1 /* filter.c - routines for parsing and dealing with filters */
4 * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
5 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
12 #include <ac/socket.h>
13 #include <ac/string.h>
17 static int get_filter_list(
23 static int get_substring_filter(
29 static int filter_escape_value(
33 static void simple_vrFilter2bv(
34 ValuesReturnFilter *f,
35 struct berval *fstr );
37 static int get_simple_vrFilter(
40 ValuesReturnFilter **f,
57 LDAP_LOG( FILTER, ENTRY, "get_filter: conn %d\n", conn->c_connid, 0, 0 );
59 Debug( LDAP_DEBUG_FILTER, "begin get_filter\n", 0, 0, 0 );
62 * A filter looks like this coming in:
64 * and [0] SET OF Filter,
65 * or [1] SET OF Filter,
67 * equalityMatch [3] AttributeValueAssertion,
68 * substrings [4] SubstringFilter,
69 * greaterOrEqual [5] AttributeValueAssertion,
70 * lessOrEqual [6] AttributeValueAssertion,
71 * present [7] AttributeType,,
72 * approxMatch [8] AttributeValueAssertion
73 * extensibleMatch [9] MatchingRuleAssertion
76 * SubstringFilter ::= SEQUENCE {
78 * SEQUENCE OF CHOICE {
79 * initial [0] IA5String,
85 * MatchingRuleAssertion ::= SEQUENCE {
86 * matchingRule [1] MatchingRuleId OPTIONAL,
87 * type [2] AttributeDescription OPTIONAL,
88 * matchValue [3] AssertionValue,
89 * dnAttributes [4] BOOLEAN DEFAULT FALSE
94 tag = ber_peek_tag( ber, &len );
96 if( tag == LBER_ERROR ) {
97 *text = "error decoding filter";
98 return SLAPD_DISCONNECT;
101 f = (Filter *) ch_malloc( sizeof(Filter) );
107 switch ( f->f_choice ) {
108 case LDAP_FILTER_EQUALITY:
110 LDAP_LOG( FILTER, DETAIL2,
111 "get_filter: conn %d EQUALITY\n", conn->c_connid, 0, 0 );
113 Debug( LDAP_DEBUG_FILTER, "EQUALITY\n", 0, 0, 0 );
115 err = get_ava( ber, &f->f_ava, SLAP_MR_EQUALITY, text );
116 if ( err != LDAP_SUCCESS ) {
120 assert( f->f_ava != NULL );
123 case LDAP_FILTER_SUBSTRINGS:
125 LDAP_LOG( FILTER, DETAIL1,
126 "get_filter: conn %d SUBSTRINGS\n", conn->c_connid, 0, 0 );
128 Debug( LDAP_DEBUG_FILTER, "SUBSTRINGS\n", 0, 0, 0 );
130 err = get_substring_filter( conn, ber, f, text );
135 LDAP_LOG( FILTER, DETAIL1,
136 "get_filter: conn %d GE\n", conn->c_connid, 0, 0 );
138 Debug( LDAP_DEBUG_FILTER, "GE\n", 0, 0, 0 );
140 err = get_ava( ber, &f->f_ava, SLAP_MR_ORDERING, text );
141 if ( err != LDAP_SUCCESS ) {
148 LDAP_LOG( FILTER, DETAIL1,
149 "get_filter: conn %d LE\n", conn->c_connid, 0, 0 );
151 Debug( LDAP_DEBUG_FILTER, "LE\n", 0, 0, 0 );
153 err = get_ava( ber, &f->f_ava, SLAP_MR_ORDERING, text );
154 if ( err != LDAP_SUCCESS ) {
159 case LDAP_FILTER_PRESENT: {
163 LDAP_LOG( FILTER, DETAIL1,
164 "get_filter: conn %d PRESENT\n", conn->c_connid, 0, 0 );
166 Debug( LDAP_DEBUG_FILTER, "PRESENT\n", 0, 0, 0 );
168 if ( ber_scanf( ber, "m", &type ) == LBER_ERROR ) {
169 err = SLAPD_DISCONNECT;
170 *text = "error decoding filter";
175 err = slap_bv2ad( &type, &f->f_desc, text );
177 if( err != LDAP_SUCCESS ) {
178 /* unrecognized attribute description or other error */
179 f->f_choice = SLAPD_FILTER_COMPUTED;
180 f->f_result = LDAP_COMPARE_FALSE;
186 case LDAP_FILTER_APPROX:
188 LDAP_LOG( FILTER, DETAIL1,
189 "get_filter: conn %d APPROX\n", conn->c_connid, 0, 0 );
191 Debug( LDAP_DEBUG_FILTER, "APPROX\n", 0, 0, 0 );
193 err = get_ava( ber, &f->f_ava, SLAP_MR_EQUALITY_APPROX, text );
194 if ( err != LDAP_SUCCESS ) {
199 case LDAP_FILTER_AND:
201 LDAP_LOG( FILTER, DETAIL1,
202 "get_filter: conn %d AND\n", conn->c_connid, 0, 0 );
204 Debug( LDAP_DEBUG_FILTER, "AND\n", 0, 0, 0 );
206 err = get_filter_list( conn, ber, &f->f_and, text );
207 if ( err != LDAP_SUCCESS ) {
214 LDAP_LOG( FILTER, DETAIL1,
215 "get_filter: conn %d OR\n", conn->c_connid, 0, 0 );
217 Debug( LDAP_DEBUG_FILTER, "OR\n", 0, 0, 0 );
219 err = get_filter_list( conn, ber, &f->f_or, text );
220 if ( err != LDAP_SUCCESS ) {
225 case LDAP_FILTER_NOT:
227 LDAP_LOG( FILTER, DETAIL1,
228 "get_filter: conn %d NOT\n", conn->c_connid, 0, 0 );
230 Debug( LDAP_DEBUG_FILTER, "NOT\n", 0, 0, 0 );
232 (void) ber_skip_tag( ber, &len );
233 err = get_filter( conn, ber, &f->f_not, text );
234 if ( err != LDAP_SUCCESS ) {
239 case LDAP_FILTER_EXT:
241 LDAP_LOG( FILTER, DETAIL1,
242 "get_filter: conn %d EXTENSIBLE\n", conn->c_connid, 0, 0 );
244 Debug( LDAP_DEBUG_FILTER, "EXTENSIBLE\n", 0, 0, 0 );
247 err = get_mra( ber, &f->f_mra, text );
248 if ( err != LDAP_SUCCESS ) {
252 assert( f->f_mra != NULL );
256 (void) ber_scanf( ber, "x" ); /* skip the element */
258 LDAP_LOG( FILTER, ERR,
259 "get_filter: conn %d unknown filter type=%lu\n",
260 conn->c_connid, f->f_choice, 0 );
262 Debug( LDAP_DEBUG_ANY, "get_filter: unknown filter type=%lu\n",
265 f->f_choice = SLAPD_FILTER_COMPUTED;
266 f->f_result = SLAPD_COMPARE_UNDEFINED;
270 if ( err != LDAP_SUCCESS ) {
271 if( err != SLAPD_DISCONNECT ) {
273 f->f_choice = SLAPD_FILTER_COMPUTED;
274 f->f_result = SLAPD_COMPARE_UNDEFINED;
287 LDAP_LOG( FILTER, DETAIL2,
288 "get_filter: conn %d exit\n", conn->c_connid, 0, 0 );
290 Debug( LDAP_DEBUG_FILTER, "end get_filter %d\n", err, 0, 0 );
296 get_filter_list( Connection *conn, BerElement *ber,
307 LDAP_LOG( FILTER, ENTRY,
308 "get_filter_list: conn %d start\n", conn->c_connid, 0, 0 );
310 Debug( LDAP_DEBUG_FILTER, "begin get_filter_list\n", 0, 0, 0 );
313 for ( tag = ber_first_element( ber, &len, &last ); tag != LBER_DEFAULT;
314 tag = ber_next_element( ber, &len, last ) )
316 err = get_filter( conn, ber, new, text );
317 if ( err != LDAP_SUCCESS )
319 new = &(*new)->f_next;
324 LDAP_LOG( FILTER, ENTRY,
325 "get_filter_list: conn %d exit\n", conn->c_connid, 0, 0 );
327 Debug( LDAP_DEBUG_FILTER, "end get_filter_list\n", 0, 0, 0 );
329 return( LDAP_SUCCESS );
333 get_substring_filter(
345 *text = "error decoding filter";
348 LDAP_LOG( FILTER, ENTRY,
349 "get_substring_filter: conn %d begin\n", conn->c_connid, 0, 0 );
351 Debug( LDAP_DEBUG_FILTER, "begin get_substring_filter\n", 0, 0, 0 );
353 if ( ber_scanf( ber, "{m" /*}*/, &bv ) == LBER_ERROR ) {
354 return SLAPD_DISCONNECT;
357 f->f_sub = ch_calloc( 1, sizeof(SubstringsAssertion) );
358 f->f_sub_desc = NULL;
359 rc = slap_bv2ad( &bv, &f->f_sub_desc, text );
361 if( rc != LDAP_SUCCESS ) {
364 f->f_choice = SLAPD_FILTER_COMPUTED;
365 f->f_result = SLAPD_COMPARE_UNDEFINED;
369 f->f_sub_initial.bv_val = NULL;
371 f->f_sub_final.bv_val = NULL;
373 for ( tag = ber_first_element( ber, &len, &last ); tag != LBER_DEFAULT;
374 tag = ber_next_element( ber, &len, last ) )
378 rc = ber_scanf( ber, "m", &value );
379 if ( rc == LBER_ERROR ) {
380 rc = SLAPD_DISCONNECT;
384 if ( value.bv_val == NULL || value.bv_len == 0 ) {
385 rc = LDAP_INVALID_SYNTAX;
390 case LDAP_SUBSTRING_INITIAL:
391 usage = SLAP_MR_SUBSTR_INITIAL;
394 case LDAP_SUBSTRING_ANY:
395 usage = SLAP_MR_SUBSTR_ANY;
398 case LDAP_SUBSTRING_FINAL:
399 usage = SLAP_MR_SUBSTR_FINAL;
403 rc = LDAP_PROTOCOL_ERROR;
406 LDAP_LOG( FILTER, ERR,
407 "get_filter_substring: conn %d unknown substring choice=%ld\n",
408 conn->c_connid, (long)tag, 0 );
410 Debug( LDAP_DEBUG_FILTER,
411 " unknown substring choice=%ld\n",
417 /* valiate using equality matching rule validator! */
418 rc = value_validate( f->f_sub_desc->ad_type->sat_equality,
420 if( rc != LDAP_SUCCESS ) {
424 rc = value_normalize( f->f_sub_desc, usage,
426 if( rc != LDAP_SUCCESS ) {
432 rc = LDAP_PROTOCOL_ERROR;
435 case LDAP_SUBSTRING_INITIAL:
437 LDAP_LOG( FILTER, DETAIL1,
438 "get_substring_filter: conn %d INITIAL\n", conn->c_connid, 0, 0 );
440 Debug( LDAP_DEBUG_FILTER, " INITIAL\n", 0, 0, 0 );
443 if ( f->f_sub_initial.bv_val != NULL
444 || f->f_sub_any != NULL
445 || f->f_sub_final.bv_val != NULL )
447 free( value.bv_val );
451 f->f_sub_initial = value;
454 case LDAP_SUBSTRING_ANY:
456 LDAP_LOG( FILTER, DETAIL1,
457 "get_substring_filter: conn %d ANY\n", conn->c_connid, 0, 0 );
459 Debug( LDAP_DEBUG_FILTER, " ANY\n", 0, 0, 0 );
462 if ( f->f_sub_final.bv_val != NULL ) {
463 free( value.bv_val );
467 ber_bvarray_add( &f->f_sub_any, &value );
470 case LDAP_SUBSTRING_FINAL:
472 LDAP_LOG( FILTER, DETAIL1,
473 "get_substring_filter: conn %d FINAL\n", conn->c_connid, 0, 0 );
475 Debug( LDAP_DEBUG_FILTER, " FINAL\n", 0, 0, 0 );
478 if ( f->f_sub_final.bv_val != NULL ) {
479 free( value.bv_val );
483 f->f_sub_final = value;
488 LDAP_LOG( FILTER, INFO,
489 "get_substring_filter: conn %d unknown substring type %ld\n",
490 conn->c_connid, (long)tag, 0 );
492 Debug( LDAP_DEBUG_FILTER,
493 " unknown substring type=%ld\n",
497 free( value.bv_val );
501 LDAP_LOG( FILTER, INFO,
502 "get_substring_filter: conn %d error %ld\n",
503 conn->c_connid, (long)rc, 0 );
505 Debug( LDAP_DEBUG_FILTER, " error=%ld\n",
508 free( f->f_sub_initial.bv_val );
509 ber_bvarray_free( f->f_sub_any );
510 free( f->f_sub_final.bv_val );
517 LDAP_LOG( FILTER, ENTRY,
518 "get_substring_filter: conn %d exit\n", conn->c_connid, 0, 0 );
520 Debug( LDAP_DEBUG_FILTER, "end get_substring_filter\n", 0, 0, 0 );
522 return( LDAP_SUCCESS );
526 filter_free( Filter *f )
534 switch ( f->f_choice ) {
535 case LDAP_FILTER_PRESENT:
538 case LDAP_FILTER_EQUALITY:
541 case LDAP_FILTER_APPROX:
542 ava_free( f->f_ava, 1 );
545 case LDAP_FILTER_SUBSTRINGS:
546 if ( f->f_sub_initial.bv_val != NULL ) {
547 free( f->f_sub_initial.bv_val );
549 ber_bvarray_free( f->f_sub_any );
550 if ( f->f_sub_final.bv_val != NULL ) {
551 free( f->f_sub_final.bv_val );
556 case LDAP_FILTER_AND:
558 case LDAP_FILTER_NOT:
559 for ( p = f->f_list; p != NULL; p = next ) {
565 case LDAP_FILTER_EXT:
566 mra_free( f->f_mra, 1 );
569 case SLAPD_FILTER_COMPUTED:
574 LDAP_LOG( FILTER, ERR,
575 "filter_free: unknown filter type %lu\n", f->f_choice, 0, 0 );
577 Debug( LDAP_DEBUG_ANY, "filter_free: unknown filter type=%lu\n",
587 filter2bv( Filter *f, struct berval *fstr )
595 ber_str2bv( "No filter!", sizeof("No filter!")-1, 1, fstr );
599 switch ( f->f_choice ) {
600 case LDAP_FILTER_EQUALITY:
601 filter_escape_value( &f->f_av_value, &tmp );
603 fstr->bv_len = f->f_av_desc->ad_cname.bv_len +
604 tmp.bv_len + ( sizeof("(=)") - 1 );
605 fstr->bv_val = malloc( fstr->bv_len + 1 );
607 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=%s)",
608 f->f_av_desc->ad_cname.bv_val,
611 ber_memfree( tmp.bv_val );
615 filter_escape_value( &f->f_av_value, &tmp );
617 fstr->bv_len = f->f_av_desc->ad_cname.bv_len +
618 tmp.bv_len + ( sizeof("(>=)") - 1 );
619 fstr->bv_val = malloc( fstr->bv_len + 1 );
621 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s>=%s)",
622 f->f_av_desc->ad_cname.bv_val,
625 ber_memfree( tmp.bv_val );
629 filter_escape_value( &f->f_av_value, &tmp );
631 fstr->bv_len = f->f_av_desc->ad_cname.bv_len +
632 tmp.bv_len + ( sizeof("(<=)") - 1 );
633 fstr->bv_val = malloc( fstr->bv_len + 1 );
635 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s<=%s)",
636 f->f_av_desc->ad_cname.bv_val,
639 ber_memfree( tmp.bv_val );
642 case LDAP_FILTER_APPROX:
643 filter_escape_value( &f->f_av_value, &tmp );
645 fstr->bv_len = f->f_av_desc->ad_cname.bv_len +
646 tmp.bv_len + ( sizeof("(~=)") - 1 );
647 fstr->bv_val = malloc( fstr->bv_len + 1 );
649 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s~=%s)",
650 f->f_av_desc->ad_cname.bv_val,
652 ber_memfree( tmp.bv_val );
655 case LDAP_FILTER_SUBSTRINGS:
656 fstr->bv_len = f->f_sub_desc->ad_cname.bv_len +
657 ( sizeof("(=*)") - 1 );
658 fstr->bv_val = malloc( fstr->bv_len + 128 );
660 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=*)",
661 f->f_sub_desc->ad_cname.bv_val );
663 if ( f->f_sub_initial.bv_val != NULL ) {
666 filter_escape_value( &f->f_sub_initial, &tmp );
668 fstr->bv_len += tmp.bv_len;
669 fstr->bv_val = ch_realloc( fstr->bv_val, fstr->bv_len + 1 );
671 snprintf( &fstr->bv_val[len-2], tmp.bv_len+3,
672 /* "(attr=" */ "%s*)",
675 ber_memfree( tmp.bv_val );
678 if ( f->f_sub_any != NULL ) {
679 for ( i = 0; f->f_sub_any[i].bv_val != NULL; i++ ) {
681 filter_escape_value( &f->f_sub_any[i], &tmp );
683 fstr->bv_len += tmp.bv_len + 1;
684 fstr->bv_val = ch_realloc( fstr->bv_val, fstr->bv_len + 1 );
686 snprintf( &fstr->bv_val[len-1], tmp.bv_len+3,
687 /* "(attr=[init]*[any*]" */ "%s*)",
689 ber_memfree( tmp.bv_val );
693 if ( f->f_sub_final.bv_val != NULL ) {
696 filter_escape_value( &f->f_sub_final, &tmp );
698 fstr->bv_len += tmp.bv_len;
699 fstr->bv_val = ch_realloc( fstr->bv_val, fstr->bv_len + 1 );
701 snprintf( &fstr->bv_val[len-1], tmp.bv_len+3,
702 /* "(attr=[init*][any*]" */ "%s)",
705 ber_memfree( tmp.bv_val );
710 case LDAP_FILTER_PRESENT:
711 fstr->bv_len = f->f_desc->ad_cname.bv_len +
712 ( sizeof("(=*)") - 1 );
713 fstr->bv_val = malloc( fstr->bv_len + 1 );
715 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=*)",
716 f->f_desc->ad_cname.bv_val );
719 case LDAP_FILTER_AND:
721 case LDAP_FILTER_NOT:
722 fstr->bv_len = sizeof("(%)") - 1;
723 fstr->bv_val = malloc( fstr->bv_len + 128 );
725 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%c)",
726 f->f_choice == LDAP_FILTER_AND ? '&' :
727 f->f_choice == LDAP_FILTER_OR ? '|' : '!' );
729 for ( p = f->f_list; p != NULL; p = p->f_next ) {
732 filter2bv( p, &tmp );
734 fstr->bv_len += tmp.bv_len;
735 fstr->bv_val = ch_realloc( fstr->bv_val, fstr->bv_len + 1 );
737 snprintf( &fstr->bv_val[len-1], tmp.bv_len + 2,
738 /*"("*/ "%s)", tmp.bv_val );
740 ch_free( tmp.bv_val );
745 case LDAP_FILTER_EXT:
746 filter_escape_value( &f->f_mr_value, &tmp );
747 #ifndef SLAP_X_MRA_MATCH_DNATTRS
748 fstr->bv_len = f->f_mr_desc->ad_cname.bv_len +
749 ( f->f_mr_dnattrs ? sizeof(":dn")-1 : 0 ) +
750 ( f->f_mr_rule_text.bv_len ? f->f_mr_rule_text.bv_len+1 : 0 ) +
751 tmp.bv_len + ( sizeof("(:=)") - 1 );
752 fstr->bv_val = malloc( fstr->bv_len + 1 );
754 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s%s%s%s:=%s)",
755 f->f_mr_desc->ad_cname.bv_val,
756 f->f_mr_dnattrs ? ":dn" : "",
757 f->f_mr_rule_text.bv_len ? ":" : "",
758 f->f_mr_rule_text.bv_len ? f->f_mr_rule_text.bv_val : "",
760 #else /* SLAP_X_MRA_MATCH_DNATTRS */
764 if ( f->f_mr_desc ) {
765 ad = f->f_mr_desc->ad_cname;
771 fstr->bv_len = ad.bv_len +
772 ( f->f_mr_dnattrs ? sizeof(":dn")-1 : 0 ) +
773 ( f->f_mr_rule_text.bv_len ? f->f_mr_rule_text.bv_len+1 : 0 ) +
774 tmp.bv_len + ( sizeof("(:=)") - 1 );
775 fstr->bv_val = malloc( fstr->bv_len + 1 );
777 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s%s%s%s:=%s)",
779 f->f_mr_dnattrs ? ":dn" : "",
780 f->f_mr_rule_text.bv_len ? ":" : "",
781 f->f_mr_rule_text.bv_len ? f->f_mr_rule_text.bv_val : "",
784 #endif /* SLAP_X_MRA_MATCH_DNATTRS */
785 ber_memfree( tmp.bv_val );
788 case SLAPD_FILTER_COMPUTED:
790 f->f_result == LDAP_COMPARE_FALSE ? "(?=false)" :
791 f->f_result == LDAP_COMPARE_TRUE ? "(?=true)" :
792 f->f_result == SLAPD_COMPARE_UNDEFINED ? "(?=undefined)" :
794 f->f_result == LDAP_COMPARE_FALSE ? sizeof("(?=false)")-1 :
795 f->f_result == LDAP_COMPARE_TRUE ? sizeof("(?=true)")-1 :
796 f->f_result == SLAPD_COMPARE_UNDEFINED ? sizeof("(?=undefined)")-1 :
797 sizeof("(?=error)")-1,
802 ber_str2bv( "(?=unknown)", sizeof("(?=unknown)")-1, 1, fstr );
807 static int filter_escape_value(
815 out->bv_val = (char *) ch_malloc( ( in->bv_len * 3 ) + 1 );
818 for( i=0; i < in->bv_len ; i++ ) {
819 if( FILTER_ESCAPE(in->bv_val[i]) ) {
820 out->bv_val[out->bv_len++] = SLAP_ESCAPE_CHAR;
821 out->bv_val[out->bv_len++] = SLAP_ESCAPE_HI( in->bv_val[i] );
822 out->bv_val[out->bv_len++] = SLAP_ESCAPE_LO( in->bv_val[i] );
824 out->bv_val[out->bv_len++] = in->bv_val[i];
828 out->bv_val[out->bv_len] = '\0';
836 ValuesReturnFilter **filt,
842 ValuesReturnFilter *f;
845 LDAP_LOG( FILTER, ENTRY,
846 "get_simple_vrFilter: conn %d\n", conn->c_connid, 0, 0 );
848 Debug( LDAP_DEBUG_FILTER, "begin get_simple_vrFilter\n", 0, 0, 0 );
851 tag = ber_peek_tag( ber, &len );
853 if( tag == LBER_ERROR ) {
854 *text = "error decoding filter";
855 return SLAPD_DISCONNECT;
858 f = (ValuesReturnFilter *) ch_malloc( sizeof(ValuesReturnFilter) );
864 switch ( f->f_choice ) {
865 case LDAP_FILTER_EQUALITY:
867 LDAP_LOG( FILTER, DETAIL2,
868 "get_simple_vrFilter: conn %d EQUALITY\n", conn->c_connid, 0, 0 );
870 Debug( LDAP_DEBUG_FILTER, "EQUALITY\n", 0, 0, 0 );
872 err = get_ava( ber, &f->f_ava, SLAP_MR_EQUALITY, text );
873 if ( err != LDAP_SUCCESS ) {
877 assert( f->f_ava != NULL );
880 case LDAP_FILTER_SUBSTRINGS:
882 LDAP_LOG( FILTER, DETAIL1,
883 "get_simple_vrFilter: conn %d SUBSTRINGS\n", conn->c_connid, 0, 0 );
885 Debug( LDAP_DEBUG_FILTER, "SUBSTRINGS\n", 0, 0, 0 );
887 err = get_substring_filter( conn, ber, (Filter *)f, text );
892 LDAP_LOG( FILTER, DETAIL1,
893 "get_simple_vrFilter: conn %d GE\n", conn->c_connid, 0, 0 );
895 Debug( LDAP_DEBUG_FILTER, "GE\n", 0, 0, 0 );
897 err = get_ava( ber, &f->f_ava, SLAP_MR_ORDERING, text );
898 if ( err != LDAP_SUCCESS ) {
905 LDAP_LOG( FILTER, DETAIL1,
906 "get_simple_vrFilter: conn %d LE\n", conn->c_connid, 0, 0 );
908 Debug( LDAP_DEBUG_FILTER, "LE\n", 0, 0, 0 );
910 err = get_ava( ber, &f->f_ava, SLAP_MR_ORDERING, text );
911 if ( err != LDAP_SUCCESS ) {
916 case LDAP_FILTER_PRESENT: {
920 LDAP_LOG( FILTER, DETAIL1,
921 "get_simple_vrFilter: conn %d PRESENT\n", conn->c_connid, 0, 0 );
923 Debug( LDAP_DEBUG_FILTER, "PRESENT\n", 0, 0, 0 );
925 if ( ber_scanf( ber, "m", &type ) == LBER_ERROR ) {
926 err = SLAPD_DISCONNECT;
927 *text = "error decoding filter";
932 err = slap_bv2ad( &type, &f->f_desc, text );
934 if( err != LDAP_SUCCESS ) {
935 /* unrecognized attribute description or other error */
936 f->f_choice = SLAPD_FILTER_COMPUTED;
937 f->f_result = LDAP_COMPARE_FALSE;
943 case LDAP_FILTER_APPROX:
945 LDAP_LOG( FILTER, DETAIL1,
946 "get_simple_vrFilter: conn %d APPROX\n", conn->c_connid, 0, 0 );
948 Debug( LDAP_DEBUG_FILTER, "APPROX\n", 0, 0, 0 );
950 err = get_ava( ber, &f->f_ava, SLAP_MR_EQUALITY_APPROX, text );
951 if ( err != LDAP_SUCCESS ) {
956 case LDAP_FILTER_EXT:
958 LDAP_LOG( FILTER, DETAIL1,
959 "get_simple_vrFilter: conn %d EXTENSIBLE\n", conn->c_connid, 0, 0 );
961 Debug( LDAP_DEBUG_FILTER, "EXTENSIBLE\n", 0, 0, 0 );
964 err = get_mra( ber, &f->f_mra, text );
965 if ( err != LDAP_SUCCESS ) {
969 assert( f->f_mra != NULL );
973 (void) ber_scanf( ber, "x" ); /* skip the element */
975 LDAP_LOG( FILTER, ERR,
976 "get_simple_vrFilter: conn %d unknown filter type=%lu\n",
977 conn->c_connid, f->f_choice, 0 );
979 Debug( LDAP_DEBUG_ANY, "get_simple_vrFilter: unknown filter type=%lu\n",
982 f->f_choice = SLAPD_FILTER_COMPUTED;
983 f->f_result = SLAPD_COMPARE_UNDEFINED;
987 if ( err != LDAP_SUCCESS ) {
988 if( err != SLAPD_DISCONNECT ) {
990 f->f_choice = SLAPD_FILTER_COMPUTED;
991 f->f_result = SLAPD_COMPARE_UNDEFINED;
1004 LDAP_LOG( FILTER, DETAIL2,
1005 "get_simple_vrFilter: conn %d exit\n", conn->c_connid, 0, 0 );
1007 Debug( LDAP_DEBUG_FILTER, "end get_simple_vrFilter %d\n", err, 0, 0 );
1013 get_vrFilter( Connection *conn, BerElement *ber,
1014 ValuesReturnFilter **f,
1018 * A ValuesReturnFilter looks like this:
1020 * ValuesReturnFilter ::= SEQUENCE OF SimpleFilterItem
1021 * SimpleFilterItem ::= CHOICE {
1022 * equalityMatch [3] AttributeValueAssertion,
1023 * substrings [4] SubstringFilter,
1024 * greaterOrEqual [5] AttributeValueAssertion,
1025 * lessOrEqual [6] AttributeValueAssertion,
1026 * present [7] AttributeType,
1027 * approxMatch [8] AttributeValueAssertion,
1028 * extensibleMatch [9] SimpleMatchingAssertion -- LDAPv3
1031 * SubstringFilter ::= SEQUENCE {
1032 * type AttributeType,
1033 * SEQUENCE OF CHOICE {
1034 * initial [0] IA5String,
1035 * any [1] IA5String,
1036 * final [2] IA5String
1040 * SimpleMatchingAssertion ::= SEQUENCE { -- LDAPv3
1041 * matchingRule [1] MatchingRuleId OPTIONAL,
1042 * type [2] AttributeDescription OPTIONAL,
1043 * matchValue [3] AssertionValue }
1046 ValuesReturnFilter **new;
1052 LDAP_LOG( FILTER, ENTRY,
1053 "get_vrFilter: conn %d start\n", conn->c_connid, 0, 0 );
1055 Debug( LDAP_DEBUG_FILTER, "begin get_vrFilter\n", 0, 0, 0 );
1058 tag = ber_peek_tag( ber, &len );
1060 if( tag == LBER_ERROR ) {
1061 *text = "error decoding vrFilter";
1062 return SLAPD_DISCONNECT;
1065 if( tag != LBER_SEQUENCE ) {
1066 *text = "error decoding vrFilter, expect SEQUENCE tag";
1067 return SLAPD_DISCONNECT;
1071 for ( tag = ber_first_element( ber, &len, &last ); tag != LBER_DEFAULT;
1072 tag = ber_next_element( ber, &len, last ) )
1074 int err = get_simple_vrFilter( conn, ber, new, text );
1075 if ( err != LDAP_SUCCESS )
1077 new = &(*new)->f_next;
1082 LDAP_LOG( FILTER, ENTRY,
1083 "get_vrFilter: conn %d exit\n", conn->c_connid, 0, 0 );
1085 Debug( LDAP_DEBUG_FILTER, "end get_vrFilter\n", 0, 0, 0 );
1087 return( LDAP_SUCCESS );
1091 vrFilter_free( ValuesReturnFilter *f )
1093 ValuesReturnFilter *p, *next;
1099 for ( p = f; p != NULL; p = next ) {
1102 switch ( f->f_choice ) {
1103 case LDAP_FILTER_PRESENT:
1106 case LDAP_FILTER_EQUALITY:
1107 case LDAP_FILTER_GE:
1108 case LDAP_FILTER_LE:
1109 case LDAP_FILTER_APPROX:
1110 ava_free( f->f_ava, 1 );
1113 case LDAP_FILTER_SUBSTRINGS:
1114 if ( f->f_sub_initial.bv_val != NULL ) {
1115 free( f->f_sub_initial.bv_val );
1117 ber_bvarray_free( f->f_sub_any );
1118 if ( f->f_sub_final.bv_val != NULL ) {
1119 free( f->f_sub_final.bv_val );
1121 ch_free( f->f_sub );
1124 case LDAP_FILTER_EXT:
1125 mra_free( f->f_mra, 1 );
1128 case SLAPD_FILTER_COMPUTED:
1133 LDAP_LOG( FILTER, ERR,
1134 "filter_free: unknown filter type %lu\n", f->f_choice, 0, 0 );
1136 Debug( LDAP_DEBUG_ANY, "filter_free: unknown filter type=%lu\n",
1137 f->f_choice, 0, 0 );
1148 vrFilter2bv( ValuesReturnFilter *f, struct berval *fstr )
1150 ValuesReturnFilter *p;
1155 ber_str2bv( "No filter!", sizeof("No filter!")-1, 1, fstr );
1159 fstr->bv_len = sizeof("()") - 1;
1160 fstr->bv_val = malloc( fstr->bv_len + 128 );
1162 snprintf( fstr->bv_val, fstr->bv_len + 1, "()");
1164 for ( p = f; p != NULL; p = p->f_next ) {
1167 simple_vrFilter2bv( p, &tmp );
1169 fstr->bv_len += tmp.bv_len;
1170 fstr->bv_val = ch_realloc( fstr->bv_val, fstr->bv_len + 1 );
1172 snprintf( &fstr->bv_val[len-1], tmp.bv_len + 2,
1173 /*"("*/ "%s)", tmp.bv_val );
1175 ch_free( tmp.bv_val );
1180 simple_vrFilter2bv( ValuesReturnFilter *f, struct berval *fstr )
1186 ber_str2bv( "No filter!", sizeof("No filter!")-1, 1, fstr );
1190 switch ( f->f_choice ) {
1191 case LDAP_FILTER_EQUALITY:
1192 filter_escape_value( &f->f_av_value, &tmp );
1194 fstr->bv_len = f->f_av_desc->ad_cname.bv_len +
1195 tmp.bv_len + ( sizeof("(=)") - 1 );
1196 fstr->bv_val = malloc( fstr->bv_len + 1 );
1198 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=%s)",
1199 f->f_av_desc->ad_cname.bv_val,
1202 ber_memfree( tmp.bv_val );
1205 case LDAP_FILTER_GE:
1206 filter_escape_value( &f->f_av_value, &tmp );
1208 fstr->bv_len = f->f_av_desc->ad_cname.bv_len +
1209 tmp.bv_len + ( sizeof("(>=)") - 1 );
1210 fstr->bv_val = malloc( fstr->bv_len + 1 );
1212 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s>=%s)",
1213 f->f_av_desc->ad_cname.bv_val,
1216 ber_memfree( tmp.bv_val );
1219 case LDAP_FILTER_LE:
1220 filter_escape_value( &f->f_av_value, &tmp );
1222 fstr->bv_len = f->f_av_desc->ad_cname.bv_len +
1223 tmp.bv_len + ( sizeof("(<=)") - 1 );
1224 fstr->bv_val = malloc( fstr->bv_len + 1 );
1226 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s<=%s)",
1227 f->f_av_desc->ad_cname.bv_val,
1230 ber_memfree( tmp.bv_val );
1233 case LDAP_FILTER_APPROX:
1234 filter_escape_value( &f->f_av_value, &tmp );
1236 fstr->bv_len = f->f_av_desc->ad_cname.bv_len +
1237 tmp.bv_len + ( sizeof("(~=)") - 1 );
1238 fstr->bv_val = malloc( fstr->bv_len + 1 );
1240 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s~=%s)",
1241 f->f_av_desc->ad_cname.bv_val,
1243 ber_memfree( tmp.bv_val );
1246 case LDAP_FILTER_SUBSTRINGS:
1247 fstr->bv_len = f->f_sub_desc->ad_cname.bv_len +
1248 ( sizeof("(=*)") - 1 );
1249 fstr->bv_val = malloc( fstr->bv_len + 128 );
1251 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=*)",
1252 f->f_sub_desc->ad_cname.bv_val );
1254 if ( f->f_sub_initial.bv_val != NULL ) {
1257 filter_escape_value( &f->f_sub_initial, &tmp );
1259 fstr->bv_len += tmp.bv_len;
1260 fstr->bv_val = ch_realloc( fstr->bv_val, fstr->bv_len + 1 );
1262 snprintf( &fstr->bv_val[len-2], tmp.bv_len+3,
1263 /* "(attr=" */ "%s*)",
1266 ber_memfree( tmp.bv_val );
1269 if ( f->f_sub_any != NULL ) {
1271 for ( i = 0; f->f_sub_any[i].bv_val != NULL; i++ ) {
1273 filter_escape_value( &f->f_sub_any[i], &tmp );
1275 fstr->bv_len += tmp.bv_len + 1;
1276 fstr->bv_val = ch_realloc( fstr->bv_val, fstr->bv_len + 1 );
1278 snprintf( &fstr->bv_val[len-1], tmp.bv_len+3,
1279 /* "(attr=[init]*[any*]" */ "%s*)",
1281 ber_memfree( tmp.bv_val );
1285 if ( f->f_sub_final.bv_val != NULL ) {
1288 filter_escape_value( &f->f_sub_final, &tmp );
1290 fstr->bv_len += tmp.bv_len;
1291 fstr->bv_val = ch_realloc( fstr->bv_val, fstr->bv_len + 1 );
1293 snprintf( &fstr->bv_val[len-1], tmp.bv_len+3,
1294 /* "(attr=[init*][any*]" */ "%s)",
1297 ber_memfree( tmp.bv_val );
1302 case LDAP_FILTER_PRESENT:
1303 fstr->bv_len = f->f_desc->ad_cname.bv_len +
1304 ( sizeof("(=*)") - 1 );
1305 fstr->bv_val = malloc( fstr->bv_len + 1 );
1307 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=*)",
1308 f->f_desc->ad_cname.bv_val );
1311 case LDAP_FILTER_EXT:
1312 filter_escape_value( &f->f_mr_value, &tmp );
1314 #ifndef SLAP_X_MRA_MATCH_DNATTRS
1315 fstr->bv_len = f->f_mr_desc->ad_cname.bv_len +
1316 ( f->f_mr_dnattrs ? sizeof(":dn")-1 : 0 ) +
1317 ( f->f_mr_rule_text.bv_len ? f->f_mr_rule_text.bv_len+1 : 0 ) +
1318 tmp.bv_len + ( sizeof("(:=)") - 1 );
1319 fstr->bv_val = malloc( fstr->bv_len + 1 );
1321 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s%s%s%s:=%s)",
1322 f->f_mr_desc->ad_cname.bv_val,
1323 f->f_mr_dnattrs ? ":dn" : "",
1324 f->f_mr_rule_text.bv_len ? ":" : "",
1325 f->f_mr_rule_text.bv_len ? f->f_mr_rule_text.bv_val : "",
1327 #else /* SLAP_X_MRA_MATCH_DNATTRS */
1331 if ( f->f_mr_desc ) {
1332 ad = f->f_mr_desc->ad_cname;
1338 fstr->bv_len = ad.bv_len +
1339 ( f->f_mr_dnattrs ? sizeof(":dn")-1 : 0 ) +
1340 ( f->f_mr_rule_text.bv_len ? f->f_mr_rule_text.bv_len+1 : 0 ) +
1341 tmp.bv_len + ( sizeof("(:=)") - 1 );
1342 fstr->bv_val = malloc( fstr->bv_len + 1 );
1344 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s%s%s%s:=%s)",
1346 f->f_mr_dnattrs ? ":dn" : "",
1347 f->f_mr_rule_text.bv_len ? ":" : "",
1348 f->f_mr_rule_text.bv_len ? f->f_mr_rule_text.bv_val : "",
1351 #endif /* SLAP_X_MRA_MATCH_DNATTRS */
1353 ber_memfree( tmp.bv_val );
1356 case SLAPD_FILTER_COMPUTED:
1358 f->f_result == LDAP_COMPARE_FALSE ? "(?=false)" :
1359 f->f_result == LDAP_COMPARE_TRUE ? "(?=true)" :
1360 f->f_result == SLAPD_COMPARE_UNDEFINED ? "(?=undefined)" :
1362 f->f_result == LDAP_COMPARE_FALSE ? sizeof("(?=false)")-1 :
1363 f->f_result == LDAP_COMPARE_TRUE ? sizeof("(?=true)")-1 :
1364 f->f_result == SLAPD_COMPARE_UNDEFINED ? sizeof("(?=undefined)")-1 :
1365 sizeof("(?=error)")-1,
1370 ber_str2bv( "(?=unknown)", sizeof("(?=unknown)")-1, 1, fstr );
1376 get_substring_vrFilter(
1379 ValuesReturnFilter *f,
1385 struct berval value;
1388 *text = "error decoding filter";
1391 LDAP_LOG( FILTER, ENTRY,
1392 "get_substring_filter: conn %d begin\n", conn->c_connid, 0, 0 );
1394 Debug( LDAP_DEBUG_FILTER, "begin get_substring_filter\n", 0, 0, 0 );
1396 if ( ber_scanf( ber, "{m" /*}*/, &bv ) == LBER_ERROR ) {
1397 return SLAPD_DISCONNECT;
1400 f->f_sub = ch_calloc( 1, sizeof(SubstringsAssertion) );
1401 f->f_sub_desc = NULL;
1402 rc = slap_bv2ad( &bv, &f->f_sub_desc, text );
1404 if( rc != LDAP_SUCCESS ) {
1406 ch_free( f->f_sub );
1407 f->f_choice = SLAPD_FILTER_COMPUTED;
1408 f->f_result = SLAPD_COMPARE_UNDEFINED;
1409 return LDAP_SUCCESS;
1412 f->f_sub_initial.bv_val = NULL;
1413 f->f_sub_any = NULL;
1414 f->f_sub_final.bv_val = NULL;
1416 for ( tag = ber_first_element( ber, &len, &last ); tag != LBER_DEFAULT;
1417 tag = ber_next_element( ber, &len, last ) )
1421 rc = ber_scanf( ber, "m", &value );
1422 if ( rc == LBER_ERROR ) {
1423 rc = SLAPD_DISCONNECT;
1427 if ( value.bv_val == NULL || value.bv_len == 0 ) {
1428 rc = LDAP_INVALID_SYNTAX;
1433 case LDAP_SUBSTRING_INITIAL:
1434 usage = SLAP_MR_SUBSTR_INITIAL;
1437 case LDAP_SUBSTRING_ANY:
1438 usage = SLAP_MR_SUBSTR_ANY;
1441 case LDAP_SUBSTRING_FINAL:
1442 usage = SLAP_MR_SUBSTR_FINAL;
1446 rc = LDAP_PROTOCOL_ERROR;
1449 LDAP_LOG( FILTER, ERR,
1450 "get_filter_substring: conn %d unknown substring choice=%ld\n",
1451 conn->c_connid, (long)tag, 0 );
1453 Debug( LDAP_DEBUG_FILTER,
1454 " unknown substring choice=%ld\n",
1460 /* valiate using equality matching rule validator! */
1461 rc = value_validate( f->f_sub_desc->ad_type->sat_equality,
1463 if( rc != LDAP_SUCCESS ) {
1467 rc = value_normalize( f->f_sub_desc, usage,
1468 &value, &bv, text );
1469 if( rc != LDAP_SUCCESS ) {
1475 rc = LDAP_PROTOCOL_ERROR;
1478 case LDAP_SUBSTRING_INITIAL:
1480 LDAP_LOG( FILTER, DETAIL1,
1481 "get_substring_filter: conn %d INITIAL\n",
1482 conn->c_connid, 0, 0 );
1484 Debug( LDAP_DEBUG_FILTER, " INITIAL\n", 0, 0, 0 );
1487 if ( f->f_sub_initial.bv_val != NULL
1488 || f->f_sub_any != NULL
1489 || f->f_sub_final.bv_val != NULL )
1491 free( value.bv_val );
1495 f->f_sub_initial = value;
1498 case LDAP_SUBSTRING_ANY:
1500 LDAP_LOG( FILTER, DETAIL1,
1501 "get_substring_filter: conn %d ANY\n", conn->c_connid, 0, 0 );
1503 Debug( LDAP_DEBUG_FILTER, " ANY\n", 0, 0, 0 );
1506 if ( f->f_sub_final.bv_val != NULL ) {
1507 free( value.bv_val );
1511 ber_bvarray_add( &f->f_sub_any, &value );
1514 case LDAP_SUBSTRING_FINAL:
1516 LDAP_LOG( FILTER, DETAIL1,
1517 "get_substring_filter: conn %d FINAL\n", conn->c_connid, 0, 0 );
1519 Debug( LDAP_DEBUG_FILTER, " FINAL\n", 0, 0, 0 );
1522 if ( f->f_sub_final.bv_val != NULL ) {
1523 free( value.bv_val );
1527 f->f_sub_final = value;
1532 LDAP_LOG( FILTER, INFO,
1533 "get_substring_filter: conn %d unknown substring type %ld\n",
1534 conn->c_connid, (long)tag, 0 );
1536 Debug( LDAP_DEBUG_FILTER,
1537 " unknown substring type=%ld\n",
1541 free( value.bv_val );
1545 LDAP_LOG( FILTER, INFO,
1546 "get_substring_filter: conn %d error %ld\n",
1547 conn->c_connid, (long)rc, 0 );
1549 Debug( LDAP_DEBUG_FILTER, " error=%ld\n",
1552 free( f->f_sub_initial.bv_val );
1553 ber_bvarray_free( f->f_sub_any );
1554 free( f->f_sub_final.bv_val );
1555 ch_free( f->f_sub );
1561 LDAP_LOG( FILTER, ENTRY,
1562 "get_substring_filter: conn %d exit\n", conn->c_connid, 0, 0 );
1564 Debug( LDAP_DEBUG_FILTER, "end get_substring_filter\n", 0, 0, 0 );
1566 return( LDAP_SUCCESS );
1569 #ifdef SLAP_X_FILTER_HASSUBORDINATES
1570 static int filter_has_subordinates_list(
1574 * FIXME: we could detect the need to filter
1575 * for hasSubordinates when parsing the filter ...
1579 filter_has_subordinates_list(
1584 for ( f = fl; f != NULL; f = f->f_next ) {
1587 rc = filter_has_subordinates( f );
1598 filter_has_subordinates(
1601 AttributeDescription *ad = NULL;
1603 switch ( f->f_choice ) {
1604 case LDAP_FILTER_PRESENT:
1608 case LDAP_FILTER_EQUALITY:
1609 case LDAP_FILTER_APPROX:
1610 case LDAP_FILTER_GE:
1611 case LDAP_FILTER_LE:
1612 ad = f->f_ava->aa_desc;
1615 case LDAP_FILTER_SUBSTRINGS:
1619 case LDAP_FILTER_EXT:
1620 /* could be null; however here it is harmless */
1621 ad = f->f_mra->ma_desc;
1624 case LDAP_FILTER_NOT:
1625 return filter_has_subordinates( f->f_not );
1627 case LDAP_FILTER_AND:
1628 return filter_has_subordinates_list( f->f_and );
1630 case LDAP_FILTER_OR:
1631 return filter_has_subordinates_list( f->f_or );
1633 case SLAPD_FILTER_COMPUTED:
1641 * this means a new type of filter has been implemented,
1642 * which is not handled yet in this function; we should
1643 * issue a developer's warning, e.g. an assertion
1649 if ( ad == slap_schema.si_ad_hasSubordinates ) {
1656 #endif /* SLAP_X_FILTER_HASSUBORDINATES */