1 /* schema_check.c - routines to enforce schema definitions */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 1998-2016 The OpenLDAP Foundation.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
22 #include <ac/string.h>
23 #include <ac/socket.h>
27 static char * oc_check_required(
30 struct berval *ocname );
32 static int entry_naming_check(
37 char *textbuf, size_t textlen );
39 * entry_schema_check - check that entry e conforms to the schema required
40 * by its object class(es).
42 * returns 0 if so, non-zero otherwise.
54 char *textbuf, size_t textlen )
56 Attribute *a, *asc = NULL, *aoc = NULL;
57 ObjectClass *sc, *oc, **socs = NULL;
61 AttributeDescription *ad_structuralObjectClass
62 = slap_schema.si_ad_structuralObjectClass;
63 AttributeDescription *ad_objectClass
64 = slap_schema.si_ad_objectClass;
66 int subentry = is_entry_subentry( e );
67 int collectiveSubentry = 0;
69 if ( SLAP_NO_SCHEMA_CHECK( op->o_bd )) {
73 if ( get_no_schema_check( op ) ) {
78 collectiveSubentry = is_entry_collectiveAttributeSubentry( e );
83 /* misc attribute checks */
84 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
85 const char *type = a->a_desc->ad_cname.bv_val;
87 /* there should be at least one value */
88 assert( a->a_vals != NULL );
89 assert( a->a_vals[0].bv_val != NULL );
91 if( a->a_desc->ad_type->sat_check ) {
92 rc = (a->a_desc->ad_type->sat_check)(
93 op->o_bd, e, a, text, textbuf, textlen );
94 if( rc != LDAP_SUCCESS ) {
99 if( a->a_desc == ad_structuralObjectClass )
101 else if ( a->a_desc == ad_objectClass )
104 if( !collectiveSubentry && is_at_collective( a->a_desc->ad_type ) ) {
105 snprintf( textbuf, textlen,
106 "'%s' can only appear in collectiveAttributeSubentry",
108 return LDAP_OBJECT_CLASS_VIOLATION;
111 /* if single value type, check for multiple values */
112 if( is_at_single_value( a->a_desc->ad_type ) &&
113 a->a_vals[1].bv_val != NULL )
115 snprintf( textbuf, textlen,
116 "attribute '%s' cannot have multiple values",
119 Debug( LDAP_DEBUG_ANY,
121 e->e_dn, textbuf, 0 );
123 return LDAP_CONSTRAINT_VIOLATION;
127 /* check the object class attribute */
129 Debug( LDAP_DEBUG_ANY, "No objectClass for entry (%s)\n",
132 *text = "no objectClass attribute";
133 return LDAP_OBJECT_CLASS_VIOLATION;
136 assert( aoc->a_vals != NULL );
137 assert( aoc->a_vals[0].bv_val != NULL );
139 /* check the structural object class attribute */
140 if ( asc == NULL && !add ) {
141 Debug( LDAP_DEBUG_ANY,
142 "No structuralObjectClass for entry (%s)\n",
145 *text = "no structuralObjectClass operational attribute";
149 rc = structural_class( aoc->a_vals, &oc, &socs, text, textbuf, textlen,
151 if( rc != LDAP_SUCCESS ) {
155 if ( asc == NULL && add ) {
156 attr_merge_one( e, ad_structuralObjectClass, &oc->soc_cname, NULL );
157 asc = attr_find( e->e_attrs, ad_structuralObjectClass );
162 assert( asc->a_vals != NULL );
163 assert( asc->a_vals[0].bv_val != NULL );
164 assert( asc->a_vals[1].bv_val == NULL );
166 sc = oc_bvfind( &asc->a_vals[0] );
168 snprintf( textbuf, textlen,
169 "unrecognized structuralObjectClass '%s'",
170 asc->a_vals[0].bv_val );
172 Debug( LDAP_DEBUG_ANY,
173 "entry_check_schema(%s): %s\n",
174 e->e_dn, textbuf, 0 );
176 rc = LDAP_OBJECT_CLASS_VIOLATION;
180 if( sc->soc_kind != LDAP_SCHEMA_STRUCTURAL ) {
181 snprintf( textbuf, textlen,
182 "structuralObjectClass '%s' is not STRUCTURAL",
183 asc->a_vals[0].bv_val );
185 Debug( LDAP_DEBUG_ANY,
186 "entry_check_schema(%s): %s\n",
187 e->e_dn, textbuf, 0 );
194 if( !manage && sc->soc_obsolete ) {
195 snprintf( textbuf, textlen,
196 "structuralObjectClass '%s' is OBSOLETE",
197 asc->a_vals[0].bv_val );
199 Debug( LDAP_DEBUG_ANY,
200 "entry_check_schema(%s): %s\n",
201 e->e_dn, textbuf, 0 );
203 rc = LDAP_OBJECT_CLASS_VIOLATION;
210 snprintf( textbuf, textlen,
211 "unrecognized objectClass '%s'",
212 aoc->a_vals[0].bv_val );
213 rc = LDAP_OBJECT_CLASS_VIOLATION;
216 } else if ( sc != oc ) {
217 if ( !manage && sc != slap_schema.si_oc_glue ) {
218 snprintf( textbuf, textlen,
219 "structural object class modification "
220 "from '%s' to '%s' not allowed",
221 asc->a_vals[0].bv_val, oc->soc_cname.bv_val );
222 rc = LDAP_NO_OBJECT_CLASS_MODS;
226 assert( asc->a_vals != NULL );
227 assert( !BER_BVISNULL( &asc->a_vals[0] ) );
228 assert( BER_BVISNULL( &asc->a_vals[1] ) );
229 assert( asc->a_nvals == asc->a_vals );
231 /* draft-zeilenga-ldap-relax: automatically modify
232 * structuralObjectClass if changed with relax */
234 ber_bvreplace( &asc->a_vals[ 0 ], &sc->soc_cname );
241 if ( !is_entry_glue ( e ) ) {
242 rc = entry_naming_check( e, manage, add, text, textbuf, textlen );
243 if( rc != LDAP_SUCCESS ) {
250 /* find the content rule for the structural class */
251 cr = cr_find( sc->soc_oid );
253 /* the cr must be same as the structural class */
254 assert( !cr || !strcmp( cr->scr_oid, sc->soc_oid ) );
256 /* check that the entry has required attrs of the content rule */
258 if( !manage && cr->scr_obsolete ) {
259 snprintf( textbuf, textlen,
260 "content rule '%s' is obsolete",
261 ldap_contentrule2name( &cr->scr_crule ));
263 Debug( LDAP_DEBUG_ANY,
265 e->e_dn, textbuf, 0 );
267 rc = LDAP_OBJECT_CLASS_VIOLATION;
271 if( cr->scr_required ) for( i=0; cr->scr_required[i]; i++ ) {
272 at = cr->scr_required[i];
274 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
275 if( a->a_desc->ad_type == at ) {
280 /* not there => schema violation */
282 snprintf( textbuf, textlen,
283 "content rule '%s' requires attribute '%s'",
284 ldap_contentrule2name( &cr->scr_crule ),
285 at->sat_cname.bv_val );
287 Debug( LDAP_DEBUG_ANY,
289 e->e_dn, textbuf, 0 );
291 rc = LDAP_OBJECT_CLASS_VIOLATION;
296 if( cr->scr_precluded ) for( i=0; cr->scr_precluded[i]; i++ ) {
297 at = cr->scr_precluded[i];
299 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
300 if( a->a_desc->ad_type == at ) {
305 /* there => schema violation */
307 snprintf( textbuf, textlen,
308 "content rule '%s' precluded attribute '%s'",
309 ldap_contentrule2name( &cr->scr_crule ),
310 at->sat_cname.bv_val );
312 Debug( LDAP_DEBUG_ANY,
314 e->e_dn, textbuf, 0 );
316 rc = LDAP_OBJECT_CLASS_VIOLATION;
322 /* check that the entry has required attrs for each oc */
323 for ( i = 0; socs[i]; i++ ) {
325 if ( !manage && oc->soc_obsolete ) {
326 /* disallow obsolete classes */
327 snprintf( textbuf, textlen,
328 "objectClass '%s' is OBSOLETE",
329 aoc->a_vals[i].bv_val );
331 Debug( LDAP_DEBUG_ANY,
332 "entry_check_schema(%s): %s\n",
333 e->e_dn, textbuf, 0 );
335 rc = LDAP_OBJECT_CLASS_VIOLATION;
339 if ( oc->soc_check ) {
340 rc = (oc->soc_check)( op->o_bd, e, oc,
341 text, textbuf, textlen );
342 if( rc != LDAP_SUCCESS ) {
347 if ( oc->soc_kind == LDAP_SCHEMA_ABSTRACT ) {
348 /* object class is abstract */
349 if ( oc != slap_schema.si_oc_top &&
350 !is_object_subclass( oc, sc ))
353 ObjectClass *xc = NULL;
354 for( j=0; socs[j]; j++ ) {
358 /* since we previous check against the
359 * structural object of this entry, the
360 * abstract class must be a (direct or indirect)
361 * superclass of one of the auxiliary classes of
364 if ( xc->soc_kind == LDAP_SCHEMA_AUXILIARY &&
365 is_object_subclass( oc, xc ) )
374 snprintf( textbuf, textlen, "instantiation of "
375 "abstract objectClass '%s' not allowed",
376 aoc->a_vals[i].bv_val );
378 Debug( LDAP_DEBUG_ANY,
379 "entry_check_schema(%s): %s\n",
380 e->e_dn, textbuf, 0 );
382 rc = LDAP_OBJECT_CLASS_VIOLATION;
387 } else if ( oc->soc_kind != LDAP_SCHEMA_STRUCTURAL || oc == sc ) {
390 if( oc->soc_kind == LDAP_SCHEMA_AUXILIARY ) {
397 if( cr->scr_auxiliaries ) {
398 for( j = 0; cr->scr_auxiliaries[j]; j++ ) {
399 if( cr->scr_auxiliaries[j] == oc ) {
406 snprintf( textbuf, textlen,
407 "class '%s' not allowed by content rule '%s'",
408 oc->soc_cname.bv_val,
409 ldap_contentrule2name( &cr->scr_crule ) );
411 } else if ( global_disallows & SLAP_DISALLOW_AUX_WO_CR ) {
413 snprintf( textbuf, textlen,
414 "class '%s' not allowed by any content rule",
415 oc->soc_cname.bv_val );
421 Debug( LDAP_DEBUG_ANY,
423 e->e_dn, textbuf, 0 );
425 rc = LDAP_OBJECT_CLASS_VIOLATION;
430 s = oc_check_required( e, oc, &aoc->a_vals[i] );
432 snprintf( textbuf, textlen,
433 "object class '%s' requires attribute '%s'",
434 aoc->a_vals[i].bv_val, s );
436 Debug( LDAP_DEBUG_ANY,
438 e->e_dn, textbuf, 0 );
440 rc = LDAP_OBJECT_CLASS_VIOLATION;
444 if( oc == slap_schema.si_oc_extensibleObject ) {
456 /* check that each attr in the entry is allowed by some oc */
457 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
458 rc = LDAP_OBJECT_CLASS_VIOLATION;
460 if( cr && cr->scr_required ) {
461 for( i=0; cr->scr_required[i]; i++ ) {
462 if( cr->scr_required[i] == a->a_desc->ad_type ) {
469 if( rc != LDAP_SUCCESS && cr && cr->scr_allowed ) {
470 for( i=0; cr->scr_allowed[i]; i++ ) {
471 if( cr->scr_allowed[i] == a->a_desc->ad_type ) {
478 if( rc != LDAP_SUCCESS )
480 rc = oc_check_allowed( a->a_desc->ad_type, socs, sc );
483 if ( rc != LDAP_SUCCESS ) {
484 char *type = a->a_desc->ad_cname.bv_val;
486 snprintf( textbuf, textlen,
487 "attribute '%s' not allowed",
490 Debug( LDAP_DEBUG_ANY,
492 e->e_dn, textbuf, 0 );
500 slap_sl_free( socs, op->o_tmpmemctx );
508 struct berval *ocname )
514 Debug( LDAP_DEBUG_TRACE,
515 "oc_check_required entry (%s), objectClass \"%s\"\n",
516 e->e_dn, ocname->bv_val, 0 );
519 /* check for empty oc_required */
520 if(oc->soc_required == NULL) {
524 /* for each required attribute */
525 for ( i = 0; oc->soc_required[i] != NULL; i++ ) {
526 at = oc->soc_required[i];
527 /* see if it's in the entry */
528 for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
529 if( a->a_desc->ad_type == at ) {
533 /* not there => schema violation */
535 return at->sat_cname.bv_val;
542 int oc_check_allowed(
549 Debug( LDAP_DEBUG_TRACE,
550 "oc_check_allowed type \"%s\"\n",
551 at->sat_cname.bv_val, 0, 0 );
553 /* always allow objectClass attribute */
554 if ( strcasecmp( at->sat_cname.bv_val, "objectClass" ) == 0 ) {
559 * All operational attributions are allowed by schema rules.
561 if( is_at_operational(at) ) {
565 /* check to see if its allowed by the structuralObjectClass */
567 /* does it require the type? */
568 for ( j = 0; sc->soc_required != NULL &&
569 sc->soc_required[j] != NULL; j++ )
571 if( at == sc->soc_required[j] ) {
576 /* does it allow the type? */
577 for ( j = 0; sc->soc_allowed != NULL &&
578 sc->soc_allowed[j] != NULL; j++ )
580 if( at == sc->soc_allowed[j] ) {
586 /* check that the type appears as req or opt in at least one oc */
587 for ( i = 0; socs[i]; i++ ) {
588 /* if we know about the oc */
589 ObjectClass *oc = socs[i];
590 /* extensibleObject allows all */
591 if ( oc == slap_schema.si_oc_extensibleObject ) {
594 if ( oc != NULL && oc->soc_kind != LDAP_SCHEMA_ABSTRACT &&
595 ( sc == NULL || oc->soc_kind == LDAP_SCHEMA_AUXILIARY ))
597 /* does it require the type? */
598 for ( j = 0; oc->soc_required != NULL &&
599 oc->soc_required[j] != NULL; j++ )
601 if( at == oc->soc_required[j] ) {
605 /* does it allow the type? */
606 for ( j = 0; oc->soc_allowed != NULL &&
607 oc->soc_allowed[j] != NULL; j++ )
609 if( at == oc->soc_allowed[j] ) {
616 /* not allowed by any oc */
617 return LDAP_OBJECT_CLASS_VIOLATION;
621 * Determine the structural object class from a set of OIDs
623 int structural_class(
626 ObjectClass ***socsp,
628 char *textbuf, size_t textlen,
632 ObjectClass *oc, **socs;
633 ObjectClass *sc = NULL;
636 *text = "structural_class: internal error";
639 for( i=0; ocs[i].bv_val; i++ ) ;
642 socs = slap_sl_malloc( (nocs+1) * sizeof(ObjectClass *), ctx );
644 for( i=0; ocs[i].bv_val; i++ ) {
645 socs[i] = oc_bvfind( &ocs[i] );
647 if( socs[i] == NULL ) {
648 snprintf( textbuf, textlen,
649 "unrecognized objectClass '%s'",
657 for( i=0; ocs[i].bv_val; i++ ) {
659 if( oc->soc_kind == LDAP_SCHEMA_STRUCTURAL ) {
660 if( sc == NULL || is_object_subclass( sc, oc ) ) {
664 } else if ( !is_object_subclass( oc, sc ) ) {
666 ObjectClass *xc = NULL;
668 /* find common superior */
669 for( j=i+1; ocs[j].bv_val; j++ ) {
673 snprintf( textbuf, textlen,
674 "unrecognized objectClass '%s'",
680 if( xc->soc_kind != LDAP_SCHEMA_STRUCTURAL ) {
685 if( is_object_subclass( sc, xc ) &&
686 is_object_subclass( oc, xc ) )
688 /* found common subclass */
696 /* no common subclass */
697 snprintf( textbuf, textlen,
698 "invalid structural object class chain (%s/%s)",
699 ocs[scn].bv_val, ocs[i].bv_val );
712 *text = "no structural object class provided";
717 *text = "invalid structural object class";
724 slap_sl_free( socs, ctx );
731 slap_sl_free( socs, ctx );
732 return LDAP_OBJECT_CLASS_VIOLATION;
736 * Return structural object class from list of modifications
738 int mods_structural_class(
742 char *textbuf, size_t textlen, void *ctx )
744 Modifications *ocmod = NULL;
748 for( ; mods != NULL; mods = mods->sml_next ) {
749 if( mods->sml_desc == slap_schema.si_ad_objectClass ) {
750 if( ocmod != NULL ) {
751 *text = "entry has multiple objectClass attributes";
752 return LDAP_OBJECT_CLASS_VIOLATION;
758 if( ocmod == NULL ) {
759 *text = "entry has no objectClass attribute";
760 return LDAP_OBJECT_CLASS_VIOLATION;
763 if( ocmod->sml_values == NULL || ocmod->sml_values[0].bv_val == NULL ) {
764 *text = "objectClass attribute has no values";
765 return LDAP_OBJECT_CLASS_VIOLATION;
768 rc = structural_class( ocmod->sml_values, &ssc, NULL,
769 text, textbuf, textlen, ctx );
770 if ( rc == LDAP_SUCCESS )
771 *sc = ssc->soc_cname;
782 char *textbuf, size_t textlen )
786 const char *p = NULL;
788 int rc = LDAP_SUCCESS;
790 if ( BER_BVISEMPTY( &e->e_name )) {
795 * Get attribute type(s) and attribute value(s) of our RDN
797 if ( ldap_bv2rdn( &e->e_name, &rdn, (char **)&p,
798 LDAP_DN_FORMAT_LDAP ) )
800 *text = "unrecognized attribute type(s) in RDN";
801 return LDAP_INVALID_DN_SYNTAX;
804 /* Check that each AVA of the RDN is present in the entry */
805 /* FIXME: Should also check that each AVA lists a distinct type */
806 for ( cnt = 0; rdn[cnt]; cnt++ ) {
807 LDAPAVA *ava = rdn[cnt];
808 AttributeDescription *desc = NULL;
813 if( ava->la_flags & LDAP_AVA_BINARY ) {
814 snprintf( textbuf, textlen,
815 "value of naming attribute '%s' in unsupported BER form",
816 ava->la_attr.bv_val );
817 rc = LDAP_NAMING_VIOLATION;
821 rc = slap_bv2ad( &ava->la_attr, &desc, &errtext );
822 if ( rc != LDAP_SUCCESS ) {
823 snprintf( textbuf, textlen, "%s (in RDN)", errtext );
827 if( desc->ad_type->sat_usage ) {
828 snprintf( textbuf, textlen,
829 "naming attribute '%s' is operational",
830 ava->la_attr.bv_val );
831 rc = LDAP_NAMING_VIOLATION;
835 if( desc->ad_type->sat_collective ) {
836 snprintf( textbuf, textlen,
837 "naming attribute '%s' is collective",
838 ava->la_attr.bv_val );
839 rc = LDAP_NAMING_VIOLATION;
843 if( !manage && desc->ad_type->sat_obsolete ) {
844 snprintf( textbuf, textlen,
845 "naming attribute '%s' is obsolete",
846 ava->la_attr.bv_val );
847 rc = LDAP_NAMING_VIOLATION;
851 if( !desc->ad_type->sat_equality ) {
852 snprintf( textbuf, textlen,
853 "naming attribute '%s' has no equality matching rule",
854 ava->la_attr.bv_val );
855 rc = LDAP_NAMING_VIOLATION;
859 if( !desc->ad_type->sat_equality->smr_match ) {
860 snprintf( textbuf, textlen,
861 "naming attribute '%s' has unsupported equality matching rule",
862 ava->la_attr.bv_val );
863 rc = LDAP_NAMING_VIOLATION;
867 /* find the naming attribute */
868 attr = attr_find( e->e_attrs, desc );
869 if ( attr == NULL ) {
870 snprintf( textbuf, textlen,
871 "naming attribute '%s' is not present in entry",
872 ava->la_attr.bv_val );
877 rc = LDAP_NAMING_VIOLATION;
881 rc = attr_valfind( attr, SLAP_MR_VALUE_OF_ASSERTION_SYNTAX|
882 SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH,
883 &ava->la_value, NULL, NULL );
887 case LDAP_INAPPROPRIATE_MATCHING:
888 snprintf( textbuf, textlen,
889 "inappropriate matching for naming attribute '%s'",
890 ava->la_attr.bv_val );
892 case LDAP_INVALID_SYNTAX:
893 snprintf( textbuf, textlen,
894 "value of naming attribute '%s' is invalid",
895 ava->la_attr.bv_val );
897 case LDAP_NO_SUCH_ATTRIBUTE:
899 if ( is_at_single_value( desc->ad_type ) ) {
900 snprintf( textbuf, textlen,
901 "value of single-valued naming attribute '%s' conflicts with value present in entry",
902 ava->la_attr.bv_val );
910 snprintf( textbuf, textlen,
911 "value of naming attribute '%s' is not present in entry",
912 ava->la_attr.bv_val );
916 snprintf( textbuf, textlen,
917 "naming attribute '%s' is inappropriate",
918 ava->la_attr.bv_val );
922 rc = LDAP_NAMING_VIOLATION;
928 attr_merge_normalize_one( e, desc, &ava->la_value, NULL );
930 } else if ( rc != LDAP_SUCCESS ) {
projects / openldap / blob