author | Endi S. Dewata <edewata@redhat.com> | 2010-04-17 00:08:35 -0500 |
---|---|---|
committer | Rich Megginson <rmeggins@redhat.com> | 2010-04-26 17:41:45 -0600 |
commit | 1d7f7f52485922e9fa992de0e74ede1d44b81097 (patch) | |
tree | 37bd3f871b8315c6ef923186b5bea1ccb7e1d898 /ldap | |
parent | a7b2cdc8c3ee5fcc23155d791cafc48f554008f2 (diff) | |
Bug 145181 - Plugin target/bind subtrees only take 1 value.
https://bugzilla.redhat.com/show_bug.cgi?id=145181
Resolves: bug 145181
Bug Description: Plugin target/bind subtrees only take 1 value.
Fix Description: New multi-valued attributes nsslapd-exclude-targetSubtree and
nsslapd-exclude-bindSubtree have been added to specify subtrees for which the plugin is not invoked.
The set_plugin_config_from_entry() has been modified to read multiple
subtrees. The plugin_invoke_plugin_sdn() and plugin_allow_internal_op()
have been modified to check for excluded subtrees.
Reviewed by: rmeggins (and pushed)
Diffstat (limited to 'ldap')
-rw-r--r-- | ldap/servers/slapd/plugin.c | 82 | ||||
-rw-r--r-- | ldap/servers/slapd/slap.h | 8 |
2 files changed, 74 insertions, 16 deletions
diff --git a/ldap/servers/slapd/plugin.c b/ldap/servers/slapd/plugin.c
index 84dbcfe5..658fcf47 100644
--- a/ldap/servers/slapd/plugin.c
+++ b/ldap/servers/slapd/plugin.c
@@ -1726,6 +1726,8 @@ set_plugin_config_from_entry(
 {
 struct pluginconfig *config = &plugin->plg_conf;
 char *value = 0;
+ char **values = 0;
+ int i = 0;
 int status = 0;
 PRBool target_seen = PR_FALSE;
 PRBool bind_seen = PR_FALSE;
@@ -1782,39 +1784,73 @@ set_plugin_config_from_entry(
 slapi_ch_free((void**)&value);
 }
 
- if ((value = slapi_entry_attr_get_charptr(plugin_entry,
- ATTR_PLUGIN_TARGET_SUBTREE)) != NULL)
+ values = slapi_entry_attr_get_charray(plugin_entry,
+ ATTR_PLUGIN_TARGET_SUBTREE);
+ for (i=0; values && values[i]; i++)
 {
- if (plugin_set_subtree_config(&(config->plgc_target_subtrees), value))
+ if (plugin_set_subtree_config(&(config->plgc_target_subtrees), values[i]))
 {
 LDAPDebug(LDAP_DEBUG_PLUGIN, "Error: invalid value %s for attribute %s "
- "from entry %s\n", value, ATTR_PLUGIN_TARGET_SUBTREE,
+ "from entry %s\n", values[i], ATTR_PLUGIN_TARGET_SUBTREE,
 slapi_entry_get_dn_const(plugin_entry));
 status = 1;
+ break;
 }
 else
 {
 target_seen = PR_TRUE;
 }
- slapi_ch_free((void**)&value);
 }
+ slapi_ch_array_free(values);
 
- if ((value = slapi_entry_attr_get_charptr(plugin_entry,
- ATTR_PLUGIN_BIND_SUBTREE)) != NULL)
+ values = slapi_entry_attr_get_charray(plugin_entry,
+ ATTR_PLUGIN_EXCLUDE_TARGET_SUBTREE);
+ for (i=0; values && values[i]; i++)
+ {
+ if (plugin_set_subtree_config(&(config->plgc_excluded_target_subtrees), values[i]))
+ {
+ LDAPDebug(LDAP_DEBUG_PLUGIN, "Error: invalid value %s for attribute %s "
+ "from entry %s\n", values[i], ATTR_PLUGIN_EXCLUDE_TARGET_SUBTREE,
+ slapi_entry_get_dn_const(plugin_entry));
+ status = 1;
+ break;
+ }
+ }
+ slapi_ch_array_free(values);
+
+ values = slapi_entry_attr_get_charray(plugin_entry,
+ ATTR_PLUGIN_BIND_SUBTREE);
+ for (i=0; values && values[i]; i++)
 {
- if (plugin_set_subtree_config(&(config->plgc_bind_subtrees), value))
+ if (plugin_set_subtree_config(&(config->plgc_bind_subtrees), values[i]))
 {
 LDAPDebug(LDAP_DEBUG_PLUGIN, "Error: invalid value %s for attribute %s "
- "from entry %s\n", value, ATTR_PLUGIN_BIND_SUBTREE,
+ "from entry %s\n", values[i], ATTR_PLUGIN_BIND_SUBTREE,
 slapi_entry_get_dn_const(plugin_entry));
 status = 1;
+ break;
 }
 else
 {
 bind_seen = PR_TRUE;
 }
- slapi_ch_free((void**)&value);
 }
+ slapi_ch_array_free(values);
+
+ values = slapi_entry_attr_get_charray(plugin_entry,
+ ATTR_PLUGIN_EXCLUDE_BIND_SUBTREE);
+ for (i=0; values && values[i]; i++)
+ {
+ if (plugin_set_subtree_config(&(config->plgc_excluded_bind_subtrees), values[i]))
+ {
+ LDAPDebug(LDAP_DEBUG_PLUGIN, "Error: invalid value %s for attribute %s "
+ "from entry %s\n", values[i], ATTR_PLUGIN_EXCLUDE_BIND_SUBTREE,
+ slapi_entry_get_dn_const(plugin_entry));
+ status = 1;
+ break;
+ }
+ }
+ slapi_ch_array_free(values);
 
 /* set target subtree default - allow access to all data */
 if (!target_seen)
@@ -2274,7 +2310,9 @@ plugin_config_init (struct pluginconfig *config)
 PR_ASSERT (config);
 
 ptd_init (&config->plgc_target_subtrees);
+ ptd_init (&config->plgc_excluded_target_subtrees);
 ptd_init (&config->plgc_bind_subtrees);
+ ptd_init (&config->plgc_excluded_bind_subtrees);
 config->plgc_schema_check = PLGC_ON;
 config->plgc_invoke_for_replop = PLGC_ON;
 /* currently, we leave it up to plugin, but don't actually tell plugins that they can choose.
@@ -2319,7 +2357,9 @@ plugin_config_cleanup (struct pluginconfig *config)
 PR_ASSERT (config);
 
 ptd_cleanup (&config->plgc_target_subtrees);
+ ptd_cleanup (&config->plgc_excluded_target_subtrees);
 ptd_cleanup (&config->plgc_bind_subtrees);
+ ptd_cleanup (&config->plgc_excluded_bind_subtrees);
 }
 
 #if 0
@@ -2380,13 +2420,13 @@ PRBool
 plugin_invoke_plugin_sdn (struct slapdplugin *plugin, int operation, Slapi_PBlock *pb, Slapi_DN *target_spec)
 {
 PluginTargetData *ptd;
+ PluginTargetData *excludedPtd;
 struct pluginconfig *config;
 Slapi_Backend *be;
 int isroot;
 PRBool islocal;
 PRBool bindop;
 unsigned long op;
- PRBool rc;
 int method = -1;
 
 PR_ASSERT (plugin);
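Review bot: The four parse loops in set_plugin_config_from_entry are copies of one another that differ only in the attribute name, the PluginTargetData they fill and whether a `*_seen` flag is set, which is the kind of duplication that drifts the next time one of them is touched; a small static helper keeps the behaviour (earlier valid values stay in the list, `status = 1` on the first bad one, the array always freed) in one place. Also worth noting: a mistyped DN in nsslapd-exclude-targetSubtree is reported only at LDAP_DEBUG_PLUGIN, so with default logging the plugin silently runs with a shorter exclusion list than the administrator configured — this is the level the old code already used for the target attribute, so it is pre-existing, but exclusions now act as a security boundary and LDAP_DEBUG_ANY would be the safer level. set_plugin_config_from_entry begins and ends outside this hunk, so what the caller does with `status` is not visible here.
```c
/* Read every value of `attr` on `plugin_entry` into `ptd`.
 * Returns 0 when all values parsed, 1 on the first invalid value
 * (the values accepted before it remain in `ptd`).  `seen`, when
 * non-NULL, is set to PR_TRUE once at least one value was accepted. */
static int
plugin_set_subtree_list(PluginTargetData *ptd, Slapi_Entry *plugin_entry,
                        const char *attr, PRBool *seen)
{
	char **values = slapi_entry_attr_get_charray(plugin_entry, attr);
	int i, status = 0;

	for (i = 0; values && values[i]; i++) {
		if (plugin_set_subtree_config(ptd, values[i])) {
			LDAPDebug(LDAP_DEBUG_PLUGIN, "Error: invalid value %s for attribute %s "
			          "from entry %s\n", values[i], attr,
			          slapi_entry_get_dn_const(plugin_entry));
			status = 1;
			break;
		}
		if (seen) {
			*seen = PR_TRUE;
		}
	}
	slapi_ch_array_free(values);
	return status;
}

/* … in set_plugin_config_from_entry, replacing the four loops … */
	if (plugin_set_subtree_list(&config->plgc_target_subtrees, plugin_entry,
	                            ATTR_PLUGIN_TARGET_SUBTREE, &target_seen)) {
		status = 1;
	}
	/* … same call for ATTR_PLUGIN_EXCLUDE_TARGET_SUBTREE (seen = NULL),
	     ATTR_PLUGIN_BIND_SUBTREE (&bind_seen) and
	     ATTR_PLUGIN_EXCLUDE_BIND_SUBTREE (seen = NULL) … */
```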
@@ -2453,15 +2493,19 @@ plugin_invoke_plugin_sdn (struct slapdplugin *plugin, int operation, Slapi_PBloc
 if (bindop)
 {
 ptd = &(config->plgc_bind_subtrees);
+ excludedPtd = &(config->plgc_excluded_bind_subtrees);
 }
 else
 {
 ptd = &(config->plgc_target_subtrees);
+ excludedPtd = &(config->plgc_excluded_target_subtrees);
 }
 
- rc = plugin_matches_operation (target_spec, ptd, bindop, isroot, islocal, method);
+ if (plugin_matches_operation (target_spec, excludedPtd, bindop, isroot, islocal, method) == PR_TRUE) {
+ return PR_FALSE;
+ }
 
- return rc;
+ return plugin_matches_operation (target_spec, ptd, bindop, isroot, islocal, method);
 }
 
 /* this interface is exposed to be used by internal operations.
@@ -2528,6 +2572,9 @@ PRBool plugin_allow_internal_op (Slapi_DN *target_spec, struct slapdplugin *plug
 Slapi_Backend *be;
 int islocal;
 
+ if (plugin_is_global (&config->plgc_excluded_target_subtrees))
+ return PR_FALSE;
+
 if (plugin_is_global (&config->plgc_target_subtrees))
 return PR_TRUE;
 
@@ -2545,7 +2592,14 @@ PRBool plugin_allow_internal_op (Slapi_DN *target_spec, struct slapdplugin *plug
 } else {
 islocal = be != defbackend_get_backend();
 }
- /* SIMPLE auth method sends us through original code path in plugin_mathches_operation */
+
+ /* SIMPLE auth method sends us through original code path in plugin_mathches_operation */
+
+ if (plugin_matches_operation (target_spec, &config->plgc_excluded_target_subtrees,
+ PR_FALSE, PR_FALSE, islocal, LDAP_AUTH_SIMPLE) == PR_TRUE) {
+ return PR_FALSE;
+ }
+
 return plugin_matches_operation (target_spec, &config->plgc_target_subtrees,
 PR_FALSE, PR_FALSE, islocal, LDAP_AUTH_SIMPLE);
 }
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index aa5a88b4..ba550c72 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
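Review bot: plugin_invoke_plugin_sdn now decides exclusion by calling plugin_matches_operation on `excludedPtd` with exactly the `bindop`/`isroot`/`islocal`/`method` arguments it passes for the inclusion list; that helper is outside this diff, and if it contains match-everything short cuts that do not depend on the configured subtrees (a root bind or a local-backend operation, say), those would now read as "excluded" and silently skip the plugin for every such operation even with an empty nsslapd-exclude-* list. A test with no exclusion configured plus a Directory Manager bind, and one with an exclusion plus an operation on an excluded entry, would pin this down. Minor: `excludedPtd` is the only camelCase name among the locals declared next to it (`ptd`, `isroot`, `islocal`), `excluded_ptd` would match, and `== PR_TRUE` on a PRBool return is redundant. The function begins outside this hunk.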
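Review bot: The new excluded-global test is placed ahead of `if (plugin_is_global (&config->plgc_target_subtrees)) return PR_TRUE;`, but that early return still fires before the per-subtree exclusion match added further down in plugin_allow_internal_op, so a plugin whose target list is global — which is what set_plugin_config_from_entry falls back to when no nsslapd-targetSubtree is set (`set target subtree default - allow access to all data` in the first hunk) — is still allowed internal operations on a subtree listed in nsslapd-exclude-targetSubtree. plugin_invoke_plugin_sdn in this same commit checks exclusion first, so external and internal operations would disagree for the most likely configuration. Dropping the two-line global-target early return and letting the final plugin_matches_operation call on `plgc_target_subtrees` decide would fix it, provided that helper treats a global list as matching everything, which the plugin_invoke_plugin_sdn hunk already relies on; the backend lookup between these two hunks is not visible here, and if it has early returns of its own the exclusion match needs to move ahead of them as well.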
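Review bot: The comment re-added at `+ /* SIMPLE auth method sends us through original code path in plugin_mathches_operation */` carries the old misspelling and now sits above the exclusion test rather than the single call it used to explain; since the line is rewritten anyway, `/* SIMPLE auth method sends us through the original code path in plugin_matches_operation, for both the exclusion test and the final match */` would read correctly. plugin_allow_internal_op starts outside this hunk.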
@@ -707,7 +707,9 @@ struct matchingRuleList {
 #define ATTR_PLUGIN_LOG_ACCESS "nsslapd-logAccess"
 #define ATTR_PLUGIN_LOG_AUDIT "nsslapd-logAudit"
 #define ATTR_PLUGIN_TARGET_SUBTREE "nsslapd-targetSubtree"
+#define ATTR_PLUGIN_EXCLUDE_TARGET_SUBTREE "nsslapd-exclude-targetSubtree"
 #define ATTR_PLUGIN_BIND_SUBTREE "nsslapd-bindSubtree"
+#define ATTR_PLUGIN_EXCLUDE_BIND_SUBTREE "nsslapd-exclude-bindSubtree"
 #define ATTR_PLUGIN_INVOKE_FOR_REPLOP "nsslapd-invokeForReplOp"
 #define ATTR_PLUGIN_LOAD_NOW "nsslapd-pluginLoadNow"
 #define ATTR_PLUGIN_LOAD_GLOBAL "nsslapd-pluginLoadGlobal"
@@ -752,8 +754,10 @@ typedef struct target_data
 }PluginTargetData;
 
 struct pluginconfig{
- PluginTargetData plgc_target_subtrees; /* list of subtrees accessible by the plugin */
- PluginTargetData plgc_bind_subtrees; /* the list of subtrees for which plugin in invoked during bind operation */
+ PluginTargetData plgc_target_subtrees; /* list of subtrees accessible by the plugin */
+ PluginTargetData plgc_excluded_target_subtrees; /* list of subtrees inaccessible by the plugin */
+ PluginTargetData plgc_bind_subtrees; /* the list of subtrees for which plugin is invoked during bind operation */
+ PluginTargetData plgc_excluded_bind_subtrees; /* the list of subtrees for which plugin is not invoked during bind operation */
 PRBool plgc_schema_check; /* inidcates whether schema check is performed during internal op */
 PRBool plgc_log_change; /* indicates whether changes are logged during internal op */
 PRBool plgc_log_access; /* indicates whether internal op is recorded in access log */ |
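Review bot: The comments on the two new pluginconfig members say which subtrees are excluded but not how they interact with the inclusion lists, which is the first thing a reader of the struct will ask; plugin.c in this commit consults the excluded list first and a match there wins, so `/* subtrees the plugin must never see; checked before plgc_target_subtrees and a match here overrides it */` and the bind-side equivalent would document the precedence where the fields are declared. The lists are now multi-valued (set_plugin_config_from_entry reads them with slapi_entry_attr_get_charray), which the comments on all four members could also say. struct pluginconfig continues past this hunk.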