Line data    Source code

       1              : use super::AuthSuccess;
       2              : use crate::{
       3              :     auth::{self, AuthFlow, ClientCredentials},
       4              :     console::{
       5              :         self,
       6              :         provider::{CachedNodeInfo, ConsoleReqExtra},
       7              :     },
       8              :     stream,
       9              : };
      10              : use tokio::io::{AsyncRead, AsyncWrite};
      11              : use tracing::{info, warn};
      12              : 
      13              : /// Compared to [SCRAM](crate::scram), cleartext password auth saves
      14              : /// one round trip and *expensive* computations (>= 4096 HMAC iterations).
      15              : /// These properties are benefical for serverless JS workers, so we
      16              : /// use this mechanism for websocket connections.
      17            0 : pub async fn cleartext_hack(
      18            0 :     api: &impl console::Api,
      19            0 :     extra: &ConsoleReqExtra<'_>,
      20            0 :     creds: &mut ClientCredentials<'_>,
      21            0 :     client: &mut stream::PqStream<impl AsyncRead + AsyncWrite + Unpin>,
      22            0 : ) -> auth::Result<AuthSuccess<CachedNodeInfo>> {
      23            0 :     warn!("cleartext auth flow override is enabled, proceeding");
      24            0 :     let password = AuthFlow::new(client)
      25            0 :         .begin(auth::CleartextPassword)
      26            0 :         .await?
      27            0 :         .authenticate()
      28            0 :         .await?;
      29              : 
      30            0 :     let mut node = api.wake_compute(extra, creds).await?;
      31            0 :     node.config.password(password);
      32            0 : 
      33            0 :     // Report tentative success; compute node will check the password anyway.
      34            0 :     Ok(AuthSuccess {
      35            0 :         reported_auth_ok: false,
      36            0 :         value: node,
      37            0 :     })
      38            0 : }
      39              : 
      40              : /// Workaround for clients which don't provide an endpoint (project) name.
      41              : /// Very similar to [`cleartext_hack`], but there's a specific password format.
      42            3 : pub async fn password_hack(
      43            3 :     api: &impl console::Api,
      44            3 :     extra: &ConsoleReqExtra<'_>,
      45            3 :     creds: &mut ClientCredentials<'_>,
      46            3 :     client: &mut stream::PqStream<impl AsyncRead + AsyncWrite + Unpin>,
      47            3 : ) -> auth::Result<AuthSuccess<CachedNodeInfo>> {
      48            3 :     warn!("project not specified, resorting to the password hack auth flow");
      49            3 :     let payload = AuthFlow::new(client)
      50            3 :         .begin(auth::PasswordHack)
      51            0 :         .await?
      52            3 :         .authenticate()
      53            3 :         .await?;
      54              : 
      55            2 :     info!(project = &payload.endpoint, "received missing parameter");
      56            2 :     creds.project = Some(payload.endpoint);
      57              : 
      58            2 :     let mut node = api.wake_compute(extra, creds).await?;
      59            2 :     node.config.password(payload.password);
      60            2 : 
      61            2 :     // Report tentative success; compute node will check the password anyway.
      62            2 :     Ok(AuthSuccess {
      63            2 :         reported_auth_ok: false,
      64            2 :         value: node,
      65            2 :     })
      66            3 : }