mirror of
https://git.openldap.org/openldap/openldap.git
synced 2025-01-06 10:46:21 +08:00
use "expand" instead of "regex" for group ACLs that allow substring expansion, preserving backwards compatibility; add sanity checks
This commit is contained in:
parent
490e1e4aa9
commit
042869366d
@ -184,7 +184,7 @@ It can have the forms
|
|||||||
dn[.<dnstyle>[,<modifier>]]=<DN>
|
dn[.<dnstyle>[,<modifier>]]=<DN>
|
||||||
dnattr=<attrname>
|
dnattr=<attrname>
|
||||||
group[/<objectclass>[/<attrname>]]
|
group[/<objectclass>[/<attrname>]]
|
||||||
[.<style>]=<group>
|
[.<groupstyle>]=<group>
|
||||||
peername[.<peernamestyle>]=<peername>
|
peername[.<peernamestyle>]=<peername>
|
||||||
sockname[.<style>]=<sockname>
|
sockname[.<style>]=<sockname>
|
||||||
domain[.<domainstyle>[,<modifier>]]=<domain>
|
domain[.<domainstyle>[,<modifier>]]=<domain>
|
||||||
@ -203,6 +203,7 @@ with
|
|||||||
.LP
|
.LP
|
||||||
.nf
|
.nf
|
||||||
<dnstyle>={{exact|base}|regex|sub(tree)|one(level)|children}
|
<dnstyle>={{exact|base}|regex|sub(tree)|one(level)|children}
|
||||||
|
<groupstyle>={exact|expand}
|
||||||
<style>={exact|regex}
|
<style>={exact|regex}
|
||||||
<peernamestyle>={exact|regex|ip|path}
|
<peernamestyle>={exact|regex|ip|path}
|
||||||
<domainstyle>={exact|regex|sub(tree)}
|
<domainstyle>={exact|regex|sub(tree)}
|
||||||
@ -286,16 +287,12 @@ define the objectClass and the member attributeType of the group entry.
|
|||||||
The optional style qualifier
|
The optional style qualifier
|
||||||
.B <style>
|
.B <style>
|
||||||
can be
|
can be
|
||||||
.BR regex ,
|
.BR expand ,
|
||||||
which means that
|
which means that
|
||||||
.B <group>
|
.B <group>
|
||||||
will be expanded as a replacement string (but not as a regular expression)
|
will be expanded as a replacement string (but not as a regular expression)
|
||||||
according to regex (7), and
|
according to regex (7), and
|
||||||
.B base
|
.BR exact ,
|
||||||
or
|
|
||||||
.B exact
|
|
||||||
(an alias of
|
|
||||||
.BR base ),
|
|
||||||
which means that exact match will be used.
|
which means that exact match will be used.
|
||||||
.LP
|
.LP
|
||||||
For static groups, the specified attributeType must have
|
For static groups, the specified attributeType must have
|
||||||
@ -307,7 +304,7 @@ be a subtype of the
|
|||||||
.B labeledURI
|
.B labeledURI
|
||||||
attributeType. Only LDAP URIs of the form
|
attributeType. Only LDAP URIs of the form
|
||||||
.B ldap:///<base>??<scope>?<filter>
|
.B ldap:///<base>??<scope>?<filter>
|
||||||
will be evaluated in a dynamic group.
|
will be evaluated in a dynamic group, by searching the local server only.
|
||||||
.LP
|
.LP
|
||||||
The statements
|
The statements
|
||||||
.BR peername=<peername> ,
|
.BR peername=<peername> ,
|
||||||
|
@ -1193,7 +1193,7 @@ dn_match_cleanup:;
|
|||||||
* the values in the attribute group
|
* the values in the attribute group
|
||||||
*/
|
*/
|
||||||
/* see if asker is listed in dnattr */
|
/* see if asker is listed in dnattr */
|
||||||
if ( b->a_group_style == ACL_STYLE_REGEX ) {
|
if ( b->a_group_style == ACL_STYLE_EXPAND ) {
|
||||||
char buf[ACL_BUF_SIZE];
|
char buf[ACL_BUF_SIZE];
|
||||||
bv.bv_len = sizeof(buf) - 1;
|
bv.bv_len = sizeof(buf) - 1;
|
||||||
bv.bv_val = buf;
|
bv.bv_val = buf;
|
||||||
|
@ -40,6 +40,7 @@
|
|||||||
|
|
||||||
static char *style_strings[] = {
|
static char *style_strings[] = {
|
||||||
"regex",
|
"regex",
|
||||||
|
"expand",
|
||||||
"base",
|
"base",
|
||||||
"one",
|
"one",
|
||||||
"subtree",
|
"subtree",
|
||||||
@ -427,6 +428,9 @@ parse_acl(
|
|||||||
} else if ( strcasecmp( style, "regex" ) == 0 ) {
|
} else if ( strcasecmp( style, "regex" ) == 0 ) {
|
||||||
sty = ACL_STYLE_REGEX;
|
sty = ACL_STYLE_REGEX;
|
||||||
|
|
||||||
|
} else if ( strcasecmp( style, "expand" ) == 0 ) {
|
||||||
|
sty = ACL_STYLE_EXPAND;
|
||||||
|
|
||||||
} else if ( strcasecmp( style, "ip" ) == 0 ) {
|
} else if ( strcasecmp( style, "ip" ) == 0 ) {
|
||||||
sty = ACL_STYLE_IP;
|
sty = ACL_STYLE_IP;
|
||||||
|
|
||||||
@ -448,8 +452,38 @@ parse_acl(
|
|||||||
if ( style_modifier &&
|
if ( style_modifier &&
|
||||||
strcasecmp( style_modifier, "expand" ) == 0 )
|
strcasecmp( style_modifier, "expand" ) == 0 )
|
||||||
{
|
{
|
||||||
|
switch ( sty ) {
|
||||||
|
case ACL_STYLE_REGEX:
|
||||||
|
fprintf( stderr, "%s: line %d: "
|
||||||
|
"\"regex\" style implies "
|
||||||
|
"\"expand\" modifier (ignored)\n",
|
||||||
|
fname, lineno );
|
||||||
|
break;
|
||||||
|
|
||||||
|
case ACL_STYLE_EXPAND:
|
||||||
|
fprintf( stderr, "%s: line %d: "
|
||||||
|
"\"expand\" style used "
|
||||||
|
"in conjunction with "
|
||||||
|
"\"expand\" modifier (ignored)\n",
|
||||||
|
fname, lineno );
|
||||||
|
break;
|
||||||
|
|
||||||
|
default:
|
||||||
expand = 1;
|
expand = 1;
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( ( sty == ACL_STYLE_EXPAND || expand )
|
||||||
|
&& ( a->acl_dn_pat.bv_len && a->acl_dn_style != ACL_STYLE_REGEX) )
|
||||||
|
{
|
||||||
|
fprintf( stderr, "%s: line %d: "
|
||||||
|
"\"expand\" style or modifier used "
|
||||||
|
"in conjunction with "
|
||||||
|
"a non-regex <what> clause\n",
|
||||||
|
fname, lineno );
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
if ( strcasecmp( argv[i], "*" ) == 0 ) {
|
if ( strcasecmp( argv[i], "*" ) == 0 ) {
|
||||||
bv.bv_val = ch_strdup( "*" );
|
bv.bv_val = ch_strdup( "*" );
|
||||||
@ -608,7 +642,23 @@ parse_acl(
|
|||||||
char *name = NULL;
|
char *name = NULL;
|
||||||
char *value = NULL;
|
char *value = NULL;
|
||||||
|
|
||||||
if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
|
switch ( sty ) {
|
||||||
|
case ACL_STYLE_REGEX:
|
||||||
|
/* legacy */
|
||||||
|
fprintf( stderr, "%s: line %d: "
|
||||||
|
"deprecated group style \"regex\"; "
|
||||||
|
"use \"expand\" instead\n",
|
||||||
|
fname, lineno, style );
|
||||||
|
sty = ACL_STYLE_EXPAND;
|
||||||
|
break;
|
||||||
|
|
||||||
|
case ACL_STYLE_EXPAND:
|
||||||
|
case ACL_STYLE_BASE:
|
||||||
|
/* legal */
|
||||||
|
break;
|
||||||
|
|
||||||
|
default:
|
||||||
|
/* unhandled */
|
||||||
fprintf( stderr, "%s: line %d: "
|
fprintf( stderr, "%s: line %d: "
|
||||||
"inappropriate style \"%s\" in by clause\n",
|
"inappropriate style \"%s\" in by clause\n",
|
||||||
fname, lineno, style );
|
fname, lineno, style );
|
||||||
@ -640,7 +690,7 @@ parse_acl(
|
|||||||
}
|
}
|
||||||
|
|
||||||
b->a_group_style = sty;
|
b->a_group_style = sty;
|
||||||
if (sty == ACL_STYLE_REGEX) {
|
if (sty == ACL_STYLE_EXPAND) {
|
||||||
acl_regex_normalized_dn( right, &bv );
|
acl_regex_normalized_dn( right, &bv );
|
||||||
if ( !ber_bvccmp( &bv, '*' ) ) {
|
if ( !ber_bvccmp( &bv, '*' ) ) {
|
||||||
regtest(fname, lineno, bv.bv_val);
|
regtest(fname, lineno, bv.bv_val);
|
||||||
|
@ -1078,6 +1078,7 @@ typedef enum slap_control_e {
|
|||||||
|
|
||||||
typedef enum slap_style_e {
|
typedef enum slap_style_e {
|
||||||
ACL_STYLE_REGEX = 0,
|
ACL_STYLE_REGEX = 0,
|
||||||
|
ACL_STYLE_EXPAND,
|
||||||
ACL_STYLE_BASE,
|
ACL_STYLE_BASE,
|
||||||
ACL_STYLE_ONE,
|
ACL_STYLE_ONE,
|
||||||
ACL_STYLE_SUBTREE,
|
ACL_STYLE_SUBTREE,
|
||||||
|
Loading…
Reference in New Issue
Block a user