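 /// Enables or disables LDAP scope scans on behalf of the calling user.
 /// The flag is only changed after the caller's password authenticates via
 /// ldapsecurity *and* that account is reported as a superuser; any other
 /// outcome leaves the LDAP flags untouched.
 /// @param udesc  descriptor supplying the caller's user name and password
 /// @param enable true to set DLF_SCOPESCANS, false to clear it
 /// @param err    out: 0 on success, -1 when the caller is rejected
 /// @return true when the flag was changed, false otherwise
 bool enableScopeScans(IUserDescriptor *udesc, bool enable, int * err)
 {
     // Fail closed on a missing descriptor instead of dereferencing it.
     if (!udesc)
     {
         *err = -1;
         return false;
     }
     StringBuffer username;
     StringBuffer password;
     udesc->getUserName(username);
     udesc->getPassword(password);
     Owned<ISecUser> user = ldapsecurity->createUser(username);
     if (!user)
     {
         *err = -1;
         return false;
     }
     user->credentials().setPassword(password);
     // Initialised so a rejected bind cannot leave it indeterminate.
     bool superUser = false;
     // A failed bind and a non-superuser account are rejected identically.
     if (!ldapsecurity->authenticateUser(*user,superUser) || !superUser)
     {
         *err = -1;
         return false;
     }
     unsigned flags = getLDAPflags();
     if (enable)
     {
         DBGLOG("Scope Scans Enabled by user %s",username.str());
         flags |= (unsigned)DLF_SCOPESCANS;
     }
     else
     {
         DBGLOG("Scope Scans Disabled by user %s",username.str());
         flags &= ~(unsigned)DLF_SCOPESCANS;
     }
     setLDAPflags(flags);
     *err = 0;
     return true;
 }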
 /// Thread body for the stress test: repeats the authorizeEx() check
 /// m_rounds times, building a fresh ISecUser from m_user/m_passwd each
 /// round, and logs min/max/average wall-clock time per call (whole
 /// seconds, as measured by time()).
 /// @return always 0
 virtual int run()
 {
     int lastAccess = 0;
     int elapsedSum = 0;
     int fastest = -1;
     int slowest = 0;
     for (int round = 0; round < m_rounds; ++round)
     {
         time_t began;
         time_t ended;
         time(&began);
         {
             //synchronized block(m_mutex);
             Owned<ISecUser> candidate = m_secmgr->createUser(m_user.get());
             candidate->credentials().setPassword(m_passwd.get());
             //access = m_secmgr->authorizeFileScope(*usr, m_resource.get());
             lastAccess = m_secmgr->authorizeEx(m_rtype, *candidate, m_resource.get());
         }
         time(&ended);
         const int elapsed = (int)(ended - began);
         elapsedSum += elapsed;
         if (fastest == -1 || elapsed < fastest)
             fastest = elapsed;
         if (elapsed > slowest)
             slowest = elapsed;
         // Progress marker every 100 rounds.
         if ((round + 1) % 100 == 0)
             DBGLOG("Finished %d times\n", round + 1);
     }
     DBGLOG("Permission: %d, min: %d, max: %d, average:%f", lastAccess, fastest, slowest, elapsedSum * 1.0 / m_rounds);
     return 0;
 }
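    /// Evaluates a Dali permission request for a scope (key "Scope" = file
    /// scope, "workunit" = workunit scope) for the user carried by udesc.
    /// @param key        permission kind; a non-scope kind (NULL included) is
    ///                   not LDAP-controlled and yields 255
    /// @param obj        the scope being accessed
    /// @param udesc      caller's user name and password; may be NULL
    /// @param auditflags DALI_LDAP_* bits selecting audit reporting
    /// @return 255 (unrestricted) when LDAP is disabled or key is not a scope
    ///         kind; otherwise the permission bits from the authorize call,
    ///         with -1 mapped to 0 (no access)
    int getPermissions(const char *key,const char *obj,IUserDescriptor *udesc,unsigned auditflags)
    {
        // Without an active LDAP security manager nothing is restricted.
        if (!ldapsecurity||((getLDAPflags()&DLF_ENABLED)==0))
            return 255;
        // The log lines below tolerate a NULL key but stricmp() does not;
        // treat it like any other non-scope key.
        if (!key)
            return 255;
        bool filescope = stricmp(key,"Scope")==0;
        bool wuscope = stricmp(key,"workunit")==0;
        if (filescope||wuscope) {
            StringBuffer username;
            StringBuffer password;
            int perm = 0;
            if (udesc) {
                udesc->getUserName(username);
                udesc->getPassword(password);
            }
            // A request without a user name is evaluated with the built-in
            // default credentials rather than being denied; the debug trace
            // exists because that is not expected to happen.
            if (username.length()==0)  {
#ifndef _NO_DALIUSER_STACKTRACE
                DBGLOG("UNEXPECTED USER (NULL) in daldap.cpp getPermissions() line %d", __LINE__);
                //following debug code to be removed
                PrintStackReport();
#endif
                username.append(filesdefaultuser);
                decrypt(password, filesdefaultpassword);
            }
            unsigned start = msTick();
            Owned<ISecUser> user = ldapsecurity->createUser(username);
            if (user) {
                user->credentials().setPassword(password);
                if (filescope)
                    perm=ldapsecurity->authorizeFileScope(*user, obj);
                else if (wuscope)
                    perm=ldapsecurity->authorizeWorkunitScope(*user, obj);
                // -1 from the authorize call is reported as no access.
                if (perm==-1)
                    perm = 0;
            }
            unsigned taken = msTick()-start;
            // Release builds only log lookups slower than 100 ms; debug
            // builds log every lookup.
#ifndef _DEBUG
            if (taken>100)
#endif
            {
                PROGLOG("LDAP: getPermissions(%s) scope=%s user=%s returns %d in %d ms",key?key:"NULL",obj?obj:"NULL",username.str(),perm,taken);
            }
            // Optional audit record for denied read/write requests.
            if (auditflags&DALI_LDAP_AUDIT_REPORT) {
                StringBuffer auditstr;
                if ((auditflags&DALI_LDAP_READ_WANTED)&&!HASREADPERMISSION(perm))
                    auditstr.append("Lookup Access Denied");
                else if ((auditflags&DALI_LDAP_WRITE_WANTED)&&!HASWRITEPERMISSION(perm))
                    auditstr.append("Create Access Denied");
                if (auditstr.length()) {
                    auditstr.append(":\n\tProcess:\tdaserver");
                    auditstr.appendf("\n\tUser:\t%s",username.str());
                    auditstr.appendf("\n\tScope:\t%s\n",obj?obj:"");
                    SYSLOG(AUDIT_TYPE_ACCESS_FAILURE,auditstr.str());
                }
            }
            return perm;
        }
        return 255;
    }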
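    /// Enables or disables LDAP scope scans on behalf of the calling user.
    /// The caller is accepted either because the digital signature carried in
    /// udesc verifies against the user name (when a verifier is configured)
    /// or, failing that, because an LDAP password bind succeeds and reports
    /// superuser status. Any rejection leaves the LDAP flags untouched.
    /// NOTE(review): the signature path sets `authenticated` without checking
    /// superuser status, whereas the password path requires it; and the signed
    /// payload is the bare user name with no timestamp (contrast
    /// getPermissions(), which signs "scope;username;timestamp" and checks
    /// freshness), so a valid signature stays valid indefinitely. Confirm both
    /// are intended.
    /// @param udesc  descriptor supplying user name, password and signature
    /// @param enable true to set DLF_SCOPESCANS, false to clear it
    /// @param err    out: 0 on success, -1 when the caller is rejected
    /// @return true when the flag was changed, false otherwise
    bool enableScopeScans(IUserDescriptor *udesc, bool enable, int * err)
    {
        // Fail closed on a missing descriptor instead of dereferencing it.
        if (!udesc)
        {
            *err = -1;
            return false;
        }
        StringBuffer username;
        StringBuffer password;
        udesc->getUserName(username);
        udesc->getPassword(password);
        Owned<ISecUser> user = ldapsecurity->createUser(username);
        if (!user)
        {
            *err = -1;
            return false;
        }

        //Check user's digital signature, if present
        bool authenticated = false;
        if (!isEmptyString(udesc->querySignature()))
        {
            if (nullptr == pDSM)
                pDSM = queryDigitalSignatureManagerInstanceFromEnv();
            if (pDSM && pDSM->isDigiVerifierConfigured())
            {
                StringBuffer b64Signature(udesc->querySignature());
                if (!pDSM->digiVerify(username, b64Signature))//digital signature valid?
                {
                    ERRLOG("LDAP: enableScopeScans(%s) : Invalid user digital signature", username.str());
                    *err = -1;
                    return false;
                }
                else
                    authenticated = true;
            }
        }

        if (!authenticated)
        {
            // Initialised so a rejected bind cannot leave it indeterminate.
            bool superUser = false;
            user->credentials().setPassword(password);
            // A failed bind and a non-superuser account are rejected identically.
            if (!ldapsecurity->authenticateUser(*user, &superUser) || !superUser)
            {
                *err = -1;
                return false;
            }
        }

        unsigned flags = getLDAPflags();
        if (enable)
        {
            DBGLOG("Scope Scans Enabled by user %s",username.str());
            flags |= (unsigned)DLF_SCOPESCANS;
        }
        else
        {
            DBGLOG("Scope Scans Disabled by user %s",username.str());
            flags &= ~(unsigned)DLF_SCOPESCANS;
        }
        setLDAPflags(flags);
        *err = 0;
        return true;
    }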
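 /// Drops the cached permissions for the user described by udesc.
 /// The caller's credentials are attached to the ISecUser that is handed to
 /// ldapsecurity; whether the caller is entitled to clear the cache is
 /// presumably decided inside ldapsecurity->clearPermissionsCache, not here.
 /// @param udesc caller's user name and password
 /// @return true when LDAP security is disabled (nothing to clear) or
 ///         ldapsecurity reports success; false when the descriptor or the
 ///         security user is missing, or ldapsecurity declines
 bool clearPermissionsCache(IUserDescriptor *udesc)
 {
     // Nothing is cached unless LDAP security is active.
     if (!ldapsecurity || ((getLDAPflags() & DLF_ENABLED) == 0))
         return true;
     // Fail closed on a missing descriptor instead of dereferencing it.
     if (!udesc)
         return false;
     StringBuffer username;
     StringBuffer password;
     udesc->getUserName(username);
     udesc->getPassword(password);
     Owned<ISecUser> user = ldapsecurity->createUser(username);
     if (!user)
         return false;
     user->credentials().setPassword(password);
     return ldapsecurity->clearPermissionsCache(*user);
 }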
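    /// Evaluates a Dali permission request for a scope (key "Scope" = file
    /// scope, "workunit" = workunit scope) on behalf of the user in udesc.
    /// The caller is authenticated first: by a digital signature over
    /// "obj;username;timestamp" when reqSignature is supplied and a verifier
    /// is configured, otherwise by an LDAP password bind. Every failure on
    /// that path denies access.
    /// @param key             permission kind; a non-scope kind (NULL
    ///                        included) is not LDAP-controlled and yields
    ///                        SecAccess_Full once the caller is authenticated
    /// @param obj             the scope being accessed; also part of the
    ///                        signed payload
    /// @param udesc           caller's credentials; NULL is tolerated and,
    ///                        like an empty user name, falls back to the
    ///                        built-in default credentials
    /// @param auditflags      DALI_LDAP_* bits selecting audit reporting
    /// @param reqSignature    base64 signature of "obj;username;timestamp",
    ///                        or NULL/empty to use password authentication
    /// @param reqUTCTimestamp timestamp the signature was made over; must be
    ///                        supplied whenever reqSignature is non-empty
    /// @return SecAccess_Full when LDAP is disabled or key is not a scope
    ///         kind; SecAccess_None on any authentication failure; otherwise
    ///         the authorize result with SecAccess_Unavailable mapped to
    ///         SecAccess_None
    SecAccessFlags getPermissions(const char *key,const char *obj,IUserDescriptor *udesc,unsigned auditflags,const char * reqSignature, CDateTime * reqUTCTimestamp)
    {
        // Without an active LDAP security manager nothing is restricted.
        if (!ldapsecurity||((getLDAPflags()&DLF_ENABLED)==0))
            return SecAccess_Full;
        StringBuffer username;
        StringBuffer password;
        if (udesc)
        {
            udesc->getUserName(username);
            udesc->getPassword(password);
        }
        else
        {
            WARNLOG("NULL UserDescriptor in daldap.cpp getPermissions('%s')",key ? key : "NULL");
        }

        // A request without a user name is evaluated with the built-in
        // default credentials rather than being denied.
        if (0 == username.length())
        {
            username.append(filesdefaultuser);
            decrypt(password, filesdefaultpassword);
        }

        Owned<ISecUser> user = ldapsecurity->createUser(username);
        if (!user)
        {
            ERRLOG("LDAP: getPermissions(%s) scope=%s user=%s unable to create security user",key?key:"NULL",obj?obj:"NULL",username.str());
            return SecAccess_None;//deny
        }
        user->credentials().setPassword(password);

        bool authenticated = false;

        //Check that the digital signature provided by the caller (signature of
        //caller's "scope;username;timeStamp") matches what we expect it to be
        if (!isEmptyString(reqSignature))
        {
            if (nullptr == pDSM)
                pDSM = queryDigitalSignatureManagerInstanceFromEnv();
            if (pDSM && pDSM->isDigiVerifierConfigured())
            {
                // A signature without its timestamp cannot be checked for
                // freshness, so it is rejected rather than dereferenced.
                if (!reqUTCTimestamp)
                {
                    ERRLOG("LDAP: getPermissions(%s) scope=%s user=%s Request digital signature without timestamp",key?key:"NULL",obj?obj:"NULL",username.str());
                    return SecAccess_None;//deny
                }

                StringBuffer requestTimestamp;
                reqUTCTimestamp->getString(requestTimestamp, false);//extract timestamp string from Dali request

                CDateTime now;
                now.setNow();
                if (now.compare(*reqUTCTimestamp) < 0)//timestamp from the future?
                {
                    ERRLOG("LDAP: getPermissions(%s) scope=%s user=%s Request digital signature timestamp %s from the future",key?key:"NULL",obj?obj:"NULL",username.str(), requestTimestamp.str());
                    return SecAccess_None;//deny
                }

                CDateTime expiry;
                expiry.set(now);
                expiry.adjustTime(requestSignatureExpiryMinutes);//compute expiration timestamp

                // NOTE(review): reading compare() the way the "future" check
                // above does (negative when *this is earlier), this rejects
                // only requests later than now + requestSignatureExpiryMinutes,
                // which the future check already caught, so old signatures
                // would not expire here. Verify against CDateTime::adjustTime
                // and compare(); the intended test is "request older than
                // now - expiry window".
                if (expiry.compare(*reqUTCTimestamp) < 0)//timestamp too far in the past?
                {
                    ERRLOG("LDAP: getPermissions(%s) scope=%s user=%s Expired request digital signature timestamp %s",key?key:"NULL",obj?obj:"NULL",username.str(), requestTimestamp.str());
                    return SecAccess_None;//deny
                }

                // NOTE(review): obj may be NULL here (the log calls guard it);
                // a NULL %s argument is undefined in printf-style formatting.
                // Left as is because the signer's payload format is not
                // visible here.
                VStringBuffer expectedStr("%s;%s;%s", obj, username.str(), requestTimestamp.str());
                StringBuffer b64Signature(reqSignature);// signature of scope;user;timestamp

                if (!pDSM->digiVerify(expectedStr, b64Signature))//does the digital signature match what we expect?
                {
                    ERRLOG("LDAP: getPermissions(%s) scope=%s user=%s fails digital signature verification",key?key:"NULL",obj?obj:"NULL",username.str());
                    return SecAccess_None;//deny
                }

                authenticated = true;//Digital signature verified
            }
            else
                ERRLOG("LDAP: getPermissions(%s) scope=%s user=%s digital signature support not available",key?key:"NULL",obj?obj:"NULL",username.str());
        }

        // No verified signature: fall back to an LDAP password bind.
        if (!authenticated && !ldapsecurity->authenticateUser(*user, NULL))
        {
            ERRLOG("LDAP: getPermissions(%s) scope=%s user=%s fails LDAP authentication",key?key:"NULL",obj?obj:"NULL",username.str());
            return SecAccess_None;//deny
        }

        // The log calls tolerate a NULL key but stricmp() does not; treat it
        // like any other non-scope key.
        if (!key)
            return SecAccess_Full;
        bool filescope = stricmp(key,"Scope")==0;
        bool wuscope = stricmp(key,"workunit")==0;

        if (filescope || wuscope) {
            SecAccessFlags perm = SecAccess_None;
            unsigned start = msTick();
            if (filescope)
                perm=ldapsecurity->authorizeFileScope(*user, obj);
            else if (wuscope)
                perm=ldapsecurity->authorizeWorkunitScope(*user, obj);
            // An unavailable answer is reported as no access.
            if (perm == SecAccess_Unavailable)
                perm = SecAccess_None;

            unsigned taken = msTick()-start;
            // Release builds only log lookups slower than 100 ms; debug
            // builds log every lookup.
#ifndef _DEBUG
            if (taken>100)
#endif
            {
                PROGLOG("LDAP: getPermissions(%s) scope=%s user=%s returns %d in %d ms",key?key:"NULL",obj?obj:"NULL",username.str(),perm,taken);
            }
            // Optional audit record for denied read/write requests.
            if (auditflags&DALI_LDAP_AUDIT_REPORT) {
                StringBuffer auditstr;
                if ((auditflags&DALI_LDAP_READ_WANTED)&&!HASREADPERMISSION(perm))
                    auditstr.append("Lookup Access Denied");
                else if ((auditflags&DALI_LDAP_WRITE_WANTED)&&!HASWRITEPERMISSION(perm))
                    auditstr.append("Create Access Denied");
                if (auditstr.length()) {
                    auditstr.append(":\n\tProcess:\tdaserver");
                    auditstr.appendf("\n\tUser:\t%s",username.str());
                    auditstr.appendf("\n\tScope:\t%s\n",obj?obj:"");
                    SYSLOG(AUDIT_TYPE_ACCESS_FAILURE,auditstr.str());
                }
            }
            return perm;
        }
        return SecAccess_Full;
    }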
//-----------------------------------------------------
//
//-----------------------------------------------------
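/// Interactive one-shot initialisation of the HPCC LDAP environment:
/// validates the LDAPServer configuration, prompts on stdin for an LDAP
/// admin account, builds the security manager with those credentials (which
/// creates the required OUs), then creates the HPCC system user and adds it
/// to the directory's administrators group.
/// @param ldapProps LDAPServer component properties; @systemUser,
///                  @systemCommonName and @systemPassword are overwritten in
///                  place, and @systemBasedn is cleared for non-AD servers
/// @return false on a configuration or input error, or when the security
///         manager cannot be created; true once initialisation completes,
///         and also when the operator answers 'n' at the confirmation prompt
bool initLDAP(IPropertyTree * ldapProps)
{
    StringAttr serverType( ldapProps->queryProp("@serverType") );
    if (!serverType.length())
    {
        fprintf(stderr, "\nERROR: serverType not set in LDAPServer component");
        return false;
    }

    StringBuffer hpccUser;
    StringBuffer hpccPwd;
    ldapProps->getProp("@systemUser", hpccUser);
    ldapProps->getProp("@systemPassword", hpccPwd);
    if (0==hpccUser.length() || 0==hpccPwd.length())
    {
        fprintf(stderr, "\nERROR: HPCC systemUser credentials not found in configuration");
        return false;
    }

    StringBuffer ldapAddress;
    ldapProps->getProp("@ldapAddress", ldapAddress);

    //Get LDAP admin creds from user
    // NOTE(review): both prompts read with fgets(), so the admin password is
    // echoed on the terminal and silently truncated at sizeof(buff)-1 chars.
    char buff[100];
    fprintf(stdout, "\nEnter the '%s' LDAP Admin User name on '%s'...",serverType.get(),ldapAddress.str());
    // Skip blank lines; EOF aborts.
    do
    {
        char * line = fgets(buff, sizeof(buff), stdin);
        if (!line)
            return false;
    }
    while (buff[0] == '\n');

    // fgets() keeps the newline; strip it.
    size_t userLen = strlen(buff);
    if (userLen && buff[userLen-1] == '\n')
        buff[userLen-1] = '\0';
    StringAttr ldapUser(buff);

    fprintf(stdout, "Enter the LDAP Admin user '%s' password...",ldapUser.get());
    char * line = fgets(buff, sizeof(buff), stdin);
    if (!line)
        return false;

    size_t pwdLen = strlen(buff);
    if (pwdLen && buff[pwdLen-1] == '\n')
        buff[pwdLen-1] = '\0';
    StringAttr ldapPwd(buff);
    if (0==ldapUser.length() || 0==ldapPwd.length())
    {
        fprintf(stderr, "\nERROR: Invalid LDAP Admin account credentials entered");
        return false;
    }

    fprintf(stdout, "\nReady to initialize HPCC LDAP Environment, using the following settings");
    fprintf(stdout, "\n\tLDAP Server     : %s", ldapAddress.str());
    fprintf(stdout, "\n\tLDAP Type       : %s", serverType.get());
    fprintf(stdout, "\n\tHPCC Admin User : %s", hpccUser.str());
    fprintf(stdout, "\nProceed?  y/n ");
    // Any other character is ignored until y/n is typed; declining is not
    // reported as an error.
    for (;;)
    {
        int c = getchar();
        if (c == 'y' || c == 'Y')
            break;
        else if (c == 'n' || c == 'N')
            return true;
    }

    // Only Active Directory keeps its configured system base DN.
    if (stricmp(serverType.get(),"ActiveDirectory"))
        ldapProps->setProp("@systemBasedn", "");

    //Replace system user with LDAP Admin credentials
    ldapProps->setProp("@systemUser", ldapUser);
    ldapProps->setProp("@systemCommonName", ldapUser);
    StringBuffer sb;
    encrypt(sb,ldapPwd);
    ldapProps->setProp("@systemPassword", sb.str());

    //Create security manager. This creates the required OUs
    Owned<ISecManager> secMgr;
    try
    {
        secMgr.setown(newLdapSecManager("initldap", *LINK(ldapProps)));
    }
    catch(IException *e)
    {
        StringBuffer msg;
        e->errorMessage(msg);
        e->Release();
        fprintf(stderr, "\nERROR: Unable to create security manager : %s", msg.str());
        return false;
    }

    //Create HPCC Admin user
    Owned<ISecUser> user = secMgr->createUser(hpccUser.str());
    StringBuffer pwd;
    decrypt(pwd, hpccPwd.str());
    user->credentials().setPassword(pwd.str());
    // Deliberately best-effort: the user may already exist.
    try { secMgr->addUser(*user.get()); }
    catch(...) {}//user may already exist, so just move on

    //Add HPCC admin user to Administrators group
    CLdapSecManager* ldapSecMgr = dynamic_cast<CLdapSecManager*>(secMgr.get());
    if (!ldapSecMgr)
    {
        fprintf(stderr, "\nERROR: Unable to access CLdapSecManager object");
        return false;
    }
    StringAttr adminGroup;
    if (0 == stricmp(serverType.get(),"ActiveDirectory"))
        adminGroup.set("Administrators");
    else
        adminGroup.set("Directory Administrators");
    // Deliberately best-effort: the user may already be a member.
    try { ldapSecMgr->changeUserGroup("add", hpccUser.str(), adminGroup); }
    catch(...) {}//user may already be in group so just move on

    fprintf(stdout, "\n\nLDAP Initialization successful\n");
    return true;
}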
/// Command-line driver for the LDAP security manager test tool.
/// Actions: -ac (check access, default), -au (add user), -ar (add resource),
/// -cp (change password); -stress runs numthrds threads of numrounds checks.
/// NOTE(review): -p/-np take passwords from argv, so they are visible to other
/// users through the process list; the interactive getpassword() prompt is
/// only used when -p is absent.
/// NOTE(review): every option consumes argv[i++] without checking i < argc,
/// so a flag given last reads past the end of argv (atoi(NULL) for -stress).
/// @return 0 after the action ran (or an exception was reported), -1 on
///         usage or configuration errors
int main(int argc, char* argv[])
{
    if(argc < 2)
    {
        usage();
        return -1;
    }

    InitModuleObjects();

    const char *action = NULL, *configfile = NULL, *username = NULL, *passwd = NULL, 
        *resource = NULL, *resourcetype = NULL, *newpasswd = NULL, *firstname = NULL, *lastname=NULL;

    bool stress = false;
    int numthrds = 0;
    int numrounds = 0;
    int numfiles = 0;

    // Option parsing: flags are case-insensitive, each value flag consumes
    // the following argument.
    int i = 1;
    while(i<argc)
    {
        if (stricmp(argv[i], "-ac")==0 || stricmp(argv[i], "-au") == 0 || stricmp(argv[i], "-ar") == 0|| stricmp(argv[i], "-cp") == 0)
        {
            action = argv[i++];
        }
        else if (stricmp(argv[i], "-c")==0)
        {
            i++;
            configfile = argv[i++];
        }
        else if (stricmp(argv[i],"-u")==0)
        {
            i++;
            username = argv[i++];
        }
        else if (stricmp(argv[i], "-p")==0)
        {
            i++;
            passwd = argv[i++];
        }
        else if (stricmp(argv[i], "-r")==0)
        {
            i++;
            resource = argv[i++];
        }
        else if (stricmp(argv[i], "-t") == 0)
        {
            i++;
            resourcetype = argv[i++];
        }
        else if (stricmp(argv[i], "-np") == 0)
        {
            i++;
            newpasswd = argv[i++];
        }
        else if (stricmp(argv[i], "-fn") == 0)
        {
            i++;
            firstname = argv[i++];
        }
        else if (stricmp(argv[i], "-ln") == 0)
        {
            i++;
            lastname = argv[i++];
        }
        else if (stricmp(argv[i], "-stress") == 0)
        {
            stress = true;
            i++;
            numthrds = atoi(argv[i++]);
            numrounds = atoi(argv[i++]);
        }
        else if (stricmp(argv[i], "-open") == 0)
        {
            i++;
            numfiles = atoi(argv[i++]);
        }
        else
        {
            printf("Error: command format error\n");
            usage();
            return -1;
        }
    }

    if(configfile == NULL || *configfile == '\0')
    {
        printf("You have to specify the config file");
        return -1;
    }
    
    try
    {
        // The security manager is built from the ldapSecurity subtree of
        // the config file.
        Owned<IPropertyTree> cfg = createPTreeFromXMLFile(configfile);
        Owned<IPropertyTree> seccfg = cfg->getPropTree(".//ldapSecurity");
        if(seccfg == NULL)
        {
            printf("ldapSecurity not found\n");
            return -1;
        }
#ifdef _NO_LDAP
        printf("System was built with _NO_LDAP\n");
        return -1;
#else
        Owned<ISecManager> secmgr = newLdapSecManager("test", *LINK(seccfg));
        if(secmgr == NULL)
        {
            printf("security manager can't be created\n");
            return -1;
        }

        // -ac (or no action): check the user's permission on a resource.
        if(action == NULL || stricmp(action, "-ac") == 0)
        {
            if(username == NULL || *username == '\0')
            {
                printf("missing username\n");
                return -1;
            }
            if(resource == NULL || *resource == '\0')
            {
                printf("missing resource\n");
                return -1;
            }

            SecResourceType rtype = RT_DEFAULT;
            if((resourcetype != NULL) && (stricmp(resourcetype, "filescope") == 0))
                rtype = RT_FILE_SCOPE;
            else if((resourcetype != NULL) && (stricmp(resourcetype, "workunit") == 0))
                rtype = RT_WORKUNIT_SCOPE;

            StringBuffer passbuf;
            if(passwd == NULL || *passwd == '\0')
            {
                // NOTE(review): this line is garbled in the listing ("******"
                // redaction); it apparently prompts for the password and
                // prints the resulting permission for the resource.
                getpassword("Enter password: "******"%s's permission = %d \n", resource, access);
            }
            else
            {
                // Stress mode: numthrds CPermissionCheckThread workers, each
                // doing numrounds checks. The thread objects and the array
                // are never freed (process exits shortly after).
                CPermissionCheckThread** thrds = new CPermissionCheckThread*[numthrds];
                for(int i = 0; i < numthrds; i++)   
                    thrds[i] = new CPermissionCheckThread(secmgr, username, passwd, resource, rtype, numrounds);
                for(int j = 0; j < numthrds; j++)
                    thrds[j]->start();
                for(int k = 0; k < numthrds; k++)
                    thrds[k]->join();
            }
        }
        // -au: add a user with optional first/last name.
        else if(stricmp(action, "-au") == 0)
        {
            if(username == NULL || *username == '\0')
            {
                printf("missing username\n");
                return -1;
            }

            Owned<ISecUser> usr = secmgr->createUser(username);
            if(firstname != NULL)
                usr->setFirstName(firstname);
            if(lastname != NULL)
                usr->setLastName(lastname);
            // setPassword is called before the usr null check on the next line.
            usr->credentials().setPassword(passwd);
            bool ok = usr?secmgr->addUser(*usr):false;
            if(ok)
                printf("user %s added\n", username);
            else
                printf("user %s not added\n", username);
        }
        // -ar: add a resource, restricted to administrators.
        else if(stricmp(action, "-ar") == 0)
        {
            if(resource == NULL || *resource == '\0')
            {
                printf("missing resource\n");
                return -1;
            }

            SecResourceType rtype = RT_DEFAULT;
            if((resourcetype != NULL) && (stricmp(resourcetype, "filescope") == 0))
                rtype = RT_FILE_SCOPE;
            else if((resourcetype != NULL) && (stricmp(resourcetype, "workunit") == 0))
                rtype = RT_WORKUNIT_SCOPE;

            // NOTE(review): usr stays NULL when no username is given, yet
            // *usr is dereferenced below.
            Owned<ISecUser> usr;
            if(username != NULL && *username != '\0')
                usr.setown(secmgr->createUser(username));

            bool ok = secmgr->addResourceEx(rtype, *usr, resource, PT_ADMINISTRATORS_ONLY, NULL);
            if(!ok)
                printf("resource not added\n");
            else
                printf("resource %s added\n", resource);
        }
        // -cp: change the user's password.
        else if(stricmp(action, "-cp") == 0)
        {
            if(username == NULL || *username == '\0')
            {
                printf("missing username\n");
                return -1;
            }
            StringBuffer passbuf, newpassbuf;
            if(passwd == NULL || *passwd == '\0')
            {
                // NOTE(review): this line is garbled in the listing ("******"
                // redaction); it apparently prompts for the current and new
                // passwords and reports the outcome.
                getpassword("Enter password: "******"\nEnter new password: "******"user password changed\n");
            else
                printf("user password not changed\n");          
        }
#endif
    }
    catch(IException* e)
    {
        StringBuffer errmsg;
        e->errorMessage(errmsg);
        printf("%s\n", errmsg.str());
    }
    catch(...)
    {
        printf("Unknown exception\n");
    }

    releaseAtoms();

    return 0;
}