New access_allowed()

servers/slapd/back-sql/add.c

@@ -929,11 +929,12 @@ backsql_add( Operation *op, SlapReply *rs )
 	struct berval		pdn;
 	struct berval		realdn = BER_BVNULL;
 	int			colnum;
-	slap_mask_t		mask;
 
 	char			textbuf[ SLAP_TEXT_BUFLEN ];
 	size_t			textlen = sizeof( textbuf );
 
+	AclCheck	ak;
+
 #ifdef BACKSQL_SYNCPROV
 	/*
 	 * NOTE: fake successful result to force contextCSN to be bumped up
@@ -1069,9 +1070,12 @@ backsql_add( Operation *op, SlapReply *rs )
 	}
 
 	/* check write access */
-	if ( !access_allowed_mask( op, op->ora_e,
-				slap_schema.si_ad_entry,
-				NULL, ACL_WADD, NULL, &mask ) )
+	ak.ak_e = op->ora_e;
+	ak.ak_desc = slap_schema.si_ad_entry;
+	ak.ak_val = NULL;
+	ak.ak_access = ACL_WADD;
+	ak.ak_state = NULL;
+	if ( !access_allowed( op, &ak ))
 	{
 		rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
 		e = op->ora_e;
@@ -1145,8 +1149,9 @@ backsql_add( Operation *op, SlapReply *rs )
 		}
 
 		/* check "children" pseudo-attribute access to parent */
-		if ( !access_allowed( op, &p, slap_schema.si_ad_children,
-					NULL, ACL_WADD, NULL ) )
+		ak.ak_e = &p;
+		ak.ak_desc = slap_schema.si_ad_children;
+		if ( !access_allowed( op, &ak ))
 		{
 			rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
 			e = &p;
@@ -1495,15 +1500,19 @@ done:;
 	if ( e != NULL ) {
 		int	disclose = 1;
 
-		if ( e == op->ora_e && !ACL_GRANT( mask, ACL_DISCLOSE ) ) {
+		if ( e == op->ora_e && !ACL_GRANT( ak.ak_mask, ACL_DISCLOSE ) ) {
 			/* mask already collected */
 			disclose = 0;
 
-		} else if ( e == &p && !access_allowed( op, &p,
-					slap_schema.si_ad_entry, NULL,
-					ACL_DISCLOSE, NULL ) )
+		} else if ( e == &p ) 
 		{
-			disclose = 0;
+			ak.ak_e = &p;
+			ak.ak_desc = slap_schema.si_ad_entry;
+			ak.ak_access = ACL_DISCLOSE;
+			if ( !access_allowed( op, &ak ))
+			{
+				disclose = 0;
+			}
 		}
 
 		if ( disclose == 0 ) {

servers/slapd/back-sql/compare.c

@@ -38,6 +38,7 @@ backsql_compare( Operation *op, SlapReply *rs )
 	int			rc;
 	int			manageDSAit = get_manageDSAit( op );
 	AttributeName		anlist[2];
+	AclCheck	ak;
 
  	Debug( LDAP_DEBUG_TRACE, "==>backsql_compare()\n", 0, 0, 0 );
 
@@ -117,9 +118,12 @@ backsql_compare( Operation *op, SlapReply *rs )
 		*ap = nrs.sr_operational_attrs;
 	}
 
-	if ( ! access_allowed( op, &e, op->oq_compare.rs_ava->aa_desc,
-				&op->oq_compare.rs_ava->aa_value,
-				ACL_COMPARE, NULL ) )
+	ak.ak_e = &e;
+	ak.ak_desc = op->oq_compare.rs_ava->aa_desc;
+	ak.ak_val = &op->oq_compare.rs_ava->aa_value;
+	ak.ak_access = ACL_COMPARE;
+	ak.ak_state = NULL;
+	if ( ! access_allowed( op, &ak ))
 	{
 		rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
 		goto return_results;
@@ -149,10 +153,11 @@ return_results:;
 		break;
 
 	default:
+		ak.ak_desc = slap_schema.si_ad_entry;
+		ak.ak_val = NULL;
+		ak.ak_access = ACL_DISCLOSE;
 		if ( !BER_BVISNULL( &e.e_nname ) &&
-				! access_allowed( op, &e,
-					slap_schema.si_ad_entry, NULL,
-					ACL_DISCLOSE, NULL ) )
+				! access_allowed( op, &ak ))
 		{
 			rs->sr_err = LDAP_NO_SUCH_OBJECT;
 			rs->sr_text = NULL;

servers/slapd/back-sql/delete.c

@@ -295,13 +295,15 @@ backsql_tree_delete_search_cb( Operation *op, SlapReply *rs )
 	if ( rs->sr_type == REP_SEARCH ) {
 		backsql_tree_delete_t	*btd;
 		backsql_entryID		*eid;
+		AclCheck ak = { rs->sr_entry, slap_schema.si_ad_entry, NULL,
+			ACL_WDEL, NULL };
+		int ret;
 
 		btd = (backsql_tree_delete_t *)op->o_callback->sc_private;
 
-		if ( !access_allowed( btd->btd_op, rs->sr_entry,
-			slap_schema.si_ad_entry, NULL, ACL_WDEL, NULL )
-			|| !access_allowed( btd->btd_op, rs->sr_entry,
-			slap_schema.si_ad_children, NULL, ACL_WDEL, NULL ) )
+		ret = access_allowed( btd->btd_op, &ak );
+		ak.ak_desc = slap_schema.si_ad_children;
+		if ( !ret || !access_allowed( btd->btd_op, &ak ))
 		{
 			btd->btd_rc = LDAP_INSUFFICIENT_ACCESS;
 			return rs->sr_err = LDAP_UNAVAILABLE;
@@ -410,6 +412,7 @@ backsql_delete( Operation *op, SlapReply *rs )
 	Entry			d = { 0 }, p = { 0 }, *e = NULL;
 	struct berval		pdn = BER_BVNULL;
 	int			manageDSAit = get_manageDSAit( op );
+	AclCheck	ak;
 
 	Debug( LDAP_DEBUG_TRACE, "==>backsql_delete(): deleting entry \"%s\"\n",
 			op->o_req_ndn.bv_val, 0, 0 );
@@ -476,8 +479,12 @@ backsql_delete( Operation *op, SlapReply *rs )
 		goto done;
 	}
 
-	if ( !access_allowed( op, &d, slap_schema.si_ad_entry, 
-			NULL, ACL_WDEL, NULL ) )
+	ak.ak_e = &d;
+	ak.ak_desc = slap_schema.si_ad_entry;
+	ak.ak_val = NULL;
+	ak.ak_access = ACL_WDEL;
+	ak.ak_state = NULL;
+	if ( !access_allowed( op, &ak ))
 	{
 		Debug( LDAP_DEBUG_TRACE, "   backsql_delete(): "
 			"no write access to entry\n", 
@@ -550,8 +557,9 @@ backsql_delete( Operation *op, SlapReply *rs )
 		(void)backsql_free_entryID( &bsi.bsi_base_id, 0, op->o_tmpmemctx );
 
 		/* check parent for "children" acl */
-		if ( !access_allowed( op, &p, slap_schema.si_ad_children, 
-				NULL, ACL_WDEL, NULL ) )
+		ak.ak_e = &p;
+		ak.ak_desc = slap_schema.si_ad_children;
+		if ( !access_allowed( op, &ak ))
 		{
 			Debug( LDAP_DEBUG_TRACE, "   backsql_delete(): "
 				"no write access to parent\n", 
@@ -594,8 +602,10 @@ backsql_delete( Operation *op, SlapReply *rs )
 
 done:;
 	if ( e != NULL ) {
-		if ( !access_allowed( op, e, slap_schema.si_ad_entry, NULL,
-					ACL_DISCLOSE, NULL ) )
+		ak.ak_e = e;
+		ak.ak_desc = slap_schema.si_ad_entry;
+		ak.ak_access = ACL_DISCLOSE;
+		if ( !access_allowed( op, &ak ))
 		{
 			rs->sr_err = LDAP_NO_SUCH_OBJECT;
 			rs->sr_text = NULL;

servers/slapd/back-sql/modify.c

@@ -176,8 +176,8 @@ do_transact:;
 
 done:;
 	if ( e != NULL ) {
-		if ( !access_allowed( op, e, slap_schema.si_ad_entry, NULL,
-					ACL_DISCLOSE, NULL ) )
+		AclCheck ak = { e, slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL };
+		if ( !access_allowed( op, &ak ))
 		{
 			rs->sr_err = LDAP_NO_SUCH_OBJECT;
 			rs->sr_text = NULL;

servers/slapd/back-sql/modrdn.c

@@ -50,6 +50,7 @@ backsql_modrdn( Operation *op, SlapReply *rs )
 				*e = NULL;
 	int			manageDSAit = get_manageDSAit( op );
 	struct berval		*newSuperior = op->oq_modrdn.rs_newSup;
+	AclCheck	ak;
  
 	Debug( LDAP_DEBUG_TRACE, "==>backsql_modrdn() renaming entry \"%s\", "
 			"newrdn=\"%s\", newSuperior=\"%s\"\n",
@@ -137,8 +138,12 @@ backsql_modrdn( Operation *op, SlapReply *rs )
 	/*
 	 * Check for entry access to target
 	 */
-	if ( !access_allowed( op, &r, slap_schema.si_ad_entry, 
-				NULL, ACL_WRITE, NULL ) ) {
+	ak.ak_e = &r;
+	ak.ak_desc = slap_schema.si_ad_entry;
+	ak.ak_val = NULL;
+	ak.ak_access = ACL_WRITE;
+	ak.ak_state = NULL;
+	if ( !access_allowed( op, &ak )) {
 		Debug( LDAP_DEBUG_TRACE, "   no access to entry\n", 0, 0, 0 );
 		rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
 		goto done;
@@ -189,8 +194,10 @@ backsql_modrdn( Operation *op, SlapReply *rs )
 		goto done;
 	}
 
-	if ( !access_allowed( op, &p, slap_schema.si_ad_children, NULL,
-			newSuperior ? ACL_WDEL : ACL_WRITE, NULL ) )
+	ak.ak_e = &p;
+	ak.ak_desc = slap_schema.si_ad_children;
+	if ( newSuperior ) ak.ak_desc = ACL_WDEL;
+	if ( !access_allowed( op, &ak ))
 	{
 		Debug( LDAP_DEBUG_TRACE, "   no access to parent\n", 0, 0, 0 );
 		rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
@@ -244,8 +251,9 @@ backsql_modrdn( Operation *op, SlapReply *rs )
 			n_id.eid_id, 0, 0 );
 #endif /* ! BACKSQL_ARBITRARY_KEY */
 
-		if ( !access_allowed( op, &n, slap_schema.si_ad_children, 
-					NULL, ACL_WADD, NULL ) ) {
+		ak.ak_e = &n;
+		ak.ak_access = ACL_WADD;
+		if ( !access_allowed( op, &ak )) {
 			Debug( LDAP_DEBUG_TRACE, "   backsql_modrdn(): "
 					"no access to new parent \"%s\"\n", 
 					new_pdn->bv_val, 0, 0 );
@@ -468,8 +476,10 @@ backsql_modrdn( Operation *op, SlapReply *rs )
 
 done:;
 	if ( e != NULL ) {
-		if ( !access_allowed( op, e, slap_schema.si_ad_entry, NULL,
-					ACL_DISCLOSE, NULL ) )
+		ak.ak_e = e;
+		ak.ak_desc = slap_schema.si_ad_entry;
+		ak.ak_access = ACL_DISCLOSE;
+		if ( !access_allowed( op, &ak ))
 		{
 			rs->sr_err = LDAP_NO_SUCH_OBJECT;
 			rs->sr_text = NULL;

servers/slapd/back-sql/search.c

@@ -2017,6 +2017,7 @@ backsql_search( Operation *op, SlapReply *rs )
 #ifndef BACKSQL_ARBITRARY_KEY
 	ID			lastid = 0;
 #endif /* ! BACKSQL_ARBITRARY_KEY */
+	AclCheck	ak = { &base_entry, slap_schema.si_ad_entry, NULL };
 
 	Debug( LDAP_DEBUG_TRACE, "==>backsql_search(): "
 		"base=\"%s\", filter=\"%s\", scope=%d,", 
@@ -2088,10 +2089,9 @@ backsql_search( Operation *op, SlapReply *rs )
 		/* fall thru */
 
 	default:
+		ak.ak_access = ACL_DISCLOSE;
 		if ( !BER_BVISNULL( &base_entry.e_nname )
-				&& !access_allowed( op, &base_entry,
-					slap_schema.si_ad_entry, NULL,
-					ACL_DISCLOSE, NULL ) )
+				&& !access_allowed( op, &ak ))
 		{
 			rs->sr_err = LDAP_NO_SUCH_OBJECT;
 			if ( rs->sr_ref ) {
@@ -2118,8 +2118,6 @@ backsql_search( Operation *op, SlapReply *rs )
 	/* NOTE: __NEW__ "search" access is required
 	 * on searchBase object */
 	{
-		slap_mask_t	mask;
-		
 		if ( get_assert( op ) &&
 				( test_filter( op, &base_entry, get_assertion( op ) )
 				  != LDAP_COMPARE_TRUE ) )
@@ -2127,9 +2125,8 @@ backsql_search( Operation *op, SlapReply *rs )
 			rs->sr_err = LDAP_ASSERTION_FAILED;
 			
 		}
-		if ( ! access_allowed_mask( op, &base_entry,
-					slap_schema.si_ad_entry,
-					NULL, ACL_SEARCH, NULL, &mask ) )
+		ak.ak_access = ACL_SEARCH;
+		if ( ! access_allowed( op, &ak ))
 		{
 			if ( rs->sr_err == LDAP_SUCCESS ) {
 				rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
@@ -2137,7 +2134,7 @@ backsql_search( Operation *op, SlapReply *rs )
 		}
 
 		if ( rs->sr_err != LDAP_SUCCESS ) {
-			if ( !ACL_GRANT( mask, ACL_DISCLOSE ) ) {
+			if ( !ACL_GRANT( ak.ak_mask, ACL_DISCLOSE ) ) {
 				rs->sr_err = LDAP_NO_SUCH_OBJECT;
 				rs->sr_text = NULL;
 			}