use "expand" instead of "regex" for group ACLs that allow substring expansion, preserving backwards compatibility; add sanity checks

Pierangelo Masarati 2004-03-09 16:33:05 +00:00
parent 490e1e4aa9
commit 042869366d
4 changed files with 61 additions and 13 deletions


@ -184,7 +184,7 @@ It can have the forms
dn[.<dnstyle>[,<modifier>]]=<DN>
dnattr=<attrname>
group[/<objectclass>[/<attrname>]]
[.<style>]=<group>
[.<groupstyle>]=<group>
peername[.<peernamestyle>]=<peername>
sockname[.<style>]=<sockname>
domain[.<domainstyle>[,<modifier>]]=<domain>
@ -203,6 +203,7 @@ with
.LP
.nf
<dnstyle>={{exact|base}|regex|sub(tree)|one(level)|children}
<groupstyle>={exact|expand}
<style>={exact|regex}
<peernamestyle>={exact|regex|ip|path}
<domainstyle>={exact|regex|sub(tree)}
@ -286,16 +287,12 @@ define the objectClass and the member attributeType of the group entry.
The optional style qualifier
.B <style>
can be
.BR regex ,
.BR expand ,
which means that
.B <group>
will be expanded as a replacement string (but not as a regular expression)
according to regex (7), and
.B base
or
.B exact
(an alias of
.BR base ),
.BR exact ,
which means that exact match will be used.
.LP
For static groups, the specified attributeType must have
@ -307,7 +304,7 @@ be a subtype of the
.B labeledURI
attributeType. Only LDAP URIs of the form
.B ldap:///<base>??<scope>?<filter>
will be evaluated in a dynamic group.
will be evaluated in a dynamic group, by searching the local server only.
.LP
The statements
.BR peername=<peername> ,


@ -1193,7 +1193,7 @@ dn_match_cleanup:;
* the values in the attribute group
*/
/* see if asker is listed in dnattr */
if ( b->a_group_style == ACL_STYLE_REGEX ) {
if ( b->a_group_style == ACL_STYLE_EXPAND ) {
char buf[ACL_BUF_SIZE];
bv.bv_len = sizeof(buf) - 1;
bv.bv_val = buf;


@ -40,6 +40,7 @@
static char *style_strings[] = {
"regex",
"expand",
"base",
"one",
"subtree",
@ -427,6 +428,9 @@ parse_acl(
} else if ( strcasecmp( style, "regex" ) == 0 ) {
sty = ACL_STYLE_REGEX;
} else if ( strcasecmp( style, "expand" ) == 0 ) {
sty = ACL_STYLE_EXPAND;
} else if ( strcasecmp( style, "ip" ) == 0 ) {
sty = ACL_STYLE_IP;
@ -448,9 +452,39 @@ parse_acl(
if ( style_modifier &&
strcasecmp( style_modifier, "expand" ) == 0 )
{
expand = 1;
switch ( sty ) {
case ACL_STYLE_REGEX:
fprintf( stderr, "%s: line %d: "
"\"regex\" style implies "
"\"expand\" modifier (ignored)\n",
fname, lineno );
break;
case ACL_STYLE_EXPAND:
fprintf( stderr, "%s: line %d: "
"\"expand\" style used "
"in conjunction with "
"\"expand\" modifier (ignored)\n",
fname, lineno );
break;
default:
expand = 1;
break;
}
}
if ( ( sty == ACL_STYLE_EXPAND || expand )
&& ( a->acl_dn_pat.bv_len && a->acl_dn_style != ACL_STYLE_REGEX) )
{
fprintf( stderr, "%s: line %d: "
"\"expand\" style or modifier used "
"in conjunction with "
"a non-regex <what> clause\n",
fname, lineno );
}
if ( strcasecmp( argv[i], "*" ) == 0 ) {
bv.bv_val = ch_strdup( "*" );
bv.bv_len = 1;
@ -608,10 +642,26 @@ parse_acl(
char *name = NULL;
char *value = NULL;
if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
switch ( sty ) {
case ACL_STYLE_REGEX:
/* legacy */
fprintf( stderr, "%s: line %d: "
"deprecated group style \"regex\"; "
"use \"expand\" instead\n",
fname, lineno, style );
sty = ACL_STYLE_EXPAND;
break;
case ACL_STYLE_EXPAND:
case ACL_STYLE_BASE:
/* legal */
break;
default:
/* unhandled */
fprintf( stderr, "%s: line %d: "
"inappropriate style \"%s\" in by clause\n",
fname, lineno, style );
fname, lineno, style );
acl_usage();
}
@ -640,7 +690,7 @@ parse_acl(
}
b->a_group_style = sty;
if (sty == ACL_STYLE_REGEX) {
if (sty == ACL_STYLE_EXPAND) {
acl_regex_normalized_dn( right, &bv );
if ( !ber_bvccmp( &bv, '*' ) ) {
regtest(fname, lineno, bv.bv_val);
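Review bot: The new sanity check in the `@ -448,9 +452,39` hunk only prints to stderr when the `expand` style or modifier is combined with a non-regex `<what>` clause, and parsing then continues, so an access rule whose `by` pattern cannot be expanded as its author intended still appears to be loaded. Because this is an access-control rule, either call `acl_usage();` after that `fprintf`, as the `default:` branch of the group-style switch does, or add a comment stating why a warning is enough, for example `/* warn only: rejecting would break existing configurations */`. Separately, the deprecation message in the `@ -608,10 +642,26` hunk passes `style` although its format contains only `%s` and `%d`; the argument list should end at `fname, lineno );`. parse_acl starts and ends outside these hunks, so how an unexpanded pattern is evaluated later is not visible here.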


@ -1078,6 +1078,7 @@ typedef enum slap_control_e {
typedef enum slap_style_e {
ACL_STYLE_REGEX = 0,
ACL_STYLE_EXPAND,
ACL_STYLE_BASE,
ACL_STYLE_ONE,
ACL_STYLE_SUBTREE,
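Review bot: `ACL_STYLE_EXPAND` is inserted in the middle of `slap_style_e`, which renumbers `ACL_STYLE_BASE` and every later style, and nothing in the enum says that the `style_strings[]` table changed in the same commit has to keep the same order. Both were updated consistently here, but the coupling is implicit; a comment above the first enumerator such as `/* order must match style_strings[] */` would protect the next addition. This assumes the table is indexed by this enum, which the hunks do not show; if it is, a mismatch would make rules be reported under the wrong style name. The enum continues past the end of the hunk.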