- take a client_secure flag, and if the map_secure flag is set and the

  client_secure flag is not set, feign lack of knowledge about a map's contents

1 files changed, 40 insertions, 28 deletions

diff --git a/src/nis.c b/src/nis.c
index f395bae..b7e3ec6 100644
--- a/src/nis.c
+++ b/src/nis.c
@@ -90,22 +90,23 @@ nis_match(struct plugin_state *state,
 	  dispatch_reply_fragment *reply_fragment_fn,
 	  dispatch_reply *reply_fn,
 	  struct dispatch_client_data *cdata,
-	  XDR *request_xdrs,
+	  XDR *request_xdrs, bool_t client_secure,
 	  struct rpc_msg *reply, XDR *reply_xdrs,
 	  struct ypresp_val *reply_val)
 {
 	struct ypreq_key req_key;
-	bool_t map_supported;
+	bool_t map_supported, map_secure;
 
 	memset(&req_key, 0, sizeof(req_key));
 	memset(reply_val, 0, sizeof(*reply_val));
 	if (xdr_ypreq_key(request_xdrs, &req_key)) {
 		map_rdlock();
-		if (map_match(state, req_key.domain, req_key.map,
+		if (map_match(state, req_key.domain, req_key.map, &map_secure,
 			      req_key.keydat.keydat_len,
 			      req_key.keydat.keydat_val,
 			      &reply_val->valdat.valdat_len,
-			      &reply_val->valdat.valdat_val)) {
+			      &reply_val->valdat.valdat_val) &&
+		    (map_secure ? client_secure : TRUE)) {
 			reply_val->status = YP_TRUE;
 			slapi_log_error(SLAPI_LOG_PLUGIN,
 					state->plugin_desc->spd_id,
@@ -118,7 +119,7 @@ nis_match(struct plugin_state *state,
 		} else {
 			map_supported = FALSE;
 			map_supports_map(state, req_key.domain, req_key.map,
-					 &map_supported);
+					 &map_supported, NULL);
 			reply_val->status = map_supported ? YP_NOKEY : YP_NOMAP;
 		}
 		(*reply_fn)(state, cdata, reply, reply_xdrs);
@@ -133,22 +134,24 @@ nis_first(struct plugin_state *state,
 	  dispatch_reply_fragment *reply_fragment_fn,
 	  dispatch_reply *reply_fn,
 	  struct dispatch_client_data *cdata,
-	  XDR *request_xdrs,
+	  XDR *request_xdrs, bool_t client_secure,
 	  struct rpc_msg *reply, XDR *reply_xdrs,
 	  struct ypresp_key_val *reply_key_val)
 {
 	struct ypreq_nokey req_nokey;
-	bool_t map_supported;
+	bool_t map_supported, map_secure;
 
 	memset(&req_nokey, 0, sizeof(req_nokey));
 	memset(reply_key_val, 0, sizeof(*reply_key_val));
 	if (xdr_ypreq_nokey(request_xdrs, &req_nokey)) {
 		map_rdlock();
 		if (map_first(state, req_nokey.domain, req_nokey.map,
+			      &map_secure,
 			      &reply_key_val->keydat.keydat_len,
 			      &reply_key_val->keydat.keydat_val,
 			      &reply_key_val->valdat.valdat_len,
-			      &reply_key_val->valdat.valdat_val)) {
+			      &reply_key_val->valdat.valdat_val) &&
+		    (map_secure ? client_secure : TRUE)) {
 			reply_key_val->status = YP_TRUE;
 			slapi_log_error(SLAPI_LOG_PLUGIN,
 					state->plugin_desc->spd_id,
@@ -159,7 +162,7 @@ nis_first(struct plugin_state *state,
 		} else {
 			map_supported = FALSE;
 			map_supports_map(state, req_nokey.domain, req_nokey.map,
-					 &map_supported);
+					 &map_supported, NULL);
 			reply_key_val->status = map_supported ? YP_NOKEY :
 								YP_NOMAP;
 		}
@@ -175,22 +178,24 @@ nis_next(struct plugin_state *state,
 	 dispatch_reply_fragment *reply_fragment_fn,
 	 dispatch_reply *reply_fn,
 	 struct dispatch_client_data *cdata,
-	 XDR *request_xdrs,
+	 XDR *request_xdrs, bool_t client_secure,
 	 struct rpc_msg *reply, XDR *reply_xdrs,
 	 struct ypresp_key_val *reply_key_val)
 {
 	struct ypreq_key req_key;
+	bool_t map_secure;
 	memset(&req_key, 0, sizeof(req_key));
 	memset(reply_key_val, 0, sizeof(*reply_key_val));
 	if (xdr_ypreq_key(request_xdrs, &req_key)) {
 		map_rdlock();
-		if (map_next(state, req_key.domain, req_key.map,
+		if (map_next(state, req_key.domain, req_key.map, &map_secure,
 			     req_key.keydat.keydat_len,
 			     req_key.keydat.keydat_val,
 			     &reply_key_val->keydat.keydat_len,
 			     &reply_key_val->keydat.keydat_val,
 			     &reply_key_val->valdat.valdat_len,
-			     &reply_key_val->valdat.valdat_val)) {
+			     &reply_key_val->valdat.valdat_val) &&
+		    (map_secure ? client_secure : TRUE)) {
 			reply_key_val->status = YP_TRUE;
 			slapi_log_error(SLAPI_LOG_PLUGIN,
 					state->plugin_desc->spd_id,
@@ -202,10 +207,12 @@ nis_next(struct plugin_state *state,
 					reply_key_val->status);
 		} else {
 			if (map_match(state, req_key.domain, req_key.map,
+				      &map_secure,
 				      req_key.keydat.keydat_len,
 				      req_key.keydat.keydat_val,
 				      &reply_key_val->valdat.valdat_len,
-				      &reply_key_val->valdat.valdat_val)) {
+				      &reply_key_val->valdat.valdat_val) &&
+			    (map_secure ? client_secure : TRUE)) {
 				/* Have data for this key, but not the next. */
 				reply_key_val->status = YP_NOMORE;
 			} else {
@@ -300,7 +307,7 @@ nis_order(struct plugin_state *state,
 }
 
 static bool_t
-nis_maplist_cb(const char *domain, const char *mapname,
+nis_maplist_cb(const char *domain, const char *mapname, bool_t secure,
 	       void *backend_data, void *cbdata)
 {
 	struct ypmaplist **list, *next;
@@ -427,7 +434,7 @@ nis_all(struct plugin_state *state,
 	dispatch_reply_fragment *reply_fragment_fn,
 	dispatch_reply *reply_fn,
 	struct dispatch_client_data *cdata,
-	XDR *request_xdrs,
+	XDR *request_xdrs, bool_t client_secure,
 	struct rpc_msg *reply, XDR *reply_xdrs,
 	struct ypresp_all *reply_all, void **continuation_cookie)
 {
@@ -436,7 +443,7 @@ nis_all(struct plugin_state *state,
 	valdat_t *reply_val;
 	struct nis_all_cookie *cookie;
 	enum nis_all_cookie_state next_state;
-	bool_t supported, stop;
+	bool_t map_supported, map_secure, stop;
 
 	memset(&req_nokey, 0, sizeof(req_nokey));
 	reply_key = &reply_all->ypresp_all_u.val.keydat;
@@ -457,10 +464,10 @@ nis_all(struct plugin_state *state,
 		}
 		/* Check if we even support the map. */
 		map_rdlock();
-		supported = FALSE;
+		map_supported = FALSE;
 		if (!map_supports_map(state, req_nokey.domain, req_nokey.map,
-				      &supported) ||
-		    !supported) {
+				      &map_supported, NULL) ||
+		    !map_supported) {
 			/* No entries? No-such-map final status. */
 			reply_all->more = TRUE;
 			reply_all->ypresp_all_u.val.status = YP_NOMAP;
@@ -502,11 +509,12 @@ nis_all(struct plugin_state *state,
 				 * or queueing the end-of-map reply. */
 				found = map_first(state,
 						  req_nokey.domain,
-						  req_nokey.map,
+						  req_nokey.map, &map_secure,
 						  &reply_key->keydat_len,
 						  &reply_key->keydat_val,
 						  &reply_val->valdat_len,
-						  &reply_val->valdat_val);
+						  &reply_val->valdat_val) &&
+					(map_secure ? client_secure : TRUE);
 				if (found) {
 					/* Next time grab the entry after this
 					 * one. */
@@ -560,12 +568,14 @@ nis_all(struct plugin_state *state,
 				found = map_next(state,
 						 req_nokey.domain,
 						 req_nokey.map,
+						 &map_secure,
 						 cookie->key_length,
 						 cookie->key,
 						 &reply_key->keydat_len,
 						 &reply_key->keydat_val,
 						 &reply_val->valdat_len,
-						 &reply_val->valdat_val);
+						 &reply_val->valdat_val) &&
+					(map_secure ? client_secure : TRUE);
 				if (found) {
 					slapi_log_error(SLAPI_LOG_PLUGIN,
 							state->plugin_desc->spd_id,
@@ -624,10 +634,12 @@ nis_all(struct plugin_state *state,
 				found = map_match(state,
 						  req_nokey.domain,
 						  req_nokey.map,
+						  &map_secure,
 						  reply_key->keydat_len,
 						  reply_key->keydat_val,
 						  &reply_val->valdat_len,
-						  &reply_val->valdat_val);
+						  &reply_val->valdat_val) &&
+					(map_secure ? client_secure : TRUE);
 				if (found) {
 					/* Next time grab the entry after this
 					 * one. */
@@ -772,7 +784,7 @@ nis_process_request(struct plugin_state *state,
 		    char *request_buf, size_t request_buflen,
 		    dispatch_reply_fragment *reply_fragment_fn,
 		    dispatch_reply *reply_fn,
-		    struct dispatch_client_data *cdata,
+		    struct dispatch_client_data *cdata, bool_t client_secure,
 		    char *reply_buf, size_t reply_buf_size,
 		    void **continuation_cookie)
 {
@@ -942,7 +954,7 @@ nis_process_request(struct plugin_state *state,
 		accepted->ar_results.proc = (xdrproc_t) xdr_ypresp_val;
 		/* Call the real function. */
 		nis_match(state, reply_fragment_fn, reply_fn,
-			  cdata, &request_xdrs,
+			  cdata, &request_xdrs, client_secure,
 			  &reply, &reply_xdrs, &reply_val);
 		goto sent_reply;
 		break;
@@ -956,7 +968,7 @@ nis_process_request(struct plugin_state *state,
 		accepted->ar_results.proc = (xdrproc_t) xdr_ypresp_key_val;
 		/* Call the real function. */
 		nis_first(state, reply_fragment_fn, reply_fn,
-			  cdata, &request_xdrs,
+			  cdata, &request_xdrs, client_secure,
 			  &reply, &reply_xdrs, &reply_key_val);
 		goto sent_reply;
 		break;
@@ -970,7 +982,7 @@ nis_process_request(struct plugin_state *state,
 		accepted->ar_results.proc = (xdrproc_t) xdr_ypresp_key_val;
 		/* Call the real function. */
 		nis_next(state, reply_fragment_fn, reply_fn,
-			 cdata, &request_xdrs,
+			 cdata, &request_xdrs, client_secure,
 			 &reply, &reply_xdrs, &reply_key_val);
 		goto sent_reply;
 		break;
@@ -996,7 +1008,7 @@ nis_process_request(struct plugin_state *state,
 		accepted->ar_results.proc = (xdrproc_t) &xdr_ypresp_all;
 		/* Call the real function. */
 		nis_all(state, reply_fragment_fn, reply_fn,
-			cdata, &request_xdrs,
+			cdata, &request_xdrs, client_secure,
 			&reply, &reply_xdrs, &reply_all,
 			continuation_cookie);
 		goto sent_reply;