|
version 1.9, 2002/05/30 15:55:26
|
version 1.35, 2012/05/14 09:12:17
|
|
|
|
| //%//////////////////////////////////////////////////////////////////////////// |
//%LICENSE//////////////////////////////////////////////////////////////// |
| // | // |
| // Copyright (c) 2000, 2001 BMC Software, Hewlett-Packard Company, IBM, |
// Licensed to The Open Group (TOG) under one or more contributor license |
| // The Open Group, Tivoli Systems |
// agreements. Refer to the OpenPegasusNOTICE.txt file distributed with |
| |
// this work for additional information regarding copyright ownership. |
| |
// Each contributor licenses this file to you under the OpenPegasus Open |
| |
// Source License; you may not use this file except in compliance with the |
| |
// License. |
| |
// |
| |
// Permission is hereby granted, free of charge, to any person obtaining a |
| |
// copy of this software and associated documentation files (the "Software"), |
| |
// to deal in the Software without restriction, including without limitation |
| |
// the rights to use, copy, modify, merge, publish, distribute, sublicense, |
| |
// and/or sell copies of the Software, and to permit persons to whom the |
| |
// Software is furnished to do so, subject to the following conditions: |
| |
// |
| |
// The above copyright notice and this permission notice shall be included |
| |
// in all copies or substantial portions of the Software. |
| |
// |
| |
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS |
| |
// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF |
| |
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. |
| |
// IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY |
| |
// CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, |
| |
// TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE |
| |
// SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. |
| // | // |
| // Permission is hereby granted, free of charge, to any person obtaining a copy |
////////////////////////////////////////////////////////////////////////// |
| // of this software and associated documentation files (the "Software"), to |
|
| // deal in the Software without restriction, including without limitation the |
|
| // rights to use, copy, modify, merge, publish, distribute, sublicense, and/or |
|
| // sell copies of the Software, and to permit persons to whom the Software is |
|
| // furnished to do so, subject to the following conditions: |
|
| // |
|
| // THE ABOVE COPYRIGHT NOTICE AND THIS PERMISSION NOTICE SHALL BE INCLUDED IN |
|
| // ALL COPIES OR SUBSTANTIAL PORTIONS OF THE SOFTWARE. THE SOFTWARE IS PROVIDED |
|
| // "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT |
|
| // LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR |
|
| // PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT |
|
| // HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN |
|
| // ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION |
|
| // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. |
|
| // |
|
| //============================================================================= |
|
| // |
|
| // Author: Sushma Fernandes (sushma_fernandes@hp.com) |
|
| // |
|
| // Modified By: Nag Boranna, Hewlett Packard Company (nagaraja_boranna@hp.com) |
|
| // Carol Ann Krug Graves, Hewlett-Packard Company |
|
| // (carolann_graves@hp.com) |
|
| // | // |
| //%//////////////////////////////////////////////////////////////////////////// | //%//////////////////////////////////////////////////////////////////////////// |
| | |
|
|
|
| | |
| #include <Pegasus/Common/FileSystem.h> | #include <Pegasus/Common/FileSystem.h> |
| #include <Pegasus/Common/HashTable.h> | #include <Pegasus/Common/HashTable.h> |
| #include <Pegasus/Common/Destroyer.h> |
|
| #include <Pegasus/Common/Logger.h> | #include <Pegasus/Common/Logger.h> |
| #include <Pegasus/Common/System.h> | #include <Pegasus/Common/System.h> |
| #include <Pegasus/Common/Tracer.h> | #include <Pegasus/Common/Tracer.h> |
| #include <Pegasus/Common/CIMInstance.h> | #include <Pegasus/Common/CIMInstance.h> |
| #include <Pegasus/Common/Constants.h> | #include <Pegasus/Common/Constants.h> |
| |
#include <Pegasus/Common/XmlWriter.h> |
| |
#include <Pegasus/Common/CIMNameCast.h> |
| |
|
| |
#ifdef PEGASUS_OS_PASE |
| |
# include <ILEWrapper/qumemultiutil.h> |
| |
# include <ILEWrapper/ILEUtilities2.h> |
| |
#endif |
| | |
| #include "AuthorizationHandler.h" | #include "AuthorizationHandler.h" |
| #include "UserExceptions.h" | #include "UserExceptions.h" |
| | |
| |
|
| PEGASUS_USING_STD; | PEGASUS_USING_STD; |
| | |
| PEGASUS_NAMESPACE_BEGIN | PEGASUS_NAMESPACE_BEGIN |
|
|
|
| // | // |
| // This constant represents the User name property in the schema | // This constant represents the User name property in the schema |
| // | // |
| static const char PROPERTY_NAME_USERNAME [] = "Username"; |
static const CIMName PROPERTY_NAME_USERNAME = CIMNameCast("Username"); |
| | |
| // | // |
| // This constant represents the Namespace property in the schema | // This constant represents the Namespace property in the schema |
| // | // |
| static const char PROPERTY_NAME_NAMESPACE [] = "Namespace"; |
static const CIMName PROPERTY_NAME_NAMESPACE = CIMNameCast("Namespace"); |
| | |
| // | // |
| // This constant represents the Authorizations property in the schema | // This constant represents the Authorizations property in the schema |
| // | // |
| static const char PROPERTY_NAME_AUTHORIZATION [] = "Authorization"; |
static const CIMName PROPERTY_NAME_AUTHORIZATION = CIMNameCast("Authorization"); |
| | |
| | |
| // | // |
|
|
|
| // | // |
| // List of read only CIM Operations | // List of read only CIM Operations |
| // | // |
| static const char* READ_OPERATIONS [] = { |
static const CIMName READ_OPERATIONS [] = |
| "GetClass", |
{ |
| "GetInstance", |
CIMName("GetClass"), |
| "EnumerateClassNames", |
CIMName("GetInstance"), |
| "References", |
CIMName("EnumerateClassNames"), |
| "ReferenceNames", |
CIMName("References"), |
| "AssociatorNames", |
CIMName("ReferenceNames"), |
| "Associators", |
CIMName("AssociatorNames"), |
| "EnumerateInstanceNames", |
CIMName("Associators"), |
| "GetQualifier", |
CIMName("EnumerateInstanceNames"), |
| "EnumerateQualifiers", |
CIMName("GetQualifier"), |
| "EnumerateClasses", |
CIMName("EnumerateQualifiers"), |
| "EnumerateInstances", |
CIMName("EnumerateClasses"), |
| "ExecQuery", |
CIMName("EnumerateInstances"), |
| "GetProperty" }; |
CIMName("ExecQuery"), |
| |
CIMName("GetProperty") |
| |
}; |
| | |
| // | // |
| // List of write CIM Operations | // List of write CIM Operations |
| // | // |
| static const char* WRITE_OPERATIONS [] = { |
static const CIMName WRITE_OPERATIONS [] = |
| "CreateClass", |
{ |
| "CreateInstance", |
CIMName("CreateClass"), |
| "DeleteQualifier", |
CIMName("CreateInstance"), |
| "SetQualifier", |
CIMName("DeleteQualifier"), |
| "ModifyClass", |
CIMName("SetQualifier"), |
| "ModifyInstance", |
CIMName("ModifyClass"), |
| "DeleteClass", |
CIMName("ModifyInstance"), |
| "DeleteInstance", |
CIMName("DeleteClass"), |
| "SetProperty", |
CIMName("DeleteInstance"), |
| "InvokeMethod", |
CIMName("SetProperty"), |
| "EnableIndicationSubscription", |
CIMName("InvokeMethod"), |
| "ModifyIndicationSubscription", |
CIMName("EnableIndicationSubscription"), |
| "DisableIndicationSubscription" }; |
CIMName("ModifyIndicationSubscription"), |
| |
CIMName("DisableIndicationSubscription") |
| |
}; |
| |
|
| |
static String _getAuthKey(const String &userName, const String &nameSpace) |
| |
{ |
| |
//Separator ":" is used to distinguish "a" +"bc" |
| |
// and "ab"+"c" scenarios |
| |
String key = nameSpace; |
| |
key.append(Char16(':')); |
| |
#ifdef PEGASUS_OS_TYPE_WINDOWS |
| |
key.append(userName); |
| |
key.toLower(); |
| |
#else |
| |
key.toLower(); |
| |
key.append(userName); |
| |
#endif |
| | |
| |
return key; |
| |
} |
| | |
| // | // |
| // Constructor | // Constructor |
|
|
|
| | |
| _repository = repository; | _repository = repository; |
| | |
| try |
|
| { |
|
| _loadAllAuthorizations(); | _loadAllAuthorizations(); |
| } |
|
| catch(Exception& e) |
|
| { |
|
| //ATTN-NB-03-20020402: Should this exception be thrown or ignored ? |
|
| //throw e; |
|
| |
|
| cerr << PEGASUS_CLASSNAME_AUTHORIZATION << " class not loaded, "; |
|
| cerr << "No authorizations configured." << endl; |
|
| } |
|
| | |
| PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
| } | } |
|
|
|
| // | // |
| // Check if a given namespace exists | // Check if a given namespace exists |
| // | // |
| Boolean AuthorizationHandler::verifyNamespace( const String& nameSpace ) |
Boolean AuthorizationHandler::verifyNamespace( |
| |
const CIMNamespaceName& nameSpace) |
| { | { |
| PEG_METHOD_ENTER( | PEG_METHOD_ENTER( |
| TRC_AUTHORIZATION, "AuthorizationHandler::verifyNamespace()"); | TRC_AUTHORIZATION, "AuthorizationHandler::verifyNamespace()"); |
|
|
|
| // call enumerateNameSpaces to get all the namespaces | // call enumerateNameSpaces to get all the namespaces |
| // in the repository | // in the repository |
| // | // |
| Array<String> namespaceNames = |
Array<CIMNamespaceName> namespaceNames = |
| _repository->enumerateNameSpaces(); | _repository->enumerateNameSpaces(); |
| | |
| // | // |
|
|
|
| | |
| for (Uint32 i = 0; i < size; i++) | for (Uint32 i = 0; i < size; i++) |
| { | { |
| if (String::equal(nameSpace, namespaceNames[i])) |
if (nameSpace.equal (namespaceNames[i])) |
| { | { |
| PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
| return true; | return true; |
|
|
|
| catch (Exception& e) | catch (Exception& e) |
| { | { |
| PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
| throw InvalidNamespace(nameSpace + e.getMessage()); |
throw InvalidNamespace(nameSpace.getString() + e.getMessage()); |
| } | } |
| | |
| PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
|
|
|
| try | try |
| { | { |
| // | // |
| // call enumerateInstances of the repository |
// call enumerateInstancesForClass of the repository |
| // | // |
| namedInstances = _repository->enumerateInstances( |
namedInstances = _repository->enumerateInstancesForClass( |
| PEGASUS_NAMESPACENAME_AUTHORIZATION, PEGASUS_CLASSNAME_AUTHORIZATION); |
PEGASUS_NAMESPACENAME_AUTHORIZATION, |
| |
PEGASUS_CLASSNAME_AUTHORIZATION); |
| | |
| // | // |
| // get all the user names, namespaces, and authorizations | // get all the user names, namespaces, and authorizations |
|
|
|
| // | // |
| // Add authorization to the table | // Add authorization to the table |
| // | // |
| _authTable.insert(userName + nameSpace, auth); |
if (!_authTable.insert(_getAuthKey(userName, nameSpace), auth)) |
| |
{ |
| |
throw AuthorizationCacheError(); |
| |
} |
| } | } |
| | |
| } | } |
| catch(Exception& e) |
catch (const CIMException& e) |
| |
{ |
| |
// Allow initialization to succeed with an empty repository |
| |
if (e.getCode() != CIM_ERR_INVALID_NAMESPACE) |
| { | { |
| PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
| throw e; |
throw; |
| |
} |
| } | } |
| | |
| PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
|
|
|
| | |
| void AuthorizationHandler::setAuthorization( | void AuthorizationHandler::setAuthorization( |
| const String& userName, | const String& userName, |
| const String& nameSpace, |
const CIMNamespaceName& nameSpace, |
| const String& auth) | const String& auth) |
| { | { |
| PEG_METHOD_ENTER( | PEG_METHOD_ENTER( |
| TRC_AUTHORIZATION, "AuthorizationHandler::setAuthorization()"); | TRC_AUTHORIZATION, "AuthorizationHandler::setAuthorization()"); |
| | |
| |
String key = _getAuthKey(userName, nameSpace.getString()); |
| // | // |
| // Remove auth if it already exists | // Remove auth if it already exists |
| // | // |
| _authTable.remove(userName + nameSpace); |
_authTable.remove(key); |
| | |
| // | // |
| // Insert the specified authorization | // Insert the specified authorization |
| // | // |
| if (!_authTable.insert(userName + nameSpace, auth)) |
if (!_authTable.insert(key, auth)) |
| { | { |
| PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
| throw AuthorizationCacheError(); | throw AuthorizationCacheError(); |
|
|
|
| | |
| void AuthorizationHandler::removeAuthorization( | void AuthorizationHandler::removeAuthorization( |
| const String& userName, | const String& userName, |
| const String& nameSpace) |
const CIMNamespaceName& nameSpace) |
| { | { |
| PEG_METHOD_ENTER( | PEG_METHOD_ENTER( |
| TRC_AUTHORIZATION, "AuthorizationHandler::removeAuthorization()"); | TRC_AUTHORIZATION, "AuthorizationHandler::removeAuthorization()"); |
|
|
|
| // | // |
| // Remove the specified authorization | // Remove the specified authorization |
| // | // |
| if (!_authTable.remove(userName + nameSpace)) |
if (!_authTable.remove(_getAuthKey(userName, nameSpace.getString()))) |
| { | { |
| PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
| throw AuthorizationEntryNotFound(userName, nameSpace); |
throw AuthorizationEntryNotFound(userName, nameSpace.getString()); |
| } | } |
| PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
| } | } |
| | |
| String AuthorizationHandler::getAuthorization( | String AuthorizationHandler::getAuthorization( |
| const String& userName, | const String& userName, |
| const String& nameSpace) |
const CIMNamespaceName& nameSpace) |
| { | { |
| PEG_METHOD_ENTER( | PEG_METHOD_ENTER( |
| TRC_AUTHORIZATION, "AuthorizationHandler::getAuthorization()"); | TRC_AUTHORIZATION, "AuthorizationHandler::getAuthorization()"); |
|
|
|
| // | // |
| // Get authorization for the specified userName and nameSpace | // Get authorization for the specified userName and nameSpace |
| // | // |
| if (!_authTable.lookup(userName + nameSpace, auth)) |
if (!_authTable.lookup(_getAuthKey(userName, nameSpace.getString()), auth)) |
| { | { |
| PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
| throw AuthorizationEntryNotFound(userName, nameSpace); |
throw AuthorizationEntryNotFound(userName, nameSpace.getString()); |
| } | } |
| | |
| PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
|
|
|
| // | // |
| Boolean AuthorizationHandler::verifyAuthorization( | Boolean AuthorizationHandler::verifyAuthorization( |
| const String& userName, | const String& userName, |
| const String& nameSpace, |
const CIMNamespaceName& nameSpace, |
| const String& cimMethodName) |
const CIMName& cimMethodName) |
| { | { |
| PEG_METHOD_ENTER( | PEG_METHOD_ENTER( |
| TRC_AUTHORIZATION, "AuthorizationHandler::verifyAuthorization()"); | TRC_AUTHORIZATION, "AuthorizationHandler::verifyAuthorization()"); |
|
|
|
| | |
| for (Uint32 i = 0; i < readOpSize; i++ ) | for (Uint32 i = 0; i < readOpSize; i++ ) |
| { | { |
| if ( String::equal(cimMethodName, READ_OPERATIONS[i]) ) |
if (cimMethodName.equal(READ_OPERATIONS[i])) |
| { | { |
| readOperation = true; | readOperation = true; |
| break; | break; |
|
|
|
| { | { |
| for (Uint32 i = 0; i < writeOpSize; i++ ) | for (Uint32 i = 0; i < writeOpSize; i++ ) |
| { | { |
| if ( String::equal(cimMethodName, WRITE_OPERATIONS[i]) ) |
if (cimMethodName.equal(WRITE_OPERATIONS[i])) |
| { | { |
| writeOperation = true; | writeOperation = true; |
| break; | break; |
|
|
|
| } | } |
| } | } |
| | |
| |
#ifdef PEGASUS_OS_PASE |
| |
if (readOperation || writeOperation) |
| |
{ |
| |
//Use OS/400 Application Administration to do cim operation verification |
| |
CString userCStr = userName.getCString(); |
| |
const char * user = (const char *)userCStr; |
| |
CString cimMethCStr = cimMethodName.getString().getCString(); |
| |
const char * cimMeth = (const char *)cimMethCStr; |
| |
|
| |
CString nameSpaceCStr = nameSpace.getString().getCString(); |
| |
const char * nameSpChar = (const char *)nameSpaceCStr; |
| |
|
| |
int PaseAuth = |
| |
umeVerifyFunctionAuthorization(user, |
| |
cimMeth); |
| |
|
| |
if (PaseAuth == TRUE) |
| |
authorized = true; |
| |
|
| |
/* read operation needn't verify priviledUser */ |
| |
if(authorized && writeOperation) |
| |
{ |
| |
/* |
| |
The Application Admin checks |
| |
we have now cover all class/qualifier |
| |
operations to all namespaces. |
| |
But maybe this is not enough protection |
| |
for the private Pegasus namespaces. |
| |
We should call isPrivilegedUser |
| |
in this case instead of App Admin |
| |
*/ |
| |
if (strcasecmp(nameSpChar,"root/PG_Internal") == 0 |
| |
||strcasecmp(nameSpChar,"root/PG_InterOp") == 0 |
| |
||strcasecmp(nameSpChar,"PG_Internal") == 0 |
| |
||strcasecmp(nameSpChar,"PG_InterOp") == 0 |
| |
||strcasecmp(nameSpChar,"root/interop") == 0 |
| |
||strcasecmp(nameSpChar,"interop") == 0 ) |
| |
{ |
| |
if(!System::isPrivilegedUser(userName)) |
| |
authorized = false; |
| |
} |
| |
} |
| |
} |
| |
#else |
| // | // |
| // Get the authorization of the specified user and namespace | // Get the authorization of the specified user and namespace |
| // | // |
|
|
|
| { | { |
| auth = getAuthorization(userName, nameSpace); | auth = getAuthorization(userName, nameSpace); |
| } | } |
| catch (Exception& e) |
catch (Exception&) |
| { | { |
| PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
| return authorized; | return authorized; |
|
|
|
| { | { |
| authorized = true; | authorized = true; |
| } | } |
| |
#endif |
| | |
| PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
| | |
Return to
AuthorizationHandler.cpp
CVS log
Up to [Pegasus] / pegasus / src / Pegasus / Security / UserManager