1 /* constraint.c - Overlay to constrain attributes to certain values */
4 * Copyright 2003-2004 Hewlett-Packard Company
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted only as authorized by the OpenLDAP
11 * A copy of this license is available in the file LICENSE in the
12 * top-level directory of the distribution or, alternatively, at
13 * <http://www.OpenLDAP.org/license.html>.
16 * Author: Neil Dunbar <neil.dunbar@hp.com>
20 #ifdef SLAPD_OVER_CONSTRAINT
24 #include <ac/string.h>
25 #include <ac/socket.h>
31 * This overlay limits the values which can be placed into an
32 * attribute, over and above the limits placed by the schema.
34 * It traps only LDAP adds and modify commands (and only seeks to
35 * control the add and modify value mods of a modify)
39 * Linked list of attribute constraints which we should enforce.
40 * This is probably a sub optimal structure - some form of sorted
41 * array would be better if the number of attributes contrained is
42 * likely to be much bigger than 4 or 5. We stick with a list for
45 typedef struct constraint {
46 struct constraint *ap_next;
47 AttributeDescription *ap;
52 constraint_violation( constraint *c, struct berval *bv )
54 if ((!c) || (!bv)) return 0;
57 (regexec(c->re, bv->bv_val, 0, NULL, 0) == REG_NOMATCH))
59 return 1; /* regular expression violation */
65 print_message( const char *msg, AttributeDescription *a )
70 sz = strlen(msg) + a->ad_cname.bv_len + sizeof(" on ");
72 snprintf( ret, sz, "%s on %s", msg, a->ad_cname.bv_val );
77 constraint_add( Operation *op, SlapReply *rs )
79 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
81 constraint *c = on->on_bi.bi_private, *cp;
84 const char *rsv = "add breaks regular expression constraint";
87 if ((a = op->ora_e->e_attrs) == NULL) {
88 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
89 send_ldap_error(op, rs, LDAP_INVALID_SYNTAX,
90 "constraint_add() got null op.ora_e.e_attrs");
94 for(; a; a = a->a_next ) {
95 /* we don't constrain operational attributes */
97 if (is_at_operational(a->a_desc->ad_type)) continue;
99 for(cp = c; cp; cp = cp->ap_next) {
100 if (cp->ap != a->a_desc) continue;
101 if ((b = a->a_vals) == NULL) continue;
103 for(i=0; b[i].bv_val; i++) {
104 int cv = constraint_violation( cp, &b[i]);
107 /* regex violation */
108 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
109 msg = print_message( rsv, a->a_desc );
110 send_ldap_error(op, rs, LDAP_CONSTRAINT_VIOLATION, msg );
117 /* Default is to just fall through to the normal processing */
118 return SLAP_CB_CONTINUE;
122 constraint_modify( Operation *op, SlapReply *rs )
124 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
125 constraint *c = on->on_bi.bi_private, *cp;
129 const char *rsv = "modify breaks regular expression constraint";
132 if ((m = op->orm_modlist) == NULL) {
133 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
134 send_ldap_error(op, rs, LDAP_INVALID_SYNTAX,
135 "constraint_modify() got null orm_modlist");
139 for(;m; m = m->sml_next) {
140 if (is_at_operational( m->sml_desc->ad_type )) continue;
141 if ((( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_ADD) &&
142 (( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_REPLACE))
144 /* we only care about ADD and REPLACE modifications */
145 if ((( b = m->sml_values ) == NULL ) || (b[0].bv_val == NULL))
148 for(cp = c; cp; cp = cp->ap_next) {
149 if (cp->ap != m->sml_desc) continue;
151 for(i=0; b[i].bv_val; i++) {
152 int cv = constraint_violation( cp, &b[i]);
155 /* regex violation */
156 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
157 msg = print_message( rsv, m->sml_desc );
158 send_ldap_error(op, rs, LDAP_CONSTRAINT_VIOLATION, msg );
166 return SLAP_CB_CONTINUE;
169 static int constraint_config(
177 slap_overinst *on = (slap_overinst *) be->bd_info;
178 constraint ap = { NULL, NULL, NULL }, *a2 = NULL;
180 if ( strcasecmp( argv[0], "constraint_attribute" ) == 0 ) {
184 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
185 "wrong number of parameters in"
186 "\"constraint_attribute <attribute> <constraint> <constraint_value>\" line.\n",
190 if ( slap_str2ad( argv[1], &ap.ap, &text ) ) {
191 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
192 "attribute description unknown \"constraint_attribute\" line: %s.\n",
193 fname, lineno, text );
197 if ( strcasecmp( argv[2], "regex" ) == 0) {
200 ap.re = ch_malloc( sizeof(regex_t) );
201 if ((err = regcomp( ap.re, argv[3], REG_EXTENDED )) != 0) {
202 static const char fmt[] = "\"%s\": Error %s";
203 char errmsg[1024], *msg;
206 msgsize = regerror( err, ap.re, errmsg, sizeof(errmsg) );
207 msgsize += STRLENOF(fmt) - STRLENOF("%s%s") + strlen(argv[3]);
209 msg = ch_malloc( msgsize + 1 );
210 snprintf( msg, msgsize, fmt, argv[3], errmsg );
212 Debug( LDAP_DEBUG_ANY,
213 "%s: line %d: Illegal regular expression %s\n",
214 fname, lineno, msg );
220 Debug( LDAP_DEBUG_ANY, "%s: line %d: "
221 "Unknown constraint type: %s",
222 fname, lineno, argv[2] );
225 a2 = ch_malloc( sizeof(constraint) );
226 a2->ap_next = on->on_bi.bi_private;
229 on->on_bi.bi_private = a2;
231 return SLAP_CONF_UNKNOWN;
242 slap_overinst *on = (slap_overinst *) be->bd_info;
245 for ( ap = on->on_bi.bi_private; ap; ap = a2 ) {
258 static slap_overinst constraint_ovl;
260 /* This overlay is set up for dynamic loading via moduleload. For static
261 * configuration, you'll need to arrange for the slap_overinst to be
262 * initialized and registered by some other function inside slapd.
265 #if SLAPD_OVER_CONSTRAINT == SLAPD_MOD_DYNAMIC
269 constraint_initialize( void ) {
270 constraint_ovl.on_bi.bi_type = "constraint";
271 constraint_ovl.on_bi.bi_db_config = constraint_config;
272 constraint_ovl.on_bi.bi_db_close = constraint_close;
273 constraint_ovl.on_bi.bi_op_add = constraint_add;
274 constraint_ovl.on_bi.bi_op_modify = constraint_modify;
276 return overlay_register( &constraint_ovl );
279 #if SLAPD_OVER_CONSTRAINT == SLAPD_MOD_DYNAMIC
280 int init_module(int argc, char *argv[]) {
281 return constraint_initialize();
285 #endif /* defined(SLAPD_OVER_CONSTRAINT) */