
HPCC-13832 Add description and owner to LDAP Group creation

As requested by InfoSec in preparation to the RISK Migration, we need to add
group "description" and "owner" to group entries. This PR adds those fields
to the GroupAdd interface, and also retrieves them via the GroupInfo struct
(where needed)

Signed-off-by: Russ Whitehead <william.whitehead@lexisnexis.com>
Russ Whitehead hai 10 anos
2dcb344155

+ 5 - 1
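--- a/esp/scm/ws_access.ecm
+++ b/esp/scm/ws_access.ecm
@@ -26,6 +26,8 @@ ESPstruct GroupInfo
 {
     string name;
     bool deletable;
+    [min_ver("1.09")] string groupOwner;
+    [min_ver("1.09")] string groupDesc;
 };
 
 ESPstruct AccountPermission
@@ -261,6 +263,8 @@ ESPresponse GroupResponse
 ESPrequest GroupAddRequest
 {
     string groupname;
+    [min_ver("1.09")] string groupOwner;
+    [min_ver("1.09")] string groupDesc;
 };
 
 ESPresponse GroupAddResponse
@@ -691,7 +695,7 @@ ESPresponse [nil_remove] UserAccountExportResponse
 };
 
 
-ESPservice [version("1.08"), exceptions_inline("./smc_xslt/exceptions.xslt")] ws_access
+ESPservice [version("1.09"), exceptions_inline("./smc_xslt/exceptions.xslt")] ws_access
 {
     ESPmethod [client_xslt("/esp/xslt/access_users.xslt")] Users(UserRequest, UserResponse);
     ESPmethod [client_xslt("/esp/xslt/access_useredit.xslt")] UserEdit(UserEditRequest, UserEditResponse);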
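Review bot: GroupAddRequest gains groupOwner and groupDesc without saying what groupOwner must contain, yet in the ldapconnection.cpp hunks of this commit it is written straight into the group's managedBy attribute, which is DN-valued in Active Directory, so a caller sending a plain account name will get a directory-side syntax error rather than a validation message. I'd put that contract on the field: `// groupOwner: DN of the owning account, stored in the group's managedBy attribute; groupDesc: free text stored in description`. The same comment belongs on the GroupInfo fields, which are filled from those attributes and come back empty when the directory entry has no value.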

+ 35 - 6
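--- a/esp/services/ws_access/ws_accessService.cpp
+++ b/esp/services/ws_access/ws_accessService.cpp
@@ -532,7 +532,9 @@ bool Cws_accessEx::onUserGroupEditInput(IEspContext &context, IEspUserGroupEditI
         }
 
         StringArray groupnames;
-        ldapsecmgr->getAllGroups(groupnames);
+        StringArray managedBy;
+        StringArray descriptions;
+        ldapsecmgr->getAllGroups(groupnames, managedBy, descriptions);
         IArrayOf<IEspGroupInfo> groups;
         for(i = 0; i < groupnames.length(); i++)
         {
@@ -543,6 +545,8 @@ bool Cws_accessEx::onUserGroupEditInput(IEspContext &context, IEspUserGroupEditI
             {
                 Owned<IEspGroupInfo> onegrp = createGroupInfo();
                 onegrp->setName(grpname);
+                onegrp->setGroupDesc(descriptions.item(i));
+                onegrp->setGroupOwner(managedBy.item(i));
                 groups.append(*onegrp.getLink());
             }
         }
@@ -632,11 +636,13 @@ bool Cws_accessEx::onGroups(IEspContext &context, IEspGroupRequest &req, IEspGro
         checkUser(context);
 
         StringArray groupnames;
+        StringArray groupManagedBy;
+        StringArray groupDescriptions;
         ISecManager* secmgr = context.querySecManager();
         if(secmgr == NULL)
             throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
 
-        secmgr->getAllGroups(groupnames);
+        secmgr->getAllGroups(groupnames, groupManagedBy, groupDescriptions);
         ///groupnames.append("Administrators");
         ///groupnames.append("Full_Access_TestingOnly");
         //groupnames.kill();
@@ -651,6 +657,8 @@ bool Cws_accessEx::onGroups(IEspContext &context, IEspGroupRequest &req, IEspGro
                     continue;
                 Owned<IEspGroupInfo> onegrp = createGroupInfo();
                 onegrp->setName(grpname);
+                onegrp->setGroupDesc(groupDescriptions.item(i));
+                onegrp->setGroupOwner(groupManagedBy.item(i));
                 groups.append(*onegrp.getLink());
             }
 
@@ -821,9 +829,18 @@ bool Cws_accessEx::onGroupAdd(IEspContext &context, IEspGroupAddRequest &req, IE
 
         resp.setGroupname(groupname);
 
+        double version = context.getClientVersion();
+        const char * groupDesc = NULL;
+        const char * groupOwner = NULL;
+        if (version >= 1.09)
+        {
+            groupDesc = req.getGroupDesc();
+            groupOwner = req.getGroupOwner();
+        }
+
         try
         {
-            secmgr->addGroup(groupname);
+            secmgr->addGroup(groupname, groupOwner, groupDesc);
         }
         catch(IException* e)
         {
@@ -1932,7 +1949,9 @@ bool Cws_accessEx::onPermissionsResetInput(IEspContext &context, IEspPermissions
             groups.append(*onegrp.getLink());
         }
         StringArray grpnames;
-        secmgr->getAllGroups(grpnames);
+        StringArray managedBy;
+        StringArray descriptions;
+        secmgr->getAllGroups(grpnames, managedBy, descriptions);
         for(unsigned i = 0; i < grpnames.length(); i++)
         {
             const char* grpname = grpnames.item(i);
@@ -1940,6 +1959,8 @@ bool Cws_accessEx::onPermissionsResetInput(IEspContext &context, IEspPermissions
                 continue;
             Owned<IEspGroupInfo> onegrp = createGroupInfo();
             onegrp->setName(grpname);
+            onegrp->setGroupDesc(descriptions.item(i));
+            onegrp->setGroupOwner(managedBy.item(i));
             groups.append(*onegrp.getLink());
         }
 
@@ -2343,7 +2364,9 @@ bool Cws_accessEx::permissionAddInputOnResource(IEspContext &context, IEspPermis
         groups.append(*onegrp.getLink());
     }
     StringArray grpnames;
-    secmgr->getAllGroups(grpnames);
+    StringArray managedBy;
+    StringArray descriptions;
+    secmgr->getAllGroups(grpnames, managedBy, descriptions);
     for(unsigned i = 0; i < grpnames.length(); i++)
     {
         const char* grpname = grpnames.item(i);
@@ -2351,6 +2374,8 @@ bool Cws_accessEx::permissionAddInputOnResource(IEspContext &context, IEspPermis
             continue;
         Owned<IEspGroupInfo> onegrp = createGroupInfo();
         onegrp->setName(grpname);
+        onegrp->setGroupDesc(descriptions.item(i));
+        onegrp->setGroupOwner(managedBy.item(i));
         groups.append(*onegrp.getLink());
     }
 
@@ -3415,7 +3440,9 @@ bool Cws_accessEx::onFilePermission(IEspContext &context, IEspFilePermissionRequ
 
         //Get all groups for input form
         StringArray groupnames;
-        secmgr->getAllGroups(groupnames);
+        StringArray managedBy;
+        StringArray descriptions;
+        secmgr->getAllGroups(groupnames, managedBy, descriptions);
         ///groupnames.append("Authenticated Users");
         ///groupnames.append("Administrators");
         if (groupnames.length() > 0)
@@ -3428,6 +3455,8 @@ bool Cws_accessEx::onFilePermission(IEspContext &context, IEspFilePermissionRequ
                     continue;
                 Owned<IEspGroupInfo> onegrp = createGroupInfo();
                 onegrp->setName(grpname);
+                onegrp->setGroupDesc(descriptions.item(i));
+                onegrp->setGroupOwner(managedBy.item(i));
                 groups.append(*onegrp.getLink());
             }
 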
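Review bot: In the onGroupAdd hunk, groupOwner and groupDesc go from the request straight into secmgr->addGroup with no check at all, while groupname (validated earlier, outside this hunk) is the only field this handler inspects; both values are then written verbatim into the directory by the ldapconnection.cpp change, so an empty or malformed owner value surfaces as an LDAP error from the add rather than a clear response to the caller. If the ESP getters return "" for a field the client did not send (I cannot tell from this hunk), the empty string is passed on as if it were a value; normalising it here, `if (groupOwner && !*groupOwner) groupOwner = NULL;` and the same for groupDesc, keeps the version-1.09 path consistent with the NULLs an older client gets. A second, shared point for onUserGroupEditInput, onGroups, onPermissionsResetInput, permissionAddInputOnResource and onFilePermission: each now indexes managedBy/descriptions with the groupnames index i, which is only safe if every getAllGroups implementation appends to all three arrays in lock-step, and nothing at these call sites checks the lengths match. A one-line comment at the first such call, `// managedBy/descriptions are parallel to groupnames (one entry per group)`, at least records the assumption the loops rely on.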

+ 42 - 12
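--- a/system/security/LdapSecurity/ldapconnection.cpp
+++ b/system/security/LdapSecurity/ldapconnection.cpp
@@ -1132,7 +1132,7 @@ public:
             }
             try
             {
-                addGroup("Directory Administrators", m_ldapconfig->getBasedn());
+                addGroup("Directory Administrators", NULL, NULL, m_ldapconfig->getBasedn());
             }
             catch(...)
             {
@@ -3056,16 +3056,22 @@ public:
         return true;
     }
 
-    virtual void getAllGroups(StringArray & groups)
+    virtual void getAllGroups(StringArray & groups, StringArray & managedBy, StringArray & descriptions)
     {
         if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
         {
             groups.append("Authenticated Users");
+            managedBy.append("");
+            descriptions.append("");
             groups.append("Administrators");
+            managedBy.append("");
+            descriptions.append("");
         }
         else
         {
             groups.append("Directory Administrators");
+            managedBy.append("");
+            descriptions.append("");
         }
 
         char        *attribute;
@@ -3082,8 +3088,7 @@ public:
 
         Owned<ILdapConnection> lconn = m_connections->getConnection();
         LDAP* ld = ((CLdapConnection*)lconn.get())->getLd();
-
-        char        *attrs[] = {"cn", NULL};
+        char *attrs[] = {"cn", "managedBy", "description", NULL};
         CLDAPMessage searchResult;
         int rc = ldap_search_ext_s(ld, (char*)m_ldapconfig->getGroupBasedn(), LDAP_SCOPE_SUBTREE, (char*)filter.str(), attrs, 0, NULL, NULL, &timeOut, LDAP_NO_LIMIT,   &searchResult.msg );
 
@@ -3101,12 +3106,19 @@ public:
                   attribute != NULL;
                   attribute = atts.getNext())
             {
+                CLDAPGetValuesWrapper vals(ld, message, attribute);
+                if (!vals.hasValues())
+                    continue;
                 if(stricmp(attribute, "cn") == 0)
                 {
-                    CLDAPGetValuesWrapper vals(ld, message, attribute);
-                    if (vals.hasValues())
-                        groups.append(vals.queryValues()[0]);
+                    groups.append(vals.queryValues()[0]);
+                    managedBy.append("");
+                    descriptions.append("");
                 }
+                else if(stricmp(attribute, "managedBy") == 0)
+                    managedBy.replace(vals.queryValues()[0], groups.length() - 1);
+                else if(stricmp(attribute, "description") == 0)
+                    descriptions.replace(vals.queryValues()[0], groups.length() - 1);
             }
         }
     }
@@ -3288,7 +3300,9 @@ public:
         else
         {
             StringArray allgroups;
-            getAllGroups(allgroups);
+            StringArray allgroupManagedBy;
+            StringArray allgroupDescription;
+            getAllGroups(allgroups, allgroupManagedBy, allgroupDescription);
             for(unsigned i = 0; i < allgroups.length(); i++)
             {
                 const char* grp = allgroups.item(i);
@@ -3352,15 +3366,15 @@ public:
         return true;
     }
 
-    virtual void addGroup(const char* groupname)
+    virtual void addGroup(const char* groupname, const char * groupOwner, const char * groupDesc)
     {
         if(groupname == NULL || *groupname == '\0')
             throw MakeStringException(-1, "Can't add group, groupname is empty");
 
-        addGroup(groupname, m_ldapconfig->getGroupBasedn());
+        addGroup(groupname, groupOwner, groupDesc, m_ldapconfig->getGroupBasedn());
     }
 
-    virtual void addGroup(const char* groupname, const char* basedn)
+    virtual void addGroup(const char* groupname, const char * groupOwner, const char * groupDesc, const char* basedn)
     {
         if(groupname == NULL || *groupname == '\0')
             return;
@@ -3413,11 +3427,27 @@ public:
             member_values
         };
 
-        LDAPMod *attrs[5];
+        char *owner_values[] = {(char*)groupOwner, NULL};
+        LDAPMod owner_attr =
+        {
+            LDAP_MOD_ADD,
+            "managedBy",
+            owner_values
+        };
+        char *desc_values[] = {(char*)groupDesc, NULL};
+        LDAPMod desc_attr =
+        {
+            LDAP_MOD_ADD,
+            "description",
+            desc_values
+        };
+        LDAPMod *attrs[6];
         int ind = 0;
         
         attrs[ind++] = &cn_attr;
         attrs[ind++] = &oc_attr;
+        attrs[ind++] = &owner_attr;
+        attrs[ind++] = &desc_attr;
         attrs[ind] = NULL;
 
         Owned<ILdapConnection> lconn = m_connections->getConnection();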
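Review bot: In the last hunk, owner_attr and desc_attr are pushed into attrs unconditionally, so when groupOwner or groupDesc is NULL the add request carries an attribute whose value list is empty ({NULL}); an AddRequest attribute needs at least one value, so the directory rejects the whole add, and this commit's own call in the first hunk, `addGroup("Directory Administrators", NULL, NULL, ...)`, plus every pre-1.09 client of onGroupAdd, hits exactly that path. Only include the modifications that carry a value: `if (groupOwner && *groupOwner) attrs[ind++] = &owner_attr;` and `if (groupDesc && *groupDesc) attrs[ind++] = &desc_attr;` (attrs[6] still has room). Separately, managedBy is an Active Directory attribute; if the non-AD server type's group object class does not define it, the add will fail with an object-class violation even with a value, so the owner modification may need to be gated on getServerType() as well, which I cannot confirm from here. In the getAllGroups hunk the replace-at-index logic assumes the server returns cn before managedBy and description within each entry and that every entry has a cn; an entry whose cn is skipped by the new `continue` still writes its managedBy/description into the previous group's slot, so I would collect the three values in locals inside the attribute loop and append all three after it. The enclosing functions of both hunks start and end outside the visible lines.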

+ 2 - 2
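--- a/system/security/LdapSecurity/ldapconnection.hpp
+++ b/system/security/LdapSecurity/ldapconnection.hpp
@@ -162,7 +162,7 @@ interface ILdapClient : extends IInterface
     virtual void setPermissionProcessor(IPermissionProcessor* pp) = 0;
     virtual bool retrieveUsers(IUserArray& users) = 0;
     virtual bool retrieveUsers(const char* searchstr, IUserArray& users) = 0;
-    virtual void getAllGroups(StringArray & groups) = 0;
+    virtual void getAllGroups(StringArray & groups, StringArray & managedBy, StringArray & descriptions) = 0;
     virtual void setResourceBasedn(const char* rbasedn, SecResourceType rtype = RT_DEFAULT) = 0;
     virtual ILdapConfig* getLdapConfig() = 0;
     virtual bool userInGroup(const char* userdn, const char* groupdn) = 0;
@@ -175,7 +175,7 @@ interface ILdapClient : extends IInterface
     virtual bool changePermission(CPermissionAction& action) = 0;
     virtual void changeUserGroup(const char* action, const char* username, const char* groupname) = 0;
     virtual bool deleteUser(ISecUser* user) = 0;
-    virtual void addGroup(const char* groupname) = 0;
+    virtual void addGroup(const char* groupname, const char * groupOwner, const char * groupDesc) = 0;
     virtual void deleteGroup(const char* groupname) = 0;
     virtual void getGroupMembers(const char* groupname, StringArray & users) = 0;
     virtual void deleteResource(SecResourceType rtype, const char* name, const char* basedn) = 0;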

+ 4 - 4
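--- a/system/security/LdapSecurity/ldapsecurity.cpp
+++ b/system/security/LdapSecurity/ldapsecurity.cpp
@@ -1124,9 +1124,9 @@ bool CLdapSecManager::updateUserPassword(const char* username, const char* newPa
     return m_ldap_client->updateUserPassword(username, newPassword);
 }
 
-void CLdapSecManager::getAllGroups(StringArray & groups)
+void CLdapSecManager::getAllGroups(StringArray & groups, StringArray & managedBy, StringArray & descriptions)
 {
-    m_ldap_client->getAllGroups(groups);
+    m_ldap_client->getAllGroups(groups, managedBy, descriptions);
 }
 
 bool CLdapSecManager::getPermissionsArray(const char* basedn, SecResourceType rtype, const char* name, IArrayOf<CPermission>& permissions)
@@ -1134,9 +1134,9 @@ bool CLdapSecManager::getPermissionsArray(const char* basedn, SecResourceType rt
     return m_ldap_client->getPermissionsArray(basedn, rtype, name, permissions);
 }
 
-void CLdapSecManager::addGroup(const char* groupname)
+void CLdapSecManager::addGroup(const char* groupname, const char * groupOwner, const char * groupDesc)
 {
-    m_ldap_client->addGroup(groupname);
+    m_ldap_client->addGroup(groupname, groupOwner, groupDesc);
 }
 
 void CLdapSecManager::deleteGroup(const char* groupname)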

+ 2 - 2
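--- a/system/security/LdapSecurity/ldapsecurity.ipp
+++ b/system/security/LdapSecurity/ldapsecurity.ipp
@@ -387,12 +387,12 @@ public:
     virtual void cacheSwitch(SecResourceType rtype, bool on);
 
     virtual bool getPermissionsArray(const char* basedn, SecResourceType rtype, const char* name, IArrayOf<CPermission>& permissions);
-    virtual void getAllGroups(StringArray & groups);
+    virtual void getAllGroups(StringArray & groups, StringArray & managedBy, StringArray & descriptions);
     virtual void getGroups(const char* username, StringArray & groups);
     virtual bool changePermission(CPermissionAction& action);
     virtual void changeUserGroup(const char* action, const char* username, const char* groupname);
     virtual bool deleteUser(ISecUser* user);
-    virtual void addGroup(const char* groupname);
+    virtual void addGroup(const char* groupname, const char * groupOwner, const char * groupDesc);
     virtual void deleteGroup(const char* groupname);
     virtual void getGroupMembers(const char* groupname, StringArray & users);
     virtual void deleteResource(SecResourceType rtype, const char * name, const char * basedn);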

+ 1 - 1
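--- a/system/security/shared/basesecurity.hpp
+++ b/system/security/shared/basesecurity.hpp
@@ -244,7 +244,7 @@ public:
 
     virtual bool updateUserPassword(ISecUser& user, const char* newPassword, const char* currPassword = NULL);
     virtual bool IsPasswordExpired(ISecUser& user){return false;}
-    void getAllGroups(StringArray & groups) { UNIMPLEMENTED;}
+    void getAllGroups(StringArray & groups, StringArray & managedBy, StringArray & descriptions) { UNIMPLEMENTED;}
     
     virtual void deleteResource(SecResourceType rtype, const char * name, const char * basedn)
     {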

+ 1 - 1
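--- a/system/security/shared/seclib.hpp
+++ b/system/security/shared/seclib.hpp
@@ -289,7 +289,7 @@ interface ISecManager : extends IInterface
     virtual ISecUser * findUser(const char * username) = 0;
     virtual ISecUser * lookupUser(unsigned uid) = 0;
     virtual ISecUserIterator * getAllUsers() = 0;
-    virtual void getAllGroups(StringArray & groups) = 0;
+    virtual void getAllGroups(StringArray & groups, StringArray & managedBy, StringArray & descriptions ) = 0;
     virtual bool updateUserPassword(ISecUser & user, const char * newPassword, const char* currPassword = 0) = 0;
     virtual bool initUser(ISecUser & user) = 0;
     virtual void setExtraParam(const char * name, const char * value) = 0;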
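Review bot: The new getAllGroups signature on ISecManager says nothing about how the three arrays relate, and every caller in this commit indexes managedBy and descriptions with the groups index, so the contract should be stated on the interface: `// managedBy and descriptions are parallel to groups: exactly one entry per group, "" where the directory has no value`. Changing a pure-virtual member of the public ISecManager interface also breaks any implementer outside this commit (only basesecurity.hpp and the LDAP manager are updated here); if other security managers exist in the tree, they need the same change or a default-argument overload to keep compiling, which I cannot verify from this page.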