Line data Source code
1 : mod classic;
2 : mod hacks;
3 : mod link;
4 :
5 : pub use link::LinkAuthError;
6 : use tokio_postgres::config::AuthKeys;
7 :
8 : use crate::auth::credentials::check_peer_addr_is_in_list;
9 : use crate::auth::validate_password_and_exchange;
10 : use crate::cache::Cached;
11 : use crate::console::errors::GetAuthInfoError;
12 : use crate::console::provider::{CachedRoleSecret, ConsoleBackend};
13 : use crate::console::{AuthSecret, NodeInfo};
14 : use crate::context::RequestMonitoring;
15 : use crate::proxy::connect_compute::ComputeConnectBackend;
16 : use crate::proxy::NeonOptions;
17 : use crate::stream::Stream;
18 : use crate::{
19 : auth::{self, ComputeUserInfoMaybeEndpoint},
20 : config::AuthenticationConfig,
21 : console::{
22 : self,
23 : provider::{CachedAllowedIps, CachedNodeInfo},
24 : Api,
25 : },
26 : stream, url,
27 : };
28 : use crate::{scram, EndpointCacheKey, EndpointId, RoleName};
29 : use std::sync::Arc;
30 : use tokio::io::{AsyncRead, AsyncWrite};
31 : use tracing::info;
32 :
33 : /// Alternative to [`std::borrow::Cow`] but doesn't need `T: ToOwned` as we don't need that functionality
34 : pub enum MaybeOwned<'a, T> {
35 : Owned(T),
36 : Borrowed(&'a T),
37 : }
38 :
39 : impl<T> std::ops::Deref for MaybeOwned<'_, T> {
40 : type Target = T;
41 :
42 439 : fn deref(&self) -> &Self::Target {
43 439 : match self {
44 216 : MaybeOwned::Owned(t) => t,
45 223 : MaybeOwned::Borrowed(t) => t,
46 : }
47 439 : }
48 : }
49 :
50 : /// This type serves two purposes:
51 : ///
52 : /// * When `T` is `()`, it's just a regular auth backend selector
53 : /// which we use in [`crate::config::ProxyConfig`].
54 : ///
55 : /// * However, when we substitute `T` with [`ComputeUserInfoMaybeEndpoint`],
56 : /// this helps us provide the credentials only to those auth
57 : /// backends which require them for the authentication process.
58 : pub enum BackendType<'a, T, D> {
59 : /// Cloud API (V2).
60 : Console(MaybeOwned<'a, ConsoleBackend>, T),
61 : /// Authentication via a web browser.
62 : Link(MaybeOwned<'a, url::ApiUrl>, D),
63 : }
64 :
65 : pub trait TestBackend: Send + Sync + 'static {
66 : fn wake_compute(&self) -> Result<CachedNodeInfo, console::errors::WakeComputeError>;
67 : fn get_allowed_ips_and_secret(
68 : &self,
69 : ) -> Result<(CachedAllowedIps, Option<CachedRoleSecret>), console::errors::GetAuthInfoError>;
70 : fn get_role_secret(&self) -> Result<CachedRoleSecret, console::errors::GetAuthInfoError>;
71 : }
72 :
73 : impl std::fmt::Display for BackendType<'_, (), ()> {
74 25 : fn fmt(&self, fmt: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
75 25 : use BackendType::*;
76 25 : match self {
77 22 : Console(api, _) => match &**api {
78 1 : ConsoleBackend::Console(endpoint) => {
79 1 : fmt.debug_tuple("Console").field(&endpoint.url()).finish()
80 : }
81 : #[cfg(any(test, feature = "testing"))]
82 21 : ConsoleBackend::Postgres(endpoint) => {
83 21 : fmt.debug_tuple("Postgres").field(&endpoint.url()).finish()
84 : }
85 : #[cfg(test)]
86 0 : ConsoleBackend::Test(_) => fmt.debug_tuple("Test").finish(),
87 : },
88 3 : Link(url, _) => fmt.debug_tuple("Link").field(&url.as_str()).finish(),
89 : }
90 25 : }
91 : }
92 :
93 : impl<T, D> BackendType<'_, T, D> {
94 : /// Very similar to [`std::option::Option::as_ref`].
95 : /// This helps us pass structured config to async tasks.
96 139 : pub fn as_ref(&self) -> BackendType<'_, &T, &D> {
97 139 : use BackendType::*;
98 139 : match self {
99 136 : Console(c, x) => Console(MaybeOwned::Borrowed(c), x),
100 3 : Link(c, x) => Link(MaybeOwned::Borrowed(c), x),
101 : }
102 139 : }
103 : }
104 :
105 : impl<'a, T, D> BackendType<'a, T, D> {
106 : /// Very similar to [`std::option::Option::map`].
107 : /// Maps [`BackendType<T>`] to [`BackendType<R>`] by applying
108 : /// a function to a contained value.
109 139 : pub fn map<R>(self, f: impl FnOnce(T) -> R) -> BackendType<'a, R, D> {
110 139 : use BackendType::*;
111 139 : match self {
112 136 : Console(c, x) => Console(c, f(x)),
113 3 : Link(c, x) => Link(c, x),
114 : }
115 139 : }
116 : }
117 : impl<'a, T, D, E> BackendType<'a, Result<T, E>, D> {
118 : /// Very similar to [`std::option::Option::transpose`].
119 : /// This is most useful for error handling.
120 52 : pub fn transpose(self) -> Result<BackendType<'a, T, D>, E> {
121 52 : use BackendType::*;
122 52 : match self {
123 49 : Console(c, x) => x.map(|x| Console(c, x)),
124 3 : Link(c, x) => Ok(Link(c, x)),
125 : }
126 52 : }
127 : }
128 :
129 : pub struct ComputeCredentials {
130 : pub info: ComputeUserInfo,
131 : pub keys: ComputeCredentialKeys,
132 : }
133 :
134 0 : #[derive(Debug, Clone)]
135 : pub struct ComputeUserInfoNoEndpoint {
136 : pub user: RoleName,
137 : pub options: NeonOptions,
138 : }
139 :
140 208 : #[derive(Debug, Clone)]
141 : pub struct ComputeUserInfo {
142 : pub endpoint: EndpointId,
143 : pub user: RoleName,
144 : pub options: NeonOptions,
145 : }
146 :
147 : impl ComputeUserInfo {
148 68 : pub fn endpoint_cache_key(&self) -> EndpointCacheKey {
149 68 : self.options.get_cache_key(&self.endpoint)
150 68 : }
151 : }
152 :
153 : pub enum ComputeCredentialKeys {
154 : Password(Vec<u8>),
155 : AuthKeys(AuthKeys),
156 : }
157 :
158 : impl TryFrom<ComputeUserInfoMaybeEndpoint> for ComputeUserInfo {
159 : // user name
160 : type Error = ComputeUserInfoNoEndpoint;
161 :
162 49 : fn try_from(user_info: ComputeUserInfoMaybeEndpoint) -> Result<Self, Self::Error> {
163 49 : match user_info.endpoint_id {
164 3 : None => Err(ComputeUserInfoNoEndpoint {
165 3 : user: user_info.user,
166 3 : options: user_info.options,
167 3 : }),
168 46 : Some(endpoint) => Ok(ComputeUserInfo {
169 46 : endpoint,
170 46 : user: user_info.user,
171 46 : options: user_info.options,
172 46 : }),
173 : }
174 49 : }
175 : }
176 :
177 : /// True to its name, this function encapsulates our current auth trade-offs.
178 : /// Here, we choose the appropriate auth flow based on circumstances.
179 : ///
180 : /// All authentication flows will emit an AuthenticationOk message if successful.
181 49 : async fn auth_quirks(
182 49 : ctx: &mut RequestMonitoring,
183 49 : api: &impl console::Api,
184 49 : user_info: ComputeUserInfoMaybeEndpoint,
185 49 : client: &mut stream::PqStream<Stream<impl AsyncRead + AsyncWrite + Unpin>>,
186 49 : allow_cleartext: bool,
187 49 : config: &'static AuthenticationConfig,
188 49 : ) -> auth::Result<ComputeCredentials> {
189 : // If there's no project so far, that entails that client doesn't
190 : // support SNI or other means of passing the endpoint (project) name.
191 : // We now expect to see a very specific payload in the place of password.
192 49 : let (info, unauthenticated_password) = match user_info.try_into() {
193 3 : Err(info) => {
194 3 : let res = hacks::password_hack_no_authentication(ctx, info, client).await?;
195 :
196 2 : ctx.set_endpoint_id(res.info.endpoint.clone());
197 2 : tracing::Span::current().record("ep", &tracing::field::display(&res.info.endpoint));
198 2 : let password = match res.keys {
199 2 : ComputeCredentialKeys::Password(p) => p,
200 0 : _ => unreachable!("password hack should return a password"),
201 : };
202 2 : (res.info, Some(password))
203 : }
204 46 : Ok(info) => (info, None),
205 : };
206 :
207 48 : info!("fetching user's authentication info");
208 303 : let (allowed_ips, maybe_secret) = api.get_allowed_ips_and_secret(ctx, &info).await?;
209 :
210 : // check allowed list
211 44 : if !check_peer_addr_is_in_list(&ctx.peer_addr, &allowed_ips) {
212 3 : return Err(auth::AuthError::ip_address_not_allowed());
213 41 : }
214 41 : let cached_secret = match maybe_secret {
215 0 : Some(secret) => secret,
216 283 : None => api.get_role_secret(ctx, &info).await?,
217 : };
218 :
219 41 : let secret = cached_secret.value.clone().unwrap_or_else(|| {
220 1 : // If we don't have an authentication secret, we mock one to
221 1 : // prevent malicious probing (possible due to missing protocol steps).
222 1 : // This mocked secret will never lead to successful authentication.
223 1 : info!("authentication info not found, mocking it");
224 1 : AuthSecret::Scram(scram::ServerSecret::mock(&info.user, rand::random()))
225 41 : });
226 41 : match authenticate_with_secret(
227 41 : ctx,
228 41 : secret,
229 41 : info,
230 41 : client,
231 41 : unauthenticated_password,
232 41 : allow_cleartext,
233 41 : config,
234 41 : )
235 76 : .await
236 : {
237 38 : Ok(keys) => Ok(keys),
238 3 : Err(e) => {
239 3 : if e.is_auth_failed() {
240 3 : // The password could have been changed, so we invalidate the cache.
241 3 : cached_secret.invalidate();
242 3 : }
243 3 : Err(e)
244 : }
245 : }
246 49 : }
247 :
248 41 : async fn authenticate_with_secret(
249 41 : ctx: &mut RequestMonitoring,
250 41 : secret: AuthSecret,
251 41 : info: ComputeUserInfo,
252 41 : client: &mut stream::PqStream<Stream<impl AsyncRead + AsyncWrite + Unpin>>,
253 41 : unauthenticated_password: Option<Vec<u8>>,
254 41 : allow_cleartext: bool,
255 41 : config: &'static AuthenticationConfig,
256 41 : ) -> auth::Result<ComputeCredentials> {
257 41 : if let Some(password) = unauthenticated_password {
258 2 : let auth_outcome = validate_password_and_exchange(&password, secret)?;
259 2 : let keys = match auth_outcome {
260 2 : crate::sasl::Outcome::Success(key) => key,
261 0 : crate::sasl::Outcome::Failure(reason) => {
262 0 : info!("auth backend failed with an error: {reason}");
263 0 : return Err(auth::AuthError::auth_failed(&*info.user));
264 : }
265 : };
266 :
267 : // we have authenticated the password
268 2 : client.write_message_noflush(&pq_proto::BeMessage::AuthenticationOk)?;
269 :
270 2 : return Ok(ComputeCredentials { info, keys });
271 39 : }
272 39 :
273 39 : // -- the remaining flows are self-authenticating --
274 39 :
275 39 : // Perform cleartext auth if we're allowed to do that.
276 39 : // Currently, we use it for websocket connections (latency).
277 39 : if allow_cleartext {
278 0 : ctx.set_auth_method(crate::context::AuthMethod::Cleartext);
279 0 : return hacks::authenticate_cleartext(ctx, info, client, secret).await;
280 39 : }
281 39 :
282 39 : // Finally, proceed with the main auth flow (SCRAM-based).
283 76 : classic::authenticate(ctx, info, client, config, secret).await
284 41 : }
285 :
286 : impl<'a> BackendType<'a, ComputeUserInfoMaybeEndpoint, &()> {
287 : /// Get compute endpoint name from the credentials.
288 52 : pub fn get_endpoint(&self) -> Option<EndpointId> {
289 52 : use BackendType::*;
290 52 :
291 52 : match self {
292 49 : Console(_, user_info) => user_info.endpoint_id.clone(),
293 3 : Link(_, _) => Some("link".into()),
294 : }
295 52 : }
296 :
297 : /// Get username from the credentials.
298 52 : pub fn get_user(&self) -> &str {
299 52 : use BackendType::*;
300 52 :
301 52 : match self {
302 49 : Console(_, user_info) => &user_info.user,
303 3 : Link(_, _) => "link",
304 : }
305 52 : }
306 :
307 : /// Authenticate the client via the requested backend, possibly using credentials.
308 104 : #[tracing::instrument(fields(allow_cleartext = allow_cleartext), skip_all)]
309 : pub async fn authenticate(
310 : self,
311 : ctx: &mut RequestMonitoring,
312 : client: &mut stream::PqStream<Stream<impl AsyncRead + AsyncWrite + Unpin>>,
313 : allow_cleartext: bool,
314 : config: &'static AuthenticationConfig,
315 : ) -> auth::Result<BackendType<'a, ComputeCredentials, NodeInfo>> {
316 : use BackendType::*;
317 :
318 : let res = match self {
319 : Console(api, user_info) => {
320 49 : info!(
321 49 : user = &*user_info.user,
322 49 : project = user_info.endpoint(),
323 49 : "performing authentication using the console"
324 49 : );
325 :
326 : let credentials =
327 : auth_quirks(ctx, &*api, user_info, client, allow_cleartext, config).await?;
328 : BackendType::Console(api, credentials)
329 : }
330 : // NOTE: this auth backend doesn't use client credentials.
331 : Link(url, _) => {
332 3 : info!("performing link authentication");
333 :
334 : let info = link::authenticate(ctx, &url, client).await?;
335 :
336 : BackendType::Link(url, info)
337 : }
338 : };
339 :
340 41 : info!("user successfully authenticated");
341 : Ok(res)
342 : }
343 : }
344 :
345 : impl BackendType<'_, ComputeUserInfo, &()> {
346 46 : pub async fn get_role_secret(
347 46 : &self,
348 46 : ctx: &mut RequestMonitoring,
349 46 : ) -> Result<CachedRoleSecret, GetAuthInfoError> {
350 46 : use BackendType::*;
351 46 : match self {
352 320 : Console(api, user_info) => api.get_role_secret(ctx, user_info).await,
353 0 : Link(_, _) => Ok(Cached::new_uncached(None)),
354 : }
355 46 : }
356 :
357 47 : pub async fn get_allowed_ips_and_secret(
358 47 : &self,
359 47 : ctx: &mut RequestMonitoring,
360 47 : ) -> Result<(CachedAllowedIps, Option<CachedRoleSecret>), GetAuthInfoError> {
361 47 : use BackendType::*;
362 47 : match self {
363 372 : Console(api, user_info) => api.get_allowed_ips_and_secret(ctx, user_info).await,
364 0 : Link(_, _) => Ok((Cached::new_uncached(Arc::new(vec![])), None)),
365 : }
366 47 : }
367 : }
368 :
369 : #[async_trait::async_trait]
370 : impl ComputeConnectBackend for BackendType<'_, ComputeCredentials, NodeInfo> {
371 41 : async fn wake_compute(
372 41 : &self,
373 41 : ctx: &mut RequestMonitoring,
374 41 : ) -> Result<CachedNodeInfo, console::errors::WakeComputeError> {
375 : use BackendType::*;
376 :
377 41 : match self {
378 38 : Console(api, creds) => api.wake_compute(ctx, &creds.info).await,
379 3 : Link(_, info) => Ok(Cached::new_uncached(info.clone())),
380 : }
381 123 : }
382 :
383 41 : fn get_keys(&self) -> Option<&ComputeCredentialKeys> {
384 41 : match self {
385 38 : BackendType::Console(_, creds) => Some(&creds.keys),
386 3 : BackendType::Link(_, _) => None,
387 : }
388 41 : }
389 : }
390 :
391 : #[async_trait::async_trait]
392 : impl ComputeConnectBackend for BackendType<'_, ComputeCredentials, &()> {
393 70 : async fn wake_compute(
394 70 : &self,
395 70 : ctx: &mut RequestMonitoring,
396 70 : ) -> Result<CachedNodeInfo, console::errors::WakeComputeError> {
397 : use BackendType::*;
398 :
399 70 : match self {
400 70 : Console(api, creds) => api.wake_compute(ctx, &creds.info).await,
401 0 : Link(_, _) => unreachable!("link auth flow doesn't support waking the compute"),
402 : }
403 210 : }
404 :
405 56 : fn get_keys(&self) -> Option<&ComputeCredentialKeys> {
406 56 : match self {
407 56 : BackendType::Console(_, creds) => Some(&creds.keys),
408 0 : BackendType::Link(_, _) => None,
409 : }
410 56 : }
411 : }
|
