git.sur5r.net Git - openldap/blob - servers/slapd/compare.c

   1 /* $OpenLDAP$ */
   2 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
   3  *
   4  * Copyright 1998-2007 The OpenLDAP Foundation.
   5  * All rights reserved.
   6  *
   7  * Redistribution and use in source and binary forms, with or without
   8  * modification, are permitted only as authorized by the OpenLDAP
   9  * Public License.
  10  *
  11  * A copy of this license is available in the file LICENSE in the
  12  * top-level directory of the distribution or, alternatively, at
  13  * <http://www.OpenLDAP.org/license.html>.
  14  */
  15 /* Portions Copyright (c) 1995 Regents of the University of Michigan.
  16  * All rights reserved.
  17  *
  18  * Redistribution and use in source and binary forms are permitted
  19  * provided that this notice is preserved and that due credit is given
  20  * to the University of Michigan at Ann Arbor. The name of the University
  21  * may not be used to endorse or promote products derived from this
  22  * software without specific prior written permission. This software
  23  * is provided ``as is'' without express or implied warranty.
  24  */
  25
  26 #include "portable.h"
  27
  28 #include <stdio.h>
  29 #include <ac/socket.h>
  30 #include <ac/string.h>
  31
  32 #include "slap.h"
  33
  34 static int compare_entry(
  35         Operation *op,
  36         Entry *e,
  37         AttributeAssertion *ava );
  38
  39 int
  40 do_compare(
  41     Operation   *op,
  42     SlapReply   *rs )
  43 {
  44         struct berval dn = BER_BVNULL;
  45         struct berval desc = BER_BVNULL;
  46         struct berval value = BER_BVNULL;
  47 #ifdef LDAP_COMP_MATCH
  48         AttributeAssertion ava = { NULL, BER_BVNULL, NULL };
  49 #else
  50         AttributeAssertion ava = { NULL, BER_BVNULL };
  51 #endif
  52
  53         ava.aa_desc = NULL;
  54
  55         Debug( LDAP_DEBUG_TRACE, "do_compare\n", 0, 0, 0 );
  56         /*
  57          * Parse the compare request.  It looks like this:
  58          *
  59          *      CompareRequest := [APPLICATION 14] SEQUENCE {
  60          *              entry   DistinguishedName,
  61          *              ava     SEQUENCE {
  62          *                      type    AttributeType,
  63          *                      value   AttributeValue
  64          *              }
  65          *      }
  66          */
  67
  68         if ( ber_scanf( op->o_ber, "{m" /*}*/, &dn ) == LBER_ERROR ) {
  69                 Debug( LDAP_DEBUG_ANY, "ber_scanf failed\n", 0, 0, 0 );
  70                 send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" );
  71                 return SLAPD_DISCONNECT;
  72         }
  73
  74         if ( ber_scanf( op->o_ber, "{mm}", &desc, &value ) == LBER_ERROR ) {
  75                 Debug( LDAP_DEBUG_ANY, "do_compare: get ava failed\n", 0, 0, 0 );
  76                 send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" );
  77                 return SLAPD_DISCONNECT;
  78         }
  79
  80         if ( ber_scanf( op->o_ber, /*{*/ "}" ) == LBER_ERROR ) {
  81                 Debug( LDAP_DEBUG_ANY, "ber_scanf failed\n", 0, 0, 0 );
  82                 send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" );
  83                 return SLAPD_DISCONNECT;
  84         }
  85
  86         if( get_ctrls( op, rs, 1 ) != LDAP_SUCCESS ) {
  87                 Debug( LDAP_DEBUG_ANY, "do_compare: get_ctrls failed\n", 0, 0, 0 );
  88                 goto cleanup;
  89         }
  90
  91         rs->sr_err = dnPrettyNormal( NULL, &dn, &op->o_req_dn, &op->o_req_ndn,
  92                 op->o_tmpmemctx );
  93         if( rs->sr_err != LDAP_SUCCESS ) {
  94                 Debug( LDAP_DEBUG_ANY,
  95                         "do_compare: invalid dn (%s)\n", dn.bv_val, 0, 0 );
  96                 send_ldap_error( op, rs, LDAP_INVALID_DN_SYNTAX, "invalid DN" );
  97                 goto cleanup;
  98         }
  99
 100         rs->sr_err = slap_bv2ad( &desc, &ava.aa_desc, &rs->sr_text );
 101         if( rs->sr_err != LDAP_SUCCESS ) {
 102                 rs->sr_err = slap_bv2undef_ad( &desc, &ava.aa_desc,
 103                                 &rs->sr_text,
 104                                 SLAP_AD_PROXIED|SLAP_AD_NOINSERT );
 105                 if( rs->sr_err != LDAP_SUCCESS ) {
 106                         send_ldap_result( op, rs );
 107                         goto cleanup;
 108                 }
 109         }
 110
 111         rs->sr_err = asserted_value_validate_normalize( ava.aa_desc,
 112                 ava.aa_desc->ad_type->sat_equality,
 113                 SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
 114                 &value, &ava.aa_value, &rs->sr_text, op->o_tmpmemctx );
 115         if( rs->sr_err != LDAP_SUCCESS ) {
 116                 send_ldap_result( op, rs );
 117                 goto cleanup;
 118         }
 119
 120         op->orc_ava = &ava;
 121
 122         op->o_bd = frontendDB;
 123         rs->sr_err = frontendDB->be_compare( op, rs );
 124
 125 cleanup:;
 126         op->o_tmpfree( op->o_req_dn.bv_val, op->o_tmpmemctx );
 127         op->o_tmpfree( op->o_req_ndn.bv_val, op->o_tmpmemctx );
 128         if ( !BER_BVISNULL( &ava.aa_value ) ) {
 129                 op->o_tmpfree( ava.aa_value.bv_val, op->o_tmpmemctx );
 130         }
 131
 132         return rs->sr_err;
 133 }
 134
 135 int
 136 fe_op_compare( Operation *op, SlapReply *rs )
 137 {
 138         Entry                   *entry = NULL;
 139         AttributeAssertion      ava = *op->orc_ava;
 140         BackendDB               *bd = op->o_bd;
 141
 142         Debug( LDAP_DEBUG_ARGS,
 143                 "do_compare: dn (%s) attr (%s) value (%s)\n",
 144                 op->o_req_dn.bv_val,
 145                 ava.aa_desc->ad_cname.bv_val, ava.aa_value.bv_val );
 146
 147         Statslog( LDAP_DEBUG_STATS,
 148                 "%s CMP dn=\"%s\" attr=\"%s\"\n",
 149                 op->o_log_prefix, op->o_req_dn.bv_val,
 150                 ava.aa_desc->ad_cname.bv_val, 0, 0 );
 151
 152         if( strcasecmp( op->o_req_ndn.bv_val, LDAP_ROOT_DSE ) == 0 ) {
 153                 if( backend_check_restrictions( op, rs, NULL ) != LDAP_SUCCESS ) {
 154                         send_ldap_result( op, rs );
 155                         goto cleanup;
 156                 }
 157
 158                 rs->sr_err = root_dse_info( op->o_conn, &entry, &rs->sr_text );
 159                 if( rs->sr_err != LDAP_SUCCESS ) {
 160                         send_ldap_result( op, rs );
 161                         goto cleanup;
 162                 }
 163
 164         } else if ( bvmatch( &op->o_req_ndn, &frontendDB->be_schemandn ) ) {
 165                 if( backend_check_restrictions( op, rs, NULL ) != LDAP_SUCCESS ) {
 166                         send_ldap_result( op, rs );
 167                         rs->sr_err = 0;
 168                         goto cleanup;
 169                 }
 170
 171                 rs->sr_err = schema_info( &entry, &rs->sr_text );
 172                 if( rs->sr_err != LDAP_SUCCESS ) {
 173                         send_ldap_result( op, rs );
 174                         rs->sr_err = 0;
 175                         goto cleanup;
 176                 }
 177         }
 178
 179         if( entry ) {
 180                 rs->sr_err = compare_entry( op, entry, &ava );
 181                 entry_free( entry );
 182
 183                 send_ldap_result( op, rs );
 184
 185                 if( rs->sr_err == LDAP_COMPARE_TRUE ||
 186                         rs->sr_err == LDAP_COMPARE_FALSE )
 187                 {
 188                         rs->sr_err = LDAP_SUCCESS;
 189                 }
 190
 191                 goto cleanup;
 192         }
 193
 194         /*
 195          * We could be serving multiple database backends.  Select the
 196          * appropriate one, or send a referral to our "referral server"
 197          * if we don't hold it.
 198          */
 199         op->o_bd = select_backend( &op->o_req_ndn, 0 );
 200         if ( op->o_bd == NULL ) {
 201                 rs->sr_ref = referral_rewrite( default_referral,
 202                         NULL, &op->o_req_dn, LDAP_SCOPE_DEFAULT );
 203
 204                 rs->sr_err = LDAP_REFERRAL;
 205                 if (!rs->sr_ref) rs->sr_ref = default_referral;
 206                 op->o_bd = bd;
 207                 send_ldap_result( op, rs );
 208
 209                 if (rs->sr_ref != default_referral) ber_bvarray_free( rs->sr_ref );
 210                 rs->sr_err = 0;
 211                 goto cleanup;
 212         }
 213
 214         /* check restrictions */
 215         if( backend_check_restrictions( op, rs, NULL ) != LDAP_SUCCESS ) {
 216                 send_ldap_result( op, rs );
 217                 goto cleanup;
 218         }
 219
 220         /* check for referrals */
 221         if( backend_check_referrals( op, rs ) != LDAP_SUCCESS ) {
 222                 goto cleanup;
 223         }
 224
 225         op->orc_ava = &ava;
 226
 227         if ( SLAP_SHADOW(op->o_bd) && get_dontUseCopy(op) ) {
 228                 /* don't use shadow copy */
 229                 send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
 230                         "copy not used" );
 231
 232         } else if ( ava.aa_desc == slap_schema.si_ad_entryDN ) {
 233                 send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
 234                         "entryDN compare not supported" );
 235
 236         } else if ( ava.aa_desc == slap_schema.si_ad_subschemaSubentry ) {
 237                 send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
 238                         "subschemaSubentry compare not supported" );
 239
 240 #ifndef SLAP_COMPARE_IN_FRONTEND
 241         } else if ( ava.aa_desc == slap_schema.si_ad_hasSubordinates
 242                 && op->o_bd->be_has_subordinates )
 243         {
 244                 int     rc, hasSubordinates = LDAP_SUCCESS;
 245
 246                 rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &entry );
 247                 if ( rc == 0 && entry ) {
 248                         if ( ! access_allowed( op, entry,
 249                                 ava.aa_desc, &ava.aa_value, ACL_COMPARE, NULL ) )
 250                         {
 251                                 rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
 252
 253                         } else {
 254                                 rc = rs->sr_err = op->o_bd->be_has_subordinates( op,
 255                                                 entry, &hasSubordinates );
 256                                 be_entry_release_r( op, entry );
 257                         }
 258                 }
 259
 260                 if ( rc == 0 ) {
 261                         int     asserted;
 262
 263                         asserted = bvmatch( &ava.aa_value, &slap_true_bv )
 264                                 ? LDAP_COMPARE_TRUE : LDAP_COMPARE_FALSE;
 265                         if ( hasSubordinates == asserted ) {
 266                                 rs->sr_err = LDAP_COMPARE_TRUE;
 267
 268                         } else {
 269                                 rs->sr_err = LDAP_COMPARE_FALSE;
 270                         }
 271
 272                 } else {
 273                         /* return error only if "disclose"
 274                          * is granted on the object */
 275                         if ( backend_access( op, NULL, &op->o_req_ndn,
 276                                         slap_schema.si_ad_entry,
 277                                         NULL, ACL_DISCLOSE, NULL ) == LDAP_INSUFFICIENT_ACCESS )
 278                         {
 279                                 rs->sr_err = LDAP_NO_SUCH_OBJECT;
 280                         }
 281                 }
 282
 283                 send_ldap_result( op, rs );
 284
 285                 if ( rc == 0 ) {
 286                         rs->sr_err = LDAP_SUCCESS;
 287                 }
 288
 289         } else if ( op->o_bd->be_compare ) {
 290                 rs->sr_err = op->o_bd->be_compare( op, rs );
 291
 292 #endif /* ! SLAP_COMPARE_IN_FRONTEND */
 293         } else {
 294                 rs->sr_err = SLAP_CB_CONTINUE;
 295         }
 296
 297         if ( rs->sr_err == SLAP_CB_CONTINUE ) {
 298                 /* do our best to compare that AVA
 299                  *
 300                  * NOTE: this code is used only
 301                  * if SLAP_COMPARE_IN_FRONTEND
 302                  * is #define'd (it's not by default)
 303                  * or if op->o_bd->be_compare is NULL.
 304                  *
 305                  * FIXME: one potential issue is that
 306                  * if SLAP_COMPARE_IN_FRONTEND overlays
 307                  * are not executed for compare. */
 308                 BerVarray       vals = NULL;
 309                 int             rc = LDAP_OTHER;
 310
 311                 rs->sr_err = backend_attribute( op, NULL, &op->o_req_ndn,
 312                                 ava.aa_desc, &vals, ACL_COMPARE );
 313                 switch ( rs->sr_err ) {
 314                 default:
 315                         /* return error only if "disclose"
 316                          * is granted on the object */
 317                         if ( backend_access( op, NULL, &op->o_req_ndn,
 318                                         slap_schema.si_ad_entry,
 319                                         NULL, ACL_DISCLOSE, NULL )
 320                                         == LDAP_INSUFFICIENT_ACCESS )
 321                         {
 322                                 rs->sr_err = LDAP_NO_SUCH_OBJECT;
 323                         }
 324                         break;
 325
 326                 case LDAP_SUCCESS:
 327                         if ( value_find_ex( op->oq_compare.rs_ava->aa_desc,
 328                                 SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
 329                                         SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
 330                                 vals, &ava.aa_value, op->o_tmpmemctx ) == 0 )
 331                         {
 332                                 rs->sr_err = LDAP_COMPARE_TRUE;
 333                                 break;
 334
 335                         } else {
 336                                 rs->sr_err = LDAP_COMPARE_FALSE;
 337                         }
 338                         rc = LDAP_SUCCESS;
 339                         break;
 340                 }
 341
 342                 send_ldap_result( op, rs );
 343
 344                 if ( rc == 0 ) {
 345                         rs->sr_err = LDAP_SUCCESS;
 346                 }
 347
 348                 if ( vals ) {
 349                         ber_bvarray_free_x( vals, op->o_tmpmemctx );
 350                 }
 351         }
 352
 353 cleanup:;
 354         op->o_bd = bd;
 355         return rs->sr_err;
 356 }
 357
 358 static int compare_entry(
 359         Operation *op,
 360         Entry *e,
 361         AttributeAssertion *ava )
 362 {
 363         int rc = LDAP_COMPARE_FALSE;
 364         Attribute *a;
 365
 366         if ( ! access_allowed( op, e,
 367                 ava->aa_desc, &ava->aa_value, ACL_COMPARE, NULL ) )
 368         {
 369                 rc = LDAP_INSUFFICIENT_ACCESS;
 370                 goto done;
 371         }
 372
 373         a = attrs_find( e->e_attrs, ava->aa_desc );
 374         if( a == NULL ) {
 375                 rc = LDAP_NO_SUCH_ATTRIBUTE;
 376                 goto done;
 377         }
 378
 379         for(a = attrs_find( e->e_attrs, ava->aa_desc );
 380                 a != NULL;
 381                 a = attrs_find( a->a_next, ava->aa_desc ))
 382         {
 383                 if (( ava->aa_desc != a->a_desc ) && ! access_allowed( op,
 384                         e, a->a_desc, &ava->aa_value, ACL_COMPARE, NULL ) )
 385                 {
 386                         rc = LDAP_INSUFFICIENT_ACCESS;
 387                         break;
 388                 }
 389
 390                 if ( value_find_ex( ava->aa_desc,
 391                         SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
 392                                 SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
 393                         a->a_nvals, &ava->aa_value, op->o_tmpmemctx ) == 0 )
 394                 {
 395                         rc = LDAP_COMPARE_TRUE;
 396                         break;
 397                 }
 398         }
 399
 400 done:
 401         if( rc != LDAP_COMPARE_TRUE && rc != LDAP_COMPARE_FALSE ) {
 402                 if ( ! access_allowed( op, e,
 403                         slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL ) )
 404                 {
 405                         rc = LDAP_NO_SUCH_OBJECT;
 406                 }
 407         }
 408
 409         return rc;
 410 }