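/**
 * Build the URL-path -> resource authorization map from the
 * Authenticate/Location elements of the security configuration.
 *
 * Every Location must carry both @path and @resource; a missing value is a
 * configuration error and is rejected with an exception rather than leaving
 * the location silently unprotected. @required is converted with str2perm()
 * and stored as the access level a caller must hold for the path.
 *
 * @param authconfig  configuration subtree containing the Location elements
 * @return a newly created map; ownership passes to the caller
 * @throws IException (via MakeStringException) when @path or @resource is empty
 *
 * Ownership note: both the map under construction and the iterator are held
 * by Owned<> so that an exception thrown part way through the loop releases
 * them. The previous hand-rolled first()/isValid()/next() loop only released
 * the iterator on the non-throwing path and leaked the half-built map.
 */
IAuthMap * CLocalSecurityManager::createAuthMap(IPropertyTree * authconfig)
{
    Owned<CAuthMap> authmap = new CAuthMap(this);
    Owned<IPropertyTreeIterator> loc_iter = authconfig->getElements(".//Location");
    if (loc_iter)
    {
        ForEach(*loc_iter)
        {
            IPropertyTree &location = loc_iter->query();
            StringBuffer pathstr, rstr, required, description;
            location.getProp("@path", pathstr);
            location.getProp("@resource", rstr);
            location.getProp("@required", required);
            location.getProp("@description", description);

            // Reject incomplete entries: an empty path or resource would
            // otherwise produce a map entry that guards nothing.
            if (pathstr.length() == 0)
                throw MakeStringException(-1, "path empty in Authenticate/Location");
            if (rstr.length() == 0)
                throw MakeStringException(-1, "resource empty in Authenticate/Location");

            // One resource list per path; several Location elements may
            // share a path and then contribute resources to the same list.
            ISecResourceList *rlist = authmap->queryResourceList(pathstr.str());
            if (rlist == NULL)
            {
                rlist = createResourceList("localsecurity");
                authmap->add(pathstr.str(), rlist);
            }

            ISecResource *rs = rlist->addResource(rstr.str());
            // NOTE(review): what str2perm() returns for an empty or unknown
            // @required string is not visible here — confirm it yields a
            // deny-by-default level rather than a grant.
            unsigned requiredaccess = str2perm(required.str());
            rs->setRequiredAccessFlags(requiredaccess);
            rs->setDescription(description.str());
        }
    }
    return authmap.getClear();
}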
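/**
 * Build the URL-path -> resource authorization map from the
 * Authenticate/Location elements of the security configuration.
 *
 * Every Location must carry both @path and @resource; a missing value is a
 * configuration error and is rejected with an exception. @required is
 * converted with str2perm() and stored as the level a caller must hold.
 *
 * Each resource is created with SecAccess_Full already granted, so for this
 * manager authorization of a mapped location reduces to "the user
 * authenticated" — there is no per-user permission lookup for these entries.
 *
 * @param authconfig  configuration subtree containing the Location elements
 * @return a newly created map; ownership passes to the caller
 * @throws IException (via MakeStringException) when @path or @resource is empty
 *
 * Ownership note: the map under construction is held by Owned<> so that an
 * exception thrown part way through the loop does not leak it.
 */
IAuthMap * createAuthMap(IPropertyTree * authconfig)
{
    Owned<CAuthMap> authmap = new CAuthMap(this);
    Owned<IPropertyTreeIterator> loc_iter = authconfig->getElements(".//Location");
    if (loc_iter)
    {
        ForEach(*loc_iter)
        {
            IPropertyTree &location = loc_iter->query();
            StringBuffer pathstr, rstr, required, description;
            location.getProp("@path", pathstr);
            location.getProp("@resource", rstr);
            location.getProp("@required", required);
            location.getProp("@description", description);

            // Reject incomplete entries: an empty path or resource would
            // otherwise produce a map entry that guards nothing.
            if (pathstr.length() == 0)
                throw MakeStringException(-1, "path empty in Authenticate/Location");
            if (rstr.length() == 0)
                throw MakeStringException(-1, "resource empty in Authenticate/Location");

            // One resource list per path; several Location elements may
            // share a path and then contribute resources to the same list.
            ISecResourceList *rlist = authmap->queryResourceList(pathstr.str());
            if (rlist == NULL)
            {
                rlist = createResourceList("htpasswdsecurity");
                authmap->add(pathstr.str(), rlist);
            }

            ISecResource *rs = rlist->addResource(rstr.str());
            SecAccessFlags requiredaccess = str2perm(required.str());
            rs->setRequiredAccessFlags(requiredaccess);
            rs->setDescription(description.str());
            // Granted level is fixed at map-build time: any authenticated
            // user meets the requirement for this location.
            rs->setAccessFlags(SecAccess_Full);//grant full access to authenticated users
        }
    }
    return authmap.getClear();
}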
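/**
 * Build the feature authorization map from the Feature elements of the
 * security configuration.
 *
 * Each Feature's @path selects (or creates) a resource list named after the
 * path; when @resource is non-empty a resource is added to that list with
 * the @required level from str2perm() and with SecAccess_Full already
 * granted, so checks against this map reduce to "the user authenticated".
 *
 * Unlike createAuthMap(), an empty @path is not rejected here: such an
 * element creates a list keyed on the empty string. NOTE(review): confirm
 * that is intended, or validate @path the same way Location entries are.
 *
 * @param authconfig  configuration subtree containing the Feature elements
 * @return a newly created map; ownership passes to the caller
 *
 * Ownership note: the map under construction is held by Owned<> so that an
 * exception raised by a callee part way through the loop does not leak it.
 */
IAuthMap * createFeatureMap(IPropertyTree * authconfig)
{
    Owned<CAuthMap> feature_authmap = new CAuthMap(this);
    Owned<IPropertyTreeIterator> feature_iter = authconfig->getElements(".//Feature");
    ForEach(*feature_iter)
    {
        IPropertyTree &feature = feature_iter->query();
        StringBuffer pathstr, rstr, required, description;
        feature.getProp("@path", pathstr);
        feature.getProp("@resource", rstr);
        feature.getProp("@required", required);
        feature.getProp("@description", description);

        // One resource list per path, named after the path itself.
        ISecResourceList *rlist = feature_authmap->queryResourceList(pathstr.str());
        if (rlist == NULL)
        {
            rlist = createResourceList(pathstr.str());
            feature_authmap->add(pathstr.str(), rlist);
        }

        // A Feature without @resource only ensures the list exists.
        if (!rstr.isEmpty())
        {
            ISecResource *rs = rlist->addResource(rstr.str());
            SecAccessFlags requiredaccess = str2perm(required.str());
            rs->setRequiredAccessFlags(requiredaccess);
            rs->setDescription(description.str());
            // Granted level is fixed at map-build time: any authenticated
            // user meets the requirement for this feature.
            rs->setAccessFlags(SecAccess_Full);//grant full access to authenticated users
        }
    }
    return feature_authmap.getClear();
}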
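/**
 * Ask the security manager which of the requested features the current
 * user may access, and report the granted level of each through pmap.
 *
 * @param features  feature names to check; NULL/empty entries are skipped
 * @param pmap      receives feature name -> granted SecAccessFlags
 * @param required  optional array, parallel to `features`, of the level the
 *                  caller needs per feature; used only to audit shortfalls
 * @return false when no features were given, when no user is set, or when
 *         the security manager failed or threw; otherwise the manager's
 *         verdict. A feature whose granted level is below `required` is
 *         audited but does NOT turn the result false — callers must decide
 *         per feature from pmap.
 *
 * When no security manager is configured every feature is reported as
 * SecAccess_Full and true is returned: this is a grant, not a denial.
 *
 * Changes from the previous revision: the caught IException is Released
 * instead of leaked, and `required` is read at the feature's own index
 * rather than the resource-list index (the two diverge when an empty feature
 * name is skipped, or when the list collapses duplicate names).
 */
bool SecHandler::authorizeSecReqFeatures(StringArray & features, IEspStringIntMap & pmap, unsigned *required)
{
    if (features.length() == 0)
        return false;

    // No manager to consult: report full access for every named feature.
    if (m_secmgr.get() == NULL)
    {
        for (unsigned i = 0; i < features.length(); i++)
        {
            const char *feature = features.item(i);
            if (feature != NULL && feature[0] != 0)
                pmap.setValue(feature, SecAccess_Full);
        }
        return true;
    }

    if (m_user.get() == NULL)
    {
        AuditMessage(AUDIT_TYPE_ACCESS_FAILURE, "Authorization", "Access Denied: No username provided");
        return false;
    }

    Owned<ISecResourceList> plist = m_secmgr->createResourceList("FeatureMap");
    // resource name (as the security manager sees it) -> requested feature name
    std::map<std::string, std::string> namemap;
    // position in plist -> index into `features` it was built from, so that
    // `required` (parallel to `features`) is read at the right offset
    std::map<unsigned, unsigned> featureIndex;
    for (unsigned i = 0; i < features.length(); i++)
    {
        const char *feature = features.item(i);
        if (feature == NULL || feature[0] == 0)
            continue;
        if (m_feature_authmap.get() == NULL)
        {
            plist->addResource(feature);
            namemap[feature] = feature;
        }
        else
        {
            ISecResourceList *rlist = m_feature_authmap->queryResourceList(feature);
            ISecResource *resource = NULL;
            if (rlist != NULL && (resource = rlist->queryResource((unsigned)0)) != NULL)
            {
                // Mapped feature: check the configured resource (which may
                // carry a different name and a required level) instead.
                plist->addResource(resource->clone());
                namemap[resource->getName()] = feature;
            }
            else
            {
                // Use the feature name as the resource name if no authmap was found
                ISecResource *res = plist->addResource(feature);
                res->setRequiredAccessFlags(SecAccess_Unknown);
                namemap[feature] = feature;
            }
        }
        // Record the owning feature only when the list actually grew, so a
        // list that collapses duplicate names keeps the first feature's index.
        unsigned pos = (unsigned)plist->count();
        if (pos > 0 && featureIndex.find(pos - 1) == featureIndex.end())
            featureIndex[pos - 1] = i;
    }

    bool auth_ok = false;
    try
    {
        auth_ok = m_secmgr->authorize(*m_user.get(), plist, m_secureContext.get());
    }
    catch (IException *e)
    {
        StringBuffer errmsg;
        e->errorMessage(errmsg);
        ERRLOG("Exception authorizing, error=%s\n", errmsg.str());
        e->Release();
        return false;
    }
    catch (...)
    {
        ERRLOG("Unknown exception authorizing\n");
        return false;
    }

    if (auth_ok)
    {
        unsigned nres = (unsigned)plist->count();
        for (unsigned k = 0; k < nres; k++)
        {
            ISecResource *resource = plist->queryResource(k);
            if (resource == NULL)
                continue;
            std::map<std::string, std::string>::const_iterator it = namemap.find(resource->getName());
            if (it == namemap.end() || it->second.empty())
                continue;
            const std::string &feature = it->second;
            pmap.setValue(feature.c_str(), resource->getAccessFlags());

            // Shortfalls are audited only; the return value stays the
            // manager's verdict and the caller decides per feature.
            if (required != NULL)
            {
                std::map<unsigned, unsigned>::const_iterator fi = featureIndex.find(k);
                if (fi != featureIndex.end())
                {
                    unsigned want = required[fi->second];
                    if (want > 0 && resource->getAccessFlags() < want)
                        AuditMessage(AUDIT_TYPE_ACCESS_FAILURE, "Authorization", "Access Denied: Not enough access rights for resource", "Resource: %s [%s]", resource->getName(), resource->getDescription());
                }
            }
        }
    }
    return auth_ok;
}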