1 /* schema_check.c - routines to enforce schema definitions */
4 * Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved.
5 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
13 #include <ac/string.h>
14 #include <ac/socket.h>
19 static char * oc_check_required(
22 struct berval *ocname );
24 static int entry_naming_check(
27 char *textbuf, size_t textlen );
29 * entry_schema_check - check that entry e conforms to the schema required
30 * by its object class(es).
32 * returns 0 if so, non-zero otherwise.
41 char *textbuf, size_t textlen )
43 Attribute *a, *asc, *aoc;
45 #ifdef SLAP_EXTENDED_SCHEMA
51 AttributeDescription *ad_structuralObjectClass
52 = slap_schema.si_ad_structuralObjectClass;
53 AttributeDescription *ad_objectClass
54 = slap_schema.si_ad_objectClass;
56 int subentry = is_entry_subentry( e );
57 int collectiveSubentry = 0;
60 collectiveSubentry = is_entry_collectiveAttributeSubentry( e );
65 /* misc attribute checks */
66 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
67 const char *type = a->a_desc->ad_cname.bv_val;
69 /* there should be at least one value */
71 assert( a->a_vals[0].bv_val != NULL );
73 if( a->a_desc->ad_type->sat_check ) {
74 int rc = (a->a_desc->ad_type->sat_check)(
75 be, e, a, text, textbuf, textlen );
76 if( rc != LDAP_SUCCESS ) {
81 if( !collectiveSubentry && is_at_collective( a->a_desc->ad_type ) ) {
82 snprintf( textbuf, textlen,
83 "'%s' can only appear in collectiveAttributeSubentry",
85 return LDAP_OBJECT_CLASS_VIOLATION;
88 /* if single value type, check for multiple values */
89 if( is_at_single_value( a->a_desc->ad_type ) &&
90 a->a_vals[1].bv_val != NULL )
92 snprintf( textbuf, textlen,
93 "attribute '%s' cannot have multiple values",
97 LDAP_LOG( OPERATION, INFO,
98 "entry_schema_check: dn=\"%s\" %s\n", e->e_dn, textbuf, 0 );
100 Debug( LDAP_DEBUG_ANY,
102 e->e_dn, textbuf, 0 );
105 return LDAP_CONSTRAINT_VIOLATION;
109 /* it's a REALLY bad idea to disable schema checks */
110 if( !global_schemacheck ) return LDAP_SUCCESS;
112 /* find the structural object class attribute */
113 asc = attr_find( e->e_attrs, ad_structuralObjectClass );
116 LDAP_LOG( OPERATION, INFO,
117 "entry_schema_check: No structuralObjectClass for entry (%s)\n",
120 Debug( LDAP_DEBUG_ANY,
121 "No structuralObjectClass for entry (%s)\n",
125 *text = "no structuralObjectClass operational attribute";
129 assert( asc->a_vals != NULL );
130 assert( asc->a_vals[0].bv_val != NULL );
131 assert( asc->a_vals[1].bv_val == NULL );
133 sc = oc_bvfind( &asc->a_vals[0] );
135 snprintf( textbuf, textlen,
136 "unrecognized structuralObjectClass '%s'",
137 asc->a_vals[0].bv_val );
140 LDAP_LOG( OPERATION, INFO,
141 "entry_schema_check: dn (%s), %s\n", e->e_dn, textbuf, 0 );
143 Debug( LDAP_DEBUG_ANY,
144 "entry_check_schema(%s): %s\n",
145 e->e_dn, textbuf, 0 );
148 return LDAP_OBJECT_CLASS_VIOLATION;
151 if( sc->soc_kind != LDAP_SCHEMA_STRUCTURAL ) {
152 snprintf( textbuf, textlen,
153 "structuralObjectClass '%s' is not STRUCTURAL",
154 asc->a_vals[0].bv_val );
157 LDAP_LOG( OPERATION, INFO,
158 "entry_schema_check: dn (%s), %s\n", e->e_dn, textbuf, 0 );
160 Debug( LDAP_DEBUG_ANY,
161 "entry_check_schema(%s): %s\n",
162 e->e_dn, textbuf, 0 );
168 if( sc->soc_obsolete ) {
169 snprintf( textbuf, textlen,
170 "structuralObjectClass '%s' is OBSOLETE",
171 asc->a_vals[0].bv_val );
174 LDAP_LOG( OPERATION, INFO,
175 "entry_schema_check: dn (%s), %s\n", e->e_dn, textbuf, 0 );
177 Debug( LDAP_DEBUG_ANY,
178 "entry_check_schema(%s): %s\n",
179 e->e_dn, textbuf, 0 );
182 return LDAP_OBJECT_CLASS_VIOLATION;
185 /* find the object class attribute */
186 aoc = attr_find( e->e_attrs, ad_objectClass );
189 LDAP_LOG( OPERATION, INFO,
190 "entry_schema_check: No objectClass for entry (%s).\n",
193 Debug( LDAP_DEBUG_ANY, "No objectClass for entry (%s)\n",
197 *text = "no objectClass attribute";
198 return LDAP_OBJECT_CLASS_VIOLATION;
201 assert( aoc->a_vals != NULL );
202 assert( aoc->a_vals[0].bv_val != NULL );
204 rc = structural_class( aoc->a_vals, &nsc, &oc, text, textbuf, textlen );
205 if( rc != LDAP_SUCCESS ) {
212 snprintf( textbuf, textlen,
213 "unrecognized objectClass '%s'",
214 aoc->a_vals[0].bv_val );
215 return LDAP_OBJECT_CLASS_VIOLATION;
218 } else if ( sc != slap_schema.si_oc_glue && sc != oc ) {
220 } else if ( sc != oc ) {
222 snprintf( textbuf, textlen,
223 "structural object class modification "
224 "from '%s' to '%s' not allowed",
225 asc->a_vals[0].bv_val, nsc.bv_val );
226 return LDAP_NO_OBJECT_CLASS_MODS;
229 else if ( sc == slap_schema.si_oc_glue ) {
236 if ( !is_entry_objectclass ( e, slap_schema.si_oc_glue, 0 ) ) {
237 rc = entry_naming_check( e, text, textbuf, textlen );
238 if( rc != LDAP_SUCCESS ) {
245 rc = entry_naming_check( e, text, textbuf, textlen );
246 if( rc != LDAP_SUCCESS ) {
251 #ifdef SLAP_EXTENDED_SCHEMA
252 /* find the content rule for the structural class */
253 cr = cr_find( sc->soc_oid );
255 /* the cr must be same as the structural class */
256 assert( !cr || !strcmp( cr->scr_oid, sc->soc_oid ) );
258 /* check that the entry has required attrs of the content rule */
260 if( cr->scr_obsolete ) {
261 snprintf( textbuf, textlen,
262 "content rule '%s' is obsolete",
263 ldap_contentrule2name( &cr->scr_crule ));
266 LDAP_LOG( OPERATION, INFO,
267 "entry_schema_check: dn=\"%s\" %s", e->e_dn, textbuf, 0 );
269 Debug( LDAP_DEBUG_ANY,
271 e->e_dn, textbuf, 0 );
274 return LDAP_OBJECT_CLASS_VIOLATION;
277 if( cr->scr_required ) for( i=0; cr->scr_required[i]; i++ ) {
278 at = cr->scr_required[i];
280 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
281 if( a->a_desc->ad_type == at ) {
286 /* not there => schema violation */
288 snprintf( textbuf, textlen,
289 "content rule '%s' requires attribute '%s'",
290 ldap_contentrule2name( &cr->scr_crule ),
291 at->sat_cname.bv_val );
294 LDAP_LOG( OPERATION, INFO,
295 "entry_schema_check: dn=\"%s\" %s", e->e_dn, textbuf, 0 );
297 Debug( LDAP_DEBUG_ANY,
299 e->e_dn, textbuf, 0 );
302 return LDAP_OBJECT_CLASS_VIOLATION;
306 if( cr->scr_precluded ) for( i=0; cr->scr_precluded[i]; i++ ) {
307 at = cr->scr_precluded[i];
309 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
310 if( a->a_desc->ad_type == at ) {
315 /* there => schema violation */
317 snprintf( textbuf, textlen,
318 "content rule '%s' precluded attribute '%s'",
319 ldap_contentrule2name( &cr->scr_crule ),
320 at->sat_cname.bv_val );
323 LDAP_LOG( OPERATION, INFO,
324 "entry_schema_check: dn=\"%s\" %s", e->e_dn, textbuf, 0 );
326 Debug( LDAP_DEBUG_ANY,
328 e->e_dn, textbuf, 0 );
331 return LDAP_OBJECT_CLASS_VIOLATION;
335 #endif /* SLAP_EXTENDED_SCHEMA */
337 /* check that the entry has required attrs for each oc */
338 for ( i = 0; aoc->a_vals[i].bv_val != NULL; i++ ) {
339 if ( (oc = oc_bvfind( &aoc->a_vals[i] )) == NULL ) {
340 snprintf( textbuf, textlen,
341 "unrecognized objectClass '%s'",
342 aoc->a_vals[i].bv_val );
345 LDAP_LOG( OPERATION, INFO,
346 "entry_schema_check: dn (%s), %s\n", e->e_dn, textbuf, 0 );
348 Debug( LDAP_DEBUG_ANY,
349 "entry_check_schema(%s): %s\n",
350 e->e_dn, textbuf, 0 );
353 return LDAP_OBJECT_CLASS_VIOLATION;
356 if ( oc->soc_obsolete ) {
357 /* disallow obsolete classes */
358 snprintf( textbuf, textlen,
359 "objectClass '%s' is OBSOLETE",
360 aoc->a_vals[i].bv_val );
363 LDAP_LOG( OPERATION, INFO,
364 "entry_schema_check: dn (%s), %s\n", e->e_dn, textbuf, 0 );
366 Debug( LDAP_DEBUG_ANY,
367 "entry_check_schema(%s): %s\n",
368 e->e_dn, textbuf, 0 );
371 return LDAP_OBJECT_CLASS_VIOLATION;
374 if ( oc->soc_check ) {
375 int rc = (oc->soc_check)( be, e, oc,
376 text, textbuf, textlen );
377 if( rc != LDAP_SUCCESS ) {
382 if ( oc->soc_kind == LDAP_SCHEMA_ABSTRACT ) {
383 /* object class is abstract */
384 if ( oc != slap_schema.si_oc_top &&
385 !is_object_subclass( oc, sc ))
388 ObjectClass *xc = NULL;
389 for( j=0; aoc->a_vals[j].bv_val; j++ ) {
391 xc = oc_bvfind( &aoc->a_vals[i] );
393 snprintf( textbuf, textlen,
394 "unrecognized objectClass '%s'",
395 aoc->a_vals[i].bv_val );
398 LDAP_LOG( OPERATION, INFO,
399 "entry_schema_check: dn (%s), %s\n",
400 e->e_dn, textbuf, 0 );
402 Debug( LDAP_DEBUG_ANY,
403 "entry_check_schema(%s): %s\n",
404 e->e_dn, textbuf, 0 );
407 return LDAP_OBJECT_CLASS_VIOLATION;
410 /* since we previous check against the
411 * structural object of this entry, the
412 * abstract class must be a (direct or indirect)
413 * superclass of one of the auxiliary classes of
416 if ( xc->soc_kind == LDAP_SCHEMA_AUXILIARY &&
417 is_object_subclass( oc, xc ) )
426 snprintf( textbuf, textlen, "instanstantiation of "
427 "abstract objectClass '%s' not allowed",
428 aoc->a_vals[i].bv_val );
431 LDAP_LOG( OPERATION, INFO,
432 "entry_schema_check: dn (%s), %s\n",
433 e->e_dn, textbuf, 0 );
435 Debug( LDAP_DEBUG_ANY,
436 "entry_check_schema(%s): %s\n",
437 e->e_dn, textbuf, 0 );
440 return LDAP_OBJECT_CLASS_VIOLATION;
444 } else if ( oc->soc_kind != LDAP_SCHEMA_STRUCTURAL || oc == sc ) {
447 #ifdef SLAP_EXTENDED_SCHEMA
448 if( oc->soc_kind == LDAP_SCHEMA_AUXILIARY ) {
455 if( cr->scr_auxiliaries ) {
456 for( j = 0; cr->scr_auxiliaries[j]; j++ ) {
457 if( cr->scr_auxiliaries[j] == oc ) {
463 } else if ( global_disallows & SLAP_DISALLOW_AUX_WO_CR ) {
470 snprintf( textbuf, textlen,
471 "content rule '%s' does not allow class '%s'",
472 ldap_contentrule2name( &cr->scr_crule ),
473 oc->soc_cname.bv_val );
476 LDAP_LOG( OPERATION, INFO,
477 "entry_schema_check: dn=\"%s\" %s",
478 e->e_dn, textbuf, 0 );
480 Debug( LDAP_DEBUG_ANY,
482 e->e_dn, textbuf, 0 );
485 return LDAP_OBJECT_CLASS_VIOLATION;
488 #endif /* SLAP_EXTENDED_SCHEMA */
490 s = oc_check_required( e, oc, &aoc->a_vals[i] );
492 snprintf( textbuf, textlen,
493 "object class '%s' requires attribute '%s'",
494 aoc->a_vals[i].bv_val, s );
497 LDAP_LOG( OPERATION, INFO,
498 "entry_schema_check: dn=\"%s\" %s", e->e_dn, textbuf, 0 );
500 Debug( LDAP_DEBUG_ANY,
502 e->e_dn, textbuf, 0 );
505 return LDAP_OBJECT_CLASS_VIOLATION;
508 if( oc == slap_schema.si_oc_extensibleObject ) {
518 /* check that each attr in the entry is allowed by some oc */
519 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
522 #ifdef SLAP_EXTENDED_SCHEMA
523 ret = LDAP_OBJECT_CLASS_VIOLATION;
525 if( cr && cr->scr_required ) {
526 for( i=0; cr->scr_required[i]; i++ ) {
527 if( cr->scr_required[i] == a->a_desc->ad_type ) {
534 if( ret != LDAP_SUCCESS && cr && cr->scr_allowed ) {
535 for( i=0; cr->scr_allowed[i]; i++ ) {
536 if( cr->scr_allowed[i] == a->a_desc->ad_type ) {
543 if( ret != LDAP_SUCCESS )
544 #endif /* SLAP_EXTENDED_SCHEMA */
546 ret = oc_check_allowed( a->a_desc->ad_type, aoc->a_vals, sc );
549 if ( ret != LDAP_SUCCESS ) {
550 char *type = a->a_desc->ad_cname.bv_val;
552 snprintf( textbuf, textlen,
553 "attribute '%s' not allowed",
557 LDAP_LOG( OPERATION, INFO,
558 "entry_schema_check: dn=\"%s\" %s\n", e->e_dn, textbuf, 0);
560 Debug( LDAP_DEBUG_ANY,
562 e->e_dn, textbuf, 0 );
576 struct berval *ocname )
583 LDAP_LOG( OPERATION, ENTRY,
584 "oc_check_required: dn (%s), objectClass \"%s\"\n",
585 e->e_dn, ocname->bv_val, 0 );
587 Debug( LDAP_DEBUG_TRACE,
588 "oc_check_required entry (%s), objectClass \"%s\"\n",
589 e->e_dn, ocname->bv_val, 0 );
593 /* check for empty oc_required */
594 if(oc->soc_required == NULL) {
598 /* for each required attribute */
599 for ( i = 0; oc->soc_required[i] != NULL; i++ ) {
600 at = oc->soc_required[i];
601 /* see if it's in the entry */
602 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
603 if( a->a_desc->ad_type == at ) {
607 /* not there => schema violation */
609 return at->sat_cname.bv_val;
616 int oc_check_allowed(
624 LDAP_LOG( OPERATION, ENTRY,
625 "oc_check_allowed: type \"%s\"\n", at->sat_cname.bv_val, 0, 0 );
627 Debug( LDAP_DEBUG_TRACE,
628 "oc_check_allowed type \"%s\"\n",
629 at->sat_cname.bv_val, 0, 0 );
632 /* always allow objectClass attribute */
633 if ( strcasecmp( at->sat_cname.bv_val, "objectClass" ) == 0 ) {
638 * All operational attributions are allowed by schema rules.
640 if( is_at_operational(at) ) {
644 /* check to see if its allowed by the structuralObjectClass */
646 /* does it require the type? */
647 for ( j = 0; sc->soc_required != NULL &&
648 sc->soc_required[j] != NULL; j++ )
650 if( at == sc->soc_required[j] ) {
655 /* does it allow the type? */
656 for ( j = 0; sc->soc_allowed != NULL &&
657 sc->soc_allowed[j] != NULL; j++ )
659 if( at == sc->soc_allowed[j] ) {
665 /* check that the type appears as req or opt in at least one oc */
666 for ( i = 0; ocl[i].bv_val != NULL; i++ ) {
667 /* if we know about the oc */
668 ObjectClass *oc = oc_bvfind( &ocl[i] );
669 if ( oc != NULL && oc->soc_kind != LDAP_SCHEMA_ABSTRACT &&
670 ( sc == NULL || oc->soc_kind == LDAP_SCHEMA_AUXILIARY ))
672 /* does it require the type? */
673 for ( j = 0; oc->soc_required != NULL &&
674 oc->soc_required[j] != NULL; j++ )
676 if( at == oc->soc_required[j] ) {
680 /* does it allow the type? */
681 for ( j = 0; oc->soc_allowed != NULL &&
682 oc->soc_allowed[j] != NULL; j++ )
684 if( at == oc->soc_allowed[j] ) {
691 /* not allowed by any oc */
692 return LDAP_OBJECT_CLASS_VIOLATION;
696 * Determine the structural object class from a set of OIDs
698 int structural_class(
703 char *textbuf, size_t textlen )
707 ObjectClass *sc = NULL;
710 *text = "structural_class: internal error";
713 for( i=0; ocs[i].bv_val; i++ ) {
714 oc = oc_bvfind( &ocs[i] );
717 snprintf( textbuf, textlen,
718 "unrecognized objectClass '%s'",
721 return LDAP_OBJECT_CLASS_VIOLATION;
724 if( oc->soc_kind == LDAP_SCHEMA_STRUCTURAL ) {
725 if( sc == NULL || is_object_subclass( sc, oc ) ) {
729 } else if ( !is_object_subclass( oc, sc ) ) {
731 ObjectClass *xc = NULL;
733 /* find common superior */
734 for( j=i+1; ocs[j].bv_val; j++ ) {
735 xc = oc_bvfind( &ocs[j] );
738 snprintf( textbuf, textlen,
739 "unrecognized objectClass '%s'",
742 return LDAP_OBJECT_CLASS_VIOLATION;
745 if( xc->soc_kind != LDAP_SCHEMA_STRUCTURAL ) {
750 if( is_object_subclass( sc, xc ) &&
751 is_object_subclass( oc, xc ) )
753 /* found common subclass */
761 /* no common subclass */
762 snprintf( textbuf, textlen,
763 "invalid structural object class chain (%s/%s)",
764 ocs[scn].bv_val, ocs[i].bv_val );
766 return LDAP_OBJECT_CLASS_VIOLATION;
777 *text = "no structural object class provided";
778 return LDAP_OBJECT_CLASS_VIOLATION;
782 *text = "invalid structural object class";
783 return LDAP_OBJECT_CLASS_VIOLATION;
788 if( scbv->bv_len == 0 ) {
789 *text = "invalid structural object class";
790 return LDAP_OBJECT_CLASS_VIOLATION;
797 * Return structural object class from list of modifications
799 int mods_structural_class(
803 char *textbuf, size_t textlen )
805 Modifications *ocmod = NULL;
807 for( ; mods != NULL; mods = mods->sml_next ) {
808 if( mods->sml_desc == slap_schema.si_ad_objectClass ) {
809 if( ocmod != NULL ) {
810 *text = "entry has multiple objectClass attributes";
811 return LDAP_OBJECT_CLASS_VIOLATION;
817 if( ocmod == NULL ) {
818 *text = "entry has no objectClass attribute";
819 return LDAP_OBJECT_CLASS_VIOLATION;
822 if( ocmod->sml_bvalues == NULL || ocmod->sml_bvalues[0].bv_val == NULL ) {
823 *text = "objectClass attribute has no values";
824 return LDAP_OBJECT_CLASS_VIOLATION;
827 return structural_class( ocmod->sml_bvalues, sc, NULL,
828 text, textbuf, textlen );
836 char *textbuf, size_t textlen )
840 const char *p = NULL;
842 int rc = LDAP_SUCCESS;
845 * Get attribute type(s) and attribute value(s) of our RDN
847 if ( ldap_bv2rdn( &e->e_name, &rdn, (char **)&p,
848 LDAP_DN_FORMAT_LDAP ) )
850 *text = "unrecongized attribute type(s) in RDN";
851 return LDAP_INVALID_DN_SYNTAX;
854 /* Check that each AVA of the RDN is present in the entry */
855 /* FIXME: Should also check that each AVA lists a distinct type */
856 for ( cnt = 0; rdn[cnt]; cnt++ ) {
857 LDAPAVA *ava = rdn[cnt];
858 AttributeDescription *desc = NULL;
862 rc = slap_bv2ad( &ava->la_attr, &desc, &errtext );
863 if ( rc != LDAP_SUCCESS ) {
864 snprintf( textbuf, textlen, "%s (in RDN)", errtext );
868 /* find the naming attribute */
869 attr = attr_find( e->e_attrs, desc );
870 if ( attr == NULL ) {
871 snprintf( textbuf, textlen,
872 "naming attribute '%s' is not present in entry",
873 ava->la_attr.bv_val );
874 rc = LDAP_NAMING_VIOLATION;
878 if( ava->la_flags & LDAP_AVA_BINARY ) {
879 snprintf( textbuf, textlen,
880 "value of naming attribute '%s' in unsupported BER form",
881 ava->la_attr.bv_val );
882 rc = LDAP_NAMING_VIOLATION;
885 if ( value_find_ex( desc,
886 SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH,
888 &ava->la_value, NULL ) != 0 )
890 snprintf( textbuf, textlen,
891 "value of naming attribute '%s' is not present in entry",
892 ava->la_attr.bv_val );
893 rc = LDAP_NAMING_VIOLATION;
projects / openldap / blob