void CAuthorDlg::AddResPermissions(const char *name) { ISecResource *res = m_sec_resources->getResource(name); if (res) { unsigned flags = res->getAccessFlags(); if ((flags & allperms)) { m_permissions += res->getName(); m_permissions += " = "; unsigned attr = 1; int index = 0; while (perm_descr[index] != NULL) { if (flags & (1<<index)) { m_permissions += perm_descr[index]; } index++; } m_permissions += "\r\n"; } } }
void CResPermissionsCache::add( IArrayOf<ISecResource>& resources ) { time_t tstamp; time(&tstamp); int nresources = resources.ordinality(); for (int i = 0; i < nresources; i++) { ISecResource* secResource = &resources.item(i); if(!secResource) continue; const char* resource = secResource->getName(); SecResourceType resourcetype = secResource->getResourceType(); if(resource == NULL) continue; int permissions = secResource->getAccessFlags(); if(permissions == -1) continue; MapResAccess::iterator it = m_resAccessMap.find(SecCacheKeyEntry(resource, resourcetype)); if (it != m_resAccessMap.end())//already exists so overwrite it but first remove existing timestamp info { ResPermCacheEntry& resParamCacheEntry = (*it).second; time_t oldtstamp = resParamCacheEntry.first; //there may be multiple resources associated with the same timestamp //in the multimap so find this entry // MapTimeStamp::iterator itL = m_timestampMap.lower_bound( oldtstamp ); MapTimeStamp::iterator itU = m_timestampMap.upper_bound( oldtstamp ); MapTimeStamp::iterator its; for ( its = itL; its != itU; its++) { SecCacheKeyEntry& cachekey = (*its).second; if (cachekey.first == resource && cachekey.second == resourcetype) { m_timestampMap.erase(its); break; } } m_resAccessMap.erase(SecCacheKeyEntry(resource, resourcetype)); } #ifdef _DEBUG DBGLOG("CACHE: CResPermissionsCache Adding %s:%s(%d)", m_user.c_str(), resource, permissions); #endif m_resAccessMap.insert( pair<SecCacheKeyEntry, ResPermCacheEntry>(SecCacheKeyEntry(resource, resourcetype), ResPermCacheEntry(tstamp, secResource->clone()))); m_timestampMap.insert( pair<time_t, SecCacheKeyEntry>(tstamp, SecCacheKeyEntry(resource, resourcetype))); } }
bool CPermissionsCache::addManagedFileScopes(IArrayOf<ISecResource>& scopes) { WriteLockBlock writeLock(m_scopesRWLock); ForEachItemIn(x, scopes) { ISecResource* scope = &scopes.item(x); if(!scope) continue; const char* cachekey = scope->getName(); if(cachekey == NULL) continue; map<string, ISecResource*>::iterator it = m_managedFileScopesMap.find(cachekey); if (it != m_managedFileScopesMap.end()) { ISecResource *res = (*it).second; res->Release(); m_managedFileScopesMap.erase(it); } #ifdef _DEBUG DBGLOG("Caching Managed File Scope %s",cachekey); #endif m_managedFileScopesMap.insert( pair<string, ISecResource*>(cachekey, LINK(scope))); }
bool SecHandler::authorizeSecReqFeatures(StringArray & features, IEspStringIntMap & pmap, unsigned *required) { if(features.length() == 0) return false; if(m_secmgr.get() == NULL) { for(unsigned i = 0; i < features.length(); i++) { const char* feature = features.item(i); if(feature != NULL && feature[0] != 0) pmap.setValue(feature, SecAccess_Full); } return true; } if(m_user.get() == NULL) { AuditMessage(AUDIT_TYPE_ACCESS_FAILURE, "Authorization", "Access Denied: No username provided"); return false; } Owned<ISecResourceList> plist = m_secmgr->createResourceList("FeatureMap"); std::map<std::string, std::string> namemap; unsigned i; for(i = 0; i < features.length(); i++) { const char* feature = features.item(i); if(feature == NULL || feature[0] == 0) continue; if(m_feature_authmap.get() == NULL) { plist->addResource(feature); namemap[feature] = feature; } else { ISecResourceList* rlist = m_feature_authmap->queryResourceList(feature); ISecResource* resource = NULL; if(rlist != NULL && (resource = rlist->queryResource((unsigned)0)) != NULL) { plist->addResource(resource->clone()); namemap[resource->getName()] = feature; } else { // Use the feature name as the resource name if no authmap was found ISecResource* res = plist->addResource(feature); res->setRequiredAccessFlags(SecAccess_Unknown); namemap[feature] = feature; } } } bool auth_ok = false; try { auth_ok = m_secmgr->authorize(*m_user.get(), plist, m_secureContext.get()); } catch(IException* e) { StringBuffer errmsg; e->errorMessage(errmsg); ERRLOG("Exception authorizing, error=%s\n", errmsg.str()); return false; } catch(...) { ERRLOG("Unknown exception authorizing\n"); return false; } if(auth_ok) { for(i = 0; i < (unsigned)plist->count(); i++) { ISecResource* resource = plist->queryResource(i); if(resource != NULL) { std::string feature = namemap[resource->getName()]; if(feature.size() == 0) continue; pmap.setValue(feature.c_str(), resource->getAccessFlags()); if (required && required[i]>0 && resource->getAccessFlags()<required[i]) { AuditMessage(AUDIT_TYPE_ACCESS_FAILURE, "Authorization", "Access Denied: Not enough access rights for resource", "Resource: %s [%s]", resource->getName(), resource->getDescription()); } } } } return auth_ok; }