1 /* schema_check.c - routines to enforce schema definitions */
4 * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
5 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
13 #include <ac/string.h>
14 #include <ac/socket.h>
19 static char * oc_check_required(
22 struct berval *ocname );
25 * entry_schema_check - check that entry e conforms to the schema required
26 * by its object class(es).
28 * returns 0 if so, non-zero otherwise.
37 char *textbuf, size_t textlen )
39 Attribute *a, *asc, *aoc;
43 AttributeDescription *ad_structuralObjectClass
44 = slap_schema.si_ad_structuralObjectClass;
45 AttributeDescription *ad_objectClass
46 = slap_schema.si_ad_objectClass;
51 /* misc attribute checks */
52 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
53 /* there should be at least one value */
55 assert( a->a_vals[0].bv_val != NULL );
57 if( a->a_desc->ad_type->sat_check ) {
58 int rc = (a->a_desc->ad_type->sat_check)(
59 e, a, text, textbuf, textlen );
60 if( rc != LDAP_SUCCESS ) {
65 /* if single value type, check for multiple values */
66 if( is_at_single_value( a->a_desc->ad_type ) &&
67 a->a_vals[1].bv_val != NULL )
69 char *type = a->a_desc->ad_cname.bv_val;
71 snprintf( textbuf, textlen,
72 "attribute '%s' cannot have multiple values",
76 LDAP_LOG(( "schema", LDAP_LEVEL_INFO,
77 "entry_schema_check: dn=\"%s\" %s\n",
80 Debug( LDAP_DEBUG_ANY,
82 e->e_dn, textbuf, 0 );
85 return LDAP_CONSTRAINT_VIOLATION;
89 /* it's a REALLY bad idea to disable schema checks */
90 if( !global_schemacheck ) return LDAP_SUCCESS;
92 /* find the object class attribute - could error out here */
93 asc = attr_find( e->e_attrs, ad_structuralObjectClass );
96 LDAP_LOG(( "schema", LDAP_LEVEL_INFO, "entry_schema_check: "
97 "No structuralObjectClass for entry (%s)\n",
100 Debug( LDAP_DEBUG_ANY,
101 "No structuralObjectClass for entry (%s)\n",
105 *text = "no structuralObjectClass operational attribute";
106 return LDAP_OBJECT_CLASS_VIOLATION;
109 assert( asc->a_vals != NULL );
110 assert( asc->a_vals[0].bv_val != NULL );
111 assert( asc->a_vals[1].bv_val == NULL );
113 sc = oc_bvfind( &asc->a_vals[0] );
115 snprintf( textbuf, textlen,
116 "unrecognized structuralObjectClass '%s'",
117 asc->a_vals[0].bv_val );
120 LDAP_LOG(( "schema", LDAP_LEVEL_INFO,
121 "entry_schema_check: dn (%s), %s\n",
124 Debug( LDAP_DEBUG_ANY,
125 "entry_check_schema(%s): %s\n",
126 e->e_dn, textbuf, 0 );
129 return LDAP_OBJECT_CLASS_VIOLATION;
132 if( sc->soc_kind != LDAP_SCHEMA_STRUCTURAL ) {
133 snprintf( textbuf, textlen,
134 "structuralObjectClass '%s' is not STRUCTURAL",
135 asc->a_vals[0].bv_val );
138 LDAP_LOG(( "schema", LDAP_LEVEL_INFO,
139 "entry_schema_check: dn (%s), %s\n",
142 Debug( LDAP_DEBUG_ANY,
143 "entry_check_schema(%s): %s\n",
144 e->e_dn, textbuf, 0 );
147 return LDAP_OBJECT_CLASS_VIOLATION;
150 /* find the object class attribute */
151 aoc = attr_find( e->e_attrs, ad_objectClass );
154 LDAP_LOG(( "schema", LDAP_LEVEL_INFO,
155 "entry_schema_check: No objectClass for entry (%s).\n"
158 Debug( LDAP_DEBUG_ANY, "No objectClass for entry (%s)\n",
162 *text = "no objectClass attribute";
163 return LDAP_OBJECT_CLASS_VIOLATION;
166 assert( aoc->a_vals != NULL );
167 assert( aoc->a_vals[0].bv_val != NULL );
169 rc = structural_class( aoc->a_vals, &nsc, &oc, text, textbuf, textlen );
170 if( rc != LDAP_SUCCESS ) {
172 } else if ( nsc.bv_len == 0 ) {
173 return LDAP_OBJECT_CLASS_VIOLATION;
179 snprintf( textbuf, textlen,
180 "unrecognized objectClass '%s'",
181 aoc->a_vals[0].bv_val );
182 return LDAP_OBJECT_CLASS_VIOLATION;
184 } else if ( sc != oc ) {
185 snprintf( textbuf, textlen,
186 "structuralObjectClass modification from '%s' to '%s' not allowed",
187 asc->a_vals[0].bv_val, nsc.bv_val );
188 return LDAP_NO_OBJECT_CLASS_MODS;
191 /* check that the entry has required attrs for each oc */
192 for ( i = 0; aoc->a_vals[i].bv_val != NULL; i++ ) {
193 if ( (oc = oc_bvfind( &aoc->a_vals[i] )) == NULL ) {
194 snprintf( textbuf, textlen,
195 "unrecognized objectClass '%s'",
196 aoc->a_vals[i].bv_val );
199 LDAP_LOG(( "schema", LDAP_LEVEL_INFO,
200 "entry_schema_check: dn (%s), %s\n",
203 Debug( LDAP_DEBUG_ANY,
204 "entry_check_schema(%s): %s\n",
205 e->e_dn, textbuf, 0 );
208 return LDAP_OBJECT_CLASS_VIOLATION;
211 if ( oc->sco_check ) {
212 int rc = (oc->sco_check)( e, oc,
213 text, textbuf, textlen );
214 if( rc != LDAP_SUCCESS ) {
218 if ( oc->soc_kind == LDAP_SCHEMA_ABSTRACT ) {
219 /* object class is abstract */
220 if ( oc != slap_schema.si_oc_top &&
221 !is_object_subclass( oc, sc ))
224 ObjectClass *xc = NULL;
225 for( j=0; aoc->a_vals[j].bv_val; j++ ) {
227 xc = oc_bvfind( &aoc->a_vals[i] );
229 snprintf( textbuf, textlen,
230 "unrecognized objectClass '%s'",
231 aoc->a_vals[i].bv_val );
234 LDAP_LOG(( "schema", LDAP_LEVEL_INFO,
235 "entry_schema_check: dn (%s), %s\n",
238 Debug( LDAP_DEBUG_ANY,
239 "entry_check_schema(%s): %s\n",
240 e->e_dn, textbuf, 0 );
243 return LDAP_OBJECT_CLASS_VIOLATION;
246 /* since we previous check against the
247 * structural object of this entry, the
248 * abstract class must be a (direct or indirect)
249 * superclass of one of the auxiliary classes of
252 if ( xc->soc_kind == LDAP_SCHEMA_AUXILIARY &&
253 is_object_subclass( oc, xc ) )
263 snprintf( textbuf, textlen, "instanstantiation of "
264 "abstract objectClass '%s' not allowed",
265 aoc->a_vals[i].bv_val );
268 LDAP_LOG(( "schema", LDAP_LEVEL_INFO,
269 "entry_schema_check: dn (%s), %s\n",
272 Debug( LDAP_DEBUG_ANY,
273 "entry_check_schema(%s): %s\n",
274 e->e_dn, textbuf, 0 );
277 return LDAP_OBJECT_CLASS_VIOLATION;
281 } else if ( oc->soc_kind != LDAP_SCHEMA_STRUCTURAL || oc == sc ) {
282 char *s = oc_check_required( e, oc, &aoc->a_vals[i] );
285 snprintf( textbuf, textlen,
286 "object class '%s' requires attribute '%s'",
287 aoc->a_vals[i].bv_val, s );
290 LDAP_LOG(( "schema", LDAP_LEVEL_INFO,
291 "entry_schema_check: dn=\"%s\" %s",
294 Debug( LDAP_DEBUG_ANY,
296 e->e_dn, textbuf, 0 );
299 return LDAP_OBJECT_CLASS_VIOLATION;
302 if( oc == slap_schema.si_oc_extensibleObject ) {
312 /* check that each attr in the entry is allowed by some oc */
313 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
314 int ret = oc_check_allowed( a->a_desc->ad_type, aoc->a_vals, sc );
315 if ( ret != LDAP_SUCCESS ) {
316 char *type = a->a_desc->ad_cname.bv_val;
318 snprintf( textbuf, textlen,
319 "attribute '%s' not allowed",
323 LDAP_LOG(( "schema", LDAP_LEVEL_INFO,
324 "entry_schema_check: dn=\"%s\" %s\n",
327 Debug( LDAP_DEBUG_ANY,
329 e->e_dn, textbuf, 0 );
343 struct berval *ocname )
350 LDAP_LOG(( "schema", LDAP_LEVEL_ENTRY,
351 "oc_check_required: dn (%s), objectClass \"%s\"\n",
352 e->e_dn, ocname->bv_val ));
354 Debug( LDAP_DEBUG_TRACE,
355 "oc_check_required entry (%s), objectClass \"%s\"\n",
356 e->e_dn, ocname->bv_val, 0 );
360 /* check for empty oc_required */
361 if(oc->soc_required == NULL) {
365 /* for each required attribute */
366 for ( i = 0; oc->soc_required[i] != NULL; i++ ) {
367 at = oc->soc_required[i];
368 /* see if it's in the entry */
369 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
370 if( a->a_desc->ad_type == at ) {
374 /* not there => schema violation */
376 return at->sat_cname.bv_val;
383 int oc_check_allowed(
391 LDAP_LOG(( "schema", LDAP_LEVEL_ENTRY,
392 "oc_check_allowed: type \"%s\"\n", at->sat_cname.bv_val ));
394 Debug( LDAP_DEBUG_TRACE,
395 "oc_check_allowed type \"%s\"\n",
396 at->sat_cname.bv_val, 0, 0 );
399 /* always allow objectClass attribute */
400 if ( strcasecmp( at->sat_cname.bv_val, "objectClass" ) == 0 ) {
405 * All operational attributions are allowed by schema rules.
407 if( is_at_operational(at) ) {
411 /* check to see if its allowed by the structuralObjectClass */
413 /* does it require the type? */
414 for ( j = 0; sc->soc_required != NULL &&
415 sc->soc_required[j] != NULL; j++ )
417 if( at == sc->soc_required[j] ) {
422 /* does it allow the type? */
423 for ( j = 0; sc->soc_allowed != NULL &&
424 sc->soc_allowed[j] != NULL; j++ )
426 if( at == sc->soc_allowed[j] ) {
432 /* check that the type appears as req or opt in at least one oc */
433 for ( i = 0; ocl[i].bv_val != NULL; i++ ) {
434 /* if we know about the oc */
435 ObjectClass *oc = oc_bvfind( &ocl[i] );
436 if ( oc != NULL && oc->soc_kind != LDAP_SCHEMA_ABSTRACT &&
437 ( sc == NULL || oc->soc_kind == LDAP_SCHEMA_AUXILIARY ))
439 /* does it require the type? */
440 for ( j = 0; oc->soc_required != NULL &&
441 oc->soc_required[j] != NULL; j++ )
443 if( at == oc->soc_required[j] ) {
447 /* does it allow the type? */
448 for ( j = 0; oc->soc_allowed != NULL &&
449 oc->soc_allowed[j] != NULL; j++ )
451 if( at == oc->soc_allowed[j] ) {
458 /* not allowed by any oc */
459 return LDAP_OBJECT_CLASS_VIOLATION;
463 * Determine the structural object class from a set of OIDs
465 int structural_class(
470 char *textbuf, size_t textlen )
474 ObjectClass *sc = NULL;
477 *text = "structural_class: internal error";
480 for( i=0; ocs[i].bv_val; i++ ) {
481 oc = oc_bvfind( &ocs[i] );
484 snprintf( textbuf, textlen,
485 "unrecongized objectClass '%s'",
488 return LDAP_OBJECT_CLASS_VIOLATION;
491 if( oc->soc_kind == LDAP_SCHEMA_STRUCTURAL ) {
492 if( sc == NULL || is_object_subclass( sc, oc ) ) {
496 } else if ( !is_object_subclass( oc, sc ) ) {
498 ObjectClass *xc = NULL;
500 /* find common superior */
501 for( j=i+1; ocs[j].bv_val; j++ ) {
502 xc = oc_bvfind( &ocs[j] );
505 snprintf( textbuf, textlen,
506 "unrecongized objectClass '%s'",
509 return LDAP_OBJECT_CLASS_VIOLATION;
512 if( xc->soc_kind != LDAP_SCHEMA_STRUCTURAL ) {
517 if( is_object_subclass( sc, xc ) &&
518 is_object_subclass( oc, xc ) )
520 /* found common subclass */
528 /* no common subclass */
529 snprintf( textbuf, textlen,
530 "invalid structural object class chain (%s/%s)",
531 ocs[scn].bv_val, ocs[i].bv_val );
533 return LDAP_OBJECT_CLASS_VIOLATION;
543 *text = "no structural object classes provided";
544 return LDAP_OBJECT_CLASS_VIOLATION;
552 * Return structural object class from list of modifications
554 int mods_structural_class(
558 char *textbuf, size_t textlen )
560 Modifications *ocmod = NULL;
562 for( ; mods != NULL; mods = mods->sml_next ) {
563 if( mods->sml_desc == slap_schema.si_ad_objectClass ) {
564 if( ocmod != NULL ) {
565 *text = "entry has multiple objectClass attributes";
566 return LDAP_OBJECT_CLASS_VIOLATION;
572 if( ocmod == NULL ) {
573 *text = "entry has no objectClass attribute";
574 return LDAP_OBJECT_CLASS_VIOLATION;
577 if( ocmod->sml_bvalues == NULL || ocmod->sml_bvalues[0].bv_val == NULL ) {
578 *text = "objectClass attribute has no values";
579 return LDAP_OBJECT_CLASS_VIOLATION;
582 return structural_class( ocmod->sml_bvalues, sc, NULL,
583 text, textbuf, textlen );
projects / openldap / blob