From 9e5312e1668b41b6663f1d9690678db77d2c9d72 Mon Sep 17 00:00:00 2001
From: Kurt Zeilenga
Date: Mon, 29 May 2000 03:44:06 +0000
Subject: [PATCH] SLAPD_SCHEMA_NOT_COMPAT: ACL cleanup (not yet working)

---
 servers/slapd/acl.c | 74 ++++++++++++++++++++++++++++++++-----------
 servers/slapd/value.c | 24 ++++++++++----
 2 files changed, 74 insertions(+), 24 deletions(-)

diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c
index 628adee7b8..e89f9716b9 100644
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -22,7 +22,7 @@ static AccessControl * acl_get(
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
 AttributeDescription *desc,
 #else
- const char *attr,
+ const char *desc,
 #endif
 int nmatches,
 regmatch_t *matches );
@@ -33,7 +33,7 @@ static slap_control_t acl_mask(
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
 AttributeDescription *desc,
 #else
- const char *attr,
+ const char *desc,
 #endif
 struct berval *val,
 regmatch_t *matches );
@@ -46,10 +46,13 @@ static int aci_mask(
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
 AttributeDescription *desc,
 #else
- const char *attr,
+ const char *desc,
 #endif
- struct berval *val, struct berval *aci,
- regmatch_t *matches, slap_access_t *grant, slap_access_t *deny );
+ struct berval *val,
+ struct berval *aci,
+ regmatch_t *matches,
+ slap_access_t *grant,
+ slap_access_t *deny );

 char *supportedACIMechs[] = {
 "1.3.6.1.4.1.4203.666.7.1", /* experimental IETF aci family */
@@ -87,9 +90,9 @@ access_allowed(
 Operation *op,
 Entry *e,
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
- AttributeDescription *attr,
+ AttributeDescription *desc,
 #else
- const char *attr,
+ const char *desc,
 #endif
 struct berval *val,
 slap_access_t access )
@@ -102,6 +105,12 @@ access_allowed(
 slap_access_mask_t mask;
 slap_control_t control;

+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+ const char *attr = desc ? desc->ad_cname->bv_val : NULL;
+#else
+ const char *attr = desc;
+#endif
+
 regmatch_t matches[MAXREMATCHES];

 Debug( LDAP_DEBUG_ACL,
@@ -128,7 +137,7 @@ access_allowed(
 * by the user */
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
- if ( access >= ACL_WRITE && is_at_no_user_mod( attr->ad_type ) )
+ if ( access >= ACL_WRITE && is_at_no_user_mod( desc->ad_type ) )
 #else
 if ( access >= ACL_WRITE && oc_check_op_no_usermod_attr( attr ) )
 #endif

@@ -168,7 +177,7 @@ access_allowed(
 a = NULL;
 count = 0;

- while( a = acl_get( a, &count, be, op, e, attr, MAXREMATCHES, matches ) )
+ while( a = acl_get( a, &count, be, op, e, desc, MAXREMATCHES, matches ) )
 {
 int i;

@@ -186,7 +195,7 @@ access_allowed(
 }

 control = acl_mask( a, &mask, be, conn, op,
- e, attr, val, matches );
+ e, desc, val, matches );

 if ( control != ACL_BREAK ) {
 break;
@@ -241,6 +250,12 @@ acl_get(
 assert( e != NULL );
 assert( count != NULL );

+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+ attr = desc ? desc->ad_cname->bv_val : NULL;
+#else
+ attr = desc;
+#endif
+
 if( a == NULL ) {
 if( be == NULL ) {
 a = global_acl;
@@ -254,12 +269,6 @@ acl_get(
 a = a->acl_next;
 }

-#ifdef SLAPD_SCHEMA_NOT_COMPAT
- attr = desc->ad_cname->bv_val;
-#else
- attr = desc;
-#endif
-
 for ( ; a != NULL; a = a->acl_next ) {
 (*count) ++;

@@ -320,9 +329,9 @@ acl_mask(
 Operation *op,
 Entry *e,
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
- AttributeDescription *attr,
+ AttributeDescription *desc,
 #else
- const char *attr,
+ const char *desc,
 #endif
 struct berval *val,
 regmatch_t *matches
@@ -333,6 +342,11 @@ acl_mask(
 #ifdef LDAP_DEBUG
 char accessmaskbuf[ACCESSMASK_MAXLEN];
 #endif
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+ const char *attr = desc ? desc->ad_cname->bv_val : NULL;
+#else
+ const char *attr = desc;
+#endif

 assert( a != NULL );
 assert( mask != NULL );
@@ -441,6 +455,10 @@ acl_mask(
 if ( b->a_dn_at != NULL && op->o_ndn != NULL ) {
 Attribute *at;
 struct berval bv;
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+ int match;
+ const char *text;
+#endif

 Debug( LDAP_DEBUG_ACL,
 "<= check a_dn_at: %s\n", b->a_dn_at, 0, 0);
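Review bot: `is_at_no_user_mod( desc->ad_type )` in the +137 hunk dereferences desc unconditionally, while the attr derivation this commit adds a few lines above it (`desc ? desc->ad_cname->bv_val : NULL`) treats a NULL desc as legal, so a NULL desc now reaches this dereference on every write check before any ACL is consulted. Make the two sites agree: either `if ( access >= ACL_WRITE && desc != NULL && is_at_no_user_mod( desc->ad_type ) )`, or drop the ternary and assert a non-NULL desc at the top of access_allowed. acl_get and acl_mask further down derive the same nullable attr, so whichever contract is chosen deserves a one-line comment on access_allowed stating whether desc may be NULL. The body of access_allowed continues outside the hunk.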
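Review bot: `int match;` in the +455 hunk has no initializer, and the only write visible before it is read is `match = 1` inside the attrs_find loop of the following hunk (+473), whose `if( match )` then reads an indeterminate value whenever no attribute value matched — unless something in the lines between the two hunks assigns it. Initialise it at the declaration, `int match = 0;`. `text` is only ever written by value_match in the next hunk, so a short comment such as `const char *text; /* value_match diagnostic, unused here */` would explain why it is never read.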
@@ -455,9 +473,29 @@ acl_mask(
 at = attrs_find( e->e_attrs->a_next, b->a_dn_at ) )
 {
 if( value_find( b->a_dn_at, at->a_vals, &bv ) == 0 ) {
+ /* found it */
+ match = 1;
+ break;
 }
 }

+ if( match ) {
+ if ( b->a_dn_self && (val == NULL
+ || value_match( &match, b->a_dn_at,
+ b->a_dn_at->ad_type->sat_equality, &bv, val, &text ) )
+ != LDAP_SUCCESS
+ || match )
+ {
+ continue;
+ }
+ } else if ( ! b->a_dn_self || val == NULL
+ || value_match( &match, b->a_dn_at,
+ b->a_dn_at->ad_type->sat_equality, &bv, val, &text )
+ != LDAP_SUCCESS
+ || match )
+ {
+ continue;
+ }
 #else
 /* see if asker is listed in dnattr */
 if ( (at = attr_find( e->e_attrs, b->a_dn_at )) != NULL &&
diff --git a/servers/slapd/value.c b/servers/slapd/value.c
index 28b48fd144..4b4ecc3bd8 100644
--- a/servers/slapd/value.c
+++ b/servers/slapd/value.c
@@ -198,6 +198,10 @@ value_match(
 int usage = 0;
 struct berval *nv1 = NULL;

+ if( !mr->smr_match ) {
+ return LDAP_INAPPROPRIATE_MATCHING;
+ }
+
 if( ad->ad_type->sat_syntax->ssyn_normalize ) {
 rc = ad->ad_type->sat_syntax->ssyn_normalize(
 ad->ad_type->sat_syntax, v1, &nv1 );
@@ -207,10 +211,6 @@ value_match(
 }
 }

- if( !mr->smr_match ) {
- return LDAP_INAPPROPRIATE_MATCHING;
- }
-
 rc = (mr->smr_match)( match, usage,
 ad->ad_type->sat_syntax, mr,
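Review bot: The first condition in the +473 hunk parses as `(b->a_dn_self && (val == NULL || value_match(...)) != LDAP_SUCCESS) || match`, because the parenthesis opened before `val == NULL` closes right after the value_match call; with a_dn_self unset value_match is never called, match still holds the found flag (1), and the clause is skipped by `continue`, so an asker that is listed in the dnattr of a non-self clause never gets access through this branch. The intended grouping appears to be the one the else branch already uses: `if ( b->a_dn_self && (val == NULL || value_match( &match, b->a_dn_at, b->a_dn_at->ad_type->sat_equality, &bv, val, &text ) != LDAP_SUCCESS || match) )`. Part of the confusion is that `match` carries two opposite meanings here — found flag (1 = found) and value_match out-parameter (0 = equal) — so a separate `int found = 0;`, set at the `/* found it */` line and tested by `if( found )`, would leave each variable with one meaning. The enclosing for loop, and the code that fills bv, lie outside the hunk.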
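Review bot: `if( !mr->smr_match )` at the top of the +198 hunk still dereferences mr without a NULL check, whereas value_find in the same file guards its own call with `mr == NULL || !mr->smr_match` before ever reaching value_match; any caller that passes an attribute's sat_equality straight through when the type has no equality rule would fault on this line. Spell the guard the same way, `if( mr == NULL || !mr->smr_match ) {`, or, if every caller is known to check first, add a one-line comment on value_match stating that mr must be non-NULL. The rest of value_match is outside the hunk.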
@@ -287,19 +287,31 @@ value_find(
 {
 int i;
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
+ int rc;
+ struct berval *nval = NULL;
 MatchingRule *mr = ad->ad_type->sat_equality;

 if( mr == NULL || !mr->smr_match ) {
 return LDAP_INAPPROPRIATE_MATCHING;
 }
+
+ if( mr->smr_syntax->ssyn_normalize ) {
+ rc = mr->smr_syntax->ssyn_normalize(
+ mr->smr_syntax, val, &nval );
+
+ if( rc != LDAP_SUCCESS ) {
+ return LDAP_INAPPROPRIATE_MATCHING;
+ }
+ }
 #endif

 for ( i = 0; vals[i] != NULL; i++ ) {
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
- int rc;
 int match;
 const char *text;
- rc = value_match( &match, ad, mr, vals[i], val, &text );
+
+ rc = value_match( &match, ad, mr, vals[i],
+ nval == NULL ? val : nval, &text );
 if( rc == LDAP_SUCCESS && match == 0 )
 #else
-- 
2.39.5
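Review bot: `nval` is produced by `ssyn_normalize` in the +287 hunk but nothing visible releases it, and the unchanged loop body that follows presumably returns as soon as `rc == LDAP_SUCCESS && match == 0` holds, so if ssyn_normalize allocates the berval it hands back through `&nval` (which the `struct berval *nval = NULL` out-parameter suggests) every value_find call on a normalizable syntax leaks one berval. Route every exit through one point that frees it — keep the result in a local and `ber_bvfree( nval )` after the loop — unless the remainder of the function, which is outside the hunk, already does so. Separately, this hunk normalizes val through `mr->smr_syntax` while value_match normalizes vals[i] through `ad->ad_type->sat_syntax`; if a matching rule's syntax can differ from the attribute's, the two sides are normalized under different syntaxes before they are compared, so the same source should be used in both places, and `mr->smr_syntax` needs a NULL check if it can be unset.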