diff options
author | Ludwig Krispenz <lkrispen@redhat.com> | 2015-06-11 11:22:19 +0200 |
---|---|---|
committer | Petr Vobornik <pvoborni@redhat.com> | 2015-06-11 13:58:02 +0200 |
commit | 056518ab1af36fa4a8d7b4450616145aa0dbfd16 (patch) | |
tree | 58a0233ecf2a924b5a9ca8ac52eab25791c9c72a /daemons | |
parent | b3c2a4b810bfe31dc544648de8fe98dbb84ec320 (diff) | |
download | freeipa-056518ab1af36fa4a8d7b4450616145aa0dbfd16.tar.gz freeipa-056518ab1af36fa4a8d7b4450616145aa0dbfd16.tar.xz freeipa-056518ab1af36fa4a8d7b4450616145aa0dbfd16.zip |
v2-reject modifications of endpoints and connectivity of a segment
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Diffstat (limited to 'daemons')
-rw-r--r-- | daemons/ipa-slapi-plugins/topology/topology_pre.c | 69 |
1 files changed, 60 insertions, 9 deletions
diff --git a/daemons/ipa-slapi-plugins/topology/topology_pre.c b/daemons/ipa-slapi-plugins/topology/topology_pre.c index 0a0cd65b5..cf935d8d2 100644 --- a/daemons/ipa-slapi-plugins/topology/topology_pre.c +++ b/daemons/ipa-slapi-plugins/topology/topology_pre.c @@ -60,7 +60,7 @@ int ipa_topo_is_entry_managed(Slapi_PBlock *pb) } int -ipa_topo_is_modattr_restricted(Slapi_PBlock *pb) +ipa_topo_is_agmt_attr_restricted(Slapi_PBlock *pb) { LDAPMod **mods; int i; @@ -75,6 +75,24 @@ ipa_topo_is_modattr_restricted(Slapi_PBlock *pb) } return rc; } +int +ipa_topo_is_segm_attr_restricted(Slapi_PBlock *pb) +{ + LDAPMod **mods; + int i; + int rc = 0; + + slapi_pblock_get(pb, SLAPI_MODIFY_MODS, &mods); + for (i = 0; (mods != NULL) && (mods[i] != NULL); i++) { + if ((0 == strcasecmp(mods[i]->mod_type, "ipaReplTopoSegmentDirection")) || + (0 == strcasecmp(mods[i]->mod_type, "ipaReplTopoSegmentLeftNode")) || + (0 == strcasecmp(mods[i]->mod_type, "ipaReplTopoSegmentRightNode"))) { + rc = 1; + break; + } + } + return rc; +} /* connectivity check for topology * checks if the nodes of a segment would still be connected after @@ -266,7 +284,7 @@ ipa_topo_connection_exists(struct node_fanout *fanout, char* from, char *to) } int -ipa_topo_check_connect_reject(Slapi_PBlock *pb) +ipa_topo_check_segment_is_valid(Slapi_PBlock *pb) { int rc = 0; Slapi_Entry *add_entry; @@ -309,7 +327,29 @@ ipa_topo_check_connect_reject(Slapi_PBlock *pb) } int -ipa_topo_check_disconnect_reject(Slapi_PBlock *pb) +ipa_topo_check_segment_updates(Slapi_PBlock *pb) +{ + int rc = 0; + Slapi_Entry *mod_entry; + char *pi; + + /* we have to check if the operation is triggered by the + * topology plugin itself - allow it + */ + slapi_pblock_get(pb, SLAPI_PLUGIN_IDENTITY,&pi); + if (pi && 0 == strcasecmp(pi, ipa_topo_get_plugin_id())) { + return 0; + } + slapi_pblock_get(pb,SLAPI_MODIFY_EXISTING_ENTRY,&mod_entry); + if (TOPO_SEGMENT_ENTRY == ipa_topo_check_entry_type(mod_entry) && + (ipa_topo_is_segm_attr_restricted(pb))) { + rc = 1; + } + return rc; +} + +int +ipa_topo_check_topology_disconnect(Slapi_PBlock *pb) { int rc = 1; Slapi_Entry *del_entry; @@ -385,7 +425,7 @@ int ipa_topo_pre_add(Slapi_PBlock *pb) slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, errtxt); slapi_pblock_set(pb, SLAPI_RESULT_CODE, &rc); result = SLAPI_PLUGIN_FAILURE; - } else if (ipa_topo_check_connect_reject(pb)) { + } else if (ipa_topo_check_segment_is_valid(pb)) { int rc = LDAP_UNWILLING_TO_PERFORM; char *errtxt; errtxt = slapi_ch_smprintf("Segment already exists in topology or" @@ -403,6 +443,7 @@ ipa_topo_pre_mod(Slapi_PBlock *pb) { int result = SLAPI_PLUGIN_SUCCESS; + char *errtxt = NULL; slapi_log_error(SLAPI_LOG_PLUGIN, IPA_TOPO_PLUGIN_SUBSYSTEM, "--> ipa_topo_pre_mod\n"); @@ -415,11 +456,21 @@ ipa_topo_pre_mod(Slapi_PBlock *pb) if (ipa_topo_pre_ignore_op(pb)) return result; - if (ipa_topo_is_entry_managed(pb) && ipa_topo_is_modattr_restricted(pb)) { + if (ipa_topo_is_entry_managed(pb)){ + /* this means it is a replication agreement targeting a managed server + * next check is if it tries to modify restricted attributes + */ + if(ipa_topo_is_agmt_attr_restricted(pb)) { + errtxt = slapi_ch_smprintf("Entry and attributes are managed by topology plugin." + "No direct modifications allowed.\n"); + } + } else if (ipa_topo_check_segment_updates(pb)) { + /* some updates to segments are not supported */ + errtxt = slapi_ch_smprintf("Modification of connectivity and segment nodes " + " is not supported.\n"); + } + if (errtxt) { int rc = LDAP_UNWILLING_TO_PERFORM; - char *errtxt; - errtxt = slapi_ch_smprintf("Entry and attributes are managed by topology plugin." - "No direct modifications allowed.\n"); slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, errtxt); slapi_pblock_set(pb, SLAPI_RESULT_CODE, &rc); result = SLAPI_PLUGIN_FAILURE; @@ -453,7 +504,7 @@ ipa_topo_pre_del(Slapi_PBlock *pb) slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, errtxt); slapi_pblock_set(pb, SLAPI_RESULT_CODE, &rc); result = SLAPI_PLUGIN_FAILURE; - } else if (ipa_topo_check_disconnect_reject(pb)) { + } else if (ipa_topo_check_topology_disconnect(pb)) { int rc = LDAP_UNWILLING_TO_PERFORM; char *errtxt; errtxt = slapi_ch_smprintf("Removal of Segment disconnects topology." |