Line data Source code
1 : mod classic;
2 : mod hacks;
3 : mod link;
4 :
5 : pub use link::LinkAuthError;
6 : use tokio_postgres::config::AuthKeys;
7 :
8 : use crate::auth::credentials::check_peer_addr_is_in_list;
9 : use crate::auth::validate_password_and_exchange;
10 : use crate::cache::Cached;
11 : use crate::console::errors::GetAuthInfoError;
12 : use crate::console::provider::{CachedRoleSecret, ConsoleBackend};
13 : use crate::console::{AuthSecret, NodeInfo};
14 : use crate::context::RequestMonitoring;
15 : use crate::proxy::connect_compute::ComputeConnectBackend;
16 : use crate::proxy::NeonOptions;
17 : use crate::stream::Stream;
18 : use crate::{
19 : auth::{self, ComputeUserInfoMaybeEndpoint},
20 : config::AuthenticationConfig,
21 : console::{
22 : self,
23 : provider::{CachedAllowedIps, CachedNodeInfo},
24 : Api,
25 : },
26 : stream, url,
27 : };
28 : use crate::{scram, EndpointCacheKey, EndpointId, RoleName};
29 : use std::sync::Arc;
30 : use tokio::io::{AsyncRead, AsyncWrite};
31 : use tracing::info;
32 :
33 : /// Alternative to [`std::borrow::Cow`] but doesn't need `T: ToOwned` as we don't need that functionality
34 : pub enum MaybeOwned<'a, T> {
35 : Owned(T),
36 : Borrowed(&'a T),
37 : }
38 :
39 : impl<T> std::ops::Deref for MaybeOwned<'_, T> {
40 : type Target = T;
41 :
42 26 : fn deref(&self) -> &Self::Target {
43 26 : match self {
44 26 : MaybeOwned::Owned(t) => t,
45 0 : MaybeOwned::Borrowed(t) => t,
46 : }
47 26 : }
48 : }
49 :
50 : /// This type serves two purposes:
51 : ///
52 : /// * When `T` is `()`, it's just a regular auth backend selector
53 : /// which we use in [`crate::config::ProxyConfig`].
54 : ///
55 : /// * However, when we substitute `T` with [`ComputeUserInfoMaybeEndpoint`],
56 : /// this helps us provide the credentials only to those auth
57 : /// backends which require them for the authentication process.
58 : pub enum BackendType<'a, T, D> {
59 : /// Cloud API (V2).
60 : Console(MaybeOwned<'a, ConsoleBackend>, T),
61 : /// Authentication via a web browser.
62 : Link(MaybeOwned<'a, url::ApiUrl>, D),
63 : }
64 :
65 : pub trait TestBackend: Send + Sync + 'static {
66 : fn wake_compute(&self) -> Result<CachedNodeInfo, console::errors::WakeComputeError>;
67 : fn get_allowed_ips_and_secret(
68 : &self,
69 : ) -> Result<(CachedAllowedIps, Option<CachedRoleSecret>), console::errors::GetAuthInfoError>;
70 : fn get_role_secret(&self) -> Result<CachedRoleSecret, console::errors::GetAuthInfoError>;
71 : }
72 :
73 : impl std::fmt::Display for BackendType<'_, (), ()> {
74 0 : fn fmt(&self, fmt: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
75 0 : use BackendType::*;
76 0 : match self {
77 0 : Console(api, _) => match &**api {
78 0 : ConsoleBackend::Console(endpoint) => {
79 0 : fmt.debug_tuple("Console").field(&endpoint.url()).finish()
80 : }
81 : #[cfg(any(test, feature = "testing"))]
82 0 : ConsoleBackend::Postgres(endpoint) => {
83 0 : fmt.debug_tuple("Postgres").field(&endpoint.url()).finish()
84 : }
85 : #[cfg(test)]
86 0 : ConsoleBackend::Test(_) => fmt.debug_tuple("Test").finish(),
87 : },
88 0 : Link(url, _) => fmt.debug_tuple("Link").field(&url.as_str()).finish(),
89 : }
90 0 : }
91 : }
92 :
93 : impl<T, D> BackendType<'_, T, D> {
94 : /// Very similar to [`std::option::Option::as_ref`].
95 : /// This helps us pass structured config to async tasks.
96 0 : pub fn as_ref(&self) -> BackendType<'_, &T, &D> {
97 0 : use BackendType::*;
98 0 : match self {
99 0 : Console(c, x) => Console(MaybeOwned::Borrowed(c), x),
100 0 : Link(c, x) => Link(MaybeOwned::Borrowed(c), x),
101 : }
102 0 : }
103 : }
104 :
105 : impl<'a, T, D> BackendType<'a, T, D> {
106 : /// Very similar to [`std::option::Option::map`].
107 : /// Maps [`BackendType<T>`] to [`BackendType<R>`] by applying
108 : /// a function to a contained value.
109 0 : pub fn map<R>(self, f: impl FnOnce(T) -> R) -> BackendType<'a, R, D> {
110 0 : use BackendType::*;
111 0 : match self {
112 0 : Console(c, x) => Console(c, f(x)),
113 0 : Link(c, x) => Link(c, x),
114 : }
115 0 : }
116 : }
117 : impl<'a, T, D, E> BackendType<'a, Result<T, E>, D> {
118 : /// Very similar to [`std::option::Option::transpose`].
119 : /// This is most useful for error handling.
120 0 : pub fn transpose(self) -> Result<BackendType<'a, T, D>, E> {
121 0 : use BackendType::*;
122 0 : match self {
123 0 : Console(c, x) => x.map(|x| Console(c, x)),
124 0 : Link(c, x) => Ok(Link(c, x)),
125 : }
126 0 : }
127 : }
128 :
129 : pub struct ComputeCredentials {
130 : pub info: ComputeUserInfo,
131 : pub keys: ComputeCredentialKeys,
132 : }
133 :
134 0 : #[derive(Debug, Clone)]
135 : pub struct ComputeUserInfoNoEndpoint {
136 : pub user: RoleName,
137 : pub options: NeonOptions,
138 : }
139 :
140 26 : #[derive(Debug, Clone)]
141 : pub struct ComputeUserInfo {
142 : pub endpoint: EndpointId,
143 : pub user: RoleName,
144 : pub options: NeonOptions,
145 : }
146 :
147 : impl ComputeUserInfo {
148 4 : pub fn endpoint_cache_key(&self) -> EndpointCacheKey {
149 4 : self.options.get_cache_key(&self.endpoint)
150 4 : }
151 : }
152 :
153 : pub enum ComputeCredentialKeys {
154 : Password(Vec<u8>),
155 : AuthKeys(AuthKeys),
156 : }
157 :
158 : impl TryFrom<ComputeUserInfoMaybeEndpoint> for ComputeUserInfo {
159 : // user name
160 : type Error = ComputeUserInfoNoEndpoint;
161 :
162 0 : fn try_from(user_info: ComputeUserInfoMaybeEndpoint) -> Result<Self, Self::Error> {
163 0 : match user_info.endpoint_id {
164 0 : None => Err(ComputeUserInfoNoEndpoint {
165 0 : user: user_info.user,
166 0 : options: user_info.options,
167 0 : }),
168 0 : Some(endpoint) => Ok(ComputeUserInfo {
169 0 : endpoint,
170 0 : user: user_info.user,
171 0 : options: user_info.options,
172 0 : }),
173 : }
174 0 : }
175 : }
176 :
177 : /// True to its name, this function encapsulates our current auth trade-offs.
178 : /// Here, we choose the appropriate auth flow based on circumstances.
179 : ///
180 : /// All authentication flows will emit an AuthenticationOk message if successful.
181 0 : async fn auth_quirks(
182 0 : ctx: &mut RequestMonitoring,
183 0 : api: &impl console::Api,
184 0 : user_info: ComputeUserInfoMaybeEndpoint,
185 0 : client: &mut stream::PqStream<Stream<impl AsyncRead + AsyncWrite + Unpin>>,
186 0 : allow_cleartext: bool,
187 0 : config: &'static AuthenticationConfig,
188 0 : ) -> auth::Result<ComputeCredentials> {
189 : // If there's no project so far, that entails that client doesn't
190 : // support SNI or other means of passing the endpoint (project) name.
191 : // We now expect to see a very specific payload in the place of password.
192 0 : let (info, unauthenticated_password) = match user_info.try_into() {
193 0 : Err(info) => {
194 0 : let res = hacks::password_hack_no_authentication(ctx, info, client).await?;
195 :
196 0 : ctx.set_endpoint_id(res.info.endpoint.clone());
197 0 : let password = match res.keys {
198 0 : ComputeCredentialKeys::Password(p) => p,
199 0 : _ => unreachable!("password hack should return a password"),
200 : };
201 0 : (res.info, Some(password))
202 : }
203 0 : Ok(info) => (info, None),
204 : };
205 :
206 0 : info!("fetching user's authentication info");
207 0 : let (allowed_ips, maybe_secret) = api.get_allowed_ips_and_secret(ctx, &info).await?;
208 :
209 : // check allowed list
210 0 : if !check_peer_addr_is_in_list(&ctx.peer_addr, &allowed_ips) {
211 0 : return Err(auth::AuthError::ip_address_not_allowed(ctx.peer_addr));
212 0 : }
213 0 : let cached_secret = match maybe_secret {
214 0 : Some(secret) => secret,
215 0 : None => api.get_role_secret(ctx, &info).await?,
216 : };
217 :
218 0 : let secret = cached_secret.value.clone().unwrap_or_else(|| {
219 0 : // If we don't have an authentication secret, we mock one to
220 0 : // prevent malicious probing (possible due to missing protocol steps).
221 0 : // This mocked secret will never lead to successful authentication.
222 0 : info!("authentication info not found, mocking it");
223 0 : AuthSecret::Scram(scram::ServerSecret::mock(&info.user, rand::random()))
224 0 : });
225 0 : match authenticate_with_secret(
226 0 : ctx,
227 0 : secret,
228 0 : info,
229 0 : client,
230 0 : unauthenticated_password,
231 0 : allow_cleartext,
232 0 : config,
233 0 : )
234 0 : .await
235 : {
236 0 : Ok(keys) => Ok(keys),
237 0 : Err(e) => {
238 0 : if e.is_auth_failed() {
239 0 : // The password could have been changed, so we invalidate the cache.
240 0 : cached_secret.invalidate();
241 0 : }
242 0 : Err(e)
243 : }
244 : }
245 0 : }
246 :
247 0 : async fn authenticate_with_secret(
248 0 : ctx: &mut RequestMonitoring,
249 0 : secret: AuthSecret,
250 0 : info: ComputeUserInfo,
251 0 : client: &mut stream::PqStream<Stream<impl AsyncRead + AsyncWrite + Unpin>>,
252 0 : unauthenticated_password: Option<Vec<u8>>,
253 0 : allow_cleartext: bool,
254 0 : config: &'static AuthenticationConfig,
255 0 : ) -> auth::Result<ComputeCredentials> {
256 0 : if let Some(password) = unauthenticated_password {
257 0 : let auth_outcome = validate_password_and_exchange(&password, secret)?;
258 0 : let keys = match auth_outcome {
259 0 : crate::sasl::Outcome::Success(key) => key,
260 0 : crate::sasl::Outcome::Failure(reason) => {
261 0 : info!("auth backend failed with an error: {reason}");
262 0 : return Err(auth::AuthError::auth_failed(&*info.user));
263 : }
264 : };
265 :
266 : // we have authenticated the password
267 0 : client.write_message_noflush(&pq_proto::BeMessage::AuthenticationOk)?;
268 :
269 0 : return Ok(ComputeCredentials { info, keys });
270 0 : }
271 0 :
272 0 : // -- the remaining flows are self-authenticating --
273 0 :
274 0 : // Perform cleartext auth if we're allowed to do that.
275 0 : // Currently, we use it for websocket connections (latency).
276 0 : if allow_cleartext {
277 0 : ctx.set_auth_method(crate::context::AuthMethod::Cleartext);
278 0 : return hacks::authenticate_cleartext(ctx, info, client, secret).await;
279 0 : }
280 0 :
281 0 : // Finally, proceed with the main auth flow (SCRAM-based).
282 0 : classic::authenticate(ctx, info, client, config, secret).await
283 0 : }
284 :
285 : impl<'a> BackendType<'a, ComputeUserInfoMaybeEndpoint, &()> {
286 : /// Get compute endpoint name from the credentials.
287 0 : pub fn get_endpoint(&self) -> Option<EndpointId> {
288 0 : use BackendType::*;
289 0 :
290 0 : match self {
291 0 : Console(_, user_info) => user_info.endpoint_id.clone(),
292 0 : Link(_, _) => Some("link".into()),
293 : }
294 0 : }
295 :
296 : /// Get username from the credentials.
297 0 : pub fn get_user(&self) -> &str {
298 0 : use BackendType::*;
299 0 :
300 0 : match self {
301 0 : Console(_, user_info) => &user_info.user,
302 0 : Link(_, _) => "link",
303 : }
304 0 : }
305 :
306 : /// Authenticate the client via the requested backend, possibly using credentials.
307 0 : #[tracing::instrument(fields(allow_cleartext = allow_cleartext), skip_all)]
308 : pub async fn authenticate(
309 : self,
310 : ctx: &mut RequestMonitoring,
311 : client: &mut stream::PqStream<Stream<impl AsyncRead + AsyncWrite + Unpin>>,
312 : allow_cleartext: bool,
313 : config: &'static AuthenticationConfig,
314 : ) -> auth::Result<BackendType<'a, ComputeCredentials, NodeInfo>> {
315 : use BackendType::*;
316 :
317 : let res = match self {
318 : Console(api, user_info) => {
319 0 : info!(
320 0 : user = &*user_info.user,
321 0 : project = user_info.endpoint(),
322 0 : "performing authentication using the console"
323 0 : );
324 :
325 : let credentials =
326 : auth_quirks(ctx, &*api, user_info, client, allow_cleartext, config).await?;
327 : BackendType::Console(api, credentials)
328 : }
329 : // NOTE: this auth backend doesn't use client credentials.
330 : Link(url, _) => {
331 0 : info!("performing link authentication");
332 :
333 : let info = link::authenticate(ctx, &url, client).await?;
334 :
335 : BackendType::Link(url, info)
336 : }
337 : };
338 :
339 0 : info!("user successfully authenticated");
340 : Ok(res)
341 : }
342 : }
343 :
344 : impl BackendType<'_, ComputeUserInfo, &()> {
345 0 : pub async fn get_role_secret(
346 0 : &self,
347 0 : ctx: &mut RequestMonitoring,
348 0 : ) -> Result<CachedRoleSecret, GetAuthInfoError> {
349 0 : use BackendType::*;
350 0 : match self {
351 0 : Console(api, user_info) => api.get_role_secret(ctx, user_info).await,
352 0 : Link(_, _) => Ok(Cached::new_uncached(None)),
353 : }
354 0 : }
355 :
356 0 : pub async fn get_allowed_ips_and_secret(
357 0 : &self,
358 0 : ctx: &mut RequestMonitoring,
359 0 : ) -> Result<(CachedAllowedIps, Option<CachedRoleSecret>), GetAuthInfoError> {
360 0 : use BackendType::*;
361 0 : match self {
362 0 : Console(api, user_info) => api.get_allowed_ips_and_secret(ctx, user_info).await,
363 0 : Link(_, _) => Ok((Cached::new_uncached(Arc::new(vec![])), None)),
364 : }
365 0 : }
366 : }
367 :
368 : #[async_trait::async_trait]
369 : impl ComputeConnectBackend for BackendType<'_, ComputeCredentials, NodeInfo> {
370 0 : async fn wake_compute(
371 0 : &self,
372 0 : ctx: &mut RequestMonitoring,
373 0 : ) -> Result<CachedNodeInfo, console::errors::WakeComputeError> {
374 : use BackendType::*;
375 :
376 0 : match self {
377 0 : Console(api, creds) => api.wake_compute(ctx, &creds.info).await,
378 0 : Link(_, info) => Ok(Cached::new_uncached(info.clone())),
379 : }
380 0 : }
381 :
382 0 : fn get_keys(&self) -> Option<&ComputeCredentialKeys> {
383 0 : match self {
384 0 : BackendType::Console(_, creds) => Some(&creds.keys),
385 0 : BackendType::Link(_, _) => None,
386 : }
387 0 : }
388 : }
389 :
390 : #[async_trait::async_trait]
391 : impl ComputeConnectBackend for BackendType<'_, ComputeCredentials, &()> {
392 26 : async fn wake_compute(
393 26 : &self,
394 26 : ctx: &mut RequestMonitoring,
395 26 : ) -> Result<CachedNodeInfo, console::errors::WakeComputeError> {
396 : use BackendType::*;
397 :
398 26 : match self {
399 26 : Console(api, creds) => api.wake_compute(ctx, &creds.info).await,
400 0 : Link(_, _) => unreachable!("link auth flow doesn't support waking the compute"),
401 : }
402 78 : }
403 :
404 12 : fn get_keys(&self) -> Option<&ComputeCredentialKeys> {
405 12 : match self {
406 12 : BackendType::Console(_, creds) => Some(&creds.keys),
407 0 : BackendType::Link(_, _) => None,
408 : }
409 12 : }
410 : }
|
