1 karl 1.20 //%2006////////////////////////////////////////////////////////////////////////
|
2 mike 1.2 //
|
3 karl 1.16 // Copyright (c) 2000, 2001, 2002 BMC Software; Hewlett-Packard Development
4 // Company, L.P.; IBM Corp.; The Open Group; Tivoli Systems.
5 // Copyright (c) 2003 BMC Software; Hewlett-Packard Development Company, L.P.;
|
6 karl 1.15 // IBM Corp.; EMC Corporation, The Open Group.
|
7 karl 1.16 // Copyright (c) 2004 BMC Software; Hewlett-Packard Development Company, L.P.;
8 // IBM Corp.; EMC Corporation; VERITAS Software Corporation; The Open Group.
|
9 karl 1.18 // Copyright (c) 2005 Hewlett-Packard Development Company, L.P.; IBM Corp.;
10 // EMC Corporation; VERITAS Software Corporation; The Open Group.
|
11 karl 1.20 // Copyright (c) 2006 Hewlett-Packard Development Company, L.P.; IBM Corp.;
12 // EMC Corporation; Symantec Corporation; The Open Group.
|
13 mike 1.2 //
14 // Permission is hereby granted, free of charge, to any person obtaining a copy
|
15 kumpf 1.10 // of this software and associated documentation files (the "Software"), to
16 // deal in the Software without restriction, including without limitation the
17 // rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
|
18 mike 1.2 // sell copies of the Software, and to permit persons to whom the Software is
19 // furnished to do so, subject to the following conditions:
|
20 karl 1.20 //
|
21 kumpf 1.10 // THE ABOVE COPYRIGHT NOTICE AND THIS PERMISSION NOTICE SHALL BE INCLUDED IN
|
22 mike 1.2 // ALL COPIES OR SUBSTANTIAL PORTIONS OF THE SOFTWARE. THE SOFTWARE IS PROVIDED
23 // "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
|
24 kumpf 1.10 // LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
25 // PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
26 // HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
|
27 mike 1.2 // ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
28 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
29 //
|
30 kumpf 1.10 //==============================================================================
|
31 mike 1.2 //
32 // Author: Sushma Fernandes (sushma_fernandes@hp.com)
33 //
34 // Modified By: Nag Boranna, Hewlett Packard Company (nagaraja_boranna@hp.com)
|
35 kumpf 1.9 // Carol Ann Krug Graves, Hewlett-Packard Company
36 // (carolann_graves@hp.com)
|
37 joyce.j 1.17 // Josephine Eskaline Joyce, IBM (jojustin@in.ibm.com) for PEP#101
|
38 david.dillard 1.19 // David Dillard, VERITAS Software Corp.
39 // (david.dillard@veritas.com)
|
40 mike 1.2 //
41 //%////////////////////////////////////////////////////////////////////////////
42
43
44 ///////////////////////////////////////////////////////////////////////////////
|
45 david.dillard 1.19 //
46 // This file implements the functionality required to manage auth table.
|
47 mike 1.2 //
48 ///////////////////////////////////////////////////////////////////////////////
49
50 #include <Pegasus/Common/FileSystem.h>
51 #include <Pegasus/Common/HashTable.h>
52 #include <Pegasus/Common/Logger.h>
53 #include <Pegasus/Common/System.h>
54 #include <Pegasus/Common/Tracer.h>
55 #include <Pegasus/Common/CIMInstance.h>
|
56 kumpf 1.6 #include <Pegasus/Common/Constants.h>
|
57 kumpf 1.11 #include <Pegasus/Common/XmlWriter.h>
|
58 mike 1.2
|
59 kumpf 1.5 #include "AuthorizationHandler.h"
60 #include "UserExceptions.h"
61
|
62 gerarda 1.13 #ifdef PEGASUS_OS_OS400
63 #include "qycmutiltyUtility.H"
|
64 david 1.14 #include "OS400ConvertChar.h"
|
65 gerarda 1.13 #endif
|
66 mike 1.2
67 PEGASUS_USING_STD;
68
69 PEGASUS_NAMESPACE_BEGIN
70
71
|
72 kumpf 1.7 //
73 // This constant represents the User name property in the schema
74 //
|
75 kumpf 1.11 static const CIMName PROPERTY_NAME_USERNAME = CIMName ("Username");
|
76 mike 1.2
|
77 kumpf 1.7 //
78 // This constant represents the Namespace property in the schema
79 //
|
80 kumpf 1.11 static const CIMName PROPERTY_NAME_NAMESPACE = CIMName ("Namespace");
|
81 mike 1.2
|
82 kumpf 1.7 //
83 // This constant represents the Authorizations property in the schema
84 //
|
85 kumpf 1.11 static const CIMName PROPERTY_NAME_AUTHORIZATION = CIMName ("Authorization");
|
86 mike 1.2
87
|
88 kumpf 1.7 //
89 // List of all the CIM Operations
90 //
91 // Note: The following tables contain all the existing CIM Operations.
|
92 david.dillard 1.19 // Any new CIM Operations created must be included in one of these tables,
93 // otherwise no CIM requests will have authorization to execute those
|
94 kumpf 1.7 // new operations.
|
95 david.dillard 1.19 //
|
96 mike 1.2
|
97 kumpf 1.7 //
98 // List of read only CIM Operations
99 //
|
100 kumpf 1.11 static const CIMName READ_OPERATIONS [] = {
101 CIMName ("GetClass"),
102 CIMName ("GetInstance"),
103 CIMName ("EnumerateClassNames"),
104 CIMName ("References"),
105 CIMName ("ReferenceNames"),
106 CIMName ("AssociatorNames"),
107 CIMName ("Associators"),
108 CIMName ("EnumerateInstanceNames"),
109 CIMName ("GetQualifier"),
110 CIMName ("EnumerateQualifiers"),
111 CIMName ("EnumerateClasses"),
112 CIMName ("EnumerateInstances"),
113 CIMName ("ExecQuery"),
114 CIMName ("GetProperty") };
|
115 david.dillard 1.19
|
116 kumpf 1.7 //
117 // List of write CIM Operations
118 //
|
119 kumpf 1.11 static const CIMName WRITE_OPERATIONS [] = {
120 CIMName ("CreateClass"),
121 CIMName ("CreateInstance"),
122 CIMName ("DeleteQualifier"),
123 CIMName ("SetQualifier"),
124 CIMName ("ModifyClass"),
125 CIMName ("ModifyInstance"),
126 CIMName ("DeleteClass"),
127 CIMName ("DeleteInstance"),
128 CIMName ("SetProperty"),
129 CIMName ("InvokeMethod"),
130 CIMName ("EnableIndicationSubscription"),
131 CIMName ("ModifyIndicationSubscription"),
132 CIMName ("DisableIndicationSubscription") };
|
133 david.dillard 1.19
|
134 mike 1.2
135 //
136 // Constructor
137 //
138 AuthorizationHandler::AuthorizationHandler(CIMRepository* repository)
139 {
|
140 kumpf 1.7 PEG_METHOD_ENTER(
141 TRC_AUTHORIZATION, "AuthorizationHandler::AuthorizationHandler()");
|
142 kumpf 1.5
|
143 mike 1.2 _repository = repository;
144
145 try
146 {
147 _loadAllAuthorizations();
148 }
|
149 kumpf 1.21 catch (Exception&)
|
150 mike 1.2 {
|
151 kumpf 1.7 //ATTN-NB-03-20020402: Should this exception be thrown or ignored ?
152 //throw e;
153
|
154 kumpf 1.12 // cerr << PEGASUS_CLASSNAME_AUTHORIZATION << " class not loaded, ";
155 // cerr << "No authorizations configured." << endl;
|
156 mike 1.2 }
|
157 kumpf 1.5
|
158 kumpf 1.7 PEG_METHOD_EXIT();
|
159 mike 1.2 }
160
161 //
|
162 david.dillard 1.19 // Destructor.
|
163 mike 1.2 //
164 AuthorizationHandler::~AuthorizationHandler()
165 {
|
166 kumpf 1.7 PEG_METHOD_ENTER(
167 TRC_AUTHORIZATION, "AuthorizationHandler::~AuthorizationHandler()");
|
168 mike 1.2
|
169 kumpf 1.7 PEG_METHOD_EXIT();
|
170 mike 1.2 }
171
172 //
173 // Check if a given namespace exists
174 //
|
175 david.dillard 1.19 Boolean AuthorizationHandler::verifyNamespace(
|
176 kumpf 1.11 const CIMNamespaceName& nameSpace )
|
177 mike 1.2 {
|
178 kumpf 1.7 PEG_METHOD_ENTER(
179 TRC_AUTHORIZATION, "AuthorizationHandler::verifyNamespace()");
|
180 kumpf 1.5
|
181 mike 1.2 try
182 {
183 //
|
184 david.dillard 1.19 // call enumerateNameSpaces to get all the namespaces
|
185 kumpf 1.3 // in the repository
|
186 mike 1.2 //
|
187 kumpf 1.11 Array<CIMNamespaceName> namespaceNames =
|
188 kumpf 1.3 _repository->enumerateNameSpaces();
|
189 mike 1.2
190 //
191 // check for the given namespace
192 //
|
193 kumpf 1.3 Uint32 size = namespaceNames.size();
194
195 for (Uint32 i = 0; i < size; i++)
|
196 mike 1.2 {
|
197 kumpf 1.11 if (nameSpace.equal (namespaceNames[i]))
|
198 kumpf 1.3 {
|
199 kumpf 1.7 PEG_METHOD_EXIT();
|
200 kumpf 1.3 return true;
201 }
|
202 mike 1.2 }
|
203 kumpf 1.3 }
204 catch (Exception& e)
|
205 mike 1.2 {
|
206 kumpf 1.7 PEG_METHOD_EXIT();
|
207 kumpf 1.11 throw InvalidNamespace(nameSpace.getString() + e.getMessage());
|
208 mike 1.2 }
|
209 kumpf 1.3
|
210 kumpf 1.7 PEG_METHOD_EXIT();
|
211 kumpf 1.5
|
212 kumpf 1.3 return false;
|
213 mike 1.2 }
214
|
215 david.dillard 1.19 //
|
216 mike 1.2 // Load all user names and password
217 //
218 void AuthorizationHandler::_loadAllAuthorizations()
219 {
|
220 kumpf 1.7 PEG_METHOD_ENTER(
221 TRC_AUTHORIZATION, "AuthorizationHandler::_loadAllAuthorizations()");
|
222 kumpf 1.5
|
223 kumpf 1.9 Array<CIMInstance> namedInstances;
|
224 mike 1.2
225 try
226 {
227 //
|
228 kumpf 1.22 // call enumerateInstancesForClass of the repository
|
229 mike 1.2 //
|
230 kumpf 1.22 namedInstances = _repository->enumerateInstancesForClass(
|
231 david.dillard 1.19 PEGASUS_NAMESPACENAME_AUTHORIZATION, PEGASUS_CLASSNAME_AUTHORIZATION);
|
232 mike 1.2
233 //
234 // get all the user names, namespaces, and authorizations
235 //
236 for (Uint32 i = 0; i < namedInstances.size(); i++)
237 {
|
238 kumpf 1.9 CIMInstance& authInstance = namedInstances[i];
|
239 mike 1.2
240 //
241 // get user name
242 //
243 Uint32 pos = authInstance.findProperty(PROPERTY_NAME_USERNAME);
244 CIMProperty prop = (CIMProperty)authInstance.getProperty(pos);
245 String userName = prop.getValue().toString();
246
247 //
248 // get namespace name
249 //
250 pos = authInstance.findProperty(PROPERTY_NAME_NAMESPACE);
251 prop = (CIMProperty)authInstance.getProperty(pos);
252 String nameSpace = prop.getValue().toString();
253
254 //
255 // get authorizations
256 //
257 pos = authInstance.findProperty(PROPERTY_NAME_AUTHORIZATION);
258 prop = (CIMProperty)authInstance.getProperty(pos);
259 String auth = prop.getValue().toString();
260 mike 1.2
261 //
262 // Add authorization to the table
263 //
|
264 kumpf 1.3 _authTable.insert(userName + nameSpace, auth);
|
265 mike 1.2 }
266
267 }
|
268 david.dillard 1.19 catch(const Exception&)
|
269 mike 1.2 {
|
270 kumpf 1.7 PEG_METHOD_EXIT();
|
271 david.dillard 1.19 throw;
|
272 mike 1.2 }
273
|
274 kumpf 1.7 PEG_METHOD_EXIT();
|
275 mike 1.2 }
276
277 void AuthorizationHandler::setAuthorization(
278 const String& userName,
|
279 kumpf 1.11 const CIMNamespaceName& nameSpace,
|
280 mike 1.2 const String& auth)
281 {
|
282 kumpf 1.7 PEG_METHOD_ENTER(
283 TRC_AUTHORIZATION, "AuthorizationHandler::setAuthorization()");
|
284 kumpf 1.5
|
285 mike 1.2 //
|
286 kumpf 1.3 // Remove auth if it already exists
|
287 mike 1.2 //
|
288 kumpf 1.11 _authTable.remove(userName + nameSpace.getString());
|
289 mike 1.2
290 //
|
291 kumpf 1.3 // Insert the specified authorization
|
292 mike 1.2 //
|
293 kumpf 1.11 if (!_authTable.insert(userName + nameSpace.getString(), auth))
|
294 mike 1.2 {
|
295 kumpf 1.7 PEG_METHOD_EXIT();
|
296 mike 1.2 throw AuthorizationCacheError();
297 }
298
|
299 kumpf 1.7 PEG_METHOD_EXIT();
|
300 mike 1.2 }
301
302 void AuthorizationHandler::removeAuthorization(
303 const String& userName,
|
304 kumpf 1.11 const CIMNamespaceName& nameSpace)
|
305 mike 1.2 {
|
306 kumpf 1.7 PEG_METHOD_ENTER(
307 TRC_AUTHORIZATION, "AuthorizationHandler::removeAuthorization()");
|
308 kumpf 1.5
|
309 mike 1.2 //
|
310 kumpf 1.3 // Remove the specified authorization
|
311 mike 1.2 //
|
312 kumpf 1.11 if (!_authTable.remove(userName + nameSpace.getString()))
|
313 mike 1.2 {
|
314 kumpf 1.7 PEG_METHOD_EXIT();
|
315 kumpf 1.11 throw AuthorizationEntryNotFound(userName, nameSpace.getString());
|
316 mike 1.2 }
|
317 kumpf 1.7 PEG_METHOD_EXIT();
|
318 mike 1.2 }
319
320 String AuthorizationHandler::getAuthorization(
321 const String& userName,
|
322 kumpf 1.11 const CIMNamespaceName& nameSpace)
|
323 mike 1.2 {
|
324 kumpf 1.7 PEG_METHOD_ENTER(
325 TRC_AUTHORIZATION, "AuthorizationHandler::getAuthorization()");
|
326 kumpf 1.5
|
327 mike 1.2 String auth;
328
|
329 kumpf 1.3 //
330 // Get authorization for the specified userName and nameSpace
331 //
|
332 kumpf 1.11 if (!_authTable.lookup(userName + nameSpace.getString(), auth))
|
333 mike 1.2 {
|
334 kumpf 1.7 PEG_METHOD_EXIT();
|
335 kumpf 1.11 throw AuthorizationEntryNotFound(userName, nameSpace.getString());
|
336 mike 1.2 }
337
|
338 kumpf 1.7 PEG_METHOD_EXIT();
|
339 kumpf 1.5
|
340 mike 1.2 return auth;
341 }
342
343 //
344 // Verify whether the specified operation has authorization
345 // to be performed by the specified user.
346 //
347 Boolean AuthorizationHandler::verifyAuthorization(
348 const String& userName,
|
349 kumpf 1.11 const CIMNamespaceName& nameSpace,
350 const CIMName& cimMethodName)
|
351 mike 1.2 {
|
352 kumpf 1.7 PEG_METHOD_ENTER(
353 TRC_AUTHORIZATION, "AuthorizationHandler::verifyAuthorization()");
|
354 kumpf 1.5
|
355 mike 1.2 Boolean authorized = false;
|
356 kumpf 1.3 Boolean readOperation = false;
357 Boolean writeOperation = false;
|
358 mike 1.2
359 Uint32 readOpSize = sizeof(READ_OPERATIONS) / sizeof(READ_OPERATIONS[0]);
360
361 Uint32 writeOpSize = sizeof(WRITE_OPERATIONS) / sizeof(WRITE_OPERATIONS[0]);
362
|
363 kumpf 1.3 for (Uint32 i = 0; i < readOpSize; i++ )
364 {
|
365 kumpf 1.11 if (cimMethodName.equal (READ_OPERATIONS[i]))
|
366 kumpf 1.3 {
367 readOperation = true;
368 break;
369 }
370 }
371 if ( !readOperation )
372 {
373 for (Uint32 i = 0; i < writeOpSize; i++ )
374 {
|
375 kumpf 1.11 if (cimMethodName.equal (WRITE_OPERATIONS[i]))
|
376 kumpf 1.3 {
377 writeOperation = true;
378 break;
379 }
380 }
381 }
382
|
383 gerarda 1.13 #ifdef PEGASUS_OS_OS400
384 if (readOperation || writeOperation)
385 {
|
386 david 1.14 // Use OS/400 Application Administration to do cim operation verification
387 // (note - need to convert to EBCDIC before calling ycm)
388 CString userCStr = userName.getCString();
389 const char * user = (const char *)userCStr;
390 AtoE((char *)user);
391 CString nsCStr = nameSpace.getString().getCString();
392 const char * ns = (const char *)nsCStr;
393 AtoE((char *)ns);
394 CString cimMethCStr = cimMethodName.getString().getCString();
395 const char * cimMeth = (const char *)cimMethCStr;
396 AtoE((char *)cimMeth);
|
397 gerarda 1.13 int os400auth =
|
398 david 1.14 ycmVerifyFunctionAuthorization(user,
399 ns,
400 cimMeth);
|
401 david.dillard 1.19 if (os400auth == TRUE)
|
402 gerarda 1.13 authorized = true;
403 }
404 #else
|
405 mike 1.2 //
406 // Get the authorization of the specified user and namespace
407 //
408 String auth;
409 try
410 {
411 auth = getAuthorization(userName, nameSpace);
412 }
|
413 kumpf 1.21 catch (Exception&)
|
414 mike 1.2 {
|
415 kumpf 1.7 PEG_METHOD_EXIT();
|
416 mike 1.2 return authorized;
417 }
418
|
419 kumpf 1.3 if ( ( String::equal(auth, "rw") || String::equal(auth, "wr") ) &&
420 ( readOperation || writeOperation ) )
|
421 mike 1.2 {
|
422 kumpf 1.3 authorized = true;
|
423 mike 1.2 }
|
424 kumpf 1.3 else if ( String::equal(auth, "r") && readOperation )
|
425 mike 1.2 {
|
426 kumpf 1.3 authorized = true;
|
427 mike 1.2 }
|
428 kumpf 1.3 else if ( String::equal(auth, "w") && writeOperation )
|
429 mike 1.2 {
|
430 kumpf 1.3 authorized = true;
|
431 mike 1.2 }
|
432 gerarda 1.13 #endif
|
433 kumpf 1.5
|
434 kumpf 1.7 PEG_METHOD_EXIT();
|
435 mike 1.2
436 return authorized;
437 }
438
439 PEGASUS_NAMESPACE_END
440
441
|
Return to
AuthorizationHandler.cpp
CVS log
Up to [Pegasus] / pegasus / src / Pegasus / Security / UserManager