X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Faclparse.c;h=d0de1d1d436b79530e574459ec2afff043cdf3f5;hb=bc74d3f82f4db4868502eeb2ca1d27587d203d4f;hp=10fa6a07210cd7681b2599953df1ceabeee7d107;hpb=42e0d83cb3a1a1c5b25183f1ab74ce7edbe25de7;p=openldap diff --git a/servers/slapd/aclparse.c b/servers/slapd/aclparse.c index 10fa6a0721..d0de1d1d43 100644 --- a/servers/slapd/aclparse.c +++ b/servers/slapd/aclparse.c @@ -1,31 +1,82 @@ /* acl.c - routines to parse and check acl's */ +#include "portable.h" #include -#include -#include -#include -#include -#include -#include "regex.h" -#include "slap.h" -#include "portable.h" -extern Filter *str2filter(); -extern char *re_comp(); -extern struct acl *global_acl; -extern char **str2charray(); -extern char *dn_upcase(); +#include +#include +#include +#include +#include -static void split(); -static void acl_append(); -static void access_append(); -static void acl_usage(); +#include "slap.h" + +static void split(char *line, int splitchar, char **left, char **right); +static void acl_append(struct acl **l, struct acl *a); +static void access_append(struct access **l, struct access *a); +static void acl_usage(void); #ifdef LDAP_DEBUG -static void print_acl(); -static void print_access(); +static void print_acl(struct acl *a); +static void print_access(struct access *b); #endif +static int +regtest(char *fname, int lineno, char *pat) { + int e; + regex_t re; + + char buf[512]; + unsigned size; + + char *sp; + char *dp; + int flag; + + sp = pat; + dp = buf; + size = 0; + buf[0] = '\0'; + + for (size = 0, flag = 0; (size < sizeof(buf)) && *sp; sp++) { + if (flag) { + if (*sp == '$'|| (*sp >= '0' && *sp <= '9')) { + *dp++ = *sp; + size++; + } + flag = 0; + + } else { + if (*sp == '$') { + flag = 1; + } else { + *dp++ = *sp; + size++; + } + } + } + + *dp = '\0'; + if ( size >= (sizeof(buf)-1) ) { + fprintf( stderr, + "%s: line %d: regular expression \"%s\" too large\n", + fname, lineno, pat, 0 ); + acl_usage(); + } + + if ((e = regcomp(&re, buf, REG_EXTENDED|REG_ICASE))) { + char error[512]; + regerror(e, &re, error, sizeof(error)); + fprintf( stderr, + "%s: line %d: regular expression \"%s\" bad because of %s\n", + fname, lineno, pat, error ); + acl_usage(); + return(0); + } + regfree(&re); + return(1); +} + void parse_acl( Backend *be, @@ -58,7 +109,18 @@ parse_acl( } if ( strcasecmp( argv[i], "*" ) == 0 ) { - a->acl_dnpat = strdup( ".*" ); + int e; + if ((e = regcomp( &a->acl_dnre, ".*", + REG_EXTENDED|REG_ICASE))) + { + char buf[512]; + regerror(e, &a->acl_dnre, buf, sizeof(buf)); + fprintf( stderr, + "%s: line %d: regular expression \"%s\" bad because of %s\n", + fname, lineno, right, buf ); + acl_usage(); + } + a->acl_dnpat = ch_strdup( ".*" ); continue; } @@ -79,24 +141,29 @@ parse_acl( acl_usage(); } } else if ( strcasecmp( left, "dn" ) == 0 ) { - if ( (e = re_comp( right )) != NULL ) { + int e; + if ((e = regcomp(&a->acl_dnre, right, + REG_EXTENDED|REG_ICASE))) { + char buf[512]; + regerror(e, &a->acl_dnre, buf, sizeof(buf)); fprintf( stderr, - "%s: line %d: regular expression \"%s\" bad because of %s\n", - fname, lineno, right, e ); + "%s: line %d: regular expression \"%s\" bad because of %s\n", + fname, lineno, right, buf ); acl_usage(); + + } else { + a->acl_dnpat = dn_upcase(ch_strdup( right )); } - a->acl_dnpat = dn_upcase( strdup( - right ) ); } else if ( strncasecmp( left, "attr", 4 ) == 0 ) { char **alist; alist = str2charray( right, "," ); charray_merge( &a->acl_attrs, alist ); - free( alist ); + charray_free( alist ); } else { fprintf( stderr, - "%s: line %d: expecting got \"%s\"\n", + "%s: line %d: expecting got \"%s\"\n", fname, lineno, left ); acl_usage(); } @@ -106,7 +173,7 @@ parse_acl( } else if ( strcasecmp( argv[i], "by" ) == 0 ) { if ( a == NULL ) { fprintf( stderr, - "%s: line %d: to clause required before by clause in access line\n", + "%s: line %d: to clause required before by clause in access line\n", fname, lineno ); acl_usage(); } @@ -127,43 +194,60 @@ parse_acl( /* get */ split( argv[i], '=', &left, &right ); if ( strcasecmp( argv[i], "*" ) == 0 ) { - b->a_dnpat = strdup( ".*" ); + b->a_dnpat = ch_strdup( ".*" ); } else if ( strcasecmp( argv[i], "self" ) == 0 ) { - b->a_dnpat = strdup( "self" ); + b->a_dnpat = ch_strdup( "self" ); } else if ( strcasecmp( left, "dn" ) == 0 ) { - if ( (e = re_comp( right )) != NULL ) { - fprintf( stderr, - "%s: line %d: regular expression \"%s\" bad: %s\n", - fname, lineno, right, e ); - acl_usage(); - } - b->a_dnpat = dn_upcase( strdup( right ) ); - } else if ( strcasecmp( left, "dnattr" ) - == 0 ) { - b->a_dnattr = strdup( right ); - } else if ( strcasecmp( left, "domain" ) - == 0 ) { + regtest(fname, lineno, right); + b->a_dnpat = dn_upcase( ch_strdup( right ) ); + } else if ( strcasecmp( left, "dnattr" ) == 0 ) { + b->a_dnattr = ch_strdup( right ); + +#ifdef SLAPD_ACLGROUPS + } else if ( strcasecmp( left, "group" ) == 0 ) { + char *name = NULL; + char *value = NULL; + regtest(fname, lineno, right); + + /* format of string is "group/objectClassValue/groupAttrName" + */ + if ((value = strchr(right, '/')) != NULL) { + *value++ = '\0'; + if (value && *value && (name = strchr(value, '/')) != NULL) + *name++ = '\0'; + } + + b->a_group = dn_upcase(ch_strdup( right )); + + if (value && *value) { + b->a_objectclassvalue = ch_strdup(value); + *--value = '/'; + } + else + b->a_objectclassvalue = ch_strdup("groupOfNames"); + + if (name && *name) { + b->a_groupattrname = ch_strdup(name); + *--name = '/'; + } + else + b->a_groupattrname = ch_strdup("member"); + + + +#endif /* SLAPD_ACLGROUPS */ + } else if ( strcasecmp( left, "domain" ) == 0 ) { char *s; + regtest(fname, lineno, right); + b->a_domainpat = ch_strdup( right ); - if ( (e = re_comp( right )) != NULL ) { - fprintf( stderr, - "%s: line %d: regular expression \"%s\" bad: %s\n", - fname, lineno, right, e ); - acl_usage(); - } - b->a_domainpat = strdup( right ); /* normalize the domain */ for ( s = b->a_domainpat; *s; s++ ) { *s = TOLOWER( *s ); } } else if ( strcasecmp( left, "addr" ) == 0 ) { - if ( (e = re_comp( right )) != NULL ) { - fprintf( stderr, - "%s: line %d: regular expression \"%s\" bad: %s\n", - fname, lineno, right, e ); - acl_usage(); - } - b->a_addrpat = strdup( right ); + regtest(fname, lineno, right); + b->a_addrpat = ch_strdup( right ); } else { fprintf( stderr, "%s: line %d: expecting got \"%s\"\n", @@ -198,16 +282,20 @@ parse_acl( /* if we have no real access clause, complain and do nothing */ if ( a == NULL ) { - fprintf( stderr, - "%s: line %d: warning: no access clause(s) specified in access line\n", + "%s: line %d: warning: no access clause(s) specified in access line\n", fname, lineno ); } else { + +#ifdef LDAP_DEBUG + if (ldap_debug & LDAP_DEBUG_ACL) + print_acl(a); +#endif if ( a->acl_access == NULL ) { fprintf( stderr, - "%s: line %d: warning: no by clause(s) specified in access line\n", + "%s: line %d: warning: no by clause(s) specified in access line\n", fname, lineno ); } @@ -276,7 +364,7 @@ str2access( char *str ) } static void -acl_usage() +acl_usage( void ) { fprintf( stderr, "\n ::= access to [ by ]+ \n" ); fprintf( stderr, " ::= * | [dn=] [filter=] [attrs=]\n" ); @@ -324,17 +412,27 @@ acl_append( struct acl **l, struct acl *a ) static void print_access( struct access *b ) { - printf( "\tby" ); + fprintf( stderr, "\tby" ); + if ( b->a_dnpat != NULL ) { - printf( " dn=%s", b->a_dnpat ); + fprintf( stderr, " dn=%s", b->a_dnpat ); } else if ( b->a_addrpat != NULL ) { - printf( " addr=%s", b->a_addrpat ); + fprintf( stderr, " addr=%s", b->a_addrpat ); } else if ( b->a_domainpat != NULL ) { - printf( " domain=%s", b->a_domainpat ); + fprintf( stderr, " domain=%s", b->a_domainpat ); } else if ( b->a_dnattr != NULL ) { - printf( " dnattr=%s", b->a_dnattr ); + fprintf( stderr, " dnattr=%s", b->a_dnattr ); } - printf( " %s\n", access2str( b->a_access ) ); +#ifdef SLAPD_ACLGROUPS + else if ( b->a_group != NULL ) { + fprintf( stderr, " group: %s", b->a_group ); + if ( b->a_objectclassvalue ) + fprintf( stderr, " objectClassValue: %s", b->a_objectclassvalue ); + if ( b->a_groupattrname ) + fprintf( stderr, " groupAttrName: %s", b->a_groupattrname ); + } +#endif + fprintf( stderr, "\n" ); } static void @@ -344,33 +442,34 @@ print_acl( struct acl *a ) struct access *b; if ( a == NULL ) { - printf( "NULL\n" ); + fprintf( stderr, "NULL\n" ); } - printf( "access to" ); + fprintf( stderr, "ACL: access to" ); if ( a->acl_filter != NULL ) { - printf( " filter=" ); + fprintf( stderr," filter=" ); filter_print( a->acl_filter ); } if ( a->acl_dnpat != NULL ) { - printf( " dn=" ); - printf( a->acl_dnpat ); + fprintf( stderr, " dn=" ); + fprintf( stderr, a->acl_dnpat ); } if ( a->acl_attrs != NULL ) { int first = 1; - printf( " attrs=" ); + fprintf( stderr, "\n attrs=" ); for ( i = 0; a->acl_attrs[i] != NULL; i++ ) { if ( ! first ) { - printf( "," ); + fprintf( stderr, "," ); } - printf( a->acl_attrs[i] ); + fprintf( stderr, a->acl_attrs[i] ); first = 0; } } - printf( "\n" ); + fprintf( stderr, "\n" ); for ( b = a->acl_access; b != NULL; b = b->a_next ) { print_access( b ); } + fprintf( stderr, "\n" ); } -#endif +#endif /* LDAP_DEBUG */