/** BEGIN COPYRIGHT BLOCK * This Program is free software; you can redistribute it and/or modify it under * the terms of the GNU General Public License as published by the Free Software * Foundation; version 2 of the License. * * This Program is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along with * this Program; if not, write to the Free Software Foundation, Inc., 59 Temple * Place, Suite 330, Boston, MA 02111-1307 USA. * * In addition, as a special exception, Red Hat, Inc. gives You the additional * right to link the code of this Program with code not covered under the GNU * General Public License ("Non-GPL Code") and to distribute linked combinations * including the two, subject to the limitations in this paragraph. Non-GPL Code * permitted under this exception must only link to the code of this Program * through those well defined interfaces identified in the file named EXCEPTION * found in the source code files (the "Approved Interfaces"). The files of * Non-GPL Code may instantiate templates or use macros or inline functions from * the Approved Interfaces without causing the resulting work to be covered by * the GNU General Public License. Only Red Hat, Inc. may make changes or * additions to the list of Approved Interfaces. You must obey the GNU General * Public License in all respects for all of the Program code and other code used * in conjunction with the Program except the Non-GPL Code covered by this * exception. If you modify this file, you may extend this exception to your * version of the file, but you are not obligated to do so. If you do not wish to * provide this exception without modification, you must delete this exception * statement from your version and license this file solely under the GPL without * exception. * * * Copyright (C) 2001 Sun Microsystems, Inc. Used by permission. * Copyright (C) 2005 Red Hat, Inc. * All rights reserved. * END COPYRIGHT BLOCK **/ #ifdef HAVE_CONFIG_H # include #endif /* Code to implement server roles features */ #include "slap.h" #include "vattr_spi.h" #include "roles_cache.h" #define DEFINE_STATECHANGE_STATICS 1 #include "statechange.h" #define STATECHANGE_ROLES_ID "Roles" #define STATECHANGE_ROLES_CONFG_FILTER "objectclass=nsRoleDefinition" #define STATECHANGE_ROLES_ENTRY_FILTER "objectclass=*" #define ROLES_PLUGIN_SUBSYSTEM "roles-plugin" /* for logging */ static void * roles_plugin_identity = NULL; static Slapi_PluginDesc pdesc = { "roles", VENDOR, DS_PACKAGE_VERSION, "roles plugin" }; #ifdef _WIN32 int *module_ldap_debug = 0; void plugin_init_debug_level(int *level_ptr) { module_ldap_debug = level_ptr; } #endif static int roles_start( Slapi_PBlock *pb ); static int roles_post_op( Slapi_PBlock *pb ); static int roles_close( Slapi_PBlock *pb ); static void roles_set_plugin_identity(void * identity); int roles_postop_init ( Slapi_PBlock *pb ) { int rc = 0; Slapi_Entry *plugin_entry = NULL; char *plugin_type = NULL; int postadd = SLAPI_PLUGIN_POST_ADD_FN; int postmod = SLAPI_PLUGIN_POST_MODIFY_FN; int postmdn = SLAPI_PLUGIN_POST_MODRDN_FN; int postdel = SLAPI_PLUGIN_POST_DELETE_FN; if ((slapi_pblock_get(pb, SLAPI_PLUGIN_CONFIG_ENTRY, &plugin_entry) == 0) && plugin_entry && (plugin_type = slapi_entry_attr_get_charptr(plugin_entry, "nsslapd-plugintype")) && plugin_type && strstr(plugin_type, "betxn")) { postadd = SLAPI_PLUGIN_BE_TXN_POST_ADD_FN; postmod = SLAPI_PLUGIN_BE_TXN_POST_MODIFY_FN; postmdn = SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN; postdel = SLAPI_PLUGIN_BE_TXN_POST_DELETE_FN; } slapi_ch_free_string(&plugin_type); if ( slapi_pblock_set( pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_01 ) != 0 || slapi_pblock_set(pb, postmod, (void *)roles_post_op ) != 0 || slapi_pblock_set(pb, postmdn, (void *)roles_post_op ) != 0 || slapi_pblock_set(pb, postadd, (void *) roles_post_op ) != 0 || slapi_pblock_set(pb, postdel, (void *) roles_post_op ) != 0 ) { slapi_log_error( SLAPI_LOG_FATAL, ROLES_PLUGIN_SUBSYSTEM, "roles_postop_init: failed to register plugin\n" ); rc = -1; } return rc; } int roles_internalpostop_init ( Slapi_PBlock *pb ) { int rc = 0; if ( slapi_pblock_set( pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_01 ) != 0 || slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_MODIFY_FN, (void *)roles_post_op ) != 0 || slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_MODRDN_FN, (void *)roles_post_op ) != 0 || slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_ADD_FN, (void *) roles_post_op ) != 0 || slapi_pblock_set(pb, SLAPI_PLUGIN_INTERNAL_POST_DELETE_FN, (void *) roles_post_op ) != 0 ) { slapi_log_error( SLAPI_LOG_FATAL, ROLES_PLUGIN_SUBSYSTEM, "roles_internalpostop_init: failed to register plugin\n" ); rc = -1; } return rc; } /* roles_init ---------- Initialization of the plugin */ int roles_init( Slapi_PBlock *pb ) { int rc = 0; void *plugin_identity = NULL; Slapi_Entry *plugin_entry = NULL; int is_betxn = 0; const char *plugin_type = "postoperation"; slapi_log_error( SLAPI_LOG_PLUGIN, ROLES_PLUGIN_SUBSYSTEM, "=> roles_init\n" ); slapi_pblock_get (pb, SLAPI_PLUGIN_IDENTITY, &plugin_identity); PR_ASSERT (plugin_identity); roles_set_plugin_identity(plugin_identity); if ((slapi_pblock_get(pb, SLAPI_PLUGIN_CONFIG_ENTRY, &plugin_entry) == 0) && plugin_entry) { is_betxn = slapi_entry_attr_get_bool(plugin_entry, "nsslapd-pluginbetxn"); } if ( slapi_pblock_set( pb, SLAPI_PLUGIN_VERSION, (void *)SLAPI_PLUGIN_VERSION_01 ) != 0 || slapi_pblock_set( pb, SLAPI_PLUGIN_DESCRIPTION, (void *)&pdesc ) != 0 || slapi_pblock_set( pb, SLAPI_PLUGIN_START_FN, (void *)roles_start ) != 0 || slapi_pblock_set(pb, SLAPI_PLUGIN_CLOSE_FN, (void *) roles_close ) != 0 ) { slapi_log_error( SLAPI_LOG_FATAL, ROLES_PLUGIN_SUBSYSTEM, "roles_init failed\n" ); rc = -1; goto bailout; } if (is_betxn) { plugin_type = "betxnpostoperation"; } rc = slapi_register_plugin(plugin_type, 1 /* Enabled */, "roles_postop_init", roles_postop_init, "Roles postoperation plugin", NULL, plugin_identity); if ( rc < 0 ) { goto bailout; } if (!is_betxn) { rc = slapi_register_plugin("internalpostoperation", 1 /* Enabled */, "roles_internalpostop_init", roles_internalpostop_init, "Roles internalpostoperation plugin", NULL, plugin_identity); } bailout: slapi_log_error( SLAPI_LOG_PLUGIN, ROLES_PLUGIN_SUBSYSTEM, "<= roles_init %d\n", rc ); return rc; } /* roles_start ----------- kexcoff: cache build at init or at startup ? */ static int roles_start( Slapi_PBlock *pb ) { int rc = 0; void **statechange_api; slapi_log_error( SLAPI_LOG_PLUGIN, ROLES_PLUGIN_SUBSYSTEM, "=> roles_start\n" ); roles_cache_init(); /* from Pete Rowley for vcache * PLUGIN DEPENDENCY ON STATECHANGE PLUGIN * * register objectclasses which indicate a * role configuration entry, and therefore * a globally significant change for the vcache */ if(!slapi_apib_get_interface(StateChange_v1_0_GUID, &statechange_api)) { statechange_register(statechange_api, STATECHANGE_ROLES_ID, NULL, STATECHANGE_ROLES_CONFG_FILTER, &vattr_global_invalidate, (notify_callback) statechange_vattr_cache_invalidator_callback(statechange_api)); } slapi_log_error( SLAPI_LOG_PLUGIN, ROLES_PLUGIN_SUBSYSTEM, "<= roles_start %d\n", rc ); return rc; } /* roles_close ----------- kexcoff: ?? */ static int roles_close( Slapi_PBlock *pb ) { void **statechange_api; int rc = 0; slapi_log_error( SLAPI_LOG_PLUGIN, ROLES_PLUGIN_SUBSYSTEM, "=> roles_close\n" ); roles_cache_stop(); if(!slapi_apib_get_interface(StateChange_v1_0_GUID, &statechange_api)) { statechange_unregister(statechange_api, NULL, STATECHANGE_ROLES_CONFG_FILTER, (notify_callback) statechange_vattr_cache_invalidator_callback(statechange_api)); } slapi_log_error( SLAPI_LOG_PLUGIN, ROLES_PLUGIN_SUBSYSTEM, "<= roles_close %d\n", rc ); return rc; } /* roles_sp_get_value ------------------ Enumerate the values of the role attribute. We do this by first locating all the roles which are in scope Then we iterate over the in-scope roles calling Slapi_Role_Check(). For those which pass the check, we add their DN to the attribute's value set. */ int roles_sp_get_value(vattr_sp_handle *handle, vattr_context *c, Slapi_Entry *e, char *type, Slapi_ValueSet** results, int *type_name_disposition, char** actual_type_name, int flags, int *free_flags, void *hint) { int rc = -1; rc = roles_cache_listroles_ext(c, e, 1, results); if (rc == 0) { *free_flags = SLAPI_VIRTUALATTRS_RETURNED_COPIES; *actual_type_name = slapi_ch_strdup(NSROLEATTR); if (type_name_disposition) { *type_name_disposition = SLAPI_VIRTUALATTRS_TYPE_NAME_MATCHED_EXACTLY_OR_ALIAS; } } /* Need to check the return code here because the caller doesn't understand roles return codes */ return rc; } /* roles_sp_compare_value ---------------------- Compare the value of the role attribute with a presented value. Return true or false to the client. */ int roles_sp_compare_value(vattr_sp_handle *handle, vattr_context *c, Slapi_Entry *e, char *type, Slapi_Value *test_this, int* result,int flags, void *hint) { int rv; Slapi_DN the_dn; /* Extract the role's DN from the value passed in */ /* possible problem here - slapi_value_get_string returns a pointer to the raw bv_val in the value, which is not guaranteed to be null terminated, but probably is for any value passed into this function */ slapi_sdn_init_dn_byref(&the_dn,slapi_value_get_string(test_this)); rv = roles_check(e,&the_dn,result); slapi_sdn_done(&the_dn); return rv; } int roles_sp_list_types(vattr_sp_handle *handle,Slapi_Entry *e,vattr_type_list_context *type_context,int flags) { static char* test_type_name = NSROLEATTR; int ret =0; if ( 0 == ( flags & SLAPI_VIRTUALATTRS_LIST_OPERATIONAL_ATTRS )) { /* * Operational attributes were NOT requested. Since the only * attribute type we service is nsRole which IS operational, * there is nothing for us to do in this case. */ return 0; } ret = roles_cache_listroles(e, 0, NULL); if(ret == 0) { vattr_type_thang thang = {0}; thang.type_name = test_type_name; thang.type_flags = SLAPI_ATTR_FLAG_OPATTR; slapi_vattrspi_add_type(type_context,&thang,SLAPI_VIRTUALATTRS_REQUEST_POINTERS); } return 0; } /* What do we do on shutdown ? */ int roles_sp_cleanup() { return 0; } /* roles_post_op ----------- Catch all for all post operations that change entries in some way - this simply notifies the cache of a change - the cache decides if action is necessary */ static int roles_post_op( Slapi_PBlock *pb ) { slapi_log_error( SLAPI_LOG_PLUGIN, ROLES_PLUGIN_SUBSYSTEM, "--> roles_post_op\n"); roles_cache_change_notify(pb); slapi_log_error( SLAPI_LOG_PLUGIN, ROLES_PLUGIN_SUBSYSTEM, "<-- roles_post_op\n"); return SLAPI_PLUGIN_SUCCESS; /* always succeed */ } static void roles_set_plugin_identity(void * identity) { roles_plugin_identity=identity; } void * roles_get_plugin_identity() { return roles_plugin_identity; }