X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Faclparse.c;h=f41c702ca6f9e3efe76ce6fc861fada46f6a4b3f;hb=2ece0ee378a47df99a05a0dd0db3763bdf9bb125;hp=7f008dfd0300248efd09249c2de6280b5c7bb778;hpb=0ec43c31bab5c343bd3b930829a695e9dcd2f15e;p=openldap diff --git a/servers/slapd/aclparse.c b/servers/slapd/aclparse.c index 7f008dfd03..f41c702ca6 100644 --- a/servers/slapd/aclparse.c +++ b/servers/slapd/aclparse.c @@ -1,7 +1,7 @@ -/* acl.c - routines to parse and check acl's */ +/* aclparse.c - routines to parse and check acl's */ /* $OpenLDAP$ */ /* - * Copyright 1998-1999 The OpenLDAP Foundation, All Rights Reserved. + * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved. * COPYING RESTRICTIONS APPLY, see COPYRIGHT file */ @@ -92,9 +92,11 @@ parse_acl( ) { int i; - char *left, *right; + char *left, *right, *style; AccessControl *a; Access *b; + int rc; + const char *text; a = NULL; for ( i = 1; i < argc; i++ ) { @@ -132,6 +134,14 @@ parse_acl( } split( argv[i], '=', &left, &right ); + split( left, '.', &left, &style ); + + if ( right == NULL || *right == '\0' ) { + fprintf( stderr, + "%s: line %d: missing \"=\" in (or value after) \"%s\" in to clause\n", + fname, lineno, left ); + acl_usage(); + } if ( strcasecmp( left, "dn" ) == 0 ) { if( a->acl_dn_pat != NULL ) { @@ -142,40 +152,49 @@ parse_acl( acl_usage(); } - if ( right == NULL ) { - fprintf( stderr, - "%s: line %d: missing \"=\" in \"%s\" in to clause\n", - fname, lineno, left ); - acl_usage(); - } + if ( style == NULL || *style == '\0' + || strcasecmp( style, "regex" ) == 0 ) + { + a->acl_dn_style = ACL_STYLE_REGEX; + if ( strcmp(right, "*") == 0 + || strcmp(right, ".*") == 0 + || strcmp(right, ".*$") == 0 + || strcmp(right, "^.*") == 0 + || strcmp(right, "^.*$$") == 0 + || strcmp(right, ".*$$") == 0 + || strcmp(right, "^.*$$") == 0 ) + { + a->acl_dn_pat = ch_strdup( "*" ); - if( *right == '\0' ) { - a->acl_dn_pat = ch_strdup("^$"); + } else { + a->acl_dn_pat = ch_strdup( right ); + } + } else if ( strcasecmp( style, "base" ) == 0 ) { + a->acl_dn_style = ACL_STYLE_BASE; + a->acl_dn_pat = ch_strdup( right ); - } else if ( strcmp(right, "*") == 0 - || strcmp(right, ".*") == 0 - || strcmp(right, ".*$") == 0 - || strcmp(right, "^.*") == 0 - || strcmp(right, "^.*$$") == 0 - || strcmp(right, ".*$$") == 0 - || strcmp(right, "^.*$$") == 0 ) - { - a->acl_dn_pat = ch_strdup( "*" ); + } else if ( strcasecmp( style, "one" ) == 0 ) { + a->acl_dn_style = ACL_STYLE_ONE; + a->acl_dn_pat = ch_strdup( right ); - } else { + } else if ( strcasecmp( style, "subtree" ) == 0 ) { + a->acl_dn_style = ACL_STYLE_SUBTREE; + a->acl_dn_pat = ch_strdup( right ); + + } else if ( strcasecmp( style, "children" ) == 0 ) { + a->acl_dn_style = ACL_STYLE_CHILDREN; a->acl_dn_pat = ch_strdup( right ); + + } else { + fprintf( stderr, + "%s: line %d: unknown dn style \"%s\" in to clause\n", + fname, lineno, style ); + acl_usage(); } continue; } - if ( right == NULL || *right == '\0' ) { - fprintf( stderr, - "%s: line %d: missing \"=\" in (or value after) \"%s\" in to clause\n", - fname, lineno, left ); - acl_usage(); - } - if ( strcasecmp( left, "filter" ) == 0 ) { if ( (a->acl_filter = str2filter( right )) == NULL ) { @@ -206,15 +225,21 @@ parse_acl( } if( a->acl_dn_pat != NULL ) { - int e = regcomp( &a->acl_dn_re, a->acl_dn_pat, - REG_EXTENDED | REG_ICASE ); - if ( e ) { - char buf[512]; - regerror( e, &a->acl_dn_re, buf, sizeof(buf) ); - fprintf( stderr, - "%s: line %d: regular expression \"%s\" bad because of %s\n", - fname, lineno, right, buf ); - acl_usage(); + if ( a->acl_dn_style != ACL_STYLE_REGEX ) + { + dn_normalize(a->acl_dn_pat); + + } else { + int e = regcomp( &a->acl_dn_re, a->acl_dn_pat, + REG_EXTENDED | REG_ICASE ); + if ( e ) { + char buf[512]; + regerror( e, &a->acl_dn_re, buf, sizeof(buf) ); + fprintf( stderr, + "%s: line %d: regular expression \"%s\" bad because of %s\n", + fname, lineno, right, buf ); + acl_usage(); + } } } @@ -245,7 +270,30 @@ parse_acl( /* get */ for ( ; i < argc; i++ ) { char *pat; + slap_style_t sty = ACL_STYLE_REGEX; + split( argv[i], '=', &left, &right ); + split( left, '.', &left, &style ); + if ( style == NULL || *style == '\0' + || strcasecmp( style, "regex" ) == 0 ) + { + sty = ACL_STYLE_REGEX; + } else if ( strcasecmp( style, "exact" ) == 0 ) { + sty = ACL_STYLE_EXACT; + } else if ( strcasecmp( style, "base" ) == 0 ) { + sty = ACL_STYLE_BASE; + } else if ( strcasecmp( style, "one" ) == 0 ) { + sty = ACL_STYLE_ONE; + } else if ( strcasecmp( style, "subtree" ) == 0 ) { + sty = ACL_STYLE_SUBTREE; + } else if ( strcasecmp( style, "children" ) == 0 ) { + sty = ACL_STYLE_CHILDREN; + } else { + fprintf( stderr, + "%s: line %d: unknown style \"%s\" in by clause\n", + fname, lineno, style ); + acl_usage(); + } if ( strcasecmp( argv[i], "*" ) == 0 ) { pat = ch_strdup( "*" ); @@ -260,39 +308,50 @@ parse_acl( pat = ch_strdup( "users" ); } else if ( strcasecmp( left, "dn" ) == 0 ) { - if( right == NULL ) { - /* no '=' */ - pat = ch_strdup( "users" ); - - } else if (*right == '\0' ) { - /* dn="" */ - pat = ch_strdup( "anonymous" ); - - } else if ( strcmp( right, "*" ) == 0 ) { - /* dn=* / - /* any or users? any for now */ - pat = ch_strdup( "users" ); - - } else if ( strcmp( right, ".+" ) == 0 - || strcmp( right, "^.+" ) == 0 - || strcmp( right, ".+$" ) == 0 - || strcmp( right, "^.+$" ) == 0 - || strcmp( right, ".+$$" ) == 0 - || strcmp( right, "^.+$$" ) == 0 ) - { - pat = ch_strdup( "users" ); - - } else if ( strcmp( right, ".*" ) == 0 - || strcmp( right, "^.*" ) == 0 - || strcmp( right, ".*$" ) == 0 - || strcmp( right, "^.*$" ) == 0 - || strcmp( right, ".*$$" ) == 0 - || strcmp( right, "^.*$$" ) == 0 ) - { - pat = ch_strdup( "*" ); + if ( sty == ACL_STYLE_REGEX ) { + b->a_dn_style = ACL_STYLE_REGEX; + if( right == NULL ) { + /* no '=' */ + pat = ch_strdup( "users" ); + + } else if (*right == '\0' ) { + /* dn="" */ + pat = ch_strdup( "anonymous" ); + + } else if ( strcmp( right, "*" ) == 0 ) { + /* dn=* */ + /* any or users? users for now */ + pat = ch_strdup( "users" ); + + } else if ( strcmp( right, ".+" ) == 0 + || strcmp( right, "^.+" ) == 0 + || strcmp( right, ".+$" ) == 0 + || strcmp( right, "^.+$" ) == 0 + || strcmp( right, ".+$$" ) == 0 + || strcmp( right, "^.+$$" ) == 0 ) + { + pat = ch_strdup( "users" ); + + } else if ( strcmp( right, ".*" ) == 0 + || strcmp( right, "^.*" ) == 0 + || strcmp( right, ".*$" ) == 0 + || strcmp( right, "^.*$" ) == 0 + || strcmp( right, ".*$$" ) == 0 + || strcmp( right, "^.*$$" ) == 0 ) + { + pat = ch_strdup( "*" ); + + } else { + regtest(fname, lineno, right); + pat = ch_strdup( right ); + } + } else if ( right == NULL || *right == '\0' ) { + fprintf( stderr, + "%s: line %d: missing \"=\" in (or value after) \"%s\" in by clause\n", + fname, lineno, left ); + acl_usage(); } else { - regtest(fname, lineno, right); pat = ch_strdup( right ); } @@ -309,21 +368,51 @@ parse_acl( } b->a_dn_pat = pat; + b->a_dn_style = sty; + if ( sty != ACL_STYLE_REGEX ) + dn_normalize(pat); continue; } if ( strcasecmp( left, "dnattr" ) == 0 ) { - if( b->a_dn_pat != NULL ) { + if( b->a_dn_at != NULL ) { fprintf( stderr, - "%s: line %d: dnaddr already specified.\n", + "%s: line %d: dnattr already specified.\n", fname, lineno ); acl_usage(); } - b->a_dn_at = ch_strdup( right ); + rc = slap_str2ad( right, &b->a_dn_at, &text ); + + if( rc != LDAP_SUCCESS ) { + fprintf( stderr, + "%s: line %d: dnattr \"%s\": %s\n", + fname, lineno, right, text ); + acl_usage(); + } + + + if( !is_at_syntax( b->a_dn_at->ad_type, + SLAPD_DN_SYNTAX ) ) + { + fprintf( stderr, + "%s: line %d: dnattr \"%s\": " + "inappropriate syntax: %s\n", + fname, lineno, right, + b->a_dn_at->ad_type->sat_syntax_oid ); + acl_usage(); + } + continue; } + if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) { + fprintf( stderr, + "%s: line %d: inappropriate style \"%s\" in by clause\n", + fname, lineno, style ); + acl_usage(); + } + if ( strncasecmp( left, "group", sizeof("group")-1 ) == 0 ) { char *name = NULL; char *value = NULL; @@ -338,28 +427,117 @@ parse_acl( /* format of string is "group/objectClassValue/groupAttrName" */ if ((value = strchr(left, '/')) != NULL) { *value++ = '\0'; - if (value && *value + if (*value && (name = strchr(value, '/')) != NULL) { *name++ = '\0'; } } - regtest(fname, lineno, right); - b->a_group_pat = ch_strdup( right ); + b->a_group_style = sty; + if (sty == ACL_STYLE_REGEX) { + regtest(fname, lineno, right); + b->a_group_pat = ch_strdup( right ); + } else { + b->a_group_pat = ch_strdup( right ); + dn_normalize(b->a_group_pat); + } if (value && *value) { - b->a_group_oc = ch_strdup(value); + b->a_group_oc = oc_find( value ); *--value = '/'; + + if( b->a_group_oc == NULL ) { + fprintf( stderr, + "%s: line %d: group objectclass " + "\"%s\" unknown\n", + fname, lineno, value ); + acl_usage(); + } } else { - b->a_group_oc = ch_strdup("groupOfNames"); + b->a_group_oc = oc_find(SLAPD_GROUP_CLASS); + + if( b->a_group_oc == NULL ) { + fprintf( stderr, + "%s: line %d: group default objectclass " + "\"%s\" unknown\n", + fname, lineno, SLAPD_GROUP_CLASS ); + acl_usage(); + } + } - if (name && *name) { - b->a_group_at = ch_strdup(name); - *--name = '/'; + if( is_object_subclass( b->a_group_oc, + slap_schema.si_oc_referral ) ) + { + fprintf( stderr, + "%s: line %d: group objectclass \"%s\" " + "is subclass of referral\n", + fname, lineno, value ); + acl_usage(); + } - } else { - b->a_group_at = ch_strdup("member"); + if( is_object_subclass( b->a_group_oc, + slap_schema.si_oc_alias ) ) + { + fprintf( stderr, + "%s: line %d: group objectclass \"%s\" " + "is subclass of alias\n", + fname, lineno, value ); + acl_usage(); + } + + if (name && *name) { + rc = slap_str2ad( right, &b->a_group_at, &text ); + + if( rc != LDAP_SUCCESS ) { + fprintf( stderr, + "%s: line %d: group \"%s\": %s\n", + fname, lineno, right, text ); + acl_usage(); + } + *--name = '/'; + } else { + rc = slap_str2ad( SLAPD_GROUP_ATTR, &b->a_group_at, &text ); + + if( rc != LDAP_SUCCESS ) { + fprintf( stderr, + "%s: line %d: group \"%s\": %s\n", + fname, lineno, SLAPD_GROUP_ATTR, text ); + acl_usage(); + } + } + + if( !is_at_syntax( b->a_group_at->ad_type, + SLAPD_DN_SYNTAX ) ) + { + fprintf( stderr, + "%s: line %d: group \"%s\": inappropriate syntax: %s\n", + fname, lineno, right, + b->a_group_at->ad_type->sat_syntax_oid ); + acl_usage(); + } + + + { + int rc; + struct berval val; + struct berval *vals[2]; + + val.bv_val = b->a_group_oc->soc_oid; + val.bv_len = strlen(val.bv_val); + vals[0] = &val; + vals[1] = NULL; + + + rc = oc_check_allowed( b->a_group_at->ad_type, vals ); + + if( rc != 0 ) { + fprintf( stderr, + "%s: line %d: group: \"%s\" not allowed by \"%s\"\n", + fname, lineno, + b->a_group_at->ad_cname->bv_val, + b->a_group_oc->soc_oid ); + acl_usage(); } } continue; @@ -373,7 +551,10 @@ parse_acl( acl_usage(); } - regtest(fname, lineno, right); + b->a_peername_style = sty; + if (sty == ACL_STYLE_REGEX) { + regtest(fname, lineno, right); + } b->a_peername_pat = ch_strdup( right ); continue; } @@ -386,7 +567,10 @@ parse_acl( acl_usage(); } - regtest(fname, lineno, right); + b->a_sockname_style = sty; + if (sty == ACL_STYLE_REGEX) { + regtest(fname, lineno, right); + } b->a_sockname_pat = ch_strdup( right ); continue; } @@ -399,7 +583,10 @@ parse_acl( acl_usage(); } - regtest(fname, lineno, right); + b->a_domain_style = sty; + if (sty == ACL_STYLE_REGEX) { + regtest(fname, lineno, right); + } b->a_domain_pat = ch_strdup( right ); continue; } @@ -412,11 +599,35 @@ parse_acl( acl_usage(); } - regtest(fname, lineno, right); + b->a_sockurl_style = sty; + if (sty == ACL_STYLE_REGEX) { + regtest(fname, lineno, right); + } b->a_sockurl_pat = ch_strdup( right ); continue; } + if ( strcasecmp( left, "set" ) == 0 ) { + if( b->a_set_pat != NULL ) { + fprintf( stderr, + "%s: line %d: set attribute already specified.\n", + fname, lineno ); + acl_usage(); + } + + if ( right == NULL || *right == '\0' ) { + fprintf( stderr, + "%s: line %d: no set is defined\n", + fname, lineno ); + acl_usage(); + } + + b->a_set_style = sty; + b->a_set_pat = ch_strdup(right); + + continue; + } + #ifdef SLAPD_ACI_ENABLED if ( strcasecmp( left, "aci" ) == 0 ) { if( b->a_aci_at != NULL ) { @@ -426,13 +637,40 @@ parse_acl( acl_usage(); } - if ( right != NULL && *right != '\0' ) - b->a_aci_at = ch_strdup( right ); - else - b->a_aci_at = ch_strdup( SLAPD_ACI_DEFAULT_ATTR ); + if ( right != NULL && *right != '\0' ) { + rc = slap_str2ad( right, &b->a_aci_at, &text ); + + if( rc != LDAP_SUCCESS ) { + fprintf( stderr, + "%s: line %d: aci \"%s\": %s\n", + fname, lineno, right, text ); + acl_usage(); + } + + } else { + rc = slap_str2ad( SLAPD_ACI_ATTR, &b->a_aci_at, &text ); + + if( rc != LDAP_SUCCESS ) { + fprintf( stderr, + "%s: line %d: aci \"%s\": %s\n", + fname, lineno, SLAPD_ACI_ATTR, text ); + acl_usage(); + } + } + + if( !is_at_syntax( b->a_aci_at->ad_type, + SLAPD_ACI_SYNTAX) ) + { + fprintf( stderr, + "%s: line %d: aci \"%s\": inappropriate syntax: %s\n", + fname, lineno, right, + b->a_aci_at->ad_type->sat_syntax_oid ); + acl_usage(); + } + continue; } -#endif +#endif /* SLAPD_ACI_ENABLED */ if( right != NULL ) { /* unsplit */ @@ -647,7 +885,7 @@ str2accessmask( const char *str ) { slap_access_mask_t mask; - if( !isalpha(str[0]) ) { + if( !ASCII_ALPHA(str[0]) ) { int i; if ( str[0] == '=' ) { @@ -771,8 +1009,67 @@ acl_append( AccessControl **l, AccessControl *a ) *l = a; } +char * +access2str( slap_access_t access ) +{ + if ( access == ACL_NONE ) { + return "none"; + + } else if ( access == ACL_AUTH ) { + return "auth"; + + } else if ( access == ACL_COMPARE ) { + return "compare"; + + } else if ( access == ACL_SEARCH ) { + return "search"; + + } else if ( access == ACL_READ ) { + return "read"; + + } else if ( access == ACL_WRITE ) { + return "write"; + } + + return "unknown"; +} + +slap_access_t +str2access( const char *str ) +{ + if ( strcasecmp( str, "none" ) == 0 ) { + return ACL_NONE; + + } else if ( strcasecmp( str, "auth" ) == 0 ) { + return ACL_AUTH; + + } else if ( strcasecmp( str, "compare" ) == 0 ) { + return ACL_COMPARE; + + } else if ( strcasecmp( str, "search" ) == 0 ) { + return ACL_SEARCH; + + } else if ( strcasecmp( str, "read" ) == 0 ) { + return ACL_READ; + + } else if ( strcasecmp( str, "write" ) == 0 ) { + return ACL_WRITE; + } + + return( ACL_INVALID_ACCESS ); +} + #ifdef LDAP_DEBUG +static char *style_strings[5] = { + "regex", + "base", + "one", + "subtree", + "children" + }; + + static void print_access( Access *b ) { @@ -789,22 +1086,23 @@ print_access( Access *b ) fprintf( stderr, " %s", b->a_dn_pat ); } else { - fprintf( stderr, " dn=%s", b->a_dn_pat ); + fprintf( stderr, " dn.%s=%s", style_strings[b->a_dn_style], b->a_dn_pat ); } } if ( b->a_dn_at != NULL ) { - fprintf( stderr, " dnattr=%s", b->a_dn_at ); + fprintf( stderr, " dnattr=%s", b->a_dn_at->ad_cname->bv_val ); } if ( b->a_group_pat != NULL ) { - fprintf( stderr, " group: %s", b->a_group_pat ); + fprintf( stderr, " group=%s", b->a_group_pat ); if ( b->a_group_oc ) { - fprintf( stderr, " objectClass: %s", b->a_group_oc ); + fprintf( stderr, " objectClass: %s", + b->a_group_oc->soc_oclass.oc_oid ); if ( b->a_group_at ) { - fprintf( stderr, " attributeType: %s", b->a_group_at ); + fprintf( stderr, " attributeType: %s", b->a_group_at->ad_cname->bv_val ); } } } @@ -827,7 +1125,7 @@ print_access( Access *b ) #ifdef SLAPD_ACI_ENABLED if ( b->a_aci_at != NULL ) { - fprintf( stderr, " aci=%s", b->a_aci_at ); + fprintf( stderr, " aci=%s", b->a_aci_at->ad_cname->bv_val ); } #endif @@ -848,56 +1146,6 @@ print_access( Access *b ) fprintf( stderr, "\n" ); } -char * -access2str( slap_access_t access ) -{ - if ( access == ACL_NONE ) { - return "none"; - - } else if ( access == ACL_AUTH ) { - return "auth"; - - } else if ( access == ACL_COMPARE ) { - return "compare"; - - } else if ( access == ACL_SEARCH ) { - return "search"; - - } else if ( access == ACL_READ ) { - return "read"; - - } else if ( access == ACL_WRITE ) { - return "write"; - } - - return "unknown"; -} - -slap_access_t -str2access( const char *str ) -{ - if ( strcasecmp( str, "none" ) == 0 ) { - return ACL_NONE; - - } else if ( strcasecmp( str, "auth" ) == 0 ) { - return ACL_AUTH; - - } else if ( strcasecmp( str, "compare" ) == 0 ) { - return ACL_COMPARE; - - } else if ( strcasecmp( str, "search" ) == 0 ) { - return ACL_SEARCH; - - } else if ( strcasecmp( str, "read" ) == 0 ) { - return ACL_READ; - - } else if ( strcasecmp( str, "write" ) == 0 ) { - return ACL_WRITE; - } - - return( ACL_INVALID_ACCESS ); -} - static void print_acl( Backend *be, AccessControl *a ) @@ -910,8 +1158,8 @@ print_acl( Backend *be, AccessControl *a ) if ( a->acl_dn_pat != NULL ) { to++; - fprintf( stderr, " dn=%s\n", - a->acl_dn_pat ); + fprintf( stderr, " dn.%s=%s\n", + style_strings[a->acl_dn_style], a->acl_dn_pat ); } if ( a->acl_filter != NULL ) {