Hawkin
/
arangodb
mirror of https://gitee.com/bigwinds/arangodb
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Call license key check. (#7594) (#7704) 

* Call license key check. (#7594)

* Add CHANGELOG entry.

* Fix super user JWT token behaviour with non-ex. db. (#7656)
This commit is contained in:
Max Neunhöffer 2018-12-10 10:33:00 +01:00 committed by GitHub
parent 66ea1fd494
commit c78e3c89e0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 35 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
CHANGELOG
View File

@ -120,6 +120,8 @@ devel
* use `-std=c++14` for ArangoDB compilation * use `-std=c++14` for ArangoDB compilation
* Add license key checking to enterprise version in Docker containers.
v3.4.0-rc.5 (XXXX-XX-XX) v3.4.0-rc.5 (XXXX-XX-XX)
------------------------ ------------------------

5
arangod/GeneralServer/GeneralCommTask.cpp
View File

@ -213,7 +213,10 @@ GeneralCommTask::RequestFlow GeneralCommTask::prepareExecution(GeneralRequest& r
// prevent guessing database names (issue #5030) // prevent guessing database names (issue #5030)
auth::Level lvl = auth::Level::NONE; auth::Level lvl = auth::Level::NONE;
if (req.authenticated()) { if (req.authenticated()) {
if (_auth->userManager() != nullptr) { // If we are authenticated and the user name is empty, then we must
// have been authenticated with a superuser JWT token. In this case,
// we must not check the databaseAuthLevel here.
if (_auth->userManager() != nullptr && !req.user().empty()) {
lvl = _auth->userManager()->databaseAuthLevel(req.user(), req.databaseName()); lvl = _auth->userManager()->databaseAuthLevel(req.user(), req.databaseName());
} else { } else {
lvl = auth::Level::RW; lvl = auth::Level::RW;

6
arangod/RestServer/arangod.cpp
View File

@ -307,6 +307,12 @@ static void WINAPI ServiceMain(DWORD dwArgc, LPSTR* lpszArgv) {
#endif #endif
int main(int argc, char* argv[]) { int main(int argc, char* argv[]) {
#ifdef __linux__
#if USE_ENTERPRISE
arangodb::checkLicenseKey();
#endif
#endif
TRI_GET_ARGV(argc, argv); TRI_GET_ARGV(argc, argv);
#if _WIN32 #if _WIN32
if (argc > 1 && TRI_EqualString("--start-service", argv[1])) { if (argc > 1 && TRI_EqualString("--start-service", argv[1])) {

23
tests/js/client/authentication/auth.js
View File

@ -513,6 +513,29 @@ function AuthSuite() {
expect(res).to.have.property('statusCode', 401); expect(res).to.have.property('statusCode', 401);
}, },
testDatabaseGuessingSuperUser: function() {
let jwt = crypto.jwtEncode(jwtSecret, {
"server_id": "foo",
"iss": "arangodb", "exp": Math.floor(Date.now() / 1000) + 3600
}, 'HS256');
// should respond with not-found because we are root
var res = request.get({
url: baseUrl() + "/_db/nonexisting/_api/version",
auth: {
bearer: jwt,
}
});
expect(res).to.be.an.instanceof(request.Response);
expect(res).to.have.property('statusCode', 404);
// should prevent name guessing by unauthorized users
res = request.get({
url: baseUrl() + "/_db/nonexisting/_api/version"
});
expect(res).to.be.an.instanceof(request.Response);
expect(res).to.have.property('statusCode', 401);
},
testDatabaseListNonSystem: function() { testDatabaseListNonSystem: function() {
let jwt = crypto.jwtEncode(jwtSecret, { let jwt = crypto.jwtEncode(jwtSecret, {
"preferred_username": "root", "preferred_username": "root",