From: Michael Chase-S. <mc...@us...> - 2012-08-30 05:59:58
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "SFCB - Small Footprint CIM Broker".
The branch, master has been updated
via eba660d8585a29416d44b2245ed804b38114ac81 (commit)
from 58d715277c881a056833e1c69f480c0872e4f00d (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit eba660d8585a29416d44b2245ed804b38114ac81
Author: Michael Chase-Salerno <br...@li...>
Date: Thu Aug 30 01:59:20 2012 -0400
- 3555395 Additional auth lib return codes
-----------------------------------------------------------------------
Summary of changes:
diff --git a/Makefile.am b/Makefile.am
index 8ebf6e4..c244030 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -402,7 +402,7 @@ sfcbmofpp_SOURCES=mofpp.c
sfcbdump_SOURCES=sfcbdump.c
sfcbinst2mof_SOURCES=sfcbinst2mof.c
-sfcbinst2mof_LDADD = -lsfcFileRepository
+sfcbinst2mof_LDADD = -lsfcFileRepository -lsfcBrokerCore
sfcbtrace_SOURCES=sfcbtrace.c
sfcbtrace_LDADD = -lsfcBrokerCore
diff --git a/NEWS b/NEWS
index af1a090..c8667a5 100644
--- a/NEWS
+++ b/NEWS
@@ -1,7 +1,7 @@
Changes in 1.4.3
================
-Everything in 1.3.13, 1.3.14, and 1.3.15 (see below), plus:
+Everything in 1.3.13, 1.3.14, 1.3.15, and 1.3.16 (see below), plus:
New features:
- 3441679 Add a feature to validate CMPI types
@@ -101,6 +101,7 @@ Changes in 1.3.16
New Features:
- 3538858 custom routine to log indInst objinfo
+- 3555395 Additional auth lib return codes
Bugs fixed:
diff --git a/cimRequest.c b/cimRequest.c
index bd8dbdb..6c98f86 100644
--- a/cimRequest.c
+++ b/cimRequest.c
@@ -324,7 +324,7 @@ methodErrResponse(RequestHdr * hdr, char *error)
#ifdef ALLOW_UPDATE_EXPIRED_PW
static char *
-getErrExpiredSegment()
+getErrExpiredSegment(char * type)
{
char* msg = sfcb_snprintf("<ERROR CODE=\"2\" \
DESCRIPTION=\"User Account Expired\">\n\
@@ -332,10 +332,10 @@ DESCRIPTION=\"User Account Expired\">\n\
<PROPERTY NAME=\"ErrorType\" TYPE=\"uint16\">\
<VALUE>1</VALUE></PROPERTY>\n\
<PROPERTY NAME=\"OtherErrorType\" TYPE=\"string\">\
-<VALUE>Password Expired</VALUE></PROPERTY>\n\
+<VALUE>%s</VALUE></PROPERTY>\n\
<PROPERTY NAME=\"ProbableCause\" TYPE=\"uint16\">\
<VALUE>117</VALUE></PROPERTY>\n\
-</INSTANCE>\n</ERROR>\n");
+</INSTANCE>\n</ERROR>\n",type);
return msg;
}
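Review bot: `type` is interpolated with `%s` and never checked for NULL, and its only caller passes the `more` buffer that httpAdapter.c obtains from an unchecked `calloc` (L178), so a failed allocation would reach `sfcb_snprintf` as a NULL `%s` argument, which is undefined behaviour if that helper forwards to `vsnprintf`. A one-line guard that also restores the previous default text keeps the function safe, `if (!type) type = "Password Expired";`. The text is also placed inside `<VALUE>…</VALUE>` without XML escaping; the two strings the PAM library assigns today (L314, L320) contain no markup characters, but the function's comment should state that callers must pass markup-free text, e.g. `/* type must not contain XML-special characters; it is embedded unescaped */`.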
@@ -1787,7 +1787,7 @@ static Scanner scanners[] = {
static int scanner_count = sizeof(scanners) / sizeof(Scanner);
RespSegments
-handleCimRequest(CimRequestContext * ctx, int flags)
+handleCimRequest(CimRequestContext * ctx, int flags, char * more)
{
RespSegments rs;
RequestHdr hdr;
@@ -1867,9 +1867,9 @@ handleCimRequest(CimRequestContext * ctx, int flags)
}
else { /* expired user tried to invoke non-UpdatePassword request */
if (hdr.methodCall) {
- rs = methodErrResponse(&hdr, getErrExpiredSegment());
+ rs = methodErrResponse(&hdr, getErrExpiredSegment(more));
} else {
- rs = iMethodErrResponse(&hdr, getErrExpiredSegment());
+ rs = iMethodErrResponse(&hdr, getErrExpiredSegment(more));
}
}
}
diff --git a/cimRequest.h b/cimRequest.h
index e1512cc..c513528 100644
--- a/cimRequest.h
+++ b/cimRequest.h
@@ -87,7 +87,7 @@ typedef struct requestHdr {
unsigned int sessionId;
} RequestHdr;
-extern RespSegments handleCimRequest(CimRequestContext * ctx, int flags);
+extern RespSegments handleCimRequest(CimRequestContext * ctx, int flags, char *more);
extern int cleanupCimXmlRequest(RespSegments * rs);
#ifdef ALLOW_UPDATE_EXPIRED_PW
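Review bot: The new `more` parameter is undocumented in both the prototype and the definition, and its contents vary by build: under `ALLOW_UPDATE_EXPIRED_PW` the adapter fills it with the authentication error detail (L201–L203), otherwise it may hold a partial HTTP header line or be empty. As far as this diff shows it is consumed only when the request is rejected for an expired password, and the caller frees it right after the call (L287–L290), so the callee must not retain it. A comment on the declaration would fix that: `/* more: caller-owned, NUL-terminated error-detail text used for the expired-password CIM_Error; may be empty, not retained */`.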
diff --git a/cimRsRequest.c b/cimRsRequest.c
index e02f71b..707abc2 100644
--- a/cimRsRequest.c
+++ b/cimRsRequest.c
@@ -448,8 +448,8 @@ RequestHdr
scanCimRsRequest(CimRequestContext *ctx, char *cimRsData, int *rc)
{
//fprintf(stderr, "path is '%s'\nverb is '%s'\n", ctx->path, ctx->verb);
- RequestHdr reqHdr = { NULL, 0, 0, 0, 0, 0, 0, 0,
- NULL, 0, 0, 0, NULL, 0, 0,
+ RequestHdr reqHdr = { NULL, 0, 0, 0, NULL, NULL, 0, 0,
+ NULL, 0, NULL, NULL, NULL, NULL, NULL, 0,
};
if (strncasecmp(ctx->path, "/cimrs", 6) != 0) {
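Review bot: The positional initializer for `reqHdr` now has to track the field order and count of `RequestHdr` (it grew from 15 to 16 entries here, and the mix of `0` and `NULL` must line up with integer and pointer members), which is exactly the fragility that made this hunk necessary. Every value in the list is zero or NULL and the trailing fields are already relying on implicit zero-fill, so `RequestHdr reqHdr = { 0 };` is equivalent and survives future layout changes; designated initializers would do as well if some member must be visible here.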
diff --git a/cimXmlParser.c b/cimXmlParser.c
index 512a1bf..5ca7eec 100644
--- a/cimXmlParser.c
+++ b/cimXmlParser.c
@@ -1690,6 +1690,7 @@ scanCimXmlRequest(CimRequestContext *ctx, char *xmlData, int *rc)
control.reqHdr.binCtx = calloc(1, sizeof(BinRequestContext));
control.reqHdr.principal = ctx->principal;
control.reqHdr.sessionId = ctx->sessionId;
+ control.reqHdr.role = NULL;
control.paramValues.last = control.paramValues.first = NULL;
control.properties.last = control.properties.first = NULL;
control.qualifiers.last = control.qualifiers.first = NULL;
diff --git a/httpAdapter.c b/httpAdapter.c
index 47aa3cc..e7c5a4d 100644
--- a/httpAdapter.c
+++ b/httpAdapter.c
@@ -118,6 +118,8 @@ static void print_cert(const char *cert_file, const STACK_OF(X509_NAME) *);
#define AUTH_PASS 1
#define AUTH_FAIL 0
#define AUTH_EXPIRED -1
+#define AUTH_SERVTEMP -2
+#define AUTH_SERVPERM -3
static key_t httpProcSemKey;
static key_t httpWorkSemKey;
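Review bot: `AUTH_SERVTEMP` and `AUTH_SERVPERM` encode a contract with the authentication libraries, yet the PAM library in this same commit returns the bare literals `-2` and `-3` (L312, L318) with no shared definition, so the two sides can silently drift. At minimum the block deserves a comment naming the contract, `/* Return values of the auth library's _sfcBasicAuthenticate* entry points; keep in sync with sfcBasicPAMAuthentication.c */`, and an `enum` would make the codes debugger-visible. Moving the definitions into a header both files include would remove the duplication entirely.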
@@ -153,10 +155,11 @@ struct auth_extras {
char* clientIp;
void* authHandle;
const char* role;
+ char* ErrorDetail;
};
typedef struct auth_extras AuthExtras;
-AuthExtras extras = {NULL, NULL, NULL, NULL};
+AuthExtras extras = {NULL, NULL, NULL, NULL, NULL};
void releaseAuthHandle() {
_SFCB_ENTER(TRACE_HTTPDAEMON, "releaseAuthHandle");
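Review bot: `ErrorDetail` is appended to two separately maintained copies of `struct auth_extras` (here and sfcBasicPAMAuthentication.c L297–L303), so the layout is an ABI shared across a library boundary with nothing enforcing that the copies match. Appending keeps libraries built against the old layout working, but the ownership of the new pointer is implicit: the PAM library assigns string literals (L314, L320) and the adapter never frees it. Document that on the field, `char* ErrorDetail; /* optional; set by the auth library to static text, never freed by the adapter */`, and consider a single shared header for the struct.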
@@ -312,6 +315,8 @@ baValidate(char *cred, char **principal)
if (ret == AUTH_PASS) ret = AUTH_PASS;
else if (ret == AUTH_EXPIRED) ret = AUTH_EXPIRED;
+ else if (ret == AUTH_SERVTEMP) ret = AUTH_SERVTEMP;
+ else if (ret == AUTH_SERVPERM) ret = AUTH_SERVPERM;
else ret = AUTH_FAIL;
}
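Review bot: The `if`/`else if` chain now has four self-assignments whose only effect is to collapse every unknown value into `AUTH_FAIL`, which reads as if a translation between library and adapter codes were happening when it is not. A single condition says the same thing directly, `if (ret != AUTH_PASS && ret != AUTH_EXPIRED && ret != AUTH_SERVTEMP && ret != AUTH_SERVPERM) ret = AUTH_FAIL;`, or a `switch` with a `default:` branch if more codes are expected. baValidate begins and ends outside this hunk.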
@@ -620,7 +625,7 @@ writeChunkHeaders(BinRequestContext * ctx)
static char op[] = { "CIMOperation: MethodResponse\r\n" };
static char tenc[] = { "Transfer-encoding: chunked\r\n" };
static char trls[] =
- { "Trailer: CIMError, CIMStatusCode, CIMStatusCodeDescription\r\n" };
+ { "Trailer: CIMError, CIMStatusCode, CIMStatusCodeDescription, SFCBErrorDetail\r\n" };
static char cclose[] = "Connection: close\r\n";
_SFCB_ENTER(TRACE_HTTPDAEMON, "writeChunkHeaders");
@@ -1041,7 +1046,6 @@ doHttpRequest(CommHndl conn_fd)
}
#endif
}
-
#if defined USE_SSL
if (doBa && sfcbSSLMode) {
if (ccVerifyMode != CC_VERIFY_IGNORE) {
@@ -1068,6 +1072,9 @@ doHttpRequest(CommHndl conn_fd)
int authorized = 0;
int barc = 0;
+ // Reserve space for the additional headers
+ char * more=calloc(300,sizeof(char));
+
#ifdef HAVE_UDS
if (!discardInput && doUdsAuth) {
struct sockaddr_un sun;
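Review bot: The `calloc` result is never checked, and `more` is first dereferenced by `snprintf(more,256,…)` at L187 long before any of the later `if (more)` guards, so an allocation failure becomes a NULL write. The sizes are also unrelated literals: the `snprintf` calls bound themselves to 256 while the `strcat` calls at L209 and L238 then append an unbounded 39-byte header line, which fits only because 300 − 256 happens to leave room. I would introduce one named size and check the allocation, `enum { MORE_SZ = 300 }; char *more = calloc(MORE_SZ, 1); if (!more) { /* fail the request through the function's usual early-exit path */ }`, and replace each `strcat` with a bounded append such as `snprintf(more + strlen(more), MORE_SZ - strlen(more), "%s", …)`. doHttpRequest continues outside this hunk, so the right failure path cannot be confirmed from here.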
@@ -1101,28 +1108,50 @@ doHttpRequest(CommHndl conn_fd)
// fprintf(stderr, "client is: %s\n", ipstr);
barc = baValidate(inBuf.authorization,&inBuf.principal);
+ if (extras.ErrorDetail) {
+ snprintf(more,256,"SFCBErrorDetail: %s\r\n",extras.ErrorDetail);
+ }
+
#ifdef ALLOW_UPDATE_EXPIRED_PW
if (barc == AUTH_EXPIRED) {
- hcrFlags |= HCR_EXPIRED_PW;
- }
- else if (barc == AUTH_PASS) {
- hcrFlags = 0; /* clear flags so non-expired user doesn't update pw */
- }
- else if (barc == AUTH_FAIL) {
+ hcrFlags |= HCR_EXPIRED_PW;
+ // Add the error detail to the CIM_Error instance
+ if (extras.ErrorDetail) {
+ snprintf(more,256,"%s",extras.ErrorDetail);
+ } else {
+ snprintf(more,256,"%s","Expired Password");
+ }
+ } else if (barc == AUTH_PASS) {
#else
- if (barc != AUTH_PASS) {
+ if (barc == AUTH_EXPIRED) {
+ strcat(more,"WWW-Authenticate: Basic realm=\"cimom\"\r\n");
+ genError(conn_fd, &inBuf, 401, "Unauthorized", more);
+ /* we continue to parse headers and empty the socket
+ to be graceful with the client */
+ discardInput=1;
+ } else if (barc == AUTH_PASS) {
#endif
- char more[] =
- "WWW-Authenticate: Basic realm=\"cimom\"\r\n";
- genError(conn_fd, &inBuf, 401, "Unauthorized", more);
- /*
- * we continue to parse headers and empty the socket to be graceful
- * with the client
- */
- discardInput = 1;
- }
- }
+ hcrFlags = 0; /* clear flags so non-expired user doesn't update pw */
+ } else if (barc == AUTH_SERVPERM) {
+ genError(conn_fd, &inBuf, 500, "Server Error", more);
+ /* we continue to parse headers and empty the socket
+ to be graceful with the client */
+ discardInput=1;
+ } else if (barc == AUTH_SERVTEMP) {
+ genError(conn_fd, &inBuf, 503, "Service Unavailable", more);
+ /* we continue to parse headers and empty the socket
+ to be graceful with the client */
+ discardInput=1;
+ } else if (barc == AUTH_FAIL) {
+ strcat(more,"WWW-Authenticate: Basic realm=\"cimom\"\r\n");
+ genError(conn_fd, &inBuf, 401, "Unauthorized", more);
+ /* we continue to parse headers and empty the socket
+ to be graceful with the client */
+ discardInput=1;
+ }
+ } // if (inBuf.authorization) {
+
#if defined USE_SSL
else if (sfcbSSLMode && ccVerifyMode != CC_VERIFY_IGNORE) {
/*
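Review bot: `extras.ErrorDetail` is read at L186 and L200 but never reset, and `extras` is a file-scope global (L148), so a detail left by a failed authentication can be reported again on a later request handled by the same process if this function is not one-shot per process; I cannot tell from the diff whether it is. The `SFCBErrorDetail:` header at L187 is emitted for every outcome of `baValidate`, including `AUTH_PASS`, so a stale value would also appear on successful responses. Clearing it immediately before the call closes that window, `extras.ErrorDetail = NULL;` on the line before `barc = baValidate(inBuf.authorization,&inBuf.principal);`. doHttpRequest continues outside this hunk.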
@@ -1141,6 +1170,10 @@ doHttpRequest(CommHndl conn_fd)
_SFCB_TRACE(1, ("--- exiting after missing content length."));
commClose(conn_fd);
freeBuffer(&inBuf);
+ if (more) {
+ free(more);
+ more=NULL;
+ }
exit(1);
}
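Review bot: The `if (more) { free(more); more=NULL; }` block is repeated here and in the hunks at L259–L278 and L279–L292; `free(NULL)` is a no-op, so the guard is redundant, and the two copies that precede `exit(1)` release memory the process is about to give back anyway. The last copy, after `handleCimRequest`, is the one that matters, and it should reduce to `free(more); more = NULL;`. A single cleanup label before the function's normal return would remove the duplication, but the function's tail is outside these hunks.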
@@ -1154,12 +1187,20 @@ doHttpRequest(CommHndl conn_fd)
genError(conn_fd, &inBuf, 400, "Bad Request", NULL);
_SFCB_TRACE(1, ("--- exiting after request timeout."));
commClose(conn_fd);
+ if (more) {
+ free(more);
+ more=NULL;
+ }
exit(1);
}
if (discardInput) {
releaseAuthHandle();
free(hdr);
freeBuffer(&inBuf);
+ if (more) {
+ free(more);
+ more=NULL;
+ }
_SFCB_RETURN(discardInput - 1);
}
@@ -1203,10 +1244,14 @@ doHttpRequest(CommHndl conn_fd)
}
#endif
- response = handleCimRequest(&ctx, hcrFlags);
+ response = handleCimRequest(&ctx, hcrFlags, more);
} else {
response = nullResponse;
}
+ if (more) {
+ free(more);
+ more=NULL;
+ }
free(hdr);
_SFCB_TRACE(1, ("--- Generate http response"));
diff --git a/sfcBasicPAMAuthentication.c b/sfcBasicPAMAuthentication.c
index 1f7b111..d3554e0 100644
--- a/sfcBasicPAMAuthentication.c
+++ b/sfcBasicPAMAuthentication.c
@@ -32,6 +32,7 @@ struct auth_extras {
char* clientIp;
void* authHandle;
const char* role;
+ char* ErrorDetail;
};
typedef struct auth_extras AuthExtras;
@@ -100,7 +101,19 @@ _sfcBasicAuthenticateRemote(char *user, char *pw, AuthExtras *extras)
retval = 1;
}
else if (rc == PAM_NEW_AUTHTOK_REQD || rc == PAM_ACCT_EXPIRED) {
- retval = -1;
+ retval = -1; // Only valid if sfcb is built with --enable-expired-pw-update
+ }
+ else if (rc == PAM_AUTHINFO_UNAVAIL ) {
+ retval = -2; // Temporary server error
+ if (extras) {
+ extras->ErrorDetail="PAM info unavailable.";
+ }
+ }
+ else if (rc == PAM_SERVICE_ERR ) {
+ retval = -3; // Permanent server error
+ if (extras) {
+ extras->ErrorDetail="PAM server unreachable.";
+ }
}
else {
retval = 0;
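Review bot: The two detail strings appear to be attached to the wrong PAM codes: PAM documents `PAM_AUTHINFO_UNAVAIL` as the inability to retrieve authentication information (the "server unreachable" case) and `PAM_SERVICE_ERR` as an error in the service module, whereas here `PAM_AUTHINFO_UNAVAIL` says "PAM info unavailable." and `PAM_SERVICE_ERR` says "PAM server unreachable."; worth confirming against the modules in the configured stack before this ships. The bare `-2`/`-3` duplicate `AUTH_SERVTEMP`/`AUTH_SERVPERM` from httpAdapter.c (L136–L137) and should use the shared names once they live in a common header. Both strings are sent verbatim to unauthenticated clients in the `SFCBErrorDetail` header (httpAdapter.c L187) and into a CIM_Error instance, so the comment on the field should say they must stay generic and free of markup or host details.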
hooks/post-receive
--
SFCB - Small Footprint CIM Broker