From 0a1e9e51568d5caea0b97d79773dbc9f5a900ab3 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Fri, 10 Oct 2014 11:50:13 -0700
Subject: [PATCH 21/21] Ticket #47922 - dynamically added macro aci is not
 evaluated on the fly

Bug Description: When macro aci is dynamically added and if the aci's
macro target dn is not normalized, the following operation that requires
the aci could fail with Insufficient access since matching the target dn
and the macro target dn fails since the code expects normalized macro
target dn.

Fix Description: Before setting the macro target dn, process the dn by
slapi_create_dn_string_case.

https://fedorahosted.org/389/ticket/47922

Reviewed by lkrispen@redhat.com and rmeggins@redhat.com (Thank you, Ludwig and Rich!!)

(cherry picked from commit 07c1bc25508a9c1e71dd8e717fd4ce455ddfeff0)
(cherry picked from commit c6b397c8466fd0859c5404c946a82f240564076e)
---
 ldap/servers/plugins/acl/aclparse.c | 19 +++++++++++++------
 ldap/servers/plugins/acl/aclutil.c  |  2 +-
 2 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/ldap/servers/plugins/acl/aclparse.c b/ldap/servers/plugins/acl/aclparse.c
index ea64fa7..be86c8b 100644
--- a/ldap/servers/plugins/acl/aclparse.c
+++ b/ldap/servers/plugins/acl/aclparse.c
@@ -1849,9 +1849,9 @@ static int
 acl_check_for_target_macro( aci_t *aci_item, char *value)
 {
 
-	char			*str = NULL;
+	char *str = NULL;
 
-	str = strstr(value, ACL_TARGET_MACRO_DN_KEY /* ($dn) */);	
+	str = PL_strcasestr(value, ACL_TARGET_MACRO_DN_KEY /* ($dn) */);
 	
 	if (str != NULL) {
 		char *p0 = NULL, *p1 = NULL;
@@ -1871,10 +1871,17 @@ acl_check_for_target_macro( aci_t *aci_item, char *value)
 		aci_item->aci_type &= ~ACI_TARGET_DN;
 		aci_item->aci_type |= ACI_TARGET_MACRO_DN;
 		aci_item->aci_macro = (aciMacro *)slapi_ch_malloc(sizeof(aciMacro));
-		aci_item->aci_macro->match_this = slapi_ch_strdup(value);
-		aci_item->aci_macro->macro_ptr = strstr( aci_item->aci_macro->match_this,
-												 ACL_TARGET_MACRO_DN_KEY);
-		return(1);											
+		/* Macro dn needs to normalize. E.g., "ou=Groups, ($dN), dn=example,dn=com" */
+		aci_item->aci_macro->match_this = slapi_create_dn_string_case("%s", value);
+		if (NULL == aci_item->aci_macro->match_this) {
+			slapi_log_error(SLAPI_LOG_FATAL, plugin_name,
+			                "acl_check_for_target_macro: Error: Invalid macro target dn: \"%s\"\n", value);
+			aci_item->aci_type &= ~ACI_TARGET_MACRO_DN;
+			slapi_ch_free((void **)&aci_item->aci_macro);
+			return -1;
+		}
+		aci_item->aci_macro->macro_ptr = PL_strcasestr(aci_item->aci_macro->match_this, ACL_TARGET_MACRO_DN_KEY);
+		return(1);
 	}
 
 	return(0);
diff --git a/ldap/servers/plugins/acl/aclutil.c b/ldap/servers/plugins/acl/aclutil.c
index e865a95..0720dae 100644
--- a/ldap/servers/plugins/acl/aclutil.c
+++ b/ldap/servers/plugins/acl/aclutil.c
@@ -785,7 +785,7 @@ acl_match_macro_in_target( const char *ndn, char * match_this,
 	macro_prefix = slapi_ch_strdup(match_this);
 	
 	/* we know it's got a $(dn) */
-	tmp_ptr = strstr(macro_prefix, ACL_TARGET_MACRO_DN_KEY);	
+	tmp_ptr = PL_strcasestr(macro_prefix, ACL_TARGET_MACRO_DN_KEY);	
 	if (!tmp_ptr) {
 		LDAPDebug(LDAP_DEBUG_ACL,"acl_match_macro_in_target: "
 				"Target macro DN key \"%s\" not found in \"%s\".\n",
-- 
1.9.3