From 064eb88ef8415d668a85f36a7c1545f52fa5ba6f Mon Sep 17 00:00:00 2001 From: Pierangelo Masarati Date: Mon, 15 Nov 2004 22:15:28 +0000 Subject: [PATCH] move special dn patterns to style enum; add creator special dn pattern --- servers/slapd/acl.c | 158 +++++++++++++------- servers/slapd/aclparse.c | 307 +++++++++++++++++++++++---------------- servers/slapd/slap.h | 4 + 3 files changed, 285 insertions(+), 184 deletions(-) diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c index ca88758241..b16987e4e4 100644 --- a/servers/slapd/acl.c +++ b/servers/slapd/acl.c @@ -55,6 +55,7 @@ static struct berval aci_bv_public = BER_BVC("public"), aci_bv_users = BER_BVC("users"), aci_bv_self = BER_BVC("self"), + aci_bv_creator = BER_BVC("creator"), aci_bv_dnattr = BER_BVC("dnattr"), aci_bv_group = BER_BVC("group"), aci_bv_role = BER_BVC("role"), @@ -688,7 +689,7 @@ acl_mask( ACL_INVALIDATE( modmask ); /* AND clauses */ - if ( b->a_dn_pat.bv_len != 0 ) { + if ( !BER_BVISEMPTY( &b->a_dn_pat ) ) { Debug( LDAP_DEBUG_ACL, "<= check a_dn_pat: %s\n", b->a_dn_pat.bv_val, 0, 0); /* @@ -696,17 +697,23 @@ acl_mask( * user is bound as somebody in the same namespace as * the entry, OR the given dn matches the dn pattern */ - if ( bvmatch( &b->a_dn_pat, &aci_bv_anonymous ) ) { + /* + * NOTE: styles "anonymous", "users", "self" + * and "creator" have been moved to an enumeration, + * whose value is set in a_dn_style; however, + * the string is maintaned in a_dn_pat. + */ + if ( b->a_dn_style == ACL_STYLE_ANONYMOUS /* bvmatch( &b->a_dn_pat, &aci_bv_anonymous ) */ ) { if ( op->o_ndn.bv_len != 0 ) { continue; } - } else if ( bvmatch( &b->a_dn_pat, &aci_bv_users ) ) { + } else if ( b->a_dn_style == ACL_STYLE_USERS /* bvmatch( &b->a_dn_pat, &aci_bv_users ) */ ) { if ( op->o_ndn.bv_len == 0 ) { continue; } - } else if ( bvmatch( &b->a_dn_pat, &aci_bv_self ) ) { + } else if ( b->a_dn_style == ACL_STYLE_SELF /* bvmatch( &b->a_dn_pat, &aci_bv_self ) */ ) { if ( op->o_ndn.bv_len == 0 ) { continue; } 
@@ -715,6 +722,20 @@ acl_mask( continue; } + } else if ( b->a_dn_style == ACL_STYLE_CREATOR /* bvmatch ( &b->a_dn_pat, &aci_bv_creator ) */ ) { + /* creator */ + Attribute *a; + + for ( a = e->e_attrs; a; a = a->a_next ) { + if ( a->a_desc == slap_schema.si_ad_creatorsName ) { + break; + } + } + + if ( a == NULL || !dn_match( &a->a_nvals[ 0 ], &op->o_ndn ) ) { + continue; + } + } else if ( b->a_dn_style == ACL_STYLE_REGEX ) { if ( !ber_bvccmp( &b->a_dn_pat, '*' ) ) { int tmp_nmatch; @@ -2321,11 +2342,11 @@ aci_mask( struct berval *scope ) { - struct berval bv, perms, sdn; - int rc; + struct berval bv, perms, sdn; + int rc; - assert( desc->ad_cname.bv_val != NULL ); + assert( !BER_BVISNULL( &desc->ad_cname ) ); /* parse an aci of the form: oid#scope#action;rights;attr;rights;attr$action;rights;attr;rights;attr#dnType#subjectDN 
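Review bot: The new `ACL_STYLE_CREATOR` branch in acl_mask has no check for an empty `op->o_ndn`, unlike the `self` branch in the preceding hunk, which skips the clause when the bound DN is empty. If an entry's `creatorsName` can hold an empty DN (how that attribute is populated is not visible here), `dn_match` on two empty values would presumably succeed and the clause would apply to unauthenticated clients. Consider adding `if ( BER_BVISEMPTY( &op->o_ndn ) ) { continue; }` before the attribute scan. The `creator` branch added to aci_mask further down has the same gap. acl_mask's body starts and ends outside the hunk.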
@@ -2338,57 +2359,79 @@ aci_mask( For now, this routine only supports scope=entry. */ /* check that the aci has all 5 components */ - if (aci_get_part(aci, 4, '#', NULL) < 0) - return(0); + if ( aci_get_part( aci, 4, '#', NULL ) < 0 ) { + return 0; + } /* check that the aci family is supported */ - if (aci_get_part(aci, 0, '#', &bv) < 0) - return(0); + if ( aci_get_part( aci, 0, '#', &bv ) < 0 ) { + return 0; + } /* check that the scope matches */ - if (aci_get_part(aci, 1, '#', &bv) < 0 - || ber_bvstrcasecmp( scope, &bv ) != 0) + if ( aci_get_part( aci, 1, '#', &bv ) < 0 + || ber_bvstrcasecmp( scope, &bv ) != 0 ) { - return(0); + return 0; } /* get the list of permissions clauses, bail if empty */ - if (aci_get_part(aci, 2, '#', &perms) <= 0) - return(0); + if ( aci_get_part( aci, 2, '#', &perms ) <= 0 ) { + return 0; + } /* check if any permissions allow desired access */ - if (aci_list_get_rights(&perms, &desc->ad_cname, val, grant, deny) == 0) - return(0); + if ( aci_list_get_rights( &perms, &desc->ad_cname, val, grant, deny ) == 0 ) { + return 0; + } /* see if we have a DN match */ - if (aci_get_part(aci, 3, '#', &bv) < 0) - return(0); + if ( aci_get_part( aci, 3, '#', &bv ) < 0 ) { + return 0; + } - if (aci_get_part(aci, 4, '#', &sdn) < 0) - return(0); + if ( aci_get_part( aci, 4, '#', &sdn ) < 0 ) { + return 0; + } - if (ber_bvstrcasecmp( &aci_bv_access_id, &bv ) == 0) { + if ( ber_bvstrcasecmp( &aci_bv_access_id, &bv ) == 0 ) { struct berval ndn; + rc = 0; - if ( dnNormalize( 0, NULL, NULL, &sdn, &ndn, op->o_tmpmemctx ) == LDAP_SUCCESS ) { + if ( dnNormalize( 0, NULL, NULL, &sdn, &ndn, op->o_tmpmemctx ) == LDAP_SUCCESS ) + { if ( dn_match( &op->o_ndn, &ndn ) ) { rc = 1; } slap_sl_free( ndn.bv_val, op->o_tmpmemctx ); } - return (rc); + return rc; + + } else if ( ber_bvstrcasecmp( &aci_bv_public, &bv ) == 0 ) { + return 1; - } else if (ber_bvstrcasecmp( &aci_bv_public, &bv ) == 0) { - return(1); + } else if ( ber_bvstrcasecmp( &aci_bv_self, &bv ) == 0 ) { + 
if ( dn_match( &op->o_ndn, &e->e_nname ) ) { + return 1; + } - } else if (ber_bvstrcasecmp( &aci_bv_self, &bv ) == 0) { - if (dn_match(&op->o_ndn, &e->e_nname)) - return(1); + } else if ( ber_bvstrcasecmp( &aci_bv_creator, &bv ) == 0 ) { + Attribute *a; - } else if (ber_bvstrcasecmp( &aci_bv_dnattr, &bv ) == 0) { - Attribute *at; - AttributeDescription *ad = NULL; - const char *text; + for ( a = e->e_attrs; a; a = a->a_next ) { + if ( a->a_desc == slap_schema.si_ad_creatorsName ) { + break; + } + } + + if ( a != NULL && dn_match( &op->o_ndn, &a->a_nvals[ 0 ] ) ) { + return 1; + } + + } else if ( ber_bvstrcasecmp( &aci_bv_dnattr, &bv ) == 0 ) { + Attribute *at; + AttributeDescription *ad = NULL; + const char *text; rc = slap_bv2ad( &sdn, &ad, &text ); @@ -2400,15 +2443,15 @@ aci_mask( bv = op->o_ndn; - for(at = attrs_find( e->e_attrs, ad ); - at != NULL; - at = attrs_find( at->a_next, ad ) ) + for ( at = attrs_find( e->e_attrs, ad ); + at != NULL; + at = attrs_find( at->a_next, ad ) ) { - if (value_find_ex( ad, + if ( value_find_ex( ad, SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH | SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH, at->a_nvals, - &bv, op->o_tmpmemctx) == 0 ) + &bv, op->o_tmpmemctx ) == 0 ) { rc = 1; break; 
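Review bot: The `creator` branch added to aci_mask repeats by hand the same `for ( a = e->e_attrs; a; a = a->a_next )` scan that this patch also adds to acl_mask. One lookup such as `a = attr_find( e->e_attrs, slap_schema.si_ad_creatorsName );` would keep the two copies from drifting apart. It would also help to add a comment that only `a->a_nvals[ 0 ]` is compared, for example `/* creatorsName is single-valued; compare its normalized value */`. The hunk also mixes this functional addition with whitespace-only reformatting of the rest of aci_mask, which makes the one behavioural change hard to find in review.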
@@ -2418,27 +2461,32 @@ aci_mask( return rc; - } else if (ber_bvstrcasecmp( &aci_bv_group, &bv ) == 0) { - if (aci_group_member(&sdn, &aci_bv_group_class, - &aci_bv_group_attr, op, e, nmatch, matches)) - return(1); - - } else if (ber_bvstrcasecmp( &aci_bv_role, &bv ) == 0) { - if (aci_group_member(&sdn, &aci_bv_role_class, - &aci_bv_role_attr, op, e, nmatch, matches)) - return(1); + } else if ( ber_bvstrcasecmp( &aci_bv_group, &bv ) == 0 ) { + if ( aci_group_member( &sdn, &aci_bv_group_class, + &aci_bv_group_attr, op, e, nmatch, matches ) ) + { + return 1; + } - } else if (ber_bvstrcasecmp( &aci_bv_set, &bv ) == 0) { - if (aci_match_set(&sdn, op, e, 0)) - return(1); + } else if ( ber_bvstrcasecmp( &aci_bv_role, &bv ) == 0 ) { + if ( aci_group_member( &sdn, &aci_bv_role_class, + &aci_bv_role_attr, op, e, nmatch, matches ) ) + { + return 1; + } - } else if (ber_bvstrcasecmp( &aci_bv_set_ref, &bv ) == 0) { - if (aci_match_set(&sdn, op, e, 1)) - return(1); + } else if ( ber_bvstrcasecmp( &aci_bv_set, &bv ) == 0 ) { + if ( aci_match_set( &sdn, op, e, 0 ) ) { + return 1; + } + } else if ( ber_bvstrcasecmp( &aci_bv_set_ref, &bv ) == 0 ) { + if ( aci_match_set( &sdn, op, e, 1 ) ) { + return 1; + } } - return(0); + return 0; } #endif /* SLAPD_ACI_ENABLED */ diff --git a/servers/slapd/aclparse.c b/servers/slapd/aclparse.c index 7084a4ba5d..0f78503599 100644 --- a/servers/slapd/aclparse.c +++ b/servers/slapd/aclparse.c @@ -142,7 +142,9 @@ check_scope( BackendDB *be, AccessControl *a ) dn = be->be_nsuffix[0]; - if ( a->acl_dn_pat.bv_len || a->acl_dn_style != ACL_STYLE_REGEX ) { + if ( !BER_BVISEMPTY( &a->acl_dn_pat ) || + a->acl_dn_style != ACL_STYLE_REGEX ) + { slap_style_t style = a->acl_dn_style; if ( style == ACL_STYLE_REGEX ) { 
@@ -227,7 +229,8 @@ check_scope( BackendDB *be, AccessControl *a ) } if ( dn.bv_len < patlen && - !DN_SEPARATOR( a->acl_dn_pat.bv_val[patlen -dn.bv_len - 1] )) { + !DN_SEPARATOR( a->acl_dn_pat.bv_val[patlen - dn.bv_len - 1] )) + { return ACL_SCOPE_ERR; } @@ -279,8 +282,8 @@ parse_acl( } if ( strcasecmp( argv[i], "*" ) == 0 ) { - if( a->acl_dn_pat.bv_len || - ( a->acl_dn_style != ACL_STYLE_REGEX ) ) + if ( !BER_BVISEMPTY( &a->acl_dn_pat ) || + a->acl_dn_style != ACL_STYLE_REGEX ) { fprintf( stderr, "%s: line %d: dn pattern" @@ -289,8 +292,7 @@ parse_acl( acl_usage(); } - a->acl_dn_pat.bv_val = ch_strdup( "*" ); - a->acl_dn_pat.bv_len = 1; + ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat ); continue; } @@ -305,8 +307,8 @@ parse_acl( } if ( strcasecmp( left, "dn" ) == 0 ) { - if( a->acl_dn_pat.bv_len != 0 || - ( a->acl_dn_style != ACL_STYLE_REGEX ) ) + if ( !BER_BVISEMPTY( &a->acl_dn_pat ) || + a->acl_dn_style != ACL_STYLE_REGEX ) { fprintf( stderr, "%s: line %d: dn pattern" @@ -333,8 +335,7 @@ parse_acl( strcasecmp( style, "sub" ) == 0 ) { if( *right == '\0' ) { - a->acl_dn_pat.bv_val = ch_strdup( "*" ); - a->acl_dn_pat.bv_len = 1; + ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat ); } else { a->acl_dn_style = ACL_STYLE_SUBTREE; @@ -361,8 +362,7 @@ parse_acl( || strcmp(right, ".*$$") == 0 || strcmp(right, "^.*$$") == 0 ) { - a->acl_dn_pat.bv_val = ch_strdup( "*" ); - a->acl_dn_pat.bv_len = STRLENOF("*"); + ber_str2bv( "*", STRLENOF("*"), 1, &a->acl_dn_pat ); } else { acl_regex_normalized_dn( right, &a->acl_dn_pat ); 
@@ -398,13 +398,14 @@ parse_acl( } } else if ( strncasecmp( left, "val", 3 ) == 0 ) { - if ( a->acl_attrval.bv_len ) { + if ( !BER_BVISEMPTY( &a->acl_attrval ) ) { fprintf( stderr, "%s: line %d: attr val already specified in to clause.\n", fname, lineno ); acl_usage(); } - if ( a->acl_attrs == NULL || a->acl_attrs[1].an_name.bv_val ) { + if ( a->acl_attrs == NULL || !BER_BVISEMPTY( &a->acl_attrs[1].an_name ) ) + { fprintf( stderr, "%s: line %d: attr val requires a single attribute.\n", fname, lineno ); @@ -481,8 +482,8 @@ parse_acl( BER_BVZERO( &a->acl_dn_pat ); } - if( a->acl_dn_pat.bv_len != 0 || - ( a->acl_dn_style != ACL_STYLE_REGEX ) ) + if ( !BER_BVISEMPTY( &a->acl_dn_pat ) || + a->acl_dn_style != ACL_STYLE_REGEX ) { if ( a->acl_dn_style != ACL_STYLE_REGEX ) { struct berval bv; @@ -495,6 +496,7 @@ parse_acl( } free( a->acl_dn_pat.bv_val ); a->acl_dn_pat = bv; + } else { int e = regcomp( &a->acl_dn_re, a->acl_dn_pat.bv_val, REG_EXTENDED | REG_ICASE ); 
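Review bot: The single-attribute check in the `val` clause changes meaning, not just spelling. The removed line tested `a->acl_attrs[1].an_name.bv_val` for non-NULL, while the new `!BER_BVISEMPTY( &a->acl_attrs[1].an_name )` tests `bv_len`. If the attribute list terminator is marked only by a NULL `bv_val` (its construction is not visible here), its length field may not be reliable and the "requires a single attribute" check could misfire. `!BER_BVISNULL( &a->acl_attrs[1].an_name )` keeps the original test.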
@@ -630,41 +632,50 @@ parse_acl( } if ( strcasecmp( argv[i], "*" ) == 0 ) { - bv.bv_val = ch_strdup( "*" ); - bv.bv_len = 1; + ber_str2bv( "*", STRLENOF( "*" ), 1, &bv ); sty = ACL_STYLE_REGEX; } else if ( strcasecmp( argv[i], "anonymous" ) == 0 ) { ber_str2bv("anonymous", STRLENOF( "anonymous" ), 1, &bv); - sty = ACL_STYLE_REGEX; + sty = ACL_STYLE_ANONYMOUS; + + } else if ( strcasecmp( argv[i], "users" ) == 0 ) { + ber_str2bv("users", STRLENOF( "users" ), 1, &bv); + sty = ACL_STYLE_USERS; } else if ( strcasecmp( argv[i], "self" ) == 0 ) { ber_str2bv("self", STRLENOF( "self" ), 1, &bv); - sty = ACL_STYLE_REGEX; + sty = ACL_STYLE_SELF; - } else if ( strcasecmp( argv[i], "users" ) == 0 ) { - ber_str2bv("users", STRLENOF( "users" ), 1, &bv); - sty = ACL_STYLE_REGEX; + } else if ( strcasecmp( argv[i], "creator" ) == 0 ) { + ber_str2bv("creator", STRLENOF( "creator" ), 1, &bv); + sty = ACL_STYLE_CREATOR; } else if ( strcasecmp( left, "dn" ) == 0 ) { if ( sty == ACL_STYLE_REGEX ) { b->a_dn_style = ACL_STYLE_REGEX; - if( right == NULL ) { + if ( right == NULL ) { /* no '=' */ ber_str2bv("users", STRLENOF( "users" ), 1, &bv); + b->a_dn_style = ACL_STYLE_USERS; + } else if (*right == '\0' ) { /* dn="" */ ber_str2bv("anonymous", STRLENOF( "anonymous" ), 1, &bv); + b->a_dn_style = ACL_STYLE_ANONYMOUS; + } else if ( strcmp( right, "*" ) == 0 ) { /* dn=* */ /* any or users? users for now */ ber_str2bv("users", STRLENOF( "users" ), 1, &bv); + b->a_dn_style = ACL_STYLE_USERS; + } else if ( strcmp( right, ".+" ) == 0 || strcmp( right, "^.+" ) == 0 || strcmp( right, ".+$" ) == 0 @@ -675,6 +686,8 @@ parse_acl( ber_str2bv("users", STRLENOF( "users" ), 1, &bv); + b->a_dn_style = ACL_STYLE_USERS; + } else if ( strcmp( right, ".*" ) == 0 || strcmp( right, "^.*" ) == 0 || strcmp( right, ".*$" ) == 0 
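Review bot: The `dn=` shortcut branches record the new style in `b->a_dn_style` (`b->a_dn_style = ACL_STYLE_USERS;`, `b->a_dn_style = ACL_STYLE_ANONYMOUS;`), while the keyword branches just above record it in `sty`. That leaves `sty` at `ACL_STYLE_REGEX` for the shortcuts. If code after this hunk copies `sty` into `b->a_dn_style` (not visible here), the USERS/ANONYMOUS value is lost and acl_mask would evaluate the stored string "users" or "anonymous" as a regex against the bound DN instead of applying the intended check. Assigning `sty = ACL_STYLE_USERS;` and `sty = ACL_STYLE_ANONYMOUS;` in these branches would make both paths agree. The next hunk (at -675) adds the same kind of assignment.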
@@ -689,9 +702,10 @@ parse_acl( } else { acl_regex_normalized_dn( right, &bv ); if ( !ber_bvccmp( &bv, '*' ) ) { - regtest(fname, lineno, bv.bv_val); + regtest( fname, lineno, bv.bv_val ); } } + } else if ( right == NULL || *right == '\0' ) { fprintf( stderr, "%s: line %d: " "missing \"=\" in (or value after) \"%s\" " @@ -704,18 +718,24 @@ parse_acl( } } else { - bv.bv_val = NULL; + BER_BVZERO( &bv ); } - if( bv.bv_val != NULL ) { - if( b->a_dn_pat.bv_len != 0 ) { + if ( !BER_BVISNULL( &bv ) ) { + if ( !BER_BVISEMPTY( &b->a_dn_pat ) ) { fprintf( stderr, "%s: line %d: dn pattern already specified.\n", fname, lineno ); acl_usage(); } - if ( sty != ACL_STYLE_REGEX && expand == 0 ) { + if ( sty != ACL_STYLE_REGEX && + sty != ACL_STYLE_ANONYMOUS && + sty != ACL_STYLE_USERS && + sty != ACL_STYLE_SELF && + sty != ACL_STYLE_CREATOR && + expand == 0 ) + { rc = dnNormalize(0, NULL, NULL, &bv, &b->a_dn_pat, NULL); if ( rc != LDAP_SUCCESS ) { @@ -724,7 +744,8 @@ parse_acl( fname, lineno, bv.bv_val ); acl_usage(); } - free(bv.bv_val); + free( bv.bv_val ); + } else { b->a_dn_pat = bv; } @@ -819,7 +840,7 @@ parse_acl( acl_usage(); } - if( b->a_group_pat.bv_len ) { + if ( !BER_BVISEMPTY( &b->a_group_pat ) ) { fprintf( stderr, "%s: line %d: group pattern already specified.\n", fname, lineno ); @@ -828,20 +849,21 @@ parse_acl( /* format of string is "group/objectClassValue/groupAttrName" */ - if ((value = strchr(left, '/')) != NULL) { + if ( ( value = strchr(left, '/') ) != NULL ) { *value++ = '\0'; - if (*value && (name = strchr(value, '/')) != NULL) { + if ( *value && ( name = strchr( value, '/' ) ) != NULL ) { *name++ = '\0'; } } b->a_group_style = sty; - if (sty == ACL_STYLE_EXPAND) { + if ( sty == ACL_STYLE_EXPAND ) { acl_regex_normalized_dn( right, &bv ); if ( !ber_bvccmp( &bv, '*' ) ) { - regtest(fname, lineno, bv.bv_val); + regtest( fname, lineno, bv.bv_val ); } b->a_group_pat = bv; + } else { ber_str2bv( right, 0, 0, &bv ); rc = dnNormalize( 0, NULL, NULL, &bv, 
@@ -854,17 +876,18 @@ parse_acl( } } - if (value && *value) { + if ( value && *value ) { b->a_group_oc = oc_find( value ); *--value = '/'; - if( b->a_group_oc == NULL ) { + if ( b->a_group_oc == NULL ) { fprintf( stderr, "%s: line %d: group objectclass " "\"%s\" unknown\n", fname, lineno, value ); acl_usage(); } + } else { b->a_group_oc = oc_find(SLAPD_GROUP_CLASS); @@ -877,8 +900,8 @@ parse_acl( } } - if( is_object_subclass( slap_schema.si_oc_referral, - b->a_group_oc )) + if ( is_object_subclass( slap_schema.si_oc_referral, + b->a_group_oc ) ) { fprintf( stderr, "%s: line %d: group objectclass \"%s\" " @@ -887,8 +910,8 @@ parse_acl( acl_usage(); } - if( is_object_subclass( slap_schema.si_oc_alias, - b->a_group_oc )) + if ( is_object_subclass( slap_schema.si_oc_alias, + b->a_group_oc ) ) { fprintf( stderr, "%s: line %d: group objectclass \"%s\" " @@ -897,7 +920,7 @@ parse_acl( acl_usage(); } - if (name && *name) { + if ( name && *name ) { rc = slap_str2ad( name, &b->a_group_at, &text ); if( rc != LDAP_SUCCESS ) { @@ -907,10 +930,11 @@ parse_acl( acl_usage(); } *--name = '/'; + } else { rc = slap_str2ad( SLAPD_GROUP_ATTR, &b->a_group_at, &text ); - if( rc != LDAP_SUCCESS ) { + if ( rc != LDAP_SUCCESS ) { fprintf( stderr, "%s: line %d: group \"%s\": %s\n", fname, lineno, SLAPD_GROUP_ATTR, text ); @@ -918,11 +942,11 @@ parse_acl( } } - if( !is_at_syntax( b->a_group_at->ad_type, + if ( !is_at_syntax( b->a_group_at->ad_type, SLAPD_DN_SYNTAX ) && - !is_at_syntax( b->a_group_at->ad_type, + !is_at_syntax( b->a_group_at->ad_type, SLAPD_NAMEUID_SYNTAX ) && - !is_at_subtype( b->a_group_at->ad_type, slap_schema.si_ad_labeledURI->ad_type )) + !is_at_subtype( b->a_group_at->ad_type, slap_schema.si_ad_labeledURI->ad_type ) ) { fprintf( stderr, "%s: line %d: group \"%s\": inappropriate syntax: %s\n", 
@@ -936,10 +960,8 @@ parse_acl( int rc; struct berval vals[2]; - vals[0].bv_val = b->a_group_oc->soc_oid; - vals[0].bv_len = strlen(vals[0].bv_val); - vals[1].bv_val = NULL; - + ber_str2bv( b->a_group_oc->soc_oid, 0, 0, &vals[0] ); + BER_BVZERO( &vals[1] ); rc = oc_check_allowed( b->a_group_at->ad_type, vals, NULL ); @@ -957,7 +979,7 @@ parse_acl( } if ( strcasecmp( left, "peername" ) == 0 ) { - switch (sty) { + switch ( sty ) { case ACL_STYLE_REGEX: case ACL_STYLE_BASE: /* legal, traditional */ @@ -983,7 +1005,7 @@ parse_acl( acl_usage(); } - if( b->a_peername_pat.bv_len ) { + if ( BER_BVISEMPTY( &b->a_peername_pat ) ) { fprintf( stderr, "%s: line %d: " "peername pattern already specified.\n", fname, lineno ); @@ -991,10 +1013,10 @@ parse_acl( } b->a_peername_style = sty; - if (sty == ACL_STYLE_REGEX) { + if ( sty == ACL_STYLE_REGEX ) { acl_regex_normalized_dn( right, &bv ); if ( !ber_bvccmp( &bv, '*' ) ) { - regtest(fname, lineno, bv.bv_val); + regtest( fname, lineno, bv.bv_val ); } b->a_peername_pat = bv; @@ -1010,7 +1032,7 @@ parse_acl( split( addr, '%', &addr, &mask ); b->a_peername_addr = inet_addr( addr ); - if ( b->a_peername_addr == (unsigned long)(-1)) { + if ( b->a_peername_addr == (unsigned long)(-1) ) { /* illegal address */ fprintf( stderr, "%s: line %d: " "illegal peername address \"%s\".\n", @@ -1022,7 +1044,7 @@ parse_acl( if ( mask != NULL ) { b->a_peername_mask = inet_addr( mask ); if ( b->a_peername_mask == - (unsigned long)(-1)) + (unsigned long)(-1) ) { /* illegal mask */ fprintf( stderr, "%s: line %d: " @@ -1053,7 +1075,7 @@ parse_acl( } if ( strcasecmp( left, "sockname" ) == 0 ) { - switch (sty) { + switch ( sty ) { case ACL_STYLE_REGEX: case ACL_STYLE_BASE: /* legal, traditional */ @@ -1077,7 +1099,7 @@ parse_acl( acl_usage(); } - if( b->a_sockname_pat.bv_len ) { + if ( !BER_BVISNULL( &b->a_sockname_pat ) ) { fprintf( stderr, "%s: line %d: " "sockname pattern already specified.\n", fname, lineno ); 
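Review bot: The duplicate-pattern guard in the peername clause is inverted. The old test `if( b->a_peername_pat.bv_len )` became `if ( BER_BVISEMPTY( &b->a_peername_pat ) )`, without the `!` that the sibling conversions in this patch carry. As written, the first peername in a by clause reaches the "peername pattern already specified" message and `acl_usage()`, and a repeated peername is no longer rejected. It should read `if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {`. parse_acl's body continues outside the hunk.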
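Review bot: The sockname guard was converted to `!BER_BVISNULL( &b->a_sockname_pat )`, whereas the line it replaces tested `bv_len` and the domain, sockurl and set guards in this patch use `!BER_BVISEMPTY`. A pattern with a non-NULL `bv_val` and zero length would now count as already specified, which the old code did not do. Unless that difference is intended, use `if ( !BER_BVISEMPTY( &b->a_sockname_pat ) ) {` so all the "already specified" checks behave the same way.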
@@ -1085,12 +1107,13 @@ parse_acl( } b->a_sockname_style = sty; - if (sty == ACL_STYLE_REGEX) { + if ( sty == ACL_STYLE_REGEX ) { acl_regex_normalized_dn( right, &bv ); if ( !ber_bvccmp( &bv, '*' ) ) { - regtest(fname, lineno, bv.bv_val); + regtest( fname, lineno, bv.bv_val ); } b->a_sockname_pat = bv; + } else { ber_str2bv( right, 0, 1, &b->a_sockname_pat ); } @@ -1134,7 +1157,7 @@ parse_acl( acl_usage(); } - if( b->a_domain_pat.bv_len ) { + if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) { fprintf( stderr, "%s: line %d: domain pattern already specified.\n", fname, lineno ); @@ -1143,12 +1166,13 @@ parse_acl( b->a_domain_style = sty; b->a_domain_expand = expand; - if (sty == ACL_STYLE_REGEX) { + if ( sty == ACL_STYLE_REGEX ) { acl_regex_normalized_dn( right, &bv ); if ( !ber_bvccmp( &bv, '*' ) ) { - regtest(fname, lineno, bv.bv_val); + regtest( fname, lineno, bv.bv_val ); } b->a_domain_pat = bv; + } else { ber_str2bv( right, 0, 1, &b->a_domain_pat ); } @@ -1156,7 +1180,7 @@ parse_acl( } if ( strcasecmp( left, "sockurl" ) == 0 ) { - switch (sty) { + switch ( sty ) { case ACL_STYLE_REGEX: case ACL_STYLE_BASE: /* legal, traditional */ @@ -1180,7 +1204,7 @@ parse_acl( acl_usage(); } - if( b->a_sockurl_pat.bv_len ) { + if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) { fprintf( stderr, "%s: line %d: sockurl pattern already specified.\n", fname, lineno ); @@ -1188,12 +1212,13 @@ parse_acl( } b->a_sockurl_style = sty; - if (sty == ACL_STYLE_REGEX) { + if ( sty == ACL_STYLE_REGEX ) { acl_regex_normalized_dn( right, &bv ); if ( !ber_bvccmp( &bv, '*' ) ) { - regtest(fname, lineno, bv.bv_val); + regtest( fname, lineno, bv.bv_val ); } b->a_sockurl_pat = bv; + } else { ber_str2bv( right, 0, 1, &b->a_sockurl_pat ); } @@ -1223,7 +1248,7 @@ parse_acl( acl_usage(); } - if( b->a_set_pat.bv_len != 0 ) { + if ( !BER_BVISEMPTY( &b->a_set_pat ) ) { fprintf( stderr, "%s: line %d: set attribute already specified.\n", fname, lineno ); 
@@ -1288,14 +1313,14 @@ parse_acl( #endif /* SLAPD_ACI_ENABLED */ if ( strcasecmp( left, "ssf" ) == 0 ) { - if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) { + if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) { fprintf( stderr, "%s: line %d: " "inappropriate style \"%s\" in by clause\n", fname, lineno, style ); acl_usage(); } - if( b->a_authz.sai_ssf ) { + if ( b->a_authz.sai_ssf ) { fprintf( stderr, "%s: line %d: ssf attribute already specified.\n", fname, lineno ); @@ -1317,7 +1342,7 @@ parse_acl( acl_usage(); } - if( !b->a_authz.sai_ssf ) { + if ( !b->a_authz.sai_ssf ) { fprintf( stderr, "%s: line %d: invalid ssf value (%s)\n", fname, lineno, right ); @@ -1327,14 +1352,14 @@ parse_acl( } if ( strcasecmp( left, "transport_ssf" ) == 0 ) { - if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) { + if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) { fprintf( stderr, "%s: line %d: " "inappropriate style \"%s\" in by clause\n", - fname, lineno, style ); + fname, lineno, style ); acl_usage(); } - if( b->a_authz.sai_transport_ssf ) { + if ( b->a_authz.sai_transport_ssf ) { fprintf( stderr, "%s: line %d: " "transport_ssf attribute already specified.\n", fname, lineno ); @@ -1356,7 +1381,7 @@ parse_acl( acl_usage(); } - if( !b->a_authz.sai_transport_ssf ) { + if ( !b->a_authz.sai_transport_ssf ) { fprintf( stderr, "%s: line %d: invalid transport_ssf value (%s)\n", fname, lineno, right ); @@ -1366,14 +1391,14 @@ parse_acl( } if ( strcasecmp( left, "tls_ssf" ) == 0 ) { - if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) { + if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) { fprintf( stderr, "%s: line %d: " "inappropriate style \"%s\" in by clause\n", - fname, lineno, style ); + fname, lineno, style ); acl_usage(); } - if( b->a_authz.sai_tls_ssf ) { + if ( b->a_authz.sai_tls_ssf ) { fprintf( stderr, "%s: line %d: " "tls_ssf attribute already specified.\n", fname, lineno ); 
@@ -1395,7 +1420,7 @@ parse_acl( acl_usage(); } - if( !b->a_authz.sai_tls_ssf ) { + if ( !b->a_authz.sai_tls_ssf ) { fprintf( stderr, "%s: line %d: invalid tls_ssf value (%s)\n", fname, lineno, right ); @@ -1405,14 +1430,14 @@ parse_acl( } if ( strcasecmp( left, "sasl_ssf" ) == 0 ) { - if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) { + if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) { fprintf( stderr, "%s: line %d: " "inappropriate style \"%s\" in by clause\n", - fname, lineno, style ); + fname, lineno, style ); acl_usage(); } - if( b->a_authz.sai_sasl_ssf ) { + if ( b->a_authz.sai_sasl_ssf ) { fprintf( stderr, "%s: line %d: " "sasl_ssf attribute already specified.\n", fname, lineno ); @@ -1434,7 +1459,7 @@ parse_acl( acl_usage(); } - if( !b->a_authz.sai_sasl_ssf ) { + if ( !b->a_authz.sai_sasl_ssf ) { fprintf( stderr, "%s: line %d: invalid sasl_ssf value (%s)\n", fname, lineno, right ); @@ -1443,34 +1468,34 @@ parse_acl( continue; } - if( right != NULL ) { + if ( right != NULL ) { /* unsplit */ right[-1] = '='; } break; } - if( i == argc || ( strcasecmp( left, "stop" ) == 0 )) { + if ( i == argc || ( strcasecmp( left, "stop" ) == 0 ) ) { /* out of arguments or plain stop */ - ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE); + ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE ); b->a_type = ACL_STOP; access_append( &a->acl_access, b ); continue; } - if( strcasecmp( left, "continue" ) == 0 ) { + if ( strcasecmp( left, "continue" ) == 0 ) { /* plain continue */ - ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE); + ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE ); b->a_type = ACL_CONTINUE; access_append( &a->acl_access, b ); continue; } - if( strcasecmp( left, "break" ) == 0 ) { + if ( strcasecmp( left, "break" ) == 0 ) { /* plain continue */ ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE); 
@@ -1483,7 +1508,7 @@ parse_acl( if ( strcasecmp( left, "by" ) == 0 ) { /* we've gone too far */ --i; - ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE); + ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE ); b->a_type = ACL_STOP; access_append( &a->acl_access, b ); @@ -1491,7 +1516,7 @@ parse_acl( } /* get */ - if( strncasecmp( left, "self", 4 ) == 0 ) { + if ( strncasecmp( left, "self", 4 ) == 0 ) { b->a_dn_self = 1; ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[4] ) ); @@ -1499,7 +1524,7 @@ parse_acl( ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( left ) ); } - if( ACL_IS_INVALID( b->a_access_mask ) ) { + if ( ACL_IS_INVALID( b->a_access_mask ) ) { fprintf( stderr, "%s: line %d: expecting got \"%s\"\n", fname, lineno, left ); @@ -1508,17 +1533,17 @@ parse_acl( b->a_type = ACL_STOP; - if( ++i == argc ) { + if ( ++i == argc ) { /* out of arguments or plain stop */ access_append( &a->acl_access, b ); continue; } - if( strcasecmp( argv[i], "continue" ) == 0 ) { + if ( strcasecmp( argv[i], "continue" ) == 0 ) { /* plain continue */ b->a_type = ACL_CONTINUE; - } else if( strcasecmp( argv[i], "break" ) == 0 ) { + } else if ( strcasecmp( argv[i], "break" ) == 0 ) { /* plain continue */ b->a_type = ACL_BREAK; @@ -1531,8 +1556,9 @@ parse_acl( } else { fprintf( stderr, - "%s: line %d: expecting \"to\" or \"by\" got \"%s\"\n", - fname, lineno, argv[i] ); + "%s: line %d: expecting \"to\" " + "or \"by\" got \"%s\"\n", + fname, lineno, argv[i] ); acl_usage(); } } @@ -1545,13 +1571,15 @@ parse_acl( } else { #ifdef LDAP_DEBUG - if (ldap_debug & LDAP_DEBUG_ACL) print_acl(be, a); + if ( ldap_debug & LDAP_DEBUG_ACL ) { + print_acl( be, a ); + } #endif if ( a->acl_access == NULL ) { fprintf( stderr, "%s: line %d: " "warning: no by clause(s) specified in access line\n", - fname, lineno ); + fname, lineno ); } if ( be != NULL ) { 
@@ -1589,6 +1617,7 @@ parse_acl( } #endif /* LDAP_DEVEL */ acl_append( &be->be_acl, a ); + } else { acl_append( &frontendDB->be_acl, a ); } @@ -1598,8 +1627,8 @@ parse_acl( char * accessmask2str( slap_mask_t mask, char *buf ) { - int none=1; - char *ptr = buf; + int none = 1; + char *ptr = buf; assert( buf != NULL ); @@ -1768,7 +1797,7 @@ acl_usage( void ) " ::= * | [dn[.]=] [filter=] [attrs=]\n" " ::= [val[.