2 /* constraint.c - Overlay to constrain attributes to certain values */
4 * Copyright 2003-2004 Hewlett-Packard Company
5 * Copyright 2007 Emmanuel Dreyfus
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
17 * Authors: Neil Dunbar <neil.dunbar@hp.com>
18 * Emmannuel Dreyfus <manu@netbsd.org>
22 #ifdef SLAPD_OVER_CONSTRAINT
26 #include <ac/string.h>
27 #include <ac/socket.h>
35 * This overlay limits the values which can be placed into an
36 * attribute, over and above the limits placed by the schema.
38 * It traps only LDAP adds and modify commands (and only seeks to
39 * control the add and modify value mods of a modify)
42 #define REGEX_STR "regex"
45 #define SIZE_STR "size"
46 #define COUNT_STR "count"
49 * Linked list of attribute constraints which we should enforce.
50 * This is probably a sub optimal structure - some form of sorted
51 * array would be better if the number of attributes contrained is
52 * likely to be much bigger than 4 or 5. We stick with a list for
56 typedef struct constraint {
57 struct constraint *ap_next;
58 AttributeDescription **ap;
60 LDAPURLDesc *restrict_lud;
61 struct berval restrict_ndn;
62 Filter *restrict_filter;
63 struct berval restrict_val;
70 AttributeDescription **attrs;
71 struct berval val; /* constraint value */
77 CONSTRAINT_ATTRIBUTE = 1
80 static ConfigDriver constraint_cf_gen;
82 static ConfigTable constraintcfg[] = {
83 { "constraint_attribute", "attribute[list]> (regex|uri|set|size|count) <value> [<restrict URI>]",
84 4, 0, 0, ARG_MAGIC | CONSTRAINT_ATTRIBUTE, constraint_cf_gen,
85 "( OLcfgOvAt:13.1 NAME 'olcConstraintAttribute' "
86 "DESC 'constraint for list of attributes' "
87 "EQUALITY caseIgnoreMatch "
88 "SYNTAX OMsDirectoryString )", NULL, NULL },
89 { NULL, NULL, 0, 0, 0, ARG_IGNORED }
92 static ConfigOCs constraintocs[] = {
94 "NAME 'olcConstraintConfig' "
95 "DESC 'Constraint overlay configuration' "
96 "SUP olcOverlayConfig "
97 "MAY ( olcConstraintAttribute ) )",
98 Cft_Overlay, constraintcfg },
103 constraint_free( constraint *cp, int freeme )
105 if (cp->restrict_lud)
106 ldap_free_urldesc(cp->restrict_lud);
107 if (!BER_BVISNULL(&cp->restrict_ndn))
108 ch_free(cp->restrict_ndn.bv_val);
109 if (cp->restrict_filter != NULL && cp->restrict_filter != slap_filter_objectClass_pres)
110 filter_free(cp->restrict_filter);
111 if (!BER_BVISNULL(&cp->restrict_val))
112 ch_free(cp->restrict_val.bv_val);
117 if (!BER_BVISNULL(&cp->val))
118 ch_free(cp->val.bv_val);
120 ldap_free_urldesc(cp->lud);
130 constraint_cf_gen( ConfigArgs *c )
132 slap_overinst *on = (slap_overinst *)(c->bi);
133 constraint *cn = on->on_bi.bi_private, *cp;
136 constraint ap = { NULL };
137 const char *text = NULL;
140 case SLAP_CONFIG_EMIT:
142 case CONSTRAINT_ATTRIBUTE:
143 for (cp=cn; cp; cp=cp->ap_next) {
149 bv.bv_len = STRLENOF(" ");
150 for (j = 0; cp->ap[j]; j++) {
151 bv.bv_len += cp->ap[j]->ad_cname.bv_len;
154 /* room for commas */
159 } else if (cp->lud) {
162 } else if (cp->set) {
165 } else if (cp->size) {
167 } else if (cp->count) {
171 bv.bv_len += strlen(tstr);
172 bv.bv_len += cp->val.bv_len + 2*quotes;
174 if (cp->restrict_lud != NULL) {
175 bv.bv_len += cp->restrict_val.bv_len + STRLENOF(" restrict=\"\"");
178 s = bv.bv_val = ch_malloc(bv.bv_len + 1);
180 s = lutil_strncopy( s, cp->ap[0]->ad_cname.bv_val, cp->ap[0]->ad_cname.bv_len );
181 for (j = 1; cp->ap[j]; j++) {
183 s = lutil_strncopy( s, cp->ap[j]->ad_cname.bv_val, cp->ap[j]->ad_cname.bv_len );
186 s = lutil_strcopy( s, tstr );
188 if ( quotes ) *s++ = '"';
189 s = lutil_strncopy( s, cp->val.bv_val, cp->val.bv_len );
190 if ( quotes ) *s++ = '"';
191 if (cp->restrict_lud != NULL) {
192 s = lutil_strcopy( s, " restrict=\"" );
193 s = lutil_strncopy( s, cp->restrict_val.bv_val, cp->restrict_val.bv_len );
198 rc = value_add_one( &c->rvalue_vals, &bv );
199 if (rc == LDAP_SUCCESS)
200 rc = value_add_one( &c->rvalue_nvals, &bv );
210 case LDAP_MOD_DELETE:
212 case CONSTRAINT_ATTRIBUTE:
213 if (!cn) break; /* nothing to do */
216 /* zap all constraints */
219 constraint_free( cn, 1 );
223 on->on_bi.bi_private = NULL;
227 /* zap constraint numbered 'valx' */
228 for(i=0, cp = cn, cpp = &cn;
230 i++, cpp = &cp->ap_next, cp = *cpp);
233 /* zap cp, and join cpp to cp->ap_next */
235 constraint_free( cp, 1 );
237 on->on_bi.bi_private = cn;
246 case SLAP_CONFIG_ADD:
249 case CONSTRAINT_ATTRIBUTE: {
251 char **attrs = ldap_str2charray( c->argv[1], "," );
253 for ( j = 0; attrs[j]; j++)
255 ap.ap = ch_calloc( sizeof(AttributeDescription*), j + 1 );
256 for ( j = 0; attrs[j]; j++) {
257 if ( slap_str2ad( attrs[j], &ap.ap[j], &text ) ) {
258 snprintf( c->cr_msg, sizeof( c->cr_msg ),
259 "%s <%s>: %s\n", c->argv[0], attrs[j], text );
265 if ( strcasecmp( c->argv[2], REGEX_STR ) == 0) {
268 ap.re = ch_malloc( sizeof(regex_t) );
269 if ((err = regcomp( ap.re,
270 c->argv[3], REG_EXTENDED )) != 0) {
273 regerror( err, ap.re, errmsg, sizeof(errmsg) );
275 snprintf( c->cr_msg, sizeof( c->cr_msg ),
276 "%s %s: Illegal regular expression \"%s\": Error %s",
277 c->argv[0], c->argv[1], c->argv[3], errmsg);
282 ber_str2bv( c->argv[3], 0, 1, &ap.val );
283 } else if ( strcasecmp( c->argv[2], SIZE_STR ) == 0 ) {
286 if ( ( size = atoi(c->argv[3]) ) != 0 )
288 } else if ( strcasecmp( c->argv[2], COUNT_STR ) == 0 ) {
291 if ( ( count = atoi(c->argv[3]) ) != 0 )
293 } else if ( strcasecmp( c->argv[2], URI_STR ) == 0 ) {
296 err = ldap_url_parse(c->argv[3], &ap.lud);
297 if ( err != LDAP_URL_SUCCESS ) {
298 snprintf( c->cr_msg, sizeof( c->cr_msg ),
299 "%s %s: Invalid URI \"%s\"",
300 c->argv[0], c->argv[1], c->argv[3]);
305 if (ap.lud->lud_host != NULL) {
306 snprintf( c->cr_msg, sizeof( c->cr_msg ),
307 "%s %s: unsupported hostname in URI \"%s\"",
308 c->argv[0], c->argv[1], c->argv[3]);
309 ldap_free_urldesc(ap.lud);
314 for ( i=0; ap.lud->lud_attrs[i]; i++);
315 /* FIXME: This is worthless without at least one attr */
317 ap.attrs = ch_malloc( (i+1)*sizeof(AttributeDescription *));
318 for ( i=0; ap.lud->lud_attrs[i]; i++) {
320 if ( slap_str2ad( ap.lud->lud_attrs[i], &ap.attrs[i], &text ) ) {
322 snprintf( c->cr_msg, sizeof( c->cr_msg ),
323 "%s <%s>: %s\n", c->argv[0], ap.lud->lud_attrs[i], text );
331 if (ap.lud->lud_dn == NULL) {
332 ap.lud->lud_dn = ch_strdup("");
334 struct berval dn, ndn;
336 ber_str2bv( ap.lud->lud_dn, 0, 0, &dn );
337 if (dnNormalize( 0, NULL, NULL, &dn, &ndn, NULL ) ) {
339 snprintf( c->cr_msg, sizeof( c->cr_msg ),
340 "%s %s: URI %s DN normalization failed",
341 c->argv[0], c->argv[1], c->argv[3] );
342 Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
343 "%s: %s\n", c->log, c->cr_msg, 0 );
347 ldap_memfree( ap.lud->lud_dn );
348 ap.lud->lud_dn = ndn.bv_val;
351 if (ap.lud->lud_filter == NULL) {
352 ap.lud->lud_filter = ch_strdup("objectClass=*");
353 } else if ( ap.lud->lud_filter[0] == '(' ) {
354 ber_len_t len = strlen( ap.lud->lud_filter );
355 if ( ap.lud->lud_filter[len - 1] != ')' ) {
356 snprintf( c->cr_msg, sizeof( c->cr_msg ),
357 "%s %s: invalid URI filter: %s",
358 c->argv[0], c->argv[1], ap.lud->lud_filter );
362 AC_MEMCPY( &ap.lud->lud_filter[0], &ap.lud->lud_filter[1], len - 2 );
363 ap.lud->lud_filter[len - 2] = '\0';
366 ber_str2bv( c->argv[3], 0, 1, &ap.val );
368 } else if ( strcasecmp( c->argv[2], SET_STR ) == 0 ) {
370 ber_str2bv( c->argv[3], 0, 1, &ap.val );
373 snprintf( c->cr_msg, sizeof( c->cr_msg ),
374 "%s %s: Unknown constraint type: %s",
375 c->argv[0], c->argv[1], c->argv[2] );
383 for ( argidx = 4; argidx < c->argc; argidx++ ) {
384 if ( strncasecmp( c->argv[argidx], "restrict=", STRLENOF("restrict=") ) == 0 ) {
386 char *arg = c->argv[argidx] + STRLENOF("restrict=");
388 err = ldap_url_parse(arg, &ap.restrict_lud);
389 if ( err != LDAP_URL_SUCCESS ) {
390 snprintf( c->cr_msg, sizeof( c->cr_msg ),
391 "%s %s: Invalid restrict URI \"%s\"",
392 c->argv[0], c->argv[1], arg);
397 if (ap.restrict_lud->lud_host != NULL) {
398 snprintf( c->cr_msg, sizeof( c->cr_msg ),
399 "%s %s: unsupported hostname in restrict URI \"%s\"",
400 c->argv[0], c->argv[1], arg);
405 if ( ap.restrict_lud->lud_attrs != NULL ) {
406 if ( ap.restrict_lud->lud_attrs[0] != '\0' ) {
407 snprintf( c->cr_msg, sizeof( c->cr_msg ),
408 "%s %s: attrs not allowed in restrict URI %s\n",
409 c->argv[0], c->argv[1], arg);
413 ldap_memvfree((void *)ap.restrict_lud->lud_attrs);
414 ap.restrict_lud->lud_attrs = NULL;
417 if (ap.restrict_lud->lud_dn != NULL) {
418 if (ap.restrict_lud->lud_dn[0] == '\0') {
419 ldap_memfree(ap.restrict_lud->lud_dn);
420 ap.restrict_lud->lud_dn = NULL;
423 struct berval dn, ndn;
426 ber_str2bv(ap.restrict_lud->lud_dn, 0, 0, &dn);
427 if (dnNormalize(0, NULL, NULL, &dn, &ndn, NULL)) {
429 snprintf( c->cr_msg, sizeof( c->cr_msg ),
430 "%s %s: restrict URI %s DN normalization failed",
431 c->argv[0], c->argv[1], arg );
436 assert(c->be != NULL);
437 if (c->be->be_nsuffix == NULL) {
438 snprintf( c->cr_msg, sizeof( c->cr_msg ),
439 "%s %s: restrict URI requires suffix",
440 c->argv[0], c->argv[1] );
445 for ( j = 0; !BER_BVISNULL(&c->be->be_nsuffix[j]); j++) {
446 if (dnIsSuffix(&ndn, &c->be->be_nsuffix[j])) break;
449 if (BER_BVISNULL(&c->be->be_nsuffix[j])) {
451 snprintf( c->cr_msg, sizeof( c->cr_msg ),
452 "%s %s: restrict URI DN %s not within database naming context(s)",
453 c->argv[0], c->argv[1], dn.bv_val );
458 ap.restrict_ndn = ndn;
462 if (ap.restrict_lud->lud_filter != NULL) {
463 ap.restrict_filter = str2filter(ap.restrict_lud->lud_filter);
464 if (ap.restrict_filter == NULL) {
466 snprintf( c->cr_msg, sizeof( c->cr_msg ),
467 "%s %s: restrict URI filter %s invalid",
468 c->argv[0], c->argv[1], ap.restrict_lud->lud_filter );
474 ber_str2bv(c->argv[argidx], 0, 1, &ap.restrict_val);
478 snprintf( c->cr_msg, sizeof( c->cr_msg ),
479 "%s %s: unrecognized arg #%d (%s)",
480 c->argv[0], c->argv[1], argidx, c->argv[argidx] );
488 if ( rc == LDAP_SUCCESS ) {
489 constraint *a2 = ch_calloc( sizeof(constraint), 1 );
490 a2->ap_next = on->on_bi.bi_private;
497 a2->count = ap.count;
499 ber_str2bv(a2->lud->lud_dn, 0, 0, &a2->dn);
500 ber_str2bv(a2->lud->lud_filter, 0, 0, &a2->filter);
502 a2->attrs = ap.attrs;
503 a2->restrict_lud = ap.restrict_lud;
504 a2->restrict_ndn = ap.restrict_ndn;
505 a2->restrict_filter = ap.restrict_filter;
506 a2->restrict_val = ap.restrict_val;
507 on->on_bi.bi_private = a2;
510 Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
511 "%s: %s\n", c->log, c->cr_msg, 0 );
512 constraint_free( &ap, 0 );
515 ldap_memvfree((void**)attrs);
530 constraint_uri_cb( Operation *op, SlapReply *rs )
532 if(rs->sr_type == REP_SEARCH) {
533 int *foundp = op->o_callback->sc_private;
537 Debug(LDAP_DEBUG_TRACE, "==> constraint_uri_cb <%s>\n",
538 rs->sr_entry ? rs->sr_entry->e_name.bv_val : "UNKNOWN_DN", 0, 0);
544 constraint_violation( constraint *c, struct berval *bv, Operation *op, SlapReply *rs)
546 if ((!c) || (!bv)) return LDAP_SUCCESS;
549 (regexec(c->re, bv->bv_val, 0, NULL, 0) == REG_NOMATCH))
550 return LDAP_CONSTRAINT_VIOLATION; /* regular expression violation */
552 if ((c->size) && (bv->bv_len > c->size))
553 return LDAP_CONSTRAINT_VIOLATION; /* size violation */
557 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
559 SlapReply nrs = { REP_RESULT };
564 struct berval filterstr;
573 cb.sc_response = constraint_uri_cb;
574 cb.sc_cleanup = NULL;
575 cb.sc_private = &found;
577 nop.o_protocol = LDAP_VERSION3;
578 nop.o_tag = LDAP_REQ_SEARCH;
579 nop.o_time = slap_get_time();
580 if (c->lud->lud_dn) {
583 ber_str2bv(c->lud->lud_dn, 0, 0, &dn);
586 nop.o_bd = select_backend(&nop.o_req_ndn, 1 );
588 return LDAP_NO_SUCH_OBJECT; /* unexpected error */
590 if (!nop.o_bd->be_search) {
591 return LDAP_OTHER; /* unexpected error */
594 nop.o_req_dn = nop.o_bd->be_nsuffix[0];
595 nop.o_req_ndn = nop.o_bd->be_nsuffix[0];
596 nop.o_bd = on->on_info->oi_origdb;
598 nop.o_do_not_cache = 1;
599 nop.o_callback = &cb;
601 nop.ors_scope = c->lud->lud_scope;
602 nop.ors_deref = LDAP_DEREF_NEVER;
603 nop.ors_slimit = SLAP_NO_LIMIT;
604 nop.ors_tlimit = SLAP_NO_LIMIT;
605 nop.ors_limit = NULL;
607 nop.ors_attrsonly = 0;
608 nop.ors_attrs = slap_anlist_no_attrs;
610 len = STRLENOF("(&(") +
614 for (i = 0; c->attrs[i]; i++) {
615 len += STRLENOF("(") +
616 c->attrs[i]->ad_cname.bv_len +
622 len += STRLENOF("))");
623 filterstr.bv_len = len;
624 filterstr.bv_val = op->o_tmpalloc(len + 1, op->o_tmpmemctx);
626 ptr = filterstr.bv_val +
627 snprintf(filterstr.bv_val, len, "(&(%s)(|", c->lud->lud_filter);
628 for (i = 0; c->attrs[i]; i++) {
630 ptr = lutil_strcopy( ptr, c->attrs[i]->ad_cname.bv_val );
632 ptr = lutil_strcopy( ptr, bv->bv_val );
639 nop.ors_filterstr = filterstr;
640 nop.ors_filter = str2filter_x(&nop, filterstr.bv_val);
641 if ( nop.ors_filter == NULL ) {
642 Debug( LDAP_DEBUG_ANY,
643 "%s constraint_violation uri filter=\"%s\" invalid\n",
644 op->o_log_prefix, filterstr.bv_val, 0 );
647 Debug(LDAP_DEBUG_TRACE,
648 "==> constraint_violation uri filter = %s\n",
649 filterstr.bv_val, 0, 0);
651 rc = nop.o_bd->be_search( &nop, &nrs );
653 Debug(LDAP_DEBUG_TRACE,
654 "==> constraint_violation uri rc = %d, found = %d\n",
657 op->o_tmpfree(filterstr.bv_val, op->o_tmpmemctx);
659 if((rc != LDAP_SUCCESS) && (rc != LDAP_NO_SUCH_OBJECT)) {
660 return rc; /* unexpected error */
664 return LDAP_CONSTRAINT_VIOLATION; /* constraint violation */
672 print_message( struct berval *errtext, AttributeDescription *a )
677 sz = errtext->bv_len + sizeof(" on ") + a->ad_cname.bv_len;
679 snprintf( ret, sz, "%s on %s", errtext->bv_val, a->ad_cname.bv_val );
684 constraint_count_attr(Entry *e, AttributeDescription *ad)
688 if ((a = attr_find(e->e_attrs, ad)) != NULL)
694 constraint_check_restrict( Operation *op, constraint *c, Entry *e )
696 assert( c->restrict_lud != NULL );
698 if ( c->restrict_lud->lud_dn != NULL ) {
699 int diff = e->e_nname.bv_len - c->restrict_ndn.bv_len;
705 if ( c->restrict_lud->lud_scope == LDAP_SCOPE_BASE ) {
706 return bvmatch( &e->e_nname, &c->restrict_ndn );
709 if ( !dnIsSuffix( &e->e_nname, &c->restrict_ndn ) ) {
713 if ( c->restrict_lud->lud_scope != LDAP_SCOPE_SUBTREE ) {
720 dnParent( &e->e_nname, &pdn );
722 if ( c->restrict_lud->lud_scope == LDAP_SCOPE_ONELEVEL
723 && pdn.bv_len != c->restrict_ndn.bv_len )
730 if ( c->restrict_filter != NULL ) {
732 struct berval save_dn = op->o_dn, save_ndn = op->o_ndn;
734 op->o_dn = op->o_bd->be_rootdn;
735 op->o_ndn = op->o_bd->be_rootndn;
736 rc = test_filter( op, e, c->restrict_filter );
738 op->o_ndn = save_ndn;
740 if ( rc != LDAP_COMPARE_TRUE ) {
749 constraint_add( Operation *op, SlapReply *rs )
751 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
753 constraint *c = on->on_bi.bi_private, *cp;
756 struct berval rsv = BER_BVC("add breaks constraint");
761 return SLAP_CB_CONTINUE;
764 if ((a = op->ora_e->e_attrs) == NULL) {
765 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
766 send_ldap_error(op, rs, LDAP_INVALID_SYNTAX,
767 "constraint_add: no attrs");
771 for(; a; a = a->a_next ) {
772 /* we don't constrain operational attributes */
773 if (is_at_operational(a->a_desc->ad_type)) continue;
775 for(cp = c; cp; cp = cp->ap_next) {
777 for (j = 0; cp->ap[j]; j++) {
778 if (cp->ap[j] == a->a_desc) break;
780 if (cp->ap[j] == NULL) continue;
781 if ((b = a->a_vals) == NULL) continue;
783 if (cp->restrict_lud != NULL && constraint_check_restrict(op, cp, op->ora_e) == 0) {
787 Debug(LDAP_DEBUG_TRACE,
788 "==> constraint_add, "
789 "a->a_numvals = %d, cp->count = %d\n",
790 a->a_numvals, cp->count, 0);
792 if ((cp->count != 0) && (a->a_numvals > cp->count)) {
793 rc = LDAP_CONSTRAINT_VIOLATION;
797 for ( i = 0; b[i].bv_val; i++ ) {
798 rc = constraint_violation( cp, &b[i], op, rs );
804 if (cp->set && acl_match_set(&cp->val, op, op->ora_e, NULL) == 0) {
805 rc = LDAP_CONSTRAINT_VIOLATION;
806 goto add_violation; /* constraint violation */
812 /* Default is to just fall through to the normal processing */
813 return SLAP_CB_CONTINUE;
816 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
817 if (rc == LDAP_CONSTRAINT_VIOLATION ) {
818 msg = print_message( &rsv, a->a_desc );
820 send_ldap_error(op, rs, rc, msg );
827 constraint_update( Operation *op, SlapReply *rs )
829 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
830 Backend *be = op->o_bd;
831 constraint *c = on->on_bi.bi_private, *cp;
832 Entry *target_entry = NULL, *target_entry_copy = NULL;
833 Modifications *modlist, *m;
836 struct berval rsv = BER_BVC("modify breaks constraint");
841 return SLAP_CB_CONTINUE;
844 switch ( op->o_tag ) {
845 case LDAP_REQ_MODIFY:
846 modlist = op->orm_modlist;
849 case LDAP_REQ_MODRDN:
850 modlist = op->orr_modlist;
854 /* impossible! assert? */
858 Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE, "constraint_update()\n", 0,0,0);
859 if ((m = modlist) == NULL) {
860 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
861 send_ldap_error(op, rs, LDAP_INVALID_SYNTAX,
862 "constraint_update() got null modlist");
866 /* Do we need to count attributes? */
867 for(cp = c; cp; cp = cp->ap_next) {
868 if (cp->count != 0 || cp->set || cp->restrict_lud != 0) {
869 op->o_bd = on->on_info->oi_origdb;
870 rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &target_entry );
873 if (rc != 0 || target_entry == NULL) {
874 Debug(LDAP_DEBUG_TRACE,
875 "==> constraint_update rc = %d DN=\"%s\"%s\n",
876 rc, op->o_req_ndn.bv_val,
877 target_entry ? "" : " not found" );
879 rc = LDAP_CONSTRAINT_VIOLATION;
886 rc = LDAP_CONSTRAINT_VIOLATION;
887 for(;m; m = m->sml_next) {
890 if (is_at_operational( m->sml_desc->ad_type )) continue;
892 if ((( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_ADD) &&
893 (( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_REPLACE) &&
894 (( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_DELETE))
896 /* we only care about ADD and REPLACE modifications */
897 /* and DELETE are used to track attribute count */
898 if ((( b = m->sml_values ) == NULL ) || (b[0].bv_val == NULL))
901 /* Get this attribute count, if needed */
903 ce = constraint_count_attr(target_entry, m->sml_desc);
905 for(cp = c; cp; cp = cp->ap_next) {
907 for (j = 0; cp->ap[j]; j++) {
908 if (cp->ap[j] == m->sml_desc) {
912 if (cp->ap[j] == NULL) continue;
914 if (cp->restrict_lud != NULL && constraint_check_restrict(op, cp, target_entry) == 0) {
918 if (cp->count != 0) {
921 if (m->sml_op == LDAP_MOD_DELETE)
924 for (ca = 0; b[ca].bv_val; ++ca);
926 Debug(LDAP_DEBUG_TRACE,
927 "==> constraint_update ce = %d, "
928 "ca = %d, cp->count = %d\n",
931 if (m->sml_op == LDAP_MOD_ADD) {
932 if (ca + ce > cp->count) {
933 rc = LDAP_CONSTRAINT_VIOLATION;
937 if (m->sml_op == LDAP_MOD_REPLACE) {
938 if (ca > cp->count) {
939 rc = LDAP_CONSTRAINT_VIOLATION;
946 /* DELETE are to be ignored beyond this point */
947 if (( m->sml_op & LDAP_MOD_OP ) == LDAP_MOD_DELETE)
950 for ( i = 0; b[i].bv_val; i++ ) {
951 rc = constraint_violation( cp, &b[i], op, rs );
957 if (cp->set && target_entry) {
958 if (target_entry_copy == NULL) {
961 target_entry_copy = entry_dup(target_entry);
963 /* if rename, set the new entry's name
964 * (in normalized form only) */
965 if ( op->o_tag == LDAP_REQ_MODRDN ) {
966 struct berval pdn, ndn = BER_BVNULL;
968 if ( op->orr_nnewSup ) {
969 pdn = *op->orr_nnewSup;
972 dnParent( &target_entry_copy->e_nname, &pdn );
975 build_new_dn( &ndn, &pdn, &op->orr_nnewrdn, NULL );
977 ber_memfree( target_entry_copy->e_nname.bv_val );
978 target_entry_copy->e_nname = ndn;
979 ber_bvreplace( &target_entry_copy->e_name, &ndn );
982 /* apply modifications, in an attempt
983 * to estimate what the entry would
984 * look like in case all modifications
986 for ( ml = modlist; ml; ml = ml->sml_next ) {
987 Modification *mod = &ml->sml_mod;
989 char textbuf[SLAP_TEXT_BUFLEN];
990 size_t textlen = sizeof(textbuf);
993 switch ( mod->sm_op ) {
995 err = modify_add_values( target_entry_copy,
996 mod, get_permissiveModify(op),
997 &text, textbuf, textlen );
1000 case LDAP_MOD_DELETE:
1001 err = modify_delete_values( target_entry_copy,
1002 mod, get_permissiveModify(op),
1003 &text, textbuf, textlen );
1006 case LDAP_MOD_REPLACE:
1007 err = modify_replace_values( target_entry_copy,
1008 mod, get_permissiveModify(op),
1009 &text, textbuf, textlen );
1012 case LDAP_MOD_INCREMENT:
1013 err = modify_increment_values( target_entry_copy,
1014 mod, get_permissiveModify(op),
1015 &text, textbuf, textlen );
1018 case SLAP_MOD_SOFTADD:
1019 mod->sm_op = LDAP_MOD_ADD;
1020 err = modify_add_values( target_entry_copy,
1021 mod, get_permissiveModify(op),
1022 &text, textbuf, textlen );
1023 mod->sm_op = SLAP_MOD_SOFTADD;
1024 if ( err == LDAP_TYPE_OR_VALUE_EXISTS ) {
1034 if ( err != LDAP_SUCCESS ) {
1041 if ( acl_match_set(&cp->val, op, target_entry_copy, NULL) == 0) {
1042 rc = LDAP_CONSTRAINT_VIOLATION;
1050 op->o_bd = on->on_info->oi_origdb;
1051 be_entry_release_r(op, target_entry);
1055 if (target_entry_copy) {
1056 entry_free(target_entry_copy);
1059 return SLAP_CB_CONTINUE;
1064 op->o_bd = on->on_info->oi_origdb;
1065 be_entry_release_r(op, target_entry);
1069 if (target_entry_copy) {
1070 entry_free(target_entry_copy);
1073 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
1074 if ( rc == LDAP_CONSTRAINT_VIOLATION ) {
1075 msg = print_message( &rsv, m->sml_desc );
1077 send_ldap_error( op, rs, LDAP_CONSTRAINT_VIOLATION, msg );
1079 return (rs->sr_err);
1087 slap_overinst *on = (slap_overinst *) be->bd_info;
1088 constraint *ap, *a2;
1090 for ( ap = on->on_bi.bi_private; ap; ap = a2 ) {
1092 constraint_free( ap, 1 );
1098 static slap_overinst constraint_ovl;
1100 #if SLAPD_OVER_CONSTRAINT == SLAPD_MOD_DYNAMIC
1104 constraint_initialize( void ) {
1107 constraint_ovl.on_bi.bi_type = "constraint";
1108 constraint_ovl.on_bi.bi_db_close = constraint_close;
1109 constraint_ovl.on_bi.bi_op_add = constraint_add;
1110 constraint_ovl.on_bi.bi_op_modify = constraint_update;
1111 constraint_ovl.on_bi.bi_op_modrdn = constraint_update;
1113 constraint_ovl.on_bi.bi_private = NULL;
1115 constraint_ovl.on_bi.bi_cf_ocs = constraintocs;
1116 rc = config_register_schema( constraintcfg, constraintocs );
1119 return overlay_register( &constraint_ovl );
1122 #if SLAPD_OVER_CONSTRAINT == SLAPD_MOD_DYNAMIC
1123 int init_module(int argc, char *argv[]) {
1124 return constraint_initialize();
1128 #endif /* defined(SLAPD_OVER_CONSTRAINT) */
projects / openldap / blob