From 827ea96e163abe93717ba2672f32abf60de88b6b Mon Sep 17 00:00:00 2001 From: Howard Chu Date: Wed, 4 Dec 2002 02:35:00 +0000 Subject: [PATCH] ITS#1523 enhanced ACL caching --- servers/slapd/acl.c | 31 ++++++++++++++++++++++++------- servers/slapd/result.c | 7 +------ servers/slapd/slap.h | 4 +++- 3 files changed, 28 insertions(+), 14 deletions(-) diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c index 281d96e66a..de9cda67bc 100644 --- a/servers/slapd/acl.c +++ b/servers/slapd/acl.c @@ -130,6 +130,9 @@ access_allowed( slap_control_t control; const char *attr; regmatch_t matches[MAXREMATCHES]; + int st_same_attr = 0; + int st_initialized = 0; + static AccessControlState state_init = ACL_STATE_INIT; assert( e != NULL ); assert( desc != NULL ); @@ -139,7 +142,7 @@ access_allowed( assert( attr != NULL ); - if( state && state->as_recorded ) { + if( state && state->as_recorded && state->as_vd_ad==desc) { if( state->as_recorded & ACL_STATE_RECORDED_NV && val == NULL ) { @@ -150,6 +153,9 @@ access_allowed( { return state->as_result; } + st_same_attr = 1; + } if (state) { + state->as_vd_ad=desc; } #ifdef NEW_LOGGING @@ -246,7 +252,7 @@ access_allowed( ret = 0; control = ACL_BREAK; - if( state && ( state->as_recorded & ACL_STATE_RECORDED_VD )) { + if( st_same_attr ) { assert( state->as_vd_acl != NULL ); a = state->as_vd_acl; @@ -290,6 +296,18 @@ access_allowed( #endif } + if (state) { + if (state->as_vi_acl == a && (state->as_recorded & ACL_STATE_RECORDED_NV)) { + Debug( LDAP_DEBUG_ACL, "access_allowed: result from state (%s)\n", attr, 0, 0 ); + return state->as_result; + } else if (!st_initialized) { + Debug( LDAP_DEBUG_ACL, "access_allowed: no res from state (%s)\n", attr, 0, 0); + *state = state_init; + state->as_vd_ad=desc; + st_initialized=1; + } + } + vd_access: control = acl_mask( a, &mask, be, conn, op, e, desc, val, matches, count, state ); 
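Review bot: `state_init` in the first access_allowed hunk (-130) is only ever copied from (`*state = state_init;` later in this patch), so it should be `static const AccessControlState state_init = ACL_STATE_INIT;` to keep the shared template read-only. The two new flags are also undocumented; I would add `/* state was recorded for this same desc */` on `st_same_attr` and `/* *state already reset during this call */` on `st_initialized`. access_allowed starts and ends outside the hunk.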
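Review bot: In the hunk at -150, `state->as_vd_ad=desc;` retags the state with the new attribute while `as_recorded`, `as_result` and `as_vd_acl` still hold the previous attribute's values; they are only cleared later, inside the ACL loop. Any return path between here and that reset (none is visible in the diff) would leave a state whose recorded result belongs to another attribute but passes the `state->as_vd_ad==desc` test on the next call. Confirm no such path exists, or clear the value-dependent fields here when `desc` changes. Separately, `} if (state) {` reads like a missing `else`; the new `if` should start on its own line.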
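Review bot: The `assert( state->as_vd_acl != NULL )` in the hunk at -246 is no longer backed by its guard. The old condition tested `ACL_STATE_RECORDED_VD`, whereas `st_same_attr` is set whenever the state is recorded for the same `desc` and neither early return fired, which appears to include states with no value-dependent ACL saved. With assertions enabled that aborts the server, and without them `a` becomes NULL. I would keep the flag test, `if( st_same_attr && ( state->as_recorded & ACL_STATE_RECORDED_VD ) && state->as_vd_acl != NULL ) {`. Where `as_vd_acl` is assigned is outside the diff, so check this against acl_mask.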
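Review bot: The new shortcut `state->as_vi_acl == a && (state->as_recorded & ACL_STATE_RECORDED_NV)` in the hunk at -290 returns `state->as_result` without looking at `val` or the requested `access`. The early return at the top of the function, by contrast, pairs `ACL_STATE_RECORDED_NV` with `val == NULL`. The state does not record the access level the result was computed for, so reuse is only sound while every caller sharing a state asks for the same level. The visible calls in send_search_entry pass `ACL_READ`, but that contract should be stated in a comment, and since this is an authorization decision I would add `&& val == NULL` unless the ACL is known to be value-independent for the new attribute as well. The two `Debug` calls also have no `NEW_LOGGING` counterpart, while the surrounding code appears to use `#ifdef NEW_LOGGING`.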
@@ -342,6 +360,9 @@ vd_access: done: if( state != NULL ) { + /* If not value-dependent, save ACL in case of more attrs */ + if ( !(state->as_recorded & ACL_STATE_RECORDED_VD) ) + state->as_vi_acl = a; state->as_recorded |= ACL_STATE_RECORDED; state->as_result = ret; } @@ -1200,6 +1221,7 @@ acl_check_modlist( ) { struct berval *bv; + AccessControlState state = ACL_STATE_INIT; assert( be != NULL ); @@ -1254,9 +1276,6 @@ acl_check_modlist( } for ( ; mlist != NULL; mlist = mlist->sml_next ) { - static AccessControlState state_init = ACL_STATE_INIT; - AccessControlState state; - /* * no-user-modification operational attributes are ignored * by ACL_WRITE checking as any found here are not provided @@ -1275,8 +1294,6 @@ acl_check_modlist( continue; } - state = state_init; - switch ( mlist->sml_op ) { case LDAP_MOD_REPLACE: /* diff --git a/servers/slapd/result.c b/servers/slapd/result.c index 703947b8d7..7f87db28d4 100644 --- a/servers/slapd/result.c +++ b/servers/slapd/result.c @@ -678,8 +678,7 @@ send_search_entry( char *edn; int userattrs; int opattrs; - static AccessControlState acl_state_init = ACL_STATE_INIT; - AccessControlState acl_state; + AccessControlState acl_state = ACL_STATE_INIT; AttributeDescription *ad_entry = slap_schema.si_ad_entry; @@ -856,8 +855,6 @@ send_search_entry( } } - acl_state = acl_state_init; - if ( ! access_allowed( be, conn, op, e, desc, NULL, ACL_READ, &acl_state ) ) { @@ -1041,8 +1038,6 @@ send_search_entry( } } - acl_state = acl_state_init; - if ( ! access_allowed( be, conn, op, e, desc, NULL, ACL_READ, &acl_state ) ) { diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h index af09fec6d6..b15cd8864f 100644 --- a/servers/slapd/slap.h +++ b/servers/slapd/slap.h @@ -1102,6 +1102,7 @@ typedef struct slap_acl_state { /* Access state */ AccessControl *as_vd_acl; + AccessControl *as_vi_acl; slap_mask_t as_vd_acl_mask; regmatch_t as_vd_acl_matches[MAXREMATCHES]; int as_vd_acl_count; 
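Review bot: `state->as_vi_acl = a;` at `done:` records only the last ACL evaluated, but if earlier ACLs in the same pass contributed to `mask` before control reached this one, the result is not a function of `a` alone. A later attribute whose first match is `a` would then take `as_result` from the shortcut even though its own evaluation would have started from a fresh mask. Whether that can happen depends on how the loop handles a continue control, which is outside the diff; if it can, save the pointer only when a single ACL was evaluated. The new `if` should also be braced, and the value of `a` on `goto done` paths that precede the loop deserves a comment.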
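Review bot: No caller resets the ACL state between attributes any more, so correctness now rests entirely on access_allowed noticing the attribute change, and that contract is undocumented. This follows from moving `state` to function scope in acl_check_modlist (hunks at -1200, -1254 and -1275) and dropping the `acl_state = acl_state_init;` resets in send_search_entry (result.c hunks at -856 and -1041). I would add a comment at each declaration, such as `/* shared across attributes; access_allowed() resets it when desc or the matching ACL changes */`. It should also say that the state must not outlive the entry or be reused with a different access level.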
@@ -1110,8 +1111,9 @@ typedef struct slap_acl_state { int as_vd_access_count; int as_result; + AttributeDescription *as_vd_ad; } AccessControlState; -#define ACL_STATE_INIT { ACL_STATE_NOT_RECORDED, NULL, 0UL, { { 0, 0 } }, 0, NULL, 0, 0 } +#define ACL_STATE_INIT { ACL_STATE_NOT_RECORDED, NULL, NULL, 0UL, { { 0, 0 } }, 0, NULL, 0, 0, 0, NULL } /* * replog moddn param structure -- 2.39.5
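Review bot: `ACL_STATE_INIT` gains three initializers (a second `NULL` near the front and a trailing `0, NULL`) while the struct gains only two members, `as_vi_acl` and `as_vd_ad`. If the old eight-value list matched the members one-for-one, the new list has an excess element and the `0` lands on the `as_vd_ad` pointer. The part of the struct between the two slap.h hunks is not shown, so check the count. The initializer I would expect is `{ ACL_STATE_NOT_RECORDED, NULL, NULL, 0UL, { { 0, 0 } }, 0, NULL, 0, 0, NULL }`. `as_vd_ad` is also consulted on the value-independent path, so a comment such as `/* attribute this state was last recorded for */` would help.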