From 1c5d78d8dd4d0e57487ce7142e2d9860f9a7ca79 Mon Sep 17 00:00:00 2001 From: Kurt Zeilenga Date: Sat, 8 Jan 2005 05:26:18 +0000 Subject: [PATCH] Add "disclose" and "manage" ACL levels (but no meat). Disclose permission intended to be used for "disclose on error" (as in our present "none"), none being "don't disclose on error". Manage permission is intended to be used to allow DSA IT management (e.g., changing entryCSNs, structuralObjectClass, etc.). --- servers/slapd/acl.c | 6 ++-- servers/slapd/aclparse.c | 60 +++++++++++++++++++++++++++++++--------- servers/slapd/slap.h | 14 ++++++++-- 3 files changed, 63 insertions(+), 17 deletions(-) diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c index 1c001f529e..0150d1c7e9 100644 --- a/servers/slapd/acl.c +++ b/servers/slapd/acl.c @@ -253,7 +253,7 @@ access_allowed_mask( "<= root access granted\n", 0, 0, 0 ); if ( maskp ) { - mask = ACL_LVL_WRITE; + mask = ACL_LVL_MANAGE; } goto done; @@ -1741,7 +1741,9 @@ acl_check_modlist( Debug( LDAP_DEBUG_ACL, "=> access_allowed: backend default %s access %s to \"%s\"\n", access2str( ACL_WRITE ), - op->o_bd->be_dfltaccess >= ACL_WRITE ? "granted" : "denied", op->o_dn.bv_val ); + op->o_bd->be_dfltaccess >= ACL_WRITE + ? "granted" : "denied", + op->o_dn.bv_val ); ret = (op->o_bd->be_dfltaccess >= ACL_WRITE); goto done; } diff --git a/servers/slapd/aclparse.c b/servers/slapd/aclparse.c index 1809c9e9a8..05b52d25f6 100644 --- a/servers/slapd/aclparse.c +++ b/servers/slapd/aclparse.c @@ -62,10 +62,7 @@ static void print_acl(Backend *be, AccessControl *a); static void print_access(Access *b); #endif -#ifdef LDAP_DEVEL -static int -check_scope( BackendDB *be, AccessControl *a ); -#endif /* LDAP_DEVEL */ +static int check_scope( BackendDB *be, AccessControl *a ); #ifdef SLAP_DYNACL static int @@ -160,7 +157,6 @@ regtest(const char *fname, int lineno, char *pat) { regfree(&re); } -#ifdef LDAP_DEVEL /* * Experimental * 
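Review bot: The root-access branch in `access_allowed_mask` now hands back `ACL_LVL_MANAGE` while, per the commit message, no enforcement path consumes the manage bit yet, so a caller that tests the returned mask by level equality (an `ACL_LVL_IS_WRITE(mask)` style check rather than a `>=` or `ACL_PRIV_ISSET` test) would now see root as "not write" — if any such caller exists it needs to move to a privilege-bit test. The intent is also worth stating at the assignment, e.g. `/* rootdn holds every privilege, including manage; manage is not yet enforced anywhere else */`. The enclosing function starts and ends outside the hunk.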
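Review bot: The `@@ -62` hunk drops the `LDAP_DEVEL` guard around the `check_scope` prototype, and together with the `@@ -160` hunk here and the `@@ -295`, `@@ -1653` and `@@ -1693` hunks on the next line this enables code whose own header comment still says "Experimental" in every build, which the commit subject does not mention. From the visible lines the check appears to only emit startup warnings via `fprintf(stderr, ...)`, so the exposure looks limited to noisier configuration parsing, but that should be confirmed against the full body of `check_scope`, which lies outside the hunks. Either split this into its own commit or at least reword the comment, e.g. `/* Scope sanity check for ACL <what> clauses; warns only, never rejects an ACL. Previously LDAP_DEVEL-only. */`.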
@@ -295,7 +291,6 @@ regex_done:; return ACL_SCOPE_UNKNOWN; } -#endif /* LDAP_DEVEL */ void parse_acl( @@ -303,8 +298,7 @@ parse_acl( const char *fname, int lineno, int argc, - char **argv -) + char **argv ) { int i; char *left, *right, *style, *next; @@ -1653,7 +1647,6 @@ parse_acl( } if ( be != NULL ) { -#ifdef LDAP_DEVEL if ( !BER_BVISNULL( &be->be_nsuffix[ 1 ] ) ) { fprintf( stderr, "%s: line %d: warning: " "scope checking only applies to single-valued " @@ -1693,7 +1686,6 @@ parse_acl( default: break; } -#endif /* LDAP_DEVEL */ acl_append( &be->be_acl, a ); } else { @@ -1720,6 +1712,9 @@ accessmask2str( slap_mask_t mask, char *buf ) if ( ACL_LVL_IS_NONE(mask) ) { ptr = lutil_strcopy( ptr, "none" ); + } else if ( ACL_LVL_IS_DISCLOSE(mask) ) { + ptr = lutil_strcopy( ptr, "disclose" ); + } else if ( ACL_LVL_IS_AUTH(mask) ) { ptr = lutil_strcopy( ptr, "auth" ); @@ -1734,6 +1729,10 @@ accessmask2str( slap_mask_t mask, char *buf ) } else if ( ACL_LVL_IS_WRITE(mask) ) { ptr = lutil_strcopy( ptr, "write" ); + + } else if ( ACL_LVL_IS_MANAGE(mask) ) { + ptr = lutil_strcopy( ptr, "manage" ); + } else { ptr = lutil_strcopy( ptr, "unknown" ); } @@ -1751,6 +1750,11 @@ accessmask2str( slap_mask_t mask, char *buf ) *ptr++ = '='; } + if ( ACL_PRIV_ISSET(mask, ACL_PRIV_MANAGE) ) { + none = 0; + *ptr++ = 'm'; + } + if ( ACL_PRIV_ISSET(mask, ACL_PRIV_WRITE) ) { none = 0; *ptr++ = 'w'; @@ -1776,6 +1780,11 @@ accessmask2str( slap_mask_t mask, char *buf ) *ptr++ = 'x'; } + if ( ACL_PRIV_ISSET(mask, ACL_PRIV_DISCLOSE) ) { + none = 0; + *ptr++ = 'd'; + } + if ( none && ACL_PRIV_ISSET(mask, ACL_PRIV_NONE) ) { none = 0; *ptr++ = 'n'; 
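Review bot: The `@@ -1751` and `@@ -1776` hunks make `accessmask2str` emit up to two more characters (`m` before `w`, `d` after `x`) into a caller-supplied `buf` whose bound is not visible in the hunk; a mask with every privilege bit set now overruns a buffer sized for the old `wrscxn` set by two bytes, so whatever constant callers size `buf` with (I believe it is `ACCESSMASK_MAXLEN` in slap.h, derived from a sample string) must grow by the same amount in this commit, not later. It would help to state the contract at the top of the function, e.g. `/* Writes at most "unknown(=mwrscxdn)" plus NUL into buf; keep the caller-side length constant in sync when adding privilege letters. */`. The longest level name written in the `@@ -1720`/`@@ -1734` hunks is still "unknown"/"disclose", so the level part of the bound is unchanged.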
@@ -1817,7 +1826,10 @@ str2accessmask( const char *str ) } for( i=1; str[i] != '\0'; i++ ) { - if( TOLOWER((unsigned char) str[i]) == 'w' ) { + if( TOLOWER((unsigned char) str[i]) == 'm' ) { + ACL_PRIV_SET(mask, ACL_PRIV_MANAGE); + + } else if( TOLOWER((unsigned char) str[i]) == 'w' ) { ACL_PRIV_SET(mask, ACL_PRIV_WRITE); } else if( TOLOWER((unsigned char) str[i]) == 'r' ) { @@ -1832,6 +1844,9 @@ str2accessmask( const char *str ) } else if( TOLOWER((unsigned char) str[i]) == 'x' ) { ACL_PRIV_SET(mask, ACL_PRIV_AUTH); + } else if( TOLOWER((unsigned char) str[i]) == 'd' ) { + ACL_PRIV_SET(mask, ACL_PRIV_DISCLOSE); + } else if( str[i] != '0' ) { ACL_INVALIDATE(mask); return mask; @@ -1844,6 +1859,9 @@ str2accessmask( const char *str ) if ( strcasecmp( str, "none" ) == 0 ) { ACL_LVL_ASSIGN_NONE(mask); + } else if ( strcasecmp( str, "disclose" ) == 0 ) { + ACL_LVL_ASSIGN_DISCLOSE(mask); + } else if ( strcasecmp( str, "auth" ) == 0 ) { ACL_LVL_ASSIGN_AUTH(mask); @@ -1859,6 +1877,9 @@ str2accessmask( const char *str ) } else if ( strcasecmp( str, "write" ) == 0 ) { ACL_LVL_ASSIGN_WRITE(mask); + } else if ( strcasecmp( str, "manage" ) == 0 ) { + ACL_LVL_ASSIGN_MANAGE(mask); + } else { ACL_INVALIDATE( mask ); } @@ -1890,8 +1911,8 @@ acl_usage( void ) " ::= exact | regex | ip | path\n" " ::= exact | regex | base(Object) | sub(tree)\n" " ::= [self]{|}\n" - " ::= none | auth | compare | search | read | write\n" - " ::= {=|+|-}{w|r|s|c|x|0}+\n" + " ::= none|disclose|auth|compare|search|read|write|manage\n" + " ::= {=|+|-}{0|d|x|c|s|r|w|m}+\n" " ::= [ stop | continue | break ]\n" ); exit( EXIT_FAILURE ); @@ -2053,6 +2074,9 @@ access2str( slap_access_t access ) if ( access == ACL_NONE ) { return "none"; + } else if ( access == ACL_DISCLOSE ) { + return "disclose"; + } else if ( access == ACL_AUTH ) { return "auth"; 
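Review bot: The new `'m'`/`'d'` branches in `str2accessmask` are consistent with the `acl_usage` text, but the letter loop now has eight accepted codes and its rules are only implicit in the code: letters may repeat, order is irrelevant, and `'0'` is accepted as a placeholder that sets no bit (the final `else if( str[i] != '0' )` invalidates anything else). A comment above the `for` would make that explicit, e.g. `/* one privilege bit per letter, any order, duplicates harmless; '0' is the explicit "no privilege" placeholder; anything else invalidates the mask */`. Since `manage` is now parseable from slapd.conf while nothing enforces it yet, the man page or changelog should say so, otherwise an administrator may believe a `manage` clause already restricts DSA-IT attribute changes. The enclosing function starts and ends outside the hunk.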
@@ -2067,6 +2091,10 @@ access2str( slap_access_t access ) } else if ( access == ACL_WRITE ) { return "write"; + + } else if ( access == ACL_MANAGE ) { + return "manage"; + } return "unknown"; @@ -2078,6 +2106,9 @@ str2access( const char *str ) if ( strcasecmp( str, "none" ) == 0 ) { return ACL_NONE; + } else if ( strcasecmp( str, "disclose" ) == 0 ) { + return ACL_DISCLOSE; + } else if ( strcasecmp( str, "auth" ) == 0 ) { return ACL_AUTH; @@ -2092,6 +2123,9 @@ str2access( const char *str ) } else if ( strcasecmp( str, "write" ) == 0 ) { return ACL_WRITE; + + } else if ( strcasecmp( str, "manage" ) == 0 ) { + return ACL_MANAGE; } return( ACL_INVALID_ACCESS ); diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h index b5c62909cb..e20cba370b 100644 --- a/servers/slapd/slap.h +++ b/servers/slapd/slap.h @@ -1123,11 +1123,13 @@ typedef struct slap_ldap_modlist { typedef enum slap_access_e { ACL_INVALID_ACCESS = -1, ACL_NONE = 0, + ACL_DISCLOSE, ACL_AUTH, ACL_COMPARE, ACL_SEARCH, ACL_READ, - ACL_WRITE + ACL_WRITE, + ACL_MANAGE } slap_access_t; typedef enum slap_control_e { @@ -1209,11 +1211,13 @@ typedef struct slap_access { #define ACL_ACCESS2PRIV(access) (0x01U << (access)) #define ACL_PRIV_NONE ACL_ACCESS2PRIV( ACL_NONE ) +#define ACL_PRIV_DISCLOSE ACL_ACCESS2PRIV( ACL_DISCLOSE ) #define ACL_PRIV_AUTH ACL_ACCESS2PRIV( ACL_AUTH ) #define ACL_PRIV_COMPARE ACL_ACCESS2PRIV( ACL_COMPARE ) #define ACL_PRIV_SEARCH ACL_ACCESS2PRIV( ACL_SEARCH ) #define ACL_PRIV_READ ACL_ACCESS2PRIV( ACL_READ ) #define ACL_PRIV_WRITE ACL_ACCESS2PRIV( ACL_WRITE ) +#define ACL_PRIV_MANAGE ACL_ACCESS2PRIV( ACL_MANAGE ) #define ACL_PRIV_MASK 0x00ffUL 
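Review bot: Inserting `ACL_DISCLOSE` between `ACL_NONE` and `ACL_AUTH` in the `slap_access_e` hunk renumbers `ACL_AUTH` through `ACL_WRITE`, and because `ACL_ACCESS2PRIV(access)` is `(0x01U << (access))` every existing `ACL_PRIV_*` bit moves as well; any separately built backend or overlay compiled against the previous slap.h, or any numeric access value that was persisted or logged, is now misinterpreted and must be rebuilt or migrated. The enumeration order is load-bearing, since acl.c compares levels with `>=` (visible in the `@@ -1741` hunk), so a comment on the enum is warranted, e.g. `/* order matters: levels are compared with >= and each maps to privilege bit (1 << value); keep ACL_NONE first and the strongest level last */`. Note also that `ACL_MANAGE` is the eighth enumerator, giving bit 0x80, the last bit available under `ACL_PRIV_MASK 0x00ffUL`; a ninth level would silently collide with whatever sits above the mask, which deserves a comment next to `ACL_PRIV_MASK` such as `/* 8 privilege bits: ACL_NONE..ACL_MANAGE; widen before adding a level */`.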
@@ -1242,26 +1246,32 @@ typedef struct slap_access { #define ACL_IS_SUBTRACTIVE(m) ACL_PRIV_ISSET((m),ACL_PRIV_SUBSTRACTIVE) #define ACL_LVL_NONE (ACL_PRIV_NONE|ACL_PRIV_LEVEL) -#define ACL_LVL_AUTH (ACL_PRIV_AUTH|ACL_LVL_NONE) +#define ACL_LVL_DISCLOSE (ACL_PRIV_DISCLOSE|ACL_LVL_NONE) +#define ACL_LVL_AUTH (ACL_PRIV_AUTH|ACL_LVL_DISCLOSE) #define ACL_LVL_COMPARE (ACL_PRIV_COMPARE|ACL_LVL_AUTH) #define ACL_LVL_SEARCH (ACL_PRIV_SEARCH|ACL_LVL_COMPARE) #define ACL_LVL_READ (ACL_PRIV_READ|ACL_LVL_SEARCH) #define ACL_LVL_WRITE (ACL_PRIV_WRITE|ACL_LVL_READ) +#define ACL_LVL_MANAGE (ACL_PRIV_MANAGE|ACL_LVL_WRITE) #define ACL_LVL(m,l) (((m)&ACL_PRIV_MASK) == ((l)&ACL_PRIV_MASK)) #define ACL_LVL_IS_NONE(m) ACL_LVL((m),ACL_LVL_NONE) +#define ACL_LVL_IS_DISCLOSE(m) ACL_LVL((m),ACL_LVL_DISCLOSE) #define ACL_LVL_IS_AUTH(m) ACL_LVL((m),ACL_LVL_AUTH) #define ACL_LVL_IS_COMPARE(m) ACL_LVL((m),ACL_LVL_COMPARE) #define ACL_LVL_IS_SEARCH(m) ACL_LVL((m),ACL_LVL_SEARCH) #define ACL_LVL_IS_READ(m) ACL_LVL((m),ACL_LVL_READ) #define ACL_LVL_IS_WRITE(m) ACL_LVL((m),ACL_LVL_WRITE) +#define ACL_LVL_IS_MANAGE(m) ACL_LVL((m),ACL_LVL_MANAGE) #define ACL_LVL_ASSIGN_NONE(m) ACL_PRIV_ASSIGN((m),ACL_LVL_NONE) +#define ACL_LVL_ASSIGN_DISCLOSE(m) ACL_PRIV_ASSIGN((m),ACL_LVL_DISCLOSE) #define ACL_LVL_ASSIGN_AUTH(m) ACL_PRIV_ASSIGN((m),ACL_LVL_AUTH) #define ACL_LVL_ASSIGN_COMPARE(m) ACL_PRIV_ASSIGN((m),ACL_LVL_COMPARE) #define ACL_LVL_ASSIGN_SEARCH(m) ACL_PRIV_ASSIGN((m),ACL_LVL_SEARCH) #define ACL_LVL_ASSIGN_READ(m) ACL_PRIV_ASSIGN((m),ACL_LVL_READ) #define ACL_LVL_ASSIGN_WRITE(m) ACL_PRIV_ASSIGN((m),ACL_LVL_WRITE) +#define ACL_LVL_ASSIGN_MANAGE(m) ACL_PRIV_ASSIGN((m),ACL_LVL_MANAGE) slap_mask_t a_access_mask; -- 2.39.5
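Review bot: Rebasing `ACL_LVL_AUTH` on the new `ACL_LVL_DISCLOSE` makes every level from "auth" upward imply disclose while "none" does not, which, given the commit message's stated intent that "none" means "don't disclose on error", changes what today's "none" grants once enforcement lands; existing configurations that relied on the current "disclose on error" behaviour of "none" will need to be rewritten as "disclose", and that migration should be called out in the documentation for this change. The ladder itself carries no statement of this rule, so a comment above `ACL_LVL_NONE` would help, e.g. `/* each level includes every lower level; "none" deliberately excludes disclose, so an error on a "none" entry must not reveal its existence */`. There is no named constant for the top level, so `ACL_LVL_MANAGE` is only the maximum by position in this ladder and by the root assignment in acl.c; if that is intentional, a `/* highest level; keep in sync with the root grant in acl.c */` comment on `ACL_LVL_MANAGE` would keep the two from drifting.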