From f661e59f428066a63af169d0bc7daa852ad8d9de Mon Sep 17 00:00:00 2001
From: Tim Klemm
Date: Fri, 22 Nov 2024 13:25:04 -0500
Subject: [PATCH] HPCC-33032: Complete removal of obsolete security managers
- Fail when attempting to construct "Local" and "Default" security managers.
- Remove unused "local" authentication interface and implementation.
- Cleanup yaml to legacy configuration conversion around manager plugins.
Signed-off-by: Tim Klemm
---
 esp/bindings/http/platform/httpbinding.cpp | 7 +-
 esp/platform/application_config.cpp | 4 +-
 system/jlib/jutil.cpp | 124 --------------------
 system/jlib/jutil.hpp | 10 --
 4 files changed, 5 insertions(+), 140 deletions(-)
diff --git a/esp/bindings/http/platform/httpbinding.cpp b/esp/bindings/http/platform/httpbinding.cpp
index c5a9e831844..6145e2ec170 100644
--- a/esp/bindings/http/platform/httpbinding.cpp
+++ b/esp/bindings/http/platform/httpbinding.cpp
@@ -446,11 +446,8 @@ EspHttpBinding::EspHttpBinding(IPropertyTree* tree, const char *bindname, const
 m_feature_authmap.setown(m_secmgr->createFeatureMap(authcfg));
 m_setting_authmap.setown(m_secmgr->createSettingMap(authcfg));
 }
- else if(stricmp(m_authmethod.str(), "Local") == 0)
- {
- m_secmgr.setown(SecLoader::loadSecManager("Local", "EspHttpBinding", NULL));
- m_authmap.setown(m_secmgr->createAuthMap(authcfg));
- }
+ else if(strieq(m_authmethod.str(), "Local") || strieq(m_authmethod.str(), "Default"))
+ throw makeStringExceptionV(-1, "obsolete auth method %s; update configuration", m_authmethod.str());
 IRestartManager* restartManager = dynamic_cast(m_secmgr.get());
 if(restartManager!=NULL)
 {
diff --git a/esp/platform/application_config.cpp b/esp/platform/application_config.cpp
index f999bc44203..ba8a3436071 100644
--- a/esp/platform/application_config.cpp
+++ b/esp/platform/application_config.cpp
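Review bot: The new `else if` throws for the obsolete methods but carries no comment saying the refusal is deliberate, and nothing in the visible chain says what happens when no branch matches, so a later edit could drop the branch and let "Local" fall through to the `IRestartManager` lookup below with `m_secmgr` in whatever state it already had — presumably unset. Suggest `// Obsolete managers are refused outright so a stale config cannot bring up a binding without a security manager` directly above the throw. Passing `m_authmethod.str()` as the `%s` argument instead of splicing the configured value into the format string is the right shape; keep it that way if the message is reworded. The EspHttpBinding constructor starts and ends outside the hunk.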
@@ -156,6 +156,8 @@ bool addAuthNZSecurity(const char *name, IPropertyTree *legacyEsp, IPropertyTree
 appSecMgr = authNZ;
 }
 const char *method = appSecMgr->queryProp("@name");
+ if (isEmptyString(method))
+ throw MakeStringException(-1, "SecurityManager name attribute required. To run without security set 'auth: none'");
 const char *tag = appSecMgr->queryProp("@type");
 if (isEmptyString(tag))
 throw MakeStringException(-1, "SecurityManager type attribute required. To run without security set 'auth: none'");
@@ -167,7 +169,7 @@ bool addAuthNZSecurity(const char *name, IPropertyTree *legacyEsp, IPropertyTree
 mergePTree(legacy, authNZ); //extra info clean up later
 legacy->removeProp("SecurityManager"); //already copied these attributes above, don't need this as a child
- bindAuth.setf("", method ? method : "unknown");
+ bindAuth.setf("", method);
 return true;
 }
diff --git a/system/jlib/jutil.cpp b/system/jlib/jutil.cpp
index d22fda4888d..daf6270d0e9 100644
--- a/system/jlib/jutil.cpp
+++ b/system/jlib/jutil.cpp
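Review bot: The second hunk's `bindAuth.setf("", method)` now inserts the configured `@name` verbatim, and the new `isEmptyString(method)` check in the first hunk only rules out a null or empty value, not one containing quotes, angle brackets or other characters that could break or alter the legacy configuration text being assembled (the format string on this page appears stripped of its markup, so this is hedged). Consider validating the name against a conservative identifier pattern before it is used and rejecting anything else with the same `MakeStringException` style as the neighbouring checks, so a malformed manager name fails at load time rather than producing an unexpected binding. The two attribute checks are identical apart from the attribute name and message and could share a small helper. addAuthNZSecurity starts and ends outside both hunks.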
@@ -2062,130 +2062,6 @@ bool deduceMask(const char *fn, bool expandN, StringAttr &mask, unsigned &pret,
 }
 //==============================================================
-#ifdef _WIN32
-
-
-class CWindowsAuthenticatedUser: implements IAuthenticatedUser, public CInterface
-{
- StringAttr name;
- HANDLE usertoken;
-public:
- IMPLEMENT_IINTERFACE;
- CWindowsAuthenticatedUser()
- {
- usertoken = (HANDLE)-1;
- }
- ~CWindowsAuthenticatedUser()
- {
- if (usertoken != (HANDLE)-1)
- CloseHandle(usertoken);
- }
- bool login(const char *user, const char *passwd)
- {
- name.clear();
- if (usertoken != (HANDLE)-1)
- CloseHandle(usertoken);
- StringBuffer domain("");
- const char *ut = strchr(user,'\\');
- if (ut) {
- domain.clear().append((size32_t)(ut-user),user);
- user = ut+1;
- }
- BOOL res = LogonUser((LPTSTR)user,(LPTSTR)(domain.length()==0?NULL:domain.str()),(LPTSTR)passwd,LOGON32_LOGON_NETWORK,LOGON32_PROVIDER_DEFAULT,&usertoken);
- if (res==0)
- return false;
- name.set(user);
- return true;
- }
- void impersonate()
- {
- if (!ImpersonateLoggedOnUser(usertoken))
- throw makeOsException(GetLastError());
- }
-
- void revert()
- {
- RevertToSelf();
- }
-
- const char *username()
- {
- return name.get();
- }
-};
-
-IAuthenticatedUser *createAuthenticatedUser() { return new CWindowsAuthenticatedUser; }
-
-#elif defined(__linux__)
-
-class CLinuxAuthenticatedUser: implements IAuthenticatedUser, public CInterface
-{
- StringAttr name;
- uid_t uid;
- gid_t gid;
- uid_t saveuid;
- gid_t savegid;
-
-public:
- IMPLEMENT_IINTERFACE;
- bool login(const char *user, const char *passwd)
- {
- name.clear();
- const char *ut = strchr(user,'\\');
- if (ut)
- user = ut+1; // remove windows domain
- struct passwd *pw;
- char *epasswd;
- if ((pw = getpwnam(user)) == NULL)
- return false;
- struct spwd *spwd = getspnam(user);
- if (spwd)
- epasswd = spwd->sp_pwdp;
- else
- epasswd = pw->pw_passwd;
- if (!epasswd||!*epasswd)
- return false;
- if (strcmp(crypt(passwd,epasswd),epasswd)!=0)
- return false;
- uid = pw->pw_uid;
- gid = pw->pw_gid;
- name.set(pw->pw_name);
- return true;
- }
- void impersonate()
- {
- saveuid = geteuid();
- savegid = getegid();
- if (setegid(gid) == -1)
- throw makeOsException(errno, "Failed to set effective group id");
- if (seteuid(uid) == -1)
- throw makeOsException(errno, "Failed to set effective user id");
- }
-
- void revert()
- {
- if (seteuid(saveuid) == -1)
- throw makeOsException(errno, "Failed to restore effective group id");
- if (setegid(savegid) == -1)
- throw makeOsException(errno, "Failed to restore effective user id");
- }
-
- const char *username()
- {
- return name.get();
- }
-
-};
-
-
-
-IAuthenticatedUser *createAuthenticatedUser() { return new CLinuxAuthenticatedUser; }
-#elif defined(__FreeBSD__) || defined (__APPLE__)
-
-IAuthenticatedUser *createAuthenticatedUser() { UNIMPLEMENTED; }
-
-#endif
-
 extern jlib_decl void serializeAtom(MemoryBuffer & target, IAtom * name)
 {
diff --git a/system/jlib/jutil.hpp b/system/jlib/jutil.hpp
index 4841d61761b..af405735b95 100644
--- a/system/jlib/jutil.hpp
+++ b/system/jlib/jutil.hpp
@@ -373,17 +373,7 @@ class jlib_decl NamedCount
 extern jlib_decl StringBuffer &dumpNamedCounts(StringBuffer &str);
-
-interface IAuthenticatedUser: extends IInterface
-{
- virtual bool login(const char *user, const char *passwd) = 0;
- virtual void impersonate()=0;
- virtual void revert()=0;
- virtual const char *username()=0;
-};
-
 interface IAtom;
-extern jlib_decl IAuthenticatedUser *createAuthenticatedUser();
 extern jlib_decl void serializeAtom(MemoryBuffer & target, IAtom * name);
 extern jlib_decl IAtom * deserializeAtom(MemoryBuffer & source);