]> git.sur5r.net Git - openldap/blob - servers/slapd/compare.c
Ignore attempts to Add cn=schema,cn=config
[openldap] / servers / slapd / compare.c
1 /* $OpenLDAP$ */
2 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
3  *
4  * Copyright 1998-2009 The OpenLDAP Foundation.
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted only as authorized by the OpenLDAP
9  * Public License.
10  *
11  * A copy of this license is available in the file LICENSE in the
12  * top-level directory of the distribution or, alternatively, at
13  * <http://www.OpenLDAP.org/license.html>.
14  */
15 /* Portions Copyright (c) 1995 Regents of the University of Michigan.
16  * All rights reserved.
17  *
18  * Redistribution and use in source and binary forms are permitted
19  * provided that this notice is preserved and that due credit is given
20  * to the University of Michigan at Ann Arbor. The name of the University
21  * may not be used to endorse or promote products derived from this
22  * software without specific prior written permission. This software
23  * is provided ``as is'' without express or implied warranty.
24  */
25
26 #include "portable.h"
27
28 #include <stdio.h>
29 #include <ac/socket.h>
30 #include <ac/string.h>
31
32 #include "slap.h"
33
34 static int compare_entry(
35         Operation *op,
36         Entry *e,
37         AttributeAssertion *ava );
38
39 int
40 do_compare(
41     Operation   *op,
42     SlapReply   *rs )
43 {
44         struct berval dn = BER_BVNULL;
45         struct berval desc = BER_BVNULL;
46         struct berval value = BER_BVNULL;
47         AttributeAssertion ava = ATTRIBUTEASSERTION_INIT;
48
49         Debug( LDAP_DEBUG_TRACE, "%s do_compare\n",
50                 op->o_log_prefix, 0, 0 );
51         /*
52          * Parse the compare request.  It looks like this:
53          *
54          *      CompareRequest := [APPLICATION 14] SEQUENCE {
55          *              entry   DistinguishedName,
56          *              ava     SEQUENCE {
57          *                      type    AttributeType,
58          *                      value   AttributeValue
59          *              }
60          *      }
61          */
62
63         if ( ber_scanf( op->o_ber, "{m" /*}*/, &dn ) == LBER_ERROR ) {
64                 Debug( LDAP_DEBUG_ANY, "%s do_compare: ber_scanf failed\n",
65                         op->o_log_prefix, 0, 0 );
66                 send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" );
67                 return SLAPD_DISCONNECT;
68         }
69
70         if ( ber_scanf( op->o_ber, "{mm}", &desc, &value ) == LBER_ERROR ) {
71                 Debug( LDAP_DEBUG_ANY, "%s do_compare: get ava failed\n",
72                         op->o_log_prefix, 0, 0 );
73                 send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" );
74                 return SLAPD_DISCONNECT;
75         }
76
77         if ( ber_scanf( op->o_ber, /*{*/ "}" ) == LBER_ERROR ) {
78                 Debug( LDAP_DEBUG_ANY, "%s do_compare: ber_scanf failed\n",
79                         op->o_log_prefix, 0, 0 );
80                 send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" );
81                 return SLAPD_DISCONNECT;
82         }
83
84         if( get_ctrls( op, rs, 1 ) != LDAP_SUCCESS ) {
85                 Debug( LDAP_DEBUG_ANY, "%s do_compare: get_ctrls failed\n",
86                         op->o_log_prefix, 0, 0 );
87                 goto cleanup;
88         } 
89
90         rs->sr_err = dnPrettyNormal( NULL, &dn, &op->o_req_dn, &op->o_req_ndn,
91                 op->o_tmpmemctx );
92         if( rs->sr_err != LDAP_SUCCESS ) {
93                 Debug( LDAP_DEBUG_ANY, "%s do_compare: invalid dn (%s)\n",
94                         op->o_log_prefix, dn.bv_val, 0 );
95                 send_ldap_error( op, rs, LDAP_INVALID_DN_SYNTAX, "invalid DN" );
96                 goto cleanup;
97         }
98
99         Statslog( LDAP_DEBUG_STATS,
100                 "%s CMP dn=\"%s\" attr=\"%s\"\n",
101                 op->o_log_prefix, op->o_req_dn.bv_val,
102                 desc.bv_val, 0, 0 );
103
104         rs->sr_err = slap_bv2ad( &desc, &ava.aa_desc, &rs->sr_text );
105         if( rs->sr_err != LDAP_SUCCESS ) {
106                 rs->sr_err = slap_bv2undef_ad( &desc, &ava.aa_desc,
107                                 &rs->sr_text,
108                                 SLAP_AD_PROXIED|SLAP_AD_NOINSERT );
109                 if( rs->sr_err != LDAP_SUCCESS ) {
110                         send_ldap_result( op, rs );
111                         goto cleanup;
112                 }
113         }
114
115         rs->sr_err = asserted_value_validate_normalize( ava.aa_desc,
116                 ava.aa_desc->ad_type->sat_equality,
117                 SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
118                 &value, &ava.aa_value, &rs->sr_text, op->o_tmpmemctx );
119         if( rs->sr_err != LDAP_SUCCESS ) {
120                 send_ldap_result( op, rs );
121                 goto cleanup;
122         }
123
124         op->orc_ava = &ava;
125
126         Debug( LDAP_DEBUG_ARGS,
127                 "do_compare: dn (%s) attr (%s) value (%s)\n",
128                 op->o_req_dn.bv_val,
129                 ava.aa_desc->ad_cname.bv_val, ava.aa_value.bv_val );
130
131         op->o_bd = frontendDB;
132         rs->sr_err = frontendDB->be_compare( op, rs );
133
134 cleanup:;
135         op->o_tmpfree( op->o_req_dn.bv_val, op->o_tmpmemctx );
136         op->o_tmpfree( op->o_req_ndn.bv_val, op->o_tmpmemctx );
137         if ( !BER_BVISNULL( &ava.aa_value ) ) {
138                 op->o_tmpfree( ava.aa_value.bv_val, op->o_tmpmemctx );
139         }
140
141         return rs->sr_err;
142 }
143
144 int
145 fe_op_compare( Operation *op, SlapReply *rs )
146 {
147         Entry                   *entry = NULL;
148         AttributeAssertion      *ava = op->orc_ava;
149         BackendDB               *bd = op->o_bd;
150
151         if( strcasecmp( op->o_req_ndn.bv_val, LDAP_ROOT_DSE ) == 0 ) {
152                 if( backend_check_restrictions( op, rs, NULL ) != LDAP_SUCCESS ) {
153                         send_ldap_result( op, rs );
154                         goto cleanup;
155                 }
156
157                 rs->sr_err = root_dse_info( op->o_conn, &entry, &rs->sr_text );
158                 if( rs->sr_err != LDAP_SUCCESS ) {
159                         send_ldap_result( op, rs );
160                         goto cleanup;
161                 }
162
163         } else if ( bvmatch( &op->o_req_ndn, &frontendDB->be_schemandn ) ) {
164                 if( backend_check_restrictions( op, rs, NULL ) != LDAP_SUCCESS ) {
165                         send_ldap_result( op, rs );
166                         rs->sr_err = 0;
167                         goto cleanup;
168                 }
169
170                 rs->sr_err = schema_info( &entry, &rs->sr_text );
171                 if( rs->sr_err != LDAP_SUCCESS ) {
172                         send_ldap_result( op, rs );
173                         rs->sr_err = 0;
174                         goto cleanup;
175                 }
176         }
177
178         if( entry ) {
179                 rs->sr_err = compare_entry( op, entry, ava );
180                 entry_free( entry );
181
182                 send_ldap_result( op, rs );
183
184                 if( rs->sr_err == LDAP_COMPARE_TRUE ||
185                         rs->sr_err == LDAP_COMPARE_FALSE )
186                 {
187                         rs->sr_err = LDAP_SUCCESS;
188                 }
189
190                 goto cleanup;
191         }
192
193         /*
194          * We could be serving multiple database backends.  Select the
195          * appropriate one, or send a referral to our "referral server"
196          * if we don't hold it.
197          */
198         op->o_bd = select_backend( &op->o_req_ndn, 0 );
199         if ( op->o_bd == NULL ) {
200                 rs->sr_ref = referral_rewrite( default_referral,
201                         NULL, &op->o_req_dn, LDAP_SCOPE_DEFAULT );
202
203                 rs->sr_err = LDAP_REFERRAL;
204                 if (!rs->sr_ref) rs->sr_ref = default_referral;
205                 op->o_bd = bd;
206                 send_ldap_result( op, rs );
207
208                 if (rs->sr_ref != default_referral) ber_bvarray_free( rs->sr_ref );
209                 rs->sr_err = 0;
210                 goto cleanup;
211         }
212
213         /* check restrictions */
214         if( backend_check_restrictions( op, rs, NULL ) != LDAP_SUCCESS ) {
215                 send_ldap_result( op, rs );
216                 goto cleanup;
217         }
218
219         /* check for referrals */
220         if( backend_check_referrals( op, rs ) != LDAP_SUCCESS ) {
221                 goto cleanup;
222         }
223
224         if ( SLAP_SHADOW(op->o_bd) && get_dontUseCopy(op) ) {
225                 /* don't use shadow copy */
226                 send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
227                         "copy not used" );
228
229         } else if ( ava->aa_desc == slap_schema.si_ad_entryDN ) {
230                 send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
231                         "entryDN compare not supported" );
232
233         } else if ( ava->aa_desc == slap_schema.si_ad_subschemaSubentry ) {
234                 send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
235                         "subschemaSubentry compare not supported" );
236
237 #ifndef SLAP_COMPARE_IN_FRONTEND
238         } else if ( ava->aa_desc == slap_schema.si_ad_hasSubordinates
239                 && op->o_bd->be_has_subordinates )
240         {
241                 int     rc, hasSubordinates = LDAP_SUCCESS;
242
243                 rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &entry );
244                 if ( rc == 0 && entry ) {
245                         if ( ! access_allowed( op, entry,
246                                 ava->aa_desc, &ava->aa_value, ACL_COMPARE, NULL ) )
247                         {       
248                                 rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
249                                 
250                         } else {
251                                 rc = rs->sr_err = op->o_bd->be_has_subordinates( op,
252                                                 entry, &hasSubordinates );
253                                 be_entry_release_r( op, entry );
254                         }
255                 }
256
257                 if ( rc == 0 ) {
258                         int     asserted;
259
260                         asserted = bvmatch( &ava->aa_value, &slap_true_bv )
261                                 ? LDAP_COMPARE_TRUE : LDAP_COMPARE_FALSE;
262                         if ( hasSubordinates == asserted ) {
263                                 rs->sr_err = LDAP_COMPARE_TRUE;
264
265                         } else {
266                                 rs->sr_err = LDAP_COMPARE_FALSE;
267                         }
268
269                 } else {
270                         /* return error only if "disclose"
271                          * is granted on the object */
272                         if ( backend_access( op, NULL, &op->o_req_ndn,
273                                         slap_schema.si_ad_entry,
274                                         NULL, ACL_DISCLOSE, NULL ) == LDAP_INSUFFICIENT_ACCESS )
275                         {
276                                 rs->sr_err = LDAP_NO_SUCH_OBJECT;
277                         }
278                 }
279
280                 send_ldap_result( op, rs );
281
282                 if ( rc == 0 ) {
283                         rs->sr_err = LDAP_SUCCESS;
284                 }
285
286         } else if ( op->o_bd->be_compare ) {
287                 rs->sr_err = op->o_bd->be_compare( op, rs );
288
289 #endif /* ! SLAP_COMPARE_IN_FRONTEND */
290         } else {
291                 rs->sr_err = SLAP_CB_CONTINUE;
292         }
293
294         if ( rs->sr_err == SLAP_CB_CONTINUE ) {
295                 /* do our best to compare that AVA
296                  * 
297                  * NOTE: this code is used only
298                  * if SLAP_COMPARE_IN_FRONTEND 
299                  * is #define'd (it's not by default)
300                  * or if op->o_bd->be_compare is NULL.
301                  * 
302                  * FIXME: one potential issue is that
303                  * if SLAP_COMPARE_IN_FRONTEND overlays
304                  * are not executed for compare. */
305                 BerVarray       vals = NULL;
306                 int             rc = LDAP_OTHER;
307
308                 rs->sr_err = backend_attribute( op, NULL, &op->o_req_ndn,
309                                 ava->aa_desc, &vals, ACL_COMPARE );
310                 switch ( rs->sr_err ) {
311                 default:
312                         /* return error only if "disclose"
313                          * is granted on the object */
314                         if ( backend_access( op, NULL, &op->o_req_ndn,
315                                         slap_schema.si_ad_entry,
316                                         NULL, ACL_DISCLOSE, NULL )
317                                         == LDAP_INSUFFICIENT_ACCESS )
318                         {
319                                 rs->sr_err = LDAP_NO_SUCH_OBJECT;
320                         }
321                         break;
322
323                 case LDAP_SUCCESS:
324                         if ( value_find_ex( op->oq_compare.rs_ava->aa_desc,
325                                 SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
326                                         SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
327                                 vals, &ava->aa_value, op->o_tmpmemctx ) == 0 )
328                         {
329                                 rs->sr_err = LDAP_COMPARE_TRUE;
330                                 break;
331
332                         } else {
333                                 rs->sr_err = LDAP_COMPARE_FALSE;
334                         }
335                         rc = LDAP_SUCCESS;
336                         break;
337                 }
338
339                 send_ldap_result( op, rs );
340
341                 if ( rc == 0 ) {
342                         rs->sr_err = LDAP_SUCCESS;
343                 }
344                 
345                 if ( vals ) {
346                         ber_bvarray_free_x( vals, op->o_tmpmemctx );
347                 }
348         }
349
350 cleanup:;
351         op->o_bd = bd;
352         return rs->sr_err;
353 }
354
355 static int compare_entry(
356         Operation *op,
357         Entry *e,
358         AttributeAssertion *ava )
359 {
360         int rc = LDAP_COMPARE_FALSE;
361         Attribute *a;
362
363         if ( ! access_allowed( op, e,
364                 ava->aa_desc, &ava->aa_value, ACL_COMPARE, NULL ) )
365         {       
366                 rc = LDAP_INSUFFICIENT_ACCESS;
367                 goto done;
368         }
369
370         a = attrs_find( e->e_attrs, ava->aa_desc );
371         if( a == NULL ) {
372                 rc = LDAP_NO_SUCH_ATTRIBUTE;
373                 goto done;
374         }
375
376         for(a = attrs_find( e->e_attrs, ava->aa_desc );
377                 a != NULL;
378                 a = attrs_find( a->a_next, ava->aa_desc ))
379         {
380                 if (( ava->aa_desc != a->a_desc ) && ! access_allowed( op,
381                         e, a->a_desc, &ava->aa_value, ACL_COMPARE, NULL ) )
382                 {       
383                         rc = LDAP_INSUFFICIENT_ACCESS;
384                         break;
385                 }
386
387                 if ( attr_valfind( a, 
388                         SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
389                                 SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
390                         &ava->aa_value, NULL, op->o_tmpmemctx ) == 0 )
391                 {
392                         rc = LDAP_COMPARE_TRUE;
393                         break;
394                 }
395         }
396
397 done:
398         if( rc != LDAP_COMPARE_TRUE && rc != LDAP_COMPARE_FALSE ) {
399                 if ( ! access_allowed( op, e,
400                         slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL ) )
401                 {
402                         rc = LDAP_NO_SUCH_OBJECT;
403                 }
404         }
405
406         return rc;
407 }