]> git.sur5r.net Git - openldap/blob - servers/slapd/overlays/constraint.c
ITS#5705
[openldap] / servers / slapd / overlays / constraint.c
1 /* $OpenLDAP$ */
2 /* constraint.c - Overlay to constrain attributes to certain values */
3 /* 
4  * Copyright 2003-2004 Hewlett-Packard Company
5  * Copyright 2007 Emmanuel Dreyfus
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted only as authorized by the OpenLDAP
10  * Public License.
11  *
12  * A copy of this license is available in the file LICENSE in the
13  * top-level directory of the distribution or, alternatively, at
14  * <http://www.OpenLDAP.org/license.html>.
15  */
16 /*
17  * Authors: Neil Dunbar <neil.dunbar@hp.com>
18  *                      Emmannuel Dreyfus <manu@netbsd.org>
19  */
20 #include "portable.h"
21
22 #ifdef SLAPD_OVER_CONSTRAINT
23
24 #include <stdio.h>
25
26 #include <ac/string.h>
27 #include <ac/socket.h>
28 #include <ac/regex.h>
29
30 #include "lutil.h"
31 #include "slap.h"
32 #include "config.h"
33
34 /*
35  * This overlay limits the values which can be placed into an
36  * attribute, over and above the limits placed by the schema.
37  *
38  * It traps only LDAP adds and modify commands (and only seeks to
39  * control the add and modify value mods of a modify)
40  */
41
42 #define REGEX_STR "regex"
43 #define URI_STR "uri"
44 #define SET_STR "set"
45 #define SIZE_STR "size"
46 #define COUNT_STR "count"
47
48 /*
49  * Linked list of attribute constraints which we should enforce.
50  * This is probably a sub optimal structure - some form of sorted
51  * array would be better if the number of attributes contrained is
52  * likely to be much bigger than 4 or 5. We stick with a list for
53  * the moment.
54  */
55
56 typedef struct constraint {
57         struct constraint *ap_next;
58         AttributeDescription **ap;
59
60         LDAPURLDesc *restrict_lud;
61         struct berval restrict_ndn;
62         Filter *restrict_filter;
63         struct berval restrict_val;
64
65         regex_t *re;
66         LDAPURLDesc *lud;
67         int set;
68         size_t size;
69         size_t count;
70         AttributeDescription **attrs;
71         struct berval val; /* constraint value */
72         struct berval dn;
73         struct berval filter;
74 } constraint;
75
76 enum {
77         CONSTRAINT_ATTRIBUTE = 1
78 };
79
80 static ConfigDriver constraint_cf_gen;
81
82 static ConfigTable constraintcfg[] = {
83         { "constraint_attribute", "attribute[list]> (regex|uri|set|size|count) <value> [<restrict URI>]",
84           4, 0, 0, ARG_MAGIC | CONSTRAINT_ATTRIBUTE, constraint_cf_gen,
85           "( OLcfgOvAt:13.1 NAME 'olcConstraintAttribute' "
86           "DESC 'constraint for list of attributes' "
87           "EQUALITY caseIgnoreMatch "
88           "SYNTAX OMsDirectoryString )", NULL, NULL },
89         { NULL, NULL, 0, 0, 0, ARG_IGNORED }
90 };
91
92 static ConfigOCs constraintocs[] = {
93         { "( OLcfgOvOc:13.1 "
94           "NAME 'olcConstraintConfig' "
95           "DESC 'Constraint overlay configuration' "
96           "SUP olcOverlayConfig "
97           "MAY ( olcConstraintAttribute ) )",
98           Cft_Overlay, constraintcfg },
99         { NULL, 0, NULL }
100 };
101
102 static void
103 constraint_free( constraint *cp, int freeme )
104 {
105         if (cp->restrict_lud)
106                 ldap_free_urldesc(cp->restrict_lud);
107         if (!BER_BVISNULL(&cp->restrict_ndn))
108                 ch_free(cp->restrict_ndn.bv_val);
109         if (cp->restrict_filter != NULL && cp->restrict_filter != slap_filter_objectClass_pres)
110                 filter_free(cp->restrict_filter);
111         if (!BER_BVISNULL(&cp->restrict_val))
112                 ch_free(cp->restrict_val.bv_val);
113         if (cp->re) {
114                 regfree(cp->re);
115                 ch_free(cp->re);
116         }
117         if (!BER_BVISNULL(&cp->val))
118                 ch_free(cp->val.bv_val);
119         if (cp->lud)
120                 ldap_free_urldesc(cp->lud);
121         if (cp->attrs)
122                 ch_free(cp->attrs);
123         if (cp->ap)
124                 ch_free(cp->ap);
125         if (freeme)
126                 ch_free(cp);
127 }
128
129 static int
130 constraint_cf_gen( ConfigArgs *c )
131 {
132         slap_overinst *on = (slap_overinst *)(c->bi);
133         constraint *cn = on->on_bi.bi_private, *cp;
134         struct berval bv;
135         int i, rc = 0;
136         constraint ap = { NULL };
137         const char *text = NULL;
138         
139         switch ( c->op ) {
140         case SLAP_CONFIG_EMIT:
141                 switch (c->type) {
142                 case CONSTRAINT_ATTRIBUTE:
143                         for (cp=cn; cp; cp=cp->ap_next) {
144                                 char *s;
145                                 char *tstr = NULL;
146                                 int quotes = 0;
147                                 int j;
148
149                                 bv.bv_len = STRLENOF("  ");
150                                 for (j = 0; cp->ap[j]; j++) {
151                                         bv.bv_len += cp->ap[j]->ad_cname.bv_len;
152                                 }
153
154                                 /* room for commas */
155                                 bv.bv_len += j - 1;
156
157                                 if (cp->re) {
158                                         tstr = REGEX_STR;
159                                 } else if (cp->lud) {
160                                         tstr = URI_STR;
161                                         quotes = 1;
162                                 } else if (cp->set) {
163                                         tstr = SET_STR;
164                                         quotes = 1;
165                                 } else if (cp->size) {
166                                         tstr = SIZE_STR;
167                                 } else if (cp->count) {
168                                         tstr = COUNT_STR;
169                                 }
170
171                                 bv.bv_len += strlen(tstr);
172                                 bv.bv_len += cp->val.bv_len + 2*quotes;
173
174                                 if (cp->restrict_lud != NULL) {
175                                         bv.bv_len += cp->restrict_val.bv_len + STRLENOF(" restrict=\"\"");
176                                 }
177
178                                 s = bv.bv_val = ch_malloc(bv.bv_len + 1);
179
180                                 s = lutil_strncopy( s, cp->ap[0]->ad_cname.bv_val, cp->ap[0]->ad_cname.bv_len );
181                                 for (j = 1; cp->ap[j]; j++) {
182                                         *s++ = ',';
183                                         s = lutil_strncopy( s, cp->ap[j]->ad_cname.bv_val, cp->ap[j]->ad_cname.bv_len );
184                                 }
185                                 *s++ = ' ';
186                                 s = lutil_strcopy( s, tstr );
187                                 *s++ = ' ';
188                                 if ( quotes ) *s++ = '"';
189                                 s = lutil_strncopy( s, cp->val.bv_val, cp->val.bv_len );
190                                 if ( quotes ) *s++ = '"';
191                                 if (cp->restrict_lud != NULL) {
192                                         s = lutil_strcopy( s, " restrict=\"" );
193                                         s = lutil_strncopy( s, cp->restrict_val.bv_val, cp->restrict_val.bv_len );
194                                         *s++ = '"';
195                                 }
196                                 *s = '\0';
197
198                                 rc = value_add_one( &c->rvalue_vals, &bv );
199                                 if (rc == LDAP_SUCCESS)
200                                         rc = value_add_one( &c->rvalue_nvals, &bv );
201                                 ch_free(bv.bv_val);
202                                 if (rc) return rc;
203                         }
204                         break;
205                 default:
206                         abort();
207                         break;
208                 }
209                 break;
210         case LDAP_MOD_DELETE:
211                 switch (c->type) {
212                 case CONSTRAINT_ATTRIBUTE:
213                         if (!cn) break; /* nothing to do */
214                                         
215                         if (c->valx < 0) {
216                                 /* zap all constraints */
217                                 while (cn) {
218                                         cp = cn->ap_next;
219                                         constraint_free( cn, 1 );
220                                         cn = cp;
221                                 }
222                                                 
223                                 on->on_bi.bi_private = NULL;
224                         } else {
225                                 constraint **cpp;
226                                                 
227                                 /* zap constraint numbered 'valx' */
228                                 for(i=0, cp = cn, cpp = &cn;
229                                         (cp) && (i<c->valx);
230                                         i++, cpp = &cp->ap_next, cp = *cpp);
231
232                                 if (cp) {
233                                         /* zap cp, and join cpp to cp->ap_next */
234                                         *cpp = cp->ap_next;
235                                         constraint_free( cp, 1 );
236                                 }
237                                 on->on_bi.bi_private = cn;
238                         }
239                         break;
240
241                 default:
242                         abort();
243                         break;
244                 }
245                 break;
246         case SLAP_CONFIG_ADD:
247         case LDAP_MOD_ADD:
248                 switch (c->type) {
249                 case CONSTRAINT_ATTRIBUTE: {
250                         int j;
251                         char **attrs = ldap_str2charray( c->argv[1], "," );
252
253                         for ( j = 0; attrs[j]; j++)
254                                 /* just count */ ;
255                         ap.ap = ch_calloc( sizeof(AttributeDescription*), j + 1 );
256                         for ( j = 0; attrs[j]; j++) {
257                                 if ( slap_str2ad( attrs[j], &ap.ap[j], &text ) ) {
258                                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
259                                                 "%s <%s>: %s\n", c->argv[0], attrs[j], text );
260                                         rc = ARG_BAD_CONF;
261                                         goto done;
262                                 }
263                         }
264
265                         if ( strcasecmp( c->argv[2], REGEX_STR ) == 0) {
266                                 int err;
267                         
268                                 ap.re = ch_malloc( sizeof(regex_t) );
269                                 if ((err = regcomp( ap.re,
270                                         c->argv[3], REG_EXTENDED )) != 0) {
271                                         char errmsg[1024];
272                                                         
273                                         regerror( err, ap.re, errmsg, sizeof(errmsg) );
274                                         ch_free(ap.re);
275                                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
276                                                 "%s %s: Illegal regular expression \"%s\": Error %s",
277                                                 c->argv[0], c->argv[1], c->argv[3], errmsg);
278                                         ap.re = NULL;
279                                         rc = ARG_BAD_CONF;
280                                         goto done;
281                                 }
282                                 ber_str2bv( c->argv[3], 0, 1, &ap.val );
283                         } else if ( strcasecmp( c->argv[2], SIZE_STR ) == 0 ) {
284                                 size_t size;
285
286                                 if ( ( size = atoi(c->argv[3]) ) != 0 )
287                                         ap.size = size; 
288                         } else if ( strcasecmp( c->argv[2], COUNT_STR ) == 0 ) {
289                                 size_t count;
290
291                                 if ( ( count = atoi(c->argv[3]) ) != 0 )
292                                         ap.count = count;       
293                         } else if ( strcasecmp( c->argv[2], URI_STR ) == 0 ) {
294                                 int err;
295                         
296                                 err = ldap_url_parse(c->argv[3], &ap.lud);
297                                 if ( err != LDAP_URL_SUCCESS ) {
298                                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
299                                                 "%s %s: Invalid URI \"%s\"",
300                                                 c->argv[0], c->argv[1], c->argv[3]);
301                                         rc = ARG_BAD_CONF;
302                                         goto done;
303                                 }
304
305                                 if (ap.lud->lud_host != NULL) {
306                                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
307                                                 "%s %s: unsupported hostname in URI \"%s\"",
308                                                 c->argv[0], c->argv[1], c->argv[3]);
309                                         ldap_free_urldesc(ap.lud);
310                                         rc = ARG_BAD_CONF;
311                                         goto done;
312                                 }
313
314                                 for ( i=0; ap.lud->lud_attrs[i]; i++);
315                                 /* FIXME: This is worthless without at least one attr */
316                                 if ( i ) {
317                                         ap.attrs = ch_malloc( (i+1)*sizeof(AttributeDescription *));
318                                         for ( i=0; ap.lud->lud_attrs[i]; i++) {
319                                                 ap.attrs[i] = NULL;
320                                                 if ( slap_str2ad( ap.lud->lud_attrs[i], &ap.attrs[i], &text ) ) {
321                                                         ch_free( ap.attrs );
322                                                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
323                                                                 "%s <%s>: %s\n", c->argv[0], ap.lud->lud_attrs[i], text );
324                                                         rc = ARG_BAD_CONF;
325                                                         goto done;
326                                                 }
327                                         }
328                                         ap.attrs[i] = NULL;
329                                 }
330
331                                 if (ap.lud->lud_dn == NULL) {
332                                         ap.lud->lud_dn = ch_strdup("");
333                                 } else {
334                                         struct berval dn, ndn;
335
336                                         ber_str2bv( ap.lud->lud_dn, 0, 0, &dn );
337                                         if (dnNormalize( 0, NULL, NULL, &dn, &ndn, NULL ) ) {
338                                                 /* cleanup */
339                                                 snprintf( c->cr_msg, sizeof( c->cr_msg ),
340                                                         "%s %s: URI %s DN normalization failed",
341                                                         c->argv[0], c->argv[1], c->argv[3] );
342                                                 Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
343                                                            "%s: %s\n", c->log, c->cr_msg, 0 );
344                                                 rc = ARG_BAD_CONF;
345                                                 goto done;
346                                         }
347                                         ldap_memfree( ap.lud->lud_dn );
348                                         ap.lud->lud_dn = ndn.bv_val;
349                                 }
350
351                                 if (ap.lud->lud_filter == NULL) {
352                                         ap.lud->lud_filter = ch_strdup("objectClass=*");
353                                 } else if ( ap.lud->lud_filter[0] == '(' ) {
354                                         ber_len_t len = strlen( ap.lud->lud_filter );
355                                         if ( ap.lud->lud_filter[len - 1] != ')' ) {
356                                                 snprintf( c->cr_msg, sizeof( c->cr_msg ),
357                                                         "%s %s: invalid URI filter: %s",
358                                                         c->argv[0], c->argv[1], ap.lud->lud_filter );
359                                                 rc = ARG_BAD_CONF;
360                                                 goto done;
361                                         }
362                                         AC_MEMCPY( &ap.lud->lud_filter[0], &ap.lud->lud_filter[1], len - 2 );
363                                         ap.lud->lud_filter[len - 2] = '\0';
364                                 }
365
366                                 ber_str2bv( c->argv[3], 0, 1, &ap.val );
367
368                         } else if ( strcasecmp( c->argv[2], SET_STR ) == 0 ) {
369                                 ap.set = 1;
370                                 ber_str2bv( c->argv[3], 0, 1, &ap.val );
371
372                         } else {
373                                 snprintf( c->cr_msg, sizeof( c->cr_msg ),
374                                         "%s %s: Unknown constraint type: %s",
375                                         c->argv[0], c->argv[1], c->argv[2] );
376                                 rc = ARG_BAD_CONF;
377                                 goto done;
378                         }
379
380                         if ( c->argc > 4 ) {
381                                 int argidx;
382
383                                 for ( argidx = 4; argidx < c->argc; argidx++ ) {
384                                         if ( strncasecmp( c->argv[argidx], "restrict=", STRLENOF("restrict=") ) == 0 ) {
385                                                 int err;
386                                                 char *arg = c->argv[argidx] + STRLENOF("restrict=");
387
388                                                 err = ldap_url_parse(arg, &ap.restrict_lud);
389                                                 if ( err != LDAP_URL_SUCCESS ) {
390                                                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
391                                                                 "%s %s: Invalid restrict URI \"%s\"",
392                                                                 c->argv[0], c->argv[1], arg);
393                                                         rc = ARG_BAD_CONF;
394                                                         goto done;
395                                                 }
396
397                                                 if (ap.restrict_lud->lud_host != NULL) {
398                                                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
399                                                                 "%s %s: unsupported hostname in restrict URI \"%s\"",
400                                                                 c->argv[0], c->argv[1], arg);
401                                                         rc = ARG_BAD_CONF;
402                                                         goto done;
403                                                 }
404
405                                                 if ( ap.restrict_lud->lud_attrs != NULL ) {
406                                                         if ( ap.restrict_lud->lud_attrs[0] != '\0' ) {
407                                                                 snprintf( c->cr_msg, sizeof( c->cr_msg ),
408                                                                         "%s %s: attrs not allowed in restrict URI %s\n",
409                                                                         c->argv[0], c->argv[1], arg);
410                                                                 rc = ARG_BAD_CONF;
411                                                                 goto done;
412                                                         }
413                                                         ldap_memvfree((void *)ap.restrict_lud->lud_attrs);
414                                                         ap.restrict_lud->lud_attrs = NULL;
415                                                 }
416
417                                                 if (ap.restrict_lud->lud_dn != NULL) {
418                                                         if (ap.restrict_lud->lud_dn[0] == '\0') {
419                                                                 ldap_memfree(ap.restrict_lud->lud_dn);
420                                                                 ap.restrict_lud->lud_dn = NULL;
421
422                                                         } else {
423                                                                 struct berval dn, ndn;
424                                                                 int j;
425
426                                                                 ber_str2bv(ap.restrict_lud->lud_dn, 0, 0, &dn);
427                                                                 if (dnNormalize(0, NULL, NULL, &dn, &ndn, NULL)) {
428                                                                         /* cleanup */
429                                                                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
430                                                                                 "%s %s: restrict URI %s DN normalization failed",
431                                                                                 c->argv[0], c->argv[1], arg );
432                                                                         rc = ARG_BAD_CONF;
433                                                                         goto done;
434                                                                 }
435
436                                                                 assert(c->be != NULL);
437                                                                 if (c->be->be_nsuffix == NULL) {
438                                                                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
439                                                                                 "%s %s: restrict URI requires suffix",
440                                                                                 c->argv[0], c->argv[1] );
441                                                                         rc = ARG_BAD_CONF;
442                                                                         goto done;
443                                                                 }
444
445                                                                 for ( j = 0; !BER_BVISNULL(&c->be->be_nsuffix[j]); j++) {
446                                                                         if (dnIsSuffix(&ndn, &c->be->be_nsuffix[j])) break;
447                                                                 }
448
449                                                                 if (BER_BVISNULL(&c->be->be_nsuffix[j])) {
450                                                                         /* error */
451                                                                         snprintf( c->cr_msg, sizeof( c->cr_msg ),
452                                                                                 "%s %s: restrict URI DN %s not within database naming context(s)",
453                                                                                 c->argv[0], c->argv[1], dn.bv_val );
454                                                                         rc = ARG_BAD_CONF;
455                                                                         goto done;
456                                                                 }
457
458                                                                 ap.restrict_ndn = ndn;
459                                                         }
460                                                 }
461
462                                                 if (ap.restrict_lud->lud_filter != NULL) {
463                                                         ap.restrict_filter = str2filter(ap.restrict_lud->lud_filter);
464                                                         if (ap.restrict_filter == NULL) {
465                                                                 /* error */
466                                                                 snprintf( c->cr_msg, sizeof( c->cr_msg ),
467                                                                         "%s %s: restrict URI filter %s invalid",
468                                                                         c->argv[0], c->argv[1], ap.restrict_lud->lud_filter );
469                                                                 rc = ARG_BAD_CONF;
470                                                                 goto done;
471                                                         }
472                                                 }
473
474                                                 ber_str2bv(c->argv[argidx], 0, 1, &ap.restrict_val);
475
476                                         } else {
477                                                 /* cleanup */
478                                                 snprintf( c->cr_msg, sizeof( c->cr_msg ),
479                                                         "%s %s: unrecognized arg #%d (%s)",
480                                                         c->argv[0], c->argv[1], argidx, c->argv[argidx] );
481                                                 rc = ARG_BAD_CONF;
482                                                 goto done;
483                                         }
484                                 }
485                         }
486
487 done:;
488                         if ( rc == LDAP_SUCCESS ) {
489                                 constraint *a2 = ch_calloc( sizeof(constraint), 1 );
490                                 a2->ap_next = on->on_bi.bi_private;
491                                 a2->ap = ap.ap;
492                                 a2->re = ap.re;
493                                 a2->val = ap.val;
494                                 a2->lud = ap.lud;
495                                 a2->set = ap.set;
496                                 a2->size = ap.size;
497                                 a2->count = ap.count;
498                                 if ( a2->lud ) {
499                                         ber_str2bv(a2->lud->lud_dn, 0, 0, &a2->dn);
500                                         ber_str2bv(a2->lud->lud_filter, 0, 0, &a2->filter);
501                                 }
502                                 a2->attrs = ap.attrs;
503                                 a2->restrict_lud = ap.restrict_lud;
504                                 a2->restrict_ndn = ap.restrict_ndn;
505                                 a2->restrict_filter = ap.restrict_filter;
506                                 a2->restrict_val = ap.restrict_val;
507                                 on->on_bi.bi_private = a2;
508
509                         } else {
510                                 Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE,
511                                            "%s: %s\n", c->log, c->cr_msg, 0 );
512                                 constraint_free( &ap, 0 );
513                         }
514
515                         ldap_memvfree((void**)attrs);
516                         } break;
517                 default:
518                         abort();
519                         break;
520                 }
521                 break;
522         default:
523                 abort();
524         }
525
526         return rc;
527 }
528
529 static int
530 constraint_uri_cb( Operation *op, SlapReply *rs ) 
531 {
532         if(rs->sr_type == REP_SEARCH) {
533                 int *foundp = op->o_callback->sc_private;
534
535                 *foundp = 1;
536
537                 Debug(LDAP_DEBUG_TRACE, "==> constraint_uri_cb <%s>\n",
538                         rs->sr_entry ? rs->sr_entry->e_name.bv_val : "UNKNOWN_DN", 0, 0);
539         }
540         return 0;
541 }
542
543 static int
544 constraint_violation( constraint *c, struct berval *bv, Operation *op, SlapReply *rs)
545 {
546         if ((!c) || (!bv)) return LDAP_SUCCESS;
547         
548         if ((c->re) &&
549                 (regexec(c->re, bv->bv_val, 0, NULL, 0) == REG_NOMATCH))
550                 return LDAP_CONSTRAINT_VIOLATION; /* regular expression violation */
551
552         if ((c->size) && (bv->bv_len > c->size))
553                 return LDAP_CONSTRAINT_VIOLATION; /* size violation */
554
555         if (c->lud) {
556                 Operation nop = *op;
557                 slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
558                 slap_callback cb;
559                 SlapReply nrs = { REP_RESULT };
560                 int i;
561                 int found;
562                 int rc;
563                 size_t len;
564                 struct berval filterstr;
565                 char *ptr;
566
567                 found = 0;
568
569                 nrs.sr_entry = NULL;
570                 nrs.sr_nentries = 0;
571
572                 cb.sc_next = NULL;
573                 cb.sc_response = constraint_uri_cb;
574                 cb.sc_cleanup = NULL;
575                 cb.sc_private = &found;
576
577                 nop.o_protocol = LDAP_VERSION3;
578                 nop.o_tag = LDAP_REQ_SEARCH;
579                 nop.o_time = slap_get_time();
580                 if (c->lud->lud_dn) {
581                         struct berval dn;
582
583                         ber_str2bv(c->lud->lud_dn, 0, 0, &dn);
584                         nop.o_req_dn = dn;
585                         nop.o_req_ndn = dn;
586                         nop.o_bd = select_backend(&nop.o_req_ndn, 1 );
587                         if (!nop.o_bd) {
588                                 return LDAP_NO_SUCH_OBJECT; /* unexpected error */
589                         }
590                         if (!nop.o_bd->be_search) {
591                                 return LDAP_OTHER; /* unexpected error */
592                         }
593                 } else {
594                         nop.o_req_dn = nop.o_bd->be_nsuffix[0];
595                         nop.o_req_ndn = nop.o_bd->be_nsuffix[0];
596                         nop.o_bd = on->on_info->oi_origdb;
597                 }
598                 nop.o_do_not_cache = 1;
599                 nop.o_callback = &cb;
600
601                 nop.ors_scope = c->lud->lud_scope;
602                 nop.ors_deref = LDAP_DEREF_NEVER;
603                 nop.ors_slimit = SLAP_NO_LIMIT;
604                 nop.ors_tlimit = SLAP_NO_LIMIT;
605                 nop.ors_limit = NULL;
606
607                 nop.ors_attrsonly = 0;
608                 nop.ors_attrs = slap_anlist_no_attrs;
609
610                 len = STRLENOF("(&(") + 
611                           c->filter.bv_len +
612                           STRLENOF(")(|");
613
614                 for (i = 0; c->attrs[i]; i++) {
615                         len += STRLENOF("(") +
616                                    c->attrs[i]->ad_cname.bv_len +
617                                    STRLENOF("=") + 
618                                    bv->bv_len +
619                                    STRLENOF(")");
620                 }
621
622                 len += STRLENOF("))");
623                 filterstr.bv_len = len;
624                 filterstr.bv_val = op->o_tmpalloc(len + 1, op->o_tmpmemctx);
625
626                 ptr = filterstr.bv_val +
627                         snprintf(filterstr.bv_val, len, "(&(%s)(|", c->lud->lud_filter);
628                 for (i = 0; c->attrs[i]; i++) {
629                         *ptr++ = '(';
630                         ptr = lutil_strcopy( ptr, c->attrs[i]->ad_cname.bv_val );
631                         *ptr++ = '=';
632                         ptr = lutil_strcopy( ptr, bv->bv_val );
633                         *ptr++ = ')';
634                 }
635                 *ptr++ = ')';
636                 *ptr++ = ')';
637                 *ptr++ = '\0';
638
639                 nop.ors_filterstr = filterstr;
640                 nop.ors_filter = str2filter_x(&nop, filterstr.bv_val);
641                 if ( nop.ors_filter == NULL ) {
642                         Debug( LDAP_DEBUG_ANY,
643                                 "%s constraint_violation uri filter=\"%s\" invalid\n",
644                                 op->o_log_prefix, filterstr.bv_val, 0 );
645
646                 } else {
647                         Debug(LDAP_DEBUG_TRACE, 
648                                 "==> constraint_violation uri filter = %s\n",
649                                 filterstr.bv_val, 0, 0);
650
651                         rc = nop.o_bd->be_search( &nop, &nrs );
652                 
653                         Debug(LDAP_DEBUG_TRACE, 
654                                 "==> constraint_violation uri rc = %d, found = %d\n",
655                                 rc, found, 0);
656                 }
657                 op->o_tmpfree(filterstr.bv_val, op->o_tmpmemctx);
658
659                 if((rc != LDAP_SUCCESS) && (rc != LDAP_NO_SUCH_OBJECT)) {
660                         return rc; /* unexpected error */
661                 }
662
663                 if (!found)
664                         return LDAP_CONSTRAINT_VIOLATION; /* constraint violation */
665                         
666         }
667
668         return LDAP_SUCCESS;
669 }
670
671 static char *
672 print_message( struct berval *errtext, AttributeDescription *a )
673 {
674         char *ret;
675         int sz;
676         
677         sz = errtext->bv_len + sizeof(" on ") + a->ad_cname.bv_len;
678         ret = ch_malloc(sz);
679         snprintf( ret, sz, "%s on %s", errtext->bv_val, a->ad_cname.bv_val );
680         return ret;
681 }
682
683 static unsigned
684 constraint_count_attr(Entry *e, AttributeDescription *ad)
685 {
686         struct Attribute *a;
687
688         if ((a = attr_find(e->e_attrs, ad)) != NULL)
689                 return a->a_numvals;
690         return 0;
691 }
692
693 static int
694 constraint_check_restrict( Operation *op, constraint *c, Entry *e )
695 {
696         assert( c->restrict_lud != NULL );
697
698         if ( c->restrict_lud->lud_dn != NULL ) {
699                 int diff = e->e_nname.bv_len - c->restrict_ndn.bv_len;
700
701                 if ( diff < 0 ) {
702                         return 0;
703                 }
704
705                 if ( c->restrict_lud->lud_scope == LDAP_SCOPE_BASE ) {
706                         return bvmatch( &e->e_nname, &c->restrict_ndn );
707                 }
708
709                 if ( !dnIsSuffix( &e->e_nname, &c->restrict_ndn ) ) {
710                         return 0;
711                 }
712
713                 if ( c->restrict_lud->lud_scope != LDAP_SCOPE_SUBTREE ) {
714                         struct berval pdn;
715
716                         if ( diff == 0 ) {
717                                 return 0;
718                         }
719
720                         dnParent( &e->e_nname, &pdn );
721
722                         if ( c->restrict_lud->lud_scope == LDAP_SCOPE_ONELEVEL
723                                 && pdn.bv_len != c->restrict_ndn.bv_len )
724                         {
725                                 return 0;
726                         }
727                 }
728         }
729
730         if ( c->restrict_filter != NULL ) {
731                 int rc;
732                 struct berval save_dn = op->o_dn, save_ndn = op->o_ndn;
733
734                 op->o_dn = op->o_bd->be_rootdn;
735                 op->o_ndn = op->o_bd->be_rootndn;
736                 rc = test_filter( op, e, c->restrict_filter );
737                 op->o_dn = save_dn;
738                 op->o_ndn = save_ndn;
739
740                 if ( rc != LDAP_COMPARE_TRUE ) {
741                         return 0;
742                 }
743         }
744
745         return 1;
746 }
747
748 static int
749 constraint_add( Operation *op, SlapReply *rs )
750 {
751         slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
752         Attribute *a;
753         constraint *c = on->on_bi.bi_private, *cp;
754         BerVarray b = NULL;
755         int i;
756         struct berval rsv = BER_BVC("add breaks constraint");
757         int rc;
758         char *msg = NULL;
759
760         if (get_relax(op)) {
761                 return SLAP_CB_CONTINUE;
762         }
763
764         if ((a = op->ora_e->e_attrs) == NULL) {
765                 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
766                 send_ldap_error(op, rs, LDAP_INVALID_SYNTAX,
767                         "constraint_add: no attrs");
768                 return(rs->sr_err);
769         }
770
771         for(; a; a = a->a_next ) {
772                 /* we don't constrain operational attributes */
773                 if (is_at_operational(a->a_desc->ad_type)) continue;
774
775                 for(cp = c; cp; cp = cp->ap_next) {
776                         int j;
777                         for (j = 0; cp->ap[j]; j++) {
778                                 if (cp->ap[j] == a->a_desc) break;
779                         }
780                         if (cp->ap[j] == NULL) continue;
781                         if ((b = a->a_vals) == NULL) continue;
782
783                         if (cp->restrict_lud != NULL && constraint_check_restrict(op, cp, op->ora_e) == 0) {
784                                 continue;
785                         }
786
787                         Debug(LDAP_DEBUG_TRACE, 
788                                 "==> constraint_add, "
789                                 "a->a_numvals = %d, cp->count = %d\n",
790                                 a->a_numvals, cp->count, 0);
791
792                         if ((cp->count != 0) && (a->a_numvals > cp->count)) {
793                                 rc = LDAP_CONSTRAINT_VIOLATION;
794                                 goto add_violation;
795                         }
796
797                         for ( i = 0; b[i].bv_val; i++ ) {
798                                 rc = constraint_violation( cp, &b[i], op, rs );
799                                 if ( rc ) {
800                                         goto add_violation;
801                                 }
802                         }
803
804                         if (cp->set && acl_match_set(&cp->val, op, op->ora_e, NULL) == 0) {
805                                 rc = LDAP_CONSTRAINT_VIOLATION;
806                                 goto add_violation; /* constraint violation */
807                         }
808
809                 }
810         }
811
812         /* Default is to just fall through to the normal processing */
813         return SLAP_CB_CONTINUE;
814
815 add_violation:
816         op->o_bd->bd_info = (BackendInfo *)(on->on_info);
817         if (rc == LDAP_CONSTRAINT_VIOLATION ) {
818                 msg = print_message( &rsv, a->a_desc );
819         }
820         send_ldap_error(op, rs, rc, msg );
821         ch_free(msg);
822         return (rs->sr_err);
823 }
824
825
826 static int
827 constraint_update( Operation *op, SlapReply *rs )
828 {
829         slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
830         Backend *be = op->o_bd;
831         constraint *c = on->on_bi.bi_private, *cp;
832         Entry *target_entry = NULL, *target_entry_copy = NULL;
833         Modifications *modlist, *m;
834         BerVarray b = NULL;
835         int i;
836         struct berval rsv = BER_BVC("modify breaks constraint");
837         int rc;
838         char *msg = NULL;
839
840         if (get_relax(op)) {
841                 return SLAP_CB_CONTINUE;
842         }
843
844         switch ( op->o_tag ) {
845         case LDAP_REQ_MODIFY:
846                 modlist = op->orm_modlist;
847                 break;
848
849         case LDAP_REQ_MODRDN:
850                 modlist = op->orr_modlist;
851                 break;
852
853         default:
854                 /* impossible! assert? */
855                 return LDAP_OTHER;
856         }
857         
858         Debug( LDAP_DEBUG_CONFIG|LDAP_DEBUG_NONE, "constraint_update()\n", 0,0,0);
859         if ((m = modlist) == NULL) {
860                 op->o_bd->bd_info = (BackendInfo *)(on->on_info);
861                 send_ldap_error(op, rs, LDAP_INVALID_SYNTAX,
862                                                 "constraint_update() got null modlist");
863                 return(rs->sr_err);
864         }
865
866         /* Do we need to count attributes? */
867         for(cp = c; cp; cp = cp->ap_next) {
868                 if (cp->count != 0 || cp->set || cp->restrict_lud != 0) {
869                         op->o_bd = on->on_info->oi_origdb;
870                         rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &target_entry );
871                         op->o_bd = be;
872
873                         if (rc != 0 || target_entry == NULL) {
874                                 Debug(LDAP_DEBUG_TRACE, 
875                                         "==> constraint_update rc = %d DN=\"%s\"%s\n",
876                                         rc, op->o_req_ndn.bv_val,
877                                         target_entry ? "" : " not found" );
878                                 if ( rc == 0 ) 
879                                         rc = LDAP_CONSTRAINT_VIOLATION;
880                                 goto mod_violation;
881                         }
882                         break;
883                 }
884         }
885
886         rc = LDAP_CONSTRAINT_VIOLATION;
887         for(;m; m = m->sml_next) {
888                 int ce = 0;
889
890                 if (is_at_operational( m->sml_desc->ad_type )) continue;
891
892                 if ((( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_ADD) &&
893                         (( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_REPLACE) &&
894                         (( m->sml_op & LDAP_MOD_OP ) != LDAP_MOD_DELETE))
895                         continue;
896                 /* we only care about ADD and REPLACE modifications */
897                 /* and DELETE are used to track attribute count */
898                 if ((( b = m->sml_values ) == NULL ) || (b[0].bv_val == NULL))
899                         continue;
900
901                 /* Get this attribute count, if needed */
902                 if (target_entry)
903                         ce = constraint_count_attr(target_entry, m->sml_desc);
904
905                 for(cp = c; cp; cp = cp->ap_next) {
906                         int j;
907                         for (j = 0; cp->ap[j]; j++) {
908                                 if (cp->ap[j] == m->sml_desc) {
909                                         break;
910                                 }
911                         }
912                         if (cp->ap[j] == NULL) continue;
913
914                         if (cp->restrict_lud != NULL && constraint_check_restrict(op, cp, target_entry) == 0) {
915                                 continue;
916                         }
917
918                         if (cp->count != 0) {
919                                 int ca;
920
921                                 if (m->sml_op == LDAP_MOD_DELETE)
922                                         ce = 0;
923
924                                 for (ca = 0; b[ca].bv_val; ++ca);
925
926                                 Debug(LDAP_DEBUG_TRACE, 
927                                         "==> constraint_update ce = %d, "
928                                         "ca = %d, cp->count = %d\n",
929                                         ce, ca, cp->count);
930
931                                 if (m->sml_op == LDAP_MOD_ADD) {
932                                         if (ca + ce > cp->count) {
933                                                 rc = LDAP_CONSTRAINT_VIOLATION;
934                                                 goto mod_violation;
935                                         }
936                                 }
937                                 if (m->sml_op == LDAP_MOD_REPLACE) {
938                                         if (ca > cp->count) {
939                                                 rc = LDAP_CONSTRAINT_VIOLATION;
940                                                 goto mod_violation;
941                                         }
942                                         ce = ca;
943                                 }
944                         } 
945
946                         /* DELETE are to be ignored beyond this point */
947                         if (( m->sml_op & LDAP_MOD_OP ) == LDAP_MOD_DELETE)
948                                 continue;
949
950                         for ( i = 0; b[i].bv_val; i++ ) {
951                                 rc = constraint_violation( cp, &b[i], op, rs );
952                                 if ( rc ) {
953                                         goto mod_violation;
954                                 }
955                         }
956
957                         if (cp->set && target_entry) {
958                                 if (target_entry_copy == NULL) {
959                                         Modifications *ml;
960
961                                         target_entry_copy = entry_dup(target_entry);
962
963                                         /* if rename, set the new entry's name
964                                          * (in normalized form only) */
965                                         if ( op->o_tag == LDAP_REQ_MODRDN ) {
966                                                 struct berval pdn, ndn = BER_BVNULL;
967
968                                                 if ( op->orr_nnewSup ) {
969                                                         pdn = *op->orr_nnewSup;
970
971                                                 } else {
972                                                         dnParent( &target_entry_copy->e_nname, &pdn );
973                                                 }
974
975                                                 build_new_dn( &ndn, &pdn, &op->orr_nnewrdn, NULL ); 
976
977                                                 ber_memfree( target_entry_copy->e_nname.bv_val );
978                                                 target_entry_copy->e_nname = ndn;
979                                                 ber_bvreplace( &target_entry_copy->e_name, &ndn );
980                                         }
981
982                                         /* apply modifications, in an attempt
983                                          * to estimate what the entry would
984                                          * look like in case all modifications
985                                          * pass */
986                                         for ( ml = modlist; ml; ml = ml->sml_next ) {
987                                                 Modification *mod = &ml->sml_mod;
988                                                 const char *text;
989                                                 char textbuf[SLAP_TEXT_BUFLEN];
990                                                 size_t textlen = sizeof(textbuf);
991                                                 int err;
992
993                                                 switch ( mod->sm_op ) {
994                                                 case LDAP_MOD_ADD:
995                                                         err = modify_add_values( target_entry_copy,
996                                                                 mod, get_permissiveModify(op),
997                                                                 &text, textbuf, textlen );
998                                                         break;
999
1000                                                 case LDAP_MOD_DELETE:
1001                                                         err = modify_delete_values( target_entry_copy,
1002                                                                 mod, get_permissiveModify(op),
1003                                                                 &text, textbuf, textlen );
1004                                                         break;
1005
1006                                                 case LDAP_MOD_REPLACE:
1007                                                         err = modify_replace_values( target_entry_copy,
1008                                                                 mod, get_permissiveModify(op),
1009                                                                 &text, textbuf, textlen );
1010                                                         break;
1011
1012                                                 case LDAP_MOD_INCREMENT:
1013                                                         err = modify_increment_values( target_entry_copy,
1014                                                                 mod, get_permissiveModify(op),
1015                                                                 &text, textbuf, textlen );
1016                                                         break;
1017
1018                                                 case SLAP_MOD_SOFTADD:
1019                                                         mod->sm_op = LDAP_MOD_ADD;
1020                                                         err = modify_add_values( target_entry_copy,
1021                                                                 mod, get_permissiveModify(op),
1022                                                                 &text, textbuf, textlen );
1023                                                         mod->sm_op = SLAP_MOD_SOFTADD;
1024                                                         if ( err == LDAP_TYPE_OR_VALUE_EXISTS ) {
1025                                                                 err = LDAP_SUCCESS;
1026                                                         }
1027                                                         break;
1028
1029                                                 default:
1030                                                         err = LDAP_OTHER;
1031                                                         break;
1032                                                 }
1033
1034                                                 if ( err != LDAP_SUCCESS ) {
1035                                                         rc = err;
1036                                                         goto mod_violation;
1037                                                 }
1038                                         }
1039                                 }
1040
1041                                 if ( acl_match_set(&cp->val, op, target_entry_copy, NULL) == 0) {
1042                                         rc = LDAP_CONSTRAINT_VIOLATION;
1043                                         goto mod_violation;
1044                                 }
1045                         }
1046                 }
1047         }
1048
1049         if (target_entry) {
1050                 op->o_bd = on->on_info->oi_origdb;
1051                 be_entry_release_r(op, target_entry);
1052                 op->o_bd = be;
1053         }
1054
1055         if (target_entry_copy) {
1056                 entry_free(target_entry_copy);
1057         }
1058
1059         return SLAP_CB_CONTINUE;
1060
1061 mod_violation:
1062         /* violation */
1063         if (target_entry) {
1064                 op->o_bd = on->on_info->oi_origdb;
1065                 be_entry_release_r(op, target_entry);
1066                 op->o_bd = be;
1067         }
1068
1069         if (target_entry_copy) {
1070                 entry_free(target_entry_copy);
1071         }
1072
1073         op->o_bd->bd_info = (BackendInfo *)(on->on_info);
1074         if ( rc == LDAP_CONSTRAINT_VIOLATION ) {
1075                 msg = print_message( &rsv, m->sml_desc );
1076         }
1077         send_ldap_error( op, rs, LDAP_CONSTRAINT_VIOLATION, msg );
1078         ch_free(msg);
1079         return (rs->sr_err);
1080 }
1081
1082 static int
1083 constraint_close(
1084         BackendDB *be,
1085         ConfigReply *cr )
1086 {
1087         slap_overinst *on = (slap_overinst *) be->bd_info;
1088         constraint *ap, *a2;
1089
1090         for ( ap = on->on_bi.bi_private; ap; ap = a2 ) {
1091                 a2 = ap->ap_next;
1092                 constraint_free( ap, 1 );
1093         }
1094
1095         return 0;
1096 }
1097
1098 static slap_overinst constraint_ovl;
1099
1100 #if SLAPD_OVER_CONSTRAINT == SLAPD_MOD_DYNAMIC
1101 static
1102 #endif
1103 int
1104 constraint_initialize( void ) {
1105         int rc;
1106
1107         constraint_ovl.on_bi.bi_type = "constraint";
1108         constraint_ovl.on_bi.bi_db_close = constraint_close;
1109         constraint_ovl.on_bi.bi_op_add = constraint_add;
1110         constraint_ovl.on_bi.bi_op_modify = constraint_update;
1111         constraint_ovl.on_bi.bi_op_modrdn = constraint_update;
1112
1113         constraint_ovl.on_bi.bi_private = NULL;
1114         
1115         constraint_ovl.on_bi.bi_cf_ocs = constraintocs;
1116         rc = config_register_schema( constraintcfg, constraintocs );
1117         if (rc) return rc;
1118         
1119         return overlay_register( &constraint_ovl );
1120 }
1121
1122 #if SLAPD_OVER_CONSTRAINT == SLAPD_MOD_DYNAMIC
1123 int init_module(int argc, char *argv[]) {
1124         return constraint_initialize();
1125 }
1126 #endif
1127
1128 #endif /* defined(SLAPD_OVER_CONSTRAINT) */
1129