HPCC-31574 Add option in Dali LDAP support to ignore default file user

Added option to disable use of default user. Deny access if no user provided and default user is not defined. Do not automatically set user to authenticated. Signed-Off-By: Kenneth Rowland [email protected]
hpcc-systems · Apr 11, 2024 · 436bad2 · 436bad2
1 parent 0c66669
commit 436bad2
Showing 1 changed file with 17 additions and 8 deletions.
diff --git a/dali/server/daldap.cpp b/dali/server/daldap.cpp
@@ -54,6 +54,7 @@ class CDaliLdapConnection: implements IDaliLdapConnection, public CInterface
     Owned<ISecManager>      ldapsecurity;
     StringAttr              filesdefaultuser;
     StringAttr              filesdefaultpassword;
+    bool                    disableFilesDefaultUser;
     unsigned                ldapflags;
     IDigitalSignatureManager * pDSM = nullptr;
 
@@ -82,6 +83,7 @@ class CDaliLdapConnection: implements IDaliLdapConnection, public CInterface
             {
                 filesdefaultuser.set(ldapprops->queryProp("@filesDefaultUser"));
                 filesdefaultpassword.set(ldapprops->queryProp("@filesDefaultPassword"));
+                disableFilesDefaultUser = ldapprops->getPropBool("@disableDefaultUser", false);
 
                 try {
                     ignoreSigPipe(); // LDAP can generate
@@ -115,29 +117,36 @@ class CDaliLdapConnection: implements IDaliLdapConnection, public CInterface
             return SecAccess_Full;
 
 
+        Owned<ISecUser> user;
         StringBuffer username;
         StringBuffer password;
         if (udesc)
         {
             udesc->getUserName(username);
             udesc->getPassword(password);
+            user.setown(ldapsecurity->createUser(username));
+            user->setAuthenticateStatus(AS_AUTHENTICATED);  // treat caller passing user as trusted
         }
         else
         {
             DBGLOG("NULL UserDescriptor in daldap.cpp getPermissions('%s')", key);
-        }
+            logNullUser(nullptr);
+
+            // If no user was provided, try to use the default user
+            if (disableFilesDefaultUser || filesdefaultuser.isEmpty())
+            {
+                OWARNLOG("Default user missing or disabled, access denied for request %s %s", key, nullText(obj));
+                return SecAccess_None; // no access if no default user or disabled
+            }
 
-        if (0 == username.length())
-        {
             username.append(filesdefaultuser);
             decrypt(password, filesdefaultpassword);
-            OWARNLOG("Missing credentials, injecting deprecated filesdefaultuser for request %s %s", key, nullText(obj));
-            logNullUser(nullptr);
+            OWARNLOG("Missing credentials, injecting deprecated filesdefaultuser (%s) for request %s %s", filesdefaultuser.str(), key,
+                     nullText(obj));
+            user.setown(ldapsecurity->createUser(username));
+            user->credentials().setPassword(password);  // Force authentication of default user when used
         }
 
-        Owned<ISecUser> user = ldapsecurity->createUser(username);
-        user->setAuthenticateStatus(AS_AUTHENTICATED);
-
         SecAccessFlags perm = SecAccess_None;
         unsigned start = msTick();
         if (filescope)