rpms/tog-pegasus
7
0
Fork 0
Code Issues Pull Requests Releases Activity
40faa82d02
tog-pegasus/pegasus-2.5-local-or-remote-auth.patch
jvdias 2ff3d1074a - Implemented new 'make install' target. 
- Re-wrote tog-pegasus.spec file from scratch.
- Ported BZ 167986 authentication code and BZ 167164 + BZ 167165 fixes from
    RHEL-4
2005-10-03 18:09:23 +00:00

430 lines
14 KiB
Diff
Raw Blame History

--- pegasus-2.5/src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp.local_or_remote_auth 2005-08-13 20:28:32.000000000 -0400
+++ pegasus-2.5/src/Pegasus/Server/HTTPAuthenticatorDelegator.cpp 2005-09-28 16:18:58.000000000 -0400
@@ -364,6 +364,9 @@
}
}
+ // Let Authenticators know whether this user is Local or Remote:
+ httpMessage->authInfo->setRemoteUser( httpMessage->fromRemoteHost );
+
//
// Handle authentication:
//
--- pegasus-2.5/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp.local_or_remote_auth 2005-07-12 14:05:09.000000000 -0400
+++ pegasus-2.5/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorStub.cpp 2005-09-28 16:18:58.000000000 -0400
@@ -90,7 +90,8 @@
Boolean PAMBasicAuthenticator::authenticate(
const String& userName,
- const String& password)
+ const String& password,
+ Boolean isRemoteUser)
{
PEG_METHOD_ENTER(TRC_AUTHENTICATION,
"PAMBasicAuthenticator::authenticate()");
--- pegasus-2.5/src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h.local_or_remote_auth 2005-07-12 14:05:09.000000000 -0400
+++ pegasus-2.5/src/Pegasus/Security/Authentication/PAMBasicAuthenticator.h 2005-09-28 16:18:58.000000000 -0400
@@ -71,7 +71,8 @@
*/
Boolean authenticate(
const String& userName,
- const String& password);
+ const String& password,
+ Boolean isRemoteUser);
/** Verify PAM account management for the requesting user.
@param userName String containing the user name
@@ -100,7 +101,8 @@
Boolean _authenticateByPAM(
const String& userName,
- const String& password);
+ const String& password,
+ Boolean isRemoteUser);
void _createPAMStandalone();
@@ -156,7 +158,8 @@
*/
Boolean authenticate(
const String& userName,
- const String& password);
+ const String& password,
+ Boolean isRemoteUser);
/** Verify whether the user is valid.
@param userName String containing the user name
@@ -218,7 +221,8 @@
Boolean _authenticateByPAM(
const String& userName,
- const String& password);
+ const String& password,
+ Boolean isRemoteUser);
#if defined(PEGASUS_USE_PAM_STANDALONE_PROC)
PAMBasicAuthenticatorStandAlone _pamBasicAuthenticatorStandAlone;
--- pegasus-2.5/src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp.local_or_remote_auth 2005-07-12 14:05:09.000000000 -0400
+++ pegasus-2.5/src/Pegasus/Security/Authentication/BasicAuthenticationHandler.cpp 2005-09-28 16:18:58.000000000 -0400
@@ -136,7 +136,7 @@
authInfo->setAuthenticatedUser(userName);
authInfo->setAuthenticatedPassword(password);
#else
- authenticated = _basicAuthenticator->authenticate(userName, password);
+ authenticated = _basicAuthenticator->authenticate(userName, password, authInfo->isRemoteUser());
if (authenticated)
{
--- pegasus-2.5/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp.local_or_remote_auth 2005-07-19 15:14:48.000000000 -0400
+++ pegasus-2.5/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp 2005-09-28 16:47:55.000000000 -0400
@@ -129,7 +129,8 @@
Boolean PAMBasicAuthenticator::authenticate(
const String& userName,
- const String& password)
+ const String& password,
+ Boolean isRemoteUser)
{
PEG_METHOD_ENTER(TRC_AUTHENTICATION,
"PAMBasicAuthenticator::authenticate()");
@@ -137,7 +138,7 @@
Boolean authenticated;
#if !defined(PEGASUS_USE_PAM_STANDALONE_PROC)
- authenticated = _authenticateByPAM(userName, password);
+ authenticated = _authenticateByPAM(userName, password, isRemoteUser);
#else
//
// Mutex to Serialize Authentication calls.
@@ -145,8 +146,9 @@
Tracer::trace(TRC_AUTHENTICATION, Tracer::LEVEL4,
"Authentication Mutex lock.");
AutoMutex lock(_authSerializeMutex);
- authenticated = _pamBasicAuthenticatorStandAlone.authenticate(
- userName, password);
+ authenticated =
+ _pamBasicAuthenticatorStandAlone->authenticate(userName,
+ password);
#endif
PEG_METHOD_EXIT();
@@ -155,7 +157,8 @@
Boolean PAMBasicAuthenticator::_authenticateByPAM(
const String& userName,
- const String& password)
+ const String& password,
+ Boolean isRemoteUser)
{
PEG_METHOD_ENTER(TRC_AUTHENTICATION,
"PAMBasicAuthenticator::_authenticateByPAM()");
@@ -165,6 +168,7 @@
pam_handle_t *phandle;
char *name;
APP_DATA mydata;
+ int retcode;
//
// Store the password for PAM authentication
@@ -178,21 +182,38 @@
// Tracer::trace(TRC_AUTHENTICATION, Tracer::LEVEL4,
// "PAMBasicAuthenticator::_authenticateByPAM() - userName = %s; userPassword = %s",
// (const char *)userName.getCString(), (const char *)password.getCString());
+
+ // NOTE: if any pam call should log anything, our syslog socket will be redirected
+ // to the AUTH facility, so we need to redirect it back after each pam call.
//
//Call pam_start since you need to before making any other PAM calls
//
- if ( ( pam_start(service,
+
+ if ( (retcode = pam_start(service,
(const char *)userName.getCString(), &pconv, &phandle) ) != PAM_SUCCESS )
{
+ closelog();
+ openlog("cimserver", LOG_PID, LOG_DAEMON);
+ syslog( LOG_ERR, "pam_start failed: %s", pam_strerror(phandle, retcode));
PEG_METHOD_EXIT();
return (authenticated);
}
+
+ if ( (retcode = pam_set_item(phandle, PAM_TTY, isRemoteUser ? "wbemNetwork" : "wbemLocal")) != PAM_SUCCESS )
+ {
+ pam_end(phandle, 0);
+ closelog();
+ openlog("cimserver", LOG_PID, LOG_DAEMON);
+ syslog( LOG_ERR, "pam_set_item(PAM_TTY=wbem) failed: %s", pam_strerror(phandle, retcode));
+ PEG_METHOD_EXIT();
+ return (authenticated);
+ }
//
//Call pam_authenticate to authenticate the user
//
- if ( ( pam_authenticate(phandle, 0) ) == PAM_SUCCESS )
+ if ( ( retcode = pam_authenticate(phandle, 0) ) == PAM_SUCCESS )
{
Tracer::trace(TRC_AUTHENTICATION, Tracer::LEVEL4,
"pam_authenticate successful.");
@@ -201,22 +222,40 @@
//checking for password and account expiration, as well as verifying access
//hour restrictions.
//
- if ( ( pam_acct_mgmt(phandle, 0) ) == PAM_SUCCESS )
+
+ if ( ( retcode = pam_acct_mgmt(phandle, 0) ) == PAM_SUCCESS )
{
Tracer::trace(TRC_AUTHENTICATION, Tracer::LEVEL4,
"pam_acct_mgmt successful.");
authenticated = true;
- }
+ }else
+ {
+ closelog();
+ openlog("cimserver", LOG_PID, LOG_DAEMON);
+ syslog(LOG_ERR, "pam_acct_mgmt failed: %s",pam_strerror(phandle, retcode));
+ }
+ }else
+ {
+ closelog();
+ openlog("cimserver", LOG_PID, LOG_DAEMON);
+ syslog(LOG_ERR, "pam_authenticate failed: %s",pam_strerror(phandle, retcode));
}
-
//
//Call pam_end to end our PAM work
//
pam_end(phandle, 0);
+ closelog();
+ openlog("cimserver", LOG_PID, LOG_DAEMON);
- PEG_METHOD_EXIT();
+ if ( ! authenticated )
+ syslog(LOG_ERR, "PAM authentication failed for %s user: %s",
+ isRemoteUser ? "remote" : "local",
+ (const char*)userName.getCString()
+ );
+ PEG_METHOD_EXIT();
return (authenticated);
+
}
Boolean PAMBasicAuthenticator::validateUser(const String& userName)
@@ -231,6 +270,7 @@
pam_handle_t *phandle;
char *name;
APP_DATA mydata;
+ int retcode;
const char *service = "wbem";
pconv.conv = PAMBasicAuthenticator::pamValidateUserCallback;
@@ -239,21 +279,43 @@
//
// Call pam_start since you need to before making any other PAM calls
//
- if ( pam_start(service,
- (const char *)userName.getCString(), &pconv, &phandle) != PAM_SUCCESS)
- {
+ if ( (retcode =
+ pam_start(service,(const char *)userName.getCString(), &pconv, &phandle)
+ ) != PAM_SUCCESS
+ )
+ {
+ closelog();
+ openlog("cimserver", LOG_PID, LOG_DAEMON);
+ syslog( LOG_ERR, "pam_start() failed: %s", pam_strerror(phandle, retcode));
PEG_METHOD_EXIT();
return (authenticated);
}
+ if ( (retcode = pam_set_item(phandle, PAM_TTY, "wbemLocal")) != PAM_SUCCESS )
+ {
+ pam_end(phandle, 0);
+ closelog();
+ openlog("cimserver", LOG_PID, LOG_DAEMON);
+ syslog( LOG_ERR, "pam_set_item(PAM_TTY=wbemLocal) failed: %s", pam_strerror(phandle, retcode));
+ PEG_METHOD_EXIT();
+ return (authenticated);
+ }
//
// Call pam_acct_mgmt, to check if the user account is valid. This includes
// checking for account expiration, as well as verifying access
// hour restrictions.
//
- if ( pam_acct_mgmt(phandle, 0) == PAM_SUCCESS )
- {
+ if ( (retcode = pam_acct_mgmt(phandle, 0)) == PAM_SUCCESS )
+ {
authenticated = true;
+ }else
+ {
+ pam_end(phandle, 0);
+ closelog();
+ openlog("cimserver", LOG_PID, LOG_DAEMON);
+ syslog( LOG_ERR, "pam_acct_mgmt() failed: %s", pam_strerror(phandle, retcode));
+ PEG_METHOD_EXIT();
+ return (authenticated);
}
//
@@ -261,6 +323,9 @@
//
pam_end(phandle, 0);
+ closelog();
+ openlog("cimserver", LOG_PID, LOG_DAEMON);
+
#else
//
// Mutex to Serialize Authentication calls.
--- pegasus-2.5/src/Pegasus/Security/Authentication/BasicAuthenticator.h.local_or_remote_auth 2005-07-12 14:05:09.000000000 -0400
+++ pegasus-2.5/src/Pegasus/Security/Authentication/BasicAuthenticator.h 2005-09-28 16:18:58.000000000 -0400
@@ -65,7 +65,8 @@
*/
virtual Boolean authenticate(
const String& userName,
- const String& password) = 0;
+ const String& password,
+ Boolean isRemoteUser) = 0;
/** Construct and return the HTTP Basic authentication challenge header
@return A string containing the authentication challenge header.
--- pegasus-2.5/src/Pegasus/Common/HTTPMessage.cpp.local_or_remote_auth 2005-05-31 21:51:53.000000000 -0400
+++ pegasus-2.5/src/Pegasus/Common/HTTPMessage.cpp 2005-09-28 16:18:58.000000000 -0400
@@ -101,7 +101,8 @@
message(message_),
queueId(queueId_),
acceptLanguagesDecoded(false),
- contentLanguagesDecoded(false)
+ contentLanguagesDecoded(false),
+ fromRemoteHost(true)
{
if (cimException_)
cimException = *cimException_;
--- pegasus-2.5/src/Pegasus/Common/HTTPMessage.h.local_or_remote_auth 2005-05-12 02:59:56.000000000 -0400
+++ pegasus-2.5/src/Pegasus/Common/HTTPMessage.h 2005-09-28 16:18:58.000000000 -0400
@@ -77,7 +77,8 @@
ContentLanguages contentLanguages;
Boolean acceptLanguagesDecoded;
Boolean contentLanguagesDecoded;
- CIMException cimException;
+ Boolean fromRemoteHost;
+ CIMException cimException;
void parse(
String& startLine,
--- pegasus-2.5/src/Pegasus/Common/AuthenticationInfoRep.cpp.local_or_remote_auth 2005-02-05 17:59:23.000000000 -0500
+++ pegasus-2.5/src/Pegasus/Common/AuthenticationInfoRep.cpp 2005-09-28 16:18:58.000000000 -0400
@@ -55,7 +55,8 @@
_privileged(false),
_authType(String::EMPTY),
_authStatus(NEW_REQUEST),
- _exportConnection(false)
+ _exportConnection(false),
+ _remoteUser(true)
{
PEG_METHOD_ENTER(
TRC_AUTHENTICATION, "AuthenticationInfoRep::AuthenticationInfoRep");
@@ -178,5 +179,14 @@
PEG_METHOD_EXIT();
}
+void AuthenticationInfoRep::setRemoteUser(Boolean remoteUser)
+{
+ PEG_METHOD_ENTER(TRC_AUTHENTICATION,
+ "AuthenticationInfoRep::setRemoteUser");
+
+ _remoteUser = remoteUser;
+
+ PEG_METHOD_EXIT();
+}
PEGASUS_NAMESPACE_END
--- pegasus-2.5/src/Pegasus/Common/AuthenticationInfo.h.local_or_remote_auth 2005-02-05 17:59:23.000000000 -0500
+++ pegasus-2.5/src/Pegasus/Common/AuthenticationInfo.h 2005-09-28 16:18:58.000000000 -0400
@@ -329,6 +329,22 @@
_rep->setClientCertificate(clientCertificate);
}
+ /** Indicate whether the user is Remote
+ */
+ Boolean isRemoteUser() const
+ {
+ _checkRep();
+ return _rep->isRemoteUser();
+ }
+
+ /** Set the Remote User flag
+ */
+ void setRemoteUser(Boolean remoteUser)
+ {
+ _checkRep();
+ _rep->setRemoteUser(remoteUser);
+ }
+
private:
AuthenticationInfo(AuthenticationInfoRep* rep) : _rep(rep)
--- pegasus-2.5/src/Pegasus/Common/AuthenticationInfoRep.h.local_or_remote_auth 2005-02-05 17:59:23.000000000 -0500
+++ pegasus-2.5/src/Pegasus/Common/AuthenticationInfoRep.h 2005-09-28 16:18:58.000000000 -0400
@@ -140,6 +140,14 @@
void setExportConnection(Boolean exportConnection);
+ Boolean isRemoteUser() const
+ {
+ return _remoteUser;
+ }
+
+ void setRemoteUser(Boolean remoteUser);
+
+
//PEP187
SSLCertificateInfo* getClientCertificate()
{
@@ -170,7 +178,8 @@
#endif
Boolean _exportConnection;
- SSLCertificateInfo* _clientCertificate;
+ SSLCertificateInfo* _clientCertificate;
+ Boolean _remoteUser;
};
PEGASUS_NAMESPACE_END
--- pegasus-2.5/src/Pegasus/Common/HTTPConnection.cpp.local_or_remote_auth 2005-08-18 20:24:32.000000000 -0400
+++ pegasus-2.5/src/Pegasus/Common/HTTPConnection.cpp 2005-09-28 16:18:58.000000000 -0400
@@ -1807,6 +1807,30 @@
"_requestCount = %d", _requestCount.value());
message->dest = _outputMessageQueue->getQueueId();
// SendForget(message);
+
+ // Allow authenticators to differentiate Remote and Local users:
+ struct sockaddr_in sin_peer, sin_svr; // don't need to worry about IPv6 yet ...
+ socklen_t slen1=sizeof(struct sockaddr_in), slen2=sizeof(struct sockaddr_in);
+ uint32_t sock = _socket.get()->getSocket() ;
+ memset(&sin_peer,'\0',slen1);
+ memset(&sin_svr, '\0',slen2);
+ if ( ( ::getpeername( sock, (struct sockaddr*)&sin_peer, &slen1) == 0 )
+ ||( ::getsockname( sock, (struct sockaddr*)&sin_svr, &slen2) == 0 )
+ )
+ {
+ if( sin_peer.sin_family == AF_INET )
+ {
+ if( ((ntohl( sin_peer.sin_addr.s_addr ) >> 24) & 0xff) == 127 )
+ // message was sent FROM localhost interface
+ message->fromRemoteHost = false;
+ }
+ if( sin_svr.sin_family == AF_INET )
+ {
+ if( ((ntohl( sin_svr.sin_addr.s_addr ) >> 24) & 0xff) == 127 )
+ // message was sent TO localhost interface
+ message->fromRemoteHost = false;
+ }
+ }
//
// Set the entry status to BUSY.
Reference in New Issue View Git Blame Copy Permalink