Modify backend_attribute to return bervals and adjust ACLs

(actually, ACL here might be dangerous)

servers/slapd/back-ldbm/attribute.c

@@ -17,7 +17,7 @@
 #include "proto-back-ldbm.h"
 
 
-/* return 0 IFF we can retrieve the attributes
+/* return LDAP_SUCCESS IFF we can retrieve the attributes
  * of entry with e_ndn
  */
 int
@@ -28,15 +28,15 @@ ldbm_back_attribute(
 	Entry	*target,
 	const char	*e_ndn,
 	AttributeDescription *entry_at,
-	const char ***vals
+	struct berval ***vals
 )
 {
 	struct ldbminfo *li = (struct ldbminfo *) be->be_private;    
 	Entry        *e;
-	int          i, j, rc = 1;
+	int          i, j, rc;
 	Attribute   *attr;
-	struct berval **abv;
-	char *s, **v;
+	struct berval **v;
+	char *s;
 	const char *entry_at_name = entry_at->ad_cname->bv_val;
 
 	Debug( LDAP_DEBUG_ARGS,
@@ -63,7 +63,7 @@ ldbm_back_attribute(
 			Debug( LDAP_DEBUG_ACL,
 				"=> ldbm_back_attribute: cannot find entry: \"%s\"\n",
 					e_ndn, 0, 0 ); 
-			return( 1 );
+			return LDAP_NO_SUCH_OBJECT; 
 		}
 		
 		Debug( LDAP_DEBUG_ACL,
@@ -71,26 +71,27 @@ ldbm_back_attribute(
 			e_ndn, 0, 0 ); 
     }
 
-	rc = 1;
-
-	/* find attribute values
-	 */
+	/* find attribute values */
         
 	if( is_entry_alias( e ) ) {
 		Debug( LDAP_DEBUG_ACL,
 			"<= ldbm_back_attribute: entry is an alias\n", 0, 0, 0 );
+		rc = LDAP_ALIAS_PROBLEM;
 		goto return_results;
 	}
 
 	if( is_entry_referral( e ) ) {
 		Debug( LDAP_DEBUG_ACL,
 			"<= ldbm_back_attribute: entry is an referral\n", 0, 0, 0 );
+		rc = LDAP_REFERRAL;
 		goto return_results;
 	}
 
 	if (conn != NULL && op != NULL
-		&& access_allowed(be, conn, op, e, slap_schema.si_ad_entry, NULL, ACL_SEARCH) == 0)
+		&& access_allowed(be, conn, op, e, slap_schema.si_ad_entry,
+			NULL, ACL_READ) == 0)
 	{
+		rc = LDAP_INSUFFICIENT_ACCESS;
 		goto return_results;
 	}
 
@@ -98,41 +99,53 @@ ldbm_back_attribute(
 		Debug( LDAP_DEBUG_ACL,
 			"<= ldbm_back_attribute: failed to find %s\n",
 			entry_at_name, 0, 0 ); 
+		rc = LDAP_NO_SUCH_ATTRIBUTE;
 		goto return_results;
 	}
 
 	if (conn != NULL && op != NULL
-		&& access_allowed(be, conn, op, e, entry_at, NULL, ACL_SEARCH) == 0)
+		&& access_allowed(be, conn, op, e, entry_at, NULL, ACL_READ) == 0)
 	{
+		rc = LDAP_INSUFFICIENT_ACCESS;
 		goto return_results;
 	}
 
-	for ( i = 0; attr->a_vals[i] != NULL; i++ ) { }
-	v = (char **) ch_calloc( (i + 1), sizeof(char *) );
-	if (v != NULL) {
-		for ( j = 0, abv = attr->a_vals; --i >= 0; abv++ ) {
-			if ( (*abv)->bv_len > 0 ) {
-				s = ch_malloc( (*abv)->bv_len + 1 );
-				if( s == NULL )
-					break;
-				memcpy(s, (*abv)->bv_val, (*abv)->bv_len);
-				s[(*abv)->bv_len] = 0;
-				v[j++] = s;
-			}
+	for ( i = 0; attr->a_vals[i] != NULL; i++ ) {
+		/* count them */
+	}
+
+	v = (struct berval **) ch_malloc( sizeof(struct berval *) * (i+1) );
+
+	for ( i=0, j=0; attr->a_vals[i] != NULL; i++ ) {
+		if( access_allowed(be, conn, op, e, entry_at,
+			attr->a_vals[i], ACL_READ) == 0)
+		{
+			continue;
 		}
+		v[j] = ber_bvdup( attr->a_vals[i] );
+
+		if( v[j] != NULL ) j++;
+	}
+
+	if( j == 0 ) {
+		ch_free( v );
+		*vals = NULL;
+		rc = LDAP_INSUFFICIENT_ACCESS;
+	} else {
 		v[j] = NULL;
 		*vals = v;
+		rc = LDAP_SUCCESS;
 	}
 
-	rc = 0;
-
 return_results:
 	if( target != e ) {
 		/* free entry and reader lock */
 		cache_return_entry_r( &li->li_cache, e );                 
 	}
 
-	Debug( LDAP_DEBUG_TRACE, "ldbm_back_attribute: rc=%d\n", rc, 0, 0 ); 
+	Debug( LDAP_DEBUG_TRACE,
+		"ldbm_back_attribute: rc=%d nvals=%d\n",
+		rc, j, 0 ); 
 	return(rc);
 }
 

servers/slapd/back-ldbm/external.h

@@ -85,7 +85,7 @@ extern int	ldbm_back_attribute LDAP_P(( BackendDB *bd,
 	Entry *target,
 	const char* e_ndn,
 	AttributeDescription* entry_at,
-	const char ***vals));
+	struct berval ***vals));
 
 
 /* hooks for slap tools */

servers/slapd/backend.c

@@ -675,7 +675,7 @@ backend_attribute(
 	Entry	*target,
 	const char	*e_ndn,
 	AttributeDescription *entry_at,
-	const char ***vals
+	struct berval ***vals
 )
 {
 	if( target == NULL || strcmp( target->e_ndn, e_ndn ) != 0 ) {

servers/slapd/proto-slap.h

@@ -179,7 +179,7 @@ LDAP_SLAPD_F (int) backend_attribute LDAP_P((Backend *be,
 	Entry *target,
 	const char *e_ndn,
 	AttributeDescription *entry_at,
-	const char ***vals
+	struct berval ***vals
 ));
 
 LDAP_SLAPD_F (Attribute *) backend_operational( Backend *, Entry * );

servers/slapd/slap.h

@@ -444,7 +444,6 @@ typedef struct slap_mr_assertion {
 /*
  * represents a search filter
  */
-
 typedef struct slap_filter {
 	ber_tag_t	f_choice;	/* values taken from ldap.h, plus: */
 #define SLAPD_FILTER_COMPUTED	((ber_tag_t) -1)
@@ -567,7 +566,6 @@ typedef struct slap_ldap_modlist {
 /*
  * represents an access control list
  */
-
 typedef enum slap_access_e {
 	ACL_INVALID_ACCESS = -1,
 	ACL_NONE = 0,
@@ -586,7 +584,7 @@ typedef enum slap_control_e {
 } slap_control_t;
 
 typedef enum slap_style_e {
-	ACL_STYLE_REGEX,
+	ACL_STYLE_REGEX = 0,
 	ACL_STYLE_BASE,
 	ACL_STYLE_ONE,
 	ACL_STYLE_SUBTREE,
@@ -934,7 +932,7 @@ struct slap_backend_info {
 		struct slap_conn *c, struct slap_op *o,
 		Entry *e, const char *edn,
 		AttributeDescription *entry_at,
-		const char ***vals ));
+		struct berval ***vals ));
 
 	int	(*bi_connection_init) LDAP_P((BackendDB *bd,
 		struct slap_conn *c));
@@ -979,7 +977,6 @@ struct slap_backend_info {
 /*
  * represents an operation pending from an ldap client
  */
-
 typedef struct slap_op {
 	ber_int_t	o_opid;		/* id of this operation		  */
 	ber_int_t	o_msgid;	/* msgid of the request		  */
@@ -1030,7 +1027,6 @@ typedef struct slap_op {
 /*
  * represents a connection from an ldap client
  */
-
 typedef struct slap_conn {
 	int			c_struct_state; /* structure management state */
 	int			c_conn_state;	/* connection state */