fwAccessControl.ctl File Reference

Functions

void _fwAccessControl_exportDomain (dyn_string &expCmd, string domainName, dyn_string &exceptionInfo)
void _fwAccessControl_exportGroup (dyn_string &expCmd, string groupName, dyn_string &exceptionInfo)
void _fwAccessControl_exportSubGroup (dyn_string &expCmd, string groupName, dyn_string &exceptionInfo)
void _fwAccessControl_exportUser (dyn_string &expCmd, string userName, dyn_string &exceptionInfo)
string _fwAccessControl_encryptString (string s, anytype key)
string _fwAccessControl_decryptString (string encodedString, anytype key)
blob _fwAccessControl_xxTeaEncrypt (blob b, anytype key)
dyn_int _fwAccessControl_strToLong (string str)
dyn_int _fwAccessControl_blobToLong (blob b)
blob _fwAccessControl_longToBlob (dyn_int ar)
unsigned _fwAccessControl_rshift_pad (unsigned x, int n)
string _fwAccessControl_Base64EncodeBlob (blob str)
blob _fwAccessControl_Base64DecodeToBlob (string str)
blob _fwAccessControl_xxTeaDecrypt (blob b, anytype key)
dyn_string _fwAccessControl_sendCommandToServer (string cmd, dyn_string params="", int timeout=-1)
void _fwAccessControl_checkDoServerSync (dyn_string &exceptionInfo)
void _fwAccessControl_enableAccesControl (bool enabled, dyn_string &exceptionInfo)
bool _fwAccessControl_isAccessControlEnabled (dyn_string &exceptionInfo)
void fwAccessControl_cancelLogin ()
bool _fwAccessControl_ACServerAuthRoutine (string userName, string password, dyn_string &exceptionInfo)
bool _fwAccessControl_LDAPAuthRoutine (string userName, string password, dyn_string &exceptionInfo) synchronized(_fwAccessControl_mutex)
bool fwAccessControl_checkAuth (string userName, string password, dyn_string &exceptionInfo, bool tryLocal=TRUE)
bool _fwAccessControl_PVSSAuth (string userName, string password, dyn_string &exceptionInfo)
private bool _fwAccessControl_IsACServerRunning ()
void fwAccessControl_SuspendModifications (bool suspend, dyn_string &exceptionInfo)
void _fwAccessControl_SuspendACServer (dyn_string &exceptionInfo)
void _fwAccessControl_ResumeACServer (dyn_string &exceptionInfo)
void _fwAccessControl_SuspendEgroupSync (dyn_string &exceptionInfo)
void _fwAccessControl_ResumeEgroupSync (dyn_string &exceptionInfo)
void _fwAccessControl_setBatchMode (bool mode, dyn_string &exceptionInfo)
void _fwAccessControl_extAuth_authenticate (string userName, string deviceCookie)
void _fwAccessControl_extAuth_initDeviceDriver (string deviceType, string hostName, string cookie, dyn_string &exceptionInfo)
void fwAccessControl_checkWorkstationPermissions (string workstationName, string userName, bit32 &permissions, dyn_string &exceptionInfo)
void _fwAccessControl_checkWorkstationPermissions (string workstationName, string userName, bit32 &permissions, string &groupName, int &groupId, dyn_string &exceptionInfo)
void fwAccessControl_getWorkstationPermissions (dyn_string &workstationNames, dyn_string &groupNames, dyn_bit32 &permissions, dyn_string &exceptionInfo, string userName="*")
void fwAccessControl_setWorkstationPermissions (dyn_string workstationNames, dyn_string groupNames, dyn_bit32 permissions, dyn_string &exceptionInfo)
void fwAccessControl_genericNotify (string s1, string s2="", string s3="", int errcatEntry=2000, int prio=PRIO_INFO)
private bool _fwAccessControl_trustedManager ()
string _fwAccessControl_getManNameFromId (int manid)
string fwAccessControl_myDisplayName ()
General-Purpose functions

see also the module General-Purpose functions



void fwAccessControl_displayException (dyn_string &exceptionInfo)
void fwAccessControl_displayMessage (string message)
void fwAccessControl_raiseException (dyn_string &exceptionInfo, string title, string detail, string extraInfo="")
void fwAccessControl_help (string what)
void fwAccessControl_logout () synchronized(_fwAccessControl_mutex)
void _fwAccessControl_sudo (string function, mixed &params, dyn_string &exceptionInfo)
mixed _fwAccessControl_initializeHookWrapper (mixed dummyParams)
mixed _fwAccessControl_dpSetSudoWrapper (mixed params)
void fwAccessControl_login ()
bool _fwAccessControl_isUI ()
bool _fwAccessControl_integratedMode ()
void fwAccessControl_setupPanel (string callbackFunctionName, dyn_string &exceptionInfo) synchronized(_fwAccessControl_mutex)
void fwAccessControl_getUserName (string &userName)
void fwAccessControl_getCurrentRole (string &currentRole)
void fwAccessControl_setRole (string role, dyn_string &exceptionInfo)
string _fwAccessControl_getManagerTypeName (char mantype)
void fwAccessControl_getDisplayInfo (int manId, string &hostName, string &ip, int &manNum, time &startTime, dyn_string &exceptionInfo)
void fwAccessControl_getMyDisplay (string &hostName, string &ip, int &manNum, time &startTime, dyn_string &exceptionInfo)
void fwAccessControl_getConfiguration (dyn_mixed &configuration, dyn_string &exceptionInfo, string sysName="")
void fwAccessControl_setConfiguration (dyn_mixed configuration, dyn_string &exceptionInfo, string sysName="")
bool fwAccessControl_checkAddDomain (string domainName, dyn_string privileges, dyn_string &exceptionInfo, string domainFullName="", string domainComment="")
bool fwAccessControl_checkAddGroup (string groupName, dyn_string privileges, dyn_string &exceptionInfo, string groupFullName="", string groupComment="")
bool fwAccessControl_checkAddUser (string userName, dyn_string groups, dyn_string &exceptionInfo, string userFullName="", string userComment="", string userPassword="", bool enabled=TRUE, int userId=-1, bool passwordAlreadyCrypted=FALSE, bool localAccount=FALSE)
bool fwAccessControl_setUsers (dyn_string userNames, dyn_dyn_string userGroups, dyn_string userFullNames, dyn_string userComments, dyn_string userPasswords, dyn_bool usersEnabled, dyn_int &userIds, dyn_bool pwdsCrypted, dyn_bool localAccounts, int resetMode, dyn_string &exceptionInfo) synchronized(_fwAccessControl_mutex)
bool fwAccessControl_checkPassword (string userName, string password, dyn_string &exceptionInfo)
string _fwAccessControl_generateRandomPassword ()
bool fwAccessControl_changePassword (string userName, string currentPassword, string newPassword, dyn_string &exceptionInfo) synchronized(_fwAccessControl_mutex)
void fwAccessControl_getActiveUsers (dyn_string &users, dyn_string &uis, dyn_string &uiHosts, dyn_string &loginTimes, dyn_string &exceptionInfo, string sysName="")
void fwAccessControl_selectPrivileges (dyn_string &privileges, string text="", bool showSystemDomain=FALSE)
bool _fwAccessControl_exportToPostInstall (string fileName)
Domain-related functions

see also the module Domain manipulation functions



void fwAccessControl_getAllDomains (dyn_string &domainlist, dyn_string &fullDomainNames, dyn_string &exceptionInfo)
void fwAccessControl_deleteDomain (string domainName, dyn_string &exceptionInfo) synchronized(_fwAccessControl_mutex)
void fwAccessControl_getDomain (string domainName, string &domainFullName, string &domainComment, int &domainId, dyn_string &privilegeNames, dyn_int &privilegeIds, dyn_string &exceptionInfo)
void fwAccessControl_createDomain (string domainName, string domainFullName, string domainComment, dyn_string privileges, dyn_string &exceptionInfo) synchronized(_fwAccessControl_mutex)
void fwAccessControl_updateDomain (string domainName, string newDomainName, string domainFullName, string domainComment, dyn_string privileges, dyn_string &exceptionInfo) synchronized(_fwAccessControl_mutex)
Group-related functions

see also the module Group manipulation functions



void fwAccessControl_getAllGroups (dyn_string &grouplist, dyn_string &fullGroupNames, dyn_string &exceptionInfo)
void fwAccessControl_getGroup (string groupName, string &groupFullName, string &description, int &groupId, dyn_string &exceptionInfo)
void fwAccessControl_deleteGroup (string groupName, dyn_string &exceptionInfo) synchronized(_fwAccessControl_mutex)
void fwAccessControl_createGroup (string groupName, string groupFullName, string groupComment, dyn_string privileges, dyn_string &exceptionInfo) synchronized(_fwAccessControl_mutex)
void fwAccessControl_updateGroup (string groupName, string newGroupName, string groupFullName, string groupComment, dyn_string privileges, dyn_string &exceptionInfo) synchronized(_fwAccessControl_mutex)
void fwAccessControl_getGroupMembers (string groupName, dyn_string &members, dyn_string &exceptionInfo)
void fwAccessControl_resolveGroupsRecursively (dyn_string groupNames, dyn_string &includedGroups, dyn_string &includedBy, dyn_string &exceptionInfo, bool recursive=TRUE)
void fwAccessControl_getGroupsInGroup (string groupName, dyn_string &includedGroups, dyn_string &exceptionInfo, bool recursive=FALSE)
void fwAccessControl_setGroupsInGroup (string groupName, dyn_string includedGroups, dyn_string &exceptionInfo)
User-related functions

see also the module User manipulation functions



void fwAccessControl_getAllUsers (dyn_string &userlist, dyn_string &fullUserNames, dyn_string &exceptionInfo)
void fwAccessControl_getUser (string userName, string &userFullName, string &description, int &userId, bool &enabled, dyn_string &groupNames, dyn_string &exceptionInfo)
void fwAccessControl_deleteUser (string userName, dyn_string &exceptionInfo) synchronized(_fwAccessControl_mutex)
void fwAccessControl_createUser (string userName, string userFullName, string userComment, bool enabled, string password, dyn_string groupMembership, dyn_string &exceptionInfo, int userId=-1, bool passwordAlreadyCrypted=FALSE, bool localAccount=FALSE) synchronized(_fwAccessControl_mutex)
bool fwAccessControl_isUserAccountLocal (string userName, dyn_string &exceptionInfo)
void fwAccessControl_getUserRoles (string userName, dyn_string &userRoles, dyn_int &roleLevels, dyn_string &exceptionInfo)
void fwAccessControl_updateUser (string userName, string newUserName, string userFullName, string userComment, bool enabled, string password, dyn_string groupMembership, dyn_string &exceptionInfo, bool passwordAlreadyCrypted=FALSE, bool localAccount=FALSE) synchronized(_fwAccessControl_mutex)
void fwAccessControl_enableUserAccount (string userName, bool enabled, dyn_string &exceptionInfo) synchronized(_fwAccessControl_mutex)
Permission-related functions
bool fwAccessControl_HasUserAdminPrivilege (dyn_string &exceptionInfo, string user="", bool exceptionOnNotGranted=TRUE)
bool fwAccessControl_HasGroupAdminPrivilege (dyn_string &exceptionInfo, string user="", bool exceptionOnNotGranted=TRUE)
bool fwAccessControl_HasDomainAdminPrivilege (dyn_string &exceptionInfo, string user="", bool exceptionOnNotGranted=TRUE)
bool fwAccessControl_HasSystemAdminPrivilege (dyn_string &exceptionInfo, string user="", bool exceptionOnNotGranted=TRUE)
void fwAccessControl_getGroupPrivileges (string groupName, dyn_string domainNames, dyn_string &privileges, dyn_string &exceptionInfo, bool recursively=FALSE)
void fwAccessControl_updateGroupPrivileges (string groupName, dyn_string newPrivileges, dyn_string &exceptionInfo)
void fwAccessControl_getUserPrivileges (string userName, dyn_string domainNames, dyn_string &privileges, dyn_string &exceptionInfo, bool strictRoleChecking=FALSE)
void fwAccessControl_checkUserPrivilege (string userName, string domainName, string privilegeName, bool &granted, dyn_string &exceptionInfo)
void fwAccessControl_checkUserPrivilege_AuthFunc (string userName, string domainName, string privilegeName, bool &granted, dyn_string &exceptionInfo)
void fwAccessControl_checkUserPrivilege_AuthFastFunc (string userName, string domainName, string privilegeName, bool &granted, dyn_string &exceptionInfo)
void fwAccessControl_isGranted (string domain_privilege, bool &granted, dyn_string &exceptionInfo)
void fwAccessControl_getGroupsHavingPrivilege (string domainName, string privName, dyn_string &groups, dyn_string &exceptionInfo)
void fwAccessControl_getUsersHavingPrivilege (string domainName, string privName, dyn_string &users, dyn_string &exceptionInfo)
void fwAccessControl_getPrivilegeNames (string domainName, dyn_string &privilegeNames, dyn_int &privilegeIds, dyn_string &exceptionInfo)
dyn_string fwAccessControl_getAllAccessRightNames (dyn_string &exceptionInfo)
void fwAccessControl_setPrivilegeNames (string domainName, dyn_string privilegeNames, dyn_string &exceptionInfo)
Framework domain specific functions



void _fwAccessControl_checkInit ()

Variables

global string g_fwAccessControl_version = "5.2.1"
global bool g_fwAccessControl_initialised = FALSE
global string g_fwAccessControl_systemDomainName
global string g_fwAccessControl_systemDomainGenericName = "SYSTEM"
global string g_fwAccessControl_systemDomainFullName = "local system"
global string g_fwAccessControl_AreasDP
global string g_fwAccessControl_GroupsDP
global string g_fwAccessControl_UsersDP
global string g_fwAccessControl_WorkstationsDP
global mapping g_fwAccessControl_workstationAliases
global string g_fwAccessControl_ConfigurationDP
global string g_fwAccessControl_GroupHierarchyDP
global string g_fwAccessControl_egroupSyncDP
global string g_fwAccessControl_DefaultAdminPriv
global string g_fwAccessControl_CurrentRole
global float g_fwAccessControl_RequiredDpVersion = 3.0
const int GROUP_NAME_TO_IDX = 1
const int GROUP_IDX_TO_NAME = 2
const int DOMAIN_NAME_TO_IDX = 3
const int DOMAIN_IDX_TO_NAME = 4
const int USER_NAME_TO_IDX = 5
const int USER_IDX_TO_NAME = 6
global const bool g_fwAccessControl_ModeUNICOS = false
global string g_fwAccessControl_UnicosDP = "_fwAccessControl"
const int fwAccessControl_CONFIG_AccessRight_DomainAdmin = 1
const int fwAccessControl_CONFIG_AccessRight_GroupAdmin = 2
const int fwAccessControl_CONFIG_AccessRight_UserAdmin = 3
const int fwAccessControl_CONFIG_AccessRight_DPType = 4
const int fwAccessControl_CONFIG_AccessRight_DP = 5
const int fwAccessControl_CONFIG_AccessRight_DPAlias = 6
const int fwAccessControl_CONFIG_AccessRight_DPAuth = 7
const int fwAccessControl_CONFIG_Authentication_OsAutoLogin = 8
const int fwAccessControl_CONFIG_Authentication_ForceLogin = 9
const int fwAccessControl_CONFIG_Authentication_Configuration = 10
const int fwAccessControl_CONFIG_Authorization_StrictRoleChecking = 11
const int fwAccessControl_CONFIG_Authorization_Configuration = 12
const int fwAccessControl_CONFIG_MAX = 12
global dyn_string _fwAccessControl_currentUserAccessRights
global bool _fwAccessControl_batchMode = FALSE
global bool g_fwAccessControl_Command_Lock = FALSE
string _fwAccessControl_extAuth_myDatapoint

Detailed Description

JCOP Framework Access Control library

Author:
Piotr Golonka, CERN EN/ICE-SCD

Function Documentation

string _fwAccessControl_encryptString ( string  s,
anytype  key 
)

Returns a string, in BASE64 encoding, containing the text passed in s, encrypted with the key passed in key.

string _fwAccessControl_decryptString ( string  encodedString,
anytype  key 
)
blob _fwAccessControl_xxTeaEncrypt ( blob  b,
anytype  key 
)
dyn_int _fwAccessControl_strToLong ( string  str  ) 
dyn_int _fwAccessControl_blobToLong ( blob  b  ) 
blob _fwAccessControl_longToBlob ( dyn_int  ar  ) 
unsigned _fwAccessControl_rshift_pad ( unsigned  x,
int  n 
)
string _fwAccessControl_Base64EncodeBlob ( blob  str  ) 
blob _fwAccessControl_Base64DecodeToBlob ( string  str  ) 
blob _fwAccessControl_xxTeaDecrypt ( blob  b,
anytype  key 
)
dyn_string _fwAccessControl_sendCommandToServer ( string  cmd,
dyn_string  params = "",
int  timeout = -1 
)
void _fwAccessControl_checkDoServerSync ( dyn_string &  exceptionInfo  ) 

WARNING! We cannot use the _integratedMode() function here; we need to test ourselves, because this is a special case in which we must detect that the server is running.

void _fwAccessControl_enableAccesControl ( bool  enabled,
dyn_string &  exceptionInfo 
)

Enables or disables access control

When access control is disabled using this function, all users effectively have all privileges, i.e. the fwAccessControl_checkUserPrivilege and fwAccessControl_isGranted functions always indicate that the privilege is granted.

Parameters:
enabled indicates whether privilege checking should be enabled or disabled
exceptionInfo standard exception handling variable
bool _fwAccessControl_isAccessControlEnabled ( dyn_string &  exceptionInfo  ) 

checks if Access Control is enabled

Parameters:
exceptionInfo standard exception handling variable
See also:
_fwAccessControl_enableAccesControl
Returns:
TRUE if privilege-checking is active, FALSE otherwise
void fwAccessControl_cancelLogin (  ) 
bool _fwAccessControl_ACServerAuthRoutine ( string  userName,
string  password,
dyn_string &  exceptionInfo 
)
bool _fwAccessControl_LDAPAuthRoutine ( string  userName,
string  password,
dyn_string &  exceptionInfo 
)
bool fwAccessControl_checkAuth ( string  userName,
string  password,
dyn_string &  exceptionInfo,
bool  tryLocal = TRUE 
)
bool _fwAccessControl_PVSSAuth ( string  userName,
string  password,
dyn_string &  exceptionInfo 
)
private bool _fwAccessControl_IsACServerRunning (  ) 
void fwAccessControl_SuspendModifications ( bool  suspend,
dyn_string &  exceptionInfo 
)

Suspend/resume the ACServer and Egroup synchronization

The function allows suspending the various user-account synchronization mechanisms, for instance to guarantee that they are not affected during engineering processes.

Parameters:
suspend : set to TRUE to suspend and FALSE to resume
exceptionInfo standard exception handling variable
void _fwAccessControl_SuspendACServer ( dyn_string &  exceptionInfo  ) 
void _fwAccessControl_ResumeACServer ( dyn_string &  exceptionInfo  ) 
void _fwAccessControl_SuspendEgroupSync ( dyn_string &  exceptionInfo  ) 
void _fwAccessControl_ResumeEgroupSync ( dyn_string &  exceptionInfo  ) 
void _fwAccessControl_setBatchMode ( bool  mode,
dyn_string &  exceptionInfo 
)
void _fwAccessControl_extAuth_authenticate ( string  userName,
string  deviceCookie 
)
void _fwAccessControl_extAuth_initDeviceDriver ( string  deviceType,
string  hostName,
string  cookie,
dyn_string &  exceptionInfo 
)

To be used only from the "device drivers" at the initialization step; it will set the _fwAccessControl_extAuth_myDatapoint variable to point to the DP that handles this device.

void fwAccessControl_checkWorkstationPermissions ( string  workstationName,
string  userName,
bit32 &  permissions,
dyn_string &  exceptionInfo 
)
void _fwAccessControl_checkWorkstationPermissions ( string  workstationName,
string  userName,
bit32 &  permissions,
string &  groupName,
int &  groupId,
dyn_string &  exceptionInfo 
)
void fwAccessControl_getWorkstationPermissions ( dyn_string &  workstationNames,
dyn_string &  groupNames,
dyn_bit32 &  permissions,
dyn_string &  exceptionInfo,
string  userName = "*" 
)

Get configuration of workstation permissions

The function returns the current configuration of workstation permissions. The mechanism works by putting restrictions on users' system permissions, which are applied when a user logs into PVSS from a specified workstation.

This allows, in particular, restricting the interactive logins of users from a certain console (by masking their "SYSTEM:Visualize" access right, which is the zeroth permission bit, on certain machines), or limiting their privileges (e.g. masking out all the privilege levels except the lowest, in all domains).

The mechanism is configured by specifying the permission mask that will be applied for a workstation and a group of users. A list of such entries is processed sequentially; as soon as a match is found (the workstation field matches the current workstation name, and the group contains the specified user), processing stops and the corresponding access right mask is used.

To allow for easier configuration, the workstation names can be specified using wildcards (using the *, ? and [] operators); they can also contain special "alias" combinations: "@ccc" (consoles in CCC) and "@localhost" (the UIs running on the same machine as the project).

The following example illustrates the use of workstation permissions

Workstation

Group

Permission

@ccc

cryo-expert

01111111111111111111111111111111

@ccc

cryo-operator

11111111111111111111111111111111

console*.cern.ch:*

cryo-admin

01111111111111111111111111111111

*

*

00000000000000000000000000000001

In the example above the following is specified. The first line states that all users from the "cryo-expert" group logging in from the CCC consoles keep all their rights, except "auto login" (bit 31 is zeroed).

The second line specifies that the members of the cryo-operator group logging in from CCC consoles retain all their rights.

The third line specifies the rights for cryo-admin members logging in from all machines that match the "console*.cern.ch:*" pattern. Note that the ":*" substring will match the Linux consoles, which always have the colon and display number (X11 DISPLAY specification) in their workstation name.

Finally, the fourth line is a fallback for all other cases: restrict everything and leave only the right to log in (SYSTEM:Visualize, bit 0).

As explained before, the list is processed one entry after the other until the first match occurs. Hence, for a user "joe" belonging to both "cryo-expert" and "cryo-operator", logging in from a CCC console, it is already the first line that sets the access right mask, so auto-login will be disabled. However, for a user "jane" who is only a member of "cryo-operator", the second line will match, and she will have auto-login enabled.

Parameters:
workstationNames on return it will contain the list of workstation name patterns (or aliases). An empty list means that the feature is not configured, and no workstation restriction will apply.
groupNames on return it will contain the list of group names for the workstations; note that the "*" as the group name means "any group"
permissions on return it will contain the permission bitmask, for workstation and a group; note that bit 0 controls the permission to login, bit 31 controls the permission for auto-login and bits 20-27 mask the permissions for privilege levels 1-8 in all the domains.
exceptionInfo standard exception handling variable
userName (optional, default="*") if specified, then the permissions for specified user will be returned; otherwise, the complete configuration of permissions will be given
void fwAccessControl_setWorkstationPermissions ( dyn_string  workstationNames,
dyn_string  groupNames,
dyn_bit32  permissions,
dyn_string &  exceptionInfo 
)

Sets the workstation permission configuration.

Please see the documentation of fwAccessControl_getWorkstationPermissions for the meaning of the entries and of the permission bits.

void fwAccessControl_genericNotify ( string  s1,
string  s2 = "",
string  s3 = "",
int  errcatEntry = 2000,
int  prio = PRIO_INFO 
)

Printout function that uses PVSS error messages.

private bool _fwAccessControl_trustedManager (  ) 
string _fwAccessControl_getManNameFromId ( int  manid  ) 

Converts a numerical manager id into a text description. Note: this duplicates _fwAccessControl_getManagerTypeName(char mantype); it should use the native function or something from the fwManager lib instead.

string fwAccessControl_myDisplayName (  ) 

Variable Documentation

global string g_fwAccessControl_version = "5.2.1"
const int GROUP_NAME_TO_IDX = 1
global const bool g_fwAccessControl_ModeUNICOS = false

Kept for backward-compatibility reasons, but deprecated.

global string g_fwAccessControl_UnicosDP = "_fwAccessControl"
global bool _fwAccessControl_batchMode = FALSE
global bool g_fwAccessControl_Command_Lock = FALSE
