X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Faclparse.c;h=e22f3263ec5a715c7550dc5f20dc42c43942534c;hb=437d2ce5a920d12402b557b4b814e6d14cd40c9d;hp=5b9363714c8e8258345444d1679c35832b0bc901;hpb=f6829ee903c2cc6ddb78d7ae4754d3a20a362da6;p=openldap diff --git a/servers/slapd/aclparse.c b/servers/slapd/aclparse.c index 5b9363714c..e22f3263ec 100644 --- a/servers/slapd/aclparse.c +++ b/servers/slapd/aclparse.c @@ -1,7 +1,7 @@ -/* acl.c - routines to parse and check acl's */ +/* aclparse.c - routines to parse and check acl's */ /* $OpenLDAP$ */ /* - * Copyright 1998-1999 The OpenLDAP Foundation, All Rights Reserved. + * Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved. * COPYING RESTRICTIONS APPLY, see COPYRIGHT file */ @@ -16,17 +16,21 @@ #include #include "slap.h" +#include "lber_pvt.h" +#include "lutil.h" static void split(char *line, int splitchar, char **left, char **right); static void access_append(Access **l, Access *a); static void acl_usage(void) LDAP_GCCATTR((noreturn)); +static void acl_regex_normalized_dn(const char *src, struct berval *pat); + #ifdef LDAP_DEBUG static void print_acl(Backend *be, AccessControl *a); static void print_access(Access *b); #endif -static int +static void regtest(const char *fname, int lineno, char *pat) { int e; regex_t re; @@ -76,10 +80,8 @@ regtest(const char *fname, int lineno, char *pat) { "%s: line %d: regular expression \"%s\" bad because of %s\n", fname, lineno, pat, error ); acl_usage(); - return(0); } regfree(&re); - return(1); } void @@ -92,9 +94,12 @@ parse_acl( ) { int i; - char *left, *right; + char *left, *right, *style; + struct berval bv; AccessControl *a; Access *b; + int rc; + const char *text; a = NULL; for ( i = 1; i < argc; i++ ) { @@ -107,11 +112,6 @@ parse_acl( acl_usage(); } a = (AccessControl *) ch_calloc( 1, sizeof(AccessControl) ); - a->acl_filter = NULL; - a->acl_dn_pat = NULL; - a->acl_attrs = NULL; - a->acl_access = NULL; - a->acl_next = NULL; for ( ++i; i < argc; i++ ) { if ( strcasecmp( argv[i], "by" ) == 0 ) { i--; @@ -119,37 +119,105 @@ parse_acl( } if ( strcasecmp( argv[i], "*" ) == 0 ) { - a->acl_dn_pat = ch_strdup( ".*" ); + if( a->acl_dn_pat.bv_len || + ( a->acl_dn_style != ACL_STYLE_REGEX ) ) + { + fprintf( stderr, + "%s: line %d: dn pattern" + " already specified in to clause.\n", + fname, lineno ); + acl_usage(); + } + + a->acl_dn_pat.bv_val = ch_strdup( "*" ); + a->acl_dn_pat.bv_len = 1; continue; } split( argv[i], '=', &left, &right ); - if ( right == NULL || *right == '\0' ) { + split( left, '.', &left, &style ); + + if ( right == NULL ) { fprintf( stderr, - "%s: line %d: missing \"=\" in (or value after) \"%s\" in to clause\n", + "%s: line %d: missing \"=\" in \"%s\" in to clause\n", fname, lineno, left ); acl_usage(); } + if ( strcasecmp( left, "dn" ) == 0 ) { + if( a->acl_dn_pat.bv_len != 0 || + ( a->acl_dn_style != ACL_STYLE_REGEX ) ) + { + fprintf( stderr, + "%s: line %d: dn pattern" + " already specified in to clause.\n", + fname, lineno ); + acl_usage(); + } + + if ( style == NULL || *style == '\0' + || strcasecmp( style, "regex" ) == 0 ) + { + a->acl_dn_style = ACL_STYLE_REGEX; + + if ( *right == '\0' ) { + /* empty regex should match empty DN */ + a->acl_dn_style = ACL_STYLE_BASE; + ber_str2bv( right, 0, 1, &a->acl_dn_pat ); + + } else if ( strcmp(right, "*") == 0 + || strcmp(right, ".*") == 0 + || strcmp(right, ".*$") == 0 + || strcmp(right, "^.*") == 0 + || strcmp(right, "^.*$") == 0 + || strcmp(right, ".*$$") == 0 + || strcmp(right, "^.*$$") == 0 ) + { + a->acl_dn_pat.bv_val = ch_strdup( "*" ); + a->acl_dn_pat.bv_len = sizeof("*")-1; + + } else { + acl_regex_normalized_dn( right, &a->acl_dn_pat ); + } + } else if ( strcasecmp( style, "base" ) == 0 ) { + a->acl_dn_style = ACL_STYLE_BASE; + ber_str2bv( right, 0, 1, &a->acl_dn_pat ); + } else if ( strcasecmp( style, "one" ) == 0 ) { + a->acl_dn_style = ACL_STYLE_ONE; + ber_str2bv( right, 0, 1, &a->acl_dn_pat ); + } else if ( strcasecmp( style, "subtree" ) == 0 || strcasecmp( style, "sub" ) == 0 ) { + a->acl_dn_style = ACL_STYLE_SUBTREE; + ber_str2bv( right, 0, 1, &a->acl_dn_pat ); + } else if ( strcasecmp( style, "children" ) == 0 ) { + a->acl_dn_style = ACL_STYLE_CHILDREN; + ber_str2bv( right, 0, 1, &a->acl_dn_pat ); + } else { + fprintf( stderr, + "%s: line %d: unknown dn style \"%s\" in to clause\n", + fname, lineno, style ); + acl_usage(); + } + + continue; + } + if ( strcasecmp( left, "filter" ) == 0 ) { - if ( (a->acl_filter = str2filter( - right )) == NULL ) { + if ( (a->acl_filter = str2filter( right )) == NULL ) { fprintf( stderr, "%s: line %d: bad filter \"%s\" in to clause\n", fname, lineno, right ); acl_usage(); } - } else if ( strcasecmp( left, "dn" ) == 0 ) { - a->acl_dn_pat = ch_strdup( right ); - } else if ( strncasecmp( left, "attr", 4 ) == 0 ) { - char **alist; - - alist = str2charray( right, "," ); - charray_merge( &a->acl_attrs, alist ); - charray_free( alist ); - + a->acl_attrs = str2anlist( a->acl_attrs, + right, "," ); + if ( a->acl_attrs == NULL ) { + fprintf( stderr, + "%s: line %d: unknown attr \"%s\" in to clause\n", + fname, lineno, right ); + acl_usage(); + } } else { fprintf( stderr, "%s: line %d: expecting got \"%s\"\n", @@ -158,16 +226,39 @@ parse_acl( } } - if ( a->acl_dn_pat != NULL ) { - int e = regcomp( &a->acl_dn_re, a->acl_dn_pat, - REG_EXTENDED | REG_ICASE ); - if ( e ) { - char buf[512]; - regerror( e, &a->acl_dn_re, buf, sizeof(buf) ); - fprintf( stderr, - "%s: line %d: regular expression \"%s\" bad because of %s\n", - fname, lineno, right, buf ); - acl_usage(); + if ( a->acl_dn_pat.bv_len != 0 && + strcmp(a->acl_dn_pat.bv_val, "*") == 0 ) + { + free( a->acl_dn_pat.bv_val ); + a->acl_dn_pat.bv_val = NULL; + a->acl_dn_pat.bv_len = 0; + } + + if( a->acl_dn_pat.bv_len != 0 || + ( a->acl_dn_style != ACL_STYLE_REGEX ) ) + { + if ( a->acl_dn_style != ACL_STYLE_REGEX ) { + struct berval bv; + rc = dnNormalize2( NULL, &a->acl_dn_pat, &bv); + if ( rc != LDAP_SUCCESS ) { + fprintf( stderr, + "%s: line %d: bad DN \"%s\"\n", + fname, lineno, a->acl_dn_pat.bv_val ); + acl_usage(); + } + free( a->acl_dn_pat.bv_val ); + a->acl_dn_pat = bv; + } else { + int e = regcomp( &a->acl_dn_re, a->acl_dn_pat.bv_val, + REG_EXTENDED | REG_ICASE ); + if ( e ) { + char buf[512]; + regerror( e, &a->acl_dn_re, buf, sizeof(buf) ); + fprintf( stderr, "%s: line %d: " + "regular expression \"%s\" bad because of %s\n", + fname, lineno, right, buf ); + acl_usage(); + } } } @@ -186,7 +277,7 @@ parse_acl( b = (Access *) ch_calloc( 1, sizeof(Access) ); - ACL_INVALIDATE( b->a_mask ); + ACL_INVALIDATE( b->a_access_mask ); if ( ++i == argc ) { fprintf( stderr, @@ -197,43 +288,191 @@ parse_acl( /* get */ for ( ; i < argc; i++ ) { - char *pat; + slap_style_t sty = ACL_STYLE_REGEX; + char *style_modifier = NULL; + int expand = 0; + split( argv[i], '=', &left, &right ); + split( left, '.', &left, &style ); + if ( style ) { + split( style, ',', &style, &style_modifier); + } + if ( style == NULL || *style == '\0' + || strcasecmp( style, "regex" ) == 0 ) + { + sty = ACL_STYLE_REGEX; + } else if ( strcasecmp( style, "exact" ) == 0 ) { + sty = ACL_STYLE_EXACT; + } else if ( strcasecmp( style, "base" ) == 0 ) { + sty = ACL_STYLE_BASE; + } else if ( strcasecmp( style, "one" ) == 0 ) { + sty = ACL_STYLE_ONE; + } else if ( strcasecmp( style, "subtree" ) == 0 || strcasecmp( style, "sub" ) == 0 ) { + sty = ACL_STYLE_SUBTREE; + } else if ( strcasecmp( style, "children" ) == 0 ) { + sty = ACL_STYLE_CHILDREN; + } else { + fprintf( stderr, + "%s: line %d: unknown style \"%s\" in by clause\n", + fname, lineno, style ); + acl_usage(); + } + + if ( style_modifier && strcasecmp( style_modifier, "expand" ) == 0 ) { + expand = 1; + } if ( strcasecmp( argv[i], "*" ) == 0 ) { - pat = ch_strdup( ".*" ); + bv.bv_val = ch_strdup( "*" ); + bv.bv_len = 1; + } else if ( strcasecmp( argv[i], "anonymous" ) == 0 ) { - pat = ch_strdup( "anonymous" ); + ber_str2bv("anonymous", + sizeof("anonymous")-1, + 1, &bv); + } else if ( strcasecmp( argv[i], "self" ) == 0 ) { - pat = ch_strdup( "self" ); + ber_str2bv("self", + sizeof("self")-1, + 1, &bv); + + } else if ( strcasecmp( argv[i], "users" ) == 0 ) { + ber_str2bv("users", + sizeof("users")-1, + 1, &bv); + } else if ( strcasecmp( left, "dn" ) == 0 ) { - regtest(fname, lineno, right); - pat = ch_strdup( right ); + if ( sty == ACL_STYLE_REGEX ) { + b->a_dn_style = ACL_STYLE_REGEX; + if( right == NULL ) { + /* no '=' */ + ber_str2bv("users", + sizeof("users")-1, + 1, &bv); + } else if (*right == '\0' ) { + /* dn="" */ + ber_str2bv("anonymous", + sizeof("anonymous")-1, + 1, &bv); + } else if ( strcmp( right, "*" ) == 0 ) { + /* dn=* */ + /* any or users? users for now */ + ber_str2bv("users", + sizeof("users")-1, + 1, &bv); + } else if ( strcmp( right, ".+" ) == 0 + || strcmp( right, "^.+" ) == 0 + || strcmp( right, ".+$" ) == 0 + || strcmp( right, "^.+$" ) == 0 + || strcmp( right, ".+$$" ) == 0 + || strcmp( right, "^.+$$" ) == 0 ) + { + ber_str2bv("users", + sizeof("users")-1, + 1, &bv); + } else if ( strcmp( right, ".*" ) == 0 + || strcmp( right, "^.*" ) == 0 + || strcmp( right, ".*$" ) == 0 + || strcmp( right, "^.*$" ) == 0 + || strcmp( right, ".*$$" ) == 0 + || strcmp( right, "^.*$$" ) == 0 ) + { + ber_str2bv("*", + sizeof("*")-1, + 1, &bv); + + } else { + acl_regex_normalized_dn( right, &bv ); + if ( !ber_bvccmp( &bv, '*' ) ) { + regtest(fname, lineno, bv.bv_val); + } + } + } else if ( right == NULL || *right == '\0' ) { + fprintf( stderr, + "%s: line %d: missing \"=\" in (or value after) \"%s\" in by clause\n", + fname, lineno, left ); + acl_usage(); + + } else { + ber_str2bv( right, 0, 1, &bv ); + } + } else { - pat = NULL; + bv.bv_val = NULL; } - if( pat != NULL ) { - if( b->a_dn_pat != NULL ) { + if( bv.bv_val != NULL ) { + if( b->a_dn_pat.bv_len != 0 ) { fprintf( stderr, "%s: line %d: dn pattern already specified.\n", fname, lineno ); acl_usage(); } - b->a_dn_pat = pat; + if ( sty != ACL_STYLE_REGEX && expand == 0 ) { + rc = dnNormalize2(NULL, &bv, &b->a_dn_pat); + if ( rc != LDAP_SUCCESS ) { + fprintf( stderr, + "%s: line %d: bad DN \"%s\"\n", + fname, lineno, bv.bv_val ); + acl_usage(); + } + free(bv.bv_val); + } else { + b->a_dn_pat = bv; + } + b->a_dn_style = sty; + b->a_dn_expand = expand; continue; } if ( strcasecmp( left, "dnattr" ) == 0 ) { - if( b->a_dn_pat != NULL ) { + if ( right == NULL || right[ 0 ] == '\0' ) { fprintf( stderr, - "%s: line %d: dnaddr already specified.\n", + "%s: line %d: missing \"=\" in (or value after) \"%s\" in by clause\n", + fname, lineno, left ); + acl_usage(); + } + + if( b->a_dn_at != NULL ) { + fprintf( stderr, + "%s: line %d: dnattr already specified.\n", fname, lineno ); acl_usage(); } - b->a_dn_at = ch_strdup( right ); + rc = slap_str2ad( right, &b->a_dn_at, &text ); + + if( rc != LDAP_SUCCESS ) { + fprintf( stderr, + "%s: line %d: dnattr \"%s\": %s\n", + fname, lineno, right, text ); + acl_usage(); + } + + + if( !is_at_syntax( b->a_dn_at->ad_type, + SLAPD_DN_SYNTAX ) && + !is_at_syntax( b->a_dn_at->ad_type, + SLAPD_NAMEUID_SYNTAX )) + { + fprintf( stderr, + "%s: line %d: dnattr \"%s\": " + "inappropriate syntax: %s\n", + fname, lineno, right, + b->a_dn_at->ad_type->sat_syntax_oid ); + acl_usage(); + } + + if( b->a_dn_at->ad_type->sat_equality == NULL ) + { + fprintf( stderr, + "%s: line %d: dnattr \"%s\": " + "inappropriate matching (no EQUALITY)\n", + fname, lineno, right ); + acl_usage(); + } + continue; } @@ -241,7 +480,21 @@ parse_acl( char *name = NULL; char *value = NULL; - if( b->a_group_pat != NULL ) { + if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) { + fprintf( stderr, + "%s: line %d: inappropriate style \"%s\" in by clause\n", + fname, lineno, style ); + acl_usage(); + } + + if ( right == NULL || right[ 0 ] == '\0' ) { + fprintf( stderr, + "%s: line %d: missing \"=\" in (or value after) \"%s\" in by clause\n", + fname, lineno, left ); + acl_usage(); + } + + if( b->a_group_pat.bv_len ) { fprintf( stderr, "%s: line %d: group pattern already specified.\n", fname, lineno ); @@ -251,87 +504,315 @@ parse_acl( /* format of string is "group/objectClassValue/groupAttrName" */ if ((value = strchr(left, '/')) != NULL) { *value++ = '\0'; - if (value && *value + if (*value && (name = strchr(value, '/')) != NULL) { *name++ = '\0'; } } - regtest(fname, lineno, right); - b->a_group_pat = ch_strdup( right ); + b->a_group_style = sty; + if (sty == ACL_STYLE_REGEX) { + acl_regex_normalized_dn( right, &bv ); + if ( !ber_bvccmp( &bv, '*' ) ) { + regtest(fname, lineno, bv.bv_val); + } + b->a_group_pat = bv; + } else { + ber_str2bv( right, 0, 0, &bv ); + rc = dnNormalize2( NULL, &bv, &b->a_group_pat ); + if ( rc != LDAP_SUCCESS ) { + fprintf( stderr, + "%s: line %d: bad DN \"%s\"\n", + fname, lineno, right ); + acl_usage(); + } + } if (value && *value) { - b->a_group_oc = ch_strdup(value); + b->a_group_oc = oc_find( value ); *--value = '/'; + + if( b->a_group_oc == NULL ) { + fprintf( stderr, + "%s: line %d: group objectclass " + "\"%s\" unknown\n", + fname, lineno, value ); + acl_usage(); + } } else { - b->a_group_oc = ch_strdup("groupOfNames"); + b->a_group_oc = oc_find(SLAPD_GROUP_CLASS); + + if( b->a_group_oc == NULL ) { + fprintf( stderr, + "%s: line %d: group default objectclass " + "\"%s\" unknown\n", + fname, lineno, SLAPD_GROUP_CLASS ); + acl_usage(); + } + } - if (name && *name) { - b->a_group_at = ch_strdup(name); - *--name = '/'; + if( is_object_subclass( slap_schema.si_oc_referral, + b->a_group_oc )) + { + fprintf( stderr, + "%s: line %d: group objectclass \"%s\" " + "is subclass of referral\n", + fname, lineno, value ); + acl_usage(); + } - } else { - b->a_group_at = ch_strdup("member"); + if( is_object_subclass( slap_schema.si_oc_alias, + b->a_group_oc )) + { + fprintf( stderr, + "%s: line %d: group objectclass \"%s\" " + "is subclass of alias\n", + fname, lineno, value ); + acl_usage(); + } + + if (name && *name) { + rc = slap_str2ad( name, &b->a_group_at, &text ); + + if( rc != LDAP_SUCCESS ) { + fprintf( stderr, + "%s: line %d: group \"%s\": %s\n", + fname, lineno, right, text ); + acl_usage(); + } + *--name = '/'; + } else { + rc = slap_str2ad( SLAPD_GROUP_ATTR, &b->a_group_at, &text ); + + if( rc != LDAP_SUCCESS ) { + fprintf( stderr, + "%s: line %d: group \"%s\": %s\n", + fname, lineno, SLAPD_GROUP_ATTR, text ); + acl_usage(); + } + } + + if( !is_at_syntax( b->a_group_at->ad_type, + SLAPD_DN_SYNTAX ) && + !is_at_syntax( b->a_group_at->ad_type, + SLAPD_NAMEUID_SYNTAX ) ) + { + fprintf( stderr, + "%s: line %d: group \"%s\": inappropriate syntax: %s\n", + fname, lineno, right, + b->a_group_at->ad_type->sat_syntax_oid ); + acl_usage(); + } + + + { + int rc; + struct berval vals[2]; + + vals[0].bv_val = b->a_group_oc->soc_oid; + vals[0].bv_len = strlen(vals[0].bv_val); + vals[1].bv_val = NULL; + + + rc = oc_check_allowed( b->a_group_at->ad_type, vals, NULL ); + + if( rc != 0 ) { + fprintf( stderr, + "%s: line %d: group: \"%s\" not allowed by \"%s\"\n", + fname, lineno, + b->a_group_at->ad_cname.bv_val, + b->a_group_oc->soc_oid ); + acl_usage(); } } continue; } if ( strcasecmp( left, "peername" ) == 0 ) { - if( b->a_peername_pat != NULL ) { + if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) { + fprintf( stderr, + "%s: line %d: inappropriate style \"%s\" in by clause\n", + fname, lineno, style ); + acl_usage(); + } + + if ( right == NULL || right[ 0 ] == '\0' ) { + fprintf( stderr, + "%s: line %d: missing \"=\" in (or value after) \"%s\" in by clause\n", + fname, lineno, left ); + acl_usage(); + } + + if( b->a_peername_pat.bv_len ) { fprintf( stderr, "%s: line %d: peername pattern already specified.\n", fname, lineno ); acl_usage(); } - regtest(fname, lineno, right); - b->a_peername_pat = ch_strdup( right ); + b->a_peername_style = sty; + if (sty == ACL_STYLE_REGEX) { + acl_regex_normalized_dn( right, &bv ); + if ( !ber_bvccmp( &bv, '*' ) ) { + regtest(fname, lineno, bv.bv_val); + } + b->a_peername_pat = bv; + } else { + ber_str2bv( right, 0, 1, &b->a_peername_pat ); + } continue; } if ( strcasecmp( left, "sockname" ) == 0 ) { - if( b->a_sockname_pat != NULL ) { + if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) { + fprintf( stderr, + "%s: line %d: inappropriate style \"%s\" in by clause\n", + fname, lineno, style ); + acl_usage(); + } + + if ( right == NULL || right[ 0 ] == '\0' ) { + fprintf( stderr, + "%s: line %d: missing \"=\" in (or value after) \"%s\" in by clause\n", + fname, lineno, left ); + acl_usage(); + } + + if( b->a_sockname_pat.bv_len ) { fprintf( stderr, "%s: line %d: sockname pattern already specified.\n", fname, lineno ); acl_usage(); } - regtest(fname, lineno, right); - b->a_sockname_pat = ch_strdup( right ); + b->a_sockname_style = sty; + if (sty == ACL_STYLE_REGEX) { + acl_regex_normalized_dn( right, &bv ); + if ( !ber_bvccmp( &bv, '*' ) ) { + regtest(fname, lineno, bv.bv_val); + } + b->a_sockname_pat = bv; + } else { + ber_str2bv( right, 0, 1, &b->a_sockname_pat ); + } continue; } if ( strcasecmp( left, "domain" ) == 0 ) { - if( b->a_domain_pat != NULL ) { + switch ( sty ) { + case ACL_STYLE_REGEX: + case ACL_STYLE_BASE: + case ACL_STYLE_SUBTREE: + break; + + default: + fprintf( stderr, + "%s: line %d: inappropriate style \"%s\" in by clause\n", + fname, lineno, style ); + acl_usage(); + } + + if ( right == NULL || right[ 0 ] == '\0' ) { + fprintf( stderr, + "%s: line %d: missing \"=\" in (or value after) \"%s\" in by clause\n", + fname, lineno, left ); + acl_usage(); + } + + if( b->a_domain_pat.bv_len ) { fprintf( stderr, "%s: line %d: domain pattern already specified.\n", fname, lineno ); acl_usage(); } - regtest(fname, lineno, right); - b->a_domain_pat = ch_strdup( right ); + b->a_domain_style = sty; + b->a_domain_expand = expand; + if (sty == ACL_STYLE_REGEX) { + acl_regex_normalized_dn( right, &bv ); + if ( !ber_bvccmp( &bv, '*' ) ) { + regtest(fname, lineno, bv.bv_val); + } + b->a_domain_pat = bv; + } else { + ber_str2bv( right, 0, 1, &b->a_domain_pat ); + } continue; } if ( strcasecmp( left, "sockurl" ) == 0 ) { - if( b->a_sockurl_pat != NULL ) { + if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) { + fprintf( stderr, + "%s: line %d: inappropriate style \"%s\" in by clause\n", + fname, lineno, style ); + acl_usage(); + } + + if ( right == NULL || right[ 0 ] == '\0' ) { + fprintf( stderr, + "%s: line %d: missing \"=\" in (or value after) \"%s\" in by clause\n", + fname, lineno, left ); + acl_usage(); + } + + if( b->a_sockurl_pat.bv_len ) { fprintf( stderr, "%s: line %d: sockurl pattern already specified.\n", fname, lineno ); acl_usage(); } - regtest(fname, lineno, right); - b->a_sockurl_pat = ch_strdup( right ); + b->a_sockurl_style = sty; + if (sty == ACL_STYLE_REGEX) { + acl_regex_normalized_dn( right, &bv ); + if ( !ber_bvccmp( &bv, '*' ) ) { + regtest(fname, lineno, bv.bv_val); + } + b->a_sockurl_pat = bv; + } else { + ber_str2bv( right, 0, 1, &b->a_sockurl_pat ); + } + continue; + } + + if ( strcasecmp( left, "set" ) == 0 ) { + if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) { + fprintf( stderr, + "%s: line %d: inappropriate style \"%s\" in by clause\n", + fname, lineno, style ); + acl_usage(); + } + + if( b->a_set_pat.bv_len != 0 ) { + fprintf( stderr, + "%s: line %d: set attribute already specified.\n", + fname, lineno ); + acl_usage(); + } + + if ( right == NULL || *right == '\0' ) { + fprintf( stderr, + "%s: line %d: no set is defined\n", + fname, lineno ); + acl_usage(); + } + + b->a_set_style = sty; + ber_str2bv( right, 0, 1, &b->a_set_pat ); + continue; } #ifdef SLAPD_ACI_ENABLED if ( strcasecmp( left, "aci" ) == 0 ) { + if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) { + fprintf( stderr, + "%s: line %d: inappropriate style \"%s\" in by clause\n", + fname, lineno, style ); + acl_usage(); + } + if( b->a_aci_at != NULL ) { fprintf( stderr, "%s: line %d: aci attribute already specified.\n", @@ -339,13 +820,165 @@ parse_acl( acl_usage(); } - if ( right != NULL && *right != '\0' ) - b->a_aci_at = ch_strdup( right ); - else - b->a_aci_at = ch_strdup( SLAPD_ACI_DEFAULT_ATTR ); + if ( right != NULL && *right != '\0' ) { + rc = slap_str2ad( right, &b->a_aci_at, &text ); + + if( rc != LDAP_SUCCESS ) { + fprintf( stderr, + "%s: line %d: aci \"%s\": %s\n", + fname, lineno, right, text ); + acl_usage(); + } + + } else { + b->a_aci_at = slap_schema.si_ad_aci; + } + + if( !is_at_syntax( b->a_aci_at->ad_type, + SLAPD_ACI_SYNTAX) ) + { + fprintf( stderr, + "%s: line %d: aci \"%s\": inappropriate syntax: %s\n", + fname, lineno, right, + b->a_aci_at->ad_type->sat_syntax_oid ); + acl_usage(); + } + + continue; + } +#endif /* SLAPD_ACI_ENABLED */ + + if ( strcasecmp( left, "ssf" ) == 0 ) { + if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) { + fprintf( stderr, + "%s: line %d: inappropriate style \"%s\" in by clause\n", + fname, lineno, style ); + acl_usage(); + } + + if( b->a_authz.sai_ssf ) { + fprintf( stderr, + "%s: line %d: ssf attribute already specified.\n", + fname, lineno ); + acl_usage(); + } + + if ( right == NULL || *right == '\0' ) { + fprintf( stderr, + "%s: line %d: no ssf is defined\n", + fname, lineno ); + acl_usage(); + } + + b->a_authz.sai_ssf = atoi( right ); + + if( !b->a_authz.sai_ssf ) { + fprintf( stderr, + "%s: line %d: invalid ssf value (%s)\n", + fname, lineno, right ); + acl_usage(); + } + continue; + } + + if ( strcasecmp( left, "transport_ssf" ) == 0 ) { + if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) { + fprintf( stderr, + "%s: line %d: inappropriate style \"%s\" in by clause\n", + fname, lineno, style ); + acl_usage(); + } + + if( b->a_authz.sai_transport_ssf ) { + fprintf( stderr, + "%s: line %d: transport_ssf attribute already specified.\n", + fname, lineno ); + acl_usage(); + } + + if ( right == NULL || *right == '\0' ) { + fprintf( stderr, + "%s: line %d: no transport_ssf is defined\n", + fname, lineno ); + acl_usage(); + } + + b->a_authz.sai_transport_ssf = atoi( right ); + + if( !b->a_authz.sai_transport_ssf ) { + fprintf( stderr, + "%s: line %d: invalid transport_ssf value (%s)\n", + fname, lineno, right ); + acl_usage(); + } + continue; + } + + if ( strcasecmp( left, "tls_ssf" ) == 0 ) { + if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) { + fprintf( stderr, + "%s: line %d: inappropriate style \"%s\" in by clause\n", + fname, lineno, style ); + acl_usage(); + } + + if( b->a_authz.sai_tls_ssf ) { + fprintf( stderr, + "%s: line %d: tls_ssf attribute already specified.\n", + fname, lineno ); + acl_usage(); + } + + if ( right == NULL || *right == '\0' ) { + fprintf( stderr, + "%s: line %d: no tls_ssf is defined\n", + fname, lineno ); + acl_usage(); + } + + b->a_authz.sai_tls_ssf = atoi( right ); + + if( !b->a_authz.sai_tls_ssf ) { + fprintf( stderr, + "%s: line %d: invalid tls_ssf value (%s)\n", + fname, lineno, right ); + acl_usage(); + } + continue; + } + + if ( strcasecmp( left, "sasl_ssf" ) == 0 ) { + if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) { + fprintf( stderr, + "%s: line %d: inappropriate style \"%s\" in by clause\n", + fname, lineno, style ); + acl_usage(); + } + + if( b->a_authz.sai_sasl_ssf ) { + fprintf( stderr, + "%s: line %d: sasl_ssf attribute already specified.\n", + fname, lineno ); + acl_usage(); + } + + if ( right == NULL || *right == '\0' ) { + fprintf( stderr, + "%s: line %d: no sasl_ssf is defined\n", + fname, lineno ); + acl_usage(); + } + + b->a_authz.sai_sasl_ssf = atoi( right ); + + if( !b->a_authz.sai_sasl_ssf ) { + fprintf( stderr, + "%s: line %d: invalid sasl_ssf value (%s)\n", + fname, lineno, right ); + acl_usage(); + } continue; } -#endif if( right != NULL ) { /* unsplit */ @@ -357,7 +990,7 @@ parse_acl( if( i == argc || ( strcasecmp( left, "stop" ) == 0 )) { /* out of arguments or plain stop */ - ACL_PRIV_ASSIGN(b->a_mask, ACL_NONE); + ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE); b->a_type = ACL_STOP; access_append( &a->acl_access, b ); @@ -367,7 +1000,7 @@ parse_acl( if( strcasecmp( left, "continue" ) == 0 ) { /* plain continue */ - ACL_PRIV_ASSIGN(b->a_mask, ACL_NONE); + ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE); b->a_type = ACL_CONTINUE; access_append( &a->acl_access, b ); @@ -377,7 +1010,7 @@ parse_acl( if( strcasecmp( left, "break" ) == 0 ) { /* plain continue */ - ACL_PRIV_ASSIGN(b->a_mask, ACL_NONE); + ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE); b->a_type = ACL_BREAK; access_append( &a->acl_access, b ); @@ -387,7 +1020,7 @@ parse_acl( if ( strcasecmp( left, "by" ) == 0 ) { /* we've gone too far */ --i; - ACL_PRIV_ASSIGN(b->a_mask, ACL_NONE); + ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE); b->a_type = ACL_STOP; access_append( &a->acl_access, b ); @@ -397,13 +1030,13 @@ parse_acl( /* get */ if( strncasecmp( left, "self", 4 ) == 0 ) { b->a_dn_self = 1; - ACL_PRIV_ASSIGN( b->a_mask, str2accessmask( &left[4] ) ); + ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[4] ) ); } else { - ACL_PRIV_ASSIGN( b->a_mask, str2accessmask( left ) ); + ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( left ) ); } - if( ACL_IS_INVALID( b->a_mask ) ) { + if( ACL_IS_INVALID( b->a_access_mask ) ) { fprintf( stderr, "%s: line %d: expecting got \"%s\"\n", fname, lineno, left ); @@ -448,10 +1081,9 @@ parse_acl( fname, lineno ); } else { - #ifdef LDAP_DEBUG - if (ldap_debug & LDAP_DEBUG_ACL) - print_acl(be, a); + if (ldap_debug & LDAP_DEBUG_ACL) + print_acl(be, a); #endif if ( a->acl_access == NULL ) { @@ -469,10 +1101,12 @@ parse_acl( } char * -accessmask2str( slap_access_mask_t mask ) +accessmask2str( slap_mask_t mask, char *buf ) { - static char buf[sizeof("unknown (+wrsca0)")]; int none=1; + char *ptr = buf; + + assert( buf != NULL ); if ( ACL_IS_INVALID( mask ) ) { return "invalid"; @@ -482,80 +1116,88 @@ accessmask2str( slap_access_mask_t mask ) if ( ACL_IS_LEVEL( mask ) ) { if ( ACL_LVL_IS_NONE(mask) ) { - strcat( buf, "none" ); + ptr = lutil_strcopy( ptr, "none" ); } else if ( ACL_LVL_IS_AUTH(mask) ) { - strcat( buf, "auth" ); + ptr = lutil_strcopy( ptr, "auth" ); } else if ( ACL_LVL_IS_COMPARE(mask) ) { - strcat( buf, "compare" ); + ptr = lutil_strcopy( ptr, "compare" ); } else if ( ACL_LVL_IS_SEARCH(mask) ) { - strcat( buf, "search" ); + ptr = lutil_strcopy( ptr, "search" ); } else if ( ACL_LVL_IS_READ(mask) ) { - strcat( buf, "read" ); + ptr = lutil_strcopy( ptr, "read" ); } else if ( ACL_LVL_IS_WRITE(mask) ) { - strcat( buf, "write" ); + ptr = lutil_strcopy( ptr, "write" ); } else { - strcat( buf, "unknown" ); + ptr = lutil_strcopy( ptr, "unknown" ); } - strcat(buf, " ("); + *ptr++ = '('; } if( ACL_IS_ADDITIVE( mask ) ) { - strcat( buf, "+" ); + *ptr++ = '+'; } else if( ACL_IS_SUBTRACTIVE( mask ) ) { - strcat( buf, "-" ); + *ptr++ = '-'; } else { - strcat( buf, "=" ); + *ptr++ = '='; } if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WRITE) ) { none = 0; - strcat( buf, "w" ); + *ptr++ = 'w'; } if ( ACL_PRIV_ISSET(mask, ACL_PRIV_READ) ) { none = 0; - strcat( buf, "r" ); + *ptr++ = 'r'; } if ( ACL_PRIV_ISSET(mask, ACL_PRIV_SEARCH) ) { none = 0; - strcat( buf, "s" ); + *ptr++ = 's'; } if ( ACL_PRIV_ISSET(mask, ACL_PRIV_COMPARE) ) { none = 0; - strcat( buf, "c" ); + *ptr++ = 'c'; } if ( ACL_PRIV_ISSET(mask, ACL_PRIV_AUTH) ) { none = 0; - strcat( buf, "x" ); + *ptr++ = 'x'; } if ( none && ACL_PRIV_ISSET(mask, ACL_PRIV_NONE) ) { - strcat( buf, "0" ); + none = 0; + *ptr++ = 'n'; } + if ( none ) { + *ptr++ = '0'; + } + if ( ACL_IS_LEVEL( mask ) ) { - strcat(buf, ")"); - } + *ptr++ = ')'; + } + + *ptr = '\0'; + return buf; } -slap_access_mask_t +slap_mask_t str2accessmask( const char *str ) { - slap_access_mask_t mask; + slap_mask_t mask; - if( !isalpha(str[0]) ) { + if( !ASCII_ALPHA(str[0]) ) { int i; if ( str[0] == '=' ) { @@ -573,22 +1215,22 @@ str2accessmask( const char *str ) } for( i=1; str[i] != '\0'; i++ ) { - if( TOLOWER(str[i]) == 'w' ) { + if( TOLOWER((unsigned char) str[i]) == 'w' ) { ACL_PRIV_SET(mask, ACL_PRIV_WRITE); - } else if( TOLOWER(str[0]) == 'r' ) { + } else if( TOLOWER((unsigned char) str[i]) == 'r' ) { ACL_PRIV_SET(mask, ACL_PRIV_READ); - } else if( TOLOWER(str[0]) == 's' ) { + } else if( TOLOWER((unsigned char) str[i]) == 's' ) { ACL_PRIV_SET(mask, ACL_PRIV_SEARCH); - } else if( TOLOWER(str[0]) == 'c' ) { + } else if( TOLOWER((unsigned char) str[i]) == 'c' ) { ACL_PRIV_SET(mask, ACL_PRIV_COMPARE); - } else if( TOLOWER(str[0]) == 'x' ) { + } else if( TOLOWER((unsigned char) str[i]) == 'x' ) { ACL_PRIV_SET(mask, ACL_PRIV_AUTH); - } else { + } else if( str[i] != '0' ) { ACL_INVALIDATE(mask); return mask; } @@ -627,18 +1269,22 @@ acl_usage( void ) { fprintf( stderr, "\n" " ::= access to " - "[ by ]+ \n" - " ::= * | [dn=] [filter=] [attrs=]\n" + "[ by [ ] ]+ \n" + " ::= * | [dn[.]=] [filter=] [attrs=]\n" " ::= | , \n" " ::= | entry | children\n" - " ::= [ * | anonymous | self | dn= ]\n" + " ::= [ * | anonymous | users | self | dn[.]= ]\n" "\t[dnattr=]\n" - "\t[group[/[/]]=]\n" - "\t[peername=] [sockname=]\n" - "\t[domain=] [sockurl=]\n" + "\t[group[/[/]][.