diff options
Diffstat (limited to '')
-rw-r--r-- | servers/slapd/slapacl.c | 411 |
1 files changed, 411 insertions, 0 deletions
diff --git a/servers/slapd/slapacl.c b/servers/slapd/slapacl.c new file mode 100644 index 0000000..32c5e7e --- /dev/null +++ b/servers/slapd/slapacl.c @@ -0,0 +1,411 @@ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 2004-2021 The OpenLDAP Foundation. + * Portions Copyright 2004 Pierangelo Masarati. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ +/* ACKNOWLEDGEMENTS: + * This work was initially developed by Pierangelo Masarati for inclusion + * in OpenLDAP Software. + */ + +#include "portable.h" + +#include <stdio.h> + +#include <ac/stdlib.h> + +#include <ac/ctype.h> +#include <ac/string.h> +#include <ac/socket.h> +#include <ac/unistd.h> + +#include <lber.h> +#include <ldif.h> +#include <lutil.h> + +#include "slapcommon.h" + +static int +print_access( + Operation *op, + Entry *e, + AttributeDescription *desc, + struct berval *val, + struct berval *nval ) +{ + int rc; + slap_mask_t mask; + char accessmaskbuf[ACCESSMASK_MAXLEN]; + + rc = access_allowed_mask( op, e, desc, nval, ACL_AUTH, NULL, &mask ); + + fprintf( stderr, "%s%s%s: %s\n", + desc->ad_cname.bv_val, + ( val && !BER_BVISNULL( val ) ) ? "=" : "", + ( val && !BER_BVISNULL( val ) ) ? + ( desc == slap_schema.si_ad_userPassword ? + "****" : val->bv_val ) : "", + accessmask2str( mask, accessmaskbuf, 1 ) ); + + return rc; +} + +int +slapacl( int argc, char **argv ) +{ + int rc = EXIT_SUCCESS; + const char *progname = "slapacl"; + Connection conn = { 0 }; + Listener listener; + OperationBuffer opbuf; + Operation *op = NULL; + Entry e = { 0 }, *ep = &e; + char *attr = NULL; + int doclose = 0; + BackendDB *bd; + void *thrctx; + + slap_tool_init( progname, SLAPACL, argc, argv ); + + if ( !dryrun ) { + int i = 0; + + LDAP_STAILQ_FOREACH( bd, &backendDB, be_next ) { + if ( bd != be && backend_startup( bd ) ) { + fprintf( stderr, "backend_startup(#%d%s%s) failed\n", + i, + bd->be_suffix ? ": " : "", + bd->be_suffix ? bd->be_suffix[0].bv_val : "" ); + rc = 1; + goto destroy; + } + + i++; + } + } + + argv = &argv[ optind ]; + argc -= optind; + + thrctx = ldap_pvt_thread_pool_context(); + connection_fake_init( &conn, &opbuf, thrctx ); + op = &opbuf.ob_op; + op->o_tmpmemctx = NULL; + + conn.c_listener = &listener; + conn.c_listener_url = listener_url; + conn.c_peer_domain = peer_domain; + conn.c_peer_name = peer_name; + conn.c_sock_name = sock_name; + op->o_ssf = ssf; + op->o_transport_ssf = transport_ssf; + op->o_tls_ssf = tls_ssf; + op->o_sasl_ssf = sasl_ssf; + + if ( !BER_BVISNULL( &authcID ) ) { + if ( !BER_BVISNULL( &authcDN ) ) { + fprintf( stderr, "both authcID=\"%s\" " + "and authcDN=\"%s\" provided\n", + authcID.bv_val, authcDN.bv_val ); + rc = 1; + goto destroy; + } + + rc = slap_sasl_getdn( &conn, op, &authcID, NULL, + &authcDN, SLAP_GETDN_AUTHCID ); + if ( rc != LDAP_SUCCESS ) { + fprintf( stderr, "authcID: <%s> check failed %d (%s)\n", + authcID.bv_val, rc, + ldap_err2string( rc ) ); + rc = 1; + goto destroy; + } + + } else if ( !BER_BVISNULL( &authcDN ) ) { + struct berval ndn; + + rc = dnNormalize( 0, NULL, NULL, &authcDN, &ndn, NULL ); + if ( rc != LDAP_SUCCESS ) { + fprintf( stderr, "autchDN=\"%s\" normalization failed %d (%s)\n", + authcDN.bv_val, rc, + ldap_err2string( rc ) ); + rc = 1; + goto destroy; + } + ch_free( authcDN.bv_val ); + authcDN = ndn; + } + + if ( !BER_BVISNULL( &authzID ) ) { + if ( !BER_BVISNULL( &authzDN ) ) { + fprintf( stderr, "both authzID=\"%s\" " + "and authzDN=\"%s\" provided\n", + authzID.bv_val, authzDN.bv_val ); + rc = 1; + goto destroy; + } + + rc = slap_sasl_getdn( &conn, op, &authzID, NULL, + &authzDN, SLAP_GETDN_AUTHZID ); + if ( rc != LDAP_SUCCESS ) { + fprintf( stderr, "authzID: <%s> check failed %d (%s)\n", + authzID.bv_val, rc, + ldap_err2string( rc ) ); + rc = 1; + goto destroy; + } + + } else if ( !BER_BVISNULL( &authzDN ) ) { + struct berval ndn; + + rc = dnNormalize( 0, NULL, NULL, &authzDN, &ndn, NULL ); + if ( rc != LDAP_SUCCESS ) { + fprintf( stderr, "autchDN=\"%s\" normalization failed %d (%s)\n", + authzDN.bv_val, rc, + ldap_err2string( rc ) ); + rc = 1; + goto destroy; + } + ch_free( authzDN.bv_val ); + authzDN = ndn; + } + + + if ( !BER_BVISNULL( &authcDN ) ) { + fprintf( stderr, "authcDN: \"%s\"\n", authcDN.bv_val ); + } + + if ( !BER_BVISNULL( &authzDN ) ) { + fprintf( stderr, "authzDN: \"%s\"\n", authzDN.bv_val ); + } + + if ( !BER_BVISNULL( &authzDN ) ) { + op->o_dn = authzDN; + op->o_ndn = authzDN; + + if ( !BER_BVISNULL( &authcDN ) ) { + op->o_conn->c_dn = authcDN; + op->o_conn->c_ndn = authcDN; + + } else { + op->o_conn->c_dn = authzDN; + op->o_conn->c_ndn = authzDN; + } + + } else if ( !BER_BVISNULL( &authcDN ) ) { + op->o_conn->c_dn = authcDN; + op->o_conn->c_ndn = authcDN; + op->o_dn = authcDN; + op->o_ndn = authcDN; + } + + assert( !BER_BVISNULL( &baseDN ) ); + rc = dnPrettyNormal( NULL, &baseDN, &e.e_name, &e.e_nname, NULL ); + if ( rc != LDAP_SUCCESS ) { + fprintf( stderr, "base=\"%s\" normalization failed %d (%s)\n", + baseDN.bv_val, rc, + ldap_err2string( rc ) ); + rc = 1; + goto destroy; + } + + op->o_bd = be; + if ( op->o_bd == NULL ) { + /* NOTE: if no database could be found (e.g. because + * accessing the rootDSE or so), use the frontendDB + * rules; might need work */ + op->o_bd = frontendDB; + } + + if ( !dryrun ) { + ID id; + + if ( be == NULL ) { + fprintf( stderr, "%s: no target database " + "has been found for baseDN=\"%s\"; " + "you may try with \"-u\" (dry run).\n", + baseDN.bv_val, progname ); + rc = 1; + goto destroy; + } + + if ( !be->be_entry_open || + !be->be_entry_close || + !be->be_dn2id_get || + !be->be_entry_get ) + { + fprintf( stderr, "%s: target database " + "doesn't support necessary operations; " + "you may try with \"-u\" (dry run).\n", + progname ); + rc = 1; + goto destroy; + } + + if ( be->be_entry_open( be, 0 ) != 0 ) { + fprintf( stderr, "%s: could not open database.\n", + progname ); + rc = 1; + goto destroy; + } + + doclose = 1; + + id = be->be_dn2id_get( be, &e.e_nname ); + if ( id == NOID ) { + fprintf( stderr, "%s: unable to fetch ID of DN \"%s\"\n", + progname, e.e_nname.bv_val ); + rc = 1; + goto destroy; + } + ep = be->be_entry_get( be, id ); + if ( ep == NULL ) { + fprintf( stderr, "%s: unable to fetch entry \"%s\" (%lu)\n", + progname, e.e_nname.bv_val, id ); + rc = 1; + goto destroy; + + } + + if ( argc == 0 ) { + Attribute *a; + + (void)print_access( op, ep, slap_schema.si_ad_entry, NULL, NULL ); + (void)print_access( op, ep, slap_schema.si_ad_children, NULL, NULL ); + + for ( a = ep->e_attrs; a; a = a->a_next ) { + int i; + + for ( i = 0; !BER_BVISNULL( &a->a_nvals[ i ] ); i++ ) { + (void)print_access( op, ep, a->a_desc, + &a->a_vals[ i ], + &a->a_nvals[ i ] ); + } + } + } + } + + for ( ; argc--; argv++ ) { + slap_mask_t mask; + AttributeDescription *desc = NULL; + struct berval val = BER_BVNULL, + *valp = NULL; + const char *text; + char accessmaskbuf[ACCESSMASK_MAXLEN]; + char *accessstr; + slap_access_t access = ACL_AUTH; + + if ( attr == NULL ) { + attr = argv[ 0 ]; + } + + val.bv_val = strchr( attr, ':' ); + if ( val.bv_val != NULL ) { + val.bv_val[0] = '\0'; + val.bv_val++; + val.bv_len = strlen( val.bv_val ); + valp = &val; + } + + accessstr = strchr( attr, '/' ); + if ( accessstr != NULL ) { + int invalid = 0; + + accessstr[0] = '\0'; + accessstr++; + access = str2access( accessstr ); + switch ( access ) { + case ACL_INVALID_ACCESS: + fprintf( stderr, "unknown access \"%s\" for attribute \"%s\"\n", + accessstr, attr ); + invalid = 1; + break; + + case ACL_NONE: + fprintf( stderr, "\"none\" not allowed for attribute \"%s\"\n", + attr ); + invalid = 1; + break; + + default: + break; + } + + if ( invalid ) { + if ( continuemode ) { + continue; + } + break; + } + } + + rc = slap_str2ad( attr, &desc, &text ); + if ( rc != LDAP_SUCCESS ) { + fprintf( stderr, "slap_str2ad(%s) failed %d (%s)\n", + attr, rc, ldap_err2string( rc ) ); + if ( continuemode ) { + continue; + } + break; + } + + rc = access_allowed_mask( op, ep, desc, valp, access, + NULL, &mask ); + + if ( accessstr ) { + fprintf( stderr, "%s access to %s%s%s: %s\n", + accessstr, + desc->ad_cname.bv_val, + val.bv_val ? "=" : "", + val.bv_val ? val.bv_val : "", + rc ? "ALLOWED" : "DENIED" ); + + } else { + fprintf( stderr, "%s%s%s: %s\n", + desc->ad_cname.bv_val, + val.bv_val ? "=" : "", + val.bv_val ? val.bv_val : "", + accessmask2str( mask, accessmaskbuf, 1 ) ); + } + rc = 0; + attr = NULL; + } + +destroy:; + if ( !BER_BVISNULL( &e.e_name ) ) { + ber_memfree( e.e_name.bv_val ); + } + if ( !BER_BVISNULL( &e.e_nname ) ) { + ber_memfree( e.e_nname.bv_val ); + } + if ( !dryrun && be ) { + if ( ep && ep != &e ) { + be_entry_release_r( op, ep ); + } + if ( doclose ) { + be->be_entry_close( be ); + } + + LDAP_STAILQ_FOREACH( bd, &backendDB, be_next ) { + if ( bd != be ) { + backend_shutdown( bd ); + } + } + } + + if ( slap_tool_destroy()) + rc = EXIT_FAILURE; + + return rc; +} + |