7857e1fa256d541dc931c7d4fde498687fc20cc4
[bbaumbach/samba-autobuild/.git] / source4 / dsdb / common / dsdb_access.c
1 /*
2   ldb database library
3
4   Copyright (C) Nadezhda Ivanova 2010
5
6   This program is free software; you can redistribute it and/or modify
7   it under the terms of the GNU General Public License as published by
8   the Free Software Foundation; either version 3 of the License, or
9   (at your option) any later version.
10
11   This program is distributed in the hope that it will be useful,
12   but WITHOUT ANY WARRANTY; without even the implied warranty of
13   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14   GNU General Public License for more details.
15
16   You should have received a copy of the GNU General Public License
17   along with this program.  If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 /*
21  *  Name: dsdb_access
22  *
23  *  Description: utility functions for access checking on objects
24  *
25  *  Authors: Nadezhda Ivanova
26  */
27
28 #include "includes.h"
29 #include "ldb.h"
30 #include "ldb_errors.h"
31 #include "libcli/security/security.h"
32 #include "librpc/gen_ndr/ndr_security.h"
33 #include "libcli/ldap/ldap_ndr.h"
34 #include "param/param.h"
35 #include "auth/auth.h"
36 #include "dsdb/samdb/samdb.h"
37
38 void dsdb_acl_debug(struct security_descriptor *sd,
39                       struct security_token *token,
40                       struct ldb_dn *dn,
41                       bool denied,
42                       int level)
43 {
44         if (denied) {
45                 DEBUG(level, ("Access on %s denied", ldb_dn_get_linearized(dn)));
46         } else {
47                 DEBUG(level, ("Access on %s granted", ldb_dn_get_linearized(dn)));
48         }
49
50         DEBUG(level,("Security context: %s\n",
51                      ndr_print_struct_string(0,(ndr_print_fn_t)ndr_print_security_token,"", token)));
52         DEBUG(level,("Security descriptor: %s\n",
53                      ndr_print_struct_string(0,(ndr_print_fn_t)ndr_print_security_descriptor,"", sd)));
54 }
55
56 int dsdb_get_sd_from_ldb_message(TALLOC_CTX *mem_ctx,
57                                  struct ldb_message *acl_res,
58                                  struct security_descriptor **sd)
59 {
60         struct ldb_message_element *sd_element;
61         enum ndr_err_code ndr_err;
62
63         sd_element = ldb_msg_find_element(acl_res, "nTSecurityDescriptor");
64         if (!sd_element) {
65                 *sd = NULL;
66                 return LDB_SUCCESS;
67         }
68         *sd = talloc(mem_ctx, struct security_descriptor);
69         if(!*sd) {
70                 return LDB_ERR_OPERATIONS_ERROR;
71         }
72         ndr_err = ndr_pull_struct_blob(&sd_element->values[0], *sd, NULL, *sd,
73                                        (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
74
75         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
76                 return LDB_ERR_OPERATIONS_ERROR;
77         }
78
79         return LDB_SUCCESS;
80 }
81
82 int dsdb_check_access_on_dn_internal(struct ldb_result *acl_res,
83                                      TALLOC_CTX *mem_ctx,
84                                      struct security_token *token,
85                                      struct ldb_dn *dn,
86                                      uint32_t access,
87                                      const struct GUID *guid)
88 {
89         struct security_descriptor *sd = NULL;
90         struct dom_sid *sid = NULL;
91         struct object_tree *root = NULL;
92         struct object_tree *new_node = NULL;
93         NTSTATUS status;
94         uint32_t access_granted;
95         int ret;
96
97         ret = dsdb_get_sd_from_ldb_message(mem_ctx, acl_res->msgs[0], &sd);
98         if (ret != LDB_SUCCESS) {
99                 return LDB_ERR_OPERATIONS_ERROR;
100         }
101         /* Theoretically we pass the check if the object has no sd */
102         if (!sd) {
103                 return LDB_SUCCESS;
104         }
105         sid = samdb_result_dom_sid(mem_ctx, acl_res->msgs[0], "objectSid");
106         if (guid) {
107                 if (!insert_in_object_tree(mem_ctx, guid, access, &root, &new_node)) {
108                         return LDB_ERR_OPERATIONS_ERROR;
109                 }
110         }
111         status = sec_access_check_ds(sd, token,
112                                      access,
113                                      &access_granted,
114                                      root,
115                                      sid);
116         if (!NT_STATUS_IS_OK(status)) {
117                 dsdb_acl_debug(sd,
118                                token,
119                                dn,
120                                true,
121                                10);
122                 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
123         }
124         return LDB_SUCCESS;
125 }
126
127 /* performs an access check from outside the module stack
128  * given the dn of the object to be checked, the required access
129  * guid is either the guid of the extended right, or NULL
130  */
131
132 int dsdb_check_access_on_dn(struct ldb_context *ldb,
133                             TALLOC_CTX *mem_ctx,
134                             struct ldb_dn *dn,
135                             uint32_t access,
136                             const struct GUID *guid)
137 {
138         int ret;
139         struct ldb_result *acl_res;
140         static const char *acl_attrs[] = {
141                 "nTSecurityDescriptor",
142                 "objectSid",
143                 NULL
144         };
145
146         struct auth_session_info *session_info
147                 = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
148         if(!session_info) {
149                 return LDB_ERR_OPERATIONS_ERROR;
150         }
151
152         ret = ldb_search(ldb, mem_ctx, &acl_res, dn, LDB_SCOPE_BASE, acl_attrs, NULL);
153         if (ret != LDB_SUCCESS) {
154                 DEBUG(10,("access_check: failed to find object %s\n", ldb_dn_get_linearized(dn)));
155                 return ret;
156         }
157
158         return dsdb_check_access_on_dn_internal(acl_res,
159                                                 mem_ctx,
160                                                 session_info->security_token,
161                                                 dn,
162                                                 access,
163                                                 guid);
164 }
165