git.sur5r.net Git - openldap/blob - servers/slapd/compare.c

   1 /* $OpenLDAP$ */
   2 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
   3  *
   4  * Copyright 1998-2017 The OpenLDAP Foundation.
   5  * All rights reserved.
   6  *
   7  * Redistribution and use in source and binary forms, with or without
   8  * modification, are permitted only as authorized by the OpenLDAP
   9  * Public License.
  10  *
  11  * A copy of this license is available in the file LICENSE in the
  12  * top-level directory of the distribution or, alternatively, at
  13  * <http://www.OpenLDAP.org/license.html>.
  14  */
  15 /* Portions Copyright (c) 1995 Regents of the University of Michigan.
  16  * All rights reserved.
  17  *
  18  * Redistribution and use in source and binary forms are permitted
  19  * provided that this notice is preserved and that due credit is given
  20  * to the University of Michigan at Ann Arbor. The name of the University
  21  * may not be used to endorse or promote products derived from this
  22  * software without specific prior written permission. This software
  23  * is provided ``as is'' without express or implied warranty.
  24  */
  25
  26 #include "portable.h"
  27
  28 #include <stdio.h>
  29 #include <ac/socket.h>
  30 #include <ac/string.h>
  31
  32 #include "slap.h"
  33
  34 int
  35 do_compare(
  36     Operation   *op,
  37     SlapReply   *rs )
  38 {
  39         struct berval dn = BER_BVNULL;
  40         struct berval desc = BER_BVNULL;
  41         struct berval value = BER_BVNULL;
  42         AttributeAssertion ava = ATTRIBUTEASSERTION_INIT;
  43
  44         Debug( LDAP_DEBUG_TRACE, "%s do_compare\n",
  45                 op->o_log_prefix, 0, 0 );
  46         /*
  47          * Parse the compare request.  It looks like this:
  48          *
  49          *      CompareRequest := [APPLICATION 14] SEQUENCE {
  50          *              entry   DistinguishedName,
  51          *              ava     SEQUENCE {
  52          *                      type    AttributeType,
  53          *                      value   AttributeValue
  54          *              }
  55          *      }
  56          */
  57
  58         if ( ber_scanf( op->o_ber, "{m" /*}*/, &dn ) == LBER_ERROR ) {
  59                 Debug( LDAP_DEBUG_ANY, "%s do_compare: ber_scanf failed\n",
  60                         op->o_log_prefix, 0, 0 );
  61                 send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" );
  62                 return SLAPD_DISCONNECT;
  63         }
  64
  65         if ( ber_scanf( op->o_ber, "{mm}", &desc, &value ) == LBER_ERROR ) {
  66                 Debug( LDAP_DEBUG_ANY, "%s do_compare: get ava failed\n",
  67                         op->o_log_prefix, 0, 0 );
  68                 send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" );
  69                 return SLAPD_DISCONNECT;
  70         }
  71
  72         if ( ber_scanf( op->o_ber, /*{*/ "}" ) == LBER_ERROR ) {
  73                 Debug( LDAP_DEBUG_ANY, "%s do_compare: ber_scanf failed\n",
  74                         op->o_log_prefix, 0, 0 );
  75                 send_ldap_discon( op, rs, LDAP_PROTOCOL_ERROR, "decoding error" );
  76                 return SLAPD_DISCONNECT;
  77         }
  78
  79         if( get_ctrls( op, rs, 1 ) != LDAP_SUCCESS ) {
  80                 Debug( LDAP_DEBUG_ANY, "%s do_compare: get_ctrls failed\n",
  81                         op->o_log_prefix, 0, 0 );
  82                 goto cleanup;
  83         }
  84
  85         rs->sr_err = dnPrettyNormal( NULL, &dn, &op->o_req_dn, &op->o_req_ndn,
  86                 op->o_tmpmemctx );
  87         if( rs->sr_err != LDAP_SUCCESS ) {
  88                 Debug( LDAP_DEBUG_ANY, "%s do_compare: invalid dn (%s)\n",
  89                         op->o_log_prefix, dn.bv_val, 0 );
  90                 send_ldap_error( op, rs, LDAP_INVALID_DN_SYNTAX, "invalid DN" );
  91                 goto cleanup;
  92         }
  93
  94         Statslog( LDAP_DEBUG_STATS,
  95                 "%s CMP dn=\"%s\" attr=\"%s\"\n",
  96                 op->o_log_prefix, op->o_req_dn.bv_val,
  97                 desc.bv_val, 0, 0 );
  98
  99         rs->sr_err = slap_bv2ad( &desc, &ava.aa_desc, &rs->sr_text );
 100         if( rs->sr_err != LDAP_SUCCESS ) {
 101                 rs->sr_err = slap_bv2undef_ad( &desc, &ava.aa_desc,
 102                                 &rs->sr_text,
 103                                 SLAP_AD_PROXIED|SLAP_AD_NOINSERT );
 104                 if( rs->sr_err != LDAP_SUCCESS ) {
 105                         send_ldap_result( op, rs );
 106                         goto cleanup;
 107                 }
 108         }
 109
 110         rs->sr_err = asserted_value_validate_normalize( ava.aa_desc,
 111                 ava.aa_desc->ad_type->sat_equality,
 112                 SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
 113                 &value, &ava.aa_value, &rs->sr_text, op->o_tmpmemctx );
 114         if( rs->sr_err != LDAP_SUCCESS ) {
 115                 send_ldap_result( op, rs );
 116                 goto cleanup;
 117         }
 118
 119         op->orc_ava = &ava;
 120
 121         Debug( LDAP_DEBUG_ARGS,
 122                 "do_compare: dn (%s) attr (%s) value (%s)\n",
 123                 op->o_req_dn.bv_val,
 124                 ava.aa_desc->ad_cname.bv_val, ava.aa_value.bv_val );
 125
 126         op->o_bd = frontendDB;
 127         rs->sr_err = frontendDB->be_compare( op, rs );
 128         if ( rs->sr_err == SLAPD_ASYNCOP ) {
 129                 /* skip cleanup */
 130                 return rs->sr_err;
 131         }
 132
 133 cleanup:;
 134         op->o_tmpfree( op->o_req_dn.bv_val, op->o_tmpmemctx );
 135         op->o_tmpfree( op->o_req_ndn.bv_val, op->o_tmpmemctx );
 136         if ( !BER_BVISNULL( &ava.aa_value ) ) {
 137                 op->o_tmpfree( ava.aa_value.bv_val, op->o_tmpmemctx );
 138         }
 139
 140         return rs->sr_err;
 141 }
 142
 143 int
 144 fe_op_compare( Operation *op, SlapReply *rs )
 145 {
 146         Entry                   *entry = NULL;
 147         AttributeAssertion      *ava = op->orc_ava;
 148         BackendDB               *bd = op->o_bd;
 149
 150         if( strcasecmp( op->o_req_ndn.bv_val, LDAP_ROOT_DSE ) == 0 ) {
 151                 if( backend_check_restrictions( op, rs, NULL ) != LDAP_SUCCESS ) {
 152                         send_ldap_result( op, rs );
 153                         goto cleanup;
 154                 }
 155
 156                 rs->sr_err = root_dse_info( op->o_conn, &entry, &rs->sr_text );
 157                 if( rs->sr_err != LDAP_SUCCESS ) {
 158                         send_ldap_result( op, rs );
 159                         goto cleanup;
 160                 }
 161
 162         } else if ( bvmatch( &op->o_req_ndn, &frontendDB->be_schemandn ) ) {
 163                 if( backend_check_restrictions( op, rs, NULL ) != LDAP_SUCCESS ) {
 164                         send_ldap_result( op, rs );
 165                         rs->sr_err = 0;
 166                         goto cleanup;
 167                 }
 168
 169                 rs->sr_err = schema_info( &entry, &rs->sr_text );
 170                 if( rs->sr_err != LDAP_SUCCESS ) {
 171                         send_ldap_result( op, rs );
 172                         rs->sr_err = 0;
 173                         goto cleanup;
 174                 }
 175         }
 176
 177         if( entry ) {
 178                 rs->sr_err = slap_compare_entry( op, entry, ava );
 179                 entry_free( entry );
 180
 181                 send_ldap_result( op, rs );
 182
 183                 if( rs->sr_err == LDAP_COMPARE_TRUE ||
 184                         rs->sr_err == LDAP_COMPARE_FALSE )
 185                 {
 186                         rs->sr_err = LDAP_SUCCESS;
 187                 }
 188
 189                 goto cleanup;
 190         }
 191
 192         /*
 193          * We could be serving multiple database backends.  Select the
 194          * appropriate one, or send a referral to our "referral server"
 195          * if we don't hold it.
 196          */
 197         op->o_bd = select_backend( &op->o_req_ndn, 0 );
 198         if ( op->o_bd == NULL ) {
 199                 rs->sr_ref = referral_rewrite( default_referral,
 200                         NULL, &op->o_req_dn, LDAP_SCOPE_DEFAULT );
 201
 202                 rs->sr_err = LDAP_REFERRAL;
 203                 if (!rs->sr_ref) rs->sr_ref = default_referral;
 204                 op->o_bd = bd;
 205                 send_ldap_result( op, rs );
 206
 207                 if (rs->sr_ref != default_referral) ber_bvarray_free( rs->sr_ref );
 208                 rs->sr_err = 0;
 209                 goto cleanup;
 210         }
 211
 212         /* check restrictions */
 213         if( backend_check_restrictions( op, rs, NULL ) != LDAP_SUCCESS ) {
 214                 send_ldap_result( op, rs );
 215                 goto cleanup;
 216         }
 217
 218         /* check for referrals */
 219         if( backend_check_referrals( op, rs ) != LDAP_SUCCESS ) {
 220                 goto cleanup;
 221         }
 222
 223         if ( SLAP_SHADOW(op->o_bd) && get_dontUseCopy(op) ) {
 224                 /* don't use shadow copy */
 225                 send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
 226                         "copy not used" );
 227
 228         } else if ( ava->aa_desc == slap_schema.si_ad_entryDN ) {
 229                 send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
 230                         "entryDN compare not supported" );
 231
 232         } else if ( ava->aa_desc == slap_schema.si_ad_subschemaSubentry ) {
 233                 send_ldap_error( op, rs, LDAP_UNWILLING_TO_PERFORM,
 234                         "subschemaSubentry compare not supported" );
 235
 236 #ifndef SLAP_COMPARE_IN_FRONTEND
 237         } else if ( ava->aa_desc == slap_schema.si_ad_hasSubordinates
 238                 && op->o_bd->be_has_subordinates )
 239         {
 240                 int     rc, hasSubordinates = LDAP_SUCCESS;
 241
 242                 rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &entry );
 243                 if ( rc == 0 && entry ) {
 244                         if ( ! access_allowed( op, entry,
 245                                 ava->aa_desc, &ava->aa_value, ACL_COMPARE, NULL ) )
 246                         {
 247                                 rc = rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
 248
 249                         } else {
 250                                 rc = rs->sr_err = op->o_bd->be_has_subordinates( op,
 251                                                 entry, &hasSubordinates );
 252                                 be_entry_release_r( op, entry );
 253                         }
 254                 }
 255
 256                 if ( rc == 0 ) {
 257                         int     asserted;
 258
 259                         asserted = bvmatch( &ava->aa_value, &slap_true_bv )
 260                                 ? LDAP_COMPARE_TRUE : LDAP_COMPARE_FALSE;
 261                         if ( hasSubordinates == asserted ) {
 262                                 rs->sr_err = LDAP_COMPARE_TRUE;
 263
 264                         } else {
 265                                 rs->sr_err = LDAP_COMPARE_FALSE;
 266                         }
 267
 268                 } else {
 269                         /* return error only if "disclose"
 270                          * is granted on the object */
 271                         if ( backend_access( op, NULL, &op->o_req_ndn,
 272                                         slap_schema.si_ad_entry,
 273                                         NULL, ACL_DISCLOSE, NULL ) == LDAP_INSUFFICIENT_ACCESS )
 274                         {
 275                                 rs->sr_err = LDAP_NO_SUCH_OBJECT;
 276                         }
 277                 }
 278
 279                 send_ldap_result( op, rs );
 280
 281                 if ( rc == 0 ) {
 282                         rs->sr_err = LDAP_SUCCESS;
 283                 }
 284
 285         } else if ( op->o_bd->be_compare ) {
 286                 rs->sr_err = op->o_bd->be_compare( op, rs );
 287
 288 #endif /* ! SLAP_COMPARE_IN_FRONTEND */
 289         } else {
 290                 rs->sr_err = SLAP_CB_CONTINUE;
 291         }
 292
 293         if ( rs->sr_err == SLAP_CB_CONTINUE ) {
 294                 /* do our best to compare that AVA
 295                  *
 296                  * NOTE: this code is used only
 297                  * if SLAP_COMPARE_IN_FRONTEND
 298                  * is #define'd (it's not by default)
 299                  * or if op->o_bd->be_compare is NULL.
 300                  *
 301                  * FIXME: one potential issue is that
 302                  * if SLAP_COMPARE_IN_FRONTEND overlays
 303                  * are not executed for compare. */
 304                 BerVarray       vals = NULL;
 305                 int             rc = LDAP_OTHER;
 306
 307                 rs->sr_err = backend_attribute( op, NULL, &op->o_req_ndn,
 308                                 ava->aa_desc, &vals, ACL_COMPARE );
 309                 switch ( rs->sr_err ) {
 310                 default:
 311                         /* return error only if "disclose"
 312                          * is granted on the object */
 313                         if ( backend_access( op, NULL, &op->o_req_ndn,
 314                                         slap_schema.si_ad_entry,
 315                                         NULL, ACL_DISCLOSE, NULL )
 316                                         == LDAP_INSUFFICIENT_ACCESS )
 317                         {
 318                                 rs->sr_err = LDAP_NO_SUCH_OBJECT;
 319                         }
 320                         break;
 321
 322                 case LDAP_SUCCESS:
 323                         if ( value_find_ex( op->oq_compare.rs_ava->aa_desc,
 324                                 SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
 325                                         SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
 326                                 vals, &ava->aa_value, op->o_tmpmemctx ) == 0 )
 327                         {
 328                                 rs->sr_err = LDAP_COMPARE_TRUE;
 329                                 break;
 330
 331                         } else {
 332                                 rs->sr_err = LDAP_COMPARE_FALSE;
 333                         }
 334                         rc = LDAP_SUCCESS;
 335                         break;
 336                 }
 337
 338                 send_ldap_result( op, rs );
 339
 340                 if ( rc == 0 ) {
 341                         rs->sr_err = LDAP_SUCCESS;
 342                 }
 343
 344                 if ( vals ) {
 345                         ber_bvarray_free_x( vals, op->o_tmpmemctx );
 346                 }
 347         }
 348
 349 cleanup:;
 350         op->o_bd = bd;
 351         return rs->sr_err;
 352 }
 353
 354 int slap_compare_entry(
 355         Operation *op,
 356         Entry *e,
 357         AttributeAssertion *ava )
 358 {
 359         int rc = LDAP_COMPARE_FALSE;
 360         Attribute *a;
 361
 362         if ( ! access_allowed( op, e,
 363                 ava->aa_desc, &ava->aa_value, ACL_COMPARE, NULL ) )
 364         {
 365                 rc = LDAP_INSUFFICIENT_ACCESS;
 366                 goto done;
 367         }
 368
 369         if ( get_assert( op ) &&
 370                 ( test_filter( op, e, get_assertion( op )) != LDAP_COMPARE_TRUE ))
 371         {
 372                 rc = LDAP_ASSERTION_FAILED;
 373                 goto done;
 374         }
 375
 376         a = attrs_find( e->e_attrs, ava->aa_desc );
 377         if( a == NULL ) {
 378                 rc = LDAP_NO_SUCH_ATTRIBUTE;
 379                 goto done;
 380         }
 381
 382         for(;
 383                 a != NULL;
 384                 a = attrs_find( a->a_next, ava->aa_desc ))
 385         {
 386                 if (( ava->aa_desc != a->a_desc ) && ! access_allowed( op,
 387                         e, a->a_desc, &ava->aa_value, ACL_COMPARE, NULL ) )
 388                 {
 389                         rc = LDAP_INSUFFICIENT_ACCESS;
 390                         break;
 391                 }
 392
 393                 if ( attr_valfind( a,
 394                         SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH |
 395                                 SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH,
 396                         &ava->aa_value, NULL, op->o_tmpmemctx ) == 0 )
 397                 {
 398                         rc = LDAP_COMPARE_TRUE;
 399                         break;
 400                 }
 401         }
 402
 403 done:
 404         if( rc != LDAP_COMPARE_TRUE && rc != LDAP_COMPARE_FALSE ) {
 405                 if ( ! access_allowed( op, e,
 406                         slap_schema.si_ad_entry, NULL, ACL_DISCLOSE, NULL ) )
 407                 {
 408                         rc = LDAP_NO_SUCH_OBJECT;
 409                 }
 410         }
 411
 412         return rc;
 413 }