372a4d1b79
since we do not rely on FMT_DEPRECATED_OSTREAM to define the
fmt::formatter for us anymore, let's stop defining `FMT_DEPRECATED_OSTREAM`.
in this change,
* utils: drop the range formatters in to_string.hh and to_string.c, as
we don't use them anymore. and the tests for them in
test/boost/string_format_test.cc are removed accordingly.
* utils: use fmt to print chunk_vector and small_vector. as
we are not able to print the elements using operator<< anymore
after switching to {fmt} formatters.
* test/boost: specialize fmt::details::is_std_string_like<bytes>
due to a bug in {fmt} v9, {fmt} fails to format a range whose
element type is `basic_sstring<uint8_t>`, as it considers it
as a string-like type, but `basic_sstring<uint8_t>`'s char type
is signed char, not char. this issue does not exist in {fmt} v10,
so, in this change, we add a workaround to explicitly specialize
the type trait to assure that {fmt} format this type using its
`fmt::formatter` specialization instead of trying to format it
as a string. also, {fmt}'s generic ranges formatter calls the
pair formatter's `set_brackets()` and `set_separator()` methods
when printing the range, but operator<< based formatter does not
provide these method, we have to include this change in the change
switching to {fmt}, otherwise the change specializing
`fmt::details::is_std_string_like<bytes>` won't compile.
* test/boost: in tests, we use `BOOST_REQUIRE_EQUAL()` and its friends
for comparing values. but without the operator<< based formatters,
Boost.Test would not be able to print them. after removing
the homebrew formatters, we need to use the generic
`boost_test_print_type()` helper to do this job. so we are
including `test_utils.hh` in tests so that we can print
the formattable types.
* treewide: add "#include "utils/to_string.hh" where
`fmt::formatter<optional<>>` is used.
* configure.py: do not define FMT_DEPRECATED_OSTREAM
* cmake: do not define FMT_DEPRECATED_OSTREAM
Refs #13245
Signed-off-by: Kefu Chai <kefu.chai@scylladb.com>
185 lines
6.1 KiB
C++
185 lines
6.1 KiB
C++
/*
|
|
* Copyright (C) 2022-present ScyllaDB
|
|
*
|
|
*/
|
|
|
|
/*
|
|
* SPDX-License-Identifier: AGPL-3.0-or-later
|
|
*/
|
|
|
|
#include "auth/certificate_authenticator.hh"
|
|
|
|
#include <regex>
|
|
#include <fmt/ranges.h>
|
|
|
|
#include "utils/class_registrator.hh"
|
|
#include "utils/to_string.hh"
|
|
#include "data_dictionary/data_dictionary.hh"
|
|
#include "cql3/query_processor.hh"
|
|
#include "db/config.hh"
|
|
|
|
static const auto CERT_AUTH_NAME = "com.scylladb.auth.CertificateAuthenticator";
|
|
const std::string_view auth::certificate_authenticator_name(CERT_AUTH_NAME);
|
|
|
|
static logging::logger clogger("certificate_authenticator");
|
|
|
|
static const std::string cfg_source_attr = "source";
|
|
static const std::string cfg_query_attr = "query";
|
|
|
|
static const std::string cfg_source_subject = "SUBJECT";
|
|
static const std::string cfg_source_altname = "ALTNAME";
|
|
|
|
static const class_registrator<auth::authenticator
|
|
, auth::certificate_authenticator
|
|
, cql3::query_processor&
|
|
, ::service::raft_group0_client&
|
|
, ::service::migration_manager&> cert_auth_reg(CERT_AUTH_NAME);
|
|
|
|
enum class auth::certificate_authenticator::query_source {
|
|
subject, altname
|
|
};
|
|
|
|
auth::certificate_authenticator::certificate_authenticator(cql3::query_processor& qp, ::service::raft_group0_client&, ::service::migration_manager&)
|
|
: _queries([&] {
|
|
auto& conf = qp.db().get_config();
|
|
auto queries = conf.auth_certificate_role_queries();
|
|
|
|
if (queries.empty()) {
|
|
throw std::invalid_argument("No role extraction queries specified.");
|
|
}
|
|
|
|
std::vector<std::pair<query_source, boost::regex>> res;
|
|
|
|
for (auto& map : queries) {
|
|
// first, check for any invalid config keys
|
|
if (map.size() == 2) {
|
|
try {
|
|
auto& source = map.at(cfg_source_attr);
|
|
std::string query = map.at(cfg_query_attr);
|
|
|
|
std::transform(source.begin(), source.end(), source.begin(), ::toupper);
|
|
|
|
boost::regex ex(query);
|
|
if (ex.mark_count() != 1) {
|
|
throw std::invalid_argument("Role query must have exactly one mark expression");
|
|
}
|
|
|
|
clogger.debug("Append role query: {} : {}", source, query);
|
|
|
|
if (source == cfg_source_subject) {
|
|
res.emplace_back(query_source::subject, std::move(ex));
|
|
} else if (source == cfg_source_altname) {
|
|
res.emplace_back(query_source::altname, std::move(ex));
|
|
} else {
|
|
throw std::invalid_argument(fmt::format("Invalid source: {}", map.at(cfg_source_attr)));
|
|
}
|
|
continue;
|
|
} catch (std::out_of_range&) {
|
|
// just fallthrough
|
|
} catch (std::regex_error&) {
|
|
std::throw_with_nested(std::invalid_argument(fmt::format("Invalid query expression: {}", map.at(cfg_query_attr))));
|
|
}
|
|
}
|
|
throw std::invalid_argument(fmt::format("Invalid query: {}", map));
|
|
}
|
|
return res;
|
|
}())
|
|
{}
|
|
|
|
auth::certificate_authenticator::~certificate_authenticator() = default;
|
|
|
|
future<> auth::certificate_authenticator::start() {
|
|
co_return;
|
|
}
|
|
|
|
future<> auth::certificate_authenticator::stop() {
|
|
co_return;
|
|
}
|
|
|
|
std::string_view auth::certificate_authenticator::qualified_java_name() const {
|
|
return certificate_authenticator_name;
|
|
}
|
|
|
|
bool auth::certificate_authenticator::require_authentication() const {
|
|
return true;
|
|
}
|
|
|
|
auth::authentication_option_set auth::certificate_authenticator::supported_options() const {
|
|
return {};
|
|
}
|
|
|
|
auth::authentication_option_set auth::certificate_authenticator::alterable_options() const {
|
|
return {};
|
|
}
|
|
|
|
future<std::optional<auth::authenticated_user>> auth::certificate_authenticator::authenticate(session_dn_func f) const {
|
|
if (!f) {
|
|
co_return std::nullopt;
|
|
}
|
|
auto dninfo = co_await f();
|
|
if (!dninfo) {
|
|
throw exceptions::authentication_exception("No valid certificate found");
|
|
}
|
|
|
|
auto& subject = dninfo->subject;
|
|
std::optional<std::string> altname ;
|
|
|
|
const std::string* source_str = nullptr;
|
|
|
|
for (auto& [source, expr] : _queries) {
|
|
switch (source) {
|
|
default:
|
|
case query_source::subject:
|
|
source_str = &subject;
|
|
break;
|
|
case query_source::altname:
|
|
if (!altname) {
|
|
altname = dninfo->get_alt_names ? co_await dninfo->get_alt_names() : std::string{};
|
|
}
|
|
source_str = &*altname;
|
|
break;
|
|
}
|
|
|
|
clogger.debug("Checking {}: {}", int(source), *source_str);
|
|
|
|
boost::smatch m;
|
|
if (boost::regex_search(*source_str, m, expr)) {
|
|
auto username = m[1].str();
|
|
clogger.debug("Return username: {}", username);
|
|
co_return username;
|
|
}
|
|
}
|
|
throw exceptions::authentication_exception(format("Subject '{}'/'{}' does not match any query expression", subject, altname));
|
|
}
|
|
|
|
|
|
future<auth::authenticated_user> auth::certificate_authenticator::authenticate(const credentials_map&) const {
|
|
throw exceptions::authentication_exception("Cannot authenticate using attribute map");
|
|
}
|
|
|
|
future<> auth::certificate_authenticator::create(std::string_view role_name, const authentication_options& options) {
|
|
// TODO: should we keep track of roles/enforce existence? Role manager should deal with this...
|
|
co_return;
|
|
}
|
|
|
|
future<> auth::certificate_authenticator::alter(std::string_view role_name, const authentication_options& options) {
|
|
co_return;
|
|
}
|
|
|
|
future<> auth::certificate_authenticator::drop(std::string_view role_name) {
|
|
co_return;
|
|
}
|
|
|
|
future<auth::custom_options> auth::certificate_authenticator::query_custom_options(std::string_view) const {
|
|
co_return auth::custom_options{};
|
|
}
|
|
|
|
const auth::resource_set& auth::certificate_authenticator::protected_resources() const {
|
|
static const resource_set resources;
|
|
return resources;
|
|
}
|
|
|
|
::shared_ptr<auth::sasl_challenge> auth::certificate_authenticator::new_sasl_challenge() const {
|
|
throw exceptions::authentication_exception("Login authentication not supported");
|
|
}
|