ITS#4253 fix value-dependent ACL caching - just record the ACL we'll start

looking for, don't cache anything else.

servers/slapd/acl.c

@@ -199,7 +199,9 @@ slap_access_allowed(
 	control = ACL_BREAK;
 
 	if ( st_same_attr ) {
+#if 0
 		assert( state->as_vd_acl != NULL );
+#endif
 
 		a = state->as_vd_acl;
 		count = state->as_vd_acl_count;
@@ -377,11 +379,14 @@ access_allowed_mask(
 			{
 				return state->as_result;
 
-			} else if ( ( state->as_recorded & ACL_STATE_RECORDED_VD ) &&
+			}
+#if 0
+			else if ( ( state->as_recorded & ACL_STATE_RECORDED_VD ) &&
 				val != NULL && state->as_vd_acl == NULL )
 			{
 				return state->as_result;
 			}
+#endif
 			st_same_attr = 1;
 		} else {
 			*state = state_init;
@@ -509,7 +514,7 @@ slap_acl_get(
 
 	dnlen = e->e_nname.bv_len;
 
-	for ( ; a != NULL; a = a->acl_next ) {
+	for ( ; a != NULL; prev = a, a = a->acl_next ) {
 		(*count) ++;
 
 		if ( a->acl_dn_pat.bv_len || ( a->acl_dn_style != ACL_STYLE_REGEX )) {
@@ -580,10 +585,8 @@ slap_acl_get(
 
 			if( state && !( state->as_recorded & ACL_STATE_RECORDED_VD )) {
 				state->as_recorded |= ACL_STATE_RECORDED_VD;
-				state->as_vd_acl = a;
-				state->as_vd_acl_count = *count;
-				state->as_vd_access = a->acl_access;
-				state->as_vd_access_count = 1;
+				state->as_vd_acl = prev;
+				state->as_vd_acl_count = *count - 1;
 				ACL_INVALIDATE( state->as_vd_acl_mask );
 			}
 
@@ -667,21 +670,6 @@ slap_acl_get(
 	return( NULL );
 }
 
-/*
- * Record value-dependent access control state
- */
-#define ACL_RECORD_VALUE_STATE do { \
-		if( state && !( state->as_recorded & ACL_STATE_RECORDED_VD )) { \
-			state->as_recorded |= ACL_STATE_RECORDED_VD; \
-			state->as_vd_acl = a; \
-			AC_MEMCPY( state->as_vd_acl_matches, matches, \
-				sizeof( state->as_vd_acl_matches )) ; \
-			state->as_vd_acl_count = count; \
-			state->as_vd_access = b; \
-			state->as_vd_access_count = i; \
-		} \
-	} while( 0 )
-
 static int
 acl_mask_dn(
 	Operation		*op,
@@ -1029,8 +1017,6 @@ acl_mask_dnattr(
 		if ( ! bdn->a_self )
 			return 1;
 
-		ACL_RECORD_VALUE_STATE;
-		
 		/* this is a self clause, check if the target is an
 		 * attribute.
 		 */
@@ -1102,16 +1088,8 @@ slap_acl_mask(
 		accessmask2str( *mask, accessmaskbuf, 1 ) );
 
 
-	if( state && ( state->as_recorded & ACL_STATE_RECORDED_VD )
-		&& state->as_vd_acl == a )
-	{
-		b = state->as_vd_access;
-		i = state->as_vd_access_count;
-
-	} else {
-		b = a->acl_access;
-		i = 1;
-	}
+	b = a->acl_access;
+	i = 1;
 
 	for ( ; b != NULL; b = b->a_next, i++ ) {
 		slap_mask_t oldmask, modmask;
@@ -1646,8 +1624,6 @@ slap_acl_mask(
 			const char *dummy;
 			int rc, match = 0;
 
-			ACL_RECORD_VALUE_STATE;
-
 			/* must have DN syntax */
 			if ( desc->ad_type->sat_syntax != slap_schema.si_syn_distinguishedName &&
 				!is_at_syntax( desc->ad_type, SLAPD_NAMEUID_SYNTAX )) continue;

servers/slapd/slap.h

@@ -1448,23 +1448,20 @@ typedef enum {
 } slap_acl_state_t;
 
 typedef struct slap_acl_state {
-	slap_acl_state_t as_recorded;
-
 	/* Access state */
-	AccessControl *as_vd_acl;
 	AccessControl *as_vi_acl;
+	AccessControl *as_vd_acl;
+	AttributeDescription *as_vd_ad;
+
 	slap_mask_t as_vd_acl_mask;
+
+	slap_acl_state_t as_recorded;
 	regmatch_t as_vd_acl_matches[MAXREMATCHES];
 	int as_vd_acl_count;
-
-	Access *as_vd_access;
-	int as_vd_access_count;
-
 	int as_result;
-	AttributeDescription *as_vd_ad;
 } AccessControlState;
-#define ACL_STATE_INIT { ACL_STATE_NOT_RECORDED, NULL, NULL, 0UL, \
-	{ { 0, 0 } }, 0, NULL, 0, 0, NULL }
+#define ACL_STATE_INIT { NULL, NULL, NULL, 0UL, \
+	ACL_STATE_NOT_RECORDED, { { 0, 0 } }, 0, 0 }
 
 /*
  * Backend-info