1 karl 1.23 //%2006////////////////////////////////////////////////////////////////////////
2 mike 1.2 //
3 karl 1.19 // Copyright (c) 2000, 2001, 2002 BMC Software; Hewlett-Packard Development
4 // Company, L.P.; IBM Corp.; The Open Group; Tivoli Systems.
5 // Copyright (c) 2003 BMC Software; Hewlett-Packard Development Company, L.P.;
6 karl 1.18 // IBM Corp.; EMC Corporation, The Open Group.
7 karl 1.19 // Copyright (c) 2004 BMC Software; Hewlett-Packard Development Company, L.P.;
8 // IBM Corp.; EMC Corporation; VERITAS Software Corporation; The Open Group.
9 karl 1.21 // Copyright (c) 2005 Hewlett-Packard Development Company, L.P.; IBM Corp.;
10 // EMC Corporation; VERITAS Software Corporation; The Open Group.
11 karl 1.23 // Copyright (c) 2006 Hewlett-Packard Development Company, L.P.; IBM Corp.;
12 // EMC Corporation; Symantec Corporation; The Open Group.
13 mike 1.2 //
14 kumpf 1.9 // Permission is hereby granted, free of charge, to any person obtaining a copy
15 // of this software and associated documentation files (the "Software"), to
16 // deal in the Software without restriction, including without limitation the
17 // rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
18 // sell copies of the Software, and to permit persons to whom the Software is
19 // furnished to do so, subject to the following conditions:
20 //
21 // THE ABOVE COPYRIGHT NOTICE AND THIS PERMISSION NOTICE SHALL BE INCLUDED IN
22 // ALL COPIES OR SUBSTANTIAL PORTIONS OF THE SOFTWARE. THE SOFTWARE IS PROVIDED
23 // "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
24 // LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
25 // PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
26 // HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
27 // ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
28 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
29 mike 1.2 //
30 //==============================================================================
31 //
32 //%/////////////////////////////////////////////////////////////////////////////
33
34 #include <Pegasus/Common/System.h>
35 #include <Pegasus/Common/XmlWriter.h>
36 kumpf 1.3 #include <Pegasus/Common/Tracer.h>
37 kumpf 1.7 #include <Pegasus/Common/PegasusVersion.h>
38 thilo.boehm 1.32 #include <Pegasus/Common/HTTPMessage.h>
39 kumpf 1.7
40 mike 1.2 #include <Pegasus/Config/ConfigManager.h>
41 kumpf 1.6
42 #include "LocalAuthenticationHandler.h"
43 #include "BasicAuthenticationHandler.h"
44 mike 1.2 #include "AuthenticationManager.h"
45
46 a.arora 1.20 #include <Pegasus/Common/AutoPtr.h>
47
48 gerarda 1.12 #ifdef PEGASUS_KERBEROS_AUTHENTICATION
49 gerarda 1.16 #include "KerberosAuthenticationHandler.h"
50 gerarda 1.12 #endif
51
52
53 mike 1.2 PEGASUS_USING_STD;
54
55 PEGASUS_NAMESPACE_BEGIN
56
57 //
58 // Constructor
59 //
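AuthenticationManager::AuthenticationManager()
{
    PEG_METHOD_ENTER(
        TRC_AUTHENTICATION, "AuthenticationManager::AuthenticationManager()");

    //
    // Create the two handlers this manager owns: the Pegasus-specific local
    // handler and the HTTP handler selected by the httpAuthType property.
    // Both are deleted in the destructor.
    //
    _localAuthHandler = _getLocalAuthHandler();

    // _getHttpAuthHandler() can throw (for example when the Kerberos handler
    // fails to initialize). A constructor that exits by exception never has
    // its destructor run, so the local handler created above would leak
    // unless it is released here before the exception propagates.
    try
    {
        _httpAuthHandler = _getHttpAuthHandler();
    }
    catch (...)
    {
        delete _localAuthHandler;
        _localAuthHandler = 0;
        throw;
    }

    PEG_METHOD_EXIT();
}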
74
75 //
76 // Destructor
77 //
AuthenticationManager::~AuthenticationManager()
{
    PEG_METHOD_ENTER(
        TRC_AUTHENTICATION, "AuthenticationManager::~AuthenticationManager()");

    //
    // Both handlers were allocated for this object by _getLocalAuthHandler()
    // and _getHttpAuthHandler(); nobody else owns them, so free them here.
    //
    delete _localAuthHandler;
    delete _httpAuthHandler;

    PEG_METHOD_EXIT();
}
91
Boolean AuthenticationManager::isRemotePrivilegedUserAccessAllowed(
    String & userName)
{
    //
    // A privileged user is only allowed in remotely when the
    // enableRemotePrivilegedUserAccess config property is true. Every other
    // combination is accepted.
    //
    const Boolean remotePrivilegedAccessEnabled =
        ConfigManager::parseBooleanValue(
            ConfigManager::getInstance()->getCurrentValue(
                "enableRemotePrivilegedUserAccess"));

    if (remotePrivilegedAccessEnabled)
    {
        return true;
    }

    // The property only restricts privileged accounts.
    if (!System::isPrivilegedUser(userName))
    {
        return true;
    }

    // Privileged user while the property is off: record the refusal in the
    // standard log (this is the audit trail for the decision) and deny.
    Logger::put_l(
        Logger::STANDARD_LOG, System::CIMSERVER, Logger::INFORMATION,
        "Security.Authentication.BasicAuthenticationHandler."
        "PRIVILEGED_ACCESS_DISABLED",
        "Authentication failed for user '$0' because "
        "enableRemotePrivilegedUserAccess is not set to 'true'.",
        userName);
    return false;
}
114
115 mike 1.2 //
116 // Perform http authentication
117 //
Boolean AuthenticationManager::performHttpAuthentication(
    const String& authHeader,
    AuthenticationInfo* authInfo)
{
    PEG_METHOD_ENTER(TRC_AUTHENTICATION,
        "AuthenticationManager::performHttpAuthentication()");

    String authType;
    String cookie;

    //
    // Split the HTTP authentication header into the scheme (authType) and
    // the credential part (cookie). A header that does not parse is
    // rejected before any handler sees it.
    //
    if (!HTTPMessage::parseHttpAuthHeader(authHeader, authType, cookie))
    {
        PEG_TRACE((
            TRC_DISCARDED_DATA,
            Tracer::LEVEL1,
            "HTTPAuthentication failed. "
            "Malformed HTTP authentication header: %s",
            (const char*)authHeader.getCString()));
        PEG_METHOD_EXIT();
        return false;
    }

    //
    // The scheme the client presented must match the handler configured
    // through httpAuthType (_httpAuthType); any other scheme is simply not
    // authenticated, so a client cannot pick a scheme the server is not
    // configured for.
    //
    Boolean schemeMatchesHandler =
        String::equalNoCase(authType, "Basic") &&
        String::equalNoCase(_httpAuthType, "Basic");
#ifdef PEGASUS_KERBEROS_AUTHENTICATION
    schemeMatchesHandler = schemeMatchesHandler ||
        (String::equalNoCase(authType, "Negotiate") &&
         String::equalNoCase(_httpAuthType, "Kerberos"));
#endif
    // FUTURE: Add code to check for "Digest" when digest
    // authentication is implemented.

    Boolean authenticated = false;
    if (schemeMatchesHandler)
    {
        authenticated = _httpAuthHandler->authenticate(cookie, authInfo);
    }

    if (authenticated)
    {
        // Remember which scheme succeeded on the connection's auth info.
        authInfo->setAuthType(authType);
    }

    PEG_METHOD_EXIT();
    return authenticated;
}
172
173 //
174 // Perform pegasus specific local authentication
175 //
Boolean AuthenticationManager::performPegasusAuthentication(
    const String& authHeader,
    AuthenticationInfo* authInfo)
{
    PEG_METHOD_ENTER(TRC_AUTHENTICATION,
        "AuthenticationManager::performPegasusAuthentication()");

    String authType;
    String userName;
    String cookie;

    //
    // Split the Pegasus local authentication header into scheme, user name
    // and credential part. A header that does not parse is rejected before
    // the local handler sees it.
    //
    if (!HTTPMessage::parseLocalAuthHeader(
            authHeader, authType, userName, cookie))
    {
        PEG_TRACE((
            TRC_DISCARDED_DATA,
            Tracer::LEVEL1,
            "PegasusAuthentication failed. "
            "Malformed Pegasus authentication header: %s",
            (const char*)authHeader.getCString()));
        PEG_METHOD_EXIT();
        return false;
    }

    // The HTTPAuthenticatorDelegator ensures only local authentication
    // requests get here, so the parsed scheme is expected to be "Local".
    // NOTE(review): this assertion is the only check of authType in this
    // function; the routing done by the caller is relied upon for it.
    PEGASUS_ASSERT(authType == "Local");

    // userName is parsed out of the header but not consulted here; only the
    // cookie is handed to the local handler.
    const Boolean authenticated =
        _localAuthHandler->authenticate(cookie, authInfo);

    if (authenticated)
    {
        authInfo->setAuthType(authType);
    }

    PEG_METHOD_EXIT();
    return authenticated;
}
221
222 //
223 sushma.fernandes 1.22 // Validate user.
224 //
Boolean AuthenticationManager::validateUserForHttpAuth (const String& userName)
{
    // Purely a pass-through to the configured HTTP handler (_httpAuthHandler).
    const Boolean userIsValid = _httpAuthHandler->validateUser(userName);
    return userIsValid;
}
229
230 //
231 mike 1.2 // Get pegasus/local authentication response header
232 //
String AuthenticationManager::getPegasusAuthResponseHeader(
    const String& authHeader,
    AuthenticationInfo* authInfo)
{
    PEG_METHOD_ENTER(TRC_AUTHENTICATION,
        "AuthenticationManager::getPegasusAuthResponseHeader()");

    String authType;
    String userName;
    String cookie;

    //
    // No response header (an empty String) is produced when the Pegasus
    // authentication header does not parse, or when it carries no user name.
    //
    if (!HTTPMessage::parseLocalAuthHeader(
            authHeader, authType, userName, cookie) ||
        String::equal(userName, String::EMPTY))
    {
        PEG_METHOD_EXIT();
        return String();
    }

    String respHeader =
        _localAuthHandler->getAuthResponseHeader(authType, userName, authInfo);

    PEG_METHOD_EXIT();
    return respHeader;
}
273
274 //
275 // Get HTTP authentication response header
276 //
#ifdef PEGASUS_KERBEROS_AUTHENTICATION
String AuthenticationManager::getHttpAuthResponseHeader(
    AuthenticationInfo* authInfo)
#else
String AuthenticationManager::getHttpAuthResponseHeader()
#endif
{
    PEG_METHOD_ENTER(TRC_AUTHENTICATION,
        "AuthenticationManager::getHttpAuthResponseHeader()");

    //
    // The response header comes from whichever handler httpAuthType selected.
    // The Kerberos build passes the connection's AuthenticationInfo through
    // (with empty auth type and user name); the other build takes no
    // arguments at all.
    //
    String respHeader;
#ifdef PEGASUS_KERBEROS_AUTHENTICATION
    respHeader = _httpAuthHandler->getAuthResponseHeader(
        String::EMPTY, String::EMPTY, authInfo);
#else
    respHeader = _httpAuthHandler->getAuthResponseHeader();
#endif

    PEG_METHOD_EXIT();
    return respHeader;
}
298
299 //
300 // Get local authentication handler
301 //
Authenticator* AuthenticationManager::_getLocalAuthHandler()
{
    PEG_METHOD_ENTER(
        TRC_AUTHENTICATION, "AuthenticationManager::_getLocalAuthHandler()");
    PEG_METHOD_EXIT();

    //
    // Ownership of the new handler passes to the caller: the constructor
    // stores it in _localAuthHandler and the destructor deletes it.
    //
    return new LocalAuthenticationHandler();
}
313
314
315 //
316 // Get Http authentication handler
317 //
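Authenticator* AuthenticationManager::_getHttpAuthHandler()
{
    PEG_METHOD_ENTER(
        TRC_AUTHENTICATION, "AuthenticationManager::_getHttpAuthHandler()");

    //
    // Read the configured HTTP authentication type. This function does not
    // own the ConfigManager instance returned by getInstance(), so it is
    // held by plain pointer: wrapping it in an owning AutoPtr (as before)
    // would have deleted the shared instance if getCurrentValue() threw
    // before the release() call.
    //
    ConfigManager* configManager = ConfigManager::getInstance();
    _httpAuthType = configManager->getCurrentValue("httpAuthType");

    //
    // Create the handler matching _httpAuthType. 'handler' owns it until the
    // final release(), so an exception anywhere below frees it.
    //
    AutoPtr<Authenticator> handler;

    if (String::equalNoCase(_httpAuthType, "Basic"))
    {
        handler.reset(new BasicAuthenticationHandler());
    }
#ifdef PEGASUS_KERBEROS_AUTHENTICATION
    else if (String::equalNoCase(_httpAuthType, "Kerberos"))
    {
        // Keep the Kerberos handler under exactly one owner while it is
        // initialized, and hand it to 'handler' only after initialize()
        // succeeded. (Previously two AutoPtrs wrapped the same object; an
        // exception out of initialize() would then have double-deleted it.)
        AutoPtr<KerberosAuthenticationHandler> kerberosHandler(
            new KerberosAuthenticationHandler());

        int itFailed = kerberosHandler->initialize();

        if (itFailed)
        {
            // kerberosHandler's destructor frees the half-initialized
            // object when the exception below leaves this scope.
            Logger::put_l(Logger::ERROR_LOG, System::CIMSERVER, Logger::SEVERE,
                "Security.Authentication.AuthenticationManager."
                "AUTHENTICATION_HANDLER_KERBEROS_FAILED_TO_INITIALIZE",
                "CIMOM server authentication handler for Kerberos failed to "
                "initialize properly.");
            MessageLoaderParms parms(
                "Security.Authentication.AuthenticationManager."
                "AUTHENTICATION_HANDLER_KERBEROS_FAILED_TO_INITIALIZE",
                "CIMOM server authentication handler for Kerberos failed to "
                "initialize properly.");
            throw Exception(parms);
        }

        handler.reset(kerberosHandler.release());
    }
#endif
    // FUTURE: uncomment these line when Digest authentication
    // is implemented.
    //
    //else if (String::equalNoCase(_httpAuthType, "Digest"))
    //{
    //    handler = (Authenticator* ) new DigestAuthenticationHandler( );
    //}
    else
    {
        //
        // This should never happen. Gets here only if Security Config
        // property owner has not validated the configured http auth type.
        // NOTE(review): if PEGASUS_ASSERT is compiled out in this build,
        // this branch falls through and a null handler is returned, which
        // the callers (performHttpAuthentication, validateUserForHttpAuth,
        // getHttpAuthResponseHeader) dereference without checking.
        //
        PEGASUS_ASSERT(0);
    }

    PEG_METHOD_EXIT();
    return handler.release();
}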
385
386 PEGASUS_NAMESPACE_END