1 /* schema_check.c - routines to enforce schema definitions */
4 * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
5 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
13 #include <ac/string.h>
14 #include <ac/socket.h>
19 static char * oc_check_required(
22 struct berval *ocname );
25 * entry_schema_check - check that entry e conforms to the schema required
26 * by its object class(es).
28 * returns 0 if so, non-zero otherwise.
37 char *textbuf, size_t textlen )
39 Attribute *a, *asc, *aoc;
41 #ifdef SLAP_EXTENDED_SCHEMA
47 AttributeDescription *ad_structuralObjectClass
48 = slap_schema.si_ad_structuralObjectClass;
49 AttributeDescription *ad_objectClass
50 = slap_schema.si_ad_objectClass;
52 int subentry = is_entry_subentry( e );
53 int collectiveSubentry = 0;
56 collectiveSubentry = is_entry_collectiveAttributeSubentry( e );
61 /* misc attribute checks */
62 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
63 const char *type = a->a_desc->ad_cname.bv_val;
65 /* there should be at least one value */
67 assert( a->a_vals[0].bv_val != NULL );
69 if( a->a_desc->ad_type->sat_check ) {
70 int rc = (a->a_desc->ad_type->sat_check)(
71 be, e, a, text, textbuf, textlen );
72 if( rc != LDAP_SUCCESS ) {
77 if( !collectiveSubentry && is_at_collective( a->a_desc->ad_type ) ) {
78 snprintf( textbuf, textlen,
79 "'%s' can only appear in collectiveAttributeSubentry",
81 return LDAP_OBJECT_CLASS_VIOLATION;
84 /* if single value type, check for multiple values */
85 if( is_at_single_value( a->a_desc->ad_type ) &&
86 a->a_vals[1].bv_val != NULL )
88 snprintf( textbuf, textlen,
89 "attribute '%s' cannot have multiple values",
93 LDAP_LOG( OPERATION, INFO,
94 "entry_schema_check: dn=\"%s\" %s\n", e->e_dn, textbuf, 0 );
96 Debug( LDAP_DEBUG_ANY,
98 e->e_dn, textbuf, 0 );
101 return LDAP_CONSTRAINT_VIOLATION;
105 /* it's a REALLY bad idea to disable schema checks */
106 if( !global_schemacheck ) return LDAP_SUCCESS;
108 /* find the structural object class attribute */
109 asc = attr_find( e->e_attrs, ad_structuralObjectClass );
112 LDAP_LOG( OPERATION, INFO,
113 "entry_schema_check: No structuralObjectClass for entry (%s)\n",
116 Debug( LDAP_DEBUG_ANY,
117 "No structuralObjectClass for entry (%s)\n",
121 *text = "no structuralObjectClass operational attribute";
125 assert( asc->a_vals != NULL );
126 assert( asc->a_vals[0].bv_val != NULL );
127 assert( asc->a_vals[1].bv_val == NULL );
129 sc = oc_bvfind( &asc->a_vals[0] );
131 snprintf( textbuf, textlen,
132 "unrecognized structuralObjectClass '%s'",
133 asc->a_vals[0].bv_val );
136 LDAP_LOG( OPERATION, INFO,
137 "entry_schema_check: dn (%s), %s\n", e->e_dn, textbuf, 0 );
139 Debug( LDAP_DEBUG_ANY,
140 "entry_check_schema(%s): %s\n",
141 e->e_dn, textbuf, 0 );
144 return LDAP_OBJECT_CLASS_VIOLATION;
147 if( sc->soc_kind != LDAP_SCHEMA_STRUCTURAL ) {
148 snprintf( textbuf, textlen,
149 "structuralObjectClass '%s' is not STRUCTURAL",
150 asc->a_vals[0].bv_val );
153 LDAP_LOG( OPERATION, INFO,
154 "entry_schema_check: dn (%s), %s\n", e->e_dn, textbuf, 0 );
156 Debug( LDAP_DEBUG_ANY,
157 "entry_check_schema(%s): %s\n",
158 e->e_dn, textbuf, 0 );
164 /* find the object class attribute */
165 aoc = attr_find( e->e_attrs, ad_objectClass );
168 LDAP_LOG( OPERATION, INFO,
169 "entry_schema_check: No objectClass for entry (%s).\n",
172 Debug( LDAP_DEBUG_ANY, "No objectClass for entry (%s)\n",
176 *text = "no objectClass attribute";
177 return LDAP_OBJECT_CLASS_VIOLATION;
180 assert( aoc->a_vals != NULL );
181 assert( aoc->a_vals[0].bv_val != NULL );
183 rc = structural_class( aoc->a_vals, &nsc, &oc, text, textbuf, textlen );
184 if( rc != LDAP_SUCCESS ) {
191 snprintf( textbuf, textlen,
192 "unrecognized objectClass '%s'",
193 aoc->a_vals[0].bv_val );
194 return LDAP_OBJECT_CLASS_VIOLATION;
196 } else if ( sc != oc ) {
197 snprintf( textbuf, textlen,
198 "structural object class modification from '%s' to '%s' not allowed",
199 asc->a_vals[0].bv_val, nsc.bv_val );
200 return LDAP_NO_OBJECT_CLASS_MODS;
203 #ifdef SLAP_EXTENDED_SCHEMA
204 /* find the content rule for the structural class */
205 cr = cr_find( sc->soc_oid );
207 /* the cr must be same as the structural class */
208 assert( !cr || !strcmp( cr->scr_oid, sc->soc_oid ) );
210 /* check that the entry has required attrs of the content rule */
211 if( cr && cr->scr_required ) {
212 for( i=0; cr->scr_required[i]; i++ ) {
213 at = cr->scr_required[i];
215 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
216 if( a->a_desc->ad_type == at ) {
221 /* not there => schema violation */
223 snprintf( textbuf, textlen,
224 "content rule '%s' requires attribute '%s'",
225 ldap_contentrule2name( &cr->scr_crule ),
226 at->sat_cname.bv_val );
229 LDAP_LOG( OPERATION, INFO,
230 "entry_schema_check: dn=\"%s\" %s", e->e_dn, textbuf, 0 );
232 Debug( LDAP_DEBUG_ANY,
234 e->e_dn, textbuf, 0 );
237 return LDAP_OBJECT_CLASS_VIOLATION;
242 if( cr && cr->scr_precluded ) {
243 for( i=0; cr->scr_precluded[i]; i++ ) {
244 at = cr->scr_precluded[i];
246 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
247 if( a->a_desc->ad_type == at ) {
252 /* there => schema violation */
254 snprintf( textbuf, textlen,
255 "content rule '%s' precluded attribute '%s'",
256 ldap_contentrule2name( &cr->scr_crule ),
257 at->sat_cname.bv_val );
260 LDAP_LOG( OPERATION, INFO,
261 "entry_schema_check: dn=\"%s\" %s", e->e_dn, textbuf, 0 );
263 Debug( LDAP_DEBUG_ANY,
265 e->e_dn, textbuf, 0 );
268 return LDAP_OBJECT_CLASS_VIOLATION;
272 #endif /* SLAP_EXTENDED_SCHEMA */
274 /* check that the entry has required attrs for each oc */
275 for ( i = 0; aoc->a_vals[i].bv_val != NULL; i++ ) {
276 if ( (oc = oc_bvfind( &aoc->a_vals[i] )) == NULL ) {
277 snprintf( textbuf, textlen,
278 "unrecognized objectClass '%s'",
279 aoc->a_vals[i].bv_val );
282 LDAP_LOG( OPERATION, INFO,
283 "entry_schema_check: dn (%s), %s\n", e->e_dn, textbuf, 0 );
285 Debug( LDAP_DEBUG_ANY,
286 "entry_check_schema(%s): %s\n",
287 e->e_dn, textbuf, 0 );
290 return LDAP_OBJECT_CLASS_VIOLATION;
293 if ( oc->soc_check ) {
294 int rc = (oc->soc_check)( be, e, oc,
295 text, textbuf, textlen );
296 if( rc != LDAP_SUCCESS ) {
301 if ( oc->soc_kind == LDAP_SCHEMA_ABSTRACT ) {
302 /* object class is abstract */
303 if ( oc != slap_schema.si_oc_top &&
304 !is_object_subclass( oc, sc ))
307 ObjectClass *xc = NULL;
308 for( j=0; aoc->a_vals[j].bv_val; j++ ) {
310 xc = oc_bvfind( &aoc->a_vals[i] );
312 snprintf( textbuf, textlen,
313 "unrecognized objectClass '%s'",
314 aoc->a_vals[i].bv_val );
317 LDAP_LOG( OPERATION, INFO,
318 "entry_schema_check: dn (%s), %s\n",
319 e->e_dn, textbuf, 0 );
321 Debug( LDAP_DEBUG_ANY,
322 "entry_check_schema(%s): %s\n",
323 e->e_dn, textbuf, 0 );
326 return LDAP_OBJECT_CLASS_VIOLATION;
329 /* since we previous check against the
330 * structural object of this entry, the
331 * abstract class must be a (direct or indirect)
332 * superclass of one of the auxiliary classes of
335 if ( xc->soc_kind == LDAP_SCHEMA_AUXILIARY &&
336 is_object_subclass( oc, xc ) )
345 snprintf( textbuf, textlen, "instanstantiation of "
346 "abstract objectClass '%s' not allowed",
347 aoc->a_vals[i].bv_val );
350 LDAP_LOG( OPERATION, INFO,
351 "entry_schema_check: dn (%s), %s\n",
352 e->e_dn, textbuf, 0 );
354 Debug( LDAP_DEBUG_ANY,
355 "entry_check_schema(%s): %s\n",
356 e->e_dn, textbuf, 0 );
359 return LDAP_OBJECT_CLASS_VIOLATION;
363 } else if ( oc->soc_kind != LDAP_SCHEMA_STRUCTURAL || oc == sc ) {
366 #ifdef SLAP_EXTENDED_SCHEMA
367 if( oc->soc_kind == LDAP_SCHEMA_AUXILIARY ) {
370 if( cr->scr_auxiliaries ) {
371 for( ; cr->scr_auxiliaries[k]; k++ ) {
372 if( cr->scr_auxiliaries[k] == oc ) {
378 } else if ( global_disallows & SLAP_DISALLOW_AUX_WO_CR ) {
383 snprintf( textbuf, textlen,
384 "content rule '%s' does not allow class '%s'",
385 ldap_contentrule2name( &cr->scr_crule ),
386 oc->soc_cname.bv_val );
389 LDAP_LOG( OPERATION, INFO,
390 "entry_schema_check: dn=\"%s\" %s",
391 e->e_dn, textbuf, 0 );
393 Debug( LDAP_DEBUG_ANY,
395 e->e_dn, textbuf, 0 );
398 return LDAP_OBJECT_CLASS_VIOLATION;
401 #endif /* SLAP_EXTENDED_SCHEMA */
403 s = oc_check_required( e, oc, &aoc->a_vals[i] );
405 snprintf( textbuf, textlen,
406 "object class '%s' requires attribute '%s'",
407 aoc->a_vals[i].bv_val, s );
410 LDAP_LOG( OPERATION, INFO,
411 "entry_schema_check: dn=\"%s\" %s", e->e_dn, textbuf, 0 );
413 Debug( LDAP_DEBUG_ANY,
415 e->e_dn, textbuf, 0 );
418 return LDAP_OBJECT_CLASS_VIOLATION;
421 if( oc == slap_schema.si_oc_extensibleObject ) {
431 /* check that each attr in the entry is allowed by some oc */
432 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
435 #ifdef SLAP_EXTENDED_SCHEMA
436 ret = LDAP_OBJECT_CLASS_VIOLATION;
438 if( cr && cr->scr_required ) {
439 for( i=0; cr->scr_required[i]; i++ ) {
440 if( cr->scr_required[i] == a->a_desc->ad_type ) {
447 if( ret != LDAP_SUCCESS && cr && cr->scr_allowed ) {
448 for( i=0; cr->scr_allowed[i]; i++ ) {
449 if( cr->scr_allowed[i] == a->a_desc->ad_type ) {
456 if( ret != LDAP_SUCCESS )
457 #endif /* SLAP_EXTENDED_SCHEMA */
459 ret = oc_check_allowed( a->a_desc->ad_type, aoc->a_vals, sc );
462 if ( ret != LDAP_SUCCESS ) {
463 char *type = a->a_desc->ad_cname.bv_val;
465 snprintf( textbuf, textlen,
466 "attribute '%s' not allowed",
470 LDAP_LOG( OPERATION, INFO,
471 "entry_schema_check: dn=\"%s\" %s\n", e->e_dn, textbuf, 0);
473 Debug( LDAP_DEBUG_ANY,
475 e->e_dn, textbuf, 0 );
489 struct berval *ocname )
496 LDAP_LOG( OPERATION, ENTRY,
497 "oc_check_required: dn (%s), objectClass \"%s\"\n",
498 e->e_dn, ocname->bv_val, 0 );
500 Debug( LDAP_DEBUG_TRACE,
501 "oc_check_required entry (%s), objectClass \"%s\"\n",
502 e->e_dn, ocname->bv_val, 0 );
506 /* check for empty oc_required */
507 if(oc->soc_required == NULL) {
511 /* for each required attribute */
512 for ( i = 0; oc->soc_required[i] != NULL; i++ ) {
513 at = oc->soc_required[i];
514 /* see if it's in the entry */
515 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
516 if( a->a_desc->ad_type == at ) {
520 /* not there => schema violation */
522 return at->sat_cname.bv_val;
529 int oc_check_allowed(
537 LDAP_LOG( OPERATION, ENTRY,
538 "oc_check_allowed: type \"%s\"\n", at->sat_cname.bv_val, 0, 0 );
540 Debug( LDAP_DEBUG_TRACE,
541 "oc_check_allowed type \"%s\"\n",
542 at->sat_cname.bv_val, 0, 0 );
545 /* always allow objectClass attribute */
546 if ( strcasecmp( at->sat_cname.bv_val, "objectClass" ) == 0 ) {
551 * All operational attributions are allowed by schema rules.
553 if( is_at_operational(at) ) {
557 /* check to see if its allowed by the structuralObjectClass */
559 /* does it require the type? */
560 for ( j = 0; sc->soc_required != NULL &&
561 sc->soc_required[j] != NULL; j++ )
563 if( at == sc->soc_required[j] ) {
568 /* does it allow the type? */
569 for ( j = 0; sc->soc_allowed != NULL &&
570 sc->soc_allowed[j] != NULL; j++ )
572 if( at == sc->soc_allowed[j] ) {
578 /* check that the type appears as req or opt in at least one oc */
579 for ( i = 0; ocl[i].bv_val != NULL; i++ ) {
580 /* if we know about the oc */
581 ObjectClass *oc = oc_bvfind( &ocl[i] );
582 if ( oc != NULL && oc->soc_kind != LDAP_SCHEMA_ABSTRACT &&
583 ( sc == NULL || oc->soc_kind == LDAP_SCHEMA_AUXILIARY ))
585 /* does it require the type? */
586 for ( j = 0; oc->soc_required != NULL &&
587 oc->soc_required[j] != NULL; j++ )
589 if( at == oc->soc_required[j] ) {
593 /* does it allow the type? */
594 for ( j = 0; oc->soc_allowed != NULL &&
595 oc->soc_allowed[j] != NULL; j++ )
597 if( at == oc->soc_allowed[j] ) {
604 /* not allowed by any oc */
605 return LDAP_OBJECT_CLASS_VIOLATION;
609 * Determine the structural object class from a set of OIDs
611 int structural_class(
616 char *textbuf, size_t textlen )
620 ObjectClass *sc = NULL;
623 *text = "structural_class: internal error";
626 for( i=0; ocs[i].bv_val; i++ ) {
627 oc = oc_bvfind( &ocs[i] );
630 snprintf( textbuf, textlen,
631 "unrecognized objectClass '%s'",
634 return LDAP_OBJECT_CLASS_VIOLATION;
637 if( oc->soc_kind == LDAP_SCHEMA_STRUCTURAL ) {
638 if( sc == NULL || is_object_subclass( sc, oc ) ) {
642 } else if ( !is_object_subclass( oc, sc ) ) {
644 ObjectClass *xc = NULL;
646 /* find common superior */
647 for( j=i+1; ocs[j].bv_val; j++ ) {
648 xc = oc_bvfind( &ocs[j] );
651 snprintf( textbuf, textlen,
652 "unrecognized objectClass '%s'",
655 return LDAP_OBJECT_CLASS_VIOLATION;
658 if( xc->soc_kind != LDAP_SCHEMA_STRUCTURAL ) {
663 if( is_object_subclass( sc, xc ) &&
664 is_object_subclass( oc, xc ) )
666 /* found common subclass */
674 /* no common subclass */
675 snprintf( textbuf, textlen,
676 "invalid structural object class chain (%s/%s)",
677 ocs[scn].bv_val, ocs[i].bv_val );
679 return LDAP_OBJECT_CLASS_VIOLATION;
690 *text = "no structural object classes provided";
691 return LDAP_OBJECT_CLASS_VIOLATION;
695 *text = "invalid structural object class";
696 return LDAP_OBJECT_CLASS_VIOLATION;
701 if( scbv->bv_len == 0 ) {
702 *text = "invalid structural object class";
703 return LDAP_OBJECT_CLASS_VIOLATION;
710 * Return structural object class from list of modifications
712 int mods_structural_class(
716 char *textbuf, size_t textlen )
718 Modifications *ocmod = NULL;
720 for( ; mods != NULL; mods = mods->sml_next ) {
721 if( mods->sml_desc == slap_schema.si_ad_objectClass ) {
722 if( ocmod != NULL ) {
723 *text = "entry has multiple objectClass attributes";
724 return LDAP_OBJECT_CLASS_VIOLATION;
730 if( ocmod == NULL ) {
731 *text = "entry has no objectClass attribute";
732 return LDAP_OBJECT_CLASS_VIOLATION;
735 if( ocmod->sml_bvalues == NULL || ocmod->sml_bvalues[0].bv_val == NULL ) {
736 *text = "objectClass attribute has no values";
737 return LDAP_OBJECT_CLASS_VIOLATION;
740 return structural_class( ocmod->sml_bvalues, sc, NULL,
741 text, textbuf, textlen );