]> git.sur5r.net Git - openldap/blob - servers/slapd/slapacl.c
Merge remote-tracking branch 'origin/mdb.master' into OPENLDAP_REL_ENG_2_5
[openldap] / servers / slapd / slapacl.c
1 /* $OpenLDAP$ */
2 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
3  *
4  * Copyright 2004-2014 The OpenLDAP Foundation.
5  * Portions Copyright 2004 Pierangelo Masarati.
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted only as authorized by the OpenLDAP
10  * Public License.
11  *
12  * A copy of this license is available in file LICENSE in the
13  * top-level directory of the distribution or, alternatively, at
14  * <http://www.OpenLDAP.org/license.html>.
15  */
16 /* ACKNOWLEDGEMENTS:
17  * This work was initially developed by Pierangelo Masarati for inclusion
18  * in OpenLDAP Software.
19  */
20
21 #include "portable.h"
22
23 #include <stdio.h>
24
25 #include <ac/stdlib.h>
26
27 #include <ac/ctype.h>
28 #include <ac/string.h>
29 #include <ac/socket.h>
30 #include <ac/unistd.h>
31
32 #include <lber.h>
33 #include <ldif.h>
34 #include <lutil.h>
35
36 #include "slapcommon.h"
37
38 static int
39 print_access(
40         Operation               *op,
41         Entry                   *e,
42         AttributeDescription    *desc,
43         struct berval           *val,
44         struct berval           *nval )
45 {
46         int                     rc;
47         slap_mask_t             mask;
48         char                    accessmaskbuf[ACCESSMASK_MAXLEN];
49
50         rc = access_allowed_mask( op, e, desc, nval, ACL_AUTH, NULL, &mask );
51
52         fprintf( stderr, "%s%s%s: %s\n",
53                         desc->ad_cname.bv_val,
54                         ( val && !BER_BVISNULL( val ) ) ? "=" : "",
55                         ( val && !BER_BVISNULL( val ) ) ?
56                                 ( desc == slap_schema.si_ad_userPassword ?
57                                         "****" : val->bv_val ) : "",
58                         accessmask2str( mask, accessmaskbuf, 1 ) );
59
60         return rc;
61 }
62
63 int
64 slapacl( int argc, char **argv )
65 {
66         int                     rc = EXIT_SUCCESS;
67         const char              *progname = "slapacl";
68         Connection              conn = { 0 };
69         Listener                listener;
70         OperationBuffer opbuf;
71         Operation               *op = NULL;
72         Entry                   e = { 0 }, *ep = &e;
73         char                    *attr = NULL;
74         int                     doclose = 0;
75         BackendDB               *bd;
76         void                    *thrctx;
77
78         slap_tool_init( progname, SLAPACL, argc, argv );
79
80         if ( !dryrun ) {
81                 int     i = 0;
82
83                 LDAP_STAILQ_FOREACH( bd, &backendDB, be_next ) {
84                         if ( bd != be && backend_startup( bd ) ) {
85                                 fprintf( stderr, "backend_startup(#%d%s%s) failed\n",
86                                                 i,
87                                                 bd->be_suffix ? ": " : "",
88                                                 bd->be_suffix ? bd->be_suffix[0].bv_val : "" );
89                                 rc = 1;
90                                 goto destroy;
91                         }
92
93                         i++;
94                 }
95         }
96
97         argv = &argv[ optind ];
98         argc -= optind;
99
100         thrctx = ldap_pvt_thread_pool_context();
101         connection_fake_init( &conn, &opbuf, thrctx );
102         op = &opbuf.ob_op;
103         op->o_tmpmemctx = NULL;
104
105         conn.c_listener = &listener;
106         conn.c_listener_url = listener_url;
107         conn.c_peer_domain = peer_domain;
108         conn.c_peer_name = peer_name;
109         conn.c_sock_name = sock_name;
110         op->o_ssf = ssf;
111         op->o_transport_ssf = transport_ssf;
112         op->o_tls_ssf = tls_ssf;
113         op->o_sasl_ssf = sasl_ssf;
114
115         if ( !BER_BVISNULL( &authcID ) ) {
116                 if ( !BER_BVISNULL( &authcDN ) ) {
117                         fprintf( stderr, "both authcID=\"%s\" "
118                                         "and authcDN=\"%s\" provided\n",
119                                         authcID.bv_val, authcDN.bv_val );
120                         rc = 1;
121                         goto destroy;
122                 }
123
124                 rc = slap_sasl_getdn( &conn, op, &authcID, NULL,
125                                 &authcDN, SLAP_GETDN_AUTHCID );
126                 if ( rc != LDAP_SUCCESS ) {
127                         fprintf( stderr, "authcID: <%s> check failed %d (%s)\n",
128                                         authcID.bv_val, rc,
129                                         ldap_err2string( rc ) );
130                         rc = 1;
131                         goto destroy;
132                 }
133
134         } else if ( !BER_BVISNULL( &authcDN ) ) {
135                 struct berval   ndn;
136
137                 rc = dnNormalize( 0, NULL, NULL, &authcDN, &ndn, NULL );
138                 if ( rc != LDAP_SUCCESS ) {
139                         fprintf( stderr, "autchDN=\"%s\" normalization failed %d (%s)\n",
140                                         authcDN.bv_val, rc,
141                                         ldap_err2string( rc ) );
142                         rc = 1;
143                         goto destroy;
144                 }
145                 ch_free( authcDN.bv_val );
146                 authcDN = ndn;
147         }
148
149         if ( !BER_BVISNULL( &authzID ) ) {
150                 if ( !BER_BVISNULL( &authzDN ) ) {
151                         fprintf( stderr, "both authzID=\"%s\" "
152                                         "and authzDN=\"%s\" provided\n",
153                                         authzID.bv_val, authzDN.bv_val );
154                         rc = 1;
155                         goto destroy;
156                 }
157
158                 rc = slap_sasl_getdn( &conn, op, &authzID, NULL,
159                                 &authzDN, SLAP_GETDN_AUTHZID );
160                 if ( rc != LDAP_SUCCESS ) {
161                         fprintf( stderr, "authzID: <%s> check failed %d (%s)\n",
162                                         authzID.bv_val, rc,
163                                         ldap_err2string( rc ) );
164                         rc = 1;
165                         goto destroy;
166                 }
167
168         } else if ( !BER_BVISNULL( &authzDN ) ) {
169                 struct berval   ndn;
170
171                 rc = dnNormalize( 0, NULL, NULL, &authzDN, &ndn, NULL );
172                 if ( rc != LDAP_SUCCESS ) {
173                         fprintf( stderr, "autchDN=\"%s\" normalization failed %d (%s)\n",
174                                         authzDN.bv_val, rc,
175                                         ldap_err2string( rc ) );
176                         rc = 1;
177                         goto destroy;
178                 }
179                 ch_free( authzDN.bv_val );
180                 authzDN = ndn;
181         }
182
183
184         if ( !BER_BVISNULL( &authcDN ) ) {
185                 fprintf( stderr, "authcDN: \"%s\"\n", authcDN.bv_val );
186         }
187
188         if ( !BER_BVISNULL( &authzDN ) ) {
189                 fprintf( stderr, "authzDN: \"%s\"\n", authzDN.bv_val );
190         }
191
192         if ( !BER_BVISNULL( &authzDN ) ) {
193                 op->o_dn = authzDN;
194                 op->o_ndn = authzDN;
195                 
196                 if ( !BER_BVISNULL( &authcDN ) ) {
197                         op->o_conn->c_dn = authcDN;
198                         op->o_conn->c_ndn = authcDN;
199
200                 } else {
201                         op->o_conn->c_dn = authzDN;
202                         op->o_conn->c_ndn = authzDN;
203                 }
204
205         } else if ( !BER_BVISNULL( &authcDN ) ) {
206                 op->o_conn->c_dn = authcDN;
207                 op->o_conn->c_ndn = authcDN;
208                 op->o_dn = authcDN;
209                 op->o_ndn = authcDN;
210         }
211
212         assert( !BER_BVISNULL( &baseDN ) );
213         rc = dnPrettyNormal( NULL, &baseDN, &e.e_name, &e.e_nname, NULL );
214         if ( rc != LDAP_SUCCESS ) {
215                 fprintf( stderr, "base=\"%s\" normalization failed %d (%s)\n",
216                                 baseDN.bv_val, rc,
217                                 ldap_err2string( rc ) );
218                 rc = 1;
219                 goto destroy;
220         }
221
222         op->o_bd = be;
223         if ( op->o_bd == NULL ) {
224                 /* NOTE: if no database could be found (e.g. because
225                  * accessing the rootDSE or so), use the frontendDB
226                  * rules; might need work */
227                 op->o_bd = frontendDB;
228         }
229
230         if ( !dryrun ) {
231                 ID      id;
232
233                 if ( be == NULL ) {
234                         fprintf( stderr, "%s: no target database "
235                                 "has been found for baseDN=\"%s\"; "
236                                 "you may try with \"-u\" (dry run).\n",
237                                 baseDN.bv_val, progname );
238                         rc = 1;
239                         goto destroy;
240                 }
241
242                 if ( !be->be_entry_open ||
243                         !be->be_entry_close ||
244                         !be->be_dn2id_get ||
245                         !be->be_entry_get )
246                 {
247                         fprintf( stderr, "%s: target database "
248                                 "doesn't support necessary operations; "
249                                 "you may try with \"-u\" (dry run).\n",
250                                 progname );
251                         rc = 1;
252                         goto destroy;
253                 }
254
255                 if ( be->be_entry_open( be, 0 ) != 0 ) {
256                         fprintf( stderr, "%s: could not open database.\n",
257                                 progname );
258                         rc = 1;
259                         goto destroy;
260                 }
261
262                 doclose = 1;
263
264                 id = be->be_dn2id_get( be, &e.e_nname );
265                 if ( id == NOID ) {
266                         fprintf( stderr, "%s: unable to fetch ID of DN \"%s\"\n",
267                                 progname, e.e_nname.bv_val );
268                         rc = 1;
269                         goto destroy;
270                 }
271                 ep = be->be_entry_get( be, id );
272                 if ( ep == NULL ) {
273                         fprintf( stderr, "%s: unable to fetch entry \"%s\" (%lu)\n",
274                                 progname, e.e_nname.bv_val, id );
275                         rc = 1;
276                         goto destroy;
277
278                 }
279
280                 if ( argc == 0 ) {
281                         Attribute       *a;
282
283                         (void)print_access( op, ep, slap_schema.si_ad_entry, NULL, NULL );
284                         (void)print_access( op, ep, slap_schema.si_ad_children, NULL, NULL );
285
286                         for ( a = ep->e_attrs; a; a = a->a_next ) {
287                                 int     i;
288
289                                 for ( i = 0; !BER_BVISNULL( &a->a_nvals[ i ] ); i++ ) {
290                                         (void)print_access( op, ep, a->a_desc,
291                                                         &a->a_vals[ i ],
292                                                         &a->a_nvals[ i ] );
293                                 }
294                         }
295                 }
296         }
297
298         for ( ; argc--; argv++ ) {
299                 slap_mask_t             mask;
300                 AttributeDescription    *desc = NULL;
301                 struct berval           val = BER_BVNULL,
302                                         *valp = NULL;
303                 const char              *text;
304                 char                    accessmaskbuf[ACCESSMASK_MAXLEN];
305                 char                    *accessstr;
306                 slap_access_t           access = ACL_AUTH;
307
308                 if ( attr == NULL ) {
309                         attr = argv[ 0 ];
310                 }
311
312                 val.bv_val = strchr( attr, ':' );
313                 if ( val.bv_val != NULL ) {
314                         val.bv_val[0] = '\0';
315                         val.bv_val++;
316                         val.bv_len = strlen( val.bv_val );
317                         valp = &val;
318                 }
319
320                 accessstr = strchr( attr, '/' );
321                 if ( accessstr != NULL ) {
322                         int     invalid = 0;
323
324                         accessstr[0] = '\0';
325                         accessstr++;
326                         access = str2access( accessstr );
327                         switch ( access ) {
328                         case ACL_INVALID_ACCESS:
329                                 fprintf( stderr, "unknown access \"%s\" for attribute \"%s\"\n",
330                                                 accessstr, attr );
331                                 invalid = 1;
332                                 break;
333
334                         case ACL_NONE:
335                                 fprintf( stderr, "\"none\" not allowed for attribute \"%s\"\n",
336                                                 attr );
337                                 invalid = 1;
338                                 break;
339
340                         default:
341                                 break;
342                         }
343
344                         if ( invalid ) {
345                                 if ( continuemode ) {
346                                         continue;
347                                 }
348                                 break;
349                         }
350                 }
351
352                 rc = slap_str2ad( attr, &desc, &text );
353                 if ( rc != LDAP_SUCCESS ) {
354                         fprintf( stderr, "slap_str2ad(%s) failed %d (%s)\n",
355                                         attr, rc, ldap_err2string( rc ) );
356                         if ( continuemode ) {
357                                 continue;
358                         }
359                         break;
360                 }
361
362                 rc = access_allowed_mask( op, ep, desc, valp, access,
363                                 NULL, &mask );
364
365                 if ( accessstr ) {
366                         fprintf( stderr, "%s access to %s%s%s: %s\n",
367                                         accessstr,
368                                         desc->ad_cname.bv_val,
369                                         val.bv_val ? "=" : "",
370                                         val.bv_val ? val.bv_val : "",
371                                         rc ? "ALLOWED" : "DENIED" );
372
373                 } else {
374                         fprintf( stderr, "%s%s%s: %s\n",
375                                         desc->ad_cname.bv_val,
376                                         val.bv_val ? "=" : "",
377                                         val.bv_val ? val.bv_val : "",
378                                         accessmask2str( mask, accessmaskbuf, 1 ) );
379                 }
380                 rc = 0;
381                 attr = NULL;
382         }
383
384 destroy:;
385         if ( !BER_BVISNULL( &e.e_name ) ) {
386                 ber_memfree( e.e_name.bv_val );
387         }
388         if ( !BER_BVISNULL( &e.e_nname ) ) {
389                 ber_memfree( e.e_nname.bv_val );
390         }
391         if ( !dryrun && be ) {
392                 if ( ep && ep != &e ) {
393                         be_entry_release_r( op, ep );
394                 }
395                 if ( doclose ) {
396                         be->be_entry_close( be );
397                 }
398
399                 LDAP_STAILQ_FOREACH( bd, &backendDB, be_next ) {
400                         if ( bd != be ) {
401                                 backend_shutdown( bd );
402                         }
403                 }
404         }
405
406         if ( slap_tool_destroy())
407                 rc = EXIT_FAILURE;
408
409         return rc;
410 }
411