Hawkin
/
arangodb
mirror of https://gitee.com/bigwinds/arangodb
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Feature/jwt keyfile (#7863) 

* Added jwt-keyfile option and warning for old option.
* CHANGELOG
* Add trimming to --auth.jwt-secret-keyfile
* Adjust some comments.
This commit is contained in:
Lars Maier 2019-01-02 14:38:38 +01:00 committed by Max Neunhöffer
parent 98ff9621bf
commit 5c53ebceb0
3 changed files with 66 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
CHANGELOG
View File

@ -1,6 +1,8 @@
devel devel
----- -----
* Added --server.jwt-secret-keyfile option.
* speed up data-modification operations in exclusive transactions in the RocksDB * speed up data-modification operations in exclusive transactions in the RocksDB
storage engine storage engine

30
arangod/GeneralServer/AuthenticationFeature.cpp
View File

@ -30,6 +30,8 @@
#include "ProgramOptions/ProgramOptions.h" #include "ProgramOptions/ProgramOptions.h"
#include "Random/RandomGenerator.h" #include "Random/RandomGenerator.h"
#include "RestServer/QueryRegistryFeature.h" #include "RestServer/QueryRegistryFeature.h"
#include "Basics/FileUtils.h"
#include "Basics/StringUtils.h"
#if USE_ENTERPRISE #if USE_ENTERPRISE
#include "Enterprise/Ldap/LdapAuthenticationHandler.h" #include "Enterprise/Ldap/LdapAuthenticationHandler.h"
@ -101,13 +103,39 @@ void AuthenticationFeature::collectOptions(std::shared_ptr<ProgramOptions> optio
new BooleanParameter(&_authenticationUnixSockets)); new BooleanParameter(&_authenticationUnixSockets));
#endif #endif
// Maybe deprecate this option in devel
options->addOption("--server.jwt-secret", options->addOption("--server.jwt-secret",
"secret to use when doing jwt authentication", "secret to use when doing jwt authentication",
new StringParameter(&_jwtSecretProgramOption)); new StringParameter(&_jwtSecretProgramOption));
options->addOption("--server.jwt-secret-keyfile",
"file containing jwt secret to use when doing jwt authentication.",
new StringParameter(&_jwtSecretKeyfileProgramOption));
} }
void AuthenticationFeature::validateOptions(std::shared_ptr<ProgramOptions>) { void AuthenticationFeature::validateOptions(std::shared_ptr<ProgramOptions>) {
if (!_jwtSecretProgramOption.empty()) { if (!_jwtSecretKeyfileProgramOption.empty()) {
try {
// Note that the secret is trimmed for whitespace, because whitespace
// at the end of a file can easily happen. We do not base64-encode,
// though, so the bytes count as given. Zero bytes might be a problem
// here.
_jwtSecretProgramOption = basics::StringUtils::trim(
basics::FileUtils::slurp(_jwtSecretKeyfileProgramOption),
" \t\n\r");
} catch (std::exception const& ex) {
LOG_TOPIC(FATAL, Logger::STARTUP)
<< "unable to read content of jwt-secret file '"
<< _jwtSecretKeyfileProgramOption << "': " << ex.what()
<< ". please make sure the file/directory is readable for the "
"arangod process and user";
FATAL_ERROR_EXIT();
}
} else if (!_jwtSecretProgramOption.empty()) {
LOG_TOPIC(WARN, arangodb::Logger::FIXME)
<< "--server.jwt-secret is insecure. Use --server.jwt-secret-keyfile instead.";
if (_jwtSecretProgramOption.length() > _maxSecretLength) { if (_jwtSecretProgramOption.length() > _maxSecretLength) {
LOG_TOPIC(FATAL, arangodb::Logger::FIXME) LOG_TOPIC(FATAL, arangodb::Logger::FIXME)
<< "Given JWT secret too long. Max length is " << _maxSecretLength; << "Given JWT secret too long. Max length is " << _maxSecretLength;

1
arangod/GeneralServer/AuthenticationFeature.h
View File

@ -79,6 +79,7 @@ class AuthenticationFeature final : public application_features::ApplicationFeat
double _authenticationTimeout; double _authenticationTimeout;
std::string _jwtSecretProgramOption; std::string _jwtSecretProgramOption;
std::string _jwtSecretKeyfileProgramOption;
static AuthenticationFeature* INSTANCE; static AuthenticationFeature* INSTANCE;
}; };