]> git.sur5r.net Git - openldap/blob - servers/slapd/slapacl.c
projects / openldap / blob
? search:


7d967db27a4566f0a3816663489a82ce9805c213
[openldap] / servers / slapd / slapacl.c
1 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
2  *
3  * Copyright 2004-2005 The OpenLDAP Foundation.
4  * Portions Copyright 2004 Pierangelo Masarati.
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted only as authorized by the OpenLDAP
9  * Public License.
10  *
11  * A copy of this license is available in file LICENSE in the
12  * top-level directory of the distribution or, alternatively, at
13  * <http://www.OpenLDAP.org/license.html>.
14  */
15 /* ACKNOWLEDGEMENTS:
16  * This work was initially developed by Pierangelo Masarati for inclusion
17  * in OpenLDAP Software.
18  */
19
20 #include "portable.h"
21
22 #include <stdio.h>
23
24 #include <ac/stdlib.h>
25
26 #include <ac/ctype.h>
27 #include <ac/string.h>
28 #include <ac/socket.h>
29 #include <ac/unistd.h>
30
31 #include <lber.h>
32 #include <ldif.h>
33 #include <lutil.h>
34
35 #include "slapcommon.h"
36
37 static int
38 print_access(
39         Operation               *op,
40         Entry                   *e,
41         AttributeDescription    *desc,
42         struct berval           *val,
43         struct berval           *nval )
44 {
45         int                     rc;
46         slap_mask_t             mask;
47         char                    accessmaskbuf[ACCESSMASK_MAXLEN];
48         slap_access_t           access = ACL_AUTH;
49
50         rc = access_allowed_mask( op, e, desc, nval, ACL_AUTH, NULL, &mask );
51
52         fprintf( stderr, "%s%s%s: %s\n",
53                         desc->ad_cname.bv_val,
54                         ( val && !BER_BVISNULL( val ) ) ? "=" : "",
55                         ( val && !BER_BVISNULL( val ) ) ?
56                                 ( desc == slap_schema.si_ad_userPassword ? "****" : val->bv_val ) : "",
57                         accessmask2str( mask, accessmaskbuf, 1 ) );
58
59         return rc;
60 }
61
62 int
63 slapacl( int argc, char **argv )
64 {
65         int                     rc = EXIT_SUCCESS;
66         const char              *progname = "slapacl";
67         Connection              conn = { 0 };
68         Listener                listener;
69         char                    opbuf[OPERATION_BUFFER_SIZE];
70         Operation               *op;
71         Entry                   e = { 0 }, *ep = &e;
72         char                    *attr = NULL;
73         int                     doclose = 0;
74
75         slap_tool_init( progname, SLAPACL, argc, argv );
76
77         argv = &argv[ optind ];
78         argc -= optind;
79
80         op = (Operation *)opbuf;
81         connection_fake_init( &conn, op, &conn );
82
83         conn.c_listener = &listener;
84         conn.c_listener_url = listener_url;
85         conn.c_peer_domain = peer_domain;
86         conn.c_peer_name = peer_name;
87         conn.c_sock_name = sock_name;
88         op->o_ssf = ssf;
89         op->o_transport_ssf = transport_ssf;
90         op->o_tls_ssf = tls_ssf;
91         op->o_sasl_ssf = sasl_ssf;
92
93         if ( !BER_BVISNULL( &authcID ) ) {
94                 if ( !BER_BVISNULL( &authcDN ) ) {
95                         fprintf( stderr, "both authcID=\"%s\" "
96                                         "and authcDN=\"%s\" provided\n",
97                                         authcID.bv_val, authcDN.bv_val );
98                         rc = 1;
99                         goto destroy;
100                 }
101
102                 rc = slap_sasl_getdn( &conn, op, &authcID, NULL,
103                                 &authcDN, SLAP_GETDN_AUTHCID );
104                 if ( rc != LDAP_SUCCESS ) {
105                         fprintf( stderr, "authcID: <%s> check failed %d (%s)\n",
106                                         authcID.bv_val, rc,
107                                         ldap_err2string( rc ) );
108                         rc = 1;
109                         goto destroy;
110                 }
111
112         } else if ( !BER_BVISNULL( &authcDN ) ) {
113                 struct berval   ndn;
114
115                 rc = dnNormalize( 0, NULL, NULL, &authcDN, &ndn, NULL );
116                 if ( rc != LDAP_SUCCESS ) {
117                         fprintf( stderr, "autchDN=\"%s\" normalization failed %d (%s)\n",
118                                         authcDN.bv_val, rc,
119                                         ldap_err2string( rc ) );
120                         rc = 1;
121                         goto destroy;
122                 }
123                 ch_free( authcDN.bv_val );
124                 authcDN = ndn;
125         }
126
127         if ( !BER_BVISNULL( &authzID ) ) {
128                 if ( !BER_BVISNULL( &authzDN ) ) {
129                         fprintf( stderr, "both authzID=\"%s\" "
130                                         "and authzDN=\"%s\" provided\n",
131                                         authzID.bv_val, authzDN.bv_val );
132                         rc = 1;
133                         goto destroy;
134                 }
135
136                 rc = slap_sasl_getdn( &conn, op, &authzID, NULL,
137                                 &authzDN, SLAP_GETDN_AUTHZID );
138                 if ( rc != LDAP_SUCCESS ) {
139                         fprintf( stderr, "authzID: <%s> check failed %d (%s)\n",
140                                         authzID.bv_val, rc,
141                                         ldap_err2string( rc ) );
142                         rc = 1;
143                         goto destroy;
144                 }
145
146         } else if ( !BER_BVISNULL( &authzDN ) ) {
147                 struct berval   ndn;
148
149                 rc = dnNormalize( 0, NULL, NULL, &authzDN, &ndn, NULL );
150                 if ( rc != LDAP_SUCCESS ) {
151                         fprintf( stderr, "autchDN=\"%s\" normalization failed %d (%s)\n",
152                                         authzDN.bv_val, rc,
153                                         ldap_err2string( rc ) );
154                         rc = 1;
155                         goto destroy;
156                 }
157                 ch_free( authzDN.bv_val );
158                 authzDN = ndn;
159         }
160
161
162         if ( !BER_BVISNULL( &authcDN ) ) {
163                 fprintf( stderr, "authcDN: \"%s\"\n", authcDN.bv_val );
164         }
165
166         if ( !BER_BVISNULL( &authzDN ) ) {
167                 fprintf( stderr, "authzDN: \"%s\"\n", authzDN.bv_val );
168         }
169
170         if ( !BER_BVISNULL( &authzDN ) ) {
171                 op->o_dn = authzDN;
172                 op->o_ndn = authzDN;
173                 
174                 if ( !BER_BVISNULL( &authcDN ) ) {
175                         op->o_conn->c_dn = authcDN;
176                         op->o_conn->c_ndn = authcDN;
177
178                 } else {
179                         op->o_conn->c_dn = authzDN;
180                         op->o_conn->c_ndn = authzDN;
181                 }
182
183         } else if ( !BER_BVISNULL( &authcDN ) ) {
184                 op->o_conn->c_dn = authcDN;
185                 op->o_conn->c_ndn = authcDN;
186                 op->o_dn = authcDN;
187                 op->o_ndn = authcDN;
188         }
189
190         assert( !BER_BVISNULL( &baseDN ) );
191         rc = dnPrettyNormal( NULL, &baseDN, &e.e_name, &e.e_nname, NULL );
192         if ( rc != LDAP_SUCCESS ) {
193                 fprintf( stderr, "base=\"%s\" normalization failed %d (%s)\n",
194                                 baseDN.bv_val, rc,
195                                 ldap_err2string( rc ) );
196                 rc = 1;
197                 goto destroy;
198         }
199
200         op->o_bd = be;
201         if ( !dryrun && be ) {
202                 ID      id;
203
204                 if ( !be->be_entry_open ||
205                         !be->be_entry_close ||
206                         !be->be_dn2id_get ||
207                         !be->be_entry_get )
208                 {
209                         fprintf( stderr, "%s: target database "
210                                 "doesn't support necessary operations; "
211                                 "you may try with \"-u\" (dry run).\n",
212                                 progname );
213                         rc = 1;
214                         goto destroy;
215                 }
216
217                 if ( be->be_entry_open( be, 0 ) != 0 ) {
218                         fprintf( stderr, "%s: could not open database.\n",
219                                 progname );
220                         rc = 1;
221                         goto destroy;
222                 }
223
224                 doclose = 1;
225
226                 id = be->be_dn2id_get( be, &e.e_nname );
227                 if ( id == NOID ) {
228                         fprintf( stderr, "%s: unable to fetch ID of DN \"%s\"\n",
229                                 progname, e.e_nname.bv_val );
230                         rc = 1;
231                         goto destroy;
232                 }
233                 if ( be->be_id2entry_get( be, id, &ep ) != 0 ) {
234                         fprintf( stderr, "%s: unable to fetch entry \"%s\" (%lu)\n",
235                                 progname, e.e_nname.bv_val, id );
236                         rc = 1;
237                         goto destroy;
238
239                 }
240
241                 if ( argc == 0 ) {
242                         Attribute       *a;
243
244                         (void)print_access( op, ep, slap_schema.si_ad_entry, NULL, NULL );
245                         (void)print_access( op, ep, slap_schema.si_ad_children, NULL, NULL );
246
247                         for ( a = ep->e_attrs; a; a = a->a_next ) {
248                                 int     i;
249
250                                 for ( i = 0; !BER_BVISNULL( &a->a_nvals[ i ] ); i++ ) {
251                                         (void)print_access( op, ep, a->a_desc,
252                                                         &a->a_vals[ i ],
253                                                         &a->a_nvals[ i ] );
254                                 }
255                         }
256                 }
257         }
258
259         for ( ; argc--; argv++ ) {
260                 slap_mask_t             mask;
261                 AttributeDescription    *desc = NULL;
262                 struct berval           val = BER_BVNULL,
263                                         *valp = NULL;
264                 const char              *text;
265                 char                    accessmaskbuf[ACCESSMASK_MAXLEN];
266                 char                    *accessstr;
267                 slap_access_t           access = ACL_AUTH;
268
269                 if ( attr == NULL ) {
270                         attr = argv[ 0 ];
271                 }
272
273                 val.bv_val = strchr( attr, ':' );
274                 if ( val.bv_val != NULL ) {
275                         val.bv_val[0] = '\0';
276                         val.bv_val++;
277                         val.bv_len = strlen( val.bv_val );
278                         valp = &val;
279                 }
280
281                 accessstr = strchr( attr, '/' );
282                 if ( accessstr != NULL ) {
283                         accessstr[0] = '\0';
284                         accessstr++;
285                         access = str2access( accessstr );
286                         if ( access == ACL_INVALID_ACCESS ) {
287                                 fprintf( stderr, "unknown access \"%s\" for attribute \"%s\"\n",
288                                                 accessstr, attr );
289                                 if ( continuemode ) {
290                                         continue;
291                                 }
292                                 break;
293                         }
294                 }
295
296                 rc = slap_str2ad( attr, &desc, &text );
297                 if ( rc != LDAP_SUCCESS ) {
298                         fprintf( stderr, "slap_str2ad(%s) failed %d (%s)\n",
299                                         attr, rc, ldap_err2string( rc ) );
300                         if ( continuemode ) {
301                                 continue;
302                         }
303                         break;
304                 }
305
306                 rc = access_allowed_mask( op, ep, desc, valp, access,
307                                 NULL, &mask );
308
309                 if ( accessstr ) {
310                         fprintf( stderr, "%s access to %s%s%s: %s\n",
311                                         accessstr,
312                                         desc->ad_cname.bv_val,
313                                         val.bv_val ? "=" : "",
314                                         val.bv_val ? val.bv_val : "",
315                                         rc ? "ALLOWED" : "DENIED" );
316
317                 } else {
318                         fprintf( stderr, "%s%s%s: %s\n",
319                                         desc->ad_cname.bv_val,
320                                         val.bv_val ? "=" : "",
321                                         val.bv_val ? val.bv_val : "",
322                                         accessmask2str( mask, accessmaskbuf, 1 ) );
323                 }
324                 rc = 0;
325                 attr = NULL;
326         }
327
328 destroy:;
329         if ( !BER_BVISNULL( &e.e_name ) ) {
330                 ber_memfree( e.e_name.bv_val );
331         }
332         if ( !BER_BVISNULL( &e.e_nname ) ) {
333                 ber_memfree( e.e_nname.bv_val );
334         }
335         if ( !dryrun && be ) {
336                 if ( ep != &e ) {
337                         be_entry_release_r( op, ep );
338                 }
339                 if ( doclose ) {
340                         be->be_entry_close( be );
341                 }
342         }
343
344         slap_tool_destroy();
345
346         return rc;
347 }
348
Cloned from git://git.openldap.org/openldap.git