X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Faclparse.c;h=051e4a6fb4ace6f12a3614915d89552ae188d208;hb=c3960b98d3b5fbd6ebeb200ca7799ece7b766d50;hp=0b018c1094143a80bcdfa6300034358f7b11ee82;hpb=eb9a3c18767fe87d2a1f7fbbc6b3d676779eb5b7;p=openldap diff --git a/servers/slapd/aclparse.c b/servers/slapd/aclparse.c index 0b018c1094..051e4a6fb4 100644 --- a/servers/slapd/aclparse.c +++ b/servers/slapd/aclparse.c @@ -52,6 +52,7 @@ char *style_strings[] = { "users", "self", "ip", + "ipv6", "path", NULL }; @@ -804,6 +805,14 @@ parse_acl( } else if ( strcasecmp( style, "ip" ) == 0 ) { sty = ACL_STYLE_IP; + } else if ( strcasecmp( style, "ipv6" ) == 0 ) { +#ifndef LDAP_PF_INET6 + Debug( LDAP_DEBUG_ANY, + "%s: line %d: IPv6 not supported\n", + fname, lineno, 0 ); +#endif /* ! LDAP_PF_INET6 */ + sty = ACL_STYLE_IPV6; + } else if ( strcasecmp( style, "path" ) == 0 ) { sty = ACL_STYLE_PATH; #ifndef LDAP_PF_LOCAL @@ -1270,13 +1279,13 @@ parse_acl( { int rc; - struct berval vals[2]; + ObjectClass *ocs[2]; - ber_str2bv( b->a_group_oc->soc_oid, 0, 0, &vals[0] ); - BER_BVZERO( &vals[1] ); + ocs[0] = b->a_group_oc; + ocs[1] = NULL; rc = oc_check_allowed( b->a_group_at->ad_type, - vals, NULL ); + ocs, NULL ); if( rc != 0 ) { char buf[ SLAP_TEXT_BUFLEN ]; @@ -1301,6 +1310,7 @@ parse_acl( case ACL_STYLE_EXPAND: /* cheap replacement to regex for simple expansion */ case ACL_STYLE_IP: + case ACL_STYLE_IPV6: case ACL_STYLE_PATH: /* legal, peername specific */ break; @@ -1384,6 +1394,52 @@ parse_acl( goto fail; } } + +#ifdef LDAP_PF_INET6 + } else if ( sty == ACL_STYLE_IPV6 ) { + char *addr = NULL, + *mask = NULL, + *port = NULL; + + split( right, '{', &addr, &port ); + split( addr, '%', &addr, &mask ); + + if ( inet_pton( AF_INET6, addr, &b->a_peername_addr6 ) != 1 ) { + /* illegal address */ + Debug( LDAP_DEBUG_ANY, "%s: line %d: " + "illegal peername address \"%s\".\n", + fname, lineno, addr ); + goto fail; + } + + if ( mask == NULL ) { + mask = "FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF"; + } + + if ( inet_pton( AF_INET6, mask, &b->a_peername_mask6 ) != 1 ) { + /* illegal mask */ + Debug( LDAP_DEBUG_ANY, "%s: line %d: " + "illegal peername address mask " + "\"%s\".\n", + fname, lineno, mask ); + goto fail; + } + + b->a_peername_port = -1; + if ( port ) { + char *end = NULL; + + b->a_peername_port = strtol( port, &end, 10 ); + if ( end == port || end[0] != '}' ) { + /* illegal port */ + Debug( LDAP_DEBUG_ANY, "%s: line %d: " + "illegal peername port specification " + "\"{%s}\".\n", + fname, lineno, port ); + goto fail; + } + } +#endif /* LDAP_PF_INET6 */ } } continue; @@ -1784,6 +1840,7 @@ parse_acl( /* out of arguments or plain stop */ ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE ); + ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE); b->a_type = ACL_STOP; access_append( &a->acl_access, b ); @@ -1794,6 +1851,7 @@ parse_acl( /* plain continue */ ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE ); + ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE); b->a_type = ACL_CONTINUE; access_append( &a->acl_access, b ); @@ -1804,6 +1862,7 @@ parse_acl( /* plain continue */ ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE); + ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE); b->a_type = ACL_BREAK; access_append( &a->acl_access, b ); @@ -1814,6 +1873,7 @@ parse_acl( /* we've gone too far */ --i; ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE ); + ACL_PRIV_SET( b->a_access_mask, ACL_PRIV_NONE); b->a_type = ACL_STOP; access_append( &a->acl_access, b ); @@ -1821,16 +1881,19 @@ parse_acl( } /* get */ - if ( strncasecmp( left, "self", STRLENOF( "self" ) ) == 0 ) { - b->a_dn_self = 1; - ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[ STRLENOF( "self" ) ] ) ); + { + char *lleft = left; - } else if ( strncasecmp( left, "realself", STRLENOF( "realself" ) ) == 0 ) { - b->a_realdn_self = 1; - ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[ STRLENOF( "realself" ) ] ) ); + if ( strncasecmp( left, "self", STRLENOF( "self" ) ) == 0 ) { + b->a_dn_self = 1; + lleft = &left[ STRLENOF( "self" ) ]; - } else { - ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( left ) ); + } else if ( strncasecmp( left, "realself", STRLENOF( "realself" ) ) == 0 ) { + b->a_realdn_self = 1; + lleft = &left[ STRLENOF( "realself" ) ]; + } + + ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( lleft ) ); } if ( ACL_IS_INVALID( b->a_access_mask ) ) { @@ -2131,7 +2194,10 @@ str2accessmask( const char *str ) } else if( TOLOWER((unsigned char) str[i]) == 'd' ) { ACL_PRIV_SET(mask, ACL_PRIV_DISCLOSE); - } else if( str[i] != '0' ) { + } else if( str[i] == '0' ) { + ACL_PRIV_SET(mask, ACL_PRIV_NONE); + + } else { ACL_INVALIDATE(mask); return mask; } @@ -2182,9 +2248,9 @@ acl_usage( void ) { char *access = " ::= access to " - "[ by [ ] ]+ \n"; + "[ by [ ] [ ] ]+ \n"; char *what = - " ::= * | [dn[.]=] [filter=] [attrs=]\n" + " ::= * | dn[.=] [filter=] [attrs=]\n" " ::= [val[/][.]=] | \n" " ::= [ , ]\n" " ::= | @ | ! | entry | children\n"; @@ -2206,7 +2272,7 @@ acl_usage( void ) "exact | regex\n" " ::= exact | regex | base(Object) | one(level) | " "sub(tree) | children\n" - " ::= exact | regex | ip | path\n" + " ::= exact | regex | ip | ipv6 | path\n" " ::= exact | regex | base(Object) | sub(tree)\n" " ::= [[real]self]{|}\n" " ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage\n"