|             Line data    Source code 
       1              : use tokio::io::{AsyncRead, AsyncWrite};
       2              : use tracing::{debug, info, warn};
       3              : 
       4              : use super::{ComputeCredentials, ComputeUserInfo};
       5              : use crate::auth::backend::ComputeCredentialKeys;
       6              : use crate::auth::{self, AuthFlow};
       7              : use crate::config::AuthenticationConfig;
       8              : use crate::context::RequestContext;
       9              : use crate::control_plane::AuthSecret;
      10              : use crate::stream::{PqStream, Stream};
      11              : use crate::{compute, sasl};
      12              : 
      13            1 : pub(super) async fn authenticate(
      14            1 :     ctx: &RequestContext,
      15            1 :     creds: ComputeUserInfo,
      16            1 :     client: &mut PqStream<Stream<impl AsyncRead + AsyncWrite + Unpin>>,
      17            1 :     config: &'static AuthenticationConfig,
      18            1 :     secret: AuthSecret,
      19            1 : ) -> auth::Result<ComputeCredentials> {
      20            1 :     let scram_keys = match secret {
      21            1 :         AuthSecret::Scram(secret) => {
      22            1 :             debug!("auth endpoint chooses SCRAM");
      23              : 
      24            1 :             let auth_outcome = tokio::time::timeout(
      25            1 :                 config.scram_protocol_timeout,
      26            1 :                 AuthFlow::new(client, auth::Scram(&secret, ctx)).authenticate(),
      27            1 :             )
      28            1 :             .await
      29            1 :             .inspect_err(|_| warn!("error processing scram messages error = authentication timed out, execution time exceeded {} seconds", config.scram_protocol_timeout.as_secs()))
      30            1 :             .map_err(auth::AuthError::user_timeout)?
      31            1 :             .inspect_err(|error| warn!(?error, "error processing scram messages"))?;
      32              : 
      33            1 :             let client_key = match auth_outcome {
      34            1 :                 sasl::Outcome::Success(key) => key,
      35            0 :                 sasl::Outcome::Failure(reason) => {
      36              :                     // TODO: warnings?
      37              :                     // TODO: should we get rid of this because double logging?
      38            0 :                     info!("auth backend failed with an error: {reason}");
      39            0 :                     return Err(auth::AuthError::password_failed(&*creds.user));
      40              :                 }
      41              :             };
      42              : 
      43            1 :             compute::ScramKeys {
      44            1 :                 client_key: client_key.as_bytes(),
      45            1 :                 server_key: secret.server_key.as_bytes(),
      46            1 :             }
      47              :         }
      48              :     };
      49              : 
      50            1 :     Ok(ComputeCredentials {
      51            1 :         info: creds,
      52            1 :         keys: ComputeCredentialKeys::AuthKeys(postgres_client::config::AuthKeys::ScramSha256(
      53            1 :             scram_keys,
      54            1 :         )),
      55            1 :     })
      56            1 : }
         |