/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 1998-2008 The OpenLDAP Foundation.
+ * Copyright 1998-2009 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
slap_access_t access );
static int regex_matches(
- struct berval *pat, char *str, char *buf,
+ struct berval *pat, char *str,
+ struct berval *dn_matches, struct berval *val_matches,
AclRegexMatches *matches);
typedef struct AclSetCookie {
( sizeof ( (m)->dn_data ) / sizeof( *(m)->dn_data ) )
#define MATCHES_VALMAXCOUNT(m) \
( sizeof ( (m)->val_data ) / sizeof( *(m)->val_data ) )
-#define MATCHES_MEMSET(m) { \
+#define MATCHES_MEMSET(m) do { \
memset( (m)->dn_data, '\0', sizeof( (m)->dn_data ) ); \
memset( (m)->val_data, '\0', sizeof( (m)->val_data ) ); \
(m)->dn_count = MATCHES_DNMAXCOUNT( (m) ); \
/* DN matches */
for ( i = 0; i < dnmaxcount && dn_data[i].rm_eo > 0; i++ ) {
- char *debugmsg = "=> match[dn%d]: %d %d ";
char *data = e->e_ndn;
- Debug( LDAP_DEBUG_ACL, debugmsg, i,
+ Debug( LDAP_DEBUG_ACL, "=> match[dn%d]: %d %d ", i,
(int)dn_data[i].rm_so,
(int)dn_data[i].rm_eo );
if ( dn_data[i].rm_so <= dn_data[0].rm_eo ) {
/* val matches */
for ( i = 0; i < valmaxcount && val_data[i].rm_eo > 0; i++ ) {
- char *debugmsg = "=> match[val%d]: %d %d ";
char *data = val->bv_val;
- Debug( LDAP_DEBUG_ACL, debugmsg, i,
+ Debug( LDAP_DEBUG_ACL, "=> match[val%d]: %d %d ", i,
(int)val_data[i].rm_so,
(int)val_data[i].rm_eo );
if ( val_data[i].rm_so <= val_data[0].rm_eo ) {
AccessControlState *state )
{
const char *attr;
- int dnlen, patlen;
+ ber_len_t dnlen;
AccessControl *prev;
assert( e != NULL );
continue;
} else {
+ ber_len_t patlen;
+
Debug( LDAP_DEBUG_ACL, "=> dn: [%d] %s\n",
*count, a->acl_dn_pat.bv_val, 0 );
patlen = a->acl_dn_pat.bv_len;
} else if ( a->acl_dn_style == ACL_STYLE_ONE ) {
ber_len_t rdnlen = 0;
- int sep = 0;
+ ber_len_t sep = 0;
if ( dnlen <= patlen )
continue;
}
rdnlen = dn_rdnlen( NULL, &e->e_nname );
- if ( rdnlen != dnlen - patlen - sep )
+ if ( rdnlen + patlen + sep != dnlen )
continue;
} else if ( a->acl_dn_style == ACL_STYLE_SUBTREE ) {
}
if ( a->acl_attrval_style == ACL_STYLE_REGEX ) {
- int rc;
-
Debug( LDAP_DEBUG_ACL,
"acl_get: valpat %s\n",
a->acl_attrval.bv_val, 0, 0 );
- if ( rc = regexec ( &a->acl_attrval_re,
+ if ( regexec ( &a->acl_attrval_re,
val->bv_val,
matches->val_count,
matches->val_data, 0 ) )
continue;
} else {
- int patlen, vdnlen;
+ ber_len_t patlen, vdnlen;
patlen = a->acl_attrval.bv_len;
vdnlen = val->bv_len;
continue;
rdnlen = dn_rdnlen( NULL, val );
- if ( rdnlen != vdnlen - patlen - 1 )
+ if ( rdnlen + patlen + 1 != vdnlen )
continue;
} else if ( a->acl_attrval_style == ACL_STYLE_SUBTREE ) {
acl_mask_dn(
Operation *op,
Entry *e,
- AttributeDescription *desc,
struct berval *val,
AccessControl *a,
AclRegexMatches *matches,
AclRegexMatches tmp_matches,
*tmp_matchesp = &tmp_matches;
int rc = 0;
- int dnoffset;
regmatch_t *tmp_data;
MATCHES_MEMSET( &tmp_matches );
}
if ( !regex_matches( &bdn->a_pat, opndn->bv_val,
- e->e_ndn, tmp_matchesp ) )
+ &e->e_nname, NULL, tmp_matchesp ) )
{
return 1;
}
}
if ( acl_string_expand( &bv, &bdn->a_pat,
- e->e_nname.bv_val,
- val->bv_val, tmp_matchesp ) )
+ &e->e_nname,
+ val, tmp_matchesp ) )
{
return 1;
}
Entry *e,
struct berval *val,
AccessControl *a,
- Access *b,
- int i,
- AclRegexMatches *matches,
int count,
AccessControlState *state,
slap_dn_access *bdn,
char accessmaskbuf[ACCESSMASK_MAXLEN];
#endif /* DEBUG */
const char *attr;
+#ifdef SLAP_DYNACL
slap_mask_t a2pmask = ACL_ACCESS2PRIV( access );
+#endif /* SLAP_DYNACL */
assert( a != NULL );
assert( mask != NULL );
* is maintained in a_dn_pat.
*/
- if ( acl_mask_dn( op, e, desc, val, a, matches,
+ if ( acl_mask_dn( op, e, val, a, matches,
&b->a_dn, &op->o_ndn ) )
{
continue;
ndn = op->o_ndn;
}
- if ( acl_mask_dn( op, e, desc, val, a, matches,
+ if ( acl_mask_dn( op, e, val, a, matches,
&b->a_realdn, &ndn ) )
{
continue;
if ( !ber_bvccmp( &b->a_sockurl_pat, '*' ) ) {
if ( b->a_sockurl_style == ACL_STYLE_REGEX) {
- if (!regex_matches( &b->a_sockurl_pat, op->o_conn->c_listener_url.bv_val,
- e->e_ndn, matches ) )
+ if ( !regex_matches( &b->a_sockurl_pat, op->o_conn->c_listener_url.bv_val,
+ &e->e_nname, val, matches ) )
{
continue;
}
bv.bv_len = sizeof( buf ) - 1;
bv.bv_val = buf;
- if ( acl_string_expand( &bv, &b->a_sockurl_pat, e->e_ndn, val->bv_val, matches ) )
+ if ( acl_string_expand( &bv, &b->a_sockurl_pat, &e->e_nname, val, matches ) )
{
continue;
}
b->a_domain_pat.bv_val, 0, 0 );
if ( !ber_bvccmp( &b->a_domain_pat, '*' ) ) {
if ( b->a_domain_style == ACL_STYLE_REGEX) {
- if (!regex_matches( &b->a_domain_pat, op->o_conn->c_peer_domain.bv_val,
- e->e_ndn, matches ) )
+ if ( !regex_matches( &b->a_domain_pat, op->o_conn->c_peer_domain.bv_val,
+ &e->e_nname, val, matches ) )
{
continue;
}
bv.bv_len = sizeof(buf) - 1;
bv.bv_val = buf;
- if ( acl_string_expand(&bv, &b->a_domain_pat, e->e_ndn, val->bv_val, matches) )
+ if ( acl_string_expand(&bv, &b->a_domain_pat, &e->e_nname, val, matches) )
{
continue;
}
b->a_peername_pat.bv_val, 0, 0 );
if ( !ber_bvccmp( &b->a_peername_pat, '*' ) ) {
if ( b->a_peername_style == ACL_STYLE_REGEX ) {
- if (!regex_matches( &b->a_peername_pat, op->o_conn->c_peer_name.bv_val,
- e->e_ndn, matches ) )
+ if ( !regex_matches( &b->a_peername_pat, op->o_conn->c_peer_name.bv_val,
+ &e->e_nname, val, matches ) )
{
continue;
}
bv.bv_len = sizeof( buf ) - 1;
bv.bv_val = buf;
- if ( acl_string_expand( &bv, &b->a_peername_pat, e->e_ndn, val->bv_val, matches ) )
+ if ( acl_string_expand( &bv, &b->a_peername_pat, &e->e_nname, val, matches ) )
{
continue;
}
b->a_sockname_pat.bv_val, 0, 0 );
if ( !ber_bvccmp( &b->a_sockname_pat, '*' ) ) {
if ( b->a_sockname_style == ACL_STYLE_REGEX) {
- if (!regex_matches( &b->a_sockname_pat, op->o_conn->c_sock_name.bv_val,
- e->e_ndn, matches ) )
+ if ( !regex_matches( &b->a_sockname_pat, op->o_conn->c_sock_name.bv_val,
+ &e->e_nname, val, matches ) )
{
continue;
}
bv.bv_len = sizeof( buf ) - 1;
bv.bv_val = buf;
- if ( acl_string_expand( &bv, &b->a_sockname_pat, e->e_ndn, val->bv_val, matches ) )
+ if ( acl_string_expand( &bv, &b->a_sockname_pat, &e->e_nname, val, matches ) )
{
continue;
}
}
if ( b->a_dn_at != NULL ) {
- if ( acl_mask_dnattr( op, e, val, a, b, i,
- matches, count, state,
+ if ( acl_mask_dnattr( op, e, val, a,
+ count, state,
&b->a_dn, &op->o_ndn ) )
{
continue;
ndn = op->o_ndn;
}
- if ( acl_mask_dnattr( op, e, val, a, b, i,
- matches, count, state,
+ if ( acl_mask_dnattr( op, e, val, a,
+ count, state,
&b->a_realdn, &ndn ) )
{
continue;
}
if ( acl_string_expand( &bv, &b->a_group_pat,
- e->e_nname.bv_val, val->bv_val,
+ &e->e_nname, val,
tmp_matchesp ) )
{
continue;
}
if ( acl_string_expand( &bv, &b->a_set_pat,
- e->e_nname.bv_val, val->bv_val,
+ &e->e_nname, val,
tmp_matchesp ) )
{
continue;
* an API update
*/
(void)da->da_mask( da->da_private, op, e, desc,
- val, matches.dn_count, matches.dn_data,
+ val, matches->dn_count, matches->dn_data,
&grant, &deny );
tgrant |= grant;
acl_string_expand(
struct berval *bv,
struct berval *pat,
- char *dn_match,
- char *val_match,
+ struct berval *dn_matches,
+ struct berval *val_matches,
AclRegexMatches *matches)
{
ber_len_t size;
case DN_FLAG:
nm = matches->dn_count;
m = matches->dn_data;
- data = dn_match;
+ data = dn_matches ? dn_matches->bv_val : NULL;
break;
case VAL_FLAG:
nm = matches->val_count;
m = matches->val_data;
- data = val_match;
+ data = val_matches ? val_matches->bv_val : NULL;
break;
+ default:
+ assert( 0 );
}
if ( n >= nm ) {
/* FIXME: error */
regex_matches(
struct berval *pat, /* pattern to expand and match against */
char *str, /* string to match against pattern */
- char *buf, /* buffer with $N expansion variables */
+ struct berval *dn_matches, /* buffer with $N expansion variables from DN */
+ struct berval *val_matches, /* buffer with $N expansion variables from val */
AclRegexMatches *matches /* offsets in buffer for $N expansion variables */
)
{
str = "";
};
- acl_string_expand( &bv, pat, buf, NULL, matches );
+ acl_string_expand( &bv, pat, dn_matches, val_matches, matches );
rc = regcomp( &re, newbuf, REG_EXTENDED|REG_ICASE );
if ( rc ) {
char error[ACL_BUF_SIZE];
projects / openldap / blobdiff