git.sur5r.net Git - openldap/blob - servers/slapd/slapacl.c

   1 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
   2  *
   3  * Copyright 2004-2005 The OpenLDAP Foundation.
   4  * Portions Copyright 2004 Pierangelo Masarati.
   5  * All rights reserved.
   6  *
   7  * Redistribution and use in source and binary forms, with or without
   8  * modification, are permitted only as authorized by the OpenLDAP
   9  * Public License.
  10  *
  11  * A copy of this license is available in file LICENSE in the
  12  * top-level directory of the distribution or, alternatively, at
  13  * <http://www.OpenLDAP.org/license.html>.
  14  */
  15 /* ACKNOWLEDGEMENTS:
  16  * This work was initially developed by Pierangelo Masarati for inclusion
  17  * in OpenLDAP Software.
  18  */
  19
  20 #include "portable.h"
  21
  22 #include <stdio.h>
  23
  24 #include <ac/stdlib.h>
  25
  26 #include <ac/ctype.h>
  27 #include <ac/string.h>
  28 #include <ac/socket.h>
  29 #include <ac/unistd.h>
  30
  31 #include <lber.h>
  32 #include <ldif.h>
  33 #include <lutil.h>
  34
  35 #include "slapcommon.h"
  36
  37 static int
  38 print_access(
  39         Operation               *op,
  40         Entry                   *e,
  41         AttributeDescription    *desc,
  42         struct berval           *val,
  43         struct berval           *nval )
  44 {
  45         int                     rc;
  46         slap_mask_t             mask;
  47         char                    accessmaskbuf[ACCESSMASK_MAXLEN];
  48         slap_access_t           access = ACL_AUTH;
  49
  50         rc = access_allowed_mask( op, e, desc, nval, ACL_AUTH, NULL, &mask );
  51
  52         fprintf( stderr, "%s%s%s: %s\n",
  53                         desc->ad_cname.bv_val,
  54                         ( val && !BER_BVISNULL( val ) ) ? "=" : "",
  55                         ( val && !BER_BVISNULL( val ) ) ?
  56                                 ( desc == slap_schema.si_ad_userPassword ? "****" : val->bv_val ) : "",
  57                         accessmask2str( mask, accessmaskbuf, 1 ) );
  58
  59         return rc;
  60 }
  61
  62 int
  63 slapacl( int argc, char **argv )
  64 {
  65         int                     rc = EXIT_SUCCESS;
  66         const char              *progname = "slapacl";
  67         Connection              conn = { 0 };
  68         Listener                listener;
  69         char                    opbuf[OPERATION_BUFFER_SIZE];
  70         Operation               *op;
  71         Entry                   e = { 0 }, *ep = &e;
  72         char                    *attr = NULL;
  73
  74         slap_tool_init( progname, SLAPACL, argc, argv );
  75
  76         argv = &argv[ optind ];
  77         argc -= optind;
  78
  79         op = (Operation *)opbuf;
  80         connection_fake_init( &conn, op, &conn );
  81
  82         conn.c_listener = &listener;
  83         conn.c_listener_url = listener_url;
  84         conn.c_peer_domain = peer_domain;
  85         conn.c_peer_name = peer_name;
  86         conn.c_sock_name = sock_name;
  87         op->o_ssf = ssf;
  88         op->o_transport_ssf = transport_ssf;
  89         op->o_tls_ssf = tls_ssf;
  90         op->o_sasl_ssf = sasl_ssf;
  91
  92         if ( !BER_BVISNULL( &authcID ) ) {
  93                 rc = slap_sasl_getdn( &conn, op, &authcID, NULL,
  94                                 &authcDN, SLAP_GETDN_AUTHCID );
  95                 if ( rc != LDAP_SUCCESS ) {
  96                         fprintf( stderr, "ID: <%s> check failed %d (%s)\n",
  97                                         authcID.bv_val, rc,
  98                                         ldap_err2string( rc ) );
  99                         rc = 1;
 100                         goto destroy;
 101                 }
 102
 103         } else if ( !BER_BVISNULL( &authcDN ) ) {
 104                 struct berval   ndn;
 105
 106                 rc = dnNormalize( 0, NULL, NULL, &authcDN, &ndn, NULL );
 107                 if ( rc != LDAP_SUCCESS ) {
 108                         fprintf( stderr, "autchDN=\"%s\" normalization failed %d (%s)\n",
 109                                         authcDN.bv_val, rc,
 110                                         ldap_err2string( rc ) );
 111                         rc = 1;
 112                         goto destroy;
 113                 }
 114                 ch_free( authcDN.bv_val );
 115                 authcDN = ndn;
 116         }
 117
 118
 119         if ( !BER_BVISNULL( &authcDN ) ) {
 120                 fprintf( stderr, "DN: \"%s\"\n", authcDN.bv_val );
 121         }
 122
 123         assert( !BER_BVISNULL( &baseDN ) );
 124         rc = dnPrettyNormal( NULL, &baseDN, &e.e_name, &e.e_nname, NULL );
 125         if ( rc != LDAP_SUCCESS ) {
 126                 fprintf( stderr, "base=\"%s\" normalization failed %d (%s)\n",
 127                                 baseDN.bv_val, rc,
 128                                 ldap_err2string( rc ) );
 129                 rc = 1;
 130                 goto destroy;
 131         }
 132
 133         op->o_bd = be;
 134         if ( !BER_BVISNULL( &authcDN ) ) {
 135                 op->o_dn = authcDN;
 136                 op->o_ndn = authcDN;
 137         }
 138
 139         if ( !dryrun ) {
 140                 ID      id;
 141
 142                 if ( !be->be_entry_open ||
 143                         !be->be_entry_close ||
 144                         !be->be_dn2id_get ||
 145                         !be->be_entry_get )
 146                 {
 147                         fprintf( stderr, "%s: target database "
 148                                 "doesn't support necessary operations; "
 149                                 "you may try with \"-u\" (dry run).\n",
 150                                 progname );
 151                         rc = 1;
 152                         goto destroy;
 153                 }
 154
 155                 if ( be->be_entry_open( be, 0 ) != 0 ) {
 156                         fprintf( stderr, "%s: could not open database.\n",
 157                                 progname );
 158                         rc = 1;
 159                         goto destroy;
 160                 }
 161
 162                 id = be->be_dn2id_get( be, &e.e_nname );
 163                 if ( id == NOID ) {
 164                         fprintf( stderr, "%s: unable to fetch ID of DN \"%s\"\n",
 165                                 progname, e.e_nname.bv_val );
 166                         rc = 1;
 167                         goto destroy;
 168                 }
 169                 if ( be->be_id2entry_get( be, id, &ep ) != 0 ) {
 170                         fprintf( stderr, "%s: unable to fetch entry \"%s\" (%lu)\n",
 171                                 progname, e.e_nname.bv_val, id );
 172                         rc = 1;
 173                         goto destroy;
 174
 175                 }
 176
 177                 if ( argc == 0 ) {
 178                         Attribute       *a;
 179
 180                         (void)print_access( op, ep, slap_schema.si_ad_entry, NULL, NULL );
 181                         (void)print_access( op, ep, slap_schema.si_ad_children, NULL, NULL );
 182
 183                         for ( a = ep->e_attrs; a; a = a->a_next ) {
 184                                 int     i;
 185
 186                                 for ( i = 0; !BER_BVISNULL( &a->a_nvals[ i ] ); i++ ) {
 187                                         (void)print_access( op, ep, a->a_desc,
 188                                                         &a->a_vals[ i ],
 189                                                         &a->a_nvals[ i ] );
 190                                 }
 191                         }
 192                 }
 193         }
 194
 195         for ( ; argc--; argv++ ) {
 196                 slap_mask_t             mask;
 197                 AttributeDescription    *desc = NULL;
 198                 struct berval           val = BER_BVNULL,
 199                                         *valp = NULL;
 200                 const char              *text;
 201                 char                    accessmaskbuf[ACCESSMASK_MAXLEN];
 202                 char                    *accessstr;
 203                 slap_access_t           access = ACL_AUTH;
 204
 205                 if ( attr == NULL ) {
 206                         attr = argv[ 0 ];
 207                 }
 208
 209                 val.bv_val = strchr( attr, ':' );
 210                 if ( val.bv_val != NULL ) {
 211                         val.bv_val[0] = '\0';
 212                         val.bv_val++;
 213                         val.bv_len = strlen( val.bv_val );
 214                         valp = &val;
 215                 }
 216
 217                 accessstr = strchr( attr, '/' );
 218                 if ( accessstr != NULL ) {
 219                         accessstr[0] = '\0';
 220                         accessstr++;
 221                         access = str2access( accessstr );
 222                         if ( access == ACL_INVALID_ACCESS ) {
 223                                 fprintf( stderr, "unknown access \"%s\" for attribute \"%s\"\n",
 224                                                 accessstr, attr );
 225                                 if ( continuemode ) {
 226                                         continue;
 227                                 }
 228                                 break;
 229                         }
 230                 }
 231
 232                 rc = slap_str2ad( attr, &desc, &text );
 233                 if ( rc != LDAP_SUCCESS ) {
 234                         fprintf( stderr, "slap_str2ad(%s) failed %d (%s)\n",
 235                                         attr, rc, ldap_err2string( rc ) );
 236                         if ( continuemode ) {
 237                                 continue;
 238                         }
 239                         break;
 240                 }
 241
 242                 rc = access_allowed_mask( op, ep, desc, valp, access,
 243                                 NULL, &mask );
 244
 245                 if ( accessstr ) {
 246                         fprintf( stderr, "%s access to %s%s%s: %s\n",
 247                                         accessstr,
 248                                         desc->ad_cname.bv_val,
 249                                         val.bv_val ? "=" : "",
 250                                         val.bv_val ? val.bv_val : "",
 251                                         rc ? "ALLOWED" : "DENIED" );
 252
 253                 } else {
 254                         fprintf( stderr, "%s%s%s: %s\n",
 255                                         desc->ad_cname.bv_val,
 256                                         val.bv_val ? "=" : "",
 257                                         val.bv_val ? val.bv_val : "",
 258                                         accessmask2str( mask, accessmaskbuf, 1 ) );
 259                 }
 260                 rc = 0;
 261                 attr = NULL;
 262         }
 263
 264 destroy:;
 265         ber_memfree( e.e_name.bv_val );
 266         ber_memfree( e.e_nname.bv_val );
 267         if ( !dryrun ) {
 268                 if ( ep != &e ) {
 269                         be_entry_release_r( op, ep );
 270                 }
 271                 be->be_entry_close( be );
 272         }
 273
 274         slap_tool_destroy();
 275
 276         return rc;
 277 }
 278