204 lines
5.0 KiB
Diff
204 lines
5.0 KiB
Diff
Fix count constraint when using multiple modifications
|
|
|
|
Constraint overlay doesn't take into account multiple modifications when using
|
|
count.
|
|
|
|
Example: If count for 'description' attribute is set e.g. to 2, the following
|
|
results in a constraint violation:
|
|
|
|
dn: cn=usr2, dc=my-domain,dc=com
|
|
add: description
|
|
description: d1
|
|
description: d2
|
|
description: d3-viol
|
|
|
|
However, this passes:
|
|
|
|
dn: cn=usr2, dc=my-domain,dc=com
|
|
add: description
|
|
description: d1
|
|
-
|
|
add: description
|
|
description: d2
|
|
-
|
|
add: description
|
|
description: d3
|
|
|
|
This patch fixes the behavior in case multiple modifications are used.
|
|
|
|
Author: Jan Synacek <jsynacek@redhat.com>
|
|
Upstream ITS: #7168
|
|
Upstream commit: bb8112c382c24db25b175459e340ce248fe25563
|
|
Resolves: #742163
|
|
|
|
---
|
|
servers/slapd/overlays/constraint.c | 117 ++++++++++++++++++++++++-----------
|
|
1 file changed, 80 insertions(+), 37 deletions(-)
|
|
|
|
diff --git a/servers/slapd/overlays/constraint.c b/servers/slapd/overlays/constraint.c
|
|
index e6a9267..538d383 100644
|
|
--- a/servers/slapd/overlays/constraint.c
|
|
+++ b/servers/slapd/overlays/constraint.c
|
|
@@ -838,6 +838,68 @@ add_violation:
|
|
|
|
|
|
static int
|
|
+constraint_check_count_violation( Modifications *m, Entry *target_entry, constraint *cp )
|
|
+{
|
|
+ BerVarray b = NULL;
|
|
+ unsigned ce = 0;
|
|
+ unsigned ca;
|
|
+ int j;
|
|
+
|
|
+ for ( j = 0; cp->ap[j]; j++ ) {
|
|
+ ca = 0;
|
|
+
|
|
+ /* Get this attribute count */
|
|
+ if ( target_entry )
|
|
+ ce = constraint_count_attr( target_entry, cp->ap[j] );
|
|
+
|
|
+ for( ; m; m = m->sml_next ) {
|
|
+ if ( cp->ap[j] == m->sml_desc ) {
|
|
+ switch ( m->sml_op ) {
|
|
+ case LDAP_MOD_DELETE:
|
|
+ if (( b = m->sml_values ) == NULL || b[0].bv_val == NULL ) {
|
|
+ ce = 0;
|
|
+ }
|
|
+ else {
|
|
+ /* No need to check for values' validity. Invalid values
|
|
+ * cause the whole transaction to die anyway. */
|
|
+ for ( ca = 0; b[ca].bv_val; ++ca );
|
|
+ ce -= ca;
|
|
+ }
|
|
+ break;
|
|
+
|
|
+ case LDAP_MOD_ADD:
|
|
+ if (( b = m->sml_values ) == NULL || b[0].bv_val == NULL )
|
|
+ continue;
|
|
+
|
|
+ for ( ca = 0; b[ca].bv_val; ++ca );
|
|
+ ce += ca;
|
|
+ break;
|
|
+
|
|
+ case LDAP_MOD_REPLACE:
|
|
+ if (( b = m->sml_values ) == NULL || b[0].bv_val == NULL )
|
|
+ continue;
|
|
+
|
|
+ for ( ca = 0; b[ca].bv_val; ++ca );
|
|
+ ce = ca;
|
|
+ break;
|
|
+
|
|
+ default:
|
|
+ /* impossible! assert? */
|
|
+ return 1;
|
|
+ }
|
|
+
|
|
+ Debug(LDAP_DEBUG_TRACE,
|
|
+ "==> constraint_check_count_violation ce = %u, "
|
|
+ "ca = %u, cp->count = %lu\n",
|
|
+ ce, ca, (unsigned long) cp->count);
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+
|
|
+ return ( ce > cp->count );
|
|
+}
|
|
+
|
|
+static int
|
|
constraint_update( Operation *op, SlapReply *rs )
|
|
{
|
|
slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
|
|
@@ -850,6 +912,8 @@ constraint_update( Operation *op, SlapReply *rs )
|
|
struct berval rsv = BER_BVC("modify breaks constraint");
|
|
int rc;
|
|
char *msg = NULL;
|
|
+ int is_v;
|
|
+ int first = 1;
|
|
|
|
if (get_relax(op)) {
|
|
return SLAP_CB_CONTINUE;
|
|
@@ -880,10 +944,12 @@ constraint_update( Operation *op, SlapReply *rs )
|
|
/* Do we need to count attributes? */
|
|
for(cp = c; cp; cp = cp->ap_next) {
|
|
if (cp->count != 0 || cp->set || cp->restrict_lud != 0) {
|
|
- op->o_bd = on->on_info->oi_origdb;
|
|
- rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &target_entry );
|
|
- op->o_bd = be;
|
|
-
|
|
+ if (first) {
|
|
+ op->o_bd = on->on_info->oi_origdb;
|
|
+ rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &target_entry );
|
|
+ op->o_bd = be;
|
|
+ first = 0;
|
|
+ }
|
|
if (rc != 0 || target_entry == NULL) {
|
|
Debug(LDAP_DEBUG_TRACE,
|
|
"==> constraint_update rc = %d DN=\"%s\"%s\n",
|
|
@@ -893,7 +959,16 @@ constraint_update( Operation *op, SlapReply *rs )
|
|
rc = LDAP_CONSTRAINT_VIOLATION;
|
|
goto mod_violation;
|
|
}
|
|
- break;
|
|
+
|
|
+ is_v = constraint_check_count_violation(m, target_entry, cp);
|
|
+
|
|
+ Debug(LDAP_DEBUG_TRACE,
|
|
+ "==> constraint_update is_v: %d\n", is_v, 0, 0);
|
|
+
|
|
+ if (is_v) {
|
|
+ rc = LDAP_CONSTRAINT_VIOLATION;
|
|
+ goto mod_violation;
|
|
+ }
|
|
}
|
|
}
|
|
|
|
@@ -912,10 +987,6 @@ constraint_update( Operation *op, SlapReply *rs )
|
|
if ((( b = m->sml_values ) == NULL ) || (b[0].bv_val == NULL))
|
|
continue;
|
|
|
|
- /* Get this attribute count, if needed */
|
|
- if (target_entry)
|
|
- ce = constraint_count_attr(target_entry, m->sml_desc);
|
|
-
|
|
for(cp = c; cp; cp = cp->ap_next) {
|
|
int j;
|
|
for (j = 0; cp->ap[j]; j++) {
|
|
@@ -929,34 +1000,6 @@ constraint_update( Operation *op, SlapReply *rs )
|
|
continue;
|
|
}
|
|
|
|
- if (cp->count != 0) {
|
|
- unsigned ca;
|
|
-
|
|
- if (m->sml_op == LDAP_MOD_DELETE)
|
|
- ce = 0;
|
|
-
|
|
- for (ca = 0; b[ca].bv_val; ++ca);
|
|
-
|
|
- Debug(LDAP_DEBUG_TRACE,
|
|
- "==> constraint_update ce = %u, "
|
|
- "ca = %u, cp->count = %lu\n",
|
|
- ce, ca, (unsigned long) cp->count);
|
|
-
|
|
- if (m->sml_op == LDAP_MOD_ADD) {
|
|
- if (ca + ce > cp->count) {
|
|
- rc = LDAP_CONSTRAINT_VIOLATION;
|
|
- goto mod_violation;
|
|
- }
|
|
- }
|
|
- if (m->sml_op == LDAP_MOD_REPLACE) {
|
|
- if (ca > cp->count) {
|
|
- rc = LDAP_CONSTRAINT_VIOLATION;
|
|
- goto mod_violation;
|
|
- }
|
|
- ce = ca;
|
|
- }
|
|
- }
|
|
-
|
|
/* DELETE are to be ignored beyond this point */
|
|
if (( m->sml_op & LDAP_MOD_OP ) == LDAP_MOD_DELETE)
|
|
continue;
|
|
--
|
|
1.7.10.4
|
|
|