right == '\0' ) {
 185                                         fprintf( stderr,
 186         "%s: line %d: missing \"=\" in (or value after) \"%s\" in to clause\n",
 187                                             fname, lineno, left );
 188                                         acl_usage();
 189                                 }
 190
 191                                 if ( strcasecmp( left, "filter" ) == 0 ) {
 192                                         if ( (a->acl_filter = str2filter(
 193                                             right )) == NULL ) {
 194                                                 fprintf( stderr,
 195                                 "%s: line %d: bad filter \"%s\" in to clause\n",
 196                                                     fname, lineno, right );
 197                                                 acl_usage();
 198                                         }
 199
 200                                 } else if ( strncasecmp( left, "attr", 4 ) == 0 ) {
 201                                         char    **alist;
 202
 203                                         alist = str2charray( right, "," );
 204                                         charray_merge( &a->acl_attrs, alist );
 205                                         charray_free( alist );
 206
 207                                 } else {
 208                                         fprintf( stderr,
 209                                                 "%s: line %d: expecting <what> got \"%s\"\n",
 210                                             fname, lineno, left );
 211                                         acl_usage();
 212                                 }
 213                         }
 214
 215                         if ( a->acl_dn_pat != NULL && strcmp(a->acl_dn_pat, "*") == 0) {
 216                                 free( a->acl_dn_pat );
 217                                 a->acl_dn_pat = NULL;
 218                         }
 219
 220                         if( a->acl_dn_pat != NULL ) {
 221                                 int e = regcomp( &a->acl_dn_re, a->acl_dn_pat,
 222                                                  REG_EXTENDED | REG_ICASE );
 223                                 if ( e ) {
 224                                         char buf[512];
 225                                         regerror( e, &a->acl_dn_re, buf, sizeof(buf) );
 226                                         fprintf( stderr,
 227                                 "%s: line %d: regular expression \"%s\" bad because of %s\n",
 228                                                  fname, lineno, right, buf );
 229                                         acl_usage();
 230                                 }
 231                         }
 232
 233                 /* by clause - select who has what access to entries */
 234                 } else if ( strcasecmp( argv[i], "by" ) == 0 ) {
 235                         if ( a == NULL ) {
 236                                 fprintf( stderr,
 237                                         "%s: line %d: to clause required before by clause in access line\n",
 238                                     fname, lineno );
 239                                 acl_usage();
 240                         }
 241
 242                         /*
 243                          * by clause consists of <who> and <access>
 244                          */
 245
 246                         b = (Access *) ch_calloc( 1, sizeof(Access) );
 247
 248                         ACL_INVALIDATE( b->a_mask );
 249
 250                         if ( ++i == argc ) {
 251                                 fprintf( stderr,
 252                             "%s: line %d: premature eol: expecting <who>\n",
 253                                     fname, lineno );
 254                                 acl_usage();
 255                         }
 256
 257                         /* get <who> */
 258                         for ( ; i < argc; i++ ) {
 259                                 char *pat;
 260                                 split( argv[i], '=', &left, &right );
 261
 262                                 if ( strcasecmp( argv[i], "*" ) == 0 ) {
 263                                         pat = ch_strdup( "*" );
 264
 265                                 } else if ( strcasecmp( argv[i], "anonymous" ) == 0 ) {
 266                                         pat = ch_strdup( "anonymous" );
 267
 268                                 } else if ( strcasecmp( argv[i], "self" ) == 0 ) {
 269                                         pat = ch_strdup( "self" );
 270
 271                                 } else if ( strcasecmp( argv[i], "users" ) == 0 ) {
 272                                         pat = ch_strdup( "users" );
 273
 274                                 } else if ( strcasecmp( left, "dn" ) == 0 ) {
 275                                         if( right == NULL ) {
 276                                                 /* no '=' */
 277                                                 pat = ch_strdup( "users" );
 278
 279                                         } else if (*right == '\0' ) {
 280                                                 /* dn="" */
 281                                                 pat = ch_strdup( "anonymous" );
 282
 283                                         } else if ( strcmp( right, "*" ) == 0 ) {
 284                                                 /* dn=* */
 285                                                 /* any or users?  any for now */
 286                                                 pat = ch_strdup( "users" );
 287
 288                                         } else if ( strcmp( right, ".+" ) == 0
 289                                                 || strcmp( right, "^.+" ) == 0
 290                                                 || strcmp( right, ".+$" ) == 0
 291                                                 || strcmp( right, "^.+$" ) == 0
 292                                                 || strcmp( right, ".+$$" ) == 0
 293                                                 || strcmp( right, "^.+$$" ) == 0 )
 294                                         {
 295                                                 pat = ch_strdup( "users" );
 296
 297                                         } else if ( strcmp( right, ".*" ) == 0
 298                                                 || strcmp( right, "^.*" ) == 0
 299                                                 || strcmp( right, ".*$" ) == 0
 300                                                 || strcmp( right, "^.*$" ) == 0
 301                                                 || strcmp( right, ".*$$" ) == 0
 302                                                 || strcmp( right, "^.*$$" ) == 0 )
 303                                         {
 304                                                 pat = ch_strdup( "*" );
 305
 306                                         } else {
 307                                                 regtest(fname, lineno, right);
 308                                                 pat = ch_strdup( right );
 309                                         }
 310
 311                                 } else {
 312                                         pat = NULL;
 313                                 }
 314
 315                                 if( pat != NULL ) {
 316                                         if( b->a_dn_pat != NULL ) {
 317                                                 fprintf( stderr,
 318                                                     "%s: line %d: dn pattern already specified.\n",
 319                                                     fname, lineno );
 320                                                 acl_usage();
 321                                         }
 322
 323                                         b->a_dn_pat = pat;
 324                                         continue;
 325                                 }
 326
 327                                 if ( strcasecmp( left, "dnattr" ) == 0 ) {
 328                                         if( b->a_dn_at != NULL ) {
 329                                                 fprintf( stderr,
 330                                                         "%s: line %d: dnattr already specified.\n",
 331                                                         fname, lineno );
 332                                                 acl_usage();
 333                                         }
 334
 335 #ifdef SLAPD_SCHEMA_NOT_COMPAT
 336                                         rc = slap_str2ad( right, &b->a_dn_at, &text );
 337
 338                                         if( rc != LDAP_SUCCESS ) {
 339                                                 fprintf( stderr,
 340                                                         "%s: line %d: dnattr \"%s\": %s\n",
 341                                                         fname, lineno, right, text );
 342                                                 acl_usage();
 343                                         }
 344
 345
 346                                         if( b->a_dn_at->ad_type->sat_syntax
 347                                                 != ad_distinguishedName->ad_type->sat_syntax )
 348                                         {
 349                                                 fprintf( stderr,
 350                                                         "%s: line %d: dnattr \"%s\": inappropriate syntax: %s\n",
 351                                                         fname, lineno, right,
 352                                                         b->a_dn_at->ad_type->sat_syntax_oid );
 353                                                 acl_usage();
 354                                         }
 355
 356 #else
 357                                         b->a_dn_at = ch_strdup( right );
 358 #endif
 359                                         continue;
 360                                 }
 361
 362                                 if ( strncasecmp( left, "group", sizeof("group")-1 ) == 0 ) {
 363                                         char *name = NULL;
 364                                         char *value = NULL;
 365
 366                                         if( b->a_group_pat != NULL ) {
 367                                                 fprintf( stderr,
 368                                                         "%s: line %d: group pattern already specified.\n",
 369                                                         fname, lineno );
 370                                                 acl_usage();
 371                                         }
 372
 373                                         /* format of string is "group/objectClassValue/groupAttrName" */
 374                                         if ((value = strchr(left, '/')) != NULL) {
 375                                                 *value++ = '\0';
 376                                                 if (*value
 377                                                         && (name = strchr(value, '/')) != NULL)
 378                                                 {
 379                                                         *name++ = '\0';
 380                                                 }
 381                                         }
 382
 383                                         regtest(fname, lineno, right);
 384                                         b->a_group_pat = ch_strdup( right );
 385
 386                                         if (value && *value) {
 387 #ifdef SLAPD_SCHEMA_NOT_COMPAT
 388                                                 b->a_group_oc = oc_find( value );
 389 #else
 390                                                 b->a_group_oc = ch_strdup(value);
 391 #endif
 392                                                 if( b->a_group_oc == NULL ) {
 393                                                         fprintf( stderr,
 394                                                                 "%s: line %d: group objectclass \"%s\" unknown\n",
 395                                                                 fname, lineno, value );
 396                                                         acl_usage();
 397                                                 }
 398
 399 #ifdef SLAPD_SCHEMA_NOT_COMPAT
 400                                                 if( is_object_subclass( b->a_group_oc,
 401                                                         slap_schema.si_oc_referral ) )
 402                                                 {
 403                                                         fprintf( stderr,
 404                                                                 "%s: line %d: group objectclass \"%s\" is subclass of referral\n",
 405                                                                 fname, lineno, value );
 406                                                         acl_usage();
 407                                                 }
 408
 409                                                 if( is_object_subclass( b->a_group_oc,
 410                                                         slap_schema.si_oc_alias ) )
 411                                                 {
 412                                                         fprintf( stderr,
 413                                                                 "%s: line %d: group objectclass \"%s\" is subclass of alias\n",
 414                                                                 fname, lineno, value );
 415                                                         acl_usage();
 416                                                 }
 417 #endif
 418
 419                                                 *--value = '/';
 420
 421                                         } else {
 422 #ifdef SLAPD_SCHEMA_NOT_COMPAT
 423                                                 b->a_group_oc = slap_schema.si_oc_groupOfNames;
 424 #else
 425                                                 b->a_group_oc = ch_strdup("groupOfNames");
 426 #endif
 427                                         }
 428
 429
 430                                         if (name && *name) {
 431 #ifdef SLAPD_SCHEMA_NOT_COMPAT
 432                                                 rc = slap_str2ad( right, &b->a_group_at, &text );
 433
 434                                                 if( rc != LDAP_SUCCESS ) {
 435                                                         fprintf( stderr,
 436                                                                 "%s: line %d: group \"%s\": %s\n",
 437                                                                 fname, lineno, right, text );
 438                                                         acl_usage();
 439                                                 }
 440
 441                                                 if( b->a_group_at->ad_type->sat_syntax
 442                                                         != ad_member->ad_type->sat_syntax )
 443                                                 {
 444                                                         fprintf( stderr,
 445                                                                 "%s: line %d: group \"%s\": inappropriate syntax: %s\n",
 446                                                                 fname, lineno, right,
 447                                                                 b->a_group_at->ad_type->sat_syntax_oid );
 448                                                         acl_usage();
 449                                                 }
 450 #else
 451                                                 b->a_group_at = ch_strdup(name);
 452 #endif
 453                                                 *--name = '/';
 454
 455                                         } else {
 456 #ifdef SLAPD_SCHEMA_NOT_COMPAT
 457                                                 b->a_group_at = ad_dup( ad_member );
 458 #else
 459                                                 b->a_group_at = ch_strdup( ad_member );
 460 #endif
 461                                         }
 462
 463 #ifdef SLAPD_SCHEMA_NOT_COMPAT
 464                                         if( b->a_group_at == NULL ) {
 465                                                 fprintf( stderr,
 466                                                         "%s: line %d: group attribute type undefined.\n",
 467                                                         fname, lineno );
 468                                                 acl_usage();
 469                                         }
 470
 471
 472                                         {
 473                                                 int rc;
 474                                                 struct berval val;
 475                                                 struct berval *vals[2];
 476
 477                                                 val.bv_val = b->a_group_oc->soc_oid;
 478                                                 val.bv_len = strlen(val.bv_val);
 479                                                 vals[0] = &val;
 480                                                 vals[1] = NULL;
 481
 482
 483                                                 rc = oc_check_allowed( b->a_group_at->ad_type, vals );
 484
 485                                                 if( rc != 0 ) {
 486                                                         fprintf( stderr,
 487                                                                 "%s: line %d: group: \"%s\" not allowed by \"%s\"\n",
 488                                                                 fname, lineno,
 489                                                                 b->a_group_at->ad_type,
 490                                                                 b->a_group_oc->soc_oid );
 491                                                         acl_usage();
 492                                                 }
 493                                         }
 494
 495 #endif /* SLAPD_SCHEMA_NOT_COMPAT */
 496                                         continue;
 497                                 }
 498
 499                                 if ( strcasecmp( left, "peername" ) == 0 ) {
 500                                         if( b->a_peername_pat != NULL ) {
 501                                                 fprintf( stderr,
 502                                                         "%s: line %d: peername pattern already specified.\n",
 503                                                         fname, lineno );
 504                                                 acl_usage();
 505                                         }
 506
 507                                         regtest(fname, lineno, right);
 508                                         b->a_peername_pat = ch_strdup( right );
 509                                         continue;
 510                                 }
 511
 512                                 if ( strcasecmp( left, "sockname" ) == 0 ) {
 513                                         if( b->a_sockname_pat != NULL ) {
 514                                                 fprintf( stderr,
 515                                                         "%s: line %d: sockname pattern already specified.\n",
 516                                                         fname, lineno );
 517                                                 acl_usage();
 518                                         }
 519
 520                                         regtest(fname, lineno, right);
 521                                         b->a_sockname_pat = ch_strdup( right );
 522                                         continue;
 523                                 }
 524
 525                                 if ( strcasecmp( left, "domain" ) == 0 ) {
 526                                         if( b->a_domain_pat != NULL ) {
 527                                                 fprintf( stderr,
 528                                                         "%s: line %d: domain pattern already specified.\n",
 529                                                         fname, lineno );
 530                                                 acl_usage();
 531                                         }
 532
 533                                         regtest(fname, lineno, right);
 534                                         b->a_domain_pat = ch_strdup( right );
 535                                         continue;
 536                                 }
 537
 538                                 if ( strcasecmp( left, "sockurl" ) == 0 ) {
 539                                         if( b->a_sockurl_pat != NULL ) {
 540                                                 fprintf( stderr,
 541                                                         "%s: line %d: sockurl pattern already specified.\n",
 542                                                         fname, lineno );
 543                                                 acl_usage();
 544                                         }
 545
 546                                         regtest(fname, lineno, right);
 547                                         b->a_sockurl_pat = ch_strdup( right );
 548                                         continue;
 549                                 }
 550
 551 #ifdef SLAPD_ACI_ENABLED
 552                                 if ( strcasecmp( left, "aci" ) == 0 ) {
 553                                         if( b->a_aci_at != NULL ) {
 554                                                 fprintf( stderr,
 555                                                         "%s: line %d: aci attribute already specified.\n",
 556                                                         fname, lineno );
 557                                                 acl_usage();
 558                                         }
 559
 560 #ifdef SLAPD_SCHEMA_NOT_COMPAT
 561                                         if ( right != NULL && *right != '\0' ) {
 562                                                 rc = slap_str2ad( right, &b->a_aci_at, &text );
 563
 564                                                 if( rc != LDAP_SUCCESS ) {
 565                                                         fprintf( stderr,
 566                                                                 "%s: line %d: aci \"%s\": %s\n",
 567                                                                 fname, lineno, right, text );
 568                                                         acl_usage();
 569                                                 }
 570
 571                                                 if( b->a_aci_at->ad_type->sat_syntax
 572                                                         != ad_aci->ad_type->sat_syntax )
 573                                                 {
 574                                                         fprintf( stderr,
 575                                                                 "%s: line %d: aci \"%s\": inappropriate syntax: %s\n",
 576                                                                 fname, lineno, right,
 577                                                                 b->a_aci_at->ad_type->sat_syntax_oid );
 578                                                         acl_usage();
 579                                                 }
 580                                         } else {
 581                                                 b->a_aci_at = ad_dup( ad_aci );
 582                                         }
 583
 584                                         if( b->a_aci_at == NULL ) {
 585                                                 fprintf( stderr,
 586                                                         "%s: line %d: aci attribute type undefined.\n",
 587                                                         fname, lineno );
 588                                                 acl_usage();
 589                                         }
 590
 591 #else
 592                                         if ( right != NULL && *right != '\0' ) {
 593                                                 b->a_aci_at = ch_strdup( right );
 594                                         } else {
 595                                                 b->a_aci_at = ch_strdup( SLAPD_ACI_DEFAULT_ATTR );
 596                                         }
 597 #endif
 598                                         continue;
 599                                 }
 600 #endif /* SLAPD_ACI_ENABLED */
 601
 602                                 if( right != NULL ) {
 603                                         /* unsplit */
 604                                         right[-1] = '=';
 605                                 }
 606                                 break;
 607                         }
 608
 609                         if( i == argc || ( strcasecmp( left, "stop" ) == 0 )) {
 610                                 /* out of arguments or plain stop */
 611
 612                                 ACL_PRIV_ASSIGN(b->a_mask, ACL_PRIV_ADDITIVE);
 613                                 b->a_type = ACL_STOP;
 614
 615                                 access_append( &a->acl_access, b );
 616                                 continue;
 617                         }
 618
 619                         if( strcasecmp( left, "continue" ) == 0 ) {
 620                                 /* plain continue */
 621
 622                                 ACL_PRIV_ASSIGN(b->a_mask, ACL_PRIV_ADDITIVE);
 623                                 b->a_type = ACL_CONTINUE;
 624
 625                                 access_append( &a->acl_access, b );
 626                                 continue;
 627                         }
 628
 629                         if( strcasecmp( left, "break" ) == 0 ) {
 630                                 /* plain continue */
 631
 632                                 ACL_PRIV_ASSIGN(b->a_mask, ACL_PRIV_ADDITIVE);
 633                                 b->a_type = ACL_BREAK;
 634
 635                                 access_append( &a->acl_access, b );
 636                                 continue;
 637                         }
 638
 639                         if ( strcasecmp( left, "by" ) == 0 ) {
 640                                 /* we've gone too far */
 641                                 --i;
 642                                 ACL_PRIV_ASSIGN(b->a_mask, ACL_PRIV_ADDITIVE);
 643                                 b->a_type = ACL_STOP;
 644
 645                                 access_append( &a->acl_access, b );
 646                                 continue;
 647                         }
 648
 649                         /* get <access> */
 650                         if( strncasecmp( left, "self", 4 ) == 0 ) {
 651                                 b->a_dn_self = 1;
 652                                 ACL_PRIV_ASSIGN( b->a_mask, str2accessmask( &left[4] ) );
 653
 654                         } else {
 655                                 ACL_PRIV_ASSIGN( b->a_mask, str2accessmask( left ) );
 656                         }
 657
 658                         if( ACL_IS_INVALID( b->a_mask ) ) {
 659                                 fprintf( stderr,
 660                                         "%s: line %d: expecting <access> got \"%s\"\n",
 661                                         fname, lineno, left );
 662                                 acl_usage();
 663                         }
 664
 665                         b->a_type = ACL_STOP;
 666
 667                         if( ++i == argc ) {
 668                                 /* out of arguments or plain stop */
 669                                 access_append( &a->acl_access, b );
 670                                 continue;
 671                         }
 672
 673                         if( strcasecmp( argv[i], "continue" ) == 0 ) {
 674                                 /* plain continue */
 675                                 b->a_type = ACL_CONTINUE;
 676
 677                         } else if( strcasecmp( argv[i], "break" ) == 0 ) {
 678                                 /* plain continue */
 679                                 b->a_type = ACL_BREAK;
 680
 681                         } else if ( strcasecmp( argv[i], "stop" ) != 0 ) {
 682                                 /* gone to far */
 683                                 i--;
 684                         }
 685
 686                         access_append( &a->acl_access, b );
 687
 688                 } else {
 689                         fprintf( stderr,
 690                     "%s: line %d: expecting \"to\" or \"by\" got \"%s\"\n",
 691                             fname, lineno, argv[i] );
 692                         acl_usage();
 693                 }
 694         }
 695
 696         /* if we have no real access clause, complain and do nothing */
 697         if ( a == NULL ) {
 698                         fprintf( stderr,
 699                                 "%s: line %d: warning: no access clause(s) specified in access line\n",
 700                             fname, lineno );
 701
 702         } else {
 703 #ifdef LDAP_DEBUG
 704                 if (ldap_debug & LDAP_DEBUG_ACL)
 705                         print_acl(be, a);
 706 #endif
 707
 708                 if ( a->acl_access == NULL ) {
 709                         fprintf( stderr,
 710                         "%s: line %d: warning: no by clause(s) specified in access line\n",
 711                             fname, lineno );
 712                 }
 713
 714                 if ( be != NULL ) {
 715                         acl_append( &be->be_acl, a );
 716                 } else {
 717                         acl_append( &global_acl, a );
 718                 }
 719         }
 720 }
 721
 722 char *
 723 accessmask2str( slap_access_mask_t mask, char *buf )
 724 {
 725         int none=1;
 726
 727         assert( buf != NULL );
 728
 729         if ( ACL_IS_INVALID( mask ) ) {
 730                 return "invalid";
 731         }
 732
 733         buf[0] = '\0';
 734
 735         if ( ACL_IS_LEVEL( mask ) ) {
 736                 if ( ACL_LVL_IS_NONE(mask) ) {
 737                         strcat( buf, "none" );
 738
 739                 } else if ( ACL_LVL_IS_AUTH(mask) ) {
 740                         strcat( buf, "auth" );
 741
 742                 } else if ( ACL_LVL_IS_COMPARE(mask) ) {
 743                         strcat( buf, "compare" );
 744
 745                 } else if ( ACL_LVL_IS_SEARCH(mask) ) {
 746                         strcat( buf, "search" );
 747
 748                 } else if ( ACL_LVL_IS_READ(mask) ) {
 749                         strcat( buf, "read" );
 750
 751                 } else if ( ACL_LVL_IS_WRITE(mask) ) {
 752                         strcat( buf, "write" );
 753                 } else {
 754                         strcat( buf, "unknown" );
 755                 }
 756
 757                 strcat(buf, " (");
 758         }
 759
 760         if( ACL_IS_ADDITIVE( mask ) ) {
 761                 strcat( buf, "+" );
 762
 763         } else if( ACL_IS_SUBTRACTIVE( mask ) ) {
 764                 strcat( buf, "-" );
 765
 766         } else {
 767                 strcat( buf, "=" );
 768         }
 769
 770         if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WRITE) ) {
 771                 none = 0;
 772                 strcat( buf, "w" );
 773         }
 774
 775         if ( ACL_PRIV_ISSET(mask, ACL_PRIV_READ) ) {
 776                 none = 0;
 777                 strcat( buf, "r" );
 778         }
 779
 780         if ( ACL_PRIV_ISSET(mask, ACL_PRIV_SEARCH) ) {
 781                 none = 0;
 782                 strcat( buf, "s" );
 783         }
 784
 785         if ( ACL_PRIV_ISSET(mask, ACL_PRIV_COMPARE) ) {
 786                 none = 0;
 787                 strcat( buf, "c" );
 788         }
 789
 790         if ( ACL_PRIV_ISSET(mask, ACL_PRIV_AUTH) ) {
 791                 none = 0;
 792                 strcat( buf, "x" );
 793         }
 794
 795         if ( none && ACL_PRIV_ISSET(mask, ACL_PRIV_NONE) ) {
 796                 none = 0;
 797                 strcat( buf, "n" );
 798         }
 799
 800         if ( none ) {
 801                 strcat( buf, "0" );
 802         }
 803
 804         if ( ACL_IS_LEVEL( mask ) ) {
 805                 strcat(buf, ")");
 806         }
 807         return buf;
 808 }
 809
 810 slap_access_mask_t
 811 str2accessmask( const char *str )
 812 {
 813         slap_access_mask_t      mask;
 814
 815         if( !isalpha(str[0]) ) {
 816                 int i;
 817
 818                 if ( str[0] == '=' ) {
 819                         ACL_INIT(mask);
 820
 821                 } else if( str[0] == '+' ) {
 822                         ACL_PRIV_ASSIGN(mask, ACL_PRIV_ADDITIVE);
 823
 824                 } else if( str[0] == '-' ) {
 825                         ACL_PRIV_ASSIGN(mask, ACL_PRIV_SUBSTRACTIVE);
 826
 827                 } else {
 828                         ACL_INVALIDATE(mask);
 829                         return mask;
 830                 }
 831
 832                 for( i=1; str[i] != '\0'; i++ ) {
 833                         if( TOLOWER(str[i]) == 'w' ) {
 834                                 ACL_PRIV_SET(mask, ACL_PRIV_WRITE);
 835
 836                         } else if( TOLOWER(str[i]) == 'r' ) {
 837                                 ACL_PRIV_SET(mask, ACL_PRIV_READ);
 838
 839                         } else if( TOLOWER(str[i]) == 's' ) {
 840                                 ACL_PRIV_SET(mask, ACL_PRIV_SEARCH);
 841
 842                         } else if( TOLOWER(str[i]) == 'c' ) {
 843                                 ACL_PRIV_SET(mask, ACL_PRIV_COMPARE);
 844
 845                         } else if( TOLOWER(str[i]) == 'x' ) {
 846                                 ACL_PRIV_SET(mask, ACL_PRIV_AUTH);
 847
 848                         } else if( str[i] != '0' ) {
 849                                 ACL_INVALIDATE(mask);
 850                                 return mask;
 851                         }
 852                 }
 853
 854                 return mask;
 855         }
 856
 857         if ( strcasecmp( str, "none" ) == 0 ) {
 858                 ACL_LVL_ASSIGN_NONE(mask);
 859
 860         } else if ( strcasecmp( str, "auth" ) == 0 ) {
 861                 ACL_LVL_ASSIGN_AUTH(mask);
 862
 863         } else if ( strcasecmp( str, "compare" ) == 0 ) {
 864                 ACL_LVL_ASSIGN_COMPARE(mask);
 865
 866         } else if ( strcasecmp( str, "search" ) == 0 ) {
 867                 ACL_LVL_ASSIGN_SEARCH(mask);
 868
 869         } else if ( strcasecmp( str, "read" ) == 0 ) {
 870                 ACL_LVL_ASSIGN_READ(mask);
 871
 872         } else if ( strcasecmp( str, "write" ) == 0 ) {
 873                 ACL_LVL_ASSIGN_WRITE(mask);
 874
 875         } else {
 876                 ACL_INVALIDATE( mask );
 877         }
 878
 879         return mask;
 880 }
 881
 882 static void
 883 acl_usage( void )
 884 {
 885         fprintf( stderr, "\n"
 886                 "<access clause> ::= access to <what> "
 887                                 "[ by <who> <access> <control> ]+ \n"
 888                 "<what> ::= * | [dn=<regex>] [filter=<ldapfilter>] [attrs=<attrlist>]\n"
 889                 "<attrlist> ::= <attr> | <attr> , <attrlist>\n"
 890                 "<attr> ::= <attrname> | entry | children\n"
 891                 "<who> ::= [ * | anonymous | users | self | dn=<regex> ]\n"
 892                         "\t[dnattr=<attrname>]\n"
 893                         "\t[group[/<objectclass>[/<attrname>]]=<regex>]\n"
 894                         "\t[peername=<regex>] [sockname=<regex>]\n"
 895                         "\t[domain=<regex>] [sockurl=<regex>]\n"
 896 #ifdef SLAPD_ACI_ENABLED
 897                         "\t[aci=<attrname>]\n"
 898 #endif
 899                 "<access> ::= [self]{<level>|<priv>}\n"
 900                 "<level> ::= none | auth | compare | search | read | write\n"
 901                 "<priv> ::= {=|+|-}{w|r|s|c|x}+\n"
 902                 "<control> ::= [ stop | continue | break ]\n"
 903                 );
 904         exit( EXIT_FAILURE );
 905 }
 906
 907 static void
 908 split(
 909     char        *line,
 910     int         splitchar,
 911     char        **left,
 912     char        **right
 913 )
 914 {
 915         *left = line;
 916         if ( (*right = strchr( line, splitchar )) != NULL ) {
 917                 *((*right)++) = '\0';
 918         }
 919 }
 920
 921 static void
 922 access_append( Access **l, Access *a )
 923 {
 924         for ( ; *l != NULL; l = &(*l)->a_next )
 925                 ;       /* NULL */
 926
 927         *l = a;
 928 }
 929
 930 void
 931 acl_append( AccessControl **l, AccessControl *a )
 932 {
 933         for ( ; *l != NULL; l = &(*l)->acl_next )
 934                 ;       /* NULL */
 935
 936         *l = a;
 937 }
 938
 939 char *
 940 access2str( slap_access_t access )
 941 {
 942         if ( access == ACL_NONE ) {
 943                 return "none";
 944
 945         } else if ( access == ACL_AUTH ) {
 946                 return "auth";
 947
 948         } else if ( access == ACL_COMPARE ) {
 949                 return "compare";
 950
 951         } else if ( access == ACL_SEARCH ) {
 952                 return "search";
 953
 954         } else if ( access == ACL_READ ) {
 955                 return "read";
 956
 957         } else if ( access == ACL_WRITE ) {
 958                 return "write";
 959         }
 960
 961         return "unknown";
 962 }
 963
 964 slap_access_t
 965 str2access( const char *str )
 966 {
 967         if ( strcasecmp( str, "none" ) == 0 ) {
 968                 return ACL_NONE;
 969
 970         } else if ( strcasecmp( str, "auth" ) == 0 ) {
 971                 return ACL_AUTH;
 972
 973         } else if ( strcasecmp( str, "compare" ) == 0 ) {
 974                 return ACL_COMPARE;
 975
 976         } else if ( strcasecmp( str, "search" ) == 0 ) {
 977                 return ACL_SEARCH;
 978
 979         } else if ( strcasecmp( str, "read" ) == 0 ) {
 980                 return ACL_READ;
 981
 982         } else if ( strcasecmp( str, "write" ) == 0 ) {
 983                 return ACL_WRITE;
 984         }
 985
 986         return( ACL_INVALID_ACCESS );
 987 }
 988
 989 #ifdef LDAP_DEBUG
 990
 991 static void
 992 print_access( Access *b )
 993 {
 994         char maskbuf[ACCESSMASK_MAXLEN];
 995
 996         fprintf( stderr, "\tby" );
 997
 998         if ( b->a_dn_pat != NULL ) {
 999                 if( strcmp(b->a_dn_pat, "*") == 0
1000                         || strcmp(b->a_dn_pat, "users") == 0
1001                         || strcmp(b->a_dn_pat, "anonymous") == 0
1002                         || strcmp(b->a_dn_pat, "self") == 0 )
1003                 {
1004                         fprintf( stderr, " %s", b->a_dn_pat );
1005
1006                 } else {
1007                         fprintf( stderr, " dn=%s", b->a_dn_pat );
1008                 }
1009         }
1010
1011         if ( b->a_dn_at != NULL ) {
1012 #ifdef SLAPD_SCHEMA_NOT_COMPAT
1013                 fprintf( stderr, " dnattr=%s", b->a_dn_at->ad_cname->bv_val );
1014 #else
1015                 fprintf( stderr, " dnattr=%s", b->a_dn_at );
1016 #endif
1017         }
1018
1019         if ( b->a_group_pat != NULL ) {
1020                 fprintf( stderr, " group: %s", b->a_group_pat );
1021
1022                 if ( b->a_group_oc ) {
1023                         fprintf( stderr, " objectClass: %s", b->a_group_oc );
1024
1025                         if ( b->a_group_at ) {
1026 #ifdef SLAPD_SCHEMA_NOT_COMPAT
1027                                 fprintf( stderr, " attributeType: %s", b->a_group_at->ad_cname->bv_val );
1028 #else
1029                                 fprintf( stderr, " attributeType: %s", b->a_group_at );
1030 #endif
1031                         }
1032                 }
1033     }
1034
1035         if ( b->a_peername_pat != NULL ) {
1036                 fprintf( stderr, " peername=%s", b->a_peername_pat );
1037         }
1038
1039         if ( b->a_sockname_pat != NULL ) {
1040                 fprintf( stderr, " sockname=%s", b->a_sockname_pat );
1041         }
1042
1043         if ( b->a_domain_pat != NULL ) {
1044                 fprintf( stderr, " domain=%s", b->a_domain_pat );
1045         }
1046
1047         if ( b->a_sockurl_pat != NULL ) {
1048                 fprintf( stderr, " sockurl=%s", b->a_sockurl_pat );
1049         }
1050
1051 #ifdef SLAPD_ACI_ENABLED
1052         if ( b->a_aci_at != NULL ) {
1053 #ifdef SLAPD_SCHEMA_NOT_COMPAT
1054                 fprintf( stderr, " aci=%s", b->a_aci_at->ad_cname->bv_val );
1055 #else
1056                 fprintf( stderr, " aci=%s", b->a_aci_at );
1057 #endif
1058         }
1059 #endif
1060
1061         fprintf( stderr, " %s%s",
1062                 b->a_dn_self ? "self" : "",
1063                 accessmask2str( b->a_mask, maskbuf ) );
1064
1065         if( b->a_type == ACL_BREAK ) {
1066                 fprintf( stderr, " break" );
1067
1068         } else if( b->a_type == ACL_CONTINUE ) {
1069                 fprintf( stderr, " continue" );
1070
1071         } else if( b->a_type != ACL_STOP ) {
1072                 fprintf( stderr, " unknown-control" );
1073         }
1074
1075         fprintf( stderr, "\n" );
1076 }
1077
1078
1079 static void
1080 print_acl( Backend *be, AccessControl *a )
1081 {
1082         int             to = 0;
1083         Access  *b;
1084
1085         fprintf( stderr, "%s ACL: access to",
1086                 be == NULL ? "Global" : "Backend" );
1087
1088         if ( a->acl_dn_pat != NULL ) {
1089                 to++;
1090                 fprintf( stderr, " dn=%s\n",
1091                         a->acl_dn_pat );
1092         }
1093
1094         if ( a->acl_filter != NULL ) {
1095                 to++;
1096                 fprintf( stderr, " filter=" );
1097                 filter_print( a->acl_filter );
1098                 fprintf( stderr, "\n" );
1099         }
1100
1101         if ( a->acl_attrs != NULL ) {
1102                 int     i, first = 1;
1103                 to++;
1104
1105                 fprintf( stderr, " attrs=" );
1106                 for ( i = 0; a->acl_attrs[i] != NULL; i++ ) {
1107                         if ( ! first ) {
1108                                 fprintf( stderr, "," );
1109                         }
1110                         fprintf( stderr, a->acl_attrs[i] );
1111                         first = 0;
1112                 }
1113                 fprintf(  stderr, "\n" );
1114         }
1115
1116         if( !to ) {
1117                 fprintf( stderr, " *\n" );
1118         }
1119
1120         for ( b = a->acl_access; b != NULL; b = b->a_next ) {
1121                 print_access( b );
1122         }
1123
1124         fprintf( stderr, "\n" );
1125 }
1126
1127 #endif /* LDAP_DEBUG */