1 /* filter.c - routines for parsing and dealing with filters */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 1998-2018 The OpenLDAP Foundation.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
16 /* Portions Copyright (c) 1995 Regents of the University of Michigan.
17 * All rights reserved.
19 * Redistribution and use in source and binary forms are permitted
20 * provided that this notice is preserved and that due credit is given
21 * to the University of Michigan at Ann Arbor. The name of the University
22 * may not be used to endorse or promote products derived from this
23 * software without specific prior written permission. This software
24 * is provided ``as is'' without express or implied warranty.
31 #include <ac/socket.h>
32 #include <ac/string.h>
37 const Filter *slap_filter_objectClass_pres;
38 const struct berval *slap_filterstr_objectClass_pres;
40 static int get_filter_list(
52 static void simple_vrFilter2bv(
54 ValuesReturnFilter *f,
55 struct berval *fstr );
57 static int get_simple_vrFilter(
60 ValuesReturnFilter **f,
66 static Filter filter_objectClass_pres = { LDAP_FILTER_PRESENT };
67 static struct berval filterstr_objectClass_pres = BER_BVC("(objectClass=*)");
69 filter_objectClass_pres.f_desc = slap_schema.si_ad_objectClass;
71 slap_filter_objectClass_pres = &filter_objectClass_pres;
72 slap_filterstr_objectClass_pres = &filterstr_objectClass_pres;
78 filter_destroy( void )
95 Debug( LDAP_DEBUG_FILTER, "begin get_filter\n", 0, 0, 0 );
97 * A filter looks like this coming in:
99 * and [0] SET OF Filter,
100 * or [1] SET OF Filter,
102 * equalityMatch [3] AttributeValueAssertion,
103 * substrings [4] SubstringFilter,
104 * greaterOrEqual [5] AttributeValueAssertion,
105 * lessOrEqual [6] AttributeValueAssertion,
106 * present [7] AttributeType,
107 * approxMatch [8] AttributeValueAssertion,
108 * extensibleMatch [9] MatchingRuleAssertion
111 * SubstringFilter ::= SEQUENCE {
112 * type AttributeType,
113 * SEQUENCE OF CHOICE {
114 * initial [0] IA5String,
116 * final [2] IA5String
120 * MatchingRuleAssertion ::= SEQUENCE {
121 * matchingRule [1] MatchingRuleId OPTIONAL,
122 * type [2] AttributeDescription OPTIONAL,
123 * matchValue [3] AssertionValue,
124 * dnAttributes [4] BOOLEAN DEFAULT FALSE
129 tag = ber_peek_tag( ber, &len );
131 if( tag == LBER_ERROR ) {
132 *text = "error decoding filter";
133 return SLAPD_DISCONNECT;
141 switch ( f.f_choice ) {
142 case LDAP_FILTER_EQUALITY:
143 Debug( LDAP_DEBUG_FILTER, "EQUALITY\n", 0, 0, 0 );
144 err = get_ava( op, ber, &f, SLAP_MR_EQUALITY, text );
145 if ( err != LDAP_SUCCESS ) {
149 assert( f.f_ava != NULL );
152 case LDAP_FILTER_SUBSTRINGS:
153 Debug( LDAP_DEBUG_FILTER, "SUBSTRINGS\n", 0, 0, 0 );
154 err = get_ssa( op, ber, &f, text );
155 if( err != LDAP_SUCCESS ) {
158 assert( f.f_sub != NULL );
162 Debug( LDAP_DEBUG_FILTER, "GE\n", 0, 0, 0 );
163 err = get_ava( op, ber, &f, SLAP_MR_ORDERING, text );
164 if ( err != LDAP_SUCCESS ) {
167 assert( f.f_ava != NULL );
171 Debug( LDAP_DEBUG_FILTER, "LE\n", 0, 0, 0 );
172 err = get_ava( op, ber, &f, SLAP_MR_ORDERING, text );
173 if ( err != LDAP_SUCCESS ) {
176 assert( f.f_ava != NULL );
179 case LDAP_FILTER_PRESENT: {
182 Debug( LDAP_DEBUG_FILTER, "PRESENT\n", 0, 0, 0 );
183 if ( ber_scanf( ber, "m", &type ) == LBER_ERROR ) {
184 err = SLAPD_DISCONNECT;
185 *text = "error decoding filter";
190 err = slap_bv2ad( &type, &f.f_desc, text );
192 if( err != LDAP_SUCCESS ) {
193 f.f_choice |= SLAPD_FILTER_UNDEFINED;
194 err = slap_bv2undef_ad( &type, &f.f_desc, text,
195 SLAP_AD_PROXIED|SLAP_AD_NOINSERT );
197 if ( err != LDAP_SUCCESS ) {
198 /* unrecognized attribute description or other error */
199 Debug( LDAP_DEBUG_ANY,
200 "get_filter: conn %lu unknown attribute "
202 op->o_connid, type.bv_val, err );
205 f.f_desc = slap_bv2tmp_ad( &type, op->o_tmpmemctx );
210 assert( f.f_desc != NULL );
213 case LDAP_FILTER_APPROX:
214 Debug( LDAP_DEBUG_FILTER, "APPROX\n", 0, 0, 0 );
215 err = get_ava( op, ber, &f, SLAP_MR_EQUALITY_APPROX, text );
216 if ( err != LDAP_SUCCESS ) {
219 assert( f.f_ava != NULL );
222 case LDAP_FILTER_AND:
223 Debug( LDAP_DEBUG_FILTER, "AND\n", 0, 0, 0 );
224 err = get_filter_list( op, ber, &f.f_and, text );
225 if ( err != LDAP_SUCCESS ) {
228 if ( f.f_and == NULL ) {
229 f.f_choice = SLAPD_FILTER_COMPUTED;
230 f.f_result = LDAP_COMPARE_TRUE;
232 /* no assert - list could be empty */
236 Debug( LDAP_DEBUG_FILTER, "OR\n", 0, 0, 0 );
237 err = get_filter_list( op, ber, &f.f_or, text );
238 if ( err != LDAP_SUCCESS ) {
241 if ( f.f_or == NULL ) {
242 f.f_choice = SLAPD_FILTER_COMPUTED;
243 f.f_result = LDAP_COMPARE_FALSE;
245 /* no assert - list could be empty */
248 case LDAP_FILTER_NOT:
249 Debug( LDAP_DEBUG_FILTER, "NOT\n", 0, 0, 0 );
250 (void) ber_skip_tag( ber, &len );
251 err = get_filter( op, ber, &f.f_not, text );
252 if ( err != LDAP_SUCCESS ) {
256 assert( f.f_not != NULL );
257 if ( f.f_not->f_choice == SLAPD_FILTER_COMPUTED ) {
258 int fresult = f.f_not->f_result;
259 f.f_choice = SLAPD_FILTER_COMPUTED;
260 op->o_tmpfree( f.f_not, op->o_tmpmemctx );
264 case LDAP_COMPARE_TRUE:
265 f.f_result = LDAP_COMPARE_FALSE;
267 case LDAP_COMPARE_FALSE:
268 f.f_result = LDAP_COMPARE_TRUE;
271 /* (!Undefined) is Undefined */
276 case LDAP_FILTER_EXT:
277 Debug( LDAP_DEBUG_FILTER, "EXTENSIBLE\n", 0, 0, 0 );
279 err = get_mra( op, ber, &f, text );
280 if ( err != LDAP_SUCCESS ) {
284 assert( f.f_mra != NULL );
288 (void) ber_scanf( ber, "x" ); /* skip the element */
289 Debug( LDAP_DEBUG_ANY, "get_filter: unknown filter type=%lu\n",
291 f.f_choice = SLAPD_FILTER_COMPUTED;
292 f.f_result = SLAPD_COMPARE_UNDEFINED;
296 if( err != LDAP_SUCCESS && err != SLAPD_DISCONNECT ) {
299 f.f_choice = SLAPD_FILTER_COMPUTED;
300 f.f_result = SLAPD_COMPARE_UNDEFINED;
304 if ( err == LDAP_SUCCESS ) {
305 *filt = op->o_tmpalloc( sizeof(f), op->o_tmpmemctx );
309 Debug( LDAP_DEBUG_FILTER, "end get_filter %d\n", err, 0, 0 );
315 get_filter_list( Operation *op, BerElement *ber,
325 Debug( LDAP_DEBUG_FILTER, "begin get_filter_list\n", 0, 0, 0 );
327 for ( tag = ber_first_element( ber, &len, &last );
329 tag = ber_next_element( ber, &len, last ) )
331 err = get_filter( op, ber, new, text );
332 if ( err != LDAP_SUCCESS )
334 new = &(*new)->f_next;
338 Debug( LDAP_DEBUG_FILTER, "end get_filter_list\n", 0, 0, 0 );
339 return( LDAP_SUCCESS );
352 struct berval desc, value, nvalue;
354 SubstringsAssertion ssa;
356 *text = "error decoding filter";
358 Debug( LDAP_DEBUG_FILTER, "begin get_ssa\n", 0, 0, 0 );
359 if ( ber_scanf( ber, "{m" /*}*/, &desc ) == LBER_ERROR ) {
360 return SLAPD_DISCONNECT;
366 ssa.sa_initial.bv_val = NULL;
368 ssa.sa_final.bv_val = NULL;
370 rc = slap_bv2ad( &desc, &ssa.sa_desc, text );
372 if( rc != LDAP_SUCCESS ) {
373 f->f_choice |= SLAPD_FILTER_UNDEFINED;
374 rc = slap_bv2undef_ad( &desc, &ssa.sa_desc, text,
375 SLAP_AD_PROXIED|SLAP_AD_NOINSERT );
377 if( rc != LDAP_SUCCESS ) {
378 Debug( LDAP_DEBUG_ANY,
379 "get_ssa: conn %lu unknown attribute type=%s (%ld)\n",
380 op->o_connid, desc.bv_val, (long) rc );
382 ssa.sa_desc = slap_bv2tmp_ad( &desc, op->o_tmpmemctx );
386 rc = LDAP_PROTOCOL_ERROR;
388 /* If there is no substring matching rule, there's nothing
389 * we can do with this filter. But we continue to parse it
390 * for logging purposes.
392 if ( ssa.sa_desc->ad_type->sat_substr == NULL ) {
393 f->f_choice |= SLAPD_FILTER_UNDEFINED;
394 Debug( LDAP_DEBUG_FILTER,
395 "get_ssa: no substring matching rule for attributeType %s\n",
399 for ( tag = ber_first_element( ber, &len, &last );
401 tag = ber_next_element( ber, &len, last ) )
405 if ( ber_scanf( ber, "m", &value ) == LBER_ERROR ) {
406 rc = SLAPD_DISCONNECT;
410 if ( value.bv_val == NULL || value.bv_len == 0 ) {
411 rc = LDAP_INVALID_SYNTAX;
416 case LDAP_SUBSTRING_INITIAL:
417 if ( ssa.sa_initial.bv_val != NULL
418 || ssa.sa_any != NULL
419 || ssa.sa_final.bv_val != NULL )
421 rc = LDAP_PROTOCOL_ERROR;
424 usage = SLAP_MR_SUBSTR_INITIAL;
427 case LDAP_SUBSTRING_ANY:
428 if ( ssa.sa_final.bv_val != NULL ) {
429 rc = LDAP_PROTOCOL_ERROR;
432 usage = SLAP_MR_SUBSTR_ANY;
435 case LDAP_SUBSTRING_FINAL:
436 if ( ssa.sa_final.bv_val != NULL ) {
437 rc = LDAP_PROTOCOL_ERROR;
441 usage = SLAP_MR_SUBSTR_FINAL;
445 Debug( LDAP_DEBUG_FILTER,
446 " unknown substring choice=%ld\n",
449 rc = LDAP_PROTOCOL_ERROR;
453 /* validate/normalize using equality matching rule validator! */
454 rc = asserted_value_validate_normalize(
455 ssa.sa_desc, ssa.sa_desc->ad_type->sat_equality,
456 usage, &value, &nvalue, text, op->o_tmpmemctx );
457 if( rc != LDAP_SUCCESS ) {
458 f->f_choice |= SLAPD_FILTER_UNDEFINED;
459 Debug( LDAP_DEBUG_FILTER,
460 "get_ssa: illegal value for attributeType %s (%d) %s\n",
461 desc.bv_val, rc, *text );
462 ber_dupbv_x( &nvalue, &value, op->o_tmpmemctx );
466 case LDAP_SUBSTRING_INITIAL:
467 Debug( LDAP_DEBUG_FILTER, " INITIAL\n", 0, 0, 0 );
468 ssa.sa_initial = nvalue;
471 case LDAP_SUBSTRING_ANY:
472 Debug( LDAP_DEBUG_FILTER, " ANY\n", 0, 0, 0 );
473 ber_bvarray_add_x( &ssa.sa_any, &nvalue, op->o_tmpmemctx );
476 case LDAP_SUBSTRING_FINAL:
477 Debug( LDAP_DEBUG_FILTER, " FINAL\n", 0, 0, 0 );
478 ssa.sa_final = nvalue;
483 slap_sl_free( nvalue.bv_val, op->o_tmpmemctx );
484 rc = LDAP_PROTOCOL_ERROR;
487 Debug( LDAP_DEBUG_FILTER, " error=%ld\n",
489 slap_sl_free( ssa.sa_initial.bv_val, op->o_tmpmemctx );
490 ber_bvarray_free_x( ssa.sa_any, op->o_tmpmemctx );
491 if ( ssa.sa_desc->ad_flags & SLAP_DESC_TEMPORARY )
492 op->o_tmpfree( ssa.sa_desc, op->o_tmpmemctx );
493 slap_sl_free( ssa.sa_final.bv_val, op->o_tmpmemctx );
501 if( rc == LDAP_SUCCESS ) {
502 f->f_sub = op->o_tmpalloc( sizeof( ssa ), op->o_tmpmemctx );
506 Debug( LDAP_DEBUG_FILTER, "end get_ssa\n", 0, 0, 0 );
507 return rc /* LDAP_SUCCESS */ ;
511 filter_free_x( Operation *op, Filter *f, int freeme )
519 f->f_choice &= SLAPD_FILTER_MASK;
521 switch ( f->f_choice ) {
522 case LDAP_FILTER_PRESENT:
523 if ( f->f_desc->ad_flags & SLAP_DESC_TEMPORARY )
524 op->o_tmpfree( f->f_desc, op->o_tmpmemctx );
527 case LDAP_FILTER_EQUALITY:
530 case LDAP_FILTER_APPROX:
531 ava_free( op, f->f_ava, 1 );
534 case LDAP_FILTER_SUBSTRINGS:
535 if ( f->f_sub_initial.bv_val != NULL ) {
536 op->o_tmpfree( f->f_sub_initial.bv_val, op->o_tmpmemctx );
538 ber_bvarray_free_x( f->f_sub_any, op->o_tmpmemctx );
539 if ( f->f_sub_final.bv_val != NULL ) {
540 op->o_tmpfree( f->f_sub_final.bv_val, op->o_tmpmemctx );
542 if ( f->f_sub->sa_desc->ad_flags & SLAP_DESC_TEMPORARY )
543 op->o_tmpfree( f->f_sub->sa_desc, op->o_tmpmemctx );
544 op->o_tmpfree( f->f_sub, op->o_tmpmemctx );
547 case LDAP_FILTER_AND:
549 case LDAP_FILTER_NOT:
550 for ( p = f->f_list; p != NULL; p = next ) {
552 filter_free_x( op, p, 1 );
556 case LDAP_FILTER_EXT:
557 mra_free( op, f->f_mra, 1 );
560 case SLAPD_FILTER_COMPUTED:
564 Debug( LDAP_DEBUG_ANY, "filter_free: unknown filter type=%lu\n",
570 op->o_tmpfree( f, op->o_tmpmemctx );
575 filter_free( Filter *f )
581 op.o_tmpmemctx = slap_sl_context( f );
582 op.o_tmpmfuncs = &slap_sl_mfuncs;
583 filter_free_x( &op, f, 1 );
587 filter2bv_x( Operation *op, Filter *f, struct berval *fstr )
589 filter2bv_undef_x( op, f, 0, fstr );
593 filter2bv_undef_x( Operation *op, Filter *f, int noundef, struct berval *fstr )
597 struct berval tmp, value;
599 ber_bvfalse = BER_BVC( "(?=false)" ),
600 ber_bvtrue = BER_BVC( "(?=true)" ),
601 ber_bvundefined = BER_BVC( "(?=undefined)" ),
602 ber_bverror = BER_BVC( "(?=error)" ),
603 ber_bvunknown = BER_BVC( "(?=unknown)" ),
604 ber_bvnone = BER_BVC( "(?=none)" ),
605 ber_bvF = BER_BVC( "(|)" ),
606 ber_bvT = BER_BVC( "(&)" );
613 ber_dupbv_x( fstr, &ber_bvnone, op->o_tmpmemctx );
617 undef = f->f_choice & SLAPD_FILTER_UNDEFINED;
618 undef2 = (undef && !noundef);
619 choice = f->f_choice & SLAPD_FILTER_MASK;
622 case LDAP_FILTER_EQUALITY:
623 fstr->bv_len = STRLENOF("(=)");
627 fstr->bv_len = STRLENOF("(>=)");
631 fstr->bv_len = STRLENOF("(<=)");
634 case LDAP_FILTER_APPROX:
635 fstr->bv_len = STRLENOF("(~=)");
639 value = f->f_av_value;
640 if ( f->f_av_desc->ad_type->sat_equality &&
642 ( f->f_av_desc->ad_type->sat_equality->smr_usage & SLAP_MR_MUTATION_NORMALIZER ))
644 f->f_av_desc->ad_type->sat_equality->smr_normalize(
645 (SLAP_MR_DENORMALIZE|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX),
646 NULL, NULL, &f->f_av_value, &value, op->o_tmpmemctx );
649 filter_escape_value_x( &value, &tmp, op->o_tmpmemctx );
650 /* NOTE: tmp can legitimately be NULL (meaning empty)
651 * since in a Filter values in AVAs are supposed
652 * to have been normalized, meaning that an empty value
653 * is legal for that attribute's syntax */
655 fstr->bv_len += f->f_av_desc->ad_cname.bv_len + tmp.bv_len;
658 fstr->bv_val = op->o_tmpalloc( fstr->bv_len + 1, op->o_tmpmemctx );
660 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s%s%s%s)",
662 f->f_av_desc->ad_cname.bv_val, sign,
663 tmp.bv_len ? tmp.bv_val : "" );
665 if ( value.bv_val != f->f_av_value.bv_val ) {
666 ber_memfree_x( value.bv_val, op->o_tmpmemctx );
669 ber_memfree_x( tmp.bv_val, op->o_tmpmemctx );
672 case LDAP_FILTER_SUBSTRINGS:
673 fstr->bv_len = f->f_sub_desc->ad_cname.bv_len +
677 fstr->bv_val = op->o_tmpalloc( fstr->bv_len + 128, op->o_tmpmemctx );
679 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s%s=*)",
681 f->f_sub_desc->ad_cname.bv_val );
683 if ( f->f_sub_initial.bv_val != NULL ) {
688 filter_escape_value_x( &f->f_sub_initial, &tmp, op->o_tmpmemctx );
691 fstr->bv_len += tmplen;
692 fstr->bv_val = op->o_tmprealloc( fstr->bv_val,
693 fstr->bv_len + 1, op->o_tmpmemctx );
695 snprintf( &fstr->bv_val[len - 2],
696 tmplen + STRLENOF( /*(*/ "*)" ) + 1,
697 /* "(attr=" */ "%s*)",
698 tmp.bv_len ? tmp.bv_val : "");
700 ber_memfree_x( tmp.bv_val, op->o_tmpmemctx );
703 if ( f->f_sub_any != NULL ) {
704 for ( i = 0; f->f_sub_any[i].bv_val != NULL; i++ ) {
708 filter_escape_value_x( &f->f_sub_any[i],
709 &tmp, op->o_tmpmemctx );
712 fstr->bv_len += tmplen + STRLENOF( /*(*/ ")" );
713 fstr->bv_val = op->o_tmprealloc( fstr->bv_val,
714 fstr->bv_len + 1, op->o_tmpmemctx );
716 snprintf( &fstr->bv_val[len - 1],
717 tmplen + STRLENOF( /*(*/ "*)" ) + 1,
718 /* "(attr=[init]*[any*]" */ "%s*)",
719 tmp.bv_len ? tmp.bv_val : "");
720 ber_memfree_x( tmp.bv_val, op->o_tmpmemctx );
724 if ( f->f_sub_final.bv_val != NULL ) {
729 filter_escape_value_x( &f->f_sub_final, &tmp, op->o_tmpmemctx );
732 fstr->bv_len += tmplen;
733 fstr->bv_val = op->o_tmprealloc( fstr->bv_val,
734 fstr->bv_len + 1, op->o_tmpmemctx );
736 snprintf( &fstr->bv_val[len - 1],
737 tmplen + STRLENOF( /*(*/ ")" ) + 1,
738 /* "(attr=[init*][any*]" */ "%s)",
739 tmp.bv_len ? tmp.bv_val : "");
741 ber_memfree_x( tmp.bv_val, op->o_tmpmemctx );
746 case LDAP_FILTER_PRESENT:
747 fstr->bv_len = f->f_desc->ad_cname.bv_len +
752 fstr->bv_val = op->o_tmpalloc( fstr->bv_len + 1, op->o_tmpmemctx );
754 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s%s=*)",
756 f->f_desc->ad_cname.bv_val );
759 case LDAP_FILTER_AND:
761 case LDAP_FILTER_NOT:
762 fstr->bv_len = STRLENOF("(%)");
763 fstr->bv_val = op->o_tmpalloc( fstr->bv_len + 128, op->o_tmpmemctx );
765 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%c)",
766 f->f_choice == LDAP_FILTER_AND ? '&' :
767 f->f_choice == LDAP_FILTER_OR ? '|' : '!' );
769 for ( p = f->f_list; p != NULL; p = p->f_next ) {
772 filter2bv_undef_x( op, p, noundef, &tmp );
774 fstr->bv_len += tmp.bv_len;
775 fstr->bv_val = op->o_tmprealloc( fstr->bv_val, fstr->bv_len + 1,
778 snprintf( &fstr->bv_val[len-1],
779 tmp.bv_len + STRLENOF( /*(*/ ")" ) + 1,
780 /*"("*/ "%s)", tmp.bv_val );
782 op->o_tmpfree( tmp.bv_val, op->o_tmpmemctx );
787 case LDAP_FILTER_EXT: {
790 filter_escape_value_x( &f->f_mr_value, &tmp, op->o_tmpmemctx );
791 /* NOTE: tmp can legitimately be NULL (meaning empty)
792 * since in a Filter values in MRAs are supposed
793 * to have been normalized, meaning that an empty value
794 * is legal for that attribute's syntax */
796 if ( f->f_mr_desc ) {
797 ad = f->f_mr_desc->ad_cname;
803 fstr->bv_len = ad.bv_len +
805 ( f->f_mr_dnattrs ? STRLENOF(":dn") : 0 ) +
806 ( f->f_mr_rule_text.bv_len ? f->f_mr_rule_text.bv_len + STRLENOF(":") : 0 ) +
807 tmp.bv_len + STRLENOF("(:=)");
808 fstr->bv_val = op->o_tmpalloc( fstr->bv_len + 1, op->o_tmpmemctx );
810 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s%s%s%s%s:=%s)",
813 f->f_mr_dnattrs ? ":dn" : "",
814 f->f_mr_rule_text.bv_len ? ":" : "",
815 f->f_mr_rule_text.bv_len ? f->f_mr_rule_text.bv_val : "",
816 tmp.bv_len ? tmp.bv_val : "" );
817 ber_memfree_x( tmp.bv_val, op->o_tmpmemctx );
820 case SLAPD_FILTER_COMPUTED:
821 switch ( f->f_result ) {
822 case LDAP_COMPARE_FALSE:
823 tmp = ( noundef ? ber_bvF : ber_bvfalse );
826 case LDAP_COMPARE_TRUE:
827 tmp = ( noundef ? ber_bvT : ber_bvtrue );
830 case SLAPD_COMPARE_UNDEFINED:
831 tmp = ber_bvundefined;
839 ber_dupbv_x( fstr, &tmp, op->o_tmpmemctx );
843 ber_dupbv_x( fstr, &ber_bvunknown, op->o_tmpmemctx );
849 filter2bv( Filter *f, struct berval *fstr )
851 filter2bv_undef( f, 0, fstr );
855 filter2bv_undef( Filter *f, int noundef, struct berval *fstr )
861 op.o_tmpmemctx = NULL;
862 op.o_tmpmfuncs = &ch_mfuncs;
864 filter2bv_undef_x( &op, f, noundef, fstr );
868 filter_dup( Filter *f, void *memctx )
870 BerMemoryFunctions *mf = &slap_sl_mfuncs;
876 n = mf->bmf_malloc( sizeof(Filter), memctx );
877 n->f_choice = f->f_choice;
880 switch( f->f_choice & SLAPD_FILTER_MASK ) {
881 case SLAPD_FILTER_COMPUTED:
882 n->f_result = f->f_result;
884 case LDAP_FILTER_PRESENT:
885 if ( f->f_desc->ad_flags & SLAP_DESC_TEMPORARY )
886 n->f_desc = slap_bv2tmp_ad( &f->f_desc->ad_cname, memctx );
888 n->f_desc = f->f_desc;
890 case LDAP_FILTER_EQUALITY:
893 case LDAP_FILTER_APPROX:
894 /* Should this be ava_dup() ? */
895 n->f_ava = mf->bmf_calloc( 1, sizeof(AttributeAssertion), memctx );
896 *n->f_ava = *f->f_ava;
897 if ( f->f_av_desc->ad_flags & SLAP_DESC_TEMPORARY )
898 n->f_av_desc = slap_bv2tmp_ad( &f->f_av_desc->ad_cname, memctx );
899 ber_dupbv_x( &n->f_av_value, &f->f_av_value, memctx );
901 case LDAP_FILTER_SUBSTRINGS:
902 n->f_sub = mf->bmf_calloc( 1, sizeof(SubstringsAssertion), memctx );
903 if ( f->f_sub_desc->ad_flags & SLAP_DESC_TEMPORARY )
904 n->f_sub_desc = slap_bv2tmp_ad( &f->f_sub_desc->ad_cname, memctx );
906 n->f_sub_desc = f->f_sub_desc;
907 if ( !BER_BVISNULL( &f->f_sub_initial ))
908 ber_dupbv_x( &n->f_sub_initial, &f->f_sub_initial, memctx );
909 if ( f->f_sub_any ) {
911 for ( i = 0; !BER_BVISNULL( &f->f_sub_any[i] ); i++ );
912 n->f_sub_any = mf->bmf_malloc(( i+1 )*sizeof( struct berval ),
914 for ( i = 0; !BER_BVISNULL( &f->f_sub_any[i] ); i++ ) {
915 ber_dupbv_x( &n->f_sub_any[i], &f->f_sub_any[i], memctx );
917 BER_BVZERO( &n->f_sub_any[i] );
919 if ( !BER_BVISNULL( &f->f_sub_final ))
920 ber_dupbv_x( &n->f_sub_final, &f->f_sub_final, memctx );
922 case LDAP_FILTER_EXT: {
923 /* Should this be mra_dup() ? */
925 length = sizeof(MatchingRuleAssertion);
926 if ( !BER_BVISNULL( &f->f_mr_rule_text ))
927 length += f->f_mr_rule_text.bv_len + 1;
928 n->f_mra = mf->bmf_calloc( 1, length, memctx );
929 *n->f_mra = *f->f_mra;
930 if ( f->f_mr_desc && ( f->f_sub_desc->ad_flags & SLAP_DESC_TEMPORARY ))
931 n->f_mr_desc = slap_bv2tmp_ad( &f->f_mr_desc->ad_cname, memctx );
932 ber_dupbv_x( &n->f_mr_value, &f->f_mr_value, memctx );
933 if ( !BER_BVISNULL( &f->f_mr_rule_text )) {
934 n->f_mr_rule_text.bv_val = (char *)(n->f_mra+1);
935 AC_MEMCPY(n->f_mr_rule_text.bv_val,
936 f->f_mr_rule_text.bv_val, f->f_mr_rule_text.bv_len );
939 case LDAP_FILTER_AND:
941 case LDAP_FILTER_NOT: {
943 for ( p = &n->f_list, f = f->f_list; f; f = f->f_next ) {
944 *p = filter_dup( f, memctx );
956 ValuesReturnFilter **filt,
962 ValuesReturnFilter vrf;
964 Debug( LDAP_DEBUG_FILTER, "begin get_simple_vrFilter\n", 0, 0, 0 );
966 tag = ber_peek_tag( ber, &len );
968 if( tag == LBER_ERROR ) {
969 *text = "error decoding filter";
970 return SLAPD_DISCONNECT;
976 vrf.vrf_choice = tag;
978 switch ( vrf.vrf_choice ) {
979 case LDAP_FILTER_EQUALITY:
980 Debug( LDAP_DEBUG_FILTER, "EQUALITY\n", 0, 0, 0 );
981 err = get_ava( op, ber, (Filter *)&vrf, SLAP_MR_EQUALITY, text );
982 if ( err != LDAP_SUCCESS ) {
986 assert( vrf.vrf_ava != NULL );
989 case LDAP_FILTER_SUBSTRINGS:
990 Debug( LDAP_DEBUG_FILTER, "SUBSTRINGS\n", 0, 0, 0 );
991 err = get_ssa( op, ber, (Filter *)&vrf, text );
995 Debug( LDAP_DEBUG_FILTER, "GE\n", 0, 0, 0 );
996 err = get_ava( op, ber, (Filter *)&vrf, SLAP_MR_ORDERING, text );
997 if ( err != LDAP_SUCCESS ) {
1002 case LDAP_FILTER_LE:
1003 Debug( LDAP_DEBUG_FILTER, "LE\n", 0, 0, 0 );
1004 err = get_ava( op, ber, (Filter *)&vrf, SLAP_MR_ORDERING, text );
1005 if ( err != LDAP_SUCCESS ) {
1010 case LDAP_FILTER_PRESENT: {
1013 Debug( LDAP_DEBUG_FILTER, "PRESENT\n", 0, 0, 0 );
1014 if ( ber_scanf( ber, "m", &type ) == LBER_ERROR ) {
1015 err = SLAPD_DISCONNECT;
1016 *text = "error decoding filter";
1020 vrf.vrf_desc = NULL;
1021 err = slap_bv2ad( &type, &vrf.vrf_desc, text );
1023 if( err != LDAP_SUCCESS ) {
1024 vrf.vrf_choice |= SLAPD_FILTER_UNDEFINED;
1025 err = slap_bv2undef_ad( &type, &vrf.vrf_desc, text,
1028 if( err != LDAP_SUCCESS ) {
1029 /* unrecognized attribute description or other error */
1030 Debug( LDAP_DEBUG_ANY,
1031 "get_simple_vrFilter: conn %lu unknown "
1032 "attribute type=%s (%d)\n",
1033 op->o_connid, type.bv_val, err );
1035 vrf.vrf_choice = SLAPD_FILTER_COMPUTED;
1036 vrf.vrf_result = LDAP_COMPARE_FALSE;
1043 case LDAP_FILTER_APPROX:
1044 Debug( LDAP_DEBUG_FILTER, "APPROX\n", 0, 0, 0 );
1045 err = get_ava( op, ber, (Filter *)&vrf, SLAP_MR_EQUALITY_APPROX, text );
1046 if ( err != LDAP_SUCCESS ) {
1051 case LDAP_FILTER_EXT:
1052 Debug( LDAP_DEBUG_FILTER, "EXTENSIBLE\n", 0, 0, 0 );
1054 err = get_mra( op, ber, (Filter *)&vrf, text );
1055 if ( err != LDAP_SUCCESS ) {
1059 assert( vrf.vrf_mra != NULL );
1063 (void) ber_scanf( ber, "x" ); /* skip the element */
1064 Debug( LDAP_DEBUG_ANY, "get_simple_vrFilter: unknown filter type=%lu\n",
1065 vrf.vrf_choice, 0, 0 );
1066 vrf.vrf_choice = SLAPD_FILTER_COMPUTED;
1067 vrf.vrf_result = SLAPD_COMPARE_UNDEFINED;
1071 if ( err != LDAP_SUCCESS && err != SLAPD_DISCONNECT ) {
1073 vrf.vrf_choice = SLAPD_FILTER_COMPUTED;
1074 vrf.vrf_result = SLAPD_COMPARE_UNDEFINED;
1078 if ( err == LDAP_SUCCESS ) {
1079 *filt = op->o_tmpalloc( sizeof vrf, op->o_tmpmemctx );
1083 Debug( LDAP_DEBUG_FILTER, "end get_simple_vrFilter %d\n", err, 0, 0 );
1089 get_vrFilter( Operation *op, BerElement *ber,
1090 ValuesReturnFilter **vrf,
1094 * A ValuesReturnFilter looks like this:
1096 * ValuesReturnFilter ::= SEQUENCE OF SimpleFilterItem
1097 * SimpleFilterItem ::= CHOICE {
1098 * equalityMatch [3] AttributeValueAssertion,
1099 * substrings [4] SubstringFilter,
1100 * greaterOrEqual [5] AttributeValueAssertion,
1101 * lessOrEqual [6] AttributeValueAssertion,
1102 * present [7] AttributeType,
1103 * approxMatch [8] AttributeValueAssertion,
1104 * extensibleMatch [9] SimpleMatchingAssertion -- LDAPv3
1107 * SubstringFilter ::= SEQUENCE {
1108 * type AttributeType,
1109 * SEQUENCE OF CHOICE {
1110 * initial [0] IA5String,
1111 * any [1] IA5String,
1112 * final [2] IA5String
1116 * SimpleMatchingAssertion ::= SEQUENCE { -- LDAPv3
1117 * matchingRule [1] MatchingRuleId OPTIONAL,
1118 * type [2] AttributeDescription OPTIONAL,
1119 * matchValue [3] AssertionValue }
1122 ValuesReturnFilter **n;
1127 Debug( LDAP_DEBUG_FILTER, "begin get_vrFilter\n", 0, 0, 0 );
1129 tag = ber_peek_tag( ber, &len );
1131 if( tag == LBER_ERROR ) {
1132 *text = "error decoding vrFilter";
1133 return SLAPD_DISCONNECT;
1136 if( tag != LBER_SEQUENCE ) {
1137 *text = "error decoding vrFilter, expect SEQUENCE tag";
1138 return SLAPD_DISCONNECT;
1142 for ( tag = ber_first_element( ber, &len, &last );
1143 tag != LBER_DEFAULT;
1144 tag = ber_next_element( ber, &len, last ) )
1146 int err = get_simple_vrFilter( op, ber, n, text );
1148 if ( err != LDAP_SUCCESS ) return( err );
1150 n = &(*n)->vrf_next;
1154 Debug( LDAP_DEBUG_FILTER, "end get_vrFilter\n", 0, 0, 0 );
1155 return( LDAP_SUCCESS );
1159 vrFilter_free( Operation *op, ValuesReturnFilter *vrf )
1161 ValuesReturnFilter *next;
1163 for ( ; vrf != NULL; vrf = next ) {
1164 next = vrf->vrf_next;
1166 switch ( vrf->vrf_choice & SLAPD_FILTER_MASK ) {
1167 case LDAP_FILTER_PRESENT:
1170 case LDAP_FILTER_EQUALITY:
1171 case LDAP_FILTER_GE:
1172 case LDAP_FILTER_LE:
1173 case LDAP_FILTER_APPROX:
1174 ava_free( op, vrf->vrf_ava, 1 );
1177 case LDAP_FILTER_SUBSTRINGS:
1178 if ( vrf->vrf_sub_initial.bv_val != NULL ) {
1179 op->o_tmpfree( vrf->vrf_sub_initial.bv_val, op->o_tmpmemctx );
1181 ber_bvarray_free_x( vrf->vrf_sub_any, op->o_tmpmemctx );
1182 if ( vrf->vrf_sub_final.bv_val != NULL ) {
1183 op->o_tmpfree( vrf->vrf_sub_final.bv_val, op->o_tmpmemctx );
1185 op->o_tmpfree( vrf->vrf_sub, op->o_tmpmemctx );
1188 case LDAP_FILTER_EXT:
1189 mra_free( op, vrf->vrf_mra, 1 );
1192 case SLAPD_FILTER_COMPUTED:
1196 Debug( LDAP_DEBUG_ANY, "filter_free: unknown filter type=%lu\n",
1197 vrf->vrf_choice, 0, 0 );
1201 op->o_tmpfree( vrf, op->o_tmpmemctx );
1206 vrFilter2bv( Operation *op, ValuesReturnFilter *vrf, struct berval *fstr )
1208 ValuesReturnFilter *p;
1212 if ( vrf == NULL ) {
1213 ber_str2bv_x( "No filter!", STRLENOF("No filter!"),
1214 1, fstr, op->o_tmpmemctx );
1218 fstr->bv_len = STRLENOF("()");
1219 fstr->bv_val = op->o_tmpalloc( fstr->bv_len + 128, op->o_tmpmemctx );
1221 snprintf( fstr->bv_val, fstr->bv_len + 1, "()");
1223 for ( p = vrf; p != NULL; p = p->vrf_next ) {
1226 simple_vrFilter2bv( op, p, &tmp );
1228 fstr->bv_len += tmp.bv_len;
1229 fstr->bv_val = op->o_tmprealloc( fstr->bv_val, fstr->bv_len + 1,
1232 snprintf( &fstr->bv_val[len-1], tmp.bv_len + 2,
1233 /*"("*/ "%s)", tmp.bv_val );
1235 op->o_tmpfree( tmp.bv_val, op->o_tmpmemctx );
1240 simple_vrFilter2bv( Operation *op, ValuesReturnFilter *vrf, struct berval *fstr )
1246 if ( vrf == NULL ) {
1247 ber_str2bv_x( "No filter!", STRLENOF("No filter!"), 1, fstr,
1251 undef = vrf->vrf_choice & SLAPD_FILTER_UNDEFINED;
1253 switch ( vrf->vrf_choice & SLAPD_FILTER_MASK ) {
1254 case LDAP_FILTER_EQUALITY:
1255 filter_escape_value_x( &vrf->vrf_av_value, &tmp, op->o_tmpmemctx );
1257 fstr->bv_len = vrf->vrf_av_desc->ad_cname.bv_len +
1258 tmp.bv_len + STRLENOF("(=)");
1259 if ( undef ) fstr->bv_len++;
1260 fstr->bv_val = op->o_tmpalloc( fstr->bv_len + 1, op->o_tmpmemctx );
1262 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=%s)",
1263 vrf->vrf_av_desc->ad_cname.bv_val,
1266 ber_memfree_x( tmp.bv_val, op->o_tmpmemctx );
1269 case LDAP_FILTER_GE:
1270 filter_escape_value_x( &vrf->vrf_av_value, &tmp, op->o_tmpmemctx );
1272 fstr->bv_len = vrf->vrf_av_desc->ad_cname.bv_len +
1273 tmp.bv_len + STRLENOF("(>=)");
1274 if ( undef ) fstr->bv_len++;
1275 fstr->bv_val = op->o_tmpalloc( fstr->bv_len + 1, op->o_tmpmemctx );
1277 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s>=%s)",
1278 vrf->vrf_av_desc->ad_cname.bv_val,
1281 ber_memfree_x( tmp.bv_val, op->o_tmpmemctx );
1284 case LDAP_FILTER_LE:
1285 filter_escape_value_x( &vrf->vrf_av_value, &tmp, op->o_tmpmemctx );
1287 fstr->bv_len = vrf->vrf_av_desc->ad_cname.bv_len +
1288 tmp.bv_len + STRLENOF("(<=)");
1289 if ( undef ) fstr->bv_len++;
1290 fstr->bv_val = op->o_tmpalloc( fstr->bv_len + 1, op->o_tmpmemctx );
1292 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s<=%s)",
1293 vrf->vrf_av_desc->ad_cname.bv_val,
1296 ber_memfree_x( tmp.bv_val, op->o_tmpmemctx );
1299 case LDAP_FILTER_APPROX:
1300 filter_escape_value_x( &vrf->vrf_av_value, &tmp, op->o_tmpmemctx );
1302 fstr->bv_len = vrf->vrf_av_desc->ad_cname.bv_len +
1303 tmp.bv_len + STRLENOF("(~=)");
1304 if ( undef ) fstr->bv_len++;
1305 fstr->bv_val = op->o_tmpalloc( fstr->bv_len + 1, op->o_tmpmemctx );
1307 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s~=%s)",
1308 vrf->vrf_av_desc->ad_cname.bv_val,
1310 ber_memfree_x( tmp.bv_val, op->o_tmpmemctx );
1313 case LDAP_FILTER_SUBSTRINGS:
1314 fstr->bv_len = vrf->vrf_sub_desc->ad_cname.bv_len +
1316 if ( undef ) fstr->bv_len++;
1317 fstr->bv_val = op->o_tmpalloc( fstr->bv_len + 128, op->o_tmpmemctx );
1319 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=*)",
1320 vrf->vrf_sub_desc->ad_cname.bv_val );
1322 if ( vrf->vrf_sub_initial.bv_val != NULL ) {
1325 filter_escape_value_x( &vrf->vrf_sub_initial, &tmp, op->o_tmpmemctx );
1327 fstr->bv_len += tmp.bv_len;
1328 fstr->bv_val = op->o_tmprealloc( fstr->bv_val, fstr->bv_len + 1,
1331 snprintf( &fstr->bv_val[len-2], tmp.bv_len+3,
1332 /* "(attr=" */ "%s*)",
1335 ber_memfree_x( tmp.bv_val, op->o_tmpmemctx );
1338 if ( vrf->vrf_sub_any != NULL ) {
1340 for ( i = 0; vrf->vrf_sub_any[i].bv_val != NULL; i++ ) {
1342 filter_escape_value_x( &vrf->vrf_sub_any[i], &tmp,
1345 fstr->bv_len += tmp.bv_len + 1;
1346 fstr->bv_val = op->o_tmprealloc( fstr->bv_val,
1347 fstr->bv_len + 1, op->o_tmpmemctx );
1349 snprintf( &fstr->bv_val[len-1], tmp.bv_len+3,
1350 /* "(attr=[init]*[any*]" */ "%s*)",
1352 ber_memfree_x( tmp.bv_val, op->o_tmpmemctx );
1356 if ( vrf->vrf_sub_final.bv_val != NULL ) {
1359 filter_escape_value_x( &vrf->vrf_sub_final, &tmp, op->o_tmpmemctx );
1361 fstr->bv_len += tmp.bv_len;
1362 fstr->bv_val = op->o_tmprealloc( fstr->bv_val, fstr->bv_len + 1,
1365 snprintf( &fstr->bv_val[len-1], tmp.bv_len+3,
1366 /* "(attr=[init*][any*]" */ "%s)",
1369 ber_memfree_x( tmp.bv_val, op->o_tmpmemctx );
1374 case LDAP_FILTER_PRESENT:
1375 fstr->bv_len = vrf->vrf_desc->ad_cname.bv_len +
1377 if ( undef ) fstr->bv_len++;
1378 fstr->bv_val = op->o_tmpalloc( fstr->bv_len + 1, op->o_tmpmemctx );
1380 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=*)",
1381 vrf->vrf_desc->ad_cname.bv_val );
1384 case LDAP_FILTER_EXT: {
1386 filter_escape_value_x( &vrf->vrf_mr_value, &tmp, op->o_tmpmemctx );
1388 if ( vrf->vrf_mr_desc ) {
1389 ad = vrf->vrf_mr_desc->ad_cname;
1395 fstr->bv_len = ad.bv_len +
1396 ( vrf->vrf_mr_dnattrs ? STRLENOF(":dn") : 0 ) +
1397 ( vrf->vrf_mr_rule_text.bv_len
1398 ? vrf->vrf_mr_rule_text.bv_len+1 : 0 ) +
1399 tmp.bv_len + STRLENOF("(:=)");
1400 if ( undef ) fstr->bv_len++;
1401 fstr->bv_val = op->o_tmpalloc( fstr->bv_len + 1, op->o_tmpmemctx );
1403 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s%s%s%s:=%s)",
1405 vrf->vrf_mr_dnattrs ? ":dn" : "",
1406 vrf->vrf_mr_rule_text.bv_len ? ":" : "",
1407 vrf->vrf_mr_rule_text.bv_len ? vrf->vrf_mr_rule_text.bv_val : "",
1410 ber_memfree_x( tmp.bv_val, op->o_tmpmemctx );
1413 case SLAPD_FILTER_COMPUTED:
1415 vrf->vrf_result == LDAP_COMPARE_FALSE ? "(?=false)" :
1416 vrf->vrf_result == LDAP_COMPARE_TRUE ? "(?=true)" :
1417 vrf->vrf_result == SLAPD_COMPARE_UNDEFINED
1418 ? "(?=undefined)" : "(?=error)",
1419 vrf->vrf_result == LDAP_COMPARE_FALSE ? STRLENOF("(?=false)") :
1420 vrf->vrf_result == LDAP_COMPARE_TRUE ? STRLENOF("(?=true)") :
1421 vrf->vrf_result == SLAPD_COMPARE_UNDEFINED
1422 ? STRLENOF("(?=undefined)") : STRLENOF("(?=error)"),
1423 1, fstr, op->o_tmpmemctx );
1427 ber_str2bv_x( "(?=unknown)", STRLENOF("(?=unknown)"),
1428 1, fstr, op->o_tmpmemctx );
projects / openldap / blob