-
Notifications
You must be signed in to change notification settings - Fork 1.8k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
refactor(cubesql): Make Postgres authentication extensible
- Loading branch information
1 parent
e8d81f2
commit fb9ba98
Showing
8 changed files
with
268 additions
and
108 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
106 changes: 106 additions & 0 deletions
106
rust/cubesql/cubesql/src/sql/postgres/pg_auth_service.rs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,106 @@ | ||
use std::{collections::HashMap, fmt::Debug, sync::Arc}; | ||
|
||
use async_trait::async_trait; | ||
|
||
use crate::{ | ||
sql::{AuthContextRef, SqlAuthService}, | ||
CubeError, | ||
}; | ||
|
||
pub use pg_srv::{ | ||
protocol::{AuthenticationRequest, FrontendMessage}, | ||
MessageTagParser, MessageTagParserDefaultImpl, | ||
}; | ||
|
||
#[derive(Debug)] | ||
pub enum AuthenticationStatus { | ||
UnexpectedFrontendMessage, | ||
Failed(String), | ||
// User name + auth context | ||
Success(String, AuthContextRef), | ||
} | ||
|
||
#[async_trait] | ||
pub trait PostgresAuthService: Sync + Send + Debug { | ||
fn get_auth_method(&self, parameters: &HashMap<String, String>) -> AuthenticationRequest; | ||
|
||
async fn authenticate( | ||
&self, | ||
service: Arc<dyn SqlAuthService>, | ||
request: AuthenticationRequest, | ||
secret: FrontendMessage, | ||
parameters: &HashMap<String, String>, | ||
) -> AuthenticationStatus; | ||
|
||
fn get_pg_message_tag_parser(&self) -> Arc<dyn MessageTagParser>; | ||
} | ||
|
||
#[derive(Debug)] | ||
pub struct PostgresAuthServiceDefaultImpl { | ||
pg_message_tag_parser: Arc<dyn MessageTagParser>, | ||
} | ||
|
||
impl PostgresAuthServiceDefaultImpl { | ||
pub fn new() -> Self { | ||
Self { | ||
pg_message_tag_parser: Arc::new(MessageTagParserDefaultImpl::default()), | ||
} | ||
} | ||
} | ||
|
||
#[async_trait] | ||
impl PostgresAuthService for PostgresAuthServiceDefaultImpl { | ||
fn get_auth_method(&self, _: &HashMap<String, String>) -> AuthenticationRequest { | ||
AuthenticationRequest::CleartextPassword | ||
} | ||
|
||
async fn authenticate( | ||
&self, | ||
service: Arc<dyn SqlAuthService>, | ||
request: AuthenticationRequest, | ||
secret: FrontendMessage, | ||
parameters: &HashMap<String, String>, | ||
) -> AuthenticationStatus { | ||
let FrontendMessage::PasswordMessage(password_message) = secret else { | ||
return AuthenticationStatus::UnexpectedFrontendMessage; | ||
}; | ||
|
||
if !matches!(request, AuthenticationRequest::CleartextPassword) { | ||
return AuthenticationStatus::UnexpectedFrontendMessage; | ||
} | ||
|
||
let user = parameters.get("user").unwrap().clone(); | ||
let authenticate_response = service | ||
.authenticate(Some(user.clone()), Some(password_message.password.clone())) | ||
.await; | ||
|
||
let auth_fail = || { | ||
AuthenticationStatus::Failed(format!( | ||
"password authentication failed for user \"{}\"", | ||
user | ||
)) | ||
}; | ||
|
||
let Ok(authenticate_response) = authenticate_response else { | ||
return auth_fail(); | ||
}; | ||
|
||
if !authenticate_response.skip_password_check { | ||
let is_password_correct = match authenticate_response.password { | ||
None => false, | ||
Some(password) => password == password_message.password, | ||
}; | ||
if !is_password_correct { | ||
return auth_fail(); | ||
} | ||
} | ||
|
||
AuthenticationStatus::Success(user, authenticate_response.context) | ||
} | ||
|
||
fn get_pg_message_tag_parser(&self) -> Arc<dyn MessageTagParser> { | ||
Arc::clone(&self.pg_message_tag_parser) | ||
} | ||
} | ||
|
||
crate::di_service!(PostgresAuthServiceDefaultImpl, [PostgresAuthService]); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.