From: Howard Chu Date: Fri, 11 Dec 2009 10:49:00 +0000 (+0000) Subject: New access_allowed() X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=5f9b6d809c1e5ece4fe597464740981fc30c68ae;p=openldap New access_allowed() --- diff --git a/servers/slapd/overlays/dds.c b/servers/slapd/overlays/dds.c index f434720933..e21ab2a67c 100644 --- a/servers/slapd/overlays/dds.c +++ b/servers/slapd/overlays/dds.c @@ -368,11 +368,11 @@ dds_op_add( Operation *op, SlapReply *rs ) slap_schema.si_oc_dynamicObject, NULL, 0, &e ); if ( rc == LDAP_SUCCESS && e != NULL ) { if ( !is_dynamicObject ) { + AclCheck ak = { e, slap_schema.si_ad_entry, NULL, + ACL_DISCLOSE, NULL }; /* return referral only if "disclose" * is granted on the object */ - if ( ! access_allowed( op, e, - slap_schema.si_ad_entry, - NULL, ACL_DISCLOSE, NULL ) ) + if ( ! access_allowed( op, &ak )) { rc = rs->sr_err = LDAP_NO_SUCH_OBJECT; send_ldap_result( op, rs ); @@ -850,11 +850,11 @@ dds_op_rename( Operation *op, SlapReply *rs ) slap_schema.si_oc_dynamicObject, NULL, 0, &e ); if ( rc == LDAP_SUCCESS && e != NULL ) { if ( !is_dynamicObject ) { + AclCheck ak = { e, slap_schema.si_ad_entry, NULL, + ACL_DISCLOSE, NULL }; /* return referral only if "disclose" * is granted on the object */ - if ( ! access_allowed( op, e, - slap_schema.si_ad_entry, - NULL, ACL_DISCLOSE, NULL ) ) + if ( ! access_allowed( op, &ak )) { rs->sr_err = LDAP_NO_SUCH_OBJECT; send_ldap_result( op, rs ); @@ -1068,11 +1068,11 @@ dds_op_extended( Operation *op, SlapReply *rs ) rs->sr_err = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e ); if ( rs->sr_err == LDAP_SUCCESS && e != NULL ) { + AclCheck ak = { e, slap_schema.si_ad_entry, NULL, + ACL_DISCLOSE, NULL }; /* return referral only if "disclose" * is granted on the object */ - if ( ! access_allowed( op, e, - slap_schema.si_ad_entry, - NULL, ACL_DISCLOSE, NULL ) ) + if ( ! access_allowed( op, &ak )) { rs->sr_err = LDAP_NO_SUCH_OBJECT; diff --git a/servers/slapd/overlays/deref.c b/servers/slapd/overlays/deref.c index d397c02385..0eb07c78b7 100644 --- a/servers/slapd/overlays/deref.c +++ b/servers/slapd/overlays/deref.c @@ -295,12 +295,16 @@ deref_response( Operation *op, SlapReply *rs ) static char dummy = '\0'; Entry *ebase; int i; + AclCheck ak; rc = overlay_entry_get_ov( op, &rs->sr_entry->e_nname, NULL, NULL, 0, &ebase, dc->dc_on ); if ( rc != LDAP_SUCCESS || ebase == NULL ) { return SLAP_CB_CONTINUE; } + ak.ak_e = rs->sr_entry; + ak.ak_access = ACL_READ; + ak.ak_state = &acl_state; for ( ds = dc->dc_ds; ds; ds = ds->ds_next ) { Attribute *a = attr_find( ebase->e_attrs, ds->ds_derefAttr ); @@ -308,8 +312,9 @@ deref_response( Operation *op, SlapReply *rs ) DerefVal *dv; BerVarray *bva; - if ( !access_allowed( op, rs->sr_entry, a->a_desc, - NULL, ACL_READ, &acl_state ) ) + ak.ak_desc = a->a_desc; + ak.ak_val = NULL; + if ( !access_allowed( op, &ak )) { continue; } @@ -331,9 +336,8 @@ deref_response( Operation *op, SlapReply *rs ) dv[ i ].dv_attrVals = bva; bva += ds->ds_nattrs; - - if ( !access_allowed( op, rs->sr_entry, a->a_desc, - &a->a_nvals[ i ], ACL_READ, &acl_state ) ) + ak.ak_val = &a->a_nvals[i]; + if ( !access_allowed( op, &ak )) { dv[ i ].dv_derefSpecVal.bv_val = &dummy; continue; @@ -347,15 +351,21 @@ deref_response( Operation *op, SlapReply *rs ) rc = overlay_entry_get_ov( op, &a->a_nvals[ i ], NULL, NULL, 0, &e, dc->dc_on ); if ( rc == LDAP_SUCCESS && e != NULL ) { int j; - - if ( access_allowed( op, e, slap_schema.si_ad_entry, - NULL, ACL_READ, NULL ) ) + AclCheck ak2; + AccessControlState acl_st2 = ACL_STATE_INIT; + + ak2.ak_e = e; + ak2.ak_desc = slap_schema.si_ad_entry; + ak2.ak_val = NULL; + ak2.ak_state = NULL; + if ( access_allowed( op, &ak2 )) { + ak2.ak_state = &acl_st2; for ( j = 0; j < ds->ds_nattrs; j++ ) { Attribute *aa; - if ( !access_allowed( op, e, ds->ds_attributes[ j ], NULL, - ACL_READ, &acl_state ) ) + ak2.ak_desc = ds->ds_attributes[ j ]; + if ( !access_allowed( op, &ak2 )) { continue; } @@ -368,12 +378,10 @@ deref_response( Operation *op, SlapReply *rs ) aa->a_vals, op->o_tmpmemctx ); bv.bv_len += ds->ds_attributes[ j ]->ad_cname.bv_len; - + ak2.ak_desc = aa->a_desc; for ( k = 0, h = 0; k < aa->a_numvals; k++ ) { - if ( !access_allowed( op, e, - aa->a_desc, - &aa->a_nvals[ k ], - ACL_READ, &acl_state ) ) + ak2.ak_val = &aa->a_nvals[ k ]; + if ( !access_allowed( op, &ak2 )) { op->o_tmpfree( dv[ i ].dv_attrVals[ j ][ h ].bv_val, op->o_tmpmemctx ); diff --git a/servers/slapd/overlays/dynlist.c b/servers/slapd/overlays/dynlist.c index 1b83f9f41d..895d286a9a 100644 --- a/servers/slapd/overlays/dynlist.c +++ b/servers/slapd/overlays/dynlist.c @@ -220,6 +220,7 @@ dynlist_sc_update( Operation *op, SlapReply *rs ) int opattrs, userattrs; AccessControlState acl_state = ACL_STATE_INIT; + AclCheck ak; dynlist_sc_t *dlc; dynlist_map_t *dlm; @@ -235,8 +236,12 @@ dynlist_sc_update( Operation *op, SlapReply *rs ) assert( rs->sr_entry != NULL ); /* test access to entry */ - if ( !access_allowed( op, rs->sr_entry, slap_schema.si_ad_entry, - NULL, ACL_READ, NULL ) ) + ak.ak_e = rs->sr_entry; + ak.ak_desc = slap_schema.si_ad_entry; + ak.ak_val = NULL; + ak.ak_access = ACL_READ; + ak.ak_state = NULL; + if ( !access_allowed( op, &ak )) { goto done; } @@ -247,29 +252,25 @@ dynlist_sc_update( Operation *op, SlapReply *rs ) if ( dlm && dlm->dlm_mapped_ad == NULL && dlm->dlm_next == NULL ) { /* if access allowed, try to add values, emulating permissive * control to silently ignore duplicates */ - if ( access_allowed( op, rs->sr_entry, slap_schema.si_ad_entry, - NULL, ACL_READ, NULL ) ) - { - Modification mod; - const char *text = NULL; - char textbuf[1024]; - struct berval vals[ 2 ], nvals[ 2 ]; - - vals[ 0 ] = rs->sr_entry->e_name; - BER_BVZERO( &vals[ 1 ] ); - nvals[ 0 ] = rs->sr_entry->e_nname; - BER_BVZERO( &nvals[ 1 ] ); - - mod.sm_op = LDAP_MOD_ADD; - mod.sm_desc = dlm->dlm_member_ad; - mod.sm_type = dlm->dlm_member_ad->ad_cname; - mod.sm_values = vals; - mod.sm_nvalues = nvals; - mod.sm_numvals = 1; - - (void)modify_add_values( e, &mod, /* permissive */ 1, - &text, textbuf, sizeof( textbuf ) ); - } + Modification mod; + const char *text = NULL; + char textbuf[1024]; + struct berval vals[ 2 ], nvals[ 2 ]; + + vals[ 0 ] = rs->sr_entry->e_name; + BER_BVZERO( &vals[ 1 ] ); + nvals[ 0 ] = rs->sr_entry->e_nname; + BER_BVZERO( &nvals[ 1 ] ); + + mod.sm_op = LDAP_MOD_ADD; + mod.sm_desc = dlm->dlm_member_ad; + mod.sm_type = dlm->dlm_member_ad->ad_cname; + mod.sm_values = vals; + mod.sm_nvalues = nvals; + mod.sm_numvals = 1; + + (void)modify_add_values( e, &mod, /* permissive */ 1, + &text, textbuf, sizeof( textbuf ) ); goto done; } @@ -308,10 +309,11 @@ dynlist_sc_update( Operation *op, SlapReply *rs ) } } + ak.ak_desc = a->a_desc; + ak.ak_state = &acl_state; /* test access to attribute */ if ( op->ors_attrsonly ) { - if ( !access_allowed( op, rs->sr_entry, a->a_desc, NULL, - ACL_READ, &acl_state ) ) + if ( !access_allowed( op, &ak )) { continue; } @@ -341,8 +343,8 @@ dynlist_sc_update( Operation *op, SlapReply *rs ) } } - if ( access_allowed( op, rs->sr_entry, a->a_desc, - &a->a_nvals[i], ACL_READ, &acl_state ) ) + ak.ak_val = &a->a_nvals[i]; + if ( access_allowed( op, &ak )) { vals[j] = a->a_vals[i]; if ( nvals ) { diff --git a/servers/slapd/overlays/memberof.c b/servers/slapd/overlays/memberof.c index 3a38b63373..b42379f908 100644 --- a/servers/slapd/overlays/memberof.c +++ b/servers/slapd/overlays/memberof.c @@ -601,16 +601,20 @@ memberof_op_add( Operation *op, SlapReply *rs ) if ( map != NULL ) { Attribute *a = *map; AccessControlState acl_state = ACL_STATE_INIT; + AclCheck ak; + + ak.ak_desc = mo->mo_ad_memberof; + ak.ak_access = ACL_WADD; + ak.ak_state = &acl_state; for ( i = 0; !BER_BVISNULL( &a->a_nvals[ i ] ); i++ ) { Entry *e; op->o_bd->bd_info = (BackendInfo *)on->on_info; /* access is checked with the original identity */ - rc = access_allowed( op, op->ora_e, mo->mo_ad_memberof, - &a->a_nvals[ i ], ACL_WADD, - &acl_state ); - if ( rc == 0 ) { + ak.ak_e = op->ora_e; + ak.ak_val = &a->a_nvals[ i ]; + if ( !access_allowed( op, &ak )) { rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS; rs->sr_text = NULL; send_ldap_result( op, rs ); @@ -665,8 +669,9 @@ memberof_op_add( Operation *op, SlapReply *rs ) /* access is checked with the original identity */ op->o_bd->bd_info = (BackendInfo *)on->on_info; - rc = access_allowed( op, e, mo->mo_ad_member, - &op->o_req_ndn, ACL_WADD, NULL ); + ak.ak_e = e; + ak.ak_val = &op->o_req_ndn; + rc = access_allowed( op, &ak ); be_entry_release_r( op, e ); op->o_bd->bd_info = (BackendInfo *)on; @@ -886,6 +891,7 @@ memberof_op_modify( Operation *op, SlapReply *rs ) Modifications *ml = *mmlp; int i; Entry *target; + AclCheck ak; op->o_bd->bd_info = (BackendInfo *)on->on_info; rc = be_entry_get_rw( op, &op->o_req_ndn, @@ -897,22 +903,22 @@ memberof_op_modify( Operation *op, SlapReply *rs ) goto done; } + ak.ak_desc = mo->mo_ad_memberof; switch ( ml->sml_op ) { case LDAP_MOD_DELETE: if ( ml->sml_nvalues != NULL ) { AccessControlState acl_state = ACL_STATE_INIT; + ak.ak_access = ACL_WDEL; + ak.ak_state = &acl_state; for ( i = 0; !BER_BVISNULL( &ml->sml_nvalues[ i ] ); i++ ) { Entry *e; op->o_bd->bd_info = (BackendInfo *)on->on_info; /* access is checked with the original identity */ - rc = access_allowed( op, target, - mo->mo_ad_memberof, - &ml->sml_nvalues[ i ], - ACL_WDEL, - &acl_state ); - if ( rc == 0 ) { + ak.ak_e = target; + ak.ak_val = &ml->sml_nvalues[ i ]; + if ( !access_allowed( op, &ak )) { rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS; rs->sr_text = NULL; send_ldap_result( op, rs ); @@ -969,9 +975,9 @@ memberof_op_modify( Operation *op, SlapReply *rs ) /* access is checked with the original identity */ op->o_bd->bd_info = (BackendInfo *)on->on_info; - rc = access_allowed( op, e, mo->mo_ad_member, - &op->o_req_ndn, - ACL_WDEL, NULL ); + ak.ak_e = e; + ak.ak_val = &op->o_req_ndn; + rc = access_allowed( op, &ak ); be_entry_release_r( op, e ); op->o_bd->bd_info = (BackendInfo *)on; @@ -997,10 +1003,11 @@ memberof_op_modify( Operation *op, SlapReply *rs ) op->o_bd->bd_info = (BackendInfo *)on->on_info; /* access is checked with the original identity */ - rc = access_allowed( op, target, - mo->mo_ad_memberof, - NULL, - ACL_WDEL, NULL ); + ak.ak_e = target; + ak.ak_val = NULL; + ak.ak_access = ACL_WDEL; + ak.ak_state = NULL; + rc = access_allowed( op, &ak ); op->o_bd->bd_info = (BackendInfo *)on; if ( rc == 0 ) { rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS; @@ -1016,18 +1023,24 @@ memberof_op_modify( Operation *op, SlapReply *rs ) case LDAP_MOD_ADD: { AccessControlState acl_state = ACL_STATE_INIT; + AclCheck ak2; + + ak.ak_e = target; + ak.ak_access = ACL_WADD; + ak.ak_state = &acl_state; + + ak2.ak_desc = mo->mo_ad_member; + ak2.ak_val = &op->o_req_ndn; + ak2.ak_access = ACL_WDEL; + ak2.ak_state = NULL; for ( i = 0; !BER_BVISNULL( &ml->sml_nvalues[ i ] ); i++ ) { Entry *e; op->o_bd->bd_info = (BackendInfo *)on->on_info; /* access is checked with the original identity */ - rc = access_allowed( op, target, - mo->mo_ad_memberof, - &ml->sml_nvalues[ i ], - ACL_WADD, - &acl_state ); - if ( rc == 0 ) { + ak.ak_val = &ml->sml_nvalues[ i ]; + if ( !access_allowed( op, &ak )) { rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS; rs->sr_text = NULL; send_ldap_result( op, rs ); @@ -1080,9 +1093,8 @@ memberof_op_modify( Operation *op, SlapReply *rs ) /* access is checked with the original identity */ op->o_bd->bd_info = (BackendInfo *)on->on_info; - rc = access_allowed( op, e, mo->mo_ad_member, - &op->o_req_ndn, - ACL_WDEL, NULL ); + ak2.ak_e = e; + rc = access_allowed( op, &ak2 ); be_entry_release_r( op, e ); op->o_bd->bd_info = (BackendInfo *)on; diff --git a/servers/slapd/overlays/syncprov.c b/servers/slapd/overlays/syncprov.c index 8fb306241b..32dd0f2f9a 100644 --- a/servers/slapd/overlays/syncprov.c +++ b/servers/slapd/overlays/syncprov.c @@ -1901,6 +1901,7 @@ syncprov_op_compare( Operation *op, SlapReply *rs ) { Entry e = {0}; Attribute a = {0}; + AclCheck ak; e.e_name = si->si_contextdn; e.e_nname = si->si_contextdn; @@ -1914,8 +1915,12 @@ syncprov_op_compare( Operation *op, SlapReply *rs ) a.a_nvals = a.a_vals; a.a_numvals = si->si_numcsns; - rs->sr_err = access_allowed( op, &e, op->oq_compare.rs_ava->aa_desc, - &op->oq_compare.rs_ava->aa_value, ACL_COMPARE, NULL ); + ak.ak_e = &e; + ak.ak_desc = op->oq_compare.rs_ava->aa_desc; + ak.ak_val = &op->oq_compare.rs_ava->aa_value; + ak.ak_access = ACL_COMPARE; + ak.ak_state = NULL; + rs->sr_err = access_allowed( op, &ak ); if ( ! rs->sr_err ) { rs->sr_err = LDAP_INSUFFICIENT_ACCESS; goto return_results;