xref: /netbsd-src/external/bsd/openldap/dist/servers/slapd/overlays/refint.c (revision 549b59ed3ccf0d36d3097190a0db27b770f3a839)
1 /*	$NetBSD: refint.c,v 1.3 2021/08/14 16:15:02 christos Exp $	*/
2 
3 /* refint.c - referential integrity module */
4 /* $OpenLDAP$ */
5 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
6  *
7  * Copyright 2004-2021 The OpenLDAP Foundation.
8  * Portions Copyright 2004 Symas Corporation.
9  * All rights reserved.
10  *
11  * Redistribution and use in source and binary forms, with or without
12  * modification, are permitted only as authorized by the OpenLDAP
13  * Public License.
14  *
15  * A copy of this license is available in the file LICENSE in the
16  * top-level directory of the distribution or, alternatively, at
17  * <http://www.OpenLDAP.org/license.html>.
18  */
19 /* ACKNOWLEDGEMENTS:
20  * This work was initially developed by Symas Corp. for inclusion in
21  * OpenLDAP Software.  This work was sponsored by Hewlett-Packard.
22  */
23 
24 #include <sys/cdefs.h>
25 __RCSID("$NetBSD: refint.c,v 1.3 2021/08/14 16:15:02 christos Exp $");
26 
27 #include "portable.h"
28 
29 /* This module maintains referential integrity for a set of
30  * DN-valued attributes by searching for all references to a given
31  * DN whenever the DN is changed or its entry is deleted, and making
32  * the appropriate update.
33  *
34  * Updates are performed using the database rootdn in a separate task
35  * to allow the original operation to complete immediately.
36  */
37 
38 #ifdef SLAPD_OVER_REFINT
39 
40 #include <stdio.h>
41 
42 #include <ac/string.h>
43 #include <ac/socket.h>
44 
45 #include "slap.h"
46 #include "slap-config.h"
47 #include "ldap_rq.h"
48 
49 static slap_overinst refint;
50 
51 /* The DN to use in the ModifiersName for all refint updates */
52 static BerValue refint_dn = BER_BVC("cn=Referential Integrity Overlay");
53 static BerValue refint_ndn = BER_BVC("cn=referential integrity overlay");
54 
55 typedef struct refint_attrs_s {
56 	struct refint_attrs_s	*next;
57 	AttributeDescription	*attr;
58 	BerVarray		old_vals;
59 	BerVarray		old_nvals;
60 	BerVarray		new_vals;
61 	BerVarray		new_nvals;
62 	int				ra_numvals;
63 	int				dont_empty;
64 } refint_attrs;
65 
66 typedef struct dependents_s {
67 	struct dependents_s *next;
68 	BerValue dn;				/* target dn */
69 	BerValue ndn;
70 	refint_attrs *attrs;
71 } dependent_data;
72 
73 typedef struct refint_q {
74 	struct refint_q *next;
75 	struct refint_data_s *rdata;
76 	dependent_data *attrs;		/* entries and attrs returned from callback */
77 	BackendDB *db;
78 	BerValue olddn;
79 	BerValue oldndn;
80 	BerValue newdn;
81 	BerValue newndn;
82 	int do_sub;
83 } refint_q;
84 
85 typedef struct refint_data_s {
86 	struct refint_attrs_s *attrs;	/* list of known attrs */
87 	BerValue dn;				/* basedn in parent, */
88 	BerValue nothing;			/* the nothing value, if needed */
89 	BerValue nnothing;			/* normalized nothingness */
90 	BerValue refint_dn;			/* modifier's name */
91 	BerValue refint_ndn;			/* normalized modifier's name */
92 	struct re_s *qtask;
93 	refint_q *qhead;
94 	refint_q *qtail;
95 	BackendDB *db;
96 	ldap_pvt_thread_mutex_t qmutex;
97 } refint_data;
98 
99 typedef struct refint_pre_s {
100 	slap_overinst *on;
101 	int do_sub;
102 } refint_pre;
103 
104 #define	RUNQ_INTERVAL	36000	/* a long time */
105 
106 static MatchingRule	*mr_dnSubtreeMatch;
107 
108 enum {
109 	REFINT_ATTRS = 1,
110 	REFINT_NOTHING,
111 	REFINT_MODIFIERSNAME
112 };
113 
114 static ConfigDriver refint_cf_gen;
115 
116 static ConfigTable refintcfg[] = {
117 	{ "refint_attributes", "attribute...", 2, 0, 0,
118 	  ARG_MAGIC|REFINT_ATTRS, refint_cf_gen,
119 	  "( OLcfgOvAt:11.1 NAME 'olcRefintAttribute' "
120 	  "DESC 'Attributes for referential integrity' "
121 	  "EQUALITY caseIgnoreMatch "
122 	  "SYNTAX OMsDirectoryString )", NULL, NULL },
123 	{ "refint_nothing", "string", 2, 2, 0,
124 	  ARG_DN|ARG_QUOTE|ARG_MAGIC|REFINT_NOTHING, refint_cf_gen,
125 	  "( OLcfgOvAt:11.2 NAME 'olcRefintNothing' "
126 	  "DESC 'Replacement DN to supply when needed' "
127 	  "EQUALITY distinguishedNameMatch "
128 	  "SYNTAX OMsDN SINGLE-VALUE )", NULL, NULL },
129 	{ "refint_modifiersName", "DN", 2, 2, 0,
130 	  ARG_DN|ARG_QUOTE|ARG_MAGIC|REFINT_MODIFIERSNAME, refint_cf_gen,
131 	  "( OLcfgOvAt:11.3 NAME 'olcRefintModifiersName' "
132 	  "DESC 'The DN to use as modifiersName' "
133 	  "EQUALITY distinguishedNameMatch "
134 	  "SYNTAX OMsDN SINGLE-VALUE )", NULL, NULL },
135 	{ NULL, NULL, 0, 0, 0, ARG_IGNORED }
136 };
137 
138 static ConfigOCs refintocs[] = {
139 	{ "( OLcfgOvOc:11.1 "
140 	  "NAME 'olcRefintConfig' "
141 	  "DESC 'Referential integrity configuration' "
142 	  "SUP olcOverlayConfig "
143 	  "MAY ( olcRefintAttribute "
144 		"$ olcRefintNothing "
145 		"$ olcRefintModifiersName "
146 	  ") )",
147 	  Cft_Overlay, refintcfg },
148 	{ NULL, 0, NULL }
149 };
150 
151 static int
refint_cf_gen(ConfigArgs * c)152 refint_cf_gen(ConfigArgs *c)
153 {
154 	slap_overinst *on = (slap_overinst *)c->bi;
155 	refint_data *dd = (refint_data *)on->on_bi.bi_private;
156 	refint_attrs *ip, *pip, **pipp = NULL;
157 	AttributeDescription *ad;
158 	const char *text;
159 	int rc = ARG_BAD_CONF;
160 	int i;
161 
162 	switch ( c->op ) {
163 	case SLAP_CONFIG_EMIT:
164 		switch ( c->type ) {
165 		case REFINT_ATTRS:
166 			ip = dd->attrs;
167 			while ( ip ) {
168 				value_add_one( &c->rvalue_vals,
169 					       &ip->attr->ad_cname );
170 				ip = ip->next;
171 			}
172 			rc = 0;
173 			break;
174 		case REFINT_NOTHING:
175 			if ( !BER_BVISEMPTY( &dd->nothing )) {
176 				rc = value_add_one( &c->rvalue_vals,
177 						    &dd->nothing );
178 				if ( rc ) return rc;
179 				rc = value_add_one( &c->rvalue_nvals,
180 						    &dd->nnothing );
181 				return rc;
182 			}
183 			rc = 0;
184 			break;
185 		case REFINT_MODIFIERSNAME:
186 			if ( !BER_BVISEMPTY( &dd->refint_dn )) {
187 				rc = value_add_one( &c->rvalue_vals,
188 						    &dd->refint_dn );
189 				if ( rc ) return rc;
190 				rc = value_add_one( &c->rvalue_nvals,
191 						    &dd->refint_ndn );
192 				return rc;
193 			}
194 			rc = 0;
195 			break;
196 		default:
197 			abort ();
198 		}
199 		break;
200 	case LDAP_MOD_DELETE:
201 		switch ( c->type ) {
202 		case REFINT_ATTRS:
203 			pipp = &dd->attrs;
204 			if ( c->valx < 0 ) {
205 				ip = *pipp;
206 				*pipp = NULL;
207 				while ( ip ) {
208 					pip = ip;
209 					ip = ip->next;
210 					ch_free ( pip );
211 				}
212 			} else {
213 				/* delete from linked list */
214 				for ( i=0; i < c->valx; ++i ) {
215 					pipp = &(*pipp)->next;
216 				}
217 				ip = *pipp;
218 				*pipp = (*pipp)->next;
219 
220 				/* AttributeDescriptions are global so
221 				 * shouldn't be freed here... */
222 				ch_free ( ip );
223 			}
224 			rc = 0;
225 			break;
226 		case REFINT_NOTHING:
227 			ch_free( dd->nothing.bv_val );
228 			ch_free( dd->nnothing.bv_val );
229 			BER_BVZERO( &dd->nothing );
230 			BER_BVZERO( &dd->nnothing );
231 			rc = 0;
232 			break;
233 		case REFINT_MODIFIERSNAME:
234 			ch_free( dd->refint_dn.bv_val );
235 			ch_free( dd->refint_ndn.bv_val );
236 			BER_BVZERO( &dd->refint_dn );
237 			BER_BVZERO( &dd->refint_ndn );
238 			rc = 0;
239 			break;
240 		default:
241 			abort ();
242 		}
243 		break;
244 	case SLAP_CONFIG_ADD:
245 		/* fallthru to LDAP_MOD_ADD */
246 	case LDAP_MOD_ADD:
247 		switch ( c->type ) {
248 		case REFINT_ATTRS:
249 			rc = 0;
250 			for ( i=1; i < c->argc; ++i ) {
251 				ad = NULL;
252 				if ( slap_str2ad ( c->argv[i], &ad, &text )
253 				     == LDAP_SUCCESS) {
254 					ip = ch_malloc (
255 						sizeof ( refint_attrs ) );
256 					ip->attr = ad;
257 					ip->next = dd->attrs;
258 					dd->attrs = ip;
259 				} else {
260 					snprintf( c->cr_msg, sizeof( c->cr_msg ),
261 						"%s <%s>: %s", c->argv[0], c->argv[i], text );
262 					Debug ( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
263 						"%s: %s\n", c->log, c->cr_msg );
264 					rc = ARG_BAD_CONF;
265 				}
266 			}
267 			break;
268 		case REFINT_NOTHING:
269 			if ( !BER_BVISNULL( &c->value_ndn )) {
270 				ch_free ( dd->nothing.bv_val );
271 				ch_free ( dd->nnothing.bv_val );
272 				dd->nothing = c->value_dn;
273 				dd->nnothing = c->value_ndn;
274 				rc = 0;
275 			} else {
276 				rc = ARG_BAD_CONF;
277 			}
278 			break;
279 		case REFINT_MODIFIERSNAME:
280 			if ( !BER_BVISNULL( &c->value_ndn )) {
281 				ch_free( dd->refint_dn.bv_val );
282 				ch_free( dd->refint_ndn.bv_val );
283 				dd->refint_dn = c->value_dn;
284 				dd->refint_ndn = c->value_ndn;
285 				rc = 0;
286 			} else {
287 				rc = ARG_BAD_CONF;
288 			}
289 			break;
290 		default:
291 			abort ();
292 		}
293 		break;
294 	default:
295 		abort ();
296 	}
297 
298 	return rc;
299 }
300 
301 /*
302 ** allocate new refint_data;
303 ** store in on_bi.bi_private;
304 **
305 */
306 
307 static int
refint_db_init(BackendDB * be,ConfigReply * cr)308 refint_db_init(
309 	BackendDB	*be,
310 	ConfigReply	*cr
311 )
312 {
313 	slap_overinst *on = (slap_overinst *)be->bd_info;
314 	refint_data *id = ch_calloc(1,sizeof(refint_data));
315 
316 	on->on_bi.bi_private = id;
317 	ldap_pvt_thread_mutex_init( &id->qmutex );
318 	return(0);
319 }
320 
321 static int
refint_db_destroy(BackendDB * be,ConfigReply * cr)322 refint_db_destroy(
323 	BackendDB	*be,
324 	ConfigReply	*cr
325 )
326 {
327 	slap_overinst *on = (slap_overinst *)be->bd_info;
328 
329 	if ( on->on_bi.bi_private ) {
330 		refint_data *id = on->on_bi.bi_private;
331 		refint_attrs *ii, *ij;
332 
333 		on->on_bi.bi_private = NULL;
334 		ldap_pvt_thread_mutex_destroy( &id->qmutex );
335 
336 		for(ii = id->attrs; ii; ii = ij) {
337 			ij = ii->next;
338 			ch_free(ii);
339 		}
340 
341 		ch_free( id->nothing.bv_val );
342 		BER_BVZERO( &id->nothing );
343 		ch_free( id->nnothing.bv_val );
344 		BER_BVZERO( &id->nnothing );
345 
346 		ch_free( id );
347 	}
348 	return(0);
349 }
350 
351 /*
352 ** initialize, copy basedn if not already set
353 **
354 */
355 
356 static int
refint_open(BackendDB * be,ConfigReply * cr)357 refint_open(
358 	BackendDB *be,
359 	ConfigReply *cr
360 )
361 {
362 	slap_overinst *on	= (slap_overinst *)be->bd_info;
363 	refint_data *id	= on->on_bi.bi_private;
364 
365 	if ( BER_BVISNULL( &id->dn )) {
366 		if ( BER_BVISNULL( &be->be_nsuffix[0] ))
367 			return -1;
368 		ber_dupbv( &id->dn, &be->be_nsuffix[0] );
369 	}
370 	if ( BER_BVISNULL( &id->refint_dn ) ) {
371 		ber_dupbv( &id->refint_dn, &refint_dn );
372 		ber_dupbv( &id->refint_ndn, &refint_ndn );
373 	}
374 
375 	/*
376 	** find the backend that matches our configured basedn;
377 	** make sure it exists and has search and modify methods;
378 	**
379 	*/
380 
381 	if ( on->on_info->oi_origdb != frontendDB ) {
382 		BackendDB *db = select_backend(&id->dn, 1);
383 
384 		if ( db ) {
385 			BackendInfo *bi;
386 			if ( db == be )
387 				bi = on->on_info->oi_orig;
388 			else
389 				bi = db->bd_info;
390 			if ( !bi->bi_op_search || !bi->bi_op_modify ) {
391 				Debug( LDAP_DEBUG_CONFIG,
392 					"refint_response: backend missing search and/or modify\n" );
393 				return -1;
394 			}
395 			id->db = db;
396 		} else {
397 			Debug( LDAP_DEBUG_CONFIG,
398 				"refint_response: no backend for our baseDN %s??\n",
399 				id->dn.bv_val );
400 			return -1;
401 		}
402 	}
403 	return(0);
404 }
405 
406 
407 /*
408 ** free our basedn;
409 ** free our refintdn
410 **
411 */
412 
413 static int
refint_close(BackendDB * be,ConfigReply * cr)414 refint_close(
415 	BackendDB *be,
416 	ConfigReply *cr
417 )
418 {
419 	slap_overinst *on	= (slap_overinst *) be->bd_info;
420 	refint_data *id	= on->on_bi.bi_private;
421 
422 	ch_free( id->dn.bv_val );
423 	BER_BVZERO( &id->dn );
424 	ch_free( id->refint_dn.bv_val );
425 	BER_BVZERO( &id->refint_dn );
426 	ch_free( id->refint_ndn.bv_val );
427 	BER_BVZERO( &id->refint_ndn );
428 
429 	return(0);
430 }
431 
432 /*
433 ** search callback
434 ** generates a list of Attributes from search results
435 */
436 
437 static int
refint_search_cb(Operation * op,SlapReply * rs)438 refint_search_cb(
439 	Operation *op,
440 	SlapReply *rs
441 )
442 {
443 	Attribute *a;
444 	BerVarray b = NULL;
445 	refint_q *rq = op->o_callback->sc_private;
446 	refint_data *dd = rq->rdata;
447 	refint_attrs *ia, *da = dd->attrs, *na;
448 	dependent_data *ip;
449 	int i;
450 
451 	Debug(LDAP_DEBUG_TRACE, "refint_search_cb <%s>\n",
452 		rs->sr_entry ? rs->sr_entry->e_name.bv_val : "NOTHING" );
453 
454 	if (rs->sr_type != REP_SEARCH || !rs->sr_entry) return(0);
455 
456 	/*
457 	** foreach configured attribute type:
458 	**	if this attr exists in the search result,
459 	**	and it has a value matching the target:
460 	**		allocate an attr;
461 	**		save/build DNs of any subordinate matches;
462 	**		handle special case: found exact + subordinate match;
463 	**		handle olcRefintNothing;
464 	**
465 	*/
466 
467 	ip = op->o_tmpalloc(sizeof(dependent_data), op->o_tmpmemctx );
468 	ber_dupbv_x( &ip->dn, &rs->sr_entry->e_name, op->o_tmpmemctx );
469 	ber_dupbv_x( &ip->ndn, &rs->sr_entry->e_nname, op->o_tmpmemctx );
470 	ip->next = rq->attrs;
471 	rq->attrs = ip;
472 	ip->attrs = NULL;
473 	for(ia = da; ia; ia = ia->next) {
474 		if ( (a = attr_find(rs->sr_entry->e_attrs, ia->attr) ) ) {
475 			int exact = -1, is_exact;
476 
477 			na = NULL;
478 
479 			/* Are we doing subtree matching or simple equality? */
480 			if ( rq->do_sub ) {
481 			for(i = 0, b = a->a_nvals; b[i].bv_val; i++) {
482 				if(dnIsSuffix(&b[i], &rq->oldndn)) {
483 					is_exact = b[i].bv_len == rq->oldndn.bv_len;
484 
485 					/* Paranoia: skip buggy duplicate exact match,
486 					 * it would break ra_numvals
487 					 */
488 					if ( is_exact && exact >= 0 )
489 						continue;
490 
491 					/* first match? create structure */
492 					if ( na == NULL ) {
493 						na = op->o_tmpcalloc( 1,
494 							sizeof( refint_attrs ),
495 							op->o_tmpmemctx );
496 						na->next = ip->attrs;
497 						ip->attrs = na;
498 						na->attr = ia->attr;
499 					}
500 
501 					na->ra_numvals++;
502 
503 					if ( is_exact ) {
504 						/* Exact match: refint_repair will deduce the DNs */
505 						exact = i;
506 
507 					} else {
508 						/* Subordinate match */
509 						struct berval	newsub, newdn, olddn, oldndn;
510 
511 						/* Save old DN */
512 						ber_dupbv_x( &olddn, &a->a_vals[i], op->o_tmpmemctx );
513 						ber_bvarray_add_x( &na->old_vals, &olddn, op->o_tmpmemctx );
514 
515 						ber_dupbv_x( &oldndn, &a->a_nvals[i], op->o_tmpmemctx );
516 						ber_bvarray_add_x( &na->old_nvals, &oldndn, op->o_tmpmemctx );
517 
518 						if ( BER_BVISEMPTY( &rq->newdn ) )
519 							continue;
520 
521 						/* Rename subordinate match: Build new DN */
522 						newsub = a->a_vals[i];
523 						newsub.bv_len -= rq->olddn.bv_len + 1;
524 						build_new_dn( &newdn, &rq->newdn, &newsub, op->o_tmpmemctx );
525 						ber_bvarray_add_x( &na->new_vals, &newdn, op->o_tmpmemctx );
526 
527 						newsub = a->a_nvals[i];
528 						newsub.bv_len -= rq->oldndn.bv_len + 1;
529 						build_new_dn( &newdn, &rq->newndn, &newsub, op->o_tmpmemctx );
530 						ber_bvarray_add_x( &na->new_nvals, &newdn, op->o_tmpmemctx );
531 					}
532 				}
533 			}
534 
535 			/* If we got both subordinate and exact match,
536 			 * refint_repair won't special-case the exact match */
537 			if ( exact >= 0 && na->old_vals ) {
538 				struct berval	dn;
539 
540 				ber_dupbv_x( &dn, &a->a_vals[exact], op->o_tmpmemctx );
541 				ber_bvarray_add_x( &na->old_vals, &dn, op->o_tmpmemctx );
542 				ber_dupbv_x( &dn, &a->a_nvals[exact], op->o_tmpmemctx );
543 				ber_bvarray_add_x( &na->old_nvals, &dn, op->o_tmpmemctx );
544 
545 				if ( !BER_BVISEMPTY( &rq->newdn ) ) {
546 					ber_dupbv_x( &dn, &rq->newdn, op->o_tmpmemctx );
547 					ber_bvarray_add_x( &na->new_vals, &dn, op->o_tmpmemctx );
548 					ber_dupbv_x( &dn, &rq->newndn, op->o_tmpmemctx );
549 					ber_bvarray_add_x( &na->new_nvals, &dn, op->o_tmpmemctx );
550 				}
551 			}
552 			} else {
553 				/* entry has no children, just equality matching */
554 				is_exact = attr_valfind( a,
555 					SLAP_MR_EQUALITY|SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH|
556 					SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH, &rq->oldndn, &i, NULL );
557 				if ( is_exact == LDAP_SUCCESS ) {
558 					na = op->o_tmpcalloc( 1,
559 						sizeof( refint_attrs ),
560 						op->o_tmpmemctx );
561 					na->next = ip->attrs;
562 					ip->attrs = na;
563 					na->attr = ia->attr;
564 					na->ra_numvals = 1;
565 				}
566 			}
567 
568 			/* Deleting/replacing all values and a nothing DN is configured? */
569 			if ( na && na->ra_numvals == a->a_numvals && !BER_BVISNULL(&dd->nothing) )
570 				na->dont_empty = 1;
571 
572 			Debug( LDAP_DEBUG_TRACE, "refint_search_cb: %s: %s (#%d)\n",
573 				a->a_desc->ad_cname.bv_val, rq->olddn.bv_val, i );
574 		}
575 	}
576 
577 	return(0);
578 }
579 
580 static int
refint_repair(Operation * op,refint_data * id,refint_q * rq)581 refint_repair(
582 	Operation	*op,
583 	refint_data	*id,
584 	refint_q	*rq )
585 {
586 	dependent_data	*dp;
587 	SlapReply		rs = {REP_RESULT};
588 	Operation		op2;
589 	unsigned long	opid;
590 	int		rc;
591 	int	cache;
592 
593 	op->o_callback->sc_response = refint_search_cb;
594 	op->o_req_dn = op->o_bd->be_suffix[ 0 ];
595 	op->o_req_ndn = op->o_bd->be_nsuffix[ 0 ];
596 	op->o_dn = op->o_bd->be_rootdn;
597 	op->o_ndn = op->o_bd->be_rootndn;
598 	cache = op->o_do_not_cache;
599 	op->o_do_not_cache = 1;
600 
601 	/* search */
602 	rc = op->o_bd->be_search( op, &rs );
603 	op->o_do_not_cache = cache;
604 
605 	if ( rc != LDAP_SUCCESS ) {
606 		Debug( LDAP_DEBUG_TRACE,
607 			"refint_repair: search failed: %d\n",
608 			rc );
609 		return rc;
610 	}
611 
612 	/* safety? paranoid just in case */
613 	if ( op->o_callback->sc_private == NULL ) {
614 		Debug( LDAP_DEBUG_TRACE,
615 			"refint_repair: callback wiped out sc_private?!\n" );
616 		return 0;
617 	}
618 
619 	/* Set up the Modify requests */
620 	op->o_callback->sc_response = &slap_null_cb;
621 
622 	/*
623 	 * [our search callback builds a list of attrs]
624 	 * foreach attr:
625 	 *	make sure its dn has a backend;
626 	 *	build Modification* chain;
627 	 *	call the backend modify function;
628 	 *
629 	 */
630 
631 	opid = op->o_opid;
632 	op2 = *op;
633 	for ( dp = rq->attrs; dp; dp = dp->next ) {
634 		SlapReply	rs2 = {REP_RESULT};
635 		refint_attrs	*ra;
636 		Modifications	*m;
637 
638 		if ( dp->attrs == NULL ) continue; /* TODO: Is this needed? */
639 
640 		op2.o_bd = select_backend( &dp->ndn, 1 );
641 		if ( !op2.o_bd ) {
642 			Debug( LDAP_DEBUG_TRACE,
643 				"refint_repair: no backend for DN %s!\n",
644 				dp->dn.bv_val );
645 			continue;
646 		}
647 		op2.o_tag = LDAP_REQ_MODIFY;
648 		op2.orm_modlist = NULL;
649 		op2.o_req_dn	= dp->dn;
650 		op2.o_req_ndn	= dp->ndn;
651 		/* Internal ops, never replicate these */
652 		op2.orm_no_opattrs = 1;
653 		op2.o_dont_replicate = 1;
654 		op2.o_opid = 0;
655 
656 		/* Set our ModifiersName */
657 		if ( SLAP_LASTMOD( op->o_bd ) ) {
658 				m = op2.o_tmpalloc( sizeof(Modifications) +
659 					4*sizeof(BerValue), op2.o_tmpmemctx );
660 				m->sml_next = op2.orm_modlist;
661 				op2.orm_modlist = m;
662 				m->sml_op = LDAP_MOD_REPLACE;
663 				m->sml_flags = SLAP_MOD_INTERNAL;
664 				m->sml_desc = slap_schema.si_ad_modifiersName;
665 				m->sml_type = m->sml_desc->ad_cname;
666 				m->sml_numvals = 1;
667 				m->sml_values = (BerVarray)(m+1);
668 				m->sml_nvalues = m->sml_values+2;
669 				BER_BVZERO( &m->sml_values[1] );
670 				BER_BVZERO( &m->sml_nvalues[1] );
671 				m->sml_values[0] = id->refint_dn;
672 				m->sml_nvalues[0] = id->refint_ndn;
673 		}
674 
675 		for ( ra = dp->attrs; ra; ra = ra->next ) {
676 			size_t	len;
677 
678 			/* Add values */
679 			if ( ra->dont_empty || !BER_BVISEMPTY( &rq->newdn ) ) {
680 				len = sizeof(Modifications);
681 
682 				if ( ra->new_vals == NULL ) {
683 					len += 4*sizeof(BerValue);
684 				}
685 
686 				m = op2.o_tmpalloc( len, op2.o_tmpmemctx );
687 				m->sml_next = op2.orm_modlist;
688 				op2.orm_modlist = m;
689 				m->sml_op = LDAP_MOD_ADD;
690 				m->sml_flags = 0;
691 				m->sml_desc = ra->attr;
692 				m->sml_type = ra->attr->ad_cname;
693 				if ( ra->new_vals == NULL ) {
694 					m->sml_values = (BerVarray)(m+1);
695 					m->sml_nvalues = m->sml_values+2;
696 					BER_BVZERO( &m->sml_values[1] );
697 					BER_BVZERO( &m->sml_nvalues[1] );
698 					m->sml_numvals = 1;
699 					if ( BER_BVISEMPTY( &rq->newdn ) ) {
700 						m->sml_values[0] = id->nothing;
701 						m->sml_nvalues[0] = id->nnothing;
702 					} else {
703 						m->sml_values[0] = rq->newdn;
704 						m->sml_nvalues[0] = rq->newndn;
705 					}
706 				} else {
707 					m->sml_values = ra->new_vals;
708 					m->sml_nvalues = ra->new_nvals;
709 					m->sml_numvals = ra->ra_numvals;
710 				}
711 			}
712 
713 			/* Delete values */
714 			len = sizeof(Modifications);
715 			if ( ra->old_vals == NULL ) {
716 				len += 4*sizeof(BerValue);
717 			}
718 			m = op2.o_tmpalloc( len, op2.o_tmpmemctx );
719 			m->sml_next = op2.orm_modlist;
720 			op2.orm_modlist = m;
721 			m->sml_op = LDAP_MOD_DELETE;
722 			m->sml_flags = 0;
723 			m->sml_desc = ra->attr;
724 			m->sml_type = ra->attr->ad_cname;
725 			if ( ra->old_vals == NULL ) {
726 				m->sml_numvals = 1;
727 				m->sml_values = (BerVarray)(m+1);
728 				m->sml_nvalues = m->sml_values+2;
729 				m->sml_values[0] = rq->olddn;
730 				m->sml_nvalues[0] = rq->oldndn;
731 				BER_BVZERO( &m->sml_values[1] );
732 				BER_BVZERO( &m->sml_nvalues[1] );
733 			} else {
734 				m->sml_values = ra->old_vals;
735 				m->sml_nvalues = ra->old_nvals;
736 				m->sml_numvals = ra->ra_numvals;
737 			}
738 		}
739 
740 		op2.o_dn = op2.o_bd->be_rootdn;
741 		op2.o_ndn = op2.o_bd->be_rootndn;
742 		rc = op2.o_bd->be_modify( &op2, &rs2 );
743 		if ( rc != LDAP_SUCCESS ) {
744 			Debug( LDAP_DEBUG_TRACE,
745 				"refint_repair: dependent modify failed: %d\n",
746 				rs2.sr_err );
747 		}
748 
749 		while ( ( m = op2.orm_modlist ) ) {
750 			op2.orm_modlist = m->sml_next;
751 			op2.o_tmpfree( m, op2.o_tmpmemctx );
752 		}
753 	}
754 	op2.o_opid = opid;
755 
756 	return 0;
757 }
758 
759 static void *
refint_qtask(void * ctx,void * arg)760 refint_qtask( void *ctx, void *arg )
761 {
762 	struct re_s *rtask = arg;
763 	refint_data *id = rtask->arg;
764 	Connection conn = {0};
765 	OperationBuffer opbuf;
766 	Operation *op;
767 	slap_callback cb = { NULL, NULL, NULL, NULL };
768 	Filter ftop, *fptr;
769 	refint_q *rq;
770 	refint_attrs *ip;
771 	int pausing = 0, rc = 0;
772 
773 	connection_fake_init( &conn, &opbuf, ctx );
774 	op = &opbuf.ob_op;
775 
776 	/*
777 	** build a search filter for all configured attributes;
778 	** populate our Operation;
779 	** pass our data (attr list, dn) to backend via sc_private;
780 	** call the backend search function;
781 	** nb: (|(one=thing)) is valid, but do smart formatting anyway;
782 	** nb: 16 is arbitrarily a dozen or so extra bytes;
783 	**
784 	*/
785 
786 	ftop.f_choice = LDAP_FILTER_OR;
787 	ftop.f_next = NULL;
788 	ftop.f_or = NULL;
789 	op->ors_filter = &ftop;
790 	for(ip = id->attrs; ip; ip = ip->next) {
791 		/* this filter can be either EQUALITY or EXT */
792 		fptr = op->o_tmpcalloc( sizeof(Filter) + sizeof(MatchingRuleAssertion),
793 			1, op->o_tmpmemctx );
794 		fptr->f_mra = (MatchingRuleAssertion *)(fptr+1);
795 		fptr->f_mr_rule = mr_dnSubtreeMatch;
796 		fptr->f_mr_rule_text = mr_dnSubtreeMatch->smr_bvoid;
797 		fptr->f_mr_desc = ip->attr;
798 		fptr->f_mr_dnattrs = 0;
799 		fptr->f_next = ftop.f_or;
800 		ftop.f_or = fptr;
801 	}
802 
803 	for (;;) {
804 		dependent_data	*dp, *dp_next;
805 		refint_attrs *ra, *ra_next;
806 
807 		if ( ldap_pvt_thread_pool_pausing( &connection_pool ) > 0 ) {
808 			pausing = 1;
809 			break;
810 		}
811 
812 		/* Dequeue an op */
813 		ldap_pvt_thread_mutex_lock( &id->qmutex );
814 		rq = id->qhead;
815 		if ( rq ) {
816 			id->qhead = rq->next;
817 			if ( !id->qhead )
818 				id->qtail = NULL;
819 		}
820 		ldap_pvt_thread_mutex_unlock( &id->qmutex );
821 		if ( !rq )
822 			break;
823 
824 		for (fptr = ftop.f_or; fptr; fptr = fptr->f_next ) {
825 			fptr->f_mr_value = rq->oldndn;
826 			/* Use (attr:dnSubtreeMatch:=value) to catch subtree rename
827 			 * and subtree delete where supported */
828 			if (rq->do_sub)
829 				fptr->f_choice = LDAP_FILTER_EXT;
830 			else
831 				fptr->f_choice = LDAP_FILTER_EQUALITY;
832 		}
833 
834 		filter2bv_x( op, op->ors_filter, &op->ors_filterstr );
835 
836 		/* callback gets the searched dn instead */
837 		cb.sc_private	= rq;
838 		cb.sc_response	= refint_search_cb;
839 		op->o_callback	= &cb;
840 		op->o_tag	= LDAP_REQ_SEARCH;
841 		op->ors_scope	= LDAP_SCOPE_SUBTREE;
842 		op->ors_deref	= LDAP_DEREF_NEVER;
843 		op->ors_limit   = NULL;
844 		op->ors_slimit	= SLAP_NO_LIMIT;
845 		op->ors_tlimit	= SLAP_NO_LIMIT;
846 
847 		/* no attrs! */
848 		op->ors_attrs = slap_anlist_no_attrs;
849 
850 		slap_op_time( &op->o_time, &op->o_tincr );
851 
852 		if ( rq->db != NULL ) {
853 			op->o_bd = rq->db;
854 			rc = refint_repair( op, id, rq );
855 
856 		} else {
857 			BackendDB	*be;
858 
859 			LDAP_STAILQ_FOREACH( be, &backendDB, be_next ) {
860 				/* we may want to skip cn=config */
861 				if ( be == LDAP_STAILQ_FIRST(&backendDB) ) {
862 					continue;
863 				}
864 
865 				if ( be->be_search && be->be_modify ) {
866 					op->o_bd = be;
867 					rc = refint_repair( op, id, rq );
868 				}
869 			}
870 		}
871 
872 		for ( dp = rq->attrs; dp; dp = dp_next ) {
873 			dp_next = dp->next;
874 			for ( ra = dp->attrs; ra; ra = ra_next ) {
875 				ra_next = ra->next;
876 				ber_bvarray_free_x( ra->new_nvals, op->o_tmpmemctx );
877 				ber_bvarray_free_x( ra->new_vals, op->o_tmpmemctx );
878 				ber_bvarray_free_x( ra->old_nvals, op->o_tmpmemctx );
879 				ber_bvarray_free_x( ra->old_vals, op->o_tmpmemctx );
880 				op->o_tmpfree( ra, op->o_tmpmemctx );
881 			}
882 			op->o_tmpfree( dp->ndn.bv_val, op->o_tmpmemctx );
883 			op->o_tmpfree( dp->dn.bv_val, op->o_tmpmemctx );
884 			op->o_tmpfree( dp, op->o_tmpmemctx );
885 		}
886 		op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx );
887 		if ( rc == LDAP_BUSY ) {
888 			pausing = 1;
889 			/* re-queue this op */
890 			ldap_pvt_thread_mutex_lock( &id->qmutex );
891 			rq->next = id->qhead;
892 			id->qhead = rq;
893 			if ( !id->qtail )
894 				id->qtail = rq;
895 			ldap_pvt_thread_mutex_unlock( &id->qmutex );
896 			break;
897 		}
898 
899 		if ( !BER_BVISNULL( &rq->newndn )) {
900 			ch_free( rq->newndn.bv_val );
901 			ch_free( rq->newdn.bv_val );
902 		}
903 		ch_free( rq->oldndn.bv_val );
904 		ch_free( rq->olddn.bv_val );
905 		ch_free( rq );
906 	}
907 
908 	/* free filter */
909 	for ( fptr = ftop.f_or; fptr; ) {
910 		Filter *f_next = fptr->f_next;
911 		op->o_tmpfree( fptr, op->o_tmpmemctx );
912 		fptr = f_next;
913 	}
914 
915 	/* wait until we get explicitly scheduled again */
916 	ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
917 	ldap_pvt_runqueue_stoptask( &slapd_rq, id->qtask );
918 	if ( pausing ) {
919 		/* try to run again as soon as the pause is done */
920 		id->qtask->interval.tv_sec = 0;
921 		ldap_pvt_runqueue_resched( &slapd_rq, id->qtask, 0 );
922 		id->qtask->interval.tv_sec = RUNQ_INTERVAL;
923 	} else {
924 		ldap_pvt_runqueue_resched( &slapd_rq,id->qtask, 1 );
925 	}
926 	ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
927 
928 	return NULL;
929 }
930 
931 /*
932 ** refint_response
933 ** search for matching records and modify them
934 */
935 
936 static int
refint_response(Operation * op,SlapReply * rs)937 refint_response(
938 	Operation *op,
939 	SlapReply *rs
940 )
941 {
942 	refint_pre *rp;
943 	slap_overinst *on;
944 	refint_data *id;
945 	BerValue pdn;
946 	refint_q *rq;
947 	refint_attrs *ip;
948 	int ac;
949 
950 	/* If the main op failed or is not a Delete or ModRdn, ignore it */
951 	if (( op->o_tag != LDAP_REQ_DELETE && op->o_tag != LDAP_REQ_MODRDN ) ||
952 		rs->sr_err != LDAP_SUCCESS )
953 		return SLAP_CB_CONTINUE;
954 
955 	rp = op->o_callback->sc_private;
956 	on = rp->on;
957 	id = on->on_bi.bi_private;
958 
959 	rq = ch_calloc( 1, sizeof( refint_q ));
960 	ber_dupbv( &rq->olddn, &op->o_req_dn );
961 	ber_dupbv( &rq->oldndn, &op->o_req_ndn );
962 	rq->db = id->db;
963 	rq->rdata = id;
964 	rq->do_sub = rp->do_sub;
965 
966 	if ( op->o_tag == LDAP_REQ_MODRDN ) {
967 		if ( op->oq_modrdn.rs_newSup ) {
968 			pdn = *op->oq_modrdn.rs_newSup;
969 		} else {
970 			dnParent( &op->o_req_dn, &pdn );
971 		}
972 		build_new_dn( &rq->newdn, &pdn, &op->orr_newrdn, NULL );
973 		if ( op->oq_modrdn.rs_nnewSup ) {
974 			pdn = *op->oq_modrdn.rs_nnewSup;
975 		} else {
976 			dnParent( &op->o_req_ndn, &pdn );
977 		}
978 		build_new_dn( &rq->newndn, &pdn, &op->orr_nnewrdn, NULL );
979 	}
980 
981 	ldap_pvt_thread_mutex_lock( &id->qmutex );
982 	if ( id->qtail ) {
983 		id->qtail->next = rq;
984 	} else {
985 		id->qhead = rq;
986 	}
987 	id->qtail = rq;
988 	ldap_pvt_thread_mutex_unlock( &id->qmutex );
989 
990 	ac = 0;
991 	ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
992 	if ( !id->qtask ) {
993 		id->qtask = ldap_pvt_runqueue_insert( &slapd_rq, RUNQ_INTERVAL,
994 			refint_qtask, id, "refint_qtask",
995 			op->o_bd->be_suffix[0].bv_val );
996 		ac = 1;
997 	} else {
998 		if ( !ldap_pvt_runqueue_isrunning( &slapd_rq, id->qtask ) &&
999 			!id->qtask->next_sched.tv_sec ) {
1000 			id->qtask->interval.tv_sec = 0;
1001 			ldap_pvt_runqueue_resched( &slapd_rq, id->qtask, 0 );
1002 			id->qtask->interval.tv_sec = RUNQ_INTERVAL;
1003 			ac = 1;
1004 		}
1005 	}
1006 	ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
1007 	if ( ac )
1008 		slap_wake_listener();
1009 
1010 	return SLAP_CB_CONTINUE;
1011 }
1012 
1013 /* Check if the target entry exists and has children.
1014  * Do nothing if target doesn't exist.
1015  */
1016 static int
refint_preop(Operation * op,SlapReply * rs)1017 refint_preop(
1018 	Operation *op,
1019 	SlapReply *rs
1020 )
1021 {
1022 	slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
1023 	refint_data *id = on->on_bi.bi_private;
1024 	Entry *e;
1025 	int rc;
1026 
1027 	/* are any attrs configured? */
1028 	if ( !id->attrs )
1029 		return SLAP_CB_CONTINUE;
1030 
1031 	rc = overlay_entry_get_ov( op, &op->o_req_ndn, NULL, NULL, 0, &e, on );
1032 	if ( rc == LDAP_SUCCESS ) {
1033 		slap_callback *sc = op->o_tmpcalloc( 1,
1034 			sizeof(slap_callback)+sizeof(refint_pre), op->o_tmpmemctx );
1035 		refint_pre *rp = (refint_pre *)(sc+1);
1036 		rp->on = on;
1037 		rp->do_sub = 1;	/* assume there are children */
1038 		if ( op->o_bd->be_has_subordinates ) {
1039 			int has = 0;
1040 			rc = op->o_bd->be_has_subordinates( op, e, &has );
1041 			/* there definitely are not children */
1042 			if ( rc == LDAP_SUCCESS && has == LDAP_COMPARE_FALSE )
1043 				rp->do_sub = 0;
1044 		}
1045 		overlay_entry_release_ov( op, e, 0, on );
1046 		sc->sc_response = refint_response;
1047 		sc->sc_private = rp;
1048 		sc->sc_next = op->o_callback;
1049 		op->o_callback = sc;
1050 	}
1051 	return SLAP_CB_CONTINUE;
1052 }
1053 
1054 /*
1055 ** init_module is last so the symbols resolve "for free" --
1056 ** it expects to be called automagically during dynamic module initialization
1057 */
1058 
refint_initialize()1059 int refint_initialize() {
1060 	int rc;
1061 
1062 	mr_dnSubtreeMatch = mr_find( "dnSubtreeMatch" );
1063 	if ( mr_dnSubtreeMatch == NULL ) {
1064 		Debug( LDAP_DEBUG_ANY, "refint_initialize: "
1065 			"unable to find MatchingRule 'dnSubtreeMatch'.\n" );
1066 		return 1;
1067 	}
1068 
1069 	/* statically declared just after the #includes at top */
1070 	refint.on_bi.bi_type = "refint";
1071 	refint.on_bi.bi_db_init = refint_db_init;
1072 	refint.on_bi.bi_db_destroy = refint_db_destroy;
1073 	refint.on_bi.bi_db_open = refint_open;
1074 	refint.on_bi.bi_db_close = refint_close;
1075 	refint.on_bi.bi_op_delete = refint_preop;
1076 	refint.on_bi.bi_op_modrdn = refint_preop;
1077 
1078 	refint.on_bi.bi_cf_ocs = refintocs;
1079 	rc = config_register_schema ( refintcfg, refintocs );
1080 	if ( rc ) return rc;
1081 
1082 	return(overlay_register(&refint));
1083 }
1084 
1085 #if SLAPD_OVER_REFINT == SLAPD_MOD_DYNAMIC && defined(PIC)
init_module(int argc,char * argv[])1086 int init_module(int argc, char *argv[]) {
1087 	return refint_initialize();
1088 }
1089 #endif
1090 
1091 #endif /* SLAPD_OVER_REFINT */
1092