X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Facl.c;h=3a3568f0112706893406408dcec88a48b46ab9a4;hb=d1824b14ae78b128fb9ff6cf73d2ec4a0e756a90;hp=62593991f6d23c03f51decbc9b84ab428cde6555;hpb=a54ca7a6ce9ddfd737e1c08ff648c1cb39f5e686;p=openldap diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c index 62593991f6..3a3568f011 100644 --- a/servers/slapd/acl.c +++ b/servers/slapd/acl.c @@ -94,7 +94,6 @@ SLAP_SET_GATHER acl_set_gather2; * - can be legally called with op->o_bd == NULL */ -#ifdef SLAP_OVERLAY_ACCESS int slap_access_always_allowed( Operation *op, @@ -462,281 +461,6 @@ done: return ret; } -#else /* !SLAP_OVERLAY_ACCESS */ - -int -access_allowed_mask( - Operation *op, - Entry *e, - AttributeDescription *desc, - struct berval *val, - slap_access_t access, - AccessControlState *state, - slap_mask_t *maskp ) -{ - int ret = 1; - int count; - AccessControl *a = NULL; - Backend *be; - int be_null = 0; - -#ifdef LDAP_DEBUG - char accessmaskbuf[ACCESSMASK_MAXLEN]; -#endif - slap_mask_t mask; - slap_control_t control; - slap_access_t access_level; - const char *attr; - regmatch_t matches[MAXREMATCHES]; - int st_same_attr = 0; - static AccessControlState state_init = ACL_STATE_INIT; - - assert( e != NULL ); - assert( desc != NULL ); - - access_level = ACL_LEVEL( access ); - - assert( access_level > ACL_NONE ); - if ( maskp ) ACL_INVALIDATE( *maskp ); - - attr = desc->ad_cname.bv_val; - - assert( attr != NULL ); - - if ( op ) { - if ( op->o_is_auth_check && - ( access_level == ACL_SEARCH || access_level == ACL_READ ) ) - { - access = ACL_AUTH; - - } else if ( get_manageDIT( op ) && access_level == ACL_WRITE && - desc == slap_schema.si_ad_entry ) - { - access = ACL_MANAGE; - } - } - - if ( state ) { - if ( state->as_vd_ad == desc ) { - if ( ( state->as_recorded & ACL_STATE_RECORDED_NV ) && - val == NULL ) - { - return state->as_result; - - } else if ( ( state->as_recorded & ACL_STATE_RECORDED_VD ) && - val != NULL && state->as_vd_acl == NULL ) - { - return state->as_result; - } - st_same_attr = 1; - } else { - *state = state_init; - } - - state->as_vd_ad = desc; - } - - Debug( LDAP_DEBUG_ACL, - "=> access_allowed: %s access to \"%s\" \"%s\" requested\n", - access2str( access ), e->e_dn, attr ); - - if ( op == NULL ) { - /* no-op call */ - goto done; - } - - be = op->o_bd; - if ( be == NULL ) { - be = LDAP_STAILQ_FIRST(&backendDB); - be_null = 1; -#ifdef LDAP_DEVEL - /* - * FIXME: experimental; use first backend rules - * iff there is no global_acl (ITS#3100) */ - if ( frontendDB->be_acl == NULL ) -#endif - { - op->o_bd = be; - } - } - assert( be != NULL ); - - /* grant database root access */ - if ( be_isroot( op ) ) { - Debug( LDAP_DEBUG_ACL, "<= root access granted\n", 0, 0, 0 ); - if ( maskp ) { - mask = ACL_LVL_MANAGE; - } - - goto done; - } - - /* - * no-user-modification operational attributes are ignored - * by ACL_WRITE checking as any found here are not provided - * by the user - * - * NOTE: but they are not ignored for ACL_MANAGE, because - * if we get here it means a non-root user is trying to - * manage data, so we need to check its privileges. - */ - if ( access_level == ACL_WRITE && is_at_no_user_mod( desc->ad_type ) - && desc != slap_schema.si_ad_entry - && desc != slap_schema.si_ad_children ) - { - Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:" - " %s access granted\n", - attr, 0, 0 ); - goto done; - } - - /* use backend default access if no backend acls */ - if ( be->be_acl == NULL ) { - Debug( LDAP_DEBUG_ACL, - "=> access_allowed: backend default %s " - "access %s to \"%s\"\n", - access2str( access ), - be->be_dfltaccess >= access_level ? "granted" : "denied", - op->o_dn.bv_val ? op->o_dn.bv_val : "(anonymous)" ); - ret = be->be_dfltaccess >= access_level; - - if ( maskp ) { - int i; - - mask = ACL_PRIV_LEVEL; - for ( i = ACL_NONE; i <= be->be_dfltaccess; i++ ) { - mask |= ACL_ACCESS2PRIV( i ); - } - } - - goto done; - -#ifdef notdef - /* be is always non-NULL */ - /* use global default access if no global acls */ - } else if ( be == NULL && frontendDB->be_acl == NULL ) { - Debug( LDAP_DEBUG_ACL, - "=> access_allowed: global default %s access %s to \"%s\"\n", - access2str( access ), - frontendDB->be_dfltaccess >= access_level ? - "granted" : "denied", op->o_dn.bv_val ); - ret = frontendDB->be_dfltaccess >= access_level; - - if ( maskp ) { - int i; - - mask = ACL_PRIV_LEVEL; - for ( i = ACL_NONE; i <= global_default_access; i++ ) { - mask |= ACL_ACCESS2PRIV( i ); - } - } - - goto done; -#endif - } - - ret = 0; - control = ACL_BREAK; - - if ( st_same_attr ) { - assert( state->as_vd_acl != NULL ); - - a = state->as_vd_acl; - count = state->as_vd_acl_count; - if ( !ACL_IS_INVALID( state->as_vd_acl_mask ) ) { - mask = state->as_vd_acl_mask; - AC_MEMCPY( matches, state->as_vd_acl_matches, sizeof(matches) ); - goto vd_access; - } - - } else { - if ( state ) state->as_vi_acl = NULL; - a = NULL; - ACL_INIT(mask); - count = 0; - memset( matches, '\0', sizeof(matches) ); - } - - while ( ( a = slap_acl_get( a, &count, op, e, desc, val, - MAXREMATCHES, matches, state ) ) != NULL ) - { - int i; - - for ( i = 0; i < MAXREMATCHES && matches[i].rm_so > 0; i++ ) { - Debug( LDAP_DEBUG_ACL, "=> match[%d]: %d %d ", i, - (int)matches[i].rm_so, (int)matches[i].rm_eo ); - if ( matches[i].rm_so <= matches[0].rm_eo ) { - int n; - for ( n = matches[i].rm_so; n < matches[i].rm_eo; n++ ) { - Debug( LDAP_DEBUG_ACL, "%c", e->e_ndn[n], 0, 0 ); - } - } - Debug( LDAP_DEBUG_ARGS, "\n", 0, 0, 0 ); - } - - if ( state ) { - if ( state->as_vi_acl == a && - ( state->as_recorded & ACL_STATE_RECORDED_NV ) ) - { - Debug( LDAP_DEBUG_ACL, - "access_allowed: result from state (%s)\n", - attr, 0, 0 ); - ret = state->as_result; - goto done; - } else { - Debug( LDAP_DEBUG_ACL, - "access_allowed: no res from state (%s)\n", - attr, 0, 0 ); - } - } - -vd_access: - control = slap_acl_mask( a, &mask, op, - e, desc, val, MAXREMATCHES, matches, count, state ); - - if ( control != ACL_BREAK ) { - break; - } - - memset( matches, '\0', sizeof(matches) ); - } - - if ( ACL_IS_INVALID( mask ) ) { - Debug( LDAP_DEBUG_ACL, - "=> access_allowed: \"%s\" (%s) invalid!\n", - e->e_dn, attr, 0 ); - ACL_INIT(mask); - - } else if ( control == ACL_BREAK ) { - Debug( LDAP_DEBUG_ACL, - "=> access_allowed: no more rules\n", 0, 0, 0 ); - - goto done; - } - - Debug( LDAP_DEBUG_ACL, - "=> access_allowed: %s access %s by %s\n", - access2str( access ), - ACL_GRANT(mask, access) ? "granted" : "denied", - accessmask2str( mask, accessmaskbuf, 1 ) ); - - ret = ACL_GRANT(mask, access); - -done: - if ( state != NULL ) { - /* If not value-dependent, save ACL in case of more attrs */ - if ( !( state->as_recorded & ACL_STATE_RECORDED_VD ) ) { - state->as_vi_acl = a; - state->as_result = ret; - } - state->as_recorded |= ACL_STATE_RECORDED; - } - if ( be_null ) op->o_bd = NULL; - if ( maskp ) *maskp = mask; - return ret; -} - -#endif /* !SLAP_OVERLAY_ACCESS */ /* * slap_acl_get - return the acl applicable to entry e, attribute @@ -1957,15 +1681,15 @@ slap_acl_mask( } /* start out with nothing granted, nothing denied */ - ACL_INIT(tgrant); - ACL_INIT(tdeny); + ACL_INVALIDATE(tgrant); + ACL_INVALIDATE(tdeny); for ( da = b->a_dynacl; da; da = da->da_next ) { slap_access_t grant, deny; - ACL_INIT(grant); - ACL_INIT(deny); + ACL_INVALIDATE(grant); + ACL_INVALIDATE(deny); Debug( LDAP_DEBUG_ACL, " <= check a_dynacl: %s\n", da->da_name, 0, 0 ); @@ -2504,7 +2228,7 @@ acl_match_set ( } else { struct berval subjdn, ndn = BER_BVNULL; struct berval setat; - BerVarray bvals; + BerVarray bvals = NULL; const char *text; AttributeDescription *desc = NULL;