2 /* constraint.c - Overlay to constrain attributes to certain values */
4 * Copyright 2003-2004 Hewlett-Packard Company
5 * Copyright 2007 Emmanuel Dreyfus
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
17 * Authors: Neil Dunbar <neil.dunbar@hp.com>
18 * Emmannuel Dreyfus <manu@netbsd.org>
22 #ifdef SLAPD_OVER_CONSTRAINT
26 #include <ac/string.h>
27 #include <ac/socket.h>
35 * This overlay limits the values which can be placed into an
36 * attribute, over and above the limits placed by the schema.
38 * It traps only LDAP adds and modify commands (and only seeks to
39 * control the add and modify value mods of a modify)
42 #define REGEX_STR "regex"
46 * Linked list of attribute constraints which we should enforce.
47 * This is probably a sub optimal structure - some form of sorted
48 * array would be better if the number of attributes contrained is
49 * likely to be much bigger than 4 or 5. We stick with a list for
53 typedef struct constraint {
54 struct constraint *ap_next;
55 AttributeDescription *ap;
58 AttributeDescription **attrs;
59 struct berval val; /* constraint value */
65 CONSTRAINT_ATTRIBUTE = 1
68 static ConfigDriver constraint_cf_gen;
70 static ConfigTable constraintcfg[] = {
71 { "constraint_attribute", "attribute> (regex|uri) <value",
72 4, 4, 0, ARG_MAGIC | CONSTRAINT_ATTRIBUTE, constraint_cf_gen,
73 "( OLcfgOvAt:13.1 NAME 'olcConstraintAttribute' "
74 "DESC 'regular expression constraint for attribute' "
75 "EQUALITY caseIgnoreMatch "
76 "SYNTAX OMsDirectoryString )", NULL, NULL },
77 { NULL, NULL, 0, 0, 0, ARG_IGNORED }
80 static ConfigOCs constraintocs[] = {
82 "NAME 'olcConstraintConfig' "
83 "DESC 'Constraint overlay configuration' "
84 "SUP olcOverlayConfig "
85 "MAY ( olcConstraintAttribute ) )",
86 Cft_Overlay, constraintcfg },
91 constraint_free( constraint *cp )
97 if (!BER_BVISNULL(&cp->val))
98 ch_free(cp->val.bv_val);
100 ldap_free_urldesc(cp->lud);
107 constraint_cf_gen( ConfigArgs *c )
109 slap_overinst *on = (slap_overinst *)(c->bi);
110 constraint *cn = on->on_bi.bi_private, *cp;
113 constraint ap = { NULL, NULL, NULL }, *a2 = NULL;
114 const char *text = NULL;
117 case SLAP_CONFIG_EMIT:
119 case CONSTRAINT_ATTRIBUTE:
120 for (cp=cn; cp; cp=cp->ap_next) {
125 len = cp->ap->ad_cname.bv_len + 3;
127 len += STRLENOF(REGEX_STR);
129 } else if (cp->lud) {
130 len += STRLENOF(URI_STR);
133 len += cp->val.bv_len;
137 bv.bv_len = snprintf(s, len, "%s %s %s", cp->ap->ad_cname.bv_val,
138 tstr, cp->val.bv_val);
140 rc = value_add_one( &c->rvalue_vals, &bv );
142 rc = value_add_one( &c->rvalue_nvals, &bv );
152 case LDAP_MOD_DELETE:
154 case CONSTRAINT_ATTRIBUTE:
155 if (!cn) break; /* nothing to do */
158 /* zap all constraints */
161 constraint_free( cn );
165 on->on_bi.bi_private = NULL;
169 /* zap constraint numbered 'valx' */
170 for(i=0, cp = cn, cpp = &cn;
172 i++, cpp = &cp->ap_next, cp = *cpp);
175 /* zap cp, and join cpp to cp->ap_next */
177 constraint_free( cp );
179 on->on_bi.bi_private = cn;
188 case SLAP_CONFIG_ADD:
191 case CONSTRAINT_ATTRIBUTE:
192 if ( slap_str2ad( c->argv[1], &ap.ap, &text ) ) {
193 snprintf( c->cr_msg, sizeof( c->cr_msg ),
194 "%s <%s>: %s\n", c->argv[0], c->argv[1], text );
195 Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
196 "%s: %s\n", c->log, c->cr_msg, 0 );
197 return( ARG_BAD_CONF );
200 if ( strcasecmp( c->argv[2], REGEX_STR ) == 0) {
203 ap.re = ch_malloc( sizeof(regex_t) );
204 if ((err = regcomp( ap.re,
205 c->argv[3], REG_EXTENDED )) != 0) {
208 regerror( err, ap.re, errmsg, sizeof(errmsg) );
210 snprintf( c->cr_msg, sizeof( c->cr_msg ),
211 "%s %s: Illegal regular expression \"%s\": Error %s",
212 c->argv[0], c->argv[1], c->argv[3], errmsg);
213 Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
214 "%s: %s\n", c->log, c->cr_msg, 0 );
216 return( ARG_BAD_CONF );
218 ber_str2bv( c->argv[3], 0, 1, &ap.val );
219 } else if ( strcasecmp( c->argv[2], URI_STR ) == 0) {
222 err = ldap_url_parse(c->argv[3], &ap.lud);
223 if ( err != LDAP_URL_SUCCESS ) {
224 snprintf( c->cr_msg, sizeof( c->cr_msg ),
225 "%s %s: Invalid URI \"%s\"",
226 c->argv[0], c->argv[1], c->argv[3]);
227 Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
228 "%s: %s\n", c->log, c->cr_msg, 0 );
229 return( ARG_BAD_CONF );
232 if (ap.lud->lud_host != NULL) {
233 snprintf( c->cr_msg, sizeof( c->cr_msg ),
234 "%s %s: unsupported hostname in URI \"%s\"",
235 c->argv[0], c->argv[1], c->argv[3]);
236 Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
237 "%s: %s\n", c->log, c->cr_msg, 0 );
239 ldap_free_urldesc(ap.lud);
241 return( ARG_BAD_CONF );
244 for ( i=0; ap.lud->lud_attrs[i]; i++);
245 /* FIXME: This is worthless without at least one attr */
247 ap.attrs = ch_malloc( (i+1)*sizeof(AttributeDescription *));
248 for ( i=0; ap.lud->lud_attrs[i]; i++) {
250 if ( slap_str2ad( ap.lud->lud_attrs[i], &ap.attrs[i], &text ) ) {
252 snprintf( c->cr_msg, sizeof( c->cr_msg ),
253 "%s <%s>: %s\n", c->argv[0], ap.lud->lud_attrs[i], text );
254 Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
255 "%s: %s\n", c->log, c->cr_msg, 0 );
256 return( ARG_BAD_CONF );
262 if (ap.lud->lud_dn == NULL)
263 ap.lud->lud_dn = ch_strdup("");
265 if (ap.lud->lud_filter == NULL)
266 ap.lud->lud_filter = ch_strdup("objectClass=*");
268 ber_str2bv( c->argv[3], 0, 1, &ap.val );
270 snprintf( c->cr_msg, sizeof( c->cr_msg ),
271 "%s %s: Unknown constraint type: %s",
272 c->argv[0], c->argv[1], c->argv[2] );
273 Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
274 "%s: %s\n", c->log, c->cr_msg, 0 );
275 return ( ARG_BAD_CONF );
278 a2 = ch_calloc( sizeof(constraint), 1 );
279 a2->ap_next = on->on_bi.bi_private;
285 ber_str2bv(a2->lud->lud_dn, 0, 0, &a2->dn);
286 ber_str2bv(a2->lud->lud_filter, 0, 0, &a2->filter);
288 a2->attrs = ap.attrs;
289 on->on_bi.bi_private = a2;
304 constraint_uri_cb( Operation *op, SlapReply *rs )
306 if(rs->sr_type == REP_SEARCH) {
307 int *foundp = op->o_callback->sc_private;
311 Debug(LDAP_DEBUG_TRACE, "==> constraint_uri_cb <%s>\n",
312 rs->sr_entry ? rs->sr_entry->e_name.bv_val : "UNKNOWN_DN", 0, 0);
318 constraint_violation( constraint *c, struct berval *bv, Operation *op, SlapReply *rs)
320 if ((!c) || (!bv)) return 0;
323 (regexec(c->re, bv->bv_val, 0, NULL, 0) == REG_NOMATCH))
324 return 1; /* regular expression violation */
328 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
330 SlapReply nrs = { REP_RESULT };
335 struct berval filterstr;
344 cb.sc_response = constraint_uri_cb;
345 cb.sc_cleanup = NULL;
346 cb.sc_private = &found;
348 nop.o_protocol = LDAP_VERSION3;
349 nop.o_tag = LDAP_REQ_SEARCH;
350 nop.o_time = slap_get_time();
351 if (c->lud->lud_dn) {
354 ber_str2bv(c->lud->lud_dn, 0, 0, &dn);
357 nop.o_bd = select_backend(&nop.o_req_ndn, 1 );
358 if (!nop.o_bd || !nop.o_bd->be_search) {
359 return 1; /* unexpected error */
362 nop.o_req_dn = nop.o_bd->be_nsuffix[0];
363 nop.o_req_ndn = nop.o_bd->be_nsuffix[0];
364 nop.o_bd = on->on_info->oi_origdb;
366 nop.o_do_not_cache = 1;
367 nop.o_callback = &cb;
369 nop.ors_scope = c->lud->lud_scope;
370 nop.ors_deref = LDAP_DEREF_NEVER;
371 nop.ors_slimit = SLAP_NO_LIMIT;
372 nop.ors_tlimit = SLAP_NO_LIMIT;
373 nop.ors_limit = NULL;
375 nop.ors_attrsonly = 0;
376 nop.ors_attrs = slap_anlist_no_attrs;
378 len = STRLENOF("(&(") +
382 for (i = 0; c->attrs[i]; i++) {
383 len += STRLENOF("(") +
384 c->attrs[i]->ad_cname.bv_len +
390 len += STRLENOF("))");
391 filterstr.bv_len = len;
392 filterstr.bv_val = op->o_tmpalloc(len + 1, op->o_tmpmemctx);
394 ptr = filterstr.bv_val +
395 snprintf(filterstr.bv_val, len, "(&(%s)(|", c->lud->lud_filter);
396 for (i = 0; c->attrs[i]; i++) {
398 ptr = lutil_strcopy( ptr, c->attrs[i]->ad_cname.bv_val );
400 ptr = lutil_strcopy( ptr, bv->bv_val );
406 Debug(LDAP_DEBUG_TRACE,
407 "==> constraint_violation uri filter = %s\n",
408 filterstr.bv_val, 0, 0);
410 nop.ors_filterstr = filterstr;
411 nop.ors_filter = str2filter_x(&nop, filterstr.bv_val);
413 rc = nop.o_bd->be_search( &nop, &nrs );
415 op->o_tmpfree(filterstr.bv_val, op->o_tmpmemctx);
416 Debug(LDAP_DEBUG_TRACE,
417 "==> constraint_violation uri rc = %d, found = %d\n",
420 if((rc != LDAP_SUCCESS) && (rc != LDAP_NO_SUCH_OBJECT)) {
421 send_ldap_error(op, rs, rc,
422 "constraint_violation uri search failed");
423 return 1; /* unexpected error */
427 return 1; /* constraint violation */
435 print_message( struct berval *errtext, AttributeDescription *a )
440 sz = errtext->bv_len + sizeof(" on ") + a->ad_cname.bv_len;
442 snprintf( ret, sz, "%s on %s", errtext->bv_val, a->ad_cname.bv_val );
447 constraint_add( Operation *op, SlapReply *rs )
449 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
451 constraint *c = on->on_bi.bi_private, *cp;
454 struct berval rsv = BER_BVC("add breaks constraint");
457 if ((a = op->ora_e->e_attrs) == NULL) {
458 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
459 send_ldap_error(op, rs, LDAP_INVALID_SYNTAX,
460 "constraint_add() got null op.ora_e.e_attrs");
464 for(; a; a = a->a_next ) {
465 /* we don't constrain operational attributes */
466 if (is_at_operational(a->a_desc->ad_type)) continue;
468 for(cp = c; cp; cp = cp->ap_next) {
469 if (cp->ap != a->a_desc) continue;
470 if ((b = a->a_vals) == NULL) continue;
472 for(i=0; b[i].bv_val; i++) {
473 int cv = constraint_violation( cp, &b[i], op, rs);
477 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
478 msg = print_message( &rsv, a->a_desc );
479 send_ldap_error(op, rs, LDAP_CONSTRAINT_VIOLATION, msg );
486 /* Default is to just fall through to the normal processing */
487 return SLAP_CB_CONTINUE;
491 constraint_modify( Operation *op, SlapReply *rs )
493 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
494 constraint *c = on->on_bi.bi_private, *cp;
498 struct berval rsv = BER_BVC("modify breaks constraint");
501 if ((m = op->orm_modlist) == NULL) {
502 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
503 send_ldap_error(op, rs, LDAP_INVALID_SYNTAX,
504 "constraint_modify() got null orm_modlist");
508 for(;m; m = m->sml_next) {
509 if (is_at_operational( m->sml_desc->ad_type )) continue;
510 if ((( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_ADD) &&
511 (( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_REPLACE))
513 /* we only care about ADD and REPLACE modifications */
514 if ((( b = m->sml_values ) == NULL ) || (b[0].bv_val == NULL))
517 for(cp = c; cp; cp = cp->ap_next) {
518 if (cp->ap != m->sml_desc) continue;
520 for(i=0; b[i].bv_val; i++) {
521 int cv = constraint_violation( cp, &b[i], op, rs);
525 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
526 msg = print_message( &rsv, m->sml_desc );
527 send_ldap_error(op, rs, LDAP_CONSTRAINT_VIOLATION, msg );
535 return SLAP_CB_CONTINUE;
543 slap_overinst *on = (slap_overinst *) be->bd_info;
546 for ( ap = on->on_bi.bi_private; ap; ap = a2 ) {
548 constraint_free( ap );
554 static slap_overinst constraint_ovl;
556 #if SLAPD_OVER_CONSTRAINT == SLAPD_MOD_DYNAMIC
560 constraint_initialize( void ) {
563 constraint_ovl.on_bi.bi_type = "constraint";
564 constraint_ovl.on_bi.bi_db_close = constraint_close;
565 constraint_ovl.on_bi.bi_op_add = constraint_add;
566 constraint_ovl.on_bi.bi_op_modify = constraint_modify;
568 constraint_ovl.on_bi.bi_private = NULL;
570 constraint_ovl.on_bi.bi_cf_ocs = constraintocs;
571 rc = config_register_schema( constraintcfg, constraintocs );
574 return overlay_register( &constraint_ovl );
577 #if SLAPD_OVER_CONSTRAINT == SLAPD_MOD_DYNAMIC
578 int init_module(int argc, char *argv[]) {
579 return constraint_initialize();
583 #endif /* defined(SLAPD_OVER_CONSTRAINT) */