/* acl.c - routines to parse and check acl's */
-#include <stdio.h>
-#include <string.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <netdb.h>
-#include <regex.h>
-
-#include "slap.h"
+#include "portable.h"
-extern Attribute *attr_find();
-extern struct acl *global_acl;
-extern int global_default_access;
-extern char *access2str();
-extern char *dn_normalize_case();
+#include <stdio.h>
-int acl_access_allowed();
-int access_allowed();
-struct acl *acl_get_applicable();
+#include <ac/regex.h>
+#include <ac/socket.h>
+#include <ac/string.h>
-static int regex_matches();
+#include "slap.h"
-static string_expand(char *newbuf, int bufsiz, char *pattern,
- char *match, regmatch_t *matches);
+static int regex_matches(char *pat, char *str, char *buf, regmatch_t *matches);
+static void string_expand(char *newbuf, int bufsiz, char *pattern,
+ char *match, regmatch_t *matches);
/*
- * access_allowed - check whether dn is allowed the requested access
+ * access_allowed - check whether op->o_ndn is allowed the requested access
* to entry e, attribute attr, value val. if val is null, access to
* the whole attribute is assumed (all values). this routine finds
* the applicable acl and calls acl_access_allowed() to make the
Entry *e,
char *attr,
struct berval *val,
- char *dn,
int access
)
{
int rc;
- struct acl *a;
+ AccessControl *a;
char *edn;
regmatch_t matches[MAXREMATCHES];
return( 0 );
}
- edn = dn_normalize_case( strdup( e->e_dn ) );
+ edn = e->e_ndn;
+
Debug( LDAP_DEBUG_ACL, "\n=> access_allowed: entry (%s) attr (%s)\n",
e->e_dn, attr, 0 );
/* the lastmod attributes are ignored by ACL checking */
- if ( strcasecmp( attr, "modifiersname" ) == 0 ||
- strcasecmp( attr, "modifytimestamp" ) == 0 ||
- strcasecmp( attr, "creatorsname" ) == 0 ||
- strcasecmp( attr, "createtimestamp" ) == 0 )
- {
- Debug( LDAP_DEBUG_ACL, "LASTMOD attribute: %s access allowed\n",
+ if ( oc_check_no_usermod_attr( attr ) ) {
+ Debug( LDAP_DEBUG_ACL, "Operational attribute: %s access allowed\n",
attr, 0, 0 );
- free( edn );
return(1);
}
memset(matches, 0, sizeof(matches));
- a = acl_get_applicable( be, op, e, attr, edn, MAXREMATCHES, matches );
+ a = acl_get_applicable( be, op, e, attr, MAXREMATCHES, matches );
if (a) {
for (i = 0; i < MAXREMATCHES && matches[i].rm_so > 0; i++) {
- Debug( LDAP_DEBUG_ARGS, "=> match[%d]: %d %d ",
- i, matches[i].rm_so, matches[i].rm_eo );
+ Debug( LDAP_DEBUG_ARGS, "=> match[%d]: %d %d ", i,
+ (int)matches[i].rm_so, (int)matches[i].rm_eo );
if( matches[i].rm_so <= matches[0].rm_eo ) {
for ( n = matches[i].rm_so; n < matches[i].rm_eo; n++) {
}
rc = acl_access_allowed( a, be, conn, e, val, op, access, edn, matches );
- free( edn );
Debug( LDAP_DEBUG_ACL, "\n=> access_allowed: exit (%s) attr (%s)\n",
e->e_dn, attr, 0);
* acl_access_allowed().
*/
-struct acl *
+AccessControl *
acl_get_applicable(
Backend *be,
Operation *op,
Entry *e,
char *attr,
- char *edn,
int nmatch,
regmatch_t *matches
)
{
- int i, j;
- struct acl *a;
+ int i;
+ AccessControl *a;
+ char *edn;
Debug( LDAP_DEBUG_ACL, "\n=> acl_get: entry (%s) attr (%s)\n",
e->e_dn, attr, 0 );
- if ( be_isroot( be, op->o_dn ) ) {
+ if ( be_isroot( be, op->o_ndn ) ) {
Debug( LDAP_DEBUG_ACL,
"<= acl_get: no acl applicable to database root\n", 0, 0,
0 );
return( NULL );
}
+ edn = e->e_ndn;
+
Debug( LDAP_DEBUG_ARGS, "=> acl_get: edn %s\n", edn, 0, 0 );
/* check for a backend-specific acl that matches the entry */
for ( i = 1, a = be->be_acl; a != NULL; a = a->acl_next, i++ ) {
- if (a->acl_dnpat != NULL) {
+ if (a->acl_dn_pat != NULL) {
Debug( LDAP_DEBUG_TRACE, "=> dnpat: [%d] %s nsub: %d\n",
- i, a->acl_dnpat, a->acl_dnre.re_nsub);
+ i, a->acl_dn_pat, (int) a->acl_dn_re.re_nsub);
- if (regexec(&a->acl_dnre, edn, nmatch, matches, 0))
+ if (regexec(&a->acl_dn_re, edn, nmatch, matches, 0)) {
continue;
- else
+
+ } else {
Debug( LDAP_DEBUG_TRACE, "=> acl_get:[%d] backend ACL match\n",
i, 0, 0);
+ }
}
if ( a->acl_filter != NULL ) {
/* check for a global acl that matches the entry */
for ( i = 1, a = global_acl; a != NULL; a = a->acl_next, i++ ) {
- if (a->acl_dnpat != NULL) {
- Debug( LDAP_DEBUG_TRACE, "=> dnpat: [%d] %s nsub: %d\n",
- i, a->acl_dnpat, a->acl_dnre.re_nsub);
+ if (a->acl_dn_pat != NULL) {
+ Debug( LDAP_DEBUG_TRACE, "=> dn pat: [%d] %s nsub: %d\n",
+ i, a->acl_dn_pat, (int) a->acl_dn_re.re_nsub);
- if (regexec(&a->acl_dnre, edn, nmatch, matches, 0)) {
+ if (regexec(&a->acl_dn_re, edn, nmatch, matches, 0)) {
continue;
+
} else {
Debug( LDAP_DEBUG_TRACE, "=> acl_get: [%d] global ACL match\n",
i, 0, 0);
int
acl_access_allowed(
- struct acl *a,
+ AccessControl *a,
Backend *be,
Connection *conn,
Entry *e,
)
{
int i;
- char *odn;
- struct access *b;
- Attribute *at;
- struct berval bv;
+ Access *b;
int default_access;
Debug( LDAP_DEBUG_ACL,
"\n=> acl_access_allowed: %s access to value \"%s\" by \"%s\"\n",
access2str( access ),
val ? val->bv_val : "any",
- op->o_dn ? op->o_dn : "" );
+ op->o_ndn ? op->o_ndn : "" );
- if ( be_isroot( be, op->o_dn ) ) {
+ if ( be_isroot( be, op->o_ndn ) ) {
Debug( LDAP_DEBUG_ACL,
"<= acl_access_allowed: granted to database root\n",
0, 0, 0 );
return( default_access >= access );
}
- odn = NULL;
- if ( op->o_dn != NULL ) {
- odn = dn_normalize_case( strdup( op->o_dn ) );
- bv.bv_val = odn;
- bv.bv_len = strlen( odn );
- }
for ( i = 1, b = a->acl_access; b != NULL; b = b->a_next, i++ ) {
- if ( b->a_dnpat != NULL ) {
- Debug( LDAP_DEBUG_TRACE, "<= check a_dnpat: %s\n",
- b->a_dnpat, 0, 0);
+ /* AND <who> clauses */
+ if ( b->a_dn_pat != NULL ) {
+ Debug( LDAP_DEBUG_TRACE, "<= check a_dn_pat: %s\n",
+ b->a_dn_pat, 0, 0);
/*
* if access applies to the entry itself, and the
* user is bound as somebody in the same namespace as
* the entry, OR the given dn matches the dn pattern
*/
- if ( strcasecmp( b->a_dnpat, "self" ) == 0 &&
- op->o_dn != NULL && *(op->o_dn) && e->e_dn != NULL )
- {
- if ( strcasecmp( edn, op->o_dn ) == 0 ) {
- Debug( LDAP_DEBUG_ACL,
- "<= acl_access_allowed: matched by clause #%d access %s\n",
- i, (b->a_access & ~ACL_SELF) >=
- access ? "granted" : "denied", 0 );
-
- if ( odn ) free( odn );
- return( (b->a_access & ~ACL_SELF) >= access );
+ if ( strcasecmp( b->a_dn_pat, "anonymous" ) == 0 ) {
+ if (op->o_ndn != NULL && op->o_ndn[0] != '\0' ) {
+ continue;
}
- } else {
- if ( regex_matches( b->a_dnpat, odn, edn, matches ) ) {
- Debug( LDAP_DEBUG_ACL,
- "<= acl_access_allowed: matched by clause #%d access %s\n",
- i, (b->a_access & ~ACL_SELF) >= access ?
- "granted" : "denied", 0 );
-
- if ( odn ) free( odn );
- return( (b->a_access & ~ACL_SELF) >= access );
+
+ } else if ( strcasecmp( b->a_dn_pat, "self" ) == 0 ) {
+ if( op->o_ndn == NULL || op->o_ndn[0] == '\0' ) {
+ continue;
+ }
+
+ if ( e->e_dn == NULL || strcmp( edn, op->o_ndn ) != 0 ) {
+ continue;
}
+
+ } else if ( strcmp( b->a_dn_pat, ".*" ) != 0 &&
+ !regex_matches( b->a_dn_pat, op->o_ndn, edn, matches ) )
+ {
+ continue;
+ }
+ }
+
+ if ( b->a_sockurl_pat != NULL ) {
+ Debug( LDAP_DEBUG_ARGS, "<= check a_sockurl_pat: %s\n",
+ b->a_sockurl_pat, 0, 0 );
+
+ if ( strcmp( b->a_sockurl_pat, ".*" ) != 0 &&
+ !regex_matches( b->a_sockurl_pat, conn->c_listener_url,
+ edn, matches ) )
+ {
+ continue;
}
}
- if ( b->a_addrpat != NULL ) {
- if ( regex_matches( b->a_addrpat, conn->c_addr, edn, matches ) ) {
- Debug( LDAP_DEBUG_ACL,
- "<= acl_access_allowed: matched by clause #%d access %s\n",
- i, (b->a_access & ~ACL_SELF) >= access ?
- "granted" : "denied", 0 );
-
- if ( odn ) free( odn );
- return( (b->a_access & ~ACL_SELF) >= access );
+
+ if ( b->a_domain_pat != NULL ) {
+ Debug( LDAP_DEBUG_ARGS, "<= check a_domain_pat: %s\n",
+ b->a_domain_pat, 0, 0 );
+
+ if ( strcmp( b->a_domain_pat, ".*" ) != 0 &&
+ !regex_matches( b->a_domain_pat, conn->c_peer_domain,
+ edn, matches ) )
+ {
+ continue;
}
}
- if ( b->a_domainpat != NULL ) {
- Debug( LDAP_DEBUG_ARGS, "<= check a_domainpath: %s\n",
- b->a_domainpat, 0, 0 );
- if ( regex_matches( b->a_domainpat, conn->c_domain, edn, matches ) )
+
+ if ( b->a_peername_pat != NULL ) {
+ Debug( LDAP_DEBUG_ARGS, "<= check a_peername_path: %s\n",
+ b->a_peername_pat, 0, 0 );
+
+ if ( strcmp( b->a_peername_pat, ".*" ) != 0 &&
+ !regex_matches( b->a_peername_pat, conn->c_peer_name,
+ edn, matches ) )
{
- Debug( LDAP_DEBUG_ACL,
- "<= acl_access_allowed: matched by clause #%d access %s\n",
- i, (b->a_access & ~ACL_SELF) >= access ?
- "granted" : "denied", 0 );
+ continue;
+ }
+ }
+
+ if ( b->a_sockname_pat != NULL ) {
+ Debug( LDAP_DEBUG_ARGS, "<= check a_sockname_path: %s\n",
+ b->a_sockname_pat, 0, 0 );
- if ( odn ) free( odn );
- return( (b->a_access & ~ACL_SELF) >= access );
+ if ( strcmp( b->a_sockname_pat, ".*" ) != 0 &&
+ !regex_matches( b->a_sockname_pat, conn->c_sock_name,
+ edn, matches ) )
+ {
+ continue;
}
}
- if ( b->a_dnattr != NULL && op->o_dn != NULL ) {
- Debug( LDAP_DEBUG_ARGS, "<= check a_dnattr: %s\n",
- b->a_dnattr, 0, 0);
- /* see if asker is listed in dnattr */
- if ( (at = attr_find( e->e_attrs, b->a_dnattr )) != NULL &&
+
+ if ( b->a_dn_at != NULL && op->o_ndn != NULL ) {
+ Attribute *at;
+ struct berval bv;
+
+ Debug( LDAP_DEBUG_ARGS, "<= check a_dn_at: %s\n",
+ b->a_dn_at, 0, 0);
+
+ bv.bv_val = op->o_ndn;
+ bv.bv_len = strlen( bv.bv_val );
+
+ /* see if asker is listed in dnattr */
+ if ( (at = attr_find( e->e_attrs, b->a_dn_at )) != NULL &&
value_find( at->a_vals, &bv, at->a_syntax, 3 ) == 0 )
{
- if ( (b->a_access & ACL_SELF) &&
+ if ( ACL_IS_SELF(b->a_access) &&
(val == NULL || value_cmp( &bv, val, at->a_syntax, 2 )) )
{
continue;
}
- if ( odn ) free( odn );
- Debug( LDAP_DEBUG_ACL,
- "<= acl_acces_allowed: matched by clause #%d access %s\n",
- i, (b->a_access & ~ACL_SELF) >= access ?
- "granted" : "denied", 0 );
-
- return( (b->a_access & ~ACL_SELF) >= access );
- }
-
/* asker not listed in dnattr - check for self access */
- if ( ! (b->a_access & ACL_SELF) || val == NULL ||
+ } else if ( ! ACL_IS_SELF(b->a_access) || val == NULL ||
value_cmp( &bv, val, at->a_syntax, 2 ) != 0 )
{
continue;
}
-
- if ( odn ) free( odn );
- Debug( LDAP_DEBUG_ACL,
- "<= acl_access_allowed: matched by clause #%d (self) access %s\n",
- i, (b->a_access & ~ACL_SELF) >= access ? "granted"
- : "denied", 0 );
-
- return( (b->a_access & ~ACL_SELF) >= access );
}
-#ifdef ACLGROUP
- if ( b->a_group != NULL && op->o_dn != NULL ) {
- char buf[512];
+
+ if ( b->a_group_pat != NULL && op->o_ndn != NULL ) {
+ char buf[1024];
/* b->a_group is an unexpanded entry name, expanded it should be an
* entry with objectclass group* and we test to see if odn is one of
- * the values in the attribute uniquegroup
+ * the values in the attribute group
*/
- Debug( LDAP_DEBUG_ARGS, "<= check a_group: %s\n",
- b->a_group, 0, 0);
- Debug( LDAP_DEBUG_ARGS, "<= check a_group: odn: %s\n",
- odn, 0, 0);
-
/* see if asker is listed in dnattr */
- string_expand(buf, sizeof(buf), b->a_group, edn, matches);
-
- if (be_group(be, buf, odn) == 0) {
- Debug( LDAP_DEBUG_ACL,
- "<= acl_access_allowed: matched by clause #%d (group) access granted\n",
- i, 0, 0 );
- if ( odn ) free( odn );
- return( (b->a_access & ~ACL_SELF) >= access );
+ string_expand(buf, sizeof(buf), b->a_group_pat, edn, matches);
+ if ( dn_normalize_case(buf) == NULL ) {
+ /* did not expand to a valid dn */
+ continue;
+ }
+
+ if (backend_group(be, e, buf, op->o_ndn,
+ b->a_group_oc, b->a_group_at) != 0)
+ {
+ continue;
}
}
-#endif /* ACLGROUP */
+
+ Debug( LDAP_DEBUG_ACL,
+ "<= acl_access_allowed: matched by clause #%d access %s\n",
+ i,
+ ACL_GRANT(b->a_access, access) ? "granted" : "denied",
+ 0 );
+
+ return ACL_GRANT(b->a_access, access );
}
- if ( odn ) free( odn );
Debug( LDAP_DEBUG_ACL,
"<= acl_access_allowed: %s by default (no matching by)\n",
default_access >= access ? "granted" : "denied", 0, 0 );
}
/*
- * acl_check_mods - check access control on the given entry to see if
+ * acl_check_modlist - check access control on the given entry to see if
* it allows the given modifications by the user associated with op.
* returns LDAP_SUCCESS mods allowed ok
* anything else mods not allowed - return is an error
*/
int
-acl_check_mods(
+acl_check_modlist(
Backend *be,
Connection *conn,
Operation *op,
Entry *e,
- LDAPMod *mods
+ LDAPModList *mlist
)
{
int i;
- struct acl *a;
- char *edn;
-
- edn = dn_normalize_case( strdup( e->e_dn ) );
+ AccessControl *a;
+ char *edn = e->e_ndn;
- for ( ; mods != NULL; mods = mods->mod_next ) {
+ for ( ; mlist != NULL; mlist = mlist->ml_next ) {
regmatch_t matches[MAXREMATCHES];
/* the lastmod attributes are ignored by ACL checking */
- if ( strcasecmp( mods->mod_type, "modifiersname" ) == 0 ||
- strcasecmp( mods->mod_type, "modifytimestamp" ) == 0 ||
- strcasecmp( mods->mod_type, "creatorsname" ) == 0 ||
- strcasecmp( mods->mod_type, "createtimestamp" ) == 0 )
- {
- Debug( LDAP_DEBUG_ACL, "LASTMOD attribute: %s access allowed\n",
- mods->mod_type, 0, 0 );
+ if ( oc_check_no_usermod_attr( mlist->ml_type ) ) {
+ Debug( LDAP_DEBUG_ACL, "Operational attribute: %s access allowed\n",
+ mlist->ml_type, 0, 0 );
continue;
}
- a = acl_get_applicable( be, op, e, mods->mod_type, edn,
+ a = acl_get_applicable( be, op, e, mlist->ml_type,
MAXREMATCHES, matches );
- switch ( mods->mod_op & ~LDAP_MOD_BVALUES ) {
+ switch ( mlist->ml_op & ~LDAP_MOD_BVALUES ) {
case LDAP_MOD_REPLACE:
case LDAP_MOD_ADD:
- if ( mods->mod_bvalues == NULL ) {
+ if ( mlist->ml_bvalues == NULL ) {
break;
}
- for ( i = 0; mods->mod_bvalues[i] != NULL; i++ ) {
- if ( ! acl_access_allowed( a, be, conn, e, mods->mod_bvalues[i],
+ for ( i = 0; mlist->ml_bvalues[i] != NULL; i++ ) {
+ if ( ! acl_access_allowed( a, be, conn, e, mlist->ml_bvalues[i],
op, ACL_WRITE, edn, matches) )
{
- free(edn);
return( LDAP_INSUFFICIENT_ACCESS );
}
}
break;
case LDAP_MOD_DELETE:
- if ( mods->mod_bvalues == NULL ) {
+ if ( mlist->ml_bvalues == NULL ) {
if ( ! acl_access_allowed( a, be, conn, e,
NULL, op, ACL_WRITE, edn, matches) )
{
- free(edn);
return( LDAP_INSUFFICIENT_ACCESS );
}
break;
}
- for ( i = 0; mods->mod_bvalues[i] != NULL; i++ ) {
- if ( ! acl_access_allowed( a, be, conn, e, mods->mod_bvalues[i],
+ for ( i = 0; mlist->ml_bvalues[i] != NULL; i++ ) {
+ if ( ! acl_access_allowed( a, be, conn, e, mlist->ml_bvalues[i],
op, ACL_WRITE, edn, matches) )
{
- free(edn);
return( LDAP_INSUFFICIENT_ACCESS );
}
}
}
}
- free(edn);
return( LDAP_SUCCESS );
}
-static string_expand(
+static void
+string_expand(
char *newbuf,
int bufsiz,
char *pat,
newbuf[0] = '\0';
flag = 0;
- for ( dp = newbuf, sp = pat; size < 512 && *sp ; sp++) {
+ for ( dp = newbuf, sp = pat; size < bufsiz && *sp ; sp++) {
/* did we previously see a $ */
if (flag) {
if (*sp == '$') {
} else if (*sp >= '0' && *sp <= '9' ) {
int n;
int i;
- char *ep;
int l;
n = *sp - '0';
char newbuf[512];
int rc;
+ if(str == NULL) str = "";
+
string_expand(newbuf, sizeof(newbuf), pat, buf, matches);
if (( rc = regcomp(&re, newbuf, REG_EXTENDED|REG_ICASE))) {
char error[512];