[SCM] Samba Shared Repository - branch master updated
Nadezhda Ivanova
nivanova at samba.org
Mon Feb 21 10:03:01 MST 2011
The branch, master has been updated
via a69f634 s4-descriptor: Fixed some compiler warnings.
via 3b9f375 s4-descriptor: Removed unnecessary descriptor_change function and unused callbacks.
via a0a52b3 s4-descriptor: Replaced the async descriptor_change with synchronous descriptor_modify.
via 85877c0 s4-descriptor: Replaced the synchronous descriptor_change with the synchronous descriptor_add.
from fb45c88 s4-smbtorture: use torture_comment() instead of printf in raw.write test.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit a69f634de467733fc7c3238303bf061f47c39ab2
Author: Nadezhda Ivanova <nivanova at samba.org>
Date: Mon Feb 21 17:17:12 2011 +0200
s4-descriptor: Fixed some compiler warnings.
Autobuild-User: Nadezhda Ivanova <nivanova at samba.org>
Autobuild-Date: Mon Feb 21 18:02:21 CET 2011 on sn-devel-104
commit 3b9f3755b037bf19244781cdaa2de46370d385e9
Author: Nadezhda Ivanova <nivanova at samba.org>
Date: Mon Feb 21 17:14:12 2011 +0200
s4-descriptor: Removed unnecessary descriptor_change function and unused callbacks.
commit a0a52b3423db0fec82092924772afc1d2289003a
Author: Nadezhda Ivanova <nivanova at samba.org>
Date: Mon Feb 21 17:08:44 2011 +0200
s4-descriptor: Replaced the async descriptor_change with synchronous descriptor_modify.
The purpose is to make descriptor module synchronous. This will simplify reading and debugging, and also will make the
implementation of SD hierarchy recalculation on modify much easier.
commit 85877c0bd1279a6c19bb8354f56e9cdbe1901630
Author: Nadezhda Ivanova <nivanova at samba.org>
Date: Mon Feb 21 17:04:27 2011 +0200
s4-descriptor: Replaced the synchronous descriptor_change with the synchronous descriptor_add.
The purpose is to make descriptor module synchronous. This will simplify reading and debugging, and also will make the
implementation of SD hierarchy recalculation on modify much easier.
-----------------------------------------------------------------------
Summary of changes:
source4/dsdb/samdb/ldb_modules/descriptor.c | 516 ++++++++++-----------------
1 files changed, 192 insertions(+), 324 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c
index dfbfdf6..19cea0a 100644
--- a/source4/dsdb/samdb/ldb_modules/descriptor.c
+++ b/source4/dsdb/samdb/ldb_modules/descriptor.c
@@ -211,8 +211,8 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
TALLOC_CTX *mem_ctx,
const struct dsdb_class *objectclass,
const struct ldb_val *parent,
- struct ldb_val *object,
- struct ldb_val *old_sd,
+ const struct ldb_val *object,
+ const struct ldb_val *old_sd,
uint32_t sd_flags)
{
struct security_descriptor *user_descriptor = NULL, *parent_descriptor = NULL;
@@ -379,106 +379,6 @@ static struct descriptor_context *descriptor_init_context(struct ldb_module *mod
return ac;
}
-static int get_search_callback(struct ldb_request *req, struct ldb_reply *ares)
-{
- struct ldb_context *ldb;
- struct descriptor_context *ac;
- int ret;
-
- ac = talloc_get_type(req->context, struct descriptor_context);
- ldb = ldb_module_get_ctx(ac->module);
-
- if (!ares) {
- return ldb_module_done(ac->req, NULL, NULL,
- LDB_ERR_OPERATIONS_ERROR);
- }
- if (ares->error != LDB_SUCCESS &&
- ares->error != LDB_ERR_NO_SUCH_OBJECT) {
- return ldb_module_done(ac->req, ares->controls,
- ares->response, ares->error);
- }
-
- ldb_reset_err_string(ldb);
-
- switch (ares->type) {
- case LDB_REPLY_ENTRY:
- if (ac->search_res != NULL) {
- ldb_set_errstring(ldb, "Too many results");
- talloc_free(ares);
- return ldb_module_done(ac->req, NULL, NULL,
- LDB_ERR_OPERATIONS_ERROR);
- }
-
- ac->search_res = talloc_steal(ac, ares);
- break;
-
- case LDB_REPLY_REFERRAL:
- /* ignore */
- talloc_free(ares);
- break;
-
- case LDB_REPLY_DONE:
- talloc_free(ares);
- ret = ac->step_fn(ac);
- if (ret != LDB_SUCCESS) {
- return ldb_module_done(ac->req, NULL, NULL, ret);
- }
- break;
- }
-
- return LDB_SUCCESS;
-}
-
-static int get_search_oc_callback(struct ldb_request *req, struct ldb_reply *ares)
-{
- struct ldb_context *ldb;
- struct descriptor_context *ac;
- int ret;
-
- ac = talloc_get_type(req->context, struct descriptor_context);
- ldb = ldb_module_get_ctx(ac->module);
-
- if (!ares) {
- return ldb_module_done(ac->req, NULL, NULL,
- LDB_ERR_OPERATIONS_ERROR);
- }
- if (ares->error != LDB_SUCCESS &&
- ares->error != LDB_ERR_NO_SUCH_OBJECT) {
- return ldb_module_done(ac->req, ares->controls,
- ares->response, ares->error);
- }
-
- ldb_reset_err_string(ldb);
-
- switch (ares->type) {
- case LDB_REPLY_ENTRY:
- if (ac->search_oc_res != NULL) {
- ldb_set_errstring(ldb, "Too many results");
- talloc_free(ares);
- return ldb_module_done(ac->req, NULL, NULL,
- LDB_ERR_OPERATIONS_ERROR);
- }
-
- ac->search_oc_res = talloc_steal(ac, ares);
- break;
-
- case LDB_REPLY_REFERRAL:
- /* ignore */
- talloc_free(ares);
- break;
-
- case LDB_REPLY_DONE:
- talloc_free(ares);
- ret = ac->step_fn(ac);
- if (ret != LDB_SUCCESS) {
- return ldb_module_done(ac->req, NULL, NULL, ret);
- }
- break;
- }
-
- return LDB_SUCCESS;
-}
-
static int descriptor_search_callback(struct ldb_request *req, struct ldb_reply *ares)
{
struct descriptor_context *ac;
@@ -549,290 +449,258 @@ fail:
return ldb_module_done(ac->req, NULL, NULL, ret);
}
-static int descriptor_do_mod(struct descriptor_context *ac)
+static int descriptor_add(struct ldb_module *module, struct ldb_request *req)
{
struct ldb_context *ldb;
- const struct dsdb_schema *schema;
- struct ldb_request *mod_req;
- struct ldb_message_element *objectclass_element, *oldsd_el;
- struct ldb_val *oldsd_val = NULL;
+ struct ldb_request *add_req;
+ struct ldb_message *msg;
+ struct ldb_result *parent_res;
+ const struct ldb_val *parent_sd = NULL;
+ const struct ldb_val *user_sd;
+ struct ldb_dn *parent_dn, *dn, *nc_root;
+ struct ldb_message_element *objectclass_element, *sd_element;
int ret;
+ const struct dsdb_schema *schema;
DATA_BLOB *sd;
const struct dsdb_class *objectclass;
- struct ldb_control *sd_control;
- struct ldb_control *sd_control2;
- uint32_t sd_flags = 0;
+ static const char * const parent_attrs[] = { "nTSecurityDescriptor", NULL };
+
+ ldb = ldb_module_get_ctx(module);
+ dn = req->op.add.message->dn;
+ user_sd = ldb_msg_find_ldb_val(req->op.add.message, "nTSecurityDescriptor");
+ sd_element = ldb_msg_find_element(req->op.add.message, "nTSecurityDescriptor");
+ /* nTSecurityDescriptor without a value is an error, letting through so it is handled */
+ if (user_sd == NULL && sd_element) {
+ return ldb_next_request(module, req);
+ }
- ldb = ldb_module_get_ctx(ac->module);
- schema = dsdb_get_schema(ldb, ac);
+ ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_add: %s\n", ldb_dn_get_linearized(dn));
- objectclass_element = ldb_msg_find_element(ac->search_oc_res->message,
- "objectClass");
- if (objectclass_element == NULL) {
- return ldb_operr(ldb);
+ /* do not manipulate our control entries */
+ if (ldb_dn_is_special(dn)) {
+ return ldb_next_request(module, req);
}
- objectclass = get_last_structural_class(schema, objectclass_element, ac->req);
- if (objectclass == NULL) {
- return ldb_operr(ldb);
+ /* if the object has a parent, retrieve its SD to
+ * use for calculation. unfortunately we do not yet have
+ * instanceType*/
+ parent_dn = ldb_dn_get_parent(req, dn);
+ if (parent_dn == NULL) {
+ return ldb_oom(ldb);
}
- sd_control = ldb_request_get_control(ac->req, LDB_CONTROL_SD_FLAGS_OID);
- sd_control2 = ldb_request_get_control(ac->req,
- LDB_CONTROL_RECALCULATE_SD_OID);
- if (sd_control) {
- struct ldb_sd_flags_control *sdctr = (struct ldb_sd_flags_control *)sd_control->data;
- sd_flags = sdctr->secinfo_flags;
- /* we only care for the last 4 bits */
- sd_flags = sd_flags & 0x0000000F;
+ ret = dsdb_find_nc_root(ldb, req, dn, &nc_root);
+ if (ret != LDB_SUCCESS) {
+ ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_add: Could not find NC root for %s\n",
+ ldb_dn_get_linearized(dn));
+ return ret;
}
- if (sd_flags != 0) {
- oldsd_el = ldb_msg_find_element(ac->search_oc_res->message,
- "nTSecurityDescriptor");
- if (oldsd_el) {
- oldsd_val = oldsd_el->values;
+
+ if (ldb_dn_compare(dn, nc_root) != 0) {
+ /* we aren't any NC */
+ ret = dsdb_module_search_dn(module, req, &parent_res, parent_dn,
+ parent_attrs,
+ DSDB_FLAG_NEXT_MODULE,
+ req);
+ if (ret != LDB_SUCCESS) {
+ ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_add: Could not find SD for %s\n",
+ ldb_dn_get_linearized(parent_dn));
+ return ret;
}
+ if (parent_res->count != 1) {
+ return ldb_operr(ldb);
+ }
+ parent_sd = ldb_msg_find_ldb_val(parent_res->msgs[0], "nTSecurityDescriptor");
}
- sd = get_new_descriptor(ac->module, ac->msg->dn, ac,
- objectclass, ac->parentsd_val,
- ac->sd_val, oldsd_val, sd_flags);
- if (sd != NULL) {
- if (ac->sd_val != NULL) {
- ac->sd_element->values[0] = *sd;
- } else if (sd_control2 != NULL) {
- /* In this branch we really do force the recalculation
- * of the SD */
- ldb_msg_remove_attr(ac->msg, "nTSecurityDescriptor");
+ schema = dsdb_get_schema(ldb, req);
- ret = ldb_msg_add_steal_value(ac->msg,
+ objectclass_element = ldb_msg_find_element(req->op.add.message, "objectClass");
+ if (objectclass_element == NULL) {
+ return ldb_operr(ldb);
+ }
+
+ objectclass = get_last_structural_class(schema, objectclass_element, req);
+ if (objectclass == NULL) {
+ return ldb_operr(ldb);
+ }
+
+ sd = get_new_descriptor(module, dn, req,
+ objectclass, parent_sd,
+ user_sd, NULL, 0);
+ msg = ldb_msg_copy_shallow(req, req->op.add.message);
+ if (sd != NULL) {
+ if (sd_element != NULL) {
+ sd_element->values[0] = *sd;
+ } else {
+ ret = ldb_msg_add_steal_value(msg,
"nTSecurityDescriptor",
sd);
if (ret != LDB_SUCCESS) {
return ret;
}
- ac->sd_element = ldb_msg_find_element(ac->msg,
- "nTSecurityDescriptor");
- ac->sd_element->flags = LDB_FLAG_MOD_REPLACE;
}
}
- /* mark the controls as non-critical since we've handled them */
- if (sd_control != NULL) {
- sd_control->critical = 0;
- }
- if (sd_control2 != NULL) {
- sd_control2->critical = 0;
- }
-
- ret = ldb_build_mod_req(&mod_req, ldb, ac,
- ac->msg,
- ac->req->controls,
- ac->req, dsdb_next_callback,
- ac->req);
- LDB_REQ_SET_LOCATION(mod_req);
+ ret = ldb_build_add_req(&add_req, ldb, req,
+ msg,
+ req->controls,
+ req, dsdb_next_callback,
+ req);
+ LDB_REQ_SET_LOCATION(add_req);
if (ret != LDB_SUCCESS) {
- return ret;
+ return ldb_error(ldb, ret,
+ "descriptor_add: Error creating new add request.");
}
- return ldb_next_request(ac->module, mod_req);
+ return ldb_next_request(module, add_req);
}
-static int descriptor_do_add(struct descriptor_context *ac)
+static int descriptor_modify(struct ldb_module *module, struct ldb_request *req)
{
struct ldb_context *ldb;
- const struct dsdb_schema *schema;
- struct ldb_request *add_req;
+ struct ldb_control *sd_recalculate_control, *sd_flags_control;
+ struct ldb_request *mod_req;
+ struct ldb_message *msg;
+ struct ldb_result *current_res, *parent_res;
+ const struct ldb_val *old_sd = NULL;
+ const struct ldb_val *parent_sd = NULL;
+ const struct ldb_val *user_sd;
+ struct ldb_dn *parent_dn, *dn;
struct ldb_message_element *objectclass_element;
int ret;
+ uint32_t instanceType, sd_flags = 0;
+ const struct dsdb_schema *schema;
DATA_BLOB *sd;
const struct dsdb_class *objectclass;
- static const char *const attrs[] = { "objectClass", "nTSecurityDescriptor", NULL };
- struct ldb_request *search_req;
-
- ldb = ldb_module_get_ctx(ac->module);
- schema = dsdb_get_schema(ldb, ac);
-
- switch (ac->req->operation) {
- case LDB_ADD:
- ac->msg = ldb_msg_copy_shallow(ac, ac->req->op.add.message);
- if (ac->msg == NULL) {
- return ldb_module_oom(ac->module);
- }
+ static const char * const parent_attrs[] = { "nTSecurityDescriptor", NULL };
+ static const char * const current_attrs[] = { "nTSecurityDescriptor",
+ "instanceType",
+ "objectClass", NULL };
+ ldb = ldb_module_get_ctx(module);
+ dn = req->op.mod.message->dn;
+ user_sd = ldb_msg_find_ldb_val(req->op.mod.message, "nTSecurityDescriptor");
+ /* This control forces the recalculation of the SD also when
+ * no modification is performed. */
+ sd_recalculate_control = ldb_request_get_control(req,
+ LDB_CONTROL_RECALCULATE_SD_OID);
+ if (!user_sd && !sd_recalculate_control) {
+ return ldb_next_request(module, req);
+ }
- objectclass_element = ldb_msg_find_element(ac->msg,
- "objectClass");
- if (objectclass_element == NULL) {
- return ldb_operr(ldb);
- }
+ ldb_debug(ldb, LDB_DEBUG_TRACE,"descriptor_modify: %s\n", ldb_dn_get_linearized(dn));
- objectclass = get_last_structural_class(schema,
- objectclass_element, ac->req);
- if (objectclass == NULL) {
- return ldb_operr(ldb);
- }
- break;
- case LDB_MODIFY:
- ac->msg = ldb_msg_copy_shallow(ac, ac->req->op.mod.message);
- if (ac->msg == NULL) {
- return ldb_module_oom(ac->module);
- }
- break;
- default:
- return ldb_operr(ldb);
+ /* do not manipulate our control entries */
+ if (ldb_dn_is_special(dn)) {
+ return ldb_next_request(module, req);
}
- /* Check if there is a valid security descriptor provided */
- ac->sd_element = dsdb_get_single_valued_attr(ac->msg,
- "nTSecurityDescriptor",
- ac->req->operation);
- if ((ac->sd_element != NULL) && (ac->sd_element->num_values == 1)) {
- ac->sd_val = talloc_memdup(ac,
- &ac->sd_element->values[0],
- sizeof(struct ldb_val));
+ ret = dsdb_module_search_dn(module, req, ¤t_res, dn,
+ current_attrs,
+ DSDB_FLAG_NEXT_MODULE,
+ req);
+ if (ret != LDB_SUCCESS) {
+ ldb_debug(ldb, LDB_DEBUG_ERROR,"descriptor_modify: Could not find %s\n",
+ ldb_dn_get_linearized(dn));
+ return ret;
}
- /* If we do have a parent, then please fetch it's security descriptor.
- * But have in mind: NCs don't have any parents! That means
- * "CN=Configuration,DC=example,DC=com" has no parent
- * "DC=example,DC=com" since this is located under another NC! */
- if (ac->search_res != NULL) {
- struct ldb_message_element *parent_element = NULL;
- struct ldb_dn *nc_root;
-
- ret = dsdb_find_nc_root(ldb, ac, ac->msg->dn, &nc_root);
- if (ret != LDB_SUCCESS) {
- return ret;
+ instanceType = ldb_msg_find_attr_as_uint(current_res->msgs[0],
+ "instanceType", 0);
+ /* if the object has a parent, retrieve its SD to
+ * use for calculation */
+ if (!ldb_dn_is_null(current_res->msgs[0]->dn) &&
+ !(instanceType & INSTANCE_TYPE_IS_NC_HEAD)) {
+ parent_dn = ldb_dn_get_parent(req, dn);
+ if (parent_dn == NULL) {
+ return ldb_oom(ldb);
}
-
- if (ldb_dn_compare(ac->msg->dn, nc_root) != 0) {
- /* we aren't any NC */
- parent_element = ldb_msg_find_element(ac->search_res->message,
- "nTSecurityDescriptor");
- if (parent_element != NULL) {
- ac->parentsd_val = talloc_memdup(ac,
- &parent_element->values[0],
- sizeof(struct ldb_val));
- }
- }
- }
-
- if (ac->req->operation == LDB_ADD) {
- /* Get the parent descriptor and the one provided. If not
- * provided, get the default. Convert it to a security
- * descriptor and calculate the permissions. */
- sd = get_new_descriptor(ac->module, ac->msg->dn, ac,
- objectclass, ac->parentsd_val,
- ac->sd_val, NULL, 0);
- if (sd != NULL) {
- if (ac->sd_val != NULL) {
- ac->sd_element->values[0] = *sd;
- } else if (ac->sd_element == NULL) {
- ret = ldb_msg_add_steal_value(ac->msg,
- "nTSecurityDescriptor",
- sd);
- if (ret != LDB_SUCCESS) {
- return ret;
- }
- }
- }
-
- ret = ldb_build_add_req(&add_req, ldb, ac,
- ac->msg,
- ac->req->controls,
- ac->req, dsdb_next_callback,
- ac->req);
- LDB_REQ_SET_LOCATION(add_req);
+ ret = dsdb_module_search_dn(module, req, &parent_res, parent_dn,
+ parent_attrs,
+ DSDB_FLAG_NEXT_MODULE,
+ req);
if (ret != LDB_SUCCESS) {
+ ldb_debug(ldb, LDB_DEBUG_ERROR, "descriptor_modify: Could not find SD for %s\n",
+ ldb_dn_get_linearized(parent_dn));
return ret;
}
- return ldb_next_request(ac->module, add_req);
- } else {
- ret = ldb_build_search_req(&search_req, ldb, ac,
- ac->msg->dn, LDB_SCOPE_BASE,
- "(objectClass=*)", attrs,
- NULL,
- ac, get_search_oc_callback,
- ac->req);
- LDB_REQ_SET_LOCATION(search_req);
- if (ret != LDB_SUCCESS) {
- return ret;
+ if (parent_res->count != 1) {
+ return ldb_operr(ldb);
}
- ac->step_fn = descriptor_do_mod;
- return ldb_next_request(ac->module, search_req);
+ parent_sd = ldb_msg_find_ldb_val(parent_res->msgs[0], "nTSecurityDescriptor");
}
-}
+ sd_flags_control = ldb_request_get_control(req, LDB_CONTROL_SD_FLAGS_OID);
-static int descriptor_change(struct ldb_module *module, struct ldb_request *req)
-{
- struct ldb_context *ldb;
- struct ldb_control *sd_control;
- struct ldb_request *search_req;
- struct descriptor_context *ac;
- struct ldb_dn *parent_dn, *dn;
- struct ldb_message_element *sd_element;
- int ret;
- static const char * const descr_attrs[] = { "nTSecurityDescriptor", NULL };
-
- ldb = ldb_module_get_ctx(module);
+ schema = dsdb_get_schema(ldb, req);
- switch (req->operation) {
- case LDB_ADD:
- dn = req->op.add.message->dn;
- break;
- case LDB_MODIFY:
- dn = req->op.mod.message->dn;
- sd_element = ldb_msg_find_element(req->op.mod.message,
- "nTSecurityDescriptor");
- /* This control forces the recalculation of the SD also when
- * no modification is performed. */
- sd_control = ldb_request_get_control(req,
- LDB_CONTROL_RECALCULATE_SD_OID);
--
Samba Shared Repository
More information about the samba-cvs
mailing list