1 /* filter.c - routines for parsing and dealing with filters */
4 * Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved.
5 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
12 #include <ac/socket.h>
13 #include <ac/string.h>
17 static int get_filter_list(
26 SubstringsAssertion **s,
29 static void simple_vrFilter2bv(
30 ValuesReturnFilter *f,
31 struct berval *fstr );
33 static int get_simple_vrFilter(
36 ValuesReturnFilter **f,
54 LDAP_LOG( FILTER, ENTRY, "get_filter: conn %d\n", conn->c_connid, 0, 0 );
56 Debug( LDAP_DEBUG_FILTER, "begin get_filter\n", 0, 0, 0 );
59 * A filter looks like this coming in:
61 * and [0] SET OF Filter,
62 * or [1] SET OF Filter,
64 * equalityMatch [3] AttributeValueAssertion,
65 * substrings [4] SubstringFilter,
66 * greaterOrEqual [5] AttributeValueAssertion,
67 * lessOrEqual [6] AttributeValueAssertion,
68 * present [7] AttributeType,,
69 * approxMatch [8] AttributeValueAssertion
70 * extensibleMatch [9] MatchingRuleAssertion
73 * SubstringFilter ::= SEQUENCE {
75 * SEQUENCE OF CHOICE {
76 * initial [0] IA5String,
82 * MatchingRuleAssertion ::= SEQUENCE {
83 * matchingRule [1] MatchingRuleId OPTIONAL,
84 * type [2] AttributeDescription OPTIONAL,
85 * matchValue [3] AssertionValue,
86 * dnAttributes [4] BOOLEAN DEFAULT FALSE
91 tag = ber_peek_tag( ber, &len );
93 if( tag == LBER_ERROR ) {
94 *text = "error decoding filter";
95 return SLAPD_DISCONNECT;
103 switch ( f.f_choice ) {
104 case LDAP_FILTER_EQUALITY:
106 LDAP_LOG( FILTER, DETAIL2,
107 "get_filter: conn %d EQUALITY\n", conn->c_connid, 0, 0 );
109 Debug( LDAP_DEBUG_FILTER, "EQUALITY\n", 0, 0, 0 );
111 err = get_ava( ber, &f.f_ava, SLAP_MR_EQUALITY, text );
112 if ( err != LDAP_SUCCESS ) {
116 assert( f.f_ava != NULL );
119 case LDAP_FILTER_SUBSTRINGS:
121 LDAP_LOG( FILTER, DETAIL1,
122 "get_filter: conn %d SUBSTRINGS\n", conn->c_connid, 0, 0 );
124 Debug( LDAP_DEBUG_FILTER, "SUBSTRINGS\n", 0, 0, 0 );
126 err = get_ssa( conn, ber, &f.f_sub, text );
127 if( err != LDAP_SUCCESS ) {
130 assert( f.f_sub != NULL );
135 LDAP_LOG( FILTER, DETAIL1,
136 "get_filter: conn %d GE\n", conn->c_connid, 0, 0 );
138 Debug( LDAP_DEBUG_FILTER, "GE\n", 0, 0, 0 );
140 err = get_ava( ber, &f.f_ava, SLAP_MR_ORDERING, text );
141 if ( err != LDAP_SUCCESS ) {
144 assert( f.f_ava != NULL );
149 LDAP_LOG( FILTER, DETAIL1,
150 "get_filter: conn %d LE\n", conn->c_connid, 0, 0 );
152 Debug( LDAP_DEBUG_FILTER, "LE\n", 0, 0, 0 );
154 err = get_ava( ber, &f.f_ava, SLAP_MR_ORDERING, text );
155 if ( err != LDAP_SUCCESS ) {
158 assert( f.f_ava != NULL );
161 case LDAP_FILTER_PRESENT: {
165 LDAP_LOG( FILTER, DETAIL1,
166 "get_filter: conn %d PRESENT\n", conn->c_connid, 0, 0 );
168 Debug( LDAP_DEBUG_FILTER, "PRESENT\n", 0, 0, 0 );
170 if ( ber_scanf( ber, "m", &type ) == LBER_ERROR ) {
171 err = SLAPD_DISCONNECT;
172 *text = "error decoding filter";
177 err = slap_bv2ad( &type, &f.f_desc, text );
179 if( err != LDAP_SUCCESS ) {
180 /* unrecognized attribute description or other error */
181 f.f_choice = SLAPD_FILTER_COMPUTED;
182 f.f_result = LDAP_COMPARE_FALSE;
188 assert( f.f_desc != NULL );
191 case LDAP_FILTER_APPROX:
193 LDAP_LOG( FILTER, DETAIL1,
194 "get_filter: conn %d APPROX\n", conn->c_connid, 0, 0 );
196 Debug( LDAP_DEBUG_FILTER, "APPROX\n", 0, 0, 0 );
198 err = get_ava( ber, &f.f_ava, SLAP_MR_EQUALITY_APPROX, text );
199 if ( err != LDAP_SUCCESS ) {
202 assert( f.f_ava != NULL );
205 case LDAP_FILTER_AND:
207 LDAP_LOG( FILTER, DETAIL1,
208 "get_filter: conn %d AND\n", conn->c_connid, 0, 0 );
210 Debug( LDAP_DEBUG_FILTER, "AND\n", 0, 0, 0 );
212 err = get_filter_list( conn, ber, &f.f_and, text );
213 if ( err != LDAP_SUCCESS ) {
216 /* no assert - list could be empty */
221 LDAP_LOG( FILTER, DETAIL1,
222 "get_filter: conn %d OR\n", conn->c_connid, 0, 0 );
224 Debug( LDAP_DEBUG_FILTER, "OR\n", 0, 0, 0 );
226 err = get_filter_list( conn, ber, &f.f_or, text );
227 if ( err != LDAP_SUCCESS ) {
230 /* no assert - list could be empty */
233 case LDAP_FILTER_NOT:
235 LDAP_LOG( FILTER, DETAIL1,
236 "get_filter: conn %d NOT\n", conn->c_connid, 0, 0 );
238 Debug( LDAP_DEBUG_FILTER, "NOT\n", 0, 0, 0 );
240 (void) ber_skip_tag( ber, &len );
241 err = get_filter( conn, ber, &f.f_not, text );
242 if ( err != LDAP_SUCCESS ) {
247 assert( f.f_not != NULL );
251 case LDAP_FILTER_EXT:
253 LDAP_LOG( FILTER, DETAIL1,
254 "get_filter: conn %d EXTENSIBLE\n", conn->c_connid, 0, 0 );
256 Debug( LDAP_DEBUG_FILTER, "EXTENSIBLE\n", 0, 0, 0 );
259 err = get_mra( ber, &f.f_mra, text );
260 if ( err != LDAP_SUCCESS ) {
265 assert( f.f_mra != NULL );
270 (void) ber_scanf( ber, "x" ); /* skip the element */
272 LDAP_LOG( FILTER, ERR,
273 "get_filter: conn %d unknown filter type=%lu\n",
274 conn->c_connid, f.f_choice, 0 );
276 Debug( LDAP_DEBUG_ANY, "get_filter: unknown filter type=%lu\n",
279 f.f_choice = SLAPD_FILTER_COMPUTED;
280 f.f_result = SLAPD_COMPARE_UNDEFINED;
284 if( err != LDAP_SUCCESS && err != SLAPD_DISCONNECT ) {
286 f.f_choice = SLAPD_FILTER_COMPUTED;
287 f.f_result = SLAPD_COMPARE_UNDEFINED;
291 if ( err == LDAP_SUCCESS ) {
292 *filt = ch_malloc( sizeof(f) );
297 LDAP_LOG( FILTER, DETAIL2,
298 "get_filter: conn %d exit\n", conn->c_connid, 0, 0 );
300 Debug( LDAP_DEBUG_FILTER, "end get_filter %d\n", err, 0, 0 );
307 get_filter_list( Connection *conn, BerElement *ber,
318 LDAP_LOG( FILTER, ENTRY,
319 "get_filter_list: conn %d start\n", conn->c_connid, 0, 0 );
321 Debug( LDAP_DEBUG_FILTER, "begin get_filter_list\n", 0, 0, 0 );
324 for ( tag = ber_first_element( ber, &len, &last );
326 tag = ber_next_element( ber, &len, last ) )
328 err = get_filter( conn, ber, new, text );
329 if ( err != LDAP_SUCCESS )
331 new = &(*new)->f_next;
336 LDAP_LOG( FILTER, ENTRY,
337 "get_filter_list: conn %d exit\n", conn->c_connid, 0, 0 );
339 Debug( LDAP_DEBUG_FILTER, "end get_filter_list\n", 0, 0, 0 );
341 return( LDAP_SUCCESS );
348 SubstringsAssertion **out,
354 struct berval desc, value, nvalue;
356 SubstringsAssertion ssa;
358 *text = "error decoding filter";
361 LDAP_LOG( FILTER, ENTRY,
362 "get_ssa: conn %d begin\n", conn->c_connid, 0, 0 );
364 Debug( LDAP_DEBUG_FILTER, "begin get_ssa\n", 0, 0, 0 );
366 if ( ber_scanf( ber, "{m" /*}*/, &desc ) == LBER_ERROR ) {
367 return SLAPD_DISCONNECT;
373 ssa.sa_initial.bv_val = NULL;
375 ssa.sa_final.bv_val = NULL;
377 rc = slap_bv2ad( &desc, &ssa.sa_desc, text );
379 if( rc != LDAP_SUCCESS ) {
383 rc = LDAP_PROTOCOL_ERROR;
385 for ( tag = ber_first_element( ber, &len, &last );
387 tag = ber_next_element( ber, &len, last ) )
391 rc = ber_scanf( ber, "m", &value );
392 if ( rc == LBER_ERROR ) {
393 rc = SLAPD_DISCONNECT;
397 if ( value.bv_val == NULL || value.bv_len == 0 ) {
398 rc = LDAP_INVALID_SYNTAX;
403 case LDAP_SUBSTRING_INITIAL:
404 usage = SLAP_MR_SUBSTR_INITIAL;
407 case LDAP_SUBSTRING_ANY:
408 usage = SLAP_MR_SUBSTR_ANY;
411 case LDAP_SUBSTRING_FINAL:
412 usage = SLAP_MR_SUBSTR_FINAL;
416 rc = LDAP_PROTOCOL_ERROR;
419 LDAP_LOG( FILTER, ERR,
420 "get_filter_substring: conn %d unknown substring choice=%ld\n",
421 conn->c_connid, (long)tag, 0 );
423 Debug( LDAP_DEBUG_FILTER,
424 " unknown substring choice=%ld\n",
431 /* validate/normalize using equality matching rule validator! */
432 rc = asserted_value_validate_normalize(
433 ssa.sa_desc, ssa.sa_desc->ad_type->sat_equality,
434 usage, &value, &nvalue, text );
436 if( rc != LDAP_SUCCESS ) {
440 rc = LDAP_PROTOCOL_ERROR;
443 case LDAP_SUBSTRING_INITIAL:
445 LDAP_LOG( FILTER, DETAIL1,
446 "get_ssa: conn %d INITIAL\n",
447 conn->c_connid, 0, 0 );
449 Debug( LDAP_DEBUG_FILTER, " INITIAL\n", 0, 0, 0 );
452 if ( ssa.sa_initial.bv_val != NULL
453 || ssa.sa_any != NULL
454 || ssa.sa_final.bv_val != NULL )
456 free( nvalue.bv_val );
460 ssa.sa_initial = nvalue;
463 case LDAP_SUBSTRING_ANY:
465 LDAP_LOG( FILTER, DETAIL1,
466 "get_ssa: conn %d ANY\n",
467 conn->c_connid, 0, 0 );
469 Debug( LDAP_DEBUG_FILTER, " ANY\n", 0, 0, 0 );
472 if ( ssa.sa_final.bv_val != NULL ) {
473 free( nvalue.bv_val );
477 ber_bvarray_add( &ssa.sa_any, &nvalue );
480 case LDAP_SUBSTRING_FINAL:
482 LDAP_LOG( FILTER, DETAIL1,
483 "get_ssa: conn %d FINAL\n",
484 conn->c_connid, 0, 0 );
486 Debug( LDAP_DEBUG_FILTER, " FINAL\n", 0, 0, 0 );
489 if ( ssa.sa_final.bv_val != NULL ) {
490 free( nvalue.bv_val );
494 ssa.sa_final = nvalue;
499 LDAP_LOG( FILTER, INFO,
500 "get_ssa: conn %d unknown substring type %ld\n",
501 conn->c_connid, (long)tag, 0 );
503 Debug( LDAP_DEBUG_FILTER,
504 " unknown substring type=%ld\n",
509 free( nvalue.bv_val );
513 LDAP_LOG( FILTER, INFO,
514 "get_ssa: conn %d error %ld\n",
515 conn->c_connid, (long)rc, 0 );
517 Debug( LDAP_DEBUG_FILTER, " error=%ld\n",
520 free( ssa.sa_initial.bv_val );
521 ber_bvarray_free( ssa.sa_any );
522 free( ssa.sa_final.bv_val );
529 if( rc == LDAP_SUCCESS ) {
530 *out = ch_malloc( sizeof( ssa ) );
535 LDAP_LOG( FILTER, ENTRY,
536 "get_ssa: conn %d exit\n", conn->c_connid, 0, 0 );
538 Debug( LDAP_DEBUG_FILTER, "end get_ssa\n", 0, 0, 0 );
545 filter_free( Filter *f )
553 switch ( f->f_choice ) {
554 case LDAP_FILTER_PRESENT:
557 case LDAP_FILTER_EQUALITY:
560 case LDAP_FILTER_APPROX:
561 ava_free( f->f_ava, 1 );
564 case LDAP_FILTER_SUBSTRINGS:
565 if ( f->f_sub_initial.bv_val != NULL ) {
566 free( f->f_sub_initial.bv_val );
568 ber_bvarray_free( f->f_sub_any );
569 if ( f->f_sub_final.bv_val != NULL ) {
570 free( f->f_sub_final.bv_val );
575 case LDAP_FILTER_AND:
577 case LDAP_FILTER_NOT:
578 for ( p = f->f_list; p != NULL; p = next ) {
584 case LDAP_FILTER_EXT:
585 mra_free( f->f_mra, 1 );
588 case SLAPD_FILTER_COMPUTED:
593 LDAP_LOG( FILTER, ERR,
594 "filter_free: unknown filter type %lu\n", f->f_choice, 0, 0 );
596 Debug( LDAP_DEBUG_ANY, "filter_free: unknown filter type=%lu\n",
606 filter2bv( Filter *f, struct berval *fstr )
614 ber_str2bv( "No filter!", sizeof("No filter!")-1, 1, fstr );
618 switch ( f->f_choice ) {
619 case LDAP_FILTER_EQUALITY:
620 filter_escape_value( &f->f_av_value, &tmp );
622 fstr->bv_len = f->f_av_desc->ad_cname.bv_len +
623 tmp.bv_len + ( sizeof("(=)") - 1 );
624 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
626 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=%s)",
627 f->f_av_desc->ad_cname.bv_val,
630 ber_memfree( tmp.bv_val );
634 filter_escape_value( &f->f_av_value, &tmp );
636 fstr->bv_len = f->f_av_desc->ad_cname.bv_len +
637 tmp.bv_len + ( sizeof("(>=)") - 1 );
638 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
640 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s>=%s)",
641 f->f_av_desc->ad_cname.bv_val,
644 ber_memfree( tmp.bv_val );
648 filter_escape_value( &f->f_av_value, &tmp );
650 fstr->bv_len = f->f_av_desc->ad_cname.bv_len +
651 tmp.bv_len + ( sizeof("(<=)") - 1 );
652 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
654 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s<=%s)",
655 f->f_av_desc->ad_cname.bv_val,
658 ber_memfree( tmp.bv_val );
661 case LDAP_FILTER_APPROX:
662 filter_escape_value( &f->f_av_value, &tmp );
664 fstr->bv_len = f->f_av_desc->ad_cname.bv_len +
665 tmp.bv_len + ( sizeof("(~=)") - 1 );
666 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
668 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s~=%s)",
669 f->f_av_desc->ad_cname.bv_val,
671 ber_memfree( tmp.bv_val );
674 case LDAP_FILTER_SUBSTRINGS:
675 fstr->bv_len = f->f_sub_desc->ad_cname.bv_len +
676 ( sizeof("(=*)") - 1 );
677 fstr->bv_val = ch_malloc( fstr->bv_len + 128 );
679 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=*)",
680 f->f_sub_desc->ad_cname.bv_val );
682 if ( f->f_sub_initial.bv_val != NULL ) {
685 filter_escape_value( &f->f_sub_initial, &tmp );
687 fstr->bv_len += tmp.bv_len;
688 fstr->bv_val = ch_realloc( fstr->bv_val, fstr->bv_len + 1 );
690 snprintf( &fstr->bv_val[len-2], tmp.bv_len+3,
691 /* "(attr=" */ "%s*)",
694 ber_memfree( tmp.bv_val );
697 if ( f->f_sub_any != NULL ) {
698 for ( i = 0; f->f_sub_any[i].bv_val != NULL; i++ ) {
700 filter_escape_value( &f->f_sub_any[i], &tmp );
702 fstr->bv_len += tmp.bv_len + 1;
703 fstr->bv_val = ch_realloc( fstr->bv_val, fstr->bv_len + 1 );
705 snprintf( &fstr->bv_val[len-1], tmp.bv_len+3,
706 /* "(attr=[init]*[any*]" */ "%s*)",
708 ber_memfree( tmp.bv_val );
712 if ( f->f_sub_final.bv_val != NULL ) {
715 filter_escape_value( &f->f_sub_final, &tmp );
717 fstr->bv_len += tmp.bv_len;
718 fstr->bv_val = ch_realloc( fstr->bv_val, fstr->bv_len + 1 );
720 snprintf( &fstr->bv_val[len-1], tmp.bv_len+3,
721 /* "(attr=[init*][any*]" */ "%s)",
724 ber_memfree( tmp.bv_val );
729 case LDAP_FILTER_PRESENT:
730 fstr->bv_len = f->f_desc->ad_cname.bv_len +
731 ( sizeof("(=*)") - 1 );
732 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
734 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=*)",
735 f->f_desc->ad_cname.bv_val );
738 case LDAP_FILTER_AND:
740 case LDAP_FILTER_NOT:
741 fstr->bv_len = sizeof("(%)") - 1;
742 fstr->bv_val = ch_malloc( fstr->bv_len + 128 );
744 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%c)",
745 f->f_choice == LDAP_FILTER_AND ? '&' :
746 f->f_choice == LDAP_FILTER_OR ? '|' : '!' );
748 for ( p = f->f_list; p != NULL; p = p->f_next ) {
751 filter2bv( p, &tmp );
753 fstr->bv_len += tmp.bv_len;
754 fstr->bv_val = ch_realloc( fstr->bv_val, fstr->bv_len + 1 );
756 snprintf( &fstr->bv_val[len-1], tmp.bv_len + 2,
757 /*"("*/ "%s)", tmp.bv_val );
759 ch_free( tmp.bv_val );
764 case LDAP_FILTER_EXT: {
766 filter_escape_value( &f->f_mr_value, &tmp );
768 if ( f->f_mr_desc ) {
769 ad = f->f_mr_desc->ad_cname;
775 fstr->bv_len = ad.bv_len +
776 ( f->f_mr_dnattrs ? sizeof(":dn")-1 : 0 ) +
777 ( f->f_mr_rule_text.bv_len ? f->f_mr_rule_text.bv_len+1 : 0 ) +
778 tmp.bv_len + ( sizeof("(:=)") - 1 );
779 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
781 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s%s%s%s:=%s)",
783 f->f_mr_dnattrs ? ":dn" : "",
784 f->f_mr_rule_text.bv_len ? ":" : "",
785 f->f_mr_rule_text.bv_len ? f->f_mr_rule_text.bv_val : "",
787 ber_memfree( tmp.bv_val );
790 case SLAPD_FILTER_COMPUTED:
792 f->f_result == LDAP_COMPARE_FALSE ? "(?=false)" :
793 f->f_result == LDAP_COMPARE_TRUE ? "(?=true)" :
794 f->f_result == SLAPD_COMPARE_UNDEFINED ? "(?=undefined)" :
796 f->f_result == LDAP_COMPARE_FALSE ? sizeof("(?=false)")-1 :
797 f->f_result == LDAP_COMPARE_TRUE ? sizeof("(?=true)")-1 :
798 f->f_result == SLAPD_COMPARE_UNDEFINED ? sizeof("(?=undefined)")-1 :
799 sizeof("(?=error)")-1,
804 ber_str2bv( "(?=unknown)", sizeof("(?=unknown)")-1, 1, fstr );
818 out->bv_val = (char *) ch_malloc( ( in->bv_len * 3 ) + 1 );
821 for( i=0; i < in->bv_len ; i++ ) {
822 if( FILTER_ESCAPE(in->bv_val[i]) ) {
823 out->bv_val[out->bv_len++] = SLAP_ESCAPE_CHAR;
824 out->bv_val[out->bv_len++] = SLAP_ESCAPE_HI( in->bv_val[i] );
825 out->bv_val[out->bv_len++] = SLAP_ESCAPE_LO( in->bv_val[i] );
827 out->bv_val[out->bv_len++] = in->bv_val[i];
831 out->bv_val[out->bv_len] = '\0';
839 ValuesReturnFilter **filt,
845 ValuesReturnFilter vrf;
848 LDAP_LOG( FILTER, ENTRY,
849 "get_simple_vrFilter: conn %d\n", conn->c_connid, 0, 0 );
851 Debug( LDAP_DEBUG_FILTER, "begin get_simple_vrFilter\n", 0, 0, 0 );
854 tag = ber_peek_tag( ber, &len );
856 if( tag == LBER_ERROR ) {
857 *text = "error decoding filter";
858 return SLAPD_DISCONNECT;
864 vrf.vrf_choice = tag;
866 switch ( vrf.vrf_choice ) {
867 case LDAP_FILTER_EQUALITY:
869 LDAP_LOG( FILTER, DETAIL2,
870 "get_simple_vrFilter: conn %d EQUALITY\n", conn->c_connid, 0, 0 );
872 Debug( LDAP_DEBUG_FILTER, "EQUALITY\n", 0, 0, 0 );
874 err = get_ava( ber, &vrf.vrf_ava, SLAP_MR_EQUALITY, text );
875 if ( err != LDAP_SUCCESS ) {
879 assert( vrf.vrf_ava != NULL );
882 case LDAP_FILTER_SUBSTRINGS:
884 LDAP_LOG( FILTER, DETAIL1,
885 "get_simple_vrFilter: conn %d SUBSTRINGS\n", conn->c_connid, 0, 0 );
887 Debug( LDAP_DEBUG_FILTER, "SUBSTRINGS\n", 0, 0, 0 );
889 err = get_ssa( conn, ber, &vrf.vrf_sub, text );
894 LDAP_LOG( FILTER, DETAIL1,
895 "get_simple_vrFilter: conn %d GE\n", conn->c_connid, 0, 0 );
897 Debug( LDAP_DEBUG_FILTER, "GE\n", 0, 0, 0 );
899 err = get_ava( ber, &vrf.vrf_ava, SLAP_MR_ORDERING, text );
900 if ( err != LDAP_SUCCESS ) {
907 LDAP_LOG( FILTER, DETAIL1,
908 "get_simple_vrFilter: conn %d LE\n", conn->c_connid, 0, 0 );
910 Debug( LDAP_DEBUG_FILTER, "LE\n", 0, 0, 0 );
912 err = get_ava( ber, &vrf.vrf_ava, SLAP_MR_ORDERING, text );
913 if ( err != LDAP_SUCCESS ) {
918 case LDAP_FILTER_PRESENT: {
922 LDAP_LOG( FILTER, DETAIL1,
923 "get_simple_vrFilter: conn %d PRESENT\n", conn->c_connid, 0, 0 );
925 Debug( LDAP_DEBUG_FILTER, "PRESENT\n", 0, 0, 0 );
927 if ( ber_scanf( ber, "m", &type ) == LBER_ERROR ) {
928 err = SLAPD_DISCONNECT;
929 *text = "error decoding filter";
934 err = slap_bv2ad( &type, &vrf.vrf_desc, text );
936 if( err != LDAP_SUCCESS ) {
937 /* unrecognized attribute description or other error */
938 vrf.vrf_choice = SLAPD_FILTER_COMPUTED;
939 vrf.vrf_result = LDAP_COMPARE_FALSE;
945 case LDAP_FILTER_APPROX:
947 LDAP_LOG( FILTER, DETAIL1,
948 "get_simple_vrFilter: conn %d APPROX\n", conn->c_connid, 0, 0 );
950 Debug( LDAP_DEBUG_FILTER, "APPROX\n", 0, 0, 0 );
952 err = get_ava( ber, &vrf.vrf_ava, SLAP_MR_EQUALITY_APPROX, text );
953 if ( err != LDAP_SUCCESS ) {
958 case LDAP_FILTER_EXT:
960 LDAP_LOG( FILTER, DETAIL1,
961 "get_simple_vrFilter: conn %d EXTENSIBLE\n", conn->c_connid, 0, 0 );
963 Debug( LDAP_DEBUG_FILTER, "EXTENSIBLE\n", 0, 0, 0 );
966 err = get_mra( ber, &vrf.vrf_mra, text );
967 if ( err != LDAP_SUCCESS ) {
971 assert( vrf.vrf_mra != NULL );
975 (void) ber_scanf( ber, "x" ); /* skip the element */
977 LDAP_LOG( FILTER, ERR,
978 "get_simple_vrFilter: conn %d unknown filter type=%lu\n",
979 conn->c_connid, vrf.vrf_choice, 0 );
981 Debug( LDAP_DEBUG_ANY, "get_simple_vrFilter: unknown filter type=%lu\n",
982 vrf.vrf_choice, 0, 0 );
984 vrf.vrf_choice = SLAPD_FILTER_COMPUTED;
985 vrf.vrf_result = SLAPD_COMPARE_UNDEFINED;
989 if ( err != LDAP_SUCCESS && err != SLAPD_DISCONNECT ) {
991 vrf.vrf_choice = SLAPD_FILTER_COMPUTED;
992 vrf.vrf_result = SLAPD_COMPARE_UNDEFINED;
996 if ( err == LDAP_SUCCESS ) {
997 *filt = ch_malloc( sizeof vrf );
1002 LDAP_LOG( FILTER, DETAIL2,
1003 "get_simple_vrFilter: conn %d exit\n", conn->c_connid, 0, 0 );
1005 Debug( LDAP_DEBUG_FILTER, "end get_simple_vrFilter %d\n", err, 0, 0 );
1012 get_vrFilter( Connection *conn, BerElement *ber,
1013 ValuesReturnFilter **vrf,
1017 * A ValuesReturnFilter looks like this:
1019 * ValuesReturnFilter ::= SEQUENCE OF SimpleFilterItem
1020 * SimpleFilterItem ::= CHOICE {
1021 * equalityMatch [3] AttributeValueAssertion,
1022 * substrings [4] SubstringFilter,
1023 * greaterOrEqual [5] AttributeValueAssertion,
1024 * lessOrEqual [6] AttributeValueAssertion,
1025 * present [7] AttributeType,
1026 * approxMatch [8] AttributeValueAssertion,
1027 * extensibleMatch [9] SimpleMatchingAssertion -- LDAPv3
1030 * SubstringFilter ::= SEQUENCE {
1031 * type AttributeType,
1032 * SEQUENCE OF CHOICE {
1033 * initial [0] IA5String,
1034 * any [1] IA5String,
1035 * final [2] IA5String
1039 * SimpleMatchingAssertion ::= SEQUENCE { -- LDAPv3
1040 * matchingRule [1] MatchingRuleId OPTIONAL,
1041 * type [2] AttributeDescription OPTIONAL,
1042 * matchValue [3] AssertionValue }
1045 ValuesReturnFilter **n;
1051 LDAP_LOG( FILTER, ENTRY,
1052 "get_vrFilter: conn %d start\n", conn->c_connid, 0, 0 );
1054 Debug( LDAP_DEBUG_FILTER, "begin get_vrFilter\n", 0, 0, 0 );
1057 tag = ber_peek_tag( ber, &len );
1059 if( tag == LBER_ERROR ) {
1060 *text = "error decoding vrFilter";
1061 return SLAPD_DISCONNECT;
1064 if( tag != LBER_SEQUENCE ) {
1065 *text = "error decoding vrFilter, expect SEQUENCE tag";
1066 return SLAPD_DISCONNECT;
1070 for ( tag = ber_first_element( ber, &len, &last );
1071 tag != LBER_DEFAULT;
1072 tag = ber_next_element( ber, &len, last ) )
1074 int err = get_simple_vrFilter( conn, ber, n, text );
1076 if ( err != LDAP_SUCCESS ) return( err );
1078 n = &(*n)->vrf_next;
1083 LDAP_LOG( FILTER, ENTRY,
1084 "get_vrFilter: conn %d exit\n", conn->c_connid, 0, 0 );
1086 Debug( LDAP_DEBUG_FILTER, "end get_vrFilter\n", 0, 0, 0 );
1088 return( LDAP_SUCCESS );
1092 vrFilter_free( ValuesReturnFilter *vrf )
1094 ValuesReturnFilter *p, *next;
1096 if ( vrf == NULL ) {
1100 for ( p = vrf; p != NULL; p = next ) {
1103 switch ( vrf->vrf_choice ) {
1104 case LDAP_FILTER_PRESENT:
1107 case LDAP_FILTER_EQUALITY:
1108 case LDAP_FILTER_GE:
1109 case LDAP_FILTER_LE:
1110 case LDAP_FILTER_APPROX:
1111 ava_free( vrf->vrf_ava, 1 );
1114 case LDAP_FILTER_SUBSTRINGS:
1115 if ( vrf->vrf_sub_initial.bv_val != NULL ) {
1116 free( vrf->vrf_sub_initial.bv_val );
1118 ber_bvarray_free( vrf->vrf_sub_any );
1119 if ( vrf->vrf_sub_final.bv_val != NULL ) {
1120 free( vrf->vrf_sub_final.bv_val );
1122 ch_free( vrf->vrf_sub );
1125 case LDAP_FILTER_EXT:
1126 mra_free( vrf->vrf_mra, 1 );
1129 case SLAPD_FILTER_COMPUTED:
1134 LDAP_LOG( FILTER, ERR,
1135 "filter_free: unknown filter type %lu\n", vrf->vrf_choice, 0, 0 );
1137 Debug( LDAP_DEBUG_ANY, "filter_free: unknown filter type=%lu\n",
1138 vrf->vrf_choice, 0, 0 );
1149 vrFilter2bv( ValuesReturnFilter *vrf, struct berval *fstr )
1151 ValuesReturnFilter *p;
1155 if ( vrf == NULL ) {
1156 ber_str2bv( "No filter!", sizeof("No filter!")-1, 1, fstr );
1160 fstr->bv_len = sizeof("()") - 1;
1161 fstr->bv_val = ch_malloc( fstr->bv_len + 128 );
1163 snprintf( fstr->bv_val, fstr->bv_len + 1, "()");
1165 for ( p = vrf; p != NULL; p = p->vrf_next ) {
1168 simple_vrFilter2bv( p, &tmp );
1170 fstr->bv_len += tmp.bv_len;
1171 fstr->bv_val = ch_realloc( fstr->bv_val, fstr->bv_len + 1 );
1173 snprintf( &fstr->bv_val[len-1], tmp.bv_len + 2,
1174 /*"("*/ "%s)", tmp.bv_val );
1176 ch_free( tmp.bv_val );
1181 simple_vrFilter2bv( ValuesReturnFilter *vrf, struct berval *fstr )
1186 if ( vrf == NULL ) {
1187 ber_str2bv( "No filter!", sizeof("No filter!")-1, 1, fstr );
1191 switch ( vrf->vrf_choice ) {
1192 case LDAP_FILTER_EQUALITY:
1193 filter_escape_value( &vrf->vrf_av_value, &tmp );
1195 fstr->bv_len = vrf->vrf_av_desc->ad_cname.bv_len +
1196 tmp.bv_len + ( sizeof("(=)") - 1 );
1197 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
1199 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=%s)",
1200 vrf->vrf_av_desc->ad_cname.bv_val,
1203 ber_memfree( tmp.bv_val );
1206 case LDAP_FILTER_GE:
1207 filter_escape_value( &vrf->vrf_av_value, &tmp );
1209 fstr->bv_len = vrf->vrf_av_desc->ad_cname.bv_len +
1210 tmp.bv_len + ( sizeof("(>=)") - 1 );
1211 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
1213 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s>=%s)",
1214 vrf->vrf_av_desc->ad_cname.bv_val,
1217 ber_memfree( tmp.bv_val );
1220 case LDAP_FILTER_LE:
1221 filter_escape_value( &vrf->vrf_av_value, &tmp );
1223 fstr->bv_len = vrf->vrf_av_desc->ad_cname.bv_len +
1224 tmp.bv_len + ( sizeof("(<=)") - 1 );
1225 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
1227 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s<=%s)",
1228 vrf->vrf_av_desc->ad_cname.bv_val,
1231 ber_memfree( tmp.bv_val );
1234 case LDAP_FILTER_APPROX:
1235 filter_escape_value( &vrf->vrf_av_value, &tmp );
1237 fstr->bv_len = vrf->vrf_av_desc->ad_cname.bv_len +
1238 tmp.bv_len + ( sizeof("(~=)") - 1 );
1239 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
1241 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s~=%s)",
1242 vrf->vrf_av_desc->ad_cname.bv_val,
1244 ber_memfree( tmp.bv_val );
1247 case LDAP_FILTER_SUBSTRINGS:
1248 fstr->bv_len = vrf->vrf_sub_desc->ad_cname.bv_len +
1249 ( sizeof("(=*)") - 1 );
1250 fstr->bv_val = ch_malloc( fstr->bv_len + 128 );
1252 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=*)",
1253 vrf->vrf_sub_desc->ad_cname.bv_val );
1255 if ( vrf->vrf_sub_initial.bv_val != NULL ) {
1258 filter_escape_value( &vrf->vrf_sub_initial, &tmp );
1260 fstr->bv_len += tmp.bv_len;
1261 fstr->bv_val = ch_realloc( fstr->bv_val, fstr->bv_len + 1 );
1263 snprintf( &fstr->bv_val[len-2], tmp.bv_len+3,
1264 /* "(attr=" */ "%s*)",
1267 ber_memfree( tmp.bv_val );
1270 if ( vrf->vrf_sub_any != NULL ) {
1272 for ( i = 0; vrf->vrf_sub_any[i].bv_val != NULL; i++ ) {
1274 filter_escape_value( &vrf->vrf_sub_any[i], &tmp );
1276 fstr->bv_len += tmp.bv_len + 1;
1277 fstr->bv_val = ch_realloc( fstr->bv_val, fstr->bv_len + 1 );
1279 snprintf( &fstr->bv_val[len-1], tmp.bv_len+3,
1280 /* "(attr=[init]*[any*]" */ "%s*)",
1282 ber_memfree( tmp.bv_val );
1286 if ( vrf->vrf_sub_final.bv_val != NULL ) {
1289 filter_escape_value( &vrf->vrf_sub_final, &tmp );
1291 fstr->bv_len += tmp.bv_len;
1292 fstr->bv_val = ch_realloc( fstr->bv_val, fstr->bv_len + 1 );
1294 snprintf( &fstr->bv_val[len-1], tmp.bv_len+3,
1295 /* "(attr=[init*][any*]" */ "%s)",
1298 ber_memfree( tmp.bv_val );
1303 case LDAP_FILTER_PRESENT:
1304 fstr->bv_len = vrf->vrf_desc->ad_cname.bv_len +
1305 ( sizeof("(=*)") - 1 );
1306 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
1308 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=*)",
1309 vrf->vrf_desc->ad_cname.bv_val );
1312 case LDAP_FILTER_EXT: {
1314 filter_escape_value( &vrf->vrf_mr_value, &tmp );
1316 if ( vrf->vrf_mr_desc ) {
1317 ad = vrf->vrf_mr_desc->ad_cname;
1323 fstr->bv_len = ad.bv_len +
1324 ( vrf->vrf_mr_dnattrs ? sizeof(":dn")-1 : 0 ) +
1325 ( vrf->vrf_mr_rule_text.bv_len ? vrf->vrf_mr_rule_text.bv_len+1 : 0 ) +
1326 tmp.bv_len + ( sizeof("(:=)") - 1 );
1327 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
1329 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s%s%s%s:=%s)",
1331 vrf->vrf_mr_dnattrs ? ":dn" : "",
1332 vrf->vrf_mr_rule_text.bv_len ? ":" : "",
1333 vrf->vrf_mr_rule_text.bv_len ? vrf->vrf_mr_rule_text.bv_val : "",
1336 ber_memfree( tmp.bv_val );
1339 case SLAPD_FILTER_COMPUTED:
1341 vrf->vrf_result == LDAP_COMPARE_FALSE ? "(?=false)" :
1342 vrf->vrf_result == LDAP_COMPARE_TRUE ? "(?=true)" :
1343 vrf->vrf_result == SLAPD_COMPARE_UNDEFINED ? "(?=undefined)" :
1345 vrf->vrf_result == LDAP_COMPARE_FALSE ? sizeof("(?=false)")-1 :
1346 vrf->vrf_result == LDAP_COMPARE_TRUE ? sizeof("(?=true)")-1 :
1347 vrf->vrf_result == SLAPD_COMPARE_UNDEFINED ? sizeof("(?=undefined)")-1 :
1348 sizeof("(?=error)")-1,
1353 ber_str2bv( "(?=unknown)", sizeof("(?=unknown)")-1, 1, fstr );
1360 get_substring_vrFilter(
1363 ValuesReturnFilter *vrf,
1369 struct berval value;
1372 *text = "error decoding filter";
1375 LDAP_LOG( FILTER, ENTRY,
1376 "get_substring_filter: conn %d begin\n", conn->c_connid, 0, 0 );
1378 Debug( LDAP_DEBUG_FILTER, "begin get_substring_filter\n", 0, 0, 0 );
1380 if ( ber_scanf( ber, "{m" /*}*/, &bv ) == LBER_ERROR ) {
1381 return SLAPD_DISCONNECT;
1384 vrf->vrf_sub = ch_calloc( 1, sizeof(SubstringsAssertion) );
1385 vrf->vrf_sub_desc = NULL;
1386 rc = slap_bv2ad( &bv, &vrf->vrf_sub_desc, text );
1388 if( rc != LDAP_SUCCESS ) {
1390 ch_free( vrf->vrf_sub );
1391 vrf->vrf_choice = SLAPD_FILTER_COMPUTED;
1392 vrf->vrf_result = SLAPD_COMPARE_UNDEFINED;
1393 return LDAP_SUCCESS;
1396 vrf->vrf_sub_initial.bv_val = NULL;
1397 vrf->vrf_sub_any = NULL;
1398 vrf->vrf_sub_final.bv_val = NULL;
1400 for ( tag = ber_first_element( ber, &len, &last ); tag != LBER_DEFAULT;
1401 tag = ber_next_element( ber, &len, last ) )
1405 rc = ber_scanf( ber, "m", &value );
1406 if ( rc == LBER_ERROR ) {
1407 rc = SLAPD_DISCONNECT;
1411 if ( value.bv_val == NULL || value.bv_len == 0 ) {
1412 rc = LDAP_INVALID_SYNTAX;
1417 case LDAP_SUBSTRING_INITIAL:
1418 usage = SLAP_MR_SUBSTR_INITIAL;
1421 case LDAP_SUBSTRING_ANY:
1422 usage = SLAP_MR_SUBSTR_ANY;
1425 case LDAP_SUBSTRING_FINAL:
1426 usage = SLAP_MR_SUBSTR_FINAL;
1430 rc = LDAP_PROTOCOL_ERROR;
1433 LDAP_LOG( FILTER, ERR,
1434 "get_filter_substring: conn %d unknown substring choice=%ld\n",
1435 conn->c_connid, (long)tag, 0 );
1437 Debug( LDAP_DEBUG_FILTER,
1438 " unknown substring choice=%ld\n",
1444 /* validate/normalize using equality matching rule validator! */
1445 rc = asserted_value_validate_normalize(
1446 vrf->vrf_sub_desc, vrf->vrf_sub_desc->ad_type->sat_equality,
1447 usage, &value, &bv, text );
1448 if( rc != LDAP_SUCCESS ) {
1454 rc = LDAP_PROTOCOL_ERROR;
1457 case LDAP_SUBSTRING_INITIAL:
1459 LDAP_LOG( FILTER, DETAIL1,
1460 "get_substring_filter: conn %d INITIAL\n",
1461 conn->c_connid, 0, 0 );
1463 Debug( LDAP_DEBUG_FILTER, " INITIAL\n", 0, 0, 0 );
1466 if ( vrf->vrf_sub_initial.bv_val != NULL
1467 || vrf->vrf_sub_any != NULL
1468 || vrf->vrf_sub_final.bv_val != NULL )
1470 free( value.bv_val );
1474 vrf->vrf_sub_initial = value;
1477 case LDAP_SUBSTRING_ANY:
1479 LDAP_LOG( FILTER, DETAIL1,
1480 "get_substring_filter: conn %d ANY\n", conn->c_connid, 0, 0 );
1482 Debug( LDAP_DEBUG_FILTER, " ANY\n", 0, 0, 0 );
1485 if ( vrf->vrf_sub_final.bv_val != NULL ) {
1486 free( value.bv_val );
1490 ber_bvarray_add( &vrf->vrf_sub_any, &value );
1493 case LDAP_SUBSTRING_FINAL:
1495 LDAP_LOG( FILTER, DETAIL1,
1496 "get_substring_filter: conn %d FINAL\n", conn->c_connid, 0, 0 );
1498 Debug( LDAP_DEBUG_FILTER, " FINAL\n", 0, 0, 0 );
1501 if ( vrf->vrf_sub_final.bv_val != NULL ) {
1502 free( value.bv_val );
1506 vrf->vrf_sub_final = value;
1511 LDAP_LOG( FILTER, INFO,
1512 "get_substring_filter: conn %d unknown substring type %ld\n",
1513 conn->c_connid, (long)tag, 0 );
1515 Debug( LDAP_DEBUG_FILTER,
1516 " unknown substring type=%ld\n",
1520 free( value.bv_val );
1524 LDAP_LOG( FILTER, INFO,
1525 "get_substring_filter: conn %d error %ld\n",
1526 conn->c_connid, (long)rc, 0 );
1528 Debug( LDAP_DEBUG_FILTER, " error=%ld\n",
1531 free( vrf->vrf_sub_initial.bv_val );
1532 ber_bvarray_free( vrf->vrf_sub_any );
1533 free( vrf->vrf_sub_final.bv_val );
1534 ch_free( vrf->vrf_sub );
1540 LDAP_LOG( FILTER, ENTRY,
1541 "get_substring_filter: conn %d exit\n", conn->c_connid, 0, 0 );
1543 Debug( LDAP_DEBUG_FILTER, "end get_substring_filter\n", 0, 0, 0 );
1545 return( LDAP_SUCCESS );