1 /* limits.c - routines to handle regex-based size and time limits */
3 * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved.
4 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
12 #include <ac/string.h>
20 struct slap_limits_set **limit
23 struct slap_limits **lm;
31 *limit = &be->be_def_limit;
33 if ( be->be_limits == NULL ) {
37 for ( lm = be->be_limits; lm[0] != NULL; lm++ ) {
38 switch ( lm[0]->lm_type ) {
39 case SLAP_LIMITS_EXACT:
40 if ( ndn->bv_len == 0 ) {
43 if ( strcmp( lm[0]->lm_dn_pat->bv_val, ndn->bv_val ) == 0 ) {
44 *limit = &lm[0]->lm_limits;
50 case SLAP_LIMITS_SUBTREE:
51 case SLAP_LIMITS_CHILDREN: {
54 if ( ndn->bv_len == 0 ) {
58 d = ndn->bv_len - lm[0]->lm_dn_pat->bv_len;
59 /* ndn shorter than dn_pat */
64 /* allow exact match for SUBTREE only */
66 if ( lm[0]->lm_type != SLAP_LIMITS_SUBTREE ) {
70 /* check for unescaped rdn separator */
71 if ( !DN_SEPARATOR( ndn->bv_val[d-1] )
72 || DN_ESCAPE( ndn->bv_val[d-2] ) )
78 /* in case of (sub)match ... */
79 if ( strcmp( lm[0]->lm_dn_pat->bv_val, &ndn->bv_val[d] ) == 0 ) {
80 /* check for exactly one rdn in case of ONE */
81 if ( lm[0]->lm_type == SLAP_LIMITS_ONE ) {
83 * if ndn is more that one rdn
84 * below dn_pat, continue
86 if ( (size_t) dn_rdnlen( NULL, ndn->bv_val ) != d - 1 ) {
91 *limit = &lm[0]->lm_limits;
98 case SLAP_LIMITS_REGEX:
99 if ( ndn->bv_len == 0 ) {
102 if ( regexec( &lm[0]->lm_dn_regex, ndn->bv_val, 0, NULL, 0 )
105 *limit = &lm[0]->lm_limits;
110 case SLAP_LIMITS_ANONYMOUS:
111 if ( ndn->bv_len == 0 ) {
112 *limit = &lm[0]->lm_limits;
117 case SLAP_LIMITS_USERS:
118 if ( ndn->bv_len != 0 ) {
119 *limit = &lm[0]->lm_limits;
125 assert( 0 ); /* unreachable */
138 struct slap_limits_set *limit
142 struct slap_limits *lm;
147 lm = ( struct slap_limits * )ch_calloc( sizeof( struct slap_limits ), 1 );
150 case SLAP_LIMITS_EXACT:
151 case SLAP_LIMITS_ONE:
152 case SLAP_LIMITS_SUBTREE:
153 case SLAP_LIMITS_CHILDREN:
155 lm->lm_dn_pat = ber_bvstrdup( pattern );
156 if ( dn_normalize( lm->lm_dn_pat->bv_val ) == NULL ) {
157 ber_bvfree( lm->lm_dn_pat );
163 case SLAP_LIMITS_REGEX:
164 case SLAP_LIMITS_UNDEFINED:
165 lm->lm_type = SLAP_LIMITS_REGEX;
166 lm->lm_dn_pat = ber_bvstrdup( pattern );
167 if ( regcomp( &lm->lm_dn_regex, lm->lm_dn_pat->bv_val,
168 REG_EXTENDED | REG_ICASE ) ) {
169 ber_bvfree( lm->lm_dn_pat );
175 case SLAP_LIMITS_ANONYMOUS:
176 case SLAP_LIMITS_USERS:
178 lm->lm_dn_pat = NULL;
182 lm->lm_limits = *limit;
185 if ( be->be_limits != NULL ) {
186 for ( ; be->be_limits[i]; i++ );
189 be->be_limits = ( struct slap_limits ** )ch_realloc( be->be_limits,
190 sizeof( struct slap_limits * ) * ( i + 2 ) );
191 be->be_limits[i] = lm;
192 be->be_limits[i+1] = NULL;
206 int type = SLAP_LIMITS_UNDEFINED;
208 struct slap_limits_set limit;
215 LDAP_LOG(( "config", LDAP_LEVEL_CRIT,
216 "%s : line %d: missing arg(s) in "
217 "\"limits <pattern> <limits>\" line.\n",
220 Debug( LDAP_DEBUG_ANY,
221 "%s : line %d: missing arg(s) in "
222 "\"limits <pattern> <limits>\" line.\n%s",
228 limit = be->be_def_limit;
233 * "limits" <pattern> <limit> [ ... ]
240 * [ "dn" [ "." { "exact" | "base" | "one" | "sub" | children"
241 * | "regex" | "anonymous" } ] "=" ] <dn pattern>
244 * "exact" and "base" are the same (exact match);
245 * "one" means exactly one rdn below, NOT including the pattern
246 * "sub" means any rdn below, including the pattern
247 * "children" means any rdn below, NOT including the pattern
249 * "anonymous" may be deprecated in favour
250 * of the pattern = "anonymous" form
255 * "time" [ "." { "soft" | "hard" } ] "=" <integer>
257 * "size" [ "." { "soft" | "hard" | "unchecked" } ] "=" <integer>
261 if ( strcasecmp( pattern, "anonymous" ) == 0 ) {
262 type = SLAP_LIMITS_ANONYMOUS;
264 } else if ( strcasecmp( pattern, "users" ) == 0 ) {
265 type = SLAP_LIMITS_USERS;
267 } else if ( strncasecmp( pattern, "dn", 2 ) == 0 ) {
269 if ( pattern[0] == '.' ) {
271 if ( strncasecmp( pattern, "exact", 5 ) == 0 ) {
272 type = SLAP_LIMITS_EXACT;
275 } else if ( strncasecmp( pattern, "base", 4 ) == 0 ) {
276 type = SLAP_LIMITS_BASE;
279 } else if ( strncasecmp( pattern, "one", 3 ) == 0 ) {
280 type = SLAP_LIMITS_ONE;
283 } else if ( strncasecmp( pattern, "subtree", 7 ) == 0 ) {
284 type = SLAP_LIMITS_SUBTREE;
287 } else if ( strncasecmp( pattern, "children", 8 ) == 0 ) {
288 type = SLAP_LIMITS_CHILDREN;
291 } else if ( strncasecmp( pattern, "regex", 5 ) == 0 ) {
292 type = SLAP_LIMITS_REGEX;
296 * this could be deprecated in favour
297 * of the pattern = "anonymous" form
299 } else if ( strncasecmp( pattern, "anonymous", 9 ) == 0 ) {
300 type = SLAP_LIMITS_ANONYMOUS;
305 /* pre-check the data */
307 case SLAP_LIMITS_ANONYMOUS:
308 case SLAP_LIMITS_USERS:
310 /* no need for pattern */
315 if ( pattern[0] != '=' ) {
317 LDAP_LOG(( "config", LDAP_LEVEL_CRIT,
318 "%s : line %d: missing '=' in "
319 "\"dn[.{exact|base|one|subtree"
320 "|children|regex|anonymous}]"
322 "\"limits <pattern> <limits>\" line.\n",
325 Debug( LDAP_DEBUG_ANY,
326 "%s : line %d: missing '=' in "
327 "\"dn[.{exact|base|one|subtree"
328 "|children|regex|anonymous}]"
330 "\"limits <pattern> <limits>\" "
337 /* skip '=' (required) */
343 for ( i = 2; i < argc; i++ ) {
344 if ( parse_limit( argv[i], &limit ) ) {
347 LDAP_LOG(( "config", LDAP_LEVEL_CRIT,
348 "%s : line %d: unknown limit type \"%s\" in "
349 "\"limits <pattern> <limits>\" line.\n",
350 fname, lineno, argv[i] ));
352 Debug( LDAP_DEBUG_ANY,
353 "%s : line %d: unknown limit type \"%s\" in "
354 "\"limits <pattern> <limits>\" line.\n",
355 fname, lineno, argv[i] );
365 if ( limit.lms_t_hard > 0 && limit.lms_t_hard < limit.lms_t_soft ) {
366 limit.lms_t_hard = limit.lms_t_soft;
369 if ( limit.lms_s_hard > 0 && limit.lms_s_hard < limit.lms_s_soft ) {
370 limit.lms_s_hard = limit.lms_s_soft;
373 return( add_limits( be, type, pattern, &limit ) );
379 struct slap_limits_set *limit
385 if ( strncasecmp( arg, "time", 4 ) == 0 ) {
388 if ( arg[0] == '.' ) {
390 if ( strncasecmp( arg, "soft", 4 ) == 0 ) {
392 if ( arg[0] != '=' ) {
396 limit->lms_t_soft = atoi( arg );
398 } else if ( strncasecmp( arg, "hard", 4 ) == 0 ) {
400 if ( arg[0] != '=' ) {
404 if ( strcasecmp( arg, "soft" ) == 0 ) {
405 limit->lms_t_hard = 0;
406 } else if ( strcasecmp( arg, "none" ) == 0 ) {
407 limit->lms_t_hard = -1;
409 limit->lms_t_hard = atoi( arg );
416 } else if ( arg[0] == '=' ) {
417 limit->lms_t_soft = atoi( arg );
418 limit->lms_t_hard = 0;
424 } else if ( strncasecmp( arg, "size", 4 ) == 0 ) {
427 if ( arg[0] == '.' ) {
429 if ( strncasecmp( arg, "soft", 4 ) == 0 ) {
431 if ( arg[0] != '=' ) {
435 limit->lms_s_soft = atoi( arg );
437 } else if ( strncasecmp( arg, "hard", 4 ) == 0 ) {
439 if ( arg[0] != '=' ) {
443 if ( strcasecmp( arg, "soft" ) == 0 ) {
444 limit->lms_s_hard = 0;
445 } else if ( strcasecmp( arg, "none" ) == 0 ) {
446 limit->lms_s_hard = -1;
448 limit->lms_s_hard = atoi( arg );
451 } else if ( strncasecmp( arg, "unchecked", 9 ) == 0 ) {
453 if ( arg[0] != '=' ) {
457 if ( strcasecmp( arg, "none" ) == 0 ) {
458 limit->lms_s_unchecked = -1;
460 limit->lms_s_unchecked = atoi( arg );
467 } else if ( arg[0] == '=' ) {
468 limit->lms_s_soft = atoi( arg );
469 limit->lms_s_hard = 0;