mirror/openldap
2
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2025-01-06 10:46:21 +08:00
Code Issues Packages Projects Releases Wiki Activity

allow "expand" style in peername, sockname, sockurl as well; more sanity checks

Browse Source
This commit is contained in:
Pierangelo Masarati 2004-03-09 19:44:14 +00:00
parent 042869366d
commit 006745430e
3 changed files with 107 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
doc/man/man5/slapd.access.5
View File

@ -189,7 +189,7 @@ It can have the forms
sockname[.<style>]=<sockname> sockname[.<style>]=<sockname>
domain[.<domainstyle>[,<modifier>]]=<domain> domain[.<domainstyle>[,<modifier>]]=<domain>
sockurl[.<style>]=<sockurl> sockurl[.<style>]=<sockurl>
set[.<style>]=<pattern> set[.<setstyle>]=<pattern>
ssf=<n> ssf=<n>
transport_ssf=<n> transport_ssf=<n>
@ -204,9 +204,10 @@ with
.nf .nf
<dnstyle>={{exact|base}|regex|sub(tree)|one(level)|children} <dnstyle>={{exact|base}|regex|sub(tree)|one(level)|children}
<groupstyle>={exact|expand} <groupstyle>={exact|expand}
<style>={exact|regex} <style>={exact|regex|expand}
<peernamestyle>={exact|regex|ip|path} <peernamestyle>={<style>|ip|path}
<domainstyle>={exact|regex|sub(tree)} <domainstyle>={exact|regex|sub(tree)}
<setstyle>={exact|regex}
<modifier>={expand} <modifier>={expand}
.fi .fi
.LP .LP
@ -331,7 +332,13 @@ The same
.B style .B style
rules for pattern match described for the rules for pattern match described for the
.B group .B group
case apply. case apply, plus the
.B regex
style, which implies submatch
.B expand
and
.BR regex (7)
match of the corresponding connection parameters.
The The
.B exact .B exact
style of the style of the
@ -395,6 +402,13 @@ pattern, or its trailing part, after a
exactly matches the exactly matches the
.BR domain .BR domain
pattern. pattern.
The
.B expand
style is allowed, implying an
.B exact
match with submatch expansion; the use of
.B expand
as a style modifier is considered more appropriate.
As an example, As an example,
.B domain.subtree=example.com .B domain.subtree=example.com
will match www.example.com, but will not match www.anotherexample.com. will match www.example.com, but will not match www.anotherexample.com.

43
servers/slapd/acl.c
View File

@ -908,6 +908,19 @@ dn_match_cleanup:;
{ {
continue; continue;
} }
} else if ( b->a_sockurl_style == ACL_STYLE_EXPAND ) {
struct berval bv;
char buf[ACL_BUF_SIZE];
bv.bv_len = sizeof( buf ) - 1;
bv.bv_val = buf;
string_expand( &bv, &b->a_sockurl_pat, e->e_ndn, matches );
if ( ber_bvstrcasecmp( &bv, &op->o_conn->c_listener_url ) != 0 ) {
continue;
}
} else { } else {
if ( ber_bvstrcasecmp( &b->a_sockurl_pat, &op->o_conn->c_listener_url ) != 0 ) if ( ber_bvstrcasecmp( &b->a_sockurl_pat, &op->o_conn->c_listener_url ) != 0 )
continue; continue;
@ -985,7 +998,7 @@ dn_match_cleanup:;
b->a_peername_pat.bv_val, 0, 0 ); b->a_peername_pat.bv_val, 0, 0 );
#endif #endif
if ( !ber_bvccmp( &b->a_peername_pat, '*' ) ) { if ( !ber_bvccmp( &b->a_peername_pat, '*' ) ) {
if ( b->a_peername_style == ACL_STYLE_REGEX) { if ( b->a_peername_style == ACL_STYLE_REGEX ) {
if (!regex_matches( &b->a_peername_pat, op->o_conn->c_peer_name.bv_val, if (!regex_matches( &b->a_peername_pat, op->o_conn->c_peer_name.bv_val,
e->e_ndn, matches ) ) e->e_ndn, matches ) )
{ {
@ -995,8 +1008,21 @@ dn_match_cleanup:;
} else { } else {
/* try exact match */ /* try exact match */
if ( b->a_peername_style == ACL_STYLE_BASE ) { if ( b->a_peername_style == ACL_STYLE_BASE ) {
if ( ber_bvstrcasecmp( &b->a_peername_pat, &op->o_conn->c_peer_name ) != 0 ) if ( ber_bvstrcasecmp( &b->a_peername_pat, &op->o_conn->c_peer_name ) != 0 ) {
continue; continue;
}
} else if ( b->a_peername_style == ACL_STYLE_EXPAND ) {
struct berval bv;
char buf[ACL_BUF_SIZE];
bv.bv_len = sizeof( buf ) - 1;
bv.bv_val = buf;
string_expand( &bv, &b->a_peername_pat, e->e_ndn, matches );
if ( ber_bvstrcasecmp( &bv, &op->o_conn->c_peer_name ) != 0 ) {
continue;
}
/* extract IP and try exact match */ /* extract IP and try exact match */
} else if ( b->a_peername_style == ACL_STYLE_IP ) { } else if ( b->a_peername_style == ACL_STYLE_IP ) {
@ -1088,6 +1114,19 @@ dn_match_cleanup:;
{ {
continue; continue;
} }
} else if ( b->a_sockname_style == ACL_STYLE_EXPAND ) {
struct berval bv;
char buf[ACL_BUF_SIZE];
bv.bv_len = sizeof( buf ) - 1;
bv.bv_val = buf;
string_expand( &bv, &b->a_sockname_pat, e->e_ndn, matches );
if ( ber_bvstrcasecmp( &bv, &op->o_conn->c_sock_name ) != 0 ) {
continue;
}
} else { } else {
if ( ber_bvstrcasecmp( &b->a_sockname_pat, &op->o_conn->c_sock_name ) != 0 ) if ( ber_bvstrcasecmp( &b->a_sockname_pat, &op->o_conn->c_sock_name ) != 0 )
continue; continue;

57
servers/slapd/aclparse.c
View File

@ -469,13 +469,15 @@ parse_acl(
break; break;
default: default:
/* we'll see later if it's pertinent */
expand = 1; expand = 1;
break; break;
} }
} }
/* expand in <who> needs regex in <what> */
if ( ( sty == ACL_STYLE_EXPAND || expand ) if ( ( sty == ACL_STYLE_EXPAND || expand )
&& ( a->acl_dn_pat.bv_len && a->acl_dn_style != ACL_STYLE_REGEX) ) && a->acl_dn_style != ACL_STYLE_REGEX )
{ {
fprintf( stderr, "%s: line %d: " fprintf( stderr, "%s: line %d: "
"\"expand\" style or modifier used " "\"expand\" style or modifier used "
@ -644,7 +646,7 @@ parse_acl(
switch ( sty ) { switch ( sty ) {
case ACL_STYLE_REGEX: case ACL_STYLE_REGEX:
/* legacy */ /* legacy, tolerated */
fprintf( stderr, "%s: line %d: " fprintf( stderr, "%s: line %d: "
"deprecated group style \"regex\"; " "deprecated group style \"regex\"; "
"use \"expand\" instead\n", "use \"expand\" instead\n",
@ -652,13 +654,14 @@ parse_acl(
sty = ACL_STYLE_EXPAND; sty = ACL_STYLE_EXPAND;
break; break;
case ACL_STYLE_EXPAND:
case ACL_STYLE_BASE: case ACL_STYLE_BASE:
/* legal */ /* legal, traditional */
case ACL_STYLE_EXPAND:
/* legal, substring expansion; supersedes regex */
break; break;
default: default:
/* unhandled */ /* unknown */
fprintf( stderr, "%s: line %d: " fprintf( stderr, "%s: line %d: "
"inappropriate style \"%s\" in by clause\n", "inappropriate style \"%s\" in by clause\n",
fname, lineno, style ); fname, lineno, style );
@ -814,8 +817,12 @@ parse_acl(
switch (sty) { switch (sty) {
case ACL_STYLE_REGEX: case ACL_STYLE_REGEX:
case ACL_STYLE_BASE: case ACL_STYLE_BASE:
/* legal, traditional */
case ACL_STYLE_EXPAND:
/* cheap replacement to regex for simple expansion */
case ACL_STYLE_IP: case ACL_STYLE_IP:
case ACL_STYLE_PATH: case ACL_STYLE_PATH:
/* legal, peername specific */
break; break;
default: default:
@ -899,7 +906,16 @@ parse_acl(
} }
if ( strcasecmp( left, "sockname" ) == 0 ) { if ( strcasecmp( left, "sockname" ) == 0 ) {
if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) { switch (sty) {
case ACL_STYLE_REGEX:
case ACL_STYLE_BASE:
/* legal, traditional */
case ACL_STYLE_EXPAND:
/* cheap replacement to regex for simple expansion */
break;
default:
/* unknown */
fprintf( stderr, "%s: line %d: " fprintf( stderr, "%s: line %d: "
"inappropriate style \"%s\" in by clause\n", "inappropriate style \"%s\" in by clause\n",
fname, lineno, style ); fname, lineno, style );
@ -939,9 +955,23 @@ parse_acl(
case ACL_STYLE_REGEX: case ACL_STYLE_REGEX:
case ACL_STYLE_BASE: case ACL_STYLE_BASE:
case ACL_STYLE_SUBTREE: case ACL_STYLE_SUBTREE:
/* legal, traditional */
break;
case ACL_STYLE_EXPAND:
/* tolerated: means exact,expand */
if ( expand ) {
fprintf( stderr,
"%s: line %d: "
"\"expand\" modifier with \"expand\" style\n",
fname, lineno );
}
sty = ACL_STYLE_BASE;
expand = 1;
break; break;
default: default:
/* unknown */
fprintf( stderr, fprintf( stderr,
"%s: line %d: inappropriate style \"%s\" in by clause\n", "%s: line %d: inappropriate style \"%s\" in by clause\n",
fname, lineno, style ); fname, lineno, style );
@ -977,9 +1007,18 @@ parse_acl(
} }
if ( strcasecmp( left, "sockurl" ) == 0 ) { if ( strcasecmp( left, "sockurl" ) == 0 ) {
if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) { switch (sty) {
fprintf( stderr, case ACL_STYLE_REGEX:
"%s: line %d: inappropriate style \"%s\" in by clause\n", case ACL_STYLE_BASE:
/* legal, traditional */
case ACL_STYLE_EXPAND:
/* cheap replacement to regex for simple expansion */
break;
default:
/* unknown */
fprintf( stderr, "%s: line %d: "
"inappropriate style \"%s\" in by clause\n",
fname, lineno, style ); fname, lineno, style );
acl_usage(); acl_usage();
} }