| |
@@ -166,7 +166,7 @@
|
| |
CONFIG_SPECIAL_VALIDATE_CERT_SWITCH, /* maps strings to an enumeration */
|
| |
CONFIG_SPECIAL_UNHASHED_PW_SWITCH, /* unhashed pw: on/off/nolog */
|
| |
CONFIG_SPECIAL_TLS_CHECK_CRL, /* maps enum tls_check_crl_t to char * */
|
| |
- CONFIG_ON_OFF_WARN, /* maps to a config on/warn/off enum */
|
| |
+ CONFIG_SPECIAL_FILTER_VERIFY, /* maps to a config strict/warn-strict/warn/off enum */
|
| |
} ConfigVarType;
|
| |
|
| |
static int32_t config_set_onoff(const char *attrname, char *value, int32_t *configvalue, char *errorbuf, int apply);
|
| |
@@ -256,7 +256,7 @@
|
| |
slapi_onoff_t init_extract_pem;
|
| |
slapi_onoff_t init_ignore_vattrs;
|
| |
slapi_onoff_t init_enable_upgrade_hash;
|
| |
- slapi_onwarnoff_t init_verify_filter_schema;
|
| |
+ slapi_special_filter_verify_t init_verify_filter_schema;
|
| |
|
| |
static int
|
| |
isInt(ConfigVarType type)
|
| |
@@ -1248,7 +1248,7 @@
|
| |
{CONFIG_VERIFY_FILTER_SCHEMA, config_set_verify_filter_schema,
|
| |
NULL, 0,
|
| |
(void **)&global_slapdFrontendConfig.verify_filter_schema,
|
| |
- CONFIG_ON_OFF_WARN, (ConfigGetFunc)config_get_verify_filter_schema,
|
| |
+ CONFIG_SPECIAL_FILTER_VERIFY, (ConfigGetFunc)config_get_verify_filter_schema,
|
| |
&init_verify_filter_schema},
|
| |
/* End config */
|
| |
};
|
| |
@@ -1783,7 +1783,7 @@
|
| |
* scheme set in cn=config
|
| |
*/
|
| |
init_enable_upgrade_hash = cfg->enable_upgrade_hash = LDAP_ON;
|
| |
- init_verify_filter_schema = cfg->verify_filter_schema = SLAPI_WARN;
|
| |
+ init_verify_filter_schema = cfg->verify_filter_schema = SLAPI_WARN_SAFE;
|
| |
|
| |
/* Done, unlock! */
|
| |
CFG_UNLOCK_WRITE(cfg);
|
| |
@@ -7659,18 +7659,21 @@
|
| |
}
|
| |
|
| |
static char *
|
| |
- config_initvalue_to_onwarnoff(struct config_get_and_set *cgas, char *initvalbuf, size_t initvalbufsize) {
|
| |
+ config_initvalue_to_special_filter_verify(struct config_get_and_set *cgas, char *initvalbuf, size_t initvalbufsize) {
|
| |
char *retval = NULL;
|
| |
- if (cgas->config_var_type == CONFIG_ON_OFF_WARN) {
|
| |
- slapi_onwarnoff_t *value = (slapi_onwarnoff_t *)(intptr_t)cgas->initvalue;
|
| |
+ if (cgas->config_var_type == CONFIG_SPECIAL_FILTER_VERIFY) {
|
| |
+ slapi_special_filter_verify_t *value = (slapi_special_filter_verify_t *)(intptr_t)cgas->initvalue;
|
| |
if (value != NULL) {
|
| |
- if (*value == SLAPI_ON) {
|
| |
- PR_snprintf(initvalbuf, initvalbufsize, "%s", "on");
|
| |
+ if (*value == SLAPI_STRICT) {
|
| |
+ PR_snprintf(initvalbuf, initvalbufsize, "%s", "reject-invalid");
|
| |
retval = initvalbuf;
|
| |
- } else if (*value == SLAPI_WARN) {
|
| |
- PR_snprintf(initvalbuf, initvalbufsize, "%s", "warn");
|
| |
+ } else if (*value == SLAPI_WARN_SAFE) {
|
| |
+ PR_snprintf(initvalbuf, initvalbufsize, "%s", "process-safe");
|
| |
retval = initvalbuf;
|
| |
- } else if (*value == SLAPI_OFF) {
|
| |
+ } else if (*value == SLAPI_WARN_UNSAFE) {
|
| |
+ PR_snprintf(initvalbuf, initvalbufsize, "%s", "warn-invalid");
|
| |
+ retval = initvalbuf;
|
| |
+ } else if (*value == SLAPI_OFF_UNSAFE) {
|
| |
PR_snprintf(initvalbuf, initvalbufsize, "%s", "off");
|
| |
retval = initvalbuf;
|
| |
}
|
| |
@@ -7680,7 +7683,7 @@
|
| |
}
|
| |
|
| |
static int32_t
|
| |
- config_set_onoffwarn(slapdFrontendConfig_t *slapdFrontendConfig, slapi_onwarnoff_t *target, const char *attrname, char *value, char *errorbuf, int apply) {
|
| |
+ config_set_specialfilterverify(slapdFrontendConfig_t *slapdFrontendConfig, slapi_special_filter_verify_t *target, const char *attrname, char *value, char *errorbuf, int apply) {
|
| |
if (target == NULL) {
|
| |
return LDAP_OPERATIONS_ERROR;
|
| |
}
|
| |
@@ -7689,17 +7692,25 @@
|
| |
return LDAP_OPERATIONS_ERROR;
|
| |
}
|
| |
|
| |
- slapi_onwarnoff_t p_val = SLAPI_OFF;
|
| |
+ slapi_special_filter_verify_t p_val = SLAPI_WARN_SAFE;
|
| |
|
| |
+ /* on/warn/off retained for legacy reasons due to wbrown making terrible mistakes :( :( */
|
| |
if (strcasecmp(value, "on") == 0) {
|
| |
- p_val = SLAPI_ON;
|
| |
+ p_val = SLAPI_STRICT;
|
| |
} else if (strcasecmp(value, "warn") == 0) {
|
| |
- p_val = SLAPI_WARN;
|
| |
+ p_val = SLAPI_WARN_SAFE;
|
| |
+ /* The new fixed/descriptive names */
|
| |
+ } else if (strcasecmp(value, "reject-invalid") == 0) {
|
| |
+ p_val = SLAPI_STRICT;
|
| |
+ } else if (strcasecmp(value, "process-safe") == 0) {
|
| |
+ p_val = SLAPI_WARN_SAFE;
|
| |
+ } else if (strcasecmp(value, "warn-invalid") == 0) {
|
| |
+ p_val = SLAPI_WARN_UNSAFE;
|
| |
} else if (strcasecmp(value, "off") == 0) {
|
| |
- p_val = SLAPI_OFF;
|
| |
+ p_val = SLAPI_OFF_UNSAFE;
|
| |
} else {
|
| |
slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
|
| |
- "%s: invalid value \"%s\". Valid values are \"on\", \"warn\" or \"off\".", attrname, value);
|
| |
+ "%s: invalid value \"%s\". Valid values are \"reject-invalid\", \"process-safe\", \"warn-invalid\" or \"off\". If in doubt, choose \"process-safe\"", attrname, value);
|
| |
return LDAP_OPERATIONS_ERROR;
|
| |
}
|
| |
|
| |
@@ -7718,14 +7729,14 @@
|
| |
int32_t
|
| |
config_set_verify_filter_schema(const char *attrname, char *value, char *errorbuf, int apply) {
|
| |
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
|
| |
- slapi_onwarnoff_t *target = &(slapdFrontendConfig->verify_filter_schema);
|
| |
- return config_set_onoffwarn(slapdFrontendConfig, target, attrname, value, errorbuf, apply);
|
| |
+ slapi_special_filter_verify_t *target = &(slapdFrontendConfig->verify_filter_schema);
|
| |
+ return config_set_specialfilterverify(slapdFrontendConfig, target, attrname, value, errorbuf, apply);
|
| |
}
|
| |
|
| |
Slapi_Filter_Policy
|
| |
config_get_verify_filter_schema()
|
| |
{
|
| |
- slapi_onwarnoff_t retVal;
|
| |
+ slapi_special_filter_verify_t retVal;
|
| |
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
|
| |
CFG_LOCK_READ(slapdFrontendConfig);
|
| |
retVal = slapdFrontendConfig->verify_filter_schema;
|
| |
@@ -7733,10 +7744,13 @@
|
| |
|
| |
/* Now map this to a policy that the fns understand. */
|
| |
switch (retVal) {
|
| |
- case SLAPI_ON:
|
| |
+ case SLAPI_STRICT:
|
| |
return FILTER_POLICY_STRICT;
|
| |
break;
|
| |
- case SLAPI_WARN:
|
| |
+ case SLAPI_WARN_SAFE:
|
| |
+ return FILTER_POLICY_PROTECT;
|
| |
+ break;
|
| |
+ case SLAPI_WARN_UNSAFE:
|
| |
return FILTER_POLICY_WARNING;
|
| |
break;
|
| |
default:
|
| |
@@ -7794,8 +7808,8 @@
|
| |
void *initval = cgas->initvalue;
|
| |
if (cgas->config_var_type == CONFIG_ON_OFF) {
|
| |
initval = (void *)config_initvalue_to_onoff(cgas, initvalbuf, sizeof(initvalbuf));
|
| |
- } else if (cgas->config_var_type == CONFIG_ON_OFF_WARN) {
|
| |
- initval = (void *)config_initvalue_to_onwarnoff(cgas, initvalbuf, sizeof(initvalbuf));
|
| |
+ } else if (cgas->config_var_type == CONFIG_SPECIAL_FILTER_VERIFY) {
|
| |
+ initval = (void *)config_initvalue_to_special_filter_verify(cgas, initvalbuf, sizeof(initvalbuf));
|
| |
}
|
| |
if (cgas->setfunc) {
|
| |
retval = (cgas->setfunc)(cgas->attr_name, initval, errorbuf, apply);
|
| |
@@ -8021,20 +8035,24 @@
|
| |
|
| |
break;
|
| |
|
| |
- case CONFIG_ON_OFF_WARN:
|
| |
+ case CONFIG_SPECIAL_FILTER_VERIFY:
|
| |
/* Is this the right default here? */
|
| |
if (!value) {
|
| |
- slapi_entry_attr_set_charptr(e, cgas->attr_name, "off");
|
| |
+ slapi_entry_attr_set_charptr(e, cgas->attr_name, "process-safe");
|
| |
break;
|
| |
}
|
| |
|
| |
- if (*((slapi_onwarnoff_t *)value) == SLAPI_ON) {
|
| |
- slapi_entry_attr_set_charptr(e, cgas->attr_name, "on");
|
| |
- } else if (*((slapi_onwarnoff_t *)value) == SLAPI_WARN) {
|
| |
- slapi_entry_attr_set_charptr(e, cgas->attr_name, "warn");
|
| |
- } else {
|
| |
+ if (*((slapi_special_filter_verify_t *)value) == SLAPI_STRICT) {
|
| |
+ slapi_entry_attr_set_charptr(e, cgas->attr_name, "reject-invalid");
|
| |
+ } else if (*((slapi_special_filter_verify_t *)value) == SLAPI_WARN_SAFE) {
|
| |
+ slapi_entry_attr_set_charptr(e, cgas->attr_name, "process-safe");
|
| |
+ } else if (*((slapi_special_filter_verify_t *)value) == SLAPI_WARN_UNSAFE) {
|
| |
+ slapi_entry_attr_set_charptr(e, cgas->attr_name, "warn-invalid");
|
| |
+ } else if (*((slapi_special_filter_verify_t *)value) == SLAPI_OFF_UNSAFE) {
|
| |
slapi_entry_attr_set_charptr(e, cgas->attr_name, "off");
|
| |
- /* Default to off. */
|
| |
+ } else {
|
| |
+ /* Default to safe warn-proccess-safely */
|
| |
+ slapi_entry_attr_set_charptr(e, cgas->attr_name, "process-safe");
|
| |
}
|
| |
|
| |
break;
|
| |
Bug Description: Because William of the past missed (forgot) to make
some agreed upon changes, we shipped the feature for filter validation
in a state that was a bit unclear for users.
Fix Description: Fix the options to now be clearer in what is
expected/demaned from admins. We now have 4 possible states for
the value of the config:
These behave as:
the missing attribute for RFC4511 compliance.
as ALLIDS (the legacy behaviour)
The default is "warn-process-safely".
https://pagure.io/389-ds-base/issue/50727
Author: William Brown william@blackhats.net.au
Review by: ???