s4-dsdb: If current attribute list is empty use the one from the request
[kai/samba.git] / source4 / dsdb / samdb / ldb_modules / acl_read.c
1 /*
2   ldb database library
3
4   Copyright (C) Simo Sorce 2006-2008
5   Copyright (C) Nadezhda Ivanova 2010
6
7   This program is free software; you can redistribute it and/or modify
8   it under the terms of the GNU General Public License as published by
9   the Free Software Foundation; either version 3 of the License, or
10   (at your option) any later version.
11
12   This program is distributed in the hope that it will be useful,
13   but WITHOUT ANY WARRANTY; without even the implied warranty of
14   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15   GNU General Public License for more details.
16
17   You should have received a copy of the GNU General Public License
18   along with this program.  If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 /*
22  *  Name: ldb
23  *
24  *  Component: ldb ACL Read module
25  *
26  *  Description: Module that performs authorisation access checks on read requests
27  *               Only DACL checks implemented at this point
28  *
29  *  Author: Nadezhda Ivanova
30  */
31
32 #include "includes.h"
33 #include "ldb_module.h"
34 #include "auth/auth.h"
35 #include "libcli/security/security.h"
36 #include "dsdb/samdb/samdb.h"
37 #include "librpc/gen_ndr/ndr_security.h"
38 #include "param/param.h"
39 #include "dsdb/samdb/ldb_modules/util.h"
40
41
42 struct aclread_context {
43         struct ldb_module *module;
44         struct ldb_request *req;
45         const char * const *attrs;
46         const struct dsdb_schema *schema;
47         bool sd;
48         bool instance_type;
49         bool object_sid;
50 };
51
52 struct aclread_private {
53         bool enabled;
54 };
55
56 static void aclread_mark_inaccesslible(struct ldb_message_element *el) {
57          el->flags |= LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE;
58 }
59
60 static bool aclread_is_inaccessible(struct ldb_message_element *el) {
61         return el->flags & LDB_FLAG_INTERNAL_INACCESSIBLE_ATTRIBUTE;
62 }
63
64 static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
65 {
66          struct ldb_context *ldb;
67          struct aclread_context *ac;
68          struct ldb_message *ret_msg;
69          struct ldb_message *msg;
70          int ret, num_of_attrs = 0;
71          unsigned int i, k = 0;
72          struct security_descriptor *sd;
73          struct dom_sid *sid = NULL;
74          TALLOC_CTX *tmp_ctx;
75          uint32_t instanceType;
76
77          ac = talloc_get_type(req->context, struct aclread_context);
78          ldb = ldb_module_get_ctx(ac->module);
79          if (!ares) {
80                  return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR );
81          }
82          if (ares->error != LDB_SUCCESS) {
83                  return ldb_module_done(ac->req, ares->controls,
84                                         ares->response, ares->error);
85          }
86          tmp_ctx = talloc_new(ac);
87          switch (ares->type) {
88          case LDB_REPLY_ENTRY:
89                  msg = ares->message;
90                  ret = dsdb_get_sd_from_ldb_message(ldb, tmp_ctx, msg, &sd);
91                  if (ret != LDB_SUCCESS || sd == NULL ) {
92                          DEBUG(10, ("acl_read: cannot get descriptor\n"));
93                          ret = LDB_ERR_OPERATIONS_ERROR;
94                          goto fail;
95                  }
96                  sid = samdb_result_dom_sid(tmp_ctx, msg, "objectSid");
97                  /* get the object instance type */
98                  instanceType = ldb_msg_find_attr_as_uint(msg,
99                                                          "instanceType", 0);
100                  if (!ldb_dn_is_null(msg->dn) && !(instanceType & INSTANCE_TYPE_IS_NC_HEAD))
101                  {
102                         /* the object has a parent, so we have to check for visibility */
103                         struct ldb_dn *parent_dn = ldb_dn_get_parent(tmp_ctx, msg->dn);
104                         ret = dsdb_module_check_access_on_dn(ac->module,
105                                                              tmp_ctx,
106                                                              parent_dn,
107                                                              SEC_ADS_LIST,
108                                                              NULL, req);
109                         if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
110                                 talloc_free(tmp_ctx);
111                                 return LDB_SUCCESS;
112                         } else if (ret != LDB_SUCCESS) {
113                                 goto fail;
114                         }
115                  }
116                  /* for every element in the message check RP */
117                  for (i=0; i < msg->num_elements; i++) {
118                          const struct dsdb_attribute *attr;
119                          bool is_sd, is_objectsid, is_instancetype;
120                          uint32_t access_mask;
121                          attr =  dsdb_attribute_by_lDAPDisplayName(ac->schema,
122                                                                    msg->elements[i].name);
123                          if (!attr) {
124                                  DEBUG(2, ("acl_read: cannot find attribute %s in schema\n",
125                                            msg->elements[i].name));
126                                  ret = LDB_ERR_OPERATIONS_ERROR;
127                                  goto fail;
128                          }
129                          is_sd = ldb_attr_cmp("nTSecurityDescriptor",
130                                               msg->elements[i].name) == 0;
131                          is_objectsid = ldb_attr_cmp("objectSid",
132                                                      msg->elements[i].name) == 0;
133                          is_instancetype = ldb_attr_cmp("instanceType",
134                                                         msg->elements[i].name) == 0;
135                          /* these attributes were added to perform access checks and must be removed */
136                          if (is_objectsid && ac->object_sid) {
137                                  aclread_mark_inaccesslible(&msg->elements[i]);
138                                  continue;
139                          }
140                          if (is_instancetype && ac->instance_type) {
141                                  aclread_mark_inaccesslible(&msg->elements[i]);
142                                  continue;
143                          }
144                          if (is_sd && ac->sd) {
145                                  aclread_mark_inaccesslible(&msg->elements[i]);
146                                  continue;
147                          }
148                          /* nTSecurityDescriptor is a special case */
149                          if (is_sd) {
150                                  access_mask = SEC_FLAG_SYSTEM_SECURITY|SEC_STD_READ_CONTROL;
151                          } else {
152                                  access_mask = SEC_ADS_READ_PROP;
153                          }
154                          ret = acl_check_access_on_attribute(ac->module,
155                                                              tmp_ctx,
156                                                              sd,
157                                                              sid,
158                                                              access_mask,
159                                                              attr);
160
161                          if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
162                                  /* do not return this entry if attribute is
163                                     part of the search filter */
164                                  if (dsdb_attr_in_parse_tree(ac->req->op.search.tree,
165                                                              msg->elements[i].name)) {
166                                          talloc_free(tmp_ctx);
167                                          return LDB_SUCCESS;
168                                  }
169                                  aclread_mark_inaccesslible(&msg->elements[i]);
170                          } else if (ret != LDB_SUCCESS) {
171                                  goto fail;
172                          }
173                  }
174                  for (i=0; i < msg->num_elements; i++) {
175                          if (!aclread_is_inaccessible(&msg->elements[i])) {
176                                  num_of_attrs++;
177                          }
178                  }
179                  /*create a new message to return*/
180                  ret_msg = ldb_msg_new(ac->req);
181                  ret_msg->dn = msg->dn;
182                  talloc_steal(ret_msg, msg->dn);
183                  ret_msg->num_elements = num_of_attrs;
184                  if (num_of_attrs > 0) {
185                          ret_msg->elements = talloc_array(ret_msg,
186                                                           struct ldb_message_element,
187                                                           num_of_attrs);
188                          if (ret_msg->elements == NULL) {
189                                  return ldb_oom(ldb);
190                          }
191                          for (i=0; i < msg->num_elements; i++) {
192                                  bool to_remove = aclread_is_inaccessible(&msg->elements[i]);
193                                  if (!to_remove) {
194                                          ret_msg->elements[k] = msg->elements[i];
195                                          talloc_steal(ret_msg->elements, msg->elements[i].name);
196                                          talloc_steal(ret_msg->elements, msg->elements[i].values);
197                                          k++;
198                                  }
199                          }
200                  } else {
201                          ret_msg->elements = NULL;
202                  }
203                  talloc_free(tmp_ctx);
204
205                  return ldb_module_send_entry(ac->req, ret_msg, ares->controls);
206          case LDB_REPLY_REFERRAL:
207                  return ldb_module_send_referral(ac->req, ares->referral);
208          case LDB_REPLY_DONE:
209                  return ldb_module_done(ac->req, ares->controls,
210                                         ares->response, LDB_SUCCESS);
211
212          }
213          return LDB_SUCCESS;
214 fail:
215          talloc_free(tmp_ctx);
216          return ldb_module_done(ac->req, NULL, NULL, ret);
217 }
218
219
220 static int aclread_search(struct ldb_module *module, struct ldb_request *req)
221 {
222         struct ldb_context *ldb;
223         int ret;
224         struct aclread_context *ac;
225         struct ldb_request *down_req;
226         struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
227         struct ldb_result *res;
228         struct aclread_private *p;
229         bool is_untrusted = ldb_req_is_untrusted(req);
230         const char * const *attrs = NULL;
231         uint32_t instanceType;
232         static const char *acl_attrs[] = {
233                  "instanceType",
234                  NULL
235         };
236
237         ldb = ldb_module_get_ctx(module);
238         p = talloc_get_type(ldb_module_get_private(module), struct aclread_private);
239
240         /* skip access checks if we are system or system control is supplied
241          * or this is not LDAP server request */
242         if (!p || !p->enabled ||
243             dsdb_module_am_system(module)
244             || as_system || !is_untrusted) {
245                 return ldb_next_request(module, req);
246         }
247         /* no checks on special dn */
248         if (ldb_dn_is_special(req->op.search.base)) {
249                 return ldb_next_request(module, req);
250         }
251
252         /* check accessibility of base */
253         if (!ldb_dn_is_null(req->op.search.base)) {
254                 ret = dsdb_module_search_dn(module, req, &res, req->op.search.base,
255                                             acl_attrs,
256                                             DSDB_FLAG_NEXT_MODULE |
257                                             DSDB_SEARCH_SHOW_DELETED, req);
258                 if (ret != LDB_SUCCESS) {
259                         return ldb_error(ldb, ret,
260                                          "acl_read: Error retrieving instanceType for base.");
261                 }
262                 instanceType = ldb_msg_find_attr_as_uint(res->msgs[0],
263                                                          "instanceType", 0);
264                 if (instanceType != 0 && !(instanceType & INSTANCE_TYPE_IS_NC_HEAD))
265                 {
266                         /* the object has a parent, so we have to check for visibility */
267                         struct ldb_dn *parent_dn = ldb_dn_get_parent(req, req->op.search.base);
268                         ret = dsdb_module_check_access_on_dn(module,
269                                                              req,
270                                                              parent_dn,
271                                                              SEC_ADS_LIST,
272                                                              NULL, req);
273                         if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
274                                 return ldb_module_done(req, NULL, NULL, LDB_ERR_NO_SUCH_OBJECT);
275                         } else if (ret != LDB_SUCCESS) {
276                                 return ldb_module_done(req, NULL, NULL, ret);
277                         }
278                 }
279         }
280         ac = talloc_zero(req, struct aclread_context);
281         if (ac == NULL) {
282                 return ldb_oom(ldb);
283         }
284         ac->module = module;
285         ac->req = req;
286         ac->schema = dsdb_get_schema(ldb, req);
287         if (!ac->schema) {
288                 return ldb_operr(ldb);
289         }
290         ac->sd = !(ldb_attr_in_list(req->op.search.attrs, "nTSecurityDescriptor"));
291         if (req->op.search.attrs && !ldb_attr_in_list(req->op.search.attrs, "*")) {
292                 if (!ldb_attr_in_list(req->op.search.attrs, "instanceType")) {
293                         ac->instance_type = true;
294                         attrs = ldb_attr_list_copy_add(ac, req->op.search.attrs, "instanceType");
295                 } else {
296                         attrs = req->op.search.attrs;
297                 }
298                 if (!ldb_attr_in_list(req->op.search.attrs, "objectSid")) {
299                         ac->object_sid = true;
300                         attrs = ldb_attr_list_copy_add(ac, attrs, "objectSid");
301                 }
302         }
303
304         if (ac->sd) {
305                 /* avoid replacing all attributes with nTSecurityDescriptor
306                  * if attribute list is empty */
307                 if (!attrs) {
308                         attrs = ldb_attr_list_copy_add(ac, req->op.search.attrs, "*");
309                 }
310                 attrs = ldb_attr_list_copy_add(ac, attrs, "nTSecurityDescriptor");
311         }
312         ac->attrs = req->op.search.attrs;
313         ret = ldb_build_search_req_ex(&down_req,
314                                       ldb, ac,
315                                       req->op.search.base,
316                                       req->op.search.scope,
317                                       req->op.search.tree,
318                                       attrs,
319                                       req->controls,
320                                       ac, aclread_callback,
321                                       req);
322
323         if (ret != LDB_SUCCESS) {
324                 return LDB_ERR_OPERATIONS_ERROR;
325         }
326
327         return ldb_next_request(module, down_req);
328 }
329
330 static int aclread_init(struct ldb_module *module)
331 {
332         struct ldb_context *ldb = ldb_module_get_ctx(module);
333         struct aclread_private *p = talloc_zero(module, struct aclread_private);
334         if (p == NULL) {
335                 return ldb_module_oom(module);
336         }
337         p->enabled = lpcfg_parm_bool(ldb_get_opaque(ldb, "loadparm"), NULL, "acl", "search", false);
338         ldb_module_set_private(module, p);
339         return ldb_next_init(module);
340 }
341
342 static const struct ldb_module_ops ldb_aclread_module_ops = {
343         .name              = "aclread",
344         .search            = aclread_search,
345         .init_context      = aclread_init
346 };
347
348 int ldb_aclread_module_init(const char *version)
349 {
350         LDB_MODULE_CHECK_VERSION(version);
351         return ldb_register_module(&ldb_aclread_module_ops);
352 }