authorNoriko Hosoi <nhosoi@redhat.com>2008-06-27 19:28:22 +0000
committerNoriko Hosoi <nhosoi@redhat.com>2008-06-27 19:28:22 +0000
commit70425fbcea96d1b477fea27eca67fb7e828c446e (patch)
tree7142ac3a793a263cafbd486458fcaeb7c092e54d /ldap/servers/slapd/schema.c
parentb643fa2279635381cdb0ff6d62f39b93f6a6e22f (diff)
Resolves: #437525
Summary: GER: allow GER for non-existing entries Description: [slapd/charray.c] new: charray_merge_nodup -- merge 2 string arrays skipping the duplicates modified: charray_remove -- introduced "freeit" flag. If true, the removed string is freed. (The API is used only in chainingdb. The change is applied to the plugin.) [slapd/opshared.c] modified: check OP_FLAG_GET_EFFECTIVE_RIGHTS in the iterate to support "@<objectclass>". It's needed to do at the location since we have to call acl plugin even when no entries are returned from the search. If no entries are returned and "@<objectclass>" is found in the attribute list, acl effective rights code generates the corresponding template entry. [slapd/pblock.c] place to store gerattrs is added (SLAPI_SEARCH_GERATTRS), where gerattrs is an array of strings which store "...@<objectclass>". [slapd/result.c] moved OP_FLAG_GET_EFFECTIVE_RIGHTS checking to iterate (opshared.c) [slapd/schema.c] new: slapi_schema_list_objectclass_attributes -- return the required and/or allowed attributes belonging to the given objectclass. This is used to support "*" and "+" in the get effective rights. new: slapi_schema_get_superior_name -- return the superior objectclass name of the given objectclass. [slapd/search.c] if "<attr>@<objectclass>" is found in the attribute list, cut the <attr> part out and added to the attrs array (pblock SLAPI_SEARCH_ATTRS) and store the original string to the gerattrs (pblock SLAPI_SEARCH_GERATTRS). [plugin/acl/acleffectiverights.c] modified: _ger_g_permission_granted -- if the requester and the subject user are identical, give "g" permission modified: _ger_parse_control -- replaced strcpy with memmove since strcpy does not guarantee the result of the overlap copy. modified: _ger_get_attrs_rights -- support "*" (all attributes belonging to the object) and "+" (operational attributes). If repeated attributes are found in the given attribute list, they are reduced to one. 
new: _ger_generate_template_entry -- generate a template entry if "@<objectclass>" is passed. [plugin/cb/*] adjusted to the updated charray_remove. Please see also this wiki page for the overview and test cases. http://directory.fedoraproject.org/wiki/Get_Effective_Rights_for_non-present_attributes
Diffstat (limited to 'ldap/servers/slapd/schema.c')
-rw-r--r--ldap/servers/slapd/schema.c122
1 files changed, 94 insertions, 28 deletions
diff --git a/ldap/servers/slapd/schema.c b/ldap/servers/slapd/schema.c
index d116e340..b8e154af 100644
--- a/ldap/servers/slapd/schema.c
+++ b/ldap/servers/slapd/schema.c
@@ -641,41 +641,41 @@ static int
oc_check_required( Slapi_PBlock *pb, Slapi_Entry *e, struct objclass *oc )
{
int i;
- int rc = 0; /* success, by default */
+ int rc = 0; /* success, by default */
Slapi_Attr *a;
if (oc == NULL || oc->oc_required == NULL || oc->oc_required[0] == NULL) {
- return 0; /* success, as none required */
+ return 0; /* success, as none required */
}
/* for each required attribute */
for ( i = 0; oc->oc_required[i] != NULL; i++ ) {
/* see if it's in the entry */
for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
- if ( slapi_attr_type_cmp( oc->oc_required[i], a->a_type,
- SLAPI_TYPE_CMP_SUBTYPE ) == 0 ) {
- break;
- }
- }
-
- /* not there => schema violation */
- if ( a == NULL ) {
- char errtext[ BUFSIZ ];
- char ebuf[ BUFSIZ ];
- LDAPDebug( LDAP_DEBUG_ANY,
- "Entry \"%s\" missing attribute \"%s\" required"
- " by object class \"%s\"\n",
- escape_string( slapi_entry_get_dn_const(e), ebuf ),
- oc->oc_required[i], oc->oc_name);
- if (pb) {
- PR_snprintf( errtext, sizeof( errtext ),
- "missing attribute \"%s\" required"
- " by object class \"%s\"\n",
- oc->oc_required[i], oc->oc_name );
- slapi_pblock_set( pb, SLAPI_PB_RESULT_TEXT, errtext );
- }
- rc = 1; /* failure */
- }
+ if ( slapi_attr_type_cmp( oc->oc_required[i], a->a_type,
+ SLAPI_TYPE_CMP_SUBTYPE ) == 0 ) {
+ break;
+ }
+ }
+
+ /* not there => schema violation */
+ if ( a == NULL ) {
+ char errtext[ BUFSIZ ];
+ char ebuf[ BUFSIZ ];
+ LDAPDebug( LDAP_DEBUG_ANY,
+ "Entry \"%s\" missing attribute \"%s\" required"
+ " by object class \"%s\"\n",
+ escape_string( slapi_entry_get_dn_const(e), ebuf ),
+ oc->oc_required[i], oc->oc_name);
+ if (pb) {
+ PR_snprintf( errtext, sizeof( errtext ),
+ "missing attribute \"%s\" required"
+ " by object class \"%s\"\n",
+ oc->oc_required[i], oc->oc_name );
+ slapi_pblock_set( pb, SLAPI_PB_RESULT_TEXT, errtext );
+ }
+ rc = 1; /* failure */
+ }
}
return rc;
@@ -1392,8 +1392,8 @@ schema_list_attributes_callback(struct asyntaxinfo *asi, void *arg)
}
/* Return the list of attributes names matching attribute flags */
-
-char ** slapi_schema_list_attribute_names(unsigned long flag)
+char **
+slapi_schema_list_attribute_names(unsigned long flag)
{
struct listargs aew;
memset(&aew,0,sizeof(struct listargs));
@@ -4966,3 +4966,69 @@ slapi_reload_schema_files(char *schemadir)
return LDAP_LOCAL_ERROR;
}
}
+
+/*
+ * slapi_schema_list_objectclass_attributes:
+ * Return the list of attributes belonging to the objectclass
+ *
+ * The caller is responsible to free the returned list with charray_free.
+ * flags: one of them or both:
+ * SLAPI_OC_FLAG_REQUIRED
+ * SLAPI_OC_FLAG_ALLOWED
+ */
+char **
+slapi_schema_list_objectclass_attributes(const char *ocname_or_oid,
+ PRUint32 flags)
+{
+ struct objclass *oc = NULL;
+ char **attrs = NULL;
+ PRUint32 mask = SLAPI_OC_FLAG_REQUIRED | SLAPI_OC_FLAG_ALLOWED;
+
+ if (!flags) {
+ return attrs;
+ }
+
+ oc_lock_read();
+ oc = oc_find_nolock(ocname_or_oid);
+ if (oc) {
+ switch (flags & mask) {
+ case SLAPI_OC_FLAG_REQUIRED:
+ attrs = charray_dup(oc->oc_required);
+ break;
+ case SLAPI_OC_FLAG_ALLOWED:
+ attrs = charray_dup(oc->oc_allowed);
+ break;
+ case SLAPI_OC_FLAG_REQUIRED|SLAPI_OC_FLAG_ALLOWED:
+ attrs = charray_dup(oc->oc_required);
+ charray_merge(&attrs, oc->oc_allowed, 1/*copy_strs*/);
+ break;
+ default:
+ slapi_log_error( SLAPI_LOG_FATAL, "list objectclass attributes",
+ "flag 0x%x not supported\n", flags );
+ break;
+ }
+ }
+ oc_unlock();
+ return attrs;
+}
+
+/*
+ * slapi_schema_get_superior_name:
+ * Return the name of the superior objectclass
+ *
+ * The caller is responsible to free the returned name
+ */
+char *
+slapi_schema_get_superior_name(const char *ocname_or_oid)
+{
+ struct objclass *oc = NULL;
+ char *superior = NULL;
+
+ oc_lock_read();
+ oc = oc_find_nolock(ocname_or_oid);
+ if (oc) {
+ superior = slapi_ch_strdup(oc->oc_superior);
+ }
+ oc_unlock();
+ return superior;
+}
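Review bot: In slapi_schema_list_objectclass_attributes, `oc->oc_required` and `oc->oc_allowed` are passed to charray_dup() and charray_merge() without a NULL check, although oc_check_required() in the first hunk of this file treats `oc->oc_required == NULL` as a normal state. Whether charray_dup() tolerates a NULL array is not visible here; if it does not, an objectclass with no required or no allowed attributes would dereference NULL while the read lock is held, and per the commit description the objectclass name comes from the client-supplied "@<objectclass>" attribute list. Guarding each copy, e.g. `attrs = oc->oc_required ? charray_dup(oc->oc_required) : NULL;` (same for `oc_allowed`, and skipping the merge when `oc_allowed` is NULL), would make the function safe regardless of how the helpers behave. The header comments could also state that both new functions return NULL for an unknown objectclass, and for slapi_schema_get_superior_name presumably also when the class has no superior.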