version 1.2, 2001/12/13 14:54:31
|
version 1.29, 2013/06/05 14:09:26
|
|
|
//%///////////////////////////////////////////////////////////////////////////// |
//%LICENSE//////////////////////////////////////////////////////////////// |
// | // |
// Copyright (c) 2000, 2001 BMC Software, Hewlett-Packard Company, IBM, |
// Licensed to The Open Group (TOG) under one or more contributor license |
// The Open Group, Tivoli Systems |
// agreements. Refer to the OpenPegasusNOTICE.txt file distributed with |
|
// this work for additional information regarding copyright ownership. |
|
// Each contributor licenses this file to you under the OpenPegasus Open |
|
// Source License; you may not use this file except in compliance with the |
|
// License. |
// | // |
// Permission is hereby granted, free of charge, to any person obtaining a | // Permission is hereby granted, free of charge, to any person obtaining a |
// copy of this software and associated documentation files (the "Software"), | // copy of this software and associated documentation files (the "Software"), |
|
|
// and/or sell copies of the Software, and to permit persons to whom the | // and/or sell copies of the Software, and to permit persons to whom the |
// Software is furnished to do so, subject to the following conditions: | // Software is furnished to do so, subject to the following conditions: |
// | // |
// The above copyright notice and this permission notice shall be included in |
// The above copyright notice and this permission notice shall be included |
// all copies of substantial portions of this software. |
// in all copies or substantial portions of the Software. |
// |
|
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR |
|
// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, |
|
// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL |
|
// THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER |
|
// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING |
|
// FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER |
|
// DEALINGS IN THE SOFTWARE. |
|
// | // |
//============================================================================== |
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS |
|
// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF |
|
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. |
|
// IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY |
|
// CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, |
|
// TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE |
|
// SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. |
// | // |
// Author: Nag Boranna, Hewlett-Packard Company(nagaraja_boranna@hp.com) |
////////////////////////////////////////////////////////////////////////// |
// |
|
// Modified By: |
|
// | // |
//%///////////////////////////////////////////////////////////////////////////// | //%///////////////////////////////////////////////////////////////////////////// |
| |
|
#include <Pegasus/Common/AuditLogger.h> |
#include <Pegasus/Common/Logger.h> | #include <Pegasus/Common/Logger.h> |
#include <Pegasus/Security/Authentication/SecureLocalAuthenticator.h> |
#include <Pegasus/Common/Tracer.h> |
|
|
|
#include "SecureLocalAuthenticator.h" |
#include "LocalAuthenticationHandler.h" | #include "LocalAuthenticationHandler.h" |
| |
|
#ifdef PEGASUS_ZOS_SECURITY |
|
// This include file will not be provided in the OpenGroup CVS for now. |
|
// Do NOT try to include it in your compile |
|
# include <Pegasus/Common/safCheckzOS_inline.h> |
|
#endif |
|
|
PEGASUS_USING_STD; | PEGASUS_USING_STD; |
| |
PEGASUS_NAMESPACE_BEGIN | PEGASUS_NAMESPACE_BEGIN |
|
|
| |
LocalAuthenticationHandler::LocalAuthenticationHandler() | LocalAuthenticationHandler::LocalAuthenticationHandler() |
{ | { |
// ATTN: Load the local authentication module here |
PEG_METHOD_ENTER(TRC_AUTHENTICATION, |
|
"LocalAuthenticationHandler::LocalAuthenticationHandler()"); |
|
|
|
_localAuthenticator.reset( |
|
(LocalAuthenticator*) new SecureLocalAuthenticator()); |
| |
_localAuthenticator = (LocalAuthenticator*) new SecureLocalAuthenticator(); |
PEG_METHOD_EXIT(); |
} | } |
| |
LocalAuthenticationHandler::~LocalAuthenticationHandler() | LocalAuthenticationHandler::~LocalAuthenticationHandler() |
{ | { |
delete _localAuthenticator; |
PEG_METHOD_ENTER(TRC_AUTHENTICATION, |
|
"LocalAuthenticationHandler::~LocalAuthenticationHandler()"); |
|
|
|
PEG_METHOD_EXIT(); |
} | } |
| |
Boolean LocalAuthenticationHandler::authenticate( |
AuthenticationStatus LocalAuthenticationHandler::authenticate( |
String authHeader, |
const String& authHeader, |
AuthenticationInfo* authInfo) | AuthenticationInfo* authInfo) |
{ | { |
Boolean authenticated = false; |
PEG_METHOD_ENTER(TRC_AUTHENTICATION, |
|
"LocalAuthenticationHandler::authenticate()"); |
| |
// Look for ':' seperator | // Look for ':' seperator |
Uint32 colon1 = authHeader.find(':'); | Uint32 colon1 = authHeader.find(':'); |
| |
if ( colon1 == PEG_NOT_FOUND ) | if ( colon1 == PEG_NOT_FOUND ) |
{ | { |
return ( authenticated ); |
PEG_METHOD_EXIT(); |
|
return AuthenticationStatus(AUTHSC_UNAUTHORIZED); |
} | } |
| |
String userName = authHeader.subString(0, colon1); | String userName = authHeader.subString(0, colon1); |
|
|
// Look for another ':' seperator | // Look for another ':' seperator |
Uint32 colon2 = authHeader.find(colon1 + 1, ':'); | Uint32 colon2 = authHeader.find(colon1 + 1, ':'); |
| |
if ( colon1 == PEG_NOT_FOUND ) |
String filePath; |
|
|
|
String secretReceived; |
|
|
|
if (colon2 == PEG_NOT_FOUND) |
|
{ |
|
filePath = String::EMPTY; |
|
|
|
secretReceived = authHeader.subString(colon1 + 1); |
|
} |
|
else |
|
{ |
|
filePath = authHeader.subString(colon1 + 1, (colon2 - colon1 - 1)); |
|
|
|
secretReceived = authHeader.subString(colon2 + 1); |
|
} |
|
|
|
// |
|
// Check for the expected file path in the authentication header |
|
// |
|
if (filePath != authInfo->getLocalAuthFilePath()) |
|
{ |
|
PEG_METHOD_EXIT(); |
|
return AuthenticationStatus(AUTHSC_UNAUTHORIZED); |
|
} |
|
|
|
// |
|
// Check if the authentication information is present |
|
// |
|
if (secretReceived.size() == 0 || userName.size() == 0) |
|
{ |
|
PEG_METHOD_EXIT(); |
|
return AuthenticationStatus(AUTHSC_UNAUTHORIZED); |
|
} |
|
|
|
String authenticatedUsername = authInfo->getAuthenticatedUser(); |
|
|
|
// |
|
// If this connection has been previously authenticated then ensure |
|
// the username passed with the current request matches the |
|
// username previously authenticated. |
|
// |
|
if (authenticatedUsername.size() != 0 && |
|
userName != authenticatedUsername) |
{ | { |
return ( authenticated ); |
PEG_METHOD_EXIT(); |
|
return AuthenticationStatus(AUTHSC_UNAUTHORIZED); |
} | } |
| |
String filePath = authHeader.subString( colon1 + 1, (colon2 - colon1 - 1) ); |
// |
|
// Check if the user is a valid system user |
|
// |
|
if (!System::isSystemUser(userName.getCString())) |
|
{ |
|
PEG_METHOD_EXIT(); |
|
return AuthenticationStatus(AUTHSC_UNAUTHORIZED); |
|
} |
|
|
|
// Check if the user is authorized to CIMSERV |
|
#ifdef PEGASUS_ZOS_SECURITY |
|
if (!CheckProfileCIMSERVclassWBEM(userName, __READ_RESOURCE)) |
|
{ |
|
Logger::put_l(Logger::STANDARD_LOG, ZOS_SECURITY_NAME, Logger::WARNING, |
|
MessageLoaderParms( |
|
"Security.Authentication.LocalAuthenticationHandler." |
|
"NOREAD_CIMSERV_ACCESS.PEGASUS_OS_ZOS", |
|
"Request UserID $0 doesn't have READ permission " |
|
"to profile CIMSERV CL(WBEM).", |
|
userName)); |
|
return AuthenticationStatus(AUTHSC_UNAUTHORIZED); |
|
} |
|
#endif |
| |
String secretReceived = authHeader.subString( colon2 + 1 ); |
// It is not necessary to check remote privileged user access for local |
|
// connections; set the flag to "check done" |
|
authInfo->setRemotePrivilegedUserAccessChecked(); |
| |
authenticated = _localAuthenticator->authenticate(filePath, |
// Authenticate |
secretReceived, authInfo->getAuthChallenge()); |
AuthenticationStatus authStatus = _localAuthenticator->authenticate( |
|
filePath, secretReceived, authInfo->getLocalAuthSecret()); |
| |
if (authenticated) |
if (authStatus.isSuccess()) |
{ | { |
authInfo->setAuthenticatedUser(userName); | authInfo->setAuthenticatedUser(userName); |
|
// For Privilege Separation, remember the secret on subsequent requests |
|
authInfo->setLocalAuthSecret(secretReceived); |
|
} |
|
else |
|
{ |
|
// log a failed authentication |
|
Logger::put_l( |
|
Logger::STANDARD_LOG, System::CIMSERVER, Logger::INFORMATION, |
|
MessageLoaderParms( |
|
"Security.Authentication.LocalAuthenticationHandler." |
|
"LOCAL_AUTHENTICATION_FAILURE", |
|
"Local Authentication failed for user $0 from client " |
|
"IP address $1.",userName,authInfo->getIpAddress())); |
} | } |
| |
return ( authenticated ); |
PEG_AUDIT_LOG(logLocalAuthentication(userName, authStatus.isSuccess())); |
|
|
|
PEG_METHOD_EXIT(); |
|
|
|
return authStatus; |
|
} |
|
|
|
AuthenticationStatus LocalAuthenticationHandler::validateUser( |
|
const String& userName, |
|
AuthenticationInfo* authInfo) |
|
{ |
|
return _localAuthenticator->validateUser(userName,authInfo); |
} | } |
| |
String LocalAuthenticationHandler::getAuthResponseHeader( | String LocalAuthenticationHandler::getAuthResponseHeader( |
String userName, |
const String& authType, |
|
const String& userName, |
AuthenticationInfo* authInfo) | AuthenticationInfo* authInfo) |
{ | { |
String challenge; |
PEG_METHOD_ENTER(TRC_AUTHENTICATION, |
|
"LocalAuthenticationHandler::getAuthResponseHeader()"); |
|
|
|
String secret; |
|
String filePath; |
|
String authResp; |
|
|
|
// |
|
// Check if the user is a valid system user |
|
// |
|
if (!System::isSystemUser(userName.getCString())) |
|
{ |
|
PEG_METHOD_EXIT(); |
|
return authResp; |
|
} |
|
|
|
authResp = _localAuthenticator->getAuthResponseHeader( |
|
authType, userName, filePath, secret); |
| |
String authResp = _localAuthenticator->getAuthResponseHeader(userName, challenge); |
authInfo->setLocalAuthFilePath(filePath); |
|
authInfo->setLocalAuthSecret(secret); |
| |
authInfo->setAuthChallenge(challenge); |
PEG_METHOD_EXIT(); |
| |
return(authResp); |
return authResp; |
} | } |
| |
PEGASUS_NAMESPACE_END | PEGASUS_NAMESPACE_END |