]> git.sur5r.net Git - openldap/blob - servers/slapd/aclparse.c
Happy new year
[openldap] / servers / slapd / aclparse.c
1 /* aclparse.c - routines to parse and check acl's */
2 /* $OpenLDAP$ */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
4  *
5  * Copyright 1998-2004 The OpenLDAP Foundation.
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted only as authorized by the OpenLDAP
10  * Public License.
11  *
12  * A copy of this license is available in the file LICENSE in the
13  * top-level directory of the distribution or, alternatively, at
14  * <http://www.OpenLDAP.org/license.html>.
15  */
16 /* Portions Copyright (c) 1995 Regents of the University of Michigan.
17  * All rights reserved.
18  *
19  * Redistribution and use in source and binary forms are permitted
20  * provided that this notice is preserved and that due credit is given
21  * to the University of Michigan at Ann Arbor. The name of the University
22  * may not be used to endorse or promote products derived from this
23  * software without specific prior written permission. This software
24  * is provided ``as is'' without express or implied warranty.
25  */
26
27 #include "portable.h"
28
29 #include <stdio.h>
30
31 #include <ac/ctype.h>
32 #include <ac/regex.h>
33 #include <ac/socket.h>
34 #include <ac/string.h>
35 #include <ac/unistd.h>
36
37 #include "slap.h"
38 #include "lber_pvt.h"
39 #include "lutil.h"
40
41 static char *style_strings[] = { "regex",
42         "base", "one", "subtree", "children", NULL };
43
44 static void             split(char *line, int splitchar, char **left, char **right);
45 static void             access_append(Access **l, Access *a);
46 static void             acl_usage(void) LDAP_GCCATTR((noreturn));
47
48 static void             acl_regex_normalized_dn(const char *src, struct berval *pat);
49
50 #ifdef LDAP_DEBUG
51 static void             print_acl(Backend *be, AccessControl *a);
52 static void             print_access(Access *b);
53 #endif
54
55 static void
56 regtest(const char *fname, int lineno, char *pat) {
57         int e;
58         regex_t re;
59
60         char buf[512];
61         unsigned size;
62
63         char *sp;
64         char *dp;
65         int  flag;
66
67         sp = pat;
68         dp = buf;
69         size = 0;
70         buf[0] = '\0';
71
72         for (size = 0, flag = 0; (size < sizeof(buf)) && *sp; sp++) {
73                 if (flag) {
74                         if (*sp == '$'|| (*sp >= '0' && *sp <= '9')) {
75                                 *dp++ = *sp;
76                                 size++;
77                         }
78                         flag = 0;
79
80                 } else {
81                         if (*sp == '$') {
82                                 flag = 1;
83                         } else {
84                                 *dp++ = *sp;
85                                 size++;
86                         }
87                 }
88         }
89
90         *dp = '\0';
91         if ( size >= (sizeof(buf)-1) ) {
92                 fprintf( stderr,
93                         "%s: line %d: regular expression \"%s\" too large\n",
94                         fname, lineno, pat );
95                 acl_usage();
96         }
97
98         if ((e = regcomp(&re, buf, REG_EXTENDED|REG_ICASE))) {
99                 char error[512];
100                 regerror(e, &re, error, sizeof(error));
101                 fprintf( stderr,
102                         "%s: line %d: regular expression \"%s\" bad because of %s\n",
103                         fname, lineno, pat, error );
104                 acl_usage();
105         }
106         regfree(&re);
107 }
108
109 void
110 parse_acl(
111     Backend     *be,
112     const char  *fname,
113     int         lineno,
114     int         argc,
115     char        **argv
116 )
117 {
118         int             i;
119         char            *left, *right, *style;
120         struct berval   bv;
121         AccessControl   *a;
122         Access  *b;
123         int rc;
124         const char *text;
125
126         a = NULL;
127         for ( i = 1; i < argc; i++ ) {
128                 /* to clause - select which entries are protected */
129                 if ( strcasecmp( argv[i], "to" ) == 0 ) {
130                         if ( a != NULL ) {
131                                 fprintf( stderr, "%s: line %d: "
132                                         "only one to clause allowed in access line\n",
133                                     fname, lineno );
134                                 acl_usage();
135                         }
136                         a = (AccessControl *) ch_calloc( 1, sizeof(AccessControl) );
137                         for ( ++i; i < argc; i++ ) {
138                                 if ( strcasecmp( argv[i], "by" ) == 0 ) {
139                                         i--;
140                                         break;
141                                 }
142
143                                 if ( strcasecmp( argv[i], "*" ) == 0 ) {
144                                         if( a->acl_dn_pat.bv_len ||
145                                                 ( a->acl_dn_style != ACL_STYLE_REGEX ) )
146                                         {
147                                                 fprintf( stderr,
148                                                         "%s: line %d: dn pattern"
149                                                         " already specified in to clause.\n",
150                                                         fname, lineno );
151                                                 acl_usage();
152                                         }
153
154                                         a->acl_dn_pat.bv_val = ch_strdup( "*" );
155                                         a->acl_dn_pat.bv_len = 1;
156                                         continue;
157                                 }
158
159                                 split( argv[i], '=', &left, &right );
160                                 split( left, '.', &left, &style );
161
162                                 if ( right == NULL ) {
163                                         fprintf( stderr, "%s: line %d: "
164                                                 "missing \"=\" in \"%s\" in to clause\n",
165                                             fname, lineno, left );
166                                         acl_usage();
167                                 }
168
169                                 if ( strcasecmp( left, "dn" ) == 0 ) {
170                                         if( a->acl_dn_pat.bv_len != 0 ||
171                                                 ( a->acl_dn_style != ACL_STYLE_REGEX ) )
172                                         {
173                                                 fprintf( stderr,
174                                                         "%s: line %d: dn pattern"
175                                                         " already specified in to clause.\n",
176                                                         fname, lineno );
177                                                 acl_usage();
178                                         }
179
180                                         if ( style == NULL || *style == '\0' ||
181                                                 ( strcasecmp( style, "base" ) == 0 ) ||
182                                                 ( strcasecmp( style, "exact" ) == 0 ))
183                                         {
184                                                 a->acl_dn_style = ACL_STYLE_BASE;
185                                                 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
186
187                                         } else if ( strcasecmp( style, "onelevel" ) == 0
188                                                 || strcasecmp( style, "one" ) == 0 ) {
189                                                 a->acl_dn_style = ACL_STYLE_ONE;
190                                                 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
191
192                                         } else if ( strcasecmp( style, "subtree" ) == 0
193                                                 || strcasecmp( style, "sub" ) == 0 )
194                                         {
195                                                 if( *right == '\0' ) {
196                                                         a->acl_dn_pat.bv_val = ch_strdup( "*" );
197                                                         a->acl_dn_pat.bv_len = 1;
198
199                                                 } else {
200                                                         a->acl_dn_style = ACL_STYLE_SUBTREE;
201                                                         ber_str2bv( right, 0, 1, &a->acl_dn_pat );
202                                                 }
203
204                                         } else if ( strcasecmp( style, "children" ) == 0 ) {
205                                                 a->acl_dn_style = ACL_STYLE_CHILDREN;
206                                                 ber_str2bv( right, 0, 1, &a->acl_dn_pat );
207
208                                         } else if ( strcasecmp( style, "regex" ) == 0 ) {
209                                                 a->acl_dn_style = ACL_STYLE_REGEX;
210
211                                                 if ( *right == '\0' ) {
212                                                         /* empty regex should match empty DN */
213                                                         a->acl_dn_style = ACL_STYLE_BASE;
214                                                         ber_str2bv( right, 0, 1, &a->acl_dn_pat );
215
216                                                 } else if ( strcmp(right, "*") == 0 
217                                                         || strcmp(right, ".*") == 0 
218                                                         || strcmp(right, ".*$") == 0 
219                                                         || strcmp(right, "^.*") == 0 
220                                                         || strcmp(right, "^.*$") == 0
221                                                         || strcmp(right, ".*$$") == 0 
222                                                         || strcmp(right, "^.*$$") == 0 )
223                                                 {
224                                                         a->acl_dn_pat.bv_val = ch_strdup( "*" );
225                                                         a->acl_dn_pat.bv_len = sizeof("*")-1;
226
227                                                 } else {
228                                                         acl_regex_normalized_dn( right, &a->acl_dn_pat );
229                                                 }
230
231                                         } else {
232                                                 fprintf( stderr, "%s: line %d: "
233                                                         "unknown dn style \"%s\" in to clause\n",
234                                                     fname, lineno, style );
235                                                 acl_usage();
236                                         }
237
238                                         continue;
239                                 }
240
241                                 if ( strcasecmp( left, "filter" ) == 0 ) {
242                                         if ( (a->acl_filter = str2filter( right )) == NULL ) {
243                                                 fprintf( stderr,
244                                 "%s: line %d: bad filter \"%s\" in to clause\n",
245                                                     fname, lineno, right );
246                                                 acl_usage();
247                                         }
248
249                                 } else if ( strcasecmp( left, "attr" ) == 0
250                                                 || strcasecmp( left, "attrs" ) == 0 ) {
251                                         a->acl_attrs = str2anlist( a->acl_attrs,
252                                                 right, "," );
253                                         if ( a->acl_attrs == NULL ) {
254                                                 fprintf( stderr,
255                                 "%s: line %d: unknown attr \"%s\" in to clause\n",
256                                                     fname, lineno, right );
257                                                 acl_usage();
258                                         }
259
260                                 } else if ( strncasecmp( left, "val", 3 ) == 0 ) {
261                                         if ( a->acl_attrval.bv_len ) {
262                                                 fprintf( stderr,
263                                 "%s: line %d: attr val already specified in to clause.\n",
264                                                         fname, lineno );
265                                                 acl_usage();
266                                         }
267                                         if ( a->acl_attrs == NULL || a->acl_attrs[1].an_name.bv_val ) {
268                                                 fprintf( stderr,
269                                 "%s: line %d: attr val requires a single attribute.\n",
270                                                         fname, lineno );
271                                                 acl_usage();
272                                         }
273                                         ber_str2bv( right, 0, 1, &a->acl_attrval );
274                                         if ( style && strcasecmp( style, "regex" ) == 0 ) {
275                                                 int e = regcomp( &a->acl_attrval_re, a->acl_attrval.bv_val,
276                                                         REG_EXTENDED | REG_ICASE | REG_NOSUB );
277                                                 if ( e ) {
278                                                         char buf[512];
279                                                         regerror( e, &a->acl_attrval_re, buf, sizeof(buf) );
280                                                         fprintf( stderr, "%s: line %d: "
281                                                                 "regular expression \"%s\" bad because of %s\n",
282                                                                 fname, lineno, right, buf );
283                                                         acl_usage();
284                                                 }
285                                                 a->acl_attrval_style = ACL_STYLE_REGEX;
286                                         } else {
287                                                 /* FIXME: if the attribute has DN syntax,
288                                                  * we might allow one, subtree and children styles as well */
289                                                 if ( !strcasecmp( style, "exact" ) ) {
290                                                         a->acl_attrval_style = ACL_STYLE_BASE;
291
292                                                 } else if ( a->acl_attrs[0].an_desc->ad_type->sat_syntax == slap_schema.si_syn_distinguishedName ) {
293                                                         if ( !strcasecmp( style, "base" ) ) {
294                                                                 a->acl_attrval_style = ACL_STYLE_BASE;
295                                                         } else if ( !strcasecmp( style, "onelevel" ) || !strcasecmp( style, "one" ) ) {
296                                                                 a->acl_attrval_style = ACL_STYLE_ONE;
297                                                         } else if ( !strcasecmp( style, "subtree" ) || !strcasecmp( style, "sub" ) ) {
298                                                                 a->acl_attrval_style = ACL_STYLE_SUBTREE;
299                                                         } else if ( !strcasecmp( style, "children" ) ) {
300                                                                 a->acl_attrval_style = ACL_STYLE_CHILDREN;
301                                                         } else {
302                                                                 fprintf( stderr, 
303                                                                         "%s: line %d: unknown val.<style> \"%s\" "
304                                                                         "for attributeType \"%s\" with DN syntax; using \"base\"\n",
305                                                                         fname, lineno, style,
306                                                                         a->acl_attrs[0].an_desc->ad_cname.bv_val );
307                                                                 a->acl_attrval_style = ACL_STYLE_BASE;
308                                                         }
309                                                         
310                                                 } else {
311                                                         fprintf( stderr, 
312                                                                 "%s: line %d: unknown val.<style> \"%s\" "
313                                                                 "for attributeType \"%s\"; using \"exact\"\n",
314                                                                 fname, lineno, style,
315                                                                 a->acl_attrs[0].an_desc->ad_cname.bv_val );
316                                                         a->acl_attrval_style = ACL_STYLE_BASE;
317                                                 }
318                                         }
319                                         
320                                 } else {
321                                         fprintf( stderr,
322                                                 "%s: line %d: expecting <what> got \"%s\"\n",
323                                             fname, lineno, left );
324                                         acl_usage();
325                                 }
326                         }
327
328                         if ( a->acl_dn_pat.bv_len != 0 &&
329                                 strcmp(a->acl_dn_pat.bv_val, "*") == 0 )
330                         {
331                                 free( a->acl_dn_pat.bv_val );
332                                 a->acl_dn_pat.bv_val = NULL;
333                                 a->acl_dn_pat.bv_len = 0;
334                         }
335                         
336                         if( a->acl_dn_pat.bv_len != 0 ||
337                                 ( a->acl_dn_style != ACL_STYLE_REGEX ) )
338                         {
339                                 if ( a->acl_dn_style != ACL_STYLE_REGEX ) {
340                                         struct berval bv;
341                                         rc = dnNormalize( 0, NULL, NULL, &a->acl_dn_pat, &bv, NULL);
342                                         if ( rc != LDAP_SUCCESS ) {
343                                                 fprintf( stderr,
344                                                         "%s: line %d: bad DN \"%s\" in to DN clause\n",
345                                                         fname, lineno, a->acl_dn_pat.bv_val );
346                                                 acl_usage();
347                                         }
348                                         free( a->acl_dn_pat.bv_val );
349                                         a->acl_dn_pat = bv;
350                                 } else {
351                                         int e = regcomp( &a->acl_dn_re, a->acl_dn_pat.bv_val,
352                                                 REG_EXTENDED | REG_ICASE );
353                                         if ( e ) {
354                                                 char buf[512];
355                                                 regerror( e, &a->acl_dn_re, buf, sizeof(buf) );
356                                                 fprintf( stderr, "%s: line %d: "
357                                                         "regular expression \"%s\" bad because of %s\n",
358                                                         fname, lineno, right, buf );
359                                                 acl_usage();
360                                         }
361                                 }
362                         }
363
364                 /* by clause - select who has what access to entries */
365                 } else if ( strcasecmp( argv[i], "by" ) == 0 ) {
366                         if ( a == NULL ) {
367                                 fprintf( stderr, "%s: line %d: "
368                                         "to clause required before by clause in access line\n",
369                                     fname, lineno );
370                                 acl_usage();
371                         }
372
373                         /*
374                          * by clause consists of <who> and <access>
375                          */
376
377                         b = (Access *) ch_calloc( 1, sizeof(Access) );
378
379                         ACL_INVALIDATE( b->a_access_mask );
380
381                         if ( ++i == argc ) {
382                                 fprintf( stderr,
383                             "%s: line %d: premature eol: expecting <who>\n",
384                                     fname, lineno );
385                                 acl_usage();
386                         }
387
388                         /* get <who> */
389                         for ( ; i < argc; i++ ) {
390                                 slap_style_t sty = ACL_STYLE_REGEX;
391                                 char *style_modifier = NULL;
392                                 int expand = 0;
393
394                                 split( argv[i], '=', &left, &right );
395                                 split( left, '.', &left, &style );
396                                 if ( style ) {
397                                         split( style, ',', &style, &style_modifier);
398                                 }
399
400                                 if ( style == NULL || *style == '\0' ||
401                                         strcasecmp( style, "exact" ) == 0 ||
402                                         strcasecmp( style, "base" ) == 0 )
403                                 {
404                                         sty = ACL_STYLE_BASE;
405
406                                 } else if ( strcasecmp( style, "onelevel" ) == 0 ||
407                                         strcasecmp( style, "one" ) == 0 ) {
408                                         sty = ACL_STYLE_ONE;
409
410                                 } else if ( strcasecmp( style, "subtree" ) == 0 ||
411                                         strcasecmp( style, "sub" ) == 0 )
412                                 {
413                                         sty = ACL_STYLE_SUBTREE;
414
415                                 } else if ( strcasecmp( style, "children" ) == 0 ) {
416                                         sty = ACL_STYLE_CHILDREN;
417
418                                 } else if ( strcasecmp( style, "regex" ) == 0 ) {
419                                         sty = ACL_STYLE_REGEX;
420
421                                 } else {
422                                         fprintf( stderr,
423                                                 "%s: line %d: unknown style \"%s\" in by clause\n",
424                                             fname, lineno, style );
425                                         acl_usage();
426                                 }
427
428                                 if ( style_modifier &&
429                                         strcasecmp( style_modifier, "expand" ) == 0 )
430                                 {
431                                         expand = 1;
432                                 }
433
434                                 if ( strcasecmp( argv[i], "*" ) == 0 ) {
435                                         bv.bv_val = ch_strdup( "*" );
436                                         bv.bv_len = 1;
437                                         sty = ACL_STYLE_REGEX;
438
439                                 } else if ( strcasecmp( argv[i], "anonymous" ) == 0 ) {
440                                         ber_str2bv("anonymous", sizeof("anonymous")-1, 1, &bv);
441                                         sty = ACL_STYLE_REGEX;
442
443                                 } else if ( strcasecmp( argv[i], "self" ) == 0 ) {
444                                         ber_str2bv("self", sizeof("self")-1, 1, &bv);
445                                         sty = ACL_STYLE_REGEX;
446
447                                 } else if ( strcasecmp( argv[i], "users" ) == 0 ) {
448                                         ber_str2bv("users", sizeof("users")-1, 1, &bv);
449                                         sty = ACL_STYLE_REGEX;
450
451                                 } else if ( strcasecmp( left, "dn" ) == 0 ) {
452                                         if ( sty == ACL_STYLE_REGEX ) {
453                                                 b->a_dn_style = ACL_STYLE_REGEX;
454                                                 if( right == NULL ) {
455                                                         /* no '=' */
456                                                         ber_str2bv("users",
457                                                                 sizeof("users")-1,
458                                                                 1, &bv);
459                                                 } else if (*right == '\0' ) {
460                                                         /* dn="" */
461                                                         ber_str2bv("anonymous",
462                                                                 sizeof("anonymous")-1,
463                                                                 1, &bv);
464                                                 } else if ( strcmp( right, "*" ) == 0 ) {
465                                                         /* dn=* */
466                                                         /* any or users?  users for now */
467                                                         ber_str2bv("users",
468                                                                 sizeof("users")-1,
469                                                                 1, &bv);
470                                                 } else if ( strcmp( right, ".+" ) == 0
471                                                         || strcmp( right, "^.+" ) == 0
472                                                         || strcmp( right, ".+$" ) == 0
473                                                         || strcmp( right, "^.+$" ) == 0
474                                                         || strcmp( right, ".+$$" ) == 0
475                                                         || strcmp( right, "^.+$$" ) == 0 )
476                                                 {
477                                                         ber_str2bv("users",
478                                                                 sizeof("users")-1,
479                                                                 1, &bv);
480                                                 } else if ( strcmp( right, ".*" ) == 0
481                                                         || strcmp( right, "^.*" ) == 0
482                                                         || strcmp( right, ".*$" ) == 0
483                                                         || strcmp( right, "^.*$" ) == 0
484                                                         || strcmp( right, ".*$$" ) == 0
485                                                         || strcmp( right, "^.*$$" ) == 0 )
486                                                 {
487                                                         ber_str2bv("*",
488                                                                 sizeof("*")-1,
489                                                                 1, &bv);
490
491                                                 } else {
492                                                         acl_regex_normalized_dn( right, &bv );
493                                                         if ( !ber_bvccmp( &bv, '*' ) ) {
494                                                                 regtest(fname, lineno, bv.bv_val);
495                                                         }
496                                                 }
497                                         } else if ( right == NULL || *right == '\0' ) {
498                                                 fprintf( stderr, "%s: line %d: "
499                                                         "missing \"=\" in (or value after) \"%s\" "
500                                                         "in by clause\n",
501                                                     fname, lineno, left );
502                                                 acl_usage();
503
504                                         } else {
505                                                 ber_str2bv( right, 0, 1, &bv );
506                                         }
507
508                                 } else {
509                                         bv.bv_val = NULL;
510                                 }
511
512                                 if( bv.bv_val != NULL ) {
513                                         if( b->a_dn_pat.bv_len != 0 ) {
514                                                 fprintf( stderr,
515                                                     "%s: line %d: dn pattern already specified.\n",
516                                                     fname, lineno );
517                                                 acl_usage();
518                                         }
519
520                                         if ( sty != ACL_STYLE_REGEX && expand == 0 ) {
521                                                 rc = dnNormalize(0, NULL, NULL,
522                                                         &bv, &b->a_dn_pat, NULL);
523                                                 if ( rc != LDAP_SUCCESS ) {
524                                                         fprintf( stderr,
525                                                                 "%s: line %d: bad DN \"%s\" in by DN clause\n",
526                                                                 fname, lineno, bv.bv_val );
527                                                         acl_usage();
528                                                 }
529                                                 free(bv.bv_val);
530                                         } else {
531                                                 b->a_dn_pat = bv;
532                                         }
533                                         b->a_dn_style = sty;
534                                         b->a_dn_expand = expand;
535                                         continue;
536                                 }
537
538                                 if ( strcasecmp( left, "dnattr" ) == 0 ) {
539                                         if ( right == NULL || right[ 0 ] == '\0' ) {
540                                                 fprintf( stderr,
541                                                         "%s: line %d: missing \"=\" in (or value after) \"%s\" in by clause\n",
542                                                         fname, lineno, left );
543                                                 acl_usage();
544                                         }
545
546                                         if( b->a_dn_at != NULL ) {
547                                                 fprintf( stderr,
548                                                         "%s: line %d: dnattr already specified.\n",
549                                                         fname, lineno );
550                                                 acl_usage();
551                                         }
552
553                                         rc = slap_str2ad( right, &b->a_dn_at, &text );
554
555                                         if( rc != LDAP_SUCCESS ) {
556                                                 fprintf( stderr,
557                                                         "%s: line %d: dnattr \"%s\": %s\n",
558                                                         fname, lineno, right, text );
559                                                 acl_usage();
560                                         }
561
562
563                                         if( !is_at_syntax( b->a_dn_at->ad_type,
564                                                 SLAPD_DN_SYNTAX ) &&
565                                                 !is_at_syntax( b->a_dn_at->ad_type,
566                                                 SLAPD_NAMEUID_SYNTAX ))
567                                         {
568                                                 fprintf( stderr,
569                                                         "%s: line %d: dnattr \"%s\": "
570                                                         "inappropriate syntax: %s\n",
571                                                         fname, lineno, right,
572                                                         b->a_dn_at->ad_type->sat_syntax_oid );
573                                                 acl_usage();
574                                         }
575
576                                         if( b->a_dn_at->ad_type->sat_equality == NULL ) {
577                                                 fprintf( stderr,
578                                                         "%s: line %d: dnattr \"%s\": "
579                                                         "inappropriate matching (no EQUALITY)\n",
580                                                         fname, lineno, right );
581                                                 acl_usage();
582                                         }
583
584                                         continue;
585                                 }
586
587                                 if ( strncasecmp( left, "group", sizeof("group")-1 ) == 0 ) {
588                                         char *name = NULL;
589                                         char *value = NULL;
590
591                                         if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
592                                                 fprintf( stderr, "%s: line %d: "
593                                                         "inappropriate style \"%s\" in by clause\n",
594                                                     fname, lineno, style );
595                                                 acl_usage();
596                                         }
597
598                                         if ( right == NULL || right[ 0 ] == '\0' ) {
599                                                 fprintf( stderr, "%s: line %d: "
600                                                         "missing \"=\" in (or value after) \"%s\" "
601                                                         "in by clause\n",
602                                                         fname, lineno, left );
603                                                 acl_usage();
604                                         }
605
606                                         if( b->a_group_pat.bv_len ) {
607                                                 fprintf( stderr,
608                                                         "%s: line %d: group pattern already specified.\n",
609                                                         fname, lineno );
610                                                 acl_usage();
611                                         }
612
613                                         /* format of string is
614                                                 "group/objectClassValue/groupAttrName" */
615                                         if ((value = strchr(left, '/')) != NULL) {
616                                                 *value++ = '\0';
617                                                 if (*value && (name = strchr(value, '/')) != NULL) {
618                                                         *name++ = '\0';
619                                                 }
620                                         }
621
622                                         b->a_group_style = sty;
623                                         if (sty == ACL_STYLE_REGEX) {
624                                                 acl_regex_normalized_dn( right, &bv );
625                                                 if ( !ber_bvccmp( &bv, '*' ) ) {
626                                                         regtest(fname, lineno, bv.bv_val);
627                                                 }
628                                                 b->a_group_pat = bv;
629                                         } else {
630                                                 ber_str2bv( right, 0, 0, &bv );
631                                                 rc = dnNormalize( 0, NULL, NULL, &bv,
632                                                         &b->a_group_pat, NULL );
633                                                 if ( rc != LDAP_SUCCESS ) {
634                                                         fprintf( stderr,
635                                                                 "%s: line %d: bad DN \"%s\"\n",
636                                                                 fname, lineno, right );
637                                                         acl_usage();
638                                                 }
639                                         }
640
641                                         if (value && *value) {
642                                                 b->a_group_oc = oc_find( value );
643                                                 *--value = '/';
644
645                                                 if( b->a_group_oc == NULL ) {
646                                                         fprintf( stderr,
647                                                                 "%s: line %d: group objectclass "
648                                                                 "\"%s\" unknown\n",
649                                                                 fname, lineno, value );
650                                                         acl_usage();
651                                                 }
652                                         } else {
653                                                 b->a_group_oc = oc_find(SLAPD_GROUP_CLASS);
654
655                                                 if( b->a_group_oc == NULL ) {
656                                                         fprintf( stderr,
657                                                                 "%s: line %d: group default objectclass "
658                                                                 "\"%s\" unknown\n",
659                                                                 fname, lineno, SLAPD_GROUP_CLASS );
660                                                         acl_usage();
661                                                 }
662                                         }
663
664                                         if( is_object_subclass( slap_schema.si_oc_referral,
665                                                 b->a_group_oc ))
666                                         {
667                                                 fprintf( stderr,
668                                                         "%s: line %d: group objectclass \"%s\" "
669                                                         "is subclass of referral\n",
670                                                         fname, lineno, value );
671                                                 acl_usage();
672                                         }
673
674                                         if( is_object_subclass( slap_schema.si_oc_alias,
675                                                 b->a_group_oc ))
676                                         {
677                                                 fprintf( stderr,
678                                                         "%s: line %d: group objectclass \"%s\" "
679                                                         "is subclass of alias\n",
680                                                         fname, lineno, value );
681                                                 acl_usage();
682                                         }
683
684                                         if (name && *name) {
685                                                 rc = slap_str2ad( name, &b->a_group_at, &text );
686
687                                                 if( rc != LDAP_SUCCESS ) {
688                                                         fprintf( stderr,
689                                                                 "%s: line %d: group \"%s\": %s\n",
690                                                                 fname, lineno, right, text );
691                                                         acl_usage();
692                                                 }
693                                                 *--name = '/';
694                                         } else {
695                                                 rc = slap_str2ad( SLAPD_GROUP_ATTR, &b->a_group_at, &text );
696
697                                                 if( rc != LDAP_SUCCESS ) {
698                                                         fprintf( stderr,
699                                                                 "%s: line %d: group \"%s\": %s\n",
700                                                                 fname, lineno, SLAPD_GROUP_ATTR, text );
701                                                         acl_usage();
702                                                 }
703                                         }
704
705                                         if( !is_at_syntax( b->a_group_at->ad_type,
706                                                 SLAPD_DN_SYNTAX ) &&
707                                             !is_at_syntax( b->a_group_at->ad_type,
708                                                 SLAPD_NAMEUID_SYNTAX ) &&
709                                                 !is_at_subtype( b->a_group_at->ad_type, slap_schema.si_ad_labeledURI->ad_type ))
710                                         {
711                                                 fprintf( stderr,
712                                                         "%s: line %d: group \"%s\": inappropriate syntax: %s\n",
713                                                         fname, lineno, right,
714                                                         b->a_group_at->ad_type->sat_syntax_oid );
715                                                 acl_usage();
716                                         }
717
718
719                                         {
720                                                 int rc;
721                                                 struct berval vals[2];
722
723                                                 vals[0].bv_val = b->a_group_oc->soc_oid;
724                                                 vals[0].bv_len = strlen(vals[0].bv_val);
725                                                 vals[1].bv_val = NULL;
726
727
728                                                 rc = oc_check_allowed( b->a_group_at->ad_type,
729                                                         vals, NULL );
730
731                                                 if( rc != 0 ) {
732                                                         fprintf( stderr, "%s: line %d: "
733                                                                 "group: \"%s\" not allowed by \"%s\"\n",
734                                                                 fname, lineno,
735                                                                 b->a_group_at->ad_cname.bv_val,
736                                                                 b->a_group_oc->soc_oid );
737                                                         acl_usage();
738                                                 }
739                                         }
740                                         continue;
741                                 }
742
743                                 if ( strcasecmp( left, "peername" ) == 0 ) {
744                                         if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
745                                                 fprintf( stderr, "%s: line %d: "
746                                                         "inappropriate style \"%s\" in by clause\n",
747                                                     fname, lineno, style );
748                                                 acl_usage();
749                                         }
750
751                                         if ( right == NULL || right[ 0 ] == '\0' ) {
752                                                 fprintf( stderr, "%s: line %d: "
753                                                         "missing \"=\" in (or value after) \"%s\" "
754                                                         "in by clause\n",
755                                                         fname, lineno, left );
756                                                 acl_usage();
757                                         }
758
759                                         if( b->a_peername_pat.bv_len ) {
760                                                 fprintf( stderr, "%s: line %d: "
761                                                         "peername pattern already specified.\n",
762                                                         fname, lineno );
763                                                 acl_usage();
764                                         }
765
766                                         b->a_peername_style = sty;
767                                         if (sty == ACL_STYLE_REGEX) {
768                                                 acl_regex_normalized_dn( right, &bv );
769                                                 if ( !ber_bvccmp( &bv, '*' ) ) {
770                                                         regtest(fname, lineno, bv.bv_val);
771                                                 }
772                                                 b->a_peername_pat = bv;
773                                         } else {
774                                                 ber_str2bv( right, 0, 1, &b->a_peername_pat );
775                                         }
776                                         continue;
777                                 }
778
779                                 if ( strcasecmp( left, "sockname" ) == 0 ) {
780                                         if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
781                                                 fprintf( stderr, "%s: line %d: "
782                                                         "inappropriate style \"%s\" in by clause\n",
783                                                     fname, lineno, style );
784                                                 acl_usage();
785                                         }
786
787                                         if ( right == NULL || right[ 0 ] == '\0' ) {
788                                                 fprintf( stderr, "%s: line %d: "
789                                                         "missing \"=\" in (or value after) \"%s\" "
790                                                         "in by clause\n",
791                                                         fname, lineno, left );
792                                                 acl_usage();
793                                         }
794
795                                         if( b->a_sockname_pat.bv_len ) {
796                                                 fprintf( stderr, "%s: line %d: "
797                                                         "sockname pattern already specified.\n",
798                                                         fname, lineno );
799                                                 acl_usage();
800                                         }
801
802                                         b->a_sockname_style = sty;
803                                         if (sty == ACL_STYLE_REGEX) {
804                                                 acl_regex_normalized_dn( right, &bv );
805                                                 if ( !ber_bvccmp( &bv, '*' ) ) {
806                                                         regtest(fname, lineno, bv.bv_val);
807                                                 }
808                                                 b->a_sockname_pat = bv;
809                                         } else {
810                                                 ber_str2bv( right, 0, 1, &b->a_sockname_pat );
811                                         }
812                                         continue;
813                                 }
814
815                                 if ( strcasecmp( left, "domain" ) == 0 ) {
816                                         switch ( sty ) {
817                                         case ACL_STYLE_REGEX:
818                                         case ACL_STYLE_BASE:
819                                         case ACL_STYLE_SUBTREE:
820                                                 break;
821
822                                         default:
823                                                 fprintf( stderr,
824                                                         "%s: line %d: inappropriate style \"%s\" in by clause\n",
825                                                     fname, lineno, style );
826                                                 acl_usage();
827                                         }
828
829                                         if ( right == NULL || right[ 0 ] == '\0' ) {
830                                                 fprintf( stderr,
831                                                         "%s: line %d: missing \"=\" in (or value after) \"%s\" in by clause\n",
832                                                         fname, lineno, left );
833                                                 acl_usage();
834                                         }
835
836                                         if( b->a_domain_pat.bv_len ) {
837                                                 fprintf( stderr,
838                                                         "%s: line %d: domain pattern already specified.\n",
839                                                         fname, lineno );
840                                                 acl_usage();
841                                         }
842
843                                         b->a_domain_style = sty;
844                                         b->a_domain_expand = expand;
845                                         if (sty == ACL_STYLE_REGEX) {
846                                                 acl_regex_normalized_dn( right, &bv );
847                                                 if ( !ber_bvccmp( &bv, '*' ) ) {
848                                                         regtest(fname, lineno, bv.bv_val);
849                                                 }
850                                                 b->a_domain_pat = bv;
851                                         } else {
852                                                 ber_str2bv( right, 0, 1, &b->a_domain_pat );
853                                         }
854                                         continue;
855                                 }
856
857                                 if ( strcasecmp( left, "sockurl" ) == 0 ) {
858                                         if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
859                                                 fprintf( stderr,
860                                                         "%s: line %d: inappropriate style \"%s\" in by clause\n",
861                                                     fname, lineno, style );
862                                                 acl_usage();
863                                         }
864
865                                         if ( right == NULL || right[ 0 ] == '\0' ) {
866                                                 fprintf( stderr,
867                                                         "%s: line %d: missing \"=\" in (or value after) \"%s\" in by clause\n",
868                                                         fname, lineno, left );
869                                                 acl_usage();
870                                         }
871
872                                         if( b->a_sockurl_pat.bv_len ) {
873                                                 fprintf( stderr,
874                                                         "%s: line %d: sockurl pattern already specified.\n",
875                                                         fname, lineno );
876                                                 acl_usage();
877                                         }
878
879                                         b->a_sockurl_style = sty;
880                                         if (sty == ACL_STYLE_REGEX) {
881                                                 acl_regex_normalized_dn( right, &bv );
882                                                 if ( !ber_bvccmp( &bv, '*' ) ) {
883                                                         regtest(fname, lineno, bv.bv_val);
884                                                 }
885                                                 b->a_sockurl_pat = bv;
886                                         } else {
887                                                 ber_str2bv( right, 0, 1, &b->a_sockurl_pat );
888                                         }
889                                         continue;
890                                 }
891
892                                 if ( strcasecmp( left, "set" ) == 0 ) {
893                                         if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
894                                                 fprintf( stderr,
895                                                         "%s: line %d: inappropriate style \"%s\" in by clause\n",
896                                                     fname, lineno, style );
897                                                 acl_usage();
898                                         }
899
900                                         if( b->a_set_pat.bv_len != 0 ) {
901                                                 fprintf( stderr,
902                                                         "%s: line %d: set attribute already specified.\n",
903                                                         fname, lineno );
904                                                 acl_usage();
905                                         }
906
907                                         if ( right == NULL || *right == '\0' ) {
908                                                 fprintf( stderr,
909                                                         "%s: line %d: no set is defined\n",
910                                                         fname, lineno );
911                                                 acl_usage();
912                                         }
913
914                                         b->a_set_style = sty;
915                                         ber_str2bv( right, 0, 1, &b->a_set_pat );
916
917                                         continue;
918                                 }
919
920 #ifdef SLAPD_ACI_ENABLED
921                                 if ( strcasecmp( left, "aci" ) == 0 ) {
922                                         if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
923                                                 fprintf( stderr,
924                                                         "%s: line %d: inappropriate style \"%s\" in by clause\n",
925                                                     fname, lineno, style );
926                                                 acl_usage();
927                                         }
928
929                                         if( b->a_aci_at != NULL ) {
930                                                 fprintf( stderr,
931                                                         "%s: line %d: aci attribute already specified.\n",
932                                                         fname, lineno );
933                                                 acl_usage();
934                                         }
935
936                                         if ( right != NULL && *right != '\0' ) {
937                                                 rc = slap_str2ad( right, &b->a_aci_at, &text );
938
939                                                 if( rc != LDAP_SUCCESS ) {
940                                                         fprintf( stderr,
941                                                                 "%s: line %d: aci \"%s\": %s\n",
942                                                                 fname, lineno, right, text );
943                                                         acl_usage();
944                                                 }
945
946                                         } else {
947                                                 b->a_aci_at = slap_schema.si_ad_aci;
948                                         }
949
950                                         if( !is_at_syntax( b->a_aci_at->ad_type,
951                                                 SLAPD_ACI_SYNTAX) )
952                                         {
953                                                 fprintf( stderr,
954                                                         "%s: line %d: aci \"%s\": inappropriate syntax: %s\n",
955                                                         fname, lineno, right,
956                                                         b->a_aci_at->ad_type->sat_syntax_oid );
957                                                 acl_usage();
958                                         }
959
960                                         continue;
961                                 }
962 #endif /* SLAPD_ACI_ENABLED */
963
964                                 if ( strcasecmp( left, "ssf" ) == 0 ) {
965                                         if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
966                                                 fprintf( stderr,
967                                                         "%s: line %d: inappropriate style \"%s\" in by clause\n",
968                                                     fname, lineno, style );
969                                                 acl_usage();
970                                         }
971
972                                         if( b->a_authz.sai_ssf ) {
973                                                 fprintf( stderr,
974                                                         "%s: line %d: ssf attribute already specified.\n",
975                                                         fname, lineno );
976                                                 acl_usage();
977                                         }
978
979                                         if ( right == NULL || *right == '\0' ) {
980                                                 fprintf( stderr,
981                                                         "%s: line %d: no ssf is defined\n",
982                                                         fname, lineno );
983                                                 acl_usage();
984                                         }
985
986                                         b->a_authz.sai_ssf = atoi( right );
987
988                                         if( !b->a_authz.sai_ssf ) {
989                                                 fprintf( stderr,
990                                                         "%s: line %d: invalid ssf value (%s)\n",
991                                                         fname, lineno, right );
992                                                 acl_usage();
993                                         }
994                                         continue;
995                                 }
996
997                                 if ( strcasecmp( left, "transport_ssf" ) == 0 ) {
998                                         if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
999                                                 fprintf( stderr,
1000                                                         "%s: line %d: inappropriate style \"%s\" in by clause\n",
1001                                                     fname, lineno, style );
1002                                                 acl_usage();
1003                                         }
1004
1005                                         if( b->a_authz.sai_transport_ssf ) {
1006                                                 fprintf( stderr,
1007                                                         "%s: line %d: transport_ssf attribute already specified.\n",
1008                                                         fname, lineno );
1009                                                 acl_usage();
1010                                         }
1011
1012                                         if ( right == NULL || *right == '\0' ) {
1013                                                 fprintf( stderr,
1014                                                         "%s: line %d: no transport_ssf is defined\n",
1015                                                         fname, lineno );
1016                                                 acl_usage();
1017                                         }
1018
1019                                         b->a_authz.sai_transport_ssf = atoi( right );
1020
1021                                         if( !b->a_authz.sai_transport_ssf ) {
1022                                                 fprintf( stderr,
1023                                                         "%s: line %d: invalid transport_ssf value (%s)\n",
1024                                                         fname, lineno, right );
1025                                                 acl_usage();
1026                                         }
1027                                         continue;
1028                                 }
1029
1030                                 if ( strcasecmp( left, "tls_ssf" ) == 0 ) {
1031                                         if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
1032                                                 fprintf( stderr,
1033                                                         "%s: line %d: inappropriate style \"%s\" in by clause\n",
1034                                                     fname, lineno, style );
1035                                                 acl_usage();
1036                                         }
1037
1038                                         if( b->a_authz.sai_tls_ssf ) {
1039                                                 fprintf( stderr,
1040                                                         "%s: line %d: tls_ssf attribute already specified.\n",
1041                                                         fname, lineno );
1042                                                 acl_usage();
1043                                         }
1044
1045                                         if ( right == NULL || *right == '\0' ) {
1046                                                 fprintf( stderr,
1047                                                         "%s: line %d: no tls_ssf is defined\n",
1048                                                         fname, lineno );
1049                                                 acl_usage();
1050                                         }
1051
1052                                         b->a_authz.sai_tls_ssf = atoi( right );
1053
1054                                         if( !b->a_authz.sai_tls_ssf ) {
1055                                                 fprintf( stderr,
1056                                                         "%s: line %d: invalid tls_ssf value (%s)\n",
1057                                                         fname, lineno, right );
1058                                                 acl_usage();
1059                                         }
1060                                         continue;
1061                                 }
1062
1063                                 if ( strcasecmp( left, "sasl_ssf" ) == 0 ) {
1064                                         if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
1065                                                 fprintf( stderr,
1066                                                         "%s: line %d: inappropriate style \"%s\" in by clause\n",
1067                                                     fname, lineno, style );
1068                                                 acl_usage();
1069                                         }
1070
1071                                         if( b->a_authz.sai_sasl_ssf ) {
1072                                                 fprintf( stderr,
1073                                                         "%s: line %d: sasl_ssf attribute already specified.\n",
1074                                                         fname, lineno );
1075                                                 acl_usage();
1076                                         }
1077
1078                                         if ( right == NULL || *right == '\0' ) {
1079                                                 fprintf( stderr,
1080                                                         "%s: line %d: no sasl_ssf is defined\n",
1081                                                         fname, lineno );
1082                                                 acl_usage();
1083                                         }
1084
1085                                         b->a_authz.sai_sasl_ssf = atoi( right );
1086
1087                                         if( !b->a_authz.sai_sasl_ssf ) {
1088                                                 fprintf( stderr,
1089                                                         "%s: line %d: invalid sasl_ssf value (%s)\n",
1090                                                         fname, lineno, right );
1091                                                 acl_usage();
1092                                         }
1093                                         continue;
1094                                 }
1095
1096                                 if( right != NULL ) {
1097                                         /* unsplit */
1098                                         right[-1] = '=';
1099                                 }
1100                                 break;
1101                         }
1102
1103                         if( i == argc || ( strcasecmp( left, "stop" ) == 0 )) { 
1104                                 /* out of arguments or plain stop */
1105
1106                                 ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE);
1107                                 b->a_type = ACL_STOP;
1108
1109                                 access_append( &a->acl_access, b );
1110                                 continue;
1111                         }
1112
1113                         if( strcasecmp( left, "continue" ) == 0 ) {
1114                                 /* plain continue */
1115
1116                                 ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE);
1117                                 b->a_type = ACL_CONTINUE;
1118
1119                                 access_append( &a->acl_access, b );
1120                                 continue;
1121                         }
1122
1123                         if( strcasecmp( left, "break" ) == 0 ) {
1124                                 /* plain continue */
1125
1126                                 ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE);
1127                                 b->a_type = ACL_BREAK;
1128
1129                                 access_append( &a->acl_access, b );
1130                                 continue;
1131                         }
1132
1133                         if ( strcasecmp( left, "by" ) == 0 ) {
1134                                 /* we've gone too far */
1135                                 --i;
1136                                 ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE);
1137                                 b->a_type = ACL_STOP;
1138
1139                                 access_append( &a->acl_access, b );
1140                                 continue;
1141                         }
1142
1143                         /* get <access> */
1144                         if( strncasecmp( left, "self", 4 ) == 0 ) {
1145                                 b->a_dn_self = 1;
1146                                 ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[4] ) );
1147
1148                         } else {
1149                                 ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( left ) );
1150                         }
1151
1152                         if( ACL_IS_INVALID( b->a_access_mask ) ) {
1153                                 fprintf( stderr,
1154                                         "%s: line %d: expecting <access> got \"%s\"\n",
1155                                         fname, lineno, left );
1156                                 acl_usage();
1157                         }
1158
1159                         b->a_type = ACL_STOP;
1160
1161                         if( ++i == argc ) {
1162                                 /* out of arguments or plain stop */
1163                                 access_append( &a->acl_access, b );
1164                                 continue;
1165                         }
1166
1167                         if( strcasecmp( argv[i], "continue" ) == 0 ) {
1168                                 /* plain continue */
1169                                 b->a_type = ACL_CONTINUE;
1170
1171                         } else if( strcasecmp( argv[i], "break" ) == 0 ) {
1172                                 /* plain continue */
1173                                 b->a_type = ACL_BREAK;
1174
1175                         } else if ( strcasecmp( argv[i], "stop" ) != 0 ) {
1176                                 /* gone to far */
1177                                 i--;
1178                         }
1179
1180                         access_append( &a->acl_access, b );
1181
1182                 } else {
1183                         fprintf( stderr,
1184                     "%s: line %d: expecting \"to\" or \"by\" got \"%s\"\n",
1185                             fname, lineno, argv[i] );
1186                         acl_usage();
1187                 }
1188         }
1189
1190         /* if we have no real access clause, complain and do nothing */
1191         if ( a == NULL ) {
1192                         fprintf( stderr,
1193                                 "%s: line %d: warning: no access clause(s) specified in access line\n",
1194                             fname, lineno );
1195
1196         } else {
1197 #ifdef LDAP_DEBUG
1198                 if (ldap_debug & LDAP_DEBUG_ACL)
1199                         print_acl(be, a);
1200 #endif
1201         
1202                 if ( a->acl_access == NULL ) {
1203                         fprintf( stderr,
1204                         "%s: line %d: warning: no by clause(s) specified in access line\n",
1205                             fname, lineno );
1206                 }
1207
1208                 if ( be != NULL ) {
1209                         acl_append( &be->be_acl, a );
1210                 } else {
1211                         acl_append( &global_acl, a );
1212                 }
1213         }
1214 }
1215
1216 char *
1217 accessmask2str( slap_mask_t mask, char *buf )
1218 {
1219         int none=1;
1220         char *ptr = buf;
1221
1222         assert( buf != NULL );
1223
1224         if ( ACL_IS_INVALID( mask ) ) {
1225                 return "invalid";
1226         }
1227
1228         buf[0] = '\0';
1229
1230         if ( ACL_IS_LEVEL( mask ) ) {
1231                 if ( ACL_LVL_IS_NONE(mask) ) {
1232                         ptr = lutil_strcopy( ptr, "none" );
1233
1234                 } else if ( ACL_LVL_IS_AUTH(mask) ) {
1235                         ptr = lutil_strcopy( ptr, "auth" );
1236
1237                 } else if ( ACL_LVL_IS_COMPARE(mask) ) {
1238                         ptr = lutil_strcopy( ptr, "compare" );
1239
1240                 } else if ( ACL_LVL_IS_SEARCH(mask) ) {
1241                         ptr = lutil_strcopy( ptr, "search" );
1242
1243                 } else if ( ACL_LVL_IS_READ(mask) ) {
1244                         ptr = lutil_strcopy( ptr, "read" );
1245
1246                 } else if ( ACL_LVL_IS_WRITE(mask) ) {
1247                         ptr = lutil_strcopy( ptr, "write" );
1248                 } else {
1249                         ptr = lutil_strcopy( ptr, "unknown" );
1250                 }
1251                 
1252                 *ptr++ = '(';
1253         }
1254
1255         if( ACL_IS_ADDITIVE( mask ) ) {
1256                 *ptr++ = '+';
1257
1258         } else if( ACL_IS_SUBTRACTIVE( mask ) ) {
1259                 *ptr++ = '-';
1260
1261         } else {
1262                 *ptr++ = '=';
1263         }
1264
1265         if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WRITE) ) {
1266                 none = 0;
1267                 *ptr++ = 'w';
1268         } 
1269
1270         if ( ACL_PRIV_ISSET(mask, ACL_PRIV_READ) ) {
1271                 none = 0;
1272                 *ptr++ = 'r';
1273         } 
1274
1275         if ( ACL_PRIV_ISSET(mask, ACL_PRIV_SEARCH) ) {
1276                 none = 0;
1277                 *ptr++ = 's';
1278         } 
1279
1280         if ( ACL_PRIV_ISSET(mask, ACL_PRIV_COMPARE) ) {
1281                 none = 0;
1282                 *ptr++ = 'c';
1283         } 
1284
1285         if ( ACL_PRIV_ISSET(mask, ACL_PRIV_AUTH) ) {
1286                 none = 0;
1287                 *ptr++ = 'x';
1288         } 
1289
1290         if ( none && ACL_PRIV_ISSET(mask, ACL_PRIV_NONE) ) {
1291                 none = 0;
1292                 *ptr++ = 'n';
1293         } 
1294
1295         if ( none ) {
1296                 *ptr++ = '0';
1297         }
1298
1299         if ( ACL_IS_LEVEL( mask ) ) {
1300                 *ptr++ = ')';
1301         }
1302
1303         *ptr = '\0';
1304
1305         return buf;
1306 }
1307
1308 slap_mask_t
1309 str2accessmask( const char *str )
1310 {
1311         slap_mask_t     mask;
1312
1313         if( !ASCII_ALPHA(str[0]) ) {
1314                 int i;
1315
1316                 if ( str[0] == '=' ) {
1317                         ACL_INIT(mask);
1318
1319                 } else if( str[0] == '+' ) {
1320                         ACL_PRIV_ASSIGN(mask, ACL_PRIV_ADDITIVE);
1321
1322                 } else if( str[0] == '-' ) {
1323                         ACL_PRIV_ASSIGN(mask, ACL_PRIV_SUBSTRACTIVE);
1324
1325                 } else {
1326                         ACL_INVALIDATE(mask);
1327                         return mask;
1328                 }
1329
1330                 for( i=1; str[i] != '\0'; i++ ) {
1331                         if( TOLOWER((unsigned char) str[i]) == 'w' ) {
1332                                 ACL_PRIV_SET(mask, ACL_PRIV_WRITE);
1333
1334                         } else if( TOLOWER((unsigned char) str[i]) == 'r' ) {
1335                                 ACL_PRIV_SET(mask, ACL_PRIV_READ);
1336
1337                         } else if( TOLOWER((unsigned char) str[i]) == 's' ) {
1338                                 ACL_PRIV_SET(mask, ACL_PRIV_SEARCH);
1339
1340                         } else if( TOLOWER((unsigned char) str[i]) == 'c' ) {
1341                                 ACL_PRIV_SET(mask, ACL_PRIV_COMPARE);
1342
1343                         } else if( TOLOWER((unsigned char) str[i]) == 'x' ) {
1344                                 ACL_PRIV_SET(mask, ACL_PRIV_AUTH);
1345
1346                         } else if( str[i] != '0' ) {
1347                                 ACL_INVALIDATE(mask);
1348                                 return mask;
1349                         }
1350                 }
1351
1352                 return mask;
1353         }
1354
1355         if ( strcasecmp( str, "none" ) == 0 ) {
1356                 ACL_LVL_ASSIGN_NONE(mask);
1357
1358         } else if ( strcasecmp( str, "auth" ) == 0 ) {
1359                 ACL_LVL_ASSIGN_AUTH(mask);
1360
1361         } else if ( strcasecmp( str, "compare" ) == 0 ) {
1362                 ACL_LVL_ASSIGN_COMPARE(mask);
1363
1364         } else if ( strcasecmp( str, "search" ) == 0 ) {
1365                 ACL_LVL_ASSIGN_SEARCH(mask);
1366
1367         } else if ( strcasecmp( str, "read" ) == 0 ) {
1368                 ACL_LVL_ASSIGN_READ(mask);
1369
1370         } else if ( strcasecmp( str, "write" ) == 0 ) {
1371                 ACL_LVL_ASSIGN_WRITE(mask);
1372
1373         } else {
1374                 ACL_INVALIDATE( mask );
1375         }
1376
1377         return mask;
1378 }
1379
1380 static void
1381 acl_usage( void )
1382 {
1383         fprintf( stderr, "%s%s\n",
1384                 "<access clause> ::= access to <what> "
1385                                 "[ by <who> <access> [ <control> ] ]+ \n"
1386                 "<what> ::= * | [dn[.<dnstyle>]=<DN>] [filter=<filter>] [attrs=<attrlist>]\n"
1387                 "<attrlist> ::= <attr> [val[.<style>]=<value>] | <attr> , <attrlist>\n"
1388                 "<attr> ::= <attrname> | entry | children\n"
1389                 "<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]\n"
1390                         "\t[dnattr=<attrname>]\n"
1391                         "\t[group[/<objectclass>[/<attrname>]][.<style>]=<group>]\n"
1392                         "\t[peername[.<style>]=<peer>] [sockname[.<style>]=<name>]\n",
1393                         "\t[domain[.<style>]=<domain>] [sockurl[.<style>]=<url>]\n"
1394 #ifdef SLAPD_ACI_ENABLED
1395                         "\t[aci=<attrname>]\n"
1396 #endif
1397                         "\t[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]\n"
1398                 "<dnstyle> ::= base | exact | one | subtree | children | regex\n"
1399                 "<style> ::= regex | base | exact\n"
1400                 "<access> ::= [self]{<level>|<priv>}\n"
1401                 "<level> ::= none | auth | compare | search | read | write\n"
1402                 "<priv> ::= {=|+|-}{w|r|s|c|x|0}+\n"
1403                 "<control> ::= [ stop | continue | break ]\n"
1404         );
1405         exit( EXIT_FAILURE );
1406 }
1407
1408 /*
1409  * Set pattern to a "normalized" DN from src.
1410  * At present it simply eats the (optional) space after 
1411  * a RDN separator (,)
1412  * Eventually will evolve in a more complete normalization
1413  */
1414 static void
1415 acl_regex_normalized_dn(
1416         const char *src,
1417         struct berval *pattern
1418 )
1419 {
1420         char *str, *p;
1421         ber_len_t len;
1422
1423         str = ch_strdup( src );
1424         len = strlen( src );
1425
1426         for ( p = str; p && p[ 0 ]; p++ ) {
1427                 /* escape */
1428                 if ( p[ 0 ] == '\\' && p[ 1 ] ) {
1429                         /* 
1430                          * if escaping a hex pair we should
1431                          * increment p twice; however, in that 
1432                          * case the second hex number does 
1433                          * no harm
1434                          */
1435                         p++;
1436                 }
1437
1438                 if ( p[ 0 ] == ',' ) {
1439                         if ( p[ 1 ] == ' ' ) {
1440                                 char *q;
1441                         
1442                                 /*
1443                                  * too much space should be 
1444                                  * an error if we are pedantic
1445                                  */
1446                                 for ( q = &p[ 2 ]; q[ 0 ] == ' '; q++ ) {
1447                                         /* DO NOTHING */ ;
1448                                 }
1449                                 AC_MEMCPY( p+1, q, len-(q-str)+1);
1450                         }
1451                 }
1452         }
1453         pattern->bv_val = str;
1454         pattern->bv_len = p-str;
1455
1456         return;
1457 }
1458
1459 static void
1460 split(
1461     char        *line,
1462     int         splitchar,
1463     char        **left,
1464     char        **right
1465 )
1466 {
1467         *left = line;
1468         if ( (*right = strchr( line, splitchar )) != NULL ) {
1469                 *((*right)++) = '\0';
1470         }
1471 }
1472
1473 static void
1474 access_append( Access **l, Access *a )
1475 {
1476         for ( ; *l != NULL; l = &(*l)->a_next )
1477                 ;       /* NULL */
1478
1479         *l = a;
1480 }
1481
1482 void
1483 acl_append( AccessControl **l, AccessControl *a )
1484 {
1485         for ( ; *l != NULL; l = &(*l)->acl_next )
1486                 ;       /* NULL */
1487
1488         *l = a;
1489 }
1490
1491 static void
1492 access_free( Access *a )
1493 {
1494         if ( a->a_dn_pat.bv_val )
1495                 free ( a->a_dn_pat.bv_val );
1496         if ( a->a_peername_pat.bv_val )
1497                 free ( a->a_peername_pat.bv_val );
1498         if ( a->a_sockname_pat.bv_val )
1499                 free ( a->a_sockname_pat.bv_val );
1500         if ( a->a_domain_pat.bv_val )
1501                 free ( a->a_domain_pat.bv_val );
1502         if ( a->a_sockurl_pat.bv_val )
1503                 free ( a->a_sockurl_pat.bv_val );
1504         if ( a->a_set_pat.bv_len )
1505                 free ( a->a_set_pat.bv_val );
1506         if ( a->a_group_pat.bv_len )
1507                 free ( a->a_group_pat.bv_val );
1508         free( a );
1509 }
1510
1511 void
1512 acl_free( AccessControl *a )
1513 {
1514         Access *n;
1515         AttributeName *an;
1516
1517         if ( a->acl_filter )
1518                 filter_free( a->acl_filter );
1519         if ( a->acl_dn_pat.bv_len )
1520                 free ( a->acl_dn_pat.bv_val );
1521         if ( a->acl_attrs ) {
1522                 for ( an = a->acl_attrs; an->an_name.bv_val; an++ ) {
1523                         free( an->an_name.bv_val );
1524                 }
1525                 free( a->acl_attrs );
1526         }
1527         for (; a->acl_access; a->acl_access = n) {
1528                 n = a->acl_access->a_next;
1529                 access_free( a->acl_access );
1530         }
1531         free( a );
1532 }
1533
1534 /* Because backend_startup uses acl_append to tack on the global_acl to
1535  * the end of each backend's acl, we cannot just take one argument and
1536  * merrily free our way to the end of the list. backend_destroy calls us
1537  * with the be_acl in arg1, and global_acl in arg2 to give us a stopping
1538  * point. config_destroy calls us with global_acl in arg1 and NULL in
1539  * arg2, so we then proceed to polish off the global_acl.
1540  */
1541 void
1542 acl_destroy( AccessControl *a, AccessControl *end )
1543 {
1544         AccessControl *n;
1545
1546         for (; a && a!= end; a=n) {
1547                 n = a->acl_next;
1548                 acl_free( a );
1549         }
1550 }
1551
1552 char *
1553 access2str( slap_access_t access )
1554 {
1555         if ( access == ACL_NONE ) {
1556                 return "none";
1557
1558         } else if ( access == ACL_AUTH ) {
1559                 return "auth";
1560
1561         } else if ( access == ACL_COMPARE ) {
1562                 return "compare";
1563
1564         } else if ( access == ACL_SEARCH ) {
1565                 return "search";
1566
1567         } else if ( access == ACL_READ ) {
1568                 return "read";
1569
1570         } else if ( access == ACL_WRITE ) {
1571                 return "write";
1572         }
1573
1574         return "unknown";
1575 }
1576
1577 slap_access_t
1578 str2access( const char *str )
1579 {
1580         if ( strcasecmp( str, "none" ) == 0 ) {
1581                 return ACL_NONE;
1582
1583         } else if ( strcasecmp( str, "auth" ) == 0 ) {
1584                 return ACL_AUTH;
1585
1586         } else if ( strcasecmp( str, "compare" ) == 0 ) {
1587                 return ACL_COMPARE;
1588
1589         } else if ( strcasecmp( str, "search" ) == 0 ) {
1590                 return ACL_SEARCH;
1591
1592         } else if ( strcasecmp( str, "read" ) == 0 ) {
1593                 return ACL_READ;
1594
1595         } else if ( strcasecmp( str, "write" ) == 0 ) {
1596                 return ACL_WRITE;
1597         }
1598
1599         return( ACL_INVALID_ACCESS );
1600 }
1601
1602 #ifdef LDAP_DEBUG
1603
1604 static void
1605 print_access( Access *b )
1606 {
1607         char maskbuf[ACCESSMASK_MAXLEN];
1608
1609         fprintf( stderr, "\tby" );
1610
1611         if ( b->a_dn_pat.bv_len != 0 ) {
1612                 if( strcmp(b->a_dn_pat.bv_val, "*") == 0
1613                         || strcmp(b->a_dn_pat.bv_val, "users") == 0 
1614                         || strcmp(b->a_dn_pat.bv_val, "anonymous") == 0 
1615                         || strcmp(b->a_dn_pat.bv_val, "self") == 0 )
1616                 {
1617                         fprintf( stderr, " %s", b->a_dn_pat.bv_val );
1618
1619                 } else {
1620                         fprintf( stderr, " dn.%s=\"%s\"",
1621                                 style_strings[b->a_dn_style], b->a_dn_pat.bv_val );
1622                 }
1623         }
1624
1625         if ( b->a_dn_at != NULL ) {
1626                 fprintf( stderr, " dnattr=%s", b->a_dn_at->ad_cname.bv_val );
1627         }
1628
1629         if ( b->a_group_pat.bv_len ) {
1630                 fprintf( stderr, " group/%s/%s.%s=\"%s\"",
1631                         b->a_group_oc ? b->a_group_oc->soc_cname.bv_val : "groupOfNames",
1632                         b->a_group_at ? b->a_group_at->ad_cname.bv_val : "member",
1633                         style_strings[b->a_group_style],
1634                         b->a_group_pat.bv_val );
1635     }
1636
1637         if ( b->a_peername_pat.bv_len != 0 ) {
1638                 fprintf( stderr, " peername=\"%s\"", b->a_peername_pat.bv_val );
1639         }
1640
1641         if ( b->a_sockname_pat.bv_len != 0 ) {
1642                 fprintf( stderr, " sockname=\"%s\"", b->a_sockname_pat.bv_val );
1643         }
1644
1645         if ( b->a_domain_pat.bv_len != 0 ) {
1646                 fprintf( stderr, " domain=%s", b->a_domain_pat.bv_val );
1647         }
1648
1649         if ( b->a_sockurl_pat.bv_len != 0 ) {
1650                 fprintf( stderr, " sockurl=\"%s\"", b->a_sockurl_pat.bv_val );
1651         }
1652
1653 #ifdef SLAPD_ACI_ENABLED
1654         if ( b->a_aci_at != NULL ) {
1655                 fprintf( stderr, " aci=%s", b->a_aci_at->ad_cname.bv_val );
1656         }
1657 #endif
1658
1659         /* Security Strength Factors */
1660         if ( b->a_authz.sai_ssf ) {
1661                 fprintf( stderr, " ssf=%u",
1662                         b->a_authz.sai_ssf );
1663         }
1664         if ( b->a_authz.sai_transport_ssf ) {
1665                 fprintf( stderr, " transport_ssf=%u",
1666                         b->a_authz.sai_transport_ssf );
1667         }
1668         if ( b->a_authz.sai_tls_ssf ) {
1669                 fprintf( stderr, " tls_ssf=%u",
1670                         b->a_authz.sai_tls_ssf );
1671         }
1672         if ( b->a_authz.sai_sasl_ssf ) {
1673                 fprintf( stderr, " sasl_ssf=%u",
1674                         b->a_authz.sai_sasl_ssf );
1675         }
1676
1677         fprintf( stderr, " %s%s",
1678                 b->a_dn_self ? "self" : "",
1679                 accessmask2str( b->a_access_mask, maskbuf ) );
1680
1681         if( b->a_type == ACL_BREAK ) {
1682                 fprintf( stderr, " break" );
1683
1684         } else if( b->a_type == ACL_CONTINUE ) {
1685                 fprintf( stderr, " continue" );
1686
1687         } else if( b->a_type != ACL_STOP ) {
1688                 fprintf( stderr, " unknown-control" );
1689         }
1690
1691         fprintf( stderr, "\n" );
1692 }
1693
1694
1695 static void
1696 print_acl( Backend *be, AccessControl *a )
1697 {
1698         int             to = 0;
1699         Access  *b;
1700
1701         fprintf( stderr, "%s ACL: access to",
1702                 be == NULL ? "Global" : "Backend" );
1703
1704         if ( a->acl_dn_pat.bv_len != 0 ) {
1705                 to++;
1706                 fprintf( stderr, " dn.%s=\"%s\"\n",
1707                         style_strings[a->acl_dn_style], a->acl_dn_pat.bv_val );
1708         }
1709
1710         if ( a->acl_filter != NULL ) {
1711                 struct berval bv = { 0, NULL };
1712                 to++;
1713                 filter2bv( a->acl_filter, &bv );
1714                 fprintf( stderr, " filter=%s\n", bv.bv_val );
1715                 ch_free( bv.bv_val );
1716         }
1717
1718         if ( a->acl_attrs != NULL ) {
1719                 int     first = 1;
1720                 AttributeName *an;
1721                 to++;
1722
1723                 fprintf( stderr, " attrs=" );
1724                 for ( an = a->acl_attrs; an && an->an_name.bv_val; an++ ) {
1725                         if ( ! first ) {
1726                                 fprintf( stderr, "," );
1727                         }
1728                         if (an->an_oc) {
1729                                 fputc( '@', stderr);
1730                         }
1731                         fputs( an->an_name.bv_val, stderr );
1732                         first = 0;
1733                 }
1734                 fprintf(  stderr, "\n" );
1735         }
1736
1737         if ( a->acl_attrval.bv_len != 0 ) {
1738                 to++;
1739                 fprintf( stderr, " val.%s=\"%s\"\n",
1740                         style_strings[a->acl_attrval_style], a->acl_attrval.bv_val );
1741
1742         }
1743
1744         if( !to ) {
1745                 fprintf( stderr, " *\n" );
1746         }
1747
1748         for ( b = a->acl_access; b != NULL; b = b->a_next ) {
1749                 print_access( b );
1750         }
1751
1752         fprintf( stderr, "\n" );
1753 }
1754
1755 #endif /* LDAP_DEBUG */