version 1.81, 2008/01/11 19:44:50
|
version 1.82, 2008/03/11 17:33:17
|
|
|
#include <Pegasus/Common/HTTPConnection.h> | #include <Pegasus/Common/HTTPConnection.h> |
#include <Pegasus/Common/HTTPMessage.h> | #include <Pegasus/Common/HTTPMessage.h> |
#include <Pegasus/Common/XmlWriter.h> | #include <Pegasus/Common/XmlWriter.h> |
#include <Pegasus/Config/ConfigManager.h> |
|
#include <Pegasus/Common/Thread.h> | #include <Pegasus/Common/Thread.h> |
#include "HTTPAuthenticatorDelegator.h" |
|
#include <Pegasus/Common/MessageLoader.h> | #include <Pegasus/Common/MessageLoader.h> |
#include <Pegasus/Common/FileSystem.h> | #include <Pegasus/Common/FileSystem.h> |
#include <Pegasus/Common/LanguageParser.h> | #include <Pegasus/Common/LanguageParser.h> |
|
#include <Pegasus/Config/ConfigManager.h> |
|
#include "HTTPAuthenticatorDelegator.h" |
| |
#ifdef PEGASUS_KERBEROS_AUTHENTICATION | #ifdef PEGASUS_KERBEROS_AUTHENTICATION |
# include <Pegasus/Common/CIMKerberosSecurityAssociation.h> | # include <Pegasus/Common/CIMKerberosSecurityAssociation.h> |
|
|
| |
Message* message = dequeue(); | Message* message = dequeue(); |
if (message) | if (message) |
|
{ |
handleEnqueue(message); | handleEnqueue(message); |
|
} |
| |
PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
} | } |
|
|
PEG_TRACE_CSTRING(TRC_HTTP, Tracer::LEVEL3, | PEG_TRACE_CSTRING(TRC_HTTP, Tracer::LEVEL3, |
"Client was authenticated via trusted SSL certificate."); | "Client was authenticated via trusted SSL certificate."); |
| |
String trustStore = configManager->getCurrentValue("sslTrustStore"); |
String trustStore = |
|
configManager->getCurrentValue("sslTrustStore"); |
| |
if (FileSystem::isDirectory( | if (FileSystem::isDirectory( |
ConfigManager::getHomedPath(trustStore))) | ConfigManager::getHomedPath(trustStore))) |
|
|
PEG_TRACE_CSTRING(TRC_HTTP, Tracer::LEVEL4, | PEG_TRACE_CSTRING(TRC_HTTP, Tracer::LEVEL4, |
"Truststore is a directory, lookup username"); | "Truststore is a directory, lookup username"); |
| |
// Get the client certificate chain to determine the correct |
// Get the client certificate chain to determine the |
// username mapping. Starting with the peer certificate, |
// correct username mapping. Starting with the peer |
// work your way up the chain towards the root certificate |
// certificate, work your way up the chain towards the |
// until a match is found in the repository. |
// root certificate until a match is found in the |
|
// repository. |
Array<SSLCertificateInfo*> clientCertificateChain = | Array<SSLCertificateInfo*> clientCertificateChain = |
httpMessage->authInfo->getClientCertificateChain(); | httpMessage->authInfo->getClientCertificateChain(); |
SSLCertificateInfo* clientCertificate = NULL; | SSLCertificateInfo* clientCertificate = NULL; |
|
|
MessageLoaderParms msgParms( | MessageLoaderParms msgParms( |
"Pegasus.Server.HTTPAuthenticatorDelegator." | "Pegasus.Server.HTTPAuthenticatorDelegator." |
"BAD_CERTIFICATE", | "BAD_CERTIFICATE", |
"The certificate used for authentication is not " |
"The certificate used for authentication is " |
"valid."); |
"not valid."); |
String msg(MessageLoader::getMessage(msgParms)); |
|
_sendHttpError( | _sendHttpError( |
queueId, | queueId, |
HTTP_STATUS_UNAUTHORIZED, | HTTP_STATUS_UNAUTHORIZED, |
String::EMPTY, | String::EMPTY, |
msg, |
MessageLoader::getMessage(msgParms), |
closeConnect); | closeConnect); |
PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
return; | return; |
|
|
"Certificate toString " + | "Certificate toString " + |
clientCertificate->toString()); | clientCertificate->toString()); |
| |
//get certificate properties |
// Get certificate properties |
issuerName = clientCertificate->getIssuerName(); | issuerName = clientCertificate->getIssuerName(); |
sprintf(serialNumber, "%lu", | sprintf(serialNumber, "%lu", |
clientCertificate->getSerialNumber()); | clientCertificate->getSerialNumber()); |
subjectName = clientCertificate->getSubjectName(); | subjectName = clientCertificate->getSubjectName(); |
| |
// | // |
// The truststore type key property is deprecated. To retain |
// The truststore type key property is deprecated. To |
// backward compatibility, add the truststore type property |
// retain backward compatibility, add the truststore |
// to the key bindings and set it to cimserver truststore. |
// type property to the key bindings and set it to |
|
// cimserver truststore. |
// | // |
| |
//construct the corresponding PG_SSLCertificate instance |
// Construct the corresponding PG_SSLCertificate |
|
// instance |
Array<CIMKeyBinding> keyBindings; | Array<CIMKeyBinding> keyBindings; |
keyBindings.append(CIMKeyBinding( | keyBindings.append(CIMKeyBinding( |
"IssuerName", issuerName, CIMKeyBinding::STRING)); | "IssuerName", issuerName, CIMKeyBinding::STRING)); |
keyBindings.append(CIMKeyBinding( | keyBindings.append(CIMKeyBinding( |
"SerialNumber", serialNumber, CIMKeyBinding::STRING)); |
"SerialNumber", |
|
serialNumber, |
|
CIMKeyBinding::STRING)); |
keyBindings.append(CIMKeyBinding("TruststoreType", | keyBindings.append(CIMKeyBinding("TruststoreType", |
PG_SSLCERTIFICATE_TSTYPE_VALUE_SERVER)); | PG_SSLCERTIFICATE_TSTYPE_VALUE_SERVER)); |
| |
|
|
keyBindings); | keyBindings); |
| |
PEG_TRACE_STRING(TRC_HTTP, Tracer::LEVEL4, | PEG_TRACE_STRING(TRC_HTTP, Tracer::LEVEL4, |
"Client Certificate COP: " + cimObjectPath.toString()); |
"Client Certificate COP: " + |
|
cimObjectPath.toString()); |
| |
CIMInstance cimInstance; | CIMInstance cimInstance; |
CIMValue value; | CIMValue value; |
Uint32 pos; | Uint32 pos; |
String userName; | String userName; |
| |
//attempt to get the username registered to the certificate |
// Attempt to get the username registered to the |
|
// certificate |
try | try |
{ | { |
cimInstance = _repository->getInstance( | cimInstance = _repository->getInstance( |
PEGASUS_NAMESPACENAME_CERTIFICATE, cimObjectPath); |
PEGASUS_NAMESPACENAME_CERTIFICATE, |
|
cimObjectPath); |
| |
pos = cimInstance.findProperty("RegisteredUserName"); |
pos = |
|
cimInstance.findProperty("RegisteredUserName"); |
| |
if (pos != PEG_NOT_FOUND && | if (pos != PEG_NOT_FOUND && |
!(value = cimInstance.getProperty(pos). | !(value = cimInstance.getProperty(pos). |
|
|
if (userName.size()) | if (userName.size()) |
{ | { |
PEG_TRACE_STRING(TRC_HTTP, Tracer::LEVEL3, | PEG_TRACE_STRING(TRC_HTTP, Tracer::LEVEL3, |
"User name for certificate is " + userName); |
"User name for certificate is " + |
|
userName); |
certUserName = userName; | certUserName = userName; |
break; | break; |
} | } |
| |
// No user name is specified; continue up the chain |
// No user name is specified; continue up the |
|
// chain |
PEG_TRACE((TRC_HTTP, Tracer::LEVEL4, | PEG_TRACE((TRC_HTTP, Tracer::LEVEL4, |
"The certificate at level %u has no " | "The certificate at level %u has no " |
"associated username, moving up the chain", |
"associated username; moving up the " |
|
"chain", |
i)); | i)); |
} | } |
else | else |
|
|
if (e.getCode() == CIM_ERR_NOT_FOUND) | if (e.getCode() == CIM_ERR_NOT_FOUND) |
{ | { |
PEG_TRACE_CSTRING(TRC_HTTP, Tracer::LEVEL4, | PEG_TRACE_CSTRING(TRC_HTTP, Tracer::LEVEL4, |
"No registration for this certificate, try " |
"No registration for this certificate; " |
"next certificate in chain"); |
"try next certificate in chain"); |
continue; | continue; |
} | } |
else | else |
|
|
System::CIMSERVER, | System::CIMSERVER, |
Logger::TRACE, | Logger::TRACE, |
"HTTPAuthenticatorDelegator - Bailing, " | "HTTPAuthenticatorDelegator - Bailing, " |
"the certificate used for authentication " |
"the certificate used for " |
"is not valid."); |
"authentication is not valid."); |
MessageLoaderParms msgParms( | MessageLoaderParms msgParms( |
"Pegasus.Server.HTTPAuthenticatorDelegator." | "Pegasus.Server.HTTPAuthenticatorDelegator." |
"BAD_CERTIFICATE", | "BAD_CERTIFICATE", |
"The certificate used for authentication is " |
"The certificate used for authentication " |
"not valid."); |
"is not valid."); |
String msg(MessageLoader::getMessage(msgParms)); | String msg(MessageLoader::getMessage(msgParms)); |
PEG_TRACE_STRING(TRC_HTTP, Tracer::LEVEL3, msg); | PEG_TRACE_STRING(TRC_HTTP, Tracer::LEVEL3, msg); |
_sendHttpError( | _sendHttpError( |
|
|
} | } |
catch (...) | catch (...) |
{ | { |
// this scenario can occur if a certificate cached |
// This scenario can occur if a certificate cached |
// on the server was deleted openssl would not pick | // on the server was deleted openssl would not pick |
// up the deletion but we would pick it up here when |
// up the deletion but we would pick it up here |
// we went to look it up in the repository |
// when we went to look it up in the repository |
Logger::put( | Logger::put( |
Logger::ERROR_LOG, System::CIMSERVER, Logger::TRACE, |
Logger::ERROR_LOG, |
|
System::CIMSERVER, |
|
Logger::TRACE, |
"HTTPAuthenticatorDelegator - Bailing, the " | "HTTPAuthenticatorDelegator - Bailing, the " |
"certificate used for authentication is not " |
"certificate used for authentication is " |
"valid."); |
"not valid."); |
MessageLoaderParms msgParms( | MessageLoaderParms msgParms( |
"Pegasus.Server.HTTPAuthenticatorDelegator." | "Pegasus.Server.HTTPAuthenticatorDelegator." |
"BAD_CERTIFICATE", | "BAD_CERTIFICATE", |
"The certificate used for authentication is not " |
"The certificate used for authentication is " |
"valid."); |
"not valid."); |
String msg(MessageLoader::getMessage(msgParms)); | String msg(MessageLoader::getMessage(msgParms)); |
PEG_TRACE_STRING(TRC_HTTP, Tracer::LEVEL3, msg); | PEG_TRACE_STRING(TRC_HTTP, Tracer::LEVEL3, msg); |
_sendHttpError( | _sendHttpError( |
|
|
return; | return; |
} | } |
| |
if (!_authenticationManager->validateUserForHttpAuth(certUserName)) |
if (!_authenticationManager->validateUserForHttpAuth( |
|
certUserName)) |
{ | { |
PEG_AUDIT_LOG(logCertificateBasedUserValidation( | PEG_AUDIT_LOG(logCertificateBasedUserValidation( |
certUserName, | certUserName, |
|
|
"Pegasus.Server.HTTPAuthenticatorDelegator." | "Pegasus.Server.HTTPAuthenticatorDelegator." |
"CERTIFICATE_USER_NOT_VALID", | "CERTIFICATE_USER_NOT_VALID", |
"User '$0' registered to this certificate is not a " | "User '$0' registered to this certificate is not a " |
"valid user.", certUserName); |
"valid user.", |
|
certUserName); |
_sendHttpError( | _sendHttpError( |
queueId, | queueId, |
HTTP_STATUS_UNAUTHORIZED, | HTTP_STATUS_UNAUTHORIZED, |
|
|
Logger::STANDARD_LOG, | Logger::STANDARD_LOG, |
System::CIMSERVER, | System::CIMSERVER, |
Logger::TRACE, | Logger::TRACE, |
"HTTPAuthenticatorDelegator - The trusted client certificate " |
"HTTPAuthenticatorDelegator - The trusted client " |
"is registered to $0.", |
"certificate is registered to $0.", |
certUserName); | certUserName); |
} // end AuthenticationInfoRep::AUTH_TYPE_SSL | } // end AuthenticationInfoRep::AUTH_TYPE_SSL |
| |
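Review bot: The SerialNumber key binding used to look up the certificate's RegisteredUserName is built with `sprintf(serialNumber, "%lu", clientCertificate->getSerialNumber());` (unchanged context just after the "Get certificate properties" comment), which limits the serial to what fits in an unsigned long, while RFC 5280 permits serial numbers of up to 20 octets; if `getSerialNumber()` narrows the ASN.1 integer, two distinct certificates from the same issuer could collide on the (IssuerName, SerialNumber) lookup and the wrong registered user could be selected, so it is worth confirming what `SSLCertificateInfo::getSerialNumber()` returns and carrying the full serial as a string if it can exceed 64 bits. The `serialNumber` buffer is declared outside this section, so I cannot confirm it is sized for the widest `%lu` rendering plus the terminator; `snprintf(serialNumber, sizeof serialNumber, "%lu", clientCertificate->getSerialNumber());` would make the bound explicit at the call. The commit itself only re-wraps lines to 80 columns, recases comments and inlines the `msg` temporary in the first BAD_CERTIFICATE error path, so none of this is affected by it. The enclosing function begins and ends outside this section.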