s4-dsdb: fixed const misuse in acl module
[ira/wip.git] / source4 / dsdb / samdb / ldb_modules / acl.c
1 /*
2   ldb database library
3
4   Copyright (C) Simo Sorce 2006-2008
5   Copyright (C) Nadezhda Ivanova 2009
6   Copyright (C) Anatoliy Atanasov  2009
7
8   This program is free software; you can redistribute it and/or modify
9   it under the terms of the GNU General Public License as published by
10   the Free Software Foundation; either version 3 of the License, or
11   (at your option) any later version.
12
13   This program is distributed in the hope that it will be useful,
14   but WITHOUT ANY WARRANTY; without even the implied warranty of
15   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16   GNU General Public License for more details.
17
18   You should have received a copy of the GNU General Public License
19   along with this program.  If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 /*
23  *  Name: ldb
24  *
25  *  Component: ldb ACL module
26  *
27  *  Description: Module that performs authorisation access checks based on the
28  *               account's security context and the DACL of the object being polled.
29  *               Only DACL checks implemented at this point
30  *
31  *  Authors: Nadezhda Ivanova, Anatoliy Atanasov
32  */
33
34 #include "includes.h"
35 #include "ldb_module.h"
36 #include "auth/auth.h"
37 #include "libcli/security/security.h"
38 #include "dsdb/samdb/samdb.h"
39 #include "librpc/gen_ndr/ndr_security.h"
40 #include "param/param.h"
41 #include "dsdb/samdb/ldb_modules/util.h"
42
43 struct extended_access_check_attribute {
44         const char *oa_name;
45         const uint32_t requires_rights;
46 };
47
48 struct acl_private {
49         bool acl_perform;
50         const char **password_attrs;
51 };
52
53 struct acl_context {
54         struct ldb_module *module;
55         struct ldb_request *req;
56         bool am_system;
57         bool allowedAttributes;
58         bool allowedAttributesEffective;
59         bool allowedChildClasses;
60         bool allowedChildClassesEffective;
61         bool sDRightsEffective;
62         const char * const *attrs;
63 };
64
65 bool is_root_base_dn(struct ldb_context *ldb, struct ldb_dn *dn_to_check)
66 {
67         int result;
68         struct ldb_dn *root_base_dn = ldb_get_root_basedn(ldb);
69         result = ldb_dn_compare(root_base_dn,dn_to_check);
70         return (result==0);
71 }
72
73 static struct security_token *acl_user_token(struct ldb_module *module)
74 {
75         struct ldb_context *ldb = ldb_module_get_ctx(module);
76         struct auth_session_info *session_info
77                 = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
78         if(!session_info) {
79                 return NULL;
80         }
81         return session_info->security_token;
82 }
83
84 static int acl_module_init(struct ldb_module *module)
85 {
86         struct ldb_context *ldb;
87         struct acl_private *data;
88         int ret, i;
89         TALLOC_CTX *mem_ctx = talloc_new(module);
90         static const char *attrs[] = { "passwordAttribute", NULL };
91         struct ldb_result *res;
92         struct ldb_message *msg;
93         struct ldb_message_element *password_attributes;
94
95         ldb = ldb_module_get_ctx(module);
96
97         ret = ldb_mod_register_control(module, LDB_CONTROL_SD_FLAGS_OID);
98         if (ret != LDB_SUCCESS) {
99                 ldb_debug(ldb, LDB_DEBUG_ERROR,
100                           "acl_module_init: Unable to register control with rootdse!\n");
101                 return LDB_ERR_OPERATIONS_ERROR;
102         }
103
104         data = talloc(module, struct acl_private);
105         if (data == NULL) {
106                 ldb_oom(ldb);
107                 return LDB_ERR_OPERATIONS_ERROR;
108         }
109
110         data->password_attrs = NULL;
111         data->acl_perform = lp_parm_bool(ldb_get_opaque(ldb, "loadparm"),
112                                          NULL, "acl", "perform", false);
113         ldb_module_set_private(module, data);
114
115         if (!mem_ctx) {
116                 ldb_oom(ldb);
117                 return LDB_ERR_OPERATIONS_ERROR;
118         }
119
120         ret = ldb_search(ldb, mem_ctx, &res,
121                          ldb_dn_new(mem_ctx, ldb, "@KLUDGEACL"),
122                          LDB_SCOPE_BASE, attrs, NULL);
123         if (ret != LDB_SUCCESS) {
124                 goto done;
125         }
126         if (res->count == 0) {
127                 goto done;
128         }
129
130         if (res->count > 1) {
131                 talloc_free(mem_ctx);
132                 return LDB_ERR_CONSTRAINT_VIOLATION;
133         }
134
135         msg = res->msgs[0];
136
137         password_attributes = ldb_msg_find_element(msg, "passwordAttribute");
138         if (!password_attributes) {
139                 goto done;
140         }
141         data->password_attrs = talloc_array(data, const char *, password_attributes->num_values + 1);
142         if (!data->password_attrs) {
143                 talloc_free(mem_ctx);
144                 ldb_oom(ldb);
145                 return LDB_ERR_OPERATIONS_ERROR;
146         }
147         for (i=0; i < password_attributes->num_values; i++) {
148                 data->password_attrs[i] = (const char *)password_attributes->values[i].data;
149                 talloc_steal(data->password_attrs, password_attributes->values[i].data);
150         }
151         data->password_attrs[i] = NULL;
152
153 done:
154         talloc_free(mem_ctx);
155         return ldb_next_init(module);
156 }
157
158 static int get_sd_from_ldb_message(TALLOC_CTX *mem_ctx,
159                                    struct ldb_message *acl_res,
160                                    struct security_descriptor **sd)
161 {
162         struct ldb_message_element *sd_element;
163         enum ndr_err_code ndr_err;
164
165         sd_element = ldb_msg_find_element(acl_res, "nTSecurityDescriptor");
166         if (!sd_element) {
167                 *sd = NULL;
168                 return LDB_SUCCESS;
169         }
170         *sd = talloc(mem_ctx, struct security_descriptor);
171         if(!*sd) {
172                 return LDB_ERR_OPERATIONS_ERROR;
173         }
174         ndr_err = ndr_pull_struct_blob(&sd_element->values[0], *sd, NULL, *sd,
175                                        (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
176
177         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
178                 return LDB_ERR_OPERATIONS_ERROR;
179         }
180
181         return LDB_SUCCESS;
182 }
183
184 static const struct GUID *get_oc_guid_from_message(struct ldb_module *module,
185                                                    struct ldb_message *msg)
186 {
187         struct ldb_message_element *oc_el;
188         struct ldb_context *ldb = ldb_module_get_ctx(module);
189
190         oc_el = ldb_msg_find_element(msg, "objectClass");
191         if (!oc_el) {
192                 return NULL;
193         }
194
195         return class_schemaid_guid_by_lDAPDisplayName(dsdb_get_schema(ldb),
196                                                       (char *)oc_el->values[oc_el->num_values-1].data);
197 }
198
199 static int get_dom_sid_from_ldb_message(TALLOC_CTX *mem_ctx,
200                                    struct ldb_message *acl_res,
201                                    struct dom_sid **sid)
202 {
203         struct ldb_message_element *sid_element;
204         enum ndr_err_code ndr_err;
205
206         sid_element = ldb_msg_find_element(acl_res, "objectSid");
207         if (!sid_element) {
208                 *sid = NULL;
209                 return LDB_SUCCESS;
210         }
211         *sid = talloc(mem_ctx, struct dom_sid);
212         if(!*sid) {
213                 return LDB_ERR_OPERATIONS_ERROR;
214         }
215         ndr_err = ndr_pull_struct_blob(&sid_element->values[0], *sid, NULL, *sid,
216                                        (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
217
218         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
219                 return LDB_ERR_OPERATIONS_ERROR;
220         }
221
222         return LDB_SUCCESS;
223 }
224
225
226 static void acl_debug(struct security_descriptor *sd,
227                       struct security_token *token,
228                       struct ldb_dn *dn,
229                       bool denied,
230                       int level)
231 {
232         if (denied) {
233                 DEBUG(level, ("Access on %s denied", ldb_dn_get_linearized(dn)));
234         } else {
235                 DEBUG(level, ("Access on %s granted", ldb_dn_get_linearized(dn)));
236         }
237
238         DEBUG(level,("Security context: %s\n",
239                      ndr_print_struct_string(0,(ndr_print_fn_t)ndr_print_security_token,"", token)));
240         DEBUG(level,("Security descriptor: %s\n",
241                      ndr_print_struct_string(0,(ndr_print_fn_t)ndr_print_security_descriptor,"", sd)));
242 }
243
244 static int check_access_on_dn(struct ldb_module *module,
245                               TALLOC_CTX *mem_ctx,
246                               struct ldb_dn *dn,
247                               uint32_t access,
248                               struct object_tree *tree)
249 {
250         int ret;
251         struct ldb_context *ldb = ldb_module_get_ctx(module);
252         struct ldb_result *acl_res;
253         struct security_descriptor *sd = NULL;
254         struct dom_sid *sid = NULL;
255         NTSTATUS status;
256         uint32_t access_granted;
257         static const char *acl_attrs[] = {
258                 "nTSecurityDescriptor",
259                 "objectSid",
260                 NULL
261         };
262
263         ret = ldb_search(ldb, mem_ctx, &acl_res, dn, LDB_SCOPE_BASE, acl_attrs, NULL);
264         /* we sould be able to find the parent */
265         if (ret != LDB_SUCCESS) {
266                 DEBUG(10,("acl: failed to find object %s\n", ldb_dn_get_linearized(dn)));
267                 return ret;
268         }
269
270         ret = get_sd_from_ldb_message(mem_ctx, acl_res->msgs[0], &sd);
271         if (ret != LDB_SUCCESS) {
272                 return LDB_ERR_OPERATIONS_ERROR;
273         }
274         /* Theoretically we pass the check if the object has no sd */
275         if (!sd) {
276                 return LDB_SUCCESS;
277         }
278         ret = get_dom_sid_from_ldb_message(mem_ctx, acl_res->msgs[0], &sid);
279         if (ret != LDB_SUCCESS) {
280                 return LDB_ERR_OPERATIONS_ERROR;
281         }
282
283         status = sec_access_check_ds(sd, acl_user_token(module),
284                                      access,
285                                      &access_granted,
286                                      tree,
287                                      sid);
288         if (!NT_STATUS_IS_OK(status)) {
289                 acl_debug(sd,
290                           acl_user_token(module),
291                           dn,
292                           true,
293                           10);
294                 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
295         }
296         return LDB_SUCCESS;
297 }
298
299 static int acl_check_access_on_attribute(struct ldb_module *module,
300                                          TALLOC_CTX *mem_ctx,
301                                          struct security_descriptor *sd,
302                                          struct dom_sid *rp_sid,
303                                          uint32_t access,
304                                          const struct dsdb_attribute *attr)
305 {
306         int ret;
307         NTSTATUS status;
308         uint32_t access_granted;
309         struct object_tree *root = NULL;
310         struct object_tree *new_node = NULL;
311         TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
312         struct security_token *token = acl_user_token(module);
313         if (attr) {
314                 if (!GUID_all_zero(&attr->attributeSecurityGUID)) {
315                         if (!insert_in_object_tree(tmp_ctx,
316                                                    &attr->attributeSecurityGUID, access,
317                                                    &root, &new_node)) {
318                                 DEBUG(10, ("acl_search: cannot add to object tree securityGUID\n"));
319                                 goto fail;
320                         }
321
322                         if (!insert_in_object_tree(tmp_ctx,
323                                                    &attr->schemaIDGUID, access, &new_node, &new_node)) {
324                                 DEBUG(10, ("acl_search: cannot add to object tree attributeGUID\n"));
325                                 goto fail;
326                         }
327                 }
328                 else {
329                         if (!insert_in_object_tree(tmp_ctx,
330                                                    &attr->schemaIDGUID, access, &root, &new_node)) {
331                                 DEBUG(10, ("acl_search: cannot add to object tree attributeGUID\n"));
332                                 goto fail;
333                         }
334                 }
335         }
336         status = sec_access_check_ds(sd, token,
337                                      access,
338                                      &access_granted,
339                                      root,
340                                      rp_sid);
341         if (!NT_STATUS_IS_OK(status)) {
342                 ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
343         }
344         else {
345                 ret = LDB_SUCCESS;
346         }
347         return ret;
348 fail:
349         return LDB_ERR_OPERATIONS_ERROR;
350 }
351
352 static int acl_check_access_on_class(struct ldb_module *module,
353                                      TALLOC_CTX *mem_ctx,
354                                      struct security_descriptor *sd,
355                                      struct dom_sid *rp_sid,
356                                      uint32_t access,
357                                      const char *class_name)
358 {
359         int ret;
360         struct ldb_context *ldb = ldb_module_get_ctx(module);
361         NTSTATUS status;
362         uint32_t access_granted;
363         struct object_tree *root = NULL;
364         struct object_tree *new_node = NULL;
365         const struct GUID *guid;
366         const struct dsdb_schema *schema = dsdb_get_schema(ldb);
367         TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
368         struct security_token *token = acl_user_token(module);
369         if (class_name) {
370                 guid = class_schemaid_guid_by_lDAPDisplayName(schema, class_name);
371                 if (!guid) {
372                         DEBUG(10, ("acl_search: cannot find class %s\n",
373                                    class_name));
374                         goto fail;
375                 }
376                 if (!insert_in_object_tree(tmp_ctx,
377                                            guid, access,
378                                            &root, &new_node)) {
379                         DEBUG(10, ("acl_search: cannot add to object tree guid\n"));
380                         goto fail;
381                 }
382         }
383         status = sec_access_check_ds(sd, token,
384                                      access,
385                                      &access_granted,
386                                      root,
387                                      rp_sid);
388         if (!NT_STATUS_IS_OK(status)) {
389                 ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
390         }
391         else {
392                 ret = LDB_SUCCESS;
393         }
394         return ret;
395 fail:
396         return LDB_ERR_OPERATIONS_ERROR;
397 }
398
399 static int acl_allowedAttributes(struct ldb_module *module,
400                                  struct ldb_message *sd_msg,
401                                  struct ldb_message *msg,
402                                  struct acl_context *ac)
403 {
404         struct ldb_message_element *oc_el;
405         struct ldb_context *ldb = ldb_module_get_ctx(module);
406         const struct dsdb_schema *schema = dsdb_get_schema(ldb);
407         TALLOC_CTX *mem_ctx;
408         const char **attr_list;
409         int i, ret;
410
411         /* If we don't have a schema yet, we can't do anything... */
412         if (schema == NULL) {
413                 return LDB_SUCCESS;
414         }
415
416         /* Must remove any existing attribute */
417         if (ac->allowedAttributes) {
418                 ldb_msg_remove_attr(msg, "allowedAttributes");
419         }
420
421         mem_ctx = talloc_new(msg);
422         if (!mem_ctx) {
423                 ldb_oom(ldb);
424                 return LDB_ERR_OPERATIONS_ERROR;
425         }
426
427         oc_el = ldb_msg_find_element(sd_msg, "objectClass");
428         attr_list = dsdb_full_attribute_list(mem_ctx, schema, oc_el, DSDB_SCHEMA_ALL);
429         if (!attr_list) {
430                 ldb_asprintf_errstring(ldb, "acl: Failed to get list of attributes");
431                 talloc_free(mem_ctx);
432                 return LDB_ERR_OPERATIONS_ERROR;
433         }
434         if (ac->allowedAttributes) {
435                 for (i=0; attr_list && attr_list[i]; i++) {
436                         ldb_msg_add_string(msg, "allowedAttributes", attr_list[i]);
437                 }
438         }
439         if (ac->allowedAttributesEffective) {
440                 struct security_descriptor *sd;
441                 struct dom_sid *sid = NULL;
442                 struct ldb_control *as_system = ldb_request_get_control(ac->req,
443                                                                         LDB_CONTROL_AS_SYSTEM_OID);
444                 ldb_msg_remove_attr(msg, "allowedAttributesEffective");
445                 if (ac->am_system || as_system) {
446                         for (i=0; attr_list && attr_list[i]; i++) {
447                                 ldb_msg_add_string(msg, "allowedAttributesEffective", attr_list[i]);
448                         }
449                         return LDB_SUCCESS;
450                 }
451
452                 ret = get_sd_from_ldb_message(mem_ctx, sd_msg, &sd);
453
454                 if (ret != LDB_SUCCESS) {
455                         return ret;
456                 }
457                 ret = get_dom_sid_from_ldb_message(mem_ctx, sd_msg, &sid);
458
459                 if (ret != LDB_SUCCESS) {
460                         return ret;
461                 }
462                 for (i=0; attr_list && attr_list[i]; i++) {
463                         const struct dsdb_attribute *attr = dsdb_attribute_by_lDAPDisplayName(schema,
464                                                                                         attr_list[i]);
465                         if (!attr) {
466                                 return LDB_ERR_OPERATIONS_ERROR;
467                         }
468                         /* remove constructed attributes */
469                         if (attr->systemFlags & DS_FLAG_ATTR_IS_CONSTRUCTED
470                             || attr->systemOnly
471                             || (attr->linkID != 0 && attr->linkID % 2 != 0 )) {
472                                 continue;
473                         }
474                         ret = acl_check_access_on_attribute(module,
475                                                             msg,
476                                                             sd,
477                                                             sid,
478                                                             SEC_ADS_WRITE_PROP,
479                                                             attr);
480                         if (ret == LDB_SUCCESS) {
481                                 ldb_msg_add_string(msg, "allowedAttributesEffective", attr_list[i]);
482                         }
483                 }
484         }
485         return LDB_SUCCESS;
486 }
487
488 static int acl_childClasses(struct ldb_module *module,
489                             struct ldb_message *sd_msg,
490                             struct ldb_message *msg,
491                             const char *attrName)
492 {
493         struct ldb_message_element *oc_el;
494         struct ldb_message_element *allowedClasses;
495         struct ldb_context *ldb = ldb_module_get_ctx(module);
496         const struct dsdb_schema *schema = dsdb_get_schema(ldb);
497         const struct dsdb_class *sclass;
498         int i, j, ret;
499
500         /* If we don't have a schema yet, we can't do anything... */
501         if (schema == NULL) {
502                 return LDB_SUCCESS;
503         }
504
505         /* Must remove any existing attribute, or else confusion reins */
506         ldb_msg_remove_attr(msg, attrName);
507         ret = ldb_msg_add_empty(msg, attrName, 0, &allowedClasses);
508         if (ret != LDB_SUCCESS) {
509                 return ret;
510         }
511
512         oc_el = ldb_msg_find_element(sd_msg, "objectClass");
513
514         for (i=0; oc_el && i < oc_el->num_values; i++) {
515                 sclass = dsdb_class_by_lDAPDisplayName_ldb_val(schema, &oc_el->values[i]);
516                 if (!sclass) {
517                         /* We don't know this class?  what is going on? */
518                         continue;
519                 }
520
521                 for (j=0; sclass->possibleInferiors && sclass->possibleInferiors[j]; j++) {
522                         ldb_msg_add_string(msg, attrName, sclass->possibleInferiors[j]);
523                 }
524         }
525         if (allowedClasses->num_values > 1) {
526                 qsort(allowedClasses->values,
527                       allowedClasses->num_values,
528                       sizeof(*allowedClasses->values),
529                       (comparison_fn_t)data_blob_cmp);
530
531                 for (i=1 ; i < allowedClasses->num_values; i++) {
532                         struct ldb_val *val1 = &allowedClasses->values[i-1];
533                         struct ldb_val *val2 = &allowedClasses->values[i];
534                         if (data_blob_cmp(val1, val2) == 0) {
535                                 memmove(val1, val2, (allowedClasses->num_values - i) * sizeof(struct ldb_val));
536                                 allowedClasses->num_values--;
537                                 i--;
538                         }
539                 }
540         }
541
542         return LDB_SUCCESS;
543 }
544
545 static int acl_childClassesEffective(struct ldb_module *module,
546                                      struct ldb_message *sd_msg,
547                                      struct ldb_message *msg,
548                                      struct acl_context *ac)
549 {
550         struct ldb_message_element *oc_el;
551         struct ldb_message_element *allowedClasses = NULL;
552         struct ldb_context *ldb = ldb_module_get_ctx(module);
553         const struct dsdb_schema *schema = dsdb_get_schema(ldb);
554         const struct dsdb_class *sclass;
555         struct security_descriptor *sd;
556         struct ldb_control *as_system = ldb_request_get_control(ac->req,
557                                                                 LDB_CONTROL_AS_SYSTEM_OID);
558         struct dom_sid *sid = NULL;
559         int i, j, ret;
560
561         if (ac->am_system || as_system) {
562                 return acl_childClasses(module, sd_msg, msg, "allowedChildClassesEffective");
563         }
564
565         /* If we don't have a schema yet, we can't do anything... */
566         if (schema == NULL) {
567                 return LDB_SUCCESS;
568         }
569
570         /* Must remove any existing attribute, or else confusion reins */
571         ldb_msg_remove_attr(msg, "allowedChildClassesEffective");
572
573         oc_el = ldb_msg_find_element(sd_msg, "objectClass");
574         ret = get_sd_from_ldb_message(msg, sd_msg, &sd);
575         if (ret != LDB_SUCCESS) {
576                 return ret;
577         }
578         ret = get_dom_sid_from_ldb_message(msg, sd_msg, &sid);
579
580         if (ret != LDB_SUCCESS) {
581                 return ret;
582         }
583         for (i=0; oc_el && i < oc_el->num_values; i++) {
584                 sclass = dsdb_class_by_lDAPDisplayName_ldb_val(schema, &oc_el->values[i]);
585                 if (!sclass) {
586                         /* We don't know this class?  what is going on? */
587                         continue;
588                 }
589
590                 for (j=0; sclass->possibleInferiors && sclass->possibleInferiors[j]; j++) {
591                         ret = acl_check_access_on_class(module,
592                                                         msg,
593                                                         sd,
594                                                         sid,
595                                                         SEC_ADS_CREATE_CHILD,
596                                                         sclass->possibleInferiors[j]);
597                         if (ret == LDB_SUCCESS) {
598                                 ldb_msg_add_string(msg, "allowedChildClassesEffective",
599                                                    sclass->possibleInferiors[j]);
600                         }
601                 }
602         }
603         allowedClasses = ldb_msg_find_element(msg, "allowedChildClassesEffective");
604         if (!allowedClasses) {
605                 return LDB_SUCCESS;
606         }
607
608         if (allowedClasses->num_values > 1) {
609                 qsort(allowedClasses->values,
610                       allowedClasses->num_values,
611                       sizeof(*allowedClasses->values),
612                       (comparison_fn_t)data_blob_cmp);
613                 for (i=1 ; i < allowedClasses->num_values; i++) {
614                         struct ldb_val *val1 = &allowedClasses->values[i-1];
615                         struct ldb_val *val2 = &allowedClasses->values[i];
616                         if (data_blob_cmp(val1, val2) == 0) {
617                                 memmove(val1, val2, (allowedClasses->num_values - i) * sizeof( struct ldb_val));
618                                 allowedClasses->num_values--;
619                                 i--;
620                         }
621                 }
622         }
623         return LDB_SUCCESS;
624 }
625
626 static int acl_sDRightsEffective(struct ldb_module *module,
627                                  struct ldb_message *sd_msg,
628                                  struct ldb_message *msg,
629                                  struct acl_context *ac)
630 {
631         struct ldb_message_element *rightsEffective;
632         int ret;
633         struct security_descriptor *sd;
634         struct ldb_control *as_system = ldb_request_get_control(ac->req,
635                                                                 LDB_CONTROL_AS_SYSTEM_OID);
636         struct dom_sid *sid = NULL;
637         uint32_t flags = 0;
638
639         /* Must remove any existing attribute, or else confusion reins */
640         ldb_msg_remove_attr(msg, "sDRightsEffective");
641         ret = ldb_msg_add_empty(msg, "sDRightsEffective", 0, &rightsEffective);
642         if (ret != LDB_SUCCESS) {
643                 return ret;
644         }
645         if (ac->am_system || as_system) {
646                 flags = SECINFO_OWNER | SECINFO_GROUP |  SECINFO_SACL |  SECINFO_DACL;
647         }
648         else {
649                 /* Get the security descriptor from the message */
650                 ret = get_sd_from_ldb_message(msg, sd_msg, &sd);
651                 if (ret != LDB_SUCCESS) {
652                         return ret;
653                 }
654                 ret = get_dom_sid_from_ldb_message(msg, sd_msg, &sid);
655
656                 if (ret != LDB_SUCCESS) {
657                         return ret;
658                 }
659                 ret = acl_check_access_on_attribute(module,
660                                                     msg,
661                                                     sd,
662                                                     sid,
663                                                     SEC_STD_WRITE_OWNER,
664                                                     NULL);
665                 if (ret == LDB_SUCCESS) {
666                         flags |= SECINFO_OWNER | SECINFO_GROUP;
667                 }
668                 ret = acl_check_access_on_attribute(module,
669                                                     msg,
670                                                     sd,
671                                                     sid,
672                                                     SEC_STD_WRITE_DAC,
673                                                     NULL);
674                 if (ret == LDB_SUCCESS) {
675                         flags |= SECINFO_DACL;
676                 }
677                 ret = acl_check_access_on_attribute(module,
678                                                     msg,
679                                                     sd,
680                                                     sid,
681                                                     SEC_FLAG_SYSTEM_SECURITY,
682                                                     NULL);
683                 if (ret == LDB_SUCCESS) {
684                         flags |= SECINFO_SACL;
685                 }
686         }
687         ldb_msg_add_fmt(msg, "sDRightsEffective", "%u", flags);
688         return LDB_SUCCESS;
689 }
690
691 static int acl_add(struct ldb_module *module, struct ldb_request *req)
692 {
693         int ret;
694         struct ldb_dn *parent = ldb_dn_get_parent(req, req->op.add.message->dn);
695         struct ldb_context *ldb;
696         struct ldb_message_element *oc_el;
697         const struct GUID *guid;
698         struct object_tree *root = NULL;
699         struct object_tree *new_node = NULL;
700         struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
701
702         if (dsdb_module_am_system(module) || as_system) {
703                 return ldb_next_request(module, req);
704         }
705
706         if (ldb_dn_is_special(req->op.add.message->dn)) {
707                 return ldb_next_request(module, req);
708         }
709         ldb = ldb_module_get_ctx(module);
710         /* Creating an NC. There is probably something we should do here,
711          * but we will establish that later */
712         if ((ldb_dn_compare(req->op.add.message->dn, (ldb_get_schema_basedn(ldb))) == 0) ||
713             (ldb_dn_compare(req->op.add.message->dn, (ldb_get_config_basedn(ldb))) == 0) ||
714             (ldb_dn_compare(req->op.add.message->dn, (ldb_get_root_basedn(ldb))) == 0)) {
715                 return ldb_next_request(module, req);
716         }
717
718         oc_el = ldb_msg_find_element(req->op.add.message, "objectClass");
719         if (!oc_el || oc_el->num_values == 0) {
720                 DEBUG(10,("acl:operation error %s\n", ldb_dn_get_linearized(req->op.add.message->dn)));
721                 return ldb_module_done(req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
722         }
723
724         guid = class_schemaid_guid_by_lDAPDisplayName(dsdb_get_schema(ldb),
725                                                       (char *)oc_el->values[oc_el->num_values-1].data);
726
727         if (!insert_in_object_tree(req, guid, SEC_ADS_CREATE_CHILD, &root, &new_node)) {
728                 return LDB_ERR_OPERATIONS_ERROR;
729         }
730
731         ret = check_access_on_dn(module, req, parent, SEC_ADS_CREATE_CHILD, root);
732         if (ret != LDB_SUCCESS) {
733                 return ret;
734         }
735
736         return ldb_next_request(module, req);
737 }
738
739 static int acl_modify(struct ldb_module *module, struct ldb_request *req)
740 {
741         int ret;
742         struct ldb_context *ldb = ldb_module_get_ctx(module);
743         const struct dsdb_schema *schema = dsdb_get_schema(ldb);
744         int i;
745         bool modify_sd = false;
746         const struct GUID *guid;
747         uint32_t access_granted;
748         struct object_tree *root = NULL;
749         struct object_tree *new_node = NULL;
750         NTSTATUS status;
751         struct ldb_result *acl_res;
752         struct security_descriptor *sd;
753         struct dom_sid *sid = NULL;
754         struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
755         TALLOC_CTX *tmp_ctx = talloc_new(req);
756         static const char *acl_attrs[] = {
757                 "nTSecurityDescriptor",
758                 "objectClass",
759                 "objectSid",
760                 NULL
761         };
762
763         /* Don't print this debug statement if elements[0].name is going to be NULL */
764         if(req->op.mod.message->num_elements > 0)
765         {
766                 DEBUG(10, ("ldb:acl_modify: %s\n", req->op.mod.message->elements[0].name));
767         }
768         if (dsdb_module_am_system(module) || as_system) {
769                 return ldb_next_request(module, req);
770         }
771         if (ldb_dn_is_special(req->op.mod.message->dn)) {
772                 return ldb_next_request(module, req);
773         }
774         ret = ldb_search(ldb, req, &acl_res, req->op.mod.message->dn,
775                          LDB_SCOPE_BASE, acl_attrs, NULL);
776
777         if (ret != LDB_SUCCESS) {
778                 return ret;
779         }
780
781         ret = get_sd_from_ldb_message(req, acl_res->msgs[0], &sd);
782         if (ret != LDB_SUCCESS) {
783                 DEBUG(10, ("acl_modify: cannot get descriptor\n"));
784                 return ret;
785         }
786         /* Theoretically we pass the check if the object has no sd */
787         if (!sd) {
788                 return LDB_SUCCESS;
789         }
790
791         guid = get_oc_guid_from_message(module,acl_res->msgs[0]);
792         if (!guid) {
793                 DEBUG(10, ("acl_modify: cannot get guid\n"));
794                 goto fail;
795         }
796
797         ret = get_dom_sid_from_ldb_message(req, acl_res->msgs[0], &sid);
798         if (ret != LDB_SUCCESS) {
799                 return LDB_ERR_OPERATIONS_ERROR;
800         }
801
802         if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP,
803                                    &root, &new_node)) {
804                 DEBUG(10, ("acl_modify: cannot add to object tree\n"));
805                 goto fail;
806         }
807         for (i=0; i < req->op.mod.message->num_elements; i++){
808                 const struct dsdb_attribute *attr;
809                 /* clearTextPassword is not in schema */
810                 if (strcmp("clearTextPassword", req->op.mod.message->elements[i].name) == 0) {
811                         attr = dsdb_attribute_by_lDAPDisplayName(schema, "unicodePwd");
812                 } else {
813                         attr = dsdb_attribute_by_lDAPDisplayName(schema,
814                                                                  req->op.mod.message->elements[i].name);
815                 }
816                 if (strcmp("nTSecurityDescriptor", req->op.mod.message->elements[i].name) == 0) {
817                         modify_sd = true;
818                 } else {
819
820                         if (!attr) {
821                                 DEBUG(10, ("acl_modify: cannot find attribute %s\n",
822                                            req->op.mod.message->elements[i].name));
823                                 goto fail;
824                         }
825                         if (!insert_in_object_tree(tmp_ctx,
826                                                    &attr->attributeSecurityGUID, SEC_ADS_WRITE_PROP,
827                                                    &new_node, &new_node)) {
828                                 DEBUG(10, ("acl_modify: cannot add to object tree securityGUID\n"));
829                                 goto fail;
830                         }
831
832                         if (!insert_in_object_tree(tmp_ctx,
833                                                    &attr->schemaIDGUID, SEC_ADS_WRITE_PROP, &new_node, &new_node)) {
834                                 DEBUG(10, ("acl_modify: cannot add to object tree attributeGUID\n"));
835                                 goto fail;
836                         }
837                 }
838         }
839
840         if (root->num_of_children > 0) {
841                 status = sec_access_check_ds(sd, acl_user_token(module),
842                                              SEC_ADS_WRITE_PROP,
843                                              &access_granted,
844                                              root,
845                                              sid);
846
847                 if (!NT_STATUS_IS_OK(status)) {
848                         DEBUG(10, ("Object %s nas no write property access\n",
849                                    ldb_dn_get_linearized(req->op.mod.message->dn)));
850                         acl_debug(sd,
851                                   acl_user_token(module),
852                                   req->op.mod.message->dn,
853                                   true,
854                                   10);
855                         talloc_free(tmp_ctx);
856                         return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
857                 }
858         }
859         if (modify_sd) {
860                 status = sec_access_check_ds(sd, acl_user_token(module),
861                                              SEC_STD_WRITE_DAC,
862                                              &access_granted,
863                                              NULL,
864                                              sid);
865
866                 if (!NT_STATUS_IS_OK(status)) {
867                         DEBUG(10, ("Object %s nas no write dacl access\n",
868                                    ldb_dn_get_linearized(req->op.mod.message->dn)));
869                         acl_debug(sd,
870                                   acl_user_token(module),
871                                   req->op.mod.message->dn,
872                                   true,
873                                   10);
874                         talloc_free(tmp_ctx);
875                         return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
876                 }
877         }
878
879         talloc_free(tmp_ctx);
880         return ldb_next_request(module, req);
881 fail:
882         talloc_free(tmp_ctx);
883         return LDB_ERR_OPERATIONS_ERROR;
884 }
885
886 /* similar to the modify for the time being.
887  * We need to concider the special delete tree case, though - TODO */
888 static int acl_delete(struct ldb_module *module, struct ldb_request *req)
889 {
890         int ret;
891         struct ldb_dn *parent = ldb_dn_get_parent(req, req->op.del.dn);
892         struct ldb_context *ldb;
893         struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
894
895         DEBUG(10, ("ldb:acl_delete: %s\n", ldb_dn_get_linearized(req->op.del.dn)));
896         if (dsdb_module_am_system(module) || as_system) {
897                 return ldb_next_request(module, req);
898         }
899
900         if (ldb_dn_is_special(req->op.del.dn)) {
901                 return ldb_next_request(module, req);
902         }
903         ldb = ldb_module_get_ctx(module);
904         /* first check if we have delete object right */
905         ret = check_access_on_dn(module, req, req->op.del.dn, SEC_STD_DELETE, NULL);
906         if (ret == LDB_SUCCESS) {
907                 return ldb_next_request(module, req);
908         }
909
910         /* Nope, we don't have delete object. Lets check if we have delete child on the parent */
911         /* No parent, so check fails */
912         if ((ldb_dn_compare(req->op.del.dn, (ldb_get_schema_basedn(ldb))) == 0) ||
913             (ldb_dn_compare(req->op.del.dn, (ldb_get_config_basedn(ldb))) == 0) ||
914             (ldb_dn_compare(req->op.del.dn, (ldb_get_root_basedn(ldb))) == 0)) {
915                 DEBUG(10,("acl:deleting an NC\n"));
916                 return ldb_module_done(req, NULL, NULL, LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS);
917         }
918
919         ret = check_access_on_dn(module, req, parent, SEC_ADS_DELETE_CHILD, NULL);
920         if (ret != LDB_SUCCESS) {
921                 return ret;
922         }
923         return ldb_next_request(module, req);
924 }
925
926 static int acl_rename(struct ldb_module *module, struct ldb_request *req)
927 {
928         int ret;
929         struct ldb_dn *oldparent = ldb_dn_get_parent(req, req->op.rename.olddn);
930         struct ldb_dn *newparent = ldb_dn_get_parent(req, req->op.rename.newdn);
931         struct ldb_context *ldb;
932         struct security_descriptor *sd = NULL;
933         struct dom_sid *sid = NULL;
934         struct ldb_result *acl_res;
935         const struct GUID *guid;
936         struct object_tree *root = NULL;
937         struct object_tree *new_node = NULL;
938         struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
939         TALLOC_CTX *tmp_ctx = talloc_new(req);
940         NTSTATUS status;
941         uint32_t access_granted;
942         static const char *acl_attrs[] = {
943                 "nTSecurityDescriptor",
944                 "objectClass",
945                 "objectSid",
946                 NULL
947         };
948
949         DEBUG(10, ("ldb:acl_rename: %s\n", ldb_dn_get_linearized(req->op.rename.olddn)));
950         if (dsdb_module_am_system(module) || as_system) {
951                 return ldb_next_request(module, req);
952         }
953         if (ldb_dn_is_special(req->op.rename.olddn)) {
954                 return ldb_next_request(module, req);
955         }
956         ldb = ldb_module_get_ctx(module);
957
958         /* TODO search to include deleted objects */
959         ret = ldb_search(ldb, req, &acl_res, req->op.rename.olddn,
960                          LDB_SCOPE_BASE, acl_attrs, NULL);
961         /* we sould be able to find the parent */
962         if (ret != LDB_SUCCESS) {
963                 DEBUG(10,("acl: failed to find object %s\n",
964                           ldb_dn_get_linearized(req->op.rename.olddn)));
965                 return ret;
966         }
967
968         guid = get_oc_guid_from_message(module,acl_res->msgs[0]);
969         if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP,
970                                    &root, &new_node)) {
971                 return LDB_ERR_OPERATIONS_ERROR;
972         };
973
974         guid = attribute_schemaid_guid_by_lDAPDisplayName(dsdb_get_schema(ldb),
975                                                           "name");
976         if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP,
977                                    &new_node, &new_node)) {
978                 return LDB_ERR_OPERATIONS_ERROR;
979         };
980
981         ret = get_sd_from_ldb_message(req, acl_res->msgs[0], &sd);
982
983         if (ret != LDB_SUCCESS) {
984                 return LDB_ERR_OPERATIONS_ERROR;
985         }
986         /* Theoretically we pass the check if the object has no sd */
987         if (!sd) {
988                 return LDB_SUCCESS;
989         }
990         ret = get_dom_sid_from_ldb_message(req, acl_res->msgs[0], &sid);
991         if (ret != LDB_SUCCESS) {
992                 return LDB_ERR_OPERATIONS_ERROR;
993         }
994
995         status = sec_access_check_ds(sd, acl_user_token(module),
996                                      SEC_ADS_WRITE_PROP,
997                                      &access_granted,
998                                      root,
999                                      sid);
1000
1001         if (!NT_STATUS_IS_OK(status)) {
1002                 DEBUG(10, ("Object %s nas no wp on name\n",
1003                            ldb_dn_get_linearized(req->op.rename.olddn)));
1004                 acl_debug(sd,
1005                           acl_user_token(module),
1006                           req->op.rename.olddn,
1007                           true,
1008                           10);
1009                 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
1010         }
1011
1012         if (ldb_dn_compare(oldparent, newparent) == 0) {
1013                 /* regular rename, not move, nothing more to do */
1014                 return ldb_next_request(module, req);
1015         }
1016
1017         /* What exactly to do in this case? It would fail anyway.. */
1018         if ((ldb_dn_compare(req->op.rename.newdn, (ldb_get_schema_basedn(ldb))) == 0) ||
1019             (ldb_dn_compare(req->op.rename.newdn, (ldb_get_config_basedn(ldb))) == 0) ||
1020             (ldb_dn_compare(req->op.rename.newdn, (ldb_get_root_basedn(ldb))) == 0)) {
1021                 DEBUG(10,("acl:moving as an NC\n"));
1022                 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
1023         }
1024         /* new parent should have create child */
1025         talloc_free(tmp_ctx);
1026         tmp_ctx = talloc_new(req);
1027         root = NULL;
1028         new_node = NULL;
1029         guid = get_oc_guid_from_message(module,acl_res->msgs[0]);
1030         if (!guid) {
1031                 DEBUG(10,("acl:renamed object has no object class\n"));
1032                 return ldb_module_done(req, NULL, NULL,  LDB_ERR_OPERATIONS_ERROR);
1033         }
1034         if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_CREATE_CHILD,
1035                                    &root, &new_node)) {
1036                 return LDB_ERR_OPERATIONS_ERROR;
1037         }
1038         ret = check_access_on_dn(module, req, newparent, SEC_ADS_CREATE_CHILD, root);
1039         if (ret != LDB_SUCCESS) {
1040                 DEBUG(10,("acl:access_denied renaming %s", ldb_dn_get_linearized(req->op.rename.olddn)));
1041                 return ret;
1042         }
1043         /* do we have delete object on the object? */
1044
1045         status = sec_access_check_ds(sd, acl_user_token(module),
1046                                      SEC_STD_DELETE,
1047                                      &access_granted,
1048                                      NULL,
1049                                      sid);
1050
1051         if (NT_STATUS_IS_OK(status)) {
1052                 return ldb_next_request(module, req);
1053         }
1054         /* what about delete child on the current parent */
1055         ret = check_access_on_dn(module, req, oldparent, SEC_ADS_DELETE_CHILD, NULL);
1056         if (ret != LDB_SUCCESS) {
1057                 DEBUG(10,("acl:access_denied renaming %s", ldb_dn_get_linearized(req->op.rename.olddn)));
1058                 return ldb_module_done(req, NULL, NULL, ret);
1059         }
1060         return ldb_next_request(module, req);
1061 }
1062
1063 static int acl_search_callback(struct ldb_request *req, struct ldb_reply *ares)
1064 {
1065         struct ldb_context *ldb;
1066         struct acl_context *ac;
1067         struct acl_private *data;
1068         struct ldb_result *acl_res;
1069         static const char *acl_attrs[] = {
1070                 "objectClass",
1071                 "nTSecurityDescriptor",
1072                 "objectSid",
1073                 NULL
1074         };
1075         int ret, i;
1076
1077         ac = talloc_get_type(req->context, struct acl_context);
1078         data = talloc_get_type(ldb_module_get_private(ac->module), struct acl_private);
1079         ldb = ldb_module_get_ctx(ac->module);
1080
1081         if (!ares) {
1082                 return ldb_module_done(ac->req, NULL, NULL,
1083                                        LDB_ERR_OPERATIONS_ERROR);
1084         }
1085         if (ares->error != LDB_SUCCESS) {
1086                 return ldb_module_done(ac->req, ares->controls,
1087                                        ares->response, ares->error);
1088         }
1089
1090         switch (ares->type) {
1091         case LDB_REPLY_ENTRY:
1092                 if (ac->allowedAttributes 
1093                     || ac->allowedChildClasses
1094                     || ac->allowedChildClassesEffective
1095                     || ac->allowedAttributesEffective
1096                     || ac->sDRightsEffective) {
1097                         ret = ldb_search(ldb, ac, &acl_res, ares->message->dn, LDB_SCOPE_BASE, acl_attrs, NULL);
1098                         if (ret != LDB_SUCCESS) {
1099                                 return ldb_module_done(ac->req, NULL, NULL, ret);
1100                         }
1101                         if (ac->allowedAttributes || ac->allowedAttributesEffective) {
1102                                 ret = acl_allowedAttributes(ac->module, acl_res->msgs[0], ares->message, ac);
1103                                 if (ret != LDB_SUCCESS) {
1104                                         return ldb_module_done(ac->req, NULL, NULL, ret);
1105                                 }
1106                         }
1107                         if (ac->allowedChildClasses) {
1108                                 ret = acl_childClasses(ac->module, acl_res->msgs[0],
1109                                                        ares->message, "allowedChildClasses");
1110                                 if (ret != LDB_SUCCESS) {
1111                                         return ldb_module_done(ac->req, NULL, NULL, ret);
1112                                 }
1113                         }
1114                         if (ac->allowedChildClassesEffective) {
1115                                 ret = acl_childClassesEffective(ac->module,
1116                                                                 acl_res->msgs[0], ares->message, ac);
1117                                 if (ret != LDB_SUCCESS) {
1118                                         return ldb_module_done(ac->req, NULL, NULL, ret);
1119                                 }
1120                         }
1121                         if (ac->sDRightsEffective) {
1122                                 ret = acl_sDRightsEffective(ac->module,
1123                                                             acl_res->msgs[0], ares->message, ac);
1124                                 if (ret != LDB_SUCCESS) {
1125                                         return ldb_module_done(ac->req, NULL, NULL, ret);
1126                                 }
1127                         }
1128                 }
1129                 if (data && data->password_attrs) {
1130                         if (!ac->am_system) {
1131                                 for (i = 0; data->password_attrs[i]; i++) {
1132                                         ldb_msg_remove_attr(ares->message, data->password_attrs[i]);
1133                                 }
1134                         }
1135                 }
1136                 return ldb_module_send_entry(ac->req, ares->message, ares->controls);
1137
1138         case LDB_REPLY_REFERRAL:
1139                 return ldb_module_send_referral(ac->req, ares->referral);
1140
1141         case LDB_REPLY_DONE:
1142                 return ldb_module_done(ac->req, ares->controls,
1143                                        ares->response, LDB_SUCCESS);
1144
1145         }
1146         return LDB_SUCCESS;
1147 }
1148
1149 static int acl_search(struct ldb_module *module, struct ldb_request *req)
1150 {
1151         struct ldb_context *ldb;
1152         struct acl_context *ac;
1153         struct ldb_request *down_req;
1154         struct acl_private *data;
1155         int ret, i;
1156
1157         ldb = ldb_module_get_ctx(module);
1158
1159         ac = talloc_zero(req, struct acl_context);
1160         if (ac == NULL) {
1161                 ldb_oom(ldb);
1162                 return LDB_ERR_OPERATIONS_ERROR;
1163         }
1164         data = talloc_get_type(ldb_module_get_private(module), struct acl_private);
1165
1166         ac->module = module;
1167         ac->req = req;
1168         ac->am_system = dsdb_module_am_system(module);
1169         ac->allowedAttributes = ldb_attr_in_list(req->op.search.attrs, "allowedAttributes");
1170         ac->allowedAttributesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedAttributesEffective");
1171         ac->allowedChildClasses = ldb_attr_in_list(req->op.search.attrs, "allowedChildClasses");
1172         ac->allowedChildClassesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedChildClassesEffective");
1173         ac->sDRightsEffective = ldb_attr_in_list(req->op.search.attrs, "sDRightsEffective");
1174
1175         /* replace any attributes in the parse tree that are private,
1176            so we don't allow a search for 'userPassword=penguin',
1177            just as we would not allow that attribute to be returned */
1178         if (ac->am_system) {
1179                 /* FIXME: We should copy the tree and keep the original unmodified. */
1180                 /* remove password attributes */
1181                 if (data && data->password_attrs) {
1182                         for (i = 0; data->password_attrs[i]; i++) {
1183                                 ldb_parse_tree_attr_replace(req->op.search.tree,
1184                                                             data->password_attrs[i],
1185                                                             "kludgeACLredactedattribute");
1186                         }
1187                 }
1188         }
1189         ret = ldb_build_search_req_ex(&down_req,
1190                                       ldb, ac,
1191                                       req->op.search.base,
1192                                       req->op.search.scope,
1193                                       req->op.search.tree,
1194                                       req->op.search.attrs,
1195                                       req->controls,
1196                                       ac, acl_search_callback,
1197                                       req);
1198         if (ret != LDB_SUCCESS) {
1199                 return ret;
1200         }
1201         /* perform the search */
1202         return ldb_next_request(module, down_req);
1203 }
1204
1205 _PUBLIC_ const struct ldb_module_ops ldb_acl_module_ops = {
1206         .name              = "acl",
1207         .search            = acl_search,
1208         .add               = acl_add,
1209         .modify            = acl_modify,
1210         .del               = acl_delete,
1211         .rename            = acl_rename,
1212         .init_context      = acl_module_init
1213 };