2012-10-16 13:42:59 +00:00
|
|
|
diff -up pegasus/src/Executor/Messages.h.orig pegasus/src/Executor/Messages.h
|
2015-04-08 11:11:12 +00:00
|
|
|
--- pegasus/src/Executor/Messages.h.orig 2015-03-31 14:49:58.125082973 +0200
|
|
|
|
+++ pegasus/src/Executor/Messages.h 2015-03-31 14:50:29.243214138 +0200
|
2012-10-16 13:42:59 +00:00
|
|
|
@@ -199,6 +199,7 @@ struct ExecutorAuthenticatePasswordReque
|
|
|
|
{
|
|
|
|
char username[EXECUTOR_BUFFER_SIZE];
|
|
|
|
char password[EXECUTOR_BUFFER_SIZE];
|
|
|
|
+ Boolean isRemoteUser;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct ExecutorAuthenticatePasswordResponse
|
|
|
|
diff -up pegasus/src/Executor/PAMAuth.h.orig pegasus/src/Executor/PAMAuth.h
|
2015-04-08 11:11:12 +00:00
|
|
|
--- pegasus/src/Executor/PAMAuth.h.orig 2015-03-31 14:50:48.589295683 +0200
|
|
|
|
+++ pegasus/src/Executor/PAMAuth.h 2015-03-31 14:57:25.561982718 +0200
|
2009-06-16 12:09:03 +00:00
|
|
|
@@ -49,6 +49,9 @@
|
2008-11-11 13:39:19 +00:00
|
|
|
#include <Executor/Defines.h>
|
|
|
|
#include <Executor/Socket.h>
|
|
|
|
|
|
|
|
+#include <syslog.h>
|
2012-10-16 13:42:59 +00:00
|
|
|
+typedef bool Boolean;
|
2008-11-11 13:39:19 +00:00
|
|
|
+
|
2011-02-16 10:39:40 +00:00
|
|
|
#ifdef PEGASUS_FLAVOR
|
|
|
|
# define PAM_CONFIG_FILE "wbem" PEGASUS_FLAVOR
|
|
|
|
#else
|
2013-09-03 10:30:53 +00:00
|
|
|
@@ -397,7 +400,7 @@ static int PAMValidateUserCallback(
|
2008-11-11 13:39:19 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
static int PAMAuthenticateInProcess(
|
|
|
|
- const char* username, const char* password)
|
|
|
|
+ const char* username, const char* password, const Boolean isRemoteUser)
|
|
|
|
{
|
|
|
|
PAMData data;
|
|
|
|
struct pam_conv pconv;
|
2013-09-03 10:30:53 +00:00
|
|
|
@@ -412,24 +415,54 @@ static int PAMAuthenticateInProcess(
|
|
|
|
/* intentionally for testing purposes */
|
|
|
|
/* return PAM_SERVICE_ERR; */
|
2008-11-11 13:39:19 +00:00
|
|
|
|
2013-09-03 10:30:53 +00:00
|
|
|
- pam_rc = pam_start(PAM_CONFIG_FILE, username, &pconv, &handle);
|
2008-11-11 13:39:19 +00:00
|
|
|
+ // NOTE: if any pam call should log anything, our syslog socket will be redirected
|
|
|
|
+ // to the AUTH facility, so we need to redirect it back after each pam call.
|
2015-04-08 11:11:12 +00:00
|
|
|
+
|
2013-09-03 10:30:53 +00:00
|
|
|
+ if ((pam_rc = pam_start(PAM_CONFIG_FILE, username, &pconv, &handle)) != PAM_SUCCESS)
|
2015-04-08 11:11:12 +00:00
|
|
|
+ {
|
2008-11-11 13:39:19 +00:00
|
|
|
+ closelog();
|
|
|
|
+ openlog("cimserver", LOG_PID, LOG_DAEMON);
|
2013-09-03 10:30:53 +00:00
|
|
|
+ syslog(LOG_ERR, "pam_start failed: %s", pam_strerror(handle, pam_rc));
|
2008-11-11 13:39:19 +00:00
|
|
|
+ syslog(LOG_ERR, "PAM authentication failed for %s user: %s",
|
|
|
|
+ isRemoteUser ? "remote" : "local", username);
|
|
|
|
+ return -1;
|
2015-04-08 11:11:12 +00:00
|
|
|
+ }
|
2008-11-11 13:39:19 +00:00
|
|
|
|
2013-09-03 10:30:53 +00:00
|
|
|
- if (pam_rc != PAM_SUCCESS)
|
|
|
|
+ if ((pam_rc = pam_set_item(handle, PAM_TTY, isRemoteUser ? "wbemNetwork" : "wbemLocal")) != PAM_SUCCESS)
|
|
|
|
{
|
|
|
|
- return pam_rc;
|
2015-04-08 11:11:12 +00:00
|
|
|
+ pam_end(handle, 0);
|
2008-11-11 13:39:19 +00:00
|
|
|
+ closelog();
|
|
|
|
+ openlog("cimserver", LOG_PID, LOG_DAEMON);
|
2013-09-03 10:30:53 +00:00
|
|
|
+ syslog(LOG_ERR, "pam_set_item(PAM_TTY=wbem) failed: %s", pam_strerror(handle, pam_rc));
|
2008-11-11 13:39:19 +00:00
|
|
|
+ syslog(LOG_ERR, "PAM authentication failed for %s user: %s",
|
|
|
|
+ isRemoteUser ? "remote" : "local", username);
|
2013-09-03 10:30:53 +00:00
|
|
|
+ return -1;
|
|
|
|
}
|
2008-11-11 13:39:19 +00:00
|
|
|
|
2015-04-08 11:11:12 +00:00
|
|
|
- pam_rc = pam_authenticate(handle, 0);
|
|
|
|
- if (pam_rc != PAM_SUCCESS)
|
2013-09-03 10:30:53 +00:00
|
|
|
+ if ((pam_rc = pam_authenticate(handle, 0)) != PAM_SUCCESS)
|
2015-04-08 11:11:12 +00:00
|
|
|
{
|
|
|
|
pam_end(handle, 0);
|
|
|
|
- return pam_rc;
|
2008-11-11 13:39:19 +00:00
|
|
|
+ closelog();
|
|
|
|
+ openlog("cimserver", LOG_PID, LOG_DAEMON);
|
2013-09-03 10:30:53 +00:00
|
|
|
+ syslog(LOG_ERR, "pam_authenticate failed: %s",pam_strerror(handle, pam_rc));
|
2008-11-11 13:39:19 +00:00
|
|
|
+ syslog(LOG_ERR, "PAM authentication failed for %s user: %s",
|
|
|
|
+ isRemoteUser ? "remote" : "local", username);
|
2013-09-03 10:30:53 +00:00
|
|
|
+ return -1;
|
2015-04-08 11:11:12 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
- pam_rc = pam_acct_mgmt(handle, 0);
|
2013-09-03 10:30:53 +00:00
|
|
|
+ if ((pam_rc = pam_acct_mgmt(handle, 0)) != PAM_SUCCESS)
|
|
|
|
+ {
|
|
|
|
+ pam_end(handle, 0);
|
2008-11-11 13:39:19 +00:00
|
|
|
+ closelog();
|
|
|
|
+ openlog("cimserver", LOG_PID, LOG_DAEMON);
|
2013-09-03 10:30:53 +00:00
|
|
|
+ syslog(LOG_ERR, "pam_acct_mgmt failed: %s",pam_strerror(handle, pam_rc));
|
2008-11-11 13:39:19 +00:00
|
|
|
+ syslog(LOG_ERR, "PAM authentication failed for %s user: %s",
|
|
|
|
+ isRemoteUser ? "remote" : "local", username);
|
2013-09-03 10:30:53 +00:00
|
|
|
+ return -1;
|
2015-04-08 11:11:12 +00:00
|
|
|
+ }
|
2008-11-11 13:39:19 +00:00
|
|
|
|
2013-09-03 10:30:53 +00:00
|
|
|
pam_end(handle, 0);
|
|
|
|
- return pam_rc;
|
|
|
|
+ return 0;
|
|
|
|
}
|
2008-11-11 13:39:19 +00:00
|
|
|
|
2013-09-03 10:30:53 +00:00
|
|
|
/*
|
|
|
|
@@ -452,16 +485,34 @@ static int PAMValidateUserInProcess(cons
|
2008-11-11 13:39:19 +00:00
|
|
|
pconv.conv = PAMValidateUserCallback;
|
|
|
|
pconv.appdata_ptr = &data;
|
|
|
|
|
2013-09-03 10:30:53 +00:00
|
|
|
- pam_rc = pam_start(PAM_CONFIG_FILE, username, &pconv, &phandle);
|
|
|
|
- if (pam_rc != PAM_SUCCESS)
|
|
|
|
+ if ((pam_rc = pam_start(PAM_CONFIG_FILE, username, &pconv, &phandle)) != PAM_SUCCESS)
|
2015-04-08 11:11:12 +00:00
|
|
|
+ {
|
2013-09-03 10:30:53 +00:00
|
|
|
+ closelog();
|
|
|
|
+ openlog("cimserver", LOG_PID, LOG_DAEMON);
|
|
|
|
+ syslog(LOG_ERR, "pam_start() failed: %s", pam_strerror(phandle, pam_rc));
|
|
|
|
+ return -1;
|
2015-04-08 11:11:12 +00:00
|
|
|
+ }
|
|
|
|
+
|
2013-09-03 10:30:53 +00:00
|
|
|
+ if ((pam_rc = pam_set_item(phandle, PAM_TTY, "wbemLocal")) != PAM_SUCCESS)
|
2015-04-08 11:11:12 +00:00
|
|
|
{
|
|
|
|
- return pam_rc;
|
2013-09-03 10:30:53 +00:00
|
|
|
+ pam_end(phandle, 0);
|
2008-11-11 13:39:19 +00:00
|
|
|
+ closelog();
|
|
|
|
+ openlog("cimserver", LOG_PID, LOG_DAEMON);
|
2013-09-03 10:30:53 +00:00
|
|
|
+ syslog(LOG_ERR, "pam_set_item(PAM_TTY=wbemLocal) failed: %s", pam_strerror(phandle, pam_rc));
|
|
|
|
+ return -1;
|
2015-04-08 11:11:12 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
- pam_rc = pam_acct_mgmt(phandle, 0);
|
2013-09-03 10:30:53 +00:00
|
|
|
+ if ((pam_rc = pam_acct_mgmt(phandle, 0)) != PAM_SUCCESS)
|
2008-11-11 13:39:19 +00:00
|
|
|
+ {
|
|
|
|
+ pam_end(phandle, 0);
|
|
|
|
+ closelog();
|
|
|
|
+ openlog("cimserver", LOG_PID, LOG_DAEMON);
|
2013-09-03 10:30:53 +00:00
|
|
|
+ syslog(LOG_ERR, "pam_acct_mgmt() failed: %s", pam_strerror(phandle, pam_rc));
|
2008-11-11 13:39:19 +00:00
|
|
|
+ return -1;
|
|
|
|
+ }
|
|
|
|
|
2013-09-03 10:30:53 +00:00
|
|
|
pam_end(phandle, 0);
|
|
|
|
- return pam_rc;
|
|
|
|
+ return 0;
|
|
|
|
}
|
2008-11-11 13:39:19 +00:00
|
|
|
|
2013-09-03 10:30:53 +00:00
|
|
|
/*
|
|
|
|
@@ -474,12 +525,12 @@ static int PAMValidateUserInProcess(cons
|
2008-11-11 13:39:19 +00:00
|
|
|
**==============================================================================
|
|
|
|
*/
|
|
|
|
|
|
|
|
-static int PAMAuthenticate(const char* username, const char* password)
|
|
|
|
+static int PAMAuthenticate(const char* username, const char* password, const Boolean isRemoteUser)
|
|
|
|
{
|
|
|
|
#ifdef PEGASUS_USE_PAM_STANDALONE_PROC
|
|
|
|
return CimserveraProcessOperation("authenticate", username, password);
|
|
|
|
#else
|
|
|
|
- return PAMAuthenticateInProcess(username, password);
|
|
|
|
+ return PAMAuthenticateInProcess(username, password, isRemoteUser);
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
|
2012-10-16 13:42:59 +00:00
|
|
|
diff -up pegasus/src/Executor/Parent.c.orig pegasus/src/Executor/Parent.c
|
2015-04-08 11:11:12 +00:00
|
|
|
--- pegasus/src/Executor/Parent.c.orig 2015-03-31 14:57:37.595034076 +0200
|
|
|
|
+++ pegasus/src/Executor/Parent.c 2015-03-31 14:58:11.034176796 +0200
|
2013-09-03 10:30:53 +00:00
|
|
|
@@ -634,7 +634,7 @@ static void HandleAuthenticatePasswordRe
|
2011-05-19 13:50:06 +00:00
|
|
|
|
|
|
|
#if defined(PEGASUS_PAM_AUTHENTICATION)
|
|
|
|
|
2013-09-03 10:30:53 +00:00
|
|
|
- status = PAMAuthenticate(request.username, request.password);
|
|
|
|
+ status = PAMAuthenticate(request.username, request.password, request.isRemoteUser);
|
|
|
|
|
|
|
|
if (status == PAM_SUCCESS)
|
2011-05-19 13:50:06 +00:00
|
|
|
{
|
2012-10-16 13:42:59 +00:00
|
|
|
diff -up pegasus/src/Executor/tests/PAMAuth/TestExecutorPAMAuth.c.orig pegasus/src/Executor/tests/PAMAuth/TestExecutorPAMAuth.c
|
2015-04-08 11:11:12 +00:00
|
|
|
--- pegasus/src/Executor/tests/PAMAuth/TestExecutorPAMAuth.c.orig 2015-03-31 14:58:30.460259707 +0200
|
|
|
|
+++ pegasus/src/Executor/tests/PAMAuth/TestExecutorPAMAuth.c 2015-03-31 14:58:55.882368210 +0200
|
2011-05-19 13:50:06 +00:00
|
|
|
@@ -49,7 +49,7 @@ int main()
|
|
|
|
sprintf(prompt, "Enter password for %s: ", PEGASUS_CIMSERVERMAIN_USER);
|
|
|
|
pw = getpass(prompt);
|
|
|
|
|
|
|
|
- if (PAMAuthenticate(PEGASUS_CIMSERVERMAIN_USER, pw) == 0)
|
|
|
|
+ if (PAMAuthenticate(PEGASUS_CIMSERVERMAIN_USER, pw, 0) == 0)
|
|
|
|
printf("Correct password\n");
|
|
|
|
else
|
|
|
|
printf("Wrong password\n");
|
2012-10-16 13:42:59 +00:00
|
|
|
diff -up pegasus/src/Pegasus/Common/AuthenticationInfo.h.orig pegasus/src/Pegasus/Common/AuthenticationInfo.h
|
2015-04-08 11:11:12 +00:00
|
|
|
--- pegasus/src/Pegasus/Common/AuthenticationInfo.h.orig 2015-03-31 14:59:10.875432201 +0200
|
|
|
|
+++ pegasus/src/Pegasus/Common/AuthenticationInfo.h 2015-03-31 15:00:03.130655230 +0200
|
|
|
|
@@ -348,6 +348,22 @@ public:
|
|
|
|
_rep->setAuthHandle(authHandle);
|
2008-11-11 13:39:19 +00:00
|
|
|
}
|
|
|
|
|
2009-06-16 12:09:03 +00:00
|
|
|
+ /** Indicate whether the user is Remote
|
|
|
|
+ */
|
|
|
|
+ Boolean isRemoteUser() const
|
|
|
|
+ {
|
|
|
|
+ CheckRep(_rep);
|
|
|
|
+ return _rep->isRemoteUser();
|
|
|
|
+ }
|
2008-11-11 13:39:19 +00:00
|
|
|
+
|
2009-06-16 12:09:03 +00:00
|
|
|
+ /** Set the Remote User flag
|
|
|
|
+ */
|
|
|
|
+ void setRemoteUser(Boolean isRemoteUser)
|
|
|
|
+ {
|
|
|
|
+ CheckRep(_rep);
|
|
|
|
+ _rep->setRemoteUser(isRemoteUser);
|
|
|
|
+ }
|
2008-11-11 13:39:19 +00:00
|
|
|
+
|
2015-04-08 11:11:12 +00:00
|
|
|
AuthHandle getAuthHandle()
|
2013-09-03 10:30:53 +00:00
|
|
|
{
|
|
|
|
CheckRep(_rep);
|
2012-10-16 13:42:59 +00:00
|
|
|
diff -up pegasus/src/Pegasus/Common/AuthenticationInfoRep.cpp.orig pegasus/src/Pegasus/Common/AuthenticationInfoRep.cpp
|
2015-04-08 11:11:12 +00:00
|
|
|
--- pegasus/src/Pegasus/Common/AuthenticationInfoRep.cpp.orig 2015-03-31 15:00:26.267753980 +0200
|
|
|
|
+++ pegasus/src/Pegasus/Common/AuthenticationInfoRep.cpp 2015-03-31 15:01:53.018124238 +0200
|
|
|
|
@@ -48,6 +48,7 @@ const String AuthenticationInfoRep::AUTH
|
2013-09-03 10:30:53 +00:00
|
|
|
AuthenticationInfoRep::AuthenticationInfoRep()
|
2008-11-11 13:39:19 +00:00
|
|
|
: _connectionAuthenticated(false),
|
2013-09-03 10:30:53 +00:00
|
|
|
_wasRemotePrivilegedUserAccessChecked(false),
|
|
|
|
+ _isRemoteUser(true),
|
|
|
|
_authHandle(),
|
|
|
|
_isExpiredPassword(false)
|
2015-04-08 11:11:12 +00:00
|
|
|
#ifdef PEGASUS_ENABLE_SESSION_COOKIES
|
|
|
|
@@ -86,6 +87,16 @@ AuthenticationInfoRep::~AuthenticationIn
|
|
|
|
|
2008-11-11 13:39:19 +00:00
|
|
|
PEG_METHOD_EXIT();
|
|
|
|
}
|
2015-04-08 11:11:12 +00:00
|
|
|
+
|
2009-06-16 12:09:03 +00:00
|
|
|
+void AuthenticationInfoRep::setRemoteUser(Boolean isRemoteUser)
|
2008-11-11 13:39:19 +00:00
|
|
|
+{
|
|
|
|
+ PEG_METHOD_ENTER(TRC_AUTHENTICATION,
|
|
|
|
+ "AuthenticationInfoRep::setRemoteUser");
|
|
|
|
+
|
|
|
|
+ _isRemoteUser = isRemoteUser;
|
|
|
|
+
|
|
|
|
+ PEG_METHOD_EXIT();
|
|
|
|
+}
|
2015-04-08 11:11:12 +00:00
|
|
|
|
2008-11-11 13:39:19 +00:00
|
|
|
void AuthenticationInfoRep::setConnectionAuthenticated(
|
|
|
|
Boolean connectionAuthenticated)
|
2012-10-16 13:42:59 +00:00
|
|
|
diff -up pegasus/src/Pegasus/Common/AuthenticationInfoRep.h.orig pegasus/src/Pegasus/Common/AuthenticationInfoRep.h
|
2015-04-08 11:11:12 +00:00
|
|
|
--- pegasus/src/Pegasus/Common/AuthenticationInfoRep.h.orig 2015-03-31 15:02:17.868230300 +0200
|
|
|
|
+++ pegasus/src/Pegasus/Common/AuthenticationInfoRep.h 2015-03-31 15:03:53.065636608 +0200
|
|
|
|
@@ -148,6 +148,13 @@ public:
|
|
|
|
}
|
|
|
|
#endif //PEGASUS_NEGOTIATE_AUTHENTICATION
|
2008-11-11 13:39:19 +00:00
|
|
|
|
|
|
|
+ Boolean isRemoteUser() const
|
|
|
|
+ {
|
|
|
|
+ return _isRemoteUser;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ void setRemoteUser(Boolean isRemoteUser);
|
|
|
|
+
|
|
|
|
Array<SSLCertificateInfo*> getClientCertificateChain()
|
|
|
|
{
|
|
|
|
return _clientCertificate;
|
2015-04-08 11:11:12 +00:00
|
|
|
@@ -233,6 +240,8 @@ private:
|
2008-11-11 13:39:19 +00:00
|
|
|
|
|
|
|
Array<SSLCertificateInfo*> _clientCertificate;
|
|
|
|
|
2013-09-03 10:30:53 +00:00
|
|
|
+ Boolean _isRemoteUser;
|
|
|
|
+
|
|
|
|
AuthHandle _authHandle;
|
|
|
|
String _userRole;
|
|
|
|
Boolean _isExpiredPassword;
|
2012-10-16 13:42:59 +00:00
|
|
|
diff -up pegasus/src/Pegasus/Common/Executor.cpp.orig pegasus/src/Pegasus/Common/Executor.cpp
|
2015-04-08 11:11:12 +00:00
|
|
|
--- pegasus/src/Pegasus/Common/Executor.cpp.orig 2015-03-31 15:04:10.843712487 +0200
|
|
|
|
+++ pegasus/src/Pegasus/Common/Executor.cpp 2015-03-31 15:08:16.953762900 +0200
|
2011-05-19 13:50:06 +00:00
|
|
|
@@ -126,7 +126,8 @@ public:
|
2008-11-11 13:39:19 +00:00
|
|
|
|
|
|
|
virtual int authenticatePassword(
|
|
|
|
const char* username,
|
|
|
|
- const char* password) = 0;
|
|
|
|
+ const char* password,
|
|
|
|
+ Boolean isRemoteUser) = 0;
|
|
|
|
|
|
|
|
virtual int validateUser(
|
|
|
|
const char* username) = 0;
|
2013-09-03 10:30:53 +00:00
|
|
|
@@ -562,9 +563,10 @@ public:
|
|
|
|
#if defined(PEGASUS_PAM_AUTHENTICATION)
|
2008-11-11 13:39:19 +00:00
|
|
|
virtual int authenticatePassword(
|
|
|
|
const char* username,
|
|
|
|
- const char* password)
|
|
|
|
+ const char* password,
|
|
|
|
+ Boolean isRemoteUser)
|
|
|
|
{
|
|
|
|
- return PAMAuthenticate(username, password);
|
|
|
|
+ return PAMAuthenticate(username, password, isRemoteUser);
|
2013-09-03 10:30:53 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
virtual int validateUser(
|
|
|
|
@@ -912,7 +914,8 @@ public:
|
2008-11-11 13:39:19 +00:00
|
|
|
|
|
|
|
virtual int authenticatePassword(
|
|
|
|
const char* username,
|
|
|
|
- const char* password)
|
|
|
|
+ const char* password,
|
|
|
|
+ Boolean isRemoteUser)
|
|
|
|
{
|
|
|
|
AutoMutex autoMutex(_mutex);
|
|
|
|
|
2013-09-03 10:30:53 +00:00
|
|
|
@@ -930,6 +933,7 @@ public:
|
2012-10-16 13:42:59 +00:00
|
|
|
memset(&request, 0, sizeof(request));
|
|
|
|
Strlcpy(request.username, username, EXECUTOR_BUFFER_SIZE);
|
|
|
|
Strlcpy(request.password, password, EXECUTOR_BUFFER_SIZE);
|
|
|
|
+ request.isRemoteUser = isRemoteUser;
|
|
|
|
|
|
|
|
if (SendBlock(_sock, &request, sizeof(request)) != sizeof(request))
|
|
|
|
return -1;
|
2013-09-03 10:30:53 +00:00
|
|
|
@@ -1181,10 +1185,11 @@ int Executor::reapProviderAgent(
|
2008-11-11 13:39:19 +00:00
|
|
|
|
|
|
|
int Executor::authenticatePassword(
|
|
|
|
const char* username,
|
|
|
|
- const char* password)
|
|
|
|
+ const char* password,
|
|
|
|
+ Boolean isRemoteUser)
|
|
|
|
{
|
|
|
|
once(&_executorImplOnce, _initExecutorImpl);
|
|
|
|
- return _executorImpl->authenticatePassword(username, password);
|
|
|
|
+ return _executorImpl->authenticatePassword(username, password, isRemoteUser);
|
|
|
|
}
|
|
|
|
|
|
|
|
int Executor::validateUser(
|
2012-10-16 13:42:59 +00:00
|
|
|
diff -up pegasus/src/Pegasus/Common/Executor.h.orig pegasus/src/Pegasus/Common/Executor.h
|
2015-04-08 11:11:12 +00:00
|
|
|
--- pegasus/src/Pegasus/Common/Executor.h.orig 2015-03-31 15:08:26.668804365 +0200
|
|
|
|
+++ pegasus/src/Pegasus/Common/Executor.h 2015-03-31 15:08:46.535889158 +0200
|
2011-05-19 13:50:06 +00:00
|
|
|
@@ -184,7 +184,8 @@ public:
|
2008-11-11 13:39:19 +00:00
|
|
|
*/
|
|
|
|
static int authenticatePassword(
|
|
|
|
const char* username,
|
|
|
|
- const char* password);
|
|
|
|
+ const char* password,
|
|
|
|
+ Boolean isRemoteUser);
|
|
|
|
|
|
|
|
/** Check whether the given user is valid for the underlying authentcation
|
|
|
|
mechanism.
|
2012-10-16 13:42:59 +00:00
|
|
|
diff -up pegasus/src/Pegasus/Common/HTTPConnection.cpp.orig pegasus/src/Pegasus/Common/HTTPConnection.cpp
|
2015-04-08 11:11:12 +00:00
|
|
|
--- pegasus/src/Pegasus/Common/HTTPConnection.cpp.orig 2015-03-31 15:09:05.706970982 +0200
|
|
|
|
+++ pegasus/src/Pegasus/Common/HTTPConnection.cpp 2015-03-31 15:10:08.472238867 +0200
|
|
|
|
@@ -2295,6 +2295,70 @@ void HTTPConnection::_handleReadEvent()
|
2008-11-11 13:39:19 +00:00
|
|
|
message->contentLanguages = contentLanguages;
|
|
|
|
message->dest = _outputMessageQueue->getQueueId();
|
|
|
|
|
|
|
|
+ // Allow authenticators to differentiate Remote and Local users:
|
2012-10-16 13:42:59 +00:00
|
|
|
+ struct sockaddr_storage sin_peer, sin_svr;
|
|
|
|
+ socklen_t slen1 = sizeof (struct sockaddr_storage), slen2 = sizeof (struct sockaddr_storage);
|
2008-11-11 13:39:19 +00:00
|
|
|
+ uint32_t sock = _socket.get()->getSocket() ;
|
|
|
|
+ memset(&sin_peer,'\0',slen1);
|
|
|
|
+ memset(&sin_svr, '\0',slen2);
|
|
|
|
+ if ( ( ::getpeername( sock, (struct sockaddr*)&sin_peer, &slen1) == 0 )
|
|
|
|
+ ||( ::getsockname( sock, (struct sockaddr*)&sin_svr, &slen2) == 0 )
|
|
|
|
+ )
|
|
|
|
+ {
|
2012-10-16 13:42:59 +00:00
|
|
|
+ PEG_TRACE((TRC_HTTP, Tracer::LEVEL4,
|
|
|
|
+ "sin_peer.ss_family: %d",
|
|
|
|
+ sin_peer.ss_family));
|
|
|
|
+ if( sin_peer.ss_family == AF_INET )
|
2008-11-11 13:39:19 +00:00
|
|
|
+ {
|
2012-10-16 13:42:59 +00:00
|
|
|
+ struct sockaddr_in *s = (struct sockaddr_in *)&sin_peer;
|
|
|
|
+ if( ((ntohl( s->sin_addr.s_addr ) >> 24) & 0xff) == 127 )
|
2008-11-11 13:39:19 +00:00
|
|
|
+ // message was sent FROM localhost interface
|
|
|
|
+ message->isFromRemoteHost = false;
|
|
|
|
+ }
|
2012-10-16 13:42:59 +00:00
|
|
|
+ if( sin_peer.ss_family == AF_INET6 )
|
2008-11-11 13:39:19 +00:00
|
|
|
+ {
|
2012-10-16 13:42:59 +00:00
|
|
|
+ char straddr[INET6_ADDRSTRLEN];
|
|
|
|
+ struct sockaddr_in6 *s = (struct sockaddr_in6 *)&sin_peer;
|
|
|
|
+ static const unsigned char localhost_bytes[] =
|
|
|
|
+ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };
|
|
|
|
+ inet_ntop(AF_INET6, &s->sin6_addr, straddr, sizeof(straddr));
|
|
|
|
+ PEG_TRACE((TRC_HTTP, Tracer::LEVEL4,
|
|
|
|
+ "Peer IP address: %s",
|
|
|
|
+ straddr));
|
|
|
|
+ if(memcmp(s->sin6_addr.s6_addr, localhost_bytes, 16) == 0)
|
|
|
|
+ // message was sent FROM localhost interface
|
|
|
|
+ message->isFromRemoteHost = false;
|
|
|
|
+ }
|
|
|
|
+ PEG_TRACE((TRC_HTTP, Tracer::LEVEL4,
|
|
|
|
+ "sin_svr.ss_family: %d",
|
|
|
|
+ sin_svr.ss_family));
|
|
|
|
+ if( sin_svr.ss_family == AF_INET )
|
|
|
|
+ {
|
|
|
|
+ struct sockaddr_in *s = (struct sockaddr_in *)&sin_svr;
|
|
|
|
+ if( ((ntohl( s->sin_addr.s_addr ) >> 24) & 0xff) == 127 )
|
|
|
|
+ // message was sent TO localhost interface
|
|
|
|
+ message->isFromRemoteHost = false;
|
|
|
|
+ }
|
|
|
|
+ if( sin_svr.ss_family == AF_INET6 )
|
|
|
|
+ {
|
|
|
|
+ char straddr[INET6_ADDRSTRLEN];
|
|
|
|
+ struct sockaddr_in6 *s = (struct sockaddr_in6 *)&sin_svr;
|
|
|
|
+ static const unsigned char localhost_bytes[] =
|
|
|
|
+ { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };
|
|
|
|
+ inet_ntop(AF_INET6, &s->sin6_addr, straddr, sizeof(straddr));
|
|
|
|
+ PEG_TRACE((TRC_HTTP, Tracer::LEVEL4,
|
|
|
|
+ "svr IP address: %s",
|
|
|
|
+ straddr));
|
|
|
|
+ if(memcmp(s->sin6_addr.s6_addr, localhost_bytes, 16) == 0)
|
2008-11-11 13:39:19 +00:00
|
|
|
+ // message was sent TO localhost interface
|
|
|
|
+ message->isFromRemoteHost = false;
|
|
|
|
+ }
|
|
|
|
+ }
|
2012-10-16 13:42:59 +00:00
|
|
|
+
|
|
|
|
+ PEG_TRACE((TRC_HTTP, Tracer::LEVEL4,
|
|
|
|
+ "isFromRemoteHost: %d",
|
|
|
|
+ message->isFromRemoteHost));
|
2008-11-11 13:39:19 +00:00
|
|
|
+
|
|
|
|
//
|
|
|
|
// The _closeConnection method sets the _connectionClosePending flag.
|
|
|
|
// If we are executing on the client side and the
|
2012-10-16 13:42:59 +00:00
|
|
|
diff -up pegasus/src/Pegasus/Common/HTTPMessage.cpp.orig pegasus/src/Pegasus/Common/HTTPMessage.cpp
|
2015-04-08 11:11:12 +00:00
|
|
|
--- pegasus/src/Pegasus/Common/HTTPMessage.cpp.orig 2015-03-31 15:10:32.186340162 +0200
|
|
|
|
+++ pegasus/src/Pegasus/Common/HTTPMessage.cpp 2015-03-31 15:11:00.008459185 +0200
|
2013-09-03 10:30:53 +00:00
|
|
|
@@ -133,7 +133,8 @@ HTTPMessage::HTTPMessage(
|
2008-11-11 13:39:19 +00:00
|
|
|
authInfo(0),
|
|
|
|
acceptLanguagesDecoded(false),
|
2011-05-19 13:50:06 +00:00
|
|
|
contentLanguagesDecoded(false),
|
|
|
|
- binaryResponse(false)
|
|
|
|
+ binaryResponse(false),
|
2008-11-11 13:39:19 +00:00
|
|
|
+ isFromRemoteHost(true)
|
|
|
|
{
|
|
|
|
if (cimException_)
|
|
|
|
cimException = *cimException_;
|
2012-10-16 13:42:59 +00:00
|
|
|
diff -up pegasus/src/Pegasus/Common/HTTPMessage.h.orig pegasus/src/Pegasus/Common/HTTPMessage.h
|
2015-04-08 11:11:12 +00:00
|
|
|
--- pegasus/src/Pegasus/Common/HTTPMessage.h.orig 2015-03-31 15:11:13.706517786 +0200
|
|
|
|
+++ pegasus/src/Pegasus/Common/HTTPMessage.h 2015-03-31 15:11:33.528602586 +0200
|
2009-06-16 12:09:03 +00:00
|
|
|
@@ -73,6 +73,7 @@ public:
|
2008-11-11 13:39:19 +00:00
|
|
|
ContentLanguageList contentLanguages;
|
|
|
|
Boolean acceptLanguagesDecoded;
|
|
|
|
Boolean contentLanguagesDecoded;
|
|
|
|
+ Boolean isFromRemoteHost;
|
|
|
|
CIMException cimException;
|
2011-05-19 13:50:06 +00:00
|
|
|
bool binaryResponse;
|
2008-11-11 13:39:19 +00:00
|
|
|
|
2012-10-16 13:42:59 +00:00
|
|
|
diff -up pegasus/src/Pegasus/Common/tests/Executor/TestExecutor.cpp.orig pegasus/src/Pegasus/Common/tests/Executor/TestExecutor.cpp
|
2015-04-08 11:11:12 +00:00
|
|
|
--- pegasus/src/Pegasus/Common/tests/Executor/TestExecutor.cpp.orig 2015-03-31 15:11:50.617675692 +0200
|
|
|
|
+++ pegasus/src/Pegasus/Common/tests/Executor/TestExecutor.cpp 2015-03-31 15:12:49.031925589 +0200
|
2009-06-16 12:09:03 +00:00
|
|
|
@@ -76,7 +76,7 @@ void testExecutorLoopbackImpl()
|
2008-11-11 13:39:19 +00:00
|
|
|
#endif
|
|
|
|
|
|
|
|
PEGASUS_TEST_ASSERT(Executor::authenticatePassword(
|
2013-09-03 10:30:53 +00:00
|
|
|
- "xnonexistentuserx", "wrongpassword") != 0);
|
|
|
|
+ "xnonexistentuserx", "wrongpassword", true) != 0);
|
|
|
|
PEGASUS_TEST_ASSERT(Executor::validateUser("xnonexistentuserx") != 0);
|
2008-11-11 13:39:19 +00:00
|
|
|
|
|
|
|
char challengeFilePath[EXECUTOR_BUFFER_SIZE];
|
2009-06-16 12:09:03 +00:00
|
|
|
@@ -115,7 +115,7 @@ void testExecutorSocketImpl()
|
2008-11-11 13:39:19 +00:00
|
|
|
PEGASUS_TEST_ASSERT(Executor::reapProviderAgent(123) == 0);
|
|
|
|
|
|
|
|
PEGASUS_TEST_ASSERT(Executor::authenticatePassword(
|
|
|
|
- "xnonexistentuserx", "wrongpassword") == -1);
|
|
|
|
+ "xnonexistentuserx", "wrongpassword", true) == -1);
|
|
|
|
PEGASUS_TEST_ASSERT(Executor::validateUser("xnonexistentuserx") == -1);
|
|
|
|
|
|
|
|
char challengeFilePath[EXECUTOR_BUFFER_SIZE];
|
2012-10-16 13:42:59 +00:00
|
|
|
diff -up pegasus/src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp.orig pegasus/src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp
|
2015-04-08 11:11:12 +00:00
|
|
|
--- pegasus/src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp.orig 2015-03-31 15:12:58.057964203 +0200
|
|
|
|
+++ pegasus/src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp 2015-03-31 15:13:19.591056322 +0200
|
|
|
|
@@ -159,6 +159,7 @@ AuthenticationStatus BasicAuthentication
|
2013-09-03 10:30:53 +00:00
|
|
|
_basicAuthenticator->authenticate(
|
|
|
|
userName,
|
|
|
|
password,
|
|
|
|
+ authInfo->isRemoteUser(),
|
|
|
|
authInfo);
|
2008-11-11 13:39:19 +00:00
|
|
|
|
|
|
|
// Log audit message.
|
2012-10-16 13:42:59 +00:00
|
|
|
diff -up pegasus/src/Pegasus/Security/Authentication/BasicAuthenticator.h.orig pegasus/src/Pegasus/Security/Authentication/BasicAuthenticator.h
|
2015-04-08 11:11:12 +00:00
|
|
|
--- pegasus/src/Pegasus/Security/Authentication/BasicAuthenticator.h.orig 2015-03-31 15:13:32.889113211 +0200
|
|
|
|
+++ pegasus/src/Pegasus/Security/Authentication/BasicAuthenticator.h 2015-03-31 15:13:51.240191720 +0200
|
2013-09-03 10:30:53 +00:00
|
|
|
@@ -65,6 +65,7 @@ public:
|
|
|
|
virtual AuthenticationStatus authenticate(
|
2009-06-16 12:09:03 +00:00
|
|
|
const String& userName,
|
2013-09-03 10:30:53 +00:00
|
|
|
const String& password,
|
|
|
|
+ Boolean isRemoteUser,
|
|
|
|
AuthenticationInfo* authInfo) = 0;
|
2008-11-11 13:39:19 +00:00
|
|
|
|
|
|
|
/** Construct and return the HTTP Basic authentication challenge header
|
2012-10-16 13:42:59 +00:00
|
|
|
diff -up pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h.orig pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h
|
2015-04-08 11:11:12 +00:00
|
|
|
--- pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h.orig 2015-03-31 15:14:04.185247096 +0200
|
|
|
|
+++ pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h 2015-03-31 15:14:20.391316426 +0200
|
2013-09-03 10:30:53 +00:00
|
|
|
@@ -54,6 +54,7 @@ public:
|
|
|
|
AuthenticationStatus authenticate(
|
2009-06-16 12:09:03 +00:00
|
|
|
const String& userName,
|
2013-09-03 10:30:53 +00:00
|
|
|
const String& password,
|
|
|
|
+ Boolean isRemoteUser,
|
|
|
|
AuthenticationInfo* authInfo);
|
2008-11-11 13:39:19 +00:00
|
|
|
|
2013-09-03 10:30:53 +00:00
|
|
|
AuthenticationStatus validateUser(
|
2012-10-16 13:42:59 +00:00
|
|
|
diff -up pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp.orig pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp
|
2015-04-08 11:11:12 +00:00
|
|
|
--- pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp.orig 2015-03-31 15:14:32.937370098 +0200
|
|
|
|
+++ pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp 2015-03-31 15:14:52.631454350 +0200
|
2013-09-03 10:30:53 +00:00
|
|
|
@@ -74,6 +74,7 @@ PAMBasicAuthenticator::~PAMBasicAuthenti
|
|
|
|
AuthenticationStatus PAMBasicAuthenticator::authenticate(
|
2009-06-16 12:09:03 +00:00
|
|
|
const String& userName,
|
2013-09-03 10:30:53 +00:00
|
|
|
const String& password,
|
|
|
|
+ Boolean isRemoteUser,
|
|
|
|
AuthenticationInfo* authInfo)
|
2008-11-11 13:39:19 +00:00
|
|
|
{
|
|
|
|
PEG_METHOD_ENTER(TRC_AUTHENTICATION,
|
2012-10-16 13:42:59 +00:00
|
|
|
diff -up pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp.orig pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp
|
2015-04-08 11:11:12 +00:00
|
|
|
--- pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp.orig 2015-03-31 15:15:08.521522327 +0200
|
|
|
|
+++ pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp 2015-03-31 15:15:49.255696589 +0200
|
2013-09-03 10:30:53 +00:00
|
|
|
@@ -66,6 +66,7 @@ PAMBasicAuthenticator::~PAMBasicAuthenti
|
|
|
|
AuthenticationStatus PAMBasicAuthenticator::authenticate(
|
2009-06-16 12:09:03 +00:00
|
|
|
const String& userName,
|
2013-09-03 10:30:53 +00:00
|
|
|
const String& password,
|
|
|
|
+ Boolean isRemoteUser,
|
|
|
|
AuthenticationInfo* authInfo)
|
2008-11-11 13:39:19 +00:00
|
|
|
{
|
|
|
|
PEG_METHOD_ENTER(TRC_AUTHENTICATION,
|
2013-09-03 10:30:53 +00:00
|
|
|
@@ -74,7 +75,8 @@ AuthenticationStatus PAMBasicAuthenticat
|
|
|
|
int pam_rc =
|
|
|
|
Executor::authenticatePassword(
|
|
|
|
userName.getCString(),
|
|
|
|
- password.getCString());
|
|
|
|
+ password.getCString(),
|
|
|
|
+ isRemoteUser);
|
|
|
|
|
|
|
|
// return code of -1 will be translated to AUTHSC_UNAUTHORIZED
|
|
|
|
AuthenticationStatus authStatus = _getAuthStatusFromPAM_RC(pam_rc);
|
2012-10-16 13:42:59 +00:00
|
|
|
diff -up pegasus/src/Pegasus/Security/Authentication/SecureBasicAuthenticator.cpp.orig pegasus/src/Pegasus/Security/Authentication/SecureBasicAuthenticator.cpp
|
2015-04-08 11:11:12 +00:00
|
|
|
--- pegasus/src/Pegasus/Security/Authentication/SecureBasicAuthenticator.cpp.orig 2015-03-31 15:16:03.097755805 +0200
|
|
|
|
+++ pegasus/src/Pegasus/Security/Authentication/SecureBasicAuthenticator.cpp 2015-03-31 15:16:24.758848473 +0200
|
|
|
|
@@ -239,7 +239,7 @@ AuthenticationStatus SecureBasicAuthenti
|
2008-11-11 13:39:19 +00:00
|
|
|
if (Executor::detectExecutor() == 0)
|
|
|
|
{
|
|
|
|
if (Executor::authenticatePassword(
|
|
|
|
- userName.getCString(), password.getCString()) == 0)
|
|
|
|
+ userName.getCString(), password.getCString(), true) == 0)
|
|
|
|
{
|
|
|
|
authenticated = true;
|
|
|
|
}
|
2012-10-16 13:42:59 +00:00
|
|
|
diff -up pegasus/src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp.orig pegasus/src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp
|
2015-04-08 11:11:12 +00:00
|
|
|
--- pegasus/src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp.orig 2015-03-31 15:16:39.848913028 +0200
|
|
|
|
+++ pegasus/src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp 2015-03-31 15:17:21.079089410 +0200
|
|
|
|
@@ -431,6 +431,9 @@ void HTTPAuthenticatorDelegator::handleH
|
2009-06-16 12:09:03 +00:00
|
|
|
Tracer::LEVEL3,
|
|
|
|
"HTTPAuthenticatorDelegator - Authentication processing start");
|
2008-11-11 13:39:19 +00:00
|
|
|
|
|
|
|
+ // Let Authenticators know whether this user is Local or Remote:
|
|
|
|
+ httpMessage->authInfo->setRemoteUser( httpMessage->isFromRemoteHost );
|
|
|
|
+
|
|
|
|
//
|
|
|
|
// Handle authentication:
|
|
|
|
//
|