Poco::OSP::Auth::Data

class AuthAdminServiceImpl

Library: OSP/Auth/Data
Package: Auth
Header: Poco/OSP/Auth/Data/AuthAdminServiceImpl.h

Description

This class implements the AuthAdminService using a SQL database accessed via the POCO Data library, and optionally LDAP for password verification and permissions.

Upon successful authentication of a user, the class will cache the permissions for the user so that further permission checks are very quick.

This implementation supports multiple variants/versions of storing password hashes.

  • Version 1 is the original mechanism, using MD5 with a single global salt shared by all users. This is no longer considered secure and should no longer be used.
  • Version 2 uses PBKDF2 with HMAC-SHA1 and a per-user random salt.
  • Version 3 uses PBKDF2 with HMAC-SHA1 and a per-user random salt, with additional MD5 password hashing, allowing implementation of secure challenge-response authentication mechanisms such as SCRAM-SHA1.

Version 3 is recommended for new deployments. Stored passwords using a lower version than the one configured will automatically be upgraded as soon as a user successfully authenticates. Rehashing requires the plaintext password, which is only available at that moment, so accounts that never authenticate keep their old hash until they do.

Note that the getUserAttribute() method of this implementation supports the following special attributes:

  • $salt: Returns the salt used for hashing the given user's password. For Version 1, this will be the configured global salt string. For Version 2, this will be a string consisting entirely of hexadecimal digits. For Version 3, this will be a string containing binary data.
  • $iterations: Returns the number of PBKDF2 iterations used for hashing the given user's password.
  • $hash: Returns the password hash stored for the given user. For Versions 1 and 2, this will be a string consisting entirely of hexadecimal digits. For Version 3, this will be a string containing binary data.
  • $version: Returns the version of the hash used for the given user.
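The following Python model of the three hash versions, the four special attributes and the upgrade-on-login rule is an added example; it is not code from Poco or from the OSP library and uses only the standard library. Whatever the page does not fix is an assumption of the example and is marked as such in the code: the MD5 input for Version 3 (hex digest of the bare password), the concatenation order for Version 1, the iteration count, and that the stored Version 3 hash is the raw PBKDF2 output from which the server derives SCRAM keys. It goes one step beyond the page by showing the RFC 5802 proof check that a Version 3 record makes possible.

```python
import binascii
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed configuration for this example (the page fixes neither value).
GLOBAL_SALT = "example-global-salt"   # Version 1 global salt (insecure scheme)
ITERATIONS = 10000                    # PBKDF2 iteration count for Versions 2 and 3


@dataclass
class Record:
    """One stored credential: the $version/$salt/$iterations/$hash attributes."""
    version: int
    salt: bytes
    iterations: int
    hash: bytes


def _v3_password(password: str) -> bytes:
    # Version 3 MD5-hashes the password before PBKDF2. Using the hex digest of the
    # bare password is an assumption of this example, not a documented format.
    return hashlib.md5(password.encode()).hexdigest().encode()


def make_record(password: str, version: int, salt: bytes = b"") -> Record:
    """Hash a password under the given version (salt is injectable for tests)."""
    if version == 1:
        # MD5 over global salt + password (order assumed). Same salt for every user,
        # fast and trivially cracked offline: kept only to show the upgrade path.
        digest = hashlib.md5((GLOBAL_SALT + password).encode()).hexdigest()
        return Record(1, GLOBAL_SALT.encode(), 0, digest.encode())
    salt = salt or os.urandom(16)
    if version == 2:
        # Per-user random salt and hash are both stored as hex digits.
        salt_hex = binascii.hexlify(salt)
        dk = hashlib.pbkdf2_hmac("sha1", password.encode(), salt_hex, ITERATIONS)
        return Record(2, salt_hex, ITERATIONS, binascii.hexlify(dk))
    if version == 3:
        # Binary salt, PBKDF2 over the MD5-hashed password, binary hash.
        dk = hashlib.pbkdf2_hmac("sha1", _v3_password(password), salt, ITERATIONS)
        return Record(3, salt, ITERATIONS, dk)
    raise ValueError(f"unsupported hash version {version}")


def verify(record: Record, password: str) -> bool:
    """Recompute with the record's own parameters; compare in constant time."""
    if record.version == 1:
        expected = make_record(password, 1).hash
    elif record.version == 2:
        dk = hashlib.pbkdf2_hmac("sha1", password.encode(), record.salt, record.iterations)
        expected = binascii.hexlify(dk)
    elif record.version == 3:
        expected = hashlib.pbkdf2_hmac("sha1", _v3_password(password), record.salt, record.iterations)
    else:
        return False
    return hmac.compare_digest(expected, record.hash)


class UserStore:
    """In-memory stand-in for the SQL-backed user table."""

    def __init__(self, configured_version: int = 3):
        self.configured_version = configured_version
        self._users: dict = {}

    def add_user(self, username: str, password: str, version: int = 0) -> None:
        self._users[username] = make_record(password, version or self.configured_version)

    def authenticate(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None or not verify(record, password):
            return False
        # Upgrade-on-login: the plaintext exists only now, so a lower-version record
        # is rehashed with the configured scheme at this point and nowhere else.
        if record.version < self.configured_version:
            self._users[username] = make_record(password, self.configured_version)
        return True

    def get_user_attribute(self, username: str, attribute: str, deflt: bytes = b"") -> bytes:
        record = self._users.get(username)
        if record is None:
            return deflt
        special = {"$salt": record.salt, "$hash": record.hash,
                   "$iterations": str(record.iterations).encode(),
                   "$version": str(record.version).encode()}
        return special.get(attribute, deflt)


# SCRAM-style proof (RFC 5802 key derivation) over a Version 3 record. The server
# keeps only the PBKDF2 output (SaltedPassword, assumed to be what $hash holds) and
# derives ClientKey/StoredKey from it; the client never sends the password.
# auth_message is the transcript both sides agree on, supplied by the caller.
def _keys(salted_password: bytes):
    client_key = hmac.new(salted_password, b"Client Key", hashlib.sha1).digest()
    return client_key, hashlib.sha1(client_key).digest()


def scram_client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    salted = hashlib.pbkdf2_hmac("sha1", _v3_password(password), salt, iterations)
    client_key, stored_key = _keys(salted)
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    return bytes(a ^ b for a, b in zip(client_key, client_sig))


def scram_verify(record: Record, auth_message: bytes, client_proof: bytes) -> bool:
    if record.version != 3:
        return False  # this example derives SCRAM keys from Version 3 records only
    _, stored_key = _keys(record.hash)
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    recovered_key = bytes(a ^ b for a, b in zip(client_proof, client_sig))
    return hmac.compare_digest(hashlib.sha1(recovered_key).digest(), stored_key)
```

Two points worth noticing when running it: a failed login never upgrades the record (the plaintext was wrong, so there is nothing to rehash), and because the server holds SaltedPassword rather than only StoredKey, a leak of the user table lets an attacker compute ClientKey and impersonate the client, so the database still needs the same protection as any password store.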

Inheritance

Direct Base Classes: Poco::OSP::Auth::AbstractLDAPAuthAdminService

All Base Classes: Poco::OSP::Auth::AbstractLDAPAuthAdminService, Poco::OSP::Auth::AuthAdminService, Poco::OSP::Auth::AuthService, Poco::OSP::Service, Poco::RefCountedObject

Member Summary

Member Functions: addRole, addUser, addUserImpl, assignRoleToUser, attributesForUser, authenticate, authenticateDB, authorize, changePassword, changePasswordImpl, checkDatabaseConnectivity, createOrUpdateUserImpl, discoverInlineAttributes, effectivePermissionsForUser, findUsersByAttribute, getUserAttribute, grantPermissionsToRole, grantPermissionsToUser, isA, isExternalUser, isUserLockedOut, lockOutUser, permissionsForRole, permissionsForUser, removeRole, removeRoleFromUser, removeUser, removeUserAttribute, removeUserImpl, replacePermissionsForRole, replacePermissionsForUser, replacePermissionsForUserImpl, replaceRolesForUser, replaceRolesForUserImpl, replaceUserAttributeImpl, replaceUserAttributes, reset, revokePermission, revokePermissionsFromRole, revokePermissionsFromUser, roleExists, roleExistsImpl, roles, rolesForUser, session, setUserAttribute, setupSession, type, uncacheUser, uncacheUserImpl, unlockOutUser, updateUserAttributes, userExists, userExistsImpl, users, usersWithAttribute, usersWithName, usersWithPermission, usersWithRole

Inherited Functions: addRole, addUser, assignRoleToUser, attributesForUser, authenticate, authenticateLDAP, authorize, changePassword, createOrUpdateUserImpl, duplicate, effectivePermissionsForUser, escapeLDAP, findUsersByAttribute, getUserAttribute, grantPermissionsToRole, grantPermissionsToUser, isA, isExternalUser, isExtraAttribute, isUserLockedOut, lockOutUser, permissionsForRole, permissionsForUser, referenceCount, release, removeRole, removeRoleFromUser, removeUser, removeUserAttribute, replacePermissionsForRole, replacePermissionsForUser, replacePermissionsForUserImpl, replaceRolesForUser, replaceRolesForUserImpl, replaceUserAttributeImpl, replaceUserAttributes, reset, revokePermission, revokePermissionsFromRole, revokePermissionsFromUser, roleExists, roles, rolesForUser, setUserAttribute, type, uncacheUser, unlockOutUser, updateUserAttributes, userExists, users, usersWithAttribute, usersWithName, usersWithPermission, usersWithRole

Nested Classes

struct AuthParams

Type Aliases

Ptr

using Ptr = Poco::AutoPtr < AuthAdminServiceImpl >;

Constructors

AuthAdminServiceImpl

AuthAdminServiceImpl(
    const Poco::Util::AbstractConfiguration & properties,
    Poco::Logger & logger,
    const AuthParams & authParams,
    const LDAPParams & ldapParams
);

Creates the AuthAdminServiceImpl using the given authentication and LDAP parameters.

Note: if ldapParams.uri is empty, LDAP authentication will be disabled.

See the Poco::Data::Session class for more information on connector names and connection strings.

Destructor

~AuthAdminServiceImpl virtual

~AuthAdminServiceImpl();

Destroys the AuthAdminServiceImpl.

Member Functions

addRole virtual

void addRole(
    const std::string & rolename
);

addUser virtual

void addUser(
    const std::string & username,
    const std::string & password
);

assignRoleToUser virtual

void assignRoleToUser(
    const std::string & username,
    const std::string & rolename
);

attributesForUser virtual

void attributesForUser(
    const std::string & username,
    std::set < std::string > & attributes
) const;

attributesForUser virtual

void attributesForUser(
    const std::string & username,
    std::map < std::string, std::string > & attributes
) const;

authenticate virtual

bool authenticate(
    const std::string & username,
    const std::string & credentials
) const;

authorize virtual

bool authorize(
    const std::string & username,
    const std::string & permission
) const;

changePassword virtual

void changePassword(
    const std::string & username,
    const std::string & password
);

checkDatabaseConnectivity static

static bool checkDatabaseConnectivity(
    const Poco::Util::AbstractConfiguration & properties,
    const AuthParams & authParams,
    Poco::Logger & logger
);

Checks whether a database connection can be established using the given configuration properties and authentication parameters.

effectivePermissionsForUser virtual

void effectivePermissionsForUser(
    const std::string & username,
    std::set < std::string > & permissions
) const;

findUsersByAttribute virtual

std::vector < std::string > findUsersByAttribute(
    const std::string & attribute,
    const std::string & value
) const;

getUserAttribute virtual

std::string getUserAttribute(
    const std::string & username,
    const std::string & attribute,
    const std::string & deflt = std::string ()
) const;

grantPermissionsToRole virtual

void grantPermissionsToRole(
    const std::string & rolename,
    const std::set < std::string > & permissions
);

grantPermissionsToUser virtual

void grantPermissionsToUser(
    const std::string & username,
    const std::set < std::string > & permissions
);

isA virtual

bool isA(
    const std::type_info & otherType
) const;

isExternalUser virtual

bool isExternalUser(
    const std::string & username
) const;

isUserLockedOut virtual

bool isUserLockedOut(
    const std::string & username
) const;

lockOutUser virtual

void lockOutUser(
    const std::string & username,
    const Poco::DateTime & lockOutUntil
);

permissionsForRole virtual

void permissionsForRole(
    const std::string & rolename,
    std::set < std::string > & permissions
) const;

permissionsForUser virtual

void permissionsForUser(
    const std::string & username,
    std::set < std::string > & permissions
) const;

removeRole virtual

void removeRole(
    const std::string & rolename
);

removeRoleFromUser virtual

void removeRoleFromUser(
    const std::string & username,
    const std::string & rolename
);

removeUser virtual

void removeUser(
    const std::string & username
);

removeUserAttribute virtual

void removeUserAttribute(
    const std::string & username,
    const std::string & attribute
);

replacePermissionsForRole virtual

void replacePermissionsForRole(
    const std::string & rolename,
    const std::set < std::string > & permissions
);

replacePermissionsForUser virtual

void replacePermissionsForUser(
    const std::string & username,
    const std::set < std::string > & permissions
);

replaceRolesForUser virtual

void replaceRolesForUser(
    const std::string & username,
    const std::set < std::string > & permissions
);

replaceUserAttributes virtual

void replaceUserAttributes(
    const std::string & username,
    const std::map < std::string, std::string > & attributes
);

reset virtual

void reset();

revokePermission virtual

void revokePermission(
    const std::string & permission
);

revokePermissionsFromRole virtual

void revokePermissionsFromRole(
    const std::string & rolename,
    const std::set < std::string > & permissions
);

revokePermissionsFromUser virtual

void revokePermissionsFromUser(
    const std::string & username,
    const std::set < std::string > & permissions
);

roleExists virtual

bool roleExists(
    const std::string & rolename
) const;

roles virtual

void roles(
    std::set < std::string > & roles
) const;

rolesForUser virtual

void rolesForUser(
    const std::string & username,
    std::set < std::string > & roles
) const;

setUserAttribute virtual

void setUserAttribute(
    const std::string & username,
    const std::string & attribute,
    const std::string & value
);

type virtual

const std::type_info & type() const;

uncacheUser virtual

void uncacheUser(
    const std::string & username
);

unlockOutUser virtual

void unlockOutUser(
    const std::string & username
);

updateUserAttributes virtual

void updateUserAttributes(
    const std::string & username,
    const std::map < std::string, std::string > & attributes
);

userExists virtual

bool userExists(
    const std::string & username
) const;

users virtual

int users(
    std::set < std::string > & users,
    int first = 0,
    int limit = 0
) const;

usersWithAttribute virtual

int usersWithAttribute(
    std::set < std::string > & users,
    const std::string & attribute,
    const std::string & value,
    int first = 0,
    int limit = 0
) const;

usersWithName virtual

int usersWithName(
    std::set < std::string > & users,
    const std::string & pattern,
    int first = 0,
    int limit = 0
) const;

usersWithPermission virtual

int usersWithPermission(
    std::set < std::string > & users,
    const std::string & permission,
    int first = 0,
    int limit = 0
) const;

usersWithRole virtual

int usersWithRole(
    std::set < std::string > & users,
    const std::string & role,
    int first = 0,
    int limit = 0
) const;

addUserImpl protected

void addUserImpl(
    Poco::Data::Session & session,
    const std::string & username,
    const std::string & password
) const;

authenticateDB protected

bool authenticateDB(
    Poco::Data::Session & session,
    const std::string & username,
    const std::string & credentials
) const;

changePasswordImpl protected

void changePasswordImpl(
    Poco::Data::Session & session,
    const std::string & username,
    const std::string & hashedCredentials
) const;

createOrUpdateUserImpl protected

void createOrUpdateUserImpl(
    Poco::Data::Session & session,
    const std::string & username,
    const std::string & credentials
) const;

createOrUpdateUserImpl protected virtual

void createOrUpdateUserImpl(
    const std::string & username,
    const std::string & credentials
) const;

discoverInlineAttributes protected

void discoverInlineAttributes();

removeUserImpl protected

void removeUserImpl(
    Poco::Data::Session & session,
    const std::string & username
) const;

replacePermissionsForUserImpl protected

void replacePermissionsForUserImpl(
    Poco::Data::Session & session,
    const std::string & username,
    const std::set < std::string > & permissions
) const;

replacePermissionsForUserImpl protected virtual

void replacePermissionsForUserImpl(
    const std::string & username,
    const std::set < std::string > & permissions
) const;

replaceRolesForUserImpl protected

void replaceRolesForUserImpl(
    Poco::Data::Session & session,
    const std::string & username,
    const std::set < std::string > & permissions
) const;

replaceRolesForUserImpl protected virtual

void replaceRolesForUserImpl(
    const std::string & username,
    const std::set < std::string > & permissions
) const;

replaceUserAttributeImpl protected

void replaceUserAttributeImpl(
    Poco::Data::Session & session,
    const std::string & username,
    const std::string & attribute,
    const std::string & value
) const;

replaceUserAttributeImpl protected virtual

void replaceUserAttributeImpl(
    const std::string & username,
    const std::string & attribute,
    const std::string & value
) const;

roleExistsImpl protected

bool roleExistsImpl(
    Poco::Data::Session & session,
    const std::string & rolename
) const;

session protected

Poco::Data::Session & session() const;

setupSession protected

void setupSession() const;

uncacheUserImpl protected

void uncacheUserImpl(
    const std::string & username
) const;

userExistsImpl protected

bool userExistsImpl(
    Poco::Data::Session & session,
    const std::string & username
) const;

Variables

USER_ATTR_FAILURES static

static const std::string USER_ATTR_FAILURES;

USER_ATTR_LDAP static

static const std::string USER_ATTR_LDAP;

USER_ATTR_LOCKOUT static

static const std::string USER_ATTR_LOCKOUT;
