void CAuthorDlg::AddResPermissions(const char *name) { ISecResource *res = m_sec_resources->getResource(name); if (res) { unsigned flags = res->getAccessFlags(); if ((flags & allperms)) { m_permissions += res->getName(); m_permissions += " = "; unsigned attr = 1; int index = 0; while (perm_descr[index] != NULL) { if (flags & (1<<index)) { m_permissions += perm_descr[index]; } index++; } m_permissions += "\r\n"; } } }
CResPermissionsCache::~CResPermissionsCache() { MapResAccess::const_iterator i; MapResAccess::const_iterator iEnd = m_resAccessMap.end(); for (i = m_resAccessMap.begin(); i != iEnd; i++) { ISecResource* ptr = ((*i).second).second; if(ptr) { ptr->Release(); } } }
void CResPermissionsCache::add( IArrayOf<ISecResource>& resources ) { time_t tstamp; time(&tstamp); int nresources = resources.ordinality(); for (int i = 0; i < nresources; i++) { ISecResource* secResource = &resources.item(i); if(!secResource) continue; const char* resource = secResource->getName(); SecResourceType resourcetype = secResource->getResourceType(); if(resource == NULL) continue; int permissions = secResource->getAccessFlags(); if(permissions == -1) continue; MapResAccess::iterator it = m_resAccessMap.find(SecCacheKeyEntry(resource, resourcetype)); if (it != m_resAccessMap.end())//already exists so overwrite it but first remove existing timestamp info { ResPermCacheEntry& resParamCacheEntry = (*it).second; time_t oldtstamp = resParamCacheEntry.first; //there may be multiple resources associated with the same timestamp //in the multimap so find this entry // MapTimeStamp::iterator itL = m_timestampMap.lower_bound( oldtstamp ); MapTimeStamp::iterator itU = m_timestampMap.upper_bound( oldtstamp ); MapTimeStamp::iterator its; for ( its = itL; its != itU; its++) { SecCacheKeyEntry& cachekey = (*its).second; if (cachekey.first == resource && cachekey.second == resourcetype) { m_timestampMap.erase(its); break; } } m_resAccessMap.erase(SecCacheKeyEntry(resource, resourcetype)); } #ifdef _DEBUG DBGLOG("CACHE: CResPermissionsCache Adding %s:%s(%d)", m_user.c_str(), resource, permissions); #endif m_resAccessMap.insert( pair<SecCacheKeyEntry, ResPermCacheEntry>(SecCacheKeyEntry(resource, resourcetype), ResPermCacheEntry(tstamp, secResource->clone()))); m_timestampMap.insert( pair<time_t, SecCacheKeyEntry>(tstamp, SecCacheKeyEntry(resource, resourcetype))); } }
virtual bool authorizeWorkunitScope(ISecUser & user, ISecResourceList * resources) { if(resources) { int cnt = resources->count(); for(int i = 0; i < cnt; i++) { ISecResource* r = resources->queryResource(i); if(r) r->setAccessFlags(SecAccess_Full); } } return true; }
IAuthMap * CLocalSecurityManager::createAuthMap(IPropertyTree * authconfig) { CAuthMap* authmap = new CAuthMap(this); IPropertyTreeIterator *loc_iter = NULL; loc_iter = authconfig->getElements(".//Location"); if (loc_iter != NULL) { IPropertyTree *location = NULL; loc_iter->first(); while(loc_iter->isValid()) { location = &loc_iter->query(); if (location) { StringBuffer pathstr, rstr, required, description; location->getProp("@path", pathstr); location->getProp("@resource", rstr); location->getProp("@required", required); location->getProp("@description", description); if(pathstr.length() == 0) throw MakeStringException(-1, "path empty in Authenticate/Location"); if(rstr.length() == 0) throw MakeStringException(-1, "resource empty in Authenticate/Location"); ISecResourceList* rlist = authmap->queryResourceList(pathstr.str()); if(rlist == NULL) { rlist = createResourceList("localsecurity"); authmap->add(pathstr.str(), rlist); } ISecResource* rs = rlist->addResource(rstr.str()); unsigned requiredaccess = str2perm(required.str()); rs->setRequiredAccessFlags(requiredaccess); rs->setDescription(description.str()); } loc_iter->next(); } loc_iter->Release(); loc_iter = NULL; } return authmap; }
IAuthMap * createAuthMap(IPropertyTree * authconfig) { CAuthMap* authmap = new CAuthMap(this); Owned<IPropertyTreeIterator> loc_iter; loc_iter.setown(authconfig->getElements(".//Location")); if (loc_iter) { IPropertyTree *location = NULL; loc_iter->first(); while(loc_iter->isValid()) { location = &loc_iter->query(); if (location) { StringBuffer pathstr, rstr, required, description; location->getProp("@path", pathstr); location->getProp("@resource", rstr); location->getProp("@required", required); location->getProp("@description", description); if(pathstr.length() == 0) throw MakeStringException(-1, "path empty in Authenticate/Location"); if(rstr.length() == 0) throw MakeStringException(-1, "resource empty in Authenticate/Location"); ISecResourceList* rlist = authmap->queryResourceList(pathstr.str()); if(rlist == NULL) { rlist = createResourceList("htpasswdsecurity"); authmap->add(pathstr.str(), rlist); } ISecResource* rs = rlist->addResource(rstr.str()); SecAccessFlags requiredaccess = str2perm(required.str()); rs->setRequiredAccessFlags(requiredaccess); rs->setDescription(description.str()); rs->setAccessFlags(SecAccess_Full);//grant full access to authenticated users } loc_iter->next(); } } return authmap; }
bool CPermissionsCache::addManagedFileScopes(IArrayOf<ISecResource>& scopes) { WriteLockBlock writeLock(m_scopesRWLock); ForEachItemIn(x, scopes) { ISecResource* scope = &scopes.item(x); if(!scope) continue; const char* cachekey = scope->getName(); if(cachekey == NULL) continue; map<string, ISecResource*>::iterator it = m_managedFileScopesMap.find(cachekey); if (it != m_managedFileScopesMap.end()) { ISecResource *res = (*it).second; res->Release(); m_managedFileScopesMap.erase(it); } #ifdef _DEBUG DBGLOG("Caching Managed File Scope %s",cachekey); #endif m_managedFileScopesMap.insert( pair<string, ISecResource*>(cachekey, LINK(scope))); }
IAuthMap * createFeatureMap(IPropertyTree * authconfig) { CAuthMap* feature_authmap = new CAuthMap(this); Owned<IPropertyTreeIterator> feature_iter; feature_iter.setown(authconfig->getElements(".//Feature")); ForEach(*feature_iter) { IPropertyTree *feature = NULL; feature = &feature_iter->query(); if (feature) { StringBuffer pathstr, rstr, required, description; feature->getProp("@path", pathstr); feature->getProp("@resource", rstr); feature->getProp("@required", required); feature->getProp("@description", description); ISecResourceList* rlist = feature_authmap->queryResourceList(pathstr.str()); if(rlist == NULL) { rlist = createResourceList(pathstr.str()); feature_authmap->add(pathstr.str(), rlist); } if (!rstr.isEmpty()) { ISecResource* rs = rlist->addResource(rstr.str()); SecAccessFlags requiredaccess = str2perm(required.str()); rs->setRequiredAccessFlags(requiredaccess); rs->setDescription(description.str()); rs->setAccessFlags(SecAccess_Full);//grant full access to authenticated users } } } return feature_authmap; }
bool SecHandler::authorizeSecReqFeatures(StringArray & features, IEspStringIntMap & pmap, unsigned *required) { if(features.length() == 0) return false; if(m_secmgr.get() == NULL) { for(unsigned i = 0; i < features.length(); i++) { const char* feature = features.item(i); if(feature != NULL && feature[0] != 0) pmap.setValue(feature, SecAccess_Full); } return true; } if(m_user.get() == NULL) { AuditMessage(AUDIT_TYPE_ACCESS_FAILURE, "Authorization", "Access Denied: No username provided"); return false; } Owned<ISecResourceList> plist = m_secmgr->createResourceList("FeatureMap"); std::map<std::string, std::string> namemap; unsigned i; for(i = 0; i < features.length(); i++) { const char* feature = features.item(i); if(feature == NULL || feature[0] == 0) continue; if(m_feature_authmap.get() == NULL) { plist->addResource(feature); namemap[feature] = feature; } else { ISecResourceList* rlist = m_feature_authmap->queryResourceList(feature); ISecResource* resource = NULL; if(rlist != NULL && (resource = rlist->queryResource((unsigned)0)) != NULL) { plist->addResource(resource->clone()); namemap[resource->getName()] = feature; } else { // Use the feature name as the resource name if no authmap was found ISecResource* res = plist->addResource(feature); res->setRequiredAccessFlags(SecAccess_Unknown); namemap[feature] = feature; } } } bool auth_ok = false; try { auth_ok = m_secmgr->authorize(*m_user.get(), plist, m_secureContext.get()); } catch(IException* e) { StringBuffer errmsg; e->errorMessage(errmsg); ERRLOG("Exception authorizing, error=%s\n", errmsg.str()); return false; } catch(...) { ERRLOG("Unknown exception authorizing\n"); return false; } if(auth_ok) { for(i = 0; i < (unsigned)plist->count(); i++) { ISecResource* resource = plist->queryResource(i); if(resource != NULL) { std::string feature = namemap[resource->getName()]; if(feature.size() == 0) continue; pmap.setValue(feature.c_str(), resource->getAccessFlags()); if (required && required[i]>0 && resource->getAccessFlags()<required[i]) { AuditMessage(AUDIT_TYPE_ACCESS_FAILURE, "Authorization", "Access Denied: Not enough access rights for resource", "Resource: %s [%s]", resource->getName(), resource->getDescription()); } } } } return auth_ok; }
bool CBaseSecurityManager::updateSettings(ISecUser & sec_user,IArrayOf<ISecResource>& rlist) { CSecureUser* user = (CSecureUser*)&sec_user; if(user == NULL) return false; int usernum = findUser(user->getName(),user->getRealm()); if(usernum < 0) { PrintLog("User number of %s can't be found", user->getName()); return false; } bool sqchecked = false, sqverified = false, otpchecked = false; int otpok = -1; ForEachItemIn(x, rlist) { ISecResource* secRes = (ISecResource*)(&(rlist.item(x))); if(secRes == NULL) continue; //AccessFlags default value is -1. Set it to 0 so that the settings can be cached. AccessFlags is not being used for settings. secRes->setAccessFlags(0); if(secRes->getParameter("userprop") && *secRes->getParameter("userprop")!='\0') { //if we have a parameter in the user or company table it will have been added as a parameter to the ISecUser when // the authentication query was run. We should keep this messiness here so that the the end user is insulated.... dbValidateSetting(*secRes,sec_user); continue; } const char* resource_name = secRes->getParameter("resource"); if(resource_name && *resource_name && (stricmp(resource_name, "SSN Masking") == 0 || stricmp(resource_name, "Driver License Masking") == 0)) { //If OTP Enabled and OTP2FACTOR cookie not valid, mask if(m_enableOTP) { if(!otpchecked) { const char* otpcookie = sec_user.getProperty("OTP2FACTOR"); // -1 means OTP is not enabled for the user. 0: failed verfication, 1: passed verification. otpok = validateOTP(&sec_user, otpcookie); otpchecked = true; } if(otpok == 0) { CSecurityResource* cres = dynamic_cast<CSecurityResource*>(secRes); if(resource_name && *resource_name && cres) { if(stricmp(resource_name, "SSN Masking") == 0) { cres->setValue("All"); continue; } else if(stricmp(resource_name, "Driver License Masking") == 0) { cres->setValue("1"); continue; } } } else if(otpok == 1) { CSecurityResource* cres = dynamic_cast<CSecurityResource*>(secRes); if(resource_name && *resource_name && cres) { if(stricmp(resource_name, "SSN Masking") == 0) { cres->setValue("None"); continue; } else if(stricmp(resource_name, "Driver License Masking") == 0) { cres->setValue("0"); continue; } } } } if(m_enableIPRoaming && sec_user.getPropertyInt("IPRoaming") == 1) { if(!sqchecked) { const char* sequest = sec_user.getProperty("SEQUEST"); if(sequest && *sequest) { sqverified = validateSecurityQuestion(&sec_user, sequest); } sqchecked = true; } if(!sqverified) { CSecurityResource* cres = dynamic_cast<CSecurityResource*>(secRes); if(resource_name && *resource_name && cres) { if(stricmp(resource_name, "SSN Masking") == 0) { cres->setValue("All"); continue; } else if(stricmp(resource_name, "Driver License Masking") == 0) { cres->setValue("1"); continue; } } } } } dbValidateSetting(*secRes,usernum,user->getRealm()); }