ws_accessService.cpp 143 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112211321142115211621172118211921202121212221232124212521262127212821292130213121322133213421352136213721382139214021412142214321442145214621472148214921502151215221532154215521562157215821592160216121622163216421652166216721682169217021712172217321742175217621772178217921802181218221832184218521862187218821892190219121922193219421952196219721982199220022012202220322042205220622072208220922102211221222132214221522162217221822192220222122222223222422252226222722282229223022312232223322342235223622372238223922402241224222432244224522462247224822492250225122522253225422552256225722582259226022612262226322642265226622672268226922702271227222732274227522762277227822792280228122822283228422852286228722882289229022912292229322942295229622972298229923002301230223032304230523062307230823092310231123122313231423152316231723182319232023212322232323242325232623272328232923302331233223332334233523362337233823392340234123422343234423452346234723482349235023512352235323542355235623572358235923602361236223632364236523662367236823692370237123722373237423752376237723782379238023812382238323842385238623872388238923902391239223932394239523962397239823992400240124022403240424052406240724082409241024112412241324142415241624172418241924202421242224232424242524262427242824292430243124322433243424352436243724382439244024412442244324442445244624472448244924502451245224532454245524562457245824592460246124622463246424652466246724682469247024712472247324742475247624772478247924802481248224832484248524862487248824892490249124922493249424952496249724982499250025012502250325042505250625072508250925102511251225132514251525162517251825192520252125222523252425252526252725282529253025312532253325342535253625372538253925402541254225432544254525462547254825492550255125522553255425552556255725582559256025612562256325642565256625672568256925702571257225732574257525762577257825792580258125822583258425852586258725882589259025912592259325942595259625972598259926002601260226032604260526062607260826092610261126122613261426152616261726182619262026212622262326242625262626272628262926302631263226332634263526362637263826392640264126422643264426452646264726482649265026512652265326542655265626572658265926602661266226632664266526662667266826692670267126722673267426752676267726782679268026812682268326842685268626872688268926902691269226932694269526962697269826992700270127022703270427052706270727082709271027112712271327142715271627172718271927202721272227232724272527262727272827292730273127322733273427352736273727382739274027412742274327442745274627472748274927502751275227532754275527562757275827592760276127622763276427652766276727682769277027712772277327742775277627772778277927802781278227832784278527862787278827892790279127922793279427952796279727982799280028012802280328042805280628072808280928102811281228132814281528162817281828192820282128222823282428252826282728282829283028312832283328342835283628372838283928402841284228432844284528462847284828492850285128522853285428552856285728582859286028612862286328642865286628672868286928702871287228732874287528762877287828792880288128822883288428852886288728882889289028912892289328942895289628972898289929002901290229032904290529062907290829092910291129122913291429152916291729182919292029212922292329242925292629272928292929302931293229332934293529362937293829392940294129422943294429452946294729482949295029512952295329542955295629572958295929602961296229632964296529662967296829692970297129722973297429752976297729782979298029812982298329842985298629872988298929902991299229932994299529962997299829993000300130023003300430053006300730083009301030113012301330143015301630173018301930203021302230233024302530263027302830293030303130323033303430353036303730383039304030413042304330443045304630473048304930503051305230533054305530563057305830593060306130623063306430653066306730683069307030713072307330743075307630773078307930803081308230833084308530863087308830893090309130923093309430953096309730983099310031013102310331043105310631073108310931103111311231133114311531163117311831193120312131223123312431253126312731283129313031313132313331343135313631373138313931403141314231433144314531463147314831493150315131523153315431553156315731583159316031613162316331643165316631673168316931703171317231733174317531763177317831793180318131823183318431853186318731883189319031913192319331943195319631973198319932003201320232033204320532063207320832093210321132123213321432153216321732183219322032213222322332243225322632273228322932303231323232333234323532363237323832393240324132423243324432453246324732483249325032513252325332543255325632573258325932603261326232633264326532663267326832693270327132723273327432753276327732783279328032813282328332843285328632873288328932903291329232933294329532963297329832993300330133023303330433053306330733083309331033113312331333143315331633173318331933203321332233233324332533263327332833293330333133323333333433353336333733383339334033413342334333443345334633473348334933503351335233533354335533563357335833593360336133623363336433653366336733683369337033713372337333743375337633773378337933803381338233833384338533863387338833893390339133923393339433953396339733983399340034013402340334043405340634073408340934103411341234133414341534163417341834193420342134223423342434253426342734283429343034313432343334343435343634373438343934403441344234433444344534463447344834493450345134523453345434553456345734583459346034613462346334643465346634673468346934703471347234733474347534763477347834793480348134823483348434853486348734883489349034913492349334943495349634973498349935003501350235033504350535063507350835093510351135123513351435153516351735183519352035213522352335243525352635273528352935303531353235333534353535363537353835393540354135423543354435453546354735483549355035513552355335543555355635573558355935603561356235633564356535663567356835693570357135723573357435753576357735783579358035813582358335843585358635873588358935903591359235933594359535963597359835993600360136023603360436053606360736083609361036113612361336143615361636173618361936203621362236233624362536263627362836293630363136323633363436353636363736383639364036413642364336443645364636473648364936503651365236533654365536563657365836593660366136623663366436653666366736683669367036713672367336743675367636773678367936803681368236833684368536863687368836893690369136923693369436953696369736983699370037013702370337043705370637073708370937103711371237133714371537163717371837193720372137223723372437253726372737283729373037313732373337343735373637373738373937403741374237433744374537463747374837493750375137523753375437553756375737583759376037613762376337643765376637673768376937703771377237733774377537763777377837793780378137823783378437853786378737883789379037913792379337943795379637973798379938003801380238033804380538063807380838093810381138123813381438153816381738183819382038213822382338243825382638273828382938303831383238333834383538363837383838393840384138423843384438453846384738483849385038513852385338543855385638573858385938603861386238633864386538663867386838693870387138723873387438753876387738783879388038813882388338843885388638873888388938903891389238933894389538963897389838993900390139023903390439053906390739083909391039113912391339143915391639173918391939203921392239233924392539263927392839293930393139323933393439353936393739383939394039413942394339443945394639473948394939503951395239533954395539563957395839593960396139623963396439653966396739683969397039713972397339743975397639773978397939803981398239833984398539863987398839893990399139923993399439953996399739983999400040014002400340044005400640074008400940104011401240134014401540164017401840194020402140224023402440254026402740284029403040314032403340344035403640374038403940404041404240434044404540464047404840494050405140524053405440554056405740584059406040614062406340644065406640674068406940704071407240734074407540764077407840794080408140824083408440854086408740884089409040914092409340944095409640974098409941004101410241034104410541064107410841094110411141124113411441154116411741184119412041214122412341244125412641274128412941304131413241334134413541364137413841394140414141424143414441454146414741484149415041514152
  1. /*##############################################################################
  2. HPCC SYSTEMS software Copyright (C) 2012 HPCC Systems®.
  3. Licensed under the Apache License, Version 2.0 (the "License");
  4. you may not use this file except in compliance with the License.
  5. You may obtain a copy of the License at
  6. http://www.apache.org/licenses/LICENSE-2.0
  7. Unless required by applicable law or agreed to in writing, software
  8. distributed under the License is distributed on an "AS IS" BASIS,
  9. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  10. See the License for the specific language governing permissions and
  11. limitations under the License.
  12. ############################################################################## */
  13. #pragma warning (disable : 4786)
  14. #include <stdlib.h>
  15. #include "ws_accessService.hpp"
  16. #include "exception_util.hpp"
  17. #include "dasess.hpp"
  18. #include <set>
  19. #define MSG_SEC_MANAGER_IS_NULL "Security manager is not found. Please check if the system authentication is set up correctly"
  20. #define MSG_SEC_MANAGER_ISNT_LDAP "LDAP Security manager is required for this feature. Please enable LDAP in the system configuration"
  21. #define FILE_SCOPE_URL "FileScopeAccess"
  22. #define FILE_SCOPE_RTYPE "file"
  23. #define FILE_SCOPE_RTITLE "FileScope"
  24. #define MAX_USERS_DISPLAY 400
  25. #define MAX_RESOURCES_DISPLAY 3000
  26. static const long MAXXLSTRANSFER = 5000000;
  27. void checkUser(IEspContext& context, const char* rtype = NULL, const char* rtitle = NULL, unsigned int SecAccessFlags = SecAccess_Full)
  28. {
  29. CLdapSecManager* secmgr = dynamic_cast<CLdapSecManager*>(context.querySecManager());
  30. if(secmgr == NULL)
  31. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
  32. if (rtype && rtitle && strieq(rtype, FILE_SCOPE_RTYPE) && strieq(rtitle, FILE_SCOPE_RTITLE))
  33. {
  34. if (!context.validateFeatureAccess(FILE_SCOPE_URL, SecAccessFlags, false))
  35. throw MakeStringException(ECLWATCH_DFU_WU_ACCESS_DENIED, "Access to File Scope is denied.");
  36. return;
  37. }
  38. if(!secmgr->isSuperUser(context.queryUser()))
  39. throw MakeStringException(ECLWATCH_ADMIN_ACCESS_DENIED, "Access denied, administrators only.");
  40. }
  41. void Cws_accessEx::init(IPropertyTree *cfg, const char *process, const char *service)
  42. {
  43. if(cfg == NULL)
  44. throw MakeStringException(-1, "can't initialize Cws_accessEx, cfg is NULL");
  45. StringBuffer xpath;
  46. xpath.appendf("Software/EspProcess[@name=\"%s\"]/EspService[@name=\"%s\"]", process, service);
  47. IPropertyTree* servicecfg = cfg->getPropTree(xpath.str());
  48. if(servicecfg == NULL)
  49. {
  50. WARNLOG(-1, "config not found for service %s/%s",process, service);
  51. return;
  52. }
  53. m_servicecfg.setown(servicecfg);
  54. /* Config is like -
  55. <Modules basedn="ou=le,ou=ecl,dc=le">
  56. <Eclserver name="eclserver" basedn="ou=le,ou=ecl,dc=le" templateName="repository.newmoduletemplate"/>
  57. </Modules>
  58. <Files basedn="ou=Files,ou=ecl"/>
  59. <Resources>
  60. <Binding name="EspBinding" service="espsmc" port="8010" basedn="ou=SMC,ou=EspServices,ou=ecl" workunitsBasedn="ou=workunits,ou=ecl"/>
  61. </Resources>
  62. */
  63. Owned<IPropertyTreeIterator> eclservers = m_servicecfg->getElements("Modules/Eclserver");
  64. for (eclservers->first(); eclservers->isValid(); eclservers->next())
  65. {
  66. const char *templatename = eclservers->query().queryProp("@templateName");
  67. const char* basedn = eclservers->query().queryProp("@basedn");
  68. if(basedn && *basedn)
  69. {
  70. StringBuffer name, head;
  71. const char* eclservername = eclservers->query().queryProp("@name");
  72. name.append("Repository Modules for ").append(eclservername);
  73. Owned<IEspDnStruct> onedn = createDnStruct();
  74. onedn->setBasedn(basedn);
  75. onedn->setName(name.str());
  76. onedn->setRtype("module");
  77. onedn->setRtitle("Module");
  78. if(templatename != NULL)
  79. {
  80. onedn->setTemplatename(templatename);
  81. }
  82. m_rawbasedns.append(*onedn.getLink());
  83. }
  84. }
  85. const char* modules_basedn = m_servicecfg->queryProp("Modules/@basedn");
  86. if(modules_basedn && *modules_basedn)
  87. {
  88. Owned<IEspDnStruct> onedn = createDnStruct();
  89. onedn->setBasedn(modules_basedn);
  90. onedn->setName("Repository Modules");
  91. onedn->setRtype("module");
  92. onedn->setRtitle("Module");
  93. m_rawbasedns.append(*onedn.getLink());
  94. }
  95. const char* files_basedn = m_servicecfg->queryProp("Files/@basedn");
  96. if(files_basedn && *files_basedn)
  97. {
  98. Owned<IEspDnStruct> onedn = createDnStruct();
  99. onedn->setBasedn(files_basedn);
  100. onedn->setName("File Scopes");
  101. onedn->setRtype(FILE_SCOPE_RTYPE);
  102. m_rawbasedns.append(*onedn.getLink());
  103. onedn->setRtitle(FILE_SCOPE_RTITLE);
  104. }
  105. StringBuffer workunits_basedn;
  106. Owned<IPropertyTreeIterator> bindings = m_servicecfg->getElements("Resources/Binding");
  107. for (bindings->first(); bindings->isValid(); bindings->next())
  108. {
  109. const char *service = bindings->query().queryProp("@service");
  110. const char* basedn = bindings->query().queryProp("@basedn");
  111. if(workunits_basedn.length() == 0)
  112. {
  113. const char* wubasedn = bindings->query().queryProp("@workunitsBasedn");
  114. if(wubasedn != NULL)
  115. workunits_basedn.append(wubasedn);
  116. }
  117. if(basedn && *basedn)
  118. {
  119. StringBuffer name, head;
  120. name.append("Esp Features for ");
  121. const char* bptr = basedn;
  122. while(*bptr != '\0' && *bptr != '=')
  123. bptr++;
  124. if(*bptr != '\0')
  125. bptr++;
  126. const char* colon = strstr(bptr, ",");
  127. if(colon == NULL)
  128. head.append(bptr);
  129. else
  130. head.append(colon - bptr, bptr);
  131. if(stricmp(head.str(), "WsAttributesAccess") == 0)
  132. continue;
  133. Owned<IEspDnStruct> onedn = createDnStruct();
  134. onedn->setBasedn(basedn);
  135. name.append(head.str());
  136. onedn->setName(name.str());
  137. onedn->setRtype("service");
  138. head.append(" Feature");
  139. onedn->setRtitle(head.str());
  140. m_rawbasedns.append(*onedn.getLink());
  141. }
  142. }
  143. if(workunits_basedn.length() > 0)
  144. {
  145. Owned<IEspDnStruct> onedn = createDnStruct();
  146. onedn->setBasedn(workunits_basedn.str());
  147. onedn->setName("Workunit Scopes");
  148. onedn->setRtype("workunit");
  149. onedn->setRtitle("WorkunitScope");
  150. m_rawbasedns.append(*onedn.getLink());
  151. }
  152. }
  153. CLdapSecManager* Cws_accessEx::queryLDAPSecurityManager(IEspContext &context)
  154. {
  155. ISecManager* secMgr = context.querySecManager();
  156. if(secMgr && secMgr->querySecMgrType() != SMT_LDAP)
  157. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_ISNT_LDAP);
  158. return dynamic_cast<CLdapSecManager*>(secMgr);
  159. }
  160. void Cws_accessEx::setBasedns(IEspContext &context)
  161. {
  162. CLdapSecManager* secmgr = (CLdapSecManager*)(context.querySecManager());
  163. if(secmgr == NULL)
  164. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
  165. set<string> alreadythere;
  166. ForEachItemInRev(x, m_rawbasedns)
  167. {
  168. IEspDnStruct* basedn = &(m_rawbasedns.popGet());
  169. const char* tname = basedn->getTemplatename();
  170. StringBuffer nbasedn;
  171. secmgr->normalizeDn(basedn->getBasedn(), nbasedn);
  172. if(alreadythere.find(nbasedn.str()) == alreadythere.end())
  173. {
  174. alreadythere.insert(nbasedn.str());
  175. Owned<IEspDnStruct> onedn = createDnStruct();
  176. onedn->setBasedn(nbasedn.str());
  177. onedn->setName(basedn->getName());
  178. onedn->setRtype(basedn->getRtype());
  179. onedn->setRtitle(basedn->getRtitle());
  180. if(tname != NULL && *tname != '\0')
  181. onedn->setTemplatename(tname);
  182. m_basedns.append(*onedn.getLink());
  183. }
  184. else
  185. {
  186. ForEachItemIn(y, m_basedns)
  187. {
  188. IEspDnStruct* curbasedn = &(m_basedns.item(y));
  189. if(stricmp(curbasedn->getBasedn(), nbasedn.str()) == 0)
  190. {
  191. const char* curtname = curbasedn->getTemplatename();
  192. if((curtname == NULL || *curtname == '\0') && (tname != NULL && *tname != '\0'))
  193. curbasedn->setTemplatename(tname);
  194. break;
  195. }
  196. }
  197. }
  198. }
  199. return;
  200. }
  201. bool Cws_accessEx::getNewFileScopePermissions(ISecManager* secmgr, IEspResourceAddRequest &req, StringBuffer& existingResource, StringArray& newResources)
  202. {
  203. if (!secmgr)
  204. return false;
  205. const char* name0 = req.getName();
  206. if (!name0 || !*name0)
  207. return false;
  208. char* pStr0 = (char*) name0;
  209. while (pStr0[0] == ':') //in case of some ':' by mistake
  210. pStr0++;
  211. if (pStr0[0] == 0)
  212. return false;
  213. StringBuffer lastFileScope;
  214. char* pStr = strstr(pStr0, "::");
  215. while (pStr)
  216. {
  217. char fileScope[10240];
  218. strncpy(fileScope, pStr0, pStr-pStr0);
  219. fileScope[pStr-pStr0] = 0;
  220. if (lastFileScope.length() < 1)
  221. lastFileScope.append(fileScope);
  222. else
  223. lastFileScope.appendf("::%s", fileScope);
  224. newResources.append(lastFileScope.str());
  225. pStr0 = pStr+2;
  226. while (pStr0[0] == ':') //in case of more than two ':' by mistake
  227. pStr0++;
  228. if (pStr0[0] == 0)
  229. break;
  230. pStr = strstr(pStr0, "::");
  231. }
  232. if (pStr0[0] != 0)
  233. {
  234. if (lastFileScope.length() < 1)
  235. lastFileScope.append(pStr0);
  236. else
  237. lastFileScope.appendf("::%s", pStr0);
  238. newResources.append(lastFileScope.str());
  239. }
  240. CLdapSecManager* ldapsecmgr = (CLdapSecManager*)secmgr;
  241. while (newResources.ordinality())
  242. {
  243. StringBuffer namebuf = newResources.item(0);
  244. try
  245. {
  246. IArrayOf<CPermission> permissions;
  247. ldapsecmgr->getPermissionsArray(req.getBasedn(), str2type(req.getRtype()), namebuf.str(), permissions);
  248. if (!permissions.ordinality())
  249. {
  250. break;
  251. }
  252. }
  253. catch(IException* e) //exception may be thrown when no permission for the resource
  254. {
  255. e->Release();
  256. break;
  257. }
  258. existingResource.clear().append(namebuf);
  259. newResources.remove(0);
  260. }
  261. return true;
  262. }
  263. bool Cws_accessEx::setNewFileScopePermissions(ISecManager* secmgr, IEspResourceAddRequest &req, StringBuffer& existingResource, StringArray& newResources)
  264. {
  265. if (!secmgr || !newResources.ordinality())
  266. {
  267. return false;
  268. }
  269. const char* basedn = req.getBasedn();
  270. if (!basedn || !*basedn)
  271. {
  272. return false;
  273. }
  274. StringBuffer basednBuf;
  275. basednBuf.append(basedn);
  276. if (existingResource.length() < 1)
  277. {
  278. existingResource.append("files");
  279. const char* comma = strchr(basedn, ',');
  280. const char* eqsign = strchr(basedn, '=');
  281. if(eqsign && comma && (strlen(comma) > 1))
  282. {
  283. basednBuf.clear().append(comma + 1);
  284. }
  285. }
  286. IArrayOf<CPermission> requiredPermissions;
  287. CLdapSecManager* ldapsecmgr = (CLdapSecManager*)secmgr;
  288. ldapsecmgr->getPermissionsArray(basednBuf, str2type(req.getRtype()), existingResource.str(), requiredPermissions);
  289. if (!requiredPermissions.ordinality())
  290. {
  291. return false;
  292. }
  293. ForEachItemIn(x, requiredPermissions)
  294. {
  295. CPermission& perm = requiredPermissions.item(x);
  296. int accType = perm.getAccount_type(); //0-individual, 1 - group
  297. const char* actname = perm.getAccount_name();
  298. if (!actname || !*actname)
  299. continue;
  300. CPermissionAction paction;
  301. paction.m_basedn.append(req.getBasedn());
  302. paction.m_rtype = str2type(req.getRtype());
  303. paction.m_account_type = (ACT_TYPE)accType;
  304. paction.m_account_name.append(actname);
  305. paction.m_allows = perm.getAllows();
  306. paction.m_denies = perm.getDenies();
  307. if ((accType != GROUP_ACT) || ((stricmp(actname, "Administrators") != 0) && (stricmp(actname, "Authenticated Users") != 0)))
  308. {
  309. paction.m_action.append("add");
  310. }
  311. else
  312. {
  313. paction.m_action.append("update");
  314. }
  315. ForEachItemIn(y, newResources)
  316. {
  317. StringBuffer namebuf = newResources.item(y);
  318. paction.m_rname.clear().append(namebuf.str());
  319. ldapsecmgr->changePermission(paction);
  320. }
  321. }
  322. return true;
  323. }
  324. bool Cws_accessEx::onUsers(IEspContext &context, IEspUserRequest &req, IEspUserResponse &resp)
  325. {
  326. try
  327. {
  328. CLdapSecManager* secmgr = queryLDAPSecurityManager(context);
  329. double version = context.getClientVersion();
  330. if (version > 1.03)
  331. {
  332. if(secmgr == NULL)
  333. {
  334. resp.setNoSecMngr(true);
  335. return true;
  336. }
  337. }
  338. else
  339. {
  340. if(secmgr == NULL)
  341. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
  342. }
  343. checkUser(context);
  344. const char* searchstr = req.getSearchinput();
  345. int numusers = secmgr->countUsers(searchstr, MAX_USERS_DISPLAY);
  346. if(numusers == -1)
  347. {
  348. resp.setToomany(true);
  349. return true;
  350. }
  351. resp.setToomany(false);
  352. /*
  353. LdapServerType servertype = secmgr->getLdapServerType();
  354. if(servertype != ACTIVE_DIRECTORY)
  355. resp.setPosixok(true);
  356. else
  357. resp.setPosixok(false);
  358. */
  359. resp.setPosixok(false);
  360. IArrayOf<IEspUserInfo> espusers;
  361. IUserArray users;
  362. secmgr->searchUsers(searchstr, users);
  363. ForEachItemIn(x, users)
  364. {
  365. ISecUser* usr = &users.item(x);
  366. if(usr)
  367. {
  368. Owned<IEspUserInfo> oneusr = createUserInfo();
  369. oneusr->setUsername(usr->getName());
  370. oneusr->setFullname(usr->getFullName());
  371. double version = context.getClientVersion();
  372. if (version >= 1.07)
  373. {
  374. StringBuffer sb;
  375. switch (usr->getPasswordDaysRemaining())//-1 if expired, -2 if never expires
  376. {
  377. case scPasswordExpired:
  378. sb.set("Expired");
  379. break;
  380. case scPasswordNeverExpires:
  381. sb.set("Never");
  382. break;
  383. default:
  384. {
  385. CDateTime dt;
  386. usr->getPasswordExpiration(dt);
  387. dt.getDateString(sb);
  388. break;
  389. }
  390. }
  391. oneusr->setPasswordexpiration(sb.str());
  392. }
  393. espusers.append(*oneusr.getLink());
  394. }
  395. }
  396. resp.setUsers(espusers);
  397. }
  398. catch(IException* e)
  399. {
  400. FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
  401. }
  402. return true;
  403. }
  404. bool Cws_accessEx::onUserQuery(IEspContext &context, IEspUserQueryRequest &req, IEspUserQueryResponse &resp)
  405. {
  406. try
  407. {
  408. CLdapSecManager* secmgr = queryLDAPSecurityManager(context);
  409. if(!secmgr)
  410. {
  411. resp.setNoSecMngr(true);
  412. return true;
  413. }
  414. checkUser(context);
  415. __int64 pageStartFrom = 0;
  416. unsigned pageSize = 100;
  417. if (!req.getPageSize_isNull())
  418. pageSize = req.getPageSize();
  419. if (!req.getPageStartFrom_isNull())
  420. pageStartFrom = req.getPageStartFrom();
  421. UserField sortOrder[2] = {UFName, UFterm};
  422. CUserSortBy sortBy = req.getSortBy();
  423. switch (sortBy)
  424. {
  425. case CUserSortBy_FullName:
  426. sortOrder[0] = UFFullName;
  427. break;
  428. case CUserSortBy_PasswordExpiration:
  429. sortOrder[0] = UFPasswordExpiration;
  430. break;
  431. default:
  432. break;
  433. }
  434. sortOrder[0] = (UserField) (sortOrder[0] | UFnocase);
  435. bool descending = req.getDescending();
  436. if (descending)
  437. sortOrder[0] = (UserField) (sortOrder[0] | UFreverse);
  438. unsigned total;
  439. __int64 cacheHint;
  440. IArrayOf<IEspUserInfo> espUsers;
  441. Owned<ISecItemIterator> it = secmgr->getUsersSorted(req.getName(), sortOrder, (const __int64) pageStartFrom, (const unsigned) pageSize, &total, &cacheHint);
  442. ForEach(*it)
  443. {
  444. IPropertyTree& usr = it->query();
  445. const char* userName = usr.queryProp(getUserFieldNames(UFName));
  446. if (!userName || !*userName)
  447. continue;
  448. Owned<IEspUserInfo> userInfo = createUserInfo();
  449. userInfo->setUsername(userName);
  450. const char* fullName = usr.queryProp(getUserFieldNames(UFFullName));
  451. if (fullName && *fullName)
  452. userInfo->setFullname(fullName);
  453. const char* passwordExpiration = usr.queryProp(getUserFieldNames(UFPasswordExpiration));
  454. if (passwordExpiration && *passwordExpiration)
  455. userInfo->setPasswordexpiration(passwordExpiration);
  456. espUsers.append(*userInfo.getClear());
  457. }
  458. resp.setUsers(espUsers);
  459. resp.setTotalUsers(total);
  460. resp.setCacheHint(cacheHint);
  461. }
  462. catch(IException* e)
  463. {
  464. FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
  465. }
  466. return true;
  467. }
  468. bool Cws_accessEx::onUserEdit(IEspContext &context, IEspUserEditRequest &req, IEspUserEditResponse &resp)
  469. {
  470. try
  471. {
  472. checkUser(context);
  473. ISecManager* secmgr = context.querySecManager();
  474. if(secmgr == NULL)
  475. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
  476. CLdapSecManager* ldapsecmgr = (CLdapSecManager*)secmgr;
  477. resp.setUsername(req.getUsername());
  478. StringArray groupnames;
  479. ldapsecmgr->getGroups(req.getUsername(), groupnames);
  480. IArrayOf<IEspGroupInfo> groups;
  481. for(unsigned i = 0; i < groupnames.length(); i++)
  482. {
  483. const char* grpname = groupnames.item(i);
  484. if(grpname == NULL || grpname[0] == '\0')
  485. continue;
  486. Owned<IEspGroupInfo> onegrp = createGroupInfo();
  487. onegrp->setName(grpname);
  488. groups.append(*onegrp.getLink());
  489. }
  490. resp.setGroups(groups);
  491. }
  492. catch(IException* e)
  493. {
  494. FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
  495. }
  496. return true;
  497. }
  498. bool Cws_accessEx::onUserGroupEditInput(IEspContext &context, IEspUserGroupEditInputRequest &req, IEspUserGroupEditInputResponse &resp)
  499. {
  500. try
  501. {
  502. checkUser(context);
  503. ISecManager* secmgr = context.querySecManager();
  504. if(secmgr == NULL)
  505. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
  506. CLdapSecManager* ldapsecmgr = (CLdapSecManager*)secmgr;
  507. resp.setUsername(req.getUsername());
  508. set<string> ogrps;
  509. ogrps.insert("Authenticated Users");
  510. StringArray grps;
  511. ldapsecmgr->getGroups(req.getUsername(), grps);
  512. unsigned i = 0;
  513. for(i = 0; i < grps.length(); i++)
  514. {
  515. const char* grp = grps.item(i);
  516. if(grp != NULL && *grp != '\0')
  517. {
  518. ogrps.insert(grp);
  519. }
  520. }
  521. StringArray groupnames;
  522. StringArray managedBy;
  523. StringArray descriptions;
  524. ldapsecmgr->getAllGroups(groupnames, managedBy, descriptions);
  525. IArrayOf<IEspGroupInfo> groups;
  526. for(i = 0; i < groupnames.length(); i++)
  527. {
  528. const char* grpname = groupnames.item(i);
  529. if(grpname == NULL || grpname[0] == '\0')
  530. continue;
  531. if(ogrps.find(grpname) == ogrps.end())
  532. {
  533. Owned<IEspGroupInfo> onegrp = createGroupInfo();
  534. onegrp->setName(grpname);
  535. onegrp->setGroupDesc(descriptions.item(i));
  536. onegrp->setGroupOwner(managedBy.item(i));
  537. groups.append(*onegrp.getLink());
  538. }
  539. }
  540. resp.setGroups(groups);
  541. }
  542. catch(IException* e)
  543. {
  544. FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
  545. }
  546. return true;
  547. }
  548. bool Cws_accessEx::onUserGroupEdit(IEspContext &context, IEspUserGroupEditRequest &req, IEspUserGroupEditResponse &resp)
  549. {
  550. try
  551. {
  552. checkUser(context);
  553. CLdapSecManager* secmgr = (CLdapSecManager*)(context.querySecManager());
  554. if(secmgr == NULL)
  555. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
  556. const char* username = req.getUsername();
  557. if(username == NULL || *username == '\0')
  558. {
  559. resp.setRetcode(-1);
  560. resp.setRetmsg("username can't be empty");
  561. return false;
  562. }
  563. StringArray& groupnames = req.getGroupnames();
  564. try
  565. {
  566. for(unsigned i = 0; i < groupnames.length(); i++)
  567. {
  568. const char* grpname = groupnames.item(i);
  569. if(grpname == NULL || *grpname == '\0')
  570. continue;
  571. secmgr->changeUserGroup(req.getAction(), username, grpname);
  572. }
  573. }
  574. catch(IException* e)
  575. {
  576. StringBuffer errmsg;
  577. e->errorMessage(errmsg);
  578. DBGLOG("error changing user's group membership: %s", errmsg.str());
  579. resp.setRetcode(e->errorCode());
  580. resp.setRetmsg(errmsg.str());
  581. return false;
  582. }
  583. resp.setRetcode(0);
  584. resp.setUsername(username);
  585. resp.setAction(req.getAction());
  586. if(stricmp(req.getAction(), "add") == 0)
  587. resp.setRetmsg("user successfully added to groups");
  588. else
  589. resp.setRetmsg("user successfully deleted from groups");
  590. }
  591. catch(IException* e)
  592. {
  593. FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
  594. }
  595. return true;
  596. }
  597. bool Cws_accessEx::onGroups(IEspContext &context, IEspGroupRequest &req, IEspGroupResponse &resp)
  598. {
  599. try
  600. {
  601. CLdapSecManager* secmgr0 = queryLDAPSecurityManager(context);
  602. double version = context.getClientVersion();
  603. if (version > 1.03)
  604. {
  605. if(secmgr0 == NULL)
  606. {
  607. //throw MakeStringException(-1, "SecManager is NULL, please check if the binding's authentication is set up correctly");
  608. resp.setNoSecMngr(true);
  609. return true;
  610. }
  611. }
  612. checkUser(context);
  613. StringArray groupnames;
  614. StringArray groupManagedBy;
  615. StringArray groupDescriptions;
  616. ISecManager* secmgr = context.querySecManager();
  617. if(secmgr == NULL)
  618. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
  619. secmgr->getAllGroups(groupnames, groupManagedBy, groupDescriptions);
  620. ///groupnames.append("Administrators");
  621. ///groupnames.append("Full_Access_TestingOnly");
  622. //groupnames.kill();
  623. if (groupnames.length() > 0)
  624. {
  625. IArrayOf<IEspGroupInfo> groups;
  626. for(unsigned i = 0; i < groupnames.length(); i++)
  627. {
  628. const char* grpname = groupnames.item(i);
  629. //if(grpname == NULL || grpname[0] == '\0' || stricmp(grpname, "Authenticated Users") == 0)
  630. if(grpname == NULL || grpname[0] == '\0')
  631. continue;
  632. Owned<IEspGroupInfo> onegrp = createGroupInfo();
  633. onegrp->setName(grpname);
  634. onegrp->setGroupDesc(groupDescriptions.item(i));
  635. onegrp->setGroupOwner(groupManagedBy.item(i));
  636. groups.append(*onegrp.getLink());
  637. }
  638. resp.setGroups(groups);
  639. }
  640. /*
  641. IArrayOf<IEspGroupInfo> groups;
  642. Owned<IEspGroupInfo> onegrp = createGroupInfo();
  643. onegrp->setName("grpname");
  644. groups.append(*onegrp.getLink());
  645. resp.setGroups(groups);
  646. */
  647. }
  648. catch(IException* e)
  649. {
  650. FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
  651. }
  652. return true;
  653. }
  654. bool Cws_accessEx::onGroupQuery(IEspContext &context, IEspGroupQueryRequest &req, IEspGroupQueryResponse &resp)
  655. {
  656. try
  657. {
  658. CLdapSecManager* secmgr = queryLDAPSecurityManager(context);
  659. if(!secmgr)
  660. {
  661. resp.setNoSecMngr(true);
  662. return true;
  663. }
  664. checkUser(context);
  665. __int64 pageStartFrom = 0;
  666. unsigned pageSize = 100;
  667. if (!req.getPageSize_isNull())
  668. pageSize = req.getPageSize();
  669. if (!req.getPageStartFrom_isNull())
  670. pageStartFrom = req.getPageStartFrom();
  671. GroupField sortOrder[2] = {GFName, GFterm};
  672. CGroupSortBy sortBy = req.getSortBy();
  673. switch (sortBy)
  674. {
  675. case CGroupSortBy_ManagedBy:
  676. sortOrder[0] = GFManagedBy;
  677. break;
  678. default:
  679. break;
  680. }
  681. sortOrder[0] = (GroupField) (sortOrder[0] | UFnocase);
  682. bool descending = req.getDescending();
  683. if (descending)
  684. sortOrder[0] = (GroupField) (sortOrder[0] | UFreverse);
  685. unsigned total;
  686. __int64 cacheHint;
  687. IArrayOf<IEspGroupInfo> groups;
  688. Owned<ISecItemIterator> it = secmgr->getGroupsSorted(sortOrder, (const __int64) pageStartFrom, (const unsigned) pageSize, &total, &cacheHint);
  689. ForEach(*it)
  690. {
  691. IPropertyTree& g = it->query();
  692. const char* groupName = g.queryProp(getGroupFieldNames(GFName));
  693. if (!groupName || !*groupName)
  694. continue;
  695. Owned<IEspGroupInfo> groupInfo = createGroupInfo();
  696. groupInfo->setName(groupName);
  697. const char* managedBy = g.queryProp(getGroupFieldNames(GFManagedBy));
  698. if (managedBy && *managedBy)
  699. groupInfo->setGroupOwner(managedBy);
  700. const char* desc = g.queryProp(getGroupFieldNames(GFDesc));
  701. if (desc && *desc)
  702. groupInfo->setGroupDesc(desc);
  703. groups.append(*groupInfo.getClear());
  704. }
  705. resp.setGroups(groups);
  706. resp.setTotalGroups(total);
  707. resp.setCacheHint(cacheHint);
  708. }
  709. catch(IException* e)
  710. {
  711. FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
  712. }
  713. return true;
  714. }
  715. bool Cws_accessEx::onAddUser(IEspContext &context, IEspAddUserRequest &req, IEspAddUserResponse &resp)
  716. {
  717. try
  718. {
  719. checkUser(context);
  720. ISecManager* secmgr = context.querySecManager();
  721. if(secmgr == NULL)
  722. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
  723. const char* username = req.getUsername();
  724. if(username == NULL || *username == '\0')
  725. {
  726. resp.setRetcode(-1);
  727. resp.setRetmsg("username can't be empty");
  728. return false;
  729. }
  730. if(strchr(username, ' '))
  731. {
  732. resp.setRetcode(-1);
  733. resp.setRetmsg("Username can't contain spaces");
  734. return false;
  735. }
  736. CLdapSecManager* secmgr0 = (CLdapSecManager*)secmgr;
  737. if((secmgr0->getLdapServerType() == ACTIVE_DIRECTORY) && (strlen(username) > 20))
  738. {
  739. resp.setRetcode(-1);
  740. resp.setRetmsg("Username can't be more than 20 characters.");
  741. return false;
  742. }
  743. const char* pass1 = req.getPassword1();
  744. const char* pass2 = req.getPassword2();
  745. if(pass1 == NULL || pass2 == NULL || *pass1 == '\0' || *pass2 == '\0' || strcmp(pass1, pass2) != 0)
  746. {
  747. resp.setRetcode(-1);
  748. resp.setRetmsg("password and retype can't be empty and must match.");
  749. return false;
  750. }
  751. Owned<ISecUser> user = secmgr->createUser(username);
  752. ISecCredentials& cred = user->credentials();
  753. const char* firstname = req.getFirstname();
  754. const char* lastname = req.getLastname();
  755. if(firstname != NULL)
  756. user->setFirstName(firstname);
  757. if(lastname != NULL)
  758. user->setLastName(lastname);
  759. if(pass1 != NULL)
  760. cred.setPassword(pass1);
  761. try
  762. {
  763. if (user.get())
  764. secmgr->addUser(*user.get());
  765. }
  766. catch(IException* e)
  767. {
  768. resp.setRetcode(-1);
  769. StringBuffer errmsg;
  770. resp.setRetmsg(e->errorMessage(errmsg).str());
  771. return false;
  772. }
  773. resp.setRetcode(0);
  774. resp.setRetmsg("User successfully added");
  775. }
  776. catch(IException* e)
  777. {
  778. FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
  779. }
  780. return true;
  781. }
  782. bool Cws_accessEx::onUserAction(IEspContext &context, IEspUserActionRequest &req, IEspUserActionResponse &resp)
  783. {
  784. try
  785. {
  786. checkUser(context);
  787. CLdapSecManager* secmgr = (CLdapSecManager*)(context.querySecManager());
  788. if(secmgr == NULL)
  789. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
  790. const char* action = req.getActionType();
  791. if (!action || !*action)
  792. throw MakeStringException(ECLWATCH_INVALID_ACTION, "Action not specified.");
  793. if (!stricmp(action, "delete"))
  794. {
  795. StringArray& usernames = req.getUsernames();
  796. for(unsigned i = 0; i < usernames.length(); i++)
  797. {
  798. const char* username = usernames.item(i);
  799. Owned<ISecUser> user = secmgr->createUser(username);
  800. secmgr->deleteUser(user.get());
  801. }
  802. }
  803. else if (!stricmp(action, "export"))
  804. {
  805. StringBuffer users;
  806. StringArray& usernames = req.getUsernames();
  807. for(unsigned i = 0; i < usernames.length(); i++)
  808. {
  809. const char* username = usernames.item(i);
  810. if (i > 0)
  811. users.appendf("&usernames_i%d=%s", i+1, username);
  812. else
  813. users.append(username);
  814. }
  815. resp.setRedirectUrl(StringBuffer("/ws_access/UserAccountExport?usernames_i1=").append(users).str());
  816. }
  817. resp.setAction(action);
  818. }
  819. catch(IException* e)
  820. {
  821. FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
  822. }
  823. return true;
  824. }
  825. bool Cws_accessEx::onGroupAdd(IEspContext &context, IEspGroupAddRequest &req, IEspGroupAddResponse &resp)
  826. {
  827. try
  828. {
  829. checkUser(context);
  830. CLdapSecManager* secmgr = (CLdapSecManager*)(context.querySecManager());
  831. if(secmgr == NULL)
  832. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
  833. const char* groupname = req.getGroupname();
  834. if(groupname == NULL || *groupname == '\0')
  835. {
  836. resp.setRetcode(-1);
  837. resp.setRetmsg("Group name can't be empty");
  838. return false;
  839. }
  840. resp.setGroupname(groupname);
  841. double version = context.getClientVersion();
  842. const char * groupDesc = NULL;
  843. const char * groupOwner = NULL;
  844. if (version >= 1.09)
  845. {
  846. groupDesc = req.getGroupDesc();
  847. groupOwner = req.getGroupOwner();
  848. }
  849. try
  850. {
  851. secmgr->addGroup(groupname, groupOwner, groupDesc);
  852. }
  853. catch(IException* e)
  854. {
  855. StringBuffer emsg;
  856. e->errorMessage(emsg);
  857. resp.setRetcode(e->errorCode());
  858. resp.setRetmsg(emsg.str());
  859. return false;
  860. }
  861. catch(...)
  862. {
  863. resp.setRetcode(-1);
  864. resp.setRetmsg("Unknown error");
  865. return false;
  866. }
  867. resp.setRetcode(0);
  868. }
  869. catch(IException* e)
  870. {
  871. FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
  872. }
  873. return true;
  874. }
  875. bool Cws_accessEx::onGroupAction(IEspContext &context, IEspGroupActionRequest &req, IEspGroupActionResponse &resp)
  876. {
  877. try
  878. {
  879. checkUser(context);
  880. CLdapSecManager* secmgr = queryLDAPSecurityManager(context);
  881. if(secmgr == NULL)
  882. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
  883. const char* action = req.getActionType();
  884. if (!action || !*action)
  885. throw MakeStringException(ECLWATCH_INVALID_ACTION, "Action not specified.");
  886. if (!stricmp(action, "export"))
  887. {
  888. StringBuffer groups;
  889. StringArray& groupnames = req.getGroupnames();
  890. for(unsigned i = 0; i < groupnames.length(); i++)
  891. {
  892. const char* group = groupnames.item(i);
  893. if (i > 0)
  894. groups.appendf("&groupnames_i%d=%s", i+1, group);
  895. else
  896. groups.append(group);
  897. }
  898. resp.setRedirectUrl(StringBuffer("/ws_access/UserAccountExport?groupnames_i1=").append(groups).str());
  899. }
  900. else if (!stricmp(action, "delete"))
  901. {
  902. CLdapSecManager* ldapsecmgr = (CLdapSecManager*)secmgr;
  903. StringArray& groupnames = req.getGroupnames();
  904. IArrayOf<IEspAccountPermission> accountPermissions;
  905. double version = context.getClientVersion();
  906. if (version > 1.01)
  907. {
  908. bool bDeletePermission = false;
  909. if(!req.getDeletePermission_isNull())
  910. bDeletePermission = req.getDeletePermission();
  911. if(m_basedns.length() == 0)
  912. {
  913. setBasedns(context);
  914. }
  915. ForEachItemIn(y, m_basedns)
  916. {
  917. IEspDnStruct* curbasedn = &(m_basedns.item(y));
  918. const char *aBasedn = curbasedn->getBasedn();
  919. const char *aRtype = curbasedn->getRtype();
  920. if (!aBasedn || !*aBasedn ||!aRtype || !*aRtype)
  921. continue;
  922. SecResourceType rtype = str2type(aRtype);
  923. IArrayOf<IEspResource> ResourceArray;
  924. if(rtype == RT_WORKUNIT_SCOPE)
  925. {
  926. StringBuffer deft_basedn, deft_name;
  927. const char* comma = strchr(aBasedn, ',');
  928. const char* eqsign = strchr(aBasedn, '=');
  929. if(eqsign != NULL)
  930. {
  931. if(comma == NULL)
  932. deft_name.append(eqsign+1);
  933. else
  934. {
  935. deft_name.append(comma - eqsign - 1, eqsign+1);
  936. deft_basedn.append(comma + 1);
  937. }
  938. }
  939. if (deft_name.length() > 0)
  940. {
  941. Owned<IEspResource> oneresource = createResource();
  942. oneresource->setName(deft_name);
  943. oneresource->setDescription(deft_basedn);
  944. ResourceArray.append(*oneresource.getLink());
  945. }
  946. }
  947. IArrayOf<ISecResource> resources;
  948. if(secmgr->getResources(rtype, aBasedn, resources))
  949. {
  950. ForEachItemIn(y1, resources)
  951. {
  952. ISecResource& r = resources.item(y1);
  953. const char* rname = r.getName();
  954. if(rname == NULL || *rname == '\0')
  955. continue;
  956. Owned<IEspResource> oneresource = createResource();
  957. oneresource->setName(rname);
  958. oneresource->setDescription(aBasedn);
  959. ResourceArray.append(*oneresource.getLink());
  960. }
  961. }
  962. ForEachItemIn(y2, ResourceArray)
  963. {
  964. IEspResource& r = ResourceArray.item(y2);
  965. const char* rname = r.getName();
  966. const char* bnname = r.getDescription();
  967. if(rname == NULL || *rname == '\0')
  968. continue;
  969. StringBuffer namebuf(rname);
  970. //const char* prefix = req.getPrefix();
  971. //if(prefix && *prefix)
  972. // namebuf.insert(0, prefix);
  973. try
  974. {
  975. IArrayOf<CPermission> permissions;
  976. ldapsecmgr->getPermissionsArray(bnname, rtype, namebuf.str(), permissions);
  977. ForEachItemIn(x, permissions)
  978. {
  979. CPermission& perm = permissions.item(x);
  980. const char* actname = perm.getAccount_name();
  981. int accountType = perm.getAccount_type(); //0-individual, 1 - group
  982. //if ((bGroupAccount && accountType < 1) || (!bGroupAccount && accountType > 0))
  983. if (accountType < 1 || !actname || !*actname) //Support Group only
  984. continue;
  985. ForEachItemIn(x1, groupnames)
  986. {
  987. const char* groupname = groupnames.item(x1);
  988. if (groupname && !strcmp(actname, groupname))
  989. {
  990. ///bDeletePermission = true;
  991. if (!bDeletePermission)
  992. {
  993. Owned<IEspAccountPermission> onepermission = createAccountPermission();
  994. onepermission->setBasedn(bnname);
  995. onepermission->setRType(aRtype);
  996. onepermission->setResourceName(namebuf.str());
  997. onepermission->setPermissionName(groupname);
  998. accountPermissions.append(*onepermission.getLink());
  999. }
  1000. else
  1001. {
  1002. CPermissionAction paction;
  1003. paction.m_basedn.append(bnname);
  1004. paction.m_rtype = rtype;
  1005. paction.m_rname.append(namebuf.str());
  1006. paction.m_account_name.append(actname);
  1007. paction.m_account_type = (ACT_TYPE) accountType;
  1008. paction.m_allows = perm.getAllows();
  1009. paction.m_denies = perm.getDenies();
  1010. paction.m_action.append("delete");
  1011. if(!ldapsecmgr->changePermission(paction))
  1012. {
  1013. resp.setRetcode(-1);
  1014. resp.setRetmsg("Unknown error");
  1015. return false;
  1016. }
  1017. }
  1018. break;
  1019. }
  1020. }
  1021. }
  1022. }
  1023. catch(IException* e)
  1024. {
  1025. e->Release();
  1026. }
  1027. }
  1028. }
  1029. }
  1030. try
  1031. {
  1032. if (accountPermissions.length() < 1)
  1033. {
  1034. ForEachItemIn(x1, groupnames)
  1035. {
  1036. const char* groupname = groupnames.item(x1);
  1037. secmgr->deleteGroup(groupname);
  1038. }
  1039. }
  1040. else
  1041. {
  1042. StringBuffer groupnamestr;
  1043. groupnamestr.append("DeletePermission=1");
  1044. ForEachItemIn(x1, groupnames)
  1045. {
  1046. const char* groupname = groupnames.item(x1);
  1047. groupnamestr.appendf("&groupnames_i%d=%s", x1+1, groupname);
  1048. }
  1049. resp.setPermissions(accountPermissions);
  1050. resp.setGroupnames(groupnamestr.str());
  1051. resp.setRetcode(0);
  1052. }
  1053. }
  1054. catch(IException* e)
  1055. {
  1056. StringBuffer emsg;
  1057. e->errorMessage(emsg);
  1058. resp.setRetcode(e->errorCode());
  1059. resp.setRetmsg(emsg.str());
  1060. return false;
  1061. }
  1062. catch(...)
  1063. {
  1064. resp.setRetcode(-1);
  1065. resp.setRetmsg("Unknown error");
  1066. return false;
  1067. }
  1068. }
  1069. resp.setRetcode(0);
  1070. }
  1071. catch(IException* e)
  1072. {
  1073. FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
  1074. }
  1075. return true;
  1076. }
  1077. bool Cws_accessEx::onGroupEdit(IEspContext &context, IEspGroupEditRequest &req, IEspGroupEditResponse &resp)
  1078. {
  1079. try
  1080. {
  1081. checkUser(context);
  1082. ISecManager* secmgr = context.querySecManager();
  1083. if(secmgr == NULL)
  1084. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
  1085. CLdapSecManager* ldapsecmgr = (CLdapSecManager*)secmgr;
  1086. resp.setGroupname(req.getGroupname());
  1087. StringArray usernames;
  1088. ldapsecmgr->getGroupMembers(req.getGroupname(), usernames);
  1089. IArrayOf<IEspUserInfo> users;
  1090. unsigned i = 0;
  1091. for(i = 0; i < usernames.length(); i++)
  1092. {
  1093. const char* usrname = usernames.item(i);
  1094. if(usrname == NULL || usrname[0] == '\0')
  1095. continue;
  1096. ///////////////////////////////////////BUG#41536///////////////
  1097. bool bFound = false;
  1098. IUserArray usersInBaseDN;
  1099. ldapsecmgr->searchUsers(usrname, usersInBaseDN);
  1100. ForEachItemIn(x, usersInBaseDN)
  1101. {
  1102. ISecUser* usr = &usersInBaseDN.item(x);
  1103. if(usr)
  1104. {
  1105. const char* usrname = usr->getName();
  1106. if(usrname == NULL || usrname[0] == '\0')
  1107. continue;
  1108. bFound = true;
  1109. break;
  1110. }
  1111. }
  1112. if (!bFound)
  1113. continue;
  1114. //////////////////////////////////////////////////////////////
  1115. Owned<IEspUserInfo> oneusr = createUserInfo();
  1116. oneusr->setUsername(usrname);
  1117. users.append(*oneusr.getLink());
  1118. }
  1119. resp.setUsers(users);
  1120. }
  1121. catch(IException* e)
  1122. {
  1123. FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
  1124. }
  1125. return true;
  1126. }
  1127. bool Cws_accessEx::onGroupMemberQuery(IEspContext &context, IEspGroupMemberQueryRequest &req, IEspGroupMemberQueryResponse &resp)
  1128. {
  1129. try
  1130. {
  1131. CLdapSecManager* secmgr = queryLDAPSecurityManager(context);
  1132. if(!secmgr)
  1133. {
  1134. resp.setNoSecMngr(true);
  1135. return true;
  1136. }
  1137. checkUser(context);
  1138. __int64 pageStartFrom = 0;
  1139. unsigned pageSize = 100;
  1140. if (!req.getPageSize_isNull())
  1141. pageSize = req.getPageSize();
  1142. if (!req.getPageStartFrom_isNull())
  1143. pageStartFrom = req.getPageStartFrom();
  1144. UserField sortOrder[2] = {UFName, UFterm};
  1145. CUserSortBy sortBy = req.getSortBy();
  1146. switch (sortBy)
  1147. {
  1148. case CUserSortBy_FullName:
  1149. sortOrder[0] = UFFullName;
  1150. break;
  1151. case CUserSortBy_PasswordExpiration:
  1152. sortOrder[0] = UFPasswordExpiration;
  1153. break;
  1154. default:
  1155. break;
  1156. }
  1157. sortOrder[0] = (UserField) (sortOrder[0] | UFnocase);
  1158. bool descending = req.getDescending();
  1159. if (descending)
  1160. sortOrder[0] = (UserField) (sortOrder[0] | UFreverse);
  1161. unsigned total;
  1162. __int64 cacheHint;
  1163. IArrayOf<IEspUserInfo> users;
  1164. Owned<ISecItemIterator> it = secmgr->getGroupMembersSorted(req.getGroupName(), sortOrder, (const __int64) pageStartFrom, (const unsigned) pageSize, &total, &cacheHint);
  1165. ForEach(*it)
  1166. {
  1167. IPropertyTree& usr = it->query();
  1168. const char* userName = usr.queryProp(getUserFieldNames(UFName));
  1169. if (!userName || !*userName)
  1170. continue;
  1171. Owned<IEspUserInfo> userInfo = createUserInfo();
  1172. userInfo->setUsername(userName);
  1173. const char* fullName = usr.queryProp(getUserFieldNames(UFFullName));
  1174. if (fullName && *fullName)
  1175. userInfo->setFullname(fullName);
  1176. const char* passwordExpiration = usr.queryProp(getUserFieldNames(UFPasswordExpiration));
  1177. if (passwordExpiration && *passwordExpiration)
  1178. userInfo->setPasswordexpiration(passwordExpiration);
  1179. users.append(*userInfo.getLink());
  1180. }
  1181. resp.setUsers(users);
  1182. resp.setTotalUsers(total);
  1183. resp.setCacheHint(cacheHint);
  1184. }
  1185. catch(IException* e)
  1186. {
  1187. FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
  1188. }
  1189. return true;
  1190. }
  1191. bool Cws_accessEx::onGroupMemberEditInput(IEspContext &context, IEspGroupMemberEditInputRequest &req, IEspGroupMemberEditInputResponse &resp)
  1192. {
  1193. try
  1194. {
  1195. checkUser(context);
  1196. CLdapSecManager* secmgr = (CLdapSecManager*)context.querySecManager();
  1197. if(secmgr == NULL)
  1198. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
  1199. CLdapSecManager* ldapsecmgr = (CLdapSecManager*)secmgr;
  1200. resp.setGroupname(req.getGroupname());
  1201. set<string> ousrs;
  1202. StringArray ousernames;
  1203. ldapsecmgr->getGroupMembers(req.getGroupname(), ousernames);
  1204. unsigned i = 0;
  1205. for(i = 0; i < ousernames.length(); i++)
  1206. {
  1207. const char* username = ousernames.item(i);
  1208. if(username != NULL && *username != '\0')
  1209. {
  1210. ousrs.insert(username);
  1211. }
  1212. }
  1213. const char* searchstr = req.getSearchinput();
  1214. int numusers = secmgr->countUsers(searchstr, MAX_USERS_DISPLAY+ousernames.ordinality());
  1215. if(numusers == -1)
  1216. {
  1217. resp.setToomany(true);
  1218. return true;
  1219. }
  1220. resp.setToomany(false);
  1221. IArrayOf<IEspUserInfo> espusers;
  1222. IUserArray users;
  1223. secmgr->searchUsers(searchstr, users);
  1224. ForEachItemIn(x, users)
  1225. {
  1226. ISecUser* usr = &users.item(x);
  1227. if(usr)
  1228. {
  1229. const char* usrname = usr->getName();
  1230. if(usrname == NULL || usrname[0] == '\0')
  1231. continue;
  1232. if(ousrs.find(usrname) == ousrs.end())
  1233. {
  1234. Owned<IEspUserInfo> oneusr = createUserInfo();
  1235. oneusr->setUsername(usr->getName());
  1236. espusers.append(*oneusr.getLink());
  1237. }
  1238. }
  1239. }
  1240. resp.setUsers(espusers);
  1241. }
  1242. catch(IException* e)
  1243. {
  1244. FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
  1245. }
  1246. return true;
  1247. }
  1248. bool Cws_accessEx::onGroupMemberEdit(IEspContext &context, IEspGroupMemberEditRequest &req, IEspGroupMemberEditResponse &resp)
  1249. {
  1250. try
  1251. {
  1252. checkUser(context);
  1253. CLdapSecManager* secmgr = (CLdapSecManager*)(context.querySecManager());
  1254. if(secmgr == NULL)
  1255. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
  1256. const char* groupname = req.getGroupname();
  1257. if(groupname == NULL || *groupname == '\0')
  1258. {
  1259. resp.setRetcode(-1);
  1260. resp.setRetmsg("group can't be empty");
  1261. return false;
  1262. }
  1263. ///////////////////////////////////////BUG#41536///////////////
  1264. StringArray existing_usernames;
  1265. if (!stricmp(req.getAction(), "add"))
  1266. secmgr->getGroupMembers(groupname, existing_usernames);
  1267. //////////////////////////////////////////////////////
  1268. StringArray& usernames = req.getUsernames();
  1269. try
  1270. {
  1271. for(unsigned i = 0; i < usernames.length(); i++)
  1272. {
  1273. const char* usrname = usernames.item(i);
  1274. if(usrname == NULL || *usrname == '\0')
  1275. continue;
  1276. ///////////////////////////////////////BUG#41536///////////////
  1277. bool bFound = false;
  1278. if (existing_usernames.length() > 0)
  1279. {
  1280. for(unsigned i = 0; i < existing_usernames.length(); i++)
  1281. {
  1282. const char* existing_usrname = existing_usernames.item(i);
  1283. if(existing_usrname == NULL || existing_usrname[0] == '\0')
  1284. continue;
  1285. if (!strcmp(usrname, existing_usrname))
  1286. {
  1287. bFound = true;
  1288. break;
  1289. }
  1290. }
  1291. }
  1292. if (!bFound)
  1293. //////////////////////////////////////////////////////
  1294. secmgr->changeUserGroup(req.getAction(), usrname, groupname);
  1295. }
  1296. }
  1297. catch(IException* e)
  1298. {
  1299. StringBuffer errmsg;
  1300. e->errorMessage(errmsg);
  1301. DBGLOG("error changing user's group membership: %s", errmsg.str());
  1302. resp.setRetcode(e->errorCode());
  1303. resp.setRetmsg(errmsg.str());
  1304. return false;
  1305. }
  1306. resp.setRetcode(0);
  1307. resp.setGroupname(groupname);
  1308. resp.setAction(req.getAction());
  1309. if(stricmp(req.getAction(), "add") == 0)
  1310. resp.setRetmsg("members successfully added to group");
  1311. else
  1312. resp.setRetmsg("members successfully deleted from group");
  1313. }
  1314. catch(IException* e)
  1315. {
  1316. FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
  1317. }
  1318. return true;
  1319. }
  1320. bool Cws_accessEx::onPermissions(IEspContext &context, IEspBasednsRequest &req, IEspBasednsResponse &resp)
  1321. {
  1322. try
  1323. {
  1324. CLdapSecManager* secmgr = queryLDAPSecurityManager(context);
  1325. double version = context.getClientVersion();
  1326. if (version > 1.03)
  1327. {
  1328. if(secmgr == NULL)
  1329. {
  1330. resp.setNoSecMngr(true);
  1331. return true;
  1332. }
  1333. }
  1334. else
  1335. {
  1336. if(secmgr == NULL)
  1337. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
  1338. }
  1339. checkUser(context);
  1340. if(m_basedns.length() == 0)
  1341. {
  1342. setBasedns(context);
  1343. }
  1344. resp.setBasedns(m_basedns);
  1345. }
  1346. catch(IException* e)
  1347. {
  1348. FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
  1349. }
  1350. return true;
  1351. }
  1352. const char* Cws_accessEx::getBaseDN(IEspContext &context, const char* rtype, StringBuffer& baseDN)
  1353. {
  1354. if(!m_basedns.length())
  1355. setBasedns(context);
  1356. ForEachItemIn(y, m_basedns)
  1357. {
  1358. IEspDnStruct* curbasedn = &(m_basedns.item(y));
  1359. if(strieq(curbasedn->getRtype(), rtype))
  1360. {
  1361. baseDN.set(curbasedn->getBasedn());
  1362. return baseDN.str();
  1363. }
  1364. }
  1365. return NULL;
  1366. }
  1367. bool Cws_accessEx::onResources(IEspContext &context, IEspResourcesRequest &req, IEspResourcesResponse &resp)
  1368. {
  1369. try
  1370. {
  1371. checkUser(context, req.getRtype(), req.getRtitle(), SecAccess_Read);
  1372. CLdapSecManager* secmgr = queryLDAPSecurityManager(context);
  1373. if(secmgr == NULL)
  1374. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
  1375. double version = context.getClientVersion();
  1376. const char* filterInput = req.getSearchinput();
  1377. const char* basedn = req.getBasedn();
  1378. const char* rtypestr = req.getRtype();
  1379. if (!rtypestr || !*rtypestr)
  1380. throw MakeStringException(ECLWATCH_INVALID_INPUT, "Rtype not specified");
  1381. StringBuffer baseDN;
  1382. if (!basedn || !*basedn)
  1383. {
  1384. basedn = getBaseDN(context, rtypestr, baseDN);
  1385. if (!basedn || !*basedn)
  1386. throw MakeStringException(ECLWATCH_INVALID_INPUT, "BaseDN not found");
  1387. }
  1388. const char* moduletemplate = NULL;
  1389. ForEachItemIn(x, m_basedns)
  1390. {
  1391. IEspDnStruct* curbasedn = &(m_basedns.item(x));
  1392. if(stricmp(curbasedn->getBasedn(), basedn) == 0)
  1393. {
  1394. moduletemplate = curbasedn->getTemplatename();
  1395. }
  1396. }
  1397. resp.setBasedn(basedn);
  1398. resp.setRtype(rtypestr);
  1399. resp.setRtitle(req.getRtitle());
  1400. SecResourceType rtype = str2type(rtypestr);
  1401. if(rtype == RT_FILE_SCOPE || rtype == RT_WORKUNIT_SCOPE)
  1402. {
  1403. StringBuffer deft_basedn, deft_name;
  1404. const char* comma = strchr(basedn, ',');
  1405. const char* eqsign = strchr(basedn, '=');
  1406. if(eqsign != NULL)
  1407. {
  1408. if(comma == NULL)
  1409. deft_name.append(eqsign+1);
  1410. else
  1411. {
  1412. deft_name.append(comma - eqsign - 1, eqsign+1);
  1413. deft_basedn.append(comma + 1);
  1414. }
  1415. resp.setDefault_basedn(deft_basedn.str());
  1416. resp.setDefault_name(deft_name.str());
  1417. }
  1418. }
  1419. IArrayOf<IEspResource> rarray;
  1420. IArrayOf<ISecResource> resources;
  1421. const char* prefix = req.getPrefix();
  1422. int prefixlen = 0;
  1423. if(prefix && *prefix)
  1424. {
  1425. prefixlen = strlen(prefix);
  1426. resp.setPrefix(prefix);
  1427. }
  1428. if (version > 1.04)
  1429. {
  1430. int numResources = -1;
  1431. if (req.getRtitle() && !stricmp(req.getRtitle(), "CodeGenerator Permission"))
  1432. numResources = secmgr->countResources(basedn, prefix, MAX_RESOURCES_DISPLAY);
  1433. else
  1434. numResources = secmgr->countResources(basedn, filterInput, MAX_RESOURCES_DISPLAY);
  1435. if(numResources == -1)
  1436. {
  1437. resp.setToomany(true);
  1438. return true;
  1439. }
  1440. else
  1441. {
  1442. resp.setToomany(false);
  1443. }
  1444. }
  1445. if ((!filterInput || !*filterInput) && req.getRtitle() && !stricmp(req.getRtitle(), "CodeGenerator Permission"))
  1446. {
  1447. if(!secmgr->getResourcesEx(rtype, basedn, prefix, resources))
  1448. return false;
  1449. }
  1450. else
  1451. {
  1452. if(!secmgr->getResourcesEx(rtype, basedn, filterInput, resources))
  1453. return false;
  1454. }
  1455. ILdapConfig* cfg = secmgr->queryConfig();
  1456. for(unsigned i = 0; i < resources.length(); i++)
  1457. {
  1458. ISecResource& r = resources.item(i);
  1459. Owned<IEspResource> oneresource = createResource();
  1460. oneresource->setIsSpecial(false);
  1461. const char* rname = r.getName();
  1462. if(rname == NULL || *rname == '\0')
  1463. continue;
  1464. if(prefix && *prefix)
  1465. {
  1466. if(strncmp(prefix, rname, prefixlen) != 0)
  1467. continue;
  1468. else
  1469. rname += prefixlen;
  1470. }
  1471. if(rtype == RT_MODULE)
  1472. {
  1473. if(stricmp(rname, "repository") != 0)
  1474. {
  1475. if(moduletemplate != NULL && stricmp(rname, moduletemplate) == 0)
  1476. oneresource->setIsSpecial(true);
  1477. if(Utils::strncasecmp(rname, "repository.", 11) == 0)
  1478. rname = rname + 11;
  1479. else
  1480. continue;
  1481. }
  1482. else
  1483. {
  1484. oneresource->setIsSpecial(true);
  1485. }
  1486. }
  1487. else if(rtype == RT_FILE_SCOPE && stricmp(rname, "file") == 0)
  1488. {
  1489. //oneresource->setIsSpecial(true); //33067
  1490. continue;
  1491. }
  1492. oneresource->setName(rname);
  1493. oneresource->setDescription(r.getDescription());
  1494. rarray.append(*oneresource.getLink());
  1495. }
  1496. if (version >= 1.08)
  1497. {
  1498. Owned<IUserDescriptor> userdesc;
  1499. userdesc.setown(createUserDescriptor());
  1500. userdesc->set(context.queryUserId(), context.queryPassword());
  1501. int retCode;
  1502. StringBuffer retMsg;
  1503. bool isEnabled = querySessionManager().queryScopeScansEnabled(userdesc, &retCode, retMsg);
  1504. if (retCode != 0)
  1505. DBGLOG("Error %d querying scope scan status : %s", retCode, retMsg.str());
  1506. resp.updateScopeScansStatus().setIsEnabled(isEnabled);
  1507. resp.updateScopeScansStatus().setRetcode(retCode);
  1508. resp.updateScopeScansStatus().setRetmsg(retMsg.str());
  1509. }
  1510. resp.setResources(rarray);
  1511. }
  1512. catch(IException* e)
  1513. {
  1514. FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
  1515. }
  1516. return true;
  1517. }
  1518. bool Cws_accessEx::onResourceQuery(IEspContext &context, IEspResourceQueryRequest &req, IEspResourceQueryResponse &resp)
  1519. {
  1520. try
  1521. {
  1522. CLdapSecManager* secmgr = queryLDAPSecurityManager(context);
  1523. if(!secmgr)
  1524. {
  1525. resp.setNoSecMngr(true);
  1526. return true;
  1527. }
  1528. checkUser(context, req.getRtype(), req.getRtitle(), SecAccess_Read);
  1529. const char* rtypeStr = req.getRtype();
  1530. if (!rtypeStr || !*rtypeStr)
  1531. throw MakeStringException(ECLWATCH_INVALID_INPUT, "Rtype not specified");
  1532. StringBuffer baseDN;
  1533. const char* basednStr = req.getBasedn();
  1534. if (!basednStr || !*basednStr)
  1535. {
  1536. basednStr = getBaseDN(context, rtypeStr, baseDN);
  1537. if (!basednStr || !*basednStr)
  1538. throw MakeStringException(ECLWATCH_INVALID_INPUT, "BaseDN not found");
  1539. }
  1540. SecResourceType rtype = str2type(rtypeStr);
  1541. const char* moduleTemplate = NULL;
  1542. ForEachItemIn(x, m_basedns)
  1543. {
  1544. IEspDnStruct* curbasedn = &(m_basedns.item(x));
  1545. if(strieq(curbasedn->getBasedn(), basednStr))
  1546. {
  1547. moduleTemplate = curbasedn->getTemplatename();
  1548. break;
  1549. }
  1550. }
  1551. StringBuffer nameReq = req.getName();
  1552. const char* prefix = req.getPrefix();
  1553. if (!nameReq.length() && req.getRtitle() && !stricmp(req.getRtitle(), "CodeGenerator Permission"))
  1554. nameReq.set(prefix);
  1555. __int64 pageStartFrom = 0;
  1556. unsigned pageSize = 100;
  1557. if (!req.getPageSize_isNull())
  1558. pageSize = req.getPageSize();
  1559. if (!req.getPageStartFrom_isNull())
  1560. pageStartFrom = req.getPageStartFrom();
  1561. ResourceField sortOrder[2] = {(ResourceField) (RFName | RFnocase), RFterm};
  1562. bool descending = req.getDescending();
  1563. if (descending)
  1564. sortOrder[0] = (ResourceField) (sortOrder[0] | RFreverse);
  1565. unsigned total;
  1566. __int64 cacheHint;
  1567. IArrayOf<IEspResource> rarray;
  1568. Owned<ISecItemIterator> it = secmgr->getResourcesSorted(rtype, basednStr, nameReq.str(),
  1569. RF_RT_FILE_SCOPE_FILE | RF_RT_MODULE_NO_REPOSITORY, sortOrder,
  1570. (const __int64) pageStartFrom, (const unsigned) pageSize, &total, &cacheHint);
  1571. ForEach(*it)
  1572. {
  1573. IPropertyTree& r = it->query();
  1574. const char* rname = r.queryProp(getResourceFieldNames(RFName));
  1575. if(!rname || !*rname)
  1576. continue;
  1577. if(prefix && *prefix)
  1578. rname += strlen(prefix); //Remove the prefix from the name
  1579. bool isSpecial = false;
  1580. if(rtype == RT_MODULE)
  1581. {
  1582. if(strieq(rname, "repository"))
  1583. isSpecial = true;
  1584. else
  1585. {
  1586. if(moduleTemplate != NULL && stricmp(rname, moduleTemplate) == 0)
  1587. isSpecial = true;
  1588. rname = rname + 11; //Remove "repository." from the name
  1589. }
  1590. }
  1591. Owned<IEspResource> oneresource = createResource();
  1592. oneresource->setName(rname);
  1593. oneresource->setIsSpecial(isSpecial);
  1594. const char* desc = r.queryProp(getResourceFieldNames(RFDesc));
  1595. if (desc && *desc)
  1596. oneresource->setDescription(desc);
  1597. rarray.append(*oneresource.getClear());
  1598. }
  1599. resp.setResources(rarray);
  1600. resp.setTotalResources(total);
  1601. resp.setCacheHint(cacheHint);
  1602. }
  1603. catch(IException* e)
  1604. {
  1605. FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
  1606. }
  1607. return true;
  1608. }
  1609. bool Cws_accessEx::onResourceAddInput(IEspContext &context, IEspResourceAddInputRequest &req, IEspResourceAddInputResponse &resp)
  1610. {
  1611. try
  1612. {
  1613. checkUser(context, req.getRtype(), req.getRtitle(), SecAccess_Full);
  1614. resp.setBasedn(req.getBasedn());
  1615. resp.setRtype(req.getRtype());
  1616. resp.setRtitle(req.getRtitle());
  1617. resp.setPrefix(req.getPrefix());
  1618. }
  1619. catch(IException* e)
  1620. {
  1621. FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
  1622. }
  1623. return true;
  1624. }
  1625. SecResourceType Cws_accessEx::str2type(const char* rtstr)
  1626. {
  1627. if(rtstr == NULL || *rtstr == '\0')
  1628. return RT_DEFAULT;
  1629. else if(stricmp(rtstr, "module") == 0)
  1630. return RT_MODULE;
  1631. else if(stricmp(rtstr, "service") == 0)
  1632. return RT_SERVICE;
  1633. else if(stricmp(rtstr, "file") == 0)
  1634. return RT_FILE_SCOPE;
  1635. else if(stricmp(rtstr, "workunit") == 0)
  1636. return RT_WORKUNIT_SCOPE;
  1637. else
  1638. return RT_DEFAULT;
  1639. }
  1640. bool Cws_accessEx::onResourceAdd(IEspContext &context, IEspResourceAddRequest &req, IEspResourceAddResponse &resp)
  1641. {
  1642. try
  1643. {
  1644. checkUser(context, req.getRtype(), req.getRtitle(), SecAccess_Full);
  1645. ISecManager* secmgr = context.querySecManager();
  1646. if(secmgr == NULL)
  1647. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
  1648. resp.setBasedn(req.getBasedn());
  1649. resp.setRtype(req.getRtype());
  1650. resp.setRtitle(req.getRtitle());
  1651. resp.setPrefix(req.getPrefix());
  1652. StringBuffer lastResource;
  1653. StringArray newResources;
  1654. if(str2type(req.getRtype()) == RT_FILE_SCOPE)
  1655. {
  1656. getNewFileScopePermissions(secmgr, req, lastResource, newResources);
  1657. }
  1658. SecResourceType rtype = str2type(req.getRtype());
  1659. try
  1660. {
  1661. ISecUser* usr = NULL;
  1662. Owned<ISecResourceList> rlist = secmgr->createResourceList("ws_access");
  1663. const char* name = req.getName();
  1664. if(name == NULL || *name == '\0')
  1665. {
  1666. resp.setRetcode(-1);
  1667. StringBuffer errmsg;
  1668. errmsg.append(req.getRtitle()).append(" name can't be empty");
  1669. resp.setRetmsg(errmsg.str());
  1670. return false;
  1671. }
  1672. if(strchr(name, '\\') != NULL || strchr(name, '/') != NULL)
  1673. {
  1674. resp.setRetcode(-1);
  1675. StringBuffer errmsg;
  1676. errmsg.append(" you can't have '\\' or '/' in the name");
  1677. resp.setRetmsg(errmsg.str());
  1678. return false;
  1679. }
  1680. const char* ptr = strchr(name, ':');
  1681. while(ptr != NULL)
  1682. {
  1683. if(*(ptr+1) != ':')
  1684. throw MakeStringException(ECLWATCH_SINGLE_COLON_NOT_ALLOWED, "Single colon is not allowed in scope names. Please use double colon");
  1685. ptr = strchr(ptr+2, ':');
  1686. }
  1687. StringBuffer namebuf(name);
  1688. if(rtype == RT_MODULE && stricmp(name, "repository") != 0 && Utils::strncasecmp(name, "repository.", 11) != 0)
  1689. namebuf.insert(0, "repository.");
  1690. const char* prefix = req.getPrefix();
  1691. if(prefix && *prefix)
  1692. namebuf.insert(0, prefix);
  1693. ISecResource* r = rlist->addResource(namebuf.str());
  1694. r->setDescription(req.getDescription());
  1695. secmgr->addResourcesEx(rtype, *usr, rlist, PT_ADMINISTRATORS_ONLY, req.getBasedn());
  1696. if(str2type(req.getRtype()) == RT_FILE_SCOPE && newResources.ordinality())
  1697. {
  1698. setNewFileScopePermissions(secmgr, req, lastResource, newResources);
  1699. StringBuffer retmsg;
  1700. ForEachItemIn(y, newResources)
  1701. {
  1702. StringBuffer namebuf = newResources.item(y);
  1703. if (retmsg.length() < 1)
  1704. retmsg.append(namebuf);
  1705. else
  1706. retmsg.appendf(", %s", namebuf.str());
  1707. }
  1708. resp.setRetmsg(retmsg.str());
  1709. }
  1710. }
  1711. catch(IException* e)
  1712. {
  1713. StringBuffer emsg;
  1714. e->errorMessage(emsg);
  1715. resp.setRetcode(e->errorCode());
  1716. resp.setRetmsg(emsg.str());
  1717. return false;
  1718. }
  1719. catch(...)
  1720. {
  1721. resp.setRetcode(-1);
  1722. resp.setRetmsg("unknown error");
  1723. return false;
  1724. }
  1725. resp.setRetcode(0);
  1726. }
  1727. catch(IException* e)
  1728. {
  1729. FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
  1730. }
  1731. return true;
  1732. }
  1733. bool Cws_accessEx::onResourceDelete(IEspContext &context, IEspResourceDeleteRequest &req, IEspResourceDeleteResponse &resp)
  1734. {
  1735. try
  1736. {
  1737. checkUser(context, req.getRtype(), req.getRtitle(), SecAccess_Full);
  1738. CLdapSecManager* secmgr = (CLdapSecManager*)(context.querySecManager());
  1739. if(secmgr == NULL)
  1740. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
  1741. StringArray& names = req.getNames();
  1742. int doUpdate = req.getDoUpdate();
  1743. if (doUpdate)
  1744. {
  1745. const char* basedn = req.getBasedn();
  1746. const char* rtype = req.getRtype();
  1747. const char* rtitle = req.getRtitle();
  1748. const char* prefix = req.getPrefix();
  1749. StringBuffer url("/ws_access/PermissionsResetInput");
  1750. url.appendf("?basedn=%s", basedn);
  1751. url.appendf("&rtype=%s", rtype);
  1752. url.appendf("&rtitle=%s", rtitle);
  1753. url.appendf("&prefix=%s", prefix);
  1754. if (names.length() < 1)
  1755. throw MakeStringException(ECLWATCH_INVALID_RESOURCE_NAME, "Please select a resource name.");
  1756. for(unsigned i = 0; i < names.length(); i++)
  1757. {
  1758. const char* name = names.item(i);
  1759. if(name == NULL || *name == '\0')
  1760. continue;
  1761. url.appendf("&names_i%d=%s", i, name);
  1762. }
  1763. resp.setRedirectUrl(url);
  1764. return true;
  1765. }
  1766. resp.setBasedn(req.getBasedn());
  1767. resp.setRtype(req.getRtype());
  1768. resp.setRtitle(req.getRtitle());
  1769. resp.setPrefix(req.getPrefix());
  1770. SecResourceType rtype = str2type(req.getRtype());
  1771. try
  1772. {
  1773. for(unsigned i = 0; i < names.length(); i++)
  1774. {
  1775. const char* name = names.item(i);
  1776. if(name == NULL || *name == '\0')
  1777. continue;
  1778. StringBuffer namebuf(name);
  1779. if(rtype == RT_MODULE && stricmp(name, "repository") != 0 && Utils::strncasecmp(name, "repository.", 11) != 0)
  1780. namebuf.insert(0, "repository.");
  1781. const char* prefix = req.getPrefix();
  1782. if(prefix && *prefix)
  1783. namebuf.insert(0, prefix);
  1784. secmgr->deleteResource(rtype, namebuf.str(), req.getBasedn());
  1785. }
  1786. }
  1787. catch(IException* e)
  1788. {
  1789. StringBuffer emsg;
  1790. e->errorMessage(emsg);
  1791. resp.setRetcode(e->errorCode());
  1792. resp.setRetmsg(emsg.str());
  1793. return false;
  1794. }
  1795. catch(...)
  1796. {
  1797. resp.setRetcode(-1);
  1798. resp.setRetmsg("Unknown error");
  1799. return false;
  1800. }
  1801. resp.setRetcode(0);
  1802. }
  1803. catch(IException* e)
  1804. {
  1805. FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
  1806. }
  1807. return true;
  1808. }
  1809. bool Cws_accessEx::onResourcePermissions(IEspContext &context, IEspResourcePermissionsRequest &req, IEspResourcePermissionsResponse &resp)
  1810. {
  1811. try
  1812. {
  1813. checkUser(context, req.getRtype(), req.getRtitle(), SecAccess_Read);
  1814. ISecManager* secmgr = context.querySecManager();
  1815. if(secmgr == NULL)
  1816. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
  1817. CLdapSecManager* ldapsecmgr = (CLdapSecManager*)secmgr;
  1818. const char* name = req.getName();
  1819. StringBuffer namebuf(name);
  1820. if(str2type(req.getRtype()) == RT_MODULE && stricmp(name, "repository") != 0 && Utils::strncasecmp(name, "repository.", 11) != 0)
  1821. namebuf.insert(0, "repository.");
  1822. const char* prefix = req.getPrefix();
  1823. if(prefix && *prefix)
  1824. namebuf.insert(0, prefix);
  1825. IArrayOf<CPermission> permissions;
  1826. ldapsecmgr->getPermissionsArray(req.getBasedn(), str2type(req.getRtype()), namebuf.str(), permissions);
  1827. IArrayOf<IEspResourcePermission> parray;
  1828. ForEachItemIn(x, permissions)
  1829. {
  1830. CPermission& perm = permissions.item(x);
  1831. Owned<IEspResourcePermission> onepermission = createResourcePermission();
  1832. const char* actname = perm.getAccount_name();
  1833. if(actname != NULL && *actname != '\0')
  1834. {
  1835. StringBuffer escapedname;
  1836. int i = 0;
  1837. char c;
  1838. while((c = actname[i++]) != '\0')
  1839. {
  1840. if(c == '\'')
  1841. escapedname.append('\\').append('\'');
  1842. else
  1843. escapedname.append(c);
  1844. }
  1845. onepermission->setAccount_name(actname);
  1846. onepermission->setEscaped_account_name(escapedname.str());
  1847. }
  1848. onepermission->setAccount_type(perm.getAccount_type());
  1849. int allows = perm.getAllows();
  1850. int denies = perm.getDenies();
  1851. if((allows & NewSecAccess_Access) == NewSecAccess_Access)
  1852. onepermission->setAllow_access(true);
  1853. if((allows & NewSecAccess_Read) == NewSecAccess_Read)
  1854. onepermission->setAllow_read(true);
  1855. if((allows & NewSecAccess_Write) == NewSecAccess_Write)
  1856. onepermission->setAllow_write(true);
  1857. if((allows & NewSecAccess_Full) == NewSecAccess_Full)
  1858. onepermission->setAllow_full(true);
  1859. if((denies & NewSecAccess_Access) == NewSecAccess_Access)
  1860. onepermission->setDeny_access(true);
  1861. if((denies & NewSecAccess_Read) == NewSecAccess_Read)
  1862. onepermission->setDeny_read(true);
  1863. if((denies & NewSecAccess_Write) == NewSecAccess_Write)
  1864. onepermission->setDeny_write(true);
  1865. if((denies & NewSecAccess_Full) == NewSecAccess_Full)
  1866. onepermission->setDeny_full(true);
  1867. parray.append(*onepermission.getLink());
  1868. }
  1869. resp.setBasedn(req.getBasedn());
  1870. resp.setRtype(req.getRtype());
  1871. resp.setRtitle(req.getRtitle());
  1872. resp.setName(req.getName());
  1873. resp.setPrefix(req.getPrefix());
  1874. resp.setPermissions(parray);
  1875. }
  1876. catch(IException* e)
  1877. {
  1878. FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
  1879. }
  1880. return true;
  1881. }
  1882. bool Cws_accessEx::onPermissionAddInput(IEspContext &context, IEspPermissionAddRequest &req, IEspPermissionAddResponse &resp)
  1883. {
  1884. try
  1885. {
  1886. checkUser(context, req.getRtype(), req.getRtitle(), SecAccess_Full);
  1887. resp.setBasedn(req.getBasedn());
  1888. resp.setRname(req.getRname());
  1889. resp.setRtype(req.getRtype());
  1890. resp.setRtitle(req.getRtitle());
  1891. resp.setPrefix(req.getPrefix());
  1892. double version = context.getClientVersion();
  1893. if (version < 1.01)
  1894. {
  1895. return permissionAddInputOnResource(context, req, resp);
  1896. }
  1897. else
  1898. {
  1899. const char* accountName = req.getAccountName();
  1900. if (!accountName || !*accountName)
  1901. {
  1902. return permissionAddInputOnResource(context, req, resp);
  1903. }
  1904. else
  1905. {
  1906. return permissionAddInputOnAccount(context, accountName, req, resp);
  1907. }
  1908. }
  1909. }
  1910. catch(IException* e)
  1911. {
  1912. FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
  1913. }
  1914. return true;
  1915. }
  1916. bool Cws_accessEx::onPermissionsResetInput(IEspContext &context, IEspPermissionsResetInputRequest &req, IEspPermissionsResetInputResponse &resp)
  1917. {
  1918. try
  1919. {
  1920. checkUser(context, req.getRtype(), req.getRtitle(), SecAccess_Full);
  1921. resp.setBasedn(req.getBasedn());
  1922. //resp.setRname(req.getRname());
  1923. resp.setRname("Test");
  1924. resp.setRtype(req.getRtype());
  1925. resp.setRtitle(req.getRtitle());
  1926. resp.setPrefix(req.getPrefix());
  1927. StringArray& names = req.getNames();
  1928. if (names.length() < 1)
  1929. throw MakeStringException(ECLWATCH_INVALID_PERMISSION_NAME, "Please select a permission.");
  1930. StringBuffer nameList; //For forwarding to Submit page
  1931. StringArray names1;
  1932. ForEachItemIn(k, names)
  1933. {
  1934. const char* name1 = names.item(k);
  1935. nameList.appendf("%s,", name1);
  1936. names1.append(name1);
  1937. }
  1938. resp.setResourceList(nameList.str());
  1939. resp.setResources(names);
  1940. CLdapSecManager* secmgr = (CLdapSecManager*)context.querySecManager();
  1941. if(secmgr == NULL)
  1942. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
  1943. int numusers = secmgr->countUsers("", MAX_USERS_DISPLAY);
  1944. if(numusers == -1)
  1945. {
  1946. resp.setToomany(true);
  1947. }
  1948. else
  1949. {
  1950. resp.setToomany(false);
  1951. IArrayOf<IEspUserInfo> espusers;
  1952. IUserArray users;
  1953. secmgr->getAllUsers(users);
  1954. ForEachItemIn(x, users)
  1955. {
  1956. CLdapSecUser* usr = dynamic_cast<CLdapSecUser*>(&users.item(x));
  1957. if(usr)
  1958. {
  1959. Owned<IEspUserInfo> oneusr = createUserInfo();
  1960. oneusr->setUsername(usr->getName());
  1961. oneusr->setFullname(usr->getFullName());
  1962. espusers.append(*oneusr.getLink());
  1963. }
  1964. }
  1965. resp.setUsers(espusers);
  1966. }
  1967. IArrayOf<IEspGroupInfo> groups;
  1968. if(secmgr->getLdapServerType() != ACTIVE_DIRECTORY)
  1969. {
  1970. Owned<IEspGroupInfo> onegrp = createGroupInfo();
  1971. onegrp->setName("anyone");
  1972. groups.append(*onegrp.getLink());
  1973. }
  1974. StringArray grpnames;
  1975. StringArray managedBy;
  1976. StringArray descriptions;
  1977. secmgr->getAllGroups(grpnames, managedBy, descriptions);
  1978. for(unsigned i = 0; i < grpnames.length(); i++)
  1979. {
  1980. const char* grpname = grpnames.item(i);
  1981. if(grpname == NULL || *grpname == '\0')
  1982. continue;
  1983. Owned<IEspGroupInfo> onegrp = createGroupInfo();
  1984. onegrp->setName(grpname);
  1985. onegrp->setGroupDesc(descriptions.item(i));
  1986. onegrp->setGroupOwner(managedBy.item(i));
  1987. groups.append(*onegrp.getLink());
  1988. }
  1989. resp.setGroups(groups);
  1990. }
  1991. catch(IException* e)
  1992. {
  1993. FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
  1994. }
  1995. return true;
  1996. }
  1997. bool Cws_accessEx::onClearPermissionsCache(IEspContext &context, IEspClearPermissionsCacheRequest &req, IEspClearPermissionsCacheResponse &resp)
  1998. {
  1999. checkUser(context);
  2000. ISecManager* secmgr = context.querySecManager();
  2001. if(secmgr == NULL)
  2002. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
  2003. //Clear local cache
  2004. Owned<ISecUser> user = secmgr->createUser(context.queryUserId());
  2005. ISecCredentials& cred = user->credentials();
  2006. cred.setPassword(context.queryPassword());
  2007. bool ok = secmgr->clearPermissionsCache(*user);
  2008. //Request DALI to clear its cache
  2009. if (ok)
  2010. {
  2011. Owned<IUserDescriptor> userdesc;
  2012. userdesc.setown(createUserDescriptor());
  2013. userdesc->set(context.queryUserId(), context.queryPassword());
  2014. ok = querySessionManager().clearPermissionsCache(userdesc);
  2015. }
  2016. resp.setRetcode(ok ? 0 : -1);
  2017. return true;
  2018. }
  2019. bool Cws_accessEx::onQueryScopeScansEnabled(IEspContext &context, IEspQueryScopeScansEnabledRequest &req, IEspQueryScopeScansEnabledResponse &resp)
  2020. {
  2021. ISecManager* secmgr = context.querySecManager();
  2022. if(secmgr == NULL)
  2023. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
  2024. Owned<IUserDescriptor> userdesc;
  2025. userdesc.setown(createUserDescriptor());
  2026. userdesc->set(context.queryUserId(), context.queryPassword());
  2027. int retCode;
  2028. StringBuffer retMsg;
  2029. bool isEnabled = querySessionManager().queryScopeScansEnabled(userdesc, &retCode, retMsg);
  2030. if (retCode != 0)
  2031. throw MakeStringException(ECLWATCH_OLD_CLIENT_VERSION, "Error %d querying scope scan status : %s", retCode, retMsg.str());
  2032. resp.updateScopeScansStatus().setIsEnabled(isEnabled);
  2033. resp.updateScopeScansStatus().setRetcode(retCode);
  2034. resp.updateScopeScansStatus().setRetmsg(retMsg.str());
  2035. return true;
  2036. }
  2037. bool Cws_accessEx::onEnableScopeScans(IEspContext &context, IEspEnableScopeScansRequest &req, IEspEnableScopeScansResponse &resp)
  2038. {
  2039. checkUser(context, FILE_SCOPE_RTYPE, FILE_SCOPE_RTITLE, SecAccess_Full);
  2040. StringBuffer retMsg;
  2041. int rc = enableDisableScopeScans(context, true, retMsg);
  2042. resp.updateScopeScansStatus().setIsEnabled(rc == 0);
  2043. resp.updateScopeScansStatus().setRetcode(rc);
  2044. resp.updateScopeScansStatus().setRetmsg(retMsg.str());
  2045. return true;
  2046. }
  2047. bool Cws_accessEx::onDisableScopeScans(IEspContext &context, IEspDisableScopeScansRequest &req, IEspDisableScopeScansResponse &resp)
  2048. {
  2049. checkUser(context, FILE_SCOPE_RTYPE, FILE_SCOPE_RTITLE, SecAccess_Full);
  2050. StringBuffer retMsg;
  2051. int rc = enableDisableScopeScans(context, false, retMsg);
  2052. resp.updateScopeScansStatus().setIsEnabled(rc != 0);
  2053. resp.updateScopeScansStatus().setRetcode(rc);
  2054. resp.updateScopeScansStatus().setRetmsg(retMsg.str());
  2055. return true;
  2056. }
  2057. int Cws_accessEx::enableDisableScopeScans(IEspContext &context, bool doEnable, StringBuffer &retMsg)
  2058. {
  2059. ISecManager* secmgr = context.querySecManager();
  2060. if(secmgr == NULL)
  2061. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
  2062. Owned<IUserDescriptor> userdesc;
  2063. userdesc.setown(createUserDescriptor());
  2064. userdesc->set(context.queryUserId(), context.queryPassword());
  2065. int retCode;
  2066. bool rc = querySessionManager().enableScopeScans(userdesc, doEnable, &retCode, retMsg);
  2067. if (!rc || retCode != 0)
  2068. DBGLOG("Error %d enabling Scope Scans : %s", retCode, retMsg.str());
  2069. return retCode;
  2070. }
  2071. bool Cws_accessEx::permissionsReset(CLdapSecManager* ldapsecmgr, const char* basedn, const char* rtype0, const char* prefix,
  2072. const char* resourceName, ACT_TYPE accountType, const char* accountName,
  2073. bool allow_access, bool allow_read, bool allow_write, bool allow_full,
  2074. bool deny_access, bool deny_read, bool deny_write, bool deny_full)
  2075. {
  2076. CPermissionAction paction;
  2077. paction.m_basedn.append(basedn);
  2078. //const char* name = req.getRname();
  2079. StringBuffer namebuf(resourceName);
  2080. SecResourceType rtype = str2type(rtype0);
  2081. if(rtype == RT_MODULE && stricmp(resourceName, "repository") != 0 && Utils::strncasecmp(resourceName, "repository.", 11) != 0)
  2082. namebuf.insert(0, "repository.");
  2083. if(prefix && *prefix)
  2084. namebuf.insert(0, prefix);
  2085. paction.m_rname.append(namebuf.str());
  2086. paction.m_rtype = str2type(rtype0);
  2087. paction.m_allows = 0;
  2088. paction.m_denies = 0;
  2089. if(allow_full)
  2090. paction.m_allows |= NewSecAccess_Full;
  2091. if(allow_read)
  2092. paction.m_allows |= NewSecAccess_Read;
  2093. if(allow_write)
  2094. paction.m_allows |= NewSecAccess_Write;
  2095. if(allow_access)
  2096. paction.m_allows |= NewSecAccess_Access;
  2097. if(deny_full)
  2098. paction.m_denies |= NewSecAccess_Full;
  2099. if(deny_read)
  2100. paction.m_denies |= NewSecAccess_Read;
  2101. if(deny_write)
  2102. paction.m_denies |= NewSecAccess_Write;
  2103. if(deny_access)
  2104. paction.m_denies |= NewSecAccess_Access;
  2105. paction.m_action.append("update");
  2106. paction.m_account_type = accountType;
  2107. paction.m_account_name.append(accountName);
  2108. bool ret = ldapsecmgr->changePermission(paction);
  2109. return ret;
  2110. }
  2111. bool Cws_accessEx::onPermissionsReset(IEspContext &context, IEspPermissionsResetRequest &req, IEspPermissionsResetResponse &resp)
  2112. {
  2113. try
  2114. {
  2115. checkUser(context, req.getRtype(), req.getRtitle(), SecAccess_Full);
  2116. resp.setBasedn(req.getBasedn());
  2117. resp.setRname(req.getRname());
  2118. resp.setRtype(req.getRtype());
  2119. resp.setRtitle(req.getRtitle());
  2120. resp.setPrefix(req.getPrefix());
  2121. ISecManager* secmgr = context.querySecManager();
  2122. if(secmgr == NULL)
  2123. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
  2124. CLdapSecManager* ldapsecmgr = (CLdapSecManager*)secmgr;
  2125. const char* users = req.getUserarray();
  2126. const char* groups = req.getGrouparray();
  2127. if ((!users || !*users) && (!groups || !*groups))
  2128. throw MakeStringException(ECLWATCH_INVALID_ACCOUNT_NAME, "A user or group must be specified.");
  2129. StringArray& resources = req.getNames();
  2130. if (resources.length() < 1)
  2131. throw MakeStringException(ECLWATCH_INVALID_RESOURCE_NAME, "A resource name must be specified.");
  2132. StringArray userAccounts, groupAccounts;
  2133. if (users && *users)
  2134. {
  2135. char* pTr = (char*) users;
  2136. while (pTr)
  2137. {
  2138. char* ppTr = strchr(pTr, ',');
  2139. if (!ppTr)
  2140. break;
  2141. if (ppTr - pTr > 1)
  2142. {
  2143. char userName[255];
  2144. strncpy(userName, pTr, ppTr - pTr);
  2145. userName[ppTr - pTr] = 0;
  2146. userAccounts.append(userName);
  2147. }
  2148. pTr = ppTr+1;
  2149. }
  2150. }
  2151. if (groups && *groups)
  2152. {
  2153. char* pTr = (char*) groups;
  2154. while (pTr)
  2155. {
  2156. char* ppTr = strchr(pTr, ',');
  2157. if (!ppTr)
  2158. break;
  2159. if (ppTr - pTr > 1)
  2160. {
  2161. char userName[255];
  2162. strncpy(userName, pTr, ppTr - pTr);
  2163. userName[ppTr - pTr] = 0;
  2164. groupAccounts.append(userName);
  2165. }
  2166. pTr = ppTr+1;
  2167. }
  2168. }
  2169. if (userAccounts.length() < 1 && groupAccounts.length() < 1)
  2170. throw MakeStringException(ECLWATCH_INVALID_ACCOUNT_NAME, "A user or group must be specified.");
  2171. for(unsigned i = 0; i < resources.length(); i++)
  2172. {
  2173. const char* name = resources.item(i);
  2174. if (!name || !*name)
  2175. continue;
  2176. bool ret = true;
  2177. StringBuffer retmsg;
  2178. try
  2179. {
  2180. if (userAccounts.length() > 0)
  2181. {
  2182. for(unsigned j = 0; j < userAccounts.length(); j++)
  2183. {
  2184. const char* name0 = userAccounts.item(j);
  2185. if (!name0 || !*name0)
  2186. continue;
  2187. ret = permissionsReset(ldapsecmgr, req.getBasedn(), req.getRtype(), req.getPrefix(), name, USER_ACT, name0,
  2188. req.getAllow_access(), req.getAllow_read(), req.getAllow_write(), req.getAllow_full(),
  2189. req.getDeny_access(), req.getDeny_read(), req.getDeny_write(), req.getDeny_full());
  2190. if(!ret)
  2191. {
  2192. resp.setRetcode(-1);
  2193. resp.setRetmsg("Unknown error");
  2194. return false;
  2195. }
  2196. }
  2197. }
  2198. if (groupAccounts.length() > 0)
  2199. {
  2200. for(unsigned j = 0; j < groupAccounts.length(); j++)
  2201. {
  2202. const char* name0 = groupAccounts.item(j);
  2203. if (!name0 || !*name0)
  2204. continue;
  2205. ret = permissionsReset(ldapsecmgr, req.getBasedn(), req.getRtype(), req.getPrefix(), name, GROUP_ACT, name0,
  2206. req.getAllow_access(), req.getAllow_read(), req.getAllow_write(), req.getAllow_full(),
  2207. req.getDeny_access(), req.getDeny_read(), req.getDeny_write(), req.getDeny_full());
  2208. if(!ret)
  2209. {
  2210. resp.setRetcode(-1);
  2211. resp.setRetmsg("Unknown error");
  2212. return false;
  2213. }
  2214. }
  2215. }
  2216. }
  2217. catch(IException* e)
  2218. {
  2219. resp.setRetcode(e->errorCode());
  2220. e->errorMessage(retmsg);
  2221. resp.setRetmsg(retmsg.str());
  2222. return false;
  2223. }
  2224. }
  2225. resp.setRetcode(0);
  2226. }
  2227. catch(IException* e)
  2228. {
  2229. FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
  2230. }
  2231. return true;
  2232. }
  2233. //For every resources inside a baseDN, if there is no permission for this account, add the baseDN name to the basednNames list
  2234. void Cws_accessEx::getBaseDNsForAddingPermssionToAccount(CLdapSecManager* secmgr, const char* prefix, const char* accountName,
  2235. int accountType, StringArray& basednNames)
  2236. {
  2237. if(secmgr == NULL)
  2238. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
  2239. ForEachItemIn(i, m_basedns)
  2240. {
  2241. IEspDnStruct* curbasedn = &(m_basedns.item(i));
  2242. const char *basednName = curbasedn->getName();
  2243. if (!basednName || !*basednName)
  2244. continue;
  2245. const char *basedn = curbasedn->getBasedn();
  2246. const char *rtypestr = curbasedn->getRtype();
  2247. if (!basedn || !*basedn || !rtypestr || !*rtypestr)
  2248. continue;
  2249. IArrayOf<ISecResource> resources;
  2250. SecResourceType rtype = str2type(rtypestr);
  2251. if(!secmgr->getResources(rtype, basedn, resources))
  2252. continue;
  2253. ForEachItemIn(j, resources)
  2254. {
  2255. ISecResource& r = resources.item(j);
  2256. const char* rname = r.getName();
  2257. if(!rname || !*rname)
  2258. continue;
  2259. if(prefix && *prefix)
  2260. {
  2261. int prefixlen = strlen(prefix);
  2262. if(strncmp(prefix, rname, prefixlen) == 0)
  2263. rname += prefixlen;
  2264. }
  2265. StringBuffer namebuf(rname);
  2266. if((rtype == RT_MODULE) && !strieq(rname, "repository") && Utils::strncasecmp(rname, "repository.", 11) != 0)
  2267. namebuf.insert(0, "repository.");
  2268. if(prefix && *prefix)
  2269. namebuf.insert(0, prefix);
  2270. try
  2271. {
  2272. IArrayOf<CPermission> permissions;
  2273. secmgr->getPermissionsArray(basedn, rtype, namebuf.str(), permissions);
  2274. bool foundPermissionInThisAccount = false;
  2275. ForEachItemIn(k, permissions)
  2276. {
  2277. CPermission& perm = permissions.item(k);
  2278. if ((accountType == perm.getAccount_type()) && perm.getAccount_name() && streq(perm.getAccount_name(), accountName))
  2279. {
  2280. foundPermissionInThisAccount = true;
  2281. break;
  2282. }
  2283. }
  2284. if (!foundPermissionInThisAccount)
  2285. {
  2286. basednNames.append(basednName);
  2287. break;
  2288. }
  2289. }
  2290. catch(IException* e) //exception may be thrown when no permission for the resource
  2291. {
  2292. e->Release();
  2293. break;
  2294. }
  2295. }
  2296. }
  2297. return;
  2298. }
  2299. bool Cws_accessEx::permissionAddInputOnResource(IEspContext &context, IEspPermissionAddRequest &req, IEspPermissionAddResponse &resp)
  2300. {
  2301. CLdapSecManager* secmgr = (CLdapSecManager*)context.querySecManager();
  2302. if(secmgr == NULL)
  2303. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
  2304. int numusers = secmgr->countUsers("", MAX_USERS_DISPLAY);
  2305. if(numusers == -1)
  2306. {
  2307. resp.setToomany(true);
  2308. }
  2309. else
  2310. {
  2311. resp.setToomany(false);
  2312. IArrayOf<IEspUserInfo> espusers;
  2313. IUserArray users;
  2314. secmgr->getAllUsers(users);
  2315. ForEachItemIn(x, users)
  2316. {
  2317. CLdapSecUser* usr = dynamic_cast<CLdapSecUser*>(&users.item(x));
  2318. if(usr)
  2319. {
  2320. Owned<IEspUserInfo> oneusr = createUserInfo();
  2321. oneusr->setUsername(usr->getName());
  2322. oneusr->setFullname(usr->getFullName());
  2323. espusers.append(*oneusr.getLink());
  2324. }
  2325. }
  2326. resp.setUsers(espusers);
  2327. }
  2328. IArrayOf<IEspGroupInfo> groups;
  2329. if(secmgr->getLdapServerType() != ACTIVE_DIRECTORY)
  2330. {
  2331. Owned<IEspGroupInfo> onegrp = createGroupInfo();
  2332. onegrp->setName("anyone");
  2333. groups.append(*onegrp.getLink());
  2334. }
  2335. StringArray grpnames;
  2336. StringArray managedBy;
  2337. StringArray descriptions;
  2338. secmgr->getAllGroups(grpnames, managedBy, descriptions);
  2339. for(unsigned i = 0; i < grpnames.length(); i++)
  2340. {
  2341. const char* grpname = grpnames.item(i);
  2342. if(grpname == NULL || *grpname == '\0')
  2343. continue;
  2344. Owned<IEspGroupInfo> onegrp = createGroupInfo();
  2345. onegrp->setName(grpname);
  2346. onegrp->setGroupDesc(descriptions.item(i));
  2347. onegrp->setGroupOwner(managedBy.item(i));
  2348. groups.append(*onegrp.getLink());
  2349. }
  2350. resp.setGroups(groups);
  2351. return true;
  2352. }
  2353. bool Cws_accessEx::permissionAddInputOnAccount(IEspContext &context, const char* accountName, IEspPermissionAddRequest &req, IEspPermissionAddResponse &resp)
  2354. {
  2355. CLdapSecManager* secmgr = (CLdapSecManager*)context.querySecManager();
  2356. if(secmgr == NULL)
  2357. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
  2358. resp.setBasednName(req.getBasednName());
  2359. resp.setAccountName(req.getAccountName());
  2360. resp.setAccountType(req.getAccountType());
  2361. const char* prefix = req.getPrefix();
  2362. const char* basednName = req.getBasednName();
  2363. int accountType = req.getAccountType();
  2364. if (basednName && *basednName)
  2365. {
  2366. ForEachItemIn(y, m_basedns)
  2367. {
  2368. IEspDnStruct* curbasedn = &(m_basedns.item(y));
  2369. const char *aName = curbasedn->getName();
  2370. if (!aName || stricmp(basednName, aName))
  2371. continue;
  2372. const char *basedn = curbasedn->getBasedn();
  2373. const char *rtypestr = curbasedn->getRtype();
  2374. if (!basedn || !*basedn || !rtypestr || !*rtypestr)
  2375. continue;
  2376. IArrayOf<ISecResource> resources;
  2377. SecResourceType rtype = str2type(rtypestr);
  2378. if(secmgr->getResources(rtype, basedn, resources))
  2379. {
  2380. StringArray resourcenames;
  2381. for(unsigned i = 0; i < resources.length(); i++)
  2382. {
  2383. ISecResource& r = resources.item(i);
  2384. const char* rname = r.getName();
  2385. if(rname == NULL || *rname == '\0')
  2386. continue;
  2387. if(prefix && *prefix)
  2388. {
  2389. int prefixlen = strlen(prefix);
  2390. if(strncmp(prefix, rname, prefixlen) == 0)
  2391. rname += prefixlen;
  2392. }
  2393. if((rtype == RT_MODULE) && stricmp(rname, "repository"))
  2394. {
  2395. if(Utils::strncasecmp(rname, "repository.", 11) == 0)
  2396. rname = rname + 11;
  2397. else
  2398. continue;
  2399. }
  2400. StringBuffer namebuf(rname);
  2401. if((rtype == RT_MODULE) && stricmp(rname, "repository") != 0 && Utils::strncasecmp(rname, "repository.", 11) != 0)
  2402. namebuf.insert(0, "repository.");
  2403. if(prefix && *prefix)
  2404. namebuf.insert(0, prefix);
  2405. try
  2406. {
  2407. IArrayOf<CPermission> permissions;
  2408. secmgr->getPermissionsArray(basedn, rtype, namebuf.str(), permissions);
  2409. bool found = false;
  2410. ForEachItemIn(x, permissions)
  2411. {
  2412. CPermission& perm = permissions.item(x);
  2413. const char* actname = perm.getAccount_name();
  2414. int accType = perm.getAccount_type(); //0-individual, 1 - group
  2415. if ((accountType == accType) && actname && !strcmp(actname, accountName))
  2416. {
  2417. found = true;
  2418. break;
  2419. }
  2420. }
  2421. if (!found)
  2422. resourcenames.append(rname);
  2423. }
  2424. catch(IException* e) //exception may be thrown when no permission for the resource
  2425. {
  2426. e->Release();
  2427. break;
  2428. }
  2429. }
  2430. if (resourcenames.length() > 0)
  2431. resp.setResources(resourcenames);
  2432. }
  2433. }
  2434. }
  2435. return true;
  2436. }
  2437. bool Cws_accessEx::onPermissionAction(IEspContext &context, IEspPermissionActionRequest &req, IEspPermissionActionResponse &resp)
  2438. {
  2439. try
  2440. {
  2441. checkUser(context, req.getRtype(), req.getRtitle(), SecAccess_Full);
  2442. resp.setBasedn(req.getBasedn());
  2443. resp.setRname(req.getRname());
  2444. resp.setRtype(req.getRtype());
  2445. resp.setRtitle(req.getRtitle());
  2446. resp.setPrefix(req.getPrefix());
  2447. CLdapSecManager* ldapsecmgr = queryLDAPSecurityManager(context);
  2448. if(ldapsecmgr == NULL)
  2449. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
  2450. CPermissionAction paction;
  2451. paction.m_basedn.append(req.getBasedn());
  2452. const char* name = req.getRname();
  2453. StringBuffer namebuf(name);
  2454. SecResourceType rtype = str2type(req.getRtype());
  2455. if(rtype == RT_MODULE && stricmp(name, "repository") != 0 && Utils::strncasecmp(name, "repository.", 11) != 0)
  2456. namebuf.insert(0, "repository.");
  2457. const char* prefix = req.getPrefix();
  2458. if(prefix && *prefix)
  2459. namebuf.insert(0, prefix);
  2460. double version = context.getClientVersion();
  2461. paction.m_rname.append(namebuf.str());
  2462. paction.m_rtype = str2type(req.getRtype());
  2463. paction.m_account_type = (ACT_TYPE)req.getAccount_type();
  2464. if(stricmp(req.getAction(), "add") == 0)
  2465. {
  2466. StringBuffer basednNameStr, resourceNameStr;
  2467. if (version >= 1.01)
  2468. {
  2469. const char* basedn_name = req.getBasednName();
  2470. const char* resource_name = req.getResourceName();
  2471. if (basedn_name && *basedn_name)
  2472. basednNameStr.append(basedn_name);
  2473. if (resource_name && *resource_name)
  2474. resourceNameStr.append(resource_name);
  2475. }
  2476. const char* user = req.getUser();
  2477. const char* grp = req.getGroup();
  2478. if(user != NULL && *user != '\0')
  2479. {
  2480. paction.m_account_name.append(user);
  2481. paction.m_account_type = USER_ACT;
  2482. }
  2483. else if(grp != NULL && *grp != '\0')
  2484. {
  2485. paction.m_account_name.append(grp);
  2486. // anyone is actually treated as a virtual "user" by sun and open ldap.
  2487. if((ldapsecmgr->getLdapServerType() != ACTIVE_DIRECTORY) && (stricmp(grp, "anyone") == 0))
  2488. paction.m_account_type = USER_ACT;
  2489. else
  2490. paction.m_account_type = GROUP_ACT;
  2491. }
  2492. else if((basednNameStr.length() > 0) && (resourceNameStr.length() > 0))
  2493. {
  2494. const char* account_name = req.getAccount_name();
  2495. if (!account_name || !*account_name)
  2496. {
  2497. resp.setRetcode(-1);
  2498. resp.setRetmsg("Please input or select user/group");
  2499. return false;
  2500. }
  2501. paction.m_account_name.clear().append(account_name);
  2502. ForEachItemIn(y, m_basedns)
  2503. {
  2504. IEspDnStruct* curbasedn = &(m_basedns.item(y));
  2505. const char *aName = curbasedn->getName();
  2506. if (!aName || stricmp(basednNameStr.str(), aName))
  2507. continue;
  2508. const char *basedn = curbasedn->getBasedn();
  2509. const char *rtypestr = curbasedn->getRtype();
  2510. if (!basedn || !*basedn || !rtypestr || !*rtypestr)
  2511. continue;
  2512. StringBuffer namebuf(resourceNameStr);
  2513. SecResourceType rtype = str2type(rtypestr);
  2514. if(rtype == RT_MODULE && stricmp(namebuf.str(), "codegenerator.cpp") && stricmp(namebuf.str(), "repository") != 0 && Utils::strncasecmp(namebuf.str(), "repository.", 11) != 0)
  2515. namebuf.insert(0, "repository.");
  2516. if(prefix && *prefix)
  2517. namebuf.insert(0, prefix);
  2518. paction.m_basedn.clear().append(basedn);
  2519. paction.m_rname.clear().append(namebuf.str());
  2520. paction.m_rtype = rtype;
  2521. break;
  2522. }
  2523. resp.setAccountName(account_name);
  2524. if (req.getAccount_type() < 1)
  2525. resp.setIsGroup(false);
  2526. else
  2527. resp.setIsGroup(true);
  2528. }
  2529. else
  2530. {
  2531. resp.setRetcode(-1);
  2532. resp.setRetmsg("Please input or select user/group");
  2533. return false;
  2534. }
  2535. }
  2536. else
  2537. {
  2538. paction.m_account_name.append(req.getAccount_name());
  2539. if (version >= 1.01)
  2540. {
  2541. resp.setAccountName(req.getAccount_name());
  2542. if (req.getAccount_type() < 1)
  2543. resp.setIsGroup(false);
  2544. else
  2545. resp.setIsGroup(true);
  2546. }
  2547. }
  2548. paction.m_allows = 0;
  2549. paction.m_denies = 0;
  2550. if(req.getAllow_full())
  2551. paction.m_allows |= NewSecAccess_Full;
  2552. if(req.getAllow_read())
  2553. paction.m_allows |= NewSecAccess_Read;
  2554. if(req.getAllow_write())
  2555. paction.m_allows |= NewSecAccess_Write;
  2556. if(req.getAllow_access())
  2557. paction.m_allows |= NewSecAccess_Access;
  2558. if(req.getDeny_full())
  2559. paction.m_denies |= NewSecAccess_Full;
  2560. if(req.getDeny_read())
  2561. paction.m_denies |= NewSecAccess_Read;
  2562. if(req.getDeny_write())
  2563. paction.m_denies |= NewSecAccess_Write;
  2564. if(req.getDeny_access())
  2565. paction.m_denies |= NewSecAccess_Access;
  2566. paction.m_action.append(req.getAction());
  2567. bool ret = true;
  2568. StringBuffer retmsg;
  2569. try
  2570. {
  2571. ret = ldapsecmgr->changePermission(paction);
  2572. }
  2573. catch(IException* e)
  2574. {
  2575. resp.setRetcode(e->errorCode());
  2576. e->errorMessage(retmsg);
  2577. resp.setRetmsg(retmsg.str());
  2578. return false;
  2579. }
  2580. if(!ret)
  2581. {
  2582. resp.setRetcode(-1);
  2583. resp.setRetmsg("Unknown error");
  2584. return false;
  2585. }
  2586. resp.setRetcode(0);
  2587. }
  2588. catch(IException* e)
  2589. {
  2590. FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
  2591. }
  2592. return true;
  2593. }
  2594. bool Cws_accessEx::onUserResetPassInput(IEspContext &context, IEspUserResetPassInputRequest &req, IEspUserResetPassInputResponse &resp)
  2595. {
  2596. try
  2597. {
  2598. checkUser(context);
  2599. resp.setUsername(req.getUsername());
  2600. }
  2601. catch(IException* e)
  2602. {
  2603. FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
  2604. }
  2605. return true;
  2606. }
  2607. bool Cws_accessEx::onUserResetPass(IEspContext &context, IEspUserResetPassRequest &req, IEspUserResetPassResponse &resp)
  2608. {
  2609. try
  2610. {
  2611. checkUser(context);
  2612. resp.setUsername(req.getUsername());
  2613. ISecManager* secmgr = context.querySecManager();
  2614. if(secmgr == NULL)
  2615. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
  2616. CLdapSecManager* ldapsecmgr = (CLdapSecManager*)secmgr;
  2617. const char* username = req.getUsername();
  2618. if(username == NULL)
  2619. {
  2620. resp.setRetcode(-1);
  2621. resp.setRetmsg("username can't be empty");
  2622. return false;
  2623. }
  2624. const char* newpass1 = req.getNewPassword();
  2625. const char* newpass2 = req.getNewPasswordRetype();
  2626. if(newpass1 == NULL || newpass2 == NULL || *newpass1 == '\0' || *newpass2 == '\0' || strcmp(newpass1, newpass2) != 0)
  2627. {
  2628. resp.setRetcode(-1);
  2629. resp.setRetmsg("new password and retype can't be empty and must match");
  2630. return false;
  2631. }
  2632. bool ret = ldapsecmgr->updateUserPassword(username, req.getNewPassword());
  2633. if(ret)
  2634. {
  2635. resp.setRetcode(0);
  2636. resp.setRetmsg("");
  2637. return false;
  2638. }
  2639. else
  2640. {
  2641. resp.setRetcode(-1);
  2642. }
  2643. }
  2644. catch(IException* e)
  2645. {
  2646. FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
  2647. }
  2648. return true;
  2649. }
  2650. bool Cws_accessEx::onUserPosix(IEspContext &context, IEspUserPosixRequest &req, IEspUserPosixResponse &resp)
  2651. {
  2652. try
  2653. {
  2654. checkUser(context);
  2655. CLdapSecManager* secmgr = (CLdapSecManager*)context.querySecManager();
  2656. if(secmgr == NULL)
  2657. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
  2658. const char* username = req.getUsername();
  2659. if(username == NULL || *username == '\0')
  2660. {
  2661. resp.setRetcode(-1);
  2662. resp.setRetmsg("username can't be empty");
  2663. return false;
  2664. }
  2665. bool enable = req.getPosixenabled();
  2666. Owned<CLdapSecUser> user = (CLdapSecUser*)secmgr->createUser(username);
  2667. if(enable)
  2668. {
  2669. const char* gidnumber = req.getGidnumber();
  2670. const char* uidnumber = req.getUidnumber();
  2671. const char* homedirectory = req.getHomedirectory();
  2672. const char* loginshell = req.getLoginshell();
  2673. if(!gidnumber || !*gidnumber || !uidnumber || !*uidnumber || !homedirectory || !*homedirectory)
  2674. {
  2675. resp.setRetcode(-1);
  2676. resp.setRetmsg("gidnumber, uidnumber and homedirectory are required.");
  2677. return false;
  2678. }
  2679. unsigned i;
  2680. for(i = 0; i < strlen(gidnumber); i++)
  2681. {
  2682. if(!isdigit(gidnumber[i]))
  2683. throw MakeStringException(ECLWATCH_ID_MUST_BE_ALL_DIGITS, "Group ID Number should be all digits");
  2684. }
  2685. for(i = 0; i < strlen(uidnumber); i++)
  2686. {
  2687. if(!isdigit(uidnumber[i]))
  2688. throw MakeStringException(ECLWATCH_ID_MUST_BE_ALL_DIGITS, "User ID Number should be all digits");
  2689. }
  2690. user->setGidnumber(gidnumber);
  2691. user->setUidnumber(uidnumber);
  2692. user->setHomedirectory(homedirectory);
  2693. user->setLoginshell(loginshell);
  2694. }
  2695. try
  2696. {
  2697. secmgr->updateUser(enable?"posixenable":"posixdisable", *user.get());
  2698. }
  2699. catch(IException* e)
  2700. {
  2701. resp.setRetcode(-1);
  2702. StringBuffer errmsg;
  2703. resp.setRetmsg(e->errorMessage(errmsg).str());
  2704. return false;
  2705. }
  2706. resp.setUsername(username);
  2707. resp.setRetcode(0);
  2708. resp.setRetmsg("User's posix account info has been successfully updated");
  2709. }
  2710. catch(IException* e)
  2711. {
  2712. FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
  2713. }
  2714. return true;
  2715. }
  2716. bool Cws_accessEx::onUserPosixInput(IEspContext &context, IEspUserPosixInputRequest &req, IEspUserPosixInputResponse &resp)
  2717. {
  2718. try
  2719. {
  2720. checkUser(context);
  2721. CLdapSecManager* secmgr = (CLdapSecManager*)context.querySecManager();
  2722. if(secmgr == NULL)
  2723. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
  2724. const char* username = req.getUsername();
  2725. if(username == NULL || *username == '\0')
  2726. {
  2727. throw MakeStringException(ECLWATCH_INVALID_ACCOUNT_NAME, "Please specify a username.");
  2728. }
  2729. Owned<CLdapSecUser> user = (CLdapSecUser*)secmgr->createUser(username);
  2730. secmgr->getUserInfo(*user.get());
  2731. resp.setUsername(username);
  2732. resp.setPosixenabled(user->getPosixenabled());
  2733. if(user->getGidnumber())
  2734. resp.setGidnumber(user->getGidnumber());
  2735. if(user->getUidnumber())
  2736. resp.setUidnumber(user->getUidnumber());
  2737. if(user->getHomedirectory())
  2738. resp.setHomedirectory(user->getHomedirectory());
  2739. if(user->getLoginshell())
  2740. resp.setLoginshell(user->getLoginshell());
  2741. }
  2742. catch(IException* e)
  2743. {
  2744. FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
  2745. }
  2746. return true;
  2747. }
  2748. bool Cws_accessEx::onUserInfoEdit(IEspContext &context, IEspUserInfoEditRequest &req, IEspUserInfoEditResponse &resp)
  2749. {
  2750. try
  2751. {
  2752. checkUser(context);
  2753. CLdapSecManager* secmgr = (CLdapSecManager*)context.querySecManager();
  2754. if(secmgr == NULL)
  2755. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
  2756. const char* username = req.getUsername();
  2757. if(username == NULL || *username == '\0')
  2758. {
  2759. resp.setRetcode(-1);
  2760. resp.setRetmsg("username can't be empty");
  2761. return false;
  2762. }
  2763. const char* firstname = req.getFirstname();
  2764. const char* lastname = req.getLastname();
  2765. if((!firstname || !*firstname) && (!lastname || !*lastname))
  2766. {
  2767. resp.setRetcode(-1);
  2768. resp.setRetmsg("Please specify both firstname and lastname");
  2769. return false;
  2770. }
  2771. Owned<CLdapSecUser> user = (CLdapSecUser*)secmgr->createUser(username);
  2772. user->setFirstName(firstname);
  2773. user->setLastName(lastname);
  2774. try
  2775. {
  2776. secmgr->updateUser("names", *user.get());
  2777. }
  2778. catch(IException* e)
  2779. {
  2780. resp.setRetcode(-1);
  2781. StringBuffer errmsg;
  2782. resp.setRetmsg(e->errorMessage(errmsg).str());
  2783. return false;
  2784. }
  2785. resp.setUsername(username);
  2786. resp.setRetcode(0);
  2787. resp.setRetmsg("User's account info has been successfully updated");
  2788. }
  2789. catch(IException* e)
  2790. {
  2791. FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
  2792. }
  2793. return true;
  2794. }
  2795. bool Cws_accessEx::onUserInfoEditInput(IEspContext &context, IEspUserInfoEditInputRequest &req, IEspUserInfoEditInputResponse &resp)
  2796. {
  2797. try
  2798. {
  2799. checkUser(context);
  2800. CLdapSecManager* secmgr = (CLdapSecManager*)context.querySecManager();
  2801. if(secmgr == NULL)
  2802. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
  2803. const char* username = req.getUsername();
  2804. if(username == NULL || *username == '\0')
  2805. {
  2806. throw MakeStringException(ECLWATCH_INVALID_ACCOUNT_NAME, "Please specify a username.");
  2807. }
  2808. Owned<CLdapSecUser> user = (CLdapSecUser*)secmgr->createUser(username);
  2809. secmgr->getUserInfo(*user.get());
  2810. resp.setUsername(username);
  2811. resp.setFirstname(user->getFirstName());
  2812. resp.setLastname(user->getLastName());
  2813. }
  2814. catch(IException* e)
  2815. {
  2816. FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
  2817. }
  2818. return true;
  2819. }
  2820. bool Cws_accessEx::onUserSudoersInput(IEspContext &context, IEspUserSudoersInputRequest &req, IEspUserSudoersInputResponse &resp)
  2821. {
  2822. try
  2823. {
  2824. checkUser(context);
  2825. CLdapSecManager* secmgr = (CLdapSecManager*)context.querySecManager();
  2826. if(secmgr == NULL)
  2827. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
  2828. const char* username = req.getUsername();
  2829. if(username == NULL || *username == '\0')
  2830. {
  2831. throw MakeStringException(ECLWATCH_INVALID_ACCOUNT_NAME, "Please specify a username.");
  2832. }
  2833. Owned<CLdapSecUser> user = (CLdapSecUser*)secmgr->createUser(username);
  2834. secmgr->getUserInfo(*user.get(), "sudoers");
  2835. resp.setUsername(username);
  2836. resp.setInsudoers(user->getInSudoers());
  2837. if(user->getInSudoers())
  2838. {
  2839. resp.setSudoHost(user->getSudoHost());
  2840. resp.setSudoCommand(user->getSudoCommand());
  2841. resp.setSudoOption(user->getSudoOption());
  2842. }
  2843. else
  2844. {
  2845. resp.setSudoHost("ALL");
  2846. resp.setSudoCommand("ALL");
  2847. resp.setSudoOption("!authenticate");
  2848. }
  2849. }
  2850. catch(IException* e)
  2851. {
  2852. FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
  2853. }
  2854. return true;
  2855. }
  2856. bool Cws_accessEx::onUserSudoers(IEspContext &context, IEspUserSudoersRequest &req, IEspUserSudoersResponse &resp)
  2857. {
  2858. try
  2859. {
  2860. checkUser(context);
  2861. CLdapSecManager* secmgr = (CLdapSecManager*)context.querySecManager();
  2862. if(secmgr == NULL)
  2863. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
  2864. const char* username = req.getUsername();
  2865. if(username == NULL || *username == '\0')
  2866. {
  2867. resp.setRetcode(-1);
  2868. resp.setRetmsg("username can't be empty");
  2869. return false;
  2870. }
  2871. resp.setUsername(username);
  2872. Owned<CLdapSecUser> user = (CLdapSecUser*)secmgr->createUser(username);
  2873. const char* action = req.getAction();
  2874. if(!action || !*action)
  2875. {
  2876. resp.setRetcode(-1);
  2877. resp.setRetmsg("Action can't be empty");
  2878. return false;
  2879. }
  2880. user->setSudoHost(req.getSudoHost());
  2881. user->setSudoCommand(req.getSudoCommand());
  2882. user->setSudoOption(req.getSudoOption());
  2883. bool ok = false;
  2884. StringBuffer retmsg;
  2885. try
  2886. {
  2887. if(stricmp(action, "add") == 0)
  2888. ok = secmgr->updateUser("sudoersadd", *user.get());
  2889. else if(stricmp(action, "delete") == 0)
  2890. ok = secmgr->updateUser("sudoersdelete", *user.get());
  2891. else if(stricmp(action, "update") == 0)
  2892. ok = secmgr->updateUser("sudoersupdate", *user.get());
  2893. }
  2894. catch(IException* e)
  2895. {
  2896. ok = false;
  2897. e->errorMessage(retmsg);
  2898. e->Release();
  2899. }
  2900. catch(...)
  2901. {
  2902. ok = false;
  2903. retmsg.append("unknown exception");
  2904. }
  2905. if(!ok)
  2906. {
  2907. resp.setRetcode(-1);
  2908. resp.setRetmsg(retmsg.str());
  2909. }
  2910. else
  2911. {
  2912. resp.setRetcode(0);
  2913. resp.setRetmsg("succeeded.");
  2914. }
  2915. }
  2916. catch(IException* e)
  2917. {
  2918. FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
  2919. }
  2920. return true;
  2921. }
  2922. bool Cws_accessEx::onAccountPermissions(IEspContext &context, IEspAccountPermissionsRequest &req, IEspAccountPermissionsResponse &resp)
  2923. {
  2924. try
  2925. {
  2926. StringBuffer userID;
  2927. bool bGroupAccount = req.getIsGroup();
  2928. const char* username = req.getAccountName();
  2929. if(!username || !*username)
  2930. {//send back the permissions for the current user.
  2931. context.getUserID(userID);
  2932. if (!userID.length())
  2933. throw MakeStringException(ECLWATCH_INVALID_INPUT, "Could not get user ID.");
  2934. username = userID.str();
  2935. bGroupAccount = false;
  2936. }
  2937. else
  2938. checkUser(context);
  2939. double version = context.getClientVersion();
  2940. CLdapSecManager* ldapsecmgr = queryLDAPSecurityManager(context);
  2941. if(ldapsecmgr == NULL)
  2942. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
  2943. bool bIncludeGroup = req.getIncludeGroup();
  2944. if(m_basedns.length() == 0)
  2945. {
  2946. setBasedns(context);
  2947. }
  2948. StringArray groupnames;
  2949. if (version > 1.02 && !bGroupAccount && bIncludeGroup)
  2950. {
  2951. ldapsecmgr->getGroups(username, groupnames);
  2952. }
  2953. groupnames.append("Authenticated Users");
  2954. groupnames.append("everyone");
  2955. IArrayOf<IEspAccountPermission> accountPermissions;
  2956. bool bAuthUsersPerm = false;
  2957. Owned<IEspGroupAccountPermission> grouppermission1 = createGroupAccountPermission();
  2958. grouppermission1->setGroupName("Authenticated Users");
  2959. if (version > 1.05)
  2960. {
  2961. StringArray basednNames;
  2962. getBaseDNsForAddingPermssionToAccount(ldapsecmgr, NULL, "Authenticated Users", 1, basednNames);
  2963. if (basednNames.length() > 0)
  2964. grouppermission1->setBasednNames(basednNames);
  2965. }
  2966. IArrayOf<IConstAccountPermission>& authUsersPermissions = grouppermission1->getPermissions();
  2967. bool bEveryonePerm = false;
  2968. Owned<IEspGroupAccountPermission> grouppermission2 = createGroupAccountPermission();
  2969. grouppermission2->setGroupName("Everyone");
  2970. if (version > 1.05)
  2971. {
  2972. StringArray basednNames;
  2973. getBaseDNsForAddingPermssionToAccount(ldapsecmgr, NULL, "Everyone", 1, basednNames);
  2974. if (basednNames.length() > 0)
  2975. grouppermission2->setBasednNames(basednNames);
  2976. }
  2977. IArrayOf<IConstAccountPermission>& everyonePermissions = grouppermission2->getPermissions();
  2978. IArrayOf<IEspGroupAccountPermission> groupAccountPermissions;
  2979. StringBuffer moduleBasedn; //To be used by the Permission: codegenerator.cpp
  2980. ForEachItemIn(y1, m_basedns)
  2981. {
  2982. IEspDnStruct* curbasedn = &(m_basedns.item(y1));
  2983. const char *aName = curbasedn->getName();
  2984. const char *aBasedn = curbasedn->getBasedn();
  2985. const char *aRtype = curbasedn->getRtype();
  2986. const char *aRtitle = curbasedn->getRtitle();
  2987. if (!aName || !*aName ||!aBasedn || !*aBasedn ||!aRtype || !*aRtype ||!aRtitle || !*aRtitle)
  2988. continue;
  2989. SecResourceType rtype = str2type(aRtype);
  2990. if (rtype == RT_MODULE)
  2991. {
  2992. moduleBasedn.append(aBasedn);
  2993. break;
  2994. }
  2995. }
  2996. ForEachItemIn(y, m_basedns)
  2997. {
  2998. IEspDnStruct* curbasedn = &(m_basedns.item(y));
  2999. const char *aName = curbasedn->getName();
  3000. const char *aBasedn = curbasedn->getBasedn();
  3001. const char *aRtype = curbasedn->getRtype();
  3002. const char *aRtitle = curbasedn->getRtitle();
  3003. if (!aName || !*aName ||!aBasedn || !*aBasedn ||!aRtype || !*aRtype ||!aRtitle || !*aRtitle)
  3004. continue;
  3005. SecResourceType rtype = str2type(aRtype);
  3006. IArrayOf<IEspResource> ResourceArray;
  3007. //if(rtype == RT_FILE_SCOPE || rtype == RT_WORKUNIT_SCOPE)
  3008. if(rtype == RT_WORKUNIT_SCOPE)
  3009. {
  3010. StringBuffer deft_basedn, deft_name;
  3011. const char* comma = strchr(aBasedn, ',');
  3012. const char* eqsign = strchr(aBasedn, '=');
  3013. if(eqsign != NULL)
  3014. {
  3015. if(comma == NULL)
  3016. deft_name.append(eqsign+1);
  3017. else
  3018. {
  3019. deft_name.append(comma - eqsign - 1, eqsign+1);
  3020. deft_basedn.append(comma + 1);
  3021. }
  3022. }
  3023. if (deft_name.length() > 0)
  3024. {
  3025. Owned<IEspResource> oneresource = createResource();
  3026. oneresource->setName(deft_name);
  3027. oneresource->setDescription(deft_basedn);
  3028. ResourceArray.append(*oneresource.getLink());
  3029. }
  3030. }
  3031. IArrayOf<ISecResource> resources;
  3032. if(ldapsecmgr->getResources(rtype, aBasedn, resources))
  3033. {
  3034. ForEachItemIn(y1, resources)
  3035. {
  3036. ISecResource& r = resources.item(y1);
  3037. const char* rname = r.getName();
  3038. if(rname == NULL || *rname == '\0')
  3039. continue;
  3040. //permission codegenerator.cpp is saved as a service permission (not a module permission)
  3041. //when it is added for a user
  3042. if ((rtype == RT_MODULE) && (!stricmp(rname, "codegenerator.cpp")))
  3043. continue;
  3044. if((rtype == RT_MODULE) && Utils::strncasecmp(rname, "repository", 10))
  3045. {
  3046. continue;
  3047. }
  3048. Owned<IEspResource> oneresource = createResource();
  3049. oneresource->setName(rname);
  3050. oneresource->setDescription(aBasedn);
  3051. ResourceArray.append(*oneresource.getLink());
  3052. }
  3053. }
  3054. if(rtype == RT_SERVICE && moduleBasedn.length() > 0)
  3055. { //permission codegenerator.cpp is saved as a service permission when it is added for a user
  3056. Owned<IEspResource> oneresource = createResource();
  3057. oneresource->setName("codegenerator.cpp");
  3058. oneresource->setDescription(moduleBasedn.str());
  3059. ResourceArray.append(*oneresource.getLink());
  3060. moduleBasedn.clear();
  3061. }
  3062. ForEachItemIn(y2, ResourceArray)
  3063. {
  3064. IEspResource& r = ResourceArray.item(y2);
  3065. const char* rname = r.getName();
  3066. const char* dnname = r.getDescription();
  3067. if(rname == NULL || *rname == '\0')
  3068. continue;
  3069. StringBuffer namebuf(rname);
  3070. //const char* prefix = req.getPrefix();
  3071. //if(prefix && *prefix)
  3072. // namebuf.insert(0, prefix);
  3073. try
  3074. {
  3075. IArrayOf<CPermission> permissions;
  3076. ldapsecmgr->getPermissionsArray(dnname, rtype, namebuf.str(), permissions);
  3077. ForEachItemIn(x, permissions)
  3078. {
  3079. CPermission& perm = permissions.item(x);
  3080. int accountType = perm.getAccount_type(); //0-individual, 1 - group
  3081. if (bGroupAccount && accountType < 1)
  3082. continue;
  3083. if (!bGroupAccount && (accountType > 0) && (groupnames.length() < 1))
  3084. continue;
  3085. StringBuffer escapedname;
  3086. const char* actname = perm.getAccount_name();
  3087. if ((!bGroupAccount && accountType < 1) || (bGroupAccount && accountType > 0))
  3088. {
  3089. if(!actname || strcmp(actname, username))
  3090. continue;
  3091. }
  3092. else if (version > 1.02)
  3093. {
  3094. if(!actname || groupnames.length() < 1)
  3095. continue;
  3096. bool bFound = false;
  3097. for(unsigned i = 0; i < groupnames.length(); i++)
  3098. {
  3099. const char* group = groupnames.item(i);
  3100. if (!group || strcmp(actname, group))
  3101. continue;
  3102. bFound = true;
  3103. break;
  3104. }
  3105. if (!bFound)
  3106. continue;
  3107. }
  3108. Owned<IEspAccountPermission> onepermission = createAccountPermission();
  3109. onepermission->setBasedn(dnname);
  3110. onepermission->setRType(aRtype);
  3111. onepermission->setResourceName(aRtitle);
  3112. onepermission->setPermissionName(namebuf.str());
  3113. int allows = perm.getAllows();
  3114. int denies = perm.getDenies();
  3115. if((allows & NewSecAccess_Access) == NewSecAccess_Access)
  3116. onepermission->setAllow_access(true);
  3117. if((allows & NewSecAccess_Read) == NewSecAccess_Read)
  3118. onepermission->setAllow_read(true);
  3119. if((allows & NewSecAccess_Write) == NewSecAccess_Write)
  3120. onepermission->setAllow_write(true);
  3121. if((allows & NewSecAccess_Full) == NewSecAccess_Full)
  3122. onepermission->setAllow_full(true);
  3123. if((denies & NewSecAccess_Access) == NewSecAccess_Access)
  3124. onepermission->setDeny_access(true);
  3125. if((denies & NewSecAccess_Read) == NewSecAccess_Read)
  3126. onepermission->setDeny_read(true);
  3127. if((denies & NewSecAccess_Write) == NewSecAccess_Write)
  3128. onepermission->setDeny_write(true);
  3129. if((denies & NewSecAccess_Full) == NewSecAccess_Full)
  3130. onepermission->setDeny_full(true);
  3131. if ((!bGroupAccount && accountType < 1) || (bGroupAccount && accountType > 0))
  3132. accountPermissions.append(*onepermission.getLink());
  3133. else if (version > 1.02)
  3134. {
  3135. if (!strcmp(actname, "Authenticated Users"))
  3136. {
  3137. authUsersPermissions.append(*onepermission.getLink());
  3138. bAuthUsersPerm = true;
  3139. }
  3140. else if (!strcmp(actname, "everyone"))
  3141. {
  3142. everyonePermissions.append(*onepermission.getLink());
  3143. bEveryonePerm = true;
  3144. }
  3145. else
  3146. {
  3147. bool bFound = false;
  3148. ForEachItemIn(k, groupAccountPermissions)
  3149. {
  3150. IEspGroupAccountPermission& grouppermission0 = groupAccountPermissions.item(k);
  3151. const char* g_name = grouppermission0.getGroupName();
  3152. if (!g_name || strcmp(actname, g_name))
  3153. continue;
  3154. IArrayOf<IConstAccountPermission>& g_permission = grouppermission0.getPermissions();
  3155. g_permission.append(*onepermission.getLink());
  3156. bFound = true;
  3157. break;
  3158. }
  3159. if (!bFound)
  3160. {
  3161. Owned<IEspGroupAccountPermission> grouppermission = createGroupAccountPermission();
  3162. grouppermission->setGroupName(actname);
  3163. if (version > 1.05)
  3164. {
  3165. StringArray basednNames;
  3166. getBaseDNsForAddingPermssionToAccount(ldapsecmgr, NULL, actname, 1, basednNames);
  3167. if (basednNames.length() > 0)
  3168. grouppermission->setBasednNames(basednNames);
  3169. }
  3170. IArrayOf<IConstAccountPermission>& g_permission = grouppermission->getPermissions();
  3171. g_permission.append(*onepermission.getLink());
  3172. groupAccountPermissions.append(*grouppermission.getLink());
  3173. }
  3174. }
  3175. }
  3176. }
  3177. }
  3178. catch(IException* e) //exception may be thrown when no permission for the resource
  3179. {
  3180. e->Release();
  3181. }
  3182. }
  3183. }
  3184. StringArray basednNames;
  3185. getBaseDNsForAddingPermssionToAccount(ldapsecmgr, NULL, username, bGroupAccount? 1:0, basednNames);
  3186. if (basednNames.length() > 0)
  3187. {
  3188. resp.setBasednNames(basednNames);
  3189. }
  3190. if (accountPermissions.length() > 0)
  3191. {
  3192. resp.setPermissions(accountPermissions);
  3193. }
  3194. if (version > 1.02)
  3195. {
  3196. if (bAuthUsersPerm)
  3197. {
  3198. groupAccountPermissions.append(*grouppermission1.getLink());
  3199. }
  3200. if (bEveryonePerm)
  3201. {
  3202. groupAccountPermissions.append(*grouppermission2.getLink());
  3203. }
  3204. if (groupAccountPermissions.length() > 0)
  3205. {
  3206. resp.setGroupPermissions(groupAccountPermissions);
  3207. }
  3208. }
  3209. resp.setAccountName(username);
  3210. resp.setIsGroup(bGroupAccount);
  3211. }
  3212. catch(IException* e)
  3213. {
  3214. FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
  3215. }
  3216. return true;
  3217. }
  3218. bool Cws_accessEx::onFilePermission(IEspContext &context, IEspFilePermissionRequest &req, IEspFilePermissionResponse &resp)
  3219. {
  3220. try
  3221. {
  3222. CLdapSecManager* secmgr = queryLDAPSecurityManager(context);
  3223. double version = context.getClientVersion();
  3224. if (version > 1.03)
  3225. {
  3226. if(secmgr == NULL)
  3227. {
  3228. resp.setNoSecMngr(true);
  3229. return true;
  3230. }
  3231. }
  3232. else
  3233. {
  3234. if(secmgr == NULL)
  3235. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
  3236. }
  3237. checkUser(context, FILE_SCOPE_RTYPE, FILE_SCOPE_RTITLE, SecAccess_Read);
  3238. //Get all users for input form
  3239. int numusers = secmgr->countUsers("", MAX_USERS_DISPLAY);
  3240. if(numusers == -1)
  3241. {
  3242. resp.setToomany(true);
  3243. }
  3244. else
  3245. {
  3246. resp.setToomany(false);
  3247. IArrayOf<IEspUserInfo> espusers;
  3248. IUserArray users;
  3249. secmgr->getAllUsers(users);
  3250. ForEachItemIn(x, users)
  3251. {
  3252. CLdapSecUser* usr = dynamic_cast<CLdapSecUser*>(&users.item(x));
  3253. if(usr)
  3254. {
  3255. Owned<IEspUserInfo> oneusr = createUserInfo();
  3256. oneusr->setUsername(usr->getName());
  3257. oneusr->setFullname(usr->getFullName());
  3258. espusers.append(*oneusr.getLink());
  3259. }
  3260. }
  3261. resp.setUsers(espusers);
  3262. }
  3263. //Get all groups for input form
  3264. StringArray groupnames;
  3265. StringArray managedBy;
  3266. StringArray descriptions;
  3267. secmgr->getAllGroups(groupnames, managedBy, descriptions);
  3268. ///groupnames.append("Authenticated Users");
  3269. ///groupnames.append("Administrators");
  3270. if (groupnames.length() > 0)
  3271. {
  3272. IArrayOf<IEspGroupInfo> groups;
  3273. for(unsigned i = 0; i < groupnames.length(); i++)
  3274. {
  3275. const char* grpname = groupnames.item(i);
  3276. if(grpname == NULL || grpname[0] == '\0')
  3277. continue;
  3278. Owned<IEspGroupInfo> onegrp = createGroupInfo();
  3279. onegrp->setName(grpname);
  3280. onegrp->setGroupDesc(descriptions.item(i));
  3281. onegrp->setGroupOwner(managedBy.item(i));
  3282. groups.append(*onegrp.getLink());
  3283. }
  3284. resp.setGroups(groups);
  3285. }
  3286. const char* fileName = req.getFileName();
  3287. const char* userName = req.getUserName();
  3288. const char* groupName = req.getGroupName();
  3289. if (!fileName || !*fileName)
  3290. return true; //no file name is set when the input form is launched first time
  3291. if ((!groupName || !*groupName) && (!userName || !*userName))
  3292. throw MakeStringException(ECLWATCH_INVALID_ACCOUNT_NAME, "Either user name or group name has to be specified.");
  3293. int access = -1;
  3294. if (userName && *userName) //for user
  3295. {
  3296. resp.setFileName(fileName);
  3297. resp.setUserName(userName);
  3298. Owned<ISecUser> sec_user = secmgr->findUser(userName);
  3299. if (sec_user)
  3300. {
  3301. StringBuffer accessStr;
  3302. access = secmgr->authorizeEx(RT_FILE_SCOPE, *sec_user, fileName, false);
  3303. switch (access)
  3304. {
  3305. case SecAccess_Full:
  3306. resp.setUserPermission("Full Access Permission");
  3307. break;
  3308. case SecAccess_Write:
  3309. resp.setUserPermission("Write Access Permission");
  3310. break;
  3311. case SecAccess_Read:
  3312. resp.setUserPermission("Read Access Permission");
  3313. break;
  3314. case SecAccess_Access:
  3315. resp.setUserPermission("Access Permission");
  3316. break;
  3317. case SecAccess_None:
  3318. resp.setUserPermission("None Access Permission");
  3319. break;
  3320. default:
  3321. resp.setUserPermission("Permission Unknown");
  3322. break;
  3323. }
  3324. }
  3325. }
  3326. else //for group
  3327. {
  3328. resp.setFileName(fileName);
  3329. resp.setGroupName(groupName);
  3330. if(m_basedns.length() == 0) //basedns may never be set
  3331. {
  3332. setBasedns(context);
  3333. }
  3334. //Find out the basedn for RT_FILE_SCOPE
  3335. CLdapSecManager* ldapsecmgr = (CLdapSecManager*)secmgr;
  3336. StringBuffer basednStr;
  3337. ForEachItemIn(y, m_basedns)
  3338. {
  3339. IEspDnStruct* curbasedn = &(m_basedns.item(y));
  3340. const char *aBasedn = curbasedn->getBasedn();
  3341. const char *aRtype = curbasedn->getRtype();
  3342. if (!aBasedn || !*aBasedn || !aRtype || !*aRtype)
  3343. continue;
  3344. SecResourceType rtype = str2type(aRtype);
  3345. if (rtype != RT_FILE_SCOPE)
  3346. continue;
  3347. basednStr.append(aBasedn);
  3348. }
  3349. char* pStr0 = (char*) fileName;
  3350. while (pStr0[0] == ':') //in case of some ':' by mistake
  3351. pStr0++;
  3352. //Check the permissin for the file and the group
  3353. if (*pStr0 && basednStr.length() > 0)
  3354. {
  3355. StringBuffer lastFileScope;
  3356. StringArray scopes;
  3357. char* pStr = strstr(pStr0, "::");
  3358. while (pStr)
  3359. {
  3360. char fileScope[10240];
  3361. strncpy(fileScope, pStr0, pStr-pStr0);
  3362. fileScope[pStr-pStr0] = 0;
  3363. if (lastFileScope.length() < 1)
  3364. lastFileScope.append(fileScope);
  3365. else
  3366. lastFileScope.appendf("::%s", fileScope);
  3367. scopes.add(lastFileScope.str(), 0);
  3368. pStr0 = pStr+2;
  3369. while (pStr0[0] == ':') //in case of more than two ':' by mistake
  3370. pStr0++;
  3371. if (pStr0[0] == 0)
  3372. break;
  3373. pStr = strstr(pStr0, "::");
  3374. }
  3375. if (pStr0[0] != 0)
  3376. {
  3377. if (lastFileScope.length() < 1)
  3378. lastFileScope.append(pStr0);
  3379. else
  3380. lastFileScope.appendf("::%s", pStr0);
  3381. scopes.add(lastFileScope.str(), 0);
  3382. }
  3383. access = 0;
  3384. ForEachItemIn(y, scopes)
  3385. {
  3386. StringBuffer namebuf = scopes.item(y);
  3387. try
  3388. {
  3389. IArrayOf<CPermission> permissions;
  3390. ldapsecmgr->getPermissionsArray(basednStr.str(), RT_FILE_SCOPE, namebuf.str(), permissions);
  3391. ForEachItemIn(x, permissions)
  3392. {
  3393. CPermission& perm = permissions.item(x);
  3394. int accountType = perm.getAccount_type(); //0-individual, 1 - group
  3395. if (accountType < 1)
  3396. continue;
  3397. const char* actname = perm.getAccount_name();
  3398. if(!actname || strcmp(actname, groupName))
  3399. continue;
  3400. int allows = perm.getAllows();
  3401. int denies = perm.getDenies();
  3402. access = allows & (~denies);
  3403. break;
  3404. }
  3405. }
  3406. catch(IException* e) //exception may be thrown when no permission for the resource
  3407. {
  3408. e->Release();
  3409. }
  3410. if (access != 0)
  3411. break;
  3412. }
  3413. }
  3414. //Convert permission type to display string
  3415. if((access & NewSecAccess_Full) == NewSecAccess_Full)
  3416. resp.setUserPermission("Full Access Permission");
  3417. else if((access & NewSecAccess_Write) == NewSecAccess_Write)
  3418. resp.setUserPermission("Write Access Permission");
  3419. else if((access & NewSecAccess_Read) == NewSecAccess_Read)
  3420. resp.setUserPermission("Read Access Permission");
  3421. else if((access & NewSecAccess_Access) == NewSecAccess_Access)
  3422. resp.setUserPermission("Access Permission");
  3423. else if (access == 0)
  3424. resp.setUserPermission("None Access Permission");
  3425. else
  3426. resp.setUserPermission("Permission Unknown");
  3427. }
  3428. }
  3429. catch(IException* e)
  3430. {
  3431. FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
  3432. }
  3433. return true;
  3434. }
  3435. bool Cws_accessEx::onUserAccountExport(IEspContext &context, IEspUserAccountExportRequest &req, IEspUserAccountExportResponse &resp)
  3436. {
  3437. try
  3438. {
  3439. CLdapSecManager* secmgr = dynamic_cast<CLdapSecManager*>(context.querySecManager());
  3440. if(secmgr == NULL)
  3441. {
  3442. throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
  3443. }
  3444. CLdapSecManager* ldapsecmgr = (CLdapSecManager*)secmgr;
  3445. checkUser(context);
  3446. StringBuffer xls;
  3447. xls.append("<html xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">");
  3448. xls.append("<head>");
  3449. xls.append("<META http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\">");
  3450. xls.append("<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\">");
  3451. xls.append("<title>User Account Information</title>");
  3452. xls.append("</head>");
  3453. xls.append("<body>");
  3454. xls.append("<table xmlns:msxsl=\"urn:schemas-microsoft-com:xslt\" cellspacing=\"0\" frame=\"box\" rules=\"all\">");
  3455. xls.append("<thead>");
  3456. xls.append("<tr valign=\"bottom\">");
  3457. xls.append("<th>Login Name</th>");
  3458. xls.append("<th>First Name</th>");
  3459. xls.append("<th>Last Name</th>");
  3460. xls.append("<th>Group Name</th>");
  3461. xls.append("</tr>");
  3462. StringArray& usernames = req.getUsernames();
  3463. StringArray& groupnames = req.getGroupnames();
  3464. if (usernames.length() > 0)
  3465. {
  3466. for(unsigned i = 0; i < usernames.length(); i++)
  3467. {
  3468. const char* username = usernames.item(i);
  3469. if (!username || !*username)
  3470. continue;
  3471. Owned<CLdapSecUser> user = (CLdapSecUser*)secmgr->createUser(username);
  3472. secmgr->getUserInfo(*user.get());
  3473. const char* firstname = user->getFirstName();
  3474. const char* lastname = user->getLastName();
  3475. StringArray groupnames1;
  3476. ldapsecmgr->getGroups(username, groupnames1);
  3477. ///groupnames1.append("TestGroup1");
  3478. ///groupnames1.append("TestGroup2");
  3479. if (groupnames1.length() < 1)
  3480. {
  3481. xls.append("<tr>");
  3482. xls.appendf("<td>%s</td>", username);
  3483. if (!firstname || !*firstname)
  3484. xls.append("<td></td>");
  3485. else
  3486. xls.appendf("<td>%s</td>", firstname);
  3487. if (!lastname || !*lastname)
  3488. xls.append("<td></td>");
  3489. else
  3490. xls.appendf("<td>%s</td>", lastname);
  3491. xls.append("<td></td>");
  3492. xls.append("</tr>");
  3493. }
  3494. else
  3495. {
  3496. for(unsigned i = 0; i < groupnames1.length(); i++)
  3497. {
  3498. const char* grpname = groupnames1.item(i);
  3499. if(grpname == NULL || grpname[0] == '\0')
  3500. continue;
  3501. xls.append("<tr>");
  3502. xls.appendf("<td>%s</td>", username);
  3503. if (!firstname || !*firstname)
  3504. xls.append("<td></td>");
  3505. else
  3506. xls.appendf("<td>%s</td>", firstname);
  3507. if (!lastname || !*lastname)
  3508. xls.append("<td></td>");
  3509. else
  3510. xls.appendf("<td>%s</td>", lastname);
  3511. xls.appendf("<td>%s</td>", grpname);
  3512. xls.append("</tr>");
  3513. }
  3514. }
  3515. }
  3516. }
  3517. else if (groupnames.length() > 0)
  3518. {
  3519. for(unsigned i = 0; i < groupnames.length(); i++)
  3520. {
  3521. const char* groupname = groupnames.item(i);
  3522. if (!groupname || !*groupname)
  3523. continue;
  3524. StringArray usernames1;
  3525. ldapsecmgr->getGroupMembers(groupname, usernames1);
  3526. ///usernames1.append("_clo");
  3527. ///usernames1.append("_rkc");
  3528. for(unsigned j = 0; j < usernames1.length(); j++)
  3529. {
  3530. const char* usrname = usernames1.item(j);
  3531. if(usrname == NULL || usrname[0] == '\0')
  3532. continue;
  3533. Owned<CLdapSecUser> user = (CLdapSecUser*)secmgr->createUser(usrname);
  3534. secmgr->getUserInfo(*user.get());
  3535. const char* firstname = user->getFirstName();
  3536. const char* lastname = user->getLastName();
  3537. xls.append("<tr>");
  3538. xls.appendf("<td>%s</td>", usrname);
  3539. if (!firstname || !*firstname)
  3540. xls.append("<td></td>");
  3541. else
  3542. xls.appendf("<td>%s</td>", firstname);
  3543. if (!lastname || !*lastname)
  3544. xls.append("<td></td>");
  3545. else
  3546. xls.appendf("<td>%s</td>", lastname);
  3547. xls.appendf("<td>%s</td>", groupname);
  3548. xls.append("</tr>");
  3549. }
  3550. }
  3551. }
  3552. xls.append("</thead>");
  3553. xls.append("</table>");
  3554. xls.append("</body>");
  3555. xls.append("</html>");
  3556. MemoryBuffer buff;
  3557. buff.setBuffer(xls.length(), (void*)xls.str());
  3558. resp.setResult(buff);
  3559. resp.setResult_mimetype("application/vnd.ms-excel");
  3560. }
  3561. catch(IException* e)
  3562. {
  3563. FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
  3564. }
  3565. return true;
  3566. }
  3567. int Cws_accessSoapBindingEx::onGetForm(IEspContext &context, CHttpRequest* request, CHttpResponse* response, const char *service, const char *method)
  3568. {
  3569. try
  3570. {
  3571. if(stricmp(method,"SecurityNotEnabled")==0)
  3572. {
  3573. StringBuffer page;
  3574. page.append(
  3575. "<html>"
  3576. "<head>"
  3577. "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />"
  3578. "<link rel=\"stylesheet\" type=\"text/css\" href=\"/esp/files/default.css\"/>"
  3579. "<link rel=\"stylesheet\" type=\"text/css\" href=\"/esp/files/yui/build/fonts/fonts-min.css\" />"
  3580. "<title>Security Not Enabled</title>"
  3581. "</head>"
  3582. "<body>"
  3583. "<p style=\"text-align:centre;\">In order to use this feature, authentication should be enabled.");
  3584. page.append("</p></body>"
  3585. "</html>");
  3586. response->setContent(page.str());
  3587. response->setContentType("text/html");
  3588. response->send();
  3589. return 0;
  3590. }
  3591. else if(stricmp(method,"FirefoxNotSupport")==0)
  3592. {
  3593. StringBuffer page;
  3594. page.append(
  3595. "<html>"
  3596. "<head>"
  3597. "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />"
  3598. "<link rel=\"stylesheet\" type=\"text/css\" href=\"/esp/files/default.css\"/>"
  3599. "<link rel=\"stylesheet\" type=\"text/css\" href=\"/esp/files/yui/build/fonts/fonts-min.css\" />"
  3600. "<title>Firefox Not Support</title>"
  3601. "</head>"
  3602. "<body>"
  3603. "<p style=\"text-align:centre;\">This feature is not supported under Firefox.");
  3604. page.append("</p></body>"
  3605. "</html>");
  3606. response->setContent(page.str());
  3607. response->setContentType("text/html");
  3608. response->send();
  3609. return 0;
  3610. }
  3611. }
  3612. catch(IException* e)
  3613. {
  3614. FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
  3615. }
  3616. return onGetForm(context, request, response, service, method);
  3617. }