1 karl 1.23 //%2006////////////////////////////////////////////////////////////////////////
2 mike 1.2 //
3 karl 1.19 // Copyright (c) 2000, 2001, 2002 BMC Software; Hewlett-Packard Development
4 // Company, L.P.; IBM Corp.; The Open Group; Tivoli Systems.
5 // Copyright (c) 2003 BMC Software; Hewlett-Packard Development Company, L.P.;
6 karl 1.18 // IBM Corp.; EMC Corporation, The Open Group.
7 karl 1.19 // Copyright (c) 2004 BMC Software; Hewlett-Packard Development Company, L.P.;
8 // IBM Corp.; EMC Corporation; VERITAS Software Corporation; The Open Group.
9 karl 1.21 // Copyright (c) 2005 Hewlett-Packard Development Company, L.P.; IBM Corp.;
10 // EMC Corporation; VERITAS Software Corporation; The Open Group.
11 karl 1.23 // Copyright (c) 2006 Hewlett-Packard Development Company, L.P.; IBM Corp.;
12 // EMC Corporation; Symantec Corporation; The Open Group.
13 mike 1.2 //
14 kumpf 1.9 // Permission is hereby granted, free of charge, to any person obtaining a copy
15 // of this software and associated documentation files (the "Software"), to
16 // deal in the Software without restriction, including without limitation the
17 // rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
18 // sell copies of the Software, and to permit persons to whom the Software is
19 // furnished to do so, subject to the following conditions:
20 //
21 // THE ABOVE COPYRIGHT NOTICE AND THIS PERMISSION NOTICE SHALL BE INCLUDED IN
22 // ALL COPIES OR SUBSTANTIAL PORTIONS OF THE SOFTWARE. THE SOFTWARE IS PROVIDED
23 // "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
24 // LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
25 // PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
26 // HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
27 // ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
28 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
29 mike 1.2 //
30 //==============================================================================
31 //
32 //%/////////////////////////////////////////////////////////////////////////////
33
34 #include <Pegasus/Common/System.h>
35 #include <Pegasus/Common/XmlWriter.h>
36 kumpf 1.3 #include <Pegasus/Common/Tracer.h>
37 kumpf 1.7 #include <Pegasus/Common/PegasusVersion.h>
38
39 mike 1.2 #include <Pegasus/Config/ConfigManager.h>
40 kumpf 1.6
41 #include "LocalAuthenticationHandler.h"
42 #include "BasicAuthenticationHandler.h"
43 mike 1.2 #include "AuthenticationManager.h"
44
45 a.arora 1.20 #include <Pegasus/Common/AutoPtr.h>
46
47 gerarda 1.12 #ifdef PEGASUS_KERBEROS_AUTHENTICATION
48 gerarda 1.16 #include "KerberosAuthenticationHandler.h"
49 gerarda 1.12 #endif
50
51
52 mike 1.2 PEGASUS_USING_STD;
53
54 PEGASUS_NAMESPACE_BEGIN
55
56 //
57 // Constructor
58 //
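AuthenticationManager::AuthenticationManager()
{
    PEG_METHOD_ENTER(
        TRC_AUTHENTICATION, "AuthenticationManager::AuthenticationManager()");

    //
    // get authentication handlers
    //
    // The local handler is parked in an AutoPtr until the HTTP handler has
    // also been created: _getHttpAuthHandler() reads configuration and can
    // throw (e.g. when Kerberos initialization fails), and a destructor never
    // runs for a partially constructed object, so storing the raw pointer in
    // the member first would leak it on that path.
    AutoPtr<Authenticator> localHandler(_getLocalAuthHandler());

    _httpAuthHandler = _getHttpAuthHandler();

    _localAuthHandler = localHandler.release();

    PEG_METHOD_EXIT();
}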
73
74 //
75 // Destructor
76 //
AuthenticationManager::~AuthenticationManager()
{
    PEG_METHOD_ENTER(
        TRC_AUTHENTICATION, "AuthenticationManager::~AuthenticationManager()");

    //
    // Release the two handlers created by the constructor. Deleting through
    // Authenticator* relies on the interface declaring a virtual destructor
    // (declared in the header, not visible here) -- TODO confirm.
    //
    delete _httpAuthHandler;
    _httpAuthHandler = 0;

    delete _localAuthHandler;
    _localAuthHandler = 0;

    PEG_METHOD_EXIT();
}
90
Boolean AuthenticationManager::isRemotePrivilegedUserAccessAllowed(
    String & userName)
{
    //
    // Access is allowed unless BOTH hold: remote privileged access is
    // disabled by configuration AND the user is a privileged account.
    // The privilege lookup is only performed when the property is off,
    // matching the original short-circuit order.
    //
    Boolean remotePrivilegedAccessEnabled = ConfigManager::parseBooleanValue(
        ConfigManager::getInstance()->getCurrentValue(
            "enableRemotePrivilegedUserAccess"));

    if (remotePrivilegedAccessEnabled)
    {
        return true;
    }

    if (!System::isPrivilegedUser(userName))
    {
        return true;
    }

    //
    // Privileged user over a remote connection with the feature disabled:
    // trace and log the refusal, then reject.
    //
    PEG_TRACE((TRC_AUTHENTICATION, Tracer::LEVEL2,
        "Authentication failed for user '%s' because "
        "enableRemotePrivilegedUserAccess is not set to 'true'.",
        (const char*) userName.getCString()));
    Logger::put_l(
        Logger::STANDARD_LOG, System::CIMSERVER, Logger::INFORMATION,
        "Security.Authentication.BasicAuthenticationHandler."
        "PRIVILEGED_ACCESS_DISABLED",
        "Authentication failed for user '$0' because "
        "enableRemotePrivilegedUserAccess is not set to 'true'.",
        userName);

    return false;
}
117
118 mike 1.2 //
119 // Perform http authentication
120 //
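Boolean AuthenticationManager::performHttpAuthentication(
    const String& authHeader,
    AuthenticationInfo* authInfo)
{
    PEG_METHOD_ENTER(TRC_AUTHENTICATION,
        "AuthenticationManager::performHttpAuthentication()");

    String authType;
    String cookie;

    //
    // Parse the HTTP authentication header for authentication information
    //
    if ( !_parseHttpAuthHeader(authHeader, authType, cookie) )
    {
        PEG_METHOD_EXIT();
        return false;
    }

    //
    // Log the scheme only. Everything after the scheme is the client's
    // credential -- for Basic it is a reversible base64 encoding of
    // "user:password" -- and must not be written to the standard log.
    // (The previous message wrote the entire header.)
    //
    Logger::put(Logger::STANDARD_LOG, System::CIMSERVER, Logger::TRACE,
        "AuthenticationManager:: performHttpAuthentication - "
        "Authorization scheme: $0",
        authType);

    Boolean authenticated = false;

    //
    // Dispatch only when the scheme the client used matches the scheme the
    // server is configured for (httpAuthType). Any other combination leaves
    // authenticated == false, i.e. the check fails closed.
    //
    if ( String::equalNoCase(authType, "Basic") &&
         String::equalNoCase(_httpAuthType, "Basic") )
    {
        authenticated = _httpAuthHandler->authenticate(cookie, authInfo);
    }
#ifdef PEGASUS_KERBEROS_AUTHENTICATION
    else if ( String::equalNoCase(authType, "Negotiate") &&
              String::equalNoCase(_httpAuthType, "Kerberos") )
    {
        authenticated = _httpAuthHandler->authenticate(cookie, authInfo);
    }
#endif
    // FUTURE: Add code to check for "Digest" when digest
    // authentication is implemented.

    if ( authenticated )
    {
        // Records the scheme as the client spelled it (it was matched
        // case-insensitively above), not the configured httpAuthType value.
        authInfo->setAuthType(authType);
    }

    PEG_METHOD_EXIT();

    return authenticated;
}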
174
175 //
176 // Perform Pegasus-specific local authentication
177 //
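Boolean AuthenticationManager::performPegasusAuthentication(
    const String& authHeader,
    AuthenticationInfo* authInfo)
{
    PEG_METHOD_ENTER(TRC_AUTHENTICATION,
        "AuthenticationManager::performPegasusAuthentication()");

    Boolean authenticated = false;

    String authType;
    String userName;
    String cookie;

    //
    // Parse the pegasus authentication header authentication information
    //
    if ( !_parseLocalAuthHeader(authHeader, authType, userName, cookie) )
    {
        PEG_METHOD_EXIT();
        return false;
    }

    //
    // Log the scheme and user name only. The quoted part of the header also
    // carries the client's credential material (the "cookie"), which must
    // not be written to the standard log. (The previous message wrote the
    // entire header.)
    //
    Logger::put(Logger::STANDARD_LOG, System::CIMSERVER, Logger::TRACE,
        "AuthenticationManager:: performPegasusAuthentication - "
        "Authorization scheme: $0, user: $1",
        authType, userName);

    // The HTTPAuthenticatorDelegator ensures only local authentication
    // requests get here.
    PEGASUS_ASSERT(authType == "Local");

    //
    // Fail closed in builds where PEGASUS_ASSERT is compiled out: a header
    // with any other scheme is never handed to the local handler.
    //
    if (!(authType == "Local"))
    {
        PEG_METHOD_EXIT();
        return false;
    }

    // The handler receives the whole quoted payload ("user:..."), not just
    // the part after the colon -- see _parseLocalAuthHeader.
    authenticated =
        _localAuthHandler->authenticate(cookie, authInfo);

    if ( authenticated )
    {
        authInfo->setAuthType(authType);
    }

    PEG_METHOD_EXIT();

    return authenticated;
}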
221
222 //
223 sushma.fernandes 1.22 // Validate user.
224 //
Boolean AuthenticationManager::validateUserForHttpAuth (const String& userName)
{
    //
    // Delegate user validation to whichever HTTP handler was configured
    // (Basic or Kerberos); what "valid" means is decided by that handler.
    //
    Authenticator* httpHandler = _httpAuthHandler;

    return httpHandler->validateUser(userName);
}
229
230 //
231 mike 1.2 // Get pegasus/local authentication response header
232 //
String AuthenticationManager::getPegasusAuthResponseHeader(
    const String& authHeader,
    AuthenticationInfo* authInfo)
{
    PEG_METHOD_ENTER(TRC_AUTHENTICATION,
        "AuthenticationManager::getPegasusAuthResponseHeader()");

    String authType;
    String userName;
    String cookie;

    String respHeader;

    //
    // A header that does not parse, or that carries no user name, yields an
    // empty response header. Otherwise the local handler builds the
    // challenge for the (client-supplied, so untrusted) user name; any
    // validation of that name is the handler's responsibility -- TODO confirm.
    //
    Boolean parsed =
        _parseLocalAuthHeader(authHeader, authType, userName, cookie);

    if (parsed && userName.size() != 0)
    {
        respHeader = _localAuthHandler->getAuthResponseHeader(
            authType, userName, authInfo);
    }

    PEG_METHOD_EXIT();

    return respHeader;
}
272
273 //
274 // Get HTTP authentication response header
275 //
#ifdef PEGASUS_KERBEROS_AUTHENTICATION
String AuthenticationManager::getHttpAuthResponseHeader(
    AuthenticationInfo* authInfo)
#else
String AuthenticationManager::getHttpAuthResponseHeader()
#endif
{
    PEG_METHOD_ENTER(TRC_AUTHENTICATION,
        "AuthenticationManager::getHttpAuthResponseHeader()");

    //
    // Ask the configured HTTP handler for its challenge header. With
    // Kerberos the per-connection state in authInfo is needed to build the
    // Negotiate challenge; the header and user-name arguments are not used.
    //
    String challenge;

#ifdef PEGASUS_KERBEROS_AUTHENTICATION
    challenge = _httpAuthHandler->getAuthResponseHeader(
        String::EMPTY, String::EMPTY, authInfo);
#else
    challenge = _httpAuthHandler->getAuthResponseHeader();
#endif

    PEG_METHOD_EXIT();

    return challenge;
}
297
298 //
299 kumpf 1.6 // parse the local authentication header
300 mike 1.2 //
Boolean AuthenticationManager::_parseLocalAuthHeader(
    const String& authHeader, String& authType, String& userName, String& cookie)
{
    PEG_METHOD_ENTER(
        TRC_AUTHENTICATION, "AuthenticationManager::_parseLocalAuthHeader()");

    //
    // Expected shape:  <scheme> "<user>[:<rest>]"
    // The scheme runs up to the first blank; the payload is the first
    // double-quoted run found at or after that blank. Anything malformed
    // makes the parse fail; outputs already assigned (authType) are left
    // as set.
    //
    Boolean parsed = false;

    Uint32 schemeEnd = authHeader.find(' ');
    Uint32 openQuote = PEG_NOT_FOUND;
    Uint32 closeQuote = PEG_NOT_FOUND;

    if (schemeEnd != PEG_NOT_FOUND)
    {
        authType = authHeader.subString(0, schemeEnd);
        openQuote = authHeader.find(schemeEnd, '"');
    }

    if (openQuote != PEG_NOT_FOUND)
    {
        closeQuote = authHeader.find(openQuote + 1, '"');
    }

    if (closeQuote != PEG_NOT_FOUND)
    {
        String payload = authHeader.subString(
            openQuote + 1, (closeQuote - openQuote - 1));

        //
        // Split out the user name. Note that when a colon is present the
        // cookie is the WHOLE payload (user name included), not just the
        // part after the colon; the local handler presumably re-parses it --
        // TODO confirm against LocalAuthenticationHandler::authenticate.
        //
        Uint32 separator = payload.find(0, ':');

        if (separator == PEG_NOT_FOUND)
        {
            userName = payload;
        }
        else
        {
            userName = payload.subString(0, separator);
            cookie = payload;
        }

        parsed = true;
    }

    PEG_METHOD_EXIT();

    return parsed;
}
358
359 //
360 kumpf 1.6 // parse the HTTP authentication header
361 //
Boolean AuthenticationManager::_parseHttpAuthHeader(
    const String& authHeader, String& authType, String& cookie)
{
    PEG_METHOD_ENTER(
        TRC_AUTHENTICATION, "AuthenticationManager::_parseHttpAuthHeader()");

    //
    // Expected shape:  <scheme> <credential>
    // The scheme is everything before the first blank; the credential is
    // everything after it, unvalidated (its format depends on the scheme
    // and is checked by the handler). No blank at all means no parse.
    //
    Uint32 schemeEnd = authHeader.find(' ');
    Boolean parsed = (schemeEnd != PEG_NOT_FOUND);

    if (parsed)
    {
        authType = authHeader.subString(0, schemeEnd);
        cookie = authHeader.subString(schemeEnd + 1);
    }

    PEG_METHOD_EXIT();

    return parsed;
}
390 //
391 mike 1.2 // Get local authentication handler
392 //
Authenticator* AuthenticationManager::_getLocalAuthHandler()
{
    PEG_METHOD_ENTER(
        TRC_AUTHENTICATION, "AuthenticationManager::_getLocalAuthHandler()");

    //
    // The local handler takes no configuration. Ownership passes to the
    // caller, which keeps it in _localAuthHandler and deletes it in the
    // destructor.
    //
    Authenticator* localHandler = new LocalAuthenticationHandler();

    PEG_METHOD_EXIT();

    return localHandler;
}
404
405
406 //
407 // Get Http authentication handler
408 //
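Authenticator* AuthenticationManager::_getHttpAuthHandler()
{
    PEG_METHOD_ENTER(
        TRC_AUTHENTICATION, "AuthenticationManager::_getHttpAuthHandler()");

    AutoPtr<Authenticator> handler;

    //
    // get the configured authentication type
    //
    // ConfigManager::getInstance() hands back a process-wide singleton that
    // this function does not own, so it must not be held in an owning
    // AutoPtr. (The previous code did, releasing it only after
    // getCurrentValue(); had that call thrown, the singleton would have
    // been deleted out from under the rest of the server.)
    //
    ConfigManager* configManager = ConfigManager::getInstance();

    _httpAuthType = configManager->getCurrentValue("httpAuthType");

    //
    // create a authentication handler.
    //
    if ( String::equalNoCase(_httpAuthType, "Basic") )
    {
        handler.reset(new BasicAuthenticationHandler());
    }
#ifdef PEGASUS_KERBEROS_AUTHENTICATION
    else if ( String::equalNoCase(_httpAuthType, "Kerberos") )
    {
        //
        // Keep exactly one owner (handler). The derived-type pointer used for
        // initialize() is non-owning, so an exception out of initialize()
        // cannot lead to a double delete. (The previous code briefly held
        // the object in two AutoPtrs.)
        //
        KerberosAuthenticationHandler* kerberosHandler =
            new KerberosAuthenticationHandler();
        handler.reset(kerberosHandler);

        int itFailed = kerberosHandler->initialize();
        if (itFailed)
        {
            //
            // Fail closed: destroy the half-initialized handler before
            // reporting, so no usable HTTP handler is ever installed.
            //
            handler.reset(0);
            Logger::put_l(Logger::ERROR_LOG, System::CIMSERVER, Logger::SEVERE,
                "Security.Authentication.AuthenticationManager."
                "AUTHENTICATION_HANDLER_KERBEROS_FAILED_TO_INITIALIZE",
                "CIMOM server authentication handler for Kerberos failed to "
                "initialize properly.");
            MessageLoaderParms parms(
                "Security.Authentication.AuthenticationManager."
                "AUTHENTICATION_HANDLER_KERBEROS_FAILED_TO_INITIALIZE",
                "CIMOM server authentication handler for Kerberos failed to "
                "initialize properly.");
            throw Exception(parms);
        }
    }
#endif
    // FUTURE: uncomment these line when Digest authentication
    // is implemented.
    //
    //else if (String::equalNoCase(_httpAuthType, "Digest"))
    //{
    //    handler = (Authenticator* ) new DigestAuthenticationHandler( );
    //}
    else
    {
        //
        // This should never happen. Gets here only if Security Config
        // property owner has not validated the configured http auth type.
        // NOTE(review): in a build where PEGASUS_ASSERT is compiled out this
        // path returns a null handler, which later callers dereference.
        //
        PEGASUS_ASSERT(0);
    }

    PEG_METHOD_EXIT();

    // Ownership of the handler passes to the caller (_httpAuthHandler).
    return handler.release();
}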
475
476
477 PEGASUS_NAMESPACE_END
478