
HPCC-22415 Remove redundant security checking from dali

Signed-off-by: Gavin Halliday <gavin.halliday@lexisnexis.com>
Gavin Halliday hace 6 años
padre
commit
264001d07c

+ 1 - 2
common/workunit/workunit.cpp

@@ -6756,8 +6756,7 @@ void CLocalWorkUnit::remoteCheckAccess(IUserDescriptor *user, bool writeaccess)
     if (scopename&&*scopename) {
         if (!user)
             user = queryUserDescriptor();
-        CDateTime now;
-        perm = querySessionManager().getPermissionsLDAP("workunit",scopename,user,auditflags,nullptr,now);
+        perm = querySessionManager().getPermissionsLDAP("workunit",scopename,user,auditflags);
         if (perm<0) {
             if (perm == SecAccess_Unavailable)
                 perm = SecAccess_Full;
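Review bot: The only visible handling of a negative result in remoteCheckAccess is `if (perm == SecAccess_Unavailable) perm = SecAccess_Full;`, which grants full access when the permission lookup reports itself unavailable. With the signature argument removed from the call above it, this fail-open branch deserves an explicit comment. If it is intended (presumably it means no security manager is configured), something like `// security not configured on Dali: treat scope as unrestricted` on that line would make the decision reviewable. The function continues outside the hunk, so handling of other negative values is not visible here.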

+ 1 - 6
dali/base/dadfs.cpp

@@ -1261,12 +1261,7 @@ static SecAccessFlags getScopePermissions(const char *scopename,IUserDescriptor
             user = queryDistributedFileDirectory().queryDefaultUser();
         }
 
-        //Create signature
-        CDateTime now;
-        StringBuffer b64sig;
-        createDaliSignature(scopename, user, now, b64sig);
-
-        perms = querySessionManager().getPermissionsLDAP(queryDfsXmlBranchName(DXB_Scope),scopename,user,auditflags, b64sig.str(), now);
+        perms = querySessionManager().getPermissionsLDAP(queryDfsXmlBranchName(DXB_Scope),scopename,user,auditflags);
         if (perms<0) {
             if (perms == SecAccess_Unavailable) {
                 scopePermissionsAvail=false;

+ 15 - 32
dali/base/dasess.cpp

@@ -120,7 +120,7 @@ interface ISessionManagerServer: implements IConnectionMonitor
     virtual void addSession(SessionId id) = 0;
     virtual SessionId lookupProcessSession(INode *node) = 0;
     virtual INode *getProcessSessionNode(SessionId id) =0;
-    virtual SecAccessFlags getPermissionsLDAP(const char *key,const char *obj,IUserDescriptor *udesc,unsigned flags, const char * reqSignature, CDateTime & reqUTCTimestamp, int *err)=0;
+    virtual SecAccessFlags getPermissionsLDAP(const char *key,const char *obj,IUserDescriptor *udesc,unsigned flags, int *err)=0;
     virtual bool clearPermissionsCache(IUserDescriptor *udesc) = 0;
     virtual void stopSession(SessionId sessid,bool failed) = 0;
     virtual void setClientAuth(IDaliClientAuthConnection *authconn) = 0;
@@ -666,15 +666,15 @@ public:
                 if (mb.length()-mb.getPos()>=sizeof(auditflags))
                     mb.read(auditflags);
 
-                StringBuffer reqSignature;
-                CDateTime reqUTCTimestamp;
                 if (mb.remaining() > 0)
                 {
+                    StringBuffer reqSignature; // now ignored
+                    CDateTime reqUTCTimestamp; // also ignored
                     mb.read(reqSignature);
                     reqUTCTimestamp.deserialize(mb);
                 }
                 int err = 0;
-                SecAccessFlags perms = manager.getPermissionsLDAP(key,obj,udesc,auditflags,reqSignature.str(),reqUTCTimestamp,&err);
+                SecAccessFlags perms = manager.getPermissionsLDAP(key,obj,udesc,auditflags,&err);
                 mb.clear().append((int)perms);
                 if (err)
                     mb.append(err);
@@ -953,7 +953,7 @@ public:
     }
 
 
-    SecAccessFlags getPermissionsLDAP(const char *key,const char *obj,IUserDescriptor *udesc,unsigned auditflags,const char * reqSignature, CDateTime & reqUTCTimestamp, int *err)
+    SecAccessFlags getPermissionsLDAP(const char *key,const char *obj,IUserDescriptor *udesc,unsigned auditflags, int *err)
     {
         if (err)
             *err = 0;
@@ -986,21 +986,10 @@ public:
         //Serialize signature. If not provided, compute it
         if (queryDaliServerVersion().compare("3.15") >= 0)
         {
-            if (isEmptyString(reqSignature))
-            {
-                CDateTime now;
-                StringBuffer b64sig;
-                if (createDaliSignature(obj, udesc, now, b64sig))
-                {
-                    mb.append(b64sig.str());
-                    now.serialize(mb);
-                }
-            }
-            else
-            {
-                mb.append(reqSignature);
-                reqUTCTimestamp.serialize(mb);
-            }
+            //Backwards compatibility in case another parameter is added later, otherwise could be removed
+            CDateTime reqUTCTimestamp;
+            mb.append("");
+            reqUTCTimestamp.serialize(mb);
         }
 
 
@@ -1223,8 +1212,6 @@ class CLdapWorkItem : public Thread
 {
     StringAttr key;
     StringAttr obj;
-    StringAttr reqSignature;
-    CDateTime  reqUTCTimestamp;
     Linked<IUserDescriptor> udesc;
     Linked<IDaliLdapConnection> ldapconn;
     unsigned flags;
@@ -1239,13 +1226,10 @@ public:
     {
         running = false;
     }
-    void start(const char *_key,const char *_obj,IUserDescriptor *_udesc,unsigned _flags,const char * _reqSignature, CDateTime & _reqUTCTimestamp)
+    void start(const char *_key,const char *_obj,IUserDescriptor *_udesc,unsigned _flags)
     {
         key.set(_key);
         obj.set(_obj); 
-        reqSignature.set(_reqSignature);
-        if (!_reqUTCTimestamp.isNull())
-            reqUTCTimestamp.set(_reqUTCTimestamp);
 
 #ifdef NULL_DALIUSER_STACKTRACE
         StringBuffer sb;
@@ -1274,7 +1258,7 @@ public:
             if (!running)
                 break;
             try {
-                ret = ldapconn->getPermissions(key,obj,udesc,flags,reqSignature.str(),reqUTCTimestamp);
+                ret = ldapconn->getPermissions(key,obj,udesc,flags);
             }
             catch(IException *e) {
                 LOG(MCoperatorError, unknownJob, e, "CLdapWorkItem"); 
@@ -1747,7 +1731,7 @@ public:
 
     //ISessionManagerServer
     //Dali method to handle permission request
-    virtual SecAccessFlags getPermissionsLDAP(const char *key,const char *obj,IUserDescriptor *udesc,unsigned flags,const char * reqSignature, CDateTime & reqUTCTimestamp, int *err)
+    virtual SecAccessFlags getPermissionsLDAP(const char *key,const char *obj,IUserDescriptor *udesc,unsigned flags, int *err)
     {
         if (err)
             *err = 0;
@@ -1767,7 +1751,7 @@ public:
         }
 #endif
         if ((ldapconn->getLDAPflags()&(DLF_SAFE|DLF_ENABLED))!=(DLF_SAFE|DLF_ENABLED))
-            return ldapconn->getPermissions(key,obj,udesc,flags,reqSignature,reqUTCTimestamp);
+            return ldapconn->getPermissions(key,obj,udesc,flags);
         atomic_inc(&ldapwaiting);
         unsigned retries = 0;
         while (!stopping) {
@@ -1776,7 +1760,7 @@ public:
                 if (!ldapworker)
                     ldapworker.setown(CLdapWorkItem::get(ldapconn,workthreadsem));
                 if (ldapworker) {
-                    ldapworker->start(key,obj,udesc,flags,reqSignature,reqUTCTimestamp);
+                    ldapworker->start(key,obj,udesc,flags);
                     for (unsigned i=0;i<10;i++) {
                         if (i)
                             OWARNLOG("LDAP stalled(%d) - retrying",i);
@@ -1801,7 +1785,7 @@ public:
                             ldapworker.clear();
                             ldapworker.setown(CLdapWorkItem::get(ldapconn,workthreadsem));
                             if (ldapworker)
-                                ldapworker->start(key,obj,udesc,flags,reqSignature,reqUTCTimestamp);
+                                ldapworker->start(key,obj,udesc,flags);
                         }
                     }
                     if (ldapworker)
@@ -2166,7 +2150,6 @@ ISessionManager &querySessionManager()
         assertex(!isCovenActive()||!queryCoven().inCoven()); // Check not Coven server (if occurs - not initialized correctly;
                                                    // If !coven someone is checking for dali so allow
         SessionManager = new CClientSessionManager();
-    
     }
     return *SessionManager;
 }
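Review bot: In the hunk at -986,21 +986,10 the context comment `//Serialize signature. If not provided, compute it` is now stale, because the new code always appends an empty string and a default-constructed `CDateTime`. It should be reworded, for example `//Signature is no longer sent; write empty placeholders so the message layout is unchanged`. The added backwards-compatibility comment could also state which side depends on the placeholders, since a server built before this change will receive an empty signature and take whatever path it has for unsigned requests (not visible in this section). In the -666,15 hunk the handler still deserializes both fields whenever `mb.remaining() > 0`; the `// now ignored` comments would be clearer as one line saying they are consumed only to stay wire-compatible with older clients.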

+ 1 - 1
dali/base/dasess.hpp

@@ -126,7 +126,7 @@ interface ISessionManager: extends IInterface
     virtual StringBuffer &getClientProcessEndpoint(SessionId id,StringBuffer &buf)=0; // for diagnostics
     virtual unsigned queryClientCount() = 0; // for SNMP
 
-    virtual SecAccessFlags getPermissionsLDAP(const char *key,const char *obj,IUserDescriptor *udesc,unsigned auditflags, const char * reqSignature, CDateTime & reqUTCTimestamp, int *err=NULL)=0;
+    virtual SecAccessFlags getPermissionsLDAP(const char *key,const char *obj,IUserDescriptor *udesc,unsigned auditflags, int *err=NULL)=0;
     virtual bool checkScopeScansLDAP()=0;
     virtual unsigned getLDAPflags()=0;
     virtual void setLDAPflags(unsigned flags)=0;

+ 2 - 72
dali/server/daldap.cpp

@@ -126,7 +126,7 @@ public:
     }
 
 
-    SecAccessFlags getPermissions(const char *key,const char *obj,IUserDescriptor *udesc,unsigned auditflags,const char * reqSignature, CDateTime & reqUTCTimestamp)
+    SecAccessFlags getPermissions(const char *key,const char *obj,IUserDescriptor *udesc,unsigned auditflags)
     {
         if (!ldapsecurity||((getLDAPflags()&DLF_ENABLED)==0)) 
             return SecAccess_Full;
@@ -147,80 +147,10 @@ public:
             username.append(filesdefaultuser);
             decrypt(password, filesdefaultpassword);
             OWARNLOG("Missing credentials, injecting deprecated filesdefaultuser");
-            reqSignature = nullptr;
         }
 
         Owned<ISecUser> user = ldapsecurity->createUser(username);
-        user->credentials().setPassword(password);
-
-        //Check that the digital signature provided by the caller (signature of
-        //caller's "scope;username;timeStamp") matches what we expect it to be
-        if (!isEmptyString(reqSignature))
-        {
-            if (nullptr == pDSM)
-                pDSM = queryDigitalSignatureManagerInstanceFromEnv();
-            if (pDSM && pDSM->isDigiVerifierConfigured())
-            {
-                StringBuffer requestTimestamp;
-                reqUTCTimestamp.getString(requestTimestamp, false);//extract timestamp string from Dali request
-
-                CDateTime now;
-                now.setNow();
-                CDateTime daliTime(now);
-                if (requestSignatureAllowedClockVarianceSeconds)//allow for clock variance between machines
-                    daliTime.adjustTimeSecs(requestSignatureAllowedClockVarianceSeconds);
-
-                if (daliTime.compare(reqUTCTimestamp, false) < 0)//timestamp from the future?
-                {
-                    StringBuffer localDaliTimeUTC;
-                    now.getString(localDaliTimeUTC, false);//get UTC timestamp
-                    OERRLOG("LDAP: getPermissions(%s) scope=%s user=%s Request digital signature UTC timestamp %s from the future (Dali UTC time %s)",key?key:"NULL",obj?obj:"NULL",username.str(), requestTimestamp.str(), localDaliTimeUTC.str());
-                    return SecAccess_None;//deny
-                }
-
-                CDateTime expiry(now);
-                expiry.adjustTime(-1 * requestSignatureExpiryMinutes);//compute expiration timestamp
-                if (requestSignatureAllowedClockVarianceSeconds)//allow for clock variance between machines
-                    expiry.adjustTimeSecs(-1 * requestSignatureAllowedClockVarianceSeconds);
-
-                if (reqUTCTimestamp.compare(expiry, false) < 0)//timestamp too far in the past?
-                {
-                    StringBuffer localDaliTimeUTC;
-                    now.getString(localDaliTimeUTC, false);//get UTC timestamp
-                    OERRLOG("LDAP: getPermissions(%s) scope=%s user=%s Expired request digital signature UTC timestamp %s (Dali UTC time %s, configured expiry %d minutes)",key?key:"NULL",obj?obj:"NULL",username.str(), requestTimestamp.str(), localDaliTimeUTC.str(), requestSignatureExpiryMinutes);
-                    return SecAccess_None;//deny
-                }
-
-                VStringBuffer expectedStr("%s;%s;%s", obj, username.str(), requestTimestamp.str());
-                StringBuffer b64Signature(reqSignature);// signature of scope;user;timestamp
-
-                if (!pDSM->digiVerify(b64Signature, expectedStr))//does the digital signature match what we expect?
-                {
-                    OERRLOG("LDAP: getPermissions(%s) scope=%s user=%s fails digital signature verification",key?key:"NULL",obj?obj:"NULL",username.str());
-                    return SecAccess_None;//deny
-                }
-
-                //Mark user as authenticated. The call below to authenticateUser
-                //will add this user to the LDAP cache
-                user->setAuthenticateStatus(AS_AUTHENTICATED);
-            }
-            else
-                OERRLOG("LDAP: getPermissions(%s) scope=%s user=%s Dali received signed request, however Dali is not configured to verify digital signatures",key?key:"NULL",obj?obj:"NULL",username.str());
-        }
-
-        if (!isEmptyString(user->credentials().getPassword()) && !isWorkunitDAToken(user->credentials().getPassword()))
-        {
-            if (!ldapsecurity->authenticateUser(*user, NULL))
-            {
-                const char * extra = "";
-                if (isEmptyString(reqSignature))
-                    extra = " (Password or Dali Signature not provided)";
-                OERRLOG("LDAP: getPermissions(%s) scope=%s user=%s fails LDAP authentication%s",key?key:"NULL",obj?obj:"NULL",username.str(), extra);
-                return SecAccess_None;//deny
-            }
-        }
-        else
-            user->setAuthenticateStatus(AS_AUTHENTICATED);
+        user->setAuthenticateStatus(AS_AUTHENTICATED);
 
         bool filescope = stricmp(key,"Scope")==0;
         bool wuscope = stricmp(key,"workunit")==0;
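Review bot: In the -147,80 +147,10 hunk, getPermissions now calls `user->setAuthenticateStatus(AS_AUTHENTICATED)` for every request, so the username taken from the IUserDescriptor is trusted at Dali with no password or signature check. The commit title calls the removed checks redundant, which presumably means callers authenticate the user upstream; that trust boundary should be documented at this line, e.g. `// Dali does not authenticate here: callers must already have authenticated udesc, and access to Dali must be limited to trusted components`. The `password` local is still populated, including by `decrypt(password, filesdefaultpassword)`, but the visible lines no longer pass it to `user->credentials()`. Unless it is used further down, outside the hunk, it can be removed so a decrypted secret is not held in memory for no purpose. The function body starts and ends outside the hunk.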

+ 1 - 1
dali/server/daldap.hpp

@@ -26,7 +26,7 @@ interface IUserDescriptor;
 
 interface IDaliLdapConnection: extends IInterface
 {
-    virtual SecAccessFlags getPermissions(const char *key,const char *obj,IUserDescriptor *udesc,unsigned auditflags,const char * reqSignature, CDateTime & reqUTCTimestamp)=0;
+    virtual SecAccessFlags getPermissions(const char *key,const char *obj,IUserDescriptor *udesc,unsigned auditflags)=0;
     virtual bool checkScopeScans() = 0;
     virtual unsigned getLDAPflags() = 0;
     virtual void setLDAPflags(unsigned flags) = 0;

+ 1 - 6
plugins/workunitservices/workunitservices.cpp

@@ -219,12 +219,7 @@ static bool checkScopeAuthorized(IUserDescriptor *user, const char *scopename)
     SecAccessFlags perm = SecAccess_Full;
     if (scopename && *scopename)
     {
-        //Create signature
-        CDateTime now;
-        StringBuffer b64sig;
-        createDaliSignature(scopename, user, now, b64sig);
-
-        perm = querySessionManager().getPermissionsLDAP("workunit",scopename,user,auditflags, b64sig.str(), now);
+        perm = querySessionManager().getPermissionsLDAP("workunit",scopename,user,auditflags);
         if (perm<0)
         {
             if (perm == SecAccess_Unavailable)