Commit 0dbaf877 authored by Kurt Zeilenga's avatar Kurt Zeilenga

Another round of changes behind -DSLAPD_SCHEMA_NOT_COMPAT

plus these unhidden changes:
	remove now meaningless --enable-discreteaci configure option
	fix ITS#451, slapd filters
	Add ber_bvecadd() to support above
	constify ldap_pvt_find_wildcard() and misc slapd routines
	renamed some slap.h macros
	likely broken something
parent 4e4b8204
......@@ -141,7 +141,6 @@ OL_ARG_ENABLE(phonetic,[ --enable-phonetic enable phonetic/soundex], no)dnl
OL_ARG_ENABLE(quipu,[ --enable-quipu build quipu migration tools], no)dnl
OL_ARG_ENABLE(rlookups,[ --enable-rlookups enable reverse lookups], auto)dnl
OL_ARG_ENABLE(aci,[ --enable-aci enable per-object ACIs], no)dnl
OL_ARG_ENABLE(discreteaci,[ --enable-discreteaci enable discrete rights in ACIs], no)dnl
OL_ARG_ENABLE(wrappers,[ --enable-wrappers enable tcp wrapper support], no)dnl
OL_ARG_ENABLE(dynamic,[ --enable-dynamic enable linking built binaries with dynamic libs], no)dnl
......@@ -242,9 +241,6 @@ if test $ol_enable_slapd = no ; then
if test $ol_enable_aci = yes ; then
AC_MSG_WARN([slapd disabled, ignoring --enable-aci argument])
fi
if test $ol_enable_discreteaci = yes ; then
AC_MSG_WARN([slapd disabled, ignoring --enable-discreteaci argument])
fi
if test $ol_with_ldbm_api != auto ; then
AC_MSG_WARN([slapd disabled, ignoring --with-ldbm-api argument])
fi
......@@ -291,7 +287,6 @@ if test $ol_enable_slapd = no ; then
ol_enable_quipu=no
ol_enable_rlookups=no
ol_enable_aci=no
ol_enable_discreteaci=no
ol_enable_wrappers=no
ol_enable_dynamic=no
......@@ -2206,9 +2201,6 @@ fi
if test "$ol_enable_aci" != no ; then
AC_DEFINE(SLAPD_ACI_ENABLED,1,[define to support per-object ACIs])
fi
if test "$ol_enable_discreteaci" != no ; then
AC_DEFINE(SLAPD_ACI_DISCRETE_RIGHTS,1,[define to support discrete rights in ACIs])
fi
if test "$ol_link_modules" != no ; then
AC_DEFINE(SLAPD_MODULES,1,[define to support modules])
......
......@@ -466,6 +466,11 @@ LIBLBER_F( void )
ber_bvecfree LDAP_P((
struct berval **bv ));
LIBLBER_F( int )
ber_bvecadd LDAP_P((
struct berval ***bvec,
struct berval *bv ));
LIBLBER_F( struct berval * )
ber_bvdup LDAP_P((
LDAP_CONST struct berval *bv ));
......
......@@ -119,7 +119,7 @@ LIBLDAP_F (int) ldap_pvt_sasl_bind LDAP_P(( LDAP *, LDAP_CONST char *, LDAP_CONS
/* search.c */
LIBLDAP_F( char * )
ldap_pvt_find_wildcard LDAP_P(( char *s ));
ldap_pvt_find_wildcard LDAP_P(( const char *s ));
LIBLDAP_F( ber_slen_t )
ldap_pvt_filter_value_unescape LDAP_P(( char *filter ));
......
......@@ -886,9 +886,6 @@
/* define to support per-object ACIs */
#undef SLAPD_ACI_ENABLED
/* define to support discrete rights in ACIs */
#undef SLAPD_ACI_DISCRETE_RIGHTS
/* define to support modules */
#undef SLAPD_MODULES
......
......@@ -270,6 +270,57 @@ ber_bvecfree( struct berval **bv )
LBER_FREE( (char *) bv );
}
int
ber_bvecadd( struct berval ***bvec, struct berval *bv )
{
ber_len_t i;
struct berval **new;
ber_int_options.lbo_valid = LBER_INITIALIZED;
if( bvec == NULL ) {
if( bv == NULL ) {
/* nothing to add */
return 0;
}
*bvec = ber_memalloc( 2 * sizeof(struct berval *) );
if( *bvec == NULL ) {
return -1;
}
(*bvec)[0] = bv;
(*bvec)[1] = NULL;
return 1;
}
BER_MEM_VALID( bvec );
/* count entries */
for ( i = 0; bvec[i] != NULL; i++ ) {
/* EMPTY */;
}
if( bv == NULL ) {
return i;
}
new = ber_memrealloc( *bvec, (i+2) * sizeof(struct berval *));
if( new == NULL ) {
return -1;
}
*bvec = new;
(*bvec)[i++] = bv;
(*bvec)[i] = NULL;
return i;
}
struct berval *
ber_bvdup(
......
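Review bot: `ber_bvecadd` tests and walks the outer pointer where it means the vector behind it: `if( bvec == NULL )` is followed directly by `*bvec = ber_memalloc(...)`, which dereferences NULL, and the counting loop `bvec[i] != NULL` steps through memory after the caller's pointer variable instead of through the array, so the resulting `i` then sizes the `ber_memrealloc` and indexes the store. The three lines should read `if( *bvec == NULL ) {`, `BER_MEM_VALID( *bvec );` and `for ( i = 0; (*bvec)[i] != NULL; i++ ) {`. The function also returns the `ber_len_t` count through an `int`. A short header comment stating the contract would help callers: -1 on allocation failure, otherwise the entry count, and `bv` is stored in the vector rather than copied.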
......@@ -424,12 +424,12 @@ static int hex2value( int c )
}
char *
ldap_pvt_find_wildcard( char *s )
ldap_pvt_find_wildcard( const char *s )
{
for( ; *s != '\0' ; s++ ) {
switch( *s ) {
case '*': /* found wildcard */
return s;
return (char *) s;
case '\\':
s++; /* skip over escape */
......
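Review bot: `return (char *) s;` hands back a writable pointer into a buffer that the new `const char *s` signature promises not to modify, so a caller that passes a constant string and writes through the result gets undefined behaviour with no compiler warning. This matches the `strchr` convention, but it deserves a comment above the function, for example `/* returns a pointer into s; the caller may write through it only if s itself is writable */`. The function body continues outside the hunk.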
......@@ -18,20 +18,37 @@
static AccessControl * acl_get(
AccessControl *ac, int *count,
Backend *be, Operation *op,
Entry *e, char *attr,
Entry *e,
#ifdef SLAPD_SCHEMA_NOT_COMPAT
AttributeType *type,
#else
const char *attr,
#endif
int nmatches, regmatch_t *matches );
static slap_control_t acl_mask(
AccessControl *ac, slap_access_mask_t *mask,
Backend *be, Connection *conn, Operation *op,
Entry *e, char *attr, struct berval *val,
Entry *e,
#ifdef SLAPD_SCHEMA_NOT_COMPAT
AttributeType *type,
#else
const char *attr,
#endif
struct berval *val,
regmatch_t *matches );
#ifdef SLAPD_ACI_ENABLED
static int aci_mask(
Backend *be,
Operation *op,
Entry *e, char *attr, struct berval *val, struct berval *aci,
Entry *e,
#ifdef SLAPD_SCHEMA_NOT_COMPAT
AttributeType *type,
#else
const char *attr,
#endif
struct berval *val, struct berval *aci,
regmatch_t *matches, slap_access_t *grant, slap_access_t *deny );
char *supportedACIMechs[] = {
......@@ -41,8 +58,10 @@ char *supportedACIMechs[] = {
};
#endif
static int regex_matches(char *pat, char *str, char *buf, regmatch_t *matches);
static void string_expand(char *newbuf, int bufsiz, char *pattern,
static int regex_matches(
char *pat, char *str, char *buf, regmatch_t *matches);
static void string_expand(
char *newbuf, int bufsiz, char *pattern,
char *match, regmatch_t *matches);
......@@ -67,10 +86,13 @@ access_allowed(
Connection *conn,
Operation *op,
Entry *e,
char *attr,
#ifdef SLAPD_SCHEMA_NOT_COMPAT
AttributeType *attr,
#else
const char *attr,
#endif
struct berval *val,
slap_access_t access
)
slap_access_t access )
{
int count;
AccessControl *a;
......@@ -105,7 +127,12 @@ access_allowed(
* by ACL_WRITE checking as any found here are not provided
* by the user
*/
if ( access >= ACL_WRITE && oc_check_op_no_usermod_attr( attr ) ) {
#ifdef SLAPD_SCHEMA_NOT_COMPAT
if ( access >= ACL_WRITE && is_at_no_user_mod( attr ) )
#else
if ( access >= ACL_WRITE && oc_check_op_no_usermod_attr( attr ) )
#endif
{
Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:"
" %s access granted\n",
attr, 0, 0 );
......@@ -202,10 +229,13 @@ acl_get(
Backend *be,
Operation *op,
Entry *e,
char *attr,
#ifdef SLAPD_SCHEMA_NOT_COMPAT
AttributeType *attr,
#else
const char *attr,
#endif
int nmatch,
regmatch_t *matches
)
regmatch_t *matches )
{
assert( e != NULL );
assert( count != NULL );
......@@ -282,7 +312,11 @@ acl_mask(
Connection *conn,
Operation *op,
Entry *e,
char *attr,
#ifdef SLAPD_SCHEMA_NOT_COMPAT
AttributeType *attr,
#else
const char *attr,
#endif
struct berval *val,
regmatch_t *matches
)
......@@ -398,7 +432,6 @@ acl_mask(
}
if ( b->a_dn_at != NULL && op->o_ndn != NULL ) {
char *dn_at;
Attribute *at;
struct berval bv;
......@@ -408,14 +441,8 @@ acl_mask(
bv.bv_val = op->o_ndn;
bv.bv_len = strlen( bv.bv_val );
#ifdef SLAPD_SCHEMA_NOT_COMPAT
dn_at = at_canonical_name( b->a_dn_at );
#else
dn_at = b->a_dn_at;
#endif
/* see if asker is listed in dnattr */
if ( (at = attr_find( e->e_attrs, dn_at )) != NULL
if ( (at = attr_find( e->e_attrs, b->a_dn_at )) != NULL
#ifdef SLAPD_SCHEMA_NOT_COMPAT
/* not yet implemented */
#else
......@@ -714,7 +741,7 @@ acl_check_modlist(
#ifdef SLAPD_ACI_ENABLED
static char *
aci_bvstrdup (struct berval *bv)
aci_bvstrdup( struct berval *bv )
{
char *s;
......@@ -727,7 +754,9 @@ aci_bvstrdup (struct berval *bv)
}
static int
aci_strbvcmp (char *s, struct berval *bv)
aci_strbvcmp(
const char *s,
struct berval *bv )
{
int res, len;
......@@ -743,7 +772,11 @@ aci_strbvcmp (char *s, struct berval *bv)
}
static int
aci_get_part (struct berval *list, int ix, char sep, struct berval *bv)
aci_get_part(
struct berval *list,
int ix,
char sep,
struct berval *bv )
{
int len;
char *p;
......@@ -778,8 +811,8 @@ aci_get_part (struct berval *list, int ix, char sep, struct berval *bv)
}
static int
aci_list_map_rights (
struct berval *list)
aci_list_map_rights(
struct berval *list )
{
struct berval bv;
slap_access_t mask;
......@@ -823,7 +856,10 @@ aci_list_map_rights (
}
static int
aci_list_has_attr (struct berval *list, char *attr, struct berval *val)
aci_list_has_attr(
struct berval *list,
const char *attr,
struct berval *val )
{
struct berval bv, left, right;
int i;
......@@ -869,7 +905,10 @@ aci_list_has_attr (struct berval *list, char *attr, struct berval *val)
}
static slap_access_t
aci_list_get_attr_rights (struct berval *list, char *attr, struct berval *val)
aci_list_get_attr_rights(
struct berval *list,
const char *attr,
struct berval *val )
{
struct berval bv;
slap_access_t mask;
......@@ -888,12 +927,12 @@ aci_list_get_attr_rights (struct berval *list, char *attr, struct berval *val)
}
static int
aci_list_get_rights (
aci_list_get_rights(
struct berval *list,
char *attr,
const char *attr,
struct berval *val,
slap_access_t *grant,
slap_access_t *deny)
slap_access_t *deny )
{
struct berval perm, actn;
slap_access_t *mask;
......@@ -974,11 +1013,11 @@ aci_group_member (
}
static int
aci_mask (
aci_mask(
Backend *be,
Operation *op,
Entry *e,
char *attr,
const char *attr,
struct berval *val,
struct berval *aci,
regmatch_t *matches,
......@@ -1063,8 +1102,12 @@ aci_mask (
bv.bv_val = op->o_ndn;
bv.bv_len = strlen( bv.bv_val );
#ifdef SLAPD_SCHEMA_NOT_COMPAT
/* not yet implemented */
#else
if (value_find( at->a_vals, &bv, at->a_syntax, 3 ) == 0 )
return(1);
#endif
}
} else if (aci_strbvcmp( "group", &bv ) == 0) {
......@@ -1080,7 +1123,8 @@ aci_mask (
}
char *
get_supported_acimech (int index)
get_supported_acimech(
int index )
{
if (index < 0 || index >= (sizeof(supportedACIMechs) / sizeof(char *)))
return(NULL);
......
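Review bot: In `access_allowed`, the `Debug( LDAP_DEBUG_ACL, ... " %s access granted\n", attr, 0, 0 )` call still passes `attr` to `%s`, but under SLAPD_SCHEMA_NOT_COMPAT the parameter is now `AttributeType *attr`, so the log call would read a struct as a C string. Pass a name member of the type instead (the hunk does not show which field holds it), or put the call under the same `#ifdef` as the condition above it. Separately, the forward declaration of `aci_mask` now takes `AttributeType *type` under that macro while the definition further down still takes `const char *attr` unconditionally, which looks like conflicting types when SLAPD_ACI_ENABLED and SLAPD_SCHEMA_NOT_COMPAT are both defined. Both functions continue outside their hunks.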
/* acl.c - routines to parse and check acl's */
/* aclparse.c - routines to parse and check acl's */
/* $OpenLDAP$ */
/*
* Copyright 1998-1999 The OpenLDAP Foundation, All Rights Reserved.
......@@ -95,6 +95,12 @@ parse_acl(
char *left, *right;
AccessControl *a;
Access *b;
#ifdef SLAPD_SCHEMA_NOT_COMPAT
int rc;
char *text;
static AttributeDescription *member = NULL;
static AttributeDescription *aci = NULL;
#endif
a = NULL;
for ( i = 1; i < argc; i++ ) {
......@@ -321,17 +327,17 @@ parse_acl(
}
#ifdef SLAPD_SCHEMA_NOT_COMPAT
b->a_dn_at = at_find( right );
rc = slap_str2ad( right, &b->a_dn_at, &text );
if( b->a_dn_at == NULL ) {
if( rc != LDAP_SUCCESS ) {
fprintf( stderr,
"%s: line %d: dnattr attribute type undefined.\n",
fname, lineno );
"%s: line %d: dnattr \"%s\": %s\n",
fname, lineno, right, text );
acl_usage();
}
#ifdef SLAPD_OID_DN_SYNTAX
if( strcmp( b->a_dn_at->sat_syntax_oid,
if( strcmp( b->a_dn_at->ad_type->sat_syntax_oid,
SLAPD_OID_DN_SYNTAX ) != 0 )
{
fprintf( stderr,
......@@ -379,7 +385,14 @@ parse_acl(
if (name && *name) {
#ifdef SLAPD_SCHEMA_NOT_COMPAT
b->a_group_at = at_find( name );
rc = slap_str2ad( right, &b->a_group_at, &text );
if( rc != LDAP_SUCCESS ) {
fprintf( stderr,
"%s: line %d: group \"%s\": %s\n",
fname, lineno, right, text );
acl_usage();
}
#else
b->a_group_at = ch_strdup(name);
#endif
......@@ -387,7 +400,7 @@ parse_acl(
} else {
#ifdef SLAPD_SCHEMA_NOT_COMPAT
b->a_group_at = at_find("member");
b->a_group_at = member;
#else
b->a_group_at = ch_strdup("member");
#endif
......@@ -402,7 +415,7 @@ parse_acl(
}
#ifdef SLAPD_OID_DN_SYNTAX
if( strcmp( b->a_group_at->sat_syntax_oid,
if( strcmp( b->a_group_at->ad_type->sat_syntax_oid,
SLAPD_OID_DN_SYNTAX ) != 0 )
{
fprintf( stderr,
......@@ -478,9 +491,16 @@ parse_acl(
#ifdef SLAPD_SCHEMA_NOT_COMPAT
if ( right != NULL && *right != '\0' ) {
b->a_aci_at = at_find( right );
rc = slap_str2ad( right, &b->a_aci_at, &text );
if( rc != LDAP_SUCCESS ) {
fprintf( stderr,
"%s: line %d: aci \"%s\": %s\n",
fname, lineno, right, text );
acl_usage();
}
} else {
b->a_aci_at = at_find( SLAPD_ACI_DEFAULT_ATTR );
b->a_aci_at = aci;
}
if( b->a_aci_at == NULL ) {
......@@ -490,7 +510,7 @@ parse_acl(
acl_usage();
}
if( strcmp( b->a_aci_at->sat_syntax_oid,
if( strcmp( b->a_aci_at->ad_type->sat_syntax_oid,
SLAPD_OID_ACI_SYNTAX ) != 0 )
{
fprintf( stderr,
......
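Review bot: In the `if (name && *name)` branch of `parse_acl`, the replacement for `at_find( name )` resolves `right` instead of `name`: `rc = slap_str2ad( right, &b->a_group_at, &text );`, and the error message prints `right` as well. The `#else` branch still uses `ch_strdup(name)`, so this looks copied from the dnattr case, and a group clause would then test membership in whatever attribute `right` names rather than the configured one. Suggested: `rc = slap_str2ad( name, &b->a_group_at, &text );` with `fname, lineno, name, text` in the fprintf. The new statics `member` and `aci` are used as the defaults for `b->a_group_at` and `b->a_aci_at`, but no visible hunk initialises them; if none does, the default group path may carry NULL into the `->ad_type->sat_syntax_oid` comparison. parse_acl continues outside the hunks.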
......@@ -20,6 +20,35 @@
#ifdef SLAPD_SCHEMA_NOT_COMPAT
static int ad_keystring(
struct berval *bv )
{
ber_len_t i;
if( !AD_CHAR( bv->bv_val[0] ) ) {
return 1;
}
for( i=1; i<bv->bv_len; i++ ) {
if( !AD_CHAR( bv->bv_val[i] ) ) {
return 1;
}
}
return 0;
}
int slap_str2ad(
const char *str,
AttributeDescription **ad,
char **text )
{
struct berval bv;
bv.bv_val = (char *) str;
bv.bv_len = strlen( str );
return slap_bv2ad( &bv, ad, text );
}
int slap_bv2ad(
struct berval *bv,
AttributeDescription **ad,
......@@ -39,8 +68,8 @@ int slap_bv2ad(
}
/* make sure description is IA5 */
if( IA5StringValidate( NULL, bv ) != 0 ) {
*text = "attribute description contains non-IA5 characters";
if( ad_keystring( bv ) ) {
*text = "attribute description contains inappropriate characters";
return LDAP_UNDEFINED_TYPE;
}
......
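Review bot: `ad_keystring` reads `bv->bv_val[0]` before looking at `bv->bv_len`, so it relies on the caller having already rejected an empty or NULL-valued berval; whatever check precedes the call in `slap_bv2ad` is outside the hunk. Making the helper self-contained costs one condition: `if( bv->bv_len == 0 || !AD_CHAR( bv->bv_val[0] ) ) {`. It also returns 1 for an invalid string and 0 for a valid one, which reads inverted at the call site `if( ad_keystring( bv ) )`; a one-line comment such as `/* returns 0 if bv is a valid keystring, nonzero otherwise */` would guard against a later inverted test.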
......@@ -65,7 +65,7 @@ attr_syntax( const char *type )
*/
void
attr_syntax_config(
at_config(
const char *fname,
int lineno,
int argc,
......@@ -166,7 +166,7 @@ at_fake_if_needed(
argv[0] = (char*) name;
argv[1] = "cis";
argv[2] = NULL;
attr_syntax_config( "implicit", 0, 2, argv );
at_config( "implicit", 0, 2, argv );
return 0;
}
}
......
......@@ -30,7 +30,6 @@ void
attr_free( Attribute *a )
{
#ifdef SLAPD_SCHEMA_NOT_COMPAT
/* not yet implemented */
ad_free( &a->a_desc, 0 );
#else
free( a->a_type );
......@@ -80,7 +79,6 @@ Attribute *attr_dup( Attribute *a )
}
#ifdef SLAPD_SCHEMA_NOT_COMPAT
/* not yet implemented */
tmp->a_desc = a->a_desc;
tmp->a_desc.ad_cname = ber_bvdup( a->a_desc.ad_cname );
tmp->a_desc.ad_lang = ch_strdup( a->a_desc.ad_lang );
......@@ -183,8 +181,7 @@ int
attr_merge(
Entry *e,
const char *type,
struct berval **vals
)
struct berval **vals )
{
Attribute **a;
......
......@@ -30,6 +30,13 @@ ldbm_back_add(
int rootlock = 0;
int rc;
#ifdef SLAPD_SCHEMA_NOT_COMPAT
static AttributeDescription *children = NULL;
#else
static const char *children = "children";
#endif
Debug(LDAP_DEBUG_ARGS, "==> ldbm_back_add: %s\n", e->e_dn, 0, 0);
/* nobody else can add until we lock our parent */
......@@ -109,7 +116,7 @@ ldbm_back_add(
free(pdn);
if ( ! access_allowed( be, conn, op, p,
"children", NULL, ACL_WRITE ) )
children, NULL, ACL_WRITE ) )
{
/* free parent and writer lock */
cache_return_entry_w( &li->li_cache, p );
......
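Review bot: Under SLAPD_SCHEMA_NOT_COMPAT, `children` is declared `static AttributeDescription *children = NULL;` and no visible line assigns it before `access_allowed( be, conn, op, p, children, NULL, ACL_WRITE )`, so the write check on the parent entry would be evaluated against a NULL attribute. Its type also differs from the `AttributeType *attr` parameter that the `access_allowed` definition takes elsewhere in this commit. If the lookup is meant to be filled in later, a comment at the declaration such as `/* TODO: resolve "children" before first use */`, together with failing the add while it is NULL, would keep the access check from silently changing meaning. ldbm_back_add continues outside the hunks.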
......@@ -215,7 +215,14 @@ static char* get_alias_dn(
int *err,
char **errmsg )
{
Attribute *a = attr_find( e->e_attrs, "aliasedobjectname" );
Attribute *a;
#ifdef SLAPD_SCHEMA_NOT_COMPAT
static AttributeDescription *aliasedObjectName = NULL;
#else
static const char *aliasedObjectName = NULL;
#endif
a = attr_find( e->e_attrs, aliasedObjectName );
if( a == NULL ) {
/*
......
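Review bot: In the `#else` branch, which is the build without SLAPD_SCHEMA_NOT_COMPAT, `static const char *aliasedObjectName = NULL;` replaces the literal that the old `attr_find( e->e_attrs, "aliasedobjectname" )` call used, so `attr_find` now receives NULL in the existing configuration. The parallel change in `ldbm_back_add` keeps its literal (`static const char *children = "children";`), which suggests this line should be `static const char *aliasedObjectName = "aliasedobjectname";`. The SLAPD_SCHEMA_NOT_COMPAT variant is also NULL with no visible initialisation. get_alias_dn continues outside the hunk.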
......@@ -41,6 +41,14 @@ ldbm_back_bind(