
Bug 329751 - "nested" filtered roles searches candidates more
than needed

https://bugzilla.redhat.com/show_bug.cgi?id=329751

Bug Description: If nsRoleFilter in nsRoleDefinition contains
virtual attributes in the filter AND the attribute type is
not indexed, following searches could go into a loop starting
from slapi_vattr_filter_test. On the other hand, if the
attribute type is indexed, the nsRoleDefinition is ignored.
The server does not support virtual attributes for nsRoleFilter,
but it was not checked. This patch tries to detect such an invalid
role definition and issues an error. Note: the check cannot detect
the case where nsRoleFilter is already in the db, and a CoS is then added
defining an attribute in the nsRoleFilter as a virtual attribute.

Noriko Hosoi 15 жил өмнө
parent
commit
9fa6ff7820

+ 7 - 9
ldap/servers/plugins/cos/cos_cache.c

@@ -1034,12 +1034,14 @@ static int 	cos_dn_defs_cb (Slapi_Entry* e, void *callback_data) {
 				 * Don't reset info->ret....it keeps track of any success
 				*/
 				if ( rc == COS_DEF_ERROR_NO_TEMPLATES) {
-					LDAPDebug(LDAP_DEBUG_ANY, "skipping cos definition %s"
-							"--no templates found\n",
-							escape_string(pTmpDn, ebuf),0,0);
+					LDAPDebug(LDAP_DEBUG_ANY, "Skipping CoS Definition %s"
+						"--no CoS Templates found, "
+						"which should be added before the CoS Definition.\n",
+						escape_string(pTmpDn, ebuf), 0, 0);
 				} else {
-					LDAPDebug(LDAP_DEBUG_ANY, "skipping cos definition %s\n"
-								,escape_string(pTmpDn, ebuf),0,0);
+					LDAPDebug(LDAP_DEBUG_ANY, "Skipping CoS Definition %s\n"
+						"--error(%d)\n",
+						escape_string(pTmpDn, ebuf), rc, 0);
 				}
 			}
 			
@@ -2441,10 +2443,6 @@ static int cos_cache_query_attr(cos_cache *ptheCache, vattr_context *context, Sl
 						/* MAB: We need to free actual_type_name here !!! 
 						XXX BAD--should use slapi_vattr_values_free() */	
 						slapi_ch_free((void **) &actual_type_name);
-						if (SLAPI_VIRTUALATTRS_LOOP_DETECTED == ret) {
-							ret = LDAP_UNWILLING_TO_PERFORM;
-							goto bail;
-						}
 					}
 
 					if(pAttrSpecs || pDef->cosType == COSTYPE_POINTER)
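Review bot: The second hunk (@@ -2441) drops the only visible handling of `SLAPI_VIRTUALATTRS_LOOP_DETECTED` in `cos_cache_query_attr`, so a loop reported by the vattr layer now falls through into the `pAttrSpecs` branch with `ret` still set, and nothing in the hunk says what is expected to happen instead; a one-line comment such as `/* a vattr loop is reported and bounded by vattr.c; don't abort the query here */` would record the intent. If this `goto bail` was the only jump to `bail:` in the function, the label is now unused and the compiler will warn about it, so please check that it has another user. The enclosing function starts and ends outside the hunk.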

+ 43 - 0
ldap/servers/plugins/roles/roles_cache.c

@@ -1176,6 +1176,8 @@ static int roles_cache_create_object_from_entry(Slapi_Entry *role_entry, role_ob
 
 			Slapi_Filter *filter = NULL;
 			char *filter_attr_value = NULL;
+			Slapi_PBlock *pb = NULL;
+			char *parent = NULL;
 
 			/* Get the filter and retrieve the filter attribute */
 			filter_attr_value = slapi_entry_attr_get_charptr(role_entry,ROLE_FILTER_ATTR_NAME);
@@ -1185,6 +1187,47 @@ static int roles_cache_create_object_from_entry(Slapi_Entry *role_entry, role_ob
 				slapi_ch_free((void**)&this_role);
 				return SLAPI_ROLE_ERROR_NO_FILTER_SPECIFIED;
 			}
+			/* search (&(objectclass=costemplate)(filter_attr_value))*/
+			/* if found, reject it (returning SLAPI_ROLE_ERROR_FILTER_BAD) */
+			pb = slapi_pblock_new();
+			parent = slapi_dn_parent(slapi_entry_get_dn(role_entry));
+			if (parent) {
+				Slapi_Entry **cosentries = NULL;
+				char *costmpl_filter = NULL;
+				if ((*filter_attr_value == '(') &&
+				    (*(filter_attr_value+strlen(filter_attr_value)-1) == ')')) {
+					costmpl_filter =
+					      slapi_ch_smprintf("(&(objectclass=costemplate)%s)", 
+					                        filter_attr_value);
+				} else {
+					costmpl_filter =
+					      slapi_ch_smprintf("(&(objectclass=costemplate)(%s))", 
+					                        filter_attr_value);
+				}
+				slapi_search_internal_set_pb(pb, parent, LDAP_SCOPE_SUBTREE,
+				                             costmpl_filter, NULL, 0, NULL, 
+				                             NULL, roles_get_plugin_identity(),
+				                             0);
+				slapi_search_internal_pb(pb);
+				slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, 
+				                 &cosentries);
+				slapi_ch_free_string(&costmpl_filter);
+				slapi_ch_free_string(&parent);
+				if (cosentries && *cosentries) {
+					slapi_free_search_results_internal(pb);
+					slapi_pblock_destroy(pb);
+					slapi_log_error(SLAPI_LOG_FATAL, ROLES_PLUGIN_SUBSYSTEM,
+					    "%s: not allowed to refer virtual attribute "
+					    "in the value of %s %s. The %s is disabled.\n",
+					    (char*)slapi_sdn_get_ndn(this_role->dn),
+					    ROLE_FILTER_ATTR_NAME, filter_attr_value,
+					    ROLE_FILTER_ATTR_NAME);
+					slapi_ch_free((void**)&this_role);
+					return SLAPI_ROLE_ERROR_FILTER_BAD;
+				}
+			}
+			slapi_free_search_results_internal(pb);
+			slapi_pblock_destroy(pb);
 
 			/* Turn it into a slapi filter object */
 			filter = slapi_str2filter(filter_attr_value);
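Review bot: The new rejection path at the `cosentries && *cosentries` branch frees `this_role` but not `filter_attr_value`, which `slapi_entry_attr_get_charptr` hands back as an allocated copy owned by the caller, so every rejected role definition leaks its filter string; add `slapi_ch_free_string(&filter_attr_value);` before `slapi_ch_free((void**)&this_role);`. The pblock is created unconditionally even when `slapi_dn_parent` returns NULL and is then passed to `slapi_free_search_results_internal` without a search having run; that is presumably harmless, but moving `slapi_pblock_new()` inside the `if (parent)` block would make the resource lifetime match its use. The check is a heuristic (it only sees CoS templates under the role's parent that happen to satisfy the role filter), which a comment on the `/* search (&(objectclass=costemplate)(filter_attr_value))*/` line should say explicitly. The enclosing function `roles_cache_create_object_from_entry` starts and ends outside the hunk.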

+ 6 - 3
ldap/servers/slapd/vattr.c

@@ -102,7 +102,7 @@ struct _vattr_context {
 	unsigned int vattr_context_loop_count;
 	unsigned int error_displayed;
 };
-#define VATTR_LOOP_COUNT_MAX 256
+#define VATTR_LOOP_COUNT_MAX 50
 
 typedef  vattr_sp_handle vattr_sp_handle_list;
 
@@ -1082,8 +1082,11 @@ int slapi_vattr_namespace_value_compare_sp(vattr_context *c,/* Entry we're inter
 
 	rc = vattr_context_grok(&c);
 	if (0 != rc) {
-		/* Print a handy error log message */
-		LDAPDebug(LDAP_DEBUG_ANY,"Detected virtual attribute loop in compare on entry %s, attribute %s\n", slapi_entry_get_dn_const(e), type, 0);
+		if(!vattr_context_is_loop_msg_displayed(&c)) {
+			/* Print a handy error log message */
+			LDAPDebug(LDAP_DEBUG_ANY,"Detected virtual attribute loop in compare on entry %s, attribute %s\n", slapi_entry_get_dn_const(e), type, 0);
+			vattr_context_set_loop_msg_displayed(&c);
+		}
 		return rc;
 	}