/* aclparse.c - routines to parse and check acl's */
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1998 - 2019 The OpenLDAP Foundation .
* All rights reserved .
*
* Redistribution and use in source and binary forms , with or without
* modification , are permitted only as authorized by the OpenLDAP
* Public License .
*
* A copy of this license is available in the file LICENSE in the
* top - level directory of the distribution or , alternatively , at
 * <http://www.OpenLDAP.org/license.html>.
*/
/* Portions Copyright (c) 1995 Regents of the University of Michigan.
* All rights reserved .
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and that due credit is given
* to the University of Michigan at Ann Arbor . The name of the University
* may not be used to endorse or promote products derived from this
* software without specific prior written permission . This software
 * is provided ``as is'' without express or implied warranty.
*/
# include "portable.h"
# include <stdio.h>
# include <ac/ctype.h>
# include <ac/regex.h>
# include <ac/socket.h>
# include <ac/string.h>
# include <ac/unistd.h>
# include "slap.h"
# include "lber_pvt.h"
# include "lutil.h"
/* Printable name of the base (a.k.a. exact) DN style.  It is kept out of
 * style_strings[] below, which uses "exact" for that slot. */
static const char style_base[] = "base";

/* Printable names of the slap_style_t values, NULL-terminated.  Non-static,
 * so presumably referenced from other translation units as well.
 * NOTE(review): the order looks like that of the slap_style_t enum in
 * slap.h (ACL_STYLE_REGEX first) -- verify before indexing by style. */
const char *style_strings[] = {
	"regex",
	"expand",
	"exact",
	"one",
	"subtree",
	"children",
	"level",
	"attrof",
	"anonymous",
	"users",
	"self",
	"ip",
	"ipv6",
	"path",
	NULL
};
/* Growth step, in bytes, for the ACL text scratch buffer below. */
#define ACLBUF_CHUNKSIZE	8192
/* File-wide scratch buffer for ACL text.  Its users are further down in
 * this file (not visible in this excerpt); NOTE(review): confirm there
 * that it is grown in ACLBUF_CHUNKSIZE steps and never freed per call. */
static struct berval aclbuf;
/* Forward declarations of the static helpers used by the ACL parser
 * in this file.  Definitions follow later (not all visible here). */

/* Split "line" at the first "splitchar", handing back the two halves
 * through left/right; callers below check *right for NULL when the
 * separator is absent. */
static void		split(char *line, int splitchar, char **left, char **right);
/* Add a parsed <by> clause to an ACL's Access list. */
static void		access_append( Access **l, Access *a );
/* Release one Access clause. */
static void		access_free( Access *a );
/* Report the "access" directive syntax.  Its return value is what the
 * parsing code hands back on a syntax error (see slap_dynacl_config()). */
static int		acl_usage(void);

/* Normalize a regex-style DN pattern into *pat. */
static void		acl_regex_normalized_dn(const char *src, struct berval *pat);

#ifdef LDAP_DEBUG
/* Debug-only dump of a parsed ACL. */
static void		print_acl(Backend *be, AccessControl *a);
#endif

/* Sanity-check an ACL's DN pattern against the backend suffix; returns
 * one of the ACL_SCOPE_* values defined just above its definition. */
static int		check_scope( BackendDB *be, AccessControl *a );
# ifdef SLAP_DYNACL
/*
 * Attach a dynamic ACL ("dynacl") named "name" to the <by> clause b.
 *
 * fname/lineno identify the config line for diagnostics; opts, sty and
 * right are handed unchanged to the dynacl's own parser, if it has one.
 *
 * Returns 0 on success, -1 if no dynacl called "name" is registered,
 * the dynacl parser's error code if it rejects the clause, and the
 * acl_usage() result if the same dynacl is listed twice on one clause.
 */
static int
slap_dynacl_config(
	const char *fname,
	int lineno,
	Access *b,
	const char *name,
	const char *opts,
	slap_style_t sty,
	const char *right )
{
	slap_dynacl_t	*registered, *inst;
	int		rc;

	/* A dynacl may appear at most once per <by> clause. */
	for ( inst = b->a_dynacl; inst != NULL; inst = inst->da_next ) {
		if ( strcasecmp( inst->da_name, name ) != 0 ) {
			continue;
		}

		Debug( LDAP_DEBUG_ANY,
			"%s: line %d: dynacl \"%s\" already specified.\n",
			fname, lineno, name );
		return acl_usage();
	}

	/* Unknown names are reported by the caller, not here. */
	registered = slap_dynacl_get( name );
	if ( registered == NULL ) {
		return -1;
	}

	/* Work on a private copy so that da_private is per clause. */
	inst = ch_malloc( sizeof( *inst ) );
	*inst = *registered;

	rc = 0;
	if ( inst->da_parse != NULL ) {
		rc = inst->da_parse( fname, lineno, opts, sty, right,
			&inst->da_private );
		if ( rc != 0 ) {
			ch_free( inst );
			return rc;
		}
	}

	/* Push onto the front of the clause's dynacl list. */
	inst->da_next = b->a_dynacl;
	b->a_dynacl = inst;

	return 0;
}
# endif /* SLAP_DYNACL */
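/*
 * Trial-compile a DN regex pattern from the config file so that a bad
 * expression is reported at parse time rather than at the first access
 * check.
 *
 * The pattern may contain "$" substitution markers that would not be a
 * valid extended regex as written, so a reduced copy is built in buf
 * first: "$$" becomes "$", "$<digit>" becomes the bare digit, and "$"
 * followed by anything else drops both characters.  (Presumably this
 * mirrors how the pattern is expanded at runtime; that code is not in
 * this file.)
 *
 * fname/lineno identify the config line for diagnostics.  On any
 * problem the usage text is printed and the process exits.
 */
static void
regtest( const char *fname, int lineno, char *pat ) {
	int	e;
	regex_t	re;

	char		buf[ SLAP_TEXT_BUFLEN ];
	unsigned	size;

	char *sp;
	char *dp;
	int  flag;

	sp = pat;
	dp = buf;
	size = 0;
	buf[0] = '\0';

	/* Stop one byte short of the end of buf.  The loop used to run
	 * while size < sizeof(buf), which let dp reach buf + sizeof(buf)
	 * and made the "*dp = '\0'" below write one byte past the array
	 * for a long enough pattern. */
	for ( size = 0, flag = 0; ( size < sizeof( buf ) - 1 ) && *sp; sp++ ) {
		if ( flag ) {
			/* previous char was '$' */
			if ( *sp == '$' || ( *sp >= '0' && *sp <= '9' ) ) {
				*dp++ = *sp;
				size++;
			}
			flag = 0;

		} else {
			if ( *sp == '$' ) {
				flag = 1;
			} else {
				*dp++ = *sp;
				size++;
			}
		}
	}

	*dp = '\0';

	/* As before, a reduced pattern that fills the buffer is rejected
	 * as too long (whether or not any input remained). */
	if ( size >= ( sizeof( buf ) - 1 ) ) {
		Debug( LDAP_DEBUG_ANY,
			"%s: line %d: regular expression \"%s\" too large\n",
			fname, lineno, pat );
		(void)acl_usage();
		exit( EXIT_FAILURE );
	}

	if ( ( e = regcomp( &re, buf, REG_EXTENDED|REG_ICASE ) ) ) {
		char error[ SLAP_TEXT_BUFLEN ];
		regerror( e, &re, error, sizeof( error ) );

		Debug( LDAP_DEBUG_ANY,
			"%s: line %d: regular expression \"%s\" bad because of %s\n",
			fname, lineno, pat, error );
		acl_usage();
		exit( EXIT_FAILURE );
	}
	regfree( &re );
}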
/*
 * Experimental
 *
 * Check whether the DN pattern of an ACL, if it has one, lies within
 * the naming context of the backend it is defined in.  The result is
 * one of the ACL_SCOPE_* values defined below.
 */
# define ACL_SCOPE_UNKNOWN (-2)
# define ACL_SCOPE_ERR (-1)
# define ACL_SCOPE_OK (0)
# define ACL_SCOPE_PARTIAL (1)
# define ACL_SCOPE_WARN (2)
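/*
 * Compare the DN pattern of ACL a with the suffix of backend be.
 *
 * Returns:
 *   ACL_SCOPE_OK       - suffix is empty, or the pattern is under it;
 *   ACL_SCOPE_PARTIAL  - the pattern is a superior of the suffix (it
 *                        ends with the pattern), so it only partly
 *                        applies to this database;
 *   ACL_SCOPE_ERR      - the pattern cannot match anything in this
 *                        database;
 *   ACL_SCOPE_WARN     - regex styles only: the trial check failed or
 *                        did not match, which is a hint, not proof;
 *   ACL_SCOPE_UNKNOWN  - the ACL has no DN pattern (applies to all).
 *
 * Non-regex patterns are expected to be normalized DNs already, so they
 * are compared with strcmp() against the normalized suffix.
 */
static int
check_scope( BackendDB *be, AccessControl *a )
{
	ber_len_t	patlen;
	struct berval	dn;

	dn = be->be_nsuffix[0];

	/* An empty suffix holds everything: nothing to check. */
	if ( BER_BVISEMPTY( &dn ) ) {
		return ACL_SCOPE_OK;
	}

	/* An empty regex pattern means "all entries" (see the bottom);
	 * anything else carries a DN pattern worth comparing. */
	if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
			a->acl_dn_style != ACL_STYLE_REGEX )
	{
		slap_style_t	style = a->acl_dn_style;

		if ( style == ACL_STYLE_REGEX ) {
			char		dnbuf[ SLAP_LDAPDN_MAXLEN + 2 ];
			char		rebuf[ SLAP_LDAPDN_MAXLEN + 1 ];
			ber_len_t	rebuflen;
			regex_t		re;
			int		rc;

			/* Both copies below go into fixed-size stack buffers.
			 * The suffix is a normalized DN and should already be
			 * bounded, but the regex pattern comes straight from the
			 * config file and is not bounded by DN limits at all;
			 * previously it was copied (with its NUL) unchecked.
			 * Treat "does not fit" like "could not compile the
			 * trial regex" rather than overflow the stack. */
			if ( dn.bv_len + 2 > sizeof( dnbuf ) ||
				a->acl_dn_pat.bv_len + 1 > sizeof( rebuf ) )
			{
				return ACL_SCOPE_WARN;
			}

			/* add trailing '$' to database suffix to form
			 * a simple trial regex pattern "<suffix>$" */
			AC_MEMCPY( dnbuf, dn.bv_val, dn.bv_len );
			dnbuf[ dn.bv_len ] = '$';
			dnbuf[ dn.bv_len + 1 ] = '\0';

			if ( regcomp( &re, dnbuf, REG_EXTENDED|REG_ICASE ) ) {
				return ACL_SCOPE_WARN;
			}

			/* remove trailing ')$', if any, from original
			 * regex pattern; the pattern is non-empty here, so
			 * rebuflen - 1 is a valid index */
			rebuflen = a->acl_dn_pat.bv_len;
			AC_MEMCPY( rebuf, a->acl_dn_pat.bv_val, rebuflen + 1 );
			if ( rebuf[ rebuflen - 1 ] == '$' ) {
				rebuf[ --rebuflen ] = '\0';
			}
			while ( rebuflen > dn.bv_len && rebuf[ rebuflen - 1 ] == ')' ) {
				rebuf[ --rebuflen ] = '\0';
			}
			/* pattern reduced to nothing beyond the suffix length:
			 * cannot tell, flag it */
			if ( rebuflen == dn.bv_len ) {
				rc = ACL_SCOPE_WARN;
				goto regex_done;
			}

			/* not a clear indication of scoping error, though */
			rc = regexec( &re, rebuf, 0, NULL, 0 )
				? ACL_SCOPE_WARN : ACL_SCOPE_OK;

regex_done:;
			regfree( &re );
			return rc;
		}

		patlen = a->acl_dn_pat.bv_len;

		/* If backend suffix is longer than pattern,
		 * it is a potential mismatch (in the sense
		 * that a superior naming context could
		 * match) */
		if ( dn.bv_len > patlen ) {
			/* base is blatantly wrong */
			if ( style == ACL_STYLE_BASE ) return ACL_SCOPE_ERR;

			/* a style of one can be wrong if there is
			 * more than one level between the suffix
			 * and the pattern */
			if ( style == ACL_STYLE_ONE ) {
				ber_len_t	rdnlen = 0;
				int		sep = 0;

				if ( patlen > 0 ) {
					/* the pattern must start right after a
					 * separator in the suffix */
					if ( !DN_SEPARATOR( dn.bv_val[ dn.bv_len - patlen - 1 ] )) {
						return ACL_SCOPE_ERR;
					}
					sep = 1;
				}

				/* exactly one RDN may sit between them */
				rdnlen = dn_rdnlen( NULL, &dn );
				if ( rdnlen != dn.bv_len - patlen - sep )
					return ACL_SCOPE_ERR;
			}

			/* if the trailing part doesn't match,
			 * then it's an error */
			if ( strcmp( a->acl_dn_pat.bv_val,
				&dn.bv_val[ dn.bv_len - patlen ] ) != 0 )
			{
				return ACL_SCOPE_ERR;
			}

			return ACL_SCOPE_PARTIAL;
		}

		/* only the DN-based styles reach this point */
		switch ( style ) {
		case ACL_STYLE_BASE:
		case ACL_STYLE_ONE:
		case ACL_STYLE_CHILDREN:
		case ACL_STYLE_SUBTREE:
			break;
		default:
			assert( 0 );
			break;
		}

		/* a longer pattern must have the suffix as a whole
		 * trailing component, i.e. preceded by a separator */
		if ( dn.bv_len < patlen &&
			!DN_SEPARATOR( a->acl_dn_pat.bv_val[ patlen - dn.bv_len - 1 ] ) )
		{
			return ACL_SCOPE_ERR;
		}

		if ( strcmp( &a->acl_dn_pat.bv_val[ patlen - dn.bv_len ], dn.bv_val )
			!= 0 )
		{
			return ACL_SCOPE_ERR;
		}

		return ACL_SCOPE_OK;
	}

	return ACL_SCOPE_UNKNOWN;
}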
int
1998-08-08 20:43:13 -04:00
parse_acl (
2005-10-31 11:00:51 -05:00
Backend * be ,
const char * fname ,
int lineno ,
int argc ,
char * * argv ,
2005-04-19 12:39:48 -04:00
int pos )
1998-08-08 20:43:13 -04:00
{
int i ;
2005-11-25 17:17:24 -05:00
char * left , * right , * style ;
2001-12-25 23:17:49 -05:00
struct berval bv ;
2006-03-31 16:59:39 -05:00
AccessControl * a = NULL ;
Access * b = NULL ;
2000-02-14 15:57:34 -05:00
int rc ;
2000-05-21 23:46:57 -04:00
const char * text ;
1998-08-08 20:43:13 -04:00
for ( i = 1 ; i < argc ; i + + ) {
/* to clause - select which entries are protected */
if ( strcasecmp ( argv [ i ] , " to " ) = = 0 ) {
if ( a ! = NULL ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
2003-05-30 01:24:39 -04:00
" only one to clause allowed in access line \n " ,
2019-02-15 11:49:52 -05:00
fname , lineno ) ;
2006-04-02 17:16:06 -04:00
goto fail ;
1998-08-08 20:43:13 -04:00
}
1999-07-19 15:40:33 -04:00
a = ( AccessControl * ) ch_calloc ( 1 , sizeof ( AccessControl ) ) ;
2010-04-14 13:01:39 -04:00
a - > acl_attrval_style = ACL_STYLE_NONE ;
1998-08-08 20:43:13 -04:00
for ( + + i ; i < argc ; i + + ) {
if ( strcasecmp ( argv [ i ] , " by " ) = = 0 ) {
i - - ;
break ;
}
1999-04-01 22:45:33 -05:00
if ( strcasecmp ( argv [ i ] , " * " ) = = 0 ) {
2004-11-15 17:15:28 -05:00
if ( ! BER_BVISEMPTY ( & a - > acl_dn_pat ) | |
a - > acl_dn_style ! = ACL_STYLE_REGEX )
2002-07-10 21:45:22 -04:00
{
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY ,
1999-10-25 23:19:41 -04:00
" %s: line %d: dn pattern "
" already specified in to clause. \n " ,
2019-02-15 11:49:52 -05:00
fname , lineno ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
1999-10-25 23:19:41 -04:00
}
2004-11-15 17:15:28 -05:00
ber_str2bv ( " * " , STRLENOF ( " * " ) , 1 , & a - > acl_dn_pat ) ;
1998-08-08 20:43:13 -04:00
continue ;
}
split ( argv [ i ] , ' = ' , & left , & right ) ;
2000-06-11 21:35:15 -04:00
split ( left , ' . ' , & left , & style ) ;
2001-09-01 01:01:31 -04:00
if ( right = = NULL ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
2003-05-30 01:24:39 -04:00
" missing \" = \" in \" %s \" in to clause \n " ,
2000-06-11 21:35:15 -04:00
fname , lineno , left ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2000-06-11 21:35:15 -04:00
}
1999-10-25 23:19:41 -04:00
if ( strcasecmp ( left , " dn " ) = = 0 ) {
2004-11-15 17:15:28 -05:00
if ( ! BER_BVISEMPTY ( & a - > acl_dn_pat ) | |
a - > acl_dn_style ! = ACL_STYLE_REGEX )
2002-07-10 21:45:22 -04:00
{
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY ,
1999-10-25 23:19:41 -04:00
" %s: line %d: dn pattern "
" already specified in to clause. \n " ,
2019-02-15 11:49:52 -05:00
fname , lineno ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
1999-10-25 23:19:41 -04:00
}
2003-05-30 01:24:39 -04:00
if ( style = = NULL | | * style = = ' \0 ' | |
2004-06-28 02:42:00 -04:00
strcasecmp ( style , " baseObject " ) = = 0 | |
strcasecmp ( style , " base " ) = = 0 | |
strcasecmp ( style , " exact " ) = = 0 )
2003-05-30 01:24:39 -04:00
{
a - > acl_dn_style = ACL_STYLE_BASE ;
ber_str2bv ( right , 0 , 1 , & a - > acl_dn_pat ) ;
2004-06-28 02:42:00 -04:00
} else if ( strcasecmp ( style , " oneLevel " ) = = 0 | |
strcasecmp ( style , " one " ) = = 0 )
{
2003-05-30 01:24:39 -04:00
a - > acl_dn_style = ACL_STYLE_ONE ;
ber_str2bv ( right , 0 , 1 , & a - > acl_dn_pat ) ;
2004-06-28 02:42:00 -04:00
} else if ( strcasecmp ( style , " subtree " ) = = 0 | |
strcasecmp ( style , " sub " ) = = 0 )
2000-06-11 21:35:15 -04:00
{
2003-09-09 22:33:36 -04:00
if ( * right = = ' \0 ' ) {
2004-11-15 17:15:28 -05:00
ber_str2bv ( " * " , STRLENOF ( " * " ) , 1 , & a - > acl_dn_pat ) ;
2003-09-09 22:33:36 -04:00
} else {
a - > acl_dn_style = ACL_STYLE_SUBTREE ;
ber_str2bv ( right , 0 , 1 , & a - > acl_dn_pat ) ;
}
2003-05-30 01:24:39 -04:00
} else if ( strcasecmp ( style , " children " ) = = 0 ) {
a - > acl_dn_style = ACL_STYLE_CHILDREN ;
ber_str2bv ( right , 0 , 1 , & a - > acl_dn_pat ) ;
} else if ( strcasecmp ( style , " regex " ) = = 0 ) {
2000-06-11 21:35:15 -04:00
a - > acl_dn_style = ACL_STYLE_REGEX ;
2002-02-08 13:32:12 -05:00
if ( * right = = ' \0 ' ) {
/* empty regex should match empty DN */
a - > acl_dn_style = ACL_STYLE_BASE ;
ber_str2bv ( right , 0 , 1 , & a - > acl_dn_pat ) ;
} else if ( strcmp ( right , " * " ) = = 0
2000-06-11 21:35:15 -04:00
| | strcmp ( right , " .* " ) = = 0
| | strcmp ( right , " .*$ " ) = = 0
| | strcmp ( right , " ^.* " ) = = 0
2002-04-15 16:44:05 -04:00
| | strcmp ( right , " ^.*$ " ) = = 0
2000-06-11 21:35:15 -04:00
| | strcmp ( right , " .*$$ " ) = = 0
| | strcmp ( right , " ^.*$$ " ) = = 0 )
{
2004-11-15 17:15:28 -05:00
ber_str2bv ( " * " , STRLENOF ( " * " ) , 1 , & a - > acl_dn_pat ) ;
1999-10-25 23:19:41 -04:00
2000-06-11 21:35:15 -04:00
} else {
2002-04-15 16:44:05 -04:00
acl_regex_normalized_dn ( right , & a - > acl_dn_pat ) ;
2000-06-11 21:35:15 -04:00
}
2003-05-30 01:24:39 -04:00
2000-06-11 21:35:15 -04:00
} else {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
2003-05-30 01:24:39 -04:00
" unknown dn style \" %s \" in to clause \n " ,
2000-06-11 21:35:15 -04:00
fname , lineno , style ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
1999-10-25 23:19:41 -04:00
}
continue ;
}
1998-08-08 20:43:13 -04:00
if ( strcasecmp ( left , " filter " ) = = 0 ) {
2002-07-23 14:35:12 -04:00
if ( ( a - > acl_filter = str2filter ( right ) ) = = NULL ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY ,
1998-08-08 20:43:13 -04:00
" %s: line %d: bad filter \" %s \" in to clause \n " ,
fname , lineno , right ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
1998-08-08 20:43:13 -04:00
}
1999-07-21 16:54:23 -04:00
2005-05-03 08:13:16 -04:00
} else if ( strcasecmp ( left , " attr " ) = = 0 /* TOLERATED */
| | strcasecmp ( left , " attrs " ) = = 0 ) /* DOCUMENTED */
{
2005-09-16 11:00:13 -04:00
if ( strcasecmp ( left , " attr " ) = = 0 ) {
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: \" attr \" "
" is deprecated (and undocumented); "
" use \" attrs \" instead. \n " ,
2019-02-15 11:49:52 -05:00
fname , lineno ) ;
2005-09-16 11:00:13 -04:00
}
2001-12-31 06:35:52 -05:00
a - > acl_attrs = str2anlist ( a - > acl_attrs ,
2001-12-26 03:17:44 -05:00
right , " , " ) ;
2002-01-10 04:54:14 -05:00
if ( a - > acl_attrs = = NULL ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY ,
2002-01-10 04:54:14 -05:00
" %s: line %d: unknown attr \" %s \" in to clause \n " ,
fname , lineno , right ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2002-01-10 04:54:14 -05:00
}
2003-05-30 01:24:39 -04:00
2003-09-19 23:23:10 -04:00
} else if ( strncasecmp ( left , " val " , 3 ) = = 0 ) {
2005-12-09 05:33:01 -05:00
struct berval bv ;
char * mr ;
2005-07-05 08:00:14 -04:00
2004-11-15 17:15:28 -05:00
if ( ! BER_BVISEMPTY ( & a - > acl_attrval ) ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY ,
2003-09-19 23:23:10 -04:00
" %s: line %d: attr val already specified in to clause. \n " ,
2019-02-15 11:49:52 -05:00
fname , lineno ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2003-09-19 23:23:10 -04:00
}
2004-11-15 17:15:28 -05:00
if ( a - > acl_attrs = = NULL | | ! BER_BVISEMPTY ( & a - > acl_attrs [ 1 ] . an_name ) )
{
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY ,
2003-09-19 23:23:10 -04:00
" %s: line %d: attr val requires a single attribute. \n " ,
2019-02-15 11:49:52 -05:00
fname , lineno ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2003-09-19 23:23:10 -04:00
}
2005-07-05 08:00:14 -04:00
2005-12-09 05:33:01 -05:00
ber_str2bv ( right , 0 , 0 , & bv ) ;
2005-05-03 08:13:16 -04:00
a - > acl_attrval_style = ACL_STYLE_BASE ;
2005-07-05 08:00:14 -04:00
mr = strchr ( left , ' / ' ) ;
if ( mr ! = NULL ) {
mr [ 0 ] = ' \0 ' ;
mr + + ;
a - > acl_attrval_mr = mr_find ( mr ) ;
if ( a - > acl_attrval_mr = = NULL ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
2005-07-05 08:00:14 -04:00
" invalid matching rule \" %s \" . \n " ,
fname , lineno , mr ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2005-07-05 08:00:14 -04:00
}
if ( ! mr_usable_with_at ( a - > acl_attrval_mr , a - > acl_attrs [ 0 ] . an_desc - > ad_type ) )
{
2019-02-15 11:50:54 -05:00
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: matching rule \" %s \" use " " with attr \" %s \" not appropriate. \n " ,
fname , lineno ,
mr ,
a - > acl_attrs [ 0 ] . an_name . bv_val ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2005-07-05 08:00:14 -04:00
}
}
2005-05-03 08:13:16 -04:00
if ( style ! = NULL ) {
if ( strcasecmp ( style , " regex " ) = = 0 ) {
2005-12-09 05:33:01 -05:00
int e = regcomp ( & a - > acl_attrval_re , bv . bv_val ,
2008-11-15 02:18:39 -05:00
REG_EXTENDED | REG_ICASE ) ;
2005-05-03 08:13:16 -04:00
if ( e ) {
2005-09-10 14:42:33 -04:00
char err [ SLAP_TEXT_BUFLEN ] ,
buf [ SLAP_TEXT_BUFLEN ] ;
regerror ( e , & a - > acl_attrval_re , err , sizeof ( err ) ) ;
2019-02-15 11:50:54 -05:00
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: regular expression \" %s \" bad because of %s \n " ,
fname ,
lineno ,
right ,
err ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2005-05-03 08:13:16 -04:00
}
a - > acl_attrval_style = ACL_STYLE_REGEX ;
2003-12-15 19:49:10 -05:00
2005-05-03 08:13:16 -04:00
} else {
/* FIXME: if the attribute has DN syntax, we might
* allow one , subtree and children styles as well */
2005-05-05 17:47:40 -04:00
if ( ! strcasecmp ( style , " base " ) | |
! strcasecmp ( style , " exact " ) ) {
2003-12-15 19:49:10 -05:00
a - > acl_attrval_style = ACL_STYLE_BASE ;
2005-05-03 08:13:16 -04:00
} else if ( a - > acl_attrs [ 0 ] . an_desc - > ad_type - >
sat_syntax = = slap_schema . si_syn_distinguishedName )
2004-06-28 02:42:00 -04:00
{
2005-05-03 08:13:16 -04:00
if ( ! strcasecmp ( style , " baseObject " ) | |
! strcasecmp ( style , " base " ) )
{
a - > acl_attrval_style = ACL_STYLE_BASE ;
} else if ( ! strcasecmp ( style , " onelevel " ) | |
! strcasecmp ( style , " one " ) )
{
a - > acl_attrval_style = ACL_STYLE_ONE ;
} else if ( ! strcasecmp ( style , " subtree " ) | |
! strcasecmp ( style , " sub " ) )
{
a - > acl_attrval_style = ACL_STYLE_SUBTREE ;
} else if ( ! strcasecmp ( style , " children " ) ) {
a - > acl_attrval_style = ACL_STYLE_CHILDREN ;
} else {
2019-02-15 11:50:54 -05:00
Debug ( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL ,
" %s: line %d: unknown val.<style> \" %s \" for attributeType \" %s \" " " with DN syntax. \n " ,
fname ,
lineno ,
style ,
a - > acl_attrs [ 0 ] . an_desc - > ad_cname . bv_val ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2005-05-03 08:13:16 -04:00
}
2005-07-05 08:00:14 -04:00
rc = dnNormalize ( 0 , NULL , NULL , & bv , & a - > acl_attrval , NULL ) ;
if ( rc ! = LDAP_SUCCESS ) {
2019-02-15 11:50:54 -05:00
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: unable to normalize DN \" %s \" " " for attributeType \" %s \" (%d). \n " ,
fname ,
lineno ,
bv . bv_val ,
a - > acl_attrs [ 0 ] . an_desc - > ad_cname . bv_val ,
rc ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2005-07-05 08:00:14 -04:00
}
2003-12-15 19:49:10 -05:00
} else {
2019-02-15 11:50:54 -05:00
Debug ( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL ,
" %s: line %d: unknown val.<style> \" %s \" for attributeType \" %s \" . \n " ,
fname ,
lineno ,
style ,
a - > acl_attrs [ 0 ] . an_desc - > ad_cname . bv_val ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2003-12-15 19:49:10 -05:00
}
}
2003-09-19 23:23:10 -04:00
}
2005-07-05 08:00:14 -04:00
/* Check for appropriate matching rule */
2005-12-09 05:33:01 -05:00
if ( a - > acl_attrval_style = = ACL_STYLE_REGEX ) {
ber_dupbv ( & a - > acl_attrval , & bv ) ;
} else if ( BER_BVISNULL ( & a - > acl_attrval ) ) {
int rc ;
const char * text ;
2005-07-05 08:00:14 -04:00
if ( a - > acl_attrval_mr = = NULL ) {
a - > acl_attrval_mr = a - > acl_attrs [ 0 ] . an_desc - > ad_type - > sat_equality ;
}
if ( a - > acl_attrval_mr = = NULL ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
2005-12-09 05:33:01 -05:00
" attr \" %s \" does not have an EQUALITY matching rule. \n " ,
2005-07-05 08:00:14 -04:00
fname , lineno , a - > acl_attrs [ 0 ] . an_name . bv_val ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2005-07-05 08:00:14 -04:00
}
2005-12-09 05:33:01 -05:00
rc = asserted_value_validate_normalize (
a - > acl_attrs [ 0 ] . an_desc ,
a - > acl_attrval_mr ,
SLAP_MR_EQUALITY | SLAP_MR_VALUE_OF_ASSERTION_SYNTAX ,
& bv ,
& a - > acl_attrval ,
& text ,
NULL ) ;
if ( rc ! = LDAP_SUCCESS ) {
2019-02-15 11:50:54 -05:00
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: %s: line %d: " " attr \" %s \" normalization failed (%d: %s). \n " ,
fname , lineno ,
fname , lineno ,
a - > acl_attrs [ 0 ] . an_name . bv_val ,
rc , text ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2005-12-09 05:33:01 -05:00
}
2005-07-05 08:00:14 -04:00
}
1998-08-08 20:43:13 -04:00
} else {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY ,
1998-08-21 02:33:42 -04:00
" %s: line %d: expecting <what> got \" %s \" \n " ,
1998-08-08 20:43:13 -04:00
fname , lineno , left ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
1998-08-08 20:43:13 -04:00
}
}
2004-10-06 18:03:33 -04:00
if ( ! BER_BVISNULL ( & a - > acl_dn_pat ) & &
ber_bvccmp ( & a - > acl_dn_pat , ' * ' ) )
2002-02-08 13:32:12 -05:00
{
2001-12-24 10:43:27 -05:00
free ( a - > acl_dn_pat . bv_val ) ;
2004-10-06 18:03:33 -04:00
BER_BVZERO ( & a - > acl_dn_pat ) ;
2005-05-23 16:29:01 -04:00
a - > acl_dn_style = ACL_STYLE_REGEX ;
1999-10-25 23:19:41 -04:00
}
2004-11-15 17:15:28 -05:00
if ( ! BER_BVISEMPTY ( & a - > acl_dn_pat ) | |
a - > acl_dn_style ! = ACL_STYLE_REGEX )
2002-07-10 21:45:22 -04:00
{
2002-02-08 13:32:12 -05:00
if ( a - > acl_dn_style ! = ACL_STYLE_REGEX ) {
2001-12-28 23:48:00 -05:00
struct berval bv ;
2003-04-29 14:28:14 -04:00
rc = dnNormalize ( 0 , NULL , NULL , & a - > acl_dn_pat , & bv , NULL ) ;
2002-04-15 16:44:05 -04:00
if ( rc ! = LDAP_SUCCESS ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY ,
2003-05-30 01:24:39 -04:00
" %s: line %d: bad DN \" %s \" in to DN clause \n " ,
2002-04-15 16:44:05 -04:00
fname , lineno , a - > acl_dn_pat . bv_val ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2002-04-15 16:44:05 -04:00
}
2001-12-24 10:43:27 -05:00
free ( a - > acl_dn_pat . bv_val ) ;
2001-12-28 23:48:00 -05:00
a - > acl_dn_pat = bv ;
2004-11-15 17:15:28 -05:00
2000-06-11 21:35:15 -04:00
} else {
2001-12-24 10:43:27 -05:00
int e = regcomp ( & a - > acl_dn_re , a - > acl_dn_pat . bv_val ,
2002-02-08 13:32:12 -05:00
REG_EXTENDED | REG_ICASE ) ;
2000-06-11 21:35:15 -04:00
if ( e ) {
2005-09-10 14:42:33 -04:00
char err [ SLAP_TEXT_BUFLEN ] ,
buf [ SLAP_TEXT_BUFLEN ] ;
regerror ( e , & a - > acl_dn_re , err , sizeof ( err ) ) ;
2019-02-15 11:50:54 -05:00
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: regular expression \" %s \" bad because of %s \n " ,
fname , lineno , right ,
err ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2000-06-11 21:35:15 -04:00
}
1999-08-21 23:30:45 -04:00
}
}
1998-08-08 20:43:13 -04:00
/* by clause - select who has what access to entries */
} else if ( strcasecmp ( argv [ i ] , " by " ) = = 0 ) {
if ( a = = NULL ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
2003-05-30 01:24:39 -04:00
" to clause required before by clause in access line \n " ,
2019-02-15 11:49:52 -05:00
fname , lineno ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
1998-08-08 20:43:13 -04:00
}
1999-10-21 13:53:56 -04:00
1998-08-08 20:43:13 -04:00
/*
* by clause consists of < who > and < access >
*/
if ( + + i = = argc ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: premature EOL: expecting <who> \n " ,
2019-02-15 11:49:52 -05:00
fname , lineno ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
1998-08-08 20:43:13 -04:00
}
2006-03-31 16:59:39 -05:00
b = ( Access * ) ch_calloc ( 1 , sizeof ( Access ) ) ;
ACL_INVALIDATE ( b - > a_access_mask ) ;
1998-08-08 20:43:13 -04:00
/* get <who> */
1999-07-21 16:54:23 -04:00
for ( ; i < argc ; i + + ) {
2005-04-02 20:59:03 -05:00
slap_style_t sty = ACL_STYLE_REGEX ;
char * style_modifier = NULL ;
char * style_level = NULL ;
int level = 0 ;
int expand = 0 ;
slap_dn_access * bdn = & b - > a_dn ;
int is_realdn = 0 ;
2000-06-11 21:35:15 -04:00
1999-07-21 16:54:23 -04:00
split ( argv [ i ] , ' = ' , & left , & right ) ;
2000-06-11 21:35:15 -04:00
split ( left , ' . ' , & left , & style ) ;
2002-04-03 10:42:19 -05:00
if ( style ) {
2005-03-31 13:10:11 -05:00
split ( style , ' , ' , & style , & style_modifier ) ;
if ( strncasecmp ( style , " level " , STRLENOF ( " level " ) ) = = 0 ) {
split ( style , ' { ' , & style , & style_level ) ;
if ( style_level ! = NULL ) {
char * p = strchr ( style_level , ' } ' ) ;
if ( p = = NULL ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY ,
2005-03-31 13:10:11 -05:00
" %s: line %d: premature eol: "
" expecting closing '}' in \" level{n} \" \n " ,
2019-02-15 11:49:52 -05:00
fname , lineno ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2005-03-31 13:10:11 -05:00
} else if ( p = = style_level ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY ,
2005-03-31 13:10:11 -05:00
" %s: line %d: empty level "
" in \" level{n} \" \n " ,
2019-02-15 11:49:52 -05:00
fname , lineno ) ;
2006-04-02 17:16:06 -04:00
goto fail ;
2005-03-31 13:10:11 -05:00
}
p [ 0 ] = ' \0 ' ;
}
}
2002-04-03 10:42:19 -05:00
}
2003-05-30 01:24:39 -04:00
if ( style = = NULL | | * style = = ' \0 ' | |
strcasecmp ( style , " exact " ) = = 0 | |
2004-06-28 02:42:00 -04:00
strcasecmp ( style , " baseObject " ) = = 0 | |
2003-05-30 01:24:39 -04:00
strcasecmp ( style , " base " ) = = 0 )
2000-06-11 21:35:15 -04:00
{
sty = ACL_STYLE_BASE ;
2003-05-30 01:24:39 -04:00
2003-12-20 10:18:21 -05:00
} else if ( strcasecmp ( style , " onelevel " ) = = 0 | |
2004-06-28 02:42:00 -04:00
strcasecmp ( style , " one " ) = = 0 )
{
2000-06-11 21:35:15 -04:00
sty = ACL_STYLE_ONE ;
2003-05-30 01:24:39 -04:00
} else if ( strcasecmp ( style , " subtree " ) = = 0 | |
strcasecmp ( style , " sub " ) = = 0 )
{
2000-06-11 21:35:15 -04:00
sty = ACL_STYLE_SUBTREE ;
2003-05-30 01:24:39 -04:00
2000-06-11 21:35:15 -04:00
} else if ( strcasecmp ( style , " children " ) = = 0 ) {
sty = ACL_STYLE_CHILDREN ;
2003-05-30 01:24:39 -04:00
2005-03-31 13:10:11 -05:00
} else if ( strcasecmp ( style , " level " ) = = 0 )
{
2005-11-23 20:10:05 -05:00
if ( lutil_atoi ( & level , style_level ) ! = 0 ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY ,
2005-03-31 13:10:11 -05:00
" %s: line %d: unable to parse level "
" in \" level{n} \" \n " ,
2019-02-15 11:49:52 -05:00
fname , lineno ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2005-03-31 13:10:11 -05:00
}
sty = ACL_STYLE_LEVEL ;
2003-05-30 01:24:39 -04:00
} else if ( strcasecmp ( style , " regex " ) = = 0 ) {
sty = ACL_STYLE_REGEX ;
2004-03-09 11:33:05 -05:00
} else if ( strcasecmp ( style , " expand " ) = = 0 ) {
sty = ACL_STYLE_EXPAND ;
2004-03-08 13:49:12 -05:00
} else if ( strcasecmp ( style , " ip " ) = = 0 ) {
sty = ACL_STYLE_IP ;
2006-12-14 20:11:11 -05:00
} else if ( strcasecmp ( style , " ipv6 " ) = = 0 ) {
# ifndef LDAP_PF_INET6
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: IPv6 not supported \n " ,
2019-02-15 11:49:52 -05:00
fname , lineno ) ;
2006-12-14 20:11:11 -05:00
# endif /* ! LDAP_PF_INET6 */
sty = ACL_STYLE_IPV6 ;
2004-03-08 13:49:12 -05:00
} else if ( strcasecmp ( style , " path " ) = = 0 ) {
sty = ACL_STYLE_PATH ;
# ifndef LDAP_PF_LOCAL
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL ,
" %s: line %d: "
2006-01-23 23:40:01 -05:00
" \" path \" style modifier is useless without local. \n " ,
2019-02-15 11:49:52 -05:00
fname , lineno ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2004-03-08 13:49:12 -05:00
# endif /* LDAP_PF_LOCAL */
2000-06-11 21:35:15 -04:00
} else {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY ,
2000-06-11 21:35:15 -04:00
" %s: line %d: unknown style \" %s \" in by clause \n " ,
2005-09-10 14:42:33 -04:00
fname , lineno , style ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2000-06-11 21:35:15 -04:00
}
1999-07-21 16:54:23 -04:00
2003-05-30 01:24:39 -04:00
if ( style_modifier & &
strcasecmp ( style_modifier , " expand " ) = = 0 )
{
2004-03-09 11:33:05 -05:00
switch ( sty ) {
case ACL_STYLE_REGEX :
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
2006-01-23 23:40:01 -05:00
" \" regex \" style implies \" expand \" modifier. \n " ,
2019-02-15 11:49:52 -05:00
fname , lineno ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2004-03-09 11:33:05 -05:00
break ;
case ACL_STYLE_EXPAND :
break ;
default :
2004-03-09 14:44:14 -05:00
/* we'll see later if it's pertinent */
2004-03-09 11:33:05 -05:00
expand = 1 ;
break ;
}
}
2005-04-02 20:59:03 -05:00
if ( strncasecmp ( left , " real " , STRLENOF ( " real " ) ) = = 0 ) {
is_realdn = 1 ;
bdn = & b - > a_realdn ;
left + = STRLENOF ( " real " ) ;
}
if ( strcasecmp ( left , " * " ) = = 0 ) {
if ( is_realdn ) {
2006-03-31 16:59:39 -05:00
goto fail ;
2005-04-02 20:59:03 -05:00
}
2004-11-15 17:15:28 -05:00
ber_str2bv ( " * " , STRLENOF ( " * " ) , 1 , & bv ) ;
2003-05-30 01:24:39 -04:00
sty = ACL_STYLE_REGEX ;
1999-10-25 23:19:41 -04:00
2005-04-02 20:59:03 -05:00
} else if ( strcasecmp ( left , " anonymous " ) = = 0 ) {
2004-10-06 18:03:33 -04:00
ber_str2bv ( " anonymous " , STRLENOF ( " anonymous " ) , 1 , & bv ) ;
2004-11-15 17:15:28 -05:00
sty = ACL_STYLE_ANONYMOUS ;
2005-04-02 20:59:03 -05:00
} else if ( strcasecmp ( left , " users " ) = = 0 ) {
2004-11-15 17:15:28 -05:00
ber_str2bv ( " users " , STRLENOF ( " users " ) , 1 , & bv ) ;
sty = ACL_STYLE_USERS ;
1999-10-25 23:19:41 -04:00
2005-04-02 20:59:03 -05:00
} else if ( strcasecmp ( left , " self " ) = = 0 ) {
2004-10-06 18:03:33 -04:00
ber_str2bv ( " self " , STRLENOF ( " self " ) , 1 , & bv ) ;
sty = ACL_STYLE_SELF ;
} else if ( strcasecmp ( left , " dn " ) = = 0 ) {
if ( sty = = ACL_STYLE_REGEX ) {
bdn - > a_style = ACL_STYLE_REGEX ;
if ( right = = NULL ) {
/* no '=' */
ber_str2bv ( " users " ,
STRLENOF ( " users " ) ,
1 , & bv ) ;
bdn - > a_style = ACL_STYLE_USERS ;
} else if ( * right = = ' \0 ' ) {
/* dn="" */
ber_str2bv ( " anonymous " ,
STRLENOF ( " anonymous " ) ,
1 , & bv ) ;
bdn - > a_style = ACL_STYLE_ANONYMOUS ;
} else if ( strcmp ( right , " * " ) = = 0 ) {
/* dn=* */
/* any or users? users for now */
ber_str2bv ( " users " ,
STRLENOF ( " users " ) ,
1 , & bv ) ;
bdn - > a_style = ACL_STYLE_USERS ;
} else if ( strcmp ( right , " .+ " ) = = 0
| | strcmp ( right , " ^.+ " ) = = 0
| | strcmp ( right , " .+$ " ) = = 0
| | strcmp ( right , " ^.+$ " ) = = 0
| | strcmp ( right , " .+$$ " ) = = 0
| | strcmp ( right , " ^.+$$ " ) = = 0 )
{
ber_str2bv ( " users " ,
STRLENOF ( " users " ) ,
1 , & bv ) ;
bdn - > a_style = ACL_STYLE_USERS ;
} else if ( strcmp ( right , " .* " ) = = 0
| | strcmp ( right , " ^.* " ) = = 0
| | strcmp ( right , " .*$ " ) = = 0
| | strcmp ( right , " ^.*$ " ) = = 0
| | strcmp ( right , " .*$$ " ) = = 0
| | strcmp ( right , " ^.*$$ " ) = = 0 )
{
ber_str2bv ( " * " ,
STRLENOF ( " * " ) ,
1 , & bv ) ;
} else {
acl_regex_normalized_dn ( right , & bv ) ;
if ( ! ber_bvccmp ( & bv , ' * ' ) ) {
regtest ( fname , lineno , bv . bv_val ) ;
}
}
} else if ( right = = NULL | | * right = = ' \0 ' ) {
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
" missing \" = \" in (or value after) \" %s \" "
" in by clause \n " ,
fname , lineno , left ) ;
goto fail ;
} else {
ber_str2bv ( right , 0 , 1 , & bv ) ;
}
} else {
BER_BVZERO ( & bv ) ;
}
if ( ! BER_BVISNULL ( & bv ) ) {
if ( ! BER_BVISEMPTY ( & bdn - > a_pat ) ) {
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: dn pattern already specified. \n " ,
fname , lineno ) ;
goto fail ;
}
if ( sty ! = ACL_STYLE_REGEX & &
sty ! = ACL_STYLE_ANONYMOUS & &
sty ! = ACL_STYLE_USERS & &
sty ! = ACL_STYLE_SELF & &
expand = = 0 )
{
rc = dnNormalize ( 0 , NULL , NULL ,
& bv , & bdn - > a_pat , NULL ) ;
if ( rc ! = LDAP_SUCCESS ) {
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: bad DN \" %s \" in by DN clause \n " ,
fname , lineno , bv . bv_val ) ;
goto fail ;
}
free ( bv . bv_val ) ;
if ( sty = = ACL_STYLE_BASE
& & be ! = NULL
& & ! BER_BVISNULL ( & be - > be_rootndn )
& & dn_match ( & bdn - > a_pat , & be - > be_rootndn ) )
{
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: rootdn is always granted "
" unlimited privileges. \n " ,
fname , lineno ) ;
}
} else {
bdn - > a_pat = bv ;
}
bdn - > a_style = sty ;
if ( expand ) {
char * exp ;
int gotit = 0 ;
for ( exp = strchr ( bdn - > a_pat . bv_val , ' $ ' ) ;
exp & & ( ber_len_t ) ( exp - bdn - > a_pat . bv_val )
< bdn - > a_pat . bv_len ;
exp = strchr ( exp , ' $ ' ) )
{
if ( ( isdigit ( ( unsigned char ) exp [ 1 ] ) | |
exp [ 1 ] = = ' { ' ) ) {
gotit = 1 ;
break ;
}
}
if ( gotit = = 1 ) {
bdn - > a_expand = expand ;
} else {
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
" \" expand \" used with no expansions in \" pattern \" . \n " ,
fname , lineno ) ;
goto fail ;
}
}
if ( sty = = ACL_STYLE_SELF ) {
bdn - > a_self_level = level ;
} else {
if ( level < 0 ) {
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: bad negative level \" %d \" "
" in by DN clause \n " ,
fname , lineno , level ) ;
goto fail ;
} else if ( level = = 1 ) {
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: \" onelevel \" should be used "
" instead of \" level{1} \" in by DN clause \n " ,
fname , lineno ) ;
} else if ( level = = 0 & & sty = = ACL_STYLE_LEVEL ) {
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: \" base \" should be used "
" instead of \" level{0} \" in by DN clause \n " ,
fname , lineno ) ;
}
bdn - > a_level = level ;
}
continue ;
}
if ( strcasecmp ( left , " dnattr " ) = = 0 ) {
if ( right = = NULL | | right [ 0 ] = = ' \0 ' ) {
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
" missing \" = \" in (or value after) \" %s \" "
" in by clause \n " ,
fname , lineno , left ) ;
goto fail ;
}
if ( bdn - > a_at ! = NULL ) {
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: dnattr already specified. \n " ,
fname , lineno ) ;
goto fail ;
}
rc = slap_str2ad ( right , & bdn - > a_at , & text ) ;
if ( rc ! = LDAP_SUCCESS ) {
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: dnattr \" %s \" : %s \n " ,
fname , lineno , right ,
text ) ;
goto fail ;
}
if ( ! is_at_syntax ( bdn - > a_at - > ad_type ,
SLAPD_DN_SYNTAX ) & &
! is_at_syntax ( bdn - > a_at - > ad_type ,
SLAPD_NAMEUID_SYNTAX ) )
{
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: dnattr \" %s \" : " " inappropriate syntax: %s \n \n " ,
fname , lineno , right ,
bdn - > a_at - > ad_type - > sat_syntax_oid ) ;
goto fail ;
}
if ( bdn - > a_at - > ad_type - > sat_equality = = NULL ) {
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: dnattr \" %s \" : "
" inappropriate matching (no EQUALITY) \n " ,
fname , lineno , right ) ;
goto fail ;
}
continue ;
}
if ( strncasecmp ( left , " group " , STRLENOF ( " group " ) ) = = 0 ) {
char * name = NULL ;
char * value = NULL ;
char * attr_name = SLAPD_GROUP_ATTR ;
switch ( sty ) {
case ACL_STYLE_REGEX :
/* legacy, tolerated */
Debug ( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL ,
" %s: line %d: "
" deprecated group style \" regex \" ; "
" use \" expand \" instead. \n " ,
fname , lineno ) ;
sty = ACL_STYLE_EXPAND ;
break ;
case ACL_STYLE_BASE :
/* legal, traditional */
case ACL_STYLE_EXPAND :
/* legal, substring expansion; supersedes regex */
break ;
default :
/* unknown */
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: "
" inappropriate style \" %s \" in by clause. \n " ,
fname , lineno , style ) ;
goto fail ;
}
if ( right = = NULL | | right [ 0 ] = = ' \0 ' ) {
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: "
" missing \" = \" in (or value after) \" %s \" "
" in by clause. \n " ,
fname , lineno , left ) ;
goto fail ;
}
if ( ! BER_BVISEMPTY ( & b - > a_group_pat ) ) {
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: group pattern already specified. \n " ,
fname , lineno ) ;
goto fail ;
}
/* format of string is
" group/objectClassValue/groupAttrName " */
if ( ( value = strchr ( left , ' / ' ) ) ! = NULL ) {
* value + + = ' \0 ' ;
if ( * value & & ( name = strchr ( value , ' / ' ) ) ! = NULL ) {
* name + + = ' \0 ' ;
}
}
b - > a_group_style = sty ;
if ( sty = = ACL_STYLE_EXPAND ) {
acl_regex_normalized_dn ( right , & bv ) ;
if ( ! ber_bvccmp ( & bv , ' * ' ) ) {
regtest ( fname , lineno , bv . bv_val ) ;
}
b - > a_group_pat = bv ;
} else {
ber_str2bv ( right , 0 , 0 , & bv ) ;
rc = dnNormalize ( 0 , NULL , NULL , & bv ,
& b - > a_group_pat , NULL ) ;
if ( rc ! = LDAP_SUCCESS ) {
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: bad DN \" %s \" . \n " ,
fname , lineno , right ) ;
goto fail ;
}
}
if ( value & & * value ) {
b - > a_group_oc = oc_find ( value ) ;
* - - value = ' / ' ;
if ( b - > a_group_oc = = NULL ) {
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: group objectclass "
" \" %s \" unknown. \n " ,
fname , lineno , value ) ;
goto fail ;
}
} else {
b - > a_group_oc = oc_find ( SLAPD_GROUP_CLASS ) ;
if ( b - > a_group_oc = = NULL ) {
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: group default objectclass "
" \" %s \" unknown. \n " ,
fname , lineno , SLAPD_GROUP_CLASS ) ;
goto fail ;
}
}
if ( is_object_subclass ( slap_schema . si_oc_referral ,
b - > a_group_oc ) )
{
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: group objectclass \" %s \" "
" is subclass of referral. \n " ,
fname , lineno , value ) ;
goto fail ;
}
if ( is_object_subclass ( slap_schema . si_oc_alias ,
b - > a_group_oc ) )
{
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: group objectclass \" %s \" "
" is subclass of alias. \n " ,
fname , lineno , value ) ;
goto fail ;
}
if ( name & & * name ) {
attr_name = name ;
* - - name = ' / ' ;
}
rc = slap_str2ad ( attr_name , & b - > a_group_at , & text ) ;
if ( rc ! = LDAP_SUCCESS ) {
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: group \" %s \" : %s. \n " ,
fname , lineno , right ,
text ) ;
goto fail ;
}
if ( ! is_at_syntax ( b - > a_group_at - > ad_type ,
SLAPD_DN_SYNTAX ) /* e.g. "member" */
& & ! is_at_syntax ( b - > a_group_at - > ad_type ,
SLAPD_NAMEUID_SYNTAX ) /* e.g. memberUID */
& & ! is_at_subtype ( b - > a_group_at - > ad_type ,
slap_schema . si_ad_labeledURI - > ad_type ) /* e.g. memberURL */ )
{
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: group \" %s \" attr \" %s \" : inappropriate syntax: %s; " " must be " SLAPD_DN_SYNTAX " (DN), " SLAPD_NAMEUID_SYNTAX " (NameUID) " " or a subtype of labeledURI. \n " ,
fname , lineno , right ,
attr_name ,
at_syntax ( b - > a_group_at - > ad_type ) ) ;
goto fail ;
}
{
int rc ;
ObjectClass * ocs [ 2 ] ;
ocs [ 0 ] = b - > a_group_oc ;
ocs [ 1 ] = NULL ;
rc = oc_check_allowed ( b - > a_group_at - > ad_type ,
ocs , NULL ) ;
if ( rc ! = 0 ) {
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: group: \" %s \" not allowed by \" %s \" . \n " ,
fname , lineno ,
b - > a_group_at - > ad_cname . bv_val ,
b - > a_group_oc - > soc_oid ) ;
goto fail ;
}
}
continue ;
}
if ( strcasecmp ( left , " peername " ) = = 0 ) {
switch ( sty ) {
case ACL_STYLE_REGEX :
case ACL_STYLE_BASE :
/* legal, traditional */
case ACL_STYLE_EXPAND :
/* cheap replacement to regex for simple expansion */
case ACL_STYLE_IP :
case ACL_STYLE_IPV6 :
case ACL_STYLE_PATH :
/* legal, peername specific */
break ;
default :
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
" inappropriate style \" %s \" in by clause. \n " ,
fname , lineno , style ) ;
goto fail ;
}
if ( right = = NULL | | right [ 0 ] = = ' \0 ' ) {
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
" missing \" = \" in (or value after) \" %s \" "
" in by clause. \n " ,
fname , lineno , left ) ;
goto fail ;
}
if ( ! BER_BVISEMPTY ( & b - > a_peername_pat ) ) {
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
" peername pattern already specified. \n " ,
fname , lineno ) ;
goto fail ;
}
b - > a_peername_style = sty ;
if ( sty = = ACL_STYLE_REGEX ) {
acl_regex_normalized_dn ( right , & bv ) ;
if ( ! ber_bvccmp ( & bv , ' * ' ) ) {
regtest ( fname , lineno , bv . bv_val ) ;
}
b - > a_peername_pat = bv ;
} else {
ber_str2bv ( right , 0 , 1 , & b - > a_peername_pat ) ;
if ( sty = = ACL_STYLE_IP ) {
char * addr = NULL ,
* mask = NULL ,
* port = NULL ;
split ( right , ' { ' , & addr , & port ) ;
split ( addr , ' % ' , & addr , & mask ) ;
b - > a_peername_addr = inet_addr ( addr ) ;
if ( b - > a_peername_addr = = ( unsigned long ) ( - 1 ) ) {
/* illegal address */
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
" illegal peername address \" %s \" . \n " ,
fname , lineno , addr ) ;
goto fail ;
}
b - > a_peername_mask = ( unsigned long ) ( - 1 ) ;
if ( mask ! = NULL ) {
b - > a_peername_mask = inet_addr ( mask ) ;
if ( b - > a_peername_mask = =
( unsigned long ) ( - 1 ) )
{
/* illegal mask */
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
" illegal peername address mask "
" \" %s \" . \n " ,
fname , lineno , mask ) ;
goto fail ;
}
}
b - > a_peername_port = - 1 ;
if ( port ) {
char * end = NULL ;
b - > a_peername_port = strtol ( port , & end , 10 ) ;
if ( end = = port | | end [ 0 ] ! = ' } ' ) {
/* illegal port */
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
" illegal peername port specification "
" \" {%s} \" . \n " ,
fname , lineno , port ) ;
goto fail ;
}
}
# ifdef LDAP_PF_INET6
} else if ( sty = = ACL_STYLE_IPV6 ) {
char * addr = NULL ,
* mask = NULL ,
* port = NULL ;
split ( right , ' { ' , & addr , & port ) ;
split ( addr , ' % ' , & addr , & mask ) ;
if ( inet_pton ( AF_INET6 , addr , & b - > a_peername_addr6 ) ! = 1 ) {
/* illegal address */
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
" illegal peername address \" %s \" . \n " ,
fname , lineno , addr ) ;
goto fail ;
}
if ( mask = = NULL ) {
mask = " FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF " ;
}
if ( inet_pton ( AF_INET6 , mask , & b - > a_peername_mask6 ) ! = 1 ) {
/* illegal mask */
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
" illegal peername address mask "
" \" %s \" . \n " ,
fname , lineno , mask ) ;
goto fail ;
}
b - > a_peername_port = - 1 ;
if ( port ) {
char * end = NULL ;
b - > a_peername_port = strtol ( port , & end , 10 ) ;
if ( end = = port | | end [ 0 ] ! = ' } ' ) {
/* illegal port */
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
" illegal peername port specification "
" \" {%s} \" . \n " ,
fname , lineno , port ) ;
goto fail ;
}
}
# endif /* LDAP_PF_INET6 */
}
}
continue ;
}
if ( strcasecmp ( left , " sockname " ) = = 0 ) {
switch ( sty ) {
case ACL_STYLE_REGEX :
case ACL_STYLE_BASE :
/* legal, traditional */
case ACL_STYLE_EXPAND :
/* cheap replacement to regex for simple expansion */
break ;
default :
/* unknown */
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
" inappropriate style \" %s \" in by clause \n " ,
fname , lineno , style ) ;
goto fail ;
}
if ( right = = NULL | | right [ 0 ] = = ' \0 ' ) {
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
" missing \" = \" in (or value after) \" %s \" "
" in by clause \n " ,
fname , lineno , left ) ;
goto fail ;
}
if ( ! BER_BVISNULL ( & b - > a_sockname_pat ) ) {
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
" sockname pattern already specified. \n " ,
fname , lineno ) ;
goto fail ;
}
b - > a_sockname_style = sty ;
if ( sty = = ACL_STYLE_REGEX ) {
acl_regex_normalized_dn ( right , & bv ) ;
if ( ! ber_bvccmp ( & bv , ' * ' ) ) {
regtest ( fname , lineno , bv . bv_val ) ;
}
b - > a_sockname_pat = bv ;
} else {
ber_str2bv ( right , 0 , 1 , & b - > a_sockname_pat ) ;
}
continue ;
}
if ( strcasecmp ( left , " domain " ) = = 0 ) {
switch ( sty ) {
case ACL_STYLE_REGEX :
case ACL_STYLE_BASE :
case ACL_STYLE_SUBTREE :
/* legal, traditional */
break ;
case ACL_STYLE_EXPAND :
/* tolerated: means exact,expand */
if ( expand ) {
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: "
" \" expand \" modifier "
" with \" expand \" style. \n " ,
fname , lineno ) ;
}
sty = ACL_STYLE_BASE ;
expand = 1 ;
break ;
default :
/* unknown */
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
" inappropriate style \" %s \" in by clause. \n " ,
fname , lineno , style ) ;
goto fail ;
}
if ( right = = NULL | | right [ 0 ] = = ' \0 ' ) {
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
" missing \" = \" in (or value after) \" %s \" "
" in by clause. \n " ,
fname , lineno , left ) ;
goto fail ;
}
if ( ! BER_BVISEMPTY ( & b - > a_domain_pat ) ) {
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: domain pattern already specified. \n " ,
fname , lineno ) ;
goto fail ;
}
b - > a_domain_style = sty ;
b - > a_domain_expand = expand ;
if ( sty = = ACL_STYLE_REGEX ) {
acl_regex_normalized_dn ( right , & bv ) ;
if ( ! ber_bvccmp ( & bv , ' * ' ) ) {
regtest ( fname , lineno , bv . bv_val ) ;
}
b - > a_domain_pat = bv ;
} else {
ber_str2bv ( right , 0 , 1 , & b - > a_domain_pat ) ;
}
continue ;
}
if ( strcasecmp ( left , " sockurl " ) = = 0 ) {
switch ( sty ) {
case ACL_STYLE_REGEX :
case ACL_STYLE_BASE :
/* legal, traditional */
case ACL_STYLE_EXPAND :
/* cheap replacement to regex for simple expansion */
break ;
default :
/* unknown */
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
" inappropriate style \" %s \" in by clause. \n " ,
fname , lineno , style ) ;
goto fail ;
}
if ( right = = NULL | | right [ 0 ] = = ' \0 ' ) {
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
" missing \" = \" in (or value after) \" %s \" "
" in by clause. \n " ,
fname , lineno , left ) ;
goto fail ;
}
if ( ! BER_BVISEMPTY ( & b - > a_sockurl_pat ) ) {
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: sockurl pattern already specified. \n " ,
fname , lineno ) ;
goto fail ;
}
b - > a_sockurl_style = sty ;
if ( sty = = ACL_STYLE_REGEX ) {
acl_regex_normalized_dn ( right , & bv ) ;
if ( ! ber_bvccmp ( & bv , ' * ' ) ) {
regtest ( fname , lineno , bv . bv_val ) ;
}
b - > a_sockurl_pat = bv ;
} else {
ber_str2bv ( right , 0 , 1 , & b - > a_sockurl_pat ) ;
}
continue ;
}
if ( strcasecmp ( left , " set " ) = = 0 ) {
switch ( sty ) {
/* deprecated */
case ACL_STYLE_REGEX :
Debug ( LDAP_DEBUG_CONFIG | LDAP_DEBUG_ACL ,
" %s: line %d: "
" deprecated set style "
" \" regex \" in <by> clause; "
" use \" expand \" instead. \n " ,
fname , lineno ) ;
sty = ACL_STYLE_EXPAND ;
/* FALLTHRU */
case ACL_STYLE_BASE :
case ACL_STYLE_EXPAND :
break ;
default :
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
" inappropriate style \" %s \" in by clause. \n " ,
fname , lineno , style ) ;
goto fail ;
}
if ( ! BER_BVISEMPTY ( & b - > a_set_pat ) ) {
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: set attribute already specified. \n " ,
fname , lineno ) ;
goto fail ;
}
if ( right = = NULL | | * right = = ' \0 ' ) {
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: no set is defined. \n " ,
fname , lineno ) ;
goto fail ;
}
b - > a_set_style = sty ;
ber_str2bv ( right , 0 , 1 , & b - > a_set_pat ) ;
continue ;
}
# ifdef SLAP_DYNACL
{
char * name = NULL ,
* opts = NULL ;
2006-01-06 12:12:35 -05:00
# if 1 /* tolerate legacy "aci" <who> */
2004-11-19 20:27:03 -05:00
if ( strcasecmp ( left , " aci " ) = = 0 ) {
2006-01-06 12:12:35 -05:00
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
" undocumented deprecated \" aci \" directive "
" is superseded by \" dynacl/aci \" . \n " ,
2019-02-15 11:49:52 -05:00
fname , lineno ) ;
2004-11-19 20:27:03 -05:00
name = " aci " ;
2006-01-06 12:12:35 -05:00
} else
# endif /* tolerate legacy "aci" <who> */
if ( strncasecmp ( left , " dynacl/ " , STRLENOF ( " dynacl/ " ) ) = = 0 ) {
2004-11-19 20:27:03 -05:00
name = & left [ STRLENOF ( " dynacl/ " ) ] ;
2005-08-22 12:28:50 -04:00
opts = strchr ( name , ' / ' ) ;
if ( opts ) {
opts [ 0 ] = ' \0 ' ;
opts + + ;
}
2004-11-19 20:27:03 -05:00
}
if ( name ) {
2005-08-22 12:28:50 -04:00
if ( slap_dynacl_config ( fname , lineno , b , name , opts , sty , right ) ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
" unable to configure dynacl \" %s \" . \n " ,
2004-11-19 20:27:03 -05:00
fname , lineno , name ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2004-11-19 20:27:03 -05:00
}
continue ;
}
}
2006-01-06 12:12:35 -05:00
# endif /* SLAP_DYNACL */
1999-08-20 18:42:04 -04:00
2000-08-28 14:38:48 -04:00
if ( strcasecmp ( left , " ssf " ) = = 0 ) {
2004-11-15 17:15:28 -05:00
if ( sty ! = ACL_STYLE_REGEX & & sty ! = ACL_STYLE_BASE ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
" inappropriate style \" %s \" in by clause. \n " ,
2002-04-03 10:42:19 -05:00
fname , lineno , style ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2002-04-03 10:42:19 -05:00
}
2004-11-15 17:15:28 -05:00
if ( b - > a_authz . sai_ssf ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY ,
2000-08-28 14:38:48 -04:00
" %s: line %d: ssf attribute already specified. \n " ,
2019-02-15 11:49:52 -05:00
fname , lineno ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2000-08-28 14:38:48 -04:00
}
if ( right = = NULL | | * right = = ' \0 ' ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: no ssf is defined. \n " ,
2019-02-15 11:49:52 -05:00
fname , lineno ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2000-08-28 14:38:48 -04:00
}
2005-11-23 20:10:05 -05:00
if ( lutil_atou ( & b - > a_authz . sai_ssf , right ) ! = 0 ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: unable to parse ssf value (%s). \n " ,
2004-06-18 05:11:53 -04:00
fname , lineno , right ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2004-06-18 05:11:53 -04:00
}
2000-08-28 14:38:48 -04:00
2004-11-15 17:15:28 -05:00
if ( ! b - > a_authz . sai_ssf ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: invalid ssf value (%s). \n " ,
2000-08-28 14:38:48 -04:00
fname , lineno , right ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2000-08-28 14:38:48 -04:00
}
continue ;
}
if ( strcasecmp ( left , " transport_ssf " ) = = 0 ) {
2004-11-15 17:15:28 -05:00
if ( sty ! = ACL_STYLE_REGEX & & sty ! = ACL_STYLE_BASE ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
" inappropriate style \" %s \" in by clause. \n " ,
2004-11-15 17:15:28 -05:00
fname , lineno , style ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2002-04-03 10:42:19 -05:00
}
2004-11-15 17:15:28 -05:00
if ( b - > a_authz . sai_transport_ssf ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
2004-06-28 02:42:00 -04:00
" transport_ssf attribute already specified. \n " ,
2019-02-15 11:49:52 -05:00
fname , lineno ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2000-08-28 14:38:48 -04:00
}
if ( right = = NULL | | * right = = ' \0 ' ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: no transport_ssf is defined. \n " ,
2019-02-15 11:49:52 -05:00
fname , lineno ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2000-08-28 14:38:48 -04:00
}
2005-11-23 20:10:05 -05:00
if ( lutil_atou ( & b - > a_authz . sai_transport_ssf , right ) ! = 0 ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
" unable to parse transport_ssf value (%s). \n " ,
2004-06-18 05:11:53 -04:00
fname , lineno , right ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2004-06-18 05:11:53 -04:00
}
2000-08-28 14:38:48 -04:00
2004-11-15 17:15:28 -05:00
if ( ! b - > a_authz . sai_transport_ssf ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: invalid transport_ssf value (%s). \n " ,
2000-08-28 14:38:48 -04:00
fname , lineno , right ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2000-08-28 14:38:48 -04:00
}
continue ;
}
if ( strcasecmp ( left , " tls_ssf " ) = = 0 ) {
2004-11-15 17:15:28 -05:00
if ( sty ! = ACL_STYLE_REGEX & & sty ! = ACL_STYLE_BASE ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
" inappropriate style \" %s \" in by clause. \n " ,
2004-11-15 17:15:28 -05:00
fname , lineno , style ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2002-04-03 10:42:19 -05:00
}
2004-11-15 17:15:28 -05:00
if ( b - > a_authz . sai_tls_ssf ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
2004-06-28 02:42:00 -04:00
" tls_ssf attribute already specified. \n " ,
2019-02-15 11:49:52 -05:00
fname , lineno ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2000-08-28 14:38:48 -04:00
}
if ( right = = NULL | | * right = = ' \0 ' ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY ,
2000-08-28 14:38:48 -04:00
" %s: line %d: no tls_ssf is defined \n " ,
2019-02-15 11:49:52 -05:00
fname , lineno ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2000-08-28 14:38:48 -04:00
}
2005-11-23 20:10:05 -05:00
if ( lutil_atou ( & b - > a_authz . sai_tls_ssf , right ) ! = 0 ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
" unable to parse tls_ssf value (%s). \n " ,
2004-06-18 05:11:53 -04:00
fname , lineno , right ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2004-06-18 05:11:53 -04:00
}
2000-08-28 14:38:48 -04:00
2004-11-15 17:15:28 -05:00
if ( ! b - > a_authz . sai_tls_ssf ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: invalid tls_ssf value (%s). \n " ,
2000-08-28 14:38:48 -04:00
fname , lineno , right ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2000-08-28 14:38:48 -04:00
}
continue ;
}
if ( strcasecmp ( left , " sasl_ssf " ) = = 0 ) {
2004-11-15 17:15:28 -05:00
if ( sty ! = ACL_STYLE_REGEX & & sty ! = ACL_STYLE_BASE ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
" inappropriate style \" %s \" in by clause. \n " ,
2004-11-15 17:15:28 -05:00
fname , lineno , style ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2002-04-03 10:42:19 -05:00
}
2004-11-15 17:15:28 -05:00
if ( b - > a_authz . sai_sasl_ssf ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
2004-06-28 02:42:00 -04:00
" sasl_ssf attribute already specified. \n " ,
2019-02-15 11:49:52 -05:00
fname , lineno ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2000-08-28 14:38:48 -04:00
}
if ( right = = NULL | | * right = = ' \0 ' ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: no sasl_ssf is defined. \n " ,
2019-02-15 11:49:52 -05:00
fname , lineno ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2000-08-28 14:38:48 -04:00
}
2005-11-23 20:10:05 -05:00
if ( lutil_atou ( & b - > a_authz . sai_sasl_ssf , right ) ! = 0 ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
" unable to parse sasl_ssf value (%s). \n " ,
2004-06-18 05:11:53 -04:00
fname , lineno , right ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2004-06-18 05:11:53 -04:00
}
2000-08-28 14:38:48 -04:00
2004-11-15 17:15:28 -05:00
if ( ! b - > a_authz . sai_sasl_ssf ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: invalid sasl_ssf value (%s). \n " ,
2000-08-28 14:38:48 -04:00
fname , lineno , right ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
2000-08-28 14:38:48 -04:00
}
continue ;
}
2004-11-15 17:15:28 -05:00
if ( right ! = NULL ) {
1999-10-21 13:53:56 -04:00
/* unsplit */
right [ - 1 ] = ' = ' ;
1999-07-21 16:54:23 -04:00
}
break ;
}
1999-10-21 13:53:56 -04:00
2004-11-15 17:15:28 -05:00
if ( i = = argc | | ( strcasecmp ( left , " stop " ) = = 0 ) ) {
1999-10-21 13:53:56 -04:00
/* out of arguments or plain stop */
2004-11-15 17:15:28 -05:00
ACL_PRIV_ASSIGN ( b - > a_access_mask , ACL_PRIV_ADDITIVE ) ;
2006-05-10 18:25:06 -04:00
ACL_PRIV_SET ( b - > a_access_mask , ACL_PRIV_NONE ) ;
1999-10-21 13:53:56 -04:00
b - > a_type = ACL_STOP ;
access_append ( & a - > acl_access , b ) ;
continue ;
}
2004-11-15 17:15:28 -05:00
if ( strcasecmp ( left , " continue " ) = = 0 ) {
1999-10-21 13:53:56 -04:00
/* plain continue */
2004-11-15 17:15:28 -05:00
ACL_PRIV_ASSIGN ( b - > a_access_mask , ACL_PRIV_ADDITIVE ) ;
2006-05-10 18:25:06 -04:00
ACL_PRIV_SET ( b - > a_access_mask , ACL_PRIV_NONE ) ;
1999-10-21 13:53:56 -04:00
b - > a_type = ACL_CONTINUE ;
access_append ( & a - > acl_access , b ) ;
continue ;
}
2004-11-15 17:15:28 -05:00
if ( strcasecmp ( left , " break " ) = = 0 ) {
1999-10-21 13:53:56 -04:00
/* plain continue */
2000-08-25 21:14:05 -04:00
ACL_PRIV_ASSIGN ( b - > a_access_mask , ACL_PRIV_ADDITIVE ) ;
2006-05-10 18:25:06 -04:00
ACL_PRIV_SET ( b - > a_access_mask , ACL_PRIV_NONE ) ;
1999-10-21 13:53:56 -04:00
b - > a_type = ACL_BREAK ;
access_append ( & a - > acl_access , b ) ;
continue ;
}
if ( strcasecmp ( left , " by " ) = = 0 ) {
/* we've gone too far */
- - i ;
2004-11-15 17:15:28 -05:00
ACL_PRIV_ASSIGN ( b - > a_access_mask , ACL_PRIV_ADDITIVE ) ;
2006-05-10 18:25:06 -04:00
ACL_PRIV_SET ( b - > a_access_mask , ACL_PRIV_NONE ) ;
1999-10-21 13:53:56 -04:00
b - > a_type = ACL_STOP ;
access_append ( & a - > acl_access , b ) ;
continue ;
}
/* get <access> */
2006-05-10 18:25:06 -04:00
{
char * lleft = left ;
2005-04-02 20:59:03 -05:00
2006-05-10 18:25:06 -04:00
if ( strncasecmp ( left , " self " , STRLENOF ( " self " ) ) = = 0 ) {
b - > a_dn_self = 1 ;
lleft = & left [ STRLENOF ( " self " ) ] ;
1999-10-21 13:53:56 -04:00
2006-05-10 18:25:06 -04:00
} else if ( strncasecmp ( left , " realself " , STRLENOF ( " realself " ) ) = = 0 ) {
b - > a_realdn_self = 1 ;
lleft = & left [ STRLENOF ( " realself " ) ] ;
}
ACL_PRIV_ASSIGN ( b - > a_access_mask , str2accessmask ( lleft ) ) ;
1999-10-21 13:53:56 -04:00
}
2004-11-15 17:15:28 -05:00
if ( ACL_IS_INVALID ( b - > a_access_mask ) ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY ,
" %s: line %d: expecting <access> got \" %s \" . \n " ,
1999-10-21 13:53:56 -04:00
fname , lineno , left ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
1999-10-21 13:53:56 -04:00
}
b - > a_type = ACL_STOP ;
2004-11-15 17:15:28 -05:00
if ( + + i = = argc ) {
1999-10-21 13:53:56 -04:00
/* out of arguments or plain stop */
access_append ( & a - > acl_access , b ) ;
continue ;
}
2004-11-15 17:15:28 -05:00
if ( strcasecmp ( argv [ i ] , " continue " ) = = 0 ) {
1999-10-21 13:53:56 -04:00
/* plain continue */
b - > a_type = ACL_CONTINUE ;
2004-11-15 17:15:28 -05:00
} else if ( strcasecmp ( argv [ i ] , " break " ) = = 0 ) {
1999-10-21 13:53:56 -04:00
/* plain continue */
b - > a_type = ACL_BREAK ;
} else if ( strcasecmp ( argv [ i ] , " stop " ) ! = 0 ) {
/* gone to far */
i - - ;
}
access_append ( & a - > acl_access , b ) ;
2006-03-31 16:59:39 -05:00
b = NULL ;
1999-10-21 13:53:56 -04:00
1998-08-08 20:43:13 -04:00
} else {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY ,
2004-11-15 17:15:28 -05:00
" %s: line %d: expecting \" to \" "
" or \" by \" got \" %s \" \n " ,
fname , lineno , argv [ i ] ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
1998-08-08 20:43:13 -04:00
}
}
/* if we have no real access clause, complain and do nothing */
if ( a = = NULL ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
2006-01-23 23:40:01 -05:00
" warning: no access clause(s) specified in access line. \n " ,
2019-02-15 11:49:52 -05:00
fname , lineno ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
1998-08-08 20:43:13 -04:00
} else {
1998-11-05 00:03:12 -05:00
# ifdef LDAP_DEBUG
2005-11-28 05:55:07 -05:00
if ( slap_debug & LDAP_DEBUG_ACL ) {
2004-11-15 17:15:28 -05:00
print_acl ( be , a ) ;
}
1998-11-05 00:03:12 -05:00
# endif
1998-08-08 20:43:13 -04:00
if ( a - > acl_access = = NULL ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ANY , " %s: line %d: "
2006-01-23 23:40:01 -05:00
" warning: no by clause(s) specified in access line. \n " ,
2019-02-15 11:49:52 -05:00
fname , lineno ) ;
2006-03-31 16:59:39 -05:00
goto fail ;
1998-08-08 20:43:13 -04:00
}
if ( be ! = NULL ) {
2006-01-05 16:38:31 -05:00
if ( be - > be_nsuffix = = NULL ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ACL , " %s: line %d: warning: "
2006-01-05 16:38:31 -05:00
" scope checking needs suffix before ACLs. \n " ,
2019-02-15 11:49:52 -05:00
fname , lineno ) ;
2004-11-30 17:50:07 -05:00
/* go ahead, since checking is not authoritative */
2006-01-05 16:38:31 -05:00
} else if ( ! BER_BVISNULL ( & be - > be_nsuffix [ 1 ] ) ) {
2005-09-10 14:42:33 -04:00
Debug ( LDAP_DEBUG_ACL , " %s: line %d: warning: "
2006-01-05 16:38:31 -05:00
" scope checking only applies to single-valued "
" suffix databases \n " ,
2019-02-15 11:49:52 -05:00
fname , lineno ) ;
2006-01-05 16:38:31 -05:00
/* go ahead, since checking is not authoritative */
} else {
switch ( check_scope ( be , a ) ) {
case ACL_SCOPE_UNKNOWN :
Debug ( LDAP_DEBUG_ACL , " %s: line %d: warning: "
" cannot assess the validity of the ACL scope within "
" backend naming context \n " ,
2019-02-15 11:49:52 -05:00
fname , lineno ) ;
2006-01-05 16:38:31 -05:00
break ;
2004-04-20 15:16:21 -04:00
2006-01-05 16:38:31 -05:00
case ACL_SCOPE_WARN :
Debug ( LDAP_DEBUG_ACL , " %s: line %d: warning: "
" ACL could be out of scope within backend naming context \n " ,
2019-02-15 11:49:52 -05:00
fname , lineno ) ;
2006-01-05 16:38:31 -05:00
break ;
2004-04-20 15:16:21 -04:00
2006-01-05 16:38:31 -05:00
case ACL_SCOPE_PARTIAL :
Debug ( LDAP_DEBUG_ACL , " %s: line %d: warning: "
" ACL appears to be partially out of scope within "
" backend naming context \n " ,
2019-02-15 11:49:52 -05:00
fname , lineno ) ;
2006-01-05 16:38:31 -05:00
break ;
case ACL_SCOPE_ERR :
Debug ( LDAP_DEBUG_ACL , " %s: line %d: warning: "
" ACL appears to be out of scope within "
" backend naming context \n " ,
2019-02-15 11:49:52 -05:00
fname , lineno ) ;
2006-01-05 16:38:31 -05:00
break ;
2004-04-20 15:16:21 -04:00
2006-01-05 16:38:31 -05:00
default :
break ;
}
2004-04-20 15:16:21 -04:00
}
2005-04-19 12:39:48 -04:00
acl_append ( & be - > be_acl , a , pos ) ;
2004-11-15 17:15:28 -05:00
1998-08-08 20:43:13 -04:00
} else {
2005-04-19 12:39:48 -04:00
acl_append ( & frontendDB - > be_acl , a , pos ) ;
1998-08-08 20:43:13 -04:00
}
}
2005-10-31 11:00:51 -05:00
return 0 ;
2006-03-31 16:59:39 -05:00
fail :
if ( b ) access_free ( b ) ;
if ( a ) acl_free ( a ) ;
return acl_usage ( ) ;
1998-08-08 20:43:13 -04:00
}
/*
 * Render an access mask as text into buf and return buf.
 *
 * mask:  the slap_mask_t to render.  An invalid mask yields the string
 *        literal "invalid" (not buf); callers must not modify it.
 * buf:   caller-supplied output buffer.  No bounds checking is done
 *        here, so it must be large enough for the longest rendering.
 * debug: when zero and mask is a level, only the level name is emitted;
 *        otherwise the level name is followed by the privilege bits in
 *        parentheses.
 *
 * The privilege part is one of "=", "+" or "-" followed by one letter
 * per set bit.  If no privilege letter is emitted at all, ptr is rewound
 * to buf (historical behaviour, preserved as is).
 */
char *
accessmask2str( slap_mask_t mask, char *buf, int debug )
{
	char		*ptr = buf;
	int		have_priv = 0;

	assert( buf != NULL );

	if ( ACL_IS_INVALID( mask ) ) {
		return "invalid";
	}

	buf[0] = '\0';

	if ( ACL_IS_LEVEL( mask ) ) {
		const char	*lvl;

		/* the first matching level name wins; "unknown" if none does */
		if ( ACL_LVL_IS_NONE( mask ) ) {
			lvl = "none";
		} else if ( ACL_LVL_IS_DISCLOSE( mask ) ) {
			lvl = "disclose";
		} else if ( ACL_LVL_IS_AUTH( mask ) ) {
			lvl = "auth";
		} else if ( ACL_LVL_IS_COMPARE( mask ) ) {
			lvl = "compare";
		} else if ( ACL_LVL_IS_SEARCH( mask ) ) {
			lvl = "search";
		} else if ( ACL_LVL_IS_READ( mask ) ) {
			lvl = "read";
		} else if ( ACL_LVL_IS_WRITE( mask ) ) {
			lvl = "write";
		} else if ( ACL_LVL_IS_WADD( mask ) ) {
			lvl = "add";
		} else if ( ACL_LVL_IS_WDEL( mask ) ) {
			lvl = "delete";
		} else if ( ACL_LVL_IS_MANAGE( mask ) ) {
			lvl = "manage";
		} else {
			lvl = "unknown";
		}
		ptr = lutil_strcopy( ptr, lvl );

		/* non-debug output stops at the level name */
		if ( !debug ) {
			*ptr = '\0';
			return buf;
		}
		*ptr++ = '(';
	}

	/* assignment mode: additive, subtractive or absolute */
	if ( ACL_IS_ADDITIVE( mask ) ) {
		*ptr++ = '+';
	} else if ( ACL_IS_SUBTRACTIVE( mask ) ) {
		*ptr++ = '-';
	} else {
		*ptr++ = '=';
	}

	if ( ACL_PRIV_ISSET( mask, ACL_PRIV_MANAGE ) ) {
		*ptr++ = 'm';
		have_priv = 1;
	}

	/* write, add and delete are rendered exclusively:
	 * full write takes precedence over the partial forms */
	if ( ACL_PRIV_ISSET( mask, ACL_PRIV_WRITE ) ) {
		*ptr++ = 'w';
		have_priv = 1;
	} else if ( ACL_PRIV_ISSET( mask, ACL_PRIV_WADD ) ) {
		*ptr++ = 'a';
		have_priv = 1;
	} else if ( ACL_PRIV_ISSET( mask, ACL_PRIV_WDEL ) ) {
		*ptr++ = 'z';
		have_priv = 1;
	}

	if ( ACL_PRIV_ISSET( mask, ACL_PRIV_READ ) ) {
		*ptr++ = 'r';
		have_priv = 1;
	}
	if ( ACL_PRIV_ISSET( mask, ACL_PRIV_SEARCH ) ) {
		*ptr++ = 's';
		have_priv = 1;
	}
	if ( ACL_PRIV_ISSET( mask, ACL_PRIV_COMPARE ) ) {
		*ptr++ = 'c';
		have_priv = 1;
	}
	if ( ACL_PRIV_ISSET( mask, ACL_PRIV_AUTH ) ) {
		*ptr++ = 'x';
		have_priv = 1;
	}
	if ( ACL_PRIV_ISSET( mask, ACL_PRIV_DISCLOSE ) ) {
		*ptr++ = 'd';
		have_priv = 1;
	}

	/* "0" only stands in when no other privilege letter was emitted */
	if ( !have_priv && ACL_PRIV_ISSET( mask, ACL_PRIV_NONE ) ) {
		*ptr++ = '0';
		have_priv = 1;
	}

	if ( !have_priv ) {
		ptr = buf;
	}

	if ( ACL_IS_LEVEL( mask ) ) {
		*ptr++ = ')';
	}
	*ptr = '\0';

	return buf;
}
/*
 * Parse one <access> token into a slap_mask_t.
 *
 * Two grammars are accepted (see acl_usage()):
 *  - privilege form: a leading '=', '+' or '-' (absolute, additive or
 *    subtractive) followed by any of m w a z r s c x d (case-insensitive)
 *    and the digit 0; any other character invalidates the mask;
 *  - level form: one of none, disclose, auth, compare, search, read, add,
 *    delete, write, manage (case-insensitive).
 * Anything else yields an invalidated mask; callers must test the result
 * with ACL_IS_INVALID() before using it.
 */
slap_mask_t
str2accessmask( const char *str )
{
	slap_mask_t	mask;

	if ( !ASCII_ALPHA( str[0] ) ) {
		const char	*p;

		/* the first character selects how the bits are applied */
		switch ( str[0] ) {
		case '=':
			ACL_INIT( mask );
			break;
		case '+':
			ACL_PRIV_ASSIGN( mask, ACL_PRIV_ADDITIVE );
			break;
		case '-':
			ACL_PRIV_ASSIGN( mask, ACL_PRIV_SUBSTRACTIVE );
			break;
		default:
			ACL_INVALIDATE( mask );
			return mask;
		}

		/* one letter per privilege; bail out on the first unknown one */
		for ( p = &str[1]; *p != '\0'; p++ ) {
			switch ( TOLOWER( (unsigned char)*p ) ) {
			case 'm':
				ACL_PRIV_SET( mask, ACL_PRIV_MANAGE );
				break;
			case 'w':
				ACL_PRIV_SET( mask, ACL_PRIV_WRITE );
				break;
			case 'a':
				ACL_PRIV_SET( mask, ACL_PRIV_WADD );
				break;
			case 'z':
				ACL_PRIV_SET( mask, ACL_PRIV_WDEL );
				break;
			case 'r':
				ACL_PRIV_SET( mask, ACL_PRIV_READ );
				break;
			case 's':
				ACL_PRIV_SET( mask, ACL_PRIV_SEARCH );
				break;
			case 'c':
				ACL_PRIV_SET( mask, ACL_PRIV_COMPARE );
				break;
			case 'x':
				ACL_PRIV_SET( mask, ACL_PRIV_AUTH );
				break;
			case 'd':
				ACL_PRIV_SET( mask, ACL_PRIV_DISCLOSE );
				break;
			case '0':
				ACL_PRIV_SET( mask, ACL_PRIV_NONE );
				break;
			default:
				ACL_INVALIDATE( mask );
				return mask;
			}
		}

		return mask;
	}

	/* level form: a single keyword */
	if ( strcasecmp( str, "none" ) == 0 ) {
		ACL_LVL_ASSIGN_NONE( mask );
	} else if ( strcasecmp( str, "disclose" ) == 0 ) {
		ACL_LVL_ASSIGN_DISCLOSE( mask );
	} else if ( strcasecmp( str, "auth" ) == 0 ) {
		ACL_LVL_ASSIGN_AUTH( mask );
	} else if ( strcasecmp( str, "compare" ) == 0 ) {
		ACL_LVL_ASSIGN_COMPARE( mask );
	} else if ( strcasecmp( str, "search" ) == 0 ) {
		ACL_LVL_ASSIGN_SEARCH( mask );
	} else if ( strcasecmp( str, "read" ) == 0 ) {
		ACL_LVL_ASSIGN_READ( mask );
	} else if ( strcasecmp( str, "add" ) == 0 ) {
		ACL_LVL_ASSIGN_WADD( mask );
	} else if ( strcasecmp( str, "delete" ) == 0 ) {
		ACL_LVL_ASSIGN_WDEL( mask );
	} else if ( strcasecmp( str, "write" ) == 0 ) {
		ACL_LVL_ASSIGN_WRITE( mask );
	} else if ( strcasecmp( str, "manage" ) == 0 ) {
		ACL_LVL_ASSIGN_MANAGE( mask );
	} else {
		ACL_INVALIDATE( mask );
	}

	return mask;
}
/*
 * Log the grammar of the "access" directive at LDAP_DEBUG_ANY.
 * Returns 1, which the ACL parser above hands back from its fail: path
 * so that a syntax error is always accompanied by this usage text.
 * The three fragments are joined by a single Debug() call so the whole
 * grammar appears as one message.
 */
static int
acl_usage( void )
{
	char *access =
		"<access clause> ::= access to <what> "
		"[ by <who> [ <access> ] [ <control> ] ]+ \n";
	char *what =
		"<what> ::= * | dn[.<dnstyle>=<DN>] [filter=<filter>] [attrs=<attrspec>]\n"
		"<attrspec> ::= <attrname> [val[/<matchingRule>][.<attrstyle>]=<value>] | <attrlist>\n"
		"<attrlist> ::= <attr> [ , <attrlist> ]\n"
		"<attr> ::= <attrname> | @<objectClass> | !<objectClass> | entry | children\n";

	char *who =
		"<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]\n"
			"\t[ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]\n"
			"\t[dnattr=<attrname>]\n"
			"\t[realdnattr=<attrname>]\n"
			"\t[group[/<objectclass>[/<attrname>]][.<style>]=<group>]\n"
			"\t[peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]\n"
			"\t[domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]\n"
#ifdef SLAP_DYNACL
			"\t[dynacl/<name>[/<options>][.<dynstyle>][=<pattern>]]\n"
#endif /* SLAP_DYNACL */
			"\t[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]\n"
		"<style> ::= exact | regex | base(Object)\n"
		"<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | "
			"exact | regex\n"
		"<attrstyle> ::= exact | regex | base(Object) | one(level) | "
			"sub(tree) | children\n"
		"<peernamestyle> ::= exact | regex | ip | ipv6 | path\n"
		"<domainstyle> ::= exact | regex | base(Object) | sub(tree)\n"
		"<access> ::= [[real]self]{<level>|<priv>}\n"
		"<level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage\n"
		"<priv> ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+\n"
		"<control> ::= [ stop | continue | break ]\n"
#ifdef SLAP_DYNACL
#ifdef SLAPD_ACI_ENABLED
		"dynacl:\n"
			"\t<name>=ACI\t<pattern>=<attrname>\n"
#endif /* SLAPD_ACI_ENABLED */
#endif /* SLAP_DYNACL */
		"";

	Debug( LDAP_DEBUG_ANY, "%s%s%s\n", access, what, who );

	return 1;
}
/*
 * Set pattern to a "normalized" DN copied from src.
 * At present it only eats the (optional) spaces following an RDN
 * separator (','); an escaped separator is left untouched.
 * Eventually will evolve into a more complete normalization.
 *
 * pattern->bv_val is allocated with ch_strdup() and is owned by the
 * caller; pattern->bv_len is the length of the (possibly shortened)
 * result.
 */
static void
acl_regex_normalized_dn(
	const char	*src,
	struct berval	*pattern )
{
	char		*dn = ch_strdup( src );
	char		*p = dn;
	ber_len_t	srclen = strlen( src );

	while ( p && p[0] != '\0' ) {
		/* a backslash escapes the next character; when that is a
		 * hex pair we ought to skip two, but the second hex digit
		 * can never match the checks below, so one is enough */
		if ( p[0] == '\\' && p[1] != '\0' ) {
			p++;
		}

		if ( p[0] == ',' && p[1] == ' ' ) {
			char	*q = &p[2];

			/* swallow every blank after the separator
			 * (more than one could be an error if we were pedantic) */
			while ( q[0] == ' ' ) {
				q++;
			}

			/* shift the tail (NUL included) left over the blanks;
			 * srclen is the original length, so the count may exceed
			 * what remains, but never the original allocation */
			AC_MEMCPY( p + 1, q, srclen - ( q - dn ) + 1 );
		}
		p++;
	}

	pattern->bv_val = dn;
	pattern->bv_len = p - dn;
}
/*
 * Split line in place at the first occurrence of splitchar.
 *
 * *left always points at line.  When splitchar is found it is overwritten
 * with a NUL and *right points just past it, so a caller can restore the
 * original text through right[-1]; otherwise *right is NULL.
 */
static void
split(
	char	*line,
	int	splitchar,
	char	**left,
	char	**right )
{
	char	*sep = strchr( line, splitchar );

	*left = line;
	*right = sep;

	if ( sep != NULL ) {
		*sep = '\0';
		*right = sep + 1;
	}
}
/* Append a to the end of the singly-linked Access list rooted at *l. */
static void
access_append( Access **l, Access *a )
{
	Access	**tail = l;

	/* walk to the NULL link at the end of the chain */
	while ( *tail != NULL ) {
		tail = &(*tail)->a_next;
	}
	*tail = a;
}
/*
 * Insert a into the AccessControl list rooted at *l at index pos
 * (0 = first).  A negative pos, or one past the current length, appends
 * at the end.  When an element already occupies pos, a is linked in
 * front of it.  Note that a NULL a truncates the list at pos.
 */
void
acl_append( AccessControl **l, AccessControl *a, int pos )
{
	AccessControl	**cur = l;
	int		i = 0;

	/* stop at the requested index or at the end, whichever is first */
	while ( i != pos && *cur != NULL ) {
		cur = &(*cur)->acl_next;
		i++;
	}

	if ( *cur != NULL && a != NULL ) {
		a->acl_next = *cur;
	}
	*cur = a;
}
/*
 * Release an Access (one <by> clause) and everything it owns: the
 * pattern bervals allocated while parsing and, with SLAP_DYNACL, the
 * chain of dynacl instances, each torn down through its own da_destroy
 * hook (when set) before its node is freed.
 */
static void
access_free( Access *a )
{
	struct berval	*pats[] = {
		&a->a_dn_pat,
		&a->a_realdn_pat,
		&a->a_peername_pat,
		&a->a_sockname_pat,
		&a->a_domain_pat,
		&a->a_sockurl_pat,
		&a->a_set_pat,
		&a->a_group_pat,
	};
	size_t		i;

	/* every pattern is an independently allocated string */
	for ( i = 0; i < sizeof( pats ) / sizeof( pats[0] ); i++ ) {
		if ( !BER_BVISNULL( pats[i] ) ) {
			free( pats[i]->bv_val );
		}
	}

#ifdef SLAP_DYNACL
	{
		slap_dynacl_t	*da = a->a_dynacl;

		while ( da != NULL ) {
			slap_dynacl_t	*next = da->da_next;

			if ( da->da_destroy ) {
				da->da_destroy( da->da_private );
			}
			ch_free( da );
			da = next;
		}
	}
#endif /* SLAP_DYNACL */

	free( a );
}
/*
 * Release an AccessControl (one "access to" line): its filter, its DN
 * pattern (plus the compiled regex when the style is regex), the
 * attribute list with its value pattern/regex, and every Access hanging
 * off acl_access.  The ACL must already be unlinked from its list.
 */
void
acl_free( AccessControl *a )
{
	Access	*acc, *next;

	if ( a->acl_filter ) {
		filter_free( a->acl_filter );
	}

	if ( !BER_BVISNULL( &a->acl_dn_pat ) ) {
		/* the regex is only compiled for the regex style */
		if ( a->acl_dn_style == ACL_STYLE_REGEX ) {
			regfree( &a->acl_dn_re );
		}
		free( a->acl_dn_pat.bv_val );
	}

	if ( a->acl_attrs ) {
		AttributeName	*an;

		/* the array is terminated by an entry with a NULL name */
		for ( an = a->acl_attrs; !BER_BVISNULL( &an->an_name ); an++ ) {
			free( an->an_name.bv_val );
		}
		free( a->acl_attrs );

		if ( a->acl_attrval_style == ACL_STYLE_REGEX ) {
			regfree( &a->acl_attrval_re );
		}
		/* acl_attrval comes from the BER allocator, not malloc */
		if ( !BER_BVISNULL( &a->acl_attrval ) ) {
			ber_memfree( a->acl_attrval.bv_val );
		}
	}

	for ( acc = a->acl_access; acc != NULL; acc = next ) {
		next = acc->a_next;
		access_free( acc );
	}

	free( a );
}
/*
 * Free a whole AccessControl list starting at a, then release the
 * file-scope aclbuf (defined elsewhere in this file) and reset it to an
 * empty berval so a later use starts from a clean state.
 */
void
acl_destroy( AccessControl *a )
{
	while ( a != NULL ) {
		AccessControl	*next = a->acl_next;

		acl_free( a );
		a = next;
	}

	if ( !BER_BVISNULL( &aclbuf ) ) {
		ch_free( aclbuf.bv_val );
		BER_BVZERO( &aclbuf );
	}
}
/*
 * Map an access level to the keyword used in the "access to ... by ..."
 * syntax.  Returns a string literal ("unknown" for any level not in the
 * table); callers must not modify or free it.
 */
char *
access2str( slap_access_t access )
{
	static const struct {
		slap_access_t	level;
		char		*name;
	} names[] = {
		{ ACL_NONE,	"none" },
		{ ACL_DISCLOSE,	"disclose" },
		{ ACL_AUTH,	"auth" },
		{ ACL_COMPARE,	"compare" },
		{ ACL_SEARCH,	"search" },
		{ ACL_READ,	"read" },
		{ ACL_WRITE,	"write" },
		{ ACL_WADD,	"add" },
		{ ACL_WDEL,	"delete" },
		{ ACL_MANAGE,	"manage" },
	};
	size_t	i;

	/* first match wins, in the same order as the former if-chain */
	for ( i = 0; i < sizeof( names ) / sizeof( names[0] ); i++ ) {
		if ( names[i].level == access ) {
			return names[i].name;
		}
	}
	return "unknown";
}
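/*
 * Parse an access-level keyword from a configuration line.
 *
 * str - keyword, compared case-insensitively; may be NULL
 * Returns the matching slap_access_t, or ACL_INVALID_ACCESS for NULL or
 * any keyword not in the table, so the caller can reject the directive.
 */
slap_access_t
str2access( const char *str )
{
	static const struct {
		const char	*name;
		slap_access_t	level;
	} levels[] = {
		{ "none",	ACL_NONE },
		{ "disclose",	ACL_DISCLOSE },
		{ "auth",	ACL_AUTH },
		{ "compare",	ACL_COMPARE },
		{ "search",	ACL_SEARCH },
		{ "read",	ACL_READ },
		{ "write",	ACL_WRITE },
		{ "add",	ACL_WADD },
		{ "delete",	ACL_WDEL },
		{ "manage",	ACL_MANAGE },
	};
	size_t	i;

	/* strcasecmp() on NULL is undefined; treat it as an invalid keyword */
	if ( str == NULL ) {
		return ACL_INVALID_ACCESS;
	}

	for ( i = 0; i < sizeof( levels ) / sizeof( levels[0] ); i++ ) {
		if ( strcasecmp( str, levels[i].name ) == 0 ) {
			return levels[i].level;
		}
	}
	return ACL_INVALID_ACCESS;
}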
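/*
 * Copy n bytes of src to ptr inside the growable buffer *buf, doubling the
 * buffer until the copy and a trailing terminator both fit.
 *
 * ptr - current write position; must point into buf->bv_val.  It is
 *       re-based when the buffer moves.  A NULL ptr (a previous failure)
 *       is passed through so chained callers never dereference it.
 * src - bytes to copy
 * n   - number of bytes
 * buf - the buffer being filled (bv_val/bv_len are updated on growth)
 * Returns the position just past the copied bytes, or NULL when the
 * buffer could not be grown.
 *
 * The bound kept here (used + n < bv_len) is what makes the unbounded
 * lutil_strncopy() call safe: there is always room for n bytes plus one.
 */
static char *
safe_strncopy( char *ptr, const char *src, size_t n, struct berval *buf )
{
	size_t	used;

	if ( ptr == NULL ) {
		return NULL;
	}

	/* work with offsets so no pointer beyond the buffer end is formed */
	used = (size_t)( ptr - buf->bv_val );
	if ( n >= SIZE_MAX - used ) {
		return NULL;
	}

	while ( used + n >= buf->bv_len ) {
		char	*tmp;

		/* refuse to wrap the size computation */
		if ( buf->bv_len > SIZE_MAX / 2 ) {
			return NULL;
		}
		tmp = ch_realloc( buf->bv_val, 2 * buf->bv_len );
		if ( tmp == NULL ) {
			return NULL;
		}
		buf->bv_val = tmp;
		buf->bv_len *= 2;
	}

	return lutil_strncopy( buf->bv_val + used, src, n );
}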
/*
 * Append the NUL-terminated string s at ptr, growing *buf as needed.
 * Returns the new write position (NULL on growth failure).
 */
static char *
safe_strcopy( char *ptr, const char *s, struct berval *buf )
{
	return safe_strncopy( ptr, s, strlen( s ), buf );
}
/*
 * Append the bytes of berval bv at ptr, growing *buf as needed.
 * Returns the new write position (NULL on growth failure).
 */
static char *
safe_strbvcopy( char *ptr, const struct berval *bv, struct berval *buf )
{
	const char	*src = bv->bv_val;
	size_t		len = bv->bv_len;

	return safe_strncopy( ptr, src, len, buf );
}
/*
 * Wrappers that always write into aclbuf, the file-scope growable buffer
 * acl_unparse() fills and acl_destroy() releases.  Each returns the new
 * write position, or NULL if the buffer could not be grown.
 */
#define acl_safe_strcopy( ptr, s )		safe_strcopy( (ptr), (s), &aclbuf )
#define acl_safe_strncopy( ptr, s, n )	safe_strncopy( (ptr), (s), (n), &aclbuf )
#define acl_safe_strbvcopy( ptr, bv )	safe_strbvcopy( (ptr), (bv), &aclbuf )
/*
 * Append "<prefix>{<level>}" at ptr; a snprintf() failure (n <= 0) appends
 * nothing, as the original code did.
 */
static char *
dnaccess_append_level( char *ptr, const char *prefix, int level )
{
	char	buf[SLAP_TEXT_BUFLEN];
	int	n = snprintf( buf, sizeof( buf ), "%s{%d}", prefix, level );

	if ( n > 0 ) {
		ptr = acl_safe_strncopy( ptr, buf, n );
	}
	return ptr;
}

/*
 * Render one DN selector of a "by" clause into aclbuf at ptr.
 *
 * bdn       - the DN pattern/style to render
 * ptr       - current write position (a space is written first)
 * is_realdn - non-zero for the "realdn"/"realanonymous"... forms
 * Returns the new write position.
 *
 * Keyword forms ("*", anonymous, users, self[.level{n}]) are written as
 * the pattern itself; everything else becomes dn.<style>[{n}][,expand]="pat".
 * The pattern is copied verbatim, without quoting.
 */
static char *
dnaccess2text( slap_dn_access *bdn, char *ptr, int is_realdn )
{
	int	is_wild = ber_bvccmp( &bdn->a_pat, '*' );
	int	is_keyword = is_wild
		|| bdn->a_style == ACL_STYLE_ANONYMOUS
		|| bdn->a_style == ACL_STYLE_USERS
		|| bdn->a_style == ACL_STYLE_SELF;

	*ptr++ = ' ';
	if ( is_realdn ) {
		ptr = acl_safe_strcopy( ptr, "real" );
	}

	if ( !is_keyword ) {
		ptr = acl_safe_strcopy( ptr, "dn." );
		if ( bdn->a_style == ACL_STYLE_BASE ) {
			ptr = acl_safe_strcopy( ptr, style_base );
		} else {
			ptr = acl_safe_strcopy( ptr, style_strings[bdn->a_style] );
		}
		if ( bdn->a_style == ACL_STYLE_LEVEL ) {
			ptr = dnaccess_append_level( ptr, "", bdn->a_level );
		}
		if ( bdn->a_expand ) {
			ptr = acl_safe_strcopy( ptr, ",expand" );
		}
		ptr = acl_safe_strcopy( ptr, "=\"" );
		ptr = acl_safe_strbvcopy( ptr, &bdn->a_pat );
		return acl_safe_strcopy( ptr, "\"" );
	}

	/* "real*" has no meaning, so a wildcard real DN is a parser bug */
	if ( is_realdn ) {
		assert( !is_wild );
	}
	ptr = acl_safe_strbvcopy( ptr, &bdn->a_pat );
	if ( bdn->a_style == ACL_STYLE_SELF && bdn->a_self_level != 0 ) {
		ptr = dnaccess_append_level( ptr, ".level", bdn->a_self_level );
	}
	return ptr;
}
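/*
 * Append " <keyword>.<style>=\"<pattern>\"" at ptr.  Used for the "by"
 * selectors that share this exact shape (peername, sockname, sockurl, set).
 * The pattern is copied verbatim: no escaping is applied, so the output is
 * only reparseable while the pattern contains no '"'.
 */
static char *
access_append_styled( char *ptr, const char *keyword, int style,
	const struct berval *pat )
{
	ptr = acl_safe_strcopy( ptr, keyword );
	ptr = acl_safe_strcopy( ptr, "." );
	ptr = acl_safe_strcopy( ptr, style_strings[style] );
	ptr = acl_safe_strcopy( ptr, "=\"" );
	ptr = acl_safe_strbvcopy( ptr, pat );
	return acl_safe_strcopy( ptr, "\"" );
}

/*
 * Append " <name>=<value>" for a security strength factor.
 *
 * Only what snprintf() actually produced is copied: a negative return
 * (encoding error) would otherwise be converted to a huge size_t by
 * acl_safe_strncopy() and make it grow the buffer until allocation gives
 * up, and a truncated result is clamped to what fits in buf.
 */
static char *
access_append_ssf( char *ptr, const char *name, unsigned value )
{
	char	buf[SLAP_TEXT_BUFLEN];
	int	n = snprintf( buf, sizeof( buf ), " %s=%u", name, value );

	if ( n <= 0 ) {
		return ptr;
	}
	if ( (size_t)n >= sizeof( buf ) ) {
		n = (int)( sizeof( buf ) - 1 );
	}
	return acl_safe_strncopy( ptr, buf, n );
}

/*
 * Render one "by" clause of an ACL into aclbuf at ptr, in the syntax
 * slapd.conf accepts: "\tby <who...> [ssf...] [self|realself]<access>
 * [break|continue|stop]\n".
 *
 * b   - the Access entry to render
 * ptr - current write position inside aclbuf
 * Returns the new write position, one past the trailing newline.
 */
static char *
access2text( Access *b, char *ptr )
{
	char	maskbuf[ACCESSMASK_MAXLEN];

	ptr = acl_safe_strcopy( ptr, "\tby" );

	/* who: DN pattern and DN-valued attribute, for the bound DN and the
	 * real (pre-proxy-authorization) DN */
	if ( !BER_BVISEMPTY( &b->a_dn_pat ) ) {
		ptr = dnaccess2text( &b->a_dn, ptr, 0 );
	}
	if ( b->a_dn_at ) {
		ptr = acl_safe_strcopy( ptr, " dnattr=" );
		ptr = acl_safe_strbvcopy( ptr, &b->a_dn_at->ad_cname );
	}

	if ( !BER_BVISEMPTY( &b->a_realdn_pat ) ) {
		ptr = dnaccess2text( &b->a_realdn, ptr, 1 );
	}
	if ( b->a_realdn_at ) {
		ptr = acl_safe_strcopy( ptr, " realdnattr=" );
		ptr = acl_safe_strbvcopy( ptr, &b->a_realdn_at->ad_cname );
	}

	/* group/<objectClass>/<memberAttr>.<style>="<pattern>", falling back
	 * to the compiled-in defaults when the ACL named no class/attribute */
	if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
		ptr = acl_safe_strcopy( ptr, " group/" );
		ptr = acl_safe_strcopy( ptr, b->a_group_oc ?
			b->a_group_oc->soc_cname.bv_val : SLAPD_GROUP_CLASS );
		ptr = acl_safe_strcopy( ptr, "/" );
		ptr = acl_safe_strcopy( ptr, b->a_group_at ?
			b->a_group_at->ad_cname.bv_val : SLAPD_GROUP_ATTR );
		ptr = acl_safe_strcopy( ptr, "." );
		ptr = acl_safe_strcopy( ptr, style_strings[b->a_group_style] );
		ptr = acl_safe_strcopy( ptr, "=\"" );
		ptr = acl_safe_strbvcopy( ptr, &b->a_group_pat );
		ptr = acl_safe_strcopy( ptr, "\"" );
	}

	if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {
		ptr = access_append_styled( ptr, " peername",
			b->a_peername_style, &b->a_peername_pat );
	}
	if ( !BER_BVISEMPTY( &b->a_sockname_pat ) ) {
		ptr = access_append_styled( ptr, " sockname",
			b->a_sockname_style, &b->a_sockname_pat );
	}

	/* domain is the one selector written without quotes */
	if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) {
		ptr = acl_safe_strcopy( ptr, " domain" );
		ptr = acl_safe_strcopy( ptr, "." );
		ptr = acl_safe_strcopy( ptr, style_strings[b->a_domain_style] );
		if ( b->a_domain_expand ) {
			ptr = acl_safe_strcopy( ptr, ",expand" );
		}
		ptr = acl_safe_strcopy( ptr, "=" );
		ptr = acl_safe_strbvcopy( ptr, &b->a_domain_pat );
	}

	if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) {
		ptr = access_append_styled( ptr, " sockurl",
			b->a_sockurl_style, &b->a_sockurl_pat );
	}
	if ( !BER_BVISEMPTY( &b->a_set_pat ) ) {
		ptr = access_append_styled( ptr, " set",
			b->a_set_style, &b->a_set_pat );
	}

#ifdef SLAP_DYNACL
	/* dynamic ACL modules render themselves into a berval they allocate
	 * and we release; with NDEBUG a module that left it NULL simply
	 * contributes nothing (a zero-length copy) */
	if ( b->a_dynacl ) {
		slap_dynacl_t	*da;

		for ( da = b->a_dynacl; da; da = da->da_next ) {
			if ( da->da_unparse ) {
				struct berval	bv = BER_BVNULL;

				(void)( *da->da_unparse )( da->da_private, &bv );
				assert( !BER_BVISNULL( &bv ) );

				ptr = acl_safe_strbvcopy( ptr, &bv );
				ch_free( bv.bv_val );
			}
		}
	}
#endif /* SLAP_DYNACL */

	/* Security Strength Factors */
	if ( b->a_authz.sai_ssf ) {
		ptr = access_append_ssf( ptr, "ssf", b->a_authz.sai_ssf );
	}
	if ( b->a_authz.sai_transport_ssf ) {
		ptr = access_append_ssf( ptr, "transport_ssf",
			b->a_authz.sai_transport_ssf );
	}
	if ( b->a_authz.sai_tls_ssf ) {
		ptr = access_append_ssf( ptr, "tls_ssf", b->a_authz.sai_tls_ssf );
	}
	if ( b->a_authz.sai_sasl_ssf ) {
		ptr = access_append_ssf( ptr, "sasl_ssf", b->a_authz.sai_sasl_ssf );
	}

	/* access level: " [self|realself]<mask>".  When the mask renders as
	 * the empty string the last byte written is taken back (pre-existing
	 * behaviour; that byte is the separating space unless self/realself
	 * was written, in which case it is that word's last letter). */
	ptr = acl_safe_strcopy( ptr, " " );
	if ( b->a_dn_self ) {
		ptr = acl_safe_strcopy( ptr, "self" );
	} else if ( b->a_realdn_self ) {
		ptr = acl_safe_strcopy( ptr, "realself" );
	}
	ptr = acl_safe_strcopy( ptr, accessmask2str( b->a_access_mask, maskbuf, 0 ) );
	if ( !maskbuf[0] ) ptr--;

	/* control: "stop" is the default and is only spelled out when the
	 * access mask produced nothing, so the clause is never left empty */
	if ( b->a_type == ACL_BREAK ) {
		ptr = acl_safe_strcopy( ptr, " break" );
	} else if ( b->a_type == ACL_CONTINUE ) {
		ptr = acl_safe_strcopy( ptr, " continue" );
	} else if ( b->a_type != ACL_STOP ) {
		ptr = acl_safe_strcopy( ptr, " unknown-control" );
	} else if ( !maskbuf[0] ) {
		ptr = acl_safe_strcopy( ptr, " stop" );
	}
	ptr = acl_safe_strcopy( ptr, "\n" );

	return ptr;
}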
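/*
 * Render an ACL as the "access to <what> by <who> ..." text slapd.conf
 * accepts.
 *
 * a  - the ACL to render
 * bv - receives the text.  bv->bv_val points into the file-scope aclbuf,
 *      which every call reuses and acl_destroy() frees: the caller must
 *      neither free it nor keep it across another acl_unparse() call, and
 *      concurrent callers would overwrite each other's result.
 *
 * Patterns are copied verbatim between quotes; nothing is escaped here.
 */
void
acl_unparse( AccessControl *a, struct berval *bv )
{
	Access	*b;
	char	*ptr;
	int	to = 0;		/* number of "to" selectors written */

	if ( BER_BVISNULL( &aclbuf ) ) {
		aclbuf.bv_val = ch_malloc( ACLBUF_CHUNKSIZE );
		aclbuf.bv_len = ACLBUF_CHUNKSIZE;
	}

	bv->bv_len = 0;
	ptr = aclbuf.bv_val;

	ptr = acl_safe_strcopy( ptr, "to" );

	if ( !BER_BVISNULL( &a->acl_dn_pat ) ) {
		to++;
		ptr = acl_safe_strcopy( ptr, " dn." );
		if ( a->acl_dn_style == ACL_STYLE_BASE ) {
			ptr = acl_safe_strcopy( ptr, style_base );
		} else {
			ptr = acl_safe_strcopy( ptr, style_strings[a->acl_dn_style] );
		}
		ptr = acl_safe_strcopy( ptr, "=\"" );
		ptr = acl_safe_strbvcopy( ptr, &a->acl_dn_pat );
		ptr = acl_safe_strcopy( ptr, "\"\n" );
	}

	if ( a->acl_filter != NULL ) {
		struct berval	fbv = BER_BVNULL;

		to++;
		/* filter2bv() allocates the text; if it leaves fbv NULL the
		 * zero-length copy below appends nothing and ch_free() is a no-op */
		filter2bv( a->acl_filter, &fbv );
		ptr = acl_safe_strcopy( ptr, " filter=\"" );
		ptr = acl_safe_strbvcopy( ptr, &fbv );
		ptr = acl_safe_strcopy( ptr, "\"\n" );
		ch_free( fbv.bv_val );
	}

	if ( a->acl_attrs != NULL ) {
		int		first = 1;
		AttributeName	*an;

		to++;
		ptr = acl_safe_strcopy( ptr, " attrs=" );
		for ( an = a->acl_attrs; an && !BER_BVISNULL( &an->an_name ); an++ ) {
			if ( !first ) {
				ptr = acl_safe_strcopy( ptr, "," );
			}
			if ( an->an_oc ) {
				/* object class entries: "@class" includes, "!class" excludes */
				ptr = acl_safe_strcopy( ptr,
					( an->an_flags & SLAP_AN_OCEXCLUDE ) ? "!" : "@" );
				ptr = acl_safe_strbvcopy( ptr, &an->an_oc->soc_cname );
			} else {
				ptr = acl_safe_strbvcopy( ptr, &an->an_name );
			}
			first = 0;
		}
		ptr = acl_safe_strcopy( ptr, "\n" );
	}

	if ( !BER_BVISNULL( &a->acl_attrval ) ) {
		int	dn_base = 0;

		to++;
		ptr = acl_safe_strcopy( ptr, " val." );
		/* "base" is the DN-syntax spelling of the base style.  Guard the
		 * dereference chain instead of trusting that a "val." pattern is
		 * always accompanied by a resolved acl_attrs[0].an_desc; when it
		 * is not, fall back to the generic style name. */
		if ( a->acl_attrval_style == ACL_STYLE_BASE
			&& a->acl_attrs != NULL
			&& a->acl_attrs[0].an_desc != NULL
			&& a->acl_attrs[0].an_desc->ad_type != NULL )
		{
			dn_base = ( a->acl_attrs[0].an_desc->ad_type->sat_syntax ==
				slap_schema.si_syn_distinguishedName );
		}
		if ( dn_base ) {
			ptr = acl_safe_strcopy( ptr, style_base );
		} else {
			ptr = acl_safe_strcopy( ptr, style_strings[a->acl_attrval_style] );
		}
		ptr = acl_safe_strcopy( ptr, "=\"" );
		ptr = acl_safe_strbvcopy( ptr, &a->acl_attrval );
		ptr = acl_safe_strcopy( ptr, "\"\n" );
	}

	if ( !to ) {
		ptr = acl_safe_strcopy( ptr, " *\n" );
	}

	for ( b = a->acl_access; b != NULL; b = b->a_next ) {
		ptr = access2text( b, ptr );
	}

	/* safe_strncopy() reserves one byte past every copy for this terminator */
	*ptr = '\0';
	bv->bv_val = aclbuf.bv_val;
	bv->bv_len = ptr - bv->bv_val;
}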
#ifdef LDAP_DEBUG
/*
 * Debug helper: dump one ACL to stderr, tagged as global (be == NULL) or
 * backend-specific.  The text lives in the shared acl_unparse() buffer
 * and is not freed here.
 */
static void
print_acl( Backend *be, AccessControl *a )
{
	const char	*scope = ( be == NULL ) ? "Global" : "Backend";
	struct berval	text;

	acl_unparse( a, &text );
	fprintf( stderr, "%s ACL: access %s\n", scope, text.bv_val );
}
#endif /* LDAP_DEBUG */