|
version 1.81, 2008/01/11 19:44:50
|
version 1.82, 2008/03/11 17:33:17
|
|
|
|
| #include <Pegasus/Common/HTTPConnection.h> | #include <Pegasus/Common/HTTPConnection.h> |
| #include <Pegasus/Common/HTTPMessage.h> | #include <Pegasus/Common/HTTPMessage.h> |
| #include <Pegasus/Common/XmlWriter.h> | #include <Pegasus/Common/XmlWriter.h> |
| #include <Pegasus/Config/ConfigManager.h> |
|
| #include <Pegasus/Common/Thread.h> | #include <Pegasus/Common/Thread.h> |
| #include "HTTPAuthenticatorDelegator.h" |
|
| #include <Pegasus/Common/MessageLoader.h> | #include <Pegasus/Common/MessageLoader.h> |
| #include <Pegasus/Common/FileSystem.h> | #include <Pegasus/Common/FileSystem.h> |
| #include <Pegasus/Common/LanguageParser.h> | #include <Pegasus/Common/LanguageParser.h> |
| |
#include <Pegasus/Config/ConfigManager.h> |
| |
#include "HTTPAuthenticatorDelegator.h" |
| | |
| #ifdef PEGASUS_KERBEROS_AUTHENTICATION | #ifdef PEGASUS_KERBEROS_AUTHENTICATION |
| # include <Pegasus/Common/CIMKerberosSecurityAssociation.h> | # include <Pegasus/Common/CIMKerberosSecurityAssociation.h> |
|
|
|
| | |
| Message* message = dequeue(); | Message* message = dequeue(); |
| if (message) | if (message) |
| |
{ |
| handleEnqueue(message); | handleEnqueue(message); |
| |
} |
| | |
| PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
| } | } |
|
|
|
| PEG_TRACE_CSTRING(TRC_HTTP, Tracer::LEVEL3, | PEG_TRACE_CSTRING(TRC_HTTP, Tracer::LEVEL3, |
| "Client was authenticated via trusted SSL certificate."); | "Client was authenticated via trusted SSL certificate."); |
| | |
| String trustStore = configManager->getCurrentValue("sslTrustStore"); |
String trustStore = |
| |
configManager->getCurrentValue("sslTrustStore"); |
| | |
| if (FileSystem::isDirectory( | if (FileSystem::isDirectory( |
| ConfigManager::getHomedPath(trustStore))) | ConfigManager::getHomedPath(trustStore))) |
|
|
|
| PEG_TRACE_CSTRING(TRC_HTTP, Tracer::LEVEL4, | PEG_TRACE_CSTRING(TRC_HTTP, Tracer::LEVEL4, |
| "Truststore is a directory, lookup username"); | "Truststore is a directory, lookup username"); |
| | |
| // Get the client certificate chain to determine the correct |
// Get the client certificate chain to determine the |
| // username mapping. Starting with the peer certificate, |
// correct username mapping. Starting with the peer |
| // work your way up the chain towards the root certificate |
// certificate, work your way up the chain towards the |
| // until a match is found in the repository. |
// root certificate until a match is found in the |
| |
// repository. |
| Array<SSLCertificateInfo*> clientCertificateChain = | Array<SSLCertificateInfo*> clientCertificateChain = |
| httpMessage->authInfo->getClientCertificateChain(); | httpMessage->authInfo->getClientCertificateChain(); |
| SSLCertificateInfo* clientCertificate = NULL; | SSLCertificateInfo* clientCertificate = NULL; |
|
|
|
| MessageLoaderParms msgParms( | MessageLoaderParms msgParms( |
| "Pegasus.Server.HTTPAuthenticatorDelegator." | "Pegasus.Server.HTTPAuthenticatorDelegator." |
| "BAD_CERTIFICATE", | "BAD_CERTIFICATE", |
| "The certificate used for authentication is not " |
"The certificate used for authentication is " |
| "valid."); |
"not valid."); |
| String msg(MessageLoader::getMessage(msgParms)); |
|
| _sendHttpError( | _sendHttpError( |
| queueId, | queueId, |
| HTTP_STATUS_UNAUTHORIZED, | HTTP_STATUS_UNAUTHORIZED, |
| String::EMPTY, | String::EMPTY, |
| msg, |
MessageLoader::getMessage(msgParms), |
| closeConnect); | closeConnect); |
| PEG_METHOD_EXIT(); | PEG_METHOD_EXIT(); |
| return; | return; |
|
|
|
| "Certificate toString " + | "Certificate toString " + |
| clientCertificate->toString()); | clientCertificate->toString()); |
| | |
| //get certificate properties |
// Get certificate properties |
| issuerName = clientCertificate->getIssuerName(); | issuerName = clientCertificate->getIssuerName(); |
| sprintf(serialNumber, "%lu", | sprintf(serialNumber, "%lu", |
| clientCertificate->getSerialNumber()); | clientCertificate->getSerialNumber()); |
| subjectName = clientCertificate->getSubjectName(); | subjectName = clientCertificate->getSubjectName(); |
| | |
| // | // |
| // The truststore type key property is deprecated. To retain |
// The truststore type key property is deprecated. To |
| // backward compatibility, add the truststore type property |
// retain backward compatibility, add the truststore |
| // to the key bindings and set it to cimserver truststore. |
// type property to the key bindings and set it to |
| |
// cimserver truststore. |
| // | // |
| | |
| //construct the corresponding PG_SSLCertificate instance |
// Construct the corresponding PG_SSLCertificate |
| |
// instance |
| Array<CIMKeyBinding> keyBindings; | Array<CIMKeyBinding> keyBindings; |
| keyBindings.append(CIMKeyBinding( | keyBindings.append(CIMKeyBinding( |
| "IssuerName", issuerName, CIMKeyBinding::STRING)); | "IssuerName", issuerName, CIMKeyBinding::STRING)); |
| keyBindings.append(CIMKeyBinding( | keyBindings.append(CIMKeyBinding( |
| "SerialNumber", serialNumber, CIMKeyBinding::STRING)); |
"SerialNumber", |
| |
serialNumber, |
| |
CIMKeyBinding::STRING)); |
| keyBindings.append(CIMKeyBinding("TruststoreType", | keyBindings.append(CIMKeyBinding("TruststoreType", |
| PG_SSLCERTIFICATE_TSTYPE_VALUE_SERVER)); | PG_SSLCERTIFICATE_TSTYPE_VALUE_SERVER)); |
| | |
|
|
|
| keyBindings); | keyBindings); |
| | |
| PEG_TRACE_STRING(TRC_HTTP, Tracer::LEVEL4, | PEG_TRACE_STRING(TRC_HTTP, Tracer::LEVEL4, |
| "Client Certificate COP: " + cimObjectPath.toString()); |
"Client Certificate COP: " + |
| |
cimObjectPath.toString()); |
| | |
| CIMInstance cimInstance; | CIMInstance cimInstance; |
| CIMValue value; | CIMValue value; |
| Uint32 pos; | Uint32 pos; |
| String userName; | String userName; |
| | |
| //attempt to get the username registered to the certificate |
// Attempt to get the username registered to the |
| |
// certificate |
| try | try |
| { | { |
| cimInstance = _repository->getInstance( | cimInstance = _repository->getInstance( |
| PEGASUS_NAMESPACENAME_CERTIFICATE, cimObjectPath); |
PEGASUS_NAMESPACENAME_CERTIFICATE, |
| |
cimObjectPath); |
| | |
| pos = cimInstance.findProperty("RegisteredUserName"); |
pos = |
| |
cimInstance.findProperty("RegisteredUserName"); |
| | |
| if (pos != PEG_NOT_FOUND && | if (pos != PEG_NOT_FOUND && |
| !(value = cimInstance.getProperty(pos). | !(value = cimInstance.getProperty(pos). |
|
|
|
| if (userName.size()) | if (userName.size()) |
| { | { |
| PEG_TRACE_STRING(TRC_HTTP, Tracer::LEVEL3, | PEG_TRACE_STRING(TRC_HTTP, Tracer::LEVEL3, |
| "User name for certificate is " + userName); |
"User name for certificate is " + |
| |
userName); |
| certUserName = userName; | certUserName = userName; |
| break; | break; |
| } | } |
| | |
| // No user name is specified; continue up the chain |
// No user name is specified; continue up the |
| |
// chain |
| PEG_TRACE((TRC_HTTP, Tracer::LEVEL4, | PEG_TRACE((TRC_HTTP, Tracer::LEVEL4, |
| "The certificate at level %u has no " | "The certificate at level %u has no " |
| "associated username, moving up the chain", |
"associated username; moving up the " |
| |
"chain", |
| i)); | i)); |
| } | } |
| else | else |
|
|
|
| if (e.getCode() == CIM_ERR_NOT_FOUND) | if (e.getCode() == CIM_ERR_NOT_FOUND) |
| { | { |
| PEG_TRACE_CSTRING(TRC_HTTP, Tracer::LEVEL4, | PEG_TRACE_CSTRING(TRC_HTTP, Tracer::LEVEL4, |
| "No registration for this certificate, try " |
"No registration for this certificate; " |
| "next certificate in chain"); |
"try next certificate in chain"); |
| continue; | continue; |
| } | } |
| else | else |
|
|
|
| System::CIMSERVER, | System::CIMSERVER, |
| Logger::TRACE, | Logger::TRACE, |
| "HTTPAuthenticatorDelegator - Bailing, " | "HTTPAuthenticatorDelegator - Bailing, " |
| "the certificate used for authentication " |
"the certificate used for " |
| "is not valid."); |
"authentication is not valid."); |
| MessageLoaderParms msgParms( | MessageLoaderParms msgParms( |
| "Pegasus.Server.HTTPAuthenticatorDelegator." | "Pegasus.Server.HTTPAuthenticatorDelegator." |
| "BAD_CERTIFICATE", | "BAD_CERTIFICATE", |
| "The certificate used for authentication is " |
"The certificate used for authentication " |
| "not valid."); |
"is not valid."); |
| String msg(MessageLoader::getMessage(msgParms)); | String msg(MessageLoader::getMessage(msgParms)); |
| PEG_TRACE_STRING(TRC_HTTP, Tracer::LEVEL3, msg); | PEG_TRACE_STRING(TRC_HTTP, Tracer::LEVEL3, msg); |
| _sendHttpError( | _sendHttpError( |
|
|
|
| } | } |
| catch (...) | catch (...) |
| { | { |
| // this scenario can occur if a certificate cached |
// This scenario can occur if a certificate cached |
| // on the server was deleted openssl would not pick | // on the server was deleted openssl would not pick |
| // up the deletion but we would pick it up here when |
// up the deletion but we would pick it up here |
| // we went to look it up in the repository |
// when we went to look it up in the repository |
| Logger::put( | Logger::put( |
| Logger::ERROR_LOG, System::CIMSERVER, Logger::TRACE, |
Logger::ERROR_LOG, |
| |
System::CIMSERVER, |
| |
Logger::TRACE, |
| "HTTPAuthenticatorDelegator - Bailing, the " | "HTTPAuthenticatorDelegator - Bailing, the " |
| "certificate used for authentication is not " |
"certificate used for authentication is " |
| "valid."); |
"not valid."); |
| MessageLoaderParms msgParms( | MessageLoaderParms msgParms( |
| "Pegasus.Server.HTTPAuthenticatorDelegator." | "Pegasus.Server.HTTPAuthenticatorDelegator." |
| "BAD_CERTIFICATE", | "BAD_CERTIFICATE", |
| "The certificate used for authentication is not " |
"The certificate used for authentication is " |
| "valid."); |
"not valid."); |
| String msg(MessageLoader::getMessage(msgParms)); | String msg(MessageLoader::getMessage(msgParms)); |
| PEG_TRACE_STRING(TRC_HTTP, Tracer::LEVEL3, msg); | PEG_TRACE_STRING(TRC_HTTP, Tracer::LEVEL3, msg); |
| _sendHttpError( | _sendHttpError( |
|
|
|
| return; | return; |
| } | } |
| | |
| if (!_authenticationManager->validateUserForHttpAuth(certUserName)) |
if (!_authenticationManager->validateUserForHttpAuth( |
| |
certUserName)) |
| { | { |
| PEG_AUDIT_LOG(logCertificateBasedUserValidation( | PEG_AUDIT_LOG(logCertificateBasedUserValidation( |
| certUserName, | certUserName, |
|
|
|
| "Pegasus.Server.HTTPAuthenticatorDelegator." | "Pegasus.Server.HTTPAuthenticatorDelegator." |
| "CERTIFICATE_USER_NOT_VALID", | "CERTIFICATE_USER_NOT_VALID", |
| "User '$0' registered to this certificate is not a " | "User '$0' registered to this certificate is not a " |
| "valid user.", certUserName); |
"valid user.", |
| |
certUserName); |
| _sendHttpError( | _sendHttpError( |
| queueId, | queueId, |
| HTTP_STATUS_UNAUTHORIZED, | HTTP_STATUS_UNAUTHORIZED, |
|
|
|
| Logger::STANDARD_LOG, | Logger::STANDARD_LOG, |
| System::CIMSERVER, | System::CIMSERVER, |
| Logger::TRACE, | Logger::TRACE, |
| "HTTPAuthenticatorDelegator - The trusted client certificate " |
"HTTPAuthenticatorDelegator - The trusted client " |
| "is registered to $0.", |
"certificate is registered to $0.", |
| certUserName); | certUserName); |
| } // end AuthenticationInfoRep::AUTH_TYPE_SSL | } // end AuthenticationInfoRep::AUTH_TYPE_SSL |
| | |
Return to
HTTPAuthenticatorDelegator.cpp
CVS log
Up to [Pegasus] / pegasus / src / Pegasus / Server