1 martin 1.37 //%LICENSE////////////////////////////////////////////////////////////////
2 martin 1.38 //
3 martin 1.37 // Licensed to The Open Group (TOG) under one or more contributor license
4 // agreements. Refer to the OpenPegasusNOTICE.txt file distributed with
5 // this work for additional information regarding copyright ownership.
6 // Each contributor licenses this file to you under the OpenPegasus Open
7 // Source License; you may not use this file except in compliance with the
8 // License.
9 martin 1.38 //
10 martin 1.37 // Permission is hereby granted, free of charge, to any person obtaining a
11 // copy of this software and associated documentation files (the "Software"),
12 // to deal in the Software without restriction, including without limitation
13 // the rights to use, copy, modify, merge, publish, distribute, sublicense,
14 // and/or sell copies of the Software, and to permit persons to whom the
15 // Software is furnished to do so, subject to the following conditions:
16 martin 1.38 //
17 martin 1.37 // The above copyright notice and this permission notice shall be included
18 // in all copies or substantial portions of the Software.
19 martin 1.38 //
20 martin 1.37 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
21 martin 1.38 // OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
22 martin 1.37 // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
23 // IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
24 // CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
25 // TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
26 // SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
27 martin 1.38 //
28 martin 1.37 //////////////////////////////////////////////////////////////////////////
29 mike 1.2 //
30 //%/////////////////////////////////////////////////////////////////////////////
31
32 #include <Pegasus/Common/System.h>
33 #include <Pegasus/Common/XmlWriter.h>
34 kumpf 1.3 #include <Pegasus/Common/Tracer.h>
35 kumpf 1.7 #include <Pegasus/Common/PegasusVersion.h>
36 thilo.boehm 1.32 #include <Pegasus/Common/HTTPMessage.h>
37 kumpf 1.7
38 mike 1.2 #include <Pegasus/Config/ConfigManager.h>
39 kumpf 1.6
40 #include "LocalAuthenticationHandler.h"
41 #include "BasicAuthenticationHandler.h"
42 mike 1.2 #include "AuthenticationManager.h"
43
44 a.arora 1.20 #include <Pegasus/Common/AutoPtr.h>
45
46 gerarda 1.12 #ifdef PEGASUS_KERBEROS_AUTHENTICATION
47 gerarda 1.16 #include "KerberosAuthenticationHandler.h"
48 gerarda 1.12 #endif
49
50
51 mike 1.2 PEGASUS_USING_STD;
52
53 PEGASUS_NAMESPACE_BEGIN
54
55 //
56 // Constructor
57 //
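AuthenticationManager::AuthenticationManager()
{
    PEG_METHOD_ENTER(
        TRC_AUTHENTICATION, "AuthenticationManager::AuthenticationManager()");

    //
    // Build the two authentication handlers.  _getHttpAuthHandler() can
    // throw (it does so when the configured Kerberos handler fails to
    // initialize).  A constructor that throws never runs the destructor,
    // so the already created local handler must be released here or it
    // leaks.
    //
    _localAuthHandler = _getLocalAuthHandler();

    try
    {
        _httpAuthHandler = _getHttpAuthHandler();
    }
    catch (...)
    {
        delete _localAuthHandler;
        _localAuthHandler = 0;
        throw;
    }

    PEG_METHOD_EXIT();
}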
72
73 //
74 // Destructor
75 //
AuthenticationManager::~AuthenticationManager()
{
    PEG_METHOD_ENTER(
        TRC_AUTHENTICATION, "AuthenticationManager::~AuthenticationManager()");

    // Both handlers were allocated in the constructor (via
    // _getLocalAuthHandler() / _getHttpAuthHandler()) and are owned by
    // this object, so they are released here.
    delete _localAuthHandler;
    delete _httpAuthHandler;

    PEG_METHOD_EXIT();
}
89
Boolean AuthenticationManager::isRemotePrivilegedUserAccessAllowed(
    String & userName)
{
    // Remote access by a privileged user is governed by the
    // enableRemotePrivilegedUserAccess configuration property: when it is
    // enabled every user passes this check, otherwise a privileged user is
    // logged and rejected.  The privilege lookup is only made when needed.
    const Boolean remotePrivilegedAccessEnabled =
        ConfigManager::parseBooleanValue(
            ConfigManager::getInstance()->getCurrentValue(
                "enableRemotePrivilegedUserAccess"));

    if (remotePrivilegedAccessEnabled)
    {
        return true;
    }

    if (!System::isPrivilegedUser(userName))
    {
        return true;
    }

    Logger::put_l(
        Logger::STANDARD_LOG, System::CIMSERVER, Logger::INFORMATION,
        MessageLoaderParms(
            "Security.Authentication.BasicAuthenticationHandler."
            "PRIVILEGED_ACCESS_DISABLED",
            "Authentication failed for user '$0' because "
            "enableRemotePrivilegedUserAccess is not set to 'true'.",
            userName));
    return false;
}
113
114 mike 1.2 //
115 // Perform http authentication
116 //
Boolean AuthenticationManager::performHttpAuthentication(
    const String& authHeader,
    AuthenticationInfo* authInfo)
{
    PEG_METHOD_ENTER(TRC_AUTHENTICATION,
        "AuthenticationManager::performHttpAuthentication()");

    String authType;
    String cookie;

    //
    // Split the HTTP authentication header into its scheme ("Basic",
    // "Negotiate", ...) and its credential part.  A header that does not
    // parse is rejected before any handler sees it.
    //
    if (!HTTPMessage::parseHttpAuthHeader(authHeader, authType, cookie))
    {
        PEG_TRACE((
            TRC_DISCARDED_DATA,
            Tracer::LEVEL1,
            "HTTPAuthentication failed. "
            "Malformed HTTP authentication header: %s",
            (const char*)authHeader.getCString()));
        PEG_METHOD_EXIT();
        return false;
    }

    //
    // The scheme offered by the client must match the scheme the server is
    // configured for (_httpAuthType).  The scheme name is compared
    // case-insensitively, the configured value exactly.
    //
    Boolean schemeAccepted =
        String::equalNoCase(authType, "Basic") &&
        String::equal(_httpAuthType, "Basic");
#ifdef PEGASUS_KERBEROS_AUTHENTICATION
    if (!schemeAccepted)
    {
        schemeAccepted =
            String::equalNoCase(authType, "Negotiate") &&
            String::equal(_httpAuthType, "Kerberos");
    }
#endif
    // FUTURE: Add code to check for "Digest" when digest
    // authentication is implemented.

    Boolean authenticated = false;
    if (schemeAccepted)
    {
        authenticated = _httpAuthHandler->authenticate(cookie, authInfo);
    }

    // Record the scheme on the connection only once it actually succeeded.
    if (authenticated)
    {
        authInfo->setAuthType(authType);
    }

    PEG_METHOD_EXIT();
    return authenticated;
}
171
172 //
173 // Perform pegasus sepcific local authentication
174 //
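Boolean AuthenticationManager::performPegasusAuthentication(
    const String& authHeader,
    AuthenticationInfo* authInfo)
{
    PEG_METHOD_ENTER(TRC_AUTHENTICATION,
        "AuthenticationManager::performPegasusAuthentication()");

    String authType;
    String userName;
    String cookie;

    //
    // Parse the pegasus authentication header authentication information
    //
    if (!HTTPMessage::parseLocalAuthHeader(authHeader,
            authType, userName, cookie))
    {
        PEG_TRACE((
            TRC_DISCARDED_DATA,
            Tracer::LEVEL1,
            "PegasusAuthentication failed. "
            "Malformed Pegasus authentication header: %s",
            (const char*)authHeader.getCString()));
        PEG_METHOD_EXIT();
        return false;
    }

    //
    // The HTTPAuthenticatorDelegator ensures only local authentication
    // requests get here.  The assertion documents that invariant for
    // builds that check it; should PEGASUS_ASSERT be compiled out, the
    // request is rejected here instead of being handed to the local
    // handler regardless of its type (fail closed).
    //
    PEGASUS_ASSERT(authType == "Local");
    if (!(authType == "Local"))
    {
        PEG_TRACE((
            TRC_DISCARDED_DATA,
            Tracer::LEVEL1,
            "PegasusAuthentication failed. "
            "Unexpected authentication type: %s",
            (const char*)authType.getCString()));
        PEG_METHOD_EXIT();
        return false;
    }

    Boolean authenticated =
        _localAuthHandler->authenticate(cookie, authInfo);

    // Record the scheme on the connection only once it actually succeeded.
    if (authenticated)
    {
        authInfo->setAuthType(authType);
    }

    PEG_METHOD_EXIT();
    return authenticated;
}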
220
221 //
222 sushma.fernandes 1.22 // Validate user.
223 //
Boolean AuthenticationManager::validateUserForHttpAuth (const String& userName)
{
    // Delegates the decision to the HTTP authentication handler that was
    // selected from the httpAuthType configuration property.
    Authenticator* const handler = _httpAuthHandler;
    return handler->validateUser(userName);
}
228
229 //
230 mike 1.2 // Get pegasus/local authentication response header
231 //
String AuthenticationManager::getPegasusAuthResponseHeader(
    const String& authHeader,
    AuthenticationInfo* authInfo)
{
    PEG_METHOD_ENTER(TRC_AUTHENTICATION,
        "AuthenticationManager::getPegasusAuthResponseHeader()");

    String authType;
    String userName;
    String cookie;

    //
    // Parse the pegasus authentication header.  An empty string is
    // returned both when the header does not parse and when it carries
    // no user name.
    //
    const Boolean parsed = HTTPMessage::parseLocalAuthHeader(
        authHeader, authType, userName, cookie);

    if (!parsed || String::equal(userName, String::EMPTY))
    {
        PEG_METHOD_EXIT();
        return String();
    }

    String respHeader = _localAuthHandler->getAuthResponseHeader(
        authType, userName, authInfo);

    PEG_METHOD_EXIT();
    return respHeader;
}
272
273 //
274 // Get HTTP authentication response header
275 //
#ifdef PEGASUS_KERBEROS_AUTHENTICATION
String AuthenticationManager::getHttpAuthResponseHeader(
    AuthenticationInfo* authInfo)
#else
String AuthenticationManager::getHttpAuthResponseHeader()
#endif
{
    PEG_METHOD_ENTER(TRC_AUTHENTICATION,
        "AuthenticationManager::getHttpAuthResponseHeader()");

    String respHeader;

    //
    // Ask the configured HTTP handler for its challenge header.  The
    // Kerberos build passes the connection's authInfo along with empty
    // type and user name; the other build uses the argument-less overload.
    //
#ifdef PEGASUS_KERBEROS_AUTHENTICATION
    respHeader = _httpAuthHandler->getAuthResponseHeader(
        String::EMPTY, String::EMPTY, authInfo);
#else
    respHeader = _httpAuthHandler->getAuthResponseHeader();
#endif

    PEG_METHOD_EXIT();
    return respHeader;
}
297
298 //
299 // Get local authentication handler
300 //
Authenticator* AuthenticationManager::_getLocalAuthHandler()
{
    PEG_METHOD_ENTER(
        TRC_AUTHENTICATION, "AuthenticationManager::_getLocalAuthHandler()");

    PEG_METHOD_EXIT();

    // The local (Pegasus-specific) handler has no configuration choices;
    // the caller takes ownership of the returned object.
    Authenticator* const handler = new LocalAuthenticationHandler();
    return handler;
}
312
313
314 //
315 // Get Http authentication handler
316 //
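Authenticator* AuthenticationManager::_getHttpAuthHandler()
{
    PEG_METHOD_ENTER(
        TRC_AUTHENTICATION, "AuthenticationManager::_getHttpAuthHandler()");

    //
    // Read the configured HTTP authentication type.  ConfigManager is a
    // process-wide singleton that this method does not own, so it is used
    // through a plain pointer: the previous AutoPtr<ConfigManager> wrapper
    // (released afterwards) would have deleted the singleton had
    // getCurrentValue() thrown.
    //
    _httpAuthType =
        ConfigManager::getInstance()->getCurrentValue("httpAuthType");

    //
    // Create the handler matching the configured type.  The AutoPtr keeps
    // ownership until the handler is complete and handed to the caller.
    //
    AutoPtr<Authenticator> handler;

    if (String::equal(_httpAuthType, "Basic"))
    {
        handler.reset(new BasicAuthenticationHandler());
    }
#ifdef PEGASUS_KERBEROS_AUTHENTICATION
    else if (String::equal(_httpAuthType, "Kerberos"))
    {
        // Keep the concrete type under a single owner while initializing;
        // the previous code briefly held the same object in two AutoPtrs,
        // which would double-delete if initialize() threw.
        AutoPtr<KerberosAuthenticationHandler> kerberosHandler(
            new KerberosAuthenticationHandler());

        if (kerberosHandler->initialize())
        {
            // kerberosHandler is destroyed as the exception propagates.
            MessageLoaderParms parms(
                "Security.Authentication.AuthenticationManager."
                "AUTHENTICATION_HANDLER_KERBEROS_FAILED_TO_INITIALIZE",
                "CIMOM server authentication handler for Kerberos failed to "
                "initialize properly.");
            Logger::put_l(Logger::ERROR_LOG, System::CIMSERVER, Logger::SEVERE,
                parms);
            throw Exception(parms);
        }

        handler.reset(kerberosHandler.release());
    }
#endif
    // FUTURE: uncomment these line when Digest authentication
    // is implemented.
    //
    //else if (String::equal(_httpAuthType, "Digest"))
    //{
    //    handler = (Authenticator* ) new DigestAuthenticationHandler( );
    //}
    else
    {
        //
        // This should never happen. Gets here only if Security Config
        // property owner has not validated the configured http auth type.
        //
        PEGASUS_ASSERT(0);
    }

    PEG_METHOD_EXIT();
    return handler.release();
}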
381
382 PEGASUS_NAMESPACE_END