mirror of https://gitee.com/bigwinds/arangodb
160 lines
5.2 KiB
C++
160 lines
5.2 KiB
C++
////////////////////////////////////////////////////////////////////////////////
|
|
/// DISCLAIMER
|
|
///
|
|
/// Copyright 2016 ArangoDB GmbH, Cologne, Germany
|
|
///
|
|
/// Licensed under the Apache License, Version 2.0 (the "License");
|
|
/// you may not use this file except in compliance with the License.
|
|
/// You may obtain a copy of the License at
|
|
///
|
|
/// http://www.apache.org/licenses/LICENSE-2.0
|
|
///
|
|
/// Unless required by applicable law or agreed to in writing, software
|
|
/// distributed under the License is distributed on an "AS IS" BASIS,
|
|
/// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
/// See the License for the specific language governing permissions and
|
|
/// limitations under the License.
|
|
///
|
|
/// Copyright holder is ArangoDB GmbH, Cologne, Germany
|
|
///
|
|
/// @author Andreas Streichardt <andreas@arangodb.com>
|
|
////////////////////////////////////////////////////////////////////////////////
|
|
|
|
#include "AuthenticationFeature.h"
|
|
|
|
#include "ProgramOptions/ProgramOptions.h"
|
|
#include "RestServer/QueryRegistryFeature.h"
|
|
#include "Random/RandomGenerator.h"
|
|
|
|
using namespace arangodb;
|
|
using namespace arangodb::options;
|
|
|
|
AuthenticationFeature::AuthenticationFeature(
|
|
application_features::ApplicationServer* server)
|
|
: ApplicationFeature(server, "Authentication"),
|
|
_authenticationUnixSockets(true),
|
|
_authenticationSystemOnly(true),
|
|
_jwtSecretProgramOption(""),
|
|
_active(true) {
|
|
|
|
setOptional(true);
|
|
requiresElevatedPrivileges(false);
|
|
startsAfter("Random");
|
|
}
|
|
|
|
void AuthenticationFeature::collectOptions(
|
|
std::shared_ptr<ProgramOptions> options) {
|
|
options->addSection("server", "Server features");
|
|
|
|
options->addOldOption("server.disable-authentication",
|
|
"server.authentication");
|
|
options->addOldOption("server.disable-authentication-unix-sockets",
|
|
"server.authentication-unix-sockets");
|
|
options->addOldOption("server.authenticate-system-only",
|
|
"server.authentication-system-only");
|
|
options->addOldOption("server.allow-method-override",
|
|
"http.allow-method-override");
|
|
options->addOldOption("server.hide-product-header",
|
|
"http.hide-product-header");
|
|
options->addOldOption("server.keep-alive-timeout", "http.keep-alive-timeout");
|
|
options->addOldOption("server.default-api-compatibility", "");
|
|
options->addOldOption("no-server", "server.rest-server");
|
|
|
|
options->addOption("--server.authentication",
|
|
"enable or disable authentication for ALL client requests",
|
|
new BooleanParameter(&_active));
|
|
|
|
options->addOption(
|
|
"--server.authentication-system-only",
|
|
"use HTTP authentication only for requests to /_api and /_admin",
|
|
new BooleanParameter(&_authenticationSystemOnly));
|
|
|
|
#ifdef ARANGODB_HAVE_DOMAIN_SOCKETS
|
|
options->addOption("--server.authentication-unix-sockets",
|
|
"authentication for requests via UNIX domain sockets",
|
|
new BooleanParameter(&_authenticationUnixSockets));
|
|
#endif
|
|
|
|
options->addOption("--server.jwt-secret",
|
|
"secret to use when doing jwt authentication",
|
|
new StringParameter(&_jwtSecretProgramOption));
|
|
|
|
}
|
|
|
|
void AuthenticationFeature::validateOptions(std::shared_ptr<ProgramOptions>) {
|
|
if (!_active) {
|
|
forceDisable();
|
|
return;
|
|
}
|
|
if (!_jwtSecretProgramOption.empty()) {
|
|
if (_jwtSecretProgramOption.length() > _maxSecretLength) {
|
|
LOG(ERR) << "Given JWT secret too long. Max length is "
|
|
<< _maxSecretLength;
|
|
FATAL_ERROR_EXIT();
|
|
}
|
|
}
|
|
}
|
|
|
|
std::string AuthenticationFeature::generateNewJwtSecret() {
|
|
std::string jwtSecret = "";
|
|
uint16_t m = 254;
|
|
|
|
for (size_t i = 0; i < _maxSecretLength; i++) {
|
|
jwtSecret += (1 + RandomGenerator::interval(m));
|
|
}
|
|
return jwtSecret;
|
|
}
|
|
|
|
void AuthenticationFeature::start() {
|
|
LOG(INFO) << "Authentication is turned " << (_active ? "on" : "off");
|
|
|
|
if (!isEnabled()) {
|
|
return;
|
|
}
|
|
auto queryRegistryFeature =
|
|
application_features::ApplicationServer::getFeature<QueryRegistryFeature>("QueryRegistry");
|
|
authInfo()->setQueryRegistry(queryRegistryFeature->queryRegistry());
|
|
|
|
if (_authenticationSystemOnly) {
|
|
LOG(INFO) << "Authentication system only";
|
|
}
|
|
|
|
#ifdef ARANGODB_HAVE_DOMAIN_SOCKETS
|
|
LOG(INFO) << "Authentication for unix sockets is turned "
|
|
<< (_authenticationUnixSockets ? "on" : "off");
|
|
#endif
|
|
}
|
|
|
|
AuthLevel AuthenticationFeature::canUseDatabase(std::string const& username,
|
|
std::string const& dbname) {
|
|
if (!isEnabled()) {
|
|
return AuthLevel::RW;
|
|
}
|
|
|
|
return authInfo()->canUseDatabase(username, dbname);
|
|
}
|
|
|
|
AuthInfo* AuthenticationFeature::authInfo() {
|
|
// mop: catch misused stuff..authentication is disabled...why would you
|
|
// need any authentication info?
|
|
TRI_ASSERT(isEnabled());
|
|
return &_authInfo;
|
|
}
|
|
|
|
void AuthenticationFeature::unprepare() {
|
|
}
|
|
|
|
void AuthenticationFeature::prepare() {
|
|
if (!isEnabled()) {
|
|
return;
|
|
}
|
|
std::string jwtSecret = _jwtSecretProgramOption;
|
|
if (jwtSecret.empty()) {
|
|
jwtSecret = generateNewJwtSecret();
|
|
}
|
|
authInfo()->setJwtSecret(jwtSecret);
|
|
}
|
|
|
|
void AuthenticationFeature::stop() {
|
|
}
|