bool Cws_accountEx::onMyAccount(IEspContext &context, IEspMyAccountRequest &req, IEspMyAccountResponse &resp)
{
try
{
ISecUser* user = context.queryUser();
if(user != NULL)
{
CDateTime dt;
user->getPasswordExpiration(dt);
StringBuffer sb;
if (dt.isNull())
sb.append("Never");
else
{
dt.getString(sb);
sb.replace('T', (char)0);//chop off timestring
}
resp.setPasswordExpiration(sb.str());
resp.setPasswordDaysRemaining(user->getPasswordDaysRemaining());
resp.setFirstName(user->getFirstName());
resp.setLastName(user->getLastName());
resp.setUsername(user->getName());
}
}
catch(IException* e)
{
FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
}
return true;
}
void CPermissionsCache::removePermissions( ISecUser& sec_user)
{
synchronized block(m_cachemonitor);
const char* user = sec_user.getName();
if(user != NULL && *user != '\0')
{
m_resPermissionsMap.erase(user);
}
}
bool CPermissionsCache::lookup(ISecUser& sec_user)
{
if(!isCacheEnabled())
return false;
const char* username = sec_user.getName();
if(!username || !*username)
return false;
string key(username);
ReadLockBlock readLock(m_userCacheRWLock );
MapUserCache::iterator it = m_userCache.find(key);
if (it == m_userCache.end())
return false;
CachedUser* user = (CachedUser*)(it->second);
time_t now;
time(&now);
if(user->getTimestamp() < (now - m_cacheTimeout))
{
m_userCache.erase(username);
delete user;
return false;
}
const char* cachedpw = user->queryUser()->credentials().getPassword();
StringBuffer pw(sec_user.credentials().getPassword());
if(cachedpw && pw.length() > 0)
{
StringBuffer md5pbuf;
md5_string(pw, md5pbuf);
if(strcmp(cachedpw, md5pbuf.str()) == 0)
{
#ifdef _DEBUG
DBGLOG("CACHE: CPermissionsCache Found validated user %s", username);
#endif
// Copy cached user to the sec_user structure, but still keep the original clear text password.
user->queryUser()->copyTo(sec_user);
sec_user.credentials().setPassword(pw.str());
return true;
}
else
{
m_userCache.erase(username);
delete user;
return false;
}
}
return false;
}
void CPermissionsCache::removePermissions( ISecUser& sec_user)
{
const char* user = sec_user.getName();
if(user != NULL && *user != '\0')
{
#ifdef _DEBUG
DBGLOG("CACHE: CPermissionsCache Removing permissions for user %s", user);
#endif
WriteLockBlock writeLock(m_resPermCacheRWLock);
m_resPermissionsMap.erase(user);
}
}
bool CLocalSecurityManager::IsPasswordValid(ISecUser& sec_user)
{
IAuthenticatedUser* au = createAuthenticatedUser();
StringBuffer userbuf;
#ifdef _WIN32
const char* realm = sec_user.getRealm();
if(realm&&*realm)
userbuf.append(realm).append("\\");
#endif
userbuf.append(sec_user.getName());
return au->login(userbuf.str(), sec_user.credentials().getPassword());
}
void CPermissionsCache::removeFromUserCache(ISecUser& sec_user)
{
const char* username = sec_user.getName();
if(username && *username)
{
synchronized block(m_userCacheMonitor);
CachedUser* user = m_userCache[username];
if(user)
{
m_userCache.erase(username);
delete user;
}
}
}
bool Cws_accountEx::onUpdateUserInput(IEspContext &context, IEspUpdateUserInputRequest &req, IEspUpdateUserInputResponse &resp)
{
try
{
ISecUser* user = context.queryUser();
if(user != NULL)
{
resp.setUsername(user->getName());
}
}
catch(IException* e)
{
FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
}
return true;
}
void CPermissionsCache::removeFromUserCache(ISecUser& sec_user)
{
const char* username = sec_user.getName();
if(username && *username)
{
synchronized block(m_userCacheMonitor);
string key(username);
MapUserCache::iterator it = m_userCache.find(key);
if (it != m_userCache.end())
{
CachedUser* user = (CachedUser*)(it->second);
m_userCache.erase(username);
delete user;
}
}
}
bool CPermissionsCache::lookup(ISecUser& sec_user)
{
if(!isCacheEnabled())
return false;
const char* username = sec_user.getName();
if(!username || !*username)
return false;
synchronized block(m_userCacheMonitor);
CachedUser* user = m_userCache[username];
if(user == NULL)
return false;
time_t now;
time(&now);
if(user->getTimestamp() < (now - m_cacheTimeout))
{
m_userCache.erase(username);
delete user;
return false;
}
const char* cachedpw = user->queryUser()->credentials().getPassword();
StringBuffer pw(sec_user.credentials().getPassword());
if(cachedpw && pw.length() > 0)
{
StringBuffer md5pbuf;
md5_string(pw, md5pbuf);
if(strcmp(cachedpw, md5pbuf.str()) == 0)
{
// Copy cached user to the sec_user structure, but still keep the original clear text password.
user->queryUser()->copyTo(sec_user);
sec_user.credentials().setPassword(pw.str());
return true;
}
else
{
m_userCache.erase(username);
delete user;
return false;
}
}
return false;
}
void CPermissionsCache::add(ISecUser& sec_user)
{
if(!isCacheEnabled() || &sec_user == NULL)
return;
const char* username = sec_user.getName();
if(!username || !*username)
return;
synchronized block(m_userCacheMonitor);
CachedUser* user = m_userCache[username];
if(user)
{
m_userCache.erase(username);
delete user;
}
m_userCache[username] = new CachedUser(sec_user.clone());
}
void CPermissionsCache::add( ISecUser& sec_user, IArrayOf<ISecResource>& resources )
{
synchronized block(m_cachemonitor);
const char* user = sec_user.getName();
MapResPermissionsCache::const_iterator i = m_resPermissionsMap.find( user );
CResPermissionsCache* pResPermissionsCache;
if (i == m_resPermissionsMap.end())
{
//DBGLOG("CACHE: Adding cache for %s", user);
pResPermissionsCache = new CResPermissionsCache(this, user);
m_resPermissionsMap.insert(pair<string, CResPermissionsCache*>(user, pResPermissionsCache));
}
else
pResPermissionsCache = (*i).second;
pResPermissionsCache->add( resources );
}
void CPermissionsCache::removeFromUserCache(ISecUser& sec_user)
{
const char* username = sec_user.getName();
if(username && *username)
{
string key(username);
WriteLockBlock writeLock(m_userCacheRWLock );
MapUserCache::iterator it = m_userCache.find(key);
if (it != m_userCache.end())
{
CachedUser* user = (CachedUser*)(it->second);
m_userCache.erase(username);
delete user;
#ifdef _DEBUG
DBGLOG("CACHE: CPermissionsCache Removing cached user %s", username);
#endif
}
}
}
bool CWsPackageProcessEx::onEcho(IEspContext &context, IEspEchoRequest &req, IEspEchoResponse &resp)
{
StringBuffer respMsg;
ISecUser* user = context.queryUser();
if(user != NULL)
{
const char* name = user->getName();
if (name && *name)
respMsg.appendf("%s: ", name);
}
const char* reqMsg = req.getRequest();
if (reqMsg && *reqMsg)
respMsg.append(reqMsg);
else
respMsg.append("??");
resp.setResponse(respMsg.str());
return true;
}
void CPermissionsCache::add(ISecUser& sec_user)
{
if(!isCacheEnabled())
return;
const char* username = sec_user.getName();
if(!username || !*username)
return;
synchronized block(m_userCacheMonitor);
string key(username);
MapUserCache::iterator it = m_userCache.find(key);
CachedUser* user = NULL;
if (it != m_userCache.end())
{
user = (CachedUser*)(it->second);
m_userCache.erase(username);
delete user;
}
m_userCache[username] = new CachedUser(sec_user.clone());
}
int CPermissionsCache::lookup( ISecUser& sec_user, IArrayOf<ISecResource>& resources,
bool* pFound)
{
synchronized block(m_cachemonitor);
const char* userId = sec_user.getName();
int nFound;
MapResPermissionsCache::const_iterator i = m_resPermissionsMap.find( userId );
if (i != m_resPermissionsMap.end())
{
CResPermissionsCache* pResPermissionsCache = (*i).second;
nFound = pResPermissionsCache->lookup( resources, pFound );
}
else
{
nFound = 0;
memset(pFound, 0, sizeof(bool)*resources.ordinality());
//DBGLOG("CACHE: Looking up %s:*", userId);
}
return nFound;
}
bool IsPasswordValid(ISecUser& sec_user)
{
StringBuffer user;
user.append(sec_user.getName());
if (0 == user.length())
throw MakeStringException(-1, "htpasswd User name is NULL");
CriticalBlock block(crit);
if (!apr_initialized)
initAPR();
loadPwds();//reload password file if modified
StringBuffer *encPW = userMap.getValue(user.str());
if (encPW && encPW->length())
{
apr_status_t rc = apr_password_validate(sec_user.credentials().getPassword(), encPW->str());
if (rc != APR_SUCCESS)
DBGLOG("htpasswd authentication for user %s failed - APR RC %d", user.str(), rc );
return rc == APR_SUCCESS;
}
DBGLOG("User %s not in htpasswd file", user.str());
return false;
}
int CPermissionsCache::lookup( ISecUser& sec_user, IArrayOf<ISecResource>& resources,
bool* pFound)
{
const char* userId = sec_user.getName();
int nFound;
ReadLockBlock readLock(m_resPermCacheRWLock);
MapResPermissionsCache::const_iterator i = m_resPermissionsMap.find( userId );
if (i != m_resPermissionsMap.end())
{
CResPermissionsCache* pResPermissionsCache = (*i).second;
nFound = pResPermissionsCache->lookup( resources, pFound );
}
else
{
nFound = 0;
memset(pFound, 0, sizeof(bool)*resources.ordinality());
}
#ifdef _DEBUG
DBGLOG("CACHE: CPermissionsCache Looked up resources for %s:*, found %d of %d matches", userId, nFound, resources.ordinality());
#endif
return nFound;
}
void CPermissionsCache::add( ISecUser& sec_user, IArrayOf<ISecResource>& resources )
{
const char* user = sec_user.getName();
WriteLockBlock writeLock(m_resPermCacheRWLock);
MapResPermissionsCache::const_iterator i = m_resPermissionsMap.find( user );
CResPermissionsCache* pResPermissionsCache;
if (i == m_resPermissionsMap.end())
{
#ifdef _DEBUG
DBGLOG("CACHE: CPermissionsCache Adding resources to cache for new user %s", user);
#endif
pResPermissionsCache = new CResPermissionsCache(this, user);
m_resPermissionsMap.insert(pair<string, CResPermissionsCache*>(user, pResPermissionsCache));
}
else
{
#ifdef _DEBUG
DBGLOG("CACHE: CPermissionsCache Adding resources to cache for existing user %s", user);
#endif
pResPermissionsCache = (*i).second;
}
pResPermissionsCache->add( resources );
}
void CPermissionsCache::add(ISecUser& sec_user)
{
if(!isCacheEnabled())
return;
const char* username = sec_user.getName();
if(!username || !*username)
return;
string key(username);
WriteLockBlock writeLock(m_userCacheRWLock );
MapUserCache::iterator it = m_userCache.find(key);
CachedUser* user = NULL;
if (it != m_userCache.end())
{
user = (CachedUser*)(it->second);
m_userCache.erase(username);
delete user;
}
#ifdef _DEBUG
DBGLOG("CACHE: CPermissionsCache Adding cached user %s", username);
#endif
m_userCache[username] = new CachedUser(sec_user.clone());
}
bool Cws_accountEx::onUpdateUser(IEspContext &context, IEspUpdateUserRequest & req, IEspUpdateUserResponse & resp)
{
try
{
CLdapSecManager* secmgr = dynamic_cast<CLdapSecManager*>(context.querySecManager());
if(secmgr == NULL)
{
throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, "Security manager can't be converted to LdapSecManager. Only LdapSecManager supports this function.");
}
ISecUser* user = context.queryUser();
if(user == NULL)
{
resp.setRetcode(-1);
resp.setMessage("Can't find user in esp context. Please check if the user was properly logged in.");
return false;
}
if(req.getUsername() == NULL || strcmp(req.getUsername(), user->getName()) != 0)
{
resp.setRetcode(-1);
resp.setMessage("Username/password don't match.");
return false;
}
const char* oldpass = req.getOldpass();
if(oldpass == NULL || strcmp(oldpass, user->credentials().getPassword()) != 0)
{
resp.setRetcode(-1);
resp.setMessage("Username/password don't match.");
return false;
}
const char* newpass1 = req.getNewpass1();
const char* newpass2 = req.getNewpass2();
if(newpass1 == NULL || newpass2 == NULL || strlen(newpass1) < 4 || strlen(newpass2) < 4)
{
resp.setRetcode(-1);
resp.setMessage("New password must be 4 characters or longer.");
return false;
}
if(strcmp(newpass1, newpass2) != 0)
{
resp.setRetcode(-1);
resp.setMessage("Password and retype don't match.");
return false;
}
if(strcmp(oldpass, newpass1) == 0)
{
resp.setRetcode(-1);
resp.setMessage("New password can't be the same as current password.");
return false;
}
const char* pwscheme = secmgr->getPasswordStorageScheme();
bool isCrypt = pwscheme && (stricmp(pwscheme, "CRYPT") == 0);
if(isCrypt && strncmp(oldpass, newpass1, 8) == 0)
{
resp.setRetcode(-1);
resp.setMessage("The first 8 characters of the new password must be different from before.");
return false;
}
bool ok = false;
try
{
ok = secmgr->updateUserPassword(*user, newpass1, oldpass);
}
catch(IException* e)
{
StringBuffer emsg;
e->errorMessage(emsg);
resp.setRetcode(-1);
resp.setMessage(emsg.str());
return false;
}
catch(...)
{
ok = false;
}
if(!ok)
{
throw MakeStringException(ECLWATCH_CANNOT_CHANGE_PASSWORD, "Failed in changing password.");
}
resp.setRetcode(0);
if(isCrypt && strlen(newpass1) > 8)
resp.setMessage("Your password has been changed successfully, however, only the first 8 chars are effective.");
else
resp.setMessage("Your password has been changed successfully.");
}
catch(IException* e)
{
FORWARDEXCEPTION(context, e, ECLWATCH_INTERNAL_ERROR);
}
return true;
}
