X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Facl.c;h=3a3568f0112706893406408dcec88a48b46ab9a4;hb=d1824b14ae78b128fb9ff6cf73d2ec4a0e756a90;hp=e4a2b8f1696006df0521ed4caf9c9fa9c3a025d0;hpb=da03eb03908d6992aaada9465e2b80a393929967;p=openldap diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c index e4a2b8f169..3a3568f011 100644 --- a/servers/slapd/acl.c +++ b/servers/slapd/acl.c @@ -2,7 +2,7 @@ /* $OpenLDAP$ */ /* This work is part of OpenLDAP Software . * - * Copyright 1998-2005 The OpenLDAP Foundation. + * Copyright 1998-2006 The OpenLDAP Foundation. * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -94,7 +94,6 @@ SLAP_SET_GATHER acl_set_gather2; * - can be legally called with op->o_bd == NULL */ -#ifdef SLAP_OVERLAY_ACCESS int slap_access_always_allowed( Operation *op, @@ -373,17 +372,15 @@ access_allowed_mask( if ( state ) { if ( state->as_vd_ad == desc ) { - if ( state->as_recorded ) { - if ( ( state->as_recorded & ACL_STATE_RECORDED_NV ) && - val == NULL ) - { - return state->as_result; + if ( ( state->as_recorded & ACL_STATE_RECORDED_NV ) && + val == NULL ) + { + return state->as_result; - } else if ( ( state->as_recorded & ACL_STATE_RECORDED_VD ) && - val != NULL && state->as_vd_acl == NULL ) - { - return state->as_result; - } + } else if ( ( state->as_recorded & ACL_STATE_RECORDED_VD ) && + val != NULL && state->as_vd_acl == NULL ) + { + return state->as_result; } st_same_attr = 1; } else { @@ -464,283 +461,6 @@ done: return ret; } -#else /* !SLAP_OVERLAY_ACCESS */ - -int -access_allowed_mask( - Operation *op, - Entry *e, - AttributeDescription *desc, - struct berval *val, - slap_access_t access, - AccessControlState *state, - slap_mask_t *maskp ) -{ - int ret = 1; - int count; - AccessControl *a = NULL; - Backend *be; - int be_null = 0; - -#ifdef LDAP_DEBUG - char accessmaskbuf[ACCESSMASK_MAXLEN]; -#endif - slap_mask_t mask; - slap_control_t control; - slap_access_t access_level; - const char *attr; - regmatch_t matches[MAXREMATCHES]; - int st_same_attr = 0; - static AccessControlState state_init = ACL_STATE_INIT; - - assert( e != NULL ); - assert( desc != NULL ); - - access_level = ACL_LEVEL( access ); - - assert( access_level > ACL_NONE ); - if ( maskp ) ACL_INVALIDATE( *maskp ); - - attr = desc->ad_cname.bv_val; - - assert( attr != NULL ); - - if ( op ) { - if ( op->o_is_auth_check && - ( access_level == ACL_SEARCH || access_level == ACL_READ ) ) - { - access = ACL_AUTH; - - } else if ( get_manageDIT( op ) && access_level == ACL_WRITE && - desc == slap_schema.si_ad_entry ) - { - access = ACL_MANAGE; - } - } - - if ( state ) { - if ( state->as_vd_ad == desc ) { - if ( state->as_recorded ) { - if ( ( state->as_recorded & ACL_STATE_RECORDED_NV ) && - val == NULL ) - { - return state->as_result; - - } else if ( ( state->as_recorded & ACL_STATE_RECORDED_VD ) && - val != NULL && state->as_vd_acl == NULL ) - { - return state->as_result; - } - } - st_same_attr = 1; - } else { - *state = state_init; - } - - state->as_vd_ad=desc; - } - - Debug( LDAP_DEBUG_ACL, - "=> access_allowed: %s access to \"%s\" \"%s\" requested\n", - access2str( access ), e->e_dn, attr ); - - if ( op == NULL ) { - /* no-op call */ - goto done; - } - - be = op->o_bd; - if ( be == NULL ) { - be = LDAP_STAILQ_FIRST(&backendDB); - be_null = 1; -#ifdef LDAP_DEVEL - /* - * FIXME: experimental; use first backend rules - * iff there is no global_acl (ITS#3100) */ - if ( frontendDB->be_acl == NULL ) -#endif - { - op->o_bd = be; - } - } - assert( be != NULL ); - - /* grant database root access */ - if ( be_isroot( op ) ) { - Debug( LDAP_DEBUG_ACL, "<= root access granted\n", 0, 0, 0 ); - if ( maskp ) { - mask = ACL_LVL_MANAGE; - } - - goto done; - } - - /* - * no-user-modification operational attributes are ignored - * by ACL_WRITE checking as any found here are not provided - * by the user - * - * NOTE: but they are not ignored for ACL_MANAGE, because - * if we get here it means a non-root user is trying to - * manage data, so we need to check its privileges. - */ - if ( access_level == ACL_WRITE && is_at_no_user_mod( desc->ad_type ) - && desc != slap_schema.si_ad_entry - && desc != slap_schema.si_ad_children ) - { - Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:" - " %s access granted\n", - attr, 0, 0 ); - goto done; - } - - /* use backend default access if no backend acls */ - if ( be->be_acl == NULL ) { - Debug( LDAP_DEBUG_ACL, - "=> access_allowed: backend default %s " - "access %s to \"%s\"\n", - access2str( access ), - be->be_dfltaccess >= access_level ? "granted" : "denied", - op->o_dn.bv_val ? op->o_dn.bv_val : "(anonymous)" ); - ret = be->be_dfltaccess >= access_level; - - if ( maskp ) { - int i; - - mask = ACL_PRIV_LEVEL; - for ( i = ACL_NONE; i <= be->be_dfltaccess; i++ ) { - mask |= ACL_ACCESS2PRIV( i ); - } - } - - goto done; - -#ifdef notdef - /* be is always non-NULL */ - /* use global default access if no global acls */ - } else if ( be == NULL && frontendDB->be_acl == NULL ) { - Debug( LDAP_DEBUG_ACL, - "=> access_allowed: global default %s access %s to \"%s\"\n", - access2str( access ), - frontendDB->be_dfltaccess >= access_level ? - "granted" : "denied", op->o_dn.bv_val ); - ret = frontendDB->be_dfltaccess >= access_level; - - if ( maskp ) { - int i; - - mask = ACL_PRIV_LEVEL; - for ( i = ACL_NONE; i <= global_default_access; i++ ) { - mask |= ACL_ACCESS2PRIV( i ); - } - } - - goto done; -#endif - } - - ret = 0; - control = ACL_BREAK; - - if ( st_same_attr ) { - assert( state->as_vd_acl != NULL ); - - a = state->as_vd_acl; - count = state->as_vd_acl_count; - if ( !ACL_IS_INVALID( state->as_vd_acl_mask ) ) { - mask = state->as_vd_acl_mask; - AC_MEMCPY( matches, state->as_vd_acl_matches, sizeof(matches) ); - goto vd_access; - } - - } else { - if ( state ) state->as_vi_acl = NULL; - a = NULL; - ACL_INIT(mask); - count = 0; - memset( matches, '\0', sizeof(matches) ); - } - - while ( ( a = slap_acl_get( a, &count, op, e, desc, val, - MAXREMATCHES, matches, state ) ) != NULL ) - { - int i; - - for ( i = 0; i < MAXREMATCHES && matches[i].rm_so > 0; i++ ) { - Debug( LDAP_DEBUG_ACL, "=> match[%d]: %d %d ", i, - (int)matches[i].rm_so, (int)matches[i].rm_eo ); - if ( matches[i].rm_so <= matches[0].rm_eo ) { - int n; - for ( n = matches[i].rm_so; n < matches[i].rm_eo; n++ ) { - Debug( LDAP_DEBUG_ACL, "%c", e->e_ndn[n], 0, 0 ); - } - } - Debug( LDAP_DEBUG_ARGS, "\n", 0, 0, 0 ); - } - - if ( state ) { - if ( state->as_vi_acl == a && - ( state->as_recorded & ACL_STATE_RECORDED_NV ) ) - { - Debug( LDAP_DEBUG_ACL, - "access_allowed: result from state (%s)\n", - attr, 0, 0 ); - ret = state->as_result; - goto done; - } else { - Debug( LDAP_DEBUG_ACL, - "access_allowed: no res from state (%s)\n", - attr, 0, 0 ); - } - } - -vd_access: - control = slap_acl_mask( a, &mask, op, - e, desc, val, MAXREMATCHES, matches, count, state ); - - if ( control != ACL_BREAK ) { - break; - } - - memset( matches, '\0', sizeof(matches) ); - } - - if ( ACL_IS_INVALID( mask ) ) { - Debug( LDAP_DEBUG_ACL, - "=> access_allowed: \"%s\" (%s) invalid!\n", - e->e_dn, attr, 0 ); - ACL_INIT(mask); - - } else if ( control == ACL_BREAK ) { - Debug( LDAP_DEBUG_ACL, - "=> access_allowed: no more rules\n", 0, 0, 0 ); - - goto done; - } - - Debug( LDAP_DEBUG_ACL, - "=> access_allowed: %s access %s by %s\n", - access2str( access ), - ACL_GRANT(mask, access) ? "granted" : "denied", - accessmask2str( mask, accessmaskbuf, 1 ) ); - - ret = ACL_GRANT(mask, access); - -done: - if ( state != NULL ) { - /* If not value-dependent, save ACL in case of more attrs */ - if ( !( state->as_recorded & ACL_STATE_RECORDED_VD ) ) { - state->as_vi_acl = a; - state->as_result = ret; - } - state->as_recorded |= ACL_STATE_RECORDED; - } - if ( be_null ) op->o_bd = NULL; - if ( maskp ) *maskp = mask; - return ret; -} - -#endif /* SLAP_OVERLAY_ACCESS */ /* * slap_acl_get - return the acl applicable to entry e, attribute @@ -951,6 +671,8 @@ static int acl_mask_dn( Operation *op, Entry *e, + AttributeDescription *desc, + struct berval *val, AccessControl *a, int nmatch, regmatch_t *matches, @@ -978,6 +700,27 @@ acl_mask_dn( return 1; } + if ( b->a_self ) { + const char *dummy; + int rc, match = 0; + + /* must have DN syntax */ + if ( desc->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName ) return 1; + + /* check if the target is an attribute. */ + if ( val == NULL ) return 1; + + /* target is attribute, check if the attribute value + * is the op dn. + */ + rc = value_match( &match, desc, + desc->ad_type->sat_equality, 0, + val, opndn, &dummy ); + /* on match error or no match, fail the ACL clause */ + if ( rc != LDAP_SUCCESS || match != 0 ) + return 1; + } + } else if ( b->a_style == ACL_STYLE_SELF ) { struct berval ndn, selfndn; int level; @@ -1411,7 +1154,7 @@ slap_acl_mask( * is maintaned in a_dn_pat. */ - if ( acl_mask_dn( op, e, a, nmatch, matches, + if ( acl_mask_dn( op, e, desc, val, a, nmatch, matches, &b->a_dn, &op->o_ndn ) ) { continue; @@ -1442,7 +1185,7 @@ slap_acl_mask( ndn = op->o_ndn; } - if ( acl_mask_dn( op, e, a, nmatch, matches, + if ( acl_mask_dn( op, e, desc, val, a, nmatch, matches, &b->a_realdn, &ndn ) ) { continue; @@ -1938,15 +1681,15 @@ slap_acl_mask( } /* start out with nothing granted, nothing denied */ - ACL_INIT(tgrant); - ACL_INIT(tdeny); + ACL_INVALIDATE(tgrant); + ACL_INVALIDATE(tdeny); for ( da = b->a_dynacl; da; da = da->da_next ) { slap_access_t grant, deny; - ACL_INIT(grant); - ACL_INIT(deny); + ACL_INVALIDATE(grant); + ACL_INVALIDATE(deny); Debug( LDAP_DEBUG_ACL, " <= check a_dynacl: %s\n", da->da_name, 0, 0 ); @@ -1985,169 +1728,7 @@ slap_acl_mask( } } else -#else /* !SLAP_DYNACL */ - - /* NOTE: this entire block can be eliminated when SLAP_DYNACL - * moves outside of LDAP_DEVEL */ -#ifdef SLAPD_ACI_ENABLED - if ( b->a_aci_at != NULL ) { - Attribute *at; - slap_access_t grant, deny, tgrant, tdeny; - struct berval parent_ndn; - BerVarray bvals = NULL; - int ret, stop; -#ifdef LDAP_DEBUG - char accessmaskbuf1[ACCESSMASK_MAXLEN]; -#endif /* DEBUG */ - - Debug( LDAP_DEBUG_ACL, " <= check a_aci_at: %s\n", - b->a_aci_at->ad_cname.bv_val, 0, 0 ); - - /* this case works different from the others above. - * since aci's themselves give permissions, we need - * to first check b->a_access_mask, the ACL's access level. - */ - - if ( BER_BVISEMPTY( &e->e_nname ) ) { - /* no ACIs in the root DSE */ - continue; - } - - /* first check if the right being requested - * is allowed by the ACL clause. - */ - if ( ! ACL_GRANT( b->a_access_mask, *mask ) ) { - continue; - } - /* start out with nothing granted, nothing denied */ - ACL_INIT(tgrant); - ACL_INIT(tdeny); - - /* get the aci attribute */ - at = attr_find( e->e_attrs, b->a_aci_at ); - if ( at != NULL ) { -#if 0 - /* FIXME: this breaks acl caching; - * see also ACL_RECORD_VALUE_STATE below */ - ACL_RECORD_VALUE_STATE; -#endif - /* the aci is an multi-valued attribute. The - * rights are determined by OR'ing the individual - * rights given by the acis. - */ - for ( i = 0; !BER_BVISNULL( &at->a_nvals[i] ); i++ ) { - if ( aci_mask( op, - e, desc, val, - &at->a_nvals[i], - nmatch, matches, - &grant, &deny, SLAP_ACI_SCOPE_ENTRY ) != 0 ) - { - tgrant |= grant; - tdeny |= deny; - } - } - Debug(LDAP_DEBUG_ACL, "<= aci_mask grant %s deny %s\n", - accessmask2str(tgrant, accessmaskbuf, 1), - accessmask2str(tdeny, accessmaskbuf1, 1), 0); - - } - /* If the entry level aci didn't contain anything valid for the - * current operation, climb up the tree and evaluate the - * acis with scope set to subtree - */ - if ( (tgrant == ACL_PRIV_NONE) && (tdeny == ACL_PRIV_NONE) ) { - dnParent( &e->e_nname, &parent_ndn ); - while ( !BER_BVISEMPTY( &parent_ndn ) ) { - Debug(LDAP_DEBUG_ACL, "checking ACI of %s\n", parent_ndn.bv_val, 0, 0); - ret = backend_attribute(op, NULL, &parent_ndn, b->a_aci_at, &bvals, ACL_AUTH); - switch(ret){ - case LDAP_SUCCESS : - stop = 0; - if (!bvals){ - break; - } - - for ( i = 0; !BER_BVISNULL( &bvals[i] ); i++ ) { -#if 0 - /* FIXME: this breaks acl caching; - * see also ACL_RECORD_VALUE_STATE above */ - ACL_RECORD_VALUE_STATE; -#endif - if ( aci_mask( op, e, desc, val, &bvals[i], - nmatch, matches, - &grant, &deny, SLAP_ACI_SCOPE_CHILDREN ) != 0 ) - { - tgrant |= grant; - tdeny |= deny; - /* evaluation stops as soon as either a "deny" or a - * "grant" directive matches. - */ - if( (tgrant != ACL_PRIV_NONE) || (tdeny != ACL_PRIV_NONE) ){ - stop = 1; - } - } - Debug(LDAP_DEBUG_ACL, "<= aci_mask grant %s deny %s\n", - accessmask2str(tgrant, accessmaskbuf, 1), - accessmask2str(tdeny, accessmaskbuf1, 1), 0); - } - break; - - case LDAP_NO_SUCH_ATTRIBUTE: - /* just go on if the aci-Attribute is not present in - * the current entry - */ - Debug(LDAP_DEBUG_ACL, "no such attribute\n", 0, 0, 0); - stop = 0; - break; - - case LDAP_NO_SUCH_OBJECT: - /* We have reached the base object */ - Debug(LDAP_DEBUG_ACL, "no such object\n", 0, 0, 0); - stop = 1; - break; - - default: - stop = 1; - break; - } - if (stop){ - break; - } - dnParent( &parent_ndn, &parent_ndn ); - } - } - - - /* remove anything that the ACL clause does not allow */ - tgrant &= b->a_access_mask & ACL_PRIV_MASK; - tdeny &= ACL_PRIV_MASK; - - /* see if we have anything to contribute */ - if( ACL_IS_INVALID(tgrant) && ACL_IS_INVALID(tdeny) ) { - continue; - } - - /* this could be improved by changing slap_acl_mask so that it can deal with - * by clauses that return grant/deny pairs. Right now, it does either - * additive or subtractive rights, but not both at the same time. So, - * we need to combine the grant/deny pair into a single rights mask in - * a smart way: if either grant or deny is "empty", then we use the - * opposite as is, otherwise we remove any denied rights from the grant - * rights mask and construct an additive mask. - */ - if (ACL_IS_INVALID(tdeny)) { - modmask = tgrant | ACL_PRIV_ADDITIVE; - - } else if (ACL_IS_INVALID(tgrant)) { - modmask = tdeny | ACL_PRIV_SUBSTRACTIVE; - - } else { - modmask = (tgrant & ~tdeny) | ACL_PRIV_ADDITIVE; - } - - } else -#endif /* SLAPD_ACI_ENABLED */ -#endif /* !SLAP_DYNACL */ +#endif /* SLAP_DYNACL */ { modmask = b->a_access_mask; } @@ -2282,6 +1863,7 @@ acl_check_modlist( switch ( mlist->sml_op ) { case LDAP_MOD_REPLACE: + case LDAP_MOD_INCREMENT: /* * We must check both permission to delete the whole * attribute and permission to add the specific attributes. @@ -2646,7 +2228,7 @@ acl_match_set ( } else { struct berval subjdn, ndn = BER_BVNULL; struct berval setat; - BerVarray bvals; + BerVarray bvals = NULL; const char *text; AttributeDescription *desc = NULL; @@ -2757,13 +2339,12 @@ slap_dynacl_get( const char *name ) * statically built-in dynamic ACL initialization */ static int (*acl_init_func[])( void ) = { -#ifdef SLAPD_ACI_ENABLED #ifdef SLAP_DYNACL + /* TODO: remove when ACI will only be dynamic */ +#if SLAPD_ACI_ENABLED == SLAPD_MOD_STATIC dynacl_aci_init, -#else /* !SLAP_DYNACL */ - aci_init, -#endif /* !SLAP_DYNACL */ #endif /* SLAPD_ACI_ENABLED */ +#endif /* SLAP_DYNACL */ NULL };