|
 |
de47d7 |
From 6ced3f552e4c29f588eb3a56def5a485c2e89a73 Mon Sep 17 00:00:00 2001
|
|
|
de47d7 |
From: Mark Reynolds <mreynolds@redhat.com>
|
|
|
de47d7 |
Date: Thu, 19 Mar 2020 21:24:05 -0400
|
|
|
de47d7 |
Subject: [PATCH 1/4] Issue 50800 - wildcards in rootdn-allow-ip attribute are
|
|
|
de47d7 |
not accepted
|
|
|
de47d7 |
|
|
|
de47d7 |
Description: The asterick character was missing from the allowed character list.
|
|
|
de47d7 |
Also cleaned up the source in the C file.
|
|
|
de47d7 |
|
|
|
de47d7 |
Thanks @yrro for contributing the original patch!
|
|
|
de47d7 |
|
|
|
de47d7 |
relates: https://pagure.io/389-ds-base/issue/50800
|
|
|
de47d7 |
|
|
|
de47d7 |
Reviewed by: firstyear (Thanks!)
|
|
|
de47d7 |
---
|
|
|
de47d7 |
.../suites/plugins/rootdn_plugin_test.py | 73 ++++++++++-
|
|
|
de47d7 |
.../plugins/rootdn_access/rootdn_access.c | 119 ++++++++++--------
|
|
|
de47d7 |
2 files changed, 137 insertions(+), 55 deletions(-)
|
|
|
de47d7 |
|
|
|
de47d7 |
diff --git a/dirsrvtests/tests/suites/plugins/rootdn_plugin_test.py b/dirsrvtests/tests/suites/plugins/rootdn_plugin_test.py
|
|
|
de47d7 |
index af5c4c4d4..a54fd8efc 100644
|
|
|
de47d7 |
--- a/dirsrvtests/tests/suites/plugins/rootdn_plugin_test.py
|
|
|
de47d7 |
+++ b/dirsrvtests/tests/suites/plugins/rootdn_plugin_test.py
|
|
|
de47d7 |
@@ -13,7 +13,6 @@ import pytest
|
|
|
de47d7 |
from lib389.tasks import *
|
|
|
de47d7 |
from lib389.tools import DirSrvTools
|
|
|
de47d7 |
from lib389.topologies import topology_st
|
|
|
de47d7 |
-
|
|
|
de47d7 |
from lib389._constants import PLUGIN_ROOTDN_ACCESS, DN_CONFIG, DEFAULT_SUFFIX, DN_DM, PASSWORD
|
|
|
de47d7 |
|
|
|
de47d7 |
logging.getLogger(__name__).setLevel(logging.DEBUG)
|
|
|
de47d7 |
@@ -439,6 +438,7 @@ def test_rootdn_access_allowed_ip(topology_st):
|
|
|
de47d7 |
log.fatal('test_rootdn_access_allowed_ip: Root DN was incorrectly able to bind')
|
|
|
de47d7 |
assert False
|
|
|
de47d7 |
|
|
|
de47d7 |
+
|
|
|
de47d7 |
#
|
|
|
de47d7 |
# Allow localhost
|
|
|
de47d7 |
#
|
|
|
de47d7 |
@@ -745,6 +745,77 @@ def test_rootdn_config_validate(topology_st):
|
|
|
de47d7 |
log.info('test_rootdn_config_validate: PASSED')
|
|
|
de47d7 |
|
|
|
de47d7 |
|
|
|
de47d7 |
+def test_rootdn_access_denied_ip_wildcard(topology_st, rootdn_setup, rootdn_cleanup):
|
|
|
de47d7 |
+ """Test denied IP feature with a wildcard
|
|
|
de47d7 |
+
|
|
|
de47d7 |
+ :id: 73c74f62-9ac2-4bb6-8a63-bacc8d8bbf93
|
|
|
de47d7 |
+ :setup: Standalone instance, rootdn plugin set up
|
|
|
de47d7 |
+ :steps:
|
|
|
de47d7 |
+ 1. Set rootdn-deny-ip to '127.*'
|
|
|
de47d7 |
+ 2. Bind as Root DN
|
|
|
de47d7 |
+ 3. Change the denied IP so root DN succeeds
|
|
|
de47d7 |
+ 4. Bind as Root DN
|
|
|
de47d7 |
+ :expectedresults:
|
|
|
de47d7 |
+ 1. Success
|
|
|
de47d7 |
+ 2. Should fail
|
|
|
de47d7 |
+ 3. Success
|
|
|
de47d7 |
+ 4. Success
|
|
|
de47d7 |
+ """
|
|
|
de47d7 |
+
|
|
|
de47d7 |
+ log.info('Running test_rootdn_access_denied_ip_wildcard...')
|
|
|
de47d7 |
+
|
|
|
de47d7 |
+ plugin.add_deny_ip('127.*')
|
|
|
de47d7 |
+ time.sleep(.5)
|
|
|
de47d7 |
+
|
|
|
de47d7 |
+ # Bind as root DN - should fail
|
|
|
de47d7 |
+ uri = 'ldap://{}:{}'.format('127.0.0.1', topology_st.standalone.port)
|
|
|
de47d7 |
+ with pytest.raises(ldap.UNWILLING_TO_PERFORM):
|
|
|
de47d7 |
+ rootdn_bind(topology_st.standalone, uri=uri)
|
|
|
de47d7 |
+
|
|
|
de47d7 |
+ # Change the denied IP so root DN succeeds
|
|
|
de47d7 |
+ plugin.apply_mods([(ldap.MOD_REPLACE, 'rootdn-deny-ip', '255.255.255.255')])
|
|
|
de47d7 |
+ time.sleep(.5)
|
|
|
de47d7 |
+
|
|
|
de47d7 |
+ # Bind should succeed
|
|
|
de47d7 |
+ rootdn_bind(topology_st.standalone, uri=uri)
|
|
|
de47d7 |
+
|
|
|
de47d7 |
+
|
|
|
de47d7 |
+def test_rootdn_access_allowed_ip_wildcard(topology_st, rootdn_setup, rootdn_cleanup):
|
|
|
de47d7 |
+ """Test allowed ip feature
|
|
|
de47d7 |
+
|
|
|
de47d7 |
+ :id: c3e22c61-9ed2-4e89-8243-6ff686ecad9b
|
|
|
de47d7 |
+ :setup: Standalone instance, rootdn plugin set up
|
|
|
de47d7 |
+ :steps:
|
|
|
de47d7 |
+ 1. Set allowed ip to 255.255.255.255 - blocks the Root DN
|
|
|
de47d7 |
+ 2. Bind as Root DN
|
|
|
de47d7 |
+ 3. Allow 127.*
|
|
|
de47d7 |
+ 4. Bind as Root DN
|
|
|
de47d7 |
+ :expectedresults:
|
|
|
de47d7 |
+ 1. Success
|
|
|
de47d7 |
+ 2. Should fail
|
|
|
de47d7 |
+ 3. Success
|
|
|
de47d7 |
+ 4. Success
|
|
|
de47d7 |
+ """
|
|
|
de47d7 |
+
|
|
|
de47d7 |
+ log.info('Running test_rootdn_access_allowed_ip...')
|
|
|
de47d7 |
+
|
|
|
de47d7 |
+ # Set allowed ip to 255.255.255.255 - blocks the Root DN
|
|
|
de47d7 |
+ plugin.add_allow_ip('255.255.255.255')
|
|
|
de47d7 |
+ time.sleep(.5)
|
|
|
de47d7 |
+
|
|
|
de47d7 |
+ # Bind as Root DN - should fail
|
|
|
de47d7 |
+ uri = 'ldap://{}:{}'.format("127.0.0.1", topology_st.standalone.port)
|
|
|
de47d7 |
+ with pytest.raises(ldap.UNWILLING_TO_PERFORM):
|
|
|
de47d7 |
+ rootdn_bind(topology_st.standalone, uri=uri)
|
|
|
de47d7 |
+
|
|
|
de47d7 |
+ # Allow localhost
|
|
|
de47d7 |
+ plugin.add_allow_ip('127.*')
|
|
|
de47d7 |
+ time.sleep(.5)
|
|
|
de47d7 |
+
|
|
|
de47d7 |
+ # Bind should succeed
|
|
|
de47d7 |
+ rootdn_bind(topology_st.standalone, uri=uri)
|
|
|
de47d7 |
+
|
|
|
de47d7 |
+
|
|
|
de47d7 |
if __name__ == '__main__':
|
|
|
de47d7 |
# Run isolated
|
|
|
de47d7 |
# -s for DEBUG mode
|
|
|
de47d7 |
diff --git a/ldap/servers/plugins/rootdn_access/rootdn_access.c b/ldap/servers/plugins/rootdn_access/rootdn_access.c
|
|
|
de47d7 |
index 1cb999792..aba44ce72 100644
|
|
|
de47d7 |
--- a/ldap/servers/plugins/rootdn_access/rootdn_access.c
|
|
|
de47d7 |
+++ b/ldap/servers/plugins/rootdn_access/rootdn_access.c
|
|
|
de47d7 |
@@ -48,14 +48,14 @@
|
|
|
de47d7 |
/*
|
|
|
de47d7 |
* Plugin Functions
|
|
|
de47d7 |
*/
|
|
|
de47d7 |
-int rootdn_init(Slapi_PBlock *pb);
|
|
|
de47d7 |
-static int rootdn_start(Slapi_PBlock *pb);
|
|
|
de47d7 |
-static int rootdn_close(Slapi_PBlock *pb);
|
|
|
de47d7 |
-static int rootdn_load_config(Slapi_PBlock *pb);
|
|
|
de47d7 |
-static int rootdn_check_access(Slapi_PBlock *pb);
|
|
|
de47d7 |
-static int rootdn_check_host_wildcard(char *host, char *client_host);
|
|
|
de47d7 |
+int32_t rootdn_init(Slapi_PBlock *pb);
|
|
|
de47d7 |
+static int32_t rootdn_start(Slapi_PBlock *pb);
|
|
|
de47d7 |
+static int32_t rootdn_close(Slapi_PBlock *pb);
|
|
|
de47d7 |
+static int32_t rootdn_load_config(Slapi_PBlock *pb);
|
|
|
de47d7 |
+static int32_t rootdn_check_access(Slapi_PBlock *pb);
|
|
|
de47d7 |
+static int32_t rootdn_check_host_wildcard(char *host, char *client_host);
|
|
|
de47d7 |
static int rootdn_check_ip_wildcard(char *ip, char *client_ip);
|
|
|
de47d7 |
-static int rootdn_preop_bind_init(Slapi_PBlock *pb);
|
|
|
de47d7 |
+static int32_t rootdn_preop_bind_init(Slapi_PBlock *pb);
|
|
|
de47d7 |
char *strToLower(char *str);
|
|
|
de47d7 |
|
|
|
de47d7 |
/*
|
|
|
de47d7 |
@@ -104,10 +104,10 @@ rootdn_get_plugin_dn(void)
|
|
|
de47d7 |
}
|
|
|
de47d7 |
|
|
|
de47d7 |
|
|
|
de47d7 |
-int
|
|
|
de47d7 |
+int32_t
|
|
|
de47d7 |
rootdn_init(Slapi_PBlock *pb)
|
|
|
de47d7 |
{
|
|
|
de47d7 |
- int status = 0;
|
|
|
de47d7 |
+ int32_t status = 0;
|
|
|
de47d7 |
char *plugin_identity = NULL;
|
|
|
de47d7 |
|
|
|
de47d7 |
slapi_log_err(SLAPI_LOG_TRACE, ROOTDN_PLUGIN_SUBSYSTEM,
|
|
|
de47d7 |
@@ -157,7 +157,7 @@ rootdn_init(Slapi_PBlock *pb)
|
|
|
de47d7 |
return status;
|
|
|
de47d7 |
}
|
|
|
de47d7 |
|
|
|
de47d7 |
-static int
|
|
|
de47d7 |
+static int32_t
|
|
|
de47d7 |
rootdn_preop_bind_init(Slapi_PBlock *pb)
|
|
|
de47d7 |
{
|
|
|
de47d7 |
if (slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_PRE_BIND_FN, (void *)rootdn_check_access) != 0) {
|
|
|
de47d7 |
@@ -169,7 +169,7 @@ rootdn_preop_bind_init(Slapi_PBlock *pb)
|
|
|
de47d7 |
return 0;
|
|
|
de47d7 |
}
|
|
|
de47d7 |
|
|
|
de47d7 |
-static int
|
|
|
de47d7 |
+static int32_t
|
|
|
de47d7 |
rootdn_start(Slapi_PBlock *pb __attribute__((unused)))
|
|
|
de47d7 |
{
|
|
|
de47d7 |
slapi_log_err(SLAPI_LOG_PLUGIN, ROOTDN_PLUGIN_SUBSYSTEM, "--> rootdn_start\n");
|
|
|
de47d7 |
@@ -196,14 +196,14 @@ rootdn_free(void)
|
|
|
de47d7 |
ips_to_deny = NULL;
|
|
|
de47d7 |
}
|
|
|
de47d7 |
|
|
|
de47d7 |
-static int
|
|
|
de47d7 |
+static int32_t
|
|
|
de47d7 |
rootdn_close(Slapi_PBlock *pb __attribute__((unused)))
|
|
|
de47d7 |
{
|
|
|
de47d7 |
rootdn_free();
|
|
|
de47d7 |
return 0;
|
|
|
de47d7 |
}
|
|
|
de47d7 |
|
|
|
de47d7 |
-static int
|
|
|
de47d7 |
+static int32_t
|
|
|
de47d7 |
rootdn_load_config(Slapi_PBlock *pb)
|
|
|
de47d7 |
{
|
|
|
de47d7 |
Slapi_Entry *e = NULL;
|
|
|
de47d7 |
@@ -217,9 +217,9 @@ rootdn_load_config(Slapi_PBlock *pb)
|
|
|
de47d7 |
char *token, *iter = NULL, *copy;
|
|
|
de47d7 |
char hour[3], min[3];
|
|
|
de47d7 |
size_t end;
|
|
|
de47d7 |
- int result = 0;
|
|
|
de47d7 |
- int time;
|
|
|
de47d7 |
- int i;
|
|
|
de47d7 |
+ int32_t result = 0;
|
|
|
de47d7 |
+ int32_t time;
|
|
|
de47d7 |
+
|
|
|
de47d7 |
|
|
|
de47d7 |
slapi_log_err(SLAPI_LOG_PLUGIN, ROOTDN_PLUGIN_SUBSYSTEM, "--> rootdn_load_config\n");
|
|
|
de47d7 |
|
|
|
de47d7 |
@@ -346,7 +346,7 @@ rootdn_load_config(Slapi_PBlock *pb)
|
|
|
de47d7 |
goto free_and_return;
|
|
|
de47d7 |
}
|
|
|
de47d7 |
if (hosts_tmp) {
|
|
|
de47d7 |
- for (i = 0; hosts_tmp[i] != NULL; i++) {
|
|
|
de47d7 |
+ for (size_t i = 0; hosts_tmp[i] != NULL; i++) {
|
|
|
de47d7 |
end = strspn(hosts_tmp[i], "0123456789.*-ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz");
|
|
|
de47d7 |
if (!end || hosts_tmp[i][end] != '\0') {
|
|
|
de47d7 |
slapi_log_err(SLAPI_LOG_ERR, ROOTDN_PLUGIN_SUBSYSTEM, "rootdn_load_config - "
|
|
|
de47d7 |
@@ -359,7 +359,7 @@ rootdn_load_config(Slapi_PBlock *pb)
|
|
|
de47d7 |
}
|
|
|
de47d7 |
}
|
|
|
de47d7 |
if (hosts_to_deny_tmp) {
|
|
|
de47d7 |
- for (i = 0; hosts_to_deny_tmp[i] != NULL; i++) {
|
|
|
de47d7 |
+ for (size_t i = 0; hosts_to_deny_tmp[i] != NULL; i++) {
|
|
|
de47d7 |
end = strspn(hosts_to_deny_tmp[i], "0123456789.*-ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz");
|
|
|
de47d7 |
if (!end || hosts_to_deny_tmp[i][end] != '\0') {
|
|
|
de47d7 |
slapi_log_err(SLAPI_LOG_ERR, ROOTDN_PLUGIN_SUBSYSTEM, "rootdn_load_config - "
|
|
|
de47d7 |
@@ -372,8 +372,8 @@ rootdn_load_config(Slapi_PBlock *pb)
|
|
|
de47d7 |
}
|
|
|
de47d7 |
}
|
|
|
de47d7 |
if (ips_tmp) {
|
|
|
de47d7 |
- for (i = 0; ips_tmp[i] != NULL; i++) {
|
|
|
de47d7 |
- end = strspn(ips_tmp[i], "0123456789:ABCDEFabcdef.");
|
|
|
de47d7 |
+ for (size_t i = 0; ips_tmp[i] != NULL; i++) {
|
|
|
de47d7 |
+ end = strspn(ips_tmp[i], "0123456789:ABCDEFabcdef.*");
|
|
|
de47d7 |
if (!end || ips_tmp[i][end] != '\0') {
|
|
|
de47d7 |
slapi_log_err(SLAPI_LOG_ERR, ROOTDN_PLUGIN_SUBSYSTEM, "rootdn_load_config - "
|
|
|
de47d7 |
"IP address contains invalid characters (%s), skipping\n",
|
|
|
de47d7 |
@@ -399,7 +399,7 @@ rootdn_load_config(Slapi_PBlock *pb)
|
|
|
de47d7 |
}
|
|
|
de47d7 |
}
|
|
|
de47d7 |
if (ips_to_deny_tmp) {
|
|
|
de47d7 |
- for (i = 0; ips_to_deny_tmp[i] != NULL; i++) {
|
|
|
de47d7 |
+ for (size_t i = 0; ips_to_deny_tmp[i] != NULL; i++) {
|
|
|
de47d7 |
end = strspn(ips_to_deny_tmp[i], "0123456789:ABCDEFabcdef.*");
|
|
|
de47d7 |
if (!end || ips_to_deny_tmp[i][end] != '\0') {
|
|
|
de47d7 |
slapi_log_err(SLAPI_LOG_ERR, ROOTDN_PLUGIN_SUBSYSTEM, "rootdn_load_config - "
|
|
|
de47d7 |
@@ -453,7 +453,7 @@ free_and_return:
|
|
|
de47d7 |
}
|
|
|
de47d7 |
|
|
|
de47d7 |
|
|
|
de47d7 |
-static int
|
|
|
de47d7 |
+static int32_t
|
|
|
de47d7 |
rootdn_check_access(Slapi_PBlock *pb)
|
|
|
de47d7 |
{
|
|
|
de47d7 |
PRNetAddr *client_addr = NULL;
|
|
|
de47d7 |
@@ -461,9 +461,8 @@ rootdn_check_access(Slapi_PBlock *pb)
|
|
|
de47d7 |
time_t curr_time;
|
|
|
de47d7 |
struct tm *timeinfo = NULL;
|
|
|
de47d7 |
char *dnsName = NULL;
|
|
|
de47d7 |
- int isRoot = 0;
|
|
|
de47d7 |
- int rc = SLAPI_PLUGIN_SUCCESS;
|
|
|
de47d7 |
- int i;
|
|
|
de47d7 |
+ int32_t isRoot = 0;
|
|
|
de47d7 |
+ int32_t rc = SLAPI_PLUGIN_SUCCESS;
|
|
|
de47d7 |
|
|
|
de47d7 |
/*
|
|
|
de47d7 |
* Verify this is a root DN
|
|
|
de47d7 |
@@ -493,8 +492,8 @@ rootdn_check_access(Slapi_PBlock *pb)
|
|
|
de47d7 |
curr_total = (time_t)(timeinfo->tm_hour * 3600) + (timeinfo->tm_min * 60);
|
|
|
de47d7 |
|
|
|
de47d7 |
if ((curr_total < open_time) || (curr_total >= close_time)) {
|
|
|
de47d7 |
- slapi_log_err(SLAPI_LOG_PLUGIN, ROOTDN_PLUGIN_SUBSYSTEM, "rootdn_check_access - Bind not in the "
|
|
|
de47d7 |
- "allowed time window\n");
|
|
|
de47d7 |
+ slapi_log_err(SLAPI_LOG_ERR, ROOTDN_PLUGIN_SUBSYSTEM,
|
|
|
de47d7 |
+ "rootdn_check_access - Bind not in the allowed time window\n");
|
|
|
de47d7 |
return -1;
|
|
|
de47d7 |
}
|
|
|
de47d7 |
}
|
|
|
de47d7 |
@@ -512,8 +511,8 @@ rootdn_check_access(Slapi_PBlock *pb)
|
|
|
de47d7 |
daysAllowed = strToLower(daysAllowed);
|
|
|
de47d7 |
|
|
|
de47d7 |
if (!strstr(daysAllowed, today)) {
|
|
|
de47d7 |
- slapi_log_err(SLAPI_LOG_PLUGIN, ROOTDN_PLUGIN_SUBSYSTEM, "rootdn_check_access - "
|
|
|
de47d7 |
- "Bind not allowed for today(%s), only allowed on days: %s\n",
|
|
|
de47d7 |
+ slapi_log_err(SLAPI_LOG_ERR, ROOTDN_PLUGIN_SUBSYSTEM, "rootdn_check_access - "
|
|
|
de47d7 |
+ "Bind not allowed for today(%s), only allowed on days: %s\n",
|
|
|
de47d7 |
today, daysAllowed);
|
|
|
de47d7 |
return -1;
|
|
|
de47d7 |
}
|
|
|
de47d7 |
@@ -522,7 +521,7 @@ rootdn_check_access(Slapi_PBlock *pb)
|
|
|
de47d7 |
* Check the host restrictions, deny always overrides allow
|
|
|
de47d7 |
*/
|
|
|
de47d7 |
if (hosts || hosts_to_deny) {
|
|
|
de47d7 |
- char buf[PR_NETDB_BUF_SIZE];
|
|
|
de47d7 |
+ char buf[PR_NETDB_BUF_SIZE] = {0};
|
|
|
de47d7 |
char *host;
|
|
|
de47d7 |
|
|
|
de47d7 |
/*
|
|
|
de47d7 |
@@ -530,8 +529,8 @@ rootdn_check_access(Slapi_PBlock *pb)
|
|
|
de47d7 |
*/
|
|
|
de47d7 |
client_addr = (PRNetAddr *)slapi_ch_malloc(sizeof(PRNetAddr));
|
|
|
de47d7 |
if (slapi_pblock_get(pb, SLAPI_CONN_CLIENTNETADDR, client_addr) != 0) {
|
|
|
de47d7 |
- slapi_log_err(SLAPI_LOG_ERR, ROOTDN_PLUGIN_SUBSYSTEM, "rootdn_check_access - "
|
|
|
de47d7 |
- "Could not get client address for hosts.\n");
|
|
|
de47d7 |
+ slapi_log_err(SLAPI_LOG_ERR, ROOTDN_PLUGIN_SUBSYSTEM,
|
|
|
de47d7 |
+ "rootdn_check_access - Could not get client address for hosts.\n");
|
|
|
de47d7 |
rc = -1;
|
|
|
de47d7 |
goto free_and_return;
|
|
|
de47d7 |
}
|
|
|
de47d7 |
@@ -545,14 +544,14 @@ rootdn_check_access(Slapi_PBlock *pb)
|
|
|
de47d7 |
dnsName = slapi_ch_strdup(host_entry->h_name);
|
|
|
de47d7 |
} else {
|
|
|
de47d7 |
/* no hostname */
|
|
|
de47d7 |
- slapi_log_err(SLAPI_LOG_PLUGIN, ROOTDN_PLUGIN_SUBSYSTEM, "rootdn_check_access - "
|
|
|
de47d7 |
- "Client address missing hostname\n");
|
|
|
de47d7 |
+ slapi_log_err(SLAPI_LOG_ERR, ROOTDN_PLUGIN_SUBSYSTEM,
|
|
|
de47d7 |
+ "rootdn_check_access - Client address missing hostname\n");
|
|
|
de47d7 |
rc = -1;
|
|
|
de47d7 |
goto free_and_return;
|
|
|
de47d7 |
}
|
|
|
de47d7 |
} else {
|
|
|
de47d7 |
- slapi_log_err(SLAPI_LOG_PLUGIN, ROOTDN_PLUGIN_SUBSYSTEM, "rootdn_check_access - "
|
|
|
de47d7 |
- "client IP address could not be resolved\n");
|
|
|
de47d7 |
+ slapi_log_err(SLAPI_LOG_ERR, ROOTDN_PLUGIN_SUBSYSTEM,
|
|
|
de47d7 |
+ "rootdn_check_access - client IP address could not be resolved\n");
|
|
|
de47d7 |
rc = -1;
|
|
|
de47d7 |
goto free_and_return;
|
|
|
de47d7 |
}
|
|
|
de47d7 |
@@ -560,18 +559,22 @@ rootdn_check_access(Slapi_PBlock *pb)
|
|
|
de47d7 |
* Now we have our hostname, now do our checks
|
|
|
de47d7 |
*/
|
|
|
de47d7 |
if (hosts_to_deny) {
|
|
|
de47d7 |
- for (i = 0; hosts_to_deny[i] != NULL; i++) {
|
|
|
de47d7 |
+ for (size_t i = 0; hosts_to_deny[i] != NULL; i++) {
|
|
|
de47d7 |
host = hosts_to_deny[i];
|
|
|
de47d7 |
/* check for wild cards */
|
|
|
de47d7 |
if (host[0] == '*') {
|
|
|
de47d7 |
if (rootdn_check_host_wildcard(host, dnsName) == 0) {
|
|
|
de47d7 |
/* match, return failure */
|
|
|
de47d7 |
+ slapi_log_err(SLAPI_LOG_ERR, ROOTDN_PLUGIN_SUBSYSTEM, "rootdn_check_access - "
|
|
|
de47d7 |
+ "hostname (%s) matched denied host (%s)\n", dnsName, host);
|
|
|
de47d7 |
rc = -1;
|
|
|
de47d7 |
goto free_and_return;
|
|
|
de47d7 |
}
|
|
|
de47d7 |
} else {
|
|
|
de47d7 |
if (strcasecmp(host, dnsName) == 0) {
|
|
|
de47d7 |
/* we have a match, return failure */
|
|
|
de47d7 |
+ slapi_log_err(SLAPI_LOG_ERR, ROOTDN_PLUGIN_SUBSYSTEM, "rootdn_check_access - "
|
|
|
de47d7 |
+ "hostname (%s) matched denied host (%s)\n", dnsName, host);
|
|
|
de47d7 |
rc = -1;
|
|
|
de47d7 |
goto free_and_return;
|
|
|
de47d7 |
}
|
|
|
de47d7 |
@@ -580,7 +583,7 @@ rootdn_check_access(Slapi_PBlock *pb)
|
|
|
de47d7 |
rc = 0;
|
|
|
de47d7 |
}
|
|
|
de47d7 |
if (hosts) {
|
|
|
de47d7 |
- for (i = 0; hosts[i] != NULL; i++) {
|
|
|
de47d7 |
+ for (size_t i = 0; hosts[i] != NULL; i++) {
|
|
|
de47d7 |
host = hosts[i];
|
|
|
de47d7 |
/* check for wild cards */
|
|
|
de47d7 |
if (host[0] == '*') {
|
|
|
de47d7 |
@@ -604,14 +607,15 @@ rootdn_check_access(Slapi_PBlock *pb)
|
|
|
de47d7 |
* Check the IP address restrictions, deny always overrides allow
|
|
|
de47d7 |
*/
|
|
|
de47d7 |
if (ips || ips_to_deny) {
|
|
|
de47d7 |
- char ip_str[256];
|
|
|
de47d7 |
+ char ip_str[256] = {0};
|
|
|
de47d7 |
char *ip;
|
|
|
de47d7 |
- int ip_len, i;
|
|
|
de47d7 |
+ int32_t ip_len;
|
|
|
de47d7 |
|
|
|
de47d7 |
if (client_addr == NULL) {
|
|
|
de47d7 |
client_addr = (PRNetAddr *)slapi_ch_malloc(sizeof(PRNetAddr));
|
|
|
de47d7 |
if (slapi_pblock_get(pb, SLAPI_CONN_CLIENTNETADDR, client_addr) != 0) {
|
|
|
de47d7 |
- slapi_log_err(SLAPI_LOG_ERR, ROOTDN_PLUGIN_SUBSYSTEM, "rootdn_check_access - Could not get client address for IP.\n");
|
|
|
de47d7 |
+ slapi_log_err(SLAPI_LOG_ERR, ROOTDN_PLUGIN_SUBSYSTEM,
|
|
|
de47d7 |
+ "rootdn_check_access - Could not get client address for IP.\n");
|
|
|
de47d7 |
rc = -1;
|
|
|
de47d7 |
goto free_and_return;
|
|
|
de47d7 |
}
|
|
|
de47d7 |
@@ -624,13 +628,15 @@ rootdn_check_access(Slapi_PBlock *pb)
|
|
|
de47d7 |
v4addr.inet.family = PR_AF_INET;
|
|
|
de47d7 |
v4addr.inet.ip = client_addr->ipv6.ip.pr_s6_addr32[3];
|
|
|
de47d7 |
if (PR_NetAddrToString(&v4addr, ip_str, sizeof(ip_str)) != PR_SUCCESS) {
|
|
|
de47d7 |
- slapi_log_err(SLAPI_LOG_ERR, ROOTDN_PLUGIN_SUBSYSTEM, "rootdn_check_access - Could not get IPv4 from client address.\n");
|
|
|
de47d7 |
+ slapi_log_err(SLAPI_LOG_ERR, ROOTDN_PLUGIN_SUBSYSTEM,
|
|
|
de47d7 |
+ "rootdn_check_access - Could not get IPv4 from client address.\n");
|
|
|
de47d7 |
rc = -1;
|
|
|
de47d7 |
goto free_and_return;
|
|
|
de47d7 |
}
|
|
|
de47d7 |
} else {
|
|
|
de47d7 |
if (PR_NetAddrToString(client_addr, ip_str, sizeof(ip_str)) != PR_SUCCESS) {
|
|
|
de47d7 |
- slapi_log_err(SLAPI_LOG_ERR, ROOTDN_PLUGIN_SUBSYSTEM, "rootdn_check_access - Could not get IPv6 from client address.\n");
|
|
|
de47d7 |
+ slapi_log_err(SLAPI_LOG_ERR, ROOTDN_PLUGIN_SUBSYSTEM,
|
|
|
de47d7 |
+ "rootdn_check_access - Could not get IPv6 from client address.\n");
|
|
|
de47d7 |
rc = -1;
|
|
|
de47d7 |
goto free_and_return;
|
|
|
de47d7 |
}
|
|
|
de47d7 |
@@ -639,18 +645,22 @@ rootdn_check_access(Slapi_PBlock *pb)
|
|
|
de47d7 |
* Now we have our IP address, do our checks
|
|
|
de47d7 |
*/
|
|
|
de47d7 |
if (ips_to_deny) {
|
|
|
de47d7 |
- for (i = 0; ips_to_deny[i] != NULL; i++) {
|
|
|
de47d7 |
+ for (size_t i = 0; ips_to_deny[i] != NULL; i++) {
|
|
|
de47d7 |
ip = ips_to_deny[i];
|
|
|
de47d7 |
ip_len = strlen(ip);
|
|
|
de47d7 |
if (ip[ip_len - 1] == '*') {
|
|
|
de47d7 |
if (rootdn_check_ip_wildcard(ips_to_deny[i], ip_str) == 0) {
|
|
|
de47d7 |
/* match, return failure */
|
|
|
de47d7 |
+ slapi_log_err(SLAPI_LOG_ERR, ROOTDN_PLUGIN_SUBSYSTEM, "rootdn_check_access - "
|
|
|
de47d7 |
+ "ip address (%s) matched denied IP address (%s)\n", ip_str, ip);
|
|
|
de47d7 |
rc = -1;
|
|
|
de47d7 |
goto free_and_return;
|
|
|
de47d7 |
}
|
|
|
de47d7 |
} else {
|
|
|
de47d7 |
if (strcasecmp(ip_str, ip) == 0) {
|
|
|
de47d7 |
/* match, return failure */
|
|
|
de47d7 |
+ slapi_log_err(SLAPI_LOG_ERR, ROOTDN_PLUGIN_SUBSYSTEM, "rootdn_check_access - "
|
|
|
de47d7 |
+ "ip address (%s) matched denied IP address (%s)\n", ip_str, ip);
|
|
|
de47d7 |
rc = -1;
|
|
|
de47d7 |
goto free_and_return;
|
|
|
de47d7 |
}
|
|
|
de47d7 |
@@ -659,7 +669,7 @@ rootdn_check_access(Slapi_PBlock *pb)
|
|
|
de47d7 |
rc = 0;
|
|
|
de47d7 |
}
|
|
|
de47d7 |
if (ips) {
|
|
|
de47d7 |
- for (i = 0; ips[i] != NULL; i++) {
|
|
|
de47d7 |
+ for (size_t i = 0; ips[i] != NULL; i++) {
|
|
|
de47d7 |
ip = ips[i];
|
|
|
de47d7 |
ip_len = strlen(ip);
|
|
|
de47d7 |
if (ip[ip_len - 1] == '*') {
|
|
|
de47d7 |
@@ -668,6 +678,7 @@ rootdn_check_access(Slapi_PBlock *pb)
|
|
|
de47d7 |
rc = 0;
|
|
|
de47d7 |
goto free_and_return;
|
|
|
de47d7 |
}
|
|
|
de47d7 |
+
|
|
|
de47d7 |
} else {
|
|
|
de47d7 |
if (strcasecmp(ip_str, ip) == 0) {
|
|
|
de47d7 |
/* match, return success */
|
|
|
de47d7 |
@@ -688,17 +699,19 @@ free_and_return:
|
|
|
de47d7 |
return rc;
|
|
|
de47d7 |
}
|
|
|
de47d7 |
|
|
|
de47d7 |
-static int
|
|
|
de47d7 |
+static int32_t
|
|
|
de47d7 |
rootdn_check_host_wildcard(char *host, char *client_host)
|
|
|
de47d7 |
{
|
|
|
de47d7 |
- int host_len = strlen(host);
|
|
|
de47d7 |
- int client_len = strlen(client_host);
|
|
|
de47d7 |
- int i, j;
|
|
|
de47d7 |
+ size_t host_len = strlen(host);
|
|
|
de47d7 |
+ size_t client_len = strlen(client_host);
|
|
|
de47d7 |
+ size_t i, j;
|
|
|
de47d7 |
+
|
|
|
de47d7 |
/*
|
|
|
de47d7 |
* Start at the end of the string and move backwards, and skip the first char "*"
|
|
|
de47d7 |
*/
|
|
|
de47d7 |
if (client_len < host_len) {
|
|
|
de47d7 |
/* this can't be a match */
|
|
|
de47d7 |
+
|
|
|
de47d7 |
return -1;
|
|
|
de47d7 |
}
|
|
|
de47d7 |
for (i = host_len - 1, j = client_len - 1; i > 0; i--, j--) {
|
|
|
de47d7 |
@@ -714,7 +727,7 @@ static int
|
|
|
de47d7 |
rootdn_check_ip_wildcard(char *ip, char *client_ip)
|
|
|
de47d7 |
{
|
|
|
de47d7 |
size_t ip_len = strlen(ip);
|
|
|
de47d7 |
- int i;
|
|
|
de47d7 |
+
|
|
|
de47d7 |
/*
|
|
|
de47d7 |
* Start at the beginning of the string and move forward, and skip the last char "*"
|
|
|
de47d7 |
*/
|
|
|
de47d7 |
@@ -722,7 +735,7 @@ rootdn_check_ip_wildcard(char *ip, char *client_ip)
|
|
|
de47d7 |
/* this can't be a match */
|
|
|
de47d7 |
return -1;
|
|
|
de47d7 |
}
|
|
|
de47d7 |
- for (i = 0; i < ip_len - 1; i++) {
|
|
|
de47d7 |
+ for (size_t i = 0; i < ip_len - 1; i++) {
|
|
|
de47d7 |
if (ip[i] != client_ip[i]) {
|
|
|
de47d7 |
return -1;
|
|
|
de47d7 |
}
|
|
|
de47d7 |
@@ -734,9 +747,7 @@ rootdn_check_ip_wildcard(char *ip, char *client_ip)
|
|
|
de47d7 |
char *
|
|
|
de47d7 |
strToLower(char *str)
|
|
|
de47d7 |
{
|
|
|
de47d7 |
- size_t i;
|
|
|
de47d7 |
-
|
|
|
de47d7 |
- for (i = 0; str && i < strlen(str); i++) {
|
|
|
de47d7 |
+ for (size_t i = 0; str && i < strlen(str); i++) {
|
|
|
de47d7 |
str[i] = tolower(str[i]);
|
|
|
de47d7 |
}
|
|
|
de47d7 |
return str;
|
|
|
de47d7 |
--
|
|
|
de47d7 |
2.25.3
|
|
|
de47d7 |
|