Line data Source code
1 : use super::{ComputeCredentials, ComputeUserInfo, ComputeUserInfoNoEndpoint};
2 : use crate::{
3 : auth::{self, AuthFlow},
4 : config::AuthenticationConfig,
5 : console::AuthSecret,
6 : context::RequestMonitoring,
7 : intern::EndpointIdInt,
8 : sasl,
9 : stream::{self, Stream},
10 : };
11 : use tokio::io::{AsyncRead, AsyncWrite};
12 : use tracing::{info, warn};
13 :
14 : /// Compared to [SCRAM](crate::scram), cleartext password auth saves
15 : /// one round trip and *expensive* computations (>= 4096 HMAC iterations).
16 : /// These properties are benefical for serverless JS workers, so we
17 : /// use this mechanism for websocket connections.
18 1 : pub(crate) async fn authenticate_cleartext(
19 1 : ctx: &RequestMonitoring,
20 1 : info: ComputeUserInfo,
21 1 : client: &mut stream::PqStream<Stream<impl AsyncRead + AsyncWrite + Unpin>>,
22 1 : secret: AuthSecret,
23 1 : config: &'static AuthenticationConfig,
24 1 : ) -> auth::Result<ComputeCredentials> {
25 1 : warn!("cleartext auth flow override is enabled, proceeding");
26 1 : ctx.set_auth_method(crate::context::AuthMethod::Cleartext);
27 1 :
28 1 : // pause the timer while we communicate with the client
29 1 : let paused = ctx.latency_timer_pause(crate::metrics::Waiting::Client);
30 1 :
31 1 : let ep = EndpointIdInt::from(&info.endpoint);
32 :
33 1 : let auth_flow = AuthFlow::new(client)
34 1 : .begin(auth::CleartextPassword {
35 1 : secret,
36 1 : endpoint: ep,
37 1 : pool: config.thread_pool.clone(),
38 1 : })
39 0 : .await?;
40 1 : drop(paused);
41 : // cleartext auth is only allowed to the ws/http protocol.
42 : // If we're here, we already received the password in the first message.
43 : // Scram protocol will be executed on the proxy side.
44 2 : let auth_outcome = auth_flow.authenticate().await?;
45 :
46 1 : let keys = match auth_outcome {
47 1 : sasl::Outcome::Success(key) => key,
48 0 : sasl::Outcome::Failure(reason) => {
49 0 : info!("auth backend failed with an error: {reason}");
50 0 : return Err(auth::AuthError::auth_failed(&*info.user));
51 : }
52 : };
53 :
54 1 : Ok(ComputeCredentials { info, keys })
55 1 : }
56 :
57 : /// Workaround for clients which don't provide an endpoint (project) name.
58 : /// Similar to [`authenticate_cleartext`], but there's a specific password format,
59 : /// and passwords are not yet validated (we don't know how to validate them!)
60 1 : pub(crate) async fn password_hack_no_authentication(
61 1 : ctx: &RequestMonitoring,
62 1 : info: ComputeUserInfoNoEndpoint,
63 1 : client: &mut stream::PqStream<Stream<impl AsyncRead + AsyncWrite + Unpin>>,
64 1 : ) -> auth::Result<(ComputeUserInfo, Vec<u8>)> {
65 1 : warn!("project not specified, resorting to the password hack auth flow");
66 1 : ctx.set_auth_method(crate::context::AuthMethod::Cleartext);
67 1 :
68 1 : // pause the timer while we communicate with the client
69 1 : let _paused = ctx.latency_timer_pause(crate::metrics::Waiting::Client);
70 :
71 1 : let payload = AuthFlow::new(client)
72 1 : .begin(auth::PasswordHack)
73 0 : .await?
74 1 : .get_password()
75 1 : .await?;
76 :
77 1 : info!(project = &*payload.endpoint, "received missing parameter");
78 :
79 : // Report tentative success; compute node will check the password anyway.
80 1 : Ok((
81 1 : ComputeUserInfo {
82 1 : user: info.user,
83 1 : options: info.options,
84 1 : endpoint: payload.endpoint,
85 1 : },
86 1 : payload.password,
87 1 : ))
88 1 : }
|
