X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fcompare.c;h=230602895a597849c61e6b39106d69634bd71e2e;hb=3cdba151ad18dba10786fde4464442ddaf67b5fe;hp=506e34736b544fe232de94023956b90d182bdfc8;hpb=d026e2c9f7a390b6adf9b03af3ee125c2cd52958;p=openldap

diff --git a/servers/slapd/compare.c b/servers/slapd/compare.c
index 506e34736b..230602895a 100644
--- a/servers/slapd/compare.c
+++ b/servers/slapd/compare.c
@@ -1,7 +1,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 1998-2004 The OpenLDAP Foundation.
+ * Copyright 1998-2007 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -30,9 +30,6 @@
 #include <ac/string.h>
 
 #include "slap.h"
-#ifdef LDAP_SLAPI
-#include "slapi/slapi.h"
-#endif
 
 static int compare_entry(
 	Operation *op,
@@ -47,7 +44,11 @@ do_compare(
 	struct berval dn = BER_BVNULL;
 	struct berval desc = BER_BVNULL;
 	struct berval value = BER_BVNULL;
+#ifdef LDAP_COMP_MATCH
+	AttributeAssertion ava = { NULL, BER_BVNULL, NULL };
+#else
 	AttributeAssertion ava = { NULL, BER_BVNULL };
+#endif
 
 	ava.aa_desc = NULL;
 
@@ -98,8 +99,13 @@ do_compare(
 
 	rs->sr_err = slap_bv2ad( &desc, &ava.aa_desc, &rs->sr_text );
 	if( rs->sr_err != LDAP_SUCCESS ) {
-		send_ldap_result( op, rs );
-		goto cleanup;
+		rs->sr_err = slap_bv2undef_ad( &desc, &ava.aa_desc,
+				&rs->sr_text,
+				SLAP_AD_PROXIED|SLAP_AD_NOINSERT );
+		if( rs->sr_err != LDAP_SUCCESS ) {
+			send_ldap_result( op, rs );
+			goto cleanup;
+		}
 	}
 
 	rs->sr_err = asserted_value_validate_normalize( ava.aa_desc,
@@ -119,7 +125,7 @@ do_compare(
 cleanup:;
 	op->o_tmpfree( op->o_req_dn.bv_val, op->o_tmpmemctx );
 	op->o_tmpfree( op->o_req_ndn.bv_val, op->o_tmpmemctx );
-	if ( ava.aa_value.bv_val ) {
+	if ( !BER_BVISNULL( &ava.aa_value ) ) {
 		op->o_tmpfree( ava.aa_value.bv_val, op->o_tmpmemctx );
 	}
 
@@ -129,9 +135,10 @@ cleanup:;
 int
 fe_op_compare( Operation *op, SlapReply *rs )
 {
-	Entry *entry = NULL;
-	int manageDSAit;
-	AttributeAssertion ava = *op->orc_ava;
+	Entry			*entry = NULL;
+	int			manageDSAit;
+	AttributeAssertion	ava = *op->orc_ava;
+	BackendDB		*bd = op->o_bd;
 
 	if( strcasecmp( op->o_req_ndn.bv_val, LDAP_ROOT_DSE ) == 0 ) {
 		Debug( LDAP_DEBUG_ARGS,
@@ -208,6 +215,7 @@ fe_op_compare( Operation *op, SlapReply *rs )
 
 		rs->sr_err = LDAP_REFERRAL;
 		if (!rs->sr_ref) rs->sr_ref = default_referral;
+		op->o_bd = bd;
 		send_ldap_result( op, rs );
 
 		if (rs->sr_ref != default_referral) ber_bvarray_free( rs->sr_ref );
@@ -234,37 +242,14 @@ fe_op_compare( Operation *op, SlapReply *rs )
 		op->o_log_prefix, op->o_req_dn.bv_val,
 		ava.aa_desc->ad_cname.bv_val, 0, 0 );
 
-#if defined( LDAP_SLAPI )
-#define	pb	op->o_pb
-	if ( pb ) {
-		slapi_int_pblock_set_operation( pb, op );
-		slapi_pblock_set( pb, SLAPI_COMPARE_TARGET, (void *)op->o_req_dn.bv_val );
-		slapi_pblock_set( pb, SLAPI_MANAGEDSAIT, (void *)manageDSAit );
-		slapi_pblock_set( pb, SLAPI_COMPARE_TYPE, (void *)ava.aa_desc->ad_cname.bv_val );
-		slapi_pblock_set( pb, SLAPI_COMPARE_VALUE, (void *)&ava.aa_value );
-
-		rs->sr_err = slapi_int_call_plugins( op->o_bd,
-			SLAPI_PLUGIN_PRE_COMPARE_FN, pb );
-		if ( rs->sr_err < 0 ) {
-			/*
-			 * A preoperation plugin failure will abort the
-			 * entire operation.
-			 */
-			Debug(LDAP_DEBUG_TRACE,
-				"do_compare: compare preoperation plugin failed\n",
-				0, 0, 0);
-			if ( ( slapi_pblock_get( op->o_pb, SLAPI_RESULT_CODE,
-				(void *)&rs->sr_err ) != 0 ) || rs->sr_err == LDAP_SUCCESS )
-			{
-				rs->sr_err = LDAP_OTHER;
-			}
-			goto cleanup;
-		}
-	}
-#endif /* defined( LDAP_SLAPI ) */
-
 	op->orc_ava = &ava;
-	if ( ava.aa_desc == slap_schema.si_ad_entryDN ) {
+
+	if ( SLAP_SHADOW(op->o_bd) && get_dontUseCopy(op) ) {
+		/* don't use shadow copy */
+		send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
+			"copy not used" );
+
+	} else if ( ava.aa_desc == slap_schema.si_ad_entryDN ) {
 		send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
 			"entryDN compare not supported" );
 
@@ -272,6 +257,7 @@ fe_op_compare( Operation *op, SlapReply *rs )
 		send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
 			"subschemaSubentry compare not supported" );
 
+#ifndef SLAP_COMPARE_IN_FRONTEND
 	} else if ( ava.aa_desc == slap_schema.si_ad_hasSubordinates
 		&& op->o_bd->be_has_subordinates )
 	{
@@ -279,9 +265,16 @@ fe_op_compare( Operation *op, SlapReply *rs )
 
 		rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &entry );
 		if ( rc == 0 && entry ) {
-			rc = op->o_bd->be_has_subordinates( op, entry,
-				&hasSubordinates );
-			be_entry_release_r( op, entry );
+			if ( ! access_allowed( op, entry,
+				ava.aa_desc, &ava.aa_value, ACL_COMPARE, NULL ) )
+			{	
+				rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
+				
+			} else {
+				rc = rs->sr_err = op->o_bd->be_has_subordinates( op,
+						entry, &hasSubordinates );
+				be_entry_release_r( op, entry );
+			}
 		}
 
 		if ( rc == 0 ) {
@@ -291,32 +284,94 @@ fe_op_compare( Operation *op, SlapReply *rs )
 				? LDAP_COMPARE_TRUE : LDAP_COMPARE_FALSE;
 			if ( hasSubordinates == asserted ) {
 				rs->sr_err = LDAP_COMPARE_TRUE;
+
 			} else {
 				rs->sr_err = LDAP_COMPARE_FALSE;
 			}
+
+		} else {
+			/* return error only if "disclose"
+			 * is granted on the object */
+			if ( backend_access( op, NULL, &op->o_req_ndn,
+					slap_schema.si_ad_entry,
+					NULL, ACL_DISCLOSE, NULL ) == LDAP_INSUFFICIENT_ACCESS )
+			{
+				rs->sr_err = LDAP_NO_SUCH_OBJECT;
+			}
 		}
+
 		send_ldap_result( op, rs );
 
-		if( rc == 0 ) rs->sr_err = LDAP_SUCCESS;
+		if ( rc == 0 ) {
+			rs->sr_err = LDAP_SUCCESS;
+		}
 
 	} else if ( op->o_bd->be_compare ) {
-		op->o_bd->be_compare( op, rs );
+		rs->sr_err = op->o_bd->be_compare( op, rs );
 
+#endif /* ! SLAP_COMPARE_IN_FRONTEND */
 	} else {
-		send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
-			"operation not supported within namingContext" );
+		rs->sr_err = SLAP_CB_CONTINUE;
 	}
 
-#if defined( LDAP_SLAPI )
-	if ( pb != NULL && slapi_int_call_plugins( op->o_bd,
-		SLAPI_PLUGIN_POST_COMPARE_FN, pb ) < 0 )
-	{
-		Debug(LDAP_DEBUG_TRACE,
-			"do_compare: compare postoperation plugins failed\n", 0, 0, 0 );
+	if ( rs->sr_err == SLAP_CB_CONTINUE ) {
+		/* do our best to compare that AVA
+		 * 
+		 * NOTE: this code is used only
+		 * if SLAP_COMPARE_IN_FRONTEND 
+		 * is #define'd (it's not by default)
+		 * or if op->o_bd->be_compare is NULL.
+		 * 
+		 * FIXME: one potential issue is that
+		 * if SLAP_COMPARE_IN_FRONTEND overlays
+		 * are not executed for compare. */
+		BerVarray	vals = NULL;
+		int		rc = LDAP_OTHER;
+
+		rs->sr_err = backend_attribute( op, NULL, &op->o_req_ndn,
+				ava.aa_desc, &vals, ACL_COMPARE );
+		switch ( rs->sr_err ) {
+		default:
+			/* return error only if "disclose"
+			 * is granted on the object */
+			if ( backend_access( op, NULL, &op->o_req_ndn,
+					slap_schema.si_ad_entry,
+					NULL, ACL_DISCLOSE, NULL )
+					== LDAP_INSUFFICIENT_ACCESS )
+			{
+				rs->sr_err = LDAP_NO_SUCH_OBJECT;
+			}
+			break;
+
+		case LDAP_SUCCESS:
+			if ( value_find_ex( op->oq_compare.rs_ava->aa_desc,
+				SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
+					SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
+				vals, &ava.aa_value, op->o_tmpmemctx ) == 0 )
+			{
+				rs->sr_err = LDAP_COMPARE_TRUE;
+				break;
+
+			} else {
+				rs->sr_err = LDAP_COMPARE_FALSE;
+			}
+			rc = LDAP_SUCCESS;
+			break;
+		}
+
+		send_ldap_result( op, rs );
+
+		if ( rc == 0 ) {
+			rs->sr_err = LDAP_SUCCESS;
+		}
+		
+		if ( vals ) {
+			ber_bvarray_free_x( vals, op->o_tmpmemctx );
+		}
 	}
-#endif /* defined( LDAP_SLAPI ) */
 
 cleanup:;
+	op->o_bd = bd;
 	return rs->sr_err;
 }
 
@@ -325,19 +380,22 @@ static int compare_entry(
 	Entry *e,
 	AttributeAssertion *ava )
 {
-	int rc;
+	int rc = LDAP_COMPARE_FALSE;
 	Attribute *a;
 
 	if ( ! access_allowed( op, e,
 		ava->aa_desc, &ava->aa_value, ACL_COMPARE, NULL ) )
 	{	
-		return LDAP_INSUFFICIENT_ACCESS;
+		rc = LDAP_INSUFFICIENT_ACCESS;
+		goto done;
 	}
 
 	a = attrs_find( e->e_attrs, ava->aa_desc );
-	if( a == NULL ) return LDAP_NO_SUCH_ATTRIBUTE;
+	if( a == NULL ) {
+		rc = LDAP_NO_SUCH_ATTRIBUTE;
+		goto done;
+	}
 
-	rc = LDAP_COMPARE_FALSE;
 	for(a = attrs_find( e->e_attrs, ava->aa_desc );
 		a != NULL;
 		a = attrs_find( a->a_next, ava->aa_desc ))
@@ -352,13 +410,21 @@ static int compare_entry(
 		if ( value_find_ex( ava->aa_desc,
 			SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
 				SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
-			a->a_nvals,
-			&ava->aa_value, op->o_tmpmemctx ) == 0 )
+			a->a_nvals, &ava->aa_value, op->o_tmpmemctx ) == 0 )
 		{
 			rc = LDAP_COMPARE_TRUE;
 			break;
 		}
 	}
 
+done:
+	if( rc != LDAP_COMPARE_TRUE && rc != LDAP_COMPARE_FALSE ) {
+		if ( ! access_allowed( op, e,
+			slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL ) )
+		{
+			rc = LDAP_NO_SUCH_OBJECT;
+		}
+	}
+
 	return rc;
 }