void CAuthorDlg::AddResPermissions(const char *name)
{
ISecResource *res = m_sec_resources->getResource(name);
if (res)
{
unsigned flags = res->getAccessFlags();
if ((flags & allperms))
{
m_permissions += res->getName();
m_permissions += " = ";
unsigned attr = 1;
int index = 0;
while (perm_descr[index] != NULL)
{
if (flags & (1<<index))
{
m_permissions += perm_descr[index];
}
index++;
}
m_permissions += "\r\n";
}
}
}
CResPermissionsCache::~CResPermissionsCache()
{
MapResAccess::const_iterator i;
MapResAccess::const_iterator iEnd = m_resAccessMap.end();
for (i = m_resAccessMap.begin(); i != iEnd; i++)
{
ISecResource* ptr = ((*i).second).second;
if(ptr)
{
ptr->Release();
}
}
}
void CResPermissionsCache::add( IArrayOf<ISecResource>& resources )
{
time_t tstamp;
time(&tstamp);
int nresources = resources.ordinality();
for (int i = 0; i < nresources; i++)
{
ISecResource* secResource = &resources.item(i);
if(!secResource)
continue;
const char* resource = secResource->getName();
SecResourceType resourcetype = secResource->getResourceType();
if(resource == NULL)
continue;
int permissions = secResource->getAccessFlags();
if(permissions == -1)
continue;
MapResAccess::iterator it = m_resAccessMap.find(SecCacheKeyEntry(resource, resourcetype));
if (it != m_resAccessMap.end())//already exists so overwrite it but first remove existing timestamp info
{
ResPermCacheEntry& resParamCacheEntry = (*it).second;
time_t oldtstamp = resParamCacheEntry.first;
//there may be multiple resources associated with the same timestamp
//in the multimap so find this entry
//
MapTimeStamp::iterator itL = m_timestampMap.lower_bound( oldtstamp );
MapTimeStamp::iterator itU = m_timestampMap.upper_bound( oldtstamp );
MapTimeStamp::iterator its;
for ( its = itL; its != itU; its++)
{
SecCacheKeyEntry& cachekey = (*its).second;
if (cachekey.first == resource && cachekey.second == resourcetype)
{
m_timestampMap.erase(its);
break;
}
}
m_resAccessMap.erase(SecCacheKeyEntry(resource, resourcetype));
}
#ifdef _DEBUG
DBGLOG("CACHE: CResPermissionsCache Adding %s:%s(%d)", m_user.c_str(), resource, permissions);
#endif
m_resAccessMap.insert( pair<SecCacheKeyEntry, ResPermCacheEntry>(SecCacheKeyEntry(resource, resourcetype), ResPermCacheEntry(tstamp, secResource->clone())));
m_timestampMap.insert( pair<time_t, SecCacheKeyEntry>(tstamp, SecCacheKeyEntry(resource, resourcetype)));
}
}
virtual bool authorizeWorkunitScope(ISecUser & user, ISecResourceList * resources)
{
if(resources)
{
int cnt = resources->count();
for(int i = 0; i < cnt; i++)
{
ISecResource* r = resources->queryResource(i);
if(r)
r->setAccessFlags(SecAccess_Full);
}
}
return true;
}
IAuthMap * CLocalSecurityManager::createAuthMap(IPropertyTree * authconfig)
{
CAuthMap* authmap = new CAuthMap(this);
IPropertyTreeIterator *loc_iter = NULL;
loc_iter = authconfig->getElements(".//Location");
if (loc_iter != NULL)
{
IPropertyTree *location = NULL;
loc_iter->first();
while(loc_iter->isValid())
{
location = &loc_iter->query();
if (location)
{
StringBuffer pathstr, rstr, required, description;
location->getProp("@path", pathstr);
location->getProp("@resource", rstr);
location->getProp("@required", required);
location->getProp("@description", description);
if(pathstr.length() == 0)
throw MakeStringException(-1, "path empty in Authenticate/Location");
if(rstr.length() == 0)
throw MakeStringException(-1, "resource empty in Authenticate/Location");
ISecResourceList* rlist = authmap->queryResourceList(pathstr.str());
if(rlist == NULL)
{
rlist = createResourceList("localsecurity");
authmap->add(pathstr.str(), rlist);
}
ISecResource* rs = rlist->addResource(rstr.str());
unsigned requiredaccess = str2perm(required.str());
rs->setRequiredAccessFlags(requiredaccess);
rs->setDescription(description.str());
}
loc_iter->next();
}
loc_iter->Release();
loc_iter = NULL;
}
return authmap;
}
IAuthMap * createAuthMap(IPropertyTree * authconfig)
{
CAuthMap* authmap = new CAuthMap(this);
Owned<IPropertyTreeIterator> loc_iter;
loc_iter.setown(authconfig->getElements(".//Location"));
if (loc_iter)
{
IPropertyTree *location = NULL;
loc_iter->first();
while(loc_iter->isValid())
{
location = &loc_iter->query();
if (location)
{
StringBuffer pathstr, rstr, required, description;
location->getProp("@path", pathstr);
location->getProp("@resource", rstr);
location->getProp("@required", required);
location->getProp("@description", description);
if(pathstr.length() == 0)
throw MakeStringException(-1, "path empty in Authenticate/Location");
if(rstr.length() == 0)
throw MakeStringException(-1, "resource empty in Authenticate/Location");
ISecResourceList* rlist = authmap->queryResourceList(pathstr.str());
if(rlist == NULL)
{
rlist = createResourceList("htpasswdsecurity");
authmap->add(pathstr.str(), rlist);
}
ISecResource* rs = rlist->addResource(rstr.str());
SecAccessFlags requiredaccess = str2perm(required.str());
rs->setRequiredAccessFlags(requiredaccess);
rs->setDescription(description.str());
rs->setAccessFlags(SecAccess_Full);//grant full access to authenticated users
}
loc_iter->next();
}
}
return authmap;
}
bool CPermissionsCache::addManagedFileScopes(IArrayOf<ISecResource>& scopes)
{
WriteLockBlock writeLock(m_scopesRWLock);
ForEachItemIn(x, scopes)
{
ISecResource* scope = &scopes.item(x);
if(!scope)
continue;
const char* cachekey = scope->getName();
if(cachekey == NULL)
continue;
map<string, ISecResource*>::iterator it = m_managedFileScopesMap.find(cachekey);
if (it != m_managedFileScopesMap.end())
{
ISecResource *res = (*it).second;
res->Release();
m_managedFileScopesMap.erase(it);
}
#ifdef _DEBUG
DBGLOG("Caching Managed File Scope %s",cachekey);
#endif
m_managedFileScopesMap.insert( pair<string, ISecResource*>(cachekey, LINK(scope)));
}
IAuthMap * createFeatureMap(IPropertyTree * authconfig)
{
CAuthMap* feature_authmap = new CAuthMap(this);
Owned<IPropertyTreeIterator> feature_iter;
feature_iter.setown(authconfig->getElements(".//Feature"));
ForEach(*feature_iter)
{
IPropertyTree *feature = NULL;
feature = &feature_iter->query();
if (feature)
{
StringBuffer pathstr, rstr, required, description;
feature->getProp("@path", pathstr);
feature->getProp("@resource", rstr);
feature->getProp("@required", required);
feature->getProp("@description", description);
ISecResourceList* rlist = feature_authmap->queryResourceList(pathstr.str());
if(rlist == NULL)
{
rlist = createResourceList(pathstr.str());
feature_authmap->add(pathstr.str(), rlist);
}
if (!rstr.isEmpty())
{
ISecResource* rs = rlist->addResource(rstr.str());
SecAccessFlags requiredaccess = str2perm(required.str());
rs->setRequiredAccessFlags(requiredaccess);
rs->setDescription(description.str());
rs->setAccessFlags(SecAccess_Full);//grant full access to authenticated users
}
}
}
return feature_authmap;
}
bool SecHandler::authorizeSecReqFeatures(StringArray & features, IEspStringIntMap & pmap, unsigned *required)
{
if(features.length() == 0)
return false;
if(m_secmgr.get() == NULL)
{
for(unsigned i = 0; i < features.length(); i++)
{
const char* feature = features.item(i);
if(feature != NULL && feature[0] != 0)
pmap.setValue(feature, SecAccess_Full);
}
return true;
}
if(m_user.get() == NULL)
{
AuditMessage(AUDIT_TYPE_ACCESS_FAILURE, "Authorization", "Access Denied: No username provided");
return false;
}
Owned<ISecResourceList> plist = m_secmgr->createResourceList("FeatureMap");
std::map<std::string, std::string> namemap;
unsigned i;
for(i = 0; i < features.length(); i++)
{
const char* feature = features.item(i);
if(feature == NULL || feature[0] == 0)
continue;
if(m_feature_authmap.get() == NULL)
{
plist->addResource(feature);
namemap[feature] = feature;
}
else
{
ISecResourceList* rlist = m_feature_authmap->queryResourceList(feature);
ISecResource* resource = NULL;
if(rlist != NULL && (resource = rlist->queryResource((unsigned)0)) != NULL)
{
plist->addResource(resource->clone());
namemap[resource->getName()] = feature;
}
else
{
// Use the feature name as the resource name if no authmap was found
ISecResource* res = plist->addResource(feature);
res->setRequiredAccessFlags(SecAccess_Unknown);
namemap[feature] = feature;
}
}
}
bool auth_ok = false;
try
{
auth_ok = m_secmgr->authorize(*m_user.get(), plist, m_secureContext.get());
}
catch(IException* e)
{
StringBuffer errmsg;
e->errorMessage(errmsg);
ERRLOG("Exception authorizing, error=%s\n", errmsg.str());
return false;
}
catch(...)
{
ERRLOG("Unknown exception authorizing\n");
return false;
}
if(auth_ok)
{
for(i = 0; i < (unsigned)plist->count(); i++)
{
ISecResource* resource = plist->queryResource(i);
if(resource != NULL)
{
std::string feature = namemap[resource->getName()];
if(feature.size() == 0)
continue;
pmap.setValue(feature.c_str(), resource->getAccessFlags());
if (required && required[i]>0 && resource->getAccessFlags()<required[i])
{
AuditMessage(AUDIT_TYPE_ACCESS_FAILURE, "Authorization", "Access Denied: Not enough access rights for resource", "Resource: %s [%s]", resource->getName(), resource->getDescription());
}
}
}
}
return auth_ok;
}
bool CBaseSecurityManager::updateSettings(ISecUser & sec_user,IArrayOf<ISecResource>& rlist)
{
CSecureUser* user = (CSecureUser*)&sec_user;
if(user == NULL)
return false;
int usernum = findUser(user->getName(),user->getRealm());
if(usernum < 0)
{
PrintLog("User number of %s can't be found", user->getName());
return false;
}
bool sqchecked = false, sqverified = false, otpchecked = false;
int otpok = -1;
ForEachItemIn(x, rlist)
{
ISecResource* secRes = (ISecResource*)(&(rlist.item(x)));
if(secRes == NULL)
continue;
//AccessFlags default value is -1. Set it to 0 so that the settings can be cached. AccessFlags is not being used for settings.
secRes->setAccessFlags(0);
if(secRes->getParameter("userprop") && *secRes->getParameter("userprop")!='\0')
{
//if we have a parameter in the user or company table it will have been added as a parameter to the ISecUser when
// the authentication query was run. We should keep this messiness here so that the the end user is insulated....
dbValidateSetting(*secRes,sec_user);
continue;
}
const char* resource_name = secRes->getParameter("resource");
if(resource_name && *resource_name &&
(stricmp(resource_name, "SSN Masking") == 0 || stricmp(resource_name, "Driver License Masking") == 0))
{
//If OTP Enabled and OTP2FACTOR cookie not valid, mask
if(m_enableOTP)
{
if(!otpchecked)
{
const char* otpcookie = sec_user.getProperty("OTP2FACTOR");
// -1 means OTP is not enabled for the user. 0: failed verfication, 1: passed verification.
otpok = validateOTP(&sec_user, otpcookie);
otpchecked = true;
}
if(otpok == 0)
{
CSecurityResource* cres = dynamic_cast<CSecurityResource*>(secRes);
if(resource_name && *resource_name && cres)
{
if(stricmp(resource_name, "SSN Masking") == 0)
{
cres->setValue("All");
continue;
}
else if(stricmp(resource_name, "Driver License Masking") == 0)
{
cres->setValue("1");
continue;
}
}
}
else if(otpok == 1)
{
CSecurityResource* cres = dynamic_cast<CSecurityResource*>(secRes);
if(resource_name && *resource_name && cres)
{
if(stricmp(resource_name, "SSN Masking") == 0)
{
cres->setValue("None");
continue;
}
else if(stricmp(resource_name, "Driver License Masking") == 0)
{
cres->setValue("0");
continue;
}
}
}
}
if(m_enableIPRoaming && sec_user.getPropertyInt("IPRoaming") == 1)
{
if(!sqchecked)
{
const char* sequest = sec_user.getProperty("SEQUEST");
if(sequest && *sequest)
{
sqverified = validateSecurityQuestion(&sec_user, sequest);
}
sqchecked = true;
}
if(!sqverified)
{
CSecurityResource* cres = dynamic_cast<CSecurityResource*>(secRes);
if(resource_name && *resource_name && cres)
{
if(stricmp(resource_name, "SSN Masking") == 0)
{
cres->setValue("All");
continue;
}
else if(stricmp(resource_name, "Driver License Masking") == 0)
{
cres->setValue("1");
continue;
}
}
}
}
}
dbValidateSetting(*secRes,usernum,user->getRealm());
}
