示例#1
0
 bool enableScopeScans(IUserDescriptor *udesc, bool enable, int * err)
 {
     bool superUser;
     StringBuffer username;
     StringBuffer password;
     udesc->getUserName(username);
     udesc->getPassword(password);
     Owned<ISecUser> user = ldapsecurity->createUser(username);
     user->credentials().setPassword(password);
     if (!ldapsecurity->authenticateUser(*user,superUser) || !superUser)
     {
         *err = -1;
         return false;
     }
     unsigned flags = getLDAPflags();
     if (enable)
     {
         DBGLOG("Scope Scans Enabled by user %s",username.str());
         flags |= (unsigned)DLF_SCOPESCANS;
     }
     else
     {
         DBGLOG("Scope Scans Disabled by user %s",username.str());
         flags &= ~(unsigned)DLF_SCOPESCANS;
     }
     setLDAPflags(flags);
     *err = 0;
     return true;
 }
示例#2
0
    int getPermissions(const char *key,const char *obj,IUserDescriptor *udesc,unsigned auditflags)
    {
        if (!ldapsecurity||((getLDAPflags()&DLF_ENABLED)==0)) 
            return 255;
        bool filescope = stricmp(key,"Scope")==0;
        bool wuscope = stricmp(key,"workunit")==0;
        if (filescope||wuscope) {
            StringBuffer username;
            StringBuffer password;
            int perm = 0;
            if (udesc) {
                udesc->getUserName(username);
                udesc->getPassword(password);
            }
            if (username.length()==0)  {
#ifndef _NO_DALIUSER_STACKTRACE
                DBGLOG("UNEXPECTED USER (NULL) in daldap.cpp getPermissions() line %d", __LINE__);
                //following debug code to be removed
                PrintStackReport();
#endif
                username.append(filesdefaultuser);
                decrypt(password, filesdefaultpassword);
            }
            unsigned start = msTick();
            Owned<ISecUser> user = ldapsecurity->createUser(username);
            if (user) {
                user->credentials().setPassword(password);
                if (filescope)
                    perm=ldapsecurity->authorizeFileScope(*user, obj);
                else if (wuscope)
                    perm=ldapsecurity->authorizeWorkunitScope(*user, obj);
                if (perm==-1)
                    perm = 0;
            }
            unsigned taken = msTick()-start;
#ifndef _DEBUG
            if (taken>100) 
#endif
            {
                PROGLOG("LDAP: getPermissions(%s) scope=%s user=%s returns %d in %d ms",key?key:"NULL",obj?obj:"NULL",username.str(),perm,taken);
            }
            if (auditflags&DALI_LDAP_AUDIT_REPORT) {
                StringBuffer auditstr;
                if ((auditflags&DALI_LDAP_READ_WANTED)&&!HASREADPERMISSION(perm)) 
                    auditstr.append("Lookup Access Denied");
                else if ((auditflags&DALI_LDAP_WRITE_WANTED)&&!HASWRITEPERMISSION(perm)) 
                    auditstr.append("Create Access Denied");
                if (auditstr.length()) {
                    auditstr.append(":\n\tProcess:\tdaserver");
                    auditstr.appendf("\n\tUser:\t%s",username.str());
                    auditstr.appendf("\n\tScope:\t%s\n",obj?obj:"");
                    SYSLOG(AUDIT_TYPE_ACCESS_FAILURE,auditstr.str());
                }
            }
            return perm;
        }
        return 255;
    }
示例#3
0
    bool enableScopeScans(IUserDescriptor *udesc, bool enable, int * err)
    {
        bool superUser;
        StringBuffer username;
        StringBuffer password;
        udesc->getUserName(username);
        udesc->getPassword(password);
        Owned<ISecUser> user = ldapsecurity->createUser(username);

        //Check user's digital signature, if present
        bool authenticated = false;
        if (!isEmptyString(udesc->querySignature()))
        {
            if (nullptr == pDSM)
                pDSM = queryDigitalSignatureManagerInstanceFromEnv();
            if (pDSM && pDSM->isDigiVerifierConfigured())
            {
                StringBuffer b64Signature(udesc->querySignature());
                if (!pDSM->digiVerify(username, b64Signature))//digital signature valid?
                {
                    ERRLOG("LDAP: enableScopeScans(%s) : Invalid user digital signature", username.str());
                    *err = -1;
                    return false;
                }
                else
                    authenticated = true;
            }
        }

        if (!authenticated)
        {
            user->credentials().setPassword(password);
            if (!ldapsecurity->authenticateUser(*user, &superUser) || !superUser)
            {
                *err = -1;
                return false;
            }
        }

        unsigned flags = getLDAPflags();
        if (enable)
        {
            DBGLOG("Scope Scans Enabled by user %s",username.str());
            flags |= (unsigned)DLF_SCOPESCANS;
        }
        else
        {
            DBGLOG("Scope Scans Disabled by user %s",username.str());
            flags &= ~(unsigned)DLF_SCOPESCANS;
        }
        setLDAPflags(flags);
        *err = 0;
        return true;
    }
示例#4
0
 bool clearPermissionsCache(IUserDescriptor *udesc)
 {
     if (!ldapsecurity || ((getLDAPflags() & DLF_ENABLED) == 0))
         return true;
     StringBuffer username;
     StringBuffer password;
     udesc->getUserName(username);
     udesc->getPassword(password);
     Owned<ISecUser> user = ldapsecurity->createUser(username);
     user->credentials().setPassword(password);
     return ldapsecurity->clearPermissionsCache(*user);
 }
示例#5
0
    SecAccessFlags getPermissions(const char *key,const char *obj,IUserDescriptor *udesc,unsigned auditflags,const char * reqSignature, CDateTime * reqUTCTimestamp)
    {
        if (!ldapsecurity||((getLDAPflags()&DLF_ENABLED)==0)) 
            return SecAccess_Full;
        StringBuffer username;
        StringBuffer password;
        if (udesc) 
        {
            udesc->getUserName(username);
            udesc->getPassword(password);
        }
        else
        {
            WARNLOG("NULL UserDescriptor in daldap.cpp getPermissions('%s')",key ? key : "NULL");
        }

        if (0 == username.length())
        {
            username.append(filesdefaultuser);
            decrypt(password, filesdefaultpassword);
        }

        Owned<ISecUser> user = ldapsecurity->createUser(username);
        user->credentials().setPassword(password);

        bool authenticated = false;

        //Check that the digital signature provided by the caller (signature of
        //caller's "scope;username;timeStamp") matches what we expect it to be
        if (!isEmptyString(reqSignature))
        {
            if (nullptr == pDSM)
                pDSM = queryDigitalSignatureManagerInstanceFromEnv();
            if (pDSM && pDSM->isDigiVerifierConfigured())
            {
                StringBuffer requestTimestamp;
                reqUTCTimestamp->getString(requestTimestamp, false);//extract timestamp string from Dali request

                CDateTime now;
                now.setNow();
                if (now.compare(*reqUTCTimestamp) < 0)//timestamp from the future?
                {
                    ERRLOG("LDAP: getPermissions(%s) scope=%s user=%s Request digital signature timestamp %s from the future",key?key:"NULL",obj?obj:"NULL",username.str(), requestTimestamp.str());
                    return SecAccess_None;//deny
                }

                CDateTime expiry;
                expiry.set(now);
                expiry.adjustTime(requestSignatureExpiryMinutes);//compute expiration timestamp

                if (expiry.compare(*reqUTCTimestamp) < 0)//timestamp too far in the past?
                {
                    ERRLOG("LDAP: getPermissions(%s) scope=%s user=%s Expired request digital signature timestamp %s",key?key:"NULL",obj?obj:"NULL",username.str(), requestTimestamp.str());
                    return SecAccess_None;//deny
                }

                VStringBuffer expectedStr("%s;%s;%s", obj, username.str(), requestTimestamp.str());
                StringBuffer b64Signature(reqSignature);// signature of scope;user;timestamp

                if (!pDSM->digiVerify(expectedStr, b64Signature))//does the digital signature match what we expect?
                {
                    ERRLOG("LDAP: getPermissions(%s) scope=%s user=%s fails digital signature verification",key?key:"NULL",obj?obj:"NULL",username.str());
                    return SecAccess_None;//deny
                }

                authenticated = true;//Digital signature verified
            }
            else
                ERRLOG("LDAP: getPermissions(%s) scope=%s user=%s digital signature support not available",key?key:"NULL",obj?obj:"NULL",username.str());
        }

        if (!authenticated && !ldapsecurity->authenticateUser(*user, NULL))
        {
            ERRLOG("LDAP: getPermissions(%s) scope=%s user=%s fails LDAP authentication",key?key:"NULL",obj?obj:"NULL",username.str());
            return SecAccess_None;//deny
        }

        bool filescope = stricmp(key,"Scope")==0;
        bool wuscope = stricmp(key,"workunit")==0;

        if (filescope || wuscope) {
            SecAccessFlags perm = SecAccess_None;
            unsigned start = msTick();
            if (filescope)
                perm=ldapsecurity->authorizeFileScope(*user, obj);
            else if (wuscope)
                perm=ldapsecurity->authorizeWorkunitScope(*user, obj);
            if (perm == SecAccess_Unavailable)
                perm = SecAccess_None;

            unsigned taken = msTick()-start;
#ifndef _DEBUG
            if (taken>100) 
#endif
            {
                PROGLOG("LDAP: getPermissions(%s) scope=%s user=%s returns %d in %d ms",key?key:"NULL",obj?obj:"NULL",username.str(),perm,taken);
            }
            if (auditflags&DALI_LDAP_AUDIT_REPORT) {
                StringBuffer auditstr;
                if ((auditflags&DALI_LDAP_READ_WANTED)&&!HASREADPERMISSION(perm)) 
                    auditstr.append("Lookup Access Denied");
                else if ((auditflags&DALI_LDAP_WRITE_WANTED)&&!HASWRITEPERMISSION(perm)) 
                    auditstr.append("Create Access Denied");
                if (auditstr.length()) {
                    auditstr.append(":\n\tProcess:\tdaserver");
                    auditstr.appendf("\n\tUser:\t%s",username.str());
                    auditstr.appendf("\n\tScope:\t%s\n",obj?obj:"");
                    SYSLOG(AUDIT_TYPE_ACCESS_FAILURE,auditstr.str());
                }
            }
            return perm;
        }
        return SecAccess_Full;
    }