From: Howard Chu Date: Fri, 11 Dec 2009 05:53:09 +0000 (+0000) Subject: New access_allowed() X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d9775fbbf7b241f28a425184f8b8c6dd8736a062;p=thirdparty%2Fopenldap.git New access_allowed() --- diff --git a/servers/slapd/back-bdb/add.c b/servers/slapd/back-bdb/add.c index b44f86fe64..b01227269f 100644 --- a/servers/slapd/back-bdb/add.c +++ b/servers/slapd/back-bdb/add.c @@ -44,6 +44,7 @@ bdb_add(Operation *op, SlapReply *rs ) LDAPControl **postread_ctrl = NULL; LDAPControl *ctrls[SLAP_MAX_RESPONSE_CONTROLS]; int num_ctrls = 0; + AclCheck ak; #ifdef LDAP_X_TXN int settle = 0; @@ -221,8 +222,12 @@ retry: /* transaction retry */ goto return_results; } - rs->sr_err = access_allowed( op, p, - children, NULL, ACL_WADD, NULL ); + ak.ak_e = p; + ak.ak_desc = children; + ak.ak_val = NULL; + ak.ak_access = ACL_WADD; + ak.ak_state = NULL; + rs->sr_err = access_allowed( op, &ak ); if ( ! rs->sr_err ) { switch( opinfo.boi_err ) { @@ -318,8 +323,9 @@ retry: /* transaction retry */ } p = NULL; - rs->sr_err = access_allowed( op, op->ora_e, - entry, NULL, ACL_WADD, NULL ); + ak.ak_e = op->ora_e; + ak.ak_desc = entry; + rs->sr_err = access_allowed( op, &ak ); if ( ! rs->sr_err ) { switch( opinfo.boi_err ) { diff --git a/servers/slapd/back-bdb/compare.c b/servers/slapd/back-bdb/compare.c index 00b4735352..11dfa48ebd 100644 --- a/servers/slapd/back-bdb/compare.c +++ b/servers/slapd/back-bdb/compare.c @@ -33,6 +33,8 @@ bdb_compare( Operation *op, SlapReply *rs ) DB_TXN *rtxn; DB_LOCK lock; + AclCheck ak; + rs->sr_err = bdb_reader_get(op, bdb->bi_dbenv, &rtxn); switch(rs->sr_err) { case 0: @@ -64,11 +66,16 @@ dn2entry_retry: } e = ei->bei_e; + ak.ak_e = e; + ak.ak_desc = slap_schema.si_ad_entry; + ak.ak_val = NULL; + ak.ak_access = ACL_DISCLOSE; + ak.ak_state = NULL; + if ( rs->sr_err == DB_NOTFOUND ) { if ( e != NULL ) { /* return referral only if "disclose" is granted on the object */ - if ( ! access_allowed( op, e, slap_schema.si_ad_entry, - NULL, ACL_DISCLOSE, NULL ) ) + if ( ! access_allowed( op, &ak )) { rs->sr_err = LDAP_NO_SUCH_OBJECT; @@ -101,8 +108,7 @@ dn2entry_retry: if (!manageDSAit && is_entry_referral( e ) ) { /* return referral only if "disclose" is granted on the object */ - if ( !access_allowed( op, e, slap_schema.si_ad_entry, - NULL, ACL_DISCLOSE, NULL ) ) + if ( !access_allowed( op, &ak )) { rs->sr_err = LDAP_NO_SUCH_OBJECT; } else { @@ -125,8 +131,7 @@ dn2entry_retry: if ( get_assert( op ) && ( test_filter( op, e, get_assertion( op )) != LDAP_COMPARE_TRUE )) { - if ( !access_allowed( op, e, slap_schema.si_ad_entry, - NULL, ACL_DISCLOSE, NULL ) ) + if ( !access_allowed( op, &ak )) { rs->sr_err = LDAP_NO_SUCH_OBJECT; } else { @@ -135,13 +140,17 @@ dn2entry_retry: goto return_results; } - if ( !access_allowed( op, e, op->oq_compare.rs_ava->aa_desc, - &op->oq_compare.rs_ava->aa_value, ACL_COMPARE, NULL ) ) + ak.ak_desc = op->oq_compare.rs_ava->aa_desc; + ak.ak_val = &op->oq_compare.rs_ava->aa_value; + ak.ak_access = ACL_COMPARE; + if ( !access_allowed( op, &ak )) { /* return error only if "disclose" * is granted on the object */ - if ( !access_allowed( op, e, slap_schema.si_ad_entry, - NULL, ACL_DISCLOSE, NULL ) ) + ak.ak_desc = slap_schema.si_ad_entry; + ak.ak_val = NULL; + ak.ak_access = ACL_DISCLOSE; + if ( !access_allowed( op, &ak )) { rs->sr_err = LDAP_NO_SUCH_OBJECT; } else { diff --git a/servers/slapd/back-bdb/delete.c b/servers/slapd/back-bdb/delete.c index fd569cab49..a67ad4fcde 100644 --- a/servers/slapd/back-bdb/delete.c +++ b/servers/slapd/back-bdb/delete.c @@ -55,6 +55,8 @@ bdb_delete( Operation *op, SlapReply *rs ) int settle = 0; #endif + AclCheck ak; + Debug( LDAP_DEBUG_ARGS, "==> " LDAP_XSTRING(bdb_delete) ": %s\n", op->o_req_dn.bv_val, 0, 0 ); @@ -229,6 +231,10 @@ retry: /* transaction retry */ } if ( eip ) p = eip->bei_e; + ak.ak_desc = children; + ak.ak_val = NULL; + ak.ak_access = ACL_WDEL; + ak.ak_state = NULL; if ( pdn.bv_len != 0 ) { if( p == NULL || !bvmatch( &pdn, &p->e_nname )) { Debug( LDAP_DEBUG_TRACE, @@ -240,8 +246,8 @@ retry: /* transaction retry */ } /* check parent for "children" acl */ - rs->sr_err = access_allowed( op, p, - children, NULL, ACL_WDEL, NULL ); + ak.ak_e = p; + rs->sr_err = access_allowed( op, &ak ); if ( !rs->sr_err ) { switch( opinfo.boi_err ) { @@ -266,8 +272,8 @@ retry: /* transaction retry */ p = (Entry *)&slap_entry_root; /* check parent for "children" acl */ - rs->sr_err = access_allowed( op, p, - children, NULL, ACL_WDEL, NULL ); + ak.ak_e = p; + rs->sr_err = access_allowed( op, &ak ); p = NULL; @@ -304,8 +310,9 @@ retry: /* transaction retry */ goto return_results; } - rs->sr_err = access_allowed( op, e, - entry, NULL, ACL_WDEL, NULL ); + ak.ak_e = e; + ak.ak_desc = entry; + rs->sr_err = access_allowed( op, &ak ); if ( !rs->sr_err ) { switch( opinfo.boi_err ) { diff --git a/servers/slapd/back-bdb/modrdn.c b/servers/slapd/back-bdb/modrdn.c index 76a0fc8fd5..9981e78e0e 100644 --- a/servers/slapd/back-bdb/modrdn.c +++ b/servers/slapd/back-bdb/modrdn.c @@ -64,6 +64,8 @@ bdb_modrdn( Operation *op, SlapReply *rs ) int settle = 0; #endif + AclCheck ak; + Debug( LDAP_DEBUG_TRACE, "==>" LDAP_XSTRING(bdb_modrdn) "(%s,%s,%s)\n", op->o_req_dn.bv_val,op->oq_modrdn.rs_newrdn.bv_val, op->oq_modrdn.rs_newSup ? op->oq_modrdn.rs_newSup->bv_val : "NULL" ); @@ -226,7 +228,12 @@ retry: /* transaction retry */ } /* check write on old entry */ - rs->sr_err = access_allowed( op, e, entry, NULL, ACL_WRITE, NULL ); + ak.ak_e = e; + ak.ak_desc = entry; + ak.ak_val = NULL; + ak.ak_access = ACL_WRITE; + ak.ak_state = NULL; + rs->sr_err = access_allowed( op, &ak ); if ( ! rs->sr_err ) { switch( opinfo.boi_err ) { case DB_LOCK_DEADLOCK: @@ -337,11 +344,10 @@ retry: /* transaction retry */ } /* check parent for "children" acl */ - rs->sr_err = access_allowed( op, p, - children, NULL, - op->oq_modrdn.rs_newSup == NULL ? - ACL_WRITE : ACL_WDEL, - NULL ); + ak.ak_e = p; + ak.ak_desc = children; + ak.ak_access = op->oq_modrdn.rs_newSup == NULL ? ACL_WRITE : ACL_WDEL; + rs->sr_err = access_allowed( op, &ak ); if ( !p_ndn.bv_len ) p = NULL; @@ -449,8 +455,9 @@ retry: /* transaction retry */ (void *) np, (long) np->e_id, 0 ); /* check newSuperior for "children" acl */ - rs->sr_err = access_allowed( op, np, children, - NULL, ACL_WADD, NULL ); + ak.ak_e = np; + ak.ak_access = ACL_WADD; + rs->sr_err = access_allowed( op, &ak ); if( ! rs->sr_err ) { switch( opinfo.boi_err ) { @@ -499,8 +506,9 @@ retry: /* transaction retry */ np = (Entry *)&slap_entry_root; /* check parent for "children" acl */ - rs->sr_err = access_allowed( op, np, - children, NULL, ACL_WADD, NULL ); + ak.ak_e = np; + ak.ak_access = ACL_WADD; + rs->sr_err = access_allowed( op, &ak ); np = NULL; diff --git a/servers/slapd/back-bdb/search.c b/servers/slapd/back-bdb/search.c index 3a29064538..38c197638b 100644 --- a/servers/slapd/back-bdb/search.c +++ b/servers/slapd/back-bdb/search.c @@ -323,7 +323,6 @@ bdb_search( Operation *op, SlapReply *rs ) EntryInfo *ei; AttributeName *attrs; struct berval realbase = BER_BVNULL; - slap_mask_t mask; time_t stoptime; int manageDSAit; int tentries = 0; @@ -334,6 +333,7 @@ bdb_search( Operation *op, SlapReply *rs ) struct bdb_op_info *opinfo = NULL; DB_TXN *ltid = NULL; OpExtra *oex; + AclCheck ak; Debug( LDAP_DEBUG_TRACE, "=> " LDAP_XSTRING(bdb_search) "\n", 0, 0, 0); attrs = op->oq_search.rs_attrs; @@ -420,6 +420,10 @@ dn2entry_retry: } } + ak.ak_desc = slap_schema.si_ad_entry; + ak.ak_val = NULL; + ak.ak_state = NULL; + if ( e == NULL ) { struct berval matched_dn = BER_BVNULL; @@ -428,9 +432,9 @@ dn2entry_retry: /* return referral only if "disclose" * is granted on the object */ - if ( ! access_allowed( op, matched, - slap_schema.si_ad_entry, - NULL, ACL_DISCLOSE, NULL ) ) + ak.ak_e = matched; + ak.ak_access = ACL_DISCLOSE; + if ( ! access_allowed( op, &ak )) { rs->sr_err = LDAP_NO_SUCH_OBJECT; @@ -481,10 +485,11 @@ dn2entry_retry: /* NOTE: __NEW__ "search" access is required * on searchBase object */ - if ( ! access_allowed_mask( op, e, slap_schema.si_ad_entry, - NULL, ACL_SEARCH, NULL, &mask ) ) + ak.ak_e = e; + ak.ak_access = ACL_SEARCH; + if ( ! access_allowed( op, &ak )) { - if ( !ACL_GRANT( mask, ACL_DISCLOSE ) ) { + if ( !ACL_GRANT( ak.ak_mask, ACL_DISCLOSE ) ) { rs->sr_err = LDAP_NO_SUCH_OBJECT; } else { rs->sr_err = LDAP_INSUFFICIENT_ACCESS; diff --git a/servers/slapd/slapi/proto-slapi.h b/servers/slapd/slapi/proto-slapi.h index 9e28f75e10..f5e7506c59 100644 --- a/servers/slapd/slapi/proto-slapi.h +++ b/servers/slapd/slapi/proto-slapi.h @@ -30,7 +30,7 @@ LDAP_SLAPI_F (LDAPMod **) slapi_int_modifications2ldapmods LDAP_P(( Modification LDAP_SLAPI_F (Modifications *) slapi_int_ldapmods2modifications LDAP_P(( Operation *op, LDAPMod ** )); LDAP_SLAPI_F (int) slapi_int_count_controls LDAP_P(( LDAPControl **ctrls )); LDAP_SLAPI_F (char **) slapi_get_supported_extended_ops LDAP_P((void)); -LDAP_SLAPI_F (int) slapi_int_access_allowed LDAP_P((Operation *op, Entry *entry, AttributeDescription *desc, struct berval *val, slap_access_t access, AccessControlState *state )); +LDAP_SLAPI_F (int) slapi_int_access_allowed LDAP_P((Operation *op, AclCheck *ak )); /* slapi_ops.c */ LDAP_SLAPI_F (int) slapi_int_response LDAP_P(( Slapi_Operation *op, SlapReply *rs )); diff --git a/servers/slapd/slapi/slapi_overlay.c b/servers/slapd/slapi/slapi_overlay.c index 087a61928b..a494de497a 100644 --- a/servers/slapd/slapi/slapi_overlay.c +++ b/servers/slapd/slapi/slapi_overlay.c @@ -714,12 +714,7 @@ cleanup: static int slapi_over_access_allowed( Operation *op, - Entry *e, - AttributeDescription *desc, - struct berval *val, - slap_access_t access, - AccessControlState *state, - slap_mask_t *maskp ) + AclCheck *ak ) { int rc; Slapi_PBlock *pb; @@ -734,7 +729,7 @@ slapi_over_access_allowed( pb = SLAPI_OPERATION_PBLOCK( op ); - rc = slapi_int_access_allowed( op, e, desc, val, access, state ); + rc = slapi_int_access_allowed( op, ak ); if ( rc ) { rc = SLAP_CB_CONTINUE; } diff --git a/servers/slapd/slapi/slapi_utils.c b/servers/slapd/slapi/slapi_utils.c index 8989aaabaa..4f220d5944 100644 --- a/servers/slapd/slapi/slapi_utils.c +++ b/servers/slapd/slapi/slapi_utils.c @@ -2558,11 +2558,11 @@ int slapi_access_allowed( Slapi_PBlock *pb, Slapi_Entry *e, char *attr, struct berval *val, int access ) { int rc; - slap_access_t slap_access; - AttributeDescription *ad = NULL; const char *text; + AclCheck ak; - rc = slap_str2ad( attr, &ad, &text ); + ak.ak_desc = NULL; + rc = slap_str2ad( attr, &ak.ak_desc, &text ); if ( rc != LDAP_SUCCESS ) { return rc; } @@ -2573,22 +2573,22 @@ int slapi_access_allowed( Slapi_PBlock *pb, Slapi_Entry *e, char *attr, */ switch ( access & SLAPI_ACL_ALL ) { case SLAPI_ACL_COMPARE: - slap_access = ACL_COMPARE; + ak.ak_access = ACL_COMPARE; break; case SLAPI_ACL_SEARCH: - slap_access = ACL_SEARCH; + ak.ak_access = ACL_SEARCH; break; case SLAPI_ACL_READ: - slap_access = ACL_READ; + ak.ak_access = ACL_READ; break; case SLAPI_ACL_WRITE: - slap_access = ACL_WRITE; + ak.ak_access = ACL_WRITE; break; case SLAPI_ACL_DELETE: - slap_access = ACL_WDEL; + ak.ak_access = ACL_WDEL; break; case SLAPI_ACL_ADD: - slap_access = ACL_WADD; + ak.ak_access = ACL_WADD; break; case SLAPI_ACL_SELF: /* not documented */ case SLAPI_ACL_PROXY: /* not documented */ @@ -2599,7 +2599,10 @@ int slapi_access_allowed( Slapi_PBlock *pb, Slapi_Entry *e, char *attr, assert( pb->pb_op != NULL ); - if ( access_allowed( pb->pb_op, e, ad, val, slap_access, NULL ) ) { + ak.ak_e = e; + ak.ak_val = val; + ak.ak_state = NULL; + if ( access_allowed( pb->pb_op, &ak )) { return LDAP_SUCCESS; } @@ -2997,11 +3000,7 @@ int slapi_notify_condvar( Slapi_CondVar *cvar, int notify_all ) } int slapi_int_access_allowed( Operation *op, - Entry *entry, - AttributeDescription *desc, - struct berval *val, - slap_access_t access, - AccessControlState *state ) + AclCheck *ak ) { int rc, slap_access = 0; slapi_acl_callback_t *pGetPlugin, *tmpPlugin; @@ -3013,9 +3012,9 @@ int slapi_int_access_allowed( Operation *op, return 1; } - switch ( access ) { + switch ( ak->ak_access ) { case ACL_COMPARE: - slap_access |= SLAPI_ACL_COMPARE; + slap_access |= SLAPI_ACL_COMPARE; break; case ACL_SEARCH: slap_access |= SLAPI_ACL_SEARCH; @@ -3049,8 +3048,8 @@ int slapi_int_access_allowed( Operation *op, * 0 access denied * 1 access granted */ - rc = (*pGetPlugin)( pb, entry, desc->ad_cname.bv_val, - val, slap_access, (void *)state ); + rc = (*pGetPlugin)( pb, ak->ak_e, ak->ak_desc->ad_cname.bv_val, + ak->ak_val, slap_access, (void *)ak->ak_state ); if ( rc == 0 ) { break; }