[389-commits] ldap/servers

Noriko Hosoi nhosoi at fedoraproject.org
Tue Nov 2 18:02:12 UTC 2010


 ldap/servers/plugins/cos/cos_cache.c     |   16 +++++------
 ldap/servers/plugins/roles/roles_cache.c |   43 +++++++++++++++++++++++++++++++
 ldap/servers/slapd/vattr.c               |    9 ++++--
 3 files changed, 56 insertions(+), 12 deletions(-)

New commits:
commit 9fa6ff7820883991d2a293ebda60258d9ca6027a
Author: Noriko Hosoi <nhosoi at redhat.com>
Date:   Tue Nov 2 10:21:20 2010 -0700

    Bug 329751 - "nested" filtered roles searches candidates more
    than needed
    
    https://bugzilla.redhat.com/show_bug.cgi?id=329751
    
    Bug Description: If nsRoleFilter in nsRoleDefinition contains
    virtual attributes in the filter AND the attribute type is
    not indexed, following searches could go into a loop starting
    from slapi_vattr_filter_test.  On the other hand, if the
    attribute type is indexed, the nsRoleDefinition is ignored.
    The server does not support virtual attributes for nsRoleFilter,
    but it was not checked.  This patch tries to detect such an invalid
    role definition and issues an error.  Note: the check cannot detect
    the case where the nsRoleFilter is already in the db and a CoS defining
    an attribute in the nsRoleFilter as a virtual attribute is added afterwards.

diff --git a/ldap/servers/plugins/cos/cos_cache.c b/ldap/servers/plugins/cos/cos_cache.c
index 971249c..bfb585e 100644
--- a/ldap/servers/plugins/cos/cos_cache.c
+++ b/ldap/servers/plugins/cos/cos_cache.c
@@ -1034,12 +1034,14 @@ static int 	cos_dn_defs_cb (Slapi_Entry* e, void *callback_data) {
 				 * Don't reset info->ret....it keeps track of any success
 				*/
 				if ( rc == COS_DEF_ERROR_NO_TEMPLATES) {
-					LDAPDebug(LDAP_DEBUG_ANY, "skipping cos definition %s"
-							"--no templates found\n",
-							escape_string(pTmpDn, ebuf),0,0);
+					LDAPDebug(LDAP_DEBUG_ANY, "Skipping CoS Definition %s"
+						"--no CoS Templates found, "
+						"which should be added before the CoS Definition.\n",
+						escape_string(pTmpDn, ebuf), 0, 0);
 				} else {
-					LDAPDebug(LDAP_DEBUG_ANY, "skipping cos definition %s\n"
-								,escape_string(pTmpDn, ebuf),0,0);
+					LDAPDebug(LDAP_DEBUG_ANY, "Skipping CoS Definition %s\n"
+						"--error(%d)\n",
+						escape_string(pTmpDn, ebuf), rc, 0);
 				}
 			}
 			
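Review bot: The else-branch message at L51-L52 embeds a newline between the DN and the error code, so one skipped definition now produces two log lines while the sibling NO_TEMPLATES branch at L44-L47 keeps its record on one line; split records are harder to grep and to correlate in the error log. Use a single-line format, `"Skipping CoS Definition %s--error(%d)\n",` with the same arguments. cos_dn_defs_cb starts before and ends after this hunk.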
@@ -2441,10 +2443,6 @@ static int cos_cache_query_attr(cos_cache *ptheCache, vattr_context *context, Sl
 						/* MAB: We need to free actual_type_name here !!! 
 						XXX BAD--should use slapi_vattr_values_free() */	
 						slapi_ch_free((void **) &actual_type_name);
-						if (SLAPI_VIRTUALATTRS_LOOP_DETECTED == ret) {
-							ret = LDAP_UNWILLING_TO_PERFORM;
-							goto bail;
-						}
 					}
 
 					if(pAttrSpecs || pDef->cosType == COSTYPE_POINTER)
diff --git a/ldap/servers/plugins/roles/roles_cache.c b/ldap/servers/plugins/roles/roles_cache.c
index 838ae27..36952a8 100644
--- a/ldap/servers/plugins/roles/roles_cache.c
+++ b/ldap/servers/plugins/roles/roles_cache.c
@@ -1176,6 +1176,8 @@ static int roles_cache_create_object_from_entry(Slapi_Entry *role_entry, role_ob
 
 			Slapi_Filter *filter = NULL;
 			char *filter_attr_value = NULL;
+			Slapi_PBlock *pb = NULL;
+			char *parent = NULL;
 
 			/* Get the filter and retrieve the filter attribute */
 			filter_attr_value = slapi_entry_attr_get_charptr(role_entry,ROLE_FILTER_ATTR_NAME);
@@ -1185,6 +1187,47 @@ static int roles_cache_create_object_from_entry(Slapi_Entry *role_entry, role_ob
 				slapi_ch_free((void**)&this_role);
 				return SLAPI_ROLE_ERROR_NO_FILTER_SPECIFIED;
 			}
+			/* search (&(objectclass=costemplate)(filter_attr_value))*/
+			/* if found, reject it (returning SLAPI_ROLE_ERROR_FILTER_BAD) */
+			pb = slapi_pblock_new();
+			parent = slapi_dn_parent(slapi_entry_get_dn(role_entry));
+			if (parent) {
+				Slapi_Entry **cosentries = NULL;
+				char *costmpl_filter = NULL;
+				if ((*filter_attr_value == '(') &&
+				    (*(filter_attr_value+strlen(filter_attr_value)-1) == ')')) {
+					costmpl_filter =
+					      slapi_ch_smprintf("(&(objectclass=costemplate)%s)", 
+					                        filter_attr_value);
+				} else {
+					costmpl_filter =
+					      slapi_ch_smprintf("(&(objectclass=costemplate)(%s))", 
+					                        filter_attr_value);
+				}
+				slapi_search_internal_set_pb(pb, parent, LDAP_SCOPE_SUBTREE,
+				                             costmpl_filter, NULL, 0, NULL, 
+				                             NULL, roles_get_plugin_identity(),
+				                             0);
+				slapi_search_internal_pb(pb);
+				slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, 
+				                 &cosentries);
+				slapi_ch_free_string(&costmpl_filter);
+				slapi_ch_free_string(&parent);
+				if (cosentries && *cosentries) {
+					slapi_free_search_results_internal(pb);
+					slapi_pblock_destroy(pb);
+					slapi_log_error(SLAPI_LOG_FATAL, ROLES_PLUGIN_SUBSYSTEM,
+					    "%s: not allowed to refer virtual attribute "
+					    "in the value of %s %s. The %s is disabled.\n",
+					    (char*)slapi_sdn_get_ndn(this_role->dn),
+					    ROLE_FILTER_ATTR_NAME, filter_attr_value,
+					    ROLE_FILTER_ATTR_NAME);
+					slapi_ch_free((void**)&this_role);
+					return SLAPI_ROLE_ERROR_FILTER_BAD;
+				}
+			}
+			slapi_free_search_results_internal(pb);
+			slapi_pblock_destroy(pb);
 
 			/* Turn it into a slapi filter object */
 			filter = slapi_str2filter(filter_attr_value);
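Review bot: The outcome of the internal search at L106 is never read, so a search that fails (filter string rejected by the parser, backend unavailable, plugin identity denied) leaves cosentries NULL and the role definition is accepted exactly as if no CoS template matched — the new check fails open. After `slapi_search_internal_pb(pb);` read the status with `int res = LDAP_SUCCESS; slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &res);` and log the non-success case via slapi_log_error instead of silently continuing; whether a failed check should reject the role or only warn is a policy choice the commit should state. Two smaller points: the pblock is created at L87 before the parent test, so on the parent == NULL path L124 frees results of a search that never ran, which moving `pb = slapi_pblock_new();` inside the if block avoids; and the search requests every attribute of every matching template (attrs NULL, no size limit) when only existence matters, so a size limit of 1 via SLAPI_SEARCH_SIZELIMIT would bound the work, if the internal search honours it when set after slapi_search_internal_set_pb — worth confirming. roles_cache_create_object_from_entry starts before and ends after this hunk.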
diff --git a/ldap/servers/slapd/vattr.c b/ldap/servers/slapd/vattr.c
index df89549..4957132 100644
--- a/ldap/servers/slapd/vattr.c
+++ b/ldap/servers/slapd/vattr.c
@@ -102,7 +102,7 @@ struct _vattr_context {
 	unsigned int vattr_context_loop_count;
 	unsigned int error_displayed;
 };
-#define VATTR_LOOP_COUNT_MAX 256
+#define VATTR_LOOP_COUNT_MAX 50
 
 typedef  vattr_sp_handle vattr_sp_handle_list;
 
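Review bot: The new value 50 for VATTR_LOOP_COUNT_MAX at L138 is explained neither in the code nor in the commit message, so a reader cannot tell whether it was measured against real CoS/role nesting or chosen by guess, and exceeding it is now reported as a loop. Add a comment above the define giving the rationale, e.g. `/* Max nesting depth of virtual-attribute lookups before a loop is declared (bug 329751); legitimate CoS/role chains are expected to stay well below this. */`, with the justification supplied by the author. It is also worth stating that no supported configuration is expected to exceed 50 lookups, since a legitimate deep chain would now be rejected as a loop — presumably rare, but the old limit of 256 gave more headroom.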
@@ -1082,8 +1082,11 @@ int slapi_vattr_namespace_value_compare_sp(vattr_context *c,/* Entry we're inter
 
 	rc = vattr_context_grok(&c);
 	if (0 != rc) {
-		/* Print a handy error log message */
-		LDAPDebug(LDAP_DEBUG_ANY,"Detected virtual attribute loop in compare on entry %s, attribute %s\n", slapi_entry_get_dn_const(e), type, 0);
+		if(!vattr_context_is_loop_msg_displayed(&c)) {
+			/* Print a handy error log message */
+			LDAPDebug(LDAP_DEBUG_ANY,"Detected virtual attribute loop in compare on entry %s, attribute %s\n", slapi_entry_get_dn_const(e), type, 0);
+			vattr_context_set_loop_msg_displayed(&c);
+		}
 		return rc;
 	}
 



