X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Facl.c;h=4b11753d38769fcf780c242334c7105ce51e1aa7;hb=3bbaa8103b351f3268b08f8a276ea49ac7067b47;hp=377b5b9b4ff131f73aec7619e6153b2ceecb9028;hpb=4c60645bfbaea8d5f05eb8a42a5c4227ad3fcd23;p=openldap
diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index 377b5b9b4f..4b11753d38 100644
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -2,7 +2,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software .
 *
- * Copyright 1998-2008 The OpenLDAP Foundation.
+ * Copyright 1998-2009 The OpenLDAP Foundation.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -66,7 +66,8 @@ static slap_control_t slap_acl_mask(
 slap_access_t access );
 
 static int regex_matches(
- struct berval *pat, char *str, char *buf,
+ struct berval *pat, char *str,
+ struct berval *dn_matches, struct berval *val_matches,
 AclRegexMatches *matches);
 
 typedef struct AclSetCookie {
@@ -120,7 +121,7 @@ slap_access_always_allowed(
 ( sizeof ( (m)->dn_data ) / sizeof( *(m)->dn_data ) )
 #define MATCHES_VALMAXCOUNT(m) \
 ( sizeof ( (m)->val_data ) / sizeof( *(m)->val_data ) )
-#define MATCHES_MEMSET(m) { \
+#define MATCHES_MEMSET(m) do { \
 memset( (m)->dn_data, '\0', sizeof( (m)->dn_data ) ); \
 memset( (m)->val_data, '\0', sizeof( (m)->val_data ) ); \
 (m)->dn_count = MATCHES_DNMAXCOUNT( (m) ); \
@@ -243,10 +244,9 @@ slap_access_allowed(
 
 /* DN matches */
 for ( i = 0; i < dnmaxcount && dn_data[i].rm_eo > 0; i++ ) {
- char *debugmsg = "=> match[dn%d]: %d %d ";
 char *data = e->e_ndn;
 
- Debug( LDAP_DEBUG_ACL, debugmsg, i,
+ Debug( LDAP_DEBUG_ACL, "=> match[dn%d]: %d %d ", i,
 (int)dn_data[i].rm_so, (int)dn_data[i].rm_eo );
 
 if ( dn_data[i].rm_so <= dn_data[0].rm_eo ) {
@@ -262,10 +262,9 @@ slap_access_allowed(
 
 /* val matches */
 for ( i = 0; i < valmaxcount && val_data[i].rm_eo > 0; i++ ) {
- char *debugmsg = "=> match[val%d]: %d %d ";
 char *data = val->bv_val;
 
- Debug( LDAP_DEBUG_ACL, debugmsg, i,
+ Debug( LDAP_DEBUG_ACL, "=> match[val%d]: %d %d ", i,
 (int)val_data[i].rm_so, (int)val_data[i].rm_eo );
 
 if ( val_data[i].rm_so <= val_data[0].rm_eo ) {
@@ -518,7 +517,7 @@ slap_acl_get(
 AccessControlState *state )
 {
 const char *attr;
- int dnlen, patlen;
+ ber_len_t dnlen;
 AccessControl *prev;
 
 assert( e != NULL );
@@ -566,6 +565,8 @@ slap_acl_get(
 continue;
 
 } else {
+ ber_len_t patlen;
+
 Debug( LDAP_DEBUG_ACL, "=> dn: [%d] %s\n",
 *count, a->acl_dn_pat.bv_val, 0 );
 patlen = a->acl_dn_pat.bv_len;
@@ -579,7 +580,7 @@ slap_acl_get(
 
 } else if ( a->acl_dn_style == ACL_STYLE_ONE ) {
 ber_len_t rdnlen = 0;
- int sep = 0;
+ ber_len_t sep = 0;
 
 if ( dnlen <= patlen )
 continue;
@@ -591,7 +592,7 @@ slap_acl_get(
 }
 
 rdnlen = dn_rdnlen( NULL, &e->e_nname );
- if ( rdnlen != dnlen - patlen - sep )
+ if ( rdnlen + patlen + sep != dnlen )
 continue;
 
 } else if ( a->acl_dn_style == ACL_STYLE_SUBTREE ) {
@@ -634,12 +635,10 @@ slap_acl_get(
 }
 
 if ( a->acl_attrval_style == ACL_STYLE_REGEX ) {
- int rc;
-
 Debug( LDAP_DEBUG_ACL,
 "acl_get: valpat %s\n",
 a->acl_attrval.bv_val, 0, 0 );
- if ( rc = regexec ( &a->acl_attrval_re,
+ if ( regexec ( &a->acl_attrval_re,
 val->bv_val,
 matches->val_count,
 matches->val_data, 0 ) )
@@ -662,7 +661,7 @@ slap_acl_get(
 continue;
 
 } else {
- int patlen, vdnlen;
+ ber_len_t patlen, vdnlen;
 
 patlen = a->acl_attrval.bv_len;
 vdnlen = val->bv_len;
@@ -681,7 +680,7 @@ slap_acl_get(
 continue;
 
 rdnlen = dn_rdnlen( NULL, val );
- if ( rdnlen != vdnlen - patlen - 1 )
+ if ( rdnlen + patlen + 1 != vdnlen )
 continue;
 
 } else if ( a->acl_attrval_style == ACL_STYLE_SUBTREE ) {
@@ -739,7 +738,6 @@ static int
 acl_mask_dn(
 Operation *op,
 Entry *e,
- AttributeDescription *desc,
 struct berval *val,
 AccessControl *a,
 AclRegexMatches *matches,
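Review bot: The rewritten comparisons `if ( rdnlen + patlen + sep != dnlen )` (@@ -591) and `if ( rdnlen + patlen + 1 != vdnlen )` (@@ -681) read as an arbitrary reshuffle unless the reader also notices that dnlen, sep, patlen and vdnlen became ber_len_t in @@ -518, @@ -579 and @@ -662 of this same diff, so a short comment would keep the next maintainer from folding them back into a subtraction on unsigned operands: `/* operands are unsigned (ber_len_t): compare sums, never differences */`. The guard `if ( dnlen <= patlen ) continue;` visible in @@ -579 is what stops the old subtraction from wrapping, so the sum form is also the safer one if that guard is ever relaxed. Both enclosing branches of slap_acl_get extend beyond their hunks.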
@@ -804,7 +802,6 @@ acl_mask_dn(
 
 AclRegexMatches tmp_matches, *tmp_matchesp = &tmp_matches;
 int rc = 0;
- int dnoffset;
 regmatch_t *tmp_data;
 
 MATCHES_MEMSET( &tmp_matches );
@@ -847,7 +844,7 @@ acl_mask_dn(
 }
 
 if ( !regex_matches( &bdn->a_pat, opndn->bv_val,
- e->e_ndn, tmp_matchesp ) )
+ &e->e_nname, NULL, tmp_matchesp ) )
 {
 return 1;
 }
@@ -914,8 +911,8 @@ acl_mask_dn(
 }
 
 if ( acl_string_expand( &bv, &bdn->a_pat,
- e->e_nname.bv_val,
- val->bv_val, tmp_matchesp ) )
+ &e->e_nname,
+ val, tmp_matchesp ) )
 {
 return 1;
 }
@@ -1025,9 +1022,6 @@ acl_mask_dnattr(
 Entry *e,
 struct berval *val,
 AccessControl *a,
- Access *b,
- int i,
- AclRegexMatches *matches,
 int count,
 AccessControlState *state,
 slap_dn_access *bdn,
@@ -1140,7 +1134,9 @@ slap_acl_mask(
 char accessmaskbuf[ACCESSMASK_MAXLEN];
 #endif /* DEBUG */
 const char *attr;
+#ifdef SLAP_DYNACL
 slap_mask_t a2pmask = ACL_ACCESS2PRIV( access );
+#endif /* SLAP_DYNACL */
 
 assert( a != NULL );
 assert( mask != NULL );
@@ -1185,7 +1181,7 @@ slap_acl_mask(
 * is maintained in a_dn_pat.
 */
 
- if ( acl_mask_dn( op, e, desc, val, a, matches,
+ if ( acl_mask_dn( op, e, val, a, matches,
 &b->a_dn, &op->o_ndn ) )
 {
 continue;
@@ -1216,7 +1212,7 @@ slap_acl_mask(
 ndn = op->o_ndn;
 }
 
- if ( acl_mask_dn( op, e, desc, val, a, matches,
+ if ( acl_mask_dn( op, e, val, a, matches,
 &b->a_realdn, &ndn ) )
 {
 continue;
@@ -1232,8 +1228,8 @@ slap_acl_mask(
 
 if ( !ber_bvccmp( &b->a_sockurl_pat, '*' ) ) {
 if ( b->a_sockurl_style == ACL_STYLE_REGEX) {
- if (!regex_matches( &b->a_sockurl_pat, op->o_conn->c_listener_url.bv_val,
- e->e_ndn, matches ) )
+ if ( !regex_matches( &b->a_sockurl_pat, op->o_conn->c_listener_url.bv_val,
+ &e->e_nname, val, matches ) )
 {
 continue;
 }
@@ -1244,7 +1240,7 @@ slap_acl_mask(
 bv.bv_len = sizeof( buf ) - 1;
 bv.bv_val = buf;
 
- if ( acl_string_expand( &bv, &b->a_sockurl_pat, e->e_ndn, val->bv_val, matches ) )
+ if ( acl_string_expand( &bv, &b->a_sockurl_pat, &e->e_nname, val, matches ) )
 {
 continue;
 }
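Review bot: In @@ -847 the by-dn regex call `regex_matches( &bdn->a_pat, opndn->bv_val, &e->e_nname, NULL, tmp_matchesp )` passes NULL as val_matches, while the sibling expansion in @@ -914 passes `val`, and both sit inside acl_mask_dn, which receives val as a parameter (@@ -739). If value captures are deliberately unavailable to dn regex patterns, a comment should say so, e.g. `/* $vN captures are not offered to by-dn regex patterns */`; if not, pass `val` here for consistency with the regex_matches calls in slap_acl_mask (@@ -1232 and the domain/peername/sockname hunks) that now hand val over. The body of acl_mask_dn continues outside the hunk.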
@@ -1271,8 +1267,8 @@ slap_acl_mask(
 b->a_domain_pat.bv_val, 0, 0 );
 if ( !ber_bvccmp( &b->a_domain_pat, '*' ) ) {
 if ( b->a_domain_style == ACL_STYLE_REGEX) {
- if (!regex_matches( &b->a_domain_pat, op->o_conn->c_peer_domain.bv_val,
- e->e_ndn, matches ) )
+ if ( !regex_matches( &b->a_domain_pat, op->o_conn->c_peer_domain.bv_val,
+ &e->e_nname, val, matches ) )
 {
 continue;
 }
@@ -1288,7 +1284,7 @@ slap_acl_mask(
 bv.bv_len = sizeof(buf) - 1;
 bv.bv_val = buf;
 
- if ( acl_string_expand(&bv, &b->a_domain_pat, e->e_ndn, val->bv_val, matches) )
+ if ( acl_string_expand(&bv, &b->a_domain_pat, &e->e_nname, val, matches) )
 {
 continue;
 }
@@ -1325,8 +1321,8 @@ slap_acl_mask(
 b->a_peername_pat.bv_val, 0, 0 );
 if ( !ber_bvccmp( &b->a_peername_pat, '*' ) ) {
 if ( b->a_peername_style == ACL_STYLE_REGEX ) {
- if (!regex_matches( &b->a_peername_pat, op->o_conn->c_peer_name.bv_val,
- e->e_ndn, matches ) )
+ if ( !regex_matches( &b->a_peername_pat, op->o_conn->c_peer_name.bv_val,
+ &e->e_nname, val, matches ) )
 {
 continue;
 }
@@ -1344,7 +1340,7 @@ slap_acl_mask(
 bv.bv_len = sizeof( buf ) - 1;
 bv.bv_val = buf;
 
- if ( acl_string_expand( &bv, &b->a_peername_pat, e->e_ndn, val->bv_val, matches ) )
+ if ( acl_string_expand( &bv, &b->a_peername_pat, &e->e_nname, val, matches ) )
 {
 continue;
 }
@@ -1477,8 +1473,8 @@ slap_acl_mask(
 b->a_sockname_pat.bv_val, 0, 0 );
 if ( !ber_bvccmp( &b->a_sockname_pat, '*' ) ) {
 if ( b->a_sockname_style == ACL_STYLE_REGEX) {
- if (!regex_matches( &b->a_sockname_pat, op->o_conn->c_sock_name.bv_val,
- e->e_ndn, matches ) )
+ if ( !regex_matches( &b->a_sockname_pat, op->o_conn->c_sock_name.bv_val,
+ &e->e_nname, val, matches ) )
 {
 continue;
 }
@@ -1489,7 +1485,7 @@ slap_acl_mask(
 bv.bv_len = sizeof( buf ) - 1;
 bv.bv_val = buf;
 
- if ( acl_string_expand( &bv, &b->a_sockname_pat, e->e_ndn, val->bv_val, matches ) )
+ if ( acl_string_expand( &bv, &b->a_sockname_pat, &e->e_nname, val, matches ) )
 {
 continue;
 }
@@ -1507,8 +1503,8 @@ slap_acl_mask(
 }
 
 if ( b->a_dn_at != NULL ) {
- if ( acl_mask_dnattr( op, e, val, a, b, i,
- matches, count, state,
+ if ( acl_mask_dnattr( op, e, val, a,
+ count, state,
 &b->a_dn, &op->o_ndn ) )
 {
 continue;
@@ -1525,8 +1521,8 @@ slap_acl_mask(
 ndn = op->o_ndn;
 }
 
- if ( acl_mask_dnattr( op, e, val, a, b, i,
- matches, count, state,
+ if ( acl_mask_dnattr( op, e, val, a,
+ count, state,
 &b->a_realdn, &ndn ) )
 {
 continue;
@@ -1602,7 +1598,7 @@ slap_acl_mask(
 }
 
 if ( acl_string_expand( &bv, &b->a_group_pat,
- e->e_nname.bv_val, val->bv_val,
+ &e->e_nname, val,
 tmp_matchesp ) )
 {
 continue;
@@ -1690,7 +1686,7 @@ slap_acl_mask(
 }
 
 if ( acl_string_expand( &bv, &b->a_set_pat,
- e->e_nname.bv_val, val->bv_val,
+ &e->e_nname, val,
 tmp_matchesp ) )
 {
 continue;
@@ -1809,7 +1805,7 @@ slap_acl_mask(
 
 * an API update */
 (void)da->da_mask( da->da_private, op, e, desc,
- val, matches.dn_count, matches.dn_data,
+ val, matches->dn_count, matches->dn_data,
 &grant, &deny );
 
 tgrant |= grant;
@@ -2513,8 +2509,8 @@ int
 acl_string_expand(
 struct berval *bv,
 struct berval *pat,
- char *dn_match,
- char *val_match,
+ struct berval *dn_matches,
+ struct berval *val_matches,
 AclRegexMatches *matches)
 {
 ber_len_t size;
@@ -2576,13 +2572,15 @@ acl_string_expand(
 case DN_FLAG:
 nm = matches->dn_count;
 m = matches->dn_data;
- data = dn_match;
+ data = dn_matches ? dn_matches->bv_val : NULL;
 break;
 case VAL_FLAG:
 nm = matches->val_count;
 m = matches->val_data;
- data = val_matches ? val_matches->bv_val : NULL;
 break;
+ default:
+ assert( 0 );
 }
 if ( n >= nm ) {
 /* FIXME: error */
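Review bot: The new `default: assert( 0 );` arm in acl_string_expand (@@ -2576) is compiled out under NDEBUG, so a release build would leave the switch with nm, m and data untouched and continue into the capture copy that follows; every caller in this diff treats a nonzero return as "skip this clause" (`if ( acl_string_expand( … ) ) { continue; }` at @@ -1244 and the group/set hunks), so the arm should return that failure status too, e.g. `default: assert( 0 ); return 1;`, assuming 1 is what the `/* FIXME: error */` path returns. Relatedly, `data` may now be NULL on either branch (regex_matches is invoked with NULL for val_matches at @@ -847), so the copy loop below this hunk needs a NULL check before indexing data unless it already has one; that code lies outside the hunk.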
@@ -2634,7 +2632,8 @@ static int
 regex_matches(
 struct berval *pat, /* pattern to expand and match against */
 char *str, /* string to match against pattern */
- char *buf, /* buffer with $N expansion variables */
+ struct berval *dn_matches, /* buffer with $N expansion variables from DN */
+ struct berval *val_matches, /* buffer with $N expansion variables from val */
 AclRegexMatches *matches /* offsets in buffer for $N expansion variables */
 )
 {
@@ -2650,7 +2649,7 @@ regex_matches(
 str = "";
 };
 
- acl_string_expand( &bv, pat, buf, NULL, matches );
+ acl_string_expand( &bv, pat, dn_matches, val_matches, matches );
 rc = regcomp( &re, newbuf, REG_EXTENDED|REG_ICASE );
 if ( rc ) {
 char error[ACL_BUF_SIZE];
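Review bot: The return value of `acl_string_expand( &bv, pat, dn_matches, val_matches, matches );` in @@ -2650 is still discarded, while every other call site in this diff skips the clause when it returns nonzero; a failed or partial expansion (the `n >= nm` error path at @@ -2576, or a NULL capture buffer) would leave whatever is in bv — presumably the newbuf handed to regcomp on the next line — and that incomplete pattern would then be compiled and matched. Callers take a zero return from regex_matches as "no match" (`if ( !regex_matches( … ) ) { return 1; }` at @@ -847), so failing closed is one line: `if ( acl_string_expand( &bv, pat, dn_matches, val_matches, matches ) ) { return 0; }`. The rest of regex_matches, including how bv is bound to newbuf, lies outside the hunk.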