Red Hat Bugzilla – Attachment 309953 Details for
Bug 437525
GER: allow GER for non-existing entries
[patch]
cvs diffs
ger.diffs (text/plain), 47.59 KB, created by
Noriko Hosoi
on 2008-06-20 23:24:13 UTC
Description:
cvs diffs
Filename:
MIME Type:
Creator:
Noriko Hosoi
Created:
2008-06-20 23:24:13 UTC
Size:
47.59 KB
patch
obsolete
>Index: ldap/servers/slapd/charray.c
>===================================================================
>RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/charray.c,v
>retrieving revision 1.6
>diff -t -w -U4 -r1.6 charray.c
>--- ldap/servers/slapd/charray.c 10 Nov 2006 23:45:40 -0000 1.6
>+++ ldap/servers/slapd/charray.c 20 Jun 2008 22:36:12 -0000
>@@ -117,8 +117,50 @@
> }
> (*a)[n + nn] = NULL;
> }
>
>+/*
>+ * charray_merge_nodup:
>+ * merge a string array (second arg) into the first string array
>+ * unless the each string is in the first string array.
>+ */
>+void
>+charray_merge_nodup(
>+ char ***a,
>+ char **s,
>+ int copy_strs
>+)
>+{
>+ int i, j, n, nn;
>+ char **dupa;
>+
>+ if ( (s == NULL) || (s[0] == NULL) )
>+ return;
>+
>+ for ( n = 0; *a != NULL && (*a)[n] != NULL; n++ ) {
>+ ; /* NULL */
>+ }
>+ for ( nn = 0; s[nn] != NULL; nn++ ) {
>+ ; /* NULL */
>+ }
>+
>+ dupa = (char **)slapi_ch_calloc(1, (n+nn+1) * sizeof(char *));
>+ memcpy(dupa, *a, sizeof(char *) * n);
>+ slapi_ch_free((void **)a);
>+
>+ for ( i = 0, j = 0; i < nn; i++ ) {
>+ if (!charray_inlist(dupa, s[i])) { /* skip if s[i] is already in *a */
>+ if ( copy_strs ) {
>+ dupa[n+j] = slapi_ch_strdup( s[i] );
>+ } else {
>+ dupa[n+j] = s[i];
>+ }
>+ j++;
>+ }
>+ }
>+ *a = dupa;
>+}
>+
> /* Routines which don't pound on malloc. Don't interchange the arrays with the
> * regular calls---they can end up freeing non-heap memory, which is wrong */
>
> void
>@@ -336,15 +378,17 @@
> /*
> * Remove the char string from the array of char strings.
> * Performs a case *insensitive* comparison!
> * Just shunts the strings down to cover the deleted string.
>- * Doesn't free up the unused memory.
>+ * freeit: none zero -> free the found string
>+ * : zero -> Doesn't free up the unused memory.
> * Returns 1 if the entry found and removed, 0 if not.
> */
> int
> charray_remove(
> char **a,
>- const char *s
>+ const char *s,
>+ int freeit
> )
> {
> int i;
> int found= 0;
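Review bot: In charray_merge_nodup, `memcpy(dupa, *a, sizeof(char *) * n);` runs even when `*a` is NULL, a case the counting loop above explicitly allows (n then stays 0), and passing a null pointer to memcpy is undefined behaviour even for a zero length. Guard the copy, for example `if (*a != NULL) memcpy(dupa, *a, sizeof(char *) * n);`. With `copy_strs` set to zero, strings in `s` that are skipped as duplicates are not taken over by the merged array, so the header comment should state that the caller keeps ownership of those.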
>@@ -352,8 +396,12 @@
> {
> if ( !found && strcasecmp (a[i],s) == 0 )
> {
> found= 1;
>+ if (freeit)
>+ {
>+ slapi_ch_free_string(&a[i]);
>+ }
> }
> if (found)
> {
> a[i]= a[i+1];
>Index: ldap/servers/slapd/opshared.c
>===================================================================
>RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/opshared.c,v
>retrieving revision 1.11
>diff -t -w -U4 -r1.11 opshared.c
>--- ldap/servers/slapd/opshared.c 18 Oct 2007 00:08:34 -0000 1.11
>+++ ldap/servers/slapd/opshared.c 20 Jun 2008 22:36:12 -0000
>@@ -952,9 +952,9 @@
> {
> int rc;
> int attrsonly;
> int done = 0;
>- Slapi_Entry *e;
>+ Slapi_Entry *e = NULL;
> char **attrs = NULL;
>
> slapi_pblock_get(pb, SLAPI_SEARCH_ATTRS, &attrs);
> slapi_pblock_get(pb, SLAPI_SEARCH_ATTRSONLY, &attrsonly);
>@@ -962,8 +962,11 @@
> *pnentries = 0;
>
> while (!done)
> {
>+ Slapi_Entry *gerentry = NULL;
>+ Slapi_Operation *operation;
>+
> rc = be->be_next_search_entry(pb);
> if (rc < 0)
> {
> /*
>@@ -974,19 +977,131 @@
> operation_out_of_disk_space();
> }
> return -1;
> }
>- else
>+
>+ slapi_pblock_get(pb, SLAPI_SEARCH_RESULT_ENTRY, &e);
>+
>+ /* Check for possible get_effective_rights control */
>+ slapi_pblock_get (pb, SLAPI_OPERATION, &operation);
>+ if ( operation->o_flags & OP_FLAG_GET_EFFECTIVE_RIGHTS )
>+ {
>+ char *errbuf = NULL;
>+ char **gerattrs = NULL;
>+ char **gerattrsdup = NULL;
>+ char **gap = NULL;
>+ char *gapnext = NULL;
>+
>+ slapi_pblock_get( pb, SLAPI_SEARCH_GERATTRS, &gerattrs );
>+
>+ gerattrsdup = cool_charray_dup(gerattrs);
>+ gap = gerattrsdup;
>+ do
> {
>+ gapnext = NULL;
>+ if (gap)
>+ {
>+ if (*gap && *(gap+1))
>+ {
>+ gapnext = *(gap+1);
>+ *(gap+1) = NULL;
>+ }
>+ slapi_pblock_set( pb, SLAPI_SEARCH_GERATTRS, gap );
>+ rc = plugin_call_acl_plugin (pb, e, attrs, NULL,
>+ SLAPI_ACL_ALL, ACLPLUGIN_ACCESS_GET_EFFECTIVE_RIGHTS,
>+ &errbuf);
>+ if (NULL != gapnext)
>+ {
>+ *(gap+1) = gapnext;
>+ }
>+ }
>+ else if (NULL != e)
>+ {
>+ rc = plugin_call_acl_plugin (pb, e, attrs, NULL,
>+ SLAPI_ACL_ALL, ACLPLUGIN_ACCESS_GET_EFFECTIVE_RIGHTS,
>+ &errbuf);
>+ }
>+ if (NULL == e) {
>+ /* get the template entry, if any */
> slapi_pblock_get(pb, SLAPI_SEARCH_RESULT_ENTRY, &e);
>- if (e == NULL)
>+ if (NULL == e) {
>+ /* everything is ok - don't send the result */
>+ return 1;
>+ }
>+ gerentry = e;
>+ }
>+ if ( rc != LDAP_SUCCESS ) {
>+ /* Send error result and
>+ abort op if the control is critical */
>+ LDAPDebug( LDAP_DEBUG_ANY,
>+ "Failed to get effective rights for entry (%s), rc=%d\n",
>+ slapi_entry_get_dn_const(e), rc, 0 );
>+ send_ldap_result( pb, rc, NULL, errbuf, 0, NULL );
>+ slapi_ch_free ( (void**)&errbuf );
>+ if (gerentry)
>+ {
>+ slapi_pblock_set(pb,
>+ SLAPI_SEARCH_RESULT_ENTRY, NULL);
>+ slapi_entry_free(gerentry);
>+ gerentry = e = NULL;
>+ }
>+ return( -1 );
>+ }
>+ slapi_ch_free ( (void**)&errbuf );
>+ if (process_entry(pb, e, send_result))
>+ {
>+ /* shouldn't send this entry */
>+ if (gerentry)
>+ {
>+ slapi_pblock_set(pb,
>+ SLAPI_SEARCH_RESULT_ENTRY, NULL);
>+ slapi_entry_free(gerentry);
>+ gerentry = e = NULL;
>+ }
>+ continue;
>+ }
>+
>+ /*
>+ * It's a regular entry, or it's a referral and
>+ * managedsait control is on. In either case, send
>+ * the entry.
>+ */
>+ switch (send_ldap_search_entry(pb, e,
>+ NULL, attrs, attrsonly))
>+ {
>+ case 0: /* entry sent ok */
>+ (*pnentries)++;
>+ slapi_pblock_set(pb, SLAPI_NENTRIES, pnentries);
>+ break;
>+ case 1: /* entry not sent */
>+ break;
>+ case -1: /* connection closed */
>+ /*
>+ * mark the operation as abandoned so the backend
>+ * next entry function gets called again and has
>+ * a chance to clean things up.
>+ */
>+ pb->pb_op->o_status = SLAPI_OP_STATUS_ABANDONED;
>+ break;
>+ }
>+ if (gerentry)
>+ {
>+ slapi_pblock_set(pb, SLAPI_SEARCH_RESULT_ENTRY, NULL);
>+ slapi_entry_free(gerentry);
>+ gerentry = e = NULL;
>+ }
>+ }
>+ while (gap && ++gap && *gap);
>+ slapi_pblock_set( pb, SLAPI_SEARCH_GERATTRS, gerattrs );
>+ cool_charray_free(gerattrsdup);
>+ if (NULL == e)
> {
> /* no more entries */
> done = 1;
>- continue;
> }
> }
>-
>+ else if (e)
>+ {
> if (process_entry(pb, e, send_result))
> {
> /* shouldn't send this entry */
> continue;
>@@ -1014,8 +1129,14 @@
> pb->pb_op->o_status = SLAPI_OP_STATUS_ABANDONED;
> break;
> }
> }
>+ else
>+ {
>+ /* no more entries */
>+ done = 1;
>+ }
>+ }
>
> return 1;
> }
>
>Index: ldap/servers/slapd/pblock.c
>===================================================================
>RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/pblock.c,v
>retrieving revision 1.13
>diff -t -w -U4 -r1.13 pblock.c
>--- ldap/servers/slapd/pblock.c 4 Jun 2008 22:22:55 -0000 1.13
>+++ ldap/servers/slapd/pblock.c 20 Jun 2008 22:36:12 -0000
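Review bot: Inside the get-effective-rights branch of the opshared.c hunk, both early exits (`return 1;` when no template entry is available, and `return( -1 );` after send_ldap_result) leave the do/while without running the two statements that follow the loop. On those paths `gerattrsdup` is never released and SLAPI_SEARCH_GERATTRS in the pblock still points at `gap` inside the duplicate rather than at the original `gerattrs`; the `return 1;` path also skips `slapi_ch_free ( (void**)&errbuf );`. Repeat `slapi_pblock_set( pb, SLAPI_SEARCH_GERATTRS, gerattrs );` and `cool_charray_free(gerattrsdup);` before each return, or route both exits through one cleanup label. The enclosing function starts and ends outside the hunk.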
>@@ -1230,8 +1230,14 @@
> {
> (*(char ***)value) = pblock->pb_op->o_params.p.p_search.search_attrs;
> }
> break;
>+ case SLAPI_SEARCH_GERATTRS:
>+ if(pblock->pb_op!=NULL)
>+ {
>+ (*(char ***)value) = pblock->pb_op->o_params.p.p_search.search_gerattrs;
>+ }
>+ break;
> case SLAPI_SEARCH_ATTRSONLY:
> if(pblock->pb_op!=NULL)
> {
> (*(int *)value) = pblock->pb_op->o_params.p.p_search.search_attrsonly;
>@@ -2508,8 +2514,14 @@
> {
> pblock->pb_op->o_params.p.p_search.search_attrs = (char **) value;
> }
> break;
>+ case SLAPI_SEARCH_GERATTRS:
>+ if(pblock->pb_op!=NULL)
>+ {
>+ pblock->pb_op->o_params.p.p_search.search_gerattrs = (char **) value;
>+ }
>+ break;
> case SLAPI_SEARCH_ATTRSONLY:
> if(pblock->pb_op!=NULL)
> {
> pblock->pb_op->o_params.p.p_search.search_attrsonly = *((int *) value);
>Index: ldap/servers/slapd/result.c
>===================================================================
>RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/result.c,v
>retrieving revision 1.12
>diff -t -w -U4 -r1.12 result.c
>--- ldap/servers/slapd/result.c 18 Oct 2007 00:08:34 -0000 1.12
>+++ ldap/servers/slapd/result.c 20 Jun 2008 22:36:12 -0000
>@@ -1203,15 +1203,16 @@
> int *dontsendattr= NULL;
> Slapi_Operation *operation;
> int real_attrs_only = 0;
> LDAPControl **ctrlp = 0;
>+ Slapi_Entry *gerentry = NULL;
>
> slapi_pblock_get (pb, SLAPI_OPERATION, &operation);
>
> LDAPDebug( LDAP_DEBUG_TRACE, "=> send_ldap_search_entry (%s)\n",
>- slapi_entry_get_dn_const(e), 0, 0 );
>+ e?slapi_entry_get_dn_const(e):"null", 0, 0 );
>
>- if ( conn == NULL ) {
>+ if ( conn == NULL && e ) {
> if ( op->o_search_entry_handler != NULL ) {
> if (( rc = (*op->o_search_entry_handler)(
> pb->pb_backend, conn, op, e )) == 0 ) {
> logit = 1;
>@@ -1223,31 +1224,18 @@
> return 0;
> }
>
> #if !defined(DISABLE_ACL_CHECK)
>- if ( plugin_call_acl_plugin (pb, e, attrs, NULL,
>+ if ( e && plugin_call_acl_plugin (pb, e, attrs, NULL,
> SLAPI_ACL_READ, ACLPLUGIN_ACCESS_READ_ON_ENTRY, NULL ) != LDAP_SUCCESS ) {
> LDAPDebug( LDAP_DEBUG_ACL, "acl: access to entry not allowed\n",
> 0, 0, 0 );
> return( 1 );
> }
> #endif
>
>- /* Check for possible get_effective_rights control */
>- if ( operation->o_flags & OP_FLAG_GET_EFFECTIVE_RIGHTS ) {
>- char *errbuf = NULL;
>- rc = plugin_call_acl_plugin (pb, e, attrs, NULL, SLAPI_ACL_ALL,
>- ACLPLUGIN_ACCESS_GET_EFFECTIVE_RIGHTS, &errbuf);
>- if ( rc != LDAP_SUCCESS ) {
>- LDAPDebug( LDAP_DEBUG_ANY,
>- "Failed to get effective rights for entry (%s), rc=%d\n",
>- slapi_entry_get_dn_const(e), rc, 0 );
>- /* Send error result and abort op if the control is critical */
>- send_ldap_result( pb, rc, NULL, errbuf, 0, NULL );
>- slapi_ch_free ( (void**)&errbuf );
>- return( -1 );
>- }
>- slapi_ch_free ( (void**)&errbuf );
>+ if (NULL == e) {
>+ return 1; /* everything is ok - don't send the result */
> }
>
> if ( (ber = der_alloc()) == NULL ) {
> LDAPDebug( LDAP_DEBUG_ANY, "ber_alloc failed\n", 0, 0, 0 );
>@@ -1453,8 +1441,12 @@
> log_result( pb, op, LDAP_SUCCESS, tag, nentries );
> }
> }
>
>+ if (gerentry)
>+ {
>+ slapi_entry_free(gerentry);
>+ }
> LDAPDebug( LDAP_DEBUG_TRACE, "<= send_ldap_search_entry\n", 0, 0, 0 );
> exit:
> return( rc );
> }
>Index: ldap/servers/slapd/schema.c
>===================================================================
>RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/schema.c,v
>retrieving revision 1.14
>diff -t -w -U4 -r1.14 schema.c
>--- ldap/servers/slapd/schema.c 10 Jun 2008 18:50:07 -0000 1.14
>+++ ldap/servers/slapd/schema.c 20 Jun 2008 22:36:12 -0000
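Review bot: `gerentry` is declared as NULL at the top of send_ldap_search_entry and released near the end (`if (gerentry) { slapi_entry_free(gerentry); }`), but none of the visible result.c hunks ever assigns it, so the free looks like leftover code from an earlier version of the change. If the template entry is now owned and freed by the caller in opshared.c, drop the variable and the free here so that ownership of the entry is stated in one place. The function body continues outside the hunks, so an assignment elsewhere cannot be ruled out from this view.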
>@@ -1391,10 +1391,10 @@
> return ATTR_SYNTAX_ENUM_NEXT;
> }
>
> /* Return the list of attributes names matching attribute flags */
>-
>-char ** slapi_schema_list_attribute_names(unsigned long flag)
>+char **
>+slapi_schema_list_attribute_names(unsigned long flag)
> {
> struct listargs aew;
> memset(&aew,0,sizeof(struct listargs));
> aew.flag=flag;
>@@ -4965,4 +4965,70 @@
> "schema file reload failed\n" );
> return LDAP_LOCAL_ERROR;
> }
> }
>+
>+/*
>+ * slapi_schema_list_objectclass_attributes:
>+ * Return the list of attributes belonging to the objectclass
>+ *
>+ * The caller is responsible to free the returned list with charray_free.
>+ * flags: one of them or both:
>+ * SLAPI_OC_FLAG_REQUIRED
>+ * SLAPI_OC_FLAG_ALLOWED
>+ */
>+char **
>+slapi_schema_list_objectclass_attributes(const char *ocname_or_oid,
>+ PRUint32 flags)
>+{
>+ struct objclass *oc = NULL;
>+ char **attrs = NULL;
>+ PRUint32 mask = SLAPI_OC_FLAG_REQUIRED | SLAPI_OC_FLAG_ALLOWED;
>+
>+ if (!flags) {
>+ return attrs;
>+ }
>+
>+ oc_lock_read();
>+ oc = oc_find_nolock(ocname_or_oid);
>+ oc_unlock();
>+ if (oc) {
>+ switch (flags & mask) {
>+ case SLAPI_OC_FLAG_REQUIRED:
>+ attrs = charray_dup(oc->oc_required);
>+ break;
>+ case SLAPI_OC_FLAG_ALLOWED:
>+ attrs = charray_dup(oc->oc_allowed);
>+ break;
>+ case SLAPI_OC_FLAG_REQUIRED|SLAPI_OC_FLAG_ALLOWED:
>+ attrs = charray_dup(oc->oc_required);
>+ charray_merge(&attrs, oc->oc_allowed, 1/*copy_strs*/);
>+ break;
>+ default:
>+ slapi_log_error( SLAPI_LOG_FATAL, "list objectclass attributes",
>+ "flag 0x%x not supported\n", flags );
>+ break;
>+ }
>+ }
>+ return attrs;
>+}
>+
>+/*
>+ * slapi_schema_get_superior_name:
>+ * Return the name of the superior objectclass
>+ *
>+ * The caller is responsible to free the returned name
>+ */
>+char *
>+slapi_schema_get_superior_name(const char *ocname_or_oid)
>+{
>+ struct objclass *oc = NULL;
>+ char *superior = NULL;
>+
>+ oc_lock_read();
>+ oc = oc_find_nolock(ocname_or_oid);
>+ oc_unlock();
>+ if (oc) {
>+ superior = slapi_ch_strdup(oc->oc_superior);
>+ }
>+ return superior;
>+}
>Index: ldap/servers/slapd/search.c
>===================================================================
>RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/search.c,v
>retrieving revision 1.8
>diff -t -w -U4 -r1.8 search.c
>--- ldap/servers/slapd/search.c 18 Oct 2007 00:08:34
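Review bot: Both new schema.c functions release the schema read lock before they are done with `oc`: in slapi_schema_list_objectclass_attributes `oc_unlock();` comes directly after `oc_find_nolock()`, and `oc->oc_required` / `oc->oc_allowed` are then copied without the lock, while slapi_schema_get_superior_name does the same with `oc->oc_superior`. If another thread can modify or replace the objectclass list in between (a schema update, for example), these reads race with it and may touch freed memory. Keep the lock held until the copies exist, i.e. move `oc_unlock();` to just before `return attrs;` and `return superior;`. A NULL check on `ocname_or_oid` is also worth adding unless oc_find_nolock already tolerates it, since the argument is later derived from request data.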
-0000 1.8
>+++ ldap/servers/slapd/search.c 20 Jun 2008 22:36:12 -0000
>@@ -70,8 +70,9 @@
> ber_int_t scope, deref, sizelimit, timelimit;
> char *base = NULL, *fstr = NULL;
> struct slapi_filter *filter = NULL;
> char **attrs = NULL;
>+ char **gerattrs = NULL;
> int psearch = 0;
> struct berval *psbvp;
> ber_int_t changetypes;
> int send_entchg_controls;
>@@ -185,22 +186,94 @@
> {
> charray_add(&attrs, slapi_attr_syntax_normalize("aci"));
> charray_add(&attrs, slapi_attr_syntax_normalize(LDAP_ALL_USER_ATTRS));
> }
>+ }
>+
>+ if ( attrs != NULL ) {
>+ int gerattrsiz = 1;
>+ int gerattridx = 0;
>+ int aciin = 0;
>+ /*
>+ * . store gerattrs if any
>+ * . add "aci" once if "*" is given
>+ */
>+ for ( i = 0; attrs[i] != NULL; i++ )
>+ {
>+ char *p = NULL;
>+ /* check if @<objectclass> is included */
>+ p = strchr(attrs[i], '@');
>+ if ( p && '\0' != *(p+1) ) /* don't store "*@", e.g. */
>+ {
>+ int j = 0;
>+ if (gerattridx + 1 >= gerattrsiz)
>+ {
>+ char **tmpgerattrs;
>+ gerattrsiz *= 2;
>+ tmpgerattrs =
>+ (char **)slapi_ch_calloc(1, gerattrsiz*sizeof(char *));
>+ if (NULL != gerattrs)
>+ {
>+ memcpy(tmpgerattrs, gerattrs, gerattrsiz*sizeof(char *));
>+ slapi_ch_free((void **)&gerattrs);
>+ }
>+ gerattrs = tmpgerattrs;
>+ }
>+ for ( j = 0; gerattrs; j++ )
>+ {
>+ char *attri = NULL;
>+ if ( NULL == gerattrs[j] )
>+ {
>+ if (0 == j)
>+ {
>+ /* first time */
>+ gerattrs[gerattridx++] = attrs[i];
>+ /* get rid of "@<objectclass>" part from the attr
>+ list, which is needed only in gerattr list */
>+ *p = '\0';
>+ attri = slapi_ch_strdup(attrs[i]);
>+ attrs[i] = attri;
>+ *p = '@';
>+ }
> else
> {
>- for ( i = 0; attrs[i] != NULL; i++ )
>+ break; /* done */
>+ }
>+ }
>+ else if ( 0 == strcasecmp( attrs[i], gerattrs[j] ))
>+ {
>+ /* skip if attrs[i] is already in gerattrs */
>+ continue;
>+ }
>+ else
> {
>- if ( strcasecmp(attrs[i], LDAP_ALL_USER_ATTRS) == 0 )
>+ char *q = strchr(gerattrs[j], '@'); /* q never be 0 */
>+ if ( 0 != strcasecmp( p+1, q+1 ))
> {
>- charray_add(&attrs, slapi_attr_syntax_normalize("aci"));
>- break;
>+ /* you don't want to display the same template
>+ entry multiple times */
>+ gerattrs[gerattridx++] = attrs[i];
>+ }
>+ /* get rid of "@<objectclass>" part from the attr
>+ list, which is needed only in gerattr list */
>+ *p = '\0';
>+ attri = slapi_ch_strdup(attrs[i]);
>+ attrs[i] = attri;
>+ *p = '@';
> }
> }
> }
>+ else if ( !aciin && strcasecmp(attrs[i], LDAP_ALL_USER_ATTRS) == 0 )
>+ {
>+ charray_add(&attrs, slapi_attr_syntax_normalize("aci"));
>+ aciin = 1;
>+ }
>+ }
>+ if (NULL != gerattrs)
>+ {
>+ gerattrs[gerattridx] = NULL;
> }
>
>- if ( attrs != NULL ) {
> operation->o_searchattrs = cool_charray_dup( attrs );
> for ( i = 0; attrs[i] != NULL; i++ ) {
> char *type;
>
>@@ -260,8 +333,9 @@
> slapi_pblock_set( pb, SLAPI_SEARCH_DEREF, &deref );
> slapi_pblock_set( pb, SLAPI_SEARCH_FILTER, filter );
> slapi_pblock_set( pb, SLAPI_SEARCH_STRFILTER, fstr );
> slapi_pblock_set( pb, SLAPI_SEARCH_ATTRS, attrs );
>+ slapi_pblock_set( pb, SLAPI_SEARCH_GERATTRS, gerattrs );
> slapi_pblock_set( pb, SLAPI_SEARCH_ATTRSONLY, &attrsonly );
> slapi_pblock_set( pb, SLAPI_REQUESTOR_ISROOT, &operation->o_isroot );
> slapi_pblock_set( pb, SLAPI_SEARCH_SIZELIMIT, &sizelimit );
> slapi_pblock_set( pb, SLAPI_SEARCH_TIMELIMIT, &timelimit );
>@@ -290,11 +364,10 @@
> }
> slapi_ch_free_string(&base);
> slapi_ch_free_string(&fstr);
> slapi_filter_free( filter, 1 );
>- if ( attrs != NULL ) {
>- charray_free( attrs );
>- }
>+ charray_free( attrs ); /* passing NULL is fine */
>+ charray_free( gerattrs ); /* passing NULL is fine */
> /*
> * Fix for defect 526719 / 553356 : Persistent search op failed.
> * Marking it as non-persistent so that operation resources get freed
> */
>Index: ldap/servers/slapd/slapi-plugin.h
>===================================================================
>RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/slapi-plugin.h,v
>retrieving revision 1.22
>diff -t -w -U4 -r1.22 slapi-plugin.h
>--- ldap/servers/slapd/slapi-plugin.h 4 Jun 2008 22:22:55 -0000 1.22
>+++ ldap/servers/slapd/slapi-plugin.h 20 Jun 2008 22:36:12 -0000
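Review bot: When the gerattrs array is grown in the search.c `@@ -185` hunk, `memcpy(tmpgerattrs, gerattrs, gerattrsiz*sizeof(char *));` copies the new, already doubled size out of the old buffer, which is only half that large, so it reads past the end of the old allocation and can leave stale non-NULL pointers in the upper half that the `for ( j = 0; gerattrs; j++ )` scan then follows; copy only the used part, `memcpy(tmpgerattrs, gerattrs, gerattridx*sizeof(char *));`. The scan itself appends `attrs[i]` at the first stored entry whose objectclass differs instead of after checking all of them, and keeps running after `attrs[i]` has been replaced by the stripped copy, so one request attribute can be appended more than once (moving `gerattridx` past the single slot the growth check reserved, and storing a string without `@`, which breaks the `q never be 0` assumption) and earlier `slapi_ch_strdup` results are leaked. The attribute list appears to come from the client's search request, so these paths are reachable with ordinary input. Assuming the intent is one gerattrs entry per objectclass, decide "already present" in a bounded pass first and then strip and append exactly once, as sketched below; do_search continues outside the hunk.

```c
int j = 0;
int seen = 0;   /* set when a stored entry already names this objectclass */
/* … unchanged: growth check, with the memcpy limited to gerattridx entries … */
for ( j = 0; j < gerattridx; j++ )
{
    char *q = strchr(gerattrs[j], '@');
    if ( q && 0 == strcasecmp( p+1, q+1 ))
    {
        seen = 1;
        break;
    }
}
{
    char *full = attrs[i];              /* "<attr>@<objectclass>" */
    /* attrs keeps only the attribute name; the "@<objectclass>" form
       is needed only in gerattrs */
    *p = '\0';
    attrs[i] = slapi_ch_strdup(full);
    *p = '@';
    if ( seen )
    {
        slapi_ch_free_string(&full);    /* not referenced anywhere else */
    }
    else
    {
        gerattrs[gerattridx++] = full;  /* ownership moves to gerattrs */
    }
}
```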
>@@ -71,8 +71,11 @@
> /* operation flags */
> #define SLAPI_OP_FLAG_NEVER_CHAIN 0x00800 /* Do not chain the operation */
> #define SLAPI_OP_FLAG_NO_ACCESS_CHECK 0x10000 /* Do not check for access control - bypass them */
>
>+#define SLAPI_OC_FLAG_REQUIRED 0x0001
>+#define SLAPI_OC_FLAG_ALLOWED 0x0002
>+
> /*
> * access control levels
> */
> #define SLAPI_ACL_COMPARE 0x01
>@@ -1702,8 +1705,9 @@
> #define SLAPI_SEARCH_TIMELIMIT 113
> #define SLAPI_SEARCH_FILTER 114
> #define SLAPI_SEARCH_STRFILTER 115
> #define SLAPI_SEARCH_ATTRS 116
>+#define SLAPI_SEARCH_GERATTRS 1160
> #define SLAPI_SEARCH_ATTRSONLY 117
> #define SLAPI_SEARCH_IS_AND 118
>
> /* abandon arguments */
>Index: ldap/servers/slapd/slapi-private.h
>===================================================================
>RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/slapi-private.h,v
>retrieving revision 1.23
>diff -t -w -U4 -r1.23 slapi-private.h
>--- ldap/servers/slapd/slapi-private.h 10 Jun 2008 18:50:07 -0000 1.23
>+++ ldap/servers/slapd/slapi-private.h 20 Jun 2008 22:36:12 -0000
>@@ -573,8 +573,9 @@
> char *search_strfilter;
> char **search_attrs;
> int search_attrsonly;
> int search_is_and;
>+ char **search_gerattrs;
> } p_search;
>
> struct abandon_parameters
> {
>@@ -725,8 +726,13 @@
> #define SLAPI_COMPONENT_NAME_LDAPSDK "LDAP sdk"
>
> /* return the list of attr defined in the schema matching the attr flags */
> char ** slapi_schema_list_attribute_names(unsigned long flag);
>+/* return the list of attributes belonging to the objectclass */
>+char ** slapi_schema_list_objectclass_attributes(const char *ocname_or_oid,
>+ PRUint32 flags);
>+char * slapi_schema_get_superior_name(const char *ocname_or_oid);
>+
> CSN *dup_global_schema_csn();
>
> /* misc function for the chaining backend */
> char * slapi_get_rootdn(); /* return the directory manager dn in use */
>@@ -786,15 +792,16 @@
> * charray.c
> */
> void charray_add( char ***a, char *s );
> void charray_merge( char ***a, char **s, int copy_strs );
>+void charray_merge_nodup( char ***a, char **s, int copy_strs );
> void charray_free( char **array );
> int charray_inlist( char **a, char *s );
> int charray_utf8_inlist( char **a, char *s );
> char ** charray_dup( char **a );
> char ** str2charray( char *str, char *brkstr );
> char ** str2charray_ext( char *str, char *brkstr, int allow_dups );
>-int charray_remove(char **a,const char *s);
>+int charray_remove(char **a, const char *s, int freeit);
> char ** cool_charray_dup( char **a );
> void cool_charray_free( char **array );
> void charray_subtract( char **a, char **b, char ***c );
> int charray_get_index(char **array, char *s);
>@@ -1123,12 +1130,8 @@
> #include <stdio.h> /* GGOODREPL - For BUFSIZ, below, gak */
> const char* escape_string (const char* str, char buf[BUFSIZ]);
> const char* escape_string_with_punctuation(const char* str, char buf[BUFSIZ]);
> const char* escape_filter_value(const char* str, int len, char buf[BUFSIZ]);
>-void charray_add( char ***a, char *s );
>-void charray_free(char **array);
>-int charray_remove(char **a,const char *s);
>-int charray_inlist( char **a, char *s );
>
> char *slapi_berval_get_string_copy(const struct berval *bval);
>
> /* lenstr stuff */
>Index: ldap/servers/plugins/acl/acleffectiverights.c
>===================================================================
>RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/acl/acleffectiverights.c,v
>retrieving revision 1.7
>diff -t -w -U4 -r1.7 acleffectiverights.c
>--- ldap/servers/plugins/acl/acleffectiverights.c 18 Oct 2007 00:08:27 -0000 1.7
>+++ ldap/servers/plugins/acl/acleffectiverights.c 20 Jun 2008 22:36:12 -0000
>@@ -45,9 +45,15 @@
> /* safer than doing strcat unprotected */
> /* news2 is optional, provided as a convenience */
> /* capacity is the capacity of the gerstr, size is the current length */
> static void
>-_append_gerstr(char **gerstr, size_t *capacity, size_t *size, const char *news, const char *news2)
>+_append_gerstr(
>+ char **gerstr,
>+ size_t *capacity,
>+ size_t *size,
>+ const char *news,
>+ const char *news2
>+ )
> {
> size_t len;
> size_t increment = 128;
> size_t fornull;
>@@ -89,9 +95,14 @@
> return;
> }
>
> static int
>-_ger_g_permission_granted ( Slapi_PBlock *pb, Slapi_Entry *e, char **errbuf )
>+_ger_g_permission_granted (
>+ Slapi_PBlock *pb,
>+ Slapi_Entry *e,
>+ const char *subjectdn,
>+ char **errbuf
>+ )
> {
> char *proxydn = NULL;
> Slapi_DN *requestor_sdn, *entry_sdn;
> char *errtext = NULL;
>@@ -150,8 +161,16 @@
> rc = LDAP_SUCCESS;
> goto bailout;
> }
>
>+ /* if the requestor and the subject user are identical, let's grant it */
>+ if ( strcasecmp ( slapi_sdn_get_dn(requestor_sdn), subjectdn ) == 0)
>+ {
>+ /* Requestor should see his own permission rights on any entry */
>+ rc = LDAP_SUCCESS;
>+ goto bailout;
>+ }
>+
> aclutil_str_appened ( errbuf, "get-effective-rights: requestor has no g permission on the entry" );
> slapi_log_error (SLAPI_LOG_ACL, plugin_name,
> "_ger_g_permission_granted: %s\n", *errbuf);
> rc = LDAP_INSUFFICIENT_ACCESS;
>@@ -165,13 +184,19 @@
> return rc;
> }
>
> static int
>-_ger_parse_control ( Slapi_PBlock *pb, char **subjectndn, int *iscritical, char **errbuf )
>+_ger_parse_control (
>+ Slapi_PBlock *pb,
>+ char **subjectndn,
>+ int *iscritical,
>+ char **errbuf
>+ )
> {
> LDAPControl **requestcontrols;
> struct berval *subjectber;
> BerElement *ber;
>+ int subjectndnlen = 0;
>
> if (NULL == subjectndn)
> {
> return LDAP_OPERATIONS_ERROR;
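Review bot: The new shortcut in _ger_g_permission_granted (`@@ -150` hunk) returns LDAP_SUCCESS whenever `strcasecmp ( slapi_sdn_get_dn(requestor_sdn), subjectdn ) == 0`, which skips the `g` permission check entirely, so the identity comparison has to be exact. As written it compares the requestor's un-normalized DN with the normalized subject taken from the control, and it does not guard against a NULL or empty DN on either side, so an anonymous requestor asking about the anonymous subject (`dn:` with an empty DN) may also match and be granted. Compare normalized forms, e.g. `slapi_sdn_get_ndn(requestor_sdn)`, and require a non-empty requestor DN before taking the shortcut. The function starts and ends outside the hunk, so earlier checks may already cover part of this.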
>@@ -230,17 +255,19 @@
> * The current implementation limits the subject to authorization ID
> * (see section 9 of RFC 2829) only. It also only supports the "dnAuthzId"
> * flavor, which looks like "dn:<DN>" where null <DN> is for anonymous.
> */
>- if ( NULL == *subjectndn || strlen (*subjectndn) < 3 ||
>+ subjectndnlen = strlen(*subjectndn);
>+ if ( NULL == *subjectndn || subjectndnlen < 3 ||
> strncasecmp ( "dn:", *subjectndn, 3 ) != 0 )
> {
> aclutil_str_appened ( errbuf, "get-effective-rights: subject is not dnAuthzId" );
> slapi_log_error (SLAPI_LOG_FATAL, plugin_name, "%s\n", *errbuf );
> return LDAP_INVALID_SYNTAX;
> }
>
>- strcpy ( *subjectndn, *subjectndn + 3 );
>+ /* memmove is safe for overlapping copy */
>+ memmove ( *subjectndn, *subjectndn + 3, subjectndnlen - 2);/* 1 for '\0' */
> slapi_dn_normalize ( *subjectndn );
> return LDAP_SUCCESS;
> }
>
>@@ -532,8 +559,29 @@
>
> return attrrights;
> }
>
>+#define GER_GET_ATTR_RIGHTS(attrs) \
>+ for (thisattr = (attrs); thisattr && *thisattr; thisattr++) \
>+ { \
>+ _ger_get_attr_rights (gerpb, e, subjectndn, *thisattr, \
>+ gerstr, gerstrsize, gerstrcap, isfirstattr, errbuf); \
>+ isfirstattr = 0; \
>+ } \
>+
>+#define GER_GET_ATTR_RIGHTA_EXT(c, inattrs, exattrs); \
>+ for ( i = 0; attrs[i]; i++ ) \
>+ { \
>+ if ((c) != *attrs[i] && charray_inlist((inattrs), attrs[i]) && \
>+ !charray_inlist((exattrs), attrs[i])) \
>+ { \
>+ _ger_get_attr_rights ( gerpb, e, subjectndn, attrs[i], \
>+ gerstr, gerstrsize, gerstrcap, isfirstattr, errbuf ); \
>+ isfirstattr = 0; \
>+ } \
>+ }
>+
>+
> void
> _ger_get_attrs_rights (
> Slapi_PBlock *gerpb,
> Slapi_Entry *e,
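Review bot: In _ger_parse_control, `subjectndnlen = strlen(*subjectndn);` now runs before the `NULL == *subjectndn` test on the following line, so a control that yields no subject string is dereferenced before it can be rejected; the removed line relied on short-circuit evaluation to avoid exactly that. Take the length only after the NULL check, e.g. `subjectndnlen = *subjectndn ? strlen(*subjectndn) : 0;`, and declare the variable as `size_t` to match strlen. The memmove length `subjectndnlen - 2` is correct once the length is known to be at least 3. The function starts outside the hunk.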
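Review bot: `#define GER_GET_ATTR_RIGHTA_EXT(c, inattrs, exattrs); \` carries a stray semicolon after the parameter list, which becomes part of every expansion, and GER_GET_ATTR_RIGHTS ends with a line continuation after its closing brace that pulls the following blank line into the macro. Both macros also depend on names from the calling function that are not parameters (`i`, `attrs`, `thisattr`, `isfirstattr`, `gerstr` and others), and RIGHTA looks like a typo for RIGHTS. A `static` helper that takes the lists as arguments would be type-checked and easier to audit; at minimum remove the `;` and the trailing `\` and wrap each body in `do { ... } while (0)`.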
>@@ -551,15 +599,79 @@
> _append_gerstr(gerstr, gerstrsize, gerstrcap, "attributeLevelRights: ", NULL);
>
> if (attrs && *attrs)
> {
>- int i;
>+ int i = 0;
>+ char **allattrs = NULL;
>+ char **opattrs = NULL;
>+ char **myattrs = NULL;
>+ char **thisattr = NULL;
>+ int hasstar = charray_inlist(attrs, "*");
>+ int hasplus = charray_inlist(attrs, "+");
>+ Slapi_Attr *objclasses = NULL;
>+ Slapi_ValueSet *objclassvals = NULL;
>+
>+ /* get all attrs available for the entry */
>+ slapi_entry_attr_find(e, "objectclass", &objclasses);
>+ if (NULL != objclasses) {
>+ Slapi_Value *v;
>+ slapi_attr_get_valueset(objclasses, &objclassvals);
>+ i = slapi_valueset_first_value(objclassvals, &v);
>+ if (-1 != i) {
>+ allattrs = slapi_schema_list_objectclass_attributes(
>+ (const char *)v->bv.bv_val,
>+ SLAPI_OC_FLAG_REQUIRED|SLAPI_OC_FLAG_ALLOWED);
>+ /* add "aci" to the allattrs to adjust to do_search */
>+ charray_add(&allattrs, slapi_attr_syntax_normalize("aci"));
>+ while (-1 != i)
>+ {
>+ i = slapi_valueset_next_value(objclassvals, i, &v);
>+ if (-1 != i)
>+ {
>+ myattrs = slapi_schema_list_objectclass_attributes(
>+ (const char *)v->bv.bv_val,
>+ SLAPI_OC_FLAG_REQUIRED|SLAPI_OC_FLAG_ALLOWED);
>+ charray_merge_nodup(&allattrs, myattrs, 1/*copy_strs*/);
>+ charray_free(myattrs);
>+ }
>+ }
>+ }
>+ }
>+
>+ /* get operational attrs */
>+ opattrs = slapi_schema_list_attribute_names(SLAPI_ATTR_FLAG_OPATTR);
>+
>+ if (hasstar && hasplus)
>+ {
>+ GER_GET_ATTR_RIGHTS(allattrs);
>+ GER_GET_ATTR_RIGHTS(opattrs);
>+ }
>+ else if (hasstar)
>+ {
>+ GER_GET_ATTR_RIGHTS(allattrs);
>+ GER_GET_ATTR_RIGHTA_EXT('*', opattrs, allattrs);
>+ }
>+ else if (hasplus)
>+ {
>+ GER_GET_ATTR_RIGHTS(opattrs);
>+ GER_GET_ATTR_RIGHTA_EXT('+', allattrs, opattrs);
>+ }
>+ else
>+ {
> for ( i = 0; attrs[i]; i++ )
> {
>- _ger_get_attr_rights ( gerpb, e, subjectndn, attrs[i], gerstr, gerstrsize, gerstrcap, isfirstattr, errbuf );
>+ if (charray_inlist(allattrs, attrs[i]) ||
>+ charray_inlist(opattrs, attrs[i]))
>+ {
>+ _ger_get_attr_rights ( gerpb, e, subjectndn, attrs[i],
>+ gerstr, gerstrsize, gerstrcap, isfirstattr, errbuf );
> isfirstattr = 0;
> }
> }
>+ }
>+ charray_free(allattrs);
>+ charray_free(opattrs);
>+ }
> else
> {
> Slapi_Attr *prevattr = NULL, *attr;
> char *type;
>@@ -568,9 +680,10 @@
> {
> if ( ! slapi_attr_flag_is_set (attr, SLAPI_ATTR_FLAG_OPATTR) )
> {
> slapi_attr_get_type ( attr, &type );
>- _ger_get_attr_rights ( gerpb, e, subjectndn, type, gerstr, gerstrsize, gerstrcap, isfirstattr, errbuf );
>+ _ger_get_attr_rights ( gerpb, e, subjectndn, type, gerstr,
>+ gerstrsize, gerstrcap, isfirstattr, errbuf );
> isfirstattr = 0;
> }
> prevattr = attr;
> }
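Review bot: `slapi_attr_get_valueset(objclasses, &objclassvals);` in the `@@ -551` hunk hands back a value set that, as far as I know, is a copy the caller has to release, and nothing in the hunk frees `objclassvals`, so every entry processed with an explicit attribute list would leak it; please confirm and add `slapi_valueset_free(objclassvals);` next to the two charray_free calls. The code also reaches into the value directly with `v->bv.bv_val`, where `slapi_value_get_string(v)` is the accessor for that. In the final `else` branch, requested attributes found in neither `allattrs` nor `opattrs` are now silently left out of attributeLevelRights, which is a visible behaviour change worth stating in the function comment. The function starts and ends outside the hunk.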
>@@ -647,8 +760,133 @@
> ber_bvfree ( berval ); /* ber_bvfree() checks for NULL param */
> }
>
> int
>+_ger_generate_template_entry (
>+ Slapi_PBlock *pb
>+ )
>+{
>+ Slapi_Entry *e = NULL;
>+ char **gerattrs = NULL;
>+ char **attrs = NULL;
>+ char *templateentry = NULL;
>+ char *object = NULL;
>+ char *superior = NULL;
>+ char *p = NULL;
>+ int siz = 0;
>+ int len = 0;
>+ int i = 0;
>+ int notfirst = 0;
>+ int rc = LDAP_SUCCESS;
>+
>+ slapi_pblock_get( pb, SLAPI_SEARCH_GERATTRS, &gerattrs );
>+ if (NULL == gerattrs)
>+ {
>+ slapi_log_error (SLAPI_LOG_FATAL, plugin_name,
>+ "Objectclass info is expected "
>+ "in the attr list, e.g., \"*@person\"\n");
>+ rc = LDAP_SUCCESS;
>+ goto bailout;
>+ }
>+ for (i = 0; gerattrs && gerattrs[i]; i++)
>+ {
>+ object = strchr(gerattrs[i], '@');
>+ if (NULL != object && '\0' != *(++object))
>+ {
>+ break;
>+ }
>+ }
>+ if (NULL == object)
>+ {
>+ rc = LDAP_SUCCESS; /* no objectclass info; ok to return */
>+ goto bailout;
>+ }
>+ attrs = slapi_schema_list_objectclass_attributes(
>+ (const char *)object, SLAPI_OC_FLAG_REQUIRED);
>+ if (NULL == attrs)
>+ {
>+ rc = LDAP_SUCCESS; /* bogus objectclass info; ok to return */
>+ goto bailout;
>+ }
>+ for (i = 0; attrs[i]; i++)
>+ {
>+ if (0 == strcasecmp(attrs[i], "objectclass"))
>+ {
>+ /* <*attrp>: <object>\n\0 */
>+ siz += strlen(attrs[i]) + 4 + strlen(object);
>+ }
>+ else
>+ {
>+ /* <*attrp>: dummy\n\0 */
>+ siz += strlen(attrs[i]) + 4 + 5;
>+ }
>+ }
>+ siz += 32 + strlen(object); /* dn: cn=<template_name>\n\0 */
>+ templateentry = (char *)slapi_ch_malloc(siz);
>+ PR_snprintf(templateentry, siz,
>+ "dn: cn=template_%s_objectclass\n", object);
>+ for (--i; i >= 0; i--)
>+ {
>+ len = strlen(templateentry);
>+ p = templateentry + len;
>+ if (0 == strcasecmp(attrs[i], "objectclass"))
>+ {
>+ PR_snprintf(p, siz - len, "%s: %s\n", attrs[i], object);
>+ }
>+ else
>+ {
>+ PR_snprintf(p, siz - len, "%s: dummy\n", attrs[i]);
>+ }
>+ }
>+ charray_free(attrs);
>+
>+ while ((superior = slapi_schema_get_superior_name(object)) &&
>+ (0 != strcasecmp(superior, "top")))
>+ {
>+ if (notfirst)
>+ {
>+ slapi_ch_free_string(&object);
>+ }
>+ notfirst = 1;
>+ object = superior;
>+ attrs = slapi_schema_list_objectclass_attributes(
>+ (const char *)superior, SLAPI_OC_FLAG_REQUIRED);
>+ for (i = 0; attrs && attrs[i]; i++)
>+ {
>+ if (0 == strcasecmp(attrs[i], "objectclass"))
>+ {
>+ /* <*attrp>: <object>\n\0 */
>+ siz += strlen(attrs[i]) + 4 + strlen(object);
>+ }
>+ }
>+ templateentry = (char *)slapi_ch_realloc(templateentry, siz);
>+ for (--i; i >= 0; i--)
>+ {
>+ len = strlen(templateentry);
>+ p = templateentry + len;
>+ if (0 == strcasecmp(attrs[i], "objectclass"))
>+ {
>+ PR_snprintf(p, siz - len, "%s: %s\n", attrs[i], object);
>+ }
>+ }
>+ charray_free(attrs);
>+ }
>+ slapi_ch_free_string(&superior);
>+ siz += 18; /* objectclass: top\n\0 */
>+ len = strlen(templateentry);
>+ templateentry = (char *)slapi_ch_realloc(templateentry, siz);
>+ p = templateentry + len;
>+ PR_snprintf(p, siz - len, "objectclass: top\n");
>+
>+ e = slapi_str2entry(templateentry, SLAPI_STR2ENTRY_NOT_WELL_FORMED_LDIF);
>+ /* set the template entry to send the result to clients */
>+ slapi_pblock_set(pb, SLAPI_SEARCH_RESULT_ENTRY, e);
>+bailout:
>+ slapi_ch_free_string(&templateentry);
>+ return rc;
>+}
>+
>+int
> acl_get_effective_rights (
> Slapi_PBlock *pb,
> Slapi_Entry *e, /* target entry */
> char **attrs, /* Attribute of the entry */
>@@ -663,12 +901,22 @@
> char *gerstr = NULL;
> size_t gerstrsize = 0;
> size_t gerstrcap = 0;
> int iscritical = 1;
>- int rc;
>+ int rc = LDAP_SUCCESS;
>
> *errbuf = '\0';
>
>+ if (NULL == e) /* create a template entry from SLAPI_SEARCH_GERATTRS */
>+ {
>+ rc = _ger_generate_template_entry ( pb );
>+ slapi_pblock_get ( pb, SLAPI_SEARCH_RESULT_ENTRY, &e );
>+ if ( rc != LDAP_SUCCESS || NULL == e )
>+ {
>+ goto bailout;
>+ }
>+ }
>+
> /*
> * Get the subject
> */
> rc = _ger_parse_control (pb, &subjectndn, &iscritical, errbuf );
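Review bot: In _ger_generate_template_entry the walk up the superior chain leaks the last superior that is not `top`: `object` is freed only at the start of the next iteration (`if (notfirst)`), and after the loop only `superior` is released, so when the loop ends `object` still points at an allocated name that nobody frees. Release it after the loop with `if (notfirst) slapi_ch_free_string(&object);`, placed after the last use of `object`. The loop has no bound of its own, so it relies on every objectclass chain ending at `top` or at a missing superior, and a short comment saying so would help. The new function is not declared `static` although the neighbouring helpers are, which is worth aligning if it is only used in this file.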
>@@ -680,9 +928,9 @@
> /*
> * The requestor should have g permission on the entry
> * to get the effective rights.
> */
>- rc = _ger_g_permission_granted (pb, e, errbuf);
>+ rc = _ger_g_permission_granted (pb, e, subjectndn, errbuf);
> if ( rc != LDAP_SUCCESS )
> {
> goto bailout;
> }
>@@ -717,9 +965,9 @@
> }
>
> slapi_log_error (SLAPI_LOG_ACLSUMMARY, plugin_name,
> "###### Effective Rights on Entry (%s) for Subject (%s) ######\n",
>- slapi_entry_get_ndn (e), subjectndn);
>+ e?slapi_entry_get_ndn(e):"null", subjectndn?subjectndn:"null");
> slapi_log_error (SLAPI_LOG_ACLSUMMARY, plugin_name, "%s\n", gerstr);
>
> /* Restore pb */
> _ger_release_gerpb ( &gerpb, &aclcb, pb );
>Index: ldap/servers/plugins/chainingdb/cb_config.c
>===================================================================
>RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/chainingdb/cb_config.c,v
>retrieving revision 1.6
>diff -t -w -U4 -r1.6 cb_config.c
>--- ldap/servers/plugins/chainingdb/cb_config.c 10 Nov 2006 23:44:50 -0000 1.6
>+++ ldap/servers/plugins/chainingdb/cb_config.c 20 Jun 2008 22:36:12 -0000
>@@ -476,9 +476,10 @@
> slapi_dn_normalize(slapi_ch_strdup(config_attr_value)));
> } else
> if ( (mods[i]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_DELETE) {
> charray_remove(cb->config.chaining_components,
>- slapi_dn_normalize(slapi_ch_strdup(config_attr_value)));
>+ slapi_dn_normalize(slapi_ch_strdup(config_attr_value)),
>+ 0 /* freeit */);
> }
> }
> if (NULL == mods[i]->mod_bvalues) {
> charray_free(cb->config.chaining_components);
>@@ -512,9 +513,10 @@
> } else
> if ( (mods[i]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_DELETE) {
> charray_remove(cb->config.chainable_components,
> slapi_dn_normalize(slapi_ch_strdup(config_attr_value)
>-));
>+),
>+ 0 /* freeit */);
> }
> }
> if (NULL == mods[i]->mod_bvalues) {
> charray_free(cb->config.chainable_components);
>Index: ldap/servers/plugins/chainingdb/cb_controls.c
>===================================================================
>RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/chainingdb/cb_controls.c,v
>retrieving revision 1.8
>diff -t -w -U4 -r1.8 cb_controls.c
>--- ldap/servers/plugins/chainingdb/cb_controls.c 10 Nov 2006 23:44:50 -0000 1.8
>+++ ldap/servers/plugins/chainingdb/cb_controls.c 20 Jun 2008 22:36:12 -0000
>@@ -90,9 +90,9 @@
> PR_RWLock_Unlock(cb->config.rwl_config_lock);
> return;
> }
> if ( controlops == 0 ) {
>- charray_remove(cb->config.forward_ctrls,controloid);
>+ charray_remove(cb->config.forward_ctrls,controloid,0/* free it */);
> }
> PR_RWLock_Unlock(cb->config.rwl_config_lock);
> }
> }
>Index: ldap/servers/plugins/chainingdb/cb_instance.c
>===================================================================
>RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/chainingdb/cb_instance.c,v
>retrieving revision 1.8
>diff -t -w -U4 -r1.8 cb_instance.c
>--- ldap/servers/plugins/chainingdb/cb_instance.c 18 Oct 2007 00:08:28 -0000 1.8
>+++ ldap/servers/plugins/chainingdb/cb_instance.c 20 Jun 2008 22:36:12 -0000
>@@ -391,9 +391,10 @@
> slapi_ch_strdup(config_attr_value));
> } else
> if ( (mods[i]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_DELETE) {
> charray_remove(inst->illegal_attributes,
>- slapi_ch_strdup(config_attr_value));
>+ slapi_ch_strdup(config_attr_value),
>+ 0 /* freeit */);
> }
> }
> if (NULL == mods[i]->mod_bvalues) {
> charray_free(inst->illegal_attributes);
>@@ -425,9 +426,10 @@
> slapi_dn_normalize(slapi_ch_strdup(config_attr_value)));
> } else
> if ( (mods[i]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_DELETE) {
> charray_remove(inst->chaining_components,
>- slapi_dn_normalize(slapi_ch_strdup(config_attr_value)));
>+ slapi_dn_normalize(slapi_ch_strdup(config_attr_value)),
>+ 0 /* freeit */);
> }
> }
> if (NULL == mods[i]->mod_bvalues) {
> charray_free(inst->chaining_components);
Attachments on
bug 437525
: 309953 |
310288
|
310471