git.sur5r.net Git - openldap/blob - servers/slapd/slapacl.c

   1 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
   2  *
   3  * Copyright 2004-2005 The OpenLDAP Foundation.
   4  * Portions Copyright 2004 Pierangelo Masarati.
   5  * All rights reserved.
   6  *
   7  * Redistribution and use in source and binary forms, with or without
   8  * modification, are permitted only as authorized by the OpenLDAP
   9  * Public License.
  10  *
  11  * A copy of this license is available in file LICENSE in the
  12  * top-level directory of the distribution or, alternatively, at
  13  * <http://www.OpenLDAP.org/license.html>.
  14  */
  15 /* ACKNOWLEDGEMENTS:
  16  * This work was initially developed by Pierangelo Masarati for inclusion
  17  * in OpenLDAP Software.
  18  */
  19
  20 #include "portable.h"
  21
  22 #include <stdio.h>
  23
  24 #include <ac/stdlib.h>
  25
  26 #include <ac/ctype.h>
  27 #include <ac/string.h>
  28 #include <ac/socket.h>
  29 #include <ac/unistd.h>
  30
  31 #include <lber.h>
  32 #include <ldif.h>
  33 #include <lutil.h>
  34
  35 #include "slapcommon.h"
  36
  37 int
  38 slapacl( int argc, char **argv )
  39 {
  40         int                     rc = EXIT_SUCCESS;
  41         const char              *progname = "slapacl";
  42         Connection              conn = { 0 };
  43         Listener                listener;
  44         char                    opbuf[OPERATION_BUFFER_SIZE];
  45         Operation               *op;
  46         Entry                   e = { 0 }, *ep = &e;
  47         char                    *attr = NULL;
  48
  49         slap_tool_init( progname, SLAPACL, argc, argv );
  50
  51         argv = &argv[ optind ];
  52         argc -= optind;
  53
  54         op = (Operation *)opbuf;
  55         connection_fake_init( &conn, op, &conn );
  56
  57         conn.c_listener = &listener;
  58         conn.c_listener_url = listener_url;
  59         conn.c_peer_domain = peer_domain;
  60         conn.c_peer_name = peer_name;
  61         conn.c_sock_name = sock_name;
  62         op->o_ssf = ssf;
  63         op->o_transport_ssf = transport_ssf;
  64         op->o_tls_ssf = tls_ssf;
  65         op->o_sasl_ssf = sasl_ssf;
  66
  67         if ( !BER_BVISNULL( &authcID ) ) {
  68                 rc = slap_sasl_getdn( &conn, op, &authcID, NULL,
  69                                 &authcDN, SLAP_GETDN_AUTHCID );
  70                 if ( rc != LDAP_SUCCESS ) {
  71                         fprintf( stderr, "ID: <%s> check failed %d (%s)\n",
  72                                         authcID.bv_val, rc,
  73                                         ldap_err2string( rc ) );
  74                         rc = 1;
  75                         goto destroy;
  76                 }
  77
  78         } else if ( !BER_BVISNULL( &authcDN ) ) {
  79                 struct berval   ndn;
  80
  81                 rc = dnNormalize( 0, NULL, NULL, &authcDN, &ndn, NULL );
  82                 if ( rc != LDAP_SUCCESS ) {
  83                         fprintf( stderr, "autchDN=\"%s\" normalization failed %d (%s)\n",
  84                                         authcDN.bv_val, rc,
  85                                         ldap_err2string( rc ) );
  86                         rc = 1;
  87                         goto destroy;
  88                 }
  89                 ch_free( authcDN.bv_val );
  90                 authcDN = ndn;
  91         }
  92
  93
  94         if ( !BER_BVISNULL( &authcDN ) ) {
  95                 fprintf( stderr, "DN: \"%s\"\n", authcDN.bv_val );
  96         }
  97
  98         assert( !BER_BVISNULL( &baseDN ) );
  99         rc = dnPrettyNormal( NULL, &baseDN, &e.e_name, &e.e_nname, NULL );
 100         if ( rc != LDAP_SUCCESS ) {
 101                 fprintf( stderr, "base=\"%s\" normalization failed %d (%s)\n",
 102                                 baseDN.bv_val, rc,
 103                                 ldap_err2string( rc ) );
 104                 rc = 1;
 105                 goto destroy;
 106         }
 107
 108         op->o_bd = be;
 109         if ( !BER_BVISNULL( &authcDN ) ) {
 110                 op->o_dn = authcDN;
 111                 op->o_ndn = authcDN;
 112         }
 113
 114         if ( argc == 0 ) {
 115                 argc = 1;
 116                 attr = slap_schema.si_ad_entry->ad_cname.bv_val;
 117         }
 118
 119         if ( !dryrun ) {
 120                 ID      id;
 121
 122                 if ( !be->be_entry_open ||
 123                         !be->be_entry_close ||
 124                         !be->be_dn2id_get ||
 125                         !be->be_entry_get )
 126                 {
 127                         fprintf( stderr, "%s: target database "
 128                                 "doesn't support necessary operations; "
 129                                 "you may try with \"-u\" (dry run).\n",
 130                                 progname );
 131                         rc = 1;
 132                         goto destroy;
 133                 }
 134
 135                 if ( be->be_entry_open( be, 0 ) != 0 ) {
 136                         fprintf( stderr, "%s: could not open database.\n",
 137                                 progname );
 138                         rc = 1;
 139                         goto destroy;
 140                 }
 141
 142                 id = be->be_dn2id_get( be, &e.e_nname );
 143                 if ( id == NOID ) {
 144                         fprintf( stderr, "%s: unable to fetch ID of DN \"%s\"\n",
 145                                 progname, e.e_nname.bv_val );
 146                         rc = 1;
 147                         goto destroy;
 148                 }
 149                 if ( be->be_id2entry_get( be, id, &ep ) != 0 ) {
 150                         fprintf( stderr, "%s: unable to fetch entry \"%s\" (%lu)\n",
 151                                 progname, e.e_nname.bv_val, id );
 152                         rc = 1;
 153                         goto destroy;
 154
 155                 }
 156         }
 157
 158         for ( ; argc--; argv++ ) {
 159                 slap_mask_t             mask;
 160                 AttributeDescription    *desc = NULL;
 161                 int                     rc;
 162                 struct berval           val = BER_BVNULL,
 163                                         *valp = NULL;
 164                 const char              *text;
 165                 char                    accessmaskbuf[ACCESSMASK_MAXLEN];
 166                 char                    *accessstr;
 167                 slap_access_t           access = ACL_AUTH;
 168
 169                 if ( attr == NULL ) {
 170                         attr = argv[ 0 ];
 171                 }
 172
 173                 val.bv_val = strchr( attr, ':' );
 174                 if ( val.bv_val != NULL ) {
 175                         val.bv_val[0] = '\0';
 176                         val.bv_val++;
 177                         val.bv_len = strlen( val.bv_val );
 178                         valp = &val;
 179                 }
 180
 181                 accessstr = strchr( attr, '/' );
 182                 if ( accessstr != NULL ) {
 183                         accessstr[0] = '\0';
 184                         accessstr++;
 185                         access = str2access( accessstr );
 186                         if ( access == ACL_INVALID_ACCESS ) {
 187                                 fprintf( stderr, "unknown access \"%s\" for attribute \"%s\"\n",
 188                                                 accessstr, attr );
 189                                 if ( continuemode ) {
 190                                         continue;
 191                                 }
 192                                 break;
 193                         }
 194                 }
 195
 196                 rc = slap_str2ad( attr, &desc, &text );
 197                 if ( rc != LDAP_SUCCESS ) {
 198                         fprintf( stderr, "slap_str2ad(%s) failed %d (%s)\n",
 199                                         attr, rc, ldap_err2string( rc ) );
 200                         if ( continuemode ) {
 201                                 continue;
 202                         }
 203                         break;
 204                 }
 205
 206                 rc = access_allowed_mask( op, ep, desc, valp, access,
 207                                 NULL, &mask );
 208
 209                 if ( accessstr ) {
 210                         fprintf( stderr, "%s access to %s%s%s: %s\n",
 211                                         accessstr,
 212                                         desc->ad_cname.bv_val,
 213                                         val.bv_val ? "=" : "",
 214                                         val.bv_val ? val.bv_val : "",
 215                                         rc ? "ALLOWED" : "DENIED" );
 216
 217                 } else {
 218                         fprintf( stderr, "%s%s%s: %s\n",
 219                                         desc->ad_cname.bv_val,
 220                                         val.bv_val ? "=" : "",
 221                                         val.bv_val ? val.bv_val : "",
 222                                         accessmask2str( mask, accessmaskbuf, 1 ) );
 223                 }
 224                 rc = 0;
 225                 attr = NULL;
 226         }
 227
 228 destroy:;
 229         ber_memfree( e.e_name.bv_val );
 230         ber_memfree( e.e_nname.bv_val );
 231         if ( !dryrun ) {
 232                 if ( ep != &e ) {
 233                         be_entry_release_r( op, ep );
 234                 }
 235                 be->be_entry_close( be );
 236         }
 237
 238         slap_tool_destroy();
 239
 240         return rc;
 241 }
 242