From a0ec19c547e43f0561eb6aabd7753c4019ecb078 Mon Sep 17 00:00:00 2001
From: Tim Klemm
Date: Fri, 8 Nov 2024 06:10:21 -0500
Subject: [PATCH] HPCC-32711 Define LDAP security manager abstraction

Replace platform references to CLdapSecManager with references to the ILdapSecManager abstraction.

Signed-off-by: Tim Klemm
---
 dali/server/daldap.cpp | 2 +-
 esp/platform/espcontext.cpp | 2 +-
 .../espcontrol/ws_espcontrolservice.cpp | 12 +-
 .../ldapenvironmentService.hpp | 4 +-
 esp/services/ws_access/ws_accessService.cpp | 126 +++++++--------
 esp/services/ws_access/ws_accessService.hpp | 20 +--
 esp/services/ws_account/ws_accountService.cpp | 4 +-
 esp/services/ws_smc/ws_smcService.cpp | 4 +-
 .../ws_workunits/ws_workunitsHelpers.cpp | 2 +-
 system/security/LdapSecurity/ldapsecurity.ipp | 151 ++++++++++++------
 tools/initldap/initldap.cpp | 4 +-
 11 files changed, 194 insertions(+), 137 deletions(-)

diff --git a/dali/server/daldap.cpp b/dali/server/daldap.cpp
index 267eaf4f6dd..71e9ad0c72f 100644
--- a/dali/server/daldap.cpp
+++ b/dali/server/daldap.cpp
@@ -229,7 +229,7 @@ class CDaliLdapConnection: implements IDaliLdapConnection, public CInterface
 if (!authenticated)
 {
- CLdapSecManager* ldapSecMgr = dynamic_cast(ldapsecurity.get());
+ ILdapSecManager* ldapSecMgr = dynamic_cast(ldapsecurity.get());
 if (!ldapSecMgr || !ldapSecMgr->isSuperUser(user))
 {
 DBGLOG("LDAP: EnableScopeScans caller %s must be an LDAP HPCC Admin", username.str());
diff --git a/esp/platform/espcontext.cpp b/esp/platform/espcontext.cpp
index e5016f6506e..08ce40f30e8 100755
--- a/esp/platform/espcontext.cpp
+++ b/esp/platform/espcontext.cpp
@@ -456,7 +456,7 @@ class CEspContext : public CInterface, implements IEspContext
 virtual void ensureSuperUser(unsigned excCode, const char* excMsg)
 {
 #ifdef _USE_OPENLDAP
- CLdapSecManager* secmgr = dynamic_cast(m_secmgr.get());
+ ILdapSecManager* secmgr = dynamic_cast(m_secmgr.get());
 if (secmgr && !secmgr->isSuperUser(m_user.get()))
 {
 setAuthStatus(AUTH_STATUS_NOACCESS);
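Review bot: In ensureSuperUser the new `ILdapSecManager* secmgr = dynamic_cast(m_secmgr.get());` is followed by `if (secmgr && !secmgr->isSuperUser(m_user.get()))`, so a null cast result (no manager, or a non-LDAP one) passes the superuser check silently, whereas the daldap.cpp hunk in this same commit fails closed with `if (!ldapSecMgr || !ldapSecMgr->isSuperUser(user))`. The six ws_espcontrolservice.cpp hunks that follow have the same `secmgr && !secmgr->isSuperUser(...)` shape. If skipping the check is intended because a non-LDAP manager has no superuser concept, a one-line comment above the condition, `// No LDAP manager: there is no superuser concept, so the check is skipped by design`, would stop the next reader from treating it as a bug; otherwise the condition should match daldap.cpp. ensureSuperUser's body continues outside the hunk.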
diff --git a/esp/services/espcontrol/ws_espcontrolservice.cpp b/esp/services/espcontrol/ws_espcontrolservice.cpp
index 96148e528df..3ea98ea082b 100644
--- a/esp/services/espcontrol/ws_espcontrolservice.cpp
+++ b/esp/services/espcontrol/ws_espcontrolservice.cpp
@@ -189,7 +189,7 @@ bool CWSESPControlEx::onSetLogging(IEspContext& context, IEspSetLoggingRequest&
 try
 {
 #ifdef _USE_OPENLDAP
- CLdapSecManager* secmgr = dynamic_cast(context.querySecManager());
+ ILdapSecManager* secmgr = dynamic_cast(context.querySecManager());
 if(secmgr && !secmgr->isSuperUser(context.queryUser()))
 {
 context.setAuthStatus(AUTH_STATUS_NOACCESS);
@@ -220,7 +220,7 @@ bool CWSESPControlEx::onGetLoggingSettings(IEspContext& context, IEspGetLoggingS
 try
 {
 #ifdef _USE_OPENLDAP
- CLdapSecManager* secmgr = dynamic_cast(context.querySecManager());
+ ILdapSecManager* secmgr = dynamic_cast(context.querySecManager());
 if(secmgr && !secmgr->isSuperUser(context.queryUser()))
 {
 context.setAuthStatus(AUTH_STATUS_NOACCESS);
@@ -264,7 +264,7 @@ bool CWSESPControlEx::onSessionQuery(IEspContext& context, IEspSessionQueryReque
 try
 {
 #ifdef _USE_OPENLDAP
- CLdapSecManager* secmgr = dynamic_cast(context.querySecManager());
+ ILdapSecManager* secmgr = dynamic_cast(context.querySecManager());
 if(secmgr && !secmgr->isSuperUser(context.queryUser()))
 {
 context.setAuthStatus(AUTH_STATUS_NOACCESS);
@@ -305,7 +305,7 @@ bool CWSESPControlEx::onSessionInfo(IEspContext& context, IEspSessionInfoRequest
 try
 {
 #ifdef _USE_OPENLDAP
- CLdapSecManager* secmgr = dynamic_cast(context.querySecManager());
+ ILdapSecManager* secmgr = dynamic_cast(context.querySecManager());
 if(secmgr && !secmgr->isSuperUser(context.queryUser()))
 {
 context.setAuthStatus(AUTH_STATUS_NOACCESS);
@@ -349,7 +349,7 @@ bool CWSESPControlEx::onCleanSession(IEspContext& context, IEspCleanSessionReque
 try
 {
 #ifdef _USE_OPENLDAP
- CLdapSecManager* secmgr = dynamic_cast(context.querySecManager());
+ ILdapSecManager* secmgr = dynamic_cast(context.querySecManager());
 if(secmgr && !secmgr->isSuperUser(context.queryUser()))
 {
 context.setAuthStatus(AUTH_STATUS_NOACCESS);
@@ -384,7 +384,7 @@ bool CWSESPControlEx::onSetSessionTimeout(IEspContext& context, IEspSetSessionTi
 try
 {
 #ifdef _USE_OPENLDAP
- CLdapSecManager* secmgr = dynamic_cast(context.querySecManager());
+ ILdapSecManager* secmgr = dynamic_cast(context.querySecManager());
 if(secmgr && !secmgr->isSuperUser(context.queryUser()))
 {
 context.setAuthStatus(AUTH_STATUS_NOACCESS);
diff --git a/esp/services/ldapenvironment/ldapenvironmentService.hpp b/esp/services/ldapenvironment/ldapenvironmentService.hpp
index 56d61cfaeb8..40a354ac8c6 100644
--- a/esp/services/ldapenvironment/ldapenvironmentService.hpp
+++ b/esp/services/ldapenvironment/ldapenvironmentService.hpp
@@ -22,7 +22,7 @@ class CldapenvironmentEx : public Cldapenvironment //base class name built from
 {
 private:
 IPropertyTree * cfg;
- CLdapSecManager* secmgr = nullptr;
+ ILdapSecManager* secmgr = nullptr;
 StringBuffer ldapRootOU;
 StringBuffer sharedFilesBaseDN;
 StringBuffer sharedGroupsBaseDN;
@@ -52,7 +52,7 @@ class CldapenvironmentEx : public Cldapenvironment //base class name built from
 virtual void init(IPropertyTree *_cfg, const char *_process, const char *_service);
 bool onLDAPQueryDefaults(IEspContext &context, IEspLDAPQueryDefaultsRequest &req, IEspLDAPQueryDefaultsResponse &resp);
 bool onLDAPCreateEnvironment(IEspContext &context, IEspLDAPCreateEnvironmentRequest &req, IEspLDAPCreateEnvironmentResponse &resp);
- void setSecMgr( ISecManager*sm) { secmgr = dynamic_cast(sm); }
+ void setSecMgr( ISecManager*sm) { secmgr = dynamic_cast(sm); }
 };
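Review bot: `setSecMgr` stores the result of `dynamic_cast(sm)` without checking it, so a null or non-LDAP manager leaves `secmgr` at nullptr with no diagnostic, and the failure only surfaces wherever `secmgr` is next dereferenced. ws_accessService.cpp in this same commit throws `ECLWATCH_INVALID_SEC_MANAGER` when `querySecMgrType() != SMT_LDAP`; presumably the same check here would report the misconfiguration at setup time rather than on the first request. At minimum a comment on the member in the first hunk, `// Non-owning; remains nullptr when the configured security manager is not LDAP`, would document the contract. The class body continues outside both hunks.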
diff --git a/esp/services/ws_access/ws_accessService.cpp b/esp/services/ws_access/ws_accessService.cpp
index 50f56575ad4..15de103690e 100644
--- a/esp/services/ws_access/ws_accessService.cpp
+++ b/esp/services/ws_access/ws_accessService.cpp
@@ -53,7 +53,7 @@ SecResourceType str2RType(const char* str)
 return RT_DEFAULT;
 }
-void Cws_accessEx::checkUser(IEspContext& context, CLdapSecManager* secmgr, const char* rtype, const char* rtitle, unsigned int SecAccessFlags)
+void Cws_accessEx::checkUser(IEspContext& context, ILdapSecManager* secmgr, const char* rtype, const char* rtitle, unsigned int SecAccessFlags)
 {
 if (secmgr == nullptr)
 secmgr = queryLDAPSecurityManager(context, true);
@@ -75,9 +75,9 @@ void Cws_accessEx::checkUser(IEspContext& context, CLdapSecManager* secmgr, cons
 }
 }
-CLdapSecManager* Cws_accessEx::queryLDAPSecurityManagerAndCheckUser(IEspContext& context, const char* rtype, const char* rtitle, unsigned int SecAccessFlags)
+ILdapSecManager* Cws_accessEx::queryLDAPSecurityManagerAndCheckUser(IEspContext& context, const char* rtype, const char* rtitle, unsigned int SecAccessFlags)
 {
- CLdapSecManager* ldapSecMgr = queryLDAPSecurityManager(context, true);
+ ILdapSecManager* ldapSecMgr = queryLDAPSecurityManager(context, true);
 checkUser(context, ldapSecMgr, rtype, rtitle, SecAccessFlags);
 return ldapSecMgr;
 }
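Review bot: `checkUser` accepts a null `secmgr` and then resolves it with `queryLDAPSecurityManager(context, true)`, but neither the definition here nor the declaration in ws_accessService.hpp says so; a comment on the definition, `// secmgr may be nullptr, in which case the context's LDAP manager is used (throws if there is none)`, would capture the contract. The last parameter is named `SecAccessFlags`, which is also the name of the HPCC access-flags type, so the type name is shadowed inside the body; `unsigned int requiredAccess` reads more clearly and changes no caller. `queryLDAPSecurityManagerAndCheckUser` in the second hunk repeats the same parameter name. checkUser's body continues outside the first hunk.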
@@ -213,13 +213,13 @@ void Cws_accessEx::init(IPropertyTree *cfg, const char *process, const char *ser
 setMaxPageCacheItems(cfg->getPropInt(xpath.str()));
 }
-CLdapSecManager* Cws_accessEx::queryLDAPSecurityManager(IEspContext &context, bool excpt)
+ILdapSecManager* Cws_accessEx::queryLDAPSecurityManager(IEspContext &context, bool excpt)
 {
 ISecManager* secMgr = context.querySecManager();
 if(secMgr && secMgr->querySecMgrType() != SMT_LDAP)
 throw makeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_ISNT_LDAP);
- CLdapSecManager* ldapSecMgr = dynamic_cast(secMgr);
+ ILdapSecManager* ldapSecMgr = dynamic_cast(secMgr);
 if (!ldapSecMgr && excpt)
 throw makeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_IS_NULL);
@@ -266,7 +266,7 @@ void Cws_accessEx::getBasednReq(IEspContext &context, const char* name, const ch
 void Cws_accessEx::setBasedns(IEspContext &context)
 {
- CLdapSecManager* secmgr = queryLDAPSecurityManager(context, true);
+ ILdapSecManager* secmgr = queryLDAPSecurityManager(context, true);
 CriticalBlock b(basednsCrit);
 if (m_basedns.length() > 0)
@@ -312,7 +312,7 @@ void Cws_accessEx::setBasedns(IEspContext &context)
 //Parse a filescope "name" spec (fs1::fs2::fs3) and populate the "newResources" array with each sub filespec (fs1, fs1::fs2, fs1::fs2::fs3).
 //If any of the sub filespecs exist, return the deepest one as "existingResource", and remove it from the "newResources" array
-bool Cws_accessEx::getNewFileScopeNames(CLdapSecManager* secmgr, const char* name, IEspDnStruct* basednReq, StringBuffer& existingResource, StringArray& newResources)
+bool Cws_accessEx::getNewFileScopeNames(ILdapSecManager* secmgr, const char* name, IEspDnStruct* basednReq, StringBuffer& existingResource, StringArray& newResources)
 {
 if (!secmgr)
 return false;
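Review bot: In `queryLDAPSecurityManager`, a manager that reports `SMT_LDAP` but fails the `dynamic_cast` to `ILdapSecManager` is now an internal inconsistency rather than a configuration choice, yet with `excpt == false` it is returned as nullptr, which callers such as `onUserQuery` and `onGroupQuery` later in this file turn into `resp.setNoSecMngr(true)`, i.e. reported to the client as "no security manager configured". Consider throwing whenever `secMgr` is non-null but the cast fails, and letting `excpt` govern only the genuinely-absent case: `if (secMgr && !ldapSecMgr) throw makeStringException(ECLWATCH_INVALID_SEC_MANAGER, MSG_SEC_MANAGER_ISNT_LDAP);` placed before the existing `if (!ldapSecMgr && excpt)`. The function's body continues outside the hunk.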
@@ -394,7 +394,7 @@ void Cws_accessEx::addAFileScope(const char* scope, StringBuffer& newFileScope,
 fileScopes.add(newFileScope, 0);
 }
-bool Cws_accessEx::setNewFileScopePermissions(CLdapSecManager* secmgr, IEspDnStruct* basednReq, StringBuffer& existingResource, StringArray& newResources)
+bool Cws_accessEx::setNewFileScopePermissions(ILdapSecManager* secmgr, IEspDnStruct* basednReq, StringBuffer& existingResource, StringArray& newResources)
 {
 if (!secmgr || !newResources.ordinality())
 {
@@ -471,7 +471,7 @@ bool Cws_accessEx::onUsers(IEspContext &context, IEspUserRequest &req, IEspUserR
 {
 try
 {
- CLdapSecManager* secmgr = queryLDAPSecurityManager(context, false);
+ ILdapSecManager* secmgr = queryLDAPSecurityManager(context, false);
 double version = context.getClientVersion();
 if (version > 1.03)
@@ -577,7 +577,7 @@ bool Cws_accessEx::onUserQuery(IEspContext &context, IEspUserQueryRequest &req,
 {
 try
 {
- CLdapSecManager* secmgr = queryLDAPSecurityManager(context, false);
+ ILdapSecManager* secmgr = queryLDAPSecurityManager(context, false);
 if(!secmgr)
 {
 resp.setNoSecMngr(true);
@@ -662,7 +662,7 @@ bool Cws_accessEx::onUserEdit(IEspContext &context, IEspUserEditRequest &req, IE
 {
 try
 {
- CLdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
+ ILdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
 resp.setUsername(req.getUsername());
 double version = context.getClientVersion();
@@ -695,7 +695,7 @@ bool Cws_accessEx::onUserGroupEditInput(IEspContext &context, IEspUserGroupEditI
 {
 try
 {
- CLdapSecManager* ldapsecmgr = queryLDAPSecurityManagerAndCheckUser(context);
+ ILdapSecManager* ldapsecmgr = queryLDAPSecurityManagerAndCheckUser(context);
 resp.setUsername(req.getUsername());
 std::set ogrps;
@@ -745,7 +745,7 @@ bool Cws_accessEx::onUserGroupEdit(IEspContext &context, IEspUserGroupEditReques
 {
 try
 {
- CLdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
+ ILdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
 const char* username = req.getUsername();
 if(username == NULL || *username == '\0')
@@ -796,7 +796,7 @@ bool Cws_accessEx::onGroups(IEspContext &context, IEspGroupRequest &req, IEspGro
 {
 try
 {
- CLdapSecManager* secmgr0 = queryLDAPSecurityManager(context, false);
+ ILdapSecManager* secmgr0 = queryLDAPSecurityManager(context, false);
 double version = context.getClientVersion();
 if (version > 1.03)
@@ -861,7 +861,7 @@ bool Cws_accessEx::onGroupQuery(IEspContext &context, IEspGroupQueryRequest &req
 {
 try
 {
- CLdapSecManager* secmgr = queryLDAPSecurityManager(context, false);
+ ILdapSecManager* secmgr = queryLDAPSecurityManager(context, false);
 if(!secmgr)
 {
 resp.setNoSecMngr(true);
@@ -930,7 +930,7 @@ bool Cws_accessEx::onAddUser(IEspContext &context, IEspAddUserRequest &req, IEsp
 {
 try
 {
- CLdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
+ ILdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
 const char* username = req.getUsername();
 if(username == NULL || *username == '\0')
@@ -1015,7 +1015,7 @@ bool Cws_accessEx::onUserAction(IEspContext &context, IEspUserActionRequest &req
 {
 try
 {
- CLdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
+ ILdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
 const char* action = req.getActionType();
 if (!action || !*action)
@@ -1060,7 +1060,7 @@ bool Cws_accessEx::onGroupAdd(IEspContext &context, IEspGroupAddRequest &req, IE
 {
 try
 {
- CLdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
+ ILdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
 const char* groupname = req.getGroupname();
@@ -1115,7 +1115,7 @@ bool Cws_accessEx::onGroupAction(IEspContext &context, IEspGroupActionRequest &r
 {
 try
 {
- CLdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
+ ILdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
 const char* action = req.getActionType();
 if (!action || !*action)
@@ -1333,7 +1333,7 @@ bool Cws_accessEx::onGroupEdit(IEspContext &context, IEspGroupEditRequest &req,
 {
 try
 {
- CLdapSecManager* ldapsecmgr = queryLDAPSecurityManagerAndCheckUser(context);
+ ILdapSecManager* ldapsecmgr = queryLDAPSecurityManagerAndCheckUser(context);
 resp.setGroupname(req.getGroupname());
@@ -1387,7 +1387,7 @@ bool Cws_accessEx::onGroupMemberQuery(IEspContext &context, IEspGroupMemberQuery
 {
 try
 {
- CLdapSecManager* secmgr = queryLDAPSecurityManager(context, false);
+ ILdapSecManager* secmgr = queryLDAPSecurityManager(context, false);
 if(!secmgr)
 {
 resp.setNoSecMngr(true);
@@ -1474,7 +1474,7 @@ bool Cws_accessEx::onGroupMemberEditInput(IEspContext &context, IEspGroupMemberE
 {
 try
 {
- CLdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
+ ILdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
 resp.setGroupname(req.getGroupname());
@@ -1535,7 +1535,7 @@ bool Cws_accessEx::onGroupMemberEdit(IEspContext &context, IEspGroupMemberEditRe
 {
 try
 {
- CLdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
+ ILdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
 const char* groupname = req.getGroupname();
 if(groupname == NULL || *groupname == '\0')
@@ -1613,7 +1613,7 @@ bool Cws_accessEx::onPermissions(IEspContext &context, IEspBasednsRequest &req,
 {
 try
 {
- CLdapSecManager* secmgr = queryLDAPSecurityManager(context, false);
+ ILdapSecManager* secmgr = queryLDAPSecurityManager(context, false);
 double version = context.getClientVersion();
 if (version > 1.03)
@@ -1649,7 +1649,7 @@ bool Cws_accessEx::onResources(IEspContext &context, IEspResourcesRequest &req,
 Owned basednReq = createDnStruct();
 getBasednReq(context, req.getBasednName(), req.getBasedn(), req.getRtype(), req.getRtitle(), basednReq);
- CLdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context, basednReq->getRtype(), basednReq->getRtitle(), SecAccess_Read);
+ ILdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context, basednReq->getRtype(), basednReq->getRtitle(), SecAccess_Read);
 double version = context.getClientVersion();
 const char* filterInput = req.getSearchinput();
@@ -1802,7 +1802,7 @@ bool Cws_accessEx::onResourceQuery(IEspContext &context, IEspResourceQueryReques
 {
 try
 {
- CLdapSecManager* secmgr = queryLDAPSecurityManager(context, false);
+ ILdapSecManager* secmgr = queryLDAPSecurityManager(context, false);
 if(!secmgr)
 {
 resp.setNoSecMngr(true);
@@ -1936,7 +1936,7 @@ bool Cws_accessEx::onResourceAdd(IEspContext &context, IEspResourceAddRequest &r
 Owned basednReq = createDnStruct();
 getBasednReq(context, req.getBasednName(), req.getBasedn(), req.getRtype(), req.getRtitle(), basednReq);
- CLdapSecManager *secmgr = queryLDAPSecurityManagerAndCheckUser(context, basednReq->getRtype(), basednReq->getRtitle(), SecAccess_Full);
+ ILdapSecManager *secmgr = queryLDAPSecurityManagerAndCheckUser(context, basednReq->getRtype(), basednReq->getRtitle(), SecAccess_Full);
 double version = context.getClientVersion();
 if (version < 1.14)
@@ -2047,7 +2047,7 @@ bool Cws_accessEx::onResourceDelete(IEspContext &context, IEspResourceDeleteRequ
 Owned basednReq = createDnStruct();
 getBasednReq(context, req.getBasednName(), req.getBasedn(), req.getRtype(), req.getRtitle(), basednReq);
- CLdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context, basednReq->getRtype(), basednReq->getRtitle(), SecAccess_Full);
+ ILdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context, basednReq->getRtype(), basednReq->getRtitle(), SecAccess_Full);
 StringArray& names = req.getNames();
@@ -2157,7 +2157,7 @@ bool Cws_accessEx::onResourcePermissions(IEspContext &context, IEspResourcePermi
 Owned basednReq = createDnStruct();
 getBasednReq(context, req.getBasednName(), req.getBasedn(), req.getRtype(), req.getRtitle(), basednReq);
- CLdapSecManager* ldapsecmgr = queryLDAPSecurityManagerAndCheckUser(context, basednReq->getRtype(), basednReq->getRtitle(), SecAccess_Read);
+ ILdapSecManager* ldapsecmgr = queryLDAPSecurityManagerAndCheckUser(context, basednReq->getRtype(), basednReq->getRtitle(), SecAccess_Read);
 double version = context.getClientVersion();
 SecResourceType rtype = str2type(basednReq->getRtype());
@@ -2217,7 +2217,7 @@ bool Cws_accessEx::onResourcePermissionQuery(IEspContext &context, IEspResourceP
 {
 try
 {
- CLdapSecManager* ldapSecMgr = queryLDAPSecurityManager(context, false);
+ ILdapSecManager* ldapSecMgr = queryLDAPSecurityManager(context, false);
 if(!ldapSecMgr)
 {
 resp.setNoSecMngr(true);
@@ -2283,7 +2283,7 @@ bool Cws_accessEx::onQueryViews(IEspContext &context, IEspQueryViewsRequest &req
 {
 try
 {
- CLdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
+ ILdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
 IArrayOf views;
 StringArray names, descriptions, viewManagedBy;
@@ -2312,7 +2312,7 @@ bool Cws_accessEx::onAddView(IEspContext &context, IEspAddViewRequest &req, IEsp
 {
 try
 {
- CLdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
+ ILdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
 const char* viewname = req.getViewname();
 const char* description = req.getDescription();
@@ -2333,7 +2333,7 @@ bool Cws_accessEx::onDeleteView(IEspContext &context, IEspDeleteViewRequest &req
 {
 try
 {
- CLdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
+ ILdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
 const char* viewname = req.getViewname();
 secmgr->deleteView(req.getViewname());
@@ -2352,7 +2352,7 @@ bool Cws_accessEx::onQueryViewColumns(IEspContext &context, IEspQueryViewColumns
 {
 try
 {
- CLdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
+ ILdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
 IArrayOf viewColumns;
 StringArray files, columns;
@@ -2385,7 +2385,7 @@ bool Cws_accessEx::onAddViewColumn(IEspContext &context, IEspAddViewColumnReques
 {
 try
 {
- CLdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
+ ILdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
 const char* filename = req.getFilename();
 const char* columnname = req.getColumnname();
@@ -2424,7 +2424,7 @@ bool Cws_accessEx::onDeleteViewColumn(IEspContext &context, IEspDeleteViewColumn
 {
 try
 {
- CLdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
+ ILdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
 StringArray files, columns;
@@ -2453,7 +2453,7 @@ bool Cws_accessEx::onQueryViewMembers(IEspContext &context, IEspQueryViewMembers
 {
 try
 {
- CLdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
+ ILdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
 const char* reqViewname = req.getViewname();
 StringArray users, groups;
@@ -2494,7 +2494,7 @@ bool Cws_accessEx::onAddViewMember(IEspContext &context, IEspAddViewMemberReques
 {
 try
 {
- CLdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
+ ILdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
 StringArray users, groups;
 const char* viewname = req.getViewname();
@@ -2532,7 +2532,7 @@ bool Cws_accessEx::onDeleteViewMember(IEspContext &context, IEspDeleteViewMember
 {
 try
 {
- CLdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
+ ILdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
 StringArray users, groups;
 const char* viewname = req.getViewname();
@@ -2570,7 +2570,7 @@ bool Cws_accessEx::onQueryUserViewColumns(IEspContext &context, IEspQueryUserVie
 {
 try
 {
- CLdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
+ ILdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
 const char* username = req.getUsername();
@@ -2614,7 +2614,7 @@ bool Cws_accessEx::onPermissionAddInput(IEspContext &context, IEspPermissionAddR
 {
 try
 {
- CLdapSecManager *secmgr = queryLDAPSecurityManagerAndCheckUser(context);
+ ILdapSecManager *secmgr = queryLDAPSecurityManagerAndCheckUser(context);
 resp.setBasedn(req.getBasedn());
 resp.setRname(req.getRname());
@@ -2653,7 +2653,7 @@ bool Cws_accessEx::onPermissionsResetInput(IEspContext &context, IEspPermissions
 {
 try
 {
- CLdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context, req.getRtype(), req.getRtitle(), SecAccess_Full);
+ ILdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context, req.getRtype(), req.getRtitle(), SecAccess_Full);
 resp.setBasedn(req.getBasedn());
 //resp.setRname(req.getRname());
@@ -2738,7 +2738,7 @@ bool Cws_accessEx::onPermissionsResetInput(IEspContext &context, IEspPermissions
 bool Cws_accessEx::onClearPermissionsCache(IEspContext &context, IEspClearPermissionsCacheRequest &req, IEspClearPermissionsCacheResponse &resp)
 {
- CLdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
+ ILdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
 //Clear local cache
 Owned user = secmgr->createUser(context.queryUserId(), context.querySecureContext());
@@ -2783,7 +2783,7 @@ bool Cws_accessEx::onQueryScopeScansEnabled(IEspContext &context, IEspQueryScope
 bool Cws_accessEx::onEnableScopeScans(IEspContext &context, IEspEnableScopeScansRequest &req, IEspEnableScopeScansResponse &resp)
 {
- CLdapSecManager *secmgr = queryLDAPSecurityManagerAndCheckUser(context, FILE_SCOPE_RTYPE, FILE_SCOPE_RTITLE, SecAccess_Full);
+ ILdapSecManager *secmgr = queryLDAPSecurityManagerAndCheckUser(context, FILE_SCOPE_RTYPE, FILE_SCOPE_RTITLE, SecAccess_Full);
 StringBuffer retMsg;
 int rc = enableDisableScopeScans(context, secmgr, true, retMsg);
@@ -2795,7 +2795,7 @@ bool Cws_accessEx::onEnableScopeScans(IEspContext &context, IEspEnableScopeScans
 bool Cws_accessEx::onDisableScopeScans(IEspContext &context, IEspDisableScopeScansRequest &req, IEspDisableScopeScansResponse &resp)
 {
- CLdapSecManager *secmgr = queryLDAPSecurityManagerAndCheckUser(context, FILE_SCOPE_RTYPE, FILE_SCOPE_RTITLE, SecAccess_Full);
+ ILdapSecManager *secmgr = queryLDAPSecurityManagerAndCheckUser(context, FILE_SCOPE_RTYPE, FILE_SCOPE_RTITLE, SecAccess_Full);
 StringBuffer retMsg;
 int rc = enableDisableScopeScans(context, secmgr, false, retMsg);
@@ -2805,7 +2805,7 @@ bool Cws_accessEx::onDisableScopeScans(IEspContext &context, IEspDisableScopeSca
 return true;
 }
-int Cws_accessEx::enableDisableScopeScans(IEspContext &context, CLdapSecManager *secmgr, bool doEnable, StringBuffer &retMsg)
+int Cws_accessEx::enableDisableScopeScans(IEspContext &context, ILdapSecManager *secmgr, bool doEnable, StringBuffer &retMsg)
 {
 Owned userdesc;
 userdesc.setown(createUserDescriptor());
@@ -2817,7 +2817,7 @@ int Cws_accessEx::enableDisableScopeScans(IEspContext &context, CLdapSecManager
 return retCode;
 }
-bool Cws_accessEx::permissionsReset(CLdapSecManager* ldapsecmgr, const char* basedn, const char* rtype0, const char* prefix,
+bool Cws_accessEx::permissionsReset(ILdapSecManager* ldapsecmgr, const char* basedn, const char* rtype0, const char* prefix,
 const char* resourceName, ACT_TYPE accountType, const char* accountName, bool allow_access, bool allow_read, bool allow_write, bool allow_full, bool deny_access, bool deny_read, bool deny_write, bool deny_full)
@@ -2871,7 +2871,7 @@ bool Cws_accessEx::onPermissionsReset(IEspContext &context, IEspPermissionsReset
 Owned basednReq = createDnStruct();
 getBasednReq(context, req.getBasednName(), req.getBasedn(), req.getRtype(), req.getRtitle(), basednReq);
- CLdapSecManager* ldapsecmgr = queryLDAPSecurityManagerAndCheckUser(context, basednReq->getRtype(), basednReq->getRtitle(), SecAccess_Full);
+ ILdapSecManager* ldapsecmgr = queryLDAPSecurityManagerAndCheckUser(context, basednReq->getRtype(), basednReq->getRtitle(), SecAccess_Full);
 double version = context.getClientVersion();
 if (version < 1.14)
@@ -2972,7 +2972,7 @@ bool Cws_accessEx::onPermissionsReset(IEspContext &context, IEspPermissionsReset
 }
 //For every resources inside a baseDN, if there is no permission for this account, add the baseDN name to the basednNames list
-void Cws_accessEx::getBaseDNsForAddingPermssionToAccount(CLdapSecManager* secmgr, const char* prefix, const char* accountName,
+void Cws_accessEx::getBaseDNsForAddingPermssionToAccount(ILdapSecManager* secmgr, const char* prefix, const char* accountName,
 int accountType, StringArray& basednNames)
 {
 if(secmgr == NULL)
@@ -3047,7 +3047,7 @@ void Cws_accessEx::getBaseDNsForAddingPermssionToAccount(CLdapSecManager* secmgr
 return;
 }
-bool Cws_accessEx::permissionAddInputOnResource(IEspContext &context, CLdapSecManager *secmgr, IEspPermissionAddRequest &req, IEspPermissionAddResponse &resp)
+bool Cws_accessEx::permissionAddInputOnResource(IEspContext &context, ILdapSecManager *secmgr, IEspPermissionAddRequest &req, IEspPermissionAddResponse &resp)
 {
 int numusers = secmgr->countUsers("", MAX_USERS_DISPLAY);
 if(numusers == -1)
@@ -3101,7 +3101,7 @@ bool Cws_accessEx::permissionAddInputOnResource(IEspContext &context, CLdapSecMa
 return true;
 }
-bool Cws_accessEx::permissionAddInputOnAccount(IEspContext &context, CLdapSecManager *secmgr, const char* accountName, IEspPermissionAddRequest &req, IEspPermissionAddResponse &resp)
+bool Cws_accessEx::permissionAddInputOnAccount(IEspContext &context, ILdapSecManager *secmgr, const char* accountName, IEspPermissionAddRequest &req, IEspPermissionAddResponse &resp)
 {
 double version = context.getClientVersion();
 if (version < 1.14)
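Review bot: `getBaseDNsForAddingPermssionToAccount` keeps its misspelled name ("Permssion") on both the definition here and the declaration in ws_accessService.hpp; since the commit already rewrites both signature lines, this is the cheapest moment to rename it `getBaseDNsForAddingPermissionToAccount` (it appears to be a class-internal helper, and no caller outside this file is visible on the page). The null guard two lines below the new signature reads `if(secmgr == NULL)` while `checkUser` in the same commit uses `secmgr == nullptr`; lines the commit touches should settle on `nullptr`. In the `permissionAddInputOnResource` hunk, `secmgr->countUsers(...)` is dereferenced with no guard, which is fine only because every visible caller obtains it via `queryLDAPSecurityManagerAndCheckUser`, and that precondition deserves a comment such as `// secmgr must be non-null; callers obtain it via queryLDAPSecurityManagerAndCheckUser`. All three functions continue outside their hunks.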
@@ -3206,7 +3206,7 @@ bool Cws_accessEx::onPermissionAction(IEspContext &context, IEspPermissionAction
 Owned basednReq = createDnStruct();
 getBasednReq(context, req.getBasednName(), req.getBasedn(), req.getRtype(), req.getRtitle(), basednReq);
- CLdapSecManager* ldapsecmgr = queryLDAPSecurityManagerAndCheckUser(context, basednReq->getRtype(), basednReq->getRtitle(), SecAccess_Full);
+ ILdapSecManager* ldapsecmgr = queryLDAPSecurityManagerAndCheckUser(context, basednReq->getRtype(), basednReq->getRtitle(), SecAccess_Full);
 double version = context.getClientVersion();
 if (version < 1.14)
@@ -3397,7 +3397,7 @@ bool Cws_accessEx::onUserResetPass(IEspContext &context, IEspUserResetPassReques
 {
 try
 {
- CLdapSecManager* ldapsecmgr = queryLDAPSecurityManagerAndCheckUser(context);
+ ILdapSecManager* ldapsecmgr = queryLDAPSecurityManagerAndCheckUser(context);
 resp.setUsername(req.getUsername());
 const char* username = req.getUsername();
@@ -3449,7 +3449,7 @@ bool Cws_accessEx::onUserPosix(IEspContext &context, IEspUserPosixRequest &req,
 {
 try
 {
- CLdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
+ ILdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
 const char* username = req.getUsername();
 if(username == NULL || *username == '\0')
@@ -3522,7 +3522,7 @@ bool Cws_accessEx::onUserPosixInput(IEspContext &context, IEspUserPosixInputRequ
 {
 try
 {
- CLdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
+ ILdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
 const char* username = req.getUsername();
 if(username == NULL || *username == '\0')
@@ -3557,7 +3557,7 @@ bool Cws_accessEx::onUserInfoEdit(IEspContext &context, IEspUserInfoEditRequest
 {
 try
 {
- CLdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
+ ILdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
 const char* username = req.getUsername();
 if(username == NULL || *username == '\0')
@@ -3618,7 +3618,7 @@ bool Cws_accessEx::onUserInfoEditInput(IEspContext &context, IEspUserInfoEditInp
 {
 try
 {
- CLdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
+ ILdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
 const char* username = req.getUsername();
 if(username == NULL || *username == '\0')
@@ -3687,7 +3687,7 @@ bool Cws_accessEx::onAccountPermissions(IEspContext &context, IEspAccountPermiss
 double version = context.getClientVersion();
- CLdapSecManager* ldapsecmgr = queryLDAPSecurityManager(context, true);
+ ILdapSecManager* ldapsecmgr = queryLDAPSecurityManager(context, true);
 bool bIncludeGroup = req.getIncludeGroup();
 setBasedns(context);
@@ -4033,7 +4033,7 @@ bool Cws_accessEx::onAccountPermissionsV2(IEspContext &context, IEspAccountPermi
 class CAccountPermissionsHelper : public CSimpleInterface
 {
 IEspContext *context = nullptr;
- CLdapSecManager *secMGR = nullptr;
+ ILdapSecManager *secMGR = nullptr;
 StringBuffer accountNameReq;
 StringAttr baseDNNameReq;
@@ -4363,7 +4363,7 @@ bool Cws_accessEx::onAccountPermissionsV2(IEspContext &context, IEspAccountPermi
 }
 public:
- CAccountPermissionsHelper(IEspContext *ctx, CLdapSecManager *secmgr) : context(ctx), secMGR(secmgr) { }
+ CAccountPermissionsHelper(IEspContext *ctx, ILdapSecManager *secmgr) : context(ctx), secMGR(secmgr) { }
 void readReq(IEspAccountPermissionsV2Request &req, const char *accountReq, const char *userID)
 {
@@ -4430,7 +4430,7 @@ bool Cws_accessEx::onAccountPermissionsV2(IEspContext &context, IEspAccountPermi
 try
 {
- CLdapSecManager *secMGR = queryLDAPSecurityManager(context, true);
+ ILdapSecManager *secMGR = queryLDAPSecurityManager(context, true);
 //Check user and access
 StringBuffer userID;
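Review bot: `CAccountPermissionsHelper` keeps `ILdapSecManager *secMGR` as a raw member set from the constructor, and nothing on the class says who owns the manager or how long it must outlive the helper; a comment on the member, `// Non-owning; the caller guarantees the manager outlives this helper`, would document the contract. My reading of the last hunk is that the pointer comes from `queryLDAPSecurityManager(context, true)` and so is valid for the duration of the request, but that should be confirmed before being written down. The `secMGR` capitalisation also differs from the `secmgr`/`ldapsecmgr` spelling used everywhere else in this file, including the constructor parameter on the same line. The class body and `onAccountPermissionsV2` both continue outside their hunks.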
@@ -4460,7 +4460,7 @@ bool Cws_accessEx::onFilePermission(IEspContext &context, IEspFilePermissionRequ
 {
 try
 {
- CLdapSecManager* secmgr = queryLDAPSecurityManager(context, false);
+ ILdapSecManager* secmgr = queryLDAPSecurityManager(context, false);
 double version = context.getClientVersion();
 if (version > 1.03)
 {
@@ -4665,7 +4665,7 @@ bool Cws_accessEx::onUserAccountExport(IEspContext &context, IEspUserAccountExpo
 {
 try
 {
- CLdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
+ ILdapSecManager* secmgr = queryLDAPSecurityManagerAndCheckUser(context);
 StringBuffer xls;
 xls.append("");
diff --git a/esp/services/ws_access/ws_accessService.hpp b/esp/services/ws_access/ws_accessService.hpp
index f8ad3a6bd1f..6d2890094cd 100644
--- a/esp/services/ws_access/ws_accessService.hpp
+++ b/esp/services/ws_access/ws_accessService.hpp
@@ -76,22 +76,22 @@ class Cws_accessEx : public Cws_access
     void setBasedns(IEspContext &context);
     void getBasednReq(IEspContext &context, const char* name, const char* basedn, const char* rType, const char* rTitle, IEspDnStruct* dn);
-    bool permissionAddInputOnResource(IEspContext &context, CLdapSecManager *secmgr, IEspPermissionAddRequest &req, IEspPermissionAddResponse &resp);
-    bool permissionAddInputOnAccount(IEspContext &context, CLdapSecManager *secmgr, const char* accountName, IEspPermissionAddRequest &req, IEspPermissionAddResponse &resp);
-    bool getNewFileScopeNames(CLdapSecManager* secmgr, const char* name, IEspDnStruct* req, StringBuffer& existingResource, StringArray& newResources);
-    bool setNewFileScopePermissions(CLdapSecManager* secmgr, IEspDnStruct* req, StringBuffer& existingResource, StringArray& newResources);
-    bool permissionsReset(CLdapSecManager* ldapsecmgr, const char* basedn, const char* rtype, const char* prefix,
+    bool permissionAddInputOnResource(IEspContext &context, ILdapSecManager *secmgr, IEspPermissionAddRequest &req, IEspPermissionAddResponse &resp);
+    bool permissionAddInputOnAccount(IEspContext &context, ILdapSecManager *secmgr, const char* accountName, IEspPermissionAddRequest &req, IEspPermissionAddResponse &resp);
+    bool getNewFileScopeNames(ILdapSecManager* secmgr, const char* name, IEspDnStruct* req, StringBuffer& existingResource, StringArray& newResources);
+    bool setNewFileScopePermissions(ILdapSecManager* secmgr, IEspDnStruct* req, StringBuffer& existingResource, StringArray& newResources);
+    bool permissionsReset(ILdapSecManager* ldapsecmgr, const char* basedn, const char* rtype, const char* prefix,
         const char* resourceName, ACT_TYPE accountType, const char* accountName, bool allow_access, bool allow_read, bool allow_write, bool allow_full, bool deny_access, bool deny_read, bool deny_write, bool deny_full);
-    void getBaseDNsForAddingPermssionToAccount(CLdapSecManager* secmgr, const char* prefix, const char* accountName,
+    void getBaseDNsForAddingPermssionToAccount(ILdapSecManager* secmgr, const char* prefix, const char* accountName,
         int accountType, StringArray& basednNames);
-    int enableDisableScopeScans(IEspContext &context, CLdapSecManager *secmgr, bool doEnable, StringBuffer &retMsg);
-    CLdapSecManager* queryLDAPSecurityManager(IEspContext &context, bool excpt);
+    int enableDisableScopeScans(IEspContext &context, ILdapSecManager *secmgr, bool doEnable, StringBuffer &retMsg);
+    ILdapSecManager* queryLDAPSecurityManager(IEspContext &context, bool excpt);
     void addResourcePermission(const char *name, int type, int allows, int denies, IArrayOf &permissions);
     const char* getPasswordExpiration(ISecUser *usr, StringBuffer &passwordExpiration);
-    void checkUser(IEspContext &context, CLdapSecManager *ldapSecMgr, const char *rtype = nullptr, const char *rtitle = nullptr, unsigned int SecAccessFlags = SecAccess_Full);
-    CLdapSecManager* queryLDAPSecurityManagerAndCheckUser(IEspContext &context, const char *rtype = nullptr, const char *rtitle = nullptr, unsigned int SecAccessFlags = SecAccess_Full);
+    void checkUser(IEspContext &context, ILdapSecManager *ldapSecMgr, const char *rtype = nullptr, const char *rtitle = nullptr, unsigned int SecAccessFlags = SecAccess_Full);
+    ILdapSecManager* queryLDAPSecurityManagerAndCheckUser(IEspContext &context, const char *rtype = nullptr, const char *rtitle = nullptr, unsigned int SecAccessFlags = SecAccess_Full);
     void createResourceArrayForResources(const char *baseDN, SecResourceType rType, IArrayOf &resources, IArrayOf &resourceArray);
     void readFileScopesFromString(const char* str, StringArray& scopes, bool append);
     void addAFileScope(const char* scope, StringBuffer& newFileScope, StringArray& fileScopes, bool append);
diff --git a/esp/services/ws_account/ws_accountService.cpp b/esp/services/ws_account/ws_accountService.cpp
index 20da7971bcc..eb40206ecd0 100644
--- a/esp/services/ws_account/ws_accountService.cpp
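Review bot: The rewritten `checkUser` and `queryLDAPSecurityManagerAndCheckUser` declarations keep a parameter named `SecAccessFlags`, which is also the name of the enum type this same commit uses as a return type in ldapsecurity.ipp (`virtual SecAccessFlags authorizeEx(...)`), so inside those functions the parameter hides the type. That is pre-existing, but since both lines are being rewritten anyway it would be cheap to rename it, e.g. `unsigned int requiredAccess = SecAccess_Full`, together with the matching definitions in ws_accessService.cpp, which are not in this view. The `Cws_accessEx` class body starts before and continues after the hunk.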
+++ b/esp/services/ws_account/ws_accountService.cpp
@@ -35,7 +35,7 @@ bool Cws_accountEx::onUpdateUser(IEspContext &context, IEspUpdateUserRequest & r
 {
     try
     {
-        CLdapSecManager* secmgr = dynamic_cast(context.querySecManager());
+        ILdapSecManager* secmgr = dynamic_cast(context.querySecManager());
         if(secmgr == NULL)
         {
             throw MakeStringException(ECLWATCH_INVALID_SEC_MANAGER, "Security manager can't be converted to LdapSecManager. Only LdapSecManager supports this function.");
@@ -161,7 +161,7 @@ bool Cws_accountEx::onMyAccount(IEspContext &context, IEspMyAccountRequest &req,
     try
     {
         ISecUser* userInContext = context.queryUser();
-        CLdapSecManager* secmgr = dynamic_cast(context.querySecManager());
+        ILdapSecManager* secmgr = dynamic_cast(context.querySecManager());
         if (!userInContext)
         {
             if (secmgr || (context.getDomainAuthType() == AuthUserNameOnly))
diff --git a/esp/services/ws_smc/ws_smcService.cpp b/esp/services/ws_smc/ws_smcService.cpp
index 89169dc29b9..e176172c5a0 100644
--- a/esp/services/ws_smc/ws_smcService.cpp
+++ b/esp/services/ws_smc/ws_smcService.cpp
@@ -1204,7 +1204,7 @@ bool CWsSMCEx::onActivity(IEspContext &context, IEspActivityRequest &req, IEspAc
     bool isSuperUser = true;
 #ifdef _USE_OPENLDAP
-    CLdapSecManager* secmgr = dynamic_cast(context.querySecManager());
+    ILdapSecManager* secmgr = dynamic_cast(context.querySecManager());
     if(secmgr && !secmgr->isSuperUser(context.queryUser()))
         isSuperUser = false;
 #endif
@@ -1839,7 +1839,7 @@ bool CWsSMCEx::onSetBanner(IEspContext &context, IEspSetBannerRequest &req, IEsp
     try
     {
 #ifdef _USE_OPENLDAP
-        CLdapSecManager* secmgr = dynamic_cast(context.querySecManager());
+        ILdapSecManager* secmgr = dynamic_cast(context.querySecManager());
         if(secmgr && !secmgr->isSuperUser(context.queryUser()))
         {
             context.setAuthStatus(AUTH_STATUS_NOACCESS);
diff --git a/esp/services/ws_workunits/ws_workunitsHelpers.cpp b/esp/services/ws_workunits/ws_workunitsHelpers.cpp
index 30bf1715fe8..caa1fd0ba1c 100644
--- a/esp/services/ws_workunits/ws_workunitsHelpers.cpp
+++ b/esp/services/ws_workunits/ws_workunitsHelpers.cpp
@@ -3709,7 +3709,7 @@ void WsWuHelpers::submitWsWorkunit(IEspContext& context, IConstWorkUnit* cw, con
     ensureWsWorkunitAccess(context, *cw, SecAccess_Write);
 #ifndef _NO_LDAP
-    CLdapSecManager* secmgr = dynamic_cast(context.querySecManager());
+    ILdapSecManager* secmgr = dynamic_cast(context.querySecManager());
     // View Scope is checked only when LDAP secmgr is available AND checkViewPermissions config is also enabled.
     // Otherwise, the view permission check is skipped, and WU is submitted as normal.
diff --git a/system/security/LdapSecurity/ldapsecurity.ipp b/system/security/LdapSecurity/ldapsecurity.ipp
index a6f6240676f..660f6db0b58 100644
--- a/system/security/LdapSecurity/ldapsecurity.ipp
+++ b/system/security/LdapSecurity/ldapsecurity.ipp
@@ -304,7 +304,64 @@ public:
     }
 };
-class LDAPSECURITY_API CLdapSecManager : implements ISecManager, public CInterface
+interface ILdapSecManager : extends ISecManager
+{
+    // Ensure reused names overload instead of hide base names.
+    using ISecManager::addUser;
+    using ISecManager::authorizeEx;
+    using ISecManager::getAllUsers;
+    using ISecManager::updateUserPassword;
+
+    virtual bool authorizeViewScope(ISecUser & user, StringArray & filenames, StringArray & columnnames) = 0;
+    virtual void searchUsers(const char* searchstr, IUserArray& users) = 0;
+    virtual ISecItemIterator* getUsersSorted(const char* userName, UserField* sortOrder, const unsigned pageStartFrom, const unsigned pageSize, unsigned* total, __int64* cacheHint) = 0;
+    virtual void getAllUsers(IUserArray& users) = 0;
+    virtual bool updateUser(const char* type, ISecUser& user) = 0;
+    virtual bool updateUserPassword(const char* username, const char* newPassword) = 0;
+    virtual bool getResourcesEx(SecResourceType rtype, const char * basedn, const char * searchstr, IArrayOf& resources) = 0;
+    virtual ISecItemIterator* getResourcesSorted(SecResourceType rtype, const char* basedn, const char* resourceName, unsigned extraNameFilter,
+        ResourceField* sortOrder, const unsigned pageStartFrom, const unsigned pageSize, unsigned* total, __int64* cacheHint) = 0;
+    virtual ISecItemIterator* getResourcePermissionsSorted(const char* name, enum ACCOUNT_TYPE_REQ accountType, const char* baseDN, const char* rtype, const char* prefix,
+        ResourcePermissionField* sortOrder, const unsigned pageStartFrom, const unsigned pageSize, unsigned* total, __int64* cacheHint) = 0;
+    virtual bool getPermissionsArray(const char* basedn, SecResourceType rtype, const char* name, IArrayOf& permissions) = 0;
+    virtual ISecItemIterator* getGroupsSorted(GroupField* sortOrder, const unsigned pageStartFrom, const unsigned pageSize, unsigned* total, __int64* cacheHint) = 0;
+    virtual ISecItemIterator* getGroupMembersSorted(const char* groupName, UserField* sortOrder, const unsigned pageStartFrom, const unsigned pageSize, unsigned* total, __int64* cacheHint) = 0;
+    virtual void getGroups(const char* username, StringArray & groups) = 0;
+    virtual bool changePermission(CPermissionAction& action) = 0;
+    virtual void changeUserGroup(const char* action, const char* username, const char* groupname) = 0;
+    virtual void changeGroupMember(const char* action, const char* groupdn, const char* userdn) = 0;
+    virtual bool deleteUser(ISecUser* user) = 0;
+    virtual void addGroup(const char* groupname, const char * groupOwner, const char * groupDesc) = 0;
+    virtual void addGroup(const char* groupname, const char * groupOwner, const char * groupDesc, const char* basedn) = 0;
+    virtual void deleteGroup(const char* groupname) = 0;
+    virtual void getGroupMembers(const char* groupname, StringArray & users) = 0;
+    virtual bool authorizeEx(SecResourceType rtype, ISecUser& sec_user, ISecResourceList * Resources, bool doAuthentication) = 0;
+    virtual SecAccessFlags authorizeEx(SecResourceType rtype, ISecUser& sec_user, const char* resourcename, bool doAuthentication) = 0;
+    virtual void normalizeDn(const char* dn, StringBuffer& ndn) = 0;
+    virtual bool isSuperUser(ISecUser* user) = 0;
+    virtual ILdapConfig* queryConfig() = 0;
+    virtual int countResources(const char* basedn, const char* searchstr, int limit) = 0;
+    virtual int countUsers(const char* searchstr, int limit) = 0;
+    virtual bool getUserInfo(ISecUser& user, const char* infotype = NULL) = 0;
+    virtual LdapServerType getLdapServerType() = 0;
+    virtual const char* getPasswordStorageScheme() = 0;
+    virtual bool getCheckViewPermissions() = 0;
+    virtual void createLdapBasedn(ISecUser* user, const char* basedn, SecPermissionType ptype, const char* description) = 0;
+    virtual bool organizationalUnitExists(const char * ou) const = 0;
+    virtual bool addUser(ISecUser & user, const char* basedn) = 0;
+    virtual void createView(const char * viewName, const char * viewDescription) = 0;
+    virtual void deleteView(const char * viewName) = 0;
+    virtual void queryAllViews(StringArray & viewNames, StringArray & viewDescriptions, StringArray & viewManagedBy) = 0;
+    virtual void addViewColumns(const char * viewName, StringArray & files, StringArray & columns) = 0;
+    virtual void removeViewColumns(const char * viewName, StringArray & files, StringArray & columns) = 0;
+    virtual void queryViewColumns(const char * viewName, StringArray & files, StringArray & columns) = 0;
+    virtual void addViewMembers(const char * viewName, StringArray & viewUsers, StringArray & viewGroups) = 0;
+    virtual void removeViewMembers(const char * viewName, StringArray & viewUsers, StringArray & viewGroups) = 0;
+    virtual void queryViewMembers(const char * viewName, StringArray & viewUsers, StringArray & viewGroups) = 0;
+    virtual bool userInView(const char * user, const char* viewName) = 0;
+};
+
+class LDAPSECURITY_API CLdapSecManager : implements ILdapSecManager, public CInterface
 {
 private:
     Owned m_ldap_client;
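Review bot: `ILdapSecManager` is now the type the rest of this commit downcasts to, yet none of its pure virtuals carry a contract comment, and the `using ISecManager::updateUserPassword;` directive exposes two password overloads side by side: the inherited one takes a `currPassword`, while the new `updateUserPassword(const char* username, const char* newPassword)` by its signature cannot verify the current one. A one-line comment on the two-argument form, such as `// Administrative reset by account name: no current-password check; the caller must authorize the requester first.`, would stop a service picking it for self-service password changes. `isSuperUser(ISecUser* user)` is used as an authorization gate in the ws_smc hunks of this commit and would likewise benefit from a comment stating what it checks and how a null `user` is treated, which is not visible here. Minor: `getUserInfo(ISecUser& user, const char* infotype = NULL) = 0` puts a default argument on a virtual; the override repeats the same value, but default arguments bind to the static type, so either keep them identical or drop the default from the interface.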
@@ -358,58 +415,58 @@ public:
     ISecUser * lookupUser(unsigned uid, IEspSecureContext* secureContext = nullptr) override;
     ISecUser * findUser(const char * username, IEspSecureContext* secureContext = nullptr) override;
     ISecUserIterator * getAllUsers(IEspSecureContext* secureContext = nullptr) override;
-    virtual void searchUsers(const char* searchstr, IUserArray& users);
-    virtual ISecItemIterator* getUsersSorted(const char* userName, UserField* sortOrder, const unsigned pageStartFrom, const unsigned pageSize, unsigned* total, __int64* cacheHint);
-    virtual void getAllUsers(IUserArray& users);
+    virtual void searchUsers(const char* searchstr, IUserArray& users) override;
+    virtual ISecItemIterator* getUsersSorted(const char* userName, UserField* sortOrder, const unsigned pageStartFrom, const unsigned pageSize, unsigned* total, __int64* cacheHint) override;
+    virtual void getAllUsers(IUserArray& users) override;
     void setExtraParam(const char * name, const char * value, IEspSecureContext* secureContext = nullptr) override;
     IAuthMap * createAuthMap(IPropertyTree * authconfig, IEspSecureContext* secureContext = nullptr) override;
     IAuthMap * createFeatureMap(IPropertyTree * authconfig, IEspSecureContext* secureContext = nullptr) override;
     IAuthMap * createSettingMap(struct IPropertyTree *, IEspSecureContext* secureContext = nullptr) override {return 0;}
     bool updateSettings(ISecUser & User,ISecPropertyList * settings, IEspSecureContext* secureContext = nullptr) override {return false;}
     bool updateUserPassword(ISecUser& user, const char* newPassword, const char* currPassword = nullptr, IEspSecureContext* secureContext = nullptr) override;
-    virtual bool updateUser(const char* type, ISecUser& user);
-    virtual bool updateUserPassword(const char* username, const char* newPassword);
+    virtual bool updateUser(const char* type, ISecUser& user) override;
+    virtual bool updateUserPassword(const char* username, const char* newPassword) override;
     bool initUser(ISecUser& user, IEspSecureContext* secureContext = nullptr) override {return false;}
     bool getResources(SecResourceType rtype, const char * basedn, IArrayOf& resources, IEspSecureContext* secureContext = nullptr) override;
-    virtual bool getResourcesEx(SecResourceType rtype, const char * basedn, const char * searchstr, IArrayOf& resources);
+    virtual bool getResourcesEx(SecResourceType rtype, const char * basedn, const char * searchstr, IArrayOf& resources) ;
     virtual ISecItemIterator* getResourcesSorted(SecResourceType rtype, const char* basedn, const char* resourceName, unsigned extraNameFilter,
-        ResourceField* sortOrder, const unsigned pageStartFrom, const unsigned pageSize, unsigned* total, __int64* cacheHint);
+        ResourceField* sortOrder, const unsigned pageStartFrom, const unsigned pageSize, unsigned* total, __int64* cacheHint) ;
     virtual ISecItemIterator* getResourcePermissionsSorted(const char* name, enum ACCOUNT_TYPE_REQ accountType, const char* baseDN, const char* rtype, const char* prefix,
-        ResourcePermissionField* sortOrder, const unsigned pageStartFrom, const unsigned pageSize, unsigned* total, __int64* cacheHint);
+        ResourcePermissionField* sortOrder, const unsigned pageStartFrom, const unsigned pageSize, unsigned* total, __int64* cacheHint) override;
     void cacheSwitch(SecResourceType rtype, bool on, IEspSecureContext* secureContext = nullptr) override;
-    virtual bool getPermissionsArray(const char* basedn, SecResourceType rtype, const char* name, IArrayOf& permissions);
+    virtual bool getPermissionsArray(const char* basedn, SecResourceType rtype, const char* name, IArrayOf& permissions) override;
     void getAllGroups(StringArray & groups, StringArray & managedBy, StringArray & descriptions, IEspSecureContext* secureContext = nullptr) override;
-    virtual ISecItemIterator* getGroupsSorted(GroupField* sortOrder, const unsigned pageStartFrom, const unsigned pageSize, unsigned* total, __int64* cacheHint);
-    virtual ISecItemIterator* getGroupMembersSorted(const char* groupName, UserField* sortOrder, const unsigned pageStartFrom, const unsigned pageSize, unsigned* total, __int64* cacheHint);
-    virtual void getGroups(const char* username, StringArray & groups);
-    virtual bool changePermission(CPermissionAction& action);
-    virtual void changeUserGroup(const char* action, const char* username, const char* groupname);
-    virtual void changeGroupMember(const char* action, const char* groupdn, const char* userdn);
-    virtual bool deleteUser(ISecUser* user);
-    virtual void addGroup(const char* groupname, const char * groupOwner, const char * groupDesc);
-    virtual void addGroup(const char* groupname, const char * groupOwner, const char * groupDesc, const char* basedn);
-    virtual void deleteGroup(const char* groupname);
-    virtual void getGroupMembers(const char* groupname, StringArray & users);
+    virtual ISecItemIterator* getGroupsSorted(GroupField* sortOrder, const unsigned pageStartFrom, const unsigned pageSize, unsigned* total, __int64* cacheHint) override;
+    virtual ISecItemIterator* getGroupMembersSorted(const char* groupName, UserField* sortOrder, const unsigned pageStartFrom, const unsigned pageSize, unsigned* total, __int64* cacheHint) override;
+    virtual void getGroups(const char* username, StringArray & groups) override;
+    virtual bool changePermission(CPermissionAction& action) override;
+    virtual void changeUserGroup(const char* action, const char* username, const char* groupname) override;
+    virtual void changeGroupMember(const char* action, const char* groupdn, const char* userdn) override;
+    virtual bool deleteUser(ISecUser* user) override;
+    virtual void addGroup(const char* groupname, const char * groupOwner, const char * groupDesc) override;
+    virtual void addGroup(const char* groupname, const char * groupOwner, const char * groupDesc, const char* basedn) override;
+    virtual void deleteGroup(const char* groupname) override;
+    virtual void getGroupMembers(const char* groupname, StringArray & users) override;
     void deleteResource(SecResourceType rtype, const char * name, const char * basedn, IEspSecureContext* secureContext = nullptr) override;
     void renameResource(SecResourceType rtype, const char * oldname, const char * newname, const char * basedn, IEspSecureContext* secureContext = nullptr) override;
     void copyResource(SecResourceType rtype, const char * oldname, const char * newname, const char * basedn, IEspSecureContext* secureContext = nullptr) override;
-    virtual bool authorizeEx(SecResourceType rtype, ISecUser& sec_user, ISecResourceList * Resources, bool doAuthentication);
-    virtual SecAccessFlags authorizeEx(SecResourceType rtype, ISecUser& sec_user, const char* resourcename, bool doAuthentication);
+    virtual bool authorizeEx(SecResourceType rtype, ISecUser& sec_user, ISecResourceList * Resources, bool doAuthentication) override;
+    virtual SecAccessFlags authorizeEx(SecResourceType rtype, ISecUser& sec_user, const char* resourcename, bool doAuthentication) override;
-    virtual void normalizeDn(const char* dn, StringBuffer& ndn);
-    virtual bool isSuperUser(ISecUser* user);
-    virtual ILdapConfig* queryConfig();
+    virtual void normalizeDn(const char* dn, StringBuffer& ndn) override;
+    virtual bool isSuperUser(ISecUser* user) override;
+    virtual ILdapConfig* queryConfig() override;
-    virtual int countResources(const char* basedn, const char* searchstr, int limit);
-    virtual int countUsers(const char* searchstr, int limit);
+    virtual int countResources(const char* basedn, const char* searchstr, int limit) override;
+    virtual int countUsers(const char* searchstr, int limit) override;
     bool authTypeRequired(SecResourceType rtype, IEspSecureContext* secureContext = nullptr) override {return true;};
-    virtual bool getUserInfo(ISecUser& user, const char* infotype = NULL);
+    virtual bool getUserInfo(ISecUser& user, const char* infotype = NULL) override;
-    virtual LdapServerType getLdapServerType()
+    virtual LdapServerType getLdapServerType() override
     {
         if(m_ldap_client)
             return m_ldap_client->getServerType();
@@ -417,7 +474,7 @@ public:
         return ACTIVE_DIRECTORY;
     }
-    virtual const char* getPasswordStorageScheme()
+    virtual const char* getPasswordStorageScheme() override
     {
         if(m_ldap_client)
             return m_ldap_client->getPasswordStorageScheme();
@@ -435,7 +492,7 @@ public:
         return m_passwordExpirationWarningDays;
     }
-    virtual bool getCheckViewPermissions()
+    virtual bool getCheckViewPermissions() override
     {
         return m_checkViewPermissions;
     }
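Review bot: `getResourcesEx` and the continuation line of `getResourcesSorted` are the only two declarations in this hunk that end in `) ;` instead of `) override;`, even though both are declared pure virtual in the new `ILdapSecManager`; they still override by signature, but the omission forfeits the compile-time check the rest of the commit adds and leaves a stray space before the semicolon. Append `override` to both so the tails read `IArrayOf& resources) override;` and `unsigned* total, __int64* cacheHint) override;`, matching the neighbouring `getResourcePermissionsSorted`. The `CLdapSecManager` class body starts before this hunk and continues past it.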
@@ -449,23 +506,23 @@ public:
     bool logoutUser(ISecUser & user, IEspSecureContext* secureContext = nullptr) override;
     bool retrieveUserData(ISecUser& requestedUser, ISecUser* requestingUser = nullptr, IEspSecureContext* secureContext = nullptr) override;
     bool removeResources(ISecUser& sec_user, ISecResourceList * resources, IEspSecureContext* secureContext = nullptr) override { return false; }
-    virtual void createLdapBasedn(ISecUser* user, const char* basedn, SecPermissionType ptype, const char* description);
-    virtual bool organizationalUnitExists(const char * ou) const;
-    virtual bool addUser(ISecUser & user, const char* basedn);
+    virtual void createLdapBasedn(ISecUser* user, const char* basedn, SecPermissionType ptype, const char* description) override;
+    virtual bool organizationalUnitExists(const char * ou) const override;
+    virtual bool addUser(ISecUser & user, const char* basedn) override;
     //Data View related interfaces
-    virtual void createView(const char * viewName, const char * viewDescription);
-    virtual void deleteView(const char * viewName);
-    virtual void queryAllViews(StringArray & viewNames, StringArray & viewDescriptions, StringArray & viewManagedBy);
-
-    virtual void addViewColumns(const char * viewName, StringArray & files, StringArray & columns);
-    virtual void removeViewColumns(const char * viewName, StringArray & files, StringArray & columns);
-    virtual void queryViewColumns(const char * viewName, StringArray & files, StringArray & columns);
-
-    virtual void addViewMembers(const char * viewName, StringArray & viewUsers, StringArray & viewGroups);
-    virtual void removeViewMembers(const char * viewName, StringArray & viewUsers, StringArray & viewGroups);
-    virtual void queryViewMembers(const char * viewName, StringArray & viewUsers, StringArray & viewGroups);
-    virtual bool userInView(const char * user, const char* viewName);
+    virtual void createView(const char * viewName, const char * viewDescription) override;
+    virtual void deleteView(const char * viewName) override;
+    virtual void queryAllViews(StringArray & viewNames, StringArray & viewDescriptions, StringArray & viewManagedBy) override;
+
+    virtual void addViewColumns(const char * viewName, StringArray & files, StringArray & columns) override;
+    virtual void removeViewColumns(const char * viewName, StringArray & files, StringArray & columns) override;
+    virtual void queryViewColumns(const char * viewName, StringArray & files, StringArray & columns) override;
+
+    virtual void addViewMembers(const char * viewName, StringArray & viewUsers, StringArray & viewGroups) override;
+    virtual void removeViewMembers(const char * viewName, StringArray & viewUsers, StringArray & viewGroups) override;
+    virtual void queryViewMembers(const char * viewName, StringArray & viewUsers, StringArray & viewGroups) override;
+    virtual bool userInView(const char * user, const char* viewName) override;
 };
 #ifdef _MSC_VER
diff --git a/tools/initldap/initldap.cpp b/tools/initldap/initldap.cpp
index e763319a5f2..ef9d5145e70 100644
--- a/tools/initldap/initldap.cpp
+++ b/tools/initldap/initldap.cpp
@@ -133,10 +133,10 @@ bool initLDAP(IPropertyTree * ldapProps)
     catch(...) {}//user may already exist, so just move on
     //Add HPCC admin user to Administrators group
-    CLdapSecManager* ldapSecMgr = dynamic_cast(secMgr.get());
+    ILdapSecManager* ldapSecMgr = dynamic_cast(secMgr.get());
     if (!ldapSecMgr)
     {
-        fprintf(stderr, "\nERROR: Unable to access CLdapSecManager object");
+        fprintf(stderr, "\nERROR: Unable to access ILdapSecManager object");
         return false;
     }
     StringAttr adminGroup;