X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Facl.c;h=76e54530c6ad935ab5b476facf5778b05f7b7f9f;hb=6147119dc8526a758a7c576940fe8483e2b93915;hp=6917f5e1715aa85c82bf07ee20fdeef6fb5775eb;hpb=2ec25ef8810f15f5aa13ec47b593a18cb96fcbdf;p=openldap diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c index 6917f5e171..76e54530c6 100644 --- a/servers/slapd/acl.c +++ b/servers/slapd/acl.c @@ -1,34 +1,26 @@ /* acl.c - routines to parse and check acl's */ +/* + * Copyright 1998-1999 The OpenLDAP Foundation, All Rights Reserved. + * COPYING RESTRICTIONS APPLY, see COPYRIGHT file + */ -#include -#include -#include -#include -#include -#include -#include - -#include "slap.h" +#include "portable.h" -extern Attribute *attr_find(); -extern struct acl *global_acl; -extern int global_default_access; -extern char *access2str(); -extern char *dn_normalize_case(); +#include -int acl_access_allowed(); -int access_allowed(); -struct acl *acl_get_applicable(); +#include +#include +#include -static int regex_matches(); +#include "slap.h" -static string_expand(char *newbuf, int bufsiz, char *pattern, - char *match, regmatch_t *matches); +static int regex_matches(char *pat, char *str, char *buf, regmatch_t *matches); +static void string_expand(char *newbuf, int bufsiz, char *pattern, + char *match, regmatch_t *matches); -extern Entry * be_dn2entry(Backend *be, char *bdn, char **matched); /* - * access_allowed - check whether dn is allowed the requested access + * access_allowed - check whether op->o_ndn is allowed the requested access * to entry e, attribute attr, value val. if val is null, access to * the whole attribute is assumed (all values). this routine finds * the applicable acl and calls acl_access_allowed() to make the @@ -46,12 +38,11 @@ access_allowed( Entry *e, char *attr, struct berval *val, - char *dn, int access ) { int rc; - struct acl *a; + AccessControl *a; char *edn; regmatch_t matches[MAXREMATCHES]; @@ -62,30 +53,26 @@ access_allowed( return( 0 ); } - edn = dn_normalize_case( strdup( e->e_dn ) ); + edn = e->e_ndn; + Debug( LDAP_DEBUG_ACL, "\n=> access_allowed: entry (%s) attr (%s)\n", e->e_dn, attr, 0 ); /* the lastmod attributes are ignored by ACL checking */ - if ( strcasecmp( attr, "modifiersname" ) == 0 || - strcasecmp( attr, "modifytimestamp" ) == 0 || - strcasecmp( attr, "creatorsname" ) == 0 || - strcasecmp( attr, "createtimestamp" ) == 0 ) - { - Debug( LDAP_DEBUG_ACL, "LASTMOD attribute: %s access allowed\n", + if ( oc_check_no_usermod_attr( attr ) ) { + Debug( LDAP_DEBUG_ACL, "Operational attribute: %s access allowed\n", attr, 0, 0 ); - free( edn ); return(1); } memset(matches, 0, sizeof(matches)); - a = acl_get_applicable( be, op, e, attr, edn, MAXREMATCHES, matches ); + a = acl_get_applicable( be, op, e, attr, MAXREMATCHES, matches ); if (a) { for (i = 0; i < MAXREMATCHES && matches[i].rm_so > 0; i++) { - Debug( LDAP_DEBUG_ARGS, "=> match[%d]: %d %d ", - i, matches[i].rm_so, matches[i].rm_eo ); + Debug( LDAP_DEBUG_ARGS, "=> match[%d]: %d %d ", i, + (int)matches[i].rm_so, (int)matches[i].rm_eo ); if( matches[i].rm_so <= matches[0].rm_eo ) { for ( n = matches[i].rm_so; n < matches[i].rm_eo; n++) { @@ -97,7 +84,6 @@ access_allowed( } rc = acl_access_allowed( a, be, conn, e, val, op, access, edn, matches ); - free( edn ); Debug( LDAP_DEBUG_ACL, "\n=> access_allowed: exit (%s) attr (%s)\n", e->e_dn, attr, 0); @@ -111,43 +97,47 @@ access_allowed( * acl_access_allowed(). */ -struct acl * +AccessControl * acl_get_applicable( Backend *be, Operation *op, Entry *e, char *attr, - char *edn, int nmatch, regmatch_t *matches ) { - int i, j; - struct acl *a; + int i; + AccessControl *a; + char *edn; Debug( LDAP_DEBUG_ACL, "\n=> acl_get: entry (%s) attr (%s)\n", e->e_dn, attr, 0 ); - if ( be_isroot( be, op->o_dn ) ) { + if ( be_isroot( be, op->o_ndn ) ) { Debug( LDAP_DEBUG_ACL, "<= acl_get: no acl applicable to database root\n", 0, 0, 0 ); return( NULL ); } + edn = e->e_ndn; + Debug( LDAP_DEBUG_ARGS, "=> acl_get: edn %s\n", edn, 0, 0 ); /* check for a backend-specific acl that matches the entry */ for ( i = 1, a = be->be_acl; a != NULL; a = a->acl_next, i++ ) { - if (a->acl_dnpat != NULL) { + if (a->acl_dn_pat != NULL) { Debug( LDAP_DEBUG_TRACE, "=> dnpat: [%d] %s nsub: %d\n", - i, a->acl_dnpat, a->acl_dnre.re_nsub); + i, a->acl_dn_pat, (int) a->acl_dn_re.re_nsub); - if (regexec(&a->acl_dnre, edn, nmatch, matches, 0)) + if (regexec(&a->acl_dn_re, edn, nmatch, matches, 0)) { continue; - else + + } else { Debug( LDAP_DEBUG_TRACE, "=> acl_get:[%d] backend ACL match\n", i, 0, 0); + } } if ( a->acl_filter != NULL ) { @@ -170,12 +160,13 @@ acl_get_applicable( /* check for a global acl that matches the entry */ for ( i = 1, a = global_acl; a != NULL; a = a->acl_next, i++ ) { - if (a->acl_dnpat != NULL) { - Debug( LDAP_DEBUG_TRACE, "=> dnpat: [%d] %s nsub: %d\n", - i, a->acl_dnpat, a->acl_dnre.re_nsub); + if (a->acl_dn_pat != NULL) { + Debug( LDAP_DEBUG_TRACE, "=> dn pat: [%d] %s nsub: %d\n", + i, a->acl_dn_pat, (int) a->acl_dn_re.re_nsub); - if (regexec(&a->acl_dnre, edn, nmatch, matches, 0)) { + if (regexec(&a->acl_dn_re, edn, nmatch, matches, 0)) { continue; + } else { Debug( LDAP_DEBUG_TRACE, "=> acl_get: [%d] global ACL match\n", i, 0, 0); @@ -216,7 +207,7 @@ acl_get_applicable( int acl_access_allowed( - struct acl *a, + AccessControl *a, Backend *be, Connection *conn, Entry *e, @@ -228,10 +219,7 @@ acl_access_allowed( ) { int i; - char *odn; - struct access *b; - Attribute *at; - struct berval bv; + Access *b; int default_access; Debug( LDAP_DEBUG_ACL, @@ -242,9 +230,9 @@ acl_access_allowed( "\n=> acl_access_allowed: %s access to value \"%s\" by \"%s\"\n", access2str( access ), val ? val->bv_val : "any", - op->o_dn ? op->o_dn : "" ); + op->o_ndn ? op->o_ndn : "" ); - if ( be_isroot( be, op->o_dn ) ) { + if ( be_isroot( be, op->o_ndn ) ) { Debug( LDAP_DEBUG_ACL, "<= acl_access_allowed: granted to database root\n", 0, 0, 0 ); @@ -260,135 +248,143 @@ acl_access_allowed( return( default_access >= access ); } - odn = NULL; - if ( op->o_dn != NULL ) { - odn = dn_normalize_case( strdup( op->o_dn ) ); - bv.bv_val = odn; - bv.bv_len = strlen( odn ); - } for ( i = 1, b = a->acl_access; b != NULL; b = b->a_next, i++ ) { - if ( b->a_dnpat != NULL ) { - Debug( LDAP_DEBUG_TRACE, "<= check a_dnpat: %s\n", - b->a_dnpat, 0, 0); + /* AND clauses */ + if ( b->a_dn_pat != NULL ) { + Debug( LDAP_DEBUG_TRACE, "<= check a_dn_pat: %s\n", + b->a_dn_pat, 0, 0); /* * if access applies to the entry itself, and the * user is bound as somebody in the same namespace as * the entry, OR the given dn matches the dn pattern */ - if ( strcasecmp( b->a_dnpat, "self" ) == 0 && - op->o_dn != NULL && *(op->o_dn) && e->e_dn != NULL ) - { - if ( strcasecmp( edn, op->o_dn ) == 0 ) { - Debug( LDAP_DEBUG_ACL, - "<= acl_access_allowed: matched by clause #%d access %s\n", - i, (b->a_access & ~ACL_SELF) >= - access ? "granted" : "denied", 0 ); - - if ( odn ) free( odn ); - return( (b->a_access & ~ACL_SELF) >= access ); + if ( strcasecmp( b->a_dn_pat, "anonymous" ) == 0 ) { + if (op->o_ndn != NULL && op->o_ndn[0] != '\0' ) { + continue; } - } else { - if ( regex_matches( b->a_dnpat, odn, edn, matches ) ) { - Debug( LDAP_DEBUG_ACL, - "<= acl_access_allowed: matched by clause #%d access %s\n", - i, (b->a_access & ~ACL_SELF) >= access ? - "granted" : "denied", 0 ); - - if ( odn ) free( odn ); - return( (b->a_access & ~ACL_SELF) >= access ); + + } else if ( strcasecmp( b->a_dn_pat, "self" ) == 0 ) { + if( op->o_ndn == NULL || op->o_ndn[0] == '\0' ) { + continue; } + + if ( e->e_dn == NULL || strcmp( edn, op->o_ndn ) != 0 ) { + continue; + } + + } else if ( strcmp( b->a_dn_pat, ".*" ) != 0 && + !regex_matches( b->a_dn_pat, op->o_ndn, edn, matches ) ) + { + continue; } } - if ( b->a_addrpat != NULL ) { - if ( regex_matches( b->a_addrpat, conn->c_addr, edn, matches ) ) { - Debug( LDAP_DEBUG_ACL, - "<= acl_access_allowed: matched by clause #%d access %s\n", - i, (b->a_access & ~ACL_SELF) >= access ? - "granted" : "denied", 0 ); - - if ( odn ) free( odn ); - return( (b->a_access & ~ACL_SELF) >= access ); + + if ( b->a_sockurl_pat != NULL ) { + Debug( LDAP_DEBUG_ARGS, "<= check a_sockurl_pat: %s\n", + b->a_sockurl_pat, 0, 0 ); + + if ( strcmp( b->a_sockurl_pat, ".*" ) != 0 && + !regex_matches( b->a_sockurl_pat, conn->c_listener_url, + edn, matches ) ) + { + continue; + } + } + + if ( b->a_domain_pat != NULL ) { + Debug( LDAP_DEBUG_ARGS, "<= check a_domain_pat: %s\n", + b->a_domain_pat, 0, 0 ); + + if ( strcmp( b->a_domain_pat, ".*" ) != 0 && + !regex_matches( b->a_domain_pat, conn->c_peer_domain, + edn, matches ) ) + { + continue; } } - if ( b->a_domainpat != NULL ) { - Debug( LDAP_DEBUG_ARGS, "<= check a_domainpath: %s\n", - b->a_domainpat, 0, 0 ); - if ( regex_matches( b->a_domainpat, conn->c_domain, edn, matches ) ) + + if ( b->a_peername_pat != NULL ) { + Debug( LDAP_DEBUG_ARGS, "<= check a_peername_path: %s\n", + b->a_peername_pat, 0, 0 ); + + if ( strcmp( b->a_peername_pat, ".*" ) != 0 && + !regex_matches( b->a_peername_pat, conn->c_peer_name, + edn, matches ) ) { - Debug( LDAP_DEBUG_ACL, - "<= acl_access_allowed: matched by clause #%d access %s\n", - i, (b->a_access & ~ACL_SELF) >= access ? - "granted" : "denied", 0 ); + continue; + } + } - if ( odn ) free( odn ); - return( (b->a_access & ~ACL_SELF) >= access ); + if ( b->a_sockname_pat != NULL ) { + Debug( LDAP_DEBUG_ARGS, "<= check a_sockname_path: %s\n", + b->a_sockname_pat, 0, 0 ); + + if ( strcmp( b->a_sockname_pat, ".*" ) != 0 && + !regex_matches( b->a_sockname_pat, conn->c_sock_name, + edn, matches ) ) + { + continue; } } - if ( b->a_dnattr != NULL && op->o_dn != NULL ) { - Debug( LDAP_DEBUG_ARGS, "<= check a_dnattr: %s\n", - b->a_dnattr, 0, 0); - /* see if asker is listed in dnattr */ - if ( (at = attr_find( e->e_attrs, b->a_dnattr )) != NULL && + + if ( b->a_dn_at != NULL && op->o_ndn != NULL ) { + Attribute *at; + struct berval bv; + + Debug( LDAP_DEBUG_ARGS, "<= check a_dn_at: %s\n", + b->a_dn_at, 0, 0); + + bv.bv_val = op->o_ndn; + bv.bv_len = strlen( bv.bv_val ); + + /* see if asker is listed in dnattr */ + if ( (at = attr_find( e->e_attrs, b->a_dn_at )) != NULL && value_find( at->a_vals, &bv, at->a_syntax, 3 ) == 0 ) { - if ( (b->a_access & ACL_SELF) && + if ( ACL_IS_SELF(b->a_access) && (val == NULL || value_cmp( &bv, val, at->a_syntax, 2 )) ) { continue; } - if ( odn ) free( odn ); - Debug( LDAP_DEBUG_ACL, - "<= acl_acces_allowed: matched by clause #%d access %s\n", - i, (b->a_access & ~ACL_SELF) >= access ? - "granted" : "denied", 0 ); - - return( (b->a_access & ~ACL_SELF) >= access ); - } - /* asker not listed in dnattr - check for self access */ - if ( ! (b->a_access & ACL_SELF) || val == NULL || + } else if ( ! ACL_IS_SELF(b->a_access) || val == NULL || value_cmp( &bv, val, at->a_syntax, 2 ) != 0 ) { continue; } - - if ( odn ) free( odn ); - Debug( LDAP_DEBUG_ACL, - "<= acl_access_allowed: matched by clause #%d (self) access %s\n", - i, (b->a_access & ~ACL_SELF) >= access ? "granted" - : "denied", 0 ); - - return( (b->a_access & ~ACL_SELF) >= access ); } -#ifdef ACLGROUP - if ( b->a_group != NULL && op->o_dn != NULL ) { - char buf[512]; + + if ( b->a_group_pat != NULL && op->o_ndn != NULL ) { + char buf[1024]; /* b->a_group is an unexpanded entry name, expanded it should be an * entry with objectclass group* and we test to see if odn is one of - * the values in the attribute uniquegroup + * the values in the attribute group */ - Debug( LDAP_DEBUG_ARGS, "<= check a_group: %s\n", - b->a_group, 0, 0); - Debug( LDAP_DEBUG_ARGS, "<= check a_group: odn: %s\n", - odn, 0, 0); - /* see if asker is listed in dnattr */ - string_expand(buf, sizeof(buf), b->a_group, edn, matches); - - if (be_group(be, buf, odn) == 0) { - Debug( LDAP_DEBUG_ACL, - "<= acl_access_allowed: matched by clause #%d (group) access granted\n", - i, 0, 0 ); - if ( odn ) free( odn ); - return( (b->a_access & ~ACL_SELF) >= access ); + string_expand(buf, sizeof(buf), b->a_group_pat, edn, matches); + if ( dn_normalize_case(buf) == NULL ) { + /* did not expand to a valid dn */ + continue; + } + + if (backend_group(be, e, buf, op->o_ndn, + b->a_group_oc, b->a_group_at) != 0) + { + continue; } } -#endif /* ACLGROUP */ + + Debug( LDAP_DEBUG_ACL, + "<= acl_access_allowed: matched by clause #%d access %s\n", + i, + ACL_GRANT(b->a_access, access) ? "granted" : "denied", + 0 ); + + return ACL_GRANT(b->a_access, access ); } - if ( odn ) free( odn ); Debug( LDAP_DEBUG_ACL, "<= acl_access_allowed: %s by default (no matching by)\n", default_access >= access ? "granted" : "denied", 0, 0 ); @@ -397,7 +393,7 @@ acl_access_allowed( } /* - * acl_check_mods - check access control on the given entry to see if + * acl_check_modlist - check access control on the given entry to see if * it allows the given modifications by the user associated with op. * returns LDAP_SUCCESS mods allowed ok * anything else mods not allowed - return is an error @@ -405,68 +401,59 @@ acl_access_allowed( */ int -acl_check_mods( +acl_check_modlist( Backend *be, Connection *conn, Operation *op, Entry *e, - LDAPMod *mods + LDAPModList *mlist ) { int i; - struct acl *a; - char *edn; - - edn = dn_normalize_case( strdup( e->e_dn ) ); + AccessControl *a; + char *edn = e->e_ndn; - for ( ; mods != NULL; mods = mods->mod_next ) { + for ( ; mlist != NULL; mlist = mlist->ml_next ) { regmatch_t matches[MAXREMATCHES]; /* the lastmod attributes are ignored by ACL checking */ - if ( strcasecmp( mods->mod_type, "modifiersname" ) == 0 || - strcasecmp( mods->mod_type, "modifytimestamp" ) == 0 || - strcasecmp( mods->mod_type, "creatorsname" ) == 0 || - strcasecmp( mods->mod_type, "createtimestamp" ) == 0 ) - { - Debug( LDAP_DEBUG_ACL, "LASTMOD attribute: %s access allowed\n", - mods->mod_type, 0, 0 ); + if ( oc_check_no_usermod_attr( mlist->ml_type ) ) { + Debug( LDAP_DEBUG_ACL, "Operational attribute: %s access allowed\n", + mlist->ml_type, 0, 0 ); continue; } - a = acl_get_applicable( be, op, e, mods->mod_type, edn, + a = acl_get_applicable( be, op, e, mlist->ml_type, MAXREMATCHES, matches ); - switch ( mods->mod_op & ~LDAP_MOD_BVALUES ) { + switch ( mlist->ml_op & ~LDAP_MOD_BVALUES ) { case LDAP_MOD_REPLACE: case LDAP_MOD_ADD: - if ( mods->mod_bvalues == NULL ) { + if ( mlist->ml_bvalues == NULL ) { break; } - for ( i = 0; mods->mod_bvalues[i] != NULL; i++ ) { - if ( ! acl_access_allowed( a, be, conn, e, mods->mod_bvalues[i], + for ( i = 0; mlist->ml_bvalues[i] != NULL; i++ ) { + if ( ! acl_access_allowed( a, be, conn, e, mlist->ml_bvalues[i], op, ACL_WRITE, edn, matches) ) { - free(edn); return( LDAP_INSUFFICIENT_ACCESS ); } } break; case LDAP_MOD_DELETE: - if ( mods->mod_bvalues == NULL ) { + if ( mlist->ml_bvalues == NULL ) { if ( ! acl_access_allowed( a, be, conn, e, NULL, op, ACL_WRITE, edn, matches) ) { - free(edn); return( LDAP_INSUFFICIENT_ACCESS ); } break; } - for ( i = 0; mods->mod_bvalues[i] != NULL; i++ ) { - if ( ! acl_access_allowed( a, be, conn, e, mods->mod_bvalues[i], + for ( i = 0; mlist->ml_bvalues[i] != NULL; i++ ) { + if ( ! acl_access_allowed( a, be, conn, e, mlist->ml_bvalues[i], op, ACL_WRITE, edn, matches) ) { - free(edn); return( LDAP_INSUFFICIENT_ACCESS ); } } @@ -474,11 +461,11 @@ acl_check_mods( } } - free(edn); return( LDAP_SUCCESS ); } -static string_expand( +static void +string_expand( char *newbuf, int bufsiz, char *pat, @@ -494,7 +481,7 @@ static string_expand( newbuf[0] = '\0'; flag = 0; - for ( dp = newbuf, sp = pat; size < 512 && *sp ; sp++) { + for ( dp = newbuf, sp = pat; size < bufsiz && *sp ; sp++) { /* did we previously see a $ */ if (flag) { if (*sp == '$') { @@ -503,7 +490,6 @@ static string_expand( } else if (*sp >= '0' && *sp <= '9' ) { int n; int i; - char *ep; int l; n = *sp - '0'; @@ -544,12 +530,14 @@ regex_matches( char newbuf[512]; int rc; + if(str == NULL) str = ""; + string_expand(newbuf, sizeof(newbuf), pat, buf, matches); if (( rc = regcomp(&re, newbuf, REG_EXTENDED|REG_ICASE))) { char error[512]; regerror(rc, &re, error, sizeof(error)); - Debug( LDAP_DEBUG_ANY, + Debug( LDAP_DEBUG_TRACE, "compile( \"%s\", \"%s\") failed %s\n", pat, str, error ); return( 0 ); @@ -558,9 +546,9 @@ regex_matches( rc = regexec(&re, str, 0, NULL, 0); regfree( &re ); - Debug( LDAP_DEBUG_ANY, + Debug( LDAP_DEBUG_TRACE, "=> regex_matches: string: %s\n", str, 0, 0 ); - Debug( LDAP_DEBUG_ANY, + Debug( LDAP_DEBUG_TRACE, "=> regex_matches: rc: %d %s\n", rc, !rc ? "matches" : "no matches", 0 ); return( !rc );