X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Faclparse.c;h=9b0e8e7acb507e733e7b45a378e3745fe82fd3b9;hb=86bd3651e1bc6129cf2bd4ba271f33207843aaff;hp=d7a99c0351d55a7169bba68e7806d0ff09ffac51;hpb=8866a28fb3dda4425a731bf99bf3fd6dae7f5157;p=openldap
diff --git a/servers/slapd/aclparse.c b/servers/slapd/aclparse.c
index d7a99c0351..9b0e8e7acb 100644
--- a/servers/slapd/aclparse.c
+++ b/servers/slapd/aclparse.c
@@ -2,7 +2,7 @@
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software .
*
- * Copyright 1998-2004 The OpenLDAP Foundation.
+ * Copyright 1998-2005 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -38,14 +38,19 @@
#include "lber_pvt.h"
#include "lutil.h"
-static char *style_strings[] = {
+static const char style_base[] = "base";
+char *style_strings[] = {
"regex",
"expand",
- "base",
+ "exact",
"one",
"subtree",
"children",
+ "level",
"attrof",
+ "anonymous",
+ "users",
+ "self",
"ip",
"path",
NULL
@@ -59,24 +64,27 @@ static void acl_regex_normalized_dn(const char *src, struct berval *pat);
#ifdef LDAP_DEBUG
static void print_acl(Backend *be, AccessControl *a);
-static void print_access(Access *b);
#endif
-#ifdef LDAP_DEVEL
-static int
-check_scope( BackendDB *be, AccessControl *a );
-#endif /* LDAP_DEVEL */
+static int check_scope( BackendDB *be, AccessControl *a );
#ifdef SLAP_DYNACL
static int
-slap_dynacl_config( const char *fname, int lineno, Access *b, const char *name, slap_style_t sty, const char *right )
+slap_dynacl_config(
+ const char *fname,
+ int lineno,
+ Access *b,
+ const char *name,
+ const char *opts,
+ slap_style_t sty,
+ const char *right )
{
slap_dynacl_t *da, *tmp;
int rc = 0;
for ( da = b->a_dynacl; da; da = da->da_next ) {
if ( strcasecmp( da->da_name, name ) == 0 ) {
- fprintf( stderr,
+ Debug( LDAP_DEBUG_ANY,
"%s: line %d: dynacl \"%s\" already specified.\n",
fname, lineno, name );
acl_usage();
@@ -92,7 +100,7 @@ slap_dynacl_config( const char *fname, int lineno, Access *b, const char *name,
*tmp = *da;
if ( tmp->da_parse ) {
- rc = ( *tmp->da_parse )( fname, lineno, sty, right, &tmp->da_private );
+ rc = ( *tmp->da_parse )( fname, lineno, opts, sty, right, &tmp->da_private );
if ( rc ) {
ch_free( tmp );
return rc;
@@ -111,8 +119,8 @@ regtest(const char *fname, int lineno, char *pat) {
int e;
regex_t re;
- char buf[512];
- unsigned size;
+ char buf[ SLAP_TEXT_BUFLEN ];
+ unsigned size;
char *sp;
char *dp;
@@ -143,24 +151,28 @@ regtest(const char *fname, int lineno, char *pat) {
*dp = '\0';
if ( size >= (sizeof(buf) - 1) ) {
- fprintf( stderr,
+ Debug( LDAP_DEBUG_ANY,
"%s: line %d: regular expression \"%s\" too large\n",
fname, lineno, pat );
acl_usage();
}
if ((e = regcomp(&re, buf, REG_EXTENDED|REG_ICASE))) {
- char error[512];
+ char error[ SLAP_TEXT_BUFLEN ];
+
regerror(e, &re, error, sizeof(error));
- fprintf( stderr,
- "%s: line %d: regular expression \"%s\" bad because of %s\n",
- fname, lineno, pat, error );
+
+ snprintf( buf, sizeof( buf ),
+ "regular expression \"%s\" bad because of %s",
+ pat, error );
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: %s\n",
+ fname, lineno, buf );
acl_usage();
}
regfree(&re);
}
-#ifdef LDAP_DEVEL
/*
* Experimental
*
@@ -176,11 +188,15 @@ regtest(const char *fname, int lineno, char *pat) {
static int
check_scope( BackendDB *be, AccessControl *a )
{
- int patlen;
+ ber_len_t patlen;
struct berval dn;
dn = be->be_nsuffix[0];
+ if ( BER_BVISEMPTY( &dn ) ) {
+ return ACL_SCOPE_OK;
+ }
+
if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
a->acl_dn_style != ACL_STYLE_REGEX )
{
@@ -241,7 +257,8 @@ regex_done:;
* more than one level between the suffix
* and the pattern */
if ( style == ACL_STYLE_ONE ) {
- int rdnlen = -1, sep = 0;
+ ber_len_t rdnlen = 0;
+ int sep = 0;
if ( patlen > 0 ) {
if ( !DN_SEPARATOR( dn.bv_val[dn.bv_len - patlen - 1] )) {
@@ -295,7 +312,6 @@ regex_done:;
return ACL_SCOPE_UNKNOWN;
}
-#endif /* LDAP_DEVEL */
void
parse_acl(
@@ -303,8 +319,8 @@ parse_acl(
const char *fname,
int lineno,
int argc,
- char **argv
-)
+ char **argv,
+ int pos )
{
int i;
char *left, *right, *style, *next;
@@ -319,9 +335,9 @@ parse_acl(
/* to clause - select which entries are protected */
if ( strcasecmp( argv[i], "to" ) == 0 ) {
if ( a != NULL ) {
- fprintf( stderr, "%s: line %d: "
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: "
"only one to clause allowed in access line\n",
- fname, lineno );
+ fname, lineno, 0 );
acl_usage();
}
a = (AccessControl *) ch_calloc( 1, sizeof(AccessControl) );
@@ -335,10 +351,10 @@ parse_acl(
if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
a->acl_dn_style != ACL_STYLE_REGEX )
{
- fprintf( stderr,
+ Debug( LDAP_DEBUG_ANY,
"%s: line %d: dn pattern"
" already specified in to clause.\n",
- fname, lineno );
+ fname, lineno, 0 );
acl_usage();
}
@@ -350,7 +366,7 @@ parse_acl(
split( left, '.', &left, &style );
if ( right == NULL ) {
- fprintf( stderr, "%s: line %d: "
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: "
"missing \"=\" in \"%s\" in to clause\n",
fname, lineno, left );
acl_usage();
@@ -360,10 +376,10 @@ parse_acl(
if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
a->acl_dn_style != ACL_STYLE_REGEX )
{
- fprintf( stderr,
+ Debug( LDAP_DEBUG_ANY,
"%s: line %d: dn pattern"
" already specified in to clause.\n",
- fname, lineno );
+ fname, lineno, 0 );
acl_usage();
}
@@ -419,7 +435,7 @@ parse_acl(
}
} else {
- fprintf( stderr, "%s: line %d: "
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: "
"unknown dn style \"%s\" in to clause\n",
fname, lineno, style );
acl_usage();
@@ -430,95 +446,204 @@ parse_acl(
if ( strcasecmp( left, "filter" ) == 0 ) {
if ( (a->acl_filter = str2filter( right )) == NULL ) {
- fprintf( stderr,
+ Debug( LDAP_DEBUG_ANY,
"%s: line %d: bad filter \"%s\" in to clause\n",
fname, lineno, right );
acl_usage();
}
- } else if ( strcasecmp( left, "attr" ) == 0
- || strcasecmp( left, "attrs" ) == 0 ) {
+ } else if ( strcasecmp( left, "attr" ) == 0 /* TOLERATED */
+ || strcasecmp( left, "attrs" ) == 0 ) /* DOCUMENTED */
+ {
+ if ( strcasecmp( left, "attr" ) == 0 ) {
+ Debug( LDAP_DEBUG_ANY,
+ "%s: line %d: \"attr\" "
+ "is deprecated (and undocumented); "
+ "use \"attrs\" instead.\n",
+ fname, lineno, 0 );
+ }
+
a->acl_attrs = str2anlist( a->acl_attrs,
right, "," );
if ( a->acl_attrs == NULL ) {
- fprintf( stderr,
+ Debug( LDAP_DEBUG_ANY,
"%s: line %d: unknown attr \"%s\" in to clause\n",
fname, lineno, right );
acl_usage();
}
} else if ( strncasecmp( left, "val", 3 ) == 0 ) {
+ char *mr;
+
if ( !BER_BVISEMPTY( &a->acl_attrval ) ) {
- fprintf( stderr,
+ Debug( LDAP_DEBUG_ANY,
"%s: line %d: attr val already specified in to clause.\n",
- fname, lineno );
+ fname, lineno, 0 );
acl_usage();
}
if ( a->acl_attrs == NULL || !BER_BVISEMPTY( &a->acl_attrs[1].an_name ) )
{
- fprintf( stderr,
+ Debug( LDAP_DEBUG_ANY,
"%s: line %d: attr val requires a single attribute.\n",
- fname, lineno );
+ fname, lineno, 0 );
acl_usage();
}
+
ber_str2bv( right, 0, 1, &a->acl_attrval );
- if ( style && strcasecmp( style, "regex" ) == 0 ) {
- int e = regcomp( &a->acl_attrval_re, a->acl_attrval.bv_val,
- REG_EXTENDED | REG_ICASE | REG_NOSUB );
- if ( e ) {
- char buf[512];
- regerror( e, &a->acl_attrval_re, buf, sizeof(buf) );
- fprintf( stderr, "%s: line %d: "
- "regular expression \"%s\" bad because of %s\n",
- fname, lineno, right, buf );
+ a->acl_attrval_style = ACL_STYLE_BASE;
+
+ mr = strchr( left, '/' );
+ if ( mr != NULL ) {
+ mr[ 0 ] = '\0';
+ mr++;
+
+ a->acl_attrval_mr = mr_find( mr );
+ if ( a->acl_attrval_mr == NULL ) {
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: "
+ "invalid matching rule \"%s\".\n",
+ fname, lineno, mr );
acl_usage();
}
- a->acl_attrval_style = ACL_STYLE_REGEX;
- } else {
- /* FIXME: if the attribute has DN syntax, we might
- * allow one, subtree and children styles as well */
- if ( !strcasecmp( style, "exact" ) ) {
- a->acl_attrval_style = ACL_STYLE_BASE;
- } else if ( a->acl_attrs[0].an_desc->ad_type->
- sat_syntax == slap_schema.si_syn_distinguishedName )
+ if( !mr_usable_with_at( a->acl_attrval_mr, a->acl_attrs[ 0 ].an_desc->ad_type ) )
{
- if ( !strcasecmp( style, "baseObject" ) ||
- !strcasecmp( style, "base" ) )
- {
+ char buf[ SLAP_TEXT_BUFLEN ];
+
+ snprintf( buf, sizeof( buf ),
+ "matching rule \"%s\" use "
+ "with attr \"%s\" not appropriate.",
+ mr, a->acl_attrs[ 0 ].an_name.bv_val );
+
+
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
+ fname, lineno, buf );
+ acl_usage();
+ }
+ }
+
+ if ( style != NULL ) {
+ if ( strcasecmp( style, "regex" ) == 0 ) {
+ int e = regcomp( &a->acl_attrval_re, a->acl_attrval.bv_val,
+ REG_EXTENDED | REG_ICASE | REG_NOSUB );
+ if ( e ) {
+ char err[SLAP_TEXT_BUFLEN],
+ buf[ SLAP_TEXT_BUFLEN ];
+
+ regerror( e, &a->acl_attrval_re, err, sizeof( err ) );
+
+ snprintf( buf, sizeof( buf ),
+ "regular expression \"%s\" bad because of %s",
+ right, err );
+
+ Debug( LDAP_DEBUG_ANY, "%s: line %d: %s\n",
+ fname, lineno, buf );
+ acl_usage();
+ }
+ a->acl_attrval_style = ACL_STYLE_REGEX;
+
+ } else {
+ /* FIXME: if the attribute has DN syntax, we might
+ * allow one, subtree and children styles as well */
+ if ( !strcasecmp( style, "base" ) ||
+ !strcasecmp( style, "exact" ) ) {
a->acl_attrval_style = ACL_STYLE_BASE;
- } else if ( !strcasecmp( style, "onelevel" ) ||
- !strcasecmp( style, "one" ) )
- {
- a->acl_attrval_style = ACL_STYLE_ONE;
- } else if ( !strcasecmp( style, "subtree" ) ||
- !strcasecmp( style, "sub" ) )
+
+ } else if ( a->acl_attrs[0].an_desc->ad_type->
+ sat_syntax == slap_schema.si_syn_distinguishedName )
{
- a->acl_attrval_style = ACL_STYLE_SUBTREE;
- } else if ( !strcasecmp( style, "children" ) ) {
- a->acl_attrval_style = ACL_STYLE_CHILDREN;
+ struct berval bv;
+
+ if ( !strcasecmp( style, "baseObject" ) ||
+ !strcasecmp( style, "base" ) )
+ {
+ a->acl_attrval_style = ACL_STYLE_BASE;
+ } else if ( !strcasecmp( style, "onelevel" ) ||
+ !strcasecmp( style, "one" ) )
+ {
+ a->acl_attrval_style = ACL_STYLE_ONE;
+ } else if ( !strcasecmp( style, "subtree" ) ||
+ !strcasecmp( style, "sub" ) )
+ {
+ a->acl_attrval_style = ACL_STYLE_SUBTREE;
+ } else if ( !strcasecmp( style, "children" ) ) {
+ a->acl_attrval_style = ACL_STYLE_CHILDREN;
+ } else {
+ char buf[ SLAP_TEXT_BUFLEN ];
+
+ /* FIXME: should be an error */
+
+ snprintf( buf, sizeof( buf ),
+ "unknown val.