From abc9ff876209819c8f0dd7e799f1ab6a1b084fe5 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Mon, 20 Mar 2017 15:08:45 -0400
Subject: [PATCH] Issue 49095 - targetattr wildcard evaluation is incorrectly
 case sensitive

Description:  When processing an aci that uses a wildcard targetattr, the
              comparision should be done using case insensitive functions.

https://pagure.io/389-ds-base/issue/49095

Reviewed by: firstyear(Thanks!)
---
 dirsrvtests/tests/tickets/ticket49095_test.py | 85 +++++++++++++++++++++++++++
 ldap/servers/plugins/acl/acl.c                | 10 ++--
 2 files changed, 90 insertions(+), 5 deletions(-)
 create mode 100644 dirsrvtests/tests/tickets/ticket49095_test.py

diff --git a/dirsrvtests/tests/tickets/ticket49095_test.py b/dirsrvtests/tests/tickets/ticket49095_test.py
new file mode 100644
index 0000000..04f92b2
--- /dev/null
+++ b/dirsrvtests/tests/tickets/ticket49095_test.py
@@ -0,0 +1,85 @@
+import time
+import ldap
+import logging
+import pytest
+from lib389 import DirSrv, Entry, tools, tasks
+from lib389.tools import DirSrvTools
+from lib389._constants import *
+from lib389.properties import *
+from lib389.tasks import *
+from lib389.utils import *
+from lib389.topologies import topology_st as topo
+
+DEBUGGING = os.getenv("DEBUGGING", default=False)
+if DEBUGGING:
+    logging.getLogger(__name__).setLevel(logging.DEBUG)
+else:
+    logging.getLogger(__name__).setLevel(logging.INFO)
+log = logging.getLogger(__name__)
+
+USER_DN = 'uid=testuser,dc=example,dc=com'
+acis = ['(targetattr != "tele*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)',
+        '(targetattr != "TELE*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)',
+        '(targetattr != "telephonenum*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)',
+        '(targetattr != "TELEPHONENUM*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)']
+
+
+def test_ticket49095(topo):
+    """Check that target attrbiutes with wildcards are case insensitive
+    """
+
+    # Add an entry
+    try:
+        topo.standalone.add_s(Entry((USER_DN, {
+            'objectclass': 'top extensibleObject'.split(),
+            'uid': 'testuser',
+            'telephonenumber': '555-555-5555'
+        })))
+    except ldap.LDAPError as e:
+            log.fatal('Failed to add test user: ' + e.message['desc'])
+            assert False
+
+    for aci in acis:
+        # Add ACI
+        try:
+            topo.standalone.modify_s(DEFAULT_SUFFIX,
+                          [(ldap.MOD_REPLACE, 'aci', aci)])
+
+        except ldap.LDAPError as e:
+            log.fatal('Failed to set aci: ' + aci + ': ' + e.message['desc'])
+            assert False
+
+        # Set Anonymous Bind to test aci
+        try:
+            topo.standalone.simple_bind_s("", "")
+        except ldap.LDAPError as e:
+            log.fatal('Failed to bind anonymously: ' + e.message['desc'])
+            assert False
+
+        # Search for entry - should not get any results
+        try:
+            entry = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_BASE,
+                                             'telephonenumber=*')
+            if entry:
+                log.fatal('The entry was incorrectly returned')
+                assert False
+        except ldap.LDAPError as e:
+            log.fatal('Failed to search anonymously: ' + e.message['desc'])
+            assert False
+
+        # Set root DN Bind so we can update aci's
+        try:
+            topo.standalone.simple_bind_s(DN_DM, PASSWORD)
+        except ldap.LDAPError as e:
+            log.fatal('Failed to bind anonymously: ' + e.message['desc'])
+            assert False
+
+    log.info("Test Passed")
+
+
+if __name__ == '__main__':
+    # Run isolated
+    # -s for DEBUG mode
+    CURRENT_FILE = os.path.realpath(__file__)
+    pytest.main("-s %s" % CURRENT_FILE)
+
diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c
index 0a93808..48b8efc 100644
--- a/ldap/servers/plugins/acl/acl.c
+++ b/ldap/servers/plugins/acl/acl.c
@@ -3407,19 +3407,19 @@ acl_match_substring ( Slapi_Filter *f, char *str, int exact_match)
 	}
 
 	/* this assumes that str and the filter components are already
-	 * normalized. If not, it shoul be done
+	 * normalized. If not, it should be done
 	 */
 	if ( initial != NULL) {
 		len = strlen(initial);
 		if (exact_match) {
-			int rc = strncmp(p, initial, len);
+			int rc = strncasecmp(p, initial, len);
 			if (rc) {
 				return ACL_FALSE;
 			} else {
 				p += len;
 			}  
 		} else {
-			p = strstr(p, initial);
+			p = strcasestr(p, initial);
 			if (p) {
 				p += len;
 			} else {
@@ -3430,7 +3430,7 @@ acl_match_substring ( Slapi_Filter *f, char *str, int exact_match)
 
 	if ( any != NULL) {
 		for (i = 0;  any && any[i] != NULL; i++) {
-			p = strstr(p, any[i]);
+			p = strcasestr(p, any[i]);
 			if (p) {
 				p += strlen(any[i]);
 			} else {
@@ -3444,7 +3444,7 @@ acl_match_substring ( Slapi_Filter *f, char *str, int exact_match)
 		len = strlen(final);
 		tlen = strlen(p);
 		if (len > tlen) return ACL_FALSE;
-		if (strcmp(p+tlen-len, final)) return ACL_FALSE;
+		if (strcasecmp(p+tlen-len, final)) return ACL_FALSE;
 	}
 
 	return ACL_TRUE;
-- 
2.9.3