From 3261f219a32926922ddae9bc2616377d2a34a940 Mon Sep 17 00:00:00 2001
From: Kurt Zeilenga
Date: Tue, 26 Oct 1999 03:19:41 +0000
Subject: [PATCH] Add support for Root DSE ACLs. Add "users" shorthand (dn="^.+$") Add regex short circuiting for common dn regexs.
---
 servers/slapd/acl.c | 28 ++++++----
 servers/slapd/aclparse.c | 115 +++++++++++++++++++++++++++++++++------
 2 files changed, 116 insertions(+), 27 deletions(-)
diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index e324182bac..d605a07c44 100644
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -306,12 +306,17 @@ acl_mask(
 * user is bound as somebody in the same namespace as
 * the entry, OR the given dn matches the dn pattern
 */
- if ( strcasecmp( b->a_dn_pat, "anonymous" ) == 0 ) {
+ if ( strcmp( b->a_dn_pat, "anonymous" ) == 0 ) {
 if (op->o_ndn != NULL && op->o_ndn[0] != '\0' ) {
 continue;
 }
 
- } else if ( strcasecmp( b->a_dn_pat, "self" ) == 0 ) {
+ } else if ( strcmp( b->a_dn_pat, "users" ) == 0 ) {
+ if (op->o_ndn == NULL || op->o_ndn[0] == '\0' ) {
+ continue;
+ }
+
+ } else if ( strcmp( b->a_dn_pat, "self" ) == 0 ) {
 if( op->o_ndn == NULL || op->o_ndn[0] == '\0' ) {
 continue;
 }
@@ -320,10 +325,13 @@ acl_mask(
 continue;
 }
 
- } else if ( strcmp( b->a_dn_pat, ".*" ) != 0 &&
- !regex_matches( b->a_dn_pat, op->o_ndn, e->e_ndn, matches ) )
- {
- continue;
+ } else if ( strcmp( b->a_dn_pat, "*" ) != 0 ) {
+ int ret = regex_matches( b->a_dn_pat,
+ op->o_ndn, e->e_ndn, matches );
+
+ if( ret == 0 ) {
+ continue;
+ }
 }
 }
 
@@ -331,7 +339,7 @@ acl_mask(
 Debug( LDAP_DEBUG_ACL, "<= check a_sockurl_pat: %s\n",
 b->a_sockurl_pat, 0, 0 );
 
- if ( strcmp( b->a_sockurl_pat, ".*" ) != 0 &&
+ if ( strcmp( b->a_sockurl_pat, "*" ) != 0 &&
 !regex_matches( b->a_sockurl_pat, conn->c_listener_url,
 e->e_ndn, matches ) )
 {
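Review bot: The new `users` branch carries no comment saying what the keyword admits, and the block comment above it (`* user is bound as somebody in the same namespace as ...`) still describes only the self/namespace case; add `/* "users": any authenticated (non-empty) bound dn; anonymous binds are rejected */` above the `} else if ( strcmp( b->a_dn_pat, "users" ) == 0 ) {` line. The move from strcasecmp to strcmp is consistent with parse_acl storing the keywords as lowercase literals (the aclparse hunk at -201 shows `ch_strdup( "users" )` and friends), so a mixed-case keyword can no longer reach here unnormalized. It is worth saying in that comment that the keywords are canonical, because a parse path that stored user text verbatim would fall through to the regex branch and be matched as a pattern instead. acl_mask continues on both sides of the hunk.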
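Review bot: `"*"` is now a parse-time sentinel rather than a regular expression, and nothing at this site says so; a reader seeing `strcmp( b->a_dn_pat, "*" )` next to regex_matches will take it for just another pattern. Add `/* "*" is the match-all sentinel stored by parse_acl, never a regex */` above the `} else if ( strcmp( b->a_dn_pat, "*" ) != 0 ) {` line. The `int ret` temporary only adds lines over the previous form; `if ( !regex_matches( b->a_dn_pat, op->o_ndn, e->e_ndn, matches ) )` keeps the same behaviour and reads the same as the sockurl/domain/peername/sockname checks that follow.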
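Review bot: The sentinel for a_sockurl_pat changes from `.*` to `*`, but the parse path that fills a_sockurl_pat (and a_domain_pat, a_peername_pat and a_sockname_pat in the three hunks at -343, -355 and -367) is not in this diff, so it is not visible that those strings are canonicalized the way the dn pattern now is in parse_acl. If that parser still stores `.*` for a bare `*`, these short-circuits never fire and every such check goes through regex_matches — correct but slower; if it stores `*` verbatim and also runs regtest on it, regcomp is likely to reject a lone `*` as an ERE at config time. Confirm the by-clause parser for these four keys emits the `*` sentinel, and consider a comment at the first of them naming it as such. This note covers the three following hunks as well.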
@@ -343,7 +351,7 @@ acl_mask(
 Debug( LDAP_DEBUG_ACL, "<= check a_domain_pat: %s\n",
 b->a_domain_pat, 0, 0 );
 
- if ( strcmp( b->a_domain_pat, ".*" ) != 0 &&
+ if ( strcmp( b->a_domain_pat, "*" ) != 0 &&
 !regex_matches( b->a_domain_pat, conn->c_peer_domain,
 e->e_ndn, matches ) )
 {
@@ -355,7 +363,7 @@ acl_mask(
 Debug( LDAP_DEBUG_ACL, "<= check a_peername_path: %s\n",
 b->a_peername_pat, 0, 0 );
 
- if ( strcmp( b->a_peername_pat, ".*" ) != 0 &&
+ if ( strcmp( b->a_peername_pat, "*" ) != 0 &&
 !regex_matches( b->a_peername_pat, conn->c_peer_name,
 e->e_ndn, matches ) )
 {
@@ -367,7 +375,7 @@ acl_mask(
 Debug( LDAP_DEBUG_ACL, "<= check a_sockname_path: %s\n",
 b->a_sockname_pat, 0, 0 );
 
- if ( strcmp( b->a_sockname_pat, ".*" ) != 0 &&
+ if ( strcmp( b->a_sockname_pat, "*" ) != 0 &&
 !regex_matches( b->a_sockname_pat, conn->c_sock_name,
 e->e_ndn, matches ) )
 {
diff --git a/servers/slapd/aclparse.c b/servers/slapd/aclparse.c
index 8c7ca3ed00..2180a120c1 100644
--- a/servers/slapd/aclparse.c
+++ b/servers/slapd/aclparse.c
@@ -119,11 +119,54 @@ parse_acl(
 }
 
 if ( strcasecmp( argv[i], "*" ) == 0 ) {
- a->acl_dn_pat = ch_strdup( ".*" );
+ if( a->acl_dn_pat != NULL ) {
+ fprintf( stderr,
+ "%s: line %d: dn pattern"
+ " already specified in to clause.\n",
+ fname, lineno );
+ acl_usage();
+ }
+
+ a->acl_dn_pat = ch_strdup( "*" );
 continue;
 }
 
 split( argv[i], '=', &left, &right );
+
+ if ( strcasecmp( left, "dn" ) == 0 ) {
+ if( a->acl_dn_pat != NULL ) {
+ fprintf( stderr,
+ "%s: line %d: dn pattern"
+ " already specified in to clause.\n",
+ fname, lineno );
+ acl_usage();
+ }
+
+ if ( right == NULL ) {
+ fprintf( stderr,
+ "%s: line %d: missing \"=\" in \"%s\" in to clause\n",
+ fname, lineno, left );
+ acl_usage();
+ }
+
+ if( *right == '\0' ) {
+ a->acl_dn_pat = ch_strdup("^$");
+
+ } else if ( strcmp(right, "*") == 0
+ || strcmp(right, ".*") == 0
+ || strcmp(right, ".*$") == 0
+ || strcmp(right, "^.*") == 0
+ || strcmp(right, "^.*$") == 0 )
+ {
+ a->acl_dn_pat = ch_strdup( "*" );
+
+ } else {
+ a->acl_dn_pat = ch_strdup( right );
+ }
+
+ continue;
+ }
+
 if ( right == NULL || *right == '\0' ) {
 fprintf( stderr,
 "%s: line %d: missing \"=\" in (or value after) \"%s\" in to clause\n",
@@ -140,9 +183,6 @@ parse_acl(
 acl_usage();
 }
 
- } else if ( strcasecmp( left, "dn" ) == 0 ) {
- a->acl_dn_pat = ch_strdup( right );
-
 } else if ( strncasecmp( left, "attr", 4 ) == 0 ) {
 char **alist;
 
@@ -158,7 +198,12 @@ parse_acl(
 }
 }
 
- if ( a->acl_dn_pat != NULL ) {
+ if ( a->acl_dn_pat != NULL && strcmp(a->acl_dn_pat, "*") == 0) {
+ free( a->acl_dn_pat );
+ a->acl_dn_pat = NULL;
+ }
+
+ if( a->acl_dn_pat != NULL ) {
 int e = regcomp( &a->acl_dn_re, a->acl_dn_pat,
 REG_EXTENDED | REG_ICASE );
 if ( e ) {
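Review bot: `a->acl_dn_pat = ch_strdup("^$");` for `dn=""` is the Root DSE support named in the subject, but nothing in the code says so; add `/* dn="" : anchored empty regex, matches only the root DSE (empty ndn) */` above it, since a reader could otherwise take `^$` for a mistake and "fix" it into a match-all. The `*right` dereference that follows the `right == NULL` check relies on acl_usage() not returning; the pre-existing code makes the same assumption, but a short `/* acl_usage() does not return */` on the first such call in this hunk would make it explicit. In the hunk at -158 the `*` sentinel is released with `free()` although it came from `ch_strdup()`; if the project provides a matching deallocator for ch_strdup memory, use it there for symmetry. parse_acl continues on both sides of these hunks.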
@@ -201,14 +246,50 @@ parse_acl(
 split( argv[i], '=', &left, &right );
 
 if ( strcasecmp( argv[i], "*" ) == 0 ) {
- pat = ch_strdup( ".*" );
+ pat = ch_strdup( "*" );
+
 } else if ( strcasecmp( argv[i], "anonymous" ) == 0 ) {
 pat = ch_strdup( "anonymous" );
+
 } else if ( strcasecmp( argv[i], "self" ) == 0 ) {
 pat = ch_strdup( "self" );
+
+ } else if ( strcasecmp( argv[i], "users" ) == 0 ) {
+ pat = ch_strdup( "users" );
+
 } else if ( strcasecmp( left, "dn" ) == 0 ) {
- regtest(fname, lineno, right);
- pat = ch_strdup( right );
+ if( right == NULL ) {
+ /* no '=' */
+ pat = ch_strdup( "users" );
+
+ } else if (*right == '\0' ) {
+ /* dn="" */
+ pat = ch_strdup( "anonymous" );
+
+ } else if ( strcmp( right, "*" ) == 0 ) {
+ /* dn=* /
+ /* any or users? any for now */
+ pat = ch_strdup( "users" );
+
+ } else if ( strcmp( right, ".+" ) == 0
+ || strcmp( right, "^.+" ) == 0
+ || strcmp( right, ".+$" ) == 0
+ || strcmp( right, "^.+$" ) == 0 )
+ {
+ pat = ch_strdup( "users" );
+
+ } else if ( strcmp( right, ".*" ) == 0
+ || strcmp( right, "^.*" ) == 0
+ || strcmp( right, ".*$" ) == 0
+ || strcmp( right, "^.*$" ) == 0 )
+ {
+ pat = ch_strdup( "*" );
+
+ } else {
+ regtest(fname, lineno, right);
+ pat = ch_strdup( right );
+ }
+
 } else {
 pat = NULL;
 }
@@ -448,10 +529,9 @@ parse_acl(
 fname, lineno );
 
 } else {
-
 #ifdef LDAP_DEBUG
- if (ldap_debug & LDAP_DEBUG_ACL)
- print_acl(be, a);
+ if (ldap_debug & LDAP_DEBUG_ACL)
+ print_acl(be, a);
 #endif
 
 if ( a->acl_access == NULL ) {
@@ -637,7 +717,7 @@ acl_usage( void )
 " ::= * | [dn=] [filter=] [attrs=]\n"
 " ::= | , \n"
 " ::= | entry | children\n"
- " ::= [ * | anonymous | self | dn= ]\n"
+ " ::= [ * | anonymous | users | self | dn= ]\n"
 "\t[dnattr=]\n"
 "\t[group[/[/]]=]\n"
 "\t[peername=] [sockname=]\n"
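Review bot: `/* dn=* /` in the `strcmp( right, "*" )` branch is not a closed comment — the `* /` has a space in it, so the comment runs on and is only terminated by the `*/` at the end of the next line, `/* any or users? any for now */`; it compiles by accident, and any statement later inserted between those two lines would be silently swallowed. Write `/* dn=* */` on that line. That comment also contradicts the code under it: it says "any for now" while `pat = ch_strdup( "users" );` restricts `by dn=*` to authenticated binds, whereas `by *` and the `to dn=*` handling in the hunk at -119 both mean everyone; this is an access-control decision, so settle it and state the chosen meaning in the comment. The bare `dn` (no `=`) case likewise silently means `users` here but is rejected with acl_usage() in the to clause, and neither `dn=*` nor bare `dn` appears in the usage text changed at -637. parse_acl continues on both sides of the hunk.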
@@ -695,11 +775,12 @@ print_access( Access *b )
 fprintf( stderr, "\tby" );
 
 if ( b->a_dn_pat != NULL ) {
- if( strcmp(b->a_dn_pat, "anonymous") == 0 ) {
- fprintf( stderr, " anonymous" );
-
- } else if( strcmp(b->a_dn_pat, "self") == 0 ) {
- fprintf( stderr, " self" );
+ if( strcmp(b->a_dn_pat, "*") == 0
+ || strcmp(b->a_dn_pat, "users") == 0
+ || strcmp(b->a_dn_pat, "anonymous") == 0
+ || strcmp(b->a_dn_pat, "self") == 0 )
+ {
+ fprintf( stderr, " %s", b->a_dn_pat );
 
 } else {
 fprintf( stderr, " dn=%s", b->a_dn_pat );
-- 
2.39.5
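Review bot: The four keyword strings `*`, `users`, `anonymous` and `self` are now spelled out here, in acl_mask and in parse_acl with no shared definition, so adding the next keyword means editing three places and the printer, parser and enforcer can drift apart silently — for an ACL keyword set that drift is a security bug, not a cosmetic one. A shared table such as `static const char *const acl_dn_keywords[] = { "*", "users", "anonymous", "self" };` with a small lookup helper would let the three sites agree by construction. The fprintf itself is fine: the format is a literal and a_dn_pat is passed as the `%s` argument. print_access starts before this hunk.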