1 /* schema_check.c - routines to enforce schema definitions */
4 * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
5 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
13 #include <ac/string.h>
14 #include <ac/socket.h>
19 static char * oc_check_required(
22 struct berval *ocname );
25 * entry_schema_check - check that entry e conforms to the schema required
26 * by its object class(es).
28 * returns 0 if so, non-zero otherwise.
33 Entry *e, Attribute *oldattrs,
35 char *textbuf, size_t textlen )
37 Attribute *a, *asc, *aoc;
41 AttributeDescription *ad_structuralObjectClass
42 = slap_schema.si_ad_structuralObjectClass;
43 AttributeDescription *ad_objectClass
44 = slap_schema.si_ad_objectClass;
49 /* check single-valued attrs for multiple values */
50 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
51 /* there should be at least one value */
53 assert( a->a_vals[0].bv_val != NULL );
55 /* if single value type, check for multiple values */
56 if( is_at_single_value( a->a_desc->ad_type ) &&
57 a->a_vals[1].bv_val != NULL )
59 char *type = a->a_desc->ad_cname.bv_val;
61 snprintf( textbuf, textlen,
62 "attribute '%s' cannot have multiple values",
66 LDAP_LOG(( "schema", LDAP_LEVEL_INFO,
67 "entry_schema_check: dn=\"%s\" %s\n",
70 Debug( LDAP_DEBUG_ANY,
72 e->e_dn, textbuf, 0 );
75 return LDAP_CONSTRAINT_VIOLATION;
79 /* it's a REALLY bad idea to disable schema checks */
80 if( !global_schemacheck ) return LDAP_SUCCESS;
82 /* find the object class attribute - could error out here */
83 asc = attr_find( e->e_attrs, ad_structuralObjectClass );
86 LDAP_LOG(( "schema", LDAP_LEVEL_INFO, "entry_schema_check: "
87 "No structuralObjectClass for entry (%s)\n",
90 Debug( LDAP_DEBUG_ANY,
91 "No structuralObjectClass for entry (%s)\n",
95 *text = "no structuralObjectClass operational attribute";
96 return LDAP_OBJECT_CLASS_VIOLATION;
99 assert( asc->a_vals != NULL );
100 assert( asc->a_vals[0].bv_val != NULL );
101 assert( asc->a_vals[1].bv_val == NULL );
103 sc = oc_bvfind( &asc->a_vals[0] );
105 snprintf( textbuf, textlen,
106 "unrecognized structuralObjectClass '%s'",
107 asc->a_vals[0].bv_val );
110 LDAP_LOG(( "schema", LDAP_LEVEL_INFO,
111 "entry_schema_check: dn (%s), %s\n",
114 Debug( LDAP_DEBUG_ANY,
115 "entry_check_schema(%s): %s\n",
116 e->e_dn, textbuf, 0 );
119 return LDAP_OBJECT_CLASS_VIOLATION;
122 if( sc->soc_kind != LDAP_SCHEMA_STRUCTURAL ) {
123 snprintf( textbuf, textlen,
124 "structuralObjectClass '%s' is not STRUCTURAL",
125 asc->a_vals[0].bv_val );
128 LDAP_LOG(( "schema", LDAP_LEVEL_INFO,
129 "entry_schema_check: dn (%s), %s\n",
132 Debug( LDAP_DEBUG_ANY,
133 "entry_check_schema(%s): %s\n",
134 e->e_dn, textbuf, 0 );
137 return LDAP_OBJECT_CLASS_VIOLATION;
140 /* find the object class attribute */
141 aoc = attr_find( e->e_attrs, ad_objectClass );
144 LDAP_LOG(( "schema", LDAP_LEVEL_INFO,
145 "entry_schema_check: No objectClass for entry (%s).\n"
148 Debug( LDAP_DEBUG_ANY, "No objectClass for entry (%s)\n",
152 *text = "no objectClass attribute";
153 return LDAP_OBJECT_CLASS_VIOLATION;
156 assert( aoc->a_vals != NULL );
157 assert( aoc->a_vals[0].bv_val != NULL );
159 rc = structural_class( aoc->a_vals, &nsc, &oc, text, textbuf, textlen );
160 if( rc != LDAP_SUCCESS ) {
162 } else if ( nsc.bv_len == 0 ) {
163 return LDAP_OBJECT_CLASS_VIOLATION;
169 snprintf( textbuf, textlen,
170 "unrecognized objectClass '%s'",
171 aoc->a_vals[0].bv_val );
172 return LDAP_OBJECT_CLASS_VIOLATION;
174 } else if ( sc != oc ) {
175 snprintf( textbuf, textlen,
176 "structuralObjectClass modification from '%s' to '%s' not allowed",
177 asc->a_vals[0].bv_val, nsc.bv_val );
178 return LDAP_NO_OBJECT_CLASS_MODS;
181 /* check that the entry has required attrs for each oc */
182 for ( i = 0; aoc->a_vals[i].bv_val != NULL; i++ ) {
183 if ( (oc = oc_bvfind( &aoc->a_vals[i] )) == NULL ) {
184 snprintf( textbuf, textlen,
185 "unrecognized objectClass '%s'",
186 aoc->a_vals[i].bv_val );
189 LDAP_LOG(( "schema", LDAP_LEVEL_INFO,
190 "entry_schema_check: dn (%s), %s\n",
193 Debug( LDAP_DEBUG_ANY,
194 "entry_check_schema(%s): %s\n",
195 e->e_dn, textbuf, 0 );
198 return LDAP_OBJECT_CLASS_VIOLATION;
200 } else if ( oc->soc_kind == LDAP_SCHEMA_ABSTRACT ) {
201 /* object class is abstract */
202 if ( oc != slap_schema.si_oc_top &&
203 !is_object_subclass( oc, sc ))
206 ObjectClass *xc = NULL;
207 for( j=0; aoc->a_vals[j].bv_val; j++ ) {
209 xc = oc_bvfind( &aoc->a_vals[i] );
211 snprintf( textbuf, textlen,
212 "unrecognized objectClass '%s'",
213 aoc->a_vals[i].bv_val );
216 LDAP_LOG(( "schema", LDAP_LEVEL_INFO,
217 "entry_schema_check: dn (%s), %s\n",
220 Debug( LDAP_DEBUG_ANY,
221 "entry_check_schema(%s): %s\n",
222 e->e_dn, textbuf, 0 );
225 return LDAP_OBJECT_CLASS_VIOLATION;
228 /* since we previous check against the
229 * structural object of this entry, the
230 * abstract class must be a (direct or indirect)
231 * superclass of one of the auxiliary classes of
234 if ( xc->soc_kind == LDAP_SCHEMA_AUXILIARY &&
235 is_object_subclass( oc, xc ) )
245 snprintf( textbuf, textlen, "instanstantiation of "
246 "abstract objectClass '%s' not allowed",
247 aoc->a_vals[i].bv_val );
250 LDAP_LOG(( "schema", LDAP_LEVEL_INFO,
251 "entry_schema_check: dn (%s), %s\n",
254 Debug( LDAP_DEBUG_ANY,
255 "entry_check_schema(%s): %s\n",
256 e->e_dn, textbuf, 0 );
259 return LDAP_OBJECT_CLASS_VIOLATION;
263 } else if ( oc->soc_kind != LDAP_SCHEMA_STRUCTURAL || oc == sc ) {
264 char *s = oc_check_required( e, oc, &aoc->a_vals[i] );
267 snprintf( textbuf, textlen,
268 "object class '%s' requires attribute '%s'",
269 aoc->a_vals[i].bv_val, s );
272 LDAP_LOG(( "schema", LDAP_LEVEL_INFO,
273 "entry_schema_check: dn=\"%s\" %s",
276 Debug( LDAP_DEBUG_ANY,
278 e->e_dn, textbuf, 0 );
281 return LDAP_OBJECT_CLASS_VIOLATION;
284 if( oc == slap_schema.si_oc_extensibleObject ) {
294 /* check that each attr in the entry is allowed by some oc */
295 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
296 int ret = oc_check_allowed( a->a_desc->ad_type, aoc->a_vals, sc );
297 if ( ret != LDAP_SUCCESS ) {
298 char *type = a->a_desc->ad_cname.bv_val;
300 snprintf( textbuf, textlen,
301 "attribute '%s' not allowed",
305 LDAP_LOG(( "schema", LDAP_LEVEL_INFO,
306 "entry_schema_check: dn=\"%s\" %s\n",
309 Debug( LDAP_DEBUG_ANY,
311 e->e_dn, textbuf, 0 );
325 struct berval *ocname )
332 LDAP_LOG(( "schema", LDAP_LEVEL_ENTRY,
333 "oc_check_required: dn (%s), objectClass \"%s\"\n",
334 e->e_dn, ocname->bv_val ));
336 Debug( LDAP_DEBUG_TRACE,
337 "oc_check_required entry (%s), objectClass \"%s\"\n",
338 e->e_dn, ocname->bv_val, 0 );
342 /* check for empty oc_required */
343 if(oc->soc_required == NULL) {
347 /* for each required attribute */
348 for ( i = 0; oc->soc_required[i] != NULL; i++ ) {
349 at = oc->soc_required[i];
350 /* see if it's in the entry */
351 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
352 if( a->a_desc->ad_type == at ) {
356 /* not there => schema violation */
358 return at->sat_cname.bv_val;
365 int oc_check_allowed(
373 LDAP_LOG(( "schema", LDAP_LEVEL_ENTRY,
374 "oc_check_allowed: type \"%s\"\n", at->sat_cname.bv_val ));
376 Debug( LDAP_DEBUG_TRACE,
377 "oc_check_allowed type \"%s\"\n",
378 at->sat_cname.bv_val, 0, 0 );
381 /* always allow objectClass attribute */
382 if ( strcasecmp( at->sat_cname.bv_val, "objectClass" ) == 0 ) {
387 * All operational attributions are allowed by schema rules.
389 if( is_at_operational(at) ) {
393 /* check to see if its allowed by the structuralObjectClass */
395 /* does it require the type? */
396 for ( j = 0; sc->soc_required != NULL &&
397 sc->soc_required[j] != NULL; j++ )
399 if( at == sc->soc_required[j] ) {
404 /* does it allow the type? */
405 for ( j = 0; sc->soc_allowed != NULL &&
406 sc->soc_allowed[j] != NULL; j++ )
408 if( at == sc->soc_allowed[j] ) {
414 /* check that the type appears as req or opt in at least one oc */
415 for ( i = 0; ocl[i].bv_val != NULL; i++ ) {
416 /* if we know about the oc */
417 ObjectClass *oc = oc_bvfind( &ocl[i] );
418 if ( oc != NULL && oc->soc_kind != LDAP_SCHEMA_ABSTRACT &&
419 ( sc == NULL || oc->soc_kind == LDAP_SCHEMA_AUXILIARY ))
421 /* does it require the type? */
422 for ( j = 0; oc->soc_required != NULL &&
423 oc->soc_required[j] != NULL; j++ )
425 if( at == oc->soc_required[j] ) {
429 /* does it allow the type? */
430 for ( j = 0; oc->soc_allowed != NULL &&
431 oc->soc_allowed[j] != NULL; j++ )
433 if( at == oc->soc_allowed[j] ) {
440 /* not allowed by any oc */
441 return LDAP_OBJECT_CLASS_VIOLATION;
445 * Determine the structural object class from a set of OIDs
447 int structural_class(
452 char *textbuf, size_t textlen )
456 ObjectClass *sc = NULL;
459 *text = "structural_class: internal error";
462 for( i=0; ocs[i].bv_val; i++ ) {
463 oc = oc_bvfind( &ocs[i] );
466 snprintf( textbuf, textlen,
467 "unrecongized objectClass '%s'",
470 return LDAP_OBJECT_CLASS_VIOLATION;
473 if( oc->soc_kind == LDAP_SCHEMA_STRUCTURAL ) {
474 if( sc == NULL || is_object_subclass( sc, oc ) ) {
478 } else if ( !is_object_subclass( oc, sc ) ) {
480 ObjectClass *xc = NULL;
482 /* find common superior */
483 for( j=i+1; ocs[j].bv_val; j++ ) {
484 xc = oc_bvfind( &ocs[j] );
487 snprintf( textbuf, textlen,
488 "unrecongized objectClass '%s'",
491 return LDAP_OBJECT_CLASS_VIOLATION;
494 if( xc->soc_kind != LDAP_SCHEMA_STRUCTURAL ) {
499 if( is_object_subclass( sc, xc ) &&
500 is_object_subclass( oc, xc ) )
502 /* found common subclass */
510 /* no common subclass */
511 snprintf( textbuf, textlen,
512 "invalid structural object class chain (%s/%s)",
513 ocs[scn].bv_val, ocs[i].bv_val );
515 return LDAP_OBJECT_CLASS_VIOLATION;
525 *text = "no structural object classes provided";
526 return LDAP_OBJECT_CLASS_VIOLATION;
534 * Return structural object class from list of modifications
536 int mods_structural_class(
540 char *textbuf, size_t textlen )
542 Modifications *ocmod = NULL;
544 for( ; mods != NULL; mods = mods->sml_next ) {
545 if( mods->sml_desc == slap_schema.si_ad_objectClass ) {
546 if( ocmod != NULL ) {
547 *text = "entry has multiple objectClass attributes";
548 return LDAP_OBJECT_CLASS_VIOLATION;
554 if( ocmod == NULL ) {
555 *text = "entry has no objectClass attribute";
556 return LDAP_OBJECT_CLASS_VIOLATION;
559 if( ocmod->sml_bvalues == NULL || ocmod->sml_bvalues[0].bv_val == NULL ) {
560 *text = "objectClass attribute has no values";
561 return LDAP_OBJECT_CLASS_VIOLATION;
564 return structural_class( ocmod->sml_bvalues, sc, NULL,
565 text, textbuf, textlen );
projects / openldap / blob