HPCC-30058 Handling of missing HPCCInternal::<username> scope

Remove LDAP check for HpccInternal scopes. Instead, check with code that
the requested username in scope (HpccInternal::<username>) matches the username
provided in the request. Users to be granted access to their scope and subscopes,
anything else to be denied.
Remove code to create HpccInteral root scope, and HpccInternal::<user> scopes,
since these are no longer needed
Also, remove the addScopes tool since, this is no longer needed

Signed-off-by: Russ Whitehead <[email protected]>

dali/server/daldap.cpp

@@ -57,23 +57,6 @@ class CDaliLdapConnection: implements IDaliLdapConnection, public CInterface
     unsigned                ldapflags;
     IDigitalSignatureManager * pDSM = nullptr;
 
-    void createDefaultScopes()
-    {
-        try {
-            Owned<ISecUser> user = ldapsecurity->createUser(nullptr);
-            StringBuffer userTempFileScope(queryDfsXmlBranchName(DXB_Internal));
-            if (ldapsecurity->addResourceEx(RT_FILE_SCOPE, *user, userTempFileScope.str(),PT_ADMINISTRATORS_ONLY, NULL))
-                PROGLOG("LDAP: Created default '%s' scope", userTempFileScope.str());
-            else
-                throw MakeStringException(-1, "Error adding LDAP resource '%s'",userTempFileScope.str());
-        }
-        catch (IException *e) {
-            EXCLOG(e,"LDAP createDefaultScopes");
-            throw;
-        }
-    }
-
-
 public:
     IMPLEMENT_IINTERFACE;
 
@@ -113,7 +96,6 @@ class CDaliLdapConnection: implements IDaliLdapConnection, public CInterface
                     EXCLOG(e,"LDAP server");
                     throw;
                 }
-                createDefaultScopes();
             }
         }
     }

system/security/LdapSecurity/ldapconnection.cpp

@@ -4276,12 +4276,6 @@ class CLdapClient : implements ILdapClient, public CInterface
                 continue;
             changeUserGroup("delete", username, grp);
         }
-
-        //Remove tempfile scope for this user
-        StringBuffer resName(queryDfsXmlBranchName(DXB_Internal));
-        resName.append("::").append(username);
-        deleteResource(RT_FILE_SCOPE, resName.str(), m_ldapconfig->getResourceBasedn(RT_FILE_SCOPE));
-
         return true;
     }
 
@@ -6299,30 +6293,9 @@ class CLdapClient : implements ILdapClient, public CInterface
                 throw;
             }
         }
-
-        //Add tempfile scope for this user (spill, paused and checkpoint
-        //will be created under this user specific scope)
-        StringBuffer resName(queryDfsXmlBranchName(DXB_Internal));
-        resName.append("::").append(username);
-        Owned<ISecResource> resource = new CLdapSecResource(resName.str());
-        if (!addResource(RT_FILE_SCOPE, user, resource, PT_ADMINISTRATORS_AND_USER, m_ldapconfig->getResourceBasedn(RT_FILE_SCOPE)))
-        {
-            throw MakeStringException(-1, "Error adding temp file scope %s",resName.str());
-        }
-
         return true;
     }
 
-    bool createUserScope(ISecUser& user)
-    {
-        //Add tempfile scope for given user (spill, paused and checkpoint
-        //files will be created under this user specific scope)
-        StringBuffer resName(queryDfsXmlBranchName(DXB_Internal));
-        resName.append("::").append(user.getName());
-        Owned<ISecResource> resource = new CLdapSecResource(resName.str());
-        return addResource(RT_FILE_SCOPE, user, resource, PT_ADMINISTRATORS_AND_USER, m_ldapconfig->getResourceBasedn(RT_FILE_SCOPE));
-    }
-
     virtual aindex_t getManagedScopeTree(LDAP* ld, SecResourceType rtype, const char * basedn, IArrayOf<ISecResource>& scopes)
     {
         Owned<ILdapConnection> lconn;

system/security/LdapSecurity/ldapconnection.hpp

@@ -318,7 +318,6 @@ interface ILdapClient : extends IInterface
     virtual int countResources(const char* basedn, const char* searchstr, int limit) = 0;
     virtual ILdapConfig* queryConfig() = 0;
     virtual const char* getPasswordStorageScheme() = 0;
-    virtual bool createUserScope(ISecUser& user) = 0;
     virtual aindex_t getManagedScopeTree(LDAP* ld, SecResourceType rtype, const char * basedn, IArrayOf<ISecResource>& scopes) = 0;
     virtual SecAccessFlags queryDefaultPermission(ISecUser& user) = 0;
 

system/security/LdapSecurity/ldapsecurity.cpp

@@ -22,6 +22,7 @@
 #include "authmap.ipp"
 #include "digisign.hpp"
 #include "caching.hpp"
+#include "dautils.hpp"
 
 using namespace cryptohelper;
 
@@ -631,6 +632,7 @@ void CLdapSecManager::init(const char *serviceName, IPropertyTree* cfg)
     m_permissionsCache->setSecManager(this);
     m_passwordExpirationWarningDays = cfg->getPropInt(".//@passwordExpirationWarningDays", 10); //Default to 10 days
     m_checkViewPermissions = cfg->getPropBool(".//@checkViewPermissions", false);
+    m_hpccInternalScope.set(queryDfsXmlBranchName(DXB_Internal)).append("::");//HpccInternal::
 };
 
 
@@ -1014,6 +1016,19 @@ SecAccessFlags CLdapSecManager::authorizeFileScope(ISecUser & user, const char *
     if(filescope == 0 || filescope[0] == '\0')
         return SecAccess_Full;
 
+    //Preprocess "HpccInternal::" scopes, since they are not managed by LDAP
+    //Grant user access to their own hpccinternal::<user> scope, deny if anything else
+    if(startsWithIgnoreCase(filescope, m_hpccInternalScope.str()))
+    {
+        StringBuffer userName;
+        for (const char * p = &filescope[m_hpccInternalScope.length()]; *p && *p != ':'; p++)//extract scope username
+            userName.append(*p);
+        if(strieq(userName.str(), user.getName()))
+            return SecAccess_Full;
+        PROGLOG("Access denied to scope %s for user %s", filescope, user.getName());
+        return SecAccess_None;
+    }
+
     StringBuffer managedFilescope;
     if(m_permissionsCache->isCacheEnabled() && !m_usercache_off)
     {
@@ -1510,25 +1525,6 @@ bool CLdapSecManager::getUserInfo(ISecUser& user, const char* infotype)
     return m_ldap_client->getUserInfo(user, infotype);
 }
 
-bool CLdapSecManager::createUserScopes(IEspSecureContext* secureContext)
-{
-    Owned<ISecUserIterator> it = getAllUsers(secureContext);
-    it->first();
-    bool rc = true;
-    while(it->isValid())
-    {
-        ISecUser &user = it->get();
-        if (!m_ldap_client->createUserScope(user))
-        {
-            PROGLOG("CLdapSecManager::createUserScopes Error creating user scope for user '%s'", user.getName());
-            rc = false;
-        }
-        it->next();
-    }
-    return rc;
-}
-
-
 aindex_t CLdapSecManager::getManagedScopeTree(SecResourceType rtype, const char * basedn, IArrayOf<ISecResource>& scopes, IEspSecureContext* secureContext)
 {
     return m_ldap_client->getManagedScopeTree(nullptr, rtype, basedn, scopes);

system/security/LdapSecurity/ldapsecurity.ipp

@@ -321,6 +321,7 @@ private:
     bool m_checkViewPermissions;
     static const SecFeatureSet s_safeFeatures = SMF_ALL_FEATURES;
     static const SecFeatureSet s_implementedFeatures = s_safeFeatures & ~(SMF_RetrieveUserData | SMF_RemoveResources);
+    StringBuffer m_hpccInternalScope;
 
 public:
     IMPLEMENT_IINTERFACE
@@ -434,7 +435,6 @@ public:
         return m_checkViewPermissions;
     }
 
-    bool createUserScopes(IEspSecureContext* secureContext = nullptr) override;
     aindex_t getManagedScopeTree(SecResourceType rtype, const char * basedn, IArrayOf<ISecResource>& scopes, IEspSecureContext* secureContext = nullptr) override;
     SecAccessFlags queryDefaultPermission(ISecUser& user, IEspSecureContext* secureContext = nullptr) override;
     bool clearPermissionsCache(ISecUser &user, IEspSecureContext* secureContext = nullptr) override;

system/security/shared/basesecurity.hpp

@@ -317,11 +317,6 @@ class CBaseSecurityManager : implements ISecManager, public CInterface
         throwUnexpected();
     }
 
-    bool createUserScopes(IEspSecureContext* secureContext = nullptr) override
-    {
-        throwUnexpected();
-    }
-
     aindex_t getManagedScopeTree(SecResourceType rtype, const char * basedn, IArrayOf<ISecResource>& scopes, IEspSecureContext* secureContext = nullptr) override
     {
         throwUnexpected();

system/security/shared/seclib.hpp

@@ -461,7 +461,7 @@ static const SecFeatureBit SMF_AuthorizeWorkUnitScope_List    = 0x0100000000;
 static const SecFeatureBit SMF_AuthorizeWorkUnitScope_Named   = 0x0200000000;
 static const SecFeatureBit SMF_GetDescription                 = 0x0400000000;
 static const SecFeatureBit SMF_GetPasswordExpirationDays      = 0x0800000000;
-static const SecFeatureBit SMF_CreateUserScopes               = 0x1000000000;
+//static const SecFeatureBit SMF_CreateUserScopes               = 0x1000000000;//feature removed in 9.x
 static const SecFeatureBit SMF_GetManagedScopeTree            = 0x2000000000;
 static const SecFeatureBit SMF_QueryDefaultPermission         = 0x4000000000;
 static const SecFeatureBit SMF_ClearPermissionsCache          = 0x8000000000;
@@ -511,7 +511,6 @@ interface ISecManager : extends ISecObject
     virtual bool authorizeWorkunitScope(ISecUser & user, ISecResourceList * resources, IEspSecureContext* secureContext = nullptr) = 0;
     virtual const char * getDescription() = 0;
     virtual unsigned getPasswordExpirationWarningDays(IEspSecureContext* secureContext = nullptr) = 0;
-    virtual bool createUserScopes(IEspSecureContext* secureContext = nullptr) = 0;
     virtual aindex_t getManagedScopeTree(SecResourceType rtype, const char * basedn, IArrayOf<ISecResource>& scopes, IEspSecureContext* secureContext = nullptr) = 0;
     virtual SecAccessFlags queryDefaultPermission(ISecUser& user, IEspSecureContext* secureContext = nullptr) = 0;
     virtual bool clearPermissionsCache(ISecUser & user, IEspSecureContext* secureContext = nullptr) = 0;

tools/CMakeLists.txt

@@ -19,7 +19,6 @@ HPCC_ADD_SUBDIRECTORY (esdlcmd-xml)
 HPCC_ADD_SUBDIRECTORY (esdlcmd)
 HPCC_ADD_SUBDIRECTORY (backupnode "PLATFORM")
 IF (USE_OPENLDAP)
-HPCC_ADD_SUBDIRECTORY (addScopes "PLATFORM")
 HPCC_ADD_SUBDIRECTORY (initldap "PLATFORM")
 ENDIF(USE_OPENLDAP)
 HPCC_ADD_SUBDIRECTORY (combine "PLATFORM")