virtual void copyTo(ISecUser& destination)
    {
        // Push every attribute this user carries onto `destination`: identity
        // fields, credentials and all custom properties held in m_parameters.
        // (Method body of a class whose header is outside this listing.)
        destination.setAuthenticateStatus(getAuthenticateStatus());
        destination.setName(getName());
        destination.setFullName(getFullName());
        destination.setFirstName(getFirstName());
        destination.setLastName(getLastName());
        destination.setEmployeeID(getEmployeeID());
        destination.setRealm(getRealm());
        destination.setFqdn(getFqdn());
        destination.setPeer(getPeer());

        // Credentials travel as well: whatever password representation this
        // object holds, the session token, the signature and the expiration
        // (which the credentials getter returns through an out-parameter).
        destination.credentials().setPassword(credentials().getPassword());
        destination.credentials().setSessionToken(credentials().getSessionToken());
        destination.credentials().setSignature(credentials().getSignature());
        CDateTime pwExpiry;
        credentials().getPasswordExpiration(pwExpiry);
        destination.credentials().setPasswordExpiration(pwExpiry);
        CDateTime scratch;
        destination.setPasswordExpiration(getPasswordExpiration(scratch));
        destination.setStatus(getStatus());

        // `crit` presumably guards m_parameters; hold it for the whole walk.
        CriticalBlock guard(crit);
        Owned<IPropertyIterator> propIt(m_parameters->getIterator());
        ForEach(*propIt)
        {
            const char* key = propIt->getPropKey();
            destination.setProperty(key, m_parameters->queryProp(key));
        }
    }
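bool CPermissionsCache::lookup(ISecUser& sec_user)
{
    // Look `sec_user` up in the per-user cache. On a hit that is still within
    // m_cacheTimeout and whose password digest matches the supplied password,
    // copy the cached user record into `sec_user` and return true.
    //
    // Returns false on a miss, when the cache is disabled, or when the entry is
    // expired or no longer matches; in the last two cases the entry is evicted
    // so the caller falls through to a full authentication.
    if(!isCacheEnabled())
        return false;

    const char* username = sec_user.getName();
    if(!username || !*username)
        return false;

    string key(username);
    // This function erases and deletes cache entries (expired or stale-password
    // paths below), so it needs the lock exclusively. Under a read lock two
    // threads could find the same expired entry and both erase/delete it.
    WriteLockBlock writeLock(m_userCacheRWLock);

    MapUserCache::iterator it = m_userCache.find(key);
    if (it == m_userCache.end())
        return false;
    CachedUser* user = (CachedUser*)(it->second);

    time_t now;
    time(&now);
    if(user->getTimestamp() < (now - m_cacheTimeout))
    {
        // Expired: evict and report a miss.
        m_userCache.erase(username);
        delete user;
        return false;
    }

    const char* cachedpw = user->queryUser()->credentials().getPassword();
    StringBuffer pw(sec_user.credentials().getPassword());

    if(cachedpw && pw.length() > 0)
    {
        // The cached record holds an MD5 digest of the password that last
        // validated; digest the supplied clear text and compare.
        // NOTE(review): the digest is unsalted and strcmp is not constant-time;
        // weigh both against the deployment's threat model for this process.
        StringBuffer md5pbuf;
        md5_string(pw, md5pbuf);
        if(strcmp(cachedpw, md5pbuf.str()) == 0)
        {
#ifdef _DEBUG
            DBGLOG("CACHE: CPermissionsCache Found validated user %s", username);
#endif
            // Copy cached user to the sec_user structure, but still keep the original clear text password.
            user->queryUser()->copyTo(sec_user);
            sec_user.credentials().setPassword(pw.str());
            return true;
        }
        else
        {
            // Password differs from the cached digest: evict so the next
            // attempt goes through full authentication.
            m_userCache.erase(username);
            delete user;
            return false;
        }
    }

    return false;
}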
    virtual void copyTo(ISecUser& destination)
    {
        // Copy this user's identity fields, password, expiration, status and
        // custom properties onto `destination`.
        // (Method body of a class whose header is outside this listing.)
        destination.setAuthenticateStatus(getAuthenticateStatus());
        destination.setName(getName());
        destination.setFullName(getFullName());
        destination.setFirstName(getFirstName());
        destination.setLastName(getLastName());
        destination.setRealm(getRealm());
        destination.setFqdn(getFqdn());
        destination.setPeer(getPeer());
        // Whatever password representation this object holds is copied as-is.
        destination.credentials().setPassword(credentials().getPassword());
        CDateTime scratch;
        destination.setPasswordExpiration(getPasswordExpiration(scratch));
        destination.setStatus(getStatus());

        // No property map at all means there is nothing more to copy.
        if (!m_parameters.get())
            return;

        // `crit` presumably guards m_parameters; hold it for the whole walk.
        CriticalBlock guard(crit);
        Owned<IPropertyIterator> propIt(m_parameters->getIterator());
        for (propIt->first(); propIt->isValid(); propIt->next())
        {
            const char* key = propIt->getPropKey();
            destination.setProperty(key, m_parameters->queryProp(key));
        }
        // Tokens are not copied: addToken is not currently implemented.
    }
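bool CPermissionsCache::lookup(ISecUser& sec_user)
{
    // Look `sec_user` up in the per-user cache. On a hit that is still within
    // m_cacheTimeout and whose password digest matches the supplied password,
    // copy the cached user record into `sec_user` and return true.
    //
    // Returns false on a miss, when the cache is disabled, or when the entry is
    // expired or no longer matches; in the last two cases the entry is evicted
    // so the caller falls through to a full authentication.
    if(!isCacheEnabled())
        return false;

    const char* username = sec_user.getName();
    if(!username || !*username)
        return false;

    // The monitor covers both the lookup and the erase/delete paths below.
    synchronized block(m_userCacheMonitor);

    // Use find() rather than operator[]: with a std::map-style container the
    // subscript default-inserts a NULL entry for every name it has not seen,
    // so a stream of lookups for unknown users would grow the cache without
    // bound and leave NULL entries behind.
    MapUserCache::iterator it = m_userCache.find(username);
    if (it == m_userCache.end())
        return false;
    CachedUser* user = it->second;
    if(user == NULL)
        return false;

    time_t now;
    time(&now);
    if(user->getTimestamp() < (now - m_cacheTimeout))
    {
        // Expired: evict and report a miss.
        m_userCache.erase(username);
        delete user;
        return false;
    }

    const char* cachedpw = user->queryUser()->credentials().getPassword();
    StringBuffer pw(sec_user.credentials().getPassword());

    if(cachedpw && pw.length() > 0)
    {
        // The cached record holds an MD5 digest of the password that last
        // validated; digest the supplied clear text and compare.
        // NOTE(review): the digest is unsalted and strcmp is not constant-time;
        // weigh both against the deployment's threat model for this process.
        StringBuffer md5pbuf;
        md5_string(pw, md5pbuf);
        if(strcmp(cachedpw, md5pbuf.str()) == 0)
        {
            // Copy cached user to the sec_user structure, but still keep the original clear text password.
            user->queryUser()->copyTo(sec_user);
            sec_user.credentials().setPassword(pw.str());
            return true;
        }
        else
        {
            // Password differs from the cached digest: evict so the next
            // attempt goes through full authentication.
            m_userCache.erase(username);
            delete user;
            return false;
        }
    }

    return false;
}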
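bool CLocalSecurityManager::IsPasswordValid(ISecUser& sec_user)
{
    // Validate sec_user's password against the local account database through
    // IAuthenticatedUser::login(). On Windows the realm, when present, is
    // prefixed as "REALM\user".
    //
    // Returns the login result, or false if no authenticator could be created.
    //
    // The authenticator is held in Owned<> so it is released on every exit
    // path; the bare pointer previously leaked one object per call.
    // NOTE(review): this assumes IAuthenticatedUser is link-counted like the
    // other Owned<> interfaces in this file — confirm against its declaration.
    Owned<IAuthenticatedUser> au = createAuthenticatedUser();
    if (!au)
        return false;

    StringBuffer userbuf;
#ifdef _WIN32
    const char* realm = sec_user.getRealm();
    if(realm&&*realm)
        userbuf.append(realm).append("\\");
#endif
    userbuf.append(sec_user.getName());
    return au->login(userbuf.str(), sec_user.credentials().getPassword());
}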
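	bool IsPasswordValid(ISecUser& sec_user)
	{
		// Validate sec_user against the htpasswd entries held in userMap,
		// which loadPwds() refreshes when the file on disk has changed.
		// Returns true only when the user exists in the file and
		// apr_password_validate accepts the supplied password.
		// Throws if the user name is empty.
		// (Method body of a class whose header is outside this listing.)
		StringBuffer user;
		user.append(sec_user.getName());
		if (0 == user.length())
			throw MakeStringException(-1, "htpasswd User name is NULL");

		// A NULL password must not reach apr_password_validate; treat it as a
		// failed login rather than dereferencing it.
		const char* password = sec_user.credentials().getPassword();
		if (!password)
		{
			DBGLOG("htpasswd authentication for user %s failed - no password supplied", user.str());
			return false;
		}

		// `crit` serialises APR initialisation, the reload and the map lookup.
		CriticalBlock block(crit);
		if (!apr_initialized)
			initAPR();
		loadPwds();//reload password file if modified
		StringBuffer *encPW = userMap.getValue(user.str());
		if (encPW && encPW->length())
		{
			apr_status_t rc = apr_password_validate(password, encPW->str());
			if (rc != APR_SUCCESS)
				DBGLOG("htpasswd authentication for user %s failed - APR RC %d", user.str(), rc );
			return rc == APR_SUCCESS;
		}
		// NOTE(review): unknown users return before apr_password_validate runs,
		// so their response time differs from a wrong-password attempt.
		DBGLOG("User %s not in htpasswd file", user.str());
		return false;
	}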
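bool Cws_accountEx::onUpdateUser(IEspContext &context, IEspUpdateUserRequest & req, IEspUpdateUserResponse & resp)
{
    // Change the password of the user logged into `context`.
    //
    // The request must name the logged-in user and carry that user's current
    // password; the new password must be supplied twice, be at least 4
    // characters and differ from the current one (first 8 characters when the
    // LDAP storage scheme is CRYPT). Every policy failure is reported through
    // resp (retcode -1 plus a message) and returns false; a failure inside the
    // security manager is raised as ECLWATCH_CANNOT_CHANGE_PASSWORD and
    // forwarded via FORWARDEXCEPTION. Returns true once the password has been
    // changed.
    //
    // Only CLdapSecManager supports this operation; any other manager is
    // rejected with ECLWATCH_INVALID_SEC_MANAGER.
    try
    {
        CLdapSecManager* secmgr = dynamic_cast<CLdapSecManager*>(context.querySecManager());
        if(secmgr == NULL)
        {
            throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, "Security manager can't be converted to LdapSecManager. Only LdapSecManager supports this function.");
        }

        ISecUser* user = context.queryUser();
        if(user == NULL)
        {
            resp.setRetcode(-1);
            resp.setMessage("Can't find user in esp context. Please check if the user was properly logged in.");
            return false;
        }
        // The request may only change the caller's own password; the same
        // message is used for the name and password checks so the response
        // does not reveal which one failed.
        if(req.getUsername() == NULL || strcmp(req.getUsername(), user->getName()) != 0)
        {
            resp.setRetcode(-1);
            resp.setMessage("Username/password don't match.");
            return false;
        }

        // Re-verify the current password against the one held by the logged-in
        // user. A NULL stored password is a mismatch, not a strcmp(NULL) crash.
        // NOTE(review): this compares against the clear-text password retained
        // in the session's ISecUser — confirm that is the intended source.
        const char* oldpass = req.getOldpass();
        const char* curpass = user->credentials().getPassword();
        if(oldpass == NULL || curpass == NULL || strcmp(oldpass, curpass) != 0)
        {
            resp.setRetcode(-1);
            resp.setMessage("Username/password don't match.");
            return false;
        }

        // Password policy: minimum length, matching retype, not reused.
        const char* newpass1 = req.getNewpass1();
        const char* newpass2 = req.getNewpass2();
        if(newpass1 == NULL || newpass2 == NULL || strlen(newpass1) < 4 || strlen(newpass2) < 4)
        {
            resp.setRetcode(-1);
            resp.setMessage("New password must be 4 characters or longer.");
            return false;
        }
        if(strcmp(newpass1, newpass2) != 0)
        {
            resp.setRetcode(-1);
            resp.setMessage("Password and retype don't match.");
            return false;
        }
        if(strcmp(oldpass, newpass1) == 0)
        {
            resp.setRetcode(-1);
            resp.setMessage("New password can't be the same as current password.");
            return false;
        }

        // With CRYPT storage only the first 8 characters are significant, so
        // "different" has to be judged on that prefix.
        const char* pwscheme = secmgr->getPasswordStorageScheme();
        bool isCrypt = pwscheme && (stricmp(pwscheme, "CRYPT") == 0);
        if(isCrypt && strncmp(oldpass, newpass1, 8) == 0)
        {
            resp.setRetcode(-1);
            resp.setMessage("The first 8 characters of the new password must be different from before.");
            return false;
        }

        bool ok = false;
        try
        {
            ok = secmgr->updateUserPassword(*user, newpass1, oldpass);
        }
        catch(IException* e)
        {
            // Report the manager's own message to the caller.
            StringBuffer emsg;
            e->errorMessage(emsg);
            resp.setRetcode(-1);
            resp.setMessage(emsg.str());
            return false;
        }
        catch(...)
        {
            // Unknown failure: fall through to the generic error below.
            ok = false;
        }

        if(!ok)
        {
            throw MakeStringException(ECLWATCH_CANNOT_CHANGE_PASSWORD, "Failed in changing password.");
        }

        resp.setRetcode(0);
        if(isCrypt && strlen(newpass1) > 8)
            resp.setMessage("Your password has been changed successfully, however, only the first 8 chars are effective.");
        else
            resp.setMessage("Your password has been changed successfully.");
    }
    catch(IException* e)
    {
        FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
    }
    return true;
}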
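int CSoapService::processHeader(CHeader* header, IEspContext* ctx)
{
    // Walk the SOAP header blocks of a request. A "Security" block carrying
    // UsernameToken/Username and UsernameToken/Password (and optionally
    // RealmToken/Realm) is copied into `ctx` and its ISecUser; when the
    // context still needs authentication, the HTTP binding's doAuth() decides.
    //
    // Returns 0 when the request may proceed, SOAP_AUTHENTICATION_ERROR when
    // supplied credentials were rejected, or SOAP_AUTHENTICATION_REQUIRED when
    // authentication is needed but no usable credentials were presented (or
    // the transport cannot authenticate). Both non-zero outcomes are logged
    // with the user id and peer, never the password.
    if(ctx == NULL)
        return 0;

    int num = header->getNumBlocks();

    int returnValue = 0;
    bool authenticated = !ctx->toBeAuthenticated();
    for (int i = 0; i < num; i++)
    {
        IRpcMessage* oneblock = header->getHeaderBlock(i);
        if(oneblock == NULL)
            continue;
        if(strcmp(oneblock->get_name(), "Security") == 0)
        {
            // Read the token values raw; XML encoding is restored afterwards.
            bool encodeXML = oneblock->getEncodeXml();
            oneblock->setEncodeXml(false);
            StringBuffer username, password,realm;
            oneblock->get_value("UsernameToken/Username", username);
            oneblock->get_value("UsernameToken/Password", password);
            oneblock->get_value("RealmToken/Realm", realm);
            oneblock->setEncodeXml(encodeXML);
            // The password must never be logged here, even at debug level.
            if(username.length() > 0)
            {
                ctx->setUserID(username.str());
                ctx->setPassword(password.str());
                if(realm.length()>0)
                    ctx->setRealm(realm.str());

                ISecManager* secmgr = ctx->querySecManager();
                if(secmgr != NULL)
                {
                    ISecUser *user = ctx->queryUser();
                    if(user==NULL)
                    {
                        user = secmgr->createUser(username.str());
                        ctx->setUser(user);
                    }
                    if(user == NULL)
                    {
                        // Without a user object there is nothing to populate;
                        // authentication below will still be attempted.
                        WARNLOG("Couldn't create ISecUser object for %s", username.str());
                    }
                    else
                    {
                        user->setName(username.str());
                        user->credentials().setPassword(password.str());
                        if(realm.length()>0)
                            user->setRealm(realm.str());
                    }
                }

                if(ctx->toBeAuthenticated())
                {
                    if(stricmp(m_soapbinding->getTransportType(), "http") == 0)
                    {
                        EspHttpBinding* httpbinding = dynamic_cast<EspHttpBinding*>(m_soapbinding.get());
                        // A binding that reports "http" but is not an
                        // EspHttpBinding cannot authenticate the request.
                        authenticated = (httpbinding != NULL) && httpbinding->doAuth(ctx);
                    }
                    else
                    {
                        authenticated = false;
                    }
                    if(!authenticated)
                        returnValue = SOAP_AUTHENTICATION_ERROR;
                    // Only the first Security block is considered.
                    break;
                }
            }
        }
    }

    if (returnValue == 0)
    {
        if (authenticated)
            return 0;
        returnValue = SOAP_AUTHENTICATION_REQUIRED;
    }

    StringBuffer peerStr;
    ctx->getPeer(peerStr);
    const char* userId = ctx->queryUserId();
    VStringBuffer msg("SOAP request from %s@%s.", (userId&&*userId)?userId:"unknown", (peerStr.length()>0)?peerStr.str():"unknown");
    if (returnValue == SOAP_AUTHENTICATION_ERROR)
        msg.append(" User authentication failed");
    else
        msg.append(" User authentication required");
    DBGLOG("%s", msg.str());

    return returnValue;
}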