Hawkin
/
arangodb
mirror of https://gitee.com/bigwinds/arangodb
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge branch 'devel' of github.com:triAGENS/ArangoDB into devel

This commit is contained in:
Heiko Kernbach 2014-08-20 18:53:44 +02:00
parent f352ca610a a4f40a26c0
commit 091d4cdf02
2 changed files with 179 additions and 229 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

404
arangod/VocBase/auth.cpp
View File

@ -32,6 +32,8 @@
#include "BasicsC/json.h" #include "BasicsC/json.h"
#include "BasicsC/logging.h" #include "BasicsC/logging.h"
#include "BasicsC/tri-strings.h" #include "BasicsC/tri-strings.h"
#include "Basics/JsonHelper.h"
#include "Rest/SslInterface.h"
#include "ShapedJson/shape-accessor.h" #include "ShapedJson/shape-accessor.h"
#include "VocBase/collection.h" #include "VocBase/collection.h"
#include "VocBase/document-collection.h" #include "VocBase/document-collection.h"
@ -104,106 +106,15 @@ static bool EqualKeyAuthCache (TRI_associative_pointer_t* array,
return TRI_EqualString(k, e->_hash); return TRI_EqualString(k, e->_hash);
} }
////////////////////////////////////////////////////////////////////////////////
/// @brief extracts a string
////////////////////////////////////////////////////////////////////////////////
static char* ExtractStringShapedJson (TRI_shaper_t* shaper,
TRI_shaped_json_t const* document,
char const* path) {
TRI_shape_t const* shape;
TRI_shaped_json_t shaped;
char* result;
TRI_shape_pid_t pid = shaper->lookupAttributePathByName(shaper, path);
if (pid == 0) {
return nullptr;
}
bool ok = TRI_ExtractShapedJsonVocShaper(shaper, document, 0, pid, &shaped, &shape);
if (! ok || shape == nullptr) {
return nullptr;
}
TRI_json_t* json = TRI_JsonShapedJson(shaper, &shaped);
if (json == nullptr) {
return nullptr;
}
if (! TRI_IsStringJson(json)) {
TRI_FreeJson(TRI_UNKNOWN_MEM_ZONE, json);
return nullptr;
}
result = TRI_DuplicateString2(json->_value._string.data,
json->_value._string.length - 1);
TRI_FreeJson(TRI_UNKNOWN_MEM_ZONE, json);
return result;
}
////////////////////////////////////////////////////////////////////////////////
/// @brief extracts a boolean
////////////////////////////////////////////////////////////////////////////////
static bool ExtractBooleanShapedJson (TRI_shaper_t* shaper,
TRI_shaped_json_t const* document,
char const* path,
bool* found) {
TRI_shape_t const* shape;
TRI_shaped_json_t shaped;
if (found != nullptr) {
*found = false;
}
TRI_shape_pid_t pid = shaper->lookupAttributePathByName(shaper, path);
if (pid == 0) {
return false;
}
bool ok = TRI_ExtractShapedJsonVocShaper(shaper, document, 0, pid, &shaped, &shape);
if (! ok || shape == nullptr) {
return false;
}
TRI_json_t* json = TRI_JsonShapedJson(shaper, &shaped);
if (json == nullptr) {
return false;
}
if (json->_type != TRI_JSON_BOOLEAN) {
TRI_FreeJson(TRI_UNKNOWN_MEM_ZONE, json);
return false;
}
if (found != nullptr) {
*found = true;
}
bool result = json->_value._boolean;
TRI_FreeJson(TRI_UNKNOWN_MEM_ZONE, json);
return result;
}
//////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////
/// @brief frees the auth information /// @brief frees the auth information
//////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////
static void FreeAuthInfo (TRI_vocbase_auth_t* auth) { static void FreeAuthInfo (TRI_vocbase_auth_t* auth) {
TRI_Free(TRI_CORE_MEM_ZONE, auth->_username); TRI_Free(TRI_CORE_MEM_ZONE, auth->_username);
TRI_Free(TRI_CORE_MEM_ZONE, auth->_password); TRI_Free(TRI_CORE_MEM_ZONE, auth->_passwordMethod);
TRI_Free(TRI_CORE_MEM_ZONE, auth->_passwordSalt);
TRI_Free(TRI_CORE_MEM_ZONE, auth->_passwordHash);
TRI_Free(TRI_UNKNOWN_MEM_ZONE, auth); TRI_Free(TRI_UNKNOWN_MEM_ZONE, auth);
} }
@ -224,67 +135,115 @@ static void FreeAuthCacheInfo (TRI_vocbase_auth_cache_t* cached) {
} }
//////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////
/// @brief extracts the auth information /// @brief constructs auth information from JSON
//////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////
static TRI_vocbase_auth_t* ConvertAuthInfo (TRI_vocbase_t* vocbase, static TRI_vocbase_auth_t* AuthFromJson (TRI_json_t const* json) {
TRI_document_collection_t* document, if (! TRI_IsArrayJson(json)) {
TRI_shaped_json_t const* shapedJson) { return nullptr;
TRI_shaper_t* shaper = document->getShaper(); // PROTECTED by trx in caller, checked by RUNTIME }
// extract username // extract "user" attribute
char* user = ExtractStringShapedJson(shaper, shapedJson, "user"); TRI_json_t const* userJson = TRI_LookupArrayJson(json, "user");
if (user == nullptr) { if (! TRI_IsStringJson(userJson)) {
LOG_DEBUG("cannot extract username"); LOG_DEBUG("cannot extract username");
return nullptr; return nullptr;
} }
// extract password TRI_json_t const* authDataJson = TRI_LookupArrayJson(json, "authData");
char* password = ExtractStringShapedJson(shaper, shapedJson, "password");
if (password == nullptr) { if (! TRI_IsArrayJson(authDataJson)) {
TRI_FreeString(TRI_CORE_MEM_ZONE, user); LOG_DEBUG("cannot extract authData");
LOG_DEBUG("cannot extract password");
return nullptr; return nullptr;
} }
// extract active flag TRI_json_t const* simpleJson = TRI_LookupArrayJson(authDataJson, "simple");
bool found;
bool active = ExtractBooleanShapedJson(shaper, shapedJson, "active", &found); if (! TRI_IsArrayJson(simpleJson)) {
LOG_DEBUG("cannot extract simple");
return nullptr;
}
if (! found) { TRI_json_t const* methodJson = TRI_LookupArrayJson(simpleJson, "method");
TRI_FreeString(TRI_CORE_MEM_ZONE, user); TRI_json_t const* saltJson = TRI_LookupArrayJson(simpleJson, "salt");
TRI_FreeString(TRI_CORE_MEM_ZONE, password); TRI_json_t const* hashJson = TRI_LookupArrayJson(simpleJson, "hash");
if (! TRI_IsStringJson(methodJson) ||
! TRI_IsStringJson(saltJson) ||
! TRI_IsStringJson(hashJson)) {
LOG_DEBUG("cannot extract password internals");
return nullptr;
}
// extract "active" attribute
bool active;
TRI_json_t const* activeJson = TRI_LookupArrayJson(authDataJson, "active");
if (! TRI_IsBooleanJson(activeJson)) {
LOG_DEBUG("cannot extract active flag"); LOG_DEBUG("cannot extract active flag");
return nullptr; return nullptr;
} }
active = activeJson->_value._boolean;
// extract must-change-password flag
bool mustChange = ExtractBooleanShapedJson(shaper, shapedJson, "changePassword", &found); // extract "changePassword" attribute
bool mustChange;
if (! found) { TRI_json_t const* mustChangeJson = TRI_LookupArrayJson(json, "changePassword");
if (TRI_IsBooleanJson(mustChangeJson)) {
mustChange = mustChangeJson->_value._boolean;
}
else {
// default value
mustChange = false; mustChange = false;
} }
TRI_vocbase_auth_t* result = static_cast<TRI_vocbase_auth_t*>(TRI_Allocate(TRI_UNKNOWN_MEM_ZONE, sizeof(TRI_vocbase_auth_t), true)); TRI_vocbase_auth_t* result = static_cast<TRI_vocbase_auth_t*>(TRI_Allocate(TRI_UNKNOWN_MEM_ZONE, sizeof(TRI_vocbase_auth_t), true));
if (result == nullptr) { if (result == nullptr) {
TRI_FreeString(TRI_CORE_MEM_ZONE, user);
TRI_FreeString(TRI_CORE_MEM_ZONE, password);
LOG_ERROR("couldn't load auth information - out of memory"); LOG_ERROR("couldn't load auth information - out of memory");
return nullptr; return nullptr;
} }
result->_username = user; result->_username = TRI_DuplicateString2Z(TRI_CORE_MEM_ZONE, userJson->_value._string.data, userJson->_value._string.length - 1);
result->_password = password; result->_passwordMethod = TRI_DuplicateString2Z(TRI_CORE_MEM_ZONE, methodJson->_value._string.data, methodJson->_value._string.length - 1);
result->_active = active; result->_passwordSalt = TRI_DuplicateString2Z(TRI_CORE_MEM_ZONE, saltJson->_value._string.data, saltJson->_value._string.length - 1);
result->_mustChange = mustChange; result->_passwordHash = TRI_DuplicateString2Z(TRI_CORE_MEM_ZONE, hashJson->_value._string.data, hashJson->_value._string.length - 1);
result->_active = active;
result->_mustChange = mustChange;
return result; return result;
} }
////////////////////////////////////////////////////////////////////////////////
/// @brief extracts the auth information
////////////////////////////////////////////////////////////////////////////////
static TRI_vocbase_auth_t* ConvertAuthInfo (TRI_vocbase_t* vocbase,
TRI_document_collection_t* document,
TRI_doc_mptr_t const* mptr) {
TRI_shaper_t* shaper = document->getShaper(); // PROTECTED by trx in caller, checked by RUNTIME
TRI_shaped_json_t shapedJson;
TRI_EXTRACT_SHAPED_JSON_MARKER(shapedJson, mptr->getDataPtr()); // ONLY IN INDEX, PROTECTED by RUNTIME
if (shapedJson._sid == TRI_SHAPE_ILLEGAL) {
return nullptr;
}
TRI_json_t* json = TRI_JsonShapedJson(shaper, &shapedJson);
if (json == nullptr) {
return nullptr;
}
TRI_vocbase_auth_t* auth = AuthFromJson(json);
TRI_FreeJson(TRI_UNKNOWN_MEM_ZONE, json);
return auth; // maybe a nullptr
}
//////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////
/// @brief clears the authentication info /// @brief clears the authentication info
/// ///
@ -389,22 +348,46 @@ bool TRI_InsertInitialAuthInfo (TRI_vocbase_t* vocbase) {
"user", "user",
TRI_CreateStringCopyJson(TRI_UNKNOWN_MEM_ZONE, "root")); TRI_CreateStringCopyJson(TRI_UNKNOWN_MEM_ZONE, "root"));
// password TRI_json_t* authData = TRI_CreateArrayJson(TRI_UNKNOWN_MEM_ZONE);
TRI_Insert3ArrayJson(TRI_UNKNOWN_MEM_ZONE,
user,
"password",
TRI_CreateStringCopyJson(TRI_UNKNOWN_MEM_ZONE, "$1$c776f5f4$ef74bc6fd59ac713bf5929c5ac2f42233e50d4d58748178132ea46dec433bd5b"));
// active if (authData != nullptr) {
TRI_Insert3ArrayJson(TRI_UNKNOWN_MEM_ZONE, // simple
user, TRI_json_t* simple = TRI_CreateArrayJson(TRI_UNKNOWN_MEM_ZONE);
"active",
TRI_CreateBooleanJson(TRI_UNKNOWN_MEM_ZONE, true)); if (simple != nullptr) {
TRI_Insert3ArrayJson(TRI_UNKNOWN_MEM_ZONE,
simple,
"method",
TRI_CreateStringCopyJson(TRI_UNKNOWN_MEM_ZONE, "sha256"));
TRI_Insert3ArrayJson(TRI_UNKNOWN_MEM_ZONE,
simple,
"salt",
TRI_CreateStringCopyJson(TRI_UNKNOWN_MEM_ZONE, "c776f5f4"));
TRI_Insert3ArrayJson(TRI_UNKNOWN_MEM_ZONE,
simple,
"hash",
TRI_CreateStringCopyJson(TRI_UNKNOWN_MEM_ZONE, "ef74bc6fd59ac713bf5929c5ac2f42233e50d4d58748178132ea46dec433bd5b"));
TRI_Insert3ArrayJson(TRI_UNKNOWN_MEM_ZONE, authData, "simple", simple);
}
// active
TRI_Insert3ArrayJson(TRI_UNKNOWN_MEM_ZONE,
authData,
"active",
TRI_CreateBooleanJson(TRI_UNKNOWN_MEM_ZONE, true));
TRI_Insert3ArrayJson(TRI_UNKNOWN_MEM_ZONE, user, "authData", authData);
}
TRI_PushBack3ListJson(TRI_UNKNOWN_MEM_ZONE, json, user); TRI_PushBack3ListJson(TRI_UNKNOWN_MEM_ZONE, json, user);
TRI_PopulateAuthInfo(vocbase, json); TRI_PopulateAuthInfo(vocbase, json);
std::cout << triagens::basics::JsonHelper::toString(json) << "\n";
TRI_FreeJson(TRI_UNKNOWN_MEM_ZONE, json); TRI_FreeJson(TRI_UNKNOWN_MEM_ZONE, json);
return true; return true;
@ -444,14 +427,7 @@ bool TRI_LoadAuthInfo (TRI_vocbase_t* vocbase) {
for (; ptr < end; ++ptr) { for (; ptr < end; ++ptr) {
if (*ptr) { if (*ptr) {
TRI_vocbase_auth_t* auth; TRI_vocbase_auth_t* auth = ConvertAuthInfo(vocbase, document, (TRI_doc_mptr_t const*) *ptr);
TRI_shaped_json_t shapedJson;
TRI_doc_mptr_t const* d = (TRI_doc_mptr_t const*) *ptr;
TRI_EXTRACT_SHAPED_JSON_MARKER(shapedJson, d->getDataPtr()); // PROTECTED by trx here
auth = ConvertAuthInfo(vocbase, document, &shapedJson);
if (auth != nullptr) { if (auth != nullptr) {
TRI_vocbase_auth_t* old = static_cast<TRI_vocbase_auth_t*>(TRI_InsertKeyAssociativePointer(&vocbase->_authInfo, auth->_username, auth, true)); TRI_vocbase_auth_t* old = static_cast<TRI_vocbase_auth_t*>(TRI_InsertKeyAssociativePointer(&vocbase->_authInfo, auth->_username, auth, true));
@ -476,52 +452,19 @@ bool TRI_LoadAuthInfo (TRI_vocbase_t* vocbase) {
bool TRI_PopulateAuthInfo (TRI_vocbase_t* vocbase, bool TRI_PopulateAuthInfo (TRI_vocbase_t* vocbase,
TRI_json_t const* json) { TRI_json_t const* json) {
size_t i, n;
TRI_ASSERT(TRI_IsListJson(json)); TRI_ASSERT(TRI_IsListJson(json));
n = json->_value._objects._length;
TRI_WriteLockReadWriteLock(&vocbase->_authInfoLock); TRI_WriteLockReadWriteLock(&vocbase->_authInfoLock);
ClearAuthInfo(vocbase); ClearAuthInfo(vocbase);
for (i = 0; i < n; ++i) { size_t const n = json->_value._objects._length;
TRI_json_t const* user; for (size_t i = 0; i < n; ++i) {
TRI_json_t const* username; TRI_vocbase_auth_t* auth = AuthFromJson(TRI_LookupListJson(json, i));
TRI_json_t const* password;
TRI_json_t const* active;
user = TRI_LookupListJson(json, i);
if (! TRI_IsArrayJson(user)) {
continue;
}
username = TRI_LookupArrayJson(user, "user");
password = TRI_LookupArrayJson(user, "password");
active = TRI_LookupArrayJson(user, "active");
if (! TRI_IsStringJson(username) ||
! TRI_IsStringJson(password) ||
! TRI_IsBooleanJson(active)) {
continue;
}
TRI_vocbase_auth_t* auth = static_cast<TRI_vocbase_auth_t*>(TRI_Allocate(TRI_UNKNOWN_MEM_ZONE, sizeof(TRI_vocbase_auth_t), true));
if (auth == nullptr) { if (auth == nullptr) {
continue; continue;
} }
auth->_username = TRI_DuplicateString2Z(TRI_CORE_MEM_ZONE,
username->_value._string.data,
username->_value._string.length - 1);
auth->_password = TRI_DuplicateString2Z(TRI_CORE_MEM_ZONE,
password->_value._string.data,
password->_value._string.length - 1);
auth->_active = active->_value._boolean;
TRI_InsertKeyAssociativePointer(&vocbase->_authInfo, TRI_InsertKeyAssociativePointer(&vocbase->_authInfo,
auth->_username, auth->_username,
auth, auth,
@ -587,13 +530,6 @@ bool TRI_CheckAuthenticationAuthInfo (TRI_vocbase_t* vocbase,
char const* username, char const* username,
char const* password, char const* password,
bool* mustChange) { bool* mustChange) {
bool res;
char* hex;
char* sha256;
size_t hexLen;
size_t len;
size_t sha256Len;
TRI_ASSERT(vocbase != nullptr); TRI_ASSERT(vocbase != nullptr);
// look up username // look up username
@ -607,53 +543,65 @@ bool TRI_CheckAuthenticationAuthInfo (TRI_vocbase_t* vocbase,
*mustChange = auth->_mustChange; *mustChange = auth->_mustChange;
// convert password size_t const n = strlen(auth->_passwordSalt);
res = false; size_t const p = strlen(password);
char* salted = static_cast<char*>(TRI_Allocate(TRI_UNKNOWN_MEM_ZONE, n + p + 1, false));
// salted password if (salted == nullptr) {
if (TRI_IsPrefixString(auth->_password, "$1$")) { TRI_ReadUnlockReadWriteLock(&vocbase->_authInfoLock);
if (strlen(auth->_password) < 12 || auth->_password[11] != '$') { return false;
LOG_WARNING("found corrupted password for user '%s'", username); }
memcpy(salted, auth->_passwordSalt, n);
memcpy(salted + n, password, p);
salted[n + p] = '\0';
// default value is false
bool res = false;
char* crypted = nullptr;
size_t cryptedLength;
TRI_ASSERT(auth->_passwordMethod != nullptr);
try {
if (strcmp(auth->_passwordMethod, "sha1") == 0) {
triagens::rest::SslInterface::sslSHA1(salted, n + p, crypted, cryptedLength);
}
else if (strcmp(auth->_passwordMethod, "sha256") == 0) {
triagens::rest::SslInterface::sslSHA256(salted, n + p, crypted, cryptedLength);
}
else if (strcmp(auth->_passwordMethod, "sha224") == 0) {
triagens::rest::SslInterface::sslSHA224(salted, n + p, crypted, cryptedLength);
}
else if (strcmp(auth->_passwordMethod, "md5") == 0) {
triagens::rest::SslInterface::sslMD5(salted, n + p, crypted, cryptedLength);
} }
else { else {
len = 8 + strlen(password); // invalid algorithm...
char* salted = static_cast<char*>(TRI_Allocate(TRI_CORE_MEM_ZONE, len + 1, false)); res = false;
memcpy(salted, auth->_password + 3, 8);
memcpy(salted + 8, password, len - 8);
salted[len] = '\0';
sha256 = TRI_SHA256String(salted, len, &sha256Len);
TRI_FreeString(TRI_CORE_MEM_ZONE, salted);
hex = TRI_EncodeHexString(sha256, sha256Len, &hexLen);
TRI_FreeString(TRI_CORE_MEM_ZONE, sha256);
LOG_DEBUG("found active user '%s', expecting password '%s', got '%s'",
username,
auth->_password + 12,
hex);
res = TRI_EqualString(auth->_password + 12, hex);
TRI_FreeString(TRI_CORE_MEM_ZONE, hex);
} }
} }
catch (...) {
// unsalted password // SslInterface::ssl....() allocate strings with new, which might throw exceptions
else { // if we get one, we can ignore it because res is set to false anyway
len = strlen(password);
sha256 = TRI_SHA256String(password, len, &sha256Len);
hex = TRI_EncodeHexString(sha256, sha256Len, &hexLen);
TRI_FreeString(TRI_CORE_MEM_ZONE, sha256);
LOG_DEBUG("found active user '%s', expecting password '%s', got '%s'",
username,
auth->_password + 12,
hex);
res = TRI_EqualString(auth->_password, hex);
TRI_FreeString(TRI_CORE_MEM_ZONE, hex);
} }
if (crypted != nullptr) {
TRI_ASSERT(cryptedLength > 0);
size_t hexLen;
char* hex = TRI_EncodeHexString(crypted, cryptedLength, &hexLen);
if (hex != nullptr) {
res = TRI_EqualString(auth->_passwordHash, hex);
TRI_FreeString(TRI_CORE_MEM_ZONE, hex);
}
delete[] crypted;
}
TRI_FreeString(TRI_UNKNOWN_MEM_ZONE, salted);
TRI_ReadUnlockReadWriteLock(&vocbase->_authInfoLock); TRI_ReadUnlockReadWriteLock(&vocbase->_authInfoLock);

4
arangod/VocBase/auth.h
View File

@ -49,7 +49,9 @@ struct TRI_vocbase_s;
typedef struct TRI_vocbase_auth_s { typedef struct TRI_vocbase_auth_s {
char* _username; char* _username;
char* _password; char* _passwordMethod;
char* _passwordSalt;
char* _passwordHash;
bool _active; bool _active;
bool _mustChange; bool _mustChange;
} }