source: trunk/bin/acl.cli.php @ 349

#!/usr/bin/php
<?php
/*
* acl.cli.php
* Code by Strangecode :: www.strangecode.com :: This document contains copyrighted information.
* @author   Quinn Comendant <quinn@strangecode.com>
* @version  1.0
* @since    14 Jun 2006 23:10:45
*/


/********************************************************************
* STARTUP
********************************************************************/

$this_script = basename($_SERVER['argv'][0]);

// Give them a fighting chance. Show the help message. ;P
if ($_SERVER['argc'] <= 1) {
    help();
}

// Make sure necessary files exist.
define('COMMON_BASE', realpath('.'));
$db_quth_file = COMMON_BASE . '/global/db_auth.inc.php';
if (!file_exists($db_quth_file)) {
    die(sprintf("%s error: the current directory must be common site directory (i.e. the parent directory of the document root) AND the global/db_auth.inc.php file must exist.\n", $this_script));
}

if (fileowner($db_quth_file) != getmyuid()) {
    die(sprintf("%s error: you must execute this script as the owner of the web files.\n", $this_script));
}

// Set include path.
ini_set('include_path', get_include_path()
    . PATH_SEPARATOR . COMMON_BASE
);


/********************************************************************
* CONFIG
********************************************************************/

// Include core libraries.
require_once 'codebase/lib/App.inc.php';
require_once 'codebase/lib/Utilities.inc.php';

$app =& App::getInstance('module_maker');
$app->setParam(array(
    'site_name' => 'ACL cli',
    'site_email' => 'codebase@strangecode.com',
    'enable_session' => false,
    'enable_db' => true,
    'db_always_debug' => false,
    'db_debug' => true,
    'db_die_on_failure' => true,
    'display_errors' => true,
    'error_reporting' => E_ALL,
    'log_file_priority' => LOG_INFO,
    'log_screen_priority' => LOG_ERR,
    'log_directory' => COMMON_BASE . '/log',
    'log_filename' => 'site_log',
));
require_once 'global/db_auth.inc.php';

// Start application-based functionality: database, session, environment, ini setup, etc.
// Most configuration parameters must be set before starting the App.
$app->start();

// Global DB object. Automatically pre-configured by $app->start().
$db =& DB::getInstance();

// ACL!
require_once 'codebase/lib/ACL.inc.php';
$acl =& ACL::getInstance();
$acl->setParam(array('create_table' => false));


/********************************************************************
* MAIN
********************************************************************/

$op = $_SERVER['argv'][1];
switch ($op) {
case 'list' :
    $type = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null;
    switch ($type) {
    case 'aro' :
    case 'aco' :
    case 'axo' :
        listObjects('root', $type);
        break;
    case 'all' :
        listObjects('root', 'aro');                               
        listObjects('root', 'aco');                               
        listObjects('root', 'axo');
        break;
    case 'perms' :
        default :
        listPerms();
        break;
    }
    break;

case 'addaro' :
case 'addaco' :
case 'addaxo' :
    $object = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null;
    $parent = isset($_SERVER['argv'][3]) ? $_SERVER['argv'][3] : null;
    if (!isset($object)) {
        echo "'add*' commands require at least one argument. Try 'help' if you are lost.\n";
        break;
    }
    echo $acl->add($object, $parent, str_replace('add', '', $op)) ? "Ok\n" : "Error!\n";
    break;

case 'mvaro' :
case 'mvaco' :
case 'mvaxo' :
    $object = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null;
    $parent = isset($_SERVER['argv'][3]) ? $_SERVER['argv'][3] : null;
    if (!isset($object)) {
        echo "'mv*' commands require at least one argument. Try 'help' if you are lost.\n";
        break;
    }
    echo $acl->move($object, $parent, str_replace('mv', '', $op)) ? "Ok\n" : "Error!\n";
    break;

case 'rmaro' :
case 'rmaco' :
case 'rmaxo' :
    $object = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null;
    if (!isset($object)) {
        echo "'add*' commands require at least one argument. Try 'help' if you are lost.\n";
        break;
    }
    echo $acl->remove($object, str_replace('rm', '', $op)) ? "Ok\n" : "Error!\n";
    break;

case 'initdb' :
    echo $acl->initDB(true) ? "Ok\n" : "Error!\n";
    break;

case 'grant' :
    $aro = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null;
    $aco = isset($_SERVER['argv'][3]) ? $_SERVER['argv'][3] : null;
    $axo = isset($_SERVER['argv'][4]) ? $_SERVER['argv'][4] : null;
    if (!isset($aro)) {
        echo "'grant' command require at least one argument. Try 'help' if you are lost.\n";
        break;
    }
    echo $acl->grant($aro, $aco, $axo) ? "Ok\n" : "Error!\n";
    break;

case 'revoke' :
    $aro = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null;
    $aco = isset($_SERVER['argv'][3]) ? $_SERVER['argv'][3] : null;
    $axo = isset($_SERVER['argv'][4]) ? $_SERVER['argv'][4] : null;
    if (!isset($aro)) {
        echo "'revoke' command require at least one argument. Try 'help' if you are lost.\n";
        break;
    }
    echo $acl->revoke($aro, $aco, $axo) ? "Ok\n" : "Error!\n";
    break;

case 'delete' :
    $aro = isset($_SERVER['argv'][2]) && 'null' != $_SERVER['argv'][2] ? $_SERVER['argv'][2] : null;
    $aco = isset($_SERVER['argv'][3]) && 'null' != $_SERVER['argv'][3] ? $_SERVER['argv'][3] : null;
    $axo = isset($_SERVER['argv'][4]) && 'null' != $_SERVER['argv'][4] ? $_SERVER['argv'][4] : null;
    if (!isset($_SERVER['argv'][2]) || !isset($_SERVER['argv'][3]) || !isset($_SERVER['argv'][4])) {
        echo "'delete' command require all three arguments to be specified. Try 'help' if you are lost.\n";
        break;
    }
    echo $acl->delete($aro, $aco, $axo) ? "Ok\n" : "Error!\n";
    break;

case 'check' :
    $aro = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null;
    $aco = isset($_SERVER['argv'][3]) ? $_SERVER['argv'][3] : null;
    $axo = isset($_SERVER['argv'][4]) ? $_SERVER['argv'][4] : null;
    if (!isset($aro)) {
        echo "'check' command require at least one argument. Try 'help' if you are lost.\n";
        break;
    }
    echo $acl->check($aro, $aco, $axo) ? "allow\n" : "deny\n";
    break;

case 'help' :
    help();
    break;

default :
    echo "'$op' is not an understood command. Try 'help' if you are lost.\n";
    break;
}


/********************************************************************
* FUNCTIONS
********************************************************************/

function help()
{
    global $this_script;

    ?>
Access Control List command line tool.

This script must be run in the common site directory (i.e. the parent
directory of the document root). DB credentials are retrieved from:
global/db_auth.inc.php so this file must exist. Further more this script
must be executed as the owner of the db_auth.inc.php file.

Three types of objects are managed by this interface: ARO - Access
Request Objects, ACO - Access Control Objects, and AXO - Access Xtra
Objects. These are most often used as a USER -> ACTION -> OBJECT model,
but can just as easily be SPICES -> CUISINES -> DISHES A privilege is
allowed if a user (ARO) can perform an action (ACO) on something (AXO).
For example, Bob can edit article 4. If the AXO if omitted, this becomes
"Bob can edit" (period).

Each access object is stored as a node in hierarchical tree structures. A
permission granted to a node is applied to all its children. If a child
node is specified a different permission that is more specific that
anything on the branch it will take precedence. If no permission is
specified, root is used for that object. Root, in this case, means
"anything" since it is at the top of all branches.

Usage: <?php echo $this_script; ?> command [args]

Where command is any of the following (with arguments):
    
    initdb
    list [aro | aco | axo | all | perms]
    check aro [aco] [axo]
    addaro aro [parent]
    addaco aco [parent]
    addaxo axo [parent]
    mvaro aro [parent]
    mvaco aco [parent]
    mvaxo axo [parent]
    rmaro aro
    rmaco aco
    rmaxo axo
    grant aro [aco] [axo]
    revoke aro [aco] [axo]
    delete [aro] [aco] [axo]
    

For the add*, mv*, grant, and revoke commands if any of the optional 
args are not provided, 'root' is assumed. For the delete command 
'null' is considered a wild-card to delete all objects of that type.


Strangecode :: www.strangecode.com
<?php
    die;
}


/*
* Print the tree structure of a specified table (aro_tbl, aco_tbl, or axo_tbl).
*
* @access   public
* @param    string $root Root node from which to begin calculating.
* @param    string $type Table to call, one of: aro, aco, or axo.
* @return   bool Returns false on error.
* @author   Quinn Comendant <quinn@strangecode.com>
* @version  1.0
* @since    17 Jun 2006 23:41:22
*/
function listObjects($root, $type)
{
    $app =& App::getInstance();
    $db =& DB::getInstance();
    global $this_script;
    
    echo "\n";

    switch ($type) {
    case 'aro' :
        $tbl = 'aro_tbl';
        printf("%-35s %-5s %-5s %s\n", 'Request objects', 'lft', 'rgt', 'Added');
        break;
    case 'aco' :
        $tbl = 'aco_tbl';
        printf("%-35s %-5s %-5s %s\n", 'Control objects', 'lft', 'rgt', 'Added');
        break;
    case 'axo' :
        $tbl = 'axo_tbl';
        printf("%-35s %-5s %-5s %s\n", 'Xtra objects', 'lft', 'rgt', 'Added');
        break;
    default :
        $app->logMsg(sprintf('Invalid access object type: %s', $type), LOG_ERR, __FILE__, __LINE__);
        return false;
        break;
    }

    echo "-----------------------------------------------------------\n";

    // Retrieve the left and right value of the $root node.
    $qid = $db->query("SELECT lft, rgt FROM $tbl WHERE name = '" . $db->escapeString($root) . "'");
    list($lft, $rgt) = mysql_fetch_row($qid);
    
    $depth = array();
    
    // Retrieve all descendants of the root node
    $qid = $db->query("SELECT name, lft, rgt, added_datetime FROM $tbl WHERE lft BETWEEN $lft AND $rgt ORDER BY lft ASC");
    while (list($name, $lft, $rgt, $added_datetime) = mysql_fetch_row($qid)) {
        // If the last element of $depth is less than the current rgt it means we finished with a set of children nodes.
        while (sizeof($depth) > 0 && end($depth) < $rgt) {
            array_pop($depth);
        }
    
        // Display indented node title.
        printf("%-35s %-5s %-5s %s\n", str_repeat('    ', sizeof($depth)) . $name, $lft, $rgt, date($app->getParam('date_format'), strtotime($added_datetime)));
        
        // Add this node to the stack.
        $depth[] = $rgt;
    }
}

/*
* List all entries in the acl_tbl.
*
* @access   public
* @author   Quinn Comendant <quinn@strangecode.com>
* @version  1.0
* @since    17 Jun 2006 15:11:53
*/
function listPerms()
{
    $app =& App::getInstance();
    $db =& DB::getInstance();
    global $this_script;
    
    // Retrieve access value from db.
    $qid = $db->query("
        SELECT aro_tbl.name AS aro, aco_tbl.name AS aco, axo_tbl.name AS axo, acl_tbl.access, acl_tbl.added_datetime
        FROM acl_tbl
        LEFT JOIN aro_tbl ON (acl_tbl.aro_id = aro_tbl.aro_id)
        LEFT JOIN aco_tbl ON (acl_tbl.aco_id = aco_tbl.aco_id)
        LEFT JOIN axo_tbl ON (acl_tbl.axo_id = axo_tbl.axo_id)
        ORDER BY aro_tbl.lft ASC, aco_tbl.lft ASC, axo_tbl.lft ASC
    ");
    echo "\n";
    printf("%-25s %-25s %-25s %-6s %-10s\n", 'Request objects', 'Control objects', 'Xtra objects', '', 'Added');
    echo "------------------------------------------------------------------------------------------------\n";
    while ($p = mysql_fetch_assoc($qid)) {
        printf("%-25s %-25s %-25s \033[0;%sm%-6s\033[0m %-10s\n", $p['aro'], $p['aco'], $p['axo'], ('allow' == $p['access'] ? '32' : '31'), $p['access'], date($app->getParam('date_format'), strtotime($p['added_datetime'])));
    }    
}


?>