From 05f101be6b83239e2d5ce9c0e3bd6b90fecbe4e2 Mon Sep 17 00:00:00 2001 From: vcrhonek Date: Tue, 11 Nov 2008 13:39:19 +0000 Subject: [PATCH] Fix local or remote auth patch to work correctly with new code base --- pegasus-2.7.0-local-or-remote-auth.patch | 225 ------------ pegasus-2.7.2-local-or-remote-auth.patch | 450 +++++++++++++++++++++++ tog-pegasus.spec | 10 +- 3 files changed, 457 insertions(+), 228 deletions(-) delete mode 100644 pegasus-2.7.0-local-or-remote-auth.patch create mode 100644 pegasus-2.7.2-local-or-remote-auth.patch diff --git a/pegasus-2.7.0-local-or-remote-auth.patch b/pegasus-2.7.0-local-or-remote-auth.patch deleted file mode 100644 index b1c1c10..0000000 --- a/pegasus-2.7.0-local-or-remote-auth.patch +++ /dev/null 
@@ -1,225 +0,0 @@ -diff -up pegasus/src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp_old pegasus/src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp ---- pegasus/src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp_old 2008-01-14 16:27:44.000000000 +0100 -+++ pegasus/src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp 2008-01-14 16:30:46.000000000 +0100 -@@ -403,6 +403,9 @@ void HTTPAuthenticatorDelegator::handleH - Logger::STANDARD_LOG, System::CIMSERVER, Logger::TRACE, - "HTTPAuthenticatorDelegator - Authentication processing start")); - -+ // Let Authenticators know whether this user is Local or Remote: -+ httpMessage->authInfo->setRemoteUser( httpMessage->fromRemoteHost ); -+ - // - // Handle authentication: - // -diff -up pegasus/src/Pegasus/Common/AuthenticationInfo.h_old pegasus/src/Pegasus/Common/AuthenticationInfo.h ---- pegasus/src/Pegasus/Common/AuthenticationInfo.h_old 2008-01-14 16:03:49.000000000 +0100 -+++ pegasus/src/Pegasus/Common/AuthenticationInfo.h 2008-01-14 16:05:06.000000000 +0100 -@@ -356,6 +356,22 @@ public: - return _rep->getRemotePrivilegedUserAccessChecked(); - } - -+ /** Indicate whether the user is Remote -+ */ -+ Boolean isRemoteUser() const -+ { -+ _checkRep(); -+ return _rep->isRemoteUser(); -+ } -+ -+ /** Set the Remote User flag -+ */ -+ void setRemoteUser(Boolean remoteUser) -+ { -+ _checkRep(); -+ _rep->setRemoteUser(remoteUser); -+ } -+ - private: - - AuthenticationInfo(AuthenticationInfoRep* rep) : _rep(rep) -diff -up pegasus/src/Pegasus/Common/HTTPConnection.cpp_old pegasus/src/Pegasus/Common/HTTPConnection.cpp ---- pegasus/src/Pegasus/Common/HTTPConnection.cpp_old 2008-01-14 16:08:30.000000000 +0100 -+++ pegasus/src/Pegasus/Common/HTTPConnection.cpp 2008-01-14 16:12:45.000000000 +0100 -@@ -2039,6 +2039,30 @@ void HTTPConnection::_handleReadEvent() - _incomingBuffer).get())); - } - -+ // Allow authenticators to differentiate Remote and Local users: -+ struct sockaddr_in sin_peer, sin_svr; // don't need to worry about IPv6 yet ... 
-+ socklen_t slen1=sizeof(struct sockaddr_in), slen2=sizeof(struct sockaddr_in); -+ uint32_t sock = _socket.get()->getSocket() ; -+ memset(&sin_peer,'\0',slen1); -+ memset(&sin_svr, '\0',slen2); -+ if ( ( ::getpeername( sock, (struct sockaddr*)&sin_peer, &slen1) == 0 ) -+ ||( ::getsockname( sock, (struct sockaddr*)&sin_svr, &slen2) == 0 ) -+ ) -+ { -+ if( sin_peer.sin_family == AF_INET ) -+ { -+ if( ((ntohl( sin_peer.sin_addr.s_addr ) >> 24) & 0xff) == 127 ) -+ // message was sent FROM localhost interface -+ message->fromRemoteHost = false; -+ } -+ if( sin_svr.sin_family == AF_INET ) -+ { -+ if( ((ntohl( sin_svr.sin_addr.s_addr ) >> 24) & 0xff) == 127 ) -+ // message was sent TO localhost interface -+ message->fromRemoteHost = false; -+ } -+ } -+ - // - // increment request count - // -diff -up pegasus/src/Pegasus/Common/HTTPMessage.h_old pegasus/src/Pegasus/Common/HTTPMessage.h ---- pegasus/src/Pegasus/Common/HTTPMessage.h_old 2008-01-14 16:13:39.000000000 +0100 -+++ pegasus/src/Pegasus/Common/HTTPMessage.h 2008-01-14 16:14:02.000000000 +0100 -@@ -75,6 +75,7 @@ public: - ContentLanguageList contentLanguages; - Boolean acceptLanguagesDecoded; - Boolean contentLanguagesDecoded; -+ Boolean fromRemoteHost; - CIMException cimException; - - void parse( -diff -up pegasus/src/Pegasus/Common/AuthenticationInfoRep.h_old pegasus/src/Pegasus/Common/AuthenticationInfoRep.h ---- pegasus/src/Pegasus/Common/AuthenticationInfoRep.h_old 2008-01-14 16:06:42.000000000 +0100 -+++ pegasus/src/Pegasus/Common/AuthenticationInfoRep.h 2008-01-14 16:08:22.000000000 +0100 -@@ -149,6 +149,13 @@ public: - void setSecurityAssociation(); - #endif - -+ Boolean isRemoteUser() const -+ { -+ return _remoteUser; -+ } -+ -+ void setRemoteUser(Boolean remoteUser); -+ - Array getClientCertificateChain() - { - return _clientCertificate; -@@ -192,6 +199,7 @@ private: - Boolean _wasRemotePrivilegedUserAccessChecked; - - Array _clientCertificate; -+ Boolean _remoteUser; - }; - - PEGASUS_NAMESPACE_END -diff 
-up pegasus/src/Pegasus/Common/AuthenticationInfoRep.cpp_old pegasus/src/Pegasus/Common/AuthenticationInfoRep.cpp ---- pegasus/src/Pegasus/Common/AuthenticationInfoRep.cpp_old 2008-01-14 16:05:14.000000000 +0100 -+++ pegasus/src/Pegasus/Common/AuthenticationInfoRep.cpp 2008-01-14 16:06:34.000000000 +0100 -@@ -46,7 +46,8 @@ const String AuthenticationInfoRep::AUTH - - AuthenticationInfoRep::AuthenticationInfoRep(Boolean flag) - : _connectionAuthenticated(false), -- _wasRemotePrivilegedUserAccessChecked(false) -+ _wasRemotePrivilegedUserAccessChecked(false), -+ _remoteUser(true) - { - PEG_METHOD_ENTER( - TRC_AUTHENTICATION, "AuthenticationInfoRep::AuthenticationInfoRep"); -@@ -54,6 +55,16 @@ AuthenticationInfoRep::AuthenticationInf - PEG_METHOD_EXIT(); - } - -+void AuthenticationInfoRep::setRemoteUser(Boolean remoteUser) -+{ -+ PEG_METHOD_ENTER(TRC_AUTHENTICATION, -+ "AuthenticationInfoRep::setRemoteUser"); -+ -+ _remoteUser = remoteUser; -+ -+ PEG_METHOD_EXIT(); -+} -+ - AuthenticationInfoRep::~AuthenticationInfoRep() - { - PEG_METHOD_ENTER( -diff -up pegasus/src/Pegasus/Common/HTTPMessage.cpp_old pegasus/src/Pegasus/Common/HTTPMessage.cpp ---- pegasus/src/Pegasus/Common/HTTPMessage.cpp_old 2008-01-14 16:13:00.000000000 +0100 -+++ pegasus/src/Pegasus/Common/HTTPMessage.cpp 2008-01-14 16:13:27.000000000 +0100 -@@ -120,7 +120,8 @@ HTTPMessage::HTTPMessage( - queueId(queueId_), - authInfo(0), - acceptLanguagesDecoded(false), -- contentLanguagesDecoded(false) -+ contentLanguagesDecoded(false), -+ fromRemoteHost(true) - { - if (cimException_) - cimException = *cimException_; -diff -up pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h_old pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h ---- pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h_old 2008-01-14 16:15:56.000000000 +0100 -+++ pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h 2008-01-14 16:16:41.000000000 +0100 -@@ -55,7 +55,8 @@ public: - - 
Boolean authenticate( - const String& userName, -- const String& password); -+ const String& password, -+ Boolean isRemoteUser); - - Boolean validateUser(const String& userName); - -diff -up pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp_old pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp ---- pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp_old 2008-01-14 16:22:01.000000000 +0100 -+++ pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp 2008-01-14 16:22:31.000000000 +0100 -@@ -85,7 +85,8 @@ PAMBasicAuthenticator::~PAMBasicAuthenti - - Boolean PAMBasicAuthenticator::authenticate( - const String& userName, -- const String& password) -+ const String& password, -+ Boolean isRemoteUser) - { - PEG_METHOD_ENTER(TRC_AUTHENTICATION, - "PAMBasicAuthenticator::authenticate()"); -diff -up pegasus/src/Pegasus/Security/Authentication/BasicAuthenticator.h_old pegasus/src/Pegasus/Security/Authentication/BasicAuthenticator.h ---- pegasus/src/Pegasus/Security/Authentication/BasicAuthenticator.h_old 2008-01-14 16:14:59.000000000 +0100 -+++ pegasus/src/Pegasus/Security/Authentication/BasicAuthenticator.h 2008-01-14 16:15:46.000000000 +0100 -@@ -67,7 +67,8 @@ public: - */ - virtual Boolean authenticate( - const String& userName, -- const String& password) = 0; -+ const String& password, -+ Boolean isRemoteUser) = 0; - - /** Construct and return the HTTP Basic authentication challenge header - @return A string containing the authentication challenge header. 
-diff -up pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp_old pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp ---- pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp_old 2008-01-14 16:22:42.000000000 +0100 -+++ pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp 2008-01-14 16:25:46.000000000 +0100 -@@ -36,6 +36,8 @@ - #include - #include "PAMBasicAuthenticator.h" - -+#include -+ - PEGASUS_USING_STD; - - PEGASUS_NAMESPACE_BEGIN -@@ -72,7 +74,8 @@ PAMBasicAuthenticator::~PAMBasicAuthenti - - Boolean PAMBasicAuthenticator::authenticate( - const String& userName, -- const String& password) -+ const String& password, -+ Boolean isRemoteUser) - { - PEG_METHOD_ENTER(TRC_AUTHENTICATION, - "PAMBasicAuthenticator::authenticate()"); -diff -up pegasus/src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp_old pegasus/src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp ---- pegasus/src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp_old 2008-01-14 16:14:09.000000000 +0100 -+++ pegasus/src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp 2008-01-14 16:14:42.000000000 +0100 -@@ -164,7 +164,7 @@ Boolean BasicAuthenticationHandler::auth - } - authInfo->setRemotePrivilegedUserAccessChecked(); - -- authenticated = _basicAuthenticator->authenticate(userName, password); -+ authenticated = _basicAuthenticator->authenticate(userName, password, authInfo->isRemoteUser()); - - // Log audit message. - PEG_AUDIT_LOG(logBasicAuthentication( diff --git a/pegasus-2.7.2-local-or-remote-auth.patch b/pegasus-2.7.2-local-or-remote-auth.patch new file mode 100644 index 0000000..76a9a47 --- /dev/null +++ b/pegasus-2.7.2-local-or-remote-auth.patch 
@@ -0,0 +1,450 @@ +diff -up pegasus/src/Executor/PAMAuth.h.old pegasus/src/Executor/PAMAuth.h +--- pegasus/src/Executor/PAMAuth.h.old 2007-07-25 21:43:47.000000000 +0200 ++++ pegasus/src/Executor/PAMAuth.h 2008-11-11 13:36:19.000000000 +0100 +@@ -53,6 +53,9 @@ + #include + #include + ++#include ++typedef bool Boolean; ++ + /* + **============================================================================== + ** +@@ -397,29 +400,60 @@ static int PAMValidateUserCallback( + */ + + static int PAMAuthenticateInProcess( +- const char* username, const char* password) ++ const char* username, const char* password, const Boolean isRemoteUser) + { + PAMData data; + struct pam_conv pconv; + pam_handle_t* handle; ++ int retcode; + + data.password = password; + pconv.conv = PAMAuthenticateCallback; + pconv.appdata_ptr = &data; + ++ // NOTE: if any pam call should log anything, our syslog socket will be redirected ++ // to the AUTH facility, so we need to redirect it back after each pam call. ++ ++ if ((retcode = pam_start("wbem", username, &pconv, &handle)) != PAM_SUCCESS) ++ { ++ closelog(); ++ openlog("cimserver", LOG_PID, LOG_DAEMON); ++ syslog( LOG_ERR, "pam_start failed: %s", pam_strerror(handle, retcode)); ++ syslog(LOG_ERR, "PAM authentication failed for %s user: %s", ++ isRemoteUser ? "remote" : "local", username); ++ return -1; ++ } + +- if (pam_start("wbem", username, &pconv, &handle) != PAM_SUCCESS) ++ if ((retcode = pam_set_item(handle, PAM_TTY, isRemoteUser ? "wbemNetwork" : "wbemLocal")) != PAM_SUCCESS) ++ { ++ pam_end(handle, 0); ++ closelog(); ++ openlog("cimserver", LOG_PID, LOG_DAEMON); ++ syslog( LOG_ERR, "pam_set_item(PAM_TTY=wbem) failed: %s", pam_strerror(handle, retcode)); ++ syslog(LOG_ERR, "PAM authentication failed for %s user: %s", ++ isRemoteUser ? 
"remote" : "local", username); + return -1; ++ } + +- if (pam_authenticate(handle, 0) != PAM_SUCCESS) ++ if ((retcode = pam_authenticate(handle, 0)) != PAM_SUCCESS) + { + pam_end(handle, 0); ++ closelog(); ++ openlog("cimserver", LOG_PID, LOG_DAEMON); ++ syslog(LOG_ERR, "pam_authenticate failed: %s",pam_strerror(handle, retcode)); ++ syslog(LOG_ERR, "PAM authentication failed for %s user: %s", ++ isRemoteUser ? "remote" : "local", username); + return -1; + } + +- if (pam_acct_mgmt(handle, 0) != PAM_SUCCESS) ++ if ((retcode = pam_acct_mgmt(handle, 0)) != PAM_SUCCESS) + { + pam_end(handle, 0); ++ closelog(); ++ openlog("cimserver", LOG_PID, LOG_DAEMON); ++ syslog(LOG_ERR, "pam_acct_mgmt failed: %s",pam_strerror(handle, retcode)); ++ syslog(LOG_ERR, "PAM authentication failed for %s user: %s", ++ isRemoteUser ? "remote" : "local", username); + return -1; + } + +@@ -443,16 +477,34 @@ static int PAMValidateUserInProcess(cons + PAMData data; + struct pam_conv pconv; + pam_handle_t* phandle; ++ int retcode; + + pconv.conv = PAMValidateUserCallback; + pconv.appdata_ptr = &data; + +- if (pam_start("wbem", username, &pconv, &phandle) != PAM_SUCCESS) ++ if ((retcode = pam_start("wbem", username, &pconv, &phandle)) != PAM_SUCCESS) ++ { ++ closelog(); ++ openlog("cimserver", LOG_PID, LOG_DAEMON); ++ syslog( LOG_ERR, "pam_start() failed: %s", pam_strerror(phandle, retcode)); + return -1; ++ } ++ ++ if ((retcode = pam_set_item(phandle, PAM_TTY, "wbemLocal")) != PAM_SUCCESS) ++ { ++ pam_end(phandle, 0); ++ closelog(); ++ openlog("cimserver", LOG_PID, LOG_DAEMON); ++ syslog( LOG_ERR, "pam_set_item(PAM_TTY=wbemLocal) failed: %s", pam_strerror(phandle, retcode)); ++ return -1; ++ } + +- if (pam_acct_mgmt(phandle, 0) != PAM_SUCCESS) ++ if ((retcode = pam_acct_mgmt(phandle, 0)) != PAM_SUCCESS) + { + pam_end(phandle, 0); ++ closelog(); ++ openlog("cimserver", LOG_PID, LOG_DAEMON); ++ syslog( LOG_ERR, "pam_acct_mgmt() failed: %s", pam_strerror(phandle, retcode)); + return -1; + } + +@@ 
-471,12 +523,12 @@ static int PAMValidateUserInProcess(cons + **============================================================================== + */ + +-static int PAMAuthenticate(const char* username, const char* password) ++static int PAMAuthenticate(const char* username, const char* password, const Boolean isRemoteUser) + { + #ifdef PEGASUS_USE_PAM_STANDALONE_PROC + return CimserveraProcessOperation("authenticate", username, password); + #else +- return PAMAuthenticateInProcess(username, password); ++ return PAMAuthenticateInProcess(username, password, isRemoteUser); + #endif + } + +diff -up pegasus/src/Pegasus/Common/AuthenticationInfo.h.old pegasus/src/Pegasus/Common/AuthenticationInfo.h +--- pegasus/src/Pegasus/Common/AuthenticationInfo.h.old 2007-09-03 13:27:02.000000000 +0200 ++++ pegasus/src/Pegasus/Common/AuthenticationInfo.h 2008-11-11 13:27:58.000000000 +0100 +@@ -356,6 +356,22 @@ public: + return _rep->getRemotePrivilegedUserAccessChecked(); + } + ++ /** Indicate whether the user is Remote ++ */ ++ Boolean isRemoteUser() const ++ { ++ CheckRep(_rep); ++ return _rep->isRemoteUser(); ++ } ++ ++ /** Set the Remote User flag ++ */ ++ void setRemoteUser(Boolean isRemoteUser) ++ { ++ CheckRep(_rep); ++ _rep->setRemoteUser(isRemoteUser); ++ } ++ + private: + + AuthenticationInfo(AuthenticationInfoRep* rep) : _rep(rep) +diff -up pegasus/src/Pegasus/Common/AuthenticationInfoRep.cpp.old pegasus/src/Pegasus/Common/AuthenticationInfoRep.cpp +--- pegasus/src/Pegasus/Common/AuthenticationInfoRep.cpp.old 2007-08-22 09:43:37.000000000 +0200 ++++ pegasus/src/Pegasus/Common/AuthenticationInfoRep.cpp 2008-11-11 13:27:58.000000000 +0100 +@@ -46,7 +46,8 @@ const String AuthenticationInfoRep::AUTH + + AuthenticationInfoRep::AuthenticationInfoRep(Boolean flag) + : _connectionAuthenticated(false), +- _wasRemotePrivilegedUserAccessChecked(false) ++ _wasRemotePrivilegedUserAccessChecked(false), ++ _isRemoteUser(true) + { + PEG_METHOD_ENTER( + TRC_AUTHENTICATION, 
"AuthenticationInfoRep::AuthenticationInfoRep"); +@@ -62,6 +63,16 @@ AuthenticationInfoRep::~AuthenticationIn + PEG_METHOD_EXIT(); + } + ++void AuthenticationInfoRep::setRemoteUser(Boolean isRemoteUser) ++{ ++ PEG_METHOD_ENTER(TRC_AUTHENTICATION, ++ "AuthenticationInfoRep::setRemoteUser"); ++ ++ _isRemoteUser = isRemoteUser; ++ ++ PEG_METHOD_EXIT(); ++} ++ + void AuthenticationInfoRep::setConnectionAuthenticated( + Boolean connectionAuthenticated) + { +diff -up pegasus/src/Pegasus/Common/AuthenticationInfoRep.h.old pegasus/src/Pegasus/Common/AuthenticationInfoRep.h +--- pegasus/src/Pegasus/Common/AuthenticationInfoRep.h.old 2007-08-22 09:43:37.000000000 +0200 ++++ pegasus/src/Pegasus/Common/AuthenticationInfoRep.h 2008-11-11 13:27:58.000000000 +0100 +@@ -149,6 +149,13 @@ public: + void setSecurityAssociation(); + #endif + ++ Boolean isRemoteUser() const ++ { ++ return _isRemoteUser; ++ } ++ ++ void setRemoteUser(Boolean isRemoteUser); ++ + Array getClientCertificateChain() + { + return _clientCertificate; +@@ -192,6 +199,7 @@ private: + Boolean _wasRemotePrivilegedUserAccessChecked; + + Array _clientCertificate; ++ Boolean _isRemoteUser; + }; + + PEGASUS_NAMESPACE_END +diff -up pegasus/src/Pegasus/Common/Executor.cpp.old pegasus/src/Pegasus/Common/Executor.cpp +--- pegasus/src/Pegasus/Common/Executor.cpp.old 2008-02-08 20:42:37.000000000 +0100 ++++ pegasus/src/Pegasus/Common/Executor.cpp 2008-11-11 13:27:58.000000000 +0100 +@@ -122,7 +122,8 @@ public: + + virtual int authenticatePassword( + const char* username, +- const char* password) = 0; ++ const char* password, ++ Boolean isRemoteUser) = 0; + + virtual int validateUser( + const char* username) = 0; +@@ -470,10 +471,11 @@ public: + + virtual int authenticatePassword( + const char* username, +- const char* password) ++ const char* password, ++ Boolean isRemoteUser) + { + #if defined(PEGASUS_PAM_AUTHENTICATION) +- return PAMAuthenticate(username, password); ++ return PAMAuthenticate(username, password, 
isRemoteUser); + #else + // ATTN: not handled so don't call in this case. + return -1; +@@ -812,7 +814,8 @@ public: + + virtual int authenticatePassword( + const char* username, +- const char* password) ++ const char* password, ++ Boolean isRemoteUser) + { + AutoMutex autoMutex(_mutex); + +@@ -1080,10 +1083,11 @@ int Executor::reapProviderAgent( + + int Executor::authenticatePassword( + const char* username, +- const char* password) ++ const char* password, ++ Boolean isRemoteUser) + { + once(&_executorImplOnce, _initExecutorImpl); +- return _executorImpl->authenticatePassword(username, password); ++ return _executorImpl->authenticatePassword(username, password, isRemoteUser); + } + + int Executor::validateUser( +diff -up pegasus/src/Pegasus/Common/Executor.h.old pegasus/src/Pegasus/Common/Executor.h +--- pegasus/src/Pegasus/Common/Executor.h.old 2008-02-08 20:17:58.000000000 +0100 ++++ pegasus/src/Pegasus/Common/Executor.h 2008-11-11 13:27:58.000000000 +0100 +@@ -185,7 +185,8 @@ public: + */ + static int authenticatePassword( + const char* username, +- const char* password); ++ const char* password, ++ Boolean isRemoteUser); + + /** Check whether the given user is valid for the underlying authentcation + mechanism. +diff -up pegasus/src/Pegasus/Common/HTTPConnection.cpp.old pegasus/src/Pegasus/Common/HTTPConnection.cpp +--- pegasus/src/Pegasus/Common/HTTPConnection.cpp.old 2008-01-25 20:03:23.000000000 +0100 ++++ pegasus/src/Pegasus/Common/HTTPConnection.cpp 2008-11-11 13:27:58.000000000 +0100 +@@ -2117,6 +2117,30 @@ void HTTPConnection::_handleReadEvent() + message->contentLanguages = contentLanguages; + message->dest = _outputMessageQueue->getQueueId(); + ++ // Allow authenticators to differentiate Remote and Local users: ++ struct sockaddr_in sin_peer, sin_svr; // don't need to worry about IPv6 yet ... 
++ socklen_t slen1=sizeof(struct sockaddr_in), slen2=sizeof(struct sockaddr_in); ++ uint32_t sock = _socket.get()->getSocket() ; ++ memset(&sin_peer,'\0',slen1); ++ memset(&sin_svr, '\0',slen2); ++ if ( ( ::getpeername( sock, (struct sockaddr*)&sin_peer, &slen1) == 0 ) ++ ||( ::getsockname( sock, (struct sockaddr*)&sin_svr, &slen2) == 0 ) ++ ) ++ { ++ if( sin_peer.sin_family == AF_INET ) ++ { ++ if( ((ntohl( sin_peer.sin_addr.s_addr ) >> 24) & 0xff) == 127 ) ++ // message was sent FROM localhost interface ++ message->isFromRemoteHost = false; ++ } ++ if( sin_svr.sin_family == AF_INET ) ++ { ++ if( ((ntohl( sin_svr.sin_addr.s_addr ) >> 24) & 0xff) == 127 ) ++ // message was sent TO localhost interface ++ message->isFromRemoteHost = false; ++ } ++ } ++ + // + // The _closeConnection method sets the _connectionClosePending flag. + // If we are executing on the client side and the +diff -up pegasus/src/Pegasus/Common/HTTPMessage.cpp.old pegasus/src/Pegasus/Common/HTTPMessage.cpp +--- pegasus/src/Pegasus/Common/HTTPMessage.cpp.old 2007-08-22 09:43:37.000000000 +0200 ++++ pegasus/src/Pegasus/Common/HTTPMessage.cpp 2008-11-11 13:27:58.000000000 +0100 +@@ -120,7 +120,8 @@ HTTPMessage::HTTPMessage( + queueId(queueId_), + authInfo(0), + acceptLanguagesDecoded(false), +- contentLanguagesDecoded(false) ++ contentLanguagesDecoded(false), ++ isFromRemoteHost(true) + { + if (cimException_) + cimException = *cimException_; +diff -up pegasus/src/Pegasus/Common/HTTPMessage.h.old pegasus/src/Pegasus/Common/HTTPMessage.h +--- pegasus/src/Pegasus/Common/HTTPMessage.h.old 2007-08-22 09:43:37.000000000 +0200 ++++ pegasus/src/Pegasus/Common/HTTPMessage.h 2008-11-11 13:27:58.000000000 +0100 +@@ -75,6 +75,7 @@ public: + ContentLanguageList contentLanguages; + Boolean acceptLanguagesDecoded; + Boolean contentLanguagesDecoded; ++ Boolean isFromRemoteHost; + CIMException cimException; + + void parse( +diff -up pegasus/src/Pegasus/Common/tests/Executor/TestExecutor.cpp.old 
pegasus/src/Pegasus/Common/tests/Executor/TestExecutor.cpp +--- pegasus/src/Pegasus/Common/tests/Executor/TestExecutor.cpp.old 2007-07-25 21:43:49.000000000 +0200 ++++ pegasus/src/Pegasus/Common/tests/Executor/TestExecutor.cpp 2008-11-11 13:27:58.000000000 +0100 +@@ -80,7 +80,7 @@ void testExecutorLoopbackImpl() + #endif + + PEGASUS_TEST_ASSERT(Executor::authenticatePassword( +- "xnonexistentuserx", "wrongpassword") == -1); ++ "xnonexistentuserx", "wrongpassword", true) == -1); + PEGASUS_TEST_ASSERT(Executor::validateUser("xnonexistentuserx") == -1); + + char challengeFilePath[EXECUTOR_BUFFER_SIZE]; +@@ -119,7 +119,7 @@ void testExecutorSocketImpl() + PEGASUS_TEST_ASSERT(Executor::reapProviderAgent(123) == 0); + + PEGASUS_TEST_ASSERT(Executor::authenticatePassword( +- "xnonexistentuserx", "wrongpassword") == -1); ++ "xnonexistentuserx", "wrongpassword", true) == -1); + PEGASUS_TEST_ASSERT(Executor::validateUser("xnonexistentuserx") == -1); + + char challengeFilePath[EXECUTOR_BUFFER_SIZE]; +diff -up pegasus/src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp.old pegasus/src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp +--- pegasus/src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp.old 2008-03-12 07:28:56.000000000 +0100 ++++ pegasus/src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp 2008-11-11 13:27:58.000000000 +0100 +@@ -152,7 +152,7 @@ Boolean BasicAuthenticationHandler::auth + } + authInfo->setRemotePrivilegedUserAccessChecked(); + +- authenticated = _basicAuthenticator->authenticate(userName, password); ++ authenticated = _basicAuthenticator->authenticate(userName, password, authInfo->isRemoteUser()); + + // Log audit message. 
+ PEG_AUDIT_LOG(logBasicAuthentication( +diff -up pegasus/src/Pegasus/Security/Authentication/BasicAuthenticator.h.old pegasus/src/Pegasus/Security/Authentication/BasicAuthenticator.h +--- pegasus/src/Pegasus/Security/Authentication/BasicAuthenticator.h.old 2006-01-30 17:18:28.000000000 +0100 ++++ pegasus/src/Pegasus/Security/Authentication/BasicAuthenticator.h 2008-11-11 13:27:58.000000000 +0100 +@@ -67,7 +67,8 @@ public: + */ + virtual Boolean authenticate( + const String& userName, +- const String& password) = 0; ++ const String& password, ++ Boolean isRemoteUser) = 0; + + /** Construct and return the HTTP Basic authentication challenge header + @return A string containing the authentication challenge header. +diff -up pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h.old pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h +--- pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h.old 2007-05-25 20:35:18.000000000 +0200 ++++ pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h 2008-11-11 13:27:58.000000000 +0100 +@@ -55,7 +55,8 @@ public: + + Boolean authenticate( + const String& userName, +- const String& password); ++ const String& password, ++ Boolean isRemoteUser); + + Boolean validateUser(const String& userName); + +diff -up pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp.old pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp +--- pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp.old 2007-06-29 19:43:15.000000000 +0200 ++++ pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp 2008-11-11 13:27:58.000000000 +0100 +@@ -85,7 +85,8 @@ PAMBasicAuthenticator::~PAMBasicAuthenti + + Boolean PAMBasicAuthenticator::authenticate( + const String& userName, +- const String& password) ++ const String& password, ++ Boolean isRemoteUser) + { + PEG_METHOD_ENTER(TRC_AUTHENTICATION, + 
"PAMBasicAuthenticator::authenticate()"); +diff -up pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp.old pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp +--- pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp.old 2007-05-25 20:35:18.000000000 +0200 ++++ pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp 2008-11-11 13:27:58.000000000 +0100 +@@ -72,13 +72,14 @@ PAMBasicAuthenticator::~PAMBasicAuthenti + + Boolean PAMBasicAuthenticator::authenticate( + const String& userName, +- const String& password) ++ const String& password, ++ Boolean isRemoteUser) + { + PEG_METHOD_ENTER(TRC_AUTHENTICATION, + "PAMBasicAuthenticator::authenticate()"); + + if (Executor::authenticatePassword( +- userName.getCString(), password.getCString()) != 0) ++ userName.getCString(), password.getCString(), isRemoteUser) != 0) + { + return false; + } +diff -up pegasus/src/Pegasus/Security/Authentication/SecureBasicAuthenticator.cpp.old pegasus/src/Pegasus/Security/Authentication/SecureBasicAuthenticator.cpp +--- pegasus/src/Pegasus/Security/Authentication/SecureBasicAuthenticator.cpp.old 2008-01-28 10:33:28.000000000 +0100 ++++ pegasus/src/Pegasus/Security/Authentication/SecureBasicAuthenticator.cpp 2008-11-11 13:27:58.000000000 +0100 +@@ -241,7 +241,7 @@ Boolean SecureBasicAuthenticator::authen + if (Executor::detectExecutor() == 0) + { + if (Executor::authenticatePassword( +- userName.getCString(), password.getCString()) == 0) ++ userName.getCString(), password.getCString(), true) == 0) + { + authenticated = true; + } +diff -up pegasus/src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp.old pegasus/src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp +--- pegasus/src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp.old 2007-12-19 14:55:10.000000000 +0100 ++++ pegasus/src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp 2008-11-11 13:27:58.000000000 +0100 +@@ -403,6 +403,9 @@ void 
HTTPAuthenticatorDelegator::handleH + Logger::STANDARD_LOG, System::CIMSERVER, Logger::TRACE, + "HTTPAuthenticatorDelegator - Authentication processing start")); + ++ // Let Authenticators know whether this user is Local or Remote: ++ httpMessage->authInfo->setRemoteUser( httpMessage->isFromRemoteHost ); ++ + // + // Handle authentication: + // diff --git a/tog-pegasus.spec b/tog-pegasus.spec index 5dd4f6a..103e058 100644 --- a/tog-pegasus.spec +++ b/tog-pegasus.spec @@ -43,7 +43,7 @@ %define _default_patch_fuzz 2 Version: 2.7.2 -Release: 1%{?dist} +Release: 2%{?dist} Epoch: 2 # Summary: OpenPegasus WBEM Services for Linux @@ -71,7 +71,7 @@ Patch3: pegasus-2.7.0-redhat-config.patch # 4: don't see how http://cvs.rdg.opengroup.org/bugzilla/show_bug.cgi?id=5099 fixed it Patch4: pegasus-2.6.0-cmpi-provider-lib.patch # 5: http://cvs.rdg.opengroup.org/bugzilla/show_bug.cgi?id=5010 -Patch5: pegasus-2.7.0-local-or-remote-auth.patch +Patch5: pegasus-2.7.2-local-or-remote-auth.patch # 6: http://cvs.rdg.opengroup.org/bugzilla/show_bug.cgi?id=5012 Patch6: pegasus-2.5.1-pam-wbem.patch # 7: http://cvs.rdg.opengroup.org/bugzilla/show_bug.cgi?id=5006 @@ -140,13 +140,13 @@ The OpenPegasus WBEM tests for the OpenPegasus %{version} Linux rpm. %patch2 -p1 -b .PIE %patch3 -p1 -b .redhat-config %patch4 -p1 -b .cmpi-provider-lib -%patch5 -p1 -b .local-or-remote-auth %patch6 -p1 -b .pam-wbem %patch7 -p1 -b .fix-tests %patch8 -p1 -b .multilib %patch9 -p1 -b .cimuser %patch11 -p1 -b .no_privilege_separation %patch12 -p1 -b .no_snmp_tests +%patch5 -p1 -b .local-or-remote-auth find . -name 'CVS' -exec /bin/rm -rf '{}' ';' >/dev/null 2>&1 ||:; %build @@ -442,6 +442,10 @@ fi %changelog +* Tue Nov 11 2008 Vitezslav Crhonek - 2:2.7.2-2 +- Fix local or remote auth patch to work correctly with new code base + Related: #459217 + * Thu Nov 6 2008 Vitezslav Crhonek - 2:2.7.2-1 - Update to upstream version 2.7.2 (remove patches added in 2.7.1-1 - they're upstream now)
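Review bot: `PAMAuthenticate()` in PAMAuth.h drops `isRemoteUser` in the `PEGASUS_USE_PAM_STANDALONE_PROC` branch (`CimserveraProcessOperation("authenticate", username, password)` is unchanged), so a build using the standalone PAM helper never sets `PAM_TTY` to `wbemNetwork`/`wbemLocal` and any PAM policy keyed on that item silently stops distinguishing local from remote callers; either forward the flag or refuse the combination with `#error "local/remote auth is not wired through PEGASUS_USE_PAM_STANDALONE_PROC"`. In the `pam_set_item`, `pam_authenticate` and `pam_acct_mgmt` failure paths of `PAMAuthenticateInProcess` and `PAMValidateUserInProcess`, `pam_end(handle, 0)` runs before `pam_strerror(handle, retcode)`, handing an already-ended handle to `pam_strerror` (and in the `pam_start` branch `handle` may never have been set); move `pam_end` after the two `syslog` calls and pass `retcode` instead of `0` so modules see the real exit status. The flag is also fixed by hand in `SecureBasicAuthenticator.cpp` (`true`) and `PAMValidateUserInProcess` (`"wbemLocal"`); the former is fail-closed if the network policy is the stricter one, but the latter presumably runs `pam_acct_mgmt` under the local policy for users validated through other paths, so confirm that is intended. The loopback test in `HTTPConnection.cpp` leaves `isFromRemoteHost` at its default `true` unless an AF_INET 127/8 address is seen, so IPv6 `::1` and Unix-domain peers are treated as remote; that is the safe direction but deserves a comment such as `// IPv6 loopback (::1) and AF_UNIX peers deliberately stay "remote" (fail-closed)` next to the `// don't need to worry about IPv6 yet` line.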