From: Pierangelo Masarati Date: Mon, 22 Aug 2005 16:03:35 +0000 (+0000) Subject: further ACI factoring out & confinement X-Git-Tag: OPENLDAP_REL_ENG_2_2_MP~615 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=4bc8197dcb652a92a270b1ee45063ccb31c0eaad;p=openldap further ACI factoring out & confinement --- diff --git a/servers/slapd/aci.c b/servers/slapd/aci.c index bfceacf03d..01c2691d03 100644 --- a/servers/slapd/aci.c +++ b/servers/slapd/aci.c @@ -42,6 +42,34 @@ #define ACI_BUF_SIZE 1024 /* use most appropriate size */ +#ifdef SLAP_DYNACL +static +#endif /* SLAP_DYNACL */ +AttributeDescription *slap_ad_aci; + +static int +OpenLDAPaciValidate( + Syntax *syntax, + struct berval *val ); + +static int +OpenLDAPaciPretty( + Syntax *syntax, + struct berval *val, + struct berval *out, + void *ctx ); + +static int +OpenLDAPaciNormalize( + slap_mask_t use, + Syntax *syntax, + MatchingRule *mr, + struct berval *val, + struct berval *out, + void *ctx ); + +#define OpenLDAPaciMatch octetStringMatch + static int aci_list_map_rights( struct berval *list ) 
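Review bot: The build-dependent linkage of `slap_ad_aci` — `static` only under `SLAP_DYNACL`, via the `#ifdef SLAP_DYNACL` / `static` / `#endif` lines — is undocumented, and a later reader will not know that without dynacl the same symbol is reached from aclparse.c (its hunk below assigns `b->a_aci_at = slap_ad_aci`) through the `LDAP_SLAPD_V` declaration proto-slap.h now exports. I'd add above the `#ifdef`: `/* ACI attribute descriptor, filled in by aci_init(); private to this module with SLAP_DYNACL, otherwise shared with aclparse.c via proto-slap.h */`. The `#define OpenLDAPaciMatch octetStringMatch` line also merits a one-liner, since equality on access-control values is thereby a byte comparison of whatever OpenLDAPaciNormalize produces, e.g. `/* equality on ACI values is bytewise on the normalized form */`; that this is adequate depends on the normalizer, which lies outside this hunk.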
@@ -486,6 +514,93 @@ aci_mask( return 0; } +int +aci_init( void ) +{ + /* OpenLDAP Experimental Syntax */ + static slap_syntax_defs_rec aci_syntax_def = { + "( 1.3.6.1.4.1.4203.666.2.1 DESC 'OpenLDAP Experimental ACI' )", + SLAP_SYNTAX_HIDE, + OpenLDAPaciValidate, + OpenLDAPaciPretty + }; + static slap_mrule_defs_rec aci_mr_def = { + "( 1.3.6.1.4.1.4203.666.4.2 NAME 'OpenLDAPaciMatch' " + "SYNTAX 1.3.6.1.4.1.4203.666.2.1 )", + SLAP_MR_HIDE | SLAP_MR_EQUALITY, NULL, + NULL, OpenLDAPaciNormalize, OpenLDAPaciMatch, + NULL, NULL, + NULL + }; + static struct { + char *name; + char *desc; + slap_mask_t flags; + AttributeDescription **ad; + } aci_at = { + "OpenLDAPaci", "( 1.3.6.1.4.1.4203.666.1.5 " + "NAME 'OpenLDAPaci' " + "DESC 'OpenLDAP access control information (experimental)' " + "EQUALITY OpenLDAPaciMatch " + "SYNTAX 1.3.6.1.4.1.4203.666.2.1 " + "USAGE directoryOperation )", + SLAP_AT_HIDE, + &slap_ad_aci + }; + + LDAPAttributeType *at; + AttributeType *sat; + int rc; + const char *text; + + /* ACI syntax */ + rc = register_syntax( &aci_syntax_def ); + if ( rc != 0 ) { + return rc; + } + + /* ACI equality rule */ + rc = register_matching_rule( &aci_mr_def ); + if ( rc != 0 ) { + return rc; + } + + /* ACI attribute */ + at = ldap_str2attributetype( aci_at.desc, + &rc, &text, LDAP_SCHEMA_ALLOW_ALL ); + if ( !at ) { + Debug( LDAP_DEBUG_ANY, + "%s AttributeType load failed: %s %s\n", + aci_at.name, ldap_scherr2str( rc ), text ); + return rc; + } + + rc = at_add( at, 0, &sat, &text ); + if ( rc != LDAP_SUCCESS ) { + ldap_attributetype_free( at ); + fprintf( stderr, "iMUX_monitor_schema_init: " + "AttributeType load failed: %s %s\n", + scherr2str( rc ), text ); + return rc; + } + ldap_memfree( at ); + + rc = slap_str2ad( aci_at.name, + aci_at.ad, &text ); + if ( rc != LDAP_SUCCESS ) { + Debug( LDAP_DEBUG_ANY, + "unable to find AttributeDescription " + "\"%s\": %d (%s)\n", + aci_at.name, rc, text ); + return 1; + } + + /* install flags */ + sat->sat_flags |= 
aci_at.flags; + + return rc; +} + #ifdef SLAP_DYNACL /* * FIXME: there is a silly dependence that makes it difficult @@ -514,7 +629,7 @@ dynacl_aci_parse( const char *fname, int lineno, slap_style_t sty, const char *r } } else { - ad = slap_schema.si_ad_aci; + ad = slap_ad_aci; } if ( !is_at_syntax( ad->ad_type, SLAPD_ACI_SYNTAX) ) { @@ -706,7 +821,15 @@ static slap_dynacl_t dynacl_aci = { int dynacl_aci_init( void ) { - return slap_dynacl_register( &dynacl_aci ); + int rc; + + rc = aci_init(); + + if ( rc == 0 ) { + rc = slap_dynacl_register( &dynacl_aci ); + } + + return rc; } #endif /* SLAP_DYNACL */ @@ -1040,7 +1163,7 @@ static const struct berval *OpenLDAPacitypes[] = { NULL }; -int +static int OpenLDAPaciValidate( Syntax *syntax, struct berval *val ) @@ -1406,7 +1529,7 @@ cleanup:; return rc; } -int +static int OpenLDAPaciPretty( Syntax *syntax, struct berval *val, @@ -1416,7 +1539,7 @@ OpenLDAPaciPretty( return OpenLDAPaciPrettyNormal( val, out, ctx, 0 ); } -int +static int OpenLDAPaciNormalize( slap_mask_t use, Syntax *syntax, diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c index a96104f84f..e89f1406b6 100644 --- a/servers/slapd/acl.c +++ b/servers/slapd/acl.c @@ -2794,19 +2794,20 @@ slap_dynacl_get( const char *name ) int acl_init( void ) { -#ifdef SLAP_DYNACL - int rc; + int rc = 0; #ifdef SLAPD_ACI_ENABLED +#ifdef SLAP_DYNACL rc = dynacl_aci_init(); +#else /* !SLAP_DYNACL */ + rc = aci_init(); +#endif /* !SLAP_DYNACL */ if ( rc != 0 ) { return rc; } #endif /* SLAPD_ACI_ENABLED */ -#endif /* SLAP_DYNACL */ - - return 0; + return rc; } int diff --git a/servers/slapd/aclparse.c b/servers/slapd/aclparse.c index bca6db91c2..1c9a4354d7 100644 --- a/servers/slapd/aclparse.c +++ b/servers/slapd/aclparse.c @@ -1539,7 +1539,7 @@ parse_acl( } } else { - b->a_aci_at = slap_schema.si_ad_aci; + b->a_aci_at = slap_ad_aci; } if( !is_at_syntax( b->a_aci_at->ad_type, 
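Review bot: The `at_add` failure branch in `aci_init` reports itself as `iMUX_monitor_schema_init` and writes with `fprintf( stderr, ... )`, while the neighbouring failure branches in the same function log through `Debug( LDAP_DEBUG_ANY, ... )`; that looks like a paste from another module and will send an operator looking in the wrong code when ACI schema registration fails. I'd replace the `fprintf` with `Debug( LDAP_DEBUG_ANY, "aci_init: AttributeType load failed: %s %s\n", scherr2str( rc ), text, 0 );` (the other `Debug` calls in this hunk each pass exactly three arguments, so the trailing `0` pads the third). The `slap_str2ad` branch is also the only one that returns a literal `1` rather than `rc`; returning `rc` there keeps the caller's error code consistent with the other paths. Nothing in this hunk unregisters the syntax, matching rule or attribute type on a later failure, so a comment that `aci_init()` is meant to run exactly once at startup would be worth adding.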
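Review bot: In `acl_init`, the `if ( rc != 0 ) { return rc; }` kept inside the `#ifdef SLAPD_ACI_ENABLED` block is now redundant: the only statement after the block is `return rc;`, so the early return and the fall-through return the same value. Dropping the three-line early return (or keeping it and returning `0` at the end) would make the control flow say what it means. The `#else /* !SLAP_DYNACL */` branch calling `aci_init()` directly matches the prototype proto-slap.h now exports only under `!SLAP_DYNACL`, so the build split looks consistent from what this diff shows.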
diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h index f359298df9..8881076dd8 100644 --- a/servers/slapd/proto-slap.h +++ b/servers/slapd/proto-slap.h @@ -45,14 +45,12 @@ LDAP_SLAPD_F (int) aci_mask LDAP_P(( slap_access_t *grant, slap_access_t *deny, slap_aci_scope_t scope)); -LDAP_SLAPD_F (int) OpenLDAPaciValidate LDAP_P(( - Syntax *syn, struct berval *in )); -LDAP_SLAPD_F (int) OpenLDAPaciPretty LDAP_P(( - Syntax *syn, struct berval *val, struct berval *out, void *ctx )); -LDAP_SLAPD_F (slap_mr_normalize_func) OpenLDAPaciNormalize; #ifdef SLAP_DYNACL LDAP_SLAPD_F (int) dynacl_aci_init LDAP_P(( void )); -#endif /* SLAP_DYNACL */ +#else /* !SLAP_DYNACL */ +LDAP_SLAPD_F (int) aci_init LDAP_P(( void )); +LDAP_SLAPD_V (AttributeDescription *) slap_ad_aci; +#endif /* !SLAP_DYNACL */ #endif /* SLAPD_ACI_ENABLED */ /* @@ -1453,9 +1451,17 @@ LDAP_SLAPD_F (void) schema_destroy LDAP_P(( void )); LDAP_SLAPD_F( slap_mr_indexer_func ) octetStringIndexer; LDAP_SLAPD_F( slap_mr_filter_func ) octetStringFilter; + LDAP_SLAPD_F( int ) numericoidValidate LDAP_P(( struct slap_syntax *syntax, struct berval *in )); +LDAP_SLAPD_F( int ) octetStringMatch LDAP_P(( + int *matchp, + slap_mask_t flags, + Syntax *syntax, + MatchingRule *mr, + struct berval *value, + void *assertedValue )); /* * schema_prep.c diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c index 5ff82c9974..07fb1f0db6 100644 --- a/servers/slapd/schema_init.c +++ b/servers/slapd/schema_init.c @@ -50,8 +50,6 @@ #define HASH_Update(c,buf,len) lutil_HASHUpdate(c,buf,len) #define HASH_Final(d,c) lutil_HASHFinal(d,c) -#define OpenLDAPaciMatch octetStringMatch - /* approx matching rules */ #define directoryStringApproxMatchOID "1.3.6.1.4.1.4203.666.4.4" #define directoryStringApproxMatch approxMatch 
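Review bot: Under `SLAP_DYNACL` this hunk stops declaring `slap_ad_aci` at all (the `LDAP_SLAPD_V (AttributeDescription *) slap_ad_aci;` line sits in the `#else /* !SLAP_DYNACL */` branch) and aci.c makes the definition `static`, yet the aclparse.c hunk assigns `b->a_aci_at = slap_ad_aci;` with no visible guard. Unless that assignment in parse_acl is itself compiled out when `SLAP_DYNACL` is defined — which I cannot see from this diff, as parse_acl's body is outside its hunk — a dynacl build will fail to compile or link there. If it is guarded, a short comment on the `#else` line, e.g. `/* without dynacl, aclparse.c needs the ACI descriptor directly */`, would record the dependency.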
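Review bot: The new `octetStringMatch` prototype spells out all six parameters while the adjacent `octetStringIndexer` and `octetStringFilter` declarations use the `LDAP_SLAPD_F( slap_mr_indexer_func )` / `LDAP_SLAPD_F( slap_mr_filter_func )` typedef form. If slap.h provides the corresponding `slap_mr_match_func` typedef (which I cannot confirm from this diff), declaring it as `LDAP_SLAPD_F( slap_mr_match_func ) octetStringMatch;` keeps the signature tied to the matching-rule table slot it is plugged into (`aci_mr_def` in aci.c), so a future change to the typedef cannot silently diverge from this prototype. The stray added blank line before `numericoidValidate` is unrelated noise in the same hunk.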
@@ -129,7 +127,7 @@ static int certificateValidate( Syntax *syntax, struct berval *in ) #define certificateValidate sequenceValidate #endif -static int +int octetStringMatch( int *matchp, slap_mask_t flags, @@ -3426,14 +3424,6 @@ static slap_syntax_defs_rec syntax_defs[] = { serialNumberAndIssuerValidate, serialNumberAndIssuerPretty}, -#ifdef SLAPD_ACI_ENABLED - /* OpenLDAP Experimental Syntaxes */ - {"( 1.3.6.1.4.1.4203.666.2.1 DESC 'OpenLDAP Experimental ACI' )", - SLAP_SYNTAX_HIDE, - OpenLDAPaciValidate, - OpenLDAPaciPretty}, -#endif - #ifdef SLAPD_AUTHPASSWD /* needs updating */ {"( 1.3.6.1.4.1.4203.666.2.2 DESC 'OpenLDAP authPassword' )", @@ -3850,15 +3840,6 @@ static slap_mrule_defs_rec mrule_defs[] = { NULL}, #endif -#ifdef SLAPD_ACI_ENABLED - {"( 1.3.6.1.4.1.4203.666.4.2 NAME 'OpenLDAPaciMatch' " - "SYNTAX 1.3.6.1.4.1.4203.666.2.1 )", - SLAP_MR_HIDE | SLAP_MR_EQUALITY, NULL, - NULL, OpenLDAPaciNormalize, OpenLDAPaciMatch, - NULL, NULL, - NULL}, -#endif - {"( 1.2.840.113556.1.4.803 NAME 'integerBitAndMatch' " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )", SLAP_MR_EXT, NULL, diff --git a/servers/slapd/schema_prep.c b/servers/slapd/schema_prep.c index dc2964e351..54d16095e6 100644 --- a/servers/slapd/schema_prep.c +++ b/servers/slapd/schema_prep.c @@ -887,18 +887,6 @@ static struct slap_schema_ad_map { NULL, NULL, NULL, NULL, NULL, NULL, NULL, offsetof(struct slap_internal_schema, si_ad_saslAuthzFrom) }, -#ifdef SLAPD_ACI_ENABLED - { "OpenLDAPaci", "( 1.3.6.1.4.1.4203.666.1.5 " - "NAME 'OpenLDAPaci' " - "DESC 'OpenLDAP access control information (experimental)' " - "EQUALITY OpenLDAPaciMatch " - "SYNTAX 1.3.6.1.4.1.4203.666.2.1 " - "USAGE directoryOperation )", - NULL, SLAP_AT_HIDE, - NULL, NULL, - NULL, NULL, NULL, NULL, NULL, - offsetof(struct slap_internal_schema, si_ad_aci) }, -#endif #ifdef LDAP_DYNAMIC_OBJECTS { "entryTtl", "( 1.3.6.1.4.1.1466.101.119.3 NAME 'entryTtl' " 
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h index 932c413feb..5ce7aad420 100644 --- a/servers/slapd/slap.h +++ b/servers/slapd/slap.h @@ -894,9 +894,6 @@ struct slap_internal_schema { AttributeDescription *si_ad_children; AttributeDescription *si_ad_saslAuthzTo; AttributeDescription *si_ad_saslAuthzFrom; -#ifdef SLAPD_ACI_ENABLED - AttributeDescription *si_ad_aci; -#endif /* SLAPD_ACI_ENABLED */ /* dynamic entries */ AttributeDescription *si_ad_entryTtl;