1 /* schema_check.c - routines to enforce schema definitions */
4 * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
5 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
13 #include <ac/string.h>
14 #include <ac/socket.h>
19 static char * oc_check_required(
22 struct berval *ocname );
25 * entry_schema_check - check that entry e conforms to the schema required
26 * by its object class(es).
28 * returns 0 if so, non-zero otherwise.
37 char *textbuf, size_t textlen )
39 Attribute *a, *asc, *aoc;
43 AttributeDescription *ad_structuralObjectClass
44 = slap_schema.si_ad_structuralObjectClass;
45 AttributeDescription *ad_objectClass
46 = slap_schema.si_ad_objectClass;
48 int subentry = is_entry_subentry( e );
49 int collectiveSubentry = 0;
51 if( subentry) collectiveSubentry = is_entry_collectiveAttributeSubentry( e );
55 /* misc attribute checks */
56 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
57 const char *type = a->a_desc->ad_cname.bv_val;
59 /* there should be at least one value */
61 assert( a->a_vals[0].bv_val != NULL );
63 if( a->a_desc->ad_type->sat_check ) {
64 int rc = (a->a_desc->ad_type->sat_check)(
65 be, e, a, text, textbuf, textlen );
66 if( rc != LDAP_SUCCESS ) {
71 if( !collectiveSubentry && is_at_collective( a->a_desc->ad_type ) ) {
72 snprintf( textbuf, textlen,
73 "'%s' can only appear in collectiveAttributeSubentry",
75 return LDAP_OBJECT_CLASS_VIOLATION;
78 /* if single value type, check for multiple values */
79 if( is_at_single_value( a->a_desc->ad_type ) &&
80 a->a_vals[1].bv_val != NULL )
82 snprintf( textbuf, textlen,
83 "attribute '%s' cannot have multiple values",
87 LDAP_LOG( OPERATION, INFO,
88 "entry_schema_check: dn=\"%s\" %s\n", e->e_dn, textbuf, 0 );
90 Debug( LDAP_DEBUG_ANY,
92 e->e_dn, textbuf, 0 );
95 return LDAP_CONSTRAINT_VIOLATION;
99 /* it's a REALLY bad idea to disable schema checks */
100 if( !global_schemacheck ) return LDAP_SUCCESS;
102 /* find the structural object class attribute */
103 asc = attr_find( e->e_attrs, ad_structuralObjectClass );
106 LDAP_LOG( OPERATION, INFO,
107 "entry_schema_check: No structuralObjectClass for entry (%s)\n",
110 Debug( LDAP_DEBUG_ANY,
111 "No structuralObjectClass for entry (%s)\n",
115 *text = "no structuralObjectClass operational attribute";
119 assert( asc->a_vals != NULL );
120 assert( asc->a_vals[0].bv_val != NULL );
121 assert( asc->a_vals[1].bv_val == NULL );
123 sc = oc_bvfind( &asc->a_vals[0] );
125 snprintf( textbuf, textlen,
126 "unrecognized structuralObjectClass '%s'",
127 asc->a_vals[0].bv_val );
130 LDAP_LOG( OPERATION, INFO,
131 "entry_schema_check: dn (%s), %s\n", e->e_dn, textbuf, 0 );
133 Debug( LDAP_DEBUG_ANY,
134 "entry_check_schema(%s): %s\n",
135 e->e_dn, textbuf, 0 );
138 return LDAP_OBJECT_CLASS_VIOLATION;
141 if( sc->soc_kind != LDAP_SCHEMA_STRUCTURAL ) {
142 snprintf( textbuf, textlen,
143 "structuralObjectClass '%s' is not STRUCTURAL",
144 asc->a_vals[0].bv_val );
147 LDAP_LOG( OPERATION, INFO,
148 "entry_schema_check: dn (%s), %s\n", e->e_dn, textbuf, 0 );
150 Debug( LDAP_DEBUG_ANY,
151 "entry_check_schema(%s): %s\n",
152 e->e_dn, textbuf, 0 );
158 /* find the object class attribute */
159 aoc = attr_find( e->e_attrs, ad_objectClass );
162 LDAP_LOG( OPERATION, INFO,
163 "entry_schema_check: No objectClass for entry (%s).\n",
166 Debug( LDAP_DEBUG_ANY, "No objectClass for entry (%s)\n",
170 *text = "no objectClass attribute";
171 return LDAP_OBJECT_CLASS_VIOLATION;
174 assert( aoc->a_vals != NULL );
175 assert( aoc->a_vals[0].bv_val != NULL );
177 rc = structural_class( aoc->a_vals, &nsc, &oc, text, textbuf, textlen );
178 if( rc != LDAP_SUCCESS ) {
185 snprintf( textbuf, textlen,
186 "unrecognized objectClass '%s'",
187 aoc->a_vals[0].bv_val );
188 return LDAP_OBJECT_CLASS_VIOLATION;
190 } else if ( sc != oc ) {
191 snprintf( textbuf, textlen,
192 "structural object class modification from '%s' to '%s' not allowed",
193 asc->a_vals[0].bv_val, nsc.bv_val );
194 return LDAP_NO_OBJECT_CLASS_MODS;
197 /* check that the entry has required attrs for each oc */
198 for ( i = 0; aoc->a_vals[i].bv_val != NULL; i++ ) {
199 if ( (oc = oc_bvfind( &aoc->a_vals[i] )) == NULL ) {
200 snprintf( textbuf, textlen,
201 "unrecognized objectClass '%s'",
202 aoc->a_vals[i].bv_val );
205 LDAP_LOG( OPERATION, INFO,
206 "entry_schema_check: dn (%s), %s\n", e->e_dn, textbuf, 0 );
208 Debug( LDAP_DEBUG_ANY,
209 "entry_check_schema(%s): %s\n",
210 e->e_dn, textbuf, 0 );
213 return LDAP_OBJECT_CLASS_VIOLATION;
216 if ( oc->soc_check ) {
217 int rc = (oc->soc_check)( be, e, oc,
218 text, textbuf, textlen );
219 if( rc != LDAP_SUCCESS ) {
224 if ( oc->soc_kind == LDAP_SCHEMA_ABSTRACT ) {
225 /* object class is abstract */
226 if ( oc != slap_schema.si_oc_top &&
227 !is_object_subclass( oc, sc ))
230 ObjectClass *xc = NULL;
231 for( j=0; aoc->a_vals[j].bv_val; j++ ) {
233 xc = oc_bvfind( &aoc->a_vals[i] );
235 snprintf( textbuf, textlen,
236 "unrecognized objectClass '%s'",
237 aoc->a_vals[i].bv_val );
240 LDAP_LOG( OPERATION, INFO,
241 "entry_schema_check: dn (%s), %s\n",
242 e->e_dn, textbuf, 0 );
244 Debug( LDAP_DEBUG_ANY,
245 "entry_check_schema(%s): %s\n",
246 e->e_dn, textbuf, 0 );
249 return LDAP_OBJECT_CLASS_VIOLATION;
252 /* since we previous check against the
253 * structural object of this entry, the
254 * abstract class must be a (direct or indirect)
255 * superclass of one of the auxiliary classes of
258 if ( xc->soc_kind == LDAP_SCHEMA_AUXILIARY &&
259 is_object_subclass( oc, xc ) )
268 snprintf( textbuf, textlen, "instanstantiation of "
269 "abstract objectClass '%s' not allowed",
270 aoc->a_vals[i].bv_val );
273 LDAP_LOG( OPERATION, INFO,
274 "entry_schema_check: dn (%s), %s\n",
275 e->e_dn, textbuf, 0 );
277 Debug( LDAP_DEBUG_ANY,
278 "entry_check_schema(%s): %s\n",
279 e->e_dn, textbuf, 0 );
282 return LDAP_OBJECT_CLASS_VIOLATION;
286 } else if ( oc->soc_kind != LDAP_SCHEMA_STRUCTURAL || oc == sc ) {
287 char *s = oc_check_required( e, oc, &aoc->a_vals[i] );
290 snprintf( textbuf, textlen,
291 "object class '%s' requires attribute '%s'",
292 aoc->a_vals[i].bv_val, s );
295 LDAP_LOG( OPERATION, INFO,
296 "entry_schema_check: dn=\"%s\" %s", e->e_dn, textbuf, 0 );
298 Debug( LDAP_DEBUG_ANY,
300 e->e_dn, textbuf, 0 );
303 return LDAP_OBJECT_CLASS_VIOLATION;
306 if( oc == slap_schema.si_oc_extensibleObject ) {
316 /* check that each attr in the entry is allowed by some oc */
317 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
318 int ret = oc_check_allowed( a->a_desc->ad_type, aoc->a_vals, sc );
319 if ( ret != LDAP_SUCCESS ) {
320 char *type = a->a_desc->ad_cname.bv_val;
322 snprintf( textbuf, textlen,
323 "attribute '%s' not allowed",
327 LDAP_LOG( OPERATION, INFO,
328 "entry_schema_check: dn=\"%s\" %s\n", e->e_dn, textbuf, 0);
330 Debug( LDAP_DEBUG_ANY,
332 e->e_dn, textbuf, 0 );
346 struct berval *ocname )
353 LDAP_LOG( OPERATION, ENTRY,
354 "oc_check_required: dn (%s), objectClass \"%s\"\n",
355 e->e_dn, ocname->bv_val, 0 );
357 Debug( LDAP_DEBUG_TRACE,
358 "oc_check_required entry (%s), objectClass \"%s\"\n",
359 e->e_dn, ocname->bv_val, 0 );
363 /* check for empty oc_required */
364 if(oc->soc_required == NULL) {
368 /* for each required attribute */
369 for ( i = 0; oc->soc_required[i] != NULL; i++ ) {
370 at = oc->soc_required[i];
371 /* see if it's in the entry */
372 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
373 if( a->a_desc->ad_type == at ) {
377 /* not there => schema violation */
379 return at->sat_cname.bv_val;
386 int oc_check_allowed(
394 LDAP_LOG( OPERATION, ENTRY,
395 "oc_check_allowed: type \"%s\"\n", at->sat_cname.bv_val, 0, 0 );
397 Debug( LDAP_DEBUG_TRACE,
398 "oc_check_allowed type \"%s\"\n",
399 at->sat_cname.bv_val, 0, 0 );
402 /* always allow objectClass attribute */
403 if ( strcasecmp( at->sat_cname.bv_val, "objectClass" ) == 0 ) {
408 * All operational attributions are allowed by schema rules.
410 if( is_at_operational(at) ) {
414 /* check to see if its allowed by the structuralObjectClass */
416 /* does it require the type? */
417 for ( j = 0; sc->soc_required != NULL &&
418 sc->soc_required[j] != NULL; j++ )
420 if( at == sc->soc_required[j] ) {
425 /* does it allow the type? */
426 for ( j = 0; sc->soc_allowed != NULL &&
427 sc->soc_allowed[j] != NULL; j++ )
429 if( at == sc->soc_allowed[j] ) {
435 /* check that the type appears as req or opt in at least one oc */
436 for ( i = 0; ocl[i].bv_val != NULL; i++ ) {
437 /* if we know about the oc */
438 ObjectClass *oc = oc_bvfind( &ocl[i] );
439 if ( oc != NULL && oc->soc_kind != LDAP_SCHEMA_ABSTRACT &&
440 ( sc == NULL || oc->soc_kind == LDAP_SCHEMA_AUXILIARY ))
442 /* does it require the type? */
443 for ( j = 0; oc->soc_required != NULL &&
444 oc->soc_required[j] != NULL; j++ )
446 if( at == oc->soc_required[j] ) {
450 /* does it allow the type? */
451 for ( j = 0; oc->soc_allowed != NULL &&
452 oc->soc_allowed[j] != NULL; j++ )
454 if( at == oc->soc_allowed[j] ) {
461 /* not allowed by any oc */
462 return LDAP_OBJECT_CLASS_VIOLATION;
466 * Determine the structural object class from a set of OIDs
468 int structural_class(
473 char *textbuf, size_t textlen )
477 ObjectClass *sc = NULL;
480 *text = "structural_class: internal error";
483 for( i=0; ocs[i].bv_val; i++ ) {
484 oc = oc_bvfind( &ocs[i] );
487 snprintf( textbuf, textlen,
488 "unrecognized objectClass '%s'",
491 return LDAP_OBJECT_CLASS_VIOLATION;
494 if( oc->soc_kind == LDAP_SCHEMA_STRUCTURAL ) {
495 if( sc == NULL || is_object_subclass( sc, oc ) ) {
499 } else if ( !is_object_subclass( oc, sc ) ) {
501 ObjectClass *xc = NULL;
503 /* find common superior */
504 for( j=i+1; ocs[j].bv_val; j++ ) {
505 xc = oc_bvfind( &ocs[j] );
508 snprintf( textbuf, textlen,
509 "unrecognized objectClass '%s'",
512 return LDAP_OBJECT_CLASS_VIOLATION;
515 if( xc->soc_kind != LDAP_SCHEMA_STRUCTURAL ) {
520 if( is_object_subclass( sc, xc ) &&
521 is_object_subclass( oc, xc ) )
523 /* found common subclass */
531 /* no common subclass */
532 snprintf( textbuf, textlen,
533 "invalid structural object class chain (%s/%s)",
534 ocs[scn].bv_val, ocs[i].bv_val );
536 return LDAP_OBJECT_CLASS_VIOLATION;
547 *text = "no structural object classes provided";
548 return LDAP_OBJECT_CLASS_VIOLATION;
552 *text = "invalid structural object class";
553 return LDAP_OBJECT_CLASS_VIOLATION;
558 if( scbv->bv_len == 0 ) {
559 *text = "invalid structural object class";
560 return LDAP_OBJECT_CLASS_VIOLATION;
567 * Return structural object class from list of modifications
569 int mods_structural_class(
573 char *textbuf, size_t textlen )
575 Modifications *ocmod = NULL;
577 for( ; mods != NULL; mods = mods->sml_next ) {
578 if( mods->sml_desc == slap_schema.si_ad_objectClass ) {
579 if( ocmod != NULL ) {
580 *text = "entry has multiple objectClass attributes";
581 return LDAP_OBJECT_CLASS_VIOLATION;
587 if( ocmod == NULL ) {
588 *text = "entry has no objectClass attribute";
589 return LDAP_OBJECT_CLASS_VIOLATION;
592 if( ocmod->sml_bvalues == NULL || ocmod->sml_bvalues[0].bv_val == NULL ) {
593 *text = "objectClass attribute has no values";
594 return LDAP_OBJECT_CLASS_VIOLATION;
597 return structural_class( ocmod->sml_bvalues, sc, NULL,
598 text, textbuf, textlen );
projects / openldap / blob