New access_allowed()

servers/slapd/overlays/dds.c

@@ -368,11 +368,11 @@ dds_op_add( Operation *op, SlapReply *rs )
 			slap_schema.si_oc_dynamicObject, NULL, 0, &e );
 		if ( rc == LDAP_SUCCESS && e != NULL ) {
 			if ( !is_dynamicObject ) {
+				AclCheck ak = { e, slap_schema.si_ad_entry, NULL,
+					ACL_DISCLOSE, NULL };
 				/* return referral only if "disclose"
 				 * is granted on the object */
-				if ( ! access_allowed( op, e,
-						slap_schema.si_ad_entry,
-						NULL, ACL_DISCLOSE, NULL ) )
+				if ( ! access_allowed( op, &ak ))
 				{
 					rc = rs->sr_err = LDAP_NO_SUCH_OBJECT;
 					send_ldap_result( op, rs );
@@ -850,11 +850,11 @@ dds_op_rename( Operation *op, SlapReply *rs )
 			slap_schema.si_oc_dynamicObject, NULL, 0, &e );
 		if ( rc == LDAP_SUCCESS && e != NULL ) {
 			if ( !is_dynamicObject ) {
+				AclCheck ak = { e, slap_schema.si_ad_entry, NULL,
+					ACL_DISCLOSE, NULL };
 				/* return referral only if "disclose"
 				 * is granted on the object */
-				if ( ! access_allowed( op, e,
-						slap_schema.si_ad_entry,
-						NULL, ACL_DISCLOSE, NULL ) )
+				if ( ! access_allowed( op, &ak ))
 				{
 					rs->sr_err = LDAP_NO_SUCH_OBJECT;
 					send_ldap_result( op, rs );
@@ -1068,11 +1068,11 @@ dds_op_extended( Operation *op, SlapReply *rs )
 			rs->sr_err = be_entry_get_rw( op, &op->o_req_ndn,
 				NULL, NULL, 0, &e );
 			if ( rs->sr_err == LDAP_SUCCESS && e != NULL ) {
+				AclCheck ak = { e, slap_schema.si_ad_entry, NULL,
+					ACL_DISCLOSE, NULL };
 				/* return referral only if "disclose"
 				 * is granted on the object */
-				if ( ! access_allowed( op, e,
-						slap_schema.si_ad_entry,
-						NULL, ACL_DISCLOSE, NULL ) )
+				if ( ! access_allowed( op, &ak ))
 				{
 					rs->sr_err = LDAP_NO_SUCH_OBJECT;
 

servers/slapd/overlays/deref.c

@@ -295,12 +295,16 @@ deref_response( Operation *op, SlapReply *rs )
 		static char dummy = '\0';
 		Entry *ebase;
 		int i;
+		AclCheck ak;
 
 		rc = overlay_entry_get_ov( op, &rs->sr_entry->e_nname, NULL, NULL, 0, &ebase, dc->dc_on );
 		if ( rc != LDAP_SUCCESS || ebase == NULL ) {
 			return SLAP_CB_CONTINUE;
 		}
 
+		ak.ak_e = rs->sr_entry;
+		ak.ak_access = ACL_READ;
+		ak.ak_state = &acl_state;
 		for ( ds = dc->dc_ds; ds; ds = ds->ds_next ) {
 			Attribute *a = attr_find( ebase->e_attrs, ds->ds_derefAttr );
 
@@ -308,8 +312,9 @@ deref_response( Operation *op, SlapReply *rs )
 				DerefVal *dv;
 				BerVarray *bva;
 
-				if ( !access_allowed( op, rs->sr_entry, a->a_desc,
-						NULL, ACL_READ, &acl_state ) )
+				ak.ak_desc = a->a_desc;
+				ak.ak_val = NULL;
+				if ( !access_allowed( op, &ak ))
 				{
 					continue;
 				}
@@ -331,9 +336,8 @@ deref_response( Operation *op, SlapReply *rs )
 					dv[ i ].dv_attrVals = bva;
 					bva += ds->ds_nattrs;
 
-
-					if ( !access_allowed( op, rs->sr_entry, a->a_desc,
-							&a->a_nvals[ i ], ACL_READ, &acl_state ) )
+					ak.ak_val = &a->a_nvals[i];
+					if ( !access_allowed( op, &ak ))
 					{
 						dv[ i ].dv_derefSpecVal.bv_val = &dummy;
 						continue;
@@ -347,15 +351,21 @@ deref_response( Operation *op, SlapReply *rs )
 					rc = overlay_entry_get_ov( op, &a->a_nvals[ i ], NULL, NULL, 0, &e, dc->dc_on );
 					if ( rc == LDAP_SUCCESS && e != NULL ) {
 						int j;
+						AclCheck ak2;
+						AccessControlState acl_st2 = ACL_STATE_INIT;
 
-						if ( access_allowed( op, e, slap_schema.si_ad_entry,
-							NULL, ACL_READ, NULL ) )
+						ak2.ak_e = e;
+						ak2.ak_desc = slap_schema.si_ad_entry;
+						ak2.ak_val = NULL;
+						ak2.ak_state = NULL;
+						if ( access_allowed( op, &ak2 ))
 						{
+							ak2.ak_state = &acl_st2;
 							for ( j = 0; j < ds->ds_nattrs; j++ ) {
 								Attribute *aa;
 
-								if ( !access_allowed( op, e, ds->ds_attributes[ j ], NULL,
-									ACL_READ, &acl_state ) )
+								ak2.ak_desc = ds->ds_attributes[ j ];
+								if ( !access_allowed( op, &ak2 ))
 								{
 									continue;
 								}
@@ -368,12 +378,10 @@ deref_response( Operation *op, SlapReply *rs )
 										aa->a_vals, op->o_tmpmemctx );
 
 									bv.bv_len += ds->ds_attributes[ j ]->ad_cname.bv_len;
-
+									ak2.ak_desc = aa->a_desc;
 									for ( k = 0, h = 0; k < aa->a_numvals; k++ ) {
-										if ( !access_allowed( op, e,
-											aa->a_desc,
-											&aa->a_nvals[ k ],
-											ACL_READ, &acl_state ) )
+										ak2.ak_val = &aa->a_nvals[ k ];
+										if ( !access_allowed( op, &ak2 ))
 										{
 											op->o_tmpfree( dv[ i ].dv_attrVals[ j ][ h ].bv_val,
 												op->o_tmpmemctx );

servers/slapd/overlays/dynlist.c

@@ -220,6 +220,7 @@ dynlist_sc_update( Operation *op, SlapReply *rs )
 	int			opattrs,
 				userattrs;
 	AccessControlState	acl_state = ACL_STATE_INIT;
+	AclCheck	ak;
 
 	dynlist_sc_t		*dlc;
 	dynlist_map_t		*dlm;
@@ -235,8 +236,12 @@ dynlist_sc_update( Operation *op, SlapReply *rs )
 	assert( rs->sr_entry != NULL );
 
 	/* test access to entry */
-	if ( !access_allowed( op, rs->sr_entry, slap_schema.si_ad_entry,
-				NULL, ACL_READ, NULL ) )
+	ak.ak_e = rs->sr_entry;
+	ak.ak_desc = slap_schema.si_ad_entry;
+	ak.ak_val = NULL;
+	ak.ak_access = ACL_READ;
+	ak.ak_state = NULL;
+	if ( !access_allowed( op, &ak ))
 	{
 		goto done;
 	}
@@ -247,29 +252,25 @@ dynlist_sc_update( Operation *op, SlapReply *rs )
 	if ( dlm && dlm->dlm_mapped_ad == NULL && dlm->dlm_next == NULL ) {
 		/* if access allowed, try to add values, emulating permissive
 		 * control to silently ignore duplicates */
-		if ( access_allowed( op, rs->sr_entry, slap_schema.si_ad_entry,
-					NULL, ACL_READ, NULL ) )
-		{
-			Modification	mod;
-			const char	*text = NULL;
-			char		textbuf[1024];
-			struct berval	vals[ 2 ], nvals[ 2 ];
+		Modification	mod;
+		const char	*text = NULL;
+		char		textbuf[1024];
+		struct berval	vals[ 2 ], nvals[ 2 ];
 
-			vals[ 0 ] = rs->sr_entry->e_name;
-			BER_BVZERO( &vals[ 1 ] );
-			nvals[ 0 ] = rs->sr_entry->e_nname;
-			BER_BVZERO( &nvals[ 1 ] );
+		vals[ 0 ] = rs->sr_entry->e_name;
+		BER_BVZERO( &vals[ 1 ] );
+		nvals[ 0 ] = rs->sr_entry->e_nname;
+		BER_BVZERO( &nvals[ 1 ] );
 
-			mod.sm_op = LDAP_MOD_ADD;
-			mod.sm_desc = dlm->dlm_member_ad;
-			mod.sm_type = dlm->dlm_member_ad->ad_cname;
-			mod.sm_values = vals;
-			mod.sm_nvalues = nvals;
-			mod.sm_numvals = 1;
+		mod.sm_op = LDAP_MOD_ADD;
+		mod.sm_desc = dlm->dlm_member_ad;
+		mod.sm_type = dlm->dlm_member_ad->ad_cname;
+		mod.sm_values = vals;
+		mod.sm_nvalues = nvals;
+		mod.sm_numvals = 1;
 
-			(void)modify_add_values( e, &mod, /* permissive */ 1,
-					&text, textbuf, sizeof( textbuf ) );
-		}
+		(void)modify_add_values( e, &mod, /* permissive */ 1,
+				&text, textbuf, sizeof( textbuf ) );
 
 		goto done;
 	}
@@ -308,10 +309,11 @@ dynlist_sc_update( Operation *op, SlapReply *rs )
 			}
 		}
 
+		ak.ak_desc = a->a_desc;
+		ak.ak_state = &acl_state;
 		/* test access to attribute */
 		if ( op->ors_attrsonly ) {
-			if ( !access_allowed( op, rs->sr_entry, a->a_desc, NULL,
-						ACL_READ, &acl_state ) )
+			if ( !access_allowed( op, &ak ))
 			{
 				continue;
 			}
@@ -341,8 +343,8 @@ dynlist_sc_update( Operation *op, SlapReply *rs )
 				}
 			}
 
-			if ( access_allowed( op, rs->sr_entry, a->a_desc,
-						&a->a_nvals[i], ACL_READ, &acl_state ) )
+			ak.ak_val = &a->a_nvals[i];
+			if ( access_allowed( op, &ak ))
 			{
 				vals[j] = a->a_vals[i];
 				if ( nvals ) {

servers/slapd/overlays/memberof.c

@@ -601,16 +601,20 @@ memberof_op_add( Operation *op, SlapReply *rs )
 	if ( map != NULL ) {
 		Attribute		*a = *map;
 		AccessControlState	acl_state = ACL_STATE_INIT;
+		AclCheck	ak;
+
+		ak.ak_desc = mo->mo_ad_memberof;
+		ak.ak_access = ACL_WADD;
+		ak.ak_state = &acl_state;
 
 		for ( i = 0; !BER_BVISNULL( &a->a_nvals[ i ] ); i++ ) {
 			Entry		*e;
 
 			op->o_bd->bd_info = (BackendInfo *)on->on_info;
 			/* access is checked with the original identity */
-			rc = access_allowed( op, op->ora_e, mo->mo_ad_memberof,
-					&a->a_nvals[ i ], ACL_WADD,
-					&acl_state );
-			if ( rc == 0 ) {
+			ak.ak_e = op->ora_e;
+			ak.ak_val = &a->a_nvals[ i ];
+			if ( !access_allowed( op, &ak )) {
 				rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
 				rs->sr_text = NULL;
 				send_ldap_result( op, rs );
@@ -665,8 +669,9 @@ memberof_op_add( Operation *op, SlapReply *rs )
 
 			/* access is checked with the original identity */
 			op->o_bd->bd_info = (BackendInfo *)on->on_info;
-			rc = access_allowed( op, e, mo->mo_ad_member,
-					&op->o_req_ndn, ACL_WADD, NULL );
+			ak.ak_e = e;
+			ak.ak_val = &op->o_req_ndn;
+			rc = access_allowed( op, &ak );
 			be_entry_release_r( op, e );
 			op->o_bd->bd_info = (BackendInfo *)on;
 
@@ -886,6 +891,7 @@ memberof_op_modify( Operation *op, SlapReply *rs )
 		Modifications	*ml = *mmlp;
 		int		i;
 		Entry		*target;
+		AclCheck	ak;
 
 		op->o_bd->bd_info = (BackendInfo *)on->on_info;
 		rc = be_entry_get_rw( op, &op->o_req_ndn,
@@ -897,22 +903,22 @@ memberof_op_modify( Operation *op, SlapReply *rs )
 			goto done;
 		}
 
+		ak.ak_desc = mo->mo_ad_memberof;
 		switch ( ml->sml_op ) {
 		case LDAP_MOD_DELETE:
 			if ( ml->sml_nvalues != NULL ) {
 				AccessControlState	acl_state = ACL_STATE_INIT;
 
+				ak.ak_access = ACL_WDEL;
+				ak.ak_state = &acl_state;
 				for ( i = 0; !BER_BVISNULL( &ml->sml_nvalues[ i ] ); i++ ) {
 					Entry		*e;
 
 					op->o_bd->bd_info = (BackendInfo *)on->on_info;
 					/* access is checked with the original identity */
-					rc = access_allowed( op, target,
-							mo->mo_ad_memberof,
-							&ml->sml_nvalues[ i ],
-							ACL_WDEL,
-							&acl_state );
-					if ( rc == 0 ) {
+					ak.ak_e = target;
+					ak.ak_val = &ml->sml_nvalues[ i ];
+					if ( !access_allowed( op, &ak )) {
 						rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
 						rs->sr_text = NULL;
 						send_ldap_result( op, rs );
@@ -969,9 +975,9 @@ memberof_op_modify( Operation *op, SlapReply *rs )
 
 					/* access is checked with the original identity */
 					op->o_bd->bd_info = (BackendInfo *)on->on_info;
-					rc = access_allowed( op, e, mo->mo_ad_member,
-							&op->o_req_ndn,
-							ACL_WDEL, NULL );
+					ak.ak_e = e;
+					ak.ak_val = &op->o_req_ndn;
+					rc = access_allowed( op, &ak );
 					be_entry_release_r( op, e );
 					op->o_bd->bd_info = (BackendInfo *)on;
 
@@ -997,10 +1003,11 @@ memberof_op_modify( Operation *op, SlapReply *rs )
 
 			op->o_bd->bd_info = (BackendInfo *)on->on_info;
 			/* access is checked with the original identity */
-			rc = access_allowed( op, target,
-					mo->mo_ad_memberof,
-					NULL,
-					ACL_WDEL, NULL );
+			ak.ak_e = target;
+			ak.ak_val = NULL;
+			ak.ak_access = ACL_WDEL;
+			ak.ak_state = NULL;
+			rc = access_allowed( op, &ak );
 			op->o_bd->bd_info = (BackendInfo *)on;
 			if ( rc == 0 ) {
 				rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
@@ -1016,18 +1023,24 @@ memberof_op_modify( Operation *op, SlapReply *rs )
 
 		case LDAP_MOD_ADD: {
 			AccessControlState	acl_state = ACL_STATE_INIT;
+			AclCheck ak2;
+
+			ak.ak_e = target;
+			ak.ak_access = ACL_WADD;
+			ak.ak_state = &acl_state;
+
+			ak2.ak_desc = mo->mo_ad_member;
+			ak2.ak_val = &op->o_req_ndn;
+			ak2.ak_access = ACL_WDEL;
+			ak2.ak_state = NULL;
 
 			for ( i = 0; !BER_BVISNULL( &ml->sml_nvalues[ i ] ); i++ ) {
 				Entry		*e;
 
 				op->o_bd->bd_info = (BackendInfo *)on->on_info;
 				/* access is checked with the original identity */
-				rc = access_allowed( op, target,
-						mo->mo_ad_memberof,
-						&ml->sml_nvalues[ i ],
-						ACL_WADD,
-						&acl_state );
-				if ( rc == 0 ) {
+				ak.ak_val = &ml->sml_nvalues[ i ];
+				if ( !access_allowed( op, &ak )) {
 					rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
 					rs->sr_text = NULL;
 					send_ldap_result( op, rs );
@@ -1080,9 +1093,8 @@ memberof_op_modify( Operation *op, SlapReply *rs )
 
 				/* access is checked with the original identity */
 				op->o_bd->bd_info = (BackendInfo *)on->on_info;
-				rc = access_allowed( op, e, mo->mo_ad_member,
-						&op->o_req_ndn,
-						ACL_WDEL, NULL );
+				ak2.ak_e = e;
+				rc = access_allowed( op, &ak2 );
 				be_entry_release_r( op, e );
 				op->o_bd->bd_info = (BackendInfo *)on;
 

servers/slapd/overlays/syncprov.c

@@ -1901,6 +1901,7 @@ syncprov_op_compare( Operation *op, SlapReply *rs )
 	{
 		Entry e = {0};
 		Attribute a = {0};
+		AclCheck ak;
 
 		e.e_name = si->si_contextdn;
 		e.e_nname = si->si_contextdn;
@@ -1914,8 +1915,12 @@ syncprov_op_compare( Operation *op, SlapReply *rs )
 		a.a_nvals = a.a_vals;
 		a.a_numvals = si->si_numcsns;
 
-		rs->sr_err = access_allowed( op, &e, op->oq_compare.rs_ava->aa_desc,
-			&op->oq_compare.rs_ava->aa_value, ACL_COMPARE, NULL );
+		ak.ak_e = &e;
+		ak.ak_desc = op->oq_compare.rs_ava->aa_desc;
+		ak.ak_val = &op->oq_compare.rs_ava->aa_value;
+		ak.ak_access = ACL_COMPARE;
+		ak.ak_state = NULL;
+		rs->sr_err = access_allowed( op, &ak );
 		if ( ! rs->sr_err ) {
 			rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
 			goto return_results;