12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355 |
- /*##############################################################################
- HPCC SYSTEMS software Copyright (C) 2012 HPCC Systems®.
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
- http://www.apache.org/licenses/LICENSE-2.0
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
- ############################################################################## */
- #ifdef _WIN32
- #define AXA_API __declspec(dllexport)
- #endif
- #include "ldapsecurity.ipp"
- #include "ldapsecurity.hpp"
- #include "authmap.ipp"
- /**********************************************************
- * CLdapSecUser *
- **********************************************************/
- CLdapSecUser::CLdapSecUser(const char *name, const char *pw) :
- m_pw(pw), m_authenticateStatus(AS_UNKNOWN)
- {
- setName(name);
- }
- CLdapSecUser::~CLdapSecUser()
- {
- }
- //non-interfaced functions
- void CLdapSecUser::setUserID(unsigned userid)
- {
- m_userid = userid;
- }
- void CLdapSecUser::setUserSid(int sidlen, const char* sid)
- {
- m_usersid.clear();
- m_usersid.append(sidlen, sid);
- }
- MemoryBuffer& CLdapSecUser::getUserSid()
- {
- return m_usersid;
- }
- //interface ISecUser
- const char * CLdapSecUser::getName()
- {
- return m_name.get();
- }
- bool CLdapSecUser::setName(const char * name)
- {
- if(name != NULL)
- {
- const char* atsign = strchr(name, '@');
- if(atsign != NULL)
- {
- m_name.set(name, atsign - name);
- m_realm.set(atsign + 1);
- }
- else
- {
- m_name.set(name);
- }
- }
- return TRUE;
- }
- const char * CLdapSecUser::getFullName()
- {
- return m_fullname.get();
- }
- bool CLdapSecUser::setFullName(const char * name)
- {
- if(name != NULL)
- {
- m_fullname.set(name);
- }
- return true;
- }
- const char * CLdapSecUser::getFirstName()
- {
- return m_firstname.get();
- }
- bool CLdapSecUser::setFirstName(const char * fname)
- {
- if(fname != NULL)
- {
- m_firstname.set(fname);
- }
- return true;
- }
- const char * CLdapSecUser::getLastName()
- {
- return m_lastname.get();
- }
- bool CLdapSecUser::setLastName(const char * lname)
- {
- if(lname != NULL)
- {
- m_lastname.set(lname);
- }
- return true;
- }
- const char * CLdapSecUser::getRealm()
- {
- return m_realm.get();
- }
- bool CLdapSecUser::setRealm(const char * name)
- {
- m_realm.set(name);
- return TRUE;
- }
- const char * CLdapSecUser::getFqdn()
- {
- return m_Fqdn.get();
- }
-
- bool CLdapSecUser::setFqdn(const char * Fqdn)
- {
- m_Fqdn.set(Fqdn);
- return true;
- }
- const char *CLdapSecUser::getPeer()
- {
- return m_Peer.get();
- }
- bool CLdapSecUser::setPeer(const char *Peer)
- {
- m_Peer.set(Peer);
- return true;
- }
- ISecCredentials & CLdapSecUser::credentials()
- {
- return *this;
- }
- unsigned CLdapSecUser::getUserID()
- {
- return m_userid;
- }
- //interface ISecCredentials
- bool CLdapSecUser::setPassword(const char * pw)
- {
- m_pw.set(pw);
- return TRUE;
- }
- const char* CLdapSecUser::getPassword()
- {
- return m_pw;
- }
- bool CLdapSecUser::setEncodedPassword(SecPasswordEncoding enc, void * pw, unsigned length, void * salt, unsigned saltlen)
- {
- return FALSE; //not supported yet
- }
- bool CLdapSecUser::addToken(unsigned type, void * data, unsigned length)
- {
- return FALSE; //not supported yet
- }
- void CLdapSecUser::copyTo(ISecUser& destination)
- {
- CLdapSecUser* dest = dynamic_cast<CLdapSecUser*>(&destination);
- if(!dest)
- return;
- dest->setAuthenticateStatus(getAuthenticateStatus());
- dest->setName(getName());
- dest->setFullName(getFullName());
- dest->setFirstName(getFirstName());
- dest->setLastName(getLastName());
- dest->setRealm(getRealm());
- dest->credentials().setPassword(credentials().getPassword());
- dest->setUserSid(m_usersid.length(), m_usersid.toByteArray());
- dest->setUserID(m_userid);
- dest->setPasswordExpiration(m_passwordExpiration);
- }
- ISecUser * CLdapSecUser::clone()
- {
- CLdapSecUser* newuser = new CLdapSecUser(m_name.get(), m_pw.get());
- if(newuser)
- copyTo(*newuser);
- return newuser;
- }
- /**********************************************************
- * CLdapSecResource *
- **********************************************************/
- CLdapSecResource::CLdapSecResource(const char *name) : m_name(name), m_access(0), m_required_access(0)
- {
- m_resourcetype = RT_DEFAULT;
- }
- void CLdapSecResource::addAccess(int flags)
- {
- m_access |= flags;
- }
- void CLdapSecResource::setAccessFlags(int flags)
- {
- m_access = flags;
- }
- void CLdapSecResource::setRequiredAccessFlags(int flags)
- {
- m_required_access = flags;
- }
- int CLdapSecResource::getRequiredAccessFlags()
- {
- return m_required_access;
- }
- //interface ISecResource : extends IInterface
- const char * CLdapSecResource::getName()
- {
- return m_name.get();
- }
- int CLdapSecResource::getAccessFlags()
- {
- return m_access;
- }
- int CLdapSecResource::addParameter(const char* name, const char* value)
- {
- if (!m_parameters)
- m_parameters.setown(createProperties(false));
- m_parameters->setProp(name, value);
- return 0;
- }
- const char * CLdapSecResource::getParameter(const char * name)
- {
- if (m_parameters)
- {
- const char *value = m_parameters->queryProp(name);
- return value;
- }
- return NULL;
- }
- void CLdapSecResource::setDescription(const char* description)
- {
- m_description.clear().append(description);
- }
- const char* CLdapSecResource::getDescription()
- {
- return m_description.str();
- }
- void CLdapSecResource::setValue(const char* value)
- {
- m_value.clear();
- m_value.append(value);
- }
- const char* CLdapSecResource::getValue()
- {
- return m_value.str();
- }
- ISecResource * CLdapSecResource::clone()
- {
- CLdapSecResource* _res = new CLdapSecResource(m_name.get());
- if(!_res)
- return NULL;
-
- _res->setResourceType(m_resourcetype);
- _res->setValue(m_value.str());
- _res->m_access = m_access;
- _res->m_required_access = m_required_access;
- _res->setDescription(m_description.str());
- if(!m_parameters)
- return _res;
- Owned<IPropertyIterator> Itr = m_parameters->getIterator();
- Itr->first();
- while(Itr->isValid())
- {
- _res->addParameter(Itr->getPropKey(),m_parameters->queryProp(Itr->getPropKey()));
- Itr->next();
- }
- return _res;
- }
- void CLdapSecResource::copy(ISecResource* from)
- {
- if(!from)
- return;
- CLdapSecResource* ldapfrom = dynamic_cast<CLdapSecResource*>(from);
- if(!ldapfrom)
- return;
- m_access = ldapfrom->m_access;
- setDescription(ldapfrom->m_description.str());
- if(m_parameters.get())
- {
- m_parameters.clear();
- }
- if(!ldapfrom->m_parameters.get())
- return;
- Owned<IPropertyIterator> Itr = ldapfrom->m_parameters->getIterator();
- Itr->first();
- while(Itr->isValid())
- {
- addParameter(Itr->getPropKey(), ldapfrom->m_parameters->queryProp(Itr->getPropKey()));
- Itr->next();
- }
- return;
- }
- SecResourceType CLdapSecResource::getResourceType()
- {
- return m_resourcetype;
- }
- void CLdapSecResource::setResourceType(SecResourceType resourcetype)
- {
- m_resourcetype = resourcetype;
- }
- /**********************************************************
- * CLdapSecResourceList *
- **********************************************************/
- CLdapSecResourceList::CLdapSecResourceList(const char *name) : m_complete(0)
- {
- m_name.set(name);
- }
- void CLdapSecResourceList::setAuthorizationComplete(bool value)
- {
- m_complete=value;
- }
- IArrayOf<ISecResource>& CLdapSecResourceList::getResourceList()
- {
- return m_rlist;
- }
- //interface ISecResourceList : extends IInterface
- bool CLdapSecResourceList::isAuthorizationComplete()
- {
- return m_complete;
- }
- ISecResourceList * CLdapSecResourceList::clone()
- {
- CLdapSecResourceList* _newList = new CLdapSecResourceList(m_name.get());
- if(!_newList)
- return NULL;
- copyTo(*_newList);
- return _newList;
- }
- bool CLdapSecResourceList::copyTo(ISecResourceList& destination)
- {
- ForEachItemIn(x, m_rlist)
- {
- CLdapSecResource* res = (CLdapSecResource*)(&(m_rlist.item(x)));
- if(res)
- destination.addResource(res->clone());
- }
- return false;
- }
- ISecResource* CLdapSecResourceList::addResource(const char * name)
- {
- if(!name || !*name)
- return NULL;
- ISecResource* resource = m_rmap[name];
- if(resource == NULL)
- {
- resource = new CLdapSecResource(name);
- m_rlist.append(*resource);
- m_rmap[name] = resource;
- }
- return resource;
- }
- void CLdapSecResourceList::addResource(ISecResource * resource)
- {
- if(resource == NULL)
- return;
- const char* name = resource->getName();
- if(!name || !*name)
- return;
- ISecResource* r = m_rmap[name];
- if(r == NULL)
- {
- m_rlist.append(*resource);
- m_rmap[name] = resource;
- }
- }
- bool CLdapSecResourceList::addCustomResource(const char * name, const char * config)
- {
- return false;
- }
- ISecResource * CLdapSecResourceList::getResource(const char * Resource)
- {
- if(!Resource || !*Resource)
- return NULL;
- ISecResource* r = m_rmap[Resource];
- if(r)
- return LINK(r);
- else
- return NULL;
- }
- void CLdapSecResourceList::clear()
- {
- m_rlist.kill();
- }
- int CLdapSecResourceList::count()
- {
- return m_rlist.length();
- }
- const char* CLdapSecResourceList::getName()
- {
- return m_name.get();
- }
- ISecResource * CLdapSecResourceList::queryResource(unsigned seq)
- {
- if(seq < m_rlist.length())
- return &(m_rlist.item(seq));
- else
- return NULL;
- }
- ISecPropertyIterator * CLdapSecResourceList::getPropertyItr()
- {
- return new ArrayIIteratorOf<IArrayOf<struct ISecResource>, ISecProperty, ISecPropertyIterator>(m_rlist);
- }
- ISecProperty* CLdapSecResourceList::findProperty(const char* name)
- {
- if(!name || !*name)
- return NULL;
- return m_rmap[name];
- }
- /**********************************************************
- * CLdapSecManager *
- **********************************************************/
- CLdapSecManager::CLdapSecManager(const char *serviceName, const char *config)
- {
- IPropertyTree* cfg = createPTreeFromXMLString(config, ipt_caseInsensitive);
- if(cfg == NULL)
- {
- throw MakeStringException(-1, "createPTreeFromXMLString() failed for %s", config);
- }
- init(serviceName, cfg);
- }
- void CLdapSecManager::init(const char *serviceName, IPropertyTree* cfg)
- {
- for(int i = 0; i < RT_SCOPE_MAX; i++)
- m_cache_off[i] = false;
-
- m_usercache_off = false;
- m_cfg.setown(cfg);
- cfg->getProp(".//@ldapAddress", m_server);
- cfg->getProp(".//@description", m_description);
- ILdapClient* ldap_client = createLdapClient(cfg);
-
- IPermissionProcessor* pp;
- if(ldap_client->getServerType() == ACTIVE_DIRECTORY)
- pp = new PermissionProcessor(cfg);
- else if(ldap_client->getServerType() == IPLANET)
- pp = new CIPlanetAciProcessor(cfg);
- else if(ldap_client->getServerType() == OPEN_LDAP)
- {
- if (0 == stricmp(ldap_client->getLdapConfig()->getCfgServerType(), "389DirectoryServer"))//uses iPlanet style ACI
- pp = new CIPlanetAciProcessor(cfg);
- else
- pp = new COpenLdapAciProcessor(cfg);
- }
- else
- throwUnexpected();
- ldap_client->init(pp);
- pp->setLdapClient(ldap_client);
- m_ldap_client.setown(ldap_client);
- m_pp.setown(pp);
- int cachetimeout = cfg->getPropInt("@cacheTimeout", 5);
- if (cfg->getPropBool("@sharedCache", true))
- m_permissionsCache.setown(CPermissionsCache::getInstance(cfg->queryProp("@name")));
- else
- m_permissionsCache.setown(new CPermissionsCache());
- m_permissionsCache->setCacheTimeout( 60 * cachetimeout);
- m_permissionsCache->setTransactionalEnabled(true);
- m_permissionsCache->setSecManager(this);
- m_passwordExpirationWarningDays = cfg->getPropInt(".//@passwordExpirationWarningDays", 10); //Default to 10 days
- };
- CLdapSecManager::CLdapSecManager(const char *serviceName, IPropertyTree &config)
- {
- init(serviceName, &config);
- }
- CLdapSecManager::~CLdapSecManager()
- {
- }
- //interface ISecManager : extends IInterface
- ISecUser * CLdapSecManager::createUser(const char * user_name)
- {
- return (new CLdapSecUser(user_name, NULL));
- }
- ISecResourceList * CLdapSecManager::createResourceList(const char * rlname)
- {
- return (new CLdapSecResourceList(rlname));
- }
- bool CLdapSecManager::subscribe(ISecAuthenticEvents & events)
- {
- m_subscriber.set(&events);
- return true;
- }
- bool CLdapSecManager::unsubscribe(ISecAuthenticEvents & events)
- {
- if (&events == m_subscriber.get())
- {
- m_subscriber.set(NULL);
- }
- return true;
- }
- bool CLdapSecManager::authenticate(ISecUser* user)
- {
- if(!user)
- return false;
- if(user->getAuthenticateStatus() == AS_AUTHENTICATED)
- return true;
- if(m_permissionsCache->isCacheEnabled() && !m_usercache_off && m_permissionsCache->lookup(*user))
- {
- user->setAuthenticateStatus(AS_AUTHENTICATED);
- return true;
- }
- bool ok = m_ldap_client->authenticate(*user);
- if(ok)
- {
- if(m_permissionsCache->isCacheEnabled() && !m_usercache_off)
- m_permissionsCache->add(*user);
- user->setAuthenticateStatus(AS_AUTHENTICATED);
- }
- return ok;
- }
- bool CLdapSecManager::authorizeEx(SecResourceType rtype, ISecUser& sec_user, ISecResourceList * Resources, IEspSecureContext* secureContext)
- {
- if(!authenticate(&sec_user))
- {
- return false;
- }
- CLdapSecResourceList * reslist = (CLdapSecResourceList*)Resources;
- if(!reslist)
- return true;
- IArrayOf<ISecResource>& rlist = reslist->getResourceList();
- int nResources = rlist.length();
- int ri;
- for(ri = 0; ri < nResources; ri++)
- {
- ISecResource* res = &rlist.item(ri);
- if(res != NULL)
- res->setResourceType(rtype);
- }
- if (nResources <= 0)
- return true;
- bool rc;
- time_t tctime = getThreadCreateTime();
- if ((m_permissionsCache->isCacheEnabled() || (m_permissionsCache->isTransactionalEnabled() && tctime > 0)) && (!m_cache_off[rtype]))
- {
- bool* cached_found = (bool*)alloca(nResources*sizeof(bool));
- int nFound = m_permissionsCache->lookup(sec_user, rlist, cached_found);
- if (nFound < nResources)
- {
- IArrayOf<ISecResource> rlist2;
- int i;
- for (i=0; i < nResources; i++)
- {
- if (*(cached_found+i) == false)
- {
- ISecResource& secRes = rlist.item(i);
- secRes.Link();
- rlist2.append(secRes);
- //DBGLOG("CACHE: Fetching permissions for %s:%s", sec_user.getName(), secRes.getName());
- }
- }
- rc = m_ldap_client->authorize(rtype, sec_user, rlist2);
- if (rc)
- m_permissionsCache->add(sec_user, rlist2);
- }
- else
- rc = true;
- }
- else
- {
- rc = m_ldap_client->authorize(rtype, sec_user, rlist);
- }
- return rc;
- }
- int CLdapSecManager::authorizeEx(SecResourceType rtype, ISecUser & user, const char * resourcename, IEspSecureContext* secureContext)
- {
- if(!resourcename || !*resourcename)
- return SecAccess_Full;
- Owned<ISecResourceList> rlist;
- rlist.setown(createResourceList("resources"));
- rlist->addResource(resourcename);
-
- bool ok = authorizeEx(rtype, user, rlist.get(), secureContext);
- if(ok)
- return rlist->queryResource(0)->getAccessFlags();
- else
- return -1;
- }
- bool CLdapSecManager::authorizeEx(SecResourceType rtype, ISecUser& sec_user, ISecResourceList * Resources, bool doAuthentication)
- {
- if(doAuthentication && !authenticate(&sec_user))
- {
- return false;
- }
- CLdapSecResourceList * reslist = (CLdapSecResourceList*)Resources;
- if(!reslist)
- return true;
- IArrayOf<ISecResource>& rlist = reslist->getResourceList();
- int nResources = rlist.length();
- int ri;
- for(ri = 0; ri < nResources; ri++)
- {
- ISecResource* res = &rlist.item(ri);
- if(res != NULL)
- res->setResourceType(rtype);
- }
- if (nResources <= 0)
- return true;
- bool rc;
- time_t tctime = getThreadCreateTime();
- if ((m_permissionsCache->isCacheEnabled() || (m_permissionsCache->isTransactionalEnabled() && tctime > 0)) && (!m_cache_off[rtype]))
- {
- bool* cached_found = (bool*)alloca(nResources*sizeof(bool));
- int nFound = m_permissionsCache->lookup(sec_user, rlist, cached_found);
- if (nFound < nResources)
- {
- IArrayOf<ISecResource> rlist2;
- int i;
- for (i=0; i < nResources; i++)
- {
- if (*(cached_found+i) == false)
- {
- ISecResource& secRes = rlist.item(i);
- secRes.Link();
- rlist2.append(secRes);
- //DBGLOG("CACHE: Fetching permissions for %s:%s", sec_user.getName(), secRes.getName());
- }
- }
- rc = m_ldap_client->authorize(rtype, sec_user, rlist2);
- if (rc)
- m_permissionsCache->add(sec_user, rlist2);
- }
- else
- rc = true;
- }
- else
- {
- rc = m_ldap_client->authorize(rtype, sec_user, rlist);
- }
- return rc;
- }
- int CLdapSecManager::authorizeEx(SecResourceType rtype, ISecUser & user, const char * resourcename, bool doAuthentication)
- {
- if(!resourcename || !*resourcename)
- return SecAccess_Full;
- Owned<ISecResourceList> rlist;
- rlist.setown(createResourceList("resources"));
- rlist->addResource(resourcename);
-
- bool ok = authorizeEx(rtype, user, rlist.get(), doAuthentication);
- if(ok)
- return rlist->queryResource(0)->getAccessFlags();
- else
- return -1;
- }
- int CLdapSecManager::getAccessFlagsEx(SecResourceType rtype, ISecUser & user, const char * resourcename)
- {
- if(!resourcename || !*resourcename)
- return -1;
- Owned<ISecResourceList> rlist0;
- rlist0.setown(createResourceList("resources"));
- rlist0->addResource(resourcename);
-
- CLdapSecResourceList * reslist = (CLdapSecResourceList*)rlist0.get();
- if(!reslist)
- return -1;
- IArrayOf<ISecResource>& rlist = reslist->getResourceList();
- int nResources = rlist.length();
- int ri;
- for(ri = 0; ri < nResources; ri++)
- {
- ISecResource* res = &rlist.item(ri);
- if(res != NULL)
- res->setResourceType(rtype);
- }
- if (nResources <= 0)
- return -1;
- bool ok = false;
- time_t tctime = getThreadCreateTime();
- if ((m_permissionsCache->isCacheEnabled() || (m_permissionsCache->isTransactionalEnabled() && tctime > 0)) && (!m_cache_off[rtype]))
- {
- bool* cached_found = (bool*)alloca(nResources*sizeof(bool));
- int nFound = m_permissionsCache->lookup(user, rlist, cached_found);
- if (nFound < nResources)
- {
- IArrayOf<ISecResource> rlist2;
- int i;
- for (i=0; i < nResources; i++)
- {
- if (*(cached_found+i) == false)
- {
- ISecResource& secRes = rlist.item(i);
- secRes.Link();
- rlist2.append(secRes);
- //DBGLOG("CACHE: Fetching permissions for %s:%s", sec_user.getName(), secRes.getName());
- }
- }
- ok = m_ldap_client->authorize(rtype, user, rlist2);
- if (ok)
- m_permissionsCache->add(user, rlist2);
- }
- else
- ok = true;
- }
- else
- {
- ok = m_ldap_client->authorize(rtype, user, rlist);
- }
- //bool ok = authorizeEx(rtype, user, rlist.get());
- if(ok)
- return rlist0->queryResource(0)->getAccessFlags();
- else
- return -1;
- }
- bool CLdapSecManager::authorize(ISecUser& sec_user, ISecResourceList * Resources, IEspSecureContext* secureContext)
- {
- return authorizeEx(RT_DEFAULT, sec_user, Resources, secureContext);
- }
- int CLdapSecManager::authorizeFileScope(ISecUser & user, const char * filescope)
- {
- if(filescope == 0 || filescope[0] == '\0')
- return SecAccess_Full;
- StringBuffer managedFilescope;
- if(m_permissionsCache->isCacheEnabled() && !m_usercache_off)
- {
- int accessFlags;
- //See if file scope in question is managed by LDAP permissions.
- // If not, return default file permission (dont call out to LDAP)
- // If is, look in cache for permission of longest matching managed scope strings. If found return that permission (no call to LDAP),
- // otherwise a call to LDAP "authorizeFileScope" is necessary, specifying the longest matching managed scope string
- bool gotPerms = m_permissionsCache->queryPermsManagedFileScope(user, filescope, managedFilescope, &accessFlags);
- if (gotPerms)
- return accessFlags;
- }
- Owned<ISecResourceList> rlist;
- rlist.setown(createResourceList("FileScope"));
- rlist->addResource(managedFilescope.length() ? managedFilescope.str() : filescope );
-
- bool ok = authorizeFileScope(user, rlist.get());
- if(ok)
- return rlist->queryResource(0)->getAccessFlags();
- else
- return -1;
- }
-
- bool CLdapSecManager::authorizeFileScope(ISecUser & user, ISecResourceList * resources)
- {
- return authorizeEx(RT_FILE_SCOPE, user, resources);
- }
- int CLdapSecManager::authorizeWorkunitScope(ISecUser & user, const char * wuscope)
- {
- if(wuscope == 0 || wuscope[0] == '\0')
- return SecAccess_Full;
- Owned<ISecResourceList> rlist;
- rlist.setown(createResourceList("WorkunitScope"));
- rlist->addResource(wuscope);
-
- bool ok = authorizeWorkunitScope(user, rlist.get());
- if(ok)
- return rlist->queryResource(0)->getAccessFlags();
- else
- return -1;
- }
-
- bool CLdapSecManager::authorizeWorkunitScope(ISecUser & user, ISecResourceList * resources)
- {
- return authorizeEx(RT_WORKUNIT_SCOPE, user, resources);
- }
- bool CLdapSecManager::addResourcesEx(SecResourceType rtype, ISecUser& sec_user, ISecResourceList * resources, SecPermissionType ptype, const char* basedn)
- {
- CLdapSecResourceList * reslist = (CLdapSecResourceList*)resources;
- if(!reslist)
- return true;
- IArrayOf<ISecResource>& rlist = reslist->getResourceList();
- if(rlist.length() <= 0)
- return true;
-
- return m_ldap_client->addResources(rtype, sec_user, rlist, ptype, basedn);
- }
- bool CLdapSecManager::addResourceEx(SecResourceType rtype, ISecUser& user, const char* resourcename, SecPermissionType ptype, const char* basedn)
- {
- Owned<ISecResourceList> rlist;
- rlist.setown(createResourceList("resources"));
- rlist->addResource(resourcename);
-
- return addResourcesEx(rtype, user, rlist.get(), ptype, basedn);
- }
- bool CLdapSecManager::addResources(ISecUser& sec_user, ISecResourceList * resources)
- {
- return addResourcesEx(RT_DEFAULT, sec_user, resources);
- }
- bool CLdapSecManager::addUser(ISecUser & user)
- {
- bool ok = m_ldap_client->addUser(user);
- if(!ok)
- return false;
- return m_pp->retrieveUserInfo(user);
- }
- ISecUser * CLdapSecManager::lookupUser(unsigned uid)
- {
- return m_ldap_client->lookupUser(uid);
- }
- ISecUser * CLdapSecManager::findUser(const char * username)
- {
- if(username == NULL || strlen(username) == 0)
- {
- DBGLOG("findUser - username is empty");
- return NULL;
- }
- Owned<ISecUser> user;
- user.setown(createUser(username));
- try
- {
- bool ok = m_pp->retrieveUserInfo(*user);
- if(ok)
- {
- return LINK(user.get());
- }
- else
- {
- return NULL;
- }
- }
- catch(IException*)
- {
- return NULL;
- }
- catch(...)
- {
- return NULL;
- }
- }
- ISecUserIterator * CLdapSecManager::getAllUsers()
- {
- synchronized block(m_monitor);
- m_user_array.popAll(true);
- m_ldap_client->retrieveUsers(m_user_array);
- return new ArrayIIteratorOf<IUserArray, ISecUser, ISecUserIterator>(m_user_array);
- }
- void CLdapSecManager::searchUsers(const char* searchstr, IUserArray& users)
- {
- m_ldap_client->retrieveUsers(searchstr, users);
- }
- ISecItemIterator* CLdapSecManager::getUsersSorted(const char* userName, UserField* sortOrder, const unsigned pageStartFrom,
- const unsigned pageSize, unsigned* total, __int64* cacheHint)
- {
- return m_ldap_client->getUsersSorted(userName, sortOrder, pageStartFrom, pageSize, total, cacheHint);
- }
- void CLdapSecManager::getAllUsers(IUserArray& users)
- {
- m_ldap_client->retrieveUsers(users);
- }
- bool CLdapSecManager::getResources(SecResourceType rtype, const char * basedn, IArrayOf<ISecResource> & resources)
- {
- return m_ldap_client->getResources(rtype, basedn, "", resources);
- }
- bool CLdapSecManager::getResourcesEx(SecResourceType rtype, const char * basedn, const char* searchstr, IArrayOf<ISecResource> & resources)
- {
- return m_ldap_client->getResourcesEx(rtype, basedn, "", searchstr, resources);
- }
- ISecItemIterator* CLdapSecManager::getResourcesSorted(SecResourceType rtype, const char * basedn, const char * resourceName, unsigned extraNameFilter,
- ResourceField* sortOrder, const unsigned pageStartFrom, const unsigned pageSize, unsigned *total, __int64 *cachehint)
- {
- return m_ldap_client->getResourcesSorted(rtype, basedn, resourceName, extraNameFilter, sortOrder, pageStartFrom, pageSize, total, cachehint);
- }
- void CLdapSecManager::setExtraParam(const char * name, const char * value)
- {
- if(name == NULL || name[0] == '\0')
- return;
- if (!m_extraparams)
- m_extraparams.setown(createProperties(false));
- m_extraparams->setProp(name, value);
- if(value != NULL && value[0] != '\0')
- {
- if(stricmp(name, "resourcesBasedn") == 0)
- m_ldap_client->setResourceBasedn(value, RT_DEFAULT);
- else if(stricmp(name, "workunitsBasedn") == 0)
- m_ldap_client->setResourceBasedn(value, RT_WORKUNIT_SCOPE);
- }
- }
- IAuthMap * CLdapSecManager::createAuthMap(IPropertyTree * authconfig)
- {
- CAuthMap* authmap = new CAuthMap(this);
- IPropertyTreeIterator *loc_iter = NULL;
- loc_iter = authconfig->getElements(".//Location");
- if (loc_iter != NULL)
- {
- IPropertyTree *location = NULL;
- loc_iter->first();
- while(loc_iter->isValid())
- {
- location = &loc_iter->query();
- if (location)
- {
- StringBuffer pathstr, rstr, required, description;
- location->getProp("@path", pathstr);
- location->getProp("@resource", rstr);
- location->getProp("@required", required);
- location->getProp("@description", description);
-
- if(pathstr.length() == 0)
- throw MakeStringException(-1, "path empty in Authenticate/Location");
- if(rstr.length() == 0)
- throw MakeStringException(-1, "resource empty in Authenticate/Location");
- ISecResourceList* rlist = authmap->queryResourceList(pathstr.str());
- if(rlist == NULL)
- {
- rlist = createResourceList("ldapsecurity");
- authmap->add(pathstr.str(), rlist);
- }
- ISecResource* rs = rlist->addResource(rstr.str());
- unsigned requiredaccess = str2perm(required.str());
- rs->setRequiredAccessFlags(requiredaccess);
- rs->setDescription(description.str());
- }
- loc_iter->next();
- }
- loc_iter->Release();
- loc_iter = NULL;
- }
- authmap->addToBackend();
- return authmap;
- }
- IAuthMap * CLdapSecManager::createFeatureMap(IPropertyTree * authconfig)
- {
- CAuthMap* feature_authmap = new CAuthMap(this);
- IPropertyTreeIterator *feature_iter = NULL;
- feature_iter = authconfig->getElements(".//Feature");
- if (feature_iter != NULL)
- {
- IPropertyTree *feature = NULL;
- feature_iter->first();
- while(feature_iter->isValid())
- {
- feature = &feature_iter->query();
- if (feature)
- {
- StringBuffer pathstr, rstr, required, description;
- feature->getProp("@path", pathstr);
- feature->getProp("@resource", rstr);
- feature->getProp("@required", required);
- feature->getProp("@description", description);
- ISecResourceList* rlist = feature_authmap->queryResourceList(pathstr.str());
- if(rlist == NULL)
- {
- rlist = createResourceList(pathstr.str());
- feature_authmap->add(pathstr.str(), rlist);
- }
- ISecResource* rs = rlist->addResource(rstr.str());
- unsigned requiredaccess = str2perm(required.str());
- rs->setRequiredAccessFlags(requiredaccess);
- rs->setDescription(description.str());
- }
- feature_iter->next();
- }
- feature_iter->Release();
- feature_iter = NULL;
- }
- feature_authmap->addToBackend();
-
- return feature_authmap;
- }
- bool CLdapSecManager::updateUserPassword(ISecUser& user, const char* newPassword, const char* currPassword)
- {
- // Authenticate User first
- if(!authenticate(&user) && user.getAuthenticateStatus() != AS_PASSWORD_VALID_BUT_EXPIRED)
- {
- return false;
- }
- //Update password if authenticated
- bool ok = m_ldap_client->updateUserPassword(user, newPassword, currPassword);
- if(ok && m_permissionsCache->isCacheEnabled() && !m_usercache_off)
- {
- m_permissionsCache->removeFromUserCache(user);
- }
- return ok;
- }
- bool CLdapSecManager::updateUser(const char* type, ISecUser& user)
- {
- bool ok = m_ldap_client->updateUser(type, user);
- if(ok && m_permissionsCache->isCacheEnabled() && !m_usercache_off)
- m_permissionsCache->removeFromUserCache(user);
- return ok;
- }
- bool CLdapSecManager::updateUserPassword(const char* username, const char* newPassword)
- {
- return m_ldap_client->updateUserPassword(username, newPassword);
- }
- void CLdapSecManager::getAllGroups(StringArray & groups, StringArray & managedBy, StringArray & descriptions)
- {
- m_ldap_client->getAllGroups(groups, managedBy, descriptions);
- }
- ISecItemIterator* CLdapSecManager::getGroupsSorted(GroupField* sortOrder, const unsigned pageStartFrom, const unsigned pageSize,
- unsigned *total, __int64 *cachehint)
- {
- return m_ldap_client->getGroupsSorted(sortOrder, pageStartFrom, pageSize, total, cachehint);
- }
- ISecItemIterator* CLdapSecManager::getGroupMembersSorted(const char* groupName, UserField* sortOrder, const unsigned pageStartFrom, const unsigned pageSize,
- unsigned *total, __int64 *cachehint)
- {
- return m_ldap_client->getGroupMembersSorted(groupName, sortOrder, pageStartFrom, pageSize, total, cachehint);
- }
- bool CLdapSecManager::getPermissionsArray(const char* basedn, SecResourceType rtype, const char* name, IArrayOf<CPermission>& permissions)
- {
- return m_ldap_client->getPermissionsArray(basedn, rtype, name, permissions);
- }
- void CLdapSecManager::addGroup(const char* groupname, const char * groupOwner, const char * groupDesc)
- {
- m_ldap_client->addGroup(groupname, groupOwner, groupDesc);
- }
- void CLdapSecManager::deleteGroup(const char* groupname)
- {
- m_ldap_client->deleteGroup(groupname);
- }
- bool CLdapSecManager::changePermission(CPermissionAction& action)
- {
- return m_ldap_client->changePermission(action);
- }
- void CLdapSecManager::getGroups(const char* username, StringArray & groups)
- {
- m_ldap_client->getGroups(username, groups);
- }
- void CLdapSecManager::changeUserGroup(const char* action, const char* username, const char* groupname)
- {
- m_ldap_client->changeUserGroup(action, username, groupname);
- }
- bool CLdapSecManager::deleteUser(ISecUser* user)
- {
- return m_ldap_client->deleteUser(user);
- }
- void CLdapSecManager::getGroupMembers(const char* groupname, StringArray & users)
- {
- m_ldap_client->getGroupMembers(groupname, users);
- }
- void CLdapSecManager::deleteResource(SecResourceType rtype, const char * name, const char * basedn)
- {
- m_ldap_client->deleteResource(rtype, name, basedn);
- time_t tctime = getThreadCreateTime();
- if ((m_permissionsCache->isCacheEnabled() || (m_permissionsCache->isTransactionalEnabled() && tctime > 0)) && (!m_cache_off[rtype]))
- m_permissionsCache->remove(rtype, name);
- }
- void CLdapSecManager::renameResource(SecResourceType rtype, const char * oldname, const char * newname, const char * basedn)
- {
- m_ldap_client->renameResource(rtype, oldname, newname, basedn);
- time_t tctime = getThreadCreateTime();
- if ((m_permissionsCache->isCacheEnabled() || (m_permissionsCache->isTransactionalEnabled() && tctime > 0)) && (!m_cache_off[rtype]))
- m_permissionsCache->remove(rtype, oldname);
- }
- void CLdapSecManager::copyResource(SecResourceType rtype, const char * oldname, const char * newname, const char * basedn)
- {
- m_ldap_client->copyResource(rtype, oldname, newname, basedn);
- }
- void CLdapSecManager::normalizeDn(const char* dn, StringBuffer& ndn)
- {
- m_ldap_client->normalizeDn(dn, ndn);
- }
- bool CLdapSecManager::isSuperUser(ISecUser* user)
- {
- return m_ldap_client->isSuperUser(user);
- }
- ILdapConfig* CLdapSecManager::queryConfig()
- {
- return m_ldap_client->queryConfig();
- }
- void CLdapSecManager::cacheSwitch(SecResourceType rtype, bool on)
- {
- m_cache_off[rtype] = !on;
- // To make things simple, turning off any resource type's permission cache turns off the userCache.
- if(!on)
- m_usercache_off = true;
- }
- int CLdapSecManager::countUsers(const char* searchstr, int limit)
- {
- return m_ldap_client->countUsers(searchstr, limit);
- }
- int CLdapSecManager::countResources(const char* basedn, const char* searchstr, int limit)
- {
- return m_ldap_client->countResources(basedn, searchstr, limit);
- }
- bool CLdapSecManager::getUserInfo(ISecUser& user, const char* infotype)
- {
- return m_ldap_client->getUserInfo(user, infotype);
- }
- bool CLdapSecManager::createUserScopes()
- {
- Owned<ISecUserIterator> it = getAllUsers();
- it->first();
- bool rc = true;
- while(it->isValid())
- {
- ISecUser &user = it->get();
- if (!m_ldap_client->createUserScope(user))
- {
- PROGLOG("Error creating scope for user '%s'", user.getName());
- rc = false;
- }
- it->next();
- }
- return rc;
- }
- aindex_t CLdapSecManager::getManagedFileScopes(IArrayOf<ISecResource>& scopes)
- {
- return m_ldap_client->getManagedFileScopes(scopes);
- }
- int CLdapSecManager::queryDefaultPermission(ISecUser& user)
- {
- return m_ldap_client->queryDefaultPermission(user);
- }
- bool CLdapSecManager::clearPermissionsCache(ISecUser& user)
- {
- if(m_permissionsCache->isCacheEnabled())
- {
- if (!authenticate(&user))
- {
- PROGLOG("User %s not authorized to clear permissions cache", user.getName());
- return false;
- }
- if (!isSuperUser(&user))
- {
- PROGLOG("User %s denied, only a superuser can clear permissions cache", user.getName());
- return false;
- }
- m_permissionsCache->flush();
- }
- return true;
- }
- bool CLdapSecManager::authenticateUser(ISecUser & user, bool &superUser)
- {
- if (!authenticate(&user))
- return false;
- superUser = isSuperUser(&user);
- return true;
- }
- extern "C"
- {
- LDAPSECURITY_API ISecManager * newLdapSecManager(const char *serviceName, IPropertyTree &config)
- {
- return new CLdapSecManager(serviceName, config);
- }
- LDAPSECURITY_API IAuthMap *newDefaultAuthMap(IPropertyTree* config)
- {
- CAuthMap* authmap = new CAuthMap(NULL);
- IPropertyTreeIterator *loc_iter = NULL;
- loc_iter = config->getElements(".//Location");
- if (loc_iter != NULL)
- {
- IPropertyTree *location = NULL;
- loc_iter->first();
- while(loc_iter->isValid())
- {
- location = &loc_iter->query();
- if (location)
- {
- StringBuffer pathstr, rstr;
- location->getProp("@path", pathstr);
- authmap->add(pathstr.str(), NULL);
- }
- loc_iter->next();
- }
- loc_iter->Release();
- loc_iter = NULL;
- }
- return authmap;
- }
- }
|