git.sur5r.net Git - openldap/blob - servers/slapd/slapacl.c

   1 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
   2  *
   3  * Copyright 2004-2005 The OpenLDAP Foundation.
   4  * Portions Copyright 2004 Pierangelo Masarati.
   5  * All rights reserved.
   6  *
   7  * Redistribution and use in source and binary forms, with or without
   8  * modification, are permitted only as authorized by the OpenLDAP
   9  * Public License.
  10  *
  11  * A copy of this license is available in file LICENSE in the
  12  * top-level directory of the distribution or, alternatively, at
  13  * <http://www.OpenLDAP.org/license.html>.
  14  */
  15 /* ACKNOWLEDGEMENTS:
  16  * This work was initially developed by Pierangelo Masarati for inclusion
  17  * in OpenLDAP Software.
  18  */
  19
  20 #include "portable.h"
  21
  22 #include <stdio.h>
  23
  24 #include <ac/stdlib.h>
  25
  26 #include <ac/ctype.h>
  27 #include <ac/string.h>
  28 #include <ac/socket.h>
  29 #include <ac/unistd.h>
  30
  31 #include <lber.h>
  32 #include <ldif.h>
  33 #include <lutil.h>
  34
  35 #include "slapcommon.h"
  36
  37 int
  38 slapacl( int argc, char **argv )
  39 {
  40         int                     rc = EXIT_SUCCESS;
  41         const char              *progname = "slapacl";
  42         Connection              conn = {0};
  43         char opbuf[OPERATION_BUFFER_SIZE];
  44         Operation               *op;
  45         Entry                   e = { 0 };
  46         char                    *attr = NULL;
  47
  48         slap_tool_init( progname, SLAPACL, argc, argv );
  49
  50         argv = &argv[ optind ];
  51         argc -= optind;
  52
  53         op = (Operation *)opbuf;
  54         connection_fake_init( &conn, op, &conn );
  55
  56         if ( !BER_BVISNULL( &authcID ) ) {
  57                 rc = slap_sasl_getdn( &conn, op, &authcID, NULL,
  58                                 &authcDN, SLAP_GETDN_AUTHCID );
  59                 if ( rc != LDAP_SUCCESS ) {
  60                         fprintf( stderr, "ID: <%s> check failed %d (%s)\n",
  61                                         authcID.bv_val, rc,
  62                                         ldap_err2string( rc ) );
  63                         rc = 1;
  64                         goto destroy;
  65                 }
  66
  67         } else if ( !BER_BVISNULL( &authcDN ) ) {
  68                 struct berval   ndn;
  69
  70                 rc = dnNormalize( 0, NULL, NULL, &authcDN, &ndn, NULL );
  71                 if ( rc != LDAP_SUCCESS ) {
  72                         fprintf( stderr, "autchDN=\"%s\" normalization failed %d (%s)\n",
  73                                         authcDN.bv_val, rc,
  74                                         ldap_err2string( rc ) );
  75                         rc = 1;
  76                         goto destroy;
  77                 }
  78                 ch_free( authcDN.bv_val );
  79                 authcDN = ndn;
  80         }
  81
  82
  83         if ( !BER_BVISNULL( &authcDN ) ) {
  84                 fprintf( stderr, "DN: \"%s\"\n", authcDN.bv_val );
  85         }
  86
  87         assert( !BER_BVISNULL( &baseDN ) );
  88         rc = dnPrettyNormal( NULL, &baseDN, &e.e_name, &e.e_nname, NULL );
  89         if ( rc != LDAP_SUCCESS ) {
  90                 fprintf( stderr, "base=\"%s\" normalization failed %d (%s)\n",
  91                                 baseDN.bv_val, rc,
  92                                 ldap_err2string( rc ) );
  93                 rc = 1;
  94                 goto destroy;
  95         }
  96
  97         op->o_bd = be;
  98         if ( !BER_BVISNULL( &authcDN ) ) {
  99                 op->o_dn = authcDN;
 100                 op->o_ndn = authcDN;
 101         }
 102
 103         if ( argc == 0 ) {
 104                 argc = 1;
 105                 attr = slap_schema.si_ad_entry->ad_cname.bv_val;
 106         }
 107
 108         for ( ; argc--; argv++ ) {
 109                 slap_mask_t             mask;
 110                 AttributeDescription    *desc = NULL;
 111                 int                     rc;
 112                 struct berval           val = BER_BVNULL,
 113                                         *valp = NULL;
 114                 const char              *text;
 115                 char                    accessmaskbuf[ACCESSMASK_MAXLEN];
 116                 char                    *accessstr;
 117                 slap_access_t           access = ACL_AUTH;
 118
 119                 if ( attr == NULL ) {
 120                         attr = argv[ 0 ];
 121                 }
 122
 123                 val.bv_val = strchr( attr, ':' );
 124                 if ( val.bv_val != NULL ) {
 125                         val.bv_val[0] = '\0';
 126                         val.bv_val++;
 127                         val.bv_len = strlen( val.bv_val );
 128                         valp = &val;
 129                 }
 130
 131                 accessstr = strchr( attr, '/' );
 132                 if ( accessstr != NULL ) {
 133                         accessstr[0] = '\0';
 134                         accessstr++;
 135                         access = str2access( accessstr );
 136                         if ( access == ACL_INVALID_ACCESS ) {
 137                                 fprintf( stderr, "unknown access \"%s\" for attribute \"%s\"\n",
 138                                                 accessstr, attr );
 139                                 if ( continuemode ) {
 140                                         continue;
 141                                 }
 142                                 break;
 143                         }
 144                 }
 145
 146                 rc = slap_str2ad( attr, &desc, &text );
 147                 if ( rc != LDAP_SUCCESS ) {
 148                         fprintf( stderr, "slap_str2ad(%s) failed %d (%s)\n",
 149                                         attr, rc, ldap_err2string( rc ) );
 150                         if ( continuemode ) {
 151                                 continue;
 152                         }
 153                         break;
 154                 }
 155
 156                 rc = access_allowed_mask( op, &e, desc, valp, access,
 157                                 NULL, &mask );
 158
 159                 if ( accessstr ) {
 160                         fprintf( stderr, "%s access to %s%s%s: %s\n",
 161                                         accessstr,
 162                                         desc->ad_cname.bv_val,
 163                                         val.bv_val ? "=" : "",
 164                                         val.bv_val ? val.bv_val : "",
 165                                         rc ? "ALLOWED" : "DENIED" );
 166
 167                 } else {
 168                         fprintf( stderr, "%s%s%s: %s\n",
 169                                         desc->ad_cname.bv_val,
 170                                         val.bv_val ? "=" : "",
 171                                         val.bv_val ? val.bv_val : "",
 172                                         accessmask2str( mask, accessmaskbuf, 1 ) );
 173                 }
 174                 rc = 0;
 175                 attr = NULL;
 176         }
 177
 178 destroy:;
 179         slap_tool_destroy();
 180
 181         return rc;
 182 }
 183