#include "lber_pvt.h"
#include "lutil.h"
-#ifdef LDAP_SLAPI
-#include "slapi/slapi.h"
-#endif /* LDAPI_SLAPI */
-
#define ACL_BUF_SIZE 1024 /* use most appropriate size */
/*
SLAP_ACI_SCOPE_SUBTREE = ( SLAP_ACI_SCOPE_ENTRY | SLAP_ACI_SCOPE_CHILDREN )
} slap_aci_scope_t;
-static AccessControl * acl_get(
+static AccessControl * slap_acl_get(
AccessControl *ac, int *count,
Operation *op, Entry *e,
AttributeDescription *desc,
int nmatch, regmatch_t *matches,
AccessControlState *state );
-static slap_control_t acl_mask(
+static slap_control_t slap_acl_mask(
AccessControl *ac, slap_mask_t *mask,
Operation *op, Entry *e,
AttributeDescription *desc,
* the whole attribute is assumed (all values).
*
* This routine loops through all access controls and calls
- * acl_mask() on each applicable access control.
+ * slap_acl_mask() on each applicable access control.
* The loop exits when a definitive answer is reached or
* or no more controls remain.
*
AccessControlState *state,
slap_mask_t *maskp )
{
- assert( maskp );
+ assert( maskp != NULL );
ACL_PRIV_SET( *maskp, ACL_ACCESS2PRIV( access ) );
assert( attr != NULL );
-#ifdef LDAP_SLAPI
- if ( op->o_pb != NULL ) {
- ret = slapi_int_access_allowed( op, e, desc, val, access, state );
- if ( ret == 0 ) {
- /* ACL plugin denied access */
- goto done;
- }
- }
-#endif /* LDAP_SLAPI */
-
/* grant database root access */
if ( be_isroot( op ) ) {
Debug( LDAP_DEBUG_ACL, "<= root access granted\n", 0, 0, 0 );
memset( matches, '\0', sizeof( matches ) );
}
- while ( ( a = acl_get( a, &count, op, e, desc, val,
+ while ( ( a = slap_acl_get( a, &count, op, e, desc, val,
MAXREMATCHES, matches, state ) ) != NULL )
{
int i;
( state->as_recorded & ACL_STATE_RECORDED_NV ) )
{
Debug( LDAP_DEBUG_ACL,
- "slap_access_allowed: result from state (%s)\n",
+ "=> slap_access_allowed: result from state (%s)\n",
attr, 0, 0 );
ret = state->as_result;
goto done;
} else {
Debug( LDAP_DEBUG_ACL,
- "slap_access_allowed: no res from state (%s)\n",
+ "=> slap_access_allowed: no res from state (%s)\n",
attr, 0, 0 );
}
}
vd_access:
- control = acl_mask( a, &mask, op,
+ control = slap_acl_mask( a, &mask, op,
e, desc, val, MAXREMATCHES, matches, count, state );
if ( control != ACL_BREAK ) {
return ret;
}
+int
+fe_access_allowed(
+ Operation *op,
+ Entry *e,
+ AttributeDescription *desc,
+ struct berval *val,
+ slap_access_t access,
+ AccessControlState *state,
+ slap_mask_t *maskp )
+{
+ BackendDB *be_orig;
+ int rc;
+
+ /*
+ * NOTE: control gets here if FIXME
+ * if an appropriate backend cannot be selected for the operation,
+ * we assume that the frontend should handle this
+ * FIXME: should select_backend() take care of this,
+ * and return frontendDB instead of NULL? maybe for some value
+ * of the flags?
+ */
+ be_orig = op->o_bd;
+
+ op->o_bd = select_backend( &op->o_req_ndn, 0, 0 );
+ if ( op->o_bd == NULL ) {
+ op->o_bd = frontendDB;
+ }
+ rc = slap_access_allowed( op, e, desc, val, access, state, maskp );
+ op->o_bd = be_orig;
+
+ return rc;
+}
+
int
access_allowed_mask(
Operation *op,
const char *attr;
int st_same_attr = 0;
static AccessControlState state_init = ACL_STATE_INIT;
- BI_access_allowed *bi_access_allowed = NULL;
assert( e != NULL );
assert( desc != NULL );
assert( op->o_bd != NULL );
/* this is enforced in backend_add() */
- assert( op->o_bd->bd_info->bi_access_allowed );
+ if ( op->o_bd->bd_info->bi_access_allowed ) {
+ /* delegate to backend */
+ ret = op->o_bd->bd_info->bi_access_allowed( op, e,
+ desc, val, access, state, &mask );
+
+ } else {
+ BackendDB *be_orig = op->o_bd;
+
+ /* use default (but pass through frontend
+ * for global ACL overlays) */
+ op->o_bd = frontendDB;
+ ret = frontendDB->bd_info->bi_access_allowed( op, e,
+ desc, val, access, state, &mask );
+ op->o_bd = be_orig;
+ }
- /* delegate to backend */
- ret = op->o_bd->bd_info->bi_access_allowed( op, e, desc, val, access, state, &mask );
if ( !ret ) {
if ( ACL_IS_INVALID( mask ) ) {
Debug( LDAP_DEBUG_ACL,
}
assert( be != NULL );
-#ifdef LDAP_SLAPI
- if ( op->o_pb != NULL ) {
- ret = slapi_int_access_allowed( op, e, desc, val, access, state );
- if ( ret == 0 ) {
- /* ACL plugin denied access */
- goto done;
- }
- }
-#endif /* LDAP_SLAPI */
-
/* grant database root access */
if ( be_isroot( op ) ) {
Debug( LDAP_DEBUG_ACL, "<= root access granted\n", 0, 0, 0 );
memset( matches, '\0', sizeof(matches) );
}
- while ( ( a = acl_get( a, &count, op, e, desc, val,
+ while ( ( a = slap_acl_get( a, &count, op, e, desc, val,
MAXREMATCHES, matches, state ) ) != NULL )
{
int i;
}
vd_access:
- control = acl_mask( a, &mask, op,
+ control = slap_acl_mask( a, &mask, op,
e, desc, val, MAXREMATCHES, matches, count, state );
if ( control != ACL_BREAK ) {
#endif /* SLAP_OVERLAY_ACCESS */
/*
- * acl_get - return the acl applicable to entry e, attribute
+ * slap_acl_get - return the acl applicable to entry e, attribute
* attr. the acl returned is suitable for use in subsequent calls to
* acl_access_allowed().
*/
static AccessControl *
-acl_get(
+slap_acl_get(
AccessControl *a,
int *count,
Operation *op,
if( state && !( state->as_recorded & ACL_STATE_RECORDED_VD )) {
state->as_recorded |= ACL_STATE_RECORDED_VD;
- state->as_vd_acl = prev;
+ state->as_vd_acl = a;
state->as_vd_acl_count = *count;
state->as_vd_access = a->acl_access;
state->as_vd_access_count = 1;
if ( a->acl_attrs[0].an_desc->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName ) {
if (value_match( &match, desc,
- desc->ad_type->sat_equality, 0,
+ /* desc->ad_type->sat_equality */ a->acl_attrval_mr, 0,
val, &a->acl_attrval, &text ) != LDAP_SUCCESS ||
match )
continue;
if ( vdnlen < patlen )
continue;
- if ( a->acl_dn_style == ACL_STYLE_BASE ) {
+ if ( a->acl_attrval_style == ACL_STYLE_BASE ) {
if ( vdnlen > patlen )
continue;
- } else if ( a->acl_dn_style == ACL_STYLE_ONE ) {
+ } else if ( a->acl_attrval_style == ACL_STYLE_ONE ) {
int rdnlen = -1;
if ( !DN_SEPARATOR( val->bv_val[vdnlen - patlen - 1] ) )
if ( rdnlen != vdnlen - patlen - 1 )
continue;
- } else if ( a->acl_dn_style == ACL_STYLE_SUBTREE ) {
+ } else if ( a->acl_attrval_style == ACL_STYLE_SUBTREE ) {
if ( vdnlen > patlen && !DN_SEPARATOR( val->bv_val[vdnlen - patlen - 1] ) )
continue;
- } else if ( a->acl_dn_style == ACL_STYLE_CHILDREN ) {
+ } else if ( a->acl_attrval_style == ACL_STYLE_CHILDREN ) {
if ( vdnlen <= patlen )
continue;
/*
- * acl_mask - modifies mask based upon the given acl and the
+ * slap_acl_mask - modifies mask based upon the given acl and the
* requested access to entry e, attribute attr, value val. if val
* is null, access to the whole attribute is assumed (all values).
*
*/
static slap_control_t
-acl_mask(
+slap_acl_mask(
AccessControl *a,
slap_mask_t *mask,
Operation *op,
continue;
}
- /* this could be improved by changing acl_mask so that it can deal with
+ /* this could be improved by changing slap_acl_mask so that it can deal with
* by clauses that return grant/deny pairs. Right now, it does either
* additive or subtractive rights, but not both at the same time. So,
* we need to combine the grant/deny pair into a single rights mask in
continue;
}
- /* this could be improved by changing acl_mask so that it can deal with
+ /* this could be improved by changing slap_acl_mask so that it can deal with
* by clauses that return grant/deny pairs. Right now, it does either
* additive or subtractive rights, but not both at the same time. So,
* we need to combine the grant/deny pair into a single rights mask in
}
for ( ; mlist != NULL; mlist = mlist->sml_next ) {
+ /*
+ * Internal mods are ignored by ACL_WRITE checking
+ */
+ if ( mlist->sml_flags & SLAP_MOD_INTERNAL ) {
+ Debug( LDAP_DEBUG_ACL, "acl: internal mod %s:"
+ " modify access granted\n",
+ mlist->sml_desc->ad_cname.bv_val, 0, 0 );
+ continue;
+ }
+
/*
* no-user-modification operational attributes are ignored
* by ACL_WRITE checking as any found here are not provided
if ( sty != ACL_STYLE_REGEX && sty != ACL_STYLE_BASE ) {
fprintf( stderr, "%s: line %d: "
"inappropriate style \"%s\" in \"aci\" by clause\n",
- fname, lineno, sty );
+ fname, lineno, style_strings[sty] );
return -1;
}
AttributeDescription *ad = ( AttributeDescription * )priv;
char *ptr;
- assert( ad );
+ assert( ad != NULL );
bv->bv_val = ch_malloc( STRLENOF(" aci=") + ad->ad_cname.bv_len + 1 );
ptr = lutil_strcopy( bv->bv_val, " aci=" );
int
acl_init( void )
{
- int i, rc;
#ifdef SLAP_DYNACL
+ int i, rc;
slap_dynacl_t *known_dynacl[] = {
#ifdef SLAPD_ACI_ENABLED
&dynacl_aci,
projects / openldap / blobdiff