Hawkin
/
arangodb
mirror of https://gitee.com/bigwinds/arangodb
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
arangodb/arangod/RestServer/VocbaseContext.cpp

124 lines
4.5 KiB
C++
Raw Permalink Blame History

////////////////////////////////////////////////////////////////////////////////
/// DISCLAIMER
///
/// Copyright 2014-2016 ArangoDB GmbH, Cologne, Germany
/// Copyright 2004-2014 triAGENS GmbH, Cologne, Germany
///
/// Licensed under the Apache License, Version 2.0 (the "License");
/// you may not use this file except in compliance with the License.
/// You may obtain a copy of the License at
///
/// http://www.apache.org/licenses/LICENSE-2.0
///
/// Unless required by applicable law or agreed to in writing, software
/// distributed under the License is distributed on an "AS IS" BASIS,
/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
/// See the License for the specific language governing permissions and
/// limitations under the License.
///
/// Copyright holder is ArangoDB GmbH, Cologne, Germany
///
/// @author Dr. Frank Celler
////////////////////////////////////////////////////////////////////////////////
#include "VocbaseContext.h"
#include "Cluster/ServerState.h"
#include "GeneralServer/AuthenticationFeature.h"
#include "Logger/Logger.h"
#include "VocBase/vocbase.h"
using namespace arangodb::rest;
namespace arangodb {
VocbaseContext::VocbaseContext(GeneralRequest& req, TRI_vocbase_t& vocbase,
ExecContext::Type type, auth::Level systemLevel,
auth::Level dbLevel)
: ExecContext(type, req.user(), req.databaseName(), systemLevel, dbLevel),
_vocbase(vocbase) {
// _vocbase has already been refcounted for us
TRI_ASSERT(!_vocbase.isDangling());
}
VocbaseContext::~VocbaseContext() {
TRI_ASSERT(!_vocbase.isDangling());
_vocbase.release();
}
VocbaseContext* VocbaseContext::create(GeneralRequest& req, TRI_vocbase_t& vocbase) {
// _vocbase has already been refcounted for us
TRI_ASSERT(!vocbase.isDangling());
// superusers will have an empty username. This MUST be invalid
// for users authenticating with name / password
const bool isSuperUser = req.authenticated() && req.user().empty() &&
req.authenticationMethod() == AuthenticationMethod::JWT;
if (isSuperUser) {
return new VocbaseContext(req, vocbase, ExecContext::Type::Internal,
/*sysLevel*/ auth::Level::RW,
/*dbLevel*/ auth::Level::RW);
}
AuthenticationFeature* auth = AuthenticationFeature::instance();
TRI_ASSERT(auth != nullptr);
if (!auth->isActive()) {
if (ServerState::readOnly()) {
// special read-only case
return new VocbaseContext(req, vocbase, ExecContext::Type::Internal,
/*sysLevel*/ auth::Level::RO,
/*dbLevel*/ auth::Level::RO);
}
return new VocbaseContext(req, vocbase, ExecContext::Type::Default,
/*sysLevel*/ auth::Level::RW,
/*dbLevel*/ auth::Level::RW);
}
if (!req.authenticated()) {
return new VocbaseContext(req, vocbase, ExecContext::Type::Default,
/*sysLevel*/ auth::Level::NONE,
/*dbLevel*/ auth::Level::NONE);
} else if (req.user().empty()) {
std::string msg = "only jwt can be used to authenticate as superuser";
LOG_TOPIC("2d0f6", WARN, Logger::AUTHENTICATION) << msg;
THROW_ARANGO_EXCEPTION_MESSAGE(TRI_ERROR_BAD_PARAMETER, msg);
}
auth::UserManager* um = auth->userManager();
if (um == nullptr) {
LOG_TOPIC("aae8a", WARN, Logger::AUTHENTICATION)
<< "users are not supported on this server";
return nullptr;
}
auth::Level dbLvl = um->databaseAuthLevel(req.user(), req.databaseName());
auth::Level sysLvl = dbLvl;
if (req.databaseName() != TRI_VOC_SYSTEM_DATABASE) {
sysLvl = um->databaseAuthLevel(req.user(), TRI_VOC_SYSTEM_DATABASE);
}
return new VocbaseContext(req, vocbase, ExecContext::Type::Default,
/*sysLevel*/ sysLvl,
/*dbLevel*/ dbLvl);
}
void VocbaseContext::forceSuperuser() {
TRI_ASSERT(_type != ExecContext::Type::Internal || _user.empty());
_type = ExecContext::Type::Internal;
if (ServerState::readOnly()) {
_systemDbAuthLevel = auth::Level::RO;
_databaseAuthLevel = auth::Level::RO;
} else {
_systemDbAuthLevel = auth::Level::RW;
_databaseAuthLevel = auth::Level::RW;
}
}
void VocbaseContext::forceReadOnly() {
TRI_ASSERT(_type != ExecContext::Type::Internal || _user.empty());
_type = ExecContext::Type::Internal;
_systemDbAuthLevel = auth::Level::RO;
_databaseAuthLevel = auth::Level::RO;
}
} // namespace arangodb
Reference in New Issue View Git Blame Copy Permalink