bool SimpleAuthorizer2::checkAccess(const String& opType, const String& ns, const ServiceEnvironmentIFCRef& env, OperationContext& context) { OW_ASSERT(opType == ACCESS_READ || opType == ACCESS_WRITE || opType == ACCESS_READWRITE); UserInfo userInfo = context.getUserInfo(); if (userInfo.getInternal()) { return true; } CIMOMHandleIFCRef lch = env->getCIMOMHandle(context, ServiceEnvironmentIFC::E_USE_PROVIDERS); LoggerRef lgr = env->getLogger(COMPONENT_NAME); if (!userInfo.getUserName().empty()) { String superUser = env->getConfigItem(ConfigOpts::ACL_SUPERUSER_opt); if (superUser.equalsIgnoreCase(userInfo.getUserName())) { OW_LOG_DEBUG(lgr, "User is SuperUser: checkAccess returning."); return true; } } String lns(ns); while (lns.startsWith('/')) { lns = lns.substring(1); } lns.toLowerCase(); for (;;) { if (!userInfo.getUserName().empty()) { try { CIMClass cc = lch->getClass("root/security", "OpenWBEM_UserACL", E_NOT_LOCAL_ONLY, E_INCLUDE_QUALIFIERS, E_INCLUDE_CLASS_ORIGIN, NULL); } catch(CIMException&) { OW_LOG_DEBUG(lgr, "OpenWBEM_UserACL class non-existent in" " /root/security. ACLs disabled"); return true; } CIMObjectPath cop("OpenWBEM_UserACL"); cop.setKeyValue("username", CIMValue(userInfo.getUserName())); cop.setKeyValue("nspace", CIMValue(lns)); CIMInstance ci(CIMNULL); try { ci = lch->getInstance("root/security", cop, E_NOT_LOCAL_ONLY, E_INCLUDE_QUALIFIERS, E_INCLUDE_CLASS_ORIGIN, NULL); } catch(const CIMException&) { ci.setNull(); } if (ci) { String capability; CIMProperty capabilityProp = ci.getProperty("capability"); if (capabilityProp) { CIMValue cv = capabilityProp.getValue(); if (cv) { capability = cv.toString(); } } capability.toLowerCase(); if (opType.length() == 1) { if (capability.indexOf(opType) == String::npos) { // Access to namespace denied for user OW_THROWCIM(CIMException::ACCESS_DENIED); } } else { if (!capability.equals("rw") && !capability.equals("wr")) { // Access to namespace denied for user OW_THROWCIM(CIMException::ACCESS_DENIED); } } // Access to namespace granted for user return true; } } // use default policy for namespace try { CIMClass cc = lch->getClass("root/security", "OpenWBEM_NamespaceACL", E_NOT_LOCAL_ONLY, E_INCLUDE_QUALIFIERS, E_INCLUDE_CLASS_ORIGIN, NULL); } catch(CIMException&) { // OpenWBEM_NamespaceACL class non-existent in /root/security. // namespace ACLs disabled return true; } CIMObjectPath cop("OpenWBEM_NamespaceACL"); cop.setKeyValue("nspace", CIMValue(lns)); CIMInstance ci(CIMNULL); try { ci = lch->getInstance("root/security", cop, E_NOT_LOCAL_ONLY, E_INCLUDE_QUALIFIERS, E_INCLUDE_CLASS_ORIGIN, NULL); } catch(const CIMException& ce) { OW_LOG_DEBUG(lgr, Format("Caught exception: %1 in" " AccessMgr::checkAccess. line=%2", ce, __LINE__)); ci.setNull(); } if (ci) { String capability; CIMProperty capabilityProp = ci.getProperty("capability"); if (capabilityProp) { CIMValue v = capabilityProp.getValue(); if (v) { capability = v.toString(); } } capability.toLowerCase(); if (opType.length() == 1) { if (capability.indexOf(opType) == String::npos) { // Access namespace denied for user OW_THROWCIM(CIMException::ACCESS_DENIED); } } else { if (!capability.equals("rw") && !capability.equals("wr")) { // Access to namespace denied for user OW_THROWCIM(CIMException::ACCESS_DENIED); } } // Access to namespace granted for user return true; } size_t idx = lns.lastIndexOf('/'); if (idx == 0 || idx == String::npos) { break; } lns = lns.substring(0, idx); } // Access to namespace denied for user OW_THROWCIM(CIMException::ACCESS_DENIED); return false; }