From 50befa2aa6b95f8f8e64a970eb73d54faed0142c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?=
Date: Wed, 18 Sep 2024 15:08:43 +0100
Subject: [PATCH] ITS#6198 Expose verbmasks globally

---
 servers/slapd/bconfig.c | 27 ++--------
 servers/slapd/config.c | 37 +++++++++++++
 servers/slapd/proto-slap.h | 3 ++
 servers/slapd/slap.h | 108 ++++++++++++++++++++-----------------
 4 files changed, 103 insertions(+), 72 deletions(-)

diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index fe9c5d4567..8c97afb88b 100644
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -3561,39 +3561,20 @@ static int config_restrict(ConfigArgs *c) {
 slap_mask_t restrictops = 0;
 int i;
- slap_verbmasks restrictable_ops[] = {
- { BER_BVC("bind"), SLAP_RESTRICT_OP_BIND },
- { BER_BVC("add"), SLAP_RESTRICT_OP_ADD },
- { BER_BVC("modify"), SLAP_RESTRICT_OP_MODIFY },
- { BER_BVC("rename"), SLAP_RESTRICT_OP_RENAME },
- { BER_BVC("modrdn"), 0 },
- { BER_BVC("delete"), SLAP_RESTRICT_OP_DELETE },
- { BER_BVC("search"), SLAP_RESTRICT_OP_SEARCH },
- { BER_BVC("compare"), SLAP_RESTRICT_OP_COMPARE },
- { BER_BVC("read"), SLAP_RESTRICT_OP_READS },
- { BER_BVC("write"), SLAP_RESTRICT_OP_WRITES },
- { BER_BVC("extended"), SLAP_RESTRICT_OP_EXTENDED },
- { BER_BVC("extended=" LDAP_EXOP_START_TLS ), SLAP_RESTRICT_EXOP_START_TLS },
- { BER_BVC("extended=" LDAP_EXOP_MODIFY_PASSWD ), SLAP_RESTRICT_EXOP_MODIFY_PASSWD },
- { BER_BVC("extended=" LDAP_EXOP_X_WHO_AM_I ), SLAP_RESTRICT_EXOP_WHOAMI },
- { BER_BVC("extended=" LDAP_EXOP_X_CANCEL ), SLAP_RESTRICT_EXOP_CANCEL },
- { BER_BVC("all"), SLAP_RESTRICT_OP_ALL },
- { BER_BVNULL, 0 }
- };
 if (c->op == SLAP_CONFIG_EMIT) {
- return mask_to_verbs( restrictable_ops, c->be->be_restrictops,
+ return mask_to_verbs( slap_restrictable_ops, c->be->be_restrictops,
 &c->rvalue_vals );
 } else if ( c->op == LDAP_MOD_DELETE ) {
 if ( !c->line ) {
 c->be->be_restrictops = 0;
 } else {
- i = verb_to_mask( c->line, restrictable_ops );
- c->be->be_restrictops &= ~restrictable_ops[i].mask;
+ i = verb_to_mask( c->line, slap_restrictable_ops );
+ c->be->be_restrictops &= ~slap_restrictable_ops[i].mask;
 }
 return 0;
 }
- i = verbs_to_mask( c->argc, c->argv, restrictable_ops, &restrictops );
+ i = verbs_to_mask( c->argc, c->argv, slap_restrictable_ops, &restrictops );
 if ( i ) {
 snprintf( c->cr_msg, sizeof( c->cr_msg ), "<%s> unknown operation",
 c->argv[0] );
 Debug(LDAP_DEBUG_ANY, "%s: %s %s\n",
diff --git a/servers/slapd/config.c b/servers/slapd/config.c
index aa5aa6b1ee..359cade34c 100644
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
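Review bot: Replacing the local table with `slap_restrictable_ops` changes what `restrict modrdn` does, not only where the table lives: the removed local entry was `{ BER_BVC("modrdn"), 0 }`, so the verb parsed but set no bit, whereas the shared table in the config.c hunk maps it to `SLAP_RESTRICT_OP_MODRDN`, which is the same bit as rename. That is very likely the intended outcome, but it is a policy-visible tightening for existing configurations and deserves a sentence in the commit message. Because "rename" and "modrdn" now carry an identical mask and "all"/"read"/"write" moved to the front of the table, please also confirm how `mask_to_verbs()` renders a restricted rename on the SLAP_CONFIG_EMIT path (one verb or both) and whether the emitted form of existing configs changes. The rest of config_restrict(), including where `restrictops` is stored back into the backend, lies past the end of this hunk.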
@@ -1156,6 +1156,43 @@ static slap_verbmasks versionkey[] = {
 { BER_BVNULL, 0 }
 };
+static slap_verbmasks slap_ops_[] = {
+ { BER_BVC("bind"), SLAP_OP_BIND },
+ { BER_BVC("unbind"), SLAP_OP_UNBIND },
+ { BER_BVC("search"), SLAP_OP_SEARCH },
+ { BER_BVC("compare"), SLAP_OP_COMPARE },
+ { BER_BVC("modify"), SLAP_OP_MODIFY },
+ { BER_BVC("rename"), SLAP_OP_RENAME },
+ { BER_BVC("modrdn"), SLAP_OP_MODRDN },
+ { BER_BVC("add"), SLAP_OP_ADD },
+ { BER_BVC("delete"), SLAP_OP_DELETE },
+ { BER_BVC("abandon"), SLAP_OP_ABANDON },
+ { BER_BVC("extended"), SLAP_OP_EXTENDED },
+ { BER_BVNULL, SLAP_OP_LAST }
+};
+slap_verbmasks *slap_ops = slap_ops_;
+
+static slap_verbmasks slap_restrictable_ops_[] = {
+ { BER_BVC("all"), SLAP_RESTRICT_OP_ALL },
+ { BER_BVC("read"), SLAP_RESTRICT_OP_READS },
+ { BER_BVC("write"), SLAP_RESTRICT_OP_WRITES },
+ { BER_BVC("bind"), SLAP_RESTRICT_OP_BIND },
+ { BER_BVC("add"), SLAP_RESTRICT_OP_ADD },
+ { BER_BVC("modify"), SLAP_RESTRICT_OP_MODIFY },
+ { BER_BVC("rename"), SLAP_RESTRICT_OP_RENAME },
+ { BER_BVC("modrdn"), SLAP_RESTRICT_OP_MODRDN },
+ { BER_BVC("delete"), SLAP_RESTRICT_OP_DELETE },
+ { BER_BVC("search"), SLAP_RESTRICT_OP_SEARCH },
+ { BER_BVC("compare"), SLAP_RESTRICT_OP_COMPARE },
+ { BER_BVC("extended"), SLAP_RESTRICT_OP_EXTENDED },
+ { BER_BVC("extended=" LDAP_EXOP_START_TLS ), SLAP_RESTRICT_EXOP_START_TLS },
+ { BER_BVC("extended=" LDAP_EXOP_MODIFY_PASSWD ), SLAP_RESTRICT_EXOP_MODIFY_PASSWD },
+ { BER_BVC("extended=" LDAP_EXOP_X_WHO_AM_I ), SLAP_RESTRICT_EXOP_WHOAMI },
+ { BER_BVC("extended=" LDAP_EXOP_X_CANCEL ), SLAP_RESTRICT_EXOP_CANCEL },
+ { BER_BVNULL, 0 }
+};
+slap_verbmasks *slap_restrictable_ops = slap_restrictable_ops_;
+
 int
 slap_keepalive_parse(
 struct berval *val,
diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index 41a36904dc..b578b9fb21 100644
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
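Review bot: The `mask` column of `slap_ops_` holds operation indices (`SLAP_OP_*` from slap_op_t), not bit flags, and its terminator is `{ BER_BVNULL, SLAP_OP_LAST }` rather than the `{ BER_BVNULL, 0 }` every other table in this file uses, so a caller that resolves an unknown verb through `verb_to_mask()` and indexes a per-operation array of size SLAP_OP_LAST with the result reads one past its end. Both properties should be stated at the definition, for example `/* .mask is a slap_op_t index, not a bitmask: do not pass this table to verbs_to_mask()/mask_to_verbs(); an unknown verb resolves to the terminator, whose .mask is SLAP_OP_LAST and must be range-checked by the caller */`. No consumer of `slap_ops` appears in this patch, so whether existing callers already check for SLAP_OP_LAST cannot be confirmed from here.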
@@ -747,6 +747,9 @@ LDAP_SLAPD_F (int) slap_bv_x_ordered_unparse LDAP_P(( BerVarray in, BerVarray *o
 LDAP_SLAPD_F (int) slap_keepalive_parse( struct berval *val, void *bc, slap_cf_aux_table *tab0, const char *tabmsg, int unparse );
+LDAP_SLAPD_V (slap_verbmasks *) slap_ops;
+LDAP_SLAPD_V (slap_verbmasks *) slap_restrictable_ops;
+
 #ifdef LDAP_SLAPI
 LDAP_SLAPD_V (int) slapi_plugins_used;
 #endif
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index b530e175a8..36353b5a45 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
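Review bot: Both new exports are plain writable pointers, so any translation unit or loadable module that includes proto-slap.h can repoint `slap_ops` or `slap_restrictable_ops` at another table and silently change how `restrict` verbs are parsed and emitted. The targets are fixed static arrays in config.c, so the pointers themselves can be `const`-qualified: `LDAP_SLAPD_V (slap_verbmasks * const) slap_ops;` and `LDAP_SLAPD_V (slap_verbmasks * const) slap_restrictable_ops;`, with the two definitions in config.c changed to match. Whether LDAP_SLAPD_V accepts a `* const` type on every supported toolchain is not visible here and needs a build check.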
@@ -1312,6 +1312,64 @@ typedef enum slap_style_e {
 ACL_STYLE_NONE
 } slap_style_t;
+/*
+ * Operation indices
+ */
+typedef enum {
+ SLAP_OP_BIND = 0,
+ SLAP_OP_UNBIND,
+ SLAP_OP_SEARCH,
+ SLAP_OP_COMPARE,
+ SLAP_OP_MODIFY,
+ SLAP_OP_MODRDN,
+ SLAP_OP_RENAME = SLAP_OP_MODRDN,
+ SLAP_OP_ADD,
+ SLAP_OP_DELETE,
+ SLAP_OP_ABANDON,
+ SLAP_OP_EXTENDED,
+ SLAP_OP_LAST
+} slap_op_t;
+
+typedef enum {
+ SLAP_RESTRICT_OP_BIND = 1 << SLAP_OP_BIND,
+ SLAP_RESTRICT_OP_UNBIND = 1 << SLAP_OP_UNBIND,
+ SLAP_RESTRICT_OP_SEARCH = 1 << SLAP_OP_SEARCH,
+ SLAP_RESTRICT_OP_COMPARE = 1 << SLAP_OP_COMPARE,
+ SLAP_RESTRICT_OP_MODIFY = 1 << SLAP_OP_MODIFY,
+ SLAP_RESTRICT_OP_MODRDN = 1 << SLAP_OP_MODRDN,
+ SLAP_RESTRICT_OP_RENAME = SLAP_RESTRICT_OP_MODRDN,
+ SLAP_RESTRICT_OP_ADD = 1 << SLAP_OP_ADD,
+ SLAP_RESTRICT_OP_DELETE = 1 << SLAP_OP_DELETE,
+ SLAP_RESTRICT_OP_ABANDON = 1 << SLAP_OP_ABANDON,
+ SLAP_RESTRICT_OP_EXTENDED = 1 << SLAP_OP_EXTENDED,
+ SLAP_RESTRICT_OP_MASK = (1 << SLAP_OP_LAST) - 1,
+ /* Make sure 1 << SLAP_OP_LAST stays unused! */
+ SLAP_RESTRICT_OP_READS = (
+ SLAP_RESTRICT_OP_COMPARE |
+ SLAP_RESTRICT_OP_SEARCH ),
+ SLAP_RESTRICT_OP_WRITES = (
+ SLAP_RESTRICT_OP_ADD |
+ SLAP_RESTRICT_OP_DELETE |
+ SLAP_RESTRICT_OP_MODIFY |
+ SLAP_RESTRICT_OP_RENAME ),
+ SLAP_RESTRICT_OP_ALL = (
+ SLAP_RESTRICT_OP_READS |
+ SLAP_RESTRICT_OP_WRITES |
+ SLAP_RESTRICT_OP_BIND |
+ SLAP_RESTRICT_OP_EXTENDED ),
+ SLAP_RESTRICT_EXOP_START_TLS = 0x0100U,
+ SLAP_RESTRICT_EXOP_MODIFY_PASSWD = 0x0200U,
+ SLAP_RESTRICT_EXOP_WHOAMI = 0x0400U,
+ SLAP_RESTRICT_EXOP_CANCEL = 0x0800U,
+ SLAP_RESTRICT_EXOP_MASK = 0xFF00U,
+ SLAP_RESTRICT_READONLY = 0x80000000U,
+} slap_restrictop_t;
+#define SLAP_OP2RESTRICT(op) ((slap_restrictop_t)1U << (op))
+
+
 typedef struct AuthorizationInformation {
 ber_tag_t sai_method; /* LDAP_AUTH_* from */
 struct berval sai_mech; /* SASL Mechanism */
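Review bot: The per-operation bits and the extended-operation bits now overlap. `slap_op_t` defines ten operations before SLAP_OP_LAST, so `SLAP_RESTRICT_OP_ABANDON` is `1 << 8` = 0x0100U and `SLAP_RESTRICT_OP_EXTENDED` is `1 << 9` = 0x0200U, identical to `SLAP_RESTRICT_EXOP_START_TLS` and `SLAP_RESTRICT_EXOP_MODIFY_PASSWD`, and `SLAP_RESTRICT_OP_MASK` ((1 << 10) - 1 = 0x03FFU) intersects `SLAP_RESTRICT_EXOP_MASK` (0xFF00U) on those two bits. The old `#define`s stopped the operation bits at 0x0080U, which is why the literal 0x0100U base was safe; after this hunk a configuration with `restrict extended=` LDAP_EXOP_MODIFY_PASSWD sets the same bit as `restrict extended`, so wherever the enforcement code tests SLAP_RESTRICT_OP_EXTENDED it will read as a blanket extended-operation restriction, and a StartTLS restriction becomes indistinguishable from an abandon restriction. The exop constants should be anchored on SLAP_OP_LAST so they stay above the reserved `1 << SLAP_OP_LAST` bit, as below; if code outside this patch relies on the literal exop values it needs the same adjustment.
```c
	/* Make sure 1 << SLAP_OP_LAST stays unused! */
	/* … unchanged: SLAP_RESTRICT_OP_READS / _WRITES / _ALL … */

	/* extended-op bits live above the per-op bits and the reserved 1 << SLAP_OP_LAST */
	SLAP_RESTRICT_EXOP_START_TLS		= 1U << (SLAP_OP_LAST + 1),
	SLAP_RESTRICT_EXOP_MODIFY_PASSWD	= 1U << (SLAP_OP_LAST + 2),
	SLAP_RESTRICT_EXOP_WHOAMI			= 1U << (SLAP_OP_LAST + 3),
	SLAP_RESTRICT_EXOP_CANCEL			= 1U << (SLAP_OP_LAST + 4),
	SLAP_RESTRICT_EXOP_MASK				= 0xFFU << (SLAP_OP_LAST + 1),
```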
@@ -1935,38 +1993,7 @@ struct BackendDB {
 #define SLAP_SYNC_SUBENTRY(be) (SLAP_DBFLAGS(be) & SLAP_DBFLAG_SYNC_SUBENTRY)
 #define SLAP_LASTBIND_ASSERT(be) (SLAP_DBFLAGS(be) & SLAP_DBFLAG_LASTBIND_ASSERT)
- slap_mask_t be_restrictops; /* restriction operations */
-#define SLAP_RESTRICT_OP_ADD 0x0001U
-#define SLAP_RESTRICT_OP_BIND 0x0002U
-#define SLAP_RESTRICT_OP_COMPARE 0x0004U
-#define SLAP_RESTRICT_OP_DELETE 0x0008U
-#define SLAP_RESTRICT_OP_EXTENDED 0x0010U
-#define SLAP_RESTRICT_OP_MODIFY 0x0020U
-#define SLAP_RESTRICT_OP_RENAME 0x0040U
-#define SLAP_RESTRICT_OP_SEARCH 0x0080U
-#define SLAP_RESTRICT_OP_MASK 0x00FFU
-
-#define SLAP_RESTRICT_READONLY 0x80000000U
-
-#define SLAP_RESTRICT_EXOP_START_TLS 0x0100U
-#define SLAP_RESTRICT_EXOP_MODIFY_PASSWD 0x0200U
-#define SLAP_RESTRICT_EXOP_WHOAMI 0x0400U
-#define SLAP_RESTRICT_EXOP_CANCEL 0x0800U
-#define SLAP_RESTRICT_EXOP_MASK 0xFF00U
-
-#define SLAP_RESTRICT_OP_READS \
- ( SLAP_RESTRICT_OP_COMPARE \
- | SLAP_RESTRICT_OP_SEARCH )
-#define SLAP_RESTRICT_OP_WRITES \
- ( SLAP_RESTRICT_OP_ADD \
- | SLAP_RESTRICT_OP_DELETE \
- | SLAP_RESTRICT_OP_MODIFY \
- | SLAP_RESTRICT_OP_RENAME )
-#define SLAP_RESTRICT_OP_ALL \
- ( SLAP_RESTRICT_OP_READS \
- | SLAP_RESTRICT_OP_WRITES \
- | SLAP_RESTRICT_OP_BIND \
- | SLAP_RESTRICT_OP_EXTENDED )
+ slap_restrictop_t be_restrictops; /* restriction operations */
 #define SLAP_ALLOW_BIND_V2 0x0001U /* LDAPv2 bind */
 #define SLAP_ALLOW_BIND_ANON_CRED 0x0002U /* cred should be empty */
@@ -2563,23 +2590,6 @@ struct slap_control_ids {
 #endif
 };
-/*
- * Operation indices
- */
-typedef enum {
- SLAP_OP_BIND = 0,
- SLAP_OP_UNBIND,
- SLAP_OP_SEARCH,
- SLAP_OP_COMPARE,
- SLAP_OP_MODIFY,
- SLAP_OP_MODRDN,
- SLAP_OP_ADD,
- SLAP_OP_DELETE,
- SLAP_OP_ABANDON,
- SLAP_OP_EXTENDED,
- SLAP_OP_LAST
-} slap_op_t;
-
 typedef struct slap_counters_t {
 struct slap_counters_t *sc_next;
 ldap_pvt_thread_mutex_t sc_mutex;
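Review bot: `be_restrictops` is now declared with the enum type `slap_restrictop_t`, yet the field holds OR-combinations that are not enumerators (the bconfig.c hunk does `c->be->be_restrictops &= ~slap_restrictable_ops[i].mask` on it and fills a separate `slap_mask_t restrictops` from `verbs_to_mask()`), and the enum is only unsigned because `SLAP_RESTRICT_READONLY = 0x80000000U` happens to be a member. That is valid C but fragile against later edits to the enum, and some compilers warn on it under -Wassign-enum. Either keep the field as `slap_mask_t`, which is what `verbs_to_mask()` already produces, or state the intent on the member: `slap_restrictop_t be_restrictops; /* OR of slap_restrictop_t bits, not a single enumerator */`. Enforcement code that reads this field is outside the patch, so the type change's effect on those comparisons cannot be checked from here.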