1 /* filter.c - routines for parsing and dealing with filters */
4 * Copyright 1998-2003 The OpenLDAP Foundation, All Rights Reserved.
5 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
12 #include <ac/socket.h>
13 #include <ac/string.h>
17 static int get_filter_list(
26 SubstringsAssertion **s,
29 static void simple_vrFilter2bv(
30 ValuesReturnFilter *f,
31 struct berval *fstr );
33 static int get_simple_vrFilter(
36 ValuesReturnFilter **f,
56 LDAP_LOG( FILTER, ENTRY, "get_filter: conn %d\n", conn->c_connid, 0, 0 );
58 Debug( LDAP_DEBUG_FILTER, "begin get_filter\n", 0, 0, 0 );
61 * A filter looks like this coming in:
63 * and [0] SET OF Filter,
64 * or [1] SET OF Filter,
66 * equalityMatch [3] AttributeValueAssertion,
67 * substrings [4] SubstringFilter,
68 * greaterOrEqual [5] AttributeValueAssertion,
69 * lessOrEqual [6] AttributeValueAssertion,
70 * present [7] AttributeType,,
71 * approxMatch [8] AttributeValueAssertion
72 * extensibleMatch [9] MatchingRuleAssertion
75 * SubstringFilter ::= SEQUENCE {
77 * SEQUENCE OF CHOICE {
78 * initial [0] IA5String,
84 * MatchingRuleAssertion ::= SEQUENCE {
85 * matchingRule [1] MatchingRuleId OPTIONAL,
86 * type [2] AttributeDescription OPTIONAL,
87 * matchValue [3] AssertionValue,
88 * dnAttributes [4] BOOLEAN DEFAULT FALSE
93 tag = ber_peek_tag( ber, &len );
95 if( tag == LBER_ERROR ) {
96 *text = "error decoding filter";
97 return SLAPD_DISCONNECT;
105 switch ( f.f_choice ) {
106 case LDAP_FILTER_EQUALITY:
108 LDAP_LOG( FILTER, DETAIL2,
109 "get_filter: conn %d EQUALITY\n", conn->c_connid, 0, 0 );
111 Debug( LDAP_DEBUG_FILTER, "EQUALITY\n", 0, 0, 0 );
113 err = get_ava( ber, &f.f_ava, SLAP_MR_EQUALITY, text );
114 if ( err != LDAP_SUCCESS ) {
118 assert( f.f_ava != NULL );
121 case LDAP_FILTER_SUBSTRINGS:
123 LDAP_LOG( FILTER, DETAIL1,
124 "get_filter: conn %d SUBSTRINGS\n", conn->c_connid, 0, 0 );
126 Debug( LDAP_DEBUG_FILTER, "SUBSTRINGS\n", 0, 0, 0 );
128 err = get_ssa( conn, ber, &f.f_sub, text );
129 if( err != LDAP_SUCCESS ) {
132 assert( f.f_sub != NULL );
137 LDAP_LOG( FILTER, DETAIL1,
138 "get_filter: conn %d GE\n", conn->c_connid, 0, 0 );
140 Debug( LDAP_DEBUG_FILTER, "GE\n", 0, 0, 0 );
142 err = get_ava( ber, &f.f_ava, SLAP_MR_ORDERING, text );
143 if ( err != LDAP_SUCCESS ) {
146 assert( f.f_ava != NULL );
151 LDAP_LOG( FILTER, DETAIL1,
152 "get_filter: conn %d LE\n", conn->c_connid, 0, 0 );
154 Debug( LDAP_DEBUG_FILTER, "LE\n", 0, 0, 0 );
156 err = get_ava( ber, &f.f_ava, SLAP_MR_ORDERING, text );
157 if ( err != LDAP_SUCCESS ) {
160 assert( f.f_ava != NULL );
163 case LDAP_FILTER_PRESENT: {
167 LDAP_LOG( FILTER, DETAIL1,
168 "get_filter: conn %d PRESENT\n", conn->c_connid, 0, 0 );
170 Debug( LDAP_DEBUG_FILTER, "PRESENT\n", 0, 0, 0 );
172 if ( ber_scanf( ber, "m", &type ) == LBER_ERROR ) {
173 err = SLAPD_DISCONNECT;
174 *text = "error decoding filter";
179 err = slap_bv2ad( &type, &f.f_desc, text );
181 if( err != LDAP_SUCCESS ) {
182 /* unrecognized attribute description or other error */
183 f.f_choice = SLAPD_FILTER_COMPUTED;
184 f.f_result = LDAP_COMPARE_FALSE;
189 assert( f.f_desc != NULL );
192 case LDAP_FILTER_APPROX:
194 LDAP_LOG( FILTER, DETAIL1,
195 "get_filter: conn %d APPROX\n", conn->c_connid, 0, 0 );
197 Debug( LDAP_DEBUG_FILTER, "APPROX\n", 0, 0, 0 );
199 err = get_ava( ber, &f.f_ava, SLAP_MR_EQUALITY_APPROX, text );
200 if ( err != LDAP_SUCCESS ) {
203 assert( f.f_ava != NULL );
206 case LDAP_FILTER_AND:
208 LDAP_LOG( FILTER, DETAIL1,
209 "get_filter: conn %d AND\n", conn->c_connid, 0, 0 );
211 Debug( LDAP_DEBUG_FILTER, "AND\n", 0, 0, 0 );
213 err = get_filter_list( conn, ber, &f.f_and, text );
214 if ( err != LDAP_SUCCESS ) {
217 /* no assert - list could be empty */
222 LDAP_LOG( FILTER, DETAIL1,
223 "get_filter: conn %d OR\n", conn->c_connid, 0, 0 );
225 Debug( LDAP_DEBUG_FILTER, "OR\n", 0, 0, 0 );
227 err = get_filter_list( conn, ber, &f.f_or, text );
228 if ( err != LDAP_SUCCESS ) {
231 /* no assert - list could be empty */
234 case LDAP_FILTER_NOT:
236 LDAP_LOG( FILTER, DETAIL1,
237 "get_filter: conn %d NOT\n", conn->c_connid, 0, 0 );
239 Debug( LDAP_DEBUG_FILTER, "NOT\n", 0, 0, 0 );
241 (void) ber_skip_tag( ber, &len );
242 err = get_filter( conn, ber, &f.f_not, text );
243 if ( err != LDAP_SUCCESS ) {
248 assert( f.f_not != NULL );
252 case LDAP_FILTER_EXT:
254 LDAP_LOG( FILTER, DETAIL1,
255 "get_filter: conn %d EXTENSIBLE\n", conn->c_connid, 0, 0 );
257 Debug( LDAP_DEBUG_FILTER, "EXTENSIBLE\n", 0, 0, 0 );
260 err = get_mra( ber, &f.f_mra, text );
261 if ( err != LDAP_SUCCESS ) {
266 assert( f.f_mra != NULL );
271 (void) ber_scanf( ber, "x" ); /* skip the element */
273 LDAP_LOG( FILTER, ERR,
274 "get_filter: conn %d unknown filter type=%lu\n",
275 conn->c_connid, f.f_choice, 0 );
277 Debug( LDAP_DEBUG_ANY, "get_filter: unknown filter type=%lu\n",
280 f.f_choice = SLAPD_FILTER_COMPUTED;
281 f.f_result = SLAPD_COMPARE_UNDEFINED;
285 if( err != LDAP_SUCCESS && err != SLAPD_DISCONNECT ) {
287 f.f_choice = SLAPD_FILTER_COMPUTED;
288 f.f_result = SLAPD_COMPARE_UNDEFINED;
292 if ( err == LDAP_SUCCESS ) {
293 *filt = ch_malloc( sizeof(f) );
298 LDAP_LOG( FILTER, DETAIL2,
299 "get_filter: conn %d exit\n", conn->c_connid, 0, 0 );
301 Debug( LDAP_DEBUG_FILTER, "end get_filter %d\n", err, 0, 0 );
308 get_filter_list( Connection *conn, BerElement *ber,
319 LDAP_LOG( FILTER, ENTRY,
320 "get_filter_list: conn %d start\n", conn->c_connid, 0, 0 );
322 Debug( LDAP_DEBUG_FILTER, "begin get_filter_list\n", 0, 0, 0 );
325 for ( tag = ber_first_element( ber, &len, &last );
327 tag = ber_next_element( ber, &len, last ) )
329 err = get_filter( conn, ber, new, text );
330 if ( err != LDAP_SUCCESS )
332 new = &(*new)->f_next;
337 LDAP_LOG( FILTER, ENTRY,
338 "get_filter_list: conn %d exit\n", conn->c_connid, 0, 0 );
340 Debug( LDAP_DEBUG_FILTER, "end get_filter_list\n", 0, 0, 0 );
342 return( LDAP_SUCCESS );
349 SubstringsAssertion **out,
355 struct berval desc, value, nvalue;
357 SubstringsAssertion ssa;
359 *text = "error decoding filter";
362 LDAP_LOG( FILTER, ENTRY,
363 "get_ssa: conn %d begin\n", conn->c_connid, 0, 0 );
365 Debug( LDAP_DEBUG_FILTER, "begin get_ssa\n", 0, 0, 0 );
367 if ( ber_scanf( ber, "{m" /*}*/, &desc ) == LBER_ERROR ) {
368 return SLAPD_DISCONNECT;
374 ssa.sa_initial.bv_val = NULL;
376 ssa.sa_final.bv_val = NULL;
378 rc = slap_bv2ad( &desc, &ssa.sa_desc, text );
380 if( rc != LDAP_SUCCESS ) {
384 rc = LDAP_PROTOCOL_ERROR;
386 for ( tag = ber_first_element( ber, &len, &last );
388 tag = ber_next_element( ber, &len, last ) )
392 rc = ber_scanf( ber, "m", &value );
393 if ( rc == LBER_ERROR ) {
394 rc = SLAPD_DISCONNECT;
398 if ( value.bv_val == NULL || value.bv_len == 0 ) {
399 rc = LDAP_INVALID_SYNTAX;
404 case LDAP_SUBSTRING_INITIAL:
405 usage = SLAP_MR_SUBSTR_INITIAL;
408 case LDAP_SUBSTRING_ANY:
409 usage = SLAP_MR_SUBSTR_ANY;
412 case LDAP_SUBSTRING_FINAL:
413 usage = SLAP_MR_SUBSTR_FINAL;
417 rc = LDAP_PROTOCOL_ERROR;
420 LDAP_LOG( FILTER, ERR,
421 "get_filter_substring: conn %d unknown substring choice=%ld\n",
422 conn->c_connid, (long)tag, 0 );
424 Debug( LDAP_DEBUG_FILTER,
425 " unknown substring choice=%ld\n",
433 /* validate/normalize using equality matching rule validator! */
434 rc = asserted_value_validate_normalize(
435 ssa.sa_desc, ssa.sa_desc->ad_type->sat_equality,
436 usage, &value, &nvalue, text );
438 if( rc != LDAP_SUCCESS ) {
442 /* validate using equality matching rule validator! */
443 rc = value_validate( ssa.sa_desc->ad_type->sat_equality,
445 if( rc != LDAP_SUCCESS ) {
449 rc = value_normalize( ssa.sa_desc, usage,
450 &value, &nvalue, text );
452 if( rc != LDAP_SUCCESS ) {
457 rc = LDAP_PROTOCOL_ERROR;
460 case LDAP_SUBSTRING_INITIAL:
462 LDAP_LOG( FILTER, DETAIL1,
463 "get_ssa: conn %d INITIAL\n",
464 conn->c_connid, 0, 0 );
466 Debug( LDAP_DEBUG_FILTER, " INITIAL\n", 0, 0, 0 );
469 if ( ssa.sa_initial.bv_val != NULL
470 || ssa.sa_any != NULL
471 || ssa.sa_final.bv_val != NULL )
473 free( nvalue.bv_val );
477 ssa.sa_initial = nvalue;
480 case LDAP_SUBSTRING_ANY:
482 LDAP_LOG( FILTER, DETAIL1,
483 "get_ssa: conn %d ANY\n",
484 conn->c_connid, 0, 0 );
486 Debug( LDAP_DEBUG_FILTER, " ANY\n", 0, 0, 0 );
489 if ( ssa.sa_final.bv_val != NULL ) {
490 free( nvalue.bv_val );
494 ber_bvarray_add( &ssa.sa_any, &nvalue );
497 case LDAP_SUBSTRING_FINAL:
499 LDAP_LOG( FILTER, DETAIL1,
500 "get_ssa: conn %d FINAL\n",
501 conn->c_connid, 0, 0 );
503 Debug( LDAP_DEBUG_FILTER, " FINAL\n", 0, 0, 0 );
506 if ( ssa.sa_final.bv_val != NULL ) {
507 free( nvalue.bv_val );
511 ssa.sa_final = nvalue;
516 LDAP_LOG( FILTER, INFO,
517 "get_ssa: conn %d unknown substring type %ld\n",
518 conn->c_connid, (long)tag, 0 );
520 Debug( LDAP_DEBUG_FILTER,
521 " unknown substring type=%ld\n",
526 free( nvalue.bv_val );
530 LDAP_LOG( FILTER, INFO,
531 "get_ssa: conn %d error %ld\n",
532 conn->c_connid, (long)rc, 0 );
534 Debug( LDAP_DEBUG_FILTER, " error=%ld\n",
537 free( ssa.sa_initial.bv_val );
538 ber_bvarray_free( ssa.sa_any );
539 free( ssa.sa_final.bv_val );
546 if( rc == LDAP_SUCCESS ) {
547 *out = ch_malloc( sizeof( ssa ) );
552 LDAP_LOG( FILTER, ENTRY,
553 "get_ssa: conn %d exit\n", conn->c_connid, 0, 0 );
555 Debug( LDAP_DEBUG_FILTER, "end get_ssa\n", 0, 0, 0 );
562 filter_free( Filter *f )
570 switch ( f->f_choice ) {
571 case LDAP_FILTER_PRESENT:
574 case LDAP_FILTER_EQUALITY:
577 case LDAP_FILTER_APPROX:
578 ava_free( f->f_ava, 1 );
581 case LDAP_FILTER_SUBSTRINGS:
582 if ( f->f_sub_initial.bv_val != NULL ) {
583 free( f->f_sub_initial.bv_val );
585 ber_bvarray_free( f->f_sub_any );
586 if ( f->f_sub_final.bv_val != NULL ) {
587 free( f->f_sub_final.bv_val );
592 case LDAP_FILTER_AND:
594 case LDAP_FILTER_NOT:
595 for ( p = f->f_list; p != NULL; p = next ) {
601 case LDAP_FILTER_EXT:
602 mra_free( f->f_mra, 1 );
605 case SLAPD_FILTER_COMPUTED:
610 LDAP_LOG( FILTER, ERR,
611 "filter_free: unknown filter type %lu\n", f->f_choice, 0, 0 );
613 Debug( LDAP_DEBUG_ANY, "filter_free: unknown filter type=%lu\n",
623 filter2bv( Filter *f, struct berval *fstr )
631 ber_str2bv( "No filter!", sizeof("No filter!")-1, 1, fstr );
635 switch ( f->f_choice ) {
636 case LDAP_FILTER_EQUALITY:
637 filter_escape_value( &f->f_av_value, &tmp );
639 fstr->bv_len = f->f_av_desc->ad_cname.bv_len +
640 tmp.bv_len + ( sizeof("(=)") - 1 );
641 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
643 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=%s)",
644 f->f_av_desc->ad_cname.bv_val,
647 ber_memfree( tmp.bv_val );
651 filter_escape_value( &f->f_av_value, &tmp );
653 fstr->bv_len = f->f_av_desc->ad_cname.bv_len +
654 tmp.bv_len + ( sizeof("(>=)") - 1 );
655 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
657 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s>=%s)",
658 f->f_av_desc->ad_cname.bv_val,
661 ber_memfree( tmp.bv_val );
665 filter_escape_value( &f->f_av_value, &tmp );
667 fstr->bv_len = f->f_av_desc->ad_cname.bv_len +
668 tmp.bv_len + ( sizeof("(<=)") - 1 );
669 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
671 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s<=%s)",
672 f->f_av_desc->ad_cname.bv_val,
675 ber_memfree( tmp.bv_val );
678 case LDAP_FILTER_APPROX:
679 filter_escape_value( &f->f_av_value, &tmp );
681 fstr->bv_len = f->f_av_desc->ad_cname.bv_len +
682 tmp.bv_len + ( sizeof("(~=)") - 1 );
683 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
685 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s~=%s)",
686 f->f_av_desc->ad_cname.bv_val,
688 ber_memfree( tmp.bv_val );
691 case LDAP_FILTER_SUBSTRINGS:
692 fstr->bv_len = f->f_sub_desc->ad_cname.bv_len +
693 ( sizeof("(=*)") - 1 );
694 fstr->bv_val = ch_malloc( fstr->bv_len + 128 );
696 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=*)",
697 f->f_sub_desc->ad_cname.bv_val );
699 if ( f->f_sub_initial.bv_val != NULL ) {
702 filter_escape_value( &f->f_sub_initial, &tmp );
704 fstr->bv_len += tmp.bv_len;
705 fstr->bv_val = ch_realloc( fstr->bv_val, fstr->bv_len + 1 );
707 snprintf( &fstr->bv_val[len-2], tmp.bv_len+3,
708 /* "(attr=" */ "%s*)",
711 ber_memfree( tmp.bv_val );
714 if ( f->f_sub_any != NULL ) {
715 for ( i = 0; f->f_sub_any[i].bv_val != NULL; i++ ) {
717 filter_escape_value( &f->f_sub_any[i], &tmp );
719 fstr->bv_len += tmp.bv_len + 1;
720 fstr->bv_val = ch_realloc( fstr->bv_val, fstr->bv_len + 1 );
722 snprintf( &fstr->bv_val[len-1], tmp.bv_len+3,
723 /* "(attr=[init]*[any*]" */ "%s*)",
725 ber_memfree( tmp.bv_val );
729 if ( f->f_sub_final.bv_val != NULL ) {
732 filter_escape_value( &f->f_sub_final, &tmp );
734 fstr->bv_len += tmp.bv_len;
735 fstr->bv_val = ch_realloc( fstr->bv_val, fstr->bv_len + 1 );
737 snprintf( &fstr->bv_val[len-1], tmp.bv_len+3,
738 /* "(attr=[init*][any*]" */ "%s)",
741 ber_memfree( tmp.bv_val );
746 case LDAP_FILTER_PRESENT:
747 fstr->bv_len = f->f_desc->ad_cname.bv_len +
748 ( sizeof("(=*)") - 1 );
749 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
751 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=*)",
752 f->f_desc->ad_cname.bv_val );
755 case LDAP_FILTER_AND:
757 case LDAP_FILTER_NOT:
758 fstr->bv_len = sizeof("(%)") - 1;
759 fstr->bv_val = ch_malloc( fstr->bv_len + 128 );
761 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%c)",
762 f->f_choice == LDAP_FILTER_AND ? '&' :
763 f->f_choice == LDAP_FILTER_OR ? '|' : '!' );
765 for ( p = f->f_list; p != NULL; p = p->f_next ) {
768 filter2bv( p, &tmp );
770 fstr->bv_len += tmp.bv_len;
771 fstr->bv_val = ch_realloc( fstr->bv_val, fstr->bv_len + 1 );
773 snprintf( &fstr->bv_val[len-1], tmp.bv_len + 2,
774 /*"("*/ "%s)", tmp.bv_val );
776 ch_free( tmp.bv_val );
781 case LDAP_FILTER_EXT: {
783 filter_escape_value( &f->f_mr_value, &tmp );
785 if ( f->f_mr_desc ) {
786 ad = f->f_mr_desc->ad_cname;
792 fstr->bv_len = ad.bv_len +
793 ( f->f_mr_dnattrs ? sizeof(":dn")-1 : 0 ) +
794 ( f->f_mr_rule_text.bv_len ? f->f_mr_rule_text.bv_len+1 : 0 ) +
795 tmp.bv_len + ( sizeof("(:=)") - 1 );
796 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
798 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s%s%s%s:=%s)",
800 f->f_mr_dnattrs ? ":dn" : "",
801 f->f_mr_rule_text.bv_len ? ":" : "",
802 f->f_mr_rule_text.bv_len ? f->f_mr_rule_text.bv_val : "",
804 ber_memfree( tmp.bv_val );
807 case SLAPD_FILTER_COMPUTED:
809 f->f_result == LDAP_COMPARE_FALSE ? "(?=false)" :
810 f->f_result == LDAP_COMPARE_TRUE ? "(?=true)" :
811 f->f_result == SLAPD_COMPARE_UNDEFINED ? "(?=undefined)" :
813 f->f_result == LDAP_COMPARE_FALSE ? sizeof("(?=false)")-1 :
814 f->f_result == LDAP_COMPARE_TRUE ? sizeof("(?=true)")-1 :
815 f->f_result == SLAPD_COMPARE_UNDEFINED ? sizeof("(?=undefined)")-1 :
816 sizeof("(?=error)")-1,
821 ber_str2bv( "(?=unknown)", sizeof("(?=unknown)")-1, 1, fstr );
835 out->bv_val = (char *) ch_malloc( ( in->bv_len * 3 ) + 1 );
838 for( i=0; i < in->bv_len ; i++ ) {
839 if( FILTER_ESCAPE(in->bv_val[i]) ) {
840 out->bv_val[out->bv_len++] = SLAP_ESCAPE_CHAR;
841 out->bv_val[out->bv_len++] = SLAP_ESCAPE_HI( in->bv_val[i] );
842 out->bv_val[out->bv_len++] = SLAP_ESCAPE_LO( in->bv_val[i] );
844 out->bv_val[out->bv_len++] = in->bv_val[i];
848 out->bv_val[out->bv_len] = '\0';
856 ValuesReturnFilter **filt,
862 ValuesReturnFilter vrf;
865 LDAP_LOG( FILTER, ENTRY,
866 "get_simple_vrFilter: conn %d\n", conn->c_connid, 0, 0 );
868 Debug( LDAP_DEBUG_FILTER, "begin get_simple_vrFilter\n", 0, 0, 0 );
871 tag = ber_peek_tag( ber, &len );
873 if( tag == LBER_ERROR ) {
874 *text = "error decoding filter";
875 return SLAPD_DISCONNECT;
881 vrf.vrf_choice = tag;
883 switch ( vrf.vrf_choice ) {
884 case LDAP_FILTER_EQUALITY:
886 LDAP_LOG( FILTER, DETAIL2,
887 "get_simple_vrFilter: conn %d EQUALITY\n", conn->c_connid, 0, 0 );
889 Debug( LDAP_DEBUG_FILTER, "EQUALITY\n", 0, 0, 0 );
891 err = get_ava( ber, &vrf.vrf_ava, SLAP_MR_EQUALITY, text );
892 if ( err != LDAP_SUCCESS ) {
896 assert( vrf.vrf_ava != NULL );
899 case LDAP_FILTER_SUBSTRINGS:
901 LDAP_LOG( FILTER, DETAIL1,
902 "get_simple_vrFilter: conn %d SUBSTRINGS\n", conn->c_connid, 0, 0 );
904 Debug( LDAP_DEBUG_FILTER, "SUBSTRINGS\n", 0, 0, 0 );
906 err = get_ssa( conn, ber, &vrf.vrf_sub, text );
911 LDAP_LOG( FILTER, DETAIL1,
912 "get_simple_vrFilter: conn %d GE\n", conn->c_connid, 0, 0 );
914 Debug( LDAP_DEBUG_FILTER, "GE\n", 0, 0, 0 );
916 err = get_ava( ber, &vrf.vrf_ava, SLAP_MR_ORDERING, text );
917 if ( err != LDAP_SUCCESS ) {
924 LDAP_LOG( FILTER, DETAIL1,
925 "get_simple_vrFilter: conn %d LE\n", conn->c_connid, 0, 0 );
927 Debug( LDAP_DEBUG_FILTER, "LE\n", 0, 0, 0 );
929 err = get_ava( ber, &vrf.vrf_ava, SLAP_MR_ORDERING, text );
930 if ( err != LDAP_SUCCESS ) {
935 case LDAP_FILTER_PRESENT: {
939 LDAP_LOG( FILTER, DETAIL1,
940 "get_simple_vrFilter: conn %d PRESENT\n", conn->c_connid, 0, 0 );
942 Debug( LDAP_DEBUG_FILTER, "PRESENT\n", 0, 0, 0 );
944 if ( ber_scanf( ber, "m", &type ) == LBER_ERROR ) {
945 err = SLAPD_DISCONNECT;
946 *text = "error decoding filter";
951 err = slap_bv2ad( &type, &vrf.vrf_desc, text );
953 if( err != LDAP_SUCCESS ) {
954 /* unrecognized attribute description or other error */
955 vrf.vrf_choice = SLAPD_FILTER_COMPUTED;
956 vrf.vrf_result = LDAP_COMPARE_FALSE;
962 case LDAP_FILTER_APPROX:
964 LDAP_LOG( FILTER, DETAIL1,
965 "get_simple_vrFilter: conn %d APPROX\n", conn->c_connid, 0, 0 );
967 Debug( LDAP_DEBUG_FILTER, "APPROX\n", 0, 0, 0 );
969 err = get_ava( ber, &vrf.vrf_ava, SLAP_MR_EQUALITY_APPROX, text );
970 if ( err != LDAP_SUCCESS ) {
975 case LDAP_FILTER_EXT:
977 LDAP_LOG( FILTER, DETAIL1,
978 "get_simple_vrFilter: conn %d EXTENSIBLE\n", conn->c_connid, 0, 0 );
980 Debug( LDAP_DEBUG_FILTER, "EXTENSIBLE\n", 0, 0, 0 );
983 err = get_mra( ber, &vrf.vrf_mra, text );
984 if ( err != LDAP_SUCCESS ) {
988 assert( vrf.vrf_mra != NULL );
992 (void) ber_scanf( ber, "x" ); /* skip the element */
994 LDAP_LOG( FILTER, ERR,
995 "get_simple_vrFilter: conn %d unknown filter type=%lu\n",
996 conn->c_connid, vrf.vrf_choice, 0 );
998 Debug( LDAP_DEBUG_ANY, "get_simple_vrFilter: unknown filter type=%lu\n",
999 vrf.vrf_choice, 0, 0 );
1001 vrf.vrf_choice = SLAPD_FILTER_COMPUTED;
1002 vrf.vrf_result = SLAPD_COMPARE_UNDEFINED;
1006 if ( err != LDAP_SUCCESS && err != SLAPD_DISCONNECT ) {
1008 vrf.vrf_choice = SLAPD_FILTER_COMPUTED;
1009 vrf.vrf_result = SLAPD_COMPARE_UNDEFINED;
1013 if ( err == LDAP_SUCCESS ) {
1014 *filt = ch_malloc( sizeof vrf );
1019 LDAP_LOG( FILTER, DETAIL2,
1020 "get_simple_vrFilter: conn %d exit\n", conn->c_connid, 0, 0 );
1022 Debug( LDAP_DEBUG_FILTER, "end get_simple_vrFilter %d\n", err, 0, 0 );
1029 get_vrFilter( Connection *conn, BerElement *ber,
1030 ValuesReturnFilter **vrf,
1034 * A ValuesReturnFilter looks like this:
1036 * ValuesReturnFilter ::= SEQUENCE OF SimpleFilterItem
1037 * SimpleFilterItem ::= CHOICE {
1038 * equalityMatch [3] AttributeValueAssertion,
1039 * substrings [4] SubstringFilter,
1040 * greaterOrEqual [5] AttributeValueAssertion,
1041 * lessOrEqual [6] AttributeValueAssertion,
1042 * present [7] AttributeType,
1043 * approxMatch [8] AttributeValueAssertion,
1044 * extensibleMatch [9] SimpleMatchingAssertion -- LDAPv3
1047 * SubstringFilter ::= SEQUENCE {
1048 * type AttributeType,
1049 * SEQUENCE OF CHOICE {
1050 * initial [0] IA5String,
1051 * any [1] IA5String,
1052 * final [2] IA5String
1056 * SimpleMatchingAssertion ::= SEQUENCE { -- LDAPv3
1057 * matchingRule [1] MatchingRuleId OPTIONAL,
1058 * type [2] AttributeDescription OPTIONAL,
1059 * matchValue [3] AssertionValue }
1062 ValuesReturnFilter **n;
1068 LDAP_LOG( FILTER, ENTRY,
1069 "get_vrFilter: conn %d start\n", conn->c_connid, 0, 0 );
1071 Debug( LDAP_DEBUG_FILTER, "begin get_vrFilter\n", 0, 0, 0 );
1074 tag = ber_peek_tag( ber, &len );
1076 if( tag == LBER_ERROR ) {
1077 *text = "error decoding vrFilter";
1078 return SLAPD_DISCONNECT;
1081 if( tag != LBER_SEQUENCE ) {
1082 *text = "error decoding vrFilter, expect SEQUENCE tag";
1083 return SLAPD_DISCONNECT;
1087 for ( tag = ber_first_element( ber, &len, &last );
1088 tag != LBER_DEFAULT;
1089 tag = ber_next_element( ber, &len, last ) )
1091 int err = get_simple_vrFilter( conn, ber, n, text );
1093 if ( err != LDAP_SUCCESS ) return( err );
1095 n = &(*n)->vrf_next;
1100 LDAP_LOG( FILTER, ENTRY,
1101 "get_vrFilter: conn %d exit\n", conn->c_connid, 0, 0 );
1103 Debug( LDAP_DEBUG_FILTER, "end get_vrFilter\n", 0, 0, 0 );
1105 return( LDAP_SUCCESS );
1109 vrFilter_free( ValuesReturnFilter *vrf )
1111 ValuesReturnFilter *p, *next;
1113 if ( vrf == NULL ) {
1117 for ( p = vrf; p != NULL; p = next ) {
1120 switch ( vrf->vrf_choice ) {
1121 case LDAP_FILTER_PRESENT:
1124 case LDAP_FILTER_EQUALITY:
1125 case LDAP_FILTER_GE:
1126 case LDAP_FILTER_LE:
1127 case LDAP_FILTER_APPROX:
1128 ava_free( vrf->vrf_ava, 1 );
1131 case LDAP_FILTER_SUBSTRINGS:
1132 if ( vrf->vrf_sub_initial.bv_val != NULL ) {
1133 free( vrf->vrf_sub_initial.bv_val );
1135 ber_bvarray_free( vrf->vrf_sub_any );
1136 if ( vrf->vrf_sub_final.bv_val != NULL ) {
1137 free( vrf->vrf_sub_final.bv_val );
1139 ch_free( vrf->vrf_sub );
1142 case LDAP_FILTER_EXT:
1143 mra_free( vrf->vrf_mra, 1 );
1146 case SLAPD_FILTER_COMPUTED:
1151 LDAP_LOG( FILTER, ERR,
1152 "filter_free: unknown filter type %lu\n", vrf->vrf_choice, 0, 0 );
1154 Debug( LDAP_DEBUG_ANY, "filter_free: unknown filter type=%lu\n",
1155 vrf->vrf_choice, 0, 0 );
1166 vrFilter2bv( ValuesReturnFilter *vrf, struct berval *fstr )
1168 ValuesReturnFilter *p;
1172 if ( vrf == NULL ) {
1173 ber_str2bv( "No filter!", sizeof("No filter!")-1, 1, fstr );
1177 fstr->bv_len = sizeof("()") - 1;
1178 fstr->bv_val = ch_malloc( fstr->bv_len + 128 );
1180 snprintf( fstr->bv_val, fstr->bv_len + 1, "()");
1182 for ( p = vrf; p != NULL; p = p->vrf_next ) {
1185 simple_vrFilter2bv( p, &tmp );
1187 fstr->bv_len += tmp.bv_len;
1188 fstr->bv_val = ch_realloc( fstr->bv_val, fstr->bv_len + 1 );
1190 snprintf( &fstr->bv_val[len-1], tmp.bv_len + 2,
1191 /*"("*/ "%s)", tmp.bv_val );
1193 ch_free( tmp.bv_val );
1198 simple_vrFilter2bv( ValuesReturnFilter *vrf, struct berval *fstr )
1203 if ( vrf == NULL ) {
1204 ber_str2bv( "No filter!", sizeof("No filter!")-1, 1, fstr );
1208 switch ( vrf->vrf_choice ) {
1209 case LDAP_FILTER_EQUALITY:
1210 filter_escape_value( &vrf->vrf_av_value, &tmp );
1212 fstr->bv_len = vrf->vrf_av_desc->ad_cname.bv_len +
1213 tmp.bv_len + ( sizeof("(=)") - 1 );
1214 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
1216 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=%s)",
1217 vrf->vrf_av_desc->ad_cname.bv_val,
1220 ber_memfree( tmp.bv_val );
1223 case LDAP_FILTER_GE:
1224 filter_escape_value( &vrf->vrf_av_value, &tmp );
1226 fstr->bv_len = vrf->vrf_av_desc->ad_cname.bv_len +
1227 tmp.bv_len + ( sizeof("(>=)") - 1 );
1228 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
1230 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s>=%s)",
1231 vrf->vrf_av_desc->ad_cname.bv_val,
1234 ber_memfree( tmp.bv_val );
1237 case LDAP_FILTER_LE:
1238 filter_escape_value( &vrf->vrf_av_value, &tmp );
1240 fstr->bv_len = vrf->vrf_av_desc->ad_cname.bv_len +
1241 tmp.bv_len + ( sizeof("(<=)") - 1 );
1242 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
1244 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s<=%s)",
1245 vrf->vrf_av_desc->ad_cname.bv_val,
1248 ber_memfree( tmp.bv_val );
1251 case LDAP_FILTER_APPROX:
1252 filter_escape_value( &vrf->vrf_av_value, &tmp );
1254 fstr->bv_len = vrf->vrf_av_desc->ad_cname.bv_len +
1255 tmp.bv_len + ( sizeof("(~=)") - 1 );
1256 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
1258 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s~=%s)",
1259 vrf->vrf_av_desc->ad_cname.bv_val,
1261 ber_memfree( tmp.bv_val );
1264 case LDAP_FILTER_SUBSTRINGS:
1265 fstr->bv_len = vrf->vrf_sub_desc->ad_cname.bv_len +
1266 ( sizeof("(=*)") - 1 );
1267 fstr->bv_val = ch_malloc( fstr->bv_len + 128 );
1269 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=*)",
1270 vrf->vrf_sub_desc->ad_cname.bv_val );
1272 if ( vrf->vrf_sub_initial.bv_val != NULL ) {
1275 filter_escape_value( &vrf->vrf_sub_initial, &tmp );
1277 fstr->bv_len += tmp.bv_len;
1278 fstr->bv_val = ch_realloc( fstr->bv_val, fstr->bv_len + 1 );
1280 snprintf( &fstr->bv_val[len-2], tmp.bv_len+3,
1281 /* "(attr=" */ "%s*)",
1284 ber_memfree( tmp.bv_val );
1287 if ( vrf->vrf_sub_any != NULL ) {
1289 for ( i = 0; vrf->vrf_sub_any[i].bv_val != NULL; i++ ) {
1291 filter_escape_value( &vrf->vrf_sub_any[i], &tmp );
1293 fstr->bv_len += tmp.bv_len + 1;
1294 fstr->bv_val = ch_realloc( fstr->bv_val, fstr->bv_len + 1 );
1296 snprintf( &fstr->bv_val[len-1], tmp.bv_len+3,
1297 /* "(attr=[init]*[any*]" */ "%s*)",
1299 ber_memfree( tmp.bv_val );
1303 if ( vrf->vrf_sub_final.bv_val != NULL ) {
1306 filter_escape_value( &vrf->vrf_sub_final, &tmp );
1308 fstr->bv_len += tmp.bv_len;
1309 fstr->bv_val = ch_realloc( fstr->bv_val, fstr->bv_len + 1 );
1311 snprintf( &fstr->bv_val[len-1], tmp.bv_len+3,
1312 /* "(attr=[init*][any*]" */ "%s)",
1315 ber_memfree( tmp.bv_val );
1320 case LDAP_FILTER_PRESENT:
1321 fstr->bv_len = vrf->vrf_desc->ad_cname.bv_len +
1322 ( sizeof("(=*)") - 1 );
1323 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
1325 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s=*)",
1326 vrf->vrf_desc->ad_cname.bv_val );
1329 case LDAP_FILTER_EXT: {
1331 filter_escape_value( &vrf->vrf_mr_value, &tmp );
1333 if ( vrf->vrf_mr_desc ) {
1334 ad = vrf->vrf_mr_desc->ad_cname;
1340 fstr->bv_len = ad.bv_len +
1341 ( vrf->vrf_mr_dnattrs ? sizeof(":dn")-1 : 0 ) +
1342 ( vrf->vrf_mr_rule_text.bv_len ? vrf->vrf_mr_rule_text.bv_len+1 : 0 ) +
1343 tmp.bv_len + ( sizeof("(:=)") - 1 );
1344 fstr->bv_val = ch_malloc( fstr->bv_len + 1 );
1346 snprintf( fstr->bv_val, fstr->bv_len + 1, "(%s%s%s%s:=%s)",
1348 vrf->vrf_mr_dnattrs ? ":dn" : "",
1349 vrf->vrf_mr_rule_text.bv_len ? ":" : "",
1350 vrf->vrf_mr_rule_text.bv_len ? vrf->vrf_mr_rule_text.bv_val : "",
1353 ber_memfree( tmp.bv_val );
1356 case SLAPD_FILTER_COMPUTED:
1358 vrf->vrf_result == LDAP_COMPARE_FALSE ? "(?=false)" :
1359 vrf->vrf_result == LDAP_COMPARE_TRUE ? "(?=true)" :
1360 vrf->vrf_result == SLAPD_COMPARE_UNDEFINED ? "(?=undefined)" :
1362 vrf->vrf_result == LDAP_COMPARE_FALSE ? sizeof("(?=false)")-1 :
1363 vrf->vrf_result == LDAP_COMPARE_TRUE ? sizeof("(?=true)")-1 :
1364 vrf->vrf_result == SLAPD_COMPARE_UNDEFINED ? sizeof("(?=undefined)")-1 :
1365 sizeof("(?=error)")-1,
1370 ber_str2bv( "(?=unknown)", sizeof("(?=unknown)")-1, 1, fstr );
1377 get_substring_vrFilter(
1380 ValuesReturnFilter *vrf,
1386 struct berval value;
1389 *text = "error decoding filter";
1392 LDAP_LOG( FILTER, ENTRY,
1393 "get_substring_filter: conn %d begin\n", conn->c_connid, 0, 0 );
1395 Debug( LDAP_DEBUG_FILTER, "begin get_substring_filter\n", 0, 0, 0 );
1397 if ( ber_scanf( ber, "{m" /*}*/, &bv ) == LBER_ERROR ) {
1398 return SLAPD_DISCONNECT;
1401 vrf->vrf_sub = ch_calloc( 1, sizeof(SubstringsAssertion) );
1402 vrf->vrf_sub_desc = NULL;
1403 rc = slap_bv2ad( &bv, &vrf->vrf_sub_desc, text );
1405 if( rc != LDAP_SUCCESS ) {
1407 ch_free( vrf->vrf_sub );
1408 vrf->vrf_choice = SLAPD_FILTER_COMPUTED;
1409 vrf->vrf_result = SLAPD_COMPARE_UNDEFINED;
1410 return LDAP_SUCCESS;
1413 vrf->vrf_sub_initial.bv_val = NULL;
1414 vrf->vrf_sub_any = NULL;
1415 vrf->vrf_sub_final.bv_val = NULL;
1417 for ( tag = ber_first_element( ber, &len, &last ); tag != LBER_DEFAULT;
1418 tag = ber_next_element( ber, &len, last ) )
1422 rc = ber_scanf( ber, "m", &value );
1423 if ( rc == LBER_ERROR ) {
1424 rc = SLAPD_DISCONNECT;
1428 if ( value.bv_val == NULL || value.bv_len == 0 ) {
1429 rc = LDAP_INVALID_SYNTAX;
1434 case LDAP_SUBSTRING_INITIAL:
1435 usage = SLAP_MR_SUBSTR_INITIAL;
1438 case LDAP_SUBSTRING_ANY:
1439 usage = SLAP_MR_SUBSTR_ANY;
1442 case LDAP_SUBSTRING_FINAL:
1443 usage = SLAP_MR_SUBSTR_FINAL;
1447 rc = LDAP_PROTOCOL_ERROR;
1450 LDAP_LOG( FILTER, ERR,
1451 "get_filter_substring: conn %d unknown substring choice=%ld\n",
1452 conn->c_connid, (long)tag, 0 );
1454 Debug( LDAP_DEBUG_FILTER,
1455 " unknown substring choice=%ld\n",
1462 /* validate/normalize using equality matching rule validator! */
1463 rc = asserted_value_validate_normalize(
1464 vrf->vrf_sub_desc, vrf->vrf_sub_desc->ad_type->sat_equality,
1465 usage, &value, &bv, text );
1466 if( rc != LDAP_SUCCESS ) {
1470 /* valiate using equality matching rule validator! */
1471 rc = value_validate( vrf->vrf_sub_desc->ad_type->sat_equality,
1473 if( rc != LDAP_SUCCESS ) {
1477 rc = value_normalize( vrf->vrf_sub_desc, usage,
1478 &value, &bv, text );
1479 if( rc != LDAP_SUCCESS ) {
1486 rc = LDAP_PROTOCOL_ERROR;
1489 case LDAP_SUBSTRING_INITIAL:
1491 LDAP_LOG( FILTER, DETAIL1,
1492 "get_substring_filter: conn %d INITIAL\n",
1493 conn->c_connid, 0, 0 );
1495 Debug( LDAP_DEBUG_FILTER, " INITIAL\n", 0, 0, 0 );
1498 if ( vrf->vrf_sub_initial.bv_val != NULL
1499 || vrf->vrf_sub_any != NULL
1500 || vrf->vrf_sub_final.bv_val != NULL )
1502 free( value.bv_val );
1506 vrf->vrf_sub_initial = value;
1509 case LDAP_SUBSTRING_ANY:
1511 LDAP_LOG( FILTER, DETAIL1,
1512 "get_substring_filter: conn %d ANY\n", conn->c_connid, 0, 0 );
1514 Debug( LDAP_DEBUG_FILTER, " ANY\n", 0, 0, 0 );
1517 if ( vrf->vrf_sub_final.bv_val != NULL ) {
1518 free( value.bv_val );
1522 ber_bvarray_add( &vrf->vrf_sub_any, &value );
1525 case LDAP_SUBSTRING_FINAL:
1527 LDAP_LOG( FILTER, DETAIL1,
1528 "get_substring_filter: conn %d FINAL\n", conn->c_connid, 0, 0 );
1530 Debug( LDAP_DEBUG_FILTER, " FINAL\n", 0, 0, 0 );
1533 if ( vrf->vrf_sub_final.bv_val != NULL ) {
1534 free( value.bv_val );
1538 vrf->vrf_sub_final = value;
1543 LDAP_LOG( FILTER, INFO,
1544 "get_substring_filter: conn %d unknown substring type %ld\n",
1545 conn->c_connid, (long)tag, 0 );
1547 Debug( LDAP_DEBUG_FILTER,
1548 " unknown substring type=%ld\n",
1552 free( value.bv_val );
1556 LDAP_LOG( FILTER, INFO,
1557 "get_substring_filter: conn %d error %ld\n",
1558 conn->c_connid, (long)rc, 0 );
1560 Debug( LDAP_DEBUG_FILTER, " error=%ld\n",
1563 free( vrf->vrf_sub_initial.bv_val );
1564 ber_bvarray_free( vrf->vrf_sub_any );
1565 free( vrf->vrf_sub_final.bv_val );
1566 ch_free( vrf->vrf_sub );
1572 LDAP_LOG( FILTER, ENTRY,
1573 "get_substring_filter: conn %d exit\n", conn->c_connid, 0, 0 );
1575 Debug( LDAP_DEBUG_FILTER, "end get_substring_filter\n", 0, 0, 0 );
1577 return( LDAP_SUCCESS );