LCOV - code coverage report
Current view: top level - proxy/src - auth.rs (source / functions) Coverage Total Hit
Test: f8d8f5b90fa487a9e82c42da223f012f5d4fece7.info Lines: 7.8 % 51 4
Test Date: 2024-09-19 20:36:02 Functions: 16.7 % 24 4

            Line data    Source code
       1              : //! Client authentication mechanisms.
       2              : 
       3              : pub mod backend;
       4              : pub use backend::Backend;
       5              : 
       6              : mod credentials;
       7              : pub(crate) use credentials::{
       8              :     check_peer_addr_is_in_list, endpoint_sni, ComputeUserInfoMaybeEndpoint,
       9              :     ComputeUserInfoParseError, IpPattern,
      10              : };
      11              : 
      12              : mod password_hack;
      13              : pub(crate) use password_hack::parse_endpoint_param;
      14              : use password_hack::PasswordHackPayload;
      15              : 
      16              : mod flow;
      17              : pub(crate) use flow::*;
      18              : use tokio::time::error::Elapsed;
      19              : 
      20              : use crate::{
      21              :     console,
      22              :     error::{ReportableError, UserFacingError},
      23              : };
      24              : use std::{io, net::IpAddr};
      25              : use thiserror::Error;
      26              : 
      27              : /// Convenience wrapper for the authentication error.
      28              : pub(crate) type Result<T> = std::result::Result<T, AuthError>;
      29              : 
      30              : /// Common authentication error.
      31            6 : #[derive(Debug, Error)]
      32              : pub(crate) enum AuthErrorImpl {
      33              :     #[error(transparent)]
      34              :     Web(#[from] backend::WebAuthError),
      35              : 
      36              :     #[error(transparent)]
      37              :     GetAuthInfo(#[from] console::errors::GetAuthInfoError),
      38              : 
      39              :     /// SASL protocol errors (includes [SCRAM](crate::scram)).
      40              :     #[error(transparent)]
      41              :     Sasl(#[from] crate::sasl::Error),
      42              : 
      43              :     #[error("Unsupported authentication method: {0}")]
      44              :     BadAuthMethod(Box<str>),
      45              : 
      46              :     #[error("Malformed password message: {0}")]
      47              :     MalformedPassword(&'static str),
      48              : 
      49              :     #[error(
      50              :         "Endpoint ID is not specified. \
      51              :         Either please upgrade the postgres client library (libpq) for SNI support \
      52              :         or pass the endpoint ID (first part of the domain name) as a parameter: '?options=endpoint%3D<endpoint-id>'. \
      53              :         See more at https://neon.tech/sni"
      54              :     )]
      55              :     MissingEndpointName,
      56              : 
      57              :     #[error("password authentication failed for user '{0}'")]
      58              :     AuthFailed(Box<str>),
      59              : 
      60              :     /// Errors produced by e.g. [`crate::stream::PqStream`].
      61              :     #[error(transparent)]
      62              :     Io(#[from] io::Error),
      63              : 
      64              :     #[error(
      65              :         "This IP address {0} is not allowed to connect to this endpoint. \
      66              :         Please add it to the allowed list in the Neon console. \
      67              :         Make sure to check for IPv4 or IPv6 addresses."
      68              :     )]
      69              :     IpAddressNotAllowed(IpAddr),
      70              : 
      71              :     #[error("Too many connections to this endpoint. Please try again later.")]
      72              :     TooManyConnections,
      73              : 
      74              :     #[error("Authentication timed out")]
      75              :     UserTimeout(Elapsed),
      76              : }
      77              : 
      78            0 : #[derive(Debug, Error)]
      79              : #[error(transparent)]
      80              : pub(crate) struct AuthError(Box<AuthErrorImpl>);
      81              : 
      82              : impl AuthError {
      83            0 :     pub(crate) fn bad_auth_method(name: impl Into<Box<str>>) -> Self {
      84            0 :         AuthErrorImpl::BadAuthMethod(name.into()).into()
      85            0 :     }
      86              : 
      87            0 :     pub(crate) fn auth_failed(user: impl Into<Box<str>>) -> Self {
      88            0 :         AuthErrorImpl::AuthFailed(user.into()).into()
      89            0 :     }
      90              : 
      91            0 :     pub(crate) fn ip_address_not_allowed(ip: IpAddr) -> Self {
      92            0 :         AuthErrorImpl::IpAddressNotAllowed(ip).into()
      93            0 :     }
      94              : 
      95            0 :     pub(crate) fn too_many_connections() -> Self {
      96            0 :         AuthErrorImpl::TooManyConnections.into()
      97            0 :     }
      98              : 
      99            0 :     pub(crate) fn is_auth_failed(&self) -> bool {
     100            0 :         matches!(self.0.as_ref(), AuthErrorImpl::AuthFailed(_))
     101            0 :     }
     102              : 
     103            0 :     pub(crate) fn user_timeout(elapsed: Elapsed) -> Self {
     104            0 :         AuthErrorImpl::UserTimeout(elapsed).into()
     105            0 :     }
     106              : }
     107              : 
     108              : impl<E: Into<AuthErrorImpl>> From<E> for AuthError {
     109            6 :     fn from(e: E) -> Self {
     110            6 :         Self(Box::new(e.into()))
     111            6 :     }
     112              : }
     113              : 
     114              : impl UserFacingError for AuthError {
     115            0 :     fn to_string_client(&self) -> String {
     116            0 :         match self.0.as_ref() {
     117            0 :             AuthErrorImpl::Web(e) => e.to_string_client(),
     118            0 :             AuthErrorImpl::GetAuthInfo(e) => e.to_string_client(),
     119            0 :             AuthErrorImpl::Sasl(e) => e.to_string_client(),
     120            0 :             AuthErrorImpl::AuthFailed(_) => self.to_string(),
     121            0 :             AuthErrorImpl::BadAuthMethod(_) => self.to_string(),
     122            0 :             AuthErrorImpl::MalformedPassword(_) => self.to_string(),
     123            0 :             AuthErrorImpl::MissingEndpointName => self.to_string(),
     124            0 :             AuthErrorImpl::Io(_) => "Internal error".to_string(),
     125            0 :             AuthErrorImpl::IpAddressNotAllowed(_) => self.to_string(),
     126            0 :             AuthErrorImpl::TooManyConnections => self.to_string(),
     127            0 :             AuthErrorImpl::UserTimeout(_) => self.to_string(),
     128              :         }
     129            0 :     }
     130              : }
     131              : 
     132              : impl ReportableError for AuthError {
     133            0 :     fn get_error_kind(&self) -> crate::error::ErrorKind {
     134            0 :         match self.0.as_ref() {
     135            0 :             AuthErrorImpl::Web(e) => e.get_error_kind(),
     136            0 :             AuthErrorImpl::GetAuthInfo(e) => e.get_error_kind(),
     137            0 :             AuthErrorImpl::Sasl(e) => e.get_error_kind(),
     138            0 :             AuthErrorImpl::AuthFailed(_) => crate::error::ErrorKind::User,
     139            0 :             AuthErrorImpl::BadAuthMethod(_) => crate::error::ErrorKind::User,
     140            0 :             AuthErrorImpl::MalformedPassword(_) => crate::error::ErrorKind::User,
     141            0 :             AuthErrorImpl::MissingEndpointName => crate::error::ErrorKind::User,
     142            0 :             AuthErrorImpl::Io(_) => crate::error::ErrorKind::ClientDisconnect,
     143            0 :             AuthErrorImpl::IpAddressNotAllowed(_) => crate::error::ErrorKind::User,
     144            0 :             AuthErrorImpl::TooManyConnections => crate::error::ErrorKind::RateLimit,
     145            0 :             AuthErrorImpl::UserTimeout(_) => crate::error::ErrorKind::User,
     146              :         }
     147            0 :     }
     148              : }
        

Generated by: LCOV version 2.1-beta