From 0799f58533a7cb8169778eb57fb92d2d6bff9758 Mon Sep 17 00:00:00 2001 From: David Barchiesi Date: Sat, 7 Nov 2020 13:32:14 +0100 Subject: [PATCH] ITS#9442 Add negregex constraint type for not allowing values based on a regex. --- doc/man/man5/slapo-constraint.5 | 10 ++++++++-- servers/slapd/overlays/constraint.c | 18 +++++++++++++++--- 2 files changed, 23 insertions(+), 5 deletions(-) diff --git a/doc/man/man5/slapo-constraint.5 b/doc/man/man5/slapo-constraint.5 index fa8acb1616..79d0cf72bf 100644 --- a/doc/man/man5/slapo-constraint.5 +++ b/doc/man/man5/slapo-constraint.5 @@ -35,8 +35,9 @@ directive. .B constraint_attribute [,...] [ [...]] Specifies the constraint which should apply to the comma-separated attribute list named as the first parameter. -Five types of constraint are currently supported - +Six types of constraint are currently supported - .BR regex , +.BR negregex , .BR size , .BR count , .BR uri , @@ -45,6 +46,8 @@ and The parameter following the .B regex +or +.B negregex type is a Unix style regular expression (See .BR regex (7) ). The parameter following the @@ -104,6 +107,7 @@ overlay constraint constraint_attribute jpegPhoto size 131072 constraint_attribute userPassword count 3 constraint_attribute mail regex ^[[:alnum:]]+@mydomain.com$ +constraint_attribute mail negregex ^[[:alnum:]]+@notallowed.com$ constraint_attribute title uri ldap:///dc=catalog,dc=example,dc=com?title?sub?(objectClass=titleCatalog) constraint_attribute cn,sn,givenName set @@ -115,7 +119,9 @@ constraint_attribute cn,sn,givenName set A specification like the above would reject any .B mail attribute which did not look like -.BR "@mydomain.com" . +.BR "@mydomain.com" +or that looks like +.BR "@notallowed.com" . It would also reject any .B title attribute whose values were not listed in the diff --git a/servers/slapd/overlays/constraint.c b/servers/slapd/overlays/constraint.c index c81d327793..4260b15b81 100644 --- a/servers/slapd/overlays/constraint.c +++ b/servers/slapd/overlays/constraint.c @@ -40,6 +40,7 @@ */ #define REGEX_STR "regex" +#define NEG_REGEX_STR "negregex" #define URI_STR "uri" #define SET_STR "set" #define SIZE_STR "size" @@ -79,6 +80,7 @@ enum { CONSTRAINT_COUNT, CONSTRAINT_SIZE, CONSTRAINT_REGEX, + CONSTRAINT_NEG_REGEX, CONSTRAINT_SET, CONSTRAINT_URI, }; @@ -86,7 +88,7 @@ enum { static ConfigDriver constraint_cf_gen; static ConfigTable constraintcfg[] = { - { "constraint_attribute", "attribute[list]> (regex|uri|set|size|count) []", + { "constraint_attribute", "attribute[list]> (regex|negregex|uri|set|size|count) []", 4, 0, 0, ARG_MAGIC | CONSTRAINT_ATTRIBUTE, constraint_cf_gen, "( OLcfgOvAt:13.1 NAME 'olcConstraintAttribute' " "DESC 'constraint for list of attributes' " @@ -177,6 +179,10 @@ constraint_cf_gen( ConfigArgs *c ) tstr = REGEX_STR; quotes = 1; break; + case CONSTRAINT_NEG_REGEX: + tstr = NEG_REGEX_STR; + quotes = 1; + break; case CONSTRAINT_SET: tstr = SET_STR; quotes = 1; @@ -296,10 +302,12 @@ constraint_cf_gen( ConfigArgs *c ) } } - if ( strcasecmp( c->argv[2], REGEX_STR ) == 0) { + int is_regex = strcasecmp( c->argv[2], REGEX_STR ) == 0; + int is_neg_regex = strcasecmp( c->argv[2], NEG_REGEX_STR ) == 0; + if ( is_regex || is_neg_regex ) { int err; - ap.type = CONSTRAINT_REGEX; + ap.type = is_regex ? CONSTRAINT_REGEX : CONSTRAINT_NEG_REGEX; ap.re = ch_malloc( sizeof(regex_t) ); if ((err = regcomp( ap.re, c->argv[3], REG_EXTENDED )) != 0) { @@ -598,6 +606,10 @@ constraint_violation( constraint *c, struct berval *bv, Operation *op ) if (regexec(c->re, bv->bv_val, 0, NULL, 0) == REG_NOMATCH) return LDAP_CONSTRAINT_VIOLATION; /* regular expression violation */ break; + case CONSTRAINT_NEG_REGEX: + if (regexec(c->re, bv->bv_val, 0, NULL, 0) != REG_NOMATCH) + return LDAP_CONSTRAINT_VIOLATION; /* regular expression violation */ + break; case CONSTRAINT_URI: { Operation nop = *op; slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;