ACIs almost entirely factored out of slapd

Added OpenLDAPaciSyntax based on ITS#3877 by Nikita Shulga
aci_mask() doesn't exploit the normalized value yet (next step)
The case #define SLAPD_ACI_ENABLED / #undef SLAP_DYNACL should
be removed

servers/slapd/Makefile.in

@@ -38,6 +38,7 @@ SRCS	= main.c globals.c bconfig.c config.c daemon.c \
 		backover.c ctxcsn.c ldapsync.c frontend.c \
 		slapadd.c slapcat.c slapcommon.c slapdn.c slapindex.c \
 		slappasswd.c slaptest.c slapauth.c slapacl.c component.c \
+		aci.c \
 		$(@PLAT@_SRCS)
 
 OBJS	= main.o globals.o bconfig.o config.o daemon.o \
@@ -55,6 +56,7 @@ OBJS	= main.o globals.o bconfig.o config.o daemon.o \
 		backover.o ctxcsn.o ldapsync.o frontend.o \
 		slapadd.o slapcat.o slapcommon.o slapdn.o slapindex.o \
 		slappasswd.o slaptest.o slapauth.o slapacl.o component.o \
+		aci.o \
 		$(@PLAT@_OBJS)
 
 LDAP_INCDIR= ../../include -I$(srcdir) -I$(srcdir)/slapi -I.

servers/slapd/proto-slap.h

@@ -31,6 +31,30 @@
 
 LDAP_BEGIN_DECL
 
+/*
+ * aci.c
+ */
+#ifdef SLAPD_ACI_ENABLED
+LDAP_SLAPD_F (int) aci_mask LDAP_P((
+	Operation *op, Entry *e,
+	AttributeDescription *desc,
+	struct berval *val,
+	struct berval *aci,
+	int nmatch,
+	regmatch_t *matches,
+	slap_access_t *grant,
+	slap_access_t *deny,
+	slap_aci_scope_t scope));
+LDAP_SLAPD_F (int) OpenLDAPaciValidate LDAP_P((
+	Syntax *syn, struct berval *in ));
+LDAP_SLAPD_F (int) OpenLDAPaciPretty LDAP_P((
+	Syntax *syn, struct berval *val, struct berval *out, void *ctx ));
+LDAP_SLAPD_F (slap_mr_normalize_func) OpenLDAPaciNormalize;
+#ifdef SLAP_DYNACL
+LDAP_SLAPD_F (int) dynacl_aci_init LDAP_P(( void ));
+#endif /* SLAP_DYNACL */
+#endif /* SLAPD_ACI_ENABLED */
+
 /*
  * acl.c
  */
@@ -71,6 +95,22 @@ LDAP_SLAPD_F (slap_dynacl_t *) slap_dynacl_get LDAP_P(( const char *name ));
 #endif /* SLAP_DYNACL */
 LDAP_SLAPD_F (int) acl_init LDAP_P(( void ));
 
+LDAP_SLAPD_V (const struct berval) aci_bv[];
+
+LDAP_SLAPD_F (int) acl_get_part LDAP_P((
+	struct berval	*list,
+	int		ix,
+	char		sep,
+	struct berval	*bv ));
+LDAP_SLAPD_F (int) acl_match_set LDAP_P((
+	struct berval *subj,
+	Operation *op,
+	Entry *e,
+	int setref ));
+LDAP_SLAPD_F (int) acl_string_expand LDAP_P((
+	struct berval *newbuf, struct berval *pattern,
+	char *match, int nmatch, regmatch_t *matches ));
+
 /*
  * aclparse.c
  */
@@ -1407,7 +1447,9 @@ LDAP_SLAPD_F (void) schema_destroy LDAP_P(( void ));
 
 LDAP_SLAPD_F( slap_mr_indexer_func ) octetStringIndexer;
 LDAP_SLAPD_F( slap_mr_filter_func ) octetStringFilter;
-
+LDAP_SLAPD_F( int ) numericoidValidate LDAP_P((
+	struct slap_syntax *syntax,
+        struct berval *in ));
 
 /*
  * schema_prep.c

servers/slapd/schema_init.c

@@ -50,7 +50,7 @@
 #define HASH_Update(c,buf,len)	lutil_HASHUpdate(c,buf,len)
 #define HASH_Final(d,c)			lutil_HASHFinal(d,c)
 
-#define	OpenLDAPaciMatch			NULL
+#define	OpenLDAPaciMatch			octetStringMatch
 
 /* approx matching rules */
 #define directoryStringApproxMatchOID	"1.3.6.1.4.1.4203.666.4.4"
@@ -1861,7 +1861,7 @@ telephoneNumberNormalize(
 	return LDAP_SUCCESS;
 }
 
-static int
+int
 numericoidValidate(
 	Syntax *syntax,
 	struct berval *in )
@@ -3427,8 +3427,8 @@ static slap_syntax_defs_rec syntax_defs[] = {
 	/* OpenLDAP Experimental Syntaxes */
 	{"( 1.3.6.1.4.1.4203.666.2.1 DESC 'OpenLDAP Experimental ACI' )",
 		SLAP_SYNTAX_HIDE,
-		UTF8StringValidate /* THIS WILL CHANGE FOR NEW ACI SYNTAX */,
-		NULL},
+		OpenLDAPaciValidate,
+		OpenLDAPaciPretty},
 #endif
 
 #ifdef SLAPD_AUTHPASSWD
@@ -3851,7 +3851,7 @@ static slap_mrule_defs_rec mrule_defs[] = {
 	{"( 1.3.6.1.4.1.4203.666.4.2 NAME 'OpenLDAPaciMatch' "
 		"SYNTAX 1.3.6.1.4.1.4203.666.2.1 )",
 		SLAP_MR_HIDE | SLAP_MR_EQUALITY, NULL,
-		NULL, NULL, OpenLDAPaciMatch,
+		NULL, OpenLDAPaciNormalize, OpenLDAPaciMatch,
 		NULL, NULL,
 		NULL},
 #endif

servers/slapd/slap.h

@@ -914,7 +914,7 @@ struct slap_internal_schema {
 #endif
 	AttributeDescription *si_ad_description;
 	AttributeDescription *si_ad_seeAlso;
-        
+
 	/* Undefined Attribute Type */
 	AttributeType	*si_at_undefined;
 
@@ -1481,6 +1481,53 @@ typedef struct slap_acl_state {
 #define ACL_STATE_INIT { ACL_STATE_NOT_RECORDED, NULL, NULL, 0UL, \
 	{ { 0, 0 } }, 0, NULL, 0, 0, NULL }
 
+#ifdef SLAPD_ACI_ENABLED
+typedef enum slap_aci_scope_t {
+	SLAP_ACI_SCOPE_ENTRY		= 0x1,
+	SLAP_ACI_SCOPE_CHILDREN		= 0x2,
+	SLAP_ACI_SCOPE_SUBTREE		= ( SLAP_ACI_SCOPE_ENTRY | SLAP_ACI_SCOPE_CHILDREN )
+} slap_aci_scope_t;
+#endif /* SLAPD_ACI_ENABLED */
+
+enum {
+	ACI_BV_ENTRY,
+	ACI_BV_CHILDREN,
+	ACI_BV_ONELEVEL,
+	ACI_BV_SUBTREE,
+	ACI_BV_BR_ENTRY,
+	ACI_BV_BR_ALL,
+	ACI_BV_ACCESS_ID,
+#if 0
+	ACI_BV_ANONYMOUS	= BER_BVC("anonymous"),
+#endif
+	ACI_BV_PUBLIC,
+	ACI_BV_USERS,
+	ACI_BV_SELF,
+	ACI_BV_DNATTR,
+	ACI_BV_GROUP,
+	ACI_BV_ROLE,
+	ACI_BV_SET,
+	ACI_BV_SET_REF,
+	ACI_BV_GRANT,
+	ACI_BV_DENY,
+
+	ACI_BV_IP_EQ,
+#ifdef LDAP_PF_LOCAL
+	ACI_BV_PATH_EQ,
+#if 0
+	ACI_BV_DIRSEP,
+#endif
+#endif /* LDAP_PF_LOCAL */
+	
+	ACI_BV_GROUP_CLASS,
+	ACI_BV_GROUP_ATTR,
+	ACI_BV_ROLE_CLASS,
+	ACI_BV_ROLE_ATTR,
+	ACI_BV_SET_ATTR,
+
+	ACI_BV_LAST
+};
+
 /*
  * Backend-info
  * represents a backend