ITS#9442 Add negregex constraint type for not allowing values based on a regex.

doc/man/man5/slapo-constraint.5

@@ -35,8 +35,9 @@ directive.
 .B constraint_attribute <attribute_name>[,...] <type> <value> [<extra> [...]]
 Specifies the constraint which should apply to the comma-separated
 attribute list named as the first parameter.
-Five types of constraint are currently supported -
+Six types of constraint are currently supported -
 .BR regex ,
+.BR negregex ,
 .BR size ,
 .BR count ,
 .BR uri ,
@@ -45,6 +46,8 @@ and
 
 The parameter following the
 .B regex
+or
+.B negregex
 type is a Unix style regular expression (See
 .BR regex (7)
 ). The parameter following the
@@ -104,6 +107,7 @@ overlay constraint
 constraint_attribute jpegPhoto size 131072
 constraint_attribute userPassword count 3
 constraint_attribute mail regex ^[[:alnum:]]+@mydomain.com$
+constraint_attribute mail negregex ^[[:alnum:]]+@notallowed.com$
 constraint_attribute title uri
   ldap:///dc=catalog,dc=example,dc=com?title?sub?(objectClass=titleCatalog)
 constraint_attribute cn,sn,givenName set
@@ -115,7 +119,9 @@ constraint_attribute cn,sn,givenName set
 A specification like the above would reject any
 .B mail
 attribute which did not look like
-.BR "<alpha-numeric string>@mydomain.com" .
+.BR "<alpha-numeric string>@mydomain.com"
+or that looks like
+.BR "<alpha-numeric string>@notallowed.com" .
 It would also reject any
 .B title
 attribute whose values were not listed in the

servers/slapd/overlays/constraint.c

@@ -40,6 +40,7 @@
  */
 
 #define REGEX_STR "regex"
+#define NEG_REGEX_STR "negregex"
 #define URI_STR "uri"
 #define SET_STR "set"
 #define SIZE_STR "size"
@@ -79,6 +80,7 @@ enum {
 	CONSTRAINT_COUNT,
 	CONSTRAINT_SIZE,
 	CONSTRAINT_REGEX,
+	CONSTRAINT_NEG_REGEX,
 	CONSTRAINT_SET,
 	CONSTRAINT_URI,
 };
@@ -86,7 +88,7 @@ enum {
 static ConfigDriver constraint_cf_gen;
 
 static ConfigTable constraintcfg[] = {
-	{ "constraint_attribute", "attribute[list]> (regex|uri|set|size|count) <value> [<restrict URI>]",
+	{ "constraint_attribute", "attribute[list]> (regex|negregex|uri|set|size|count) <value> [<restrict URI>]",
 	  4, 0, 0, ARG_MAGIC | CONSTRAINT_ATTRIBUTE, constraint_cf_gen,
 	  "( OLcfgOvAt:13.1 NAME 'olcConstraintAttribute' "
 	  "DESC 'constraint for list of attributes' "
@@ -177,6 +179,10 @@ constraint_cf_gen( ConfigArgs *c )
 						tstr = REGEX_STR;
 						quotes = 1;
 						break;
+					case CONSTRAINT_NEG_REGEX:
+						tstr = NEG_REGEX_STR;
+						quotes = 1;
+						break;
 					case CONSTRAINT_SET:
 						tstr = SET_STR;
 						quotes = 1;
@@ -296,10 +302,12 @@ constraint_cf_gen( ConfigArgs *c )
 				}
 			}
 
-			if ( strcasecmp( c->argv[2], REGEX_STR ) == 0) {
+			int is_regex = strcasecmp( c->argv[2], REGEX_STR ) == 0;
+			int is_neg_regex = strcasecmp( c->argv[2], NEG_REGEX_STR ) == 0;
+			if ( is_regex || is_neg_regex ) {
 				int err;
 			
-				ap.type = CONSTRAINT_REGEX;
+				ap.type = is_regex ? CONSTRAINT_REGEX : CONSTRAINT_NEG_REGEX;
 				ap.re = ch_malloc( sizeof(regex_t) );
 				if ((err = regcomp( ap.re,
 					c->argv[3], REG_EXTENDED )) != 0) {
@@ -598,6 +606,10 @@ constraint_violation( constraint *c, struct berval *bv, Operation *op )
 			if (regexec(c->re, bv->bv_val, 0, NULL, 0) == REG_NOMATCH)
 				return LDAP_CONSTRAINT_VIOLATION; /* regular expression violation */
 			break;
+		case CONSTRAINT_NEG_REGEX:
+			if (regexec(c->re, bv->bv_val, 0, NULL, 0) != REG_NOMATCH)
+				return LDAP_CONSTRAINT_VIOLATION; /* regular expression violation */
+			break;
 		case CONSTRAINT_URI: {
 			Operation nop = *op;
 			slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;