#!/usr/bin/env php
* Copyright 2001-2012 Strangecode, LLC
*
* This file is part of The Strangecode Codebase.
*
* The Strangecode Codebase is free software: you can redistribute it and/or
* modify it under the terms of the GNU General Public License as published by the
* Free Software Foundation, either version 3 of the License, or (at your option)
* any later version.
*
* The Strangecode Codebase is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* The Strangecode Codebase. If not, see .
*/
/*
* acl.cli.php
*
* @author Quinn Comendant
* @version 1.1
* @since 14 Jun 2006 23:10:45
*/
/********************************************************************
* CONFIG
********************************************************************/
require_once dirname(__FILE__) . '/_config.inc.php';
// Give them a fighting chance. Show the help message. ;P
if ($_SERVER['argc'] <= 1) {
help();
}
// ACL!
require_once CODEBASE_PATH . '/lib/ACL.inc.php';
$acl =& ACL::getInstance();
$acl->setParam(array(
'create_table' => false,
'enable_cache' => false,
));
/********************************************************************
* MAIN
********************************************************************/
if (!$db->tableExists('acl_tbl')) {
printf("This project doesn't appear to be using ACL (there is no acl_tbl in the %s DB).\n", $app->getParam('db_name'));
$app->stop();
die;
}
$op = $_SERVER['argv'][1];
switch ($op) {
case 'list' :
$type = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null;
switch ($type) {
case 'aro' :
case 'aco' :
case 'axo' :
listObjects($type);
break;
case 'all' :
listObjects('aro');
listObjects('aco');
listObjects('axo');
break;
case 'perms' :
default :
listPerms();
break;
}
break;
case 'addaro' :
case 'addaco' :
case 'addaxo' :
$object = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null;
$parent = isset($_SERVER['argv'][3]) ? $_SERVER['argv'][3] : null;
if (!isset($object)) {
echo "'add*' commands require at least one argument. Try 'help' if you are lost.\n";
break;
}
echo $acl->add($object, $parent, str_replace('add', '', $op)) ? "Ok\n" : "Error!\n";
break;
case 'mvaro' :
case 'mvaco' :
case 'mvaxo' :
$object = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null;
$parent = isset($_SERVER['argv'][3]) ? $_SERVER['argv'][3] : null;
if (!isset($object)) {
echo "'mv*' commands require at least one argument. Try 'help' if you are lost.\n";
break;
}
echo $acl->move($object, $parent, str_replace('mv', '', $op)) ? "Ok\n" : "Error!\n";
break;
case 'rmaro' :
case 'rmaco' :
case 'rmaxo' :
$object = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null;
if (!isset($object)) {
echo "'add*' commands require at least one argument. Try 'help' if you are lost.\n";
break;
}
echo $acl->remove($object, str_replace('rm', '', $op)) ? "Ok\n" : "Error!\n";
break;
case 'initdb' :
echo $acl->initDB(true) ? "Ok\n" : "Error!\n";
break;
case 'grant' :
$aro = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null;
$aco = isset($_SERVER['argv'][3]) ? $_SERVER['argv'][3] : null;
$axo = isset($_SERVER['argv'][4]) ? $_SERVER['argv'][4] : null;
if (!isset($aro)) {
echo "'grant' command require at least one argument. Try 'help' if you are lost.\n";
break;
}
echo $acl->grant($aro, $aco, $axo) ? "Ok\n" : "Error!\n";
break;
case 'revoke' :
$aro = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null;
$aco = isset($_SERVER['argv'][3]) ? $_SERVER['argv'][3] : null;
$axo = isset($_SERVER['argv'][4]) ? $_SERVER['argv'][4] : null;
if (!isset($aro)) {
echo "'revoke' command require at least one argument. Try 'help' if you are lost.\n";
break;
}
echo $acl->revoke($aro, $aco, $axo) ? "Ok\n" : "Error!\n";
break;
case 'delete' :
$aro = isset($_SERVER['argv'][2]) && 'null' != $_SERVER['argv'][2] ? $_SERVER['argv'][2] : null;
$aco = isset($_SERVER['argv'][3]) && 'null' != $_SERVER['argv'][3] ? $_SERVER['argv'][3] : null;
$axo = isset($_SERVER['argv'][4]) && 'null' != $_SERVER['argv'][4] ? $_SERVER['argv'][4] : null;
if (!isset($_SERVER['argv'][2]) || !isset($_SERVER['argv'][3]) || !isset($_SERVER['argv'][4])) {
echo "'delete' command require all three arguments to be specified. Try 'help' if you are lost.\n";
break;
}
echo $acl->delete($aro, $aco, $axo) ? "Ok\n" : "Error!\n";
break;
case 'check' :
$aro = isset($_SERVER['argv'][2]) ? $_SERVER['argv'][2] : null;
$aco = isset($_SERVER['argv'][3]) ? $_SERVER['argv'][3] : null;
$axo = isset($_SERVER['argv'][4]) ? $_SERVER['argv'][4] : null;
if (!isset($aro)) {
echo "'check' command require at least one argument. Try 'help' if you are lost.\n";
break;
}
echo $acl->check($aro, $aco, $axo) ? "allow\n" : "deny\n";
break;
case 'help' :
help();
break;
default :
echo "'$op' is not an understood command. Try 'help' if you are lost.\n";
break;
}
$app->stop();
die;
/********************************************************************
* FUNCTIONS
********************************************************************/
function help()
{
global $cli_executed;
?>
Access Control List command line tool.
This script must be run in a common site directory configured with a DB auth file,
e.g., `lib/db_auth.json`, readable by the user executing this script.
Three types of objects are managed by this interface:
ARO - Access Request Objects
ACO - Access Control Objects
AXO - Access Xtra Objects
These are most often used as a USER -> ACTION -> OBJECT model,
but could just as easily be SPICES -> CUISINES -> DISHES. A privilege is
allowed if a user (ARO) can perform an action (ACO) on something (AXO).
For example, with an `ARO->ACO->AXO` of `Bob->edit->4`, Bob can edit article 4.
If the AXO were omitted (i.e. just `Bob->edit`), this becomes "Bob can edit"
(he can edit any object).
Each access object is stored as a node in hierarchical tree structure.
A permission granted to a node is applied to all its children. If a child
node is specified with a permission more specific than its ancestors, the
child will take precedence. If no permission is specified, root is used,
implying access to any object of that type.
Usage: command [args]
Where command is any of the following (with arguments):
initdb
list [aro | aco | axo | all | perms]
check aro [aco] [axo]
addaro aro [parent]
addaco aco [parent]
addaxo axo [parent]
mvaro aro [parent]
mvaco aco [parent]
mvaxo axo [parent]
rmaro aro
rmaco aco
rmaxo axo
grant aro [aco] [axo]
revoke aro [aco] [axo]
delete aro aco axo
For the add*, mv*, grant, and revoke commands if any of the optional
args are not provided, 'root' is assumed. The delete command requires
all object types to be specified; Passing the string 'null' will cause
all matches in that column to be deleted. run with 'grants' to view what
can be deleted.
* @version 1.0
* @since 17 Jun 2006 23:41:22
*/
function listObjects($type, $root=null)
{
global $acl;
$app =& App::getInstance();
$db =& DB::getInstance();
switch ($type) {
case 'aro' :
printf("\n%-45s %s\n", 'Request objects', 'Added');
break;
case 'aco' :
printf("\n%-45s %s\n", 'Control objects', 'Added');
break;
case 'axo' :
printf("\n%-45s %s\n", 'Xtra objects', 'Added');
break;
default :
$app->logMsg(sprintf('Invalid access object type: %s', $type), LOG_ERR, __FILE__, __LINE__);
return false;
}
echo "---------------------------------------------------------------------\n";
foreach ($acl->getList($type, $root) as $o) {
// Display indented node title.
printf("%-45s %s\n", str_repeat(' ', $o['depth']) . $o['name'], date($app->getParam('date_format') . ' ' . $app->getParam('time_format'), strtotime($o['added_datetime'])));
}
echo "\n";
}
/*
* List all entries in the acl_tbl.
*
* @access public
* @author Quinn Comendant
* @version 1.0
* @since 17 Jun 2006 15:11:53
*/
function listPerms()
{
$app =& App::getInstance();
$db =& DB::getInstance();
// Retrieve access value from db.
$qid = $db->query("
SELECT aro_tbl.name AS aro, aco_tbl.name AS aco, axo_tbl.name AS axo, acl_tbl.access, acl_tbl.added_datetime
FROM acl_tbl
LEFT JOIN aro_tbl ON (acl_tbl.aro_id = aro_tbl.aro_id)
LEFT JOIN aco_tbl ON (acl_tbl.aco_id = aco_tbl.aco_id)
LEFT JOIN axo_tbl ON (acl_tbl.axo_id = axo_tbl.axo_id)
ORDER BY aro_tbl.lft ASC, aco_tbl.lft ASC, axo_tbl.lft ASC
");
echo "\n";
printf("%-25s %-25s %-25s %-6s %-10s\n", 'Request objects', 'Control objects', 'Xtra objects', 'Grant', 'Added');
echo "------------------------------------------------------------------------------------------------\n";
while ($p = mysql_fetch_assoc($qid)) {
printf("%-25s %-25s %-25s \033[0;%sm%-6s\033[0m %-10s\n", $p['aro'], $p['aco'], $p['axo'], ('allow' == $p['access'] ? '32' : '31'), $p['access'], date($app->getParam('date_format'), strtotime($p['added_datetime'])));
}
}