From: Howard Chu Date: Fri, 11 Dec 2009 10:06:54 +0000 (+0000) Subject: New access_allowed() X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=62a27b2a42c67e12a9d1feef769e79ec24d5e510;p=thirdparty%2Fopenldap.git New access_allowed() --- diff --git a/servers/slapd/back-sql/add.c b/servers/slapd/back-sql/add.c index 7f4155ea58..6d9eca0c88 100644 --- a/servers/slapd/back-sql/add.c +++ b/servers/slapd/back-sql/add.c @@ -929,11 +929,12 @@ backsql_add( Operation *op, SlapReply *rs ) struct berval pdn; struct berval realdn = BER_BVNULL; int colnum; - slap_mask_t mask; char textbuf[ SLAP_TEXT_BUFLEN ]; size_t textlen = sizeof( textbuf ); + AclCheck ak; + #ifdef BACKSQL_SYNCPROV /* * NOTE: fake successful result to force contextCSN to be bumped up @@ -1069,9 +1070,12 @@ backsql_add( Operation *op, SlapReply *rs ) } /* check write access */ - if ( !access_allowed_mask( op, op->ora_e, - slap_schema.si_ad_entry, - NULL, ACL_WADD, NULL, &mask ) ) + ak.ak_e = op->ora_e; + ak.ak_desc = slap_schema.si_ad_entry; + ak.ak_val = NULL; + ak.ak_access = ACL_WADD; + ak.ak_state = NULL; + if ( !access_allowed( op, &ak )) { rs->sr_err = LDAP_INSUFFICIENT_ACCESS; e = op->ora_e; @@ -1145,8 +1149,9 @@ backsql_add( Operation *op, SlapReply *rs ) } /* check "children" pseudo-attribute access to parent */ - if ( !access_allowed( op, &p, slap_schema.si_ad_children, - NULL, ACL_WADD, NULL ) ) + ak.ak_e = &p; + ak.ak_desc = slap_schema.si_ad_children; + if ( !access_allowed( op, &ak )) { rs->sr_err = LDAP_INSUFFICIENT_ACCESS; e = &p; 
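Review bot: In add.c the parent "children" check (`@@ -1145`) reuses the same `ak` that the entry check in `@@ -1069` filled in, while the `done:` hunk (`@@ -1495`) later reads `ak.ak_mask` under the comment "mask already collected". If access_allowed() stores its result mask in the AclCheck on every call (neither the struct nor the function is shown in this diff), any path that reaches `done:` with `e == op->ora_e` after the parent check would take the disclose decision for the new entry from the parent's mask. Saving the entry's mask right after the first check, e.g. `slap_mask_t emask = ak.ak_mask;`, and testing `ACL_GRANT( emask, ACL_DISCLOSE )` at `done:` would keep the old behaviour. backsql_add() starts and ends outside these hunks, so the paths between the two checks need to be confirmed against the full function.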
@@ -1495,15 +1500,19 @@ done:; if ( e != NULL ) { int disclose = 1; - if ( e == op->ora_e && !ACL_GRANT( mask, ACL_DISCLOSE ) ) { + if ( e == op->ora_e && !ACL_GRANT( ak.ak_mask, ACL_DISCLOSE ) ) { /* mask already collected */ disclose = 0; - } else if ( e == &p && !access_allowed( op, &p, - slap_schema.si_ad_entry, NULL, - ACL_DISCLOSE, NULL ) ) + } else if ( e == &p ) { - disclose = 0; + ak.ak_e = &p; + ak.ak_desc = slap_schema.si_ad_entry; + ak.ak_access = ACL_DISCLOSE; + if ( !access_allowed( op, &ak )) + { + disclose = 0; + } } if ( disclose == 0 ) { diff --git a/servers/slapd/back-sql/compare.c b/servers/slapd/back-sql/compare.c index 7cd0128afe..97f4b65714 100644 --- a/servers/slapd/back-sql/compare.c +++ b/servers/slapd/back-sql/compare.c @@ -38,6 +38,7 @@ backsql_compare( Operation *op, SlapReply *rs ) int rc; int manageDSAit = get_manageDSAit( op ); AttributeName anlist[2]; + AclCheck ak; Debug( LDAP_DEBUG_TRACE, "==>backsql_compare()\n", 0, 0, 0 ); @@ -117,9 +118,12 @@ backsql_compare( Operation *op, SlapReply *rs ) *ap = nrs.sr_operational_attrs; } - if ( ! access_allowed( op, &e, op->oq_compare.rs_ava->aa_desc, - &op->oq_compare.rs_ava->aa_value, - ACL_COMPARE, NULL ) ) + ak.ak_e = &e; + ak.ak_desc = op->oq_compare.rs_ava->aa_desc; + ak.ak_val = &op->oq_compare.rs_ava->aa_value; + ak.ak_access = ACL_COMPARE; + ak.ak_state = NULL; + if ( ! access_allowed( op, &ak )) { rs->sr_err = LDAP_INSUFFICIENT_ACCESS; goto return_results; @@ -149,10 +153,11 @@ return_results:; break; default: + ak.ak_desc = slap_schema.si_ad_entry; + ak.ak_val = NULL; + ak.ak_access = ACL_DISCLOSE; if ( !BER_BVISNULL( &e.e_nname ) && - ! access_allowed( op, &e, - slap_schema.si_ad_entry, NULL, - ACL_DISCLOSE, NULL ) ) + ! access_allowed( op, &ak )) { rs->sr_err = LDAP_NO_SUCH_OBJECT; rs->sr_text = NULL; diff --git a/servers/slapd/back-sql/delete.c b/servers/slapd/back-sql/delete.c index 0a171a9f57..391b198ab7 100644 --- a/servers/slapd/back-sql/delete.c 
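Review bot: The disclose check in the `default:` branch under `return_results:` (compare.c, `@@ -149`) assigns only `ak_desc`, `ak_val` and `ak_access`, so `ak.ak_e` and `ak.ak_state` hold whatever the `@@ -117` hunk stored, or indeterminate stack contents if `return_results` is reached before that assignment, because `AclCheck ak;` is declared without an initializer. The old call passed `&e` and `NULL` explicitly on every path. Adding `ak.ak_e = &e;` and `ak.ak_state = NULL;` next to the three assignments, or initialising `ak` at its declaration, removes the dependency on earlier code. The `done:` hunks of delete.c (`@@ -594`) and modrdn.c (`@@ -468`) follow the same pattern and leave `ak_val` and `ak_state` to earlier assignments; whether an early `goto` can reach them is not visible in this diff.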
+++ b/servers/slapd/back-sql/delete.c @@ -295,13 +295,15 @@ backsql_tree_delete_search_cb( Operation *op, SlapReply *rs ) if ( rs->sr_type == REP_SEARCH ) { backsql_tree_delete_t *btd; backsql_entryID *eid; + AclCheck ak = { rs->sr_entry, slap_schema.si_ad_entry, NULL, + ACL_WDEL, NULL }; + int ret; btd = (backsql_tree_delete_t *)op->o_callback->sc_private; - if ( !access_allowed( btd->btd_op, rs->sr_entry, - slap_schema.si_ad_entry, NULL, ACL_WDEL, NULL ) - || !access_allowed( btd->btd_op, rs->sr_entry, - slap_schema.si_ad_children, NULL, ACL_WDEL, NULL ) ) + ret = access_allowed( btd->btd_op, &ak ); + ak.ak_desc = slap_schema.si_ad_children; + if ( !ret || !access_allowed( btd->btd_op, &ak )) { btd->btd_rc = LDAP_INSUFFICIENT_ACCESS; return rs->sr_err = LDAP_UNAVAILABLE; @@ -410,6 +412,7 @@ backsql_delete( Operation *op, SlapReply *rs ) Entry d = { 0 }, p = { 0 }, *e = NULL; struct berval pdn = BER_BVNULL; int manageDSAit = get_manageDSAit( op ); + AclCheck ak; Debug( LDAP_DEBUG_TRACE, "==>backsql_delete(): deleting entry \"%s\"\n", op->o_req_ndn.bv_val, 0, 0 ); @@ -476,8 +479,12 @@ backsql_delete( Operation *op, SlapReply *rs ) goto done; } - if ( !access_allowed( op, &d, slap_schema.si_ad_entry, - NULL, ACL_WDEL, NULL ) ) + ak.ak_e = &d; + ak.ak_desc = slap_schema.si_ad_entry; + ak.ak_val = NULL; + ak.ak_access = ACL_WDEL; + ak.ak_state = NULL; + if ( !access_allowed( op, &ak )) { Debug( LDAP_DEBUG_TRACE, " backsql_delete(): " "no write access to entry\n", @@ -550,8 +557,9 @@ backsql_delete( Operation *op, SlapReply *rs ) (void)backsql_free_entryID( &bsi.bsi_base_id, 0, op->o_tmpmemctx ); /* check parent for "children" acl */ - if ( !access_allowed( op, &p, slap_schema.si_ad_children, - NULL, ACL_WDEL, NULL ) ) + ak.ak_e = &p; + ak.ak_desc = slap_schema.si_ad_children; + if ( !access_allowed( op, &ak )) { Debug( LDAP_DEBUG_TRACE, " backsql_delete(): " "no write access to parent\n", 
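Review bot: The positional initializer `AclCheck ak = { rs->sr_entry, slap_schema.si_ad_entry, NULL, ACL_WDEL, NULL };` in backsql_tree_delete_search_cb() ties the access check to the member order of AclCheck, which this diff does not show; a reordered or inserted member would silently change which entry, attribute or access level is checked. If the project's C dialect allows it, designated initializers such as `{ .ak_e = rs->sr_entry, .ak_desc = slap_schema.si_ad_entry, .ak_access = ACL_WDEL }` state the intent and zero the remaining members. The same applies to the initializers in modify.c (`@@ -176`) and search.c (`@@ -2017`). A short comment above `ret = access_allowed( btd->btd_op, &ak );`, for example `/* entry first, then children; the second call is skipped when the first is denied */`, would also help now that the two checks are no longer one expression.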
@@ -594,8 +602,10 @@ backsql_delete( Operation *op, SlapReply *rs ) done:; if ( e != NULL ) { - if ( !access_allowed( op, e, slap_schema.si_ad_entry, NULL, - ACL_DISCLOSE, NULL ) ) + ak.ak_e = e; + ak.ak_desc = slap_schema.si_ad_entry; + ak.ak_access = ACL_DISCLOSE; + if ( !access_allowed( op, &ak )) { rs->sr_err = LDAP_NO_SUCH_OBJECT; rs->sr_text = NULL; diff --git a/servers/slapd/back-sql/modify.c b/servers/slapd/back-sql/modify.c index 941bc37548..8ee5c1c912 100644 --- a/servers/slapd/back-sql/modify.c +++ b/servers/slapd/back-sql/modify.c @@ -176,8 +176,8 @@ do_transact:; done:; if ( e != NULL ) { - if ( !access_allowed( op, e, slap_schema.si_ad_entry, NULL, - ACL_DISCLOSE, NULL ) ) + AclCheck ak = { e, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL }; + if ( !access_allowed( op, &ak )) { rs->sr_err = LDAP_NO_SUCH_OBJECT; rs->sr_text = NULL; diff --git a/servers/slapd/back-sql/modrdn.c b/servers/slapd/back-sql/modrdn.c index fafd98ee54..a509a31e98 100644 --- a/servers/slapd/back-sql/modrdn.c +++ b/servers/slapd/back-sql/modrdn.c @@ -50,6 +50,7 @@ backsql_modrdn( Operation *op, SlapReply *rs ) *e = NULL; int manageDSAit = get_manageDSAit( op ); struct berval *newSuperior = op->oq_modrdn.rs_newSup; + AclCheck ak; Debug( LDAP_DEBUG_TRACE, "==>backsql_modrdn() renaming entry \"%s\", " "newrdn=\"%s\", newSuperior=\"%s\"\n", @@ -137,8 +138,12 @@ backsql_modrdn( Operation *op, SlapReply *rs ) /* * Check for entry access to target */ - if ( !access_allowed( op, &r, slap_schema.si_ad_entry, - NULL, ACL_WRITE, NULL ) ) { + ak.ak_e = &r; + ak.ak_desc = slap_schema.si_ad_entry; + ak.ak_val = NULL; + ak.ak_access = ACL_WRITE; + ak.ak_state = NULL; + if ( !access_allowed( op, &ak )) { Debug( LDAP_DEBUG_TRACE, " no access to entry\n", 0, 0, 0 ); rs->sr_err = LDAP_INSUFFICIENT_ACCESS; goto done; 
@@ -189,8 +194,10 @@ backsql_modrdn( Operation *op, SlapReply *rs ) goto done; } - if ( !access_allowed( op, &p, slap_schema.si_ad_children, NULL, - newSuperior ? ACL_WDEL : ACL_WRITE, NULL ) ) + ak.ak_e = &p; + ak.ak_desc = slap_schema.si_ad_children; + if ( newSuperior ) ak.ak_desc = ACL_WDEL; + if ( !access_allowed( op, &ak )) { Debug( LDAP_DEBUG_TRACE, " no access to parent\n", 0, 0, 0 ); rs->sr_err = LDAP_INSUFFICIENT_ACCESS; @@ -244,8 +251,9 @@ backsql_modrdn( Operation *op, SlapReply *rs ) n_id.eid_id, 0, 0 ); #endif /* ! BACKSQL_ARBITRARY_KEY */ - if ( !access_allowed( op, &n, slap_schema.si_ad_children, - NULL, ACL_WADD, NULL ) ) { + ak.ak_e = &n; + ak.ak_access = ACL_WADD; + if ( !access_allowed( op, &ak )) { Debug( LDAP_DEBUG_TRACE, " backsql_modrdn(): " "no access to new parent \"%s\"\n", new_pdn->bv_val, 0, 0 ); @@ -468,8 +476,10 @@ backsql_modrdn( Operation *op, SlapReply *rs ) done:; if ( e != NULL ) { - if ( !access_allowed( op, e, slap_schema.si_ad_entry, NULL, - ACL_DISCLOSE, NULL ) ) + ak.ak_e = e; + ak.ak_desc = slap_schema.si_ad_entry; + ak.ak_access = ACL_DISCLOSE; + if ( !access_allowed( op, &ak )) { rs->sr_err = LDAP_NO_SUCH_OBJECT; rs->sr_text = NULL; diff --git a/servers/slapd/back-sql/search.c b/servers/slapd/back-sql/search.c index 7b7f78487d..b6a5401e6a 100644 --- a/servers/slapd/back-sql/search.c +++ b/servers/slapd/back-sql/search.c @@ -2017,6 +2017,7 @@ backsql_search( Operation *op, SlapReply *rs ) #ifndef BACKSQL_ARBITRARY_KEY ID lastid = 0; #endif /* ! BACKSQL_ARBITRARY_KEY */ + AclCheck ak = { &base_entry, slap_schema.si_ad_entry, NULL }; Debug( LDAP_DEBUG_TRACE, "==>backsql_search(): " "base=\"%s\", filter=\"%s\", scope=%d,", 
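Review bot: `if ( newSuperior ) ak.ak_desc = ACL_WDEL;` in the modrdn.c parent check stores the access level in the attribute-description member instead of `ak_access`. With a new superior the check then runs with `ak_access` still at the `ACL_WRITE` set in the `@@ -137` hunk and with `ak_desc` no longer pointing at `slap_schema.si_ad_children`, whereas the old code asked for `ACL_WDEL` on "children" in that case. The line should read `if ( newSuperior ) ak.ak_access = ACL_WDEL;`. The new-parent check in the `@@ -244` hunk inherits the overwritten `ak_desc`, because it only sets `ak_e` and `ak_access`.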
@@ -2088,10 +2089,9 @@ backsql_search( Operation *op, SlapReply *rs ) /* fall thru */ default: + ak.ak_access = ACL_DISCLOSE; if ( !BER_BVISNULL( &base_entry.e_nname ) - && !access_allowed( op, &base_entry, - slap_schema.si_ad_entry, NULL, - ACL_DISCLOSE, NULL ) ) + && !access_allowed( op, &ak )) { rs->sr_err = LDAP_NO_SUCH_OBJECT; if ( rs->sr_ref ) { @@ -2118,8 +2118,6 @@ backsql_search( Operation *op, SlapReply *rs ) /* NOTE: __NEW__ "search" access is required * on searchBase object */ { - slap_mask_t mask; - if ( get_assert( op ) && ( test_filter( op, &base_entry, get_assertion( op ) ) != LDAP_COMPARE_TRUE ) ) @@ -2127,9 +2125,8 @@ backsql_search( Operation *op, SlapReply *rs ) rs->sr_err = LDAP_ASSERTION_FAILED; } - if ( ! access_allowed_mask( op, &base_entry, - slap_schema.si_ad_entry, - NULL, ACL_SEARCH, NULL, &mask ) ) + ak.ak_access = ACL_SEARCH; + if ( ! access_allowed( op, &ak )) { if ( rs->sr_err == LDAP_SUCCESS ) { rs->sr_err = LDAP_INSUFFICIENT_ACCESS; @@ -2137,7 +2134,7 @@ backsql_search( Operation *op, SlapReply *rs ) } if ( rs->sr_err != LDAP_SUCCESS ) { - if ( !ACL_GRANT( mask, ACL_DISCLOSE ) ) { + if ( !ACL_GRANT( ak.ak_mask, ACL_DISCLOSE ) ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; rs->sr_text = NULL; }