/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 1998-2003 The OpenLDAP Foundation.
+ * Copyright 1998-2004 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
#include "lber_pvt.h"
#include "lutil.h"
-static char *style_strings[] = { "regex",
- "base", "one", "subtree", "children", NULL };
+static char *style_strings[] = {
+ "regex",
+ "expand",
+ "base",
+ "one",
+ "subtree",
+ "children",
+ "attrof",
+ "ip",
+ "path",
+ NULL
+};
static void split(char *line, int splitchar, char **left, char **right);
static void access_append(Access **l, Access *a);
static void print_access(Access *b);
#endif
+#ifdef LDAP_DEVEL
+static int
+check_scope( BackendDB *be, AccessControl *a );
+#endif /* LDAP_DEVEL */
+
+#ifdef SLAP_DYNACL
+static int
+slap_dynacl_config( const char *fname, int lineno, Access *b, const char *name, slap_style_t sty, const char *right )
+{
+ slap_dynacl_t *da, *tmp;
+ int rc = 0;
+
+ for ( da = b->a_dynacl; da; da = da->da_next ) {
+ if ( strcasecmp( da->da_name, name ) == 0 ) {
+ fprintf( stderr,
+ "%s: line %d: dynacl \"%s\" already specified.\n",
+ fname, lineno, name );
+ acl_usage();
+ }
+ }
+
+ da = slap_dynacl_get( name );
+ if ( da == NULL ) {
+ return -1;
+ }
+
+ tmp = ch_malloc( sizeof( slap_dynacl_t ) );
+ *tmp = *da;
+
+ if ( tmp->da_parse ) {
+ rc = ( *tmp->da_parse )( fname, lineno, sty, right, &tmp->da_private );
+ if ( rc ) {
+ ch_free( tmp );
+ return rc;
+ }
+ }
+
+ tmp->da_next = b->a_dynacl;
+ b->a_dynacl = tmp;
+
+ return 0;
+}
+#endif /* SLAP_DYNACL */
+
static void
regtest(const char *fname, int lineno, char *pat) {
int e;
}
*dp = '\0';
- if ( size >= (sizeof(buf)-1) ) {
+ if ( size >= (sizeof(buf) - 1) ) {
fprintf( stderr,
"%s: line %d: regular expression \"%s\" too large\n",
fname, lineno, pat );
regfree(&re);
}
+#ifdef LDAP_DEVEL
+/*
+ * Experimental
+ *
+ * Check if the pattern of an ACL, if any, matches the scope
+ * of the backend it is defined within.
+ */
+#define ACL_SCOPE_UNKNOWN (-2)
+#define ACL_SCOPE_ERR (-1)
+#define ACL_SCOPE_OK (0)
+#define ACL_SCOPE_PARTIAL (1)
+#define ACL_SCOPE_WARN (2)
+
+static int
+check_scope( BackendDB *be, AccessControl *a )
+{
+ int patlen;
+ struct berval dn;
+
+ dn = be->be_nsuffix[0];
+
+ if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
+ a->acl_dn_style != ACL_STYLE_REGEX )
+ {
+ slap_style_t style = a->acl_dn_style;
+
+ if ( style == ACL_STYLE_REGEX ) {
+ char dnbuf[SLAP_LDAPDN_MAXLEN + 2];
+ char rebuf[SLAP_LDAPDN_MAXLEN + 1];
+ ber_len_t rebuflen;
+ regex_t re;
+ int rc;
+
+ /* add trailing '$' to database suffix to form
+ * a simple trial regex pattern "<suffix>$" */
+ AC_MEMCPY( dnbuf, be->be_nsuffix[0].bv_val,
+ be->be_nsuffix[0].bv_len );
+ dnbuf[be->be_nsuffix[0].bv_len] = '$';
+ dnbuf[be->be_nsuffix[0].bv_len + 1] = '\0';
+
+ if ( regcomp( &re, dnbuf, REG_EXTENDED|REG_ICASE ) ) {
+ return ACL_SCOPE_WARN;
+ }
+
+ /* remove trailing ')$', if any, from original
+ * regex pattern */
+ rebuflen = a->acl_dn_pat.bv_len;
+ AC_MEMCPY( rebuf, a->acl_dn_pat.bv_val, rebuflen + 1 );
+ if ( rebuf[rebuflen - 1] == '$' ) {
+ rebuf[--rebuflen] = '\0';
+ }
+ while ( rebuflen > be->be_nsuffix[0].bv_len && rebuf[rebuflen - 1] == ')' ) {
+ rebuf[--rebuflen] = '\0';
+ }
+ if ( rebuflen == be->be_nsuffix[0].bv_len ) {
+ rc = ACL_SCOPE_WARN;
+ goto regex_done;
+ }
+
+ /* not a clear indication of scoping error, though */
+ rc = regexec( &re, rebuf, 0, NULL, 0 )
+ ? ACL_SCOPE_WARN : ACL_SCOPE_OK;
+
+regex_done:;
+ regfree( &re );
+ return rc;
+ }
+
+ patlen = a->acl_dn_pat.bv_len;
+ /* If backend suffix is longer than pattern,
+ * it is a potential mismatch (in the sense
+ * that a superior naming context could
+ * match */
+ if ( dn.bv_len > patlen ) {
+ /* base is blatantly wrong */
+ if ( style == ACL_STYLE_BASE ) return ACL_SCOPE_ERR;
+
+ /* a style of one can be wrong if there is
+ * more than one level between the suffix
+ * and the pattern */
+ if ( style == ACL_STYLE_ONE ) {
+ int rdnlen = -1, sep = 0;
+
+ if ( patlen > 0 ) {
+ if ( !DN_SEPARATOR( dn.bv_val[dn.bv_len - patlen - 1] )) {
+ return ACL_SCOPE_ERR;
+ }
+ sep = 1;
+ }
+
+ rdnlen = dn_rdnlen( NULL, &dn );
+ if ( rdnlen != dn.bv_len - patlen - sep )
+ return ACL_SCOPE_ERR;
+ }
+
+ /* if the trailing part doesn't match,
+ * then it's an error */
+ if ( strcmp( a->acl_dn_pat.bv_val,
+ &dn.bv_val[dn.bv_len - patlen] ) != 0 )
+ {
+ return ACL_SCOPE_ERR;
+ }
+
+ return ACL_SCOPE_PARTIAL;
+ }
+
+ switch ( style ) {
+ case ACL_STYLE_BASE:
+ case ACL_STYLE_ONE:
+ case ACL_STYLE_CHILDREN:
+ case ACL_STYLE_SUBTREE:
+ break;
+
+ default:
+ assert( 0 );
+ break;
+ }
+
+ if ( dn.bv_len < patlen &&
+ !DN_SEPARATOR( a->acl_dn_pat.bv_val[patlen - dn.bv_len - 1] ))
+ {
+ return ACL_SCOPE_ERR;
+ }
+
+ if ( strcmp( &a->acl_dn_pat.bv_val[patlen - dn.bv_len], dn.bv_val )
+ != 0 )
+ {
+ return ACL_SCOPE_ERR;
+ }
+
+ return ACL_SCOPE_OK;
+ }
+
+ return ACL_SCOPE_UNKNOWN;
+}
+#endif /* LDAP_DEVEL */
+
void
parse_acl(
Backend *be,
)
{
int i;
- char *left, *right, *style;
+ char *left, *right, *style, *next;
struct berval bv;
AccessControl *a;
Access *b;
}
if ( strcasecmp( argv[i], "*" ) == 0 ) {
- if( a->acl_dn_pat.bv_len ||
- ( a->acl_dn_style != ACL_STYLE_REGEX ) )
+ if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
+ a->acl_dn_style != ACL_STYLE_REGEX )
{
fprintf( stderr,
"%s: line %d: dn pattern"
acl_usage();
}
- a->acl_dn_pat.bv_val = ch_strdup( "*" );
- a->acl_dn_pat.bv_len = 1;
+ ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat );
continue;
}
}
if ( strcasecmp( left, "dn" ) == 0 ) {
- if( a->acl_dn_pat.bv_len != 0 ||
- ( a->acl_dn_style != ACL_STYLE_REGEX ) )
+ if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
+ a->acl_dn_style != ACL_STYLE_REGEX )
{
fprintf( stderr,
"%s: line %d: dn pattern"
}
if ( style == NULL || *style == '\0' ||
- ( strcasecmp( style, "base" ) == 0 ) ||
- ( strcasecmp( style, "exact" ) == 0 ))
+ strcasecmp( style, "baseObject" ) == 0 ||
+ strcasecmp( style, "base" ) == 0 ||
+ strcasecmp( style, "exact" ) == 0 )
{
a->acl_dn_style = ACL_STYLE_BASE;
ber_str2bv( right, 0, 1, &a->acl_dn_pat );
- } else if ( strcasecmp( style, "one" ) == 0 ) {
+ } else if ( strcasecmp( style, "oneLevel" ) == 0 ||
+ strcasecmp( style, "one" ) == 0 )
+ {
a->acl_dn_style = ACL_STYLE_ONE;
ber_str2bv( right, 0, 1, &a->acl_dn_pat );
- } else if ( strcasecmp( style, "subtree" ) == 0
- || strcasecmp( style, "sub" ) == 0 )
+ } else if ( strcasecmp( style, "subtree" ) == 0 ||
+ strcasecmp( style, "sub" ) == 0 )
{
if( *right == '\0' ) {
- a->acl_dn_pat.bv_val = ch_strdup( "*" );
- a->acl_dn_pat.bv_len = 1;
+ ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat );
} else {
a->acl_dn_style = ACL_STYLE_SUBTREE;
|| strcmp(right, ".*$$") == 0
|| strcmp(right, "^.*$$") == 0 )
{
- a->acl_dn_pat.bv_val = ch_strdup( "*" );
- a->acl_dn_pat.bv_len = sizeof("*")-1;
+ ber_str2bv( "*", STRLENOF("*"), 1, &a->acl_dn_pat );
} else {
acl_regex_normalized_dn( right, &a->acl_dn_pat );
acl_usage();
}
- } else if ( strncasecmp( left, "attr", 4 ) == 0 ) {
+ } else if ( strcasecmp( left, "attr" ) == 0
+ || strcasecmp( left, "attrs" ) == 0 ) {
a->acl_attrs = str2anlist( a->acl_attrs,
right, "," );
if ( a->acl_attrs == NULL ) {
}
} else if ( strncasecmp( left, "val", 3 ) == 0 ) {
- if ( a->acl_attrval.bv_len ) {
+ if ( !BER_BVISEMPTY( &a->acl_attrval ) ) {
fprintf( stderr,
"%s: line %d: attr val already specified in to clause.\n",
fname, lineno );
acl_usage();
}
- if ( a->acl_attrs == NULL || a->acl_attrs[1].an_name.bv_val ) {
+ if ( a->acl_attrs == NULL || !BER_BVISEMPTY( &a->acl_attrs[1].an_name ) )
+ {
fprintf( stderr,
"%s: line %d: attr val requires a single attribute.\n",
fname, lineno );
}
a->acl_attrval_style = ACL_STYLE_REGEX;
} else {
- /* FIXME: if the attribute has DN syntax,
- * we might allow one, subtree and children styles as well */
+ /* FIXME: if the attribute has DN syntax, we might
+ * allow one, subtree and children styles as well */
if ( !strcasecmp( style, "exact" ) ) {
a->acl_attrval_style = ACL_STYLE_BASE;
- } else if ( a->acl_attrs[0].an_desc->ad_type->sat_syntax == slap_schema.si_syn_distinguishedName ) {
- if ( !strcasecmp( style, "base" ) ) {
+ } else if ( a->acl_attrs[0].an_desc->ad_type->
+ sat_syntax == slap_schema.si_syn_distinguishedName )
+ {
+ if ( !strcasecmp( style, "baseObject" ) ||
+ !strcasecmp( style, "base" ) )
+ {
a->acl_attrval_style = ACL_STYLE_BASE;
- } else if ( !strcasecmp( style, "onelevel" ) || !strcasecmp( style, "one" ) ) {
+ } else if ( !strcasecmp( style, "onelevel" ) ||
+ !strcasecmp( style, "one" ) )
+ {
a->acl_attrval_style = ACL_STYLE_ONE;
- } else if ( !strcasecmp( style, "subtree" ) || !strcasecmp( style, "sub" ) ) {
+ } else if ( !strcasecmp( style, "subtree" ) ||
+ !strcasecmp( style, "sub" ) )
+ {
a->acl_attrval_style = ACL_STYLE_SUBTREE;
} else if ( !strcasecmp( style, "children" ) ) {
a->acl_attrval_style = ACL_STYLE_CHILDREN;
} else {
fprintf( stderr,
"%s: line %d: unknown val.<style> \"%s\" "
- "for attributeType \"%s\" with DN syntax; using \"base\"\n",
+ "for attributeType \"%s\" with DN syntax; "
+ "using \"base\"\n",
fname, lineno, style,
a->acl_attrs[0].an_desc->ad_cname.bv_val );
a->acl_attrval_style = ACL_STYLE_BASE;
}
}
- if ( a->acl_dn_pat.bv_len != 0 &&
- strcmp(a->acl_dn_pat.bv_val, "*") == 0 )
+ if ( !BER_BVISNULL( &a->acl_dn_pat ) &&
+ ber_bvccmp( &a->acl_dn_pat, '*' ) )
{
free( a->acl_dn_pat.bv_val );
- a->acl_dn_pat.bv_val = NULL;
- a->acl_dn_pat.bv_len = 0;
+ BER_BVZERO( &a->acl_dn_pat );
}
- if( a->acl_dn_pat.bv_len != 0 ||
- ( a->acl_dn_style != ACL_STYLE_REGEX ) )
+ if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
+ a->acl_dn_style != ACL_STYLE_REGEX )
{
if ( a->acl_dn_style != ACL_STYLE_REGEX ) {
struct berval bv;
}
free( a->acl_dn_pat.bv_val );
a->acl_dn_pat = bv;
+
} else {
int e = regcomp( &a->acl_dn_re, a->acl_dn_pat.bv_val,
REG_EXTENDED | REG_ICASE );
if ( style == NULL || *style == '\0' ||
strcasecmp( style, "exact" ) == 0 ||
+ strcasecmp( style, "baseObject" ) == 0 ||
strcasecmp( style, "base" ) == 0 )
{
sty = ACL_STYLE_BASE;
- } else if ( strcasecmp( style, "one" ) == 0 ) {
+ } else if ( strcasecmp( style, "onelevel" ) == 0 ||
+ strcasecmp( style, "one" ) == 0 )
+ {
sty = ACL_STYLE_ONE;
} else if ( strcasecmp( style, "subtree" ) == 0 ||
} else if ( strcasecmp( style, "regex" ) == 0 ) {
sty = ACL_STYLE_REGEX;
+ } else if ( strcasecmp( style, "expand" ) == 0 ) {
+ sty = ACL_STYLE_EXPAND;
+
+ } else if ( strcasecmp( style, "ip" ) == 0 ) {
+ sty = ACL_STYLE_IP;
+
+ } else if ( strcasecmp( style, "path" ) == 0 ) {
+ sty = ACL_STYLE_PATH;
+#ifndef LDAP_PF_LOCAL
+ fprintf( stderr, "%s: line %d: "
+ "path style modifier is useless without local\n",
+ fname, lineno );
+#endif /* LDAP_PF_LOCAL */
+
} else {
fprintf( stderr,
"%s: line %d: unknown style \"%s\" in by clause\n",
if ( style_modifier &&
strcasecmp( style_modifier, "expand" ) == 0 )
{
- expand = 1;
+ switch ( sty ) {
+ case ACL_STYLE_REGEX:
+ fprintf( stderr, "%s: line %d: "
+ "\"regex\" style implies "
+ "\"expand\" modifier (ignored)\n",
+ fname, lineno );
+ break;
+
+ case ACL_STYLE_EXPAND:
+#if 0
+ /* FIXME: now it's legal... */
+ fprintf( stderr, "%s: line %d: "
+ "\"expand\" style used "
+ "in conjunction with "
+ "\"expand\" modifier (ignored)\n",
+ fname, lineno );
+#endif
+ break;
+
+ default:
+ /* we'll see later if it's pertinent */
+ expand = 1;
+ break;
+ }
+ }
+
+ /* expand in <who> needs regex in <what> */
+ if ( ( sty == ACL_STYLE_EXPAND || expand )
+ && a->acl_dn_style != ACL_STYLE_REGEX )
+ {
+ fprintf( stderr, "%s: line %d: "
+ "\"expand\" style or modifier used "
+ "in conjunction with "
+ "a non-regex <what> clause\n",
+ fname, lineno );
}
if ( strcasecmp( argv[i], "*" ) == 0 ) {
- bv.bv_val = ch_strdup( "*" );
- bv.bv_len = 1;
+ ber_str2bv( "*", STRLENOF( "*" ), 1, &bv );
sty = ACL_STYLE_REGEX;
} else if ( strcasecmp( argv[i], "anonymous" ) == 0 ) {
- ber_str2bv("anonymous", sizeof("anonymous")-1, 1, &bv);
- sty = ACL_STYLE_REGEX;
-
- } else if ( strcasecmp( argv[i], "self" ) == 0 ) {
- ber_str2bv("self", sizeof("self")-1, 1, &bv);
- sty = ACL_STYLE_REGEX;
+ ber_str2bv("anonymous", STRLENOF( "anonymous" ), 1, &bv);
+ sty = ACL_STYLE_ANONYMOUS;
} else if ( strcasecmp( argv[i], "users" ) == 0 ) {
- ber_str2bv("users", sizeof("users")-1, 1, &bv);
- sty = ACL_STYLE_REGEX;
+ ber_str2bv("users", STRLENOF( "users" ), 1, &bv);
+ sty = ACL_STYLE_USERS;
+
+ } else if ( strcasecmp( argv[i], "self" ) == 0 ) {
+ ber_str2bv("self", STRLENOF( "self" ), 1, &bv);
+ sty = ACL_STYLE_SELF;
} else if ( strcasecmp( left, "dn" ) == 0 ) {
if ( sty == ACL_STYLE_REGEX ) {
b->a_dn_style = ACL_STYLE_REGEX;
- if( right == NULL ) {
+ if ( right == NULL ) {
/* no '=' */
ber_str2bv("users",
- sizeof("users")-1,
+ STRLENOF( "users" ),
1, &bv);
+ b->a_dn_style = ACL_STYLE_USERS;
+
} else if (*right == '\0' ) {
/* dn="" */
ber_str2bv("anonymous",
- sizeof("anonymous")-1,
+ STRLENOF( "anonymous" ),
1, &bv);
+ b->a_dn_style = ACL_STYLE_ANONYMOUS;
+
} else if ( strcmp( right, "*" ) == 0 ) {
/* dn=* */
/* any or users? users for now */
ber_str2bv("users",
- sizeof("users")-1,
+ STRLENOF( "users" ),
1, &bv);
+ b->a_dn_style = ACL_STYLE_USERS;
+
} else if ( strcmp( right, ".+" ) == 0
|| strcmp( right, "^.+" ) == 0
|| strcmp( right, ".+$" ) == 0
|| strcmp( right, "^.+$$" ) == 0 )
{
ber_str2bv("users",
- sizeof("users")-1,
+ STRLENOF( "users" ),
1, &bv);
+ b->a_dn_style = ACL_STYLE_USERS;
+
} else if ( strcmp( right, ".*" ) == 0
|| strcmp( right, "^.*" ) == 0
|| strcmp( right, ".*$" ) == 0
|| strcmp( right, "^.*$$" ) == 0 )
{
ber_str2bv("*",
- sizeof("*")-1,
+ STRLENOF( "*" ),
1, &bv);
} else {
acl_regex_normalized_dn( right, &bv );
if ( !ber_bvccmp( &bv, '*' ) ) {
- regtest(fname, lineno, bv.bv_val);
+ regtest( fname, lineno, bv.bv_val );
}
}
+
} else if ( right == NULL || *right == '\0' ) {
fprintf( stderr, "%s: line %d: "
"missing \"=\" in (or value after) \"%s\" "
}
} else {
- bv.bv_val = NULL;
+ BER_BVZERO( &bv );
}
- if( bv.bv_val != NULL ) {
- if( b->a_dn_pat.bv_len != 0 ) {
+ if ( !BER_BVISNULL( &bv ) ) {
+ if ( !BER_BVISEMPTY( &b->a_dn_pat ) ) {
fprintf( stderr,
"%s: line %d: dn pattern already specified.\n",
fname, lineno );
acl_usage();
}
- if ( sty != ACL_STYLE_REGEX && expand == 0 ) {
+ if ( sty != ACL_STYLE_REGEX &&
+ sty != ACL_STYLE_ANONYMOUS &&
+ sty != ACL_STYLE_USERS &&
+ sty != ACL_STYLE_SELF &&
+ expand == 0 )
+ {
rc = dnNormalize(0, NULL, NULL,
&bv, &b->a_dn_pat, NULL);
if ( rc != LDAP_SUCCESS ) {
fname, lineno, bv.bv_val );
acl_usage();
}
- free(bv.bv_val);
+ free( bv.bv_val );
+
} else {
b->a_dn_pat = bv;
}
}
if ( strcasecmp( left, "dnattr" ) == 0 ) {
- if ( right == NULL || right[ 0 ] == '\0' ) {
- fprintf( stderr,
- "%s: line %d: missing \"=\" in (or value after) \"%s\" in by clause\n",
+ if ( right == NULL || right[0] == '\0' ) {
+ fprintf( stderr, "%s: line %d: "
+ "missing \"=\" in (or value after) \"%s\" "
+ "in by clause\n",
fname, lineno, left );
acl_usage();
}
continue;
}
- if ( strncasecmp( left, "group", sizeof("group")-1 ) == 0 ) {
+ if ( strncasecmp( left, "group", STRLENOF( "group" ) ) == 0 ) {
char *name = NULL;
char *value = NULL;
- if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
+ switch ( sty ) {
+ case ACL_STYLE_REGEX:
+ /* legacy, tolerated */
+ fprintf( stderr, "%s: line %d: "
+ "deprecated group style \"regex\"; "
+ "use \"expand\" instead\n",
+ fname, lineno, style );
+ sty = ACL_STYLE_EXPAND;
+ break;
+
+ case ACL_STYLE_BASE:
+ /* legal, traditional */
+ case ACL_STYLE_EXPAND:
+ /* legal, substring expansion; supersedes regex */
+ break;
+
+ default:
+ /* unknown */
fprintf( stderr, "%s: line %d: "
"inappropriate style \"%s\" in by clause\n",
- fname, lineno, style );
+ fname, lineno, style );
acl_usage();
}
- if ( right == NULL || right[ 0 ] == '\0' ) {
+ if ( right == NULL || right[0] == '\0' ) {
fprintf( stderr, "%s: line %d: "
"missing \"=\" in (or value after) \"%s\" "
"in by clause\n",
acl_usage();
}
- if( b->a_group_pat.bv_len ) {
+ if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
fprintf( stderr,
"%s: line %d: group pattern already specified.\n",
fname, lineno );
/* format of string is
"group/objectClassValue/groupAttrName" */
- if ((value = strchr(left, '/')) != NULL) {
+ if ( ( value = strchr(left, '/') ) != NULL ) {
*value++ = '\0';
- if (*value && (name = strchr(value, '/')) != NULL) {
+ if ( *value && ( name = strchr( value, '/' ) ) != NULL ) {
*name++ = '\0';
}
}
b->a_group_style = sty;
- if (sty == ACL_STYLE_REGEX) {
+ if ( sty == ACL_STYLE_EXPAND ) {
acl_regex_normalized_dn( right, &bv );
if ( !ber_bvccmp( &bv, '*' ) ) {
- regtest(fname, lineno, bv.bv_val);
+ regtest( fname, lineno, bv.bv_val );
}
b->a_group_pat = bv;
+
} else {
ber_str2bv( right, 0, 0, &bv );
rc = dnNormalize( 0, NULL, NULL, &bv,
}
}
- if (value && *value) {
+ if ( value && *value ) {
b->a_group_oc = oc_find( value );
*--value = '/';
- if( b->a_group_oc == NULL ) {
+ if ( b->a_group_oc == NULL ) {
fprintf( stderr,
"%s: line %d: group objectclass "
"\"%s\" unknown\n",
fname, lineno, value );
acl_usage();
}
+
} else {
b->a_group_oc = oc_find(SLAPD_GROUP_CLASS);
}
}
- if( is_object_subclass( slap_schema.si_oc_referral,
- b->a_group_oc ))
+ if ( is_object_subclass( slap_schema.si_oc_referral,
+ b->a_group_oc ) )
{
fprintf( stderr,
"%s: line %d: group objectclass \"%s\" "
acl_usage();
}
- if( is_object_subclass( slap_schema.si_oc_alias,
- b->a_group_oc ))
+ if ( is_object_subclass( slap_schema.si_oc_alias,
+ b->a_group_oc ) )
{
fprintf( stderr,
"%s: line %d: group objectclass \"%s\" "
acl_usage();
}
- if (name && *name) {
+ if ( name && *name ) {
rc = slap_str2ad( name, &b->a_group_at, &text );
if( rc != LDAP_SUCCESS ) {
acl_usage();
}
*--name = '/';
+
} else {
rc = slap_str2ad( SLAPD_GROUP_ATTR, &b->a_group_at, &text );
- if( rc != LDAP_SUCCESS ) {
+ if ( rc != LDAP_SUCCESS ) {
fprintf( stderr,
"%s: line %d: group \"%s\": %s\n",
fname, lineno, SLAPD_GROUP_ATTR, text );
}
}
- if( !is_at_syntax( b->a_group_at->ad_type,
+ if ( !is_at_syntax( b->a_group_at->ad_type,
SLAPD_DN_SYNTAX ) &&
- !is_at_syntax( b->a_group_at->ad_type,
+ !is_at_syntax( b->a_group_at->ad_type,
SLAPD_NAMEUID_SYNTAX ) &&
- !is_at_subtype( b->a_group_at->ad_type, slap_schema.si_ad_labeledURI->ad_type ))
+ !is_at_subtype( b->a_group_at->ad_type, slap_schema.si_ad_labeledURI->ad_type ) )
{
fprintf( stderr,
"%s: line %d: group \"%s\": inappropriate syntax: %s\n",
int rc;
struct berval vals[2];
- vals[0].bv_val = b->a_group_oc->soc_oid;
- vals[0].bv_len = strlen(vals[0].bv_val);
- vals[1].bv_val = NULL;
-
+ ber_str2bv( b->a_group_oc->soc_oid, 0, 0, &vals[0] );
+ BER_BVZERO( &vals[1] );
rc = oc_check_allowed( b->a_group_at->ad_type,
vals, NULL );
}
if ( strcasecmp( left, "peername" ) == 0 ) {
- if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
+ switch ( sty ) {
+ case ACL_STYLE_REGEX:
+ case ACL_STYLE_BASE:
+ /* legal, traditional */
+ case ACL_STYLE_EXPAND:
+ /* cheap replacement to regex for simple expansion */
+ case ACL_STYLE_IP:
+ case ACL_STYLE_PATH:
+ /* legal, peername specific */
+ break;
+
+ default:
fprintf( stderr, "%s: line %d: "
"inappropriate style \"%s\" in by clause\n",
fname, lineno, style );
acl_usage();
}
- if ( right == NULL || right[ 0 ] == '\0' ) {
+ if ( right == NULL || right[0] == '\0' ) {
fprintf( stderr, "%s: line %d: "
"missing \"=\" in (or value after) \"%s\" "
"in by clause\n",
acl_usage();
}
- if( b->a_peername_pat.bv_len ) {
+ if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {
fprintf( stderr, "%s: line %d: "
"peername pattern already specified.\n",
fname, lineno );
}
b->a_peername_style = sty;
- if (sty == ACL_STYLE_REGEX) {
+ if ( sty == ACL_STYLE_REGEX ) {
acl_regex_normalized_dn( right, &bv );
if ( !ber_bvccmp( &bv, '*' ) ) {
- regtest(fname, lineno, bv.bv_val);
+ regtest( fname, lineno, bv.bv_val );
}
b->a_peername_pat = bv;
+
} else {
ber_str2bv( right, 0, 1, &b->a_peername_pat );
+
+ if ( sty == ACL_STYLE_IP ) {
+ char *addr = NULL,
+ *mask = NULL,
+ *port = NULL;
+
+ split( right, '{', &addr, &port );
+ split( addr, '%', &addr, &mask );
+
+ b->a_peername_addr = inet_addr( addr );
+ if ( b->a_peername_addr == (unsigned long)(-1) ) {
+ /* illegal address */
+ fprintf( stderr, "%s: line %d: "
+ "illegal peername address \"%s\".\n",
+ fname, lineno, addr );
+ acl_usage();
+ }
+
+ b->a_peername_mask = (unsigned long)(-1);
+ if ( mask != NULL ) {
+ b->a_peername_mask = inet_addr( mask );
+ if ( b->a_peername_mask ==
+ (unsigned long)(-1) )
+ {
+ /* illegal mask */
+ fprintf( stderr, "%s: line %d: "
+ "illegal peername address mask "
+ "\"%s\".\n",
+ fname, lineno, mask );
+ acl_usage();
+ }
+ }
+
+ b->a_peername_port = -1;
+ if ( port ) {
+ char *end = NULL;
+
+ b->a_peername_port = strtol( port, &end, 10 );
+ if ( end[0] != '}' ) {
+ /* illegal port */
+ fprintf( stderr, "%s: line %d: "
+ "illegal peername port specification "
+ "\"{%s}\".\n",
+ fname, lineno, port );
+ acl_usage();
+ }
+ }
+ }
}
continue;
}
if ( strcasecmp( left, "sockname" ) == 0 ) {
- if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
+ switch ( sty ) {
+ case ACL_STYLE_REGEX:
+ case ACL_STYLE_BASE:
+ /* legal, traditional */
+ case ACL_STYLE_EXPAND:
+ /* cheap replacement to regex for simple expansion */
+ break;
+
+ default:
+ /* unknown */
fprintf( stderr, "%s: line %d: "
"inappropriate style \"%s\" in by clause\n",
fname, lineno, style );
acl_usage();
}
- if ( right == NULL || right[ 0 ] == '\0' ) {
+ if ( right == NULL || right[0] == '\0' ) {
fprintf( stderr, "%s: line %d: "
"missing \"=\" in (or value after) \"%s\" "
"in by clause\n",
acl_usage();
}
- if( b->a_sockname_pat.bv_len ) {
+ if ( !BER_BVISNULL( &b->a_sockname_pat ) ) {
fprintf( stderr, "%s: line %d: "
"sockname pattern already specified.\n",
fname, lineno );
}
b->a_sockname_style = sty;
- if (sty == ACL_STYLE_REGEX) {
+ if ( sty == ACL_STYLE_REGEX ) {
acl_regex_normalized_dn( right, &bv );
if ( !ber_bvccmp( &bv, '*' ) ) {
- regtest(fname, lineno, bv.bv_val);
+ regtest( fname, lineno, bv.bv_val );
}
b->a_sockname_pat = bv;
+
} else {
ber_str2bv( right, 0, 1, &b->a_sockname_pat );
}
case ACL_STYLE_REGEX:
case ACL_STYLE_BASE:
case ACL_STYLE_SUBTREE:
+ /* legal, traditional */
+ break;
+
+ case ACL_STYLE_EXPAND:
+ /* tolerated: means exact,expand */
+ if ( expand ) {
+ fprintf( stderr,
+ "%s: line %d: "
+ "\"expand\" modifier "
+ "with \"expand\" style\n",
+ fname, lineno );
+ }
+ sty = ACL_STYLE_BASE;
+ expand = 1;
break;
default:
- fprintf( stderr,
- "%s: line %d: inappropriate style \"%s\" in by clause\n",
+ /* unknown */
+ fprintf( stderr, "%s: line %d: "
+ "inappropriate style \"%s\" in by clause\n",
fname, lineno, style );
acl_usage();
}
- if ( right == NULL || right[ 0 ] == '\0' ) {
- fprintf( stderr,
- "%s: line %d: missing \"=\" in (or value after) \"%s\" in by clause\n",
+ if ( right == NULL || right[0] == '\0' ) {
+ fprintf( stderr, "%s: line %d: "
+ "missing \"=\" in (or value after) \"%s\" "
+ "in by clause\n",
fname, lineno, left );
acl_usage();
}
- if( b->a_domain_pat.bv_len ) {
+ if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) {
fprintf( stderr,
"%s: line %d: domain pattern already specified.\n",
fname, lineno );
b->a_domain_style = sty;
b->a_domain_expand = expand;
- if (sty == ACL_STYLE_REGEX) {
+ if ( sty == ACL_STYLE_REGEX ) {
acl_regex_normalized_dn( right, &bv );
if ( !ber_bvccmp( &bv, '*' ) ) {
- regtest(fname, lineno, bv.bv_val);
+ regtest( fname, lineno, bv.bv_val );
}
b->a_domain_pat = bv;
+
} else {
ber_str2bv( right, 0, 1, &b->a_domain_pat );
}
}
if ( strcasecmp( left, "sockurl" ) == 0 ) {
- if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
- fprintf( stderr,
- "%s: line %d: inappropriate style \"%s\" in by clause\n",
+ switch ( sty ) {
+ case ACL_STYLE_REGEX:
+ case ACL_STYLE_BASE:
+ /* legal, traditional */
+ case ACL_STYLE_EXPAND:
+ /* cheap replacement to regex for simple expansion */
+ break;
+
+ default:
+ /* unknown */
+ fprintf( stderr, "%s: line %d: "
+ "inappropriate style \"%s\" in by clause\n",
fname, lineno, style );
acl_usage();
}
- if ( right == NULL || right[ 0 ] == '\0' ) {
- fprintf( stderr,
- "%s: line %d: missing \"=\" in (or value after) \"%s\" in by clause\n",
+ if ( right == NULL || right[0] == '\0' ) {
+ fprintf( stderr, "%s: line %d: "
+ "missing \"=\" in (or value after) \"%s\" "
+ "in by clause\n",
fname, lineno, left );
acl_usage();
}
- if( b->a_sockurl_pat.bv_len ) {
+ if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) {
fprintf( stderr,
"%s: line %d: sockurl pattern already specified.\n",
fname, lineno );
}
b->a_sockurl_style = sty;
- if (sty == ACL_STYLE_REGEX) {
+ if ( sty == ACL_STYLE_REGEX ) {
acl_regex_normalized_dn( right, &bv );
if ( !ber_bvccmp( &bv, '*' ) ) {
- regtest(fname, lineno, bv.bv_val);
+ regtest( fname, lineno, bv.bv_val );
}
b->a_sockurl_pat = bv;
+
} else {
ber_str2bv( right, 0, 1, &b->a_sockurl_pat );
}
}
if ( strcasecmp( left, "set" ) == 0 ) {
- if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
- fprintf( stderr,
- "%s: line %d: inappropriate style \"%s\" in by clause\n",
- fname, lineno, style );
+ switch ( sty ) {
+ /* deprecated */
+ case ACL_STYLE_REGEX:
+ fprintf( stderr, "%s: line %d: "
+ "deprecated set style "
+ "\"regex\" in <by> clause; "
+ "use \"expand\" instead\n",
+ fname, lineno );
+ sty = ACL_STYLE_EXPAND;
+ /* FALLTHRU */
+
+ case ACL_STYLE_BASE:
+ case ACL_STYLE_EXPAND:
+ break;
+
+ default:
+ fprintf( stderr, "%s: line %d: "
+ "inappropriate style \"%s\" in by clause\n",
+ fname, lineno, style );
acl_usage();
}
- if( b->a_set_pat.bv_len != 0 ) {
+ if ( !BER_BVISEMPTY( &b->a_set_pat ) ) {
fprintf( stderr,
"%s: line %d: set attribute already specified.\n",
fname, lineno );
continue;
}
+#ifdef SLAP_DYNACL
+ {
+ char *name = NULL;
+
+ if ( strcasecmp( left, "aci" ) == 0 ) {
+ name = "aci";
+
+ } else if ( strncasecmp( left, "dynacl/", STRLENOF( "dynacl/" ) ) == 0 ) {
+ name = &left[ STRLENOF( "dynacl/" ) ];
+ }
+
+ if ( name ) {
+ if ( slap_dynacl_config( fname, lineno, b, name, sty, right ) ) {
+ fprintf( stderr, "%s: line %d: "
+ "unable to configure dynacl \"%s\"\n",
+ fname, lineno, name );
+ acl_usage();
+ }
+
+ continue;
+ }
+ }
+#else /* ! SLAP_DYNACL */
+
#ifdef SLAPD_ACI_ENABLED
if ( strcasecmp( left, "aci" ) == 0 ) {
if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
- fprintf( stderr,
- "%s: line %d: inappropriate style \"%s\" in by clause\n",
+ fprintf( stderr, "%s: line %d: "
+ "inappropriate style \"%s\" in by clause\n",
fname, lineno, style );
acl_usage();
}
if( !is_at_syntax( b->a_aci_at->ad_type,
SLAPD_ACI_SYNTAX) )
{
- fprintf( stderr,
- "%s: line %d: aci \"%s\": inappropriate syntax: %s\n",
+ fprintf( stderr, "%s: line %d: "
+ "aci \"%s\": inappropriate syntax: %s\n",
fname, lineno, right,
b->a_aci_at->ad_type->sat_syntax_oid );
acl_usage();
continue;
}
#endif /* SLAPD_ACI_ENABLED */
+#endif /* ! SLAP_DYNACL */
if ( strcasecmp( left, "ssf" ) == 0 ) {
- if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
- fprintf( stderr,
- "%s: line %d: inappropriate style \"%s\" in by clause\n",
+ if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
+ fprintf( stderr, "%s: line %d: "
+ "inappropriate style \"%s\" in by clause\n",
fname, lineno, style );
acl_usage();
}
- if( b->a_authz.sai_ssf ) {
+ if ( b->a_authz.sai_ssf ) {
fprintf( stderr,
"%s: line %d: ssf attribute already specified.\n",
fname, lineno );
acl_usage();
}
- b->a_authz.sai_ssf = atoi( right );
+ b->a_authz.sai_ssf = strtol( right, &next, 10 );
+ if ( next == NULL || next[0] != '\0' ) {
+ fprintf( stderr,
+ "%s: line %d: unable to parse ssf value (%s)\n",
+ fname, lineno, right );
+ acl_usage();
+ }
- if( !b->a_authz.sai_ssf ) {
+ if ( !b->a_authz.sai_ssf ) {
fprintf( stderr,
"%s: line %d: invalid ssf value (%s)\n",
fname, lineno, right );
}
if ( strcasecmp( left, "transport_ssf" ) == 0 ) {
- if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
- fprintf( stderr,
- "%s: line %d: inappropriate style \"%s\" in by clause\n",
- fname, lineno, style );
+ if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
+ fprintf( stderr, "%s: line %d: "
+ "inappropriate style \"%s\" in by clause\n",
+ fname, lineno, style );
acl_usage();
}
- if( b->a_authz.sai_transport_ssf ) {
- fprintf( stderr,
- "%s: line %d: transport_ssf attribute already specified.\n",
+ if ( b->a_authz.sai_transport_ssf ) {
+ fprintf( stderr, "%s: line %d: "
+ "transport_ssf attribute already specified.\n",
fname, lineno );
acl_usage();
}
acl_usage();
}
- b->a_authz.sai_transport_ssf = atoi( right );
+ b->a_authz.sai_transport_ssf = strtol( right, &next, 10 );
+ if ( next == NULL || next[0] != '\0' ) {
+ fprintf( stderr, "%s: line %d: "
+ "unable to parse transport_ssf value (%s)\n",
+ fname, lineno, right );
+ acl_usage();
+ }
- if( !b->a_authz.sai_transport_ssf ) {
+ if ( !b->a_authz.sai_transport_ssf ) {
fprintf( stderr,
"%s: line %d: invalid transport_ssf value (%s)\n",
fname, lineno, right );
}
if ( strcasecmp( left, "tls_ssf" ) == 0 ) {
- if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
- fprintf( stderr,
- "%s: line %d: inappropriate style \"%s\" in by clause\n",
- fname, lineno, style );
+ if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
+ fprintf( stderr, "%s: line %d: "
+ "inappropriate style \"%s\" in by clause\n",
+ fname, lineno, style );
acl_usage();
}
- if( b->a_authz.sai_tls_ssf ) {
- fprintf( stderr,
- "%s: line %d: tls_ssf attribute already specified.\n",
+ if ( b->a_authz.sai_tls_ssf ) {
+ fprintf( stderr, "%s: line %d: "
+ "tls_ssf attribute already specified.\n",
fname, lineno );
acl_usage();
}
acl_usage();
}
- b->a_authz.sai_tls_ssf = atoi( right );
+ b->a_authz.sai_tls_ssf = strtol( right, &next, 10 );
+ if ( next == NULL || next[0] != '\0' ) {
+ fprintf( stderr, "%s: line %d: "
+ "unable to parse tls_ssf value (%s)\n",
+ fname, lineno, right );
+ acl_usage();
+ }
- if( !b->a_authz.sai_tls_ssf ) {
+ if ( !b->a_authz.sai_tls_ssf ) {
fprintf( stderr,
"%s: line %d: invalid tls_ssf value (%s)\n",
fname, lineno, right );
}
if ( strcasecmp( left, "sasl_ssf" ) == 0 ) {
- if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
- fprintf( stderr,
- "%s: line %d: inappropriate style \"%s\" in by clause\n",
- fname, lineno, style );
+ if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
+ fprintf( stderr, "%s: line %d: "
+ "inappropriate style \"%s\" in by clause\n",
+ fname, lineno, style );
acl_usage();
}
- if( b->a_authz.sai_sasl_ssf ) {
- fprintf( stderr,
- "%s: line %d: sasl_ssf attribute already specified.\n",
+ if ( b->a_authz.sai_sasl_ssf ) {
+ fprintf( stderr, "%s: line %d: "
+ "sasl_ssf attribute already specified.\n",
fname, lineno );
acl_usage();
}
acl_usage();
}
- b->a_authz.sai_sasl_ssf = atoi( right );
+ b->a_authz.sai_sasl_ssf = strtol( right, &next, 10 );
+ if ( next == NULL || next[0] != '\0' ) {
+ fprintf( stderr, "%s: line %d: "
+ "unable to parse sasl_ssf value (%s)\n",
+ fname, lineno, right );
+ acl_usage();
+ }
- if( !b->a_authz.sai_sasl_ssf ) {
+ if ( !b->a_authz.sai_sasl_ssf ) {
fprintf( stderr,
"%s: line %d: invalid sasl_ssf value (%s)\n",
fname, lineno, right );
continue;
}
- if( right != NULL ) {
+ if ( right != NULL ) {
/* unsplit */
right[-1] = '=';
}
break;
}
- if( i == argc || ( strcasecmp( left, "stop" ) == 0 )) {
+ if ( i == argc || ( strcasecmp( left, "stop" ) == 0 ) ) {
/* out of arguments or plain stop */
- ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE);
+ ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
b->a_type = ACL_STOP;
access_append( &a->acl_access, b );
continue;
}
- if( strcasecmp( left, "continue" ) == 0 ) {
+ if ( strcasecmp( left, "continue" ) == 0 ) {
/* plain continue */
- ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE);
+ ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
b->a_type = ACL_CONTINUE;
access_append( &a->acl_access, b );
continue;
}
- if( strcasecmp( left, "break" ) == 0 ) {
+ if ( strcasecmp( left, "break" ) == 0 ) {
/* plain continue */
ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE);
if ( strcasecmp( left, "by" ) == 0 ) {
/* we've gone too far */
--i;
- ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE);
+ ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
b->a_type = ACL_STOP;
access_append( &a->acl_access, b );
}
/* get <access> */
- if( strncasecmp( left, "self", 4 ) == 0 ) {
+ if ( strncasecmp( left, "self", 4 ) == 0 ) {
b->a_dn_self = 1;
ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[4] ) );
ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( left ) );
}
- if( ACL_IS_INVALID( b->a_access_mask ) ) {
+ if ( ACL_IS_INVALID( b->a_access_mask ) ) {
fprintf( stderr,
"%s: line %d: expecting <access> got \"%s\"\n",
fname, lineno, left );
b->a_type = ACL_STOP;
- if( ++i == argc ) {
+ if ( ++i == argc ) {
/* out of arguments or plain stop */
access_append( &a->acl_access, b );
continue;
}
- if( strcasecmp( argv[i], "continue" ) == 0 ) {
+ if ( strcasecmp( argv[i], "continue" ) == 0 ) {
/* plain continue */
b->a_type = ACL_CONTINUE;
- } else if( strcasecmp( argv[i], "break" ) == 0 ) {
+ } else if ( strcasecmp( argv[i], "break" ) == 0 ) {
/* plain continue */
b->a_type = ACL_BREAK;
} else {
fprintf( stderr,
- "%s: line %d: expecting \"to\" or \"by\" got \"%s\"\n",
- fname, lineno, argv[i] );
+ "%s: line %d: expecting \"to\" "
+ "or \"by\" got \"%s\"\n",
+ fname, lineno, argv[i] );
acl_usage();
}
}
/* if we have no real access clause, complain and do nothing */
if ( a == NULL ) {
- fprintf( stderr,
- "%s: line %d: warning: no access clause(s) specified in access line\n",
- fname, lineno );
+ fprintf( stderr, "%s: line %d: "
+ "warning: no access clause(s) specified in access line\n",
+ fname, lineno );
} else {
#ifdef LDAP_DEBUG
- if (ldap_debug & LDAP_DEBUG_ACL)
- print_acl(be, a);
+ if ( ldap_debug & LDAP_DEBUG_ACL ) {
+ print_acl( be, a );
+ }
#endif
if ( a->acl_access == NULL ) {
- fprintf( stderr,
- "%s: line %d: warning: no by clause(s) specified in access line\n",
- fname, lineno );
+ fprintf( stderr, "%s: line %d: "
+ "warning: no by clause(s) specified in access line\n",
+ fname, lineno );
}
if ( be != NULL ) {
+#ifdef LDAP_DEVEL
+ if ( !BER_BVISNULL( &be->be_nsuffix[ 1 ] ) ) {
+ fprintf( stderr, "%s: line %d: warning: "
+ "scope checking only applies to single-valued "
+ "suffix databases\n",
+ fname, lineno );
+ /* go ahead, since checking is not authoritative */
+ }
+
+ switch ( check_scope( be, a ) ) {
+ case ACL_SCOPE_UNKNOWN:
+ fprintf( stderr, "%s: line %d: warning: "
+ "cannot assess the validity of the ACL scope within "
+ "backend naming context\n",
+ fname, lineno );
+ break;
+
+ case ACL_SCOPE_WARN:
+ fprintf( stderr, "%s: line %d: warning: "
+ "ACL could be out of scope within backend naming context\n",
+ fname, lineno );
+ break;
+
+ case ACL_SCOPE_PARTIAL:
+ fprintf( stderr, "%s: line %d: warning: "
+ "ACL appears to be partially out of scope within "
+ "backend naming context\n",
+ fname, lineno );
+ break;
+
+ case ACL_SCOPE_ERR:
+ fprintf( stderr, "%s: line %d: warning: "
+ "ACL appears to be out of scope within "
+ "backend naming context\n",
+ fname, lineno );
+ break;
+
+ default:
+ break;
+ }
+#endif /* LDAP_DEVEL */
acl_append( &be->be_acl, a );
+
} else {
- acl_append( &global_acl, a );
+ acl_append( &frontendDB->be_acl, a );
}
}
}
char *
accessmask2str( slap_mask_t mask, char *buf )
{
- int none=1;
- char *ptr = buf;
+ int none = 1;
+ char *ptr = buf;
assert( buf != NULL );
static void
acl_usage( void )
{
- fprintf( stderr, "%s%s\n",
+ fprintf( stderr, "%s%s%s\n",
"<access clause> ::= access to <what> "
"[ by <who> <access> [ <control> ] ]+ \n"
"<what> ::= * | [dn[.<dnstyle>]=<DN>] [filter=<filter>] [attrs=<attrlist>]\n"
"<attrlist> ::= <attr> [val[.<style>]=<value>] | <attr> , <attrlist>\n"
- "<attr> ::= <attrname> | entry | children\n"
+ "<attr> ::= <attrname> | entry | children\n",
"<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]\n"
"\t[dnattr=<attrname>]\n"
"\t[group[/<objectclass>[/<attrname>]][.<style>]=<group>]\n"
- "\t[peername[.<style>]=<peer>] [sockname[.<style>]=<name>]\n",
- "\t[domain[.<style>]=<domain>] [sockurl[.<style>]=<url>]\n"
+ "\t[peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]\n"
+ "\t[domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]\n"
#ifdef SLAPD_ACI_ENABLED
"\t[aci=<attrname>]\n"
#endif
- "\t[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]\n"
- "<dnstyle> ::= base | exact | one | subtree | children | regex\n"
- "<style> ::= regex | base | exact\n"
+ "\t[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]\n",
+ "<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | "
+ "exact | regex\n"
+ "<style> ::= exact | regex | base(Object)\n"
+ "<peernamestyle> ::= exact | regex | ip | path\n"
+ "<domainstyle> ::= exact | regex | base(Object) | sub(tree)\n"
"<access> ::= [self]{<level>|<priv>}\n"
"<level> ::= none | auth | compare | search | read | write\n"
"<priv> ::= {=|+|-}{w|r|s|c|x|0}+\n"
static void
acl_regex_normalized_dn(
const char *src,
- struct berval *pattern
-)
+ struct berval *pattern )
{
char *str, *p;
ber_len_t len;
str = ch_strdup( src );
len = strlen( src );
- for ( p = str; p && p[ 0 ]; p++ ) {
+ for ( p = str; p && p[0]; p++ ) {
/* escape */
- if ( p[ 0 ] == '\\' && p[ 1 ] ) {
+ if ( p[0] == '\\' && p[1] ) {
/*
* if escaping a hex pair we should
* increment p twice; however, in that
p++;
}
- if ( p[ 0 ] == ',' ) {
- if ( p[ 1 ] == ' ' ) {
- char *q;
+ if ( p[0] == ',' && p[1] == ' ' ) {
+ char *q;
- /*
- * too much space should be
- * an error if we are pedantic
- */
- for ( q = &p[ 2 ]; q[ 0 ] == ' '; q++ ) {
- /* DO NOTHING */ ;
- }
- AC_MEMCPY( p+1, q, len-(q-str)+1);
+ /*
+ * too much space should be an error if we are pedantic
+ */
+ for ( q = &p[2]; q[0] == ' '; q++ ) {
+ /* DO NOTHING */ ;
}
+ AC_MEMCPY( p+1, q, len-(q-str)+1);
}
}
pattern->bv_val = str;
- pattern->bv_len = p-str;
+ pattern->bv_len = p - str;
return;
}
char *line,
int splitchar,
char **left,
- char **right
-)
+ char **right )
{
*left = line;
if ( (*right = strchr( line, splitchar )) != NULL ) {
static void
access_append( Access **l, Access *a )
{
- for ( ; *l != NULL; l = &(*l)->a_next )
- ; /* NULL */
+ for ( ; *l != NULL; l = &(*l)->a_next ) {
+ ; /* Empty */
+ }
*l = a;
}
void
acl_append( AccessControl **l, AccessControl *a )
{
- for ( ; *l != NULL; l = &(*l)->acl_next )
- ; /* NULL */
+ for ( ; *l != NULL; l = &(*l)->acl_next ) {
+ ; /* Empty */
+ }
*l = a;
}
static void
access_free( Access *a )
{
- if ( a->a_dn_pat.bv_val )
- free ( a->a_dn_pat.bv_val );
- if ( a->a_peername_pat.bv_val )
- free ( a->a_peername_pat.bv_val );
- if ( a->a_sockname_pat.bv_val )
- free ( a->a_sockname_pat.bv_val );
- if ( a->a_domain_pat.bv_val )
- free ( a->a_domain_pat.bv_val );
- if ( a->a_sockurl_pat.bv_val )
- free ( a->a_sockurl_pat.bv_val );
- if ( a->a_set_pat.bv_len )
- free ( a->a_set_pat.bv_val );
- if ( a->a_group_pat.bv_len )
- free ( a->a_group_pat.bv_val );
+ if ( !BER_BVISNULL( &a->a_dn_pat ) ) {
+ free( a->a_dn_pat.bv_val );
+ }
+ if ( !BER_BVISNULL( &a->a_peername_pat ) ) {
+ free( a->a_peername_pat.bv_val );
+ }
+ if ( !BER_BVISNULL( &a->a_sockname_pat ) ) {
+ free( a->a_sockname_pat.bv_val );
+ }
+ if ( !BER_BVISNULL( &a->a_domain_pat ) ) {
+ free( a->a_domain_pat.bv_val );
+ }
+ if ( !BER_BVISNULL( &a->a_sockurl_pat ) ) {
+ free( a->a_sockurl_pat.bv_val );
+ }
+ if ( !BER_BVISNULL( &a->a_set_pat ) ) {
+ free( a->a_set_pat.bv_val );
+ }
+ if ( !BER_BVISNULL( &a->a_group_pat ) ) {
+ free( a->a_group_pat.bv_val );
+ }
free( a );
}
Access *n;
AttributeName *an;
- if ( a->acl_filter )
+ if ( a->acl_filter ) {
filter_free( a->acl_filter );
- if ( a->acl_dn_pat.bv_len )
+ }
+ if ( !BER_BVISNULL( &a->acl_dn_pat ) ) {
free ( a->acl_dn_pat.bv_val );
+ }
if ( a->acl_attrs ) {
- for ( an = a->acl_attrs; an->an_name.bv_val; an++ ) {
+ for ( an = a->acl_attrs; !BER_BVISNULL( &an->an_name ); an++ ) {
free( an->an_name.bv_val );
}
free( a->acl_attrs );
}
- for (; a->acl_access; a->acl_access = n) {
+ for ( ; a->acl_access; a->acl_access = n ) {
n = a->acl_access->a_next;
access_free( a->acl_access );
}
fprintf( stderr, "\tby" );
- if ( b->a_dn_pat.bv_len != 0 ) {
- if( strcmp(b->a_dn_pat.bv_val, "*") == 0
- || strcmp(b->a_dn_pat.bv_val, "users") == 0
- || strcmp(b->a_dn_pat.bv_val, "anonymous") == 0
- || strcmp(b->a_dn_pat.bv_val, "self") == 0 )
+ if ( !BER_BVISEMPTY( &b->a_dn_pat ) ) {
+ if ( ber_bvccmp( &b->a_dn_pat, '*' ) ||
+ b->a_dn_style == ACL_STYLE_ANONYMOUS /* strcmp( b->a_dn_pat.bv_val, "anonymous" ) == 0 */ ||
+ b->a_dn_style == ACL_STYLE_USERS /* strcmp( b->a_dn_pat.bv_val, "users" ) == 0 */ ||
+ b->a_dn_style == ACL_STYLE_SELF /* strcmp( b->a_dn_pat.bv_val, "self" ) == 0 */ )
{
fprintf( stderr, " %s", b->a_dn_pat.bv_val );
fprintf( stderr, " dnattr=%s", b->a_dn_at->ad_cname.bv_val );
}
- if ( b->a_group_pat.bv_len ) {
+ if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
fprintf( stderr, " group/%s/%s.%s=\"%s\"",
b->a_group_oc ? b->a_group_oc->soc_cname.bv_val : "groupOfNames",
b->a_group_at ? b->a_group_at->ad_cname.bv_val : "member",
style_strings[b->a_group_style],
b->a_group_pat.bv_val );
- }
+ }
- if ( b->a_peername_pat.bv_len != 0 ) {
+ if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {
fprintf( stderr, " peername=\"%s\"", b->a_peername_pat.bv_val );
}
- if ( b->a_sockname_pat.bv_len != 0 ) {
+ if ( !BER_BVISEMPTY( &b->a_sockname_pat ) ) {
fprintf( stderr, " sockname=\"%s\"", b->a_sockname_pat.bv_val );
}
- if ( b->a_domain_pat.bv_len != 0 ) {
+ if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) {
fprintf( stderr, " domain=%s", b->a_domain_pat.bv_val );
}
- if ( b->a_sockurl_pat.bv_len != 0 ) {
+ if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) {
fprintf( stderr, " sockurl=\"%s\"", b->a_sockurl_pat.bv_val );
}
+ if ( !BER_BVISEMPTY( &b->a_set_pat ) ) {
+ fprintf( stderr, " set=\"%s\"", b->a_set_pat.bv_val );
+ }
+
+#ifdef SLAP_DYNACL
+ if ( b->a_dynacl ) {
+ slap_dynacl_t *da;
+
+ for ( da = b->a_dynacl; da; da = da->da_next ) {
+ if ( da->da_print ) {
+ (void)( *da->da_print )( da->da_private );
+ }
+ }
+ }
+#else /* ! SLAP_DYNACL */
#ifdef SLAPD_ACI_ENABLED
if ( b->a_aci_at != NULL ) {
fprintf( stderr, " aci=%s", b->a_aci_at->ad_cname.bv_val );
}
#endif
+#endif /* SLAP_DYNACL */
/* Security Strength Factors */
if ( b->a_authz.sai_ssf ) {
fprintf( stderr, "%s ACL: access to",
be == NULL ? "Global" : "Backend" );
- if ( a->acl_dn_pat.bv_len != 0 ) {
+ if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ) {
to++;
fprintf( stderr, " dn.%s=\"%s\"\n",
style_strings[a->acl_dn_style], a->acl_dn_pat.bv_val );
}
if ( a->acl_filter != NULL ) {
- struct berval bv = { 0, NULL };
+ struct berval bv = BER_BVNULL;
+
to++;
filter2bv( a->acl_filter, &bv );
fprintf( stderr, " filter=%s\n", bv.bv_val );
to++;
fprintf( stderr, " attrs=" );
- for ( an = a->acl_attrs; an && an->an_name.bv_val; an++ ) {
- if ( ! first ) {
- fprintf( stderr, "," );
- }
+ for ( an = a->acl_attrs; an && !BER_BVISNULL( &an->an_name ); an++ ) {
+ if ( ! first ) fprintf( stderr, "," );
if (an->an_oc) {
fputc( an->an_oc_exclude ? '!' : '@', stderr);
+ fputs( an->an_oc->soc_cname.bv_val, stderr );
+
+ } else {
+ fputs( an->an_name.bv_val, stderr );
}
- fputs( an->an_name.bv_val, stderr );
first = 0;
}
fprintf( stderr, "\n" );
}
- if ( a->acl_attrval.bv_len != 0 ) {
+ if ( !BER_BVISEMPTY( &a->acl_attrval ) ) {
to++;
fprintf( stderr, " val.%s=\"%s\"\n",
style_strings[a->acl_attrval_style], a->acl_attrval.bv_val );
}
- if( !to ) {
- fprintf( stderr, " *\n" );
- }
+ if( !to ) fprintf( stderr, " *\n" );
for ( b = a->acl_access; b != NULL; b = b->a_next ) {
print_access( b );
fprintf( stderr, "\n" );
}
-
#endif /* LDAP_DEBUG */