ITS#6035 olcAuthIDRewrite insert/delete support

2026-01-08 08:02:16 -05:00 · 2015-08-31 16:54:34 -07:00 · 2015-08-31 16:54:34 -07:00 · 1d562a7a52
commit 1d562a7a52
parent c4db906107
5 changed files with 230 additions and 145 deletions
--- a/servers/slapd/back-meta/config.c
+++ b/servers/slapd/back-meta/config.c
@ -696,47 +696,6 @@ meta_suffixm_config(
 	return rc;
 }

-static int
-slap_bv_x_ordered_unparse( BerVarray in, BerVarray *out )
-{
-	int		i;
-	BerVarray	bva = NULL;
-	char		ibuf[32], *ptr;
-	struct berval	idx;
-
-	assert( in != NULL );
-
-	for ( i = 0; !BER_BVISNULL( &in[i] ); i++ )
-		/* count'em */ ;
-
-	if ( i == 0 ) {
-		return 1;
-	}
-
-	idx.bv_val = ibuf;
-
-	bva = ch_malloc( ( i + 1 ) * sizeof(struct berval) );
-	BER_BVZERO( &bva[ 0 ] );
-
-	for ( i = 0; !BER_BVISNULL( &in[i] ); i++ ) {
-		idx.bv_len = snprintf( idx.bv_val, sizeof( ibuf ), SLAP_X_ORDERED_FMT, i );
-		if ( idx.bv_len >= sizeof( ibuf ) ) {
-			ber_bvarray_free( bva );
-			return 1;
-		}
-
-		bva[i].bv_len = idx.bv_len + in[i].bv_len;
-		bva[i].bv_val = ch_malloc( bva[i].bv_len + 1 );
-		ptr = lutil_strcopy( bva[i].bv_val, ibuf );
-		ptr = lutil_strcopy( ptr, in[i].bv_val );
-		*ptr = '\0';
-		BER_BVZERO( &bva[ i + 1 ] );
-	}
-
-	*out = bva;
-	return 0;
-}
-
 int
 meta_subtree_free( metasubtree_t *ms )
 {
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@ -81,9 +81,6 @@ static CfBackInfo cfBackInfo;
 static char	*passwd_salt;
 static FILE *logfile;
 static char	*logfileName;
-#ifdef SLAP_AUTH_REWRITE
-static BerVarray authz_rewrites;
-#endif
 static AccessControl *defacl_parsed = NULL;

 static struct berval cfdir;
@ -335,7 +332,7 @@ static ConfigTable config_back_cf_table[] = {
 				NULL, NULL },
 	{ "authid-rewrite", "rewrite", 2, 0, STRLENOF( "authid-rewrite" ),
 #ifdef SLAP_AUTH_REWRITE
-		ARG_MAGIC|CFG_REWRITE|ARG_NO_INSERT, &config_generic,
+		ARG_MAGIC|CFG_REWRITE, &config_generic,
 #else
 		ARG_IGNORED, NULL,
 #endif
@ -1401,29 +1398,7 @@ config_generic(ConfigArgs *c) {
 #endif
 #ifdef SLAP_AUTH_REWRITE
 		case CFG_REWRITE:
-			if ( authz_rewrites ) {
-				struct berval bv, idx;
-				char ibuf[32];
-				int i;
-
-				idx.bv_val = ibuf;
-				for ( i=0; !BER_BVISNULL( &authz_rewrites[i] ); i++ ) {
-					idx.bv_len = snprintf( idx.bv_val, sizeof( ibuf ), SLAP_X_ORDERED_FMT, i );
-					if ( idx.bv_len >= sizeof( ibuf ) ) {
-						ber_bvarray_free_x( c->rvalue_vals, NULL );
-						c->rvalue_vals = NULL;
-						break;
-					}
-					bv.bv_len = idx.bv_len + authz_rewrites[i].bv_len;
-					bv.bv_val = ch_malloc( bv.bv_len + 1 );
-					AC_MEMCPY( bv.bv_val, idx.bv_val, idx.bv_len );
-					AC_MEMCPY( &bv.bv_val[ idx.bv_len ],
-						authz_rewrites[i].bv_val,
-						authz_rewrites[i].bv_len + 1 );
-					ber_bvarray_add( &c->rvalue_vals, &bv );
-				}
-			}
-			if ( !c->rvalue_vals ) rc = 1;
+			rc = slap_sasl_rewrite_unparse( &c->rvalue_vals );
 			break;
 #endif
 		default:
@ -1455,7 +1430,6 @@ config_generic(ConfigArgs *c) {
 		/* no-ops, requires slapd restart */
 		case CFG_PLUGIN:
 		case CFG_MODLOAD:
-		case CFG_REWRITE:
 			snprintf(c->log, sizeof( c->log ), "change requires slapd restart");
 			break;

@ -1499,6 +1473,12 @@ config_generic(ConfigArgs *c) {
 			rc = slap_sasl_regexp_delete( c->valx );
 			break;

+#ifdef SLAP_AUTH_REWRITE
+		case CFG_REWRITE:
+			rc = slap_sasl_rewrite_delete( c->valx );
+			break;
+#endif /* SLAP_AUTH_REWRITE */
+
 		case CFG_SALT:
 			ch_free( passwd_salt );
 			passwd_salt = NULL;
@ -2448,36 +2428,13 @@ sortval_reject:

 #ifdef SLAP_AUTH_REWRITE
 		case CFG_REWRITE: {
-			struct berval bv;
-			char *line;
-			int rc = 0;
+			int rc;

 			if ( c->op == LDAP_MOD_ADD ) {
 				c->argv++;
 				c->argc--;
 			}
-			if(slap_sasl_rewrite_config(c->fname, c->lineno, c->argc, c->argv))
-				rc = 1;
-			if ( rc == 0 ) {
-
-				if ( c->argc > 1 ) {
-					char	*s;
-
-					/* quote all args but the first */
-					line = ldap_charray2str( c->argv, "\" \"" );
-					ber_str2bv( line, 0, 0, &bv );
-					s = ber_bvchr( &bv, '"' );
-					assert( s != NULL );
-					/* move the trailing quote of argv[0] to the end */
-					AC_MEMCPY( s, s + 1, bv.bv_len - ( s - bv.bv_val ) );
-					bv.bv_val[ bv.bv_len - 1 ] = '"';
-
-				} else {
-					ber_str2bv( c->argv[ 0 ], 0, 1, &bv );
-				}
-
-				ber_bvarray_add( &authz_rewrites, &bv );
-			}
+			rc = slap_sasl_rewrite_config(c->fname, c->lineno, c->argc, c->argv, c->valx);
 			if ( c->op == LDAP_MOD_ADD ) {
 				c->argv--;
 				c->argc++;
@ -3992,6 +3949,47 @@ anlist_unparse( AttributeName *an, char *ptr, ber_len_t buflen ) {
 	return ptr;
 }

+int
+slap_bv_x_ordered_unparse( BerVarray in, BerVarray *out )
+{
+	int		i;
+	BerVarray	bva = NULL;
+	char		ibuf[32], *ptr;
+	struct berval	idx;
+
+	assert( in != NULL );
+
+	for ( i = 0; !BER_BVISNULL( &in[i] ); i++ )
+		/* count'em */ ;
+
+	if ( i == 0 ) {
+		return 1;
+	}
+
+	idx.bv_val = ibuf;
+
+	bva = ch_malloc( ( i + 1 ) * sizeof(struct berval) );
+	BER_BVZERO( &bva[ 0 ] );
+
+	for ( i = 0; !BER_BVISNULL( &in[i] ); i++ ) {
+		idx.bv_len = snprintf( idx.bv_val, sizeof( ibuf ), SLAP_X_ORDERED_FMT, i );
+		if ( idx.bv_len >= sizeof( ibuf ) ) {
+			ber_bvarray_free( bva );
+			return 1;
+		}
+
+		bva[i].bv_len = idx.bv_len + in[i].bv_len;
+		bva[i].bv_val = ch_malloc( bva[i].bv_len + 1 );
+		ptr = lutil_strcopy( bva[i].bv_val, ibuf );
+		ptr = lutil_strcopy( ptr, in[i].bv_val );
+		*ptr = '\0';
+		BER_BVZERO( &bva[ i + 1 ] );
+	}
+
+	*out = bva;
+	return 0;
+}
+
 static int
 config_updatedn(ConfigArgs *c) {
 	if (c->op == SLAP_CONFIG_EMIT) {
--- a/servers/slapd/overlays/rwm.c
+++ b/servers/slapd/overlays/rwm.c
@ -1968,46 +1968,6 @@ static ConfigOCs rwmocs[] = {
 	{ NULL, 0, NULL }
 };

-static void
-slap_bv_x_ordered_unparse( BerVarray in, BerVarray *out )
-{
-	int		i;
-	BerVarray	bva = NULL;
-	char		ibuf[32], *ptr;
-	struct berval	idx;
-
-	assert( in != NULL );
-
-	for ( i = 0; !BER_BVISNULL( &in[i] ); i++ )
-		/* count'em */ ;
-
-	if ( i == 0 ) {
-		return;
-	}
-
-	idx.bv_val = ibuf;
-
-	bva = ch_malloc( ( i + 1 ) * sizeof(struct berval) );
-	BER_BVZERO( &bva[ 0 ] );
-
-	for ( i = 0; !BER_BVISNULL( &in[i] ); i++ ) {
-		idx.bv_len = snprintf( idx.bv_val, sizeof( ibuf ), "{%d}", i );
-		if ( idx.bv_len >= sizeof( ibuf ) ) {
-			ber_bvarray_free( bva );
-			return;
-		}
-
-		bva[i].bv_len = idx.bv_len + in[i].bv_len;
-		bva[i].bv_val = ch_malloc( bva[i].bv_len + 1 );
-		ptr = lutil_strcopy( bva[i].bv_val, ibuf );
-		ptr = lutil_strcopy( ptr, in[i].bv_val );
-		*ptr = '\0';
-		BER_BVZERO( &bva[ i + 1 ] );
-	}
-
-	*out = bva;
-}
-
 static int
 rwm_bva_add(
 	BerVarray		*bva,
@ -2108,10 +2068,7 @@ rwm_cf_gen( ConfigArgs *c )
 				rc = 1;

 			} else {
-				slap_bv_x_ordered_unparse( rwmap->rwm_bva_rewrite, &c->rvalue_vals );
-				if ( !c->rvalue_vals ) {
-					rc = 1;
-				}
+				rc = slap_bv_x_ordered_unparse( rwmap->rwm_bva_rewrite, &c->rvalue_vals );
 			}
 			break;

--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@ -760,6 +760,7 @@ LDAP_SLAPD_F (int) slap_client_connect LDAP_P(( LDAP **ldp, slap_bindconf *sb ))
 LDAP_SLAPD_F (int) config_generic_wrapper LDAP_P(( Backend *be,
 	const char *fname, int lineno, int argc, char **argv ));
 LDAP_SLAPD_F (char *) anlist_unparse LDAP_P(( AttributeName *, char *, ber_len_t buflen ));
+LDAP_SLAPD_F (int) slap_bv_x_ordered_unparse LDAP_P(( BerVarray in, BerVarray *out ));
 LDAP_SLAPD_F (int) slap_keepalive_parse( struct berval *val, void *bc,
 	slap_cf_aux_table *tab0, const char *tabmsg, int unparse );

@ -1723,7 +1724,10 @@ LDAP_SLAPD_F (int) slap_sasl_rewrite_config LDAP_P((
 	const char *fname,
 	int lineno,
 	int argc, 
-	char **argv ));
+	char **argv,
+	int valx ));
+LDAP_SLAPD_F (int) slap_sasl_rewrite_delete LDAP_P(( int valx ));
+LDAP_SLAPD_F (int) slap_sasl_rewrite_unparse LDAP_P(( BerVarray *bva ));
 #endif /* SLAP_AUTH_REWRITE */
 LDAP_SLAPD_F (void) slap_sasl_regexp_destroy LDAP_P(( void ));
 LDAP_SLAPD_F (int) slap_sasl_regexp_delete LDAP_P(( int valx ));
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@ -28,6 +28,7 @@
 #include "slap.h"

 #include "lutil.h"
+#include "config.h"

 #define SASLREGEX_REPLACE 10

@ -82,6 +83,7 @@ static SaslRegexp_t *SaslRegexp = NULL;
 #include "rewrite.h"
 struct rewrite_info	*sasl_rwinfo = NULL;
 #define AUTHID_CONTEXT	"authid"
+static BerVarray	authz_rewrites = NULL;
 #endif /* SLAP_AUTH_REWRITE */

 /* What SASL proxy authorization policies are allowed? */
@ -1281,7 +1283,7 @@ static int slap_sasl_rx_off(char *rep, int *off)
 #endif /* ! SLAP_AUTH_REWRITE */

 #ifdef SLAP_AUTH_REWRITE
-int slap_sasl_rewrite_config( 
+static int slap_sasl_rewrite_config_argv(
 		const char	*fname,
 		int		lineno,
 		int		argc,
@ -1289,22 +1291,80 @@ int slap_sasl_rewrite_config(
 )
 {
 	int	rc;
-	char	*savearg0;
+	char	*argv0 = NULL;
+
+	if ( strncasecmp( argv[0], "authid-", STRLENOF( "authid-" ) ) == 0 ) {
+		/* strip "authid-" prefix for parsing */
+		argv0 = argv[0];
+		argv[0] = &argv0[ STRLENOF( "authid-" ) ];
+	}

 	/* init at first call */
 	if ( sasl_rwinfo == NULL ) {
 		sasl_rwinfo = rewrite_info_init( REWRITE_MODE_USE_DEFAULT );
 	}

-	/* strip "authid-" prefix for parsing */
-	savearg0 = argv[0];
-	argv[0] += STRLENOF( "authid-" );
 	rc = rewrite_parse( sasl_rwinfo, fname, lineno, argc, argv );
-	argv[0] = savearg0;
+
+	if ( argv0 )
+		argv[0] = argv0;

 	return rc;
 }

+static int slap_sasl_rewrite_config_bv(
+		const char	*fname,
+		int		lineno,
+		struct berval	bv
+)
+{
+	int rc;
+	ConfigArgs ca = { 0 };
+
+	ca.line = bv.bv_val;
+	ca.argc = 0;
+	config_fp_parse_line( &ca );
+
+	rc = slap_sasl_rewrite_config_argv( fname, lineno, ca.argc, ca.argv );
+
+	ch_free( ca.tline );
+	ch_free( ca.argv );
+
+	return rc;
+}
+
+static void
+slap_sasl_rewrite_bva_add(
+		BerVarray	*bva,
+		int		idx,
+		int		argc,
+		char		**argv
+)
+{
+	char		*line, *s;
+	struct berval	bv;
+
+	if ( argc > 1 ) {
+		/* quote all args but the first */
+		line = ldap_charray2str( argv, "\" \"" );
+		ber_str2bv( line, 0, 0, &bv );
+		s = ber_bvchr( &bv, '"' );
+		assert( s != NULL );
+
+		/* move the trailing quote of argv[0] to the end */
+		AC_MEMCPY( s, s + 1, bv.bv_len - ( s - bv.bv_val ) );
+		bv.bv_val[ bv.bv_len - 1 ] = '"';
+	} else {
+		ber_str2bv( argv[ 0 ], 0, 1, &bv );
+	}
+
+	if ( idx == -1 ) {
+		ber_bvarray_add( bva, &bv );
+	} else {
+		(*bva)[ idx ] = bv;
+	}
+}
+
 static int
 slap_sasl_rewrite_destroy( void )
 {
@ -1316,6 +1376,113 @@ slap_sasl_rewrite_destroy( void )
 	return 0;
 }

+int slap_sasl_rewrite_config(
+		const char	*fname,
+		int		lineno,
+		int		argc,
+		char		**argv,
+		int		valx
+)
+{
+	int	rc, i, last;
+	char	*line;
+	struct berval bv;
+	struct rewrite_info *rw = sasl_rwinfo;
+
+	for ( last = 0; authz_rewrites && !BER_BVISNULL( &authz_rewrites[ last ] ); last++ )
+		/* count'em */ ;
+
+	if ( valx == -1 || valx >= last ) {
+		valx = -1;
+		rc = slap_sasl_rewrite_config_argv( fname, lineno, argc, argv );
+		if ( rc == 0 ) {
+			slap_sasl_rewrite_bva_add( &authz_rewrites, valx, argc, argv );
+		}
+		return rc;
+	}
+
+	sasl_rwinfo = NULL;
+
+	for ( i = 0; i < valx; i++ )
+	{
+		rc = slap_sasl_rewrite_config_bv( fname, lineno, authz_rewrites[ i ] );
+		assert( rc == 0 );
+	}
+
+	rc = slap_sasl_rewrite_config_argv( fname, lineno, argc, argv );
+	if ( rc != 0 ) {
+		slap_sasl_rewrite_destroy();
+		sasl_rwinfo = rw;
+		return 1;
+	}
+
+	for ( i = valx; authz_rewrites && !BER_BVISNULL( &authz_rewrites[ i ] ); i++ )
+	{
+		rc = slap_sasl_rewrite_config_bv( fname, lineno, authz_rewrites[ i ] );
+		assert( rc == 0 );
+	}
+
+	authz_rewrites = ch_realloc( authz_rewrites,
+			( last + 2 )*sizeof( struct berval ) );
+	BER_BVZERO( &authz_rewrites[ last + 1 ] );
+
+	for ( i = last - 1; i >= valx; i-- )
+	{
+		authz_rewrites[ i + 1 ] = authz_rewrites[ i ];
+	}
+
+	slap_sasl_rewrite_bva_add( &authz_rewrites, valx, argc, argv );
+
+	if ( rw )
+		rewrite_info_delete( &rw );
+
+	return rc;
+}
+
+int slap_sasl_rewrite_delete( int valx ) {
+	int rc, i;
+
+	if ( valx == -1 ) {
+		slap_sasl_rewrite_destroy();
+		if ( authz_rewrites ) {
+			ber_bvarray_free( authz_rewrites );
+			authz_rewrites = NULL;
+		}
+		return 0;
+	}
+
+	for ( i = 0; !BER_BVISNULL( &authz_rewrites[ i ] ); i++ )
+		/* count'em */ ;
+
+	if ( valx >= i ) {
+		return 1;
+	}
+
+	ber_memfree( authz_rewrites[ i ].bv_val );
+	for ( i = valx; !BER_BVISNULL( &authz_rewrites[ i + 1 ] ); i++ )
+	{
+		authz_rewrites[ i ] = authz_rewrites[ i + 1 ];
+	}
+	BER_BVZERO( &authz_rewrites[ i ] );
+
+	slap_sasl_rewrite_destroy();
+
+	for ( i = 0; !BER_BVISNULL( &authz_rewrites[ i ] ); i++ )
+	{
+		rc = slap_sasl_rewrite_config_bv( "slapd", 0, authz_rewrites[ i ] );
+		assert( rc == 0 );
+	}
+
+	return rc;
+}
+
+int slap_sasl_rewrite_unparse( BerVarray *bva ) {
+	if ( authz_rewrites ) {
+		return slap_bv_x_ordered_unparse( authz_rewrites, bva );
+	}
+	return 0;
+}
+
 static int
 slap_sasl_regexp_rewrite_config(
 		struct rewrite_info	**rwinfo,