1 /* schema_check.c - routines to enforce schema definitions */
4 * Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved.
5 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
13 #include <ac/string.h>
14 #include <ac/socket.h>
19 static char * oc_check_required(
22 struct berval *ocname );
24 static int entry_naming_check(
27 char *textbuf, size_t textlen );
29 * entry_schema_check - check that entry e conforms to the schema required
30 * by its object class(es).
32 * returns 0 if so, non-zero otherwise.
41 char *textbuf, size_t textlen )
43 Attribute *a, *asc, *aoc;
45 #ifdef SLAP_EXTENDED_SCHEMA
51 AttributeDescription *ad_structuralObjectClass
52 = slap_schema.si_ad_structuralObjectClass;
53 AttributeDescription *ad_objectClass
54 = slap_schema.si_ad_objectClass;
56 int subentry = is_entry_subentry( e );
57 int collectiveSubentry = 0;
60 collectiveSubentry = is_entry_collectiveAttributeSubentry( e );
65 /* misc attribute checks */
66 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
67 const char *type = a->a_desc->ad_cname.bv_val;
69 /* there should be at least one value */
71 assert( a->a_vals[0].bv_val != NULL );
73 if( a->a_desc->ad_type->sat_check ) {
74 int rc = (a->a_desc->ad_type->sat_check)(
75 be, e, a, text, textbuf, textlen );
76 if( rc != LDAP_SUCCESS ) {
81 if( !collectiveSubentry && is_at_collective( a->a_desc->ad_type ) ) {
82 snprintf( textbuf, textlen,
83 "'%s' can only appear in collectiveAttributeSubentry",
85 return LDAP_OBJECT_CLASS_VIOLATION;
88 /* if single value type, check for multiple values */
89 if( is_at_single_value( a->a_desc->ad_type ) &&
90 a->a_vals[1].bv_val != NULL )
92 snprintf( textbuf, textlen,
93 "attribute '%s' cannot have multiple values",
97 LDAP_LOG( OPERATION, INFO,
98 "entry_schema_check: dn=\"%s\" %s\n", e->e_dn, textbuf, 0 );
100 Debug( LDAP_DEBUG_ANY,
102 e->e_dn, textbuf, 0 );
105 return LDAP_CONSTRAINT_VIOLATION;
109 /* it's a REALLY bad idea to disable schema checks */
110 if( !global_schemacheck ) return LDAP_SUCCESS;
112 /* find the structural object class attribute */
113 asc = attr_find( e->e_attrs, ad_structuralObjectClass );
116 LDAP_LOG( OPERATION, INFO,
117 "entry_schema_check: No structuralObjectClass for entry (%s)\n",
120 Debug( LDAP_DEBUG_ANY,
121 "No structuralObjectClass for entry (%s)\n",
125 *text = "no structuralObjectClass operational attribute";
129 assert( asc->a_vals != NULL );
130 assert( asc->a_vals[0].bv_val != NULL );
131 assert( asc->a_vals[1].bv_val == NULL );
133 sc = oc_bvfind( &asc->a_vals[0] );
135 snprintf( textbuf, textlen,
136 "unrecognized structuralObjectClass '%s'",
137 asc->a_vals[0].bv_val );
140 LDAP_LOG( OPERATION, INFO,
141 "entry_schema_check: dn (%s), %s\n", e->e_dn, textbuf, 0 );
143 Debug( LDAP_DEBUG_ANY,
144 "entry_check_schema(%s): %s\n",
145 e->e_dn, textbuf, 0 );
148 return LDAP_OBJECT_CLASS_VIOLATION;
151 if( sc->soc_kind != LDAP_SCHEMA_STRUCTURAL ) {
152 snprintf( textbuf, textlen,
153 "structuralObjectClass '%s' is not STRUCTURAL",
154 asc->a_vals[0].bv_val );
157 LDAP_LOG( OPERATION, INFO,
158 "entry_schema_check: dn (%s), %s\n", e->e_dn, textbuf, 0 );
160 Debug( LDAP_DEBUG_ANY,
161 "entry_check_schema(%s): %s\n",
162 e->e_dn, textbuf, 0 );
168 if( sc->soc_obsolete ) {
169 snprintf( textbuf, textlen,
170 "structuralObjectClass '%s' is OBSOLETE",
171 asc->a_vals[0].bv_val );
174 LDAP_LOG( OPERATION, INFO,
175 "entry_schema_check: dn (%s), %s\n", e->e_dn, textbuf, 0 );
177 Debug( LDAP_DEBUG_ANY,
178 "entry_check_schema(%s): %s\n",
179 e->e_dn, textbuf, 0 );
182 return LDAP_OBJECT_CLASS_VIOLATION;
185 /* find the object class attribute */
186 aoc = attr_find( e->e_attrs, ad_objectClass );
189 LDAP_LOG( OPERATION, INFO,
190 "entry_schema_check: No objectClass for entry (%s).\n",
193 Debug( LDAP_DEBUG_ANY, "No objectClass for entry (%s)\n",
197 *text = "no objectClass attribute";
198 return LDAP_OBJECT_CLASS_VIOLATION;
201 assert( aoc->a_vals != NULL );
202 assert( aoc->a_vals[0].bv_val != NULL );
204 rc = structural_class( aoc->a_vals, &nsc, &oc, text, textbuf, textlen );
205 if( rc != LDAP_SUCCESS ) {
212 snprintf( textbuf, textlen,
213 "unrecognized objectClass '%s'",
214 aoc->a_vals[0].bv_val );
215 return LDAP_OBJECT_CLASS_VIOLATION;
217 } else if ( sc != oc ) {
218 snprintf( textbuf, textlen,
219 "structural object class modification "
220 "from '%s' to '%s' not allowed",
221 asc->a_vals[0].bv_val, nsc.bv_val );
222 return LDAP_NO_OBJECT_CLASS_MODS;
226 rc = entry_naming_check( e, text, textbuf, textlen );
227 if( rc != LDAP_SUCCESS ) {
231 #ifdef SLAP_EXTENDED_SCHEMA
232 /* find the content rule for the structural class */
233 cr = cr_find( sc->soc_oid );
235 /* the cr must be same as the structural class */
236 assert( !cr || !strcmp( cr->scr_oid, sc->soc_oid ) );
238 /* check that the entry has required attrs of the content rule */
240 if( cr->scr_obsolete ) {
241 snprintf( textbuf, textlen,
242 "content rule '%s' is obsolete",
243 ldap_contentrule2name( &cr->scr_crule ));
246 LDAP_LOG( OPERATION, INFO,
247 "entry_schema_check: dn=\"%s\" %s", e->e_dn, textbuf, 0 );
249 Debug( LDAP_DEBUG_ANY,
251 e->e_dn, textbuf, 0 );
254 return LDAP_OBJECT_CLASS_VIOLATION;
257 if( cr->scr_required ) for( i=0; cr->scr_required[i]; i++ ) {
258 at = cr->scr_required[i];
260 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
261 if( a->a_desc->ad_type == at ) {
266 /* not there => schema violation */
268 snprintf( textbuf, textlen,
269 "content rule '%s' requires attribute '%s'",
270 ldap_contentrule2name( &cr->scr_crule ),
271 at->sat_cname.bv_val );
274 LDAP_LOG( OPERATION, INFO,
275 "entry_schema_check: dn=\"%s\" %s", e->e_dn, textbuf, 0 );
277 Debug( LDAP_DEBUG_ANY,
279 e->e_dn, textbuf, 0 );
282 return LDAP_OBJECT_CLASS_VIOLATION;
286 if( cr->scr_precluded ) for( i=0; cr->scr_precluded[i]; i++ ) {
287 at = cr->scr_precluded[i];
289 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
290 if( a->a_desc->ad_type == at ) {
295 /* there => schema violation */
297 snprintf( textbuf, textlen,
298 "content rule '%s' precluded attribute '%s'",
299 ldap_contentrule2name( &cr->scr_crule ),
300 at->sat_cname.bv_val );
303 LDAP_LOG( OPERATION, INFO,
304 "entry_schema_check: dn=\"%s\" %s", e->e_dn, textbuf, 0 );
306 Debug( LDAP_DEBUG_ANY,
308 e->e_dn, textbuf, 0 );
311 return LDAP_OBJECT_CLASS_VIOLATION;
315 #endif /* SLAP_EXTENDED_SCHEMA */
317 /* check that the entry has required attrs for each oc */
318 for ( i = 0; aoc->a_vals[i].bv_val != NULL; i++ ) {
319 if ( (oc = oc_bvfind( &aoc->a_vals[i] )) == NULL ) {
320 snprintf( textbuf, textlen,
321 "unrecognized objectClass '%s'",
322 aoc->a_vals[i].bv_val );
325 LDAP_LOG( OPERATION, INFO,
326 "entry_schema_check: dn (%s), %s\n", e->e_dn, textbuf, 0 );
328 Debug( LDAP_DEBUG_ANY,
329 "entry_check_schema(%s): %s\n",
330 e->e_dn, textbuf, 0 );
333 return LDAP_OBJECT_CLASS_VIOLATION;
336 if ( oc->soc_obsolete ) {
337 /* disallow obsolete classes */
338 snprintf( textbuf, textlen,
339 "objectClass '%s' is OBSOLETE",
340 aoc->a_vals[i].bv_val );
343 LDAP_LOG( OPERATION, INFO,
344 "entry_schema_check: dn (%s), %s\n", e->e_dn, textbuf, 0 );
346 Debug( LDAP_DEBUG_ANY,
347 "entry_check_schema(%s): %s\n",
348 e->e_dn, textbuf, 0 );
351 return LDAP_OBJECT_CLASS_VIOLATION;
354 if ( oc->soc_check ) {
355 int rc = (oc->soc_check)( be, e, oc,
356 text, textbuf, textlen );
357 if( rc != LDAP_SUCCESS ) {
362 if ( oc->soc_kind == LDAP_SCHEMA_ABSTRACT ) {
363 /* object class is abstract */
364 if ( oc != slap_schema.si_oc_top &&
365 !is_object_subclass( oc, sc ))
368 ObjectClass *xc = NULL;
369 for( j=0; aoc->a_vals[j].bv_val; j++ ) {
371 xc = oc_bvfind( &aoc->a_vals[i] );
373 snprintf( textbuf, textlen,
374 "unrecognized objectClass '%s'",
375 aoc->a_vals[i].bv_val );
378 LDAP_LOG( OPERATION, INFO,
379 "entry_schema_check: dn (%s), %s\n",
380 e->e_dn, textbuf, 0 );
382 Debug( LDAP_DEBUG_ANY,
383 "entry_check_schema(%s): %s\n",
384 e->e_dn, textbuf, 0 );
387 return LDAP_OBJECT_CLASS_VIOLATION;
390 /* since we previous check against the
391 * structural object of this entry, the
392 * abstract class must be a (direct or indirect)
393 * superclass of one of the auxiliary classes of
396 if ( xc->soc_kind == LDAP_SCHEMA_AUXILIARY &&
397 is_object_subclass( oc, xc ) )
406 snprintf( textbuf, textlen, "instanstantiation of "
407 "abstract objectClass '%s' not allowed",
408 aoc->a_vals[i].bv_val );
411 LDAP_LOG( OPERATION, INFO,
412 "entry_schema_check: dn (%s), %s\n",
413 e->e_dn, textbuf, 0 );
415 Debug( LDAP_DEBUG_ANY,
416 "entry_check_schema(%s): %s\n",
417 e->e_dn, textbuf, 0 );
420 return LDAP_OBJECT_CLASS_VIOLATION;
424 } else if ( oc->soc_kind != LDAP_SCHEMA_STRUCTURAL || oc == sc ) {
427 #ifdef SLAP_EXTENDED_SCHEMA
428 if( oc->soc_kind == LDAP_SCHEMA_AUXILIARY ) {
431 if( cr->scr_auxiliaries ) {
432 for( ; cr->scr_auxiliaries[k]; k++ ) {
433 if( cr->scr_auxiliaries[k] == oc ) {
439 } else if ( global_disallows & SLAP_DISALLOW_AUX_WO_CR ) {
444 snprintf( textbuf, textlen,
445 "content rule '%s' does not allow class '%s'",
446 ldap_contentrule2name( &cr->scr_crule ),
447 oc->soc_cname.bv_val );
450 LDAP_LOG( OPERATION, INFO,
451 "entry_schema_check: dn=\"%s\" %s",
452 e->e_dn, textbuf, 0 );
454 Debug( LDAP_DEBUG_ANY,
456 e->e_dn, textbuf, 0 );
459 return LDAP_OBJECT_CLASS_VIOLATION;
462 #endif /* SLAP_EXTENDED_SCHEMA */
464 s = oc_check_required( e, oc, &aoc->a_vals[i] );
466 snprintf( textbuf, textlen,
467 "object class '%s' requires attribute '%s'",
468 aoc->a_vals[i].bv_val, s );
471 LDAP_LOG( OPERATION, INFO,
472 "entry_schema_check: dn=\"%s\" %s", e->e_dn, textbuf, 0 );
474 Debug( LDAP_DEBUG_ANY,
476 e->e_dn, textbuf, 0 );
479 return LDAP_OBJECT_CLASS_VIOLATION;
482 if( oc == slap_schema.si_oc_extensibleObject ) {
492 /* check that each attr in the entry is allowed by some oc */
493 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
496 #ifdef SLAP_EXTENDED_SCHEMA
497 ret = LDAP_OBJECT_CLASS_VIOLATION;
499 if( cr && cr->scr_required ) {
500 for( i=0; cr->scr_required[i]; i++ ) {
501 if( cr->scr_required[i] == a->a_desc->ad_type ) {
508 if( ret != LDAP_SUCCESS && cr && cr->scr_allowed ) {
509 for( i=0; cr->scr_allowed[i]; i++ ) {
510 if( cr->scr_allowed[i] == a->a_desc->ad_type ) {
517 if( ret != LDAP_SUCCESS )
518 #endif /* SLAP_EXTENDED_SCHEMA */
520 ret = oc_check_allowed( a->a_desc->ad_type, aoc->a_vals, sc );
523 if ( ret != LDAP_SUCCESS ) {
524 char *type = a->a_desc->ad_cname.bv_val;
526 snprintf( textbuf, textlen,
527 "attribute '%s' not allowed",
531 LDAP_LOG( OPERATION, INFO,
532 "entry_schema_check: dn=\"%s\" %s\n", e->e_dn, textbuf, 0);
534 Debug( LDAP_DEBUG_ANY,
536 e->e_dn, textbuf, 0 );
550 struct berval *ocname )
557 LDAP_LOG( OPERATION, ENTRY,
558 "oc_check_required: dn (%s), objectClass \"%s\"\n",
559 e->e_dn, ocname->bv_val, 0 );
561 Debug( LDAP_DEBUG_TRACE,
562 "oc_check_required entry (%s), objectClass \"%s\"\n",
563 e->e_dn, ocname->bv_val, 0 );
567 /* check for empty oc_required */
568 if(oc->soc_required == NULL) {
572 /* for each required attribute */
573 for ( i = 0; oc->soc_required[i] != NULL; i++ ) {
574 at = oc->soc_required[i];
575 /* see if it's in the entry */
576 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
577 if( a->a_desc->ad_type == at ) {
581 /* not there => schema violation */
583 return at->sat_cname.bv_val;
590 int oc_check_allowed(
598 LDAP_LOG( OPERATION, ENTRY,
599 "oc_check_allowed: type \"%s\"\n", at->sat_cname.bv_val, 0, 0 );
601 Debug( LDAP_DEBUG_TRACE,
602 "oc_check_allowed type \"%s\"\n",
603 at->sat_cname.bv_val, 0, 0 );
606 /* always allow objectClass attribute */
607 if ( strcasecmp( at->sat_cname.bv_val, "objectClass" ) == 0 ) {
612 * All operational attributions are allowed by schema rules.
614 if( is_at_operational(at) ) {
618 /* check to see if its allowed by the structuralObjectClass */
620 /* does it require the type? */
621 for ( j = 0; sc->soc_required != NULL &&
622 sc->soc_required[j] != NULL; j++ )
624 if( at == sc->soc_required[j] ) {
629 /* does it allow the type? */
630 for ( j = 0; sc->soc_allowed != NULL &&
631 sc->soc_allowed[j] != NULL; j++ )
633 if( at == sc->soc_allowed[j] ) {
639 /* check that the type appears as req or opt in at least one oc */
640 for ( i = 0; ocl[i].bv_val != NULL; i++ ) {
641 /* if we know about the oc */
642 ObjectClass *oc = oc_bvfind( &ocl[i] );
643 if ( oc != NULL && oc->soc_kind != LDAP_SCHEMA_ABSTRACT &&
644 ( sc == NULL || oc->soc_kind == LDAP_SCHEMA_AUXILIARY ))
646 /* does it require the type? */
647 for ( j = 0; oc->soc_required != NULL &&
648 oc->soc_required[j] != NULL; j++ )
650 if( at == oc->soc_required[j] ) {
654 /* does it allow the type? */
655 for ( j = 0; oc->soc_allowed != NULL &&
656 oc->soc_allowed[j] != NULL; j++ )
658 if( at == oc->soc_allowed[j] ) {
665 /* not allowed by any oc */
666 return LDAP_OBJECT_CLASS_VIOLATION;
670 * Determine the structural object class from a set of OIDs
672 int structural_class(
677 char *textbuf, size_t textlen )
681 ObjectClass *sc = NULL;
684 *text = "structural_class: internal error";
687 for( i=0; ocs[i].bv_val; i++ ) {
688 oc = oc_bvfind( &ocs[i] );
691 snprintf( textbuf, textlen,
692 "unrecognized objectClass '%s'",
695 return LDAP_OBJECT_CLASS_VIOLATION;
698 if( oc->soc_kind == LDAP_SCHEMA_STRUCTURAL ) {
699 if( sc == NULL || is_object_subclass( sc, oc ) ) {
703 } else if ( !is_object_subclass( oc, sc ) ) {
705 ObjectClass *xc = NULL;
707 /* find common superior */
708 for( j=i+1; ocs[j].bv_val; j++ ) {
709 xc = oc_bvfind( &ocs[j] );
712 snprintf( textbuf, textlen,
713 "unrecognized objectClass '%s'",
716 return LDAP_OBJECT_CLASS_VIOLATION;
719 if( xc->soc_kind != LDAP_SCHEMA_STRUCTURAL ) {
724 if( is_object_subclass( sc, xc ) &&
725 is_object_subclass( oc, xc ) )
727 /* found common subclass */
735 /* no common subclass */
736 snprintf( textbuf, textlen,
737 "invalid structural object class chain (%s/%s)",
738 ocs[scn].bv_val, ocs[i].bv_val );
740 return LDAP_OBJECT_CLASS_VIOLATION;
751 *text = "no structural object class provided";
752 return LDAP_OBJECT_CLASS_VIOLATION;
756 *text = "invalid structural object class";
757 return LDAP_OBJECT_CLASS_VIOLATION;
762 if( scbv->bv_len == 0 ) {
763 *text = "invalid structural object class";
764 return LDAP_OBJECT_CLASS_VIOLATION;
771 * Return structural object class from list of modifications
773 int mods_structural_class(
777 char *textbuf, size_t textlen )
779 Modifications *ocmod = NULL;
781 for( ; mods != NULL; mods = mods->sml_next ) {
782 if( mods->sml_desc == slap_schema.si_ad_objectClass ) {
783 if( ocmod != NULL ) {
784 *text = "entry has multiple objectClass attributes";
785 return LDAP_OBJECT_CLASS_VIOLATION;
791 if( ocmod == NULL ) {
792 *text = "entry has no objectClass attribute";
793 return LDAP_OBJECT_CLASS_VIOLATION;
796 if( ocmod->sml_bvalues == NULL || ocmod->sml_bvalues[0].bv_val == NULL ) {
797 *text = "objectClass attribute has no values";
798 return LDAP_OBJECT_CLASS_VIOLATION;
801 return structural_class( ocmod->sml_bvalues, sc, NULL,
802 text, textbuf, textlen );
810 char *textbuf, size_t textlen )
814 const char *p = NULL;
816 int rc = LDAP_SUCCESS;
819 * Get attribute type(s) and attribute value(s) of our RDN
821 if ( ldap_bv2rdn( &e->e_name, &rdn, (char **)&p,
822 LDAP_DN_FORMAT_LDAP ) )
824 *text = "unrecongized attribute type(s) in RDN";
825 return LDAP_INVALID_DN_SYNTAX;
828 /* Check that each AVA of the RDN is present in the entry */
829 /* FIXME: Should also check that each AVA lists a distinct type */
830 for ( cnt = 0; rdn[0][cnt]; cnt++ ) {
831 LDAPAVA *ava = rdn[0][cnt];
832 AttributeDescription *desc = NULL;
836 rc = slap_bv2ad( &ava->la_attr, &desc, &errtext );
837 if ( rc != LDAP_SUCCESS ) {
838 snprintf( textbuf, textlen, "%s (in RDN)", errtext );
842 /* find the naming attribute */
843 attr = attr_find( e->e_attrs, desc );
844 if ( attr == NULL ) {
845 snprintf( textbuf, textlen,
846 "naming attribute '%s' is not present in entry",
847 ava->la_attr.bv_val );
848 rc = LDAP_NAMING_VIOLATION;
852 if( ava->la_flags & LDAP_AVA_BINARY ) {
853 snprintf( textbuf, textlen,
854 "value of naming attribute '%s' in unsupported BER form",
855 ava->la_attr.bv_val );
856 rc = LDAP_NAMING_VIOLATION;
859 if ( value_find_ex( desc,
860 SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH,
862 &ava->la_value ) != 0 )
864 snprintf( textbuf, textlen,
865 "value of naming attribute '%s' is not present in entry",
866 ava->la_attr.bv_val );
867 rc = LDAP_NAMING_VIOLATION;
projects / openldap / blob