X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Facl.c;h=4b11753d38769fcf780c242334c7105ce51e1aa7;hb=b74b7c232d9d02e9c20d7144c6cbe17f93cf0d5b;hp=7572598beff5f1b2b6d9dd048126d30355311e95;hpb=ffe20229dc2a3c0b69c327d49dbbea172d213e4c;p=openldap diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c index 7572598bef..4b11753d38 100644 --- a/servers/slapd/acl.c +++ b/servers/slapd/acl.c @@ -2,7 +2,7 @@ /* $OpenLDAP$ */ /* This work is part of OpenLDAP Software . * - * Copyright 1998-2005 The OpenLDAP Foundation. + * Copyright 1998-2009 The OpenLDAP Foundation. * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -39,57 +39,20 @@ #define ACL_BUF_SIZE 1024 /* use most appropriate size */ -/* - * speed up compares - */ -static struct berval - aci_bv_entry = BER_BVC("entry"), - aci_bv_children = BER_BVC("children"), - aci_bv_onelevel = BER_BVC("onelevel"), - aci_bv_subtree = BER_BVC("subtree"), - aci_bv_br_entry = BER_BVC("[entry]"), - aci_bv_br_all = BER_BVC("[all]"), - aci_bv_access_id = BER_BVC("access-id"), -#if 0 - aci_bv_anonymous = BER_BVC("anonymous"), -#endif - aci_bv_public = BER_BVC("public"), - aci_bv_users = BER_BVC("users"), - aci_bv_self = BER_BVC("self"), - aci_bv_dnattr = BER_BVC("dnattr"), - aci_bv_group = BER_BVC("group"), - aci_bv_role = BER_BVC("role"), - aci_bv_set = BER_BVC("set"), - aci_bv_set_ref = BER_BVC("set-ref"), - aci_bv_grant = BER_BVC("grant"), - aci_bv_deny = BER_BVC("deny"), - - aci_bv_ip_eq = BER_BVC("IP="), +static const struct berval acl_bv_ip_eq = BER_BVC( "IP=" ); +#ifdef LDAP_PF_INET6 +static const struct berval acl_bv_ipv6_eq = BER_BVC( "IP=[" ); +#endif /* LDAP_PF_INET6 */ #ifdef LDAP_PF_LOCAL - aci_bv_path_eq = BER_BVC("PATH="), -#if 0 - aci_bv_dirsep = BER_BVC(LDAP_DIRSEP), -#endif +static const struct berval acl_bv_path_eq = BER_BVC("PATH="); #endif /* LDAP_PF_LOCAL */ - - aci_bv_group_class = BER_BVC(SLAPD_GROUP_CLASS), - aci_bv_group_attr = BER_BVC(SLAPD_GROUP_ATTR), - aci_bv_role_class = BER_BVC(SLAPD_ROLE_CLASS), - aci_bv_role_attr = BER_BVC(SLAPD_ROLE_ATTR), - aci_bv_set_attr = BER_BVC(SLAPD_ACI_SET_ATTR); - -typedef enum slap_aci_scope_t { - SLAP_ACI_SCOPE_ENTRY = 0x1, - SLAP_ACI_SCOPE_CHILDREN = 0x2, - SLAP_ACI_SCOPE_SUBTREE = ( SLAP_ACI_SCOPE_ENTRY | SLAP_ACI_SCOPE_CHILDREN ) -} slap_aci_scope_t; static AccessControl * slap_acl_get( AccessControl *ac, int *count, Operation *op, Entry *e, AttributeDescription *desc, struct berval *val, - int nmatch, regmatch_t *matches, + AclRegexMatches *matches, AccessControlState *state ); static slap_control_t slap_acl_mask( @@ -97,40 +60,25 @@ static slap_control_t slap_acl_mask( Operation *op, Entry *e, AttributeDescription *desc, struct berval *val, - int nmatch, - regmatch_t *matches, + AclRegexMatches *matches, int count, - AccessControlState *state ); - -#ifdef SLAPD_ACI_ENABLED -static int aci_mask( - Operation *op, Entry *e, - AttributeDescription *desc, - struct berval *val, - struct berval *aci, - int nmatch, - regmatch_t *matches, - slap_access_t *grant, - slap_access_t *deny, - slap_aci_scope_t scope); -#endif /* SLAPD_ACI_ENABLED */ + AccessControlState *state, + slap_access_t access ); static int regex_matches( - struct berval *pat, char *str, char *buf, - int nmatch, regmatch_t *matches); -static int string_expand( - struct berval *newbuf, struct berval *pattern, - char *match, int nmatch, regmatch_t *matches); - -typedef struct AciSetCookie { - Operation *op; - Entry *e; -} AciSetCookie; - -SLAP_SET_GATHER aci_set_gather; -SLAP_SET_GATHER aci_set_gather2; -static int aci_match_set ( struct berval *subj, Operation *op, - Entry *e, int setref ); + struct berval *pat, char *str, + struct berval *dn_matches, struct berval *val_matches, + AclRegexMatches *matches); + +typedef struct AclSetCookie { + SetCookie asc_cookie; +#define asc_op asc_cookie.set_op + Entry *asc_e; +} AclSetCookie; + + +SLAP_SET_GATHER acl_set_gather; +SLAP_SET_GATHER acl_set_gather2; /* * access_allowed - check whether op->o_ndn is allowed the requested access @@ -151,7 +99,6 @@ static int aci_match_set ( struct berval *subj, Operation *op, * - can be legally called with op->o_bd == NULL */ -#ifdef SLAP_OVERLAY_ACCESS int slap_access_always_allowed( Operation *op, @@ -164,11 +111,23 @@ slap_access_always_allowed( { assert( maskp != NULL ); - ACL_PRIV_SET( *maskp, ACL_ACCESS2PRIV( access ) ); + /* assign all */ + ACL_LVL_ASSIGN_MANAGE( *maskp ); return 1; } +#define MATCHES_DNMAXCOUNT(m) \ + ( sizeof ( (m)->dn_data ) / sizeof( *(m)->dn_data ) ) +#define MATCHES_VALMAXCOUNT(m) \ + ( sizeof ( (m)->val_data ) / sizeof( *(m)->val_data ) ) +#define MATCHES_MEMSET(m) do { \ + memset( (m)->dn_data, '\0', sizeof( (m)->dn_data ) ); \ + memset( (m)->val_data, '\0', sizeof( (m)->val_data ) ); \ + (m)->dn_count = MATCHES_DNMAXCOUNT( (m) ); \ + (m)->val_count = MATCHES_VALMAXCOUNT( (m) ); \ +} while ( 0 /* CONSTCOND */ ) + int slap_access_allowed( Operation *op, @@ -190,8 +149,8 @@ slap_access_allowed( slap_control_t control; slap_access_t access_level; const char *attr; - regmatch_t matches[MAXREMATCHES]; - int st_same_attr = 0; + AclRegexMatches matches; + AccessControlState acl_state = ACL_STATE_INIT; assert( op != NULL ); assert( e != NULL ); @@ -203,6 +162,8 @@ slap_access_allowed( assert( attr != NULL ); + ACL_INIT( mask ); + /* grant database root access */ if ( be_isroot( op ) ) { Debug( LDAP_DEBUG_ACL, "<= root access granted\n", 0, 0, 0 ); @@ -214,8 +175,13 @@ slap_access_allowed( * no-user-modification operational attributes are ignored * by ACL_WRITE checking as any found here are not provided * by the user + * + * NOTE: but they are not ignored for ACL_MANAGE, because + * if we get here it means a non-root user is trying to + * manage data, so we need to check its privileges. */ - if ( access_level >= ACL_WRITE && is_at_no_user_mod( desc->ad_type ) + if ( access_level == ACL_WRITE + && is_at_no_user_mod( desc->ad_type ) && desc != slap_schema.si_ad_entry && desc != slap_schema.si_ad_children ) { @@ -226,7 +192,7 @@ slap_access_allowed( } /* use backend default access if no backend acls */ - if ( op->o_bd->be_acl == NULL ) { + if ( op->o_bd->be_acl == NULL && frontendDB->be_acl == NULL ) { int i; Debug( LDAP_DEBUG_ACL, @@ -248,40 +214,68 @@ slap_access_allowed( ret = 0; control = ACL_BREAK; - if ( st_same_attr ) { - assert( state->as_vd_acl != NULL ); - + if ( state == NULL ) + state = &acl_state; + if ( state->as_vd_ad == desc ) { a = state->as_vd_acl; count = state->as_vd_acl_count; - if ( !ACL_IS_INVALID( state->as_vd_acl_mask ) ) { - mask = state->as_vd_acl_mask; - AC_MEMCPY( matches, state->as_vd_acl_matches, sizeof(matches) ); - goto vd_access; - } - + if ( state->as_fe_done ) + state->as_fe_done--; } else { - if ( state ) state->as_vi_acl = NULL; + state->as_vi_acl = NULL; + a = NULL; - ACL_PRIV_ASSIGN( mask, *maskp ); count = 0; - memset( matches, '\0', sizeof( matches ) ); } + if ( a == NULL ) + state->as_fe_done = 0; + + ACL_PRIV_ASSIGN( mask, *maskp ); + MATCHES_MEMSET( &matches ); while ( ( a = slap_acl_get( a, &count, op, e, desc, val, - MAXREMATCHES, matches, state ) ) != NULL ) + &matches, state ) ) != NULL ) { - int i; + int i; + int dnmaxcount = MATCHES_DNMAXCOUNT( &matches ); + int valmaxcount = MATCHES_VALMAXCOUNT( &matches ); + regmatch_t *dn_data = matches.dn_data; + regmatch_t *val_data = matches.val_data; + + /* DN matches */ + for ( i = 0; i < dnmaxcount && dn_data[i].rm_eo > 0; i++ ) { + char *data = e->e_ndn; + + Debug( LDAP_DEBUG_ACL, "=> match[dn%d]: %d %d ", i, + (int)dn_data[i].rm_so, + (int)dn_data[i].rm_eo ); + if ( dn_data[i].rm_so <= dn_data[0].rm_eo ) { + int n; + for ( n = dn_data[i].rm_so; + n < dn_data[i].rm_eo; n++ ) { + Debug( LDAP_DEBUG_ACL, "%c", + data[n], 0, 0 ); + } + } + Debug( LDAP_DEBUG_ACL, "\n", 0, 0, 0 ); + } - for ( i = 0; i < MAXREMATCHES && matches[i].rm_so > 0; i++ ) { - Debug( LDAP_DEBUG_ACL, "=> match[%d]: %d %d ", i, - (int)matches[i].rm_so, (int)matches[i].rm_eo ); - if ( matches[i].rm_so <= matches[0].rm_eo ) { + /* val matches */ + for ( i = 0; i < valmaxcount && val_data[i].rm_eo > 0; i++ ) { + char *data = val->bv_val; + + Debug( LDAP_DEBUG_ACL, "=> match[val%d]: %d %d ", i, + (int)val_data[i].rm_so, + (int)val_data[i].rm_eo ); + if ( val_data[i].rm_so <= val_data[0].rm_eo ) { int n; - for ( n = matches[i].rm_so; n < matches[i].rm_eo; n++ ) { - Debug( LDAP_DEBUG_ACL, "%c", e->e_ndn[n], 0, 0 ); + for ( n = val_data[i].rm_so; + n < val_data[i].rm_eo; n++ ) { + Debug( LDAP_DEBUG_ACL, "%c", + data[n], 0, 0 ); } } - Debug( LDAP_DEBUG_ARGS, "\n", 0, 0, 0 ); + Debug( LDAP_DEBUG_ACL, "\n", 0, 0, 0 ); } if ( state ) { @@ -289,26 +283,25 @@ slap_access_allowed( ( state->as_recorded & ACL_STATE_RECORDED_NV ) ) { Debug( LDAP_DEBUG_ACL, - "=> slap_access_allowed: result from state (%s)\n", + "=> slap_access_allowed: result was in cache (%s)\n", attr, 0, 0 ); ret = state->as_result; goto done; } else { Debug( LDAP_DEBUG_ACL, - "=> slap_access_allowed: no res from state (%s)\n", + "=> slap_access_allowed: result not in cache (%s)\n", attr, 0, 0 ); } } -vd_access: control = slap_acl_mask( a, &mask, op, - e, desc, val, MAXREMATCHES, matches, count, state ); + e, desc, val, &matches, count, state, access ); if ( control != ACL_BREAK ) { break; } - memset( matches, '\0', sizeof( matches ) ); + MATCHES_MEMSET( &matches ); } if ( ACL_IS_INVALID( mask ) ) { @@ -336,6 +329,40 @@ done: return ret; } +int +fe_access_allowed( + Operation *op, + Entry *e, + AttributeDescription *desc, + struct berval *val, + slap_access_t access, + AccessControlState *state, + slap_mask_t *maskp ) +{ + BackendDB *be_orig; + int rc; + + /* + * NOTE: control gets here if FIXME + * if an appropriate backend cannot be selected for the operation, + * we assume that the frontend should handle this + * FIXME: should select_backend() take care of this, + * and return frontendDB instead of NULL? maybe for some value + * of the flags? + */ + be_orig = op->o_bd; + + if ( op->o_bd == NULL ) { + op->o_bd = select_backend( &op->o_req_ndn, 0 ); + if ( op->o_bd == NULL ) + op->o_bd = frontendDB; + } + rc = slap_access_allowed( op, e, desc, val, access, state, maskp ); + op->o_bd = be_orig; + + return rc; +} + int access_allowed_mask( Operation *op, @@ -354,10 +381,8 @@ access_allowed_mask( char accessmaskbuf[ACCESSMASK_MAXLEN]; #endif slap_mask_t mask; - slap_control_t control; slap_access_t access_level; const char *attr; - int st_same_attr = 0; static AccessControlState state_init = ACL_STATE_INIT; assert( e != NULL ); @@ -374,32 +399,33 @@ access_allowed_mask( assert( attr != NULL ); - if ( op && op->o_is_auth_check && - ( access_level == ACL_SEARCH || access_level == ACL_READ ) ) - { - access = ACL_AUTH; + if ( op ) { + if ( op->o_acl_priv != ACL_NONE ) { + access = op->o_acl_priv; + + } else if ( op->o_is_auth_check && + ( access_level == ACL_SEARCH || access_level == ACL_READ ) ) + { + access = ACL_AUTH; + + } else if ( get_relax( op ) && access_level == ACL_WRITE && + desc == slap_schema.si_ad_entry ) + { + access = ACL_MANAGE; + } } if ( state ) { if ( state->as_vd_ad == desc ) { - if ( state->as_recorded ) { - if ( ( state->as_recorded & ACL_STATE_RECORDED_NV ) && - val == NULL ) - { - return state->as_result; + if ( ( state->as_recorded & ACL_STATE_RECORDED_NV ) && + val == NULL ) + { + return state->as_result; - } else if ( ( state->as_recorded & ACL_STATE_RECORDED_VD ) && - val != NULL && state->as_vd_acl == NULL ) - { - return state->as_result; - } } - st_same_attr = 1; } else { *state = state_init; } - - state->as_vd_ad = desc; } Debug( LDAP_DEBUG_ACL, @@ -415,25 +441,26 @@ access_allowed_mask( op->o_bd = LDAP_STAILQ_FIRST( &backendDB ); be_null = 1; -#ifdef LDAP_DEVEL - /* - * FIXME: experimental; use first backend rules - * iff there is no global_acl (ITS#3100) */ + /* FIXME: experimental; use first backend rules + * iff there is no global_acl (ITS#3100) + */ if ( frontendDB->be_acl != NULL ) { op->o_bd = frontendDB; } -#endif /* LDAP_DEVEL */ } assert( op->o_bd != NULL ); /* this is enforced in backend_add() */ if ( op->o_bd->bd_info->bi_access_allowed ) { /* delegate to backend */ - ret = op->o_bd->bd_info->bi_access_allowed( op, e, desc, val, access, state, &mask ); + ret = op->o_bd->bd_info->bi_access_allowed( op, e, + desc, val, access, state, &mask ); } else { - /* use default */ - ret = slap_access_allowed( op, e, desc, val, access, state, &mask ); + /* use default (but pass through frontend + * for global ACL overlays) */ + ret = frontendDB->bd_info->bi_access_allowed( op, e, + desc, val, access, state, &mask ); } if ( !ret ) { @@ -443,14 +470,12 @@ access_allowed_mask( e->e_dn, attr, 0 ); ACL_INIT( mask ); - } else if ( control == ACL_BREAK ) { + } else { Debug( LDAP_DEBUG_ACL, "=> access_allowed: no more rules\n", 0, 0, 0 ); goto done; } - - ret = ACL_GRANT( mask, access ); } Debug( LDAP_DEBUG_ACL, @@ -466,408 +491,157 @@ done: state->as_result = ret; } state->as_recorded |= ACL_STATE_RECORDED; + state->as_vd_ad = desc; } if ( be_null ) op->o_bd = NULL; if ( maskp ) ACL_PRIV_ASSIGN( *maskp, mask ); return ret; } -#else /* !SLAP_OVERLAY_ACCESS */ -int -access_allowed_mask( - Operation *op, - Entry *e, - AttributeDescription *desc, - struct berval *val, - slap_access_t access, - AccessControlState *state, - slap_mask_t *maskp ) -{ - int ret = 1; - int count; - AccessControl *a = NULL; - Backend *be; - int be_null = 0; +/* + * slap_acl_get - return the acl applicable to entry e, attribute + * attr. the acl returned is suitable for use in subsequent calls to + * acl_access_allowed(). + */ -#ifdef LDAP_DEBUG - char accessmaskbuf[ACCESSMASK_MAXLEN]; -#endif - slap_mask_t mask; - slap_control_t control; - slap_access_t access_level; - const char *attr; - regmatch_t matches[MAXREMATCHES]; - int st_same_attr = 0; - static AccessControlState state_init = ACL_STATE_INIT; +static AccessControl * +slap_acl_get( + AccessControl *a, + int *count, + Operation *op, + Entry *e, + AttributeDescription *desc, + struct berval *val, + AclRegexMatches *matches, + AccessControlState *state ) +{ + const char *attr; + ber_len_t dnlen; + AccessControl *prev; assert( e != NULL ); + assert( count != NULL ); assert( desc != NULL ); - - access_level = ACL_LEVEL( access ); - - assert( access_level > ACL_NONE ); - if ( maskp ) ACL_INVALIDATE( *maskp ); + assert( state != NULL ); attr = desc->ad_cname.bv_val; assert( attr != NULL ); - if ( op && op->o_is_auth_check && - ( access_level == ACL_SEARCH || access_level == ACL_READ ) ) - { - access = ACL_AUTH; - } - - if ( state ) { - if ( state->as_vd_ad == desc ) { - if ( state->as_recorded ) { - if ( ( state->as_recorded & ACL_STATE_RECORDED_NV ) && - val == NULL ) - { - return state->as_result; - - } else if ( ( state->as_recorded & ACL_STATE_RECORDED_VD ) && - val != NULL && state->as_vd_acl == NULL ) - { - return state->as_result; - } - } - st_same_attr = 1; + if( a == NULL ) { + if( op->o_bd == NULL || op->o_bd->be_acl == NULL ) { + a = frontendDB->be_acl; } else { - *state = state_init; + a = op->o_bd->be_acl; } + prev = NULL; - state->as_vd_ad=desc; - } - - Debug( LDAP_DEBUG_ACL, - "=> access_allowed: %s access to \"%s\" \"%s\" requested\n", - access2str( access ), e->e_dn, attr ); - - if ( op == NULL ) { - /* no-op call */ - goto done; + assert( a != NULL ); + if ( a == frontendDB->be_acl ) + state->as_fe_done = 1; + } else { + prev = a; + a = a->acl_next; } - be = op->o_bd; - if ( be == NULL ) { - be = LDAP_STAILQ_FIRST(&backendDB); - be_null = 1; -#ifdef LDAP_DEVEL - /* - * FIXME: experimental; use first backend rules - * iff there is no global_acl (ITS#3100) */ - if ( frontendDB->be_acl == NULL ) -#endif - { - op->o_bd = be; - } - } - assert( be != NULL ); + dnlen = e->e_nname.bv_len; - /* grant database root access */ - if ( be_isroot( op ) ) { - Debug( LDAP_DEBUG_ACL, "<= root access granted\n", 0, 0, 0 ); - if ( maskp ) { - mask = ACL_LVL_MANAGE; - } + retry: + for ( ; a != NULL; prev = a, a = a->acl_next ) { + (*count) ++; - goto done; - } + if ( a != frontendDB->be_acl && state->as_fe_done ) + state->as_fe_done++; - /* - * no-user-modification operational attributes are ignored - * by ACL_WRITE checking as any found here are not provided - * by the user - */ - if ( access_level >= ACL_WRITE && is_at_no_user_mod( desc->ad_type ) - && desc != slap_schema.si_ad_entry - && desc != slap_schema.si_ad_children ) - { - Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:" - " %s access granted\n", - attr, 0, 0 ); - goto done; - } + if ( a->acl_dn_pat.bv_len || ( a->acl_dn_style != ACL_STYLE_REGEX )) { + if ( a->acl_dn_style == ACL_STYLE_REGEX ) { + Debug( LDAP_DEBUG_ACL, "=> dnpat: [%d] %s nsub: %d\n", + *count, a->acl_dn_pat.bv_val, (int) a->acl_dn_re.re_nsub ); + if ( regexec ( &a->acl_dn_re, + e->e_ndn, + matches->dn_count, + matches->dn_data, 0 ) ) + continue; - /* use backend default access if no backend acls */ - if ( be->be_acl == NULL ) { - Debug( LDAP_DEBUG_ACL, - "=> access_allowed: backend default %s " - "access %s to \"%s\"\n", - access2str( access ), - be->be_dfltaccess >= access_level ? "granted" : "denied", - op->o_dn.bv_val ? op->o_dn.bv_val : "(anonymous)" ); - ret = be->be_dfltaccess >= access_level; + } else { + ber_len_t patlen; - if ( maskp ) { - int i; + Debug( LDAP_DEBUG_ACL, "=> dn: [%d] %s\n", + *count, a->acl_dn_pat.bv_val, 0 ); + patlen = a->acl_dn_pat.bv_len; + if ( dnlen < patlen ) + continue; - mask = ACL_PRIV_LEVEL; - for ( i = ACL_NONE; i <= be->be_dfltaccess; i++ ) { - mask |= ACL_ACCESS2PRIV( i ); - } - } + if ( a->acl_dn_style == ACL_STYLE_BASE ) { + /* base dn -- entire object DN must match */ + if ( dnlen != patlen ) + continue; - goto done; + } else if ( a->acl_dn_style == ACL_STYLE_ONE ) { + ber_len_t rdnlen = 0; + ber_len_t sep = 0; -#ifdef notdef - /* be is always non-NULL */ - /* use global default access if no global acls */ - } else if ( be == NULL && frontendDB->be_acl == NULL ) { - Debug( LDAP_DEBUG_ACL, - "=> access_allowed: global default %s access %s to \"%s\"\n", - access2str( access ), - frontendDB->be_dfltaccess >= access_level ? - "granted" : "denied", op->o_dn.bv_val ); - ret = frontendDB->be_dfltaccess >= access_level; + if ( dnlen <= patlen ) + continue; - if ( maskp ) { - int i; + if ( patlen > 0 ) { + if ( !DN_SEPARATOR( e->e_ndn[dnlen - patlen - 1] ) ) + continue; + sep = 1; + } - mask = ACL_PRIV_LEVEL; - for ( i = ACL_NONE; i <= global_default_access; i++ ) { - mask |= ACL_ACCESS2PRIV( i ); - } - } + rdnlen = dn_rdnlen( NULL, &e->e_nname ); + if ( rdnlen + patlen + sep != dnlen ) + continue; - goto done; -#endif - } + } else if ( a->acl_dn_style == ACL_STYLE_SUBTREE ) { + if ( dnlen > patlen && !DN_SEPARATOR( e->e_ndn[dnlen - patlen - 1] ) ) + continue; - ret = 0; - control = ACL_BREAK; + } else if ( a->acl_dn_style == ACL_STYLE_CHILDREN ) { + if ( dnlen <= patlen ) + continue; + if ( !DN_SEPARATOR( e->e_ndn[dnlen - patlen - 1] ) ) + continue; + } - if ( st_same_attr ) { - assert( state->as_vd_acl != NULL ); + if ( strcmp( a->acl_dn_pat.bv_val, e->e_ndn + dnlen - patlen ) != 0 ) + continue; + } - a = state->as_vd_acl; - count = state->as_vd_acl_count; - if ( !ACL_IS_INVALID( state->as_vd_acl_mask ) ) { - mask = state->as_vd_acl_mask; - AC_MEMCPY( matches, state->as_vd_acl_matches, sizeof(matches) ); - goto vd_access; + Debug( LDAP_DEBUG_ACL, "=> acl_get: [%d] matched\n", + *count, 0, 0 ); } - } else { - if ( state ) state->as_vi_acl = NULL; - a = NULL; - ACL_INIT(mask); - count = 0; - memset( matches, '\0', sizeof(matches) ); - } + if ( a->acl_attrs && !ad_inlist( desc, a->acl_attrs ) ) { + matches->dn_data[0].rm_so = -1; + matches->dn_data[0].rm_eo = -1; + matches->val_data[0].rm_so = -1; + matches->val_data[0].rm_eo = -1; + continue; + } - while ( ( a = slap_acl_get( a, &count, op, e, desc, val, - MAXREMATCHES, matches, state ) ) != NULL ) - { - int i; + /* Is this ACL only for a specific value? */ + if ( a->acl_attrval.bv_len ) { + if ( val == NULL ) { + continue; + } - for ( i = 0; i < MAXREMATCHES && matches[i].rm_so > 0; i++ ) { - Debug( LDAP_DEBUG_ACL, "=> match[%d]: %d %d ", i, - (int)matches[i].rm_so, (int)matches[i].rm_eo ); - if ( matches[i].rm_so <= matches[0].rm_eo ) { - int n; - for ( n = matches[i].rm_so; n < matches[i].rm_eo; n++ ) { - Debug( LDAP_DEBUG_ACL, "%c", e->e_ndn[n], 0, 0 ); - } + if( !( state->as_recorded & ACL_STATE_RECORDED_VD )) { + state->as_recorded |= ACL_STATE_RECORDED_VD; + state->as_vd_acl = prev; + state->as_vd_acl_count = *count - 1; } - Debug( LDAP_DEBUG_ARGS, "\n", 0, 0, 0 ); - } - if ( state ) { - if ( state->as_vi_acl == a && - ( state->as_recorded & ACL_STATE_RECORDED_NV ) ) - { - Debug( LDAP_DEBUG_ACL, - "access_allowed: result from state (%s)\n", - attr, 0, 0 ); - ret = state->as_result; - goto done; - } else { - Debug( LDAP_DEBUG_ACL, - "access_allowed: no res from state (%s)\n", - attr, 0, 0 ); - } - } - -vd_access: - control = slap_acl_mask( a, &mask, op, - e, desc, val, MAXREMATCHES, matches, count, state ); - - if ( control != ACL_BREAK ) { - break; - } - - memset( matches, '\0', sizeof(matches) ); - } - - if ( ACL_IS_INVALID( mask ) ) { - Debug( LDAP_DEBUG_ACL, - "=> access_allowed: \"%s\" (%s) invalid!\n", - e->e_dn, attr, 0 ); - ACL_INIT(mask); - - } else if ( control == ACL_BREAK ) { - Debug( LDAP_DEBUG_ACL, - "=> access_allowed: no more rules\n", 0, 0, 0 ); - - goto done; - } - - Debug( LDAP_DEBUG_ACL, - "=> access_allowed: %s access %s by %s\n", - access2str( access ), - ACL_GRANT(mask, access) ? "granted" : "denied", - accessmask2str( mask, accessmaskbuf, 1 ) ); - - ret = ACL_GRANT(mask, access); - -done: - if ( state != NULL ) { - /* If not value-dependent, save ACL in case of more attrs */ - if ( !( state->as_recorded & ACL_STATE_RECORDED_VD ) ) { - state->as_vi_acl = a; - state->as_result = ret; - } - state->as_recorded |= ACL_STATE_RECORDED; - } - if ( be_null ) op->o_bd = NULL; - if ( maskp ) *maskp = mask; - return ret; -} - -#endif /* SLAP_OVERLAY_ACCESS */ - -/* - * slap_acl_get - return the acl applicable to entry e, attribute - * attr. the acl returned is suitable for use in subsequent calls to - * acl_access_allowed(). - */ - -static AccessControl * -slap_acl_get( - AccessControl *a, - int *count, - Operation *op, - Entry *e, - AttributeDescription *desc, - struct berval *val, - int nmatch, - regmatch_t *matches, - AccessControlState *state ) -{ - const char *attr; - int dnlen, patlen; - AccessControl *prev; - - assert( e != NULL ); - assert( count != NULL ); - assert( desc != NULL ); - - attr = desc->ad_cname.bv_val; - - assert( attr != NULL ); - - if( a == NULL ) { - if( op->o_bd == NULL ) { - a = frontendDB->be_acl; - } else { - a = op->o_bd->be_acl; - } - prev = NULL; - - assert( a != NULL ); - - } else { - prev = a; - a = a->acl_next; - } - - dnlen = e->e_nname.bv_len; - - for ( ; a != NULL; a = a->acl_next ) { - (*count) ++; - - if ( a->acl_dn_pat.bv_len || ( a->acl_dn_style != ACL_STYLE_REGEX )) { - if ( a->acl_dn_style == ACL_STYLE_REGEX ) { - Debug( LDAP_DEBUG_ACL, "=> dnpat: [%d] %s nsub: %d\n", - *count, a->acl_dn_pat.bv_val, (int) a->acl_dn_re.re_nsub ); - if (regexec(&a->acl_dn_re, e->e_ndn, nmatch, matches, 0)) - continue; - - } else { - Debug( LDAP_DEBUG_ACL, "=> dn: [%d] %s\n", - *count, a->acl_dn_pat.bv_val, 0 ); - patlen = a->acl_dn_pat.bv_len; - if ( dnlen < patlen ) - continue; - - if ( a->acl_dn_style == ACL_STYLE_BASE ) { - /* base dn -- entire object DN must match */ - if ( dnlen != patlen ) - continue; - - } else if ( a->acl_dn_style == ACL_STYLE_ONE ) { - int rdnlen = -1, sep = 0; - - if ( dnlen <= patlen ) - continue; - - if ( patlen > 0 ) { - if ( !DN_SEPARATOR( e->e_ndn[dnlen - patlen - 1] ) ) - continue; - sep = 1; - } - - rdnlen = dn_rdnlen( NULL, &e->e_nname ); - if ( rdnlen != dnlen - patlen - sep ) - continue; - - } else if ( a->acl_dn_style == ACL_STYLE_SUBTREE ) { - if ( dnlen > patlen && !DN_SEPARATOR( e->e_ndn[dnlen - patlen - 1] ) ) - continue; - - } else if ( a->acl_dn_style == ACL_STYLE_CHILDREN ) { - if ( dnlen <= patlen ) - continue; - if ( !DN_SEPARATOR( e->e_ndn[dnlen - patlen - 1] ) ) - continue; - } - - if ( strcmp( a->acl_dn_pat.bv_val, e->e_ndn + dnlen - patlen ) != 0 ) - continue; - } - - Debug( LDAP_DEBUG_ACL, "=> acl_get: [%d] matched\n", - *count, 0, 0 ); - } - - if ( a->acl_attrs && !ad_inlist( desc, a->acl_attrs ) ) { - matches[0].rm_so = matches[0].rm_eo = -1; - continue; - } - - /* Is this ACL only for a specific value? */ - if ( a->acl_attrval.bv_len ) { - if ( val == NULL ) { - continue; - } - - if( state && !( state->as_recorded & ACL_STATE_RECORDED_VD )) { - state->as_recorded |= ACL_STATE_RECORDED_VD; - state->as_vd_acl = a; - state->as_vd_acl_count = *count; - state->as_vd_access = a->acl_access; - state->as_vd_access_count = 1; - ACL_INVALIDATE( state->as_vd_acl_mask ); - } - - if ( a->acl_attrval_style == ACL_STYLE_REGEX ) { + if ( a->acl_attrval_style == ACL_STYLE_REGEX ) { Debug( LDAP_DEBUG_ACL, "acl_get: valpat %s\n", a->acl_attrval.bv_val, 0, 0 ); - if ( regexec( &a->acl_attrval_re, val->bv_val, 0, NULL, 0 ) ) + if ( regexec ( &a->acl_attrval_re, + val->bv_val, + matches->val_count, + matches->val_data, 0 ) ) { continue; } @@ -881,13 +655,13 @@ slap_acl_get( if ( a->acl_attrs[0].an_desc->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName ) { if (value_match( &match, desc, - /* desc->ad_type->sat_equality */ a->acl_attrval_mr, 0, + a->acl_attrval_mr, 0, val, &a->acl_attrval, &text ) != LDAP_SUCCESS || match ) continue; } else { - int patlen, vdnlen; + ber_len_t patlen, vdnlen; patlen = a->acl_attrval.bv_len; vdnlen = val->bv_len; @@ -900,13 +674,13 @@ slap_acl_get( continue; } else if ( a->acl_attrval_style == ACL_STYLE_ONE ) { - int rdnlen = -1; + ber_len_t rdnlen = 0; if ( !DN_SEPARATOR( val->bv_val[vdnlen - patlen - 1] ) ) continue; rdnlen = dn_rdnlen( NULL, val ); - if ( rdnlen != vdnlen - patlen - 1 ) + if ( rdnlen + patlen + 1 != vdnlen ) continue; } else if ( a->acl_attrval_style == ACL_STYLE_SUBTREE ) { @@ -921,7 +695,7 @@ slap_acl_get( continue; } - if ( strcmp( a->acl_attrval.bv_val, val->bv_val + vdnlen - patlen )) + if ( strcmp( a->acl_attrval.bv_val, val->bv_val + vdnlen - patlen ) ) continue; } } @@ -939,18 +713,35 @@ slap_acl_get( return a; } + if ( !state->as_fe_done ) { + state->as_fe_done = 1; + a = frontendDB->be_acl; + goto retry; + } + Debug( LDAP_DEBUG_ACL, "<= acl_get: done.\n", 0, 0, 0 ); return( NULL ); } +/* + * Record value-dependent access control state + */ +#define ACL_RECORD_VALUE_STATE do { \ + if( state && !( state->as_recorded & ACL_STATE_RECORDED_VD )) { \ + state->as_recorded |= ACL_STATE_RECORDED_VD; \ + state->as_vd_acl = a; \ + state->as_vd_acl_count = count; \ + } \ + } while( 0 ) + static int acl_mask_dn( Operation *op, Entry *e, + struct berval *val, AccessControl *a, - int nmatch, - regmatch_t *matches, - slap_dn_access *b, + AclRegexMatches *matches, + slap_dn_access *bdn, struct berval *opndn ) { /* @@ -962,19 +753,20 @@ acl_mask_dn( * NOTE: styles "anonymous", "users" and "self" * have been moved to enum slap_style_t, whose * value is set in a_dn_style; however, the string - * is maintaned in a_dn_pat. + * is maintained in a_dn_pat. */ - if ( b->a_style == ACL_STYLE_ANONYMOUS ) { + + if ( bdn->a_style == ACL_STYLE_ANONYMOUS ) { if ( !BER_BVISEMPTY( opndn ) ) { return 1; } - } else if ( b->a_style == ACL_STYLE_USERS ) { + } else if ( bdn->a_style == ACL_STYLE_USERS ) { if ( BER_BVISEMPTY( opndn ) ) { return 1; } - } else if ( b->a_style == ACL_STYLE_SELF ) { + } else if ( bdn->a_style == ACL_STYLE_SELF ) { struct berval ndn, selfndn; int level; @@ -982,7 +774,7 @@ acl_mask_dn( return 1; } - level = b->a_self_level; + level = bdn->a_self_level; if ( level < 0 ) { selfndn = *opndn; ndn = e->e_nname; @@ -1005,37 +797,40 @@ acl_mask_dn( return 1; } - } else if ( b->a_style == ACL_STYLE_REGEX ) { - if ( !ber_bvccmp( &b->a_pat, '*' ) ) { - int tmp_nmatch; - regmatch_t tmp_matches[2], - *tmp_matchesp = tmp_matches; - + } else if ( bdn->a_style == ACL_STYLE_REGEX ) { + if ( !ber_bvccmp( &bdn->a_pat, '*' ) ) { + AclRegexMatches tmp_matches, + *tmp_matchesp = &tmp_matches; int rc = 0; + regmatch_t *tmp_data; + + MATCHES_MEMSET( &tmp_matches ); + tmp_data = &tmp_matches.dn_data[0]; - switch ( a->acl_dn_style ) { + if ( a->acl_attrval_style == ACL_STYLE_REGEX ) + tmp_matchesp = matches; + else switch ( a->acl_dn_style ) { case ACL_STYLE_REGEX: if ( !BER_BVISNULL( &a->acl_dn_pat ) ) { - tmp_matchesp = matches; - tmp_nmatch = nmatch; + tmp_matchesp = matches; break; } /* FALLTHRU: applies also to ACL_STYLE_REGEX when pattern is "*" */ case ACL_STYLE_BASE: - tmp_matches[0].rm_so = 0; - tmp_matches[0].rm_eo = e->e_nname.bv_len; - tmp_nmatch = 1; + tmp_data[0].rm_so = 0; + tmp_data[0].rm_eo = e->e_nname.bv_len; + tmp_matches.dn_count = 1; break; case ACL_STYLE_ONE: case ACL_STYLE_SUBTREE: case ACL_STYLE_CHILDREN: - tmp_matches[0].rm_so = 0; - tmp_matches[0].rm_eo = e->e_nname.bv_len; - tmp_matches[1].rm_so = e->e_nname.bv_len - a->acl_dn_pat.bv_len; - tmp_matches[1].rm_eo = e->e_nname.bv_len; - tmp_nmatch = 2; + tmp_data[0].rm_so = 0; + tmp_data[0].rm_eo = e->e_nname.bv_len; + tmp_data[1].rm_so = e->e_nname.bv_len - a->acl_dn_pat.bv_len; + tmp_data[1].rm_eo = e->e_nname.bv_len; + tmp_matches.dn_count = 2; break; default: @@ -1048,8 +843,8 @@ acl_mask_dn( return 1; } - if ( !regex_matches( &b->a_pat, opndn->bv_val, - e->e_ndn, tmp_nmatch, tmp_matchesp ) ) + if ( !regex_matches( &bdn->a_pat, opndn->bv_val, + &e->e_nname, NULL, tmp_matchesp ) ) { return 1; } @@ -1063,42 +858,46 @@ acl_mask_dn( if ( e->e_dn == NULL ) return 1; - if ( b->a_expand ) { + if ( bdn->a_expand ) { struct berval bv; char buf[ACL_BUF_SIZE]; - int tmp_nmatch; - regmatch_t tmp_matches[2], - *tmp_matchesp = tmp_matches; - + AclRegexMatches tmp_matches, + *tmp_matchesp = &tmp_matches; int rc = 0; + regmatch_t *tmp_data; + + MATCHES_MEMSET( &tmp_matches ); + tmp_data = &tmp_matches.dn_data[0]; bv.bv_len = sizeof( buf ) - 1; bv.bv_val = buf; - switch ( a->acl_dn_style ) { + /* Expand value regex */ + if ( a->acl_attrval_style == ACL_STYLE_REGEX ) + tmp_matchesp = matches; + else switch ( a->acl_dn_style ) { case ACL_STYLE_REGEX: if ( !BER_BVISNULL( &a->acl_dn_pat ) ) { tmp_matchesp = matches; - tmp_nmatch = nmatch; break; } /* FALLTHRU: applies also to ACL_STYLE_REGEX when pattern is "*" */ case ACL_STYLE_BASE: - tmp_matches[0].rm_so = 0; - tmp_matches[0].rm_eo = e->e_nname.bv_len; - tmp_nmatch = 1; + tmp_data[0].rm_so = 0; + tmp_data[0].rm_eo = e->e_nname.bv_len; + tmp_matches.dn_count = 1; break; case ACL_STYLE_ONE: case ACL_STYLE_SUBTREE: case ACL_STYLE_CHILDREN: - tmp_matches[0].rm_so = 0; - tmp_matches[0].rm_eo = e->e_nname.bv_len; - tmp_matches[1].rm_so = e->e_nname.bv_len - a->acl_dn_pat.bv_len; - tmp_matches[1].rm_eo = e->e_nname.bv_len; - tmp_nmatch = 2; + tmp_data[0].rm_so = 0; + tmp_data[0].rm_eo = e->e_nname.bv_len; + tmp_data[1].rm_so = e->e_nname.bv_len - a->acl_dn_pat.bv_len; + tmp_data[1].rm_eo = e->e_nname.bv_len; + tmp_matches.dn_count = 2; break; default: @@ -1111,9 +910,9 @@ acl_mask_dn( return 1; } - if ( string_expand( &bv, &b->a_pat, - e->e_nname.bv_val, - tmp_nmatch, tmp_matchesp ) ) + if ( acl_string_expand( &bv, &bdn->a_pat, + &e->e_nname, + val, tmp_matchesp ) ) { return 1; } @@ -1127,7 +926,7 @@ acl_mask_dn( } } else { - pat = b->a_pat; + pat = bdn->a_pat; } patlen = pat.bv_len; @@ -1137,14 +936,14 @@ acl_mask_dn( } - if ( b->a_style == ACL_STYLE_BASE ) { + if ( bdn->a_style == ACL_STYLE_BASE ) { /* base dn -- entire object DN must match */ if ( odnlen != patlen ) { goto dn_match_cleanup; } - } else if ( b->a_style == ACL_STYLE_ONE ) { - int rdnlen = -1; + } else if ( bdn->a_style == ACL_STYLE_ONE ) { + ber_len_t rdnlen = 0; if ( odnlen <= patlen ) { goto dn_match_cleanup; @@ -1155,16 +954,16 @@ acl_mask_dn( } rdnlen = dn_rdnlen( NULL, opndn ); - if ( rdnlen != odnlen - patlen - 1 ) { + if ( rdnlen - ( odnlen - patlen - 1 ) != 0 ) { goto dn_match_cleanup; } - } else if ( b->a_style == ACL_STYLE_SUBTREE ) { + } else if ( bdn->a_style == ACL_STYLE_SUBTREE ) { if ( odnlen > patlen && !DN_SEPARATOR( opndn->bv_val[odnlen - patlen - 1] ) ) { goto dn_match_cleanup; } - } else if ( b->a_style == ACL_STYLE_CHILDREN ) { + } else if ( bdn->a_style == ACL_STYLE_CHILDREN ) { if ( odnlen <= patlen ) { goto dn_match_cleanup; } @@ -1173,9 +972,9 @@ acl_mask_dn( goto dn_match_cleanup; } - } else if ( b->a_style == ACL_STYLE_LEVEL ) { - int level; - struct berval ndn; + } else if ( bdn->a_style == ACL_STYLE_LEVEL ) { + int level = bdn->a_level; + struct berval ndn; if ( odnlen <= patlen ) { goto dn_match_cleanup; @@ -1186,7 +985,6 @@ acl_mask_dn( goto dn_match_cleanup; } - level = b->a_level; ndn = *opndn; for ( ; level > 0; level-- ) { if ( BER_BVISEMPTY( &ndn ) ) { @@ -1206,7 +1004,7 @@ acl_mask_dn( got_match = !strcmp( pat.bv_val, &opndn->bv_val[ odnlen - patlen ] ); dn_match_cleanup:; - if ( pat.bv_val != b->a_pat.bv_val ) { + if ( pat.bv_val != bdn->a_pat.bv_val ) { slap_sl_free( pat.bv_val, op->o_tmpmemctx ); } @@ -1218,30 +1016,12 @@ dn_match_cleanup:; return 0; } -/* - * Record value-dependent access control state - */ -#define ACL_RECORD_VALUE_STATE do { \ - if( state && !( state->as_recorded & ACL_STATE_RECORDED_VD )) { \ - state->as_recorded |= ACL_STATE_RECORDED_VD; \ - state->as_vd_acl = a; \ - AC_MEMCPY( state->as_vd_acl_matches, matches, \ - sizeof( state->as_vd_acl_matches )) ; \ - state->as_vd_acl_count = count; \ - state->as_vd_access = b; \ - state->as_vd_access_count = i; \ - } \ - } while( 0 ) - static int acl_mask_dnattr( Operation *op, Entry *e, struct berval *val, AccessControl *a, - Access *b, - int i, - regmatch_t *matches, int count, AccessControlState *state, slap_dn_access *bdn, @@ -1267,11 +1047,10 @@ acl_mask_dnattr( at != NULL; at = attrs_find( at->a_next, bdn->a_at ) ) { - if ( value_find_ex( bdn->a_at, + if ( attr_valfind( at, SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH | SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH, - at->a_nvals, - &bv, op->o_tmpmemctx ) == 0 ) + &bv, NULL, op->o_tmpmemctx ) == 0 ) { /* found it */ match = 1; @@ -1304,7 +1083,7 @@ acl_mask_dnattr( return 1; ACL_RECORD_VALUE_STATE; - + /* this is a self clause, check if the target is an * attribute. */ @@ -1344,20 +1123,20 @@ slap_acl_mask( Entry *e, AttributeDescription *desc, struct berval *val, - int nmatch, - regmatch_t *matches, + AclRegexMatches *matches, int count, - AccessControlState *state ) + AccessControlState *state, + slap_access_t access ) { int i; - Access *b; + Access *b; #ifdef LDAP_DEBUG - char accessmaskbuf[ACCESSMASK_MAXLEN]; -#if !defined( SLAP_DYNACL ) && defined( SLAPD_ACI_ENABLED ) - char accessmaskbuf1[ACCESSMASK_MAXLEN]; -#endif /* !SLAP_DYNACL && SLAPD_ACI_ENABLED */ + char accessmaskbuf[ACCESSMASK_MAXLEN]; #endif /* DEBUG */ - const char *attr; + const char *attr; +#ifdef SLAP_DYNACL + slap_mask_t a2pmask = ACL_ACCESS2PRIV( access ); +#endif /* SLAP_DYNACL */ assert( a != NULL ); assert( mask != NULL ); @@ -1378,16 +1157,8 @@ slap_acl_mask( accessmask2str( *mask, accessmaskbuf, 1 ) ); - if( state && ( state->as_recorded & ACL_STATE_RECORDED_VD ) - && state->as_vd_acl == a ) - { - b = state->as_vd_access; - i = state->as_vd_access_count; - - } else { - b = a->acl_access; - i = 1; - } + b = a->acl_access; + i = 1; for ( ; b != NULL; b = b->a_next, i++ ) { slap_mask_t oldmask, modmask; @@ -1407,10 +1178,10 @@ slap_acl_mask( * NOTE: styles "anonymous", "users" and "self" * have been moved to enum slap_style_t, whose * value is set in a_dn_style; however, the string - * is maintaned in a_dn_pat. + * is maintained in a_dn_pat. */ - if ( acl_mask_dn( op, e, a, nmatch, matches, + if ( acl_mask_dn( op, e, val, a, matches, &b->a_dn, &op->o_ndn ) ) { continue; @@ -1431,7 +1202,7 @@ slap_acl_mask( * NOTE: styles "anonymous", "users" and "self" * have been moved to enum slap_style_t, whose * value is set in a_dn_style; however, the string - * is maintaned in a_dn_pat. + * is maintained in a_dn_pat. */ if ( op->o_conn && !BER_BVISNULL( &op->o_conn->c_ndn ) ) @@ -1441,7 +1212,7 @@ slap_acl_mask( ndn = op->o_ndn; } - if ( acl_mask_dn( op, e, a, nmatch, matches, + if ( acl_mask_dn( op, e, val, a, matches, &b->a_realdn, &ndn ) ) { continue; @@ -1457,8 +1228,8 @@ slap_acl_mask( if ( !ber_bvccmp( &b->a_sockurl_pat, '*' ) ) { if ( b->a_sockurl_style == ACL_STYLE_REGEX) { - if (!regex_matches( &b->a_sockurl_pat, op->o_conn->c_listener_url.bv_val, - e->e_ndn, nmatch, matches ) ) + if ( !regex_matches( &b->a_sockurl_pat, op->o_conn->c_listener_url.bv_val, + &e->e_nname, val, matches ) ) { continue; } @@ -1469,8 +1240,7 @@ slap_acl_mask( bv.bv_len = sizeof( buf ) - 1; bv.bv_val = buf; - if ( string_expand( &bv, &b->a_sockurl_pat, - e->e_ndn, nmatch, matches ) ) + if ( acl_string_expand( &bv, &b->a_sockurl_pat, &e->e_nname, val, matches ) ) { continue; } @@ -1497,8 +1267,8 @@ slap_acl_mask( b->a_domain_pat.bv_val, 0, 0 ); if ( !ber_bvccmp( &b->a_domain_pat, '*' ) ) { if ( b->a_domain_style == ACL_STYLE_REGEX) { - if (!regex_matches( &b->a_domain_pat, op->o_conn->c_peer_domain.bv_val, - e->e_ndn, nmatch, matches ) ) + if ( !regex_matches( &b->a_domain_pat, op->o_conn->c_peer_domain.bv_val, + &e->e_nname, val, matches ) ) { continue; } @@ -1514,8 +1284,7 @@ slap_acl_mask( bv.bv_len = sizeof(buf) - 1; bv.bv_val = buf; - if ( string_expand(&bv, &b->a_domain_pat, - e->e_ndn, nmatch, matches) ) + if ( acl_string_expand(&bv, &b->a_domain_pat, &e->e_nname, val, matches) ) { continue; } @@ -1552,8 +1321,8 @@ slap_acl_mask( b->a_peername_pat.bv_val, 0, 0 ); if ( !ber_bvccmp( &b->a_peername_pat, '*' ) ) { if ( b->a_peername_style == ACL_STYLE_REGEX ) { - if (!regex_matches( &b->a_peername_pat, op->o_conn->c_peer_name.bv_val, - e->e_ndn, nmatch, matches ) ) + if ( !regex_matches( &b->a_peername_pat, op->o_conn->c_peer_name.bv_val, + &e->e_nname, val, matches ) ) { continue; } @@ -1571,8 +1340,7 @@ slap_acl_mask( bv.bv_len = sizeof( buf ) - 1; bv.bv_val = buf; - if ( string_expand( &bv, &b->a_peername_pat, - e->e_ndn, nmatch, matches ) ) + if ( acl_string_expand( &bv, &b->a_peername_pat, &e->e_nname, val, matches ) ) { continue; } @@ -1584,26 +1352,24 @@ slap_acl_mask( /* extract IP and try exact match */ } else if ( b->a_peername_style == ACL_STYLE_IP ) { char *port; - char buf[] = "255.255.255.255"; + char buf[STRLENOF("255.255.255.255") + 1]; struct berval ip; unsigned long addr; int port_number = -1; if ( strncasecmp( op->o_conn->c_peer_name.bv_val, - aci_bv_ip_eq.bv_val, aci_bv_ip_eq.bv_len ) != 0 ) + acl_bv_ip_eq.bv_val, + acl_bv_ip_eq.bv_len ) != 0 ) continue; - ip.bv_val = op->o_conn->c_peer_name.bv_val + aci_bv_ip_eq.bv_len; - ip.bv_len = op->o_conn->c_peer_name.bv_len - aci_bv_ip_eq.bv_len; + ip.bv_val = op->o_conn->c_peer_name.bv_val + acl_bv_ip_eq.bv_len; + ip.bv_len = op->o_conn->c_peer_name.bv_len - acl_bv_ip_eq.bv_len; port = strrchr( ip.bv_val, ':' ); if ( port ) { - char *next; - ip.bv_len = port - ip.bv_val; ++port; - port_number = strtol( port, &next, 10 ); - if ( next[0] != '\0' ) + if ( lutil_atoi( &port_number, port ) != 0 ) continue; } @@ -1627,17 +1393,64 @@ slap_acl_mask( if ( (addr & b->a_peername_mask) != b->a_peername_addr ) continue; +#ifdef LDAP_PF_INET6 + /* extract IPv6 and try exact match */ + } else if ( b->a_peername_style == ACL_STYLE_IPV6 ) { + char *port; + char buf[STRLENOF("FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF") + 1]; + struct berval ip; + struct in6_addr addr; + int port_number = -1; + + if ( strncasecmp( op->o_conn->c_peer_name.bv_val, + acl_bv_ipv6_eq.bv_val, + acl_bv_ipv6_eq.bv_len ) != 0 ) + continue; + + ip.bv_val = op->o_conn->c_peer_name.bv_val + acl_bv_ipv6_eq.bv_len; + ip.bv_len = op->o_conn->c_peer_name.bv_len - acl_bv_ipv6_eq.bv_len; + + port = strrchr( ip.bv_val, ']' ); + if ( port ) { + ip.bv_len = port - ip.bv_val; + ++port; + if ( port[0] == ':' && lutil_atoi( &port_number, ++port ) != 0 ) + continue; + } + + /* the port check can be anticipated here */ + if ( b->a_peername_port != -1 && port_number != b->a_peername_port ) + continue; + + /* address longer than expected? */ + if ( ip.bv_len >= sizeof(buf) ) + continue; + + AC_MEMCPY( buf, ip.bv_val, ip.bv_len ); + buf[ ip.bv_len ] = '\0'; + + if ( inet_pton( AF_INET6, buf, &addr ) != 1 ) + continue; + + /* check mask */ + if ( !slap_addr6_mask( &addr, &b->a_peername_mask6, &b->a_peername_addr6 ) ) + continue; +#endif /* LDAP_PF_INET6 */ + #ifdef LDAP_PF_LOCAL /* extract path and try exact match */ } else if ( b->a_peername_style == ACL_STYLE_PATH ) { struct berval path; if ( strncmp( op->o_conn->c_peer_name.bv_val, - aci_bv_path_eq.bv_val, aci_bv_path_eq.bv_len ) != 0 ) + acl_bv_path_eq.bv_val, + acl_bv_path_eq.bv_len ) != 0 ) continue; - path.bv_val = op->o_conn->c_peer_name.bv_val + aci_bv_path_eq.bv_len; - path.bv_len = op->o_conn->c_peer_name.bv_len - aci_bv_path_eq.bv_len; + path.bv_val = op->o_conn->c_peer_name.bv_val + + acl_bv_path_eq.bv_len; + path.bv_len = op->o_conn->c_peer_name.bv_len + - acl_bv_path_eq.bv_len; if ( ber_bvcmp( &b->a_peername_pat, &path ) != 0 ) continue; @@ -1660,8 +1473,8 @@ slap_acl_mask( b->a_sockname_pat.bv_val, 0, 0 ); if ( !ber_bvccmp( &b->a_sockname_pat, '*' ) ) { if ( b->a_sockname_style == ACL_STYLE_REGEX) { - if (!regex_matches( &b->a_sockname_pat, op->o_conn->c_sock_name.bv_val, - e->e_ndn, nmatch, matches ) ) + if ( !regex_matches( &b->a_sockname_pat, op->o_conn->c_sock_name.bv_val, + &e->e_nname, val, matches ) ) { continue; } @@ -1672,8 +1485,7 @@ slap_acl_mask( bv.bv_len = sizeof( buf ) - 1; bv.bv_val = buf; - if ( string_expand( &bv, &b->a_sockname_pat, - e->e_ndn, nmatch, matches ) ) + if ( acl_string_expand( &bv, &b->a_sockname_pat, &e->e_nname, val, matches ) ) { continue; } @@ -1691,8 +1503,8 @@ slap_acl_mask( } if ( b->a_dn_at != NULL ) { - if ( acl_mask_dnattr( op, e, val, a, b, i, - matches, count, state, + if ( acl_mask_dnattr( op, e, val, a, + count, state, &b->a_dn, &op->o_ndn ) ) { continue; @@ -1709,8 +1521,8 @@ slap_acl_mask( ndn = op->o_ndn; } - if ( acl_mask_dnattr( op, e, val, a, b, i, - matches, count, state, + if ( acl_mask_dnattr( op, e, val, a, + count, state, &b->a_realdn, &ndn ) ) { continue; @@ -1726,6 +1538,9 @@ slap_acl_mask( continue; } + Debug( LDAP_DEBUG_ACL, "<= check a_group_pat: %s\n", + b->a_group_pat.bv_val, 0, 0 ); + /* b->a_group is an unexpanded entry name, expanded it should be an * entry with objectclass group* and we test to see if odn is one of * the values in the attribute group @@ -1733,38 +1548,43 @@ slap_acl_mask( /* see if asker is listed in dnattr */ if ( b->a_group_style == ACL_STYLE_EXPAND ) { char buf[ACL_BUF_SIZE]; - int tmp_nmatch; - regmatch_t tmp_matches[2], - *tmp_matchesp = tmp_matches; + AclRegexMatches tmp_matches, + *tmp_matchesp = &tmp_matches; + regmatch_t *tmp_data; + + MATCHES_MEMSET( &tmp_matches ); + tmp_data = &tmp_matches.dn_data[0]; bv.bv_len = sizeof(buf) - 1; bv.bv_val = buf; rc = 0; - switch ( a->acl_dn_style ) { + if ( a->acl_attrval_style == ACL_STYLE_REGEX ) + tmp_matchesp = matches; + else switch ( a->acl_dn_style ) { case ACL_STYLE_REGEX: if ( !BER_BVISNULL( &a->acl_dn_pat ) ) { tmp_matchesp = matches; - tmp_nmatch = nmatch; break; } /* FALLTHRU: applies also to ACL_STYLE_REGEX when pattern is "*" */ case ACL_STYLE_BASE: - tmp_matches[0].rm_so = 0; - tmp_matches[0].rm_eo = e->e_nname.bv_len; - tmp_nmatch = 1; + tmp_data[0].rm_so = 0; + tmp_data[0].rm_eo = e->e_nname.bv_len; + tmp_matches.dn_count = 1; break; case ACL_STYLE_ONE: case ACL_STYLE_SUBTREE: case ACL_STYLE_CHILDREN: - tmp_matches[0].rm_so = 0; - tmp_matches[0].rm_eo = e->e_nname.bv_len; - tmp_matches[1].rm_so = e->e_nname.bv_len - a->acl_dn_pat.bv_len; - tmp_matches[1].rm_eo = e->e_nname.bv_len; - tmp_nmatch = 2; + tmp_data[0].rm_so = 0; + tmp_data[0].rm_eo = e->e_nname.bv_len; + + tmp_data[1].rm_so = e->e_nname.bv_len - a->acl_dn_pat.bv_len; + tmp_data[1].rm_eo = e->e_nname.bv_len; + tmp_matches.dn_count = 2; break; default: @@ -1777,9 +1597,9 @@ slap_acl_mask( continue; } - if ( string_expand( &bv, &b->a_group_pat, - e->e_nname.bv_val, - tmp_nmatch, tmp_matchesp ) ) + if ( acl_string_expand( &bv, &b->a_group_pat, + &e->e_nname, val, + tmp_matchesp ) ) { continue; } @@ -1813,40 +1633,46 @@ slap_acl_mask( struct berval bv; char buf[ACL_BUF_SIZE]; + Debug( LDAP_DEBUG_ACL, "<= check a_set_pat: %s\n", + b->a_set_pat.bv_val, 0, 0 ); + if ( b->a_set_style == ACL_STYLE_EXPAND ) { - int tmp_nmatch; - regmatch_t tmp_matches[2], - *tmp_matchesp = tmp_matches; + AclRegexMatches tmp_matches, + *tmp_matchesp = &tmp_matches; int rc = 0; + regmatch_t *tmp_data; + + MATCHES_MEMSET( &tmp_matches ); + tmp_data = &tmp_matches.dn_data[0]; bv.bv_len = sizeof( buf ) - 1; bv.bv_val = buf; rc = 0; - switch ( a->acl_dn_style ) { + if ( a->acl_attrval_style == ACL_STYLE_REGEX ) + tmp_matchesp = matches; + else switch ( a->acl_dn_style ) { case ACL_STYLE_REGEX: if ( !BER_BVISNULL( &a->acl_dn_pat ) ) { tmp_matchesp = matches; - tmp_nmatch = nmatch; break; } /* FALLTHRU: applies also to ACL_STYLE_REGEX when pattern is "*" */ case ACL_STYLE_BASE: - tmp_matches[0].rm_so = 0; - tmp_matches[0].rm_eo = e->e_nname.bv_len; - tmp_nmatch = 1; + tmp_data[0].rm_so = 0; + tmp_data[0].rm_eo = e->e_nname.bv_len; + tmp_matches.dn_count = 1; break; case ACL_STYLE_ONE: case ACL_STYLE_SUBTREE: case ACL_STYLE_CHILDREN: - tmp_matches[0].rm_so = 0; - tmp_matches[0].rm_eo = e->e_nname.bv_len; - tmp_matches[1].rm_so = e->e_nname.bv_len - a->acl_dn_pat.bv_len; - tmp_matches[1].rm_eo = e->e_nname.bv_len; - tmp_nmatch = 2; + tmp_data[0].rm_so = 0; + tmp_data[0].rm_eo = e->e_nname.bv_len; + tmp_data[1].rm_so = e->e_nname.bv_len - a->acl_dn_pat.bv_len; + tmp_data[1].rm_eo = e->e_nname.bv_len; tmp_matches.dn_count = 2; break; default: @@ -1859,9 +1685,9 @@ slap_acl_mask( continue; } - if ( string_expand( &bv, &b->a_set_pat, - e->e_nname.bv_val, - tmp_nmatch, tmp_matchesp ) ) + if ( acl_string_expand( &bv, &b->a_set_pat, + &e->e_nname, val, + tmp_matchesp ) ) { continue; } @@ -1870,7 +1696,7 @@ slap_acl_mask( bv = b->a_set_pat; } - if ( aci_match_set( &bv, op, e, 0 ) == 0 ) { + if ( acl_match_set( &bv, op, e, NULL ) == 0 ) { continue; } } @@ -1910,35 +1736,77 @@ slap_acl_mask( } } + /* check for the "self" modifier in the field */ + if ( b->a_dn.a_self ) { + const char *dummy; + int rc, match = 0; + + ACL_RECORD_VALUE_STATE; + + /* must have DN syntax */ + if ( desc->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName && + !is_at_syntax( desc->ad_type, SLAPD_NAMEUID_SYNTAX )) continue; + + /* check if the target is an attribute. */ + if ( val == NULL ) continue; + + /* a DN must be present */ + if ( BER_BVISEMPTY( &op->o_ndn ) ) { + continue; + } + + /* target is attribute, check if the attribute value + * is the op dn. + */ + rc = value_match( &match, desc, + desc->ad_type->sat_equality, 0, + val, &op->o_ndn, &dummy ); + /* on match error or no match, fail the ACL clause */ + if ( rc != LDAP_SUCCESS || match != 0 ) + continue; + } + #ifdef SLAP_DYNACL if ( b->a_dynacl ) { slap_dynacl_t *da; slap_access_t tgrant, tdeny; + Debug( LDAP_DEBUG_ACL, "<= check a_dynacl\n", + 0, 0, 0 ); + /* this case works different from the others above. - * since aci's themselves give permissions, we need + * since dynamic ACL's themselves give permissions, we need * to first check b->a_access_mask, the ACL's access level. */ - if ( BER_BVISEMPTY( &e->e_nname ) ) { - /* no ACIs in the root DSE */ - continue; - } - /* first check if the right being requested * is allowed by the ACL clause. */ - if ( ! ACL_GRANT( b->a_access_mask, *mask ) ) { + if ( ! ACL_PRIV_ISSET( b->a_access_mask, a2pmask ) ) { continue; } /* start out with nothing granted, nothing denied */ - ACL_INIT(tgrant); - ACL_INIT(tdeny); + ACL_INVALIDATE(tgrant); + ACL_INVALIDATE(tdeny); for ( da = b->a_dynacl; da; da = da->da_next ) { - slap_access_t grant, deny; + slap_access_t grant, + deny; + + ACL_INVALIDATE(grant); + ACL_INVALIDATE(deny); - (void)( *da->da_mask )( da->da_private, op, e, desc, val, nmatch, matches, &grant, &deny ); + Debug( LDAP_DEBUG_ACL, " <= check a_dynacl: %s\n", + da->da_name, 0, 0 ); + + /* + * XXXmanu Only DN matches are supplied + * sending attribute values matches require + * an API update + */ + (void)da->da_mask( da->da_private, op, e, desc, + val, matches->dn_count, matches->dn_data, + &grant, &deny ); tgrant |= grant; tdeny |= deny; @@ -1972,161 +1840,7 @@ slap_acl_mask( } } else -#else /* !SLAP_DYNACL */ - -#ifdef SLAPD_ACI_ENABLED - if ( b->a_aci_at != NULL ) { - Attribute *at; - slap_access_t grant, deny, tgrant, tdeny; - struct berval parent_ndn; - BerVarray bvals = NULL; - int ret, stop; - - /* this case works different from the others above. - * since aci's themselves give permissions, we need - * to first check b->a_access_mask, the ACL's access level. - */ - - if ( BER_BVISEMPTY( &e->e_nname ) ) { - /* no ACIs in the root DSE */ - continue; - } - - /* first check if the right being requested - * is allowed by the ACL clause. - */ - if ( ! ACL_GRANT( b->a_access_mask, *mask ) ) { - continue; - } - /* start out with nothing granted, nothing denied */ - ACL_INIT(tgrant); - ACL_INIT(tdeny); - - /* get the aci attribute */ - at = attr_find( e->e_attrs, b->a_aci_at ); - if ( at != NULL ) { -#if 0 - /* FIXME: this breaks acl caching; - * see also ACL_RECORD_VALUE_STATE below */ - ACL_RECORD_VALUE_STATE; -#endif - /* the aci is an multi-valued attribute. The - * rights are determined by OR'ing the individual - * rights given by the acis. - */ - for ( i = 0; !BER_BVISNULL( &at->a_nvals[i] ); i++ ) { - if (aci_mask( op, - e, desc, val, - &at->a_nvals[i], - nmatch, matches, - &grant, &deny, SLAP_ACI_SCOPE_ENTRY ) != 0) - { - tgrant |= grant; - tdeny |= deny; - } - } - Debug(LDAP_DEBUG_ACL, "<= aci_mask grant %s deny %s\n", - accessmask2str(tgrant, accessmaskbuf, 1), - accessmask2str(tdeny, accessmaskbuf1, 1), 0); - - } - /* If the entry level aci didn't contain anything valid for the - * current operation, climb up the tree and evaluate the - * acis with scope set to subtree - */ - if ( (tgrant == ACL_PRIV_NONE) && (tdeny == ACL_PRIV_NONE) ) { - dnParent( &e->e_nname, &parent_ndn ); - while ( !BER_BVISEMPTY( &parent_ndn ) ) { - Debug(LDAP_DEBUG_ACL, "checking ACI of %s\n", parent_ndn.bv_val, 0, 0); - ret = backend_attribute(op, NULL, &parent_ndn, b->a_aci_at, &bvals, ACL_AUTH); - switch(ret){ - case LDAP_SUCCESS : - stop = 0; - if (!bvals){ - break; - } - - for( i = 0; bvals[i].bv_val != NULL; i++){ -#if 0 - /* FIXME: this breaks acl caching; - * see also ACL_RECORD_VALUE_STATE above */ - ACL_RECORD_VALUE_STATE; -#endif - if (aci_mask(op, e, desc, val, &bvals[i], - nmatch, matches, - &grant, &deny, SLAP_ACI_SCOPE_CHILDREN ) != 0 ) - { - tgrant |= grant; - tdeny |= deny; - /* evaluation stops as soon as either a "deny" or a - * "grant" directive matches. - */ - if( (tgrant != ACL_PRIV_NONE) || (tdeny != ACL_PRIV_NONE) ){ - stop = 1; - } - } - Debug(LDAP_DEBUG_ACL, "<= aci_mask grant %s deny %s\n", - accessmask2str(tgrant, accessmaskbuf, 1), - accessmask2str(tdeny, accessmaskbuf1, 1), 0); - } - break; - - case LDAP_NO_SUCH_ATTRIBUTE: - /* just go on if the aci-Attribute is not present in - * the current entry - */ - Debug(LDAP_DEBUG_ACL, "no such attribute\n", 0, 0, 0); - stop = 0; - break; - - case LDAP_NO_SUCH_OBJECT: - /* We have reached the base object */ - Debug(LDAP_DEBUG_ACL, "no such object\n", 0, 0, 0); - stop = 1; - break; - - default: - stop = 1; - break; - } - if (stop){ - break; - } - dnParent( &parent_ndn, &parent_ndn ); - } - } - - - /* remove anything that the ACL clause does not allow */ - tgrant &= b->a_access_mask & ACL_PRIV_MASK; - tdeny &= ACL_PRIV_MASK; - - /* see if we have anything to contribute */ - if( ACL_IS_INVALID(tgrant) && ACL_IS_INVALID(tdeny) ) { - continue; - } - - /* this could be improved by changing slap_acl_mask so that it can deal with - * by clauses that return grant/deny pairs. Right now, it does either - * additive or subtractive rights, but not both at the same time. So, - * we need to combine the grant/deny pair into a single rights mask in - * a smart way: if either grant or deny is "empty", then we use the - * opposite as is, otherwise we remove any denied rights from the grant - * rights mask and construct an additive mask. - */ - if (ACL_IS_INVALID(tdeny)) { - modmask = tgrant | ACL_PRIV_ADDITIVE; - - } else if (ACL_IS_INVALID(tgrant)) { - modmask = tdeny | ACL_PRIV_SUBSTRACTIVE; - - } else { - modmask = (tgrant & ~tdeny) | ACL_PRIV_ADDITIVE; - } - - } else -#endif /* SLAPD_ACI_ENABLED */ -#endif /* !SLAP_DYNACL */ +#endif /* SLAP_DYNACL */ { modmask = b->a_access_mask; } @@ -2196,8 +1910,7 @@ int acl_check_modlist( Operation *op, Entry *e, - Modifications *mlist -) + Modifications *mlist ) { struct berval *bv; AccessControlState state = ACL_STATE_INIT; @@ -2213,6 +1926,10 @@ acl_check_modlist( } assert( be != NULL ); + /* If ADD attribute checking is not enabled, just allow it */ + if ( op->o_tag == LDAP_REQ_ADD && !SLAP_DBACL_ADD( be )) + return 1; + /* short circuit root database access */ if ( be_isroot( op ) ) { Debug( LDAP_DEBUG_ACL, @@ -2222,7 +1939,7 @@ acl_check_modlist( } /* use backend default access if no backend acls */ - if( op->o_bd != NULL && op->o_bd->be_acl == NULL ) { + if( op->o_bd != NULL && op->o_bd->be_acl == NULL && frontendDB->be_acl == NULL ) { Debug( LDAP_DEBUG_ACL, "=> access_allowed: backend default %s access %s to \"%s\"\n", access2str( ACL_WRITE ), @@ -2249,7 +1966,9 @@ acl_check_modlist( * by ACL_WRITE checking as any found here are not provided * by the user */ - if ( is_at_no_user_mod( mlist->sml_desc->ad_type ) ) { + if ( is_at_no_user_mod( mlist->sml_desc->ad_type ) + && ! ( mlist->sml_flags & SLAP_MOD_MANAGING ) ) + { Debug( LDAP_DEBUG_ACL, "acl: no-user-mod %s:" " modify access granted\n", mlist->sml_desc->ad_cname.bv_val, 0, 0 ); @@ -2258,13 +1977,16 @@ acl_check_modlist( switch ( mlist->sml_op ) { case LDAP_MOD_REPLACE: + case LDAP_MOD_INCREMENT: /* * We must check both permission to delete the whole * attribute and permission to add the specific attributes. * This prevents abuse from selfwriters. */ if ( ! access_allowed( op, e, - mlist->sml_desc, NULL, ACL_WDEL, &state ) ) + mlist->sml_desc, NULL, + ( mlist->sml_flags & SLAP_MOD_MANAGING ) ? ACL_MANAGE : ACL_WDEL, + &state ) ) { ret = 0; goto done; @@ -2282,7 +2004,9 @@ acl_check_modlist( bv->bv_val != NULL; bv++ ) { if ( ! access_allowed( op, e, - mlist->sml_desc, bv, ACL_WADD, &state ) ) + mlist->sml_desc, bv, + ( mlist->sml_flags & SLAP_MOD_MANAGING ) ? ACL_MANAGE : ACL_WADD, + &state ) ) { ret = 0; goto done; @@ -2293,7 +2017,9 @@ acl_check_modlist( case LDAP_MOD_DELETE: if ( mlist->sml_values == NULL ) { if ( ! access_allowed( op, e, - mlist->sml_desc, NULL, ACL_WDEL, NULL ) ) + mlist->sml_desc, NULL, + ( mlist->sml_flags & SLAP_MOD_MANAGING ) ? ACL_MANAGE : ACL_WDEL, + NULL ) ) { ret = 0; goto done; @@ -2305,7 +2031,9 @@ acl_check_modlist( bv->bv_val != NULL; bv++ ) { if ( ! access_allowed( op, e, - mlist->sml_desc, bv, ACL_WDEL, &state ) ) + mlist->sml_desc, bv, + ( mlist->sml_flags & SLAP_MOD_MANAGING ) ? ACL_MANAGE : ACL_WDEL, + &state ) ) { ret = 0; goto done; @@ -2330,8 +2058,8 @@ done: return( ret ); } -static int -aci_get_part( +int +acl_get_part( struct berval *list, int ix, char sep, @@ -2373,15 +2101,15 @@ aci_get_part( return bv->bv_len; } -typedef struct aci_set_gather_t { +typedef struct acl_set_gather_t { SetCookie *cookie; BerVarray bvals; -} aci_set_gather_t; +} acl_set_gather_t; static int -aci_set_cb_gather( Operation *op, SlapReply *rs ) +acl_set_cb_gather( Operation *op, SlapReply *rs ) { - aci_set_gather_t *p = (aci_set_gather_t *)op->o_callback->sc_private; + acl_set_gather_t *p = (acl_set_gather_t *)op->o_callback->sc_private; if ( rs->sr_type == REP_SEARCH ) { BerValue bvals[ 2 ]; @@ -2390,6 +2118,10 @@ aci_set_cb_gather( Operation *op, SlapReply *rs ) for ( j = 0; !BER_BVISNULL( &rs->sr_attrs[ j ].an_name ); j++ ) { AttributeDescription *desc = rs->sr_attrs[ j ].an_desc; + + if ( desc == NULL ) { + continue; + } if ( desc == slap_schema.si_ad_entryDN ) { bvalsp = bvals; @@ -2401,19 +2133,14 @@ aci_set_cb_gather( Operation *op, SlapReply *rs ) a = attr_find( rs->sr_entry->e_attrs, desc ); if ( a != NULL ) { - int i; - - for ( i = 0; !BER_BVISNULL( &a->a_nvals[ i ] ); i++ ) - ; - bvalsp = a->a_nvals; } } - } - if ( bvals ) { - p->bvals = slap_set_join( p->cookie, p->bvals, - ( '|' | SLAP_SET_RREF ), bvalsp ); + if ( bvalsp ) { + p->bvals = slap_set_join( p->cookie, p->bvals, + ( '|' | SLAP_SET_RREF ), bvalsp ); + } } } else { @@ -2424,30 +2151,32 @@ aci_set_cb_gather( Operation *op, SlapReply *rs ) } BerVarray -aci_set_gather( SetCookie *cookie, struct berval *name, AttributeDescription *desc ) +acl_set_gather( SetCookie *cookie, struct berval *name, AttributeDescription *desc ) { - AciSetCookie *cp = (AciSetCookie *)cookie; + AclSetCookie *cp = (AclSetCookie *)cookie; int rc = 0; LDAPURLDesc *ludp = NULL; Operation op2 = { 0 }; SlapReply rs = {REP_RESULT}; AttributeName anlist[ 2 ], *anlistp = NULL; int nattrs = 0; - slap_callback cb = { NULL, aci_set_cb_gather, NULL, NULL }; - aci_set_gather_t p = { 0 }; - const char *text = NULL; - static struct berval defaultFilter_bv = BER_BVC( "(objectClass=*)" ); + slap_callback cb = { NULL, acl_set_cb_gather, NULL, NULL }; + acl_set_gather_t p = { 0 }; /* this routine needs to return the bervals instead of * plain strings, since syntax is not known. It should * also return the syntax or some "comparison cookie". */ if ( strncasecmp( name->bv_val, "ldap:///", STRLENOF( "ldap:///" ) ) != 0 ) { - return aci_set_gather2( cookie, name, desc ); + return acl_set_gather2( cookie, name, desc ); } rc = ldap_url_parse( name->bv_val, &ludp ); if ( rc != LDAP_URL_SUCCESS ) { + Debug( LDAP_DEBUG_TRACE, + "%s acl_set_gather: unable to parse URL=\"%s\"\n", + cp->asc_op->o_log_prefix, name->bv_val, 0 ); + rc = LDAP_PROTOCOL_ERROR; goto url_done; } @@ -2456,6 +2185,10 @@ aci_set_gather( SetCookie *cookie, struct berval *name, AttributeDescription *de { /* host part must be empty */ /* extensions parts must be empty */ + Debug( LDAP_DEBUG_TRACE, + "%s acl_set_gather: host/exts must be absent in URL=\"%s\"\n", + cp->asc_op->o_log_prefix, name->bv_val, 0 ); + rc = LDAP_PROTOCOL_ERROR; goto url_done; } @@ -2463,14 +2196,22 @@ aci_set_gather( SetCookie *cookie, struct berval *name, AttributeDescription *de /* Grab the searchbase and see if an appropriate database can be found */ ber_str2bv( ludp->lud_dn, 0, 0, &op2.o_req_dn ); rc = dnNormalize( 0, NULL, NULL, &op2.o_req_dn, - &op2.o_req_ndn, cp->op->o_tmpmemctx ); + &op2.o_req_ndn, cp->asc_op->o_tmpmemctx ); BER_BVZERO( &op2.o_req_dn ); if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_TRACE, + "%s acl_set_gather: DN=\"%s\" normalize failed\n", + cp->asc_op->o_log_prefix, ludp->lud_dn, 0 ); + goto url_done; } - op2.o_bd = select_backend( &op2.o_req_ndn, 0, 1 ); + op2.o_bd = select_backend( &op2.o_req_ndn, 1 ); if ( ( op2.o_bd == NULL ) || ( op2.o_bd->be_search == NULL ) ) { + Debug( LDAP_DEBUG_TRACE, + "%s acl_set_gather: no database could be selected for DN=\"%s\"\n", + cp->asc_op->o_log_prefix, op2.o_req_ndn.bv_val, 0 ); + rc = LDAP_NO_SUCH_OBJECT; goto url_done; } @@ -2478,36 +2219,47 @@ aci_set_gather( SetCookie *cookie, struct berval *name, AttributeDescription *de /* Grab the filter */ if ( ludp->lud_filter ) { ber_str2bv_x( ludp->lud_filter, 0, 0, &op2.ors_filterstr, - cp->op->o_tmpmemctx ); + cp->asc_op->o_tmpmemctx ); + op2.ors_filter = str2filter_x( cp->asc_op, op2.ors_filterstr.bv_val ); + if ( op2.ors_filter == NULL ) { + Debug( LDAP_DEBUG_TRACE, + "%s acl_set_gather: unable to parse filter=\"%s\"\n", + cp->asc_op->o_log_prefix, op2.ors_filterstr.bv_val, 0 ); + + rc = LDAP_PROTOCOL_ERROR; + goto url_done; + } } else { - op2.ors_filterstr = defaultFilter_bv; + op2.ors_filterstr = *slap_filterstr_objectClass_pres; + op2.ors_filter = (Filter *)slap_filter_objectClass_pres; } - op2.ors_filter = str2filter_x( cp->op, op2.ors_filterstr.bv_val ); - if ( op2.ors_filter == NULL ) { - rc = LDAP_PROTOCOL_ERROR; - goto url_done; - } /* Grab the scope */ op2.ors_scope = ludp->lud_scope; /* Grap the attributes */ if ( ludp->lud_attrs ) { + int i; + for ( ; ludp->lud_attrs[ nattrs ]; nattrs++ ) ; - anlistp = slap_sl_malloc( sizeof( AttributeName ) * ( nattrs + 2 ), - cp->op->o_tmpmemctx ); + anlistp = slap_sl_calloc( sizeof( AttributeName ), nattrs + 2, + cp->asc_op->o_tmpmemctx ); + + for ( i = 0, nattrs = 0; ludp->lud_attrs[ i ]; i++ ) { + struct berval name; + AttributeDescription *desc = NULL; + const char *text = NULL; - for ( ; ludp->lud_attrs[ nattrs ]; nattrs++ ) { - ber_str2bv( ludp->lud_attrs[ nattrs ], 0, 0, &anlistp[ nattrs ].an_name ); - anlistp[ nattrs ].an_desc = NULL; - rc = slap_bv2ad( &anlistp[ nattrs ].an_name, - &anlistp[ nattrs ].an_desc, &text ); - if ( rc != LDAP_SUCCESS ) { - goto url_done; + ber_str2bv( ludp->lud_attrs[ i ], 0, 0, &name ); + rc = slap_bv2ad( &name, &desc, &text ); + if ( rc == LDAP_SUCCESS ) { + anlistp[ nattrs ].an_name = name; + anlistp[ nattrs ].an_desc = desc; + nattrs++; } } @@ -2522,19 +2274,20 @@ aci_set_gather( SetCookie *cookie, struct berval *name, AttributeDescription *de p.cookie = cookie; - op2.o_hdr = cp->op->o_hdr; + op2.o_hdr = cp->asc_op->o_hdr; op2.o_tag = LDAP_REQ_SEARCH; op2.o_ndn = op2.o_bd->be_rootndn; op2.o_callback = &cb; - op2.o_time = slap_get_time(); + slap_op_time( &op2.o_time, &op2.o_tincr ); op2.o_do_not_cache = 1; op2.o_is_auth_check = 0; - ber_dupbv_x( &op2.o_req_dn, &op2.o_req_ndn, cp->op->o_tmpmemctx ); + ber_dupbv_x( &op2.o_req_dn, &op2.o_req_ndn, cp->asc_op->o_tmpmemctx ); op2.ors_slimit = SLAP_NO_LIMIT; op2.ors_tlimit = SLAP_NO_LIMIT; op2.ors_attrs = anlistp; op2.ors_attrsonly = 0; - op2.o_private = cp->op->o_private; + op2.o_private = cp->asc_op->o_private; + op2.o_extra = cp->asc_op->o_extra; cb.sc_private = &p; @@ -2544,29 +2297,29 @@ aci_set_gather( SetCookie *cookie, struct berval *name, AttributeDescription *de } url_done:; - if ( op2.ors_filter ) { - filter_free_x( cp->op, op2.ors_filter ); + if ( op2.ors_filter && op2.ors_filter != slap_filter_objectClass_pres ) { + filter_free_x( cp->asc_op, op2.ors_filter, 1 ); } if ( !BER_BVISNULL( &op2.o_req_ndn ) ) { - slap_sl_free( op2.o_req_ndn.bv_val, cp->op->o_tmpmemctx ); + slap_sl_free( op2.o_req_ndn.bv_val, cp->asc_op->o_tmpmemctx ); } if ( !BER_BVISNULL( &op2.o_req_dn ) ) { - slap_sl_free( op2.o_req_dn.bv_val, cp->op->o_tmpmemctx ); + slap_sl_free( op2.o_req_dn.bv_val, cp->asc_op->o_tmpmemctx ); } if ( ludp ) { ldap_free_urldesc( ludp ); } if ( anlistp && anlistp != anlist ) { - slap_sl_free( anlistp, cp->op->o_tmpmemctx ); + slap_sl_free( anlistp, cp->asc_op->o_tmpmemctx ); } return p.bvals; } BerVarray -aci_set_gather2( SetCookie *cookie, struct berval *name, AttributeDescription *desc ) +acl_set_gather2( SetCookie *cookie, struct berval *name, AttributeDescription *desc ) { - AciSetCookie *cp = (AciSetCookie *)cookie; + AclSetCookie *cp = (AclSetCookie *)cookie; BerVarray bvals = NULL; struct berval ndn; int rc = 0; @@ -2575,57 +2328,56 @@ aci_set_gather2( SetCookie *cookie, struct berval *name, AttributeDescription *d * plain strings, since syntax is not known. It should * also return the syntax or some "comparison cookie". */ - rc = dnNormalize( 0, NULL, NULL, name, &ndn, cp->op->o_tmpmemctx ); + rc = dnNormalize( 0, NULL, NULL, name, &ndn, cp->asc_op->o_tmpmemctx ); if ( rc == LDAP_SUCCESS ) { if ( desc == slap_schema.si_ad_entryDN ) { bvals = (BerVarray)slap_sl_malloc( sizeof( BerValue ) * 2, - cp->op->o_tmpmemctx ); + cp->asc_op->o_tmpmemctx ); bvals[ 0 ] = ndn; BER_BVZERO( &bvals[ 1 ] ); BER_BVZERO( &ndn ); } else { - backend_attribute( cp->op, - cp->e, &ndn, desc, &bvals, ACL_NONE ); + backend_attribute( cp->asc_op, + cp->asc_e, &ndn, desc, &bvals, ACL_NONE ); } if ( !BER_BVISNULL( &ndn ) ) { - slap_sl_free( ndn.bv_val, cp->op->o_tmpmemctx ); + slap_sl_free( ndn.bv_val, cp->asc_op->o_tmpmemctx ); } } return bvals; } -static int -aci_match_set ( +int +acl_match_set ( struct berval *subj, Operation *op, Entry *e, - int setref -) + struct berval *default_set_attribute ) { struct berval set = BER_BVNULL; int rc = 0; - AciSetCookie cookie; + AclSetCookie cookie; - if ( setref == 0 ) { - ber_dupbv_x( &set, subj, op->o_tmpmemctx ); + if ( default_set_attribute == NULL ) { + set = *subj; } else { struct berval subjdn, ndn = BER_BVNULL; struct berval setat; - BerVarray bvals; + BerVarray bvals = NULL; const char *text; AttributeDescription *desc = NULL; /* format of string is "entry/setAttrName" */ - if ( aci_get_part( subj, 0, '/', &subjdn ) < 0 ) { + if ( acl_get_part( subj, 0, '/', &subjdn ) < 0 ) { return 0; } - if ( aci_get_part( subj, 1, '/', &setat ) < 0 ) { - setat = aci_bv_set_attr; + if ( acl_get_part( subj, 1, '/', &setat ) < 0 ) { + setat = *default_set_attribute; } /* @@ -2653,708 +2405,20 @@ aci_match_set ( } if ( !BER_BVISNULL( &set ) ) { - cookie.op = op; - cookie.e = e; - rc = ( slap_set_filter( aci_set_gather, (SetCookie *)&cookie, &set, + cookie.asc_op = op; + cookie.asc_e = e; + rc = ( slap_set_filter( + acl_set_gather, + (SetCookie *)&cookie, &set, &op->o_ndn, &e->e_nname, NULL ) > 0 ); - slap_sl_free( set.bv_val, op->o_tmpmemctx ); - } - - return(rc); -} - -#ifdef SLAPD_ACI_ENABLED -static int -aci_list_map_rights( - struct berval *list ) -{ - struct berval bv; - slap_access_t mask; - int i; - - ACL_INIT(mask); - for (i = 0; aci_get_part(list, i, ',', &bv) >= 0; i++) { - if (bv.bv_len <= 0) - continue; - switch (*bv.bv_val) { - case 'c': - ACL_PRIV_SET(mask, ACL_PRIV_COMPARE); - break; - case 's': - /* **** NOTE: draft-ietf-ldapext-aci-model-0.3.txt defines - * the right 's' to mean "set", but in the examples states - * that the right 's' means "search". The latter definition - * is used here. - */ - ACL_PRIV_SET(mask, ACL_PRIV_SEARCH); - break; - case 'r': - ACL_PRIV_SET(mask, ACL_PRIV_READ); - break; - case 'w': - ACL_PRIV_SET(mask, ACL_PRIV_WRITE); - break; - case 'x': - /* **** NOTE: draft-ietf-ldapext-aci-model-0.3.txt does not - * define any equivalent to the AUTH right, so I've just used - * 'x' for now. - */ - ACL_PRIV_SET(mask, ACL_PRIV_AUTH); - break; - default: - break; - } - - } - return(mask); -} - -static int -aci_list_has_attr( - struct berval *list, - const struct berval *attr, - struct berval *val ) -{ - struct berval bv, left, right; - int i; - - for (i = 0; aci_get_part(list, i, ',', &bv) >= 0; i++) { - if (aci_get_part(&bv, 0, '=', &left) < 0 - || aci_get_part(&bv, 1, '=', &right) < 0) - { - if (ber_bvstrcasecmp(attr, &bv) == 0) - return(1); - } else if (val == NULL) { - if (ber_bvstrcasecmp(attr, &left) == 0) - return(1); - } else { - if (ber_bvstrcasecmp(attr, &left) == 0) { - /* this is experimental code that implements a - * simple (prefix) match of the attribute value. - * the ACI draft does not provide for aci's that - * apply to specific values, but it would be - * nice to have. If the part of an aci's - * rights list is of the form =, - * that means the aci applies only to attrs with - * the given value. Furthermore, if the attr is - * of the form =*, then is - * treated as a prefix, and the aci applies to - * any value with that prefix. - * - * Ideally, this would allow r.e. matches. - */ - if (aci_get_part(&right, 0, '*', &left) < 0 - || right.bv_len <= left.bv_len) - { - if (ber_bvstrcasecmp(val, &right) == 0) - return(1); - } else if (val->bv_len >= left.bv_len) { - if (strncasecmp( val->bv_val, left.bv_val, left.bv_len ) == 0) - return(1); - } - } - } - } - return(0); -} - -static slap_access_t -aci_list_get_attr_rights( - struct berval *list, - const struct berval *attr, - struct berval *val ) -{ - struct berval bv; - slap_access_t mask; - int i; - - /* loop through each rights/attr pair, skip first part (action) */ - ACL_INIT(mask); - for (i = 1; aci_get_part(list, i + 1, ';', &bv) >= 0; i += 2) { - if (aci_list_has_attr(&bv, attr, val) == 0) - continue; - if (aci_get_part(list, i, ';', &bv) < 0) - continue; - mask |= aci_list_map_rights(&bv); - } - return(mask); -} - -static int -aci_list_get_rights( - struct berval *list, - const struct berval *attr, - struct berval *val, - slap_access_t *grant, - slap_access_t *deny ) -{ - struct berval perm, actn; - slap_access_t *mask; - int i, found; - - if (attr == NULL || attr->bv_len == 0 - || ber_bvstrcasecmp( attr, &aci_bv_entry ) == 0) { - attr = &aci_bv_br_entry; - } - - found = 0; - ACL_INIT(*grant); - ACL_INIT(*deny); - /* loop through each permissions clause */ - for (i = 0; aci_get_part(list, i, '$', &perm) >= 0; i++) { - if (aci_get_part(&perm, 0, ';', &actn) < 0) - continue; - if (ber_bvstrcasecmp( &aci_bv_grant, &actn ) == 0) { - mask = grant; - } else if (ber_bvstrcasecmp( &aci_bv_deny, &actn ) == 0) { - mask = deny; - } else { - continue; - } - - found = 1; - *mask |= aci_list_get_attr_rights(&perm, attr, val); - *mask |= aci_list_get_attr_rights(&perm, &aci_bv_br_all, NULL); - } - return(found); -} - -static int -aci_group_member ( - struct berval *subj, - struct berval *defgrpoc, - struct berval *defgrpat, - Operation *op, - Entry *e, - int nmatch, - regmatch_t *matches -) -{ - struct berval subjdn; - struct berval grpoc; - struct berval grpat; - ObjectClass *grp_oc = NULL; - AttributeDescription *grp_ad = NULL; - const char *text; - int rc; - - /* format of string is "group/objectClassValue/groupAttrName" */ - if (aci_get_part(subj, 0, '/', &subjdn) < 0) { - return(0); - } - - if (aci_get_part(subj, 1, '/', &grpoc) < 0) { - grpoc = *defgrpoc; - } - - if (aci_get_part(subj, 2, '/', &grpat) < 0) { - grpat = *defgrpat; - } - - rc = slap_bv2ad( &grpat, &grp_ad, &text ); - if( rc != LDAP_SUCCESS ) { - rc = 0; - goto done; - } - rc = 0; - - grp_oc = oc_bvfind( &grpoc ); - - if (grp_oc != NULL && grp_ad != NULL ) { - char buf[ACL_BUF_SIZE]; - struct berval bv, ndn; - bv.bv_len = sizeof( buf ) - 1; - bv.bv_val = (char *)&buf; - if ( string_expand(&bv, &subjdn, - e->e_ndn, nmatch, matches) ) - { - rc = LDAP_OTHER; - goto done; - } - if ( dnNormalize( 0, NULL, NULL, &bv, &ndn, op->o_tmpmemctx ) == LDAP_SUCCESS ) { - rc = ( backend_group( op, e, &ndn, &op->o_ndn, - grp_oc, grp_ad ) == 0 ); - slap_sl_free( ndn.bv_val, op->o_tmpmemctx ); + if ( set.bv_val != subj->bv_val ) { + slap_sl_free( set.bv_val, op->o_tmpmemctx ); } } -done: return(rc); } -static int -aci_mask( - Operation *op, - Entry *e, - AttributeDescription *desc, - struct berval *val, - struct berval *aci, - int nmatch, - regmatch_t *matches, - slap_access_t *grant, - slap_access_t *deny, - slap_aci_scope_t asserted_scope -) -{ - struct berval bv, scope, perms, type, sdn; - int rc; - - - assert( !BER_BVISNULL( &desc->ad_cname ) ); - - /* parse an aci of the form: - oid # scope # action;rights;attr;rights;attr - $ action;rights;attr;rights;attr # type # subject - - [NOTE: the following comment is very outdated, - as the draft version it refers to (Ando, 2004-11-20)]. - - See draft-ietf-ldapext-aci-model-04.txt section 9.1 for - a full description of the format for this attribute. - Differences: "this" in the draft is "self" here, and - "self" and "public" is in the position of type. - - = {entry|children|subtree} - = {public|users|access-id|subtree|onelevel|children| - self|dnattr|group|role|set|set-ref} - - This routine now supports scope={ENTRY,CHILDREN} - with the semantics: - - ENTRY applies to "entry" and "subtree"; - - CHILDREN aplies to "children" and "subtree" - */ - - /* check that the aci has all 5 components */ - if ( aci_get_part( aci, 4, '#', NULL ) < 0 ) { - return 0; - } - - /* check that the aci family is supported */ - if ( aci_get_part( aci, 0, '#', &bv ) < 0 ) { - return 0; - } - - /* check that the scope matches */ - if ( aci_get_part( aci, 1, '#', &scope ) < 0 ) { - return 0; - } - - /* note: scope can be either ENTRY or CHILDREN; - * they respectively match "entry" and "children" in bv - * both match "subtree" */ - switch ( asserted_scope ) { - case SLAP_ACI_SCOPE_ENTRY: - if ( ber_bvstrcasecmp( &scope, &aci_bv_entry ) != 0 - && ber_bvstrcasecmp( &scope, &aci_bv_subtree ) != 0 ) - { - return 0; - } - break; - - case SLAP_ACI_SCOPE_CHILDREN: - if ( ber_bvstrcasecmp( &scope, &aci_bv_children ) != 0 - && ber_bvstrcasecmp( &scope, &aci_bv_subtree ) != 0 ) - { - return 0; - } - break; - - default: - return 0; - } - - /* get the list of permissions clauses, bail if empty */ - if ( aci_get_part( aci, 2, '#', &perms ) <= 0 ) { - return 0; - } - - /* check if any permissions allow desired access */ - if ( aci_list_get_rights( &perms, &desc->ad_cname, val, grant, deny ) == 0 ) { - return 0; - } - - /* see if we have a DN match */ - if ( aci_get_part( aci, 3, '#', &type ) < 0 ) { - return 0; - } - - /* see if we have a public (i.e. anonymous) access */ - if ( ber_bvstrcasecmp( &aci_bv_public, &type ) == 0 ) { - return 1; - } - - /* otherwise require an identity */ - if ( BER_BVISNULL( &op->o_ndn ) || BER_BVISEMPTY( &op->o_ndn ) ) { - return 0; - } - - /* see if we have a users access */ - if ( ber_bvstrcasecmp( &aci_bv_users, &type ) == 0 ) { - return 1; - } - - /* NOTE: this may fail if a DN contains a valid '#' (unescaped); - * just grab all the berval up to its end (ITS#3303). - * NOTE: the problem could be solved by providing the DN with - * the embedded '#' encoded as hexpairs: "cn=Foo#Bar" would - * become "cn=Foo\23Bar" and be safely used by aci_mask(). */ -#if 0 - if ( aci_get_part( aci, 4, '#', &sdn ) < 0 ) { - return 0; - } -#endif - sdn.bv_val = type.bv_val + type.bv_len + STRLENOF( "#" ); - sdn.bv_len = aci->bv_len - ( sdn.bv_val - aci->bv_val ); - - if ( ber_bvstrcasecmp( &aci_bv_access_id, &type ) == 0 ) { - struct berval ndn; - - rc = dnNormalize( 0, NULL, NULL, &sdn, &ndn, op->o_tmpmemctx ); - if ( rc != LDAP_SUCCESS ) { - return 0; - } - - if ( dn_match( &op->o_ndn, &ndn ) ) { - rc = 1; - } - slap_sl_free( ndn.bv_val, op->o_tmpmemctx ); - - return rc; - - } else if ( ber_bvstrcasecmp( &aci_bv_subtree, &type ) == 0 ) { - struct berval ndn; - - rc = dnNormalize( 0, NULL, NULL, &sdn, &ndn, op->o_tmpmemctx ); - if ( rc != LDAP_SUCCESS ) { - return 0; - } - - if ( dnIsSuffix( &op->o_ndn, &ndn ) ) { - rc = 1; - } - slap_sl_free( ndn.bv_val, op->o_tmpmemctx ); - - return rc; - - } else if ( ber_bvstrcasecmp( &aci_bv_onelevel, &type ) == 0 ) { - struct berval ndn, pndn; - - rc = dnNormalize( 0, NULL, NULL, &sdn, &ndn, op->o_tmpmemctx ); - if ( rc != LDAP_SUCCESS ) { - return 0; - } - - dnParent( &ndn, &pndn ); - - if ( dn_match( &op->o_ndn, &pndn ) ) { - rc = 1; - } - slap_sl_free( ndn.bv_val, op->o_tmpmemctx ); - - return rc; - - } else if ( ber_bvstrcasecmp( &aci_bv_children, &type ) == 0 ) { - struct berval ndn; - - rc = dnNormalize( 0, NULL, NULL, &sdn, &ndn, op->o_tmpmemctx ); - if ( rc != LDAP_SUCCESS ) { - return 0; - } - - if ( !dn_match( &op->o_ndn, &ndn ) - && dnIsSuffix( &op->o_ndn, &ndn ) ) - { - rc = 1; - } - slap_sl_free( ndn.bv_val, op->o_tmpmemctx ); - - return rc; - - } else if ( ber_bvstrcasecmp( &aci_bv_self, &type ) == 0 ) { - if ( dn_match( &op->o_ndn, &e->e_nname ) ) { - return 1; - } - - } else if ( ber_bvstrcasecmp( &aci_bv_dnattr, &type ) == 0 ) { - Attribute *at; - AttributeDescription *ad = NULL; - const char *text; - - rc = slap_bv2ad( &sdn, &ad, &text ); - - if( rc != LDAP_SUCCESS ) { - return 0; - } - - rc = 0; - - for ( at = attrs_find( e->e_attrs, ad ); - at != NULL; - at = attrs_find( at->a_next, ad ) ) - { - if ( value_find_ex( ad, - SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH | - SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH, - at->a_nvals, - &op->o_ndn, op->o_tmpmemctx ) == 0 ) - { - rc = 1; - break; - } - } - - return rc; - - } else if ( ber_bvstrcasecmp( &aci_bv_group, &type ) == 0 ) { - if ( aci_group_member( &sdn, &aci_bv_group_class, - &aci_bv_group_attr, op, e, nmatch, matches ) ) - { - return 1; - } - - } else if ( ber_bvstrcasecmp( &aci_bv_role, &type ) == 0 ) { - if ( aci_group_member( &sdn, &aci_bv_role_class, - &aci_bv_role_attr, op, e, nmatch, matches ) ) - { - return 1; - } - - } else if ( ber_bvstrcasecmp( &aci_bv_set, &type ) == 0 ) { - if ( aci_match_set( &sdn, op, e, 0 ) ) { - return 1; - } - - } else if ( ber_bvstrcasecmp( &aci_bv_set_ref, &type ) == 0 ) { - if ( aci_match_set( &sdn, op, e, 1 ) ) { - return 1; - } - } - - return 0; -} - -#ifdef SLAP_DYNACL -/* - * FIXME: there is a silly dependence that makes it difficult - * to move ACIs in a run-time loadable module under the "dynacl" - * umbrella, because sets share some helpers with ACIs. - */ -static int -dynacl_aci_parse( const char *fname, int lineno, slap_style_t sty, const char *right, void **privp ) -{ - AttributeDescription *ad = NULL; - const char *text = NULL; - - if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) { - fprintf( stderr, "%s: line %d: " - "inappropriate style \"%s\" in \"aci\" by clause\n", - fname, lineno, style_strings[sty] ); - return -1; - } - - if ( right != NULL && *right != '\0' ) { - if ( slap_str2ad( right, &ad, &text ) != LDAP_SUCCESS ) { - fprintf( stderr, - "%s: line %d: aci \"%s\": %s\n", - fname, lineno, right, text ); - return -1; - } - - } else { - ad = slap_schema.si_ad_aci; - } - - if ( !is_at_syntax( ad->ad_type, SLAPD_ACI_SYNTAX) ) { - fprintf( stderr, "%s: line %d: " - "aci \"%s\": inappropriate syntax: %s\n", - fname, lineno, right, - ad->ad_type->sat_syntax_oid ); - return -1; - } - - *privp = (void *)ad; - - return 0; -} - -static int -dynacl_aci_unparse( void *priv, struct berval *bv ) -{ - AttributeDescription *ad = ( AttributeDescription * )priv; - char *ptr; - - assert( ad != NULL ); - - bv->bv_val = ch_malloc( STRLENOF(" aci=") + ad->ad_cname.bv_len + 1 ); - ptr = lutil_strcopy( bv->bv_val, " aci=" ); - ptr = lutil_strcopy( ptr, ad->ad_cname.bv_val ); - bv->bv_len = ptr - bv->bv_val; - - return 0; -} - - -static int -dynacl_aci_mask( - void *priv, - Operation *op, - Entry *e, - AttributeDescription *desc, - struct berval *val, - int nmatch, - regmatch_t *matches, - slap_access_t *grantp, - slap_access_t *denyp ) -{ - AttributeDescription *ad = ( AttributeDescription * )priv; - Attribute *at; - slap_access_t tgrant, tdeny, grant, deny; -#ifdef LDAP_DEBUG - char accessmaskbuf[ACCESSMASK_MAXLEN]; - char accessmaskbuf1[ACCESSMASK_MAXLEN]; -#endif /* LDAP_DEBUG */ - - /* start out with nothing granted, nothing denied */ - ACL_INIT(tgrant); - ACL_INIT(tdeny); - - /* get the aci attribute */ - at = attr_find( e->e_attrs, ad ); - if ( at != NULL ) { - int i; - - /* the aci is an multi-valued attribute. The - * rights are determined by OR'ing the individual - * rights given by the acis. - */ - for ( i = 0; !BER_BVISNULL( &at->a_nvals[i] ); i++ ) { - if ( aci_mask( op, e, desc, val, &at->a_nvals[i], - nmatch, matches, &grant, &deny, - SLAP_ACI_SCOPE_ENTRY ) != 0 ) - { - tgrant |= grant; - tdeny |= deny; - } - } - - Debug( LDAP_DEBUG_ACL, "<= aci_mask grant %s deny %s\n", - accessmask2str( tgrant, accessmaskbuf, 1 ), - accessmask2str( tdeny, accessmaskbuf1, 1 ), 0 ); - } - - /* If the entry level aci didn't contain anything valid for the - * current operation, climb up the tree and evaluate the - * acis with scope set to subtree - */ - if ( tgrant == ACL_PRIV_NONE && tdeny == ACL_PRIV_NONE ) { - struct berval parent_ndn; - -#if 1 - /* to solve the chicken'n'egg problem of accessing - * the OpenLDAPaci attribute, the direct access - * to the entry's attribute is unchecked; however, - * further accesses to OpenLDAPaci values in the - * ancestors occur through backend_attribute(), i.e. - * with the identity of the operation, requiring - * further access checking. For uniformity, this - * makes further requests occur as the rootdn, if - * any, i.e. searching for the OpenLDAPaci attribute - * is considered an internal search. If this is not - * acceptable, then the same check needs be performed - * when accessing the entry's attribute. */ - Operation op2 = *op; - - if ( !BER_BVISNULL( &op->o_bd->be_rootndn ) ) { - op2.o_dn = op->o_bd->be_rootdn; - op2.o_ndn = op->o_bd->be_rootndn; - } -#endif - - dnParent( &e->e_nname, &parent_ndn ); - while ( !BER_BVISEMPTY( &parent_ndn ) ){ - int i; - BerVarray bvals = NULL; - int ret, stop; - - Debug( LDAP_DEBUG_ACL, "checking ACI of \"%s\"\n", parent_ndn.bv_val, 0, 0 ); - ret = backend_attribute( &op2, NULL, &parent_ndn, ad, &bvals, ACL_AUTH ); - - switch ( ret ) { - case LDAP_SUCCESS : - stop = 0; - if ( !bvals ) { - break; - } - - for ( i = 0; !BER_BVISNULL( &bvals[i] ); i++) { - if ( aci_mask( op, e, desc, val, - &bvals[i], - nmatch, matches, - &grant, &deny, - SLAP_ACI_SCOPE_CHILDREN ) != 0 ) - { - tgrant |= grant; - tdeny |= deny; - /* evaluation stops as soon as either a "deny" or a - * "grant" directive matches. - */ - if ( tgrant != ACL_PRIV_NONE || tdeny != ACL_PRIV_NONE ) { - stop = 1; - } - } - Debug( LDAP_DEBUG_ACL, "<= aci_mask grant %s deny %s\n", - accessmask2str( tgrant, accessmaskbuf, 1 ), - accessmask2str( tdeny, accessmaskbuf1, 1 ), 0 ); - } - break; - - case LDAP_NO_SUCH_ATTRIBUTE: - /* just go on if the aci-Attribute is not present in - * the current entry - */ - Debug( LDAP_DEBUG_ACL, "no such attribute\n", 0, 0, 0 ); - stop = 0; - break; - - case LDAP_NO_SUCH_OBJECT: - /* We have reached the base object */ - Debug( LDAP_DEBUG_ACL, "no such object\n", 0, 0, 0 ); - stop = 1; - break; - - default: - stop = 1; - break; - } - - if ( stop ) { - break; - } - dnParent( &parent_ndn, &parent_ndn ); - } - } - - *grantp = tgrant; - *denyp = tdeny; - - return 0; -} - -/* need to register this at some point */ -static slap_dynacl_t dynacl_aci = { - "aci", - dynacl_aci_parse, - dynacl_aci_unparse, - dynacl_aci_mask, - NULL, - NULL, - NULL -}; - -#endif /* SLAP_DYNACL */ - -#endif /* SLAPD_ACI_ENABLED */ - #ifdef SLAP_DYNACL /* @@ -3412,47 +2476,55 @@ slap_dynacl_get( const char *name ) } #endif /* SLAP_DYNACL */ +/* + * statically built-in dynamic ACL initialization + */ +static int (*acl_init_func[])( void ) = { +#ifdef SLAP_DYNACL + /* TODO: remove when ACI will only be dynamic */ +#if SLAPD_ACI_ENABLED == SLAPD_MOD_STATIC + dynacl_aci_init, +#endif /* SLAPD_ACI_ENABLED */ +#endif /* SLAP_DYNACL */ + + NULL +}; + int acl_init( void ) { - int i, rc; -#ifdef SLAP_DYNACL - slap_dynacl_t *known_dynacl[] = { -#ifdef SLAPD_ACI_ENABLED - &dynacl_aci, -#endif /* SLAPD_ACI_ENABLED */ - NULL - }; + int i, rc; - for ( i = 0; known_dynacl[ i ]; i++ ) { - rc = slap_dynacl_register( known_dynacl[ i ] ); - if ( rc ) { + for ( i = 0; acl_init_func[ i ] != NULL; i++ ) { + rc = (*(acl_init_func[ i ]))(); + if ( rc != 0 ) { return rc; } } -#endif /* SLAP_DYNACL */ return 0; } -static int -string_expand( +int +acl_string_expand( struct berval *bv, struct berval *pat, - char *match, - int nmatch, - regmatch_t *matches) + struct berval *dn_matches, + struct berval *val_matches, + AclRegexMatches *matches) { ber_len_t size; char *sp; char *dp; int flag; + enum { DN_FLAG, VAL_FLAG } tflag; size = 0; bv->bv_val[0] = '\0'; bv->bv_len--; /* leave space for lone $ */ flag = 0; + tflag = DN_FLAG; for ( dp = bv->bv_val, sp = pat->bv_val; size < bv->bv_len && sp < pat->bv_val + pat->bv_len ; sp++ ) { @@ -3462,11 +2534,21 @@ string_expand( *dp++ = '$'; size++; flag = 0; + tflag = DN_FLAG; + + } else if ( flag == 2 && *sp == 'v' /*'}'*/) { + tflag = VAL_FLAG; + + } else if ( flag == 2 && *sp == 'd' /*'}'*/) { + tflag = DN_FLAG; } else if ( flag == 1 && *sp == '{' /*'}'*/) { flag = 2; } else if ( *sp >= '0' && *sp <= '9' ) { + int nm; + regmatch_t *m; + char *data; int n; int i; int l; @@ -3486,20 +2568,40 @@ string_expand( } } - if ( n >= nmatch ) { + switch (tflag) { + case DN_FLAG: + nm = matches->dn_count; + m = matches->dn_data; + data = dn_matches ? dn_matches->bv_val : NULL; + break; + case VAL_FLAG: + nm = matches->val_count; + m = matches->val_data; + data = val_matches ? val_matches->bv_val : NULL; + break; + default: + assert( 0 ); + } + if ( n >= nm ) { + /* FIXME: error */ + return 1; + } + if ( data == NULL ) { /* FIXME: error */ return 1; } *dp = '\0'; - i = matches[n].rm_so; - l = matches[n].rm_eo; + i = m[n].rm_so; + l = m[n].rm_eo; + for ( ; size < bv->bv_len && i < l; size++, i++ ) { - *dp++ = match[i]; + *dp++ = data[i]; } *dp = '\0'; flag = 0; + tflag = DN_FLAG; } } else { if (*sp == '$') { @@ -3520,8 +2622,8 @@ string_expand( *dp = '\0'; bv->bv_len = size; - Debug( LDAP_DEBUG_TRACE, "=> string_expand: pattern: %.*s\n", (int)pat->bv_len, pat->bv_val, 0 ); - Debug( LDAP_DEBUG_TRACE, "=> string_expand: expanded: %s\n", bv->bv_val, 0, 0 ); + Debug( LDAP_DEBUG_ACL, "=> acl_string_expand: pattern: %.*s\n", (int)pat->bv_len, pat->bv_val, 0 ); + Debug( LDAP_DEBUG_ACL, "=> acl_string_expand: expanded: %s\n", bv->bv_val, 0, 0 ); return 0; } @@ -3530,9 +2632,9 @@ static int regex_matches( struct berval *pat, /* pattern to expand and match against */ char *str, /* string to match against pattern */ - char *buf, /* buffer with $N expansion variables */ - int nmatch, /* size of the matches array */ - regmatch_t *matches /* offsets in buffer for $N expansion variables */ + struct berval *dn_matches, /* buffer with $N expansion variables from DN */ + struct berval *val_matches, /* buffer with $N expansion variables from val */ + AclRegexMatches *matches /* offsets in buffer for $N expansion variables */ ) { regex_t re; @@ -3547,7 +2649,7 @@ regex_matches( str = ""; }; - string_expand( &bv, pat, buf, nmatch, matches ); + acl_string_expand( &bv, pat, dn_matches, val_matches, matches ); rc = regcomp( &re, newbuf, REG_EXTENDED|REG_ICASE ); if ( rc ) { char error[ACL_BUF_SIZE];