![]() ![]() |
![]() |
File: [Pegasus] / pegasus / src / Pegasus / Security / Authentication / LocalAuthenticationHandler.cpp
(download)
Revision: 1.29, Wed Jun 5 13:09:26 2013 UTC (11 years, 1 month ago) by marek Branch: MAIN CVS Tags: preBug9676, postBug9676, TASK-TASK_PEP362_RestfulService_branch-root, TASK-TASK_PEP362_RestfulService_branch-merged_out_from_trunk, TASK-TASK_PEP362_RestfulService_branch-merged_in_to_trunk, TASK-TASK_PEP362_RestfulService_branch-merged_in_from_branch, TASK-TASK_PEP362_RestfulService_branch-branch, TASK-PEP362_RestfulService-root, TASK-PEP362_RestfulService-merged_out_to_branch, TASK-PEP362_RestfulService-merged_out_from_trunk, TASK-PEP362_RestfulService-merged_in_to_trunk, TASK-PEP362_RestfulService-merged_in_from_branch, TASK-PEP362_RestfulService-branch, TASK-PEP317_pullop-merged_out_from_trunk, TASK-PEP317_pullop-merged_in_to_trunk, RELEASE_2_14_1, RELEASE_2_14_0-RC2, RELEASE_2_14_0-RC1, RELEASE_2_14_0, RELEASE_2_14-root, RELEASE_2_14-branch, RELEASE_2_13_0-RC2, RELEASE_2_13_0-RC1, RELEASE_2_13_0-FC, RELEASE_2_13_0, RELEASE_2_13-root, RELEASE_2_13-branch, HEAD, CIMRS_WORK_20130824 Changes since 1.28: +12 -12 lines BUG#:9639 TITLE: Many PAM errors are not reported correctly DESCRIPTION: |
//%LICENSE//////////////////////////////////////////////////////////////// // // Licensed to The Open Group (TOG) under one or more contributor license // agreements. Refer to the OpenPegasusNOTICE.txt file distributed with // this work for additional information regarding copyright ownership. // Each contributor licenses this file to you under the OpenPegasus Open // Source License; you may not use this file except in compliance with the // License. // // Permission is hereby granted, free of charge, to any person obtaining a // copy of this software and associated documentation files (the "Software"), // to deal in the Software without restriction, including without limitation // the rights to use, copy, modify, merge, publish, distribute, sublicense, // and/or sell copies of the Software, and to permit persons to whom the // Software is furnished to do so, subject to the following conditions: // // The above copyright notice and this permission notice shall be included // in all copies or substantial portions of the Software. // // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS // OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. // IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY // CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, // TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE // SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. // ////////////////////////////////////////////////////////////////////////// // //%///////////////////////////////////////////////////////////////////////////// #include <Pegasus/Common/AuditLogger.h> #include <Pegasus/Common/Logger.h> #include <Pegasus/Common/Tracer.h> #include "SecureLocalAuthenticator.h" #include "LocalAuthenticationHandler.h" #ifdef PEGASUS_ZOS_SECURITY // This include file will not be provided in the OpenGroup CVS for now. // Do NOT try to include it in your compile # include <Pegasus/Common/safCheckzOS_inline.h> #endif PEGASUS_USING_STD; PEGASUS_NAMESPACE_BEGIN LocalAuthenticationHandler::LocalAuthenticationHandler() { PEG_METHOD_ENTER(TRC_AUTHENTICATION, "LocalAuthenticationHandler::LocalAuthenticationHandler()"); _localAuthenticator.reset( (LocalAuthenticator*) new SecureLocalAuthenticator()); PEG_METHOD_EXIT(); } LocalAuthenticationHandler::~LocalAuthenticationHandler() { PEG_METHOD_ENTER(TRC_AUTHENTICATION, "LocalAuthenticationHandler::~LocalAuthenticationHandler()"); PEG_METHOD_EXIT(); } AuthenticationStatus LocalAuthenticationHandler::authenticate( const String& authHeader, AuthenticationInfo* authInfo) { PEG_METHOD_ENTER(TRC_AUTHENTICATION, "LocalAuthenticationHandler::authenticate()"); // Look for ':' seperator Uint32 colon1 = authHeader.find(':'); if (colon1 == PEG_NOT_FOUND) { PEG_METHOD_EXIT(); return AuthenticationStatus(AUTHSC_UNAUTHORIZED); } String userName = authHeader.subString(0, colon1); // Look for another ':' seperator Uint32 colon2 = authHeader.find(colon1 + 1, ':'); String filePath; String secretReceived; if (colon2 == PEG_NOT_FOUND) { filePath = String::EMPTY; secretReceived = authHeader.subString(colon1 + 1); } else { filePath = authHeader.subString(colon1 + 1, (colon2 - colon1 - 1)); secretReceived = authHeader.subString(colon2 + 1); } // // Check for the expected file path in the authentication header // if (filePath != authInfo->getLocalAuthFilePath()) { PEG_METHOD_EXIT(); return AuthenticationStatus(AUTHSC_UNAUTHORIZED); } // // Check if the authentication information is present // if (secretReceived.size() == 0 || userName.size() == 0) { PEG_METHOD_EXIT(); return AuthenticationStatus(AUTHSC_UNAUTHORIZED); } String authenticatedUsername = authInfo->getAuthenticatedUser(); // // If this connection has been previously authenticated then ensure // the username passed with the current request matches the // username previously authenticated. // if (authenticatedUsername.size() != 0 && userName != authenticatedUsername) { PEG_METHOD_EXIT(); return AuthenticationStatus(AUTHSC_UNAUTHORIZED); } // // Check if the user is a valid system user // if (!System::isSystemUser(userName.getCString())) { PEG_METHOD_EXIT(); return AuthenticationStatus(AUTHSC_UNAUTHORIZED); } // Check if the user is authorized to CIMSERV #ifdef PEGASUS_ZOS_SECURITY if (!CheckProfileCIMSERVclassWBEM(userName, __READ_RESOURCE)) { Logger::put_l(Logger::STANDARD_LOG, ZOS_SECURITY_NAME, Logger::WARNING, MessageLoaderParms( "Security.Authentication.LocalAuthenticationHandler." "NOREAD_CIMSERV_ACCESS.PEGASUS_OS_ZOS", "Request UserID $0 doesn't have READ permission " "to profile CIMSERV CL(WBEM).", userName)); return AuthenticationStatus(AUTHSC_UNAUTHORIZED); } #endif // It is not necessary to check remote privileged user access for local // connections; set the flag to "check done" authInfo->setRemotePrivilegedUserAccessChecked(); // Authenticate AuthenticationStatus authStatus = _localAuthenticator->authenticate( filePath, secretReceived, authInfo->getLocalAuthSecret()); if (authStatus.isSuccess()) { authInfo->setAuthenticatedUser(userName); // For Privilege Separation, remember the secret on subsequent requests authInfo->setLocalAuthSecret(secretReceived); } else { // log a failed authentication Logger::put_l( Logger::STANDARD_LOG, System::CIMSERVER, Logger::INFORMATION, MessageLoaderParms( "Security.Authentication.LocalAuthenticationHandler." "LOCAL_AUTHENTICATION_FAILURE", "Local Authentication failed for user $0 from client " "IP address $1.",userName,authInfo->getIpAddress())); } PEG_AUDIT_LOG(logLocalAuthentication(userName, authStatus.isSuccess())); PEG_METHOD_EXIT(); return authStatus; } AuthenticationStatus LocalAuthenticationHandler::validateUser( const String& userName, AuthenticationInfo* authInfo) { return _localAuthenticator->validateUser(userName,authInfo); } String LocalAuthenticationHandler::getAuthResponseHeader( const String& authType, const String& userName, AuthenticationInfo* authInfo) { PEG_METHOD_ENTER(TRC_AUTHENTICATION, "LocalAuthenticationHandler::getAuthResponseHeader()"); String secret; String filePath; String authResp; // // Check if the user is a valid system user // if (!System::isSystemUser(userName.getCString())) { PEG_METHOD_EXIT(); return authResp; } authResp = _localAuthenticator->getAuthResponseHeader( authType, userName, filePath, secret); authInfo->setLocalAuthFilePath(filePath); authInfo->setLocalAuthSecret(secret); PEG_METHOD_EXIT(); return authResp; } PEGASUS_NAMESPACE_END
No CVS admin address has been configured |
Powered by ViewCVS 0.9.2 |