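/**
 * Turn scope scanning (DLF_SCOPESCANS) on or off in the LDAP flags.
 *
 * The caller is authenticated against LDAP with the user name and password
 * carried by udesc and must be reported as a super user; anyone else is
 * refused and the flags are left untouched.
 *
 * @param udesc   descriptor supplying the caller's user name and password
 * @param enable  true sets DLF_SCOPESCANS, false clears it
 * @param err     receives 0 on success, -1 when the request is refused
 *                (ignored when NULL)
 * @return true when the flag was updated, false otherwise
 */
bool enableScopeScans(IUserDescriptor *udesc, bool enable, int * err)
{
    // Fail closed: without a descriptor or a security manager there is
    // nothing to authenticate against, so refuse instead of dereferencing NULL.
    if (!udesc || !ldapsecurity)
    {
        if (err)
            *err = -1;
        return false;
    }
    StringBuffer username;
    StringBuffer password;
    udesc->getUserName(username);
    udesc->getPassword(password);
    Owned<ISecUser> user = ldapsecurity->createUser(username);
    if (!user)
    {
        if (err)
            *err = -1;
        return false;
    }
    user->credentials().setPassword(password);
    // Initialised so a decision is never taken on an indeterminate value if
    // authenticateUser returns without writing it.
    bool superUser = false;
    if (!ldapsecurity->authenticateUser(*user, superUser) || !superUser)
    {
        if (err)
            *err = -1;
        return false;
    }
    unsigned flags = getLDAPflags();
    if (enable)
    {
        DBGLOG("Scope Scans Enabled by user %s",username.str());
        flags |= static_cast<unsigned>(DLF_SCOPESCANS);
    }
    else
    {
        DBGLOG("Scope Scans Disabled by user %s",username.str());
        flags &= ~static_cast<unsigned>(DLF_SCOPESCANS);
    }
    setLDAPflags(flags);
    if (err)
        *err = 0;
    return true;
}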
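/**
 * Thread body: authorise the configured resource m_rounds times and log the
 * minimum, maximum and mean wall-clock time per call.
 *
 * A fresh ISecUser carrying the configured credentials is created for every
 * round. Timing uses time(), so each span is a whole number of seconds.
 * Progress is logged every 100 rounds; the last access result is logged
 * with the statistics.
 *
 * @return always 0
 */
virtual int run()
{
    int access = 0;
    int total = 0;
    int mint = -1;
    int maxt = 0;
    for (int round = 0; round < m_rounds; round++)
    {
        time_t start, stop;
        time(&start);
        {
            Owned<ISecUser> usr = m_secmgr->createUser(m_user.get());
            usr->credentials().setPassword(m_passwd.get());
            access = m_secmgr->authorizeEx(m_rtype, *usr, m_resource.get());
        }
        time(&stop);
        // one-second resolution: sub-second calls all measure as 0
        int span = static_cast<int>(stop - start);
        total += span;
        if (mint == -1 || mint > span)
            mint = span;
        if (maxt < span)
            maxt = span;
        if ((round + 1) % 100 == 0)
            DBGLOG("Finished %d times\n", round + 1);
    }
    // With zero rounds the unguarded division produced NaN in the log line.
    double average = m_rounds > 0 ? total * 1.0 / m_rounds : 0.0;
    DBGLOG("Permission: %d, min: %d, max: %d, average:%f", access, mint, maxt, average);
    return 0;
}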
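/**
 * Resolve a user's LDAP permissions for a file scope or workunit scope.
 *
 * Returns 255 (full access) when LDAP security is not configured or not
 * enabled, or when key is neither "Scope" nor "workunit". An empty user name
 * falls back to the files default user and its decrypted default password.
 * An "unavailable" result (-1) from the security manager is mapped to 0.
 * Slow checks are logged (always in _DEBUG builds), and a denied read/write
 * request is sent to the audit log when DALI_LDAP_AUDIT_REPORT is set.
 *
 * @param key         "Scope" for file scopes, "workunit" for workunit scopes
 *                    (case-insensitive); other values, including NULL, are
 *                    not checked
 * @param obj         the scope being accessed
 * @param udesc       caller's credentials; may be NULL
 * @param auditflags  DALI_LDAP_* bits controlling audit reporting
 * @return permission bits, or 255 when no check applies
 */
int getPermissions(const char *key,const char *obj,IUserDescriptor *udesc,unsigned auditflags)
{
    if (!ldapsecurity||((getLDAPflags()&DLF_ENABLED)==0))
        return 255;
    // The log lines below already tolerate a NULL key; tolerate it in the
    // comparison too rather than handing NULL to stricmp.
    bool filescope = key && stricmp(key,"Scope")==0;
    bool wuscope = key && stricmp(key,"workunit")==0;
    if (filescope||wuscope)
    {
        StringBuffer username;
        StringBuffer password;
        int perm = 0;
        if (udesc)
        {
            udesc->getUserName(username);
            udesc->getPassword(password);
        }
        if (username.length()==0)
        {
#ifndef _NO_DALIUSER_STACKTRACE
            DBGLOG("UNEXPECTED USER (NULL) in daldap.cpp getPermissions() line %d", __LINE__);
            //following debug code to be removed
            PrintStackReport();
#endif
            // NOTE(review): an anonymous request is evaluated as the default
            // files user, so whatever that account is granted is reachable
            // without presenting credentials.
            username.append(filesdefaultuser);
            decrypt(password, filesdefaultpassword);
        }
        unsigned start = msTick();
        Owned<ISecUser> user = ldapsecurity->createUser(username);
        if (user)
        {
            user->credentials().setPassword(password);
            if (filescope)
                perm=ldapsecurity->authorizeFileScope(*user, obj);
            else if (wuscope)
                perm=ldapsecurity->authorizeWorkunitScope(*user, obj);
            // -1 means the answer was unavailable: treat as no access
            if (perm==-1)
                perm = 0;
        }
        unsigned taken = msTick()-start;
#ifndef _DEBUG
        if (taken>100)
#endif
        {
            PROGLOG("LDAP: getPermissions(%s) scope=%s user=%s returns %d in %d ms",key?key:"NULL",obj?obj:"NULL",username.str(),perm,taken);
        }
        if (auditflags&DALI_LDAP_AUDIT_REPORT)
        {
            StringBuffer auditstr;
            if ((auditflags&DALI_LDAP_READ_WANTED)&&!HASREADPERMISSION(perm))
                auditstr.append("Lookup Access Denied");
            else if ((auditflags&DALI_LDAP_WRITE_WANTED)&&!HASWRITEPERMISSION(perm))
                auditstr.append("Create Access Denied");
            if (auditstr.length())
            {
                auditstr.append(":\n\tProcess:\tdaserver");
                auditstr.appendf("\n\tUser:\t%s",username.str());
                auditstr.appendf("\n\tScope:\t%s\n",obj?obj:"");
                SYSLOG(AUDIT_TYPE_ACCESS_FAILURE,auditstr.str());
            }
        }
        return perm;
    }
    return 255;
}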
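/**
 * Turn scope scanning (DLF_SCOPESCANS) on or off in the LDAP flags.
 *
 * The caller is identified either by a digital signature carried in udesc
 * (verified over the bare user name when a verifier is configured) or, when
 * no signature is present or no verifier is configured, by LDAP password
 * authentication, which must also report the user as a super user.
 *
 * @param udesc   descriptor supplying the caller's user name, password and
 *                optional signature
 * @param enable  true sets DLF_SCOPESCANS, false clears it
 * @param err     receives 0 on success, -1 when the request is refused
 *                (ignored when NULL)
 * @return true when the flag was updated, false otherwise
 */
bool enableScopeScans(IUserDescriptor *udesc, bool enable, int * err)
{
    // Fail closed: without a descriptor or a security manager there is
    // nothing to authenticate against, so refuse instead of dereferencing NULL.
    if (!udesc || !ldapsecurity)
    {
        if (err)
            *err = -1;
        return false;
    }
    // Initialised so a decision is never taken on an indeterminate value.
    bool superUser = false;
    StringBuffer username;
    StringBuffer password;
    udesc->getUserName(username);
    udesc->getPassword(password);
    Owned<ISecUser> user = ldapsecurity->createUser(username);
    if (!user)
    {
        if (err)
            *err = -1;
        return false;
    }

    //Check user's digital signature, if present
    bool authenticated = false;
    if (!isEmptyString(udesc->querySignature()))
    {
        if (nullptr == pDSM)
            pDSM = queryDigitalSignatureManagerInstanceFromEnv();
        if (pDSM && pDSM->isDigiVerifierConfigured())
        {
            StringBuffer b64Signature(udesc->querySignature());
            if (!pDSM->digiVerify(username, b64Signature))//digital signature valid?
            {
                ERRLOG("LDAP: enableScopeScans(%s) : Invalid user digital signature", username.str());
                if (err)
                    *err = -1;
                return false;
            }
            // NOTE(review): a verified signature bypasses the password path
            // below and with it the superUser requirement, and the signed
            // text is the bare user name with no timestamp (getPermissions
            // signs "scope;username;timestamp" with an expiry window).
            // Confirm whether the super-user check and a freshness bound are
            // meant to apply on this path too.
            authenticated = true;
        }
        // No verifier configured: fall back to password authentication.
    }

    if (!authenticated)
    {
        user->credentials().setPassword(password);
        if (!ldapsecurity->authenticateUser(*user, &superUser) || !superUser)
        {
            if (err)
                *err = -1;
            return false;
        }
    }

    unsigned flags = getLDAPflags();
    if (enable)
    {
        DBGLOG("Scope Scans Enabled by user %s",username.str());
        flags |= static_cast<unsigned>(DLF_SCOPESCANS);
    }
    else
    {
        DBGLOG("Scope Scans Disabled by user %s",username.str());
        flags &= ~static_cast<unsigned>(DLF_SCOPESCANS);
    }
    setLDAPflags(flags);
    if (err)
        *err = 0;
    return true;
}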
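/**
 * Ask the LDAP security manager to drop its cached permissions on behalf of
 * the caller identified by udesc.
 *
 * @param udesc  caller's user name and password
 * @return true when LDAP security is not active (nothing to clear) or the
 *         security manager reports success; false when udesc is NULL, the
 *         user cannot be created, or the security manager refuses
 */
bool clearPermissionsCache(IUserDescriptor *udesc)
{
    if (!ldapsecurity || ((getLDAPflags() & DLF_ENABLED) == 0))
        return true;
    // No descriptor means no credentials to present; refuse rather than
    // dereference NULL.
    if (!udesc)
        return false;
    StringBuffer username;
    StringBuffer password;
    udesc->getUserName(username);
    udesc->getPassword(password);
    Owned<ISecUser> user = ldapsecurity->createUser(username);
    if (!user)
        return false;
    user->credentials().setPassword(password);
    return ldapsecurity->clearPermissionsCache(*user);
}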
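/**
 * Authorise a Dali request against LDAP for a file scope or workunit scope.
 *
 * Outcome, in order:
 *  - LDAP not configured/enabled: SecAccess_Full (no check applies).
 *  - Identity comes from udesc (a NULL udesc is logged); an empty user name
 *    falls back to the files default user and its decrypted default password.
 *  - Authentication: when reqSignature is non-empty and a digital signature
 *    verifier is configured, reqUTCTimestamp must be present, not in the
 *    future and within the expiry window, and the signature must verify over
 *    "scope;username;timestamp". When no signature is given, or no verifier
 *    is configured (logged), the user is authenticated against LDAP with the
 *    password. Any failure returns SecAccess_None.
 *  - Authorisation: for key "Scope" (file scope) or "workunit" the scope
 *    permission is returned, with SecAccess_Unavailable mapped to
 *    SecAccess_None; any other key (including NULL) returns SecAccess_Full.
 *
 * Slow checks are logged (always in _DEBUG builds), and a denied read/write
 * request is sent to the audit log when DALI_LDAP_AUDIT_REPORT is set.
 *
 * @param key              "Scope", "workunit" (case-insensitive) or other
 * @param obj              the scope being accessed
 * @param udesc            caller's credentials; may be NULL
 * @param auditflags       DALI_LDAP_* bits controlling audit reporting
 * @param reqSignature     optional base64 signature of "scope;username;timestamp"
 * @param reqUTCTimestamp  timestamp covered by reqSignature; required when
 *                         reqSignature is non-empty and a verifier is configured
 * @return the access level granted
 */
SecAccessFlags getPermissions(const char *key,const char *obj,IUserDescriptor *udesc,unsigned auditflags,const char * reqSignature, CDateTime * reqUTCTimestamp)
{
    if (!ldapsecurity||((getLDAPflags()&DLF_ENABLED)==0))
        return SecAccess_Full;

    StringBuffer username;
    StringBuffer password;
    if (udesc)
    {
        udesc->getUserName(username);
        udesc->getPassword(password);
    }
    else
    {
        WARNLOG("NULL UserDescriptor in daldap.cpp getPermissions('%s')",key ? key : "NULL");
    }
    if (0 == username.length())
    {
        // NOTE(review): an anonymous request is evaluated as the default
        // files user, so whatever that account is granted is reachable
        // without presenting credentials.
        username.append(filesdefaultuser);
        decrypt(password, filesdefaultpassword);
    }

    Owned<ISecUser> user = ldapsecurity->createUser(username);
    if (!user)
    {
        ERRLOG("LDAP: getPermissions(%s) scope=%s user=%s unable to create user",key?key:"NULL",obj?obj:"NULL",username.str());
        return SecAccess_None;//deny
    }
    user->credentials().setPassword(password);

    bool authenticated = false;
    //Check that the digital signature provided by the caller (signature of
    //caller's "scope;username;timeStamp") matches what we expect it to be
    if (!isEmptyString(reqSignature))
    {
        if (nullptr == pDSM)
            pDSM = queryDigitalSignatureManagerInstanceFromEnv();
        if (pDSM && pDSM->isDigiVerifierConfigured())
        {
            // A signature without its timestamp cannot be checked for
            // freshness (and was dereferenced unguarded): deny.
            if (!reqUTCTimestamp)
            {
                ERRLOG("LDAP: getPermissions(%s) scope=%s user=%s Request digital signature has no timestamp",key?key:"NULL",obj?obj:"NULL",username.str());
                return SecAccess_None;//deny
            }
            StringBuffer requestTimestamp;
            reqUTCTimestamp->getString(requestTimestamp, false);//extract timestamp string from Dali request

            CDateTime now;
            now.setNow();
            if (now.compare(*reqUTCTimestamp) < 0)//timestamp from the future?
            {
                ERRLOG("LDAP: getPermissions(%s) scope=%s user=%s Request digital signature timestamp %s from the future",key?key:"NULL",obj?obj:"NULL",username.str(), requestTimestamp.str());
                return SecAccess_None;//deny
            }

            // NOTE(review): expiry is now + requestSignatureExpiryMinutes and
            // the test fires only when the request timestamp is later than
            // that, which the check above already rejects for a non-negative
            // expiry; the intent stated by the comment ("too far in the past")
            // reads as timestamp + expiry < now. Confirm against
            // CDateTime::compare and the sign of requestSignatureExpiryMinutes.
            CDateTime expiry;
            expiry.set(now);
            expiry.adjustTime(requestSignatureExpiryMinutes);//compute expiration timestamp
            if (expiry.compare(*reqUTCTimestamp) < 0)//timestamp too far in the past?
            {
                ERRLOG("LDAP: getPermissions(%s) scope=%s user=%s Expired request digital signature timestamp %s",key?key:"NULL",obj?obj:"NULL",username.str(), requestTimestamp.str());
                return SecAccess_None;//deny
            }

            // NOTE(review): a NULL obj reaches this %s unguarded; what the
            // caller signs for a NULL scope is not visible here, so the
            // signed text is left as is — confirm with the signing side.
            VStringBuffer expectedStr("%s;%s;%s", obj, username.str(), requestTimestamp.str());
            StringBuffer b64Signature(reqSignature);// signature of scope;user;timestamp
            if (!pDSM->digiVerify(expectedStr, b64Signature))//does the digital signature match what we expect?
            {
                ERRLOG("LDAP: getPermissions(%s) scope=%s user=%s fails digital signature verification",key?key:"NULL",obj?obj:"NULL",username.str());
                return SecAccess_None;//deny
            }
            authenticated = true;//Digital signature verified
        }
        else
            ERRLOG("LDAP: getPermissions(%s) scope=%s user=%s digital signature support not available",key?key:"NULL",obj?obj:"NULL",username.str());
    }

    // No usable signature: fall back to LDAP password authentication.
    if (!authenticated && !ldapsecurity->authenticateUser(*user, NULL))
    {
        ERRLOG("LDAP: getPermissions(%s) scope=%s user=%s fails LDAP authentication",key?key:"NULL",obj?obj:"NULL",username.str());
        return SecAccess_None;//deny
    }

    // The log lines tolerate a NULL key; tolerate it in the comparison too
    // rather than handing NULL to stricmp (an unrecognised key falls through).
    bool filescope = key && stricmp(key,"Scope")==0;
    bool wuscope = key && stricmp(key,"workunit")==0;
    if (filescope || wuscope)
    {
        SecAccessFlags perm = SecAccess_None;
        unsigned start = msTick();
        if (filescope)
            perm=ldapsecurity->authorizeFileScope(*user, obj);
        else if (wuscope)
            perm=ldapsecurity->authorizeWorkunitScope(*user, obj);
        // an unavailable answer is treated as no access
        if (perm == SecAccess_Unavailable)
            perm = SecAccess_None;
        unsigned taken = msTick()-start;
#ifndef _DEBUG
        if (taken>100)
#endif
        {
            PROGLOG("LDAP: getPermissions(%s) scope=%s user=%s returns %d in %d ms",key?key:"NULL",obj?obj:"NULL",username.str(),perm,taken);
        }
        if (auditflags&DALI_LDAP_AUDIT_REPORT)
        {
            StringBuffer auditstr;
            if ((auditflags&DALI_LDAP_READ_WANTED)&&!HASREADPERMISSION(perm))
                auditstr.append("Lookup Access Denied");
            else if ((auditflags&DALI_LDAP_WRITE_WANTED)&&!HASWRITEPERMISSION(perm))
                auditstr.append("Create Access Denied");
            if (auditstr.length())
            {
                auditstr.append(":\n\tProcess:\tdaserver");
                auditstr.appendf("\n\tUser:\t%s",username.str());
                auditstr.appendf("\n\tScope:\t%s\n",obj?obj:"");
                SYSLOG(AUDIT_TYPE_ACCESS_FAILURE,auditstr.str());
            }
        }
        return perm;
    }
    return SecAccess_Full;
}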
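//-----------------------------------------------------
//
//-----------------------------------------------------

// Remove the trailing '\n' that fgets leaves on a line, if any.
// Safe on an empty string; the original indexed strlen(buff)-1 unguarded.
static void chompNewline(char *line)
{
    size_t len = strlen(line);
    if (len > 0 && line[len - 1] == '\n')
        line[len - 1] = '\0';
}

/**
 * Interactively initialise the HPCC LDAP environment described by ldapProps.
 *
 * Reads @serverType, @systemUser, @systemPassword and @ldapAddress from the
 * tree, prompts on stdin for the LDAP administrator's user name and password,
 * asks for confirmation, then replaces the system credentials in ldapProps
 * with the admin credentials (password encrypted), creates the security
 * manager (which creates the required OUs), adds the HPCC admin user and puts
 * it in the directory's administrators group.
 *
 * @param ldapProps  LDAPServer component properties; modified in place
 * @return true when initialisation completed, or when the operator declined
 *         at the confirmation prompt; false on a configuration, input or
 *         security-manager error
 */
bool initLDAP(IPropertyTree * ldapProps)
{
    StringAttr serverType( ldapProps->queryProp("@serverType") );
    if (!serverType.length())
    {
        fprintf(stderr, "\nERROR: serverType not set in LDAPServer component");
        return false;
    }

    StringBuffer hpccUser;
    StringBuffer hpccPwd;
    ldapProps->getProp("@systemUser", hpccUser);
    ldapProps->getProp("@systemPassword", hpccPwd);
    if (0==hpccUser.length() || 0==hpccPwd.length())
    {
        fprintf(stderr, "\nERROR: HPCC systemUser credentials not found in configuration");
        return false;
    }

    StringBuffer ldapAddress;
    ldapProps->getProp("@ldapAddress", ldapAddress);

    //Get LDAP admin creds from user
    char buff[100];
    fprintf(stdout, "\nEnter the '%s' LDAP Admin User name on '%s'...",serverType.get(),ldapAddress.str());
    do
    {
        char * line = fgets(buff, sizeof(buff), stdin);
        if (!line)
            return false;
    } while (buff[0] == '\n');
    chompNewline(buff);
    StringAttr ldapUser(buff);

    // NOTE(review): fgets does not suppress terminal echo, so the admin
    // password is displayed as it is typed.
    fprintf(stdout, "Enter the LDAP Admin user '%s' password...",ldapUser.get());
    char * line = fgets(buff, sizeof(buff), stdin);
    if (!line)
        return false;
    chompNewline(buff);
    StringAttr ldapPwd(buff);

    if (0==ldapUser.length() || 0==ldapPwd.length())
    {
        fprintf(stderr, "\nERROR: Invalid LDAP Admin account credentials entered");
        return false;
    }

    fprintf(stdout, "\nReady to initialize HPCC LDAP Environment, using the following settings");
    fprintf(stdout, "\n\tLDAP Server : %s", ldapAddress.str());
    fprintf(stdout, "\n\tLDAP Type : %s", serverType.get());
    fprintf(stdout, "\n\tHPCC Admin User : %s", hpccUser.str());
    fprintf(stdout, "\nProceed? y/n ");
    for (;;)
    {
        int c = getchar();
        if (c == 'y' || c == 'Y')
            break;
        else if (c == 'n' || c == 'N')
            return true;
        else if (c == EOF)
            return false;   // stdin closed: the original loop spun forever here
    }

    if (stricmp(serverType.get(),"ActiveDirectory"))
        ldapProps->setProp("@systemBasedn", "");

    //Replace system user with LDAP Admin credentials
    ldapProps->setProp("@systemUser", ldapUser);
    ldapProps->setProp("@systemCommonName", ldapUser);
    StringBuffer sb;
    encrypt(sb,ldapPwd);
    ldapProps->setProp("@systemPassword", sb.str());

    //Create security manager. This creates the required OUs
    Owned<ISecManager> secMgr;
    try
    {
        secMgr.setown(newLdapSecManager("initldap", *LINK(ldapProps)));
    }
    catch(IException *e)
    {
        StringBuffer errMsg;   // was also named buff, shadowing the input buffer
        e->errorMessage(errMsg);
        e->Release();
        fprintf(stderr, "\nERROR: Unable to create security manager : %s", errMsg.str());
        return false;
    }

    //Create HPCC Admin user
    Owned<ISecUser> user = secMgr->createUser(hpccUser.str());
    StringBuffer pwd;
    decrypt(pwd, hpccPwd.str());
    user->credentials().setPassword(pwd.str());
    try
    {
        secMgr->addUser(*user.get());
    }
    catch(...) {}//user may already exist, so just move on

    //Add HPCC admin user to Administrators group
    CLdapSecManager* ldapSecMgr = dynamic_cast<CLdapSecManager*>(secMgr.get());
    if (!ldapSecMgr)
    {
        fprintf(stderr, "\nERROR: Unable to access CLdapSecManager object");
        return false;
    }
    StringAttr adminGroup;
    if (0 == stricmp(serverType.get(),"ActiveDirectory"))
        adminGroup.set("Administrators");
    else
        adminGroup.set("Directory Administrators");
    try
    {
        ldapSecMgr->changeUserGroup("add", hpccUser.str(), adminGroup);
    }
    catch(...) {}//user may already be in group so just move on

    fprintf(stdout, "\n\nLDAP Initialization successful\n");
    return true;
}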
/**
 * Command-line driver for exercising the LDAP security manager.
 *
 * Actions (the last one seen wins): -ac check a user's access to a resource
 * (the default when no action is given), -au add a user, -ar add a resource,
 * -cp change a user's password. Options: -c config file, -u user name,
 * -p password, -r resource, -t filescope|workunit, -np new password,
 * -fn/-ln first/last name, -stress <threads> <rounds>, -open <n>.
 *
 * NOTE(review): -p and -np take secrets on the command line, where they are
 * visible to other local processes; the interactive prompt path avoids that.
 *
 * @return 0 on completion, -1 on a usage or configuration error
 */
int main(int argc, char* argv[])
{
    if(argc < 2)
    {
        usage();
        return -1;
    }
    InitModuleObjects();
    const char *action = NULL, *configfile = NULL, *username = NULL, *passwd = NULL, *resource = NULL, *resourcetype = NULL, *newpasswd = NULL, *firstname = NULL, *lastname=NULL;
    bool stress = false;
    int numthrds = 0;
    int numrounds = 0;
    int numfiles = 0;   // parsed from -open but not read in the visible body
    int i = 1;
    // Option values are taken as argv[i++] without checking i < argc: a
    // trailing -c/-u/... yields NULL, and a trailing -stress hands NULL to atoi.
    while(i<argc)
    {
        if (stricmp(argv[i], "-ac")==0 || stricmp(argv[i], "-au") == 0 || stricmp(argv[i], "-ar") == 0|| stricmp(argv[i], "-cp") == 0)
        {
            action = argv[i++];
        }
        else if (stricmp(argv[i], "-c")==0)
        {
            i++;
            configfile = argv[i++];
        }
        else if (stricmp(argv[i],"-u")==0)
        {
            i++;
            username = argv[i++];
        }
        else if (stricmp(argv[i], "-p")==0)
        {
            i++;
            passwd = argv[i++];
        }
        else if (stricmp(argv[i], "-r")==0)
        {
            i++;
            resource = argv[i++];
        }
        else if (stricmp(argv[i], "-t") == 0)
        {
            i++;
            resourcetype = argv[i++];
        }
        else if (stricmp(argv[i], "-np") == 0)
        {
            i++;
            newpasswd = argv[i++];
        }
        else if (stricmp(argv[i], "-fn") == 0)
        {
            i++;
            firstname = argv[i++];
        }
        else if (stricmp(argv[i], "-ln") == 0)
        {
            i++;
            lastname = argv[i++];
        }
        else if (stricmp(argv[i], "-stress") == 0)
        {
            stress = true;
            i++;
            numthrds = atoi(argv[i++]);
            numrounds = atoi(argv[i++]);
        }
        else if (stricmp(argv[i], "-open") == 0)
        {
            i++;
            numfiles = atoi(argv[i++]);
        }
        else
        {
            printf("Error: command format error\n");
            usage();
            return -1;
        }
    }

    if(configfile == NULL || *configfile == '\0')
    {
        printf("You have to specify the config file");
        return -1;
    }

    try
    {
        Owned<IPropertyTree> cfg = createPTreeFromXMLFile(configfile);
        Owned<IPropertyTree> seccfg = cfg->getPropTree(".//ldapSecurity");
        if(seccfg == NULL)
        {
            printf("ldapSecurity not found\n");
            return -1;
        }
#ifdef _NO_LDAP
        printf("System was built with _NO_LDAP\n");
        return -1;
#else
        Owned<ISecManager> secmgr = newLdapSecManager("test", *LINK(seccfg));
        if(secmgr == NULL)
        {
            printf("security manager can't be created\n");
            return -1;
        }

        // -ac (default): authorise username against resource, once or from
        // numthrds stress threads.
        if(action == NULL || stricmp(action, "-ac") == 0)
        {
            if(username == NULL || *username == '\0')
            {
                printf("missing username\n");
                return -1;
            }
            if(resource == NULL || *resource == '\0')
            {
                printf("missing resource\n");
                return -1;
            }
            SecResourceType rtype = RT_DEFAULT;
            if((resourcetype != NULL) && (stricmp(resourcetype, "filescope") == 0))
                rtype = RT_FILE_SCOPE;
            else if((resourcetype != NULL) && (stricmp(resourcetype, "workunit") == 0))
                rtype = RT_WORKUNIT_SCOPE;
            StringBuffer passbuf;
            if(passwd == NULL || *passwd == '\0')
            {
                // [page text redacted here ("******"): the password prompt
                // and the single-shot access check are not visible]
                getpassword("Enter password: "******"%s's permission = %d \n", resource, access);
            }
            else
            {
                // NOTE(review): the thread array and the thread objects are
                // never deleted after join(); the process exits shortly after.
                CPermissionCheckThread** thrds = new CPermissionCheckThread*[numthrds];
                for(int i = 0; i < numthrds; i++)
                    thrds[i] = new CPermissionCheckThread(secmgr, username, passwd, resource, rtype, numrounds);
                for(int j = 0; j < numthrds; j++)
                    thrds[j]->start();
                for(int k = 0; k < numthrds; k++)
                    thrds[k]->join();
            }
        }
        // -au: create a user with optional first/last name and the -p password.
        else if(stricmp(action, "-au") == 0)
        {
            if(username == NULL || *username == '\0')
            {
                printf("missing username\n");
                return -1;
            }
            Owned<ISecUser> usr = secmgr->createUser(username);
            if(firstname != NULL)
                usr->setFirstName(firstname);
            if(lastname != NULL)
                usr->setLastName(lastname);
            // usr is dereferenced here before the NULL test on the next line;
            // passwd may also be NULL when -p was not given.
            usr->credentials().setPassword(passwd);
            bool ok = usr?secmgr->addUser(*usr):false;
            if(ok)
                printf("user %s added\n", username);
            else
                printf("user %s not added\n", username);
        }
        // -ar: register a resource, administrators-only, optionally as username.
        else if(stricmp(action, "-ar") == 0)
        {
            if(resource == NULL || *resource == '\0')
            {
                printf("missing resource\n");
                return -1;
            }
            SecResourceType rtype = RT_DEFAULT;
            if((resourcetype != NULL) && (stricmp(resourcetype, "filescope") == 0))
                rtype = RT_FILE_SCOPE;
            else if((resourcetype != NULL) && (stricmp(resourcetype, "workunit") == 0))
                rtype = RT_WORKUNIT_SCOPE;
            Owned<ISecUser> usr;
            if(username != NULL && *username != '\0')
                usr.setown(secmgr->createUser(username));
            // NOTE(review): with no -u, usr is still NULL when *usr is taken here.
            bool ok = secmgr->addResourceEx(rtype, *usr, resource, PT_ADMINISTRATORS_ONLY, NULL);
            if(!ok)
                printf("resource not added\n");
            else
                printf("resource %s added\n", resource);
        }
        // -cp: change username's password, prompting for any value not given.
        else if(stricmp(action, "-cp") == 0)
        {
            if(username == NULL || *username == '\0')
            {
                printf("missing username\n");
                return -1;
            }
            StringBuffer passbuf, newpassbuf;
            if(passwd == NULL || *passwd == '\0')
            {
                // [page text redacted here ("******"): the password prompts
                // and the password-change call are not visible]
                getpassword("Enter password: "******"\nEnter new password: "******"user password changed\n");
                else
                    printf("user password not changed\n");
            }
        }
#endif
    }
    catch(IException* e)
    {
        StringBuffer errmsg;
        e->errorMessage(errmsg);
        printf("%s\n", errmsg.str());
    }
    catch(...)
    {
        printf("Unknown exception\n");
    }

    releaseAtoms();
    return 0;
}