s4:subtree_rename LDB module - fix the move/rename constraints
[mat/samba.git] / source4 / dsdb / samdb / ldb_modules / subtree_rename.c
1 /* 
2    ldb database library
3
4    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006-2007
5    Copyright (C) Stefan Metzmacher <metze@samba.org> 2007
6    Copyright (C) Matthias Dieter Wallnöfer <mdw@samba.org> 2010-2011
7
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 3 of the License, or
11    (at your option) any later version.
12    
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17    
18    You should have received a copy of the GNU General Public License
19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 /*
23  *  Name: ldb
24  *
25  *  Component: ldb subtree rename module
26  *
27  *  Description: Rename a subtree in LDB
28  *
29  *  Author: Andrew Bartlett
30  */
31
32 #include "includes.h"
33 #include <ldb.h>
34 #include <ldb_module.h>
35 #include "libds/common/flags.h"
36 #include "dsdb/samdb/samdb.h"
37
38 struct subren_msg_store {
39         struct subren_msg_store *next;
40         struct ldb_dn *olddn;
41         struct ldb_dn *newdn;
42 };
43
44 struct subtree_rename_context {
45         struct ldb_module *module;
46         struct ldb_request *req;
47
48         struct subren_msg_store *list;
49         struct subren_msg_store *current;
50 };
51
52 static struct subtree_rename_context *subren_ctx_init(struct ldb_module *module,
53                                                       struct ldb_request *req)
54 {
55         struct ldb_context *ldb;
56         struct subtree_rename_context *ac;
57
58         ldb = ldb_module_get_ctx(module);
59
60         ac = talloc_zero(req, struct subtree_rename_context);
61         if (ac == NULL) {
62                 return NULL;
63         }
64
65         ac->module = module;
66         ac->req = req;
67
68         return ac;
69 }
70
71 static int subtree_rename_next_request(struct subtree_rename_context *ac);
72
73 static int subtree_rename_callback(struct ldb_request *req,
74                                    struct ldb_reply *ares)
75 {
76         struct ldb_context *ldb;
77         struct subtree_rename_context *ac;
78         int ret;
79
80         ac = talloc_get_type(req->context, struct subtree_rename_context);
81         ldb = ldb_module_get_ctx(ac->module);
82
83         if (!ares) {
84                 return ldb_module_done(ac->req, NULL, NULL,
85                                         LDB_ERR_OPERATIONS_ERROR);
86         }
87
88         if (ares->type == LDB_REPLY_REFERRAL) {
89                 return ldb_module_send_referral(ac->req, ares->referral);
90         }
91
92         if (ares->error != LDB_SUCCESS) {
93                 return ldb_module_done(ac->req, ares->controls,
94                                         ares->response, ares->error);
95         }
96
97         if (ares->type != LDB_REPLY_DONE) {
98                 ldb_set_errstring(ldb, "Invalid reply type!\n");
99                 return ldb_module_done(ac->req, NULL, NULL,
100                                         LDB_ERR_OPERATIONS_ERROR);
101         }
102
103         if (ac->current == NULL) {
104                 /* this was the last one */
105                 return ldb_module_done(ac->req, ares->controls,
106                                         ares->response, LDB_SUCCESS);
107         }
108
109         ret = subtree_rename_next_request(ac);
110         if (ret != LDB_SUCCESS) {
111                 return ldb_module_done(ac->req, NULL, NULL, ret);
112         }
113
114         talloc_free(ares);
115         return LDB_SUCCESS;
116 }
117
118 static int subtree_rename_next_request(struct subtree_rename_context *ac)
119 {
120         struct ldb_context *ldb;
121         struct ldb_request *req;
122         int ret;
123
124         ldb = ldb_module_get_ctx(ac->module);
125
126         if (ac->current == NULL) {
127                 return ldb_operr(ldb);
128         }
129
130         ret = ldb_build_rename_req(&req, ldb, ac->current,
131                                    ac->current->olddn,
132                                    ac->current->newdn,
133                                    ac->req->controls,
134                                    ac, subtree_rename_callback,
135                                    ac->req);
136         LDB_REQ_SET_LOCATION(req);
137         if (ret != LDB_SUCCESS) {
138                 return ret;
139         }
140
141         ac->current = ac->current->next;
142
143         return ldb_next_request(ac->module, req);
144 }
145
146 static int check_constraints(struct ldb_message *msg,
147                              struct subtree_rename_context *ac,
148                              struct ldb_dn *olddn, struct ldb_dn *newdn)
149 {
150         struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
151         struct ldb_dn *dn1, *dn2, *nc_root;
152         int32_t systemFlags;
153         bool move_op = false;
154         bool rename_op = false;
155         int ret;
156
157         /* Skip the checks if old and new DN are the same, or if we have the
158          * relax control specified or if the returned objects is already
159          * deleted and needs only to be moved for consistency. */
160
161         if (ldb_dn_compare(olddn, newdn) == 0) {
162                 return LDB_SUCCESS;
163         }
164         if (ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID) != NULL) {
165                 return LDB_SUCCESS;
166         }
167         if (ldb_msg_find_attr_as_bool(msg, "isDeleted", false)) {
168                 return LDB_SUCCESS;
169         }
170
171         /* Objects under CN=System */
172
173         dn1 = ldb_dn_copy(ac, ldb_get_default_basedn(ldb));
174         if (dn1 == NULL) return ldb_oom(ldb);
175
176         if ( ! ldb_dn_add_child_fmt(dn1, "CN=System")) {
177                 talloc_free(dn1);
178                 return LDB_ERR_OPERATIONS_ERROR;
179         }
180
181         if ((ldb_dn_compare_base(dn1, olddn) == 0) &&
182             (ldb_dn_compare_base(dn1, newdn) != 0)) {
183                 talloc_free(dn1);
184                 ldb_asprintf_errstring(ldb,
185                                        "subtree_rename: Cannot move/rename %s. Objects under CN=System have to stay under it!",
186                                        ldb_dn_get_linearized(olddn));
187                 return LDB_ERR_OTHER;
188         }
189
190         talloc_free(dn1);
191
192         /* LSA objects */
193
194         if ((samdb_find_attribute(ldb, msg, "objectClass", "secret") != NULL) ||
195             (samdb_find_attribute(ldb, msg, "objectClass", "trustedDomain") != NULL)) {
196                 ldb_asprintf_errstring(ldb,
197                                        "subtree_rename: Cannot move/rename %s. It's an LSA-specific object!",
198                                        ldb_dn_get_linearized(olddn));
199                 return LDB_ERR_UNWILLING_TO_PERFORM;
200         }
201
202         /* systemFlags */
203
204         dn1 = ldb_dn_get_parent(ac, olddn);
205         if (dn1 == NULL) return ldb_oom(ldb);
206         dn2 = ldb_dn_get_parent(ac, newdn);
207         if (dn2 == NULL) return ldb_oom(ldb);
208
209         if (ldb_dn_compare(dn1, dn2) == 0) {
210                 rename_op = true;
211         } else {
212                 move_op = true;
213         }
214
215         talloc_free(dn1);
216         talloc_free(dn2);
217
218         systemFlags = ldb_msg_find_attr_as_int(msg, "systemFlags", 0);
219
220         /* Fetch name context */
221
222         ret = dsdb_find_nc_root(ldb, ac, olddn, &nc_root);
223         if (ret != LDB_SUCCESS) {
224                 return ret;
225         }
226
227         if (ldb_dn_compare(nc_root, ldb_get_schema_basedn(ldb)) == 0) {
228                 if (move_op) {
229                         ldb_asprintf_errstring(ldb,
230                                                "subtree_rename: Cannot move %s within schema partition",
231                                                ldb_dn_get_linearized(olddn));
232                         return LDB_ERR_UNWILLING_TO_PERFORM;
233                 }
234                 if (rename_op &&
235                     (systemFlags & SYSTEM_FLAG_SCHEMA_BASE_OBJECT) != 0) {
236                         ldb_asprintf_errstring(ldb,
237                                                "subtree_rename: Cannot rename %s within schema partition",
238                                                ldb_dn_get_linearized(olddn));
239                         return LDB_ERR_UNWILLING_TO_PERFORM;
240                 }
241         } else if (ldb_dn_compare(nc_root, ldb_get_config_basedn(ldb)) == 0) {
242                 if (move_op &&
243                     (systemFlags & SYSTEM_FLAG_CONFIG_ALLOW_MOVE) == 0) {
244                         /* Here we have to do more: control the
245                          * "ALLOW_LIMITED_MOVE" flag. This means that the
246                          * grand-grand-parents of two objects have to be equal
247                          * in order to perform the move (this is used for
248                          * moving "server" objects in the "sites" container). */
249                         bool limited_move =
250                                 systemFlags & SYSTEM_FLAG_CONFIG_ALLOW_LIMITED_MOVE;
251
252                         if (limited_move) {
253                                 dn1 = ldb_dn_copy(ac, olddn);
254                                 if (dn1 == NULL) return ldb_oom(ldb);
255                                 dn2 = ldb_dn_copy(ac, newdn);
256                                 if (dn2 == NULL) return ldb_oom(ldb);
257
258                                 limited_move &= ldb_dn_remove_child_components(dn1, 3);
259                                 limited_move &= ldb_dn_remove_child_components(dn2, 3);
260                                 limited_move &= ldb_dn_compare(dn1, dn2) == 0;
261
262                                 talloc_free(dn1);
263                                 talloc_free(dn2);
264                         }
265
266                         if (!limited_move) {
267                                 ldb_asprintf_errstring(ldb,
268                                                        "subtree_rename: Cannot move %s to %s in config partition",
269                                                        ldb_dn_get_linearized(olddn), ldb_dn_get_linearized(newdn));
270                                 return LDB_ERR_UNWILLING_TO_PERFORM;
271                         }
272                 }
273                 if (rename_op &&
274                     (systemFlags & SYSTEM_FLAG_CONFIG_ALLOW_RENAME) == 0) {
275                         ldb_asprintf_errstring(ldb,
276                                                "subtree_rename: Cannot rename %s to %s within config partition",
277                                                ldb_dn_get_linearized(olddn), ldb_dn_get_linearized(newdn));
278                         return LDB_ERR_UNWILLING_TO_PERFORM;
279                 }
280         } else if (ldb_dn_compare(nc_root, ldb_get_default_basedn(ldb)) == 0) {
281                 if (move_op &&
282                     (systemFlags & SYSTEM_FLAG_DOMAIN_DISALLOW_MOVE) != 0) {
283                         ldb_asprintf_errstring(ldb,
284                                                "subtree_rename: Cannot move %s to %s - DISALLOW_MOVE set",
285                                                ldb_dn_get_linearized(olddn), ldb_dn_get_linearized(newdn));
286                         return LDB_ERR_UNWILLING_TO_PERFORM;
287                 }
288                 if (rename_op &&
289                     (systemFlags & SYSTEM_FLAG_DOMAIN_DISALLOW_RENAME) != 0) {
290                         ldb_asprintf_errstring(ldb,
291                                                        "subtree_rename: Cannot rename %s to %s - DISALLOW_RENAME set",
292                                                ldb_dn_get_linearized(olddn), ldb_dn_get_linearized(newdn));
293                         return LDB_ERR_UNWILLING_TO_PERFORM;
294                 }
295         }
296
297         talloc_free(nc_root);
298
299         return LDB_SUCCESS;
300 }
301
302 static int subtree_rename_search_callback(struct ldb_request *req,
303                                           struct ldb_reply *ares)
304 {
305         struct subren_msg_store *store;
306         struct subtree_rename_context *ac;
307         int ret;
308
309         ac = talloc_get_type(req->context, struct subtree_rename_context);
310
311         if (!ares || !ac->current) {
312                 return ldb_module_done(ac->req, NULL, NULL,
313                                         LDB_ERR_OPERATIONS_ERROR);
314         }
315         if (ares->error != LDB_SUCCESS) {
316                 return ldb_module_done(ac->req, ares->controls,
317                                         ares->response, ares->error);
318         }
319
320         switch (ares->type) {
321         case LDB_REPLY_ENTRY:
322                 if (ldb_dn_compare(ares->message->dn, ac->list->olddn) == 0) {
323                         /*
324                          * This is the root entry of the originating move
325                          * respectively rename request. It has been already
326                          * stored in the list using "subtree_rename_search()".
327                          * Only this one is subject to constraint checking.
328                          */
329                         ret = check_constraints(ares->message, ac,
330                                                 ac->list->olddn,
331                                                 ac->list->newdn);
332                         if (ret != LDB_SUCCESS) {
333                                 return ldb_module_done(ac->req, NULL, NULL,
334                                                        ret);
335                         }
336
337                         talloc_free(ares);
338                         return LDB_SUCCESS;
339                 }
340
341                 store = talloc_zero(ac, struct subren_msg_store);
342                 if (store == NULL) {
343                         return ldb_module_done(ac->req, NULL, NULL,
344                                                 LDB_ERR_OPERATIONS_ERROR);
345                 }
346                 ac->current->next = store;
347                 ac->current = store;
348
349                 /* the first list element contains the base for the rename */
350                 store->olddn = talloc_steal(store, ares->message->dn);
351                 store->newdn = ldb_dn_copy(store, store->olddn);
352
353                 if ( ! ldb_dn_remove_base_components(store->newdn,
354                                 ldb_dn_get_comp_num(ac->list->olddn))) {
355                         return ldb_module_done(ac->req, NULL, NULL,
356                                                 LDB_ERR_OPERATIONS_ERROR);
357                 }
358
359                 if ( ! ldb_dn_add_base(store->newdn, ac->list->newdn)) {
360                         return ldb_module_done(ac->req, NULL, NULL,
361                                                 LDB_ERR_OPERATIONS_ERROR);
362                 }
363                 break;
364
365         case LDB_REPLY_REFERRAL:
366                 /* ignore */
367                 break;
368
369         case LDB_REPLY_DONE:
370
371                 /* rewind ac->current */
372                 ac->current = ac->list;
373
374                 /* All dns set up, start with the first one */
375                 ret = subtree_rename_next_request(ac);
376
377                 if (ret != LDB_SUCCESS) {
378                         return ldb_module_done(ac->req, NULL, NULL, ret);
379                 }
380                 break;
381         }
382
383         talloc_free(ares);
384         return LDB_SUCCESS;
385 }
386
387 /* rename */
388 static int subtree_rename(struct ldb_module *module, struct ldb_request *req)
389 {
390         struct ldb_context *ldb;
391         static const char * const attrs[] = { "objectClass", "systemFlags",
392                                               "isDeleted", NULL };
393         struct ldb_request *search_req;
394         struct subtree_rename_context *ac;
395         int ret;
396
397         if (ldb_dn_is_special(req->op.rename.olddn)) { /* do not manipulate our control entries */
398                 return ldb_next_request(module, req);
399         }
400
401         ldb = ldb_module_get_ctx(module);
402
403         /* This gets complex:  We need to:
404            - Do a search for all entires under this entry 
405            - Wait for these results to appear
406            - In the callback for each result, issue a modify request
407            - That will include this rename, we hope
408            - Wait for each modify result
409            - Regain our sanity
410         */
411
412         ac = subren_ctx_init(module, req);
413         if (!ac) {
414                 return ldb_oom(ldb);
415         }
416
417         /* add this entry as the first to do */
418         ac->current = talloc_zero(ac, struct subren_msg_store);
419         if (ac->current == NULL) {
420                 return ldb_oom(ldb);
421         }
422         ac->current->olddn = req->op.rename.olddn;
423         ac->current->newdn = req->op.rename.newdn;
424         ac->list = ac->current;
425
426         ret = ldb_build_search_req(&search_req, ldb, ac,
427                                    req->op.rename.olddn, 
428                                    LDB_SCOPE_SUBTREE,
429                                    "(objectClass=*)",
430                                    attrs,
431                                    NULL,
432                                    ac, 
433                                    subtree_rename_search_callback,
434                                    req);
435         LDB_REQ_SET_LOCATION(search_req);
436         if (ret != LDB_SUCCESS) {
437                 return ret;
438         }
439
440         ret = ldb_request_add_control(search_req, LDB_CONTROL_SHOW_RECYCLED_OID,
441                                       true, NULL);
442         if (ret != LDB_SUCCESS) {
443                 return ret;
444         }
445
446         return ldb_next_request(module, search_req);
447 }
448
449 static const struct ldb_module_ops ldb_subtree_rename_module_ops = {
450         .name              = "subtree_rename",
451         .rename            = subtree_rename
452 };
453
454 int ldb_subtree_rename_module_init(const char *version)
455 {
456         LDB_MODULE_CHECK_VERSION(version);
457         return ldb_register_module(&ldb_subtree_rename_module_ops);
458 }