From dc310baa2ddff6da67f91b844e4b78a2e661d9a2 Mon Sep 17 00:00:00 2001
From: Piotr Sarna
Date: Wed, 16 Oct 2019 09:36:14 +0200
Subject: [PATCH] alternator: add extracting key from system_auth.roles

As a first step towards coupling alternator authorization with Scylla authorization, a helper function for extracting the key (salted_hash) belonging to the user is added.
---
 alternator/auth.cc | 25 +++++++++++++++++++++++++
 alternator/auth.hh | 6 ++++++
 2 files changed, 31 insertions(+)

diff --git a/alternator/auth.cc b/alternator/auth.cc
index bcdf69de10..4161604069 100644
--- a/alternator/auth.cc
+++ b/alternator/auth.cc
@@ -29,6 +29,11 @@
 #include "bytes.hh"
 #include "alternator/auth.hh"
 #include
+#include "auth/common.hh"
+#include "auth/password_authenticator.hh"
+#include "auth/roles-metadata.hh"
+#include "cql3/query_processor.hh"
+#include "cql3/untyped_result_set.hh"
 namespace alternator {
@@ -85,4 +90,24 @@ std::string get_signature(std::string_view access_key_id, std::string_view secre
 return to_hex(bytes_view(reinterpret_cast(signature.data()), signature.size()));
 }
+future get_key_from_roles(cql3::query_processor& qp, std::string username) {
+ static const sstring query = format("SELECT salted_hash FROM {} WHERE {} = ?", auth::meta::roles_table::qualified_name(), auth::meta::roles_table::role_col_name);
+ auto cl = auth::password_authenticator::consistency_for_user(username);
+ auto timeout = auth::internal_distributed_timeout_config();
+ return qp.process(query, cl, timeout, {sstring(username)}, true).then_wrapped([username = std::move(username)] (future<::shared_ptr> f) {
+ auto res = f.get0();
+ auto salted_hash = std::optional();
+ if (res->empty()) {
+ throw api_error("UnrecognizedClientException", fmt::format("User not found: {}", username));
+ }
+ salted_hash = res->one().get_opt("salted_hash");
+ if (!salted_hash) {
+ throw api_error("UnrecognizedClientException", fmt::format("No password found for user: {}", username));
+ }
+ return make_ready_future(*salted_hash);
+ });
+}
+
 }
diff --git a/alternator/auth.hh b/alternator/auth.hh
index 9bc8370c45..0264e2e426 100644
--- a/alternator/auth.hh
+++ b/alternator/auth.hh
@@ -25,6 +25,10 @@
 #include
 #include
+namespace cql3 {
+class query_processor;
+}
+
 namespace alternator {
 using hmac_sha256_digest = std::array;
@@ -32,4 +36,6 @@ using hmac_sha256_digest = std::array;
 std::string get_signature(std::string_view access_key_id, std::string_view secret_access_key, std::string_view host, std::string_view method, std::string_view signed_headers_str, const std::map& signed_headers_map, std::string_view body_content, std::string_view region, std::string_view service, std::string_view query_string);
+future get_key_from_roles(cql3::query_processor& qp, std::string username);
+
 }
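Review bot: The two throw sites inside the then_wrapped lambda of get_key_from_roles give an unauthenticated caller distinguishable answers — `User not found: {}` when no row matches and `No password found for user: {}` when the role exists but has no salted_hash — so a client can probe which role names exist in system_auth.roles before presenting any credential. Both branches should raise the same text, e.g. `throw api_error("UnrecognizedClientException", fmt::format("User not found: {}", username));` in the `!salted_hash` branch as well, with the finer distinction going to a server-side log if it is wanted. Separately, `f.get0()` rethrows any failure of the roles query unchanged, so a timeout or unavailable error reaches the caller as something other than api_error; presumably the HTTP layer maps that to a generic response, but it is worth confirming it does not echo internal detail. The commit message also describes the returned salted_hash as the user's key, which would make anyone who can read system_auth.roles or a backup of it the holder of a directly usable secret with no hash cracking needed — that is a design decision the follow-up should state explicitly. If the roles table carries a can_login flag, as Scylla's does, checking it here would keep Alternator from handing out a key for a role that is not allowed to log in over CQL.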