Back to index

openldap  2.4.31
Classes | Defines | Typedefs | Functions | Variables
gssacl.c File Reference
#include <portable.h>
#include <ac/string.h>
#include <slap.h>
#include <lutil.h>
#include <sasl/sasl.h>
#include <gssapi/gssapi.h>
#include <gssapi/gssapi_ext.h>

Go to the source code of this file.

Classes

struct  gssattr_t

Defines

#define ACL_BUF_SIZE   1024

Typedefs

typedef struct gssattr_t gssattr_t

Functions

static int gssattr_dynacl_destroy (void *priv)
static int regex_matches (struct berval *pat, char *str, struct berval *dn_matches, struct berval *val_matches, AclRegexMatches *matches)
static int gssattr_dynacl_parse (const char *fname, int lineno, const char *opts, slap_style_t style, const char *pattern, void **privp)
static int gssattr_dynacl_unparse (void *priv, struct berval *bv)
static int gssattr_dynacl_mask (void *priv, Operation *op, Entry *target, AttributeDescription *desc, struct berval *val, int nmatch, regmatch_t *matches, slap_access_t *grant, slap_access_t *deny)
int init_module (int argc, char *argv[])

Variables

static struct slap_dynacl_t

Class Documentation

struct gssattr_t

Definition at line 27 of file gssacl.c.

Class Members
slap_style_t gssattr_style

Define Documentation

#define ACL_BUF_SIZE   1024

Definition at line 25 of file gssacl.c.


Typedef Documentation

typedef struct gssattr_t gssattr_t

Function Documentation

static int gssattr_dynacl_destroy ( void priv) [static]

Definition at line 240 of file gssacl.c.

{
       gssattr_t            *gssattr = (gssattr_t *)priv;

       if ( gssattr != NULL ) {
              if ( !BER_BVISNULL( &gssattr->gssattr_name ) ) {
                     ber_memfree( gssattr->gssattr_name.bv_val );
              }
              if ( !BER_BVISNULL( &gssattr->gssattr_value ) ) {
                     ber_memfree( gssattr->gssattr_value.bv_val );
              }
              ch_free( gssattr );
       }

       return 0;
}

Here is the call graph for this function:

Here is the caller graph for this function:

static int gssattr_dynacl_mask ( void priv,
Operation op,
Entry target,
AttributeDescription desc,
struct berval val,
int  nmatch,
regmatch_t *  matches,
slap_access_t grant,
slap_access_t deny 
) [static]

Definition at line 137 of file gssacl.c.

{
       gssattr_t     *gssattr = (gssattr_t *)priv;
       sasl_conn_t   *sasl_ctx = op->o_conn->c_sasl_authctx;
       gss_name_t    gss_name = GSS_C_NO_NAME;
       OM_uint32     major, minor;
       int           more = -1;
       int           authenticated, complete;
       gss_buffer_desc      attr = GSS_C_EMPTY_BUFFER;
       int           granted = 0;

       ACL_INVALIDATE( *deny );

       if ( sasl_ctx == NULL ||
            sasl_getprop( sasl_ctx, SASL_GSS_PEER_NAME, (const void **)&gss_name) != 0 ||
            gss_name == GSS_C_NO_NAME ) {
              return 0;
       }

       attr.length = gssattr->gssattr_name.bv_len;
       attr.value = gssattr->gssattr_name.bv_val;

       while ( more != 0 ) {
              AclRegexMatches amatches = { 0 };
              gss_buffer_desc      gss_value = GSS_C_EMPTY_BUFFER;
              gss_buffer_desc      gss_display_value = GSS_C_EMPTY_BUFFER;
              struct berval bv_value;

              major = gss_get_name_attribute( &minor, gss_name, &attr,
                                          &authenticated, &complete,
                                          &gss_value, &gss_display_value, &more );
              if ( GSS_ERROR( major ) ) {
                     break;
              } else if ( authenticated == 0 ) {
                     gss_release_buffer( &minor, &gss_value );
                     gss_release_buffer( &minor, &gss_display_value );
                     continue;
              }

              bv_value.bv_len = gss_value.length;
              bv_value.bv_val = (char *)gss_value.value;

              if ( !ber_bvccmp( &gssattr->gssattr_value, '*' ) ) {
                     if ( gssattr->gssattr_style != ACL_STYLE_BASE ) {
                            amatches.dn_count = nmatch;
                            AC_MEMCPY( amatches.dn_data, matches, sizeof( amatches.dn_data ) );
                     }

                     switch ( gssattr->gssattr_style ) {
                     case ACL_STYLE_REGEX:
                            /* XXX assumes value NUL terminated */
                            granted = regex_matches( &gssattr->gssattr_value, bv_value.bv_val,
                                                   &target->e_nname, val, &amatches );
                            break;
                     case ACL_STYLE_EXPAND: {
                            struct berval bv;
                            char buf[ACL_BUF_SIZE];

                            bv.bv_len = sizeof( buf ) - 1;
                            bv.bv_val = buf;

                            granted = ( acl_string_expand( &bv, &gssattr->gssattr_value,
                                                        &target->e_nname, val,
                                                        &amatches ) == 0 ) &&
                                     ( ber_bvstrcmp( &bv, &bv_value) == 0 );
                            break;
                     }
                     case ACL_STYLE_BASE:
                            granted = ( ber_bvstrcmp( &gssattr->gssattr_value, &bv_value ) == 0 );
                            break;
                     default:
                            assert(0);
                            break;
                     }
              } else {
                     granted = 1;
              }

              gss_release_buffer( &minor, &gss_value );
              gss_release_buffer( &minor, &gss_display_value );

              if ( granted ) {
                     break;
              }
       }

       if ( granted ) {
              ACL_LVL_ASSIGN_WRITE( *grant );
       }

       return 0;
}

Here is the call graph for this function:

static int gssattr_dynacl_parse ( const char *  fname,
int  lineno,
const char *  opts,
slap_style_t  style,
const char *  pattern,
void **  privp 
) [static]

Definition at line 45 of file gssacl.c.

{
       gssattr_t     *gssattr;

       gssattr = (gssattr_t *)ch_calloc( 1, sizeof( gssattr_t ) );

       if ( opts == NULL || opts[0] == '\0' ) {
              fprintf( stderr, "%s line %d: GSS ACL: no attribute specified.\n",
                      fname, lineno );
              goto cleanup;
       }

       if ( pattern == NULL || pattern[0] == '\0' ) {
              fprintf( stderr, "%s line %d: GSS ACL: no attribute value specified.\n",
                      fname, lineno );
              goto cleanup;
       }

       gssattr->gssattr_style = style;

       switch ( gssattr->gssattr_style ) {
       case ACL_STYLE_BASE:
       case ACL_STYLE_REGEX:
       case ACL_STYLE_EXPAND:
              break;
       default:
              fprintf( stderr, "%s line %d: GSS ACL: unsupported style \"%s\".\n",
                      fname, lineno, style_strings[style] );
              goto cleanup;
              break;
       }

       ber_str2bv( opts,    0, 1, &gssattr->gssattr_name );
       ber_str2bv( pattern, 0, 1, &gssattr->gssattr_value );

       *privp = (void *)gssattr;
       return 0;

cleanup:
       (void)gssattr_dynacl_destroy( (void *)gssattr );

       return 1;
}

Here is the call graph for this function:

static int gssattr_dynacl_unparse ( void priv,
struct berval bv 
) [static]

Definition at line 96 of file gssacl.c.

{
       gssattr_t     *gssattr = (gssattr_t *)priv;
       char          *ptr;

       bv->bv_len = STRLENOF( " dynacl/gss/.expand=" ) +
                   gssattr->gssattr_name.bv_len +
                   gssattr->gssattr_value.bv_len;
       bv->bv_val = ch_malloc( bv->bv_len + 1 );

       ptr = lutil_strcopy( bv->bv_val, " dynacl/gss/" );
       ptr = lutil_strncopy( ptr, gssattr->gssattr_name.bv_val,
                           gssattr->gssattr_name.bv_len );
       switch ( gssattr->gssattr_style ) {
       case ACL_STYLE_BASE:
              ptr = lutil_strcopy( ptr, ".exact=" );
              break;
       case ACL_STYLE_REGEX:
              ptr = lutil_strcopy( ptr, ".regex=" );
              break;
       case ACL_STYLE_EXPAND:
              ptr = lutil_strcopy( ptr, ".expand=" );
              break;
       default:
              assert( 0 );
              break;
       }

       ptr = lutil_strncopy( ptr, gssattr->gssattr_value.bv_val,
                           gssattr->gssattr_value.bv_len );

       ptr[ 0 ] = '\0';

       bv->bv_len = ptr - bv->bv_val;

       return 0;
}

Here is the call graph for this function:

int init_module ( int  argc,
char *  argv[] 
)

Definition at line 267 of file gssacl.c.

{
       return slap_dynacl_register( &gssattr_dynacl );
}
static int regex_matches ( struct berval pat,
char *  str,
struct berval dn_matches,
struct berval val_matches,
AclRegexMatches matches 
) [static]

Definition at line 274 of file gssacl.c.

{
       regex_t re;
       char newbuf[ACL_BUF_SIZE];
       struct berval bv;
       int    rc;

       bv.bv_len = sizeof( newbuf ) - 1;
       bv.bv_val = newbuf;

       if (str == NULL) {
              str = "";
       };

       acl_string_expand( &bv, pat, dn_matches, val_matches, matches );
       rc = regcomp( &re, newbuf, REG_EXTENDED|REG_ICASE );
       if ( rc ) {
              char error[ACL_BUF_SIZE];
              regerror( rc, &re, error, sizeof( error ) );

              Debug( LDAP_DEBUG_TRACE,
                  "compile( \"%s\", \"%s\") failed %s\n",
                     pat->bv_val, str, error );
              return( 0 );
       }

       rc = regexec( &re, str, 0, NULL, 0 );
       regfree( &re );

       Debug( LDAP_DEBUG_TRACE,
           "=> regex_matches: string:      %s\n", str, 0, 0 );
       Debug( LDAP_DEBUG_TRACE,
           "=> regex_matches: rc: %d %s\n",
              rc, !rc ? "matches" : "no matches", 0 );
       return( !rc );
}

Here is the call graph for this function:

Here is the caller graph for this function:


Variable Documentation

struct slap_dynacl_t [static]
Initial value:

Definition at line 258 of file gssacl.c.