1 /* constraint.c - Overlay to constrain attributes to certain values */
4 * Copyright 2003-2004 Hewlett-Packard Company
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted only as authorized by the OpenLDAP
11 * A copy of this license is available in the file LICENSE in the
12 * top-level directory of the distribution or, alternatively, at
13 * <http://www.OpenLDAP.org/license.html>.
16 * Author: Neil Dunbar <neil.dunbar@hp.com>
20 #ifdef SLAPD_OVER_CONSTRAINT
24 #include <ac/string.h>
25 #include <ac/socket.h>
31 * This overlay limits the values which can be placed into an
32 * attribute, over and above the limits placed by the schema.
34 * It traps only LDAP adds and modify commands (and only seeks to
35 * control the add and modify value mods of a modify)
39 * Linked list of attribute constraints which we should enforce.
40 * This is probably a sub optimal structure - some form of sorted
41 * array would be better if the number of attributes contrained is
42 * likely to be much bigger than 4 or 5. We stick with a list for
45 typedef struct constraint {
46 struct constraint *ap_next;
47 AttributeDescription *ap;
52 constraint_violation( constraint *c, struct berval *bv )
54 if ((!c) || (!bv)) return 0;
57 (regexec(c->re, bv->bv_val, 0, NULL, 0) == REG_NOMATCH))
59 return 1; /* regular expression violation */
65 print_message( const char *fmt, AttributeDescription *a )
70 sz = strlen(fmt) + a->ad_cname.bv_len + 1;
72 snprintf( ret, sz, fmt, a->ad_cname.bv_val );
77 constraint_add( Operation *op, SlapReply *rs )
79 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
81 constraint *c = on->on_bi.bi_private, *cp;
84 const char *rsv = "add breaks regular expression constraint on %s";
87 if ((a = op->ora_e->e_attrs) == NULL) {
88 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
89 send_ldap_error(op, rs, LDAP_INVALID_SYNTAX,
90 "constraint_add() got null op.ora_e.e_attrs");
94 for(; a; a = a->a_next ) {
95 /* we don't constrain operational attributes */
97 if (is_at_operational(a->a_desc->ad_type)) continue;
99 for(cp = c; cp; cp = cp->ap_next) {
100 if (cp->ap != a->a_desc) continue;
101 if ((b = a->a_vals) == NULL) continue;
103 for(i=0; b[i].bv_val; i++) {
104 int cv = constraint_violation( cp, &b[i]);
107 /* regex violation */
108 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
109 msg = print_message( rsv, a->a_desc );
110 send_ldap_error(op, rs, LDAP_CONSTRAINT_VIOLATION, msg );
117 /* Default is to just fall through to the normal processing */
118 return SLAP_CB_CONTINUE;
122 constraint_modify( Operation *op, SlapReply *rs )
124 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
125 constraint *c = on->on_bi.bi_private, *cp;
129 const char *rsv = "modify breaks regular expression constraint on %s";
132 if ((m = op->orm_modlist) == NULL) {
133 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
134 send_ldap_error(op, rs, LDAP_INVALID_SYNTAX,
135 "constraint_modify() got null orm_modlist");
139 for(;m; m = m->sml_next) {
140 if (is_at_operational( m->sml_desc->ad_type )) continue;
141 if ((( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_ADD) &&
142 (( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_REPLACE))
144 /* we only care about ADD and REPLACE modifications */
145 if ((( b = m->sml_values ) == NULL ) || (b[0].bv_val == NULL))
148 for(cp = c; cp; cp = cp->ap_next) {
149 if (cp->ap != m->sml_desc) continue;
151 for(i=0; b[i].bv_val; i++) {
152 int cv = constraint_violation( cp, &b[i]);
155 /* regex violation */
156 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
157 msg = print_message( rsv, m->sml_desc );
158 send_ldap_error(op, rs, LDAP_CONSTRAINT_VIOLATION, msg );
166 return SLAP_CB_CONTINUE;
169 static int constraint_config(
177 slap_overinst *on = (slap_overinst *) be->bd_info;
178 constraint ap = { NULL, NULL, NULL }, *a2 = NULL;
181 if ( strcasecmp( argv[0], "constraint_attribute" ) == 0 ) {
185 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
186 "wrong number of parameters in"
187 "\"constraint_attribute <attribute> <constraint> <constraint_value>\" line.\n",
191 if ( slap_str2ad( argv[1], &ap.ap, &text ) ) {
192 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
193 "attribute description unknown \"constraint_attribute\" line: %s.\n",
194 fname, lineno, text );
198 if ( strcasecmp( argv[2], "regex" ) == 0) {
201 ap.re = ch_malloc( sizeof(regex_t) );
202 if ((err = regcomp( ap.re, argv[3], REG_EXTENDED )) != 0) {
203 const char *fmt = "%s: line %d: Illegal regular expression \"%s\": Error %s\n";
204 char errmsg[1024], *msg;
207 msgsize = regerror( err, ap.re, errmsg, sizeof(errmsg) );
208 msgsize += strlen(fmt) + strlen(argv[3]) + strlen(fname);
209 for(l=lineno; l>0; l/=10, msgsize++);
212 msg = ch_malloc( msgsize + 1 );
213 snprintf( msg, msgsize, fmt, fname, lineno, argv[3], errmsg );
215 Debug( LDAP_DEBUG_ANY, msg, 0, 0, 0);
221 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
222 "Unknown constraint type: %s",
223 fname, lineno, argv[2] );
226 a2 = ch_malloc( sizeof(constraint) );
227 a2->ap_next = on->on_bi.bi_private;
230 on->on_bi.bi_private = a2;
232 return SLAP_CONF_UNKNOWN;
243 slap_overinst *on = (slap_overinst *) be->bd_info;
246 for ( ap = on->on_bi.bi_private; ap; ap = a2 ) {
259 static slap_overinst constraint_ovl;
261 /* This overlay is set up for dynamic loading via moduleload. For static
262 * configuration, you'll need to arrange for the slap_overinst to be
263 * initialized and registered by some other function inside slapd.
266 #if SLAPD_OVER_CONSTRAINT == SLAPD_MOD_DYNAMIC
270 constraint_initialize( void ) {
271 constraint_ovl.on_bi.bi_type = "constraint";
272 constraint_ovl.on_bi.bi_db_config = constraint_config;
273 constraint_ovl.on_bi.bi_db_close = constraint_close;
274 constraint_ovl.on_bi.bi_op_add = constraint_add;
275 constraint_ovl.on_bi.bi_op_modify = constraint_modify;
277 return overlay_register( &constraint_ovl );
280 #if SLAPD_OVER_CONSTRAINT == SLAPD_MOD_DYNAMIC
281 int init_module(int argc, char *argv[]) {
282 return constraint_initialize();
286 #endif /* defined(SLAPD_OVER_CONSTRAINT) */