X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Faclparse.c;h=567e2b63f37071d511e0c52fc0900a31a022fef7;hb=fa1f4d3c38b332fc5faf6d84911df2618ce9af09;hp=02703af4706bfa0f80dd51d884936b0a7a77f6db;hpb=ef3d895cb80a5b0830817ffaa5dc0a92edd93723;p=openldap
diff --git a/servers/slapd/aclparse.c b/servers/slapd/aclparse.c
index 02703af470..567e2b63f3 100644
--- a/servers/slapd/aclparse.c
+++ b/servers/slapd/aclparse.c
@@ -1,8 +1,27 @@
/* aclparse.c - routines to parse and check acl's */
/* $OpenLDAP$ */
-/*
- * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
- * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
+/* This work is part of OpenLDAP Software .
+ *
+ * Copyright 1998-2006 The OpenLDAP Foundation.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * .
+ */
+/* Portions Copyright (c) 1995 Regents of the University of Michigan.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms are permitted
+ * provided that this notice is preserved and that due credit is given
+ * to the University of Michigan at Ann Arbor. The name of the University
+ * may not be used to endorse or promote products derived from this
+ * software without specific prior written permission. This software
+ * is provided ``as is'' without express or implied warranty.
*/
#include "portable.h"
@@ -17,25 +36,91 @@
#include "slap.h"
#include "lber_pvt.h"
+#include "lutil.h"
+
+static const char style_base[] = "base";
+char *style_strings[] = {
+ "regex",
+ "expand",
+ "exact",
+ "one",
+ "subtree",
+ "children",
+ "level",
+ "attrof",
+ "anonymous",
+ "users",
+ "self",
+ "ip",
+ "path",
+ NULL
+};
static void split(char *line, int splitchar, char **left, char **right);
static void access_append(Access **l, Access *a);
-static void acl_usage(void) LDAP_GCCATTR((noreturn));
+static int acl_usage(void);
static void acl_regex_normalized_dn(const char *src, struct berval *pat);
#ifdef LDAP_DEBUG
static void print_acl(Backend *be, AccessControl *a);
-static void print_access(Access *b);
#endif
+static int check_scope( BackendDB *be, AccessControl *a );
+
+#ifdef SLAP_DYNACL
+static int
+slap_dynacl_config(
+ const char *fname,
+ int lineno,
+ Access *b,
+ const char *name,
+ const char *opts,
+ slap_style_t sty,
+ const char *right )
+{
+ slap_dynacl_t *da, *tmp;
+ int rc = 0;
+
+ for ( da = b->a_dynacl; da; da = da->da_next ) {
+ if ( strcasecmp( da->da_name, name ) == 0 ) {
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: dynacl \"%s\" already specified.\n",
+ fname, lineno, name );
+ return acl_usage();
+ }
+ }
+
+ da = slap_dynacl_get( name );
+ if ( da == NULL ) {
+ return -1;
+ }
+
+ tmp = ch_malloc( sizeof( slap_dynacl_t ) );
+ *tmp = *da;
+
+ if ( tmp->da_parse ) {
+ rc = ( *tmp->da_parse )( fname, lineno, opts, sty, right, &tmp->da_private );
+ if ( rc ) {
+ ch_free( tmp );
+ return rc;
+ }
+ }
+
+ tmp->da_next = b->a_dynacl;
+ b->a_dynacl = tmp;
+
+ return 0;
+}
+#endif /* SLAP_DYNACL */
+
static void
regtest(const char *fname, int lineno, char *pat) {
int e;
regex_t re;
- char buf[512];
- unsigned size;
+ char buf[ SLAP_TEXT_BUFLEN ];
+ unsigned size;
char *sp;
char *dp;
@@ -65,32 +150,179 @@ regtest(const char *fname, int lineno, char *pat) {
}
*dp = '\0';
- if ( size >= (sizeof(buf)-1) ) {
- fprintf( stderr,
+ if ( size >= (sizeof(buf) - 1) ) {
+ Debug( LDAP_DEBUG_ANY,
"%s: line %d: regular expression \"%s\" too large\n",
fname, lineno, pat );
- acl_usage();
+ (void)acl_usage();
+ exit( EXIT_FAILURE );
}
if ((e = regcomp(&re, buf, REG_EXTENDED|REG_ICASE))) {
- char error[512];
+ char error[ SLAP_TEXT_BUFLEN ];
+
regerror(e, &re, error, sizeof(error));
- fprintf( stderr,
- "%s: line %d: regular expression \"%s\" bad because of %s\n",
- fname, lineno, pat, error );
+
+ snprintf( buf, sizeof( buf ),
+ "regular expression \"%s\" bad because of %s",
+ pat, error );
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: %s\n",
+ fname, lineno, buf );
acl_usage();
+ exit( EXIT_FAILURE );
}
regfree(&re);
}
-void
+/*
+ * Experimental
+ *
+ * Check if the pattern of an ACL, if any, matches the scope
+ * of the backend it is defined within.
+ */
+#define ACL_SCOPE_UNKNOWN (-2)
+#define ACL_SCOPE_ERR (-1)
+#define ACL_SCOPE_OK (0)
+#define ACL_SCOPE_PARTIAL (1)
+#define ACL_SCOPE_WARN (2)
+
+static int
+check_scope( BackendDB *be, AccessControl *a )
+{
+ ber_len_t patlen;
+ struct berval dn;
+
+ dn = be->be_nsuffix[0];
+
+ if ( BER_BVISEMPTY( &dn ) ) {
+ return ACL_SCOPE_OK;
+ }
+
+ if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
+ a->acl_dn_style != ACL_STYLE_REGEX )
+ {
+ slap_style_t style = a->acl_dn_style;
+
+ if ( style == ACL_STYLE_REGEX ) {
+ char dnbuf[SLAP_LDAPDN_MAXLEN + 2];
+ char rebuf[SLAP_LDAPDN_MAXLEN + 1];
+ ber_len_t rebuflen;
+ regex_t re;
+ int rc;
+
+ /* add trailing '$' to database suffix to form
+ * a simple trial regex pattern "$" */
+ AC_MEMCPY( dnbuf, be->be_nsuffix[0].bv_val,
+ be->be_nsuffix[0].bv_len );
+ dnbuf[be->be_nsuffix[0].bv_len] = '$';
+ dnbuf[be->be_nsuffix[0].bv_len + 1] = '\0';
+
+ if ( regcomp( &re, dnbuf, REG_EXTENDED|REG_ICASE ) ) {
+ return ACL_SCOPE_WARN;
+ }
+
+ /* remove trailing ')$', if any, from original
+ * regex pattern */
+ rebuflen = a->acl_dn_pat.bv_len;
+ AC_MEMCPY( rebuf, a->acl_dn_pat.bv_val, rebuflen + 1 );
+ if ( rebuf[rebuflen - 1] == '$' ) {
+ rebuf[--rebuflen] = '\0';
+ }
+ while ( rebuflen > be->be_nsuffix[0].bv_len && rebuf[rebuflen - 1] == ')' ) {
+ rebuf[--rebuflen] = '\0';
+ }
+ if ( rebuflen == be->be_nsuffix[0].bv_len ) {
+ rc = ACL_SCOPE_WARN;
+ goto regex_done;
+ }
+
+ /* not a clear indication of scoping error, though */
+ rc = regexec( &re, rebuf, 0, NULL, 0 )
+ ? ACL_SCOPE_WARN : ACL_SCOPE_OK;
+
+regex_done:;
+ regfree( &re );
+ return rc;
+ }
+
+ patlen = a->acl_dn_pat.bv_len;
+ /* If backend suffix is longer than pattern,
+ * it is a potential mismatch (in the sense
+ * that a superior naming context could
+ * match */
+ if ( dn.bv_len > patlen ) {
+ /* base is blatantly wrong */
+ if ( style == ACL_STYLE_BASE ) return ACL_SCOPE_ERR;
+
+ /* a style of one can be wrong if there is
+ * more than one level between the suffix
+ * and the pattern */
+ if ( style == ACL_STYLE_ONE ) {
+ ber_len_t rdnlen = 0;
+ int sep = 0;
+
+ if ( patlen > 0 ) {
+ if ( !DN_SEPARATOR( dn.bv_val[dn.bv_len - patlen - 1] )) {
+ return ACL_SCOPE_ERR;
+ }
+ sep = 1;
+ }
+
+ rdnlen = dn_rdnlen( NULL, &dn );
+ if ( rdnlen != dn.bv_len - patlen - sep )
+ return ACL_SCOPE_ERR;
+ }
+
+ /* if the trailing part doesn't match,
+ * then it's an error */
+ if ( strcmp( a->acl_dn_pat.bv_val,
+ &dn.bv_val[dn.bv_len - patlen] ) != 0 )
+ {
+ return ACL_SCOPE_ERR;
+ }
+
+ return ACL_SCOPE_PARTIAL;
+ }
+
+ switch ( style ) {
+ case ACL_STYLE_BASE:
+ case ACL_STYLE_ONE:
+ case ACL_STYLE_CHILDREN:
+ case ACL_STYLE_SUBTREE:
+ break;
+
+ default:
+ assert( 0 );
+ break;
+ }
+
+ if ( dn.bv_len < patlen &&
+ !DN_SEPARATOR( a->acl_dn_pat.bv_val[patlen - dn.bv_len - 1] ))
+ {
+ return ACL_SCOPE_ERR;
+ }
+
+ if ( strcmp( &a->acl_dn_pat.bv_val[patlen - dn.bv_len], dn.bv_val )
+ != 0 )
+ {
+ return ACL_SCOPE_ERR;
+ }
+
+ return ACL_SCOPE_OK;
+ }
+
+ return ACL_SCOPE_UNKNOWN;
+}
+
+int
parse_acl(
- Backend *be,
- const char *fname,
- int lineno,
- int argc,
- char **argv
-)
+ Backend *be,
+ const char *fname,
+ int lineno,
+ int argc,
+ char **argv,
+ int pos )
{
int i;
char *left, *right, *style;
@@ -105,10 +337,10 @@ parse_acl(
/* to clause - select which entries are protected */
if ( strcasecmp( argv[i], "to" ) == 0 ) {
if ( a != NULL ) {
- fprintf( stderr,
- "%s: line %d: only one to clause allowed in access line\n",
- fname, lineno );
- acl_usage();
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+ "only one to clause allowed in access line\n",
+ fname, lineno, 0 );
+ return acl_usage();
}
a = (AccessControl *) ch_calloc( 1, sizeof(AccessControl) );
for ( ++i; i < argc; i++ ) {
@@ -118,18 +350,17 @@ parse_acl(
}
if ( strcasecmp( argv[i], "*" ) == 0 ) {
- if( a->acl_dn_pat.bv_len ||
- ( a->acl_dn_style != ACL_STYLE_REGEX ) )
+ if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
+ a->acl_dn_style != ACL_STYLE_REGEX )
{
- fprintf( stderr,
+ Debug( LDAP_DEBUG_ANY,
"%s: line %d: dn pattern"
" already specified in to clause.\n",
- fname, lineno );
- acl_usage();
+ fname, lineno, 0 );
+ return acl_usage();
}
- a->acl_dn_pat.bv_val = ch_strdup( "*" );
- a->acl_dn_pat.bv_len = 1;
+ ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat );
continue;
}
@@ -137,26 +368,53 @@ parse_acl(
split( left, '.', &left, &style );
if ( right == NULL ) {
- fprintf( stderr,
- "%s: line %d: missing \"=\" in \"%s\" in to clause\n",
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+ "missing \"=\" in \"%s\" in to clause\n",
fname, lineno, left );
- acl_usage();
+ return acl_usage();
}
if ( strcasecmp( left, "dn" ) == 0 ) {
- if( a->acl_dn_pat.bv_len != 0 ||
- ( a->acl_dn_style != ACL_STYLE_REGEX ) )
+ if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
+ a->acl_dn_style != ACL_STYLE_REGEX )
{
- fprintf( stderr,
+ Debug( LDAP_DEBUG_ANY,
"%s: line %d: dn pattern"
" already specified in to clause.\n",
- fname, lineno );
- acl_usage();
+ fname, lineno, 0 );
+ return acl_usage();
}
- if ( style == NULL || *style == '\0'
- || strcasecmp( style, "regex" ) == 0 )
+ if ( style == NULL || *style == '\0' ||
+ strcasecmp( style, "baseObject" ) == 0 ||
+ strcasecmp( style, "base" ) == 0 ||
+ strcasecmp( style, "exact" ) == 0 )
+ {
+ a->acl_dn_style = ACL_STYLE_BASE;
+ ber_str2bv( right, 0, 1, &a->acl_dn_pat );
+
+ } else if ( strcasecmp( style, "oneLevel" ) == 0 ||
+ strcasecmp( style, "one" ) == 0 )
+ {
+ a->acl_dn_style = ACL_STYLE_ONE;
+ ber_str2bv( right, 0, 1, &a->acl_dn_pat );
+
+ } else if ( strcasecmp( style, "subtree" ) == 0 ||
+ strcasecmp( style, "sub" ) == 0 )
{
+ if( *right == '\0' ) {
+ ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat );
+
+ } else {
+ a->acl_dn_style = ACL_STYLE_SUBTREE;
+ ber_str2bv( right, 0, 1, &a->acl_dn_pat );
+ }
+
+ } else if ( strcasecmp( style, "children" ) == 0 ) {
+ a->acl_dn_style = ACL_STYLE_CHILDREN;
+ ber_str2bv( right, 0, 1, &a->acl_dn_pat );
+
+ } else if ( strcasecmp( style, "regex" ) == 0 ) {
a->acl_dn_style = ACL_STYLE_REGEX;
if ( *right == '\0' ) {
@@ -172,92 +430,279 @@ parse_acl(
|| strcmp(right, ".*$$") == 0
|| strcmp(right, "^.*$$") == 0 )
{
- a->acl_dn_pat.bv_val = ch_strdup( "*" );
- a->acl_dn_pat.bv_len = sizeof("*")-1;
+ ber_str2bv( "*", STRLENOF("*"), 1, &a->acl_dn_pat );
} else {
acl_regex_normalized_dn( right, &a->acl_dn_pat );
}
- } else if ( strcasecmp( style, "base" ) == 0 ) {
- a->acl_dn_style = ACL_STYLE_BASE;
- ber_str2bv( right, 0, 1, &a->acl_dn_pat );
- } else if ( strcasecmp( style, "one" ) == 0 ) {
- a->acl_dn_style = ACL_STYLE_ONE;
- ber_str2bv( right, 0, 1, &a->acl_dn_pat );
- } else if ( strcasecmp( style, "subtree" ) == 0 ) {
- a->acl_dn_style = ACL_STYLE_SUBTREE;
- ber_str2bv( right, 0, 1, &a->acl_dn_pat );
- } else if ( strcasecmp( style, "children" ) == 0 ) {
- a->acl_dn_style = ACL_STYLE_CHILDREN;
- ber_str2bv( right, 0, 1, &a->acl_dn_pat );
+
} else {
- fprintf( stderr,
- "%s: line %d: unknown dn style \"%s\" in to clause\n",
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+ "unknown dn style \"%s\" in to clause\n",
fname, lineno, style );
- acl_usage();
+ return acl_usage();
}
continue;
}
if ( strcasecmp( left, "filter" ) == 0 ) {
- if ( (a->acl_filter = str2filter(
- right )) == NULL ) {
- fprintf( stderr,
+ if ( (a->acl_filter = str2filter( right )) == NULL ) {
+ Debug( LDAP_DEBUG_ANY,
"%s: line %d: bad filter \"%s\" in to clause\n",
fname, lineno, right );
- acl_usage();
+ return acl_usage();
+ }
+
+ } else if ( strcasecmp( left, "attr" ) == 0 /* TOLERATED */
+ || strcasecmp( left, "attrs" ) == 0 ) /* DOCUMENTED */
+ {
+ if ( strcasecmp( left, "attr" ) == 0 ) {
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: \"attr\" "
+ "is deprecated (and undocumented); "
+ "use \"attrs\" instead.\n",
+ fname, lineno, 0 );
}
- } else if ( strncasecmp( left, "attr", 4 ) == 0 ) {
a->acl_attrs = str2anlist( a->acl_attrs,
right, "," );
if ( a->acl_attrs == NULL ) {
- fprintf( stderr,
+ Debug( LDAP_DEBUG_ANY,
"%s: line %d: unknown attr \"%s\" in to clause\n",
fname, lineno, right );
- acl_usage();
+ return acl_usage();
+ }
+
+ } else if ( strncasecmp( left, "val", 3 ) == 0 ) {
+ struct berval bv;
+ char *mr;
+
+ if ( !BER_BVISEMPTY( &a->acl_attrval ) ) {
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: attr val already specified in to clause.\n",
+ fname, lineno, 0 );
+ return acl_usage();
+ }
+ if ( a->acl_attrs == NULL || !BER_BVISEMPTY( &a->acl_attrs[1].an_name ) )
+ {
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: attr val requires a single attribute.\n",
+ fname, lineno, 0 );
+ return acl_usage();
+ }
+
+ ber_str2bv( right, 0, 0, &bv );
+ a->acl_attrval_style = ACL_STYLE_BASE;
+
+ mr = strchr( left, '/' );
+ if ( mr != NULL ) {
+ mr[ 0 ] = '\0';
+ mr++;
+
+ a->acl_attrval_mr = mr_find( mr );
+ if ( a->acl_attrval_mr == NULL ) {
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+ "invalid matching rule \"%s\".\n",
+ fname, lineno, mr );
+ return acl_usage();
+ }
+
+ if( !mr_usable_with_at( a->acl_attrval_mr, a->acl_attrs[ 0 ].an_desc->ad_type ) )
+ {
+ char buf[ SLAP_TEXT_BUFLEN ];
+
+ snprintf( buf, sizeof( buf ),
+ "matching rule \"%s\" use "
+ "with attr \"%s\" not appropriate.",
+ mr, a->acl_attrs[ 0 ].an_name.bv_val );
+
+
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
+ fname, lineno, buf );
+ return acl_usage();
+ }
+ }
+
+ if ( style != NULL ) {
+ if ( strcasecmp( style, "regex" ) == 0 ) {
+ int e = regcomp( &a->acl_attrval_re, bv.bv_val,
+ REG_EXTENDED | REG_ICASE | REG_NOSUB );
+ if ( e ) {
+ char err[SLAP_TEXT_BUFLEN],
+ buf[ SLAP_TEXT_BUFLEN ];
+
+ regerror( e, &a->acl_attrval_re, err, sizeof( err ) );
+
+ snprintf( buf, sizeof( buf ),
+ "regular expression \"%s\" bad because of %s",
+ right, err );
+
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
+ fname, lineno, buf );
+ return acl_usage();
+ }
+ a->acl_attrval_style = ACL_STYLE_REGEX;
+
+ } else {
+ /* FIXME: if the attribute has DN syntax, we might
+ * allow one, subtree and children styles as well */
+ if ( !strcasecmp( style, "base" ) ||
+ !strcasecmp( style, "exact" ) ) {
+ a->acl_attrval_style = ACL_STYLE_BASE;
+
+ } else if ( a->acl_attrs[0].an_desc->ad_type->
+ sat_syntax == slap_schema.si_syn_distinguishedName )
+ {
+ if ( !strcasecmp( style, "baseObject" ) ||
+ !strcasecmp( style, "base" ) )
+ {
+ a->acl_attrval_style = ACL_STYLE_BASE;
+ } else if ( !strcasecmp( style, "onelevel" ) ||
+ !strcasecmp( style, "one" ) )
+ {
+ a->acl_attrval_style = ACL_STYLE_ONE;
+ } else if ( !strcasecmp( style, "subtree" ) ||
+ !strcasecmp( style, "sub" ) )
+ {
+ a->acl_attrval_style = ACL_STYLE_SUBTREE;
+ } else if ( !strcasecmp( style, "children" ) ) {
+ a->acl_attrval_style = ACL_STYLE_CHILDREN;
+ } else {
+ char buf[ SLAP_TEXT_BUFLEN ];
+
+ /* FIXME: should be an error */
+
+ snprintf( buf, sizeof( buf ),
+ "unknown val.