Red Hat Bugzilla – Attachment 310288 Details for
Bug 437525
GER: allow GER for non-existing entries
[patch]
revised diffs (schema.c, acleffective
revised.diffs (text/plain), 18.37 KB, created by
Noriko Hosoi
on 2008-06-25 18:46:49 UTC
Description:
revised diffs (schema.c, acleffective
Filename:
MIME Type:
Creator:
Noriko Hosoi
Created:
2008-06-25 18:46:49 UTC
Size:
18.37 KB
patch
obsolete
>Index: schema.c
>===================================================================
>RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/schema.c,v
>retrieving revision 1.14
>diff -t -w -U4 -r1.14 schema.c
>--- schema.c 10 Jun 2008 18:50:07 -0000 1.14
>+++ schema.c 25 Jun 2008 18:26:13 -0000
>@@ -1391,10 +1391,10 @@
> return ATTR_SYNTAX_ENUM_NEXT;
> }
>
> /* Return the list of attributes names matching attribute flags */
>-
>-char ** slapi_schema_list_attribute_names(unsigned long flag)
>+char **
>+slapi_schema_list_attribute_names(unsigned long flag)
> {
> struct listargs aew;
> memset(&aew,0,sizeof(struct listargs));
> aew.flag=flag;
>@@ -4965,4 +4965,70 @@
> "schema file reload failed\n" );
> return LDAP_LOCAL_ERROR;
> }
> }
>+
>+/*
>+ * slapi_schema_list_objectclass_attributes:
>+ * Return the list of attributes belonging to the objectclass
>+ *
>+ * The caller is responsible to free the returned list with charray_free.
>+ * flags: one of them or both:
>+ * SLAPI_OC_FLAG_REQUIRED
>+ * SLAPI_OC_FLAG_ALLOWED
>+ */
>+char **
>+slapi_schema_list_objectclass_attributes(const char *ocname_or_oid,
>+ PRUint32 flags)
>+{
>+ struct objclass *oc = NULL;
>+ char **attrs = NULL;
>+ PRUint32 mask = SLAPI_OC_FLAG_REQUIRED | SLAPI_OC_FLAG_ALLOWED;
>+
>+ if (!flags) {
>+ return attrs;
>+ }
>+
>+ oc_lock_read();
>+ oc = oc_find_nolock(ocname_or_oid);
>+ if (oc) {
>+ switch (flags & mask) {
>+ case SLAPI_OC_FLAG_REQUIRED:
>+ attrs = charray_dup(oc->oc_required);
>+ break;
>+ case SLAPI_OC_FLAG_ALLOWED:
>+ attrs = charray_dup(oc->oc_allowed);
>+ break;
>+ case SLAPI_OC_FLAG_REQUIRED|SLAPI_OC_FLAG_ALLOWED:
>+ attrs = charray_dup(oc->oc_required);
>+ charray_merge(&attrs, oc->oc_allowed, 1/*copy_strs*/);
>+ break;
>+ default:
>+ slapi_log_error( SLAPI_LOG_FATAL, "list objectclass attributes",
>+ "flag 0x%x not supported\n", flags );
>+ break;
>+ }
>+ }
>+ oc_unlock();
>+ return attrs;
>+}
>+
>+/*
>+ * slapi_schema_get_superior_name:
>+ * Return the name of the superior objectclass
>+ *
>+ * The caller is responsible to free the returned name
>+ */
>+char *
>+slapi_schema_get_superior_name(const char *ocname_or_oid)
>+{
>+ struct objclass *oc = NULL;
>+ char *superior = NULL;
>+
>+ oc_lock_read();
>+ oc = oc_find_nolock(ocname_or_oid);
>+ if (oc) {
>+ superior = slapi_ch_strdup(oc->oc_superior);
>+ }
>+ oc_unlock();
>+ return superior;
>+}
>
>Index: acleffectiverights.c
>===================================================================
>RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/acl/acleffectiverights.c,v
>retrieving revision 1.7
>diff -t -w -U4 -r1.7 acleffectiverights.c
>--- acleffectiverights.c 18 Oct 2007 00:08:27 -0000 1.7
>+++ acleffectiverights.c 25 Jun 2008 18:39:24 -0000
>@@ -45,9 +45,15 @@
> /* safer than doing strcat unprotected */
> /* news2 is optional, provided as a convenience */
> /* capacity is the capacity of the gerstr, size is the current length */
> static void
>-_append_gerstr(char **gerstr, size_t *capacity, size_t *size, const char *news, const char *news2)
>+_append_gerstr(
>+ char **gerstr,
>+ size_t *capacity,
>+ size_t *size,
>+ const char *news,
>+ const char *news2
>+ )
> {
> size_t len;
> size_t increment = 128;
> size_t fornull;
>@@ -89,9 +95,14 @@
> return;
> }
>
> static int
>-_ger_g_permission_granted ( Slapi_PBlock *pb, Slapi_Entry *e, char **errbuf )
>+_ger_g_permission_granted (
>+ Slapi_PBlock *pb,
>+ Slapi_Entry *e,
>+ const char *subjectdn,
>+ char **errbuf
>+ )
> {
> char *proxydn = NULL;
> Slapi_DN *requestor_sdn, *entry_sdn;
> char *errtext = NULL;
>@@ -150,8 +161,16 @@
> rc = LDAP_SUCCESS;
> goto bailout;
> }
>
>+ /* if the requestor and the subject user are identical, let's grant it */
>+ if ( strcasecmp ( slapi_sdn_get_ndn(requestor_sdn), subjectdn ) == 0)
>+ {
>+ /* Requestor should see his own permission rights on any entry */
>+ rc = LDAP_SUCCESS;
>+ goto bailout;
>+ }
>+
> aclutil_str_appened ( errbuf, "get-effective-rights: requestor has no g permission on the entry" );
> slapi_log_error (SLAPI_LOG_ACL, plugin_name,
> "_ger_g_permission_granted: %s\n", *errbuf);
> rc = LDAP_INSUFFICIENT_ACCESS;
>@@ -165,13 +184,19 @@
> return rc;
> }
>
> static int
>-_ger_parse_control ( Slapi_PBlock *pb, char **subjectndn, int *iscritical, char **errbuf )
>+_ger_parse_control (
>+ Slapi_PBlock *pb,
>+ char **subjectndn,
>+ int *iscritical,
>+ char **errbuf
>+ )
> {
> LDAPControl **requestcontrols;
> struct berval *subjectber;
> BerElement *ber;
>+ int subjectndnlen = 0;
>
> if (NULL == subjectndn)
> {
> return LDAP_OPERATIONS_ERROR;
>@@ -230,17 +255,19 @@
> * The current implementation limits the subject to authorization ID
> * (see section 9 of RFC 2829) only. It also only supports the "dnAuthzId"
> * flavor, which looks like "dn:<DN>" where null <DN> is for anonymous.
> */
>- if ( NULL == *subjectndn || strlen (*subjectndn) < 3 ||
>+ subjectndnlen = strlen(*subjectndn);
>+ if ( NULL == *subjectndn || subjectndnlen < 3 ||
> strncasecmp ( "dn:", *subjectndn, 3 ) != 0 )
> {
> aclutil_str_appened ( errbuf, "get-effective-rights: subject is not dnAuthzId" );
> slapi_log_error (SLAPI_LOG_FATAL, plugin_name, "%s\n", *errbuf );
> return LDAP_INVALID_SYNTAX;
> }
>
>- strcpy ( *subjectndn, *subjectndn + 3 );
>+ /* memmove is safe for overlapping copy */
>+ memmove ( *subjectndn, *subjectndn + 3, subjectndnlen - 2);/* 1 for '\0' */
> slapi_dn_normalize ( *subjectndn );
> return LDAP_SUCCESS;
> }
>
>@@ -532,8 +559,29 @@
>
> return attrrights;
> }
>
>+#define GER_GET_ATTR_RIGHTS(attrs) \
>+ for (thisattr = (attrs); thisattr && *thisattr; thisattr++) \
>+ { \
>+ _ger_get_attr_rights (gerpb, e, subjectndn, *thisattr, \
>+ gerstr, gerstrsize, gerstrcap, isfirstattr, errbuf); \
>+ isfirstattr = 0; \
>+ } \
>+
>+#define GER_GET_ATTR_RIGHTA_EXT(c, inattrs, exattrs); \
>+ for ( i = 0; attrs[i]; i++ ) \
>+ { \
>+ if ((c) != *attrs[i] && charray_inlist((inattrs), attrs[i]) && \
>+ !charray_inlist((exattrs), attrs[i])) \
>+ { \
>+ _ger_get_attr_rights ( gerpb, e, subjectndn, attrs[i], \
>+ gerstr, gerstrsize, gerstrcap, isfirstattr, errbuf ); \
>+ isfirstattr = 0; \
>+ } \
>+ }
>+
>+
> void
> _ger_get_attrs_rights (
> Slapi_PBlock *gerpb,
> Slapi_Entry *e,
>@@ -551,15 +599,79 @@
> _append_gerstr(gerstr, gerstrsize, gerstrcap, "attributeLevelRights: ", NULL);
>
> if (attrs && *attrs)
> {
>- int i;
>+ int i = 0;
>+ char **allattrs = NULL;
>+ char **opattrs = NULL;
>+ char **myattrs = NULL;
>+ char **thisattr = NULL;
>+ int hasstar = charray_inlist(attrs, "*");
>+ int hasplus = charray_inlist(attrs, "+");
>+ Slapi_Attr *objclasses = NULL;
>+ Slapi_ValueSet *objclassvals = NULL;
>+
>+ /* get all attrs available for the entry */
>+ slapi_entry_attr_find(e, "objectclass", &objclasses);
>+ if (NULL != objclasses) {
>+ Slapi_Value *v;
>+ slapi_attr_get_valueset(objclasses, &objclassvals);
>+ i = slapi_valueset_first_value(objclassvals, &v);
>+ if (-1 != i) {
>+ allattrs = slapi_schema_list_objectclass_attributes(
>+ (const char *)v->bv.bv_val,
>+ SLAPI_OC_FLAG_REQUIRED|SLAPI_OC_FLAG_ALLOWED);
>+ /* add "aci" to the allattrs to adjust to do_search */
>+ charray_add(&allattrs, slapi_attr_syntax_normalize("aci"));
>+ while (-1 != i)
>+ {
>+ i = slapi_valueset_next_value(objclassvals, i, &v);
>+ if (-1 != i)
>+ {
>+ myattrs = slapi_schema_list_objectclass_attributes(
>+ (const char *)v->bv.bv_val,
>+ SLAPI_OC_FLAG_REQUIRED|SLAPI_OC_FLAG_ALLOWED);
>+ charray_merge_nodup(&allattrs, myattrs, 1/*copy_strs*/);
>+ charray_free(myattrs);
>+ }
>+ }
>+ }
>+ }
>+
>+ /* get operational attrs */
>+ opattrs = slapi_schema_list_attribute_names(SLAPI_ATTR_FLAG_OPATTR);
>+
>+ if (hasstar && hasplus)
>+ {
>+ GER_GET_ATTR_RIGHTS(allattrs);
>+ GER_GET_ATTR_RIGHTS(opattrs);
>+ }
>+ else if (hasstar)
>+ {
>+ GER_GET_ATTR_RIGHTS(allattrs);
>+ GER_GET_ATTR_RIGHTA_EXT('*', opattrs, allattrs);
>+ }
>+ else if (hasplus)
>+ {
>+ GER_GET_ATTR_RIGHTS(opattrs);
>+ GER_GET_ATTR_RIGHTA_EXT('+', allattrs, opattrs);
>+ }
>+ else
>+ {
> for ( i = 0; attrs[i]; i++ )
> {
>- _ger_get_attr_rights ( gerpb, e, subjectndn, attrs[i], gerstr, gerstrsize, gerstrcap, isfirstattr, errbuf );
>+ if (charray_inlist(allattrs, attrs[i]) ||
>+ charray_inlist(opattrs, attrs[i]))
>+ {
>+ _ger_get_attr_rights ( gerpb, e, subjectndn, attrs[i],
>+ gerstr, gerstrsize, gerstrcap, isfirstattr, errbuf );
> isfirstattr = 0;
> }
> }
>+ }
>+ charray_free(allattrs);
>+ charray_free(opattrs);
>+ }
> else
> {
> Slapi_Attr *prevattr = NULL, *attr;
> char *type;
>@@ -568,9 +680,10 @@
> {
> if ( ! slapi_attr_flag_is_set (attr, SLAPI_ATTR_FLAG_OPATTR) )
> {
> slapi_attr_get_type ( attr, &type );
>- _ger_get_attr_rights ( gerpb, e, subjectndn, type, gerstr, gerstrsize, gerstrcap, isfirstattr, errbuf );
>+ _ger_get_attr_rights ( gerpb, e, subjectndn, type, gerstr,
>+ gerstrsize, gerstrcap, isfirstattr, errbuf );
> isfirstattr = 0;
> }
> prevattr = attr;
> }
>@@ -647,8 +760,133 @@
> ber_bvfree ( berval ); /* ber_bvfree() checks for NULL param */
> }
>
> int
>+_ger_generate_template_entry (
>+ Slapi_PBlock *pb
>+ )
>+{
>+ Slapi_Entry *e = NULL;
>+ char **gerattrs = NULL;
>+ char **attrs = NULL;
>+ char *templateentry = NULL;
>+ char *object = NULL;
>+ char *superior = NULL;
>+ char *p = NULL;
>+ int siz = 0;
>+ int len = 0;
>+ int i = 0;
>+ int notfirst = 0;
>+ int rc = LDAP_SUCCESS;
>+
>+ slapi_pblock_get( pb, SLAPI_SEARCH_GERATTRS, &gerattrs );
>+ if (NULL == gerattrs)
>+ {
>+ slapi_log_error (SLAPI_LOG_FATAL, plugin_name,
>+ "Objectclass info is expected "
>+ "in the attr list, e.g., \"*@person\"\n");
>+ rc = LDAP_SUCCESS;
>+ goto bailout;
>+ }
>+ for (i = 0; gerattrs && gerattrs[i]; i++)
>+ {
>+ object = strchr(gerattrs[i], '@');
>+ if (NULL != object && '\0' != *(++object))
>+ {
>+ break;
>+ }
>+ }
>+ if (NULL == object)
>+ {
>+ rc = LDAP_SUCCESS; /* no objectclass info; ok to return */
>+ goto bailout;
>+ }
>+ attrs = slapi_schema_list_objectclass_attributes(
>+ (const char *)object, SLAPI_OC_FLAG_REQUIRED);
>+ if (NULL == attrs)
>+ {
>+ rc = LDAP_SUCCESS; /* bogus objectclass info; ok to return */
>+ goto bailout;
>+ }
>+ for (i = 0; attrs[i]; i++)
>+ {
>+ if (0 == strcasecmp(attrs[i], "objectclass"))
>+ {
>+ /* <*attrp>: <object>\n\0 */
>+ siz += strlen(attrs[i]) + 4 + strlen(object);
>+ }
>+ else
>+ {
>+ /* <*attrp>: dummy\n\0 */
>+ siz += strlen(attrs[i]) + 4 + 5;
>+ }
>+ }
>+ siz += 32 + strlen(object); /* dn: cn=<template_name>\n\0 */
>+ templateentry = (char *)slapi_ch_malloc(siz);
>+ PR_snprintf(templateentry, siz,
>+ "dn: cn=template_%s_objectclass\n", object);
>+ for (--i; i >= 0; i--)
>+ {
>+ len = strlen(templateentry);
>+ p = templateentry + len;
>+ if (0 == strcasecmp(attrs[i], "objectclass"))
>+ {
>+ PR_snprintf(p, siz - len, "%s: %s\n", attrs[i], object);
>+ }
>+ else
>+ {
>+ PR_snprintf(p, siz - len, "%s: dummy\n", attrs[i]);
>+ }
>+ }
>+ charray_free(attrs);
>+
>+ while ((superior = slapi_schema_get_superior_name(object)) &&
>+ (0 != strcasecmp(superior, "top")))
>+ {
>+ if (notfirst)
>+ {
>+ slapi_ch_free_string(&object);
>+ }
>+ notfirst = 1;
>+ object = superior;
>+ attrs = slapi_schema_list_objectclass_attributes(
>+ (const char *)superior, SLAPI_OC_FLAG_REQUIRED);
>+ for (i = 0; attrs && attrs[i]; i++)
>+ {
>+ if (0 == strcasecmp(attrs[i], "objectclass"))
>+ {
>+ /* <*attrp>: <object>\n\0 */
>+ siz += strlen(attrs[i]) + 4 + strlen(object);
>+ }
>+ }
>+ templateentry = (char *)slapi_ch_realloc(templateentry, siz);
>+ for (--i; i >= 0; i--)
>+ {
>+ len = strlen(templateentry);
>+ p = templateentry + len;
>+ if (0 == strcasecmp(attrs[i], "objectclass"))
>+ {
>+ PR_snprintf(p, siz - len, "%s: %s\n", attrs[i], object);
>+ }
>+ }
>+ charray_free(attrs);
>+ }
>+ slapi_ch_free_string(&superior);
>+ siz += 18; /* objectclass: top\n\0 */
>+ len = strlen(templateentry);
>+ templateentry = (char *)slapi_ch_realloc(templateentry, siz);
>+ p = templateentry + len;
>+ PR_snprintf(p, siz - len, "objectclass: top\n");
>+
>+ e = slapi_str2entry(templateentry, SLAPI_STR2ENTRY_NOT_WELL_FORMED_LDIF);
>+ /* set the template entry to send the result to clients */
>+ slapi_pblock_set(pb, SLAPI_SEARCH_RESULT_ENTRY, e);
>+bailout:
>+ slapi_ch_free_string(&templateentry);
>+ return rc;
>+}
>+
>+int
> acl_get_effective_rights (
> Slapi_PBlock *pb,
> Slapi_Entry *e, /* target entry */
> char **attrs, /* Attribute of the entry */
>@@ -663,12 +901,22 @@
> char *gerstr = NULL;
> size_t gerstrsize = 0;
> size_t gerstrcap = 0;
> int iscritical = 1;
>- int rc;
>+ int rc = LDAP_SUCCESS;
>
> *errbuf = '\0';
>
>+ if (NULL == e) /* create a template entry from SLAPI_SEARCH_GERATTRS */
>+ {
>+ rc = _ger_generate_template_entry ( pb );
>+ slapi_pblock_get ( pb, SLAPI_SEARCH_RESULT_ENTRY, &e );
>+ if ( rc != LDAP_SUCCESS || NULL == e )
>+ {
>+ goto bailout;
>+ }
>+ }
>+
> /*
> * Get the subject
> */
> rc = _ger_parse_control (pb, &subjectndn, &iscritical, errbuf );
>@@ -680,9 +928,9 @@
> /*
> * The requestor should have g permission on the entry
> * to get the effective rights.
> */
>- rc = _ger_g_permission_granted (pb, e, errbuf);
>+ rc = _ger_g_permission_granted (pb, e, subjectndn, errbuf);
> if ( rc != LDAP_SUCCESS )
> {
> goto bailout;
> }
>@@ -717,9 +965,9 @@
> }
>
> slapi_log_error (SLAPI_LOG_ACLSUMMARY, plugin_name,
> "###### Effective Rights on Entry (%s) for Subject (%s) ######\n",
>- slapi_entry_get_ndn (e), subjectndn);
>+ e?slapi_entry_get_ndn(e):"null", subjectndn?subjectndn:"null");
> slapi_log_error (SLAPI_LOG_ACLSUMMARY, plugin_name, "%s\n", gerstr);
>
> /* Restore pb */
> _ger_release_gerpb ( &gerpb, &aclcb, pb );
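Review bot: A NULL return from the new `slapi_schema_list_objectclass_attributes` is ambiguous: it comes back for an unknown objectclass, for a `flags` value with neither bit set, and — depending on how `charray_dup` treats a NULL `oc_required`/`oc_allowed`, which is not visible here — possibly for a class that lists no attributes of that kind, and `_ger_generate_template_entry` in this same patch treats all of those as "bogus objectclass". The header comment should say so; I would add `* Returns NULL if the objectclass is not found, if flags selects neither list, or if the selected list is empty.` The `if (!flags)` early return also duplicates what the `default:` branch already handles, except that it skips the log message, so one of the two should go. The same ambiguity applies to `slapi_schema_get_superior_name`, which returns NULL both for an unknown class and for a class with no superior, and the caller's `while` loop in acleffectiverights.c cannot tell the two apart.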
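Review bot: The new short-circuit in `_ger_g_permission_granted` passes `subjectdn` straight to `strcasecmp` without a NULL check, while the logging change later in this patch (`subjectndn?subjectndn:"null"`) shows the caller does consider a NULL subject possible; `if ( subjectdn && strcasecmp ( slapi_sdn_get_ndn(requestor_sdn), subjectdn ) == 0)` is the cheap guard. The comment should also state that this is a deliberate relaxation of the `g` requirement: a bound user now receives effective-rights output about themselves on any entry that reaches this function without any ACI granting `g`, which is an information-disclosure trade-off an ACI author should know about. The comparison also relies on `subjectdn` already being normalized (the `slapi_dn_normalize` call in `_ger_parse_control`, visible in a later hunk); `/* subjectdn was normalized by _ger_parse_control, so a plain compare is enough */` would save the next reader the lookup. `_ger_g_permission_granted` starts and ends outside this hunk.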
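Review bot: Hoisting `strlen(*subjectndn)` above the `if` regresses the NULL check it was guarded by: the old condition short-circuited on `NULL == *subjectndn` before ever calling `strlen`, whereas the new code calls `strlen(NULL)` first, so a request whose subject failed to parse now crashes instead of returning `LDAP_INVALID_SYNTAX`. Keep the cached length but make it NULL-safe: `subjectndnlen = (NULL == *subjectndn) ? 0 : strlen(*subjectndn);`. The `memmove` length of `subjectndnlen - 2` (drop `dn:`, keep the terminator) is correct, though `subjectndnlen` is an `int` receiving a `size_t`. `_ger_parse_control` begins before this hunk.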
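Review bot: The second macro is declared as `#define GER_GET_ATTR_RIGHTA_EXT(c, inattrs, exattrs); \` — the `;` after the parameter list is part of the replacement text, so every use expands to an empty statement followed by the loop, and the name reads as a typo of `RIGHTS`. Both macros also reach into the caller's scope by name for `i`, `thisattr`, `attrs`, `gerpb`, `e`, `subjectndn`, `gerstr`, `gerstrsize`, `gerstrcap`, `isfirstattr` and `errbuf`, and the first one ends its last line with `} \`, continuing the definition onto the blank line that follows. I would drop the stray `;`, rename to `GER_GET_ATTR_RIGHTS_EXT`, wrap both bodies in `do { ... } while (0)`, and add a comment above them listing the locals they expect — or replace them with two `static` helpers that take those values as parameters.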
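Review bot: `objclassvals` is filled by `slapi_attr_get_valueset(objclasses, &objclassvals)` and never released; if that call hands out a copy, as its `Slapi_ValueSet **` out-parameter suggests, every GER search on a real entry leaks one valueset, and a `slapi_valueset_free(objclassvals);` after the `if (NULL != objclasses)` block would fix it — the helper's ownership contract should be confirmed either way. Reading `v->bv.bv_val` also reaches into `Slapi_Value` directly where the surrounding code uses accessor calls. Finally, the rewritten `else` branch now silently omits any explicitly requested attribute that is in neither `allattrs` nor `opattrs`, which changes what a client sees in `attributeLevelRights` compared with the old loop; a comment such as `/* attributes unknown to the entry's schema are left out of the report */` would mark that as deliberate. `_ger_get_attrs_rights` starts before this hunk and ends after it.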
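Review bot: The superior walk in `_ger_generate_template_entry` leaks the last non-`top` superior name: each iteration frees the previous `object` only when a further superior is found, so when the loop exits `object` still holds the string returned by `slapi_schema_get_superior_name` (a `slapi_ch_strdup` copy per the schema.c hunk) and only `superior` is freed. Add `if (notfirst) { slapi_ch_free_string(&object); }` immediately before `slapi_ch_free_string(&superior);`. Separately, `'\0' != *(++object)` leaves `object` pointing at an empty string when the last GER attribute ends in `@` (e.g. `*@`), so the `NULL == object` test does not catch it and an empty name goes to the schema lookup; set `object = NULL` in that case or test `*object` as well. `siz` and `len` are `int` while they accumulate `strlen` results, which is harmless for schema-sized strings but worth a `size_t`.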
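Review bot: The `rc != LDAP_SUCCESS` half of the new check in `acl_get_effective_rights` can never fire, because `_ger_generate_template_entry` as added in this patch sets `rc = LDAP_SUCCESS` on every path, including the one that logs at `SLAPI_LOG_FATAL`; a request without a usable `@objectclass` suffix therefore reaches `bailout` with rc == LDAP_SUCCESS and no entry, and if returning success with nothing is intended the `goto` deserves `/* no template could be built: succeed with no entry */`, otherwise the generator should return a distinct code. From a security standpoint the synthesized entry has DN `cn=template_<oc>_objectclass`, which presumably sits outside every configured suffix, so the `g` check and per-attribute ACI evaluation that follow run against a target that subtree-scoped ACIs are unlikely to match; which ACIs are expected to apply to template entries should be stated in the function header. Ownership of the entry stored in `SLAPI_SEARCH_RESULT_ENTRY` is also undocumented — who frees `e` on the bailout path is not visible here. `acl_get_effective_rights` continues outside the hunk.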