#include "slap.h"
#include "sets.h"
+
+/*
+ * speed up compares
+ */
+static struct berval
+ aci_bv_entry = { sizeof("entry") - 1, "entry" },
+ aci_bv_br_entry = { sizeof("[entry]") - 1, "[entry]" },
+ aci_bv_br_all = { sizeof("[all]") - 1, "[all]" },
+ aci_bv_access_id = { sizeof("access-id") - 1, "access-id" },
+ aci_bv_anonymous = { sizeof("anonymous") - 1, "anonymous" },
+ aci_bv_users = { sizeof("users") - 1, "users" },
+ aci_bv_self = { sizeof("self") - 1, "self" },
+ aci_bv_dnattr = { sizeof("dnattr") - 1, "dnattr" },
+ aci_bv_group = { sizeof("group") - 1, "group" },
+ aci_bv_role = { sizeof("role") - 1, "role" },
+ aci_bv_set = { sizeof("set") - 1, "set" },
+ aci_bv_set_ref = { sizeof("set-ref") - 1, "set-ref"},
+ aci_bv_grant = { sizeof("grant") - 1, "grant" },
+ aci_bv_deny = { sizeof("deny") - 1, "deny" };
+
static AccessControl * acl_get(
AccessControl *ac, int *count,
Backend *be, Operation *op,
* user is bound as somebody in the same namespace as
* the entry, OR the given dn matches the dn pattern
*/
- if ( b->a_dn_pat.bv_len == sizeof("anonymous") -1 &&
- strcmp( b->a_dn_pat.bv_val, "anonymous" ) == 0 ) {
- if (op->o_ndn.bv_len != 0 ) {
+ if ( ber_cmp( &b->a_dn_pat, &aci_bv_anonymous ) == 0 ) {
+ if ( op->o_ndn.bv_len != 0 ) {
continue;
}
- } else if ( b->a_dn_pat.bv_len == sizeof("users") - 1 &&
- strcmp( b->a_dn_pat.bv_val, "users" ) == 0 ) {
- if (op->o_ndn.bv_len == 0 ) {
+ } else if ( ber_cmp( &b->a_dn_pat, &aci_bv_users ) == 0 ) {
+ if ( op->o_ndn.bv_len == 0 ) {
continue;
}
- } else if ( b->a_dn_pat.bv_len == sizeof("self") - 1 &&
- strcmp( b->a_dn_pat.bv_val, "self" ) == 0 ) {
- if( op->o_ndn.bv_len == 0 ) {
+ } else if ( ber_cmp( &b->a_dn_pat, &aci_bv_self ) == 0 ) {
+ if ( op->o_ndn.bv_len == 0 ) {
continue;
}
- if ( e->e_dn == NULL || strcmp( e->e_ndn, op->o_ndn.bv_val ) != 0 ) {
+ if ( e->e_dn == NULL || !dn_match( &e->e_nname, &op->o_ndn ) ) {
continue;
}
} else if ( b->a_dn_style == ACL_STYLE_REGEX ) {
if ( b->a_dn_pat.bv_len != 1 ||
- strcmp( b->a_dn_pat.bv_val, "*" ) != 0 ) {
+ ber_charcmp( &b->a_dn_pat, '*' ) != 0 ) {
int ret = regex_matches( b->a_dn_pat.bv_val,
op->o_ndn.bv_val, e->e_ndn, matches );
static int
aci_list_has_attr(
struct berval *list,
- const char *attr,
+ const struct berval *attr,
struct berval *val )
{
struct berval bv, left, right;
if (aci_get_part(&bv, 0, '=', &left) < 0
|| aci_get_part(&bv, 1, '=', &right) < 0)
{
- if (aci_strbvcmp(attr, &bv) == 0)
+ if (ber_casecmp(attr, &bv) == 0)
return(1);
} else if (val == NULL) {
- if (aci_strbvcmp(attr, &left) == 0)
+ if (ber_casecmp(attr, &left) == 0)
return(1);
} else {
- if (aci_strbvcmp(attr, &left) == 0) {
+ if (ber_casecmp(attr, &left) == 0) {
/* this is experimental code that implements a
* simple (prefix) match of the attribute value.
* the ACI draft does not provide for aci's that
if (aci_get_part(&right, 0, '*', &left) < 0
|| right.bv_len <= left.bv_len)
{
- if (aci_strbvcmp(val->bv_val, &right) == 0)
+ if (ber_casecmp(val, &right) == 0)
return(1);
} else if (val->bv_len >= left.bv_len) {
if (strncasecmp( val->bv_val, left.bv_val, left.bv_len ) == 0)
static slap_access_t
aci_list_get_attr_rights(
struct berval *list,
- const char *attr,
+ const struct berval *attr,
struct berval *val )
{
struct berval bv;
static int
aci_list_get_rights(
struct berval *list,
- const char *attr,
+ const struct berval *attr,
struct berval *val,
slap_access_t *grant,
slap_access_t *deny )
slap_access_t *mask;
int i, found;
- if (attr == NULL || *attr == 0 || strcasecmp(attr, "entry") == 0) {
- attr = "[entry]";
+ if (attr == NULL || attr->bv_len == 0
+ || ber_casecmp( attr, &aci_bv_entry ) == 0) {
+ attr = &aci_bv_br_entry;
}
found = 0;
for (i = 0; aci_get_part(list, i, '$', &perm) >= 0; i++) {
if (aci_get_part(&perm, 0, ';', &actn) < 0)
continue;
- if (aci_strbvcmp( "grant", &actn ) == 0) {
+ if (ber_casecmp( &aci_bv_grant, &actn ) == 0) {
mask = grant;
- } else if (aci_strbvcmp( "deny", &actn ) == 0) {
+ } else if (ber_casecmp( &aci_bv_deny, &actn ) == 0) {
mask = deny;
} else {
continue;
found = 1;
*mask |= aci_list_get_attr_rights(&perm, attr, val);
- *mask |= aci_list_get_attr_rights(&perm, "[all]", NULL);
+ *mask |= aci_list_get_attr_rights(&perm, &aci_bv_br_all, NULL);
}
return(found);
}
{
struct berval bv, perms, sdn;
int rc;
- char *attr = desc->ad_cname.bv_val;
+
- assert( attr != NULL );
+ assert( desc->ad_cname.bv_val != NULL );
/* parse an aci of the form:
oid#scope#action;rights;attr;rights;attr$action;rights;attr;rights;attr#dnType#subjectDN
/* check that the scope is "entry" */
if (aci_get_part(aci, 1, '#', &bv) < 0
- || aci_strbvcmp( "entry", &bv ) != 0)
+ || ber_casecmp( &aci_bv_entry, &bv ) != 0)
{
return(0);
}
return(0);
/* check if any permissions allow desired access */
- if (aci_list_get_rights(&perms, attr, val, grant, deny) == 0)
+ if (aci_list_get_rights(&perms, &desc->ad_cname, val, grant, deny) == 0)
return(0);
/* see if we have a DN match */
if (aci_get_part(aci, 4, '#', &sdn) < 0)
return(0);
- if (aci_strbvcmp( "access-id", &bv ) == 0) {
+ if (ber_casecmp( &aci_bv_access_id, &bv ) == 0) {
struct berval ndn;
rc = 1;
if ( dnNormalize2(NULL, &sdn, &ndn) == LDAP_SUCCESS ) {
- if (strcasecmp(op->o_ndn.bv_val, ndn.bv_val) != 0)
+ if (!dn_match( &op->o_ndn, &ndn))
rc = 0;
free(ndn.bv_val);
}
return(rc);
}
- if (aci_strbvcmp( "self", &bv ) == 0) {
+ if (ber_casecmp( &aci_bv_self, &bv ) == 0) {
if (dn_match(&op->o_ndn, &e->e_nname))
return(1);
- } else if (aci_strbvcmp( "dnattr", &bv ) == 0) {
- char *dnattr = aci_bvstrdup(&sdn);
+ } else if (ber_casecmp( &aci_bv_dnattr, &bv ) == 0) {
Attribute *at;
AttributeDescription *ad = NULL;
const char *text;
- rc = slap_str2ad( dnattr, &ad, &text );
- ch_free( dnattr );
+ rc = slap_bv2ad( &sdn, &ad, &text );
if( rc != LDAP_SUCCESS ) {
return 0;
return rc;
- } else if (aci_strbvcmp( "group", &bv ) == 0) {
+ } else if (ber_casecmp( &aci_bv_group, &bv ) == 0) {
if (aci_group_member(&sdn, &GroupClass, &GroupAttr, be, e, conn, op, matches))
return(1);
- } else if (aci_strbvcmp( "role", &bv ) == 0) {
+ } else if (ber_casecmp( &aci_bv_role, &bv ) == 0) {
if (aci_group_member(&sdn, &RoleClass, &RoleAttr, be, e, conn, op, matches))
return(1);
- } else if (aci_strbvcmp( "set", &bv ) == 0) {
+ } else if (ber_casecmp( &aci_bv_set, &bv ) == 0) {
if (aci_match_set(&sdn, be, e, conn, op, 0))
return(1);
- } else if (aci_strbvcmp( "set-ref", &bv ) == 0) {
+ } else if (ber_casecmp( &aci_bv_set_ref, &bv ) == 0) {
if (aci_match_set(&sdn, be, e, conn, op, 1))
return(1);
projects / openldap / commitdiff