Thursday, June 12, 2014

[389-commits] Branch '389-ds-base-1.2.11' - 2 commits - ldap/servers

ldap/servers/plugins/acl/acl.c | 28 ++++++++++++++++++++++++++--
ldap/servers/plugins/acl/acl.h | 3 ++-
ldap/servers/plugins/acl/aclparse.c | 19 +++++++++++++++++++
3 files changed, 47 insertions(+), 3 deletions(-)

New commits:
commit d8f6af4242a8f546a2d60a10b48fd8e24a9e72d9
Author: Noriko Hosoi <nhosoi@redhat.com>
Date: Tue Apr 30 10:22:59 2013 -0700

Ticket 47331 - Self entry access ACI not working properly

Description: Additional change to
commit 79346deb255ca8d7889d7590534d308d4e3a78da
which added a macro ACLPB_CACHE_RESULT_PER_ENTRY_SKIP, but
ACLPB_STATE_ALL was not updated to cover the bit.
This patch updates ACLPB_STATE_ALL to support the new bit.
(cherry picked from commit 86fea4b326b28912cd0d8de0d0cb3a2f8dea423e)
(cherry picked from commit 6d43552d862234334f94a5768132d71847bfcd20)

diff --git a/ldap/servers/plugins/acl/acl.h b/ldap/servers/plugins/acl/acl.h
index dbe5c11..8a9bec2 100644
--- a/ldap/servers/plugins/acl/acl.h
+++ b/ldap/servers/plugins/acl/acl.h
@@ -475,7 +475,7 @@ struct acl_pblock {
ACLPB_ACCESS_ALLOWED_ON_ENTRY | ACLPB_ATTR_STAR_MATCHED | \
ACLPB_FOUND_ATTR_RULE | ACLPB_EVALUATING_FIRST_ATTR | \
ACLPB_FOUND_A_ENTRY_TEST_RULE )
-#define ACLPB_STATE_ALL 0x3fffff
+#define ACLPB_STATE_ALL 0xffffff

int aclpb_res_type;


commit 46b06bb3f12be8df973579971c5cdf4312456974
Author: Thierry bordaz (tbordaz) <tbordaz@redhat.com>
Date: Mon Apr 22 14:15:33 2013 +0200

Ticket 47331 - Self entry access ACI not working properly

Bug Description:

There are two issues in that bug.

The first one is that for a given entry, the rights related to an attribute are evaluated and cached. Reusing this evaluation for a different entry is erronous.

The second one is that for each deny/allow aci, the results of the evaluation of the aci is cached. These results
are reset for aci type that are entry related. The parsing of the rule self entry access miss the setting
of ACI_USERDN_SELFRULE.
This flag allows to reset (in result cache) a result obtained on a previous entry. The consequence is that
a previous result was erronously reused.

Fix Description:

The fix for the first issue, is to prevent acl__match_handlesFromCache to reuse already evaluated attributes.
A new flag make acl__match_handlesFromCache to return if the evaluation is entry related.

The second fix is to set ACI_USERDN_SELFRULE, when we have a rule like 'userdn = ldap:///self'

https://fedorahosted.org/389/ticket/47331

Reviewed by: Noriko Hosoi, Ludwig Krispenz

Platforms tested: fedora 17

Flag Day: no

Doc impact: no
(cherry picked from commit 79346deb255ca8d7889d7590534d308d4e3a78da)
(cherry picked from commit 1580bcd71cbb60f0e97a36bf83faca6e079cd861)

diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c
index 09f28ee..d27c0e1 100644
--- a/ldap/servers/plugins/acl/acl.c
+++ b/ldap/servers/plugins/acl/acl.c
@@ -2799,6 +2799,11 @@ acl__TestRights(Acl_PBlock *aclpb,int access, char **right, char ** map_generic,

if (access & ( SLAPI_ACL_SEARCH | SLAPI_ACL_READ)) {

+ /* We can not reused results obtained on a other entry */
+ if (aci->aci_type & ACI_CACHE_RESULT_PER_ENTRY) {
+ aclpb->aclpb_state |= ACLPB_CACHE_RESULT_PER_ENTRY_SKIP;
+ }
+
/*
* aclpb->aclpb_cache_result[0..aclpb->aclpb_last_cache_result] is
* a cache of info about whether applicable acis
@@ -3010,6 +3015,10 @@ acl__TestRights(Acl_PBlock *aclpb,int access, char **right, char ** map_generic,

if (access & ( SLAPI_ACL_SEARCH | SLAPI_ACL_READ)) {

+ /* We can not reused results obtained on a other entry */
+ if (aci->aci_type & ACI_CACHE_RESULT_PER_ENTRY) {
+ aclpb->aclpb_state |= ACLPB_CACHE_RESULT_PER_ENTRY_SKIP;
+ }
/*
* aclpb->aclpb_cache_result[0..aclpb->aclpb_last_cache_result] is
* a cache of info about whether applicable acis
@@ -3794,8 +3803,23 @@ acl__match_handlesFromCache ( Acl_PBlock *aclpb, char *attr, int access)
} else {
context_type = ACLPB_EVALCONTEXT_PREV;
c_evalContext = &aclpb->aclpb_prev_entryEval_context;
- }
-
+ }
+
+ /* we can not reused access evaluation done on a previous entry
+ * so just skip that cache
+ */
+ if (aclpb->aclpb_state & ACLPB_CACHE_RESULT_PER_ENTRY_SKIP) {
+ aclpb->aclpb_state &= ~ACLPB_MATCHES_ALL_ACLS;
+ aclpb->aclpb_state |= ACLPB_UPD_ACLCB_CACHE;
+ /* Did not match */
+ if (context_type == ACLPB_EVALCONTEXT_ACLCB) {
+ aclpb->aclpb_state &= ~ACLPB_HAS_ACLCB_EVALCONTEXT;
+ } else {
+ aclpb->aclpb_state |= ACLPB_COPY_EVALCONTEXT;
+ c_evalContext->acle_numof_tmatched_handles = 0;
+ }
+ return -1;
+ }

if ( aclpb->aclpb_res_type & (ACLPB_NEW_ENTRY | ACLPB_EFFECTIVE_RIGHTS) ) {
aclpb->aclpb_state |= ACLPB_MATCHES_ALL_ACLS;
diff --git a/ldap/servers/plugins/acl/acl.h b/ldap/servers/plugins/acl/acl.h
index c61ee70..dbe5c11 100644
--- a/ldap/servers/plugins/acl/acl.h
+++ b/ldap/servers/plugins/acl/acl.h
@@ -468,6 +468,7 @@ struct acl_pblock {
#define ACLPB_UPD_ACLCB_CACHE 0x100000
#define ACLPB_ATTR_RULE_EVALUATED 0x200000
#define ACLPB_DONOT_EVALUATE_PROXY 0x400000
+#define ACLPB_CACHE_RESULT_PER_ENTRY_SKIP 0x800000


#define ACLPB_RESET_MASK ( ACLPB_ACCESS_ALLOWED_ON_A_ATTR | ACLPB_ACCESS_DENIED_ON_ALL_ATTRS | \
diff --git a/ldap/servers/plugins/acl/aclparse.c b/ldap/servers/plugins/acl/aclparse.c
index 8b11471..26d57c4 100644
--- a/ldap/servers/plugins/acl/aclparse.c
+++ b/ldap/servers/plugins/acl/aclparse.c
@@ -784,6 +784,8 @@ normalize_nextACERule:
goto error;
}
} else if ( 0 == strncmp ( s, DS_LAS_USERDN, 6 )) {
+ char *prefix;
+
p = PL_strnchr (s, '=', end - s);
if (NULL == p) {
goto error;
@@ -808,6 +810,23 @@ normalize_nextACERule:
goto error;
}

+ /* skip the ldap prefix */
+ prefix = PL_strncasestr(p, LDAP_URL_prefix, end - p);
+ if (prefix) {
+ prefix += strlen(LDAP_URL_prefix);
+ } else {
+ prefix = PL_strncasestr(p, LDAPS_URL_prefix, end - p);
+ if (prefix) {
+ prefix += strlen(LDAPS_URL_prefix);
+ }
+ }
+ if (prefix == NULL) {
+ /* userdn value does not starts with LDAP(S)_URL_prefix */
+ goto error;
+ }
+ p = prefix;
+
+
/* we have a rule like userdn = "ldap:///blah". s points to blah now.
** let's find if we have a SELF rule like userdn = "ldap:///self".
** Since the resource changes on entry basis, we can't cache the


--
389 commits mailing list
389-commits@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-commits

No comments:

Post a Comment