Attached are two patches:
- reject direct modification of segment endpoints and connectivity
- better manage the rdn of a replication agreement represented by a segment
>From b7d72c390cd4ea021d9c818156c07de4fc2b0921 Mon Sep 17 00:00:00 2001
From: Ludwig Krispenz <lkris...@redhat.com>
Date: Wed, 10 Jun 2015 15:53:16 +0200
Subject: [PATCH] make sure the agremment rdn match the rdn used in the segment

---
 daemons/ipa-slapi-plugins/topology/topology_util.c | 37 +++++++++++-----------
 1 file changed, 19 insertions(+), 18 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/topology/topology_util.c b/daemons/ipa-slapi-plugins/topology/topology_util.c
index 67014a05d4f89260d4307e5212a5594335617482..cd97827b17d3a276974331f7da7bf0eae40c5a81 100644
--- a/daemons/ipa-slapi-plugins/topology/topology_util.c
+++ b/daemons/ipa-slapi-plugins/topology/topology_util.c
@@ -292,9 +292,9 @@ ipa_topo_util_agmt_from_entry(Slapi_Entry *entry, char *replRoot, char *fromHost
                               char *toHost, char *direction)
 {
     TopoReplicaAgmt *agmt = NULL;
-    char **mattrs;
-    char *mattr;
-    char *mval;
+    char **mattrs = NULL;
+    char *mattr = NULL;
+    char *mval = NULL;
     int i;
 
     agmt = (TopoReplicaAgmt *) slapi_ch_calloc(1,sizeof(TopoReplicaAgmt));
@@ -302,18 +302,8 @@ ipa_topo_util_agmt_from_entry(Slapi_Entry *entry, char *replRoot, char *fromHost
     agmt->target = slapi_ch_strdup(toHost);
     agmt->repl_root = slapi_ch_strdup(replRoot);
 
-    mattr = slapi_ch_smprintf("ipaReplTopoSegmentGenerated;%s",direction);
-    mval = slapi_entry_attr_get_charptr(entry,mattr);
-    if (mval == 0) {
-        mval = slapi_entry_attr_get_charptr(entry,"ipaReplTopoSegmentGenerated");
-    }
-    if (mval) {
-        agmt->rdn = ipa_topo_agmt_gen_rdn(fromHost,toHost);
-    } else {
-        agmt->rdn = ipa_topo_agmt_std_rdn(toHost);
-    }
-    slapi_ch_free_string(&mattr);
-    slapi_ch_free_string(&mval);
+    /* use std agmt rdn, it may be updated when matching real agmt is found */
+    agmt->rdn = ipa_topo_agmt_std_rdn(toHost);
 
     mattrs = ipa_topo_get_plugin_managed_attrs();
     for (i=0; mattrs[i]; i++) {
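Review bot: The added comment does not say where the rdn is updated, so with the generated-rdn branch removed a reader of `ipa_topo_util_agmt_from_entry` cannot tell which code corrects it. Suggest `/* start with the std agmt rdn; ipa_topo_util_update_agmt_list() replaces it with the rdn of the existing agreement when one is found */`. In the visible lines `direction` is no longer read and `mattr`/`mval` lose the uses shown here, so check whether the rest of the function, which continues outside the hunk, still needs them.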
@@ -520,9 +510,20 @@ ipa_topo_util_update_agmt_list(TopoReplica *conf, TopoReplicaSegmentList *repl_s
                                                     ipa_topo_get_plugin_hostname(),
                                                     targetHost);
         if (topo_agmt) {
-            /* if segment found update agreement params */
-            char * segm_attr_val;
-            char * agmt_attr_val;
+            /* compare rdns, use rdn of existing agreement */
+            const Slapi_DN *agmt_dn = slapi_entry_get_sdn_const(repl_agmt);
+            Slapi_RDN *agmt_rdn = slapi_rdn_new();
+            slapi_sdn_get_rdn(agmt_dn, agmt_rdn);
+            const char *agmt_rdn_str  = slapi_rdn_get_rdn(agmt_rdn);
+            if (strcasecmp(agmt_rdn_str, topo_agmt->rdn)) {
+                slapi_ch_free_string(&topo_agmt->rdn);
+                topo_agmt->rdn = slapi_ch_strdup(agmt_rdn_str);
+            }
+            slapi_rdn_free(&agmt_rdn);
+
+            /* update agreement params which are different in the segment*/
+            char *segm_attr_val;
+            char *agmt_attr_val;
             Slapi_Mods *smods = slapi_mods_new();
             char **mattrs = ipa_topo_get_plugin_managed_attrs();
             for (i=0; mattrs[i]; i++) {
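Review bot: `agmt_rdn_str` is passed to `strcasecmp` and `slapi_ch_strdup` without a NULL check in the added rdn comparison, and `topo_agmt->rdn` is assumed to be non-NULL as well. If `slapi_rdn_get_rdn` can return NULL for an entry whose DN yields no usable RDN, the compare is undefined behaviour; a guard such as `if (agmt_rdn_str && (topo_agmt->rdn == NULL || strcasecmp(agmt_rdn_str, topo_agmt->rdn)))` keeps the existing rdn in that case. The check is a plain case-insensitive string compare, so equivalent RDNs that differ only in spacing or escaping are treated as different, which here costs only a redundant copy. The enclosing function starts and ends outside the hunk.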
-- 
2.1.0

>From d69ad45e5331a0f0e42ac3c674602b03c40f54ec Mon Sep 17 00:00:00 2001
From: Ludwig Krispenz <lkris...@redhat.com>
Date: Wed, 10 Jun 2015 17:47:25 +0200
Subject: [PATCH] reject modifications of endpoints and connectivity of a
 segment

---
 daemons/ipa-slapi-plugins/topology/topology_pre.c | 57 +++++++++++++++++++++--
 1 file changed, 52 insertions(+), 5 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/topology/topology_pre.c b/daemons/ipa-slapi-plugins/topology/topology_pre.c
index 0a0cd65b592e2dc796a179e035598e5f641bb01e..9ca116c8e036f5b558e0ffae402453db2b0f9f79 100644
--- a/daemons/ipa-slapi-plugins/topology/topology_pre.c
+++ b/daemons/ipa-slapi-plugins/topology/topology_pre.c
@@ -60,7 +60,7 @@ int ipa_topo_is_entry_managed(Slapi_PBlock *pb)
 
 }
 int
-ipa_topo_is_modattr_restricted(Slapi_PBlock *pb)
+ipa_topo_is_agmt_attr_restricted(Slapi_PBlock *pb)
 {
     LDAPMod **mods;
     int i;
@@ -75,6 +75,24 @@ ipa_topo_is_modattr_restricted(Slapi_PBlock *pb)
     }
     return rc;
 }
+int
+ipa_topo_is_segm_attr_restricted(Slapi_PBlock *pb)
+{
+    LDAPMod **mods;
+    int i;
+    int rc = 0;
+
+    slapi_pblock_get(pb, SLAPI_MODIFY_MODS, &mods);
+    for (i = 0; (mods != NULL) && (mods[i] != NULL); i++) {
+        if ((0 == strcasecmp(mods[i]->mod_type, "ipaReplTopoSegmentDirection")) ||
+            (0 == strcasecmp(mods[i]->mod_type, "ipaReplTopoSegmentLeftNode")) ||
+            (0 == strcasecmp(mods[i]->mod_type, "ipaReplTopoSegmentRightNode"))) {
+            rc = 1;
+            break;
+        }
+    }
+    return rc;
+}
 
 /* connectivity check for topology
  * checks if the nodes of a segment would still be connected after
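Review bot: The three `strcasecmp` checks in `ipa_topo_is_segm_attr_restricted` match only the bare attribute name, so a modification whose `mod_type` carries an attribute option would not be rejected unless the server normalizes types before this pre-op runs. The first patch on this page shows the `ipaReplTopoSegmentGenerated;%s` form, so option-bearing types do occur for these entries. Comparing on the base type, for example `slapi_attr_type_cmp(mods[i]->mod_type, "ipaReplTopoSegmentLeftNode", SLAPI_TYPE_CMP_BASE) == 0`, covers all three names. `mods` is also read after an unchecked `slapi_pblock_get`; declaring it as `LDAPMod **mods = NULL;` makes the loop's NULL test meaningful when the lookup fails.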
@@ -309,6 +327,28 @@ ipa_topo_check_connect_reject(Slapi_PBlock *pb)
 }
 
 int
+ipa_topo_check_connect_restrict(Slapi_PBlock *pb)
+{
+    int rc = 0;
+    Slapi_Entry *mod_entry;
+    char *pi;
+
+    /* we have to check if the operation is triggered by the
+     * topology plugin itself - allow it
+     */
+    slapi_pblock_get(pb, SLAPI_PLUGIN_IDENTITY,&pi);
+    if (pi && 0 == strcasecmp(pi, ipa_topo_get_plugin_id())) {
+        return 0;
+    }
+    slapi_pblock_get(pb,SLAPI_MODIFY_EXISTING_ENTRY,&mod_entry);
+    if (TOPO_SEGMENT_ENTRY == ipa_topo_check_entry_type(mod_entry) &&
+        (ipa_topo_is_segm_attr_restricted(pb))) {
+        rc = 1;
+    }
+    return rc;
+}
+
+int
 ipa_topo_check_disconnect_reject(Slapi_PBlock *pb)
 {
     int rc = 1;
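Review bot: `pi` and `mod_entry` in `ipa_topo_check_connect_restrict` are uninitialized and both `slapi_pblock_get` return values are ignored, so a failed lookup leaves the `pi &&` test and the `ipa_topo_check_entry_type(mod_entry)` call working on indeterminate pointers. Initializing them (`char *pi = NULL;`, `Slapi_Entry *mod_entry = NULL;`) and skipping the entry-type check when `mod_entry` is NULL makes the outcome deterministic. The early `return 0` is what exempts the plugin's own operations from the restriction. It is therefore worth confirming that the value stored under `SLAPI_PLUGIN_IDENTITY` really is a NUL-terminated string that `strcasecmp` can compare with `ipa_topo_get_plugin_id()`, and stating that in the comment.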
@@ -403,6 +443,7 @@ ipa_topo_pre_mod(Slapi_PBlock *pb)
 {
 
     int result = SLAPI_PLUGIN_SUCCESS;
+    char *errtxt = NULL;
 
     slapi_log_error(SLAPI_LOG_PLUGIN, IPA_TOPO_PLUGIN_SUBSYSTEM,
                     "--> ipa_topo_pre_mod\n");
@@ -415,11 +456,17 @@ ipa_topo_pre_mod(Slapi_PBlock *pb)
 
     if (ipa_topo_pre_ignore_op(pb)) return result;
 
-    if (ipa_topo_is_entry_managed(pb) && ipa_topo_is_modattr_restricted(pb)) {
+    if (ipa_topo_is_entry_managed(pb)){
+        if(ipa_topo_is_agmt_attr_restricted(pb)) {
+            errtxt = slapi_ch_smprintf("Entry and attributes are managed by topology plugin."
+                                       "No direct modifications allowed.\n");
+        }
+    } else if (ipa_topo_check_connect_restrict(pb)) {
+        errtxt = slapi_ch_smprintf("Modification of connectivity and segment nodes "
+                                   " is not supported.\n");
+    }
+    if (errtxt) {
         int rc = LDAP_UNWILLING_TO_PERFORM;
-        char *errtxt;
-        errtxt = slapi_ch_smprintf("Entry and attributes are managed by topology plugin."
-                                   "No direct modifications allowed.\n");
         slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, errtxt);
         slapi_pblock_set(pb, SLAPI_RESULT_CODE, &rc);
         result = SLAPI_PLUGIN_FAILURE;
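Review bot: The new client-visible text is built from two literals that join as `nodes  is not supported` (two spaces), and the retained message still joins as `plugin.No direct` (no space). Writing `"Modification of connectivity and segment nodes is not supported.\n"` and adding a space after `plugin.` fixes both. Neither message has format arguments, so `slapi_ch_strdup` would serve instead of `slapi_ch_smprintf`. Whether `errtxt` is released after `slapi_pblock_set` lies outside the hunk; if the pblock copies the text, a `slapi_ch_free_string(&errtxt);` is needed once the result is set.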
-- 
2.1.0
