Extend checks to substrings rules. Need to kludge around

[openldap] / servers / slapd / saslauthz.c

diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
index 918d6cd97577abaf986d36fe865a3755787d514c..ded88611f42a3dd73d799493f69b308984cfa54e 100644 (file)
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -98,7 +98,7 @@ static int slap_parseURI( struct berval *uri,
                bv.bv_val = uri->bv_val + sizeof("dn:")-1;
                bv.bv_val += strspn( bv.bv_val, " " );
 
-is_dn:         bv.bv_len = uri->bv_len - (bv.bv_val - uri->bv_val);
+is_dn: bv.bv_len = uri->bv_len - (bv.bv_val - uri->bv_val);
 
                rc = dnNormalize2( NULL, &bv, searchbase );
                if( rc == LDAP_SUCCESS ) {
@@ -114,12 +114,15 @@ is_dn:            bv.bv_len = uri->bv_len - (bv.bv_val - uri->bv_val);
        }
 
        if ( rc != LDAP_URL_SUCCESS ) {
-               return( LDAP_PROTOCOL_ERROR );
+               return LDAP_PROTOCOL_ERROR;
        }
 
-       if ( ludp->lud_host && *ludp->lud_host ) {
+       if (( ludp->lud_host && *ludp->lud_host )
+               || ludp->lud_attrs || ludp->lud_exts )
+       {
                /* host part should be empty */
-               return( LDAP_PROTOCOL_ERROR );
+               /* attrs and extensions parts should be empty */
+               return LDAP_PROTOCOL_ERROR;
        }
 
        /* Grab the scope */
@@ -130,14 +133,18 @@ is_dn:            bv.bv_len = uri->bv_len - (bv.bv_val - uri->bv_val);
                *filter = str2filter( ludp->lud_filter );
                if ( *filter == NULL ) {
                        rc = LDAP_PROTOCOL_ERROR;
+                       goto done;
                }
        }
 
        /* Grab the searchbase */
-       if ( rc == LDAP_URL_SUCCESS ) {
-               bv.bv_val = ludp->lud_dn;
-               bv.bv_len = strlen( bv.bv_val );
-               rc = dnNormalize2( NULL, &bv, searchbase );
+       bv.bv_val = ludp->lud_dn;
+       bv.bv_len = strlen( bv.bv_val );
+       rc = dnNormalize2( NULL, &bv, searchbase );
+
+done:
+       if( rc != LDAP_SUCCESS ) {
+               if( *filter ) filter_free( *filter );
        }
 
        ldap_free_urldesc( ludp );
@@ -186,15 +193,14 @@ static int slap_sasl_rx_off(char *rep, int *off)
 
 int slap_sasl_regexp_config( const char *match, const char *replace )
 {
-       const char *c;
-       int rc, n;
+       int rc;
        SaslRegexp_t *reg;
-       struct berval bv;
-       Filter *filter;
 
        SaslRegexp = (SaslRegexp_t *) ch_realloc( (char *) SaslRegexp,
          (nSaslRegexp + 1) * sizeof(SaslRegexp_t) );
 
+       reg = &SaslRegexp[nSaslRegexp];
+
        reg->sr_match = ch_strdup( match );
        reg->sr_replace = ch_strdup( replace );
 
@@ -280,7 +286,6 @@ static void slap_sasl_rx_exp(
 static int slap_sasl_regexp( struct berval *in, struct berval *out )
 {
        char *saslname = in->bv_val;
-       char *scope[] = { "base", "one", "sub" };
        SaslRegexp_t *reg;
        int i;
 
@@ -321,7 +326,7 @@ static int slap_sasl_regexp( struct berval *in, struct berval *out )
                out->bv_len ? out->bv_val : "", 0, 0 );
 #else
        Debug( LDAP_DEBUG_TRACE,
-          "slap_sasl_regexp: converted SASL name to ldap:///%s??%s?%s\n",
+               "slap_sasl_regexp: converted SASL name to %s\n",
                out->bv_len ? out->bv_val : "", 0, 0 );
 #endif
 
@@ -329,14 +334,14 @@ static int slap_sasl_regexp( struct berval *in, struct berval *out )
 }
 
 /* Two empty callback functions to avoid sending results */
-static void sasl_sc_r( Connection *conn, Operation *o, ber_tag_t tag,
+void slap_cb_null_response( Connection *conn, Operation *o, ber_tag_t tag,
        ber_int_t msgid, ber_int_t err, const char *matched,
        const char *text, BerVarray ref, const char *resoid,
        struct berval *resdata, struct berval *sasldata, LDAPControl **c)
 {
 }
 
-static void sasl_sc_s( Connection *conn, Operation *o, ber_int_t err,
+void slap_cb_null_sresult( Connection *conn, Operation *o, ber_int_t err,
        const char *matched, const char *text, BerVarray refs, LDAPControl **c,
        int nentries)
 {
@@ -380,11 +385,11 @@ void slap_sasl2dn( Connection *conn,
        struct berval *saslname, struct berval *sasldn )
 {
        int rc;
-       Backend *be;
+       Backend *be = NULL;
        struct berval dn = { 0, NULL };
        int scope = LDAP_SCOPE_BASE;
        Filter *filter = NULL;
-       slap_callback cb = {sasl_sc_r, sasl_sc_s, sasl_sc_sasl2dn, NULL};
+       slap_callback cb = {slap_cb_null_response, slap_cb_null_sresult, sasl_sc_sasl2dn, NULL};
        Operation op = {0};
        struct berval regout = { 0, NULL };
 
@@ -444,6 +449,7 @@ void slap_sasl2dn( Connection *conn,
        op.o_callback = &cb;
        op.o_time = slap_get_time();
        op.o_do_not_cache = 1;
+       op.o_threadctx = conn->c_sasl_bindop->o_threadctx;
 
        (*be->be_search)( be, conn, &op, NULL, &dn,
                scope, LDAP_DEREF_NEVER, 1, 0,
@@ -504,7 +510,7 @@ int slap_sasl_match(Connection *conn, struct berval *rule, struct berval *assert
        Filter *filter=NULL;
        regex_t reg;
        smatch_info sm;
-       slap_callback cb = { sasl_sc_r, sasl_sc_s, sasl_sc_smatch, NULL };
+       slap_callback cb = { slap_cb_null_response, slap_cb_null_sresult, sasl_sc_smatch, NULL };
        Operation op = {0};
 
 #ifdef NEW_LOGGING
@@ -564,6 +570,7 @@ int slap_sasl_match(Connection *conn, struct berval *rule, struct berval *assert
        op.o_callback = &cb;
        op.o_time = slap_get_time();
        op.o_do_not_cache = 1;
+       op.o_threadctx = conn->c_sasl_bindop->o_threadctx;
 
        (*be->be_search)( be, conn, &op, /*base=*/NULL, &searchbase,
           scope, /*deref=*/1, /*sizelimit=*/0, /*time=*/0, filter, /*fstr=*/NULL,
@@ -617,7 +624,7 @@ slap_sasl_check_authz( Connection *conn,
           assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val);
 #endif
 
-       rc = backend_attribute( NULL, NULL, NULL, NULL, searchDN, ad, &vals );
+       rc = backend_attribute( NULL, NULL, conn->c_sasl_bindop, NULL, searchDN, ad, &vals );
        if( rc != LDAP_SUCCESS )
                goto COMPLETE;