mirror of https://gitee.com/bigwinds/arangodb
fix nullptr access to usermanager object (#7095)
This commit is contained in:
Jan
GitHub
parent
78af18dfd2
commit
8d88cb49df
|
|
@ -50,10 +50,10 @@ AuthenticationFeature::AuthenticationFeature(
|
||||||
_authCache(nullptr),
|
_authCache(nullptr),
|
||||||
_authenticationUnixSockets(true),
|
_authenticationUnixSockets(true),
|
||||||
_authenticationSystemOnly(true),
|
_authenticationSystemOnly(true),
|
||||||
_authenticationTimeout(0.0),
|
|
||||||
_localAuthentication(true),
|
_localAuthentication(true),
|
||||||
_jwtSecretProgramOption(""),
|
_active(true),
|
||||||
_active(true) {
|
_authenticationTimeout(0.0),
|
||||||
|
_jwtSecretProgramOption("") {
|
||||||
setOptional(false);
|
setOptional(false);
|
||||||
startsAfter("BasicsPhase");
|
startsAfter("BasicsPhase");
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -77,11 +77,11 @@ class AuthenticationFeature final
|
||||||
std::unique_ptr<auth::TokenCache> _authCache;
|
std::unique_ptr<auth::TokenCache> _authCache;
|
||||||
bool _authenticationUnixSockets;
|
bool _authenticationUnixSockets;
|
||||||
bool _authenticationSystemOnly;
|
bool _authenticationSystemOnly;
|
||||||
double _authenticationTimeout;
|
|
||||||
bool _localAuthentication;
|
bool _localAuthentication;
|
||||||
|
bool _active;
|
||||||
|
double _authenticationTimeout;
|
||||||
|
|
||||||
std::string _jwtSecretProgramOption;
|
std::string _jwtSecretProgramOption;
|
||||||
bool _active;
|
|
||||||
|
|
||||||
static AuthenticationFeature* INSTANCE;
|
static AuthenticationFeature* INSTANCE;
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -214,7 +214,11 @@ GeneralCommTask::RequestFlow GeneralCommTask::prepareExecution(GeneralRequest& r
|
||||||
// prevent guessing database names (issue #5030)
|
// prevent guessing database names (issue #5030)
|
||||||
auth::Level lvl = auth::Level::NONE;
|
auth::Level lvl = auth::Level::NONE;
|
||||||
if (req.authenticated()) {
|
if (req.authenticated()) {
|
||||||
|
if (_auth->userManager() != nullptr) {
|
||||||
lvl = _auth->userManager()->databaseAuthLevel(req.user(), req.databaseName());
|
lvl = _auth->userManager()->databaseAuthLevel(req.user(), req.databaseName());
|
||||||
|
} else {
|
||||||
|
lvl = auth::Level::RW;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
if (lvl == auth::Level::NONE) {
|
if (lvl == auth::Level::NONE) {
|
||||||
addErrorResponse(rest::ResponseCode::UNAUTHORIZED, req.contentTypeResponse(),
|
addErrorResponse(rest::ResponseCode::UNAUTHORIZED, req.contentTypeResponse(),
|
||||||
|
|
|
||||||
|
|
@ -154,8 +154,13 @@ void RestAdminServerHandler::handleMode() {
|
||||||
|
|
||||||
AuthenticationFeature* af = AuthenticationFeature::instance();
|
AuthenticationFeature* af = AuthenticationFeature::instance();
|
||||||
if (af->isEnabled() && !_request->user().empty()) {
|
if (af->isEnabled() && !_request->user().empty()) {
|
||||||
auth::Level lvl = af->userManager()->databaseAuthLevel(_request->user(),
|
auth::Level lvl = auth::Level::NONE;
|
||||||
|
if (af->userManager() != nullptr) {
|
||||||
|
lvl = af->userManager()->databaseAuthLevel(_request->user(),
|
||||||
TRI_VOC_SYSTEM_DATABASE, /*configured*/true);
|
TRI_VOC_SYSTEM_DATABASE, /*configured*/true);
|
||||||
|
} else {
|
||||||
|
lvl = auth::Level::RW;
|
||||||
|
}
|
||||||
if (lvl < auth::Level::RW) {
|
if (lvl < auth::Level::RW) {
|
||||||
generateError(rest::ResponseCode::FORBIDDEN, TRI_ERROR_FORBIDDEN);
|
generateError(rest::ResponseCode::FORBIDDEN, TRI_ERROR_FORBIDDEN);
|
||||||
return;
|
return;
|
||||||
|
|
|
||||||
|
|
@ -52,7 +52,12 @@ RestStatus RestShutdownHandler::execute() {
|
||||||
|
|
||||||
AuthenticationFeature* af = AuthenticationFeature::instance();
|
AuthenticationFeature* af = AuthenticationFeature::instance();
|
||||||
if (af->isEnabled() && !_request->user().empty()) {
|
if (af->isEnabled() && !_request->user().empty()) {
|
||||||
auth::Level lvl = af->userManager()->databaseAuthLevel(_request->user(), "_system", /*configured*/true);
|
auth::Level lvl = auth::Level::NONE;
|
||||||
|
if (af->userManager() != nullptr) {
|
||||||
|
lvl = af->userManager()->databaseAuthLevel(_request->user(), "_system", /*configured*/true);
|
||||||
|
} else {
|
||||||
|
lvl = auth::Level::RW;
|
||||||
|
}
|
||||||
if (lvl < auth::Level::RW) {
|
if (lvl < auth::Level::RW) {
|
||||||
generateError(rest::ResponseCode::FORBIDDEN, TRI_ERROR_HTTP_FORBIDDEN,
|
generateError(rest::ResponseCode::FORBIDDEN, TRI_ERROR_HTTP_FORBIDDEN,
|
||||||
"you need admin rights to trigger shutdown");
|
"you need admin rights to trigger shutdown");
|
||||||
|
|
|
||||||
|
|
@ -52,6 +52,9 @@ ExecContext* ExecContext::create(std::string const& user,
|
||||||
if (af->isActive()) {
|
if (af->isActive()) {
|
||||||
auth::UserManager* um = af->userManager();
|
auth::UserManager* um = af->userManager();
|
||||||
TRI_ASSERT(um != nullptr);
|
TRI_ASSERT(um != nullptr);
|
||||||
|
if (um == nullptr) {
|
||||||
|
THROW_ARANGO_EXCEPTION_MESSAGE(TRI_ERROR_INTERNAL, "unable to find userManager instance");
|
||||||
|
}
|
||||||
dbLvl = sysLvl = um->databaseAuthLevel(user, dbname);
|
dbLvl = sysLvl = um->databaseAuthLevel(user, dbname);
|
||||||
if (dbname != TRI_VOC_SYSTEM_DATABASE) {
|
if (dbname != TRI_VOC_SYSTEM_DATABASE) {
|
||||||
sysLvl = um->databaseAuthLevel(user, TRI_VOC_SYSTEM_DATABASE);
|
sysLvl = um->databaseAuthLevel(user, TRI_VOC_SYSTEM_DATABASE);
|
||||||
|
|
@ -70,7 +73,12 @@ bool ExecContext::canUseDatabase(std::string const& db,
|
||||||
AuthenticationFeature* af = AuthenticationFeature::instance();
|
AuthenticationFeature* af = AuthenticationFeature::instance();
|
||||||
TRI_ASSERT(af != nullptr);
|
TRI_ASSERT(af != nullptr);
|
||||||
if (af->isActive()) {
|
if (af->isActive()) {
|
||||||
auth::Level allowed = af->userManager()->databaseAuthLevel(_user, db);
|
auth::UserManager* um = af->userManager();
|
||||||
|
TRI_ASSERT(um != nullptr);
|
||||||
|
if (um == nullptr) {
|
||||||
|
THROW_ARANGO_EXCEPTION_MESSAGE(TRI_ERROR_INTERNAL, "unable to find userManager instance");
|
||||||
|
}
|
||||||
|
auth::Level allowed = um->databaseAuthLevel(_user, db);
|
||||||
return requested <= allowed;
|
return requested <= allowed;
|
||||||
}
|
}
|
||||||
return true;
|
return true;
|
||||||
|
|
@ -102,5 +110,8 @@ auth::Level ExecContext::collectionAuthLevel(std::string const& dbname,
|
||||||
|
|
||||||
auth::UserManager* um = af->userManager();
|
auth::UserManager* um = af->userManager();
|
||||||
TRI_ASSERT(um != nullptr);
|
TRI_ASSERT(um != nullptr);
|
||||||
|
if (um == nullptr) {
|
||||||
|
THROW_ARANGO_EXCEPTION_MESSAGE(TRI_ERROR_INTERNAL, "unable to find userManager instance");
|
||||||
|
}
|
||||||
return um->collectionAuthLevel(_user, dbname, coll);
|
return um->collectionAuthLevel(_user, dbname, coll);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -183,8 +183,12 @@ static void JS_UpdateUser(v8::FunctionCallbackInfo<v8::Value> const& args) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
AuthenticationFeature* af = AuthenticationFeature::instance();
|
auth::UserManager* um = AuthenticationFeature::instance()->userManager();
|
||||||
af->userManager()->updateUser(username, [&](auth::User& u) {
|
if (um == nullptr) {
|
||||||
|
TRI_V8_THROW_EXCEPTION_MESSAGE(TRI_ERROR_NOT_IMPLEMENTED,
|
||||||
|
"users are not supported on this server");
|
||||||
|
}
|
||||||
|
um->updateUser(username, [&](auth::User& u) {
|
||||||
if (args.Length() > 1 && args[1]->IsString()) {
|
if (args.Length() > 1 && args[1]->IsString()) {
|
||||||
u.updatePassword(TRI_ObjectToString(args[1]));
|
u.updatePassword(TRI_ObjectToString(args[1]));
|
||||||
}
|
}
|
||||||
|
|
@ -355,7 +359,6 @@ static void JS_GrantCollection(
|
||||||
}
|
}
|
||||||
|
|
||||||
auth::UserManager* um = AuthenticationFeature::instance()->userManager();
|
auth::UserManager* um = AuthenticationFeature::instance()->userManager();
|
||||||
|
|
||||||
if (um == nullptr) {
|
if (um == nullptr) {
|
||||||
TRI_V8_THROW_EXCEPTION_MESSAGE(TRI_ERROR_NOT_IMPLEMENTED,
|
TRI_V8_THROW_EXCEPTION_MESSAGE(TRI_ERROR_NOT_IMPLEMENTED,
|
||||||
"user are not supported on this server");
|
"user are not supported on this server");
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue