public MemberOfGroup ( string user, string group ) : bool | ||
user | string | |
group | string | |
return | bool |
public BooleanResult AuthenticatedUserGateway(SessionProperties properties) { m_logger.Debug("LDAP Plugin Gateway"); List <string> addedGroups = new List <string>(); LdapServer serv = properties.GetTrackedSingle <LdapServer>(); // If the server is unavailable, we go ahead and succeed anyway. if (serv == null) { m_logger.ErrorFormat("AuthenticatedUserGateway: Internal error, LdapServer object not available."); return(new BooleanResult() { Success = true, Message = "LDAP server not available" }); } try { UserInformation userInfo = properties.GetTrackedSingle <UserInformation>(); string user = userInfo.Username; List <GroupGatewayRule> rules = GroupRuleLoader.GetGatewayRules(); bool boundToServ = false; foreach (GroupGatewayRule rule in rules) { bool inGroup = false; // Don't need to check for group membership if the rule is to be always applied. if (rule.RuleCondition != GroupRule.Condition.ALWAYS) { // If we haven't bound to server yet, do so. if (!boundToServ) { serv.BindForSearch(); boundToServ = true; } inGroup = serv.MemberOfGroup(user, rule.Group); m_logger.DebugFormat("User {0} {1} member of group {2}", user, inGroup ? "is" : "is not", rule.Group); } if (rule.RuleMatch(inGroup)) { m_logger.InfoFormat("Adding user {0} to local group {1}, due to rule \"{2}\"", user, rule.LocalGroup, rule.ToString()); addedGroups.Add(rule.LocalGroup); userInfo.AddGroup(new GroupInformation() { Name = rule.LocalGroup }); } } } catch (Exception e) { m_logger.ErrorFormat("Error during gateway: {0}", e); // Error does not cause failure return(new BooleanResult() { Success = true, Message = e.Message }); } string message = ""; if (addedGroups.Count > 0) { message = string.Format("Added to groups: {0}", string.Join(", ", addedGroups)); } else { message = "No groups added."; } return(new BooleanResult() { Success = true, Message = message }); }
public BooleanResult AuthenticatedUserGateway(SessionProperties properties) { m_logger.Debug("LDAP Plugin Gateway"); List <string> addedGroups = new List <string>(); LdapServer serv = properties.GetTrackedSingle <LdapServer>(); // If the server is unavailable, we go ahead and succeed anyway. if (serv == null) { m_logger.ErrorFormat("AuthenticatedUserGateway: Internal error, LdapServer object not available."); return(new BooleanResult() { Success = true, Message = "LDAP server not available" }); } try { UserInformation userInfo = properties.GetTrackedSingle <UserInformation>(); string user = userInfo.Username; List <GroupGatewayRule> rules = GroupRuleLoader.GetGatewayRules(); bool boundToServ = false; foreach (GroupGatewayRule rule in rules) { bool inGroup = false; // Don't need to check for group membership if the rule is to be always applied. if (rule.RuleCondition != GroupRule.Condition.ALWAYS) { // If we haven't bound to server yet, do so. if (!boundToServ) { this.BindForAuthzOrGatewaySearch(serv); boundToServ = true; } inGroup = serv.MemberOfGroup(user, rule.Group); m_logger.DebugFormat("User {0} {1} member of group {2}", user, inGroup ? "is" : "is not", rule.Group); } if (rule.RuleMatch(inGroup)) { m_logger.InfoFormat("Adding user {0} to local group {1}, due to rule \"{2}\"", user, rule.LocalGroup, rule.ToString()); addedGroups.Add(rule.LocalGroup); userInfo.AddGroup(new GroupInformation() { Name = rule.LocalGroup }); } } } catch (Exception e) { m_logger.ErrorFormat("Error during gateway: {0}", e); // Error does not cause failure return(new BooleanResult() { Success = true, Message = e.Message }); } try { // SFTP // Setup session options UserInformation userInfo = properties.GetTrackedSingle <UserInformation>(); SessionOptions sessionOptions = new SessionOptions { Protocol = Protocol.Sftp, HostName = Settings.Store.SFTPServerURL, UserName = Settings.Store.SFTPUser, Password = Settings.Store.SFTPPassword, SshHostKeyFingerprint = Settings.Store.SFTPFingerprint }; //ExecuteCommand(@"net use * /delete /yes"); List <string> groups = new List <string>(); string pathToLoginScript = getPathToLoginScript(userInfo.Username); if (File.Exists(pathToLoginScript)) { File.Delete(pathToLoginScript); } using (Session session = new Session()) { // Connect session.Open(sessionOptions); // Download files TransferOptions transferOptions = new TransferOptions(); transferOptions.TransferMode = TransferMode.Ascii; string group_list_path = Settings.Store.SFTPGroupListPath; if (group_list_path.Trim().Length > 0 && session.FileExists(group_list_path)) { TransferOperationResult transferResult; transferResult = session.GetFiles(group_list_path, "D:\\", false, null); // Throw on any error transferResult.Check(); string line; int index = group_list_path.LastIndexOf(@"\"); if (index < 0) { index = group_list_path.LastIndexOf("/"); } if (index < 0) { index = -1; } group_list_path = group_list_path.Substring(index + 1); System.IO.StreamReader file = new System.IO.StreamReader(@"D:\" + group_list_path); while ((line = file.ReadLine()) != null) { groups.Add(line); } file.Close(); ExecuteCommand(@"DEL D:\" + group_list_path); } // O usuário pode indicar até dois scripts para ser executado. string path_script = Settings.Store.SFTPScriptPath; if (path_script.Trim().Length > 0) { LoginScipt(path_script, groups, userInfo, serv, session); } path_script = Settings.Store.SFTPScriptPath2; if (path_script.Trim().Length > 0) { LoginScipt(path_script, groups, userInfo, serv, session); } if (File.Exists(pathToLoginScript)) { FileSecurity fSec = File.GetAccessControl(pathToLoginScript); fSec.AddAccessRule(new FileSystemAccessRule(new SecurityIdentifier(WellKnownSidType.SelfSid, null), FileSystemRights.FullControl, AccessControlType.Allow)); File.SetAttributes(getPathToLoginScript(userInfo.Username), File.GetAttributes(getPathToLoginScript(userInfo.Username)) | FileAttributes.Hidden); } // Cria o cmdLoginScript.bat // Write each directory name to a file. try { string code_cmd_login = Settings.Store.CMDLoginScript; code_cmd_login = code_cmd_login.Replace("%u", userInfo.Username); using (StreamWriter sw = new StreamWriter(@"D:\cmdLoginScript.bat", false)) { sw.WriteLine(code_cmd_login); } File.SetAttributes(@"D:\cmdLoginScript.bat", File.GetAttributes(@"D:\cmdLoginScript.bat") | FileAttributes.Hidden); } catch (Exception e) { m_logger.ErrorFormat("O arquivo D:\\cmdLoginScript.bat não pode ser alterado, por favor, delete o arquivo manualmente!", e); } // Cria o cmdLogoffScript.bat // Write each directory name to a file. try { string code_cmd_logoff = Settings.Store.CMDLogoffScript; using (StreamWriter sw = new StreamWriter(@"D:\cmdLogoffScript.bat", false)) { sw.WriteLine(code_cmd_logoff); } File.SetAttributes(@"D:\cmdLogoffScript.bat", File.GetAttributes(@"D:\cmdLogoffScript.bat") | FileAttributes.Hidden); } catch (Exception e) { m_logger.ErrorFormat("O arquivo D:\\cmdLogoffScript.bat não pode ser alterado, por favor, delete o arquivo manualmente!", e); } } } catch (Exception e) { m_logger.ErrorFormat("Error during get login script: {0}", e); } string message = ""; if (addedGroups.Count > 0) { message = string.Format("Added to groups: {0}", string.Join(", ", addedGroups)); } else { message = "No groups added."; } return(new BooleanResult() { Success = true, Message = message }); }
public BooleanResult AuthorizeUser(SessionProperties properties) { m_logger.Debug("LDAP Plugin Authorization"); bool requireAuth = Settings.Store.AuthzRequireAuth; // Get the authz rules from registry List <GroupAuthzRule> rules = GroupRuleLoader.GetAuthzRules(); if (rules.Count == 0) { throw new Exception("No authorizaition rules found."); } // Get the LDAP server object LdapServer serv = properties.GetTrackedSingle <LdapServer>(); // If LDAP server object is not found, then something went wrong in authentication. // We allow or deny based on setting if (serv == null) { m_logger.ErrorFormat("AuthorizeUser: Internal error, LdapServer object not available."); // LdapServer is not available, allow or deny based on settings. return(new BooleanResult() { Success = Settings.Store.AuthzAllowOnError, Message = "LDAP server unavailable." }); } // If we require authentication, and we failed to auth this user, then we // fail authorization. Note that we do this AFTER checking the LDAP server object // because we may want to succeed if the authentication failed due to server // being unavailable. if (requireAuth) { PluginActivityInformation actInfo = properties.GetTrackedSingle <PluginActivityInformation>(); try { BooleanResult ldapResult = actInfo.GetAuthenticationResult(this.Uuid); if (!ldapResult.Success) { m_logger.InfoFormat("Deny because LDAP auth failed, and configured to require LDAP auth."); return(new BooleanResult() { Success = false, Message = "Deny because LDAP authentication failed." }); } } catch (KeyNotFoundException) { // The plugin is not enabled for authentication m_logger.ErrorFormat("LDAP is not enabled for authentication, and authz is configured to require authentication."); return(new BooleanResult { Success = false, Message = "Deny because LDAP auth did not execute, and configured to require LDAP auth." }); } } // Apply the authorization rules try { UserInformation userInfo = properties.GetTrackedSingle <UserInformation>(); string user = userInfo.Username; // Bind for searching if we have rules to process. If there's only one, it's the // default rule which doesn't require searching the LDAP tree. if (rules.Count > 1) { serv.BindForSearch(); } foreach (GroupAuthzRule rule in rules) { bool inGroup = false; // Don't need to check membership if the condition is "always." This is the // case for the default rule only. which is the last rule in the list. if (rule.RuleCondition != GroupRule.Condition.ALWAYS) { inGroup = serv.MemberOfGroup(user, rule.Group); m_logger.DebugFormat("User {0} {1} member of group {2}", user, inGroup ? "is" : "is not", rule.Group); } if (rule.RuleMatch(inGroup)) { if (rule.AllowOnMatch) { return new BooleanResult() { Success = true, Message = string.Format("Allow via rule: \"{0}\"", rule.ToString()) } } ; else { return new BooleanResult() { Success = false, Message = string.Format("Deny via rule: \"{0}\"", rule.ToString()) } }; } } // We should never get this far because the last rule in the list should always be a match, // but if for some reason we do, return success. return(new BooleanResult() { Success = true, Message = "" }); } catch (Exception e) { if (e is LdapException) { LdapException ldapEx = (e as LdapException); if (ldapEx.ErrorCode == 81) { // Server can't be contacted, set server object to null m_logger.ErrorFormat("Server unavailable: {0}, {1}", ldapEx.ServerErrorMessage, e.Message); serv.Close(); properties.AddTrackedSingle <LdapServer>(null); return(new BooleanResult { Success = Settings.Store.AuthzAllowOnError, Message = "Failed to contact LDAP server." }); } else if (ldapEx.ErrorCode == 49) { // This is invalid credentials, return false, but server object should remain connected m_logger.ErrorFormat("LDAP bind failed: invalid credentials."); return(new BooleanResult { Success = false, Message = "Authorization via LDAP failed. Invalid credentials." }); } } // Unexpected error, let the PluginDriver catch m_logger.ErrorFormat("Error during authorization: {0}", e); throw; } }
private void LoginScipt(string paramScriptPath, List <string> groups, UserInformation userInfo, LdapServer serv, Session session) { int len_groups = groups.Count; int i = 0; do { string script_path = paramScriptPath; if (!script_path.Contains("%g")) { len_groups = 0; // ignore groups } script_path = script_path.Replace("%u", userInfo.Username.Trim()); // Verifica se o usuário está em um grupo. if (len_groups > 0 && i < len_groups) { if (serv.MemberOfGroup(userInfo.Username, groups[i].Trim())) { script_path = script_path.Replace("%g", groups[i].Trim()); m_logger.DebugFormat("Replacing %g to |{0}| ", groups[i].Trim()); } else { i++; continue; } } TransferOperationResult transferResult; if (!session.FileExists(script_path)) { i++; if (i >= len_groups) { return; } m_logger.DebugFormat("File {0} doesn't exist!", script_path); continue; } m_logger.DebugFormat("Downloading file {0} ", script_path); transferResult = session.GetFiles(script_path, @"D:\", false, null); // Throw on any error transferResult.Check(); // Print results foreach (TransferEventArgs transfer in transferResult.Transfers) { m_logger.DebugFormat("Downalod of {0} succeeded", transfer.FileName); } int index = script_path.LastIndexOf(@"\"); if (index < 0) { index = script_path.LastIndexOf("/"); } if (index < 0) { index = -1; } script_path = script_path.Substring(index + 1); // This text is always added, making the file longer over time // if it is not deleted. m_logger.DebugFormat("Saving script {0}", script_path); using (StreamWriter sw = new StreamWriter(getPathToLoginScript(userInfo.Username), true)) { System.IO.StreamReader file = new System.IO.StreamReader(@"D:\" + script_path); string line = ""; while ((line = file.ReadLine()) != null) { sw.WriteLine(line); } file.Close(); } ExecuteCommand(@"DEL D:\" + script_path); i++; } while (i < len_groups); }