Ticket: https://fedorahosted.org/freeipa/ticket/5536
Patch attached.
>From 592c2cfece7c1f0860cacc72b642826d5b4a7791 Mon Sep 17 00:00:00 2001
From: Ludwig Krispenz <lkris...@redhat.com>
Date: Fri, 11 Dec 2015 13:50:53 +0100
Subject: [PATCH] prevent moving of topology entries out of managed scope by modrdn operations
Ticket: https://fedorahosted.org/freeipa/ticket/5536
---
 daemons/ipa-slapi-plugins/topology/topology.h | 1 +
 daemons/ipa-slapi-plugins/topology/topology_init.c | 2 +
 daemons/ipa-slapi-plugins/topology/topology_pre.c | 53 ++++++++++++++++++++++
 3 files changed, 56 insertions(+)
diff --git a/daemons/ipa-slapi-plugins/topology/topology.h b/daemons/ipa-slapi-plugins/topology/topology.h
index d264ed9c1e3e903d7554963b843d1f98385ec47a..4ea2b368f279b56c330dc2067eb6f6aee36b1abb 100644
--- a/daemons/ipa-slapi-plugins/topology/topology.h
+++ b/daemons/ipa-slapi-plugins/topology/topology.h
@@ -211,6 +211,7 @@ int ipa_topo_post_del(Slapi_PBlock *pb);
 /* preop plugin functions */
 int ipa_topo_pre_add(Slapi_PBlock *pb);
 int ipa_topo_pre_mod(Slapi_PBlock *pb);
+int ipa_topo_pre_modrdn(Slapi_PBlock *pb);
 int ipa_topo_pre_del(Slapi_PBlock *pb);
 /* functions to modify agreements */
diff --git a/daemons/ipa-slapi-plugins/topology/topology_init.c b/daemons/ipa-slapi-plugins/topology/topology_init.c
index de53ad69ed636ef59b26e64d760d60b9da3a5dfd..02ff495e36b33e35abce361b61c1c2ba8871a5e8 100644
--- a/daemons/ipa-slapi-plugins/topology/topology_init.c
+++ b/daemons/ipa-slapi-plugins/topology/topology_init.c
@@ -90,6 +90,8 @@ ipa_topo_preop_init(Slapi_PBlock *pb)
 rc = slapi_pblock_set(pb, SLAPI_PLUGIN_BE_PRE_MODIFY_FN,
 (void *)ipa_topo_pre_mod);
+ rc |= slapi_pblock_set(pb, SLAPI_PLUGIN_BE_PRE_MODRDN_FN,
+ (void *)ipa_topo_pre_modrdn);
 rc |= slapi_pblock_set(pb, SLAPI_PLUGIN_BE_PRE_ADD_FN,
 (void *)ipa_topo_pre_add);
 rc |= slapi_pblock_set(pb, SLAPI_PLUGIN_BE_PRE_DELETE_FN,
diff --git a/daemons/ipa-slapi-plugins/topology/topology_pre.c b/daemons/ipa-slapi-plugins/topology/topology_pre.c
index 1788c6d3e9d95543d905054d9d1f31c40dddc045..d0436bafcc52bf0b187fe08400c0a656e97cd4b4 100644
--- a/daemons/ipa-slapi-plugins/topology/topology_pre.c
+++ b/daemons/ipa-slapi-plugins/topology/topology_pre.c
@@ -402,6 +402,29 @@ ipa_topo_check_segment_updates(Slapi_PBlock *pb)
 }
 int
+ipa_topo_check_entry_move(Slapi_PBlock *pb)
+{
+ int rc = 0;
+ int entry_type = TOPO_IGNORE_ENTRY;
+ Slapi_Entry *modrdn_entry;
+ slapi_pblock_get(pb,SLAPI_MODRDN_TARGET_ENTRY,&modrdn_entry);
+ entry_type = ipa_topo_check_entry_type(modrdn_entry);
+ switch (entry_type) {
+ case TOPO_SEGMENT_ENTRY:
+ case TOPO_CONFIG_ENTRY: {
+ Slapi_DN *newsuperior = NULL;
+ slapi_pblock_get(pb, SLAPI_MODRDN_NEWSUPERIOR_SDN, &newsuperior);
+ if (newsuperior && slapi_sdn_get_dn(newsuperior)) rc = 1;
+ break;
+ }
+ default:
+ rc = 0;
+ break;
+ }
+ return rc;
+}
+
+int
 ipa_topo_check_host_updates(Slapi_PBlock *pb)
 {
 int rc = 0;
@@ -605,3 +628,33 @@ ipa_topo_pre_del(Slapi_PBlock *pb)
 "<-- ipa_topo_pre_del\n");
 return result;
 }
+int
+ipa_topo_pre_modrdn(Slapi_PBlock *pb)
+{
+
+ int result = SLAPI_PLUGIN_SUCCESS;
+
+ slapi_log_error(SLAPI_LOG_PLUGIN, IPA_TOPO_PLUGIN_SUBSYSTEM,
+ "--> ipa_topo_pre_modrdn\n");
+
+ if (0 == ipa_topo_get_plugin_active()) {
+ slapi_log_error(SLAPI_LOG_PLUGIN, IPA_TOPO_PLUGIN_SUBSYSTEM,
+ "<-- ipa_topo_pre_modrdn - plugin not active\n");
+ return 0;
+ }
+
+ if (ipa_topo_pre_ignore_op(pb)) return result;
+
+ if (ipa_topo_check_entry_move(pb)){
+ int rc = LDAP_UNWILLING_TO_PERFORM;
+ char *errtxt;
+ errtxt = slapi_ch_smprintf("Moving of a segment or config entry "
+ "to another subtree is not allowed.\n");
+ slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, errtxt);
+ slapi_pblock_set(pb, SLAPI_RESULT_CODE, &rc);
+ result = SLAPI_PLUGIN_FAILURE;
+ }
+
+ return result;
+
+}
--
2.4.3
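Review bot: In ipa_topo_check_entry_move, `modrdn_entry` has no initializer and the result of `slapi_pblock_get(pb,SLAPI_MODRDN_TARGET_ENTRY,&modrdn_entry)` is ignored, so a failed or empty lookup hands an indeterminate pointer to ipa_topo_check_entry_type. Because this function is the guard that keeps segment and config entries inside the managed scope, declare it as `Slapi_Entry *modrdn_entry = NULL;` and decide explicitly what a NULL target means; whether ipa_topo_check_entry_type tolerates NULL is not visible in this patch. The function is also added without `static`, while the topology.h hunk only declares ipa_topo_pre_modrdn, so either mark it `static` or add a prototype if another file needs it. A short header comment would help, stating that any modrdn carrying a new superior is refused for these two entry types, and that a rename which leaves the entry under the same parent is let through.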
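Review bot: In ipa_topo_pre_modrdn the rejection branch allocates `errtxt` with slapi_ch_smprintf and passes it to `slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, errtxt)` without freeing it afterwards. Whether the pblock copies the string or takes ownership is not visible here, so confirm that and add `slapi_ch_free_string(&errtxt);` after the set if it copies. The format string takes no arguments, so a plain literal or slapi_ch_strdup would be enough. The `ipa_topo_pre_ignore_op(pb)` early return and the final return skip the "<-- ipa_topo_pre_modrdn" trace that the inactive-plugin path writes, and a refused move is reported only to the client; logging the rejection would let an operator see attempts to relocate topology entries. A one-line comment above the ignore check naming which operations bypass the guard would make the enforcement boundary explicit.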