1 /* filter.c - routines for parsing and dealing with filters */
4 * Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved.
5 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
12 #include <ac/socket.h>
13 #include <ac/string.h>
17 static int get_filter_list(
23 static int get_substring_filter(
29 static void simple_vrFilter2bv(
30 ValuesReturnFilter *f,
31 struct berval *fstr );
33 static int get_simple_vrFilter(
36 ValuesReturnFilter **f,
56 LDAP_LOG( FILTER, ENTRY, "get_filter: conn %d\n", conn->c_connid, 0, 0 );
58 Debug( LDAP_DEBUG_FILTER, "begin get_filter\n", 0, 0, 0 );
61 * A filter looks like this coming in:
63 * and [0] SET OF Filter,
64 * or [1] SET OF Filter,
66 * equalityMatch [3] AttributeValueAssertion,
67 * substrings [4] SubstringFilter,
68 * greaterOrEqual [5] AttributeValueAssertion,
69 * lessOrEqual [6] AttributeValueAssertion,
70 * present [7] AttributeType,,
71 * approxMatch [8] AttributeValueAssertion
72 * extensibleMatch [9] MatchingRuleAssertion
75 * SubstringFilter ::= SEQUENCE {
77 * SEQUENCE OF CHOICE {
78 * initial [0] IA5String,
84 * MatchingRuleAssertion ::= SEQUENCE {
85 * matchingRule [1] MatchingRuleId OPTIONAL,
86 * type [2] AttributeDescription OPTIONAL,
87 * matchValue [3] AssertionValue,
88 * dnAttributes [4] BOOLEAN DEFAULT FALSE
93 tag = ber_peek_tag( ber, &len );
95 if( tag == LBER_ERROR ) {
96 *text = "error decoding filter";
97 return SLAPD_DISCONNECT;
100 f = (Filter *) ch_malloc( sizeof(Filter) );
106 switch ( f->f_choice ) {
107 case LDAP_FILTER_EQUALITY:
109 LDAP_LOG( FILTER, DETAIL2,
110 "get_filter: conn %d EQUALITY\n", conn->c_connid, 0, 0 );
112 Debug( LDAP_DEBUG_FILTER, "EQUALITY\n", 0, 0, 0 );
114 err = get_ava( ber, &f->f_ava, SLAP_MR_EQUALITY, text );
115 if ( err != LDAP_SUCCESS ) {
119 assert( f->f_ava != NULL );
122 case LDAP_FILTER_SUBSTRINGS:
124 LDAP_LOG( FILTER, DETAIL1,
125 "get_filter: conn %d SUBSTRINGS\n", conn->c_connid, 0, 0 );
127 Debug( LDAP_DEBUG_FILTER, "SUBSTRINGS\n", 0, 0, 0 );
129 err = get_substring_filter( conn, ber, f, text );
130 if( err != LDAP_SUCCESS ) {
133 assert( f->f_sub != NULL );
138 LDAP_LOG( FILTER, DETAIL1,
139 "get_filter: conn %d GE\n", conn->c_connid, 0, 0 );
141 Debug( LDAP_DEBUG_FILTER, "GE\n", 0, 0, 0 );
143 err = get_ava( ber, &f->f_ava, SLAP_MR_ORDERING, text );
144 if ( err != LDAP_SUCCESS ) {
147 assert( f->f_ava != NULL );
152 LDAP_LOG( FILTER, DETAIL1,
153 "get_filter: conn %d LE\n", conn->c_connid, 0, 0 );
155 Debug( LDAP_DEBUG_FILTER, "LE\n", 0, 0, 0 );
157 err = get_ava( ber, &f->f_ava, SLAP_MR_ORDERING, text );
158 if ( err != LDAP_SUCCESS ) {
161 assert( f->f_ava != NULL );
164 case LDAP_FILTER_PRESENT: {
168 LDAP_LOG( FILTER, DETAIL1,
169 "get_filter: conn %d PRESENT\n", conn->c_connid, 0, 0 );
171 Debug( LDAP_DEBUG_FILTER, "PRESENT\n", 0, 0, 0 );
173 if ( ber_scanf( ber, "m", &type ) == LBER_ERROR ) {
174 err = SLAPD_DISCONNECT;
175 *text = "error decoding filter";
180 err = slap_bv2ad( &type, &f->f_desc, text );
182 if( err != LDAP_SUCCESS ) {
183 /* unrecognized attribute description or other error */
184 f->f_choice = SLAPD_FILTER_COMPUTED;
185 f->f_result = LDAP_COMPARE_FALSE;
191 case LDAP_FILTER_APPROX:
193 LDAP_LOG( FILTER, DETAIL1,
194 "get_filter: conn %d APPROX\n", conn->c_connid, 0, 0 );
196 Debug( LDAP_DEBUG_FILTER, "APPROX\n", 0, 0, 0 );
198 err = get_ava( ber, &f->f_ava, SLAP_MR_EQUALITY_APPROX, text );
199 if ( err != LDAP_SUCCESS ) {
202 assert( f->f_ava != NULL );
205 case LDAP_FILTER_AND:
207 LDAP_LOG( FILTER, DETAIL1,
208 "get_filter: conn %d AND\n", conn->c_connid, 0, 0 );
210 Debug( LDAP_DEBUG_FILTER, "AND\n", 0, 0, 0 );
212 err = get_filter_list( conn, ber, &f->f_and, text );
213 if ( err != LDAP_SUCCESS ) {
217 assert( f->f_and != NULL );
223 LDAP_LOG( FILTER, DETAIL1,
224 "get_filter: conn %d OR\n", conn->c_connid, 0, 0 );
226 Debug( LDAP_DEBUG_FILTER, "OR\n", 0, 0, 0 );
228 err = get_filter_list( conn, ber, &f->f_or, text );
229 if ( err != LDAP_SUCCESS ) {
234 case LDAP_FILTER_NOT:
236 LDAP_LOG( FILTER, DETAIL1,
237 "get_filter: conn %d NOT\n", conn->c_connid, 0, 0 );
239 Debug( LDAP_DEBUG_FILTER, "NOT\n", 0, 0, 0 );
241 (void) ber_skip_tag( ber, &len );
242 err = get_filter( conn, ber, &f->f_not, text );
243 if ( err != LDAP_SUCCESS ) {
248 case LDAP_FILTER_EXT:
250 LDAP_LOG( FILTER, DETAIL1,
251 "get_filter: conn %d EXTENSIBLE\n", conn->c_connid, 0, 0 );
253 Debug( LDAP_DEBUG_FILTER, "EXTENSIBLE\n", 0, 0, 0 );
256 err = get_mra( ber, &f->f_mra, text );
257 if ( err != LDAP_SUCCESS ) {
262 assert( f->f_mra != NULL );
267 (void) ber_scanf( ber, "x" ); /* skip the element */
269 LDAP_LOG( FILTER, ERR,
270 "get_filter: conn %d unknown filter type=%lu\n",
271 conn->c_connid, f->f_choice, 0 );
273 Debug( LDAP_DEBUG_ANY, "get_filter: unknown filter type=%lu\n",
276 f->f_choice = SLAPD_FILTER_COMPUTED;
277 f->f_result = SLAPD_COMPARE_UNDEFINED;
281 if ( err != LDAP_SUCCESS ) {
282 if( err != SLAPD_DISCONNECT ) {
284 f->f_choice = SLAPD_FILTER_COMPUTED;
285 f->f_result = SLAPD_COMPARE_UNDEFINED;
298 LDAP_LOG( FILTER, DETAIL2,
299 "get_filter: conn %d exit\n", conn->c_connid, 0, 0 );
301 Debug( LDAP_DEBUG_FILTER, "end get_filter %d\n", err, 0, 0 );
307 get_filter_list( Connection *conn, BerElement *ber,
318 LDAP_LOG( FILTER, ENTRY,
319 "get_filter_list: conn %d start\n", conn->c_connid, 0, 0 );
321 Debug( LDAP_DEBUG_FILTER, "begin get_filter_list\n", 0, 0, 0 );
324 for ( tag = ber_first_element( ber, &len, &last );
326 tag = ber_next_element( ber, &len, last ) )
328 err = get_filter( conn, ber, new, text );
329 if ( err != LDAP_SUCCESS )
331 new = &(*new)->f_next;
336 LDAP_LOG( FILTER, ENTRY,
337 "get_filter_list: conn %d exit\n", conn->c_connid, 0, 0 );
339 Debug( LDAP_DEBUG_FILTER, "end get_filter_list\n", 0, 0, 0 );
341 return( LDAP_SUCCESS );
345 get_substring_filter(
357 *text = "error decoding filter";
360 LDAP_LOG( FILTER, ENTRY,
361 "get_substring_filter: conn %d begin\n", conn->c_connid, 0, 0 );
363 Debug( LDAP_DEBUG_FILTER, "begin get_substring_filter\n", 0, 0, 0 );
365 if ( ber_scanf( ber, "{m" /*}*/, &bv ) == LBER_ERROR ) {
366 return SLAPD_DISCONNECT;
369 f->f_sub = ch_calloc( 1, sizeof(SubstringsAssertion) );
370 f->f_sub_desc = NULL;
371 rc = slap_bv2ad( &bv, &f->f_sub_desc, text );
373 if( rc != LDAP_SUCCESS ) {
376 f->f_choice = SLAPD_FILTER_COMPUTED;
377 f->f_result = SLAPD_COMPARE_UNDEFINED;
381 f->f_sub_initial.bv_val = NULL;
383 f->f_sub_final.bv_val = NULL;
385 for ( tag = ber_first_element( ber, &len, &last ); tag != LBER_DEFAULT;
386 tag = ber_next_element( ber, &len, last ) )
390 rc = ber_scanf( ber, "m", &value );
391 if ( rc == LBER_ERROR ) {
392 rc = SLAPD_DISCONNECT;
396 if ( value.bv_val == NULL || value.bv_len == 0 ) {
397 rc = LDAP_INVALID_SYNTAX;
402 case LDAP_SUBSTRING_INITIAL:
403 usage = SLAP_MR_SUBSTR_INITIAL;
406 case LDAP_SUBSTRING_ANY:
407 usage = SLAP_MR_SUBSTR_ANY;
410 case LDAP_SUBSTRING_FINAL:
411 usage = SLAP_MR_SUBSTR_FINAL;
415 rc = LDAP_PROTOCOL_ERROR;
418 LDAP_LOG( FILTER, ERR,
419 "get_filter_substring: conn %d unknown substring choice=%ld\n",
420 conn->c_connid, (long)tag, 0 );
422 Debug( LDAP_DEBUG_FILTER,
423 " unknown substring choice=%ld\n",
430 /* validate/normalize using equality matching rule validator! */
431 rc = asserted_value_validate_normalize(
432 f->f_sub_desc, f->f_sub_desc->ad_type->sat_equality,
433 usage, &value, &bv, text );
434 if( rc != LDAP_SUCCESS ) {
438 /* validate using equality matching rule validator! */
439 rc = value_validate( f->f_sub_desc->ad_type->sat_equality,
441 if( rc != LDAP_SUCCESS ) {
445 rc = value_normalize( f->f_sub_desc, usage,
447 if( rc != LDAP_SUCCESS ) {
454 rc = LDAP_PROTOCOL_ERROR;
457 case LDAP_SUBSTRING_INITIAL:
459 LDAP_LOG( FILTER, DETAIL1,
460 "get_substring_filter: conn %d INITIAL\n", conn->c_connid, 0, 0 );
462 Debug( LDAP_DEBUG_FILTER, " INITIAL\n", 0, 0, 0 );
465 if ( f->f_sub_initial.bv_val != NULL
466 || f->f_sub_any != NULL
467 || f->f_sub_final.bv_val != NULL )
469 free( value.bv_val );
473 f->f_sub_initial = value;
476 case LDAP_SUBSTRING_ANY:
478 LDAP_LOG( FILTER, DETAIL1,
479 "get_substring_filter: conn %d ANY\n", conn->c_connid, 0, 0 );
481 Debug( LDAP_DEBUG_FILTER, " ANY\n", 0, 0, 0 );
484 if ( f->f_sub_final.bv_val != NULL ) {
485 free( value.bv_val );
489 ber_bvarray_add( &f->f_sub_any, &value );
492 case LDAP_SUBSTRING_FINAL:
494 LDAP_LOG( FILTER, DETAIL1,
495 "get_substring_filter: conn %d FINAL\n", conn->c_connid, 0, 0 );
497 Debug( LDAP_DEBUG_FILTER, " FINAL\n", 0, 0, 0 );
500 if ( f->f_sub_final.bv_val != NULL ) {
501 free( value.bv_val );
505 f->f_sub_final = value;
510 LDAP_LOG( FILTER, INFO,
511 "get_substring_filter: conn %d unknown substring type %ld\n",
512 conn->c_connid, (long)tag, 0 );
514 Debug( LDAP_DEBUG_FILTER,
515 " unknown substring type=%ld\n",
519 free( value.bv_val );
523 LDAP_LOG( FILTER, INFO,
524 "get_substring_filter: conn %d error %ld\n",
525 conn->c_connid, (long)rc, 0 );
527 Debug( LDAP_DEBUG_FILTER, " error=%ld\n",
530 free( f->f_sub_initial.bv_val );
531 ber_bvarray_free( f->f_sub_any );
532 free( f->f_sub_final.bv_val );
539 LDAP_LOG( FILTER, ENTRY,
540 "get_substring_filter: conn %d exit\n", conn->c_connid, 0, 0 );
542 Debug( LDAP_DEBUG_FILTER, "end get_substring_filter\n", 0, 0, 0 );
544 return( LDAP_SUCCESS );
548 filter_free( Filter *f )
556 switch ( f->f_choice ) {
557 case LDAP_FILTER_PRESENT:
560 case LDAP_FILTER_EQUALITY:
563 case LDAP_FILTER_APPROX:
564 ava_free( f->f_ava, 1 );
567 case LDAP_FILTER_SUBSTRINGS:
568 if ( f->f_sub_initial.bv_val != NULL ) {
569 free( f->f_sub_initial.bv_val );
571 ber_bvarray_free( f->f_sub_any );
572 if ( f->f_sub_final.bv_val != NULL ) {
573 free( f->f_sub_final.bv_val );
578 case LDAP_FILTER_AND:
580 case LDAP_FILTER_NOT:
581 for ( p = f->f_list; p != NULL; p = next ) {
587 case LDAP_FILTER_EXT:
588 mra_free( f->f_mra, 1 );
591 case SLAPD_FILTER_COMPUTED:
596 LDAP_LOG( FILTER, ERR,
597 "filter_free: unknown filter type %lu\n", f->f_choice, 0, 0 );
599 Debug( LDAP_DEBUG_ANY, "filter_free: unknown filter type=%lu\n",
609 filter2bv( Filter *f, struct berval *fstr )
617 ber_str2bv( "No filter!", sizeof("No filter!")-1, 1, fstr );
621 switch ( f->f_choice ) {
622 case LDAP_FILTER_EQUALITY:
623 filter_escape_value( &f->f_av_value, &tmp );
625 fstr->bv_len = f->f_av_desc->ad_cname.bv_len +
626 tmp.bv_len + ( sizeof("(=)") - 1 );
627 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
629 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=%s)",
630 f->f_av_desc->ad_cname.bv_val,
633 ber_memfree( tmp.bv_val );
637 filter_escape_value( &f->f_av_value, &tmp );
639 fstr->bv_len = f->f_av_desc->ad_cname.bv_len +
640 tmp.bv_len + ( sizeof("(>=)") - 1 );
641 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
643 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s>=%s)",
644 f->f_av_desc->ad_cname.bv_val,
647 ber_memfree( tmp.bv_val );
651 filter_escape_value( &f->f_av_value, &tmp );
653 fstr->bv_len = f->f_av_desc->ad_cname.bv_len +
654 tmp.bv_len + ( sizeof("(<=)") - 1 );
655 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
657 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s<=%s)",
658 f->f_av_desc->ad_cname.bv_val,
661 ber_memfree( tmp.bv_val );
664 case LDAP_FILTER_APPROX:
665 filter_escape_value( &f->f_av_value, &tmp );
667 fstr->bv_len = f->f_av_desc->ad_cname.bv_len +
668 tmp.bv_len + ( sizeof("(~=)") - 1 );
669 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
671 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s~=%s)",
672 f->f_av_desc->ad_cname.bv_val,
674 ber_memfree( tmp.bv_val );
677 case LDAP_FILTER_SUBSTRINGS:
678 fstr->bv_len = f->f_sub_desc->ad_cname.bv_len +
679 ( sizeof("(=*)") - 1 );
680 fstr->bv_val = ch_malloc( fstr->bv_len + 128 );
682 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=*)",
683 f->f_sub_desc->ad_cname.bv_val );
685 if ( f->f_sub_initial.bv_val != NULL ) {
688 filter_escape_value( &f->f_sub_initial, &tmp );
690 fstr->bv_len += tmp.bv_len;
691 fstr->bv_val = ch_realloc( fstr->bv_val, fstr->bv_len + 1 );
693 snprintf( &fstr->bv_val[len-2], tmp.bv_len+3,
694 /* "(attr=" */ "%s*)",
697 ber_memfree( tmp.bv_val );
700 if ( f->f_sub_any != NULL ) {
701 for ( i = 0; f->f_sub_any[i].bv_val != NULL; i++ ) {
703 filter_escape_value( &f->f_sub_any[i], &tmp );
705 fstr->bv_len += tmp.bv_len + 1;
706 fstr->bv_val = ch_realloc( fstr->bv_val, fstr->bv_len + 1 );
708 snprintf( &fstr->bv_val[len-1], tmp.bv_len+3,
709 /* "(attr=[init]*[any*]" */ "%s*)",
711 ber_memfree( tmp.bv_val );
715 if ( f->f_sub_final.bv_val != NULL ) {
718 filter_escape_value( &f->f_sub_final, &tmp );
720 fstr->bv_len += tmp.bv_len;
721 fstr->bv_val = ch_realloc( fstr->bv_val, fstr->bv_len + 1 );
723 snprintf( &fstr->bv_val[len-1], tmp.bv_len+3,
724 /* "(attr=[init*][any*]" */ "%s)",
727 ber_memfree( tmp.bv_val );
732 case LDAP_FILTER_PRESENT:
733 fstr->bv_len = f->f_desc->ad_cname.bv_len +
734 ( sizeof("(=*)") - 1 );
735 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
737 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=*)",
738 f->f_desc->ad_cname.bv_val );
741 case LDAP_FILTER_AND:
743 case LDAP_FILTER_NOT:
744 fstr->bv_len = sizeof("(%)") - 1;
745 fstr->bv_val = ch_malloc( fstr->bv_len + 128 );
747 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%c)",
748 f->f_choice == LDAP_FILTER_AND ? '&' :
749 f->f_choice == LDAP_FILTER_OR ? '|' : '!' );
751 for ( p = f->f_list; p != NULL; p = p->f_next ) {
754 filter2bv( p, &tmp );
756 fstr->bv_len += tmp.bv_len;
757 fstr->bv_val = ch_realloc( fstr->bv_val, fstr->bv_len + 1 );
759 snprintf( &fstr->bv_val[len-1], tmp.bv_len + 2,
760 /*"("*/ "%s)", tmp.bv_val );
762 ch_free( tmp.bv_val );
767 case LDAP_FILTER_EXT: {
769 filter_escape_value( &f->f_mr_value, &tmp );
771 if ( f->f_mr_desc ) {
772 ad = f->f_mr_desc->ad_cname;
778 fstr->bv_len = ad.bv_len +
779 ( f->f_mr_dnattrs ? sizeof(":dn")-1 : 0 ) +
780 ( f->f_mr_rule_text.bv_len ? f->f_mr_rule_text.bv_len+1 : 0 ) +
781 tmp.bv_len + ( sizeof("(:=)") - 1 );
782 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
784 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s%s%s%s:=%s)",
786 f->f_mr_dnattrs ? ":dn" : "",
787 f->f_mr_rule_text.bv_len ? ":" : "",
788 f->f_mr_rule_text.bv_len ? f->f_mr_rule_text.bv_val : "",
790 ber_memfree( tmp.bv_val );
793 case SLAPD_FILTER_COMPUTED:
795 f->f_result == LDAP_COMPARE_FALSE ? "(?=false)" :
796 f->f_result == LDAP_COMPARE_TRUE ? "(?=true)" :
797 f->f_result == SLAPD_COMPARE_UNDEFINED ? "(?=undefined)" :
799 f->f_result == LDAP_COMPARE_FALSE ? sizeof("(?=false)")-1 :
800 f->f_result == LDAP_COMPARE_TRUE ? sizeof("(?=true)")-1 :
801 f->f_result == SLAPD_COMPARE_UNDEFINED ? sizeof("(?=undefined)")-1 :
802 sizeof("(?=error)")-1,
807 ber_str2bv( "(?=unknown)", sizeof("(?=unknown)")-1, 1, fstr );
821 out->bv_val = (char *) ch_malloc( ( in->bv_len * 3 ) + 1 );
824 for( i=0; i < in->bv_len ; i++ ) {
825 if( FILTER_ESCAPE(in->bv_val[i]) ) {
826 out->bv_val[out->bv_len++] = SLAP_ESCAPE_CHAR;
827 out->bv_val[out->bv_len++] = SLAP_ESCAPE_HI( in->bv_val[i] );
828 out->bv_val[out->bv_len++] = SLAP_ESCAPE_LO( in->bv_val[i] );
830 out->bv_val[out->bv_len++] = in->bv_val[i];
834 out->bv_val[out->bv_len] = '\0';
842 ValuesReturnFilter **filt,
848 ValuesReturnFilter *vrf;
851 LDAP_LOG( FILTER, ENTRY,
852 "get_simple_vrFilter: conn %d\n", conn->c_connid, 0, 0 );
854 Debug( LDAP_DEBUG_FILTER, "begin get_simple_vrFilter\n", 0, 0, 0 );
857 tag = ber_peek_tag( ber, &len );
859 if( tag == LBER_ERROR ) {
860 *text = "error decoding filter";
861 return SLAPD_DISCONNECT;
864 vrf = (ValuesReturnFilter *) ch_malloc( sizeof(ValuesReturnFilter) );
865 vrf->vrf_next = NULL;
868 vrf->vrf_choice = tag;
870 switch ( vrf->vrf_choice ) {
871 case LDAP_FILTER_EQUALITY:
873 LDAP_LOG( FILTER, DETAIL2,
874 "get_simple_vrFilter: conn %d EQUALITY\n", conn->c_connid, 0, 0 );
876 Debug( LDAP_DEBUG_FILTER, "EQUALITY\n", 0, 0, 0 );
878 err = get_ava( ber, &vrf->vrf_ava, SLAP_MR_EQUALITY, text );
879 if ( err != LDAP_SUCCESS ) {
883 assert( vrf->vrf_ava != NULL );
886 case LDAP_FILTER_SUBSTRINGS:
888 LDAP_LOG( FILTER, DETAIL1,
889 "get_simple_vrFilter: conn %d SUBSTRINGS\n", conn->c_connid, 0, 0 );
891 Debug( LDAP_DEBUG_FILTER, "SUBSTRINGS\n", 0, 0, 0 );
893 err = get_substring_filter( conn, ber, (Filter *)vrf, text );
898 LDAP_LOG( FILTER, DETAIL1,
899 "get_simple_vrFilter: conn %d GE\n", conn->c_connid, 0, 0 );
901 Debug( LDAP_DEBUG_FILTER, "GE\n", 0, 0, 0 );
903 err = get_ava( ber, &vrf->vrf_ava, SLAP_MR_ORDERING, text );
904 if ( err != LDAP_SUCCESS ) {
911 LDAP_LOG( FILTER, DETAIL1,
912 "get_simple_vrFilter: conn %d LE\n", conn->c_connid, 0, 0 );
914 Debug( LDAP_DEBUG_FILTER, "LE\n", 0, 0, 0 );
916 err = get_ava( ber, &vrf->vrf_ava, SLAP_MR_ORDERING, text );
917 if ( err != LDAP_SUCCESS ) {
922 case LDAP_FILTER_PRESENT: {
926 LDAP_LOG( FILTER, DETAIL1,
927 "get_simple_vrFilter: conn %d PRESENT\n", conn->c_connid, 0, 0 );
929 Debug( LDAP_DEBUG_FILTER, "PRESENT\n", 0, 0, 0 );
931 if ( ber_scanf( ber, "m", &type ) == LBER_ERROR ) {
932 err = SLAPD_DISCONNECT;
933 *text = "error decoding filter";
937 vrf->vrf_desc = NULL;
938 err = slap_bv2ad( &type, &vrf->vrf_desc, text );
940 if( err != LDAP_SUCCESS ) {
941 /* unrecognized attribute description or other error */
942 vrf->vrf_choice = SLAPD_FILTER_COMPUTED;
943 vrf->vrf_result = LDAP_COMPARE_FALSE;
949 case LDAP_FILTER_APPROX:
951 LDAP_LOG( FILTER, DETAIL1,
952 "get_simple_vrFilter: conn %d APPROX\n", conn->c_connid, 0, 0 );
954 Debug( LDAP_DEBUG_FILTER, "APPROX\n", 0, 0, 0 );
956 err = get_ava( ber, &vrf->vrf_ava, SLAP_MR_EQUALITY_APPROX, text );
957 if ( err != LDAP_SUCCESS ) {
962 case LDAP_FILTER_EXT:
964 LDAP_LOG( FILTER, DETAIL1,
965 "get_simple_vrFilter: conn %d EXTENSIBLE\n", conn->c_connid, 0, 0 );
967 Debug( LDAP_DEBUG_FILTER, "EXTENSIBLE\n", 0, 0, 0 );
970 err = get_mra( ber, &vrf->vrf_mra, text );
971 if ( err != LDAP_SUCCESS ) {
975 assert( vrf->vrf_mra != NULL );
979 (void) ber_scanf( ber, "x" ); /* skip the element */
981 LDAP_LOG( FILTER, ERR,
982 "get_simple_vrFilter: conn %d unknown filter type=%lu\n",
983 conn->c_connid, vrf->vrf_choice, 0 );
985 Debug( LDAP_DEBUG_ANY, "get_simple_vrFilter: unknown filter type=%lu\n",
986 vrf->vrf_choice, 0, 0 );
988 vrf->vrf_choice = SLAPD_FILTER_COMPUTED;
989 vrf->vrf_result = SLAPD_COMPARE_UNDEFINED;
993 if ( err != LDAP_SUCCESS ) {
994 if( err != SLAPD_DISCONNECT ) {
996 vrf->vrf_choice = SLAPD_FILTER_COMPUTED;
997 vrf->vrf_result = SLAPD_COMPARE_UNDEFINED;
1010 LDAP_LOG( FILTER, DETAIL2,
1011 "get_simple_vrFilter: conn %d exit\n", conn->c_connid, 0, 0 );
1013 Debug( LDAP_DEBUG_FILTER, "end get_simple_vrFilter %d\n", err, 0, 0 );
1019 get_vrFilter( Connection *conn, BerElement *ber,
1020 ValuesReturnFilter **vrf,
1024 * A ValuesReturnFilter looks like this:
1026 * ValuesReturnFilter ::= SEQUENCE OF SimpleFilterItem
1027 * SimpleFilterItem ::= CHOICE {
1028 * equalityMatch [3] AttributeValueAssertion,
1029 * substrings [4] SubstringFilter,
1030 * greaterOrEqual [5] AttributeValueAssertion,
1031 * lessOrEqual [6] AttributeValueAssertion,
1032 * present [7] AttributeType,
1033 * approxMatch [8] AttributeValueAssertion,
1034 * extensibleMatch [9] SimpleMatchingAssertion -- LDAPv3
1037 * SubstringFilter ::= SEQUENCE {
1038 * type AttributeType,
1039 * SEQUENCE OF CHOICE {
1040 * initial [0] IA5String,
1041 * any [1] IA5String,
1042 * final [2] IA5String
1046 * SimpleMatchingAssertion ::= SEQUENCE { -- LDAPv3
1047 * matchingRule [1] MatchingRuleId OPTIONAL,
1048 * type [2] AttributeDescription OPTIONAL,
1049 * matchValue [3] AssertionValue }
1052 ValuesReturnFilter **n;
1058 LDAP_LOG( FILTER, ENTRY,
1059 "get_vrFilter: conn %d start\n", conn->c_connid, 0, 0 );
1061 Debug( LDAP_DEBUG_FILTER, "begin get_vrFilter\n", 0, 0, 0 );
1064 tag = ber_peek_tag( ber, &len );
1066 if( tag == LBER_ERROR ) {
1067 *text = "error decoding vrFilter";
1068 return SLAPD_DISCONNECT;
1071 if( tag != LBER_SEQUENCE ) {
1072 *text = "error decoding vrFilter, expect SEQUENCE tag";
1073 return SLAPD_DISCONNECT;
1077 for ( tag = ber_first_element( ber, &len, &last );
1078 tag != LBER_DEFAULT;
1079 tag = ber_next_element( ber, &len, last ) )
1081 int err = get_simple_vrFilter( conn, ber, n, text );
1082 if ( err != LDAP_SUCCESS )
1084 n = &(*n)->vrf_next;
1089 LDAP_LOG( FILTER, ENTRY,
1090 "get_vrFilter: conn %d exit\n", conn->c_connid, 0, 0 );
1092 Debug( LDAP_DEBUG_FILTER, "end get_vrFilter\n", 0, 0, 0 );
1094 return( LDAP_SUCCESS );
1098 vrFilter_free( ValuesReturnFilter *vrf )
1100 ValuesReturnFilter *p, *next;
1102 if ( vrf == NULL ) {
1106 for ( p = vrf; p != NULL; p = next ) {
1109 switch ( vrf->vrf_choice ) {
1110 case LDAP_FILTER_PRESENT:
1113 case LDAP_FILTER_EQUALITY:
1114 case LDAP_FILTER_GE:
1115 case LDAP_FILTER_LE:
1116 case LDAP_FILTER_APPROX:
1117 ava_free( vrf->vrf_ava, 1 );
1120 case LDAP_FILTER_SUBSTRINGS:
1121 if ( vrf->vrf_sub_initial.bv_val != NULL ) {
1122 free( vrf->vrf_sub_initial.bv_val );
1124 ber_bvarray_free( vrf->vrf_sub_any );
1125 if ( vrf->vrf_sub_final.bv_val != NULL ) {
1126 free( vrf->vrf_sub_final.bv_val );
1128 ch_free( vrf->vrf_sub );
1131 case LDAP_FILTER_EXT:
1132 mra_free( vrf->vrf_mra, 1 );
1135 case SLAPD_FILTER_COMPUTED:
1140 LDAP_LOG( FILTER, ERR,
1141 "filter_free: unknown filter type %lu\n", vrf->vrf_choice, 0, 0 );
1143 Debug( LDAP_DEBUG_ANY, "filter_free: unknown filter type=%lu\n",
1144 vrf->vrf_choice, 0, 0 );
1155 vrFilter2bv( ValuesReturnFilter *vrf, struct berval *fstr )
1157 ValuesReturnFilter *p;
1161 if ( vrf == NULL ) {
1162 ber_str2bv( "No filter!", sizeof("No filter!")-1, 1, fstr );
1166 fstr->bv_len = sizeof("()") - 1;
1167 fstr->bv_val = ch_malloc( fstr->bv_len + 128 );
1169 snprintf( fstr->bv_val, fstr->bv_len + 1, "()");
1171 for ( p = vrf; p != NULL; p = p->vrf_next ) {
1174 simple_vrFilter2bv( p, &tmp );
1176 fstr->bv_len += tmp.bv_len;
1177 fstr->bv_val = ch_realloc( fstr->bv_val, fstr->bv_len + 1 );
1179 snprintf( &fstr->bv_val[len-1], tmp.bv_len + 2,
1180 /*"("*/ "%s)", tmp.bv_val );
1182 ch_free( tmp.bv_val );
1187 simple_vrFilter2bv( ValuesReturnFilter *vrf, struct berval *fstr )
1192 if ( vrf == NULL ) {
1193 ber_str2bv( "No filter!", sizeof("No filter!")-1, 1, fstr );
1197 switch ( vrf->vrf_choice ) {
1198 case LDAP_FILTER_EQUALITY:
1199 filter_escape_value( &vrf->vrf_av_value, &tmp );
1201 fstr->bv_len = vrf->vrf_av_desc->ad_cname.bv_len +
1202 tmp.bv_len + ( sizeof("(=)") - 1 );
1203 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
1205 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=%s)",
1206 vrf->vrf_av_desc->ad_cname.bv_val,
1209 ber_memfree( tmp.bv_val );
1212 case LDAP_FILTER_GE:
1213 filter_escape_value( &vrf->vrf_av_value, &tmp );
1215 fstr->bv_len = vrf->vrf_av_desc->ad_cname.bv_len +
1216 tmp.bv_len + ( sizeof("(>=)") - 1 );
1217 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
1219 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s>=%s)",
1220 vrf->vrf_av_desc->ad_cname.bv_val,
1223 ber_memfree( tmp.bv_val );
1226 case LDAP_FILTER_LE:
1227 filter_escape_value( &vrf->vrf_av_value, &tmp );
1229 fstr->bv_len = vrf->vrf_av_desc->ad_cname.bv_len +
1230 tmp.bv_len + ( sizeof("(<=)") - 1 );
1231 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
1233 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s<=%s)",
1234 vrf->vrf_av_desc->ad_cname.bv_val,
1237 ber_memfree( tmp.bv_val );
1240 case LDAP_FILTER_APPROX:
1241 filter_escape_value( &vrf->vrf_av_value, &tmp );
1243 fstr->bv_len = vrf->vrf_av_desc->ad_cname.bv_len +
1244 tmp.bv_len + ( sizeof("(~=)") - 1 );
1245 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
1247 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s~=%s)",
1248 vrf->vrf_av_desc->ad_cname.bv_val,
1250 ber_memfree( tmp.bv_val );
1253 case LDAP_FILTER_SUBSTRINGS:
1254 fstr->bv_len = vrf->vrf_sub_desc->ad_cname.bv_len +
1255 ( sizeof("(=*)") - 1 );
1256 fstr->bv_val = ch_malloc( fstr->bv_len + 128 );
1258 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=*)",
1259 vrf->vrf_sub_desc->ad_cname.bv_val );
1261 if ( vrf->vrf_sub_initial.bv_val != NULL ) {
1264 filter_escape_value( &vrf->vrf_sub_initial, &tmp );
1266 fstr->bv_len += tmp.bv_len;
1267 fstr->bv_val = ch_realloc( fstr->bv_val, fstr->bv_len + 1 );
1269 snprintf( &fstr->bv_val[len-2], tmp.bv_len+3,
1270 /* "(attr=" */ "%s*)",
1273 ber_memfree( tmp.bv_val );
1276 if ( vrf->vrf_sub_any != NULL ) {
1278 for ( i = 0; vrf->vrf_sub_any[i].bv_val != NULL; i++ ) {
1280 filter_escape_value( &vrf->vrf_sub_any[i], &tmp );
1282 fstr->bv_len += tmp.bv_len + 1;
1283 fstr->bv_val = ch_realloc( fstr->bv_val, fstr->bv_len + 1 );
1285 snprintf( &fstr->bv_val[len-1], tmp.bv_len+3,
1286 /* "(attr=[init]*[any*]" */ "%s*)",
1288 ber_memfree( tmp.bv_val );
1292 if ( vrf->vrf_sub_final.bv_val != NULL ) {
1295 filter_escape_value( &vrf->vrf_sub_final, &tmp );
1297 fstr->bv_len += tmp.bv_len;
1298 fstr->bv_val = ch_realloc( fstr->bv_val, fstr->bv_len + 1 );
1300 snprintf( &fstr->bv_val[len-1], tmp.bv_len+3,
1301 /* "(attr=[init*][any*]" */ "%s)",
1304 ber_memfree( tmp.bv_val );
1309 case LDAP_FILTER_PRESENT:
1310 fstr->bv_len = vrf->vrf_desc->ad_cname.bv_len +
1311 ( sizeof("(=*)") - 1 );
1312 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
1314 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=*)",
1315 vrf->vrf_desc->ad_cname.bv_val );
1318 case LDAP_FILTER_EXT: {
1320 filter_escape_value( &vrf->vrf_mr_value, &tmp );
1322 if ( vrf->vrf_mr_desc ) {
1323 ad = vrf->vrf_mr_desc->ad_cname;
1329 fstr->bv_len = ad.bv_len +
1330 ( vrf->vrf_mr_dnattrs ? sizeof(":dn")-1 : 0 ) +
1331 ( vrf->vrf_mr_rule_text.bv_len ? vrf->vrf_mr_rule_text.bv_len+1 : 0 ) +
1332 tmp.bv_len + ( sizeof("(:=)") - 1 );
1333 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
1335 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s%s%s%s:=%s)",
1337 vrf->vrf_mr_dnattrs ? ":dn" : "",
1338 vrf->vrf_mr_rule_text.bv_len ? ":" : "",
1339 vrf->vrf_mr_rule_text.bv_len ? vrf->vrf_mr_rule_text.bv_val : "",
1342 ber_memfree( tmp.bv_val );
1345 case SLAPD_FILTER_COMPUTED:
1347 vrf->vrf_result == LDAP_COMPARE_FALSE ? "(?=false)" :
1348 vrf->vrf_result == LDAP_COMPARE_TRUE ? "(?=true)" :
1349 vrf->vrf_result == SLAPD_COMPARE_UNDEFINED ? "(?=undefined)" :
1351 vrf->vrf_result == LDAP_COMPARE_FALSE ? sizeof("(?=false)")-1 :
1352 vrf->vrf_result == LDAP_COMPARE_TRUE ? sizeof("(?=true)")-1 :
1353 vrf->vrf_result == SLAPD_COMPARE_UNDEFINED ? sizeof("(?=undefined)")-1 :
1354 sizeof("(?=error)")-1,
1359 ber_str2bv( "(?=unknown)", sizeof("(?=unknown)")-1, 1, fstr );
1365 get_substring_vrFilter(
1368 ValuesReturnFilter *vrf,
1374 struct berval value;
1377 *text = "error decoding filter";
1380 LDAP_LOG( FILTER, ENTRY,
1381 "get_substring_filter: conn %d begin\n", conn->c_connid, 0, 0 );
1383 Debug( LDAP_DEBUG_FILTER, "begin get_substring_filter\n", 0, 0, 0 );
1385 if ( ber_scanf( ber, "{m" /*}*/, &bv ) == LBER_ERROR ) {
1386 return SLAPD_DISCONNECT;
1389 vrf->vrf_sub = ch_calloc( 1, sizeof(SubstringsAssertion) );
1390 vrf->vrf_sub_desc = NULL;
1391 rc = slap_bv2ad( &bv, &vrf->vrf_sub_desc, text );
1393 if( rc != LDAP_SUCCESS ) {
1395 ch_free( vrf->vrf_sub );
1396 vrf->vrf_choice = SLAPD_FILTER_COMPUTED;
1397 vrf->vrf_result = SLAPD_COMPARE_UNDEFINED;
1398 return LDAP_SUCCESS;
1401 vrf->vrf_sub_initial.bv_val = NULL;
1402 vrf->vrf_sub_any = NULL;
1403 vrf->vrf_sub_final.bv_val = NULL;
1405 for ( tag = ber_first_element( ber, &len, &last ); tag != LBER_DEFAULT;
1406 tag = ber_next_element( ber, &len, last ) )
1410 rc = ber_scanf( ber, "m", &value );
1411 if ( rc == LBER_ERROR ) {
1412 rc = SLAPD_DISCONNECT;
1416 if ( value.bv_val == NULL || value.bv_len == 0 ) {
1417 rc = LDAP_INVALID_SYNTAX;
1422 case LDAP_SUBSTRING_INITIAL:
1423 usage = SLAP_MR_SUBSTR_INITIAL;
1426 case LDAP_SUBSTRING_ANY:
1427 usage = SLAP_MR_SUBSTR_ANY;
1430 case LDAP_SUBSTRING_FINAL:
1431 usage = SLAP_MR_SUBSTR_FINAL;
1435 rc = LDAP_PROTOCOL_ERROR;
1438 LDAP_LOG( FILTER, ERR,
1439 "get_filter_substring: conn %d unknown substring choice=%ld\n",
1440 conn->c_connid, (long)tag, 0 );
1442 Debug( LDAP_DEBUG_FILTER,
1443 " unknown substring choice=%ld\n",
1450 /* validate/normalize using equality matching rule validator! */
1451 rc = asserted_value_validate_normalize(
1452 vrf->vrf_sub_desc, vrf->vrf_sub_desc->ad_type->sat_equality,
1453 usage, &value, &bv, text );
1454 if( rc != LDAP_SUCCESS ) {
1458 /* valiate using equality matching rule validator! */
1459 rc = value_validate( vrf->vrf_sub_desc->ad_type->sat_equality,
1461 if( rc != LDAP_SUCCESS ) {
1465 rc = value_normalize( vrf->vrf_sub_desc, usage,
1466 &value, &bv, text );
1467 if( rc != LDAP_SUCCESS ) {
1474 rc = LDAP_PROTOCOL_ERROR;
1477 case LDAP_SUBSTRING_INITIAL:
1479 LDAP_LOG( FILTER, DETAIL1,
1480 "get_substring_filter: conn %d INITIAL\n",
1481 conn->c_connid, 0, 0 );
1483 Debug( LDAP_DEBUG_FILTER, " INITIAL\n", 0, 0, 0 );
1486 if ( vrf->vrf_sub_initial.bv_val != NULL
1487 || vrf->vrf_sub_any != NULL
1488 || vrf->vrf_sub_final.bv_val != NULL )
1490 free( value.bv_val );
1494 vrf->vrf_sub_initial = value;
1497 case LDAP_SUBSTRING_ANY:
1499 LDAP_LOG( FILTER, DETAIL1,
1500 "get_substring_filter: conn %d ANY\n", conn->c_connid, 0, 0 );
1502 Debug( LDAP_DEBUG_FILTER, " ANY\n", 0, 0, 0 );
1505 if ( vrf->vrf_sub_final.bv_val != NULL ) {
1506 free( value.bv_val );
1510 ber_bvarray_add( &vrf->vrf_sub_any, &value );
1513 case LDAP_SUBSTRING_FINAL:
1515 LDAP_LOG( FILTER, DETAIL1,
1516 "get_substring_filter: conn %d FINAL\n", conn->c_connid, 0, 0 );
1518 Debug( LDAP_DEBUG_FILTER, " FINAL\n", 0, 0, 0 );
1521 if ( vrf->vrf_sub_final.bv_val != NULL ) {
1522 free( value.bv_val );
1526 vrf->vrf_sub_final = value;
1531 LDAP_LOG( FILTER, INFO,
1532 "get_substring_filter: conn %d unknown substring type %ld\n",
1533 conn->c_connid, (long)tag, 0 );
1535 Debug( LDAP_DEBUG_FILTER,
1536 " unknown substring type=%ld\n",
1540 free( value.bv_val );
1544 LDAP_LOG( FILTER, INFO,
1545 "get_substring_filter: conn %d error %ld\n",
1546 conn->c_connid, (long)rc, 0 );
1548 Debug( LDAP_DEBUG_FILTER, " error=%ld\n",
1551 free( vrf->vrf_sub_initial.bv_val );
1552 ber_bvarray_free( vrf->vrf_sub_any );
1553 free( vrf->vrf_sub_final.bv_val );
1554 ch_free( vrf->vrf_sub );
1560 LDAP_LOG( FILTER, ENTRY,
1561 "get_substring_filter: conn %d exit\n", conn->c_connid, 0, 0 );
1563 Debug( LDAP_DEBUG_FILTER, "end get_substring_filter\n", 0, 0, 0 );
1565 return( LDAP_SUCCESS );