mirror of
https://git.openldap.org/openldap/openldap.git
use "expand" instead of "regex" for group ACLs that allow substring expansion, preserving backwards compatibility; add sanity checks
parent
490e1e4aa9
commit
042869366d
@ -184,7 +184,7 @@ It can have the forms
|
||||
dn[.<dnstyle>[,<modifier>]]=<DN>
|
||||
dnattr=<attrname>
|
||||
group[/<objectclass>[/<attrname>]]
|
||||
[.<style>]=<group>
|
||||
[.<groupstyle>]=<group>
|
||||
peername[.<peernamestyle>]=<peername>
|
||||
sockname[.<style>]=<sockname>
|
||||
domain[.<domainstyle>[,<modifier>]]=<domain>
|
||||
@ -203,6 +203,7 @@ with
|
||||
.LP
|
||||
.nf
|
||||
<dnstyle>={{exact|base}|regex|sub(tree)|one(level)|children}
|
||||
<groupstyle>={exact|expand}
|
||||
<style>={exact|regex}
|
||||
<peernamestyle>={exact|regex|ip|path}
|
||||
<domainstyle>={exact|regex|sub(tree)}
|
||||
@ -286,16 +287,12 @@ define the objectClass and the member attributeType of the group entry.
|
||||
The optional style qualifier
|
||||
.B <style>
|
||||
can be
|
||||
.BR regex ,
|
||||
.BR expand ,
|
||||
which means that
|
||||
.B <group>
|
||||
will be expanded as a replacement string (but not as a regular expression)
|
||||
according to regex (7), and
|
||||
.B base
|
||||
or
|
||||
.B exact
|
||||
(an alias of
|
||||
.BR base ),
|
||||
.BR exact ,
|
||||
which means that exact match will be used.
|
||||
.LP
|
||||
For static groups, the specified attributeType must have
|
||||
@ -307,7 +304,7 @@ be a subtype of the
|
||||
.B labeledURI
|
||||
attributeType. Only LDAP URIs of the form
|
||||
.B ldap:///<base>??<scope>?<filter>
|
||||
will be evaluated in a dynamic group.
|
||||
will be evaluated in a dynamic group, by searching the local server only.
|
||||
.LP
|
||||
The statements
|
||||
.BR peername=<peername> ,
|
||||
|
@ -1193,7 +1193,7 @@ dn_match_cleanup:;
|
||||
* the values in the attribute group
|
||||
*/
|
||||
/* see if asker is listed in dnattr */
|
||||
if ( b->a_group_style == ACL_STYLE_REGEX ) {
|
||||
if ( b->a_group_style == ACL_STYLE_EXPAND ) {
|
||||
char buf[ACL_BUF_SIZE];
|
||||
bv.bv_len = sizeof(buf) - 1;
|
||||
bv.bv_val = buf;
|
||||
|
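Review bot: With the test narrowed to `ACL_STYLE_EXPAND`, a group clause whose `a_group_style` is still `ACL_STYLE_REGEX` (value 0 in the enum, so also what a zero-initialised access structure carries) no longer takes the expansion branch and is handled by whatever follows the `if`, which lies outside this hunk. `parse_acl()` rewrites the legacy style before storing it, so ACLs read from the configuration are covered, but nothing at this site records that dependency. I would add a comment above the test, e.g. `/* parse_acl() maps legacy "regex" to ACL_STYLE_EXPAND; only that style expands <group> */`, in place of `/* see if asker is listed in dnattr */`, which appears to describe a different clause. Because the expanded group name is assembled in `buf` (bounded by `sizeof(buf) - 1`) from the configured pattern, the comment should also state that a failed or truncated expansion must never count as a match.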
@ -40,6 +40,7 @@
|
||||
|
||||
static char *style_strings[] = {
|
||||
"regex",
|
||||
"expand",
|
||||
"base",
|
||||
"one",
|
||||
"subtree",
|
||||
@ -427,6 +428,9 @@ parse_acl(
|
||||
} else if ( strcasecmp( style, "regex" ) == 0 ) {
|
||||
sty = ACL_STYLE_REGEX;
|
||||
|
||||
} else if ( strcasecmp( style, "expand" ) == 0 ) {
|
||||
sty = ACL_STYLE_EXPAND;
|
||||
|
||||
} else if ( strcasecmp( style, "ip" ) == 0 ) {
|
||||
sty = ACL_STYLE_IP;
|
||||
|
||||
@ -448,9 +452,39 @@ parse_acl(
|
||||
if ( style_modifier &&
|
||||
strcasecmp( style_modifier, "expand" ) == 0 )
|
||||
{
|
||||
expand = 1;
|
||||
switch ( sty ) {
|
||||
case ACL_STYLE_REGEX:
|
||||
fprintf( stderr, "%s: line %d: "
|
||||
"\"regex\" style implies "
|
||||
"\"expand\" modifier (ignored)\n",
|
||||
fname, lineno );
|
||||
break;
|
||||
|
||||
case ACL_STYLE_EXPAND:
|
||||
fprintf( stderr, "%s: line %d: "
|
||||
"\"expand\" style used "
|
||||
"in conjunction with "
|
||||
"\"expand\" modifier (ignored)\n",
|
||||
fname, lineno );
|
||||
break;
|
||||
|
||||
default:
|
||||
expand = 1;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if ( ( sty == ACL_STYLE_EXPAND || expand )
|
||||
&& ( a->acl_dn_pat.bv_len && a->acl_dn_style != ACL_STYLE_REGEX) )
|
||||
{
|
||||
fprintf( stderr, "%s: line %d: "
|
||||
"\"expand\" style or modifier used "
|
||||
"in conjunction with "
|
||||
"a non-regex <what> clause\n",
|
||||
fname, lineno );
|
||||
}
|
||||
|
||||
|
||||
if ( strcasecmp( argv[i], "*" ) == 0 ) {
|
||||
bv.bv_val = ch_strdup( "*" );
|
||||
bv.bv_len = 1;
|
||||
@ -608,10 +642,26 @@ parse_acl(
|
||||
char *name = NULL;
|
||||
char *value = NULL;
|
||||
|
||||
if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
|
||||
switch ( sty ) {
|
||||
case ACL_STYLE_REGEX:
|
||||
/* legacy */
|
||||
fprintf( stderr, "%s: line %d: "
|
||||
"deprecated group style \"regex\"; "
|
||||
"use \"expand\" instead\n",
|
||||
fname, lineno, style );
|
||||
sty = ACL_STYLE_EXPAND;
|
||||
break;
|
||||
|
||||
case ACL_STYLE_EXPAND:
|
||||
case ACL_STYLE_BASE:
|
||||
/* legal */
|
||||
break;
|
||||
|
||||
default:
|
||||
/* unhandled */
|
||||
fprintf( stderr, "%s: line %d: "
|
||||
"inappropriate style \"%s\" in by clause\n",
|
||||
fname, lineno, style );
|
||||
fname, lineno, style );
|
||||
acl_usage();
|
||||
}
|
||||
|
||||
@ -640,7 +690,7 @@ parse_acl(
|
||||
}
|
||||
|
||||
b->a_group_style = sty;
|
||||
if (sty == ACL_STYLE_REGEX) {
|
||||
if (sty == ACL_STYLE_EXPAND) {
|
||||
acl_regex_normalized_dn( right, &bv );
|
||||
if ( !ber_bvccmp( &bv, '*' ) ) {
|
||||
regtest(fname, lineno, bv.bv_val);
|
||||
|
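Review bot: The new check for an `expand` style or modifier combined with a non-regex `<what>` clause only prints to stderr and then carries on, so an access rule whose substitution can never be filled in is still loaded. For an access-control parser I would expect it to be rejected the way the `default:` arm of the group-style switch is, by following the `fprintf` with `acl_usage();`; if it is kept as a warning for compatibility, the message should say that the clause is accepted anyway. The same check is not visible for the `group` clause, where `sty` can also end up as `ACL_STYLE_EXPAND`, so unless it exists outside these hunks it should be applied there too. Separately, the deprecation message under `case ACL_STYLE_REGEX:` passes `style` although its format contains only `%s` and `%d`; that call should end `fname, lineno );`.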
@ -1078,6 +1078,7 @@ typedef enum slap_control_e {
|
||||
|
||||
typedef enum slap_style_e {
|
||||
ACL_STYLE_REGEX = 0,
|
||||
ACL_STYLE_EXPAND,
|
||||
ACL_STYLE_BASE,
|
||||
ACL_STYLE_ONE,
|
||||
ACL_STYLE_SUBTREE,
|
||||
|
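Review bot: Inserting `ACL_STYLE_EXPAND` directly after `ACL_STYLE_REGEX = 0` renumbers every later style, and nothing on the enum says that its order is tied to anything else. The `style_strings[]` table changed in this same commit gains `"expand"` at the matching position, which suggests it is indexed by this enum; a comment here such as `/* order must match style_strings[] */` would keep the two from drifting, since a mismatch would make any output that prints a style name report the wrong one. Any separately built module compiled against the old header would also read `ACL_STYLE_BASE` and the later values differently, which is worth a line in the commit description. The enum continues outside the hunk.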