From c0d95f08c1ab9847c55296f79f00ab78a8013b9a Mon Sep 17 00:00:00 2001 From: Pierangelo Masarati Date: Wed, 14 Jun 2006 18:33:02 +0000 Subject: [PATCH] record value-dependent state for acl_mask_dn() (ITS#4587) --- servers/slapd/acl.c | 82 ++++++++++++++++++++++++--------------------- 1 file changed, 44 insertions(+), 38 deletions(-) diff --git a/servers/slapd/acl.c b/servers/slapd/acl.c index c960cc9019..68f10d2f1d 100644 --- a/servers/slapd/acl.c +++ b/servers/slapd/acl.c @@ -667,6 +667,21 @@ slap_acl_get( return( NULL ); } +/* + * Record value-dependent access control state + */ +#define ACL_RECORD_VALUE_STATE do { \ + if( state && !( state->as_recorded & ACL_STATE_RECORDED_VD )) { \ + state->as_recorded |= ACL_STATE_RECORDED_VD; \ + state->as_vd_acl = a; \ + AC_MEMCPY( state->as_vd_acl_matches, matches, \ + sizeof( state->as_vd_acl_matches )) ; \ + state->as_vd_acl_count = count; \ + state->as_vd_access = b; \ + state->as_vd_access_count = i; \ + } \ + } while( 0 ) + static int acl_mask_dn( Operation *op, @@ -674,9 +689,13 @@ acl_mask_dn( AttributeDescription *desc, struct berval *val, AccessControl *a, + Access *b, + int i, int nmatch, regmatch_t *matches, - slap_dn_access *b, + int count, + AccessControlState *state, + slap_dn_access *bdn, struct berval *opndn ) { /* @@ -690,10 +709,12 @@ acl_mask_dn( * value is set in a_dn_style; however, the string * is maintaned in a_dn_pat. */ - if ( b->a_self ) { + if ( bdn->a_self ) { const char *dummy; int rc, match = 0; + ACL_RECORD_VALUE_STATE; + /* must have DN syntax */ if ( desc->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName ) return 1; @@ -716,17 +737,17 @@ acl_mask_dn( return 1; } - if ( b->a_style == ACL_STYLE_ANONYMOUS ) { + if ( bdn->a_style == ACL_STYLE_ANONYMOUS ) { if ( !BER_BVISEMPTY( opndn ) ) { return 1; } - } else if ( b->a_style == ACL_STYLE_USERS ) { + } else if ( bdn->a_style == ACL_STYLE_USERS ) { if ( BER_BVISEMPTY( opndn ) ) { return 1; } - } else if ( b->a_style == ACL_STYLE_SELF ) { + } else if ( bdn->a_style == ACL_STYLE_SELF ) { struct berval ndn, selfndn; int level; @@ -734,7 +755,7 @@ acl_mask_dn( return 1; } - level = b->a_self_level; + level = bdn->a_self_level; if ( level < 0 ) { selfndn = *opndn; ndn = e->e_nname; @@ -757,8 +778,8 @@ acl_mask_dn( return 1; } - } else if ( b->a_style == ACL_STYLE_REGEX ) { - if ( !ber_bvccmp( &b->a_pat, '*' ) ) { + } else if ( bdn->a_style == ACL_STYLE_REGEX ) { + if ( !ber_bvccmp( &bdn->a_pat, '*' ) ) { int tmp_nmatch; regmatch_t tmp_matches[2], *tmp_matchesp = tmp_matches; @@ -800,7 +821,7 @@ acl_mask_dn( return 1; } - if ( !regex_matches( &b->a_pat, opndn->bv_val, + if ( !regex_matches( &bdn->a_pat, opndn->bv_val, e->e_ndn, tmp_nmatch, tmp_matchesp ) ) { return 1; @@ -815,7 +836,7 @@ acl_mask_dn( if ( e->e_dn == NULL ) return 1; - if ( b->a_expand ) { + if ( bdn->a_expand ) { struct berval bv; char buf[ACL_BUF_SIZE]; @@ -863,7 +884,7 @@ acl_mask_dn( return 1; } - if ( acl_string_expand( &bv, &b->a_pat, + if ( acl_string_expand( &bv, &bdn->a_pat, e->e_nname.bv_val, tmp_nmatch, tmp_matchesp ) ) { @@ -879,7 +900,7 @@ acl_mask_dn( } } else { - pat = b->a_pat; + pat = bdn->a_pat; } patlen = pat.bv_len; @@ -889,13 +910,13 @@ acl_mask_dn( } - if ( b->a_style == ACL_STYLE_BASE ) { + if ( bdn->a_style == ACL_STYLE_BASE ) { /* base dn -- entire object DN must match */ if ( odnlen != patlen ) { goto dn_match_cleanup; } - } else if ( b->a_style == ACL_STYLE_ONE ) { + } else if ( bdn->a_style == ACL_STYLE_ONE ) { ber_len_t rdnlen = 0; if ( odnlen <= patlen ) { @@ -911,12 +932,12 @@ acl_mask_dn( goto dn_match_cleanup; } - } else if ( b->a_style == ACL_STYLE_SUBTREE ) { + } else if ( bdn->a_style == ACL_STYLE_SUBTREE ) { if ( odnlen > patlen && !DN_SEPARATOR( opndn->bv_val[odnlen - patlen - 1] ) ) { goto dn_match_cleanup; } - } else if ( b->a_style == ACL_STYLE_CHILDREN ) { + } else if ( bdn->a_style == ACL_STYLE_CHILDREN ) { if ( odnlen <= patlen ) { goto dn_match_cleanup; } @@ -925,8 +946,8 @@ acl_mask_dn( goto dn_match_cleanup; } - } else if ( b->a_style == ACL_STYLE_LEVEL ) { - int level = b->a_level; + } else if ( bdn->a_style == ACL_STYLE_LEVEL ) { + int level = bdn->a_level; struct berval ndn; if ( odnlen <= patlen ) { @@ -957,7 +978,7 @@ acl_mask_dn( got_match = !strcmp( pat.bv_val, &opndn->bv_val[ odnlen - patlen ] ); dn_match_cleanup:; - if ( pat.bv_val != b->a_pat.bv_val ) { + if ( pat.bv_val != bdn->a_pat.bv_val ) { slap_sl_free( pat.bv_val, op->o_tmpmemctx ); } @@ -969,21 +990,6 @@ dn_match_cleanup:; return 0; } -/* - * Record value-dependent access control state - */ -#define ACL_RECORD_VALUE_STATE do { \ - if( state && !( state->as_recorded & ACL_STATE_RECORDED_VD )) { \ - state->as_recorded |= ACL_STATE_RECORDED_VD; \ - state->as_vd_acl = a; \ - AC_MEMCPY( state->as_vd_acl_matches, matches, \ - sizeof( state->as_vd_acl_matches )) ; \ - state->as_vd_acl_count = count; \ - state->as_vd_access = b; \ - state->as_vd_access_count = i; \ - } \ - } while( 0 ) - static int acl_mask_dnattr( Operation *op, @@ -1159,8 +1165,8 @@ slap_acl_mask( * is maintaned in a_dn_pat. */ - if ( acl_mask_dn( op, e, desc, val, a, nmatch, matches, - &b->a_dn, &op->o_ndn ) ) + if ( acl_mask_dn( op, e, desc, val, a, b, i, nmatch, matches, + count, state, &b->a_dn, &op->o_ndn ) ) { continue; } @@ -1190,8 +1196,8 @@ slap_acl_mask( ndn = op->o_ndn; } - if ( acl_mask_dn( op, e, desc, val, a, nmatch, matches, - &b->a_realdn, &ndn ) ) + if ( acl_mask_dn( op, e, desc, val, a, b, i, nmatch, matches, + count, state, &b->a_realdn, &ndn ) ) { continue; } -- 2.39.5