osaf/services/saf/immsv/immnd/ImmModel.cc | 67 ++++++++++++++++++++++-------- 1 files changed, 48 insertions(+), 19 deletions(-)
When the attribute 'longDnsAllowed' is changed form non-zero to zero, this implies that the imm is transitoning from allowing long DNs to not allowing long DNs. Such a configuration change must be validated that the imm-db currently has no long DNs. Only if such a check passes will the CCB modify operation assigning zero to 'longDnsAllowed' be allowed. The validation is done locally in the modify operation. This is sufficent because the IMM service itself is the "OI" for the object: opensafImm=opensafImm,safApp=safImmService The imm service will bar any other CCB from modifying that object untill a current ccb that is modifying it has either comitted or aborted. Prior to this patch, the only check done was that no object *exists* currently with a long DN. This patch adds a check also for reference attributes. Specifically the attributes checked are the ones that: a) Are defined on the type SA_IMM_ATTR_SANAMET. Because currently references are only recognized as references when they have this attribute type. b) Do not have the attribute flag SA_IMM_ATTR_NO_DANGLING set. Because if that flag is set the reference can only point to an existing object, thus covered by the pre-existing check. c) Do not have the attribute flag SA_IMM_ATTR_RDN set. Because the RDN attribute is simply a copy of the RDN part of the objects DN, thus coverd by the pre-existing check. diff --git a/osaf/services/saf/immsv/immnd/ImmModel.cc b/osaf/services/saf/immsv/immnd/ImmModel.cc --- a/osaf/services/saf/immsv/immnd/ImmModel.cc +++ b/osaf/services/saf/immsv/immnd/ImmModel.cc @@ -452,7 +452,7 @@ static const std::string saImmOiTimeout( static SaImmRepositoryInitModeT immInitMode = SA_IMM_INIT_FROM_FILE; -static SaUint32T ccbIdLongDnGuard = 0; /* Disallow long DN creates if longDnsAllowed is being changed in ccb*/ +static SaUint32T ccbIdLongDnGuard = 0; /* Disallow long DN additions if longDnsAllowed is being changed in ccb*/ static bool sIsLongDnLoaded = false; /* track long DNs before opensafImm=opensafImm,safApp=safImmService is created */ struct AttrFlagIncludes @@ -2470,11 +2470,11 @@ ImmModel::setLoader(int pid) } if (accessControlMode() == ACCESS_CONTROL_DISABLED) { - LOG_WA("IMM Access Control mode is DISABLED!"); + LOG_WA("IMM Access Control mode is DISABLED!"); } else if (accessControlMode() == ACCESS_CONTROL_PERMISSIVE) { - LOG_WA("IMM Access Control mode is PERMISSIVE"); - } else { - LOG_NO("IMM Access Control mode is ENFORCING"); + LOG_WA("IMM Access Control mode is PERMISSIVE"); + } else { + LOG_NO("IMM Access Control mode is ENFORCING"); } } else { @@ -3475,11 +3475,11 @@ ImmModel::accessControlMode() ImmAttrValueMap::iterator avi = immObject->mAttrValueMap.find(immAccessControlMode); if (avi == immObject->mAttrValueMap.end()) - return ACCESS_CONTROL_DISABLED; + return ACCESS_CONTROL_DISABLED; osafassert(!(avi->second->isMultiValued())); ImmAttrValue* valuep = avi->second; OsafImmAccessControlModeT accessControlMode = - static_cast<OsafImmAccessControlModeT>(valuep->getValue_int()); + static_cast<OsafImmAccessControlModeT>(valuep->getValue_int()); TRACE_LEAVE2("%u", accessControlMode); return accessControlMode; @@ -3498,8 +3498,9 @@ ImmModel::authorizedGroup() ObjectInfo* immObject = oi->second; ImmAttrValueMap::iterator avi = immObject->mAttrValueMap.find(immAuthorizedGroup); - if (avi == immObject->mAttrValueMap.end()) - return NULL; + if (avi == immObject->mAttrValueMap.end()) { + return NULL; + } osafassert(!(avi->second->isMultiValued())); ImmAttrValue* valuep = avi->second; const char *adminGroupName = valuep->getValueC_str(); @@ -3859,10 +3860,9 @@ ImmModel::notCompatibleAtt(const std::st } } - if(av->isMultiValued()) + if(av->isMultiValued()) { av = ((ImmAttrMultiValue *)av)->getNextAttrValue(); - else - break; + } else {break;} } } } @@ -7838,9 +7838,8 @@ ImmModel::ccbObjectModify(const ImmsvOmC (size_t) p->attrValue.attrName.size); std::string attrName((const char *) p->attrValue.attrName.buf, sz); bool modifiedRim = modifiedImmMngt && (attrName == saImmRepositoryInit); - bool modifiedOiTimeout = modifiedImmMngt && (attrName == saImmOiTimeout); - - if(modifiedOiTimeout) { + + if(modifiedImmMngt && (attrName == saImmOiTimeout)) { /* Currently the IMM does not support this attribute. */ TRACE_7("ERR_BAD_OPERATION: attr '%s' in IMM object %s is not supported", attrName.c_str(), objectName.c_str()); @@ -8300,18 +8299,48 @@ ImmModel::ccbObjectModify(const ImmsvOmC err = SA_AIS_ERR_BUSY; } else { if(!longDnsAllowedAfter) { - /* Check that NO LONG DNS EXIST! */ + TRACE("longDnsAllowed assigned 0 => Check that no long DNs exist in IMM-db"); ObjectMap::iterator omi = sObjectMap.begin(); while(omi != sObjectMap.end()) { - if(omi->first.length() > 255) { + if(omi->first.length() >= SA_MAX_UNEXTENDED_NAME_LENGTH) { LOG_WA("Setting attr %s to 0 in %s not allowed when long DN exists: '%s'", - immLongDnsAllowed.c_str(),immObjectDn.c_str(), omi->first.c_str()); + immLongDnsAllowed.c_str(), immObjectDn.c_str(), omi->first.c_str()); err = SA_AIS_ERR_BAD_OPERATION; goto bypass_impl; } + /* Check any attributes of type SaNameT that could be dangling, i.e. does NOT + have the SA_IMM_ATTR_NO_DANGLING flag set. Skip checking the RDN atribute + because it is covered by the DN check above. Implementation below is not the + most optimal as it iterates over the attribute definitions of the class for + each object. But THIS CASE, of turning OFF longDnsAllowed, must be extreemely + rare. The implication is that the turning ON of longDnsAllowed was a mistake. + */ + for(i4 = omi->second->mClassInfo->mAttrMap.begin(); + i4 != omi->second->mClassInfo->mAttrMap.end(); ++i4) { + if((i4->second->mValueType == SA_IMM_ATTR_SANAMET) && + !(i4->second->mFlags & SA_IMM_ATTR_RDN) && + !(i4->second->mFlags & SA_IMM_ATTR_NO_DANGLING)) + { + oavi = omi->second->mAttrValueMap.find(i4->first); + osafassert(oavi != omi->second->mAttrValueMap.end()); + ImmAttrValue *av = oavi->second; + do { + const char* dn = av->getValueC_str(); + if((dn && strlen(dn) >= SA_MAX_UNEXTENDED_NAME_LENGTH)) { + LOG_WA("Setting attr %s to 0 in %s not allowed when long DN exists " + "inside object: %s", immLongDnsAllowed.c_str(), + immObjectDn.c_str(), omi->first.c_str()); + err = SA_AIS_ERR_BAD_OPERATION; + goto bypass_impl; + } + av = (av->isMultiValued()) ? + ((ImmAttrMultiValue *)av)->getNextAttrValue() : NULL; + } while (av); + } + } ++omi; } - } + } /* End of LONG DN check */ ccbIdLongDnGuard = ccbId; } ------------------------------------------------------------------------------ Slashdot TV. Video for Nerds. Stuff that matters. http://tv.slashdot.org/ _______________________________________________ Opensaf-devel mailing list Opensaf-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/opensaf-devel