int
get_mra(
Operation *op,
BerElement *ber,
Filter *f,
const char **text )
{
int rc;
ber_tag_t tag, rtag;
ber_len_t length;
struct berval type = BER_BVNULL;
struct berval value = BER_BVNULL;
struct berval rule_text = BER_BVNULL;
MatchingRuleAssertion ma = { 0 };
#ifdef LDAP_COMP_MATCH
AttributeAliasing* aa = NULL;
#endif
rtag = ber_scanf( ber, "{t" /*"}"*/, &tag );
if( rtag == LBER_ERROR ) {
Debug( LDAP_DEBUG_ANY, " get_mra ber_scanf\n", 0, 0, 0 );
*text = "Error parsing matching rule assertion";
return SLAPD_DISCONNECT;
}
if ( tag == LDAP_FILTER_EXT_OID ) {
rtag = ber_scanf( ber, "m", &rule_text );
if ( rtag == LBER_ERROR ) {
Debug( LDAP_DEBUG_ANY, " get_mra ber_scanf for mr\n", 0, 0, 0 );
*text = "Error parsing matching rule in matching rule assertion";
return SLAPD_DISCONNECT;
}
rtag = ber_scanf( ber, "t", &tag );
if( rtag == LBER_ERROR ) {
Debug( LDAP_DEBUG_ANY, " get_mra ber_scanf\n", 0, 0, 0 );
*text = "Error parsing matching rule assertion";
return SLAPD_DISCONNECT;
}
}
if ( tag == LDAP_FILTER_EXT_TYPE ) {
rtag = ber_scanf( ber, "m", &type );
if ( rtag == LBER_ERROR ) {
Debug( LDAP_DEBUG_ANY, " get_mra ber_scanf for ad\n", 0, 0, 0 );
*text = "Error parsing attribute description in matching rule assertion";
return SLAPD_DISCONNECT;
}
rtag = ber_scanf( ber, "t", &tag );
if( rtag == LBER_ERROR ) {
Debug( LDAP_DEBUG_ANY, " get_mra ber_scanf\n", 0, 0, 0 );
*text = "Error parsing matching rule assertion";
return SLAPD_DISCONNECT;
}
}
if ( tag != LDAP_FILTER_EXT_VALUE ) {
Debug( LDAP_DEBUG_ANY, " get_mra ber_scanf missing value\n", 0, 0, 0 );
*text = "Missing value in matching rule assertion";
return SLAPD_DISCONNECT;
}
rtag = ber_scanf( ber, "m", &value );
if( rtag == LBER_ERROR ) {
Debug( LDAP_DEBUG_ANY, " get_mra ber_scanf\n", 0, 0, 0 );
*text = "Error decoding value in matching rule assertion";
return SLAPD_DISCONNECT;
}
tag = ber_peek_tag( ber, &length );
if ( tag == LDAP_FILTER_EXT_DNATTRS ) {
rtag = ber_scanf( ber, /*"{"*/ "b}", &ma.ma_dnattrs );
} else {
rtag = ber_scanf( ber, /*"{"*/ "}" );
}
if( rtag == LBER_ERROR ) {
Debug( LDAP_DEBUG_ANY, " get_mra ber_scanf\n", 0, 0, 0 );
*text = "Error decoding dnattrs matching rule assertion";
return SLAPD_DISCONNECT;
}
if( type.bv_val != NULL ) {
rc = slap_bv2ad( &type, &ma.ma_desc, text );
if( rc != LDAP_SUCCESS ) {
f->f_choice |= SLAPD_FILTER_UNDEFINED;
rc = slap_bv2undef_ad( &type, &ma.ma_desc, text,
SLAP_AD_PROXIED|SLAP_AD_NOINSERT );
if( rc != LDAP_SUCCESS ) {
ma.ma_desc = slap_bv2tmp_ad( &type, op->o_tmpmemctx );
rc = LDAP_SUCCESS;
}
}
}
if( rule_text.bv_val != NULL ) {
ma.ma_rule = mr_bvfind( &rule_text );
if( ma.ma_rule == NULL ) {
*text = "matching rule not recognized";
return LDAP_INAPPROPRIATE_MATCHING;
}
}
if ( ma.ma_rule == NULL ) {
/*
* Need either type or rule ...
*/
if ( ma.ma_desc == NULL ) {
*text = "no matching rule or type";
return LDAP_INAPPROPRIATE_MATCHING;
}
if ( ma.ma_desc->ad_type->sat_equality != NULL &&
ma.ma_desc->ad_type->sat_equality->smr_usage & SLAP_MR_EXT )
{
/* no matching rule was provided, use the attribute's
equality rule if it supports extensible matching. */
ma.ma_rule = ma.ma_desc->ad_type->sat_equality;
} else {
*text = "no appropriate rule to use for type";
return LDAP_INAPPROPRIATE_MATCHING;
}
}
if ( ma.ma_desc != NULL ) {
if( !mr_usable_with_at( ma.ma_rule, ma.ma_desc->ad_type ) ) {
*text = "matching rule use with this attribute not appropriate";
return LDAP_INAPPROPRIATE_MATCHING;
}
}
/*
* Normalize per matching rule
*/
rc = asserted_value_validate_normalize( ma.ma_desc,
ma.ma_rule,
SLAP_MR_EXT|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
&value, &ma.ma_value, text, op->o_tmpmemctx );
if( rc != LDAP_SUCCESS ) return rc;
#ifdef LDAP_COMP_MATCH
/* Check If this attribute is aliased */
if ( is_aliased_attribute && ma.ma_desc && ( aa = is_aliased_attribute ( ma.ma_desc ) ) ) {
rc = get_aliased_filter ( op, &ma, aa, text );
if ( rc != LDAP_SUCCESS ) return rc;
}
else if ( ma.ma_rule && ma.ma_rule->smr_usage & SLAP_MR_COMPONENT ) {
/* Matching Rule for Component Matching */
rc = get_comp_filter( op, &ma.ma_value, &ma.ma_cf, text );
if ( rc != LDAP_SUCCESS ) return rc;
}
#endif
length = sizeof(ma);
/* Append rule_text to end of struct */
if (rule_text.bv_val) length += rule_text.bv_len + 1;
f->f_mra = op->o_tmpalloc( length, op->o_tmpmemctx );
*f->f_mra = ma;
if (rule_text.bv_val) {
f->f_mra->ma_rule_text.bv_len = rule_text.bv_len;
f->f_mra->ma_rule_text.bv_val = (char *)(f->f_mra+1);
AC_MEMCPY(f->f_mra->ma_rule_text.bv_val, rule_text.bv_val,
rule_text.bv_len+1);
}
return LDAP_SUCCESS;
}
int
get_filter(
Operation *op,
BerElement *ber,
Filter **filt,
const char **text )
{
ber_tag_t tag;
ber_len_t len;
int err;
Filter f;
Debug( LDAP_DEBUG_FILTER, "begin get_filter\n", 0, 0, 0 );
/*
* A filter looks like this coming in:
* Filter ::= CHOICE {
* and [0] SET OF Filter,
* or [1] SET OF Filter,
* not [2] Filter,
* equalityMatch [3] AttributeValueAssertion,
* substrings [4] SubstringFilter,
* greaterOrEqual [5] AttributeValueAssertion,
* lessOrEqual [6] AttributeValueAssertion,
* present [7] AttributeType,
* approxMatch [8] AttributeValueAssertion,
* extensibleMatch [9] MatchingRuleAssertion
* }
*
* SubstringFilter ::= SEQUENCE {
* type AttributeType,
* SEQUENCE OF CHOICE {
* initial [0] IA5String,
* any [1] IA5String,
* final [2] IA5String
* }
* }
*
* MatchingRuleAssertion ::= SEQUENCE {
* matchingRule [1] MatchingRuleId OPTIONAL,
* type [2] AttributeDescription OPTIONAL,
* matchValue [3] AssertionValue,
* dnAttributes [4] BOOLEAN DEFAULT FALSE
* }
*
*/
tag = ber_peek_tag( ber, &len );
if( tag == LBER_ERROR ) {
*text = "error decoding filter";
return SLAPD_DISCONNECT;
}
err = LDAP_SUCCESS;
f.f_next = NULL;
f.f_choice = tag;
switch ( f.f_choice ) {
case LDAP_FILTER_EQUALITY:
Debug( LDAP_DEBUG_FILTER, "EQUALITY\n", 0, 0, 0 );
err = get_ava( op, ber, &f, SLAP_MR_EQUALITY, text );
if ( err != LDAP_SUCCESS ) {
break;
}
assert( f.f_ava != NULL );
break;
case LDAP_FILTER_SUBSTRINGS:
Debug( LDAP_DEBUG_FILTER, "SUBSTRINGS\n", 0, 0, 0 );
err = get_ssa( op, ber, &f, text );
if( err != LDAP_SUCCESS ) {
break;
}
assert( f.f_sub != NULL );
break;
case LDAP_FILTER_GE:
Debug( LDAP_DEBUG_FILTER, "GE\n", 0, 0, 0 );
err = get_ava( op, ber, &f, SLAP_MR_ORDERING, text );
if ( err != LDAP_SUCCESS ) {
break;
}
assert( f.f_ava != NULL );
break;
case LDAP_FILTER_LE:
Debug( LDAP_DEBUG_FILTER, "LE\n", 0, 0, 0 );
err = get_ava( op, ber, &f, SLAP_MR_ORDERING, text );
if ( err != LDAP_SUCCESS ) {
break;
}
assert( f.f_ava != NULL );
break;
case LDAP_FILTER_PRESENT: {
struct berval type;
Debug( LDAP_DEBUG_FILTER, "PRESENT\n", 0, 0, 0 );
if ( ber_scanf( ber, "m", &type ) == LBER_ERROR ) {
err = SLAPD_DISCONNECT;
*text = "error decoding filter";
break;
}
f.f_desc = NULL;
err = slap_bv2ad( &type, &f.f_desc, text );
if( err != LDAP_SUCCESS ) {
f.f_choice |= SLAPD_FILTER_UNDEFINED;
err = slap_bv2undef_ad( &type, &f.f_desc, text,
SLAP_AD_PROXIED|SLAP_AD_NOINSERT );
if ( err != LDAP_SUCCESS ) {
/* unrecognized attribute description or other error */
Debug( LDAP_DEBUG_ANY,
"get_filter: conn %lu unknown attribute "
"type=%s (%d)\n",
op->o_connid, type.bv_val, err );
err = LDAP_SUCCESS;
f.f_desc = slap_bv2tmp_ad( &type, op->o_tmpmemctx );
}
*text = NULL;
}
assert( f.f_desc != NULL );
} break;
case LDAP_FILTER_APPROX:
Debug( LDAP_DEBUG_FILTER, "APPROX\n", 0, 0, 0 );
err = get_ava( op, ber, &f, SLAP_MR_EQUALITY_APPROX, text );
if ( err != LDAP_SUCCESS ) {
break;
}
assert( f.f_ava != NULL );
break;
case LDAP_FILTER_AND:
Debug( LDAP_DEBUG_FILTER, "AND\n", 0, 0, 0 );
err = get_filter_list( op, ber, &f.f_and, text );
if ( err != LDAP_SUCCESS ) {
break;
}
if ( f.f_and == NULL ) {
f.f_choice = SLAPD_FILTER_COMPUTED;
f.f_result = LDAP_COMPARE_TRUE;
}
/* no assert - list could be empty */
break;
case LDAP_FILTER_OR:
Debug( LDAP_DEBUG_FILTER, "OR\n", 0, 0, 0 );
err = get_filter_list( op, ber, &f.f_or, text );
if ( err != LDAP_SUCCESS ) {
break;
}
if ( f.f_or == NULL ) {
f.f_choice = SLAPD_FILTER_COMPUTED;
f.f_result = LDAP_COMPARE_FALSE;
}
/* no assert - list could be empty */
break;
case LDAP_FILTER_NOT:
Debug( LDAP_DEBUG_FILTER, "NOT\n", 0, 0, 0 );
(void) ber_skip_tag( ber, &len );
err = get_filter( op, ber, &f.f_not, text );
if ( err != LDAP_SUCCESS ) {
break;
}
assert( f.f_not != NULL );
if ( f.f_not->f_choice == SLAPD_FILTER_COMPUTED ) {
int fresult = f.f_not->f_result;
f.f_choice = SLAPD_FILTER_COMPUTED;
op->o_tmpfree( f.f_not, op->o_tmpmemctx );
f.f_not = NULL;
switch( fresult ) {
case LDAP_COMPARE_TRUE:
f.f_result = LDAP_COMPARE_FALSE;
break;
case LDAP_COMPARE_FALSE:
f.f_result = LDAP_COMPARE_TRUE;
break;
default: ;
/* (!Undefined) is Undefined */
}
}
break;
case LDAP_FILTER_EXT:
Debug( LDAP_DEBUG_FILTER, "EXTENSIBLE\n", 0, 0, 0 );
err = get_mra( op, ber, &f, text );
if ( err != LDAP_SUCCESS ) {
break;
}
assert( f.f_mra != NULL );
break;
default:
(void) ber_scanf( ber, "x" ); /* skip the element */
Debug( LDAP_DEBUG_ANY, "get_filter: unknown filter type=%lu\n",
f.f_choice, 0, 0 );
f.f_choice = SLAPD_FILTER_COMPUTED;
f.f_result = SLAPD_COMPARE_UNDEFINED;
break;
}
if( err != LDAP_SUCCESS && err != SLAPD_DISCONNECT ) {
/* ignore error */
*text = NULL;
f.f_choice = SLAPD_FILTER_COMPUTED;
f.f_result = SLAPD_COMPARE_UNDEFINED;
err = LDAP_SUCCESS;
}
if ( err == LDAP_SUCCESS ) {
*filt = op->o_tmpalloc( sizeof(f), op->o_tmpmemctx );
**filt = f;
}
Debug( LDAP_DEBUG_FILTER, "end get_filter %d\n", err, 0, 0 );
return( err );
}
int
get_ava(
Operation *op,
BerElement *ber,
Filter *f,
unsigned usage,
const char **text )
{
int rc;
ber_tag_t rtag;
struct berval type, value;
AttributeAssertion *aa;
#ifdef LDAP_COMP_MATCH
AttributeAliasing* a_alias = NULL;
#endif
rtag = ber_scanf( ber, "{mm}", &type, &value );
if( rtag == LBER_ERROR ) {
Debug( LDAP_DEBUG_ANY, " get_ava ber_scanf\n", 0, 0, 0 );
*text = "Error decoding attribute value assertion";
return SLAPD_DISCONNECT;
}
aa = op->o_tmpalloc( sizeof( AttributeAssertion ), op->o_tmpmemctx );
aa->aa_desc = NULL;
aa->aa_value.bv_val = NULL;
#ifdef LDAP_COMP_MATCH
aa->aa_cf = NULL;
#endif
rc = slap_bv2ad( &type, &aa->aa_desc, text );
if( rc != LDAP_SUCCESS ) {
f->f_choice |= SLAPD_FILTER_UNDEFINED;
*text = NULL;
rc = slap_bv2undef_ad( &type, &aa->aa_desc, text,
SLAP_AD_PROXIED|SLAP_AD_NOINSERT );
if( rc != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_FILTER,
"get_ava: unknown attributeType %s\n", type.bv_val, 0, 0 );
aa->aa_desc = slap_bv2tmp_ad( &type, op->o_tmpmemctx );
ber_dupbv_x( &aa->aa_value, &value, op->o_tmpmemctx );
f->f_ava = aa;
return LDAP_SUCCESS;
}
}
rc = asserted_value_validate_normalize(
aa->aa_desc, ad_mr(aa->aa_desc, usage),
usage, &value, &aa->aa_value, text, op->o_tmpmemctx );
if( rc != LDAP_SUCCESS ) {
f->f_choice |= SLAPD_FILTER_UNDEFINED;
Debug( LDAP_DEBUG_FILTER,
"get_ava: illegal value for attributeType %s\n", type.bv_val, 0, 0 );
ber_dupbv_x( &aa->aa_value, &value, op->o_tmpmemctx );
*text = NULL;
rc = LDAP_SUCCESS;
}
#ifdef LDAP_COMP_MATCH
if( is_aliased_attribute ) {
a_alias = is_aliased_attribute ( aa->aa_desc );
if ( a_alias ) {
rc = get_aliased_filter_aa ( op, aa, a_alias, text );
if( rc != LDAP_SUCCESS ) {
Debug( LDAP_DEBUG_FILTER,
"get_ava: Invalid Attribute Aliasing\n", 0, 0, 0 );
return rc;
}
}
}
#endif
f->f_ava = aa;
return LDAP_SUCCESS;
}
