New access_allowed()

servers/slapd/back-bdb/add.c

@@ -44,6 +44,7 @@ bdb_add(Operation *op, SlapReply *rs )
 	LDAPControl **postread_ctrl = NULL;
 	LDAPControl *ctrls[SLAP_MAX_RESPONSE_CONTROLS];
 	int num_ctrls = 0;
+	AclCheck	ak;
 
 #ifdef LDAP_X_TXN
 	int settle = 0;
@@ -221,8 +222,12 @@ retry:	/* transaction retry */
 		goto return_results;
 	}
 
-	rs->sr_err = access_allowed( op, p,
-		children, NULL, ACL_WADD, NULL );
+	ak.ak_e = p;
+	ak.ak_desc = children;
+	ak.ak_val = NULL;
+	ak.ak_access = ACL_WADD;
+	ak.ak_state = NULL;
+	rs->sr_err = access_allowed( op, &ak );
 
 	if ( ! rs->sr_err ) {
 		switch( opinfo.boi_err ) {
@@ -318,8 +323,9 @@ retry:	/* transaction retry */
 	}
 	p = NULL;
 
-	rs->sr_err = access_allowed( op, op->ora_e,
-		entry, NULL, ACL_WADD, NULL );
+	ak.ak_e = op->ora_e;
+	ak.ak_desc = entry;
+	rs->sr_err = access_allowed( op, &ak );
 
 	if ( ! rs->sr_err ) {
 		switch( opinfo.boi_err ) {

servers/slapd/back-bdb/compare.c

@@ -33,6 +33,8 @@ bdb_compare( Operation *op, SlapReply *rs )
 	DB_TXN		*rtxn;
 	DB_LOCK		lock;
 
+	AclCheck	ak;
+
 	rs->sr_err = bdb_reader_get(op, bdb->bi_dbenv, &rtxn);
 	switch(rs->sr_err) {
 	case 0:
@@ -64,11 +66,16 @@ dn2entry_retry:
 	}
 
 	e = ei->bei_e;
+	ak.ak_e = e;
+	ak.ak_desc = slap_schema.si_ad_entry;
+	ak.ak_val = NULL;
+	ak.ak_access = ACL_DISCLOSE;
+	ak.ak_state = NULL;
+
 	if ( rs->sr_err == DB_NOTFOUND ) {
 		if ( e != NULL ) {
 			/* return referral only if "disclose" is granted on the object */
-			if ( ! access_allowed( op, e, slap_schema.si_ad_entry,
-				NULL, ACL_DISCLOSE, NULL ) )
+			if ( ! access_allowed( op, &ak ))
 			{
 				rs->sr_err = LDAP_NO_SUCH_OBJECT;
 
@@ -101,8 +108,7 @@ dn2entry_retry:
 
 	if (!manageDSAit && is_entry_referral( e ) ) {
 		/* return referral only if "disclose" is granted on the object */
-		if ( !access_allowed( op, e, slap_schema.si_ad_entry,
-			NULL, ACL_DISCLOSE, NULL ) )
+		if ( !access_allowed( op, &ak ))
 		{
 			rs->sr_err = LDAP_NO_SUCH_OBJECT;
 		} else {
@@ -125,8 +131,7 @@ dn2entry_retry:
 	if ( get_assert( op ) &&
 		( test_filter( op, e, get_assertion( op )) != LDAP_COMPARE_TRUE ))
 	{
-		if ( !access_allowed( op, e, slap_schema.si_ad_entry,
-			NULL, ACL_DISCLOSE, NULL ) )
+		if ( !access_allowed( op, &ak ))
 		{
 			rs->sr_err = LDAP_NO_SUCH_OBJECT;
 		} else {
@@ -135,13 +140,17 @@ dn2entry_retry:
 		goto return_results;
 	}
 
-	if ( !access_allowed( op, e, op->oq_compare.rs_ava->aa_desc,
-		&op->oq_compare.rs_ava->aa_value, ACL_COMPARE, NULL ) )
+	ak.ak_desc = op->oq_compare.rs_ava->aa_desc;
+	ak.ak_val = &op->oq_compare.rs_ava->aa_value;
+	ak.ak_access = ACL_COMPARE;
+	if ( !access_allowed( op, &ak ))
 	{
 		/* return error only if "disclose"
 		 * is granted on the object */
-		if ( !access_allowed( op, e, slap_schema.si_ad_entry,
-					NULL, ACL_DISCLOSE, NULL ) )
+		ak.ak_desc = slap_schema.si_ad_entry;
+		ak.ak_val = NULL;
+		ak.ak_access = ACL_DISCLOSE;
+		if ( !access_allowed( op, &ak ))
 		{
 			rs->sr_err = LDAP_NO_SUCH_OBJECT;
 		} else {

servers/slapd/back-bdb/delete.c

@@ -55,6 +55,8 @@ bdb_delete( Operation *op, SlapReply *rs )
 	int settle = 0;
 #endif
 
+	AclCheck	ak;
+
 	Debug( LDAP_DEBUG_ARGS, "==> " LDAP_XSTRING(bdb_delete) ": %s\n",
 		op->o_req_dn.bv_val, 0, 0 );
 
@@ -229,6 +231,10 @@ retry:	/* transaction retry */
 	}
 	if ( eip ) p = eip->bei_e;
 
+	ak.ak_desc = children;
+	ak.ak_val = NULL;
+	ak.ak_access = ACL_WDEL;
+	ak.ak_state = NULL;
 	if ( pdn.bv_len != 0 ) {
 		if( p == NULL || !bvmatch( &pdn, &p->e_nname )) {
 			Debug( LDAP_DEBUG_TRACE,
@@ -240,8 +246,8 @@ retry:	/* transaction retry */
 		}
 
 		/* check parent for "children" acl */
-		rs->sr_err = access_allowed( op, p,
-			children, NULL, ACL_WDEL, NULL );
+		ak.ak_e = p;
+		rs->sr_err = access_allowed( op, &ak );
 
 		if ( !rs->sr_err  ) {
 			switch( opinfo.boi_err ) {
@@ -266,8 +272,8 @@ retry:	/* transaction retry */
 				p = (Entry *)&slap_entry_root;
 
 				/* check parent for "children" acl */
-				rs->sr_err = access_allowed( op, p,
-					children, NULL, ACL_WDEL, NULL );
+				ak.ak_e = p;
+				rs->sr_err = access_allowed( op, &ak );
 
 				p = NULL;
 
@@ -304,8 +310,9 @@ retry:	/* transaction retry */
 		goto return_results;
 	}
 
-	rs->sr_err = access_allowed( op, e,
-		entry, NULL, ACL_WDEL, NULL );
+	ak.ak_e = e;
+	ak.ak_desc = entry;
+	rs->sr_err = access_allowed( op, &ak );
 
 	if ( !rs->sr_err  ) {
 		switch( opinfo.boi_err ) {

servers/slapd/back-bdb/modrdn.c

@@ -64,6 +64,8 @@ bdb_modrdn( Operation	*op, SlapReply *rs )
 	int settle = 0;
 #endif
 
+	AclCheck	ak;
+
 	Debug( LDAP_DEBUG_TRACE, "==>" LDAP_XSTRING(bdb_modrdn) "(%s,%s,%s)\n",
 		op->o_req_dn.bv_val,op->oq_modrdn.rs_newrdn.bv_val,
 		op->oq_modrdn.rs_newSup ? op->oq_modrdn.rs_newSup->bv_val : "NULL" );
@@ -226,7 +228,12 @@ retry:	/* transaction retry */
 	}
 
 	/* check write on old entry */
-	rs->sr_err = access_allowed( op, e, entry, NULL, ACL_WRITE, NULL );
+	ak.ak_e = e;
+	ak.ak_desc = entry;
+	ak.ak_val = NULL;
+	ak.ak_access = ACL_WRITE;
+	ak.ak_state = NULL;
+	rs->sr_err = access_allowed( op, &ak );
 	if ( ! rs->sr_err ) {
 		switch( opinfo.boi_err ) {
 		case DB_LOCK_DEADLOCK:
@@ -337,11 +344,10 @@ retry:	/* transaction retry */
 	}
 
 	/* check parent for "children" acl */
-	rs->sr_err = access_allowed( op, p,
-		children, NULL,
-		op->oq_modrdn.rs_newSup == NULL ?
-			ACL_WRITE : ACL_WDEL,
-		NULL );
+	ak.ak_e = p;
+	ak.ak_desc = children;
+	ak.ak_access = op->oq_modrdn.rs_newSup == NULL ?  ACL_WRITE : ACL_WDEL;
+	rs->sr_err = access_allowed( op, &ak );
 
 	if ( !p_ndn.bv_len )
 		p = NULL;
@@ -449,8 +455,9 @@ retry:	/* transaction retry */
 				(void *) np, (long) np->e_id, 0 );
 
 			/* check newSuperior for "children" acl */
-			rs->sr_err = access_allowed( op, np, children,
-				NULL, ACL_WADD, NULL );
+			ak.ak_e = np;
+			ak.ak_access = ACL_WADD;
+			rs->sr_err = access_allowed( op, &ak );
 
 			if( ! rs->sr_err ) {
 				switch( opinfo.boi_err ) {
@@ -499,8 +506,9 @@ retry:	/* transaction retry */
 				np = (Entry *)&slap_entry_root;
 
 				/* check parent for "children" acl */
-				rs->sr_err = access_allowed( op, np,
-					children, NULL, ACL_WADD, NULL );
+				ak.ak_e = np;
+				ak.ak_access = ACL_WADD;
+				rs->sr_err = access_allowed( op, &ak );
 
 				np = NULL;
 

servers/slapd/back-bdb/search.c

@@ -323,7 +323,6 @@ bdb_search( Operation *op, SlapReply *rs )
 	EntryInfo	*ei;
 	AttributeName	*attrs;
 	struct berval	realbase = BER_BVNULL;
-	slap_mask_t	mask;
 	time_t		stoptime;
 	int		manageDSAit;
 	int		tentries = 0;
@@ -334,6 +333,7 @@ bdb_search( Operation *op, SlapReply *rs )
 	struct	bdb_op_info	*opinfo = NULL;
 	DB_TXN			*ltid = NULL;
 	OpExtra *oex;
+	AclCheck	ak;
 
 	Debug( LDAP_DEBUG_TRACE, "=> " LDAP_XSTRING(bdb_search) "\n", 0, 0, 0);
 	attrs = op->oq_search.rs_attrs;
@@ -420,6 +420,10 @@ dn2entry_retry:
 		}
 	}
 
+	ak.ak_desc = slap_schema.si_ad_entry;
+	ak.ak_val = NULL;
+	ak.ak_state = NULL;
+
 	if ( e == NULL ) {
 		struct berval matched_dn = BER_BVNULL;
 
@@ -428,9 +432,9 @@ dn2entry_retry:
 
 			/* return referral only if "disclose"
 			 * is granted on the object */
-			if ( ! access_allowed( op, matched,
-						slap_schema.si_ad_entry,
-						NULL, ACL_DISCLOSE, NULL ) )
+			ak.ak_e = matched;
+			ak.ak_access = ACL_DISCLOSE;
+			if ( ! access_allowed( op, &ak ))
 			{
 				rs->sr_err = LDAP_NO_SUCH_OBJECT;
 
@@ -481,10 +485,11 @@ dn2entry_retry:
 
 	/* NOTE: __NEW__ "search" access is required
 	 * on searchBase object */
-	if ( ! access_allowed_mask( op, e, slap_schema.si_ad_entry,
-				NULL, ACL_SEARCH, NULL, &mask ) )
+	ak.ak_e = e;
+	ak.ak_access = ACL_SEARCH;
+	if ( ! access_allowed( op, &ak ))
 	{
-		if ( !ACL_GRANT( mask, ACL_DISCLOSE ) ) {
+		if ( !ACL_GRANT( ak.ak_mask, ACL_DISCLOSE ) ) {
 			rs->sr_err = LDAP_NO_SUCH_OBJECT;
 		} else {
 			rs->sr_err = LDAP_INSUFFICIENT_ACCESS;

servers/slapd/slapi/proto-slapi.h

@@ -30,7 +30,7 @@ LDAP_SLAPI_F (LDAPMod **) slapi_int_modifications2ldapmods LDAP_P(( Modification
 LDAP_SLAPI_F (Modifications *) slapi_int_ldapmods2modifications LDAP_P(( Operation *op, LDAPMod ** ));
 LDAP_SLAPI_F (int) slapi_int_count_controls LDAP_P(( LDAPControl **ctrls ));
 LDAP_SLAPI_F (char **) slapi_get_supported_extended_ops LDAP_P((void));
-LDAP_SLAPI_F (int) slapi_int_access_allowed LDAP_P((Operation *op, Entry *entry, AttributeDescription *desc, struct berval *val, slap_access_t access, AccessControlState *state ));
+LDAP_SLAPI_F (int) slapi_int_access_allowed LDAP_P((Operation *op, AclCheck *ak ));
 
 /* slapi_ops.c */
 LDAP_SLAPI_F (int) slapi_int_response LDAP_P(( Slapi_Operation *op, SlapReply *rs ));

servers/slapd/slapi/slapi_overlay.c

@@ -714,12 +714,7 @@ cleanup:
 static int
 slapi_over_access_allowed(
 	Operation		*op,
-	Entry			*e,
-	AttributeDescription	*desc,
-	struct berval		*val,
-	slap_access_t		access,
-	AccessControlState	*state,
-	slap_mask_t		*maskp )
+	AclCheck		*ak )
 {
 	int			rc;
 	Slapi_PBlock		*pb;
@@ -734,7 +729,7 @@ slapi_over_access_allowed(
 
 	pb = SLAPI_OPERATION_PBLOCK( op );
 
-	rc = slapi_int_access_allowed( op, e, desc, val, access, state );
+	rc = slapi_int_access_allowed( op, ak );
 	if ( rc ) {
 		rc = SLAP_CB_CONTINUE;
 	}

servers/slapd/slapi/slapi_utils.c

@@ -2558,11 +2558,11 @@ int slapi_access_allowed( Slapi_PBlock *pb, Slapi_Entry *e, char *attr,
 	struct berval *val, int access )
 {
 	int rc;
-	slap_access_t slap_access;
-	AttributeDescription *ad = NULL;
 	const char *text;
+	AclCheck ak;
 
-	rc = slap_str2ad( attr, &ad, &text );
+	ak.ak_desc = NULL;
+	rc = slap_str2ad( attr, &ak.ak_desc, &text );
 	if ( rc != LDAP_SUCCESS ) {
 		return rc;
 	}
@@ -2573,22 +2573,22 @@ int slapi_access_allowed( Slapi_PBlock *pb, Slapi_Entry *e, char *attr,
 	 */
 	switch ( access & SLAPI_ACL_ALL ) {
 	case SLAPI_ACL_COMPARE:
-		slap_access = ACL_COMPARE;
+		ak.ak_access = ACL_COMPARE;
 		break;
 	case SLAPI_ACL_SEARCH:
-		slap_access = ACL_SEARCH;
+		ak.ak_access = ACL_SEARCH;
 		break;
 	case SLAPI_ACL_READ:
-		slap_access = ACL_READ;
+		ak.ak_access = ACL_READ;
 		break;
 	case SLAPI_ACL_WRITE:
-		slap_access = ACL_WRITE;
+		ak.ak_access = ACL_WRITE;
 		break;
 	case SLAPI_ACL_DELETE:
-		slap_access = ACL_WDEL;
+		ak.ak_access = ACL_WDEL;
 		break;
 	case SLAPI_ACL_ADD:
-		slap_access = ACL_WADD;
+		ak.ak_access = ACL_WADD;
 		break;
 	case SLAPI_ACL_SELF:  /* not documented */
 	case SLAPI_ACL_PROXY: /* not documented */
@@ -2599,7 +2599,10 @@ int slapi_access_allowed( Slapi_PBlock *pb, Slapi_Entry *e, char *attr,
 
 	assert( pb->pb_op != NULL );
 
-	if ( access_allowed( pb->pb_op, e, ad, val, slap_access, NULL ) ) {
+	ak.ak_e = e;
+	ak.ak_val = val;
+	ak.ak_state = NULL;
+	if ( access_allowed( pb->pb_op, &ak )) {
 		return LDAP_SUCCESS;
 	}
 
@@ -2997,11 +3000,7 @@ int slapi_notify_condvar( Slapi_CondVar *cvar, int notify_all )
 }
 
 int slapi_int_access_allowed( Operation *op,
-	Entry *entry,
-	AttributeDescription *desc,
-	struct berval *val,
-	slap_access_t access,
-	AccessControlState *state )
+	AclCheck *ak )
 {
 	int rc, slap_access = 0;
 	slapi_acl_callback_t *pGetPlugin, *tmpPlugin;
@@ -3013,9 +3012,9 @@ int slapi_int_access_allowed( Operation *op,
 		return 1;
 	}
 
-	switch ( access ) {
+	switch ( ak->ak_access ) {
 	case ACL_COMPARE:
-                slap_access |= SLAPI_ACL_COMPARE;
+		slap_access |= SLAPI_ACL_COMPARE;
 		break;
 	case ACL_SEARCH:
 		slap_access |= SLAPI_ACL_SEARCH;
@@ -3049,8 +3048,8 @@ int slapi_int_access_allowed( Operation *op,
 		 * 0	access denied
 		 * 1	access granted
 		 */
-		rc = (*pGetPlugin)( pb, entry, desc->ad_cname.bv_val,
-				    val, slap_access, (void *)state );
+		rc = (*pGetPlugin)( pb, ak->ak_e, ak->ak_desc->ad_cname.bv_val,
+				    ak->ak_val, slap_access, (void *)ak->ak_state );
 		if ( rc == 0 ) {
 			break;
 		}