39e67b7793a34484bcfa01719f0ecebe58d815c1
[amitay/samba.git] / source4 / dsdb / common / dsdb_access.c
1 /*
2   ldb database library
3
4   Copyright (C) Nadezhda Ivanova 2010
5
6   This program is free software; you can redistribute it and/or modify
7   it under the terms of the GNU General Public License as published by
8   the Free Software Foundation; either version 3 of the License, or
9   (at your option) any later version.
10
11   This program is distributed in the hope that it will be useful,
12   but WITHOUT ANY WARRANTY; without even the implied warranty of
13   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14   GNU General Public License for more details.
15
16   You should have received a copy of the GNU General Public License
17   along with this program.  If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 /*
21  *  Name: dsdb_access
22  *
23  *  Description: utility functions for access checking on objects
24  *
25  *  Authors: Nadezhda Ivanova
26  */
27
28 #include "includes.h"
29 #include "ldb.h"
30 #include "ldb_module.h"
31 #include "ldb_errors.h"
32 #include "libcli/security/security.h"
33 #include "librpc/gen_ndr/ndr_security.h"
34 #include "libcli/ldap/ldap_ndr.h"
35 #include "param/param.h"
36 #include "auth/auth.h"
37 #include "dsdb/samdb/samdb.h"
38 #include "dsdb/common/util.h"
39
40 void dsdb_acl_debug(struct security_descriptor *sd,
41                       struct security_token *token,
42                       struct ldb_dn *dn,
43                       bool denied,
44                       int level)
45 {
46         if (denied) {
47                 DEBUG(level, ("Access on %s denied", ldb_dn_get_linearized(dn)));
48         } else {
49                 DEBUG(level, ("Access on %s granted", ldb_dn_get_linearized(dn)));
50         }
51
52         DEBUG(level,("Security context: %s\n",
53                      ndr_print_struct_string(0,(ndr_print_fn_t)ndr_print_security_token,"", token)));
54         DEBUG(level,("Security descriptor: %s\n",
55                      ndr_print_struct_string(0,(ndr_print_fn_t)ndr_print_security_descriptor,"", sd)));
56 }
57
58 int dsdb_get_sd_from_ldb_message(struct ldb_context *ldb,
59                                  TALLOC_CTX *mem_ctx,
60                                  struct ldb_message *acl_res,
61                                  struct security_descriptor **sd)
62 {
63         struct ldb_message_element *sd_element;
64         enum ndr_err_code ndr_err;
65
66         sd_element = ldb_msg_find_element(acl_res, "nTSecurityDescriptor");
67         if (!sd_element) {
68                 *sd = NULL;
69                 return LDB_SUCCESS;
70         }
71         *sd = talloc(mem_ctx, struct security_descriptor);
72         if(!*sd) {
73                 return ldb_oom(ldb);
74         }
75         ndr_err = ndr_pull_struct_blob(&sd_element->values[0], *sd, *sd,
76                                        (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
77
78         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
79                 return ldb_operr(ldb);
80         }
81
82         return LDB_SUCCESS;
83 }
84
85 int dsdb_check_access_on_dn_internal(struct ldb_context *ldb,
86                                      struct ldb_result *acl_res,
87                                      TALLOC_CTX *mem_ctx,
88                                      struct security_token *token,
89                                      struct ldb_dn *dn,
90                                      uint32_t access_mask,
91                                      const struct GUID *guid)
92 {
93         struct security_descriptor *sd = NULL;
94         struct dom_sid *sid = NULL;
95         struct object_tree *root = NULL;
96         struct object_tree *new_node = NULL;
97         NTSTATUS status;
98         uint32_t access_granted;
99         int ret;
100
101         ret = dsdb_get_sd_from_ldb_message(ldb, mem_ctx, acl_res->msgs[0], &sd);
102         if (ret != LDB_SUCCESS) {
103                 return ldb_operr(ldb);
104         }
105         /* Theoretically we pass the check if the object has no sd */
106         if (!sd) {
107                 return LDB_SUCCESS;
108         }
109         sid = samdb_result_dom_sid(mem_ctx, acl_res->msgs[0], "objectSid");
110         if (guid) {
111                 if (!insert_in_object_tree(mem_ctx, guid, access_mask, &root,
112                                            &new_node)) {
113                         return ldb_operr(ldb);
114                 }
115         }
116         status = sec_access_check_ds(sd, token,
117                                      access_mask,
118                                      &access_granted,
119                                      root,
120                                      sid);
121         if (!NT_STATUS_IS_OK(status)) {
122                 dsdb_acl_debug(sd,
123                                token,
124                                dn,
125                                true,
126                                10);
127                 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
128         }
129         return LDB_SUCCESS;
130 }
131
132 /* performs an access check from outside the module stack
133  * given the dn of the object to be checked, the required access
134  * guid is either the guid of the extended right, or NULL
135  */
136
137 int dsdb_check_access_on_dn(struct ldb_context *ldb,
138                             TALLOC_CTX *mem_ctx,
139                             struct ldb_dn *dn,
140                             struct security_token *token,
141                             uint32_t access_mask,
142                             const char *ext_right)
143 {
144         int ret;
145         struct GUID guid;
146         struct ldb_result *acl_res;
147         static const char *acl_attrs[] = {
148                 "nTSecurityDescriptor",
149                 "objectSid",
150                 NULL
151         };
152         NTSTATUS status = GUID_from_string(ext_right, &guid);
153         if (!NT_STATUS_IS_OK(status)) {
154                 return LDB_ERR_OPERATIONS_ERROR;
155         }
156
157         ret = dsdb_search_dn(ldb, mem_ctx, &acl_res, dn, acl_attrs, DSDB_SEARCH_SHOW_DELETED);
158         if (ret != LDB_SUCCESS) {
159                 DEBUG(10,("access_check: failed to find object %s\n", ldb_dn_get_linearized(dn)));
160                 return ret;
161         }
162
163         return dsdb_check_access_on_dn_internal(ldb, acl_res,
164                                                 mem_ctx,
165                                                 token,
166                                                 dn,
167                                                 access_mask,
168                                                 &guid);
169 }
170