xref: /netbsd-src/external/bsd/openldap/dist/servers/slapd/back-monitor/database.c (revision 82d56013d7b633d116a93943de88e08335357a7c)
1 /*	$NetBSD: database.c,v 1.2 2020/08/11 13:15:41 christos Exp $	*/
2 
3 /* database.c - deals with database subsystem */
4 /* $OpenLDAP$ */
5 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
6  *
7  * Copyright 2001-2020 The OpenLDAP Foundation.
8  * Portions Copyright 2001-2003 Pierangelo Masarati.
9  * All rights reserved.
10  *
11  * Redistribution and use in source and binary forms, with or without
12  * modification, are permitted only as authorized by the OpenLDAP
13  * Public License.
14  *
15  * A copy of this license is available in file LICENSE in the
16  * top-level directory of the distribution or, alternatively, at
17  * <http://www.OpenLDAP.org/license.html>.
18  */
19 /* ACKNOWLEDGEMENTS:
20  * This work was initially developed by Pierangelo Masarati for inclusion
21  * in OpenLDAP Software.
22  */
23 
24 #include <sys/cdefs.h>
25 __RCSID("$NetBSD: database.c,v 1.2 2020/08/11 13:15:41 christos Exp $");
26 
27 #include "portable.h"
28 
29 #include <stdio.h>
30 #include <ac/string.h>
31 #include <ac/unistd.h>
32 
33 #include "slap.h"
34 #include "back-monitor.h"
35 
36 #if defined(LDAP_SLAPI)
37 #include "slapi.h"
38 static int monitor_back_add_plugin( monitor_info_t *mi, Backend *be, Entry *e );
39 #endif /* defined(LDAP_SLAPI) */
40 
/*
 * Forward declaration: monitor_subsys_database_init() installs this
 * function as the subsystem's mss_modify handler.
 */
static int
monitor_subsys_database_modify(
	Operation	*op,
	SlapReply	*rs,
	Entry		*e );

/*
 * Lookup tables pairing each restrictedOperation value with its
 * SLAP_RESTRICT_* flag bit.
 *
 * restricted_ops holds the plain operation keywords, restricted_exops the
 * LDAP_EXOP_* identifiers of extended operations (value_mask() selects
 * that table when a value starts with an OID lead character).  Both
 * arrays end with a { BER_BVNULL, 0 } row, which every loop in this file
 * uses as the terminator.
 */
static struct restricted_ops_t {
	struct berval	op;	/* value as it appears in restrictedOperation */
	unsigned int	tag;	/* matching SLAP_RESTRICT_* bit */
} restricted_ops[] = {
	{ BER_BVC( "add" ),			SLAP_RESTRICT_OP_ADD },
	{ BER_BVC( "bind" ),			SLAP_RESTRICT_OP_BIND },
	{ BER_BVC( "compare" ),			SLAP_RESTRICT_OP_COMPARE },
	{ BER_BVC( "delete" ),			SLAP_RESTRICT_OP_DELETE },
	{ BER_BVC( "extended" ),		SLAP_RESTRICT_OP_EXTENDED },
	{ BER_BVC( "modify" ),			SLAP_RESTRICT_OP_MODIFY },
	{ BER_BVC( "rename" ),			SLAP_RESTRICT_OP_RENAME },
	{ BER_BVC( "search" ),			SLAP_RESTRICT_OP_SEARCH },
	{ BER_BVNULL,				0 }
}, restricted_exops[] = {
	{ BER_BVC( LDAP_EXOP_START_TLS ),	SLAP_RESTRICT_EXOP_START_TLS },
	{ BER_BVC( LDAP_EXOP_MODIFY_PASSWD ),	SLAP_RESTRICT_EXOP_MODIFY_PASSWD },
	{ BER_BVC( LDAP_EXOP_WHO_AM_I ),	SLAP_RESTRICT_EXOP_WHOAMI },
	{ BER_BVC( LDAP_EXOP_CANCEL ),	SLAP_RESTRICT_EXOP_CANCEL },
	{ BER_BVNULL,				0 }
};
67 
/*
 * Add the readOnly attribute to entry e.
 *
 * The value is TRUE only when the bits of restrictops selected by
 * SLAP_RESTRICT_OP_MASK are exactly SLAP_RESTRICT_OP_WRITES; in every
 * other case it is FALSE.  Returns whatever attr_merge_one() returns.
 *
 * NOTE(review): monitor_subsys_database_modify() derives readOnly with
 * "( mask & SLAP_RESTRICT_OP_WRITES ) == SLAP_RESTRICT_OP_WRITES", which
 * is a different test from the one used here -- confirm which is intended.
 */
static int
init_readOnly( monitor_info_t *mi, Entry *e, slap_mask_t restrictops )
{
	struct berval	*value = (struct berval *)&slap_false_bv;

	if ( ( restrictops & SLAP_RESTRICT_OP_MASK ) == SLAP_RESTRICT_OP_WRITES ) {
		value = (struct berval *)&slap_true_bv;
	}

	return attr_merge_one( e, mi->mi_ad_readOnly, value, NULL );
}
76 
/*
 * Add one restrictedOperation value to entry e for every bit of
 * restrictops that has a row in restricted_ops or restricted_exops.
 *
 * The plain-operation table is walked first, then the extended-operation
 * table.  Returns LDAP_SUCCESS, or the first non-zero result of
 * attr_merge_one(), in which case the remaining rows are not processed.
 */
static int
init_restrictedOperation( monitor_info_t *mi, Entry *e, slap_mask_t restrictops )
{
	struct restricted_ops_t	*tables[] = { restricted_ops, restricted_exops };
	size_t			t;

	for ( t = 0; t < sizeof( tables ) / sizeof( tables[ 0 ] ); t++ ) {
		struct restricted_ops_t	*rop;

		/* each table ends with a row whose op.bv_val is NULL */
		for ( rop = tables[ t ]; rop->op.bv_val; rop++ ) {
			int	rc;

			if ( !( restrictops & rop->tag ) ) {
				continue;
			}

			/* the table text serves as both the value and its normalized form */
			rc = attr_merge_one( e, mi->mi_ad_restrictedOperation,
					&rop->op, &rop->op );
			if ( rc ) {
				return rc;
			}
		}
	}

	return LDAP_SUCCESS;
}
106 
/*
 * Create the "cn=Overlay <o>" child of e_database describing overlay
 * instance `on' of database `be', add it to the monitor cache and store
 * it in *ep_overlay.
 *
 * <o> is the position of `on' in the database's overlay list.  The
 * seeAlso value points at "cn=Overlay <j>" below ms_overlay's DN, where
 * <j> is the position of the overlay type in the overlay_next() list.
 *
 * Returns 0 on success; -1 if `on' is not in the database's overlay list
 * or if the entry or its private data cannot be created or cached.
 * The results of the attr_merge*() calls are not checked.
 */
static int
monitor_subsys_overlay_init_one(
	monitor_info_t		*mi,
	BackendDB		*be,
	monitor_subsys_t	*ms,
	monitor_subsys_t	*ms_overlay,
	slap_overinst		*on,
	Entry			*e_database,
	Entry			**ep_overlay )
{
	char			buf[ BACKMONITOR_BUFSIZE ];
	int			j, o;
	Entry			*e_overlay;
	slap_overinst		*on2;
	slap_overinfo		*oi = NULL;
	BackendInfo		*bi;
	monitor_entry_t		*mp_overlay;
	struct berval		bv;

	/* be must carry overlays; this is only verified when assertions are enabled */
	assert( overlay_is_over( be ) );

	oi = (slap_overinfo *)be->bd_info->bi_private;
	/* bi is assigned here but not read again in this function */
	bi = oi->oi_orig;

	/* find the overlay number, o */
	for ( o = 0, on2 = oi->oi_list; on2 && on2 != on; on2 = on2->on_next, o++ )
		;

	/* `on' is not one of this database's overlays */
	if ( on2 == NULL ) {
		return -1;
	}

	/* find the overlay type number, j */
	for ( on2 = overlay_next( NULL ), j = 0; on2; on2 = overlay_next( on2 ), j++ ) {
		if ( on2->on_bi.bi_type == on->on_bi.bi_type ) {
			break;
		}
	}
	assert( on2 != NULL );

	/*
	 * NOTE(review): the snprintf() result is stored in bv_len unchecked.
	 * On truncation it would be larger than the number of bytes held in
	 * buf; monitor_subsys_database_init() guards its RDNs with
	 * "bv.bv_len >= sizeof( buf )" -- consider the same check here.
	 */
	bv.bv_len = snprintf( buf, sizeof( buf ), "cn=Overlay %d", o );
	bv.bv_val = buf;

	e_overlay = monitor_entry_stub( &e_database->e_name, &e_database->e_nname, &bv,
		mi->mi_oc_monitoredObject, NULL, NULL );

	if ( e_overlay == NULL ) {
		Debug( LDAP_DEBUG_ANY,
			"monitor_subsys_overlay_init_one: "
			"unable to create entry "
			"\"cn=Overlay %d,%s\"\n",
			o, e_database->e_name.bv_val, 0 );
		return( -1 );
	}
	/* monitoredInfo carries the overlay type name */
	ber_str2bv( on->on_bi.bi_type, 0, 0, &bv );
	attr_merge_normalize_one( e_overlay, mi->mi_ad_monitoredInfo, &bv, NULL );

	/*
	 * seeAlso: DN of the per-type overlay entry.
	 * NOTE(review): same unchecked snprintf() length as above; here the
	 * formatted text includes ms_overlay->mss_dn, so its size is not
	 * bounded by this function.
	 */
	bv.bv_len = snprintf( buf, sizeof( buf ), "cn=Overlay %d,%s",
		j, ms_overlay->mss_dn.bv_val );
	bv.bv_val = buf;
	attr_merge_normalize_one( e_overlay, slap_schema.si_ad_seeAlso,
		&bv, NULL );

	/* publish the suffixes as monitorContext for a monitor database, namingContexts otherwise */
	if ( SLAP_MONITOR( be ) ) {
		attr_merge( e_overlay, slap_schema.si_ad_monitorContext,
				be->be_suffix, be->be_nsuffix );

	} else {
		attr_merge( e_overlay, slap_schema.si_ad_namingContexts,
				be->be_suffix, NULL );
	}

	mp_overlay = monitor_entrypriv_create();
	if ( mp_overlay == NULL ) {
		/* NOTE(review): e_overlay is not released on this path -- confirm ownership */
		return -1;
	}
	e_overlay->e_private = ( void * )mp_overlay;
	mp_overlay->mp_info = ms;
	mp_overlay->mp_flags = ms->mss_flags | MONITOR_F_SUB;

	if ( monitor_cache_add( mi, e_overlay ) ) {
		Debug( LDAP_DEBUG_ANY,
			"monitor_subsys_overlay_init_one: "
			"unable to add entry "
			"\"cn=Overlay %d,%s\"\n",
			o, e_database->e_name.bv_val, 0 );
		/* NOTE(review): e_overlay and mp_overlay are not released here either -- confirm */
		return -1;
	}

	*ep_overlay = e_overlay;
	/*
	 * NOTE(review): this assignment only changes the local copy of the
	 * parameter; the caller's pointer is not advanced by it.
	 */
	ep_overlay = &mp_overlay->mp_next;

	return 0;
}
201 
/*
 * Create the monitor entry "<rdn>,<ms DN>" for database `be', fill in its
 * descriptive attributes, add it to the monitor cache, create the
 * per-overlay children and append the entry to the sibling list through
 * *epp.
 *
 * Attributes written: monitoredInfo (backend type), monitorIsShadow,
 * monitorContext or namingContexts (also merged into e_database),
 * monitorSuperiorDN for glue subordinates, readOnly, restrictedOperation,
 * monitorUpdateRef for shadows with update referrals, monitorOverlay and
 * seeAlso.  The results of the attr_merge*() and init_*() calls are not
 * checked.
 *
 * On success **epp is set to the new entry and *epp is advanced to the
 * new entry's mp_next slot.  Returns 0 on success, -1 when the entry or
 * its private data cannot be created or cached.
 */
static int
monitor_subsys_database_init_one(
	monitor_info_t		*mi,
	BackendDB		*be,
	monitor_subsys_t	*ms,
	monitor_subsys_t	*ms_backend,
	monitor_subsys_t	*ms_overlay,
	struct berval		*rdn,
	Entry			*e_database,
	Entry			***epp )
{
	char			buf[ BACKMONITOR_BUFSIZE ];
	int			j;
	slap_overinfo		*oi = NULL;
	BackendInfo		*bi, *bi2;
	Entry			*e;
	monitor_entry_t		*mp;
	/*
	 * NOTE(review): strchr() is used without a NULL check, so rdn must
	 * contain '='.  The callers visible in this file pass "cn=Frontend"
	 * and "cn=Database %d".
	 */
	char			*rdnval = strchr( rdn->bv_val, '=' ) + 1;
	struct berval		bv;

	bi = be->bd_info;

	/* with overlays present, describe the original backend rather than the overlay wrapper */
	if ( overlay_is_over( be ) ) {
		oi = (slap_overinfo *)be->bd_info->bi_private;
		bi = oi->oi_orig;
	}

	e = monitor_entry_stub( &ms->mss_dn, &ms->mss_ndn, rdn,
		mi->mi_oc_monitoredObject, NULL, NULL );

	if ( e == NULL ) {
		Debug( LDAP_DEBUG_ANY,
			"monitor_subsys_database_init_one: "
			"unable to create entry \"%s,%s\"\n",
			rdn->bv_val, ms->mss_dn.bv_val, 0 );
		return( -1 );
	}

	ber_str2bv( bi->bi_type, 0, 0, &bv );
	attr_merge_normalize_one( e, mi->mi_ad_monitoredInfo, &bv, NULL );
	attr_merge_one( e, mi->mi_ad_monitorIsShadow,
		SLAP_SHADOW( be ) ? (struct berval *)&slap_true_bv :
			(struct berval *)&slap_false_bv, NULL );

	if ( SLAP_MONITOR( be ) ) {
		attr_merge( e, slap_schema.si_ad_monitorContext,
				be->be_suffix, be->be_nsuffix );
		attr_merge( e_database, slap_schema.si_ad_monitorContext,
				be->be_suffix, be->be_nsuffix );

	} else {
		if ( be->be_suffix == NULL ) {
			Debug( LDAP_DEBUG_ANY,
				"monitor_subsys_database_init_one: "
				"missing suffix for %s\n",
				rdnval, 0, 0 );
		} else {
			attr_merge( e, slap_schema.si_ad_namingContexts,
				be->be_suffix, NULL );
			attr_merge( e_database, slap_schema.si_ad_namingContexts,
				be->be_suffix, NULL );
		}

		/*
		 * NOTE(review): this branch indexes be_nsuffix[ 0 ] and
		 * be_suffix[ 0 ] without repeating the NULL test made just
		 * above -- confirm a glue subordinate always has a suffix.
		 */
		if ( SLAP_GLUE_SUBORDINATE( be ) ) {
			BackendDB *sup_be = select_backend( &be->be_nsuffix[ 0 ], 1 );
			if ( sup_be == NULL ) {
				Debug( LDAP_DEBUG_ANY,
					"monitor_subsys_database_init: "
					"unable to get superior for %s\n",
					be->be_suffix[ 0 ].bv_val, 0, 0 );

			} else {
				attr_merge( e, mi->mi_ad_monitorSuperiorDN,
					sup_be->be_suffix, sup_be->be_nsuffix );
			}
		}
	}

	/* expose the database's current operation restrictions; results deliberately ignored */
	(void)init_readOnly( mi, e, be->be_restrictops );
	(void)init_restrictedOperation( mi, e, be->be_restrictops );

	if ( SLAP_SHADOW( be ) && be->be_update_refs ) {
		attr_merge_normalize( e, mi->mi_ad_monitorUpdateRef,
				be->be_update_refs, NULL );
	}

	if ( oi != NULL ) {
		slap_overinst	*on = oi->oi_list,
				*on1 = on;

		for ( ; on; on = on->on_next ) {
			slap_overinst		*on2;

			/* look for an earlier instance of the same overlay type */
			for ( on2 = on1; on2 != on; on2 = on2->on_next ) {
				if ( on2->on_bi.bi_type == on->on_bi.bi_type ) {
					break;
				}
			}

			/*
			 * NOTE(review): when an earlier instance is found this
			 * leaves the outer loop, so the overlays that follow are
			 * not listed either -- confirm this is not meant to skip
			 * only the duplicate.
			 */
			if ( on2 != on ) {
				break;
			}

			ber_str2bv( on->on_bi.bi_type, 0, 0, &bv );
			attr_merge_normalize_one( e, mi->mi_ad_monitorOverlay,
					&bv, NULL );

			/* find the overlay number, j */
			for ( on2 = overlay_next( NULL ), j = 0; on2; on2 = overlay_next( on2 ), j++ ) {
				if ( on2->on_bi.bi_type == on->on_bi.bi_type ) {
					break;
				}
			}
			assert( on2 != NULL );

			/* truncation is not detected here; ber_str2bv() measures what ended up in buf */
			snprintf( buf, sizeof( buf ),
				"cn=Overlay %d,%s",
				j, ms_overlay->mss_dn.bv_val );
			ber_str2bv( buf, 0, 0, &bv );
			attr_merge_normalize_one( e,
					slap_schema.si_ad_seeAlso,
					&bv, NULL );
		}
	}

	/* seeAlso: the "cn=Backend <j>" entry whose type matches this database's backend */
	j = -1;
	LDAP_STAILQ_FOREACH( bi2, &backendInfo, bi_next ) {
		j++;
		if ( bi2->bi_type == bi->bi_type ) {
			snprintf( buf, sizeof( buf ),
				"cn=Backend %d,%s",
				j, ms_backend->mss_dn.bv_val );
			bv.bv_val = buf;
			bv.bv_len = strlen( buf );
			attr_merge_normalize_one( e,
					slap_schema.si_ad_seeAlso,
					&bv, NULL );
			break;
		}
	}
	/* we must find it! */
	/* NOTE(review): j >= 0 only shows that backendInfo is not empty, not that a match was found */
	assert( j >= 0 );

	mp = monitor_entrypriv_create();
	if ( mp == NULL ) {
		/* NOTE(review): e is not released on this path -- confirm ownership */
		return -1;
	}
	e->e_private = ( void * )mp;
	mp->mp_info = ms;
	mp->mp_flags = ms->mss_flags
		| MONITOR_F_SUB;

	if ( monitor_cache_add( mi, e ) ) {
		Debug( LDAP_DEBUG_ANY,
			"monitor_subsys_database_init_one: "
			"unable to add entry \"%s,%s\"\n",
			rdn->bv_val, ms->mss_dn.bv_val, 0 );
		return( -1 );
	}

#if defined(LDAP_SLAPI)
	/* result ignored: a database without plugins makes this return LDAP_OTHER */
	monitor_back_add_plugin( mi, be, e );
#endif /* defined(LDAP_SLAPI) */

	if ( oi != NULL ) {
		Entry		**ep_overlay = &mp->mp_children;
		slap_overinst	*on = oi->oi_list;

		/*
		 * NOTE(review): ep_overlay is passed by value and is not
		 * advanced in this loop, so every successful call stores its
		 * entry into mp->mp_children.  It looks like only the last
		 * overlay stays linked as a child -- confirm.  The return
		 * value of each call is ignored as well.
		 */
		for ( ; on; on = on->on_next ) {
			monitor_subsys_overlay_init_one( mi, be,
				ms, ms_overlay, on, e, ep_overlay );
		}
	}

	/* link the new entry into the sibling list and move the tail pointer to its mp_next */
	**epp = e;
	*epp = &mp->mp_next;

	return 0;
}
381 
/*
 * Look up, or create, the monitor entry for database `be' and report its
 * normalized DN through ndn_out.  When `on' is not NULL the DN reported is
 * that of the child entry whose monitoredInfo matches the overlay type.
 *
 * If the monitor subsystem is not opened yet the request is handed to the
 * monitor_back_register_*_limbo() functions instead.
 *
 * An existing entry is recognised by comparing the namingContexts values
 * of the children of the database subsystem entry with be->be_suffix.
 * If none matches, a new "cn=Database <i>" entry is created through
 * monitor_subsys_database_init_one().
 *
 * Returns 0 on success, -1 (or the result of the limbo/init_one call) on
 * failure.  *ndn_out is assigned by structure copy, so its bv_val points
 * into the cached entry rather than at a duplicate.
 */
static int
monitor_back_register_database_and_overlay(
	BackendDB		*be,
	struct slap_overinst	*on,
	struct berval		*ndn_out )
{
	monitor_info_t		*mi;
	Entry			*e_database, **ep;
	int			i, rc;
	monitor_entry_t		*mp;
	monitor_subsys_t	*ms_backend,
				*ms_database,
				*ms_overlay;
	struct berval		bv;
	char			buf[ BACKMONITOR_BUFSIZE ];

	assert( be_monitor != NULL );

	/* too early: queue the registration until the monitor database is opened */
	if ( !monitor_subsys_is_opened() ) {
		if ( on ) {
			return monitor_back_register_overlay_limbo( be, on, ndn_out );

		} else {
			return monitor_back_register_database_limbo( be, ndn_out );
		}
	}

	mi = ( monitor_info_t * )be_monitor->be_private;

	ms_backend = monitor_back_get_subsys( SLAPD_MONITOR_BACKEND_NAME );
	if ( ms_backend == NULL ) {
		Debug( LDAP_DEBUG_ANY,
			"monitor_back_register_database: "
			"unable to get "
			"\"" SLAPD_MONITOR_BACKEND_NAME "\" "
			"subsystem\n",
			0, 0, 0 );
		return -1;
	}

	ms_database = monitor_back_get_subsys( SLAPD_MONITOR_DATABASE_NAME );
	if ( ms_database == NULL ) {
		Debug( LDAP_DEBUG_ANY,
			"monitor_back_register_database: "
			"unable to get "
			"\"" SLAPD_MONITOR_DATABASE_NAME "\" "
			"subsystem\n",
			0, 0, 0 );
		return -1;
	}

	ms_overlay = monitor_back_get_subsys( SLAPD_MONITOR_OVERLAY_NAME );
	if ( ms_overlay == NULL ) {
		Debug( LDAP_DEBUG_ANY,
			"monitor_back_register_database: "
			"unable to get "
			"\"" SLAPD_MONITOR_OVERLAY_NAME "\" "
			"subsystem\n",
			0, 0, 0 );
		return -1;
	}

	/* from here on e_database is held; every later exit goes through done: to release it */
	if ( monitor_cache_get( mi, &ms_database->mss_ndn, &e_database ) ) {
		Debug( LDAP_DEBUG_ANY,
			"monitor_subsys_database_init: "
			"unable to get entry \"%s\"\n",
			ms_database->mss_ndn.bv_val, 0, 0 );
		return( -1 );
	}

	/*
	 * Walk the existing children.  i starts at -1 and is incremented
	 * once per child visited, so after a full walk it is the child
	 * count minus one; it is then used as the number of the new
	 * "cn=Database <i>" entry.
	 */
	mp = ( monitor_entry_t * )e_database->e_private;
	for ( i = -1, ep = &mp->mp_children; *ep; i++ ) {
		Attribute	*a;

		a = attr_find( (*ep)->e_attrs, slap_schema.si_ad_namingContexts );
		if ( a ) {
			int		j, k;

			/* FIXME: RFC 4512 defines namingContexts without an
			 *        equality matching rule, making comparisons
			 *        like this one tricky.  We use a_vals and
			 *        be_suffix instead for now.
			 */
			/*
			 * NOTE(review): be->be_suffix is indexed without a NULL
			 * check; monitor_subsys_database_init_one() handles a
			 * database with no suffix -- confirm that cannot reach
			 * this loop.
			 */
			for ( j = 0; !BER_BVISNULL( &a->a_vals[ j ] ); j++ ) {
				for ( k = 0; !BER_BVISNULL( &be->be_suffix[ k ] ); k++ ) {
					if ( dn_match( &a->a_vals[ j ],
					               &be->be_suffix[ k ] ) ) {
						/* already registered: ep points at the matching entry */
						rc = 0;
						goto done;
					}
				}
			}
		}

		mp = ( monitor_entry_t * )(*ep)->e_private;

		assert( mp != NULL );
		ep = &mp->mp_next;
	}

	/* no match: ep now addresses the empty slot at the end of the list */
	bv.bv_val = buf;
	bv.bv_len = snprintf( buf, sizeof( buf ), "cn=Database %d", i );
	/* reject a truncated (or failed) format instead of using a wrong length */
	if ( bv.bv_len >= sizeof( buf ) ) {
		rc = -1;
		goto done;
	}

	rc = monitor_subsys_database_init_one( mi, be,
		ms_database, ms_backend, ms_overlay, &bv, e_database, &ep );
	if ( rc != 0 ) {
		goto done;
	}
	/* database_init_one advanced ep past where we want.
	 * But it stored the entry we want in mp->mp_next.
	 */
	ep = &mp->mp_next;

done:;
	/*
	 * NOTE(review): the children reached through *ep are read after
	 * e_database has been released -- confirm nothing else can change
	 * the list at this point.
	 */
	monitor_cache_release( mi, e_database );
	if ( rc == 0 && ndn_out && ep && *ep ) {
		if ( on ) {
			Entry *e_ov;
			struct berval ov_type;

			ber_str2bv( on->on_bi.bi_type, 0, 0, &ov_type );

			/* search the database entry's children for the one describing this overlay type */
			mp = ( monitor_entry_t * ) (*ep)->e_private;
			for ( e_ov = mp->mp_children; e_ov; ) {
				Attribute *a = attr_find( e_ov->e_attrs, mi->mi_ad_monitoredInfo );

				if ( a != NULL && bvmatch( &a->a_nvals[ 0 ], &ov_type ) ) {
					*ndn_out = e_ov->e_nname;
					break;
				}

				mp = ( monitor_entry_t * ) e_ov->e_private;
				e_ov = mp->mp_next;
			}
			/* if no child matches, *ndn_out is left as the caller passed it and rc stays 0 */

		} else {
			*ndn_out = (*ep)->e_nname;
		}
	}

	return rc;
}
528 
/*
 * Register database `be' with the monitor backend and report the
 * normalized DN of its monitor entry through ndn_out.
 *
 * Delegates to monitor_back_register_database_and_overlay() with no
 * overlay and returns its result.
 */
int
monitor_back_register_database(
	BackendDB		*be,
	struct berval		*ndn_out )
{
	int	rc;

	/* a NULL overlay selects the database entry itself */
	rc = monitor_back_register_database_and_overlay( be, NULL, ndn_out );

	return rc;
}
536 
/*
 * Register overlay instance `on' of database `be' with the monitor
 * backend and report the normalized DN of the overlay's monitor entry
 * through ndn_out.
 *
 * Delegates to monitor_back_register_database_and_overlay() and returns
 * its result.
 */
int
monitor_back_register_overlay(
	BackendDB		*be,
	struct slap_overinst	*on,
	struct berval		*ndn_out )
{
	int	rc;

	rc = monitor_back_register_database_and_overlay( be, on, ndn_out );

	return rc;
}
545 
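/*
 * Initialize the database subsystem of the monitor backend.
 *
 * Installs monitor_subsys_database_modify() as the subsystem's modify
 * handler, publishes the frontend's readOnly/restrictedOperation values on
 * the subsystem entry, then creates "cn=Frontend" and one
 * "cn=Database <i>" child per entry of the backendDB list.
 *
 * be: the monitor database (its be_private is the monitor_info_t); the
 *     variable is reused as the iterator over backendDB.
 * ms: the database subsystem being initialized.
 *
 * Returns 0 on success, -1 or the non-zero result of
 * monitor_subsys_database_init_one() on failure.
 *
 * Once monitor_cache_get() has succeeded, every exit path releases the
 * subsystem entry, as monitor_back_register_database_and_overlay() does.
 * The early error returns used to skip monitor_cache_release().
 */
int
monitor_subsys_database_init(
	BackendDB		*be,
	monitor_subsys_t	*ms )
{
	monitor_info_t		*mi;
	Entry			*e_database, **ep;
	int			i, rc;
	monitor_entry_t		*mp;
	monitor_subsys_t	*ms_backend,
				*ms_overlay;
	struct berval		bv;

	assert( be != NULL );

	ms->mss_modify = monitor_subsys_database_modify;

	mi = ( monitor_info_t * )be->be_private;

	ms_backend = monitor_back_get_subsys( SLAPD_MONITOR_BACKEND_NAME );
	if ( ms_backend == NULL ) {
		Debug( LDAP_DEBUG_ANY,
			"monitor_subsys_database_init: "
			"unable to get "
			"\"" SLAPD_MONITOR_BACKEND_NAME "\" "
			"subsystem\n",
			0, 0, 0 );
		return -1;
	}

	ms_overlay = monitor_back_get_subsys( SLAPD_MONITOR_OVERLAY_NAME );
	if ( ms_overlay == NULL ) {
		Debug( LDAP_DEBUG_ANY,
			"monitor_subsys_database_init: "
			"unable to get "
			"\"" SLAPD_MONITOR_OVERLAY_NAME "\" "
			"subsystem\n",
			0, 0, 0 );
		return -1;
	}

	/* nothing is held yet, so a plain return is fine up to and including this check */
	if ( monitor_cache_get( mi, &ms->mss_ndn, &e_database ) ) {
		Debug( LDAP_DEBUG_ANY,
			"monitor_subsys_database_init: "
			"unable to get entry \"%s\"\n",
			ms->mss_ndn.bv_val, 0, 0 );
		return( -1 );
	}

	/* the subsystem entry itself reflects the frontend's restrictions; results deliberately ignored */
	(void)init_readOnly( mi, e_database, frontendDB->be_restrictops );
	(void)init_restrictedOperation( mi, e_database, frontendDB->be_restrictops );

	/* start with an empty child list; ep always addresses the slot for the next child */
	mp = ( monitor_entry_t * )e_database->e_private;
	mp->mp_children = NULL;
	ep = &mp->mp_children;

	BER_BVSTR( &bv, "cn=Frontend" );
	rc = monitor_subsys_database_init_one( mi, frontendDB,
		ms, ms_backend, ms_overlay, &bv, e_database, &ep );
	if ( rc != 0 ) {
		goto done;
	}

	i = -1;
	LDAP_STAILQ_FOREACH( be, &backendDB, be_next ) {
		char		buf[ BACKMONITOR_BUFSIZE ];

		bv.bv_val = buf;
		bv.bv_len = snprintf( buf, sizeof( buf ), "cn=Database %d", ++i );
		/* a truncated or failed format must not be used as an RDN */
		if ( bv.bv_len >= sizeof( buf ) ) {
			rc = -1;
			goto done;
		}

		rc = monitor_subsys_database_init_one( mi, be,
			ms, ms_backend, ms_overlay, &bv, e_database, &ep );
		if ( rc != 0 ) {
			goto done;
		}
	}

done:;
	/* single release point for the entry obtained from monitor_cache_get() */
	monitor_cache_release( mi, e_database );

	return rc;
}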
630 
631 /*
632  * v: array of values
633  * cur: must not contain the tags corresponding to the values in v
634  * delta: will contain the tags corresponding to the values in v
635  */
/*
 * Translate the restrictedOperation values in v into flag bits.
 *
 * Returns LDAP_SUCCESS when every value was recognised and its bit was
 * set neither in cur nor already in *delta; the bits are then OR-ed into
 * *delta.  Returns LDAP_OTHER on the first value whose bit is already
 * present, and LDAP_INVALID_SYNTAX on the first value that matches no
 * table row.  On an error return *delta keeps the bits collected from the
 * values processed before it.
 */
static int
value_mask( BerVarray v, slap_mask_t cur, slap_mask_t *delta )
{
	BerVarray	val;

	for ( val = v; !BER_BVISNULL( val ); val++ ) {
		struct restricted_ops_t		*row;

		/* values that start like an OID name extended operations */
		row = OID_LEADCHAR( val->bv_val[ 0 ] ) ? restricted_exops : restricted_ops;

		/* case-insensitive search; stops on the terminator row when nothing matches */
		while ( !BER_BVISNULL( &row->op )
				&& ber_bvstrcasecmp( val, &row->op ) != 0 ) {
			row++;
		}

		if ( BER_BVISNULL( &row->op ) ) {
			return LDAP_INVALID_SYNTAX;
		}

		/* repeated within this request, or conflicting with the current mask */
		if ( ( row->tag & *delta ) || ( row->tag & cur ) ) {
			return LDAP_OTHER;
		}

		cur |= row->tag;
		*delta |= row->tag;
	}

	return LDAP_SUCCESS;
}
676 
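/*
 * Modify handler for the "cn=Database <n>" monitor entries; installed as
 * mss_modify by monitor_subsys_database_init().
 *
 * Only readOnly, restrictedOperation and operational attributes may be
 * modified.  The modifications are first evaluated against a working
 * copy of the restriction mask (rp_cur) and a duplicate of the entry's
 * attribute list; the database's be_restrictops is updated only when the
 * whole request has been accepted.
 *
 * op: the modify operation (op->orm_modlist holds the changes).
 * rs: reply; sr_err/sr_text are set on most error paths.
 * e:  the monitor entry being modified.
 *
 * Returns SLAP_CB_CONTINUE when e is not a "cn=database <n>" entry or
 * when the request was applied, an LDAP error code otherwise.  On error
 * the entry's original attribute list is restored.
 *
 * A rejected request must not change the live restriction mask.  Two
 * error paths in the modification loop used "break" and then fell through
 * to the code that commits rp_cur (and could have their error code
 * overwritten by the readOnly update); they now jump to done:, and the
 * commit itself is made only on success.
 *
 * NOTE(review): no access check is visible in this handler; presumably
 * the caller enforces ACLs on the monitor entry before invoking it --
 * confirm, since an accepted request lifts or imposes operation
 * restrictions on a running database.
 */
static int
monitor_subsys_database_modify(
	Operation	*op,
	SlapReply	*rs,
	Entry		*e )
{
	monitor_info_t	*mi = (monitor_info_t *)op->o_bd->be_private;
	int		rc = LDAP_OTHER;
	Attribute	*save_attrs, *a;
	Modifications	*ml;
	Backend		*be;
	int		ro_gotval = 1, i, n;
	slap_mask_t	rp_add = 0, rp_delete = 0, rp_cur;
	struct berval	*tf;

	/* entries that are not "cn=database <n>,..." are left to the default handling */
	i = sscanf( e->e_nname.bv_val, "cn=database %d,", &n );
	if ( i != 1 ) {
		return SLAP_CB_CONTINUE;
	}

	if ( n < 0 || n >= nBackendDB ) {
		rs->sr_text = "invalid database index";
		return ( rs->sr_err = LDAP_NO_SUCH_OBJECT );
	}

	/* walk to the n-th database; assumes nBackendDB matches the length of backendDB */
	LDAP_STAILQ_FOREACH( be, &backendDB, be_next ) {
		if ( n == 0 ) {
			break;
		}
		n--;
	}
	/* do not allow some changes on back-monitor (needs work)... */
	if ( SLAP_MONITOR( be ) ) {
		rs->sr_text = "no modifications allowed to monitor database entry";
		return ( rs->sr_err = LDAP_UNWILLING_TO_PERFORM );
	}

	/* work on a copy of the mask and of the attribute list until the request is accepted */
	rp_cur = be->be_restrictops;

	save_attrs = e->e_attrs;
	e->e_attrs = attrs_dup( e->e_attrs );

	for ( ml = op->orm_modlist; ml; ml = ml->sml_next ) {
		Modification *mod = &ml->sml_mod;

		if ( mod->sm_desc == mi->mi_ad_readOnly ) {
			int	val = -1;

			if ( mod->sm_values ) {
				if ( !BER_BVISNULL( &mod->sm_values[ 1 ] ) ) {
					rs->sr_text = "attempting to modify multiple values of single-valued attribute";
					rc = rs->sr_err = LDAP_CONSTRAINT_VIOLATION;
					goto done;
				}

				if ( bvmatch( &slap_true_bv, mod->sm_values )) {
					val = 1;

				} else if ( bvmatch( &slap_false_bv, mod->sm_values )) {
					val = 0;

				} else {
					/*
					 * NOTE(review): with assertions enabled this
					 * aborts the process instead of returning
					 * invalidSyntax -- confirm earlier validation
					 * guarantees only TRUE/FALSE can arrive here.
					 */
					assert( 0 );
					rc = rs->sr_err = LDAP_INVALID_SYNTAX;
					goto done;
				}
			}

			/* ro_gotval tracks how many readOnly values the entry would hold (must end at 1) */
			switch ( mod->sm_op ) {
			case LDAP_MOD_DELETE:
				if ( ro_gotval < 1 ) {
					rc = rs->sr_err = LDAP_CONSTRAINT_VIOLATION;
					goto done;
				}
				ro_gotval--;

				/* deleting a specific value requires that it is the current one */
				if ( val == 0 && ( rp_cur & SLAP_RESTRICT_OP_WRITES ) == SLAP_RESTRICT_OP_WRITES ) {
					rc = rs->sr_err = LDAP_NO_SUCH_ATTRIBUTE;
					goto done;
				}

				if ( val == 1 && ( rp_cur & SLAP_RESTRICT_OP_WRITES ) != SLAP_RESTRICT_OP_WRITES ) {
					rc = rs->sr_err = LDAP_NO_SUCH_ATTRIBUTE;
					goto done;
				}

				break;

			case LDAP_MOD_REPLACE:
				ro_gotval = 0;
				/* fall thru */

			case LDAP_MOD_ADD:
				if ( ro_gotval > 0 ) {
					rc = rs->sr_err = LDAP_CONSTRAINT_VIOLATION;
					goto done;
				}
				ro_gotval++;

				if ( val == 1 ) {
					/* readOnly TRUE: restrict every write operation */
					rp_add |= (~rp_cur) & SLAP_RESTRICT_OP_WRITES;
					rp_cur |= SLAP_RESTRICT_OP_WRITES;
					rp_delete &= ~SLAP_RESTRICT_OP_WRITES;

				} else if ( val == 0 ) {
					/* readOnly FALSE: lift every write restriction */
					rp_delete |= rp_cur & SLAP_RESTRICT_OP_WRITES;
					rp_cur &= ~SLAP_RESTRICT_OP_WRITES;
					rp_add &= ~SLAP_RESTRICT_OP_WRITES;
				}
				break;

			default:
				rc = rs->sr_err = LDAP_OTHER;
				goto done;
			}

		} else if ( mod->sm_desc == mi->mi_ad_restrictedOperation ) {
			slap_mask_t	mask = 0;

			switch ( mod->sm_op ) {
			case LDAP_MOD_DELETE:
				if ( mod->sm_values == NULL ) {
					/* delete without values: drop every restriction */
					rp_delete = rp_cur;
					rp_cur = 0;
					rp_add = 0;
					break;
				}
				/* passing ~rp_cur makes value_mask() reject values that are not currently set */
				rc = value_mask( mod->sm_values, ~rp_cur, &mask );
				if ( rc == LDAP_SUCCESS ) {
					rp_delete |= mask;
					rp_add &= ~mask;
					rp_cur &= ~mask;

				} else if ( rc == LDAP_OTHER ) {
					/* NOTE(review): unlike the add case, rs->sr_err is not set here */
					rc = LDAP_NO_SUCH_ATTRIBUTE;
				}
				break;

			case LDAP_MOD_REPLACE:
				rp_delete = rp_cur;
				rp_cur = 0;
				rp_add = 0;
				/* fall thru */

			case LDAP_MOD_ADD:
				rc = value_mask( mod->sm_values, rp_cur, &mask );
				if ( rc == LDAP_SUCCESS ) {
					rp_add |= mask;
					rp_cur |= mask;
					rp_delete &= ~mask;

				} else if ( rc == LDAP_OTHER ) {
					rc = rs->sr_err = LDAP_TYPE_OR_VALUE_EXISTS;
				}
				break;

			default:
				rc = rs->sr_err = LDAP_OTHER;
				break;
			}

			if ( rc != LDAP_SUCCESS ) {
				goto done;
			}

		} else if ( is_at_operational( mod->sm_desc->ad_type )) {
		/* accept all operational attributes */
			attr_delete( &e->e_attrs, mod->sm_desc );
			rc = attr_merge( e, mod->sm_desc, mod->sm_values,
				mod->sm_nvalues );
			if ( rc ) {
				rc = rs->sr_err = LDAP_OTHER;
				/* abort the request; must not reach the commit below */
				goto done;
			}

		} else {
			rc = rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
			/* abort the request; must not reach the commit below */
			goto done;
		}
	}

	/* sanity checks: */
	if ( ro_gotval < 1 ) {
		rc = rs->sr_err = LDAP_CONSTRAINT_VIOLATION;
		goto done;
	}

	/* "extended" as a whole and individual extended operations are mutually exclusive */
	if ( ( rp_cur & SLAP_RESTRICT_OP_EXTENDED ) && ( rp_cur & SLAP_RESTRICT_EXOP_MASK ) ) {
		rc = rs->sr_err = LDAP_CONSTRAINT_VIOLATION;
		goto done;
	}

	if ( rp_delete & rp_add ) {
		rc = rs->sr_err = LDAP_OTHER;
		goto done;
	}

	/* check current value of readOnly */
	if ( ( rp_cur & SLAP_RESTRICT_OP_WRITES ) == SLAP_RESTRICT_OP_WRITES ) {
		tf = (struct berval *)&slap_true_bv;

	} else {
		tf = (struct berval *)&slap_false_bv;
	}

	a = attr_find( e->e_attrs, mi->mi_ad_readOnly );
	if ( a == NULL ) {
		rc = LDAP_OTHER;
		goto done;
	}

	/*
	 * Bring the stored readOnly value in line with the new mask.  rc
	 * still holds its initial LDAP_OTHER when the request contained
	 * only readOnly changes, so this assignment is what turns such a
	 * request into a success.
	 */
	if ( !bvmatch( &a->a_vals[ 0 ], tf ) ) {
		attr_delete( &e->e_attrs, mi->mi_ad_readOnly );
		rc = attr_merge_one( e, mi->mi_ad_readOnly, tf, tf );
	}

	if ( rc == LDAP_SUCCESS ) {
		if ( rp_delete ) {
			if ( rp_delete == be->be_restrictops ) {
				attr_delete( &e->e_attrs, mi->mi_ad_restrictedOperation );

			} else {
				a = attr_find( e->e_attrs, mi->mi_ad_restrictedOperation );
				if ( a == NULL ) {
					rc = rs->sr_err = LDAP_OTHER;
					goto done;
				}

				/* remove the values of the lifted plain operations, closing the gap each time */
				for ( i = 0; !BER_BVISNULL( &restricted_ops[ i ].op ); i++ ) {
					if ( rp_delete & restricted_ops[ i ].tag ) {
						int	j;

						for ( j = 0; !BER_BVISNULL( &a->a_nvals[ j ] ); j++ ) {
							int		k;

							if ( !bvmatch( &a->a_nvals[ j ], &restricted_ops[ i ].op ) ) {
								continue;
							}

							ch_free( a->a_vals[ j ].bv_val );
							ch_free( a->a_nvals[ j ].bv_val );

							for ( k = j + 1; !BER_BVISNULL( &a->a_nvals[ k ] ); k++ ) {
								a->a_vals[ k - 1 ] = a->a_vals[ k ];
								a->a_nvals[ k - 1 ] = a->a_nvals[ k ];
							}

							BER_BVZERO( &a->a_vals[ k - 1 ] );
							BER_BVZERO( &a->a_nvals[ k - 1 ] );
							a->a_numvals--;
						}
					}
				}

				/* same for the lifted extended operations */
				for ( i = 0; !BER_BVISNULL( &restricted_exops[ i ].op ); i++ ) {
					if ( rp_delete & restricted_exops[ i ].tag ) {
						int	j;

						for ( j = 0; !BER_BVISNULL( &a->a_nvals[ j ] ); j++ ) {
							int		k;

							if ( !bvmatch( &a->a_nvals[ j ], &restricted_exops[ i ].op ) ) {
								continue;
							}

							ch_free( a->a_vals[ j ].bv_val );
							ch_free( a->a_nvals[ j ].bv_val );

							for ( k = j + 1; !BER_BVISNULL( &a->a_nvals[ k ] ); k++ ) {
								a->a_vals[ k - 1 ] = a->a_vals[ k ];
								a->a_nvals[ k - 1 ] = a->a_nvals[ k ];
							}

							BER_BVZERO( &a->a_vals[ k - 1 ] );
							BER_BVZERO( &a->a_nvals[ k - 1 ] );
							a->a_numvals--;
						}
					}
				}

				/*
				 * NOTE(review): the loops above clear array
				 * elements but never set a->a_vals itself to NULL,
				 * so this test looks unreachable from here --
				 * confirm whether a_numvals == 0 was intended.
				 */
				if ( a->a_vals == NULL ) {
					assert( a->a_numvals == 0 );

					attr_delete( &e->e_attrs, mi->mi_ad_restrictedOperation );
				}
			}
		}

		if ( rp_add ) {
			for ( i = 0; !BER_BVISNULL( &restricted_ops[ i ].op ); i++ ) {
				if ( rp_add & restricted_ops[ i ].tag ) {
					attr_merge_one( e, mi->mi_ad_restrictedOperation,
							&restricted_ops[ i ].op,
							&restricted_ops[ i ].op );
				}
			}

			for ( i = 0; !BER_BVISNULL( &restricted_exops[ i ].op ); i++ ) {
				if ( rp_add & restricted_exops[ i ].tag ) {
					attr_merge_one( e, mi->mi_ad_restrictedOperation,
							&restricted_exops[ i ].op,
							&restricted_exops[ i ].op );
				}
			}
		}

		/* commit the new mask only now that the whole request has been accepted */
		be->be_restrictops = rp_cur;
	}

done:;
	if ( rc == LDAP_SUCCESS ) {
		/* keep the updated attribute list */
		attrs_free( save_attrs );
		rc = SLAP_CB_CONTINUE;

	} else {
		/* roll the entry back to the attribute list it had on entry */
		Attribute *tmp = e->e_attrs;
		e->e_attrs = save_attrs;
		attrs_free( tmp );
	}
	return rc;
}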
997 }
998 
999 #if defined(LDAP_SLAPI)
/*
 * Add one monitoredInfo value per SLAPI plugin of database `be' to
 * e_database.  Each value is a text line with the plugin's index and,
 * when a description block is available, its id, vendor, version and
 * description.
 *
 * Returns LDAP_OTHER when slapi_int_pblock_get_first() does not succeed
 * (no plugins installed), the non-success result of slapi_pblock_get() if
 * a description cannot be fetched, and otherwise the result of the last
 * slapi_pblock_get() call.  The result of attr_merge_normalize_one() is
 * not checked.
 *
 * NOTE(review): the spd_* strings are passed to "%s" without a NULL
 * check -- confirm plugins always fill in all four fields.
 */
static int
monitor_back_add_plugin( monitor_info_t *mi, Backend *be, Entry *e_database )
{
	Slapi_PBlock	*pb;
	int		idx = 0, rc;

	if ( slapi_int_pblock_get_first( be, &pb ) != LDAP_SUCCESS ) {
		/*
		 * LDAP_OTHER is returned if no plugins are installed
		 */
		return LDAP_OTHER;
	}

	for ( ;; ) {
		Slapi_PluginDesc	*desc;
		char			line[ BACKMONITOR_BUFSIZE ];
		struct berval		value;

		rc = slapi_pblock_get( pb, SLAPI_PLUGIN_DESCRIPTION, &desc );
		if ( rc != LDAP_SUCCESS ) {
			return rc;
		}

		if ( desc == NULL ) {
			snprintf( line, sizeof(line),
					"plugin %d name: <no description available>", idx );
		} else {
			/* snprintf() bounds the write; an over-long description is silently cut */
			snprintf( line, sizeof(line),
					"plugin %d name: %s; "
					"vendor: %s; "
					"version: %s; "
					"description: %s",
					idx,
					desc->spd_id,
					desc->spd_vendor,
					desc->spd_version,
					desc->spd_description );
		}

		ber_str2bv( line, 0, 0, &value );
		attr_merge_normalize_one( e_database,
				mi->mi_ad_monitoredInfo, &value, NULL );

		idx++;

		/* stop when the iterator reports an error or runs out of plugins */
		if ( slapi_int_pblock_get_next( &pb ) != LDAP_SUCCESS || pb == NULL ) {
			break;
		}
	}

	return rc;
}
1053 #endif /* defined(LDAP_SLAPI) */
1054