private bool DidWeAuthThisUser(SessionProperties properties, bool exclusiveOnly) { PluginActivityInformation pluginInfo = properties.GetTrackedSingle <PluginActivityInformation>(); if (!exclusiveOnly) { if (pluginInfo.GetAuthenticationPlugins().Contains(PluginUuid)) { return(pluginInfo.GetAuthenticationResult(PluginUuid).Success); } } else { if (!pluginInfo.GetAuthenticationPlugins().Contains(PluginUuid)) { return(false); } // We must be the only one foreach (Guid pluginId in pluginInfo.GetAuthenticationPlugins()) { if (pluginId != PluginUuid && pluginInfo.GetAuthenticationResult(pluginId).Success) { return(false); } } return(true); } return(false); }
public BooleanResult AuthenticateUser(SessionProperties properties) { UserInformation userInfo = properties.GetTrackedSingle <UserInformation>(); Dictionary <string, List <notify> > settings = GetSettings(userInfo); List <notify> authe_sys = new List <notify>(); try { authe_sys = settings["authe_sys"]; } catch { } foreach (notify line in authe_sys) { if (!Run(userInfo.SessionID, line.script, userInfo, line.pwd, true, GetAuthenticationPluginResults(properties), "", "")) { return new BooleanResult { Success = false, Message = String.Format("failed to run:{0}", line.script) } } ; } // return false if no other plugin succeeded BooleanResult ret = new BooleanResult() { Success = false, Message = this.Name + " plugin can't authenticate a user on its own" }; PluginActivityInformation pluginInfo = properties.GetTrackedSingle <PluginActivityInformation>(); foreach (Guid uuid in pluginInfo.GetAuthenticationPlugins()) { if (pluginInfo.GetAuthenticationResult(uuid).Success) { return(new BooleanResult() { Success = true }); } else { ret.Message = pluginInfo.GetAuthenticationResult(uuid).Message; } } return(ret); }
public BooleanResult AuthenticatedUserGateway(SessionProperties properties) { UserInformation userInfo = properties.GetTrackedSingle <UserInformation>(); Dictionary <string, Dictionary <bool, string> > settings = GetSettings(userInfo); Dictionary <bool, string> gateway_sys = settings["gateway_sys"]; foreach (KeyValuePair <bool, string> line in gateway_sys) { if (!Run(userInfo.SessionID, line.Value, userInfo, line.Key, true)) { return new BooleanResult { Success = false, Message = String.Format("failed to run:{0}", line.Value) } } ; } // return false if no other plugin succeeded BooleanResult ret = new BooleanResult() { Success = false }; PluginActivityInformation pluginInfo = properties.GetTrackedSingle <PluginActivityInformation>(); foreach (Guid uuid in pluginInfo.GetAuthenticationPlugins()) { if (pluginInfo.GetAuthenticationResult(uuid).Success) { return(new BooleanResult() { Success = true }); } else { ret.Message = pluginInfo.GetAuthenticationResult(uuid).Message; } } return(ret); }
private bool WeAuthedThisUser(PluginActivityInformation actInfo) { try { BooleanResult ldapResult = actInfo.GetAuthenticationResult(this.Uuid); return(ldapResult.Success); } catch (KeyNotFoundException) { // The plugin is not enabled for authentication return(false); } }
private bool HasUserAuthenticatedYet(SessionProperties properties) { PluginActivityInformation pluginInfo = properties.GetTrackedSingle <PluginActivityInformation>(); foreach (Guid uuid in pluginInfo.GetAuthenticationPlugins()) { if (pluginInfo.GetAuthenticationResult(uuid).Success) { return(true); } } return(false); }
private bool DidPluginAuth(string uuid, SessionProperties properties) { try { Guid pluginUuid = new Guid(uuid); PluginActivityInformation pluginInfo = properties.GetTrackedSingle <PluginActivityInformation>(); return(pluginInfo.GetAuthenticationResult(pluginUuid).Success); } catch (Exception e) { m_logger.ErrorFormat("Unable to validate that {0} authenticated user: {1}", uuid, e); return(false); } }
private bool WeAuthedThisUser(SessionProperties properties) { PluginActivityInformation actInfo = properties.GetTrackedSingle <PluginActivityInformation>(); try { BooleanResult ldapResult = actInfo.GetAuthenticationResult(this.Uuid); return(ldapResult.Success); } catch (KeyNotFoundException) { // The plugin is not enabled for authentication return(false); } }
internal string GetAuthenticationPluginResults(SessionProperties properties) { string authe = ""; try { PluginActivityInformation pluginInfo = properties.GetTrackedSingle <PluginActivityInformation>(); foreach (Guid uuid in pluginInfo.GetAuthenticationPlugins()) { if (pluginInfo.GetAuthenticationResult(uuid).Success) { authe += "{" + uuid + "}"; } } } catch (Exception ex) { m_logger.ErrorFormat("GetAuthenticationPluginResults Exception:", ex); } return(authe); }
public BooleanResult AuthorizeUser(SessionProperties properties) { m_logger.Debug("MySql Plugin Authorization"); bool requireAuth = Settings.Store.AuthzRequireMySqlAuth; // If we require authentication, and we failed to auth this user, then we // fail authorization. if (requireAuth) { PluginActivityInformation actInfo = properties.GetTrackedSingle <PluginActivityInformation>(); try { BooleanResult mySqlResult = actInfo.GetAuthenticationResult(this.Uuid); if (!mySqlResult.Success) { m_logger.InfoFormat("Deny because MySQL auth failed, and configured to require MySQL auth."); return(new BooleanResult() { Success = false, Message = "Deny because MySQL authentication failed." }); } } catch (KeyNotFoundException) { // The plugin is not enabled for authentication m_logger.ErrorFormat("MySQL is not enabled for authentication, and authz is configured to require auth."); return(new BooleanResult { Success = false, Message = "Deny because MySQL auth did not execute, and configured to require MySQL auth." }); } } // Get the authz rules from registry List <GroupAuthzRule> rules = GroupRuleLoader.GetAuthzRules(); if (rules.Count == 0) { throw new Exception("No authorization rules found."); } try { UserInformation userInfo = properties.GetTrackedSingle <UserInformation>(); string user = userInfo.Username; using (MySqlUserDataSource dataSource = new MySqlUserDataSource()) { foreach (GroupAuthzRule rule in rules) { m_logger.DebugFormat("Checking rule: {0}", rule.ToString()); bool inGroup = false; if (rule.RuleCondition != GroupRule.Condition.ALWAYS) { inGroup = dataSource.IsMemberOfGroup(user, rule.Group); m_logger.DebugFormat("User '{0}' {1} a member of '{2}'", user, inGroup ? "is" : "is not", rule.Group); } if (rule.RuleMatch(inGroup)) { if (rule.AllowOnMatch) { return new BooleanResult { Success = true, Message = string.Format("Allow via rule '{0}'", rule.ToString()) } } ; else { return new BooleanResult { Success = false, Message = string.Format("Deny via rule '{0}'", rule.ToString()) } }; } } } // If we get this far, no rules matched. This should never happen since // the last rule should always match (the default). Throw. throw new Exception("Missing default authorization rule."); } catch (Exception e) { m_logger.ErrorFormat("Exception during authorization: {0}", e); throw; } }
public BooleanResult AuthorizeUser(SessionProperties properties) { m_logger.Debug("LDAP Plugin Authorization"); bool requireAuth = Settings.Store.AuthzRequireAuth; // Get the authz rules from registry List <GroupAuthzRule> rules = GroupRuleLoader.GetAuthzRules(); if (rules.Count == 0) { throw new Exception("No authorizaition rules found."); } // Get the LDAP server object LdapServer serv = properties.GetTrackedSingle <LdapServer>(); // If LDAP server object is not found, then something went wrong in authentication. // We allow or deny based on setting if (serv == null) { m_logger.ErrorFormat("AuthorizeUser: Internal error, LdapServer object not available."); // LdapServer is not available, allow or deny based on settings. return(new BooleanResult() { Success = Settings.Store.AuthzAllowOnError, Message = "LDAP server unavailable." }); } // If we require authentication, and we failed to auth this user, then we // fail authorization. Note that we do this AFTER checking the LDAP server object // because we may want to succeed if the authentication failed due to server // being unavailable. if (requireAuth) { PluginActivityInformation actInfo = properties.GetTrackedSingle <PluginActivityInformation>(); try { BooleanResult ldapResult = actInfo.GetAuthenticationResult(this.Uuid); if (!ldapResult.Success) { m_logger.InfoFormat("Deny because LDAP auth failed, and configured to require LDAP auth."); return(new BooleanResult() { Success = false, Message = "Deny because LDAP authentication failed." }); } } catch (KeyNotFoundException) { // The plugin is not enabled for authentication m_logger.ErrorFormat("LDAP is not enabled for authentication, and authz is configured to require authentication."); return(new BooleanResult { Success = false, Message = "Deny because LDAP auth did not execute, and configured to require LDAP auth." }); } } // Apply the authorization rules try { UserInformation userInfo = properties.GetTrackedSingle <UserInformation>(); string user = userInfo.Username; // Bind for searching if we have rules to process. If there's only one, it's the // default rule which doesn't require searching the LDAP tree. if (rules.Count > 1) { serv.BindForSearch(); } foreach (GroupAuthzRule rule in rules) { bool inGroup = false; // Don't need to check membership if the condition is "always." This is the // case for the default rule only. which is the last rule in the list. if (rule.RuleCondition != GroupRule.Condition.ALWAYS) { inGroup = serv.MemberOfGroup(user, rule.Group); m_logger.DebugFormat("User {0} {1} member of group {2}", user, inGroup ? "is" : "is not", rule.Group); } if (rule.RuleMatch(inGroup)) { if (rule.AllowOnMatch) { return new BooleanResult() { Success = true, Message = string.Format("Allow via rule: \"{0}\"", rule.ToString()) } } ; else { return new BooleanResult() { Success = false, Message = string.Format("Deny via rule: \"{0}\"", rule.ToString()) } }; } } // We should never get this far because the last rule in the list should always be a match, // but if for some reason we do, return success. return(new BooleanResult() { Success = true, Message = "" }); } catch (Exception e) { if (e is LdapException) { LdapException ldapEx = (e as LdapException); if (ldapEx.ErrorCode == 81) { // Server can't be contacted, set server object to null m_logger.ErrorFormat("Server unavailable: {0}, {1}", ldapEx.ServerErrorMessage, e.Message); serv.Close(); properties.AddTrackedSingle <LdapServer>(null); return(new BooleanResult { Success = Settings.Store.AuthzAllowOnError, Message = "Failed to contact LDAP server." }); } else if (ldapEx.ErrorCode == 49) { // This is invalid credentials, return false, but server object should remain connected m_logger.ErrorFormat("LDAP bind failed: invalid credentials."); return(new BooleanResult { Success = false, Message = "Authorization via LDAP failed. Invalid credentials." }); } } // Unexpected error, let the PluginDriver catch m_logger.ErrorFormat("Error during authorization: {0}", e); throw; } }
//Processes accounting on logon/logoff public void SessionChange(System.ServiceProcess.SessionChangeDescription changeDescription, pGina.Shared.Types.SessionProperties properties) { if (changeDescription.Reason != System.ServiceProcess.SessionChangeReason.SessionLogon && changeDescription.Reason != System.ServiceProcess.SessionChangeReason.SessionLogoff) { //m_logger.DebugFormat("Not logging on or off for this session change call ({0})... exiting.", changeDescription.Reason); return; } if (properties == null) { //m_logger.DebugFormat("No session properties available. This account does not appear to be managed by pGina. Exiting SessionChange()"); return; } if (!(bool)Settings.Store.EnableAcct) { m_logger.Debug("Session Change stage set on RADIUS plugin but accounting is not enabled in plugin settings."); return; } //Determine username (may change depending on value of UseModifiedName setting) string username = null; UserInformation ui = properties.GetTrackedSingle <UserInformation>(); if (ui == null) { //m_logger.DebugFormat("No userinformation for this session logoff... exiting..."); return; } if ((bool)Settings.Store.UseModifiedName) { username = ui.Username; } else { username = ui.OriginalUsername; } Session session = null; //User is logging on if (changeDescription.Reason == System.ServiceProcess.SessionChangeReason.SessionLogon) { lock (m_sessionManager) { //Check if session information is already available for this id if (!m_sessionManager.Keys.Contains(properties.Id)) { //No session info - must have authed with something other than RADIUS. //m_logger.DebugFormat("RADIUS Accounting Logon: Unable to find session for {0} with GUID {1}", username, properties.Id); if (!(bool)Settings.Store.AcctingForAllUsers) { //m_logger.Debug("Accounting for non-RADIUS users is disabled. Exiting."); return; } RADIUSClient client = GetClient(); session = new Session(properties.Id, username, client); m_sessionManager.Add(properties.Id, session); //Check forced interim-update setting if ((bool)Settings.Store.SendInterimUpdates && (bool)Settings.Store.ForceInterimUpdates) { int interval = (int)Settings.Store.InterimUpdateTime; session.SetInterimUpdate(interval, InterimUpdatesCallback); } } else { session = m_sessionManager[properties.Id]; } } //Determine which plugin authenticated the user (if any) PluginActivityInformation pai = properties.GetTrackedSingle <PluginActivityInformation>(); Packet.Acct_Authentic authSource = Packet.Acct_Authentic.Not_Specified; IEnumerable <Guid> authPlugins = pai.GetAuthenticationPlugins(); Guid LocalMachinePluginGuid = new Guid("{12FA152D-A2E3-4C8D-9535-5DCD49DFCB6D}"); foreach (Guid guid in authPlugins) { if (pai.GetAuthenticationResult(guid).Success) { if (guid == SimpleUuid) { authSource = Packet.Acct_Authentic.RADIUS; } else if (guid == LocalMachinePluginGuid) { authSource = Packet.Acct_Authentic.Local; } else //Not RADIUS, not Local, must be some other auth plugin { authSource = Packet.Acct_Authentic.Remote; } break; } } //We can finally start the accounting process try { lock (session) { session.windowsSessionId = changeDescription.SessionId; //Grab session ID now that we're authenticated session.username = username; //Accting username may have changed depending on 'Use Modified username for accounting option' session.client.startAccounting(username, authSource); //m_logger.DebugFormat("Successfully completed accounting start process..."); } } catch (Exception e) { m_logger.Error("Error occurred while starting accounting.", e); } } //User is logging off else if (changeDescription.Reason == System.ServiceProcess.SessionChangeReason.SessionLogoff) { lock (m_sessionManager) { if (m_sessionManager.Keys.Contains(properties.Id)) { session = m_sessionManager[properties.Id]; } else { //m_logger.DebugFormat("Users {0} is logging off, but no RADIUS session information is available for session ID {1}.", username, properties.Id); return; } //Remove the session from the session manager m_sessionManager.Remove(properties.Id); } lock (session) { //Disbale any active callbacks for this session session.disableCallbacks(); session.active = false; //Assume normal logout if no other terminate reason is listed. if (session.terminate_cause == null) { session.terminate_cause = Packet.Acct_Terminate_Cause.User_Request; } try { //m_logger.DebugFormat("About to send accounting stop packet. Session has been active {0} seconds.", (DateTime.Now - session.client.accountingStartTime).TotalSeconds); session.client.stopAccounting(session.username, session.terminate_cause); } catch (RADIUSException re) { m_logger.DebugFormat("Unable to send accounting stop message for user {0} with ID {1}. Message: {2}", session.username, session.id, re.Message); } } } }
//Processes accounting on logon/logoff public void SessionChange(System.ServiceProcess.SessionChangeDescription changeDescription, pGina.Shared.Types.SessionProperties properties) { m_logger.DebugFormat("SessionChange({0})", properties.Id.ToString()); string username = null; if ((bool)Settings.Store.UseModifiedName) { username = properties.GetTrackedSingle <UserInformation>().Username; } else { username = properties.GetTrackedSingle <UserInformation>().OriginalUsername; } if (changeDescription.Reason == System.ServiceProcess.SessionChangeReason.SessionLogon) { //Create a new unique id for this accounting session and store it String sessionId = Guid.NewGuid().ToString(); lock (sessionIDLock) { sessionIDs.Add(username, sessionId); } //Determine which plugin authenticated the user (if any) PluginActivityInformation pai = properties.GetTrackedSingle <PluginActivityInformation>(); Packet.Acct_AuthenticType authSource = Packet.Acct_AuthenticType.Not_Specified; IEnumerable <Guid> authPlugins = pai.GetAuthenticationPlugins(); Guid LocalMachinePluginGuid = new Guid("{12FA152D-A2E3-4C8D-9535-5DCD49DFCB6D}"); foreach (Guid guid in authPlugins) { if (pai.GetAuthenticationResult(guid).Success) { if (guid == SimpleUuid) { authSource = Packet.Acct_AuthenticType.RADIUS; } else if (guid == LocalMachinePluginGuid) { authSource = Packet.Acct_AuthenticType.Local; } else { authSource = Packet.Acct_AuthenticType.Remote; } break; } } try { RADIUSClient client = GetClient(sessionId); client.startAccounting(username, authSource); } catch (Exception e) { m_logger.Error("Error occurred while starting accounting.", e); } } else if (changeDescription.Reason == System.ServiceProcess.SessionChangeReason.SessionLogoff) { //Check if guid was stored from accounting start request (if not, no point in sending a stop request) string sessionId = null; lock (sessionIDLock) { sessionId = sessionIDs.ContainsKey(username) ? sessionIDs[username] : null; if (sessionId == null) { m_logger.ErrorFormat("Error sending accounting stop request. No guid available for {0}", username); return; } //Remove the session id since we're logging off sessionIDs.Remove(username); } try { RADIUSClient client = GetClient(sessionId); client.stopAccounting(username, Packet.Acct_Terminate_CauseType.User_Request); } catch (Exception e) { m_logger.Error("Error occurred while stopping accounting.", e); return; } } }