Commit 827ea96e authored by Howard Chu's avatar Howard Chu

ITS#1523 enhanced ACL caching

parent 618877cd
......@@ -130,6 +130,9 @@ access_allowed(
slap_control_t control;
const char *attr;
regmatch_t matches[MAXREMATCHES];
int st_same_attr = 0;
int st_initialized = 0;
static AccessControlState state_init = ACL_STATE_INIT;
assert( e != NULL );
assert( desc != NULL );
......@@ -139,7 +142,7 @@ access_allowed(
assert( attr != NULL );
if( state && state->as_recorded ) {
if( state && state->as_recorded && state->as_vd_ad==desc) {
if( state->as_recorded & ACL_STATE_RECORDED_NV &&
val == NULL )
{
......@@ -150,6 +153,9 @@ access_allowed(
{
return state->as_result;
}
st_same_attr = 1;
} if (state) {
state->as_vd_ad=desc;
}
#ifdef NEW_LOGGING
......@@ -246,7 +252,7 @@ access_allowed(
ret = 0;
control = ACL_BREAK;
if( state && ( state->as_recorded & ACL_STATE_RECORDED_VD )) {
if( st_same_attr ) {
assert( state->as_vd_acl != NULL );
a = state->as_vd_acl;
......@@ -290,6 +296,18 @@ access_allowed(
#endif
}
if (state) {
if (state->as_vi_acl == a && (state->as_recorded & ACL_STATE_RECORDED_NV)) {
Debug( LDAP_DEBUG_ACL, "access_allowed: result from state (%s)\n", attr, 0, 0 );
return state->as_result;
} else if (!st_initialized) {
Debug( LDAP_DEBUG_ACL, "access_allowed: no res from state (%s)\n", attr, 0, 0);
*state = state_init;
state->as_vd_ad=desc;
st_initialized=1;
}
}
vd_access:
control = acl_mask( a, &mask, be, conn, op,
e, desc, val, matches, count, state );
......@@ -342,6 +360,9 @@ vd_access:
done:
if( state != NULL ) {
/* If not value-dependent, save ACL in case of more attrs */
if ( !(state->as_recorded & ACL_STATE_RECORDED_VD) )
state->as_vi_acl = a;
state->as_recorded |= ACL_STATE_RECORDED;
state->as_result = ret;
}
......@@ -1200,6 +1221,7 @@ acl_check_modlist(
)
{
struct berval *bv;
AccessControlState state = ACL_STATE_INIT;
assert( be != NULL );
......@@ -1254,9 +1276,6 @@ acl_check_modlist(
}
for ( ; mlist != NULL; mlist = mlist->sml_next ) {
static AccessControlState state_init = ACL_STATE_INIT;
AccessControlState state;
/*
* no-user-modification operational attributes are ignored
* by ACL_WRITE checking as any found here are not provided
......@@ -1275,8 +1294,6 @@ acl_check_modlist(
continue;
}
state = state_init;
switch ( mlist->sml_op ) {
case LDAP_MOD_REPLACE:
/*
......
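Review bot: The new short-circuit `if (state->as_vi_acl == a && (state->as_recorded & ACL_STATE_RECORDED_NV))` returns `state->as_result` for a different attribute on the strength of the ACL pointer alone, although `acl_mask()` just below is still passed `desc`, `e` and `op`, and the state records neither the entry nor the requested access level. If any clause of that ACL can evaluate differently per attribute, or a caller reuses one state across entries or access levels, a stale grant would be returned. The callers changed in this commit (`acl_check_modlist`, `send_search_entry`) appear to keep one entry and one access level per state, but nothing in access_allowed enforces that. I would document the contract where the state is consumed, e.g. `/* state is valid for one entry, one op and one access level only; re-init with ACL_STATE_INIT otherwise */`, and consider storing the access level in the state and comparing it before the early return. Separately, `} if (state) {` after the `st_same_attr = 1;` branch reads like an `else if` and should start on its own line; access_allowed's body continues outside these hunks.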
......@@ -678,8 +678,7 @@ send_search_entry(
char *edn;
int userattrs;
int opattrs;
static AccessControlState acl_state_init = ACL_STATE_INIT;
AccessControlState acl_state;
AccessControlState acl_state = ACL_STATE_INIT;
AttributeDescription *ad_entry = slap_schema.si_ad_entry;
......@@ -856,8 +855,6 @@ send_search_entry(
}
}
acl_state = acl_state_init;
if ( ! access_allowed( be, conn, op, e, desc, NULL,
ACL_READ, &acl_state ) )
{
......@@ -1041,8 +1038,6 @@ send_search_entry(
}
}
acl_state = acl_state_init;
if ( ! access_allowed( be, conn, op, e, desc, NULL,
ACL_READ, &acl_state ) )
{
......
......@@ -1102,6 +1102,7 @@ typedef struct slap_acl_state {
/* Access state */
AccessControl *as_vd_acl;
AccessControl *as_vi_acl;
slap_mask_t as_vd_acl_mask;
regmatch_t as_vd_acl_matches[MAXREMATCHES];
int as_vd_acl_count;
......@@ -1110,8 +1111,9 @@ typedef struct slap_acl_state {
int as_vd_access_count;
int as_result;
AttributeDescription *as_vd_ad;
} AccessControlState;
#define ACL_STATE_INIT { ACL_STATE_NOT_RECORDED, NULL, 0UL, { { 0, 0 } }, 0, NULL, 0, 0 }
#define ACL_STATE_INIT { ACL_STATE_NOT_RECORDED, NULL, NULL, 0UL, { { 0, 0 } }, 0, NULL, 0, 0, 0, NULL }
/*
* replog moddn param structure
......
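Review bot: The new `ACL_STATE_INIT` has eleven positional initializers where the old one had eight, yet the two hunk headers for this struct show a net of one added line each, which matches two new members (`as_vi_acl` and `as_vd_ad`). Part of the struct lies between the hunks, so this needs checking against the full definition, but if it has ten members the trailing `0, 0, 0, NULL` carries one initializer too many and the compiler should report an excess element. The likely intended form is `#define ACL_STATE_INIT { ACL_STATE_NOT_RECORDED, NULL, NULL, 0UL, { { 0, 0 } }, 0, NULL, 0, 0, NULL }`. Because the ACL cache trusts `as_recorded`, `as_vi_acl` and `as_result` from this initial state, a comment above the macro listing the members in initializer order would make later additions safer.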