Call license key check. (#7594) (#7704)

* Call license key check. (#7594) * Add CHANGELOG entry. * Fix super user JWT token behaviour with non-ex. db. (#7656)
2018-12-10 10:33:00 +01:00 · 2018-12-10 10:33:00 +01:00 · c78e3c89e0
parent 66ea1fd494
commit c78e3c89e0
4 changed files with 35 additions and 1 deletions
--- a/2
+++ b/2
@ -120,6 +120,8 @@ devel

 * use `-std=c++14` for ArangoDB compilation

+* Add license key checking to enterprise version in Docker containers.
+

 v3.4.0-rc.5 (XXXX-XX-XX)
 ------------------------
--- a/arangod/GeneralServer/GeneralCommTask.cpp
+++ b/arangod/GeneralServer/GeneralCommTask.cpp
@ -213,7 +213,10 @@ GeneralCommTask::RequestFlow GeneralCommTask::prepareExecution(GeneralRequest& r
      // prevent guessing database names (issue #5030)
      auth::Level lvl = auth::Level::NONE;
      if (req.authenticated()) {
-        if (_auth->userManager() != nullptr) {
+        // If we are authenticated and the user name is empty, then we must
+        // have been authenticated with a superuser JWT token. In this case,
+        // we must not check the databaseAuthLevel here.
+        if (_auth->userManager() != nullptr && !req.user().empty()) {
          lvl = _auth->userManager()->databaseAuthLevel(req.user(), req.databaseName());
        } else {
          lvl = auth::Level::RW;
--- a/arangod/RestServer/arangod.cpp
+++ b/arangod/RestServer/arangod.cpp
@ -307,6 +307,12 @@ static void WINAPI ServiceMain(DWORD dwArgc, LPSTR* lpszArgv) {
 #endif

 int main(int argc, char* argv[]) {
+#ifdef __linux__
+#if USE_ENTERPRISE
+  arangodb::checkLicenseKey();
+#endif
+#endif
+
  TRI_GET_ARGV(argc, argv);
 #if _WIN32
  if (argc > 1 && TRI_EqualString("--start-service", argv[1])) {
--- a/tests/js/client/authentication/auth.js
+++ b/tests/js/client/authentication/auth.js
@ -513,6 +513,29 @@ function AuthSuite() {
      expect(res).to.have.property('statusCode', 401);
    },

+    testDatabaseGuessingSuperUser: function() {
+      let jwt = crypto.jwtEncode(jwtSecret, {
+        "server_id": "foo",
+        "iss": "arangodb", "exp": Math.floor(Date.now() / 1000) + 3600
+      }, 'HS256');
+      // should respond with not-found because we are root
+      var res = request.get({
+        url: baseUrl() + "/_db/nonexisting/_api/version",
+        auth: {
+          bearer: jwt,
+        }
+      });
+      expect(res).to.be.an.instanceof(request.Response);
+      expect(res).to.have.property('statusCode', 404);
+
+      // should prevent name guessing by unauthorized users
+      res = request.get({
+        url: baseUrl() + "/_db/nonexisting/_api/version"
+      });
+      expect(res).to.be.an.instanceof(request.Response);
+      expect(res).to.have.property('statusCode', 401);
+    },
+
    testDatabaseListNonSystem: function() {
      let jwt = crypto.jwtEncode(jwtSecret, {
        "preferred_username": "root",