X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Ffilterentry.c;h=82cd8cd327609843b92086015f996087657a0c5b;hb=69343add5ac17c2300e256c85acf3279298a0fbe;hp=7011299eb74d99e829a1f5e68f43a1b57614b65b;hpb=a2ba804e47bd501d2cc8378ba4eb28c8d3a3bf0a;p=openldap diff --git a/servers/slapd/filterentry.c b/servers/slapd/filterentry.c index 7011299eb7..82cd8cd327 100644 --- a/servers/slapd/filterentry.c +++ b/servers/slapd/filterentry.c @@ -1,7 +1,7 @@ /* filterentry.c - apply a filter to an entry */ /* $OpenLDAP$ */ /* - * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved. + * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved. * COPYING RESTRICTIONS APPLY, see COPYRIGHT file */ @@ -15,8 +15,6 @@ #include "slap.h" -#define SLAPD_EXT_FILTERS 1 - static int test_filter_and( Backend *be, Connection *conn, Operation *op, Entry *e, Filter *flist ); @@ -58,8 +56,7 @@ test_filter( int rc; #ifdef NEW_LOGGING - LDAP_LOG(( "filter", LDAP_LEVEL_ENTRY, - "test_filter: begin\n" )); + LDAP_LOG( FILTER, ENTRY, "test_filter: begin\n", 0, 0, 0 ); #else Debug( LDAP_DEBUG_FILTER, "=> test_filter\n", 0, 0, 0 ); #endif @@ -68,13 +65,12 @@ test_filter( switch ( f->f_choice ) { case SLAPD_FILTER_COMPUTED: #ifdef NEW_LOGGING - LDAP_LOG(( "filter", LDAP_LEVEL_DETAIL1, - "test_filter: COMPUTED %s (%d)\n", - f->f_result == LDAP_COMPARE_FALSE ? "false" : - f->f_result == LDAP_COMPARE_TRUE ? "true" : - f->f_result == SLAPD_COMPARE_UNDEFINED ? "undefined" : - "error", - f->f_result )); + LDAP_LOG( FILTER, DETAIL1, + "test_filter: COMPUTED %s (%d)\n", + f->f_result == LDAP_COMPARE_FALSE ? "false" : + f->f_result == LDAP_COMPARE_TRUE ? "true" : + f->f_result == SLAPD_COMPARE_UNDEFINED ? "undefined" : + "error", f->f_result, 0 ); #else Debug( LDAP_DEBUG_FILTER, " COMPUTED %s (%d)\n", f->f_result == LDAP_COMPARE_FALSE ? "false" : @@ -88,8 +84,7 @@ test_filter( case LDAP_FILTER_EQUALITY: #ifdef NEW_LOGGING - LDAP_LOG(( "filter", LDAP_LEVEL_DETAIL1, - "test_filter: EQUALITY\n" )); + LDAP_LOG( FILTER, DETAIL1, "test_filter: EQUALITY\n", 0, 0, 0 ); #else Debug( LDAP_DEBUG_FILTER, " EQUALITY\n", 0, 0, 0 ); #endif @@ -100,8 +95,7 @@ test_filter( case LDAP_FILTER_SUBSTRINGS: #ifdef NEW_LOGGING - LDAP_LOG(( "filter", LDAP_LEVEL_DETAIL1, - "test_filter SUBSTRINGS\n" )); + LDAP_LOG( FILTER, DETAIL1, "test_filter SUBSTRINGS\n", 0, 0, 0 ); #else Debug( LDAP_DEBUG_FILTER, " SUBSTRINGS\n", 0, 0, 0 ); #endif @@ -121,8 +115,7 @@ test_filter( case LDAP_FILTER_PRESENT: #ifdef NEW_LOGGING - LDAP_LOG(( "filter", LDAP_LEVEL_DETAIL1, - "test_filter: PRESENT\n" )); + LDAP_LOG( FILTER, DETAIL1, "test_filter: PRESENT\n", 0, 0, 0 ); #else Debug( LDAP_DEBUG_FILTER, " PRESENT\n", 0, 0, 0 ); #endif @@ -132,8 +125,7 @@ test_filter( case LDAP_FILTER_APPROX: #ifdef NEW_LOGGING - LDAP_LOG(( "filter", LDAP_LEVEL_DETAIL1, - "test_filter: APPROX\n" )); + LDAP_LOG( FILTER, DETAIL1, "test_filter: APPROX\n", 0, 0, 0 ); #else Debug( LDAP_DEBUG_FILTER, " APPROX\n", 0, 0, 0 ); #endif @@ -143,8 +135,7 @@ test_filter( case LDAP_FILTER_AND: #ifdef NEW_LOGGING - LDAP_LOG(( "filter", LDAP_LEVEL_DETAIL1, - "test_filter: AND\n" )); + LDAP_LOG( FILTER, DETAIL1, "test_filter: AND\n", 0, 0, 0 ); #else Debug( LDAP_DEBUG_FILTER, " AND\n", 0, 0, 0 ); #endif @@ -154,8 +145,7 @@ test_filter( case LDAP_FILTER_OR: #ifdef NEW_LOGGING - LDAP_LOG(( "filter", LDAP_LEVEL_DETAIL1, - "test_filter: OR\n" )); + LDAP_LOG( FILTER, DETAIL1, "test_filter: OR\n", 0, 0, 0 ); #else Debug( LDAP_DEBUG_FILTER, " OR\n", 0, 0, 0 ); #endif @@ -165,8 +155,7 @@ test_filter( case LDAP_FILTER_NOT: #ifdef NEW_LOGGING - LDAP_LOG(( "filter", LDAP_LEVEL_DETAIL1, - "test_filter: NOT\n" )); + LDAP_LOG( FILTER, DETAIL1, "test_filter: NOT\n", 0, 0, 0 ); #else Debug( LDAP_DEBUG_FILTER, " NOT\n", 0, 0, 0 ); #endif @@ -186,24 +175,20 @@ test_filter( } break; -#ifdef SLAPD_EXT_FILTERS case LDAP_FILTER_EXT: #ifdef NEW_LOGGING - LDAP_LOG(( "filter", LDAP_LEVEL_DETAIL1, - "test_filter: EXT\n" )); + LDAP_LOG( FILTER, DETAIL1, "test_filter: EXT\n", 0, 0, 0 ); #else Debug( LDAP_DEBUG_FILTER, " EXT\n", 0, 0, 0 ); #endif rc = test_mra_filter( be, conn, op, e, f->f_mra ); break; -#endif default: #ifdef NEW_LOGGING - LDAP_LOG(( "filter", LDAP_LEVEL_INFO, - "test_filter: unknown filter type %lu\n", - f->f_choice )); + LDAP_LOG( FILTER, INFO, + "test_filter: unknown filter type %lu\n", f->f_choice, 0, 0 ); #else Debug( LDAP_DEBUG_ANY, " unknown filter type %lu\n", f->f_choice, 0, 0 ); @@ -213,8 +198,7 @@ test_filter( } #ifdef NEW_LOGGING - LDAP_LOG(( "filter", LDAP_LEVEL_ENTRY, - "test_filter: return=%d\n", rc )); + LDAP_LOG( FILTER, RESULTS, "test_filter: return=%d\n", rc, 0, 0 ); #else Debug( LDAP_DEBUG_FILTER, "<= test_filter %d\n", rc, 0, 0 ); #endif @@ -229,45 +213,161 @@ static int test_mra_filter( Entry *e, MatchingRuleAssertion *mra ) { - int i; Attribute *a; - if( !access_allowed( be, conn, op, e, - mra->ma_desc, mra->ma_value, ACL_SEARCH ) ) - { - return LDAP_INSUFFICIENT_ACCESS; - } + if ( mra->ma_desc ) { + /* + * if ma_desc is available, then we're filtering for + * one attribute, and SEARCH permissions can be checked + * directly. + */ + if( !access_allowed( be, conn, op, e, + mra->ma_desc, &mra->ma_value, ACL_SEARCH, NULL ) ) + { + return LDAP_INSUFFICIENT_ACCESS; + } - if( strcmp(mra->ma_rule->smr_syntax->ssyn_oid, - mra->ma_desc->ad_type->sat_syntax->ssyn_oid) != 0) - { - return LDAP_INVALID_SYNTAX; - } + for(a = attrs_find( e->e_attrs, mra->ma_desc ); + a != NULL; + a = attrs_find( a->a_next, mra->ma_desc ) ) + { + struct berval *bv; + for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) { + int ret; + int rc; + const char *text; + + rc = value_match( &ret, a->a_desc, mra->ma_rule, + SLAP_MR_ASSERTION_SYNTAX_MATCH, + bv, &mra->ma_value, &text ); + + if( rc != LDAP_SUCCESS ) { + return rc; + } + + if ( ret == 0 ) { + return LDAP_COMPARE_TRUE; + } + } + } + } else { - if( mra->ma_rule == NULL ) - { - return LDAP_INAPPROPRIATE_MATCHING; - } + /* + * No attribute description: test all + */ + for ( a = e->e_attrs; a != NULL; a = a->a_next ) { + struct berval *bv, value; + const char *text = NULL; + int rc; + + /* check if matching is appropriate */ + if ( !mr_usable_with_at( mra->ma_rule, a->a_desc->ad_type )) { + continue; + } - for(a = attrs_find( e->e_attrs, mra->ma_desc ); - a != NULL; - a = attrs_find( a->a_next, mra->ma_desc ) ) - { - for ( i = 0; a->a_vals[i] != NULL; i++ ) { - int ret; - int rc; - const char *text; + /* normalize for equality */ + rc = value_validate_normalize( a->a_desc, + SLAP_MR_EQUALITY, + &mra->ma_value, &value, &text ); + if ( rc != LDAP_SUCCESS ) { + continue; + } - rc = value_match( &ret, a->a_desc, mra->ma_rule, 0, - a->a_vals[i], mra->ma_value, - &text ); + /* check search access */ + if ( !access_allowed( be, conn, op, e, + a->a_desc, &value, ACL_SEARCH, NULL ) ) { + continue; + } - if( rc != LDAP_SUCCESS ) { - return rc; + /* check match */ + for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) { + int ret; + int rc; + + rc = value_match( &ret, a->a_desc, mra->ma_rule, + SLAP_MR_ASSERTION_SYNTAX_MATCH, + bv, &value, &text ); + + if( rc != LDAP_SUCCESS ) { + return rc; + } + + if ( ret == 0 ) { + return LDAP_COMPARE_TRUE; + } } + } + } - if ( ret ) { - return LDAP_COMPARE_TRUE; + /* check attrs in DN AVAs if required */ + if ( mra->ma_dnattrs ) { + LDAPDN *dn = NULL; + int iRDN, iAVA; + int rc; + + /* parse and pretty the dn */ + rc = dnPrettyDN( NULL, &e->e_name, &dn ); + if ( rc != LDAP_SUCCESS ) { + return LDAP_INVALID_SYNTAX; + } + + /* for each AVA of each RDN ... */ + for ( iRDN = 0; dn[ 0 ][ iRDN ]; iRDN++ ) { + LDAPRDN *rdn = dn[ 0 ][ iRDN ]; + + for ( iAVA = 0; rdn[ 0 ][ iAVA ]; iAVA++ ) { + LDAPAVA *ava = rdn[ 0 ][ iAVA ]; + struct berval *bv = &ava->la_value, value; + AttributeDescription *ad = (AttributeDescription *)ava->la_private; + int ret; + int rc; + const char *text; + + assert( ad ); + + if ( mra->ma_desc ) { + /* have a mra type? check for subtype */ + if ( !is_ad_subtype( ad, mra->ma_desc ) ) { + continue; + } + value = mra->ma_value; + + } else { + const char *text = NULL; + + /* check if matching is appropriate */ + if ( !mr_usable_with_at( mra->ma_rule, ad->ad_type )) { + continue; + } + + /* normalize for equality */ + rc = value_validate_normalize( ad, SLAP_MR_EQUALITY, + &mra->ma_value, &value, &text ); + if ( rc != LDAP_SUCCESS ) { + continue; + } + + /* check search access */ + if ( !access_allowed( be, conn, op, e, + ad, &value, ACL_SEARCH, NULL ) ) { + continue; + } + } + + /* check match */ + rc = value_match( &ret, ad, mra->ma_rule, + SLAP_MR_ASSERTION_SYNTAX_MATCH, + bv, &value, &text ); + + if( rc != LDAP_SUCCESS ) { + ldap_dnfree( dn ); + return rc; + } + + if ( ret == 0 ) { + ldap_dnfree( dn ); + return LDAP_COMPARE_TRUE; + } } } } @@ -285,11 +385,10 @@ test_ava_filter( int type ) { - int i; Attribute *a; if ( !access_allowed( be, conn, op, e, - ava->aa_desc, ava->aa_value, ACL_SEARCH ) ) + ava->aa_desc, &ava->aa_value, ACL_SEARCH, NULL ) ) { return LDAP_INSUFFICIENT_ACCESS; } @@ -299,6 +398,7 @@ test_ava_filter( a = attrs_find( a->a_next, ava->aa_desc ) ) { MatchingRule *mr; + struct berval *bv; switch ( type ) { case LDAP_FILTER_APPROX: @@ -324,14 +424,14 @@ test_ava_filter( continue; } - for ( i = 0; a->a_vals[i] != NULL; i++ ) { + for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) { int ret; int rc; const char *text; - rc = value_match( &ret, a->a_desc, mr, 0, - a->a_vals[i], ava->aa_value, - &text ); + rc = value_match( &ret, a->a_desc, mr, + SLAP_MR_ASSERTION_SYNTAX_MATCH, + bv, &ava->aa_value, &text ); if( rc != LDAP_SUCCESS ) { return rc; @@ -373,7 +473,7 @@ test_presence_filter( AttributeDescription *desc ) { - if ( !access_allowed( be, conn, op, e, desc, NULL, ACL_SEARCH ) ) + if ( !access_allowed( be, conn, op, e, desc, NULL, ACL_SEARCH, NULL ) ) { return LDAP_INSUFFICIENT_ACCESS; } @@ -396,8 +496,7 @@ test_filter_and( int rtn = LDAP_COMPARE_TRUE; /* True if empty */ #ifdef NEW_LOGGING - LDAP_LOG(( "filter", LDAP_LEVEL_ENTRY, - "test_filter_and: begin\n" )); + LDAP_LOG( FILTER, ENTRY, "test_filter_and: begin\n", 0, 0, 0 ); #else Debug( LDAP_DEBUG_FILTER, "=> test_filter_and\n", 0, 0, 0 ); #endif @@ -419,8 +518,7 @@ test_filter_and( } #ifdef NEW_LOGGING - LDAP_LOG(( "filter", LDAP_LEVEL_ENTRY, - "test_filter_and: rc=%d\n", rtn )); + LDAP_LOG( FILTER, RESULTS, "test_filter_and: rc=%d\n", rtn, 0, 0 ); #else Debug( LDAP_DEBUG_FILTER, "<= test_filter_and %d\n", rtn, 0, 0 ); #endif @@ -441,8 +539,7 @@ test_filter_or( int rtn = LDAP_COMPARE_FALSE; /* False if empty */ #ifdef NEW_LOGGING - LDAP_LOG(( "filter", LDAP_LEVEL_ENTRY, - "test_filter_or: begin\n" )); + LDAP_LOG( FILTER, ENTRY, "test_filter_or: begin\n", 0, 0, 0 ); #else Debug( LDAP_DEBUG_FILTER, "=> test_filter_or\n", 0, 0, 0 ); #endif @@ -464,8 +561,7 @@ test_filter_or( } #ifdef NEW_LOGGING - LDAP_LOG(( "filter", LDAP_LEVEL_ENTRY, - "test_filter_or: result=%d\n", rtn )); + LDAP_LOG( FILTER, ENTRY, "test_filter_or: result=%d\n", rtn, 0, 0 ); #else Debug( LDAP_DEBUG_FILTER, "<= test_filter_or %d\n", rtn, 0, 0 ); #endif @@ -486,15 +582,14 @@ test_substrings_filter( Attribute *a; #ifdef NEW_LOGGING - LDAP_LOG(( "filter", LDAP_LEVEL_ENTRY, - "test_substrings_filter: begin\n" )); + LDAP_LOG( FILTER, ENTRY, "test_substrings_filter: begin\n", 0, 0, 0 ); #else Debug( LDAP_DEBUG_FILTER, "begin test_substrings_filter\n", 0, 0, 0 ); #endif if ( !access_allowed( be, conn, op, e, - f->f_sub_desc, NULL, ACL_SEARCH ) ) + f->f_sub_desc, NULL, ACL_SEARCH, NULL ) ) { return LDAP_INSUFFICIENT_ACCESS; } @@ -503,21 +598,21 @@ test_substrings_filter( a != NULL; a = attrs_find( a->a_next, f->f_sub_desc ) ) { - int i; MatchingRule *mr = a->a_desc->ad_type->sat_substr; + struct berval *bv; if( mr == NULL ) { continue; } - for ( i = 0; a->a_vals[i] != NULL; i++ ) { + for ( bv = a->a_vals; bv->bv_val != NULL; bv++ ) { int ret; int rc; const char *text; - rc = value_match( &ret, a->a_desc, mr, 0, - a->a_vals[i], f->f_sub, - &text ); + rc = value_match( &ret, a->a_desc, mr, + SLAP_MR_ASSERTION_SYNTAX_MATCH, + bv, f->f_sub, &text ); if( rc != LDAP_SUCCESS ) { return rc; @@ -530,8 +625,7 @@ test_substrings_filter( } #ifdef NEW_LOGGING - LDAP_LOG(( "filter", LDAP_LEVEL_ENTRY, - "test_substrings_filter: return FALSE\n" )); + LDAP_LOG( FILTER, ENTRY, "test_substrings_filter: return FALSE\n", 0, 0, 0 ); #else Debug( LDAP_DEBUG_FILTER, "end test_substrings_filter 1\n", 0, 0, 0 ); #endif