389-ds-base

Clone
Source Code
GIT

9d2d939 Ticket #47571 - targetattr ACIs ignore subtype

Authored and Committed by nhosoi 10 years ago
raw patch tree parent
7 files changed. 374 lines added. 281 lines removed.
ldap/servers/plugins/acl/acl.c
file modified
+97 -97
ldap/servers/plugins/acl/aclparse.c
file modified
+1 -2
ldap/servers/plugins/acl/aclplugin.c
file modified
+3 -3
ldap/servers/slapd/attr.c
file modified
+91 -20
ldap/servers/slapd/result.c
file modified
+147 -153
ldap/servers/slapd/search.c
file modified
+27 -6
ldap/servers/slapd/slapi-plugin.h
file modified
+8 -0 
    Ticket #47571 - targetattr ACIs ignore subtype
    
    Description:
    Subtypes in targetattr, userattr in aci as well as filter and attribute list
    in the search are supported.
    * If targetattr contains subtypes, the base type only as well as other subtypes
      are not allowed to access (or denied to access).
    * If userattr contains subtypes, the base type as well as other subtypes in
      entries do not match the userattr value.
    * If attribute list in search has a base type attribute, and a targetattr has
      a type with subtypes, then only the subtyped value is returned.  E.g.,
        attribute list: sn
        targetattr: sn;en
          ==>
        sn;en: <sn-en-value> and
        sn;en;phonetic: <sn-en-phonetic-value> are returned
        but
        sn or sn;fr is not.
      If attribute list has a type with subtype, then if the targetattr allows the
      subtype, the value is returned.  E.g.,
        attribute list: sn;en
        targetattr: sn;en
          ==>
        sn;en: <sn-en-value> and
        sn;en;phonetic: <sn-en-phonetic-value> are returned
        but
        sn or sn;fr is not.
    1) slapd/attr.c
       * slapi_attr_type_cmp assumed the subtype order in 2 args are identical,
         but it is not always guaranteed.  Removed the assumption.
       * Added another compare type SLAPI_TYPE_CMP_SUBTYPES to comp_cmp which is
         called by slapi_attr_type_cmp to support full subtypes comparison.
    2) plugin/acl.c:
       * Changed to call slapi_attr_type_cmp with human readable macros, e.g.,
         SLAPI_TYPE_CMP_BASE, SLAPI_TYPE_CMP_SUBTYPE, etc.
       * Replaced strcasecmp with slapi_attr_type_cmp for attribute type comparison.
       * Changed to call slapi_attr_type_cmp with SLAPI_TYPE_CMP_SUBTYPES (full
         subtype comparison) in acl__get_attrEval, where the next attribute to
    	 compare is determined.
    3) slapd/search.c,result.c
       send_all_attrs/send_specific_attrs use a dontsendattr array to control the
       duplicate attribute types.  Replaced the logic with a simpler one by creating
       an charray with no duplicates.
    
    https://fedorahosted.org/389/ticket/47571
    
    Reviewed by tbordaz@redhat.com (Thank you, Thierry!)
    (cherry picked from commit 85a78741dfeb636a1cf7cced1576278e65f5bb58)
file modified
+97 -97
file modified
+1 -2
file modified
+3 -3
file modified
+91 -20
file modified
+147 -153
file modified
+27 -6
file modified
+8 -0
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.