  1. /** BEGIN COPYRIGHT BLOCK
  2. * Copyright (C) 2001 Sun Microsystems, Inc. Used by permission.
  3. * Copyright (C) 2005 Red Hat, Inc.
  4. * All rights reserved.
  5. *
  6. * License: GPL (version 3 or any later version).
  7. * See LICENSE for details.
  8. * END COPYRIGHT BLOCK **/
  9. #ifdef HAVE_CONFIG_H
  10. #include <config.h>
  11. #endif
  12. /*****************************************************************************
  13. * acl.h
  14. *
  15. * Header file for ACL processing
  16. *
  17. *****************************************************************************/
  18. #ifndef _ACL_H_
  19. #define _ACL_H_
  20. #include <stdio.h>
  21. #include <string.h>
  22. #include <sys/types.h>
  23. #include <limits.h>
  24. #include <sys/socket.h>
  25. #include <netinet/in.h>
  26. #include <arpa/inet.h>
  27. #include <netdb.h>
  28. #include <ldap.h>
  29. #include <las.h>
  30. #include <aclproto.h>
  31. #include <aclerror.h>
  32. #include "prcvar.h"
  33. #include "slapi-plugin.h"
  34. #include "slap.h"
  35. #include "slapi-private.h"
  36. #include "portable.h"
  37. #include "avl.h"
  38. #include "cert.h"
  39. #include <plhash.h>
/*
 * Solaris TNF tracing probes.  On every other platform the two probe
 * macros expand to nothing, so TNF_PROBE_*_DEBUG() calls in the plugin
 * compile away entirely and cost nothing at runtime.
 */
#ifdef SOLARIS
#include <tnf/probe.h>
#else
#define TNF_PROBE_0_DEBUG(a, b, c)
#define TNF_PROBE_1_DEBUG(a, b, c, d, e, f)
#endif
/* Name under which this plugin identifies itself; plugin_name is defined in a .c file. */
#define ACL_PLUGIN_NAME "NSACLPlugin"
extern char *plugin_name;
/*
 * Define the OID for version 2 of the proxied authorization control if
 * it is not already defined (it is in recent copies of ldap.h).
 */
#ifndef LDAP_CONTROL_PROXIEDAUTH
#define LDAP_CONTROL_PROXIEDAUTH "2.16.840.1.113730.3.4.18"
#endif
/*
 * Shorthand for "pointer to unsigned char".  Because the '*' is inside the
 * macro, "ACLUCHP a, b;" declares only a as a pointer.
 */
#define ACLUCHP unsigned char *
/*
 * String constants for the aci attribute, its search filter, and the
 * keyword names used inside an aci value.  These are 'static' in a header,
 * so every translation unit that includes acl.h gets its own copy of the
 * pointers (the literals themselves are read-only).
 */
static char *const aci_attr_type = "aci";
static char *const filter_string = "aci=*";
static char *const aci_targetdn = "target";
static char *const aci_targetattr = "targetattr";
static char *const aci_targetattrfilters = "targattrfilters";
static char *const aci_targetfilter = "targetfilter";
static char *const aci_target_to = "target_to";
static char *const aci_target_from = "target_from";
/*
 * LDAP URL prefixes.  The *_core forms are the scheme plus "//" only; the
 * plain forms carry the third '/' of a host-less "ldap:///<dn>" URL.
 */
static char *const LDAP_URL_prefix_core = "ldap://";
static char *const LDAPS_URL_prefix_core = "ldaps://";
static char *const LDAP_URL_prefix = "ldap:///";
static char *const LDAPS_URL_prefix = "ldaps:///";
/* Names of the access rights as written in an aci allow/deny clause. */
static char *const access_str_compare = "compare";
static char *const access_str_search = "search";
static char *const access_str_read = "read";
static char *const access_str_write = "write";
static char *const access_str_delete = "delete";
static char *const access_str_add = "add";
static char *const access_str_selfwrite = "selfwrite";
static char *const access_str_proxy = "proxy";
static char *const access_str_moddn = "moddn";
/* Initial element count for attribute arrays (presumably grown on demand). */
#define ACL_INIT_ATTR_ARRAY 5
/* define the method */
#define DS_METHOD "ds_method"
/*
 * Escape a string for an ACL log message, but only when SLAPI_LOG_ACL
 * logging is actually enabled; otherwise the macro evaluates to "" and the
 * escaping work is skipped.  Because the result is empty when the log level
 * is off, use it only for arguments of log messages, never for values the
 * code goes on to process.
 */
#define ACL_ESCAPE_STRING_WITH_PUNCTUATION(x, y) (slapi_is_loglevel_set(SLAPI_LOG_ACL) ? escape_string_with_punctuation(x, y) : "")
/*
 * Lases: the rule keyword names the DS understands in an aci bind rule.
 * Each has a matching DS_LAS*Eval() evaluator declared further down.
 */
#define DS_LAS_USER "user"
#define DS_LAS_GROUP "group"
#define DS_LAS_USERDN "userdn"
#define DS_LAS_GROUPDN "groupdn"
#define DS_LAS_SELFDNATTR "selfdnattr"
#define DS_LAS_USERDNATTR "userdnattr"
#define DS_LAS_AUTHMETHOD "authmethod"
#define DS_LAS_GROUPDNATTR "groupdnattr"
#define DS_LAS_USERATTR "userattr"
#define DS_LAS_ROLEDN "roledn"
#define DS_LAS_ROLEDNATTR "rolednattr"
#define DS_LAS_SSF "ssf"
/*
 * These define the things that aclutil_evaluate_macro() supports.
 * Enumerator values start at 0, so ACL_EVAL_USER == 0, ACL_EVAL_GROUP == 1
 * and ACL_EVAL_ROLE == 2.
 */
typedef enum {
    ACL_EVAL_USER,
    ACL_EVAL_GROUP,
    ACL_EVAL_ROLE,
    ACL_EVAL_GROUPDNATTR,
    ACL_EVAL_TARGET_FILTER
} acl_eval_types;
/* Kind of "$dn" macro found in a rule: "($dn)" or the "[$dn]" levels form. */
typedef enum {
    ACL_RULE_MACRO_DN_TYPE,
    ACL_RULE_MACRO_DN_LEVELS_TYPE
} acl_rule_macro_types;
/* Literal macro markers searched for in aci target strings and bind rules. */
#define ACL_TARGET_MACRO_DN_KEY "($dn)"
#define ACL_RULE_MACRO_DN_KEY "($dn)"
#define ACL_RULE_MACRO_DN_LEVELS_KEY "[$dn]"
#define ACL_RULE_MACRO_ATTR_KEY "($attr."
/*
 * NOTE(review): these three macros carry the same names as the first three
 * enumerators of acl_eval_types above.  Their values (0, 1, 2) equal the
 * enumerators' positions, so existing uses still evaluate identically, but
 * from this point on the macro shadows the enumerator.  They look redundant.
 */
#define ACL_EVAL_USER 0
#define ACL_EVAL_GROUP 1
#define ACL_EVAL_ROLE 2
/* The LASes are implemented in the libaccess library */
#define DS_LAS_TIMEOFDAY "timeofday"
#define DS_LAS_DAYOFWEEK "dayofweek"
/*
 * ACL function return codes.
 * Convention: ACL_TRUE (alias ACL_OK) is 1 and ACL_FALSE is 0, so a zero
 * return means "false / not allowed", NOT success.  All negative values are
 * errors; ACL_DONT_KNOW is the "could not decide" case and, like the other
 * negative codes, must never be read as an allow.
 */
#define ACL_TRUE 1 /* evaluation results to TRUE */
#define ACL_OK ACL_TRUE
#define ACL_FALSE 0 /* evaluation results to FALSE */
#define ACL_ERR -1 /* generic error */
#define ACL_TARGET_FILTER_ERR -2 /* Target filter not set properly */
#define ACL_TARGETATTR_FILTER_ERR -3 /* TargetAttr filter not set properly */
#define ACL_TARGETFILTER_ERR -4 /* Target filter not set properly */
#define ACL_SYNTAX_ERR -5 /* Syntax error */
#define ACL_ONEACL_TEXT_ERR -6 /* ONE ACL text error */
#define ACL_ERR_CONCAT_HANDLES -7 /* unable to concat the handles */
#define ACL_INVALID_TARGET -8 /* invalid target */
#define ACL_INVALID_AUTHMETHOD -9 /* multiple client auth */
#define ACL_INVALID_AUTHORIZATION -10 /* no authorization */
#define ACL_INCORRECT_ACI_VERSION -11 /* incorrect version # */
#define ACL_DONT_KNOW -12 /* the world is an uncertain place */
/*
 * Property and attribute names supported by the DS.  These are the keys
 * under which the DS-side getters and LAS evaluators exchange the
 * connection, client DN, entry, auth type, client cert, SSF and LDAPI
 * information with the libaccess evaluator (names only; the value types
 * are defined by the code that stores them).
 */
#define DS_PROP_CONNECTION "connection"
#define DS_ATTR_USERDN "userdn"
#define DS_ATTR_ENTRY "entry"
#define DS_PROP_ACLPB "aclblock"
#define DS_ATTR_AUTHTYPE "authtype"
#define DS_ATTR_CERT "clientcert"
#define DS_ATTR_SSF "ssf"
#define DS_ATTR_LDAPI "ldapi"
/* Capacity of anom_e_targetInfo; anonymous-profile code must not record more than this many ACIs. */
#define ACL_ANOM_MAX_ACL 40
/*
 * Per-entry summary for the anonymous-access profile.  The array is a
 * fixed-size inline buffer, so whoever fills it must keep
 * anom_e_nummatched <= ACL_ANOM_MAX_ACL.
 */
struct scoped_entry_anominfo
{
    short anom_e_targetInfo[ACL_ANOM_MAX_ACL]; /* matched-target info, one slot per ACI */
    short anom_e_nummatched;                   /* number of valid slots in anom_e_targetInfo */
    short anom_e_isrootds;                     /* non-zero: entry is the root DSE (presumably) */
};
/*
 * One "targetattr" element of an aci.  attr_type selects which member of
 * the union is valid: ACL_ATTR_STRING -> u.attr_str, ACL_ATTR_FILTER ->
 * u.attr_filter, ACL_ATTR_STAR -> the attribute is "*" only.
 */
typedef struct targetattr
{
    int attr_type; /* one of the ACL_ATTR_* values below */
#define ACL_ATTR_FILTER 0x01
#define ACL_ATTR_STRING 0x02
#define ACL_ATTR_STAR 0x04 /* attr is * only */
    union
    {
        char *attr_str;                   /* attribute name (ACL_ATTR_STRING) */
        struct slapi_filter *attr_filter; /* parsed filter (ACL_ATTR_FILTER) */
    } u;
} Targetattr;
/*
 * One "targattrfilters" element: an attribute name paired with a value
 * filter, kept both as its source text and in parsed form.
 */
typedef struct targetattrfilter
{
    char *attr_str;              /* attribute name */
    char *filterStr;             /* filter as written in the aci */
    struct slapi_filter *filter; /* value filter */
} Targetattrfilter;
/*
 * Macro ("($dn)") information for an aci target.  macro_ptr is not a
 * separate allocation: it points into match_this, so only match_this is
 * owned memory.
 */
typedef struct Aci_Macro
{
    char *match_this;
    char *macro_ptr; /* ptr into match_this */
} aciMacro;
/* Hash table type used by the acl_ht_* helpers declared below (NSPR PLHashTable). */
typedef PLHashTable acl_ht_t;
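/*
 * Access Control Item (aci): Stores information about a particular ACL.
 *
 * aci_type is a bit set of the ACI_TARGET_* / ACI_HAS_* / ACI_CONTAIN_* flags,
 * aci_ruleType a bit set of the ACI_*_RULE flags.  Every flag in each set
 * must own a distinct bit, since the flags are OR'ed together and tested
 * individually.
 */
typedef struct aci
{
    int aci_type; /* Type of resource: OR of the ACI_* bits below */
    /* THE FIRST BYTE WAS USED TO KEEP THE RIGHTS. ITS BEEN MOVED TO
    ** aci_access and is now free.
    */
#define ACI_TARGET_MACRO_DN (int)0x0000001
#define ACI_TARGET_FILTER_MACRO_DN (int)0x0000002
#define ACI_TARGET_DN (int)0x0000100 /* target has DN */
#define ACI_TARGET_ATTR (int)0x0000200 /* target is an attr */
#define ACI_TARGET_PATTERN (int)0x0000400 /* target has some patt */
#define ACI_TARGET_FILTER (int)0x0000800 /* target has a filter */
#define ACI_ACLTXT (int)0x0001000 /* ACI has text only */
#define ACI_TARGET_NOT (int)0x0002000 /* it's a != */
#define ACI_TARGET_ATTR_NOT (int)0x0004000 /* It's a != manager */
#define ACI_TARGET_FILTER_NOT (int)0x0008000 /* It's a != filter */
#define ACI_UNUSED2 (int)0x0010000 /* Unused */
#define ACI_HAS_ALLOW_RULE (int)0x0020000 /* allow (...) */
#define ACI_HAS_DENY_RULE (int)0x0040000 /* deny (...) */
#define ACI_CONTAIN_NOT_USERDN (int)0x0080000 /* userdn != blah */
#define ACI_TARGET_ATTR_ADD_FILTERS (int)0x0100000
#define ACI_TARGET_ATTR_DEL_FILTERS (int)0x0200000
#define ACI_CONTAIN_NOT_GROUPDN (int)0x0400000 /* groupdn != blah */
#define ACI_CONTAIN_NOT_ROLEDN (int)0x0800000
#define ACI_TARGET_MODDN (int)0x1000000
#define ACI_TARGET_MODDN_FROM_PATTERN (int)0x2000000
#define ACI_TARGET_MODDN_TO_PATTERN (int)0x4000000
    int aci_access; /* the rights this aci grants or denies */
    /*
     * See also aclpb_access which is used to store rights too.
     */
    short aci_ruleType; /* kinds of rules in the ACL: OR of the ACI_*_RULE bits */
#define ACI_USERDN_RULE (short)0x0001
#define ACI_USERDNATTR_RULE (short)0x0002
#define ACI_GROUPDN_RULE (short)0x0004
#define ACI_GROUPDNATTR_RULE (short)0x0008
#define ACI_AUTHMETHOD_RULE (short)0x0010
#define ACI_IP_RULE (short)0x0020
#define ACI_DNS_RULE (short)0x0040
#define ACI_TIMEOFDAY_RULE (short)0x0080
    /*
     * 0x0100 is the one bit not used by any other ACI_*_RULE flag.  This
     * used to be 0x0010, the same bit as ACI_AUTHMETHOD_RULE, so a dayofweek
     * rule was indistinguishable from an authmethod rule wherever
     * aci_ruleType is tested.  Each rule kind now owns its own bit.
     */
#define ACI_DAYOFWEEK_RULE (short)0x0100
#define ACI_USERATTR_RULE (short)0x0200
    /*
     * These are extension of USERDN/GROUPDN rule. However since the
     * semantics are quite different, we classify them as different rules.
     * ex: groupdn = "ldap:///cn=helpdesk, ou=$attr.dept, o=$dn.o, o=isp"
     */
#define ACI_PARAM_DNRULE (short)0x0400
#define ACI_PARAM_ATTRRULE (short)0x0800
#define ACI_USERDN_SELFRULE (short)0x1000
#define ACI_ROLEDN_RULE (short)0x2000
#define ACI_SSF_RULE (short)0x4000
    /* Rules whose outcome depends on the entry's attributes. */
#define ACI_ATTR_RULES (ACI_USERDNATTR_RULE | ACI_GROUPDNATTR_RULE | ACI_USERATTR_RULE | ACI_PARAM_DNRULE | ACI_PARAM_ATTRRULE | ACI_USERDN_SELFRULE)
    /* Results for these rule kinds can only be cached per entry, not per operation. */
#define ACI_CACHE_RESULT_PER_ENTRY ACI_ATTR_RULES
    short aci_elevel; /* Based on the aci type some idea about the
                      ** execution flow (one of the ACI_ELEVEL_* values)
                      */
    int aci_index;                               /* index # */
    Slapi_DN *aci_sdn;                           /* location */
    Slapi_Filter *target;                        /* Target is a DN */
    Targetattr **targetAttr;                     /* NULL-terminated targetattr list (presumably) */
    char *targetFilterStr;                       /* targetfilter as written in the aci */
    struct slapi_filter *targetFilter;           /* Target has a filter */
    Targetattrfilter **targetAttrAddFilters;     /* targattrfilters for add */
    Targetattrfilter **targetAttrDelFilters;     /* targattrfilters for del */
    Slapi_Filter *target_to;                     /* Target is the destination DN of moddn */
    Slapi_Filter *target_from;                   /* Target is the source DN of moddn */
    char *aclName;                               /* ACL name */
    struct ACLListHandle *aci_handle;            /*handle of the ACL */
    aciMacro *aci_macro;                         /* set when the target contains a ($dn) macro */
    struct aci *aci_next;                        /* next one */
} aci_t;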
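/* Aci execution level
** The idea is that for each handle types, we can prioritize which one to evaluate first.
** Evaluating the user before the group is better.
** ACI_MAX_ELEVEL is one past the highest predefined level and is also used
** as the default level for an aci that does not get a more specific one.
*/
#define ACI_ELEVEL_USERDN_ANYONE 0
#define ACI_ELEVEL_USERDN_ALL 1
#define ACI_ELEVEL_USERDN 2
#define ACI_ELEVEL_USERDNATTR 3
#define ACI_ELEVEL_GROUPDNATTR_URL 4
#define ACI_ELEVEL_GROUPDNATTR 5
#define ACI_ELEVEL_GROUPDN 6
/*
 * Parenthesized so that the macro is safe inside a larger expression:
 * an unparenthesized "ACI_ELEVEL_GROUPDN + 1" turns "2 * ACI_MAX_ELEVEL"
 * into "2 * 6 + 1" instead of "2 * 7".
 */
#define ACI_MAX_ELEVEL (ACI_ELEVEL_GROUPDN + 1)
#define ACI_DEFAULT_ELEVEL ACI_MAX_ELEVEL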
/* DN of this plugin's configuration entry. */
#define ACL_PLUGIN_CONFIG_ENTRY_DN "cn=ACL Plugin,cn=plugins,cn=config"
/*
 * In plugin config entry, set this attribute to change the value
 * of aclpb_max_selected_acls and aclpb_max_cache_results.
 * If not set, DEFAULT_ACLPB_MAX_SELECTED_ACLS will be used.
 */
#define ATTR_ACLPB_MAX_SELECTED_ACLS "nsslapd-aclpb-max-selected-acls"
#define DEFAULT_ACLPB_MAX_SELECTED_ACLS 200
extern int aclpb_max_selected_acls; /* initialized from plugin config entry */
extern int aclpb_max_cache_results; /* initialized from plugin config entry */
/*
 * Cached evaluation result for one aci (identified by aci_index) within an
 * operation.  'result' is a bit set of the ACLPB_CACHE_* flags below; the
 * READ/SEARCH ALLOW and DENY bits are separate because allow and deny
 * handles are evaluated separately.
 */
typedef struct result_cache
{
    int aci_index;      /* which aci this entry is for */
    short aci_ruleType; /* copy of the aci's rule-type bits */
    short result;       /* OR of ACLPB_CACHE_* below */
#define ACLPB_CACHE_READ_RES_ALLOW (short)0x0001 /* used for ALLOW handles only */
#define ACLPB_CACHE_READ_RES_DENY (short)0x0002 /* used for DENY handles only */
#define ACLPB_CACHE_SEARCH_RES_ALLOW (short)0x0004 /* used for ALLOW handles only */
#define ACLPB_CACHE_SEARCH_RES_DENY (short)0x0008 /* used for DENY handles only */
#define ACLPB_CACHE_SEARCH_RES_SKIP (short)0x0010 /* used for both types */
#define ACLPB_CACHE_READ_RES_SKIP (short)0x0020 /* used for both types */
#define ACLPB_CACHE_ERROR_REPORTED (short)0x8000 /* error is reported */
} r_cache_t;
/*
 * This is used to keep the result of the evaluation of an attr.
 * We are only interested in read/search.
 * The *_status fields hold ACL_ATTREVAL_* bits; ACL_ATTREVAL_DETERMINISTIC
 * (7) is SUCCESS | FAIL | RECOMPUTE, i.e. the mask of the bits that mean
 * "an answer exists", as opposed to ACL_ATTREVAL_INVALID.
 */
struct acl_attrEval
{
    char *attrEval_name;     /* Attribute Name */
    short attrEval_r_status; /* status of read evaluation */
    short attrEval_s_status; /* status of search evaluation */
    int attrEval_r_aciIndex; /* Index of the ACL which grants access*/
    int attrEval_s_aciIndex; /* Index of the ACL which grants access*/
#define ACL_ATTREVAL_SUCCESS 0x1
#define ACL_ATTREVAL_FAIL 0x2
#define ACL_ATTREVAL_RECOMPUTE 0x4
#define ACL_ATTREVAL_DETERMINISTIC 7
#define ACL_ATTREVAL_INVALID 0x8
};
typedef struct acl_attrEval AclAttrEval;
/*
 * Struct to keep the evaluation context information. This struct is
 * used in multiple places ( different instance ) to keep the context for
 * current entry evaluation, previous entry evaluation or previous operation
 * evaluation status.
 *
 * acle_attrEval is a fixed inline array: code that appends to it must
 * check acle_numof_attrs < ACLPB_MAX_ATTRS first, there is no overflow
 * protection in the structure itself.
 */
#define ACLPB_MAX_ATTR_LEN 100
#define ACLPB_MAX_ATTRS 100
struct acleval_context
{
    /* Information about the attrs */
    AclAttrEval acle_attrEval[ACLPB_MAX_ATTRS];
    short acle_numof_attrs; /* number of valid entries in acle_attrEval */
    /* Handles information */
    short acle_numof_tmatched_handles;  /* count of entries in acle_handles_matched_target */
    int *acle_handles_matched_target;   /* indexes of handles whose target matched */
};
typedef struct acleval_context aclEvalContext;
/*
 * Cached group-membership information for one client DN.  Entries live in
 * a doubly linked list inside the group cache (struct acl_groupcache) and
 * are reference counted; see the locking rule on aclug_refcnt.
 */
struct acl_usergroup
{
    short aclug_signature; /* cache generation this entry was built for */
    /*
     * To modify refcnt you need either the write lock on the whole cache or
     * the reader lock on the whole cache plus this refcnt mutex
     */
    short aclug_refcnt;
    PRLock *aclug_refcnt_mutex;
    char *aclug_ndn; /* Client's normalized DN */
    char **aclug_member_groups;         /* groups the client is known to belong to */
    short aclug_member_group_size;      /* allocated size of aclug_member_groups */
    short aclug_numof_member_group;     /* number of entries in use */
    char **aclug_notmember_groups;      /* groups the client is known NOT to belong to */
    short aclug_notmember_group_size;   /* allocated size of aclug_notmember_groups */
    short aclug_numof_notmember_group;  /* number of entries in use */
    struct acl_usergroup *aclug_next;
    struct acl_usergroup *aclug_prev;
};
typedef struct acl_usergroup aclUserGroup;
/* Growth step for the member / notmember group arrays. */
#define ACLUG_INCR_GROUPS_LIST 20
/* One node of the aci cache: all ACIs defined on a given DN. */
struct aci_container
{
    Slapi_DN *acic_sdn; /* node DN */
    aci_t *acic_list;   /* List of the ACLs for that node */
    int acic_index;     /* index to the container array */
};
typedef struct aci_container AciContainer;
/*
 * Per-operation ACL evaluation state (the "acl pblock").  aclpb_type says
 * whether this is the main block or the child proxy block reachable through
 * aclpb_proxy; blocks are also chained through aclpb_prev / aclpb_next.
 * Rights requested by the operation live in aclpb_access, the state of the
 * evaluation in the ACLPB_* bits of aclpb_state.
 */
struct acl_pblock
{
    int aclpb_state; /* OR of the ACLPB_* state bits below */
#define ACLPB_ACCESS_ALLOWED_ON_A_ATTR 0x000001
#define ACLPB_ACCESS_DENIED_ON_ALL_ATTRS 0x000002
#define ACLPB_ACCESS_ALLOWED_ON_ENTRY 0x000004
#define ACLPB_ATTR_STAR_MATCHED 0x000008
#define ACLPB_FOUND_ATTR_RULE 0x000010
#define ACLPB_SEARCH_BASED_ON_LIST 0x000020
#define ACLPB_EXECUTING_DENY_HANDLES 0x000040
#define ACLPB_EXECUTING_ALLOW_HANDLES 0x000080
#define ACLPB_ACCESS_ALLOWED_USERATTR 0x000100
#ifdef DETERMINE_ACCESS_BASED_ON_REQUESTED_ATTRIBUTES
#define ACLPB_USER_SPECIFIED_ATTARS 0x000200
#define ACLPB_USER_WANTS_ALL_ATTRS 0x000400
#endif
#define ACLPB_EVALUATING_FIRST_ATTR 0x000800
#define ACLPB_FOUND_A_ENTRY_TEST_RULE 0x001000
#define ACLPB_SEARCH_BASED_ON_ENTRY_LIST 0x002000
#define ACLPB_DONOT_USE_CONTEXT_ACLS 0x004000
#define ACLPB_HAS_ACLCB_EVALCONTEXT 0x008000
#define ACLPB_COPY_EVALCONTEXT 0x010000
#define ACLPB_MATCHES_ALL_ACLS 0x020000
#define ACLPB_INITIALIZED 0x040000
#define ACLPB_INCR_ACLCB_CACHE 0x080000
#define ACLPB_UPD_ACLCB_CACHE 0x100000
#define ACLPB_ATTR_RULE_EVALUATED 0x200000
#define ACLPB_DONOT_EVALUATE_PROXY 0x400000
#define ACLPB_CACHE_RESULT_PER_ENTRY_SKIP 0x800000
    /* The per-decision bits; presumably cleared together before each new entry. */
#define ACLPB_RESET_MASK (ACLPB_ACCESS_ALLOWED_ON_A_ATTR | ACLPB_ACCESS_DENIED_ON_ALL_ATTRS | \
                          ACLPB_ACCESS_ALLOWED_ON_ENTRY | ACLPB_ATTR_STAR_MATCHED | \
                          ACLPB_FOUND_ATTR_RULE | ACLPB_EVALUATING_FIRST_ATTR | \
                          ACLPB_FOUND_A_ENTRY_TEST_RULE)
#define ACLPB_STATE_ALL 0xffffff
    int aclpb_res_type; /* OR of the ACLPB_* resource-type bits below */
#define ACLPB_NEW_ENTRY 0x100
#define ACLPB_EFFECTIVE_RIGHTS 0x200
#define ACLPB_RESTYPE_ALL 0x7ff
    /*
     * The bottom byte used to be for rights. It's free now as they have
     * been moved to aclpb_access.
     */
    int aclpb_access; /* requested rights, plus the two write sub-flags below */
#define ACLPB_SLAPI_ACL_WRITE_ADD 0x200
#define ACLPB_SLAPI_ACL_WRITE_DEL 0x400
    /* stores the requested access during an operation */
    short aclpb_signature; /* aci cache generation this block was set up against */
    short aclpb_type;      /* ACLPB_TYPE_MAIN or ACLPB_TYPE_PROXY */
#define ACLPB_TYPE_MAIN 1
#define ACLPB_TYPE_MAIN_STR "Main Block"
#define ACLPB_TYPE_PROXY 2
#define ACLPB_TYPE_PROXY_STR "Proxy Block"
    Slapi_Entry *aclpb_client_entry; /* A copy of client's entry */
    Slapi_PBlock *aclpb_pblock;      /* back to LDAP PBlock */
    int aclpb_optype;                /* current optype from pb */
    /* Current entry/dn/attr evaluation info */
    Slapi_Entry *aclpb_curr_entry;          /* current Entry being processed */
    int aclpb_num_entries;
    Slapi_DN *aclpb_curr_entry_sdn;         /* Entry's SDN */
    Slapi_DN *aclpb_authorization_sdn;      /* dn used for authorization */
    AclAttrEval *aclpb_curr_attrEval;       /* Current attr being evaluated */
    struct berval *aclpb_curr_attrVal;      /* Value of Current attr */
    Slapi_Entry *aclpb_filter_test_entry;   /* Scratch entry */
    aci_t *aclpb_curr_aci;                  /* aci currently being evaluated */
    char *aclpb_Evalattr;                   /* The last attr evaluated */
    /* Source entry (MODDN) */
    Slapi_DN *aclpb_moddn_source_sdn; /* This is a pointer into the pb, do not free it */
    /* Plist and eval info */
    ACLEvalHandle_t *aclpb_acleval;        /* acleval handle for evaluation */
    struct PListStruct_s *aclpb_proplist;  /* All the needed property */
    /* DENY ACI HANDLES */
    aci_t **aclpb_deny_handles;
    int aclpb_deny_handles_size;  /* allocated size of aclpb_deny_handles */
    int aclpb_num_deny_handles;   /* entries in use */
    /* ALLOW ACI HANDLES */
    aci_t **aclpb_allow_handles;
    int aclpb_allow_handles_size; /* allocated size of aclpb_allow_handles */
    int aclpb_num_allow_handles;  /* entries in use */
    /* This is used in the groupdnattr="URL" rule
    ** Keep a list of base where searched has been done
    */
    char **aclpb_grpsearchbase;
    int aclpb_grpsearchbase_size; /* allocated size of aclpb_grpsearchbase */
    int aclpb_numof_bases;        /* entries in use */
    aclUserGroup *aclpb_groupinfo; /* cached group membership of the client */
    /* Keep the Group nesting level */
    int aclpb_max_nesting_level;
    /* To keep the results in the cache */
    int aclpb_last_cache_result;
    struct result_cache *aclpb_cache_result;
    /* Index numbers of ACLs selected based on a locality search*/
    char *aclpb_search_base;
    int *aclpb_base_handles_index;
    int *aclpb_handles_index;
    /* Evaluation context info
    ** 1) Context cached from aclcb ( from connection struct )
    ** 2) Context cached from previous entry evaluation
    ** 3) current entry evaluation info
    */
    aclEvalContext aclpb_curr_entryEval_context;
    aclEvalContext aclpb_prev_entryEval_context;
    aclEvalContext aclpb_prev_opEval_context;
    /* Current entry anom profile summary */
    struct scoped_entry_anominfo aclpb_scoped_entry_anominfo;
    /* Some Statistics gathering */
    PRUint16 aclpb_stat_acllist_scanned;
    PRUint16 aclpb_stat_aclres_matched;
    PRUint16 aclpb_stat_total_entries;
    PRUint16 aclpb_stat_anom_list_scanned;
    PRUint16 aclpb_stat_num_copycontext;
    PRUint16 aclpb_stat_num_copy_attrs;
    PRUint16 aclpb_stat_num_tmatched_acls;
    PRUint16 aclpb_stat_unused;
    CERTCertificate *aclpb_clientcert;   /* client certificate, if any */
    AciContainer *aclpb_aclContainer;
    struct acl_pblock *aclpb_proxy; /* Child proxy block */
    acl_ht_t *aclpb_macro_ht;       /* ht for partial macro strs */
    struct acl_pblock *aclpb_prev;  /* Previous in the chain */
    struct acl_pblock *aclpb_next;  /* Next in the chain */
};
typedef struct acl_pblock Acl_PBlock;
/* PBLOCK TYPES: which acl pblock(s) an operation refers to (bind DN, proxy DN, or both). */
typedef enum {
    ACLPB_BINDDN_PBLOCK,
    ACLPB_PROXYDN_PBLOCK,
    ACLPB_ALL_PBLOCK
} aclpb_types;
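/* Selects one of the three aclEvalContext instances kept in an acl pblock. */
#define ACLPB_EVALCONTEXT_CURR 1
#define ACLPB_EVALCONTEXT_PREV 2
#define ACLPB_EVALCONTEXT_ACLCB 3
/* Cleaning/ deallocating/ ... acl_freeBlock() */
#define ACL_CLEAN_ACLPB 1
#define ACL_COPY_ACLCB 2
#define ACL_CLEAN_ACLCB 3
/* used to differentiate acl plugins sharing the same lib */
#define ACL_PLUGIN_IDENTITY 1
#define ACL_PREOP_PLUGIN_IDENTITY 2
/* start with 50 and then add 50 more as required
 * The first ACI_MAX_ELEVEL slots are predefined.
 * Parenthesized: ACI_MAX_ELEVEL is itself an expression, so without the
 * parentheses a use such as "n * ACLPB_INCR_LIST_HANDLES" would misgroup.
 */
#define ACLPB_INCR_LIST_HANDLES (ACI_MAX_ELEVEL + 43)
/* growth step for the groupdnattr search-base list */
#define ACLPB_INCR_BASES 5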
/*
 * acl private block which hangs from connection structure.
 * This is allocated the first time an operation is done and freed when the
 * connection are cleaned.
 *
 * Holds the bind DN and an evaluation context cached across operations on
 * the same connection (ACLCB_HAS_CACHED_EVALCONTEXT in aclcb_state says
 * whether aclcb_eval_context is valid).
 */
struct acl_cblock
{
    short aclcb_aclsignature; /* aci cache generation the cached context belongs to */
    short aclcb_state;        /* ACLCB_* bits */
#define ACLCB_HAS_CACHED_EVALCONTEXT 0x1
    Slapi_DN *aclcb_sdn;              /* Contains bind SDN */
    aclEvalContext aclcb_eval_context;
    PRLock *aclcb_lock;               /* shared lock */
};
/*
 * The process-wide user/group membership cache: a doubly linked list of
 * aclUserGroup entries guarded by aclg_rwlock.
 */
struct acl_groupcache
{
    short aclg_state;     /* status information */
    short aclg_signature; /* current cache generation */
    int aclg_num_userGroups;
    aclUserGroup *aclg_first;
    aclUserGroup *aclg_last;
    Slapi_RWLock *aclg_rwlock; /* lock to monitor the group cache */
};
typedef struct acl_groupcache aclGroupCache;
/* Type of extensions that can be registered (see acl_get_ext / acl_set_ext below). */
typedef enum {
    ACL_EXT_OPERATION,  /* extension for Operation object */
    ACL_EXT_CONNECTION, /* extension for Connection object */
    ACL_EXT_ALL
} ext_type;
/*
 * Used to pass data around in acllas.c: the facts about the bound client
 * and the entry being evaluated that the LAS evaluators need.
 */
typedef struct
{
    char *clientDn;             /* client DN (normalized form assumed; confirm in acllas.c) */
    char *authType;             /* how the client authenticated */
    int anomUser;               /* non-zero when the client is anonymous */
    Acl_PBlock *aclpb;          /* the acl pblock of the operation */
    Slapi_Entry *resourceEntry; /* entry being accessed */
    int ssf;                    /* security strength factor of the connection */
    char *ldapi;                /* LDAPI connection marker (see DS_ATTR_LDAPI) */
} lasInfo;
/* reasons why the subject allowed/denied access--good for logs */
/* This is a uint by default */
typedef enum {
    ACL_REASON_NO_ALLOWS,
    ACL_REASON_RESULT_CACHED_DENY,
    ACL_REASON_EVALUATED_DENY,             /* evaluated deny */
    ACL_REASON_RESULT_CACHED_ALLOW,        /* cached allow */
    ACL_REASON_EVALUATED_ALLOW,            /* evaluated allow */
    ACL_REASON_NO_MATCHED_RESOURCE_ALLOWS, /* were allows/denies, but none matched */
    ACL_REASON_NONE,                       /* no reason available */
    ACL_REASON_ANON_ALLOWED,
    ACL_REASON_ANON_DENIED,
    ACL_REASON_NO_MATCHED_SUBJECT_ALLOWS,
    ACL_REASON_EVALCONTEXT_CACHED_ALLOW,
    ACL_REASON_EVALCONTEXT_CACHED_NOT_ALLOWED,
    ACL_REASON_EVALCONTEXT_CACHED_ATTR_STAR_ALLOW
} aclReasonCode_t;
/*
 * Outcome explanation for an access decision: the aci that decided it (may
 * be NULL when no single aci did) and why.  Intended for the access log.
 */
typedef struct
{
    aci_t *deciding_aci;
    aclReasonCode_t reason;
} aclResultReason_t;
/* aci index reported when no aci decided the outcome */
#define ACL_NO_DECIDING_ACI_INDEX -10
/* Extern declaration for backend state change fnc: acllist.c and aclinit.c */
void acl_be_state_change_fnc(void *handle, char *be_name, int old_state, int new_state);
/*
 * Extern declaration for ATTRs.
 * Property getters handed to the libaccess evaluator: each supplies one
 * attribute (IP, DNS name, user DN, group DN, entry, client cert) to the
 * subject/resource property lists.  All share the libaccess getter signature.
 */
extern int
DS_LASIpGetter(NSErr_t *errp, PList_t subject, PList_t resource, PList_t auth_info, PList_t global_auth, void *arg);
extern int
DS_LASDnsGetter(NSErr_t *errp, PList_t subject, PList_t resource, PList_t auth_info, PList_t global_auth, void *arg);
extern int
DS_LASUserDnGetter(NSErr_t *errp, PList_t subject, PList_t resource, PList_t auth_info, PList_t global_auth, void *arg);
extern int
DS_LASGroupDnGetter(NSErr_t *errp, PList_t subject, PList_t resource, PList_t auth_info, PList_t global_auth, void *arg);
extern int
DS_LASEntryGetter(NSErr_t *errp, PList_t subject, PList_t resource, PList_t auth_info, PList_t global_auth, void *arg);
extern int
DS_LASCertGetter(NSErr_t *errp, PList_t subject, PList_t resource, PList_t auth_info, PList_t global_auth, void *arg);
/*
 * function declaration for LASes supported by DS.
 * One evaluator per DS_LAS_* keyword; all share the libaccess LAS signature
 * (attribute, comparator, pattern, cachable flag, per-LAS cookie, and the
 * four property lists).
 */
extern int DS_LASUserEval(NSErr_t *errp, char *attribute, CmpOp_t comparator, char *pattern, int *cachable, void **las_cookie, PList_t subject, PList_t resource, PList_t auth_info, PList_t global_auth);
extern int DS_LASGroupEval(NSErr_t *errp, char *attribute, CmpOp_t comparator, char *pattern, int *cachable, void **las_cookie, PList_t subject, PList_t resource, PList_t auth_info, PList_t global_auth);
extern int DS_LASUserDnEval(NSErr_t *errp, char *attribute, CmpOp_t comparator, char *pattern, int *cachable, void **las_cookie, PList_t subject, PList_t resource, PList_t auth_info, PList_t global_auth);
extern int DS_LASGroupDnEval(NSErr_t *errp, char *attribute, CmpOp_t comparator, char *pattern, int *cachable, void **las_cookie, PList_t subject, PList_t resource, PList_t auth_info, PList_t global_auth);
extern int DS_LASRoleDnEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator, char *attr_pattern, int *cachable, void **LAS_cookie, PList_t subject, PList_t resource, PList_t auth_info, PList_t global_auth);
extern int DS_LASUserDnAttrEval(NSErr_t *errp, char *attribute, CmpOp_t comparator, char *pattern, int *cachable, void **las_cookie, PList_t subject, PList_t resource, PList_t auth_info, PList_t global_auth);
extern int DS_LASAuthMethodEval(NSErr_t *errp, char *attribute, CmpOp_t comparator, char *pattern, int *cachable, void **las_cookie, PList_t subject, PList_t resource, PList_t auth_info, PList_t global_auth);
extern int DS_LASGroupDnAttrEval(NSErr_t *errp, char *attribute, CmpOp_t comparator, char *pattern, int *cachable, void **las_cookie, PList_t subject, PList_t resource, PList_t auth_info, PList_t global_auth);
extern int DS_LASRoleDnAttrEval(NSErr_t *errp, char *attribute, CmpOp_t comparator, char *pattern, int *cachable, void **las_cookie, PList_t subject, PList_t resource, PList_t auth_info, PList_t global_auth);
extern int DS_LASUserAttrEval(NSErr_t *errp, char *attribute, CmpOp_t comparator, char *pattern, int *cachable, void **las_cookie, PList_t subject, PList_t resource, PList_t auth_info, PList_t global_auth);
extern int DS_LASSSFEval(NSErr_t *errp, char *attribute, CmpOp_t comparator, char *pattern, int *cachable, void **las_cookie, PList_t subject, PList_t resource, PList_t auth_info, PList_t global_auth);
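/* other function declaration */
int aclinit_main(void);
int acl_match_substring(struct slapi_filter *f, char *str, int match);
/* Reports a libaccess (NSErr_t) error; the duplicate declaration that used to follow acl_get_usersGroup is gone. */
void acl_print_acllib_err(NSErr_t *errp, char *str);
void acl_initBlock(Slapi_PBlock *pb);
void acl_freeBlock(Slapi_PBlock *pb, int state);
/* Access-check entry points.  They return ACL_TRUE/ACL_FALSE or a negative
 * ACL_* error code (presumably); callers must treat anything other than
 * ACL_TRUE as "not allowed". */
int acl_read_access_allowed_on_entry(Slapi_PBlock *pb, Slapi_Entry *e, char **attrs, int access);
int acl_access_allowed_modrdn(Slapi_PBlock *pb, Slapi_Entry *e, char *attr, struct berval *val, int access);
int acl_read_access_allowed_on_attr(Slapi_PBlock *pb, Slapi_Entry *e, char *attr, struct berval *val, int access);
void acl_set_acllist(Slapi_PBlock *pb, int scope, char *base);
void acl_gen_err_msg(int access, char *edn, char *attr, char **errbuf);
void acl_modified(Slapi_PBlock *pb, int optype, Slapi_DN *e_sdn, void *change);
int acl_access_allowed_disjoint_resource(Slapi_PBlock *pb, Slapi_Entry *e, char *attr, struct berval *val, int access);
int acl_access_allowed_main(Slapi_PBlock *pb, Slapi_Entry *e, char **attrs, struct berval *val, int access, int flags, char **errbuf);
int acl_access_allowed(Slapi_PBlock *pb, Slapi_Entry *e, char *attr, struct berval *val, int access);
aclUserGroup *acl_get_usersGroup(struct acl_pblock *aclpb, char *n_dn);
int acl_check_mods(Slapi_PBlock *pb, Slapi_Entry *e, LDAPMod **mods, char **errbuf);
/* Two spellings of the same helper exist (acl__access2str and acl_access2str below). */
char *acl__access2str(int access);
/* No length argument: the caller must size d for the whole of s. */
void acl_strcpy_special(char *d, char *s);
/* aci parsing and syntax validation; errbuf receives a message on failure. */
int acl_parse(Slapi_PBlock *pb, char *str, aci_t *aci_item, char **errbuf);
int acl_verify_aci_syntax(Slapi_PBlock *pb, Slapi_Entry *e, char **errbuf);
int acl_verify_syntax(Slapi_PBlock *pb, const Slapi_DN *e_sdn, const struct berval *bval, char **errbuf);
int acllist_insert_aci_needsLock_ext(Slapi_PBlock *pb, const Slapi_DN *e_sdn, const struct berval *aci_attr);
char *acl_access2str(int access);
/* Operation / connection extension management (see ext_type). */
int acl_init_ext(void);
void acl_remove_ext(void);
void *acl_get_ext(ext_type type, void *object);
void acl_set_ext(ext_type type, void *object, void *data);
void acl_reset_ext_status(ext_type type, void *object);
void acl_init_op_ext(Slapi_PBlock *pb, int type, char *dn, int copy);
void *acl_operation_ext_constructor(void *object, void *parent);
void acl_operation_ext_destructor(void *ext, void *object, void *parent);
void *acl_conn_ext_constructor(void *object, void *parent);
void acl_conn_ext_destructor(void *ext, void *object, void *parent);
/* Evaluation-context and acl pblock lifecycle. */
void acl_clean_aclEval_context(aclEvalContext *clean_me, int scrub_only);
void acl_copyEval_context(struct acl_pblock *aclpb, aclEvalContext *src, aclEvalContext *dest, int copy_attr_only);
struct acl_pblock *acl_get_aclpb(Slapi_PBlock *pb, int type);
int acl_client_anonymous(Slapi_PBlock *pb);
short acl_get_aclsignature(void);
void acl_set_aclsignature(short value);
void acl_regen_aclsignature(void);
struct acl_pblock *acl_new_proxy_aclpb(Slapi_PBlock *pb);
void acl_set_authorization_dn(Slapi_PBlock *pb, char *dn, int type);
void acl_init_aclpb(Slapi_PBlock *pb, Acl_PBlock *aclpb, const char *dn, int copy_from_aclcb);
int acl_create_aclpb_pool(void);
void acl_destroy_aclpb_pool(void);
int acl_skip_access_check(Slapi_PBlock *pb, Slapi_Entry *e, int access);
/* aclutil_*: string, signature and printing helpers. */
int aclutil_str_append(char **str1, const char *str2);
void aclutil_print_err(int rv, const Slapi_DN *sdn, const struct berval *val, char **errbuf);
void aclutil_print_aci(aci_t *aci_item, char *type);
short aclutil_gen_signature(short c_signature);
void aclutil_print_resource(struct acl_pblock *aclpb, const char *right, char *attr, char *clientdn);
char *aclutil_expand_paramString(char *str, Slapi_Entry *e);
/* acllist_*: the aci cache.  The *_needsLock variants presumably expect the
 * caller to hold the cache lock taken via acllist_acicache_*_LOCK(). */
void acllist_init_scan(Slapi_PBlock *pb, int scope, const char *base);
aci_t *acllist_get_first_aci(Acl_PBlock *aclpb, PRUint32 *cookie);
aci_t *acllist_get_next_aci(Acl_PBlock *aclpb, aci_t *curraci, PRUint32 *cookie);
aci_t *acllist_get_aci_new(void);
void acllist_free_aci(aci_t *item);
void acllist_acicache_READ_UNLOCK(void);
void acllist_acicache_READ_LOCK(void);
void acllist_acicache_WRITE_UNLOCK(void);
void acllist_acicache_WRITE_LOCK(void);
void acllist_aciscan_update_scan(Acl_PBlock *aclpb, char *edn);
int acllist_remove_aci_needsLock(const Slapi_DN *sdn, const struct berval *attr);
void free_acl_avl_list(void);
int acllist_insert_aci_needsLock(const Slapi_DN *e_sdn, const struct berval *aci_attr);
int acllist_init(void);
void acllist_free(void);
int acllist_moddn_aci_needsLock(Slapi_DN *oldsdn, char *newdn);
void acllist_print_tree(Avlnode *root, int *depth, char *start, char *side);
AciContainer *acllist_get_aciContainer_new(void);
void acllist_free_aciContainer(AciContainer **container);
void acllist_done_aciContainer(AciContainer *);
void free_targetattrfilters(Targetattrfilter ***attrFilterArray);
/* aclg_* / aclgroup_*: the user/group membership cache (struct acl_groupcache). */
aclUserGroup *aclg_find_userGroup(const char *n_dn);
void aclg_regen_ugroup_signature(aclUserGroup *ugroup);
void aclg_markUgroupForRemoval(aclUserGroup *u_group);
void aclg_reader_incr_ugroup_refcnt(aclUserGroup *u_group);
int aclg_numof_usergroups(void);
int aclgroup_init(void);
void aclgroup_free(void);
void aclg_regen_group_signature(void);
void aclg_reset_userGroup(struct acl_pblock *aclpb);
void aclg_init_userGroup(struct acl_pblock *aclpb, const char *dn, int got_lock);
aclUserGroup *aclg_get_usersGroup(struct acl_pblock *aclpb, char *n_dn);
void aclg_lock_groupCache(int type);
void aclg_unlock_groupCache(int type);
/* aclanom_*: the anonymous-access profile. */
int aclanom_init(void);
int aclanom_match_profile(Slapi_PBlock *pb, struct acl_pblock *aclpb, Slapi_Entry *e, char *attr, int access);
void aclanom_get_suffix_info(Slapi_Entry *e, struct acl_pblock *aclpb);
void aclanom_invalidateProfile(void);
void aclanom__del_profile(int closing);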
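/*
 * Tells a callee whether it must take the aci cache read/write lock itself
 * (DO_TAKE_*) or must not (DONT_TAKE_*, presumably because the caller
 * already holds it).
 */
typedef enum {
    DONT_TAKE_ACLCACHE_READLOCK,
    DO_TAKE_ACLCACHE_READLOCK,
    DONT_TAKE_ACLCACHE_WRITELOCK,
    DO_TAKE_ACLCACHE_WRITELOCK
} acl_lock_flag_t;
void aclanom_gen_anomProfile(acl_lock_flag_t lock_flag);
int aclanom_is_client_anonymous(Slapi_PBlock *pb);
/* aclinit_main() is declared once, at the top of the "other function declaration" list. */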
/*
 * Callback data for the aci search done at init / backend state change:
 * 'op' says whether found acis are added to or removed from the cache,
 * retCode collects the result and lock_flag says who takes the cache lock.
 */
typedef struct aclinit_handler_callback_data
{
#define ACL_ADD_ACIS 1
#define ACL_REMOVE_ACIS 0
    int op;      /* ACL_ADD_ACIS or ACL_REMOVE_ACIS */
    int retCode;
    acl_lock_flag_t lock_flag;
} aclinit_handler_callback_data_t;
/* Searches for aci values under 'base' (optionally only in backend be_name) and applies 'op' to the cache. */
int
aclinit_search_and_update_aci(int thisbeonly, const Slapi_DN *base, char *be_name, int scope, int op, acl_lock_flag_t lock_flag);
void *aclplugin_get_identity(int plug);
/* DN component / macro matching helpers used for ($dn) substitution. */
int
acl_dn_component_match(const char *ndn, char *match_this, int component_number);
char *
acl_match_macro_in_target(const char *ndn, char *match_this, char *macro_ptr);
char *get_next_component(char *dn, int *index);
int acl_match_prefix(char *macro_prefix, const char *ndn, int *exact_match);
char *
get_this_component(char *dn, int *index);
int
acl_find_comp_end(char *s);
/* String helpers.  acl_replace_str returns a new string (ownership to be confirmed in aclutil.c). */
char *
acl_replace_str(char *s, char *substr, char *replace_with);
int acl_strstr(char *s, char *substr);
int aclutil_evaluate_macro(char *rule, lasInfo *lasinfo, acl_eval_types evalType);
/* Length-aware append: dlen tracks the destination length, slen bounds the read of src. */
int aclutil_str_append_ext(char **dest, size_t *dlen, const char *src, size_t slen);
/* acl hash table functions */
void acl_ht_add_and_freeOld(acl_ht_t *acl_ht, PLHashNumber key, char *value); /* replaces and frees any previous value for key */
void acl_ht_remove_and_free(acl_ht_t *acl_ht, PLHashNumber key);
acl_ht_t *acl_ht_new(void);
void acl_ht_free_all_entries_and_values(acl_ht_t *acl_ht);
void acl_ht_remove(acl_ht_t *acl_ht, PLHashNumber key);
void *acl_ht_lookup(acl_ht_t *acl_ht, PLHashNumber key);
void acl_ht_display_ht(acl_ht_t *acl_ht);
/* acl get effective rights */
int
acl_get_effective_rights(Slapi_PBlock *pb, Slapi_Entry *e, char **attrs, struct berval *val, int access, char **errbuf);
/* Formats access bits into the caller-provided str; no size argument, so str must be large enough. */
char *aclutil__access_str(int type, char str[]);
int aclplugin_preop_common(Slapi_PBlock *pb);
  723. #endif /* _ACL_H_ */