Entry *e,
AttributeDescription *desc,
struct berval *val,
- regmatch_t *matches );
+ regmatch_t *matches,
+ int count,
+ AccessControlState *state );
#ifdef SLAPD_ACI_ENABLED
static int aci_mask(
Entry *e,
AttributeDescription *desc,
struct berval *val,
- slap_access_t access )
+ slap_access_t access,
+ AccessControlState *state )
{
+ int ret = 1;
int count;
AccessControl *a;
#ifdef LDAP_DEBUG
assert( attr != NULL );
+ if( state && state->as_recorded ) {
+ if( state->as_recorded & ACL_STATE_RECORDED_NV &&
+ val == NULL )
+ {
+ return state->as_result;
+
+ } else if ( state->as_recorded & ACL_STATE_RECORDED_VD &&
+ val != NULL && state->as_vd_acl == NULL )
+ {
+ return state->as_result;
+ }
+ }
+
#ifdef NEW_LOGGING
LDAP_LOG(( "acl", LDAP_LEVEL_ENTRY,
"access_allowed: conn %d %s access to \"%s\" \"%s\" requested\n",
if ( op == NULL ) {
/* no-op call */
- return 1;
+ goto done;
}
if ( be == NULL ) be = &backends[0];
"<= root access granted\n",
0, 0, 0 );
#endif
- return 1;
+ goto done;
}
/*
" %s access granted\n",
attr, 0, 0 );
#endif
- return 1;
+ goto done;
}
/* use backend default access if no backend acls */
access2str( access ),
be->be_dfltaccess >= access ? "granted" : "denied", op->o_dn.bv_val );
#endif
- return be->be_dfltaccess >= access;
+ ret = be->be_dfltaccess >= access;
+ goto done;
#ifdef notdef
/* be is always non-NULL */
access2str( access ),
global_default_access >= access ? "granted" : "denied", op->o_dn.bv_val );
#endif
- return global_default_access >= access;
+ ret = global_default_access >= access;
+ goto done;
#endif
}
- ACL_INIT(mask);
- memset(matches, '\0', sizeof(matches));
-
+ ret = 0;
control = ACL_BREAK;
- a = NULL;
- count = 0;
- while((a = acl_get( a, &count, be, op, e, desc, MAXREMATCHES, matches )) != NULL)
+ if( state && ( state->as_recorded & ACL_STATE_RECORDED_VD )) {
+ assert( state->as_vd_acl != NULL );
+
+ a = state->as_vd_acl;
+ mask = state->as_vd_acl_mask;
+ count = state->as_vd_acl_count;
+ AC_MEMCPY( matches, state->as_vd_acl_matches,
+ sizeof(matches) );
+ goto vd_access;
+
+ } else {
+ a = NULL;
+ ACL_INIT(mask);
+ count = 0;
+ memset(matches, '\0', sizeof(matches));
+ }
+
+ while((a = acl_get( a, &count, be, op, e, desc,
+ MAXREMATCHES, matches )) != NULL)
{
int i;
for (i = 0; i < MAXREMATCHES && matches[i].rm_so > 0; i++) {
#ifdef NEW_LOGGING
LDAP_LOG(( "acl", LDAP_LEVEL_DETAIL1,
- "access_allowed: conn %d match[%d]: %d %d ",
- conn->c_connid, i, (int)matches[i].rm_so, (int)matches[i].rm_eo ));
+ "access_allowed: conn %d match[%d]: %d %d ",
+ conn->c_connid, i,
+ (int)matches[i].rm_so, (int)matches[i].rm_eo ));
#else
Debug( LDAP_DEBUG_ACL, "=> match[%d]: %d %d ", i,
- (int)matches[i].rm_so, (int)matches[i].rm_eo );
+ (int)matches[i].rm_so, (int)matches[i].rm_eo );
#endif
if( matches[i].rm_so <= matches[0].rm_eo ) {
int n;
#endif
}
+vd_access:
control = acl_mask( a, &mask, be, conn, op,
- e, desc, val, matches );
+ e, desc, val, matches, count, state );
if ( control != ACL_BREAK ) {
break;
if ( ACL_IS_INVALID( mask ) ) {
#ifdef NEW_LOGGING
LDAP_LOG(( "acl", LDAP_LEVEL_DETAIL1,
- "access_allowed: conn %d \"%s\" (%s) invalid!\n",
- conn->c_connid, e->e_dn, attr ));
+ "access_allowed: conn %d \"%s\" (%s) invalid!\n",
+ conn->c_connid, e->e_dn, attr ));
#else
Debug( LDAP_DEBUG_ACL,
"=> access_allowed: \"%s\" (%s) invalid!\n",
e->e_dn, attr, 0 );
#endif
- ACL_INIT( mask );
+ ACL_INIT(mask);
} else if ( control == ACL_BREAK ) {
#ifdef NEW_LOGGING
Debug( LDAP_DEBUG_ACL,
"=> access_allowed: no more rules\n", 0, 0, 0);
#endif
- ACL_INIT( mask );
+
+ goto done;
}
#ifdef NEW_LOGGING
LDAP_LOG(( "acl", LDAP_LEVEL_ENTRY,
- "access_allowed: conn %d %s access %s by %s\n",
- conn->c_connid,
- access2str( access ),
- ACL_GRANT( mask, access ) ? "granted" : "denied",
- accessmask2str( mask, accessmaskbuf ) ));
+ "access_allowed: conn %d %s access %s by %s\n",
+ conn->c_connid,
+ access2str( access ),
+ ACL_GRANT( mask, access ) ? "granted" : "denied",
+ accessmask2str( mask, accessmaskbuf ) ));
#else
Debug( LDAP_DEBUG_ACL,
"=> access_allowed: %s access %s by %s\n",
ACL_GRANT(mask, access) ? "granted" : "denied",
accessmask2str( mask, accessmaskbuf ) );
#endif
- return ACL_GRANT(mask, access);
+
+ ret = ACL_GRANT(mask, access);
+
+done:
+ if( state != NULL ) {
+ state->as_recorded |= ACL_STATE_RECORDED;
+ state->as_result = ret;
+ }
+ return ret;
}
/*
return( NULL );
}
+/*
+ * Record value-dependent access control state
+ */
+#define ACL_RECORD_VALUE_STATE do { \
+ if( state && !( state->as_recorded & ACL_STATE_RECORDED_VD )) { \
+ state->as_recorded |= ACL_STATE_RECORDED_VD; \
+ state->as_vd_acl = a; \
+ AC_MEMCPY( state->as_vd_acl_matches, matches, \
+ sizeof( state->as_vd_acl_matches )) ; \
+ state->as_vd_acl_count = count; \
+ state->as_vd_access = b; \
+ state->as_vd_access_count = i; \
+ } \
+ } while( 0 )
/*
* acl_mask - modifies mask based upon the given acl and the
Entry *e,
AttributeDescription *desc,
struct berval *val,
- regmatch_t *matches
-)
+ regmatch_t *matches,
+ int count,
+ AccessControlState *state )
{
int i, odnlen, patlen;
+ int vd_recorded = 0;
Access *b;
#ifdef LDAP_DEBUG
char accessmaskbuf[ACCESSMASK_MAXLEN];
accessmask2str( *mask, accessmaskbuf ) );
#endif
- for ( i = 1, b = a->acl_access; b != NULL; b = b->a_next, i++ ) {
+ if( state && ( state->as_recorded & ACL_STATE_RECORDED_VD )
+ && state->as_vd_acl == a )
+ {
+ b = state->as_vd_access;
+ i = state->as_vd_access_count;
+
+ } else {
+ b = a->acl_access;
+ i = 1;
+ }
+
+ for ( ; b != NULL; b = b->a_next, i++ ) {
slap_mask_t oldmask, modmask;
ACL_INVALIDATE( modmask );
/* no dnattr match, check if this is a self clause */
if ( ! b->a_dn_self )
continue;
+
+ ACL_RECORD_VALUE_STATE;
+
/* this is a self clause, check if the target is an
* attribute.
*/
if ( val == NULL )
continue;
+
/* target is attribute, check if the attribute value
* is the op dn.
*/
continue;
}
+ ACL_RECORD_VALUE_STATE;
+
/* start out with nothing granted, nothing denied */
ACL_INIT(tgrant);
ACL_INIT(tdeny);
}
for ( ; mlist != NULL; mlist = mlist->sml_next ) {
+ static AccessControlState state_init = ACL_STATE_INIT;
+ AccessControlState state;
+
/*
* no-user-modification operational attributes are ignored
* by ACL_WRITE checking as any found here are not provided
continue;
}
+ state = state_init;
+
switch ( mlist->sml_op ) {
case LDAP_MOD_REPLACE:
/*
* This prevents abuse from selfwriters.
*/
if ( ! access_allowed( be, conn, op, e,
- mlist->sml_desc, NULL, ACL_WRITE ) )
+ mlist->sml_desc, NULL, ACL_WRITE, &state ) )
{
return( 0 );
}
for ( bv = mlist->sml_bvalues; bv->bv_val != NULL; bv++ ) {
if ( ! access_allowed( be, conn, op, e,
- mlist->sml_desc, bv, ACL_WRITE ) )
+ mlist->sml_desc, bv, ACL_WRITE, &state ) )
{
return( 0 );
}
case LDAP_MOD_DELETE:
if ( mlist->sml_bvalues == NULL ) {
if ( ! access_allowed( be, conn, op, e,
- mlist->sml_desc, NULL, ACL_WRITE ) )
+ mlist->sml_desc, NULL, ACL_WRITE, NULL ) )
{
return( 0 );
}
}
for ( bv = mlist->sml_bvalues; bv->bv_val != NULL; bv++ ) {
if ( ! access_allowed( be, conn, op, e,
- mlist->sml_desc, bv, ACL_WRITE ) )
+ mlist->sml_desc, bv, ACL_WRITE, &state ) )
{
return( 0 );
}
}
break;
+ case SLAP_MOD_SOFTADD:
+ /* allow adding attribute via modrdn thru */
+ break;
+
default:
assert( 0 );
return( 0 );