author | Ludwig Krispenz <lkrispen@redhat.com> | 2015-12-11 13:50:53 +0100 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2016-01-21 12:52:08 +0100 |
commit | c152e1007515f208b0c3b84c1ff13a9fe9b45fdf (patch) | |
tree | d2d628559a576df9038b07b4f17d725241cb4512 | |
parent | 54a91c3ed33c7be54cadb188add802e781893ec9 (diff) | |
prevent moving of topology entries out of managed scope by modrdn operations
Ticket: https://fedorahosted.org/freeipa/ticket/5536
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
-rw-r--r-- | daemons/ipa-slapi-plugins/topology/topology.h | 1 | ||||
-rw-r--r-- | daemons/ipa-slapi-plugins/topology/topology_init.c | 2 | ||||
-rw-r--r-- | daemons/ipa-slapi-plugins/topology/topology_pre.c | 53 |
3 files changed, 56 insertions, 0 deletions
diff --git a/daemons/ipa-slapi-plugins/topology/topology.h b/daemons/ipa-slapi-plugins/topology/topology.h
index d264ed9c1..4ea2b368f 100644
--- a/daemons/ipa-slapi-plugins/topology/topology.h
+++ b/daemons/ipa-slapi-plugins/topology/topology.h
@@ -211,6 +211,7 @@ int ipa_topo_post_del(Slapi_PBlock *pb);
 /* preop plugin functions */
 int ipa_topo_pre_add(Slapi_PBlock *pb);
 int ipa_topo_pre_mod(Slapi_PBlock *pb);
+int ipa_topo_pre_modrdn(Slapi_PBlock *pb);
 int ipa_topo_pre_del(Slapi_PBlock *pb);
 /* functions to modify agreements */
diff --git a/daemons/ipa-slapi-plugins/topology/topology_init.c b/daemons/ipa-slapi-plugins/topology/topology_init.c
index de53ad69e..02ff495e3 100644
--- a/daemons/ipa-slapi-plugins/topology/topology_init.c
+++ b/daemons/ipa-slapi-plugins/topology/topology_init.c
@@ -90,6 +90,8 @@ ipa_topo_preop_init(Slapi_PBlock *pb)
 rc = slapi_pblock_set(pb, SLAPI_PLUGIN_BE_PRE_MODIFY_FN,
 (void *)ipa_topo_pre_mod);
+ rc |= slapi_pblock_set(pb, SLAPI_PLUGIN_BE_PRE_MODRDN_FN,
+ (void *)ipa_topo_pre_modrdn);
 rc |= slapi_pblock_set(pb, SLAPI_PLUGIN_BE_PRE_ADD_FN,
 (void *)ipa_topo_pre_add);
 rc |= slapi_pblock_set(pb, SLAPI_PLUGIN_BE_PRE_DELETE_FN,
diff --git a/daemons/ipa-slapi-plugins/topology/topology_pre.c b/daemons/ipa-slapi-plugins/topology/topology_pre.c
index 1788c6d3e..d0436bafc 100644
--- a/daemons/ipa-slapi-plugins/topology/topology_pre.c
+++ b/daemons/ipa-slapi-plugins/topology/topology_pre.c
@@ -402,6 +402,29 @@ ipa_topo_check_segment_updates(Slapi_PBlock *pb)
 }
 int
+ipa_topo_check_entry_move(Slapi_PBlock *pb)
+{
+ int rc = 0;
+ int entry_type = TOPO_IGNORE_ENTRY;
+ Slapi_Entry *modrdn_entry;
+ slapi_pblock_get(pb,SLAPI_MODRDN_TARGET_ENTRY,&modrdn_entry);
+ entry_type = ipa_topo_check_entry_type(modrdn_entry);
+ switch (entry_type) {
+ case TOPO_SEGMENT_ENTRY:
+ case TOPO_CONFIG_ENTRY: {
+ Slapi_DN *newsuperior = NULL;
+ slapi_pblock_get(pb, SLAPI_MODRDN_NEWSUPERIOR_SDN, &newsuperior);
+ if (newsuperior && slapi_sdn_get_dn(newsuperior)) rc = 1;
+ break;
+ }
+ default:
+ rc = 0;
+ break;
+ }
+ return rc;
+}
+
+int
 ipa_topo_check_host_updates(Slapi_PBlock *pb)
 {
 int rc = 0;
@@ -605,3 +628,33 @@ ipa_topo_pre_del(Slapi_PBlock *pb)
 "<-- ipa_topo_pre_del\n");
 return result;
 }
+int
+ipa_topo_pre_modrdn(Slapi_PBlock *pb)
+{
+
+ int result = SLAPI_PLUGIN_SUCCESS;
+
+ slapi_log_error(SLAPI_LOG_PLUGIN, IPA_TOPO_PLUGIN_SUBSYSTEM,
+ "--> ipa_topo_pre_modrdn\n");
+
+ if (0 == ipa_topo_get_plugin_active()) {
+ slapi_log_error(SLAPI_LOG_PLUGIN, IPA_TOPO_PLUGIN_SUBSYSTEM,
+ "<-- ipa_topo_pre_modrdn - plugin not active\n");
+ return 0;
+ }
+
+ if (ipa_topo_pre_ignore_op(pb)) return result;
+
+ if (ipa_topo_check_entry_move(pb)){
+ int rc = LDAP_UNWILLING_TO_PERFORM;
+ char *errtxt;
+ errtxt = slapi_ch_smprintf("Moving of a segment or config entry "
+ "to another subtree is not allowed.\n");
+ slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, errtxt);
+ slapi_pblock_set(pb, SLAPI_RESULT_CODE, &rc);
+ result = SLAPI_PLUGIN_FAILURE;
+ }
+
+ return result;
+
+} |
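Review bot: `modrdn_entry` in ipa_topo_check_entry_move is declared without an initializer and the result of `slapi_pblock_get(pb,SLAPI_MODRDN_TARGET_ENTRY,&modrdn_entry)` is ignored, so if that lookup fails an indeterminate pointer is handed to ipa_topo_check_entry_type. Declare it as `Slapi_Entry *modrdn_entry = NULL;` and make the missing-entry case an explicit decision for this guard; whether ipa_topo_check_entry_type tolerates NULL is not visible in this hunk. The check keys only on the presence of a new superior, so a modrdn that names the entry's current parent is refused too, which deserves a comment above the function such as `/* returns 1 when a segment or config entry is given any new superior */`. As far as this diff shows the function is used only in topology_pre.c and gets no prototype in the topology.h hunk, so `static int` would fit unless other callers exist.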
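Review bot: The refusal branch of ipa_topo_pre_modrdn writes nothing to the server log, so a rejected attempt to move a segment or config entry is visible only to the client that sent it. A line such as `slapi_log_error(SLAPI_LOG_PLUGIN, IPA_TOPO_PLUGIN_SUBSYSTEM, "ipa_topo_pre_modrdn - move of topology entry rejected\n");` before `result = SLAPI_PLUGIN_FAILURE;` would leave a trace for administrators. The function logs `--> ipa_topo_pre_modrdn` on entry but has no matching `<--` line on the normal return paths, unlike ipa_topo_pre_del in the context lines above it. The inactive-plugin path returns the literal `0` while every other path uses `result`; `return result;` there would keep the return convention uniform.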