SLAPD_SCHEMA_NOT_COMPAT: ACL cleanup (not yet working)

servers/slapd/acl.c

@@ -22,7 +22,7 @@ static AccessControl * acl_get(
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
 	AttributeDescription *desc,
 #else
-	const char *attr,
+	const char *desc,
 #endif
 	int nmatches, regmatch_t *matches );
 
@@ -33,7 +33,7 @@ static slap_control_t acl_mask(
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
 	AttributeDescription *desc,
 #else
-	const char *attr,
+	const char *desc,
 #endif
 	struct berval *val,
 	regmatch_t *matches );
@@ -46,10 +46,13 @@ static int aci_mask(
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
 	AttributeDescription *desc,
 #else
-	const char *attr,
+	const char *desc,
 #endif
-	struct berval *val, struct berval *aci,
-	regmatch_t *matches, slap_access_t *grant, slap_access_t *deny );
+	struct berval *val,
+	struct berval *aci,
+	regmatch_t *matches,
+	slap_access_t *grant,
+	slap_access_t *deny );
 
 char *supportedACIMechs[] = {
 	"1.3.6.1.4.1.4203.666.7.1",	/* experimental IETF aci family */
@@ -87,9 +90,9 @@ access_allowed(
     Operation		*op,
     Entry		*e,
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
-	AttributeDescription	*attr,
+	AttributeDescription	*desc,
 #else
-    const char		*attr,
+    const char		*desc,
 #endif
     struct berval	*val,
     slap_access_t	access )
@@ -102,6 +105,12 @@ access_allowed(
 	slap_access_mask_t mask;
 	slap_control_t control;
 
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+	const char *attr = desc ? desc->ad_cname->bv_val : NULL;
+#else
+    const char *attr = desc;
+#endif
+
 	regmatch_t       matches[MAXREMATCHES];
 
 	Debug( LDAP_DEBUG_ACL,
@@ -128,7 +137,7 @@ access_allowed(
 	 * by the user
 	 */
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
-	if ( access >= ACL_WRITE && is_at_no_user_mod( attr->ad_type ) )
+	if ( access >= ACL_WRITE && is_at_no_user_mod( desc->ad_type ) )
 #else
 	if ( access >= ACL_WRITE && oc_check_op_no_usermod_attr( attr ) )
 #endif
@@ -168,7 +177,7 @@ access_allowed(
 	a = NULL;
 	count = 0;
 
-	while( a = acl_get( a, &count, be, op, e, attr, MAXREMATCHES, matches ) )
+	while( a = acl_get( a, &count, be, op, e, desc, MAXREMATCHES, matches ) )
 	{
 		int i;
 
@@ -186,7 +195,7 @@ access_allowed(
 		}
 
 		control = acl_mask( a, &mask, be, conn, op,
-			e, attr, val, matches );
+			e, desc, val, matches );
 
 		if ( control != ACL_BREAK ) {
 			break;
@@ -241,6 +250,12 @@ acl_get(
 	assert( e != NULL );
 	assert( count != NULL );
 
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+	attr = desc ? desc->ad_cname->bv_val : NULL;
+#else
+	attr = desc;
+#endif
+
 	if( a == NULL ) {
 		if( be == NULL ) {
 			a = global_acl;
@@ -254,12 +269,6 @@ acl_get(
 		a = a->acl_next;
 	}
 
-#ifdef SLAPD_SCHEMA_NOT_COMPAT
-	attr = desc->ad_cname->bv_val;
-#else
-	attr = desc;
-#endif
-
 	for ( ; a != NULL; a = a->acl_next ) {
 		(*count) ++;
 
@@ -320,9 +329,9 @@ acl_mask(
     Operation	*op,
     Entry		*e,
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
-	AttributeDescription *attr,
+	AttributeDescription *desc,
 #else
-    const char	*attr,
+    const char	*desc,
 #endif
     struct berval	*val,
 	regmatch_t	*matches
@@ -333,6 +342,11 @@ acl_mask(
 #ifdef LDAP_DEBUG
 	char accessmaskbuf[ACCESSMASK_MAXLEN];
 #endif
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+	const char *attr = desc ? desc->ad_cname->bv_val : NULL;
+#else
+	const char *attr = desc;
+#endif
 
 	assert( a != NULL );
 	assert( mask != NULL );
@@ -441,6 +455,10 @@ acl_mask(
 		if ( b->a_dn_at != NULL && op->o_ndn != NULL ) {
 			Attribute	*at;
 			struct berval	bv;
+#ifdef SLAPD_SCHEMA_NOT_COMPAT
+			int match;
+			const char *text;
+#endif
 
 			Debug( LDAP_DEBUG_ACL, "<= check a_dn_at: %s\n",
 				b->a_dn_at, 0, 0);
@@ -455,9 +473,29 @@ acl_mask(
 				at = attrs_find( e->e_attrs->a_next, b->a_dn_at ) )
 			{
 				if( value_find( b->a_dn_at, at->a_vals, &bv ) == 0 ) {
+					/* found it */
+					match = 1;
+					break;
 				}
 			}
 
+			if( match ) {
+				if ( b->a_dn_self && (val == NULL
+					|| value_match( &match, b->a_dn_at,
+						b->a_dn_at->ad_type->sat_equality, &bv, val, &text ) )
+						!= LDAP_SUCCESS
+					|| match )
+				{
+					continue;
+				}
+			} else if ( ! b->a_dn_self || val == NULL
+				|| value_match( &match, b->a_dn_at,
+					b->a_dn_at->ad_type->sat_equality, &bv, val, &text )
+					!= LDAP_SUCCESS
+				|| match )
+			{
+				continue;
+			}
 #else
 			/* see if asker is listed in dnattr */
 			if ( (at = attr_find( e->e_attrs, b->a_dn_at )) != NULL &&

servers/slapd/value.c

@@ -198,6 +198,10 @@ value_match(
 	int usage = 0;
 	struct berval *nv1 = NULL;
 
+	if( !mr->smr_match ) {
+		return LDAP_INAPPROPRIATE_MATCHING;
+	}
+
 	if( ad->ad_type->sat_syntax->ssyn_normalize ) {
 		rc = ad->ad_type->sat_syntax->ssyn_normalize(
 			ad->ad_type->sat_syntax, v1, &nv1 );
@@ -207,10 +211,6 @@ value_match(
 		}
 	}
 
-	if( !mr->smr_match ) {
-		return LDAP_INAPPROPRIATE_MATCHING;
-	}
-
 	rc = (mr->smr_match)( match, usage,
 		ad->ad_type->sat_syntax,
 		mr,
@@ -287,19 +287,31 @@ value_find(
 {
 	int	i;
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
+	int rc;
+	struct berval *nval = NULL;
 	MatchingRule *mr = ad->ad_type->sat_equality;
 
 	if( mr == NULL || !mr->smr_match ) {
 		return LDAP_INAPPROPRIATE_MATCHING;
 	}
+
+	if( mr->smr_syntax->ssyn_normalize ) {
+		rc = mr->smr_syntax->ssyn_normalize(
+			mr->smr_syntax, val, &nval );
+
+		if( rc != LDAP_SUCCESS ) {
+			return LDAP_INAPPROPRIATE_MATCHING;
+		}
+	}
 #endif
 
 	for ( i = 0; vals[i] != NULL; i++ ) {
 #ifdef SLAPD_SCHEMA_NOT_COMPAT
-		int rc;
 		int match;
 		const char *text;
-		rc = value_match( &match, ad, mr, vals[i], val, &text );
+
+		rc = value_match( &match, ad, mr, vals[i],
+			nval == NULL ? val : nval, &text );
 
 		if( rc == LDAP_SUCCESS && match == 0 )
 #else