1 /* accesslog.c - log operations for audit/history purposes */
2 /* $OpenLDAP$ */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
4 *
5 * Copyright 2005-2021 The OpenLDAP Foundation.
6 * Portions copyright 2004-2005 Symas Corporation.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted only as authorized by the OpenLDAP
11 * Public License.
12 *
13 * A copy of this license is available in the file LICENSE in the
14 * top-level directory of the distribution or, alternatively, at
15 * <http://www.OpenLDAP.org/license.html>.
16 */
17 /* ACKNOWLEDGEMENTS:
18 * This work was initially developed by Howard Chu for inclusion in
19 * OpenLDAP Software.
20 */
21
22 #include "portable.h"
23
24 #ifdef SLAPD_OVER_ACCESSLOG
25
26 #include <stdio.h>
27
28 #include <ac/string.h>
29 #include <ac/ctype.h>
30
31 #include "slap.h"
32 #include "config.h"
33 #include "lutil.h"
34 #include "ldap_rq.h"
35
36 #define LOG_OP_ADD 0x001
37 #define LOG_OP_DELETE 0x002
38 #define LOG_OP_MODIFY 0x004
39 #define LOG_OP_MODRDN 0x008
40 #define LOG_OP_COMPARE 0x010
41 #define LOG_OP_SEARCH 0x020
42 #define LOG_OP_BIND 0x040
43 #define LOG_OP_UNBIND 0x080
44 #define LOG_OP_ABANDON 0x100
45 #define LOG_OP_EXTENDED 0x200
46 #define LOG_OP_UNKNOWN 0x400
47
48 #define LOG_OP_WRITES (LOG_OP_ADD|LOG_OP_DELETE|LOG_OP_MODIFY|LOG_OP_MODRDN)
49 #define LOG_OP_READS (LOG_OP_COMPARE|LOG_OP_SEARCH)
50 #define LOG_OP_SESSION (LOG_OP_BIND|LOG_OP_UNBIND|LOG_OP_ABANDON)
51 #define LOG_OP_ALL (LOG_OP_READS|LOG_OP_WRITES|LOG_OP_SESSION| \
52 LOG_OP_EXTENDED|LOG_OP_UNKNOWN)
53
54 typedef struct log_attr {
55 struct log_attr *next;
56 AttributeDescription *attr;
57 } log_attr;
58
59 typedef struct log_base {
60 struct log_base *lb_next;
61 slap_mask_t lb_ops;
62 struct berval lb_base;
63 struct berval lb_line;
64 } log_base;
65
66 typedef struct log_info {
67 BackendDB *li_db;
68 struct berval li_db_suffix;
69 slap_mask_t li_ops;
70 int li_age;
71 int li_cycle;
72 struct re_s *li_task;
73 Filter *li_oldf;
74 Entry *li_old;
75 log_attr *li_oldattrs;
76 struct berval li_uuid;
77 int li_success;
78 log_base *li_bases;
79 ldap_pvt_thread_rmutex_t li_op_rmutex;
80 ldap_pvt_thread_mutex_t li_log_mutex;
81 } log_info;
82
83 static ConfigDriver log_cf_gen;
84
85 enum {
86 LOG_DB = 1,
87 LOG_OPS,
88 LOG_PURGE,
89 LOG_SUCCESS,
90 LOG_OLD,
91 LOG_OLDATTR,
92 LOG_BASE
93 };
94
95 static ConfigTable log_cfats[] = {
96 { "logdb", "suffix", 2, 2, 0, ARG_DN|ARG_MAGIC|LOG_DB,
97 log_cf_gen, "( OLcfgOvAt:4.1 NAME 'olcAccessLogDB' "
98 "DESC 'Suffix of database for log content' "
99 "SUP distinguishedName SINGLE-VALUE )", NULL, NULL },
100 { "logops", "op|writes|reads|session|all", 2, 0, 0,
101 ARG_MAGIC|LOG_OPS,
102 log_cf_gen, "( OLcfgOvAt:4.2 NAME 'olcAccessLogOps' "
103 "DESC 'Operation types to log' "
104 "EQUALITY caseIgnoreMatch "
105 "SYNTAX OMsDirectoryString )", NULL, NULL },
106 { "logpurge", "age> <interval", 3, 3, 0, ARG_MAGIC|LOG_PURGE,
107 log_cf_gen, "( OLcfgOvAt:4.3 NAME 'olcAccessLogPurge' "
108 "DESC 'Log cleanup parameters' "
109 "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
110 { "logsuccess", NULL, 2, 2, 0, ARG_MAGIC|ARG_ON_OFF|LOG_SUCCESS,
111 log_cf_gen, "( OLcfgOvAt:4.4 NAME 'olcAccessLogSuccess' "
112 "DESC 'Log successful ops only' "
113 "SYNTAX OMsBoolean SINGLE-VALUE )", NULL, NULL },
114 { "logold", "filter", 2, 2, 0, ARG_MAGIC|LOG_OLD,
115 log_cf_gen, "( OLcfgOvAt:4.5 NAME 'olcAccessLogOld' "
116 "DESC 'Log old values when modifying entries matching the filter' "
117 "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
118 { "logoldattr", "attrs", 2, 0, 0, ARG_MAGIC|LOG_OLDATTR,
119 log_cf_gen, "( OLcfgOvAt:4.6 NAME 'olcAccessLogOldAttr' "
120 "DESC 'Log old values of these attributes even if unmodified' "
121 "EQUALITY caseIgnoreMatch "
122 "SYNTAX OMsDirectoryString )", NULL, NULL },
123 { "logbase", "op|writes|reads|session|all< <baseDN", 3, 3, 0,
124 ARG_MAGIC|LOG_BASE,
125 log_cf_gen, "( OLcfgOvAt:4.7 NAME 'olcAccessLogBase' "
126 "DESC 'Operation types to log under a specific branch' "
127 "EQUALITY caseIgnoreMatch "
128 "SYNTAX OMsDirectoryString )", NULL, NULL },
129 { NULL }
130 };
131
132 static ConfigOCs log_cfocs[] = {
133 { "( OLcfgOvOc:4.1 "
134 "NAME 'olcAccessLogConfig' "
135 "DESC 'Access log configuration' "
136 "SUP olcOverlayConfig "
137 "MUST olcAccessLogDB "
138 "MAY ( olcAccessLogOps $ olcAccessLogPurge $ olcAccessLogSuccess $ "
139 "olcAccessLogOld $ olcAccessLogOldAttr $ olcAccessLogBase ) )",
140 Cft_Overlay, log_cfats },
141 { NULL }
142 };
143
144 static slap_verbmasks logops[] = {
145 { BER_BVC("all"), LOG_OP_ALL },
146 { BER_BVC("writes"), LOG_OP_WRITES },
147 { BER_BVC("session"), LOG_OP_SESSION },
148 { BER_BVC("reads"), LOG_OP_READS },
149 { BER_BVC("add"), LOG_OP_ADD },
150 { BER_BVC("delete"), LOG_OP_DELETE },
151 { BER_BVC("modify"), LOG_OP_MODIFY },
152 { BER_BVC("modrdn"), LOG_OP_MODRDN },
153 { BER_BVC("compare"), LOG_OP_COMPARE },
154 { BER_BVC("search"), LOG_OP_SEARCH },
155 { BER_BVC("bind"), LOG_OP_BIND },
156 { BER_BVC("unbind"), LOG_OP_UNBIND },
157 { BER_BVC("abandon"), LOG_OP_ABANDON },
158 { BER_BVC("extended"), LOG_OP_EXTENDED },
159 { BER_BVC("unknown"), LOG_OP_UNKNOWN },
160 { BER_BVNULL, 0 }
161 };
162
163 /* Start with "add" in logops */
164 #define EN_OFFSET 4
165
166 enum {
167 LOG_EN_ADD = 0,
168 LOG_EN_DELETE,
169 LOG_EN_MODIFY,
170 LOG_EN_MODRDN,
171 LOG_EN_COMPARE,
172 LOG_EN_SEARCH,
173 LOG_EN_BIND,
174 LOG_EN_UNBIND,
175 LOG_EN_ABANDON,
176 LOG_EN_EXTENDED,
177 LOG_EN_UNKNOWN,
178 LOG_EN__COUNT
179 };
180
181 static ObjectClass *log_ocs[LOG_EN__COUNT], *log_container,
182 *log_oc_read, *log_oc_write;
183
184 #define LOG_SCHEMA_ROOT "1.3.6.1.4.1.4203.666.11.5"
185
186 #define LOG_SCHEMA_AT LOG_SCHEMA_ROOT ".1"
187 #define LOG_SCHEMA_OC LOG_SCHEMA_ROOT ".2"
188 #define LOG_SCHEMA_SYN LOG_SCHEMA_ROOT ".3"
189
190 static AttributeDescription *ad_reqDN, *ad_reqStart, *ad_reqEnd, *ad_reqType,
191 *ad_reqSession, *ad_reqResult, *ad_reqAuthzID, *ad_reqControls,
192 *ad_reqRespControls, *ad_reqMethod, *ad_reqAssertion, *ad_reqNewRDN,
193 *ad_reqNewSuperior, *ad_reqDeleteOldRDN, *ad_reqMod,
194 *ad_reqScope, *ad_reqFilter, *ad_reqAttr, *ad_reqEntries,
195 *ad_reqSizeLimit, *ad_reqTimeLimit, *ad_reqAttrsOnly, *ad_reqData,
196 *ad_reqId, *ad_reqMessage, *ad_reqVersion, *ad_reqDerefAliases,
197 *ad_reqReferral, *ad_reqOld, *ad_auditContext, *ad_reqEntryUUID;
198
199 static int
200 logSchemaControlValidate(
201 Syntax *syntax,
202 struct berval *val );
203
204 char *mrControl[] = {
205 "objectIdentifierFirstComponentMatch",
206 NULL
207 };
208
209 static struct {
210 char *oid;
211 slap_syntax_defs_rec syn;
212 char **mrs;
213 } lsyntaxes[] = {
214 { LOG_SCHEMA_SYN ".1" ,
215 { "( " LOG_SCHEMA_SYN ".1 DESC 'Control' )",
216 SLAP_SYNTAX_HIDE,
217 NULL,
218 logSchemaControlValidate,
219 NULL },
220 mrControl },
221 { NULL }
222 };
223
224 static struct {
225 char *at;
226 AttributeDescription **ad;
227 } lattrs[] = {
228 { "( " LOG_SCHEMA_AT ".1 NAME 'reqDN' "
229 "DESC 'Target DN of request' "
230 "EQUALITY distinguishedNameMatch "
231 "SYNTAX OMsDN "
232 "SINGLE-VALUE )", &ad_reqDN },
233 { "( " LOG_SCHEMA_AT ".2 NAME 'reqStart' "
234 "DESC 'Start time of request' "
235 "EQUALITY generalizedTimeMatch "
236 "ORDERING generalizedTimeOrderingMatch "
237 "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
238 "SINGLE-VALUE )", &ad_reqStart },
239 { "( " LOG_SCHEMA_AT ".3 NAME 'reqEnd' "
240 "DESC 'End time of request' "
241 "EQUALITY generalizedTimeMatch "
242 "ORDERING generalizedTimeOrderingMatch "
243 "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
244 "SINGLE-VALUE )", &ad_reqEnd },
245 { "( " LOG_SCHEMA_AT ".4 NAME 'reqType' "
246 "DESC 'Type of request' "
247 "EQUALITY caseIgnoreMatch "
248 "SYNTAX OMsDirectoryString "
249 "SINGLE-VALUE )", &ad_reqType },
250 { "( " LOG_SCHEMA_AT ".5 NAME 'reqSession' "
251 "DESC 'Session ID of request' "
252 "EQUALITY caseIgnoreMatch "
253 "SYNTAX OMsDirectoryString "
254 "SINGLE-VALUE )", &ad_reqSession },
255 { "( " LOG_SCHEMA_AT ".6 NAME 'reqAuthzID' "
256 "DESC 'Authorization ID of requestor' "
257 "EQUALITY distinguishedNameMatch "
258 "SYNTAX OMsDN "
259 "SINGLE-VALUE )", &ad_reqAuthzID },
260 { "( " LOG_SCHEMA_AT ".7 NAME 'reqResult' "
261 "DESC 'Result code of request' "
262 "EQUALITY integerMatch "
263 "ORDERING integerOrderingMatch "
264 "SYNTAX OMsInteger "
265 "SINGLE-VALUE )", &ad_reqResult },
266 { "( " LOG_SCHEMA_AT ".8 NAME 'reqMessage' "
267 "DESC 'Error text of request' "
268 "EQUALITY caseIgnoreMatch "
269 "SUBSTR caseIgnoreSubstringsMatch "
270 "SYNTAX OMsDirectoryString "
271 "SINGLE-VALUE )", &ad_reqMessage },
272 { "( " LOG_SCHEMA_AT ".9 NAME 'reqReferral' "
273 "DESC 'Referrals returned for request' "
274 "SUP labeledURI )", &ad_reqReferral },
275 { "( " LOG_SCHEMA_AT ".10 NAME 'reqControls' "
276 "DESC 'Request controls' "
277 "EQUALITY objectIdentifierFirstComponentMatch "
278 "SYNTAX " LOG_SCHEMA_SYN ".1 "
279 "X-ORDERED 'VALUES' )", &ad_reqControls },
280 { "( " LOG_SCHEMA_AT ".11 NAME 'reqRespControls' "
281 "DESC 'Response controls of request' "
282 "EQUALITY objectIdentifierFirstComponentMatch "
283 "SYNTAX " LOG_SCHEMA_SYN ".1 "
284 "X-ORDERED 'VALUES' )", &ad_reqRespControls },
285 { "( " LOG_SCHEMA_AT ".12 NAME 'reqId' "
286 "DESC 'ID of Request to Abandon' "
287 "EQUALITY integerMatch "
288 "ORDERING integerOrderingMatch "
289 "SYNTAX OMsInteger "
290 "SINGLE-VALUE )", &ad_reqId },
291 { "( " LOG_SCHEMA_AT ".13 NAME 'reqVersion' "
292 "DESC 'Protocol version of Bind request' "
293 "EQUALITY integerMatch "
294 "ORDERING integerOrderingMatch "
295 "SYNTAX OMsInteger "
296 "SINGLE-VALUE )", &ad_reqVersion },
297 { "( " LOG_SCHEMA_AT ".14 NAME 'reqMethod' "
298 "DESC 'Bind method of request' "
299 "EQUALITY caseIgnoreMatch "
300 "SYNTAX OMsDirectoryString "
301 "SINGLE-VALUE )", &ad_reqMethod },
302 { "( " LOG_SCHEMA_AT ".15 NAME 'reqAssertion' "
303 "DESC 'Compare Assertion of request' "
304 "SYNTAX OMsDirectoryString "
305 "SINGLE-VALUE )", &ad_reqAssertion },
306 { "( " LOG_SCHEMA_AT ".16 NAME 'reqMod' "
307 "DESC 'Modifications of request' "
308 "EQUALITY octetStringMatch "
309 "SUBSTR octetStringSubstringsMatch "
310 "SYNTAX OMsOctetString )", &ad_reqMod },
311 { "( " LOG_SCHEMA_AT ".17 NAME 'reqOld' "
312 "DESC 'Old values of entry before request completed' "
313 "EQUALITY octetStringMatch "
314 "SUBSTR octetStringSubstringsMatch "
315 "SYNTAX OMsOctetString )", &ad_reqOld },
316 { "( " LOG_SCHEMA_AT ".18 NAME 'reqNewRDN' "
317 "DESC 'New RDN of request' "
318 "EQUALITY distinguishedNameMatch "
319 "SYNTAX OMsDN "
320 "SINGLE-VALUE )", &ad_reqNewRDN },
321 { "( " LOG_SCHEMA_AT ".19 NAME 'reqDeleteOldRDN' "
322 "DESC 'Delete old RDN' "
323 "EQUALITY booleanMatch "
324 "SYNTAX OMsBoolean "
325 "SINGLE-VALUE )", &ad_reqDeleteOldRDN },
326 { "( " LOG_SCHEMA_AT ".20 NAME 'reqNewSuperior' "
327 "DESC 'New superior DN of request' "
328 "EQUALITY distinguishedNameMatch "
329 "SYNTAX OMsDN "
330 "SINGLE-VALUE )", &ad_reqNewSuperior },
331 { "( " LOG_SCHEMA_AT ".21 NAME 'reqScope' "
332 "DESC 'Scope of request' "
333 "EQUALITY caseIgnoreMatch "
334 "SYNTAX OMsDirectoryString "
335 "SINGLE-VALUE )", &ad_reqScope },
336 { "( " LOG_SCHEMA_AT ".22 NAME 'reqDerefAliases' "
337 "DESC 'Disposition of Aliases in request' "
338 "EQUALITY caseIgnoreMatch "
339 "SYNTAX OMsDirectoryString "
340 "SINGLE-VALUE )", &ad_reqDerefAliases },
341 { "( " LOG_SCHEMA_AT ".23 NAME 'reqAttrsOnly' "
342 "DESC 'Attributes and values of request' "
343 "EQUALITY booleanMatch "
344 "SYNTAX OMsBoolean "
345 "SINGLE-VALUE )", &ad_reqAttrsOnly },
346 { "( " LOG_SCHEMA_AT ".24 NAME 'reqFilter' "
347 "DESC 'Filter of request' "
348 "EQUALITY caseIgnoreMatch "
349 "SUBSTR caseIgnoreSubstringsMatch "
350 "SYNTAX OMsDirectoryString "
351 "SINGLE-VALUE )", &ad_reqFilter },
352 { "( " LOG_SCHEMA_AT ".25 NAME 'reqAttr' "
353 "DESC 'Attributes of request' "
354 "EQUALITY caseIgnoreMatch "
355 "SYNTAX OMsDirectoryString )", &ad_reqAttr },
356 { "( " LOG_SCHEMA_AT ".26 NAME 'reqSizeLimit' "
357 "DESC 'Size limit of request' "
358 "EQUALITY integerMatch "
359 "ORDERING integerOrderingMatch "
360 "SYNTAX OMsInteger "
361 "SINGLE-VALUE )", &ad_reqSizeLimit },
362 { "( " LOG_SCHEMA_AT ".27 NAME 'reqTimeLimit' "
363 "DESC 'Time limit of request' "
364 "EQUALITY integerMatch "
365 "ORDERING integerOrderingMatch "
366 "SYNTAX OMsInteger "
367 "SINGLE-VALUE )", &ad_reqTimeLimit },
368 { "( " LOG_SCHEMA_AT ".28 NAME 'reqEntries' "
369 "DESC 'Number of entries returned' "
370 "EQUALITY integerMatch "
371 "ORDERING integerOrderingMatch "
372 "SYNTAX OMsInteger "
373 "SINGLE-VALUE )", &ad_reqEntries },
374 { "( " LOG_SCHEMA_AT ".29 NAME 'reqData' "
375 "DESC 'Data of extended request' "
376 "EQUALITY octetStringMatch "
377 "SUBSTR octetStringSubstringsMatch "
378 "SYNTAX OMsOctetString "
379 "SINGLE-VALUE )", &ad_reqData },
380
381 /*
382 * from <draft-chu-ldap-logschema-01.txt>:
383 *
384
385 ( LOG_SCHEMA_AT .30 NAME 'auditContext'
386 DESC 'DN of auditContainer'
387 EQUALITY distinguishedNameMatch
388 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
389 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
390
391 * - removed EQUALITY matchingRule
392 * - changed directoryOperation in dSAOperation
393 */
394 { "( " LOG_SCHEMA_AT ".30 NAME 'auditContext' "
395 "DESC 'DN of auditContainer' "
396 "SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 "
397 "SINGLE-VALUE "
398 "NO-USER-MODIFICATION "
399 "USAGE dSAOperation )", &ad_auditContext },
400
401 /*
402 * ITS#6656
403 */
404 { "( " LOG_SCHEMA_AT ".31 NAME 'reqEntryUUID' "
405 "DESC 'UUID of entry' "
406 "EQUALITY UUIDMatch "
407 "ORDERING UUIDOrderingMatch "
408 "SYNTAX 1.3.6.1.1.16.1 "
409 "SINGLE-VALUE )", &ad_reqEntryUUID },
410 { NULL, NULL }
411 };
412
413 static struct {
414 char *ot;
415 ObjectClass **oc;
416 } locs[] = {
417 { "( " LOG_SCHEMA_OC ".0 NAME 'auditContainer' "
418 "DESC 'AuditLog container' "
419 "SUP top STRUCTURAL "
420 "MAY ( cn $ reqStart $ reqEnd ) )", &log_container },
421 { "( " LOG_SCHEMA_OC ".1 NAME 'auditObject' "
422 "DESC 'OpenLDAP request auditing' "
423 "SUP top STRUCTURAL "
424 "MUST ( reqStart $ reqType $ reqSession ) "
425 "MAY ( reqDN $ reqAuthzID $ reqControls $ reqRespControls $ reqEnd $ "
426 "reqResult $ reqMessage $ reqReferral $ reqEntryUUID ) )",
427 &log_ocs[LOG_EN_UNBIND] },
428 { "( " LOG_SCHEMA_OC ".2 NAME 'auditReadObject' "
429 "DESC 'OpenLDAP read request record' "
430 "SUP auditObject STRUCTURAL )", &log_oc_read },
431 { "( " LOG_SCHEMA_OC ".3 NAME 'auditWriteObject' "
432 "DESC 'OpenLDAP write request record' "
433 "SUP auditObject STRUCTURAL )", &log_oc_write },
434 { "( " LOG_SCHEMA_OC ".4 NAME 'auditAbandon' "
435 "DESC 'Abandon operation' "
436 "SUP auditObject STRUCTURAL "
437 "MUST reqId )", &log_ocs[LOG_EN_ABANDON] },
438 { "( " LOG_SCHEMA_OC ".5 NAME 'auditAdd' "
439 "DESC 'Add operation' "
440 "SUP auditWriteObject STRUCTURAL "
441 "MUST reqMod )", &log_ocs[LOG_EN_ADD] },
442 { "( " LOG_SCHEMA_OC ".6 NAME 'auditBind' "
443 "DESC 'Bind operation' "
444 "SUP auditObject STRUCTURAL "
445 "MUST ( reqVersion $ reqMethod ) )", &log_ocs[LOG_EN_BIND] },
446 { "( " LOG_SCHEMA_OC ".7 NAME 'auditCompare' "
447 "DESC 'Compare operation' "
448 "SUP auditReadObject STRUCTURAL "
449 "MUST reqAssertion )", &log_ocs[LOG_EN_COMPARE] },
450 { "( " LOG_SCHEMA_OC ".8 NAME 'auditDelete' "
451 "DESC 'Delete operation' "
452 "SUP auditWriteObject STRUCTURAL "
453 "MAY reqOld )", &log_ocs[LOG_EN_DELETE] },
454 { "( " LOG_SCHEMA_OC ".9 NAME 'auditModify' "
455 "DESC 'Modify operation' "
456 "SUP auditWriteObject STRUCTURAL "
457 "MAY reqOld MUST reqMod )", &log_ocs[LOG_EN_MODIFY] },
458 { "( " LOG_SCHEMA_OC ".10 NAME 'auditModRDN' "
459 "DESC 'ModRDN operation' "
460 "SUP auditWriteObject STRUCTURAL "
461 "MUST ( reqNewRDN $ reqDeleteOldRDN ) "
462 "MAY ( reqNewSuperior $ reqMod $ reqOld ) )", &log_ocs[LOG_EN_MODRDN] },
463 { "( " LOG_SCHEMA_OC ".11 NAME 'auditSearch' "
464 "DESC 'Search operation' "
465 "SUP auditReadObject STRUCTURAL "
466 "MUST ( reqScope $ reqDerefAliases $ reqAttrsonly ) "
467 "MAY ( reqFilter $ reqAttr $ reqEntries $ reqSizeLimit $ "
468 "reqTimeLimit ) )", &log_ocs[LOG_EN_SEARCH] },
469 { "( " LOG_SCHEMA_OC ".12 NAME 'auditExtended' "
470 "DESC 'Extended operation' "
471 "SUP auditObject STRUCTURAL "
472 "MAY reqData )", &log_ocs[LOG_EN_EXTENDED] },
473 { NULL, NULL }
474 };
475
476 #define RDNEQ "reqStart="
477
478 /* Our time intervals are of the form [ddd+]hh:mm[:ss]
479 * If a field is present, it must be two digits. (Except for
480 * days, which can be arbitrary width.)
481 */
482 static int
log_age_parse(char * agestr)483 log_age_parse(char *agestr)
484 {
485 int t1, t2;
486 int gotdays = 0;
487 char *endptr;
488
489 t1 = strtol( agestr, &endptr, 10 );
490 /* Is there a days delimiter? */
491 if ( *endptr == '+' ) {
492 /* 32 bit time only covers about 68 years */
493 if ( t1 < 0 || t1 > 25000 )
494 return -1;
495 t1 *= 24;
496 gotdays = 1;
497 agestr = endptr + 1;
498 } else {
499 if ( agestr[2] != ':' ) {
500 /* No valid delimiter found, fail */
501 return -1;
502 }
503 t1 *= 60;
504 agestr += 3;
505 }
506
507 t2 = atoi( agestr );
508 t1 += t2;
509
510 if ( agestr[2] ) {
511 /* if there's a delimiter, it can only be a colon */
512 if ( agestr[2] != ':' )
513 return -1;
514 } else {
515 /* If we're at the end of the string, and we started with days,
516 * fail because we expected to find minutes too.
517 */
518 return gotdays ? -1 : t1 * 60;
519 }
520
521 agestr += 3;
522 t2 = atoi( agestr );
523
524 /* last field can only be seconds */
525 if ( agestr[2] && ( agestr[2] != ':' || !gotdays ))
526 return -1;
527 t1 *= 60;
528 t1 += t2;
529
530 if ( agestr[2] ) {
531 agestr += 3;
532 if ( agestr[2] )
533 return -1;
534 t1 *= 60;
535 t1 += atoi( agestr );
536 } else if ( gotdays ) {
537 /* only got days+hh:mm */
538 t1 *= 60;
539 }
540 return t1;
541 }
542
543 static void
log_age_unparse(int age,struct berval * agebv,size_t size)544 log_age_unparse( int age, struct berval *agebv, size_t size )
545 {
546 int dd, hh, mm, ss, len;
547 char *ptr;
548
549 assert( size > 0 );
550
551 ss = age % 60;
552 age /= 60;
553 mm = age % 60;
554 age /= 60;
555 hh = age % 24;
556 age /= 24;
557 dd = age;
558
559 ptr = agebv->bv_val;
560
561 if ( dd ) {
562 len = snprintf( ptr, size, "%d+", dd );
563 assert( len >= 0 && (unsigned) len < size );
564 size -= len;
565 ptr += len;
566 }
567 len = snprintf( ptr, size, "%02d:%02d", hh, mm );
568 assert( len >= 0 && (unsigned) len < size );
569 size -= len;
570 ptr += len;
571 if ( ss ) {
572 len = snprintf( ptr, size, ":%02d", ss );
573 assert( len >= 0 && (unsigned) len < size );
574 size -= len;
575 ptr += len;
576 }
577
578 agebv->bv_len = ptr - agebv->bv_val;
579 }
580
581 static slap_callback nullsc;
582
583 #define PURGE_INCREMENT 100
584
585 typedef struct purge_data {
586 int slots;
587 int used;
588 BerVarray dn;
589 BerVarray ndn;
590 struct berval csn; /* an arbitrary old CSN */
591 } purge_data;
592
593 static int
log_old_lookup(Operation * op,SlapReply * rs)594 log_old_lookup( Operation *op, SlapReply *rs )
595 {
596 purge_data *pd = op->o_callback->sc_private;
597 Attribute *a;
598
599 if ( rs->sr_type != REP_SEARCH) return 0;
600
601 if ( slapd_shutdown ) return 0;
602
603 /* Remember max CSN: should always be the last entry
604 * seen, since log entries are ordered chronologically...
605 */
606 a = attr_find( rs->sr_entry->e_attrs,
607 slap_schema.si_ad_entryCSN );
608 if ( a ) {
609 ber_len_t len = a->a_nvals[0].bv_len;
610 /* Paranoid len check, normalized CSNs are always the same length */
611 if ( len > LDAP_PVT_CSNSTR_BUFSIZE )
612 len = LDAP_PVT_CSNSTR_BUFSIZE;
613 if ( memcmp( a->a_nvals[0].bv_val, pd->csn.bv_val, len ) > 0 ) {
614 AC_MEMCPY( pd->csn.bv_val, a->a_nvals[0].bv_val, len );
615 pd->csn.bv_len = len;
616 }
617 }
618 if ( pd->used >= pd->slots ) {
619 pd->slots += PURGE_INCREMENT;
620 pd->dn = ch_realloc( pd->dn, pd->slots * sizeof( struct berval ));
621 pd->ndn = ch_realloc( pd->ndn, pd->slots * sizeof( struct berval ));
622 }
623 ber_dupbv( &pd->dn[pd->used], &rs->sr_entry->e_name );
624 ber_dupbv( &pd->ndn[pd->used], &rs->sr_entry->e_nname );
625 pd->used++;
626 return 0;
627 }
628
629 /* Periodically search for old entries in the log database and delete them */
630 static void *
accesslog_purge(void * ctx,void * arg)631 accesslog_purge( void *ctx, void *arg )
632 {
633 struct re_s *rtask = arg;
634 struct log_info *li = rtask->arg;
635
636 Connection conn = {0};
637 OperationBuffer opbuf;
638 Operation *op;
639 SlapReply rs = {REP_RESULT};
640 slap_callback cb = { NULL, log_old_lookup, NULL, NULL, NULL };
641 Filter f;
642 AttributeAssertion ava = ATTRIBUTEASSERTION_INIT;
643 purge_data pd = {0};
644 char timebuf[LDAP_LUTIL_GENTIME_BUFSIZE];
645 char csnbuf[LDAP_PVT_CSNSTR_BUFSIZE];
646 time_t old = slap_get_time();
647
648 connection_fake_init( &conn, &opbuf, ctx );
649 op = &opbuf.ob_op;
650
651 f.f_choice = LDAP_FILTER_LE;
652 f.f_ava = &ava;
653 f.f_next = NULL;
654
655 ava.aa_desc = ad_reqStart;
656 ava.aa_value.bv_val = timebuf;
657 ava.aa_value.bv_len = sizeof(timebuf);
658
659 old -= li->li_age;
660 slap_timestamp( &old, &ava.aa_value );
661
662 op->o_tag = LDAP_REQ_SEARCH;
663 op->o_bd = li->li_db;
664 op->o_dn = li->li_db->be_rootdn;
665 op->o_ndn = li->li_db->be_rootndn;
666 op->o_req_dn = li->li_db->be_suffix[0];
667 op->o_req_ndn = li->li_db->be_nsuffix[0];
668 op->o_callback = &cb;
669 op->ors_scope = LDAP_SCOPE_ONELEVEL;
670 op->ors_deref = LDAP_DEREF_NEVER;
671 op->ors_tlimit = SLAP_NO_LIMIT;
672 op->ors_slimit = SLAP_NO_LIMIT;
673 op->ors_filter = &f;
674 filter2bv_x( op, &f, &op->ors_filterstr );
675 op->ors_attrs = slap_anlist_no_attrs;
676 op->ors_attrsonly = 1;
677
678 pd.csn.bv_len = sizeof( csnbuf );
679 pd.csn.bv_val = csnbuf;
680 csnbuf[0] = '\0';
681 cb.sc_private = &pd;
682
683 op->o_bd->be_search( op, &rs );
684 op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx );
685
686 if ( pd.used ) {
687 int i;
688
689 /* delete the expired entries */
690 op->o_tag = LDAP_REQ_DELETE;
691 op->o_callback = &nullsc;
692 op->o_csn = pd.csn;
693 op->o_dont_replicate = 1;
694 op->o_csn = slap_empty_bv;
695
696 for (i=0; i<pd.used; i++) {
697 op->o_req_dn = pd.dn[i];
698 op->o_req_ndn = pd.ndn[i];
699 if ( !slapd_shutdown ) {
700 rs_reinit( &rs, REP_RESULT );
701 op->o_bd->be_delete( op, &rs );
702 }
703 ch_free( pd.ndn[i].bv_val );
704 ch_free( pd.dn[i].bv_val );
705 ldap_pvt_thread_pool_pausecheck( &connection_pool );
706 }
707 ch_free( pd.ndn );
708 ch_free( pd.dn );
709
710 {
711 Modifications mod;
712 struct berval bv[2];
713 rs_reinit( &rs, REP_RESULT );
714 /* update context's entryCSN to reflect oldest CSN */
715 mod.sml_numvals = 1;
716 mod.sml_values = bv;
717 bv[0] = pd.csn;
718 BER_BVZERO(&bv[1]);
719 mod.sml_nvalues = NULL;
720 mod.sml_desc = slap_schema.si_ad_entryCSN;
721 mod.sml_op = LDAP_MOD_REPLACE;
722 mod.sml_flags = SLAP_MOD_INTERNAL;
723 mod.sml_next = NULL;
724
725 op->o_tag = LDAP_REQ_MODIFY;
726 op->orm_modlist = &mod;
727 op->orm_no_opattrs = 1;
728 op->o_req_dn = li->li_db->be_suffix[0];
729 op->o_req_ndn = li->li_db->be_nsuffix[0];
730 op->o_no_schema_check = 1;
731 op->o_managedsait = SLAP_CONTROL_NONCRITICAL;
732 op->o_bd->be_modify( op, &rs );
733 if ( mod.sml_next ) {
734 slap_mods_free( mod.sml_next, 1 );
735 }
736 }
737 }
738
739 ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
740 ldap_pvt_runqueue_stoptask( &slapd_rq, rtask );
741 ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
742
743 return NULL;
744 }
745
746 static int
log_cf_gen(ConfigArgs * c)747 log_cf_gen(ConfigArgs *c)
748 {
749 slap_overinst *on = (slap_overinst *)c->bi;
750 struct log_info *li = on->on_bi.bi_private;
751 int rc = 0;
752 slap_mask_t tmask = 0;
753 char agebuf[2*STRLENOF("ddddd+hh:mm:ss ")];
754 struct berval agebv, cyclebv;
755
756 switch( c->op ) {
757 case SLAP_CONFIG_EMIT:
758 switch( c->type ) {
759 case LOG_DB:
760 if ( !BER_BVISEMPTY( &li->li_db_suffix )) {
761 value_add_one( &c->rvalue_vals, &li->li_db_suffix );
762 value_add_one( &c->rvalue_nvals, &li->li_db_suffix );
763 } else if ( li->li_db ) {
764 value_add_one( &c->rvalue_vals, li->li_db->be_suffix );
765 value_add_one( &c->rvalue_nvals, li->li_db->be_nsuffix );
766 } else {
767 snprintf( c->cr_msg, sizeof( c->cr_msg ),
768 "accesslog: \"logdb <suffix>\" must be specified" );
769 Debug( LDAP_DEBUG_ANY, "%s: %s \"%s\"\n",
770 c->log, c->cr_msg, c->value_dn.bv_val );
771 rc = 1;
772 break;
773 }
774 break;
775 case LOG_OPS:
776 rc = mask_to_verbs( logops, li->li_ops, &c->rvalue_vals );
777 break;
778 case LOG_PURGE:
779 if ( !li->li_age ) {
780 rc = 1;
781 break;
782 }
783 agebv.bv_val = agebuf;
784 log_age_unparse( li->li_age, &agebv, sizeof( agebuf ) );
785 agebv.bv_val[agebv.bv_len] = ' ';
786 agebv.bv_len++;
787 cyclebv.bv_val = agebv.bv_val + agebv.bv_len;
788 log_age_unparse( li->li_cycle, &cyclebv, sizeof( agebuf ) - agebv.bv_len );
789 agebv.bv_len += cyclebv.bv_len;
790 value_add_one( &c->rvalue_vals, &agebv );
791 break;
792 case LOG_SUCCESS:
793 if ( li->li_success )
794 c->value_int = li->li_success;
795 else
796 rc = 1;
797 break;
798 case LOG_OLD:
799 if ( li->li_oldf ) {
800 filter2bv( li->li_oldf, &agebv );
801 ber_bvarray_add( &c->rvalue_vals, &agebv );
802 }
803 else
804 rc = 1;
805 break;
806 case LOG_OLDATTR:
807 if ( li->li_oldattrs ) {
808 log_attr *la;
809
810 for ( la = li->li_oldattrs; la; la=la->next )
811 value_add_one( &c->rvalue_vals, &la->attr->ad_cname );
812 }
813 else
814 rc = 1;
815 break;
816 case LOG_BASE:
817 if ( li->li_bases ) {
818 log_base *lb;
819
820 for ( lb = li->li_bases; lb; lb=lb->lb_next )
821 value_add_one( &c->rvalue_vals, &lb->lb_line );
822 }
823 else
824 rc = 1;
825 break;
826 }
827 break;
828 case LDAP_MOD_DELETE:
829 switch( c->type ) {
830 case LOG_DB:
831 /* noop. this should always be a valid backend. */
832 break;
833 case LOG_OPS:
834 if ( c->valx < 0 ) {
835 li->li_ops = 0;
836 } else {
837 rc = verbs_to_mask( 1, &c->line, logops, &tmask );
838 if ( rc == 0 )
839 li->li_ops &= ~tmask;
840 }
841 break;
842 case LOG_PURGE:
843 if ( li->li_task ) {
844 struct re_s *re = li->li_task;
845 li->li_task = NULL;
846 ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
847 if ( ldap_pvt_runqueue_isrunning( &slapd_rq, re ))
848 ldap_pvt_runqueue_stoptask( &slapd_rq, re );
849 ldap_pvt_runqueue_remove( &slapd_rq, re );
850 ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
851 }
852 li->li_age = 0;
853 li->li_cycle = 0;
854 break;
855 case LOG_SUCCESS:
856 li->li_success = 0;
857 break;
858 case LOG_OLD:
859 if ( li->li_oldf ) {
860 filter_free( li->li_oldf );
861 li->li_oldf = NULL;
862 }
863 break;
864 case LOG_OLDATTR:
865 if ( c->valx < 0 ) {
866 log_attr *la, *ln;
867
868 for ( la = li->li_oldattrs; la; la = ln ) {
869 ln = la->next;
870 ch_free( la );
871 }
872 } else {
873 log_attr *la = NULL, **lp;
874 int i;
875
876 for ( lp = &li->li_oldattrs, i=0; i < c->valx; i++ ) {
877 la = *lp;
878 lp = &la->next;
879 }
880 *lp = la->next;
881 ch_free( la );
882 }
883 break;
884 case LOG_BASE:
885 if ( c->valx < 0 ) {
886 log_base *lb, *ln;
887
888 for ( lb = li->li_bases; lb; lb = ln ) {
889 ln = lb->lb_next;
890 ch_free( lb );
891 }
892 } else {
893 log_base *lb = NULL, **lp;
894 int i;
895
896 for ( lp = &li->li_bases, i=0; i < c->valx; i++ ) {
897 lb = *lp;
898 lp = &lb->lb_next;
899 }
900 *lp = lb->lb_next;
901 ch_free( lb );
902 }
903 break;
904 }
905 break;
906 default:
907 switch( c->type ) {
908 case LOG_DB:
909 if ( CONFIG_ONLINE_ADD( c )) {
910 li->li_db = select_backend( &c->value_ndn, 0 );
911 if ( !li->li_db ) {
912 snprintf( c->cr_msg, sizeof( c->cr_msg ),
913 "<%s> no matching backend found for suffix",
914 c->argv[0] );
915 Debug( LDAP_DEBUG_ANY, "%s: %s \"%s\"\n",
916 c->log, c->cr_msg, c->value_dn.bv_val );
917 rc = 1;
918 }
919 ch_free( c->value_ndn.bv_val );
920 } else {
921 li->li_db_suffix = c->value_ndn;
922 }
923 ch_free( c->value_dn.bv_val );
924 break;
925 case LOG_OPS:
926 rc = verbs_to_mask( c->argc, c->argv, logops, &tmask );
927 if ( rc == 0 )
928 li->li_ops |= tmask;
929 break;
930 case LOG_PURGE:
931 li->li_age = log_age_parse( c->argv[1] );
932 if ( li->li_age < 1 ) {
933 rc = 1;
934 } else {
935 li->li_cycle = log_age_parse( c->argv[2] );
936 if ( li->li_cycle < 1 ) {
937 rc = 1;
938 } else if ( slapMode & SLAP_SERVER_MODE ) {
939 struct re_s *re = li->li_task;
940 if ( re )
941 re->interval.tv_sec = li->li_cycle;
942 else {
943 ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
944 li->li_task = ldap_pvt_runqueue_insert( &slapd_rq,
945 li->li_cycle, accesslog_purge, li,
946 "accesslog_purge", li->li_db ?
947 li->li_db->be_suffix[0].bv_val :
948 c->be->be_suffix[0].bv_val );
949 ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
950 }
951 }
952 }
953 break;
954 case LOG_SUCCESS:
955 li->li_success = c->value_int;
956 break;
957 case LOG_OLD:
958 li->li_oldf = str2filter( c->argv[1] );
959 if ( !li->li_oldf ) {
960 snprintf( c->cr_msg, sizeof( c->cr_msg ), "bad filter!" );
961 rc = 1;
962 }
963 break;
964 case LOG_OLDATTR: {
965 int i;
966 AttributeDescription *ad;
967 const char *text;
968
969 for ( i=1; i< c->argc; i++ ) {
970 ad = NULL;
971 if ( slap_str2ad( c->argv[i], &ad, &text ) == LDAP_SUCCESS ) {
972 log_attr *la = ch_malloc( sizeof( log_attr ));
973 la->attr = ad;
974 la->next = li->li_oldattrs;
975 li->li_oldattrs = la;
976 } else {
977 snprintf( c->cr_msg, sizeof( c->cr_msg ), "%s <%s>: %s",
978 c->argv[0], c->argv[i], text );
979 Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
980 "%s: %s\n", c->log, c->cr_msg, 0 );
981 rc = ARG_BAD_CONF;
982 break;
983 }
984 }
985 }
986 break;
987 case LOG_BASE: {
988 slap_mask_t m = 0;
989 rc = verbstring_to_mask( logops, c->argv[1], '|', &m );
990 if ( rc == 0 ) {
991 struct berval dn, ndn;
992 ber_str2bv( c->argv[2], 0, 0, &dn );
993 rc = dnNormalize( 0, NULL, NULL, &dn, &ndn, NULL );
994 if ( rc == 0 ) {
995 log_base *lb;
996 struct berval mbv;
997 char *ptr;
998 mask_to_verbstring( logops, m, '|', &mbv );
999 lb = ch_malloc( sizeof( log_base ) + mbv.bv_len + ndn.bv_len + 3 + 1 );
1000 lb->lb_line.bv_val = (char *)(lb + 1);
1001 lb->lb_line.bv_len = mbv.bv_len + ndn.bv_len + 3;
1002 ptr = lutil_strcopy( lb->lb_line.bv_val, mbv.bv_val );
1003 *ptr++ = ' ';
1004 *ptr++ = '"';
1005 lb->lb_base.bv_val = ptr;
1006 lb->lb_base.bv_len = ndn.bv_len;
1007 ptr = lutil_strcopy( ptr, ndn.bv_val );
1008 *ptr++ = '"';
1009 lb->lb_ops = m;
1010 lb->lb_next = li->li_bases;
1011 li->li_bases = lb;
1012 } else {
1013 snprintf( c->cr_msg, sizeof( c->cr_msg ), "%s invalid DN: %s",
1014 c->argv[0], c->argv[2] );
1015 Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
1016 "%s: %s\n", c->log, c->cr_msg, 0 );
1017 rc = ARG_BAD_CONF;
1018 }
1019 } else {
1020 snprintf( c->cr_msg, sizeof( c->cr_msg ), "%s invalid ops: %s",
1021 c->argv[0], c->argv[1] );
1022 Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
1023 "%s: %s\n", c->log, c->cr_msg, 0 );
1024 rc = ARG_BAD_CONF;
1025 }
1026 }
1027 break;
1028 }
1029 break;
1030 }
1031 return rc;
1032 }
1033
1034 static int
logSchemaControlValidate(Syntax * syntax,struct berval * valp)1035 logSchemaControlValidate(
1036 Syntax *syntax,
1037 struct berval *valp )
1038 {
1039 struct berval val, bv;
1040 ber_len_t i;
1041 int rc = LDAP_SUCCESS;
1042
1043 assert( valp != NULL );
1044
1045 val = *valp;
1046
1047 /* check minimal size */
1048 if ( val.bv_len < STRLENOF( "{*}" ) ) {
1049 return LDAP_INVALID_SYNTAX;
1050 }
1051
1052 val.bv_len--;
1053
1054 /* check SEQUENCE boundaries */
1055 if ( val.bv_val[ 0 ] != '{' /*}*/ ||
1056 val.bv_val[ val.bv_len ] != /*{*/ '}' )
1057 {
1058 return LDAP_INVALID_SYNTAX;
1059 }
1060
1061 /* extract and check OID */
1062 for ( i = 1; i < val.bv_len; i++ ) {
1063 if ( !ASCII_SPACE( val.bv_val[ i ] ) ) {
1064 break;
1065 }
1066 }
1067
1068 bv.bv_val = &val.bv_val[ i ];
1069
1070 for ( i++; i < val.bv_len; i++ ) {
1071 if ( ASCII_SPACE( val.bv_val[ i ] ) )
1072 {
1073 break;
1074 }
1075 }
1076
1077 bv.bv_len = &val.bv_val[ i ] - bv.bv_val;
1078
1079 rc = numericoidValidate( NULL, &bv );
1080 if ( rc != LDAP_SUCCESS ) {
1081 return rc;
1082 }
1083
1084 if ( i == val.bv_len ) {
1085 return LDAP_SUCCESS;
1086 }
1087
1088 if ( val.bv_val[ i ] != ' ' ) {
1089 return LDAP_INVALID_SYNTAX;
1090 }
1091
1092 for ( i++; i < val.bv_len; i++ ) {
1093 if ( !ASCII_SPACE( val.bv_val[ i ] ) ) {
1094 break;
1095 }
1096 }
1097
1098 if ( i == val.bv_len ) {
1099 return LDAP_SUCCESS;
1100 }
1101
1102 /* extract and check criticality */
1103 if ( strncasecmp( &val.bv_val[ i ], "criticality ", STRLENOF( "criticality " ) ) == 0 )
1104 {
1105 i += STRLENOF( "criticality " );
1106 for ( ; i < val.bv_len; i++ ) {
1107 if ( !ASCII_SPACE( val.bv_val[ i ] ) ) {
1108 break;
1109 }
1110 }
1111
1112 if ( i == val.bv_len ) {
1113 return LDAP_INVALID_SYNTAX;
1114 }
1115
1116 bv.bv_val = &val.bv_val[ i ];
1117
1118 for ( ; i < val.bv_len; i++ ) {
1119 if ( ASCII_SPACE( val.bv_val[ i ] ) ) {
1120 break;
1121 }
1122 }
1123
1124 bv.bv_len = &val.bv_val[ i ] - bv.bv_val;
1125
1126 if ( !bvmatch( &bv, &slap_true_bv ) && !bvmatch( &bv, &slap_false_bv ) )
1127 {
1128 return LDAP_INVALID_SYNTAX;
1129 }
1130
1131 if ( i == val.bv_len ) {
1132 return LDAP_SUCCESS;
1133 }
1134
1135 if ( val.bv_val[ i ] != ' ' ) {
1136 return LDAP_INVALID_SYNTAX;
1137 }
1138
1139 for ( i++; i < val.bv_len; i++ ) {
1140 if ( !ASCII_SPACE( val.bv_val[ i ] ) ) {
1141 break;
1142 }
1143 }
1144
1145 if ( i == val.bv_len ) {
1146 return LDAP_SUCCESS;
1147 }
1148 }
1149
1150 /* extract and check controlValue */
1151 if ( strncasecmp( &val.bv_val[ i ], "controlValue ", STRLENOF( "controlValue " ) ) == 0 )
1152 {
1153 ber_len_t valueStart, valueLen;
1154
1155 i += STRLENOF( "controlValue " );
1156 for ( ; i < val.bv_len; i++ ) {
1157 if ( !ASCII_SPACE( val.bv_val[ i ] ) ) {
1158 break;
1159 }
1160 }
1161
1162 if ( i == val.bv_len ) {
1163 return LDAP_INVALID_SYNTAX;
1164 }
1165
1166 if ( val.bv_val[ i ] != '"' ) {
1167 return LDAP_INVALID_SYNTAX;
1168 }
1169
1170 i++;
1171 valueStart = i;
1172
1173 for ( ; i < val.bv_len; i++ ) {
1174 if ( val.bv_val[ i ] == '"' ) {
1175 break;
1176 }
1177
1178 if ( !ASCII_HEX( val.bv_val[ i ] ) ) {
1179 return LDAP_INVALID_SYNTAX;
1180 }
1181 }
1182
1183 if ( val.bv_val[ i ] != '"' ) {
1184 return LDAP_INVALID_SYNTAX;
1185 }
1186
1187 valueLen = i - valueStart;
1188 if ( (valueLen/2)*2 != valueLen ) {
1189 return LDAP_INVALID_SYNTAX;
1190 }
1191
1192 for ( i++; i < val.bv_len; i++ ) {
1193 if ( !ASCII_SPACE( val.bv_val[ i ] ) ) {
1194 break;
1195 }
1196 }
1197
1198 if ( i == val.bv_len ) {
1199 return LDAP_SUCCESS;
1200 }
1201 }
1202
1203 return LDAP_INVALID_SYNTAX;
1204 }
1205
1206 static int
accesslog_ctrls(LDAPControl ** ctrls,BerVarray * valsp,BerVarray * nvalsp,void * memctx)1207 accesslog_ctrls(
1208 LDAPControl **ctrls,
1209 BerVarray *valsp,
1210 BerVarray *nvalsp,
1211 void *memctx )
1212 {
1213 long i, rc = 0;
1214
1215 assert( valsp != NULL );
1216 assert( ctrls != NULL );
1217
1218 *valsp = NULL;
1219 *nvalsp = NULL;
1220
1221 for ( i = 0; ctrls[ i ] != NULL; i++ ) {
1222 struct berval idx,
1223 oid,
1224 noid,
1225 bv;
1226 char *ptr,
1227 buf[ 32 ];
1228
1229 if ( ctrls[ i ]->ldctl_oid == NULL ) {
1230 return LDAP_PROTOCOL_ERROR;
1231 }
1232
1233 idx.bv_len = snprintf( buf, sizeof( buf ), "{%ld}", i );
1234 idx.bv_val = buf;
1235
1236 ber_str2bv( ctrls[ i ]->ldctl_oid, 0, 0, &oid );
1237 noid.bv_len = idx.bv_len + oid.bv_len;
1238 ptr = noid.bv_val = ber_memalloc_x( noid.bv_len + 1, memctx );
1239 ptr = lutil_strcopy( ptr, idx.bv_val );
1240 ptr = lutil_strcopy( ptr, oid.bv_val );
1241
1242 bv.bv_len = idx.bv_len + STRLENOF( "{}" ) + oid.bv_len;
1243
1244 if ( ctrls[ i ]->ldctl_iscritical ) {
1245 bv.bv_len += STRLENOF( " criticality TRUE" );
1246 }
1247
1248 if ( !BER_BVISNULL( &ctrls[ i ]->ldctl_value ) ) {
1249 bv.bv_len += STRLENOF( " controlValue \"\"" )
1250 + 2 * ctrls[ i ]->ldctl_value.bv_len;
1251 }
1252
1253 ptr = bv.bv_val = ber_memalloc_x( bv.bv_len + 1, memctx );
1254 if ( ptr == NULL ) {
1255 ber_bvarray_free( *valsp );
1256 *valsp = NULL;
1257 ber_bvarray_free( *nvalsp );
1258 *nvalsp = NULL;
1259 return LDAP_OTHER;
1260 }
1261
1262 ptr = lutil_strcopy( ptr, idx.bv_val );
1263
1264 *ptr++ = '{' /*}*/ ;
1265 ptr = lutil_strcopy( ptr, oid.bv_val );
1266
1267 if ( ctrls[ i ]->ldctl_iscritical ) {
1268 ptr = lutil_strcopy( ptr, " criticality TRUE" );
1269 }
1270
1271 if ( !BER_BVISNULL( &ctrls[ i ]->ldctl_value ) ) {
1272 ber_len_t j;
1273
1274 ptr = lutil_strcopy( ptr, " controlValue \"" );
1275 for ( j = 0; j < ctrls[ i ]->ldctl_value.bv_len; j++ ) {
1276 *ptr++ = SLAP_ESCAPE_HI(ctrls[ i ]->ldctl_value.bv_val[ j ]);
1277 *ptr++ = SLAP_ESCAPE_LO(ctrls[ i ]->ldctl_value.bv_val[ j ]);
1278 }
1279
1280 *ptr++ = '"';
1281 }
1282
1283 *ptr++ = '}';
1284 *ptr = '\0';
1285
1286 ber_bvarray_add_x( valsp, &bv, memctx );
1287 ber_bvarray_add_x( nvalsp, &noid, memctx );
1288 }
1289
1290 return rc;
1291
1292 }
1293
accesslog_entry(Operation * op,SlapReply * rs,log_info * li,int logop,Operation * op2)1294 static Entry *accesslog_entry( Operation *op, SlapReply *rs,
1295 log_info *li, int logop, Operation *op2 ) {
1296
1297 char rdnbuf[STRLENOF(RDNEQ)+LDAP_LUTIL_GENTIME_BUFSIZE+8];
1298 char nrdnbuf[STRLENOF(RDNEQ)+LDAP_LUTIL_GENTIME_BUFSIZE+8];
1299
1300 struct berval rdn, nrdn, timestamp, ntimestamp, bv;
1301 slap_verbmasks *lo = logops+logop+EN_OFFSET;
1302
1303 Entry *e = entry_alloc();
1304
1305 strcpy( rdnbuf, RDNEQ );
1306 rdn.bv_val = rdnbuf;
1307 strcpy( nrdnbuf, RDNEQ );
1308 nrdn.bv_val = nrdnbuf;
1309
1310 timestamp.bv_val = rdnbuf+STRLENOF(RDNEQ);
1311 timestamp.bv_len = sizeof(rdnbuf) - STRLENOF(RDNEQ);
1312 slap_timestamp( &op->o_time, ×tamp );
1313 snprintf( timestamp.bv_val + timestamp.bv_len-1, sizeof(".123456Z"), ".%06dZ", op->o_tincr );
1314 timestamp.bv_len += STRLENOF(".123456");
1315
1316 rdn.bv_len = STRLENOF(RDNEQ)+timestamp.bv_len;
1317 ad_reqStart->ad_type->sat_equality->smr_normalize(
1318 SLAP_MR_VALUE_OF_ASSERTION_SYNTAX, ad_reqStart->ad_type->sat_syntax,
1319 ad_reqStart->ad_type->sat_equality, ×tamp, &ntimestamp,
1320 op->o_tmpmemctx );
1321
1322 strcpy( nrdn.bv_val + STRLENOF(RDNEQ), ntimestamp.bv_val );
1323 nrdn.bv_len = STRLENOF(RDNEQ)+ntimestamp.bv_len;
1324 build_new_dn( &e->e_name, li->li_db->be_suffix, &rdn, NULL );
1325 build_new_dn( &e->e_nname, li->li_db->be_nsuffix, &nrdn, NULL );
1326
1327 attr_merge_one( e, slap_schema.si_ad_objectClass,
1328 &log_ocs[logop]->soc_cname, NULL );
1329 attr_merge_one( e, slap_schema.si_ad_structuralObjectClass,
1330 &log_ocs[logop]->soc_cname, NULL );
1331 attr_merge_one( e, ad_reqStart, ×tamp, &ntimestamp );
1332 op->o_tmpfree( ntimestamp.bv_val, op->o_tmpmemctx );
1333
1334 slap_op_time( &op2->o_time, &op2->o_tincr );
1335
1336 timestamp.bv_len = sizeof(rdnbuf) - STRLENOF(RDNEQ);
1337 slap_timestamp( &op2->o_time, ×tamp );
1338 snprintf( timestamp.bv_val + timestamp.bv_len-1, sizeof(".123456Z"), ".%06dZ", op2->o_tincr );
1339 timestamp.bv_len += STRLENOF(".123456");
1340
1341 attr_merge_normalize_one( e, ad_reqEnd, ×tamp, op->o_tmpmemctx );
1342
1343 /* Exops have OID appended */
1344 if ( logop == LOG_EN_EXTENDED ) {
1345 bv.bv_len = lo->word.bv_len + op->ore_reqoid.bv_len + 2;
1346 bv.bv_val = ch_malloc( bv.bv_len + 1 );
1347 AC_MEMCPY( bv.bv_val, lo->word.bv_val, lo->word.bv_len );
1348 bv.bv_val[lo->word.bv_len] = '{';
1349 AC_MEMCPY( bv.bv_val+lo->word.bv_len+1, op->ore_reqoid.bv_val,
1350 op->ore_reqoid.bv_len );
1351 bv.bv_val[bv.bv_len-1] = '}';
1352 bv.bv_val[bv.bv_len] = '\0';
1353 attr_merge_one( e, ad_reqType, &bv, NULL );
1354 } else {
1355 attr_merge_one( e, ad_reqType, &lo->word, NULL );
1356 }
1357
1358 rdn.bv_len = snprintf( rdn.bv_val, sizeof( rdnbuf ), "%lu", op->o_connid );
1359 if ( rdn.bv_len < sizeof( rdnbuf ) ) {
1360 attr_merge_one( e, ad_reqSession, &rdn, NULL );
1361 } /* else? */
1362
1363 if ( BER_BVISNULL( &op->o_dn ) ) {
1364 attr_merge_one( e, ad_reqAuthzID, (struct berval *)&slap_empty_bv,
1365 (struct berval *)&slap_empty_bv );
1366 } else {
1367 attr_merge_one( e, ad_reqAuthzID, &op->o_dn, &op->o_ndn );
1368 }
1369
1370 /* FIXME: need to add reqControls and reqRespControls */
1371 if ( op->o_ctrls ) {
1372 BerVarray vals = NULL,
1373 nvals = NULL;
1374
1375 if ( accesslog_ctrls( op->o_ctrls, &vals, &nvals,
1376 op->o_tmpmemctx ) == LDAP_SUCCESS && vals )
1377 {
1378 attr_merge( e, ad_reqControls, vals, nvals );
1379 ber_bvarray_free_x( vals, op->o_tmpmemctx );
1380 ber_bvarray_free_x( nvals, op->o_tmpmemctx );
1381 }
1382 }
1383
1384 if ( rs->sr_ctrls ) {
1385 BerVarray vals = NULL,
1386 nvals = NULL;
1387
1388 if ( accesslog_ctrls( rs->sr_ctrls, &vals, &nvals,
1389 op->o_tmpmemctx ) == LDAP_SUCCESS && vals )
1390 {
1391 attr_merge( e, ad_reqRespControls, vals, nvals );
1392 ber_bvarray_free_x( vals, op->o_tmpmemctx );
1393 ber_bvarray_free_x( nvals, op->o_tmpmemctx );
1394 }
1395
1396 }
1397
1398 return e;
1399 }
1400
1401 static struct berval scopes[] = {
1402 BER_BVC("base"),
1403 BER_BVC("one"),
1404 BER_BVC("sub"),
1405 BER_BVC("subord")
1406 };
1407
1408 static struct berval derefs[] = {
1409 BER_BVC("never"),
1410 BER_BVC("searching"),
1411 BER_BVC("finding"),
1412 BER_BVC("always")
1413 };
1414
1415 static struct berval simple = BER_BVC("SIMPLE");
1416
accesslog_val2val(AttributeDescription * ad,struct berval * val,char c_op,struct berval * dst)1417 static void accesslog_val2val(AttributeDescription *ad, struct berval *val,
1418 char c_op, struct berval *dst) {
1419 char *ptr;
1420
1421 dst->bv_len = ad->ad_cname.bv_len + val->bv_len + 2;
1422 if ( c_op ) dst->bv_len++;
1423
1424 dst->bv_val = ch_malloc( dst->bv_len+1 );
1425
1426 ptr = lutil_strcopy( dst->bv_val, ad->ad_cname.bv_val );
1427 *ptr++ = ':';
1428 if ( c_op )
1429 *ptr++ = c_op;
1430 *ptr++ = ' ';
1431 AC_MEMCPY( ptr, val->bv_val, val->bv_len );
1432 dst->bv_val[dst->bv_len] = '\0';
1433 }
1434
1435 static int
accesslog_op2logop(Operation * op)1436 accesslog_op2logop( Operation *op )
1437 {
1438 switch ( op->o_tag ) {
1439 case LDAP_REQ_ADD: return LOG_EN_ADD;
1440 case LDAP_REQ_DELETE: return LOG_EN_DELETE;
1441 case LDAP_REQ_MODIFY: return LOG_EN_MODIFY;
1442 case LDAP_REQ_MODRDN: return LOG_EN_MODRDN;
1443 case LDAP_REQ_COMPARE: return LOG_EN_COMPARE;
1444 case LDAP_REQ_SEARCH: return LOG_EN_SEARCH;
1445 case LDAP_REQ_BIND: return LOG_EN_BIND;
1446 case LDAP_REQ_EXTENDED: return LOG_EN_EXTENDED;
1447 default: /* unknown operation type */
1448 break;
1449 } /* Unbind and Abandon never reach here */
1450 return LOG_EN_UNKNOWN;
1451 }
1452
accesslog_response(Operation * op,SlapReply * rs)1453 static int accesslog_response(Operation *op, SlapReply *rs) {
1454 slap_overinst *on = (slap_overinst *)op->o_callback->sc_private;
1455 log_info *li = on->on_bi.bi_private;
1456 Attribute *a, *last_attr;
1457 Modifications *m;
1458 struct berval *b, uuid = BER_BVNULL;
1459 int i;
1460 int logop;
1461 slap_verbmasks *lo;
1462 Entry *e = NULL, *old = NULL, *e_uuid = NULL;
1463 char timebuf[LDAP_LUTIL_GENTIME_BUFSIZE+8];
1464 struct berval bv;
1465 char *ptr;
1466 BerVarray vals;
1467 Operation op2 = {0};
1468 SlapReply rs2 = {REP_RESULT};
1469
1470 {
1471 slap_callback *sc = op->o_callback;
1472 op->o_callback = sc->sc_next;
1473 op->o_tmpfree(sc, op->o_tmpmemctx );
1474 }
1475
1476 if ( rs->sr_type != REP_RESULT && rs->sr_type != REP_EXTENDED )
1477 return SLAP_CB_CONTINUE;
1478
1479 logop = accesslog_op2logop( op );
1480 lo = logops+logop+EN_OFFSET;
1481 if ( !( li->li_ops & lo->mask )) {
1482 log_base *lb;
1483
1484 i = 0;
1485 for ( lb = li->li_bases; lb; lb=lb->lb_next )
1486 if (( lb->lb_ops & lo->mask ) && dnIsSuffix( &op->o_req_ndn, &lb->lb_base )) {
1487 i = 1;
1488 break;
1489 }
1490 if ( !i )
1491 return SLAP_CB_CONTINUE;
1492 }
1493
1494 /* mutex and so were only set for write operations;
1495 * if we got here, the operation must be logged */
1496 if ( lo->mask & LOG_OP_WRITES ) {
1497 slap_callback *cb;
1498
1499 /* These internal ops are not logged */
1500 if ( op->o_dont_replicate )
1501 return SLAP_CB_CONTINUE;
1502
1503 ldap_pvt_thread_mutex_lock( &li->li_log_mutex );
1504 old = li->li_old;
1505 uuid = li->li_uuid;
1506 li->li_old = NULL;
1507 BER_BVZERO( &li->li_uuid );
1508 #ifdef RMUTEX_DEBUG
1509 Debug( LDAP_DEBUG_SYNC,
1510 "accesslog_response: unlocking rmutex for tid %x\n",
1511 op->o_tid, 0, 0 );
1512 #endif
1513 ldap_pvt_thread_rmutex_unlock( &li->li_op_rmutex, op->o_tid );
1514 }
1515
1516 /* ignore these internal reads */
1517 if (( lo->mask & LOG_OP_READS ) && op->o_do_not_cache ) {
1518 return SLAP_CB_CONTINUE;
1519 }
1520
1521 if ( li->li_success && rs->sr_err != LDAP_SUCCESS )
1522 goto done;
1523
1524 e = accesslog_entry( op, rs, li, logop, &op2 );
1525
1526 if ( !BER_BVISNULL( &op->o_req_ndn ))
1527 attr_merge_one( e, ad_reqDN, &op->o_req_dn, &op->o_req_ndn );
1528
1529 if ( rs->sr_text ) {
1530 ber_str2bv( rs->sr_text, 0, 0, &bv );
1531 attr_merge_normalize_one( e, ad_reqMessage, &bv, op->o_tmpmemctx );
1532 }
1533 bv.bv_len = snprintf( timebuf, sizeof( timebuf ), "%d", rs->sr_err );
1534 if ( bv.bv_len < sizeof( timebuf ) ) {
1535 bv.bv_val = timebuf;
1536 attr_merge_one( e, ad_reqResult, &bv, NULL );
1537 }
1538
1539 last_attr = attr_find( e->e_attrs, ad_reqResult );
1540
1541 e_uuid = old;
1542 switch( logop ) {
1543 case LOG_EN_ADD:
1544 case LOG_EN_DELETE: {
1545 char c_op;
1546 Entry *e2;
1547
1548 if ( logop == LOG_EN_ADD ) {
1549 e2 = op->ora_e;
1550 e_uuid = op->ora_e;
1551 c_op = '+';
1552
1553 } else {
1554 if ( !old )
1555 break;
1556 e2 = old;
1557 c_op = 0;
1558 }
1559 /* count all the vals */
1560 i = 0;
1561 for ( a=e2->e_attrs; a; a=a->a_next ) {
1562 i += a->a_numvals;
1563 }
1564 vals = ch_malloc( (i+1) * sizeof( struct berval ));
1565 i = 0;
1566 for ( a=e2->e_attrs; a; a=a->a_next ) {
1567 if ( a->a_vals ) {
1568 for (b=a->a_vals; !BER_BVISNULL( b ); b++,i++) {
1569 accesslog_val2val( a->a_desc, b, c_op, &vals[i] );
1570 }
1571 }
1572 }
1573 vals[i].bv_val = NULL;
1574 vals[i].bv_len = 0;
1575 a = attr_alloc( logop == LOG_EN_ADD ? ad_reqMod : ad_reqOld );
1576 a->a_numvals = i;
1577 a->a_vals = vals;
1578 a->a_nvals = vals;
1579 last_attr->a_next = a;
1580 break;
1581 }
1582
1583 case LOG_EN_MODRDN:
1584 case LOG_EN_MODIFY:
1585 /* count all the mods + attributes (ITS#6545) */
1586 i = 0;
1587 for ( m = op->orm_modlist; m; m = m->sml_next ) {
1588 if ( m->sml_values ) {
1589 i += m->sml_numvals;
1590 } else if ( m->sml_op == LDAP_MOD_DELETE ||
1591 m->sml_op == SLAP_MOD_SOFTDEL ||
1592 m->sml_op == LDAP_MOD_REPLACE )
1593 {
1594 i++;
1595 }
1596 if ( m->sml_next && m->sml_desc == m->sml_next->sml_desc ) {
1597 i++;
1598 }
1599 }
1600 vals = ch_malloc( (i+1) * sizeof( struct berval ));
1601 i = 0;
1602
1603 /* init flags on old entry */
1604 if ( old ) {
1605 for ( a = old->e_attrs; a; a = a->a_next ) {
1606 log_attr *la;
1607 a->a_flags = 0;
1608
1609 /* look for attrs that are always logged */
1610 for ( la = li->li_oldattrs; la; la = la->next ) {
1611 if ( a->a_desc == la->attr ) {
1612 a->a_flags = 1;
1613 }
1614 }
1615 }
1616 }
1617
1618 for ( m = op->orm_modlist; m; m = m->sml_next ) {
1619 /* Mark this attribute as modified */
1620 if ( old ) {
1621 a = attr_find( old->e_attrs, m->sml_desc );
1622 if ( a ) {
1623 a->a_flags = 1;
1624 }
1625 }
1626
1627 /* don't log the RDN mods; they're explicitly logged later */
1628 if ( logop == LOG_EN_MODRDN &&
1629 ( m->sml_op == SLAP_MOD_SOFTADD ||
1630 m->sml_op == LDAP_MOD_DELETE ) )
1631 {
1632 continue;
1633 }
1634
1635 if ( m->sml_values ) {
1636 for ( b = m->sml_values; !BER_BVISNULL( b ); b++, i++ ) {
1637 char c_op;
1638
1639 switch ( m->sml_op ) {
1640 case LDAP_MOD_ADD: /* FALLTHRU */
1641 case SLAP_MOD_SOFTADD: c_op = '+'; break;
1642 case LDAP_MOD_DELETE: /* FALLTHRU */
1643 case SLAP_MOD_SOFTDEL: c_op = '-'; break;
1644 case LDAP_MOD_REPLACE: c_op = '='; break;
1645 case LDAP_MOD_INCREMENT: c_op = '#'; break;
1646
1647 /* unknown op. there shouldn't be any of these. we
1648 * don't know what to do with it, but we shouldn't just
1649 * ignore it.
1650 */
1651 default: c_op = '?'; break;
1652 }
1653 accesslog_val2val( m->sml_desc, b, c_op, &vals[i] );
1654 }
1655 } else if ( m->sml_op == LDAP_MOD_DELETE ||
1656 m->sml_op == SLAP_MOD_SOFTDEL ||
1657 m->sml_op == LDAP_MOD_REPLACE )
1658 {
1659 vals[i].bv_len = m->sml_desc->ad_cname.bv_len + 2;
1660 vals[i].bv_val = ch_malloc( vals[i].bv_len + 1 );
1661 ptr = lutil_strcopy( vals[i].bv_val,
1662 m->sml_desc->ad_cname.bv_val );
1663 *ptr++ = ':';
1664 if ( m->sml_op == LDAP_MOD_DELETE || m->sml_op == SLAP_MOD_SOFTDEL ) {
1665 *ptr++ = '-';
1666 } else {
1667 *ptr++ = '=';
1668 }
1669 *ptr = '\0';
1670 i++;
1671 }
1672 /* ITS#6545: when the same attribute is edited multiple times,
1673 * record the transition */
1674 if ( m->sml_next && m->sml_desc == m->sml_next->sml_desc &&
1675 m->sml_op == m->sml_next->sml_op ) {
1676 ber_str2bv( ":", STRLENOF(":"), 1, &vals[i] );
1677 i++;
1678 }
1679 }
1680
1681 if ( i > 0 ) {
1682 BER_BVZERO( &vals[i] );
1683 a = attr_alloc( ad_reqMod );
1684 a->a_numvals = i;
1685 a->a_vals = vals;
1686 a->a_nvals = vals;
1687 last_attr->a_next = a;
1688 last_attr = a;
1689
1690 } else {
1691 ch_free( vals );
1692 }
1693
1694 if ( old ) {
1695 /* count all the vals */
1696 i = 0;
1697 for ( a = old->e_attrs; a != NULL; a = a->a_next ) {
1698 if ( a->a_vals && a->a_flags ) {
1699 i += a->a_numvals;
1700 }
1701 }
1702 if ( i ) {
1703 vals = ch_malloc( (i + 1) * sizeof( struct berval ) );
1704 i = 0;
1705 for ( a=old->e_attrs; a; a=a->a_next ) {
1706 if ( a->a_vals && a->a_flags ) {
1707 for (b=a->a_vals; !BER_BVISNULL( b ); b++,i++) {
1708 accesslog_val2val( a->a_desc, b, 0, &vals[i] );
1709 }
1710 }
1711 }
1712 vals[i].bv_val = NULL;
1713 vals[i].bv_len = 0;
1714 a = attr_alloc( ad_reqOld );
1715 a->a_numvals = i;
1716 a->a_vals = vals;
1717 a->a_nvals = vals;
1718 last_attr->a_next = a;
1719 }
1720 }
1721 if ( logop == LOG_EN_MODIFY ) {
1722 break;
1723 }
1724
1725 /* Now log the actual modRDN info */
1726 attr_merge_one( e, ad_reqNewRDN, &op->orr_newrdn, &op->orr_nnewrdn );
1727 attr_merge_one( e, ad_reqDeleteOldRDN, op->orr_deleteoldrdn ?
1728 (struct berval *)&slap_true_bv : (struct berval *)&slap_false_bv,
1729 NULL );
1730 if ( op->orr_newSup ) {
1731 attr_merge_one( e, ad_reqNewSuperior, op->orr_newSup, op->orr_nnewSup );
1732 }
1733 break;
1734
1735 case LOG_EN_COMPARE:
1736 bv.bv_len = op->orc_ava->aa_desc->ad_cname.bv_len + 1 +
1737 op->orc_ava->aa_value.bv_len;
1738 bv.bv_val = op->o_tmpalloc( bv.bv_len+1, op->o_tmpmemctx );
1739 ptr = lutil_strcopy( bv.bv_val, op->orc_ava->aa_desc->ad_cname.bv_val );
1740 *ptr++ = '=';
1741 AC_MEMCPY( ptr, op->orc_ava->aa_value.bv_val, op->orc_ava->aa_value.bv_len );
1742 bv.bv_val[bv.bv_len] = '\0';
1743 attr_merge_one( e, ad_reqAssertion, &bv, NULL );
1744 op->o_tmpfree( bv.bv_val, op->o_tmpmemctx );
1745 break;
1746
1747 case LOG_EN_SEARCH:
1748 attr_merge_one( e, ad_reqScope, &scopes[op->ors_scope], NULL );
1749 attr_merge_one( e, ad_reqDerefAliases, &derefs[op->ors_deref], NULL );
1750 attr_merge_one( e, ad_reqAttrsOnly, op->ors_attrsonly ?
1751 (struct berval *)&slap_true_bv : (struct berval *)&slap_false_bv,
1752 NULL );
1753 if ( !BER_BVISEMPTY( &op->ors_filterstr ))
1754 attr_merge_normalize_one( e, ad_reqFilter, &op->ors_filterstr, op->o_tmpmemctx );
1755 if ( op->ors_attrs ) {
1756 int j;
1757 /* count them */
1758 for (i=0; !BER_BVISNULL(&op->ors_attrs[i].an_name );i++)
1759 ;
1760 vals = op->o_tmpalloc( (i+1) * sizeof(struct berval),
1761 op->o_tmpmemctx );
1762 for (i=0, j=0; !BER_BVISNULL(&op->ors_attrs[i].an_name );i++) {
1763 if (!BER_BVISEMPTY(&op->ors_attrs[i].an_name)) {
1764 vals[j] = op->ors_attrs[i].an_name;
1765 j++;
1766 }
1767 }
1768 BER_BVZERO(&vals[j]);
1769 attr_merge_normalize( e, ad_reqAttr, vals, op->o_tmpmemctx );
1770 op->o_tmpfree( vals, op->o_tmpmemctx );
1771 }
1772 bv.bv_val = timebuf;
1773 bv.bv_len = snprintf( bv.bv_val, sizeof( timebuf ), "%d", rs->sr_nentries );
1774 if ( bv.bv_len < sizeof( timebuf ) ) {
1775 attr_merge_one( e, ad_reqEntries, &bv, NULL );
1776 } /* else? */
1777
1778 bv.bv_len = snprintf( bv.bv_val, sizeof( timebuf ), "%d", op->ors_tlimit );
1779 if ( bv.bv_len < sizeof( timebuf ) ) {
1780 attr_merge_one( e, ad_reqTimeLimit, &bv, NULL );
1781 } /* else? */
1782
1783 bv.bv_len = snprintf( bv.bv_val, sizeof( timebuf ), "%d", op->ors_slimit );
1784 if ( bv.bv_len < sizeof( timebuf ) ) {
1785 attr_merge_one( e, ad_reqSizeLimit, &bv, NULL );
1786 } /* else? */
1787 break;
1788
1789 case LOG_EN_BIND:
1790 bv.bv_val = timebuf;
1791 bv.bv_len = snprintf( bv.bv_val, sizeof( timebuf ), "%d", op->o_protocol );
1792 if ( bv.bv_len < sizeof( timebuf ) ) {
1793 attr_merge_one( e, ad_reqVersion, &bv, NULL );
1794 } /* else? */
1795 if ( op->orb_method == LDAP_AUTH_SIMPLE ) {
1796 attr_merge_normalize_one( e, ad_reqMethod, &simple, op->o_tmpmemctx );
1797 } else {
1798 bv.bv_len = STRLENOF("SASL()") + op->orb_mech.bv_len;
1799 bv.bv_val = op->o_tmpalloc( bv.bv_len + 1, op->o_tmpmemctx );
1800 ptr = lutil_strcopy( bv.bv_val, "SASL(" );
1801 ptr = lutil_strcopy( ptr, op->orb_mech.bv_val );
1802 *ptr++ = ')';
1803 *ptr = '\0';
1804 attr_merge_normalize_one( e, ad_reqMethod, &bv, op->o_tmpmemctx );
1805 op->o_tmpfree( bv.bv_val, op->o_tmpmemctx );
1806 }
1807
1808 break;
1809
1810 case LOG_EN_EXTENDED:
1811 if ( op->ore_reqdata ) {
1812 attr_merge_one( e, ad_reqData, op->ore_reqdata, NULL );
1813 }
1814 break;
1815
1816 case LOG_EN_UNKNOWN:
1817 /* we don't know its parameters, don't add any */
1818 break;
1819 }
1820
1821 if ( e_uuid || !BER_BVISNULL( &uuid ) ) {
1822 struct berval *pbv = NULL;
1823
1824 if ( !BER_BVISNULL( &uuid ) ) {
1825 pbv = &uuid;
1826
1827 } else {
1828 a = attr_find( e_uuid->e_attrs, slap_schema.si_ad_entryUUID );
1829 if ( a ) {
1830 pbv = &a->a_vals[0];
1831 }
1832 }
1833
1834 if ( pbv ) {
1835 attr_merge_normalize_one( e, ad_reqEntryUUID, pbv, op->o_tmpmemctx );
1836 }
1837
1838 if ( !BER_BVISNULL( &uuid ) ) {
1839 ber_memfree( uuid.bv_val );
1840 BER_BVZERO( &uuid );
1841 }
1842 }
1843
1844 op2.o_hdr = op->o_hdr;
1845 op2.o_tag = LDAP_REQ_ADD;
1846 op2.o_bd = li->li_db;
1847 op2.o_dn = li->li_db->be_rootdn;
1848 op2.o_ndn = li->li_db->be_rootndn;
1849 op2.o_req_dn = e->e_name;
1850 op2.o_req_ndn = e->e_nname;
1851 op2.ora_e = e;
1852 op2.o_callback = &nullsc;
1853 op2.o_csn = op->o_csn;
1854 /* contextCSN updates may still reach here */
1855 op2.o_dont_replicate = op->o_dont_replicate;
1856
1857 if (( lo->mask & LOG_OP_WRITES ) && !BER_BVISEMPTY( &op->o_csn )) {
1858 struct berval maxcsn;
1859 char cbuf[LDAP_PVT_CSNSTR_BUFSIZE];
1860 int foundit;
1861 cbuf[0] = '\0';
1862 maxcsn.bv_val = cbuf;
1863 maxcsn.bv_len = sizeof(cbuf);
1864 /* If there was a commit CSN on the main DB,
1865 * we must propagate it to the log DB for its
1866 * own syncprov. Otherwise, don't generate one.
1867 */
1868 slap_get_commit_csn( op, &maxcsn, &foundit );
1869 if ( !BER_BVISEMPTY( &maxcsn ) ) {
1870 slap_queue_csn( &op2, &op->o_csn );
1871 } else {
1872 attr_merge_normalize_one( e, slap_schema.si_ad_entryCSN,
1873 &op->o_csn, op->o_tmpmemctx );
1874 }
1875 }
1876
1877 op2.o_bd->be_add( &op2, &rs2 );
1878 if ( rs2.sr_err != LDAP_SUCCESS ) {
1879 Debug( LDAP_DEBUG_SYNC,
1880 "accesslog_response: got result 0x%x adding log entry %s\n",
1881 rs2.sr_err, op2.o_req_dn.bv_val, 0 );
1882 }
1883 if ( e == op2.ora_e ) entry_free( e );
1884 e = NULL;
1885
1886 done:
1887 if ( lo->mask & LOG_OP_WRITES )
1888 ldap_pvt_thread_mutex_unlock( &li->li_log_mutex );
1889 if ( old ) entry_free( old );
1890 return SLAP_CB_CONTINUE;
1891 }
1892
1893 static int
accesslog_op_misc(Operation * op,SlapReply * rs)1894 accesslog_op_misc( Operation *op, SlapReply *rs )
1895 {
1896 slap_callback *sc;
1897
1898 sc = op->o_tmpcalloc( 1, sizeof(slap_callback), op->o_tmpmemctx );
1899 sc->sc_response = accesslog_response;
1900 sc->sc_private = op->o_bd->bd_info;
1901
1902 if ( op->o_callback ) {
1903 sc->sc_next = op->o_callback->sc_next;
1904 op->o_callback->sc_next = sc;
1905 } else {
1906 op->o_callback = sc;
1907 }
1908 return SLAP_CB_CONTINUE;
1909 }
1910
1911 static int
accesslog_op_mod(Operation * op,SlapReply * rs)1912 accesslog_op_mod( Operation *op, SlapReply *rs )
1913 {
1914 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
1915 log_info *li = on->on_bi.bi_private;
1916 slap_verbmasks *lo;
1917 int logop;
1918 int doit = 0;
1919
1920 /* These internal ops are not logged */
1921 if ( op->o_dont_replicate )
1922 return SLAP_CB_CONTINUE;
1923
1924 logop = accesslog_op2logop( op );
1925 lo = logops+logop+EN_OFFSET;
1926
1927 if ( li->li_ops & lo->mask ) {
1928 doit = 1;
1929 } else {
1930 log_base *lb;
1931 for ( lb = li->li_bases; lb; lb = lb->lb_next )
1932 if (( lb->lb_ops & lo->mask ) && dnIsSuffix( &op->o_req_ndn, &lb->lb_base )) {
1933 doit = 1;
1934 break;
1935 }
1936 }
1937
1938 if ( doit ) {
1939 slap_callback *cb = op->o_tmpcalloc( 1, sizeof( slap_callback ), op->o_tmpmemctx );
1940 cb->sc_cleanup = accesslog_response;
1941 cb->sc_response = accesslog_response;
1942 cb->sc_private = on;
1943 cb->sc_next = op->o_callback;
1944 op->o_callback = cb;
1945
1946 #ifdef RMUTEX_DEBUG
1947 Debug( LDAP_DEBUG_SYNC,
1948 "accesslog_op_mod: locking rmutex for tid %x\n",
1949 op->o_tid, 0, 0 );
1950 #endif
1951 ldap_pvt_thread_rmutex_lock( &li->li_op_rmutex, op->o_tid );
1952 #ifdef RMUTEX_DEBUG
1953 Debug( LDAP_DEBUG_STATS,
1954 "accesslog_op_mod: locked rmutex for tid %x\n",
1955 op->o_tid, 0, 0 );
1956 #endif
1957 if ( li->li_oldf && ( op->o_tag == LDAP_REQ_DELETE ||
1958 op->o_tag == LDAP_REQ_MODIFY ||
1959 ( op->o_tag == LDAP_REQ_MODRDN && li->li_oldattrs )))
1960 {
1961 int rc;
1962 Entry *e;
1963
1964 op->o_bd->bd_info = (BackendInfo *)on->on_info;
1965 rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
1966 if ( e ) {
1967 if ( test_filter( op, e, li->li_oldf ) == LDAP_COMPARE_TRUE )
1968 li->li_old = entry_dup( e );
1969 be_entry_release_rw( op, e, 0 );
1970 }
1971 op->o_bd->bd_info = (BackendInfo *)on;
1972
1973 } else {
1974 int rc;
1975 Entry *e;
1976
1977 op->o_bd->bd_info = (BackendInfo *)on->on_info;
1978 rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &e );
1979 if ( e ) {
1980 Attribute *a = attr_find( e->e_attrs, slap_schema.si_ad_entryUUID );
1981 if ( a ) {
1982 ber_dupbv( &li->li_uuid, &a->a_vals[0] );
1983 }
1984 be_entry_release_rw( op, e, 0 );
1985 }
1986 op->o_bd->bd_info = (BackendInfo *)on;
1987 }
1988 }
1989 return SLAP_CB_CONTINUE;
1990 }
1991
1992 /* unbinds are broadcast to all backends; we only log it if this
1993 * backend was used for the original bind.
1994 */
1995 static int
accesslog_unbind(Operation * op,SlapReply * rs)1996 accesslog_unbind( Operation *op, SlapReply *rs )
1997 {
1998 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
1999 if ( op->o_conn->c_authz_backend == on->on_info->oi_origdb ) {
2000 log_info *li = on->on_bi.bi_private;
2001 Operation op2 = {0};
2002 void *cids[SLAP_MAX_CIDS];
2003 SlapReply rs2 = {REP_RESULT};
2004 Entry *e;
2005
2006 if ( !( li->li_ops & LOG_OP_UNBIND )) {
2007 log_base *lb;
2008 int i = 0;
2009
2010 for ( lb = li->li_bases; lb; lb=lb->lb_next )
2011 if (( lb->lb_ops & LOG_OP_UNBIND ) && dnIsSuffix( &op->o_ndn, &lb->lb_base )) {
2012 i = 1;
2013 break;
2014 }
2015 if ( !i )
2016 return SLAP_CB_CONTINUE;
2017 }
2018
2019 e = accesslog_entry( op, rs, li, LOG_EN_UNBIND, &op2 );
2020 op2.o_hdr = op->o_hdr;
2021 op2.o_tag = LDAP_REQ_ADD;
2022 op2.o_bd = li->li_db;
2023 op2.o_dn = li->li_db->be_rootdn;
2024 op2.o_ndn = li->li_db->be_rootndn;
2025 op2.o_req_dn = e->e_name;
2026 op2.o_req_ndn = e->e_nname;
2027 op2.ora_e = e;
2028 op2.o_callback = &nullsc;
2029 op2.o_controls = cids;
2030 memset(cids, 0, sizeof( cids ));
2031
2032 op2.o_bd->be_add( &op2, &rs2 );
2033 if ( e == op2.ora_e )
2034 entry_free( e );
2035 }
2036 return SLAP_CB_CONTINUE;
2037 }
2038
2039 static int
accesslog_abandon(Operation * op,SlapReply * rs)2040 accesslog_abandon( Operation *op, SlapReply *rs )
2041 {
2042 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
2043 log_info *li = on->on_bi.bi_private;
2044 Operation op2 = {0};
2045 void *cids[SLAP_MAX_CIDS];
2046 SlapReply rs2 = {REP_RESULT};
2047 Entry *e;
2048 char buf[64];
2049 struct berval bv;
2050
2051 if ( !op->o_time )
2052 return SLAP_CB_CONTINUE;
2053
2054 if ( !( li->li_ops & LOG_OP_ABANDON )) {
2055 log_base *lb;
2056 int i = 0;
2057
2058 for ( lb = li->li_bases; lb; lb=lb->lb_next )
2059 if (( lb->lb_ops & LOG_OP_ABANDON ) && dnIsSuffix( &op->o_ndn, &lb->lb_base )) {
2060 i = 1;
2061 break;
2062 }
2063 if ( !i )
2064 return SLAP_CB_CONTINUE;
2065 }
2066
2067 e = accesslog_entry( op, rs, li, LOG_EN_ABANDON, &op2 );
2068 bv.bv_val = buf;
2069 bv.bv_len = snprintf( buf, sizeof( buf ), "%d", op->orn_msgid );
2070 if ( bv.bv_len < sizeof( buf ) ) {
2071 attr_merge_one( e, ad_reqId, &bv, NULL );
2072 } /* else? */
2073
2074 op2.o_hdr = op->o_hdr;
2075 op2.o_tag = LDAP_REQ_ADD;
2076 op2.o_bd = li->li_db;
2077 op2.o_dn = li->li_db->be_rootdn;
2078 op2.o_ndn = li->li_db->be_rootndn;
2079 op2.o_req_dn = e->e_name;
2080 op2.o_req_ndn = e->e_nname;
2081 op2.ora_e = e;
2082 op2.o_callback = &nullsc;
2083 op2.o_controls = cids;
2084 memset(cids, 0, sizeof( cids ));
2085
2086 op2.o_bd->be_add( &op2, &rs2 );
2087 if ( e == op2.ora_e )
2088 entry_free( e );
2089
2090 return SLAP_CB_CONTINUE;
2091 }
2092
2093 static int
accesslog_operational(Operation * op,SlapReply * rs)2094 accesslog_operational( Operation *op, SlapReply *rs )
2095 {
2096 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
2097 log_info *li = on->on_bi.bi_private;
2098
2099 if ( op->o_sync != SLAP_CONTROL_NONE )
2100 return SLAP_CB_CONTINUE;
2101
2102 if ( rs->sr_entry != NULL
2103 && dn_match( &op->o_bd->be_nsuffix[0], &rs->sr_entry->e_nname ) )
2104 {
2105 Attribute **ap;
2106
2107 for ( ap = &rs->sr_operational_attrs; *ap; ap = &(*ap)->a_next )
2108 /* just count */ ;
2109
2110 if ( SLAP_OPATTRS( rs->sr_attr_flags ) ||
2111 ad_inlist( ad_auditContext, rs->sr_attrs ) )
2112 {
2113 *ap = attr_alloc( ad_auditContext );
2114 attr_valadd( *ap,
2115 &li->li_db->be_suffix[0],
2116 &li->li_db->be_nsuffix[0], 1 );
2117 }
2118 }
2119
2120 return SLAP_CB_CONTINUE;
2121 }
2122
2123 static slap_overinst accesslog;
2124
2125 static int
accesslog_db_init(BackendDB * be,ConfigReply * cr)2126 accesslog_db_init(
2127 BackendDB *be,
2128 ConfigReply *cr
2129 )
2130 {
2131 slap_overinst *on = (slap_overinst *)be->bd_info;
2132 log_info *li = ch_calloc(1, sizeof(log_info));
2133
2134 on->on_bi.bi_private = li;
2135 ldap_pvt_thread_rmutex_init( &li->li_op_rmutex );
2136 ldap_pvt_thread_mutex_init( &li->li_log_mutex );
2137 return 0;
2138 }
2139
2140 static int
accesslog_db_destroy(BackendDB * be,ConfigReply * cr)2141 accesslog_db_destroy(
2142 BackendDB *be,
2143 ConfigReply *cr
2144 )
2145 {
2146 slap_overinst *on = (slap_overinst *)be->bd_info;
2147 log_info *li = on->on_bi.bi_private;
2148 log_attr *la;
2149
2150 if ( li->li_oldf )
2151 filter_free( li->li_oldf );
2152 for ( la=li->li_oldattrs; la; la=li->li_oldattrs ) {
2153 li->li_oldattrs = la->next;
2154 ch_free( la );
2155 }
2156 ldap_pvt_thread_mutex_destroy( &li->li_log_mutex );
2157 ldap_pvt_thread_rmutex_destroy( &li->li_op_rmutex );
2158 free( li );
2159 return LDAP_SUCCESS;
2160 }
2161
2162 /* Create the logdb's root entry if it's missing */
2163 static void *
accesslog_db_root(void * ctx,void * arg)2164 accesslog_db_root(
2165 void *ctx,
2166 void *arg )
2167 {
2168 struct re_s *rtask = arg;
2169 slap_overinst *on = rtask->arg;
2170 log_info *li = on->on_bi.bi_private;
2171
2172 Connection conn = {0};
2173 OperationBuffer opbuf;
2174 Operation *op;
2175
2176 Entry *e;
2177 int rc;
2178
2179 connection_fake_init( &conn, &opbuf, ctx );
2180 op = &opbuf.ob_op;
2181 op->o_bd = li->li_db;
2182 op->o_dn = li->li_db->be_rootdn;
2183 op->o_ndn = li->li_db->be_rootndn;
2184 rc = be_entry_get_rw( op, li->li_db->be_nsuffix, NULL, NULL, 0, &e );
2185
2186 if ( e ) {
2187 be_entry_release_rw( op, e, 0 );
2188
2189 } else {
2190 SlapReply rs = {REP_RESULT};
2191 struct berval rdn, nrdn, attr;
2192 char *ptr;
2193 AttributeDescription *ad = NULL;
2194 const char *text = NULL;
2195 Entry *e_ctx;
2196 BackendDB db;
2197
2198 e = entry_alloc();
2199 ber_dupbv( &e->e_name, li->li_db->be_suffix );
2200 ber_dupbv( &e->e_nname, li->li_db->be_nsuffix );
2201
2202 attr_merge_one( e, slap_schema.si_ad_objectClass,
2203 &log_container->soc_cname, NULL );
2204
2205 dnRdn( &e->e_name, &rdn );
2206 dnRdn( &e->e_nname, &nrdn );
2207 ptr = ber_bvchr( &rdn, '=' );
2208
2209 assert( ptr != NULL );
2210
2211 attr.bv_val = rdn.bv_val;
2212 attr.bv_len = ptr - rdn.bv_val;
2213
2214 slap_bv2ad( &attr, &ad, &text );
2215
2216 rdn.bv_val = ptr+1;
2217 rdn.bv_len -= attr.bv_len + 1;
2218 ptr = ber_bvchr( &nrdn, '=' );
2219 nrdn.bv_len -= ptr - nrdn.bv_val + 1;
2220 nrdn.bv_val = ptr+1;
2221 attr_merge_one( e, ad, &rdn, &nrdn );
2222
2223 /* Get contextCSN from main DB */
2224 op->o_bd = on->on_info->oi_origdb;
2225 rc = be_entry_get_rw( op, op->o_bd->be_nsuffix, NULL,
2226 slap_schema.si_ad_contextCSN, 0, &e_ctx );
2227
2228 if ( e_ctx ) {
2229 Attribute *a;
2230
2231 a = attr_find( e_ctx->e_attrs, slap_schema.si_ad_contextCSN );
2232 if ( a ) {
2233 /* FIXME: contextCSN could have multiple values!
2234 * should select the one with the server's SID */
2235 attr_merge_one( e, slap_schema.si_ad_entryCSN,
2236 &a->a_vals[0], &a->a_nvals[0] );
2237 attr_merge( e, a->a_desc, a->a_vals, a->a_nvals );
2238 }
2239 be_entry_release_rw( op, e_ctx, 0 );
2240 }
2241 db = *li->li_db;
2242 op->o_bd = &db;
2243
2244 op->o_tag = LDAP_REQ_ADD;
2245 op->ora_e = e;
2246 op->o_req_dn = e->e_name;
2247 op->o_req_ndn = e->e_nname;
2248 op->o_callback = &nullsc;
2249 SLAP_DBFLAGS( op->o_bd ) |= SLAP_DBFLAG_NOLASTMOD;
2250 rc = op->o_bd->be_add( op, &rs );
2251 if ( e == op->ora_e )
2252 entry_free( e );
2253 }
2254 ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
2255 ldap_pvt_runqueue_stoptask( &slapd_rq, rtask );
2256 ldap_pvt_runqueue_remove( &slapd_rq, rtask );
2257 ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
2258
2259 return NULL;
2260 }
2261
2262 static int
accesslog_db_open(BackendDB * be,ConfigReply * cr)2263 accesslog_db_open(
2264 BackendDB *be,
2265 ConfigReply *cr
2266 )
2267 {
2268 slap_overinst *on = (slap_overinst *)be->bd_info;
2269 log_info *li = on->on_bi.bi_private;
2270
2271
2272 if ( !BER_BVISEMPTY( &li->li_db_suffix )) {
2273 li->li_db = select_backend( &li->li_db_suffix, 0 );
2274 ch_free( li->li_db_suffix.bv_val );
2275 BER_BVZERO( &li->li_db_suffix );
2276 }
2277 if ( li->li_db == NULL ) {
2278 Debug( LDAP_DEBUG_ANY,
2279 "accesslog: \"logdb <suffix>\" missing or invalid.\n",
2280 0, 0, 0 );
2281 return 1;
2282 }
2283
2284 if ( slapMode & SLAP_TOOL_MODE )
2285 return 0;
2286
2287 if ( BER_BVISEMPTY( &li->li_db->be_rootndn )) {
2288 ber_dupbv( &li->li_db->be_rootdn, li->li_db->be_suffix );
2289 ber_dupbv( &li->li_db->be_rootndn, li->li_db->be_nsuffix );
2290 }
2291
2292 ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
2293 ldap_pvt_runqueue_insert( &slapd_rq, 3600, accesslog_db_root, on,
2294 "accesslog_db_root", li->li_db->be_suffix[0].bv_val );
2295 ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
2296
2297 return 0;
2298 }
2299
2300 enum { start = 0 };
2301
2302 static int
check_rdntime_syntax(struct berval * val,int * parts,struct berval * fraction)2303 check_rdntime_syntax (struct berval *val,
2304 int *parts,
2305 struct berval *fraction)
2306 {
2307 /*
2308 * GeneralizedTime YYYYmmddHH[MM[SS]][(./,)d...](Z|(+/-)HH[MM])
2309 * GeneralizedTime supports leap seconds, UTCTime does not.
2310 */
2311 static const int ceiling[9] = { 100, 100, 12, 31, 24, 60, 60, 24, 60 };
2312 static const int mdays[2][12] = {
2313 /* non-leap years */
2314 { 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 },
2315 /* leap years */
2316 { 31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 }
2317 };
2318 char *p, *e;
2319 int part, c, c1, c2, tzoffset, leapyear = 0;
2320
2321 p = val->bv_val;
2322 e = p + val->bv_len;
2323
2324 for (part = start; part < 7 && p < e; part++) {
2325 c1 = *p;
2326 if (!ASCII_DIGIT(c1)) {
2327 break;
2328 }
2329 p++;
2330 if (p == e) {
2331 return LDAP_INVALID_SYNTAX;
2332 }
2333 c = *p++;
2334 if (!ASCII_DIGIT(c)) {
2335 return LDAP_INVALID_SYNTAX;
2336 }
2337 c += c1 * 10 - '0' * 11;
2338 if ((part | 1) == 3) {
2339 --c;
2340 if (c < 0) {
2341 return LDAP_INVALID_SYNTAX;
2342 }
2343 }
2344 if (c >= ceiling[part]) {
2345 if (! (c == 60 && part == 6 && start == 0))
2346 return LDAP_INVALID_SYNTAX;
2347 }
2348 parts[part] = c;
2349 }
2350 if (part < 5 + start) {
2351 return LDAP_INVALID_SYNTAX;
2352 }
2353 for (; part < 9; part++) {
2354 parts[part] = 0;
2355 }
2356
2357 /* leapyear check for the Gregorian calendar (year>1581) */
2358 if (parts[parts[1] == 0 ? 0 : 1] % 4 == 0) {
2359 leapyear = 1;
2360 }
2361
2362 if (parts[3] >= mdays[leapyear][parts[2]]) {
2363 return LDAP_INVALID_SYNTAX;
2364 }
2365
2366 if (start == 0) {
2367 fraction->bv_val = p;
2368 fraction->bv_len = 0;
2369 if (p < e && (*p == '.' || *p == ',')) {
2370 char *end_num;
2371 while (++p < e && ASCII_DIGIT(*p)) {
2372 /* EMPTY */;
2373 }
2374 if (p - fraction->bv_val == 1) {
2375 return LDAP_INVALID_SYNTAX;
2376 }
2377
2378 #if 0 /* don't truncate trailing zeros */
2379 for (end_num = p; end_num[-1] == '0'; --end_num) {
2380 /* EMPTY */;
2381 }
2382 c = end_num - fraction->bv_val;
2383 #else
2384 c = p - fraction->bv_val;
2385 #endif
2386 if (c != 1) fraction->bv_len = c;
2387 }
2388 }
2389
2390 if (p == e) {
2391 /* no time zone */
2392 return start == 0 ? LDAP_INVALID_SYNTAX : LDAP_SUCCESS;
2393 }
2394
2395 tzoffset = *p++;
2396 switch (tzoffset) {
2397 case 'Z':
2398 /* UTC */
2399 break;
2400 default:
2401 return LDAP_INVALID_SYNTAX;
2402 }
2403
2404 return p != e ? LDAP_INVALID_SYNTAX : LDAP_SUCCESS;
2405 }
2406
2407 static int
rdnTimestampValidate(Syntax * syntax,struct berval * in)2408 rdnTimestampValidate(
2409 Syntax *syntax,
2410 struct berval *in )
2411 {
2412 int parts[9];
2413 struct berval fraction;
2414 return check_rdntime_syntax(in, parts, &fraction);
2415 }
2416
2417 static int
rdnTimestampNormalize(slap_mask_t usage,Syntax * syntax,MatchingRule * mr,struct berval * val,struct berval * normalized,void * ctx)2418 rdnTimestampNormalize(
2419 slap_mask_t usage,
2420 Syntax *syntax,
2421 MatchingRule *mr,
2422 struct berval *val,
2423 struct berval *normalized,
2424 void *ctx )
2425 {
2426 int parts[9], rc;
2427 unsigned int len;
2428 struct berval fraction;
2429
2430 rc = check_rdntime_syntax(val, parts, &fraction);
2431 if (rc != LDAP_SUCCESS) {
2432 return rc;
2433 }
2434
2435 len = STRLENOF("YYYYmmddHHMMSSZ") + fraction.bv_len;
2436 normalized->bv_val = slap_sl_malloc( len + 1, ctx );
2437 if ( BER_BVISNULL( normalized ) ) {
2438 return LBER_ERROR_MEMORY;
2439 }
2440
2441 sprintf( normalized->bv_val, "%02d%02d%02d%02d%02d%02d%02d",
2442 parts[0], parts[1], parts[2] + 1, parts[3] + 1,
2443 parts[4], parts[5], parts[6] );
2444 if ( !BER_BVISEMPTY( &fraction ) ) {
2445 memcpy( normalized->bv_val + STRLENOF("YYYYmmddHHMMSSZ")-1,
2446 fraction.bv_val, fraction.bv_len );
2447 normalized->bv_val[STRLENOF("YYYYmmddHHMMSSZ")-1] = '.';
2448 }
2449 strcpy( normalized->bv_val + len-1, "Z" );
2450 normalized->bv_len = len;
2451
2452 return LDAP_SUCCESS;
2453 }
2454
2455
accesslog_initialize()2456 int accesslog_initialize()
2457 {
2458 int i, rc;
2459 Syntax *rdnTimestampSyntax;
2460 MatchingRule *rdnTimestampMatch;
2461
2462 accesslog.on_bi.bi_type = "accesslog";
2463 accesslog.on_bi.bi_db_init = accesslog_db_init;
2464 accesslog.on_bi.bi_db_destroy = accesslog_db_destroy;
2465 accesslog.on_bi.bi_db_open = accesslog_db_open;
2466
2467 accesslog.on_bi.bi_op_add = accesslog_op_mod;
2468 accesslog.on_bi.bi_op_bind = accesslog_op_misc;
2469 accesslog.on_bi.bi_op_compare = accesslog_op_misc;
2470 accesslog.on_bi.bi_op_delete = accesslog_op_mod;
2471 accesslog.on_bi.bi_op_modify = accesslog_op_mod;
2472 accesslog.on_bi.bi_op_modrdn = accesslog_op_mod;
2473 accesslog.on_bi.bi_op_search = accesslog_op_misc;
2474 accesslog.on_bi.bi_extended = accesslog_op_misc;
2475 accesslog.on_bi.bi_op_unbind = accesslog_unbind;
2476 accesslog.on_bi.bi_op_abandon = accesslog_abandon;
2477 accesslog.on_bi.bi_operational = accesslog_operational;
2478
2479 accesslog.on_bi.bi_cf_ocs = log_cfocs;
2480
2481 nullsc.sc_response = slap_null_cb;
2482
2483 rc = config_register_schema( log_cfats, log_cfocs );
2484 if ( rc ) return rc;
2485
2486 /* log schema integration */
2487 for ( i=0; lsyntaxes[i].oid; i++ ) {
2488 int code;
2489
2490 code = register_syntax( &lsyntaxes[ i ].syn );
2491 if ( code != 0 ) {
2492 Debug( LDAP_DEBUG_ANY,
2493 "accesslog_init: register_syntax failed\n",
2494 0, 0, 0 );
2495 return code;
2496 }
2497
2498 if ( lsyntaxes[i].mrs != NULL ) {
2499 code = mr_make_syntax_compat_with_mrs(
2500 lsyntaxes[i].oid, lsyntaxes[i].mrs );
2501 if ( code < 0 ) {
2502 Debug( LDAP_DEBUG_ANY,
2503 "accesslog_init: "
2504 "mr_make_syntax_compat_with_mrs "
2505 "failed\n",
2506 0, 0, 0 );
2507 return code;
2508 }
2509 }
2510 }
2511
2512 for ( i=0; lattrs[i].at; i++ ) {
2513 int code;
2514
2515 code = register_at( lattrs[i].at, lattrs[i].ad, 0 );
2516 if ( code ) {
2517 Debug( LDAP_DEBUG_ANY,
2518 "accesslog_init: register_at failed\n",
2519 0, 0, 0 );
2520 return -1;
2521 }
2522 #ifndef LDAP_DEVEL
2523 (*lattrs[i].ad)->ad_type->sat_flags |= SLAP_AT_HIDE;
2524 #endif
2525 }
2526
2527 /* Inject custom normalizer for reqStart/reqEnd */
2528 rdnTimestampMatch = ch_malloc( sizeof( MatchingRule ));
2529 rdnTimestampSyntax = ch_malloc( sizeof( Syntax ));
2530 *rdnTimestampMatch = *ad_reqStart->ad_type->sat_equality;
2531 rdnTimestampMatch->smr_normalize = rdnTimestampNormalize;
2532 *rdnTimestampSyntax = *ad_reqStart->ad_type->sat_syntax;
2533 rdnTimestampSyntax->ssyn_validate = rdnTimestampValidate;
2534 ad_reqStart->ad_type->sat_equality = rdnTimestampMatch;
2535 ad_reqStart->ad_type->sat_syntax = rdnTimestampSyntax;
2536
2537 rdnTimestampMatch = ch_malloc( sizeof( MatchingRule ));
2538 rdnTimestampSyntax = ch_malloc( sizeof( Syntax ));
2539 *rdnTimestampMatch = *ad_reqStart->ad_type->sat_equality;
2540 rdnTimestampMatch->smr_normalize = rdnTimestampNormalize;
2541 *rdnTimestampSyntax = *ad_reqStart->ad_type->sat_syntax;
2542 rdnTimestampSyntax->ssyn_validate = rdnTimestampValidate;
2543 ad_reqEnd->ad_type->sat_equality = rdnTimestampMatch;
2544 ad_reqEnd->ad_type->sat_syntax = rdnTimestampSyntax;
2545
2546 for ( i=0; locs[i].ot; i++ ) {
2547 int code;
2548
2549 code = register_oc( locs[i].ot, locs[i].oc, 0 );
2550 if ( code ) {
2551 Debug( LDAP_DEBUG_ANY,
2552 "accesslog_init: register_oc failed\n",
2553 0, 0, 0 );
2554 return -1;
2555 }
2556 #ifndef LDAP_DEVEL
2557 (*locs[i].oc)->soc_flags |= SLAP_OC_HIDE;
2558 #endif
2559 }
2560
2561 return overlay_register(&accesslog);
2562 }
2563
2564 #if SLAPD_OVER_ACCESSLOG == SLAPD_MOD_DYNAMIC
2565 int
init_module(int argc,char * argv[])2566 init_module( int argc, char *argv[] )
2567 {
2568 return accesslog_initialize();
2569 }
2570 #endif
2571
2572 #endif /* SLAPD_OVER_ACCESSLOG */
2573