Let us imagine an ACL like this:
access to dn.regex="^uid=.*,ou=(.*)" attrs=foo val.regex="^(.*)$/" ...
We would like to use $1 (ou's value) and $2 (foo's value) in the <who> field.
For now this is not possible, because slap_access_allowed() collect a single set of regmatch_t. If the <what> field of an ACL has multiple regex matches, the last one only will be retained.
I suggest the following change:
1) In slap_access_allowed(), we would keep track of multiple set of regmatch_t. matches would become something such as:
typedef struct AclRegexMatches { regmatch_t dn[MAXREMATCHES]; regmatch_t val[MAXREMATCHES]; } AclRegexMatches;
In slap_acl_get(), the two regexec() calls would be done with matches.dn or matches.val, depending on the situation.
2) In acl_string_exapand(), we would replace $1, $2, $3 by values from matches.dn, therefore providing backward compatibility.
And we would replace ${v1}, ${v2}, ${v3}... by values from matches.val and ${d1}, ${d2}, ${d3}... by values from matches.dn
There is a problem with my proposal, on dynaic ACL. We cannot provide them values from attribute value without changing the API. I suggest we stick with the current API for now and improve that later if needed.
Opinions? Did I miss something?
Emmanuel Dreyfus wrote:
Let us imagine an ACL like this:
access to dn.regex="^uid=.*,ou=(.*)" attrs=foo val.regex="^(.*)$/" ...
We would like to use $1 (ou's value) and $2 (foo's value) in the <who> field.
For now this is not possible, because slap_access_allowed() collect a single set of regmatch_t. If the <what> field of an ACL has multiple regex matches, the last one only will be retained.
I suggest the following change:
- In slap_access_allowed(), we would keep track of multiple set of
regmatch_t. matches would become something such as:
typedef struct AclRegexMatches { regmatch_t dn[MAXREMATCHES]; regmatch_t val[MAXREMATCHES];
You forgot nmatches in each case.
} AclRegexMatches;
In slap_acl_get(), the two regexec() calls would be done with matches.dn or matches.val, depending on the situation.
This would probably be a good opportunity to define a common structure to be passed within ACL checking, as the list of arguments to those functions grew enough...
- In acl_string_exapand(), we would replace $1, $2, $3 by values from
matches.dn, therefore providing backward compatibility.
And we would replace ${v1}, ${v2}, ${v3}... by values from matches.val and ${d1}, ${d2}, ${d3}... by values from matches.dn
There is a problem with my proposal, on dynaic ACL. We cannot provide them values from attribute value without changing the API. I suggest we stick with the current API for now and improve that later if needed.
That would definitely deserve to be kept in sync with the built-in functions, although I understand it would break compatibility. We could define some means of versioning, and allow the old API for backward compatibility, while introducing a new API. Although, maybe it's not worth the effort.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando@sys-net.it -----------------------------------
Pierangelo Masarati ando@sys-net.it wrote:
typedef struct AclRegexMatches { regmatch_t dn[MAXREMATCHES]; regmatch_t val[MAXREMATCHES];
You forgot nmatches in each case.
Right, then something like this?
typedef struct AclRegexMatches { int ndn; regmatch_t dn[MAXREMATCHES]; int nval; regmatch_t val[MAXREMATCHES]; }
This would probably be a good opportunity to define a common structure to be passed within ACL checking, as the list of arguments to those functions grew enough...
It seems that accross slap_acl_get() and slap_acl_mask(), one could gather the following fields in a single structure:
AccessControl *ac, Operation *op, Entry *e, AttributeDescription *desc, struct berval *val, int nmatch, regmatch_t *matches, AccessControlState *state,
How would it be called? Should we add more fields, make unions?
dynamic ACL. We cannot provide them values from attribute value without changing the API. I suggest we stick with the current API for now and improve that later if needed.
That would definitely deserve to be kept in sync with the built-in functions, although I understand it would break compatibility. We could define some means of versioning, and allow the old API for backward compatibility, while introducing a new API. Although, maybe it's not worth the effort.
Well, I suggest to first sort out the internal things, then we can work on external API.
-
manu@netbsd.org -
Pierangelo Masarati