BUG#: 6485
authorthilo.boehm <thilo.boehm>
Mon, 4 Jun 2007 15:16:24 +0000 (15:16 +0000)
committerthilo.boehm <thilo.boehm>
Mon, 4 Jun 2007 15:16:24 +0000 (15:16 +0000)
TITLE: Missing authorization check

DESCRIPTION: Add authorization check.

src/Pegasus/Common/SocketzOS_inline.h
src/Pegasus/Security/Authentication/LocalAuthenticationHandler.cpp
src/Pegasus/msg/Server/pegasusServer_en.txt

index f796a6435999347e0be7d783cc7a36f9a610404c..a9991b5abf3809baf0ad596f66fe77e5af6a38dd 100644 (file)
 #define SocketzOS_inline_h
 
 #include <Pegasus/Common/Logger.h>
+#ifdef PEGASUS_ZOS_SECURITY
+// This include file will not be provided in the OpenGroup CVS for now.
+// Do NOT try to include it in your compile
+#include <Pegasus/Common/safCheckzOS_inline.h>
+#endif
 #include <Pegasus/Common/AuditLogger.h>
 #include <sys/ioctl.h>
 #include <net/rtrouteh.h>
@@ -224,6 +229,20 @@ int MP_Socket::ATTLS_zOS_query()
            PEG_TRACE((TRC_SSL, Tracer::LEVEL2,
                "---> ATTLS Security Type is SAFCHK. Resolved user ID \'%s\'",
                _username));
+
+           // Check if the user is authorized to CIMSERV
+#ifdef PEGASUS_ZOS_SECURITY
+           if ( !CheckProfileCIMSERVclassWBEM(_username, __READ_RESOURCE) )
+           {
+               Logger::put_l(Logger::STANDARD_LOG, ZOS_SECURITY_NAME, 
+                   Logger::WARNING,
+                   "Pegasus.Common.SocketzOS_inline.NOREAD_CIMSERV_ACCESS",
+                   "Request UserID $0 doesn't have READ permission"
+                   " to profile CIMSERV CL(WBEM).",
+                   _username);
+               return -1;
+           }
+#endif
            // For audit loging, only the mapping of the client IP to the 
            // resolved user ID is from interest.
            // The SAF facility logs the certificate validation and the 
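Review bot: The new CIMSERV profile check at L33 is compiled only under PEGASUS_ZOS_SECURITY, so a build without that macro accepts the SAF-resolved user ID with no authorization step at all, and nothing in the code says so; add `// Without PEGASUS_ZOS_SECURITY no CIMSERV profile check is done here: the resolved user ID is accepted as-is.` on the `#endif` (or an `#else` branch that at least traces this). The denial at L41 also returns -1 before the audit-logging code that the comment at L44–L45 introduces, so the rejected client-IP/user-ID mapping is recorded only in the standard log — confirm that is intended. The LocalAuthenticationHandler hunk in this commit applies the same check and logs the denial the same way, which keeps the two paths consistent. ATTLS_zOS_query starts and ends outside this hunk, so what the caller does with -1 is not visible here.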
index 01be60e4bff6de99815cb4583d93117133884083..f686f5b77bca77a6b8263f3b7b985b10e1cc1159 100644 (file)
@@ -150,10 +150,11 @@ Boolean LocalAuthenticationHandler::authenticate(
 #ifdef PEGASUS_ZOS_SECURITY
     if ( !CheckProfileCIMSERVclassWBEM(userName, __READ_RESOURCE) )
     {
-        Logger::put_l(Logger::TRACE_LOG, ZOS_SECURITY_NAME, Logger::WARNING,
+        Logger::put_l(Logger::STANDARD_LOG, ZOS_SECURITY_NAME, Logger::WARNING,
             "Security.Authentication.LocalAuthenticationHandler"
             ".NOREAD_CIMSERV_ACCESS.PEGASUS_OS_ZOS",
-            "Request UserID $0 doesn't have READ permission to profile CIMSERV CL(WBEM).",
+            "Request UserID $0 doesn't have READ permission"
+            " to profile CIMSERV CL(WBEM).",
             userName);
         return false;
     }
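Review bot: The message key at L54–L55 (`"Security.Authentication.LocalAuthenticationHandler.NOREAD_CIMSERV_ACCESS.PEGASUS_OS_ZOS"`) differs from the key the SocketzOS_inline hunk logs under (`Pegasus.Common.SocketzOS_inline.NOREAD_CIMSERV_ACCESS`), and the pegasusServer_en.txt hunk in this commit adds a bundle entry only for the latter; whether the LocalAuthenticationHandler key already exists in the bundle is not visible here, so it is worth confirming now that the denial is routed to STANDARD_LOG where operators will read it. Moving this authorization failure from TRACE_LOG to STANDARD_LOG is the right direction, since a trace-only record of a denied request is easy to miss. `authenticate` starts before this hunk and its remainder lies outside it.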
index e1ceec0462001948fba3070409dfa69b231131ec..8339e5a717a7a665c53340cf4080eff9e1538a47 100644 (file)
@@ -4628,6 +4628,14 @@ CIM server listening on HTTPS port {0}."}
         Pegasus.Common.SocketzOS_inline.WRONG_ROLE:string {"PGS12544E: ATTLS policy specifies the wrong HandshakeRole for the CIM Server HTTPS port. Communication not secured. Connection closed."}
 
         
+        /**
+        * @note  PGS12567:
+        *    Substitution {0} is a user name (a string)
+        *    Do not translate 'READ', 'CIMSERV CL(WBEM)' as it are RACF names
+        */
+        Pegasus.Common.SocketzOS_inline.NOREAD_CIMSERV_ACCESS:string {"PGS12567W: Request UserID {0} doesn't have READ permission to profile CIMSERV CL(WBEM)."}
+
+        
         // End z/OS messages
 
         // ==========================================================