cimoperationrequestauthorizer.cpp

Pegasus is an open-source implementationof the DMTF CIM and WBEM standards. It is designed to be por

            break;

        case CIM_INVOKE_METHOD_REQUEST_MESSAGE:
            cimMethodName = "InvokeMethod";
            break;

        default:
            PEGASUS_ASSERT(0);
            break;
    }

#ifdef PEGASUS_ZOS_SECURITY
    if (checkRequestTypeAuthorizationZOS(
            req->getType(), userName, nameSpace) == false)
    {
        //
        // user is not authorized, send an
        // error message to the requesting client.
        //
        if (cimMethodName == "InvokeMethod")
        {
            sendMethodError(
                queueId,
                req->getHttpMethod(),
                req->messageId,
                ((CIMInvokeMethodRequestMessage*)req.get())->methodName,
                PEGASUS_CIM_EXCEPTION_L(CIM_ERR_ACCESS_DENIED,
                    MessageLoaderParms(
                        "Server.CIMOperationRequestAuthorizer.NOT_AUTHORIZED",
                        "Not authorized to run $0 in the namespace $1",
                        cimMethodName, nameSpace.getString())));
        }
        else
        {
            sendIMethodError(
                queueId,
                req->getHttpMethod(),
                req->messageId,
                cimMethodName,
                PEGASUS_CIM_EXCEPTION_L(CIM_ERR_ACCESS_DENIED,
                    MessageLoaderParms(
                        "Server.CIMOperationRequestAuthorizer.NOT_AUTHORIZED",
                        "Not authorized to run $0 in the namespace $1",
                        cimMethodName, nameSpace.getString())));
        }
        PEG_METHOD_EXIT();
        return;
    }
#endif

#ifdef PEGASUS_ENABLE_USERGROUP_AUTHORIZATION
    //
    // If the user is not privileged and authorized user group is specified,
    // then perform the user group authorization check.
    //
    try
    {
        if ( ! System::isPrivilegedUser(userName) )
        {
            Uint32 size = _authorizedUserGroups.size();

            if (size > 0)
            {
                Boolean authorized = false;

                //
                // Check if the user name is in the authorized user groups.
                //
                for (Uint32 i = 0; i < size; i++)
                {
                    //
                    // Check if the user is a member of the group
                    //
                    if (System::isGroupMember(userName.getCString(),
                            _authorizedUserGroups[i].getCString()))
                    {
                        authorized = true;
                        break;
                    }
                }

                //
                // If the user is not a member of any of the authorized
                // user groups then generate error response.
                //
                if (!authorized)
                {
                    PEG_TRACE_STRING(TRC_SERVER, Tracer::LEVEL2,
                        "Authorization Failed: User '" + userName +
                            "' is not a member of the authorized groups");

                    MessageLoaderParms msgLoaderParms(
                        "Server.CIMOperationRequestAuthorizer."
                            "NOT_IN_AUTHORIZED_GRP",
                        "User '$0' is not authorized to access CIM data.",
                        userName);

                    //
                    // user is not in the authorized user groups, send an
                    // error message to the requesting client.
                    //
                    if (cimMethodName == "InvokeMethod")
                    {
                        sendMethodError(
                            queueId,
                            req->getHttpMethod(),
                            req->messageId,
                            ((CIMInvokeMethodRequestMessage*)req.get())->
                                methodName,
                            PEGASUS_CIM_EXCEPTION_L(CIM_ERR_ACCESS_DENIED,
                                msgLoaderParms));
                        PEG_METHOD_EXIT();
                        return;
                    }
                    else
                    {
                        sendIMethodError(
                            queueId,
                            req->getHttpMethod(),
                            req->messageId,
                            cimMethodName,
                            PEGASUS_CIM_EXCEPTION_L(CIM_ERR_ACCESS_DENIED,
                                msgLoaderParms));
                        PEG_METHOD_EXIT();
                        return;
                    }
                }
            }
        }
    }
    catch (InternalSystemError& ise)
    {
        sendIMethodError(
            queueId,
            req->getHttpMethod(),
            req->messageId,
            cimMethodName,
            PEGASUS_CIM_EXCEPTION(CIM_ERR_ACCESS_DENIED, ise.getMessage()));
        PEG_METHOD_EXIT();
        return;
    }
#endif  // #ifdef PEGASUS_ENABLE_USERGROUP_AUTHORIZATION

    //
    // Get a config manager instance
    //
    ConfigManager* configManager = ConfigManager::getInstance();

    //
    // Do namespace authorization verification
    //
    if (ConfigManager::parseBooleanValue(
        configManager->getCurrentValue("enableNamespaceAuthorization")))
    {
        //
        // If the user is not privileged, perform the authorization check.
        //
#if !defined(PEGASUS_PLATFORM_OS400_ISERIES_IBM)
        if (!System::isPrivilegedUser(userName))
#else
        // On OS/400, always check authorization if remote user.
        // Always allow local privileged users through.
        // Check authorization for local non-privileged users.
        // (User authorization to providers are checked downstream from here).
        if (!String::equalNoCase(authType,"Local") ||
            !System::isPrivilegedUser(userName))
#endif
        {
            UserManager* userManager = UserManager::getInstance();

            if (!userManager ||
                !userManager->verifyAuthorization(
                     userName, nameSpace, cimMethodName))
            {
                if (cimMethodName == "InvokeMethod")
                {
                    sendMethodError(
                      queueId,
                      req->getHttpMethod(),
                      req->messageId,
                      ((CIMInvokeMethodRequestMessage*)req.get())->methodName,
                      PEGASUS_CIM_EXCEPTION_L(CIM_ERR_ACCESS_DENIED,
                          MessageLoaderParms(
                              "Server.CIMOperationRequestAuthorizer."
                                  "NOT_AUTHORIZED",
                              "Not authorized to run $0 in the namespace $1",
                              cimMethodName, nameSpace.getString())));
                }
                else
                {
                    sendIMethodError(
                        queueId,
                        req->getHttpMethod(),
                        req->messageId,
                        cimMethodName,
                        PEGASUS_CIM_EXCEPTION_L(CIM_ERR_ACCESS_DENIED,
                            MessageLoaderParms(
                                "Server.CIMOperationRequestAuthorizer."
                                    "NOT_AUTHORIZED",
                                "Not authorized to run $0 in the namespace $1",
                                cimMethodName, nameSpace.getString())));
                }

                PEG_METHOD_EXIT();
                return;
            }
        }
    }

    //
    // Enqueue the request
    //
    _outputQueue->enqueue(req.release());

    PEG_METHOD_EXIT();
}

void CIMOperationRequestAuthorizer::handleEnqueue()
{
    PEG_METHOD_ENTER(TRC_SERVER,
        "CIMOperationRequestAuthorizer::handleEnqueue");

    Message* request = dequeue();
    if (request)
        handleEnqueue(request);

    PEG_METHOD_EXIT();
}

void CIMOperationRequestAuthorizer::setServerTerminating(Boolean flag)
{
    PEG_METHOD_ENTER(TRC_SERVER,
        "CIMOperationRequestAuthorizer::setServerTerminating");

    _serverTerminating = flag;

    PEG_METHOD_EXIT();
}

Array<String> CIMOperationRequestAuthorizer::_getAuthorizedUserGroups()
{
    PEG_METHOD_ENTER(TRC_SERVER,
        "CIMOperationRequestAuthorizer::getAuthorizedUserGroups");

    Array<String> authorizedGroups;

    String groupNames = String::EMPTY;

    //
    // Get a config manager instance
    //
    ConfigManager* configManager = ConfigManager::getInstance();

    groupNames = configManager->getCurrentValue("authorizedUserGroups");

    //
    // Check if the group name is empty
    //
    if (groupNames == String::EMPTY || groupNames == "")
    {
        PEG_METHOD_EXIT();
        return authorizedGroups;
    }

    //
    // Append _GROUPNAME_SEPARATOR to the end of the groups
    //
    groupNames.append(_GROUPNAME_SEPARATOR);

    Uint32 position = 0;
    String groupName;

    while (groupNames != String::EMPTY)
    {
        //
        // Get a group name from user groups
        // User groups are separated by _GROUPNAME_SEPARATOR
        //
        position = groupNames.find(_GROUPNAME_SEPARATOR);
        groupName = groupNames.subString(0,(position));

        authorizedGroups.append(groupName);

        // Remove the searched group name
        groupNames.remove(0, position + 1);
    }

    PEG_METHOD_EXIT();

    return authorizedGroups;
}

PEGASUS_NAMESPACE_END