X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Facl.c;h=e4a2b8f1696006df0521ed4caf9c9fa9c3a025d0;hb=93d0ef91e65c6d11991b1c36faba67f212f43a34;hp=91c33e9c2377e9f482128264555a99da7820ff99;hpb=8e3adc2428cb4b46cbbf67c8448287b9a8c0724a;p=openldap
diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index 91c33e9c23..e4a2b8f169 100644
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -39,46 +39,10 @@
 #define ACL_BUF_SIZE 1024 /* use most appropriate size */
-/*
- * speed up compares
- */
-const struct berval aci_bv[] = {
- BER_BVC("entry"),
- BER_BVC("children"),
- BER_BVC("onelevel"),
- BER_BVC("subtree"),
- BER_BVC("[entry]"),
- BER_BVC("[all]"),
- BER_BVC("access-id"),
-#if 0
- BER_BVC("anonymous"),
-#endif
- BER_BVC("public"),
- BER_BVC("users"),
- BER_BVC("self"),
- BER_BVC("dnattr"),
- BER_BVC("group"),
- BER_BVC("role"),
- BER_BVC("set"),
- BER_BVC("set-ref"),
- BER_BVC("grant"),
- BER_BVC("deny"),
-
- BER_BVC("IP="),
+static const struct berval acl_bv_ip_eq = BER_BVC( "IP=" );
 #ifdef LDAP_PF_LOCAL
- BER_BVC("PATH="),
-#if 0
- BER_BVC(LDAP_DIRSEP),
-#endif
+static const struct berval acl_bv_path_eq = BER_BVC("PATH=");
 #endif /* LDAP_PF_LOCAL */
-
- BER_BVC(SLAPD_GROUP_CLASS),
- BER_BVC(SLAPD_GROUP_ATTR),
- BER_BVC(SLAPD_ROLE_CLASS),
- BER_BVC(SLAPD_ROLE_ATTR),
-
- BER_BVC(SLAPD_ACI_SET_ATTR)
-};
 static AccessControl *
 slap_acl_get(
 AccessControl *ac, int *count,
@@ -346,9 +310,10 @@ fe_access_allowed(
 */
 be_orig = op->o_bd;
- op->o_bd = select_backend( &op->o_req_ndn, 0, 0 );
 if ( op->o_bd == NULL ) {
- op->o_bd = frontendDB;
+ op->o_bd = select_backend( &op->o_req_ndn, 0, 0 );
+ if ( op->o_bd == NULL )
+ op->o_bd = frontendDB;
 }
 rc = slap_access_allowed( op, e, desc, val, access, state, maskp );
 op->o_bd = be_orig;
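Review bot: The table removed here, `const struct berval aci_bv[]`, had external linkage, while its two replacements `acl_bv_ip_eq` and `acl_bv_path_eq` are `static`; any other translation unit or header that still declares `aci_bv` or uses the `ACI_BV_*` indices has to be updated in the same change, and that is not visible in this hunk. Within the hunk the two new definitions are also spelled inconsistently (`BER_BVC( "IP=" )` versus `BER_BVC("PATH=")`); one form should be used for both, e.g. `static const struct berval acl_bv_ip_eq = BER_BVC("IP=");`.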
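Review bot: The rewritten `if ( op->o_bd == NULL )` block now treats a non-NULL `op->o_bd` as the backend whose ACLs apply to `e` and resolves it from `o_req_ndn` only when nothing is set, which changes which ACL list is consulted for any caller that arrives with `o_bd` already pointing elsewhere; nothing in the hunk records that assumption. A one-line comment would help the next reader, e.g. `/* a caller-supplied o_bd is authoritative; resolve from the request DN only when unset */`. This interacts with access_allowed_mask, which in the same commit stops forcing `o_bd` to `frontendDB` before calling in, so the two should be read together. fe_access_allowed starts and ends outside the hunk.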
@@ -459,14 +424,10 @@ access_allowed_mask(
 desc, val, access, state, &mask );
 } else {
- BackendDB *be_orig = op->o_bd;
-
 /* use default (but pass through frontend
 * for global ACL overlays) */
- op->o_bd = frontendDB;
 ret = frontendDB->bd_info->bi_access_allowed( op, e,
 desc, val, access, state, &mask );
- op->o_bd = be_orig;
 }
 if ( !ret ) {
@@ -851,7 +812,8 @@ slap_acl_get(
 continue;
 } else if ( a->acl_dn_style == ACL_STYLE_ONE ) {
- int rdnlen = -1, sep = 0;
+ ber_len_t rdnlen = 0;
+ int sep = 0;
 if ( dnlen <= patlen )
 continue;
@@ -923,7 +885,7 @@ slap_acl_get(
 if ( a->acl_attrs[0].an_desc->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName ) { if (value_match( &match, desc,
- /* desc->ad_type->sat_equality */ a->acl_attrval_mr, 0,
+ a->acl_attrval_mr, 0,
 val, &a->acl_attrval, &text ) != LDAP_SUCCESS ||
 match )
 continue;
@@ -942,7 +904,7 @@ slap_acl_get(
 continue;
 } else if ( a->acl_attrval_style == ACL_STYLE_ONE ) {
- int rdnlen = -1;
+ ber_len_t rdnlen = 0;
 if ( !DN_SEPARATOR( val->bv_val[vdnlen - patlen - 1] ) )
 continue;
@@ -963,7 +925,7 @@ slap_acl_get(
 continue;
 }
- if ( strcmp( a->acl_attrval.bv_val, val->bv_val + vdnlen - patlen ))
+ if ( strcmp( a->acl_attrval.bv_val, val->bv_val + vdnlen - patlen ) )
 continue;
 }
 }
@@ -1186,7 +1148,7 @@ acl_mask_dn(
 }
 } else if ( b->a_style == ACL_STYLE_ONE ) {
- int rdnlen = -1;
+ ber_len_t rdnlen = 0;
 if ( odnlen <= patlen ) {
 goto dn_match_cleanup;
@@ -1394,9 +1356,6 @@ slap_acl_mask(
 Access *b;
 #ifdef LDAP_DEBUG
 char accessmaskbuf[ACCESSMASK_MAXLEN];
-#if !defined( SLAP_DYNACL ) && defined( SLAPD_ACI_ENABLED )
- char accessmaskbuf1[ACCESSMASK_MAXLEN];
-#endif /* !SLAP_DYNACL && SLAPD_ACI_ENABLED */
 #endif /* DEBUG */
 const char *attr;
 slap_mask_t a2pmask = ACL_ACCESS2PRIV( *mask );
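Review bot: With the save/restore of `op->o_bd` removed from the `else` branch, the surviving comment `/* use default (but pass through frontend * for global ACL overlays) */` no longer says that `op->o_bd` is now deliberately left as the caller set it while `frontendDB->bd_info->bi_access_allowed` runs; since the frontend implementation changed in the same commit keys on whether `o_bd` is NULL, that is a real dependency between the two places. A one-line addition such as `/* o_bd is left untouched: the frontend resolves a backend only when it is NULL */` would record it. access_allowed_mask starts and ends outside the hunk.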
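Review bot: `rdnlen` changes from an `int` initialised to `-1` to `ber_len_t` (an unsigned type) initialised to `0`, so any test in the remainder of this block, outside the hunk, that relied on the old sentinel (`rdnlen < 0` or `rdnlen == -1`) is now either always false or compares against a wrapped-around value; please confirm the later uses only read it after it has been assigned. The same substitution is made in the `acl_attrval_style == ACL_STYLE_ONE` hunk at old line 942 and in acl_mask_dn at old line 1186, where the same check applies. The enclosing blocks of all three continue past their hunks.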
@@ -1632,21 +1591,18 @@ slap_acl_mask(
 int port_number = -1;
 if ( strncasecmp( op->o_conn->c_peer_name.bv_val,
- aci_bv[ ACI_BV_IP_EQ ].bv_val,
- aci_bv[ ACI_BV_IP_EQ ].bv_len ) != 0 )
+ acl_bv_ip_eq.bv_val,
+ acl_bv_ip_eq.bv_len ) != 0 )
 continue;
- ip.bv_val = op->o_conn->c_peer_name.bv_val + aci_bv[ ACI_BV_IP_EQ ].bv_len;
- ip.bv_len = op->o_conn->c_peer_name.bv_len - aci_bv[ ACI_BV_IP_EQ ].bv_len;
+ ip.bv_val = op->o_conn->c_peer_name.bv_val + acl_bv_ip_eq.bv_len;
+ ip.bv_len = op->o_conn->c_peer_name.bv_len - acl_bv_ip_eq.bv_len;
 port = strrchr( ip.bv_val, ':' );
 if ( port ) {
- char *next;
-
 ip.bv_len = port - ip.bv_val;
 ++port;
- port_number = strtol( port, &next, 10 );
- if ( next[0] != '\0' )
+ if ( lutil_atoi( &port_number, port ) != 0 )
 continue;
 }
@@ -1676,14 +1632,14 @@ slap_acl_mask(
 struct berval path;
 if ( strncmp( op->o_conn->c_peer_name.bv_val,
- aci_bv[ ACI_BV_PATH_EQ ].bv_val,
- aci_bv[ ACI_BV_PATH_EQ ].bv_len ) != 0 )
+ acl_bv_path_eq.bv_val,
+ acl_bv_path_eq.bv_len ) != 0 )
 continue;
 path.bv_val = op->o_conn->c_peer_name.bv_val
- + aci_bv[ ACI_BV_PATH_EQ ].bv_len;
+ + acl_bv_path_eq.bv_len;
 path.bv_len = op->o_conn->c_peer_name.bv_len
- - aci_bv[ ACI_BV_PATH_EQ ].bv_len;
+ - acl_bv_path_eq.bv_len;
 if ( ber_bvcmp( &b->a_peername_pat, &path ) != 0 )
 continue;
@@ -1922,7 +1878,7 @@ slap_acl_mask(
 bv = b->a_set_pat;
 }
- if ( acl_match_set( &bv, op, e, 0 ) == 0 ) {
+ if ( acl_match_set( &bv, op, e, NULL ) == 0 ) {
 continue;
 }
 }
@@ -1971,14 +1927,9 @@ slap_acl_mask(
 0, 0, 0 );
 /* this case works different from the others above.
- * since aci's themselves give permissions, we need
+ * since dynamic ACL's themselves give permissions, we need
 * to first check b->a_access_mask, the ACL's access level.
 */
- if ( BER_BVISEMPTY( &e->e_nname ) ) {
- /* no ACIs in the root DSE */
- continue;
- }
-
 /* first check if the right being requested
 * is allowed by the ACL clause.
 */
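Review bot: After `++port;` the new `lutil_atoi( &port_number, port )` call only establishes that the text parsed as an `int`; nothing in the hunk bounds the result to a valid TCP port, so unless the later comparison against the pattern's port (outside the hunk) range-checks it, any integer the parser accepts flows through. A cheap guard at the call site is `if ( lutil_atoi( &port_number, port ) != 0 || port_number < 0 || port_number > 65535 ) continue;`. The old `strtol` path checked only `next[0] != '\0'` and never `errno`/ERANGE, so whether an out-of-range number is now rejected depends entirely on lutil_atoi's behaviour; worth confirming rather than assuming. The `if ( port )` block closes inside the hunk, but slap_acl_mask continues beyond it.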
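Review bot: The `BER_BVISEMPTY( &e->e_nname )` guard that skipped this clause for the root DSE is removed without a visible replacement, so the root DSE entry now reaches the access-mask check and whatever follows it outside the hunk; unless each dynamic-ACL module handles an empty `e_nname` itself, that is a behaviour change, and the deleted `/* no ACIs in the root DSE */` was the only place the rule was written down. If the check has moved into the ACI module, a one-line comment here saying so, e.g. `/* root DSE handling is left to each dynacl module */`, would save the next reader the search; if it has not, the guard should be restored. slap_acl_mask starts and ends outside this hunk.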
@@ -2036,6 +1987,8 @@ slap_acl_mask(
 } else
 #else /* !SLAP_DYNACL */
+ /* NOTE: this entire block can be eliminated when SLAP_DYNACL * moves outside of LDAP_DEVEL */
 #ifdef SLAPD_ACI_ENABLED
 if ( b->a_aci_at != NULL ) {
 Attribute *at;
@@ -2043,6 +1996,9 @@ slap_acl_mask(
 struct berval parent_ndn;
 BerVarray bvals = NULL;
 int ret, stop;
+#ifdef LDAP_DEBUG
+ char accessmaskbuf1[ACCESSMASK_MAXLEN];
+#endif /* DEBUG */
 Debug( LDAP_DEBUG_ACL, " <= check a_aci_at: %s\n",
 b->a_aci_at->ad_cname.bv_val, 0, 0 );
@@ -2602,7 +2558,7 @@ acl_set_gather( SetCookie *cookie, struct berval *name, AttributeDescription *de
 op2.o_tag = LDAP_REQ_SEARCH;
 op2.o_ndn = op2.o_bd->be_rootndn;
 op2.o_callback = &cb;
- op2.o_time = slap_get_time();
+ slap_op_time( &op2.o_time, &op2.o_tincr );
 op2.o_do_not_cache = 1;
 op2.o_is_auth_check = 0;
 ber_dupbv_x( &op2.o_req_dn, &op2.o_req_ndn, cp->asc_op->o_tmpmemctx );
@@ -2678,13 +2634,13 @@ acl_match_set (
 struct berval *subj,
 Operation *op,
 Entry *e,
- int setref )
+ struct berval *default_set_attribute )
 {
 struct berval set = BER_BVNULL;
 int rc = 0;
 AclSetCookie cookie;
- if ( setref == 0 ) {
+ if ( default_set_attribute == NULL ) {
 ber_dupbv_x( &set, subj, op->o_tmpmemctx );
 } else {
@@ -2700,7 +2656,7 @@ acl_match_set (
 }
 if ( acl_get_part( subj, 1, '/', &setat ) < 0 ) {
- setat = aci_bv[ ACI_BV_SET_ATTR ];
+ setat = *default_set_attribute;
 }
 /*
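Review bot: The new `default_set_attribute` parameter of acl_match_set is undocumented, and its meaning is only recoverable from two branches: `NULL` makes `subj` the set expression itself (it is duplicated as-is), while a non-NULL pointer selects the `<set>/<attr>` form and is dereferenced as the fallback attribute when `acl_get_part( subj, 1, '/', &setat )` finds no attribute part (the hunk at old line 2700). A short comment above the function describing those two modes, and noting that the pointer is read only in the non-NULL branch and must stay valid for the duration of the call, would make the contract explicit; the one caller visible in slap_acl_mask passes `NULL`. The function's opening line and most of its body lie outside these hunks.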
@@ -2797,23 +2753,34 @@ slap_dynacl_get( const char *name )
 }
 #endif /* SLAP_DYNACL */
-int
-acl_init( void )
-{
- int rc = 0;
-
+/*
+ * statically built-in dynamic ACL initialization
+ */
+static int (*acl_init_func[])( void ) = {
 #ifdef SLAPD_ACI_ENABLED
 #ifdef SLAP_DYNACL
- rc = dynacl_aci_init();
+ dynacl_aci_init,
 #else /* !SLAP_DYNACL */
- rc = aci_init();
+ aci_init,
 #endif /* !SLAP_DYNACL */
- if ( rc != 0 ) {
- return rc;
- }
 #endif /* SLAPD_ACI_ENABLED */
- return rc;
+ NULL
+};
+
+int
+acl_init( void )
+{
+ int i, rc;
+
+ for ( i = 0; acl_init_func[ i ] != NULL; i++ ) {
+ rc = (*(acl_init_func[ i ]))();
+ if ( rc != 0 ) {
+ return rc;
+ }
+ }
+
+ return 0;
 }
 int
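Review bot: `acl_init_func[]` is never written after initialisation, so it should be declared `static int (*const acl_init_func[])( void ) = {`; that lets the compiler reject accidental stores and keeps a table of function pointers in read-only data instead of writable memory. In acl_init, `rc` is only assigned inside the loop, so `int rc = acl_init_func[ i ]();` declared in the loop body keeps its scope tight and drops the redundant `(*( ... ))` dereference. The NULL-terminator convention deserves a one-line comment on the array, e.g. `/* NULL-terminated; acl_init() calls each entry in order and stops at the first failure */`.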