2 /* constraint.c - Overlay to constrain attributes to certain values */
4 * Copyright 2003-2004 Hewlett-Packard Company
5 * Copyright 2007 Emmanuel Dreyfus
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
17 * Authors: Neil Dunbar <neil.dunbar@hp.com>
18 * Emmannuel Dreyfus <manu@netbsd.org>
22 #ifdef SLAPD_OVER_CONSTRAINT
26 #include <ac/string.h>
27 #include <ac/socket.h>
35 * This overlay limits the values which can be placed into an
36 * attribute, over and above the limits placed by the schema.
38 * It traps only LDAP adds and modify commands (and only seeks to
39 * control the add and modify value mods of a modify)
42 #define REGEX_STR "regex"
44 #define SIZE_STR "size"
45 #define COUNT_STR "count"
48 * Linked list of attribute constraints which we should enforce.
49 * This is probably a sub optimal structure - some form of sorted
50 * array would be better if the number of attributes contrained is
51 * likely to be much bigger than 4 or 5. We stick with a list for
55 typedef struct constraint {
56 struct constraint *ap_next;
57 AttributeDescription *ap;
62 AttributeDescription **attrs;
63 struct berval val; /* constraint value */
69 CONSTRAINT_ATTRIBUTE = 1
72 static ConfigDriver constraint_cf_gen;
74 static ConfigTable constraintcfg[] = {
75 { "constraint_attribute", "attribute> (regex|uri) <value",
76 4, 4, 0, ARG_MAGIC | CONSTRAINT_ATTRIBUTE, constraint_cf_gen,
77 "( OLcfgOvAt:13.1 NAME 'olcConstraintAttribute' "
78 "DESC 'regular expression constraint for attribute' "
79 "EQUALITY caseIgnoreMatch "
80 "SYNTAX OMsDirectoryString )", NULL, NULL },
81 { NULL, NULL, 0, 0, 0, ARG_IGNORED }
84 static ConfigOCs constraintocs[] = {
86 "NAME 'olcConstraintConfig' "
87 "DESC 'Constraint overlay configuration' "
88 "SUP olcOverlayConfig "
89 "MAY ( olcConstraintAttribute ) )",
90 Cft_Overlay, constraintcfg },
95 constraint_free( constraint *cp )
101 if (!BER_BVISNULL(&cp->val))
102 ch_free(cp->val.bv_val);
104 ldap_free_urldesc(cp->lud);
111 constraint_cf_gen( ConfigArgs *c )
113 slap_overinst *on = (slap_overinst *)(c->bi);
114 constraint *cn = on->on_bi.bi_private, *cp;
117 constraint ap = { NULL, NULL, NULL }, *a2 = NULL;
118 const char *text = NULL;
121 case SLAP_CONFIG_EMIT:
123 case CONSTRAINT_ATTRIBUTE:
124 for (cp=cn; cp; cp=cp->ap_next) {
129 len = cp->ap->ad_cname.bv_len + 3;
131 len += STRLENOF(REGEX_STR);
133 } else if (cp->lud) {
134 len += STRLENOF(URI_STR);
136 } else if (cp->size) {
137 len += STRLENOF(SIZE_STR);
139 } else if (cp->count) {
140 len += STRLENOF(COUNT_STR);
143 len += cp->val.bv_len;
147 bv.bv_len = snprintf(s, len, "%s %s %s", cp->ap->ad_cname.bv_val,
148 tstr, cp->val.bv_val);
150 rc = value_add_one( &c->rvalue_vals, &bv );
152 rc = value_add_one( &c->rvalue_nvals, &bv );
162 case LDAP_MOD_DELETE:
164 case CONSTRAINT_ATTRIBUTE:
165 if (!cn) break; /* nothing to do */
168 /* zap all constraints */
171 constraint_free( cn );
175 on->on_bi.bi_private = NULL;
179 /* zap constraint numbered 'valx' */
180 for(i=0, cp = cn, cpp = &cn;
182 i++, cpp = &cp->ap_next, cp = *cpp);
185 /* zap cp, and join cpp to cp->ap_next */
187 constraint_free( cp );
189 on->on_bi.bi_private = cn;
198 case SLAP_CONFIG_ADD:
201 case CONSTRAINT_ATTRIBUTE:
202 if ( slap_str2ad( c->argv[1], &ap.ap, &text ) ) {
203 snprintf( c->cr_msg, sizeof( c->cr_msg ),
204 "%s <%s>: %s\n", c->argv[0], c->argv[1], text );
205 Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
206 "%s: %s\n", c->log, c->cr_msg, 0 );
207 return( ARG_BAD_CONF );
210 if ( strcasecmp( c->argv[2], REGEX_STR ) == 0) {
213 ap.re = ch_malloc( sizeof(regex_t) );
214 if ((err = regcomp( ap.re,
215 c->argv[3], REG_EXTENDED )) != 0) {
218 regerror( err, ap.re, errmsg, sizeof(errmsg) );
220 snprintf( c->cr_msg, sizeof( c->cr_msg ),
221 "%s %s: Illegal regular expression \"%s\": Error %s",
222 c->argv[0], c->argv[1], c->argv[3], errmsg);
223 Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
224 "%s: %s\n", c->log, c->cr_msg, 0 );
226 return( ARG_BAD_CONF );
228 ber_str2bv( c->argv[3], 0, 1, &ap.val );
229 } else if ( strcasecmp( c->argv[2], SIZE_STR ) == 0 ) {
232 if ( ( size = atoi(c->argv[3]) ) != 0 )
234 } else if ( strcasecmp( c->argv[2], COUNT_STR ) == 0 ) {
237 if ( ( count = atoi(c->argv[3]) ) != 0 )
239 } else if ( strcasecmp( c->argv[2], URI_STR ) == 0 ) {
242 err = ldap_url_parse(c->argv[3], &ap.lud);
243 if ( err != LDAP_URL_SUCCESS ) {
244 snprintf( c->cr_msg, sizeof( c->cr_msg ),
245 "%s %s: Invalid URI \"%s\"",
246 c->argv[0], c->argv[1], c->argv[3]);
247 Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
248 "%s: %s\n", c->log, c->cr_msg, 0 );
249 return( ARG_BAD_CONF );
252 if (ap.lud->lud_host != NULL) {
253 snprintf( c->cr_msg, sizeof( c->cr_msg ),
254 "%s %s: unsupported hostname in URI \"%s\"",
255 c->argv[0], c->argv[1], c->argv[3]);
256 Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
257 "%s: %s\n", c->log, c->cr_msg, 0 );
259 ldap_free_urldesc(ap.lud);
261 return( ARG_BAD_CONF );
264 for ( i=0; ap.lud->lud_attrs[i]; i++);
265 /* FIXME: This is worthless without at least one attr */
267 ap.attrs = ch_malloc( (i+1)*sizeof(AttributeDescription *));
268 for ( i=0; ap.lud->lud_attrs[i]; i++) {
270 if ( slap_str2ad( ap.lud->lud_attrs[i], &ap.attrs[i], &text ) ) {
272 snprintf( c->cr_msg, sizeof( c->cr_msg ),
273 "%s <%s>: %s\n", c->argv[0], ap.lud->lud_attrs[i], text );
274 Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
275 "%s: %s\n", c->log, c->cr_msg, 0 );
276 return( ARG_BAD_CONF );
282 if (ap.lud->lud_dn == NULL)
283 ap.lud->lud_dn = ch_strdup("");
285 if (ap.lud->lud_filter == NULL) {
286 ap.lud->lud_filter = ch_strdup("objectClass=*");
287 } else if ( ap.lud->lud_filter[0] == '(' ) {
288 ber_len_t len = strlen( ap.lud->lud_filter );
289 if ( ap.lud->lud_filter[len - 1] != ')' ) {
290 return( ARG_BAD_CONF );
292 AC_MEMCPY( &ap.lud->lud_filter[0], &ap.lud->lud_filter[1], len - 2 );
293 ap.lud->lud_filter[len - 2] = '\0';
296 ber_str2bv( c->argv[3], 0, 1, &ap.val );
298 snprintf( c->cr_msg, sizeof( c->cr_msg ),
299 "%s %s: Unknown constraint type: %s",
300 c->argv[0], c->argv[1], c->argv[2] );
301 Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
302 "%s: %s\n", c->log, c->cr_msg, 0 );
303 return ( ARG_BAD_CONF );
306 a2 = ch_calloc( sizeof(constraint), 1 );
307 a2->ap_next = on->on_bi.bi_private;
313 a2->count = ap.count;
315 ber_str2bv(a2->lud->lud_dn, 0, 0, &a2->dn);
316 ber_str2bv(a2->lud->lud_filter, 0, 0, &a2->filter);
318 a2->attrs = ap.attrs;
319 on->on_bi.bi_private = a2;
334 constraint_uri_cb( Operation *op, SlapReply *rs )
336 if(rs->sr_type == REP_SEARCH) {
337 int *foundp = op->o_callback->sc_private;
341 Debug(LDAP_DEBUG_TRACE, "==> constraint_uri_cb <%s>\n",
342 rs->sr_entry ? rs->sr_entry->e_name.bv_val : "UNKNOWN_DN", 0, 0);
348 constraint_violation( constraint *c, struct berval *bv, Operation *op, SlapReply *rs)
350 if ((!c) || (!bv)) return LDAP_SUCCESS;
353 (regexec(c->re, bv->bv_val, 0, NULL, 0) == REG_NOMATCH))
354 return LDAP_CONSTRAINT_VIOLATION; /* regular expression violation */
356 if ((c->size) && (bv->bv_len > c->size))
357 return LDAP_CONSTRAINT_VIOLATION; /* size violation */
361 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
363 SlapReply nrs = { REP_RESULT };
368 struct berval filterstr;
377 cb.sc_response = constraint_uri_cb;
378 cb.sc_cleanup = NULL;
379 cb.sc_private = &found;
381 nop.o_protocol = LDAP_VERSION3;
382 nop.o_tag = LDAP_REQ_SEARCH;
383 nop.o_time = slap_get_time();
384 if (c->lud->lud_dn) {
387 ber_str2bv(c->lud->lud_dn, 0, 0, &dn);
390 nop.o_bd = select_backend(&nop.o_req_ndn, 1 );
392 return LDAP_NO_SUCH_OBJECT; /* unexpected error */
394 if (!nop.o_bd->be_search) {
395 return LDAP_OTHER; /* unexpected error */
398 nop.o_req_dn = nop.o_bd->be_nsuffix[0];
399 nop.o_req_ndn = nop.o_bd->be_nsuffix[0];
400 nop.o_bd = on->on_info->oi_origdb;
402 nop.o_do_not_cache = 1;
403 nop.o_callback = &cb;
405 nop.ors_scope = c->lud->lud_scope;
406 nop.ors_deref = LDAP_DEREF_NEVER;
407 nop.ors_slimit = SLAP_NO_LIMIT;
408 nop.ors_tlimit = SLAP_NO_LIMIT;
409 nop.ors_limit = NULL;
411 nop.ors_attrsonly = 0;
412 nop.ors_attrs = slap_anlist_no_attrs;
414 len = STRLENOF("(&(") +
418 for (i = 0; c->attrs[i]; i++) {
419 len += STRLENOF("(") +
420 c->attrs[i]->ad_cname.bv_len +
426 len += STRLENOF("))");
427 filterstr.bv_len = len;
428 filterstr.bv_val = op->o_tmpalloc(len + 1, op->o_tmpmemctx);
430 ptr = filterstr.bv_val +
431 snprintf(filterstr.bv_val, len, "(&(%s)(|", c->lud->lud_filter);
432 for (i = 0; c->attrs[i]; i++) {
434 ptr = lutil_strcopy( ptr, c->attrs[i]->ad_cname.bv_val );
436 ptr = lutil_strcopy( ptr, bv->bv_val );
443 nop.ors_filterstr = filterstr;
444 nop.ors_filter = str2filter_x(&nop, filterstr.bv_val);
445 if ( nop.ors_filter == NULL ) {
446 Debug( LDAP_DEBUG_ANY,
447 "%s constraint_violation uri filter=\"%s\" invalid\n",
448 op->o_log_prefix, filterstr.bv_val, 0 );
451 Debug(LDAP_DEBUG_TRACE,
452 "==> constraint_violation uri filter = %s\n",
453 filterstr.bv_val, 0, 0);
455 rc = nop.o_bd->be_search( &nop, &nrs );
457 Debug(LDAP_DEBUG_TRACE,
458 "==> constraint_violation uri rc = %d, found = %d\n",
461 op->o_tmpfree(filterstr.bv_val, op->o_tmpmemctx);
463 if((rc != LDAP_SUCCESS) && (rc != LDAP_NO_SUCH_OBJECT)) {
464 return rc; /* unexpected error */
468 return LDAP_CONSTRAINT_VIOLATION; /* constraint violation */
476 print_message( struct berval *errtext, AttributeDescription *a )
481 sz = errtext->bv_len + sizeof(" on ") + a->ad_cname.bv_len;
483 snprintf( ret, sz, "%s on %s", errtext->bv_val, a->ad_cname.bv_val );
488 constraint_count_attr(Entry *e, AttributeDescription *ad)
492 if ((a = attr_find(e->e_attrs, ad)) != NULL)
498 constraint_add( Operation *op, SlapReply *rs )
500 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
501 Backend *be = op->o_bd;
503 constraint *c = on->on_bi.bi_private, *cp;
506 struct berval rsv = BER_BVC("add breaks constraint");
510 if ((a = op->ora_e->e_attrs) == NULL) {
511 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
512 send_ldap_error(op, rs, LDAP_INVALID_SYNTAX,
513 "constraint_add: no attrs");
517 for(; a; a = a->a_next ) {
518 /* we don't constrain operational attributes */
519 if (is_at_operational(a->a_desc->ad_type)) continue;
521 for(cp = c; cp; cp = cp->ap_next) {
522 if (cp->ap != a->a_desc) continue;
523 if ((b = a->a_vals) == NULL) continue;
525 Debug(LDAP_DEBUG_TRACE,
526 "==> constraint_add, "
527 "a->a_numvals = %d, cp->count = %d\n",
528 a->a_numvals, cp->count, 0);
530 if ((cp->count != 0) && (a->a_numvals > cp->count)) {
531 rc = LDAP_CONSTRAINT_VIOLATION;
535 for ( i = 0; b[i].bv_val; i++ ) {
536 rc = constraint_violation( cp, &b[i], op, rs );
543 /* Default is to just fall through to the normal processing */
544 return SLAP_CB_CONTINUE;
547 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
548 if (rc == LDAP_CONSTRAINT_VIOLATION ) {
549 msg = print_message( &rsv, a->a_desc );
551 send_ldap_error(op, rs, rc, msg );
558 constraint_modify( Operation *op, SlapReply *rs )
560 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
561 Backend *be = op->o_bd;
562 constraint *c = on->on_bi.bi_private, *cp;
563 Entry *target_entry = NULL;
567 struct berval rsv = BER_BVC("modify breaks constraint");
571 Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE, "constraint_modify()", 0,0,0);
572 if ((m = op->orm_modlist) == NULL) {
573 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
574 send_ldap_error(op, rs, LDAP_INVALID_SYNTAX,
575 "constraint_modify() got null orm_modlist");
579 /* Do we need to count attributes? */
580 for(cp = c; cp; cp = cp->ap_next) {
581 if (cp->count != 0) {
583 op->o_bd = on->on_info->oi_origdb;
584 rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &target_entry );
587 if (rc != 0 || target_entry == NULL) {
588 Debug(LDAP_DEBUG_TRACE,
589 "==> constraint_modify rc = %d DN=\"%s\"%s\n",
590 rc, op->o_req_ndn.bv_val,
591 target_entry ? "" : " not found" );
593 rc = LDAP_CONSTRAINT_VIOLATION;
600 rc = LDAP_CONSTRAINT_VIOLATION;
601 for(;m; m = m->sml_next) {
604 /* Get this attribute count, if needed */
606 ce = constraint_count_attr(target_entry, m->sml_desc);
608 if (is_at_operational( m->sml_desc->ad_type )) continue;
609 if ((( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_ADD) &&
610 (( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_REPLACE) &&
611 (( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_DELETE))
613 /* we only care about ADD and REPLACE modifications */
614 /* and DELETE are used to track attribute count */
615 if ((( b = m->sml_values ) == NULL ) || (b[0].bv_val == NULL))
618 for(cp = c; cp; cp = cp->ap_next) {
619 if (cp->ap != m->sml_desc) continue;
621 if (cp->count != 0) {
624 if (m->sml_op == LDAP_MOD_DELETE)
627 for (ca = 0; b[ca].bv_val; ++ca);
629 Debug(LDAP_DEBUG_TRACE,
630 "==> constraint_modify ce = %d, "
631 "ca = %d, cp->count = %d\n",
634 if (m->sml_op == LDAP_MOD_ADD) {
635 if (ca + ce > cp->count) {
636 rc = LDAP_CONSTRAINT_VIOLATION;
640 if (m->sml_op == LDAP_MOD_REPLACE) {
641 if (ca > cp->count) {
642 rc = LDAP_CONSTRAINT_VIOLATION;
649 /* DELETE are to be ignored beyond this point */
650 if (( m->sml_op & LDAP_MOD_OP ) == LDAP_MOD_DELETE)
653 for ( i = 0; b[i].bv_val; i++ ) {
654 rc = constraint_violation( cp, &b[i], op, rs );
663 op->o_bd = on->on_info->oi_origdb;
664 be_entry_release_r(op, target_entry);
667 return SLAP_CB_CONTINUE;
672 op->o_bd = on->on_info->oi_origdb;
673 be_entry_release_r(op, target_entry);
676 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
677 if ( rc == LDAP_CONSTRAINT_VIOLATION ) {
678 msg = print_message( &rsv, m->sml_desc );
680 send_ldap_error( op, rs, LDAP_CONSTRAINT_VIOLATION, msg );
690 slap_overinst *on = (slap_overinst *) be->bd_info;
693 for ( ap = on->on_bi.bi_private; ap; ap = a2 ) {
695 constraint_free( ap );
701 static slap_overinst constraint_ovl;
703 #if SLAPD_OVER_CONSTRAINT == SLAPD_MOD_DYNAMIC
707 constraint_initialize( void ) {
710 constraint_ovl.on_bi.bi_type = "constraint";
711 constraint_ovl.on_bi.bi_db_close = constraint_close;
712 constraint_ovl.on_bi.bi_op_add = constraint_add;
713 constraint_ovl.on_bi.bi_op_modify = constraint_modify;
715 constraint_ovl.on_bi.bi_private = NULL;
717 constraint_ovl.on_bi.bi_cf_ocs = constraintocs;
718 rc = config_register_schema( constraintcfg, constraintocs );
721 return overlay_register( &constraint_ovl );
724 #if SLAPD_OVER_CONSTRAINT == SLAPD_MOD_DYNAMIC
725 int init_module(int argc, char *argv[]) {
726 return constraint_initialize();
730 #endif /* defined(SLAPD_OVER_CONSTRAINT) */
projects / openldap / blob