Commit 04286936 authored by Pierangelo Masarati's avatar Pierangelo Masarati

use "expand" instead of "regex" for group ACLs that allow substring expansion,...

use "expand" instead of "regex" for group ACLs that allow substring expansion, preserving backwards compatibility; add sanity checks
parent 490e1e4a
......@@ -184,7 +184,7 @@ It can have the forms
dn[.<dnstyle>[,<modifier>]]=<DN>
dnattr=<attrname>
group[/<objectclass>[/<attrname>]]
[.<style>]=<group>
[.<groupstyle>]=<group>
peername[.<peernamestyle>]=<peername>
sockname[.<style>]=<sockname>
domain[.<domainstyle>[,<modifier>]]=<domain>
......@@ -203,6 +203,7 @@ with
.LP
.nf
<dnstyle>={{exact|base}|regex|sub(tree)|one(level)|children}
<groupstyle>={exact|expand}
<style>={exact|regex}
<peernamestyle>={exact|regex|ip|path}
<domainstyle>={exact|regex|sub(tree)}
......@@ -286,16 +287,12 @@ define the objectClass and the member attributeType of the group entry.
The optional style qualifier
.B <style>
can be
.BR regex ,
.BR expand ,
which means that
.B <group>
will be expanded as a replacement string (but not as a regular expression)
according to regex (7), and
.B base
or
.B exact
(an alias of
.BR base ),
.BR exact ,
which means that exact match will be used.
.LP
For static groups, the specified attributeType must have
......@@ -307,7 +304,7 @@ be a subtype of the
.B labeledURI
attributeType. Only LDAP URIs of the form
.B ldap:///<base>??<scope>?<filter>
will be evaluated in a dynamic group.
will be evaluated in a dynamic group, by searching the local server only.
.LP
The statements
.BR peername=<peername> ,
......@@ -1193,7 +1193,7 @@ dn_match_cleanup:;
* the values in the attribute group
*/
/* see if asker is listed in dnattr */
if ( b->a_group_style == ACL_STYLE_REGEX ) {
if ( b->a_group_style == ACL_STYLE_EXPAND ) {
char buf[ACL_BUF_SIZE];
bv.bv_len = sizeof(buf) - 1;
bv.bv_val = buf;
......@@ -40,6 +40,7 @@
static char *style_strings[] = {
"regex",
"expand",
"base",
"one",
"subtree",
......@@ -427,6 +428,9 @@ parse_acl(
} else if ( strcasecmp( style, "regex" ) == 0 ) {
sty = ACL_STYLE_REGEX;
} else if ( strcasecmp( style, "expand" ) == 0 ) {
sty = ACL_STYLE_EXPAND;
} else if ( strcasecmp( style, "ip" ) == 0 ) {
sty = ACL_STYLE_IP;
......@@ -448,9 +452,39 @@ parse_acl(
if ( style_modifier &&
strcasecmp( style_modifier, "expand" ) == 0 )
{
expand = 1;
switch ( sty ) {
case ACL_STYLE_REGEX:
fprintf( stderr, "%s: line %d: "
"\"regex\" style implies "
"\"expand\" modifier (ignored)\n",
fname, lineno );
break;
case ACL_STYLE_EXPAND:
fprintf( stderr, "%s: line %d: "
"\"expand\" style used "
"in conjunction with "
"\"expand\" modifier (ignored)\n",
fname, lineno );
break;
default:
expand = 1;
break;
}
}
if ( ( sty == ACL_STYLE_EXPAND || expand )
&& ( a->acl_dn_pat.bv_len && a->acl_dn_style != ACL_STYLE_REGEX) )
{
fprintf( stderr, "%s: line %d: "
"\"expand\" style or modifier used "
"in conjunction with "
"a non-regex <what> clause\n",
fname, lineno );
}
if ( strcasecmp( argv[i], "*" ) == 0 ) {
bv.bv_val = ch_strdup( "*" );
bv.bv_len = 1;
......@@ -608,10 +642,26 @@ parse_acl(
char *name = NULL;
char *value = NULL;
if (sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE) {
switch ( sty ) {
case ACL_STYLE_REGEX:
/* legacy */
fprintf( stderr, "%s: line %d: "
"deprecated group style \"regex\"; "
"use \"expand\" instead\n",
fname, lineno, style );
sty = ACL_STYLE_EXPAND;
break;
case ACL_STYLE_EXPAND:
case ACL_STYLE_BASE:
/* legal */
break;
default:
/* unhandled */
fprintf( stderr, "%s: line %d: "
"inappropriate style \"%s\" in by clause\n",
fname, lineno, style );
fname, lineno, style );
acl_usage();
}
......@@ -640,7 +690,7 @@ parse_acl(
}
b->a_group_style = sty;
if (sty == ACL_STYLE_REGEX) {
if (sty == ACL_STYLE_EXPAND) {
acl_regex_normalized_dn( right, &bv );
if ( !ber_bvccmp( &bv, '*' ) ) {
regtest(fname, lineno, bv.bv_val);
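Review bot: The deprecation fprintf in the new `case ACL_STYLE_REGEX:` branch of the group-style switch passes `style` as a fourth argument while its format string only has `%s: line %d:` conversions, so the argument is silently dropped and `-Wformat-extra-args` will flag it; either remove it (`fname, lineno );`) or let the message name what it rejects, `"deprecated group style \"%s\"; use \"expand\" instead\n", fname, lineno, style`. Separately, the new check pairing an `expand` style or modifier with a non-regex `<what>` clause only prints a diagnostic and carries on, unlike the `inappropriate style` branch that calls `acl_usage()`; since a group DN with substitution placeholders presumably gets no regex captures to expand from in that case, the message or a comment should say that the clause is still accepted so an administrator does not mistake it for a rejection. parse_acl begins and ends outside these hunks.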
......@@ -1078,6 +1078,7 @@ typedef enum slap_control_e {
typedef enum slap_style_e {
ACL_STYLE_REGEX = 0,
ACL_STYLE_EXPAND,
ACL_STYLE_BASE,
ACL_STYLE_ONE,
ACL_STYLE_SUBTREE,
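Review bot: ACL_STYLE_EXPAND is inserted in the middle of slap_style_e, which renumbers ACL_STYLE_BASE and every constant after it; the `style_strings[]` table in aclparse.c, which appears to be indexed by this enum, gets a matching "expand" entry in the same commit, but nothing at the definition site ties the two orderings together. A one-line comment on the enum would prevent the next insertion from silently desynchronising the names, e.g. `/* order must match style_strings[] in aclparse.c */` above `ACL_STYLE_REGEX = 0,`. The enum continues past the end of the hunk.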