1 /* acl.c - routines to parse and check acl's */
10 #include <ac/string.h>
11 #include <ac/unistd.h>
15 extern Filter *str2filter();
16 extern struct acl *global_acl;
17 extern char **str2charray();
18 extern char *dn_upcase();
21 static void acl_append();
22 static void access_append();
23 static void acl_usage();
25 static void print_acl();
26 static void print_access();
30 regtest(char *fname, int lineno, char *pat) {
46 for (size = 0, flag = 0; (size < sizeof(buf)) && *sp; sp++) {
48 if (*sp == '$'|| (*sp >= '0' && *sp <= '9')) {
65 if ( size >= (sizeof(buf)-1) ) {
67 "%s: line %d: regular expression \"%s\" too large\n",
68 fname, lineno, pat, 0 );
72 if ((e = regcomp(&re, buf, REG_EXTENDED|REG_ICASE))) {
74 regerror(e, &re, error, sizeof(error));
76 "%s: line %d: regular expression \"%s\" bad because of %s\n",
77 fname, lineno, pat, error );
95 char *e, *left, *right;
100 for ( i = 1; i < argc; i++ ) {
101 /* to clause - select which entries are protected */
102 if ( strcasecmp( argv[i], "to" ) == 0 ) {
105 "%s: line %d: only one to clause allowed in access line\n",
109 a = (struct acl *) ch_calloc( 1, sizeof(struct acl) );
110 for ( ++i; i < argc; i++ ) {
111 if ( strcasecmp( argv[i], "by" ) == 0 ) {
116 if ( strcasecmp( argv[i], "*" ) == 0 ) {
118 if ((e = regcomp( &a->acl_dnre, ".*",
119 REG_EXTENDED|REG_ICASE)))
122 regerror(e, &a->acl_dnre, buf, sizeof(buf));
124 "%s: line %d: regular expression \"%s\" bad because of %s\n",
125 fname, lineno, right, buf );
128 a->acl_dnpat = strdup( ".*" );
132 split( argv[i], '=', &left, &right );
133 if ( right == NULL || *right == '\0' ) {
135 "%s: line %d: missing \"=\" in (or value after) \"%s\" in to clause\n",
136 fname, lineno, left );
140 if ( strcasecmp( left, "filter" ) == 0 ) {
141 if ( (a->acl_filter = str2filter(
144 "%s: line %d: bad filter \"%s\" in to clause\n",
145 fname, lineno, right );
148 } else if ( strcasecmp( left, "dn" ) == 0 ) {
150 if ((e = regcomp(&a->acl_dnre, right,
151 REG_EXTENDED|REG_ICASE))) {
153 regerror(e, &a->acl_dnre, buf, sizeof(buf));
155 "%s: line %d: regular expression \"%s\" bad because of %s\n",
156 fname, lineno, right, buf );
160 a->acl_dnpat = dn_upcase(strdup( right ));
162 } else if ( strncasecmp( left, "attr", 4 )
166 alist = str2charray( right, "," );
167 charray_merge( &a->acl_attrs, alist );
171 "%s: line %d: expecting <what> got \"%s\"\n",
172 fname, lineno, left );
177 /* by clause - select who has what access to entries */
178 } else if ( strcasecmp( argv[i], "by" ) == 0 ) {
181 "%s: line %d: to clause required before by clause in access line\n",
186 * by clause consists of <who> and <access>
189 b = (struct access *) ch_calloc( 1,
190 sizeof(struct access) );
194 "%s: line %d: premature eol: expecting <who>\n",
200 split( argv[i], '=', &left, &right );
201 if ( strcasecmp( argv[i], "*" ) == 0 ) {
202 b->a_dnpat = strdup( ".*" );
203 } else if ( strcasecmp( argv[i], "self" ) == 0 ) {
204 b->a_dnpat = strdup( "self" );
205 } else if ( strcasecmp( left, "dn" ) == 0 ) {
206 regtest(fname, lineno, right);
207 b->a_dnpat = dn_upcase( strdup( right ) );
208 } else if ( strcasecmp( left, "dnattr" ) == 0 ) {
209 b->a_dnattr = strdup( right );
211 #ifdef SLAPD_ACLGROUPS
212 } else if ( strcasecmp( left, "group" ) == 0 ) {
215 regtest(fname, lineno, right);
217 /* format of string is "group/objectClassValue/groupAttrName"
219 if ((value = strchr(right, '/')) != NULL) {
221 if (value && *value && (name = strchr(value, '/')) != NULL)
225 b->a_group = dn_upcase(strdup( right ));
227 if (value && *value) {
228 b->a_objectclassvalue = strdup(value);
232 b->a_objectclassvalue = strdup("groupOfNames");
235 b->a_groupattrname = strdup(name);
239 b->a_groupattrname = strdup("member");
243 #endif /* SLAPD_ACLGROUPS */
244 } else if ( strcasecmp( left, "domain" ) == 0 ) {
246 regtest(fname, lineno, right);
247 b->a_domainpat = strdup( right );
249 /* normalize the domain */
250 for ( s = b->a_domainpat; *s; s++ ) {
253 } else if ( strcasecmp( left, "addr" ) == 0 ) {
254 regtest(fname, lineno, right);
255 b->a_addrpat = strdup( right );
258 "%s: line %d: expecting <who> got \"%s\"\n",
259 fname, lineno, left );
265 "%s: line %d: premature eol: expecting <access>\n",
271 split( argv[i], '=', &left, &right );
272 if ( (b->a_access = str2access( left )) == -1 ) {
274 "%s: line %d: expecting <access> got \"%s\"\n",
275 fname, lineno, left );
278 access_append( &a->acl_access, b );
282 "%s: line %d: expecting \"to\" or \"by\" got \"%s\"\n",
283 fname, lineno, argv[i] );
288 /* if we have no real access clause, complain and do nothing */
291 "%s: line %d: warning: no access clause(s) specified in access line\n",
296 if (ldap_debug&LDAP_DEBUG_ACL)
300 if ( a->acl_access == NULL ) {
302 "%s: line %d: warning: no by clause(s) specified in access line\n",
307 acl_append( &be->be_acl, a );
309 acl_append( &global_acl, a );
315 access2str( int access )
319 if ( access & ACL_SELF ) {
320 strcpy( buf, "self" );
325 if ( access & ACL_NONE ) {
326 strcat( buf, "none" );
327 } else if ( access & ACL_COMPARE ) {
328 strcat( buf, "compare" );
329 } else if ( access & ACL_SEARCH ) {
330 strcat( buf, "search" );
331 } else if ( access & ACL_READ ) {
332 strcat( buf, "read" );
333 } else if ( access & ACL_WRITE ) {
334 strcat( buf, "write" );
336 strcat( buf, "unknown" );
343 str2access( char *str )
348 if ( strncasecmp( str, "self", 4 ) == 0 ) {
353 if ( strcasecmp( str, "none" ) == 0 ) {
355 } else if ( strcasecmp( str, "compare" ) == 0 ) {
356 access |= ACL_COMPARE;
357 } else if ( strcasecmp( str, "search" ) == 0 ) {
358 access |= ACL_SEARCH;
359 } else if ( strcasecmp( str, "read" ) == 0 ) {
361 } else if ( strcasecmp( str, "write" ) == 0 ) {
373 fprintf( stderr, "\n<access clause> ::= access to <what> [ by <who> <access> ]+ \n" );
374 fprintf( stderr, "<what> ::= * | [dn=<regex>] [filter=<ldapfilter>] [attrs=<attrlist>]\n" );
375 fprintf( stderr, "<attrlist> ::= <attr> | <attr> , <attrlist>\n" );
376 fprintf( stderr, "<attr> ::= <attrname> | entry | children\n" );
377 fprintf( stderr, "<who> ::= * | self | dn=<regex> | addr=<regex> |\n\tdomain=<regex> | dnattr=<dnattrname>\n" );
378 fprintf( stderr, "<access> ::= [self]{none | compare | search | read | write }\n" );
391 if ( (*right = strchr( line, splitchar )) != NULL ) {
392 *((*right)++) = '\0';
397 access_append( struct access **l, struct access *a )
399 for ( ; *l != NULL; l = &(*l)->a_next )
406 acl_append( struct acl **l, struct acl *a )
408 for ( ; *l != NULL; l = &(*l)->acl_next )
417 print_access( struct access *b )
420 if ( b->a_dnpat != NULL ) {
421 fprintf( stderr, " dn=%s", b->a_dnpat );
422 } else if ( b->a_addrpat != NULL ) {
423 fprintf( stderr, " addr=%s", b->a_addrpat );
424 } else if ( b->a_domainpat != NULL ) {
425 fprintf( stderr, " domain=%s", b->a_domainpat );
426 } else if ( b->a_dnattr != NULL ) {
427 fprintf( stderr, " dnattr=%s", b->a_dnattr );
429 #ifdef SLAPD_ACLGROUPS
430 else if ( b->a_group != NULL ) {
431 fprintf( stderr, " group: %s", b->a_group );
432 if ( b->a_objectclassvalue )
433 fprintf( stderr, " objectClassValue: %s", b->a_objectclassvalue );
434 if ( b->a_groupattrname )
435 fprintf( stderr, " groupAttrName: %s", b->a_groupattrname );
438 fprintf( stderr, "\n" );
442 print_acl( struct acl *a )
448 fprintf( stderr, "NULL\n" );
450 fprintf( stderr, "ACL: access to" );
451 if ( a->acl_filter != NULL ) {
452 fprintf( stderr," filter=" );
453 filter_print( a->acl_filter );
455 if ( a->acl_dnpat != NULL ) {
456 fprintf( stderr, " dn=" );
457 fprintf( stderr, a->acl_dnpat );
459 if ( a->acl_attrs != NULL ) {
462 fprintf( stderr, "\n attrs=" );
463 for ( i = 0; a->acl_attrs[i] != NULL; i++ ) {
465 fprintf( stderr, "," );
467 fprintf( stderr, a->acl_attrs[i] );
471 fprintf( stderr, "\n" );
472 for ( b = a->acl_access; b != NULL; b = b->a_next ) {
475 fprintf( stderr, "\n" );
478 #endif /* LDAP_DEBUG */