1 /* constraint.c - Overlay to constrain attributes to certain values */
4 * Copyright 2003-2004 Hewlett-Packard Company
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted only as authorized by the OpenLDAP
11 * A copy of this license is available in the file LICENSE in the
12 * top-level directory of the distribution or, alternatively, at
13 * <http://www.OpenLDAP.org/license.html>.
16 * Author: Neil Dunbar <neil.dunbar@hp.com>
20 #ifdef SLAPD_OVER_CONSTRAINT
24 #include <ac/string.h>
25 #include <ac/socket.h>
32 * This overlay limits the values which can be placed into an
33 * attribute, over and above the limits placed by the schema.
35 * It traps only LDAP adds and modify commands (and only seeks to
36 * control the add and modify value mods of a modify)
39 #define REGEX_STR "regex"
42 * Linked list of attribute constraints which we should enforce.
43 * This is probably a sub optimal structure - some form of sorted
44 * array would be better if the number of attributes contrained is
45 * likely to be much bigger than 4 or 5. We stick with a list for
49 typedef struct constraint {
50 struct constraint *ap_next;
51 AttributeDescription *ap;
53 char *re_str; /* string representation of regex */
57 CONSTRAINT_ATTRIBUTE = 1
60 static ConfigDriver constraint_cf_gen;
62 static ConfigTable constraintcfg[] = {
63 { "constraint_attribute", "attribute regex <regular expression>",
64 4, 4, 0, ARG_MAGIC | CONSTRAINT_ATTRIBUTE, constraint_cf_gen,
65 "( OLcfgOvAt:13.1 NAME 'olcConstraintAttribute' "
66 "DESC 'regular expression constraint for attribute' "
67 "EQUALITY caseIgnoreMatch "
68 "SYNTAX OMsDirectoryString )", NULL, NULL },
69 { NULL, NULL, 0, 0, 0, ARG_IGNORED }
72 static ConfigOCs constraintocs[] = {
74 "NAME 'olcConstraintConfig' "
75 "DESC 'Constraint overlay configuration' "
76 "SUP olcOverlayConfig "
77 "MAY ( olcConstraintAttribute ) )",
78 Cft_Overlay, constraintcfg },
83 constraint_cf_gen( ConfigArgs *c )
85 slap_overinst *on = (slap_overinst *)(c->bi);
86 constraint *cn = on->on_bi.bi_private, *cp;
89 constraint ap = { NULL, NULL, NULL }, *a2 = NULL;
91 const char *text = NULL;
94 case SLAP_CONFIG_EMIT:
96 case CONSTRAINT_ATTRIBUTE:
97 for (cp=cn; cp; cp=cp->ap_next) {
101 len = cp->ap->ad_cname.bv_len +
102 strlen( REGEX_STR ) + strlen( cp->re_str) + 3;
105 snprintf(s, len, "%s %s %s", cp->ap->ad_cname.bv_val,
106 REGEX_STR, cp->re_str);
108 bv.bv_len = strlen(s);
109 rc = value_add_one( &c->rvalue_vals, &bv );
111 rc = value_add_one( &c->rvalue_nvals, &bv );
121 case LDAP_MOD_DELETE:
123 case CONSTRAINT_ATTRIBUTE:
124 if (!cn) break; /* nothing to do */
127 /* zap all constraints */
134 if (cn->re_str) ch_free(cn->re_str);
139 on->on_bi.bi_private = NULL;
143 /* zap constraint numbered 'valx' */
144 for(i=0, cp = cn, cpp = &cn;
146 i++, cpp = &cp->ap_next, cp = *cpp);
149 /* zap cp, and join cpp to cp->ap_next */
155 if (cp->re_str) ch_free(cp->re_str);
158 on->on_bi.bi_private = cn;
167 case SLAP_CONFIG_ADD:
170 case CONSTRAINT_ATTRIBUTE:
171 if ( slap_str2ad( c->argv[1], &ap.ap, &text ) ) {
172 snprintf( c->msg, sizeof( c->msg ),
173 "%s <%s>: %s\n", c->argv[0], c->argv[1], text );
174 Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
175 "%s: %s\n", c->log, c->msg, 0 );
176 return( ARG_BAD_CONF );
179 if ( strcasecmp( c->argv[2], "regex" ) == 0) {
182 ap.re = ch_malloc( sizeof(regex_t) );
183 if ((err = regcomp( ap.re,
184 c->argv[3], REG_EXTENDED )) != 0) {
187 regerror( err, ap.re, errmsg, sizeof(errmsg) );
189 snprintf( c->msg, sizeof( c->msg ),
190 "%s %s: Illegal regular expression \"%s\": Error %s",
191 c->argv[0], c->argv[1], c->argv[3], errmsg);
192 Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
193 "%s: %s\n", c->log, c->msg, 0 );
195 return( ARG_BAD_CONF );
197 ap.re_str = ch_strdup( c->argv[3] );
199 snprintf( c->msg, sizeof( c->msg ),
200 "%s %s: Unknown constraint type: %s",
201 c->argv[0], c->argv[1], c->argv[2] );
202 Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
203 "%s: %s\n", c->log, c->msg, 0 );
204 return ( ARG_BAD_CONF );
208 a2 = ch_malloc( sizeof(constraint) );
209 a2->ap_next = on->on_bi.bi_private;
212 a2->re_str = ap.re_str;
213 on->on_bi.bi_private = a2;
228 constraint_violation( constraint *c, struct berval *bv )
230 if ((!c) || (!bv)) return 0;
233 (regexec(c->re, bv->bv_val, 0, NULL, 0) == REG_NOMATCH))
235 return 1; /* regular expression violation */
241 print_message( const char *fmt, AttributeDescription *a )
246 sz = strlen(fmt) + a->ad_cname.bv_len + 1;
248 snprintf( ret, sz, fmt, a->ad_cname.bv_val );
253 constraint_add( Operation *op, SlapReply *rs )
255 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
257 constraint *c = on->on_bi.bi_private, *cp;
260 const char *rsv = "add breaks regular expression constraint on %s";
263 if ((a = op->ora_e->e_attrs) == NULL) {
264 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
265 send_ldap_error(op, rs, LDAP_INVALID_SYNTAX,
266 "constraint_add() got null op.ora_e.e_attrs");
270 for(; a; a = a->a_next ) {
271 /* we don't constrain operational attributes */
273 if (is_at_operational(a->a_desc->ad_type)) continue;
275 for(cp = c; cp; cp = cp->ap_next) {
276 if (cp->ap != a->a_desc) continue;
277 if ((b = a->a_vals) == NULL) continue;
279 for(i=0; b[i].bv_val; i++) {
280 int cv = constraint_violation( cp, &b[i]);
283 /* regex violation */
284 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
285 msg = print_message( rsv, a->a_desc );
286 send_ldap_error(op, rs, LDAP_CONSTRAINT_VIOLATION, msg );
293 /* Default is to just fall through to the normal processing */
294 return SLAP_CB_CONTINUE;
298 constraint_modify( Operation *op, SlapReply *rs )
300 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
301 constraint *c = on->on_bi.bi_private, *cp;
305 const char *rsv = "modify breaks regular expression constraint on %s";
308 if ((m = op->orm_modlist) == NULL) {
309 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
310 send_ldap_error(op, rs, LDAP_INVALID_SYNTAX,
311 "constraint_modify() got null orm_modlist");
315 for(;m; m = m->sml_next) {
316 if (is_at_operational( m->sml_desc->ad_type )) continue;
317 if ((( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_ADD) &&
318 (( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_REPLACE))
320 /* we only care about ADD and REPLACE modifications */
321 if ((( b = m->sml_values ) == NULL ) || (b[0].bv_val == NULL))
324 for(cp = c; cp; cp = cp->ap_next) {
325 if (cp->ap != m->sml_desc) continue;
327 for(i=0; b[i].bv_val; i++) {
328 int cv = constraint_violation( cp, &b[i]);
331 /* regex violation */
332 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
333 msg = print_message( rsv, m->sml_desc );
334 send_ldap_error(op, rs, LDAP_CONSTRAINT_VIOLATION, msg );
342 return SLAP_CB_CONTINUE;
350 slap_overinst *on = (slap_overinst *) be->bd_info;
353 for ( ap = on->on_bi.bi_private; ap; ap = a2 ) {
355 if (ap->re_str) ch_free(ap->re_str);
367 static slap_overinst constraint_ovl;
369 /* This overlay is set up for dynamic loading via moduleload. For static
370 * configuration, you'll need to arrange for the slap_overinst to be
371 * initialized and registered by some other function inside slapd.
374 #if SLAPD_OVER_CONSTRAINT == SLAPD_MOD_DYNAMIC
378 constraint_initialize( void ) {
381 constraint_ovl.on_bi.bi_type = "constraint";
382 constraint_ovl.on_bi.bi_db_close = constraint_close;
383 constraint_ovl.on_bi.bi_op_add = constraint_add;
384 constraint_ovl.on_bi.bi_op_modify = constraint_modify;
386 constraint_ovl.on_bi.bi_private = NULL;
388 constraint_ovl.on_bi.bi_cf_ocs = constraintocs;
389 rc = config_register_schema( constraintcfg, constraintocs );
392 return overlay_register( &constraint_ovl );
395 #if SLAPD_OVER_CONSTRAINT == SLAPD_MOD_DYNAMIC
396 int init_module(int argc, char *argv[]) {
397 return constraint_initialize();
401 #endif /* defined(SLAPD_OVER_CONSTRAINT) */