1#!/usr/bin/php
2<?php
3/**
4 * The Strangecode Codebase - a general application development framework for PHP
5 * For details visit the project site: <http://trac.strangecode.com/codebase/>
6 * Copyright 2001-2012 Strangecode, LLC
7 *
8 * This file is part of The Strangecode Codebase.
9 *
10 * The Strangecode Codebase is free software: you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License as published by the
12 * Free Software Foundation, either version 3 of the License, or (at your option)
13 * any later version.
14 *
15 * The Strangecode Codebase is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
17 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
18 * details.
19 *
20 * You should have received a copy of the GNU General Public License along with
21 * The Strangecode Codebase. If not, see <http://www.gnu.org/licenses/>.
22 */
23
/*
* acl.cli.php
*
* Command line tool for managing a site's ACL tables: the ARO/ACO/AXO node
* trees and the permissions recorded between them. It must be run from the
* common site directory as the owner of global/db_auth.inc.php (both are
* checked at startup); see help() for the list of commands.
*
* @author   Quinn Comendant <quinn@strangecode.com>
* @version  1.0
* @since    14 Jun 2006 23:10:45
*/
31
32
33/********************************************************************
34* STARTUP
35********************************************************************/
36
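$this_script = basename($_SERVER['argv'][0]);

// Give them a fighting chance. Show the help message. ;P
if ($_SERVER['argc'] <= 1) {
    help();
}

// Make sure necessary files exist.
// Everything below is resolved relative to the current working directory, and
// global/db_auth.inc.php (plus the codebase libraries) is later require'd
// through an include_path that points at it, so only run this tool from a
// directory you control. realpath() returns false if the cwd no longer exists;
// without this guard the credentials path would silently collapse to
// /global/db_auth.inc.php.
define('COMMON_BASE', realpath('.'));
if (false === COMMON_BASE) {
    die(sprintf("%s error: unable to resolve the current directory.\n", $this_script));
}
$db_auth_file = COMMON_BASE . '/global/db_auth.inc.php';
if (!is_file($db_auth_file)) {
    die(sprintf("%s error: the current directory must be common site directory (i.e. the parent directory of the document root) AND the global/db_auth.inc.php file must exist.\n", $this_script));
}

// Refuse to run as anyone but the owner of the credentials file (root only gets
// through if the file itself is root-owned). The comparison must be strict:
// fileowner() returns false when the stat fails, and under loose comparison
// `false != 0` is false, which would let a uid-0 caller past a failed check.
if (fileowner($db_auth_file) !== getmyuid()) {
    die(sprintf("%s error: you must execute this script as the owner of the web files.\n", $this_script));
}

// Set include path so 'codebase/...' and 'global/...' resolve from COMMON_BASE.
ini_set('include_path', get_include_path()
    . PATH_SEPARATOR . COMMON_BASE
);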
59
60
61/********************************************************************
62* CONFIG
63********************************************************************/
64
// Include core libraries.
require_once 'codebase/lib/App.inc.php';
require_once 'codebase/lib/Utilities.inc.php';

// Settings for this CLI run: no session, DB required, and the App aborts on the
// first failed query (db_die_on_failure). db_debug and display_errors are on,
// which presumably echoes failing SQL to the terminal -- fine for an operator
// tool, but bear it in mind if the output is ever captured to a shared log.
$cli_params = array(
    'site_name' => 'ACL cli',
    'site_email' => 'codebase@strangecode.com',
    'enable_session' => false,
    'enable_db' => true,
    'db_always_debug' => false,
    'db_debug' => true,
    'db_die_on_failure' => true,
    'display_errors' => true,
    'error_reporting' => E_ALL,
    'log_file_priority' => LOG_INFO,
    'log_screen_priority' => LOG_ERR,
    'log_directory' => COMMON_BASE . '/log',
    'log_filename' => 'site_log',
);

$app =& App::getInstance('module_maker');
$app->setParam($cli_params);

// DB credentials come from the site's own auth file; its existence and
// ownership were verified during STARTUP.
require_once 'global/db_auth.inc.php';

// Start application-based functionality: database, session, environment, ini setup, etc.
// Most configuration parameters must be set before starting the App.
$app->start();

// Global DB object. Automatically pre-configured by $app->start().
$db =& DB::getInstance();

// ACL!
require_once 'codebase/lib/ACL.inc.php';
$acl =& ACL::getInstance();
// Automatic table creation is off; the explicit 'initdb' command (see MAIN)
// is the only way this tool creates tables.
$acl->setParam(array('create_table' => false));
98
99
100/********************************************************************
101* MAIN
102********************************************************************/
103
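$op = $_SERVER['argv'][1];

// Positional arguments after the command; null when not supplied. Per help(),
// most commands treat a missing object name as 'root', which is why each case
// below insists on at least the first one.
$arg2 = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null;
$arg3 = isset($_SERVER['argv'][3]) ? $_SERVER['argv'][3] : null;
$arg4 = isset($_SERVER['argv'][4]) ? $_SERVER['argv'][4] : null;

switch ($op) {
case 'list' :
    // No sub-command (or an unknown one) lists the permissions table.
    switch ($arg2) {
    case 'aro' :
    case 'aco' :
    case 'axo' :
        listObjects('root', $arg2);
        break;
    case 'all' :
        listObjects('root', 'aro');
        listObjects('root', 'aco');
        listObjects('root', 'axo');
        break;
    case 'perms' :
    default :
        listPerms();
        break;
    }
    break;

case 'addaro' :
case 'addaco' :
case 'addaxo' :
    // The object type is the last three characters of the command name.
    if (!isset($arg2)) {
        echo "'add*' commands require at least one argument. Try 'help' if you are lost.\n";
        break;
    }
    echo $acl->add($arg2, $arg3, substr($op, -3)) ? "Ok\n" : "Error!\n";
    break;

case 'mvaro' :
case 'mvaco' :
case 'mvaxo' :
    // Re-parents a node; with no parent given it moves under 'root'.
    if (!isset($arg2)) {
        echo "'mv*' commands require at least one argument. Try 'help' if you are lost.\n";
        break;
    }
    echo $acl->move($arg2, $arg3, substr($op, -3)) ? "Ok\n" : "Error!\n";
    break;

case 'rmaro' :
case 'rmaco' :
case 'rmaxo' :
    // Destructive and unconfirmed: check with 'list' first. (The message used
    // to say 'add*' -- a copy-paste slip.)
    if (!isset($arg2)) {
        echo "'rm*' commands require at least one argument. Try 'help' if you are lost.\n";
        break;
    }
    echo $acl->remove($arg2, substr($op, -3)) ? "Ok\n" : "Error!\n";
    break;

case 'initdb' :
    // The true argument is handed straight to ACL::initDB(); confirm in the
    // library whether that drops existing tables before using it on live data.
    echo $acl->initDB(true) ? "Ok\n" : "Error!\n";
    break;

case 'grant' :
    // aro is mandatory. A missing aco/axo means 'root', i.e. "any action" /
    // "any object": `grant bob` grants bob everything, so check the args twice.
    if (!isset($arg2)) {
        echo "'grant' command require at least one argument. Try 'help' if you are lost.\n";
        break;
    }
    echo $acl->grant($arg2, $arg3, $arg4) ? "Ok\n" : "Error!\n";
    break;

case 'revoke' :
    // Mirror of grant: missing aco/axo revoke at 'root' level.
    if (!isset($arg2)) {
        echo "'revoke' command require at least one argument. Try 'help' if you are lost.\n";
        break;
    }
    echo $acl->revoke($arg2, $arg3, $arg4) ? "Ok\n" : "Error!\n";
    break;

case 'delete' :
    // All three columns are required. The literal string 'null' is a wildcard
    // for its column (see help()), so `delete null null null` removes every
    // permission row; there is no confirmation prompt.
    if (!isset($arg2) || !isset($arg3) || !isset($arg4)) {
        echo "'delete' command require all three arguments to be specified. Try 'help' if you are lost.\n";
        break;
    }
    $aro = 'null' !== $arg2 ? $arg2 : null;
    $aco = 'null' !== $arg3 ? $arg3 : null;
    $axo = 'null' !== $arg4 ? $arg4 : null;
    echo $acl->delete($aro, $aco, $axo) ? "Ok\n" : "Error!\n";
    break;

case 'check' :
    // Read-only: reports whether aro may perform aco on axo.
    if (!isset($arg2)) {
        echo "'check' command require at least one argument. Try 'help' if you are lost.\n";
        break;
    }
    echo $acl->check($arg2, $arg3, $arg4) ? "allow\n" : "deny\n";
    break;

case 'help' :
    help();
    break;

default :
    echo "'$op' is not an understood command. Try 'help' if you are lost.\n";
    break;
}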
217
218
219/********************************************************************
220* FUNCTIONS
221********************************************************************/
222
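/**
 * Print the usage text to stdout and terminate.
 *
 * Reached when the script is invoked with no command and for the 'help'
 * command. It never returns: the trailing die ends the process with exit
 * status 0, so a bad invocation does not signal failure to a calling shell.
 *
 * @access  public
 * @return  void
 */
function help()
{
    global $this_script;

    ?>
Access Control List command line tool.

This script must be run in the common site directory (i.e. the parent
directory of the document root). DB credentials are retrieved from:
global/db_auth.inc.php so this file must exist. Furthermore this script
must be executed as the owner of the db_auth.inc.php file.

Three types of objects are managed by this interface:

  ARO - Access Request Objects
  ACO - Access Control Objects
  AXO - Access Xtra Objects

These are most often used as a USER -> ACTION -> OBJECT model,
but could just as easily be SPICES -> CUISINES -> DISHES. A privilege is
allowed if a user (ARO) can perform an action (ACO) on something (AXO).
For example, with an `ARO->ACO->AXO` of `Bob->edit->4`, Bob can edit article 4.
If the AXO were omitted (i.e. just `Bob->edit`), this becomes "Bob can edit"
(he can edit any object).

Each access object is stored as a node in hierarchical tree structures.
A permission granted to a node is applied to all its children. If a child
node is specified a different permission that is more specific than
anything on the branch it will take precedence. If no permission is
specified, root is used for that object. Root, in this case, means
"anything" since it is at the top of all branches.

Usage: <?php echo $this_script; ?> command [args]

Where command is any of the following (with arguments):

    initdb
    list [aro | aco | axo | all | perms]
    check aro [aco] [axo]
    addaro aro [parent]
    addaco aco [parent]
    addaxo axo [parent]
    mvaro aro [parent]
    mvaco aco [parent]
    mvaxo axo [parent]
    rmaro aro
    rmaco aco
    rmaxo axo
    grant aro [aco] [axo]
    revoke aro [aco] [axo]
    delete aro aco axo


For the add*, mv*, grant, and revoke commands if any of the optional
args are not provided, 'root' is assumed. The delete command requires
all object types to be specified; Passing the string 'null' will cause
all matches in that column to be deleted. Run 'list perms' to view what
can be deleted.
<?php
    die;
}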
284
285
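/*
* Print the tree structure of a specified table (aro_tbl, aco_tbl, or axo_tbl).
*
* Nodes are stored as a nested set (lft/rgt columns). Every descendant of the
* $root node is printed in lft order, indented four spaces per level below it.
*
* @access   public
* @param    string $root Name of the node from which to begin printing.
* @param    string $type Table to list, one of: aro, aco, or axo.
* @return   bool Returns false (after logging) if $type is not one of the three
*                table types or $root does not exist in that table; true otherwise.
* @author   Quinn Comendant <quinn@strangecode.com>
* @version  1.0
* @since    17 Jun 2006 23:41:22
*/
function listObjects($root, $type)
{
    $app =& App::getInstance();
    $db =& DB::getInstance();

    echo "\n";

    // The table name only ever comes from this whitelist, never from $type itself.
    switch ($type) {
    case 'aro' :
        $tbl = 'aro_tbl';
        printf("%-35s %-5s %-5s %s\n", 'Request objects', 'lft', 'rgt', 'Added');
        break;
    case 'aco' :
        $tbl = 'aco_tbl';
        printf("%-35s %-5s %-5s %s\n", 'Control objects', 'lft', 'rgt', 'Added');
        break;
    case 'axo' :
        $tbl = 'axo_tbl';
        printf("%-35s %-5s %-5s %s\n", 'Xtra objects', 'lft', 'rgt', 'Added');
        break;
    default :
        $app->logMsg(sprintf('Invalid access object type: %s', $type), LOG_ERR, __FILE__, __LINE__);
        return false;
    }

    echo "-----------------------------------------------------------\n";

    // Retrieve the left and right value of the $root node.
    $qid = $db->query("SELECT lft, rgt FROM $tbl WHERE name = '" . $db->escapeString($root) . "'");
    $bounds = mysql_fetch_row($qid);
    if (!$bounds) {
        // An unknown root used to yield "BETWEEN  AND" and a fatal query error.
        $app->logMsg(sprintf('Access object "%s" not found in %s', $root, $tbl), LOG_ERR, __FILE__, __LINE__);
        return false;
    }
    // Cast before interpolating: the values come from the DB, but they are
    // placed unquoted in the next query, so never treat them as raw strings.
    $root_lft = (int) $bounds[0];
    $root_rgt = (int) $bounds[1];

    // Stack of rgt values for the nodes still "open" above the current one;
    // its size is the current depth below $root.
    $depth = array();

    // Retrieve all descendants of the root node.
    $qid = $db->query("SELECT name, lft, rgt, added_datetime FROM $tbl WHERE lft BETWEEN $root_lft AND $root_rgt ORDER BY lft ASC");
    while (list($name, $lft, $rgt, $added_datetime) = mysql_fetch_row($qid)) {
        // Any open node whose rgt is below ours has been fully walked: pop it.
        while (sizeof($depth) > 0 && end($depth) < $rgt) {
            array_pop($depth);
        }

        // Display indented node title.
        printf("%-35s %-5s %-5s %s\n", str_repeat('    ', sizeof($depth)) . $name, $lft, $rgt, date($app->getParam('date_format'), strtotime($added_datetime)));

        // Add this node to the stack.
        $depth[] = $rgt;
    }

    return true;
}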
347
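/*
* List all entries in the acl_tbl.
*
* Prints one line per acl_tbl row with the names of its aro/aco/axo nodes
* (LEFT JOINs, so a dangling id shows up as an empty name). The access column
* is coloured green for 'allow' and red otherwise, but only when stdout is a
* terminal: redirected or piped output gets plain text.
*
* @access   public
* @return   void
* @author   Quinn Comendant <quinn@strangecode.com>
* @version  1.0
* @since    17 Jun 2006 15:11:53
*/
function listPerms()
{
    $app =& App::getInstance();
    $db =& DB::getInstance();

    // Unconditional ANSI escapes corrupt captured output (e.g. `list perms > file`).
    // posix_isatty() lives in the optional posix extension; without it, stay plain.
    $colorize = defined('STDOUT') && function_exists('posix_isatty') && posix_isatty(STDOUT);

    // Retrieve access value from db.
    $qid = $db->query("
        SELECT aro_tbl.name AS aro, aco_tbl.name AS aco, axo_tbl.name AS axo, acl_tbl.access, acl_tbl.added_datetime
        FROM acl_tbl
        LEFT JOIN aro_tbl ON (acl_tbl.aro_id = aro_tbl.aro_id)
        LEFT JOIN aco_tbl ON (acl_tbl.aco_id = aco_tbl.aco_id)
        LEFT JOIN axo_tbl ON (acl_tbl.axo_id = axo_tbl.axo_id)
        ORDER BY aro_tbl.lft ASC, aco_tbl.lft ASC, axo_tbl.lft ASC
    ");
    echo "\n";
    printf("%-25s %-25s %-25s %-6s %-10s\n", 'Request objects', 'Control objects', 'Xtra objects', '', 'Added');
    echo "------------------------------------------------------------------------------------------------\n";
    while ($p = mysql_fetch_assoc($qid)) {
        $added = date($app->getParam('date_format'), strtotime($p['added_datetime']));
        if ($colorize) {
            // SGR 32 = green for 'allow', 31 = red for anything else.
            $color = ('allow' == $p['access'] ? '32' : '31');
            printf("%-25s %-25s %-25s \033[0;%sm%-6s\033[0m %-10s\n", $p['aro'], $p['aco'], $p['axo'], $color, $p['access'], $added);
        } else {
            printf("%-25s %-25s %-25s %-6s %-10s\n", $p['aro'], $p['aco'], $p['axo'], $p['access'], $added);
        }
    }
}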
378
379