549
549
** Check if we can use any cached information to determine
550
550
** access to this resource
552
if ( (access & SLAPI_ACL_SEARCH) &&
553
(ret_val = acl__match_handlesFromCache ( aclpb , attr, access)) != -1) {
552
if ((access & SLAPI_ACL_SEARCH) &&
553
(ret_val = acl__match_handlesFromCache(aclpb, attr, access)) != -1) {
554
554
/* means got a result: allowed or not*/
556
556
if (ret_val == LDAP_SUCCESS ) {
557
decision_reason.reason = ACL_REASON_EVALCONTEXT_CACHED_ALLOW;
557
decision_reason.reason = ACL_REASON_EVALCONTEXT_CACHED_ALLOW;
558
558
} else if (ret_val == LDAP_INSUFFICIENT_ACCESS) {
559
decision_reason.reason =
560
ACL_REASON_EVALCONTEXT_CACHED_NOT_ALLOWED;
559
decision_reason.reason = ACL_REASON_EVALCONTEXT_CACHED_NOT_ALLOWED;
562
561
goto cleanup_and_ret;
1194
* Am I a anonymous dude ? then we can use our anonympous profile
1194
* Am I anonymous? then we can use our anonympous profile
1195
1195
* We don't require the aclpb to have been initialized for anom stuff
1198
1197
slapi_pblock_get (pb, SLAPI_REQUESTOR_DN ,&clientDn );
1199
if ( clientDn && *clientDn == '\0' ) {
1200
ret_val = aclanom_match_profile ( pb, aclpb, e, attr,
1198
if (clientDn && (*clientDn == '\0')) {
1199
ret_val = aclanom_match_profile (pb, aclpb, e, attr, SLAPI_ACL_READ);
1202
1200
TNF_PROBE_1_DEBUG(acl_read_access_allowed_on_attr_end ,"ACL","",
1203
tnf_string,anon_decision,"");
1204
if (ret_val != -1 ) return ret_val;
1201
tnf_string,anon_decision,"");
1202
if (ret_val != -1) {
1207
1207
/* Then I must have a access to the entry. */
1208
1208
aclpb->aclpb_state |= ACLPB_ACCESS_ALLOWED_ON_ENTRY;
1210
if ( aclpb->aclpb_state & ACLPB_MATCHES_ALL_ACLS ) {
1210
if (aclpb->aclpb_state & ACLPB_MATCHES_ALL_ACLS) {
1212
1212
ret_val = acl__attr_cached_result (aclpb, attr, SLAPI_ACL_READ);
1213
if (ret_val != -1 ) {
1213
if (ret_val != -1) {
1214
1214
slapi_log_error(SLAPI_LOG_ACL, plugin_name,
1215
"MATCHED HANDLE:dn:%s attr: %s val:%d\n",
1216
n_edn, attr, ret_val );
1217
if ( ret_val == LDAP_SUCCESS) {
1218
decision_reason.reason =
1219
ACL_REASON_EVALCONTEXT_CACHED_ALLOW;
1215
"MATCHED HANDLE:dn:%s attr: %s val:%d\n",
1216
n_edn, attr, ret_val );
1217
if (ret_val == LDAP_SUCCESS) {
1218
decision_reason.reason = ACL_REASON_EVALCONTEXT_CACHED_ALLOW;
1221
decision_reason.reason =
1222
ACL_REASON_EVALCONTEXT_CACHED_NOT_ALLOWED;
1220
decision_reason.reason = ACL_REASON_EVALCONTEXT_CACHED_NOT_ALLOWED;
1224
1222
goto acl_access_allowed_on_attr_Exit;
1226
1224
aclpb->aclpb_state |= ACLPB_COPY_EVALCONTEXT;
1258
1256
** -- access is allowed on phone
1259
1257
** -- Don't know about the rest. Need to evaluate.
1262
if ( slapi_attr_type_cmp (attr, aclpb->aclpb_Evalattr, 1) == 0) {
1259
if (slapi_attr_type_cmp(aclpb->aclpb_Evalattr, attr, SLAPI_TYPE_CMP_SUBTYPE) == 0) {
1263
1260
/* from now on we need to evaluate access on
1264
1261
** rest of the attrs.
1266
aclpb->aclpb_state &= ~ACLPB_ACCESS_ALLOWED_ON_A_ATTR;
1267
1263
TNF_PROBE_1_DEBUG(acl_read_access_allowed_on_attr_end ,"ACL","",
1268
tnf_string,aclp_Evalattr1,"");
1264
tnf_string,aclp_Evalattr1,"");
1270
1265
return LDAP_SUCCESS;
1273
* Here, the attr that implied access to the entry (aclpb_Evalattr),
1275
* the one we currently want evaluated--so
1276
* we need to evaluate access to attr--so fall through.
1280
} else if (aclpb->aclpb_state & ACLPB_ACCESS_ALLOWED_USERATTR) {
1269
* Here, the attr that implied access to the entry (aclpb_Evalattr),
1271
* the one we currently want evaluated--so
1272
* we need to evaluate access to attr--so fall through.
1275
} else if (aclpb->aclpb_state & ACLPB_ACCESS_ALLOWED_USERATTR) {
1281
1276
/* Only skip evaluation on the user attr on which we have
1282
1277
** evaluated before.
1284
if ( slapi_attr_type_cmp (attr, aclpb->aclpb_Evalattr, 1) == 0) {
1279
if (slapi_attr_type_cmp(aclpb->aclpb_Evalattr, attr, SLAPI_TYPE_CMP_SUBTYPE) == 0) {
1285
1280
aclpb->aclpb_state &= ~ACLPB_ACCESS_ALLOWED_USERATTR;
1286
1281
TNF_PROBE_1_DEBUG(acl_read_access_allowed_on_attr_end ,"ACL","",
1287
tnf_string,aclp_Evalattr2,"");
1282
tnf_string,aclp_Evalattr2,"");
1288
1283
return LDAP_SUCCESS;
1292
1287
/* we need to evaluate the access on this attr */
1290
* search attribute list: cn sn
1293
* aclpb_Evalattr: sn;en
1293
1295
return ( acl_access_allowed(pb, e, attr, val, access) );
1295
1297
/* This exit point prints a summary and returns ret_val */
1296
1298
acl_access_allowed_on_attr_Exit:
1298
/* print summary if loglevel set */
1300
/* print summary if loglevel set */
1299
1301
if ( slapi_is_loglevel_set(loglevel) ) {
1301
1303
print_access_control_summary( "on attr",
1302
1304
ret_val, clientDn, aclpb,
1303
1305
acl_access2str(SLAPI_ACL_READ),
1304
attr, n_edn, &decision_reason);
1306
attr, n_edn, &decision_reason);
1306
1308
TNF_PROBE_0_DEBUG(acl_read_access_allowed_on_attr_end ,"ACL","");
1698
1700
mods = (LDAPMod **) change;
1700
for (j=0; mods[j] != NULL; j++) {
1701
if (strcasecmp(mods[j]->mod_type, aci_attr_type) == 0) {
1702
for (j=0; mods && mods[j]; j++) {
1703
if (slapi_attr_type_cmp(mods[j]->mod_type, aci_attr_type,
1704
SLAPI_TYPE_CMP_SUBTYPE) == 0) {
1703
1706
/* Got an aci to mod in this list of mods, so
1704
1707
* take the acicache lock for the whole list of mods,
2356
2359
while(k != -1 && !done) {
2357
2360
attrVal = slapi_value_get_berval(sval);
2359
if ( acl__make_filter_test_entry(
2360
&aclpb->aclpb_filter_test_entry,
2361
attrFilter->attr_str,
2362
(struct berval *)attrVal) == LDAP_SUCCESS ) {
2364
attr_matched= acl__test_filter(
2365
aclpb->aclpb_filter_test_entry,
2367
1 /* Do filter sense evaluation below */
2362
if (acl__make_filter_test_entry(&aclpb->aclpb_filter_test_entry,
2363
attrFilter->attr_str,
2364
(struct berval *)attrVal) == LDAP_SUCCESS ) {
2366
attr_matched = acl__test_filter(aclpb->aclpb_filter_test_entry,
2368
1 /* Do filter sense evaluation below */
2369
2370
done = !attr_matched;
2370
slapi_entry_free( aclpb->aclpb_filter_test_entry );
2371
slapi_entry_free( aclpb->aclpb_filter_test_entry );
2373
2374
k= slapi_attr_next_value(attr_ptr, k, &sval);
2415
2416
goto acl__resource_match_aci_EXIT;
2418
} else if ( ((aclpb->aclpb_access & ACLPB_SLAPI_ACL_WRITE_ADD) &&
2419
(aci->aci_type & ACI_TARGET_ATTR_ADD_FILTERS)) ||
2420
((aclpb->aclpb_access & ACLPB_SLAPI_ACL_WRITE_DEL) &&
2421
(aci->aci_type & ACI_TARGET_ATTR_DEL_FILTERS)) ) {
2419
} else if ( ((aclpb->aclpb_access & ACLPB_SLAPI_ACL_WRITE_ADD) &&
2420
(aci->aci_type & ACI_TARGET_ATTR_ADD_FILTERS)) ||
2421
((aclpb->aclpb_access & ACLPB_SLAPI_ACL_WRITE_DEL) &&
2422
(aci->aci_type & ACI_TARGET_ATTR_DEL_FILTERS)) ) {
2425
2424
* Here, it's a modify add/del and we have attr filters.
2426
2425
* So, we need to scan the add/del filter list to find the filter
2438
2437
if ((aclpb->aclpb_access & ACLPB_SLAPI_ACL_WRITE_ADD) &&
2439
(aci->aci_type & ACI_TARGET_ATTR_ADD_FILTERS)) {
2438
(aci->aci_type & ACI_TARGET_ATTR_ADD_FILTERS)) {
2441
2439
attrFilterArray = aci->targetAttrAddFilters;
2443
2440
} else if ((aclpb->aclpb_access & ACLPB_SLAPI_ACL_WRITE_DEL) &&
2444
(aci->aci_type & ACI_TARGET_ATTR_DEL_FILTERS)) {
2441
(aci->aci_type & ACI_TARGET_ATTR_DEL_FILTERS)) {
2446
2442
attrFilterArray = aci->targetAttrDelFilters;
2458
2453
while (attrFilterArray[num_attrs] && !found) {
2459
attrFilter = attrFilterArray[num_attrs];
2454
attrFilter = attrFilterArray[num_attrs];
2461
2456
/* If this filter applies to the attribute, stop. */
2462
2457
if ((aclpb->aclpb_curr_attrEval) &&
2463
slapi_attr_type_cmp ( aclpb->aclpb_curr_attrEval->attrEval_name,
2464
attrFilter->attr_str, 1) == 0) {
2458
slapi_attr_type_cmp(aclpb->aclpb_curr_attrEval->attrEval_name,
2459
attrFilter->attr_str, SLAPI_TYPE_CMP_SUBTYPE) == 0) {
2478
if ( acl__make_filter_test_entry(
2479
&aclpb->aclpb_filter_test_entry,
2480
aclpb->aclpb_curr_attrEval->attrEval_name,
2481
aclpb->aclpb_curr_attrVal) == LDAP_SUCCESS ) {
2473
if (acl__make_filter_test_entry(&aclpb->aclpb_filter_test_entry,
2474
aclpb->aclpb_curr_attrEval->attrEval_name,
2475
aclpb->aclpb_curr_attrVal) == LDAP_SUCCESS ) {
2483
2477
attr_matched= acl__test_filter(aclpb->aclpb_filter_test_entry,
2484
2478
attrFilter->filter,
2485
2479
1 /* Do filter sense evaluation below */
2487
slapi_entry_free( aclpb->aclpb_filter_test_entry );
2481
slapi_entry_free( aclpb->aclpb_filter_test_entry );
2490
2484
/* No need to look further */
2491
2485
if (attr_matched == ACL_FALSE) {
2589
2583
while (attrArray[num_attrs] && !attr_matched) {
2590
attr = attrArray[num_attrs];
2591
if (attr->attr_type & ACL_ATTR_STRING) {
2592
if (slapi_attr_type_cmp ( res_attr,
2593
attr->u.attr_str, 1) == 0) {
2584
attr = attrArray[num_attrs];
2585
if (attr->attr_type & ACL_ATTR_STRING) {
2587
* res_attr: attr type to eval (e.g., filter "(sn;en=*)")
2588
* attr->u.attr_str: targetattr value (e.g., sn;en)
2590
if (slapi_attr_type_cmp(attr->u.attr_str, res_attr, SLAPI_TYPE_CMP_SUBTYPE) == 0) {
2594
2591
attr_matched = ACL_TRUE;
2595
2592
*a_matched = ACL_TRUE;
3710
3707
for ( j = 0; j < dest->acle_numof_attrs; j++ ) {
3711
if ( strcasecmp ( src->acle_attrEval[i].attrEval_name,
3712
dest->acle_attrEval[j].attrEval_name ) == 0 ) {
3708
if (slapi_attr_type_cmp(src->acle_attrEval[i].attrEval_name,
3709
dest->acle_attrEval[j].attrEval_name,
3710
SLAPI_TYPE_CMP_SUBTYPE) == 0) {
3713
3711
/* We have it. skip it. */
3714
3712
attr_exists = 1;
3918
3915
/* Go thru and see if we have the attr already */
3919
3916
for (j=0; j < c_ContextEval->acle_numof_attrs; j++) {
3920
3917
c_attrEval = &c_ContextEval->acle_attrEval[j];
3923
slapi_attr_type_cmp ( c_attrEval->attrEval_name, attr, 1) == 0 ) {
3920
/* attr: e.g., filter "(sn;en=*)" / attr list / attr in entry */
3921
/* This compare must check all subtypes. "sn" vs. "sn;fr" should return 1 */
3922
slapi_attr_type_cmp(c_attrEval->attrEval_name,
3923
attr, SLAPI_TYPE_CMP_SUBTYPES) == 0) {
3924
3924
aclpb->aclpb_curr_attrEval = c_attrEval;
added
removed
ldap/servers/plugins/acl/acl.c
