From 317d04a5d92c932788ce770c350050a6dbe5d004 Mon Sep 17 00:00:00 2001 From: Kurt Zeilenga Date: Mon, 26 Jun 2000 01:22:32 +0000 Subject: [PATCH] Modify backend_attribute to return bervals and adjust ACLs (actually, ACL here might be dangerous) --- servers/slapd/back-ldbm/attribute.c | 71 +++++++++++++++++------------ servers/slapd/back-ldbm/external.h | 2 +- servers/slapd/backend.c | 2 +- servers/slapd/proto-slap.h | 2 +- servers/slapd/slap.h | 8 +--- 5 files changed, 47 insertions(+), 38 deletions(-) diff --git a/servers/slapd/back-ldbm/attribute.c b/servers/slapd/back-ldbm/attribute.c index b17092d130..8dd03e13c6 100644 --- a/servers/slapd/back-ldbm/attribute.c +++ b/servers/slapd/back-ldbm/attribute.c @@ -17,7 +17,7 @@ #include "proto-back-ldbm.h" -/* return 0 IFF we can retrieve the attributes +/* return LDAP_SUCCESS IFF we can retrieve the attributes * of entry with e_ndn */ int @@ -28,15 +28,15 @@ ldbm_back_attribute( Entry *target, const char *e_ndn, AttributeDescription *entry_at, - const char ***vals + struct berval ***vals ) { struct ldbminfo *li = (struct ldbminfo *) be->be_private; Entry *e; - int i, j, rc = 1; + int i, j, rc; Attribute *attr; - struct berval **abv; - char *s, **v; + struct berval **v; + char *s; const char *entry_at_name = entry_at->ad_cname->bv_val; Debug( LDAP_DEBUG_ARGS, @@ -63,7 +63,7 @@ ldbm_back_attribute( Debug( LDAP_DEBUG_ACL, "=> ldbm_back_attribute: cannot find entry: \"%s\"\n", e_ndn, 0, 0 ); - return( 1 ); + return LDAP_NO_SUCH_OBJECT; } Debug( LDAP_DEBUG_ACL, 
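Review bot: `j` is no longer assigned before the `return_results` label on the early-exit paths, yet the trailing `Debug` call in the later @@ -132,7 hunk now prints it as `nvals`. In the @@ -28,15 hunk the declaration became `int i, j, rc;`, and the alias, referral, insufficient-access and no-such-attribute branches all `goto return_results` before the copy loop sets `j`, so that trace reads an indeterminate value. Initialising at the declaration, `int i, j = 0, rc;`, fixes it. `rc` also lost its initialiser; every `goto` visible in the diff assigns it first, but parts of the function body lie outside the hunks, so that is worth confirming.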
@@ -71,26 +71,27 @@ ldbm_back_attribute( e_ndn, 0, 0 ); } - rc = 1; - - /* find attribute values - */ + /* find attribute values */ if( is_entry_alias( e ) ) { Debug( LDAP_DEBUG_ACL, "<= ldbm_back_attribute: entry is an alias\n", 0, 0, 0 ); + rc = LDAP_ALIAS_PROBLEM; goto return_results; } if( is_entry_referral( e ) ) { Debug( LDAP_DEBUG_ACL, "<= ldbm_back_attribute: entry is an referral\n", 0, 0, 0 ); + rc = LDAP_REFERRAL; goto return_results; } if (conn != NULL && op != NULL - && access_allowed(be, conn, op, e, slap_schema.si_ad_entry, NULL, ACL_SEARCH) == 0) + && access_allowed(be, conn, op, e, slap_schema.si_ad_entry, + NULL, ACL_READ) == 0) { + rc = LDAP_INSUFFICIENT_ACCESS; goto return_results; } 
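Review bot: The alias and referral tests run before the entry-level `access_allowed` check, and with this change they return their own codes (`LDAP_ALIAS_PROBLEM`, `LDAP_REFERRAL`) rather than the old uniform `1`. If `rc` ever reaches the requester, someone without read access to the entry can still learn that it exists and what kind of entry it is; moving the `access_allowed(... si_ad_entry ...)` block above the two `is_entry_*` tests would avoid that. The denied branch also sets `rc = LDAP_INSUFFICIENT_ACCESS` without a trace line, unlike its neighbours; a `Debug( LDAP_DEBUG_ACL, "<= ldbm_back_attribute: no access to entry\n", 0, 0, 0 );` there would make denials visible in the ACL log. The function starts and ends outside this hunk.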
@@ -98,33 +99,43 @@ ldbm_back_attribute( Debug( LDAP_DEBUG_ACL, "<= ldbm_back_attribute: failed to find %s\n", entry_at_name, 0, 0 ); + rc = LDAP_NO_SUCH_ATTRIBUTE; goto return_results; } if (conn != NULL && op != NULL - && access_allowed(be, conn, op, e, entry_at, NULL, ACL_SEARCH) == 0) + && access_allowed(be, conn, op, e, entry_at, NULL, ACL_READ) == 0) { + rc = LDAP_INSUFFICIENT_ACCESS; goto return_results; } - for ( i = 0; attr->a_vals[i] != NULL; i++ ) { } - v = (char **) ch_calloc( (i + 1), sizeof(char *) ); - if (v != NULL) { - for ( j = 0, abv = attr->a_vals; --i >= 0; abv++ ) { - if ( (*abv)->bv_len > 0 ) { - s = ch_malloc( (*abv)->bv_len + 1 ); - if( s == NULL ) - break; - memcpy(s, (*abv)->bv_val, (*abv)->bv_len); - s[(*abv)->bv_len] = 0; - v[j++] = s; - } - } - v[j] = NULL; - *vals = v; + for ( i = 0; attr->a_vals[i] != NULL; i++ ) { + /* count them */ } - rc = 0; + v = (struct berval **) ch_malloc( sizeof(struct berval *) * (i+1) ); + + for ( i=0, j=0; attr->a_vals[i] != NULL; i++ ) { + if( access_allowed(be, conn, op, e, entry_at, + attr->a_vals[i], ACL_READ) == 0) + { + continue; + } + v[j] = ber_bvdup( attr->a_vals[i] ); + + if( v[j] != NULL ) j++; + } + + if( j == 0 ) { + ch_free( v ); + *vals = NULL; + rc = LDAP_INSUFFICIENT_ACCESS; + } else { + v[j] = NULL; + *vals = v; + rc = LDAP_SUCCESS; + } return_results: if( target != e ) { @@ -132,7 +143,9 @@ return_results: cache_return_entry_r( &li->li_cache, e ); } - Debug( LDAP_DEBUG_TRACE, "ldbm_back_attribute: rc=%d\n", rc, 0, 0 ); + Debug( LDAP_DEBUG_TRACE, + "ldbm_back_attribute: rc=%d nvals=%d\n", + rc, j, 0 ); return(rc); } diff --git a/servers/slapd/back-ldbm/external.h b/servers/slapd/back-ldbm/external.h index 9c2944fefa..1ea9d56561 100644 --- a/servers/slapd/back-ldbm/external.h +++ b/servers/slapd/back-ldbm/external.h 
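Review bot: The per-value `access_allowed` call inside the new copy loop is not guarded by `conn != NULL && op != NULL`, although both earlier checks in this function are, so an internal caller that passes NULL for either now reaches `access_allowed` with a NULL argument. Whether that is safe depends on `access_allowed`, which is not shown; keeping the guard consistent, `if( conn != NULL && op != NULL && access_allowed(be, conn, op, e, entry_at, attr->a_vals[i], ACL_READ) == 0 ) continue;`, removes the question. Separately, a `ber_bvdup` failure is skipped silently, so the caller can get a shortened list with `LDAP_SUCCESS`, or `LDAP_INSUFFICIENT_ACCESS` when the real cause was an allocation failure. Also, `LDAP_NO_SUCH_ATTRIBUTE` is decided before the attribute-level ACL check at the top of the hunk, which distinguishes an absent attribute from a denied one.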
@@ -85,7 +85,7 @@ extern int ldbm_back_attribute LDAP_P(( BackendDB *bd, Entry *target, const char* e_ndn, AttributeDescription* entry_at, - const char ***vals)); + struct berval ***vals)); /* hooks for slap tools */ diff --git a/servers/slapd/backend.c b/servers/slapd/backend.c index 02bfac50cc..780e3b9cc3 100644 --- a/servers/slapd/backend.c +++ b/servers/slapd/backend.c @@ -675,7 +675,7 @@ backend_attribute( Entry *target, const char *e_ndn, AttributeDescription *entry_at, - const char ***vals + struct berval ***vals ) { if( target == NULL || strcmp( target->e_ndn, e_ndn ) != 0 ) { diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h index 8524add4b1..4ea597f62e 100644 --- a/servers/slapd/proto-slap.h +++ b/servers/slapd/proto-slap.h @@ -179,7 +179,7 @@ LDAP_SLAPD_F (int) backend_attribute LDAP_P((Backend *be, Entry *target, const char *e_ndn, AttributeDescription *entry_at, - const char ***vals + struct berval ***vals )); LDAP_SLAPD_F (Attribute *) backend_operational( Backend *, Entry * ); diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h index f70ee5c756..9b26a5903e 100644 --- a/servers/slapd/slap.h +++ b/servers/slapd/slap.h @@ -444,7 +444,6 @@ typedef struct slap_mr_assertion { /* * represents a search filter */ - typedef struct slap_filter { ber_tag_t f_choice; /* values taken from ldap.h, plus: */ #define SLAPD_FILTER_COMPUTED ((ber_tag_t) -1) @@ -567,7 +566,6 @@ typedef struct slap_ldap_modlist { /* * represents an access control list */ - typedef enum slap_access_e { ACL_INVALID_ACCESS = -1, ACL_NONE = 0, @@ -586,7 +584,7 @@ typedef enum slap_control_e { } slap_control_t; typedef enum slap_style_e { - ACL_STYLE_REGEX, + ACL_STYLE_REGEX = 0, ACL_STYLE_BASE, ACL_STYLE_ONE, ACL_STYLE_SUBTREE, 
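Review bot: The `backend_attribute` prototype in proto-slap.h changes its out-parameter to `struct berval ***vals` without saying who owns the result. Judging by the ldbm implementation in this commit, the array and each element are heap copies, and `*vals` is written only after the copy loop, so it is untouched on the early error returns. A comment above the prototype such as `/* on LDAP_SUCCESS *vals is a NULL-terminated array of copies owned by the caller (free with ber_bvecfree); not set on most errors */` would help, as callers that previously freed a `char **` need a different release routine. No caller appears in this commit's diffstat, so whether they were converted cannot be checked here.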
@@ -934,7 +932,7 @@ struct slap_backend_info { struct slap_conn *c, struct slap_op *o, Entry *e, const char *edn, AttributeDescription *entry_at, - const char ***vals )); + struct berval ***vals )); int (*bi_connection_init) LDAP_P((BackendDB *bd, struct slap_conn *c)); @@ -979,7 +977,6 @@ struct slap_backend_info { /* * represents an operation pending from an ldap client */ - typedef struct slap_op { ber_int_t o_opid; /* id of this operation */ ber_int_t o_msgid; /* msgid of the request */ @@ -1030,7 +1027,6 @@ typedef struct slap_op { /* * represents a connection from an ldap client */ - typedef struct slap_conn { int c_struct_state; /* structure management state */ int c_conn_state; /* connection state */