From 2a141bf2c12ae0f9a54e130e7f149d2ba7997942 Mon Sep 17 00:00:00 2001
From: Simo Sorce <ssorce@redhat.com>
Date: Mon, 25 Oct 2010 16:33:31 -0400
Subject: ipa-uuid: Add enforce mode

By setting the enforce flag in the configuration we prevent anyone from storing
arbitrary values and allow only Directory Manager to override the plugin.
Users can only set the value to the magic value (usually 0) to have the uuid
regenerated, and nothing else.
---
 daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

(limited to 'daemons')

diff --git a/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c b/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c
index 88623457..eb5b40d7 100644
--- a/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c
+++ b/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c
@@ -90,6 +90,7 @@ int slapi_uniqueIDGenerateString(char **uId);
 #define IPAUUID_GENERATE         "ipaUuidMagicRegen"
 #define IPAUUID_FILTER           "ipaUuidFilter"
 #define IPAUUID_SCOPE            "ipaUuidScope"
+#define IPAUUID_ENFORCE          "ipaUuidEnforce"
 
 #define IPAUUID_FEATURE_DESC      "IPA UUID"
 #define IPAUUID_PLUGIN_DESC       "IPA UUID plugin"
@@ -116,6 +117,7 @@ struct configEntry {
     Slapi_Filter *slapi_filter;
     char *generate;
     char *scope;
+    bool enforce;
 };
 
 static PRCList *ipauuid_global_config = NULL;
@@ -565,6 +567,10 @@ ipauuid_parse_config_entry(Slapi_Entry * e, bool apply)
     }
     LOG_CONFIG("----------> %s [%s]\n", IPAUUID_SCOPE, entry->scope);
 
+    entry->enforce = slapi_entry_attr_get_bool(e, IPAUUID_ENFORCE);
+    LOG_CONFIG("----------> %s [%s]\n",
+               IPAUUID_ENFORCE, entry->enforce ? "True" : "False");
+
     /* If we were only called to validate config, we can
      * just bail out before applying the config changes */
     if (!apply) {
@@ -1067,6 +1073,23 @@ static int ipauuid_pre_op(Slapi_PBlock *pb, int modtype)
             slapi_ch_free_string(&value);
             slapi_ch_free_string(&new_value);
 
+        } else {
+            char *bindDN = NULL;
+            int is_root;
+
+            slapi_pblock_get(pb, SLAPI_CONN_DN, &bindDN);
+            is_root = slapi_dn_isroot(bindDN);
+
+            /* If not set to the magic value, check enforcement */
+            if (cfgentry->enforce && is_root != 1) {
+                /* only Directory Manager can set arbitrary values when
+                 * enforce is enabled. */
+                errstr = slapi_ch_smprintf("Only the Directory Manager "
+                                           "can set arbitrary values "
+                                           "for %s\n", cfgentry->attr);
+                ret = LDAP_INSUFFICIENT_ACCESS;
+                goto done;
+            }
         }
     }
 
-- 
cgit