X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Faclparse.c;h=00c93c23b1ea036d99c88214c4cd57981883ffd9;hb=0f30fb0d8f0adbbb7b41fd455c57aa56d64c9853;hp=e32e5ee67564449905e6c4050b1065be532e433f;hpb=51d1c90887295721530ded3ae86985062a9889da;p=openldap diff --git a/servers/slapd/aclparse.c b/servers/slapd/aclparse.c index e32e5ee675..00c93c23b1 100644 --- a/servers/slapd/aclparse.c +++ b/servers/slapd/aclparse.c @@ -1,4 +1,9 @@ -/* acl.c - routines to parse and check acl's */ +/* aclparse.c - routines to parse and check acl's */ +/* $OpenLDAP$ */ +/* + * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved. + * COPYING RESTRICTIONS APPLY, see COPYRIGHT file + */ #include "portable.h" @@ -13,16 +18,18 @@ #include "slap.h" static void split(char *line, int splitchar, char **left, char **right); -static void acl_append(struct acl **l, struct acl *a); -static void access_append(struct access **l, struct access *a); -static void acl_usage(void); +static void access_append(Access **l, Access *a); +static void acl_usage(void) LDAP_GCCATTR((noreturn)); + +static char *acl_regex_normalized_dn(const char *pattern); + #ifdef LDAP_DEBUG -static void print_acl(struct acl *a); -static void print_access(struct access *b); +static void print_acl(Backend *be, AccessControl *a); +static void print_access(Access *b); #endif static int -regtest(char *fname, int lineno, char *pat) { +regtest(const char *fname, int lineno, char *pat) { int e; regex_t re; @@ -60,7 +67,7 @@ regtest(char *fname, int lineno, char *pat) { if ( size >= (sizeof(buf)-1) ) { fprintf( stderr, "%s: line %d: regular expression \"%s\" too large\n", - fname, lineno, pat, 0 ); + fname, lineno, pat ); acl_usage(); } @@ -80,16 +87,18 @@ regtest(char *fname, int lineno, char *pat) { void parse_acl( Backend *be, - char *fname, + const char *fname, int lineno, int argc, char **argv ) { int i; - char *left, *right; - struct acl *a; - struct access *b; + char *left, *right, *style; + AccessControl *a; + Access *b; + int rc; + const char *text; a = NULL; for ( i = 1; i < argc; i++ ) { @@ -101,7 +110,12 @@ parse_acl( fname, lineno ); acl_usage(); } - a = (struct acl *) ch_calloc( 1, sizeof(struct acl) ); + a = (AccessControl *) ch_calloc( 1, sizeof(AccessControl) ); + a->acl_filter = NULL; + a->acl_dn_pat = NULL; + a->acl_attrs = NULL; + a->acl_access = NULL; + a->acl_next = NULL; for ( ++i; i < argc; i++ ) { if ( strcasecmp( argv[i], "by" ) == 0 ) { i--; @@ -109,29 +123,80 @@ parse_acl( } if ( strcasecmp( argv[i], "*" ) == 0 ) { - int e; - if ((e = regcomp( &a->acl_dnre, ".*", - REG_EXTENDED|REG_ICASE))) - { - char buf[512]; - regerror(e, &a->acl_dnre, buf, sizeof(buf)); + if( a->acl_dn_pat != NULL ) { fprintf( stderr, - "%s: line %d: regular expression \"%s\" bad because of %s\n", - fname, lineno, right, buf ); + "%s: line %d: dn pattern" + " already specified in to clause.\n", + fname, lineno ); acl_usage(); } - a->acl_dnpat = ch_strdup( ".*" ); + + a->acl_dn_pat = ch_strdup( "*" ); continue; } split( argv[i], '=', &left, &right ); - if ( right == NULL || *right == '\0' ) { + split( left, '.', &left, &style ); + + if ( right == NULL ) { fprintf( stderr, - "%s: line %d: missing \"=\" in (or value after) \"%s\" in to clause\n", + "%s: line %d: missing \"=\" in \"%s\" in to clause\n", fname, lineno, left ); acl_usage(); } + if ( strcasecmp( left, "dn" ) == 0 ) { + if( a->acl_dn_pat != NULL ) { + fprintf( stderr, + "%s: line %d: dn pattern" + " already specified in to clause.\n", + fname, lineno ); + acl_usage(); + } + + if ( style == NULL || *style == '\0' + || strcasecmp( style, "regex" ) == 0 ) + { + a->acl_dn_style = ACL_STYLE_REGEX; + if ( strcmp(right, "*") == 0 + || strcmp(right, ".*") == 0 + || strcmp(right, ".*$") == 0 + || strcmp(right, "^.*") == 0 + || strcmp(right, "^.*$$") == 0 + || strcmp(right, ".*$$") == 0 + || strcmp(right, "^.*$$") == 0 ) + { + a->acl_dn_pat = ch_strdup( "*" ); + + } else { + a->acl_dn_pat = acl_regex_normalized_dn( right ); + } + } else if ( strcasecmp( style, "base" ) == 0 ) { + a->acl_dn_style = ACL_STYLE_BASE; + a->acl_dn_pat = ch_strdup( right ); + + } else if ( strcasecmp( style, "one" ) == 0 ) { + a->acl_dn_style = ACL_STYLE_ONE; + a->acl_dn_pat = ch_strdup( right ); + + } else if ( strcasecmp( style, "subtree" ) == 0 ) { + a->acl_dn_style = ACL_STYLE_SUBTREE; + a->acl_dn_pat = ch_strdup( right ); + + } else if ( strcasecmp( style, "children" ) == 0 ) { + a->acl_dn_style = ACL_STYLE_CHILDREN; + a->acl_dn_pat = ch_strdup( right ); + + } else { + fprintf( stderr, + "%s: line %d: unknown dn style \"%s\" in to clause\n", + fname, lineno, style ); + acl_usage(); + } + + continue; + } + if ( strcasecmp( left, "filter" ) == 0 ) { if ( (a->acl_filter = str2filter( right )) == NULL ) { @@ -140,27 +205,14 @@ parse_acl( fname, lineno, right ); acl_usage(); } - } else if ( strcasecmp( left, "dn" ) == 0 ) { - int e; - if ((e = regcomp(&a->acl_dnre, right, - REG_EXTENDED|REG_ICASE))) { - char buf[512]; - regerror(e, &a->acl_dnre, buf, sizeof(buf)); - fprintf( stderr, - "%s: line %d: regular expression \"%s\" bad because of %s\n", - fname, lineno, right, buf ); - acl_usage(); - } else { - a->acl_dnpat = dn_upcase(ch_strdup( right )); - } - } else if ( strncasecmp( left, "attr", 4 ) - == 0 ) { + } else if ( strncasecmp( left, "attr", 4 ) == 0 ) { char **alist; alist = str2charray( right, "," ); charray_merge( &a->acl_attrs, alist ); charray_free( alist ); + } else { fprintf( stderr, "%s: line %d: expecting got \"%s\"\n", @@ -169,6 +221,30 @@ parse_acl( } } + if ( a->acl_dn_pat != NULL && strcmp(a->acl_dn_pat, "*") == 0) { + free( a->acl_dn_pat ); + a->acl_dn_pat = NULL; + } + + if( a->acl_dn_pat != NULL ) { + if ( a->acl_dn_style != ACL_STYLE_REGEX ) + { + dn_normalize(a->acl_dn_pat); + + } else { + int e = regcomp( &a->acl_dn_re, a->acl_dn_pat, + REG_EXTENDED | REG_ICASE ); + if ( e ) { + char buf[512]; + regerror( e, &a->acl_dn_re, buf, sizeof(buf) ); + fprintf( stderr, + "%s: line %d: regular expression \"%s\" bad because of %s\n", + fname, lineno, right, buf ); + acl_usage(); + } + } + } + /* by clause - select who has what access to entries */ } else if ( strcasecmp( argv[i], "by" ) == 0 ) { if ( a == NULL ) { @@ -177,11 +253,14 @@ parse_acl( fname, lineno ); acl_usage(); } + /* * by clause consists of and */ - b = (struct access *) ch_calloc( 1, sizeof(struct access) ); + b = (Access *) ch_calloc( 1, sizeof(Access) ); + + ACL_INVALIDATE( b->a_access_mask ); if ( ++i == argc ) { fprintf( stderr, @@ -191,85 +270,657 @@ parse_acl( } /* get */ - split( argv[i], '=', &left, &right ); - if ( strcasecmp( argv[i], "*" ) == 0 ) { - b->a_dnpat = ch_strdup( ".*" ); - } else if ( strcasecmp( argv[i], "anonymous" ) == 0 ) { - b->a_dnpat = ch_strdup( "anonymous" ); - } else if ( strcasecmp( argv[i], "self" ) == 0 ) { - b->a_dnpat = ch_strdup( "self" ); - } else if ( strcasecmp( left, "dn" ) == 0 ) { - regtest(fname, lineno, right); - b->a_dnpat = dn_upcase( ch_strdup( right ) ); - } else if ( strcasecmp( left, "dnattr" ) == 0 ) { - b->a_dnattr = ch_strdup( right ); - - } else if ( strncasecmp( left, "group", sizeof("group")-1 ) == 0 ) { - char *name = NULL; - char *value = NULL; - - /* format of string is "group/objectClassValue/groupAttrName" */ - if ((value = strchr(left, '/')) != NULL) { - *value++ = '\0'; - if (value && *value - && (name = strchr(value, '/')) != NULL) + for ( ; i < argc; i++ ) { + char *pat; + slap_style_t sty = ACL_STYLE_REGEX; + + split( argv[i], '=', &left, &right ); + split( left, '.', &left, &style ); + if ( style == NULL || *style == '\0' + || strcasecmp( style, "regex" ) == 0 ) + { + sty = ACL_STYLE_REGEX; + } else if ( strcasecmp( style, "exact" ) == 0 ) { + sty = ACL_STYLE_EXACT; + } else if ( strcasecmp( style, "base" ) == 0 ) { + sty = ACL_STYLE_BASE; + } else if ( strcasecmp( style, "one" ) == 0 ) { + sty = ACL_STYLE_ONE; + } else if ( strcasecmp( style, "subtree" ) == 0 ) { + sty = ACL_STYLE_SUBTREE; + } else if ( strcasecmp( style, "children" ) == 0 ) { + sty = ACL_STYLE_CHILDREN; + } else { + fprintf( stderr, + "%s: line %d: unknown style \"%s\" in by clause\n", + fname, lineno, style ); + acl_usage(); + } + + if ( strcasecmp( argv[i], "*" ) == 0 ) { + pat = ch_strdup( "*" ); + + } else if ( strcasecmp( argv[i], "anonymous" ) == 0 ) { + pat = ch_strdup( "anonymous" ); + + } else if ( strcasecmp( argv[i], "self" ) == 0 ) { + pat = ch_strdup( "self" ); + + } else if ( strcasecmp( argv[i], "users" ) == 0 ) { + pat = ch_strdup( "users" ); + + } else if ( strcasecmp( left, "dn" ) == 0 ) { + if ( sty == ACL_STYLE_REGEX ) { + b->a_dn_style = ACL_STYLE_REGEX; + if( right == NULL ) { + /* no '=' */ + pat = ch_strdup( "users" ); + + } else if (*right == '\0' ) { + /* dn="" */ + pat = ch_strdup( "anonymous" ); + + } else if ( strcmp( right, "*" ) == 0 ) { + /* dn=* */ + /* any or users? users for now */ + pat = ch_strdup( "users" ); + + } else if ( strcmp( right, ".+" ) == 0 + || strcmp( right, "^.+" ) == 0 + || strcmp( right, ".+$" ) == 0 + || strcmp( right, "^.+$" ) == 0 + || strcmp( right, ".+$$" ) == 0 + || strcmp( right, "^.+$$" ) == 0 ) + { + pat = ch_strdup( "users" ); + + } else if ( strcmp( right, ".*" ) == 0 + || strcmp( right, "^.*" ) == 0 + || strcmp( right, ".*$" ) == 0 + || strcmp( right, "^.*$" ) == 0 + || strcmp( right, ".*$$" ) == 0 + || strcmp( right, "^.*$$" ) == 0 ) + { + pat = ch_strdup( "*" ); + + } else { + pat = acl_regex_normalized_dn( right ); + regtest(fname, lineno, pat); + } + } else if ( right == NULL || *right == '\0' ) { + fprintf( stderr, + "%s: line %d: missing \"=\" in (or value after) \"%s\" in by clause\n", + fname, lineno, left ); + acl_usage(); + + } else { + pat = ch_strdup( right ); + } + + } else { + pat = NULL; + } + + if( pat != NULL ) { + if( b->a_dn_pat != NULL ) { + fprintf( stderr, + "%s: line %d: dn pattern already specified.\n", + fname, lineno ); + acl_usage(); + } + + b->a_dn_pat = pat; + b->a_dn_style = sty; + if ( sty != ACL_STYLE_REGEX ) + dn_normalize(pat); + continue; + } + + if ( strcasecmp( left, "dnattr" ) == 0 ) { + if ( right == NULL || right[ 0 ] == '\0' ) { + fprintf( stderr, + "%s: line %d: missing \"=\" in (or value after) \"%s\" in by clause\n", + fname, lineno, left ); + acl_usage(); + } + + if( b->a_dn_at != NULL ) { + fprintf( stderr, + "%s: line %d: dnattr already specified.\n", + fname, lineno ); + acl_usage(); + } + + rc = slap_str2ad( right, &b->a_dn_at, &text ); + + if( rc != LDAP_SUCCESS ) { + fprintf( stderr, + "%s: line %d: dnattr \"%s\": %s\n", + fname, lineno, right, text ); + acl_usage(); + } + + + if( !is_at_syntax( b->a_dn_at->ad_type, + SLAPD_DN_SYNTAX ) && + !is_at_syntax( b->a_dn_at->ad_type, + SLAPD_NAMEUID_SYNTAX )) { - *name++ = '\0'; + fprintf( stderr, + "%s: line %d: dnattr \"%s\": " + "inappropriate syntax: %s\n", + fname, lineno, right, + b->a_dn_at->ad_type->sat_syntax_oid ); + acl_usage(); } + + continue; } - regtest(fname, lineno, right); - b->a_group = dn_upcase(ch_strdup( right )); + if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) { + fprintf( stderr, + "%s: line %d: inappropriate style \"%s\" in by clause\n", + fname, lineno, style ); + acl_usage(); + } - if (value && *value) { - b->a_group_oc = ch_strdup(value); - *--value = '/'; - } else { - b->a_group_oc = ch_strdup("groupOfNames"); + if ( strncasecmp( left, "group", sizeof("group")-1 ) == 0 ) { + char *name = NULL; + char *value = NULL; + + if ( right == NULL || right[ 0 ] == '\0' ) { + fprintf( stderr, + "%s: line %d: missing \"=\" in (or value after) \"%s\" in by clause\n", + fname, lineno, left ); + acl_usage(); + } + + if( b->a_group_pat != NULL ) { + fprintf( stderr, + "%s: line %d: group pattern already specified.\n", + fname, lineno ); + acl_usage(); + } + + /* format of string is "group/objectClassValue/groupAttrName" */ + if ((value = strchr(left, '/')) != NULL) { + *value++ = '\0'; + if (*value + && (name = strchr(value, '/')) != NULL) + { + *name++ = '\0'; + } + } + + b->a_group_style = sty; + if (sty == ACL_STYLE_REGEX) { + char *tmp = acl_regex_normalized_dn( right ); + regtest(fname, lineno, tmp); + b->a_group_pat = tmp; + } else { + b->a_group_pat = ch_strdup( right ); + dn_normalize(b->a_group_pat); + } + + if (value && *value) { + b->a_group_oc = oc_find( value ); + *--value = '/'; + + if( b->a_group_oc == NULL ) { + fprintf( stderr, + "%s: line %d: group objectclass " + "\"%s\" unknown\n", + fname, lineno, value ); + acl_usage(); + } + } else { + b->a_group_oc = oc_find(SLAPD_GROUP_CLASS); + + if( b->a_group_oc == NULL ) { + fprintf( stderr, + "%s: line %d: group default objectclass " + "\"%s\" unknown\n", + fname, lineno, SLAPD_GROUP_CLASS ); + acl_usage(); + } + } + + if( is_object_subclass( b->a_group_oc, + slap_schema.si_oc_referral ) ) + { + fprintf( stderr, + "%s: line %d: group objectclass \"%s\" " + "is subclass of referral\n", + fname, lineno, value ); + acl_usage(); + } + + if( is_object_subclass( b->a_group_oc, + slap_schema.si_oc_alias ) ) + { + fprintf( stderr, + "%s: line %d: group objectclass \"%s\" " + "is subclass of alias\n", + fname, lineno, value ); + acl_usage(); + } if (name && *name) { - b->a_group_at = ch_strdup(name); + rc = slap_str2ad( name, &b->a_group_at, &text ); + + if( rc != LDAP_SUCCESS ) { + fprintf( stderr, + "%s: line %d: group \"%s\": %s\n", + fname, lineno, right, text ); + acl_usage(); + } *--name = '/'; + } else { + rc = slap_str2ad( SLAPD_GROUP_ATTR, &b->a_group_at, &text ); + + if( rc != LDAP_SUCCESS ) { + fprintf( stderr, + "%s: line %d: group \"%s\": %s\n", + fname, lineno, SLAPD_GROUP_ATTR, text ); + acl_usage(); + } + } + + if( !is_at_syntax( b->a_group_at->ad_type, + SLAPD_DN_SYNTAX ) && + !is_at_syntax( b->a_group_at->ad_type, + SLAPD_NAMEUID_SYNTAX ) ) + { + fprintf( stderr, + "%s: line %d: group \"%s\": inappropriate syntax: %s\n", + fname, lineno, right, + b->a_group_at->ad_type->sat_syntax_oid ); + acl_usage(); + } + + + { + int rc; + struct berval val; + struct berval *vals[2]; + + val.bv_val = b->a_group_oc->soc_oid; + val.bv_len = strlen(val.bv_val); + vals[0] = &val; + vals[1] = NULL; + + rc = oc_check_allowed( b->a_group_at->ad_type, vals ); + + if( rc != 0 ) { + fprintf( stderr, + "%s: line %d: group: \"%s\" not allowed by \"%s\"\n", + fname, lineno, + b->a_group_at->ad_cname.bv_val, + b->a_group_oc->soc_oid ); + acl_usage(); + } + } + continue; + } + + if ( strcasecmp( left, "peername" ) == 0 ) { + if ( right == NULL || right[ 0 ] == '\0' ) { + fprintf( stderr, + "%s: line %d: missing \"=\" in (or value after) \"%s\" in by clause\n", + fname, lineno, left ); + acl_usage(); + } + + if( b->a_peername_pat != NULL ) { + fprintf( stderr, + "%s: line %d: peername pattern already specified.\n", + fname, lineno ); + acl_usage(); + } + + b->a_peername_style = sty; + if (sty == ACL_STYLE_REGEX) { + char *tmp = acl_regex_normalized_dn( right ); + regtest(fname, lineno, tmp); + b->a_peername_pat = tmp; } else { - b->a_group_at = ch_strdup("member"); + b->a_peername_pat = ch_strdup( right ); } + continue; } - } else if ( strcasecmp( left, "domain" ) == 0 ) { - char *s; - regtest(fname, lineno, right); - b->a_domainpat = ch_strdup( right ); + if ( strcasecmp( left, "sockname" ) == 0 ) { + if ( right == NULL || right[ 0 ] == '\0' ) { + fprintf( stderr, + "%s: line %d: missing \"=\" in (or value after) \"%s\" in by clause\n", + fname, lineno, left ); + acl_usage(); + } + + if( b->a_sockname_pat != NULL ) { + fprintf( stderr, + "%s: line %d: sockname pattern already specified.\n", + fname, lineno ); + acl_usage(); + } - /* normalize the domain */ - for ( s = b->a_domainpat; *s; s++ ) { - *s = TOLOWER( (unsigned char) *s ); + b->a_sockname_style = sty; + if (sty == ACL_STYLE_REGEX) { + char *tmp = acl_regex_normalized_dn( right ); + regtest(fname, lineno, tmp); + b->a_sockname_pat = tmp; + } else { + b->a_sockname_pat = ch_strdup( right ); + } + continue; } - } else if ( strcasecmp( left, "addr" ) == 0 ) { - regtest(fname, lineno, right); - b->a_addrpat = ch_strdup( right ); - } else { - fprintf( stderr, - "%s: line %d: expecting got \"%s\"\n", - fname, lineno, left ); - acl_usage(); + + if ( strcasecmp( left, "domain" ) == 0 ) { + if ( right == NULL || right[ 0 ] == '\0' ) { + fprintf( stderr, + "%s: line %d: missing \"=\" in (or value after) \"%s\" in by clause\n", + fname, lineno, left ); + acl_usage(); + } + + if( b->a_domain_pat != NULL ) { + fprintf( stderr, + "%s: line %d: domain pattern already specified.\n", + fname, lineno ); + acl_usage(); + } + + b->a_domain_style = sty; + if (sty == ACL_STYLE_REGEX) { + char *tmp = acl_regex_normalized_dn( right ); + regtest(fname, lineno, tmp); + b->a_domain_pat = tmp; + } else { + b->a_domain_pat = ch_strdup( right ); + } + continue; + } + + if ( strcasecmp( left, "sockurl" ) == 0 ) { + if ( right == NULL || right[ 0 ] == '\0' ) { + fprintf( stderr, + "%s: line %d: missing \"=\" in (or value after) \"%s\" in by clause\n", + fname, lineno, left ); + acl_usage(); + } + + if( b->a_sockurl_pat != NULL ) { + fprintf( stderr, + "%s: line %d: sockurl pattern already specified.\n", + fname, lineno ); + acl_usage(); + } + + b->a_sockurl_style = sty; + if (sty == ACL_STYLE_REGEX) { + char *tmp = acl_regex_normalized_dn( right ); + regtest(fname, lineno, tmp); + b->a_sockurl_pat = tmp; + } else { + b->a_sockurl_pat = ch_strdup( right ); + } + continue; + } + + if ( strcasecmp( left, "set" ) == 0 ) { + if( b->a_set_pat != NULL ) { + fprintf( stderr, + "%s: line %d: set attribute already specified.\n", + fname, lineno ); + acl_usage(); + } + + if ( right == NULL || *right == '\0' ) { + fprintf( stderr, + "%s: line %d: no set is defined\n", + fname, lineno ); + acl_usage(); + } + + b->a_set_style = sty; + b->a_set_pat = ch_strdup(right); + + continue; + } + +#ifdef SLAPD_ACI_ENABLED + if ( strcasecmp( left, "aci" ) == 0 ) { + if( b->a_aci_at != NULL ) { + fprintf( stderr, + "%s: line %d: aci attribute already specified.\n", + fname, lineno ); + acl_usage(); + } + + if ( right != NULL && *right != '\0' ) { + rc = slap_str2ad( right, &b->a_aci_at, &text ); + + if( rc != LDAP_SUCCESS ) { + fprintf( stderr, + "%s: line %d: aci \"%s\": %s\n", + fname, lineno, right, text ); + acl_usage(); + } + + } else { + rc = slap_str2ad( SLAPD_ACI_ATTR, &b->a_aci_at, &text ); + + if( rc != LDAP_SUCCESS ) { + fprintf( stderr, + "%s: line %d: aci \"%s\": %s\n", + fname, lineno, SLAPD_ACI_ATTR, text ); + acl_usage(); + } + } + + if( !is_at_syntax( b->a_aci_at->ad_type, + SLAPD_ACI_SYNTAX) ) + { + fprintf( stderr, + "%s: line %d: aci \"%s\": inappropriate syntax: %s\n", + fname, lineno, right, + b->a_aci_at->ad_type->sat_syntax_oid ); + acl_usage(); + } + + continue; + } +#endif /* SLAPD_ACI_ENABLED */ + + if ( strcasecmp( left, "ssf" ) == 0 ) { + if( b->a_authz.sai_ssf ) { + fprintf( stderr, + "%s: line %d: ssf attribute already specified.\n", + fname, lineno ); + acl_usage(); + } + + if ( right == NULL || *right == '\0' ) { + fprintf( stderr, + "%s: line %d: no ssf is defined\n", + fname, lineno ); + acl_usage(); + } + + b->a_authz.sai_ssf = atoi( right ); + + if( !b->a_authz.sai_ssf ) { + fprintf( stderr, + "%s: line %d: invalid ssf value (%s)\n", + fname, lineno, right ); + acl_usage(); + } + continue; + } + + if ( strcasecmp( left, "transport_ssf" ) == 0 ) { + if( b->a_authz.sai_transport_ssf ) { + fprintf( stderr, + "%s: line %d: transport_ssf attribute already specified.\n", + fname, lineno ); + acl_usage(); + } + + if ( right == NULL || *right == '\0' ) { + fprintf( stderr, + "%s: line %d: no transport_ssf is defined\n", + fname, lineno ); + acl_usage(); + } + + b->a_authz.sai_transport_ssf = atoi( right ); + + if( !b->a_authz.sai_transport_ssf ) { + fprintf( stderr, + "%s: line %d: invalid transport_ssf value (%s)\n", + fname, lineno, right ); + acl_usage(); + } + continue; + } + + if ( strcasecmp( left, "tls_ssf" ) == 0 ) { + if( b->a_authz.sai_tls_ssf ) { + fprintf( stderr, + "%s: line %d: tls_ssf attribute already specified.\n", + fname, lineno ); + acl_usage(); + } + + if ( right == NULL || *right == '\0' ) { + fprintf( stderr, + "%s: line %d: no tls_ssf is defined\n", + fname, lineno ); + acl_usage(); + } + + b->a_authz.sai_tls_ssf = atoi( right ); + + if( !b->a_authz.sai_tls_ssf ) { + fprintf( stderr, + "%s: line %d: invalid tls_ssf value (%s)\n", + fname, lineno, right ); + acl_usage(); + } + continue; + } + + if ( strcasecmp( left, "sasl_ssf" ) == 0 ) { + if( b->a_authz.sai_sasl_ssf ) { + fprintf( stderr, + "%s: line %d: sasl_ssf attribute already specified.\n", + fname, lineno ); + acl_usage(); + } + + if ( right == NULL || *right == '\0' ) { + fprintf( stderr, + "%s: line %d: no sasl_ssf is defined\n", + fname, lineno ); + acl_usage(); + } + + b->a_authz.sai_sasl_ssf = atoi( right ); + + if( !b->a_authz.sai_sasl_ssf ) { + fprintf( stderr, + "%s: line %d: invalid sasl_ssf value (%s)\n", + fname, lineno, right ); + acl_usage(); + } + continue; + } + + if( right != NULL ) { + /* unsplit */ + right[-1] = '='; + } + break; } - if ( ++i == argc ) { - fprintf( stderr, - "%s: line %d: premature eol: expecting \n", - fname, lineno ); - acl_usage(); + if( i == argc || ( strcasecmp( left, "stop" ) == 0 )) { + /* out of arguments or plain stop */ + + ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE); + b->a_type = ACL_STOP; + + access_append( &a->acl_access, b ); + continue; + } + + if( strcasecmp( left, "continue" ) == 0 ) { + /* plain continue */ + + ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE); + b->a_type = ACL_CONTINUE; + + access_append( &a->acl_access, b ); + continue; + } + + if( strcasecmp( left, "break" ) == 0 ) { + /* plain continue */ + + ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE); + b->a_type = ACL_BREAK; + + access_append( &a->acl_access, b ); + continue; + } + + if ( strcasecmp( left, "by" ) == 0 ) { + /* we've gone too far */ + --i; + ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE); + b->a_type = ACL_STOP; + + access_append( &a->acl_access, b ); + continue; } /* get */ - split( argv[i], '=', &left, &right ); - if ( ACL_IS_INVALID(ACL_SET(b->a_access,str2access( left ))) ) { + if( strncasecmp( left, "self", 4 ) == 0 ) { + b->a_dn_self = 1; + ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[4] ) ); + + } else { + ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( left ) ); + } + + if( ACL_IS_INVALID( b->a_access_mask ) ) { fprintf( stderr, - "%s: line %d: expecting got \"%s\"\n", - fname, lineno, left ); + "%s: line %d: expecting got \"%s\"\n", + fname, lineno, left ); acl_usage(); } + + b->a_type = ACL_STOP; + + if( ++i == argc ) { + /* out of arguments or plain stop */ + access_append( &a->acl_access, b ); + continue; + } + + if( strcasecmp( argv[i], "continue" ) == 0 ) { + /* plain continue */ + b->a_type = ACL_CONTINUE; + + } else if( strcasecmp( argv[i], "break" ) == 0 ) { + /* plain continue */ + b->a_type = ACL_BREAK; + + } else if ( strcasecmp( argv[i], "stop" ) != 0 ) { + /* gone to far */ + i--; + } + access_append( &a->acl_access, b ); } else { @@ -287,10 +938,9 @@ parse_acl( fname, lineno ); } else { - #ifdef LDAP_DEBUG - if (ldap_debug & LDAP_DEBUG_ACL) - print_acl(a); + if (ldap_debug & LDAP_DEBUG_ACL) + print_acl(be, a); #endif if ( a->acl_access == NULL ) { @@ -308,80 +958,231 @@ parse_acl( } char * -access2str( int access ) +accessmask2str( slap_mask_t mask, char *buf ) { - static char buf[12]; + int none=1; + + assert( buf != NULL ); + + if ( ACL_IS_INVALID( mask ) ) { + return "invalid"; + } + + buf[0] = '\0'; + + if ( ACL_IS_LEVEL( mask ) ) { + if ( ACL_LVL_IS_NONE(mask) ) { + strcat( buf, "none" ); + + } else if ( ACL_LVL_IS_AUTH(mask) ) { + strcat( buf, "auth" ); + + } else if ( ACL_LVL_IS_COMPARE(mask) ) { + strcat( buf, "compare" ); + + } else if ( ACL_LVL_IS_SEARCH(mask) ) { + strcat( buf, "search" ); + + } else if ( ACL_LVL_IS_READ(mask) ) { + strcat( buf, "read" ); + + } else if ( ACL_LVL_IS_WRITE(mask) ) { + strcat( buf, "write" ); + } else { + strcat( buf, "unknown" ); + } + + strcat(buf, " ("); + } + + if( ACL_IS_ADDITIVE( mask ) ) { + strcat( buf, "+" ); + + } else if( ACL_IS_SUBTRACTIVE( mask ) ) { + strcat( buf, "-" ); - if ( ACL_IS_SELF( access ) ) { - strcpy( buf, "self" ); - } else { - buf[0] = '\0'; - } - - if ( ACL_IS_NONE(access) ) { - strcat( buf, "none" ); - } else if ( ACL_IS_AUTH(access) ) { - strcat( buf, "auth" ); - } else if ( ACL_IS_COMPARE(access) ) { - strcat( buf, "compare" ); - } else if ( ACL_IS_SEARCH(access) ) { - strcat( buf, "search" ); - } else if ( ACL_IS_READ(access) ) { - strcat( buf, "read" ); - } else if ( ACL_IS_WRITE(access) ) { - strcat( buf, "write" ); } else { - strcat( buf, "unknown" ); + strcat( buf, "=" ); } - return( buf ); + if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WRITE) ) { + none = 0; + strcat( buf, "w" ); + } + + if ( ACL_PRIV_ISSET(mask, ACL_PRIV_READ) ) { + none = 0; + strcat( buf, "r" ); + } + + if ( ACL_PRIV_ISSET(mask, ACL_PRIV_SEARCH) ) { + none = 0; + strcat( buf, "s" ); + } + + if ( ACL_PRIV_ISSET(mask, ACL_PRIV_COMPARE) ) { + none = 0; + strcat( buf, "c" ); + } + + if ( ACL_PRIV_ISSET(mask, ACL_PRIV_AUTH) ) { + none = 0; + strcat( buf, "x" ); + } + + if ( none && ACL_PRIV_ISSET(mask, ACL_PRIV_NONE) ) { + none = 0; + strcat( buf, "n" ); + } + + if ( none ) { + strcat( buf, "0" ); + } + + if ( ACL_IS_LEVEL( mask ) ) { + strcat(buf, ")"); + } + return buf; } -int -str2access( char *str ) +slap_mask_t +str2accessmask( const char *str ) { - int access; + slap_mask_t mask; + + if( !ASCII_ALPHA(str[0]) ) { + int i; + + if ( str[0] == '=' ) { + ACL_INIT(mask); + + } else if( str[0] == '+' ) { + ACL_PRIV_ASSIGN(mask, ACL_PRIV_ADDITIVE); + + } else if( str[0] == '-' ) { + ACL_PRIV_ASSIGN(mask, ACL_PRIV_SUBSTRACTIVE); + + } else { + ACL_INVALIDATE(mask); + return mask; + } + + for( i=1; str[i] != '\0'; i++ ) { + if( TOLOWER(str[i]) == 'w' ) { + ACL_PRIV_SET(mask, ACL_PRIV_WRITE); + + } else if( TOLOWER(str[i]) == 'r' ) { + ACL_PRIV_SET(mask, ACL_PRIV_READ); + + } else if( TOLOWER(str[i]) == 's' ) { + ACL_PRIV_SET(mask, ACL_PRIV_SEARCH); + + } else if( TOLOWER(str[i]) == 'c' ) { + ACL_PRIV_SET(mask, ACL_PRIV_COMPARE); - ACL_CLR(access); + } else if( TOLOWER(str[i]) == 'x' ) { + ACL_PRIV_SET(mask, ACL_PRIV_AUTH); - if ( strncasecmp( str, "self", 4 ) == 0 ) { - ACL_SET_SELF(access); - str += 4; + } else if( str[i] != '0' ) { + ACL_INVALIDATE(mask); + return mask; + } + } + + return mask; } if ( strcasecmp( str, "none" ) == 0 ) { - ACL_SET_NONE(access); + ACL_LVL_ASSIGN_NONE(mask); + } else if ( strcasecmp( str, "auth" ) == 0 ) { - ACL_SET_AUTH(access); + ACL_LVL_ASSIGN_AUTH(mask); + } else if ( strcasecmp( str, "compare" ) == 0 ) { - ACL_SET_COMPARE(access); + ACL_LVL_ASSIGN_COMPARE(mask); + } else if ( strcasecmp( str, "search" ) == 0 ) { - ACL_SET_SEARCH(access); + ACL_LVL_ASSIGN_SEARCH(mask); + } else if ( strcasecmp( str, "read" ) == 0 ) { - ACL_SET_READ(access); + ACL_LVL_ASSIGN_READ(mask); + } else if ( strcasecmp( str, "write" ) == 0 ) { - ACL_SET_WRITE(access); + ACL_LVL_ASSIGN_WRITE(mask); + } else { - ACL_SET_INVALID(access); + ACL_INVALIDATE( mask ); } - return( access ); + return mask; } static void acl_usage( void ) { fprintf( stderr, "\n" - " ::= access to [ by ]+ \n" - " ::= * | [dn=] [filter=] [attrs=]\n" + " ::= access to " + "[ by [ ] ]+ \n" + " ::= * | [dn[.]=] [filter=] [attrs=]\n" " ::= | , \n" " ::= | entry | children\n" - " ::= * | anonymous | self | dn= | addr=\n" - "\t| domain= | dnattr=\n" - "\t| group[/[/]]=\n" - " ::= [self]{none|auth|compare|search|read|write}\n" + " ::= [ * | anonymous | users | self | dn[.]= ]\n" + "\t[dnattr=]\n" + "\t[group[/[/]][.