X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Flimits.c;h=c33726e71190b011a143de2f8a8eb210618142a3;hb=62139b6ef3634529c6d1ff726c337e685ea38cf8;hp=5e27a2d8320297e5d2b5681487c326b4b75e71f2;hpb=8471ef7ed02632d2352189eddfaf806886b2de24;p=openldap

diff --git a/servers/slapd/limits.c b/servers/slapd/limits.c
index 5e27a2d832..c33726e711 100644
--- a/servers/slapd/limits.c
+++ b/servers/slapd/limits.c
@@ -1,6 +1,6 @@
 /* limits.c - routines to handle regex-based size and time limits */
 /*
- * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved.
+ * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
  */
 
@@ -16,7 +16,7 @@
 int
 get_limits( 
 	Backend			*be, 
-	const char		*ndn, 
+	struct berval		*ndn, 
 	struct slap_limits_set 	**limit
 )
 {
@@ -30,29 +30,100 @@ get_limits(
 	 */
 	*limit = &be->be_def_limit;
 
-	/*
-	 * anonymous or no regex-based limits? 
-	 */
-	if ( be->be_limits == NULL || ndn == NULL || ndn[0] == '\0' ) {
+	if ( be->be_limits == NULL ) {
 		return( 0 );
 	}
 
 	for ( lm = be->be_limits; lm[0] != NULL; lm++ ) {
-		switch ( lm[0]->lm_type) {
+		switch ( lm[0]->lm_type ) {
 		case SLAP_LIMITS_EXACT:
-			if ( strcmp( lm[0]->lm_dn_pat, ndn ) == 0 ) {
+			if ( ndn->bv_len == 0 ) {
+				break;
+			}
+			if ( dn_match( &lm[0]->lm_dn_pat, ndn ) ) {
 				*limit = &lm[0]->lm_limits;
 				return( 0 );
 			}
 			break;
 
+		case SLAP_LIMITS_ONE:
+		case SLAP_LIMITS_SUBTREE:
+		case SLAP_LIMITS_CHILDREN: {
+			size_t d;
+			
+			if ( ndn->bv_len == 0 ) {
+				break;
+			}
+
+			/* ndn shorter than dn_pat */
+			if ( ndn->bv_len < lm[0]->lm_dn_pat.bv_len ) {
+				break;
+			}
+			d = ndn->bv_len - lm[0]->lm_dn_pat.bv_len;
+
+			/* allow exact match for SUBTREE only */
+			if ( d == 0 ) {
+				if ( lm[0]->lm_type != SLAP_LIMITS_SUBTREE ) {
+					break;
+				}
+			} else {
+				/* check for unescaped rdn separator */
+				if ( !DN_SEPARATOR( ndn->bv_val[d-1] ) ) {
+					break;
+				}
+			}
+
+			/* in case of (sub)match ... */
+			if ( lm[0]->lm_dn_pat.bv_len == ( ndn->bv_len - d )
+					&& strcmp( lm[0]->lm_dn_pat.bv_val, &ndn->bv_val[d] ) == 0 ) {
+				/* check for exactly one rdn in case of ONE */
+				if ( lm[0]->lm_type == SLAP_LIMITS_ONE ) {
+					/*
+					 * if ndn is more that one rdn
+					 * below dn_pat, continue
+					 */
+					if ( (size_t) dn_rdnlen( NULL, ndn ) != d - 1 ) {
+						break;
+					}
+				}
+
+				*limit = &lm[0]->lm_limits;
+				return( 0 );
+			}
+
+			break;
+		}
+
 		case SLAP_LIMITS_REGEX:
-			if ( regexec( &lm[0]->lm_dn_regex, ndn, 0, NULL, 0) == 0 ) {
+			if ( ndn->bv_len == 0 ) {
+				break;
+			}
+			if ( regexec( &lm[0]->lm_dn_regex, ndn->bv_val, 0, NULL, 0 )
+				== 0 )
+			{
 				*limit = &lm[0]->lm_limits;
 				return( 0 );
 			}
 			break;
-			
+
+		case SLAP_LIMITS_ANONYMOUS:
+			if ( ndn->bv_len == 0 ) {
+				*limit = &lm[0]->lm_limits;
+				return( 0 );
+			}
+			break;
+
+		case SLAP_LIMITS_USERS:
+			if ( ndn->bv_len != 0 ) {
+				*limit = &lm[0]->lm_limits;
+				return( 0 );
+			}
+			break;
+
+		case SLAP_LIMITS_ANY:
+			*limit = &lm[0]->lm_limits;
+			return( 0 );
+
 		default:
 			assert( 0 );	/* unreachable */
 			return( -1 );
@@ -62,7 +133,7 @@ get_limits(
 	return( 0 );
 }
 
-int
+static int
 add_limits(
 	Backend 	        *be,
 	int			type,
@@ -74,32 +145,49 @@ add_limits(
 	struct slap_limits	*lm;
 	
 	assert( be );
-	assert( pattern );
 	assert( limit );
 
 	lm = ( struct slap_limits * )ch_calloc( sizeof( struct slap_limits ), 1 );
 
 	switch ( type ) {
 	case SLAP_LIMITS_EXACT:
-		lm->lm_type = SLAP_LIMITS_EXACT;
-		lm->lm_dn_pat = ch_strdup( pattern );
-		if ( dn_normalize( lm->lm_dn_pat ) == NULL ) {
-			ch_free( lm->lm_dn_pat );
-			ch_free( lm );
-			return( -1 );
+	case SLAP_LIMITS_ONE:
+	case SLAP_LIMITS_SUBTREE:
+	case SLAP_LIMITS_CHILDREN:
+		lm->lm_type = type;
+		{
+			int rc;
+			struct berval bv;
+			bv.bv_val = (char *) pattern;
+			bv.bv_len = strlen( pattern );
+
+			rc = dnNormalize2( NULL, &bv, &lm->lm_dn_pat );
+			if ( rc != LDAP_SUCCESS ) {
+				ch_free( lm );
+				return( -1 );
+			}
 		}
 		break;
 		
 	case SLAP_LIMITS_REGEX:
 	case SLAP_LIMITS_UNDEFINED:
 		lm->lm_type = SLAP_LIMITS_REGEX;
-		lm->lm_dn_pat = ch_strdup( pattern );
-		if ( regcomp( &lm->lm_dn_regex, lm->lm_dn_pat, REG_EXTENDED | REG_ICASE ) ) {
-			ch_free( lm->lm_dn_pat );
+		ber_str2bv( pattern, 0, 1, &lm->lm_dn_pat );
+		if ( regcomp( &lm->lm_dn_regex, lm->lm_dn_pat.bv_val, 
+					REG_EXTENDED | REG_ICASE ) ) {
+			free( lm->lm_dn_pat.bv_val );
 			ch_free( lm );
 			return( -1 );
 		}
 		break;
+
+	case SLAP_LIMITS_ANONYMOUS:
+	case SLAP_LIMITS_USERS:
+	case SLAP_LIMITS_ANY:
+		lm->lm_type = type;
+		lm->lm_dn_pat.bv_val = NULL;
+		lm->lm_dn_pat.bv_len = 0;
+		break;
 	}
 
 	lm->lm_limits = *limit;
@@ -158,9 +246,21 @@ parse_limits(
 	 * 
 	 * <pattern>:
 	 * 
-	 * [ "dn" [ "." { "exact" | "regex" } ] "=" ] <dn pattern>
+	 * "anonymous"
+	 * "users"
+	 * [ "dn" [ "." { "exact" | "base" | "one" | "sub" | children" 
+	 *	| "regex" | "anonymous" } ] "=" ] <dn pattern>
+	 *
+	 * Note:
+	 *	"exact" and "base" are the same (exact match);
+	 *	"one" means exactly one rdn below, NOT including the pattern
+	 *	"sub" means any rdn below, including the pattern
+	 *	"children" means any rdn below, NOT including the pattern
+	 *	
+	 *	"anonymous" may be deprecated in favour 
+	 *	of the pattern = "anonymous" form
+	 *
 	 *
-	 * 
 	 * <limit>:
 	 *
 	 * "time" [ "." { "soft" | "hard" } ] "=" <integer>
@@ -169,40 +269,102 @@ parse_limits(
 	 */
 	
 	pattern = argv[1];
-	if ( strncasecmp( pattern, "dn", 2 ) == 0 ) {
+	if ( strcmp( pattern, "*" ) == 0) {
+		type = SLAP_LIMITS_ANY;
+
+	} else if ( strcasecmp( pattern, "anonymous" ) == 0 ) {
+		type = SLAP_LIMITS_ANONYMOUS;
+
+	} else if ( strcasecmp( pattern, "users" ) == 0 ) {
+		type = SLAP_LIMITS_USERS;
+		
+	} else if ( strncasecmp( pattern, "dn", 2 ) == 0 ) {
 		pattern += 2;
 		if ( pattern[0] == '.' ) {
 			pattern++;
 			if ( strncasecmp( pattern, "exact", 5 ) == 0 ) {
 				type = SLAP_LIMITS_EXACT;
 				pattern += 5;
+
+			} else if ( strncasecmp( pattern, "base", 4 ) == 0 ) {
+				type = SLAP_LIMITS_BASE;
+				pattern += 4;
+
+			} else if ( strncasecmp( pattern, "one", 3 ) == 0 ) {
+				type = SLAP_LIMITS_ONE;
+				pattern += 3;
+
+			} else if ( strncasecmp( pattern, "subtree", 7 ) == 0 ) {
+				type = SLAP_LIMITS_SUBTREE;
+				pattern += 7;
+
+			} else if ( strncasecmp( pattern, "children", 8 ) == 0 ) {
+				type = SLAP_LIMITS_CHILDREN;
+				pattern += 8;
+
 			} else if ( strncasecmp( pattern, "regex", 5 ) == 0 ) {
 				type = SLAP_LIMITS_REGEX;
 				pattern += 5;
+
+			/* 
+			 * this could be deprecated in favour
+			 * of the pattern = "anonymous" form
+			 */
+			} else if ( strncasecmp( pattern, "anonymous", 9 ) == 0 ) {
+				type = SLAP_LIMITS_ANONYMOUS;
+				pattern = NULL;
 			}
 		}
 
-		if ( pattern[0] != '=' ) {
+		/* pre-check the data */
+		switch ( type ) {
+		case SLAP_LIMITS_ANONYMOUS:
+		case SLAP_LIMITS_USERS:
+
+			/* no need for pattern */
+			pattern = NULL;
+			break;
+
+		default:
+			if ( pattern[0] != '=' ) {
 #ifdef NEW_LOGGING
-			LDAP_LOG(( "config", LDAP_LEVEL_CRIT,
-				"%s : line %d: missing '=' in "
-				"\"dn[.{exact|regex}]=<pattern>\" in "
-				"\"limits <pattern> <limits>\" line.\n",
-			fname, lineno ));
+				LDAP_LOG(( "config", LDAP_LEVEL_CRIT,
+					"%s : line %d: missing '=' in "
+					"\"dn[.{exact|base|one|subtree"
+					"|children|regex|anonymous}]"
+					"=<pattern>\" in "
+					"\"limits <pattern> <limits>\" line.\n",
+					fname, lineno ));
 #else
-			Debug( LDAP_DEBUG_ANY,
-				"%s : line %d: missing '=' in "
-				"\"dn[.{exact|regex}]=<pattern>\" in "
-				"\"limits <pattern> <limits>\" line.\n%s",
-			fname, lineno, "" );
+				Debug( LDAP_DEBUG_ANY,
+					"%s : line %d: missing '=' in "
+					"\"dn[.{exact|base|one|subtree"
+					"|children|regex|anonymous}]"
+					"=<pattern>\" in "
+					"\"limits <pattern> <limits>\" "
+					"line.\n%s",
+					fname, lineno, "" );
 #endif
-			return( -1 );
-		}
+				return( -1 );
+			}
+
+			/* skip '=' (required) */
+			pattern++;
 
-		/* skip '=' (required) */
-		pattern++;
+			/* trim obvious cases */
+			if ( strcmp( pattern, "*" ) == 0 ) {
+				type = SLAP_LIMITS_ANY;
+				pattern = NULL;
+
+			} else if ( ( type == SLAP_LIMITS_REGEX || type == SLAP_LIMITS_UNDEFINED ) 
+					&& strcmp( pattern, ".*" ) == 0 ) {
+				type = SLAP_LIMITS_ANY;
+				pattern = NULL;
+			}
+		}
 	}
 
+	/* get the limits */
 	for ( i = 2; i < argc; i++ ) {
 		if ( parse_limit( argv[i], &limit ) ) {
 
@@ -264,7 +426,13 @@ parse_limit(
 					return( 1 );
 				}
 				arg++;
-				limit->lms_t_hard = atoi( arg );
+				if ( strcasecmp( arg, "soft" ) == 0 ) {
+					limit->lms_t_hard = 0;
+				} else if ( strcasecmp( arg, "none" ) == 0 ) {
+					limit->lms_t_hard = -1;
+				} else {
+					limit->lms_t_hard = atoi( arg );
+				}
 				
 			} else {
 				return( 1 );
@@ -297,7 +465,13 @@ parse_limit(
 					return( 1 );
 				}
 				arg++;
-				limit->lms_s_hard = atoi( arg );
+				if ( strcasecmp( arg, "soft" ) == 0 ) {
+					limit->lms_s_hard = 0;
+				} else if ( strcasecmp( arg, "none" ) == 0 ) {
+					limit->lms_s_hard = -1;
+				} else {
+					limit->lms_s_hard = atoi( arg );
+				}
 				
 			} else if ( strncasecmp( arg, "unchecked", 9 ) == 0 ) {
 				arg += 9;
@@ -305,7 +479,11 @@ parse_limit(
 					return( 1 );
 				}
 				arg++;
-				limit->lms_s_unchecked = atoi( arg );
+				if ( strcasecmp( arg, "none" ) == 0 ) {
+					limit->lms_s_unchecked = -1;
+				} else {
+					limit->lms_s_unchecked = atoi( arg );
+				}
 				
 			} else {
 				return( 1 );