1 /* schema_check.c - routines to enforce schema definitions */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 1998-2005 The OpenLDAP Foundation.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
22 #include <ac/string.h>
23 #include <ac/socket.h>
27 static char * oc_check_required(
30 struct berval *ocname );
32 static int entry_naming_check(
35 char *textbuf, size_t textlen );
37 * entry_schema_check - check that entry e conforms to the schema required
38 * by its object class(es).
40 * returns 0 if so, non-zero otherwise.
49 char *textbuf, size_t textlen )
51 Attribute *a, *asc, *aoc;
57 AttributeDescription *ad_structuralObjectClass
58 = slap_schema.si_ad_structuralObjectClass;
59 AttributeDescription *ad_objectClass
60 = slap_schema.si_ad_objectClass;
62 int subentry = is_entry_subentry( e );
63 int collectiveSubentry = 0;
65 if ( SLAP_NO_SCHEMA_CHECK( be )) {
70 collectiveSubentry = is_entry_collectiveAttributeSubentry( e );
75 /* misc attribute checks */
76 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
77 const char *type = a->a_desc->ad_cname.bv_val;
79 /* there should be at least one value */
81 assert( a->a_vals[0].bv_val != NULL );
83 if( a->a_desc->ad_type->sat_check ) {
84 int rc = (a->a_desc->ad_type->sat_check)(
85 be, e, a, text, textbuf, textlen );
86 if( rc != LDAP_SUCCESS ) {
91 if( !collectiveSubentry && is_at_collective( a->a_desc->ad_type ) ) {
92 snprintf( textbuf, textlen,
93 "'%s' can only appear in collectiveAttributeSubentry",
95 return LDAP_OBJECT_CLASS_VIOLATION;
98 /* if single value type, check for multiple values */
99 if( is_at_single_value( a->a_desc->ad_type ) &&
100 a->a_vals[1].bv_val != NULL )
102 snprintf( textbuf, textlen,
103 "attribute '%s' cannot have multiple values",
106 Debug( LDAP_DEBUG_ANY,
108 e->e_dn, textbuf, 0 );
110 return LDAP_CONSTRAINT_VIOLATION;
114 /* find the structural object class attribute */
115 asc = attr_find( e->e_attrs, ad_structuralObjectClass );
117 Debug( LDAP_DEBUG_ANY,
118 "No structuralObjectClass for entry (%s)\n",
121 *text = "no structuralObjectClass operational attribute";
125 assert( asc->a_vals != NULL );
126 assert( asc->a_vals[0].bv_val != NULL );
127 assert( asc->a_vals[1].bv_val == NULL );
129 sc = oc_bvfind( &asc->a_vals[0] );
131 snprintf( textbuf, textlen,
132 "unrecognized structuralObjectClass '%s'",
133 asc->a_vals[0].bv_val );
135 Debug( LDAP_DEBUG_ANY,
136 "entry_check_schema(%s): %s\n",
137 e->e_dn, textbuf, 0 );
139 return LDAP_OBJECT_CLASS_VIOLATION;
142 if( sc->soc_kind != LDAP_SCHEMA_STRUCTURAL ) {
143 snprintf( textbuf, textlen,
144 "structuralObjectClass '%s' is not STRUCTURAL",
145 asc->a_vals[0].bv_val );
147 Debug( LDAP_DEBUG_ANY,
148 "entry_check_schema(%s): %s\n",
149 e->e_dn, textbuf, 0 );
154 if( sc->soc_obsolete ) {
155 snprintf( textbuf, textlen,
156 "structuralObjectClass '%s' is OBSOLETE",
157 asc->a_vals[0].bv_val );
159 Debug( LDAP_DEBUG_ANY,
160 "entry_check_schema(%s): %s\n",
161 e->e_dn, textbuf, 0 );
163 return LDAP_OBJECT_CLASS_VIOLATION;
166 /* find the object class attribute */
167 aoc = attr_find( e->e_attrs, ad_objectClass );
169 Debug( LDAP_DEBUG_ANY, "No objectClass for entry (%s)\n",
172 *text = "no objectClass attribute";
173 return LDAP_OBJECT_CLASS_VIOLATION;
176 assert( aoc->a_vals != NULL );
177 assert( aoc->a_vals[0].bv_val != NULL );
179 rc = structural_class( aoc->a_vals, &nsc, &oc, text, textbuf, textlen );
180 if( rc != LDAP_SUCCESS ) {
187 snprintf( textbuf, textlen,
188 "unrecognized objectClass '%s'",
189 aoc->a_vals[0].bv_val );
190 return LDAP_OBJECT_CLASS_VIOLATION;
192 } else if ( sc != slap_schema.si_oc_glue && sc != oc ) {
193 snprintf( textbuf, textlen,
194 "structural object class modification "
195 "from '%s' to '%s' not allowed",
196 asc->a_vals[0].bv_val, nsc.bv_val );
197 return LDAP_NO_OBJECT_CLASS_MODS;
198 } else if ( sc == slap_schema.si_oc_glue ) {
203 if ( !is_entry_objectclass ( e, slap_schema.si_oc_glue, 0 ) ) {
204 rc = entry_naming_check( e, text, textbuf, textlen );
205 if( rc != LDAP_SUCCESS ) {
212 /* find the content rule for the structural class */
213 cr = cr_find( sc->soc_oid );
215 /* the cr must be same as the structural class */
216 assert( !cr || !strcmp( cr->scr_oid, sc->soc_oid ) );
218 /* check that the entry has required attrs of the content rule */
220 if( cr->scr_obsolete ) {
221 snprintf( textbuf, textlen,
222 "content rule '%s' is obsolete",
223 ldap_contentrule2name( &cr->scr_crule ));
225 Debug( LDAP_DEBUG_ANY,
227 e->e_dn, textbuf, 0 );
229 return LDAP_OBJECT_CLASS_VIOLATION;
232 if( cr->scr_required ) for( i=0; cr->scr_required[i]; i++ ) {
233 at = cr->scr_required[i];
235 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
236 if( a->a_desc->ad_type == at ) {
241 /* not there => schema violation */
243 snprintf( textbuf, textlen,
244 "content rule '%s' requires attribute '%s'",
245 ldap_contentrule2name( &cr->scr_crule ),
246 at->sat_cname.bv_val );
248 Debug( LDAP_DEBUG_ANY,
250 e->e_dn, textbuf, 0 );
252 return LDAP_OBJECT_CLASS_VIOLATION;
256 if( cr->scr_precluded ) for( i=0; cr->scr_precluded[i]; i++ ) {
257 at = cr->scr_precluded[i];
259 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
260 if( a->a_desc->ad_type == at ) {
265 /* there => schema violation */
267 snprintf( textbuf, textlen,
268 "content rule '%s' precluded attribute '%s'",
269 ldap_contentrule2name( &cr->scr_crule ),
270 at->sat_cname.bv_val );
272 Debug( LDAP_DEBUG_ANY,
274 e->e_dn, textbuf, 0 );
276 return LDAP_OBJECT_CLASS_VIOLATION;
281 /* check that the entry has required attrs for each oc */
282 for ( i = 0; aoc->a_vals[i].bv_val != NULL; i++ ) {
283 if ( (oc = oc_bvfind( &aoc->a_vals[i] )) == NULL ) {
284 snprintf( textbuf, textlen,
285 "unrecognized objectClass '%s'",
286 aoc->a_vals[i].bv_val );
288 Debug( LDAP_DEBUG_ANY,
289 "entry_check_schema(%s): %s\n",
290 e->e_dn, textbuf, 0 );
292 return LDAP_OBJECT_CLASS_VIOLATION;
295 if ( oc->soc_obsolete ) {
296 /* disallow obsolete classes */
297 snprintf( textbuf, textlen,
298 "objectClass '%s' is OBSOLETE",
299 aoc->a_vals[i].bv_val );
301 Debug( LDAP_DEBUG_ANY,
302 "entry_check_schema(%s): %s\n",
303 e->e_dn, textbuf, 0 );
305 return LDAP_OBJECT_CLASS_VIOLATION;
308 if ( oc->soc_check ) {
309 int rc = (oc->soc_check)( be, e, oc,
310 text, textbuf, textlen );
311 if( rc != LDAP_SUCCESS ) {
316 if ( oc->soc_kind == LDAP_SCHEMA_ABSTRACT ) {
317 /* object class is abstract */
318 if ( oc != slap_schema.si_oc_top &&
319 !is_object_subclass( oc, sc ))
322 ObjectClass *xc = NULL;
323 for( j=0; aoc->a_vals[j].bv_val; j++ ) {
325 xc = oc_bvfind( &aoc->a_vals[i] );
327 snprintf( textbuf, textlen,
328 "unrecognized objectClass '%s'",
329 aoc->a_vals[i].bv_val );
331 Debug( LDAP_DEBUG_ANY,
332 "entry_check_schema(%s): %s\n",
333 e->e_dn, textbuf, 0 );
335 return LDAP_OBJECT_CLASS_VIOLATION;
338 /* since we previous check against the
339 * structural object of this entry, the
340 * abstract class must be a (direct or indirect)
341 * superclass of one of the auxiliary classes of
344 if ( xc->soc_kind == LDAP_SCHEMA_AUXILIARY &&
345 is_object_subclass( oc, xc ) )
354 snprintf( textbuf, textlen, "instanstantiation of "
355 "abstract objectClass '%s' not allowed",
356 aoc->a_vals[i].bv_val );
358 Debug( LDAP_DEBUG_ANY,
359 "entry_check_schema(%s): %s\n",
360 e->e_dn, textbuf, 0 );
362 return LDAP_OBJECT_CLASS_VIOLATION;
366 } else if ( oc->soc_kind != LDAP_SCHEMA_STRUCTURAL || oc == sc ) {
369 if( oc->soc_kind == LDAP_SCHEMA_AUXILIARY ) {
376 if( cr->scr_auxiliaries ) {
377 for( j = 0; cr->scr_auxiliaries[j]; j++ ) {
378 if( cr->scr_auxiliaries[j] == oc ) {
384 } else if ( global_disallows & SLAP_DISALLOW_AUX_WO_CR ) {
391 snprintf( textbuf, textlen,
392 "content rule '%s' does not allow class '%s'",
393 ldap_contentrule2name( &cr->scr_crule ),
394 oc->soc_cname.bv_val );
396 Debug( LDAP_DEBUG_ANY,
398 e->e_dn, textbuf, 0 );
400 return LDAP_OBJECT_CLASS_VIOLATION;
404 s = oc_check_required( e, oc, &aoc->a_vals[i] );
406 snprintf( textbuf, textlen,
407 "object class '%s' requires attribute '%s'",
408 aoc->a_vals[i].bv_val, s );
410 Debug( LDAP_DEBUG_ANY,
412 e->e_dn, textbuf, 0 );
414 return LDAP_OBJECT_CLASS_VIOLATION;
417 if( oc == slap_schema.si_oc_extensibleObject ) {
428 /* check that each attr in the entry is allowed by some oc */
429 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
432 ret = LDAP_OBJECT_CLASS_VIOLATION;
434 if( cr && cr->scr_required ) {
435 for( i=0; cr->scr_required[i]; i++ ) {
436 if( cr->scr_required[i] == a->a_desc->ad_type ) {
443 if( ret != LDAP_SUCCESS && cr && cr->scr_allowed ) {
444 for( i=0; cr->scr_allowed[i]; i++ ) {
445 if( cr->scr_allowed[i] == a->a_desc->ad_type ) {
452 if( ret != LDAP_SUCCESS )
454 ret = oc_check_allowed( a->a_desc->ad_type, aoc->a_vals, sc );
457 if ( ret != LDAP_SUCCESS ) {
458 char *type = a->a_desc->ad_cname.bv_val;
460 snprintf( textbuf, textlen,
461 "attribute '%s' not allowed",
464 Debug( LDAP_DEBUG_ANY,
466 e->e_dn, textbuf, 0 );
480 struct berval *ocname )
486 Debug( LDAP_DEBUG_TRACE,
487 "oc_check_required entry (%s), objectClass \"%s\"\n",
488 e->e_dn, ocname->bv_val, 0 );
491 /* check for empty oc_required */
492 if(oc->soc_required == NULL) {
496 /* for each required attribute */
497 for ( i = 0; oc->soc_required[i] != NULL; i++ ) {
498 at = oc->soc_required[i];
499 /* see if it's in the entry */
500 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
501 if( a->a_desc->ad_type == at ) {
505 /* not there => schema violation */
507 return at->sat_cname.bv_val;
514 int oc_check_allowed(
521 Debug( LDAP_DEBUG_TRACE,
522 "oc_check_allowed type \"%s\"\n",
523 at->sat_cname.bv_val, 0, 0 );
525 /* always allow objectClass attribute */
526 if ( strcasecmp( at->sat_cname.bv_val, "objectClass" ) == 0 ) {
531 * All operational attributions are allowed by schema rules.
533 if( is_at_operational(at) ) {
537 /* check to see if its allowed by the structuralObjectClass */
539 /* does it require the type? */
540 for ( j = 0; sc->soc_required != NULL &&
541 sc->soc_required[j] != NULL; j++ )
543 if( at == sc->soc_required[j] ) {
548 /* does it allow the type? */
549 for ( j = 0; sc->soc_allowed != NULL &&
550 sc->soc_allowed[j] != NULL; j++ )
552 if( at == sc->soc_allowed[j] ) {
558 /* check that the type appears as req or opt in at least one oc */
559 for ( i = 0; ocl[i].bv_val != NULL; i++ ) {
560 /* if we know about the oc */
561 ObjectClass *oc = oc_bvfind( &ocl[i] );
562 if ( oc != NULL && oc->soc_kind != LDAP_SCHEMA_ABSTRACT &&
563 ( sc == NULL || oc->soc_kind == LDAP_SCHEMA_AUXILIARY ))
565 /* does it require the type? */
566 for ( j = 0; oc->soc_required != NULL &&
567 oc->soc_required[j] != NULL; j++ )
569 if( at == oc->soc_required[j] ) {
573 /* does it allow the type? */
574 for ( j = 0; oc->soc_allowed != NULL &&
575 oc->soc_allowed[j] != NULL; j++ )
577 if( at == oc->soc_allowed[j] ) {
584 /* not allowed by any oc */
585 return LDAP_OBJECT_CLASS_VIOLATION;
589 * Determine the structural object class from a set of OIDs
591 int structural_class(
596 char *textbuf, size_t textlen )
600 ObjectClass *sc = NULL;
603 *text = "structural_class: internal error";
606 for( i=0; ocs[i].bv_val; i++ ) {
607 oc = oc_bvfind( &ocs[i] );
610 snprintf( textbuf, textlen,
611 "unrecognized objectClass '%s'",
614 return LDAP_OBJECT_CLASS_VIOLATION;
617 if( oc->soc_kind == LDAP_SCHEMA_STRUCTURAL ) {
618 if( sc == NULL || is_object_subclass( sc, oc ) ) {
622 } else if ( !is_object_subclass( oc, sc ) ) {
624 ObjectClass *xc = NULL;
626 /* find common superior */
627 for( j=i+1; ocs[j].bv_val; j++ ) {
628 xc = oc_bvfind( &ocs[j] );
631 snprintf( textbuf, textlen,
632 "unrecognized objectClass '%s'",
635 return LDAP_OBJECT_CLASS_VIOLATION;
638 if( xc->soc_kind != LDAP_SCHEMA_STRUCTURAL ) {
643 if( is_object_subclass( sc, xc ) &&
644 is_object_subclass( oc, xc ) )
646 /* found common subclass */
654 /* no common subclass */
655 snprintf( textbuf, textlen,
656 "invalid structural object class chain (%s/%s)",
657 ocs[scn].bv_val, ocs[i].bv_val );
659 return LDAP_OBJECT_CLASS_VIOLATION;
670 *text = "no structural object class provided";
671 return LDAP_OBJECT_CLASS_VIOLATION;
675 *text = "invalid structural object class";
676 return LDAP_OBJECT_CLASS_VIOLATION;
681 if( scbv->bv_len == 0 ) {
682 *text = "invalid structural object class";
683 return LDAP_OBJECT_CLASS_VIOLATION;
692 * Return structural object class from list of modifications
694 int mods_structural_class(
698 char *textbuf, size_t textlen )
700 Modifications *ocmod = NULL;
702 for( ; mods != NULL; mods = mods->sml_next ) {
703 if( mods->sml_desc == slap_schema.si_ad_objectClass ) {
704 if( ocmod != NULL ) {
705 *text = "entry has multiple objectClass attributes";
706 return LDAP_OBJECT_CLASS_VIOLATION;
712 if( ocmod == NULL ) {
713 *text = "entry has no objectClass attribute";
714 return LDAP_OBJECT_CLASS_VIOLATION;
717 if( ocmod->sml_values == NULL || ocmod->sml_values[0].bv_val == NULL ) {
718 *text = "objectClass attribute has no values";
719 return LDAP_OBJECT_CLASS_VIOLATION;
722 return structural_class( ocmod->sml_values, sc, NULL,
723 text, textbuf, textlen );
731 char *textbuf, size_t textlen )
735 const char *p = NULL;
737 int rc = LDAP_SUCCESS;
739 if ( BER_BVISEMPTY( &e->e_name )) {
744 * Get attribute type(s) and attribute value(s) of our RDN
746 if ( ldap_bv2rdn( &e->e_name, &rdn, (char **)&p,
747 LDAP_DN_FORMAT_LDAP ) )
749 *text = "unrecongized attribute type(s) in RDN";
750 return LDAP_INVALID_DN_SYNTAX;
753 /* Check that each AVA of the RDN is present in the entry */
754 /* FIXME: Should also check that each AVA lists a distinct type */
755 for ( cnt = 0; rdn[cnt]; cnt++ ) {
756 LDAPAVA *ava = rdn[cnt];
757 AttributeDescription *desc = NULL;
761 if( ava->la_flags & LDAP_AVA_BINARY ) {
762 snprintf( textbuf, textlen,
763 "value of naming attribute '%s' in unsupported BER form",
764 ava->la_attr.bv_val );
765 rc = LDAP_NAMING_VIOLATION;
768 rc = slap_bv2ad( &ava->la_attr, &desc, &errtext );
769 if ( rc != LDAP_SUCCESS ) {
770 snprintf( textbuf, textlen, "%s (in RDN)", errtext );
774 if( desc->ad_type->sat_usage ) {
775 snprintf( textbuf, textlen,
776 "naming attribute '%s' is operational",
777 ava->la_attr.bv_val );
778 rc = LDAP_NAMING_VIOLATION;
782 if( desc->ad_type->sat_collective ) {
783 snprintf( textbuf, textlen,
784 "naming attribute '%s' is collective",
785 ava->la_attr.bv_val );
786 rc = LDAP_NAMING_VIOLATION;
790 if( desc->ad_type->sat_obsolete ) {
791 snprintf( textbuf, textlen,
792 "naming attribute '%s' is obsolete",
793 ava->la_attr.bv_val );
794 rc = LDAP_NAMING_VIOLATION;
798 if( !desc->ad_type->sat_equality ) {
799 snprintf( textbuf, textlen,
800 "naming attribute '%s' has no equality matching rule",
801 ava->la_attr.bv_val );
802 rc = LDAP_NAMING_VIOLATION;
806 if( !desc->ad_type->sat_equality->smr_match ) {
807 snprintf( textbuf, textlen,
808 "naming attribute '%s' has unsupported equality matching rule",
809 ava->la_attr.bv_val );
810 rc = LDAP_NAMING_VIOLATION;
814 /* find the naming attribute */
815 attr = attr_find( e->e_attrs, desc );
816 if ( attr == NULL ) {
817 snprintf( textbuf, textlen,
818 "naming attribute '%s' is not present in entry",
819 ava->la_attr.bv_val );
820 rc = LDAP_NAMING_VIOLATION;
824 rc = value_find_ex( desc, SLAP_MR_VALUE_OF_ASSERTION_SYNTAX|
825 SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH,
826 attr->a_nvals, &ava->la_value, NULL );
830 case LDAP_INAPPROPRIATE_MATCHING:
831 snprintf( textbuf, textlen,
832 "inappropriate matching for naming attribute '%s'",
833 ava->la_attr.bv_val );
835 case LDAP_INVALID_SYNTAX:
836 snprintf( textbuf, textlen,
837 "value of naming attribute '%s' is invalid",
838 ava->la_attr.bv_val );
840 case LDAP_NO_SUCH_ATTRIBUTE:
841 snprintf( textbuf, textlen,
842 "value of naming attribute '%s' is not present in entry",
843 ava->la_attr.bv_val );
846 snprintf( textbuf, textlen,
847 "naming attribute '%s' is inappropriate",
848 ava->la_attr.bv_val );
850 rc = LDAP_NAMING_VIOLATION;
projects / openldap / blob