Support pre-operation and post-operations for backend_group()

This allows computed attribute plugins to also provide their attributes to the ACL engine, for example
2025-01-24 13:24:56 +08:00 · 2004-08-25 15:20:19 +00:00 · 2004-08-25 15:20:19 +00:00 · d45b89823f
commit d45b89823f
parent 9df812bba1
3 changed files with 69 additions and 1 deletions
--- a/servers/slapd/backend.c
+++ b/servers/slapd/backend.c
@ -41,7 +41,12 @@

 #ifdef LDAP_SLAPI
 #include "slapi/slapi.h"
-#endif
+
+static void init_group_pblock( Operation *op, Entry *target,
+	Entry *e, struct berval *op_ndn, AttributeDescription *group_at );
+static int call_group_preop_plugins( Operation *op );
+static void call_group_postop_plugins( Operation *op );
+#endif /* LDAP_SLAPI */

 /*
 * If a module is configured as dynamic, its header should not
@ -1359,6 +1364,17 @@ backend_group(
 		rc = be_entry_get_rw(op, gr_ndn, group_oc, group_at, 0, &e );
 	}
 	if ( e ) {
+#ifdef LDAP_SLAPI
+		if ( op->o_pb != NULL ) {
+			init_group_pblock( op, target, e, op_ndn, group_at );
+
+			rc = call_group_preop_plugins( op );
+			if ( rc == LDAP_SUCCESS ) {
+				goto done;
+			}
+		}
+#endif /* LDAP_SLAPI */
+
 		a = attr_find( e->e_attrs, group_at );
 		if ( a ) {
 			/* If the attribute is a subtype of labeledURI, treat this as
@ -1460,6 +1476,10 @@ loopit:
 		rc = LDAP_NO_SUCH_OBJECT;
 	}

+#ifdef LDAP_SLAPI
+	if ( op->o_pb ) call_group_postop_plugins( op );
+#endif /* LDAP_SLAPI */
+
 	if ( op->o_tag != LDAP_REQ_BIND && !op->o_do_not_cache ) {
 		g = op->o_tmpalloc(sizeof(GroupAssertion) + gr_ndn->bv_len,
 			op->o_tmpmemctx);
@ -1589,3 +1609,38 @@ int backend_operational(
 	return rc;
 }

+#ifdef LDAP_SLAPI
+static void init_group_pblock( Operation *op, Entry *target,
+	Entry *e, struct berval *op_ndn, AttributeDescription *group_at )
+{
+	slapi_int_pblock_set_operation( op->o_pb, op );
+	slapi_pblock_set( op->o_pb, SLAPI_TARGET_DN, (void *)target->e_nname.bv_val );
+	slapi_pblock_set( op->o_pb, SLAPI_X_GROUP_ENTRY, (void *)e );
+	slapi_pblock_set( op->o_pb, SLAPI_X_GROUP_OPERATION_DN, (void *)op_ndn->bv_val );
+	slapi_pblock_set( op->o_pb, SLAPI_X_GROUP_ATTRIBUTE, (void *)group_at->ad_cname.bv_val );
+}
+
+static int call_group_preop_plugins( Operation *op )
+{
+	int rc;
+
+	rc = slapi_int_call_plugins( op->o_bd, SLAPI_X_PLUGIN_PRE_GROUP_FN, op->o_pb );
+	if ( rc < 0 ) {
+		if (( slapi_pblock_get( op->o_pb, SLAPI_RESULT_CODE,
+			(void *)&rc ) != 0 ) || rc == LDAP_SUCCESS )
+		{
+			rc = LDAP_NO_SUCH_ATTRIBUTE;
+		}
+	} else {
+		rc = LDAP_SUCCESS;
+	}
+
+	return rc;
+}
+
+static void call_group_postop_plugins( Operation *op )
+{
+	(void) slapi_int_call_plugins( op->o_bd, SLAPI_X_PLUGIN_POST_GROUP_FN, op->o_pb );
+}
+#endif /* LDAP_SLAPI */
+
--- a/servers/slapd/slapi/slapi.h
+++ b/servers/slapd/slapi/slapi.h
@ -430,6 +430,14 @@ extern Backend * slapi_cl_get_be(char *dn);
 #define SLAPI_PLUGIN_COMPUTE_EVALUATOR_FN	1200
 #define SLAPI_PLUGIN_COMPUTE_SEARCH_REWRITER_FN	1201

+#define SLAPI_X_PLUGIN_PRE_GROUP_FN		1202 
+#define SLAPI_X_PLUGIN_POST_GROUP_FN		1203
+
+/* backend_group extension */
+#define SLAPI_X_GROUP_ENTRY			1250		/* e */
+#define SLAPI_X_GROUP_ATTRIBUTE			1251		/* group_at */
+#define SLAPI_X_GROUP_OPERATION_DN		1252		/* op_ndn */
+
 #define SLAPI_MANAGEDSAIT       		1000

 #define SLAPI_CONFIG_FILENAME			40
--- a/servers/slapd/slapi/slapi_pblock.c
+++ b/servers/slapd/slapi/slapi_pblock.c
@ -213,6 +213,11 @@ isOkNetscapeParam( int param )
 	case SLAPI_PLUGIN_COMPUTE_EVALUATOR_FN:
 	case SLAPI_PLUGIN_COMPUTE_SEARCH_REWRITER_FN:
 	case SLAPI_PLUGIN_ACL_ALLOW_ACCESS:
+	case SLAPI_X_PLUGIN_PRE_GROUP_FN:
+	case SLAPI_X_PLUGIN_POST_GROUP_FN:
+	case SLAPI_X_GROUP_ENTRY:
+	case SLAPI_X_GROUP_ATTRIBUTE:
+	case SLAPI_X_GROUP_OPERATION_DN:
 		return LDAP_SUCCESS;
 	default:
 		return INVALID_PARAM;