
  1. /*##############################################################################
  2. HPCC SYSTEMS software Copyright (C) 2012 HPCC Systems.
  3. Licensed under the Apache License, Version 2.0 (the "License");
  4. you may not use this file except in compliance with the License.
  5. You may obtain a copy of the License at
  6. http://www.apache.org/licenses/LICENSE-2.0
  7. Unless required by applicable law or agreed to in writing, software
  8. distributed under the License is distributed on an "AS IS" BASIS,
  9. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  10. See the License for the specific language governing permissions and
  11. limitations under the License.
  12. ############################################################################## */
  13. #ifndef _SECLIB_HPP__
  14. #define _SECLIB_HPP__
  15. #include "jlib.hpp"
  16. #include "jtime.hpp"
  17. #include "jexcept.hpp"
// Export/import decoration for the symbols seclib itself defines (the
// extern "C" factories near the end of this header). The library build
// defines SECLIB_EXPORTS; every other translation unit imports.
#ifndef SECLIB_API
#ifdef _WIN32
#ifndef SECLIB_EXPORTS
#define SECLIB_API __declspec(dllimport)
#else
#define SECLIB_API __declspec(dllexport)
#endif //SECLIB_EXPORTS
#else
#define SECLIB_API
#endif //_WIN32
#endif
// Bare file names of the two security-manager shared objects. SecLibLoader
// (below) hands these unqualified names straight to LoadSharedObject, so
// which copy is actually mapped is decided by however that call resolves a
// name without a path. NOTE(review): presumably the platform loader search
// path; deployments should make sure it cannot be pointed at an untrusted
// directory before these are loaded.
#ifdef _WIN32
#define SECLIB "seclib.dll"
#define LDAPSECLIB "LdapSecurity.dll"
#else
#define SECLIB "libseclib.so"
#define LDAPSECLIB "libLdapSecurity.so"
#endif
// Access levels as independent bits: Access (1), Read (2) and Write (4) are
// distinct single bits, so Read does not imply Access here, and Full is 255
// (every bit set). Compare with SecAccessFlags below, where the values are
// cumulative; ISecResource stores either as a plain int, so the caller has
// to know which encoding a given implementation expects.
enum NewSecAccessFlags
{
    NewSecAccess_None = 0,
    NewSecAccess_Access = 1,
    NewSecAccess_Read = 2,
    NewSecAccess_Write = 4,
    NewSecAccess_Full = 255
};
// Cumulative access levels: Read (3) is Access|Read, Write (7) is
// Access|Read|Write, Full is 255. Unknown is negative (-255) so that any
// "at least X" comparison against it fails, but it is still not None:
// callers that turn a returned int into a decision must treat Unknown as
// "not authorized", never as "no restriction".
enum SecAccessFlags
{
    SecAccess_Unknown = -255,
    SecAccess_None = 0,
    SecAccess_Access = 1,
    SecAccess_Read = 3,
    SecAccess_Write = 7,
    SecAccess_Full = 255
};
// Kinds of resource a permission can be attached to. The values are dense
// from 0 and RT_SCOPE_MAX is one past the last real type (RT_TRIAL = 6), so
// it reads as an array bound / loop limit rather than a usable type.
enum SecResourceType
{
    RT_DEFAULT = 0,
    RT_MODULE = 1,
    RT_SERVICE = 2,
    RT_FILE_SCOPE = 3,
    RT_WORKUNIT_SCOPE = 4,
    RT_SUDOERS = 5,
    RT_TRIAL = 6,
    RT_SCOPE_MAX = 7
};
// Human-readable name for a SecResourceType (defined elsewhere; note it is
// declared without SECLIB_API, unlike the factories at the end of the file).
const char* resTypeDesc(SecResourceType type);
// Who a newly added resource is granted to (see ISecManager::addResourcesEx /
// addResourceEx). Per the original note, ADMINISTRATORS_AND_USER deliberately
// leaves out the generic "authenticated users" group.
enum SecPermissionType
{
    PT_DEFAULT = 0,
    PT_ADMINISTRATORS_ONLY = 1,
    PT_ADMINISTRATORS_AND_USER = 2 //excludes Authenticated users
};
// Access level assumed when a caller does not specify one: Read from the
// cumulative SecAccessFlags enum (value 3, i.e. Access|Read).
#define DEFAULT_REQUIRED_ACCESS SecAccess_Read
// How a stored password is encoded. Only the names are visible here; the
// encoding itself is implemented elsewhere. NOTE(review): taken at face
// value these are all weak choices for password storage — plain_text is
// recoverable as-is, Rijndael (AES) is reversible by anyone holding the
// key, and salted MD5/SHA-1 are fast digests that salting does not slow
// down. None of the listed values is a slow KDF; anything new should not
// pick from this list without adding one. Do not renumber — the values are
// presumably persisted.
enum SecPasswordEncoding
{
    SecPwEnc_unknown = 0,
    SecPwEnc_plain_text = 1,
    SecPwEnc_salt_sha1 = 2,
    SecPwEnc_salt_md5 = 3,
    SecPwEnc_Rijndael = 4,
    SecPwEnc_salt_accurint_md5 = 5
};
// Account lifecycle / classification states carried by ISecUser. The header
// fixes only the numbering; which states an implementation treats as
// "may log in" is not encoded here, so callers should not assume anything
// beyond the obvious negatives (Suspended, Terminated, TrialExpired,
// Status_Hold). Unknown is the last value, not 0.
enum SecUserStatus
{
    SecUserStatus_Inhouse = 0,
    SecUserStatus_Active = 1,
    SecUserStatus_Exempt = 2,
    SecUserStatus_FreeTrial = 3,
    SecUserStatus_csdemo = 4,
    SecUserStatus_Rollover = 5,
    SecUserStatus_Suspended = 6,
    SecUserStatus_Terminated = 7,
    SecUserStatus_TrialExpired = 8,
    SecUserStatus_Status_Hold = 9,
    SecUserStatus_Unknown = 10
};
// Secret material attached to an ISecUser (reached via ISecUser::credentials()).
// The password is set and read back as plain chars, so any implementation
// necessarily keeps it in cleartext in memory for the object's lifetime;
// the interface declares no way to clear or zeroize it. Keep these objects
// short-lived and out of logs/dumps.
interface ISecCredentials : extends IInterface
{
    // Stores pw; returns false on failure (the conditions are up to the implementation).
    virtual bool setPassword(const char * pw) = 0;
    // Returns the stored password in the clear.
    virtual const char * getPassword() = 0;
    // Attaches an opaque token of `type`, `length` bytes at data; format is implementation-defined.
    virtual bool addToken(unsigned type, void * data, unsigned length) = 0;
    virtual bool setPasswordExpiration(CDateTime & expirationDate) = 0;
    // Presumably fills expirationDate and returns the same reference — confirm in the implementation.
    virtual CDateTime & getPasswordExpiration(CDateTime & expirationDate) = 0;
    // Signed: a negative value is possible in principle, so callers should not treat it as unsigned.
    virtual int getPasswordDaysRemaining() = 0;
};
//LDAP authentication status
// Result of the last authentication attempt on an ISecUser. Note that the
// success value is 0 and every failure/unknown value is non-zero — the
// opposite of the usual "0 means nothing happened" — so callers must compare
// against AS_AUTHENTICATED explicitly and never test the status for truth.
// AS_UNKNOWN means no attempt has been made yet, which is not a failure but
// must not be mistaken for success either.
enum authStatus
{
    AS_AUTHENTICATED = 0,
    AS_UNKNOWN = 1,//have not attempted to authenticate
    AS_UNEXPECTED_ERROR = 2,
    AS_INVALID_CREDENTIALS = 3,
    AS_PASSWORD_EXPIRED = 4
};
// Forward declaration; CDateTime is already used by reference above, so
// jtime.hpp (included at the top) presumably provides the full type.
class CDateTime;
// A principal as seen by the security manager: identity fields, connection
// metadata (peer, FQDN), account status, the outcome of authentication, the
// credentials object, and a free-form string/int property bag.
interface ISecUser : extends IInterface
{
    // Login name used for lookups (ISecManager::findUser).
    virtual const char * getName() = 0;
    virtual bool setName(const char * name) = 0;
    virtual const char * getFullName() = 0;
    virtual bool setFullName(const char * name) = 0;
    virtual const char * getFirstName() = 0;
    virtual bool setFirstName(const char * fname) = 0;
    virtual const char * getLastName() = 0;
    virtual bool setLastName(const char * lname) = 0;
    virtual const char * getRealm() = 0;
    virtual bool setRealm(const char * realm) = 0;
    // Host name / peer address of the connection the user arrived on. These
    // are set by whoever builds the user object; treat them as informational
    // unless that caller is known to validate them.
    virtual const char * getFqdn() = 0;
    virtual bool setFqdn(const char * Fqdn) = 0;
    virtual const char * getPeer() = 0;
    virtual bool setPeer(const char * Peer) = 0;
    virtual SecUserStatus getStatus() = 0;
    virtual bool setStatus(SecUserStatus Status) = 0;
    // Result of the last authentication (0 == AS_AUTHENTICATED; see authStatus).
    // setAuthenticateStatus is public, so any holder of the object can mark it
    // authenticated — the interface itself does not protect this field.
    virtual authStatus getAuthenticateStatus() = 0;
    virtual void setAuthenticateStatus(authStatus status) = 0;
    // Cleartext credentials; see ISecCredentials.
    virtual ISecCredentials & credentials() = 0;
    virtual unsigned getUserID() = 0;
    // Copies this user's fields into destination (what exactly is copied is
    // implementation-defined).
    virtual void copyTo(ISecUser & destination) = 0;
    virtual CDateTime & getPasswordExpiration(CDateTime & expirationDate) = 0;
    virtual bool setPasswordExpiration(CDateTime & expirationDate) = 0;
    virtual int getPasswordDaysRemaining() = 0;
    // Generic property bag; the sec_Company* keys at the end of this header
    // are presumably used with these.
    virtual void setProperty(const char * name, const char * value) = 0;
    virtual const char * getProperty(const char * name) = 0;
    virtual void setPropertyInt(const char * name, int value) = 0;
    virtual int getPropertyInt(const char * name) = 0;
    // Returns a new object; the caller owns the returned reference.
    virtual ISecUser * clone() = 0;
};
// Callback sink registered with ISecManager::subscribe. The manager calls
// these during authentication; each returns a bool whose meaning (continue /
// handled) is defined by the implementation, not here.
interface ISecAuthenticEvents : extends IInterface
{
    virtual bool onAuthenticationSuccess(ISecUser & User) = 0;
    // `reason` is an implementation-defined code; `description` is free text
    // and may be shown to an operator, so implementations should not put the
    // credential itself in it.
    virtual bool onAuthenticationFailure(ISecUser & User, unsigned reason, const char * description) = 0;
    virtual bool onRealmRequired(ISecUser & User) = 0;
    // Asks the sink to supply a password / token; salt is an opaque buffer of
    // salt_len bytes owned by the caller for the duration of the call.
    virtual bool onPasswordRequired(ISecUser & User, void * salt, unsigned salt_len) = 0;
    virtual bool onTokenRequired(ISecUser & User, unsigned type, void * salt, unsigned salt_len) = 0;
};
// A named string value; base of ISecResource and the element type of
// ISecPropertyList.
interface ISecProperty : extends IInterface
{
    virtual const char * getName() = 0;
    virtual const char * getValue() = 0;
};
// A protected resource: the access the current user has to it, the access
// the caller requires, plus description, parameters and a type.
// Both flag fields are plain ints, so the compiler will accept a value from
// either NewSecAccessFlags (bit flags) or SecAccessFlags (cumulative); which
// encoding is meant is a convention of the implementation, not the type.
interface ISecResource : extends ISecProperty
{
    // Access granted to the user (filled in by authorize*).
    virtual void setAccessFlags(int flags) = 0;
    virtual int getAccessFlags() = 0;
    // Access the caller needs; DEFAULT_REQUIRED_ACCESS is the conventional default.
    virtual void setRequiredAccessFlags(int flags) = 0;
    virtual int getRequiredAccessFlags() = 0;
    virtual int addParameter(const char * name, const char * value) = 0;
    virtual const char * getParameter(const char * name) = 0;
    virtual void setDescription(const char * description) = 0;
    virtual const char * getDescription() = 0;
    // clone() hands the caller a new owned object; copy() overwrites this one from `from`.
    virtual ISecResource * clone() = 0;
    virtual void copy(ISecResource * from) = 0;
    virtual SecResourceType getResourceType() = 0;
    virtual void setResourceType(SecResourceType resourcetype) = 0;
    // Appends a textual rendering to s and returns s.
    virtual StringBuffer & toString(StringBuffer & s) = 0;
};
// Iterator over ISecProperty objects; adds nothing to IIteratorOf.
interface ISecPropertyIterator : extends IIteratorOf<ISecProperty>
{
};
// A lookup-able collection of ISecProperty; base of ISecResourceList.
interface ISecPropertyList : extends IInterface
{
    // Returns a new iterator (caller owns it).
    virtual ISecPropertyIterator * getPropertyItr() = 0;
    // NULL when no property has that name — callers must check.
    virtual ISecProperty * findProperty(const char * name) = 0;
};
// Ordered collection of ISecResource that is passed to ISecManager::authorize*
// and filled in with the granted access flags. isAuthorizationComplete()
// reports whether that pass has been done; a caller that consults
// getAccessFlags() on the members before it returns true is reading
// unset values.
interface ISecResourceList : extends ISecPropertyList
{
    virtual bool isAuthorizationComplete() = 0;
    virtual ISecResourceList * clone() = 0;
    virtual bool copyTo(ISecResourceList & destination) = 0;
    virtual void clear() = 0;
    // Creates and adds a resource named `name`, returning it (still owned by the list).
    virtual ISecResource * addResource(const char * name) = 0;
    virtual void addResource(ISecResource * resource) = 0;
    // `config` is implementation-defined text describing the custom resource.
    virtual bool addCustomResource(const char * name, const char * config) = 0;
    // Lookup by feature name; queryResource is positional (0-based, presumably — check count()).
    virtual ISecResource * getResource(const char * feature) = 0;
    virtual ISecResource * queryResource(unsigned seq) = 0;
    // Signed, although queryResource takes an unsigned index.
    virtual int count() = 0;
    virtual const char * getName() = 0;
    virtual StringBuffer & toString(StringBuffer & s) = 0;
};
// Owning arrays of the three interface types (IArrayOf links its elements).
typedef IArrayOf<ISecUser> IUserArray;
typedef IArrayOf<ISecResource> IResourceArray;
typedef IArrayOf<ISecProperty> IPropertyArray;
// Iterator over users, as returned by ISecManager::getAllUsers.
interface ISecUserIterator : extends IIteratorOf<ISecUser>
{
};
// Maps request paths to the resource list that must be authorized for them.
// shouldAuth(path) is the gate: a path for which it returns false is served
// without an authorization pass, so the map's coverage is itself a security
// boundary and the unmatched-path default (allow or deny) is decided by the
// implementation, not by this interface.
interface IAuthMap : extends IInterface
{
    virtual int add(const char * path, ISecResourceList * resourceList) = 0;
    virtual bool shouldAuth(const char * path) = 0;
    // Two accessors for the same lookup; by jlib naming convention query*
    // returns a borrowed pointer and get* a linked one the caller must
    // release — confirm against the implementation before relying on it.
    virtual ISecResourceList * queryResourceList(const char * path) = 0;
    virtual ISecResourceList * getResourceList(const char * path) = 0;
};
// The pluggable security back end (LDAP or the default implementation is
// chosen by SecLibLoader). Groups of methods: factories, event subscription,
// authorization queries, resource/permission administration, user
// administration, auth-map construction and cache control.
interface ISecManager : extends IInterface
{
    virtual ISecUser * createUser(const char * user_name) = 0;
    virtual ISecResourceList * createResourceList(const char * rlname) = 0;
    virtual bool subscribe(ISecAuthenticEvents & events) = 0;
    virtual bool unsubscribe(ISecAuthenticEvents & events) = 0;
    // Authorization. The bool overloads fill in the access flags of each
    // resource in the list and report overall success; the int overloads
    // return an access level for a single named resource — presumably a
    // SecAccessFlags value, possibly SecAccess_Unknown (negative), so the
    // result must be compared, not tested for non-zero.
    virtual bool authorize(ISecUser & user, ISecResourceList * resources) = 0;
    virtual bool authorizeEx(SecResourceType rtype, ISecUser & user, ISecResourceList * resources) = 0;
    virtual int authorizeEx(SecResourceType rtype, ISecUser & user, const char * resourcename) = 0;
    virtual int getAccessFlagsEx(SecResourceType rtype, ISecUser & user, const char * resourcename) = 0;
    virtual int authorizeFileScope(ISecUser & user, const char * filescope) = 0;
    virtual bool authorizeFileScope(ISecUser & user, ISecResourceList * resources) = 0;
    // Permission administration. ptype selects who is granted the new
    // resource (see SecPermissionType); basedn is the directory subtree the
    // LDAP implementation stores it under.
    virtual bool addResources(ISecUser & user, ISecResourceList * resources) = 0;
    virtual bool addResourcesEx(SecResourceType rtype, ISecUser & user, ISecResourceList * resources, SecPermissionType ptype, const char * basedn) = 0;
    virtual bool addResourceEx(SecResourceType rtype, ISecUser & user, const char * resourcename, SecPermissionType ptype, const char * basedn) = 0;
    virtual bool getResources(SecResourceType rtype, const char * basedn, IResourceArray & resources) = 0;
    virtual bool updateResources(ISecUser & user, ISecResourceList * resources) = 0;
    virtual bool updateSettings(ISecUser & user, ISecPropertyList * resources) = 0;
    // User administration.
    virtual bool addUser(ISecUser & user) = 0;
    // NULL when not found (caller owns a returned object).
    virtual ISecUser * findUser(const char * username) = 0;
    virtual ISecUser * lookupUser(unsigned uid) = 0;
    virtual ISecUserIterator * getAllUsers() = 0;
    virtual void getAllGroups(StringArray & groups) = 0;
    // currPassword defaults to 0, so the call compiles without the current
    // password. When the change is made on behalf of the user themself the
    // caller should pass it; whether an implementation verifies it (or
    // requires it at all) is not visible here.
    virtual bool updateUserPassword(ISecUser & user, const char * newPassword, const char* currPassword = 0) = 0;
    virtual bool initUser(ISecUser & user) = 0;
    virtual void setExtraParam(const char * name, const char * value) = 0;
    // Auth-map construction from configuration trees.
    virtual IAuthMap * createAuthMap(IPropertyTree * authconfig) = 0;
    virtual IAuthMap * createFeatureMap(IPropertyTree * authconfig) = 0;
    virtual IAuthMap * createSettingMap(IPropertyTree * authconfig) = 0;
    virtual void deleteResource(SecResourceType rtype, const char * name, const char * basedn) = 0;
    virtual void renameResource(SecResourceType rtype, const char * oldname, const char * newname, const char * basedn) = 0;
    virtual void copyResource(SecResourceType rtype, const char * oldname, const char * newname, const char * basedn) = 0;
    // Turns a per-type cache on or off. While it is on, a permission change
    // made through the methods above may not be visible until the cache
    // expires; the window is implementation-defined.
    virtual void cacheSwitch(SecResourceType rtype, bool on) = 0;
    virtual bool authTypeRequired(SecResourceType rtype) = 0;
    // Workunit-scope counterparts of authorizeFileScope. The string
    // parameter is named filescope but presumably carries the workunit scope.
    virtual int authorizeWorkunitScope(ISecUser & user, const char * filescope) = 0;
    virtual bool authorizeWorkunitScope(ISecUser & user, ISecResourceList * resources) = 0;
    virtual const char * getDescription() = 0;
    virtual unsigned getPasswordExpirationWarningDays() = 0;
    virtual bool createUserScopes() = 0;
};
// Optional extension: looks up an implementation-defined "extension tag" for
// a user. Unlike every other interface in this header it does not extend
// IInterface, so it carries no reference counting of its own.
interface IExtSecurityManager
{
    // Appends the tag's value to `value`; returns false when not available.
    virtual bool getExtensionTag(ISecUser & user, const char * tagName, StringBuffer & value) = 0;
};
// Hook a security manager can use to request a restart of its host.
interface IRestartHandler : extends IInterface
{
    virtual void Restart() = 0;
};
// Implemented by managers that accept such a hook.
interface IRestartManager : extends IInterface
{
    virtual void setRestartHandler(IRestartHandler * pRestartHandler) = 0;
};
// Well-known property keys; presumably used with ISecUser::setProperty /
// getProperty (this header does not show the consumer).
const char* const sec_CompanyName = "sec_company_name";
const char* const sec_CompanyAddress = "sec_company_address";
const char* const sec_CompanyCity = "sec_company_city";
const char* const sec_CompanyState = "sec_company_state";
const char* const sec_CompanyZip = "sec_company_zip";
// Function-pointer types for the factory symbols SecLibLoader resolves with
// GetSharedProcedure. The first two match the extern "C" declarations just
// below; newLdapSecManager is exported by LDAPSECLIB and has no prototype in
// this header, so the typedef is the only check on its signature.
typedef ISecManager* (*createSecManager_t)(const char *model_name, const char *serviceName, IPropertyTree &config);
typedef IAuthMap* (*createDefaultAuthMap_t)(IPropertyTree* config);
typedef ISecManager* (*newLdapSecManager_t)(const char *serviceName, IPropertyTree &config);
// Factories exported by SECLIB. Callers that link seclib directly can call
// these; everyone else goes through SecLibLoader.
extern "C" SECLIB_API ISecManager *createSecManager(const char *model_name, const char *serviceName, IPropertyTree &config);
extern "C" SECLIB_API IAuthMap *createDefaultAuthMap(IPropertyTree* config);
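// Instantiates a security manager (or the default auth map) by loading the
// seclib / LdapSecurity shared object at run time, so callers need not link
// against either library directly.
//
// Both entry points load by bare file name (SECLIB / LDAPSECLIB) with the
// same LoadSharedObject flags the original code used, and never release the
// handle (the original did not either; the returned object presumably
// depends on the library staying mapped).
class SecLibLoader
{
public:
    // Returns a manager for model_name: "LdapSecurity" (compared
    // case-insensitively) resolves newLdapSecManager from LDAPSECLIB; any
    // other value, including NULL, is passed through to SECLIB's
    // createSecManager. cfg must be non-NULL — both factories take the tree
    // by reference, and previously a NULL cfg was dereferenced unchecked.
    // Throws MakeStringException(-1, ...) on a NULL cfg or when the library
    // or symbol cannot be resolved.
    static ISecManager* loadSecManager(const char* model_name, const char* servicename, IPropertyTree* cfg)
    {
        if (cfg == NULL)
            throw MakeStringException(-1, "loadSecManager: NULL configuration for security model %s", model_name ? model_name : "(default)");
        if (model_name && stricmp(model_name, "LdapSecurity") == 0)
        {
            newLdapSecManager_t xproc = (newLdapSecManager_t)resolveProcedure(LDAPSECLIB, "newLdapSecManager");
            return xproc(servicename, *cfg);
        }
        createSecManager_t xproc = (createSecManager_t)resolveProcedure(SECLIB, "createSecManager");
        return xproc(model_name, servicename, *cfg);
    }

    // Resolves createDefaultAuthMap from SECLIB and calls it with cfg. cfg is
    // forwarded as a pointer, so NULL is passed through for the callee to
    // judge. Throws MakeStringException(-1, ...) on load failure.
    static IAuthMap* loadDefaultAuthMap(IPropertyTree* cfg)
    {
        createDefaultAuthMap_t xproc = (createDefaultAuthMap_t)resolveProcedure(SECLIB, "createDefaultAuthMap");
        return xproc(cfg);
    }

private:
    // Shared load-and-lookup step for the two entry points: maps `libname`
    // with LoadSharedObject(libname, true, false) — the original note
    // suggested (false, true) might be more helpful; unchanged here — and
    // looks up `procname`. Throws on either failure, so the result is never
    // NULL. The library name is unqualified; see the SECLIB/LDAPSECLIB note.
    static void* resolveProcedure(const char* libname, const char* procname)
    {
        HINSTANCE lib = LoadSharedObject(libname, true, false);
        if (lib == NULL)
            throw MakeStringException(-1, "can't load library %s", libname);
        void* proc = GetSharedProcedure(lib, procname);
        if (proc == NULL)
            throw MakeStringException(-1, "procedure %s of %s can't be loaded", procname, libname);
        return proc;
    }
};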
  316. #endif