00001
00002
00003
00004
00005
00006
00007
00008
00009
00010
00011
00012
00013
00014
00015
00016
00017
00018
00019
00020
00021
00022
00023
00024
00025
00026
00027
00028
00029
00030
00035 #include "OW_config.h"
00036 #include "OW_SimpleAuthorizer2.hpp"
00037 #include "OW_Assertion.hpp"
00038 #include "OW_UserInfo.hpp"
00039 #include "OW_OperationContext.hpp"
00040 #include "OW_Logger.hpp"
00041 #include "OW_Format.hpp"
00042 #include "OW_ConfigOpts.hpp"
00043 #include "OW_CIMClass.hpp"
00044 #include "OW_CIMValue.hpp"
00045 #include "OW_CIMException.hpp"
00046 #include "OW_CIMObjectPath.hpp"
00047 #include "OW_CIMInstance.hpp"
00048 #include "OW_CIMProperty.hpp"
00049 #include "OW_CIMQualifierType.hpp"
00050 #include "OW_CIMOMHandleIFC.hpp"
00051
00052 #include <cstring>
00053
00054 namespace OW_NAMESPACE
00055 {
00056
00057 using namespace WBEMFlags;
00058
00059 namespace
00060 {
00061 const String ACCESS_READ("r");
00062 const String ACCESS_WRITE("w");
00063 const String ACCESS_READWRITE("rw");
00064 const String COMPONENT_NAME = "ow.authorizer.simple2";
00065 }
00066
00068 SimpleAuthorizer2::SimpleAuthorizer2()
00069 : Authorizer2IFC()
00070 {
00071 }
00073 SimpleAuthorizer2::~SimpleAuthorizer2()
00074 {
00075 }
00076
00078 bool
00079 SimpleAuthorizer2::checkAccess(const String& opType, const String& ns,
00080 const ServiceEnvironmentIFCRef& env, OperationContext& context)
00081 {
00082 OW_ASSERT(opType == ACCESS_READ || opType == ACCESS_WRITE
00083 || opType == ACCESS_READWRITE);
00084
00085 UserInfo userInfo = context.getUserInfo();
00086 if (userInfo.getInternal())
00087 {
00088 return true;
00089 }
00090
00091 CIMOMHandleIFCRef lch = env->getCIMOMHandle(context,
00092 ServiceEnvironmentIFC::E_USE_PROVIDERS);
00093
00094 LoggerRef lgr = env->getLogger(COMPONENT_NAME);
00095
00096 if (!userInfo.getUserName().empty())
00097 {
00098 String superUser =
00099 env->getConfigItem(ConfigOpts::ACL_SUPERUSER_opt);
00100 if (superUser.equalsIgnoreCase(userInfo.getUserName()))
00101 {
00102 OW_LOG_DEBUG(lgr, "User is SuperUser: checkAccess returning.");
00103 return true;
00104 }
00105 }
00106
00107 String lns(ns);
00108 while (lns.startsWith('/'))
00109 {
00110 lns = lns.substring(1);
00111 }
00112 lns.toLowerCase();
00113 for (;;)
00114 {
00115 if (!userInfo.getUserName().empty())
00116 {
00117 try
00118 {
00119 CIMClass cc = lch->getClass("root/security",
00120 "OpenWBEM_UserACL", E_NOT_LOCAL_ONLY, E_INCLUDE_QUALIFIERS,
00121 E_INCLUDE_CLASS_ORIGIN, NULL);
00122 }
00123 catch(CIMException&)
00124 {
00125 OW_LOG_DEBUG(lgr, "OpenWBEM_UserACL class non-existent in"
00126 " /root/security. ACLs disabled");
00127 return true;
00128 }
00129
00130 CIMObjectPath cop("OpenWBEM_UserACL");
00131 cop.setKeyValue("username", CIMValue(userInfo.getUserName()));
00132 cop.setKeyValue("nspace", CIMValue(lns));
00133 CIMInstance ci(CIMNULL);
00134 try
00135 {
00136 ci = lch->getInstance("root/security", cop,
00137 E_NOT_LOCAL_ONLY, E_INCLUDE_QUALIFIERS,
00138 E_INCLUDE_CLASS_ORIGIN, NULL);
00139 }
00140 catch(const CIMException&)
00141 {
00142 ci.setNull();
00143 }
00144 if (ci)
00145 {
00146 String capability;
00147 CIMProperty capabilityProp = ci.getProperty("capability");
00148 if (capabilityProp)
00149 {
00150 CIMValue cv = capabilityProp.getValue();
00151 if (cv)
00152 {
00153 capability = cv.toString();
00154 }
00155 }
00156
00157 capability.toLowerCase();
00158 if (opType.length() == 1)
00159 {
00160 if (capability.indexOf(opType) == String::npos)
00161 {
00162
00163 OW_THROWCIM(CIMException::ACCESS_DENIED);
00164 }
00165 }
00166 else
00167 {
00168 if (!capability.equals("rw") && !capability.equals("wr"))
00169 {
00170
00171 OW_THROWCIM(CIMException::ACCESS_DENIED);
00172 }
00173 }
00174
00175
00176 return true;
00177 }
00178 }
00179
00180
00181 try
00182 {
00183 CIMClass cc = lch->getClass("root/security",
00184 "OpenWBEM_NamespaceACL", E_NOT_LOCAL_ONLY, E_INCLUDE_QUALIFIERS,
00185 E_INCLUDE_CLASS_ORIGIN, NULL);
00186 }
00187 catch(CIMException&)
00188 {
00189
00190
00191 return true;
00192 }
00193 CIMObjectPath cop("OpenWBEM_NamespaceACL");
00194 cop.setKeyValue("nspace", CIMValue(lns));
00195 CIMInstance ci(CIMNULL);
00196 try
00197 {
00198 ci = lch->getInstance("root/security", cop, E_NOT_LOCAL_ONLY,
00199 E_INCLUDE_QUALIFIERS, E_INCLUDE_CLASS_ORIGIN, NULL);
00200 }
00201 catch(const CIMException& ce)
00202 {
00203 OW_LOG_DEBUG(lgr, Format("Caught exception: %1 in"
00204 " AccessMgr::checkAccess. line=%2", ce, __LINE__));
00205 ci.setNull();
00206 }
00207
00208 if (ci)
00209 {
00210 String capability;
00211 CIMProperty capabilityProp = ci.getProperty("capability");
00212 if (capabilityProp)
00213 {
00214 CIMValue v = capabilityProp.getValue();
00215 if (v)
00216 {
00217 capability = v.toString();
00218 }
00219 }
00220
00221 capability.toLowerCase();
00222 if (opType.length() == 1)
00223 {
00224 if (capability.indexOf(opType) == String::npos)
00225 {
00226
00227 OW_THROWCIM(CIMException::ACCESS_DENIED);
00228 }
00229 }
00230 else
00231 {
00232 if (!capability.equals("rw") && !capability.equals("wr"))
00233 {
00234
00235 OW_THROWCIM(CIMException::ACCESS_DENIED);
00236 }
00237 }
00238
00239
00240 return true;
00241 }
00242 size_t idx = lns.lastIndexOf('/');
00243 if (idx == 0 || idx == String::npos)
00244 {
00245 break;
00246 }
00247 lns = lns.substring(0, idx);
00248 }
00249
00250
00251 OW_THROWCIM(CIMException::ACCESS_DENIED);
00252 return false;
00253 }
00254
00256 bool
00257 SimpleAuthorizer2::doAllowReadInstance(
00258 const ServiceEnvironmentIFCRef& env,
00259 const String& ns,
00260 const String& className,
00261 const StringArray* clientPropertyList,
00262 StringArray& authorizedPropertyList,
00263 OperationContext& context)
00264 {
00265 return checkAccess(ACCESS_READ, ns, env, context);
00266 }
00267 #ifndef OW_DISABLE_INSTANCE_MANIPULATION
00268
00269 bool
00270 SimpleAuthorizer2::doAllowWriteInstance(
00271 const ServiceEnvironmentIFCRef& env,
00272 const String& ns,
00273 const CIMObjectPath& instanceName,
00274 Authorizer2IFC::EDynamicFlag dynamic,
00275 Authorizer2IFC::EWriteFlag flag,
00276 OperationContext& context)
00277 {
00278 return checkAccess(ACCESS_WRITE, ns, env, context);
00279 }
00280 #endif
00281
00282 bool
00283 SimpleAuthorizer2::doAllowReadSchema(
00284 const ServiceEnvironmentIFCRef& env,
00285 const String& ns,
00286 OperationContext& context)
00287 {
00288 return checkAccess(ACCESS_READ, ns, env, context);
00289 }
00290 #if !defined(OW_DISABLE_SCHEMA_MANIPULATION) || !defined(OW_DISABLE_QUALIFIER_DECLARATION)
00291
00292 bool
00293 SimpleAuthorizer2::doAllowWriteSchema(
00294 const ServiceEnvironmentIFCRef& env,
00295 const String& ns,
00296 Authorizer2IFC::EWriteFlag flag,
00297 OperationContext& context)
00298 {
00299 return checkAccess(ACCESS_WRITE, ns, env, context);
00300 }
00301 #endif
00302
00303 bool
00304 SimpleAuthorizer2::doAllowAccessToNameSpace(
00305 const ServiceEnvironmentIFCRef& env,
00306 const String& ns,
00307 Authorizer2IFC::EAccessType accessType,
00308 OperationContext& context)
00309 {
00310 String actype;
00311 switch (accessType)
00312 {
00313 case Authorizer2IFC::E_READ:
00314 actype = ACCESS_READ;
00315 break;
00316 case Authorizer2IFC::E_WRITE:
00317 actype = ACCESS_WRITE;
00318 break;
00319 default:
00320 actype = ACCESS_READWRITE;
00321 break;
00322 }
00323
00324 return checkAccess(actype, ns, env, context);
00325 }
00326 #if !defined(OW_DISABLE_INSTANCE_MANIPULATION) && !defined(OW_DISABLE_NAMESPACE_MANIPULATION)
00327
00328 bool
00329 SimpleAuthorizer2::doAllowCreateNameSpace(
00330 const ServiceEnvironmentIFCRef& env,
00331 const String& ns_,
00332 OperationContext& context)
00333 {
00334 return doAllowAccessToNameSpace(env, ns_, Authorizer2IFC::E_WRITE,
00335 context);
00336 }
00338 bool
00339 SimpleAuthorizer2::doAllowDeleteNameSpace(
00340 const ServiceEnvironmentIFCRef& env,
00341 const String& ns_,
00342 OperationContext& context)
00343 {
00344 return doAllowAccessToNameSpace(env, ns_, Authorizer2IFC::E_WRITE,
00345 context);
00346 }
00347 #endif
00348
00349 bool
00350 SimpleAuthorizer2::doAllowEnumNameSpace(
00351 const ServiceEnvironmentIFCRef& env,
00352 OperationContext& context)
00353 {
00354 return true;
00355 }
00357 bool
00358 SimpleAuthorizer2::doAllowMethodInvocation(
00359 const ServiceEnvironmentIFCRef& env,
00360 const String& ns,
00361 const CIMObjectPath& path,
00362 const String& methodName,
00363 OperationContext& context)
00364 {
00365 return checkAccess(ACCESS_READWRITE, ns, env, context);
00366 }
00367
00368 }
00369
00370
00371 OW_AUTHORIZER2_FACTORY(OpenWBEM::SimpleAuthorizer2, simple);