1 /* constraint.c - Overlay to constrain attributes to certain values */
4 * Copyright 2003-2004 Hewlett-Packard Company
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted only as authorized by the OpenLDAP
11 * A copy of this license is available in the file LICENSE in the
12 * top-level directory of the distribution or, alternatively, at
13 * <http://www.OpenLDAP.org/license.html>.
16 * Author: Neil Dunbar <neil.dunbar@hp.com>
20 #ifdef SLAPD_OVER_CONSTRAINT
24 #include <ac/string.h>
25 #include <ac/socket.h>
32 * This overlay limits the values which can be placed into an
33 * attribute, over and above the limits placed by the schema.
35 * It traps only LDAP adds and modify commands (and only seeks to
36 * control the add and modify value mods of a modify)
39 #define REGEX_STR "regex"
42 * Linked list of attribute constraints which we should enforce.
43 * This is probably a sub optimal structure - some form of sorted
44 * array would be better if the number of attributes contrained is
45 * likely to be much bigger than 4 or 5. We stick with a list for
49 typedef struct constraint {
50 struct constraint *ap_next;
51 AttributeDescription *ap;
53 char *re_str; /* string representation of regex */
57 CONSTRAINT_ATTRIBUTE = 1
60 static ConfigDriver constraint_cf_gen;
62 static ConfigTable constraintcfg[] = {
63 { "constraint_attribute", "attribute regex <regular expression>",
64 4, 4, 0, ARG_MAGIC | CONSTRAINT_ATTRIBUTE, constraint_cf_gen,
65 "( OLcfgOvAt:13.1 NAME 'olcConstraintAttribute' "
66 "DESC 'regular expression constraint for attribute' "
67 "EQUALITY caseIgnoreMatch "
68 "SYNTAX OMsDirectoryString )", NULL, NULL },
69 { NULL, NULL, 0, 0, 0, ARG_IGNORED }
72 static ConfigOCs constraintocs[] = {
74 "NAME 'olcConstraintConfig' "
75 "DESC 'Constraint overlay configuration' "
76 "SUP olcOverlayConfig "
77 "MAY ( olcConstraintAttribute ) )",
78 Cft_Overlay, constraintcfg },
83 constraint_cf_gen( ConfigArgs *c )
85 slap_overinst *on = (slap_overinst *)(c->bi);
86 constraint *cn = on->on_bi.bi_private, *cp;
89 constraint ap = { NULL, NULL, NULL }, *a2 = NULL;
90 const char *text = NULL;
93 case SLAP_CONFIG_EMIT:
95 case CONSTRAINT_ATTRIBUTE:
96 for (cp=cn; cp; cp=cp->ap_next) {
100 len = cp->ap->ad_cname.bv_len +
101 strlen( REGEX_STR ) + strlen( cp->re_str) + 3;
104 snprintf(s, len, "%s %s %s", cp->ap->ad_cname.bv_val,
105 REGEX_STR, cp->re_str);
107 bv.bv_len = strlen(s);
108 rc = value_add_one( &c->rvalue_vals, &bv );
110 rc = value_add_one( &c->rvalue_nvals, &bv );
120 case LDAP_MOD_DELETE:
122 case CONSTRAINT_ATTRIBUTE:
123 if (!cn) break; /* nothing to do */
126 /* zap all constraints */
133 if (cn->re_str) ch_free(cn->re_str);
138 on->on_bi.bi_private = NULL;
142 /* zap constraint numbered 'valx' */
143 for(i=0, cp = cn, cpp = &cn;
145 i++, cpp = &cp->ap_next, cp = *cpp);
148 /* zap cp, and join cpp to cp->ap_next */
154 if (cp->re_str) ch_free(cp->re_str);
157 on->on_bi.bi_private = cn;
166 case SLAP_CONFIG_ADD:
169 case CONSTRAINT_ATTRIBUTE:
170 if ( slap_str2ad( c->argv[1], &ap.ap, &text ) ) {
171 snprintf( c->msg, sizeof( c->msg ),
172 "%s <%s>: %s\n", c->argv[0], c->argv[1], text );
173 Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
174 "%s: %s\n", c->log, c->msg, 0 );
175 return( ARG_BAD_CONF );
178 if ( strcasecmp( c->argv[2], "regex" ) == 0) {
181 ap.re = ch_malloc( sizeof(regex_t) );
182 if ((err = regcomp( ap.re,
183 c->argv[3], REG_EXTENDED )) != 0) {
186 regerror( err, ap.re, errmsg, sizeof(errmsg) );
188 snprintf( c->msg, sizeof( c->msg ),
189 "%s %s: Illegal regular expression \"%s\": Error %s",
190 c->argv[0], c->argv[1], c->argv[3], errmsg);
191 Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
192 "%s: %s\n", c->log, c->msg, 0 );
194 return( ARG_BAD_CONF );
196 ap.re_str = ch_strdup( c->argv[3] );
198 snprintf( c->msg, sizeof( c->msg ),
199 "%s %s: Unknown constraint type: %s",
200 c->argv[0], c->argv[1], c->argv[2] );
201 Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
202 "%s: %s\n", c->log, c->msg, 0 );
203 return ( ARG_BAD_CONF );
207 a2 = ch_malloc( sizeof(constraint) );
208 a2->ap_next = on->on_bi.bi_private;
211 a2->re_str = ap.re_str;
212 on->on_bi.bi_private = a2;
227 constraint_violation( constraint *c, struct berval *bv )
229 if ((!c) || (!bv)) return 0;
232 (regexec(c->re, bv->bv_val, 0, NULL, 0) == REG_NOMATCH))
234 return 1; /* regular expression violation */
240 print_message( const char *fmt, AttributeDescription *a )
245 sz = strlen(fmt) + a->ad_cname.bv_len + 1;
247 snprintf( ret, sz, fmt, a->ad_cname.bv_val );
252 constraint_add( Operation *op, SlapReply *rs )
254 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
256 constraint *c = on->on_bi.bi_private, *cp;
259 const char *rsv = "add breaks regular expression constraint on %s";
262 if ((a = op->ora_e->e_attrs) == NULL) {
263 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
264 send_ldap_error(op, rs, LDAP_INVALID_SYNTAX,
265 "constraint_add() got null op.ora_e.e_attrs");
269 for(; a; a = a->a_next ) {
270 /* we don't constrain operational attributes */
272 if (is_at_operational(a->a_desc->ad_type)) continue;
274 for(cp = c; cp; cp = cp->ap_next) {
275 if (cp->ap != a->a_desc) continue;
276 if ((b = a->a_vals) == NULL) continue;
278 for(i=0; b[i].bv_val; i++) {
279 int cv = constraint_violation( cp, &b[i]);
282 /* regex violation */
283 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
284 msg = print_message( rsv, a->a_desc );
285 send_ldap_error(op, rs, LDAP_CONSTRAINT_VIOLATION, msg );
292 /* Default is to just fall through to the normal processing */
293 return SLAP_CB_CONTINUE;
297 constraint_modify( Operation *op, SlapReply *rs )
299 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
300 constraint *c = on->on_bi.bi_private, *cp;
304 const char *rsv = "modify breaks regular expression constraint on %s";
307 if ((m = op->orm_modlist) == NULL) {
308 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
309 send_ldap_error(op, rs, LDAP_INVALID_SYNTAX,
310 "constraint_modify() got null orm_modlist");
314 for(;m; m = m->sml_next) {
315 if (is_at_operational( m->sml_desc->ad_type )) continue;
316 if ((( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_ADD) &&
317 (( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_REPLACE))
319 /* we only care about ADD and REPLACE modifications */
320 if ((( b = m->sml_values ) == NULL ) || (b[0].bv_val == NULL))
323 for(cp = c; cp; cp = cp->ap_next) {
324 if (cp->ap != m->sml_desc) continue;
326 for(i=0; b[i].bv_val; i++) {
327 int cv = constraint_violation( cp, &b[i]);
330 /* regex violation */
331 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
332 msg = print_message( rsv, m->sml_desc );
333 send_ldap_error(op, rs, LDAP_CONSTRAINT_VIOLATION, msg );
341 return SLAP_CB_CONTINUE;
349 slap_overinst *on = (slap_overinst *) be->bd_info;
352 for ( ap = on->on_bi.bi_private; ap; ap = a2 ) {
354 if (ap->re_str) ch_free(ap->re_str);
366 static slap_overinst constraint_ovl;
368 /* This overlay is set up for dynamic loading via moduleload. For static
369 * configuration, you'll need to arrange for the slap_overinst to be
370 * initialized and registered by some other function inside slapd.
373 #if SLAPD_OVER_CONSTRAINT == SLAPD_MOD_DYNAMIC
377 constraint_initialize( void ) {
380 constraint_ovl.on_bi.bi_type = "constraint";
381 constraint_ovl.on_bi.bi_db_close = constraint_close;
382 constraint_ovl.on_bi.bi_op_add = constraint_add;
383 constraint_ovl.on_bi.bi_op_modify = constraint_modify;
385 constraint_ovl.on_bi.bi_private = NULL;
387 constraint_ovl.on_bi.bi_cf_ocs = constraintocs;
388 rc = config_register_schema( constraintcfg, constraintocs );
391 return overlay_register( &constraint_ovl );
394 #if SLAPD_OVER_CONSTRAINT == SLAPD_MOD_DYNAMIC
395 int init_module(int argc, char *argv[]) {
396 return constraint_initialize();
400 #endif /* defined(SLAPD_OVER_CONSTRAINT) */