LCOV - code coverage report
Current view: top level - proxy/src/auth/backend - hacks.rs (source / functions) Coverage Total Hit
Test: f8d8f5b90fa487a9e82c42da223f012f5d4fece7.info Lines: 90.9 % 55 50
Test Date: 2024-09-19 20:36:02 Functions: 25.0 % 16 4

            Line data    Source code
       1              : use super::{ComputeCredentials, ComputeUserInfo, ComputeUserInfoNoEndpoint};
       2              : use crate::{
       3              :     auth::{self, AuthFlow},
       4              :     config::AuthenticationConfig,
       5              :     console::AuthSecret,
       6              :     context::RequestMonitoring,
       7              :     intern::EndpointIdInt,
       8              :     sasl,
       9              :     stream::{self, Stream},
      10              : };
      11              : use tokio::io::{AsyncRead, AsyncWrite};
      12              : use tracing::{info, warn};
      13              : 
      14              : /// Compared to [SCRAM](crate::scram), cleartext password auth saves
      15              : /// one round trip and *expensive* computations (>= 4096 HMAC iterations).
      16              : /// These properties are benefical for serverless JS workers, so we
      17              : /// use this mechanism for websocket connections.
      18            1 : pub(crate) async fn authenticate_cleartext(
      19            1 :     ctx: &RequestMonitoring,
      20            1 :     info: ComputeUserInfo,
      21            1 :     client: &mut stream::PqStream<Stream<impl AsyncRead + AsyncWrite + Unpin>>,
      22            1 :     secret: AuthSecret,
      23            1 :     config: &'static AuthenticationConfig,
      24            1 : ) -> auth::Result<ComputeCredentials> {
      25            1 :     warn!("cleartext auth flow override is enabled, proceeding");
      26            1 :     ctx.set_auth_method(crate::context::AuthMethod::Cleartext);
      27            1 : 
      28            1 :     // pause the timer while we communicate with the client
      29            1 :     let paused = ctx.latency_timer_pause(crate::metrics::Waiting::Client);
      30            1 : 
      31            1 :     let ep = EndpointIdInt::from(&info.endpoint);
      32              : 
      33            1 :     let auth_flow = AuthFlow::new(client)
      34            1 :         .begin(auth::CleartextPassword {
      35            1 :             secret,
      36            1 :             endpoint: ep,
      37            1 :             pool: config.thread_pool.clone(),
      38            1 :         })
      39            0 :         .await?;
      40            1 :     drop(paused);
      41              :     // cleartext auth is only allowed to the ws/http protocol.
      42              :     // If we're here, we already received the password in the first message.
      43              :     // Scram protocol will be executed on the proxy side.
      44            2 :     let auth_outcome = auth_flow.authenticate().await?;
      45              : 
      46            1 :     let keys = match auth_outcome {
      47            1 :         sasl::Outcome::Success(key) => key,
      48            0 :         sasl::Outcome::Failure(reason) => {
      49            0 :             info!("auth backend failed with an error: {reason}");
      50            0 :             return Err(auth::AuthError::auth_failed(&*info.user));
      51              :         }
      52              :     };
      53              : 
      54            1 :     Ok(ComputeCredentials { info, keys })
      55            1 : }
      56              : 
      57              : /// Workaround for clients which don't provide an endpoint (project) name.
      58              : /// Similar to [`authenticate_cleartext`], but there's a specific password format,
      59              : /// and passwords are not yet validated (we don't know how to validate them!)
      60            1 : pub(crate) async fn password_hack_no_authentication(
      61            1 :     ctx: &RequestMonitoring,
      62            1 :     info: ComputeUserInfoNoEndpoint,
      63            1 :     client: &mut stream::PqStream<Stream<impl AsyncRead + AsyncWrite + Unpin>>,
      64            1 : ) -> auth::Result<(ComputeUserInfo, Vec<u8>)> {
      65            1 :     warn!("project not specified, resorting to the password hack auth flow");
      66            1 :     ctx.set_auth_method(crate::context::AuthMethod::Cleartext);
      67            1 : 
      68            1 :     // pause the timer while we communicate with the client
      69            1 :     let _paused = ctx.latency_timer_pause(crate::metrics::Waiting::Client);
      70              : 
      71            1 :     let payload = AuthFlow::new(client)
      72            1 :         .begin(auth::PasswordHack)
      73            0 :         .await?
      74            1 :         .get_password()
      75            1 :         .await?;
      76              : 
      77            1 :     info!(project = &*payload.endpoint, "received missing parameter");
      78              : 
      79              :     // Report tentative success; compute node will check the password anyway.
      80            1 :     Ok((
      81            1 :         ComputeUserInfo {
      82            1 :             user: info.user,
      83            1 :             options: info.options,
      84            1 :             endpoint: payload.endpoint,
      85            1 :         },
      86            1 :         payload.password,
      87            1 :     ))
      88            1 : }
        

Generated by: LCOV version 2.1-beta