X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Ffilterentry.c;h=82cd8cd327609843b92086015f996087657a0c5b;hb=69343add5ac17c2300e256c85acf3279298a0fbe;hp=34bc6f1b773ec4cabced71ab806a8a8e7ed9d6be;hpb=c02f448a160332407f32f06816d3f6aa397a44fb;p=openldap
diff --git a/servers/slapd/filterentry.c b/servers/slapd/filterentry.c
index 34bc6f1b77..82cd8cd327 100644
--- a/servers/slapd/filterentry.c
+++ b/servers/slapd/filterentry.c
@@ -56,8 +56,7 @@ test_filter(
 int rc;
 #ifdef NEW_LOGGING
- LDAP_LOG(( "filter", LDAP_LEVEL_ENTRY,
- "test_filter: begin\n" ));
+ LDAP_LOG( FILTER, ENTRY, "test_filter: begin\n", 0, 0, 0 );
 #else
 Debug( LDAP_DEBUG_FILTER, "=> test_filter\n", 0, 0, 0 );
 #endif
@@ -66,13 +65,12 @@ test_filter(
 switch ( f->f_choice ) {
 case SLAPD_FILTER_COMPUTED:
 #ifdef NEW_LOGGING
- LDAP_LOG(( "filter", LDAP_LEVEL_DETAIL1,
- "test_filter: COMPUTED %s (%d)\n",
- f->f_result == LDAP_COMPARE_FALSE ? "false" :
- f->f_result == LDAP_COMPARE_TRUE ? "true" :
- f->f_result == SLAPD_COMPARE_UNDEFINED ? "undefined" :
- "error",
- f->f_result ));
+ LDAP_LOG( FILTER, DETAIL1,
+ "test_filter: COMPUTED %s (%d)\n",
+ f->f_result == LDAP_COMPARE_FALSE ? "false" :
+ f->f_result == LDAP_COMPARE_TRUE ? "true" :
+ f->f_result == SLAPD_COMPARE_UNDEFINED ? "undefined" :
+ "error", f->f_result, 0 );
 #else
 Debug( LDAP_DEBUG_FILTER, " COMPUTED %s (%d)\n",
 f->f_result == LDAP_COMPARE_FALSE ? "false" :
@@ -86,8 +84,7 @@ test_filter(
 case LDAP_FILTER_EQUALITY:
 #ifdef NEW_LOGGING
- LDAP_LOG(( "filter", LDAP_LEVEL_DETAIL1,
- "test_filter: EQUALITY\n" ));
+ LDAP_LOG( FILTER, DETAIL1, "test_filter: EQUALITY\n", 0, 0, 0 );
 #else
 Debug( LDAP_DEBUG_FILTER, " EQUALITY\n", 0, 0, 0 );
 #endif
@@ -98,8 +95,7 @@ test_filter(
 case LDAP_FILTER_SUBSTRINGS:
 #ifdef NEW_LOGGING
- LDAP_LOG(( "filter", LDAP_LEVEL_DETAIL1,
- "test_filter SUBSTRINGS\n" ));
+ LDAP_LOG( FILTER, DETAIL1, "test_filter SUBSTRINGS\n", 0, 0, 0 );
 #else
 Debug( LDAP_DEBUG_FILTER, " SUBSTRINGS\n", 0, 0, 0 );
 #endif
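Review bot: The converted SUBSTRINGS message reads `"test_filter SUBSTRINGS\n"` without the colon that every other message in this function carries, so a log search for `test_filter:` skips it; `LDAP_LOG( FILTER, DETAIL1, "test_filter: SUBSTRINGS\n", 0, 0, 0 );` would keep the prefix uniform. The omission is carried over from the old call rather than introduced by this commit.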
@@ -119,8 +115,7 @@ test_filter(
 case LDAP_FILTER_PRESENT:
 #ifdef NEW_LOGGING
- LDAP_LOG(( "filter", LDAP_LEVEL_DETAIL1,
- "test_filter: PRESENT\n" ));
+ LDAP_LOG( FILTER, DETAIL1, "test_filter: PRESENT\n", 0, 0, 0 );
 #else
 Debug( LDAP_DEBUG_FILTER, " PRESENT\n", 0, 0, 0 );
 #endif
@@ -130,8 +125,7 @@ test_filter(
 case LDAP_FILTER_APPROX:
 #ifdef NEW_LOGGING
- LDAP_LOG(( "filter", LDAP_LEVEL_DETAIL1,
- "test_filter: APPROX\n" ));
+ LDAP_LOG( FILTER, DETAIL1, "test_filter: APPROX\n", 0, 0, 0 );
 #else
 Debug( LDAP_DEBUG_FILTER, " APPROX\n", 0, 0, 0 );
 #endif
@@ -141,8 +135,7 @@ test_filter(
 case LDAP_FILTER_AND:
 #ifdef NEW_LOGGING
- LDAP_LOG(( "filter", LDAP_LEVEL_DETAIL1,
- "test_filter: AND\n" ));
+ LDAP_LOG( FILTER, DETAIL1, "test_filter: AND\n", 0, 0, 0 );
 #else
 Debug( LDAP_DEBUG_FILTER, " AND\n", 0, 0, 0 );
 #endif
@@ -152,8 +145,7 @@ test_filter(
 case LDAP_FILTER_OR:
 #ifdef NEW_LOGGING
- LDAP_LOG(( "filter", LDAP_LEVEL_DETAIL1,
- "test_filter: OR\n" ));
+ LDAP_LOG( FILTER, DETAIL1, "test_filter: OR\n", 0, 0, 0 );
 #else
 Debug( LDAP_DEBUG_FILTER, " OR\n", 0, 0, 0 );
 #endif
@@ -163,8 +155,7 @@ test_filter(
 case LDAP_FILTER_NOT:
 #ifdef NEW_LOGGING
- LDAP_LOG(( "filter", LDAP_LEVEL_DETAIL1,
- "test_filter: NOT\n" ));
+ LDAP_LOG( FILTER, DETAIL1, "test_filter: NOT\n", 0, 0, 0 );
 #else
 Debug( LDAP_DEBUG_FILTER, " NOT\n", 0, 0, 0 );
 #endif
@@ -186,8 +177,7 @@ test_filter(
 case LDAP_FILTER_EXT:
 #ifdef NEW_LOGGING
- LDAP_LOG(( "filter", LDAP_LEVEL_DETAIL1,
- "test_filter: EXT\n" ));
+ LDAP_LOG( FILTER, DETAIL1, "test_filter: EXT\n", 0, 0, 0 );
 #else
 Debug( LDAP_DEBUG_FILTER, " EXT\n", 0, 0, 0 );
 #endif
@@ -197,9 +187,8 @@ test_filter(
 default:
 #ifdef NEW_LOGGING
- LDAP_LOG(( "filter", LDAP_LEVEL_INFO,
- "test_filter: unknown filter type %lu\n",
- f->f_choice ));
+ LDAP_LOG( FILTER, INFO,
+ "test_filter: unknown filter type %lu\n", f->f_choice, 0, 0 );
 #else
 Debug( LDAP_DEBUG_ANY, " unknown filter type %lu\n",
 f->f_choice, 0, 0 );
@@ -209,8 +198,7 @@ test_filter(
 }
 #ifdef NEW_LOGGING
- LDAP_LOG(( "filter", LDAP_LEVEL_ENTRY,
- "test_filter: return=%d\n", rc ));
+ LDAP_LOG( FILTER, RESULTS, "test_filter: return=%d\n", rc, 0, 0 );
 #else
 Debug( LDAP_DEBUG_FILTER, "<= test_filter %d\n", rc, 0, 0 );
 #endif
@@ -227,51 +215,159 @@ static int test_mra_filter(
 {
 Attribute *a;
- if( mra->ma_desc == NULL || mra->ma_dnattrs ) {
- return LDAP_INAPPROPRIATE_MATCHING;
- }
+ if ( mra->ma_desc ) {
+ /*
+ * if ma_desc is available, then we're filtering for
+ * one attribute, and SEARCH permissions can be checked
+ * directly.
+ */
+ if( !access_allowed( be, conn, op, e,
+ mra->ma_desc, &mra->ma_value, ACL_SEARCH, NULL ) )
+ {
+ return LDAP_INSUFFICIENT_ACCESS;
+ }
- if( !access_allowed( be, conn, op, e,
- mra->ma_desc, &mra->ma_value, ACL_SEARCH, NULL ) )
- {
- return LDAP_INSUFFICIENT_ACCESS;
- }
+ for(a = attrs_find( e->e_attrs, mra->ma_desc );
+ a != NULL;
+ a = attrs_find( a->a_next, mra->ma_desc ) )
+ {
+ struct berval *bv;
+ for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) {
+ int ret;
+ int rc;
+ const char *text;
+
+ rc = value_match( &ret, a->a_desc, mra->ma_rule,
+ SLAP_MR_ASSERTION_SYNTAX_MATCH,
+ bv, &mra->ma_value, &text );
+
+ if( rc != LDAP_SUCCESS ) {
+ return rc;
+ }
+
+ if ( ret == 0 ) {
+ return LDAP_COMPARE_TRUE;
+ }
+ }
+ }
+ } else {
- if( mra->ma_rule == NULL ) {
- mra->ma_rule = mra->ma_desc->ad_type->sat_equality;
- }
+ /*
+ * No attribute description: test all
+ */
+ for ( a = e->e_attrs; a != NULL; a = a->a_next ) {
+ struct berval *bv, value;
+ const char *text = NULL;
+ int rc;
+
+ /* check if matching is appropriate */
+ if ( !mr_usable_with_at( mra->ma_rule, a->a_desc->ad_type )) {
+ continue;
+ }
- if( mra->ma_rule == NULL ) {
- return LDAP_INAPPROPRIATE_MATCHING;
- }
+ /* normalize for equality */
+ rc = value_validate_normalize( a->a_desc,
+ SLAP_MR_EQUALITY,
+ &mra->ma_value, &value, &text );
+ if ( rc != LDAP_SUCCESS ) {
+ continue;
+ }
- if( strcmp(mra->ma_rule->smr_syntax->ssyn_oid,
- mra->ma_desc->ad_type->sat_syntax->ssyn_oid) != 0)
- {
- return LDAP_INVALID_SYNTAX;
+ /* check search access */
+ if ( !access_allowed( be, conn, op, e,
+ a->a_desc, &value, ACL_SEARCH, NULL ) ) {
+ continue;
+ }
+
+ /* check match */
+ for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) {
+ int ret;
+ int rc;
+
+ rc = value_match( &ret, a->a_desc, mra->ma_rule,
+ SLAP_MR_ASSERTION_SYNTAX_MATCH,
+ bv, &value, &text );
+
+ if( rc != LDAP_SUCCESS ) {
+ return rc;
+ }
+
+ if ( ret == 0 ) {
+ return LDAP_COMPARE_TRUE;
+ }
+ }
+ }
 }
- for(a = attrs_find( e->e_attrs, mra->ma_desc );
- a != NULL;
- a = attrs_find( a->a_next, mra->ma_desc ) )
- {
- struct berval *bv;
- for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) {
- int ret;
- int rc;
- const char *text;
+ /* check attrs in DN AVAs if required */
+ if ( mra->ma_dnattrs ) {
+ LDAPDN *dn = NULL;
+ int iRDN, iAVA;
+ int rc;
- rc = value_match( &ret, a->a_desc, mra->ma_rule,
- SLAP_MR_ASSERTION_SYNTAX_MATCH,
- bv, &mra->ma_value,
- &text );
+ /* parse and pretty the dn */
+ rc = dnPrettyDN( NULL, &e->e_name, &dn );
+ if ( rc != LDAP_SUCCESS ) {
+ return LDAP_INVALID_SYNTAX;
+ }
- if( rc != LDAP_SUCCESS ) {
- return rc;
- }
+ /* for each AVA of each RDN ... */
+ for ( iRDN = 0; dn[ 0 ][ iRDN ]; iRDN++ ) {
+ LDAPRDN *rdn = dn[ 0 ][ iRDN ];
+
+ for ( iAVA = 0; rdn[ 0 ][ iAVA ]; iAVA++ ) {
+ LDAPAVA *ava = rdn[ 0 ][ iAVA ];
+ struct berval *bv = &ava->la_value, value;
+ AttributeDescription *ad = (AttributeDescription *)ava->la_private;
+ int ret;
+ int rc;
+ const char *text;
+
+ assert( ad );
+
+ if ( mra->ma_desc ) {
+ /* have a mra type? check for subtype */
+ if ( !is_ad_subtype( ad, mra->ma_desc ) ) {
+ continue;
+ }
+ value = mra->ma_value;
+
+ } else {
+ const char *text = NULL;
+
+ /* check if matching is appropriate */
+ if ( !mr_usable_with_at( mra->ma_rule, ad->ad_type )) {
+ continue;
+ }
+
+ /* normalize for equality */
+ rc = value_validate_normalize( ad, SLAP_MR_EQUALITY,
+ &mra->ma_value, &value, &text );
+ if ( rc != LDAP_SUCCESS ) {
+ continue;
+ }
+
+ /* check search access */
+ if ( !access_allowed( be, conn, op, e,
+ ad, &value, ACL_SEARCH, NULL ) ) {
+ continue;
+ }
+ }
- if ( ret == 0 ) {
- return LDAP_COMPARE_TRUE;
+ /* check match */
+ rc = value_match( &ret, ad, mra->ma_rule,
+ SLAP_MR_ASSERTION_SYNTAX_MATCH,
+ bv, &value, &text );
+
+ if( rc != LDAP_SUCCESS ) {
+ ldap_dnfree( dn );
+ return rc;
+ }
+
+ if ( ret == 0 ) {
+ ldap_dnfree( dn );
+ return LDAP_COMPARE_TRUE;
+ }
 }
 }
 }
@@ -400,8 +496,7 @@ test_filter_and(
 int rtn = LDAP_COMPARE_TRUE; /* True if empty */
 #ifdef NEW_LOGGING
- LDAP_LOG(( "filter", LDAP_LEVEL_ENTRY,
- "test_filter_and: begin\n" ));
+ LDAP_LOG( FILTER, ENTRY, "test_filter_and: begin\n", 0, 0, 0 );
 #else
 Debug( LDAP_DEBUG_FILTER, "=> test_filter_and\n", 0, 0, 0 );
 #endif
@@ -423,8 +518,7 @@ test_filter_and(
 }
 #ifdef NEW_LOGGING
- LDAP_LOG(( "filter", LDAP_LEVEL_ENTRY,
- "test_filter_and: rc=%d\n", rtn ));
+ LDAP_LOG( FILTER, RESULTS, "test_filter_and: rc=%d\n", rtn, 0, 0 );
 #else
 Debug( LDAP_DEBUG_FILTER, "<= test_filter_and %d\n", rtn, 0, 0 );
 #endif
@@ -445,8 +539,7 @@ test_filter_or(
 int rtn = LDAP_COMPARE_FALSE; /* False if empty */
 #ifdef NEW_LOGGING
- LDAP_LOG(( "filter", LDAP_LEVEL_ENTRY,
- "test_filter_or: begin\n" ));
+ LDAP_LOG( FILTER, ENTRY, "test_filter_or: begin\n", 0, 0, 0 );
 #else
 Debug( LDAP_DEBUG_FILTER, "=> test_filter_or\n", 0, 0, 0 );
 #endif
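Review bot: In the new `if ( mra->ma_dnattrs )` block of test_mra_filter the DN parsed by `dnPrettyDN()` is released only on the two early returns; when no AVA matches, the loops fall through to the block's closing brace and `dn` goes out of scope unfreed, so add `ldap_dnfree( dn );` after the `iRDN` loop. Because this path runs for every entry a search evaluates, a client sending extensible-match filters that set dnattrs could make slapd's memory grow steadily. The `value` filled by `value_validate_normalize()` is likewise never released anywhere in the hunk; if that function allocates its output (not visible here), both the all-attributes loop and the DN loop need a matching free on the `continue`, match and error paths. The commit also drops the old `ma_rule == NULL` fallback and the syntax-OID comparison, so `mr_usable_with_at()` and `value_match()` now rely on the filter parser always supplying a usable rule, which is worth confirming or guarding with an `LDAP_INAPPROPRIATE_MATCHING` return. The signature and the final return of test_mra_filter lie outside the hunk.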
@@ -468,8 +561,7 @@ test_filter_or(
 }
 #ifdef NEW_LOGGING
- LDAP_LOG(( "filter", LDAP_LEVEL_ENTRY,
- "test_filter_or: result=%d\n", rtn ));
+ LDAP_LOG( FILTER, ENTRY, "test_filter_or: result=%d\n", rtn, 0, 0 );
 #else
 Debug( LDAP_DEBUG_FILTER, "<= test_filter_or %d\n", rtn, 0, 0 );
 #endif
@@ -490,8 +582,7 @@ test_substrings_filter(
 Attribute *a;
 #ifdef NEW_LOGGING
- LDAP_LOG(( "filter", LDAP_LEVEL_ENTRY,
- "test_substrings_filter: begin\n" ));
+ LDAP_LOG( FILTER, ENTRY, "test_substrings_filter: begin\n", 0, 0, 0 );
 #else
 Debug( LDAP_DEBUG_FILTER, "begin test_substrings_filter\n", 0, 0, 0 );
 #endif
@@ -534,8 +625,7 @@ test_substrings_filter(
 }
 #ifdef NEW_LOGGING
- LDAP_LOG(( "filter", LDAP_LEVEL_ENTRY,
- "test_substrings_filter: return FALSE\n" ));
+ LDAP_LOG( FILTER, ENTRY, "test_substrings_filter: return FALSE\n", 0, 0, 0 );
 #else
 Debug( LDAP_DEBUG_FILTER, "end test_substrings_filter 1\n", 0, 0, 0 );
 #endif
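Review bot: The exit trace of test_filter_or is still logged at `ENTRY`, while the corresponding exit traces in test_filter (`return=%d`) and test_filter_and (`rc=%d`) were moved to `RESULTS` in this same commit; for consistency it should read `LDAP_LOG( FILTER, RESULTS, "test_filter_or: result=%d\n", rtn, 0, 0 );`. The same applies to the `test_substrings_filter: return FALSE` message in the last hunk. Anyone selecting slapd log output by level would otherwise get results from some filter functions and not from others.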