[208] | 1 | #!/usr/bin/php |
---|
[171] | 2 | <?php |
---|
[362] | 3 | /** |
---|
| 4 | * The Strangecode Codebase - a general application development framework for PHP |
---|
| 5 | * For details visit the project site: <http://trac.strangecode.com/codebase/> |
---|
[396] | 6 | * Copyright 2001-2012 Strangecode, LLC |
---|
[468] | 7 | * |
---|
[362] | 8 | * This file is part of The Strangecode Codebase. |
---|
| 9 | * |
---|
| 10 | * The Strangecode Codebase is free software: you can redistribute it and/or |
---|
| 11 | * modify it under the terms of the GNU General Public License as published by the |
---|
| 12 | * Free Software Foundation, either version 3 of the License, or (at your option) |
---|
| 13 | * any later version. |
---|
[468] | 14 | * |
---|
[362] | 15 | * The Strangecode Codebase is distributed in the hope that it will be useful, but |
---|
| 16 | * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
---|
| 17 | * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more |
---|
| 18 | * details. |
---|
[468] | 19 | * |
---|
[362] | 20 | * You should have received a copy of the GNU General Public License along with |
---|
| 21 | * The Strangecode Codebase. If not, see <http://www.gnu.org/licenses/>. |
---|
| 22 | */ |
---|
| 23 | |
---|
[171] | 24 | /* |
---|
| 25 | * acl.cli.php |
---|
[362] | 26 | * |
---|
[171] | 27 | * @author Quinn Comendant <quinn@strangecode.com> |
---|
| 28 | * @version 1.0 |
---|
| 29 | * @since 14 Jun 2006 23:10:45 |
---|
| 30 | */ |
---|
| 31 | |
---|
| 32 | |
---|
| 33 | /******************************************************************** |
---|
| 34 | * STARTUP |
---|
| 35 | ********************************************************************/ |
---|
| 36 | |
---|
[174] | 37 | $this_script = basename($_SERVER['argv'][0]); |
---|
| 38 | |
---|
[171] | 39 | // Give them a fighting chance. Show the help message. ;P |
---|
| 40 | if ($_SERVER['argc'] <= 1) { |
---|
| 41 | help(); |
---|
| 42 | } |
---|
| 43 | |
---|
| 44 | // Make sure necessary files exist. |
---|
| 45 | define('COMMON_BASE', realpath('.')); |
---|
[502] | 46 | $db_auth_file = false; |
---|
| 47 | $rii = new RecursiveIteratorIterator(new RecursiveDirectoryIterator(COMMON_BASE)); |
---|
| 48 | $rii->setMaxDepth(2); |
---|
| 49 | foreach ($rii as $filename => $file) { |
---|
| 50 | if (mb_strpos($filename, 'db_auth.inc.php') !== false) { |
---|
| 51 | $db_auth_file = $filename; |
---|
| 52 | break; |
---|
| 53 | } |
---|
[171] | 54 | } |
---|
[502] | 55 | if (!$db_auth_file) { |
---|
| 56 | die(sprintf("%s error: the current directory must be common site directory (i.e. the parent directory of the document root) AND the db_auth.inc.php file must exist.\n", $this_script)); |
---|
| 57 | } |
---|
| 58 | if (fileowner($db_auth_file) != getmyuid()) { |
---|
[174] | 59 | die(sprintf("%s error: you must execute this script as the owner of the web files.\n", $this_script)); |
---|
[171] | 60 | } |
---|
| 61 | |
---|
| 62 | // Set include path. |
---|
[502] | 63 | ini_set('include_path', get_include_path() . PATH_SEPARATOR . COMMON_BASE); |
---|
[171] | 64 | |
---|
| 65 | /******************************************************************** |
---|
| 66 | * CONFIG |
---|
| 67 | ********************************************************************/ |
---|
| 68 | |
---|
| 69 | // Include core libraries. |
---|
| 70 | require_once 'codebase/lib/App.inc.php'; |
---|
| 71 | require_once 'codebase/lib/Utilities.inc.php'; |
---|
| 72 | |
---|
[484] | 73 | define('_CLI', true); |
---|
[171] | 74 | $app =& App::getInstance('module_maker'); |
---|
| 75 | $app->setParam(array( |
---|
| 76 | 'site_name' => 'ACL cli', |
---|
| 77 | 'site_email' => 'codebase@strangecode.com', |
---|
| 78 | 'enable_session' => false, |
---|
| 79 | 'enable_db' => true, |
---|
| 80 | 'db_always_debug' => false, |
---|
| 81 | 'db_debug' => true, |
---|
| 82 | 'db_die_on_failure' => true, |
---|
| 83 | 'display_errors' => true, |
---|
| 84 | 'error_reporting' => E_ALL, |
---|
[174] | 85 | 'log_file_priority' => LOG_INFO, |
---|
| 86 | 'log_screen_priority' => LOG_ERR, |
---|
[171] | 87 | 'log_directory' => COMMON_BASE . '/log', |
---|
| 88 | 'log_filename' => 'site_log', |
---|
| 89 | )); |
---|
[502] | 90 | require_once $db_auth_file; |
---|
[171] | 91 | |
---|
| 92 | // Start application-based functionality: database, session, environment, ini setup, etc. |
---|
| 93 | // Most configuration parameters must be set before starting the App. |
---|
| 94 | $app->start(); |
---|
| 95 | |
---|
| 96 | // Global DB object. Automatically pre-configured by $app->start(). |
---|
| 97 | $db =& DB::getInstance(); |
---|
| 98 | |
---|
| 99 | // ACL! |
---|
| 100 | require_once 'codebase/lib/ACL.inc.php'; |
---|
| 101 | $acl =& ACL::getInstance(); |
---|
[173] | 102 | $acl->setParam(array('create_table' => false)); |
---|
[171] | 103 | |
---|
| 104 | |
---|
| 105 | /******************************************************************** |
---|
| 106 | * MAIN |
---|
| 107 | ********************************************************************/ |
---|
| 108 | |
---|
[484] | 109 | if (!$db->tableExists('acl_tbl')) { |
---|
| 110 | printf("This project doesn't appear to be using ACL (there is no acl_tbl in the %s DB).\n", $app->getParam('db_name')); |
---|
[502] | 111 | $app->stop(); |
---|
[484] | 112 | die; |
---|
| 113 | } |
---|
| 114 | |
---|
[171] | 115 | $op = $_SERVER['argv'][1]; |
---|
| 116 | switch ($op) { |
---|
| 117 | case 'list' : |
---|
[174] | 118 | $type = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null; |
---|
| 119 | switch ($type) { |
---|
| 120 | case 'aro' : |
---|
| 121 | case 'aco' : |
---|
| 122 | case 'axo' : |
---|
| 123 | listObjects('root', $type); |
---|
| 124 | break; |
---|
| 125 | case 'all' : |
---|
[468] | 126 | listObjects('root', 'aro'); |
---|
| 127 | listObjects('root', 'aco'); |
---|
[174] | 128 | listObjects('root', 'axo'); |
---|
| 129 | break; |
---|
| 130 | case 'perms' : |
---|
[415] | 131 | default : |
---|
[174] | 132 | listPerms(); |
---|
| 133 | break; |
---|
| 134 | } |
---|
| 135 | break; |
---|
[171] | 136 | |
---|
| 137 | case 'addaro' : |
---|
| 138 | case 'addaco' : |
---|
| 139 | case 'addaxo' : |
---|
| 140 | $object = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null; |
---|
| 141 | $parent = isset($_SERVER['argv'][3]) ? $_SERVER['argv'][3] : null; |
---|
| 142 | if (!isset($object)) { |
---|
| 143 | echo "'add*' commands require at least one argument. Try 'help' if you are lost.\n"; |
---|
[175] | 144 | break; |
---|
[171] | 145 | } |
---|
| 146 | echo $acl->add($object, $parent, str_replace('add', '', $op)) ? "Ok\n" : "Error!\n"; |
---|
| 147 | break; |
---|
| 148 | |
---|
[174] | 149 | case 'mvaro' : |
---|
| 150 | case 'mvaco' : |
---|
| 151 | case 'mvaxo' : |
---|
| 152 | $object = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null; |
---|
| 153 | $parent = isset($_SERVER['argv'][3]) ? $_SERVER['argv'][3] : null; |
---|
| 154 | if (!isset($object)) { |
---|
| 155 | echo "'mv*' commands require at least one argument. Try 'help' if you are lost.\n"; |
---|
[175] | 156 | break; |
---|
[174] | 157 | } |
---|
| 158 | echo $acl->move($object, $parent, str_replace('mv', '', $op)) ? "Ok\n" : "Error!\n"; |
---|
| 159 | break; |
---|
| 160 | |
---|
[171] | 161 | case 'rmaro' : |
---|
| 162 | case 'rmaco' : |
---|
| 163 | case 'rmaxo' : |
---|
| 164 | $object = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null; |
---|
| 165 | if (!isset($object)) { |
---|
| 166 | echo "'add*' commands require at least one argument. Try 'help' if you are lost.\n"; |
---|
[175] | 167 | break; |
---|
[171] | 168 | } |
---|
| 169 | echo $acl->remove($object, str_replace('rm', '', $op)) ? "Ok\n" : "Error!\n"; |
---|
| 170 | break; |
---|
| 171 | |
---|
[173] | 172 | case 'initdb' : |
---|
[172] | 173 | echo $acl->initDB(true) ? "Ok\n" : "Error!\n"; |
---|
| 174 | break; |
---|
| 175 | |
---|
[171] | 176 | case 'grant' : |
---|
| 177 | $aro = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null; |
---|
| 178 | $aco = isset($_SERVER['argv'][3]) ? $_SERVER['argv'][3] : null; |
---|
| 179 | $axo = isset($_SERVER['argv'][4]) ? $_SERVER['argv'][4] : null; |
---|
| 180 | if (!isset($aro)) { |
---|
| 181 | echo "'grant' command require at least one argument. Try 'help' if you are lost.\n"; |
---|
[175] | 182 | break; |
---|
[171] | 183 | } |
---|
| 184 | echo $acl->grant($aro, $aco, $axo) ? "Ok\n" : "Error!\n"; |
---|
| 185 | break; |
---|
| 186 | |
---|
| 187 | case 'revoke' : |
---|
| 188 | $aro = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null; |
---|
| 189 | $aco = isset($_SERVER['argv'][3]) ? $_SERVER['argv'][3] : null; |
---|
| 190 | $axo = isset($_SERVER['argv'][4]) ? $_SERVER['argv'][4] : null; |
---|
| 191 | if (!isset($aro)) { |
---|
| 192 | echo "'revoke' command require at least one argument. Try 'help' if you are lost.\n"; |
---|
[175] | 193 | break; |
---|
[171] | 194 | } |
---|
| 195 | echo $acl->revoke($aro, $aco, $axo) ? "Ok\n" : "Error!\n"; |
---|
| 196 | break; |
---|
| 197 | |
---|
[175] | 198 | case 'delete' : |
---|
| 199 | $aro = isset($_SERVER['argv'][2]) && 'null' != $_SERVER['argv'][2] ? $_SERVER['argv'][2] : null; |
---|
| 200 | $aco = isset($_SERVER['argv'][3]) && 'null' != $_SERVER['argv'][3] ? $_SERVER['argv'][3] : null; |
---|
| 201 | $axo = isset($_SERVER['argv'][4]) && 'null' != $_SERVER['argv'][4] ? $_SERVER['argv'][4] : null; |
---|
| 202 | if (!isset($_SERVER['argv'][2]) || !isset($_SERVER['argv'][3]) || !isset($_SERVER['argv'][4])) { |
---|
| 203 | echo "'delete' command require all three arguments to be specified. Try 'help' if you are lost.\n"; |
---|
| 204 | break; |
---|
| 205 | } |
---|
| 206 | echo $acl->delete($aro, $aco, $axo) ? "Ok\n" : "Error!\n"; |
---|
| 207 | break; |
---|
| 208 | |
---|
[171] | 209 | case 'check' : |
---|
| 210 | $aro = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null; |
---|
| 211 | $aco = isset($_SERVER['argv'][3]) ? $_SERVER['argv'][3] : null; |
---|
| 212 | $axo = isset($_SERVER['argv'][4]) ? $_SERVER['argv'][4] : null; |
---|
| 213 | if (!isset($aro)) { |
---|
| 214 | echo "'check' command require at least one argument. Try 'help' if you are lost.\n"; |
---|
[175] | 215 | break; |
---|
[171] | 216 | } |
---|
| 217 | echo $acl->check($aro, $aco, $axo) ? "allow\n" : "deny\n"; |
---|
| 218 | break; |
---|
| 219 | |
---|
| 220 | case 'help' : |
---|
| 221 | help(); |
---|
| 222 | break; |
---|
| 223 | |
---|
| 224 | default : |
---|
| 225 | echo "'$op' is not an understood command. Try 'help' if you are lost.\n"; |
---|
| 226 | break; |
---|
| 227 | } |
---|
| 228 | |
---|
[502] | 229 | $app->stop(); |
---|
| 230 | die; |
---|
[171] | 231 | |
---|
[502] | 232 | |
---|
[171] | 233 | /******************************************************************** |
---|
| 234 | * FUNCTIONS |
---|
| 235 | ********************************************************************/ |
---|
| 236 | |
---|
| 237 | function help() |
---|
| 238 | { |
---|
[174] | 239 | global $this_script; |
---|
| 240 | |
---|
[171] | 241 | ?> |
---|
| 242 | Access Control List command line tool. |
---|
| 243 | |
---|
| 244 | This script must be run in the common site directory (i.e. the parent |
---|
| 245 | directory of the document root). DB credentials are retrieved from: |
---|
[398] | 246 | global/db_auth.inc.php so this file must exist. Furthermore this script |
---|
[171] | 247 | must be executed as the owner of the db_auth.inc.php file. |
---|
| 248 | |
---|
[482] | 249 | Three types of objects are managed by this interface: |
---|
| 250 | |
---|
| 251 | ARO - Access Request Objects |
---|
| 252 | ACO - Access Control Objects |
---|
| 253 | AXO - Access Xtra Objects |
---|
| 254 | |
---|
| 255 | These are most often used as a USER -> ACTION -> OBJECT model, |
---|
[398] | 256 | but could just as easily be SPICES -> CUISINES -> DISHES. A privilege is |
---|
[171] | 257 | allowed if a user (ARO) can perform an action (ACO) on something (AXO). |
---|
[468] | 258 | For example, with an `ARO->ACO->AXO` of `Bob->edit->4`, Bob can edit article 4. |
---|
| 259 | If the AXO were omitted (i.e. just `Bob->edit`), this becomes "Bob can edit" |
---|
[398] | 260 | (he can edit any object). |
---|
[171] | 261 | |
---|
[484] | 262 | Each access object is stored as a node in hierarchical tree structure. |
---|
[398] | 263 | A permission granted to a node is applied to all its children. If a child |
---|
[484] | 264 | node is specified with a permission more specific than its ancestors, the |
---|
| 265 | child will take precedence. If no permission is specified, root is used, |
---|
| 266 | implying access to any object of that type. |
---|
[171] | 267 | |
---|
[234] | 268 | Usage: <?php echo $this_script; ?> command [args] |
---|
[171] | 269 | |
---|
[234] | 270 | Where command is any of the following (with arguments): |
---|
[468] | 271 | |
---|
[174] | 272 | initdb |
---|
| 273 | list [aro | aco | axo | all | perms] |
---|
[234] | 274 | check aro [aco] [axo] |
---|
| 275 | addaro aro [parent] |
---|
| 276 | addaco aco [parent] |
---|
| 277 | addaxo axo [parent] |
---|
| 278 | mvaro aro [parent] |
---|
| 279 | mvaco aco [parent] |
---|
| 280 | mvaxo axo [parent] |
---|
| 281 | rmaro aro |
---|
| 282 | rmaco aco |
---|
| 283 | rmaxo axo |
---|
| 284 | grant aro [aco] [axo] |
---|
| 285 | revoke aro [aco] [axo] |
---|
[482] | 286 | delete aro aco axo |
---|
[171] | 287 | |
---|
[468] | 288 | For the add*, mv*, grant, and revoke commands if any of the optional |
---|
[482] | 289 | args are not provided, 'root' is assumed. The delete command requires |
---|
| 290 | all object types to be specified; Passing the string 'null' will cause |
---|
| 291 | all matches in that column to be deleted. run with 'grants' to view what |
---|
| 292 | can be deleted. |
---|
[171] | 293 | <?php |
---|
| 294 | die; |
---|
| 295 | } |
---|
| 296 | |
---|
| 297 | |
---|
[174] | 298 | /* |
---|
| 299 | * Print the tree structure of a specified table (aro_tbl, aco_tbl, or axo_tbl). |
---|
| 300 | * |
---|
| 301 | * @access public |
---|
| 302 | * @param string $root Root node from which to begin calculating. |
---|
| 303 | * @param string $type Table to call, one of: aro, aco, or axo. |
---|
| 304 | * @return bool Returns false on error. |
---|
| 305 | * @author Quinn Comendant <quinn@strangecode.com> |
---|
| 306 | * @version 1.0 |
---|
| 307 | * @since 17 Jun 2006 23:41:22 |
---|
| 308 | */ |
---|
| 309 | function listObjects($root, $type) |
---|
[171] | 310 | { |
---|
| 311 | $app =& App::getInstance(); |
---|
| 312 | $db =& DB::getInstance(); |
---|
[174] | 313 | global $this_script; |
---|
[468] | 314 | |
---|
[174] | 315 | echo "\n"; |
---|
| 316 | |
---|
[171] | 317 | switch ($type) { |
---|
| 318 | case 'aro' : |
---|
| 319 | $tbl = 'aro_tbl'; |
---|
[502] | 320 | printf("%-45s %s\n", 'Request objects', 'Added'); |
---|
[171] | 321 | break; |
---|
| 322 | case 'aco' : |
---|
| 323 | $tbl = 'aco_tbl'; |
---|
[502] | 324 | printf("%-45s %s\n", 'Control objects', 'Added'); |
---|
[171] | 325 | break; |
---|
| 326 | case 'axo' : |
---|
| 327 | $tbl = 'axo_tbl'; |
---|
[502] | 328 | printf("%-45s %s\n", 'Xtra objects', 'Added'); |
---|
[171] | 329 | break; |
---|
| 330 | default : |
---|
| 331 | $app->logMsg(sprintf('Invalid access object type: %s', $type), LOG_ERR, __FILE__, __LINE__); |
---|
| 332 | return false; |
---|
| 333 | break; |
---|
| 334 | } |
---|
[174] | 335 | |
---|
[502] | 336 | echo "---------------------------------------------------------------------\n"; |
---|
[174] | 337 | |
---|
[171] | 338 | // Retrieve the left and right value of the $root node. |
---|
| 339 | $qid = $db->query("SELECT lft, rgt FROM $tbl WHERE name = '" . $db->escapeString($root) . "'"); |
---|
| 340 | list($lft, $rgt) = mysql_fetch_row($qid); |
---|
[468] | 341 | |
---|
[171] | 342 | $depth = array(); |
---|
[468] | 343 | |
---|
[171] | 344 | // Retrieve all descendants of the root node |
---|
| 345 | $qid = $db->query("SELECT name, lft, rgt, added_datetime FROM $tbl WHERE lft BETWEEN $lft AND $rgt ORDER BY lft ASC"); |
---|
| 346 | while (list($name, $lft, $rgt, $added_datetime) = mysql_fetch_row($qid)) { |
---|
| 347 | // If the last element of $depth is less than the current rgt it means we finished with a set of children nodes. |
---|
| 348 | while (sizeof($depth) > 0 && end($depth) < $rgt) { |
---|
| 349 | array_pop($depth); |
---|
| 350 | } |
---|
[468] | 351 | |
---|
[171] | 352 | // Display indented node title. |
---|
[502] | 353 | printf("%-45s %s\n", str_repeat(' ', sizeof($depth)) . $name, date($app->getParam('date_format') . ' ' . $app->getParam('time_format'), strtotime($added_datetime))); |
---|
[468] | 354 | |
---|
[171] | 355 | // Add this node to the stack. |
---|
| 356 | $depth[] = $rgt; |
---|
| 357 | } |
---|
| 358 | } |
---|
| 359 | |
---|
[174] | 360 | /* |
---|
| 361 | * List all entries in the acl_tbl. |
---|
| 362 | * |
---|
| 363 | * @access public |
---|
| 364 | * @author Quinn Comendant <quinn@strangecode.com> |
---|
| 365 | * @version 1.0 |
---|
| 366 | * @since 17 Jun 2006 15:11:53 |
---|
| 367 | */ |
---|
| 368 | function listPerms() |
---|
| 369 | { |
---|
| 370 | $app =& App::getInstance(); |
---|
| 371 | $db =& DB::getInstance(); |
---|
| 372 | global $this_script; |
---|
[468] | 373 | |
---|
[334] | 374 | // Retrieve access value from db. |
---|
[174] | 375 | $qid = $db->query(" |
---|
| 376 | SELECT aro_tbl.name AS aro, aco_tbl.name AS aco, axo_tbl.name AS axo, acl_tbl.access, acl_tbl.added_datetime |
---|
| 377 | FROM acl_tbl |
---|
| 378 | LEFT JOIN aro_tbl ON (acl_tbl.aro_id = aro_tbl.aro_id) |
---|
| 379 | LEFT JOIN aco_tbl ON (acl_tbl.aco_id = aco_tbl.aco_id) |
---|
| 380 | LEFT JOIN axo_tbl ON (acl_tbl.axo_id = axo_tbl.axo_id) |
---|
[208] | 381 | ORDER BY aro_tbl.lft ASC, aco_tbl.lft ASC, axo_tbl.lft ASC |
---|
[174] | 382 | "); |
---|
| 383 | echo "\n"; |
---|
[502] | 384 | printf("%-25s %-25s %-25s %-6s %-10s\n", 'Request objects', 'Control objects', 'Xtra objects', 'Grant', 'Added'); |
---|
[174] | 385 | echo "------------------------------------------------------------------------------------------------\n"; |
---|
| 386 | while ($p = mysql_fetch_assoc($qid)) { |
---|
| 387 | printf("%-25s %-25s %-25s \033[0;%sm%-6s\033[0m %-10s\n", $p['aro'], $p['aco'], $p['axo'], ('allow' == $p['access'] ? '32' : '31'), $p['access'], date($app->getParam('date_format'), strtotime($p['added_datetime']))); |
---|
[468] | 388 | } |
---|
[174] | 389 | } |
---|
[171] | 390 | |
---|
[174] | 391 | |
---|