mirror/openldap
2
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2024-12-21 03:10:25 +08:00
Code Issues Packages Projects Releases Wiki Activity
4c1339cf22
openldap/servers/slapd/aclparse.c

2682 lines
65 KiB
C
Raw Normal View History

Another round of changes behind -DSLAPD_SCHEMA_NOT_COMPAT plus these changes unhidden changes: remove now meaning --enable-discreteaci configure option fix ITS#451, slapd filters Add ber_bvecadd() to support above constify ldap_pvt_find_wildcard() and misc slapd routines renamed some slap.h macros likely broken something
2000-02-15 04:57:34 +08:00
/* aclparse.c - routines to parse and check acl's */
Add OpenLDAP RCSid to *.[ch] in clients, libraries, and servers. Replace old Id as needed (back-tcl). Leave updating of contribWare to contributors (for now).
1999-09-09 03:06:24 +08:00
/* $OpenLDAP$ */
Updated notices
2003-11-27 09:17:14 +08:00
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
Happy New Year!
2005-01-02 04:49:32 +08:00
* Copyright 1998-2005 The OpenLDAP Foundation.
Updated notices
2003-11-27 09:17:14 +08:00
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted only as authorized by the OpenLDAP
* Public License.
*
* A copy of this license is available in the file LICENSE in the
* top-level directory of the distribution or, alternatively, at
* <http://www.OpenLDAP.org/license.html>.
*/
/* Portions Copyright (c) 1995 Regents of the University of Michigan.
* All rights reserved.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and that due credit is given
* to the University of Michigan at Ann Arbor. The name of the University
* may not be used to endorse or promote products derived from this
* software without specific prior written permission. This software
* is provided ``as is'' without express or implied warranty.
Add copyright notices.
1999-08-07 07:07:46 +08:00
*/
Initial revision
1998-08-09 08:43:13 +08:00
merged with autoconf branch
1998-10-25 09:41:42 +08:00
#include "portable.h"
Initial revision
1998-08-09 08:43:13 +08:00
#include <stdio.h>
merged with autoconf branch
1998-10-25 09:41:42 +08:00
#include <ac/ctype.h>
#include <ac/regex.h>
#include <ac/socket.h>
#include <ac/string.h>
#include <ac/unistd.h>
Merged files from branch REGEX_REMOVAL. Despite name, this merge adds POSIX RegEx (and removes BSD re_comp/re_exec) support. * POSIX RegEx is not currently included in the distribution, however we will probably add Henry Spencer's REGEX library soon. * ACL Group functionality is also included in this merge!
1998-08-21 14:33:42 +08:00
Initial revision
1998-08-09 08:43:13 +08:00
#include "slap.h"
the logic of this check was completely reversed; in case '*' is used, on't test the regula expression
2002-04-02 16:18:30 +08:00
#include "lber_pvt.h"
Add #include "lutil.h" for lutil_str* functions
2002-08-06 10:36:34 +08:00
#include "lutil.h"
Initial revision
1998-08-09 08:43:13 +08:00
More value ACL style tweaks
2005-05-10 08:51:28 +08:00
static const char style_base[] = "base";
Format fix: Make style_strings[] global for debug output in dynacl_aci_parse()
2005-07-04 14:25:02 +08:00
char *style_strings[] = {
apply advanced peername ACL (ITS#2907)
2004-03-09 02:49:12 +08:00
"regex",
use "expand" instead of "regex" for group ACLs that allow substring expansion, preserving backwards compatibility; add sanity checks
2004-03-10 00:33:05 +08:00
"expand",
More value ACL style tweaks
2005-05-10 08:51:28 +08:00
"exact",
apply advanced peername ACL (ITS#2907)
2004-03-09 02:49:12 +08:00
"one",
"subtree",
"children",
initial commit of "level" styles for "dn" and "self" by clauses (ITS#3615)
2005-04-01 02:10:11 +08:00
"level",
apply advanced peername ACL (ITS#2907)
2004-03-09 02:49:12 +08:00
"attrof",
initial commit of "level" styles for "dn" and "self" by clauses (ITS#3615)
2005-04-01 02:10:11 +08:00
"anonymous",
"users",
"self",
apply advanced peername ACL (ITS#2907)
2004-03-09 02:49:12 +08:00
"ip",
"path",
NULL
};
improve error handling for attr val ACL syntax
2003-12-16 18:56:21 +08:00
Protoized, moved extern definitions to .h files, fixed related bugs. Most function and variable definitions are now preceded by its extern definition, for error checking. Retyped a number of functions, usually to return void. Fixed a number of printf format errors. API changes (in ldap/include): Added avl_dup_ok, avl_prefixapply, removed ber_fatten (probably typo for ber_flatten), retyped ldap_sort_strcasecmp, grew lutil.h. A number of `extern' declarations are left (some added by protoize), to be cleaned away later. Mostly strdup(), strcasecmp(), mktemp(), optind, optarg, errno.
1998-11-16 06:40:11 +08:00
static void split(char *line, int splitchar, char **left, char **right);
Namespace changes added slap_ and ldbm_ to many structures added typedefs to many structures used typedefs New main.c argument parsing with ldap url support (replacing -a address). New sockaddr_in handling and support for multiple listeners.
1999-07-20 03:40:33 +08:00
static void access_append(Access **l, Access *a);
Introduce and use LDAP_GCCATTR() = __attributes__() in gcc
1999-09-04 05:06:33 +08:00
static void acl_usage(void) LDAP_GCCATTR((noreturn));
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
Patch: aclparse.c bugs (ITS#1752) ================ Written by Hallvard B. Furuseth and placed into the public domain. This software is not subject to any license of the University of Oslo. ================ Bug fixes: - acl_regex_normalized_dn(pattern): * used pattern->bv_len even though it claimed not to, * would walk past the end of strings that ended (incorrectly) with a single '\'. - style=regex checked for "^.*$$" twice but not for "^.*$". - the code did not notice if dnNormalize2() failed, and would (at least in one case) treat a bad DN as '*'. Some cleanup: - changed regtest() to return void, since the return value was unused. - changed acl_regex_normalized_dn() to take a string input argument instead of a half-filled berval, it looks saner that way. Hallvard B. Furuseth <h.b.furuseth@usit.uio.no>, April 2002.
2002-04-16 04:44:05 +08:00
static void acl_regex_normalized_dn(const char *src, struct berval *pat);
trims space after comma in dn.regex acls (prelude to normalization)
2001-11-12 19:29:40 +08:00
Initial revision
1998-08-09 08:43:13 +08:00
#ifdef LDAP_DEBUG
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
static void print_acl(Backend *be, AccessControl *a);
Initial revision
1998-08-09 08:43:13 +08:00
#endif
Add "disclose" and "manage" ACL levels (but no meat). Disclose permission intended to be used for "disclose on error" (as in our present "none"), none being "don't disclose on error". Manage permission is intended to be used to allow DSA IT management (e.g., changing entryCSNs, structuralObjectClass, etc.).
2005-01-08 13:26:18 +08:00
static int check_scope( BackendDB *be, AccessControl *a );
experimental ACL scope correctness test
2004-04-21 03:16:21 +08:00
move ACIs under a dynamic infrastructure that allows run-time loadable custom access control logic (needs work)
2004-11-20 09:27:03 +08:00
#ifdef SLAP_DYNACL
static int
slap_dynacl_config( const char *fname, int lineno, Access *b, const char *name, slap_style_t sty, const char *right )
{
slap_dynacl_t *da, *tmp;
int rc = 0;
for ( da = b->a_dynacl; da; da = da->da_next ) {
if ( strcasecmp( da->da_name, name ) == 0 ) {
fprintf( stderr,
"%s: line %d: dynacl \"%s\" already specified.\n",
fname, lineno, name );
acl_usage();
}
}
da = slap_dynacl_get( name );
if ( da == NULL ) {
return -1;
}
tmp = ch_malloc( sizeof( slap_dynacl_t ) );
*tmp = *da;
if ( tmp->da_parse ) {
rc = ( *tmp->da_parse )( fname, lineno, sty, right, &tmp->da_private );
if ( rc ) {
ch_free( tmp );
return rc;
}
}
tmp->da_next = b->a_dynacl;
b->a_dynacl = tmp;
return 0;
}
#endif /* SLAP_DYNACL */
Patch: aclparse.c bugs (ITS#1752) ================ Written by Hallvard B. Furuseth and placed into the public domain. This software is not subject to any license of the University of Oslo. ================ Bug fixes: - acl_regex_normalized_dn(pattern): * used pattern->bv_len even though it claimed not to, * would walk past the end of strings that ended (incorrectly) with a single '\'. - style=regex checked for "^.*$$" twice but not for "^.*$". - the code did not notice if dnNormalize2() failed, and would (at least in one case) treat a bad DN as '*'. Some cleanup: - changed regtest() to return void, since the return value was unused. - changed acl_regex_normalized_dn() to take a string input argument instead of a half-filled berval, it looks saner that way. Hallvard B. Furuseth <h.b.furuseth@usit.uio.no>, April 2002.
2002-04-16 04:44:05 +08:00
static void
const'fication
1999-08-21 03:00:44 +08:00
regtest(const char *fname, int lineno, char *pat) {
Merged files from branch REGEX_REMOVAL. Despite name, this merge adds POSIX RegEx (and removes BSD re_comp/re_exec) support. * POSIX RegEx is not currently included in the distribution, however we will probably add Henry Spencer's REGEX library soon. * ACL Group functionality is also included in this merge!
1998-08-21 14:33:42 +08:00
int e;
regex_t re;
char buf[512];
Protoized, moved extern definitions to .h files, fixed related bugs. Most function and variable definitions are now preceded by its extern definition, for error checking. Retyped a number of functions, usually to return void. Fixed a number of printf format errors. API changes (in ldap/include): Added avl_dup_ok, avl_prefixapply, removed ber_fatten (probably typo for ber_flatten), retyped ldap_sort_strcasecmp, grew lutil.h. A number of `extern' declarations are left (some added by protoize), to be cleaned away later. Mostly strdup(), strcasecmp(), mktemp(), optind, optarg, errno.
1998-11-16 06:40:11 +08:00
unsigned size;
Merged files from branch REGEX_REMOVAL. Despite name, this merge adds POSIX RegEx (and removes BSD re_comp/re_exec) support. * POSIX RegEx is not currently included in the distribution, however we will probably add Henry Spencer's REGEX library soon. * ACL Group functionality is also included in this merge!
1998-08-21 14:33:42 +08:00
char *sp;
char *dp;
int flag;
sp = pat;
dp = buf;
size = 0;
buf[0] = '\0';
for (size = 0, flag = 0; (size < sizeof(buf)) && *sp; sp++) {
if (flag) {
if (*sp == '$'|| (*sp >= '0' && *sp <= '9')) {
*dp++ = *sp;
size++;
}
flag = 0;
} else {
if (*sp == '$') {
flag = 1;
} else {
*dp++ = *sp;
size++;
}
}
}
*dp = '\0';
extend the availability of submatches to non-regex DN patterns
2004-10-07 06:03:33 +08:00
if ( size >= (sizeof(buf) - 1) ) {
Merged files from branch REGEX_REMOVAL. Despite name, this merge adds POSIX RegEx (and removes BSD re_comp/re_exec) support. * POSIX RegEx is not currently included in the distribution, however we will probably add Henry Spencer's REGEX library soon. * ACL Group functionality is also included in this merge!
1998-08-21 14:33:42 +08:00
fprintf( stderr,
"%s: line %d: regular expression \"%s\" too large\n",
Fix fprintf format args
1999-08-29 08:26:44 +08:00
fname, lineno, pat );
Merged files from branch REGEX_REMOVAL. Despite name, this merge adds POSIX RegEx (and removes BSD re_comp/re_exec) support. * POSIX RegEx is not currently included in the distribution, however we will probably add Henry Spencer's REGEX library soon. * ACL Group functionality is also included in this merge!
1998-08-21 14:33:42 +08:00
acl_usage();
}
if ((e = regcomp(&re, buf, REG_EXTENDED|REG_ICASE))) {
char error[512];
regerror(e, &re, error, sizeof(error));
fprintf( stderr,
"%s: line %d: regular expression \"%s\" bad because of %s\n",
fname, lineno, pat, error );
acl_usage();
}
regfree(&re);
}
experimental ACL scope correctness test
2004-04-21 03:16:21 +08:00
/*
* Experimental
*
* Check if the pattern of an ACL, if any, matches the scope
* of the backend it is defined within.
*/
#define ACL_SCOPE_UNKNOWN (-2)
#define ACL_SCOPE_ERR (-1)
#define ACL_SCOPE_OK (0)
#define ACL_SCOPE_PARTIAL (1)
#define ACL_SCOPE_WARN (2)
static int
check_scope( BackendDB *be, AccessControl *a )
{
int patlen;
struct berval dn;
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
dn = be->be_nsuffix[0];
experimental ACL scope correctness test
2004-04-21 03:16:21 +08:00
silence warning for global scoped global ACLs
2005-01-12 08:53:50 +08:00
if ( BER_BVISEMPTY( &dn ) ) {
return ACL_SCOPE_OK;
}
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
a->acl_dn_style != ACL_STYLE_REGEX )
{
experimental ACL scope correctness test
2004-04-21 03:16:21 +08:00
slap_style_t style = a->acl_dn_style;
if ( style == ACL_STYLE_REGEX ) {
don't yell at regex styling that wraps all the suffix in a submatch
2004-12-01 06:50:07 +08:00
char dnbuf[SLAP_LDAPDN_MAXLEN + 2];
char rebuf[SLAP_LDAPDN_MAXLEN + 1];
ber_len_t rebuflen;
regex_t re;
int rc;
experimental ACL scope correctness test
2004-04-21 03:16:21 +08:00
don't yell at regex styling that wraps all the suffix in a submatch
2004-12-01 06:50:07 +08:00
/* add trailing '$' to database suffix to form
* a simple trial regex pattern "<suffix>$" */
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
AC_MEMCPY( dnbuf, be->be_nsuffix[0].bv_val,
be->be_nsuffix[0].bv_len );
dnbuf[be->be_nsuffix[0].bv_len] = '$';
dnbuf[be->be_nsuffix[0].bv_len + 1] = '\0';
experimental ACL scope correctness test
2004-04-21 03:16:21 +08:00
if ( regcomp( &re, dnbuf, REG_EXTENDED|REG_ICASE ) ) {
return ACL_SCOPE_WARN;
}
don't yell at regex styling that wraps all the suffix in a submatch
2004-12-01 06:50:07 +08:00
/* remove trailing ')$', if any, from original
* regex pattern */
rebuflen = a->acl_dn_pat.bv_len;
AC_MEMCPY( rebuf, a->acl_dn_pat.bv_val, rebuflen + 1 );
if ( rebuf[rebuflen - 1] == '$' ) {
rebuf[--rebuflen] = '\0';
}
while ( rebuflen > be->be_nsuffix[0].bv_len && rebuf[rebuflen - 1] == ')' ) {
rebuf[--rebuflen] = '\0';
}
if ( rebuflen == be->be_nsuffix[0].bv_len ) {
rc = ACL_SCOPE_WARN;
goto regex_done;
experimental ACL scope correctness test
2004-04-21 03:16:21 +08:00
}
/* not a clear indication of scoping error, though */
rc = regexec( &re, rebuf, 0, NULL, 0 )
? ACL_SCOPE_WARN : ACL_SCOPE_OK;
don't yell at regex styling that wraps all the suffix in a submatch
2004-12-01 06:50:07 +08:00
regex_done:;
experimental ACL scope correctness test
2004-04-21 03:16:21 +08:00
regfree( &re );
return rc;
}
patlen = a->acl_dn_pat.bv_len;
/* If backend suffix is longer than pattern,
* it is a potential mismatch (in the sense
* that a superior naming context could
* match */
if ( dn.bv_len > patlen ) {
/* base is blatantly wrong */
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
if ( style == ACL_STYLE_BASE ) return ACL_SCOPE_ERR;
experimental ACL scope correctness test
2004-04-21 03:16:21 +08:00
don't yell at regex styling that wraps all the suffix in a submatch
2004-12-01 06:50:07 +08:00
/* a style of one can be wrong if there is
* more than one level between the suffix
experimental ACL scope correctness test
2004-04-21 03:16:21 +08:00
* and the pattern */
if ( style == ACL_STYLE_ONE ) {
int rdnlen = -1, sep = 0;
if ( patlen > 0 ) {
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
if ( !DN_SEPARATOR( dn.bv_val[dn.bv_len - patlen - 1] )) {
experimental ACL scope correctness test
2004-04-21 03:16:21 +08:00
return ACL_SCOPE_ERR;
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
}
experimental ACL scope correctness test
2004-04-21 03:16:21 +08:00
sep = 1;
}
rdnlen = dn_rdnlen( NULL, &dn );
if ( rdnlen != dn.bv_len - patlen - sep )
return ACL_SCOPE_ERR;
}
/* if the trailing part doesn't match,
* then it's an error */
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
if ( strcmp( a->acl_dn_pat.bv_val,
&dn.bv_val[dn.bv_len - patlen] ) != 0 )
{
experimental ACL scope correctness test
2004-04-21 03:16:21 +08:00
return ACL_SCOPE_ERR;
}
return ACL_SCOPE_PARTIAL;
}
switch ( style ) {
case ACL_STYLE_BASE:
case ACL_STYLE_ONE:
case ACL_STYLE_CHILDREN:
case ACL_STYLE_SUBTREE:
break;
default:
assert( 0 );
break;
}
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
if ( dn.bv_len < patlen &&
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
!DN_SEPARATOR( a->acl_dn_pat.bv_val[patlen - dn.bv_len - 1] ))
{
experimental ACL scope correctness test
2004-04-21 03:16:21 +08:00
return ACL_SCOPE_ERR;
}
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
if ( strcmp( &a->acl_dn_pat.bv_val[patlen - dn.bv_len], dn.bv_val )
!= 0 )
{
experimental ACL scope correctness test
2004-04-21 03:16:21 +08:00
return ACL_SCOPE_ERR;
}
return ACL_SCOPE_OK;
}
return ACL_SCOPE_UNKNOWN;
}
Initial revision
1998-08-09 08:43:13 +08:00
void
parse_acl(
Backend *be,
const'fication
1999-08-21 03:00:44 +08:00
const char *fname,
Initial revision
1998-08-09 08:43:13 +08:00
int lineno,
int argc,
More modify support. ACL editing works.
2005-04-20 00:39:48 +08:00
char **argv,
int pos )
Initial revision
1998-08-09 08:43:13 +08:00
{
int i;
improve parsing - first step
2004-06-18 17:11:53 +08:00
char *left, *right, *style, *next;
More struct berval changes, dnNormalize migration...
2001-12-26 12:17:49 +08:00
struct berval bv;
Namespace changes added slap_ and ldbm_ to many structures added typedefs to many structures used typedefs New main.c argument parsing with ldap url support (replacing -a address). New sockaddr_in handling and support for multiple listeners.
1999-07-20 03:40:33 +08:00
AccessControl *a;
Access *b;
Another round of changes behind -DSLAPD_SCHEMA_NOT_COMPAT plus these changes unhidden changes: remove now meaning --enable-discreteaci configure option fix ITS#451, slapd filters Add ber_bvecadd() to support above constify ldap_pvt_find_wildcard() and misc slapd routines renamed some slap.h macros likely broken something
2000-02-15 04:57:34 +08:00
int rc;
Const'ification SASL mech removed from backend bind callback (as SASL is managed by frontend) Changes to some backends are untested (as I don't have all dependent software install)
2000-05-22 11:46:57 +08:00
const char *text;
Initial revision
1998-08-09 08:43:13 +08:00
a = NULL;
for ( i = 1; i < argc; i++ ) {
/* to clause - select which entries are protected */
if ( strcasecmp( argv[i], "to" ) == 0 ) {
if ( a != NULL ) {
Change ACL default style to exact (from regex)
2003-05-30 13:24:39 +08:00
fprintf( stderr, "%s: line %d: "
"only one to clause allowed in access line\n",
Initial revision
1998-08-09 08:43:13 +08:00
fname, lineno );
acl_usage();
}
Namespace changes added slap_ and ldbm_ to many structures added typedefs to many structures used typedefs New main.c argument parsing with ldap url support (replacing -a address). New sockaddr_in handling and support for multiple listeners.
1999-07-20 03:40:33 +08:00
a = (AccessControl *) ch_calloc( 1, sizeof(AccessControl) );
Initial revision
1998-08-09 08:43:13 +08:00
for ( ++i; i < argc; i++ ) {
if ( strcasecmp( argv[i], "by" ) == 0 ) {
i--;
break;
}
UNDO LAST COMMIT.
1999-04-02 11:45:33 +08:00
if ( strcasecmp( argv[i], "*" ) == 0 ) {
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
a->acl_dn_style != ACL_STYLE_REGEX )
More ACL to dn="" bug fixing... and add test006-acl check
2002-07-11 09:45:22 +08:00
{
Add support for Root DSE ACLs. Add "users" shorthand (dn="^.+$") Add regex short circuiting for common dn regexs.
1999-10-26 11:19:41 +08:00
fprintf( stderr,
"%s: line %d: dn pattern"
" already specified in to clause.\n",
fname, lineno );
acl_usage();
}
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat );
Initial revision
1998-08-09 08:43:13 +08:00
continue;
}
split( argv[i], '=', &left, &right );
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
split( left, '.', &left, &style );
Allow dn.base=""
2001-09-01 13:01:31 +08:00
if ( right == NULL ) {
Change ACL default style to exact (from regex)
2003-05-30 13:24:39 +08:00
fprintf( stderr, "%s: line %d: "
"missing \"=\" in \"%s\" in to clause\n",
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
fname, lineno, left );
acl_usage();
}
Add support for Root DSE ACLs. Add "users" shorthand (dn="^.+$") Add regex short circuiting for common dn regexs.
1999-10-26 11:19:41 +08:00
if ( strcasecmp( left, "dn" ) == 0 ) {
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
a->acl_dn_style != ACL_STYLE_REGEX )
More ACL to dn="" bug fixing... and add test006-acl check
2002-07-11 09:45:22 +08:00
{
Add support for Root DSE ACLs. Add "users" shorthand (dn="^.+$") Add regex short circuiting for common dn regexs.
1999-10-26 11:19:41 +08:00
fprintf( stderr,
"%s: line %d: dn pattern"
" already specified in to clause.\n",
fname, lineno );
acl_usage();
}
Change ACL default style to exact (from regex)
2003-05-30 13:24:39 +08:00
if ( style == NULL || *style == '\0' ||
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
strcasecmp( style, "baseObject" ) == 0 ||
strcasecmp( style, "base" ) == 0 ||
strcasecmp( style, "exact" ) == 0 )
Change ACL default style to exact (from regex)
2003-05-30 13:24:39 +08:00
{
a->acl_dn_style = ACL_STYLE_BASE;
ber_str2bv( right, 0, 1, &a->acl_dn_pat );
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
} else if ( strcasecmp( style, "oneLevel" ) == 0 ||
strcasecmp( style, "one" ) == 0 )
{
Change ACL default style to exact (from regex)
2003-05-30 13:24:39 +08:00
a->acl_dn_style = ACL_STYLE_ONE;
ber_str2bv( right, 0, 1, &a->acl_dn_pat );
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
} else if ( strcasecmp( style, "subtree" ) == 0 ||
strcasecmp( style, "sub" ) == 0 )
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
{
ITS#2707: fix 'access to dn.subtree="" by ...' directives
2003-09-10 10:33:36 +08:00
if( *right == '\0' ) {
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
ber_str2bv( "*", STRLENOF( "*" ), 1, &a->acl_dn_pat );
ITS#2707: fix 'access to dn.subtree="" by ...' directives
2003-09-10 10:33:36 +08:00
} else {
a->acl_dn_style = ACL_STYLE_SUBTREE;
ber_str2bv( right, 0, 1, &a->acl_dn_pat );
}
Change ACL default style to exact (from regex)
2003-05-30 13:24:39 +08:00
} else if ( strcasecmp( style, "children" ) == 0 ) {
a->acl_dn_style = ACL_STYLE_CHILDREN;
ber_str2bv( right, 0, 1, &a->acl_dn_pat );
} else if ( strcasecmp( style, "regex" ) == 0 ) {
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
a->acl_dn_style = ACL_STYLE_REGEX;
Treat access to dn="" as access to dn.base="". Avoid empty regex. Note: by dn="" already treated as anonymous.
2002-02-09 02:32:12 +08:00
if ( *right == '\0' ) {
/* empty regex should match empty DN */
a->acl_dn_style = ACL_STYLE_BASE;
ber_str2bv( right, 0, 1, &a->acl_dn_pat );
} else if ( strcmp(right, "*") == 0
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
|| strcmp(right, ".*") == 0
|| strcmp(right, ".*$") == 0
|| strcmp(right, "^.*") == 0
Patch: aclparse.c bugs (ITS#1752) ================ Written by Hallvard B. Furuseth and placed into the public domain. This software is not subject to any license of the University of Oslo. ================ Bug fixes: - acl_regex_normalized_dn(pattern): * used pattern->bv_len even though it claimed not to, * would walk past the end of strings that ended (incorrectly) with a single '\'. - style=regex checked for "^.*$$" twice but not for "^.*$". - the code did not notice if dnNormalize2() failed, and would (at least in one case) treat a bad DN as '*'. Some cleanup: - changed regtest() to return void, since the return value was unused. - changed acl_regex_normalized_dn() to take a string input argument instead of a half-filled berval, it looks saner that way. Hallvard B. Furuseth <h.b.furuseth@usit.uio.no>, April 2002.
2002-04-16 04:44:05 +08:00
|| strcmp(right, "^.*$") == 0
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
|| strcmp(right, ".*$$") == 0
|| strcmp(right, "^.*$$") == 0 )
{
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
ber_str2bv( "*", STRLENOF("*"), 1, &a->acl_dn_pat );
Add support for Root DSE ACLs. Add "users" shorthand (dn="^.+$") Add regex short circuiting for common dn regexs.
1999-10-26 11:19:41 +08:00
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
} else {
Patch: aclparse.c bugs (ITS#1752) ================ Written by Hallvard B. Furuseth and placed into the public domain. This software is not subject to any license of the University of Oslo. ================ Bug fixes: - acl_regex_normalized_dn(pattern): * used pattern->bv_len even though it claimed not to, * would walk past the end of strings that ended (incorrectly) with a single '\'. - style=regex checked for "^.*$$" twice but not for "^.*$". - the code did not notice if dnNormalize2() failed, and would (at least in one case) treat a bad DN as '*'. Some cleanup: - changed regtest() to return void, since the return value was unused. - changed acl_regex_normalized_dn() to take a string input argument instead of a half-filled berval, it looks saner that way. Hallvard B. Furuseth <h.b.furuseth@usit.uio.no>, April 2002.
2002-04-16 04:44:05 +08:00
acl_regex_normalized_dn( right, &a->acl_dn_pat );
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
}
Change ACL default style to exact (from regex)
2003-05-30 13:24:39 +08:00
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
} else {
Change ACL default style to exact (from regex)
2003-05-30 13:24:39 +08:00
fprintf( stderr, "%s: line %d: "
"unknown dn style \"%s\" in to clause\n",
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
fname, lineno, style );
acl_usage();
Add support for Root DSE ACLs. Add "users" shorthand (dn="^.+$") Add regex short circuiting for common dn regexs.
1999-10-26 11:19:41 +08:00
}
continue;
}
Initial revision
1998-08-09 08:43:13 +08:00
if ( strcasecmp( left, "filter" ) == 0 ) {
misc cleanup
2002-07-24 02:35:12 +08:00
if ( (a->acl_filter = str2filter( right )) == NULL ) {
Initial revision
1998-08-09 08:43:13 +08:00
fprintf( stderr,
"%s: line %d: bad filter \"%s\" in to clause\n",
fname, lineno, right );
acl_usage();
}
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
fix SIGSEGV when default style is used for "val" (ITS#3700)
2005-05-03 20:13:16 +08:00
} else if ( strcasecmp( left, "attr" ) == 0 /* TOLERATED */
|| strcasecmp( left, "attrs" ) == 0 ) /* DOCUMENTED */
{
Changed search attrs from struct berval ** to AttributeName *
2001-12-31 19:35:52 +08:00
a->acl_attrs = str2anlist( a->acl_attrs,
Changed search attrs to struct berval **. Use typedefs for all backend functions, to minimize work in future API updates. (back-*/external.h will never need updating in the future.)
2001-12-26 16:17:44 +08:00
right, "," );
Added an_oc to AttributeName for caching ObjectClass lookups. Added error checking to str2anlist; if the attr name doesn't match any attribute or objectclass the offending attr name is displayed.
2002-01-10 17:54:14 +08:00
if ( a->acl_attrs == NULL ) {
fprintf( stderr,
"%s: line %d: unknown attr \"%s\" in to clause\n",
fname, lineno, right );
acl_usage();
}
Change ACL default style to exact (from regex)
2003-05-30 13:24:39 +08:00
ITS#2497, implement value-level ACLs: access to attr=foo val.regex=bar.*
2003-09-20 11:23:10 +08:00
} else if ( strncasecmp( left, "val", 3 ) == 0 ) {
fix further ITS#3830 issues; allow to specify a matching rule for non-DN match
2005-07-05 20:00:14 +08:00
char *mr;
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( !BER_BVISEMPTY( &a->acl_attrval ) ) {
ITS#2497, implement value-level ACLs: access to attr=foo val.regex=bar.*
2003-09-20 11:23:10 +08:00
fprintf( stderr,
"%s: line %d: attr val already specified in to clause.\n",
fname, lineno );
acl_usage();
}
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( a->acl_attrs == NULL || !BER_BVISEMPTY( &a->acl_attrs[1].an_name ) )
{
ITS#2497, implement value-level ACLs: access to attr=foo val.regex=bar.*
2003-09-20 11:23:10 +08:00
fprintf( stderr,
"%s: line %d: attr val requires a single attribute.\n",
fname, lineno );
acl_usage();
}
fix further ITS#3830 issues; allow to specify a matching rule for non-DN match
2005-07-05 20:00:14 +08:00
ITS#2497, implement value-level ACLs: access to attr=foo val.regex=bar.*
2003-09-20 11:23:10 +08:00
ber_str2bv( right, 0, 1, &a->acl_attrval );
fix SIGSEGV when default style is used for "val" (ITS#3700)
2005-05-03 20:13:16 +08:00
a->acl_attrval_style = ACL_STYLE_BASE;
fix further ITS#3830 issues; allow to specify a matching rule for non-DN match
2005-07-05 20:00:14 +08:00
mr = strchr( left, '/' );
if ( mr != NULL ) {
mr[ 0 ] = '\0';
mr++;
a->acl_attrval_mr = mr_find( mr );
if ( a->acl_attrval_mr == NULL ) {
fprintf( stderr, "%s: line %d: "
"invalid matching rule \"%s\".\n",
fname, lineno, mr );
acl_usage();
}
if( !mr_usable_with_at( a->acl_attrval_mr, a->acl_attrs[ 0 ].an_desc->ad_type ) )
{
fprintf( stderr, "%s: line %d: "
"matching rule \"%s\" use "
"with attr \"%s\" not appropriate.\n",
fname, lineno, mr,
a->acl_attrs[ 0 ].an_name.bv_val );
acl_usage();
}
}
fix SIGSEGV when default style is used for "val" (ITS#3700)
2005-05-03 20:13:16 +08:00
if ( style != NULL ) {
if ( strcasecmp( style, "regex" ) == 0 ) {
int e = regcomp( &a->acl_attrval_re, a->acl_attrval.bv_val,
REG_EXTENDED | REG_ICASE | REG_NOSUB );
if ( e ) {
char buf[512];
regerror( e, &a->acl_attrval_re, buf, sizeof(buf) );
fprintf( stderr, "%s: line %d: "
"regular expression \"%s\" bad because of %s\n",
fname, lineno, right, buf );
acl_usage();
}
a->acl_attrval_style = ACL_STYLE_REGEX;
add to 'val[.<style>=<value>' ACLs special match styles for DN-valued attributes; add negated objectClass to attribute name lists for ACLs and partial replication
2003-12-16 08:49:10 +08:00
fix SIGSEGV when default style is used for "val" (ITS#3700)
2005-05-03 20:13:16 +08:00
} else {
/* FIXME: if the attribute has DN syntax, we might
* allow one, subtree and children styles as well */
Must always accept "base" for ACL_STYLE_BASE since that is always how it gets unparsed.
2005-05-06 05:47:40 +08:00
if ( !strcasecmp( style, "base" ) ||
!strcasecmp( style, "exact" ) ) {
add to 'val[.<style>=<value>' ACLs special match styles for DN-valued attributes; add negated objectClass to attribute name lists for ACLs and partial replication
2003-12-16 08:49:10 +08:00
a->acl_attrval_style = ACL_STYLE_BASE;
fix SIGSEGV when default style is used for "val" (ITS#3700)
2005-05-03 20:13:16 +08:00
} else if ( a->acl_attrs[0].an_desc->ad_type->
sat_syntax == slap_schema.si_syn_distinguishedName )
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
{
fix further ITS#3830 issues; allow to specify a matching rule for non-DN match
2005-07-05 20:00:14 +08:00
struct berval bv;
fix SIGSEGV when default style is used for "val" (ITS#3700)
2005-05-03 20:13:16 +08:00
if ( !strcasecmp( style, "baseObject" ) ||
!strcasecmp( style, "base" ) )
{
a->acl_attrval_style = ACL_STYLE_BASE;
} else if ( !strcasecmp( style, "onelevel" ) ||
!strcasecmp( style, "one" ) )
{
a->acl_attrval_style = ACL_STYLE_ONE;
} else if ( !strcasecmp( style, "subtree" ) ||
!strcasecmp( style, "sub" ) )
{
a->acl_attrval_style = ACL_STYLE_SUBTREE;
} else if ( !strcasecmp( style, "children" ) ) {
a->acl_attrval_style = ACL_STYLE_CHILDREN;
} else {
fprintf( stderr,
"%s: line %d: unknown val.<style> \"%s\" "
"for attributeType \"%s\" with DN syntax; "
"using \"base\"\n",
fname, lineno, style,
a->acl_attrs[0].an_desc->ad_cname.bv_val );
a->acl_attrval_style = ACL_STYLE_BASE;
}
fix further ITS#3830 issues; allow to specify a matching rule for non-DN match
2005-07-05 20:00:14 +08:00
bv = a->acl_attrval;
rc = dnNormalize( 0, NULL, NULL, &bv, &a->acl_attrval, NULL );
if ( rc != LDAP_SUCCESS ) {
fprintf( stderr,
"%s: line %d: unable to normalize DN \"%s\" "
"for attributeType \"%s\" (%d).\n",
fname, lineno, bv.bv_val,
a->acl_attrs[0].an_desc->ad_cname.bv_val, rc );
acl_usage();
}
ber_memfree( bv.bv_val );
add to 'val[.<style>=<value>' ACLs special match styles for DN-valued attributes; add negated objectClass to attribute name lists for ACLs and partial replication
2003-12-16 08:49:10 +08:00
} else {
fprintf( stderr,
improve error handling for attr val ACL syntax
2003-12-16 18:56:21 +08:00
"%s: line %d: unknown val.<style> \"%s\" "
fix SIGSEGV when default style is used for "val" (ITS#3700)
2005-05-03 20:13:16 +08:00
"for attributeType \"%s\"; using \"exact\"\n",
improve error handling for attr val ACL syntax
2003-12-16 18:56:21 +08:00
fname, lineno, style,
a->acl_attrs[0].an_desc->ad_cname.bv_val );
add to 'val[.<style>=<value>' ACLs special match styles for DN-valued attributes; add negated objectClass to attribute name lists for ACLs and partial replication
2003-12-16 08:49:10 +08:00
a->acl_attrval_style = ACL_STYLE_BASE;
}
}
ITS#2497, implement value-level ACLs: access to attr=foo val.regex=bar.*
2003-09-20 11:23:10 +08:00
}
fix further ITS#3830 issues; allow to specify a matching rule for non-DN match
2005-07-05 20:00:14 +08:00
/* Check for appropriate matching rule */
if ( a->acl_attrval_style != ACL_STYLE_REGEX ) {
if ( a->acl_attrval_mr == NULL ) {
a->acl_attrval_mr = a->acl_attrs[ 0 ].an_desc->ad_type->sat_equality;
}
if ( a->acl_attrval_mr == NULL ) {
fprintf( stderr, "%s: line %d: "
"attr \"%s\" must have an EQUALITY matching rule.\n",
fname, lineno, a->acl_attrs[ 0 ].an_name.bv_val );
acl_usage();
}
}
Initial revision
1998-08-09 08:43:13 +08:00
} else {
fprintf( stderr,
Merged files from branch REGEX_REMOVAL. Despite name, this merge adds POSIX RegEx (and removes BSD re_comp/re_exec) support. * POSIX RegEx is not currently included in the distribution, however we will probably add Henry Spencer's REGEX library soon. * ACL Group functionality is also included in this merge!
1998-08-21 14:33:42 +08:00
"%s: line %d: expecting <what> got \"%s\"\n",
Initial revision
1998-08-09 08:43:13 +08:00
fname, lineno, left );
acl_usage();
}
}
extend the availability of submatches to non-regex DN patterns
2004-10-07 06:03:33 +08:00
if ( !BER_BVISNULL( &a->acl_dn_pat ) &&
ber_bvccmp( &a->acl_dn_pat, '*' ) )
Treat access to dn="" as access to dn.base="". Avoid empty regex. Note: by dn="" already treated as anonymous.
2002-02-09 02:32:12 +08:00
{
Changed Access->a_set_pat and acl->acl_dn_pat to struct berval to eliminate strlen() from acl processing.
2001-12-24 23:43:27 +08:00
free( a->acl_dn_pat.bv_val );
extend the availability of submatches to non-regex DN patterns
2004-10-07 06:03:33 +08:00
BER_BVZERO( &a->acl_dn_pat );
handle "dn=*" <what> clause
2005-05-24 04:29:01 +08:00
a->acl_dn_style = ACL_STYLE_REGEX;
Add support for Root DSE ACLs. Add "users" shorthand (dn="^.+$") Add regex short circuiting for common dn regexs.
1999-10-26 11:19:41 +08:00
}
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( !BER_BVISEMPTY( &a->acl_dn_pat ) ||
a->acl_dn_style != ACL_STYLE_REGEX )
More ACL to dn="" bug fixing... and add test006-acl check
2002-07-11 09:45:22 +08:00
{
Treat access to dn="" as access to dn.base="". Avoid empty regex. Note: by dn="" already treated as anonymous.
2002-02-09 02:32:12 +08:00
if ( a->acl_dn_style != ACL_STYLE_REGEX ) {
Added dnPretty2/dnNormalize2 using preallocated destination berval
2001-12-29 12:48:00 +08:00
struct berval bv;
remove dnNormalize2 replace calls to dnNormalize2 with calls to dnNormalize
2003-04-30 02:28:14 +08:00
rc = dnNormalize( 0, NULL, NULL, &a->acl_dn_pat, &bv, NULL);
Patch: aclparse.c bugs (ITS#1752) ================ Written by Hallvard B. Furuseth and placed into the public domain. This software is not subject to any license of the University of Oslo. ================ Bug fixes: - acl_regex_normalized_dn(pattern): * used pattern->bv_len even though it claimed not to, * would walk past the end of strings that ended (incorrectly) with a single '\'. - style=regex checked for "^.*$$" twice but not for "^.*$". - the code did not notice if dnNormalize2() failed, and would (at least in one case) treat a bad DN as '*'. Some cleanup: - changed regtest() to return void, since the return value was unused. - changed acl_regex_normalized_dn() to take a string input argument instead of a half-filled berval, it looks saner that way. Hallvard B. Furuseth <h.b.furuseth@usit.uio.no>, April 2002.
2002-04-16 04:44:05 +08:00
if ( rc != LDAP_SUCCESS ) {
fprintf( stderr,
Change ACL default style to exact (from regex)
2003-05-30 13:24:39 +08:00
"%s: line %d: bad DN \"%s\" in to DN clause\n",
Patch: aclparse.c bugs (ITS#1752) ================ Written by Hallvard B. Furuseth and placed into the public domain. This software is not subject to any license of the University of Oslo. ================ Bug fixes: - acl_regex_normalized_dn(pattern): * used pattern->bv_len even though it claimed not to, * would walk past the end of strings that ended (incorrectly) with a single '\'. - style=regex checked for "^.*$$" twice but not for "^.*$". - the code did not notice if dnNormalize2() failed, and would (at least in one case) treat a bad DN as '*'. Some cleanup: - changed regtest() to return void, since the return value was unused. - changed acl_regex_normalized_dn() to take a string input argument instead of a half-filled berval, it looks saner that way. Hallvard B. Furuseth <h.b.furuseth@usit.uio.no>, April 2002.
2002-04-16 04:44:05 +08:00
fname, lineno, a->acl_dn_pat.bv_val );
acl_usage();
}
Changed Access->a_set_pat and acl->acl_dn_pat to struct berval to eliminate strlen() from acl processing.
2001-12-24 23:43:27 +08:00
free( a->acl_dn_pat.bv_val );
Added dnPretty2/dnNormalize2 using preallocated destination berval
2001-12-29 12:48:00 +08:00
a->acl_dn_pat = bv;
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
} else {
Changed Access->a_set_pat and acl->acl_dn_pat to struct berval to eliminate strlen() from acl processing.
2001-12-24 23:43:27 +08:00
int e = regcomp( &a->acl_dn_re, a->acl_dn_pat.bv_val,
Treat access to dn="" as access to dn.base="". Avoid empty regex. Note: by dn="" already treated as anonymous.
2002-02-09 02:32:12 +08:00
REG_EXTENDED | REG_ICASE );
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
if ( e ) {
char buf[512];
regerror( e, &a->acl_dn_re, buf, sizeof(buf) );
Treat access to dn="" as access to dn.base="". Avoid empty regex. Note: by dn="" already treated as anonymous.
2002-02-09 02:32:12 +08:00
fprintf( stderr, "%s: line %d: "
"regular expression \"%s\" bad because of %s\n",
fname, lineno, right, buf );
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
acl_usage();
}
Always compile acl_dn_pat when it is set, otherwise acl.c breaks
1999-08-22 11:30:45 +08:00
}
}
Initial revision
1998-08-09 08:43:13 +08:00
/* by clause - select who has what access to entries */
} else if ( strcasecmp( argv[i], "by" ) == 0 ) {
if ( a == NULL ) {
Change ACL default style to exact (from regex)
2003-05-30 13:24:39 +08:00
fprintf( stderr, "%s: line %d: "
"to clause required before by clause in access line\n",
Initial revision
1998-08-09 08:43:13 +08:00
fname, lineno );
acl_usage();
}
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
Initial revision
1998-08-09 08:43:13 +08:00
/*
* by clause consists of <who> and <access>
*/
Namespace changes added slap_ and ldbm_ to many structures added typedefs to many structures used typedefs New main.c argument parsing with ldap url support (replacing -a address). New sockaddr_in handling and support for multiple listeners.
1999-07-20 03:40:33 +08:00
b = (Access *) ch_calloc( 1, sizeof(Access) );
Initial revision
1998-08-09 08:43:13 +08:00
Minor typedef and other clean ups
2000-08-26 09:14:05 +08:00
ACL_INVALIDATE( b->a_access_mask );
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
Initial revision
1998-08-09 08:43:13 +08:00
if ( ++i == argc ) {
fprintf( stderr,
"%s: line %d: premature eol: expecting <who>\n",
fname, lineno );
acl_usage();
}
/* get <who> */
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
for ( ; i < argc; i++ ) {
implement "realdn" by clause in ACLs (ITS#3627; accounting for Howard's remarks)
2005-04-03 09:59:03 +08:00
slap_style_t sty = ACL_STYLE_REGEX;
char *style_modifier = NULL;
char *style_level = NULL;
int level = 0;
int expand = 0;
slap_dn_access *bdn = &b->a_dn;
int is_realdn = 0;
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
split( argv[i], '=', &left, &right );
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
split( left, '.', &left, &style );
various acl improvements/cleanups/speedups (need to be documented, though)
2002-04-03 23:42:19 +08:00
if ( style ) {
initial commit of "level" styles for "dn" and "self" by clauses (ITS#3615)
2005-04-01 02:10:11 +08:00
split( style, ',', &style, &style_modifier );
if ( strncasecmp( style, "level", STRLENOF( "level" ) ) == 0 ) {
split( style, '{', &style, &style_level );
if ( style_level != NULL ) {
char *p = strchr( style_level, '}' );
if ( p == NULL ) {
fprintf( stderr,
"%s: line %d: premature eol: "
"expecting closing '}' in \"level{n}\"\n",
fname, lineno );
acl_usage();
} else if ( p == style_level ) {
fprintf( stderr,
"%s: line %d: empty level "
"in \"level{n}\"\n",
fname, lineno );
acl_usage();
}
p[0] = '\0';
}
}
various acl improvements/cleanups/speedups (need to be documented, though)
2002-04-03 23:42:19 +08:00
}
Change ACL default style to exact (from regex)
2003-05-30 13:24:39 +08:00
if ( style == NULL || *style == '\0' ||
strcasecmp( style, "exact" ) == 0 ||
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
strcasecmp( style, "baseObject" ) == 0 ||
Change ACL default style to exact (from regex)
2003-05-30 13:24:39 +08:00
strcasecmp( style, "base" ) == 0 )
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
{
sty = ACL_STYLE_BASE;
Change ACL default style to exact (from regex)
2003-05-30 13:24:39 +08:00
for consistency, always allow 'onelevel' as an alias for 'one' in dnstyle
2003-12-20 23:18:21 +08:00
} else if ( strcasecmp( style, "onelevel" ) == 0 ||
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
strcasecmp( style, "one" ) == 0 )
{
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
sty = ACL_STYLE_ONE;
Change ACL default style to exact (from regex)
2003-05-30 13:24:39 +08:00
} else if ( strcasecmp( style, "subtree" ) == 0 ||
strcasecmp( style, "sub" ) == 0 )
{
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
sty = ACL_STYLE_SUBTREE;
Change ACL default style to exact (from regex)
2003-05-30 13:24:39 +08:00
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
} else if ( strcasecmp( style, "children" ) == 0 ) {
sty = ACL_STYLE_CHILDREN;
Change ACL default style to exact (from regex)
2003-05-30 13:24:39 +08:00
initial commit of "level" styles for "dn" and "self" by clauses (ITS#3615)
2005-04-01 02:10:11 +08:00
} else if ( strcasecmp( style, "level" ) == 0 )
{
char *next;
level = strtol( style_level, &next, 10 );
if ( next[0] != '\0' ) {
fprintf( stderr,
"%s: line %d: unable to parse level "
"in \"level{n}\"\n",
fname, lineno );
acl_usage();
}
sty = ACL_STYLE_LEVEL;
Change ACL default style to exact (from regex)
2003-05-30 13:24:39 +08:00
} else if ( strcasecmp( style, "regex" ) == 0 ) {
sty = ACL_STYLE_REGEX;
use "expand" instead of "regex" for group ACLs that allow substring expansion, preserving backwards compatibility; add sanity checks
2004-03-10 00:33:05 +08:00
} else if ( strcasecmp( style, "expand" ) == 0 ) {
sty = ACL_STYLE_EXPAND;
apply advanced peername ACL (ITS#2907)
2004-03-09 02:49:12 +08:00
} else if ( strcasecmp( style, "ip" ) == 0 ) {
sty = ACL_STYLE_IP;
} else if ( strcasecmp( style, "path" ) == 0 ) {
sty = ACL_STYLE_PATH;
#ifndef LDAP_PF_LOCAL
fprintf( stderr, "%s: line %d: "
"path style modifier is useless without local\n",
fname, lineno );
#endif /* LDAP_PF_LOCAL */
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
} else {
fprintf( stderr,
"%s: line %d: unknown style \"%s\" in by clause\n",
fname, lineno, style );
acl_usage();
}
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
Change ACL default style to exact (from regex)
2003-05-30 13:24:39 +08:00
if ( style_modifier &&
strcasecmp( style_modifier, "expand" ) == 0 )
{
use "expand" instead of "regex" for group ACLs that allow substring expansion, preserving backwards compatibility; add sanity checks
2004-03-10 00:33:05 +08:00
switch ( sty ) {
case ACL_STYLE_REGEX:
fprintf( stderr, "%s: line %d: "
"\"regex\" style implies "
more on strict config parsing (ITS#3705)
2005-05-07 00:42:03 +08:00
"\"expand\" modifier"
SLAPD_CONF_UNKNOWN_IGNORED ".\n",
use "expand" instead of "regex" for group ACLs that allow substring expansion, preserving backwards compatibility; add sanity checks
2004-03-10 00:33:05 +08:00
fname, lineno );
more on strict config parsing (ITS#3705)
2005-05-07 00:42:03 +08:00
#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
acl_usage();
#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
use "expand" instead of "regex" for group ACLs that allow substring expansion, preserving backwards compatibility; add sanity checks
2004-03-10 00:33:05 +08:00
break;
case ACL_STYLE_EXPAND:
add URI search to sets; documentation to come...
2004-10-08 01:05:48 +08:00
#if 0
/* FIXME: now it's legal... */
use "expand" instead of "regex" for group ACLs that allow substring expansion, preserving backwards compatibility; add sanity checks
2004-03-10 00:33:05 +08:00
fprintf( stderr, "%s: line %d: "
"\"expand\" style used "
"in conjunction with "
more on strict config parsing (ITS#3705)
2005-05-07 00:42:03 +08:00
"\"expand\" modifier"
SLAPD_CONF_UNKNOWN_IGNORED ".\n",
use "expand" instead of "regex" for group ACLs that allow substring expansion, preserving backwards compatibility; add sanity checks
2004-03-10 00:33:05 +08:00
fname, lineno );
more on strict config parsing (ITS#3705)
2005-05-07 00:42:03 +08:00
#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
acl_usage();
#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
add URI search to sets; documentation to come...
2004-10-08 01:05:48 +08:00
#endif
use "expand" instead of "regex" for group ACLs that allow substring expansion, preserving backwards compatibility; add sanity checks
2004-03-10 00:33:05 +08:00
break;
default:
allow "expand" style in peername, sockname, sockurl as well; more sanity checks
2004-03-10 03:44:14 +08:00
/* we'll see later if it's pertinent */
use "expand" instead of "regex" for group ACLs that allow substring expansion, preserving backwards compatibility; add sanity checks
2004-03-10 00:33:05 +08:00
expand = 1;
break;
}
}
allow "expand" style in peername, sockname, sockurl as well; more sanity checks
2004-03-10 03:44:14 +08:00
/* expand in <who> needs regex in <what> */
use "expand" instead of "regex" for group ACLs that allow substring expansion, preserving backwards compatibility; add sanity checks
2004-03-10 00:33:05 +08:00
if ( ( sty == ACL_STYLE_EXPAND || expand )
allow "expand" style in peername, sockname, sockurl as well; more sanity checks
2004-03-10 03:44:14 +08:00
&& a->acl_dn_style != ACL_STYLE_REGEX )
use "expand" instead of "regex" for group ACLs that allow substring expansion, preserving backwards compatibility; add sanity checks
2004-03-10 00:33:05 +08:00
{
fprintf( stderr, "%s: line %d: "
"\"expand\" style or modifier used "
"in conjunction with "
"a non-regex <what> clause\n",
fname, lineno );
various acl improvements/cleanups/speedups (need to be documented, though)
2002-04-03 23:42:19 +08:00
}
implement "realdn" by clause in ACLs (ITS#3627; accounting for Howard's remarks)
2005-04-03 09:59:03 +08:00
if ( strncasecmp( left, "real", STRLENOF( "real" ) ) == 0 ) {
is_realdn = 1;
bdn = &b->a_realdn;
left += STRLENOF( "real" );
}
if ( strcasecmp( left, "*" ) == 0 ) {
if ( is_realdn ) {
acl_usage();
}
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
ber_str2bv( "*", STRLENOF( "*" ), 1, &bv );
Change ACL default style to exact (from regex)
2003-05-30 13:24:39 +08:00
sty = ACL_STYLE_REGEX;
Add support for Root DSE ACLs. Add "users" shorthand (dn="^.+$") Add regex short circuiting for common dn regexs.
1999-10-26 11:19:41 +08:00
implement "realdn" by clause in ACLs (ITS#3627; accounting for Howard's remarks)
2005-04-03 09:59:03 +08:00
} else if ( strcasecmp( left, "anonymous" ) == 0 ) {
extend the availability of submatches to non-regex DN patterns
2004-10-07 06:03:33 +08:00
ber_str2bv("anonymous", STRLENOF( "anonymous" ), 1, &bv);
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
sty = ACL_STYLE_ANONYMOUS;
implement "realdn" by clause in ACLs (ITS#3627; accounting for Howard's remarks)
2005-04-03 09:59:03 +08:00
} else if ( strcasecmp( left, "users" ) == 0 ) {
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
ber_str2bv("users", STRLENOF( "users" ), 1, &bv);
sty = ACL_STYLE_USERS;
Add support for Root DSE ACLs. Add "users" shorthand (dn="^.+$") Add regex short circuiting for common dn regexs.
1999-10-26 11:19:41 +08:00
implement "realdn" by clause in ACLs (ITS#3627; accounting for Howard's remarks)
2005-04-03 09:59:03 +08:00
} else if ( strcasecmp( left, "self" ) == 0 ) {
extend the availability of submatches to non-regex DN patterns
2004-10-07 06:03:33 +08:00
ber_str2bv("self", STRLENOF( "self" ), 1, &bv);
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
sty = ACL_STYLE_SELF;
Add support for Root DSE ACLs. Add "users" shorthand (dn="^.+$") Add regex short circuiting for common dn regexs.
1999-10-26 11:19:41 +08:00
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
} else if ( strcasecmp( left, "dn" ) == 0 ) {
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
if ( sty == ACL_STYLE_REGEX ) {
implement "realdn" by clause in ACLs (ITS#3627; accounting for Howard's remarks)
2005-04-03 09:59:03 +08:00
bdn->a_style = ACL_STYLE_REGEX;
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( right == NULL ) {
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
/* no '=' */
Changed ma_rule_text to struct berval. Changed get_filter to struct bervals
2001-12-26 21:47:10 +08:00
ber_str2bv("users",
extend the availability of submatches to non-regex DN patterns
2004-10-07 06:03:33 +08:00
STRLENOF( "users" ),
Changed ma_rule_text to struct berval. Changed get_filter to struct bervals
2001-12-26 21:47:10 +08:00
1, &bv);
implement "realdn" by clause in ACLs (ITS#3627; accounting for Howard's remarks)
2005-04-03 09:59:03 +08:00
bdn->a_style = ACL_STYLE_USERS;
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
} else if (*right == '\0' ) {
/* dn="" */
Changed ma_rule_text to struct berval. Changed get_filter to struct bervals
2001-12-26 21:47:10 +08:00
ber_str2bv("anonymous",
extend the availability of submatches to non-regex DN patterns
2004-10-07 06:03:33 +08:00
STRLENOF( "anonymous" ),
Changed ma_rule_text to struct berval. Changed get_filter to struct bervals
2001-12-26 21:47:10 +08:00
1, &bv);
implement "realdn" by clause in ACLs (ITS#3627; accounting for Howard's remarks)
2005-04-03 09:59:03 +08:00
bdn->a_style = ACL_STYLE_ANONYMOUS;
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
} else if ( strcmp( right, "*" ) == 0 ) {
/* dn=* */
/* any or users? users for now */
Changed ma_rule_text to struct berval. Changed get_filter to struct bervals
2001-12-26 21:47:10 +08:00
ber_str2bv("users",
extend the availability of submatches to non-regex DN patterns
2004-10-07 06:03:33 +08:00
STRLENOF( "users" ),
Changed ma_rule_text to struct berval. Changed get_filter to struct bervals
2001-12-26 21:47:10 +08:00
1, &bv);
implement "realdn" by clause in ACLs (ITS#3627; accounting for Howard's remarks)
2005-04-03 09:59:03 +08:00
bdn->a_style = ACL_STYLE_USERS;
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
} else if ( strcmp( right, ".+" ) == 0
|| strcmp( right, "^.+" ) == 0
|| strcmp( right, ".+$" ) == 0
|| strcmp( right, "^.+$" ) == 0
|| strcmp( right, ".+$$" ) == 0
|| strcmp( right, "^.+$$" ) == 0 )
{
Changed ma_rule_text to struct berval. Changed get_filter to struct bervals
2001-12-26 21:47:10 +08:00
ber_str2bv("users",
extend the availability of submatches to non-regex DN patterns
2004-10-07 06:03:33 +08:00
STRLENOF( "users" ),
Changed ma_rule_text to struct berval. Changed get_filter to struct bervals
2001-12-26 21:47:10 +08:00
1, &bv);
implement "realdn" by clause in ACLs (ITS#3627; accounting for Howard's remarks)
2005-04-03 09:59:03 +08:00
bdn->a_style = ACL_STYLE_USERS;
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
} else if ( strcmp( right, ".*" ) == 0
|| strcmp( right, "^.*" ) == 0
|| strcmp( right, ".*$" ) == 0
|| strcmp( right, "^.*$" ) == 0
|| strcmp( right, ".*$$" ) == 0
|| strcmp( right, "^.*$$" ) == 0 )
{
Changed ma_rule_text to struct berval. Changed get_filter to struct bervals
2001-12-26 21:47:10 +08:00
ber_str2bv("*",
extend the availability of submatches to non-regex DN patterns
2004-10-07 06:03:33 +08:00
STRLENOF( "*" ),
Changed ma_rule_text to struct berval. Changed get_filter to struct bervals
2001-12-26 21:47:10 +08:00
1, &bv);
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
} else {
Patch: aclparse.c bugs (ITS#1752) ================ Written by Hallvard B. Furuseth and placed into the public domain. This software is not subject to any license of the University of Oslo. ================ Bug fixes: - acl_regex_normalized_dn(pattern): * used pattern->bv_len even though it claimed not to, * would walk past the end of strings that ended (incorrectly) with a single '\'. - style=regex checked for "^.*$$" twice but not for "^.*$". - the code did not notice if dnNormalize2() failed, and would (at least in one case) treat a bad DN as '*'. Some cleanup: - changed regtest() to return void, since the return value was unused. - changed acl_regex_normalized_dn() to take a string input argument instead of a half-filled berval, it looks saner that way. Hallvard B. Furuseth <h.b.furuseth@usit.uio.no>, April 2002.
2002-04-16 04:44:05 +08:00
acl_regex_normalized_dn( right, &bv );
the logic of this check was completely reversed; in case '*' is used, on't test the regula expression
2002-04-02 16:18:30 +08:00
if ( !ber_bvccmp( &bv, '*' ) ) {
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
regtest( fname, lineno, bv.bv_val );
the logic of this check was completely reversed; in case '*' is used, on't test the regula expression
2002-04-02 16:18:30 +08:00
}
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
}
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
} else if ( right == NULL || *right == '\0' ) {
Change ACL default style to exact (from regex)
2003-05-30 13:24:39 +08:00
fprintf( stderr, "%s: line %d: "
"missing \"=\" in (or value after) \"%s\" "
"in by clause\n",
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
fname, lineno, left );
acl_usage();
Add support for Root DSE ACLs. Add "users" shorthand (dn="^.+$") Add regex short circuiting for common dn regexs.
1999-10-26 11:19:41 +08:00
} else {
Changed ma_rule_text to struct berval. Changed get_filter to struct bervals
2001-12-26 21:47:10 +08:00
ber_str2bv( right, 0, 1, &bv );
Add support for Root DSE ACLs. Add "users" shorthand (dn="^.+$") Add regex short circuiting for common dn regexs.
1999-10-26 11:19:41 +08:00
}
Fix acl parse bug
1999-07-22 05:08:05 +08:00
} else {
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
BER_BVZERO( &bv );
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
}
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( !BER_BVISNULL( &bv ) ) {
implement "realdn" by clause in ACLs (ITS#3627; accounting for Howard's remarks)
2005-04-03 09:59:03 +08:00
if ( !BER_BVISEMPTY( &bdn->a_pat ) ) {
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
fprintf( stderr,
"%s: line %d: dn pattern already specified.\n",
fname, lineno );
acl_usage();
}
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( sty != ACL_STYLE_REGEX &&
sty != ACL_STYLE_ANONYMOUS &&
sty != ACL_STYLE_USERS &&
sty != ACL_STYLE_SELF &&
expand == 0 )
{
Change ACL default style to exact (from regex)
2003-05-30 13:24:39 +08:00
rc = dnNormalize(0, NULL, NULL,
implement "realdn" by clause in ACLs (ITS#3627; accounting for Howard's remarks)
2005-04-03 09:59:03 +08:00
&bv, &bdn->a_pat, NULL);
Patch: aclparse.c bugs (ITS#1752) ================ Written by Hallvard B. Furuseth and placed into the public domain. This software is not subject to any license of the University of Oslo. ================ Bug fixes: - acl_regex_normalized_dn(pattern): * used pattern->bv_len even though it claimed not to, * would walk past the end of strings that ended (incorrectly) with a single '\'. - style=regex checked for "^.*$$" twice but not for "^.*$". - the code did not notice if dnNormalize2() failed, and would (at least in one case) treat a bad DN as '*'. Some cleanup: - changed regtest() to return void, since the return value was unused. - changed acl_regex_normalized_dn() to take a string input argument instead of a half-filled berval, it looks saner that way. Hallvard B. Furuseth <h.b.furuseth@usit.uio.no>, April 2002.
2002-04-16 04:44:05 +08:00
if ( rc != LDAP_SUCCESS ) {
fprintf( stderr,
Change ACL default style to exact (from regex)
2003-05-30 13:24:39 +08:00
"%s: line %d: bad DN \"%s\" in by DN clause\n",
Patch: aclparse.c bugs (ITS#1752) ================ Written by Hallvard B. Furuseth and placed into the public domain. This software is not subject to any license of the University of Oslo. ================ Bug fixes: - acl_regex_normalized_dn(pattern): * used pattern->bv_len even though it claimed not to, * would walk past the end of strings that ended (incorrectly) with a single '\'. - style=regex checked for "^.*$$" twice but not for "^.*$". - the code did not notice if dnNormalize2() failed, and would (at least in one case) treat a bad DN as '*'. Some cleanup: - changed regtest() to return void, since the return value was unused. - changed acl_regex_normalized_dn() to take a string input argument instead of a half-filled berval, it looks saner that way. Hallvard B. Furuseth <h.b.furuseth@usit.uio.no>, April 2002.
2002-04-16 04:44:05 +08:00
fname, lineno, bv.bv_val );
acl_usage();
}
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
free( bv.bv_val );
More struct berval changes, dnNormalize migration...
2001-12-26 12:17:49 +08:00
} else {
implement "realdn" by clause in ACLs (ITS#3627; accounting for Howard's remarks)
2005-04-03 09:59:03 +08:00
bdn->a_pat = bv;
More struct berval changes, dnNormalize migration...
2001-12-26 12:17:49 +08:00
}
implement "realdn" by clause in ACLs (ITS#3627; accounting for Howard's remarks)
2005-04-03 09:59:03 +08:00
bdn->a_style = sty;
more on strict config parsing (ITS#3705)
2005-05-07 00:42:03 +08:00
if ( expand ) {
char *exp;
int gotit = 0;
for ( exp = strchr( bdn->a_pat.bv_val, '$' );
exp && exp - bdn->a_pat.bv_val < bdn->a_pat.bv_len;
exp = strchr( exp, '$' ) )
{
if ( isdigit( exp[ 1 ] ) ) {
gotit = 1;
break;
}
}
if ( gotit == 1 ) {
bdn->a_expand = expand;
} else {
fprintf( stderr,
"%s: line %d: \"expand\" used "
"with no expansions in \"pattern\""
SLAPD_CONF_UNKNOWN_IGNORED ".\n",
fname, lineno );
#ifdef SLAPD_CONF_UNKNOWN_BAILOUT
acl_usage();
#endif /* SLAPD_CONF_UNKNOWN_BAILOUT */
}
}
initial commit of "level" styles for "dn" and "self" by clauses (ITS#3615)
2005-04-01 02:10:11 +08:00
if ( sty == ACL_STYLE_SELF ) {
implement "realdn" by clause in ACLs (ITS#3627; accounting for Howard's remarks)
2005-04-03 09:59:03 +08:00
bdn->a_self_level = level;
initial commit of "level" styles for "dn" and "self" by clauses (ITS#3615)
2005-04-01 02:10:11 +08:00
} else {
if ( level < 0 ) {
fprintf( stderr,
"%s: line %d: bad negative level \"%d\" "
"in by DN clause\n",
fname, lineno, level );
acl_usage();
} else if ( level == 1 ) {
fprintf( stderr,
"%s: line %d: \"onelevel\" should be used "
"instead of \"level{1}\" in by DN clause\n",
Remove spurious fprintf arguments
2005-07-17 19:55:34 +08:00
fname, lineno );
initial commit of "level" styles for "dn" and "self" by clauses (ITS#3615)
2005-04-01 02:10:11 +08:00
} else if ( level == 0 && sty == ACL_STYLE_LEVEL ) {
fprintf( stderr,
"%s: line %d: \"base\" should be used "
"instead of \"level{0}\" in by DN clause\n",
Remove spurious fprintf arguments
2005-07-17 19:55:34 +08:00
fname, lineno );
initial commit of "level" styles for "dn" and "self" by clauses (ITS#3615)
2005-04-01 02:10:11 +08:00
}
implement "realdn" by clause in ACLs (ITS#3627; accounting for Howard's remarks)
2005-04-03 09:59:03 +08:00
bdn->a_level = level;
initial commit of "level" styles for "dn" and "self" by clauses (ITS#3615)
2005-04-01 02:10:11 +08:00
}
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
continue;
}
if ( strcasecmp( left, "dnattr" ) == 0 ) {
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
if ( right == NULL || right[0] == '\0' ) {
fprintf( stderr, "%s: line %d: "
"missing \"=\" in (or value after) \"%s\" "
"in by clause\n",
fixes assertion fault when the <to> clauses's argument does not have a = inside
2001-10-29 16:14:12 +08:00
fname, lineno, left );
acl_usage();
}
implement "realdn" by clause in ACLs (ITS#3627; accounting for Howard's remarks)
2005-04-03 09:59:03 +08:00
if( bdn->a_at != NULL ) {
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
fprintf( stderr,
Additional changes to migrate to new schema codes Still not usable.
2000-01-29 04:01:00 +08:00
"%s: line %d: dnattr already specified.\n",
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
fname, lineno );
acl_usage();
unifdef -DSLAPD_ACLGROUPS -DSLAPD_ACLAUTH
1999-07-05 14:26:26 +08:00
}
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
implement "realdn" by clause in ACLs (ITS#3627; accounting for Howard's remarks)
2005-04-03 09:59:03 +08:00
rc = slap_str2ad( right, &bdn->a_at, &text );
Additional changes to migrate to new schema codes Still not usable.
2000-01-29 04:01:00 +08:00
Another round of changes behind -DSLAPD_SCHEMA_NOT_COMPAT plus these changes unhidden changes: remove now meaning --enable-discreteaci configure option fix ITS#451, slapd filters Add ber_bvecadd() to support above constify ldap_pvt_find_wildcard() and misc slapd routines renamed some slap.h macros likely broken something
2000-02-15 04:57:34 +08:00
if( rc != LDAP_SUCCESS ) {
Additional changes to migrate to new schema codes Still not usable.
2000-01-29 04:01:00 +08:00
fprintf( stderr,
Another round of changes behind -DSLAPD_SCHEMA_NOT_COMPAT plus these changes unhidden changes: remove now meaning --enable-discreteaci configure option fix ITS#451, slapd filters Add ber_bvecadd() to support above constify ldap_pvt_find_wildcard() and misc slapd routines renamed some slap.h macros likely broken something
2000-02-15 04:57:34 +08:00
"%s: line %d: dnattr \"%s\": %s\n",
fname, lineno, right, text );
Additional changes to migrate to new schema codes Still not usable.
2000-01-29 04:01:00 +08:00
acl_usage();
}
SLAPD_SCHEMA_NOT_COMPAT: prelim ACL work
2000-05-28 03:33:08 +08:00
implement "realdn" by clause in ACLs (ITS#3627; accounting for Howard's remarks)
2005-04-03 09:59:03 +08:00
if( !is_at_syntax( bdn->a_at->ad_type,
Add name and uid support to dnaddr
2001-03-15 12:48:29 +08:00
SLAPD_DN_SYNTAX ) &&
implement "realdn" by clause in ACLs (ITS#3627; accounting for Howard's remarks)
2005-04-03 09:59:03 +08:00
!is_at_syntax( bdn->a_at->ad_type,
Add name and uid support to dnaddr
2001-03-15 12:48:29 +08:00
SLAPD_NAMEUID_SYNTAX ))
Additional changes to migrate to new schema codes Still not usable.
2000-01-29 04:01:00 +08:00
{
fprintf( stderr,
SLAPD_SCHEMA_NOT_COMPAT: Don't depend acl parsing upon slap_schema, it's filled in post-conf
2000-05-29 02:58:09 +08:00
"%s: line %d: dnattr \"%s\": "
"inappropriate syntax: %s\n",
SLAPD_SCHEMA_NOT_COMPAT: prelim ACL work
2000-05-28 03:33:08 +08:00
fname, lineno, right,
implement "realdn" by clause in ACLs (ITS#3627; accounting for Howard's remarks)
2005-04-03 09:59:03 +08:00
bdn->a_at->ad_type->sat_syntax_oid );
Additional changes to migrate to new schema codes Still not usable.
2000-01-29 04:01:00 +08:00
acl_usage();
}
SLAPD_SCHEMA_NOT_COMPAT: prelim ACL work
2000-05-28 03:33:08 +08:00
implement "realdn" by clause in ACLs (ITS#3627; accounting for Howard's remarks)
2005-04-03 09:59:03 +08:00
if( bdn->a_at->ad_type->sat_equality == NULL ) {
much better fix for ITS#2196 (dnattr without sat_equality is bounced at config)
2002-11-26 02:37:04 +08:00
fprintf( stderr,
"%s: line %d: dnattr \"%s\": "
"inappropriate matching (no EQUALITY)\n",
fname, lineno, right );
acl_usage();
}
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
continue;
unifdef -DSLAPD_ACLGROUPS -DSLAPD_ACLAUTH
1999-07-05 14:26:26 +08:00
}
1. extend aclgroup's to be able to specify objectClassValue and groupAttrName 2. update print_acl() a bit and call it during aclparse if LDAP_DEBUG_ACL
1998-10-27 10:07:12 +08:00
extend the availability of submatches to non-regex DN patterns
2004-10-07 06:03:33 +08:00
if ( strncasecmp( left, "group", STRLENOF( "group" ) ) == 0 ) {
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
char *name = NULL;
char *value = NULL;
1. extend aclgroup's to be able to specify objectClassValue and groupAttrName 2. update print_acl() a bit and call it during aclparse if LDAP_DEBUG_ACL
1998-10-27 10:07:12 +08:00
use "expand" instead of "regex" for group ACLs that allow substring expansion, preserving backwards compatibility; add sanity checks
2004-03-10 00:33:05 +08:00
switch ( sty ) {
case ACL_STYLE_REGEX:
allow "expand" style in peername, sockname, sockurl as well; more sanity checks
2004-03-10 03:44:14 +08:00
/* legacy, tolerated */
use "expand" instead of "regex" for group ACLs that allow substring expansion, preserving backwards compatibility; add sanity checks
2004-03-10 00:33:05 +08:00
fprintf( stderr, "%s: line %d: "
"deprecated group style \"regex\"; "
"use \"expand\" instead\n",
Remove spurious fprintf arguments
2005-07-17 19:55:34 +08:00
fname, lineno );
use "expand" instead of "regex" for group ACLs that allow substring expansion, preserving backwards compatibility; add sanity checks
2004-03-10 00:33:05 +08:00
sty = ACL_STYLE_EXPAND;
break;
case ACL_STYLE_BASE:
allow "expand" style in peername, sockname, sockurl as well; more sanity checks
2004-03-10 03:44:14 +08:00
/* legal, traditional */
case ACL_STYLE_EXPAND:
/* legal, substring expansion; supersedes regex */
use "expand" instead of "regex" for group ACLs that allow substring expansion, preserving backwards compatibility; add sanity checks
2004-03-10 00:33:05 +08:00
break;
default:
allow "expand" style in peername, sockname, sockurl as well; more sanity checks
2004-03-10 03:44:14 +08:00
/* unknown */
Change ACL default style to exact (from regex)
2003-05-30 13:24:39 +08:00
fprintf( stderr, "%s: line %d: "
"inappropriate style \"%s\" in by clause\n",
use "expand" instead of "regex" for group ACLs that allow substring expansion, preserving backwards compatibility; add sanity checks
2004-03-10 00:33:05 +08:00
fname, lineno, style );
various acl improvements/cleanups/speedups (need to be documented, though)
2002-04-03 23:42:19 +08:00
acl_usage();
}
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
if ( right == NULL || right[0] == '\0' ) {
Change ACL default style to exact (from regex)
2003-05-30 13:24:39 +08:00
fprintf( stderr, "%s: line %d: "
"missing \"=\" in (or value after) \"%s\" "
"in by clause\n",
fixes assertion fault when the <to> clauses's argument does not have a = inside
2001-10-29 16:14:12 +08:00
fname, lineno, left );
acl_usage();
}
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
fprintf( stderr,
"%s: line %d: group pattern already specified.\n",
fname, lineno );
acl_usage();
}
Change ACL default style to exact (from regex)
2003-05-30 13:24:39 +08:00
/* format of string is
"group/objectClassValue/groupAttrName" */
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( ( value = strchr(left, '/') ) != NULL ) {
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
*value++ = '\0';
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( *value && ( name = strchr( value, '/' ) ) != NULL ) {
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
*name++ = '\0';
}
}
1. extend aclgroup's to be able to specify objectClassValue and groupAttrName 2. update print_acl() a bit and call it during aclparse if LDAP_DEBUG_ACL
1998-10-27 10:07:12 +08:00
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
b->a_group_style = sty;
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( sty == ACL_STYLE_EXPAND ) {
Patch: aclparse.c bugs (ITS#1752) ================ Written by Hallvard B. Furuseth and placed into the public domain. This software is not subject to any license of the University of Oslo. ================ Bug fixes: - acl_regex_normalized_dn(pattern): * used pattern->bv_len even though it claimed not to, * would walk past the end of strings that ended (incorrectly) with a single '\'. - style=regex checked for "^.*$$" twice but not for "^.*$". - the code did not notice if dnNormalize2() failed, and would (at least in one case) treat a bad DN as '*'. Some cleanup: - changed regtest() to return void, since the return value was unused. - changed acl_regex_normalized_dn() to take a string input argument instead of a half-filled berval, it looks saner that way. Hallvard B. Furuseth <h.b.furuseth@usit.uio.no>, April 2002.
2002-04-16 04:44:05 +08:00
acl_regex_normalized_dn( right, &bv );
the logic of this check was completely reversed; in case '*' is used, on't test the regula expression
2002-04-02 16:18:30 +08:00
if ( !ber_bvccmp( &bv, '*' ) ) {
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
regtest( fname, lineno, bv.bv_val );
the logic of this check was completely reversed; in case '*' is used, on't test the regula expression
2002-04-02 16:18:30 +08:00
}
More struct berval changes, dnNormalize migration...
2001-12-26 12:17:49 +08:00
b->a_group_pat = bv;
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
} else {
Changed ma_rule_text to struct berval. Changed get_filter to struct bervals
2001-12-26 21:47:10 +08:00
ber_str2bv( right, 0, 0, &bv );
Change ACL default style to exact (from regex)
2003-05-30 13:24:39 +08:00
rc = dnNormalize( 0, NULL, NULL, &bv,
&b->a_group_pat, NULL );
Patch: aclparse.c bugs (ITS#1752) ================ Written by Hallvard B. Furuseth and placed into the public domain. This software is not subject to any license of the University of Oslo. ================ Bug fixes: - acl_regex_normalized_dn(pattern): * used pattern->bv_len even though it claimed not to, * would walk past the end of strings that ended (incorrectly) with a single '\'. - style=regex checked for "^.*$$" twice but not for "^.*$". - the code did not notice if dnNormalize2() failed, and would (at least in one case) treat a bad DN as '*'. Some cleanup: - changed regtest() to return void, since the return value was unused. - changed acl_regex_normalized_dn() to take a string input argument instead of a half-filled berval, it looks saner that way. Hallvard B. Furuseth <h.b.furuseth@usit.uio.no>, April 2002.
2002-04-16 04:44:05 +08:00
if ( rc != LDAP_SUCCESS ) {
fprintf( stderr,
"%s: line %d: bad DN \"%s\"\n",
fname, lineno, right );
acl_usage();
}
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
}
1. extend aclgroup's to be able to specify objectClassValue and groupAttrName 2. update print_acl() a bit and call it during aclparse if LDAP_DEBUG_ACL
1998-10-27 10:07:12 +08:00
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( value && *value ) {
SLAPD_SCHEMA_NOT_COMPAT: Mostly work modify
2000-05-29 00:36:34 +08:00
b->a_group_oc = oc_find( value );
SLAPD_SCHEMA_NOT_COMPAT: Don't depend acl parsing upon slap_schema, it's filled in post-conf
2000-05-29 02:58:09 +08:00
*--value = '/';
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( b->a_group_oc == NULL ) {
SLAPD_SCHEMA_NOT_COMPAT: Mostly work modify
2000-05-29 00:36:34 +08:00
fprintf( stderr,
SLAPD_SCHEMA_NOT_COMPAT: Don't depend acl parsing upon slap_schema, it's filled in post-conf
2000-05-29 02:58:09 +08:00
"%s: line %d: group objectclass "
"\"%s\" unknown\n",
SLAPD_SCHEMA_NOT_COMPAT: Mostly work modify
2000-05-29 00:36:34 +08:00
fname, lineno, value );
acl_usage();
}
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
SLAPD_SCHEMA_NOT_COMPAT: Don't depend acl parsing upon slap_schema, it's filled in post-conf
2000-05-29 02:58:09 +08:00
} else {
SLAPD_SCHEMA_NOT_COMPAT: ACI cleanup
2000-05-29 06:17:34 +08:00
b->a_group_oc = oc_find(SLAPD_GROUP_CLASS);
SLAPD_SCHEMA_NOT_COMPAT: Mostly work modify
2000-05-29 00:36:34 +08:00
SLAPD_SCHEMA_NOT_COMPAT: Don't depend acl parsing upon slap_schema, it's filled in post-conf
2000-05-29 02:58:09 +08:00
if( b->a_group_oc == NULL ) {
SLAPD_SCHEMA_NOT_COMPAT: Mostly work modify
2000-05-29 00:36:34 +08:00
fprintf( stderr,
SLAPD_SCHEMA_NOT_COMPAT: Don't depend acl parsing upon slap_schema, it's filled in post-conf
2000-05-29 02:58:09 +08:00
"%s: line %d: group default objectclass "
"\"%s\" unknown\n",
SLAPD_SCHEMA_NOT_COMPAT: ACI cleanup
2000-05-29 06:17:34 +08:00
fname, lineno, SLAPD_GROUP_CLASS );
SLAPD_SCHEMA_NOT_COMPAT: Mostly work modify
2000-05-29 00:36:34 +08:00
acl_usage();
}
Fix bug in group spec parsing, was failing to set attributeType if a nondefault objectclass was given
2000-01-15 11:48:37 +08:00
}
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( is_object_subclass( slap_schema.si_oc_referral,
b->a_group_oc ) )
SLAPD_SCHEMA_NOT_COMPAT: Don't depend acl parsing upon slap_schema, it's filled in post-conf
2000-05-29 02:58:09 +08:00
{
fprintf( stderr,
"%s: line %d: group objectclass \"%s\" "
"is subclass of referral\n",
fname, lineno, value );
acl_usage();
}
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( is_object_subclass( slap_schema.si_oc_alias,
b->a_group_oc ) )
SLAPD_SCHEMA_NOT_COMPAT: Don't depend acl parsing upon slap_schema, it's filled in post-conf
2000-05-29 02:58:09 +08:00
{
fprintf( stderr,
"%s: line %d: group objectclass \"%s\" "
"is subclass of alias\n",
fname, lineno, value );
acl_usage();
}
SLAPD_SCHEMA_NOT_COMPAT: Mostly work modify
2000-05-29 00:36:34 +08:00
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( name && *name ) {
Bug fix submitted by Anthony Brock (ITS#637)
2000-07-25 10:16:59 +08:00
rc = slap_str2ad( name, &b->a_group_at, &text );
Another round of changes behind -DSLAPD_SCHEMA_NOT_COMPAT plus these changes unhidden changes: remove now meaning --enable-discreteaci configure option fix ITS#451, slapd filters Add ber_bvecadd() to support above constify ldap_pvt_find_wildcard() and misc slapd routines renamed some slap.h macros likely broken something
2000-02-15 04:57:34 +08:00
if( rc != LDAP_SUCCESS ) {
fprintf( stderr,
"%s: line %d: group \"%s\": %s\n",
fname, lineno, right, text );
acl_usage();
}
Fix bug in group spec parsing, was failing to set attributeType if a nondefault objectclass was given
2000-01-15 11:48:37 +08:00
*--name = '/';
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
Fix bug in group spec parsing, was failing to set attributeType if a nondefault objectclass was given
2000-01-15 11:48:37 +08:00
} else {
SLAPD_SCHEMA_NOT_COMPAT: ACI cleanup
2000-05-29 06:17:34 +08:00
rc = slap_str2ad( SLAPD_GROUP_ATTR, &b->a_group_at, &text );
SLAPD_SCHEMA_NOT_COMPAT: Don't depend acl parsing upon slap_schema, it's filled in post-conf
2000-05-29 02:58:09 +08:00
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( rc != LDAP_SUCCESS ) {
SLAPD_SCHEMA_NOT_COMPAT: Don't depend acl parsing upon slap_schema, it's filled in post-conf
2000-05-29 02:58:09 +08:00
fprintf( stderr,
"%s: line %d: group \"%s\": %s\n",
SLAPD_SCHEMA_NOT_COMPAT: ACI cleanup
2000-05-29 06:17:34 +08:00
fname, lineno, SLAPD_GROUP_ATTR, text );
SLAPD_SCHEMA_NOT_COMPAT: Don't depend acl parsing upon slap_schema, it's filled in post-conf
2000-05-29 02:58:09 +08:00
acl_usage();
}
Additional changes to migrate to new schema codes Still not usable.
2000-01-29 04:01:00 +08:00
}
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( !is_at_syntax( b->a_group_at->ad_type,
Permit access defined by uniqueMember and not only DN-valued attributes. This allows using groupOfUniqueNames for access control. Fix small typo in MRA definition.
2000-10-10 03:09:22 +08:00
SLAPD_DN_SYNTAX ) &&
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
!is_at_syntax( b->a_group_at->ad_type,
ITS#2573 dynamic group support moved labeledURI into system schema attribute types that inherit from labeledURI may be used in dynamic groups e.g. access to * by group/groupOfURLs/memberURL=foo
2003-09-20 16:16:04 +08:00
SLAPD_NAMEUID_SYNTAX ) &&
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
!is_at_subtype( b->a_group_at->ad_type, slap_schema.si_ad_labeledURI->ad_type ) )
SLAPD_SCHEMA_NOT_COMPAT: Don't depend acl parsing upon slap_schema, it's filled in post-conf
2000-05-29 02:58:09 +08:00
{
Additional changes to migrate to new schema codes Still not usable.
2000-01-29 04:01:00 +08:00
fprintf( stderr,
SLAPD_SCHEMA_NOT_COMPAT: Don't depend acl parsing upon slap_schema, it's filled in post-conf
2000-05-29 02:58:09 +08:00
"%s: line %d: group \"%s\": inappropriate syntax: %s\n",
fname, lineno, right,
b->a_group_at->ad_type->sat_syntax_oid );
Additional changes to migrate to new schema codes Still not usable.
2000-01-29 04:01:00 +08:00
acl_usage();
}
SLAPD_SCHEMA_NOT_COMPAT: Mostly work modify
2000-05-29 00:36:34 +08:00
{
int rc;
Change struct berval ** to BVarray
2002-01-02 19:00:36 +08:00
struct berval vals[2];
SLAPD_SCHEMA_NOT_COMPAT: Mostly work modify
2000-05-29 00:36:34 +08:00
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
ber_str2bv( b->a_group_oc->soc_oid, 0, 0, &vals[0] );
BER_BVZERO( &vals[1] );
SLAPD_SCHEMA_NOT_COMPAT: Mostly work modify
2000-05-29 00:36:34 +08:00
Change ACL default style to exact (from regex)
2003-05-30 13:24:39 +08:00
rc = oc_check_allowed( b->a_group_at->ad_type,
vals, NULL );
SLAPD_SCHEMA_NOT_COMPAT: Mostly work modify
2000-05-29 00:36:34 +08:00
if( rc != 0 ) {
Change ACL default style to exact (from regex)
2003-05-30 13:24:39 +08:00
fprintf( stderr, "%s: line %d: "
"group: \"%s\" not allowed by \"%s\"\n",
SLAPD_SCHEMA_NOT_COMPAT: Mostly work modify
2000-05-29 00:36:34 +08:00
fname, lineno,
Moved AttributeDescription caching into main code: Changed AttributeDescription.{ad_cname,ad_lang} to struct berval everywhere Deleted ad_free() everywhere Added ad_mutex to init.c The AttributeDescriptions are in a linked list hanging off of the corresponding AttributeType.
2001-10-22 21:23:05 +08:00
b->a_group_at->ad_cname.bv_val,
SLAPD_SCHEMA_NOT_COMPAT: Mostly work modify
2000-05-29 00:36:34 +08:00
b->a_group_oc->soc_oid );
acl_usage();
}
}
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
continue;
unifdef -DSLAPD_ACLGROUPS -DSLAPD_ACLAUTH
1999-07-05 14:26:26 +08:00
}
1. extend aclgroup's to be able to specify objectClassValue and groupAttrName 2. update print_acl() a bit and call it during aclparse if LDAP_DEBUG_ACL
1998-10-27 10:07:12 +08:00
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
if ( strcasecmp( left, "peername" ) == 0 ) {
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
switch ( sty ) {
apply advanced peername ACL (ITS#2907)
2004-03-09 02:49:12 +08:00
case ACL_STYLE_REGEX:
case ACL_STYLE_BASE:
allow "expand" style in peername, sockname, sockurl as well; more sanity checks
2004-03-10 03:44:14 +08:00
/* legal, traditional */
case ACL_STYLE_EXPAND:
/* cheap replacement to regex for simple expansion */
apply advanced peername ACL (ITS#2907)
2004-03-09 02:49:12 +08:00
case ACL_STYLE_IP:
case ACL_STYLE_PATH:
allow "expand" style in peername, sockname, sockurl as well; more sanity checks
2004-03-10 03:44:14 +08:00
/* legal, peername specific */
apply advanced peername ACL (ITS#2907)
2004-03-09 02:49:12 +08:00
break;
default:
Change ACL default style to exact (from regex)
2003-05-30 13:24:39 +08:00
fprintf( stderr, "%s: line %d: "
"inappropriate style \"%s\" in by clause\n",
various acl improvements/cleanups/speedups (need to be documented, though)
2002-04-03 23:42:19 +08:00
fname, lineno, style );
acl_usage();
}
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
if ( right == NULL || right[0] == '\0' ) {
Change ACL default style to exact (from regex)
2003-05-30 13:24:39 +08:00
fprintf( stderr, "%s: line %d: "
"missing \"=\" in (or value after) \"%s\" "
"in by clause\n",
fixes assertion fault when the <to> clauses's argument does not have a = inside
2001-10-29 16:14:12 +08:00
fname, lineno, left );
acl_usage();
}
fix ITS#3416
2004-12-03 16:41:06 +08:00
if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {
Change ACL default style to exact (from regex)
2003-05-30 13:24:39 +08:00
fprintf( stderr, "%s: line %d: "
"peername pattern already specified.\n",
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
fname, lineno );
acl_usage();
}
Merged files from branch REGEX_REMOVAL. Despite name, this merge adds POSIX RegEx (and removes BSD re_comp/re_exec) support. * POSIX RegEx is not currently included in the distribution, however we will probably add Henry Spencer's REGEX library soon. * ACL Group functionality is also included in this merge!
1998-08-21 14:33:42 +08:00
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
b->a_peername_style = sty;
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( sty == ACL_STYLE_REGEX ) {
Patch: aclparse.c bugs (ITS#1752) ================ Written by Hallvard B. Furuseth and placed into the public domain. This software is not subject to any license of the University of Oslo. ================ Bug fixes: - acl_regex_normalized_dn(pattern): * used pattern->bv_len even though it claimed not to, * would walk past the end of strings that ended (incorrectly) with a single '\'. - style=regex checked for "^.*$$" twice but not for "^.*$". - the code did not notice if dnNormalize2() failed, and would (at least in one case) treat a bad DN as '*'. Some cleanup: - changed regtest() to return void, since the return value was unused. - changed acl_regex_normalized_dn() to take a string input argument instead of a half-filled berval, it looks saner that way. Hallvard B. Furuseth <h.b.furuseth@usit.uio.no>, April 2002.
2002-04-16 04:44:05 +08:00
acl_regex_normalized_dn( right, &bv );
the logic of this check was completely reversed; in case '*' is used, on't test the regula expression
2002-04-02 16:18:30 +08:00
if ( !ber_bvccmp( &bv, '*' ) ) {
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
regtest( fname, lineno, bv.bv_val );
the logic of this check was completely reversed; in case '*' is used, on't test the regula expression
2002-04-02 16:18:30 +08:00
}
Changed Access.a_sockurl_pat, Connection.c_listener_url etc. to struct bervals
2002-01-28 19:41:07 +08:00
b->a_peername_pat = bv;
apply advanced peername ACL (ITS#2907)
2004-03-09 02:49:12 +08:00
trims space after comma in dn.regex acls (prelude to normalization)
2001-11-12 19:29:40 +08:00
} else {
Changed Access.a_sockurl_pat, Connection.c_listener_url etc. to struct bervals
2002-01-28 19:41:07 +08:00
ber_str2bv( right, 0, 1, &b->a_peername_pat );
apply advanced peername ACL (ITS#2907)
2004-03-09 02:49:12 +08:00
if ( sty == ACL_STYLE_IP ) {
char *addr = NULL,
*mask = NULL,
*port = NULL;
split( right, '{', &addr, &port );
split( addr, '%', &addr, &mask );
b->a_peername_addr = inet_addr( addr );
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( b->a_peername_addr == (unsigned long)(-1) ) {
apply advanced peername ACL (ITS#2907)
2004-03-09 02:49:12 +08:00
/* illegal address */
fprintf( stderr, "%s: line %d: "
"illegal peername address \"%s\".\n",
fname, lineno, addr );
acl_usage();
}
b->a_peername_mask = (unsigned long)(-1);
if ( mask != NULL ) {
b->a_peername_mask = inet_addr( mask );
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
if ( b->a_peername_mask ==
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
(unsigned long)(-1) )
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
{
apply advanced peername ACL (ITS#2907)
2004-03-09 02:49:12 +08:00
/* illegal mask */
fprintf( stderr, "%s: line %d: "
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
"illegal peername address mask "
"\"%s\".\n",
apply advanced peername ACL (ITS#2907)
2004-03-09 02:49:12 +08:00
fname, lineno, mask );
acl_usage();
}
}
b->a_peername_port = -1;
if ( port ) {
char *end = NULL;
b->a_peername_port = strtol( port, &end, 10 );
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
if ( end[0] != '}' ) {
apply advanced peername ACL (ITS#2907)
2004-03-09 02:49:12 +08:00
/* illegal port */
fprintf( stderr, "%s: line %d: "
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
"illegal peername port specification "
"\"{%s}\".\n",
apply advanced peername ACL (ITS#2907)
2004-03-09 02:49:12 +08:00
fname, lineno, port );
acl_usage();
}
}
}
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
}
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
continue;
Initial revision
1998-08-09 08:43:13 +08:00
}
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
if ( strcasecmp( left, "sockname" ) == 0 ) {
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
switch ( sty ) {
allow "expand" style in peername, sockname, sockurl as well; more sanity checks
2004-03-10 03:44:14 +08:00
case ACL_STYLE_REGEX:
case ACL_STYLE_BASE:
/* legal, traditional */
case ACL_STYLE_EXPAND:
/* cheap replacement to regex for simple expansion */
break;
default:
/* unknown */
Change ACL default style to exact (from regex)
2003-05-30 13:24:39 +08:00
fprintf( stderr, "%s: line %d: "
"inappropriate style \"%s\" in by clause\n",
various acl improvements/cleanups/speedups (need to be documented, though)
2002-04-03 23:42:19 +08:00
fname, lineno, style );
acl_usage();
}
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
if ( right == NULL || right[0] == '\0' ) {
Change ACL default style to exact (from regex)
2003-05-30 13:24:39 +08:00
fprintf( stderr, "%s: line %d: "
"missing \"=\" in (or value after) \"%s\" "
"in by clause\n",
fixes assertion fault when the <to> clauses's argument does not have a = inside
2001-10-29 16:14:12 +08:00
fname, lineno, left );
acl_usage();
}
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( !BER_BVISNULL( &b->a_sockname_pat ) ) {
Change ACL default style to exact (from regex)
2003-05-30 13:24:39 +08:00
fprintf( stderr, "%s: line %d: "
"sockname pattern already specified.\n",
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
fname, lineno );
acl_usage();
}
Initial revision
1998-08-09 08:43:13 +08:00
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
b->a_sockname_style = sty;
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( sty == ACL_STYLE_REGEX ) {
Patch: aclparse.c bugs (ITS#1752) ================ Written by Hallvard B. Furuseth and placed into the public domain. This software is not subject to any license of the University of Oslo. ================ Bug fixes: - acl_regex_normalized_dn(pattern): * used pattern->bv_len even though it claimed not to, * would walk past the end of strings that ended (incorrectly) with a single '\'. - style=regex checked for "^.*$$" twice but not for "^.*$". - the code did not notice if dnNormalize2() failed, and would (at least in one case) treat a bad DN as '*'. Some cleanup: - changed regtest() to return void, since the return value was unused. - changed acl_regex_normalized_dn() to take a string input argument instead of a half-filled berval, it looks saner that way. Hallvard B. Furuseth <h.b.furuseth@usit.uio.no>, April 2002.
2002-04-16 04:44:05 +08:00
acl_regex_normalized_dn( right, &bv );
the logic of this check was completely reversed; in case '*' is used, on't test the regula expression
2002-04-02 16:18:30 +08:00
if ( !ber_bvccmp( &bv, '*' ) ) {
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
regtest( fname, lineno, bv.bv_val );
the logic of this check was completely reversed; in case '*' is used, on't test the regula expression
2002-04-02 16:18:30 +08:00
}
Changed Access.a_sockurl_pat, Connection.c_listener_url etc. to struct bervals
2002-01-28 19:41:07 +08:00
b->a_sockname_pat = bv;
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
trims space after comma in dn.regex acls (prelude to normalization)
2001-11-12 19:29:40 +08:00
} else {
Changed Access.a_sockurl_pat, Connection.c_listener_url etc. to struct bervals
2002-01-28 19:41:07 +08:00
ber_str2bv( right, 0, 1, &b->a_sockname_pat );
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
}
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
continue;
}
Initial revision
1998-08-09 08:43:13 +08:00
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
if ( strcasecmp( left, "domain" ) == 0 ) {
various acl improvements/cleanups/speedups (need to be documented, though)
2002-04-03 23:42:19 +08:00
switch ( sty ) {
case ACL_STYLE_REGEX:
case ACL_STYLE_BASE:
case ACL_STYLE_SUBTREE:
allow "expand" style in peername, sockname, sockurl as well; more sanity checks
2004-03-10 03:44:14 +08:00
/* legal, traditional */
break;
case ACL_STYLE_EXPAND:
/* tolerated: means exact,expand */
if ( expand ) {
fprintf( stderr,
"%s: line %d: "
minor cleanup
2004-10-07 06:20:30 +08:00
"\"expand\" modifier "
"with \"expand\" style\n",
allow "expand" style in peername, sockname, sockurl as well; more sanity checks
2004-03-10 03:44:14 +08:00
fname, lineno );
}
sty = ACL_STYLE_BASE;
expand = 1;
various acl improvements/cleanups/speedups (need to be documented, though)
2002-04-03 23:42:19 +08:00
break;
default:
allow "expand" style in peername, sockname, sockurl as well; more sanity checks
2004-03-10 03:44:14 +08:00
/* unknown */
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
fprintf( stderr, "%s: line %d: "
"inappropriate style \"%s\" in by clause\n",
various acl improvements/cleanups/speedups (need to be documented, though)
2002-04-03 23:42:19 +08:00
fname, lineno, style );
acl_usage();
}
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
if ( right == NULL || right[0] == '\0' ) {
fprintf( stderr, "%s: line %d: "
"missing \"=\" in (or value after) \"%s\" "
"in by clause\n",
fixes assertion fault when the <to> clauses's argument does not have a = inside
2001-10-29 16:14:12 +08:00
fname, lineno, left );
acl_usage();
}
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) {
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
fprintf( stderr,
"%s: line %d: domain pattern already specified.\n",
fname, lineno );
acl_usage();
}
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
b->a_domain_style = sty;
various acl improvements/cleanups/speedups (need to be documented, though)
2002-04-03 23:42:19 +08:00
b->a_domain_expand = expand;
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( sty == ACL_STYLE_REGEX ) {
Patch: aclparse.c bugs (ITS#1752) ================ Written by Hallvard B. Furuseth and placed into the public domain. This software is not subject to any license of the University of Oslo. ================ Bug fixes: - acl_regex_normalized_dn(pattern): * used pattern->bv_len even though it claimed not to, * would walk past the end of strings that ended (incorrectly) with a single '\'. - style=regex checked for "^.*$$" twice but not for "^.*$". - the code did not notice if dnNormalize2() failed, and would (at least in one case) treat a bad DN as '*'. Some cleanup: - changed regtest() to return void, since the return value was unused. - changed acl_regex_normalized_dn() to take a string input argument instead of a half-filled berval, it looks saner that way. Hallvard B. Furuseth <h.b.furuseth@usit.uio.no>, April 2002.
2002-04-16 04:44:05 +08:00
acl_regex_normalized_dn( right, &bv );
the logic of this check was completely reversed; in case '*' is used, on't test the regula expression
2002-04-02 16:18:30 +08:00
if ( !ber_bvccmp( &bv, '*' ) ) {
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
regtest( fname, lineno, bv.bv_val );
the logic of this check was completely reversed; in case '*' is used, on't test the regula expression
2002-04-02 16:18:30 +08:00
}
Changed Access.a_sockurl_pat, Connection.c_listener_url etc. to struct bervals
2002-01-28 19:41:07 +08:00
b->a_domain_pat = bv;
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
trims space after comma in dn.regex acls (prelude to normalization)
2001-11-12 19:29:40 +08:00
} else {
Changed Access.a_sockurl_pat, Connection.c_listener_url etc. to struct bervals
2002-01-28 19:41:07 +08:00
ber_str2bv( right, 0, 1, &b->a_domain_pat );
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
}
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
continue;
}
Update ACL field names and usage statement to match -devel post
1999-07-22 08:50:11 +08:00
if ( strcasecmp( left, "sockurl" ) == 0 ) {
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
switch ( sty ) {
allow "expand" style in peername, sockname, sockurl as well; more sanity checks
2004-03-10 03:44:14 +08:00
case ACL_STYLE_REGEX:
case ACL_STYLE_BASE:
/* legal, traditional */
case ACL_STYLE_EXPAND:
/* cheap replacement to regex for simple expansion */
break;
default:
/* unknown */
fprintf( stderr, "%s: line %d: "
"inappropriate style \"%s\" in by clause\n",
various acl improvements/cleanups/speedups (need to be documented, though)
2002-04-03 23:42:19 +08:00
fname, lineno, style );
acl_usage();
}
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
if ( right == NULL || right[0] == '\0' ) {
fprintf( stderr, "%s: line %d: "
"missing \"=\" in (or value after) \"%s\" "
"in by clause\n",
fixes assertion fault when the <to> clauses's argument does not have a = inside
2001-10-29 16:14:12 +08:00
fname, lineno, left );
acl_usage();
}
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) {
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
fprintf( stderr,
Update ACL field names and usage statement to match -devel post
1999-07-22 08:50:11 +08:00
"%s: line %d: sockurl pattern already specified.\n",
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
fname, lineno );
acl_usage();
}
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
b->a_sockurl_style = sty;
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( sty == ACL_STYLE_REGEX ) {
Patch: aclparse.c bugs (ITS#1752) ================ Written by Hallvard B. Furuseth and placed into the public domain. This software is not subject to any license of the University of Oslo. ================ Bug fixes: - acl_regex_normalized_dn(pattern): * used pattern->bv_len even though it claimed not to, * would walk past the end of strings that ended (incorrectly) with a single '\'. - style=regex checked for "^.*$$" twice but not for "^.*$". - the code did not notice if dnNormalize2() failed, and would (at least in one case) treat a bad DN as '*'. Some cleanup: - changed regtest() to return void, since the return value was unused. - changed acl_regex_normalized_dn() to take a string input argument instead of a half-filled berval, it looks saner that way. Hallvard B. Furuseth <h.b.furuseth@usit.uio.no>, April 2002.
2002-04-16 04:44:05 +08:00
acl_regex_normalized_dn( right, &bv );
the logic of this check was completely reversed; in case '*' is used, on't test the regula expression
2002-04-02 16:18:30 +08:00
if ( !ber_bvccmp( &bv, '*' ) ) {
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
regtest( fname, lineno, bv.bv_val );
the logic of this check was completely reversed; in case '*' is used, on't test the regula expression
2002-04-02 16:18:30 +08:00
}
Changed Access.a_sockurl_pat, Connection.c_listener_url etc. to struct bervals
2002-01-28 19:41:07 +08:00
b->a_sockurl_pat = bv;
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
trims space after comma in dn.regex acls (prelude to normalization)
2001-11-12 19:29:40 +08:00
} else {
Changed Access.a_sockurl_pat, Connection.c_listener_url etc. to struct bervals
2002-01-28 19:41:07 +08:00
ber_str2bv( right, 0, 1, &b->a_sockurl_pat );
Added .regex, .base, .one, .subtree, and .children "style" modifiers.
2000-06-12 09:35:15 +08:00
}
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
continue;
}
Prepare for Set ACLs and ACIs.
2000-06-30 05:41:54 +08:00
if ( strcasecmp( left, "set" ) == 0 ) {
add URI search to sets; documentation to come...
2004-10-08 01:05:48 +08:00
switch ( sty ) {
/* deprecated */
case ACL_STYLE_REGEX:
fprintf( stderr, "%s: line %d: "
"deprecated set style "
"\"regex\" in <by> clause; "
"use \"expand\" instead\n",
fname, lineno );
sty = ACL_STYLE_EXPAND;
/* FALLTHRU */
case ACL_STYLE_BASE:
case ACL_STYLE_EXPAND:
break;
default:
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
fprintf( stderr, "%s: line %d: "
"inappropriate style \"%s\" in by clause\n",
add URI search to sets; documentation to come...
2004-10-08 01:05:48 +08:00
fname, lineno, style );
various acl improvements/cleanups/speedups (need to be documented, though)
2002-04-03 23:42:19 +08:00
acl_usage();
}
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( !BER_BVISEMPTY( &b->a_set_pat ) ) {
Prepare for Set ACLs and ACIs.
2000-06-30 05:41:54 +08:00
fprintf( stderr,
"%s: line %d: set attribute already specified.\n",
fname, lineno );
acl_usage();
}
if ( right == NULL || *right == '\0' ) {
fprintf( stderr,
"%s: line %d: no set is defined\n",
fname, lineno );
acl_usage();
}
b->a_set_style = sty;
Changed ma_rule_text to struct berval. Changed get_filter to struct bervals
2001-12-26 21:47:10 +08:00
ber_str2bv( right, 0, 1, &b->a_set_pat );
Prepare for Set ACLs and ACIs.
2000-06-30 05:41:54 +08:00
continue;
}
move ACIs under a dynamic infrastructure that allows run-time loadable custom access control logic (needs work)
2004-11-20 09:27:03 +08:00
#ifdef SLAP_DYNACL
{
char *name = NULL;
if ( strcasecmp( left, "aci" ) == 0 ) {
name = "aci";
} else if ( strncasecmp( left, "dynacl/", STRLENOF( "dynacl/" ) ) == 0 ) {
name = &left[ STRLENOF( "dynacl/" ) ];
}
if ( name ) {
if ( slap_dynacl_config( fname, lineno, b, name, sty, right ) ) {
fprintf( stderr, "%s: line %d: "
"unable to configure dynacl \"%s\"\n",
fname, lineno, name );
acl_usage();
}
continue;
}
}
#else /* ! SLAP_DYNACL */
ACIs from Mark Valence <kurash@sassafras.com> (ITS#261)
1999-08-21 06:42:04 +08:00
#ifdef SLAPD_ACI_ENABLED
if ( strcasecmp( left, "aci" ) == 0 ) {
various acl improvements/cleanups/speedups (need to be documented, though)
2002-04-03 23:42:19 +08:00
if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
fprintf( stderr, "%s: line %d: "
"inappropriate style \"%s\" in by clause\n",
various acl improvements/cleanups/speedups (need to be documented, though)
2002-04-03 23:42:19 +08:00
fname, lineno, style );
acl_usage();
}
ACIs from Mark Valence <kurash@sassafras.com> (ITS#261)
1999-08-21 06:42:04 +08:00
if( b->a_aci_at != NULL ) {
fprintf( stderr,
"%s: line %d: aci attribute already specified.\n",
fname, lineno );
acl_usage();
}
Resolve syntax errors created by previous -DSLAPD_SCHEMA_COMPAT work.
2000-01-29 15:00:39 +08:00
if ( right != NULL && *right != '\0' ) {
Another round of changes behind -DSLAPD_SCHEMA_NOT_COMPAT plus these changes unhidden changes: remove now meaning --enable-discreteaci configure option fix ITS#451, slapd filters Add ber_bvecadd() to support above constify ldap_pvt_find_wildcard() and misc slapd routines renamed some slap.h macros likely broken something
2000-02-15 04:57:34 +08:00
rc = slap_str2ad( right, &b->a_aci_at, &text );
if( rc != LDAP_SUCCESS ) {
fprintf( stderr,
"%s: line %d: aci \"%s\": %s\n",
fname, lineno, right, text );
acl_usage();
}
SLAPD_SCHEMA_NOT_COMPAT: prelim ACL work
2000-05-28 03:33:08 +08:00
SLAPD_SCHEMA_NOT_COMPAT: ACI cleanup
2000-05-29 06:17:34 +08:00
} else {
Misc cleanup, lint removal, and minor optimizations
2002-01-13 13:00:59 +08:00
b->a_aci_at = slap_schema.si_ad_aci;
Additional changes to migrate to new schema codes Still not usable.
2000-01-29 04:01:00 +08:00
}
SLAPD_SCHEMA_NOT_COMPAT: ACI cleanup
2000-05-29 06:17:34 +08:00
if( !is_at_syntax( b->a_aci_at->ad_type,
SLAPD_ACI_SYNTAX) )
{
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
fprintf( stderr, "%s: line %d: "
"aci \"%s\": inappropriate syntax: %s\n",
SLAPD_SCHEMA_NOT_COMPAT: ACI cleanup
2000-05-29 06:17:34 +08:00
fname, lineno, right,
b->a_aci_at->ad_type->sat_syntax_oid );
Additional changes to migrate to new schema codes Still not usable.
2000-01-29 04:01:00 +08:00
acl_usage();
}
ACIs from Mark Valence <kurash@sassafras.com> (ITS#261)
1999-08-21 06:42:04 +08:00
continue;
}
Additional changes to migrate to new schema codes Still not usable.
2000-01-29 04:01:00 +08:00
#endif /* SLAPD_ACI_ENABLED */
move ACIs under a dynamic infrastructure that allows run-time loadable custom access control logic (needs work)
2004-11-20 09:27:03 +08:00
#endif /* ! SLAP_DYNACL */
ACIs from Mark Valence <kurash@sassafras.com> (ITS#261)
1999-08-21 06:42:04 +08:00
restrictops, requires, disallow knobs; ssf acls; and misc other changes man pages to follow...
2000-08-29 02:38:48 +08:00
if ( strcasecmp( left, "ssf" ) == 0 ) {
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
fprintf( stderr, "%s: line %d: "
"inappropriate style \"%s\" in by clause\n",
various acl improvements/cleanups/speedups (need to be documented, though)
2002-04-03 23:42:19 +08:00
fname, lineno, style );
acl_usage();
}
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( b->a_authz.sai_ssf ) {
restrictops, requires, disallow knobs; ssf acls; and misc other changes man pages to follow...
2000-08-29 02:38:48 +08:00
fprintf( stderr,
"%s: line %d: ssf attribute already specified.\n",
fname, lineno );
acl_usage();
}
if ( right == NULL || *right == '\0' ) {
fprintf( stderr,
"%s: line %d: no ssf is defined\n",
fname, lineno );
acl_usage();
}
Fix typo in last commit
2004-06-19 03:12:00 +08:00
b->a_authz.sai_ssf = strtol( right, &next, 10 );
improve parsing - first step
2004-06-18 17:11:53 +08:00
if ( next == NULL || next[0] != '\0' ) {
fprintf( stderr,
"%s: line %d: unable to parse ssf value (%s)\n",
fname, lineno, right );
acl_usage();
}
restrictops, requires, disallow knobs; ssf acls; and misc other changes man pages to follow...
2000-08-29 02:38:48 +08:00
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( !b->a_authz.sai_ssf ) {
restrictops, requires, disallow knobs; ssf acls; and misc other changes man pages to follow...
2000-08-29 02:38:48 +08:00
fprintf( stderr,
"%s: line %d: invalid ssf value (%s)\n",
fname, lineno, right );
acl_usage();
}
continue;
}
if ( strcasecmp( left, "transport_ssf" ) == 0 ) {
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
fprintf( stderr, "%s: line %d: "
"inappropriate style \"%s\" in by clause\n",
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
fname, lineno, style );
various acl improvements/cleanups/speedups (need to be documented, though)
2002-04-03 23:42:19 +08:00
acl_usage();
}
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( b->a_authz.sai_transport_ssf ) {
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
fprintf( stderr, "%s: line %d: "
"transport_ssf attribute already specified.\n",
restrictops, requires, disallow knobs; ssf acls; and misc other changes man pages to follow...
2000-08-29 02:38:48 +08:00
fname, lineno );
acl_usage();
}
if ( right == NULL || *right == '\0' ) {
fprintf( stderr,
"%s: line %d: no transport_ssf is defined\n",
fname, lineno );
acl_usage();
}
improve parsing - first step
2004-06-18 17:11:53 +08:00
b->a_authz.sai_transport_ssf = strtol( right, &next, 10 );
if ( next == NULL || next[0] != '\0' ) {
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
fprintf( stderr, "%s: line %d: "
"unable to parse transport_ssf value (%s)\n",
improve parsing - first step
2004-06-18 17:11:53 +08:00
fname, lineno, right );
acl_usage();
}
restrictops, requires, disallow knobs; ssf acls; and misc other changes man pages to follow...
2000-08-29 02:38:48 +08:00
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( !b->a_authz.sai_transport_ssf ) {
restrictops, requires, disallow knobs; ssf acls; and misc other changes man pages to follow...
2000-08-29 02:38:48 +08:00
fprintf( stderr,
"%s: line %d: invalid transport_ssf value (%s)\n",
fname, lineno, right );
acl_usage();
}
continue;
}
if ( strcasecmp( left, "tls_ssf" ) == 0 ) {
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
fprintf( stderr, "%s: line %d: "
"inappropriate style \"%s\" in by clause\n",
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
fname, lineno, style );
various acl improvements/cleanups/speedups (need to be documented, though)
2002-04-03 23:42:19 +08:00
acl_usage();
}
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( b->a_authz.sai_tls_ssf ) {
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
fprintf( stderr, "%s: line %d: "
"tls_ssf attribute already specified.\n",
restrictops, requires, disallow knobs; ssf acls; and misc other changes man pages to follow...
2000-08-29 02:38:48 +08:00
fname, lineno );
acl_usage();
}
if ( right == NULL || *right == '\0' ) {
fprintf( stderr,
"%s: line %d: no tls_ssf is defined\n",
fname, lineno );
acl_usage();
}
improve parsing - first step
2004-06-18 17:11:53 +08:00
b->a_authz.sai_tls_ssf = strtol( right, &next, 10 );
if ( next == NULL || next[0] != '\0' ) {
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
fprintf( stderr, "%s: line %d: "
"unable to parse tls_ssf value (%s)\n",
improve parsing - first step
2004-06-18 17:11:53 +08:00
fname, lineno, right );
acl_usage();
}
restrictops, requires, disallow knobs; ssf acls; and misc other changes man pages to follow...
2000-08-29 02:38:48 +08:00
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( !b->a_authz.sai_tls_ssf ) {
restrictops, requires, disallow knobs; ssf acls; and misc other changes man pages to follow...
2000-08-29 02:38:48 +08:00
fprintf( stderr,
"%s: line %d: invalid tls_ssf value (%s)\n",
fname, lineno, right );
acl_usage();
}
continue;
}
if ( strcasecmp( left, "sasl_ssf" ) == 0 ) {
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
fprintf( stderr, "%s: line %d: "
"inappropriate style \"%s\" in by clause\n",
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
fname, lineno, style );
various acl improvements/cleanups/speedups (need to be documented, though)
2002-04-03 23:42:19 +08:00
acl_usage();
}
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( b->a_authz.sai_sasl_ssf ) {
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
fprintf( stderr, "%s: line %d: "
"sasl_ssf attribute already specified.\n",
restrictops, requires, disallow knobs; ssf acls; and misc other changes man pages to follow...
2000-08-29 02:38:48 +08:00
fname, lineno );
acl_usage();
}
if ( right == NULL || *right == '\0' ) {
fprintf( stderr,
"%s: line %d: no sasl_ssf is defined\n",
fname, lineno );
acl_usage();
}
improve parsing - first step
2004-06-18 17:11:53 +08:00
b->a_authz.sai_sasl_ssf = strtol( right, &next, 10 );
if ( next == NULL || next[0] != '\0' ) {
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
fprintf( stderr, "%s: line %d: "
"unable to parse sasl_ssf value (%s)\n",
improve parsing - first step
2004-06-18 17:11:53 +08:00
fname, lineno, right );
acl_usage();
}
restrictops, requires, disallow knobs; ssf acls; and misc other changes man pages to follow...
2000-08-29 02:38:48 +08:00
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( !b->a_authz.sai_sasl_ssf ) {
restrictops, requires, disallow knobs; ssf acls; and misc other changes man pages to follow...
2000-08-29 02:38:48 +08:00
fprintf( stderr,
"%s: line %d: invalid sasl_ssf value (%s)\n",
fname, lineno, right );
acl_usage();
}
continue;
}
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( right != NULL ) {
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
/* unsplit */
right[-1] = '=';
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
}
break;
}
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( i == argc || ( strcasecmp( left, "stop" ) == 0 ) ) {
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
/* out of arguments or plain stop */
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
b->a_type = ACL_STOP;
access_append( &a->acl_access, b );
continue;
}
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( strcasecmp( left, "continue" ) == 0 ) {
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
/* plain continue */
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
b->a_type = ACL_CONTINUE;
access_append( &a->acl_access, b );
continue;
}
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( strcasecmp( left, "break" ) == 0 ) {
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
/* plain continue */
Minor typedef and other clean ups
2000-08-26 09:14:05 +08:00
ACL_PRIV_ASSIGN(b->a_access_mask, ACL_PRIV_ADDITIVE);
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
b->a_type = ACL_BREAK;
access_append( &a->acl_access, b );
continue;
}
if ( strcasecmp( left, "by" ) == 0 ) {
/* we've gone too far */
--i;
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
ACL_PRIV_ASSIGN( b->a_access_mask, ACL_PRIV_ADDITIVE );
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
b->a_type = ACL_STOP;
access_append( &a->acl_access, b );
continue;
}
/* get <access> */
implement "realdn" by clause in ACLs (ITS#3627; accounting for Howard's remarks)
2005-04-03 09:59:03 +08:00
if ( strncasecmp( left, "self", STRLENOF( "self" ) ) == 0 ) {
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
b->a_dn_self = 1;
implement "realdn" by clause in ACLs (ITS#3627; accounting for Howard's remarks)
2005-04-03 09:59:03 +08:00
ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[ STRLENOF( "self" ) ] ) );
} else if ( strncasecmp( left, "realself", STRLENOF( "realself" ) ) == 0 ) {
b->a_realdn_self = 1;
ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( &left[ STRLENOF( "realself" ) ] ) );
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
} else {
Minor typedef and other clean ups
2000-08-26 09:14:05 +08:00
ACL_PRIV_ASSIGN( b->a_access_mask, str2accessmask( left ) );
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
}
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( ACL_IS_INVALID( b->a_access_mask ) ) {
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
fprintf( stderr,
"%s: line %d: expecting <access> got \"%s\"\n",
fname, lineno, left );
acl_usage();
}
b->a_type = ACL_STOP;
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( ++i == argc ) {
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
/* out of arguments or plain stop */
access_append( &a->acl_access, b );
continue;
}
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( strcasecmp( argv[i], "continue" ) == 0 ) {
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
/* plain continue */
b->a_type = ACL_CONTINUE;
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
} else if ( strcasecmp( argv[i], "break" ) == 0 ) {
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
/* plain continue */
b->a_type = ACL_BREAK;
} else if ( strcasecmp( argv[i], "stop" ) != 0 ) {
/* gone to far */
i--;
}
access_append( &a->acl_access, b );
Initial revision
1998-08-09 08:43:13 +08:00
} else {
fprintf( stderr,
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
"%s: line %d: expecting \"to\" "
"or \"by\" got \"%s\"\n",
fname, lineno, argv[i] );
Initial revision
1998-08-09 08:43:13 +08:00
acl_usage();
}
}
/* if we have no real access clause, complain and do nothing */
if ( a == NULL ) {
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
fprintf( stderr, "%s: line %d: "
"warning: no access clause(s) specified in access line\n",
fname, lineno );
Initial revision
1998-08-09 08:43:13 +08:00
} else {
Enclose debug variables in #ifdef LDAP_DEBUG
1998-11-05 13:03:12 +08:00
#ifdef LDAP_DEBUG
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( ldap_debug & LDAP_DEBUG_ACL ) {
print_acl( be, a );
}
Enclose debug variables in #ifdef LDAP_DEBUG
1998-11-05 13:03:12 +08:00
#endif
Initial revision
1998-08-09 08:43:13 +08:00
if ( a->acl_access == NULL ) {
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
fprintf( stderr, "%s: line %d: "
"warning: no by clause(s) specified in access line\n",
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
fname, lineno );
Initial revision
1998-08-09 08:43:13 +08:00
}
if ( be != NULL ) {
don't yell at regex styling that wraps all the suffix in a submatch
2004-12-01 06:50:07 +08:00
if ( !BER_BVISNULL( &be->be_nsuffix[ 1 ] ) ) {
fprintf( stderr, "%s: line %d: warning: "
"scope checking only applies to single-valued "
"suffix databases\n",
fname, lineno );
/* go ahead, since checking is not authoritative */
}
experimental ACL scope correctness test
2004-04-21 03:16:21 +08:00
switch ( check_scope( be, a ) ) {
case ACL_SCOPE_UNKNOWN:
fprintf( stderr, "%s: line %d: warning: "
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
"cannot assess the validity of the ACL scope within "
"backend naming context\n",
fname, lineno );
experimental ACL scope correctness test
2004-04-21 03:16:21 +08:00
break;
case ACL_SCOPE_WARN:
fprintf( stderr, "%s: line %d: warning: "
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
"ACL could be out of scope within backend naming context\n",
fname, lineno );
experimental ACL scope correctness test
2004-04-21 03:16:21 +08:00
break;
case ACL_SCOPE_PARTIAL:
fprintf( stderr, "%s: line %d: warning: "
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
"ACL appears to be partially out of scope within "
"backend naming context\n",
fname, lineno );
experimental ACL scope correctness test
2004-04-21 03:16:21 +08:00
break;
case ACL_SCOPE_ERR:
fprintf( stderr, "%s: line %d: warning: "
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
"ACL appears to be out of scope within "
"backend naming context\n",
fname, lineno );
experimental ACL scope correctness test
2004-04-21 03:16:21 +08:00
break;
default:
break;
}
More modify support. ACL editing works.
2005-04-20 00:39:48 +08:00
acl_append( &be->be_acl, a, pos );
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
Initial revision
1998-08-09 08:43:13 +08:00
} else {
More modify support. ACL editing works.
2005-04-20 00:39:48 +08:00
acl_append( &frontendDB->be_acl, a, pos );
Initial revision
1998-08-09 08:43:13 +08:00
}
}
}
char *
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
accessmask2str( slap_mask_t mask, char *buf, int debug )
Initial revision
1998-08-09 08:43:13 +08:00
{
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
int none = 1;
char *ptr = buf;
Initial revision
1998-08-09 08:43:13 +08:00
Make accessmask2str reentrant.
1999-10-22 07:19:22 +08:00
assert( buf != NULL );
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
if ( ACL_IS_INVALID( mask ) ) {
return "invalid";
Initial revision
1998-08-09 08:43:13 +08:00
}
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
buf[0] = '\0';
if ( ACL_IS_LEVEL( mask ) ) {
if ( ACL_LVL_IS_NONE(mask) ) {
Moved slap_strcopy, slap_strncopy to lutil_strcopy, lutil_strncopy
2002-07-27 08:24:02 +08:00
ptr = lutil_strcopy( ptr, "none" );
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
Add "disclose" and "manage" ACL levels (but no meat). Disclose permission intended to be used for "disclose on error" (as in our present "none"), none being "don't disclose on error". Manage permission is intended to be used to allow DSA IT management (e.g., changing entryCSNs, structuralObjectClass, etc.).
2005-01-08 13:26:18 +08:00
} else if ( ACL_LVL_IS_DISCLOSE(mask) ) {
ptr = lutil_strcopy( ptr, "disclose" );
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
} else if ( ACL_LVL_IS_AUTH(mask) ) {
Moved slap_strcopy, slap_strncopy to lutil_strcopy, lutil_strncopy
2002-07-27 08:24:02 +08:00
ptr = lutil_strcopy( ptr, "auth" );
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
} else if ( ACL_LVL_IS_COMPARE(mask) ) {
Moved slap_strcopy, slap_strncopy to lutil_strcopy, lutil_strncopy
2002-07-27 08:24:02 +08:00
ptr = lutil_strcopy( ptr, "compare" );
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
} else if ( ACL_LVL_IS_SEARCH(mask) ) {
Moved slap_strcopy, slap_strncopy to lutil_strcopy, lutil_strncopy
2002-07-27 08:24:02 +08:00
ptr = lutil_strcopy( ptr, "search" );
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
} else if ( ACL_LVL_IS_READ(mask) ) {
Moved slap_strcopy, slap_strncopy to lutil_strcopy, lutil_strncopy
2002-07-27 08:24:02 +08:00
ptr = lutil_strcopy( ptr, "read" );
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
} else if ( ACL_LVL_IS_WRITE(mask) ) {
Moved slap_strcopy, slap_strncopy to lutil_strcopy, lutil_strncopy
2002-07-27 08:24:02 +08:00
ptr = lutil_strcopy( ptr, "write" );
Add "disclose" and "manage" ACL levels (but no meat). Disclose permission intended to be used for "disclose on error" (as in our present "none"), none being "don't disclose on error". Manage permission is intended to be used to allow DSA IT management (e.g., changing entryCSNs, structuralObjectClass, etc.).
2005-01-08 13:26:18 +08:00
implement add/delete granularity in write access (ITS#3631)
2005-04-08 08:18:24 +08:00
} else if ( ACL_LVL_IS_WADD(mask) ) {
ptr = lutil_strcopy( ptr, "add" );
} else if ( ACL_LVL_IS_WDEL(mask) ) {
ptr = lutil_strcopy( ptr, "delete" );
Add "disclose" and "manage" ACL levels (but no meat). Disclose permission intended to be used for "disclose on error" (as in our present "none"), none being "don't disclose on error". Manage permission is intended to be used to allow DSA IT management (e.g., changing entryCSNs, structuralObjectClass, etc.).
2005-01-08 13:26:18 +08:00
} else if ( ACL_LVL_IS_MANAGE(mask) ) {
ptr = lutil_strcopy( ptr, "manage" );
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
} else {
Moved slap_strcopy, slap_strncopy to lutil_strcopy, lutil_strncopy
2002-07-27 08:24:02 +08:00
ptr = lutil_strcopy( ptr, "unknown" );
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
}
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
if ( !debug ) {
*ptr = '\0';
return buf;
}
Replace strcat with slap_strcopy
2001-12-27 00:25:18 +08:00
*ptr++ = '(';
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
}
if( ACL_IS_ADDITIVE( mask ) ) {
Replace strcat with slap_strcopy
2001-12-27 00:25:18 +08:00
*ptr++ = '+';
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
} else if( ACL_IS_SUBTRACTIVE( mask ) ) {
Replace strcat with slap_strcopy
2001-12-27 00:25:18 +08:00
*ptr++ = '-';
Import experimental referral implementation from OPENLDAP_DEVEL_REFERRALS. Includes support for update referral for each replicated backend. Reworked replication test to use update referral. Includes major rewrite of response encoding codes (result.c). Includes reworked alias support and eliminates old suffix alias codes (can be emulated using named alias). Includes (untested) support for the Manage DSA IT control. Works in LDAPv2 world. Still testing in LDAPv3 world. Added default referral (test009) test.
1999-07-16 10:45:46 +08:00
Initial revision
1998-08-09 08:43:13 +08:00
} else {
Replace strcat with slap_strcopy
2001-12-27 00:25:18 +08:00
*ptr++ = '=';
Initial revision
1998-08-09 08:43:13 +08:00
}
Add "disclose" and "manage" ACL levels (but no meat). Disclose permission intended to be used for "disclose on error" (as in our present "none"), none being "don't disclose on error". Manage permission is intended to be used to allow DSA IT management (e.g., changing entryCSNs, structuralObjectClass, etc.).
2005-01-08 13:26:18 +08:00
if ( ACL_PRIV_ISSET(mask, ACL_PRIV_MANAGE) ) {
none = 0;
*ptr++ = 'm';
}
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WRITE) ) {
none = 0;
Replace strcat with slap_strcopy
2001-12-27 00:25:18 +08:00
*ptr++ = 'w';
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
fix access unparse (ITS#3631)
2005-04-13 07:10:48 +08:00
} else if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WADD) ) {
implement add/delete granularity in write access (ITS#3631)
2005-04-08 08:18:24 +08:00
none = 0;
*ptr++ = 'a';
fix access unparse (ITS#3631)
2005-04-13 07:10:48 +08:00
} else if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WDEL) ) {
implement add/delete granularity in write access (ITS#3631)
2005-04-08 08:18:24 +08:00
none = 0;
*ptr++ = 'z';
}
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
if ( ACL_PRIV_ISSET(mask, ACL_PRIV_READ) ) {
none = 0;
Replace strcat with slap_strcopy
2001-12-27 00:25:18 +08:00
*ptr++ = 'r';
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
}
if ( ACL_PRIV_ISSET(mask, ACL_PRIV_SEARCH) ) {
none = 0;
Replace strcat with slap_strcopy
2001-12-27 00:25:18 +08:00
*ptr++ = 's';
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
}
if ( ACL_PRIV_ISSET(mask, ACL_PRIV_COMPARE) ) {
none = 0;
Replace strcat with slap_strcopy
2001-12-27 00:25:18 +08:00
*ptr++ = 'c';
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
}
if ( ACL_PRIV_ISSET(mask, ACL_PRIV_AUTH) ) {
none = 0;
Replace strcat with slap_strcopy
2001-12-27 00:25:18 +08:00
*ptr++ = 'x';
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
}
Add "disclose" and "manage" ACL levels (but no meat). Disclose permission intended to be used for "disclose on error" (as in our present "none"), none being "don't disclose on error". Manage permission is intended to be used to allow DSA IT management (e.g., changing entryCSNs, structuralObjectClass, etc.).
2005-01-08 13:26:18 +08:00
if ( ACL_PRIV_ISSET(mask, ACL_PRIV_DISCLOSE) ) {
none = 0;
*ptr++ = 'd';
}
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
if ( none && ACL_PRIV_ISSET(mask, ACL_PRIV_NONE) ) {
More acl parsing fixes... and print fixes.
1999-10-22 02:44:26 +08:00
none = 0;
implement add/delete granularity in write access (ITS#3631)
2005-04-08 08:18:24 +08:00
*ptr++ = '0';
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
}
More acl parsing fixes... and print fixes.
1999-10-22 02:44:26 +08:00
if ( none ) {
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
ptr = buf;
More acl parsing fixes... and print fixes.
1999-10-22 02:44:26 +08:00
}
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
if ( ACL_IS_LEVEL( mask ) ) {
cleanup
2001-12-29 18:30:23 +08:00
*ptr++ = ')';
}
*ptr = '\0';
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
return buf;
Initial revision
1998-08-09 08:43:13 +08:00
}
Minor typedef and other clean ups
2000-08-26 09:14:05 +08:00
slap_mask_t
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
str2accessmask( const char *str )
Initial revision
1998-08-09 08:43:13 +08:00
{
Minor typedef and other clean ups
2000-08-26 09:14:05 +08:00
slap_mask_t mask;
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
Use ASCII_*() macros and friends. Should be combined with similiar LDAP_*() macros in ldap_pvt.h.
2000-06-21 01:05:15 +08:00
if( !ASCII_ALPHA(str[0]) ) {
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
int i;
if ( str[0] == '=' ) {
ACL_INIT(mask);
} else if( str[0] == '+' ) {
ACL_PRIV_ASSIGN(mask, ACL_PRIV_ADDITIVE);
} else if( str[0] == '-' ) {
ACL_PRIV_ASSIGN(mask, ACL_PRIV_SUBSTRACTIVE);
Initial revision
1998-08-09 08:43:13 +08:00
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
} else {
ACL_INVALIDATE(mask);
return mask;
}
for( i=1; str[i] != '\0'; i++ ) {
Add "disclose" and "manage" ACL levels (but no meat). Disclose permission intended to be used for "disclose on error" (as in our present "none"), none being "don't disclose on error". Manage permission is intended to be used to allow DSA IT management (e.g., changing entryCSNs, structuralObjectClass, etc.).
2005-01-08 13:26:18 +08:00
if( TOLOWER((unsigned char) str[i]) == 'm' ) {
ACL_PRIV_SET(mask, ACL_PRIV_MANAGE);
} else if( TOLOWER((unsigned char) str[i]) == 'w' ) {
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
ACL_PRIV_SET(mask, ACL_PRIV_WRITE);
implement add/delete granularity in write access (ITS#3631)
2005-04-08 08:18:24 +08:00
} else if( TOLOWER((unsigned char) str[i]) == 'a' ) {
ACL_PRIV_SET(mask, ACL_PRIV_WADD);
} else if( TOLOWER((unsigned char) str[i]) == 'z' ) {
ACL_PRIV_SET(mask, ACL_PRIV_WDEL);
Re: Patch: ctype functions require 'unsigned char' args (ITS#1678) ================ Written by Hallvard B. Furuseth and placed into the public domain. This software is not subject to any license of the University of Oslo. ================ Here are fixes for more places where the argument to ctype.h functions should be in the range of `unsigned char'. Explanation of the last patch (to schema_init.c:bvcasechr()): TOLOWER() and TOUPPER() return values in the range of `unsigned char', but bvcasechr() then compares those values with a plain `char'. So I convert the return values from TOLOWER()/TOUPPER() to `char' first. Hallvard B. Furuseth <h.b.furuseth@usit.uio.no>, April 2002.
2002-04-16 04:42:42 +08:00
} else if( TOLOWER((unsigned char) str[i]) == 'r' ) {
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
ACL_PRIV_SET(mask, ACL_PRIV_READ);
Re: Patch: ctype functions require 'unsigned char' args (ITS#1678) ================ Written by Hallvard B. Furuseth and placed into the public domain. This software is not subject to any license of the University of Oslo. ================ Here are fixes for more places where the argument to ctype.h functions should be in the range of `unsigned char'. Explanation of the last patch (to schema_init.c:bvcasechr()): TOLOWER() and TOUPPER() return values in the range of `unsigned char', but bvcasechr() then compares those values with a plain `char'. So I convert the return values from TOLOWER()/TOUPPER() to `char' first. Hallvard B. Furuseth <h.b.furuseth@usit.uio.no>, April 2002.
2002-04-16 04:42:42 +08:00
} else if( TOLOWER((unsigned char) str[i]) == 's' ) {
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
ACL_PRIV_SET(mask, ACL_PRIV_SEARCH);
Re: Patch: ctype functions require 'unsigned char' args (ITS#1678) ================ Written by Hallvard B. Furuseth and placed into the public domain. This software is not subject to any license of the University of Oslo. ================ Here are fixes for more places where the argument to ctype.h functions should be in the range of `unsigned char'. Explanation of the last patch (to schema_init.c:bvcasechr()): TOLOWER() and TOUPPER() return values in the range of `unsigned char', but bvcasechr() then compares those values with a plain `char'. So I convert the return values from TOLOWER()/TOUPPER() to `char' first. Hallvard B. Furuseth <h.b.furuseth@usit.uio.no>, April 2002.
2002-04-16 04:42:42 +08:00
} else if( TOLOWER((unsigned char) str[i]) == 'c' ) {
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
ACL_PRIV_SET(mask, ACL_PRIV_COMPARE);
Re: Patch: ctype functions require 'unsigned char' args (ITS#1678) ================ Written by Hallvard B. Furuseth and placed into the public domain. This software is not subject to any license of the University of Oslo. ================ Here are fixes for more places where the argument to ctype.h functions should be in the range of `unsigned char'. Explanation of the last patch (to schema_init.c:bvcasechr()): TOLOWER() and TOUPPER() return values in the range of `unsigned char', but bvcasechr() then compares those values with a plain `char'. So I convert the return values from TOLOWER()/TOUPPER() to `char' first. Hallvard B. Furuseth <h.b.furuseth@usit.uio.no>, April 2002.
2002-04-16 04:42:42 +08:00
} else if( TOLOWER((unsigned char) str[i]) == 'x' ) {
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
ACL_PRIV_SET(mask, ACL_PRIV_AUTH);
Add "disclose" and "manage" ACL levels (but no meat). Disclose permission intended to be used for "disclose on error" (as in our present "none"), none being "don't disclose on error". Manage permission is intended to be used to allow DSA IT management (e.g., changing entryCSNs, structuralObjectClass, etc.).
2005-01-08 13:26:18 +08:00
} else if( TOLOWER((unsigned char) str[i]) == 'd' ) {
ACL_PRIV_SET(mask, ACL_PRIV_DISCLOSE);
More acl parsing fixes... and print fixes.
1999-10-22 02:44:26 +08:00
} else if( str[i] != '0' ) {
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
ACL_INVALIDATE(mask);
return mask;
}
}
HEADS UP: connections are forced to "anonymous" status upon receiving of a bind request and, upon failure, are left "anonymous." Rework ACL code to hide access testing within macros to facilate additions and eventual redesign. Addition of #ifdef SLAPD_ACLAUTH to conditional include EXPERIMENTAL "auth" access controls. Adds ACL_AUTH "auth" access level (above none, below "compare"). bind requires anonymous access at this level or above access to "entry"/"userPassword"/"krbName". This allows administrators to restrict which entries can be bound to. (This will likely become default behavior after testing has completed).
1999-07-05 02:46:24 +08:00
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
return mask;
Initial revision
1998-08-09 08:43:13 +08:00
}
if ( strcasecmp( str, "none" ) == 0 ) {
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
ACL_LVL_ASSIGN_NONE(mask);
Add "disclose" and "manage" ACL levels (but no meat). Disclose permission intended to be used for "disclose on error" (as in our present "none"), none being "don't disclose on error". Manage permission is intended to be used to allow DSA IT management (e.g., changing entryCSNs, structuralObjectClass, etc.).
2005-01-08 13:26:18 +08:00
} else if ( strcasecmp( str, "disclose" ) == 0 ) {
ACL_LVL_ASSIGN_DISCLOSE(mask);
HEADS UP: connections are forced to "anonymous" status upon receiving of a bind request and, upon failure, are left "anonymous." Rework ACL code to hide access testing within macros to facilate additions and eventual redesign. Addition of #ifdef SLAPD_ACLAUTH to conditional include EXPERIMENTAL "auth" access controls. Adds ACL_AUTH "auth" access level (above none, below "compare"). bind requires anonymous access at this level or above access to "entry"/"userPassword"/"krbName". This allows administrators to restrict which entries can be bound to. (This will likely become default behavior after testing has completed).
1999-07-05 02:46:24 +08:00
} else if ( strcasecmp( str, "auth" ) == 0 ) {
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
ACL_LVL_ASSIGN_AUTH(mask);
Initial revision
1998-08-09 08:43:13 +08:00
} else if ( strcasecmp( str, "compare" ) == 0 ) {
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
ACL_LVL_ASSIGN_COMPARE(mask);
Initial revision
1998-08-09 08:43:13 +08:00
} else if ( strcasecmp( str, "search" ) == 0 ) {
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
ACL_LVL_ASSIGN_SEARCH(mask);
Initial revision
1998-08-09 08:43:13 +08:00
} else if ( strcasecmp( str, "read" ) == 0 ) {
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
ACL_LVL_ASSIGN_READ(mask);
implement add/delete granularity in write access (ITS#3631)
2005-04-08 08:18:24 +08:00
} else if ( strcasecmp( str, "add" ) == 0 ) {
ACL_LVL_ASSIGN_WADD(mask);
} else if ( strcasecmp( str, "delete" ) == 0 ) {
ACL_LVL_ASSIGN_WDEL(mask);
Initial revision
1998-08-09 08:43:13 +08:00
} else if ( strcasecmp( str, "write" ) == 0 ) {
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
ACL_LVL_ASSIGN_WRITE(mask);
Add "disclose" and "manage" ACL levels (but no meat). Disclose permission intended to be used for "disclose on error" (as in our present "none"), none being "don't disclose on error". Manage permission is intended to be used to allow DSA IT management (e.g., changing entryCSNs, structuralObjectClass, etc.).
2005-01-08 13:26:18 +08:00
} else if ( strcasecmp( str, "manage" ) == 0 ) {
ACL_LVL_ASSIGN_MANAGE(mask);
Initial revision
1998-08-09 08:43:13 +08:00
} else {
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
ACL_INVALIDATE( mask );
Initial revision
1998-08-09 08:43:13 +08:00
}
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
return mask;
Initial revision
1998-08-09 08:43:13 +08:00
}
static void
Protoized, moved extern definitions to .h files, fixed related bugs. Most function and variable definitions are now preceded by its extern definition, for error checking. Retyped a number of functions, usually to return void. Fixed a number of printf format errors. API changes (in ldap/include): Added avl_dup_ok, avl_prefixapply, removed ber_fatten (probably typo for ber_flatten), retyped ldap_sort_strcasecmp, grew lutil.h. A number of `extern' declarations are left (some added by protoize), to be cleaned away later. Mostly strdup(), strcasecmp(), mktemp(), optind, optarg, errno.
1998-11-16 06:40:11 +08:00
acl_usage( void )
Initial revision
1998-08-09 08:43:13 +08:00
{
Split string literal to keep it below ANSI C's allowed 509-char limit.
2004-07-18 08:47:35 +08:00
fprintf( stderr, "%s%s%s\n",
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
"<access clause> ::= access to <what> "
fixes assertion fault when the <to> clauses's argument does not have a = inside
2001-10-29 16:14:12 +08:00
"[ by <who> <access> [ <control> ] ]+ \n"
Change ACL default style to exact (from regex)
2003-05-30 13:24:39 +08:00
"<what> ::= * | [dn[.<dnstyle>]=<DN>] [filter=<filter>] [attrs=<attrlist>]\n"
fix further ITS#3830 issues; allow to specify a matching rule for non-DN match
2005-07-05 20:00:14 +08:00
"<attrlist> ::= <attr> [val[/matchingRule][.<attrstyle>]=<value>] | <attr> , <attrlist>\n"
Split string literal to keep it below ANSI C's allowed 509-char limit.
2004-07-18 08:47:35 +08:00
"<attr> ::= <attrname> | entry | children\n",
partially revert previous commit (the "creator" special DN pattern is redundant as "dnattr" is more expressive
2004-11-16 06:57:03 +08:00
"<who> ::= [ * | anonymous | users | self | dn[.<dnstyle>]=<DN> ]\n"
update diagnostics and man pages
2005-04-04 20:24:50 +08:00
"\t[ realanonymous | realusers | realself | realdn[.<dnstyle>]=<DN> ]\n"
Update ACL field names and usage statement to match -devel post
1999-07-22 08:50:11 +08:00
"\t[dnattr=<attrname>]\n"
update diagnostics and man pages
2005-04-04 20:24:50 +08:00
"\t[realdnattr=<attrname>]\n"
Change ACL default style to exact (from regex)
2003-05-30 13:24:39 +08:00
"\t[group[/<objectclass>[/<attrname>]][.<style>]=<group>]\n"
Split string literal to keep it below ANSI C's allowed 509-char limit.
2004-07-18 08:47:35 +08:00
"\t[peername[.<peernamestyle>]=<peer>] [sockname[.<style>]=<name>]\n"
apply advanced peername ACL (ITS#2907)
2004-03-09 02:49:12 +08:00
"\t[domain[.<domainstyle>]=<domain>] [sockurl[.<style>]=<url>]\n"
ACIs from Mark Valence <kurash@sassafras.com> (ITS#261)
1999-08-21 06:42:04 +08:00
#ifdef SLAPD_ACI_ENABLED
update diagnostics and man pages
2005-04-04 20:24:50 +08:00
"\t[aci=[<attrname>]]\n"
ACIs from Mark Valence <kurash@sassafras.com> (ITS#261)
1999-08-21 06:42:04 +08:00
#endif
update diagnostics and man pages
2005-04-04 20:24:50 +08:00
#ifdef SLAP_DYNACL
"\t[dynacl/<name>[.<dynstyle>][=<pattern>]]\n"
#endif /* SLAP_DYNACL */
Split string literal to keep it below ANSI C's allowed 509-char limit.
2004-07-18 08:47:35 +08:00
"\t[ssf=<n>] [transport_ssf=<n>] [tls_ssf=<n>] [sasl_ssf=<n>]\n",
cosmetic changes
2005-01-12 22:25:08 +08:00
"<style> ::= exact | regex | base(Object)\n"
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
"<dnstyle> ::= base(Object) | one(level) | sub(tree) | children | "
"exact | regex\n"
cosmetic changes
2005-01-12 22:25:08 +08:00
"<attrstyle> ::= exact | regex | base(Object) | one(level) | "
"sub(tree) | children\n"
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
"<peernamestyle> ::= exact | regex | ip | path\n"
"<domainstyle> ::= exact | regex | base(Object) | sub(tree)\n"
update diagnostics and man pages
2005-04-04 20:24:50 +08:00
"<access> ::= [[real]self]{<level>|<priv>}\n"
implement add/delete granularity in write access (ITS#3631)
2005-04-08 08:18:24 +08:00
"<level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage\n"
"<priv> ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+\n"
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
"<control> ::= [ stop | continue | break ]\n"
Change ACL default style to exact (from regex)
2003-05-30 13:24:39 +08:00
);
s/exit(1)/exit(EXIT_FAILURE)/ s/exit(0)/exit(EXIT_SUCCESS)/ add <ac/stdlib.h> where needed and other minor header adjustments
1999-08-04 02:14:24 +08:00
exit( EXIT_FAILURE );
Initial revision
1998-08-09 08:43:13 +08:00
}
trims space after comma in dn.regex acls (prelude to normalization)
2001-11-12 19:29:40 +08:00
/*
Patch: aclparse.c bugs (ITS#1752) ================ Written by Hallvard B. Furuseth and placed into the public domain. This software is not subject to any license of the University of Oslo. ================ Bug fixes: - acl_regex_normalized_dn(pattern): * used pattern->bv_len even though it claimed not to, * would walk past the end of strings that ended (incorrectly) with a single '\'. - style=regex checked for "^.*$$" twice but not for "^.*$". - the code did not notice if dnNormalize2() failed, and would (at least in one case) treat a bad DN as '*'. Some cleanup: - changed regtest() to return void, since the return value was unused. - changed acl_regex_normalized_dn() to take a string input argument instead of a half-filled berval, it looks saner that way. Hallvard B. Furuseth <h.b.furuseth@usit.uio.no>, April 2002.
2002-04-16 04:44:05 +08:00
* Set pattern to a "normalized" DN from src.
trims space after comma in dn.regex acls (prelude to normalization)
2001-11-12 19:29:40 +08:00
* At present it simply eats the (optional) space after
* a RDN separator (,)
* Eventually will evolve in a more complete normalization
*/
More struct berval changes, dnNormalize migration...
2001-12-26 12:17:49 +08:00
static void
trims space after comma in dn.regex acls (prelude to normalization)
2001-11-12 19:29:40 +08:00
acl_regex_normalized_dn(
Patch: aclparse.c bugs (ITS#1752) ================ Written by Hallvard B. Furuseth and placed into the public domain. This software is not subject to any license of the University of Oslo. ================ Bug fixes: - acl_regex_normalized_dn(pattern): * used pattern->bv_len even though it claimed not to, * would walk past the end of strings that ended (incorrectly) with a single '\'. - style=regex checked for "^.*$$" twice but not for "^.*$". - the code did not notice if dnNormalize2() failed, and would (at least in one case) treat a bad DN as '*'. Some cleanup: - changed regtest() to return void, since the return value was unused. - changed acl_regex_normalized_dn() to take a string input argument instead of a half-filled berval, it looks saner that way. Hallvard B. Furuseth <h.b.furuseth@usit.uio.no>, April 2002.
2002-04-16 04:44:05 +08:00
const char *src,
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
struct berval *pattern )
trims space after comma in dn.regex acls (prelude to normalization)
2001-11-12 19:29:40 +08:00
{
char *str, *p;
Patch: aclparse.c bugs (ITS#1752) ================ Written by Hallvard B. Furuseth and placed into the public domain. This software is not subject to any license of the University of Oslo. ================ Bug fixes: - acl_regex_normalized_dn(pattern): * used pattern->bv_len even though it claimed not to, * would walk past the end of strings that ended (incorrectly) with a single '\'. - style=regex checked for "^.*$$" twice but not for "^.*$". - the code did not notice if dnNormalize2() failed, and would (at least in one case) treat a bad DN as '*'. Some cleanup: - changed regtest() to return void, since the return value was unused. - changed acl_regex_normalized_dn() to take a string input argument instead of a half-filled berval, it looks saner that way. Hallvard B. Furuseth <h.b.furuseth@usit.uio.no>, April 2002.
2002-04-16 04:44:05 +08:00
ber_len_t len;
trims space after comma in dn.regex acls (prelude to normalization)
2001-11-12 19:29:40 +08:00
Patch: aclparse.c bugs (ITS#1752) ================ Written by Hallvard B. Furuseth and placed into the public domain. This software is not subject to any license of the University of Oslo. ================ Bug fixes: - acl_regex_normalized_dn(pattern): * used pattern->bv_len even though it claimed not to, * would walk past the end of strings that ended (incorrectly) with a single '\'. - style=regex checked for "^.*$$" twice but not for "^.*$". - the code did not notice if dnNormalize2() failed, and would (at least in one case) treat a bad DN as '*'. Some cleanup: - changed regtest() to return void, since the return value was unused. - changed acl_regex_normalized_dn() to take a string input argument instead of a half-filled berval, it looks saner that way. Hallvard B. Furuseth <h.b.furuseth@usit.uio.no>, April 2002.
2002-04-16 04:44:05 +08:00
str = ch_strdup( src );
len = strlen( src );
trims space after comma in dn.regex acls (prelude to normalization)
2001-11-12 19:29:40 +08:00
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
for ( p = str; p && p[0]; p++ ) {
trims space after comma in dn.regex acls (prelude to normalization)
2001-11-12 19:29:40 +08:00
/* escape */
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
if ( p[0] == '\\' && p[1] ) {
a couple of comments; will require special DN handling ...
2001-12-29 02:18:16 +08:00
/*
* if escaping a hex pair we should
* increment p twice; however, in that
* case the second hex number does
* no harm
*/
trims space after comma in dn.regex acls (prelude to normalization)
2001-11-12 19:29:40 +08:00
p++;
}
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
if ( p[0] == ',' && p[1] == ' ' ) {
char *q;
trims space after comma in dn.regex acls (prelude to normalization)
2001-11-12 19:29:40 +08:00
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
/*
* too much space should be an error if we are pedantic
*/
for ( q = &p[2]; q[0] == ' '; q++ ) {
/* DO NOTHING */ ;
trims space after comma in dn.regex acls (prelude to normalization)
2001-11-12 19:29:40 +08:00
}
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
AC_MEMCPY( p+1, q, len-(q-str)+1);
trims space after comma in dn.regex acls (prelude to normalization)
2001-11-12 19:29:40 +08:00
}
}
More struct berval changes, dnNormalize migration...
2001-12-26 12:17:49 +08:00
pattern->bv_val = str;
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
pattern->bv_len = p - str;
trims space after comma in dn.regex acls (prelude to normalization)
2001-11-12 19:29:40 +08:00
More struct berval changes, dnNormalize migration...
2001-12-26 12:17:49 +08:00
return;
trims space after comma in dn.regex acls (prelude to normalization)
2001-11-12 19:29:40 +08:00
}
Initial revision
1998-08-09 08:43:13 +08:00
static void
split(
char *line,
int splitchar,
char **left,
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
char **right )
Initial revision
1998-08-09 08:43:13 +08:00
{
*left = line;
if ( (*right = strchr( line, splitchar )) != NULL ) {
*((*right)++) = '\0';
}
}
static void
Namespace changes added slap_ and ldbm_ to many structures added typedefs to many structures used typedefs New main.c argument parsing with ldap url support (replacing -a address). New sockaddr_in handling and support for multiple listeners.
1999-07-20 03:40:33 +08:00
access_append( Access **l, Access *a )
Initial revision
1998-08-09 08:43:13 +08:00
{
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
for ( ; *l != NULL; l = &(*l)->a_next ) {
; /* Empty */
}
Initial revision
1998-08-09 08:43:13 +08:00
*l = a;
}
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
void
More modify support. ACL editing works.
2005-04-20 00:39:48 +08:00
acl_append( AccessControl **l, AccessControl *a, int pos )
Initial revision
1998-08-09 08:43:13 +08:00
{
More modify support. ACL editing works.
2005-04-20 00:39:48 +08:00
int i;
for (i=0 ; i != pos && *l != NULL; l = &(*l)->acl_next, i++ ) {
add baseObject as alias for base. cleanup
2004-06-28 14:42:00 +08:00
; /* Empty */
}
More modify support. ACL editing works.
2005-04-20 00:39:48 +08:00
if ( *l && a )
a->acl_next = *l;
Initial revision
1998-08-09 08:43:13 +08:00
*l = a;
}
Added acl_destroy, acl_free.
2001-12-15 20:41:53 +08:00
static void
access_free( Access *a )
{
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( !BER_BVISNULL( &a->a_dn_pat ) ) {
free( a->a_dn_pat.bv_val );
}
implement "realdn" by clause in ACLs (ITS#3627; accounting for Howard's remarks)
2005-04-03 09:59:03 +08:00
if ( !BER_BVISNULL( &a->a_realdn_pat ) ) {
free( a->a_realdn_pat.bv_val );
}
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( !BER_BVISNULL( &a->a_peername_pat ) ) {
free( a->a_peername_pat.bv_val );
}
if ( !BER_BVISNULL( &a->a_sockname_pat ) ) {
free( a->a_sockname_pat.bv_val );
}
if ( !BER_BVISNULL( &a->a_domain_pat ) ) {
free( a->a_domain_pat.bv_val );
}
if ( !BER_BVISNULL( &a->a_sockurl_pat ) ) {
free( a->a_sockurl_pat.bv_val );
}
if ( !BER_BVISNULL( &a->a_set_pat ) ) {
free( a->a_set_pat.bv_val );
}
if ( !BER_BVISNULL( &a->a_group_pat ) ) {
free( a->a_group_pat.bv_val );
}
Added acl_destroy, acl_free.
2001-12-15 20:41:53 +08:00
free( a );
}
void
acl_free( AccessControl *a )
{
Access *n;
Changed search attrs from struct berval ** to AttributeName *
2001-12-31 19:35:52 +08:00
AttributeName *an;
Added acl_destroy, acl_free.
2001-12-15 20:41:53 +08:00
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( a->acl_filter ) {
filter_free( a->acl_filter );
}
if ( !BER_BVISNULL( &a->acl_dn_pat ) ) {
free ( a->acl_dn_pat.bv_val );
}
Changed AttributeName back into an array instead of a linked list. Fixed bug in do_search eating up controls.
2002-01-03 13:38:26 +08:00
if ( a->acl_attrs ) {
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
for ( an = a->acl_attrs; !BER_BVISNULL( &an->an_name ); an++ ) {
Changed AttributeName back into an array instead of a linked list. Fixed bug in do_search eating up controls.
2002-01-03 13:38:26 +08:00
free( an->an_name.bv_val );
}
Changed search attrs from struct berval ** to AttributeName *
2001-12-31 19:35:52 +08:00
free( a->acl_attrs );
}
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
for ( ; a->acl_access; a->acl_access = n ) {
Added acl_destroy, acl_free.
2001-12-15 20:41:53 +08:00
n = a->acl_access->a_next;
access_free( a->acl_access );
}
free( a );
}
/* Because backend_startup uses acl_append to tack on the global_acl to
* the end of each backend's acl, we cannot just take one argument and
* merrily free our way to the end of the list. backend_destroy calls us
* with the be_acl in arg1, and global_acl in arg2 to give us a stopping
* point. config_destroy calls us with global_acl in arg1 and NULL in
* arg2, so we then proceed to polish off the global_acl.
*/
void
acl_destroy( AccessControl *a, AccessControl *end )
{
AccessControl *n;
for (; a && a!= end; a=n) {
n = a->acl_next;
acl_free( a );
}
}
Move str2access and access2str outside #ifdef LDAP_DEBUG clause
1999-11-11 04:28:42 +08:00
char *
access2str( slap_access_t access )
{
if ( access == ACL_NONE ) {
return "none";
Add "disclose" and "manage" ACL levels (but no meat). Disclose permission intended to be used for "disclose on error" (as in our present "none"), none being "don't disclose on error". Manage permission is intended to be used to allow DSA IT management (e.g., changing entryCSNs, structuralObjectClass, etc.).
2005-01-08 13:26:18 +08:00
} else if ( access == ACL_DISCLOSE ) {
return "disclose";
Move str2access and access2str outside #ifdef LDAP_DEBUG clause
1999-11-11 04:28:42 +08:00
} else if ( access == ACL_AUTH ) {
return "auth";
} else if ( access == ACL_COMPARE ) {
return "compare";
} else if ( access == ACL_SEARCH ) {
return "search";
} else if ( access == ACL_READ ) {
return "read";
} else if ( access == ACL_WRITE ) {
return "write";
Add "disclose" and "manage" ACL levels (but no meat). Disclose permission intended to be used for "disclose on error" (as in our present "none"), none being "don't disclose on error". Manage permission is intended to be used to allow DSA IT management (e.g., changing entryCSNs, structuralObjectClass, etc.).
2005-01-08 13:26:18 +08:00
implement add/delete granularity in write access (ITS#3631)
2005-04-08 08:18:24 +08:00
} else if ( access == ACL_WADD ) {
return "add";
} else if ( access == ACL_WDEL ) {
return "delete";
Add "disclose" and "manage" ACL levels (but no meat). Disclose permission intended to be used for "disclose on error" (as in our present "none"), none being "don't disclose on error". Manage permission is intended to be used to allow DSA IT management (e.g., changing entryCSNs, structuralObjectClass, etc.).
2005-01-08 13:26:18 +08:00
} else if ( access == ACL_MANAGE ) {
return "manage";
Move str2access and access2str outside #ifdef LDAP_DEBUG clause
1999-11-11 04:28:42 +08:00
}
return "unknown";
}
slap_access_t
str2access( const char *str )
{
if ( strcasecmp( str, "none" ) == 0 ) {
return ACL_NONE;
Add "disclose" and "manage" ACL levels (but no meat). Disclose permission intended to be used for "disclose on error" (as in our present "none"), none being "don't disclose on error". Manage permission is intended to be used to allow DSA IT management (e.g., changing entryCSNs, structuralObjectClass, etc.).
2005-01-08 13:26:18 +08:00
} else if ( strcasecmp( str, "disclose" ) == 0 ) {
protect all occurrences of ACL_DISCLOSE
2005-04-10 01:00:40 +08:00
#ifndef SLAP_ACL_HONOR_DISCLOSE
fprintf( stderr, "str2access: warning, "
"\"disclose\" privilege disabled.\n" );
#endif /* SLAP_ACL_HONOR_DISCLOSE */
Add "disclose" and "manage" ACL levels (but no meat). Disclose permission intended to be used for "disclose on error" (as in our present "none"), none being "don't disclose on error". Manage permission is intended to be used to allow DSA IT management (e.g., changing entryCSNs, structuralObjectClass, etc.).
2005-01-08 13:26:18 +08:00
return ACL_DISCLOSE;
Move str2access and access2str outside #ifdef LDAP_DEBUG clause
1999-11-11 04:28:42 +08:00
} else if ( strcasecmp( str, "auth" ) == 0 ) {
return ACL_AUTH;
} else if ( strcasecmp( str, "compare" ) == 0 ) {
return ACL_COMPARE;
} else if ( strcasecmp( str, "search" ) == 0 ) {
return ACL_SEARCH;
} else if ( strcasecmp( str, "read" ) == 0 ) {
return ACL_READ;
} else if ( strcasecmp( str, "write" ) == 0 ) {
return ACL_WRITE;
Add "disclose" and "manage" ACL levels (but no meat). Disclose permission intended to be used for "disclose on error" (as in our present "none"), none being "don't disclose on error". Manage permission is intended to be used to allow DSA IT management (e.g., changing entryCSNs, structuralObjectClass, etc.).
2005-01-08 13:26:18 +08:00
implement add/delete granularity in write access (ITS#3631)
2005-04-08 08:18:24 +08:00
} else if ( strcasecmp( str, "add" ) == 0 ) {
return ACL_WADD;
} else if ( strcasecmp( str, "delete" ) == 0 ) {
return ACL_WDEL;
Add "disclose" and "manage" ACL levels (but no meat). Disclose permission intended to be used for "disclose on error" (as in our present "none"), none being "don't disclose on error". Manage permission is intended to be used to allow DSA IT management (e.g., changing entryCSNs, structuralObjectClass, etc.).
2005-01-08 13:26:18 +08:00
} else if ( strcasecmp( str, "manage" ) == 0 ) {
return ACL_MANAGE;
Move str2access and access2str outside #ifdef LDAP_DEBUG clause
1999-11-11 04:28:42 +08:00
}
return( ACL_INVALID_ACCESS );
}
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
#define ACLBUF_MAXLEN 8192
Initial revision
1998-08-09 08:43:13 +08:00
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
static char aclbuf[ACLBUF_MAXLEN];
implement "realdn" by clause in ACLs (ITS#3627; accounting for Howard's remarks)
2005-04-03 09:59:03 +08:00
static char *
dnaccess2text( slap_dn_access *bdn, char *ptr, int is_realdn )
{
*ptr++ = ' ';
if ( is_realdn ) {
ptr = lutil_strcopy( ptr, "real" );
}
if ( ber_bvccmp( &bdn->a_pat, '*' ) ||
bdn->a_style == ACL_STYLE_ANONYMOUS ||
bdn->a_style == ACL_STYLE_USERS ||
bdn->a_style == ACL_STYLE_SELF )
{
if ( is_realdn ) {
assert( ! ber_bvccmp( &bdn->a_pat, '*' ) );
}
ptr = lutil_strcopy( ptr, bdn->a_pat.bv_val );
if ( bdn->a_style == ACL_STYLE_SELF && bdn->a_self_level != 0 ) {
int n = sprintf( ptr, ".level{%d}", bdn->a_self_level );
if ( n > 0 ) {
ptr += n;
} /* else ? */
}
} else {
ptr = lutil_strcopy( ptr, "dn." );
More value ACL style tweaks
2005-05-10 08:51:28 +08:00
if ( bdn->a_style == ACL_STYLE_BASE )
ptr = lutil_strcopy( ptr, style_base );
else
ptr = lutil_strcopy( ptr, style_strings[bdn->a_style] );
implement "realdn" by clause in ACLs (ITS#3627; accounting for Howard's remarks)
2005-04-03 09:59:03 +08:00
if ( bdn->a_style == ACL_STYLE_LEVEL ) {
int n = sprintf( ptr, "{%d}", bdn->a_level );
if ( n > 0 ) {
ptr += n;
} /* else ? */
}
if ( bdn->a_expand ) {
ptr = lutil_strcopy( ptr, ",expand" );
}
*ptr++ = '=';
*ptr++ = '"';
ptr = lutil_strcopy( ptr, bdn->a_pat.bv_val );
*ptr++ = '"';
}
return ptr;
}
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
static char *
access2text( Access *b, char *ptr )
Initial revision
1998-08-09 08:43:13 +08:00
{
Make accessmask2str reentrant.
1999-10-22 07:19:22 +08:00
char maskbuf[ACCESSMASK_MAXLEN];
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
ptr = lutil_strcopy( ptr, "\tby" );
printf("\tby") belongs on stderr.
1998-12-05 03:29:17 +08:00
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( !BER_BVISEMPTY( &b->a_dn_pat ) ) {
implement "realdn" by clause in ACLs (ITS#3627; accounting for Howard's remarks)
2005-04-03 09:59:03 +08:00
ptr = dnaccess2text( &b->a_dn, ptr, 0 );
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
}
Fix dnattr unparsing
2005-04-21 15:15:02 +08:00
if ( b->a_dn_at ) {
ptr = lutil_strcopy( ptr, " dnattr=" );
ptr = lutil_strcopy( ptr, b->a_dn_at->ad_cname.bv_val );
}
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
implement "realdn" by clause in ACLs (ITS#3627; accounting for Howard's remarks)
2005-04-03 09:59:03 +08:00
if ( !BER_BVISEMPTY( &b->a_realdn_pat ) ) {
ptr = dnaccess2text( &b->a_realdn, ptr, 1 );
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
}
Fix dnattr unparsing
2005-04-21 15:15:02 +08:00
if ( b->a_realdn_at ) {
ptr = lutil_strcopy( ptr, " realdnattr=" );
ptr = lutil_strcopy( ptr, b->a_realdn_at->ad_cname.bv_val );
}
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( !BER_BVISEMPTY( &b->a_group_pat ) ) {
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
ptr = lutil_strcopy( ptr, " group/" );
ptr = lutil_strcopy( ptr, b->a_group_oc ?
b->a_group_oc->soc_cname.bv_val : "groupOfNames" );
*ptr++ = '/';
ptr = lutil_strcopy( ptr, b->a_group_at ?
b->a_group_at->ad_cname.bv_val : "member" );
*ptr++ = '.';
ptr = lutil_strcopy( ptr, style_strings[b->a_group_style] );
*ptr++ = '=';
*ptr++ = '"';
ptr = lutil_strcopy( ptr, b->a_group_pat.bv_val );
*ptr++ = '"';
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
}
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( !BER_BVISEMPTY( &b->a_peername_pat ) ) {
Fix acl_unparse - add missing style specifiers
2005-05-10 08:32:43 +08:00
ptr = lutil_strcopy( ptr, " peername" );
*ptr++ = '.';
ptr = lutil_strcopy( ptr, style_strings[b->a_peername_style] );
*ptr++ = '=';
*ptr++ = '"';
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
ptr = lutil_strcopy( ptr, b->a_peername_pat.bv_val );
*ptr++ = '"';
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
}
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( !BER_BVISEMPTY( &b->a_sockname_pat ) ) {
Fix acl_unparse - add missing style specifiers
2005-05-10 08:32:43 +08:00
ptr = lutil_strcopy( ptr, " sockname" );
*ptr++ = '.';
ptr = lutil_strcopy( ptr, style_strings[b->a_sockname_style] );
*ptr++ = '=';
*ptr++ = '"';
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
ptr = lutil_strcopy( ptr, b->a_sockname_pat.bv_val );
*ptr++ = '"';
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
}
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( !BER_BVISEMPTY( &b->a_domain_pat ) ) {
Fix acl_unparse - add missing style specifiers
2005-05-10 08:32:43 +08:00
ptr = lutil_strcopy( ptr, " domain" );
*ptr++ = '.';
ptr = lutil_strcopy( ptr, style_strings[b->a_domain_style] );
if ( b->a_domain_expand ) {
ptr = lutil_strcopy( ptr, ",expand" );
}
*ptr++ = '=';
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
ptr = lutil_strcopy( ptr, b->a_domain_pat.bv_val );
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
}
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( !BER_BVISEMPTY( &b->a_sockurl_pat ) ) {
Fix acl_unparse - add missing style specifiers
2005-05-10 08:32:43 +08:00
ptr = lutil_strcopy( ptr, " sockurl" );
*ptr++ = '.';
ptr = lutil_strcopy( ptr, style_strings[b->a_sockurl_style] );
*ptr++ = '=';
*ptr++ = '"';
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
ptr = lutil_strcopy( ptr, b->a_sockurl_pat.bv_val );
*ptr++ = '"';
ACL CHANGES: by <who> <access> changed to by <who>+ <access> (joined with AND) added peername=<regex> sockname=<regex> url=<regex> removed addr=<regex> (use peername instead). replace dn_upcase with str2upper and str2lower. Use where needed.
1999-07-22 04:54:23 +08:00
}
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( !BER_BVISEMPTY( &b->a_set_pat ) ) {
Fix acl_unparse - add missing style specifiers
2005-05-10 08:32:43 +08:00
ptr = lutil_strcopy( ptr, " set" );
*ptr++ = '.';
ptr = lutil_strcopy( ptr, style_strings[b->a_set_style] );
*ptr++ = '=';
*ptr++ = '"';
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
ptr = lutil_strcopy( ptr, b->a_set_pat.bv_val );
*ptr++ = '"';
log set in ACL (ITS#2949)
2004-03-08 19:09:49 +08:00
}
move ACIs under a dynamic infrastructure that allows run-time loadable custom access control logic (needs work)
2004-11-20 09:27:03 +08:00
#ifdef SLAP_DYNACL
if ( b->a_dynacl ) {
slap_dynacl_t *da;
for ( da = b->a_dynacl; da; da = da->da_next ) {
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
if ( da->da_unparse ) {
struct berval bv;
(void)( *da->da_unparse )( da->da_private, &bv );
ptr = lutil_strcopy( ptr, bv.bv_val );
ch_free( bv.bv_val );
move ACIs under a dynamic infrastructure that allows run-time loadable custom access control logic (needs work)
2004-11-20 09:27:03 +08:00
}
}
}
#else /* ! SLAP_DYNACL */
ACIs from Mark Valence <kurash@sassafras.com> (ITS#261)
1999-08-21 06:42:04 +08:00
#ifdef SLAPD_ACI_ENABLED
if ( b->a_aci_at != NULL ) {
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
ptr = lutil_strcopy( ptr, " aci=" );
ptr = lutil_strcopy( ptr, b->a_aci_at->ad_cname.bv_val );
ACIs from Mark Valence <kurash@sassafras.com> (ITS#261)
1999-08-21 06:42:04 +08:00
}
#endif
move ACIs under a dynamic infrastructure that allows run-time loadable custom access control logic (needs work)
2004-11-20 09:27:03 +08:00
#endif /* SLAP_DYNACL */
ACIs from Mark Valence <kurash@sassafras.com> (ITS#261)
1999-08-21 06:42:04 +08:00
restrictops, requires, disallow knobs; ssf acls; and misc other changes man pages to follow...
2000-08-29 02:38:48 +08:00
/* Security Strength Factors */
if ( b->a_authz.sai_ssf ) {
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
ptr += sprintf( ptr, " ssf=%u",
restrictops, requires, disallow knobs; ssf acls; and misc other changes man pages to follow...
2000-08-29 02:38:48 +08:00
b->a_authz.sai_ssf );
}
if ( b->a_authz.sai_transport_ssf ) {
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
ptr += sprintf( ptr, " transport_ssf=%u",
restrictops, requires, disallow knobs; ssf acls; and misc other changes man pages to follow...
2000-08-29 02:38:48 +08:00
b->a_authz.sai_transport_ssf );
}
if ( b->a_authz.sai_tls_ssf ) {
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
ptr += sprintf( ptr, " tls_ssf=%u",
restrictops, requires, disallow knobs; ssf acls; and misc other changes man pages to follow...
2000-08-29 02:38:48 +08:00
b->a_authz.sai_tls_ssf );
}
if ( b->a_authz.sai_sasl_ssf ) {
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
ptr += sprintf( ptr, " sasl_ssf=%u",
restrictops, requires, disallow knobs; ssf acls; and misc other changes man pages to follow...
2000-08-29 02:38:48 +08:00
b->a_authz.sai_sasl_ssf );
}
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
*ptr++ = ' ';
implement "realdn" by clause in ACLs (ITS#3627; accounting for Howard's remarks)
2005-04-03 09:59:03 +08:00
if ( b->a_dn_self ) {
ptr = lutil_strcopy( ptr, "self" );
} else if ( b->a_realdn_self ) {
ptr = lutil_strcopy( ptr, "realself" );
}
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
ptr = lutil_strcopy( ptr, accessmask2str( b->a_access_mask, maskbuf, 0 ));
if ( !maskbuf[0] ) ptr--;
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
More acl parsing fixes... and print fixes.
1999-10-22 02:44:26 +08:00
if( b->a_type == ACL_BREAK ) {
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
ptr = lutil_strcopy( ptr, " break" );
More acl parsing fixes... and print fixes.
1999-10-22 02:44:26 +08:00
} else if( b->a_type == ACL_CONTINUE ) {
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
ptr = lutil_strcopy( ptr, " continue" );
More acl parsing fixes... and print fixes.
1999-10-22 02:44:26 +08:00
} else if( b->a_type != ACL_STOP ) {
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
ptr = lutil_strcopy( ptr, " unknown-control" );
} else {
if ( !maskbuf[0] ) ptr = lutil_strcopy( ptr, " stop" );
More acl parsing fixes... and print fixes.
1999-10-22 02:44:26 +08:00
}
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
*ptr++ = '\n';
More acl parsing fixes... and print fixes.
1999-10-22 02:44:26 +08:00
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
return ptr;
Initial revision
1998-08-09 08:43:13 +08:00
}
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
void
acl_unparse( AccessControl *a, struct berval *bv )
Initial revision
1998-08-09 08:43:13 +08:00
{
cleanup & silence warnings
2005-04-12 05:35:34 +08:00
Access *b;
char *ptr;
int to = 0;
Initial revision
1998-08-09 08:43:13 +08:00
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
bv->bv_val = aclbuf;
bv->bv_len = 0;
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
ptr = bv->bv_val;
Drop "access " from acl_unparse
2005-03-02 07:17:54 +08:00
ptr = lutil_strcopy( ptr, "to" );
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
if ( !BER_BVISNULL( &a->acl_dn_pat ) ) {
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
to++;
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
ptr = lutil_strcopy( ptr, " dn." );
More value ACL style tweaks
2005-05-10 08:51:28 +08:00
if ( a->acl_dn_style == ACL_STYLE_BASE )
ptr = lutil_strcopy( ptr, style_base );
else
ptr = lutil_strcopy( ptr, style_strings[a->acl_dn_style] );
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
*ptr++ = '=';
*ptr++ = '"';
ptr = lutil_strcopy( ptr, a->acl_dn_pat.bv_val );
ptr = lutil_strcopy( ptr, "\"\n" );
Initial revision
1998-08-09 08:43:13 +08:00
}
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
Initial revision
1998-08-09 08:43:13 +08:00
if ( a->acl_filter != NULL ) {
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
struct berval bv = BER_BVNULL;
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
to++;
Deprecate filter_print in favor of filter2bv.
2002-03-11 01:41:14 +08:00
filter2bv( a->acl_filter, &bv );
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
ptr = lutil_strcopy( ptr, " filter=\"" );
ptr = lutil_strcopy( ptr, bv.bv_val );
*ptr++ = '"';
*ptr++ = '\n';
Deprecate filter_print in favor of filter2bv.
2002-03-11 01:41:14 +08:00
ch_free( bv.bv_val );
Initial revision
1998-08-09 08:43:13 +08:00
}
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
Initial revision
1998-08-09 08:43:13 +08:00
if ( a->acl_attrs != NULL ) {
Changed search attrs from struct berval ** to AttributeName *
2001-12-31 19:35:52 +08:00
int first = 1;
AttributeName *an;
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
to++;
Initial revision
1998-08-09 08:43:13 +08:00
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
ptr = lutil_strcopy( ptr, " attrs=" );
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
for ( an = a->acl_attrs; an && !BER_BVISNULL( &an->an_name ); an++ ) {
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
if ( ! first ) *ptr++ = ',';
add to 'val[.<style>=<value>' ACLs special match styles for DN-valued attributes; add negated objectClass to attribute name lists for ACLs and partial replication
2003-12-16 08:49:10 +08:00
if (an->an_oc) {
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
*ptr++ = an->an_oc_exclude ? '!' : '@';
ptr = lutil_strcopy( ptr, an->an_oc->soc_cname.bv_val );
fix ITS#3416
2004-12-03 16:41:06 +08:00
} else {
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
ptr = lutil_strcopy( ptr, an->an_name.bv_val );
add to 'val[.<style>=<value>' ACLs special match styles for DN-valued attributes; add negated objectClass to attribute name lists for ACLs and partial replication
2003-12-16 08:49:10 +08:00
}
Initial revision
1998-08-09 08:43:13 +08:00
first = 0;
}
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
*ptr++ = '\n';
Initial revision
1998-08-09 08:43:13 +08:00
}
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
move special dn patterns to style enum; add creator special dn pattern
2004-11-16 06:15:28 +08:00
if ( !BER_BVISEMPTY( &a->acl_attrval ) ) {
ITS#2497, implement value-level ACLs: access to attr=foo val.regex=bar.*
2003-09-20 11:23:10 +08:00
to++;
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
ptr = lutil_strcopy( ptr, " val." );
More value ACL style tweaks
2005-05-10 08:51:28 +08:00
if ( a->acl_attrval_style == ACL_STYLE_BASE &&
a->acl_attrs[0].an_desc->ad_type->sat_syntax ==
slap_schema.si_syn_distinguishedName )
ptr = lutil_strcopy( ptr, style_base );
else
ptr = lutil_strcopy( ptr, style_strings[a->acl_attrval_style] );
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
*ptr++ = '=';
*ptr++ = '"';
ptr = lutil_strcopy( ptr, a->acl_attrval.bv_val );
*ptr++ = '"';
*ptr++ = '\n';
ITS#2497, implement value-level ACLs: access to attr=foo val.regex=bar.*
2003-09-20 11:23:10 +08:00
}
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
if( !to ) {
ptr = lutil_strcopy( ptr, " *\n" );
}
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
Initial revision
1998-08-09 08:43:13 +08:00
for ( b = a->acl_access; b != NULL; b = b->a_next ) {
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
ptr = access2text( b, ptr );
Initial revision
1998-08-09 08:43:13 +08:00
}
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
*ptr = '\0';
bv->bv_len = ptr - bv->bv_val;
}
#ifdef LDAP_DEBUG
static void
print_acl( Backend *be, AccessControl *a )
{
struct berval bv;
Initial commit of new ACL engine. Engine supports descrete access privs, additive/substractive rules, and rule continuation. Existing rules that use 'defaultaccess none' should be 100% compatible. Rules that rely other defaultaccess settings will require addition of explicit clauses granting the access. Needs additional testing and tuning of logs
1999-10-22 01:53:56 +08:00
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
acl_unparse( a, &bv );
Drop "access " from acl_unparse
2005-03-02 07:17:54 +08:00
fprintf( stderr, "%s ACL: access %s\n",
Added acl_unparse, slap_sasl_getpolicy
2005-02-22 20:02:34 +08:00
be == NULL ? "Global" : "Backend", bv.bv_val );
Initial revision
1998-08-09 08:43:13 +08:00
}
Merged files from branch REGEX_REMOVAL. Despite name, this merge adds POSIX RegEx (and removes BSD re_comp/re_exec) support. * POSIX RegEx is not currently included in the distribution, however we will probably add Henry Spencer's REGEX library soon. * ACL Group functionality is also included in this merge!
1998-08-21 14:33:42 +08:00
#endif /* LDAP_DEBUG */
Reference in New Issue Copy Permalink