ITS#1523 enhanced ACL caching

servers/slapd/acl.c

@@ -130,6 +130,9 @@ access_allowed(
 	slap_control_t control;
 	const char *attr;
 	regmatch_t matches[MAXREMATCHES];
+	int        st_same_attr = 0;
+	int        st_initialized = 0;
+	static AccessControlState state_init = ACL_STATE_INIT;
 
 	assert( e != NULL );
 	assert( desc != NULL );
@@ -139,7 +142,7 @@ access_allowed(
 
 	assert( attr != NULL );
 
-	if( state && state->as_recorded ) { 
+	if( state && state->as_recorded && state->as_vd_ad==desc) { 
 		if( state->as_recorded & ACL_STATE_RECORDED_NV &&
 			val == NULL )
 		{
@@ -150,6 +153,9 @@ access_allowed(
 		{
 			return state->as_result;
 		}
+		st_same_attr = 1;
+	} if (state) {
+		state->as_vd_ad=desc;
 	}
 
 #ifdef NEW_LOGGING
@@ -246,7 +252,7 @@ access_allowed(
 	ret = 0;
 	control = ACL_BREAK;
 
-	if( state && ( state->as_recorded & ACL_STATE_RECORDED_VD )) {
+	if( st_same_attr ) {
 		assert( state->as_vd_acl != NULL );
 
 		a = state->as_vd_acl;
@@ -290,6 +296,18 @@ access_allowed(
 #endif
 		}
 
+		if (state) {
+			if (state->as_vi_acl == a && (state->as_recorded & ACL_STATE_RECORDED_NV)) {
+				Debug( LDAP_DEBUG_ACL, "access_allowed: result from state (%s)\n", attr, 0, 0 );
+				return state->as_result;
+			} else if (!st_initialized) {
+				Debug( LDAP_DEBUG_ACL, "access_allowed: no res from state (%s)\n", attr, 0, 0);
+			    *state = state_init;
+				state->as_vd_ad=desc;
+				st_initialized=1;
+			}
+		}
+
 vd_access:
 		control = acl_mask( a, &mask, be, conn, op,
 			e, desc, val, matches, count, state );
@@ -342,6 +360,9 @@ vd_access:
 
 done:
 	if( state != NULL ) {
+		/* If not value-dependent, save ACL in case of more attrs */
+		if ( !(state->as_recorded & ACL_STATE_RECORDED_VD) )
+			state->as_vi_acl = a;
 		state->as_recorded |= ACL_STATE_RECORDED;
 		state->as_result = ret;
 	}
@@ -1200,6 +1221,7 @@ acl_check_modlist(
 )
 {
 	struct berval *bv;
+	AccessControlState state = ACL_STATE_INIT;
 
 	assert( be != NULL );
 
@@ -1254,9 +1276,6 @@ acl_check_modlist(
 	}
 
 	for ( ; mlist != NULL; mlist = mlist->sml_next ) {
-		static AccessControlState state_init = ACL_STATE_INIT;
-		AccessControlState state;
-
 		/*
 		 * no-user-modification operational attributes are ignored
 		 * by ACL_WRITE checking as any found here are not provided
@@ -1275,8 +1294,6 @@ acl_check_modlist(
 			continue;
 		}
 
-		state = state_init;
-
 		switch ( mlist->sml_op ) {
 		case LDAP_MOD_REPLACE:
 			/*

servers/slapd/result.c

@@ -678,8 +678,7 @@ send_search_entry(
 	char		*edn;
 	int		userattrs;
 	int		opattrs;
-	static AccessControlState acl_state_init = ACL_STATE_INIT;
-	AccessControlState acl_state;
+	AccessControlState acl_state = ACL_STATE_INIT;
 
 	AttributeDescription *ad_entry = slap_schema.si_ad_entry;
 
@@ -856,8 +855,6 @@ send_search_entry(
 			}
 		}
 
-		acl_state = acl_state_init;
-
 		if ( ! access_allowed( be, conn, op, e, desc, NULL,
 			ACL_READ, &acl_state ) )
 		{
@@ -1041,8 +1038,6 @@ send_search_entry(
 			}
 		}
 
-		acl_state = acl_state_init;
-
 		if ( ! access_allowed( be, conn, op, e,	desc, NULL,
 			ACL_READ, &acl_state ) )
 		{

servers/slapd/slap.h

@@ -1102,6 +1102,7 @@ typedef struct slap_acl_state {
 
 	/* Access state */
 	AccessControl *as_vd_acl;
+	AccessControl *as_vi_acl;
 	slap_mask_t as_vd_acl_mask;
 	regmatch_t as_vd_acl_matches[MAXREMATCHES];
 	int as_vd_acl_count;
@@ -1110,8 +1111,9 @@ typedef struct slap_acl_state {
 	int as_vd_access_count;
 
 	int as_result;
+	AttributeDescription *as_vd_ad;
 } AccessControlState;
-#define ACL_STATE_INIT { ACL_STATE_NOT_RECORDED, NULL, 0UL, { { 0, 0 } }, 0, NULL, 0, 0 }
+#define ACL_STATE_INIT { ACL_STATE_NOT_RECORDED, NULL, NULL, 0UL, { { 0, 0 } }, 0, NULL, 0, 0, 0, NULL }
 
 /*
  * replog moddn param structure