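/// <summary>
/// Decides whether the current session's user is authorized, using the group
/// rules loaded from the registry and, when configured, the outcome of this
/// plugin's MySQL authentication stage.
/// </summary>
/// <param name="properties">
/// Session state shared between plugin stages. The tracked
/// <see cref="PluginActivityInformation"/> (only when MySQL auth is required)
/// and <see cref="UserInformation"/> entries are read from it.
/// </param>
/// <returns>
/// A <see cref="BooleanResult"/> whose <c>Success</c> flag is the decision and
/// whose <c>Message</c> names the rule, or the authentication failure, that
/// decided it. The first matching rule wins.
/// </returns>
/// <exception cref="InvalidOperationException">
/// No authorization rules are configured, or no rule matched. The rule list is
/// expected to end with an ALWAYS rule, so either case indicates a broken
/// configuration. Errors raised by the data source are logged and rethrown unchanged.
/// </exception>
public BooleanResult AuthorizeUser(SessionProperties properties)
{
    m_logger.Debug("MySql Plugin Authorization");

    bool requireAuth = Settings.Store.AuthzRequireMySqlAuth;

    // Fail closed: when configured to require MySQL authentication, a failed
    // (or never executed) MySQL auth stage denies authorization outright,
    // before any group rule is consulted.
    if (requireAuth)
    {
        PluginActivityInformation actInfo = properties.GetTrackedSingle<PluginActivityInformation>();
        try
        {
            BooleanResult mySqlResult = actInfo.GetAuthenticationResult(this.Uuid);
            if (!mySqlResult.Success)
            {
                m_logger.InfoFormat("Deny because MySQL auth failed, and configured to require MySQL auth.");
                return new BooleanResult
                {
                    Success = false,
                    Message = "Deny because MySQL authentication failed."
                };
            }
        }
        catch (KeyNotFoundException)
        {
            // No result is recorded under this plugin's Uuid: the plugin is not
            // enabled for the authentication stage, so "require auth" cannot be
            // satisfied and the user is denied.
            m_logger.ErrorFormat("MySQL is not enabled for authentication, and authz is configured to require auth.");
            return new BooleanResult
            {
                Success = false,
                Message = "Deny because MySQL auth did not execute, and configured to require MySQL auth."
            };
        }
    }

    // Get the authz rules from the registry. An empty (or absent) rule set is a
    // configuration error, not an implicit allow.
    List<GroupAuthzRule> rules = GroupRuleLoader.GetAuthzRules();
    if (rules == null || rules.Count == 0)
    {
        throw new InvalidOperationException("No authorization rules found.");
    }

    try
    {
        UserInformation userInfo = properties.GetTrackedSingle<UserInformation>();
        string user = userInfo.Username;

        using (MySqlUserDataSource dataSource = new MySqlUserDataSource())
        {
            foreach (GroupAuthzRule rule in rules)
            {
                m_logger.DebugFormat("Checking rule: {0}", rule.ToString());

                // An ALWAYS rule needs no group lookup; every other condition is
                // evaluated against the user's membership in the rule's group.
                bool inGroup = false;
                if (rule.RuleCondition != GroupRule.Condition.ALWAYS)
                {
                    inGroup = dataSource.IsMemberOfGroup(user, rule.Group);
                    m_logger.DebugFormat("User '{0}' {1} a member of '{2}'", user, inGroup ? "is" : "is not", rule.Group);
                }

                if (rule.RuleMatch(inGroup))
                {
                    // First matching rule decides; later rules are never consulted.
                    if (rule.AllowOnMatch)
                    {
                        return new BooleanResult
                        {
                            Success = true,
                            Message = string.Format("Allow via rule '{0}'", rule.ToString())
                        };
                    }

                    return new BooleanResult
                    {
                        Success = false,
                        Message = string.Format("Deny via rule '{0}'", rule.ToString())
                    };
                }
            }
        }

        // No rule matched. The loader is expected to append a default (ALWAYS)
        // rule, so reaching this point means the configuration is broken; refuse
        // by throwing rather than silently allowing or denying.
        throw new InvalidOperationException("Missing default authorization rule.");
    }
    catch (Exception e)
    {
        // Log and rethrow unchanged so the caller sees the original stack trace.
        m_logger.ErrorFormat("Exception during authorization: {0}", e);
        throw;
    }
}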
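/// <summary>
/// Populates every tab of the configuration dialog from the persisted plugin
/// settings (<c>Settings.Store</c>) and the registry-backed rule lists.
/// </summary>
/// <exception cref="InvalidOperationException">
/// The authorization rule list is empty or does not end with an ALWAYS
/// (default) rule. Thrown before the Gateway tab is populated.
/// </exception>
private void InitUI()
{
    LoadConnectionSettingsIntoUI();
    LoadSchemaSettingsIntoUI();
    LoadAuthzTabFromSettings();
    LoadGatewayTabFromSettings();
}

// Connection settings: host, port, credentials, database and SSL flag.
private void LoadConnectionSettingsIntoUI()
{
    this.hostTB.Text = Settings.Store.Host;
    int port = Settings.Store.Port;
    this.portTB.Text = Convert.ToString(port);
    this.userTB.Text = Settings.Store.User;
    // The stored password is decrypted here and placed in a text box.
    // NOTE(review): confirm passwordTB masks its contents (e.g. UseSystemPasswordChar)
    // so the plaintext is not displayed on screen.
    this.passwordTB.Text = Settings.Store.GetEncryptedSetting("Password");
    this.dbTB.Text = Settings.Store.Database;
    bool useSsl = Settings.Store.UseSsl;
    this.useSslCB.Checked = useSsl;
}

// Table/column names for the user, group and user-group tables, plus the
// hash encoding radio buttons.
private void LoadSchemaSettingsIntoUI()
{
    // User table schema settings
    this.userTableTB.Text = Settings.Store.Table;
    this.unameColTB.Text = Settings.Store.UsernameColumn;
    this.hashMethodColTB.Text = Settings.Store.HashMethodColumn;
    this.passwdColTB.Text = Settings.Store.PasswordColumn;
    this.userPrimaryKeyColTB.Text = Settings.Store.UserTablePrimaryKeyColumn;

    // The encoding is persisted as an int; anything other than HEX selects Base64.
    int encodingInt = Settings.Store.HashEncoding;
    Settings.HashEncoding encoding = (Settings.HashEncoding)encodingInt;
    if (encoding == Settings.HashEncoding.HEX)
    {
        this.encHexRB.Checked = true;
    }
    else
    {
        this.encBase64RB.Checked = true;
    }

    // Group table schema settings
    this.groupTableNameTB.Text = Settings.Store.GroupTableName;
    this.groupNameColTB.Text = Settings.Store.GroupNameColumn;
    this.groupTablePrimaryKeyColTB.Text = Settings.Store.GroupTablePrimaryKeyColumn;

    // User-Group table settings
    this.userGroupTableNameTB.Text = Settings.Store.UserGroupTableName;
    this.userGroupUserFKColTB.Text = Settings.Store.UserForeignKeyColumn;
    this.userGroupGroupFKColTB.Text = Settings.Store.GroupForeignKeyColumn;
}

// Authorization tab: combo defaults, the "require MySQL auth" flag, the
// default rule (shown as allow/deny radio buttons) and the remaining rules.
private void LoadAuthzTabFromSettings()
{
    this.cbAuthzMySqlGroupMemberOrNot.SelectedIndex = 0;
    this.cbAuthzGroupRuleAllowOrDeny.SelectedIndex = 0;
    this.ckDenyWhenMySqlAuthFails.Checked = Settings.Store.AuthzRequireMySqlAuth;

    List<GroupAuthzRule> lst = GroupRuleLoader.GetAuthzRules();

    // The loader is expected to place the default (ALWAYS) rule last. It is
    // presented via the radio buttons, not in the list box, so it is removed
    // from the list before the rest are displayed.
    int lastIndex = lst == null ? -1 : lst.Count - 1;
    if (lastIndex < 0 || lst[lastIndex].RuleCondition != GroupRule.Condition.ALWAYS)
    {
        // The list is empty or the last rule is not a default rule.
        throw new InvalidOperationException("Default rule not found in rule list.");
    }

    GroupAuthzRule defaultRule = lst[lastIndex];
    if (defaultRule.AllowOnMatch)
    {
        this.rbDefaultAllow.Checked = true;
    }
    else
    {
        this.rbDefaultDeny.Checked = true;
    }
    lst.RemoveAt(lastIndex);

    // The rest of the rules, in evaluation order.
    foreach (GroupAuthzRule rule in lst)
    {
        this.listBoxAuthzRules.Items.Add(rule);
    }
}

// Gateway tab: gateway rules, the condition combo default and the
// "prevent logon when the server is unreachable" flag.
private void LoadGatewayTabFromSettings()
{
    List<GroupGatewayRule> gwLst = GroupRuleLoader.GetGatewayRules();
    foreach (GroupGatewayRule rule in gwLst)
    {
        this.gtwRulesListBox.Items.Add(rule);
    }
    this.gtwRuleConditionCB.SelectedIndex = 0;
    this.m_preventLogonWhenServerUnreachableCb.Checked = Settings.Store.PreventLogonOnServerError;
}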