Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-local
[kai/samba.git] / source4 / dsdb / samdb / ldb_modules / kludge_acl.c
1 /* 
2    ldb database library
3
4    Copyright (C) Andrew Bartlett 2005
5    Copyright (C) Simo Sorce 2006
6
7     This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License as published by
9    the Free Software Foundation; either version 3 of the License, or
10    (at your option) any later version.
11    
12    This program is distributed in the hope that it will be useful,
13    but WITHOUT ANY WARRANTY; without even the implied warranty of
14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15    GNU General Public License for more details.
16    
17    You should have received a copy of the GNU General Public License
18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 /*
22  *  Name: ldb
23  *
24  *  Component: ldb kludge ACL module
25  *
26  *  Description: Simple module to enforce a simple form of access
27  *               control, sufficient for securing a default Samba4 
28  *               installation.
29  *
30  *  Author: Andrew Bartlett
31  */
32
33 #include "includes.h"
34 #include "ldb/include/ldb.h"
35 #include "ldb/include/ldb_errors.h"
36 #include "ldb/include/ldb_private.h"
37 #include "auth/auth.h"
38 #include "libcli/security/security.h"
39 #include "dsdb/samdb/samdb.h"
40
41 /* Kludge ACL rules:
42  *
43  * - System can read passwords
44  * - Administrators can write anything
45  * - Users can read anything that is not a password
46  *
47  */
48
49 struct kludge_private_data {
50         const char **password_attrs;
51 };
52
53 static enum security_user_level what_is_user(struct ldb_module *module) 
54 {
55         struct auth_session_info *session_info
56                 = (struct auth_session_info *)ldb_get_opaque(module->ldb, "sessionInfo");
57         return security_session_user_level(session_info);
58 }
59
60 static const char *user_name(TALLOC_CTX *mem_ctx, struct ldb_module *module) 
61 {
62         struct auth_session_info *session_info
63                 = (struct auth_session_info *)ldb_get_opaque(module->ldb, "sessionInfo");
64         if (!session_info) {
65                 return "UNKNOWN (NULL)";
66         }
67         
68         return talloc_asprintf(mem_ctx, "%s\\%s",
69                                session_info->server_info->domain_name,
70                                session_info->server_info->account_name);
71 }
72
73 /* search */
74 struct kludge_acl_context {
75
76         struct ldb_module *module;
77         void *up_context;
78         int (*up_callback)(struct ldb_context *, void *, struct ldb_reply *);
79
80         enum security_user_level user_type;
81         bool allowedAttributes;
82         bool allowedAttributesEffective;
83         bool allowedChildClasses;
84         bool allowedChildClassesEffective;
85         const char **attrs;
86 };
87
88 /* read all objectClasses */
89
90 static int kludge_acl_allowedAttributes(struct ldb_context *ldb, struct ldb_message *msg,
91                                         const char *attrName) 
92 {
93         struct ldb_message_element *oc_el;
94         struct ldb_message_element *allowedAttributes;
95         const struct dsdb_schema *schema = dsdb_get_schema(ldb);
96         const struct dsdb_class *class;
97         int i, j, ret;
98
99         /* If we don't have a schema yet, we can't do anything... */
100         if (schema == NULL) {
101                 return LDB_SUCCESS;
102         }
103
104         /* Must remove any existing attribute, or else confusion reins */
105         ldb_msg_remove_attr(msg, attrName);
106         ret = ldb_msg_add_empty(msg, attrName, 0, &allowedAttributes);
107         if (ret != LDB_SUCCESS) {
108                 return ret;
109         }
110         
111         /* To ensure that oc_el is valid, we must look for it after 
112            we alter the element array in ldb_msg_add_empty() */
113         oc_el = ldb_msg_find_element(msg, "objectClass");
114
115         for (i=0; oc_el && i < oc_el->num_values; i++) {
116                 class = dsdb_class_by_lDAPDisplayName(schema, (const char *)oc_el->values[i].data);
117                 if (!class) {
118                         /* We don't know this class?  what is going on? */
119                         continue;
120                 }
121
122                 for (j=0; class->mayContain && class->mayContain[j]; j++) {
123                         ldb_msg_add_string(msg, attrName, class->mayContain[j]);
124                 }
125                 for (j=0; class->mustContain && class->mustContain[j]; j++) {
126                         ldb_msg_add_string(msg, attrName, class->mustContain[j]);
127                 }
128                 for (j=0; class->systemMayContain && class->systemMayContain[j]; j++) {
129                         ldb_msg_add_string(msg, attrName, class->systemMayContain[j]);
130                 }
131                 for (j=0; class->systemMustContain && class->systemMustContain[j]; j++) {
132                         ldb_msg_add_string(msg, attrName, class->systemMustContain[j]);
133                 }
134         }
135                 
136         if (allowedAttributes->num_values > 1) {
137                 qsort(allowedAttributes->values, 
138                       allowedAttributes->num_values, 
139                       sizeof(*allowedAttributes->values),
140                       (comparison_fn_t)data_blob_cmp);
141         
142                 for (i=1 ; i < allowedAttributes->num_values; i++) {
143                         struct ldb_val *val1 = &allowedAttributes->values[i-1];
144                         struct ldb_val *val2 = &allowedAttributes->values[i];
145                         if (data_blob_cmp(val1, val2) == 0) {
146                                 memmove(val1, val2, (allowedAttributes->num_values - i) * sizeof( struct ldb_val)); 
147                                 allowedAttributes->num_values--;
148                                 i--;
149                         }
150                 }
151         }
152
153         return 0;
154
155 }
156 /* read all objectClasses */
157
158 static int kludge_acl_childClasses(struct ldb_context *ldb, struct ldb_message *msg,
159                                    const char *attrName) 
160 {
161         struct ldb_message_element *oc_el;
162         struct ldb_message_element *allowedClasses;
163         const struct dsdb_schema *schema = dsdb_get_schema(ldb);
164         const struct dsdb_class *class;
165         int i, j, ret;
166
167         /* If we don't have a schema yet, we can't do anything... */
168         if (schema == NULL) {
169                 return LDB_SUCCESS;
170         }
171
172         /* Must remove any existing attribute, or else confusion reins */
173         ldb_msg_remove_attr(msg, attrName);
174         ret = ldb_msg_add_empty(msg, attrName, 0, &allowedClasses);
175         if (ret != LDB_SUCCESS) {
176                 return ret;
177         }
178         
179         /* To ensure that oc_el is valid, we must look for it after 
180            we alter the element array in ldb_msg_add_empty() */
181         oc_el = ldb_msg_find_element(msg, "objectClass");
182
183         for (i=0; oc_el && i < oc_el->num_values; i++) {
184                 class = dsdb_class_by_lDAPDisplayName(schema, (const char *)oc_el->values[i].data);
185                 if (!class) {
186                         /* We don't know this class?  what is going on? */
187                         continue;
188                 }
189
190                 for (j=0; class->possibleInferiors && class->possibleInferiors[j]; j++) {
191                         ldb_msg_add_string(msg, attrName, class->possibleInferiors[j]);
192                 }
193         }
194                 
195         if (allowedClasses->num_values > 1) {
196                 qsort(allowedClasses->values, 
197                       allowedClasses->num_values, 
198                       sizeof(*allowedClasses->values),
199                       (comparison_fn_t)data_blob_cmp);
200         
201                 for (i=1 ; i < allowedClasses->num_values; i++) {
202                         struct ldb_val *val1 = &allowedClasses->values[i-1];
203                         struct ldb_val *val2 = &allowedClasses->values[i];
204                         if (data_blob_cmp(val1, val2) == 0) {
205                                 memmove(val1, val2, (allowedClasses->num_values - i) * sizeof( struct ldb_val)); 
206                                 allowedClasses->num_values--;
207                                 i--;
208                         }
209                 }
210         }
211
212         return 0;
213
214 }
215
216 /* find all attributes allowed by all these objectClasses */
217
218 static int kludge_acl_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
219 {
220         struct kludge_acl_context *ac;
221         struct kludge_private_data *data;
222         int i, ret;
223
224         ac = talloc_get_type(context, struct kludge_acl_context);
225         data = talloc_get_type(ac->module->private_data, struct kludge_private_data);
226
227         if (ares->type != LDB_REPLY_ENTRY) {
228                 return ac->up_callback(ldb, ac->up_context, ares);
229         }
230
231         if (ac->allowedAttributes) {
232                 ret = kludge_acl_allowedAttributes(ldb, ares->message, "allowedAttributes");
233                 if (ret != LDB_SUCCESS) {
234                         return ret;
235
236                 }
237         }
238         if (ac->allowedChildClasses) {
239                 ret = kludge_acl_childClasses(ldb, ares->message, "allowedChildClasses");
240                 if (ret != LDB_SUCCESS) {
241                         return ret;
242                 }
243         }
244
245         if (data && data->password_attrs) /* if we are not initialized just get through */
246         {
247                 switch (ac->user_type) {
248                 case SECURITY_SYSTEM:
249                 case SECURITY_ADMINISTRATOR:
250                         if (ac->allowedAttributesEffective) {
251                                 ret = kludge_acl_allowedAttributes(ldb, ares->message, "allowedAttributesEffective");
252                                 if (ret != LDB_SUCCESS) {
253                                         return ret;
254                                 }
255                         }
256                         if (ac->allowedChildClassesEffective) {
257                                 ret = kludge_acl_childClasses(ldb, ares->message, "allowedChildClassesEffective");
258                                 if (ret != LDB_SUCCESS) {
259                                         return ret;
260                                 }
261                         }
262                         break;
263                 default:
264                         /* remove password attributes */
265                         for (i = 0; data->password_attrs[i]; i++) {
266                                 ldb_msg_remove_attr(ares->message, data->password_attrs[i]);
267                         }
268                 }
269         }
270
271         if ((ac->allowedAttributes || ac->allowedAttributesEffective
272              || ac->allowedChildClasses || ac->allowedChildClassesEffective) && 
273             (!ldb_attr_in_list(ac->attrs, "objectClass") && 
274              !ldb_attr_in_list(ac->attrs, "*"))) {
275                 ldb_msg_remove_attr(ares->message, "objectClass");
276         }
277
278         return ac->up_callback(ldb, ac->up_context, ares);
279 }
280
281 static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req)
282 {
283         struct kludge_acl_context *ac;
284         struct ldb_request *down_req;
285         struct kludge_private_data *data;
286         int ret, i;
287
288         req->handle = NULL;
289
290         ac = talloc(req, struct kludge_acl_context);
291         if (ac == NULL) {
292                 ldb_oom(module->ldb);
293                 return LDB_ERR_OPERATIONS_ERROR;
294         }
295
296         data = talloc_get_type(module->private_data, struct kludge_private_data);
297
298         ac->module = module;
299         ac->up_context = req->context;
300         ac->up_callback = req->callback;
301         ac->user_type = what_is_user(module);
302         ac->attrs = req->op.search.attrs;
303
304         down_req = talloc_zero(req, struct ldb_request);
305         if (down_req == NULL) {
306                 ldb_oom(module->ldb);
307                 return LDB_ERR_OPERATIONS_ERROR;
308         }
309
310         down_req->operation = req->operation;
311         down_req->op.search.base = req->op.search.base;
312         down_req->op.search.scope = req->op.search.scope;
313         down_req->op.search.tree = req->op.search.tree;
314         down_req->op.search.attrs = req->op.search.attrs;
315
316         ac->allowedAttributes = ldb_attr_in_list(req->op.search.attrs, "allowedAttributes");
317
318         ac->allowedAttributesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedAttributesEffective");
319
320         ac->allowedChildClasses = ldb_attr_in_list(req->op.search.attrs, "allowedChildClasses");
321
322         ac->allowedChildClassesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedChildClassesEffective");
323
324         if (ac->allowedAttributes || ac->allowedAttributesEffective || ac->allowedChildClasses || ac->allowedChildClassesEffective) {
325                 down_req->op.search.attrs
326                         = ldb_attr_list_copy_add(down_req, down_req->op.search.attrs, "objectClass");
327         }
328
329         /*  FIXME: I hink we should copy the tree and keep the original
330          *  unmodified. SSS */
331         /* replace any attributes in the parse tree that are private,
332            so we don't allow a search for 'sambaPassword=penguin',
333            just as we would not allow that attribute to be returned */
334         switch (ac->user_type) {
335         case SECURITY_SYSTEM:
336                 break;
337         default:
338                 /* remove password attributes */
339                 for (i = 0; data && data->password_attrs && data->password_attrs[i]; i++) {
340                         ldb_parse_tree_attr_replace(down_req->op.search.tree, 
341                                                     data->password_attrs[i],
342                                                     "kludgeACLredactedattribute");
343                 }
344         }
345
346         down_req->controls = req->controls;
347
348         down_req->context = ac;
349         down_req->callback = kludge_acl_callback;
350         ldb_set_timeout_from_prev_req(module->ldb, req, down_req);
351
352         /* perform the search */
353         ret = ldb_next_request(module, down_req);
354
355         /* do not free down_req as the call results may be linked to it,
356          * it will be freed when the upper level request get freed */
357         if (ret == LDB_SUCCESS) {
358                 req->handle = down_req->handle;
359         }
360
361         return ret;
362 }
363
364 /* ANY change type */
365 static int kludge_acl_change(struct ldb_module *module, struct ldb_request *req)
366 {
367         enum security_user_level user_type = what_is_user(module);
368         switch (user_type) {
369         case SECURITY_SYSTEM:
370         case SECURITY_ADMINISTRATOR:
371                 return ldb_next_request(module, req);
372         default:
373                 ldb_asprintf_errstring(module->ldb,
374                                        "kludge_acl_change: "
375                                        "attempted database modify not permitted. "
376                                        "User %s is not SYSTEM or an administrator",
377                                        user_name(req, module));
378                 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
379         }
380 }
381
382 static int kludge_acl_init(struct ldb_module *module)
383 {
384         int ret, i;
385         TALLOC_CTX *mem_ctx = talloc_new(module);
386         static const char *attrs[] = { "passwordAttribute", NULL };
387         struct ldb_result *res;
388         struct ldb_message *msg;
389         struct ldb_message_element *password_attributes;
390
391         struct kludge_private_data *data;
392
393         data = talloc(module, struct kludge_private_data);
394         if (data == NULL) {
395                 ldb_oom(module->ldb);
396                 return LDB_ERR_OPERATIONS_ERROR;
397         }
398
399         data->password_attrs = NULL;
400         module->private_data = data;
401
402         if (!mem_ctx) {
403                 ldb_oom(module->ldb);
404                 return LDB_ERR_OPERATIONS_ERROR;
405         }
406
407         ret = ldb_search(module->ldb, ldb_dn_new(mem_ctx, module->ldb, "@KLUDGEACL"),
408                          LDB_SCOPE_BASE,
409                          NULL, attrs,
410                          &res);
411         if (ret != LDB_SUCCESS) {
412                 goto done;
413         }
414         talloc_steal(mem_ctx, res);
415         if (res->count == 0) {
416                 goto done;
417         }
418
419         if (res->count > 1) {
420                 talloc_free(mem_ctx);
421                 return LDB_ERR_CONSTRAINT_VIOLATION;
422         }
423
424         msg = res->msgs[0];
425
426         password_attributes = ldb_msg_find_element(msg, "passwordAttribute");
427         if (!password_attributes) {
428                 goto done;
429         }
430         data->password_attrs = talloc_array(data, const char *, password_attributes->num_values + 1);
431         if (!data->password_attrs) {
432                 talloc_free(mem_ctx);
433                 ldb_oom(module->ldb);
434                 return LDB_ERR_OPERATIONS_ERROR;
435         }
436         for (i=0; i < password_attributes->num_values; i++) {
437                 data->password_attrs[i] = (const char *)password_attributes->values[i].data;    
438                 talloc_steal(data->password_attrs, password_attributes->values[i].data);
439         }
440         data->password_attrs[i] = NULL;
441
442 done:
443         talloc_free(mem_ctx);
444         return ldb_next_init(module);
445 }
446
447 _PUBLIC_ const struct ldb_module_ops ldb_kludge_acl_module_ops = {
448         .name              = "kludge_acl",
449         .search            = kludge_acl_search,
450         .add               = kludge_acl_change,
451         .modify            = kludge_acl_change,
452         .del               = kludge_acl_change,
453         .rename            = kludge_acl_change,
454         .extended          = kludge_acl_change,
455         .init_context      = kludge_acl_init
456 };