/* ldb database library Copyright (C) Andrew Bartlett <abartlet@samba.org> 2006-2007 Copyright (C) Stefan Metzmacher <metze@samba.org> 2007 Copyright (C) Simo Sorce <idra@samba.org> 2008 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. */ /* * Name: ldb * * Component: ldb subtree delete (prevention) module * * Description: Prevent deletion of a subtree in LDB * * Author: Andrew Bartlett */ #include "ldb_module.h" struct subtree_delete_context { struct ldb_module *module; struct ldb_request *req; int num_children; }; static struct subtree_delete_context *subdel_ctx_init(struct ldb_module *module, struct ldb_request *req) { struct ldb_context *ldb; struct subtree_delete_context *ac; ldb = ldb_module_get_ctx(module); ac = talloc_zero(req, struct subtree_delete_context); if (ac == NULL) { ldb_oom(ldb); return NULL; } ac->module = module; ac->req = req; ac->num_children = 0; return ac; } static int subtree_delete_search_callback(struct ldb_request *req, struct ldb_reply *ares) { struct ldb_context *ldb; struct subtree_delete_context *ac; int ret; ac = talloc_get_type(req->context, struct subtree_delete_context); ldb = ldb_module_get_ctx(ac->module); if (!ares) { ret = LDB_ERR_OPERATIONS_ERROR; goto done; } if (ares->error != LDB_SUCCESS) { return ldb_module_done(ac->req, ares->controls, ares->response, ares->error); } switch (ares->type) { case LDB_REPLY_ENTRY: /* count entry */ ++(ac->num_children); talloc_free(ares); ret = LDB_SUCCESS; break; case LDB_REPLY_REFERRAL: /* ignore */ talloc_free(ares); ret = LDB_SUCCESS; break; case LDB_REPLY_DONE: talloc_free(ares); if (ac->num_children > 0) { ldb_asprintf_errstring(ldb, "Cannot delete %s, not a leaf node " "(has %d children)\n", ldb_dn_get_linearized(ac->req->op.del.dn), ac->num_children); return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_NOT_ALLOWED_ON_NON_LEAF); } /* ok no children, let the original request through */ ret = ldb_next_request(ac->module, ac->req); break; } done: if (ret != LDB_SUCCESS) { return ldb_module_done(ac->req, NULL, NULL, ret); } return LDB_SUCCESS; } static int subtree_delete(struct ldb_module *module, struct ldb_request *req) { struct ldb_context *ldb; static const char * const attrs[2] = { "distinguishedName", NULL }; struct ldb_request *search_req; struct subtree_delete_context *ac; int ret; if (ldb_dn_is_special(req->op.rename.olddn)) { /* do not manipulate our control entries */ return ldb_next_request(module, req); } ldb = ldb_module_get_ctx(module); /* This gets complex: We need to: - Do a search for all entires under this entry - Wait for these results to appear - In the callback for each result, count the children (if any) - return an error if there are any */ ac = subdel_ctx_init(module, req); if (!ac) { return LDB_ERR_OPERATIONS_ERROR; } /* we do not really need to find all descendents, * if there is even one single direct child, that's * enough to bail out */ ret = ldb_build_search_req(&search_req, ldb, ac, req->op.del.dn, LDB_SCOPE_ONELEVEL, "(objectClass=*)", attrs, req->controls, ac, subtree_delete_search_callback, req); if (ret != LDB_SUCCESS) { return ret; } return ldb_next_request(module, search_req); } const struct ldb_module_ops ldb_subtree_delete_module_ops = { .name = "subtree_delete", .del = subtree_delete, };