X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fschema_check.c;h=87ba819c1d35e1a44a2d361067fe720855245234;hb=0f30fb0d8f0adbbb7b41fd455c57aa56d64c9853;hp=25bbd5486a23683d5d079e5857f62223fc8e0cb5;hpb=f9195f9b6f9fc995fe120a9ff0fcd01d51fd0cc8;p=openldap diff --git a/servers/slapd/schema_check.c b/servers/slapd/schema_check.c index 25bbd5486a..87ba819c1d 100644 --- a/servers/slapd/schema_check.c +++ b/servers/slapd/schema_check.c @@ -1,7 +1,7 @@ /* schema_check.c - routines to enforce schema definitions */ /* $OpenLDAP$ */ /* - * Copyright 1998-1999 The OpenLDAP Foundation, All Rights Reserved. + * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved. * COPYING RESTRICTIONS APPLY, see COPYRIGHT file */ @@ -16,8 +16,7 @@ #include "slap.h" #include "ldap_pvt.h" -static char * oc_check_required(Entry *e, char *ocname); -static int oc_check_allowed(char *type, struct berval **ocl); +static char * oc_check_required(Entry *e, struct berval *ocname); /* * entry_schema_check - check that entry e conforms to the schema required @@ -27,88 +26,169 @@ static int oc_check_allowed(char *type, struct berval **ocl); */ int -schema_check_entry( Entry *e ) +entry_schema_check( + Entry *e, Attribute *oldattrs, const char** text, + char *textbuf, size_t textlen ) { Attribute *a, *aoc; ObjectClass *oc; int i; - int ret = 0; + AttributeDescription *ad_objectClass = slap_schema.si_ad_objectClass; + int extensible = 0; - if( !global_schemacheck ) return 0; + *text = textbuf; + + /* check single-valued attrs for multiple values */ + for ( a = e->e_attrs; a != NULL; a = a->a_next ) { + /* there should be at least one value */ + assert( a->a_vals ); + assert( a->a_vals[0] != NULL ); + + /* if single value type, check for multiple values */ + if( is_at_single_value( a->a_desc->ad_type ) && + a->a_vals[1] != NULL ) + { + char *type = a->a_desc->ad_cname.bv_val; + + snprintf( textbuf, textlen, + "attribute '%s' cannot have multiple values", + type ); + +#ifdef NEW_LOGGING + LDAP_LOG(( "schema", LDAP_LEVEL_INFO, + "entry_schema_check: dn=\"%s\" %s\n", + e->e_dn, textbuf )); +#else + Debug( LDAP_DEBUG_ANY, + "Entry (%s), %s\n", + e->e_dn, textbuf, 0 ); +#endif + + return LDAP_CONSTRAINT_VIOLATION; + } + } + + if( !global_schemacheck ) return LDAP_SUCCESS; /* find the object class attribute - could error out here */ - if ( (aoc = attr_find( e->e_attrs, "objectclass" )) == NULL ) { - Debug( LDAP_DEBUG_ANY, "No object class for entry (%s)\n", + if ( (aoc = attr_find( e->e_attrs, ad_objectClass )) == NULL ) { +#ifdef NEW_LOGGING + LDAP_LOG(( "schema", LDAP_LEVEL_INFO, + "entry_schema_check: No objectClass for entry (%s).\n", e->e_dn )); +#else + Debug( LDAP_DEBUG_ANY, "No objectClass for entry (%s)\n", e->e_dn, 0, 0 ); - return( 1 ); +#endif + + *text = "no objectClass attribute"; + return LDAP_OBJECT_CLASS_VIOLATION; } /* check that the entry has required attrs for each oc */ for ( i = 0; aoc->a_vals[i] != NULL; i++ ) { if ( (oc = oc_find( aoc->a_vals[i]->bv_val )) == NULL ) { + snprintf( textbuf, textlen, + "unrecognized objectClass '%s'", + aoc->a_vals[i]->bv_val ); + +#ifdef NEW_LOGGING + LDAP_LOG(( "schema", LDAP_LEVEL_INFO, + "entry_schema_check: dn (%s), %s\n", + e->e_dn, textbuf )); +#else Debug( LDAP_DEBUG_ANY, - "Objectclass \"%s\" not defined\n", - aoc->a_vals[i]->bv_val, 0, 0 ); - } - else - { - char *s = oc_check_required( e, aoc->a_vals[i]->bv_val ); + "entry_check_schema(%s): \"%s\" not recognized\n", + e->e_dn, textbuf, 0 ); +#endif + + return LDAP_OBJECT_CLASS_VIOLATION; + + } else { + char *s = oc_check_required( e, aoc->a_vals[i] ); if (s != NULL) { + snprintf( textbuf, textlen, + "object class '%s' requires attribute '%s'", + aoc->a_vals[i]->bv_val, s ); + +#ifdef NEW_LOGGING + LDAP_LOG(( "schema", LDAP_LEVEL_INFO, + "entry_schema_check: dn=\"%s\" %s", + e->e_dn, textbuf )); +#else Debug( LDAP_DEBUG_ANY, - "Entry (%s), oc \"%s\" requires attr \"%s\"\n", - e->e_dn, aoc->a_vals[i]->bv_val, s ); - ret = 1; + "Entry (%s): %s\n", + e->e_dn, textbuf, 0 ); +#endif + + return LDAP_OBJECT_CLASS_VIOLATION; + } + + if( oc == slap_schema.si_oc_extensibleObject ) { + extensible=1; } + } } - if ( ret != 0 ) { - return( ret ); + if( extensible ) { + return LDAP_SUCCESS; } /* check that each attr in the entry is allowed by some oc */ for ( a = e->e_attrs; a != NULL; a = a->a_next ) { -#ifdef SLAPD_SCHEMA_NOT_COMPAT - if ( oc_check_allowed( a->a_desc.ad_type, aoc->a_vals ) != 0 ) { - Debug( LDAP_DEBUG_ANY, - "Entry (%s), attr \"%s\" not allowed\n", - e->e_dn, a->a_desc.ad_cname->bv_val, 0 ); - ret = 1; - } + int ret = oc_check_allowed( a->a_desc->ad_type, aoc->a_vals ); + if ( ret != LDAP_SUCCESS ) { + char *type = a->a_desc->ad_cname.bv_val; + + snprintf( textbuf, textlen, + "attribute '%s' not allowed", + type ); + +#ifdef NEW_LOGGING + LDAP_LOG(( "schema", LDAP_LEVEL_INFO, + "entry_schema_check: dn=\"%s\" %s\n", + e->e_dn, textbuf )); #else - if ( oc_check_allowed( a->a_type, aoc->a_vals ) != 0 ) { Debug( LDAP_DEBUG_ANY, - "Entry (%s), attr \"%s\" not allowed\n", - e->e_dn, a->a_type, 0 ); - ret = 1; - } + "Entry (%s), %s\n", + e->e_dn, textbuf, 0 ); #endif + + return ret; + } } - return( ret ); + return LDAP_SUCCESS; } static char * -oc_check_required( Entry *e, char *ocname ) +oc_check_required( Entry *e, struct berval *ocname ) { ObjectClass *oc; AttributeType *at; int i; Attribute *a; +#ifdef NEW_LOGGING + LDAP_LOG(( "schema", LDAP_LEVEL_ENTRY, + "oc_check_required: dn (%s), objectClass \"%s\"\n", + e->e_dn, ocname->bv_val )); +#else Debug( LDAP_DEBUG_TRACE, - "oc_check_required entry (%s), objectclass \"%s\"\n", - e->e_dn, ocname, 0 ); + "oc_check_required entry (%s), objectClass \"%s\"\n", + e->e_dn, ocname->bv_val, 0 ); +#endif + /* find global oc defn. it we don't know about it assume it's ok */ - if ( (oc = oc_find( ocname )) == NULL ) { - return( 0 ); + if ( (oc = oc_find( ocname->bv_val )) == NULL ) { + return NULL; } /* check for empty oc_required */ if(oc->soc_required == NULL) { - return( 0 ); + return NULL; } /* for each required attribute */ @@ -116,91 +196,45 @@ oc_check_required( Entry *e, char *ocname ) at = oc->soc_required[i]; /* see if it's in the entry */ for ( a = e->e_attrs; a != NULL; a = a->a_next ) { -#ifdef SLAPD_SCHEMA_NOT_COMPAT - if( a->a_desc.ad_type == at ) { - break; - } -#else - char **pp; - - if ( at->sat_oid && - strcmp( a->a_type, at->sat_oid ) == 0 ) { - break; - } - pp = at->sat_names; - if ( pp == NULL ) { - /* Empty name list => not found */ - a = NULL; - break; - } - while ( *pp ) { - if ( strcasecmp( a->a_type, *pp ) == 0 ) { - break; - } - pp++; - } - if ( *pp ) { + if( a->a_desc->ad_type == at ) { break; } -#endif } /* not there => schema violation */ if ( a == NULL ) { - if ( at->sat_names && at->sat_names[0] ) { - return at->sat_names[0]; - } else { - return at->sat_oid; - } + return at->sat_cname.bv_val; } } return( NULL ); } -static int -oc_check_allowed( char *type, struct berval **ocl ) +int oc_check_allowed( + AttributeType *at, + struct berval **ocl ) { ObjectClass *oc; - AttributeType *at; int i, j; - char **pp; - char *p, *t; +#ifdef NEW_LOGGING + LDAP_LOG(( "schema", LDAP_LEVEL_ENTRY, + "oc_check_allowed: type \"%s\"\n", at->sat_cname.bv_val )); +#else Debug( LDAP_DEBUG_TRACE, - "oc_check_allowed type \"%s\"\n", type, 0, 0 ); - - /* always allow objectclass attribute */ - if ( strcasecmp( type, "objectclass" ) == 0 ) { - return( 0 ); - } - -#ifndef SLAPD_SCHEMA_NOT_COMPAT - /* Treat any attribute type with option as an unknown attribute type */ - /* - * The "type" we have received is actually an AttributeDescription. - * Let's find out the corresponding type. - */ - p = strchr( type, ';' ); - if ( p ) { - t = ch_malloc( p-type+1 ); - strncpy( t, type, p-type ); - t[p-type] = '\0'; - Debug( LDAP_DEBUG_TRACE, - "oc_check_allowed type \"%s\" from \"%s\"\n", - t, type, 0 ); - - } else + "oc_check_allowed type \"%s\"\n", + at->sat_cname.bv_val, 0, 0 ); #endif - { - t = type; - } + /* always allow objectClass attribute */ + if ( strcasecmp( at->sat_cname.bv_val, "objectClass" ) == 0 ) { + return LDAP_SUCCESS; + } /* * All operational attributions are allowed by schema rules. */ - if ( oc_check_op_attr( t ) ) { - return( 0 ); + if( is_at_operational(at) ) { + return LDAP_SUCCESS; } /* check that the type appears as req or opt in at least one oc */ @@ -209,63 +243,24 @@ oc_check_allowed( char *type, struct berval **ocl ) if ( (oc = oc_find( ocl[i]->bv_val )) != NULL ) { /* does it require the type? */ for ( j = 0; oc->soc_required != NULL && - oc->soc_required[j] != NULL; j++ ) { - at = oc->soc_required[j]; - if ( at->sat_oid && - strcmp(at->sat_oid, t ) == 0 ) { - if ( t != type ) - ldap_memfree( t ); - return( 0 ); - } - pp = at->sat_names; - if ( pp == NULL ) - continue; - while ( *pp ) { - if ( strcasecmp( *pp, t ) == 0 ) { - if ( t != type ) - ldap_memfree( t ); - return( 0 ); - } - pp++; + oc->soc_required[j] != NULL; j++ ) + { + if( at == oc->soc_required[j] ) { + return LDAP_SUCCESS; } } /* does it allow the type? */ for ( j = 0; oc->soc_allowed != NULL && - oc->soc_allowed[j] != NULL; j++ ) { - at = oc->soc_allowed[j]; - if ( at->sat_oid && - strcmp( at->sat_oid, t ) == 0 ) { - if ( t != type ) - ldap_memfree( t ); - return( 0 ); - } - pp = at->sat_names; - if ( pp == NULL ) - continue; - while ( *pp ) { - if ( strcasecmp( *pp, t ) == 0 || - strcmp( *pp, "*" ) == 0 ) { - if ( t != type ) - ldap_memfree( t ); - return( 0 ); - } - pp++; + oc->soc_allowed[j] != NULL; j++ ) + { + if( at == oc->soc_allowed[j] ) { + return LDAP_SUCCESS; } } /* maybe the next oc allows it */ - -#ifdef OC_UNDEFINED_IMPLES_EXTENSIBLE - /* we don't know about the oc. assume it allows it */ - } else { - if ( t != type ) - ldap_memfree( t ); - return( 0 ); -#endif } } - if ( t != type ) - ldap_memfree( t ); /* not allowed by any oc */ - return( 1 ); + return LDAP_OBJECT_CLASS_VIOLATION; }