1 /* filter.c - routines for parsing and dealing with filters */
4 * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
5 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
12 #include <ac/socket.h>
13 #include <ac/string.h>
17 static int get_filter_list(
24 static int get_substring_filter(
31 static int filter_escape_value(
47 struct berval ftmp = { 0, NULL };
48 struct berval escaped;
51 LDAP_LOG(( "filter", LDAP_LEVEL_ENTRY, "get_filter: conn %d\n",
54 Debug( LDAP_DEBUG_FILTER, "begin get_filter\n", 0, 0, 0 );
57 * A filter looks like this coming in:
59 * and [0] SET OF Filter,
60 * or [1] SET OF Filter,
62 * equalityMatch [3] AttributeValueAssertion,
63 * substrings [4] SubstringFilter,
64 * greaterOrEqual [5] AttributeValueAssertion,
65 * lessOrEqual [6] AttributeValueAssertion,
66 * present [7] AttributeType,,
67 * approxMatch [8] AttributeValueAssertion
68 * extensibleMatch [9] MatchingRuleAssertion
71 * SubstringFilter ::= SEQUENCE {
73 * SEQUENCE OF CHOICE {
74 * initial [0] IA5String,
80 * MatchingRuleAssertion ::= SEQUENCE {
81 * matchingRule [1] MatchingRuleId OPTIONAL,
82 * type [2] AttributeDescription OPTIONAL,
83 * matchValue [3] AssertionValue,
84 * dnAttributes [4] BOOLEAN DEFAULT FALSE
89 tag = ber_peek_tag( ber, &len );
91 if( tag == LBER_ERROR ) {
92 *text = "error decoding filter";
93 return SLAPD_DISCONNECT;
96 f = (Filter *) ch_malloc( sizeof(Filter) );
103 switch ( f->f_choice ) {
104 case LDAP_FILTER_EQUALITY:
106 LDAP_LOG(( "filter", LDAP_LEVEL_DETAIL2,
107 "get_filter: conn %d EQUALITY\n", conn->c_connid ));
109 Debug( LDAP_DEBUG_FILTER, "EQUALITY\n", 0, 0, 0 );
111 err = get_ava( ber, &f->f_ava, SLAP_MR_EQUALITY, text );
112 if ( err != LDAP_SUCCESS ) {
116 assert( f->f_ava != NULL );
118 filter_escape_value( &f->f_av_value, &escaped );
120 fstr->bv_len = sizeof("(=)")-1
121 + f->f_av_desc->ad_cname.bv_len
124 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
126 sprintf( fstr->bv_val, "(%s=%s)",
127 f->f_av_desc->ad_cname.bv_val,
130 ber_memfree( escaped.bv_val );
133 case LDAP_FILTER_SUBSTRINGS:
135 LDAP_LOG(( "filter", LDAP_LEVEL_DETAIL1,
136 "get_filter: conn %d SUBSTRINGS\n", conn->c_connid ));
138 Debug( LDAP_DEBUG_FILTER, "SUBSTRINGS\n", 0, 0, 0 );
140 err = get_substring_filter( conn, ber, f, fstr, text );
145 LDAP_LOG(( "filter", LDAP_LEVEL_DETAIL1,
146 "get_filter: conn %d GE\n", conn->c_connid ));
148 Debug( LDAP_DEBUG_FILTER, "GE\n", 0, 0, 0 );
150 err = get_ava( ber, &f->f_ava, SLAP_MR_ORDERING, text );
151 if ( err != LDAP_SUCCESS ) {
155 filter_escape_value( &f->f_av_value, &escaped );
157 fstr->bv_len = sizeof("(>=)")-1
158 + f->f_av_desc->ad_cname.bv_len
161 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
163 sprintf( fstr->bv_val, "(%s>=%s)",
164 f->f_av_desc->ad_cname.bv_val,
167 ber_memfree( escaped.bv_val );
172 LDAP_LOG(( "filter", LDAP_LEVEL_DETAIL1,
173 "get_filter: conn %d LE\n", conn->c_connid ));
175 Debug( LDAP_DEBUG_FILTER, "LE\n", 0, 0, 0 );
177 err = get_ava( ber, &f->f_ava, SLAP_MR_ORDERING, text );
178 if ( err != LDAP_SUCCESS ) {
183 filter_escape_value( &f->f_av_value, &escaped );
185 fstr->bv_len = sizeof("(<=)")-1
186 + f->f_av_desc->ad_cname.bv_len
189 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
191 sprintf( fstr->bv_val, "(%s<=%s)",
192 f->f_av_desc->ad_cname.bv_val,
195 ber_memfree( escaped.bv_val );
198 case LDAP_FILTER_PRESENT: {
202 LDAP_LOG(( "filter", LDAP_LEVEL_DETAIL1,
203 "get_filter: conn %d PRESENT\n", conn->c_connid ));
205 Debug( LDAP_DEBUG_FILTER, "PRESENT\n", 0, 0, 0 );
207 if ( ber_scanf( ber, "m", &type ) == LBER_ERROR ) {
208 err = SLAPD_DISCONNECT;
209 *text = "error decoding filter";
214 err = slap_bv2ad( &type, &f->f_desc, text );
216 if( err != LDAP_SUCCESS ) {
217 /* unrecognized attribute description or other error */
218 f->f_choice = SLAPD_FILTER_COMPUTED;
219 f->f_result = LDAP_COMPARE_FALSE;
220 ber_str2bv("(unrecognized=*)",
221 sizeof("(unrecognized=*)")-1, 1, fstr);
226 fstr->bv_len = sizeof("(=*)") - 1
227 + f->f_desc->ad_cname.bv_len;
228 fstr->bv_val = ch_malloc( fstr->bv_len + 1);
229 sprintf( fstr->bv_val, "(%s=*)",
230 f->f_desc->ad_cname.bv_val );
234 case LDAP_FILTER_APPROX:
236 LDAP_LOG(( "filter", LDAP_LEVEL_DETAIL1,
237 "get_filter: conn %d APPROX\n", conn->c_connid ));
239 Debug( LDAP_DEBUG_FILTER, "APPROX\n", 0, 0, 0 );
241 err = get_ava( ber, &f->f_ava, SLAP_MR_EQUALITY_APPROX, text );
242 if ( err != LDAP_SUCCESS ) {
246 filter_escape_value( &f->f_av_value, &escaped );
248 fstr->bv_len = sizeof("(~=)") - 1
249 + f->f_av_desc->ad_cname.bv_len
251 fstr->bv_val = ch_malloc( fstr->bv_len + 1);
253 sprintf( fstr->bv_val, "(%s~=%s)",
254 f->f_av_desc->ad_cname.bv_val,
257 ber_memfree( escaped.bv_val );
260 case LDAP_FILTER_AND:
262 LDAP_LOG(( "filter", LDAP_LEVEL_DETAIL1,
263 "get_filter: conn %d AND\n", conn->c_connid ));
265 Debug( LDAP_DEBUG_FILTER, "AND\n", 0, 0, 0 );
267 err = get_filter_list( conn, ber, &f->f_and, &ftmp, text );
268 if ( err != LDAP_SUCCESS ) {
271 fstr->bv_len = sizeof("(&)") - 1 + ftmp.bv_len;
272 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
273 sprintf( fstr->bv_val, "(&%s)",
274 ftmp.bv_len ? ftmp.bv_val : "" );
279 LDAP_LOG(( "filter", LDAP_LEVEL_DETAIL1,
280 "get_filter: conn %d OR\n", conn->c_connid ));
282 Debug( LDAP_DEBUG_FILTER, "OR\n", 0, 0, 0 );
284 err = get_filter_list( conn, ber, &f->f_and, &ftmp, text );
285 if ( err != LDAP_SUCCESS ) {
288 fstr->bv_len = sizeof("(|)") - 1 + ftmp.bv_len;
289 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
290 sprintf( fstr->bv_val, "(|%s)",
291 ftmp.bv_len ? ftmp.bv_val : "" );
294 case LDAP_FILTER_NOT:
296 LDAP_LOG(( "filter", LDAP_LEVEL_DETAIL1,
297 "get_filter: conn %d NOT\n", conn->c_connid ));
299 Debug( LDAP_DEBUG_FILTER, "NOT\n", 0, 0, 0 );
301 (void) ber_skip_tag( ber, &len );
302 err = get_filter( conn, ber, &f->f_not, &ftmp, text );
303 if ( err != LDAP_SUCCESS ) {
306 fstr->bv_len = sizeof("(!)") - 1 + ftmp.bv_len;
307 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
308 sprintf( fstr->bv_val, "(!%s)",
309 ftmp.bv_len ? ftmp.bv_val : "" );
312 case LDAP_FILTER_EXT:
314 LDAP_LOG(( "filter", LDAP_LEVEL_DETAIL1,
315 "get_filter: conn %d EXTENSIBLE\n", conn->c_connid ));
317 Debug( LDAP_DEBUG_FILTER, "EXTENSIBLE\n", 0, 0, 0 );
320 err = get_mra( ber, &f->f_mra, text );
321 if ( err != LDAP_SUCCESS ) {
325 assert( f->f_mra != NULL );
327 filter_escape_value( &f->f_mr_value, &escaped );
329 fstr->bv_len = sizeof("(:dn::=)") - 1
330 + (f->f_mr_desc ? f->f_mr_desc->ad_cname.bv_len : 0)
331 + f->f_mr_rule_text.bv_len
334 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
335 sprintf( fstr->bv_val, "(%s%s%s%s:=%s)",
336 (f->f_mr_desc ? f->f_mr_desc->ad_cname.bv_val : ""),
337 (f->f_mr_dnattrs ? ":dn" : ""),
338 (f->f_mr_rule_text.bv_len ? ":" : ""),
339 (f->f_mr_rule_text.bv_len ? f->f_mr_rule_text.bv_val : ""),
342 ber_memfree( escaped.bv_val );
346 (void) ber_scanf( ber, "x" ); /* skip the element */
348 LDAP_LOG(( "filter", LDAP_LEVEL_ERR,
349 "get_filter: conn %d unknown filter type=%lu\n",
350 conn->c_connid, f->f_choice ));
352 Debug( LDAP_DEBUG_ANY, "get_filter: unknown filter type=%lu\n",
355 f->f_choice = SLAPD_FILTER_COMPUTED;
356 f->f_result = SLAPD_COMPARE_UNDEFINED;
357 ber_str2bv( "(undefined)", sizeof("(undefined)") - 1,
362 if ( ftmp.bv_val ) free( ftmp.bv_val );
364 if ( err != LDAP_SUCCESS ) {
365 if ( fstr->bv_val != NULL ) {
366 free( fstr->bv_val );
369 if( err != SLAPD_DISCONNECT ) {
371 f->f_choice = SLAPD_FILTER_COMPUTED;
372 f->f_result = SLAPD_COMPARE_UNDEFINED;
373 ber_str2bv( "(badfilter)", sizeof("(badfilter)") - 1,
386 LDAP_LOG(( "filter", LDAP_LEVEL_DETAIL2,
387 "get_filter: conn %d exit\n", conn->c_connid ));
389 Debug( LDAP_DEBUG_FILTER, "end get_filter %d\n", err, 0, 0 );
395 get_filter_list( Connection *conn, BerElement *ber,
396 Filter **f, struct berval *fstr,
407 LDAP_LOG(( "filter", LDAP_LEVEL_ENTRY,
408 "get_filter_list: conn %d start\n", conn->c_connid ));
410 Debug( LDAP_DEBUG_FILTER, "begin get_filter_list\n", 0, 0, 0 );
413 for ( tag = ber_first_element( ber, &len, &last ); tag != LBER_DEFAULT;
414 tag = ber_next_element( ber, &len, last ) )
416 err = get_filter( conn, ber, new, &ftmp, text );
417 if ( err != LDAP_SUCCESS )
420 if ( !fstr->bv_len ) {
423 int i = fstr->bv_len;
424 fstr->bv_len += ftmp.bv_len;
425 fstr->bv_val = ch_realloc( fstr->bv_val,
427 strcpy( fstr->bv_val+i, ftmp.bv_val );
430 new = &(*new)->f_next;
435 LDAP_LOG(( "filter", LDAP_LEVEL_ENTRY,
436 "get_filter_list: conn %d exit\n", conn->c_connid ));
438 Debug( LDAP_DEBUG_FILTER, "end get_filter_list\n", 0, 0, 0 );
440 return( LDAP_SUCCESS );
444 get_substring_filter(
456 struct berval escaped;
459 *text = "error decoding filter";
462 LDAP_LOG(( "filter", LDAP_LEVEL_ENTRY,
463 "get_substring_filter: conn %d begin\n", conn->c_connid ));
465 Debug( LDAP_DEBUG_FILTER, "begin get_substring_filter\n", 0, 0, 0 );
467 if ( ber_scanf( ber, "{m" /*}*/, &bv ) == LBER_ERROR ) {
468 return SLAPD_DISCONNECT;
471 f->f_sub = ch_calloc( 1, sizeof(SubstringsAssertion) );
472 f->f_sub_desc = NULL;
473 rc = slap_bv2ad( &bv, &f->f_sub_desc, text );
475 if( rc != LDAP_SUCCESS ) {
478 f->f_choice = SLAPD_FILTER_COMPUTED;
479 f->f_result = SLAPD_COMPARE_UNDEFINED;
480 ber_str2bv( "(undefined)", sizeof("(undefined)")-1, 1, fstr );
484 f->f_sub_initial.bv_val = NULL;
486 f->f_sub_final.bv_val = NULL;
488 fstr->bv_len = sizeof("(=" /*)*/) - 1 +
489 f->f_sub_desc->ad_cname.bv_len;
490 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
491 sprintf( fstr->bv_val, "(%s=" /*)*/, f->f_sub_desc->ad_cname.bv_val );
493 for ( tag = ber_first_element( ber, &len, &last ); tag != LBER_DEFAULT;
494 tag = ber_next_element( ber, &len, last ) )
498 rc = ber_scanf( ber, "m", &value );
499 if ( rc == LBER_ERROR ) {
500 rc = SLAPD_DISCONNECT;
504 if ( value.bv_val == NULL || value.bv_len == 0 ) {
505 rc = LDAP_INVALID_SYNTAX;
510 case LDAP_SUBSTRING_INITIAL:
511 usage = SLAP_MR_SUBSTR_INITIAL;
514 case LDAP_SUBSTRING_ANY:
515 usage = SLAP_MR_SUBSTR_ANY;
518 case LDAP_SUBSTRING_FINAL:
519 usage = SLAP_MR_SUBSTR_FINAL;
523 rc = LDAP_PROTOCOL_ERROR;
526 LDAP_LOG(( "filter", LDAP_LEVEL_ERR,
527 "get_filter_substring: conn %d unknown substring choice=%ld\n",
528 conn->c_connid, (long)tag ));
530 Debug( LDAP_DEBUG_FILTER,
531 " unknown substring choice=%ld\n",
537 /* valiate using equality matching rule validator! */
538 rc = value_validate( f->f_sub_desc->ad_type->sat_equality,
540 if( rc != LDAP_SUCCESS ) {
544 rc = value_normalize( f->f_sub_desc, usage,
546 if( rc != LDAP_SUCCESS ) {
552 rc = LDAP_PROTOCOL_ERROR;
555 case LDAP_SUBSTRING_INITIAL:
557 LDAP_LOG(( "filter", LDAP_LEVEL_DETAIL1,
558 "get_substring_filter: conn %d INITIAL\n",
561 Debug( LDAP_DEBUG_FILTER, " INITIAL\n", 0, 0, 0 );
564 if ( f->f_sub_initial.bv_val != NULL
565 || f->f_sub_any != NULL
566 || f->f_sub_final.bv_val != NULL )
568 free( value.bv_val );
572 f->f_sub_initial = value;
575 int i = fstr->bv_len;
576 filter_escape_value( &value, &escaped );
577 fstr->bv_len += escaped.bv_len;
578 fstr->bv_val = ch_realloc( fstr->bv_val,
580 strcpy( fstr->bv_val+i, escaped.bv_val );
581 ber_memfree( escaped.bv_val );
585 case LDAP_SUBSTRING_ANY:
587 LDAP_LOG(( "filter", LDAP_LEVEL_DETAIL1,
588 "get_substring_filter: conn %d ANY\n",
591 Debug( LDAP_DEBUG_FILTER, " ANY\n", 0, 0, 0 );
594 if ( f->f_sub_final.bv_val != NULL ) {
595 free( value.bv_val );
599 ber_bvarray_add( &f->f_sub_any, &value );
602 int i = fstr->bv_len;
603 filter_escape_value( &value, &escaped );
604 fstr->bv_len += escaped.bv_len + 2;
605 fstr->bv_val = ch_realloc( fstr->bv_val,
607 strcpy( fstr->bv_val+i, "*" );
608 strcpy( fstr->bv_val+i+1, escaped.bv_val );
609 ber_memfree( escaped.bv_val );
613 case LDAP_SUBSTRING_FINAL:
615 LDAP_LOG(( "filter", LDAP_LEVEL_DETAIL1,
616 "get_substring_filter: conn %d FINAL\n",
619 Debug( LDAP_DEBUG_FILTER, " FINAL\n", 0, 0, 0 );
622 if ( f->f_sub_final.bv_val != NULL ) {
623 free( value.bv_val );
627 f->f_sub_final = value;
630 int i = fstr->bv_len;
631 filter_escape_value( &value, &escaped );
632 fstr->bv_len += escaped.bv_len + 2;
633 fstr->bv_val = ch_realloc( fstr->bv_val,
635 strcpy( fstr->bv_val+i, "*" );
636 strcpy( fstr->bv_val+i+1, escaped.bv_val );
637 ber_memfree( escaped.bv_val );
643 LDAP_LOG(( "filter", LDAP_LEVEL_INFO,
644 "get_substring_filter: conn %d unknown substring type %ld\n",
645 conn->c_connid, (long)tag ));
647 Debug( LDAP_DEBUG_FILTER,
648 " unknown substring type=%ld\n",
652 free( value.bv_val );
656 LDAP_LOG(( "filter", LDAP_LEVEL_INFO,
657 "get_substring_filter: conn %d error %ld\n",
658 conn->c_connid, (long)rc ));
660 Debug( LDAP_DEBUG_FILTER, " error=%ld\n",
664 free( fstr->bv_val );
669 free( f->f_sub_initial.bv_val );
670 ber_bvarray_free( f->f_sub_any );
671 free( f->f_sub_final.bv_val );
678 int i = fstr->bv_len;
680 fstr->bv_val = ch_realloc( fstr->bv_val, fstr->bv_len + 3 );
681 if ( f->f_sub_final.bv_val == NULL ) {
682 strcpy( fstr->bv_val+i, "*" );
685 strcpy( fstr->bv_val+i, /*(*/ ")" );
689 LDAP_LOG(( "filter", LDAP_LEVEL_ENTRY,
690 "get_substring_filter: conn %d exit\n", conn->c_connid ));
692 Debug( LDAP_DEBUG_FILTER, "end get_substring_filter\n", 0, 0, 0 );
694 return( LDAP_SUCCESS );
698 filter_free( Filter *f )
706 switch ( f->f_choice ) {
707 case LDAP_FILTER_PRESENT:
710 case LDAP_FILTER_EQUALITY:
713 case LDAP_FILTER_APPROX:
714 ava_free( f->f_ava, 1 );
717 case LDAP_FILTER_SUBSTRINGS:
718 if ( f->f_sub_initial.bv_val != NULL ) {
719 free( f->f_sub_initial.bv_val );
721 ber_bvarray_free( f->f_sub_any );
722 if ( f->f_sub_final.bv_val != NULL ) {
723 free( f->f_sub_final.bv_val );
728 case LDAP_FILTER_AND:
730 case LDAP_FILTER_NOT:
731 for ( p = f->f_list; p != NULL; p = next ) {
737 case LDAP_FILTER_EXT:
738 mra_free( f->f_mra, 1 );
741 case SLAPD_FILTER_COMPUTED:
746 LDAP_LOG(( "filter", LDAP_LEVEL_ERR,
747 "filter_free: unknown filter type %lu\n", f->f_choice ));
749 Debug( LDAP_DEBUG_ANY, "filter_free: unknown filter type=%lu\n",
760 filter_print( Filter *f )
764 struct berval escaped;
767 fprintf( stderr, "No filter!" );
770 switch ( f->f_choice ) {
771 case LDAP_FILTER_EQUALITY:
772 filter_escape_value( &f->f_av_value, &escaped );
773 fprintf( stderr, "(%s=%s)",
774 f->f_av_desc->ad_cname.bv_val,
776 ber_memfree( escaped.bv_val );
780 filter_escape_value( &f->f_av_value, &escaped );
781 fprintf( stderr, "(%s>=%s)",
782 f->f_av_desc->ad_cname.bv_val,
784 ber_memfree( escaped.bv_val );
788 filter_escape_value( &f->f_av_value, &escaped );
789 fprintf( stderr, "(%s<=%s)",
790 f->f_ava->aa_desc->ad_cname.bv_val,
792 ber_memfree( escaped.bv_val );
795 case LDAP_FILTER_APPROX:
796 filter_escape_value( &f->f_av_value, &escaped );
797 fprintf( stderr, "(%s~=%s)",
798 f->f_ava->aa_desc->ad_cname.bv_val,
800 ber_memfree( escaped.bv_val );
803 case LDAP_FILTER_SUBSTRINGS:
804 fprintf( stderr, "(%s=" /*)*/,
805 f->f_sub_desc->ad_cname.bv_val );
806 if ( f->f_sub_initial.bv_val != NULL ) {
807 filter_escape_value( &f->f_sub_initial, &escaped );
808 fprintf( stderr, "%s",
810 ber_memfree( escaped.bv_val );
812 if ( f->f_sub_any != NULL ) {
813 for ( i = 0; f->f_sub_any[i].bv_val != NULL; i++ ) {
814 filter_escape_value( &f->f_sub_any[i], &escaped );
815 fprintf( stderr, "*%s",
817 ber_memfree( escaped.bv_val );
820 if ( f->f_sub_final.bv_val != NULL ) {
821 filter_escape_value( &f->f_sub_final, &escaped );
823 "*%s", escaped.bv_val );
824 ber_memfree( escaped.bv_val );
826 fprintf( stderr, /*(*/ ")" );
829 case LDAP_FILTER_PRESENT:
830 fprintf( stderr, "(%s=*)",
831 f->f_desc->ad_cname.bv_val );
834 case LDAP_FILTER_AND:
836 case LDAP_FILTER_NOT:
837 fprintf( stderr, "(%c" /*)*/,
838 f->f_choice == LDAP_FILTER_AND ? '&' :
839 f->f_choice == LDAP_FILTER_OR ? '|' : '!' );
840 for ( p = f->f_list; p != NULL; p = p->f_next ) {
843 fprintf( stderr, /*(*/ ")" );
846 case SLAPD_FILTER_COMPUTED:
847 fprintf( stderr, "(?=%s)",
848 f->f_result == LDAP_COMPARE_FALSE ? "false" :
849 f->f_result == LDAP_COMPARE_TRUE ? "true" :
850 f->f_result == SLAPD_COMPARE_UNDEFINED ? "undefined" :
855 fprintf( stderr, "(unknown-filter=%lu)", f->f_choice );
860 #endif /* ldap_debug */
862 static int filter_escape_value(
870 out->bv_val = (char *) ch_malloc( ( in->bv_len * 3 ) + 1 );
873 for( i=0; i < in->bv_len ; i++ ) {
874 if( FILTER_ESCAPE(in->bv_val[i]) ) {
875 out->bv_val[out->bv_len++] = SLAP_ESCAPE_CHAR;
876 out->bv_val[out->bv_len++] = SLAP_ESCAPE_HI( in->bv_val[i] );
877 out->bv_val[out->bv_len++] = SLAP_ESCAPE_LO( in->bv_val[i] );
879 out->bv_val[out->bv_len++] = in->bv_val[i];
883 out->bv_val[out->bv_len] = '\0';