allow "expand" style in peername, sockname, sockurl as well; more sanity checks

2025-01-06 10:46:21 +08:00 · 2004-03-09 19:44:14 +00:00 · 2004-03-09 19:44:14 +00:00 · 006745430e
commit 006745430e
parent 042869366d
3 changed files with 107 additions and 15 deletions
--- a/doc/man/man5/slapd.access.5
+++ b/doc/man/man5/slapd.access.5
@ -189,7 +189,7 @@ It can have the forms
 	sockname[.<style>]=<sockname>
 	domain[.<domainstyle>[,<modifier>]]=<domain>
 	sockurl[.<style>]=<sockurl>
-	set[.<style>]=<pattern>
+	set[.<setstyle>]=<pattern>

 	ssf=<n>
 	transport_ssf=<n>
@ -204,9 +204,10 @@ with
 .nf
 	<dnstyle>={{exact|base}|regex|sub(tree)|one(level)|children}
 	<groupstyle>={exact|expand}
-	<style>={exact|regex}
-	<peernamestyle>={exact|regex|ip|path}
+	<style>={exact|regex|expand}
+	<peernamestyle>={<style>|ip|path}
 	<domainstyle>={exact|regex|sub(tree)}
+	<setstyle>={exact|regex}
 	<modifier>={expand}
 .fi
 .LP
@ -331,7 +332,13 @@ The same
 .B style
 rules for pattern match described for the
 .B group
-case apply. 
+case apply, plus the
+.B regex
+style, which implies submatch
+.B expand
+and
+.BR regex (7)
+match of the corresponding connection parameters.
 The
 .B exact
 style of the
@ -395,6 +402,13 @@ pattern, or its trailing part, after a
 exactly matches the 
 .BR domain
 pattern.
+The 
+.B expand
+style is allowed, implying an
+.B exact 
+match with submatch expansion; the use of 
+.B expand 
+as a style modifier is considered more appropriate.
 As an example,
 .B domain.subtree=example.com
 will match www.example.com, but will not match www.anotherexample.com.
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@ -908,6 +908,19 @@ dn_match_cleanup:;
 					{
 						continue;
 					}
+
+				} else if ( b->a_sockurl_style == ACL_STYLE_EXPAND ) {
+					struct berval	bv;
+					char buf[ACL_BUF_SIZE];
+
+					bv.bv_len = sizeof( buf ) - 1;
+					bv.bv_val = buf;
+					string_expand( &bv, &b->a_sockurl_pat, e->e_ndn, matches );
+
+					if ( ber_bvstrcasecmp( &bv, &op->o_conn->c_listener_url ) != 0 ) {
+						continue;
+					}
+
 				} else {
 					if ( ber_bvstrcasecmp( &b->a_sockurl_pat, &op->o_conn->c_listener_url ) != 0 )
 						continue;
@ -985,7 +998,7 @@ dn_match_cleanup:;
 				b->a_peername_pat.bv_val, 0, 0 );
 #endif
 			if ( !ber_bvccmp( &b->a_peername_pat, '*' ) ) {
-				if ( b->a_peername_style == ACL_STYLE_REGEX) {
+				if ( b->a_peername_style == ACL_STYLE_REGEX ) {
 					if (!regex_matches( &b->a_peername_pat, op->o_conn->c_peer_name.bv_val,
 							e->e_ndn, matches ) ) 
 					{
@ -995,8 +1008,21 @@ dn_match_cleanup:;
 				} else {
 					/* try exact match */
 					if ( b->a_peername_style == ACL_STYLE_BASE ) {
-						if ( ber_bvstrcasecmp( &b->a_peername_pat, &op->o_conn->c_peer_name ) != 0 )
+						if ( ber_bvstrcasecmp( &b->a_peername_pat, &op->o_conn->c_peer_name ) != 0 ) {
 							continue;
+						}
+
+					} else if ( b->a_peername_style == ACL_STYLE_EXPAND ) {
+						struct berval	bv;
+						char buf[ACL_BUF_SIZE];
+
+						bv.bv_len = sizeof( buf ) - 1;
+						bv.bv_val = buf;
+						string_expand( &bv, &b->a_peername_pat, e->e_ndn, matches );
+
+						if ( ber_bvstrcasecmp( &bv, &op->o_conn->c_peer_name ) != 0 ) {
+							continue;
+						}

 					/* extract IP and try exact match */
 					} else if ( b->a_peername_style == ACL_STYLE_IP ) {
@ -1088,6 +1114,19 @@ dn_match_cleanup:;
 					{
 						continue;
 					}
+
+				} else if ( b->a_sockname_style == ACL_STYLE_EXPAND ) {
+					struct berval	bv;
+					char buf[ACL_BUF_SIZE];
+
+					bv.bv_len = sizeof( buf ) - 1;
+					bv.bv_val = buf;
+					string_expand( &bv, &b->a_sockname_pat, e->e_ndn, matches );
+
+					if ( ber_bvstrcasecmp( &bv, &op->o_conn->c_sock_name ) != 0 ) {
+						continue;
+					}
+
 				} else {
 					if ( ber_bvstrcasecmp( &b->a_sockname_pat, &op->o_conn->c_sock_name ) != 0 )
 						continue;
--- a/servers/slapd/aclparse.c
+++ b/servers/slapd/aclparse.c
@ -469,13 +469,15 @@ parse_acl(
 						break;

 					default:
+						/* we'll see later if it's pertinent */
 						expand = 1;
 						break;
 					}
 				}

+				/* expand in <who> needs regex in <what> */
 				if ( ( sty == ACL_STYLE_EXPAND || expand )
-						&& ( a->acl_dn_pat.bv_len && a->acl_dn_style != ACL_STYLE_REGEX) ) 
+						&& a->acl_dn_style != ACL_STYLE_REGEX )
 				{
 					fprintf( stderr, "%s: line %d: "
 						"\"expand\" style or modifier used "
@ -644,7 +646,7 @@ parse_acl(

 					switch ( sty ) {
 					case ACL_STYLE_REGEX:
-						/* legacy */
+						/* legacy, tolerated */
 						fprintf( stderr, "%s: line %d: "
 							"deprecated group style \"regex\"; "
 							"use \"expand\" instead\n",
@ -652,13 +654,14 @@ parse_acl(
 						sty = ACL_STYLE_EXPAND;
 						break;

-					case ACL_STYLE_EXPAND:
 					case ACL_STYLE_BASE:
-						/* legal */
+						/* legal, traditional */
+					case ACL_STYLE_EXPAND:
+						/* legal, substring expansion; supersedes regex */
 						break;

 					default:
-						/* unhandled */
+						/* unknown */
 						fprintf( stderr, "%s: line %d: "
 							"inappropriate style \"%s\" in by clause\n",
 							fname, lineno, style );
@ -814,8 +817,12 @@ parse_acl(
 					switch (sty) {
 					case ACL_STYLE_REGEX:
 					case ACL_STYLE_BASE:
+						/* legal, traditional */
+					case ACL_STYLE_EXPAND:
+						/* cheap replacement to regex for simple expansion */
 					case ACL_STYLE_IP:
 					case ACL_STYLE_PATH:
+						/* legal, peername specific */
 						break;

 					default:
@ -899,7 +906,16 @@ parse_acl(
 				}

 				if ( strcasecmp( left, "sockname" ) == 0 ) {
-					if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
+					switch (sty) {
+					case ACL_STYLE_REGEX:
+					case ACL_STYLE_BASE:
+						/* legal, traditional */
+					case ACL_STYLE_EXPAND:
+						/* cheap replacement to regex for simple expansion */
+						break;
+
+					default:
+						/* unknown */
 						fprintf( stderr, "%s: line %d: "
 							"inappropriate style \"%s\" in by clause\n",
 						    fname, lineno, style );
@ -939,9 +955,23 @@ parse_acl(
 					case ACL_STYLE_REGEX:
 					case ACL_STYLE_BASE:
 					case ACL_STYLE_SUBTREE:
+						/* legal, traditional */
+						break;
+
+					case ACL_STYLE_EXPAND:
+						/* tolerated: means exact,expand */
+						if ( expand ) {
+							fprintf( stderr,
+								"%s: line %d: "
+								"\"expand\" modifier with \"expand\" style\n",
+								fname, lineno );
+						}
+						sty = ACL_STYLE_BASE;
+						expand = 1;
 						break;

 					default:
+						/* unknown */
 						fprintf( stderr,
 							"%s: line %d: inappropriate style \"%s\" in by clause\n",
 						    fname, lineno, style );
@ -977,9 +1007,18 @@ parse_acl(
 				}

 				if ( strcasecmp( left, "sockurl" ) == 0 ) {
-					if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
-						fprintf( stderr,
-							"%s: line %d: inappropriate style \"%s\" in by clause\n",
+					switch (sty) {
+					case ACL_STYLE_REGEX:
+					case ACL_STYLE_BASE:
+						/* legal, traditional */
+					case ACL_STYLE_EXPAND:
+						/* cheap replacement to regex for simple expansion */
+						break;
+
+					default:
+						/* unknown */
+						fprintf( stderr, "%s: line %d: "
+							"inappropriate style \"%s\" in by clause\n",
 						    fname, lineno, style );
 						acl_usage();
 					}