Support for ACL plugins

This commit is contained in:
Luke Howard 2003-08-31 08:17:21 +00:00
parent d649ae0808
commit 0edb270b9e
5 changed files with 80 additions and 0 deletions

View File

@ -174,6 +174,14 @@ access_allowed(
goto done; goto done;
} }
#ifdef LDAP_SLAPI
ret = slapi_x_access_allowed( op, e, desc, val, access, state );
if ( ret == 0 ) {
/* ACL plugin denied access */
goto done;
}
#endif /* LDAP_SLAPI */
be = op->o_bd; be = op->o_bd;
if ( be == NULL ) { if ( be == NULL ) {
be = &backends[0]; be = &backends[0];

View File

@ -220,6 +220,8 @@ extern int compute_evaluator(computed_attr_context *c, char *type, Slapi_Entry *
extern int slapi_x_compute_output_ber(computed_attr_context *c, Slapi_Attr *a, Slapi_Entry *e); extern int slapi_x_compute_output_ber(computed_attr_context *c, Slapi_Attr *a, Slapi_Entry *e);
extern int slapi_x_compute_get_pblock(computed_attr_context *c, Slapi_PBlock **pb); extern int slapi_x_compute_get_pblock(computed_attr_context *c, Slapi_PBlock **pb);
extern int slapi_x_access_allowed(Operation *op, Entry *entry, AttributeDescription *desc, struct berval *val, slap_access_t access, AccessControlState *state);
extern ldap_pvt_thread_mutex_t slapi_hn_mutex; extern ldap_pvt_thread_mutex_t slapi_hn_mutex;
extern ldap_pvt_thread_mutex_t slapi_time_mutex; extern ldap_pvt_thread_mutex_t slapi_time_mutex;
extern ldap_pvt_thread_mutex_t slapi_printmessage_mutex; extern ldap_pvt_thread_mutex_t slapi_printmessage_mutex;

View File

@ -398,6 +398,12 @@ extern Backend * slapi_cl_get_be(char *dn);
#define SLAPI_PLUGIN_SYNTAX_FLAGS 707 #define SLAPI_PLUGIN_SYNTAX_FLAGS 707
#define SLAPI_PLUGIN_SYNTAX_COMPARE 708 #define SLAPI_PLUGIN_SYNTAX_COMPARE 708
#define SLAPI_PLUGIN_ACL_INIT 730
#define SLAPI_PLUGIN_ACL_SYNTAX_CHECK 731
#define SLAPI_PLUGIN_ACL_ALLOW_ACCESS 732
#define SLAPI_PLUGIN_ACL_MODS_ALLOWED 733
#define SLAPI_PLUGIN_ACL_MODS_UPDATE 734
#define SLAPI_OPERATION_AUTHTYPE 741 #define SLAPI_OPERATION_AUTHTYPE 741
#define SLAPI_OPERATION_ID 742 #define SLAPI_OPERATION_ID 742
#define SLAPI_CONN_CERT 743 #define SLAPI_CONN_CERT 743

View File

@ -203,6 +203,7 @@ isOkNetscapeParam( int param )
case SLAPI_RESULT_MATCHED: case SLAPI_RESULT_MATCHED:
case SLAPI_PLUGIN_COMPUTE_EVALUATOR_FN: case SLAPI_PLUGIN_COMPUTE_EVALUATOR_FN:
case SLAPI_PLUGIN_COMPUTE_SEARCH_REWRITER_FN: case SLAPI_PLUGIN_COMPUTE_SEARCH_REWRITER_FN:
case SLAPI_PLUGIN_ACL_ALLOW_ACCESS:
return LDAP_SUCCESS; return LDAP_SUCCESS;
default: default:
return INVALID_PARAM; return INVALID_PARAM;

View File

@ -3734,3 +3734,66 @@ int slapi_notify_condvar( Slapi_CondVar *cvar, int notify_all )
#endif #endif
} }
int slapi_x_access_allowed( Operation *op,
Entry *entry,
AttributeDescription *desc,
struct berval *val,
slap_access_t access,
AccessControlState *state )
{
#ifdef LDAP_SLAPI
int rc, slap_access = 0;
slapi_acl_callback_t *pGetPlugin, *tmpPlugin;
if ( op->o_pb == NULL ) {
/* internal operation */
return 1;
}
slapi_x_pblock_set_operation( op->o_pb, op );
switch ( access ) {
case ACL_WRITE:
slap_access |= SLAPI_ACL_ADD | SLAPI_ACL_DELETE | SLAPI_ACL_WRITE;
break;
case ACL_READ:
slap_access |= SLAPI_ACL_READ;
break;
case ACL_SEARCH:
slap_access |= SLAPI_ACL_SEARCH;
break;
case ACL_COMPARE:
slap_access = ACL_COMPARE;
break;
default:
break;
}
rc = getAllPluginFuncs( NULL, SLAPI_PLUGIN_ACL_ALLOW_ACCESS, (SLAPI_FUNC **)&tmpPlugin );
if ( rc != LDAP_SUCCESS || tmpPlugin == NULL ) {
/* nothing to do; allowed access */
return 1;
}
rc = 1; /* default allow policy */
for ( pGetPlugin = tmpPlugin; *pGetPlugin != NULL; pGetPlugin++ ) {
/*
* 0 access denied
* 1 access granted
*/
rc = (*pGetPlugin)( op->o_pb, entry, desc->ad_cname.bv_val,
val, slap_access, (void *)state );
if ( rc == 0 ) {
break;
}
}
slapi_ch_free( (void **)&tmpPlugin );
return rc;
#else
return 1;
#endif /* LDAP_SLAPI */
}