Line data Source code
1 : use super::{ComputeCredentials, ComputeUserInfo};
2 : use crate::{
3 : auth::{self, backend::ComputeCredentialKeys, AuthFlow},
4 : compute,
5 : config::AuthenticationConfig,
6 : console::AuthSecret,
7 : context::RequestMonitoring,
8 : sasl,
9 : stream::{PqStream, Stream},
10 : };
11 : use tokio::io::{AsyncRead, AsyncWrite};
12 : use tracing::{info, warn};
13 :
14 39 : pub(super) async fn authenticate(
15 39 : ctx: &mut RequestMonitoring,
16 39 : creds: ComputeUserInfo,
17 39 : client: &mut PqStream<Stream<impl AsyncRead + AsyncWrite + Unpin>>,
18 39 : config: &'static AuthenticationConfig,
19 39 : secret: AuthSecret,
20 39 : ) -> auth::Result<ComputeCredentials> {
21 39 : let flow = AuthFlow::new(client);
22 39 : let scram_keys = match secret {
23 : #[cfg(any(test, feature = "testing"))]
24 : AuthSecret::Md5(_) => {
25 0 : info!("auth endpoint chooses MD5");
26 0 : return Err(auth::AuthError::bad_auth_method("MD5"));
27 : }
28 39 : AuthSecret::Scram(secret) => {
29 39 : info!("auth endpoint chooses SCRAM");
30 39 : let scram = auth::Scram(&secret, &mut *ctx);
31 :
32 39 : let auth_outcome = tokio::time::timeout(
33 39 : config.scram_protocol_timeout,
34 39 : async {
35 39 :
36 39 : flow.begin(scram).await.map_err(|error| {
37 0 : warn!(?error, "error sending scram acknowledgement");
38 0 : error
39 76 : })?.authenticate().await.map_err(|error| {
40 0 : warn!(?error, "error processing scram messages");
41 0 : error
42 39 : })
43 39 : }
44 39 : )
45 76 : .await
46 39 : .map_err(|e| {
47 0 : warn!("error processing scram messages error = authentication timed out, execution time exeeded {} seconds", config.scram_protocol_timeout.as_secs());
48 0 : auth::AuthError::user_timeout(e)
49 39 : })??;
50 :
51 39 : let client_key = match auth_outcome {
52 36 : sasl::Outcome::Success(key) => key,
53 3 : sasl::Outcome::Failure(reason) => {
54 3 : info!("auth backend failed with an error: {reason}");
55 3 : return Err(auth::AuthError::auth_failed(&*creds.user));
56 : }
57 : };
58 :
59 36 : compute::ScramKeys {
60 36 : client_key: client_key.as_bytes(),
61 36 : server_key: secret.server_key.as_bytes(),
62 36 : }
63 36 : }
64 36 : };
65 36 :
66 36 : Ok(ComputeCredentials {
67 36 : info: creds,
68 36 : keys: ComputeCredentialKeys::AuthKeys(tokio_postgres::config::AuthKeys::ScramSha256(
69 36 : scram_keys,
70 36 : )),
71 36 : })
72 39 : }
|
