X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Facl.c;h=d6e92eb53b42d643afb4004199f5cf986536ae0c;hb=d2d574858005d9f81129a7502b663a5cd9c0f22d;hp=a5fd38abbdb3edffb99493c1ba321efd0526566b;hpb=4a5d740e2ee4e700e76b2eac6f079e39f0134c94;p=openldap

diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index a5fd38abbd..d6e92eb53b 100644
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -1,33 +1,22 @@
 /* acl.c - routines to parse and check acl's */
 
-#include <stdio.h>
-#include <string.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <netdb.h>
-#include <regex.h>
-
-#include "slap.h"
+#include "portable.h"
 
-extern Attribute	*attr_find();
-extern struct acl	*global_acl;
-extern int		global_default_access;
-extern char		*access2str();
-extern char		*dn_normalize_case();
+#include <stdio.h>
 
-int		acl_access_allowed();
-int		access_allowed();
-struct acl	*acl_get_applicable();
+#include <ac/regex.h>
+#include <ac/socket.h>
+#include <ac/string.h>
 
-static int	regex_matches();
+#include "slap.h"
 
-static string_expand(char *newbuf, int bufsiz, char *pattern,
-	char *match, regmatch_t *matches);
+static int	regex_matches(char *pat, char *str, char *buf, regmatch_t *matches);
+static void	string_expand(char *newbuf, int bufsiz, char *pattern,
+			      char *match, regmatch_t *matches);
 
 
 /*
- * access_allowed - check whether dn is allowed the requested access
+ * access_allowed - check whether op->o_ndn is allowed the requested access
  * to entry e, attribute attr, value val.  if val is null, access to
  * the whole attribute is assumed (all values).  this routine finds
  * the applicable acl and calls acl_access_allowed() to make the
@@ -45,7 +34,6 @@ access_allowed(
     Entry		*e,
     char		*attr,
     struct berval	*val,
-    char		*dn,
     int			access
 )
 {
@@ -61,7 +49,8 @@ access_allowed(
 		return( 0 );
 	}
 
-	edn = dn_normalize_case( strdup( e->e_dn ) );
+	edn = e->e_ndn;
+
 	Debug( LDAP_DEBUG_ACL, "\n=> access_allowed: entry (%s) attr (%s)\n",
 		e->e_dn, attr, 0 );
 
@@ -73,18 +62,17 @@ access_allowed(
 	{
  		Debug( LDAP_DEBUG_ACL, "LASTMOD attribute: %s access allowed\n",
 			attr, 0, 0 );
-		free( edn );
 		return(1);
 	}
 
 	memset(matches, 0, sizeof(matches));
 
-	a = acl_get_applicable( be, op, e, attr, edn, MAXREMATCHES, matches );
+	a = acl_get_applicable( be, op, e, attr, MAXREMATCHES, matches );
 
 	if (a) {
 		for (i = 0; i < MAXREMATCHES && matches[i].rm_so > 0; i++) {
-			Debug( LDAP_DEBUG_ARGS, "=> match[%d]: %d %d ",
-				i, matches[i].rm_so, matches[i].rm_eo );
+			Debug( LDAP_DEBUG_ARGS, "=> match[%d]: %d %d ", i,
+			       (int)matches[i].rm_so, (int)matches[i].rm_eo );
 
 			if( matches[i].rm_so <= matches[0].rm_eo ) {
 				for ( n = matches[i].rm_so; n < matches[i].rm_eo; n++) {
@@ -96,7 +84,6 @@ access_allowed(
 	}
 
 	rc = acl_access_allowed( a, be, conn, e, val, op, access, edn, matches );
-	free( edn );
 
 	Debug( LDAP_DEBUG_ACL, "\n=> access_allowed: exit (%s) attr (%s)\n",
 		e->e_dn, attr, 0);
@@ -116,31 +103,33 @@ acl_get_applicable(
     Operation		*op,
     Entry		*e,
     char		*attr,
-    char		*edn,
     int			nmatch,
     regmatch_t	*matches
 )
 {
 	int		i, j;
 	struct acl	*a;
+    char		*edn;
 
 	Debug( LDAP_DEBUG_ACL, "\n=> acl_get: entry (%s) attr (%s)\n",
 		e->e_dn, attr, 0 );
 
-	if ( be_isroot( be, op->o_dn ) ) {
+	if ( be_isroot( be, op->o_ndn ) ) {
 		Debug( LDAP_DEBUG_ACL,
 		    "<= acl_get: no acl applicable to database root\n", 0, 0,
 		    0 );
 		return( NULL );
 	}
 
+    edn = e->e_ndn;
+
 	Debug( LDAP_DEBUG_ARGS, "=> acl_get: edn %s\n", edn, 0, 0 );
 
 	/* check for a backend-specific acl that matches the entry */
 	for ( i = 1, a = be->be_acl; a != NULL; a = a->acl_next, i++ ) {
 		if (a->acl_dnpat != NULL) {
 			Debug( LDAP_DEBUG_TRACE, "=> dnpat: [%d] %s nsub: %d\n", 
-				i, a->acl_dnpat, a->acl_dnre.re_nsub);
+				i, a->acl_dnpat, (int) a->acl_dnre.re_nsub);
 
 			if (regexec(&a->acl_dnre, edn, nmatch, matches, 0))
 				continue;
@@ -171,7 +160,7 @@ acl_get_applicable(
 	for ( i = 1, a = global_acl; a != NULL; a = a->acl_next, i++ ) {
 		if (a->acl_dnpat != NULL) {
 			Debug( LDAP_DEBUG_TRACE, "=> dnpat: [%d] %s nsub: %d\n", 
-				i, a->acl_dnpat, a->acl_dnre.re_nsub);
+				i, a->acl_dnpat, (int) a->acl_dnre.re_nsub);
 
 			if (regexec(&a->acl_dnre, edn, nmatch, matches, 0)) {
 				continue;
@@ -241,9 +230,9 @@ acl_access_allowed(
 		"\n=> acl_access_allowed: %s access to value \"%s\" by \"%s\"\n",
 	    access2str( access ),
 		val ? val->bv_val : "any",
-		op->o_dn ?  op->o_dn : "" );
+		op->o_ndn ?  op->o_ndn : "" );
 
-	if ( be_isroot( be, op->o_dn ) ) {
+	if ( be_isroot( be, op->o_ndn ) ) {
 		Debug( LDAP_DEBUG_ACL,
 			"<= acl_access_allowed: granted to database root\n",
 		    0, 0, 0 );
@@ -259,12 +248,13 @@ acl_access_allowed(
 		return( default_access >= access );
 	}
 
-	odn = NULL;
-	if ( op->o_dn != NULL ) {
-		odn = dn_normalize_case( strdup( op->o_dn ) );
+	odn = op->o_ndn;
+
+	if ( odn != NULL ) {
 		bv.bv_val = odn;
 		bv.bv_len = strlen( odn );
 	}
+
 	for ( i = 1, b = a->acl_access; b != NULL; b = b->a_next, i++ ) {
 		if ( b->a_dnpat != NULL ) {
 			Debug( LDAP_DEBUG_TRACE, "<= check a_dnpat: %s\n",
@@ -275,15 +265,14 @@ acl_access_allowed(
 			 * the entry, OR the given dn matches the dn pattern
 			 */
 			if ( strcasecmp( b->a_dnpat, "self" ) == 0 && 
-				op->o_dn != NULL && *(op->o_dn) && e->e_dn != NULL ) 
+				op->o_ndn != NULL && *(op->o_ndn) && e->e_dn != NULL ) 
 			{
-				if ( strcasecmp( edn, op->o_dn ) == 0 ) {
+				if ( strcmp( edn, op->o_ndn ) == 0 ) {
 					Debug( LDAP_DEBUG_ACL,
 					"<= acl_access_allowed: matched by clause #%d access %s\n",
 					    i, (b->a_access & ~ACL_SELF) >=
 					    access ? "granted" : "denied", 0 );
 
-					if ( odn ) free( odn );
 					return( (b->a_access & ~ACL_SELF) >= access );
 				}
 			} else {
@@ -293,7 +282,6 @@ acl_access_allowed(
 				    i, (b->a_access & ~ACL_SELF) >= access ?
 					    "granted" : "denied", 0 );
 
-					if ( odn ) free( odn );
 					return( (b->a_access & ~ACL_SELF) >= access );
 				}
 			}
@@ -305,7 +293,6 @@ acl_access_allowed(
 				    i, (b->a_access & ~ACL_SELF) >= access ?
 				    "granted" : "denied", 0 );
 
-				if ( odn ) free( odn );
 				return( (b->a_access & ~ACL_SELF) >= access );
 			}
 		}
@@ -319,11 +306,10 @@ acl_access_allowed(
 				    i, (b->a_access & ~ACL_SELF) >= access ?
 				    "granted" : "denied", 0 );
 
-				if ( odn ) free( odn );
 				return( (b->a_access & ~ACL_SELF) >= access );
 			}
 		}
-		if ( b->a_dnattr != NULL && op->o_dn != NULL ) {
+		if ( b->a_dnattr != NULL && op->o_ndn != NULL ) {
 			Debug( LDAP_DEBUG_ARGS, "<= check a_dnattr: %s\n",
 				b->a_dnattr, 0, 0);
 			/* see if asker is listed in dnattr */
@@ -336,7 +322,6 @@ acl_access_allowed(
 					continue;
 				}
 
-				if ( odn ) free( odn );
 				Debug( LDAP_DEBUG_ACL,
 				    "<= acl_acces_allowed: matched by clause #%d access %s\n",
 				    i, (b->a_access & ~ACL_SELF) >= access ?
@@ -352,7 +337,6 @@ acl_access_allowed(
 				continue;
 			}
 
-			if ( odn ) free( odn );
 			Debug( LDAP_DEBUG_ACL,
 				"<= acl_access_allowed: matched by clause #%d (self) access %s\n",
 			    i, (b->a_access & ~ACL_SELF) >= access ? "granted"
@@ -360,34 +344,30 @@ acl_access_allowed(
 
 			return( (b->a_access & ~ACL_SELF) >= access );
 		}
-#ifdef ACLGROUP
-		if ( b->a_group != NULL && op->o_dn != NULL ) {
-			char buf[512];
+#ifdef SLAPD_ACLGROUPS
+		if ( b->a_group != NULL && op->o_ndn != NULL ) {
+			char buf[1024];
 
 			/* b->a_group is an unexpanded entry name, expanded it should be an 
 			 * entry with objectclass group* and we test to see if odn is one of
-			 * the values in the attribute uniquegroup
+			 * the values in the attribute group
 			 */
-			Debug( LDAP_DEBUG_ARGS, "<= check a_group: %s\n",
-				b->a_group, 0, 0);
-			Debug( LDAP_DEBUG_ARGS, "<= check a_group: odn: %s\n",
-				odn, 0, 0);
-
 			/* see if asker is listed in dnattr */
 			string_expand(buf, sizeof(buf), b->a_group, edn, matches);
+			(void) dn_normalize_case(buf);
 
-			if (be_group(be, buf, odn) == 0) {
+			if (backend_group(be, e, buf, odn,
+				b->a_objectclassvalue, b->a_groupattrname) == 0)
+			{
 				Debug( LDAP_DEBUG_ACL,
 					"<= acl_access_allowed: matched by clause #%d (group) access granted\n",
 					i, 0, 0 );
-				if ( odn ) free( odn );
 				return( (b->a_access & ~ACL_SELF) >= access );
 			}
 		}
-#endif /* ACLGROUP */
+#endif /* SLAPD_ACLGROUPS */
 	}
 
-	if ( odn ) free( odn );
 	Debug( LDAP_DEBUG_ACL,
 		"<= acl_access_allowed: %s by default (no matching by)\n",
 	    default_access >= access ? "granted" : "denied", 0, 0 );
@@ -396,7 +376,7 @@ acl_access_allowed(
 }
 
 /*
- * acl_check_mods - check access control on the given entry to see if
+ * acl_check_modlist - check access control on the given entry to see if
  * it allows the given modifications by the user associated with op.
  * returns	LDAP_SUCCESS	mods allowed ok
  *		anything else	mods not allowed - return is an error
@@ -404,68 +384,63 @@ acl_access_allowed(
  */
 
 int
-acl_check_mods(
+acl_check_modlist(
     Backend	*be,
     Connection	*conn,
     Operation	*op,
     Entry	*e,
-    LDAPMod	*mods
+    LDAPModList	*mlist
 )
 {
 	int		i;
 	struct acl	*a;
-	char            *edn;
-
-	edn = dn_normalize_case( strdup( e->e_dn ) );
+	char	*edn = e->e_ndn;
 
-	for ( ; mods != NULL; mods = mods->mod_next ) {
+	for ( ; mlist != NULL; mlist = mlist->ml_next ) {
 		regmatch_t       matches[MAXREMATCHES];
 
 		/* the lastmod attributes are ignored by ACL checking */
-		if ( strcasecmp( mods->mod_type, "modifiersname" ) == 0 ||
-			strcasecmp( mods->mod_type, "modifytimestamp" ) == 0 ||
-			strcasecmp( mods->mod_type, "creatorsname" ) == 0 ||
-			strcasecmp( mods->mod_type, "createtimestamp" ) == 0 ) 
+		if ( strcasecmp( mlist->ml_type, "modifiersname" ) == 0 ||
+			strcasecmp( mlist->ml_type, "modifytimestamp" ) == 0 ||
+			strcasecmp( mlist->ml_type, "creatorsname" ) == 0 ||
+			strcasecmp( mlist->ml_type, "createtimestamp" ) == 0 ) 
 		{
 			Debug( LDAP_DEBUG_ACL, "LASTMOD attribute: %s access allowed\n",
-				mods->mod_type, 0, 0 );
+				mlist->ml_type, 0, 0 );
 			continue;
 		}
 
-		a = acl_get_applicable( be, op, e, mods->mod_type, edn,
+		a = acl_get_applicable( be, op, e, mlist->ml_type,
 			MAXREMATCHES, matches );
 
-		switch ( mods->mod_op & ~LDAP_MOD_BVALUES ) {
+		switch ( mlist->ml_op & ~LDAP_MOD_BVALUES ) {
 		case LDAP_MOD_REPLACE:
 		case LDAP_MOD_ADD:
-			if ( mods->mod_bvalues == NULL ) {
+			if ( mlist->ml_bvalues == NULL ) {
 				break;
 			}
-			for ( i = 0; mods->mod_bvalues[i] != NULL; i++ ) {
-				if ( ! acl_access_allowed( a, be, conn, e, mods->mod_bvalues[i], 
+			for ( i = 0; mlist->ml_bvalues[i] != NULL; i++ ) {
+				if ( ! acl_access_allowed( a, be, conn, e, mlist->ml_bvalues[i], 
 					op, ACL_WRITE, edn, matches) ) 
 				{
-					free(edn);
 					return( LDAP_INSUFFICIENT_ACCESS );
 				}
 			}
 			break;
 
 		case LDAP_MOD_DELETE:
-			if ( mods->mod_bvalues == NULL ) {
+			if ( mlist->ml_bvalues == NULL ) {
 				if ( ! acl_access_allowed( a, be, conn, e,
 					NULL, op, ACL_WRITE, edn, matches) ) 
 				{
-					free(edn);
 					return( LDAP_INSUFFICIENT_ACCESS );
 				}
 				break;
 			}
-			for ( i = 0; mods->mod_bvalues[i] != NULL; i++ ) {
-				if ( ! acl_access_allowed( a, be, conn, e, mods->mod_bvalues[i], 
+			for ( i = 0; mlist->ml_bvalues[i] != NULL; i++ ) {
+				if ( ! acl_access_allowed( a, be, conn, e, mlist->ml_bvalues[i], 
 					op, ACL_WRITE, edn, matches) ) 
 				{
-					free(edn);
 					return( LDAP_INSUFFICIENT_ACCESS );
 				}
 			}
@@ -473,11 +448,11 @@ acl_check_mods(
 		}
 	}
 
-	free(edn);
 	return( LDAP_SUCCESS );
 }
 
-static string_expand(
+static void
+string_expand(
 	char *newbuf,
 	int bufsiz,
 	char *pat,
@@ -493,7 +468,7 @@ static string_expand(
 	newbuf[0] = '\0';
 
 	flag = 0;
-	for ( dp = newbuf, sp = pat; size < 512 && *sp ; sp++) {
+	for ( dp = newbuf, sp = pat; size < bufsiz && *sp ; sp++) {
 		/* did we previously see a $ */
 		if (flag) {
 			if (*sp == '$') {