if (FileSystem::isDirectory( ConfigManager::getHomedPath(trustStore))) { PEG_TRACE_STRING(TRC_HTTP, Tracer::LEVEL4, "Truststore is a directory, lookup username"); // Get the client certificate chain to determine the correct // username mapping. Starting with the peer certificate, // work your way up the chain towards the root certificate // until a match is found in the repository. Array<SSLCertificateInfo*> clientCertificateChain = httpMessage->authInfo->getClientCertificateChain(); SSLCertificateInfo* clientCertificate = NULL; Tracer::trace(TRC_HTTP, Tracer::LEVEL4, "Client certificate chain length: %d.", clientCertificateChain.size()); Uint32 loopCount = clientCertificateChain.size() - 1; for (Uint32 i = 0; i <= loopCount ; i++) { clientCertificate = clientCertificateChain[i]; if (clientCertificate == NULL) { MessageLoaderParms msgParms( "Pegasus.Server.HTTPAuthenticatorDelegator." "BAD_CERTIFICATE", "The certificate used for authentication is not " "valid."); String msg(MessageLoader::getMessage(msgParms)); _sendHttpError( queueId, HTTP_STATUS_UNAUTHORIZED, String::EMPTY, msg, closeConnect); PEG_METHOD_EXIT(); return; } PEG_TRACE_STRING(TRC_HTTP, Tracer::LEVEL4, "Certificate toString " + clientCertificate->toString()); //get certificate properties String issuerName = clientCertificate->getIssuerName(); char serialNumber[256]; sprintf(serialNumber, "%lu", clientCertificate->getSerialNumber()); // // The truststore type key property is deprecated. To retain // backward compatibility, add the truststore type property // to the key bindings and set it to cimserver truststore. 
// //construct the corresponding PG_SSLCertificate instance Array<CIMKeyBinding> keyBindings; keyBindings.append(CIMKeyBinding( "IssuerName", issuerName, CIMKeyBinding::STRING)); keyBindings.append(CIMKeyBinding( "SerialNumber", serialNumber, CIMKeyBinding::STRING)); keyBindings.append(CIMKeyBinding("TruststoreType", PG_SSLCERTIFICATE_TSTYPE_VALUE_SERVER)); CIMObjectPath cimObjectPath( "localhost", PEGASUS_NAMESPACENAME_CERTIFICATE, PEGASUS_CLASSNAME_CERTIFICATE, keyBindings); PEG_TRACE_STRING(TRC_HTTP, Tracer::LEVEL4, "Client Certificate COP: " + cimObjectPath.toString()); CIMInstance cimInstance; CIMValue value; Uint32 pos; String userName = String::EMPTY; //attempt to get the username registered to the certificate try { cimInstance = _repository->getInstance( PEGASUS_NAMESPACENAME_CERTIFICATE, cimObjectPath); pos = cimInstance.findProperty("RegisteredUserName"); if (pos != PEG_NOT_FOUND && !(value = cimInstance.getProperty(pos). getValue()).isNull()) { value.get(userName); // // If a user name is specified, our search is // complete // if (userName.size()) { PEG_TRACE_STRING(TRC_HTTP, Tracer::LEVEL3, "User name for certificate is " + userName); certUserName = userName; break; } // No user name is specified; continue up the chain Tracer::trace(TRC_HTTP, Tracer::LEVEL4, "The certificate at level %u has no " "associated username, moving up the chain", i); } else { Logger::put( Logger::ERROR_LOG, System::CIMSERVER, Logger::TRACE, "HTTPAuthenticatorDelegator - Bailing, no " "username is registered to this " "certificate."); } } catch (CIMException& e) { // this certificate did not have a registration // associated with it; continue up the chain if (e.getCode() == CIM_ERR_NOT_FOUND) { PEG_TRACE_STRING(TRC_HTTP, Tracer::LEVEL4, "No registration for this certificate, try " "next certificate in chain"); continue; } else { Logger::put( Logger::ERROR_LOG, System::CIMSERVER, Logger::TRACE, "HTTPAuthenticatorDelegator - Bailing, " "the certificate used for authentication " 
"is not valid."); MessageLoaderParms msgParms( "Pegasus.Server.HTTPAuthenticatorDelegator." "BAD_CERTIFICATE", "The certificate used for authentication is " "not valid."); String msg(MessageLoader::getMessage(msgParms)); PEG_TRACE_STRING(TRC_HTTP, Tracer::LEVEL3, msg); _sendHttpError( queueId, HTTP_STATUS_UNAUTHORIZED, String::EMPTY, msg, closeConnect); PEG_METHOD_EXIT(); return; } } catch (...) { // this scenario can occur if a certificate cached // on the server was deleted openssl would not pick // up the deletion but we would pick it up here when // we went to look it up in the repository Logger::put( Logger::ERROR_LOG, System::CIMSERVER, Logger::TRACE, "HTTPAuthenticatorDelegator - Bailing, the " "certificate used for authentication is not " "valid."); MessageLoaderParms msgParms( "Pegasus.Server.HTTPAuthenticatorDelegator." "BAD_CERTIFICATE", "The certificate used for authentication is not " "valid."); String msg(MessageLoader::getMessage(msgParms)); PEG_TRACE_STRING(TRC_HTTP, Tracer::LEVEL3, msg); _sendHttpError( queueId, HTTP_STATUS_UNAUTHORIZED, String::EMPTY, msg, closeConnect); PEG_METHOD_EXIT(); return; } } //end for clientcertificatechain } //end sslTrustStore directory else { // trustStore is a single CA file, lookup username // user was already verified as a valid system user during // server startup certUserName = configManager->getCurrentValue("sslTrustStoreUserName"); } // // Validate user information // if (!_authenticationManager->validateUserForHttpAuth(certUserName)) { MessageLoaderParms msgParms( "Pegasus.Server.HTTPAuthenticatorDelegator." 
"BAD_CERTIFICATE_USERNAME", "The username registered to this certificate is not a " "valid user."); _sendHttpError( queueId, HTTP_STATUS_UNAUTHORIZED, String::EMPTY, MessageLoader::getMessage(msgParms), closeConnect); PEG_METHOD_EXIT(); return; } httpMessage->authInfo->setAuthenticatedUser(certUserName); PEG_TRACE_STRING( TRC_HTTP, Tracer::LEVEL3, "User name for certificate is " + certUserName); Logger::put( Logger::STANDARD_LOG, System::CIMSERVER, Logger::TRACE, "HTTPAuthenticatorDelegator - The trusted client certificate " "is registered to $0.", certUserName); } } //end enableAuthentication PEG_TRACE_STRING(TRC_HTTP, Tracer::LEVEL4, "Exited authentication loop"); AcceptLanguageList acceptLanguages; ContentLanguageList contentLanguages; try { // Get and validate the Accept-Language header, if set String acceptLanguageHeader; if (HTTPMessage::lookupHeader( headers, _HTTP_HEADER_ACCEPT_LANGUAGE, acceptLanguageHeader, false)) { acceptLanguages = LanguageParser::parseAcceptLanguageHeader( acceptLanguageHeader); httpMessage->acceptLanguagesDecoded = true; } // Get and validate the Content-Language header, if set String contentLanguageHeader; if (HTTPMessage::lookupHeader( headers, _HTTP_HEADER_CONTENT_LANGUAGE, contentLanguageHeader, false)) { contentLanguages = LanguageParser::parseContentLanguageHeader( contentLanguageHeader); httpMessage->contentLanguagesDecoded = true; } } catch (Exception& e) { // clear any existing languages to force messages to come from the // root bundle Thread::clearLanguages(); MessageLoaderParms msgParms( "Pegasus.Server.HTTPAuthenticatorDelegator.REQUEST_NOT_VALID", "request-not-valid"); String msg(MessageLoader::getMessage(msgParms)); _sendHttpError( queueId, HTTP_STATUS_BADREQUEST, msg, e.getMessage(), closeConnect); PEG_METHOD_EXIT(); return; } Thread::setLanguages(new AcceptLanguageList(acceptLanguages)); httpMessage->acceptLanguages = acceptLanguages; httpMessage->contentLanguages = contentLanguages; // // Parse the request line: // 
String methodName; String requestUri; String httpVersion; HttpMethod httpMethod = HTTP_METHOD__POST; HTTPMessage::parseRequestLine( startLine, methodName, requestUri, httpVersion); // // Set HTTP method for the request // if (methodName == _HTTP_METHOD_MPOST) { httpMethod = HTTP_METHOD_M_POST; } if (methodName != _HTTP_METHOD_MPOST && methodName != _HTTP_METHOD) { // Only POST and M-POST are implemented by this server _sendHttpError( queueId, HTTP_STATUS_NOTIMPLEMENTED, String::EMPTY, String::EMPTY, closeConnect); } else if ((httpMethod == HTTP_METHOD_M_POST) && (httpVersion == _HTTP_VERSION_1_0)) { // // M-POST method is not valid with version 1.0 // _sendHttpError( queueId, HTTP_STATUS_BADREQUEST, String::EMPTY, String::EMPTY, closeConnect); } else { // // Process M-POST and POST messages: // PEG_LOGGER_TRACE(( Logger::STANDARD_LOG, System::CIMSERVER, Logger::TRACE, "HTTPAuthenticatorDelegator - M-POST/POST processing start")); httpMessage->message.append('\0'); if (!authenticated && enableAuthentication) { //