X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Facl.c;h=15bbcd4fba8b16150251b30e1e3a8a0cafad2c65;hb=04c5711506f17cc7403240c1f335527c6bccaa33;hp=f029d3ccfd47b20005e9671cdef33d98c0fa6676;hpb=5ef648a109669cd4a8a776f2233a51436cebcdb8;p=openldap diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c index f029d3ccfd..15bbcd4fba 100644 --- a/servers/slapd/acl.c +++ b/servers/slapd/acl.c @@ -38,7 +38,7 @@ access_allowed( ) { int rc; - struct acl *a; + AccessControl *a; char *edn; regmatch_t matches[MAXREMATCHES]; @@ -55,12 +55,8 @@ access_allowed( e->e_dn, attr, 0 ); /* the lastmod attributes are ignored by ACL checking */ - if ( strcasecmp( attr, "modifiersname" ) == 0 || - strcasecmp( attr, "modifytimestamp" ) == 0 || - strcasecmp( attr, "creatorsname" ) == 0 || - strcasecmp( attr, "createtimestamp" ) == 0 ) - { - Debug( LDAP_DEBUG_ACL, "LASTMOD attribute: %s access allowed\n", + if ( oc_check_no_usermod_attr( attr ) ) { + Debug( LDAP_DEBUG_ACL, "Operational attribute: %s access allowed\n", attr, 0, 0 ); return(1); } @@ -97,7 +93,7 @@ access_allowed( * acl_access_allowed(). */ -struct acl * +AccessControl * acl_get_applicable( Backend *be, Operation *op, @@ -108,7 +104,7 @@ acl_get_applicable( ) { int i; - struct acl *a; + AccessControl *a; char *edn; Debug( LDAP_DEBUG_ACL, "\n=> acl_get: entry (%s) attr (%s)\n", @@ -127,15 +123,17 @@ acl_get_applicable( /* check for a backend-specific acl that matches the entry */ for ( i = 1, a = be->be_acl; a != NULL; a = a->acl_next, i++ ) { - if (a->acl_dnpat != NULL) { + if (a->acl_dn_pat != NULL) { Debug( LDAP_DEBUG_TRACE, "=> dnpat: [%d] %s nsub: %d\n", - i, a->acl_dnpat, (int) a->acl_dnre.re_nsub); + i, a->acl_dn_pat, (int) a->acl_dn_re.re_nsub); - if (regexec(&a->acl_dnre, edn, nmatch, matches, 0)) + if (regexec(&a->acl_dn_re, edn, nmatch, matches, 0)) { continue; - else + + } else { Debug( LDAP_DEBUG_TRACE, "=> acl_get:[%d] backend ACL match\n", i, 0, 0); + } } if ( a->acl_filter != NULL ) { @@ -158,12 +156,13 @@ acl_get_applicable( /* check for a global acl that matches the entry */ for ( i = 1, a = global_acl; a != NULL; a = a->acl_next, i++ ) { - if (a->acl_dnpat != NULL) { - Debug( LDAP_DEBUG_TRACE, "=> dnpat: [%d] %s nsub: %d\n", - i, a->acl_dnpat, (int) a->acl_dnre.re_nsub); + if (a->acl_dn_pat != NULL) { + Debug( LDAP_DEBUG_TRACE, "=> dn pat: [%d] %s nsub: %d\n", + i, a->acl_dn_pat, (int) a->acl_dn_re.re_nsub); - if (regexec(&a->acl_dnre, edn, nmatch, matches, 0)) { + if (regexec(&a->acl_dn_re, edn, nmatch, matches, 0)) { continue; + } else { Debug( LDAP_DEBUG_TRACE, "=> acl_get: [%d] global ACL match\n", i, 0, 0); @@ -204,7 +203,7 @@ acl_get_applicable( int acl_access_allowed( - struct acl *a, + AccessControl *a, Backend *be, Connection *conn, Entry *e, @@ -216,10 +215,7 @@ acl_access_allowed( ) { int i; - char *odn; - struct access *b; - Attribute *at; - struct berval bv; + Access *b; int default_access; Debug( LDAP_DEBUG_ACL, @@ -248,104 +244,114 @@ acl_access_allowed( return( default_access >= access ); } - odn = op->o_ndn; - - if ( odn != NULL ) { - bv.bv_val = odn; - bv.bv_len = strlen( odn ); - } - for ( i = 1, b = a->acl_access; b != NULL; b = b->a_next, i++ ) { - if ( b->a_dnpat != NULL ) { - Debug( LDAP_DEBUG_TRACE, "<= check a_dnpat: %s\n", - b->a_dnpat, 0, 0); + /* AND clauses */ + if ( b->a_dn_pat != NULL ) { + Debug( LDAP_DEBUG_TRACE, "<= check a_dn_pat: %s\n", + b->a_dn_pat, 0, 0); /* * if access applies to the entry itself, and the * user is bound as somebody in the same namespace as * the entry, OR the given dn matches the dn pattern */ - if ( strcasecmp( b->a_dnpat, "self" ) == 0 && - op->o_ndn != NULL && *(op->o_ndn) && e->e_dn != NULL ) - { - if ( strcmp( edn, op->o_ndn ) == 0 ) { - Debug( LDAP_DEBUG_ACL, - "<= acl_access_allowed: matched by clause #%d access %s\n", - i, (b->a_access & ~ACL_SELF) >= - access ? "granted" : "denied", 0 ); - - return( (b->a_access & ~ACL_SELF) >= access ); + if ( strcasecmp( b->a_dn_pat, "anonymous" ) == 0 ) { + if (op->o_ndn != NULL && op->o_ndn[0] != '\0' ) { + continue; } - } else { - if ( regex_matches( b->a_dnpat, odn, edn, matches ) ) { - Debug( LDAP_DEBUG_ACL, - "<= acl_access_allowed: matched by clause #%d access %s\n", - i, (b->a_access & ~ACL_SELF) >= access ? - "granted" : "denied", 0 ); - return( (b->a_access & ~ACL_SELF) >= access ); + } else if ( strcasecmp( b->a_dn_pat, "self" ) == 0 ) { + if( op->o_ndn == NULL || op->o_ndn[0] == '\0' ) { + continue; + } + + if ( e->e_dn == NULL || strcmp( edn, op->o_ndn ) != 0 ) { + continue; } + + } else if ( strcmp( b->a_dn_pat, ".*" ) != 0 && + !regex_matches( b->a_dn_pat, op->o_ndn, edn, matches ) ) + { + continue; } } - if ( b->a_addrpat != NULL ) { - if ( regex_matches( b->a_addrpat, conn->c_addr, edn, matches ) ) { - Debug( LDAP_DEBUG_ACL, - "<= acl_access_allowed: matched by clause #%d access %s\n", - i, (b->a_access & ~ACL_SELF) >= access ? - "granted" : "denied", 0 ); - - return( (b->a_access & ~ACL_SELF) >= access ); + + if ( b->a_sockurl_pat != NULL ) { + Debug( LDAP_DEBUG_ARGS, "<= check a_sockurl_pat: %s\n", + b->a_sockurl_pat, 0, 0 ); + + if ( strcmp( b->a_sockurl_pat, ".*" ) != 0 && + !regex_matches( b->a_sockurl_pat, conn->c_listener_url, + edn, matches ) ) + { + continue; } } - if ( b->a_domainpat != NULL ) { - Debug( LDAP_DEBUG_ARGS, "<= check a_domainpath: %s\n", - b->a_domainpat, 0, 0 ); - if ( regex_matches( b->a_domainpat, conn->c_domain, edn, matches ) ) + + if ( b->a_domain_pat != NULL ) { + Debug( LDAP_DEBUG_ARGS, "<= check a_domain_pat: %s\n", + b->a_domain_pat, 0, 0 ); + + if ( strcmp( b->a_domain_pat, ".*" ) != 0 && + !regex_matches( b->a_domain_pat, conn->c_peer_domain, + edn, matches ) ) { - Debug( LDAP_DEBUG_ACL, - "<= acl_access_allowed: matched by clause #%d access %s\n", - i, (b->a_access & ~ACL_SELF) >= access ? - "granted" : "denied", 0 ); + continue; + } + } + + if ( b->a_peername_pat != NULL ) { + Debug( LDAP_DEBUG_ARGS, "<= check a_peername_path: %s\n", + b->a_peername_pat, 0, 0 ); - return( (b->a_access & ~ACL_SELF) >= access ); + if ( strcmp( b->a_peername_pat, ".*" ) != 0 && + !regex_matches( b->a_peername_pat, conn->c_peer_name, + edn, matches ) ) + { + continue; } } - if ( b->a_dnattr != NULL && op->o_ndn != NULL ) { - Debug( LDAP_DEBUG_ARGS, "<= check a_dnattr: %s\n", - b->a_dnattr, 0, 0); - /* see if asker is listed in dnattr */ - if ( (at = attr_find( e->e_attrs, b->a_dnattr )) != NULL && + + if ( b->a_sockname_pat != NULL ) { + Debug( LDAP_DEBUG_ARGS, "<= check a_sockname_path: %s\n", + b->a_sockname_pat, 0, 0 ); + + if ( strcmp( b->a_sockname_pat, ".*" ) != 0 && + !regex_matches( b->a_sockname_pat, conn->c_sock_name, + edn, matches ) ) + { + continue; + } + } + + if ( b->a_dn_at != NULL && op->o_ndn != NULL ) { + Attribute *at; + struct berval bv; + + Debug( LDAP_DEBUG_ARGS, "<= check a_dn_at: %s\n", + b->a_dn_at, 0, 0); + + bv.bv_val = op->o_ndn; + bv.bv_len = strlen( bv.bv_val ); + + /* see if asker is listed in dnattr */ + if ( (at = attr_find( e->e_attrs, b->a_dn_at )) != NULL && value_find( at->a_vals, &bv, at->a_syntax, 3 ) == 0 ) { - if ( (b->a_access & ACL_SELF) && + if ( ACL_IS_SELF(b->a_access) && (val == NULL || value_cmp( &bv, val, at->a_syntax, 2 )) ) { continue; } - Debug( LDAP_DEBUG_ACL, - "<= acl_acces_allowed: matched by clause #%d access %s\n", - i, (b->a_access & ~ACL_SELF) >= access ? - "granted" : "denied", 0 ); - - return( (b->a_access & ~ACL_SELF) >= access ); - } - /* asker not listed in dnattr - check for self access */ - if ( ! (b->a_access & ACL_SELF) || val == NULL || + } else if ( ! ACL_IS_SELF(b->a_access) || val == NULL || value_cmp( &bv, val, at->a_syntax, 2 ) != 0 ) { continue; } - - Debug( LDAP_DEBUG_ACL, - "<= acl_access_allowed: matched by clause #%d (self) access %s\n", - i, (b->a_access & ~ACL_SELF) >= access ? "granted" - : "denied", 0 ); - - return( (b->a_access & ~ACL_SELF) >= access ); } -#ifdef SLAPD_ACLGROUPS - if ( b->a_group != NULL && op->o_ndn != NULL ) { + + if ( b->a_group_pat != NULL && op->o_ndn != NULL ) { char buf[1024]; /* b->a_group is an unexpanded entry name, expanded it should be an @@ -353,19 +359,26 @@ acl_access_allowed( * the values in the attribute group */ /* see if asker is listed in dnattr */ - string_expand(buf, sizeof(buf), b->a_group, edn, matches); - (void) dn_normalize_case(buf); + string_expand(buf, sizeof(buf), b->a_group_pat, edn, matches); + if ( dn_normalize_case(buf) == NULL ) { + /* did not expand to a valid dn */ + continue; + } - if (backend_group(be, e, buf, odn, - b->a_objectclassvalue, b->a_groupattrname) == 0) + if (backend_group(be, e, buf, op->o_ndn, + b->a_group_oc, b->a_group_at) != 0) { - Debug( LDAP_DEBUG_ACL, - "<= acl_access_allowed: matched by clause #%d (group) access granted\n", - i, 0, 0 ); - return( (b->a_access & ~ACL_SELF) >= access ); + continue; } } -#endif /* SLAPD_ACLGROUPS */ + + Debug( LDAP_DEBUG_ACL, + "<= acl_access_allowed: matched by clause #%d access %s\n", + i, + ACL_GRANT(b->a_access, access) ? "granted" : "denied", + 0 ); + + return ACL_GRANT(b->a_access, access ); } Debug( LDAP_DEBUG_ACL, @@ -393,19 +406,15 @@ acl_check_modlist( ) { int i; - struct acl *a; + AccessControl *a; char *edn = e->e_ndn; for ( ; mlist != NULL; mlist = mlist->ml_next ) { regmatch_t matches[MAXREMATCHES]; /* the lastmod attributes are ignored by ACL checking */ - if ( strcasecmp( mlist->ml_type, "modifiersname" ) == 0 || - strcasecmp( mlist->ml_type, "modifytimestamp" ) == 0 || - strcasecmp( mlist->ml_type, "creatorsname" ) == 0 || - strcasecmp( mlist->ml_type, "createtimestamp" ) == 0 ) - { - Debug( LDAP_DEBUG_ACL, "LASTMOD attribute: %s access allowed\n", + if ( oc_check_no_usermod_attr( mlist->ml_type ) ) { + Debug( LDAP_DEBUG_ACL, "Operational attribute: %s access allowed\n", mlist->ml_type, 0, 0 ); continue; } @@ -517,6 +526,8 @@ regex_matches( char newbuf[512]; int rc; + if(str == NULL) str = ""; + string_expand(newbuf, sizeof(newbuf), pat, buf, matches); if (( rc = regcomp(&re, newbuf, REG_EXTENDED|REG_ICASE))) { char error[512];