From 918df0a60a9cf1e3a836165f1044ea63c88bdd72 Mon Sep 17 00:00:00 2001
From: William Brown <william@blackhats.net.au>
Date: Fri, 6 Dec 2019 14:04:45 +1000
Subject: [PATCH] Ticket 50727 - correct mistaken options in filter validation
patch
Bug Description: Because William of the past missed (forgot) to make
some agreed upon changes, we shipped the feature for filter validation
in a state that was a bit unclear for users.
Fix Description: Fix the options to now be clearer in what is
expected/demaned from admins. We now have 4 possible states for
the value of the config:
* reject-invalid (prev on)
* process-safe (prev warn)
* warn-invalid (new!)
* off (prev off)
These behave as:
* reject-invalid - reject queries that contain unknown attributes
* process-safe - log a notes=F that an attr is missing, and idl_alloc(0)
the missing attribute for RFC4511 compliance.
* warn-invalid - log a notes=F that an attr is missing, and process
as ALLIDS (the legacy behaviour)
* off - process as ALLIDs (the legacy behaviour)
The default is "process-safe".
https://pagure.io/389-ds-base/issue/50727
Author: William Brown <william@blackhats.net.au>
Review by: tbordaz, lkrispen (thanks)
---
.../suites/filter/schema_validation_test.py | 112 ++++++++++++++++--
ldap/servers/slapd/back-ldbm/filterindex.c | 28 +++--
ldap/servers/slapd/libglobs.c | 78 +++++++-----
ldap/servers/slapd/schema.c | 26 ++--
ldap/servers/slapd/slap.h | 21 ++--
ldap/servers/slapd/slapi-plugin.h | 1 +
ldap/servers/slapd/slapi-private.h | 3 +-
src/lib389/lib389/extensibleobject.py | 53 +++++++++
8 files changed, 258 insertions(+), 64 deletions(-)
create mode 100644 src/lib389/lib389/extensibleobject.py
diff --git a/dirsrvtests/tests/suites/filter/schema_validation_test.py b/dirsrvtests/tests/suites/filter/schema_validation_test.py
index 4ac9fa8ff..d0d67ca95 100644
--- a/dirsrvtests/tests/suites/filter/schema_validation_test.py
+++ b/dirsrvtests/tests/suites/filter/schema_validation_test.py
@@ -9,14 +9,29 @@
import pytest
import ldap
-from lib389.topologies import topology_st
+from lib389.topologies import topology_st as topology_st_pre
from lib389.dirsrv_log import DirsrvAccessLog
from lib389._mapped_object import DSLdapObjects
from lib389._constants import DEFAULT_SUFFIX
+from lib389.extensibleobject import UnsafeExtensibleObjects
-def _check_value(inst_cfg, value):
+def _check_value(inst_cfg, value, exvalue=None):
+ if exvalue is None:
+ exvalue = value
inst_cfg.set('nsslapd-verify-filter-schema', value)
- assert(inst_cfg.get_attr_val_utf8('nsslapd-verify-filter-schema') == value)
+ assert(inst_cfg.get_attr_val_utf8('nsslapd-verify-filter-schema') == exvalue)
+
+@pytest.fixture(scope="module")
+def topology_st(topology_st_pre):
+ raw_objects = UnsafeExtensibleObjects(topology_st_pre.standalone, basedn=DEFAULT_SUFFIX)
+ # Add an object that won't be able to be queried due to invalid attrs.
+ raw_objects.create(properties = {
+ "cn": "test_obj",
+ "a": "a",
+ "b": "b",
+ "uid": "foo"
+ })
+ return topology_st_pre
@pytest.mark.ds50349
@@ -51,8 +66,14 @@ def test_filter_validation_config(topology_st):
initial_value = inst_cfg.get_attr_val_utf8('nsslapd-verify-filter-schema')
- _check_value(inst_cfg, "on")
- _check_value(inst_cfg, "warn")
+ # Check legacy values that may have been set
+ _check_value(inst_cfg, "on", "reject-invalid")
+ _check_value(inst_cfg, "warn", "process-safe")
+ _check_value(inst_cfg, "off")
+ # Check the more descriptive values
+ _check_value(inst_cfg, "reject-invalid")
+ _check_value(inst_cfg, "process-safe")
+ _check_value(inst_cfg, "warn-invalid")
_check_value(inst_cfg, "off")
# This should fail
@@ -85,7 +106,7 @@ def test_filter_validation_enabled(topology_st):
inst = topology_st.standalone
# In case the default has changed, we set the value to warn.
- inst.config.set("nsslapd-verify-filter-schema", "on")
+ inst.config.set("nsslapd-verify-filter-schema", "reject-invalid")
raw_objects = DSLdapObjects(inst, basedn=DEFAULT_SUFFIX)
# Check a good query has no errors.
@@ -104,9 +125,9 @@ def test_filter_validation_enabled(topology_st):
@pytest.mark.ds50349
-def test_filter_validation_warning(topology_st):
+def test_filter_validation_warn_safe(topology_st):
"""Test that queries which are invalid, are correctly marked as "notes=F" in
- the access log.
+ the access log, and return no entries or partial sets.
:id: 8b2b23fe-d878-435c-bc84-8c298be4ca1f
:setup: Standalone instance
@@ -122,7 +143,7 @@ def test_filter_validation_warning(topology_st):
inst = topology_st.standalone
# In case the default has changed, we set the value to warn.
- inst.config.set("nsslapd-verify-filter-schema", "warn")
+ inst.config.set("nsslapd-verify-filter-schema", "process-safe")
# Set the access log to un-buffered so we get it immediately.
inst.config.set("nsslapd-accesslog-logbuffering", "off")
@@ -139,20 +160,93 @@ def test_filter_validation_warning(topology_st):
# Check a good query has no warnings.
r = raw_objects.filter("(objectClass=*)")
+ assert(len(r) > 0)
r_s1 = access_log.match(".*notes=F.*")
# Should be the same number of log lines IE 0.
assert(len(r_init) == len(r_s1))
# Check a bad one DOES emit a warning.
r = raw_objects.filter("(a=a)")
+ assert(len(r) == 0)
r_s2 = access_log.match(".*notes=F.*")
# Should be the greate number of log lines IE +1
assert(len(r_init) + 1 == len(r_s2))
# Check a bad complex one does emit a warning.
r = raw_objects.filter("(&(a=a)(b=b)(objectClass=*))")
+ assert(len(r) == 0)
r_s3 = access_log.match(".*notes=F.*")
# Should be the greate number of log lines IE +2
assert(len(r_init) + 2 == len(r_s3))
+ # Check that we can still get things when partial
+ r = raw_objects.filter("(|(a=a)(b=b)(uid=foo))")
+ assert(len(r) == 1)
+ r_s4 = access_log.match(".*notes=F.*")
+ # Should be the greate number of log lines IE +2
+ assert(len(r_init) + 3 == len(r_s4))
+
+
+@pytest.mark.ds50349
+def test_filter_validation_warn_unsafe(topology_st):
+ """Test that queries which are invalid, are correctly marked as "notes=F" in
+ the access log, and uses the legacy query behaviour to return unsafe sets.
+
+ :id: 8b2b23fe-d878-435c-bc84-8c298be4ca1f
+ :setup: Standalone instance
+ :steps:
+ 1. Search a well formed query
+ 2. Search a poorly formed query
+ 3. Search a poorly formed complex (and/or) query
+ :expectedresults:
+ 1. No warnings
+ 2. notes=F is present
+ 3. notes=F is present
+ """
+ inst = topology_st.standalone
+
+ # In case the default has changed, we set the value to warn.
+ inst.config.set("nsslapd-verify-filter-schema", "warn-invalid")
+ # Set the access log to un-buffered so we get it immediately.
+ inst.config.set("nsslapd-accesslog-logbuffering", "off")
+
+ # Setup the query object.
+ # Now we don't care if there are any results, we only care about good/bad queries.
+ # To do this we have to bypass some of the lib389 magic, and just emit raw queries
+ # to check them. Turns out lib389 is well designed and this just works as expected
+ # if you use a single DSLdapObjects and filter. :)
+ raw_objects = DSLdapObjects(inst, basedn=DEFAULT_SUFFIX)
+
+ # Find any initial notes=F
+ access_log = DirsrvAccessLog(inst)
+ r_init = access_log.match(".*notes=(U,)?F.*")
+
+ # Check a good query has no warnings.
+ r = raw_objects.filter("(objectClass=*)")
+ assert(len(r) > 0)
+ r_s1 = access_log.match(".*notes=(U,)?F.*")
+ # Should be the same number of log lines IE 0.
+ assert(len(r_init) == len(r_s1))
+
+ # Check a bad one DOES emit a warning.
+ r = raw_objects.filter("(a=a)")
+ assert(len(r) == 1)
+ # NOTE: Unlike warn-process-safely, these become UNINDEXED and show in the logs.
+ r_s2 = access_log.match(".*notes=(U,)?F.*")
+ # Should be the greate number of log lines IE +1
+ assert(len(r_init) + 1 == len(r_s2))
+
+ # Check a bad complex one does emit a warning.
+ r = raw_objects.filter("(&(a=a)(b=b)(objectClass=*))")
+ assert(len(r) == 1)
+ r_s3 = access_log.match(".*notes=(U,)?F.*")
+ # Should be the greate number of log lines IE +2
+ assert(len(r_init) + 2 == len(r_s3))
+
+ # Check that we can still get things when partial
+ r = raw_objects.filter("(|(a=a)(b=b)(uid=foo))")
+ assert(len(r) == 1)
+ r_s4 = access_log.match(".*notes=(U,)?F.*")
+ # Should be the greate number of log lines IE +2
+ assert(len(r_init) + 3 == len(r_s4))
diff --git a/ldap/servers/slapd/back-ldbm/filterindex.c b/ldap/servers/slapd/back-ldbm/filterindex.c
index 7e65f73ca..8a79848c3 100644
--- a/ldap/servers/slapd/back-ldbm/filterindex.c
+++ b/ldap/servers/slapd/back-ldbm/filterindex.c
@@ -223,13 +223,15 @@ ava_candidates(
switch (ftype) {
case LDAP_FILTER_GE:
- if (f->f_flags & SLAPI_FILTER_INVALID_ATTR) {
+ if (f->f_flags & SLAPI_FILTER_INVALID_ATTR_WARN) {
/*
* REMEMBER: this flag is only set on WARN levels. If the filter verify
* is on strict, we reject in search.c, if we ar off, the flag will NOT
* be set on the filter at all!
*/
slapi_pblock_set_flag_operation_notes(pb, SLAPI_OP_NOTE_FILTER_INVALID);
+ }
+ if (f->f_flags & SLAPI_FILTER_INVALID_ATTR_UNDEFINE) {
idl = idl_alloc(0);
} else {
idl = range_candidates(pb, be, type, bval, NULL, err, &sattr, allidslimit);
@@ -239,13 +241,15 @@ ava_candidates(
goto done;
break;
case LDAP_FILTER_LE:
- if (f->f_flags & SLAPI_FILTER_INVALID_ATTR) {
+ if (f->f_flags & SLAPI_FILTER_INVALID_ATTR_WARN) {
/*
* REMEMBER: this flag is only set on WARN levels. If the filter verify
* is on strict, we reject in search.c, if we ar off, the flag will NOT
* be set on the filter at all!
*/
slapi_pblock_set_flag_operation_notes(pb, SLAPI_OP_NOTE_FILTER_INVALID);
+ }
+ if (f->f_flags & SLAPI_FILTER_INVALID_ATTR_UNDEFINE) {
idl = idl_alloc(0);
} else {
idl = range_candidates(pb, be, type, NULL, bval, err, &sattr, allidslimit);
@@ -293,13 +297,15 @@ ava_candidates(
ptr[1] = NULL;
ivals = ptr;
- if (f->f_flags & SLAPI_FILTER_INVALID_ATTR) {
+ if (f->f_flags & SLAPI_FILTER_INVALID_ATTR_WARN) {
/*
* REMEMBER: this flag is only set on WARN levels. If the filter verify
* is on strict, we reject in search.c, if we ar off, the flag will NOT
* be set on the filter at all!
*/
slapi_pblock_set_flag_operation_notes(pb, SLAPI_OP_NOTE_FILTER_INVALID);
+ }
+ if (f->f_flags & SLAPI_FILTER_INVALID_ATTR_UNDEFINE) {
idl = idl_alloc(0);
} else {
slapi_attr_assertion2keys_ava_sv(&sattr, &tmp, (Slapi_Value ***)&ivals, LDAP_FILTER_EQUALITY_FAST);
@@ -326,13 +332,15 @@ ava_candidates(
slapi_ch_free((void **)&ivals);
}
} else {
- if (f->f_flags & SLAPI_FILTER_INVALID_ATTR) {
+ if (f->f_flags & SLAPI_FILTER_INVALID_ATTR_WARN) {
/*
* REMEMBER: this flag is only set on WARN levels. If the filter verify
* is on strict, we reject in search.c, if we ar off, the flag will NOT
* be set on the filter at all!
*/
slapi_pblock_set_flag_operation_notes(pb, SLAPI_OP_NOTE_FILTER_INVALID);
+ }
+ if (f->f_flags & SLAPI_FILTER_INVALID_ATTR_UNDEFINE) {
idl = idl_alloc(0);
} else {
slapi_value_init_berval(&sv, bval);
@@ -382,13 +390,15 @@ presence_candidates(
}
slapi_pblock_get(pb, SLAPI_TXN, &txn.back_txn_txn);
- if (f->f_flags & SLAPI_FILTER_INVALID_ATTR) {
+ if (f->f_flags & SLAPI_FILTER_INVALID_ATTR_WARN) {
/*
* REMEMBER: this flag is only set on WARN levels. If the filter verify
* is on strict, we reject in search.c, if we ar off, the flag will NOT
* be set on the filter at all!
*/
slapi_pblock_set_flag_operation_notes(pb, SLAPI_OP_NOTE_FILTER_INVALID);
+ }
+ if (f->f_flags & SLAPI_FILTER_INVALID_ATTR_UNDEFINE) {
idl = idl_alloc(0);
} else {
idl = index_read_ext_allids(pb, be, type, indextype_PRESENCE,
@@ -485,13 +495,15 @@ extensible_candidates(
slapi_pblock_get(pb, SLAPI_PLUGIN_MR_KEYS, &keys)) {
/* something went wrong. bail. */
break;
- } else if (f->f_flags & SLAPI_FILTER_INVALID_ATTR) {
+ } else if (f->f_flags & SLAPI_FILTER_INVALID_ATTR_WARN) {
/*
* REMEMBER: this flag is only set on WARN levels. If the filter verify
* is on strict, we reject in search.c, if we ar off, the flag will NOT
* be set on the filter at all!
*/
slapi_pblock_set_flag_operation_notes(pb, SLAPI_OP_NOTE_FILTER_INVALID);
+ }
+ if (f->f_flags & SLAPI_FILTER_INVALID_ATTR_UNDEFINE) {
idl = idl_alloc(0);
} else if (keys == NULL || keys[0] == NULL) {
/* no keys */
@@ -986,13 +998,15 @@ substring_candidates(
* look up each key in the index, ANDing the resulting
* IDLists together.
*/
- if (f->f_flags & SLAPI_FILTER_INVALID_ATTR) {
+ if (f->f_flags & SLAPI_FILTER_INVALID_ATTR_WARN) {
/*
* REMEMBER: this flag is only set on WARN levels. If the filter verify
* is on strict, we reject in search.c, if we ar off, the flag will NOT
* be set on the filter at all!
*/
slapi_pblock_set_flag_operation_notes(pb, SLAPI_OP_NOTE_FILTER_INVALID);
+ }
+ if (f->f_flags & SLAPI_FILTER_INVALID_ATTR_UNDEFINE) {
idl = idl_alloc(0);
} else {
slapi_pblock_get(pb, SLAPI_TXN, &txn.back_txn_txn);
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index b9cdb6b37..66170ebc6 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -166,7 +166,7 @@ typedef enum {
CONFIG_SPECIAL_VALIDATE_CERT_SWITCH, /* maps strings to an enumeration */
CONFIG_SPECIAL_UNHASHED_PW_SWITCH, /* unhashed pw: on/off/nolog */
CONFIG_SPECIAL_TLS_CHECK_CRL, /* maps enum tls_check_crl_t to char * */
- CONFIG_ON_OFF_WARN, /* maps to a config on/warn/off enum */
+ CONFIG_SPECIAL_FILTER_VERIFY, /* maps to a config strict/warn-strict/warn/off enum */
} ConfigVarType;
static int32_t config_set_onoff(const char *attrname, char *value, int32_t *configvalue, char *errorbuf, int apply);
@@ -256,7 +256,7 @@ slapi_int_t init_malloc_mmap_threshold;
slapi_onoff_t init_extract_pem;
slapi_onoff_t init_ignore_vattrs;
slapi_onoff_t init_enable_upgrade_hash;
-slapi_onwarnoff_t init_verify_filter_schema;
+slapi_special_filter_verify_t init_verify_filter_schema;
static int
isInt(ConfigVarType type)
@@ -1248,7 +1248,7 @@ static struct config_get_and_set
{CONFIG_VERIFY_FILTER_SCHEMA, config_set_verify_filter_schema,
NULL, 0,
(void **)&global_slapdFrontendConfig.verify_filter_schema,
- CONFIG_ON_OFF_WARN, (ConfigGetFunc)config_get_verify_filter_schema,
+ CONFIG_SPECIAL_FILTER_VERIFY, (ConfigGetFunc)config_get_verify_filter_schema,
&init_verify_filter_schema},
/* End config */
};
@@ -7659,18 +7659,21 @@ config_initvalue_to_onoff(struct config_get_and_set *cgas, char *initvalbuf, siz
}
static char *
-config_initvalue_to_onwarnoff(struct config_get_and_set *cgas, char *initvalbuf, size_t initvalbufsize) {
+config_initvalue_to_special_filter_verify(struct config_get_and_set *cgas, char *initvalbuf, size_t initvalbufsize) {
char *retval = NULL;
- if (cgas->config_var_type == CONFIG_ON_OFF_WARN) {
- slapi_onwarnoff_t *value = (slapi_onwarnoff_t *)(intptr_t)cgas->initvalue;
+ if (cgas->config_var_type == CONFIG_SPECIAL_FILTER_VERIFY) {
+ slapi_special_filter_verify_t *value = (slapi_special_filter_verify_t *)(intptr_t)cgas->initvalue;
if (value != NULL) {
- if (*value == SLAPI_ON) {
- PR_snprintf(initvalbuf, initvalbufsize, "%s", "on");
+ if (*value == SLAPI_STRICT) {
+ PR_snprintf(initvalbuf, initvalbufsize, "%s", "reject-invalid");
retval = initvalbuf;
- } else if (*value == SLAPI_WARN) {
- PR_snprintf(initvalbuf, initvalbufsize, "%s", "warn");
+ } else if (*value == SLAPI_WARN_SAFE) {
+ PR_snprintf(initvalbuf, initvalbufsize, "%s", "process-safe");
retval = initvalbuf;
- } else if (*value == SLAPI_OFF) {
+ } else if (*value == SLAPI_WARN_UNSAFE) {
+ PR_snprintf(initvalbuf, initvalbufsize, "%s", "warn-invalid");
+ retval = initvalbuf;
+ } else if (*value == SLAPI_OFF_UNSAFE) {
PR_snprintf(initvalbuf, initvalbufsize, "%s", "off");
retval = initvalbuf;
}
@@ -7680,7 +7683,7 @@ config_initvalue_to_onwarnoff(struct config_get_and_set *cgas, char *initvalbuf,
}
static int32_t
-config_set_onoffwarn(slapdFrontendConfig_t *slapdFrontendConfig, slapi_onwarnoff_t *target, const char *attrname, char *value, char *errorbuf, int apply) {
+config_set_specialfilterverify(slapdFrontendConfig_t *slapdFrontendConfig, slapi_special_filter_verify_t *target, const char *attrname, char *value, char *errorbuf, int apply) {
if (target == NULL) {
return LDAP_OPERATIONS_ERROR;
}
@@ -7691,15 +7694,23 @@ config_set_onoffwarn(slapdFrontendConfig_t *slapdFrontendConfig, slapi_onwarnoff
slapi_special_filter_verify_t p_val = SLAPI_WARN_UNSAFE;
+ /* on/warn/off retained for legacy reasons due to wbrown making terrible mistakes :( :( */
if (strcasecmp(value, "on") == 0) {
- p_val = SLAPI_ON;
+ p_val = SLAPI_STRICT;
} else if (strcasecmp(value, "warn") == 0) {
- p_val = SLAPI_WARN;
+ p_val = SLAPI_WARN_SAFE;
+ /* The new fixed/descriptive names */
+ } else if (strcasecmp(value, "reject-invalid") == 0) {
+ p_val = SLAPI_STRICT;
+ } else if (strcasecmp(value, "process-safe") == 0) {
+ p_val = SLAPI_WARN_SAFE;
+ } else if (strcasecmp(value, "warn-invalid") == 0) {
+ p_val = SLAPI_WARN_UNSAFE;
} else if (strcasecmp(value, "off") == 0) {
- p_val = SLAPI_OFF;
+ p_val = SLAPI_OFF_UNSAFE;
} else {
slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: invalid value \"%s\". Valid values are \"on\", \"warn\" or \"off\".", attrname, value);
+ "%s: invalid value \"%s\". Valid values are \"reject-invalid\", \"process-safe\", \"warn-invalid\" or \"off\". If in doubt, choose \"process-safe\"", attrname, value);
return LDAP_OPERATIONS_ERROR;
}
@@ -7718,14 +7729,14 @@ config_set_onoffwarn(slapdFrontendConfig_t *slapdFrontendConfig, slapi_onwarnoff
int32_t
config_set_verify_filter_schema(const char *attrname, char *value, char *errorbuf, int apply) {
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
- slapi_onwarnoff_t *target = &(slapdFrontendConfig->verify_filter_schema);
- return config_set_onoffwarn(slapdFrontendConfig, target, attrname, value, errorbuf, apply);
+ slapi_special_filter_verify_t *target = &(slapdFrontendConfig->verify_filter_schema);
+ return config_set_specialfilterverify(slapdFrontendConfig, target, attrname, value, errorbuf, apply);
}
Slapi_Filter_Policy
config_get_verify_filter_schema()
{
- slapi_onwarnoff_t retVal;
+ slapi_special_filter_verify_t retVal;
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
CFG_LOCK_READ(slapdFrontendConfig);
retVal = slapdFrontendConfig->verify_filter_schema;
@@ -7733,10 +7744,13 @@ config_get_verify_filter_schema()
/* Now map this to a policy that the fns understand. */
switch (retVal) {
- case SLAPI_ON:
+ case SLAPI_STRICT:
return FILTER_POLICY_STRICT;
break;
- case SLAPI_WARN:
+ case SLAPI_WARN_SAFE:
+ return FILTER_POLICY_PROTECT;
+ break;
+ case SLAPI_WARN_UNSAFE:
return FILTER_POLICY_WARNING;
break;
default:
@@ -7794,8 +7808,8 @@ config_set(const char *attr, struct berval **values, char *errorbuf, int apply)
void *initval = cgas->initvalue;
if (cgas->config_var_type == CONFIG_ON_OFF) {
initval = (void *)config_initvalue_to_onoff(cgas, initvalbuf, sizeof(initvalbuf));
- } else if (cgas->config_var_type == CONFIG_ON_OFF_WARN) {
- initval = (void *)config_initvalue_to_onwarnoff(cgas, initvalbuf, sizeof(initvalbuf));
+ } else if (cgas->config_var_type == CONFIG_SPECIAL_FILTER_VERIFY) {
+ initval = (void *)config_initvalue_to_special_filter_verify(cgas, initvalbuf, sizeof(initvalbuf));
}
if (cgas->setfunc) {
retval = (cgas->setfunc)(cgas->attr_name, initval, errorbuf, apply);
@@ -8021,20 +8035,24 @@ config_set_value(
break;
- case CONFIG_ON_OFF_WARN:
+ case CONFIG_SPECIAL_FILTER_VERIFY:
/* Is this the right default here? */
if (!value) {
- slapi_entry_attr_set_charptr(e, cgas->attr_name, "off");
+ slapi_entry_attr_set_charptr(e, cgas->attr_name, "process-safe");
break;
}
- if (*((slapi_onwarnoff_t *)value) == SLAPI_ON) {
- slapi_entry_attr_set_charptr(e, cgas->attr_name, "on");
- } else if (*((slapi_onwarnoff_t *)value) == SLAPI_WARN) {
- slapi_entry_attr_set_charptr(e, cgas->attr_name, "warn");
+ if (*((slapi_special_filter_verify_t *)value) == SLAPI_STRICT) {
+ slapi_entry_attr_set_charptr(e, cgas->attr_name, "reject-invalid");
+ } else if (*((slapi_special_filter_verify_t *)value) == SLAPI_WARN_SAFE) {
+ slapi_entry_attr_set_charptr(e, cgas->attr_name, "process-safe");
+ } else if (*((slapi_special_filter_verify_t *)value) == SLAPI_WARN_UNSAFE) {
+ slapi_entry_attr_set_charptr(e, cgas->attr_name, "warn-invalid");
+ } else if (*((slapi_special_filter_verify_t *)value) == SLAPI_OFF_UNSAFE) {
+ slapi_entry_attr_set_charptr(e, cgas->attr_name, "off");
} else {
/* Default to safe warn-proccess-safely */
- slapi_entry_attr_set_charptr(e, cgas->attr_name, "warn-invalid");
+ slapi_entry_attr_set_charptr(e, cgas->attr_name, "process-safe");
}
break;
diff --git a/ldap/servers/slapd/schema.c b/ldap/servers/slapd/schema.c
index 6e853fc7c..d7c3c139e 100644
--- a/ldap/servers/slapd/schema.c
+++ b/ldap/servers/slapd/schema.c
@@ -698,7 +698,7 @@ out:
}
static Slapi_Filter_Result
-slapi_filter_schema_check_inner(Slapi_Filter *f) {
+slapi_filter_schema_check_inner(Slapi_Filter *f, slapi_filter_flags flags) {
/*
* Default response to Ok. If any more severe things happen we
* alter this to reflect it. IE we bubble up more severe errors
@@ -712,26 +712,26 @@ slapi_filter_schema_check_inner(Slapi_Filter *f) {
case LDAP_FILTER_LE:
case LDAP_FILTER_APPROX:
if (!attr_syntax_exist_by_name_nolock(f->f_avtype)) {
- f->f_flags |= SLAPI_FILTER_INVALID_ATTR;
+ f->f_flags |= flags;
r = FILTER_SCHEMA_WARNING;
}
break;
case LDAP_FILTER_PRESENT:
if (!attr_syntax_exist_by_name_nolock(f->f_type)) {
- f->f_flags |= SLAPI_FILTER_INVALID_ATTR;
+ f->f_flags |= flags;
r = FILTER_SCHEMA_WARNING;
}
break;
case LDAP_FILTER_SUBSTRINGS:
if (!attr_syntax_exist_by_name_nolock(f->f_sub_type)) {
- f->f_flags |= SLAPI_FILTER_INVALID_ATTR;
+ f->f_flags |= flags;
r = FILTER_SCHEMA_WARNING;
}
break;
case LDAP_FILTER_EXTENDED:
/* I don't have any examples of this, so I'm not 100% on how to check it */
if (!attr_syntax_exist_by_name_nolock(f->f_mr_type)) {
- f->f_flags |= SLAPI_FILTER_INVALID_ATTR;
+ f->f_flags |= flags;
r = FILTER_SCHEMA_WARNING;
}
break;
@@ -740,7 +740,7 @@ slapi_filter_schema_check_inner(Slapi_Filter *f) {
case LDAP_FILTER_NOT:
/* Recurse and check all elemments of the filter */
for (Slapi_Filter *f_child = f->f_list; f_child != NULL; f_child = f_child->f_next) {
- Slapi_Filter_Result ri = slapi_filter_schema_check_inner(f_child);
+ Slapi_Filter_Result ri = slapi_filter_schema_check_inner(f_child, flags);
if (ri > r) {
r = ri;
}
@@ -769,12 +769,24 @@ slapi_filter_schema_check(Slapi_Filter *f, Slapi_Filter_Policy fp) {
return FILTER_SCHEMA_SUCCESS;
}
+ /*
+ * There are two possible warning types - it's not up to us to warn into
+ * the logs, that's the backends job. So we have to flag a hint into the
+ * filter about what it should do. This is why there are two FILTER_INVALID
+ * types in filter_flags, one for logging it, and one for actually doing
+ * the rejection.
+ */
+ slapi_filter_flags flags = SLAPI_FILTER_INVALID_ATTR_WARN;
+ if (fp == FILTER_POLICY_PROTECT) {
+ flags |= SLAPI_FILTER_INVALID_ATTR_UNDEFINE;
+ }
+
/*
* Filters are nested, recursive structures, so we actually have to call an inner
* function until we have a result!
*/
attr_syntax_read_lock();
- Slapi_Filter_Result r = slapi_filter_schema_check_inner(f);
+ Slapi_Filter_Result r = slapi_filter_schema_check_inner(f, flags);
attr_syntax_unlock_read();
/* If any warning occured, ensure we fail it. */
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index 8a2748519..d73e9aaae 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -457,12 +457,12 @@ typedef enum _tls_check_crl_t {
TLS_CHECK_ALL = 2,
} tls_check_crl_t;
-typedef enum _slapi_onwarnoff_t {
- SLAPI_OFF = 0,
- SLAPI_WARN = 1,
- SLAPI_ON = 2,
-} slapi_onwarnoff_t;
-
+typedef enum _slapi_special_filter_verify_t {
+ SLAPI_STRICT = 0,
+ SLAPI_WARN_SAFE = 1,
+ SLAPI_WARN_UNSAFE = 2,
+ SLAPI_OFF_UNSAFE = 3,
+} slapi_special_filter_verify_t;
struct subfilt
{
@@ -2547,11 +2547,12 @@ typedef struct _slapdFrontendConfig
slapi_onoff_t enable_upgrade_hash; /* If on, upgrade hashes for PW at bind */
/*
* Do we verify the filters we recieve by schema?
- * on - yes, and reject if attribute not found
- * warn - yes, and warn that the attribute is unknown and unindexed
- * off - no, do whatever (old status-quo)
+ * reject-invalid - reject filter if there is anything invalid
+ * process-safe - allow the filter, warn about what's invalid, and then idl_alloc(0) with rfc compliance
+ * warn-invalid - allow the filter, warn about the invalid, and then do a ALLIDS (may lead to full table scan)
+ * off - don't warn, just allow anything. This is the legacy behaviour.
*/
- slapi_onwarnoff_t verify_filter_schema;
+ slapi_special_filter_verify_t verify_filter_schema;
} slapdFrontendConfig_t;
/* possible values for slapdFrontendConfig_t.schemareplace */
diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
index 50b8d12c8..40b5c911a 100644
--- a/ldap/servers/slapd/slapi-plugin.h
+++ b/ldap/servers/slapd/slapi-plugin.h
@@ -1571,6 +1571,7 @@ int slapi_entry_syntax_check(Slapi_PBlock *pb, Slapi_Entry *e, int override);
typedef enum {
FILTER_POLICY_OFF,
FILTER_POLICY_WARNING,
+ FILTER_POLICY_PROTECT,
FILTER_POLICY_STRICT,
} Slapi_Filter_Policy;
diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h
index 04c045532..1f17eda12 100644
--- a/ldap/servers/slapd/slapi-private.h
+++ b/ldap/servers/slapd/slapi-private.h
@@ -54,7 +54,8 @@ typedef enum _slapi_filter_flags_t {
SLAPI_FILTER_RUV = 4,
SLAPI_FILTER_NORMALIZED_TYPE = 8,
SLAPI_FILTER_NORMALIZED_VALUE = 16,
- SLAPI_FILTER_INVALID_ATTR = 32,
+ SLAPI_FILTER_INVALID_ATTR_UNDEFINE = 32,
+ SLAPI_FILTER_INVALID_ATTR_WARN = 64,
} slapi_filter_flags;
#define SLAPI_ENTRY_LDAPSUBENTRY 2
diff --git a/src/lib389/lib389/extensibleobject.py b/src/lib389/lib389/extensibleobject.py
new file mode 100644
index 000000000..8fe37f980
--- /dev/null
+++ b/src/lib389/lib389/extensibleobject.py
@@ -0,0 +1,53 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2019, William Brown <william at blackhats.net.au>
+# All rights reserved.
+#
+# License: GPL (version 3 or any later version).
+# See LICENSE for details.
+# --- END COPYRIGHT BLOCK ---
+
+from lib389._mapped_object import DSLdapObject, DSLdapObjects
+from lib389.utils import ensure_str
+
+class UnsafeExtensibleObject(DSLdapObject):
+ """A single instance of an extensible object. Extensible object by it's
+ nature is unsafe, eliminating rules around attribute checking. It may
+ cause unsafe or other unknown behaviour if not handled correctly.
+
+ :param instance: An instance
+ :type instance: lib389.DirSrv
+ :param dn: Entry DN
+ :type dn: str
+ """
+
+ def __init__(self, instance, dn=None):
+ super(UnsafeExtensibleObject, self).__init__(instance, dn)
+ self._rdn_attribute = "cn"
+ # Can I generate these from schema?
+ self._must_attributes = []
+ self._create_objectclasses = [
+ 'top',
+ 'extensibleObject',
+ ]
+ self._protected = False
+
+class UnsafeExtensibleObjects(DSLdapObjects):
+ """DSLdapObjects that represents all extensible objects. Extensible Objects
+ are unsafe in their nature, disabling many checks around schema and attribute
+ handling. You should really really REALLY not use this unless you have specific
+ needs for testing.
+
+ :param instance: An instance
+ :type instance: lib389.DirSrv
+ :param basedn: Base DN for all group entries below
+ :type basedn: str
+ """
+
+ def __init__(self, instance, basedn):
+ super(UnsafeExtensibleObjects, self).__init__(instance)
+ self._objectclasses = [
+ 'extensibleObject',
+ ]
+ self._filterattrs = ["cn"]
+ self._childobject = UnsafeExtensibleObject
+ self._basedn = ensure_str(basedn)
--
2.21.1