From 1ac0cb9bb369c52df84bca7c4e8c557325434d2b Mon Sep 17 00:00:00 2001
From: Frank Celler
Date: Sun, 8 Oct 2017 22:04:52 +0200
Subject: [PATCH] added --server.local-authentication
---
 CHANGELOG | 4 +++-
 .../Administration/Configuration/GeneralArangod.md | 9 +++++++++
 arangod/GeneralServer/AuthenticationFeature.cpp | 5 +++++
 arangod/GeneralServer/AuthenticationFeature.h | 2 ++
 arangod/VocBase/AuthInfo.cpp | 9 ++++++++-
 5 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 294c459192..7e73eac715 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,11 +1,13 @@
 v3.3.milestone1 (2017-10-06)
 ----------------------------
+* added option `--server.local-authentication`
+
 * UI: added user roles
 * added config option `--log.color` to toggle colorful logging to terminal
-* added config option `--log.thread-name` to additionally log thread names
+* added config option `--log.thread-name` to additionally log thread names
 * usernames must not start with `:role:`, added new options: --server.authentication-timeout
diff --git a/Documentation/Books/Manual/Administration/Configuration/GeneralArangod.md b/Documentation/Books/Manual/Administration/Configuration/GeneralArangod.md
index 744fcd7b9d..fd5bab5c8e 100644
--- a/Documentation/Books/Manual/Administration/Configuration/GeneralArangod.md
+++ b/Documentation/Books/Manual/Administration/Configuration/GeneralArangod.md
@@ -233,6 +233,15 @@ domain sockets.
 Sets the cache timeout to *value* (in seconds). This is only necessary if you use an external authentication system like LDAP.
+### Enable local authentication
+
+`--server.local-authentication value`
+
+If set to *false* only use the external authentication system. If
+*true* also use the local *_users* collections.
+
+The default value is *true*.
+
 ### Enable/disable replication applier
 `--database.replication-applier flag`
diff --git a/arangod/GeneralServer/AuthenticationFeature.cpp b/arangod/GeneralServer/AuthenticationFeature.cpp
index 1d6b54d997..4649505c90 100644
--- a/arangod/GeneralServer/AuthenticationFeature.cpp
+++ b/arangod/GeneralServer/AuthenticationFeature.cpp
@@ -46,6 +46,7 @@ AuthenticationFeature::AuthenticationFeature(
 _authenticationUnixSockets(true),
 _authenticationSystemOnly(true),
 _authenticationTimeout(0.0),
+ _localAuthentication(true),
 _jwtSecretProgramOption(""),
 _active(true) {
 setOptional(true);
@@ -84,6 +85,10 @@ void AuthenticationFeature::collectOptions(
 "timeout for the authentication cache (0 = indefinitely)",
 new DoubleParameter(&_authenticationTimeout));
+ options->addOption("--server.local-authentication",
+ "enable or disable authentication using the local user database",
+ new BooleanParameter(&_localAuthentication));
+
 options->addOption(
 "--server.authentication-system-only",
 "use HTTP authentication only for requests to /_api and /_admin",
diff --git a/arangod/GeneralServer/AuthenticationFeature.h b/arangod/GeneralServer/AuthenticationFeature.h
index 53ec9681bf..6f9bf3bd8f 100644
--- a/arangod/GeneralServer/AuthenticationFeature.h
+++ b/arangod/GeneralServer/AuthenticationFeature.h
@@ -51,6 +51,7 @@ class AuthenticationFeature final
 bool _authenticationUnixSockets;
 bool _authenticationSystemOnly;
 double _authenticationTimeout;
+ bool _localAuthentication;
 std::string _jwtSecretProgramOption;
 bool _active;
@@ -65,6 +66,7 @@ class AuthenticationFeature final
 authInfo()->setJwtSecret(jwtSecret);
 }
 double authenticationTimeout() const { return _authenticationTimeout; }
+ bool localAuthentication() const { return _localAuthentication; }
 AuthInfo* authInfo();
 AuthLevel canUseDatabase(std::string const& username,
diff --git a/arangod/VocBase/AuthInfo.cpp b/arangod/VocBase/AuthInfo.cpp
index 8879951041..02a5af8cad 100644
--- a/arangod/VocBase/AuthInfo.cpp
+++ b/arangod/VocBase/AuthInfo.cpp
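Review bot: The help text added for `--server.local-authentication` in the collectOptions hunk does not say that switching it off only makes sense when an external authentication handler is configured; judging by the AuthInfo.cpp change in this patch, with the option false every user stored in the local collection is rejected and only unknown users reach the external handler, so a server without such a handler would presumably reject all password logins. Suggest `"enable or disable authentication using the local user database (disable only when an external authentication system such as LDAP is configured)"`. If the feature has a startup option-validation hook, it would also be worth rejecting or at least warning on `false` when no external handler is set up, since the failure mode is otherwise only visible as failed logins.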
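Review bot: `bool _localAuthentication;` in the first AuthenticationFeature.h hunk is added without a comment, and the getter `localAuthentication()` in the second hunk has none either, so a reader of the header cannot tell what disabling it does. Suggest `bool _localAuthentication;  // false: AuthInfo::checkPassword rejects users whose entry comes from the local _users collection (AuthSource::COLLECTION)`, which is what the AuthInfo.cpp change in this patch implements.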
@@ -793,6 +793,12 @@ AuthResult AuthInfo::checkPassword(std::string const& username,
 READ_LOCKER(readLocker, _authInfoLock);
 auto it = _authInfo.find(username);
+ auto feature = AuthenticationFeature::INSTANCE;
+
+ if (it != _authInfo.end() && (it->second.source() == AuthSource::COLLECTION)
+ && feature != nullptr && ! feature->localAuthentication()) {
+ return result;
+ }
 if (it == _authInfo.end() || (it->second.source() == AuthSource::LDAP)) {
 TRI_ASSERT(_authenticationHandler);
@@ -843,10 +849,12 @@ AuthResult AuthInfo::checkPassword(std::string const& username,
 if (it != _authInfo.end()) {
 AuthUserEntry const& auth = it->second;
+
 if (auth.isActive()) {
 result._authorized = auth.checkPassword(password);
 }
 }
+
 return result;
 }
@@ -958,7 +966,6 @@ AuthResult AuthInfo::checkAuthenticationBasic(std::string const& secret) {
 std::string password = up.substr(n + 1);
 AuthResult result = checkPassword(username, password);
-
 double timeout = AuthenticationFeature::INSTANCE->authenticationTimeout();
 if (0 < timeout) {
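Review bot: The early return added in the first checkPassword hunk makes a user whose entry has source AuthSource::COLLECTION fail outright when local authentication is off, instead of falling through to the external handler that the following `if` consults for unknown and LDAP users; the manual text in this patch says the server should then "only use the external authentication system", so a username present both in the local collection and in LDAP would become unusable rather than authenticated externally — confirm whether the intent is to reject or to treat the local entry as absent before the LDAP branch. checkPassword starts outside the hunk, so `result` is returned in whatever state it was declared; `result._authorized = false;` before the `return` would make the rejection explicit rather than relying on the default. The `feature != nullptr` guard here is also inconsistent with the unconditional `AuthenticationFeature::INSTANCE->authenticationTimeout()` left in the last hunk of this file; either both sites guard or neither should.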