ITS#5804

CHANGES

@@ -5,6 +5,7 @@ OpenLDAP 2.4.14 Engineering
 	Fixed libldap peer cert memory leak (ITS#5849)
 	Fixed libldap_r deref building (ITS#5768)
 	Fixed libldap_r slapd lockup when paused during shutdown (ITS#5841)
+	Added slapd val.regex expansion (ITS#5804)
 	Fixed slapd syncrepl rename handling (ITS#5809)
 	Fixed slapd syncrepl MMR when adding new server (ITS#5850)
 	Fixed slapd-ldif numerous bugs (ITS#5408)

doc/man/man5/slapd.access.5

@@ -369,6 +369,10 @@ ranging from 0 to 9 (where 0 matches the entire string),
 or the form
 .BR ${<digit>+} ,
 for submatches higher than 9.
+Substring substitution from attribute value can
+be done in 
+using the form
+.BR ${v<digit>+} .
 Since the dollar character is used to indicate a substring replacement,
 the dollar character that is used to indicate match up to the end of
 the string must be escaped by a second dollar character, e.g.

servers/slapd/aci.c

@@ -400,11 +400,15 @@ aci_group_member (
 	if ( grp_oc != NULL && grp_ad != NULL ) {
 		char		buf[ ACI_BUF_SIZE ];
 		struct berval	bv, ndn;
+		AclRegexMatches amatches = { 0 };
+
+		amatches.dn_count = nmatch;
+		AC_MEMCPY( amatches.dn_data, matches, sizeof( amatches.dn_data ) );
 
 		bv.bv_len = sizeof( buf ) - 1;
 		bv.bv_val = (char *)&buf;
 		if ( acl_string_expand( &bv, &subjdn,
-				e->e_ndn, nmatch, matches ) )
+				&e->e_nname, NULL, &amatches ) )
 		{
 			rc = LDAP_OTHER;
 			goto done;

servers/slapd/aclparse.c

@@ -528,7 +528,7 @@ parse_acl(
 					if ( style != NULL ) {
 						if ( strcasecmp( style, "regex" ) == 0 ) {
 							int e = regcomp( &a->acl_attrval_re, bv.bv_val,
-								REG_EXTENDED | REG_ICASE | REG_NOSUB );
+								REG_EXTENDED | REG_ICASE );
 							if ( e ) {
 								char	err[SLAP_TEXT_BUFLEN],
 									buf[ SLAP_TEXT_BUFLEN ];
@@ -1004,7 +1004,8 @@ parse_acl(
 								< bdn->a_pat.bv_len;
 							exp = strchr( exp, '$' ) )
 						{
-							if ( isdigit( (unsigned char) exp[ 1 ] ) ) {
+							if ( ( isdigit( (unsigned char) exp[ 1 ] ) ||
+								    exp[ 1 ] == '{' ) ) {
 								gotit = 1;
 								break;
 							}

servers/slapd/proto-slap.h

@@ -93,7 +93,7 @@ LDAP_SLAPD_F (int) acl_match_set LDAP_P((
 	struct berval *default_set_attribute ));
 LDAP_SLAPD_F (int) acl_string_expand LDAP_P((
 	struct berval *newbuf, struct berval *pattern,
-	char *match, int nmatch, regmatch_t *matches ));
+	struct berval *dnmatch, struct berval *valmatch, AclRegexMatches *matches ));
 
 /*
  * aclparse.c

servers/slapd/slap.h

@@ -1547,6 +1547,13 @@ typedef struct AccessControlState {
 #define ACL_STATE_INIT { NULL, NULL, NULL, \
 	ACL_STATE_NOT_RECORDED, 0, 0, 0 }
 
+typedef struct AclRegexMatches {        
+	int dn_count;
+        regmatch_t dn_data[MAXREMATCHES];
+	int val_count;
+        regmatch_t val_data[MAXREMATCHES];
+} AclRegexMatches;
+
 /*
  * Backend-info
  * represents a backend 

tests/data/slapd-valregex.conf

+# master slapd config -- for testing
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2008 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+include		@SCHEMADIR@/core.schema
+include		@SCHEMADIR@/cosine.schema
+include		@SCHEMADIR@/inetorgperson.schema
+include		@SCHEMADIR@/openldap.schema
+include		@SCHEMADIR@/nis.schema
+pidfile		@TESTDIR@/slapd.1.pid
+argsfile	@TESTDIR@/slapd.1.args
+
+# global ACLs
+#
+# normal installations should protect root dse, cn=monitor, cn=subschema
+#
+
+access		to dn.exact="" attrs=objectClass
+		by users read
+access		to *
+		by * read
+
+#mod#modulepath	../servers/slapd/back-@BACKEND@/
+#mod#moduleload	back_@BACKEND@.la
+#monitormod#modulepath ../servers/slapd/back-monitor/
+#monitormod#moduleload back_monitor.la
+
+#######################################################################
+# database definitions
+#######################################################################
+
+database	@BACKEND@
+
+suffix		"dc=example,dc=com"
+directory	@TESTDIR@/db.1.a
+rootdn		"cn=Manager,dc=example,dc=com"
+rootpw		secret
+#bdb#index		objectClass	eq
+#bdb#index		cn,sn,uid	pres,eq,sub
+#hdb#index		objectClass	eq
+#hdb#index		cn,sn,uid	pres,eq,sub
+#ndb#dbname db_1
+#ndb#include @DATADIR@/ndb.conf
+
+access to attrs=userPassword
+	by anonymous auth  
+	by * none stop
+
+access to attrs=sn val.regex="^(.*)$"
+	by dn.exact,expand="cn=${v1},ou=Alumni Association,ou=People,dc=example,dc=com" write
+	by * read stop
+
+access to attrs=sn val.regex="."
+	by * read stop
+
+access to attrs=sn
+        by dn.exact="cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com" write
+	by * read stop
+
+# fall into global ACLs
+
+#monitor#database	monitor

tests/scripts/defines.sh

@@ -131,6 +131,7 @@ DDSCONF=$DATADIR/slapd-dds.conf
 PASSWDCONF=$DATADIR/slapd-passwd.conf
 UNDOCONF=$DATADIR/slapd-config-undo.conf
 NAKEDCONF=$DATADIR/slapd-config-naked.conf
+VALREGEXCONF=$DATADIR/slapd-valregex.conf
 
 DYNAMICCONF=$DATADIR/slapd-dynamic.ldif
 

tests/scripts/test055-valregex

+#! /bin/sh
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2008 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+case "$BACKEND" in
+bdb|hdb)
+	;;
+*)
+	echo "Test does not support $BACKEND backend"
+	exit 0
+esac
+
+echo "running defines.sh"
+. $SRCDIR/scripts/defines.sh
+LVL=acl
+
+mkdir -p $TESTDIR $DBDIR1
+
+echo "Running slapadd to build slapd database..."
+. $CONFFILTER $BACKEND $MONITORDB < $VALREGEXCONF > $CONF1
+$SLAPADD -f $CONF1 -l $LDIFORDERED
+RC=$?
+if test $RC != 0 ; then
+	echo "slapadd failed ($RC)!"
+	exit $RC
+fi
+
+echo "Starting slapd on TCP/IP port $PORT1..."
+$SLAPD -f $CONF1 -h $URI1 -d $LVL $TIMING > $LOG1 2>&1 &
+PID=$!
+if test $WAIT != 0 ; then
+    echo PID $PID
+    read foo
+fi
+KILLPIDS="$PID"
+
+sleep 1
+
+echo "Testing attribute value regex subsitution..."
+for i in 0 1 2 3 4 5; do
+	$LDAPSEARCH -s base -b "$MONITOR" -h $LOCALHOST -p $PORT1 \
+		'objectclass=*' > /dev/null 2>&1
+	RC=$?
+	if test $RC = 0 ; then
+		break
+	fi
+	echo "Waiting 5 seconds for slapd to start..."
+	sleep 5
+done
+
+if test $RC != 0 ; then
+	echo "ldapsearch failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+cat /dev/null > $SEARCHOUT
+
+echo "# Try an attribute vale regex that match, but substitute does not"
+echo "# this should fail"
+$LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \
+	$TESTOUT 2>&1 << EOMODS
+dn: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com
+changetype: modify
+replace: sn
+sn: foobarbuz
+EOMODS
+RC=$?
+case $RC in
+50)
+	echo "ldapmodify failed as expected"
+	;;
+0)
+	echo "ldapmodify should have failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit -1
+	;;
+*)
+	echo "ldapmodify failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+	;;
+esac
+
+echo "# Try an attribute vale regex that match and substitute does"
+echo "# this should succeed"
+$LDAPMODIFY -D "$JAJDN" -h $LOCALHOST -p $PORT1 -w jaj >> \
+	$TESTOUT 2>&1 << EOMODS
+dn: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com
+changetype: modify
+replace: sn
+sn: James A Jones 1
+EOMODS
+RC=$?
+
+test $KILLSERVERS != no && kill -HUP $KILLPIDS
+
+case $RC in
+0)
+	echo "ldapmodify succeed as expected"
+	;;
+*)
+	echo "ldapmodify failed ($RC)!"
+	exit $RC
+	;;
+esac
+
+echo ">>>>> Test succeeded"
+
+test $KILLSERVERS != no && wait
+
+exit 0