aerospike 2.19.0 → 2.21.0

data/lib/aerospike/command/login_command.rb

@@ -0,0 +1,162 @@
+# encoding: utf-8
+# Copyright 2014-2020 Aerospike, Inc.
+#
+# Portions may be licensed to Aerospike, Inc. under one or more contributor
+# license agreements.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+
+require 'aerospike/command/admin_command'
+
+module Aerospike
+
+  private
+
+  attr_reader :session_token, :session_expiration
+
+  class LoginCommand < AdminCommand #:nodoc:
+
+    def login(conn, policy)
+        hashed_pass = LoginCommand.hash_password(policy.password)
+        authenticate(conn, policy, hashed_pass)
+    end
+
+    def authenticate(conn, user, hashed_pass)
+      write_header(LOGIN, 2)
+      write_field_str(USER, policy.user)
+      write_field_bytes(CREDENTIAL, hashed_pass)
+
+      parse_tokens(conn)
+    end
+
+    def authenticate_new(conn, cluster)
+      policy = cluster.client_policy
+      case policy.auth_mode
+      when Aerospike::AuthMode::EXTERNAL
+        write_header(LOGIN, 3)
+        write_field_str(USER, policy.user)
+        write_field_bytes(CREDENTIAL, cluster.password)
+        write_field_str(CLEAR_PASSWORD, policy.password)
+      when Aerospike::AuthMode::INTERNAL
+        write_header(LOGIN, 2)
+        write_field_str(USER, policy.user)
+        write_field_bytes(CREDENTIAL, cluster.password)
+      when Aerospike::AuthMode::PKI
+        write_header(LOGIN, 0)
+      else
+        raise Exceptions::Aerospike.new(Aerospike::ResultCode::COMMAND_REJECTED, "Invalid client_policy#auth_mode.")
+      end
+
+      parse_tokens(conn)
+      cluster.session_token = @session_token
+      cluster.session_expiration = @session_expiration
+    end
+
+    def parse_tokens(conn)
+      begin
+        write_size
+        conn.write(@data_buffer, @data_offset)
+        conn.read(@data_buffer, HEADER_SIZE)
+
+        result = @data_buffer.read(RESULT_CODE)
+
+        if result != 0 
+          return if result == Aerospike::ResultCode::SECURITY_NOT_ENABLED
+          raise Exceptions::Aerospike.new(result, "Authentication failed")
+        end
+
+        # read the rest of the buffer
+        size = @data_buffer.read_int64(0)
+        receive_size = (size & 0xFFFFFFFFFFFF) - HEADER_REMAINING
+        field_count = @data_buffer.read(11) & 0xFF
+
+        if receive_size <= 0 || receive_size > @data_buffer.size || field_count <= 0
+          raise Exceptions::Aerospike.new(result, "Node failed to retrieve session token")
+        end
+
+        if @data_buffer.size < receive_size
+          @data_buffer.resize(receive_size)
+        end
+
+        conn.read(@data_buffer, receive_size)
+
+        @data_offset = 0
+        for i in 0...field_count
+          mlen = @data_buffer.read_int32(@data_offset)
+          @data_offset += 4
+          id = @data_buffer.read(@data_offset)
+          @data_offset += 1
+          mlen -= 1
+
+          case id
+          when SESSION_TOKEN
+            # copy the contents of the buffer into a new byte slice
+            @session_token = @data_buffer.read(@data_offset, mlen)
+
+          when SESSION_TTL
+            # Subtract 60 seconds from TTL so client session expires before server session.
+            seconds = @data_buffer.read_int32(@data_offset) - 60
+
+            if seconds > 0
+              @session_expiration = Time.now + (seconds/86400)
+            else
+              Aerospike.logger.warn("Invalid session TTL: #{seconds}")
+              raise Exceptions::Aerospike.new(result, "Node failed to retrieve session token")
+            end
+          end
+
+          @data_offset += mlen
+        end
+
+        if !@session_token
+          raise Exceptions::Aerospike.new(result, "Node failed to retrieve session token")
+        end
+      ensure
+        Buffer.put(@data_buffer)
+      end
+    end
+
+    def authenticate_via_token(conn, cluster)
+      policy = cluster.client_policy
+      if policy.auth_mode != Aerospike::AuthMode::PKI
+        write_header(AUTHENTICATE, 2)
+        write_field_str(USER, policy.user)
+      else
+        write_header(AUTHENTICATE, 1)
+      end
+
+      write_field_bytes(SESSION_TOKEN, cluster.session_token) if cluster.session_token
+      write_size
+
+      conn.write(@data_buffer, @data_offset)
+      conn.read(@data_buffer, HEADER_SIZE)
+
+      result = @data_buffer.read(RESULT_CODE)
+      size = @data_buffer.read_int64(0)
+      receive_size = (size & 0xFFFFFFFFFFFF) - HEADER_REMAINING
+      conn.read(@data_buffer, receive_size)
+
+      if result != 0 
+        return if result == Aerospike::ResultCode::SECURITY_NOT_ENABLED
+        raise Exceptions::Aerospike.new(result, "Authentication failed")
+      end
+
+      nil
+    end
+
+    SALT = '$2a$10$7EqJtq98hPqEX7fNZaFWoO'
+    def self.hash_password(password)
+      # Hashing the password with the cost of 10, with a static salt
+      return BCrypt::Engine.hash_secret(password, SALT, :cost => 10)
+    end
+  end
+end
+

data/lib/aerospike/command/multi_command.rb

@@ -150,6 +150,23 @@ module Aerospike
       Aerospike::Key.new(namespace, set_name, user_key, digest)
     end
 
+    def skip_key(field_count)
+      # in Stream queries, there are no keys
+      return unless field_count > 0
+
+      i = 0
+      while i < field_count
+        read_bytes(4)
+
+        fieldlen = @data_buffer.read_int32(0)
+        read_bytes(fieldlen)
+
+        i = i.succ
+      end
+
+      nil
+    end
+
     # Parses the given byte buffer and populate the result object.
     # Returns the number of bytes that were parsed from the given buffer.
     def parse_record(key, op_count, generation, expiration)

data/lib/aerospike/connection/authenticate.rb

@@ -21,9 +21,41 @@ module Aerospike
   module Connection # :nodoc:
     module Authenticate
       class << self
-        def call(conn, user, password)
-          command = AdminCommand.new
-          command.authenticate(conn, user, password)
+        def call(conn, user, hashed_pass)
+          command = LoginCommand.new
+          command.authenticate(conn, user, hashed_pass)
+          true
+        rescue ::Aerospike::Exceptions::Aerospike
+          conn.close if conn
+          raise ::Aerospike::Exceptions::InvalidCredentials
+        end
+      end
+    end
+    module AuthenticateNew
+      class << self
+        INVALID_SESSION_ERR = [ResultCode::INVALID_CREDENTIAL, 
+          ResultCode::EXPIRED_SESSION]
+
+        def call(conn, cluster)
+          command = LoginCommand.new
+          if !cluster.session_valid?
+            command.authenticate_new(conn, cluster)
+          else
+            begin
+              command.authenticate_via_token(conn, cluster)
+            rescue => ae
+              # always reset session info on errors to be on the safe side
+              cluster.reset_session_info
+              if ae.is_a?(Exceptions::Aerospike)
+                if INVALID_SESSION_ERR.include?(ae.result_code)
+                  command.authenticate(conn, cluster)
+                  return
+                end
+              end
+              raise ae
+            end
+          end
+
           true
         rescue ::Aerospike::Exceptions::Aerospike
           conn.close if conn

data/lib/aerospike/policy/auth_mode.rb

@@ -0,0 +1,36 @@
+# encoding: utf-8
+# Copyright 2014-2020 Aerospike, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Aerospike
+
+  module AuthMode
+
+    # INTERNAL uses internal authentication only when user/password defined. Hashed password is stored
+    # on the server. Do not send clear password. This is the default.
+    INTERNAL = 0
+
+    # EXTERNAL uses external authentication (like LDAP) when user/password defined. Specific external authentication is
+    # configured on server. If TLS is defined, sends clear password on node login via TLS.
+    # Will raise exception if TLS is not defined.
+    EXTERNAL = 1
+
+    # PKI allows authentication and authorization based on a certificate. No user name or
+    # password needs to be configured. Requires TLS and a client certificate.
+    # Requires server version 5.7.0+
+    PKI = 2
+
+  end # module
+
+end # module

data/lib/aerospike/policy/client_policy.rb

@@ -22,7 +22,7 @@ module Aerospike
   # Container object for client policy command.
   class ClientPolicy
 
-    attr_accessor :user, :password
+    attr_accessor :user, :password, :auth_mode
     attr_accessor :timeout, :connection_queue_size, :fail_if_not_connected, :tend_interval
     attr_accessor :cluster_name
     attr_accessor :tls
@@ -44,6 +44,9 @@ module Aerospike
       # which the client checks for cluster state changes. Minimum interval is 10ms.
       self.tend_interval = opt[:tend_interval] || 1000 # 1 second
 
+      # Authentication mode
+      @auth_mode = opt[:auth_mode] || AuthMode::INTERNAL
+
       # user name
       @user = opt[:user]
 

data/lib/aerospike/privilege.rb

@@ -0,0 +1,133 @@
+# encoding: utf-8
+# Copyright 2014-2022 Aerospike, Inc.
+#
+# Portions may be licensed to Aerospike, Inc. under one or more contributor
+# license agreements.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+
+module Aerospike
+
+	# Determines user access granularity.
+	class Privilege
+
+		# Role
+		attr_accessor :code
+
+		# Namespace determines namespace scope. Apply permission to this namespace only.
+		# If namespace is zero value, the privilege applies to all namespaces.
+		attr_accessor :namespace
+
+		# Set name scope. Apply permission to this set within namespace only.
+		# If set is zero value, the privilege applies to all sets within namespace.
+		attr_accessor :set_name
+
+	    # Manage users and their roles.
+	    USER_ADMIN = 'user-admin'
+
+	    # Manage indicies, user-defined functions and server configuration.
+	    SYS_ADMIN = 'sys-admin'
+
+	    # Manage indicies and user defined functions.
+	    DATA_ADMIN = 'data-admin'
+
+	    # Manage user defined functions.
+	    UDF_ADMIN = 'udf-admin'
+
+	    # Manage indicies.
+	    SINDEX_ADMIN = 'sindex-admin'
+
+	    # Allow read, write and UDF transactions with the database.
+	    READ_WRITE_UDF = "read-write-udf"
+
+	    # Allow read and write transactions with the database.
+	    READ_WRITE = 'read-write'
+
+	    # Allow read transactions with the database.
+	    READ = 'read'
+
+	    # Write allows write transactions with the database.
+	    WRITE = 'write'
+
+	    # Truncate allow issuing truncate commands.
+	    TRUNCATE = 'truncate'
+
+	    def initialize(opt={})
+	      @code = opt[:code]
+	      @namespace = opt[:namespace]
+	      @set_name = opt[:set_name]
+	    end
+
+		def to_s
+			"code: #{@code}, namespace: #{@namespace}, set_name: #{@set_name}"
+		end
+
+		def to_code
+			case @code
+			when USER_ADMIN
+				0
+			when SYS_ADMIN
+				1
+			when DATA_ADMIN
+				2
+			when UDF_ADMIN
+				3
+			when SINDEX_ADMIN
+				4
+			when READ
+				10
+			when READ_WRITE
+				11
+			when READ_WRITE_UDF
+				12
+			when WRITE
+				13
+			when TRUNCATE
+				14
+			else
+				raise Exceptions::Aerospike.new(Aerospike::ResultCode::INVALID_PRIVILEGE, "Invalid role #{@code}")
+			end # case
+		end # def
+
+		def self.from(code)
+			case code
+			when 0
+				USER_ADMIN
+			when 1
+				SYS_ADMIN
+			when 2
+				DATA_ADMIN
+			when 3
+				UDF_ADMIN
+			when 4
+				SINDEX_ADMIN
+			when 10
+				READ
+			when 11
+				READ_WRITE
+			when 12
+				READ_WRITE_UDF
+			when 13
+				WRITE
+			when 14
+				TRUNCATE
+			else
+				raise Exceptions::Aerospike.new(Aerospike::ResultCode::INVALID_PRIVILEGE, "Invalid code #{code}")
+			end # case
+		end # def
+
+		def can_scope?
+			to_code >= 10
+		end
+
+	end # class
+
+end

data/lib/aerospike/query/query_command.rb

@@ -23,12 +23,13 @@ module Aerospike
 
   class QueryCommand < StreamCommand #:nodoc:
 
-    def initialize(node, policy, statement, recordset)
+    def initialize(node, policy, statement, recordset, partitions)
       super(node)
 
       @policy = policy
       @statement = statement
       @recordset = recordset
+      @partitions = partitions
     end
 
     def write_buffer
@@ -81,7 +82,10 @@ module Aerospike
           @data_offset += binNameSize
           fieldCount+=1
         end
-      else
+      else    
+        @data_offset += @partitions.length * 2 + FIELD_HEADER_SIZE
+        fieldCount += 1
+
         if @policy.records_per_second > 0
           @data_offset += 4 + FIELD_HEADER_SIZE
           fieldCount += 1
@@ -89,8 +93,8 @@ module Aerospike
 
         # Calling query with no filters is more efficiently handled by a primary index scan.
         # Estimate scan options size.
-        @data_offset += (2 + FIELD_HEADER_SIZE)
-        fieldCount+=1
+        # @data_offset += (2 + FIELD_HEADER_SIZE)
+        # fieldCount+=1
       end
 
       @statement.set_task_id
@@ -177,18 +181,24 @@ module Aerospike
           end
         end
       else
+        write_field_header(@partitions.length * 2, Aerospike::FieldType::PID_ARRAY)
+        for pid in @partitions
+          @data_buffer.write_uint16_little_endian(pid, @data_offset)
+          @data_offset += 2
+        end
+
         if @policy.records_per_second > 0
           write_field_int(@policy.records_per_second, Aerospike::FieldType::RECORDS_PER_SECOND)
         end
 
         # Calling query with no filters is more efficiently handled by a primary index scan.
-        write_field_header(2, Aerospike::FieldType::SCAN_OPTIONS)
-        priority = @policy.priority.ord
-        priority = priority << 4
-        @data_buffer.write_byte(priority, @data_offset)
-        @data_offset+=1
-        @data_buffer.write_byte(100.ord, @data_offset)
-        @data_offset+=1
+        # write_field_header(2, Aerospike::FieldType::SCAN_OPTIONS)
+        # priority = @policy.priority.ord
+        # priority = priority << 4
+        # @data_buffer.write_byte(priority, @data_offset)
+        # @data_offset+=1
+        # @data_buffer.write_byte(100.ord, @data_offset)
+        # @data_offset+=1
       end
 
       write_field_header(8, Aerospike::FieldType::TRAN_ID)

data/lib/aerospike/query/scan_command.rb

@@ -23,7 +23,7 @@ module Aerospike
 
   class ScanCommand < StreamCommand #:nodoc:
 
-    def initialize(node, policy, namespace, set_name, bin_names, recordset)
+    def initialize(node, policy, namespace, set_name, bin_names, recordset, partitions)
       super(node)
 
       @policy = policy
@@ -31,10 +31,11 @@ module Aerospike
       @set_name = set_name
       @bin_names = bin_names
       @recordset = recordset
+      @partitions = partitions
     end
 
     def write_buffer
-      set_scan(@policy, @namespace, @set_name, @bin_names)
+      set_scan(@policy, @namespace, @set_name, @bin_names, @partitions)
     end
 
   end # class

data/lib/aerospike/query/stream_command.rb

@@ -58,6 +58,9 @@ module Aerospike
         op_count = @data_buffer.read_int16(20)
         key = parse_key(field_count)
 
+        # If cmd is the end marker of the response, do not proceed further
+        return true if (info3 & INFO3_PARTITION_DONE) != 0
+
         if result_code == 0
           if @recordset.active?
             @recordset.records.enq(parse_record(key, op_count, generation, expiration))

data/lib/aerospike/result_code.rb

@@ -182,7 +182,7 @@ module Aerospike
     # Privilege is invalid.
     INVALID_PRIVILEGE = 72
 
-    # Specified IP whitelist is invalid.
+    # Specified IP allowlist is invalid.
     INVALID_WHITELIST = 73
 
     # User must be authentication before performing database operations.
@@ -191,7 +191,7 @@ module Aerospike
     # User does not posses the required role to perform the database operation.
     ROLE_VIOLATION = 81
 
-    # Client IP address is not on the IP whitelist.
+    # Client IP address is not on the IP allowlist.
     NOT_WHITELISTED = 82
 
     # LDAP feature not enabled on server.
@@ -422,7 +422,7 @@ module Aerospike
         "Invalid privilege"
 
       when INVALID_WHITELIST
-        "Specified IP whitelist is invalid"
+        "Specified IP allowlist is invalid"
 
       when NOT_AUTHENTICATED
         "Not authenticated"
@@ -431,7 +431,7 @@ module Aerospike
         "Role violation"
 
       when NOT_WHITELISTED
-        "Client IP address is not on the IP whitelist"
+        "Client IP address is not on the IP allowlist"
 
       when LDAP_NOT_ENABLED
         "LDAP feature not enabled on server"

data/lib/aerospike/role.rb

@@ -0,0 +1,55 @@
+# encoding: utf-8
+# Copyright 2014-2020 Aerospike, Inc.
+#
+# Portions may be licensed to Aerospike, Inc. under one or more contributor
+# license agreements.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+
+module Aerospike
+
+  # Role provides granular access to database entities for users.
+  class Role
+
+    # Role name
+    attr_accessor :name
+
+    # List of assigned privileges
+    attr_accessor :privileges
+
+    # List of allowable IP addresses
+    attr_accessor :allowlist
+
+    # Maximum reads per second limit for the role
+    attr_accessor :read_quota
+
+    # Maximum writes per second limit for the role
+    attr_accessor :write_quota
+
+    # The following aliases are for backward compatibility reasons
+    USER_ADMIN = Privilege::USER_ADMIN # :nodoc:
+    SYS_ADMIN = Privilege::SYS_ADMIN # :nodoc:
+    DATA_ADMIN = Privilege::DATA_ADMIN # :nodoc:
+    UDF_ADMIN = Privilege::UDF_ADMIN # :nodoc:
+    SINDEX_ADMIN = Privilege::SINDEX_ADMIN # :nodoc:
+    READ_WRITE_UDF = Privilege::READ_WRITE_UDF # :nodoc:
+    READ_WRITE = Privilege::READ_WRITE # :nodoc:
+    READ = Privilege::READ # :nodoc:
+    WRITE = Privilege::WRITE # :nodoc:
+    TRUNCATE = Privilege::TRUNCATE # :nodoc:
+
+    def to_s
+      "Role [name=#{@name}, privileges=#{@privileges}, allowlist=#{@allowlist}, readQuota=#{@read_quota}, writeQuota=#{@write_quota}]";
+    end
+ 
+  end # class
+
+end # module

data/lib/aerospike/user_role.rb

@@ -25,6 +25,31 @@ module Aerospike
 		# List of assigned roles.
 		attr_accessor :roles
 
+		# List of read statistics. List may be nil.
+		# Current statistics by offset are:
+		#
+		# 0: read quota in records per second
+		# 1: single record read transaction rate (TPS)
+		# 2: read scan/query record per second rate (RPS)
+		# 3: number of limitless read scans/queries
+		#
+		# Future server releases may add additional statistics.
+		attr_accessor :read_info
+
+		# List of write statistics. List may be nil.
+		# Current statistics by offset are:
+		#
+		# 0: write quota in records per second
+		# 1: single record write transaction rate (TPS)
+		# 2: write scan/query record per second rate (RPS)
+		# 3: number of limitless write scans/queries
+		#
+		# Future server releases may add additional statistics.
+		attr_accessor :write_info
+
+		# Number of currently open connections for the user
+		attr_accessor :conns_in_use
+
 	end
 
 end