X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Faclparse.c;h=b1760206ffa8092121459363cd1a52cedb4aa798;hb=46fab059977aed107f53c96ced0f35cfff8c7836;hp=5a7184a25ee60a748f6f5445f66d59d546f920e7;hpb=b5ef8ea6f404e4c7d6e288a55ec3156959cec744;p=openldap

diff --git a/servers/slapd/aclparse.c b/servers/slapd/aclparse.c
index 5a7184a25e..b1760206ff 100644
--- a/servers/slapd/aclparse.c
+++ b/servers/slapd/aclparse.c
@@ -38,10 +38,11 @@
 #include "lber_pvt.h"
 #include "lutil.h"
 
-static char *style_strings[] = {
+static const char style_base[] = "base";
+char *style_strings[] = {
 	"regex",
 	"expand",
-	"base",
+	"exact",
 	"one",
 	"subtree",
 	"children",
@@ -438,8 +439,9 @@ parse_acl(
 						acl_usage();
 					}
 
-				} else if ( strcasecmp( left, "attr" ) == 0
-						|| strcasecmp( left, "attrs" ) == 0 ) {
+				} else if ( strcasecmp( left, "attr" ) == 0		/* TOLERATED */
+						|| strcasecmp( left, "attrs" ) == 0 )	/* DOCUMENTED */
+				{
 					a->acl_attrs = str2anlist( a->acl_attrs,
 						right, "," );
 					if ( a->acl_attrs == NULL ) {
@@ -450,6 +452,8 @@ parse_acl(
 					}
 
 				} else if ( strncasecmp( left, "val", 3 ) == 0 ) {
+					char	*mr;
+					
 					if ( !BER_BVISEMPTY( &a->acl_attrval ) ) {
 						fprintf( stderr,
 				"%s: line %d: attr val already specified in to clause.\n",
@@ -463,62 +467,121 @@ parse_acl(
 							fname, lineno );
 						acl_usage();
 					}
+
 					ber_str2bv( right, 0, 1, &a->acl_attrval );
-					if ( style && strcasecmp( style, "regex" ) == 0 ) {
-						int e = regcomp( &a->acl_attrval_re, a->acl_attrval.bv_val,
-							REG_EXTENDED | REG_ICASE | REG_NOSUB );
-						if ( e ) {
-							char buf[512];
-							regerror( e, &a->acl_attrval_re, buf, sizeof(buf) );
+					a->acl_attrval_style = ACL_STYLE_BASE;
+
+					mr = strchr( left, '/' );
+					if ( mr != NULL ) {
+						mr[ 0 ] = '\0';
+						mr++;
+
+						a->acl_attrval_mr = mr_find( mr );
+						if ( a->acl_attrval_mr == NULL ) {
 							fprintf( stderr, "%s: line %d: "
-								"regular expression \"%s\" bad because of %s\n",
-								fname, lineno, right, buf );
+								"invalid matching rule \"%s\".\n",
+								fname, lineno, mr );
 							acl_usage();
 						}
-						a->acl_attrval_style = ACL_STYLE_REGEX;
-					} else {
-						/* FIXME: if the attribute has DN syntax, we might
-						 * allow one, subtree and children styles as well */
-						if ( !strcasecmp( style, "exact" ) ) {
-							a->acl_attrval_style = ACL_STYLE_BASE;
 
-						} else if ( a->acl_attrs[0].an_desc->ad_type->
-							sat_syntax == slap_schema.si_syn_distinguishedName )
+						if( !mr_usable_with_at( a->acl_attrval_mr, a->acl_attrs[ 0 ].an_desc->ad_type ) )
 						{
-							if ( !strcasecmp( style, "baseObject" ) ||
-								!strcasecmp( style, "base" ) )
-							{
+							fprintf( stderr, "%s: line %d: "
+								"matching rule \"%s\" use "
+								"with attr \"%s\" not appropriate.\n",
+								fname, lineno, mr,
+								a->acl_attrs[ 0 ].an_name.bv_val );
+							acl_usage();
+						}
+					}
+					
+					if ( style != NULL ) {
+						if ( strcasecmp( style, "regex" ) == 0 ) {
+							int e = regcomp( &a->acl_attrval_re, a->acl_attrval.bv_val,
+								REG_EXTENDED | REG_ICASE | REG_NOSUB );
+							if ( e ) {
+								char buf[512];
+								regerror( e, &a->acl_attrval_re, buf, sizeof(buf) );
+								fprintf( stderr, "%s: line %d: "
+									"regular expression \"%s\" bad because of %s\n",
+									fname, lineno, right, buf );
+								acl_usage();
+							}
+							a->acl_attrval_style = ACL_STYLE_REGEX;
+
+						} else {
+							/* FIXME: if the attribute has DN syntax, we might
+							 * allow one, subtree and children styles as well */
+							if ( !strcasecmp( style, "base" ) ||
+								!strcasecmp( style, "exact" ) ) {
 								a->acl_attrval_style = ACL_STYLE_BASE;
-							} else if ( !strcasecmp( style, "onelevel" ) ||
-								!strcasecmp( style, "one" ) )
-							{
-								a->acl_attrval_style = ACL_STYLE_ONE;
-							} else if ( !strcasecmp( style, "subtree" ) ||
-								!strcasecmp( style, "sub" ) )
+
+							} else if ( a->acl_attrs[0].an_desc->ad_type->
+								sat_syntax == slap_schema.si_syn_distinguishedName )
 							{
-								a->acl_attrval_style = ACL_STYLE_SUBTREE;
-							} else if ( !strcasecmp( style, "children" ) ) {
-								a->acl_attrval_style = ACL_STYLE_CHILDREN;
+								struct berval	bv;
+
+								if ( !strcasecmp( style, "baseObject" ) ||
+									!strcasecmp( style, "base" ) )
+								{
+									a->acl_attrval_style = ACL_STYLE_BASE;
+								} else if ( !strcasecmp( style, "onelevel" ) ||
+									!strcasecmp( style, "one" ) )
+								{
+									a->acl_attrval_style = ACL_STYLE_ONE;
+								} else if ( !strcasecmp( style, "subtree" ) ||
+									!strcasecmp( style, "sub" ) )
+								{
+									a->acl_attrval_style = ACL_STYLE_SUBTREE;
+								} else if ( !strcasecmp( style, "children" ) ) {
+									a->acl_attrval_style = ACL_STYLE_CHILDREN;
+								} else {
+									fprintf( stderr, 
+										"%s: line %d: unknown val.<style> \"%s\" "
+										"for attributeType \"%s\" with DN syntax; "
+										"using \"base\"\n",
+										fname, lineno, style,
+										a->acl_attrs[0].an_desc->ad_cname.bv_val );
+									a->acl_attrval_style = ACL_STYLE_BASE;
+								}
+
+								bv = a->acl_attrval;
+								rc = dnNormalize( 0, NULL, NULL, &bv, &a->acl_attrval, NULL );
+								if ( rc != LDAP_SUCCESS ) {
+									fprintf( stderr, 
+										"%s: line %d: unable to normalize DN \"%s\" "
+										"for attributeType \"%s\" (%d).\n",
+										fname, lineno, bv.bv_val,
+										a->acl_attrs[0].an_desc->ad_cname.bv_val, rc );
+									acl_usage();
+								}
+								ber_memfree( bv.bv_val );
+
 							} else {
 								fprintf( stderr, 
 									"%s: line %d: unknown val.<style> \"%s\" "
-									"for attributeType \"%s\" with DN syntax; "
-									"using \"base\"\n",
+									"for attributeType \"%s\"; using \"exact\"\n",
 									fname, lineno, style,
 									a->acl_attrs[0].an_desc->ad_cname.bv_val );
 								a->acl_attrval_style = ACL_STYLE_BASE;
 							}
+						}
+					}
 
-						} else {
-							fprintf( stderr, 
-								"%s: line %d: unknown val.<style> \"%s\" "
-								"for attributeType \"%s\"; using \"exact\"\n",
-								fname, lineno, style,
-								a->acl_attrs[0].an_desc->ad_cname.bv_val );
-							a->acl_attrval_style = ACL_STYLE_BASE;
+					/* Check for appropriate matching rule */
+					if ( a->acl_attrval_style != ACL_STYLE_REGEX ) {
+						if ( a->acl_attrval_mr == NULL ) {
+							a->acl_attrval_mr = a->acl_attrs[ 0 ].an_desc->ad_type->sat_equality;
+						}
+
+						if ( a->acl_attrval_mr == NULL ) {
+							fprintf( stderr, "%s: line %d: "
+								"attr \"%s\" must have an EQUALITY matching rule.\n",
+								fname, lineno, a->acl_attrs[ 0 ].an_name.bv_val );
+							acl_usage();
 						}
 					}
-					
+
 				} else {
 					fprintf( stderr,
 						"%s: line %d: expecting <what> got \"%s\"\n",
@@ -532,6 +595,7 @@ parse_acl(
 			{
 				free( a->acl_dn_pat.bv_val );
 				BER_BVZERO( &a->acl_dn_pat );
+				a->acl_dn_style = ACL_STYLE_REGEX;
 			}
 			
 			if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
@@ -690,8 +754,12 @@ parse_acl(
 					case ACL_STYLE_REGEX:
 						fprintf( stderr, "%s: line %d: "
 							"\"regex\" style implies "
-							"\"expand\" modifier (ignored)\n",
+							"\"expand\" modifier" 
+							SLAPD_CONF_UNKNOWN_IGNORED ".\n",
 							fname, lineno );
+#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
+						acl_usage();
+#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
 						break;
 
 					case ACL_STYLE_EXPAND:
@@ -700,8 +768,12 @@ parse_acl(
 						fprintf( stderr, "%s: line %d: "
 							"\"expand\" style used "
 							"in conjunction with "
-							"\"expand\" modifier (ignored)\n",
+							"\"expand\" modifier"
+							SLAPD_CONF_UNKNOWN_IGNORED ".\n",
 							fname, lineno );
+#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
+						acl_usage();
+#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
 #endif
 						break;
 
@@ -847,7 +919,34 @@ parse_acl(
 						bdn->a_pat = bv;
 					}
 					bdn->a_style = sty;
-					bdn->a_expand = expand;
+					if ( expand ) {
+						char	*exp;
+						int	gotit = 0;
+
+						for ( exp = strchr( bdn->a_pat.bv_val, '$' );
+								exp && exp - bdn->a_pat.bv_val < bdn->a_pat.bv_len;
+								exp = strchr( exp, '$' ) )
+						{
+							if ( isdigit( exp[ 1 ] ) ) {
+								gotit = 1;
+								break;
+							}
+						}
+
+						if ( gotit == 1 ) {
+							bdn->a_expand = expand;
+
+						} else {
+							fprintf( stderr,
+								"%s: line %d: \"expand\" used "
+								"with no expansions in \"pattern\""
+								SLAPD_CONF_UNKNOWN_IGNORED ".\n",
+								fname, lineno );
+#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
+							acl_usage();
+#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
+						} 
+					}
 					if ( sty == ACL_STYLE_SELF ) {
 						bdn->a_self_level = level;
 
@@ -2010,7 +2109,7 @@ acl_usage( void )
 		"<access clause> ::= access to <what> "
 				"[ by <who> <access> [ <control> ] ]+ \n"
 		"<what> ::= * | [dn[.<dnstyle>]=<DN>] [filter=<filter>] [attrs=<attrlist>]\n"
-		"<attrlist> ::= <attr> [val[.<attrstyle>]=<value>] | <attr> , <attrlist>\n"
+		"<attrlist> ::= <attr> [val[/matchingRule][.<attrstyle>]=<value>] | <attr> , <attrlist>\n"
 		"<attr> ::= <attrname> | entry | children\n",
 		"<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]\n"
 			"\t[ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]\n"
@@ -2308,7 +2407,10 @@ dnaccess2text( slap_dn_access *bdn, char *ptr, int is_realdn )
 
 	} else {
 		ptr = lutil_strcopy( ptr, "dn." );
-		ptr = lutil_strcopy( ptr, style_strings[bdn->a_style] );
+		if ( bdn->a_style == ACL_STYLE_BASE )
+			ptr = lutil_strcopy( ptr, style_base );
+		else 
+			ptr = lutil_strcopy( ptr, style_strings[bdn->a_style] );
 		if ( bdn->a_style == ACL_STYLE_LEVEL ) {
 			int n = sprintf( ptr, "{%d}", bdn->a_level );
 			if ( n > 0 ) {
@@ -2323,16 +2425,6 @@ dnaccess2text( slap_dn_access *bdn, char *ptr, int is_realdn )
 		ptr = lutil_strcopy( ptr, bdn->a_pat.bv_val );
 		*ptr++ = '"';
 	}
-
-	if ( bdn->a_at != NULL ) {
-		*ptr++ = ' ';
-		if ( is_realdn ) {
-			ptr = lutil_strcopy( ptr, "real" );
-		}
-		ptr = lutil_strcopy( ptr, "dnattr=" );
-		ptr = lutil_strcopy( ptr, bdn->a_at->ad_cname.bv_val );
-	}
-
 	return ptr;
 }
 
@@ -2346,10 +2438,18 @@ access2text( Access *b, char *ptr )
 	if ( !BER_BVISEMPTY( &b->a_dn_pat ) ) {
 		ptr = dnaccess2text( &b->a_dn, ptr, 0 );
 	}
+	if ( b->a_dn_at ) {
+		ptr = lutil_strcopy( ptr, " dnattr=" );
+		ptr = lutil_strcopy( ptr, b->a_dn_at->ad_cname.bv_val );
+	}
 
 	if ( !BER_BVISEMPTY( &b->a_realdn_pat ) ) {
 		ptr = dnaccess2text( &b->a_realdn, ptr, 1 );
 	}
+	if ( b->a_realdn_at ) {
+		ptr = lutil_strcopy( ptr, " realdnattr=" );
+		ptr = lutil_strcopy( ptr, b->a_realdn_at->ad_cname.bv_val );
+	}
 
 	if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
 		ptr = lutil_strcopy( ptr, " group/" );
@@ -2367,30 +2467,52 @@ access2text( Access *b, char *ptr )
 	}
 
 	if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {
-		ptr = lutil_strcopy( ptr, " peername=\"" );
+		ptr = lutil_strcopy( ptr, " peername" );
+		*ptr++ = '.';
+		ptr = lutil_strcopy( ptr, style_strings[b->a_peername_style] );
+		*ptr++ = '=';
+		*ptr++ = '"';
 		ptr = lutil_strcopy( ptr, b->a_peername_pat.bv_val );
 		*ptr++ = '"';
 	}
 
 	if ( !BER_BVISEMPTY( &b->a_sockname_pat ) ) {
-		ptr = lutil_strcopy( ptr, " sockname=\"" );
+		ptr = lutil_strcopy( ptr, " sockname" );
+		*ptr++ = '.';
+		ptr = lutil_strcopy( ptr, style_strings[b->a_sockname_style] );
+		*ptr++ = '=';
+		*ptr++ = '"';
 		ptr = lutil_strcopy( ptr, b->a_sockname_pat.bv_val );
 		*ptr++ = '"';
 	}
 
 	if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) {
-		ptr = lutil_strcopy( ptr, " domain=" );
+		ptr = lutil_strcopy( ptr, " domain" );
+		*ptr++ = '.';
+		ptr = lutil_strcopy( ptr, style_strings[b->a_domain_style] );
+		if ( b->a_domain_expand ) {
+			ptr = lutil_strcopy( ptr, ",expand" );
+		}
+		*ptr++ = '=';
 		ptr = lutil_strcopy( ptr, b->a_domain_pat.bv_val );
 	}
 
 	if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) {
-		ptr = lutil_strcopy( ptr, " sockurl=\"" );
+		ptr = lutil_strcopy( ptr, " sockurl" );
+		*ptr++ = '.';
+		ptr = lutil_strcopy( ptr, style_strings[b->a_sockurl_style] );
+		*ptr++ = '=';
+		*ptr++ = '"';
 		ptr = lutil_strcopy( ptr, b->a_sockurl_pat.bv_val );
 		*ptr++ = '"';
 	}
 
 	if ( !BER_BVISEMPTY( &b->a_set_pat ) ) {
-		ptr = lutil_strcopy( ptr, " set=\"" );
+		ptr = lutil_strcopy( ptr, " set" );
+		*ptr++ = '.';
+		ptr = lutil_strcopy( ptr, style_strings[b->a_set_style] );
+		*ptr++ = '=';
+		*ptr++ = '"';
 		ptr = lutil_strcopy( ptr, b->a_set_pat.bv_val );
 		*ptr++ = '"';
 	}
@@ -2476,7 +2598,10 @@ acl_unparse( AccessControl *a, struct berval *bv )
 	if ( !BER_BVISNULL( &a->acl_dn_pat ) ) {
 		to++;
 		ptr = lutil_strcopy( ptr, " dn." );
-		ptr = lutil_strcopy( ptr, style_strings[a->acl_dn_style] );
+		if ( a->acl_dn_style == ACL_STYLE_BASE )
+			ptr = lutil_strcopy( ptr, style_base );
+		else
+			ptr = lutil_strcopy( ptr, style_strings[a->acl_dn_style] );
 		*ptr++ = '=';
 		*ptr++ = '"';
 		ptr = lutil_strcopy( ptr, a->acl_dn_pat.bv_val );
@@ -2518,7 +2643,12 @@ acl_unparse( AccessControl *a, struct berval *bv )
 	if ( !BER_BVISEMPTY( &a->acl_attrval ) ) {
 		to++;
 		ptr = lutil_strcopy( ptr, " val." );
-		ptr = lutil_strcopy( ptr, style_strings[a->acl_attrval_style] );
+		if ( a->acl_attrval_style == ACL_STYLE_BASE &&
+			a->acl_attrs[0].an_desc->ad_type->sat_syntax ==
+				slap_schema.si_syn_distinguishedName )
+			ptr = lutil_strcopy( ptr, style_base );
+		else
+			ptr = lutil_strcopy( ptr, style_strings[a->acl_attrval_style] );
 		*ptr++ = '=';
 		*ptr++ = '"';
 		ptr = lutil_strcopy( ptr, a->acl_attrval.bv_val );