From 177504ed91295db144d573213917cfd041d5d02e Mon Sep 17 00:00:00 2001 From: Russ Whitehead Date: Tue, 15 Aug 2023 16:46:05 -0400 Subject: [PATCH] HPCC-30058 Handling of missing HPCCInternal:: scope Remove LDAP check for HpccInternal scopes. Instead, check with code that the requested username in scope (HpccInternal::) matches the username provided in the request. Users to be granted access to their scope and subscopes, anything else to be denied. Remove code to create HpccInteral root scope, and HpccInternal:: scopes, since these are no longer needed Also, remove the addScopes tool since, this is no longer needed Signed-off-by: Russ Whitehead --- dali/server/daldap.cpp | 18 --- .../security/LdapSecurity/ldapconnection.cpp | 27 ----- .../security/LdapSecurity/ldapconnection.hpp | 1 - system/security/LdapSecurity/ldapsecurity.cpp | 34 +++--- system/security/LdapSecurity/ldapsecurity.ipp | 2 +- system/security/shared/basesecurity.hpp | 5 - system/security/shared/seclib.hpp | 3 +- tools/CMakeLists.txt | 1 - tools/addScopes/CMakeLists.txt | 55 --------- tools/addScopes/addScopes.cpp | 108 ------------------ tools/addScopes/sourcedoc.xml | 26 ----- 11 files changed, 17 insertions(+), 263 deletions(-) delete mode 100644 tools/addScopes/CMakeLists.txt delete mode 100644 tools/addScopes/addScopes.cpp delete mode 100644 tools/addScopes/sourcedoc.xml diff --git a/dali/server/daldap.cpp b/dali/server/daldap.cpp index c5c6a8f9584..90e97132297 100644 --- a/dali/server/daldap.cpp +++ b/dali/server/daldap.cpp 
@@ -57,23 +57,6 @@ class CDaliLdapConnection: implements IDaliLdapConnection, public CInterface unsigned ldapflags; IDigitalSignatureManager * pDSM = nullptr; - void createDefaultScopes() - { - try { - Owned user = ldapsecurity->createUser(nullptr); - StringBuffer userTempFileScope(queryDfsXmlBranchName(DXB_Internal)); - if (ldapsecurity->addResourceEx(RT_FILE_SCOPE, *user, userTempFileScope.str(),PT_ADMINISTRATORS_ONLY, NULL)) - PROGLOG("LDAP: Created default '%s' scope", userTempFileScope.str()); - else - throw MakeStringException(-1, "Error adding LDAP resource '%s'",userTempFileScope.str()); - } - catch (IException *e) { - EXCLOG(e,"LDAP createDefaultScopes"); - throw; - } - } - - public: IMPLEMENT_IINTERFACE; @@ -113,7 +96,6 @@ class CDaliLdapConnection: implements IDaliLdapConnection, public CInterface EXCLOG(e,"LDAP server"); throw; } - createDefaultScopes(); } } } diff --git a/system/security/LdapSecurity/ldapconnection.cpp b/system/security/LdapSecurity/ldapconnection.cpp index 2f12fa5f48b..9b44281f289 100644 --- a/system/security/LdapSecurity/ldapconnection.cpp +++ b/system/security/LdapSecurity/ldapconnection.cpp @@ -4276,12 +4276,6 @@ class CLdapClient : implements ILdapClient, public CInterface continue; changeUserGroup("delete", username, grp); } - - //Remove tempfile scope for this user - StringBuffer resName(queryDfsXmlBranchName(DXB_Internal)); - resName.append("::").append(username); - deleteResource(RT_FILE_SCOPE, resName.str(), m_ldapconfig->getResourceBasedn(RT_FILE_SCOPE)); - return true; } 
@@ -6299,30 +6293,9 @@ class CLdapClient : implements ILdapClient, public CInterface throw; } } - - //Add tempfile scope for this user (spill, paused and checkpoint - //will be created under this user specific scope) - StringBuffer resName(queryDfsXmlBranchName(DXB_Internal)); - resName.append("::").append(username); - Owned resource = new CLdapSecResource(resName.str()); - if (!addResource(RT_FILE_SCOPE, user, resource, PT_ADMINISTRATORS_AND_USER, m_ldapconfig->getResourceBasedn(RT_FILE_SCOPE))) - { - throw MakeStringException(-1, "Error adding temp file scope %s",resName.str()); - } - return true; } - bool createUserScope(ISecUser& user) - { - //Add tempfile scope for given user (spill, paused and checkpoint - //files will be created under this user specific scope) - StringBuffer resName(queryDfsXmlBranchName(DXB_Internal)); - resName.append("::").append(user.getName()); - Owned resource = new CLdapSecResource(resName.str()); - return addResource(RT_FILE_SCOPE, user, resource, PT_ADMINISTRATORS_AND_USER, m_ldapconfig->getResourceBasedn(RT_FILE_SCOPE)); - } - virtual aindex_t getManagedScopeTree(LDAP* ld, SecResourceType rtype, const char * basedn, IArrayOf& scopes) { Owned lconn; diff --git a/system/security/LdapSecurity/ldapconnection.hpp b/system/security/LdapSecurity/ldapconnection.hpp index ceb179a53ca..51d148e763d 100644 --- a/system/security/LdapSecurity/ldapconnection.hpp +++ b/system/security/LdapSecurity/ldapconnection.hpp @@ -318,7 +318,6 @@ interface ILdapClient : extends IInterface virtual int countResources(const char* basedn, const char* searchstr, int limit) = 0; virtual ILdapConfig* queryConfig() = 0; virtual const char* getPasswordStorageScheme() = 0; - virtual bool createUserScope(ISecUser& user) = 0; virtual aindex_t getManagedScopeTree(LDAP* ld, SecResourceType rtype, const char * basedn, IArrayOf& scopes) = 0; virtual SecAccessFlags queryDefaultPermission(ISecUser& user) = 0; 
diff --git a/system/security/LdapSecurity/ldapsecurity.cpp b/system/security/LdapSecurity/ldapsecurity.cpp index 96130a9b623..1827c6adc9d 100644 --- a/system/security/LdapSecurity/ldapsecurity.cpp +++ b/system/security/LdapSecurity/ldapsecurity.cpp @@ -22,6 +22,7 @@ #include "authmap.ipp" #include "digisign.hpp" #include "caching.hpp" +#include "dautils.hpp" using namespace cryptohelper; @@ -631,6 +632,7 @@ void CLdapSecManager::init(const char *serviceName, IPropertyTree* cfg) m_permissionsCache->setSecManager(this); m_passwordExpirationWarningDays = cfg->getPropInt(".//@passwordExpirationWarningDays", 10); //Default to 10 days m_checkViewPermissions = cfg->getPropBool(".//@checkViewPermissions", false); + m_hpccInternalScope.set(queryDfsXmlBranchName(DXB_Internal)).append("::");//HpccInternal:: }; @@ -1014,6 +1016,19 @@ SecAccessFlags CLdapSecManager::authorizeFileScope(ISecUser & user, const char * if(filescope == 0 || filescope[0] == '\0') return SecAccess_Full; + //Preprocess "HpccInternal::" scopes, since they are not managed by LDAP + //Grant user access to their own hpccinternal:: scope, deny if anything else + if(startsWithIgnoreCase(filescope, m_hpccInternalScope.str())) + { + StringBuffer userName; + for (const char * p = &filescope[m_hpccInternalScope.length()]; *p && *p != ':'; p++)//extract scope username + userName.append(*p); + if(strieq(userName.str(), user.getName())) + return SecAccess_Full; + PROGLOG("Access denied to scope %s for user %s", filescope, user.getName()); + return SecAccess_None; + } + StringBuffer managedFilescope; if(m_permissionsCache->isCacheEnabled() && !m_usercache_off) { 
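Review bot: An empty extracted user name still passes the ownership test in the new `authorizeFileScope` branch (hunk @@ -1014 of ldapsecurity.cpp): for a scope that is exactly the `HpccInternal::` prefix, or one like `HpccInternal::::x`, `userName` stays empty, so `strieq` grants `SecAccess_Full` whenever `user.getName()` is also empty, and dereferences a null pointer if `getName()` returns null. Guard both before comparing, e.g. `const char * requester = user.getName();` / `if (userName.length() && requester && *requester && strieq(userName.str(), requester))`, and the same null would otherwise reach the `%s` in the deny-path PROGLOG. The prefix is only filled in by `init()` (hunk @@ -631); if this method can be reached on a manager whose `init()` has not completed, `startsWithIgnoreCase` against an empty `m_hpccInternalScope` would presumably match every scope, so an assertion that it is non-empty here would make that failure visible. If a list-based authorizeFileScope overload exists that does not route through this function, it would still send `HpccInternal::` scopes to LDAP, where the scopes no longer exist. authorizeFileScope continues past the end of the hunk.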
@@ -1510,25 +1525,6 @@ bool CLdapSecManager::getUserInfo(ISecUser& user, const char* infotype) return m_ldap_client->getUserInfo(user, infotype); } -bool CLdapSecManager::createUserScopes(IEspSecureContext* secureContext) -{ - Owned it = getAllUsers(secureContext); - it->first(); - bool rc = true; - while(it->isValid()) - { - ISecUser &user = it->get(); - if (!m_ldap_client->createUserScope(user)) - { - PROGLOG("CLdapSecManager::createUserScopes Error creating user scope for user '%s'", user.getName()); - rc = false; - } - it->next(); - } - return rc; -} - - aindex_t CLdapSecManager::getManagedScopeTree(SecResourceType rtype, const char * basedn, IArrayOf& scopes, IEspSecureContext* secureContext) { return m_ldap_client->getManagedScopeTree(nullptr, rtype, basedn, scopes); diff --git a/system/security/LdapSecurity/ldapsecurity.ipp b/system/security/LdapSecurity/ldapsecurity.ipp index 6ee0bc1e7cd..fb84a7c5488 100644 --- a/system/security/LdapSecurity/ldapsecurity.ipp +++ b/system/security/LdapSecurity/ldapsecurity.ipp @@ -321,6 +321,7 @@ private: bool m_checkViewPermissions; static const SecFeatureSet s_safeFeatures = SMF_ALL_FEATURES; static const SecFeatureSet s_implementedFeatures = s_safeFeatures & ~(SMF_RetrieveUserData | SMF_RemoveResources); + StringBuffer m_hpccInternalScope; public: IMPLEMENT_IINTERFACE @@ -434,7 +435,6 @@ public: return m_checkViewPermissions; } - bool createUserScopes(IEspSecureContext* secureContext = nullptr) override; aindex_t getManagedScopeTree(SecResourceType rtype, const char * basedn, IArrayOf& scopes, IEspSecureContext* secureContext = nullptr) override; SecAccessFlags queryDefaultPermission(ISecUser& user, IEspSecureContext* secureContext = nullptr) override; bool clearPermissionsCache(ISecUser &user, IEspSecureContext* secureContext = nullptr) override; diff --git a/system/security/shared/basesecurity.hpp b/system/security/shared/basesecurity.hpp index 960718fb6e5..caa70397f6d 100644 
--- a/system/security/shared/basesecurity.hpp +++ b/system/security/shared/basesecurity.hpp @@ -317,11 +317,6 @@ class CBaseSecurityManager : implements ISecManager, public CInterface throwUnexpected(); } - bool createUserScopes(IEspSecureContext* secureContext = nullptr) override - { - throwUnexpected(); - } - aindex_t getManagedScopeTree(SecResourceType rtype, const char * basedn, IArrayOf& scopes, IEspSecureContext* secureContext = nullptr) override { throwUnexpected(); diff --git a/system/security/shared/seclib.hpp b/system/security/shared/seclib.hpp index ed190dd6bf4..d410f874f3a 100644 --- a/system/security/shared/seclib.hpp +++ b/system/security/shared/seclib.hpp @@ -461,7 +461,7 @@ static const SecFeatureBit SMF_AuthorizeWorkUnitScope_List = 0x0100000000; static const SecFeatureBit SMF_AuthorizeWorkUnitScope_Named = 0x0200000000; static const SecFeatureBit SMF_GetDescription = 0x0400000000; static const SecFeatureBit SMF_GetPasswordExpirationDays = 0x0800000000; -static const SecFeatureBit SMF_CreateUserScopes = 0x1000000000; +//static const SecFeatureBit SMF_CreateUserScopes = 0x1000000000;//feature removed in 9.x static const SecFeatureBit SMF_GetManagedScopeTree = 0x2000000000; static const SecFeatureBit SMF_QueryDefaultPermission = 0x4000000000; static const SecFeatureBit SMF_ClearPermissionsCache = 0x8000000000; 
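Review bot: The retired `SMF_CreateUserScopes` bit is left as commented-out code in seclib.hpp (hunk @@ -461) rather than removed; a plain comment reserving the value gives the same protection against reuse without dead code, e.g. `// 0x1000000000 was SMF_CreateUserScopes (removed in 9.x); keep reserved, do not reuse`. If `SMF_ALL_FEATURES` is composed from the individual feature bits rather than a blanket mask, check that it no longer includes this value, since `s_safeFeatures` in ldapsecurity.ipp is defined as `SMF_ALL_FEATURES` and would otherwise still advertise a feature that no longer exists.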
@@ -511,7 +511,6 @@ interface ISecManager : extends ISecObject virtual bool authorizeWorkunitScope(ISecUser & user, ISecResourceList * resources, IEspSecureContext* secureContext = nullptr) = 0; virtual const char * getDescription() = 0; virtual unsigned getPasswordExpirationWarningDays(IEspSecureContext* secureContext = nullptr) = 0; - virtual bool createUserScopes(IEspSecureContext* secureContext = nullptr) = 0; virtual aindex_t getManagedScopeTree(SecResourceType rtype, const char * basedn, IArrayOf& scopes, IEspSecureContext* secureContext = nullptr) = 0; virtual SecAccessFlags queryDefaultPermission(ISecUser& user, IEspSecureContext* secureContext = nullptr) = 0; virtual bool clearPermissionsCache(ISecUser & user, IEspSecureContext* secureContext = nullptr) = 0; diff --git a/tools/CMakeLists.txt b/tools/CMakeLists.txt index 71faad2a68e..22cefa9f137 100644 --- a/tools/CMakeLists.txt +++ b/tools/CMakeLists.txt @@ -19,7 +19,6 @@ HPCC_ADD_SUBDIRECTORY (esdlcmd-xml) HPCC_ADD_SUBDIRECTORY (esdlcmd) HPCC_ADD_SUBDIRECTORY (backupnode "PLATFORM") IF (USE_OPENLDAP) -HPCC_ADD_SUBDIRECTORY (addScopes "PLATFORM") HPCC_ADD_SUBDIRECTORY (initldap "PLATFORM") ENDIF(USE_OPENLDAP) HPCC_ADD_SUBDIRECTORY (combine "PLATFORM") diff --git a/tools/addScopes/CMakeLists.txt b/tools/addScopes/CMakeLists.txt deleted file mode 100644 index 6fb5c8b3d23..00000000000 --- a/tools/addScopes/CMakeLists.txt +++ /dev/null 
@@ -1,55 +0,0 @@ -################################################################################ -# HPCC SYSTEMS software Copyright (C) 2012 HPCC Systems®. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -################################################################################ - -# Component: addScopes - -##################################################### -# Description: -# ------------ -# Cmake Input File for addScopes -##################################################### - - -project( addScopes ) - -set ( SRCS - addScopes.cpp - ./../../system/security/LdapSecurity/ldaputils.cpp - ) - -include_directories ( - ./../../system/security/LdapSecurity - ./../../system/security/shared - ./../../system/jlib - ./../../system/include - ./../../dali/base - ./../../system/mp - ) - -ADD_DEFINITIONS( -D_CONSOLE ) - - -HPCC_ADD_EXECUTABLE ( addScopes ${SRCS} ) -install ( TARGETS addScopes RUNTIME DESTINATION ${EXEC_DIR} ) - - - -target_link_libraries ( addScopes - jlib - LdapSecurity - ) - - diff --git a/tools/addScopes/addScopes.cpp b/tools/addScopes/addScopes.cpp deleted file mode 100644 index bddc099ebbc..00000000000 --- a/tools/addScopes/addScopes.cpp +++ /dev/null 
@@ -1,108 +0,0 @@ -/*############################################################################## - - HPCC SYSTEMS software Copyright (C) 2012 HPCC Systems®. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -############################################################################## */ - -#include "seclib.hpp" -#include "ldapsecurity.hpp" -#include "jliball.hpp" -#include "dasess.hpp" - -#ifndef _WIN32 -#include -#endif - -int main(int argc, char* argv[]) -{ - if(argc < 2 || argc > 3) - { - printf("usage: addScopes daliconf.xml [-c]\n"); - printf("\n\tCreates all user-specific LDAP private file scopes 'hpccinternal::'\n\tand grants users access to their scope. The configuration file\n\tdaliconf.xml is the dali configuration file, typically\n\tfound in /var/lib/HPCCSystems/mydali\n\tSpecify -c to make changes immediately visible by clearing permission caches\n\n"); - return -1; - } - - InitModuleObjects(); - - try - { - Owned cfg = createPTreeFromXMLFile(argv[1]); - Owned seccfg = cfg->getPropTree(".//ldapSecurity"); - if(seccfg == NULL) - { - printf("ldapSecurity not found\n"); - return -1; - } -#ifdef _NO_LDAP - printf("System was built with _NO_LDAP\n"); - return -1; -#else - Owned secmgr = newLdapSecManager("addScopes", *LINK(seccfg)); - if(secmgr == NULL) - { - printf("Security manager can't be created\n"); - releaseAtoms(); - return -1; - } - bool ok = secmgr->createUserScopes(); - printf(ok ? 
"User scopes added\n" : "Some scopes not added\n"); - - //Clear permission caches? - if (argc == 3 && 0==stricmp(argv[2], "-c")) - { - //Clear ESP Cache - StringBuffer sysuser; - StringBuffer passbuf; - seccfg->getProp(".//@systemUser", sysuser); - seccfg->getProp(".//@systemPassword", passbuf); - - if (0 == sysuser.length()) - { - printf("Error in configuration file %s - systemUser not specified", argv[1]); - releaseAtoms(); - return -1; - } - - if (0 == passbuf.length()) - { - printf("Error in configuration file %s - systemPassword not specified", argv[1]); - releaseAtoms(); - return -1; - } - - StringBuffer decPwd; - decrypt(decPwd, passbuf.str()); - - //Clear Dali cache - Owned userdesc(createUserDescriptor()); - userdesc->set(sysuser, decPwd); - ok = querySessionManager().clearPermissionsCache(userdesc); - printf(ok ? "Dali Cache cleared\n" : "Error clearing Dali Cache\n"); - } -#endif - } - catch(IException* e) - { - StringBuffer errmsg; - e->errorMessage(errmsg); - printf("%s\n", errmsg.str()); - } - catch(...) - { - printf("Unknown exception\n"); - } - - releaseAtoms(); - return 0; -} diff --git a/tools/addScopes/sourcedoc.xml b/tools/addScopes/sourcedoc.xml deleted file mode 100644 index 59994d81c14..00000000000 --- a/tools/addScopes/sourcedoc.xml +++ /dev/null @@ -1,26 +0,0 @@ - - - -
- tools/addScopes - - - The tools/addScopes directory contains the sources for the tools/addScopes tool. - -