1 karl 1.20 //%2006////////////////////////////////////////////////////////////////////////
|
2 mike 1.2 //
|
3 karl 1.16 // Copyright (c) 2000, 2001, 2002 BMC Software; Hewlett-Packard Development
4 // Company, L.P.; IBM Corp.; The Open Group; Tivoli Systems.
5 // Copyright (c) 2003 BMC Software; Hewlett-Packard Development Company, L.P.;
|
6 karl 1.15 // IBM Corp.; EMC Corporation, The Open Group.
|
7 karl 1.16 // Copyright (c) 2004 BMC Software; Hewlett-Packard Development Company, L.P.;
8 // IBM Corp.; EMC Corporation; VERITAS Software Corporation; The Open Group.
|
9 karl 1.18 // Copyright (c) 2005 Hewlett-Packard Development Company, L.P.; IBM Corp.;
10 // EMC Corporation; VERITAS Software Corporation; The Open Group.
|
11 karl 1.20 // Copyright (c) 2006 Hewlett-Packard Development Company, L.P.; IBM Corp.;
12 // EMC Corporation; Symantec Corporation; The Open Group.
|
13 mike 1.2 //
14 // Permission is hereby granted, free of charge, to any person obtaining a copy
|
15 kumpf 1.10 // of this software and associated documentation files (the "Software"), to
16 // deal in the Software without restriction, including without limitation the
17 // rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
|
18 mike 1.2 // sell copies of the Software, and to permit persons to whom the Software is
19 // furnished to do so, subject to the following conditions:
|
20 karl 1.20 //
|
21 kumpf 1.10 // THE ABOVE COPYRIGHT NOTICE AND THIS PERMISSION NOTICE SHALL BE INCLUDED IN
|
22 mike 1.2 // ALL COPIES OR SUBSTANTIAL PORTIONS OF THE SOFTWARE. THE SOFTWARE IS PROVIDED
23 // "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
|
24 kumpf 1.10 // LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
25 // PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
26 // HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
|
27 mike 1.2 // ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
28 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
29 //
|
30 kumpf 1.10 //==============================================================================
|
31 mike 1.2 //
32 //%////////////////////////////////////////////////////////////////////////////
33
34
35 ///////////////////////////////////////////////////////////////////////////////
|
36 david.dillard 1.19 //
37 // This file implements the functionality required to manage auth table.
|
38 mike 1.2 //
39 ///////////////////////////////////////////////////////////////////////////////
40
41 #include <Pegasus/Common/FileSystem.h>
42 #include <Pegasus/Common/HashTable.h>
43 #include <Pegasus/Common/Logger.h>
44 #include <Pegasus/Common/System.h>
45 #include <Pegasus/Common/Tracer.h>
46 #include <Pegasus/Common/CIMInstance.h>
|
47 kumpf 1.6 #include <Pegasus/Common/Constants.h>
|
48 kumpf 1.11 #include <Pegasus/Common/XmlWriter.h>
|
49 mike 1.2
|
50 ouyang.jian 1.27 #ifdef PEGASUS_OS_PASE
51 # include <ILEWrapper/qumemultiutil.h>
52 # include <ILEWrapper/ILEUtilities2.h>
53 #endif
54
|
55 kumpf 1.5 #include "AuthorizationHandler.h"
56 #include "UserExceptions.h"
57
|
58 mike 1.2 PEGASUS_USING_STD;
59
60 PEGASUS_NAMESPACE_BEGIN
61
62
|
63 kumpf 1.7 //
64 // This constant represents the User name property in the schema
65 //
|
66 mike 1.29 static const CIMName PROPERTY_NAME_USERNAME = CIMNameCast("Username");
|
67 mike 1.2
|
68 kumpf 1.7 //
69 // This constant represents the Namespace property in the schema
70 //
|
71 mike 1.29 static const CIMName PROPERTY_NAME_NAMESPACE = CIMNameCast("Namespace");
|
72 mike 1.2
|
73 kumpf 1.7 //
74 // This constant represents the Authorizations property in the schema
75 //
|
76 mike 1.29 static const CIMName PROPERTY_NAME_AUTHORIZATION = CIMNameCast("Authorization");
|
77 mike 1.2
78
|
79 kumpf 1.7 //
80 // List of all the CIM Operations
81 //
82 // Note: The following tables contain all the existing CIM Operations.
|
83 david.dillard 1.19 // Any new CIM Operations created must be included in one of these tables,
84 // otherwise no CIM requests will have authorization to execute those
|
85 kumpf 1.7 // new operations.
|
86 david.dillard 1.19 //
|
87 mike 1.2
|
88 kumpf 1.7 //
89 // List of read only CIM Operations
90 //
|
91 kumpf 1.25 static const CIMName READ_OPERATIONS [] =
92 {
93 CIMName("GetClass"),
94 CIMName("GetInstance"),
95 CIMName("EnumerateClassNames"),
96 CIMName("References"),
97 CIMName("ReferenceNames"),
98 CIMName("AssociatorNames"),
99 CIMName("Associators"),
100 CIMName("EnumerateInstanceNames"),
101 CIMName("GetQualifier"),
102 CIMName("EnumerateQualifiers"),
103 CIMName("EnumerateClasses"),
104 CIMName("EnumerateInstances"),
105 CIMName("ExecQuery"),
106 CIMName("GetProperty")
107 };
|
108 david.dillard 1.19
|
109 kumpf 1.7 //
110 // List of write CIM Operations
111 //
|
112 kumpf 1.25 static const CIMName WRITE_OPERATIONS [] =
113 {
114 CIMName("CreateClass"),
115 CIMName("CreateInstance"),
116 CIMName("DeleteQualifier"),
117 CIMName("SetQualifier"),
118 CIMName("ModifyClass"),
119 CIMName("ModifyInstance"),
120 CIMName("DeleteClass"),
121 CIMName("DeleteInstance"),
122 CIMName("SetProperty"),
123 CIMName("InvokeMethod"),
124 CIMName("EnableIndicationSubscription"),
125 CIMName("ModifyIndicationSubscription"),
126 CIMName("DisableIndicationSubscription")
127 };
|
128 david.dillard 1.19
|
129 mike 1.2
130 //
131 // Constructor
132 //
133 AuthorizationHandler::AuthorizationHandler(CIMRepository* repository)
134 {
|
135 kumpf 1.7 PEG_METHOD_ENTER(
136 TRC_AUTHORIZATION, "AuthorizationHandler::AuthorizationHandler()");
|
137 kumpf 1.5
|
138 mike 1.2 _repository = repository;
139
|
140 kumpf 1.23 _loadAllAuthorizations();
|
141 kumpf 1.5
|
142 kumpf 1.7 PEG_METHOD_EXIT();
|
143 mike 1.2 }
144
145 //
|
146 david.dillard 1.19 // Destructor.
|
147 mike 1.2 //
148 AuthorizationHandler::~AuthorizationHandler()
149 {
|
150 kumpf 1.7 PEG_METHOD_ENTER(
151 TRC_AUTHORIZATION, "AuthorizationHandler::~AuthorizationHandler()");
|
152 mike 1.2
|
153 kumpf 1.7 PEG_METHOD_EXIT();
|
154 mike 1.2 }
155
156 //
157 // Check if a given namespace exists
158 //
|
159 david.dillard 1.19 Boolean AuthorizationHandler::verifyNamespace(
|
160 kumpf 1.25 const CIMNamespaceName& nameSpace)
|
161 mike 1.2 {
|
162 kumpf 1.7 PEG_METHOD_ENTER(
163 TRC_AUTHORIZATION, "AuthorizationHandler::verifyNamespace()");
|
164 kumpf 1.5
|
165 mike 1.2 try
166 {
167 //
|
168 david.dillard 1.19 // call enumerateNameSpaces to get all the namespaces
|
169 kumpf 1.3 // in the repository
|
170 mike 1.2 //
|
171 kumpf 1.11 Array<CIMNamespaceName> namespaceNames =
|
172 kumpf 1.3 _repository->enumerateNameSpaces();
|
173 mike 1.2
174 //
175 // check for the given namespace
176 //
|
177 kumpf 1.3 Uint32 size = namespaceNames.size();
178
179 for (Uint32 i = 0; i < size; i++)
|
180 mike 1.2 {
|
181 kumpf 1.11 if (nameSpace.equal (namespaceNames[i]))
|
182 kumpf 1.3 {
|
183 kumpf 1.7 PEG_METHOD_EXIT();
|
184 kumpf 1.3 return true;
185 }
|
186 mike 1.2 }
|
187 kumpf 1.3 }
188 catch (Exception& e)
|
189 mike 1.2 {
|
190 kumpf 1.7 PEG_METHOD_EXIT();
|
191 kumpf 1.25 throw InvalidNamespace(nameSpace.getString() + e.getMessage());
|
192 mike 1.2 }
|
193 kumpf 1.3
|
194 kumpf 1.7 PEG_METHOD_EXIT();
|
195 kumpf 1.5
|
196 kumpf 1.3 return false;
|
197 mike 1.2 }
198
|
199 david.dillard 1.19 //
|
200 mike 1.2 // Load all user names and password
201 //
202 void AuthorizationHandler::_loadAllAuthorizations()
203 {
|
204 kumpf 1.7 PEG_METHOD_ENTER(
205 TRC_AUTHORIZATION, "AuthorizationHandler::_loadAllAuthorizations()");
|
206 kumpf 1.5
|
207 kumpf 1.9 Array<CIMInstance> namedInstances;
|
208 mike 1.2
209 try
210 {
211 //
|
212 kumpf 1.22 // call enumerateInstancesForClass of the repository
|
213 mike 1.2 //
|
214 kumpf 1.22 namedInstances = _repository->enumerateInstancesForClass(
|
215 kumpf 1.25 PEGASUS_NAMESPACENAME_AUTHORIZATION,
216 PEGASUS_CLASSNAME_AUTHORIZATION);
|
217 mike 1.2
218 //
219 // get all the user names, namespaces, and authorizations
220 //
221 for (Uint32 i = 0; i < namedInstances.size(); i++)
222 {
|
223 kumpf 1.9 CIMInstance& authInstance = namedInstances[i];
|
224 mike 1.2
225 //
226 // get user name
227 //
228 Uint32 pos = authInstance.findProperty(PROPERTY_NAME_USERNAME);
229 CIMProperty prop = (CIMProperty)authInstance.getProperty(pos);
230 String userName = prop.getValue().toString();
231
232 //
233 // get namespace name
234 //
235 pos = authInstance.findProperty(PROPERTY_NAME_NAMESPACE);
236 prop = (CIMProperty)authInstance.getProperty(pos);
237 String nameSpace = prop.getValue().toString();
238
239 //
240 // get authorizations
241 //
242 pos = authInstance.findProperty(PROPERTY_NAME_AUTHORIZATION);
243 prop = (CIMProperty)authInstance.getProperty(pos);
244 String auth = prop.getValue().toString();
245 mike 1.2
246 //
247 // Add authorization to the table
248 //
|
249 kumpf 1.23 if (!_authTable.insert(userName + nameSpace, auth))
250 {
251 throw AuthorizationCacheError();
252 }
|
253 mike 1.2 }
254
255 }
|
256 kumpf 1.23 catch (const CIMException& e)
257 {
258 // Allow initialization to succeed with an empty repository
259 if (e.getCode() != CIM_ERR_INVALID_NAMESPACE)
260 {
261 PEG_METHOD_EXIT();
262 throw;
263 }
264 }
|
265 mike 1.2
|
266 kumpf 1.7 PEG_METHOD_EXIT();
|
267 mike 1.2 }
268
269 void AuthorizationHandler::setAuthorization(
|
270 kumpf 1.25 const String& userName,
271 const CIMNamespaceName& nameSpace,
272 const String& auth)
|
273 mike 1.2 {
|
274 kumpf 1.7 PEG_METHOD_ENTER(
275 TRC_AUTHORIZATION, "AuthorizationHandler::setAuthorization()");
|
276 kumpf 1.5
|
277 mike 1.2 //
|
278 kumpf 1.3 // Remove auth if it already exists
|
279 mike 1.2 //
|
280 kumpf 1.11 _authTable.remove(userName + nameSpace.getString());
|
281 mike 1.2
282 //
|
283 kumpf 1.3 // Insert the specified authorization
|
284 mike 1.2 //
|
285 kumpf 1.11 if (!_authTable.insert(userName + nameSpace.getString(), auth))
|
286 mike 1.2 {
|
287 kumpf 1.7 PEG_METHOD_EXIT();
|
288 mike 1.2 throw AuthorizationCacheError();
289 }
290
|
291 kumpf 1.7 PEG_METHOD_EXIT();
|
292 mike 1.2 }
293
294 void AuthorizationHandler::removeAuthorization(
|
295 kumpf 1.25 const String& userName,
296 const CIMNamespaceName& nameSpace)
|
297 mike 1.2 {
|
298 kumpf 1.7 PEG_METHOD_ENTER(
299 TRC_AUTHORIZATION, "AuthorizationHandler::removeAuthorization()");
|
300 kumpf 1.5
|
301 mike 1.2 //
|
302 kumpf 1.3 // Remove the specified authorization
|
303 mike 1.2 //
|
304 kumpf 1.11 if (!_authTable.remove(userName + nameSpace.getString()))
|
305 mike 1.2 {
|
306 kumpf 1.7 PEG_METHOD_EXIT();
|
307 kumpf 1.11 throw AuthorizationEntryNotFound(userName, nameSpace.getString());
|
308 mike 1.2 }
|
309 kumpf 1.7 PEG_METHOD_EXIT();
|
310 mike 1.2 }
311
312 String AuthorizationHandler::getAuthorization(
|
313 kumpf 1.25 const String& userName,
314 const CIMNamespaceName& nameSpace)
|
315 mike 1.2 {
|
316 kumpf 1.7 PEG_METHOD_ENTER(
317 TRC_AUTHORIZATION, "AuthorizationHandler::getAuthorization()");
|
318 kumpf 1.5
|
319 mike 1.2 String auth;
320
|
321 kumpf 1.3 //
322 // Get authorization for the specified userName and nameSpace
323 //
|
324 kumpf 1.11 if (!_authTable.lookup(userName + nameSpace.getString(), auth))
|
325 mike 1.2 {
|
326 kumpf 1.7 PEG_METHOD_EXIT();
|
327 kumpf 1.11 throw AuthorizationEntryNotFound(userName, nameSpace.getString());
|
328 mike 1.2 }
329
|
330 kumpf 1.7 PEG_METHOD_EXIT();
|
331 kumpf 1.5
|
332 mike 1.2 return auth;
333 }
334
335 //
336 // Verify whether the specified operation has authorization
337 // to be performed by the specified user.
338 //
339 Boolean AuthorizationHandler::verifyAuthorization(
|
340 kumpf 1.25 const String& userName,
341 const CIMNamespaceName& nameSpace,
342 const CIMName& cimMethodName)
|
343 mike 1.2 {
|
344 kumpf 1.7 PEG_METHOD_ENTER(
345 TRC_AUTHORIZATION, "AuthorizationHandler::verifyAuthorization()");
|
346 kumpf 1.5
|
347 mike 1.2 Boolean authorized = false;
|
348 kumpf 1.3 Boolean readOperation = false;
349 Boolean writeOperation = false;
|
350 mike 1.2
351 Uint32 readOpSize = sizeof(READ_OPERATIONS) / sizeof(READ_OPERATIONS[0]);
352
353 Uint32 writeOpSize = sizeof(WRITE_OPERATIONS) / sizeof(WRITE_OPERATIONS[0]);
354
|
355 kumpf 1.25 for (Uint32 i = 0; i < readOpSize; i++)
|
356 kumpf 1.3 {
|
357 kumpf 1.25 if (cimMethodName.equal(READ_OPERATIONS[i]))
|
358 kumpf 1.3 {
359 readOperation = true;
360 break;
361 }
362 }
|
363 kumpf 1.25 if (!readOperation)
|
364 kumpf 1.3 {
365 for (Uint32 i = 0; i < writeOpSize; i++ )
366 {
|
367 kumpf 1.25 if (cimMethodName.equal(WRITE_OPERATIONS[i]))
|
368 kumpf 1.3 {
369 writeOperation = true;
370 break;
371 }
372 }
373 }
374
|
375 ouyang.jian 1.27 #ifdef PEGASUS_OS_PASE
376 if (readOperation || writeOperation)
377 {
378 //Use OS/400 Application Administration to do cim operation verification
379 CString userCStr = userName.getCString();
380 const char * user = (const char *)userCStr;
381 CString cimMethCStr = cimMethodName.getString().getCString();
382 const char * cimMeth = (const char *)cimMethCStr;
383
384 CString nameSpaceCStr = nameSpace.getString().getCString();
385 const char * nameSpChar = (const char *)nameSpaceCStr;
386
387 int PaseAuth =
388 umeVerifyFunctionAuthorization(user,
389 cimMeth);
390
391 if (PaseAuth == TRUE)
392 authorized = true;
393
394 /* read operation needn't verify priviledUser */
395 if(authorized && writeOperation)
396 ouyang.jian 1.27 {
397 /*
398 The Application Admin checks
399 we have now cover all class/qualifier
400 operations to all namespaces.
401 But maybe this is not enough protection
402 for the private Pegasus namespaces.
403 We should call isPrivilegedUser
404 in this case instead of App Admin
405 */
406 if (strcasecmp(nameSpChar,"root/PG_Internal") == 0
407 ||strcasecmp(nameSpChar,"root/PG_InterOp") == 0
408 ||strcasecmp(nameSpChar,"PG_Internal") == 0
409 ||strcasecmp(nameSpChar,"PG_InterOp") == 0 )
410 {
411 if(!System::isPrivilegedUser(userName))
412 authorized = false;
413 }
414 }
415 }
416 #else
|
417 mike 1.2 //
418 // Get the authorization of the specified user and namespace
419 //
420 String auth;
421 try
422 {
423 auth = getAuthorization(userName, nameSpace);
424 }
|
425 kumpf 1.21 catch (Exception&)
|
426 mike 1.2 {
|
427 kumpf 1.7 PEG_METHOD_EXIT();
|
428 mike 1.2 return authorized;
429 }
430
|
431 kumpf 1.25 if ((String::equal(auth, "rw") || String::equal(auth, "wr")) &&
432 (readOperation || writeOperation))
|
433 mike 1.2 {
|
434 kumpf 1.3 authorized = true;
|
435 mike 1.2 }
|
436 kumpf 1.25 else if (String::equal(auth, "r") && readOperation)
|
437 mike 1.2 {
|
438 kumpf 1.3 authorized = true;
|
439 mike 1.2 }
|
440 kumpf 1.25 else if (String::equal(auth, "w") && writeOperation)
|
441 mike 1.2 {
|
442 kumpf 1.3 authorized = true;
|
443 mike 1.2 }
|
444 ouyang.jian 1.27 #endif
|
445 kumpf 1.5
|
446 kumpf 1.7 PEG_METHOD_EXIT();
|
447 mike 1.2
448 return authorized;
449 }
450
451 PEGASUS_NAMESPACE_END
452
453
|