s4:dsdb: Make use of dsdb_have_system_access()

There should not be any change in behaviour.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

source4/dsdb/samdb/ldb_modules/acl.c

@@ -1188,7 +1188,6 @@ static int acl_add(struct ldb_module *module, struct ldb_request *req)
 	const struct dsdb_class *computer_objectclass = NULL;
 	const struct ldb_message_element *oc_el = NULL;
 	struct ldb_message_element sorted_oc_el;
-	struct ldb_control *as_system;
 	struct ldb_control *sd_ctrl = NULL;
 	struct ldb_message_element *el;
 	unsigned int instanceType = 0;
@@ -1205,12 +1204,8 @@ static int acl_add(struct ldb_module *module, struct ldb_request *req)
 		return ldb_next_request(module, req);
 	}
 
-	as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
+	if (dsdb_have_system_access(module, req, SYSTEM_CONTROL_STRIP_CRITICAL))
-	if (as_system != NULL) {
+	{
-		as_system->critical = 0;
-	}
-
-	if (dsdb_module_am_system(module) || as_system) {
 		return ldb_next_request(module, req);
 	}
 
@@ -1879,7 +1874,6 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
 	struct ldb_result *acl_res;
 	struct security_descriptor *sd;
 	struct dom_sid *sid = NULL;
-	struct ldb_control *as_system;
 	struct ldb_control *is_undelete;
 	struct ldb_control *implicit_validated_write_control = NULL;
 	bool userPassword;
@@ -1901,11 +1895,6 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
 		return ldb_next_request(module, req);
 	}
 
-	as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
-	if (as_system != NULL) {
-		as_system->critical = 0;
-	}
-
 	is_undelete = ldb_request_get_control(req, DSDB_CONTROL_RESTORE_TOMBSTONE_OID);
 
 	implicit_validated_write_control = ldb_request_get_control(
@@ -1918,7 +1907,8 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
 	if (msg->num_elements > 0) {
 		DEBUG(10, ("ldb:acl_modify: %s\n", msg->elements[0].name));
 	}
-	if (dsdb_module_am_system(module) || as_system) {
+	if (dsdb_have_system_access(module, req, SYSTEM_CONTROL_STRIP_CRITICAL))
+	{
 		return ldb_next_request(module, req);
 	}
 
@@ -2207,7 +2197,6 @@ static int acl_delete(struct ldb_module *module, struct ldb_request *req)
 	struct ldb_dn *parent;
 	struct ldb_context *ldb;
 	struct ldb_dn *nc_root;
-	struct ldb_control *as_system;
 	const struct dsdb_schema *schema;
 	const struct dsdb_class *objectclass;
 	struct security_descriptor *sd = NULL;
@@ -2224,12 +2213,8 @@ static int acl_delete(struct ldb_module *module, struct ldb_request *req)
 		return ldb_next_request(module, req);
 	}
 
-	as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
+	if (dsdb_have_system_access(module, req, SYSTEM_CONTROL_STRIP_CRITICAL))
-	if (as_system != NULL) {
+	{
-		as_system->critical = 0;
-	}
-
-	if (dsdb_module_am_system(module) || as_system) {
 		return ldb_next_request(module, req);
 	}
 
@@ -2384,7 +2369,6 @@ static int acl_rename(struct ldb_module *module, struct ldb_request *req)
 	struct dom_sid *sid = NULL;
 	struct ldb_result *acl_res;
 	struct ldb_dn *nc_root;
-	struct ldb_control *as_system;
 	struct ldb_control *is_undelete;
 	TALLOC_CTX *tmp_ctx;
 	const char *rdn_name;
@@ -2399,13 +2383,9 @@ static int acl_rename(struct ldb_module *module, struct ldb_request *req)
 		return ldb_next_request(module, req);
 	}
 
-	as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
-	if (as_system != NULL) {
-		as_system->critical = 0;
-	}
-
 	DEBUG(10, ("ldb:acl_rename: %s\n", ldb_dn_get_linearized(req->op.rename.olddn)));
-	if (dsdb_module_am_system(module) || as_system) {
+	if (dsdb_have_system_access(module, req, SYSTEM_CONTROL_STRIP_CRITICAL))
+	{
 		return ldb_next_request(module, req);
 	}
 
@@ -2853,7 +2833,6 @@ static int acl_search(struct ldb_module *module, struct ldb_request *req)
 static int acl_extended(struct ldb_module *module, struct ldb_request *req)
 {
 	struct ldb_context *ldb = ldb_module_get_ctx(module);
-	struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
 
 	/* allow everybody to read the sequence number */
 	if (strcmp(req->op.extended.oid,
@@ -2861,8 +2840,11 @@ static int acl_extended(struct ldb_module *module, struct ldb_request *req)
 		return ldb_next_request(module, req);
 	}
 
-	if (dsdb_module_am_system(module) ||
+	if (dsdb_have_system_access(module,
-	    dsdb_module_am_administrator(module) || as_system) {
+				    req,
+				    SYSTEM_CONTROL_KEEP_CRITICAL) ||
+	    dsdb_module_am_administrator(module))
+	{
 		return ldb_next_request(module, req);
 	} else {
 		ldb_asprintf_errstring(ldb,

source4/dsdb/samdb/ldb_modules/acl_read.c

@@ -883,10 +883,9 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
 	ldb = ldb_module_get_ctx(module);
 	p = talloc_get_type(ldb_module_get_private(module), struct aclread_private);
 
-	am_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID) != NULL;
+	am_system = dsdb_have_system_access(module,
-	if (!am_system) {
+					    req,
-		am_system = dsdb_module_am_system(module);
+					    SYSTEM_CONTROL_KEEP_CRITICAL);
-	}
 
 	/* skip access checks if we are system or system control is supplied
 	 * or this is not LDAP server request */

source4/dsdb/samdb/ldb_modules/objectclass_attrs.c

@@ -259,9 +259,11 @@ static int attr_handler(struct oc_context *ac)
 				 * fschemaUpgradeInProgress and other specific schema checks.
 				 */
 				if (ldb_dn_compare_base(ldb_get_schema_basedn(ldb), msg->dn) != 0) {
-					struct ldb_control *as_system = ldb_request_get_control(ac->req,
+					if (!dsdb_have_system_access(
-												LDB_CONTROL_AS_SYSTEM_OID);
+						    ac->module,
-					if (!dsdb_module_am_system(ac->module) && !as_system) {
+						    ac->req,
+						    SYSTEM_CONTROL_KEEP_CRITICAL))
+					{
 						ldb_asprintf_errstring(ldb,
 								       "objectclass_attrs: attribute '%s' on entry '%s' can only be modified as system",
 								       msg->elements[i].name,