1 karl 1.23 //%2006////////////////////////////////////////////////////////////////////////
|
2 mike 1.2 //
|
3 karl 1.19 // Copyright (c) 2000, 2001, 2002 BMC Software; Hewlett-Packard Development
4 // Company, L.P.; IBM Corp.; The Open Group; Tivoli Systems.
5 // Copyright (c) 2003 BMC Software; Hewlett-Packard Development Company, L.P.;
|
6 karl 1.18 // IBM Corp.; EMC Corporation, The Open Group.
|
7 karl 1.19 // Copyright (c) 2004 BMC Software; Hewlett-Packard Development Company, L.P.;
8 // IBM Corp.; EMC Corporation; VERITAS Software Corporation; The Open Group.
|
9 karl 1.21 // Copyright (c) 2005 Hewlett-Packard Development Company, L.P.; IBM Corp.;
10 // EMC Corporation; VERITAS Software Corporation; The Open Group.
|
11 karl 1.23 // Copyright (c) 2006 Hewlett-Packard Development Company, L.P.; IBM Corp.;
12 // EMC Corporation; Symantec Corporation; The Open Group.
|
13 mike 1.2 //
|
14 kumpf 1.9 // Permission is hereby granted, free of charge, to any person obtaining a copy
15 // of this software and associated documentation files (the "Software"), to
16 // deal in the Software without restriction, including without limitation the
17 // rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
18 // sell copies of the Software, and to permit persons to whom the Software is
19 // furnished to do so, subject to the following conditions:
20 //
21 // THE ABOVE COPYRIGHT NOTICE AND THIS PERMISSION NOTICE SHALL BE INCLUDED IN
22 // ALL COPIES OR SUBSTANTIAL PORTIONS OF THE SOFTWARE. THE SOFTWARE IS PROVIDED
23 // "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
24 // LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
25 // PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
26 // HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
27 // ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
28 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
29 mike 1.2 //
30 //==============================================================================
31 //
32 //%/////////////////////////////////////////////////////////////////////////////
33
34 #include <Pegasus/Common/System.h>
35 #include <Pegasus/Common/XmlWriter.h>
|
36 kumpf 1.3 #include <Pegasus/Common/Tracer.h>
|
37 kumpf 1.7 #include <Pegasus/Common/PegasusVersion.h>
|
38 thilo.boehm 1.32 #include <Pegasus/Common/HTTPMessage.h>
|
39 kumpf 1.7
|
40 mike 1.2 #include <Pegasus/Config/ConfigManager.h>
|
41 kumpf 1.6
42 #include "LocalAuthenticationHandler.h"
43 #include "BasicAuthenticationHandler.h"
|
44 mike 1.2 #include "AuthenticationManager.h"
45
|
46 a.arora 1.20 #include <Pegasus/Common/AutoPtr.h>
47
|
48 gerarda 1.12 #ifdef PEGASUS_KERBEROS_AUTHENTICATION
|
49 gerarda 1.16 #include "KerberosAuthenticationHandler.h"
|
50 gerarda 1.12 #endif
51
52
|
53 mike 1.2 PEGASUS_USING_STD;
54
55 PEGASUS_NAMESPACE_BEGIN
56
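//
// Constructor
//
// Creates the local and HTTP authentication handlers. Either factory may
// throw (_getHttpAuthHandler() throws Exception when the configured handler
// fails to initialize); because a destructor never runs for a partially
// constructed object, the local handler is parked in an AutoPtr until the
// HTTP handler exists so it cannot leak on that path.
//
AuthenticationManager::AuthenticationManager()
{
    PEG_METHOD_ENTER(
        TRC_AUTHENTICATION, "AuthenticationManager::AuthenticationManager()");

    //
    // get authentication handlers
    //
    AutoPtr<Authenticator> localAuthHandler(_getLocalAuthHandler());

    _httpAuthHandler = _getHttpAuthHandler();

    // Both handlers exist now; take ownership of the local one.
    _localAuthHandler = localAuthHandler.release();

    PEG_METHOD_EXIT();
}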
74
//
// Destructor
//
// Releases the two handlers this manager owns. Both pointers come from the
// _get*AuthHandler() factories, which allocate them with new.
//
AuthenticationManager::~AuthenticationManager()
{
    PEG_METHOD_ENTER(
        TRC_AUTHENTICATION, "AuthenticationManager::~AuthenticationManager()");

    // The handlers are independent of each other, so release order is
    // irrelevant.
    delete _httpAuthHandler;
    delete _localAuthHandler;

    PEG_METHOD_EXIT();
}
91
|
//
// Decide whether a remote connection by userName may proceed.
//
// Access is refused only for a privileged user while the
// enableRemotePrivilegedUserAccess configuration property is not true;
// the refusal is traced and written to the standard log.
//
Boolean AuthenticationManager::isRemotePrivilegedUserAccessAllowed(
    String & userName)
{
    const Boolean remotePrivilegedAccessEnabled =
        ConfigManager::parseBooleanValue(
            ConfigManager::getInstance()->getCurrentValue(
                "enableRemotePrivilegedUserAccess"));

    // When the property is enabled nothing else needs to be checked
    // (the privilege lookup is skipped, as in the original short-circuit).
    if (remotePrivilegedAccessEnabled)
    {
        return true;
    }

    // Property disabled: only privileged users are affected.
    if (!System::isPrivilegedUser(userName))
    {
        return true;
    }

    PEG_TRACE((TRC_AUTHENTICATION, Tracer::LEVEL2,
        "Authentication failed for user '%s' because "
        "enableRemotePrivilegedUserAccess is not set to 'true'.",
        (const char*) userName.getCString()));
    Logger::put_l(
        Logger::STANDARD_LOG, System::CIMSERVER, Logger::INFORMATION,
        "Security.Authentication.BasicAuthenticationHandler."
        "PRIVILEGED_ACCESS_DISABLED",
        "Authentication failed for user '$0' because "
        "enableRemotePrivilegedUserAccess is not set to 'true'.",
        userName);
    return false;
}
118
|
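//
// Perform http authentication
//
// authHeader: the HTTP authorization header as received from the client.
// authInfo:   receives the authentication type when authentication succeeds.
// Returns true only when the configured HTTP handler accepted the credential.
//
// The raw header is never written to the log: for the Basic scheme it holds
// the base64-encoded user name and password, so only the parsed scheme name
// is logged.
//
Boolean AuthenticationManager::performHttpAuthentication(
    const String& authHeader,
    AuthenticationInfo* authInfo)
{
    PEG_METHOD_ENTER(TRC_AUTHENTICATION,
        "AuthenticationManager::performHttpAuthentication()");

    String authType;
    String cookie;

    //
    // Parse the HTTP authentication header for authentication information
    //
    if (!HTTPMessage::parseHttpAuthHeader(authHeader, authType, cookie))
    {
        PEG_METHOD_EXIT();
        return false;
    }

    //
    // Log the scheme only; the credential part ("cookie") stays out of
    // the log.
    //
    Logger::put(Logger::STANDARD_LOG, System::CIMSERVER, Logger::TRACE,
        "AuthenticationManager:: performHttpAuthentication - "
        "Authority Header type: $0",
        authType);

    Boolean authenticated = false;

    //
    // Check the authentication information and do the authentication.
    // The scheme offered by the client must match the configured
    // httpAuthType; anything else is left unauthenticated.
    //
    if (String::equalNoCase(authType, "Basic") &&
        String::equalNoCase(_httpAuthType, "Basic"))
    {
        authenticated = _httpAuthHandler->authenticate(cookie, authInfo);
    }
#ifdef PEGASUS_KERBEROS_AUTHENTICATION
    else if (String::equalNoCase(authType, "Negotiate") &&
             String::equalNoCase(_httpAuthType, "Kerberos"))
    {
        authenticated = _httpAuthHandler->authenticate(cookie, authInfo);
    }
#endif
    // FUTURE: Add code to check for "Digest" when digest
    // authentication is implemented.

    if (authenticated)
    {
        authInfo->setAuthType(authType);
    }

    PEG_METHOD_EXIT();

    return authenticated;
}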
175
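//
// Perform pegasus specific local authentication
//
// authHeader: the local authentication header sent by the client; it carries
//             the authentication type, the user name and an opaque
//             credential ("cookie").
// authInfo:   receives the authentication type when authentication succeeds.
// Returns true only when the local handler accepted the credential.
//
// The raw header is never written to the log because it contains the
// cookie; only the parsed user name is logged.
//
Boolean AuthenticationManager::performPegasusAuthentication(
    const String& authHeader,
    AuthenticationInfo* authInfo)
{
    PEG_METHOD_ENTER(TRC_AUTHENTICATION,
        "AuthenticationManager::performPegasusAuthentication()");

    Boolean authenticated = false;

    String authType;
    String userName;
    String cookie;

    //
    // Parse the pegasus authentication header authentication information
    //
    if (!HTTPMessage::parseLocalAuthHeader(authHeader,
             authType, userName, cookie))
    {
        PEG_METHOD_EXIT();
        return false;
    }

    Logger::put(Logger::STANDARD_LOG, System::CIMSERVER, Logger::TRACE,
        "AuthenticationManager:: performPegasusAuthentication - "
        "Authority Header user: $0",
        userName);

    // The HTTPAuthenticatorDelegator ensures only local authentication
    // requests get here.
    PEGASUS_ASSERT(authType == "Local");

    // Defence in depth in case PEGASUS_ASSERT is compiled out in this
    // build: a header of any other type is never handed to the local
    // handler.
    if (!(authType == "Local"))
    {
        PEG_METHOD_EXIT();
        return false;
    }

    authenticated =
        _localAuthHandler->authenticate(cookie, authInfo);

    if (authenticated)
    {
        authInfo->setAuthType(authType);
    }

    PEG_METHOD_EXIT();

    return authenticated;
}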
223
//
// Validate user.
//
// Delegates to the configured HTTP authentication handler and returns
// whatever its validateUser() reports for userName.
//
Boolean AuthenticationManager::validateUserForHttpAuth (const String& userName)
{
    const Boolean userIsValid = _httpAuthHandler->validateUser(userName);
    return userIsValid;
}
231
//
// Get pegasus/local authentication response header
//
// Returns an empty String when authHeader does not parse as a local
// authentication header or carries no user name; otherwise returns the
// response header produced by the local authentication handler.
//
String AuthenticationManager::getPegasusAuthResponseHeader(
    const String& authHeader,
    AuthenticationInfo* authInfo)
{
    PEG_METHOD_ENTER(TRC_AUTHENTICATION,
        "AuthenticationManager::getPegasusAuthResponseHeader()");

    String authType;
    String userName;
    String cookie;
    String respHeader;

    //
    // Parse the local authentication header. A header that does not parse,
    // or whose user name is empty, yields an empty response header. The
    // parse runs first so userName is only inspected once it has been set.
    //
    const Boolean parsed = HTTPMessage::parseLocalAuthHeader(
        authHeader, authType, userName, cookie);

    if (!parsed || String::equal(userName, String::EMPTY))
    {
        PEG_METHOD_EXIT();
        return respHeader;
    }

    respHeader = _localAuthHandler->getAuthResponseHeader(
        authType, userName, authInfo);

    PEG_METHOD_EXIT();

    return respHeader;
}
275
//
// Get HTTP authentication response header
//
// Returns the response header produced by the configured HTTP handler.
// With PEGASUS_KERBEROS_AUTHENTICATION the handler is given the connection's
// AuthenticationInfo (and empty type/user strings); otherwise it is called
// without arguments.
//
#ifdef PEGASUS_KERBEROS_AUTHENTICATION
String AuthenticationManager::getHttpAuthResponseHeader(
    AuthenticationInfo* authInfo)
#else
String AuthenticationManager::getHttpAuthResponseHeader()
#endif
{
    PEG_METHOD_ENTER(TRC_AUTHENTICATION,
        "AuthenticationManager::getHttpAuthResponseHeader()");

    String respHeader;

#ifdef PEGASUS_KERBEROS_AUTHENTICATION
    respHeader = _httpAuthHandler->getAuthResponseHeader(
        String::EMPTY, String::EMPTY, authInfo);
#else
    respHeader = _httpAuthHandler->getAuthResponseHeader();
#endif

    PEG_METHOD_EXIT();

    return respHeader;
}
300
//
// Get local authentication handler
//
// Allocates a new LocalAuthenticationHandler. The caller owns the returned
// pointer; the AuthenticationManager destructor deletes it.
//
Authenticator* AuthenticationManager::_getLocalAuthHandler()
{
    PEG_METHOD_ENTER(
        TRC_AUTHENTICATION, "AuthenticationManager::_getLocalAuthHandler()");

    // The method-exit trace precedes the allocation, as it always has, so
    // trace ordering relative to the handler's constructor is unchanged.
    PEG_METHOD_EXIT();

    Authenticator* const localHandler = new LocalAuthenticationHandler();
    return localHandler;
}
315
316
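//
// Get Http authentication handler
//
// Reads the httpAuthType configuration property into _httpAuthType and
// returns a newly allocated handler for that type: Basic, or Kerberos when
// PEGASUS_KERBEROS_AUTHENTICATION is defined. The caller owns the result.
// Throws Exception when the Kerberos handler fails to initialize.
//
Authenticator* AuthenticationManager::_getHttpAuthHandler()
{
    PEG_METHOD_ENTER(
        TRC_AUTHENTICATION, "AuthenticationManager::_getHttpAuthHandler()");

    AutoPtr<Authenticator> handler;

    //
    // get the configured authentication type
    //
    // ConfigManager::getInstance() hands out a shared instance that this
    // method does not own (isRemotePrivilegedUserAccessAllowed() uses it
    // the same way), so it is used through a plain pointer. Wrapping it in
    // an owning AutoPtr would delete that shared instance if
    // getCurrentValue() threw before the pointer was released.
    //
    _httpAuthType =
        ConfigManager::getInstance()->getCurrentValue("httpAuthType");

    //
    // create a authentication handler.
    //
    if (String::equalNoCase(_httpAuthType, "Basic"))
    {
        handler.reset(new BasicAuthenticationHandler());
    }
#ifdef PEGASUS_KERBEROS_AUTHENTICATION
    else if (String::equalNoCase(_httpAuthType, "Kerberos"))
    {
        // Keep a typed pointer for initialize(), but let the single AutoPtr
        // own the object: a second owner would double-delete it if
        // initialize() threw.
        KerberosAuthenticationHandler* kerberosHandler =
            new KerberosAuthenticationHandler();
        handler.reset(kerberosHandler);

        int itFailed = kerberosHandler->initialize();
        if (itFailed)
        {
            // Drop the half-initialized handler before reporting.
            handler.reset(0);
            Logger::put_l(Logger::ERROR_LOG, System::CIMSERVER, Logger::SEVERE,
                "Security.Authentication.AuthenticationManager."
                "AUTHENTICATION_HANDLER_KERBEROS_FAILED_TO_INITIALIZE",
                "CIMOM server authentication handler for Kerberos failed to "
                "initialize properly.");
            MessageLoaderParms parms(
                "Security.Authentication.AuthenticationManager."
                "AUTHENTICATION_HANDLER_KERBEROS_FAILED_TO_INITIALIZE",
                "CIMOM server authentication handler for Kerberos failed to "
                "initialize properly.");
            throw Exception(parms);
        }
    }
#endif
    // FUTURE: uncomment these line when Digest authentication
    // is implemented.
    //
    //else if (String::equalNoCase(_httpAuthType, "Digest"))
    //{
    //    handler = (Authenticator* ) new DigestAuthenticationHandler( );
    //}
    else
    {
        //
        // This should never happen. Gets here only if Security Config
        // property owner has not validated the configured http auth type.
        // NOTE(review): if PEGASUS_ASSERT is compiled out in this build,
        // this path returns a null handler that the authentication methods
        // dereference — confirm the config validation cannot be bypassed.
        //
        PEGASUS_ASSERT(0);
    }

    PEG_METHOD_EXIT();
    return handler.release();
}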
387
388 PEGASUS_NAMESPACE_END
|