1 /* schema_check.c - routines to enforce schema definitions */
4 * Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved.
5 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
13 #include <ac/string.h>
14 #include <ac/socket.h>
19 static char * oc_check_required(
22 struct berval *ocname );
24 static int entry_naming_check(
27 char *textbuf, size_t textlen );
29 * entry_schema_check - check that entry e conforms to the schema required
30 * by its object class(es).
32 * returns 0 if so, non-zero otherwise.
41 char *textbuf, size_t textlen )
43 Attribute *a, *asc, *aoc;
49 AttributeDescription *ad_structuralObjectClass
50 = slap_schema.si_ad_structuralObjectClass;
51 AttributeDescription *ad_objectClass
52 = slap_schema.si_ad_objectClass;
54 int subentry = is_entry_subentry( e );
55 int collectiveSubentry = 0;
57 if ( SLAP_NO_SCHEMA_CHECK( be )) {
62 collectiveSubentry = is_entry_collectiveAttributeSubentry( e );
67 /* misc attribute checks */
68 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
69 const char *type = a->a_desc->ad_cname.bv_val;
71 /* there should be at least one value */
73 assert( a->a_vals[0].bv_val != NULL );
75 if( a->a_desc->ad_type->sat_check ) {
76 int rc = (a->a_desc->ad_type->sat_check)(
77 be, e, a, text, textbuf, textlen );
78 if( rc != LDAP_SUCCESS ) {
83 if( !collectiveSubentry && is_at_collective( a->a_desc->ad_type ) ) {
84 snprintf( textbuf, textlen,
85 "'%s' can only appear in collectiveAttributeSubentry",
87 return LDAP_OBJECT_CLASS_VIOLATION;
90 /* if single value type, check for multiple values */
91 if( is_at_single_value( a->a_desc->ad_type ) &&
92 a->a_vals[1].bv_val != NULL )
94 snprintf( textbuf, textlen,
95 "attribute '%s' cannot have multiple values",
99 LDAP_LOG( OPERATION, INFO,
100 "entry_schema_check: dn=\"%s\" %s\n", e->e_dn, textbuf, 0 );
102 Debug( LDAP_DEBUG_ANY,
104 e->e_dn, textbuf, 0 );
107 return LDAP_CONSTRAINT_VIOLATION;
111 /* it's a REALLY bad idea to disable schema checks */
112 if( !global_schemacheck ) return LDAP_SUCCESS;
114 /* find the structural object class attribute */
115 asc = attr_find( e->e_attrs, ad_structuralObjectClass );
118 LDAP_LOG( OPERATION, INFO,
119 "entry_schema_check: No structuralObjectClass for entry (%s)\n",
122 Debug( LDAP_DEBUG_ANY,
123 "No structuralObjectClass for entry (%s)\n",
127 *text = "no structuralObjectClass operational attribute";
131 assert( asc->a_vals != NULL );
132 assert( asc->a_vals[0].bv_val != NULL );
133 assert( asc->a_vals[1].bv_val == NULL );
135 sc = oc_bvfind( &asc->a_vals[0] );
137 snprintf( textbuf, textlen,
138 "unrecognized structuralObjectClass '%s'",
139 asc->a_vals[0].bv_val );
142 LDAP_LOG( OPERATION, INFO,
143 "entry_schema_check: dn (%s), %s\n", e->e_dn, textbuf, 0 );
145 Debug( LDAP_DEBUG_ANY,
146 "entry_check_schema(%s): %s\n",
147 e->e_dn, textbuf, 0 );
150 return LDAP_OBJECT_CLASS_VIOLATION;
153 if( sc->soc_kind != LDAP_SCHEMA_STRUCTURAL ) {
154 snprintf( textbuf, textlen,
155 "structuralObjectClass '%s' is not STRUCTURAL",
156 asc->a_vals[0].bv_val );
159 LDAP_LOG( OPERATION, INFO,
160 "entry_schema_check: dn (%s), %s\n", e->e_dn, textbuf, 0 );
162 Debug( LDAP_DEBUG_ANY,
163 "entry_check_schema(%s): %s\n",
164 e->e_dn, textbuf, 0 );
170 if( sc->soc_obsolete ) {
171 snprintf( textbuf, textlen,
172 "structuralObjectClass '%s' is OBSOLETE",
173 asc->a_vals[0].bv_val );
176 LDAP_LOG( OPERATION, INFO,
177 "entry_schema_check: dn (%s), %s\n", e->e_dn, textbuf, 0 );
179 Debug( LDAP_DEBUG_ANY,
180 "entry_check_schema(%s): %s\n",
181 e->e_dn, textbuf, 0 );
184 return LDAP_OBJECT_CLASS_VIOLATION;
187 /* find the object class attribute */
188 aoc = attr_find( e->e_attrs, ad_objectClass );
191 LDAP_LOG( OPERATION, INFO,
192 "entry_schema_check: No objectClass for entry (%s).\n",
195 Debug( LDAP_DEBUG_ANY, "No objectClass for entry (%s)\n",
199 *text = "no objectClass attribute";
200 return LDAP_OBJECT_CLASS_VIOLATION;
203 assert( aoc->a_vals != NULL );
204 assert( aoc->a_vals[0].bv_val != NULL );
206 rc = structural_class( aoc->a_vals, &nsc, &oc, text, textbuf, textlen );
207 if( rc != LDAP_SUCCESS ) {
214 snprintf( textbuf, textlen,
215 "unrecognized objectClass '%s'",
216 aoc->a_vals[0].bv_val );
217 return LDAP_OBJECT_CLASS_VIOLATION;
219 } else if ( sc != slap_schema.si_oc_glue && sc != oc ) {
220 snprintf( textbuf, textlen,
221 "structural object class modification "
222 "from '%s' to '%s' not allowed",
223 asc->a_vals[0].bv_val, nsc.bv_val );
224 return LDAP_NO_OBJECT_CLASS_MODS;
225 } else if ( sc == slap_schema.si_oc_glue ) {
230 if ( !is_entry_objectclass ( e, slap_schema.si_oc_glue, 0 ) ) {
231 rc = entry_naming_check( e, text, textbuf, textlen );
232 if( rc != LDAP_SUCCESS ) {
239 /* find the content rule for the structural class */
240 cr = cr_find( sc->soc_oid );
242 /* the cr must be same as the structural class */
243 assert( !cr || !strcmp( cr->scr_oid, sc->soc_oid ) );
245 /* check that the entry has required attrs of the content rule */
247 if( cr->scr_obsolete ) {
248 snprintf( textbuf, textlen,
249 "content rule '%s' is obsolete",
250 ldap_contentrule2name( &cr->scr_crule ));
253 LDAP_LOG( OPERATION, INFO,
254 "entry_schema_check: dn=\"%s\" %s", e->e_dn, textbuf, 0 );
256 Debug( LDAP_DEBUG_ANY,
258 e->e_dn, textbuf, 0 );
261 return LDAP_OBJECT_CLASS_VIOLATION;
264 if( cr->scr_required ) for( i=0; cr->scr_required[i]; i++ ) {
265 at = cr->scr_required[i];
267 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
268 if( a->a_desc->ad_type == at ) {
273 /* not there => schema violation */
275 snprintf( textbuf, textlen,
276 "content rule '%s' requires attribute '%s'",
277 ldap_contentrule2name( &cr->scr_crule ),
278 at->sat_cname.bv_val );
281 LDAP_LOG( OPERATION, INFO,
282 "entry_schema_check: dn=\"%s\" %s", e->e_dn, textbuf, 0 );
284 Debug( LDAP_DEBUG_ANY,
286 e->e_dn, textbuf, 0 );
289 return LDAP_OBJECT_CLASS_VIOLATION;
293 if( cr->scr_precluded ) for( i=0; cr->scr_precluded[i]; i++ ) {
294 at = cr->scr_precluded[i];
296 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
297 if( a->a_desc->ad_type == at ) {
302 /* there => schema violation */
304 snprintf( textbuf, textlen,
305 "content rule '%s' precluded attribute '%s'",
306 ldap_contentrule2name( &cr->scr_crule ),
307 at->sat_cname.bv_val );
310 LDAP_LOG( OPERATION, INFO,
311 "entry_schema_check: dn=\"%s\" %s", e->e_dn, textbuf, 0 );
313 Debug( LDAP_DEBUG_ANY,
315 e->e_dn, textbuf, 0 );
318 return LDAP_OBJECT_CLASS_VIOLATION;
323 /* check that the entry has required attrs for each oc */
324 for ( i = 0; aoc->a_vals[i].bv_val != NULL; i++ ) {
325 if ( (oc = oc_bvfind( &aoc->a_vals[i] )) == NULL ) {
326 snprintf( textbuf, textlen,
327 "unrecognized objectClass '%s'",
328 aoc->a_vals[i].bv_val );
331 LDAP_LOG( OPERATION, INFO,
332 "entry_schema_check: dn (%s), %s\n", e->e_dn, textbuf, 0 );
334 Debug( LDAP_DEBUG_ANY,
335 "entry_check_schema(%s): %s\n",
336 e->e_dn, textbuf, 0 );
339 return LDAP_OBJECT_CLASS_VIOLATION;
342 if ( oc->soc_obsolete ) {
343 /* disallow obsolete classes */
344 snprintf( textbuf, textlen,
345 "objectClass '%s' is OBSOLETE",
346 aoc->a_vals[i].bv_val );
349 LDAP_LOG( OPERATION, INFO,
350 "entry_schema_check: dn (%s), %s\n", e->e_dn, textbuf, 0 );
352 Debug( LDAP_DEBUG_ANY,
353 "entry_check_schema(%s): %s\n",
354 e->e_dn, textbuf, 0 );
357 return LDAP_OBJECT_CLASS_VIOLATION;
360 if ( oc->soc_check ) {
361 int rc = (oc->soc_check)( be, e, oc,
362 text, textbuf, textlen );
363 if( rc != LDAP_SUCCESS ) {
368 if ( oc->soc_kind == LDAP_SCHEMA_ABSTRACT ) {
369 /* object class is abstract */
370 if ( oc != slap_schema.si_oc_top &&
371 !is_object_subclass( oc, sc ))
374 ObjectClass *xc = NULL;
375 for( j=0; aoc->a_vals[j].bv_val; j++ ) {
377 xc = oc_bvfind( &aoc->a_vals[i] );
379 snprintf( textbuf, textlen,
380 "unrecognized objectClass '%s'",
381 aoc->a_vals[i].bv_val );
384 LDAP_LOG( OPERATION, INFO,
385 "entry_schema_check: dn (%s), %s\n",
386 e->e_dn, textbuf, 0 );
388 Debug( LDAP_DEBUG_ANY,
389 "entry_check_schema(%s): %s\n",
390 e->e_dn, textbuf, 0 );
393 return LDAP_OBJECT_CLASS_VIOLATION;
396 /* since we previous check against the
397 * structural object of this entry, the
398 * abstract class must be a (direct or indirect)
399 * superclass of one of the auxiliary classes of
402 if ( xc->soc_kind == LDAP_SCHEMA_AUXILIARY &&
403 is_object_subclass( oc, xc ) )
412 snprintf( textbuf, textlen, "instanstantiation of "
413 "abstract objectClass '%s' not allowed",
414 aoc->a_vals[i].bv_val );
417 LDAP_LOG( OPERATION, INFO,
418 "entry_schema_check: dn (%s), %s\n",
419 e->e_dn, textbuf, 0 );
421 Debug( LDAP_DEBUG_ANY,
422 "entry_check_schema(%s): %s\n",
423 e->e_dn, textbuf, 0 );
426 return LDAP_OBJECT_CLASS_VIOLATION;
430 } else if ( oc->soc_kind != LDAP_SCHEMA_STRUCTURAL || oc == sc ) {
433 if( oc->soc_kind == LDAP_SCHEMA_AUXILIARY ) {
440 if( cr->scr_auxiliaries ) {
441 for( j = 0; cr->scr_auxiliaries[j]; j++ ) {
442 if( cr->scr_auxiliaries[j] == oc ) {
448 } else if ( global_disallows & SLAP_DISALLOW_AUX_WO_CR ) {
455 snprintf( textbuf, textlen,
456 "content rule '%s' does not allow class '%s'",
457 ldap_contentrule2name( &cr->scr_crule ),
458 oc->soc_cname.bv_val );
461 LDAP_LOG( OPERATION, INFO,
462 "entry_schema_check: dn=\"%s\" %s",
463 e->e_dn, textbuf, 0 );
465 Debug( LDAP_DEBUG_ANY,
467 e->e_dn, textbuf, 0 );
470 return LDAP_OBJECT_CLASS_VIOLATION;
474 s = oc_check_required( e, oc, &aoc->a_vals[i] );
476 snprintf( textbuf, textlen,
477 "object class '%s' requires attribute '%s'",
478 aoc->a_vals[i].bv_val, s );
481 LDAP_LOG( OPERATION, INFO,
482 "entry_schema_check: dn=\"%s\" %s", e->e_dn, textbuf, 0 );
484 Debug( LDAP_DEBUG_ANY,
486 e->e_dn, textbuf, 0 );
489 return LDAP_OBJECT_CLASS_VIOLATION;
492 if( oc == slap_schema.si_oc_extensibleObject ) {
502 /* check that each attr in the entry is allowed by some oc */
503 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
506 ret = LDAP_OBJECT_CLASS_VIOLATION;
508 if( cr && cr->scr_required ) {
509 for( i=0; cr->scr_required[i]; i++ ) {
510 if( cr->scr_required[i] == a->a_desc->ad_type ) {
517 if( ret != LDAP_SUCCESS && cr && cr->scr_allowed ) {
518 for( i=0; cr->scr_allowed[i]; i++ ) {
519 if( cr->scr_allowed[i] == a->a_desc->ad_type ) {
526 if( ret != LDAP_SUCCESS )
528 ret = oc_check_allowed( a->a_desc->ad_type, aoc->a_vals, sc );
531 if ( ret != LDAP_SUCCESS ) {
532 char *type = a->a_desc->ad_cname.bv_val;
534 snprintf( textbuf, textlen,
535 "attribute '%s' not allowed",
539 LDAP_LOG( OPERATION, INFO,
540 "entry_schema_check: dn=\"%s\" %s\n", e->e_dn, textbuf, 0);
542 Debug( LDAP_DEBUG_ANY,
544 e->e_dn, textbuf, 0 );
558 struct berval *ocname )
565 LDAP_LOG( OPERATION, ENTRY,
566 "oc_check_required: dn (%s), objectClass \"%s\"\n",
567 e->e_dn, ocname->bv_val, 0 );
569 Debug( LDAP_DEBUG_TRACE,
570 "oc_check_required entry (%s), objectClass \"%s\"\n",
571 e->e_dn, ocname->bv_val, 0 );
575 /* check for empty oc_required */
576 if(oc->soc_required == NULL) {
580 /* for each required attribute */
581 for ( i = 0; oc->soc_required[i] != NULL; i++ ) {
582 at = oc->soc_required[i];
583 /* see if it's in the entry */
584 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
585 if( a->a_desc->ad_type == at ) {
589 /* not there => schema violation */
591 return at->sat_cname.bv_val;
598 int oc_check_allowed(
606 LDAP_LOG( OPERATION, ENTRY,
607 "oc_check_allowed: type \"%s\"\n", at->sat_cname.bv_val, 0, 0 );
609 Debug( LDAP_DEBUG_TRACE,
610 "oc_check_allowed type \"%s\"\n",
611 at->sat_cname.bv_val, 0, 0 );
614 /* always allow objectClass attribute */
615 if ( strcasecmp( at->sat_cname.bv_val, "objectClass" ) == 0 ) {
620 * All operational attributions are allowed by schema rules.
622 if( is_at_operational(at) ) {
626 /* check to see if its allowed by the structuralObjectClass */
628 /* does it require the type? */
629 for ( j = 0; sc->soc_required != NULL &&
630 sc->soc_required[j] != NULL; j++ )
632 if( at == sc->soc_required[j] ) {
637 /* does it allow the type? */
638 for ( j = 0; sc->soc_allowed != NULL &&
639 sc->soc_allowed[j] != NULL; j++ )
641 if( at == sc->soc_allowed[j] ) {
647 /* check that the type appears as req or opt in at least one oc */
648 for ( i = 0; ocl[i].bv_val != NULL; i++ ) {
649 /* if we know about the oc */
650 ObjectClass *oc = oc_bvfind( &ocl[i] );
651 if ( oc != NULL && oc->soc_kind != LDAP_SCHEMA_ABSTRACT &&
652 ( sc == NULL || oc->soc_kind == LDAP_SCHEMA_AUXILIARY ))
654 /* does it require the type? */
655 for ( j = 0; oc->soc_required != NULL &&
656 oc->soc_required[j] != NULL; j++ )
658 if( at == oc->soc_required[j] ) {
662 /* does it allow the type? */
663 for ( j = 0; oc->soc_allowed != NULL &&
664 oc->soc_allowed[j] != NULL; j++ )
666 if( at == oc->soc_allowed[j] ) {
673 /* not allowed by any oc */
674 return LDAP_OBJECT_CLASS_VIOLATION;
678 * Determine the structural object class from a set of OIDs
680 int structural_class(
685 char *textbuf, size_t textlen )
689 ObjectClass *sc = NULL;
692 *text = "structural_class: internal error";
695 for( i=0; ocs[i].bv_val; i++ ) {
696 oc = oc_bvfind( &ocs[i] );
699 snprintf( textbuf, textlen,
700 "unrecognized objectClass '%s'",
703 return LDAP_OBJECT_CLASS_VIOLATION;
706 if( oc->soc_kind == LDAP_SCHEMA_STRUCTURAL ) {
707 if( sc == NULL || is_object_subclass( sc, oc ) ) {
711 } else if ( !is_object_subclass( oc, sc ) ) {
713 ObjectClass *xc = NULL;
715 /* find common superior */
716 for( j=i+1; ocs[j].bv_val; j++ ) {
717 xc = oc_bvfind( &ocs[j] );
720 snprintf( textbuf, textlen,
721 "unrecognized objectClass '%s'",
724 return LDAP_OBJECT_CLASS_VIOLATION;
727 if( xc->soc_kind != LDAP_SCHEMA_STRUCTURAL ) {
732 if( is_object_subclass( sc, xc ) &&
733 is_object_subclass( oc, xc ) )
735 /* found common subclass */
743 /* no common subclass */
744 snprintf( textbuf, textlen,
745 "invalid structural object class chain (%s/%s)",
746 ocs[scn].bv_val, ocs[i].bv_val );
748 return LDAP_OBJECT_CLASS_VIOLATION;
759 *text = "no structural object class provided";
760 return LDAP_OBJECT_CLASS_VIOLATION;
764 *text = "invalid structural object class";
765 return LDAP_OBJECT_CLASS_VIOLATION;
770 if( scbv->bv_len == 0 ) {
771 *text = "invalid structural object class";
772 return LDAP_OBJECT_CLASS_VIOLATION;
779 * Return structural object class from list of modifications
781 int mods_structural_class(
785 char *textbuf, size_t textlen )
787 Modifications *ocmod = NULL;
789 for( ; mods != NULL; mods = mods->sml_next ) {
790 if( mods->sml_desc == slap_schema.si_ad_objectClass ) {
791 if( ocmod != NULL ) {
792 *text = "entry has multiple objectClass attributes";
793 return LDAP_OBJECT_CLASS_VIOLATION;
799 if( ocmod == NULL ) {
800 *text = "entry has no objectClass attribute";
801 return LDAP_OBJECT_CLASS_VIOLATION;
804 if( ocmod->sml_bvalues == NULL || ocmod->sml_bvalues[0].bv_val == NULL ) {
805 *text = "objectClass attribute has no values";
806 return LDAP_OBJECT_CLASS_VIOLATION;
809 return structural_class( ocmod->sml_bvalues, sc, NULL,
810 text, textbuf, textlen );
818 char *textbuf, size_t textlen )
822 const char *p = NULL;
824 int rc = LDAP_SUCCESS;
827 * Get attribute type(s) and attribute value(s) of our RDN
829 if ( ldap_bv2rdn( &e->e_name, &rdn, (char **)&p,
830 LDAP_DN_FORMAT_LDAP ) )
832 *text = "unrecongized attribute type(s) in RDN";
833 return LDAP_INVALID_DN_SYNTAX;
836 /* Check that each AVA of the RDN is present in the entry */
837 /* FIXME: Should also check that each AVA lists a distinct type */
838 for ( cnt = 0; rdn[cnt]; cnt++ ) {
839 LDAPAVA *ava = rdn[cnt];
840 AttributeDescription *desc = NULL;
844 if( ava->la_flags & LDAP_AVA_BINARY ) {
845 snprintf( textbuf, textlen,
846 "value of naming attribute '%s' in unsupported BER form",
847 ava->la_attr.bv_val );
848 rc = LDAP_NAMING_VIOLATION;
851 rc = slap_bv2ad( &ava->la_attr, &desc, &errtext );
852 if ( rc != LDAP_SUCCESS ) {
853 snprintf( textbuf, textlen, "%s (in RDN)", errtext );
857 if( desc->ad_type->sat_usage ) {
858 snprintf( textbuf, textlen,
859 "naming attribute '%s' is operational",
860 ava->la_attr.bv_val );
861 rc = LDAP_NAMING_VIOLATION;
865 if( desc->ad_type->sat_collective ) {
866 snprintf( textbuf, textlen,
867 "naming attribute '%s' is collective",
868 ava->la_attr.bv_val );
869 rc = LDAP_NAMING_VIOLATION;
873 if( desc->ad_type->sat_obsolete ) {
874 snprintf( textbuf, textlen,
875 "naming attribute '%s' is collective",
876 ava->la_attr.bv_val );
877 rc = LDAP_NAMING_VIOLATION;
881 if( !desc->ad_type->sat_equality ) {
882 snprintf( textbuf, textlen,
883 "naming attribute '%s' has no equality matching rule",
884 ava->la_attr.bv_val );
885 rc = LDAP_NAMING_VIOLATION;
889 if( !desc->ad_type->sat_equality->smr_match ) {
890 snprintf( textbuf, textlen,
891 "naming attribute '%s' has unsupported equality matching rule",
892 ava->la_attr.bv_val );
893 rc = LDAP_NAMING_VIOLATION;
897 /* find the naming attribute */
898 attr = attr_find( e->e_attrs, desc );
899 if ( attr == NULL ) {
900 snprintf( textbuf, textlen,
901 "naming attribute '%s' is not present in entry",
902 ava->la_attr.bv_val );
903 rc = LDAP_NAMING_VIOLATION;
907 rc = value_find_ex( desc, SLAP_MR_VALUE_OF_ASSERTION_SYNTAX|
908 SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH,
909 attr->a_nvals, &ava->la_value, NULL );
913 case LDAP_INAPPROPRIATE_MATCHING:
914 snprintf( textbuf, textlen,
915 "inappropriate matching for naming attribute '%s'",
916 ava->la_attr.bv_val );
918 case LDAP_INVALID_SYNTAX:
919 snprintf( textbuf, textlen,
920 "value of naming attribute '%s' is invalid",
921 ava->la_attr.bv_val );
923 case LDAP_NO_SUCH_ATTRIBUTE:
924 snprintf( textbuf, textlen,
925 "value of naming attribute '%s' is not present in entry",
926 ava->la_attr.bv_val );
929 snprintf( textbuf, textlen,
930 "naming attribute '%s' is inappropriate",
931 ava->la_attr.bv_val );
933 rc = LDAP_NAMING_VIOLATION;
projects / openldap / blob