Add "disclose" and "manage" ACL levels (but no meat).
authorKurt Zeilenga <kurt@openldap.org>
Sat, 8 Jan 2005 05:26:18 +0000 (05:26 +0000)
committerKurt Zeilenga <kurt@openldap.org>
Sat, 8 Jan 2005 05:26:18 +0000 (05:26 +0000)
Disclose permission is intended to be used for "disclose on error"
(as in our present "none"), with none then meaning "don't disclose on error".

Manage permission is intended to be used to allow DSA IT management
(e.g., changing entryCSNs, structuralObjectClass, etc.).

servers/slapd/acl.c
servers/slapd/aclparse.c
servers/slapd/slap.h

index 1c001f529eaeb8ddd19f47733568c6d77d51bc1e..0150d1c7e9ad67b1b8f4e691054fddf22c0d1341 100644 (file)
@@ -253,7 +253,7 @@ access_allowed_mask(
                    "<= root access granted\n",
                        0, 0, 0 );
                if ( maskp ) {
-                       mask = ACL_LVL_WRITE;
+                       mask = ACL_LVL_MANAGE;
                }
 
                goto done;
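Review bot: Root's mask is bumped to ACL_LVL_MANAGE on the changed line, and per the commit message nothing yet tests ACL_PRIV_MANAGE, so this is the only place the new top level shows up on the grant side; without a comment the next reader will take the bump for an effective behaviour change. Suggest `/* rootdn holds every privilege, including the (not yet enforced) manage level */` above the assignment. access_allowed_mask starts and ends outside the hunk.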
@@ -1741,7 +1741,9 @@ acl_check_modlist(
                Debug( LDAP_DEBUG_ACL,
                        "=> access_allowed: backend default %s access %s to \"%s\"\n",
                        access2str( ACL_WRITE ),
-                       op->o_bd->be_dfltaccess >= ACL_WRITE ? "granted" : "denied", op->o_dn.bv_val );
+                       op->o_bd->be_dfltaccess >= ACL_WRITE
+                               ? "granted" : "denied",
+                       op->o_dn.bv_val );
                ret = (op->o_bd->be_dfltaccess >= ACL_WRITE);
                goto done;
        }
index 1809c9e9a8039aec1a74a37b9a4f8ff2a5d0288c..05b52d25f67cdb3c83cf3ad6b1f886613ffde135 100644 (file)
@@ -62,10 +62,7 @@ static void          print_acl(Backend *be, AccessControl *a);
 static void            print_access(Access *b);
 #endif
 
-#ifdef LDAP_DEVEL
-static int
-check_scope( BackendDB *be, AccessControl *a );
-#endif /* LDAP_DEVEL */
+static int             check_scope( BackendDB *be, AccessControl *a );
 
 #ifdef SLAP_DYNACL
 static int
@@ -160,7 +157,6 @@ regtest(const char *fname, int lineno, char *pat) {
        regfree(&re);
 }
 
-#ifdef LDAP_DEVEL
 /*
  * Experimental
  *
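Review bot: The ` * Experimental` header kept above check_scope no longer describes it: with the LDAP_DEVEL guards dropped here and in the hunks at `@@ -295,7 +291,6`, `@@ -1653,7 +1647,6` and `@@ -1693,7 +1686,6`, the scope check and the stderr warnings it drives in parse_acl are compiled and run in every build. Replace the line with something like ` * Scope checking, formerly experimental and LDAP_DEVEL-only; now always enabled.` and, if parts of it are still considered unsettled, say which. The body of check_scope and its use in parse_acl lie outside this hunk.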
@@ -295,7 +291,6 @@ regex_done:;
 
        return ACL_SCOPE_UNKNOWN;
 }
-#endif /* LDAP_DEVEL */
 
 void
 parse_acl(
@@ -303,8 +298,7 @@ parse_acl(
     const char *fname,
     int                lineno,
     int                argc,
-    char       **argv
-)
+    char       **argv )
 {
        int             i;
        char            *left, *right, *style, *next;
@@ -1653,7 +1647,6 @@ parse_acl(
                }
 
                if ( be != NULL ) {
-#ifdef LDAP_DEVEL
                        if ( !BER_BVISNULL( &be->be_nsuffix[ 1 ] ) ) {
                                fprintf( stderr, "%s: line %d: warning: "
                                        "scope checking only applies to single-valued "
@@ -1693,7 +1686,6 @@ parse_acl(
                        default:
                                break;
                        }
-#endif /* LDAP_DEVEL */
                        acl_append( &be->be_acl, a );
 
                } else {
@@ -1720,6 +1712,9 @@ accessmask2str( slap_mask_t mask, char *buf )
                if ( ACL_LVL_IS_NONE(mask) ) {
                        ptr = lutil_strcopy( ptr, "none" );
 
+               } else if ( ACL_LVL_IS_DISCLOSE(mask) ) {
+                       ptr = lutil_strcopy( ptr, "disclose" );
+
                } else if ( ACL_LVL_IS_AUTH(mask) ) {
                        ptr = lutil_strcopy( ptr, "auth" );
 
@@ -1734,6 +1729,10 @@ accessmask2str( slap_mask_t mask, char *buf )
 
                } else if ( ACL_LVL_IS_WRITE(mask) ) {
                        ptr = lutil_strcopy( ptr, "write" );
+
+               } else if ( ACL_LVL_IS_MANAGE(mask) ) {
+                       ptr = lutil_strcopy( ptr, "manage" );
+
                } else {
                        ptr = lutil_strcopy( ptr, "unknown" );
                }
@@ -1751,6 +1750,11 @@ accessmask2str( slap_mask_t mask, char *buf )
                *ptr++ = '=';
        }
 
+       if ( ACL_PRIV_ISSET(mask, ACL_PRIV_MANAGE) ) {
+               none = 0;
+               *ptr++ = 'm';
+       } 
+
        if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WRITE) ) {
                none = 0;
                *ptr++ = 'w';
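Review bot: The privilege string written through `ptr` into `buf` grows by up to two characters (the 'm' added here and the 'd' added in the hunk at `@@ -1776,6 +1780,11`), but accessmask2str takes no size argument and the size of the caller-supplied buffer is not visible in the hunk; whatever constant sizes that buffer must grow by the same amount or the last writes land past its end. The contract should be stated at the function: `/* buf must hold the longest level name, '=', one char per privilege bit and the terminating NUL */`. The start and end of accessmask2str lie outside the hunk.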
@@ -1776,6 +1780,11 @@ accessmask2str( slap_mask_t mask, char *buf )
                *ptr++ = 'x';
        } 
 
+       if ( ACL_PRIV_ISSET(mask, ACL_PRIV_DISCLOSE) ) {
+               none = 0;
+               *ptr++ = 'd';
+       } 
+
        if ( none && ACL_PRIV_ISSET(mask, ACL_PRIV_NONE) ) {
                none = 0;
                *ptr++ = 'n';
@@ -1817,7 +1826,10 @@ str2accessmask( const char *str )
                }
 
                for( i=1; str[i] != '\0'; i++ ) {
-                       if( TOLOWER((unsigned char) str[i]) == 'w' ) {
+                       if( TOLOWER((unsigned char) str[i]) == 'm' ) {
+                               ACL_PRIV_SET(mask, ACL_PRIV_MANAGE);
+
+                       } else if( TOLOWER((unsigned char) str[i]) == 'w' ) {
                                ACL_PRIV_SET(mask, ACL_PRIV_WRITE);
 
                        } else if( TOLOWER((unsigned char) str[i]) == 'r' ) {
@@ -1832,6 +1844,9 @@ str2accessmask( const char *str )
                        } else if( TOLOWER((unsigned char) str[i]) == 'x' ) {
                                ACL_PRIV_SET(mask, ACL_PRIV_AUTH);
 
+                       } else if( TOLOWER((unsigned char) str[i]) == 'd' ) {
+                               ACL_PRIV_SET(mask, ACL_PRIV_DISCLOSE);
+
                        } else if( str[i] != '0' ) {
                                ACL_INVALIDATE(mask);
                                return mask;
@@ -1844,6 +1859,9 @@ str2accessmask( const char *str )
        if ( strcasecmp( str, "none" ) == 0 ) {
                ACL_LVL_ASSIGN_NONE(mask);
 
+       } else if ( strcasecmp( str, "disclose" ) == 0 ) {
+               ACL_LVL_ASSIGN_DISCLOSE(mask);
+
        } else if ( strcasecmp( str, "auth" ) == 0 ) {
                ACL_LVL_ASSIGN_AUTH(mask);
 
@@ -1859,6 +1877,9 @@ str2accessmask( const char *str )
        } else if ( strcasecmp( str, "write" ) == 0 ) {
                ACL_LVL_ASSIGN_WRITE(mask);
 
+       } else if ( strcasecmp( str, "manage" ) == 0 ) {
+               ACL_LVL_ASSIGN_MANAGE(mask);
+
        } else {
                ACL_INVALIDATE( mask );
        }
@@ -1890,8 +1911,8 @@ acl_usage( void )
                "<peernamestyle> ::= exact | regex | ip | path\n"
                "<domainstyle> ::= exact | regex | base(Object) | sub(tree)\n"
                "<access> ::= [self]{<level>|<priv>}\n"
-               "<level> ::= none | auth | compare | search | read | write\n"
-               "<priv> ::= {=|+|-}{w|r|s|c|x|0}+\n"
+               "<level> ::= none|disclose|auth|compare|search|read|write|manage\n"
+               "<priv> ::= {=|+|-}{0|d|x|c|s|r|w|m}+\n"
                "<control> ::= [ stop | continue | break ]\n"
        );
        exit( EXIT_FAILURE );
@@ -2053,6 +2074,9 @@ access2str( slap_access_t access )
        if ( access == ACL_NONE ) {
                return "none";
 
+       } else if ( access == ACL_DISCLOSE ) {
+               return "disclose";
+
        } else if ( access == ACL_AUTH ) {
                return "auth";
 
@@ -2067,6 +2091,10 @@ access2str( slap_access_t access )
 
        } else if ( access == ACL_WRITE ) {
                return "write";
+
+       } else if ( access == ACL_MANAGE ) {
+               return "manage";
+
        }
 
        return "unknown";
@@ -2078,6 +2106,9 @@ str2access( const char *str )
        if ( strcasecmp( str, "none" ) == 0 ) {
                return ACL_NONE;
 
+       } else if ( strcasecmp( str, "disclose" ) == 0 ) {
+               return ACL_DISCLOSE;
+
        } else if ( strcasecmp( str, "auth" ) == 0 ) {
                return ACL_AUTH;
 
@@ -2092,6 +2123,9 @@ str2access( const char *str )
 
        } else if ( strcasecmp( str, "write" ) == 0 ) {
                return ACL_WRITE;
+
+       } else if ( strcasecmp( str, "manage" ) == 0 ) {
+               return ACL_MANAGE;
        }
 
        return( ACL_INVALID_ACCESS );
index b5c62909cb5b860ebb29b57f7292c82316d0f6dc..e20cba370bab8daf88a0d86ff3203a800c10e469 100644 (file)
@@ -1123,11 +1123,13 @@ typedef struct slap_ldap_modlist {
 typedef enum slap_access_e {
        ACL_INVALID_ACCESS = -1,
        ACL_NONE = 0,
+       ACL_DISCLOSE,
        ACL_AUTH,
        ACL_COMPARE,
        ACL_SEARCH,
        ACL_READ,
-       ACL_WRITE
+       ACL_WRITE,
+       ACL_MANAGE
 } slap_access_t;
 
 typedef enum slap_control_e {
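Review bot: Inserting ACL_DISCLOSE before ACL_AUTH renumbers ACL_AUTH through ACL_WRITE, and those values double as shift counts through ACL_ACCESS2PRIV in the next hunk, so the enum must stay in ascending privilege order and any separately built module or stored integer holding a slap_access_t is off by one until rebuilt; I cannot see from the hunk whether such consumers exist. A comment on the enum would pin the invariant: `/* keep in ascending privilege order: values are also bit positions via ACL_ACCESS2PRIV */`.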
@@ -1209,11 +1211,13 @@ typedef struct slap_access {
 #define ACL_ACCESS2PRIV(access)        (0x01U << (access))
 
 #define ACL_PRIV_NONE                  ACL_ACCESS2PRIV( ACL_NONE )
+#define ACL_PRIV_DISCLOSE              ACL_ACCESS2PRIV( ACL_DISCLOSE )
 #define ACL_PRIV_AUTH                  ACL_ACCESS2PRIV( ACL_AUTH )
 #define ACL_PRIV_COMPARE               ACL_ACCESS2PRIV( ACL_COMPARE )
 #define ACL_PRIV_SEARCH                        ACL_ACCESS2PRIV( ACL_SEARCH )
 #define ACL_PRIV_READ                  ACL_ACCESS2PRIV( ACL_READ )
 #define ACL_PRIV_WRITE                 ACL_ACCESS2PRIV( ACL_WRITE )
+#define ACL_PRIV_MANAGE                        ACL_ACCESS2PRIV( ACL_MANAGE )
 
 #define ACL_PRIV_MASK                  0x00ffUL
 
@@ -1242,26 +1246,32 @@ typedef struct slap_access {
 #define ACL_IS_SUBTRACTIVE(m)  ACL_PRIV_ISSET((m),ACL_PRIV_SUBSTRACTIVE)
 
 #define ACL_LVL_NONE                   (ACL_PRIV_NONE|ACL_PRIV_LEVEL)
-#define ACL_LVL_AUTH                   (ACL_PRIV_AUTH|ACL_LVL_NONE)
+#define ACL_LVL_DISCLOSE               (ACL_PRIV_DISCLOSE|ACL_LVL_NONE)
+#define ACL_LVL_AUTH                   (ACL_PRIV_AUTH|ACL_LVL_DISCLOSE)
 #define ACL_LVL_COMPARE                        (ACL_PRIV_COMPARE|ACL_LVL_AUTH)
 #define ACL_LVL_SEARCH                 (ACL_PRIV_SEARCH|ACL_LVL_COMPARE)
 #define ACL_LVL_READ                   (ACL_PRIV_READ|ACL_LVL_SEARCH)
 #define ACL_LVL_WRITE                  (ACL_PRIV_WRITE|ACL_LVL_READ)
+#define ACL_LVL_MANAGE                 (ACL_PRIV_MANAGE|ACL_LVL_WRITE)
 
 #define ACL_LVL(m,l)                   (((m)&ACL_PRIV_MASK) == ((l)&ACL_PRIV_MASK))
 #define ACL_LVL_IS_NONE(m)             ACL_LVL((m),ACL_LVL_NONE)
+#define ACL_LVL_IS_DISCLOSE(m) ACL_LVL((m),ACL_LVL_DISCLOSE)
 #define ACL_LVL_IS_AUTH(m)             ACL_LVL((m),ACL_LVL_AUTH)
 #define ACL_LVL_IS_COMPARE(m)  ACL_LVL((m),ACL_LVL_COMPARE)
 #define ACL_LVL_IS_SEARCH(m)   ACL_LVL((m),ACL_LVL_SEARCH)
 #define ACL_LVL_IS_READ(m)             ACL_LVL((m),ACL_LVL_READ)
 #define ACL_LVL_IS_WRITE(m)            ACL_LVL((m),ACL_LVL_WRITE)
+#define ACL_LVL_IS_MANAGE(m)   ACL_LVL((m),ACL_LVL_MANAGE)
 
 #define ACL_LVL_ASSIGN_NONE(m)         ACL_PRIV_ASSIGN((m),ACL_LVL_NONE)
+#define ACL_LVL_ASSIGN_DISCLOSE(m)     ACL_PRIV_ASSIGN((m),ACL_LVL_DISCLOSE)
 #define ACL_LVL_ASSIGN_AUTH(m)         ACL_PRIV_ASSIGN((m),ACL_LVL_AUTH)
 #define ACL_LVL_ASSIGN_COMPARE(m)      ACL_PRIV_ASSIGN((m),ACL_LVL_COMPARE)
 #define ACL_LVL_ASSIGN_SEARCH(m)       ACL_PRIV_ASSIGN((m),ACL_LVL_SEARCH)
 #define ACL_LVL_ASSIGN_READ(m)         ACL_PRIV_ASSIGN((m),ACL_LVL_READ)
 #define ACL_LVL_ASSIGN_WRITE(m)                ACL_PRIV_ASSIGN((m),ACL_LVL_WRITE)
+#define ACL_LVL_ASSIGN_MANAGE(m)       ACL_PRIV_ASSIGN((m),ACL_LVL_MANAGE)
 
        slap_mask_t     a_access_mask;
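Review bot: ACL_LVL_AUTH is now defined on top of ACL_LVL_DISCLOSE, so every existing level from auth upward silently gains ACL_PRIV_DISCLOSE; that matches the description (only none withholds "disclose on error"), but it is an assumption any later ACL_PRIV_DISCLOSE check will rely on and the hunk does not say so. Add `/* every level above none implies disclose; only "none" withholds it */` beside ACL_LVL_DISCLOSE. The ACL_LVL_IS_* tests compare the whole privilege byte, so the str/mask conversions in aclparse.c stay unambiguous with the new levels.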