diff options
Diffstat (limited to 'servers/slapd/back-monitor/database.c')
-rw-r--r-- | servers/slapd/back-monitor/database.c | 1048 |
1 files changed, 1048 insertions, 0 deletions
diff --git a/servers/slapd/back-monitor/database.c b/servers/slapd/back-monitor/database.c new file mode 100644 index 0000000..fc6ad1b --- /dev/null +++ b/servers/slapd/back-monitor/database.c @@ -0,0 +1,1048 @@ +/* database.c - deals with database subsystem */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 2001-2018 The OpenLDAP Foundation. + * Portions Copyright 2001-2003 Pierangelo Masarati. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ +/* ACKNOWLEDGEMENTS: + * This work was initially developed by Pierangelo Masarati for inclusion + * in OpenLDAP Software. + */ + +#include "portable.h" + +#include <stdio.h> +#include <ac/string.h> +#include <ac/unistd.h> + +#include "slap.h" +#include "back-monitor.h" + +#if defined(LDAP_SLAPI) +#include "slapi.h" +static int monitor_back_add_plugin( monitor_info_t *mi, Backend *be, Entry *e ); +#endif /* defined(LDAP_SLAPI) */ + +static int +monitor_subsys_database_modify( + Operation *op, + SlapReply *rs, + Entry *e ); + +static struct restricted_ops_t { + struct berval op; + unsigned int tag; +} restricted_ops[] = { + { BER_BVC( "add" ), SLAP_RESTRICT_OP_ADD }, + { BER_BVC( "bind" ), SLAP_RESTRICT_OP_BIND }, + { BER_BVC( "compare" ), SLAP_RESTRICT_OP_COMPARE }, + { BER_BVC( "delete" ), SLAP_RESTRICT_OP_DELETE }, + { BER_BVC( "extended" ), SLAP_RESTRICT_OP_EXTENDED }, + { BER_BVC( "modify" ), SLAP_RESTRICT_OP_MODIFY }, + { BER_BVC( "rename" ), SLAP_RESTRICT_OP_RENAME }, + { BER_BVC( "search" ), SLAP_RESTRICT_OP_SEARCH }, + { BER_BVNULL, 0 } +}, restricted_exops[] = { + { BER_BVC( LDAP_EXOP_START_TLS ), SLAP_RESTRICT_EXOP_START_TLS }, + { BER_BVC( LDAP_EXOP_MODIFY_PASSWD ), SLAP_RESTRICT_EXOP_MODIFY_PASSWD }, + { BER_BVC( LDAP_EXOP_WHO_AM_I ), SLAP_RESTRICT_EXOP_WHOAMI }, + { BER_BVC( LDAP_EXOP_CANCEL ), SLAP_RESTRICT_EXOP_CANCEL }, + { BER_BVNULL, 0 } +}; + +static int +init_readOnly( monitor_info_t *mi, Entry *e, slap_mask_t restrictops ) +{ + struct berval *tf = ( ( restrictops & SLAP_RESTRICT_OP_MASK ) == SLAP_RESTRICT_OP_WRITES ) ? + (struct berval *)&slap_true_bv : (struct berval *)&slap_false_bv; + + return attr_merge_one( e, mi->mi_ad_readOnly, tf, NULL ); +} + +static int +init_restrictedOperation( monitor_info_t *mi, Entry *e, slap_mask_t restrictops ) +{ + int i, rc; + + for ( i = 0; restricted_ops[ i ].op.bv_val; i++ ) { + if ( restrictops & restricted_ops[ i ].tag ) { + rc = attr_merge_one( e, mi->mi_ad_restrictedOperation, + &restricted_ops[ i ].op, + &restricted_ops[ i ].op ); + if ( rc ) { + return rc; + } + } + } + + for ( i = 0; restricted_exops[ i ].op.bv_val; i++ ) { + if ( restrictops & restricted_exops[ i ].tag ) { + rc = attr_merge_one( e, mi->mi_ad_restrictedOperation, + &restricted_exops[ i ].op, + &restricted_exops[ i ].op ); + if ( rc ) { + return rc; + } + } + } + + return LDAP_SUCCESS; +} + +static int +monitor_subsys_overlay_init_one( + monitor_info_t *mi, + BackendDB *be, + monitor_subsys_t *ms, + monitor_subsys_t *ms_overlay, + slap_overinst *on, + Entry *e_database, + Entry **ep_overlay ) +{ + char buf[ BACKMONITOR_BUFSIZE ]; + int j, o; + Entry *e_overlay; + slap_overinst *on2; + slap_overinfo *oi = NULL; + BackendInfo *bi; + monitor_entry_t *mp_overlay; + struct berval bv; + + assert( overlay_is_over( be ) ); + + oi = (slap_overinfo *)be->bd_info->bi_private; + bi = oi->oi_orig; + + /* find the overlay number, o */ + for ( o = 0, on2 = oi->oi_list; on2 && on2 != on; on2 = on2->on_next, o++ ) + ; + + if ( on2 == NULL ) { + return -1; + } + + /* find the overlay type number, j */ + for ( on2 = overlay_next( NULL ), j = 0; on2; on2 = overlay_next( on2 ), j++ ) { + if ( on2->on_bi.bi_type == on->on_bi.bi_type ) { + break; + } + } + assert( on2 != NULL ); + + bv.bv_len = snprintf( buf, sizeof( buf ), "cn=Overlay %d", o ); + bv.bv_val = buf; + + e_overlay = monitor_entry_stub( &e_database->e_name, &e_database->e_nname, &bv, + mi->mi_oc_monitoredObject, NULL, NULL ); + + if ( e_overlay == NULL ) { + Debug( LDAP_DEBUG_ANY, + "monitor_subsys_overlay_init_one: " + "unable to create entry " + "\"cn=Overlay %d,%s\"\n", + o, e_database->e_name.bv_val, 0 ); + return( -1 ); + } + ber_str2bv( on->on_bi.bi_type, 0, 0, &bv ); + attr_merge_normalize_one( e_overlay, mi->mi_ad_monitoredInfo, &bv, NULL ); + + bv.bv_len = snprintf( buf, sizeof( buf ), "cn=Overlay %d,%s", + j, ms_overlay->mss_dn.bv_val ); + bv.bv_val = buf; + attr_merge_normalize_one( e_overlay, slap_schema.si_ad_seeAlso, + &bv, NULL ); + + if ( SLAP_MONITOR( be ) ) { + attr_merge( e_overlay, slap_schema.si_ad_monitorContext, + be->be_suffix, be->be_nsuffix ); + + } else { + attr_merge( e_overlay, slap_schema.si_ad_namingContexts, + be->be_suffix, NULL ); + } + + mp_overlay = monitor_entrypriv_create(); + if ( mp_overlay == NULL ) { + return -1; + } + e_overlay->e_private = ( void * )mp_overlay; + mp_overlay->mp_info = ms; + mp_overlay->mp_flags = ms->mss_flags | MONITOR_F_SUB; + + if ( monitor_cache_add( mi, e_overlay ) ) { + Debug( LDAP_DEBUG_ANY, + "monitor_subsys_overlay_init_one: " + "unable to add entry " + "\"cn=Overlay %d,%s\"\n", + o, e_database->e_name.bv_val, 0 ); + return -1; + } + + *ep_overlay = e_overlay; + ep_overlay = &mp_overlay->mp_next; + + return 0; +} + +static int +monitor_subsys_database_init_one( + monitor_info_t *mi, + BackendDB *be, + monitor_subsys_t *ms, + monitor_subsys_t *ms_backend, + monitor_subsys_t *ms_overlay, + struct berval *rdn, + Entry *e_database, + Entry ***epp ) +{ + char buf[ BACKMONITOR_BUFSIZE ]; + int j; + slap_overinfo *oi = NULL; + BackendInfo *bi, *bi2; + Entry *e; + monitor_entry_t *mp; + char *rdnval = strchr( rdn->bv_val, '=' ) + 1; + struct berval bv; + + bi = be->bd_info; + + if ( overlay_is_over( be ) ) { + oi = (slap_overinfo *)be->bd_info->bi_private; + bi = oi->oi_orig; + } + + e = monitor_entry_stub( &ms->mss_dn, &ms->mss_ndn, rdn, + mi->mi_oc_monitoredObject, NULL, NULL ); + + if ( e == NULL ) { + Debug( LDAP_DEBUG_ANY, + "monitor_subsys_database_init_one: " + "unable to create entry \"%s,%s\"\n", + rdn->bv_val, ms->mss_dn.bv_val, 0 ); + return( -1 ); + } + + ber_str2bv( bi->bi_type, 0, 0, &bv ); + attr_merge_normalize_one( e, mi->mi_ad_monitoredInfo, &bv, NULL ); + attr_merge_one( e, mi->mi_ad_monitorIsShadow, + SLAP_SHADOW( be ) ? (struct berval *)&slap_true_bv : + (struct berval *)&slap_false_bv, NULL ); + + if ( SLAP_MONITOR( be ) ) { + attr_merge( e, slap_schema.si_ad_monitorContext, + be->be_suffix, be->be_nsuffix ); + attr_merge( e_database, slap_schema.si_ad_monitorContext, + be->be_suffix, be->be_nsuffix ); + + } else { + if ( be->be_suffix == NULL ) { + Debug( LDAP_DEBUG_ANY, + "monitor_subsys_database_init_one: " + "missing suffix for %s\n", + rdnval, 0, 0 ); + } else { + attr_merge( e, slap_schema.si_ad_namingContexts, + be->be_suffix, NULL ); + attr_merge( e_database, slap_schema.si_ad_namingContexts, + be->be_suffix, NULL ); + } + + if ( SLAP_GLUE_SUBORDINATE( be ) ) { + BackendDB *sup_be = select_backend( &be->be_nsuffix[ 0 ], 1 ); + if ( sup_be == NULL ) { + Debug( LDAP_DEBUG_ANY, + "monitor_subsys_database_init: " + "unable to get superior for %s\n", + be->be_suffix[ 0 ].bv_val, 0, 0 ); + + } else { + attr_merge( e, mi->mi_ad_monitorSuperiorDN, + sup_be->be_suffix, sup_be->be_nsuffix ); + } + } + } + + (void)init_readOnly( mi, e, be->be_restrictops ); + (void)init_restrictedOperation( mi, e, be->be_restrictops ); + + if ( SLAP_SHADOW( be ) && be->be_update_refs ) { + attr_merge_normalize( e, mi->mi_ad_monitorUpdateRef, + be->be_update_refs, NULL ); + } + + if ( oi != NULL ) { + slap_overinst *on = oi->oi_list, + *on1 = on; + + for ( ; on; on = on->on_next ) { + slap_overinst *on2; + + for ( on2 = on1; on2 != on; on2 = on2->on_next ) { + if ( on2->on_bi.bi_type == on->on_bi.bi_type ) { + break; + } + } + + if ( on2 != on ) { + break; + } + + ber_str2bv( on->on_bi.bi_type, 0, 0, &bv ); + attr_merge_normalize_one( e, mi->mi_ad_monitorOverlay, + &bv, NULL ); + + /* find the overlay number, j */ + for ( on2 = overlay_next( NULL ), j = 0; on2; on2 = overlay_next( on2 ), j++ ) { + if ( on2->on_bi.bi_type == on->on_bi.bi_type ) { + break; + } + } + assert( on2 != NULL ); + + snprintf( buf, sizeof( buf ), + "cn=Overlay %d,%s", + j, ms_overlay->mss_dn.bv_val ); + ber_str2bv( buf, 0, 0, &bv ); + attr_merge_normalize_one( e, + slap_schema.si_ad_seeAlso, + &bv, NULL ); + } + } + + j = -1; + LDAP_STAILQ_FOREACH( bi2, &backendInfo, bi_next ) { + j++; + if ( bi2->bi_type == bi->bi_type ) { + snprintf( buf, sizeof( buf ), + "cn=Backend %d,%s", + j, ms_backend->mss_dn.bv_val ); + bv.bv_val = buf; + bv.bv_len = strlen( buf ); + attr_merge_normalize_one( e, + slap_schema.si_ad_seeAlso, + &bv, NULL ); + break; + } + } + /* we must find it! */ + assert( j >= 0 ); + + mp = monitor_entrypriv_create(); + if ( mp == NULL ) { + return -1; + } + e->e_private = ( void * )mp; + mp->mp_info = ms; + mp->mp_flags = ms->mss_flags + | MONITOR_F_SUB; + + if ( monitor_cache_add( mi, e ) ) { + Debug( LDAP_DEBUG_ANY, + "monitor_subsys_database_init_one: " + "unable to add entry \"%s,%s\"\n", + rdn->bv_val, ms->mss_dn.bv_val, 0 ); + return( -1 ); + } + +#if defined(LDAP_SLAPI) + monitor_back_add_plugin( mi, be, e ); +#endif /* defined(LDAP_SLAPI) */ + + if ( oi != NULL ) { + Entry **ep_overlay = &mp->mp_children; + slap_overinst *on = oi->oi_list; + + for ( ; on; on = on->on_next ) { + monitor_subsys_overlay_init_one( mi, be, + ms, ms_overlay, on, e, ep_overlay ); + } + } + + **epp = e; + *epp = &mp->mp_next; + + return 0; +} + +static int +monitor_back_register_database_and_overlay( + BackendDB *be, + struct slap_overinst *on, + struct berval *ndn_out ) +{ + monitor_info_t *mi; + Entry *e_database, **ep; + int i, rc; + monitor_entry_t *mp; + monitor_subsys_t *ms_backend, + *ms_database, + *ms_overlay; + struct berval bv; + char buf[ BACKMONITOR_BUFSIZE ]; + + assert( be_monitor != NULL ); + + if ( !monitor_subsys_is_opened() ) { + if ( on ) { + return monitor_back_register_overlay_limbo( be, on, ndn_out ); + + } else { + return monitor_back_register_database_limbo( be, ndn_out ); + } + } + + mi = ( monitor_info_t * )be_monitor->be_private; + + ms_backend = monitor_back_get_subsys( SLAPD_MONITOR_BACKEND_NAME ); + if ( ms_backend == NULL ) { + Debug( LDAP_DEBUG_ANY, + "monitor_back_register_database: " + "unable to get " + "\"" SLAPD_MONITOR_BACKEND_NAME "\" " + "subsystem\n", + 0, 0, 0 ); + return -1; + } + + ms_database = monitor_back_get_subsys( SLAPD_MONITOR_DATABASE_NAME ); + if ( ms_database == NULL ) { + Debug( LDAP_DEBUG_ANY, + "monitor_back_register_database: " + "unable to get " + "\"" SLAPD_MONITOR_DATABASE_NAME "\" " + "subsystem\n", + 0, 0, 0 ); + return -1; + } + + ms_overlay = monitor_back_get_subsys( SLAPD_MONITOR_OVERLAY_NAME ); + if ( ms_overlay == NULL ) { + Debug( LDAP_DEBUG_ANY, + "monitor_back_register_database: " + "unable to get " + "\"" SLAPD_MONITOR_OVERLAY_NAME "\" " + "subsystem\n", + 0, 0, 0 ); + return -1; + } + + if ( monitor_cache_get( mi, &ms_database->mss_ndn, &e_database ) ) { + Debug( LDAP_DEBUG_ANY, + "monitor_subsys_database_init: " + "unable to get entry \"%s\"\n", + ms_database->mss_ndn.bv_val, 0, 0 ); + return( -1 ); + } + + mp = ( monitor_entry_t * )e_database->e_private; + for ( i = -1, ep = &mp->mp_children; *ep; i++ ) { + Attribute *a; + + a = attr_find( (*ep)->e_attrs, slap_schema.si_ad_namingContexts ); + if ( a ) { + int j, k; + + /* FIXME: RFC 4512 defines namingContexts without an + * equality matching rule, making comparisons + * like this one tricky. We use a_vals and + * be_suffix instead for now. + */ + for ( j = 0; !BER_BVISNULL( &a->a_vals[ j ] ); j++ ) { + for ( k = 0; !BER_BVISNULL( &be->be_suffix[ k ] ); k++ ) { + if ( dn_match( &a->a_vals[ j ], + &be->be_suffix[ k ] ) ) { + rc = 0; + goto done; + } + } + } + } + + mp = ( monitor_entry_t * )(*ep)->e_private; + + assert( mp != NULL ); + ep = &mp->mp_next; + } + + bv.bv_val = buf; + bv.bv_len = snprintf( buf, sizeof( buf ), "cn=Database %d", i ); + if ( bv.bv_len >= sizeof( buf ) ) { + rc = -1; + goto done; + } + + rc = monitor_subsys_database_init_one( mi, be, + ms_database, ms_backend, ms_overlay, &bv, e_database, &ep ); + if ( rc != 0 ) { + goto done; + } + /* database_init_one advanced ep past where we want. + * But it stored the entry we want in mp->mp_next. + */ + ep = &mp->mp_next; + +done:; + monitor_cache_release( mi, e_database ); + if ( rc == 0 && ndn_out && ep && *ep ) { + if ( on ) { + Entry *e_ov; + struct berval ov_type; + + ber_str2bv( on->on_bi.bi_type, 0, 0, &ov_type ); + + mp = ( monitor_entry_t * ) (*ep)->e_private; + for ( e_ov = mp->mp_children; e_ov; ) { + Attribute *a = attr_find( e_ov->e_attrs, mi->mi_ad_monitoredInfo ); + + if ( a != NULL && bvmatch( &a->a_nvals[ 0 ], &ov_type ) ) { + *ndn_out = e_ov->e_nname; + break; + } + + mp = ( monitor_entry_t * ) e_ov->e_private; + e_ov = mp->mp_next; + } + + } else { + *ndn_out = (*ep)->e_nname; + } + } + + return rc; +} + +int +monitor_back_register_database( + BackendDB *be, + struct berval *ndn_out ) +{ + return monitor_back_register_database_and_overlay( be, NULL, ndn_out ); +} + +int +monitor_back_register_overlay( + BackendDB *be, + struct slap_overinst *on, + struct berval *ndn_out ) +{ + return monitor_back_register_database_and_overlay( be, on, ndn_out ); +} + +int +monitor_subsys_database_init( + BackendDB *be, + monitor_subsys_t *ms ) +{ + monitor_info_t *mi; + Entry *e_database, **ep; + int i, rc; + monitor_entry_t *mp; + monitor_subsys_t *ms_backend, + *ms_overlay; + struct berval bv; + + assert( be != NULL ); + + ms->mss_modify = monitor_subsys_database_modify; + + mi = ( monitor_info_t * )be->be_private; + + ms_backend = monitor_back_get_subsys( SLAPD_MONITOR_BACKEND_NAME ); + if ( ms_backend == NULL ) { + Debug( LDAP_DEBUG_ANY, + "monitor_subsys_database_init: " + "unable to get " + "\"" SLAPD_MONITOR_BACKEND_NAME "\" " + "subsystem\n", + 0, 0, 0 ); + return -1; + } + + ms_overlay = monitor_back_get_subsys( SLAPD_MONITOR_OVERLAY_NAME ); + if ( ms_overlay == NULL ) { + Debug( LDAP_DEBUG_ANY, + "monitor_subsys_database_init: " + "unable to get " + "\"" SLAPD_MONITOR_OVERLAY_NAME "\" " + "subsystem\n", + 0, 0, 0 ); + return -1; + } + + if ( monitor_cache_get( mi, &ms->mss_ndn, &e_database ) ) { + Debug( LDAP_DEBUG_ANY, + "monitor_subsys_database_init: " + "unable to get entry \"%s\"\n", + ms->mss_ndn.bv_val, 0, 0 ); + return( -1 ); + } + + (void)init_readOnly( mi, e_database, frontendDB->be_restrictops ); + (void)init_restrictedOperation( mi, e_database, frontendDB->be_restrictops ); + + mp = ( monitor_entry_t * )e_database->e_private; + mp->mp_children = NULL; + ep = &mp->mp_children; + + BER_BVSTR( &bv, "cn=Frontend" ); + rc = monitor_subsys_database_init_one( mi, frontendDB, + ms, ms_backend, ms_overlay, &bv, e_database, &ep ); + if ( rc != 0 ) { + return rc; + } + + i = -1; + LDAP_STAILQ_FOREACH( be, &backendDB, be_next ) { + char buf[ BACKMONITOR_BUFSIZE ]; + + bv.bv_val = buf; + bv.bv_len = snprintf( buf, sizeof( buf ), "cn=Database %d", ++i ); + if ( bv.bv_len >= sizeof( buf ) ) { + return -1; + } + + rc = monitor_subsys_database_init_one( mi, be, + ms, ms_backend, ms_overlay, &bv, e_database, &ep ); + if ( rc != 0 ) { + return rc; + } + } + + monitor_cache_release( mi, e_database ); + + return( 0 ); +} + +/* + * v: array of values + * cur: must not contain the tags corresponding to the values in v + * delta: will contain the tags corresponding to the values in v + */ +static int +value_mask( BerVarray v, slap_mask_t cur, slap_mask_t *delta ) +{ + for ( ; !BER_BVISNULL( v ); v++ ) { + struct restricted_ops_t *rops; + int i; + + if ( OID_LEADCHAR( v->bv_val[ 0 ] ) ) { + rops = restricted_exops; + + } else { + rops = restricted_ops; + } + + for ( i = 0; !BER_BVISNULL( &rops[ i ].op ); i++ ) { + if ( ber_bvstrcasecmp( v, &rops[ i ].op ) != 0 ) { + continue; + } + + if ( rops[ i ].tag & *delta ) { + return LDAP_OTHER; + } + + if ( rops[ i ].tag & cur ) { + return LDAP_OTHER; + } + + cur |= rops[ i ].tag; + *delta |= rops[ i ].tag; + + break; + } + + if ( BER_BVISNULL( &rops[ i ].op ) ) { + return LDAP_INVALID_SYNTAX; + } + } + + return LDAP_SUCCESS; +} + +static int +monitor_subsys_database_modify( + Operation *op, + SlapReply *rs, + Entry *e ) +{ + monitor_info_t *mi = (monitor_info_t *)op->o_bd->be_private; + int rc = LDAP_OTHER; + Attribute *save_attrs, *a; + Modifications *ml; + Backend *be; + int ro_gotval = 1, i, n; + slap_mask_t rp_add = 0, rp_delete = 0, rp_cur; + struct berval *tf; + + i = sscanf( e->e_nname.bv_val, "cn=database %d,", &n ); + if ( i != 1 ) { + return SLAP_CB_CONTINUE; + } + + if ( n < 0 || n >= nBackendDB ) { + rs->sr_text = "invalid database index"; + return ( rs->sr_err = LDAP_NO_SUCH_OBJECT ); + } + + LDAP_STAILQ_FOREACH( be, &backendDB, be_next ) { + if ( n == 0 ) { + break; + } + n--; + } + /* do not allow some changes on back-monitor (needs work)... */ + if ( SLAP_MONITOR( be ) ) { + rs->sr_text = "no modifications allowed to monitor database entry"; + return ( rs->sr_err = LDAP_UNWILLING_TO_PERFORM ); + } + + rp_cur = be->be_restrictops; + + save_attrs = e->e_attrs; + e->e_attrs = attrs_dup( e->e_attrs ); + + for ( ml = op->orm_modlist; ml; ml = ml->sml_next ) { + Modification *mod = &ml->sml_mod; + + if ( mod->sm_desc == mi->mi_ad_readOnly ) { + int val = -1; + + if ( mod->sm_values ) { + if ( !BER_BVISNULL( &mod->sm_values[ 1 ] ) ) { + rs->sr_text = "attempting to modify multiple values of single-valued attribute"; + rc = rs->sr_err = LDAP_CONSTRAINT_VIOLATION; + goto done; + } + + if ( bvmatch( &slap_true_bv, mod->sm_values )) { + val = 1; + + } else if ( bvmatch( &slap_false_bv, mod->sm_values )) { + val = 0; + + } else { + assert( 0 ); + rc = rs->sr_err = LDAP_INVALID_SYNTAX; + goto done; + } + } + + switch ( mod->sm_op ) { + case LDAP_MOD_DELETE: + if ( ro_gotval < 1 ) { + rc = rs->sr_err = LDAP_CONSTRAINT_VIOLATION; + goto done; + } + ro_gotval--; + + if ( val == 0 && ( rp_cur & SLAP_RESTRICT_OP_WRITES ) == SLAP_RESTRICT_OP_WRITES ) { + rc = rs->sr_err = LDAP_NO_SUCH_ATTRIBUTE; + goto done; + } + + if ( val == 1 && ( rp_cur & SLAP_RESTRICT_OP_WRITES ) != SLAP_RESTRICT_OP_WRITES ) { + rc = rs->sr_err = LDAP_NO_SUCH_ATTRIBUTE; + goto done; + } + + break; + + case LDAP_MOD_REPLACE: + ro_gotval = 0; + /* fall thru */ + + case LDAP_MOD_ADD: + if ( ro_gotval > 0 ) { + rc = rs->sr_err = LDAP_CONSTRAINT_VIOLATION; + goto done; + } + ro_gotval++; + + if ( val == 1 ) { + rp_add |= (~rp_cur) & SLAP_RESTRICT_OP_WRITES; + rp_cur |= SLAP_RESTRICT_OP_WRITES; + rp_delete &= ~SLAP_RESTRICT_OP_WRITES; + + } else if ( val == 0 ) { + rp_delete |= rp_cur & SLAP_RESTRICT_OP_WRITES; + rp_cur &= ~SLAP_RESTRICT_OP_WRITES; + rp_add &= ~SLAP_RESTRICT_OP_WRITES; + } + break; + + default: + rc = rs->sr_err = LDAP_OTHER; + goto done; + } + + } else if ( mod->sm_desc == mi->mi_ad_restrictedOperation ) { + slap_mask_t mask = 0; + + switch ( mod->sm_op ) { + case LDAP_MOD_DELETE: + if ( mod->sm_values == NULL ) { + rp_delete = rp_cur; + rp_cur = 0; + rp_add = 0; + break; + } + rc = value_mask( mod->sm_values, ~rp_cur, &mask ); + if ( rc == LDAP_SUCCESS ) { + rp_delete |= mask; + rp_add &= ~mask; + rp_cur &= ~mask; + + } else if ( rc == LDAP_OTHER ) { + rc = LDAP_NO_SUCH_ATTRIBUTE; + } + break; + + case LDAP_MOD_REPLACE: + rp_delete = rp_cur; + rp_cur = 0; + rp_add = 0; + /* fall thru */ + + case LDAP_MOD_ADD: + rc = value_mask( mod->sm_values, rp_cur, &mask ); + if ( rc == LDAP_SUCCESS ) { + rp_add |= mask; + rp_cur |= mask; + rp_delete &= ~mask; + + } else if ( rc == LDAP_OTHER ) { + rc = rs->sr_err = LDAP_TYPE_OR_VALUE_EXISTS; + } + break; + + default: + rc = rs->sr_err = LDAP_OTHER; + break; + } + + if ( rc != LDAP_SUCCESS ) { + goto done; + } + + } else if ( is_at_operational( mod->sm_desc->ad_type )) { + /* accept all operational attributes */ + attr_delete( &e->e_attrs, mod->sm_desc ); + rc = attr_merge( e, mod->sm_desc, mod->sm_values, + mod->sm_nvalues ); + if ( rc ) { + rc = rs->sr_err = LDAP_OTHER; + break; + } + + } else { + rc = rs->sr_err = LDAP_UNWILLING_TO_PERFORM; + break; + } + } + + /* sanity checks: */ + if ( ro_gotval < 1 ) { + rc = rs->sr_err = LDAP_CONSTRAINT_VIOLATION; + goto done; + } + + if ( ( rp_cur & SLAP_RESTRICT_OP_EXTENDED ) && ( rp_cur & SLAP_RESTRICT_EXOP_MASK ) ) { + rc = rs->sr_err = LDAP_CONSTRAINT_VIOLATION; + goto done; + } + + if ( rp_delete & rp_add ) { + rc = rs->sr_err = LDAP_OTHER; + goto done; + } + + /* check current value of readOnly */ + if ( ( rp_cur & SLAP_RESTRICT_OP_WRITES ) == SLAP_RESTRICT_OP_WRITES ) { + tf = (struct berval *)&slap_true_bv; + + } else { + tf = (struct berval *)&slap_false_bv; + } + + a = attr_find( e->e_attrs, mi->mi_ad_readOnly ); + if ( a == NULL ) { + rc = LDAP_OTHER; + goto done; + } + + if ( !bvmatch( &a->a_vals[ 0 ], tf ) ) { + attr_delete( &e->e_attrs, mi->mi_ad_readOnly ); + rc = attr_merge_one( e, mi->mi_ad_readOnly, tf, tf ); + } + + if ( rc == LDAP_SUCCESS ) { + if ( rp_delete ) { + if ( rp_delete == be->be_restrictops ) { + attr_delete( &e->e_attrs, mi->mi_ad_restrictedOperation ); + + } else { + a = attr_find( e->e_attrs, mi->mi_ad_restrictedOperation ); + if ( a == NULL ) { + rc = rs->sr_err = LDAP_OTHER; + goto done; + } + + for ( i = 0; !BER_BVISNULL( &restricted_ops[ i ].op ); i++ ) { + if ( rp_delete & restricted_ops[ i ].tag ) { + int j; + + for ( j = 0; !BER_BVISNULL( &a->a_nvals[ j ] ); j++ ) { + int k; + + if ( !bvmatch( &a->a_nvals[ j ], &restricted_ops[ i ].op ) ) { + continue; + } + + ch_free( a->a_vals[ j ].bv_val ); + ch_free( a->a_nvals[ j ].bv_val ); + + for ( k = j + 1; !BER_BVISNULL( &a->a_nvals[ k ] ); k++ ) { + a->a_vals[ k - 1 ] = a->a_vals[ k ]; + a->a_nvals[ k - 1 ] = a->a_nvals[ k ]; + } + + BER_BVZERO( &a->a_vals[ k - 1 ] ); + BER_BVZERO( &a->a_nvals[ k - 1 ] ); + a->a_numvals--; + } + } + } + + for ( i = 0; !BER_BVISNULL( &restricted_exops[ i ].op ); i++ ) { + if ( rp_delete & restricted_exops[ i ].tag ) { + int j; + + for ( j = 0; !BER_BVISNULL( &a->a_nvals[ j ] ); j++ ) { + int k; + + if ( !bvmatch( &a->a_nvals[ j ], &restricted_exops[ i ].op ) ) { + continue; + } + + ch_free( a->a_vals[ j ].bv_val ); + ch_free( a->a_nvals[ j ].bv_val ); + + for ( k = j + 1; !BER_BVISNULL( &a->a_nvals[ k ] ); k++ ) { + a->a_vals[ k - 1 ] = a->a_vals[ k ]; + a->a_nvals[ k - 1 ] = a->a_nvals[ k ]; + } + + BER_BVZERO( &a->a_vals[ k - 1 ] ); + BER_BVZERO( &a->a_nvals[ k - 1 ] ); + a->a_numvals--; + } + } + } + + if ( a->a_vals == NULL ) { + assert( a->a_numvals == 0 ); + + attr_delete( &e->e_attrs, mi->mi_ad_restrictedOperation ); + } + } + } + + if ( rp_add ) { + for ( i = 0; !BER_BVISNULL( &restricted_ops[ i ].op ); i++ ) { + if ( rp_add & restricted_ops[ i ].tag ) { + attr_merge_one( e, mi->mi_ad_restrictedOperation, + &restricted_ops[ i ].op, + &restricted_ops[ i ].op ); + } + } + + for ( i = 0; !BER_BVISNULL( &restricted_exops[ i ].op ); i++ ) { + if ( rp_add & restricted_exops[ i ].tag ) { + attr_merge_one( e, mi->mi_ad_restrictedOperation, + &restricted_exops[ i ].op, + &restricted_exops[ i ].op ); + } + } + } + } + + be->be_restrictops = rp_cur; + +done:; + if ( rc == LDAP_SUCCESS ) { + attrs_free( save_attrs ); + rc = SLAP_CB_CONTINUE; + + } else { + Attribute *tmp = e->e_attrs; + e->e_attrs = save_attrs; + attrs_free( tmp ); + } + return rc; +} + +#if defined(LDAP_SLAPI) +static int +monitor_back_add_plugin( monitor_info_t *mi, Backend *be, Entry *e_database ) +{ + Slapi_PBlock *pCurrentPB; + int i, rc = LDAP_SUCCESS; + + if ( slapi_int_pblock_get_first( be, &pCurrentPB ) != LDAP_SUCCESS ) { + /* + * LDAP_OTHER is returned if no plugins are installed + */ + rc = LDAP_OTHER; + goto done; + } + + i = 0; + do { + Slapi_PluginDesc *srchdesc; + char buf[ BACKMONITOR_BUFSIZE ]; + struct berval bv; + + rc = slapi_pblock_get( pCurrentPB, SLAPI_PLUGIN_DESCRIPTION, + &srchdesc ); + if ( rc != LDAP_SUCCESS ) { + goto done; + } + if ( srchdesc ) { + snprintf( buf, sizeof(buf), + "plugin %d name: %s; " + "vendor: %s; " + "version: %s; " + "description: %s", + i, + srchdesc->spd_id, + srchdesc->spd_vendor, + srchdesc->spd_version, + srchdesc->spd_description ); + } else { + snprintf( buf, sizeof(buf), + "plugin %d name: <no description available>", i ); + } + + ber_str2bv( buf, 0, 0, &bv ); + attr_merge_normalize_one( e_database, + mi->mi_ad_monitoredInfo, &bv, NULL ); + + i++; + + } while ( ( slapi_int_pblock_get_next( &pCurrentPB ) == LDAP_SUCCESS ) + && ( pCurrentPB != NULL ) ); + +done: + return rc; +} +#endif /* defined(LDAP_SLAPI) */ |