1 /* constraint.c - Overlay to constrain attributes to certain values */
4 * Copyright 2003-2004 Hewlett-Packard Company
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted only as authorized by the OpenLDAP
11 * A copy of this license is available in the file LICENSE in the
12 * top-level directory of the distribution or, alternatively, at
13 * <http://www.OpenLDAP.org/license.html>.
16 * Author: Neil Dunbar <neil.dunbar@hp.com>
20 #ifdef SLAPD_OVER_CONSTRAINT
24 #include <ac/string.h>
25 #include <ac/socket.h>
32 * This overlay limits the values which can be placed into an
33 * attribute, over and above the limits placed by the schema.
35 * It traps only LDAP adds and modify commands (and only seeks to
36 * control the add and modify value mods of a modify)
39 #define REGEX_STR "regex"
42 * Linked list of attribute constraints which we should enforce.
43 * This is probably a sub optimal structure - some form of sorted
44 * array would be better if the number of attributes contrained is
45 * likely to be much bigger than 4 or 5. We stick with a list for
49 typedef struct constraint {
50 struct constraint *ap_next;
51 AttributeDescription *ap;
53 char *re_str; /* string representation of regex */
57 CONSTRAINT_ATTRIBUTE = 1
60 static ConfigDriver constraint_cf_gen;
62 static ConfigTable constraintcfg[] = {
63 { "constraint_attribute", "attribute regex <regular expression>",
64 4, 4, 0, ARG_MAGIC | CONSTRAINT_ATTRIBUTE, constraint_cf_gen,
65 "( HPcfgOvAt:4.1 NAME 'olcConstraintAttribute' "
66 "DESC 'regular expression constraint for attribute' "
67 "SYNTAX OMsDirectoryString )", NULL, NULL },
68 { NULL, NULL, 0, 0, 0, ARG_IGNORED }
71 static ConfigOCs constraintocs[] = {
73 "NAME 'olcConstraintConfig' "
74 "DESC 'Constraint overlay configuration' "
75 "SUP olcOverlayConfig "
76 "MAY ( olcConstraintAttribute ) )",
77 Cft_Overlay, constraintcfg },
82 constraint_cf_gen( ConfigArgs *c )
84 slap_overinst *on = (slap_overinst *)(c->bi);
85 constraint *cn = on->on_bi.bi_private, *cp;
88 constraint ap = { NULL, NULL, NULL }, *a2 = NULL;
90 const char *text = NULL;
93 case SLAP_CONFIG_EMIT:
95 case CONSTRAINT_ATTRIBUTE:
96 for (cp=cn; cp; cp=cp->ap_next) {
100 len = cp->ap->ad_cname.bv_len +
101 strlen( REGEX_STR ) + strlen( cp->re_str) + 3;
104 snprintf(s, len, "%s %s %s", cp->ap->ad_cname.bv_val,
105 REGEX_STR, cp->re_str);
107 bv.bv_len = strlen(s);
108 rc = value_add_one( &c->rvalue_vals, &bv );
110 rc = value_add_one( &c->rvalue_nvals, &bv );
120 case LDAP_MOD_DELETE:
122 case CONSTRAINT_ATTRIBUTE:
123 if (!cn) break; /* nothing to do */
126 /* zap all constraints */
133 if (cn->re_str) ch_free(cn->re_str);
138 on->on_bi.bi_private = NULL;
142 /* zap constraint numbered 'valx' */
143 for(i=0, cp = cn, cpp = NULL;
145 i++, cpp = cp, cp=cp->ap_next);
148 /* zap cp, and join cpp to cp->ap_next */
149 cpp->ap_next = cp->ap_next;
154 if (cp->re_str) ch_free(cp->re_str);
157 /* zap the list head */
162 if (cn->re_str) ch_free(cn->re_str);
164 on->on_bi.bi_private = cn->ap_next;
174 case SLAP_CONFIG_ADD:
177 case CONSTRAINT_ATTRIBUTE:
178 if ( slap_str2ad( c->argv[1], &ap.ap, &text ) ) {
179 Debug( LDAP_DEBUG_CONFIG,
180 "constraint_add: <%s>: attribute description unknown %s.\n",
181 c->argv[1], text, 0 );
182 return( ARG_BAD_CONF );
185 if ( strcasecmp( c->argv[2], "regex" ) == 0) {
188 ap.re = ch_malloc( sizeof(regex_t) );
189 if ((err = regcomp( ap.re,
190 c->argv[3], REG_EXTENDED )) != 0) {
193 regerror( err, ap.re, errmsg, sizeof(errmsg) );
195 Debug( LDAP_DEBUG_CONFIG,
196 "%s: Illegal regular expression \"%s\": Error %s\n",
197 c->argv[1], c->argv[3], errmsg);
199 return( ARG_BAD_CONF );
201 ap.re_str = ch_strdup( c->argv[3] );
203 Debug( LDAP_DEBUG_CONFIG,
204 "%s: Unknown constraint type: %s\n",
205 c->argv[1], c->argv[2], 0 );
206 return ( ARG_BAD_CONF );
210 a2 = ch_malloc( sizeof(constraint) );
211 a2->ap_next = on->on_bi.bi_private;
214 a2->re_str = ap.re_str;
215 on->on_bi.bi_private = a2;
230 constraint_violation( constraint *c, struct berval *bv )
232 if ((!c) || (!bv)) return 0;
235 (regexec(c->re, bv->bv_val, 0, NULL, 0) == REG_NOMATCH))
237 return 1; /* regular expression violation */
243 print_message( const char *fmt, AttributeDescription *a )
248 sz = strlen(fmt) + a->ad_cname.bv_len + 1;
250 snprintf( ret, sz, fmt, a->ad_cname.bv_val );
255 constraint_add( Operation *op, SlapReply *rs )
257 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
259 constraint *c = on->on_bi.bi_private, *cp;
262 const char *rsv = "add breaks regular expression constraint on %s";
265 if ((a = op->ora_e->e_attrs) == NULL) {
266 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
267 send_ldap_error(op, rs, LDAP_INVALID_SYNTAX,
268 "constraint_add() got null op.ora_e.e_attrs");
272 for(; a; a = a->a_next ) {
273 /* we don't constrain operational attributes */
275 if (is_at_operational(a->a_desc->ad_type)) continue;
277 for(cp = c; cp; cp = cp->ap_next) {
278 if (cp->ap != a->a_desc) continue;
279 if ((b = a->a_vals) == NULL) continue;
281 for(i=0; b[i].bv_val; i++) {
282 int cv = constraint_violation( cp, &b[i]);
285 /* regex violation */
286 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
287 msg = print_message( rsv, a->a_desc );
288 send_ldap_error(op, rs, LDAP_CONSTRAINT_VIOLATION, msg );
295 /* Default is to just fall through to the normal processing */
296 return SLAP_CB_CONTINUE;
300 constraint_modify( Operation *op, SlapReply *rs )
302 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
303 constraint *c = on->on_bi.bi_private, *cp;
307 const char *rsv = "modify breaks regular expression constraint on %s";
310 if ((m = op->orm_modlist) == NULL) {
311 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
312 send_ldap_error(op, rs, LDAP_INVALID_SYNTAX,
313 "constraint_modify() got null orm_modlist");
317 for(;m; m = m->sml_next) {
318 if (is_at_operational( m->sml_desc->ad_type )) continue;
319 if ((( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_ADD) &&
320 (( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_REPLACE))
322 /* we only care about ADD and REPLACE modifications */
323 if ((( b = m->sml_values ) == NULL ) || (b[0].bv_val == NULL))
326 for(cp = c; cp; cp = cp->ap_next) {
327 if (cp->ap != m->sml_desc) continue;
329 for(i=0; b[i].bv_val; i++) {
330 int cv = constraint_violation( cp, &b[i]);
333 /* regex violation */
334 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
335 msg = print_message( rsv, m->sml_desc );
336 send_ldap_error(op, rs, LDAP_CONSTRAINT_VIOLATION, msg );
344 return SLAP_CB_CONTINUE;
352 slap_overinst *on = (slap_overinst *) be->bd_info;
355 for ( ap = on->on_bi.bi_private; ap; ap = a2 ) {
357 if (ap->re_str) ch_free(ap->re_str);
369 static slap_overinst constraint_ovl;
371 /* This overlay is set up for dynamic loading via moduleload. For static
372 * configuration, you'll need to arrange for the slap_overinst to be
373 * initialized and registered by some other function inside slapd.
376 #if SLAPD_OVER_CONSTRAINT == SLAPD_MOD_DYNAMIC
380 constraint_initialize( void ) {
383 constraint_ovl.on_bi.bi_type = "constraint";
384 constraint_ovl.on_bi.bi_db_close = constraint_close;
385 constraint_ovl.on_bi.bi_op_add = constraint_add;
386 constraint_ovl.on_bi.bi_op_modify = constraint_modify;
388 constraint_ovl.on_bi.bi_private = NULL;
390 constraint_ovl.on_bi.bi_cf_ocs = constraintocs;
391 rc = config_register_schema( constraintcfg, constraintocs );
394 return overlay_register( &constraint_ovl );
397 #if SLAPD_OVER_CONSTRAINT == SLAPD_MOD_DYNAMIC
398 int init_module(int argc, char *argv[]) {
399 return constraint_initialize();
403 #endif /* defined(SLAPD_OVER_CONSTRAINT) */