1 | #!/usr/bin/env php |
---|
2 | <?php |
---|
3 | /** |
---|
4 | * The Strangecode Codebase - a general application development framework for PHP |
---|
5 | * For details visit the project site: <http://trac.strangecode.com/codebase/> |
---|
6 | * Copyright 2001-2012 Strangecode, LLC |
---|
7 | * |
---|
8 | * This file is part of The Strangecode Codebase. |
---|
9 | * |
---|
10 | * The Strangecode Codebase is free software: you can redistribute it and/or |
---|
11 | * modify it under the terms of the GNU General Public License as published by the |
---|
12 | * Free Software Foundation, either version 3 of the License, or (at your option) |
---|
13 | * any later version. |
---|
14 | * |
---|
15 | * The Strangecode Codebase is distributed in the hope that it will be useful, but |
---|
16 | * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
---|
17 | * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more |
---|
18 | * details. |
---|
19 | * |
---|
20 | * You should have received a copy of the GNU General Public License along with |
---|
21 | * The Strangecode Codebase. If not, see <http://www.gnu.org/licenses/>. |
---|
22 | */ |
---|
23 | |
---|
24 | /* |
---|
25 | * acl.cli.php |
---|
26 | * |
---|
27 | * @author Quinn Comendant <quinn@strangecode.com> |
---|
28 | * @version 1.1 |
---|
29 | * @since 14 Jun 2006 23:10:45 |
---|
30 | */ |
---|
31 | |
---|
32 | /******************************************************************** |
---|
33 | * CONFIG |
---|
34 | ********************************************************************/ |
---|
35 | |
---|
36 | require_once dirname(__FILE__) . '/_config.inc.php'; |
---|
37 | |
---|
38 | // Give them a fighting chance. Show the help message. ;P |
---|
39 | if ($_SERVER['argc'] <= 1) { |
---|
40 | help(); |
---|
41 | } |
---|
42 | |
---|
43 | // ACL! |
---|
44 | require_once CODEBASE_PATH . '/lib/ACL.inc.php'; |
---|
45 | $acl =& ACL::getInstance(); |
---|
46 | $acl->setParam(array( |
---|
47 | 'create_table' => false, |
---|
48 | 'enable_cache' => false, |
---|
49 | )); |
---|
50 | |
---|
51 | |
---|
52 | /******************************************************************** |
---|
53 | * MAIN |
---|
54 | ********************************************************************/ |
---|
55 | |
---|
56 | if (!$db->tableExists('acl_tbl')) { |
---|
57 | printf("This project doesn't appear to be using ACL (there is no acl_tbl in the %s DB).\n", $app->getParam('db_name')); |
---|
58 | $app->stop(); |
---|
59 | die; |
---|
60 | } |
---|
61 | |
---|
62 | $op = $_SERVER['argv'][1]; |
---|
63 | switch ($op) { |
---|
64 | case 'list' : |
---|
65 | $type = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null; |
---|
66 | switch ($type) { |
---|
67 | case 'aro' : |
---|
68 | case 'aco' : |
---|
69 | case 'axo' : |
---|
70 | listObjects($type); |
---|
71 | break; |
---|
72 | case 'all' : |
---|
73 | listObjects('aro'); |
---|
74 | listObjects('aco'); |
---|
75 | listObjects('axo'); |
---|
76 | break; |
---|
77 | case 'perms' : |
---|
78 | default : |
---|
79 | listPerms(); |
---|
80 | break; |
---|
81 | } |
---|
82 | break; |
---|
83 | |
---|
84 | case 'addaro' : |
---|
85 | case 'addaco' : |
---|
86 | case 'addaxo' : |
---|
87 | $object = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null; |
---|
88 | $parent = isset($_SERVER['argv'][3]) ? $_SERVER['argv'][3] : null; |
---|
89 | if (!isset($object)) { |
---|
90 | echo "'add*' commands require at least one argument. Try 'help' if you are lost.\n"; |
---|
91 | break; |
---|
92 | } |
---|
93 | echo $acl->add($object, $parent, str_replace('add', '', $op)) ? "Ok\n" : "Error!\n"; |
---|
94 | break; |
---|
95 | |
---|
96 | case 'mvaro' : |
---|
97 | case 'mvaco' : |
---|
98 | case 'mvaxo' : |
---|
99 | $object = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null; |
---|
100 | $parent = isset($_SERVER['argv'][3]) ? $_SERVER['argv'][3] : null; |
---|
101 | if (!isset($object)) { |
---|
102 | echo "'mv*' commands require at least one argument. Try 'help' if you are lost.\n"; |
---|
103 | break; |
---|
104 | } |
---|
105 | echo $acl->move($object, $parent, str_replace('mv', '', $op)) ? "Ok\n" : "Error!\n"; |
---|
106 | break; |
---|
107 | |
---|
108 | case 'rmaro' : |
---|
109 | case 'rmaco' : |
---|
110 | case 'rmaxo' : |
---|
111 | $object = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null; |
---|
112 | if (!isset($object)) { |
---|
113 | echo "'add*' commands require at least one argument. Try 'help' if you are lost.\n"; |
---|
114 | break; |
---|
115 | } |
---|
116 | echo $acl->remove($object, str_replace('rm', '', $op)) ? "Ok\n" : "Error!\n"; |
---|
117 | break; |
---|
118 | |
---|
119 | case 'initdb' : |
---|
120 | echo $acl->initDB(true) ? "Ok\n" : "Error!\n"; |
---|
121 | break; |
---|
122 | |
---|
123 | case 'grant' : |
---|
124 | $aro = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null; |
---|
125 | $aco = isset($_SERVER['argv'][3]) ? $_SERVER['argv'][3] : null; |
---|
126 | $axo = isset($_SERVER['argv'][4]) ? $_SERVER['argv'][4] : null; |
---|
127 | if (!isset($aro)) { |
---|
128 | echo "'grant' command require at least one argument. Try 'help' if you are lost.\n"; |
---|
129 | break; |
---|
130 | } |
---|
131 | echo $acl->grant($aro, $aco, $axo) ? "Ok\n" : "Error!\n"; |
---|
132 | break; |
---|
133 | |
---|
134 | case 'revoke' : |
---|
135 | $aro = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null; |
---|
136 | $aco = isset($_SERVER['argv'][3]) ? $_SERVER['argv'][3] : null; |
---|
137 | $axo = isset($_SERVER['argv'][4]) ? $_SERVER['argv'][4] : null; |
---|
138 | if (!isset($aro)) { |
---|
139 | echo "'revoke' command require at least one argument. Try 'help' if you are lost.\n"; |
---|
140 | break; |
---|
141 | } |
---|
142 | echo $acl->revoke($aro, $aco, $axo) ? "Ok\n" : "Error!\n"; |
---|
143 | break; |
---|
144 | |
---|
145 | case 'delete' : |
---|
146 | $aro = isset($_SERVER['argv'][2]) && 'null' != $_SERVER['argv'][2] ? $_SERVER['argv'][2] : null; |
---|
147 | $aco = isset($_SERVER['argv'][3]) && 'null' != $_SERVER['argv'][3] ? $_SERVER['argv'][3] : null; |
---|
148 | $axo = isset($_SERVER['argv'][4]) && 'null' != $_SERVER['argv'][4] ? $_SERVER['argv'][4] : null; |
---|
149 | if (!isset($_SERVER['argv'][2]) || !isset($_SERVER['argv'][3]) || !isset($_SERVER['argv'][4])) { |
---|
150 | echo "'delete' command require all three arguments to be specified. Try 'help' if you are lost.\n"; |
---|
151 | break; |
---|
152 | } |
---|
153 | echo $acl->delete($aro, $aco, $axo) ? "Ok\n" : "Error!\n"; |
---|
154 | break; |
---|
155 | |
---|
156 | case 'check' : |
---|
157 | $aro = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null; |
---|
158 | $aco = isset($_SERVER['argv'][3]) ? $_SERVER['argv'][3] : null; |
---|
159 | $axo = isset($_SERVER['argv'][4]) ? $_SERVER['argv'][4] : null; |
---|
160 | if (!isset($aro)) { |
---|
161 | echo "'check' command require at least one argument. Try 'help' if you are lost.\n"; |
---|
162 | break; |
---|
163 | } |
---|
164 | echo $acl->check($aro, $aco, $axo) ? "allow\n" : "deny\n"; |
---|
165 | break; |
---|
166 | |
---|
167 | case 'help' : |
---|
168 | help(); |
---|
169 | break; |
---|
170 | |
---|
171 | default : |
---|
172 | echo "'$op' is not an understood command. Try 'help' if you are lost.\n"; |
---|
173 | break; |
---|
174 | } |
---|
175 | |
---|
176 | $app->stop(); |
---|
177 | die; |
---|
178 | |
---|
179 | |
---|
180 | /******************************************************************** |
---|
181 | * FUNCTIONS |
---|
182 | ********************************************************************/ |
---|
183 | |
---|
184 | function help() |
---|
185 | { |
---|
186 | global $cli_executed; |
---|
187 | |
---|
188 | ?> |
---|
189 | Access Control List command line tool. |
---|
190 | |
---|
191 | This script must be run in a common site directory configured with a DB auth file, |
---|
192 | e.g., `lib/db_auth.json`, readable by the user executing this script. |
---|
193 | |
---|
194 | Three types of objects are managed by this interface: |
---|
195 | |
---|
196 | ARO - Access Request Objects |
---|
197 | ACO - Access Control Objects |
---|
198 | AXO - Access Xtra Objects |
---|
199 | |
---|
200 | These are most often used as a USER -> ACTION -> OBJECT model, |
---|
201 | but could just as easily be SPICES -> CUISINES -> DISHES. A privilege is |
---|
202 | allowed if a user (ARO) can perform an action (ACO) on something (AXO). |
---|
203 | For example, with an `ARO->ACO->AXO` of `Bob->edit->4`, Bob can edit article 4. |
---|
204 | If the AXO were omitted (i.e. just `Bob->edit`), this becomes "Bob can edit" |
---|
205 | (he can edit any object). |
---|
206 | |
---|
207 | Each access object is stored as a node in hierarchical tree structure. |
---|
208 | A permission granted to a node is applied to all its children. If a child |
---|
209 | node is specified with a permission more specific than its ancestors, the |
---|
210 | child will take precedence. If no permission is specified, root is used, |
---|
211 | implying access to any object of that type. |
---|
212 | |
---|
213 | Usage: <?php echo $cli_executed; ?> command [args] |
---|
214 | |
---|
215 | Where command is any of the following (with arguments): |
---|
216 | |
---|
217 | initdb |
---|
218 | list [aro | aco | axo | all | perms] |
---|
219 | check aro [aco] [axo] |
---|
220 | addaro aro [parent] |
---|
221 | addaco aco [parent] |
---|
222 | addaxo axo [parent] |
---|
223 | mvaro aro [parent] |
---|
224 | mvaco aco [parent] |
---|
225 | mvaxo axo [parent] |
---|
226 | rmaro aro |
---|
227 | rmaco aco |
---|
228 | rmaxo axo |
---|
229 | grant aro [aco] [axo] |
---|
230 | revoke aro [aco] [axo] |
---|
231 | delete aro aco axo |
---|
232 | |
---|
233 | For the add*, mv*, grant, and revoke commands if any of the optional |
---|
234 | args are not provided, 'root' is assumed. The delete command requires |
---|
235 | all object types to be specified; Passing the string 'null' will cause |
---|
236 | all matches in that column to be deleted. run with 'grants' to view what |
---|
237 | can be deleted. |
---|
238 | <?php |
---|
239 | die; |
---|
240 | } |
---|
241 | |
---|
242 | |
---|
243 | /* |
---|
244 | * Print the tree structure of a specified table (aro_tbl, aco_tbl, or axo_tbl). |
---|
245 | * |
---|
246 | * @access public |
---|
247 | * @param string $type Table to call, one of: aro, aco, or axo. |
---|
248 | * @param string $root Root node from which to begin calculating. |
---|
249 | * @return bool Returns false on error. |
---|
250 | * @author Quinn Comendant <quinn@strangecode.com> |
---|
251 | * @version 1.0 |
---|
252 | * @since 17 Jun 2006 23:41:22 |
---|
253 | */ |
---|
254 | function listObjects($type, $root=null) |
---|
255 | { |
---|
256 | global $acl; |
---|
257 | |
---|
258 | $app =& App::getInstance(); |
---|
259 | $db =& DB::getInstance(); |
---|
260 | |
---|
261 | switch ($type) { |
---|
262 | case 'aro' : |
---|
263 | printf("\n%-45s %s\n", 'Request objects', 'Added'); |
---|
264 | break; |
---|
265 | case 'aco' : |
---|
266 | printf("\n%-45s %s\n", 'Control objects', 'Added'); |
---|
267 | break; |
---|
268 | case 'axo' : |
---|
269 | printf("\n%-45s %s\n", 'Xtra objects', 'Added'); |
---|
270 | break; |
---|
271 | default : |
---|
272 | $app->logMsg(sprintf('Invalid access object type: %s', $type), LOG_ERR, __FILE__, __LINE__); |
---|
273 | return false; |
---|
274 | } |
---|
275 | |
---|
276 | echo "---------------------------------------------------------------------\n"; |
---|
277 | |
---|
278 | foreach ($acl->getList($type, $root) as $o) { |
---|
279 | // Display indented node title. |
---|
280 | printf("%-45s %s\n", str_repeat(' ', $o['depth']) . $o['name'], date($app->getParam('date_format') . ' ' . $app->getParam('time_format'), strtotime($o['added_datetime']))); |
---|
281 | } |
---|
282 | |
---|
283 | echo "\n"; |
---|
284 | } |
---|
285 | |
---|
286 | /* |
---|
287 | * List all entries in the acl_tbl. |
---|
288 | * |
---|
289 | * @access public |
---|
290 | * @author Quinn Comendant <quinn@strangecode.com> |
---|
291 | * @version 1.0 |
---|
292 | * @since 17 Jun 2006 15:11:53 |
---|
293 | */ |
---|
294 | function listPerms() |
---|
295 | { |
---|
296 | $app =& App::getInstance(); |
---|
297 | $db =& DB::getInstance(); |
---|
298 | |
---|
299 | // Retrieve access value from db. |
---|
300 | $qid = $db->query(" |
---|
301 | SELECT aro_tbl.name AS aro, aco_tbl.name AS aco, axo_tbl.name AS axo, acl_tbl.access, acl_tbl.added_datetime |
---|
302 | FROM acl_tbl |
---|
303 | LEFT JOIN aro_tbl ON (acl_tbl.aro_id = aro_tbl.aro_id) |
---|
304 | LEFT JOIN aco_tbl ON (acl_tbl.aco_id = aco_tbl.aco_id) |
---|
305 | LEFT JOIN axo_tbl ON (acl_tbl.axo_id = axo_tbl.axo_id) |
---|
306 | ORDER BY aro_tbl.lft ASC, aco_tbl.lft ASC, axo_tbl.lft ASC |
---|
307 | "); |
---|
308 | echo "\n"; |
---|
309 | printf("%-25s %-25s %-25s %-6s %-10s\n", 'Request objects', 'Control objects', 'Xtra objects', 'Grant', 'Added'); |
---|
310 | echo "------------------------------------------------------------------------------------------------\n"; |
---|
311 | while ($p = mysql_fetch_assoc($qid)) { |
---|
312 | printf("%-25s %-25s %-25s \033[0;%sm%-6s\033[0m %-10s\n", $p['aro'], $p['aco'], $p['axo'], ('allow' == $p['access'] ? '32' : '31'), $p['access'], date($app->getParam('date_format'), strtotime($p['added_datetime']))); |
---|
313 | } |
---|
314 | } |
---|
315 | |
---|
316 | |
---|