Fix deleting rocksdb views and dump_authentication (#5779)

* fix deleting rocksdb views and dump_authentication * fix changelog, fix test
2018-07-05 09:40:43 +02:00 · 2018-07-05 09:40:43 +02:00 · f699d32664
parent 222f77249f
commit f699d32664
4 changed files with 26 additions and 11 deletions
--- a/3
+++ b/3
@ -1,6 +1,9 @@
 devel
 -----

+* if authentication is turned on requests to databases by users with insufficient rights
+ will be answered with the HTTP forbidden (401) response.
+  
 * upgraded bundled RocksDB library version to 5.14

 * added key generators `uuid` and `padded`
--- a/arangod/GeneralServer/GeneralCommTask.cpp
+++ b/arangod/GeneralServer/GeneralCommTask.cpp
@ -136,16 +136,21 @@ bool resolveRequestContext(GeneralRequest& req) {
 /// response if execution is supposed to be aborted
 GeneralCommTask::RequestFlow GeneralCommTask::prepareExecution(
    GeneralRequest& req) {
-  if (!::resolveRequestContext(req)) {
+  if (!::resolveRequestContext(req)) { // false if db not found
    if (_auth->isActive()) {
-      // prevent guessing of database names (issue #5030)
-      addErrorResponse(rest::ResponseCode::UNAUTHORIZED,
-                       req.contentTypeResponse(), req.messageId(),
-                       TRI_ERROR_FORBIDDEN);
-    } else {
-      addErrorResponse(rest::ResponseCode::NOT_FOUND, req.contentTypeResponse(),
-                       req.messageId(), TRI_ERROR_ARANGO_DATABASE_NOT_FOUND);
+      // prevent guessing database names (issue #5030)
+      auth::Level lvl = auth::Level::NONE;
+      if (req.authenticated()) {
+        lvl = _auth->userManager()->databaseAuthLevel(req.user(), req.databaseName());
+      }
+      if (lvl == auth::Level::NONE) {
+        addErrorResponse(rest::ResponseCode::UNAUTHORIZED, req.contentTypeResponse(),
+                         req.messageId(), TRI_ERROR_FORBIDDEN);
+        return RequestFlow::Abort;
+      }
    }
+    addErrorResponse(rest::ResponseCode::NOT_FOUND, req.contentTypeResponse(),
+                      req.messageId(), TRI_ERROR_ARANGO_DATABASE_NOT_FOUND);
    return RequestFlow::Abort;
  }
  TRI_ASSERT(req.requestContext() != nullptr);
--- a/arangod/RocksDBEngine/RocksDBIndex.cpp
+++ b/arangod/RocksDBEngine/RocksDBIndex.cpp
@ -332,7 +332,7 @@ RocksDBKeyBounds RocksDBIndex::getBounds(Index::IndexType type,
      return RocksDBKeyBounds::GeoIndex(objectId);
 #ifdef USE_IRESEARCH
    case RocksDBIndex::TRI_IDX_TYPE_IRESEARCH_LINK:
-      return RocksDBKeyBounds::Empty();
+      return RocksDBKeyBounds::DatabaseViews(objectId);
 #endif
    case RocksDBIndex::TRI_IDX_TYPE_UNKNOWN:
    default:
--- a/js/client/tests/authentication/auth.js
+++ b/js/client/tests/authentication/auth.js
@ -495,7 +495,7 @@ function AuthSuite() {
        "preferred_username": "root",
        "iss": "arangodb", "exp": Math.floor(Date.now() / 1000) + 3600
      }, 'HS256');
-      // should respond with unauthorized name guessing
+      // should respond with not-found because we are root
      var res = request.get({
        url: baseUrl() + "/_db/nonexisting/_api/version",
        auth: {
@ -503,7 +503,14 @@ function AuthSuite() {
        }
      });
      expect(res).to.be.an.instanceof(request.Response);
-      expect(res).to.have.property('statusCode', 401);
+      expect(res).to.have.property('statusCode', 404);
+
+      // should prevent name guessing by unauthorized users
+      var res = request.get({
+        url: baseUrl() + "/_db/nonexisting/_api/version"
+      });
+      expect(res).to.be.an.instanceof(request.Response);
+      expect(res).to.have.property('statusCode', 404);
    },

    testDatabaseListNonSystem: function() {