From 25c4b164a404f5dc6d7f35a39e2103d3cec2a0bb Mon Sep 17 00:00:00 2001
From: Howard Chu
Date: Sun, 9 Jul 2006 20:51:00 +0000
Subject: [PATCH] ITS#4253 fix value-dependent ACL caching - just record the ACL we'll start looking for, don't cache anything else.
---
 servers/slapd/acl.c | 46 +++++++++++-----------------------------------
 servers/slapd/slap.h | 17 +++++++----------
 2 files changed, 18 insertions(+), 45 deletions(-)
diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index 080a43b357..b5c2e91240 100644
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -199,7 +199,9 @@ slap_access_allowed( control = ACL_BREAK; if ( st_same_attr ) { +#if 0 assert( state->as_vd_acl != NULL ); +#endif a = state->as_vd_acl; count = state->as_vd_acl_count;
@@ -377,11 +379,14 @@ access_allowed_mask( { return state->as_result; - } else if ( ( state->as_recorded & ACL_STATE_RECORDED_VD ) && + } +#if 0 + else if ( ( state->as_recorded & ACL_STATE_RECORDED_VD ) && val != NULL && state->as_vd_acl == NULL ) { return state->as_result; } +#endif st_same_attr = 1; } else { *state = state_init;
@@ -509,7 +514,7 @@ slap_acl_get( dnlen = e->e_nname.bv_len; - for ( ; a != NULL; a = a->acl_next ) { + for ( ; a != NULL; prev = a, a = a->acl_next ) { (*count) ++; if ( a->acl_dn_pat.bv_len || ( a->acl_dn_style != ACL_STYLE_REGEX )) {
@@ -580,10 +585,8 @@ slap_acl_get( if( state && !( state->as_recorded & ACL_STATE_RECORDED_VD )) { state->as_recorded |= ACL_STATE_RECORDED_VD; - state->as_vd_acl = a; - state->as_vd_acl_count = *count; - state->as_vd_access = a->acl_access; - state->as_vd_access_count = 1; + state->as_vd_acl = prev; + state->as_vd_acl_count = *count - 1; ACL_INVALIDATE( state->as_vd_acl_mask ); }
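Review bot: The `assert( state->as_vd_acl != NULL )` in slap_access_allowed is fenced off with `#if 0` rather than removed, which leaves disabled code in the access-decision path and no record of why a NULL pointer is now acceptable; the `#if 0` around the `else if` branch in the access_allowed_mask hunk at -377 has the same problem. Since slap_acl_get now stores `prev` in `as_vd_acl`, a NULL there presumably means the value-dependent ACL was the first one examined, but that only holds if the code following `a = state->as_vd_acl;` (outside the hunk) treats NULL as a request to start from the head of the list. I would delete both disabled regions and put a comment above the assignment, for example `/* as_vd_acl may be NULL: the value-dependent ACL was first in the list, restart from the head */`. The body of slap_access_allowed continues outside the hunk.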
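Review bot: `state->as_vd_acl = prev;` is only correct if `prev` has a defined value before the loop's first iteration, and the only assignment visible in this patch is the `prev = a` in the for-increment of the -509 hunk. If the first ACL examined reaches this branch, the recorded restart point is whatever `prev` held on entry, so its declaration and initial assignment (outside these hunks) should be confirmed to give NULL when the walk starts at the list head and the caller's ACL when it resumes. `*count - 1` pairs with `prev` because `(*count) ++` runs at the top of every iteration; a comment would make that explicit, for example `/* record the ACL preceding the first value-dependent one, and its count, as the restart point */`. slap_acl_get starts and ends outside the hunk.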
@@ -667,21 +670,6 @@ slap_acl_get( return( NULL ); } -/* - * Record value-dependent access control state - */ -#define ACL_RECORD_VALUE_STATE do { \ - if( state && !( state->as_recorded & ACL_STATE_RECORDED_VD )) { \ - state->as_recorded |= ACL_STATE_RECORDED_VD; \ - state->as_vd_acl = a; \ - AC_MEMCPY( state->as_vd_acl_matches, matches, \ - sizeof( state->as_vd_acl_matches )) ; \ - state->as_vd_acl_count = count; \ - state->as_vd_access = b; \ - state->as_vd_access_count = i; \ - } \ - } while( 0 ) - static int acl_mask_dn( Operation *op,
@@ -1029,8 +1017,6 @@ acl_mask_dnattr( if ( ! bdn->a_self ) return 1; - ACL_RECORD_VALUE_STATE; - /* this is a self clause, check if the target is an * attribute. */
@@ -1102,16 +1088,8 @@ slap_acl_mask( accessmask2str( *mask, accessmaskbuf, 1 ) ); - if( state && ( state->as_recorded & ACL_STATE_RECORDED_VD ) - && state->as_vd_acl == a ) - { - b = state->as_vd_access; - i = state->as_vd_access_count; - - } else { - b = a->acl_access; - i = 1; - } + b = a->acl_access; + i = 1; for ( ; b != NULL; b = b->a_next, i++ ) { slap_mask_t oldmask, modmask;
@@ -1646,8 +1624,6 @@ slap_acl_mask( const char *dummy; int rc, match = 0; - ACL_RECORD_VALUE_STATE; - /* must have DN syntax */ if ( desc->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName && !is_at_syntax( desc->ad_type, SLAPD_NAMEUID_SYNTAX )) continue;
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index 7517277abc..c63641068a 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -1448,23 +1448,20 @@ typedef enum { } slap_acl_state_t; typedef struct slap_acl_state { - slap_acl_state_t as_recorded; - /* Access state */ - AccessControl *as_vd_acl; AccessControl *as_vi_acl; + AccessControl *as_vd_acl; + AttributeDescription *as_vd_ad; + slap_mask_t as_vd_acl_mask; + + slap_acl_state_t as_recorded; regmatch_t as_vd_acl_matches[MAXREMATCHES]; int as_vd_acl_count; - - Access *as_vd_access; - int as_vd_access_count; - int as_result; - AttributeDescription *as_vd_ad; } AccessControlState; -#define ACL_STATE_INIT { ACL_STATE_NOT_RECORDED, NULL, NULL, 0UL, \ - { { 0, 0 } }, 0, NULL, 0, 0, NULL } +#define ACL_STATE_INIT { NULL, NULL, NULL, 0UL, \ + ACL_STATE_NOT_RECORDED, { { 0, 0 } }, 0, 0 } /* * Backend-info -- 2.39.5
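Review bot: `ACL_STATE_INIT` is a positional initializer, and this hunk reorders the members of `struct slap_acl_state`, so the macro and the struct have to be kept in step by hand. As far as the collapsed hunk shows, the eight values line up with the new member order, but nothing documents that coupling, and a later reorder could seed `as_recorded` or `as_result` with the wrong initial value in the structure that caches access decisions. I would add a comment directly above the macro, `/* keep in member order: as_vi_acl, as_vd_acl, as_vd_ad, as_vd_acl_mask, as_recorded, as_vd_acl_matches, as_vd_acl_count, as_result */`. Separately, `as_vd_acl_matches` stays in the struct although the only writer visible in this patch, the removed `ACL_RECORD_VALUE_STATE` macro, is gone; if nothing else fills it, it should be dropped or marked as unused.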