Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Loading…

Add a logout feature to ldap security manager #2198

Closed
wants to merge 1 commit into from

4 participants

@RussWhitehead
Collaborator

Need to provide an interface to log out a CLdapSecManager user,
which will be needed for gh-2174 ('ECLWatch should provide LOGOUT
feature')

@RussWhitehead RussWhitehead Add a logout feature to ldap security manager
Need to provide an interface to log out a CLdapSecManager user,
which will be needed for gh-2174 ('ECLWatch should provide LOGOUT
feature')

Signed-off-by: William Whitehead <william.whitehead@lexisnexis.com>
ac60cbe
@richardkchapman

If this is code that should never be reached, you should use throwUnexpected() rather than UNIMPLEMENTED;

If it's code that CAN be reached, you should really implement it before submitting the pull request (unless it's something we DO intend to implement sometime but NOT in the next release...

Collaborator

The reason I chose UNIMPLEMENTED was for consistency, since there are 13 other methods in this same class and file that use the same (I am guessing that you were not able to see them because the viewer by default only shows a few lines of code around the changes) . I suppose I could change them all to ThrowUnexpected, although it should be noted that both of these throw an exception

#define throwUnexpected() throw MakeStringException(9999, "Internal Error at %s(%d)", FILE, LINE)
#define UNIMPLEMENTED throw MakeStringException(-1, "UNIMPLEMENTED feature at %s(%d)", FILE, LINE)

I know they both throw an exception, but they imply different things. And I know we have in the past been a little sloppy about which one we use, on occasion. But I don't think that's a good reason for not correcting things when we spot that they are wrong.

If the others should also be considered as unexpected rather than unimplemented, then they should be changed too.

@richardkchapman

@afishbeck @wangkx Please review

@afishbeck
Collaborator

Is logout the right term for this functionality? Seems like its really just clearing the cache. The main reason I ask is because there may be a chance we would want to add real session type functionality to a security manager at some point.

Collaborator

I agree, since you don't really "log in" it doesn't make sense to log out. Now accepting nominations for a better name....

@wangkx
Collaborator

Should we have a better design of the login/logout processes? ESP sends requests for authentication check, login, and logout to a security manager. The security manager handles those requests by calling ldap related and/or non-ldap related functions. LDAP works for the security manager...

@afishbeck
Collaborator

I think the design should come out of a new issue, or the other issue that you have open (the one that talks about ESP log out support). We need to support the general concept of sessions... but I don't think it's the responsibility of the security managers to handle sessions. Even database security implementations would probably separate sessions from authentication and authorization.

To tell you the truth I don't think this functionality of removing someone from the cache is even needed.

@RussWhitehead
Collaborator

Closing pull request, since we need more discussion...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Commits on Apr 30, 2012
  1. @RussWhitehead

    Add a logout feature to ldap security manager

    RussWhitehead authored
    Need to provide an interface to log out a CLdapSecManager user,
    which will be needed for gh-2174 ('ECLWatch should provide LOGOUT
    feature')
    
    Signed-off-by: William Whitehead <william.whitehead@lexisnexis.com>
This page is out of date. Refresh to see the latest.
View
11 system/security/LdapSecurity/ldapsecurity.cpp
@@ -746,6 +746,17 @@ int CLdapSecManager::authorizeEx(SecResourceType rtype, ISecUser & user, const c
return -1;
}
+bool CLdapSecManager::logout(ISecUser& sec_user)
+{
+ sec_user.setAuthenticateStatus(AS_UNKNOWN);
+ if (m_permissionsCache.isCacheEnabled())
+ {
+ m_permissionsCache.removePermissions(sec_user);
+ m_permissionsCache.removeFromUserCache(sec_user);
+ }
+ return true;
+}
+
int CLdapSecManager::getAccessFlagsEx(SecResourceType rtype, ISecUser & user, const char * resourcename)
{
if(!resourcename || !*resourcename)
View
1  system/security/LdapSecurity/ldapsecurity.ipp
@@ -359,6 +359,7 @@ public:
bool authorize(ISecUser& sec_user, ISecResourceList * Resources);
bool authorizeEx(SecResourceType rtype, ISecUser& sec_user, ISecResourceList * Resources);
int authorizeEx(SecResourceType rtype, ISecUser& sec_user, const char* resourcename);
+ virtual bool logout(ISecUser& sec_user);
virtual int authorizeFileScope(ISecUser & user, const char * filescope);
virtual bool authorizeFileScope(ISecUser & user, ISecResourceList * resources);
virtual int authorizeWorkunitScope(ISecUser & user, const char * wuscope);
View
6 system/security/shared/basesecurity.hpp
@@ -160,7 +160,11 @@ class CBaseSecurityManager : public CInterface,
return rlist->queryResource(0)->getAccessFlags();
else
return -1;
- }
+ }
+ virtual bool logout(ISecUser& sec_user)
+ {
+ UNIMPLEMENTED;
+ }
virtual int getAccessFlagsEx(SecResourceType rtype, ISecUser& sec_user, const char* resourcename)
{
UNIMPLEMENTED;
View
1  system/security/shared/seclib.hpp
@@ -269,6 +269,7 @@ interface ISecManager : extends IInterface
virtual bool authorize(ISecUser & user, ISecResourceList * resources) = 0;
virtual bool authorizeEx(SecResourceType rtype, ISecUser & user, ISecResourceList * resources) = 0;
virtual int authorizeEx(SecResourceType rtype, ISecUser & user, const char * resourcename) = 0;
+ virtual bool logout(ISecUser & user) = 0;
virtual int getAccessFlagsEx(SecResourceType rtype, ISecUser & user, const char * resourcename) = 0;
virtual int authorizeFileScope(ISecUser & user, const char * filescope) = 0;
virtual bool authorizeFileScope(ISecUser & user, ISecResourceList * resources) = 0;
Something went wrong with that request. Please try again.