
HPCC-11231 Add FileScopeAccess control to access file scope permissions

FileScopeAccess is added to WsAccess, which allows an authenticated
user to control File Scope access.

Also add code to check permission before allowing a user to access
Enable/disable scope scan and Clear Permission Cache.

Signed-off-by: Kevin Wang kevin.wang@lexisnexis.com
Kevin Wang 11 years ago
commit
5aeffe01c6

+ 2 - 2
esp/eclwatch/ws_XSLT/access_permissionresetinput.xslt

@@ -303,8 +303,8 @@
         <input type="hidden" name="rtitle" value="{rtitle}"/>
         <input type="hidden" name="prefix" value="{prefix}"/>
         <input type="hidden" name="BasednName" value="{BasednName}"/>
-        <input type="hidden" name="userarray" value=""/>
-        <input type="hidden" name="grouparray" value=""/>
+        <input type="hidden" id="userarray" name="userarray" value=""/>
+        <input type="hidden" id="grouparray" name="grouparray" value=""/>
 
         <h3>Permission Reset</h3>
         <div>

+ 55 - 14
esp/services/ws_access/ws_accessService.cpp

@@ -28,21 +28,31 @@
 #define MSG_SEC_MANAGER_IS_NULL "Security manager is not found. Please check if the system authentication is set up correctly"
 #define MSG_SEC_MANAGER_ISNT_LDAP "LDAP Security manager is required for this feature. Please enable LDAP in the system configuration"
 
+#define FILE_SCOPE_URL "FileScopeAccess"
+#define FILE_SCOPE_RTYPE "file"
+#define FILE_SCOPE_RTITLE "FileScope"
+
 #define MAX_USERS_DISPLAY 400
 #define MAX_RESOURCES_DISPLAY 3000
 static const long MAXXLSTRANSFER = 5000000;
 
-void checkUser(IEspContext& context)
+void checkUser(IEspContext& context, const char* rtype = NULL, const char* rtitle = NULL, unsigned int SecAccessFlags = SecAccess_Full)
 {
     CLdapSecManager* secmgr = dynamic_cast<CLdapSecManager*>(context.querySecManager());
     if(secmgr == NULL)
         throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
 
+    if (rtype && rtitle && strieq(rtype, FILE_SCOPE_RTYPE) && strieq(rtitle, FILE_SCOPE_RTITLE))
+    {
+        if (!context.validateFeatureAccess(FILE_SCOPE_URL, SecAccessFlags, false))
+            throw MakeStringException(ECLWATCH_DFU_WU_ACCESS_DENIED, "Access to File Scope is denied.");
+        return;
+    }
+
     if(!secmgr->isSuperUser(context.queryUser()))
         throw MakeStringException(ECLWATCH_ADMIN_ACCESS_DENIED, "Access denied, administrators only.");
 }
 
-
 void Cws_accessEx::init(IPropertyTree *cfg, const char *process, const char *service)
 {
     if(cfg == NULL)
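Review bot: The file-scope branch in checkUser is selected by `rtype` and `rtitle`, which every updated handler passes straight from the request (`req.getRtype()`, `req.getRtitle()`), and once it is taken the `isSuperUser` check is skipped. Nothing visible in this hunk ties those two strings to the `basedn` or resource name the handler then acts on, and `rtitle` looks like a display label rather than an identifier, so the FileScopeAccess decision may not describe the subtree that is actually modified. I would key the branch on `rtype` alone and have the file-scope handlers (the onResourceAddInput, onResourceAdd, onResourceDelete, onResourcePermissions, onPermissionAddInput, onPermissionsResetInput, onPermissionsReset and onPermissionAction hunks below) take the base DN from configuration rather than from `req.getBasedn()`. The denial also reuses `ECLWATCH_DFU_WU_ACCESS_DENIED`, which will read as a DFU workunit failure in logs; a ws_access-specific code would keep audit trails clearer.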
@@ -108,9 +118,9 @@ void Cws_accessEx::init(IPropertyTree *cfg, const char *process, const char *ser
         Owned<IEspDnStruct> onedn = createDnStruct();
         onedn->setBasedn(files_basedn);
         onedn->setName("File Scopes");
-        onedn->setRtype("file");
+        onedn->setRtype(FILE_SCOPE_RTYPE);
         m_rawbasedns.append(*onedn.getLink());
-        onedn->setRtitle("FileScope");
+        onedn->setRtitle(FILE_SCOPE_RTITLE);
     }
 
     StringBuffer workunits_basedn;
@@ -1310,11 +1320,27 @@ bool Cws_accessEx::onPermissions(IEspContext &context, IEspBasednsRequest &req,
     return true;
 }
 
+const char* Cws_accessEx::getBaseDN(IEspContext &context, const char* rtype, StringBuffer& baseDN)
+{
+    if(!m_basedns.length())
+        setBasedns(context);
+    ForEachItemIn(y, m_basedns)
+    {
+        IEspDnStruct* curbasedn = &(m_basedns.item(y));
+        if(strieq(curbasedn->getRtype(), rtype))
+        {
+            baseDN.set(curbasedn->getBasedn());
+            return baseDN.str();
+        }
+    }
+    return NULL;
+}
+
 bool Cws_accessEx::onResources(IEspContext &context, IEspResourcesRequest &req, IEspResourcesResponse &resp)
 {
     try
     {
-        checkUser(context);
+        checkUser(context, req.getRtype(), req.getRtitle(), SecAccess_Read);
 
         CLdapSecManager* secmgr = queryLDAPSecurityManager(context);
         if(secmgr == NULL)
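Review bot: getBaseDN has no header comment and hands both `rtype` and `curbasedn->getRtype()` to `strieq` without a null guard; the one caller visible in this commit checks `rtypestr` first, but the helper is a class member that later callers may use directly, and whether `strieq` tolerates NULL is not visible here. I would add `if (!rtype || !*rtype) return NULL;` at the top and a comment such as `// Copies the first configured base DN whose rtype matches into baseDN and returns it; NULL when none matches.` The lazy `setBasedns(context)` call also fills `m_basedns` from a request path, so it is worth confirming that member is safe to populate when handlers run concurrently.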
@@ -1324,6 +1350,15 @@ bool Cws_accessEx::onResources(IEspContext &context, IEspResourcesRequest &req,
         const char* filterInput = req.getSearchinput();
         const char* basedn = req.getBasedn();
         const char* rtypestr = req.getRtype();
+        if (!rtypestr || !*rtypestr)
+            throw MakeStringException(ECLWATCH_INVALID_INPUT, "Rtype not specified");
+        StringBuffer baseDN;
+        if (!basedn || !*basedn)
+        {
+            basedn = getBaseDN(context, rtypestr, baseDN);
+            if (!basedn || !*basedn)
+                throw MakeStringException(ECLWATCH_INVALID_INPUT, "BaseDN not found");
+        }
 
         const char* moduletemplate = NULL;
         ForEachItemIn(x, m_basedns)
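Review bot: A non-empty `req.getBasedn()` skips the new lookup entirely, so on the FileScopeAccess path the base DN used below is still whatever the request carried, even though checkUser no longer requires a superuser there. For `rtype` equal to `FILE_SCOPE_RTYPE` the supplied value should be compared with the configured one and rejected on mismatch, as sketched below. The comparison is a plain case-insensitive string match, which fails closed for equivalent DNs written differently; if several base DNs can legitimately share this rtype, compare against that set instead. onResources continues outside this hunk, so later uses of `basedn` were not checked.
```cpp
StringBuffer baseDN;
const char* configuredDN = getBaseDN(context, rtypestr, baseDN);
if (!basedn || !*basedn)
    basedn = configuredDN;
else if (strieq(rtypestr, FILE_SCOPE_RTYPE) && (!configuredDN || !strieq(basedn, configuredDN)))
    throw MakeStringException(ECLWATCH_INVALID_INPUT, "BaseDN does not match Rtype");
if (!basedn || !*basedn)
    throw MakeStringException(ECLWATCH_INVALID_INPUT, "BaseDN not found");
// … unchanged: moduletemplate lookup over m_basedns …
```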
@@ -1473,7 +1508,7 @@ bool Cws_accessEx::onResourceAddInput(IEspContext &context, IEspResourceAddInput
 {
     try
     {
-        checkUser(context);
+        checkUser(context, req.getRtype(), req.getRtitle(), SecAccess_Full);
 
         resp.setBasedn(req.getBasedn());
         resp.setRtype(req.getRtype());
@@ -1508,7 +1543,7 @@ bool Cws_accessEx::onResourceAdd(IEspContext &context, IEspResourceAddRequest &r
 {
     try
     {
-        checkUser(context);
+        checkUser(context, req.getRtype(), req.getRtitle(), SecAccess_Full);
 
         ISecManager* secmgr = context.querySecManager();
 
@@ -1615,7 +1650,7 @@ bool Cws_accessEx::onResourceDelete(IEspContext &context, IEspResourceDeleteRequ
 {
     try
     {
-        checkUser(context);
+        checkUser(context, req.getRtype(), req.getRtitle(), SecAccess_Full);
 
         CLdapSecManager* secmgr = (CLdapSecManager*)(context.querySecManager());
 
@@ -1709,7 +1744,7 @@ bool Cws_accessEx::onResourcePermissions(IEspContext &context, IEspResourcePermi
 {
     try
     {
-        checkUser(context);
+        checkUser(context, req.getRtype(), req.getRtitle(), SecAccess_Read);
 
         ISecManager* secmgr = context.querySecManager();
 
@@ -1795,7 +1830,7 @@ bool Cws_accessEx::onPermissionAddInput(IEspContext &context, IEspPermissionAddR
 {
     try
     {
-        checkUser(context);
+        checkUser(context, req.getRtype(), req.getRtitle(), SecAccess_Full);
 
         resp.setBasedn(req.getBasedn());
         resp.setRname(req.getRname());
@@ -1833,7 +1868,7 @@ bool Cws_accessEx::onPermissionsResetInput(IEspContext &context, IEspPermissions
 {
     try
     {
-        checkUser(context);
+        checkUser(context, req.getRtype(), req.getRtitle(), SecAccess_Full);
 
         resp.setBasedn(req.getBasedn());
         //resp.setRname(req.getRname());
@@ -1919,6 +1954,8 @@ bool Cws_accessEx::onPermissionsResetInput(IEspContext &context, IEspPermissions
 
 bool Cws_accessEx::onClearPermissionsCache(IEspContext &context, IEspClearPermissionsCacheRequest &req, IEspClearPermissionsCacheResponse &resp)
 {
+    checkUser(context);
+
     ISecManager* secmgr = context.querySecManager();
     if(secmgr == NULL)
         throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
@@ -1965,6 +2002,8 @@ bool Cws_accessEx::onQueryScopeScansEnabled(IEspContext &context, IEspQueryScope
 
 bool Cws_accessEx::onEnableScopeScans(IEspContext &context, IEspEnableScopeScansRequest &req, IEspEnableScopeScansResponse &resp)
 {
+    checkUser(context, FILE_SCOPE_RTYPE, FILE_SCOPE_RTITLE, SecAccess_Full);
+
     StringBuffer retMsg;
     int rc = enableDisableScopeScans(context, true, retMsg);
     resp.updateScopeScansStatus().setIsEnabled(rc == 0);
@@ -1975,6 +2014,8 @@ bool Cws_accessEx::onEnableScopeScans(IEspContext &context, IEspEnableScopeScans
 
 bool Cws_accessEx::onDisableScopeScans(IEspContext &context, IEspDisableScopeScansRequest &req, IEspDisableScopeScansResponse &resp)
 {
+    checkUser(context, FILE_SCOPE_RTYPE, FILE_SCOPE_RTITLE, SecAccess_Full);
+
     StringBuffer retMsg;
     int rc = enableDisableScopeScans(context, false, retMsg);
     resp.updateScopeScansStatus().setIsEnabled(rc != 0);
@@ -2050,7 +2091,7 @@ bool Cws_accessEx::onPermissionsReset(IEspContext &context, IEspPermissionsReset
 {
     try
     {
-        checkUser(context);
+        checkUser(context, req.getRtype(), req.getRtitle(), SecAccess_Full);
 
         resp.setBasedn(req.getBasedn());
         resp.setRname(req.getRname());
@@ -2418,7 +2459,7 @@ bool Cws_accessEx::onPermissionAction(IEspContext &context, IEspPermissionAction
 {
     try
     {
-        checkUser(context);
+        checkUser(context, req.getRtype(), req.getRtitle(), SecAccess_Full);
 
         resp.setBasedn(req.getBasedn());
         resp.setRname(req.getRname());
@@ -3337,7 +3378,7 @@ bool Cws_accessEx::onFilePermission(IEspContext &context, IEspFilePermissionRequ
                 throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
         }
 
-        checkUser(context);
+        checkUser(context, FILE_SCOPE_RTYPE, FILE_SCOPE_RTITLE, SecAccess_Read);
 
         //Get all users for input form
         int numusers = secmgr->countUsers("", MAX_USERS_DISPLAY);
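Review bot: Lowering this check from superuser to FileScopeAccess read also lowers the bar for the `secmgr->countUsers` call and the user list the following comment describes (`//Get all users for input form`), so any account holding read on FileScopeAccess can presumably see the directory's user names. If that is intended, say so next to the call, e.g. `// FileScopeAccess read is sufficient here; this exposes the user list to non-administrators`; if not, keep the listing behind the superuser check. The function begins and continues outside this hunk, so the rest of what it returns could not be checked.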

+ 2 - 0
esp/services/ws_access/ws_accessService.hpp

@@ -53,6 +53,7 @@ public:
             ensureNavLink(*folder, "Users", "/ws_access/Users", "Users");
             ensureNavLink(*folder, "Groups", "/ws_access/Groups", "Groups");
             ensureNavLink(*folder, "Permissions", "/ws_access/Permissions", "Permissions");
+            ensureNavLink(*folder, "FileScopes", "/ws_access/Resources?rtype=file&rtitle=FileScope", "FileScopes");
         }
     }
 
@@ -67,6 +68,7 @@ class Cws_accessEx : public Cws_access
     SecResourceType str2type(const char* rtstr);
 
     void setBasedns(IEspContext &context);
+    const char* getBaseDN(IEspContext &context, const char* rtype, StringBuffer& baseDN);
     bool permissionAddInputOnResource(IEspContext &context, IEspPermissionAddRequest &req, IEspPermissionAddResponse &resp);
     bool permissionAddInputOnAccount(IEspContext &context, const char* accountName, IEspPermissionAddRequest &req, IEspPermissionAddResponse &resp);
     bool getNewFileScopePermissions(ISecManager* secmgr, IEspResourceAddRequest &req, StringBuffer& existingResource, StringArray& newResources);

+ 4 - 0
initfiles/componentfiles/configxml/buildsetCC.xml.in

@@ -165,6 +165,10 @@
                           path="FileIOAccess"
                           resource="FileIOAccess"
                           service="ws_fileio"/>
+     <AuthenticateFeature description="Access to permissions for file scopes"
+                          path="FileScopeAccess"
+                          resource="FileScopeAccess"
+                          service="ws_access"/>
      <AuthenticateFeature description="Access to WS ECL service"
                           path="WsEclAccess"
                           resource="WsEclAccess"
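Review bot: The new FileScopeAccess feature replaces the superuser requirement for file-scope permission management, yet the entry carries only a generic description, and environments generated before this change will not contain it at all. It is worth confirming that `validateFeatureAccess` denies when the feature is missing from the environment or not provisioned in LDAP, and documenting the delegation next to the entry, e.g. `<!-- FileScopeAccess: lets non-administrators manage file-scope permissions in ws_access; grant to a restricted group only -->`. The same applies to the three matching entries added in environment.xml.in.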

+ 13 - 0
initfiles/etc/DIR_NAME/environment.xml.in

@@ -167,6 +167,10 @@
                           path="FileIOAccess"
                           resource="FileIOAccess"
                           service="ws_fileio"/>
+     <AuthenticateFeature description="Access to permissions for file scopes"
+                          path="FileScopeAccess"
+                          resource="FileScopeAccess"
+                          service="ws_access"/>
      <AuthenticateFeature description="Access to WS ECL service"
                           path="WsEclAccess"
                           resource="WsEclAccess"
@@ -535,6 +539,11 @@
                          resource="FileIOAccess"
                          service="ws_fileio"/>
     <AuthenticateFeature authenticate="Yes"
+                         description="Access to permissions for file scopes"
+                         path="FileScopeAccess"
+                         resource="FileScopeAccess"
+                         service="ws_access"/>
+    <AuthenticateFeature authenticate="Yes"
                          description="Access to WS ECL service"
                          path="WsEclAccess"
                          resource="WsEclAccess"
@@ -695,6 +704,10 @@
                          path="FileIOAccess"
                          resource="FileIOAccess"
                          service="ws_fileio"/>
+    <AuthenticateFeature description="Access to permissions for file scopes"
+                         path="FileScopeAccess"
+                         resource="FileScopeAccess"
+                         service="ws_access"/>
     <AuthenticateFeature description="Access to WS ECL service"
                          path="WsEclAccess"
                          resource="WsEclAccess"