X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Ffilterentry.c;h=b201fd469d23b2205beab079e27673ec1afa6d0b;hb=00dae75f7b48b6bab23503d211deb7650aba8c1b;hp=5cc91fbb8c9e7603350abbc4b95cc6b50addb1d1;hpb=a84938c2943e23fa53ad6efb05cb8202671ecf51;p=openldap diff --git a/servers/slapd/filterentry.c b/servers/slapd/filterentry.c index 5cc91fbb8c..b201fd469d 100644 --- a/servers/slapd/filterentry.c +++ b/servers/slapd/filterentry.c @@ -31,9 +31,12 @@ #include #include - #include "slap.h" +#ifdef LDAP_COMP_MATCH +#include "component.h" +#endif + static int test_filter_and( Operation *op, Entry *e, Filter *flist ); static int test_filter_or( Operation *op, Entry *e, Filter *flist ); static int test_substrings_filter( Operation *op, Entry *e, Filter *f); @@ -172,7 +175,7 @@ static int test_mra_filter( * one attribute, and SEARCH permissions can be checked * directly. */ - if( !access_allowed( op, e, + if ( !access_allowed( op, e, mra->ma_desc, &mra->ma_value, ACL_SEARCH, NULL ) ) { return LDAP_INSUFFICIENT_ACCESS; @@ -183,7 +186,7 @@ static int test_mra_filter( const char *text; rc = value_match( &ret, slap_schema.si_ad_entryDN, mra->ma_rule, - 0, &e->e_nname, &mra->ma_value, &text ); + SLAP_MR_EXT, &e->e_nname, &mra->ma_value, &text ); if( rc != LDAP_SUCCESS ) return rc; @@ -191,18 +194,20 @@ static int test_mra_filter( return LDAP_COMPARE_FALSE; } - for(a = attrs_find( e->e_attrs, mra->ma_desc ); + for ( a = attrs_find( e->e_attrs, mra->ma_desc ); a != NULL; a = attrs_find( a->a_next, mra->ma_desc ) ) { - struct berval *bv; + struct berval *bv; + int normalize_attribute = 0; + #ifdef LDAP_COMP_MATCH /* Component Matching */ - if( mra->ma_cf && mra->ma_rule->smr_usage & SLAP_MR_COMPONENT ) { + if ( mra->ma_cf && mra->ma_rule->smr_usage & SLAP_MR_COMPONENT ) { num_attr_vals = 0; if ( !a->a_comp_data ) { for ( ; - a->a_vals[num_attr_vals].bv_val != NULL; + !BER_BVISNULL( &a->a_vals[num_attr_vals] ); num_attr_vals++ ) { /* empty */; @@ -231,22 +236,25 @@ static int test_mra_filter( /* If ma_rule is not the same as the attribute's * normal rule, then we can't use the a_nvals. */ - if (mra->ma_rule == a->a_desc->ad_type->sat_equality) { + if ( mra->ma_rule == a->a_desc->ad_type->sat_equality ) { bv = a->a_nvals; + } else { bv = a->a_vals; + normalize_attribute = 1; } #ifdef LDAP_COMP_MATCH i = 0; #endif - for ( ; bv->bv_val != NULL; bv++ ) { + for ( ; !BER_BVISNULL( bv ); bv++ ) { int ret; int rc; const char *text; #ifdef LDAP_COMP_MATCH - if( mra->ma_cf && - mra->ma_rule->smr_usage & SLAP_MR_COMPONENT ) { + if ( mra->ma_cf && + mra->ma_rule->smr_usage & SLAP_MR_COMPONENT ) + { /* Check if decoded component trees are already linked */ if ( num_attr_vals ) { a->a_comp_data->cd_tree[i] = attr_converter( @@ -256,17 +264,60 @@ static int test_mra_filter( if ( !a->a_comp_data->cd_tree[i] ) { return LDAP_OPERATIONS_ERROR; } - rc = value_match( &ret, a->a_desc, mra->ma_rule, 0, + rc = value_match( &ret, a->a_desc, mra->ma_rule, + SLAP_MR_COMPONENT, (struct berval*)a->a_comp_data->cd_tree[i++], (void*)mra, &text ); } else #endif { - rc = value_match( &ret, a->a_desc, mra->ma_rule, 0, - bv, &mra->ma_value, &text ); + struct berval nbv = BER_BVNULL; + + if ( normalize_attribute && mra->ma_rule->smr_normalize ) { + /* + + Document: draft-ietf-ldapbis-protocol + + 4.5.1. Search Request + ... + If the type field is present and the matchingRule is present, + the matchValue is compared against entry attributes of the + specified type. In this case, the matchingRule MUST be one + suitable for use with the specified type (see [Syntaxes]), + otherwise the filter item is Undefined. + + + In this case, since the matchingRule requires the assertion + value to be normalized, we normalize the attribute value + according to the syntax of the matchingRule. + + This should likely be done inside value_match(), by passing + the appropriate flags, but this is not done at present. + See ITS#3406. + */ + if ( mra->ma_rule->smr_normalize( + SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX, + mra->ma_rule->smr_syntax, + mra->ma_rule, + bv, &nbv, memctx ) != LDAP_SUCCESS ) + { + /* FIXME: stop processing? */ + continue; + } + + } else { + nbv = *bv; + } + + rc = value_match( &ret, a->a_desc, mra->ma_rule, + SLAP_MR_EXT, &nbv, &mra->ma_value, &text ); + + if ( nbv.bv_val != bv->bv_val ) { + memfree( nbv.bv_val, memctx ); + } } - if( rc != LDAP_SUCCESS ) return rc; + if ( rc != LDAP_SUCCESS ) return rc; if ( ret == 0 ) return LDAP_COMPARE_TRUE; } } @@ -279,9 +330,10 @@ static int test_mra_filter( struct berval *bv, value; const char *text = NULL; int rc; + int normalize_attribute = 0; /* check if matching is appropriate */ - if ( !mr_usable_with_at( mra->ma_rule, a->a_desc->ad_type )) { + if ( !mr_usable_with_at( mra->ma_rule, a->a_desc->ad_type ) ) { continue; } @@ -293,20 +345,22 @@ static int test_mra_filter( /* check search access */ if ( !access_allowed( op, e, - a->a_desc, &value, ACL_SEARCH, NULL ) ) { + a->a_desc, &value, ACL_SEARCH, NULL ) ) + { memfree( value.bv_val, memctx ); continue; } #ifdef LDAP_COMP_MATCH /* Component Matching */ - if( mra->ma_cf && - mra->ma_rule->smr_usage & SLAP_MR_COMPONENT) + if ( mra->ma_cf && + mra->ma_rule->smr_usage & SLAP_MR_COMPONENT ) { int ret; - rc = value_match( &ret, a->a_desc, mra->ma_rule, 0, + rc = value_match( &ret, a->a_desc, mra->ma_rule, + SLAP_MR_COMPONENT, (struct berval*)a, (void*)mra, &text ); - if( rc != LDAP_SUCCESS ) break; + if ( rc != LDAP_SUCCESS ) break; if ( ret == 0 ) { rc = LDAP_COMPARE_TRUE; @@ -317,19 +371,42 @@ static int test_mra_filter( #endif /* check match */ - if (mra->ma_rule == a->a_desc->ad_type->sat_equality) { + if ( mra->ma_rule == a->a_desc->ad_type->sat_equality ) { bv = a->a_nvals; + } else { bv = a->a_vals; + normalize_attribute = 1; } - for ( ; bv->bv_val != NULL; bv++ ) { - int ret; - - rc = value_match( &ret, a->a_desc, mra->ma_rule, 0, - bv, &value, &text ); + for ( ; !BER_BVISNULL( bv ); bv++ ) { + int ret; + struct berval nbv = BER_BVNULL; + + if ( normalize_attribute && mra->ma_rule->smr_normalize ) { + /* see comment above */ + if ( mra->ma_rule->smr_normalize( + SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX, + mra->ma_rule->smr_syntax, + mra->ma_rule, + bv, &nbv, memctx ) != LDAP_SUCCESS ) + { + /* FIXME: stop processing? */ + continue; + } + + } else { + nbv = *bv; + } + + rc = value_match( &ret, a->a_desc, mra->ma_rule, + SLAP_MR_EXT, &nbv, &value, &text ); - if( rc != LDAP_SUCCESS ) break; + if ( nbv.bv_val != bv->bv_val ) { + memfree( nbv.bv_val, memctx ); + } + + if ( rc != LDAP_SUCCESS ) break; if ( ret == 0 ) { rc = LDAP_COMPARE_TRUE; @@ -359,11 +436,13 @@ static int test_mra_filter( for ( iAVA = 0; rdn[ iAVA ]; iAVA++ ) { LDAPAVA *ava = rdn[ iAVA ]; - struct berval *bv = &ava->la_value, value; + struct berval *bv = &ava->la_value, + value = BER_BVNULL, + nbv = BER_BVNULL; AttributeDescription *ad = (AttributeDescription *)ava->la_private; - int ret; - const char *text; + int ret; + const char *text; assert( ad ); @@ -378,7 +457,7 @@ static int test_mra_filter( const char *text = NULL; /* check if matching is appropriate */ - if ( !mr_usable_with_at( mra->ma_rule, ad->ad_type )) { + if ( !mr_usable_with_at( mra->ma_rule, ad->ad_type ) ) { continue; } @@ -398,16 +477,40 @@ static int test_mra_filter( } } + if ( mra->ma_rule->smr_normalize ) { + /* see comment above */ + if ( mra->ma_rule->smr_normalize( + SLAP_MR_VALUE_OF_ATTRIBUTE_SYNTAX, + mra->ma_rule->smr_syntax, + mra->ma_rule, + bv, &nbv, memctx ) != LDAP_SUCCESS ) + { + /* FIXME: stop processing? */ + rc = LDAP_SUCCESS; + ret = -1; + goto cleanup; + } + + } else { + nbv = *bv; + } + /* check match */ - rc = value_match( &ret, ad, mra->ma_rule, 0, - bv, &value, &text ); - if ( value.bv_val != mra->ma_value.bv_val ) { + rc = value_match( &ret, ad, mra->ma_rule, SLAP_MR_EXT, + &nbv, &value, &text ); + +cleanup:; + if ( !BER_BVISNULL( &value ) && value.bv_val != mra->ma_value.bv_val ) { memfree( value.bv_val, memctx ); } + if ( !BER_BVISNULL( &nbv ) && nbv.bv_val != bv->bv_val ) { + memfree( nbv.bv_val, memctx ); + } + if ( rc == LDAP_SUCCESS && ret == 0 ) rc = LDAP_COMPARE_TRUE; - if( rc != LDAP_SUCCESS ) { + if ( rc != LDAP_SUCCESS ) { ldap_dnfree_x( dn, memctx ); return rc; } @@ -428,6 +531,10 @@ test_ava_filter( { int rc; Attribute *a; +#ifdef LDAP_COMP_MATCH + int i, num_attr_vals = 0; + AttributeAliasing *a_alias = NULL; +#endif if ( !access_allowed( op, e, ava->aa_desc, &ava->aa_value, ACL_SEARCH, NULL ) ) @@ -483,8 +590,8 @@ test_ava_filter( mr = slap_schema.si_ad_entryDN->ad_type->sat_equality; assert( mr ); - rc = value_match( &match, slap_schema.si_ad_entryDN, mr, 0, - &e->e_nname, &ava->aa_value, &text ); + rc = value_match( &match, slap_schema.si_ad_entryDN, mr, + SLAP_MR_EXT, &e->e_nname, &ava->aa_value, &text ); if( rc != LDAP_SUCCESS ) return rc; if( match == 0 ) return LDAP_COMPARE_TRUE; @@ -493,10 +600,22 @@ test_ava_filter( rc = LDAP_COMPARE_FALSE; +#ifdef LDAP_COMP_MATCH + if ( is_aliased_attribute && ava->aa_cf ) + { + a_alias = is_aliased_attribute ( ava->aa_desc ); + if ( a_alias ) + ava->aa_desc = a_alias->aa_aliased_ad; + else + ava->aa_cf = NULL; + } +#endif + for(a = attrs_find( e->e_attrs, ava->aa_desc ); a != NULL; a = attrs_find( a->a_next, ava->aa_desc ) ) { + int use; MatchingRule *mr; struct berval *bv; @@ -507,19 +626,24 @@ test_ava_filter( continue; } + use = SLAP_MR_EQUALITY; + switch ( type ) { case LDAP_FILTER_APPROX: + use = SLAP_MR_EQUALITY_APPROX; mr = a->a_desc->ad_type->sat_approx; if( mr != NULL ) break; - /* use EQUALITY matching rule if no APPROX rule */ + /* fallthru: use EQUALITY matching rule if no APPROX rule */ case LDAP_FILTER_EQUALITY: + /* use variable set above so fall thru use is not clobbered */ mr = a->a_desc->ad_type->sat_equality; break; case LDAP_FILTER_GE: case LDAP_FILTER_LE: + use = SLAP_MR_ORDERING; mr = a->a_desc->ad_type->sat_ordering; break; @@ -532,12 +656,76 @@ test_ava_filter( continue; } - for ( bv = a->a_nvals; bv->bv_val != NULL; bv++ ) { +#ifdef LDAP_COMP_MATCH + if ( nibble_mem_allocator && ava->aa_cf && !a->a_comp_data ) { + /* Component Matching */ + for ( num_attr_vals = 0; a->a_vals[num_attr_vals].bv_val != NULL; num_attr_vals++ ); + if ( num_attr_vals <= 0 )/* no attribute value */ + return LDAP_INAPPROPRIATE_MATCHING; + num_attr_vals++;/* for NULL termination */ + + /* following malloced will be freed by comp_tree_free () */ + a->a_comp_data = malloc( sizeof( ComponentData ) + sizeof( ComponentSyntaxInfo* )*num_attr_vals ); + + if ( !a->a_comp_data ) { + return LDAP_NO_MEMORY; + } + + a->a_comp_data->cd_tree = (ComponentSyntaxInfo**)((char*)a->a_comp_data + sizeof(ComponentData)); + i = num_attr_vals; + for ( ; i ; i-- ) { + a->a_comp_data->cd_tree[ i-1 ] = (ComponentSyntaxInfo*)NULL; + } + + a->a_comp_data->cd_mem_op = nibble_mem_allocator ( 1024*10*(num_attr_vals-1), 1024 ); + if ( a->a_comp_data->cd_mem_op == NULL ) { + free ( a->a_comp_data ); + a->a_comp_data = NULL; + return LDAP_OPERATIONS_ERROR; + } + } + + i = 0; +#endif + + for ( bv = a->a_nvals; !BER_BVISNULL( bv ); bv++ ) { int ret, match; const char *text; - ret = value_match( &match, a->a_desc, mr, 0, - bv, &ava->aa_value, &text ); +#ifdef LDAP_COMP_MATCH + if( attr_converter && ava->aa_cf && a->a_comp_data ) { + /* Check if decoded component trees are already linked */ + struct berval cf_bv = { 20, "componentFilterMatch" }; + MatchingRule* cf_mr = mr_bvfind( &cf_bv ); + MatchingRuleAssertion mra; + mra.ma_cf = ava->aa_cf; + + if ( a->a_comp_data->cd_tree[i] == NULL ) + a->a_comp_data->cd_tree[i] = attr_converter (a, a->a_desc->ad_type->sat_syntax, (a->a_vals + i)); + /* decoding error */ + if ( !a->a_comp_data->cd_tree[i] ) { + free_ComponentData ( a ); + return LDAP_OPERATIONS_ERROR; + } + + ret = value_match( &match, a->a_desc, cf_mr, + SLAP_MR_COMPONENT, + (struct berval*)a->a_comp_data->cd_tree[i++], + (void*)&mra, &text ); + if ( ret == LDAP_INAPPROPRIATE_MATCHING ) { + /* cached component tree is broken, just remove it */ + free_ComponentData ( a ); + return ret; + } + if ( a_alias ) + ava->aa_desc = a_alias->aa_aliasing_ad; + + } else +#endif + { + ret = value_match( &match, a->a_desc, mr, use, + bv, &ava->aa_value, &text ); + } if( ret != LDAP_SUCCESS ) { rc = ret; @@ -561,6 +749,11 @@ test_ava_filter( } } +#ifdef LDAP_COMP_MATCH + if ( a_alias ) + ava->aa_desc = a_alias->aa_aliasing_ad; +#endif + return rc; } @@ -721,11 +914,11 @@ test_substrings_filter( continue; } - for ( bv = a->a_nvals; bv->bv_val != NULL; bv++ ) { + for ( bv = a->a_nvals; !BER_BVISNULL( bv ); bv++ ) { int ret, match; const char *text; - ret = value_match( &match, a->a_desc, mr, 0, + ret = value_match( &match, a->a_desc, mr, SLAP_MR_SUBSTR, bv, f->f_sub, &text ); if( ret != LDAP_SUCCESS ) {