Commit 5f9b6d80 authored by Howard Chu

New access_allowed()

parent 62a27b2a
......@@ -368,11 +368,11 @@ dds_op_add( Operation *op, SlapReply *rs )
slap_schema.si_oc_dynamicObject, NULL, 0, &e );
if ( rc == LDAP_SUCCESS && e != NULL ) {
if ( !is_dynamicObject ) {
AclCheck ak = { e, slap_schema.si_ad_entry, NULL,
ACL_DISCLOSE, NULL };
/* return referral only if "disclose"
* is granted on the object */
if ( ! access_allowed( op, e,
slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL ) )
if ( ! access_allowed( op, &ak ))
{
rc = rs->sr_err = LDAP_NO_SUCH_OBJECT;
send_ldap_result( op, rs );
......@@ -850,11 +850,11 @@ dds_op_rename( Operation *op, SlapReply *rs )
slap_schema.si_oc_dynamicObject, NULL, 0, &e );
if ( rc == LDAP_SUCCESS && e != NULL ) {
if ( !is_dynamicObject ) {
AclCheck ak = { e, slap_schema.si_ad_entry, NULL,
ACL_DISCLOSE, NULL };
/* return referral only if "disclose"
* is granted on the object */
if ( ! access_allowed( op, e,
slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL ) )
if ( ! access_allowed( op, &ak ))
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
send_ldap_result( op, rs );
......@@ -1068,11 +1068,11 @@ dds_op_extended( Operation *op, SlapReply *rs )
rs->sr_err = be_entry_get_rw( op, &op->o_req_ndn,
NULL, NULL, 0, &e );
if ( rs->sr_err == LDAP_SUCCESS && e != NULL ) {
AclCheck ak = { e, slap_schema.si_ad_entry, NULL,
ACL_DISCLOSE, NULL };
/* return referral only if "disclose"
* is granted on the object */
if ( ! access_allowed( op, e,
slap_schema.si_ad_entry,
NULL, ACL_DISCLOSE, NULL ) )
if ( ! access_allowed( op, &ak ))
{
rs->sr_err = LDAP_NO_SUCH_OBJECT;
......
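Review bot: The `AclCheck ak = { e, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL };` initializers in all three hunks bind the five members by position, so they silently break if the struct's field order ever changes; the other files in this commit assign the members by name. If the project's compiler baseline allows C99 designated initializers, `AclCheck ak = { .ak_e = e, .ak_desc = slap_schema.si_ad_entry, .ak_val = NULL, .ak_access = ACL_DISCLOSE, .ak_state = NULL };` keeps the mapping explicit and self-checking. Each of dds_op_add, dds_op_rename and dds_op_extended continues outside its hunk.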
......@@ -295,12 +295,16 @@ deref_response( Operation *op, SlapReply *rs )
static char dummy = '\0';
Entry *ebase;
int i;
AclCheck ak;
rc = overlay_entry_get_ov( op, &rs->sr_entry->e_nname, NULL, NULL, 0, &ebase, dc->dc_on );
if ( rc != LDAP_SUCCESS || ebase == NULL ) {
return SLAP_CB_CONTINUE;
}
ak.ak_e = rs->sr_entry;
ak.ak_access = ACL_READ;
ak.ak_state = &acl_state;
for ( ds = dc->dc_ds; ds; ds = ds->ds_next ) {
Attribute *a = attr_find( ebase->e_attrs, ds->ds_derefAttr );
......@@ -308,8 +312,9 @@ deref_response( Operation *op, SlapReply *rs )
DerefVal *dv;
BerVarray *bva;
if ( !access_allowed( op, rs->sr_entry, a->a_desc,
NULL, ACL_READ, &acl_state ) )
ak.ak_desc = a->a_desc;
ak.ak_val = NULL;
if ( !access_allowed( op, &ak ))
{
continue;
}
......@@ -331,9 +336,8 @@ deref_response( Operation *op, SlapReply *rs )
dv[ i ].dv_attrVals = bva;
bva += ds->ds_nattrs;
if ( !access_allowed( op, rs->sr_entry, a->a_desc,
&a->a_nvals[ i ], ACL_READ, &acl_state ) )
ak.ak_val = &a->a_nvals[i];
if ( !access_allowed( op, &ak ))
{
dv[ i ].dv_derefSpecVal.bv_val = &dummy;
continue;
......@@ -347,15 +351,21 @@ deref_response( Operation *op, SlapReply *rs )
rc = overlay_entry_get_ov( op, &a->a_nvals[ i ], NULL, NULL, 0, &e, dc->dc_on );
if ( rc == LDAP_SUCCESS && e != NULL ) {
int j;
if ( access_allowed( op, e, slap_schema.si_ad_entry,
NULL, ACL_READ, NULL ) )
AclCheck ak2;
AccessControlState acl_st2 = ACL_STATE_INIT;
ak2.ak_e = e;
ak2.ak_desc = slap_schema.si_ad_entry;
ak2.ak_val = NULL;
ak2.ak_state = NULL;
if ( access_allowed( op, &ak2 ))
{
ak2.ak_state = &acl_st2;
for ( j = 0; j < ds->ds_nattrs; j++ ) {
Attribute *aa;
if ( !access_allowed( op, e, ds->ds_attributes[ j ], NULL,
ACL_READ, &acl_state ) )
ak2.ak_desc = ds->ds_attributes[ j ];
if ( !access_allowed( op, &ak2 ))
{
continue;
}
......@@ -368,12 +378,10 @@ deref_response( Operation *op, SlapReply *rs )
aa->a_vals, op->o_tmpmemctx );
bv.bv_len += ds->ds_attributes[ j ]->ad_cname.bv_len;
ak2.ak_desc = aa->a_desc;
for ( k = 0, h = 0; k < aa->a_numvals; k++ ) {
if ( !access_allowed( op, e,
aa->a_desc,
&aa->a_nvals[ k ],
ACL_READ, &acl_state ) )
ak2.ak_val = &aa->a_nvals[ k ];
if ( !access_allowed( op, &ak2 ))
{
op->o_tmpfree( dv[ i ].dv_attrVals[ j ][ h ].bv_val,
op->o_tmpmemctx );
......
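Review bot: `ak2.ak_access` is never set: the new `AclCheck ak2;` at the dereferenced-entry check only assigns `ak_e`, `ak_desc`, `ak_val` and `ak_state`, so the access level used for the entry `e` and for its `ds_attributes` values is an uninitialized stack value (undefined behaviour), where the removed calls explicitly requested `ACL_READ`. Depending on what happens to be on the stack, the check may be evaluated at the wrong privilege level for data that is then copied into the response. Add `ak2.ak_access = ACL_READ;` alongside the other `ak2` assignments. Switching the per-attribute checks on `e` from the outer `acl_state` to the fresh `acl_st2` looks right, since that state belongs to a single entry. deref_response continues outside the hunks.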
......@@ -220,6 +220,7 @@ dynlist_sc_update( Operation *op, SlapReply *rs )
int opattrs,
userattrs;
AccessControlState acl_state = ACL_STATE_INIT;
AclCheck ak;
dynlist_sc_t *dlc;
dynlist_map_t *dlm;
......@@ -235,8 +236,12 @@ dynlist_sc_update( Operation *op, SlapReply *rs )
assert( rs->sr_entry != NULL );
/* test access to entry */
if ( !access_allowed( op, rs->sr_entry, slap_schema.si_ad_entry,
NULL, ACL_READ, NULL ) )
ak.ak_e = rs->sr_entry;
ak.ak_desc = slap_schema.si_ad_entry;
ak.ak_val = NULL;
ak.ak_access = ACL_READ;
ak.ak_state = NULL;
if ( !access_allowed( op, &ak ))
{
goto done;
}
......@@ -247,29 +252,25 @@ dynlist_sc_update( Operation *op, SlapReply *rs )
if ( dlm && dlm->dlm_mapped_ad == NULL && dlm->dlm_next == NULL ) {
/* if access allowed, try to add values, emulating permissive
* control to silently ignore duplicates */
if ( access_allowed( op, rs->sr_entry, slap_schema.si_ad_entry,
NULL, ACL_READ, NULL ) )
{
Modification mod;
const char *text = NULL;
char textbuf[1024];
struct berval vals[ 2 ], nvals[ 2 ];
vals[ 0 ] = rs->sr_entry->e_name;
BER_BVZERO( &vals[ 1 ] );
nvals[ 0 ] = rs->sr_entry->e_nname;
BER_BVZERO( &nvals[ 1 ] );
mod.sm_op = LDAP_MOD_ADD;
mod.sm_desc = dlm->dlm_member_ad;
mod.sm_type = dlm->dlm_member_ad->ad_cname;
mod.sm_values = vals;
mod.sm_nvalues = nvals;
mod.sm_numvals = 1;
(void)modify_add_values( e, &mod, /* permissive */ 1,
&text, textbuf, sizeof( textbuf ) );
}
Modification mod;
const char *text = NULL;
char textbuf[1024];
struct berval vals[ 2 ], nvals[ 2 ];
vals[ 0 ] = rs->sr_entry->e_name;
BER_BVZERO( &vals[ 1 ] );
nvals[ 0 ] = rs->sr_entry->e_nname;
BER_BVZERO( &nvals[ 1 ] );
mod.sm_op = LDAP_MOD_ADD;
mod.sm_desc = dlm->dlm_member_ad;
mod.sm_type = dlm->dlm_member_ad->ad_cname;
mod.sm_values = vals;
mod.sm_nvalues = nvals;
mod.sm_numvals = 1;
(void)modify_add_values( e, &mod, /* permissive */ 1,
&text, textbuf, sizeof( textbuf ) );
goto done;
}
......@@ -308,10 +309,11 @@ dynlist_sc_update( Operation *op, SlapReply *rs )
}
}
ak.ak_desc = a->a_desc;
ak.ak_state = &acl_state;
/* test access to attribute */
if ( op->ors_attrsonly ) {
if ( !access_allowed( op, rs->sr_entry, a->a_desc, NULL,
ACL_READ, &acl_state ) )
if ( !access_allowed( op, &ak ))
{
continue;
}
......@@ -341,8 +343,8 @@ dynlist_sc_update( Operation *op, SlapReply *rs )
}
}
if ( access_allowed( op, rs->sr_entry, a->a_desc,
&a->a_nvals[i], ACL_READ, &acl_state ) )
ak.ak_val = &a->a_nvals[i];
if ( access_allowed( op, &ak ))
{
vals[j] = a->a_vals[i];
if ( nvals ) {
......
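Review bot: `ak.ak_val` is not reset when the attribute changes: at `ak.ak_desc = a->a_desc; ak.ak_state = &acl_state;` the value pointer still holds whatever the previous attribute's value loop left in it. The attrsonly branch currently works only because that branch never assigns `ak_val`, so the NULL from the initial entry check survives, while the value branch overwrites it before each call. Adding `ak.ak_val = NULL;` next to the `ak_desc` assignment makes the attribute-level check independent of that ordering. dynlist_sc_update continues outside the hunks.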
......@@ -601,16 +601,20 @@ memberof_op_add( Operation *op, SlapReply *rs )
if ( map != NULL ) {
Attribute *a = *map;
AccessControlState acl_state = ACL_STATE_INIT;
AclCheck ak;
ak.ak_desc = mo->mo_ad_memberof;
ak.ak_access = ACL_WADD;
ak.ak_state = &acl_state;
for ( i = 0; !BER_BVISNULL( &a->a_nvals[ i ] ); i++ ) {
Entry *e;
op->o_bd->bd_info = (BackendInfo *)on->on_info;
/* access is checked with the original identity */
rc = access_allowed( op, op->ora_e, mo->mo_ad_memberof,
&a->a_nvals[ i ], ACL_WADD,
&acl_state );
if ( rc == 0 ) {
ak.ak_e = op->ora_e;
ak.ak_val = &a->a_nvals[ i ];
if ( !access_allowed( op, &ak )) {
rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
rs->sr_text = NULL;
send_ldap_result( op, rs );
......@@ -665,8 +669,9 @@ memberof_op_add( Operation *op, SlapReply *rs )
/* access is checked with the original identity */
op->o_bd->bd_info = (BackendInfo *)on->on_info;
rc = access_allowed( op, e, mo->mo_ad_member,
&op->o_req_ndn, ACL_WADD, NULL );
ak.ak_e = e;
ak.ak_val = &op->o_req_ndn;
rc = access_allowed( op, &ak );
be_entry_release_r( op, e );
op->o_bd->bd_info = (BackendInfo *)on;
......@@ -886,6 +891,7 @@ memberof_op_modify( Operation *op, SlapReply *rs )
Modifications *ml = *mmlp;
int i;
Entry *target;
AclCheck ak;
op->o_bd->bd_info = (BackendInfo *)on->on_info;
rc = be_entry_get_rw( op, &op->o_req_ndn,
......@@ -897,22 +903,22 @@ memberof_op_modify( Operation *op, SlapReply *rs )
goto done;
}
ak.ak_desc = mo->mo_ad_memberof;
switch ( ml->sml_op ) {
case LDAP_MOD_DELETE:
if ( ml->sml_nvalues != NULL ) {
AccessControlState acl_state = ACL_STATE_INIT;
ak.ak_access = ACL_WDEL;
ak.ak_state = &acl_state;
for ( i = 0; !BER_BVISNULL( &ml->sml_nvalues[ i ] ); i++ ) {
Entry *e;
op->o_bd->bd_info = (BackendInfo *)on->on_info;
/* access is checked with the original identity */
rc = access_allowed( op, target,
mo->mo_ad_memberof,
&ml->sml_nvalues[ i ],
ACL_WDEL,
&acl_state );
if ( rc == 0 ) {
ak.ak_e = target;
ak.ak_val = &ml->sml_nvalues[ i ];
if ( !access_allowed( op, &ak )) {
rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
rs->sr_text = NULL;
send_ldap_result( op, rs );
......@@ -969,9 +975,9 @@ memberof_op_modify( Operation *op, SlapReply *rs )
/* access is checked with the original identity */
op->o_bd->bd_info = (BackendInfo *)on->on_info;
rc = access_allowed( op, e, mo->mo_ad_member,
&op->o_req_ndn,
ACL_WDEL, NULL );
ak.ak_e = e;
ak.ak_val = &op->o_req_ndn;
rc = access_allowed( op, &ak );
be_entry_release_r( op, e );
op->o_bd->bd_info = (BackendInfo *)on;
......@@ -997,10 +1003,11 @@ memberof_op_modify( Operation *op, SlapReply *rs )
op->o_bd->bd_info = (BackendInfo *)on->on_info;
/* access is checked with the original identity */
rc = access_allowed( op, target,
mo->mo_ad_memberof,
NULL,
ACL_WDEL, NULL );
ak.ak_e = target;
ak.ak_val = NULL;
ak.ak_access = ACL_WDEL;
ak.ak_state = NULL;
rc = access_allowed( op, &ak );
op->o_bd->bd_info = (BackendInfo *)on;
if ( rc == 0 ) {
rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
......@@ -1016,18 +1023,24 @@ memberof_op_modify( Operation *op, SlapReply *rs )
case LDAP_MOD_ADD: {
AccessControlState acl_state = ACL_STATE_INIT;
AclCheck ak2;
ak.ak_e = target;
ak.ak_access = ACL_WADD;
ak.ak_state = &acl_state;
ak2.ak_desc = mo->mo_ad_member;
ak2.ak_val = &op->o_req_ndn;
ak2.ak_access = ACL_WDEL;
ak2.ak_state = NULL;
for ( i = 0; !BER_BVISNULL( &ml->sml_nvalues[ i ] ); i++ ) {
Entry *e;
op->o_bd->bd_info = (BackendInfo *)on->on_info;
/* access is checked with the original identity */
rc = access_allowed( op, target,
mo->mo_ad_memberof,
&ml->sml_nvalues[ i ],
ACL_WADD,
&acl_state );
if ( rc == 0 ) {
ak.ak_val = &ml->sml_nvalues[ i ];
if ( !access_allowed( op, &ak )) {
rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
rs->sr_text = NULL;
send_ldap_result( op, rs );
......@@ -1080,9 +1093,8 @@ memberof_op_modify( Operation *op, SlapReply *rs )
/* access is checked with the original identity */
op->o_bd->bd_info = (BackendInfo *)on->on_info;
rc = access_allowed( op, e, mo->mo_ad_member,
&op->o_req_ndn,
ACL_WDEL, NULL );
ak2.ak_e = e;
rc = access_allowed( op, &ak2 );
be_entry_release_r( op, e );
op->o_bd->bd_info = (BackendInfo *)on;
......
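Review bot: The group-entry checks in memberof_op_add and in the LDAP_MOD_DELETE case of memberof_op_modify now test the wrong attribute: `ak.ak_e = e; ak.ak_val = &op->o_req_ndn; rc = access_allowed( op, &ak );` reuses `ak` whose `ak_desc` is still `mo->mo_ad_memberof`, whereas the removed calls checked `mo->mo_ad_member` on `e`. They also keep `ak_state = &acl_state`, a state accumulated for a different entry (`op->ora_e` / `target`) where the old calls passed NULL; if access_allowed caches per-entry decisions in that state, a result computed for the first entry could be reused for the group entry. The LDAP_MOD_ADD case gets this right with a separate `ak2` (`ak_desc = mo->mo_ad_member`, `ak_state = NULL`); the other two sites should either use their own AclCheck the same way or set `ak.ak_desc = mo->mo_ad_member; ak.ak_state = NULL;` before the call and restore both before the next iteration. Both functions continue outside the hunks.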
......@@ -1901,6 +1901,7 @@ syncprov_op_compare( Operation *op, SlapReply *rs )
{
Entry e = {0};
Attribute a = {0};
AclCheck ak;
e.e_name = si->si_contextdn;
e.e_nname = si->si_contextdn;
......@@ -1914,8 +1915,12 @@ syncprov_op_compare( Operation *op, SlapReply *rs )
a.a_nvals = a.a_vals;
a.a_numvals = si->si_numcsns;
rs->sr_err = access_allowed( op, &e, op->oq_compare.rs_ava->aa_desc,
&op->oq_compare.rs_ava->aa_value, ACL_COMPARE, NULL );
ak.ak_e = &e;
ak.ak_desc = op->oq_compare.rs_ava->aa_desc;
ak.ak_val = &op->oq_compare.rs_ava->aa_value;
ak.ak_access = ACL_COMPARE;
ak.ak_state = NULL;
rs->sr_err = access_allowed( op, &ak );
if ( ! rs->sr_err ) {
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
goto return_results;
......