void CAuthorDlg::AddResPermissions(const char *name)
{
ISecResource *res = m_sec_resources->getResource(name);
if (res)
{
unsigned flags = res->getAccessFlags();
if ((flags & allperms))
{
m_permissions += res->getName();
m_permissions += " = ";
unsigned attr = 1;
int index = 0;
while (perm_descr[index] != NULL)
{
if (flags & (1<<index))
{
m_permissions += perm_descr[index];
}
index++;
}
m_permissions += "\r\n";
}
}
}
void CResPermissionsCache::add( IArrayOf<ISecResource>& resources )
{
time_t tstamp;
time(&tstamp);
int nresources = resources.ordinality();
for (int i = 0; i < nresources; i++)
{
ISecResource* secResource = &resources.item(i);
if(!secResource)
continue;
const char* resource = secResource->getName();
SecResourceType resourcetype = secResource->getResourceType();
if(resource == NULL)
continue;
int permissions = secResource->getAccessFlags();
if(permissions == -1)
continue;
MapResAccess::iterator it = m_resAccessMap.find(SecCacheKeyEntry(resource, resourcetype));
if (it != m_resAccessMap.end())//already exists so overwrite it but first remove existing timestamp info
{
ResPermCacheEntry& resParamCacheEntry = (*it).second;
time_t oldtstamp = resParamCacheEntry.first;
//there may be multiple resources associated with the same timestamp
//in the multimap so find this entry
//
MapTimeStamp::iterator itL = m_timestampMap.lower_bound( oldtstamp );
MapTimeStamp::iterator itU = m_timestampMap.upper_bound( oldtstamp );
MapTimeStamp::iterator its;
for ( its = itL; its != itU; its++)
{
SecCacheKeyEntry& cachekey = (*its).second;
if (cachekey.first == resource && cachekey.second == resourcetype)
{
m_timestampMap.erase(its);
break;
}
}
m_resAccessMap.erase(SecCacheKeyEntry(resource, resourcetype));
}
#ifdef _DEBUG
DBGLOG("CACHE: CResPermissionsCache Adding %s:%s(%d)", m_user.c_str(), resource, permissions);
#endif
m_resAccessMap.insert( pair<SecCacheKeyEntry, ResPermCacheEntry>(SecCacheKeyEntry(resource, resourcetype), ResPermCacheEntry(tstamp, secResource->clone())));
m_timestampMap.insert( pair<time_t, SecCacheKeyEntry>(tstamp, SecCacheKeyEntry(resource, resourcetype)));
}
}
bool CPermissionsCache::addManagedFileScopes(IArrayOf<ISecResource>& scopes)
{
WriteLockBlock writeLock(m_scopesRWLock);
ForEachItemIn(x, scopes)
{
ISecResource* scope = &scopes.item(x);
if(!scope)
continue;
const char* cachekey = scope->getName();
if(cachekey == NULL)
continue;
map<string, ISecResource*>::iterator it = m_managedFileScopesMap.find(cachekey);
if (it != m_managedFileScopesMap.end())
{
ISecResource *res = (*it).second;
res->Release();
m_managedFileScopesMap.erase(it);
}
#ifdef _DEBUG
DBGLOG("Caching Managed File Scope %s",cachekey);
#endif
m_managedFileScopesMap.insert( pair<string, ISecResource*>(cachekey, LINK(scope)));
}
bool SecHandler::authorizeSecReqFeatures(StringArray & features, IEspStringIntMap & pmap, unsigned *required)
{
if(features.length() == 0)
return false;
if(m_secmgr.get() == NULL)
{
for(unsigned i = 0; i < features.length(); i++)
{
const char* feature = features.item(i);
if(feature != NULL && feature[0] != 0)
pmap.setValue(feature, SecAccess_Full);
}
return true;
}
if(m_user.get() == NULL)
{
AuditMessage(AUDIT_TYPE_ACCESS_FAILURE, "Authorization", "Access Denied: No username provided");
return false;
}
Owned<ISecResourceList> plist = m_secmgr->createResourceList("FeatureMap");
std::map<std::string, std::string> namemap;
unsigned i;
for(i = 0; i < features.length(); i++)
{
const char* feature = features.item(i);
if(feature == NULL || feature[0] == 0)
continue;
if(m_feature_authmap.get() == NULL)
{
plist->addResource(feature);
namemap[feature] = feature;
}
else
{
ISecResourceList* rlist = m_feature_authmap->queryResourceList(feature);
ISecResource* resource = NULL;
if(rlist != NULL && (resource = rlist->queryResource((unsigned)0)) != NULL)
{
plist->addResource(resource->clone());
namemap[resource->getName()] = feature;
}
else
{
// Use the feature name as the resource name if no authmap was found
ISecResource* res = plist->addResource(feature);
res->setRequiredAccessFlags(SecAccess_Unknown);
namemap[feature] = feature;
}
}
}
bool auth_ok = false;
try
{
auth_ok = m_secmgr->authorize(*m_user.get(), plist, m_secureContext.get());
}
catch(IException* e)
{
StringBuffer errmsg;
e->errorMessage(errmsg);
ERRLOG("Exception authorizing, error=%s\n", errmsg.str());
return false;
}
catch(...)
{
ERRLOG("Unknown exception authorizing\n");
return false;
}
if(auth_ok)
{
for(i = 0; i < (unsigned)plist->count(); i++)
{
ISecResource* resource = plist->queryResource(i);
if(resource != NULL)
{
std::string feature = namemap[resource->getName()];
if(feature.size() == 0)
continue;
pmap.setValue(feature.c_str(), resource->getAccessFlags());
if (required && required[i]>0 && resource->getAccessFlags()<required[i])
{
AuditMessage(AUDIT_TYPE_ACCESS_FAILURE, "Authorization", "Access Denied: Not enough access rights for resource", "Resource: %s [%s]", resource->getName(), resource->getDescription());
}
}
}
}
return auth_ok;
}
