source: trunk/bin/acl.cli.php @ 668

#!/usr/bin/env php
<?php
/**
 * The Strangecode Codebase - a general application development framework for PHP
 * For details visit the project site: <http://trac.strangecode.com/codebase/>
 * Copyright 2001-2012 Strangecode, LLC
 *
 * This file is part of The Strangecode Codebase.
 *
 * The Strangecode Codebase is free software: you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as published by the
 * Free Software Foundation, either version 3 of the License, or (at your option)
 * any later version.
 *
 * The Strangecode Codebase is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
 * details.
 *
 * You should have received a copy of the GNU General Public License along with
 * The Strangecode Codebase. If not, see <http://www.gnu.org/licenses/>.
 */

/*
* acl.cli.php
*
* @author   Quinn Comendant <quinn@strangecode.com>
* @version  1.1
* @since    14 Jun 2006 23:10:45
*/

/********************************************************************
* CONFIG
********************************************************************/

require_once dirname(__FILE__) . '/_config.inc.php';

// Give them a fighting chance. Show the help message. ;P
if ($_SERVER['argc'] <= 1) {
    help();
}

// ACL!
require_once CODEBASE_PATH . '/lib/ACL.inc.php';
$acl =& ACL::getInstance();
$acl->setParam(array(
    'create_table' => false,
    'enable_cache' => false,
));


/********************************************************************
* MAIN
********************************************************************/

if (!$db->tableExists('acl_tbl')) {
    printf("This project doesn't appear to be using ACL (there is no acl_tbl in the %s DB).\n", $app->getParam('db_name'));
    $app->stop();
    die;
}

$op = $_SERVER['argv'][1];
switch ($op) {
case 'list' :
    $type = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null;
    switch ($type) {
    case 'aro' :
    case 'aco' :
    case 'axo' :
        listObjects($type);
        break;
    case 'all' :
        listObjects('aro');
        listObjects('aco');
        listObjects('axo');
        break;
    case 'perms' :
    default :
        listPerms();
        break;
    }
    break;

case 'addaro' :
case 'addaco' :
case 'addaxo' :
    $object = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null;
    $parent = isset($_SERVER['argv'][3]) ? $_SERVER['argv'][3] : null;
    if (!isset($object)) {
        echo "'add*' commands require at least one argument. Try 'help' if you are lost.\n";
        break;
    }
    echo $acl->add($object, $parent, str_replace('add', '', $op)) ? "Ok\n" : "Error!\n";
    break;

case 'mvaro' :
case 'mvaco' :
case 'mvaxo' :
    $object = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null;
    $parent = isset($_SERVER['argv'][3]) ? $_SERVER['argv'][3] : null;
    if (!isset($object)) {
        echo "'mv*' commands require at least one argument. Try 'help' if you are lost.\n";
        break;
    }
    echo $acl->move($object, $parent, str_replace('mv', '', $op)) ? "Ok\n" : "Error!\n";
    break;

case 'rmaro' :
case 'rmaco' :
case 'rmaxo' :
    $object = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null;
    if (!isset($object)) {
        echo "'add*' commands require at least one argument. Try 'help' if you are lost.\n";
        break;
    }
    echo $acl->remove($object, str_replace('rm', '', $op)) ? "Ok\n" : "Error!\n";
    break;

case 'initdb' :
    echo $acl->initDB(true) ? "Ok\n" : "Error!\n";
    break;

case 'grant' :
    $aro = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null;
    $aco = isset($_SERVER['argv'][3]) ? $_SERVER['argv'][3] : null;
    $axo = isset($_SERVER['argv'][4]) ? $_SERVER['argv'][4] : null;
    if (!isset($aro)) {
        echo "'grant' command require at least one argument. Try 'help' if you are lost.\n";
        break;
    }
    echo $acl->grant($aro, $aco, $axo) ? "Ok\n" : "Error!\n";
    break;

case 'revoke' :
    $aro = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null;
    $aco = isset($_SERVER['argv'][3]) ? $_SERVER['argv'][3] : null;
    $axo = isset($_SERVER['argv'][4]) ? $_SERVER['argv'][4] : null;
    if (!isset($aro)) {
        echo "'revoke' command require at least one argument. Try 'help' if you are lost.\n";
        break;
    }
    echo $acl->revoke($aro, $aco, $axo) ? "Ok\n" : "Error!\n";
    break;

case 'delete' :
    $aro = isset($_SERVER['argv'][2]) && 'null' != $_SERVER['argv'][2] ? $_SERVER['argv'][2] : null;
    $aco = isset($_SERVER['argv'][3]) && 'null' != $_SERVER['argv'][3] ? $_SERVER['argv'][3] : null;
    $axo = isset($_SERVER['argv'][4]) && 'null' != $_SERVER['argv'][4] ? $_SERVER['argv'][4] : null;
    if (!isset($_SERVER['argv'][2]) || !isset($_SERVER['argv'][3]) || !isset($_SERVER['argv'][4])) {
        echo "'delete' command require all three arguments to be specified. Try 'help' if you are lost.\n";
        break;
    }
    echo $acl->delete($aro, $aco, $axo) ? "Ok\n" : "Error!\n";
    break;

case 'check' :
    $aro = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null;
    $aco = isset($_SERVER['argv'][3]) ? $_SERVER['argv'][3] : null;
    $axo = isset($_SERVER['argv'][4]) ? $_SERVER['argv'][4] : null;
    if (!isset($aro)) {
        echo "'check' command require at least one argument. Try 'help' if you are lost.\n";
        break;
    }
    echo $acl->check($aro, $aco, $axo) ? "allow\n" : "deny\n";
    break;

case 'help' :
    help();
    break;

default :
    echo "'$op' is not an understood command. Try 'help' if you are lost.\n";
    break;
}

$app->stop();
die;


/********************************************************************
* FUNCTIONS
********************************************************************/

function help()
{
    global $cli_executed;

    ?>
Access Control List command line tool.

This script must be run in the common site directory (i.e. the parent
directory of the document root). DB credentials are retrieved from:
global/db_auth.inc.php so this file must exist. Furthermore this script
must be executed as the owner of the db_auth.inc.php file.

Three types of objects are managed by this interface:

  ARO - Access Request Objects
  ACO - Access Control Objects
  AXO - Access Xtra Objects

These are most often used as a USER -> ACTION -> OBJECT model,
but could just as easily be SPICES -> CUISINES -> DISHES. A privilege is
allowed if a user (ARO) can perform an action (ACO) on something (AXO).
For example, with an `ARO->ACO->AXO` of `Bob->edit->4`, Bob can edit article 4.
If the AXO were omitted (i.e. just `Bob->edit`), this becomes "Bob can edit"
(he can edit any object).

Each access object is stored as a node in hierarchical tree structure.
A permission granted to a node is applied to all its children. If a child
node is specified with a permission more specific than its ancestors, the
child will take precedence. If no permission is specified, root is used,
implying access to any object of that type.

Usage: <?php echo $cli_executed; ?> command [args]

Where command is any of the following (with arguments):

    initdb
    list [aro | aco | axo | all | perms]
    check aro [aco] [axo]
    addaro aro [parent]
    addaco aco [parent]
    addaxo axo [parent]
    mvaro aro [parent]
    mvaco aco [parent]
    mvaxo axo [parent]
    rmaro aro
    rmaco aco
    rmaxo axo
    grant aro [aco] [axo]
    revoke aro [aco] [axo]
    delete aro aco axo

For the add*, mv*, grant, and revoke commands if any of the optional
args are not provided, 'root' is assumed. The delete command requires
all object types to be specified; Passing the string 'null' will cause
all matches in that column to be deleted. run with 'grants' to view what
can be deleted.
<?php
    die;
}


/*
* Print the tree structure of a specified table (aro_tbl, aco_tbl, or axo_tbl).
*
* @access   public
* @param    string $type Table to call, one of: aro, aco, or axo.
* @param    string $root Root node from which to begin calculating.
* @return   bool Returns false on error.
* @author   Quinn Comendant <quinn@strangecode.com>
* @version  1.0
* @since    17 Jun 2006 23:41:22
*/
function listObjects($type, $root=null)
{
    global $acl;

    $app =& App::getInstance();
    $db =& DB::getInstance();

    switch ($type) {
    case 'aro' :
        printf("\n%-45s %s\n", 'Request objects', 'Added');
        break;
    case 'aco' :
        printf("\n%-45s %s\n", 'Control objects', 'Added');
        break;
    case 'axo' :
        printf("\n%-45s %s\n", 'Xtra objects', 'Added');
        break;
    default :
        $app->logMsg(sprintf('Invalid access object type: %s', $type), LOG_ERR, __FILE__, __LINE__);
        return false;
    }

    echo "---------------------------------------------------------------------\n";

    foreach ($acl->getList($type, $root) as $o) {
        // Display indented node title.
        printf("%-45s %s\n", str_repeat('    ', $o['depth']) . $o['name'], date($app->getParam('date_format') . ' ' . $app->getParam('time_format'), strtotime($o['added_datetime'])));
    }

    echo "\n";
}

/*
* List all entries in the acl_tbl.
*
* @access   public
* @author   Quinn Comendant <quinn@strangecode.com>
* @version  1.0
* @since    17 Jun 2006 15:11:53
*/
function listPerms()
{
    $app =& App::getInstance();
    $db =& DB::getInstance();

    // Retrieve access value from db.
    $qid = $db->query("
        SELECT aro_tbl.name AS aro, aco_tbl.name AS aco, axo_tbl.name AS axo, acl_tbl.access, acl_tbl.added_datetime
        FROM acl_tbl
        LEFT JOIN aro_tbl ON (acl_tbl.aro_id = aro_tbl.aro_id)
        LEFT JOIN aco_tbl ON (acl_tbl.aco_id = aco_tbl.aco_id)
        LEFT JOIN axo_tbl ON (acl_tbl.axo_id = axo_tbl.axo_id)
        ORDER BY aro_tbl.lft ASC, aco_tbl.lft ASC, axo_tbl.lft ASC
    ");
    echo "\n";
    printf("%-25s %-25s %-25s %-6s %-10s\n", 'Request objects', 'Control objects', 'Xtra objects', 'Grant', 'Added');
    echo "------------------------------------------------------------------------------------------------\n";
    while ($p = mysql_fetch_assoc($qid)) {
        printf("%-25s %-25s %-25s \033[0;%sm%-6s\033[0m %-10s\n", $p['aro'], $p['aco'], $p['axo'], ('allow' == $p['access'] ? '32' : '31'), $p['access'], date($app->getParam('date_format'), strtotime($p['added_datetime'])));
    }
}