X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Facl.c;h=15bbcd4fba8b16150251b30e1e3a8a0cafad2c65;hb=04c5711506f17cc7403240c1f335527c6bccaa33;hp=85cdda55152c974db148e163e54c83f021c4ad56;hpb=106eef41d8489ab5e55813f2b995e48884f64e16;p=openldap diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c index 85cdda5515..15bbcd4fba 100644 --- a/servers/slapd/acl.c +++ b/servers/slapd/acl.c @@ -38,7 +38,7 @@ access_allowed( ) { int rc; - struct acl *a; + AccessControl *a; char *edn; regmatch_t matches[MAXREMATCHES]; @@ -55,7 +55,7 @@ access_allowed( e->e_dn, attr, 0 ); /* the lastmod attributes are ignored by ACL checking */ - if ( oc_check_operational( attr ) ) { + if ( oc_check_no_usermod_attr( attr ) ) { Debug( LDAP_DEBUG_ACL, "Operational attribute: %s access allowed\n", attr, 0, 0 ); return(1); @@ -93,7 +93,7 @@ access_allowed( * acl_access_allowed(). */ -struct acl * +AccessControl * acl_get_applicable( Backend *be, Operation *op, @@ -104,7 +104,7 @@ acl_get_applicable( ) { int i; - struct acl *a; + AccessControl *a; char *edn; Debug( LDAP_DEBUG_ACL, "\n=> acl_get: entry (%s) attr (%s)\n", @@ -123,15 +123,17 @@ acl_get_applicable( /* check for a backend-specific acl that matches the entry */ for ( i = 1, a = be->be_acl; a != NULL; a = a->acl_next, i++ ) { - if (a->acl_dnpat != NULL) { + if (a->acl_dn_pat != NULL) { Debug( LDAP_DEBUG_TRACE, "=> dnpat: [%d] %s nsub: %d\n", - i, a->acl_dnpat, (int) a->acl_dnre.re_nsub); + i, a->acl_dn_pat, (int) a->acl_dn_re.re_nsub); - if (regexec(&a->acl_dnre, edn, nmatch, matches, 0)) + if (regexec(&a->acl_dn_re, edn, nmatch, matches, 0)) { continue; - else + + } else { Debug( LDAP_DEBUG_TRACE, "=> acl_get:[%d] backend ACL match\n", i, 0, 0); + } } if ( a->acl_filter != NULL ) { @@ -154,12 +156,13 @@ acl_get_applicable( /* check for a global acl that matches the entry */ for ( i = 1, a = global_acl; a != NULL; a = a->acl_next, i++ ) { - if (a->acl_dnpat != NULL) { - Debug( LDAP_DEBUG_TRACE, "=> dnpat: [%d] %s nsub: %d\n", - i, a->acl_dnpat, (int) a->acl_dnre.re_nsub); + if (a->acl_dn_pat != NULL) { + Debug( LDAP_DEBUG_TRACE, "=> dn pat: [%d] %s nsub: %d\n", + i, a->acl_dn_pat, (int) a->acl_dn_re.re_nsub); - if (regexec(&a->acl_dnre, edn, nmatch, matches, 0)) { + if (regexec(&a->acl_dn_re, edn, nmatch, matches, 0)) { continue; + } else { Debug( LDAP_DEBUG_TRACE, "=> acl_get: [%d] global ACL match\n", i, 0, 0); @@ -200,7 +203,7 @@ acl_get_applicable( int acl_access_allowed( - struct acl *a, + AccessControl *a, Backend *be, Connection *conn, Entry *e, @@ -212,10 +215,7 @@ acl_access_allowed( ) { int i; - char *odn; - struct access *b; - Attribute *at; - struct berval bv; + Access *b; int default_access; Debug( LDAP_DEBUG_ACL, @@ -244,75 +244,97 @@ acl_access_allowed( return( default_access >= access ); } - odn = op->o_ndn; - - if ( odn != NULL ) { - bv.bv_val = odn; - bv.bv_len = strlen( odn ); - } - for ( i = 1, b = a->acl_access; b != NULL; b = b->a_next, i++ ) { - if ( b->a_dnpat != NULL ) { - Debug( LDAP_DEBUG_TRACE, "<= check a_dnpat: %s\n", - b->a_dnpat, 0, 0); + /* AND clauses */ + if ( b->a_dn_pat != NULL ) { + Debug( LDAP_DEBUG_TRACE, "<= check a_dn_pat: %s\n", + b->a_dn_pat, 0, 0); /* * if access applies to the entry itself, and the * user is bound as somebody in the same namespace as * the entry, OR the given dn matches the dn pattern */ - if ( strcasecmp( b->a_dnpat, "self" ) == 0 && - op->o_ndn != NULL && *(op->o_ndn) && e->e_dn != NULL ) - { - if ( strcmp( edn, op->o_ndn ) == 0 ) { - Debug( LDAP_DEBUG_ACL, - "<= acl_access_allowed: matched by clause #%d access %s\n", - i, ACL_GRANT(b->a_access, access) - ? "granted" : "denied", 0 ); - - return ACL_GRANT(b->a_access, access ); + if ( strcasecmp( b->a_dn_pat, "anonymous" ) == 0 ) { + if (op->o_ndn != NULL && op->o_ndn[0] != '\0' ) { + continue; } - } else { - if ( regex_matches( b->a_dnpat, odn, edn, matches ) ) { - Debug( LDAP_DEBUG_ACL, - "<= acl_access_allowed: matched by clause #%d access %s\n", - i, ACL_GRANT(b->a_access, access) - ? "granted" : "denied", 0 ); - return ACL_GRANT(b->a_access, access ); + } else if ( strcasecmp( b->a_dn_pat, "self" ) == 0 ) { + if( op->o_ndn == NULL || op->o_ndn[0] == '\0' ) { + continue; + } + + if ( e->e_dn == NULL || strcmp( edn, op->o_ndn ) != 0 ) { + continue; } + + } else if ( strcmp( b->a_dn_pat, ".*" ) != 0 && + !regex_matches( b->a_dn_pat, op->o_ndn, edn, matches ) ) + { + continue; } } - if ( b->a_addrpat != NULL ) { - if ( regex_matches( b->a_addrpat, conn->c_client_addr, - edn, matches ) ) - { - Debug( LDAP_DEBUG_ACL, - "<= acl_access_allowed: matched by clause #%d access %s\n", - i, ACL_GRANT(b->a_access, access) - ? "granted" : "denied", 0 ); - return ACL_GRANT(b->a_access, access ); + if ( b->a_sockurl_pat != NULL ) { + Debug( LDAP_DEBUG_ARGS, "<= check a_sockurl_pat: %s\n", + b->a_sockurl_pat, 0, 0 ); + + if ( strcmp( b->a_sockurl_pat, ".*" ) != 0 && + !regex_matches( b->a_sockurl_pat, conn->c_listener_url, + edn, matches ) ) + { + continue; } } - if ( b->a_domainpat != NULL ) { - Debug( LDAP_DEBUG_ARGS, "<= check a_domainpath: %s\n", - b->a_domainpat, 0, 0 ); - if ( regex_matches( b->a_domainpat, conn->c_client_name, + + if ( b->a_domain_pat != NULL ) { + Debug( LDAP_DEBUG_ARGS, "<= check a_domain_pat: %s\n", + b->a_domain_pat, 0, 0 ); + + if ( strcmp( b->a_domain_pat, ".*" ) != 0 && + !regex_matches( b->a_domain_pat, conn->c_peer_domain, edn, matches ) ) { - Debug( LDAP_DEBUG_ACL, - "<= acl_access_allowed: matched by clause #%d access %s\n", - i, ACL_GRANT(b->a_access, access) - ? "granted" : "denied", 0 ); + continue; + } + } + + if ( b->a_peername_pat != NULL ) { + Debug( LDAP_DEBUG_ARGS, "<= check a_peername_path: %s\n", + b->a_peername_pat, 0, 0 ); + + if ( strcmp( b->a_peername_pat, ".*" ) != 0 && + !regex_matches( b->a_peername_pat, conn->c_peer_name, + edn, matches ) ) + { + continue; + } + } + + if ( b->a_sockname_pat != NULL ) { + Debug( LDAP_DEBUG_ARGS, "<= check a_sockname_path: %s\n", + b->a_sockname_pat, 0, 0 ); - return ACL_GRANT(b->a_access, access ); + if ( strcmp( b->a_sockname_pat, ".*" ) != 0 && + !regex_matches( b->a_sockname_pat, conn->c_sock_name, + edn, matches ) ) + { + continue; } } - if ( b->a_dnattr != NULL && op->o_ndn != NULL ) { - Debug( LDAP_DEBUG_ARGS, "<= check a_dnattr: %s\n", - b->a_dnattr, 0, 0); - /* see if asker is listed in dnattr */ - if ( (at = attr_find( e->e_attrs, b->a_dnattr )) != NULL && + + if ( b->a_dn_at != NULL && op->o_ndn != NULL ) { + Attribute *at; + struct berval bv; + + Debug( LDAP_DEBUG_ARGS, "<= check a_dn_at: %s\n", + b->a_dn_at, 0, 0); + + bv.bv_val = op->o_ndn; + bv.bv_len = strlen( bv.bv_val ); + + /* see if asker is listed in dnattr */ + if ( (at = attr_find( e->e_attrs, b->a_dn_at )) != NULL && value_find( at->a_vals, &bv, at->a_syntax, 3 ) == 0 ) { if ( ACL_IS_SELF(b->a_access) && @@ -321,30 +343,15 @@ acl_access_allowed( continue; } - Debug( LDAP_DEBUG_ACL, - "<= acl_acces_allowed: matched by clause #%d access %s\n", - i, ACL_GRANT(b->a_access, access) - ? "granted" : "denied", 0 ); - - return ACL_GRANT(b->a_access, access ); - } - /* asker not listed in dnattr - check for self access */ - if ( ! ACL_IS_SELF(b->a_access) || val == NULL || + } else if ( ! ACL_IS_SELF(b->a_access) || val == NULL || value_cmp( &bv, val, at->a_syntax, 2 ) != 0 ) { continue; } - - Debug( LDAP_DEBUG_ACL, - "<= acl_access_allowed: matched by clause #%d (self) access %s\n", - i, ACL_GRANT(b->a_access, access) - ? "granted" : "denied", 0 ); - - return ACL_GRANT(b->a_access, access ); } -#ifdef SLAPD_ACLGROUPS - if ( b->a_group != NULL && op->o_ndn != NULL ) { + + if ( b->a_group_pat != NULL && op->o_ndn != NULL ) { char buf[1024]; /* b->a_group is an unexpanded entry name, expanded it should be an @@ -352,19 +359,26 @@ acl_access_allowed( * the values in the attribute group */ /* see if asker is listed in dnattr */ - string_expand(buf, sizeof(buf), b->a_group, edn, matches); - (void) dn_normalize_case(buf); + string_expand(buf, sizeof(buf), b->a_group_pat, edn, matches); + if ( dn_normalize_case(buf) == NULL ) { + /* did not expand to a valid dn */ + continue; + } - if (backend_group(be, e, buf, odn, - b->a_group_oc, b->a_group_at) == 0) + if (backend_group(be, e, buf, op->o_ndn, + b->a_group_oc, b->a_group_at) != 0) { - Debug( LDAP_DEBUG_ACL, - "<= acl_access_allowed: matched by clause #%d (group) access granted\n", - i, 0, 0 ); - return ACL_GRANT(b->a_access, access ); + continue; } } -#endif /* SLAPD_ACLGROUPS */ + + Debug( LDAP_DEBUG_ACL, + "<= acl_access_allowed: matched by clause #%d access %s\n", + i, + ACL_GRANT(b->a_access, access) ? "granted" : "denied", + 0 ); + + return ACL_GRANT(b->a_access, access ); } Debug( LDAP_DEBUG_ACL, @@ -392,14 +406,14 @@ acl_check_modlist( ) { int i; - struct acl *a; + AccessControl *a; char *edn = e->e_ndn; for ( ; mlist != NULL; mlist = mlist->ml_next ) { regmatch_t matches[MAXREMATCHES]; /* the lastmod attributes are ignored by ACL checking */ - if ( oc_check_operational( mlist->ml_type ) ) { + if ( oc_check_no_usermod_attr( mlist->ml_type ) ) { Debug( LDAP_DEBUG_ACL, "Operational attribute: %s access allowed\n", mlist->ml_type, 0, 0 ); continue; @@ -512,6 +526,8 @@ regex_matches( char newbuf[512]; int rc; + if(str == NULL) str = ""; + string_expand(newbuf, sizeof(newbuf), pat, buf, matches); if (( rc = regcomp(&re, newbuf, REG_EXTENDED|REG_ICASE))) { char error[512];