1 /* filter.c - routines for parsing and dealing with filters */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 1998-2006 The OpenLDAP Foundation.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
16 /* Portions Copyright (c) 1995 Regents of the University of Michigan.
17 * All rights reserved.
19 * Redistribution and use in source and binary forms are permitted
20 * provided that this notice is preserved and that due credit is given
21 * to the University of Michigan at Ann Arbor. The name of the University
22 * may not be used to endorse or promote products derived from this
23 * software without specific prior written permission. This software
24 * is provided ``as is'' without express or implied warranty.
31 #include <ac/socket.h>
32 #include <ac/string.h>
36 static int get_filter_list(
45 SubstringsAssertion **s,
48 static void simple_vrFilter2bv(
50 ValuesReturnFilter *f,
51 struct berval *fstr );
53 static int get_simple_vrFilter(
56 ValuesReturnFilter **f,
71 Debug( LDAP_DEBUG_FILTER, "begin get_filter\n", 0, 0, 0 );
73 * A filter looks like this coming in:
75 * and [0] SET OF Filter,
76 * or [1] SET OF Filter,
78 * equalityMatch [3] AttributeValueAssertion,
79 * substrings [4] SubstringFilter,
80 * greaterOrEqual [5] AttributeValueAssertion,
81 * lessOrEqual [6] AttributeValueAssertion,
82 * present [7] AttributeType,,
83 * approxMatch [8] AttributeValueAssertion
84 * extensibleMatch [9] MatchingRuleAssertion
87 * SubstringFilter ::= SEQUENCE {
89 * SEQUENCE OF CHOICE {
90 * initial [0] IA5String,
96 * MatchingRuleAssertion ::= SEQUENCE {
97 * matchingRule [1] MatchingRuleId OPTIONAL,
98 * type [2] AttributeDescription OPTIONAL,
99 * matchValue [3] AssertionValue,
100 * dnAttributes [4] BOOLEAN DEFAULT FALSE
105 tag = ber_peek_tag( ber, &len );
107 if( tag == LBER_ERROR ) {
108 *text = "error decoding filter";
109 return SLAPD_DISCONNECT;
117 switch ( f.f_choice ) {
118 case LDAP_FILTER_EQUALITY:
119 Debug( LDAP_DEBUG_FILTER, "EQUALITY\n", 0, 0, 0 );
120 err = get_ava( op, ber, &f.f_ava, SLAP_MR_EQUALITY, text );
121 if ( err != LDAP_SUCCESS ) {
125 assert( f.f_ava != NULL );
128 case LDAP_FILTER_SUBSTRINGS:
129 Debug( LDAP_DEBUG_FILTER, "SUBSTRINGS\n", 0, 0, 0 );
130 err = get_ssa( op, ber, &f.f_sub, text );
131 if( err != LDAP_SUCCESS ) {
134 assert( f.f_sub != NULL );
138 Debug( LDAP_DEBUG_FILTER, "GE\n", 0, 0, 0 );
139 err = get_ava( op, ber, &f.f_ava, SLAP_MR_ORDERING, text );
140 if ( err != LDAP_SUCCESS ) {
143 assert( f.f_ava != NULL );
147 Debug( LDAP_DEBUG_FILTER, "LE\n", 0, 0, 0 );
148 err = get_ava( op, ber, &f.f_ava, SLAP_MR_ORDERING, text );
149 if ( err != LDAP_SUCCESS ) {
152 assert( f.f_ava != NULL );
155 case LDAP_FILTER_PRESENT: {
158 Debug( LDAP_DEBUG_FILTER, "PRESENT\n", 0, 0, 0 );
159 if ( ber_scanf( ber, "m", &type ) == LBER_ERROR ) {
160 err = SLAPD_DISCONNECT;
161 *text = "error decoding filter";
166 err = slap_bv2ad( &type, &f.f_desc, text );
168 if( err != LDAP_SUCCESS ) {
169 err = slap_bv2undef_ad( &type, &f.f_desc, text,
170 SLAP_AD_PROXIED|SLAP_AD_NOINSERT );
172 if ( err != LDAP_SUCCESS ) {
173 /* unrecognized attribute description or other error */
174 Debug( LDAP_DEBUG_ANY,
175 "get_filter: conn %lu unknown attribute "
177 op->o_connid, type.bv_val, err );
179 f.f_choice = SLAPD_FILTER_COMPUTED;
180 f.f_result = LDAP_COMPARE_FALSE;
187 assert( f.f_desc != NULL );
190 case LDAP_FILTER_APPROX:
191 Debug( LDAP_DEBUG_FILTER, "APPROX\n", 0, 0, 0 );
192 err = get_ava( op, ber, &f.f_ava, SLAP_MR_EQUALITY_APPROX, text );
193 if ( err != LDAP_SUCCESS ) {
196 assert( f.f_ava != NULL );
199 case LDAP_FILTER_AND:
200 Debug( LDAP_DEBUG_FILTER, "AND\n", 0, 0, 0 );
201 err = get_filter_list( op, ber, &f.f_and, text );
202 if ( err != LDAP_SUCCESS ) {
205 if ( f.f_and == NULL ) {
206 f.f_choice = SLAPD_FILTER_COMPUTED;
207 f.f_result = LDAP_COMPARE_TRUE;
209 /* no assert - list could be empty */
213 Debug( LDAP_DEBUG_FILTER, "OR\n", 0, 0, 0 );
214 err = get_filter_list( op, ber, &f.f_or, text );
215 if ( err != LDAP_SUCCESS ) {
218 if ( f.f_or == NULL ) {
219 f.f_choice = SLAPD_FILTER_COMPUTED;
220 f.f_result = LDAP_COMPARE_FALSE;
222 /* no assert - list could be empty */
225 case LDAP_FILTER_NOT:
226 Debug( LDAP_DEBUG_FILTER, "NOT\n", 0, 0, 0 );
227 (void) ber_skip_tag( ber, &len );
228 err = get_filter( op, ber, &f.f_not, text );
229 if ( err != LDAP_SUCCESS ) {
233 assert( f.f_not != NULL );
234 if ( f.f_not->f_choice == SLAPD_FILTER_COMPUTED ) {
235 int fresult = f.f_not->f_result;
236 f.f_choice = SLAPD_FILTER_COMPUTED;
237 op->o_tmpfree( f.f_not, op->o_tmpmemctx );
241 case LDAP_COMPARE_TRUE:
242 f.f_result = LDAP_COMPARE_FALSE;
244 case LDAP_COMPARE_FALSE:
245 f.f_result = LDAP_COMPARE_TRUE;
248 /* (!Undefined) is Undefined */
253 case LDAP_FILTER_EXT:
254 Debug( LDAP_DEBUG_FILTER, "EXTENSIBLE\n", 0, 0, 0 );
256 err = get_mra( op, ber, &f.f_mra, text );
257 if ( err != LDAP_SUCCESS ) {
261 assert( f.f_mra != NULL );
265 (void) ber_scanf( ber, "x" ); /* skip the element */
266 Debug( LDAP_DEBUG_ANY, "get_filter: unknown filter type=%lu\n",
268 f.f_choice = SLAPD_FILTER_COMPUTED;
269 f.f_result = SLAPD_COMPARE_UNDEFINED;
273 if( err != LDAP_SUCCESS && err != SLAPD_DISCONNECT ) {
276 f.f_choice = SLAPD_FILTER_COMPUTED;
277 f.f_result = SLAPD_COMPARE_UNDEFINED;
281 if ( err == LDAP_SUCCESS ) {
282 *filt = op->o_tmpalloc( sizeof(f), op->o_tmpmemctx );
286 Debug( LDAP_DEBUG_FILTER, "end get_filter %d\n", err, 0, 0 );
292 get_filter_list( Operation *op, BerElement *ber,
302 Debug( LDAP_DEBUG_FILTER, "begin get_filter_list\n", 0, 0, 0 );
304 for ( tag = ber_first_element( ber, &len, &last );
306 tag = ber_next_element( ber, &len, last ) )
308 err = get_filter( op, ber, new, text );
309 if ( err != LDAP_SUCCESS )
311 new = &(*new)->f_next;
315 Debug( LDAP_DEBUG_FILTER, "end get_filter_list\n", 0, 0, 0 );
316 return( LDAP_SUCCESS );
323 SubstringsAssertion **out,
329 struct berval desc, value, nvalue;
331 SubstringsAssertion ssa;
333 *text = "error decoding filter";
336 Debug( LDAP_DEBUG_FILTER, "begin get_ssa\n", 0, 0, 0 );
337 if ( ber_scanf( ber, "{m" /*}*/, &desc ) == LBER_ERROR ) {
338 return SLAPD_DISCONNECT;
344 ssa.sa_initial.bv_val = NULL;
346 ssa.sa_final.bv_val = NULL;
348 rc = slap_bv2ad( &desc, &ssa.sa_desc, text );
350 if( rc != LDAP_SUCCESS ) {
351 rc = slap_bv2undef_ad( &desc, &ssa.sa_desc, text,
352 SLAP_AD_PROXIED|SLAP_AD_NOINSERT );
354 if( rc != LDAP_SUCCESS ) {
355 Debug( LDAP_DEBUG_ANY,
356 "get_ssa: conn %lu unknown attribute type=%s (%ld)\n",
357 op->o_connid, desc.bv_val, (long) rc );
359 /* skip over the rest of this filter */
360 for ( tag = ber_first_element( ber, &len, &last );
362 tag = ber_next_element( ber, &len, last ) ) {
363 ber_scanf( ber, "x" );
369 rc = LDAP_PROTOCOL_ERROR;
371 for ( tag = ber_first_element( ber, &len, &last );
373 tag = ber_next_element( ber, &len, last ) )
377 rc = ber_scanf( ber, "m", &value );
378 if ( rc == LBER_ERROR ) {
379 rc = SLAPD_DISCONNECT;
383 if ( value.bv_val == NULL || value.bv_len == 0 ) {
384 rc = LDAP_INVALID_SYNTAX;
389 case LDAP_SUBSTRING_INITIAL:
390 if ( ssa.sa_initial.bv_val != NULL
391 || ssa.sa_any != NULL
392 || ssa.sa_final.bv_val != NULL )
394 rc = LDAP_PROTOCOL_ERROR;
397 usage = SLAP_MR_SUBSTR_INITIAL;
400 case LDAP_SUBSTRING_ANY:
401 if ( ssa.sa_final.bv_val != NULL ) {
402 rc = LDAP_PROTOCOL_ERROR;
405 usage = SLAP_MR_SUBSTR_ANY;
408 case LDAP_SUBSTRING_FINAL:
409 if ( ssa.sa_final.bv_val != NULL ) {
410 rc = LDAP_PROTOCOL_ERROR;
414 usage = SLAP_MR_SUBSTR_FINAL;
418 Debug( LDAP_DEBUG_FILTER,
419 " unknown substring choice=%ld\n",
422 rc = LDAP_PROTOCOL_ERROR;
426 /* validate/normalize using equality matching rule validator! */
427 rc = asserted_value_validate_normalize(
428 ssa.sa_desc, ssa.sa_desc->ad_type->sat_equality,
429 usage, &value, &nvalue, text, op->o_tmpmemctx );
430 if( rc != LDAP_SUCCESS ) goto return_error;
433 case LDAP_SUBSTRING_INITIAL:
434 Debug( LDAP_DEBUG_FILTER, " INITIAL\n", 0, 0, 0 );
435 ssa.sa_initial = nvalue;
438 case LDAP_SUBSTRING_ANY:
439 Debug( LDAP_DEBUG_FILTER, " ANY\n", 0, 0, 0 );
440 ber_bvarray_add_x( &ssa.sa_any, &nvalue, op->o_tmpmemctx );
443 case LDAP_SUBSTRING_FINAL:
444 Debug( LDAP_DEBUG_FILTER, " FINAL\n", 0, 0, 0 );
445 ssa.sa_final = nvalue;
450 slap_sl_free( nvalue.bv_val, op->o_tmpmemctx );
451 rc = LDAP_PROTOCOL_ERROR;
454 Debug( LDAP_DEBUG_FILTER, " error=%ld\n",
456 slap_sl_free( ssa.sa_initial.bv_val, op->o_tmpmemctx );
457 ber_bvarray_free_x( ssa.sa_any, op->o_tmpmemctx );
458 slap_sl_free( ssa.sa_final.bv_val, op->o_tmpmemctx );
465 if( rc == LDAP_SUCCESS ) {
466 *out = op->o_tmpalloc( sizeof( ssa ), op->o_tmpmemctx );
470 Debug( LDAP_DEBUG_FILTER, "end get_ssa\n", 0, 0, 0 );
471 return rc /* LDAP_SUCCESS */ ;
475 filter_free_x( Operation *op, Filter *f )
483 switch ( f->f_choice ) {
484 case LDAP_FILTER_PRESENT:
487 case LDAP_FILTER_EQUALITY:
490 case LDAP_FILTER_APPROX:
491 ava_free( op, f->f_ava, 1 );
494 case LDAP_FILTER_SUBSTRINGS:
495 if ( f->f_sub_initial.bv_val != NULL ) {
496 op->o_tmpfree( f->f_sub_initial.bv_val, op->o_tmpmemctx );
498 ber_bvarray_free_x( f->f_sub_any, op->o_tmpmemctx );
499 if ( f->f_sub_final.bv_val != NULL ) {
500 op->o_tmpfree( f->f_sub_final.bv_val, op->o_tmpmemctx );
502 op->o_tmpfree( f->f_sub, op->o_tmpmemctx );
505 case LDAP_FILTER_AND:
507 case LDAP_FILTER_NOT:
508 for ( p = f->f_list; p != NULL; p = next ) {
510 filter_free_x( op, p );
514 case LDAP_FILTER_EXT:
515 mra_free( op, f->f_mra, 1 );
518 case SLAPD_FILTER_COMPUTED:
522 Debug( LDAP_DEBUG_ANY, "filter_free: unknown filter type=%lu\n",
527 op->o_tmpfree( f, op->o_tmpmemctx );
531 filter_free( Filter *f )
537 op.o_tmpmemctx = slap_sl_context( f );
538 op.o_tmpmfuncs = &slap_sl_mfuncs;
539 filter_free_x( &op, f );
543 filter2bv_x( Operation *op, Filter *f, struct berval *fstr )
549 ber_bvfalse = BER_BVC( "(?=false)" ),
550 ber_bvtrue = BER_BVC( "(?=true)" ),
551 ber_bvundefined = BER_BVC( "(?=undefined)" ),
552 ber_bverror = BER_BVC( "(?=error)" ),
553 ber_bvunknown = BER_BVC( "(?=unknown)" ),
554 ber_bvnone = BER_BVC( "(?=none)" );
558 ber_dupbv_x( fstr, &ber_bvnone, op->o_tmpmemctx );
562 switch ( f->f_choice ) {
563 case LDAP_FILTER_EQUALITY:
564 filter_escape_value_x( &f->f_av_value, &tmp, op->o_tmpmemctx );
565 /* NOTE: tmp can legitimately be NULL (meaning empty)
566 * since in a Filter values in AVAs are supposed
567 * to have been normalized, meaning that an empty value
568 * is legal for that attribute's syntax */
570 fstr->bv_len = f->f_av_desc->ad_cname.bv_len +
571 tmp.bv_len + STRLENOF("(=)");
572 fstr->bv_val = op->o_tmpalloc( fstr->bv_len + 1, op->o_tmpmemctx );
574 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=%s)",
575 f->f_av_desc->ad_cname.bv_val,
576 tmp.bv_len ? tmp.bv_val : "" );
578 ber_memfree_x( tmp.bv_val, op->o_tmpmemctx );
582 filter_escape_value_x( &f->f_av_value, &tmp, op->o_tmpmemctx );
583 /* NOTE: tmp can legitimately be NULL (meaning empty)
584 * since in a Filter values in AVAs are supposed
585 * to have been normalized, meaning that an empty value
586 * is legal for that attribute's syntax */
588 fstr->bv_len = f->f_av_desc->ad_cname.bv_len +
589 tmp.bv_len + STRLENOF("(>=)");
590 fstr->bv_val = op->o_tmpalloc( fstr->bv_len + 1, op->o_tmpmemctx );
592 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s>=%s)",
593 f->f_av_desc->ad_cname.bv_val,
594 tmp.bv_len ? tmp.bv_val : "");
596 ber_memfree_x( tmp.bv_val, op->o_tmpmemctx );
600 filter_escape_value_x( &f->f_av_value, &tmp, op->o_tmpmemctx );
601 /* NOTE: tmp can legitimately be NULL (meaning empty)
602 * since in a Filter values in AVAs are supposed
603 * to have been normalized, meaning that an empty value
604 * is legal for that attribute's syntax */
606 fstr->bv_len = f->f_av_desc->ad_cname.bv_len +
607 tmp.bv_len + STRLENOF("(<=)");
608 fstr->bv_val = op->o_tmpalloc( fstr->bv_len + 1, op->o_tmpmemctx );
610 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s<=%s)",
611 f->f_av_desc->ad_cname.bv_val,
612 tmp.bv_len ? tmp.bv_val : "");
614 ber_memfree_x( tmp.bv_val, op->o_tmpmemctx );
617 case LDAP_FILTER_APPROX:
618 filter_escape_value_x( &f->f_av_value, &tmp, op->o_tmpmemctx );
619 /* NOTE: tmp can legitimately be NULL (meaning empty)
620 * since in a Filter values in AVAs are supposed
621 * to have been normalized, meaning that an empty value
622 * is legal for that attribute's syntax */
624 fstr->bv_len = f->f_av_desc->ad_cname.bv_len +
625 tmp.bv_len + STRLENOF("(~=)");
626 fstr->bv_val = op->o_tmpalloc( fstr->bv_len + 1, op->o_tmpmemctx );
628 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s~=%s)",
629 f->f_av_desc->ad_cname.bv_val,
630 tmp.bv_len ? tmp.bv_val : "");
631 ber_memfree_x( tmp.bv_val, op->o_tmpmemctx );
634 case LDAP_FILTER_SUBSTRINGS:
635 fstr->bv_len = f->f_sub_desc->ad_cname.bv_len +
637 fstr->bv_val = op->o_tmpalloc( fstr->bv_len + 128, op->o_tmpmemctx );
639 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=*)",
640 f->f_sub_desc->ad_cname.bv_val );
642 if ( f->f_sub_initial.bv_val != NULL ) {
647 filter_escape_value_x( &f->f_sub_initial, &tmp, op->o_tmpmemctx );
648 tmplen = tmp.bv_len ? tmp.bv_len : STRLENOF( "(null)" );
650 fstr->bv_len += tmplen;
651 fstr->bv_val = op->o_tmprealloc( fstr->bv_val,
652 fstr->bv_len + 1, op->o_tmpmemctx );
654 snprintf( &fstr->bv_val[len-2],
655 tmplen + STRLENOF( /*(*/ "*)" ) + 1,
656 /* "(attr=" */ "%s*)",
657 tmp.bv_len ? tmp.bv_val : "(null)");
659 ber_memfree_x( tmp.bv_val, op->o_tmpmemctx );
662 if ( f->f_sub_any != NULL ) {
663 for ( i = 0; f->f_sub_any[i].bv_val != NULL; i++ ) {
667 filter_escape_value_x( &f->f_sub_any[i],
668 &tmp, op->o_tmpmemctx );
669 tmplen = tmp.bv_len ? tmp.bv_len : STRLENOF( "(null)" );
671 fstr->bv_len += tmplen + STRLENOF( /*(*/ ")" );
672 fstr->bv_val = op->o_tmprealloc( fstr->bv_val,
673 fstr->bv_len + 1, op->o_tmpmemctx );
675 snprintf( &fstr->bv_val[len-1],
676 tmplen + STRLENOF( /*(*/ "*)" ) + 1,
677 /* "(attr=[init]*[any*]" */ "%s*)",
678 tmp.bv_len ? tmp.bv_val : "(null)");
679 ber_memfree_x( tmp.bv_val, op->o_tmpmemctx );
683 if ( f->f_sub_final.bv_val != NULL ) {
688 filter_escape_value_x( &f->f_sub_final, &tmp, op->o_tmpmemctx );
689 tmplen = tmp.bv_len ? tmp.bv_len : STRLENOF( "(null)" );
691 fstr->bv_len += tmplen;
692 fstr->bv_val = op->o_tmprealloc( fstr->bv_val,
693 fstr->bv_len + 1, op->o_tmpmemctx );
695 snprintf( &fstr->bv_val[len-1],
696 tmplen + STRLENOF( /*(*/ ")" ) + 1,
697 /* "(attr=[init*][any*]" */ "%s)",
698 tmp.bv_len ? tmp.bv_val : "(null)");
700 ber_memfree_x( tmp.bv_val, op->o_tmpmemctx );
705 case LDAP_FILTER_PRESENT:
706 fstr->bv_len = f->f_desc->ad_cname.bv_len +
708 fstr->bv_val = op->o_tmpalloc( fstr->bv_len + 1, op->o_tmpmemctx );
710 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=*)",
711 f->f_desc->ad_cname.bv_val );
714 case LDAP_FILTER_AND:
716 case LDAP_FILTER_NOT:
717 fstr->bv_len = STRLENOF("(%)");
718 fstr->bv_val = op->o_tmpalloc( fstr->bv_len + 128, op->o_tmpmemctx );
720 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%c)",
721 f->f_choice == LDAP_FILTER_AND ? '&' :
722 f->f_choice == LDAP_FILTER_OR ? '|' : '!' );
724 for ( p = f->f_list; p != NULL; p = p->f_next ) {
727 filter2bv_x( op, p, &tmp );
729 fstr->bv_len += tmp.bv_len;
730 fstr->bv_val = op->o_tmprealloc( fstr->bv_val, fstr->bv_len + 1,
733 snprintf( &fstr->bv_val[len-1],
734 tmp.bv_len + STRLENOF( /*(*/ ")" ) + 1,
735 /*"("*/ "%s)", tmp.bv_val );
737 op->o_tmpfree( tmp.bv_val, op->o_tmpmemctx );
742 case LDAP_FILTER_EXT: {
745 filter_escape_value_x( &f->f_mr_value, &tmp, op->o_tmpmemctx );
746 /* NOTE: tmp can legitimately be NULL (meaning empty)
747 * since in a Filter values in MRAs are supposed
748 * to have been normalized, meaning that an empty value
749 * is legal for that attribute's syntax */
751 if ( f->f_mr_desc ) {
752 ad = f->f_mr_desc->ad_cname;
758 fstr->bv_len = ad.bv_len +
759 ( f->f_mr_dnattrs ? STRLENOF(":dn") : 0 ) +
760 ( f->f_mr_rule_text.bv_len ? f->f_mr_rule_text.bv_len+1 : 0 ) +
761 tmp.bv_len + STRLENOF("(:=)");
762 fstr->bv_val = op->o_tmpalloc( fstr->bv_len + 1, op->o_tmpmemctx );
764 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s%s%s%s:=%s)",
766 f->f_mr_dnattrs ? ":dn" : "",
767 f->f_mr_rule_text.bv_len ? ":" : "",
768 f->f_mr_rule_text.bv_len ? f->f_mr_rule_text.bv_val : "",
769 tmp.bv_len ? tmp.bv_val : "" );
770 ber_memfree_x( tmp.bv_val, op->o_tmpmemctx );
773 case SLAPD_FILTER_COMPUTED:
774 switch ( f->f_result ) {
775 case LDAP_COMPARE_FALSE:
779 case LDAP_COMPARE_TRUE:
783 case SLAPD_COMPARE_UNDEFINED:
784 tmp = ber_bvundefined;
792 ber_dupbv_x( fstr, &tmp, op->o_tmpmemctx );
796 ber_dupbv_x( fstr, &ber_bvunknown, op->o_tmpmemctx );
802 filter2bv( Filter *f, struct berval *fstr )
808 op.o_tmpmemctx = NULL;
809 op.o_tmpmfuncs = &ch_mfuncs;
811 filter2bv_x( &op, f, fstr );
815 filter_dup( Filter *f, void *memctx )
817 BerMemoryFunctions *mf = &slap_sl_mfuncs;
823 n = mf->bmf_malloc( sizeof(Filter), memctx );
824 n->f_choice = f->f_choice;
827 switch( f->f_choice ) {
828 case SLAPD_FILTER_COMPUTED:
829 n->f_result = f->f_result;
831 case LDAP_FILTER_PRESENT:
832 n->f_desc = f->f_desc;
834 case LDAP_FILTER_EQUALITY:
837 case LDAP_FILTER_APPROX:
838 /* Should this be ava_dup() ? */
839 n->f_ava = mf->bmf_calloc( 1, sizeof(AttributeAssertion), memctx );
840 *n->f_ava = *f->f_ava;
841 ber_dupbv_x( &n->f_av_value, &f->f_av_value, memctx );
843 case LDAP_FILTER_SUBSTRINGS:
844 n->f_sub = mf->bmf_calloc( 1, sizeof(SubstringsAssertion), memctx );
845 n->f_sub_desc = f->f_sub_desc;
846 if ( !BER_BVISNULL( &f->f_sub_initial ))
847 ber_dupbv_x( &n->f_sub_initial, &f->f_sub_initial, memctx );
848 if ( f->f_sub_any ) {
850 for ( i = 0; !BER_BVISNULL( &f->f_sub_any[i] ); i++ );
851 n->f_sub_any = mf->bmf_malloc(( i+1 )*sizeof( struct berval ),
853 for ( i = 0; !BER_BVISNULL( &f->f_sub_any[i] ); i++ ) {
854 ber_dupbv_x( &n->f_sub_any[i], &f->f_sub_any[i], memctx );
856 BER_BVZERO( &n->f_sub_any[i] );
858 if ( !BER_BVISNULL( &f->f_sub_final ))
859 ber_dupbv_x( &n->f_sub_final, &f->f_sub_final, memctx );
861 case LDAP_FILTER_EXT: {
862 /* Should this be mra_dup() ? */
864 length = sizeof(MatchingRuleAssertion);
865 if ( !BER_BVISNULL( &f->f_mr_rule_text ))
866 length += f->f_mr_rule_text.bv_len + 1;
867 n->f_mra = mf->bmf_calloc( 1, length, memctx );
868 *n->f_mra = *f->f_mra;
869 ber_dupbv_x( &n->f_mr_value, &f->f_mr_value, memctx );
870 if ( !BER_BVISNULL( &f->f_mr_rule_text )) {
871 n->f_mr_rule_text.bv_val = (char *)(n->f_mra+1);
872 AC_MEMCPY(n->f_mr_rule_text.bv_val,
873 f->f_mr_rule_text.bv_val, f->f_mr_rule_text.bv_len );
876 case LDAP_FILTER_AND:
878 case LDAP_FILTER_NOT: {
880 for ( p = &n->f_list, f = f->f_list; f; f = f->f_next ) {
881 *p = filter_dup( f, memctx );
893 ValuesReturnFilter **filt,
899 ValuesReturnFilter vrf;
901 Debug( LDAP_DEBUG_FILTER, "begin get_simple_vrFilter\n", 0, 0, 0 );
903 tag = ber_peek_tag( ber, &len );
905 if( tag == LBER_ERROR ) {
906 *text = "error decoding filter";
907 return SLAPD_DISCONNECT;
913 vrf.vrf_choice = tag;
915 switch ( vrf.vrf_choice ) {
916 case LDAP_FILTER_EQUALITY:
917 Debug( LDAP_DEBUG_FILTER, "EQUALITY\n", 0, 0, 0 );
918 err = get_ava( op, ber, &vrf.vrf_ava, SLAP_MR_EQUALITY, text );
919 if ( err != LDAP_SUCCESS ) {
923 assert( vrf.vrf_ava != NULL );
926 case LDAP_FILTER_SUBSTRINGS:
927 Debug( LDAP_DEBUG_FILTER, "SUBSTRINGS\n", 0, 0, 0 );
928 err = get_ssa( op, ber, &vrf.vrf_sub, text );
932 Debug( LDAP_DEBUG_FILTER, "GE\n", 0, 0, 0 );
933 err = get_ava( op, ber, &vrf.vrf_ava, SLAP_MR_ORDERING, text );
934 if ( err != LDAP_SUCCESS ) {
940 Debug( LDAP_DEBUG_FILTER, "LE\n", 0, 0, 0 );
941 err = get_ava( op, ber, &vrf.vrf_ava, SLAP_MR_ORDERING, text );
942 if ( err != LDAP_SUCCESS ) {
947 case LDAP_FILTER_PRESENT: {
950 Debug( LDAP_DEBUG_FILTER, "PRESENT\n", 0, 0, 0 );
951 if ( ber_scanf( ber, "m", &type ) == LBER_ERROR ) {
952 err = SLAPD_DISCONNECT;
953 *text = "error decoding filter";
958 err = slap_bv2ad( &type, &vrf.vrf_desc, text );
960 if( err != LDAP_SUCCESS ) {
961 err = slap_bv2undef_ad( &type, &vrf.vrf_desc, text,
962 SLAP_AD_PROXIED|SLAP_AD_NOINSERT );
964 if( err != LDAP_SUCCESS ) {
965 /* unrecognized attribute description or other error */
966 Debug( LDAP_DEBUG_ANY,
967 "get_simple_vrFilter: conn %lu unknown "
968 "attribute type=%s (%d)\n",
969 op->o_connid, type.bv_val, err );
971 vrf.vrf_choice = SLAPD_FILTER_COMPUTED;
972 vrf.vrf_result = LDAP_COMPARE_FALSE;
979 case LDAP_FILTER_APPROX:
980 Debug( LDAP_DEBUG_FILTER, "APPROX\n", 0, 0, 0 );
981 err = get_ava( op, ber, &vrf.vrf_ava, SLAP_MR_EQUALITY_APPROX, text );
982 if ( err != LDAP_SUCCESS ) {
987 case LDAP_FILTER_EXT:
988 Debug( LDAP_DEBUG_FILTER, "EXTENSIBLE\n", 0, 0, 0 );
990 err = get_mra( op, ber, &vrf.vrf_mra, text );
991 if ( err != LDAP_SUCCESS ) {
995 assert( vrf.vrf_mra != NULL );
999 (void) ber_scanf( ber, "x" ); /* skip the element */
1000 Debug( LDAP_DEBUG_ANY, "get_simple_vrFilter: unknown filter type=%lu\n",
1001 vrf.vrf_choice, 0, 0 );
1002 vrf.vrf_choice = SLAPD_FILTER_COMPUTED;
1003 vrf.vrf_result = SLAPD_COMPARE_UNDEFINED;
1007 if ( err != LDAP_SUCCESS && err != SLAPD_DISCONNECT ) {
1009 vrf.vrf_choice = SLAPD_FILTER_COMPUTED;
1010 vrf.vrf_result = SLAPD_COMPARE_UNDEFINED;
1014 if ( err == LDAP_SUCCESS ) {
1015 *filt = ch_malloc( sizeof vrf );
1019 Debug( LDAP_DEBUG_FILTER, "end get_simple_vrFilter %d\n", err, 0, 0 );
1025 get_vrFilter( Operation *op, BerElement *ber,
1026 ValuesReturnFilter **vrf,
1030 * A ValuesReturnFilter looks like this:
1032 * ValuesReturnFilter ::= SEQUENCE OF SimpleFilterItem
1033 * SimpleFilterItem ::= CHOICE {
1034 * equalityMatch [3] AttributeValueAssertion,
1035 * substrings [4] SubstringFilter,
1036 * greaterOrEqual [5] AttributeValueAssertion,
1037 * lessOrEqual [6] AttributeValueAssertion,
1038 * present [7] AttributeType,
1039 * approxMatch [8] AttributeValueAssertion,
1040 * extensibleMatch [9] SimpleMatchingAssertion -- LDAPv3
1043 * SubstringFilter ::= SEQUENCE {
1044 * type AttributeType,
1045 * SEQUENCE OF CHOICE {
1046 * initial [0] IA5String,
1047 * any [1] IA5String,
1048 * final [2] IA5String
1052 * SimpleMatchingAssertion ::= SEQUENCE { -- LDAPv3
1053 * matchingRule [1] MatchingRuleId OPTIONAL,
1054 * type [2] AttributeDescription OPTIONAL,
1055 * matchValue [3] AssertionValue }
1058 ValuesReturnFilter **n;
1063 Debug( LDAP_DEBUG_FILTER, "begin get_vrFilter\n", 0, 0, 0 );
1065 tag = ber_peek_tag( ber, &len );
1067 if( tag == LBER_ERROR ) {
1068 *text = "error decoding vrFilter";
1069 return SLAPD_DISCONNECT;
1072 if( tag != LBER_SEQUENCE ) {
1073 *text = "error decoding vrFilter, expect SEQUENCE tag";
1074 return SLAPD_DISCONNECT;
1078 for ( tag = ber_first_element( ber, &len, &last );
1079 tag != LBER_DEFAULT;
1080 tag = ber_next_element( ber, &len, last ) )
1082 int err = get_simple_vrFilter( op, ber, n, text );
1084 if ( err != LDAP_SUCCESS ) return( err );
1086 n = &(*n)->vrf_next;
1090 Debug( LDAP_DEBUG_FILTER, "end get_vrFilter\n", 0, 0, 0 );
1091 return( LDAP_SUCCESS );
1095 vrFilter_free( Operation *op, ValuesReturnFilter *vrf )
1097 ValuesReturnFilter *p, *next;
1099 if ( vrf == NULL ) {
1103 for ( p = vrf; p != NULL; p = next ) {
1106 switch ( vrf->vrf_choice ) {
1107 case LDAP_FILTER_PRESENT:
1110 case LDAP_FILTER_EQUALITY:
1111 case LDAP_FILTER_GE:
1112 case LDAP_FILTER_LE:
1113 case LDAP_FILTER_APPROX:
1114 ava_free( op, vrf->vrf_ava, 1 );
1117 case LDAP_FILTER_SUBSTRINGS:
1118 if ( vrf->vrf_sub_initial.bv_val != NULL ) {
1119 op->o_tmpfree( vrf->vrf_sub_initial.bv_val, op->o_tmpmemctx );
1121 ber_bvarray_free_x( vrf->vrf_sub_any, op->o_tmpmemctx );
1122 if ( vrf->vrf_sub_final.bv_val != NULL ) {
1123 op->o_tmpfree( vrf->vrf_sub_final.bv_val, op->o_tmpmemctx );
1125 op->o_tmpfree( vrf->vrf_sub, op->o_tmpmemctx );
1128 case LDAP_FILTER_EXT:
1129 mra_free( op, vrf->vrf_mra, 1 );
1132 case SLAPD_FILTER_COMPUTED:
1136 Debug( LDAP_DEBUG_ANY, "filter_free: unknown filter type=%lu\n",
1137 vrf->vrf_choice, 0, 0 );
1141 op->o_tmpfree( vrf, op->o_tmpmemctx );
1146 vrFilter2bv( Operation *op, ValuesReturnFilter *vrf, struct berval *fstr )
1148 ValuesReturnFilter *p;
1152 if ( vrf == NULL ) {
1153 ber_str2bv_x( "No filter!", STRLENOF("No filter!"),
1154 1, fstr, op->o_tmpmemctx );
1158 fstr->bv_len = STRLENOF("()");
1159 fstr->bv_val = op->o_tmpalloc( fstr->bv_len + 128, op->o_tmpmemctx );
1161 snprintf( fstr->bv_val, fstr->bv_len + 1, "()");
1163 for ( p = vrf; p != NULL; p = p->vrf_next ) {
1166 simple_vrFilter2bv( op, p, &tmp );
1168 fstr->bv_len += tmp.bv_len;
1169 fstr->bv_val = op->o_tmprealloc( fstr->bv_val, fstr->bv_len + 1,
1172 snprintf( &fstr->bv_val[len-1], tmp.bv_len + 2,
1173 /*"("*/ "%s)", tmp.bv_val );
1175 op->o_tmpfree( tmp.bv_val, op->o_tmpmemctx );
1180 simple_vrFilter2bv( Operation *op, ValuesReturnFilter *vrf, struct berval *fstr )
1185 if ( vrf == NULL ) {
1186 ber_str2bv_x( "No filter!", STRLENOF("No filter!"), 1, fstr,
1191 switch ( vrf->vrf_choice ) {
1192 case LDAP_FILTER_EQUALITY:
1193 filter_escape_value_x( &vrf->vrf_av_value, &tmp, op->o_tmpmemctx );
1195 fstr->bv_len = vrf->vrf_av_desc->ad_cname.bv_len +
1196 tmp.bv_len + STRLENOF("(=)");
1197 fstr->bv_val = op->o_tmpalloc( fstr->bv_len + 1, op->o_tmpmemctx );
1199 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=%s)",
1200 vrf->vrf_av_desc->ad_cname.bv_val,
1203 ber_memfree_x( tmp.bv_val, op->o_tmpmemctx );
1206 case LDAP_FILTER_GE:
1207 filter_escape_value_x( &vrf->vrf_av_value, &tmp, op->o_tmpmemctx );
1209 fstr->bv_len = vrf->vrf_av_desc->ad_cname.bv_len +
1210 tmp.bv_len + STRLENOF("(>=)");
1211 fstr->bv_val = op->o_tmpalloc( fstr->bv_len + 1, op->o_tmpmemctx );
1213 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s>=%s)",
1214 vrf->vrf_av_desc->ad_cname.bv_val,
1217 ber_memfree_x( tmp.bv_val, op->o_tmpmemctx );
1220 case LDAP_FILTER_LE:
1221 filter_escape_value_x( &vrf->vrf_av_value, &tmp, op->o_tmpmemctx );
1223 fstr->bv_len = vrf->vrf_av_desc->ad_cname.bv_len +
1224 tmp.bv_len + STRLENOF("(<=)");
1225 fstr->bv_val = op->o_tmpalloc( fstr->bv_len + 1, op->o_tmpmemctx );
1227 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s<=%s)",
1228 vrf->vrf_av_desc->ad_cname.bv_val,
1231 ber_memfree_x( tmp.bv_val, op->o_tmpmemctx );
1234 case LDAP_FILTER_APPROX:
1235 filter_escape_value_x( &vrf->vrf_av_value, &tmp, op->o_tmpmemctx );
1237 fstr->bv_len = vrf->vrf_av_desc->ad_cname.bv_len +
1238 tmp.bv_len + STRLENOF("(~=)");
1239 fstr->bv_val = op->o_tmpalloc( fstr->bv_len + 1, op->o_tmpmemctx );
1241 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s~=%s)",
1242 vrf->vrf_av_desc->ad_cname.bv_val,
1244 ber_memfree_x( tmp.bv_val, op->o_tmpmemctx );
1247 case LDAP_FILTER_SUBSTRINGS:
1248 fstr->bv_len = vrf->vrf_sub_desc->ad_cname.bv_len +
1250 fstr->bv_val = op->o_tmpalloc( fstr->bv_len + 128, op->o_tmpmemctx );
1252 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=*)",
1253 vrf->vrf_sub_desc->ad_cname.bv_val );
1255 if ( vrf->vrf_sub_initial.bv_val != NULL ) {
1258 filter_escape_value_x( &vrf->vrf_sub_initial, &tmp, op->o_tmpmemctx );
1260 fstr->bv_len += tmp.bv_len;
1261 fstr->bv_val = op->o_tmprealloc( fstr->bv_val, fstr->bv_len + 1,
1264 snprintf( &fstr->bv_val[len-2], tmp.bv_len+3,
1265 /* "(attr=" */ "%s*)",
1268 ber_memfree_x( tmp.bv_val, op->o_tmpmemctx );
1271 if ( vrf->vrf_sub_any != NULL ) {
1273 for ( i = 0; vrf->vrf_sub_any[i].bv_val != NULL; i++ ) {
1275 filter_escape_value_x( &vrf->vrf_sub_any[i], &tmp,
1278 fstr->bv_len += tmp.bv_len + 1;
1279 fstr->bv_val = op->o_tmprealloc( fstr->bv_val,
1280 fstr->bv_len + 1, op->o_tmpmemctx );
1282 snprintf( &fstr->bv_val[len-1], tmp.bv_len+3,
1283 /* "(attr=[init]*[any*]" */ "%s*)",
1285 ber_memfree_x( tmp.bv_val, op->o_tmpmemctx );
1289 if ( vrf->vrf_sub_final.bv_val != NULL ) {
1292 filter_escape_value_x( &vrf->vrf_sub_final, &tmp, op->o_tmpmemctx );
1294 fstr->bv_len += tmp.bv_len;
1295 fstr->bv_val = op->o_tmprealloc( fstr->bv_val, fstr->bv_len + 1,
1298 snprintf( &fstr->bv_val[len-1], tmp.bv_len+3,
1299 /* "(attr=[init*][any*]" */ "%s)",
1302 ber_memfree_x( tmp.bv_val, op->o_tmpmemctx );
1307 case LDAP_FILTER_PRESENT:
1308 fstr->bv_len = vrf->vrf_desc->ad_cname.bv_len +
1310 fstr->bv_val = op->o_tmpalloc( fstr->bv_len + 1, op->o_tmpmemctx );
1312 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=*)",
1313 vrf->vrf_desc->ad_cname.bv_val );
1316 case LDAP_FILTER_EXT: {
1318 filter_escape_value_x( &vrf->vrf_mr_value, &tmp, op->o_tmpmemctx );
1320 if ( vrf->vrf_mr_desc ) {
1321 ad = vrf->vrf_mr_desc->ad_cname;
1327 fstr->bv_len = ad.bv_len +
1328 ( vrf->vrf_mr_dnattrs ? STRLENOF(":dn") : 0 ) +
1329 ( vrf->vrf_mr_rule_text.bv_len
1330 ? vrf->vrf_mr_rule_text.bv_len+1 : 0 ) +
1331 tmp.bv_len + STRLENOF("(:=)");
1332 fstr->bv_val = op->o_tmpalloc( fstr->bv_len + 1, op->o_tmpmemctx );
1334 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s%s%s%s:=%s)",
1336 vrf->vrf_mr_dnattrs ? ":dn" : "",
1337 vrf->vrf_mr_rule_text.bv_len ? ":" : "",
1338 vrf->vrf_mr_rule_text.bv_len ? vrf->vrf_mr_rule_text.bv_val : "",
1341 ber_memfree_x( tmp.bv_val, op->o_tmpmemctx );
1344 case SLAPD_FILTER_COMPUTED:
1346 vrf->vrf_result == LDAP_COMPARE_FALSE ? "(?=false)" :
1347 vrf->vrf_result == LDAP_COMPARE_TRUE ? "(?=true)" :
1348 vrf->vrf_result == SLAPD_COMPARE_UNDEFINED
1349 ? "(?=undefined)" : "(?=error)",
1350 vrf->vrf_result == LDAP_COMPARE_FALSE ? STRLENOF("(?=false)") :
1351 vrf->vrf_result == LDAP_COMPARE_TRUE ? STRLENOF("(?=true)") :
1352 vrf->vrf_result == SLAPD_COMPARE_UNDEFINED
1353 ? STRLENOF("(?=undefined)") : STRLENOF("(?=error)"),
1354 1, fstr, op->o_tmpmemctx );
1358 ber_str2bv_x( "(?=unknown)", STRLENOF("(?=unknown)"),
1359 1, fstr, op->o_tmpmemctx );