Merge pull request #18503 from kenrowland/HPCC-31574

HPCC-31574 Add option in Dali LDAP support to ignore default file user Reviewed-by: Jake Smith <[email protected]> Reviewed-by: Gavin Halliday <[email protected]> Merged-by: Gavin Halliday <[email protected]>
hpcc-systems · Apr 18, 2024 · 21ba84c · 21ba84c
2 parents b2854f2 + 436bad2
commit 21ba84c
Showing 1 changed file with 17 additions and 8 deletions.
diff --git a/dali/server/daldap.cpp b/dali/server/daldap.cpp
@@ -54,6 +54,7 @@ class CDaliLdapConnection: implements IDaliLdapConnection, public CInterface
     Owned<ISecManager>      ldapsecurity;
     StringAttr              filesdefaultuser;
     StringAttr              filesdefaultpassword;
+    bool                    disableFilesDefaultUser;
     unsigned                ldapflags;
     IDigitalSignatureManager * pDSM = nullptr;
 
@@ -82,6 +83,7 @@ class CDaliLdapConnection: implements IDaliLdapConnection, public CInterface
             {
                 filesdefaultuser.set(ldapprops->queryProp("@filesDefaultUser"));
                 filesdefaultpassword.set(ldapprops->queryProp("@filesDefaultPassword"));
+                disableFilesDefaultUser = ldapprops->getPropBool("@disableDefaultUser", false);
 
                 try {
                     ignoreSigPipe(); // LDAP can generate
@@ -115,29 +117,36 @@ class CDaliLdapConnection: implements IDaliLdapConnection, public CInterface
             return SecAccess_Full;
 
 
+        Owned<ISecUser> user;
         StringBuffer username;
         StringBuffer password;
         if (udesc)
         {
             udesc->getUserName(username);
             udesc->getPassword(password);
+            user.setown(ldapsecurity->createUser(username));
+            user->setAuthenticateStatus(AS_AUTHENTICATED);  // treat caller passing user as trusted
         }
         else
         {
             DBGLOG("NULL UserDescriptor in daldap.cpp getPermissions('%s')", key);
-        }
+            logNullUser(nullptr);
+
+            // If no user was provided, try to use the default user
+            if (disableFilesDefaultUser || filesdefaultuser.isEmpty())
+            {
+                OWARNLOG("Default user missing or disabled, access denied for request %s %s", key, nullText(obj));
+                return SecAccess_None; // no access if no default user or disabled
+            }
 
-        if (0 == username.length())
-        {
             username.append(filesdefaultuser);
             decrypt(password, filesdefaultpassword);
-            OWARNLOG("Missing credentials, injecting deprecated filesdefaultuser for request %s %s", key, nullText(obj));
-            logNullUser(nullptr);
+            OWARNLOG("Missing credentials, injecting deprecated filesdefaultuser (%s) for request %s %s", filesdefaultuser.str(), key,
+                     nullText(obj));
+            user.setown(ldapsecurity->createUser(username));
+            user->credentials().setPassword(password);  // Force authentication of default user when used
         }
 
-        Owned<ISecUser> user = ldapsecurity->createUser(username);
-        user->setAuthenticateStatus(AS_AUTHENTICATED);
-
         SecAccessFlags perm = SecAccess_None;
         unsigned start = msTick();
         if (filescope)