mirror of https://gitee.com/bigwinds/arangodb
138 lines
4.9 KiB
C++
138 lines
4.9 KiB
C++
////////////////////////////////////////////////////////////////////////////////
|
|
/// DISCLAIMER
|
|
///
|
|
/// Copyright 2014-2017 ArangoDB GmbH, Cologne, Germany
|
|
/// Copyright 2004-2014 triAGENS GmbH, Cologne, Germany
|
|
///
|
|
/// Licensed under the Apache License, Version 2.0 (the "License");
|
|
/// you may not use this file except in compliance with the License.
|
|
/// You may obtain a copy of the License at
|
|
///
|
|
/// http://www.apache.org/licenses/LICENSE-2.0
|
|
///
|
|
/// Unless required by applicable law or agreed to in writing, software
|
|
/// distributed under the License is distributed on an "AS IS" BASIS,
|
|
/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
/// See the License for the specific language governing permissions and
|
|
/// limitations under the License.
|
|
///
|
|
/// Copyright holder is ArangoDB GmbH, Cologne, Germany
|
|
///
|
|
/// @author Dr. Frank Celler
|
|
////////////////////////////////////////////////////////////////////////////////
|
|
|
|
#ifndef ARANGOD_VOC_BASE_AUTH_USER_H
|
|
#define ARANGOD_VOC_BASE_AUTH_USER_H 1
|
|
|
|
#include "Basics/Common.h"
|
|
#include "Utils/Authentication.h"
|
|
|
|
#include <velocypack/Builder.h>
|
|
#include <velocypack/Slice.h>
|
|
|
|
namespace arangodb {
|
|
|
|
// This class represents a 'user' entry. It contains structures to
|
|
// store the access levels for databases and collections. The user
|
|
// object must be serialized via `toVPackBuilder()` and written to the
|
|
// _users collection after modifying it.
|
|
|
|
class AuthUserEntry {
|
|
friend class AuthInfo;
|
|
|
|
public:
|
|
static AuthUserEntry newUser(std::string const& user, std::string const& pass,
|
|
AuthSource source);
|
|
static AuthUserEntry fromDocument(velocypack::Slice const&);
|
|
|
|
private:
|
|
static void fromDocumentRoles(AuthUserEntry&, velocypack::Slice const&);
|
|
static void fromDocumentDatabases(AuthUserEntry&,
|
|
velocypack::Slice const& databases,
|
|
velocypack::Slice const& user);
|
|
|
|
public:
|
|
std::string const& key() const { return _key; }
|
|
std::string const& username() const { return _username; }
|
|
std::string const& passwordMethod() const { return _passwordMethod; }
|
|
std::string const& passwordSalt() const { return _passwordSalt; }
|
|
std::string const& passwordHash() const { return _passwordHash; }
|
|
bool isActive() const { return _active; }
|
|
AuthSource source() const { return _source; }
|
|
|
|
bool checkPassword(std::string const& password) const;
|
|
void updatePassword(std::string const& password);
|
|
|
|
velocypack::Builder toVPackBuilder() const;
|
|
|
|
void setActive(bool active) { _active = active; }
|
|
|
|
std::unordered_set<std::string> roles () const { return _roles; }
|
|
void setRoles(std::unordered_set<std::string> const& roles) { _roles = roles; }
|
|
|
|
// grant specific access rights for db. The default "*" is also a
|
|
// valid database name
|
|
void grantDatabase(std::string const& dbname, AuthLevel level);
|
|
|
|
// Removes the entry.
|
|
void removeDatabase(std::string const& dbname);
|
|
|
|
// Grant collection rights, "*" is a valid parameter for dbname and
|
|
// collection. The combination of "*"/"*" is automatically used for
|
|
// the root
|
|
void grantCollection(std::string const& dbname, std::string const& collection,
|
|
AuthLevel level);
|
|
|
|
void removeCollection(std::string const& dbname,
|
|
std::string const& collection);
|
|
|
|
// Resolve the access level for this database. Might fall back to
|
|
// the special '*' entry if the specific database is not found
|
|
AuthLevel databaseAuthLevel(std::string const& dbname) const;
|
|
|
|
// Resolve rights for the specified collection. Falls back to the
|
|
// special '*' entry if either the database or collection is not
|
|
// found.
|
|
AuthLevel collectionAuthLevel(std::string const& dbname,
|
|
std::string const& collectionName) const;
|
|
|
|
bool hasSpecificDatabase(std::string const& dbname) const;
|
|
bool hasSpecificCollection(std::string const& dbname,
|
|
std::string const& collectionName) const;
|
|
|
|
private:
|
|
AuthUserEntry() {}
|
|
|
|
struct DBAuthContext {
|
|
DBAuthContext(AuthLevel dbLvl,
|
|
std::unordered_map<std::string, AuthLevel> const& coll)
|
|
: _databaseAuthLevel(dbLvl), _collectionAccess(coll) {}
|
|
|
|
DBAuthContext(AuthLevel dbLvl,
|
|
std::unordered_map<std::string, AuthLevel>&& coll)
|
|
: _databaseAuthLevel(dbLvl), _collectionAccess(std::move(coll)) {}
|
|
|
|
AuthLevel collectionAuthLevel(std::string const& collectionName,
|
|
bool& notFound) const;
|
|
|
|
public:
|
|
AuthLevel _databaseAuthLevel;
|
|
std::unordered_map<std::string, AuthLevel> _collectionAccess;
|
|
};
|
|
|
|
private:
|
|
std::string _key;
|
|
bool _active = true;
|
|
AuthSource _source = AuthSource::COLLECTION;
|
|
|
|
std::string _username;
|
|
std::string _passwordMethod;
|
|
std::string _passwordSalt;
|
|
std::string _passwordHash;
|
|
std::unordered_map<std::string, DBAuthContext> _dbAccess;
|
|
std::unordered_set<std::string> _roles;
|
|
};
|
|
}
|
|
|
|
#endif
|