From a642e9566afa4833b71e14852ac469710097c5a3 Mon Sep 17 00:00:00 2001 Message-Id: From: Philipp Hahn Date: Thu, 2 Jul 2015 13:57:40 +0000 Subject: [PATCH] Issue #2387: Add Listener cache filter Organization: Univention GmbH, Bremen, Germany Add UCRV "listener/cache/filter" to prevent certain LDAP objects from being stored in the local Listener cache. Beware: Certain functionality like moving objects will work reliable for those objects, so be careful on which objects get black-listed. git-svn-id: svn+in8://mail.univention.de/var/univention/svn/dev@3578 ae5adf9b-a26c-40de-88c9-2f0554b1ae1e --- univention-directory-listener/debian/changelog | 6 ++++++ ...y-listener.univention-config-registry-variables | 6 ++++++ univention-directory-listener/src/Makefile | 4 ++-- univention-directory-listener/src/cache.c | 22 ++++++++++++++++++++++ univention-directory-listener/src/handlers.c | 4 ++-- univention-directory-listener/src/utils.h | 5 +++++ 6 files changed, 43 insertions(+), 4 deletions(-) diff --git a/univention-directory-listener/debian/changelog b/univention-directory-listener/debian/changelog index 14b45b1..167ffe1 100644 --- a/univention-directory-listener/debian/changelog +++ b/univention-directory-listener/debian/changelog @@ -1,3 +1,9 @@ +univention-directory-listener (12.0.1-12) unstable; urgency=low + + * Issue #2387: Implement local cache filter + + -- Philipp Hahn Wed, 01 Jul 2015 17:07:10 +0200 + univention-directory-listener (12.0.1-11) unstable; urgency=low * create /etc/ldap/rootpw.conf if missing diff --git a/univention-directory-listener/debian/univention-directory-listener.univention-config-registry-variables b/univention-directory-listener/debian/univention-directory-listener.univention-config-registry-variables index 6e6d8dc..8bc1586 100644 --- a/univention-directory-listener/debian/univention-directory-listener.univention-config-registry-variables 
+++ b/univention-directory-listener/debian/univention-directory-listener.univention-config-registry-variables @@ -27,3 +27,9 @@ Description[de]=Ist diese Variable auf 'yes' gesetzt, führt der Univention Dire Description[en]=If this variable is set to 'yes', the Univention Directory Listener performs consistency checks to prevent a user name being added into a group multiple times. These checks can be deactivated by setting the variables 'listener/memberuid/skip' and 'listener/uniquemember/skip' to 'no'. Type=str Categories=service-ln + +[listener/cache/filter] +Description[de]=LDAP filter string, um das lokale Cachen zu verhindern. +Description[en]=LDAP filter string to prevent local caching +Type=str +Categories=service-ln diff --git a/univention-directory-listener/src/Makefile b/univention-directory-listener/src/Makefile index 06dacd8..45482de 100644 --- a/univention-directory-listener/src/Makefile +++ b/univention-directory-listener/src/Makefile @@ -32,12 +32,12 @@ CC=gcc DB_LDADD=-ldb3 DB_CFLAGS=-I/usr/include/db3 -DWITH_DB3 -DB_OBJS=cache.o cache_entry.o cache_lowlevel.o base64.o +DB_OBJS=cache.o cache_entry.o cache_lowlevel.o base64.o filter.o CFLAGS=-g -Wall -Werror -D_FILE_OFFSET_BITS=64 $(DB_CFLAGS) LDADD=-g -luniventiondebug LISTENER_LDADD=$(LDADD) -luniventionpolicy -lldap -lpython2.6 $(DB_LDADD) -LISTENER_OBJS=main.o notifier.o transfile.o handlers.o cache.o cache_entry.o cache_lowlevel.o change.o network.o filter.o signals.o base64.o select_server.o +LISTENER_OBJS=main.o notifier.o transfile.o handlers.o change.o network.o signals.o select_server.o $(DB_OBJS) DUMP_LDADD=$(LDADD) -lldap -luniventionconfig $(DB_LDADD) DUMP_OBJS=dump.o dump_signals.o $(DB_OBJS) DEMO_LDADD=$(LDADD) -luniventionconfig diff --git a/univention-directory-listener/src/cache.c b/univention-directory-listener/src/cache.c index 3e2d514..329728e 100644 --- a/univention-directory-listener/src/cache.c +++ b/univention-directory-listener/src/cache.c 
@@ -71,6 +71,7 @@ #include #include +#include #include "common.h" #include "cache.h" @@ -78,6 +79,8 @@ #include "cache_entry.h" #include "network.h" #include "signals.h" +#include "filter.h" +#include "utils.h" #define MASTER_KEY "__master__" #define MASTER_KEY_SIZE (sizeof MASTER_KEY) @@ -94,6 +97,20 @@ DB_ENV *dbenvp; #endif static FILE *lock_fp=NULL; +static struct filter cache_filter; +static struct filter *cache_filters[] = {&cache_filter, NULL}; + +static void setup_cache_filter(void) { + cache_filter.filter = univention_config_get_string("listener/cache/filter"); + if (cache_filter.filter && cache_filter.filter[0]) { + cache_filter.base = univention_config_get_string("ldap/base"); + cache_filter.scope = LDAP_SCOPE_SUBTREE; + } else { + FREE(cache_filter.filter); + FREE(cache_filter.base); + } +} + #ifdef WITH_DB42 static void cache_panic_call(DB_ENV *dbenvp, int errval) { @@ -192,6 +209,7 @@ int cache_init(void) } dbp->set_errcall(dbp, cache_error_message); #endif + setup_cache_filter(); return 0; } @@ -429,6 +447,10 @@ int cache_update_entry_lower(NotifierID id, char *dn, CacheEntry *entry) char *lower_dn; int rv = 0; + /* IN8 Issue 2387: Skip caching certain entries matching LDAP filter */ + if (cache_filter.filter && cache_entry_ldap_filter_match(cache_filters, dn, entry)) + return rv; + lower_dn = _convert_to_lower(dn); rv = cache_update_entry(id, lower_dn, entry); diff --git a/univention-directory-listener/src/handlers.c b/univention-directory-listener/src/handlers.c index 12df56e..405ca66 100644 --- a/univention-directory-listener/src/handlers.c +++ b/univention-directory-listener/src/handlers.c @@ -88,7 +88,7 @@ static PyObject* module_import(char *filename) namep = strrchr(filename, '.'); if ((namep != NULL) && (strcmp(namep, ".pyo") == 0)) { - long magic; + __attribute__((unused)) long magic; magic = PyMarshal_ReadLongFromFile(fp); /* we should probably check the magic here */ 
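Review bot: In setup_cache_filter() the result of `univention_config_get_string("ldap/base")` is stored without a NULL check, so a configured filter with an unset base leaves `cache_filter.base` NULL while `cache_filter.filter` still enables matching in cache_update_entry_lower(). Whether cache_entry_ldap_filter_match() tolerates a NULL base is not visible here; I would disable the filter in that case, e.g. `if (!cache_filter.base) { FREE(cache_filter.filter); }`. The function also overwrites both pointers on every call, which would leak the previous strings if cache_init() can run more than once (assuming the returned strings are heap-allocated, as the FREE() calls in the else branch suggest). A log line stating the active filter would let operators see that objects are deliberately being kept out of the cache.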
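Review bot: The early `return rv;` in cache_update_entry_lower() skips the write but leaves any copy of the entry that is already in the cache, so an object cached before the filter was configured, or one that only starts matching after a modification, keeps a stale record. Later lookups would presumably treat those outdated attributes as the object's old state. Consider removing the existing entry for the lower-cased DN when the filter matches, and add a comment such as `/* filtered entries return 0 (success) but are never stored */` so callers know that 0 does not imply the entry is cached. The function body continues outside the hunk.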
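Review bot: `__attribute__((unused))` on `magic` in module_import() silences the set-but-unused warning instead of doing the check that the comment below it asks for, so a `.pyo` file with a mismatched magic number is presumably still passed on to be loaded. Comparing the value with the interpreter's own, e.g. `if (magic != PyImport_GetMagicNumber()) { fclose(fp); return NULL; }`, would reject stale or foreign bytecode before it is unmarshalled. The same attribute on `rv` in handlers_set_data_all() likewise hides a result that is never used rather than returning or dropping it. Both function bodies extend beyond their hunks, so the exact cleanup path should be confirmed against the full file.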
@@ -936,7 +936,7 @@ int handlers_set_data_all(char *key, char *value) { Handler *handler; PyObject *argtuple; - int rv = 1; + __attribute__((unused)) int rv = 1; univention_debug(UV_DEBUG_LISTENER, UV_DEBUG_INFO, "setting data for all handlers: key=%s value=%s", key, strcmp("bindpw", key) ? value : ""); diff --git a/univention-directory-listener/src/utils.h b/univention-directory-listener/src/utils.h index bd18d39..e59b58f 100644 --- a/univention-directory-listener/src/utils.h +++ b/univention-directory-listener/src/utils.h @@ -4,6 +4,11 @@ #include +#define FREE(ptr) \ + free(ptr); \ + ptr = NULL; + + static inline bool BERSTREQ(const struct berval *ber, const char *str, size_t len) { return ber->bv_len == len && memcmp(ber->bv_val, str, len) == 0; } -- 1.9.1
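Review bot: The new FREE() macro in utils.h expands to two bare statements, so `if (cond) FREE(p);` would run `p = NULL` unconditionally and `if (c) FREE(p); else ...` would not compile; the use in setup_cache_filter() is only safe because it sits inside braces. Wrap it in the usual form and parenthesize the argument: `#define FREE(ptr) do { free(ptr); (ptr) = NULL; } while (0)`. The macro also relies on `free()` being declared; the header's include line is not legible here, so confirm that `<stdlib.h>` is pulled in.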