50bf88869158e5a1ff9eb649956c2c7edd1f5c23
[amitay/samba.git] / source4 / dsdb / samdb / ldb_modules / acl_util.c
1 /*
2   ACL utility functions
3
4   Copyright (C) Nadezhda Ivanova 2010
5
6   This program is free software; you can redistribute it and/or modify
7   it under the terms of the GNU General Public License as published by
8   the Free Software Foundation; either version 3 of the License, or
9   (at your option) any later version.
10
11   This program is distributed in the hope that it will be useful,
12   but WITHOUT ANY WARRANTY; without even the implied warranty of
13   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14   GNU General Public License for more details.
15
16   You should have received a copy of the GNU General Public License
17   along with this program.  If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 /*
21  *  Name: acl_util
22  *
23  *  Component: ldb ACL modules
24  *
25  *  Description: Some auxiliary functions used for access checking
26  *
27  *  Author: Nadezhda Ivanova
28  */
29 #include "includes.h"
30 #include "ldb_module.h"
31 #include "auth/auth.h"
32 #include "libcli/security/security.h"
33 #include "dsdb/samdb/samdb.h"
34 #include "librpc/gen_ndr/ndr_security.h"
35 #include "param/param.h"
36 #include "dsdb/samdb/ldb_modules/util.h"
37
38 struct security_token *acl_user_token(struct ldb_module *module)
39 {
40         struct ldb_context *ldb = ldb_module_get_ctx(module);
41         struct auth_session_info *session_info
42                 = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
43         if(!session_info) {
44                 return NULL;
45         }
46         return session_info->security_token;
47 }
48
49 /* performs an access check from inside the module stack
50  * given the dn of the object to be checked, the required access
51  * guid is either the guid of the extended right, or NULL
52  */
53
54 int dsdb_module_check_access_on_dn(struct ldb_module *module,
55                                    TALLOC_CTX *mem_ctx,
56                                    struct ldb_dn *dn,
57                                    uint32_t access_mask,
58                                    const struct GUID *guid,
59                                    struct ldb_request *parent)
60 {
61         int ret;
62         struct ldb_result *acl_res;
63         static const char *acl_attrs[] = {
64                 "nTSecurityDescriptor",
65                 "objectSid",
66                 NULL
67         };
68         struct ldb_context *ldb = ldb_module_get_ctx(module);
69         struct auth_session_info *session_info
70                 = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
71         if(!session_info) {
72                 return ldb_operr(ldb);
73         }
74         ret = dsdb_module_search_dn(module, mem_ctx, &acl_res, dn,
75                                     acl_attrs,
76                                     DSDB_FLAG_NEXT_MODULE |
77                                     DSDB_SEARCH_SHOW_RECYCLED,
78                                     parent);
79         if (ret != LDB_SUCCESS) {
80                 ldb_asprintf_errstring(ldb_module_get_ctx(module),
81                                        "access_check: failed to find object %s\n",
82                                        ldb_dn_get_linearized(dn));
83                 return ret;
84         }
85         return dsdb_check_access_on_dn_internal(ldb, acl_res,
86                                                 mem_ctx,
87                                                 session_info->security_token,
88                                                 dn,
89                                                 access_mask,
90                                                 guid);
91 }
92
93 int acl_check_access_on_attribute(struct ldb_module *module,
94                                   TALLOC_CTX *mem_ctx,
95                                   struct security_descriptor *sd,
96                                   struct dom_sid *rp_sid,
97                                   uint32_t access_mask,
98                                   const struct dsdb_attribute *attr)
99 {
100         int ret;
101         NTSTATUS status;
102         uint32_t access_granted;
103         struct object_tree *root = NULL;
104         struct object_tree *new_node = NULL;
105         TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
106         struct security_token *token = acl_user_token(module);
107         if (attr) {
108                 if (!GUID_all_zero(&attr->attributeSecurityGUID)) {
109                         if (!insert_in_object_tree(tmp_ctx,
110                                                    &attr->attributeSecurityGUID,
111                                                    access_mask, &root,
112                                                    &new_node)) {
113                                 DEBUG(10, ("acl_search: cannot add to object tree securityGUID\n"));
114                                 goto fail;
115                         }
116
117                         if (!insert_in_object_tree(tmp_ctx,
118                                                    &attr->schemaIDGUID,
119                                                    access_mask, &new_node,
120                                                    &new_node)) {
121                                 DEBUG(10, ("acl_search: cannot add to object tree attributeGUID\n"));
122                                 goto fail;
123                         }
124                 }
125                 else {
126                         if (!insert_in_object_tree(tmp_ctx,
127                                                    &attr->schemaIDGUID,
128                                                    access_mask, &root,
129                                                    &new_node)) {
130                                 DEBUG(10, ("acl_search: cannot add to object tree attributeGUID\n"));
131                                 goto fail;
132                         }
133                 }
134         }
135         status = sec_access_check_ds(sd, token,
136                                      access_mask,
137                                      &access_granted,
138                                      root,
139                                      rp_sid);
140         if (!NT_STATUS_IS_OK(status)) {
141                 ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
142         }
143         else {
144                 ret = LDB_SUCCESS;
145         }
146         talloc_free(tmp_ctx);
147         return ret;
148 fail:
149         talloc_free(tmp_ctx);
150         return ldb_operr(ldb_module_get_ctx(module));
151 }
152
153
154 /* checks for validated writes */
155 int acl_check_extended_right(TALLOC_CTX *mem_ctx,
156                              struct security_descriptor *sd,
157                              struct security_token *token,
158                              const char *ext_right,
159                              uint32_t right_type,
160                              struct dom_sid *sid)
161 {
162         struct GUID right;
163         NTSTATUS status;
164         uint32_t access_granted;
165         struct object_tree *root = NULL;
166         struct object_tree *new_node = NULL;
167         TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
168
169         GUID_from_string(ext_right, &right);
170
171         if (!insert_in_object_tree(tmp_ctx, &right, right_type,
172                                    &root, &new_node)) {
173                 DEBUG(10, ("acl_ext_right: cannot add to object tree\n"));
174                 talloc_free(tmp_ctx);
175                 return LDB_ERR_OPERATIONS_ERROR;
176         }
177         status = sec_access_check_ds(sd, token,
178                                      right_type,
179                                      &access_granted,
180                                      root,
181                                      sid);
182
183         if (!NT_STATUS_IS_OK(status)) {
184                 talloc_free(tmp_ctx);
185                 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
186         }
187         talloc_free(tmp_ctx);
188         return LDB_SUCCESS;
189 }
190
191 const char *acl_user_name(TALLOC_CTX *mem_ctx, struct ldb_module *module)
192 {
193         struct ldb_context *ldb = ldb_module_get_ctx(module);
194         struct auth_session_info *session_info
195                 = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
196         if (!session_info) {
197                 return "UNKNOWN (NULL)";
198         }
199
200         return talloc_asprintf(mem_ctx, "%s\\%s",
201                                session_info->info->domain_name,
202                                session_info->info->account_name);
203 }