From 92fbcbe2c3f4476cc4b6373bb52ef4663ea7e4c4 Mon Sep 17 00:00:00 2001
From: Ludwig Krispenz <lkrispen@redhat.com>
Date: Fri, 27 Jun 2014 15:20:25 +0200
Subject: [PATCH 231/234] Ticket 47821 - deref plugin cannot handle complex
acis
Bug Description: the deref plugin does not return attributes if
the access depends on rules requiring
the entry
Fix Description: do the access check after the entry is retrieved
https://fedorahosted.org/389/ticket/47821
Reviewed by: mark, thanks
Conflicts:
ldap/servers/plugins/deref/deref.c
(cherry picked from commit ed487614f094a902afa7299e2c98f4cd8d02fe96)
---
ldap/servers/plugins/deref/deref.c | 115 +++++++++++++++++++------------------
1 file changed, 59 insertions(+), 56 deletions(-)
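diff --git a/ldap/servers/plugins/deref/deref.c b/ldap/servers/plugins/deref/deref.c
index 6e4d4ec..c6630df 100644
--- a/ldap/servers/plugins/deref/deref.c
+++ b/ldap/servers/plugins/deref/deref.c
@@ -597,14 +597,10 @@ deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn,
 Slapi_Entry **entries = NULL;
 int rc;
 
- if (deref_check_access(pb, NULL, derefdn, attrs, &retattrs,
- (SLAPI_ACL_SEARCH|SLAPI_ACL_READ))) {
- slapi_log_error(SLAPI_LOG_PLUGIN, DEREF_PLUGIN_SUBSYSTEM,
- "The client does not have permission to read the requested "
- "attributes in entry %s\n", derefdn);
- return;
- }
-
+/* If the access check on the attributes is done without retrieveing the entry
+ * it cannot handle acis which need teh entry, eg to apply a targetfilter rule
+ * So the determination of attrs which can be dereferenced is delayed
+ */
 derefpb = slapi_pblock_new();
 slapi_search_internal_set_pb(derefpb, derefdn, LDAP_SCOPE_BASE,
 "(objectclass=*)", retattrs, 0,
@@ -623,61 +619,68 @@ deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn,
 } else {
 int ii;
 int needattrvals = 1; /* need attrvals sequence? */
- for (ii = 0; retattrs[ii]; ++ii) {
- Slapi_Value *sv;
- int idx = 0;
- Slapi_ValueSet* results = NULL;
- int type_name_disposition = 0;
- char* actual_type_name = NULL;
- int flags = 0;
- int buffer_flags = 0;
- int needpartialattr = 1; /* need PartialAttribute sequence? */
- int needvalsset = 1;
-
- if (is_type_forbidden(retattrs[ii])) {
- slapi_log_error(SLAPI_LOG_PLUGIN, DEREF_PLUGIN_SUBSYSTEM,
- "skip forbidden attribute [%s]\n", derefdn);
- continue;
- }
+ if (deref_check_access(pb, entries[0], derefdn, attrs, &retattrs,
+ (SLAPI_ACL_SEARCH|SLAPI_ACL_READ))) {
+ slapi_log_error(SLAPI_LOG_PLUGIN, DEREF_PLUGIN_SUBSYSTEM,
+ "The client does not have permission to read the requested "
+ "attributes in entry %s\n", derefdn);
+ } else {
+ for (ii = 0; retattrs[ii]; ++ii) {
+ Slapi_Value *sv;
+ int idx = 0;
+ Slapi_ValueSet* results = NULL;
+ int type_name_disposition = 0;
+ char* actual_type_name = NULL;
+ int flags = 0;
+ int buffer_flags = 0;
+ int needpartialattr = 1; /* need PartialAttribute sequence? */
+ int needvalsset = 1;
+
+ if (is_type_forbidden(retattrs[ii])) {
+ slapi_log_error(SLAPI_LOG_PLUGIN, DEREF_PLUGIN_SUBSYSTEM,
+ "skip forbidden attribute [%s]\n", derefdn);
+ continue;
+ }
 
- deref_get_values(entries[0], retattrs[ii], &results, &type_name_disposition,
- &actual_type_name, flags, &buffer_flags);
+ deref_get_values(entries[0], retattrs[ii], &results, &type_name_disposition,
+ &actual_type_name, flags, &buffer_flags);
 
- if (results) {
- idx = slapi_valueset_first_value(results, &sv;;
- }
- for (; results && sv; idx = slapi_valueset_next_value(results, idx, &sv)) {
- const struct berval *bv = slapi_value_get_berval(sv);
- if (needattrvals) {
- /* we have at least one attribute with values in
- DerefRes.attrVals */
- /* attrVals is OPTIONAL - only added if there are
- any values to send */
- ber_printf(ctrlber, "t{", (LBER_CLASS_CONTEXT|LBER_CONSTRUCTED));
- needattrvals = 0;
+ if (results) {
+ idx = slapi_valueset_first_value(results, &sv;;
 }
- if (needpartialattr) {
- /* This attribute in attrVals has values */
- ber_printf(ctrlber, "{s", retattrs[ii]);
- needpartialattr = 0;
+ for (; results && sv; idx = slapi_valueset_next_value(results, idx, &sv)) {
+ const struct berval *bv = slapi_value_get_berval(sv);
+ if (needattrvals) {
+ /* we have at least one attribute with values in
+ DerefRes.attrVals */
+ /* attrVals is OPTIONAL - only added if there are
+ any values to send */
+ ber_printf(ctrlber, "t{", (LBER_CLASS_CONTEXT|LBER_CONSTRUCTED));
+ needattrvals = 0;
+ }
+ if (needpartialattr) {
+ /* This attribute in attrVals has values */
+ ber_printf(ctrlber, "{s", retattrs[ii]);
+ needpartialattr = 0;
+ }
+ if (needvalsset) {
+ /* begin the vals SET of values for this attribute */
+ ber_printf(ctrlber, "[");
+ needvalsset = 0;
+ }
+ ber_printf(ctrlber, "O", bv);
+ } /* for each value in retattrs[ii] */
+ deref_values_free(&results, &actual_type_name, buffer_flags);
+ if (needvalsset == 0) {
+ ber_printf(ctrlber, "]");
 }
- if (needvalsset) {
- /* begin the vals SET of values for this attribute */
- ber_printf(ctrlber, "[");
- needvalsset = 0;
+ if (needpartialattr == 0) {
+ ber_printf(ctrlber, "}");
 }
- ber_printf(ctrlber, "O", bv);
- } /* for each value in retattrs[ii] */
- deref_values_free(&results, &actual_type_name, buffer_flags);
- if (needvalsset == 0) {
- ber_printf(ctrlber, "]");
- }
- if (needpartialattr == 0) {
+ } /* for each attr in retattrs */
+ if (needattrvals == 0) {
 ber_printf(ctrlber, "}");
 }
- } /* for each attr in retattrs */
- if (needattrvals == 0) {
- ber_printf(ctrlber, "}");
 }
 }
 } else { /* nothing */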
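Review bot: The internal search that closes the first hunk still passes `retattrs`, but now that `deref_check_access` has moved into the second hunk nothing assigns `retattrs` before that call, so whatever its initialiser above the hunk gives it decides which attributes the base search fetches; if it starts as NULL the search fetches every attribute of the entry and only the later access check narrows the result, which is correct but fetches more than the old filtered request did, and if it starts uninitialised the call is undefined — please confirm the initialiser and consider passing the caller's `attrs` to the search instead, so the server never reads attributes the client did not ask for. In the moved forbidden-attribute branch the log line still formats `derefdn` although the message names an attribute; `"skip forbidden attribute [%s]\n", retattrs[ii]);` is what the message promises. The two `&sv;;` lines are presumably a rendering artifact of `&sv);` rather than patch content. deref_do_deref_attr starts before the first hunk and ends after the second, so the cleanup of `derefpb` and `entries` that the removed early `return` used to skip is not visible here.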
--
1.8.1.4