1 /* constraint.c - Overlay to constrain attributes to certain values */
4 * Copyright 2003-2004 Hewlett-Packard Company
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted only as authorized by the OpenLDAP
11 * A copy of this license is available in the file LICENSE in the
12 * top-level directory of the distribution or, alternatively, at
13 * <http://www.OpenLDAP.org/license.html>.
16 * Author: Neil Dunbar <neil.dunbar@hp.com>
20 #ifdef SLAPD_OVER_CONSTRAINT
24 #include <ac/string.h>
25 #include <ac/socket.h>
32 * This overlay limits the values which can be placed into an
33 * attribute, over and above the limits placed by the schema.
35 * It traps only LDAP adds and modify commands (and only seeks to
36 * control the add and modify value mods of a modify)
39 #define REGEX_STR "regex"
42 * Linked list of attribute constraints which we should enforce.
43 * This is probably a sub optimal structure - some form of sorted
44 * array would be better if the number of attributes contrained is
45 * likely to be much bigger than 4 or 5. We stick with a list for
49 typedef struct constraint {
50 struct constraint *ap_next;
51 AttributeDescription *ap;
53 char *re_str; /* string representation of regex */
57 CONSTRAINT_ATTRIBUTE = 1
60 static ConfigDriver constraint_cf_gen;
62 static ConfigTable constraintcfg[] = {
63 { "constraint_attribute", "attribute regex <regular expression>",
64 4, 4, 0, ARG_MAGIC | CONSTRAINT_ATTRIBUTE, constraint_cf_gen,
65 "( OLcfgOvAt:13.1 NAME 'olcConstraintAttribute' "
66 "DESC 'regular expression constraint for attribute' "
67 "SYNTAX OMsDirectoryString )", NULL, NULL },
68 { NULL, NULL, 0, 0, 0, ARG_IGNORED }
71 static ConfigOCs constraintocs[] = {
73 "NAME 'olcConstraintConfig' "
74 "DESC 'Constraint overlay configuration' "
75 "SUP olcOverlayConfig "
76 "MAY ( olcConstraintAttribute ) )",
77 Cft_Overlay, constraintcfg },
82 constraint_cf_gen( ConfigArgs *c )
84 slap_overinst *on = (slap_overinst *)(c->bi);
85 constraint *cn = on->on_bi.bi_private, *cp;
88 constraint ap = { NULL, NULL, NULL }, *a2 = NULL;
90 const char *text = NULL;
93 case SLAP_CONFIG_EMIT:
95 case CONSTRAINT_ATTRIBUTE:
96 for (cp=cn; cp; cp=cp->ap_next) {
100 len = cp->ap->ad_cname.bv_len +
101 strlen( REGEX_STR ) + strlen( cp->re_str) + 3;
104 snprintf(s, len, "%s %s %s", cp->ap->ad_cname.bv_val,
105 REGEX_STR, cp->re_str);
107 bv.bv_len = strlen(s);
108 rc = value_add_one( &c->rvalue_vals, &bv );
110 rc = value_add_one( &c->rvalue_nvals, &bv );
120 case LDAP_MOD_DELETE:
122 case CONSTRAINT_ATTRIBUTE:
123 if (!cn) break; /* nothing to do */
126 /* zap all constraints */
133 if (cn->re_str) ch_free(cn->re_str);
138 on->on_bi.bi_private = NULL;
142 /* zap constraint numbered 'valx' */
143 for(i=0, cp = cn, cpp = &cn;
145 i++, cpp = &cp->ap_next, cp = *cpp);
148 /* zap cp, and join cpp to cp->ap_next */
154 if (cp->re_str) ch_free(cp->re_str);
157 on->on_bi.bi_private = cn;
166 case SLAP_CONFIG_ADD:
169 case CONSTRAINT_ATTRIBUTE:
170 if ( slap_str2ad( c->argv[1], &ap.ap, &text ) ) {
171 Debug( LDAP_DEBUG_CONFIG,
172 "constraint_add: <%s>: attribute description unknown %s.\n",
173 c->argv[1], text, 0 );
174 return( ARG_BAD_CONF );
177 if ( strcasecmp( c->argv[2], "regex" ) == 0) {
180 ap.re = ch_malloc( sizeof(regex_t) );
181 if ((err = regcomp( ap.re,
182 c->argv[3], REG_EXTENDED )) != 0) {
185 regerror( err, ap.re, errmsg, sizeof(errmsg) );
187 Debug( LDAP_DEBUG_CONFIG,
188 "%s: Illegal regular expression \"%s\": Error %s\n",
189 c->argv[1], c->argv[3], errmsg);
191 return( ARG_BAD_CONF );
193 ap.re_str = ch_strdup( c->argv[3] );
195 Debug( LDAP_DEBUG_CONFIG,
196 "%s: Unknown constraint type: %s\n",
197 c->argv[1], c->argv[2], 0 );
198 return ( ARG_BAD_CONF );
202 a2 = ch_malloc( sizeof(constraint) );
203 a2->ap_next = on->on_bi.bi_private;
206 a2->re_str = ap.re_str;
207 on->on_bi.bi_private = a2;
222 constraint_violation( constraint *c, struct berval *bv )
224 if ((!c) || (!bv)) return 0;
227 (regexec(c->re, bv->bv_val, 0, NULL, 0) == REG_NOMATCH))
229 return 1; /* regular expression violation */
235 print_message( const char *fmt, AttributeDescription *a )
240 sz = strlen(fmt) + a->ad_cname.bv_len + 1;
242 snprintf( ret, sz, fmt, a->ad_cname.bv_val );
247 constraint_add( Operation *op, SlapReply *rs )
249 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
251 constraint *c = on->on_bi.bi_private, *cp;
254 const char *rsv = "add breaks regular expression constraint on %s";
257 if ((a = op->ora_e->e_attrs) == NULL) {
258 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
259 send_ldap_error(op, rs, LDAP_INVALID_SYNTAX,
260 "constraint_add() got null op.ora_e.e_attrs");
264 for(; a; a = a->a_next ) {
265 /* we don't constrain operational attributes */
267 if (is_at_operational(a->a_desc->ad_type)) continue;
269 for(cp = c; cp; cp = cp->ap_next) {
270 if (cp->ap != a->a_desc) continue;
271 if ((b = a->a_vals) == NULL) continue;
273 for(i=0; b[i].bv_val; i++) {
274 int cv = constraint_violation( cp, &b[i]);
277 /* regex violation */
278 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
279 msg = print_message( rsv, a->a_desc );
280 send_ldap_error(op, rs, LDAP_CONSTRAINT_VIOLATION, msg );
287 /* Default is to just fall through to the normal processing */
288 return SLAP_CB_CONTINUE;
292 constraint_modify( Operation *op, SlapReply *rs )
294 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
295 constraint *c = on->on_bi.bi_private, *cp;
299 const char *rsv = "modify breaks regular expression constraint on %s";
302 if ((m = op->orm_modlist) == NULL) {
303 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
304 send_ldap_error(op, rs, LDAP_INVALID_SYNTAX,
305 "constraint_modify() got null orm_modlist");
309 for(;m; m = m->sml_next) {
310 if (is_at_operational( m->sml_desc->ad_type )) continue;
311 if ((( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_ADD) &&
312 (( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_REPLACE))
314 /* we only care about ADD and REPLACE modifications */
315 if ((( b = m->sml_values ) == NULL ) || (b[0].bv_val == NULL))
318 for(cp = c; cp; cp = cp->ap_next) {
319 if (cp->ap != m->sml_desc) continue;
321 for(i=0; b[i].bv_val; i++) {
322 int cv = constraint_violation( cp, &b[i]);
325 /* regex violation */
326 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
327 msg = print_message( rsv, m->sml_desc );
328 send_ldap_error(op, rs, LDAP_CONSTRAINT_VIOLATION, msg );
336 return SLAP_CB_CONTINUE;
344 slap_overinst *on = (slap_overinst *) be->bd_info;
347 for ( ap = on->on_bi.bi_private; ap; ap = a2 ) {
349 if (ap->re_str) ch_free(ap->re_str);
361 static slap_overinst constraint_ovl;
363 /* This overlay is set up for dynamic loading via moduleload. For static
364 * configuration, you'll need to arrange for the slap_overinst to be
365 * initialized and registered by some other function inside slapd.
368 #if SLAPD_OVER_CONSTRAINT == SLAPD_MOD_DYNAMIC
372 constraint_initialize( void ) {
375 constraint_ovl.on_bi.bi_type = "constraint";
376 constraint_ovl.on_bi.bi_db_close = constraint_close;
377 constraint_ovl.on_bi.bi_op_add = constraint_add;
378 constraint_ovl.on_bi.bi_op_modify = constraint_modify;
380 constraint_ovl.on_bi.bi_private = NULL;
382 constraint_ovl.on_bi.bi_cf_ocs = constraintocs;
383 rc = config_register_schema( constraintcfg, constraintocs );
386 return overlay_register( &constraint_ovl );
389 #if SLAPD_OVER_CONSTRAINT == SLAPD_MOD_DYNAMIC
390 int init_module(int argc, char *argv[]) {
391 return constraint_initialize();
395 #endif /* defined(SLAPD_OVER_CONSTRAINT) */