X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Facl.c;h=48f93c81966e13ef2a29442da677e0b231b100d3;hb=3bf9998d7885ef6bbc4690d4229e5cb5068a35de;hp=954714cf7778e649f808d42cacc1d8fed9bb92cb;hpb=86f1f7e0471cb870f94bcbf1c4e9c97053e5f0d5;p=openldap diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c index 954714cf77..48f93c8196 100644 --- a/servers/slapd/acl.c +++ b/servers/slapd/acl.c @@ -2,7 +2,7 @@ /* $OpenLDAP$ */ /* This work is part of OpenLDAP Software . * - * Copyright 1998-2006 The OpenLDAP Foundation. + * Copyright 1998-2008 The OpenLDAP Foundation. * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -40,6 +40,9 @@ #define ACL_BUF_SIZE 1024 /* use most appropriate size */ static const struct berval acl_bv_ip_eq = BER_BVC( "IP=" ); +#ifdef LDAP_PF_INET6 +static const struct berval acl_bv_ipv6_eq = BER_BVC( "IP=[" ); +#endif /* LDAP_PF_INET6 */ #ifdef LDAP_PF_LOCAL static const struct berval acl_bv_path_eq = BER_BVC("PATH="); #endif /* LDAP_PF_LOCAL */ @@ -231,18 +234,17 @@ slap_access_allowed( ( state->as_recorded & ACL_STATE_RECORDED_NV ) ) { Debug( LDAP_DEBUG_ACL, - "=> slap_access_allowed: result from state (%s)\n", + "=> slap_access_allowed: result was in cache (%s)\n", attr, 0, 0 ); ret = state->as_result; goto done; } else { Debug( LDAP_DEBUG_ACL, - "=> slap_access_allowed: no res from state (%s)\n", + "=> slap_access_allowed: result not in cache (%s)\n", attr, 0, 0 ); } } -vd_access: control = slap_acl_mask( a, &mask, op, e, desc, val, MAXREMATCHES, matches, count, state ); @@ -302,7 +304,7 @@ fe_access_allowed( be_orig = op->o_bd; if ( op->o_bd == NULL ) { - op->o_bd = select_backend( &op->o_req_ndn, 0, 0 ); + op->o_bd = select_backend( &op->o_req_ndn, 0 ); if ( op->o_bd == NULL ) op->o_bd = frontendDB; } @@ -349,12 +351,15 @@ access_allowed_mask( assert( attr != NULL ); if ( op ) { - if ( op->o_is_auth_check && + if ( op->o_acl_priv != ACL_NONE ) { + access = op->o_acl_priv; + + } else if ( op->o_is_auth_check && ( access_level == ACL_SEARCH || access_level == ACL_READ ) ) { access = ACL_AUTH; - } else if ( get_manageDIT( op ) && access_level == ACL_WRITE && + } else if ( get_relax( op ) && access_level == ACL_WRITE && desc == slap_schema.si_ad_entry ) { access = ACL_MANAGE; @@ -387,14 +392,12 @@ access_allowed_mask( op->o_bd = LDAP_STAILQ_FIRST( &backendDB ); be_null = 1; -#ifdef LDAP_DEVEL - /* - * FIXME: experimental; use first backend rules - * iff there is no global_acl (ITS#3100) */ + /* FIXME: experimental; use first backend rules + * iff there is no global_acl (ITS#3100) + */ if ( frontendDB->be_acl != NULL ) { op->o_bd = frontendDB; } -#endif /* LDAP_DEVEL */ } assert( op->o_bd != NULL ); @@ -649,6 +652,17 @@ slap_acl_get( return( NULL ); } +/* + * Record value-dependent access control state + */ +#define ACL_RECORD_VALUE_STATE do { \ + if( state && !( state->as_recorded & ACL_STATE_RECORDED_VD )) { \ + state->as_recorded |= ACL_STATE_RECORDED_VD; \ + state->as_vd_acl = a; \ + state->as_vd_acl_count = count; \ + } \ + } while( 0 ) + static int acl_mask_dn( Operation *op, @@ -670,7 +684,7 @@ acl_mask_dn( * NOTE: styles "anonymous", "users" and "self" * have been moved to enum slap_style_t, whose * value is set in a_dn_style; however, the string - * is maintaned in a_dn_pat. + * is maintained in a_dn_pat. */ if ( bdn->a_style == ACL_STYLE_ANONYMOUS ) { @@ -960,11 +974,10 @@ acl_mask_dnattr( at != NULL; at = attrs_find( at->a_next, bdn->a_at ) ) { - if ( value_find_ex( bdn->a_at, + if ( attr_valfind( at, SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH | SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH, - at->a_nvals, - &bv, op->o_tmpmemctx ) == 0 ) + &bv, NULL, op->o_tmpmemctx ) == 0 ) { /* found it */ match = 1; @@ -996,6 +1009,8 @@ acl_mask_dnattr( if ( ! bdn->a_self ) return 1; + ACL_RECORD_VALUE_STATE; + /* this is a self clause, check if the target is an * attribute. */ @@ -1088,7 +1103,7 @@ slap_acl_mask( * NOTE: styles "anonymous", "users" and "self" * have been moved to enum slap_style_t, whose * value is set in a_dn_style; however, the string - * is maintaned in a_dn_pat. + * is maintained in a_dn_pat. */ if ( acl_mask_dn( op, e, desc, val, a, nmatch, matches, @@ -1112,7 +1127,7 @@ slap_acl_mask( * NOTE: styles "anonymous", "users" and "self" * have been moved to enum slap_style_t, whose * value is set in a_dn_style; however, the string - * is maintaned in a_dn_pat. + * is maintained in a_dn_pat. */ if ( op->o_conn && !BER_BVISNULL( &op->o_conn->c_ndn ) ) @@ -1265,7 +1280,7 @@ slap_acl_mask( /* extract IP and try exact match */ } else if ( b->a_peername_style == ACL_STYLE_IP ) { char *port; - char buf[] = "255.255.255.255"; + char buf[STRLENOF("255.255.255.255") + 1]; struct berval ip; unsigned long addr; int port_number = -1; @@ -1306,6 +1321,50 @@ slap_acl_mask( if ( (addr & b->a_peername_mask) != b->a_peername_addr ) continue; +#ifdef LDAP_PF_INET6 + /* extract IPv6 and try exact match */ + } else if ( b->a_peername_style == ACL_STYLE_IPV6 ) { + char *port; + char buf[STRLENOF("FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF") + 1]; + struct berval ip; + struct in6_addr addr; + int port_number = -1; + + if ( strncasecmp( op->o_conn->c_peer_name.bv_val, + acl_bv_ipv6_eq.bv_val, + acl_bv_ipv6_eq.bv_len ) != 0 ) + continue; + + ip.bv_val = op->o_conn->c_peer_name.bv_val + acl_bv_ipv6_eq.bv_len; + ip.bv_len = op->o_conn->c_peer_name.bv_len - acl_bv_ipv6_eq.bv_len; + + port = strrchr( ip.bv_val, ']' ); + if ( port ) { + ip.bv_len = port - ip.bv_val; + ++port; + if ( port[0] == ':' && lutil_atoi( &port_number, ++port ) != 0 ) + continue; + } + + /* the port check can be anticipated here */ + if ( b->a_peername_port != -1 && port_number != b->a_peername_port ) + continue; + + /* address longer than expected? */ + if ( ip.bv_len >= sizeof(buf) ) + continue; + + AC_MEMCPY( buf, ip.bv_val, ip.bv_len ); + buf[ ip.bv_len ] = '\0'; + + if ( inet_pton( AF_INET6, buf, &addr ) != 1 ) + continue; + + /* check mask */ + if ( !slap_addr6_mask( &addr, &b->a_peername_mask6, &b->a_peername_addr6 ) ) + continue; +#endif /* LDAP_PF_INET6 */ + #ifdef LDAP_PF_LOCAL /* extract path and try exact match */ } else if ( b->a_peername_style == ACL_STYLE_PATH ) { @@ -1603,6 +1662,8 @@ slap_acl_mask( const char *dummy; int rc, match = 0; + ACL_RECORD_VALUE_STATE; + /* must have DN syntax */ if ( desc->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName && !is_at_syntax( desc->ad_type, SLAPD_NAMEUID_SYNTAX )) continue; @@ -1659,7 +1720,8 @@ slap_acl_mask( Debug( LDAP_DEBUG_ACL, " <= check a_dynacl: %s\n", da->da_name, 0, 0 ); - (void)( *da->da_mask )( da->da_private, op, e, desc, val, nmatch, matches, &grant, &deny ); + (void)da->da_mask( da->da_private, op, e, desc, + val, nmatch, matches, &grant, &deny ); tgrant |= grant; tdeny |= deny; @@ -1969,6 +2031,10 @@ acl_set_cb_gather( Operation *op, SlapReply *rs ) for ( j = 0; !BER_BVISNULL( &rs->sr_attrs[ j ].an_name ); j++ ) { AttributeDescription *desc = rs->sr_attrs[ j ].an_desc; + + if ( desc == NULL ) { + continue; + } if ( desc == slap_schema.si_ad_entryDN ) { bvalsp = bvals; @@ -1980,17 +2046,12 @@ acl_set_cb_gather( Operation *op, SlapReply *rs ) a = attr_find( rs->sr_entry->e_attrs, desc ); if ( a != NULL ) { - int i; - - for ( i = 0; !BER_BVISNULL( &a->a_nvals[ i ] ); i++ ) - ; - bvalsp = a->a_nvals; } } } - if ( bvals ) { + if ( bvalsp ) { p->bvals = slap_set_join( p->cookie, p->bvals, ( '|' | SLAP_SET_RREF ), bvalsp ); } @@ -2014,8 +2075,6 @@ acl_set_gather( SetCookie *cookie, struct berval *name, AttributeDescription *de int nattrs = 0; slap_callback cb = { NULL, acl_set_cb_gather, NULL, NULL }; acl_set_gather_t p = { 0 }; - const char *text = NULL; - static struct berval defaultFilter_bv = BER_BVC( "(objectClass=*)" ); /* this routine needs to return the bervals instead of * plain strings, since syntax is not known. It should @@ -2027,6 +2086,10 @@ acl_set_gather( SetCookie *cookie, struct berval *name, AttributeDescription *de rc = ldap_url_parse( name->bv_val, &ludp ); if ( rc != LDAP_URL_SUCCESS ) { + Debug( LDAP_DEBUG_TRACE, + "%s acl_set_gather: unable to parse URL=\"%s\"\n", + cp->asc_op->o_log_prefix, name->bv_val, 0 ); + rc = LDAP_PROTOCOL_ERROR; goto url_done; } @@ -2035,6 +2098,10 @@ acl_set_gather( SetCookie *cookie, struct berval *name, AttributeDescription *de { /* host part must be empty */ /* extensions parts must be empty */ + Debug( LDAP_DEBUG_TRACE, + "%s acl_set_gather: host/exts must be absent in URL=\"%s\"\n", + cp->asc_op->o_log_prefix, name->bv_val, 0 ); + rc = LDAP_PROTOCOL_ERROR; goto url_done; } @@ -2045,11 +2112,19 @@ acl_set_gather( SetCookie *cookie, struct berval *name, AttributeDescription *de &op2.o_req_ndn, cp->asc_op->o_tmpmemctx ); BER_BVZERO( &op2.o_req_dn ); if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_TRACE, + "%s acl_set_gather: DN=\"%s\" normalize failed\n", + cp->asc_op->o_log_prefix, op2.o_req_dn.bv_val, 0 ); + goto url_done; } - op2.o_bd = select_backend( &op2.o_req_ndn, 0, 1 ); + op2.o_bd = select_backend( &op2.o_req_ndn, 1 ); if ( ( op2.o_bd == NULL ) || ( op2.o_bd->be_search == NULL ) ) { + Debug( LDAP_DEBUG_TRACE, + "%s acl_set_gather: no database could be selected for DN=\"%s\"\n", + cp->asc_op->o_log_prefix, op2.o_req_ndn.bv_val, 0 ); + rc = LDAP_NO_SUCH_OBJECT; goto url_done; } @@ -2058,35 +2133,46 @@ acl_set_gather( SetCookie *cookie, struct berval *name, AttributeDescription *de if ( ludp->lud_filter ) { ber_str2bv_x( ludp->lud_filter, 0, 0, &op2.ors_filterstr, cp->asc_op->o_tmpmemctx ); + op2.ors_filter = str2filter_x( cp->asc_op, op2.ors_filterstr.bv_val ); + if ( op2.ors_filter == NULL ) { + Debug( LDAP_DEBUG_TRACE, + "%s acl_set_gather: unable to parse filter=\"%s\"\n", + cp->asc_op->o_log_prefix, op2.ors_filterstr.bv_val, 0 ); + + rc = LDAP_PROTOCOL_ERROR; + goto url_done; + } } else { - op2.ors_filterstr = defaultFilter_bv; + op2.ors_filterstr = *slap_filterstr_objectClass_pres; + op2.ors_filter = (Filter *)slap_filter_objectClass_pres; } - op2.ors_filter = str2filter_x( cp->asc_op, op2.ors_filterstr.bv_val ); - if ( op2.ors_filter == NULL ) { - rc = LDAP_PROTOCOL_ERROR; - goto url_done; - } /* Grab the scope */ op2.ors_scope = ludp->lud_scope; /* Grap the attributes */ if ( ludp->lud_attrs ) { + int i; + for ( ; ludp->lud_attrs[ nattrs ]; nattrs++ ) ; - anlistp = slap_sl_malloc( sizeof( AttributeName ) * ( nattrs + 2 ), + anlistp = slap_sl_calloc( sizeof( AttributeName ), nattrs + 2, cp->asc_op->o_tmpmemctx ); - for ( ; ludp->lud_attrs[ nattrs ]; nattrs++ ) { - ber_str2bv( ludp->lud_attrs[ nattrs ], 0, 0, &anlistp[ nattrs ].an_name ); - anlistp[ nattrs ].an_desc = NULL; - rc = slap_bv2ad( &anlistp[ nattrs ].an_name, - &anlistp[ nattrs ].an_desc, &text ); - if ( rc != LDAP_SUCCESS ) { - goto url_done; + for ( i = 0, nattrs = 0; ludp->lud_attrs[ i ]; i++ ) { + struct berval name; + AttributeDescription *desc = NULL; + const char *text = NULL; + + ber_str2bv( ludp->lud_attrs[ i ], 0, 0, &name ); + rc = slap_bv2ad( &name, &desc, &text ); + if ( rc == LDAP_SUCCESS ) { + anlistp[ nattrs ].an_name = name; + anlistp[ nattrs ].an_desc = desc; + nattrs++; } } @@ -2123,7 +2209,7 @@ acl_set_gather( SetCookie *cookie, struct berval *name, AttributeDescription *de } url_done:; - if ( op2.ors_filter ) { + if ( op2.ors_filter && op2.ors_filter != slap_filter_objectClass_pres ) { filter_free_x( cp->asc_op, op2.ors_filter ); } if ( !BER_BVISNULL( &op2.o_req_ndn ) ) {