2 /* constraint.c - Overlay to constrain attributes to certain values */
4 * Copyright 2003-2004 Hewlett-Packard Company
5 * Copyright 2007 Emmanuel Dreyfus
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
17 * Authors: Neil Dunbar <neil.dunbar@hp.com>
18 * Emmannuel Dreyfus <manu@netbsd.org>
22 #ifdef SLAPD_OVER_CONSTRAINT
26 #include <ac/string.h>
27 #include <ac/socket.h>
35 * This overlay limits the values which can be placed into an
36 * attribute, over and above the limits placed by the schema.
38 * It traps only LDAP adds and modify commands (and only seeks to
39 * control the add and modify value mods of a modify)
42 #define REGEX_STR "regex"
45 #define SIZE_STR "size"
46 #define COUNT_STR "count"
49 * Linked list of attribute constraints which we should enforce.
50 * This is probably a sub optimal structure - some form of sorted
51 * array would be better if the number of attributes contrained is
52 * likely to be much bigger than 4 or 5. We stick with a list for
56 typedef struct constraint {
57 struct constraint *ap_next;
58 AttributeDescription **ap;
60 LDAPURLDesc *restrict_lud;
61 struct berval restrict_ndn;
62 Filter *restrict_filter;
63 struct berval restrict_val;
71 AttributeDescription **attrs;
72 struct berval val; /* constraint value */
78 CONSTRAINT_ATTRIBUTE = 1,
86 static ConfigDriver constraint_cf_gen;
88 static ConfigTable constraintcfg[] = {
89 { "constraint_attribute", "attribute[list]> (regex|uri|set|size|count) <value> [<restrict URI>]",
90 4, 0, 0, ARG_MAGIC | CONSTRAINT_ATTRIBUTE, constraint_cf_gen,
91 "( OLcfgOvAt:13.1 NAME 'olcConstraintAttribute' "
92 "DESC 'constraint for list of attributes' "
93 "EQUALITY caseIgnoreMatch "
94 "SYNTAX OMsDirectoryString )", NULL, NULL },
95 { NULL, NULL, 0, 0, 0, ARG_IGNORED }
98 static ConfigOCs constraintocs[] = {
100 "NAME 'olcConstraintConfig' "
101 "DESC 'Constraint overlay configuration' "
102 "SUP olcOverlayConfig "
103 "MAY ( olcConstraintAttribute ) )",
104 Cft_Overlay, constraintcfg },
109 constraint_free( constraint *cp, int freeme )
111 if (cp->restrict_lud)
112 ldap_free_urldesc(cp->restrict_lud);
113 if (!BER_BVISNULL(&cp->restrict_ndn))
114 ch_free(cp->restrict_ndn.bv_val);
115 if (cp->restrict_filter != NULL && cp->restrict_filter != slap_filter_objectClass_pres)
116 filter_free(cp->restrict_filter);
117 if (!BER_BVISNULL(&cp->restrict_val))
118 ch_free(cp->restrict_val.bv_val);
123 if (!BER_BVISNULL(&cp->val))
124 ch_free(cp->val.bv_val);
126 ldap_free_urldesc(cp->lud);
136 constraint_cf_gen( ConfigArgs *c )
138 slap_overinst *on = (slap_overinst *)(c->bi);
139 constraint *cn = on->on_bi.bi_private, *cp;
142 constraint ap = { NULL };
143 const char *text = NULL;
146 case SLAP_CONFIG_EMIT:
148 case CONSTRAINT_ATTRIBUTE:
149 for (cp=cn; cp; cp=cp->ap_next) {
152 int quotes = 0, numeric = 0;
155 char val_buf[SLAP_TEXT_BUFLEN] = { '\0' };
157 bv.bv_len = STRLENOF(" ");
158 for (j = 0; cp->ap[j]; j++) {
159 bv.bv_len += cp->ap[j]->ad_cname.bv_len;
162 /* room for commas */
166 case CONSTRAINT_COUNT:
171 case CONSTRAINT_SIZE:
176 case CONSTRAINT_REGEX:
192 bv.bv_len += strlen(tstr);
193 bv.bv_len += cp->val.bv_len + 2*quotes;
195 if (cp->restrict_lud != NULL) {
196 bv.bv_len += cp->restrict_val.bv_len + STRLENOF(" restrict=\"\"");
200 int len = snprintf(val_buf, sizeof(val_buf), "%zu", val);
208 s = bv.bv_val = ch_malloc(bv.bv_len + 1);
210 s = lutil_strncopy( s, cp->ap[0]->ad_cname.bv_val, cp->ap[0]->ad_cname.bv_len );
211 for (j = 1; cp->ap[j]; j++) {
213 s = lutil_strncopy( s, cp->ap[j]->ad_cname.bv_val, cp->ap[j]->ad_cname.bv_len );
216 s = lutil_strcopy( s, tstr );
219 s = lutil_strcopy( s, val_buf );
221 if ( quotes ) *s++ = '"';
222 s = lutil_strncopy( s, cp->val.bv_val, cp->val.bv_len );
223 if ( quotes ) *s++ = '"';
225 if (cp->restrict_lud != NULL) {
226 s = lutil_strcopy( s, " restrict=\"" );
227 s = lutil_strncopy( s, cp->restrict_val.bv_val, cp->restrict_val.bv_len );
232 rc = value_add_one( &c->rvalue_vals, &bv );
233 if (rc == LDAP_SUCCESS)
234 rc = value_add_one( &c->rvalue_nvals, &bv );
244 case LDAP_MOD_DELETE:
246 case CONSTRAINT_ATTRIBUTE:
247 if (!cn) break; /* nothing to do */
250 /* zap all constraints */
253 constraint_free( cn, 1 );
257 on->on_bi.bi_private = NULL;
261 /* zap constraint numbered 'valx' */
262 for(i=0, cp = cn, cpp = &cn;
264 i++, cpp = &cp->ap_next, cp = *cpp);
267 /* zap cp, and join cpp to cp->ap_next */
269 constraint_free( cp, 1 );
271 on->on_bi.bi_private = cn;
280 case SLAP_CONFIG_ADD:
283 case CONSTRAINT_ATTRIBUTE: {
285 char **attrs = ldap_str2charray( c->argv[1], "," );
287 for ( j = 0; attrs[j]; j++)
289 ap.ap = ch_calloc( sizeof(AttributeDescription*), j + 1 );
290 for ( j = 0; attrs[j]; j++) {
291 if ( slap_str2ad( attrs[j], &ap.ap[j], &text ) ) {
292 snprintf( c->cr_msg, sizeof( c->cr_msg ),
293 "%s <%s>: %s\n", c->argv[0], attrs[j], text );
299 if ( strcasecmp( c->argv[2], REGEX_STR ) == 0) {
302 ap.type = CONSTRAINT_REGEX;
303 ap.re = ch_malloc( sizeof(regex_t) );
304 if ((err = regcomp( ap.re,
305 c->argv[3], REG_EXTENDED )) != 0) {
308 regerror( err, ap.re, errmsg, sizeof(errmsg) );
310 snprintf( c->cr_msg, sizeof( c->cr_msg ),
311 "%s %s: Illegal regular expression \"%s\": Error %s",
312 c->argv[0], c->argv[1], c->argv[3], errmsg);
317 ber_str2bv( c->argv[3], 0, 1, &ap.val );
318 } else if ( strcasecmp( c->argv[2], SIZE_STR ) == 0 ) {
322 ap.type = CONSTRAINT_SIZE;
323 ap.size = strtoull(c->argv[3], &endptr, 10);
326 } else if ( strcasecmp( c->argv[2], COUNT_STR ) == 0 ) {
330 ap.type = CONSTRAINT_COUNT;
331 ap.count = strtoull(c->argv[3], &endptr, 10);
334 } else if ( strcasecmp( c->argv[2], URI_STR ) == 0 ) {
337 ap.type = CONSTRAINT_URI;
338 err = ldap_url_parse(c->argv[3], &ap.lud);
339 if ( err != LDAP_URL_SUCCESS ) {
340 snprintf( c->cr_msg, sizeof( c->cr_msg ),
341 "%s %s: Invalid URI \"%s\"",
342 c->argv[0], c->argv[1], c->argv[3]);
347 if (ap.lud->lud_host != NULL) {
348 snprintf( c->cr_msg, sizeof( c->cr_msg ),
349 "%s %s: unsupported hostname in URI \"%s\"",
350 c->argv[0], c->argv[1], c->argv[3]);
351 ldap_free_urldesc(ap.lud);
356 for ( i=0; ap.lud->lud_attrs[i]; i++);
357 /* FIXME: This is worthless without at least one attr */
359 ap.attrs = ch_malloc( (i+1)*sizeof(AttributeDescription *));
360 for ( i=0; ap.lud->lud_attrs[i]; i++) {
362 if ( slap_str2ad( ap.lud->lud_attrs[i], &ap.attrs[i], &text ) ) {
364 snprintf( c->cr_msg, sizeof( c->cr_msg ),
365 "%s <%s>: %s\n", c->argv[0], ap.lud->lud_attrs[i], text );
373 if (ap.lud->lud_dn == NULL) {
374 ap.lud->lud_dn = ch_strdup("");
376 struct berval dn, ndn;
378 ber_str2bv( ap.lud->lud_dn, 0, 0, &dn );
379 if (dnNormalize( 0, NULL, NULL, &dn, &ndn, NULL ) ) {
381 snprintf( c->cr_msg, sizeof( c->cr_msg ),
382 "%s %s: URI %s DN normalization failed",
383 c->argv[0], c->argv[1], c->argv[3] );
384 Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
385 "%s: %s\n", c->log, c->cr_msg, 0 );
389 ldap_memfree( ap.lud->lud_dn );
390 ap.lud->lud_dn = ndn.bv_val;
393 if (ap.lud->lud_filter == NULL) {
394 ap.lud->lud_filter = ch_strdup("objectClass=*");
395 } else if ( ap.lud->lud_filter[0] == '(' ) {
396 ber_len_t len = strlen( ap.lud->lud_filter );
397 if ( ap.lud->lud_filter[len - 1] != ')' ) {
398 snprintf( c->cr_msg, sizeof( c->cr_msg ),
399 "%s %s: invalid URI filter: %s",
400 c->argv[0], c->argv[1], ap.lud->lud_filter );
404 AC_MEMCPY( &ap.lud->lud_filter[0], &ap.lud->lud_filter[1], len - 2 );
405 ap.lud->lud_filter[len - 2] = '\0';
408 ber_str2bv( c->argv[3], 0, 1, &ap.val );
410 } else if ( strcasecmp( c->argv[2], SET_STR ) == 0 ) {
412 ber_str2bv( c->argv[3], 0, 1, &ap.val );
413 ap.type = CONSTRAINT_SET;
416 snprintf( c->cr_msg, sizeof( c->cr_msg ),
417 "%s %s: Unknown constraint type: %s",
418 c->argv[0], c->argv[1], c->argv[2] );
426 for ( argidx = 4; argidx < c->argc; argidx++ ) {
427 if ( strncasecmp( c->argv[argidx], "restrict=", STRLENOF("restrict=") ) == 0 ) {
429 char *arg = c->argv[argidx] + STRLENOF("restrict=");
431 err = ldap_url_parse(arg, &ap.restrict_lud);
432 if ( err != LDAP_URL_SUCCESS ) {
433 snprintf( c->cr_msg, sizeof( c->cr_msg ),
434 "%s %s: Invalid restrict URI \"%s\"",
435 c->argv[0], c->argv[1], arg);
440 if (ap.restrict_lud->lud_host != NULL) {
441 snprintf( c->cr_msg, sizeof( c->cr_msg ),
442 "%s %s: unsupported hostname in restrict URI \"%s\"",
443 c->argv[0], c->argv[1], arg);
448 if ( ap.restrict_lud->lud_attrs != NULL ) {
449 if ( ap.restrict_lud->lud_attrs[0] != '\0' ) {
450 snprintf( c->cr_msg, sizeof( c->cr_msg ),
451 "%s %s: attrs not allowed in restrict URI %s\n",
452 c->argv[0], c->argv[1], arg);
456 ldap_memvfree((void *)ap.restrict_lud->lud_attrs);
457 ap.restrict_lud->lud_attrs = NULL;
460 if (ap.restrict_lud->lud_dn != NULL) {
461 if (ap.restrict_lud->lud_dn[0] == '\0') {
462 ldap_memfree(ap.restrict_lud->lud_dn);
463 ap.restrict_lud->lud_dn = NULL;
466 struct berval dn, ndn;
469 ber_str2bv(ap.restrict_lud->lud_dn, 0, 0, &dn);
470 if (dnNormalize(0, NULL, NULL, &dn, &ndn, NULL)) {
472 snprintf( c->cr_msg, sizeof( c->cr_msg ),
473 "%s %s: restrict URI %s DN normalization failed",
474 c->argv[0], c->argv[1], arg );
479 assert(c->be != NULL);
480 if (c->be->be_nsuffix == NULL) {
481 snprintf( c->cr_msg, sizeof( c->cr_msg ),
482 "%s %s: restrict URI requires suffix",
483 c->argv[0], c->argv[1] );
488 for ( j = 0; !BER_BVISNULL(&c->be->be_nsuffix[j]); j++) {
489 if (dnIsSuffix(&ndn, &c->be->be_nsuffix[j])) break;
492 if (BER_BVISNULL(&c->be->be_nsuffix[j])) {
494 snprintf( c->cr_msg, sizeof( c->cr_msg ),
495 "%s %s: restrict URI DN %s not within database naming context(s)",
496 c->argv[0], c->argv[1], dn.bv_val );
501 ap.restrict_ndn = ndn;
505 if (ap.restrict_lud->lud_filter != NULL) {
506 ap.restrict_filter = str2filter(ap.restrict_lud->lud_filter);
507 if (ap.restrict_filter == NULL) {
509 snprintf( c->cr_msg, sizeof( c->cr_msg ),
510 "%s %s: restrict URI filter %s invalid",
511 c->argv[0], c->argv[1], ap.restrict_lud->lud_filter );
517 ber_str2bv(c->argv[argidx] + STRLENOF("restrict="), 0, 1, &ap.restrict_val);
521 snprintf( c->cr_msg, sizeof( c->cr_msg ),
522 "%s %s: unrecognized arg #%d (%s)",
523 c->argv[0], c->argv[1], argidx, c->argv[argidx] );
531 if ( rc == LDAP_SUCCESS ) {
532 constraint *a2 = ch_calloc( sizeof(constraint), 1 );
533 a2->ap_next = on->on_bi.bi_private;
541 a2->count = ap.count;
543 ber_str2bv(a2->lud->lud_dn, 0, 0, &a2->dn);
544 ber_str2bv(a2->lud->lud_filter, 0, 0, &a2->filter);
546 a2->attrs = ap.attrs;
547 a2->restrict_lud = ap.restrict_lud;
548 a2->restrict_ndn = ap.restrict_ndn;
549 a2->restrict_filter = ap.restrict_filter;
550 a2->restrict_val = ap.restrict_val;
551 on->on_bi.bi_private = a2;
554 Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
555 "%s: %s\n", c->log, c->cr_msg, 0 );
556 constraint_free( &ap, 0 );
559 ldap_memvfree((void**)attrs);
574 constraint_uri_cb( Operation *op, SlapReply *rs )
576 if(rs->sr_type == REP_SEARCH) {
577 int *foundp = op->o_callback->sc_private;
581 Debug(LDAP_DEBUG_TRACE, "==> constraint_uri_cb <%s>\n",
582 rs->sr_entry ? rs->sr_entry->e_name.bv_val : "UNKNOWN_DN", 0, 0);
588 constraint_violation( constraint *c, struct berval *bv, Operation *op )
590 if ((!c) || (!bv)) return LDAP_SUCCESS;
593 case CONSTRAINT_SIZE:
594 if (bv->bv_len > c->size)
595 return LDAP_CONSTRAINT_VIOLATION; /* size violation */
597 case CONSTRAINT_REGEX:
598 if (regexec(c->re, bv->bv_val, 0, NULL, 0) == REG_NOMATCH)
599 return LDAP_CONSTRAINT_VIOLATION; /* regular expression violation */
601 case CONSTRAINT_URI: {
603 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
604 slap_callback cb = { 0 };
609 struct berval filterstr;
612 cb.sc_response = constraint_uri_cb;
613 cb.sc_private = &found;
615 nop.o_protocol = LDAP_VERSION3;
616 nop.o_tag = LDAP_REQ_SEARCH;
617 nop.o_time = slap_get_time();
618 if (c->lud->lud_dn) {
621 ber_str2bv(c->lud->lud_dn, 0, 0, &dn);
624 nop.o_bd = select_backend(&nop.o_req_ndn, 1 );
626 return LDAP_NO_SUCH_OBJECT; /* unexpected error */
628 if (!nop.o_bd->be_search) {
629 return LDAP_OTHER; /* unexpected error */
632 nop.o_req_dn = nop.o_bd->be_nsuffix[0];
633 nop.o_req_ndn = nop.o_bd->be_nsuffix[0];
634 nop.o_bd = on->on_info->oi_origdb;
636 nop.o_do_not_cache = 1;
637 nop.o_callback = &cb;
639 nop.ors_scope = c->lud->lud_scope;
640 nop.ors_deref = LDAP_DEREF_NEVER;
641 nop.ors_slimit = SLAP_NO_LIMIT;
642 nop.ors_tlimit = SLAP_NO_LIMIT;
643 nop.ors_limit = NULL;
645 nop.ors_attrsonly = 0;
646 nop.ors_attrs = slap_anlist_no_attrs;
648 len = STRLENOF("(&(") +
652 for (i = 0; c->attrs[i]; i++) {
653 len += STRLENOF("(") +
654 c->attrs[i]->ad_cname.bv_len +
660 len += STRLENOF("))");
661 filterstr.bv_len = len;
662 filterstr.bv_val = op->o_tmpalloc(len + 1, op->o_tmpmemctx);
664 ptr = filterstr.bv_val +
665 snprintf(filterstr.bv_val, len, "(&(%s)(|", c->lud->lud_filter);
666 for (i = 0; c->attrs[i]; i++) {
668 ptr = lutil_strcopy( ptr, c->attrs[i]->ad_cname.bv_val );
670 ptr = lutil_strcopy( ptr, bv->bv_val );
677 nop.ors_filterstr = filterstr;
678 nop.ors_filter = str2filter_x(&nop, filterstr.bv_val);
679 if ( nop.ors_filter == NULL ) {
680 Debug( LDAP_DEBUG_ANY,
681 "%s constraint_violation uri filter=\"%s\" invalid\n",
682 op->o_log_prefix, filterstr.bv_val, 0 );
686 SlapReply nrs = { REP_RESULT };
688 Debug(LDAP_DEBUG_TRACE,
689 "==> constraint_violation uri filter = %s\n",
690 filterstr.bv_val, 0, 0);
692 rc = nop.o_bd->be_search( &nop, &nrs );
694 Debug(LDAP_DEBUG_TRACE,
695 "==> constraint_violation uri rc = %d, found = %d\n",
698 op->o_tmpfree(filterstr.bv_val, op->o_tmpmemctx);
700 if ((rc != LDAP_SUCCESS) && (rc != LDAP_NO_SUCH_OBJECT)) {
701 return rc; /* unexpected error */
705 return LDAP_CONSTRAINT_VIOLATION; /* constraint violation */
714 print_message( struct berval *errtext, AttributeDescription *a )
719 sz = errtext->bv_len + sizeof(" on ") + a->ad_cname.bv_len;
721 snprintf( ret, sz, "%s on %s", errtext->bv_val, a->ad_cname.bv_val );
726 constraint_count_attr(Entry *e, AttributeDescription *ad)
730 if ((a = attr_find(e->e_attrs, ad)) != NULL)
736 constraint_check_restrict( Operation *op, constraint *c, Entry *e )
738 assert( c->restrict_lud != NULL );
740 if ( c->restrict_lud->lud_dn != NULL ) {
741 int diff = e->e_nname.bv_len - c->restrict_ndn.bv_len;
747 if ( c->restrict_lud->lud_scope == LDAP_SCOPE_BASE ) {
748 return bvmatch( &e->e_nname, &c->restrict_ndn );
751 if ( !dnIsSuffix( &e->e_nname, &c->restrict_ndn ) ) {
755 if ( c->restrict_lud->lud_scope != LDAP_SCOPE_SUBTREE ) {
762 dnParent( &e->e_nname, &pdn );
764 if ( c->restrict_lud->lud_scope == LDAP_SCOPE_ONELEVEL
765 && pdn.bv_len != c->restrict_ndn.bv_len )
772 if ( c->restrict_filter != NULL ) {
774 struct berval save_dn = op->o_dn, save_ndn = op->o_ndn;
776 op->o_dn = op->o_bd->be_rootdn;
777 op->o_ndn = op->o_bd->be_rootndn;
778 rc = test_filter( op, e, c->restrict_filter );
780 op->o_ndn = save_ndn;
782 if ( rc != LDAP_COMPARE_TRUE ) {
791 constraint_add( Operation *op, SlapReply *rs )
793 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
795 constraint *c = on->on_bi.bi_private, *cp;
798 struct berval rsv = BER_BVC("add breaks constraint");
802 if (get_relax(op) || SLAPD_SYNC_IS_SYNCCONN( op->o_connid )) {
803 return SLAP_CB_CONTINUE;
806 if ((a = op->ora_e->e_attrs) == NULL) {
807 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
808 send_ldap_error(op, rs, LDAP_INVALID_SYNTAX,
809 "constraint_add: no attrs");
813 for(; a; a = a->a_next ) {
814 /* we don't constrain operational attributes */
815 if (is_at_operational(a->a_desc->ad_type)) continue;
817 for(cp = c; cp; cp = cp->ap_next) {
819 for (j = 0; cp->ap[j]; j++) {
820 if (cp->ap[j] == a->a_desc) break;
822 if (cp->ap[j] == NULL) continue;
823 if ((b = a->a_vals) == NULL) continue;
825 if (cp->restrict_lud != NULL && constraint_check_restrict(op, cp, op->ora_e) == 0) {
829 Debug(LDAP_DEBUG_TRACE,
830 "==> constraint_add, "
831 "a->a_numvals = %u, cp->count = %lu\n",
832 a->a_numvals, (unsigned long) cp->count, 0);
835 case CONSTRAINT_COUNT:
836 if (a->a_numvals > cp->count)
837 rc = LDAP_CONSTRAINT_VIOLATION;
840 if (acl_match_set(&cp->val, op, op->ora_e, NULL) == 0)
841 rc = LDAP_CONSTRAINT_VIOLATION;
844 for ( i = 0; b[i].bv_val; i++ ) {
845 rc = constraint_violation( cp, &b[i], op );
857 /* Default is to just fall through to the normal processing */
858 return SLAP_CB_CONTINUE;
861 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
862 if (rc == LDAP_CONSTRAINT_VIOLATION ) {
863 msg = print_message( &rsv, a->a_desc );
865 send_ldap_error(op, rs, rc, msg );
872 constraint_check_count_violation( Modifications *m, Entry *target_entry, constraint *cp )
879 for ( j = 0; cp->ap[j]; j++ ) {
880 /* Get this attribute count */
882 ce = constraint_count_attr( target_entry, cp->ap[j] );
884 for( ; m; m = m->sml_next ) {
885 if ( cp->ap[j] == m->sml_desc ) {
887 switch ( m->sml_op ) {
888 case LDAP_MOD_DELETE:
889 case SLAP_MOD_SOFTDEL:
890 if ( !ca || ca > ce ) {
893 /* No need to check for values' validity. Invalid values
894 * cause the whole transaction to die anyway. */
900 case SLAP_MOD_SOFTADD:
904 case LDAP_MOD_REPLACE:
910 case handle SLAP_MOD_ADD_IF_NOT_PRESENT:
914 /* impossible! assert? */
918 Debug(LDAP_DEBUG_TRACE,
919 "==> constraint_check_count_violation ce = %u, "
920 "ca = %u, cp->count = %lu\n",
921 ce, ca, (unsigned long) cp->count);
926 return ( ce > cp->count );
930 constraint_update( Operation *op, SlapReply *rs )
932 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
933 Backend *be = op->o_bd;
934 constraint *c = on->on_bi.bi_private, *cp;
935 Entry *target_entry = NULL, *target_entry_copy = NULL;
936 Modifications *modlist, *m;
939 struct berval rsv = BER_BVC("modify breaks constraint");
944 if (get_relax(op) || SLAPD_SYNC_IS_SYNCCONN( op->o_connid )) {
945 return SLAP_CB_CONTINUE;
948 switch ( op->o_tag ) {
949 case LDAP_REQ_MODIFY:
950 modlist = op->orm_modlist;
953 case LDAP_REQ_MODRDN:
954 modlist = op->orr_modlist;
958 /* impossible! assert? */
962 Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE, "constraint_update()\n", 0,0,0);
963 if ((m = modlist) == NULL) {
964 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
965 send_ldap_error(op, rs, LDAP_INVALID_SYNTAX,
966 "constraint_update() got null modlist");
970 op->o_bd = on->on_info->oi_origdb;
971 rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &target_entry );
974 /* let the backend send the error */
975 if ( target_entry == NULL )
976 return SLAP_CB_CONTINUE;
978 /* Do we need to count attributes? */
979 for(cp = c; cp; cp = cp->ap_next) {
980 if (cp->type == CONSTRAINT_COUNT) {
981 if (cp->restrict_lud && constraint_check_restrict(op, cp, target_entry) == 0) {
985 is_v = constraint_check_count_violation(m, target_entry, cp);
987 Debug(LDAP_DEBUG_TRACE,
988 "==> constraint_update is_v: %d\n", is_v, 0, 0);
991 rc = LDAP_CONSTRAINT_VIOLATION;
997 rc = LDAP_CONSTRAINT_VIOLATION;
998 for(;m; m = m->sml_next) {
1001 if (is_at_operational( m->sml_desc->ad_type )) continue;
1003 if ((( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_ADD) &&
1004 (( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_REPLACE) &&
1005 (( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_DELETE))
1007 /* we only care about ADD and REPLACE modifications */
1008 /* and DELETE are used to track attribute count */
1009 if ((( b = m->sml_values ) == NULL ) || (b[0].bv_val == NULL))
1012 for(cp = c; cp; cp = cp->ap_next) {
1014 for (j = 0; cp->ap[j]; j++) {
1015 if (cp->ap[j] == m->sml_desc) {
1019 if (cp->ap[j] == NULL) continue;
1021 if (cp->restrict_lud != NULL && constraint_check_restrict(op, cp, target_entry) == 0) {
1025 /* DELETE are to be ignored beyond this point */
1026 if (( m->sml_op & LDAP_MOD_OP ) == LDAP_MOD_DELETE)
1029 for ( i = 0; b[i].bv_val; i++ ) {
1030 rc = constraint_violation( cp, &b[i], op );
1036 if (cp->type == CONSTRAINT_SET && target_entry) {
1037 if (target_entry_copy == NULL) {
1040 target_entry_copy = entry_dup(target_entry);
1042 /* if rename, set the new entry's name
1043 * (in normalized form only) */
1044 if ( op->o_tag == LDAP_REQ_MODRDN ) {
1045 struct berval pdn, ndn = BER_BVNULL;
1047 if ( op->orr_nnewSup ) {
1048 pdn = *op->orr_nnewSup;
1051 dnParent( &target_entry_copy->e_nname, &pdn );
1054 build_new_dn( &ndn, &pdn, &op->orr_nnewrdn, NULL );
1056 ber_memfree( target_entry_copy->e_nname.bv_val );
1057 target_entry_copy->e_nname = ndn;
1058 ber_bvreplace( &target_entry_copy->e_name, &ndn );
1061 /* apply modifications, in an attempt
1062 * to estimate what the entry would
1063 * look like in case all modifications
1065 for ( ml = modlist; ml; ml = ml->sml_next ) {
1066 Modification *mod = &ml->sml_mod;
1068 char textbuf[SLAP_TEXT_BUFLEN];
1069 size_t textlen = sizeof(textbuf);
1072 switch ( mod->sm_op ) {
1074 err = modify_add_values( target_entry_copy,
1075 mod, get_permissiveModify(op),
1076 &text, textbuf, textlen );
1079 case LDAP_MOD_DELETE:
1080 err = modify_delete_values( target_entry_copy,
1081 mod, get_permissiveModify(op),
1082 &text, textbuf, textlen );
1085 case LDAP_MOD_REPLACE:
1086 err = modify_replace_values( target_entry_copy,
1087 mod, get_permissiveModify(op),
1088 &text, textbuf, textlen );
1091 case LDAP_MOD_INCREMENT:
1092 err = modify_increment_values( target_entry_copy,
1093 mod, get_permissiveModify(op),
1094 &text, textbuf, textlen );
1097 case SLAP_MOD_SOFTADD:
1098 mod->sm_op = LDAP_MOD_ADD;
1099 err = modify_add_values( target_entry_copy,
1100 mod, get_permissiveModify(op),
1101 &text, textbuf, textlen );
1102 mod->sm_op = SLAP_MOD_SOFTADD;
1103 if ( err == LDAP_TYPE_OR_VALUE_EXISTS ) {
1108 case SLAP_MOD_SOFTDEL:
1109 mod->sm_op = LDAP_MOD_ADD;
1110 err = modify_delete_values( target_entry_copy,
1111 mod, get_permissiveModify(op),
1112 &text, textbuf, textlen );
1113 mod->sm_op = SLAP_MOD_SOFTDEL;
1114 if ( err == LDAP_NO_SUCH_ATTRIBUTE ) {
1119 case SLAP_MOD_ADD_IF_NOT_PRESENT:
1120 if ( attr_find( target_entry_copy->e_attrs, mod->sm_desc ) ) {
1124 mod->sm_op = LDAP_MOD_ADD;
1125 err = modify_add_values( target_entry_copy,
1126 mod, get_permissiveModify(op),
1127 &text, textbuf, textlen );
1128 mod->sm_op = SLAP_MOD_ADD_IF_NOT_PRESENT;
1136 if ( err != LDAP_SUCCESS ) {
1143 if ( acl_match_set(&cp->val, op, target_entry_copy, NULL) == 0) {
1144 rc = LDAP_CONSTRAINT_VIOLATION;
1152 op->o_bd = on->on_info->oi_origdb;
1153 be_entry_release_r(op, target_entry);
1157 if (target_entry_copy) {
1158 entry_free(target_entry_copy);
1161 return SLAP_CB_CONTINUE;
1166 op->o_bd = on->on_info->oi_origdb;
1167 be_entry_release_r(op, target_entry);
1171 if (target_entry_copy) {
1172 entry_free(target_entry_copy);
1175 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
1176 if ( rc == LDAP_CONSTRAINT_VIOLATION ) {
1177 msg = print_message( &rsv, m->sml_desc );
1179 send_ldap_error( op, rs, LDAP_CONSTRAINT_VIOLATION, msg );
1181 return (rs->sr_err);
1189 slap_overinst *on = (slap_overinst *) be->bd_info;
1190 constraint *ap, *a2;
1192 for ( ap = on->on_bi.bi_private; ap; ap = a2 ) {
1194 constraint_free( ap, 1 );
1200 static slap_overinst constraint_ovl;
1202 #if SLAPD_OVER_CONSTRAINT == SLAPD_MOD_DYNAMIC
1206 constraint_initialize( void ) {
1209 constraint_ovl.on_bi.bi_type = "constraint";
1210 constraint_ovl.on_bi.bi_db_destroy = constraint_destroy;
1211 constraint_ovl.on_bi.bi_op_add = constraint_add;
1212 constraint_ovl.on_bi.bi_op_modify = constraint_update;
1213 constraint_ovl.on_bi.bi_op_modrdn = constraint_update;
1215 constraint_ovl.on_bi.bi_private = NULL;
1217 constraint_ovl.on_bi.bi_cf_ocs = constraintocs;
1218 rc = config_register_schema( constraintcfg, constraintocs );
1221 return overlay_register( &constraint_ovl );
1224 #if SLAPD_OVER_CONSTRAINT == SLAPD_MOD_DYNAMIC
1225 int init_module(int argc, char *argv[]) {
1226 return constraint_initialize();
1230 #endif /* defined(SLAPD_OVER_CONSTRAINT) */