X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Faci.c;h=42ee9ebea11fa504b56bea809057c9a41a63ba3f;hb=447f3f746e59fc5b724b8dd8bfb1ec0e02cc8d9f;hp=97276cfc0b625b26c83aa1e33c093b1ada4a2482;hpb=a06fc9cb02b7e1fbae1ef2f1eb2b914f8060d83f;p=openldap
diff --git a/servers/slapd/aci.c b/servers/slapd/aci.c
index 97276cfc0b..42ee9ebea1 100644
--- a/servers/slapd/aci.c
+++ b/servers/slapd/aci.c
@@ -2,7 +2,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software .
 *
- * Copyright 1998-2006 The OpenLDAP Foundation.
+ * Copyright 1998-2009 The OpenLDAP Foundation.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -278,18 +278,31 @@ aci_list_get_attr_rights(
 ACL_INIT(mask);
 for ( i = 1; acl_get_part( list, i + 1, ';', &bv ) >= 0; i += 2 ) {
 if ( aci_list_has_attr( &bv, attr, val ) == 0 ) {
- Debug( LDAP_DEBUG_ACL, " <= aci_list_get_attr_rights test %s for %s -> failed\n", bv.bv_val, attr->bv_val, 0 );
+ Debug( LDAP_DEBUG_ACL,
+ " <= aci_list_get_attr_rights "
+ "test %s for %s -> failed\n",
+ bv.bv_val, attr->bv_val, 0 );
 continue;
 }
- Debug( LDAP_DEBUG_ACL, " <= aci_list_get_attr_rights test %s for %s -> ok\n", bv.bv_val, attr->bv_val, 0 );
+
+ Debug( LDAP_DEBUG_ACL,
+ " <= aci_list_get_attr_rights "
+ "test %s for %s -> ok\n",
+ bv.bv_val, attr->bv_val, 0 );
 if ( acl_get_part( list, i, ';', &bv ) < 0 ) {
- Debug( LDAP_DEBUG_ACL, " <= aci_list_get_attr_rights test no rightsk\n", 0, 0, 0 );
+ Debug( LDAP_DEBUG_ACL,
+ " <= aci_list_get_attr_rights "
+ "test no rights\n",
+ 0, 0, 0 );
 continue;
 }
 mask |= aci_list_map_rights( &bv );
- Debug( LDAP_DEBUG_ACL, " <= aci_list_get_attr_rights rights %s to mask 0x%x\n", bv.bv_val, mask, 0 );
+ Debug( LDAP_DEBUG_ACL,
+ " <= aci_list_get_attr_rights "
+ "rights %s to mask 0x%x\n",
+ bv.bv_val, mask, 0 );
 }
 return mask;
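Review bot: The last added Debug() call in the aci_list_get_attr_rights hunk formats `mask` with `0x%x`, which is only correct if `mask` is an unsigned int; its declaration is above the hunk and is not visible here, so if it is a wider type (the slap_mask_t used elsewhere in slapd is not shown on this page) the conversion is mismatched and the printed value is unreliable. If that is the case, either cast the argument, `(unsigned)mask`, or use the matching length modifier, as the rest of this file does for the same type. Also note the enclosing function aci_list_get_attr_rights starts before the hunk. The same `" <= aci_list_get_attr_rights "` prefix is now repeated in four string literals; a single shared literal would keep the four messages from drifting apart.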
@@ -332,9 +345,12 @@ aci_list_get_rights(
 continue;
 }
- found = 1;
 *mask |= aci_list_get_attr_rights( &perm, attr, val );
 *mask |= aci_list_get_attr_rights( &perm, &aci_bv[ ACI_BV_BR_ALL ], NULL );
+
+ if ( *mask != ACL_PRIV_NONE ) {
+ found = 1;
+ }
 }
 return found;
@@ -384,11 +400,15 @@ aci_group_member (
 if ( grp_oc != NULL && grp_ad != NULL ) {
 char buf[ ACI_BUF_SIZE ];
 struct berval bv, ndn;
+ AclRegexMatches amatches = { 0 };
+
+ amatches.dn_count = nmatch;
+ AC_MEMCPY( amatches.dn_data, matches, sizeof( amatches.dn_data ) );
 bv.bv_len = sizeof( buf ) - 1;
 bv.bv_val = (char *)&buf;
 if ( acl_string_expand( &bv, &subjdn,
- e->e_ndn, nmatch, matches ) )
+ &e->e_nname, NULL, &amatches ) )
 {
 rc = LDAP_OTHER;
 goto done;
@@ -426,7 +446,9 @@ aci_mask(
 opts, sdn;
 int rc;
-
+
+ ACL_INIT( *grant );
+ ACL_INIT( *deny );
 assert( !BER_BVISNULL( &desc->ad_cname ) );
@@ -449,7 +471,7 @@ aci_mask(
 This routine now supports scope={ENTRY,CHILDREN} with the semantics:
 - ENTRY applies to "entry" and "subtree";
- - CHILDREN aplies to "children" and "subtree"
+ - CHILDREN applies to "children" and "subtree"
 */
 /* check that the aci has all 5 components */
@@ -579,11 +601,10 @@ aci_mask(
 at != NULL;
 at = attrs_find( at->a_next, ad ) )
 {
- if ( value_find_ex( ad,
+ if ( attr_valfind( at,
 SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
 SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
- at->a_nvals,
- &op->o_ndn, op->o_tmpmemctx ) == 0 )
+ &op->o_ndn, NULL, op->o_tmpmemctx ) == 0 )
 {
 rc = 1;
 break;
@@ -663,6 +684,7 @@ aci_init( void )
 static slap_syntax_defs_rec aci_syntax_def = {
 "( 1.3.6.1.4.1.4203.666.2.1 DESC 'OpenLDAP Experimental ACI' )",
 SLAP_SYNTAX_HIDE,
+ NULL,
 OpenLDAPaciValidate,
 OpenLDAPaciPretty
 };
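Review bot: The new `if ( *mask != ACL_PRIV_NONE )` test in aci_list_get_rights reads the cumulative `*mask`, not the contribution of the current iteration, so it depends on the caller having cleared `*mask` before the call, and once any clause has granted a bit every later matching clause also sets `found = 1`; nothing in this hunk establishes the first condition, and both the loop head and the declaration of `found` are outside it. The `ACL_INIT( *grant )` and `ACL_INIT( *deny )` added in the aci_mask hunk further down look like the caller-side half of that contract, but confirm that aci_mask is the only caller. A one-line comment above the loop would pin the contract down: `/* *mask must be ACL_INIT()ed by the caller; found reports whether any matching clause yielded non-empty rights */`.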
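Review bot: `AC_MEMCPY( amatches.dn_data, matches, sizeof( amatches.dn_data ) )` in aci_group_member copies the full capacity of `dn_data` out of `matches` regardless of `nmatch`, so the function silently relies on every caller passing an array at least that large; a smaller caller array is an over-read, and since the declarations of `matches`, `nmatch` and `AclRegexMatches` are not in this hunk that capacity contract cannot be checked here. Bounding the copy by both `nmatch` and the capacity of `dn_data`, and setting `dn_count` from the number actually copied, makes the function correct on its own terms. This assumes `dn_data` holds the same element type as `matches`, which the page does not show — confirm.
```c
			AclRegexMatches amatches = { 0 };
			/* copy no more than nmatch entries and no more than dn_data can hold */
			size_t ncopy = sizeof( amatches.dn_data ) / sizeof( amatches.dn_data[ 0 ] );
			if ( (size_t)nmatch < ncopy ) {
				ncopy = nmatch;
			}
			amatches.dn_count = ncopy;
			AC_MEMCPY( amatches.dn_data, matches, ncopy * sizeof( amatches.dn_data[ 0 ] ) );
			/* … unchanged: bv setup and acl_string_expand() call … */
```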
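Review bot: The `NULL` added to the positional initializer of aci_syntax_def in aci_init gives no indication which slap_syntax_defs_rec member it fills, and the struct definition is not in this file, so a reader must cross-reference the header to know the new slot's meaning. A trailing comment naming the member, `NULL,	/* <member name from the struct definition> */`, or a designated initializer for the whole record, would keep the order self-documenting if further members are inserted later.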
@@ -1016,7 +1038,7 @@ bv_get_tail(
 * action := perms;attrs[[;perms;attrs]...]
 * perms := perm[[,perm]...]
 * perm := c|s|r|w|x
- * attrs := attribute[[,attribute]..]|[all]
+ * attrs := attribute[[,attribute]..]|"[all]"
 * attribute := attributeType|attributeType=attributeValue|attributeType=attributeValuePrefix*
 * type := public|users|self|dnattr|group|role|set|set-ref|
 * access_id|subtree|onelevel|children
@@ -1025,7 +1047,7 @@ static int
 OpenLDAPaciValidatePerms( struct berval *perms )
 {
- int i;
+ ber_len_t i;
 for ( i = 0; i < perms->bv_len; ) {
 switch ( perms->bv_val[ i ] ) {
@@ -1545,6 +1567,8 @@ OpenLDAPaciPrettyNormal(
 freetype = 0;
 char *ptr;
+ BER_BVZERO( out );
+
 if ( BER_BVISEMPTY( val ) ) {
 Debug( LDAP_DEBUG_ACL, "aciPrettyNormal: value is empty\n", 0, 0, 0 );
 return LDAP_INVALID_SYNTAX;
@@ -1723,6 +1747,12 @@ OpenLDAPaciPrettyNormal(
 }
 nsubject = ad->ad_cname;
+
+ } else if ( OpenLDAPacitypes[ idx ] == &aci_bv[ ACI_BV_SET ]
+ || OpenLDAPacitypes[ idx ] == &aci_bv[ ACI_BV_SET_REF ] )
+ {
+ /* NOTE: dunno how to normalize it... */
+ nsubject = subject;
 }
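Review bot: In the new set/set-ref branch of OpenLDAPaciPrettyNormal, `nsubject = subject;` aliases the caller's value instead of producing a normalized copy, so two set specifications that differ only in formatting will still compare unequal after normalization; the `/* NOTE: dunno how to normalize it... */` comment should state that consequence rather than leave it as an open question. Because `nsubject` now aliases `subject` on this path, any later code that frees `nsubject` (the `freetype` flag seen in the earlier hunk suggests some fields are conditionally owned) must exclude this case — confirm against the rest of the function, which continues past the end of the hunk. Suggested comment: `/* set/set-ref subjects are passed through unnormalized: equivalent specs may compare unequal; nsubject aliases subject here and is not owned by this function */`.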