Reworked fix for ITS#3140 - add access parameter to backend_attribute

Howard Chu 2004-08-18 17:14:22 +00:00
parent d504ae047e
commit 91033d6552
6 changed files with 22 additions and 23 deletions


@ -1431,7 +1431,7 @@ dn_match_cleanup:;
while ( parent_ndn.bv_val != old_parent_ndn.bv_val ){ while ( parent_ndn.bv_val != old_parent_ndn.bv_val ){
old_parent_ndn = parent_ndn; old_parent_ndn = parent_ndn;
Debug(LDAP_DEBUG_ACL, "checking ACI of %s\n", parent_ndn.bv_val, 0, 0); Debug(LDAP_DEBUG_ACL, "checking ACI of %s\n", parent_ndn.bv_val, 0, 0);
ret = backend_attribute(op, NULL, &parent_ndn, b->a_aci_at, &bvals); ret = backend_attribute(op, NULL, &parent_ndn, b->a_aci_at, &bvals, ACL_AUTH);
switch(ret){ switch(ret){
case LDAP_SUCCESS : case LDAP_SUCCESS :
stop = 0; stop = 0;
@ -1803,7 +1803,7 @@ aci_set_gather (SetCookie *cookie, struct berval *name, struct berval *attr)
AttributeDescription *desc = NULL; AttributeDescription *desc = NULL;
if (slap_bv2ad(attr, &desc, &text) == LDAP_SUCCESS) { if (slap_bv2ad(attr, &desc, &text) == LDAP_SUCCESS) {
backend_attribute(cp->op, backend_attribute(cp->op,
cp->e, &ndn, desc, &bvals); cp->e, &ndn, desc, &bvals, ACL_NONE);
} }
slap_sl_free(ndn.bv_val, cp->op->o_tmpmemctx); slap_sl_free(ndn.bv_val, cp->op->o_tmpmemctx);
} }
@ -1821,12 +1821,9 @@ aci_match_set (
struct berval set = BER_BVNULL; struct berval set = BER_BVNULL;
int rc = 0; int rc = 0;
AciSetCookie cookie; AciSetCookie cookie;
Operation op2 = *op;
op2.o_conn = NULL;
if (setref == 0) { if (setref == 0) {
ber_dupbv_x( &set, subj, op2.o_tmpmemctx ); ber_dupbv_x( &set, subj, op->o_tmpmemctx );
} else { } else {
struct berval subjdn, ndn = BER_BVNULL; struct berval subjdn, ndn = BER_BVNULL;
struct berval setat; struct berval setat;
@ -1848,9 +1845,9 @@ aci_match_set (
* as the length of the dn to be normalized * as the length of the dn to be normalized
*/ */
if ( slap_bv2ad( &setat, &desc, &text ) == LDAP_SUCCESS ) { if ( slap_bv2ad( &setat, &desc, &text ) == LDAP_SUCCESS ) {
if ( dnNormalize( 0, NULL, NULL, &subjdn, &ndn, op2.o_tmpmemctx ) == LDAP_SUCCESS ) if ( dnNormalize( 0, NULL, NULL, &subjdn, &ndn, op->o_tmpmemctx ) == LDAP_SUCCESS )
{ {
backend_attribute( &op2, e, &ndn, desc, &bvals ); backend_attribute( op, e, &ndn, desc, &bvals, ACL_NONE );
if ( bvals != NULL && !BER_BVISNULL( &bvals[0] ) ) { if ( bvals != NULL && !BER_BVISNULL( &bvals[0] ) ) {
int i; int i;
@ -1861,18 +1858,18 @@ aci_match_set (
bvals[0].bv_val = bvals[i-1].bv_val; bvals[0].bv_val = bvals[i-1].bv_val;
BER_BVZERO( &bvals[i-1] ); BER_BVZERO( &bvals[i-1] );
} }
ber_bvarray_free_x( bvals, op2.o_tmpmemctx ); ber_bvarray_free_x( bvals, op->o_tmpmemctx );
slap_sl_free( ndn.bv_val, op2.o_tmpmemctx ); slap_sl_free( ndn.bv_val, op->o_tmpmemctx );
} }
} }
} }
if ( !BER_BVISNULL( &set ) ) { if ( !BER_BVISNULL( &set ) ) {
cookie.op = &op2; cookie.op = op;
cookie.e = e; cookie.e = e;
rc = ( slap_set_filter( aci_set_gather, (SetCookie *)&cookie, &set, rc = ( slap_set_filter( aci_set_gather, (SetCookie *)&cookie, &set,
&op2.o_ndn, &e->e_nname, NULL ) > 0 ); &op->o_ndn, &e->e_nname, NULL ) > 0 );
slap_sl_free( set.bv_val, op2.o_tmpmemctx ); slap_sl_free( set.bv_val, op->o_tmpmemctx );
} }
return(rc); return(rc);
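Review bot: The two `ACL_NONE` call sites, `cp->e, &ndn, desc, &bvals, ACL_NONE` in aci_set_gather and `backend_attribute( op, e, &ndn, desc, &bvals, ACL_NONE )` in aci_match_set, read attribute values with no access check, and neither site says why that is safe. The removed `op2.o_conn = NULL` copy had the same effect, so the bypass looks deliberate, presumably because these reads happen while an ACL decision is already being computed. A comment at both calls such as `/* ACL_NONE: no access check; values only feed set evaluation and are never returned to the client */` would record that, if it is indeed the invariant. `cookie.op` now also carries the real connection into slap_set_filter, so it is worth confirming that aci_set_gather is the only lookup made through that cookie. Both functions start outside the hunks shown.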


@ -1483,7 +1483,8 @@ backend_attribute(
Entry *target, Entry *target,
struct berval *edn, struct berval *edn,
AttributeDescription *entry_at, AttributeDescription *entry_at,
BerVarray *vals ) BerVarray *vals,
slap_access_t access )
{ {
Entry *e; Entry *e;
Attribute *a; Attribute *a;
@ -1504,8 +1505,8 @@ backend_attribute(
if ( a ) { if ( a ) {
BerVarray v; BerVarray v;
if ( op->o_conn && access_allowed( op, if ( op->o_conn && access > ACL_NONE && access_allowed( op,
e, entry_at, NULL, ACL_AUTH, e, entry_at, NULL, access,
&acl_state ) == 0 ) { &acl_state ) == 0 ) {
rc = LDAP_INSUFFICIENT_ACCESS; rc = LDAP_INSUFFICIENT_ACCESS;
goto freeit; goto freeit;
@ -1516,10 +1517,10 @@ backend_attribute(
v = op->o_tmpalloc( sizeof(struct berval) * (i+1), v = op->o_tmpalloc( sizeof(struct berval) * (i+1),
op->o_tmpmemctx ); op->o_tmpmemctx );
for ( i=0,j=0; a->a_vals[i].bv_val; i++ ) { for ( i=0,j=0; a->a_vals[i].bv_val; i++ ) {
if ( op->o_conn && access_allowed( op, if ( op->o_conn && access > ACL_NONE && access_allowed( op,
e, entry_at, e, entry_at,
&a->a_nvals[i], &a->a_nvals[i],
ACL_AUTH, &acl_state ) == 0 ) { access, &acl_state ) == 0 ) {
continue; continue;
} }
ber_dupbv_x( &v[j], ber_dupbv_x( &v[j],
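Review bot: `access > ACL_NONE` in both guards makes `ACL_NONE`, and any lower value, mean "skip access control", so a caller that passes the wrong constant fails open rather than closed. The function comment and the prototype should say this explicitly, for example `/* access: level checked for the attribute and for each value; ACL_NONE or lower disables the check */`. The existing `op->o_conn &&` short-circuit is a second, independent bypass for operations without a connection, and the same comment should mention it so the two conditions are not confused. The function body starts and ends outside these hunks.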


@ -72,7 +72,7 @@ collect_response( Operation *op, SlapReply *rs )
/* Extract the values of the desired attribute from /* Extract the values of the desired attribute from
* the ancestor entry * the ancestor entry
*/ */
rc = backend_attribute( op, NULL, &ci->ci_dn, ci->ci_ad, &vals ); rc = backend_attribute( op, NULL, &ci->ci_dn, ci->ci_ad, &vals, ACL_READ );
/* If there are any values, merge them into the /* If there are any values, merge them into the
* current entry * current entry


@ -274,7 +274,8 @@ LDAP_SLAPD_F (int) backend_attribute LDAP_P((
Entry *target, Entry *target,
struct berval *entry_ndn, struct berval *entry_ndn,
AttributeDescription *entry_at, AttributeDescription *entry_at,
BerVarray *vals BerVarray *vals,
slap_access_t access
)); ));
LDAP_SLAPD_F (int) backend_operational LDAP_P(( LDAP_SLAPD_F (int) backend_operational LDAP_P((


@ -1112,7 +1112,7 @@ slap_sasl_check_authz( Operation *op,
assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val); assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val);
#endif #endif
rc = backend_attribute( op, NULL, searchDN, ad, &vals ); rc = backend_attribute( op, NULL, searchDN, ad, &vals, ACL_AUTH );
if( rc != LDAP_SUCCESS ) goto COMPLETE; if( rc != LDAP_SUCCESS ) goto COMPLETE;
/* Check if the *assertDN matches any *vals */ /* Check if the *assertDN matches any *vals */


@ -344,7 +344,7 @@ do_syncrep1(
/* read stored cookie if it exists */ /* read stored cookie if it exists */
backend_attribute( op, NULL, &op->o_req_ndn, backend_attribute( op, NULL, &op->o_req_ndn,
slap_schema.si_ad_syncreplCookie, &cookie ); slap_schema.si_ad_syncreplCookie, &cookie, ACL_READ );
if ( !cookie ) { if ( !cookie ) {
/* no stored cookie */ /* no stored cookie */
@ -399,7 +399,7 @@ do_syncrep1(
struct berval cookie_bv; struct berval cookie_bv;
/* try to read stored cookie */ /* try to read stored cookie */
backend_attribute( op, NULL, &op->o_req_ndn, backend_attribute( op, NULL, &op->o_req_ndn,
slap_schema.si_ad_syncreplCookie, &cookie ); slap_schema.si_ad_syncreplCookie, &cookie, ACL_READ );
if ( cookie ) { if ( cookie ) {
ber_dupbv( &cookie_bv, &cookie[0] ); ber_dupbv( &cookie_bv, &cookie[0] );
ber_bvarray_add( &si->si_syncCookie.octet_str, &cookie_bv ); ber_bvarray_add( &si->si_syncCookie.octet_str, &cookie_bv );
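Review bot: Both calls in do_syncrep1 discard the return value and test only `cookie`, so with the level now `ACL_READ` a denied read (`LDAP_INSUFFICIENT_ACCESS`, which backend_attribute returns in this commit) looks the same as "no stored cookie". If the identity used for replication can lack read access to the cookie attribute, the consumer would presumably start without its saved state and give no hint why. Keeping the result, e.g. `rc = backend_attribute( op, NULL, &op->o_req_ndn, slap_schema.si_ad_syncreplCookie, &cookie, ACL_READ );`, and emitting a `Debug` line when it is not `LDAP_SUCCESS` would make that case diagnosable at both sites. The function extends beyond both hunks, so whether a suitable result variable is already declared is not visible here.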