1 /*	$NetBSD: cloak.c,v 1.3 2021/08/14 16:14:51 christos Exp $	*/
2 
3 /* cloak.c - Overlay to hide some attribute except if explicitly requested */
4 /* $OpenLDAP$ */
5 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
6  *
7  * Copyright 2008-2021 The OpenLDAP Foundation.
8  * Portions Copyright 2008 Emmanuel Dreyfus
9  * All rights reserved.
10  *
11  * Redistribution and use in source and binary forms, with or without
12  * modification, are permitted only as authorized by the OpenLDAP
13  * Public License.
14  *
15  * A copy of this license is available in the file LICENSE in the
16  * top-level directory of the distribution or, alternatively, at
17  * <http://www.OpenLDAP.org/license.html>.
18  */
19 /* ACKNOWLEDGEMENTS:
20  * This work was originally developed by the Emmanuel Dreyfus for
21  * inclusion in OpenLDAP Software.
22  */
23 
24 #include <sys/cdefs.h>
25 __RCSID("$NetBSD: cloak.c,v 1.3 2021/08/14 16:14:51 christos Exp $");
26 
27 #include "portable.h"
28 
29 #ifdef SLAPD_OVER_CLOAK
30 
31 #include <stdio.h>
32 
33 #include "ac/string.h"
34 #include "ac/socket.h"
35 
36 #include "lutil.h"
37 #include "slap.h"
38 #include "slap-config.h"
39 
40 enum { CLOAK_ATTR = 1 };
41 
42 typedef struct cloak_info_t {
43 	ObjectClass 		*ci_oc;
44 	AttributeDescription	*ci_ad;
45 	struct cloak_info_t	*ci_next;
46 } cloak_info_t;
47 
48 #define CLOAK_USAGE "\"cloak-attr <attr> [<class>]\": "
49 
50 static int
cloak_cfgen(ConfigArgs * c)51 cloak_cfgen( ConfigArgs *c )
52 {
53 	slap_overinst	*on = (slap_overinst *)c->bi;
54 	cloak_info_t	*ci = (cloak_info_t *)on->on_bi.bi_private;
55 
56 	int		rc = 0, i;
57 
58 	if ( c->op == SLAP_CONFIG_EMIT ) {
59 		switch( c->type ) {
60 		case CLOAK_ATTR:
61 			for ( i = 0; ci; i++, ci = ci->ci_next ) {
62 				struct berval	bv;
63 				int len;
64 
65 				assert( ci->ci_ad != NULL );
66 
67 				if ( ci->ci_oc != NULL )
68 					len = snprintf( c->cr_msg,
69 					sizeof( c->cr_msg ),
70 					SLAP_X_ORDERED_FMT "%s %s", i,
71 					ci->ci_ad->ad_cname.bv_val,
72 					ci->ci_oc->soc_cname.bv_val );
73 				else
74 					len = snprintf( c->cr_msg,
75 					sizeof( c->cr_msg ),
76 					SLAP_X_ORDERED_FMT "%s", i,
77 					ci->ci_ad->ad_cname.bv_val );
78 
79 				bv.bv_val = c->cr_msg;
80 				bv.bv_len = len;
81 				value_add_one( &c->rvalue_vals, &bv );
82 			}
83 			break;
84 
85 		default:
86 			rc = 1;
87 			break;
88 		}
89 
90 		return rc;
91 
92 	} else if ( c->op == LDAP_MOD_DELETE ) {
93 		cloak_info_t	*ci_next;
94 
95 		switch( c->type ) {
96 		case CLOAK_ATTR:
97 			for ( ci_next = ci, i = 0;
98 			      ci_next, c->valx < 0 || i < c->valx;
99 			      ci = ci_next, i++ ){
100 
101 				ci_next = ci->ci_next;
102 
103 				ch_free ( ci->ci_ad );
104 				if ( ci->ci_oc != NULL )
105 					ch_free ( ci->ci_oc );
106 
107 				ch_free( ci );
108 			}
109 			ci = (cloak_info_t *)on->on_bi.bi_private;
110 			break;
111 
112 		default:
113 			rc = 1;
114 			break;
115 		}
116 
117 		return rc;
118 	}
119 
120 	switch( c->type ) {
121 	case CLOAK_ATTR: {
122 		ObjectClass		*oc = NULL;
123 		AttributeDescription	*ad = NULL;
124 		const char		*text;
125 		cloak_info_t 	       **cip = NULL;
126 		cloak_info_t 	        *ci_next = NULL;
127 
128 		if ( c->argc == 3 ) {
129 			oc = oc_find( c->argv[ 2 ] );
130 			if ( oc == NULL ) {
131 				snprintf( c->cr_msg,
132 					  sizeof( c->cr_msg ),
133 					  CLOAK_USAGE
134 					  "unable to find ObjectClass \"%s\"",
135 					  c->argv[ 2 ] );
136 				Debug( LDAP_DEBUG_ANY, "%s: %s.\n",
137 				       c->log, c->cr_msg );
138 				return 1;
139 			}
140 		}
141 
142 		rc = slap_str2ad( c->argv[ 1 ], &ad, &text );
143 		if ( rc != LDAP_SUCCESS ) {
144 			snprintf( c->cr_msg, sizeof( c->cr_msg ), CLOAK_USAGE
145 				"unable to find AttributeDescription \"%s\"",
146 				c->argv[ 1 ] );
147 			Debug( LDAP_DEBUG_ANY, "%s: %s.\n",
148 				c->log, c->cr_msg );
149 			return 1;
150 		}
151 
152 		for ( i = 0, cip = (cloak_info_t **)&on->on_bi.bi_private;
153 		      c->valx < 0 || i < c->valx, *cip;
154 		      i++, cip = &(*cip)->ci_next ) {
155 			if ( c->valx >= 0 && *cip == NULL ) {
156 				snprintf( c->cr_msg, sizeof( c->cr_msg ),
157 					CLOAK_USAGE
158 					"invalid index {%d}\n",
159 					c->valx );
160 				Debug( LDAP_DEBUG_ANY, "%s: %s.\n",
161 					c->log, c->cr_msg );
162 				return 1;
163 			}
164 			ci_next = *cip;
165 		}
166 
167 		*cip = (cloak_info_t *)SLAP_CALLOC( 1, sizeof( cloak_info_t ) );
168 		(*cip)->ci_oc = oc;
169 		(*cip)->ci_ad = ad;
170 		(*cip)->ci_next = ci_next;
171 
172 		rc = 0;
173 		break;
174 	}
175 
176 	default:
177 		rc = 1;
178 		break;
179 	}
180 
181 	return rc;
182 }
183 
184 static int
cloak_search_response_cb(Operation * op,SlapReply * rs)185 cloak_search_response_cb( Operation *op, SlapReply *rs )
186 {
187 	slap_callback   *sc;
188 	cloak_info_t	*ci;
189 	Entry		*e = NULL;
190 	Entry		*me = NULL;
191 
192 	assert( op && op->o_callback && rs );
193 
194 	if ( rs->sr_type != REP_SEARCH || !rs->sr_entry ) {
195 		return ( SLAP_CB_CONTINUE );
196 	}
197 
198 	sc = op->o_callback;
199 	e = rs->sr_entry;
200 
201 	/*
202 	 * First perform a quick scan for an attribute to cloak
203 	 */
204 	for ( ci = (cloak_info_t *)sc->sc_private; ci; ci = ci->ci_next ) {
205 		Attribute *a;
206 
207 		if ( ci->ci_oc != NULL &&
208 		     !is_entry_objectclass_or_sub( e, ci->ci_oc ) )
209 			continue;
210 
211 		for ( a = e->e_attrs; a; a = a->a_next )
212 			if ( a->a_desc == ci->ci_ad )
213 				break;
214 
215 		if ( a != NULL )
216 			break;
217 	}
218 
219 	/*
220 	 * Nothing found to cloak
221 	 */
222 	if ( ci == NULL )
223 		return ( SLAP_CB_CONTINUE );
224 
225 	/*
226 	 * We are now committed to cloak an attribute.
227 	 */
228 	rs_entry2modifiable( op, rs, (slap_overinst *) op->o_bd->bd_info );
229 	me = rs->sr_entry;
230 
231 	for ( ci = (cloak_info_t *)sc->sc_private; ci; ci = ci->ci_next ) {
232 		Attribute *a;
233 		Attribute *pa;
234 
235 		for ( pa = NULL, a = me->e_attrs;
236 		      a;
237 		      pa = a, a = a->a_next ) {
238 
239 			if ( a->a_desc != ci->ci_ad )
240 				continue;
241 
242 			Debug( LDAP_DEBUG_TRACE, "cloak_search_response_cb: cloak %s\n",
243 			       a->a_desc->ad_cname.bv_val );
244 
245 			if ( pa != NULL )
246 				pa->a_next = a->a_next;
247 			else
248 				me->e_attrs = a->a_next;
249 
250 			attr_clean( a );
251 		}
252 
253 	}
254 
255 	return ( SLAP_CB_CONTINUE );
256 }
257 
258 static int
cloak_search_cleanup_cb(Operation * op,SlapReply * rs)259 cloak_search_cleanup_cb( Operation *op, SlapReply *rs )
260 {
261 	if ( rs->sr_type == REP_RESULT || rs->sr_err != LDAP_SUCCESS ) {
262 		slap_freeself_cb( op, rs );
263 	}
264 
265 	return SLAP_CB_CONTINUE;
266 }
267 
268 static int
cloak_search(Operation * op,SlapReply * rs)269 cloak_search( Operation *op, SlapReply *rs )
270 {
271 	slap_overinst   *on = (slap_overinst *)op->o_bd->bd_info;
272 	cloak_info_t    *ci = (cloak_info_t *)on->on_bi.bi_private;
273 	slap_callback	*sc;
274 
275 	if ( op->ors_attrsonly ||
276 	     op->ors_attrs ||
277 	     get_manageDSAit( op ) )
278 		return SLAP_CB_CONTINUE;
279 
280 	sc = op->o_tmpcalloc( 1, sizeof( *sc ), op->o_tmpmemctx );
281 	sc->sc_response = cloak_search_response_cb;
282 	sc->sc_cleanup = cloak_search_cleanup_cb;
283 	sc->sc_next = op->o_callback;
284 	sc->sc_private = ci;
285 	op->o_callback = sc;
286 
287 	return SLAP_CB_CONTINUE;
288 }
289 
290 static slap_overinst cloak_ovl;
291 
292 static ConfigTable cloakcfg[] = {
293 	{ "cloak-attr", "attribute [class]",
294 		2, 3, 0, ARG_MAGIC|CLOAK_ATTR, cloak_cfgen,
295 		"( OLcfgCtAt:4.1 NAME 'olcCloakAttribute' "
296 			"DESC 'Cloaked attribute: attribute [class]' "
297 			"EQUALITY caseIgnoreMatch "
298 			"SYNTAX OMsDirectoryString "
299 			"X-ORDERED 'VALUES' )",
300 			NULL, NULL },
301 	{ NULL, NULL, 0, 0, 0, ARG_IGNORED }
302 };
303 
304 static int
cloak_db_destroy(BackendDB * be,ConfigReply * cr)305 cloak_db_destroy(
306 	BackendDB *be,
307 	ConfigReply *cr )
308 {
309 	slap_overinst *on = (slap_overinst *)be->bd_info;
310 	cloak_info_t	*ci = (cloak_info_t *)on->on_bi.bi_private;
311 
312 	for ( ; ci; ) {
313 		cloak_info_t *tmp = ci;
314 		ci = ci->ci_next;
315 		SLAP_FREE( tmp );
316 	}
317 
318 	on->on_bi.bi_private = NULL;
319 
320 	return 0;
321 }
322 
323 static ConfigOCs cloakocs[] = {
324 	{ "( OLcfgCtOc:4.1 "
325 	  "NAME 'olcCloakConfig' "
326 	  "DESC 'Attribute cloak configuration' "
327 	  "SUP olcOverlayConfig "
328 	  "MAY ( olcCloakAttribute ) )",
329 	  Cft_Overlay, cloakcfg },
330 	{ NULL, 0, NULL }
331 };
332 
333 #if SLAPD_OVER_CLOAK == SLAPD_MOD_DYNAMIC
334 static
335 #endif
336 int
cloak_initialize(void)337 cloak_initialize( void ) {
338 	int rc;
339 	cloak_ovl.on_bi.bi_type = "cloak";
340 	cloak_ovl.on_bi.bi_flags = SLAPO_BFLAG_SINGLE;
341 	cloak_ovl.on_bi.bi_db_destroy = cloak_db_destroy;
342 	cloak_ovl.on_bi.bi_op_search = cloak_search;
343         cloak_ovl.on_bi.bi_cf_ocs = cloakocs;
344 
345 	rc = config_register_schema ( cloakcfg, cloakocs );
346 	if ( rc )
347 		return rc;
348 
349 	return overlay_register( &cloak_ovl );
350 }
351 
352 #if SLAPD_OVER_CLOAK == SLAPD_MOD_DYNAMIC
init_module(int argc,char * argv[])353 int init_module(int argc, char *argv[]) {
354 	return cloak_initialize();
355 }
356 #endif
357 
358 #endif /* defined(SLAPD_OVER_CLOAK) */
359 
360