sockname[.<style>]=<sockname>
domain[.<domainstyle>[,<modifier>]]=<domain>
sockurl[.<style>]=<sockurl>
- set[.<style>]=<pattern>
+ set[.<setstyle>]=<pattern>
ssf=<n>
transport_ssf=<n>
.nf
<dnstyle>={{exact|base}|regex|sub(tree)|one(level)|children}
<groupstyle>={exact|expand}
- <style>={exact|regex}
- <peernamestyle>={exact|regex|ip|path}
+ <style>={exact|regex|expand}
+ <peernamestyle>={<style>|ip|path}
<domainstyle>={exact|regex|sub(tree)}
+ <setstyle>={exact|regex}
<modifier>={expand}
.fi
.LP
.B style
rules for pattern match described for the
.B group
-case apply.
+case apply, plus the
+.B regex
+style, which implies submatch
+.B expand
+and
+.BR regex (7)
+match of the corresponding connection parameters.
The
.B exact
style of the
exactly matches the
.BR domain
pattern.
+The
+.B expand
+style is allowed, implying an
+.B exact
+match with submatch expansion; the use of
+.B expand
+as a style modifier is considered more appropriate.
As an example,
.B domain.subtree=example.com
will match www.example.com, but will not match www.anotherexample.com.
{
continue;
}
+
+ } else if ( b->a_sockurl_style == ACL_STYLE_EXPAND ) {
+ struct berval bv;
+ char buf[ACL_BUF_SIZE];
+
+ bv.bv_len = sizeof( buf ) - 1;
+ bv.bv_val = buf;
+ string_expand( &bv, &b->a_sockurl_pat, e->e_ndn, matches );
+
+ if ( ber_bvstrcasecmp( &bv, &op->o_conn->c_listener_url ) != 0 ) {
+ continue;
+ }
+
} else {
if ( ber_bvstrcasecmp( &b->a_sockurl_pat, &op->o_conn->c_listener_url ) != 0 )
continue;
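Review bot: The result of `string_expand( &bv, &b->a_sockurl_pat, e->e_ndn, matches )` is compared without any check that the expansion fitted in `buf`. If string_expand truncates at `sizeof( buf ) - 1` (its definition is outside this hunk), the access decision is made on a shortened string. For an ACL match it would be safer to treat an over-long expansion as no match and `continue`, or at minimum to record the limit with `/* expansion is capped at ACL_BUF_SIZE - 1 bytes; overflow is not detected here */`. The same branch is repeated for `a_peername_pat` and `a_sockname_pat` in the two later hunks, so one static helper taking the pattern and the connection value would keep that handling in one place. The enclosing if/else chain starts and ends outside the hunk.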
b->a_peername_pat.bv_val, 0, 0 );
#endif
if ( !ber_bvccmp( &b->a_peername_pat, '*' ) ) {
- if ( b->a_peername_style == ACL_STYLE_REGEX) {
+ if ( b->a_peername_style == ACL_STYLE_REGEX ) {
if (!regex_matches( &b->a_peername_pat, op->o_conn->c_peer_name.bv_val,
e->e_ndn, matches ) )
{
} else {
/* try exact match */
if ( b->a_peername_style == ACL_STYLE_BASE ) {
- if ( ber_bvstrcasecmp( &b->a_peername_pat, &op->o_conn->c_peer_name ) != 0 )
+ if ( ber_bvstrcasecmp( &b->a_peername_pat, &op->o_conn->c_peer_name ) != 0 ) {
continue;
+ }
+
+ } else if ( b->a_peername_style == ACL_STYLE_EXPAND ) {
+ struct berval bv;
+ char buf[ACL_BUF_SIZE];
+
+ bv.bv_len = sizeof( buf ) - 1;
+ bv.bv_val = buf;
+ string_expand( &bv, &b->a_peername_pat, e->e_ndn, matches );
+
+ if ( ber_bvstrcasecmp( &bv, &op->o_conn->c_peer_name ) != 0 ) {
+ continue;
+ }
/* extract IP and try exact match */
} else if ( b->a_peername_style == ACL_STYLE_IP ) {
{
continue;
}
+
+ } else if ( b->a_sockname_style == ACL_STYLE_EXPAND ) {
+ struct berval bv;
+ char buf[ACL_BUF_SIZE];
+
+ bv.bv_len = sizeof( buf ) - 1;
+ bv.bv_val = buf;
+ string_expand( &bv, &b->a_sockname_pat, e->e_ndn, matches );
+
+ if ( ber_bvstrcasecmp( &bv, &op->o_conn->c_sock_name ) != 0 ) {
+ continue;
+ }
+
} else {
if ( ber_bvstrcasecmp( &b->a_sockname_pat, &op->o_conn->c_sock_name ) != 0 )
continue;
break;
default:
+ /* we'll see later if it's pertinent */
expand = 1;
break;
}
}
+ /* expand in <who> needs regex in <what> */
if ( ( sty == ACL_STYLE_EXPAND || expand )
- && ( a->acl_dn_pat.bv_len && a->acl_dn_style != ACL_STYLE_REGEX) )
+ && a->acl_dn_style != ACL_STYLE_REGEX )
{
fprintf( stderr, "%s: line %d: "
"\"expand\" style or modifier used "
switch ( sty ) {
case ACL_STYLE_REGEX:
- /* legacy */
+ /* legacy, tolerated */
fprintf( stderr, "%s: line %d: "
"deprecated group style \"regex\"; "
"use \"expand\" instead\n",
sty = ACL_STYLE_EXPAND;
break;
- case ACL_STYLE_EXPAND:
case ACL_STYLE_BASE:
- /* legal */
+ /* legal, traditional */
+ case ACL_STYLE_EXPAND:
+ /* legal, substring expansion; supersedes regex */
break;
default:
- /* unhandled */
+ /* unknown */
fprintf( stderr, "%s: line %d: "
"inappropriate style \"%s\" in by clause\n",
fname, lineno, style );
switch (sty) {
case ACL_STYLE_REGEX:
case ACL_STYLE_BASE:
+ /* legal, traditional */
+ case ACL_STYLE_EXPAND:
+ /* cheap replacement to regex for simple expansion */
case ACL_STYLE_IP:
case ACL_STYLE_PATH:
+ /* legal, peername specific */
break;
default:
}
if ( strcasecmp( left, "sockname" ) == 0 ) {
- if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
+ switch (sty) {
+ case ACL_STYLE_REGEX:
+ case ACL_STYLE_BASE:
+ /* legal, traditional */
+ case ACL_STYLE_EXPAND:
+ /* cheap replacement to regex for simple expansion */
+ break;
+
+ default:
+ /* unknown */
fprintf( stderr, "%s: line %d: "
"inappropriate style \"%s\" in by clause\n",
fname, lineno, style );
case ACL_STYLE_REGEX:
case ACL_STYLE_BASE:
case ACL_STYLE_SUBTREE:
+ /* legal, traditional */
+ break;
+
+ case ACL_STYLE_EXPAND:
+ /* tolerated: means exact,expand */
+ if ( expand ) {
+ fprintf( stderr,
+ "%s: line %d: "
+ "\"expand\" modifier with \"expand\" style\n",
+ fname, lineno );
+ }
+ sty = ACL_STYLE_BASE;
+ expand = 1;
break;
default:
+ /* unknown */
fprintf( stderr,
"%s: line %d: inappropriate style \"%s\" in by clause\n",
fname, lineno, style );
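Review bot: The diagnostic in the new `case ACL_STYLE_EXPAND:` does not say that the clause is still accepted. It is printed in the same form as the "inappropriate style" errors, but the code then continues with `sty = ACL_STYLE_BASE; expand = 1;` and no `acl_usage()` call is visible in this case. An administrator reading the log cannot tell whether the access rule was loaded, so the text should mark it as advisory, for example `"warning: redundant \"expand\" modifier with \"expand\" style\n"`. The switch header and the code following the `default:` message are outside the hunk.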
}
if ( strcasecmp( left, "sockurl" ) == 0 ) {
- if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
- fprintf( stderr,
- "%s: line %d: inappropriate style \"%s\" in by clause\n",
+ switch (sty) {
+ case ACL_STYLE_REGEX:
+ case ACL_STYLE_BASE:
+ /* legal, traditional */
+ case ACL_STYLE_EXPAND:
+ /* cheap replacement to regex for simple expansion */
+ break;
+
+ default:
+ /* unknown */
+ fprintf( stderr, "%s: line %d: "
+ "inappropriate style \"%s\" in by clause\n",
fname, lineno, style );
acl_usage();
}