aerospike 2.20.1 → 2.21.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5453ee9475d4868e6b65ed5a13868dac07e0628538330da6b8f6f1a1a65624c7
-  data.tar.gz: 74044cf1e3c30af803c2d04e7e17989cc49e699b229c1cd08b0cfb384ee004a4
+  metadata.gz: 75981b3dd2a5778a1937b7c5cd77abd97487be03d95d98e64b0fad0fb8e62080
+  data.tar.gz: 728a4593e675c15923798c352b33f01c4b0349b630a4a210dd6661346ff47ca8
 SHA512:
-  metadata.gz: aea8982415b6f606822ab4648dc48fea6f13ca1984eb7f0ba7a1708da03a975dbd484aeb206ad3472af1c867f40623a6db4cb9fd35d80b0b65f54dfc4f10a059
-  data.tar.gz: bab0149d85d4b90232bc2a9fad68aeda837b175ea981d671690cddf26e7713d5d8c7ef732abd2f1445e8bf880fb595f1b9aafd9b1b1028dd7c0ada94d70ccc97
+  metadata.gz: 7daa97ca23927f6132ad3a939c003872f7c6a0de538f99aea28b4a9624b23452cfec82b1a4243db4efa4fbb2c9f10085b338ce84223d309dd6fd8645ab3b61af
+  data.tar.gz: 97951b75f58a8cd750c27c77c37949e0d49dbfea3688e353496822f354c93124bae4749241f24d9e5f6508a6f1fcf6213bdfdf3bba371fa0e3d2a734aed45d78

data/CHANGELOG.md

@@ -2,6 +2,14 @@
 
 All notable changes to this project will be documented in this file.
 
+## [2.21.0] - 2022-06-07
+
+* **New Features**
+  * Add support for new user management features. Adds `Client#query_role`, `Client#query_roles`, `Client#create_role`, `Client#drop_role`, `Client#grant_privileges`, `Client#revoke_privileges`. Adds the 'Role' class. Adds `UserRoles#read_info`, `UserRoles#write_info`, `UserRoles#conns_in_use` to the `UserRoles` class.
+
+* **Improvements**
+  * Do not run PredExp tests for server v6+.
+
 ## [2.20.1] - 2022-05-11
 
 * **Improvements**

data/lib/aerospike/client.rb

@@ -764,7 +764,7 @@ module Aerospike
     # before sending to server.
     def create_user(user, password, roles, options = nil)
       policy = create_policy(options, AdminPolicy, default_admin_policy)
-      hash = AdminCommand.hash_password(password)
+      hash = LoginCommand.hash_password(password)
       command = AdminCommand.new
       command.create_user(@cluster, policy, user, hash, roles)
     end
@@ -781,7 +781,7 @@ module Aerospike
       raise Aerospike::Exceptions::Aerospike.new(INVALID_USER) unless @cluster.user && @cluster.user != ""
       policy = create_policy(options, AdminPolicy, default_admin_policy)
 
-      hash = AdminCommand.hash_password(password)
+      hash = LoginCommand.hash_password(password)
       command = AdminCommand.new
 
       if user == @cluster.user
@@ -823,6 +823,50 @@ module Aerospike
       command.query_users(@cluster, policy)
     end
 
+    # Retrieve privileges for a given role.
+    def query_role(role, options = nil)
+      policy = create_policy(options, AdminPolicy, default_admin_policy)
+      command = AdminCommand.new
+      command.query_role(@cluster, policy, role)
+    end
+
+    # Retrieve all roles and their privileges.
+    def query_roles(options = nil)
+      policy = create_policy(options, AdminPolicy, default_admin_policy)
+      command = AdminCommand.new
+      command.query_roles(@cluster, policy)
+    end
+
+    # Create a user-defined role.
+    # Quotas require server security configuration "enable-quotas" to be set to true.
+    # Pass 0 for quota values for no limit.
+    def create_role(role_name, privileges = [], allowlist = [], read_quota = 0, write_quota = 0, options = nil)
+      policy = create_policy(options, AdminPolicy, default_admin_policy)
+      command = AdminCommand.new
+      command.create_role(@cluster, policy, role_name, privileges, allowlist, read_quota, write_quota)
+    end
+
+    # Remove a user-defined role.
+    def drop_role(role_name, options = nil)
+      policy = create_policy(options, AdminPolicy, default_admin_policy)
+      command = AdminCommand.new
+      command.drop_role(@cluster, policy, role_name)
+    end
+
+    # Grant privileges to a user-defined role.
+    def grant_privileges(role_name, privileges, options = nil)
+      policy = create_policy(options, AdminPolicy, default_admin_policy)
+      command = AdminCommand.new
+      command.grant_privileges(@cluster, policy, role_name, privileges)
+    end
+
+    # Revoke privileges from a user-defined role.
+    def revoke_privileges(role_name, privileges, options = nil)
+      policy = create_policy(options, AdminPolicy, default_admin_policy)
+      command = AdminCommand.new
+      command.revoke_privileges(@cluster, policy, role_name, privileges)
+    end
+
     private
 
     def set_default_policies(policies)

data/lib/aerospike/cluster/create_connection.rb

@@ -32,7 +32,7 @@ module Aerospike
           ).tap do |conn|
             if cluster.credentials_given?
               # Authenticate will raise and close connection if invalid credentials
-              Connection::Authenticate.(conn, cluster.user, cluster.password)
+              Connection::AuthenticateNew.(conn, cluster)
             end
           end
         end

data/lib/aerospike/cluster.rb

@@ -27,9 +27,12 @@ module Aerospike
     attr_reader :features, :tls_options
     attr_reader :cluster_id, :aliases
     attr_reader :cluster_name
+    attr_reader :client_policy
     attr_accessor :rack_aware, :rack_id
+    attr_accessor :session_token, :session_expiration
 
     def initialize(policy, hosts)
+      @client_policy = policy
       @cluster_seeds = hosts
       @fail_if_not_connected = policy.fail_if_not_connected
       @connection_queue_size = policy.connection_queue_size
@@ -56,7 +59,7 @@ module Aerospike
       # setup auth info for cluster
       if policy.requires_authentication
         @user = policy.user
-        @password = AdminCommand.hash_password(policy.password)
+        @password = LoginCommand.hash_password(policy.password)
       end
 
       initialize_tls_host_names(hosts) if tls_enabled?
@@ -78,6 +81,15 @@ module Aerospike
       !(@user.nil? || @user.empty?)
     end
 
+    def session_valid?
+      @session_token && @session_expiration && @session_expiration.to_i < Time.now.to_i
+    end
+
+    def reset_session_info
+      @session_token = nil
+      @session_expiration = nil
+    end
+
     def tls_enabled?
       !tls_options.nil? && tls_options[:enable] != false
     end
@@ -436,6 +448,7 @@ module Aerospike
         cluster_config_changed = true
       end
 
+
       cluster_config_changed
     end
 

data/lib/aerospike/command/admin_command.rb

@@ -18,17 +18,22 @@ module Aerospike
 
   private
   # Commands
-  AUTHENTICATE    = 0
-  CREATE_USER     = 1
-  DROP_USER       = 2
-  SET_PASSWORD    = 3
-  CHANGE_PASSWORD = 4
-  GRANT_ROLES     = 5
-  REVOKE_ROLES    = 6
-  #CREATE_ROLE = 8
-  QUERY_USERS = 9
-  #QUERY_ROLES =  10
-  LOGIN = 20
+  AUTHENTICATE      = 0
+  CREATE_USER       = 1
+  DROP_USER         = 2
+  SET_PASSWORD      = 3
+  CHANGE_PASSWORD   = 4
+  GRANT_ROLES       = 5
+  REVOKE_ROLES      = 6
+  QUERY_USERS       = 9
+  CREATE_ROLE       = 10
+  DROP_ROLE         = 11
+  GRANT_PRIVILEGES  = 12
+  REVOKE_PRIVILEGES = 13
+  SET_WHITELIST     = 14
+  SET_QUOTAS        = 15
+  QUERY_ROLES       = 16
+  LOGIN             = 20
 
   # Field IDs
   USER           = 0
@@ -36,8 +41,17 @@ module Aerospike
   OLD_PASSWORD   = 2
   CREDENTIAL     = 3
   CLEAR_PASSWORD = 4
+  SESSION_TOKEN  = 5
+  SESSION_TTL    = 6
   ROLES          = 10
-  #PRIVILEGES =  11
+  ROLE           = 11
+  PRIVILEGES     = 12
+  ALLOWLIST      = 13
+  READ_QUOTA     = 14
+  WRITE_QUOTA    = 15
+  READ_INFO      = 16
+  WRITE_INFO     = 17
+  CONNECTIONS    = 18
 
   # Misc
   MSG_VERSION  = 2
@@ -55,34 +69,6 @@ module Aerospike
       @data_offset =  8
     end
 
-    def authenticate(conn, user, password)
-      begin
-        set_authenticate(user, password)
-        conn.write(@data_buffer, @data_offset)
-        conn.read(@data_buffer, HEADER_SIZE)
-
-        result = @data_buffer.read(RESULT_CODE)
-
-        # read the rest of the buffer
-        size = @data_buffer.read_int64(0)
-        length = (size & 0xFFFFFFFFFFFF) - HEADER_REMAINING
-        conn.read(@data_buffer, length)
-
-        raise Exceptions::Aerospike.new(result, "Authentication failed") if result != 0
-      ensure
-        Buffer.put(@data_buffer)
-      end
-    end
-
-    def set_authenticate(user, password)
-      write_header(LOGIN, 2)
-      write_field_str(USER, user)
-      write_field_bytes(CREDENTIAL, password)
-      write_size
-
-      return @data_offset
-    end
-
     def create_user(cluster, policy, user, password, roles)
       write_header(CREATE_USER, 3)
       write_field_str(USER, user)
@@ -126,6 +112,61 @@ module Aerospike
       execute_command(cluster, policy)
     end
 
+    def create_role(cluster, policy, role_name, privileges = [], allowlist = [], read_quota = 0, write_quota = 0)
+      field_count = 1
+      field_count += 1 if privileges.size > 0
+      field_count += 1 if allowlist.size > 0
+      field_count += 1 if read_quota > 0
+      field_count += 1 if write_quota > 0
+
+      write_header(CREATE_ROLE, field_count)
+      write_field_str(ROLE, role_name)
+
+      write_privileges(privileges) if privileges.size > 0
+      write_allowlist(allowlist) if allowlist.size > 0
+
+      write_field_uint32(READ_QUOTA, read_quota) if read_quota > 0
+      write_field_uint32(WRITE_QUOTA, write_quota) if write_quota > 0
+
+      execute_command(cluster, policy)
+    end
+
+    def drop_role(cluster, policy, role)
+      write_header(DROP_ROLE, 1)
+      write_field_str(ROLE, role)
+      execute_command(cluster, policy)
+    end
+
+    def grant_privileges(cluster, policy, role, privileges)
+      write_header(GRANT_PRIVILEGES, 2)
+      write_field_str(ROLE, role)
+      write_privileges(privileges)
+      execute_command(cluster, policy)
+    end
+
+    def revoke_privileges(cluster, policy, role, privileges)
+      write_header(REVOKE_PRIVILEGES, 2)
+      write_field_str(ROLE, role)
+      write_privileges(privileges)
+      execute_command(cluster, policy)
+    end
+
+    def set_allowlist(cluster, policy, role, allowlist = [])
+      field_count = 1
+      field_count += 1 if allowlist.size > 0
+      write_header(SET_WHITELIST, field_count)
+      write_allowlist(allowlist) if allowlist.size > 0
+      execute_command(cluster, policy)
+    end
+
+    def set_quotas(cluster, policy, role, read_quota, write_quota)
+      write_header(SET_QUOTAS, 3)
+      write_field_str(ROLE, role)
+      write_field_uint32(READ_QUOTA, read_quota)
+      write_field_uint32(WRITE_QUOTA, write_quota)
+      execute_command(cluster, policy)
+    end
+
     def query_user(cluster, policy, user)
       # TODO: Remove the workaround in the future
       sleep(0.010)
@@ -152,6 +193,32 @@ module Aerospike
       end
     end
 
+    def query_role(cluster, policy, role)
+      # TODO: Remove the workaround in the future
+      sleep(0.010)
+
+      list = []
+      begin
+        write_header(QUERY_ROLES, 1)
+        write_field_str(ROLE, role)
+        list = read_roles(cluster, policy)
+        return (list.is_a?(Array) && list.length > 0 ? list.first : nil)
+      ensure
+        Buffer.put(@data_buffer)
+      end
+    end
+
+    def query_roles(cluster, policy)
+      # TODO: Remove the workaround in the future
+      sleep(0.010)
+      begin
+        write_header(QUERY_ROLES, 0)
+        return read_roles(cluster, policy)
+      ensure
+        Buffer.put(@data_buffer)
+      end
+    end
+
     def write_roles(roles)
       offset = @data_offset + FIELD_HEADER_SIZE
       @data_buffer.write_byte(roles.length.ord, offset)
@@ -174,6 +241,54 @@ module Aerospike
       @data_buffer.write_int64(size, 0)
     end
 
+    def write_privileges(privileges)
+      offset = @data_offset
+      @data_offset += FIELD_HEADER_SIZE
+      write_byte(privileges.size)
+
+      for privilege in privileges
+        write_byte(privilege.to_code)
+        if privilege.can_scope?
+          if privilege.set_name.to_s.size > 0 && privilege.namespace.to_s.size == 0
+            raise Aerospike::Exceptions::Aerospike.new(Aerospike::ResultCode::INVALID_PRIVILEGE, "Admin privilege #{privilege.namespace} has a set scope with an empty namespace")
+          end
+
+          write_str(privilege.namespace.to_s)
+          write_str(privilege.set_name.to_s)
+        else
+          if privilege.set_name.to_s.bytesize > 0 || privilege.namespace.to_s.bytesize > 0
+            raise Aerospike::Exceptions::Aerospike.new(Aerospike::ResultCode::INVALID_PRIVILEGE, "Admin global privilege #{privilege} can't have a namespace or set")
+          end
+        end
+      end
+
+      size = @data_offset - offset - FIELD_HEADER_SIZE
+      @data_offset = offset
+      write_field_header(PRIVILEGES, size)
+      @data_offset += size
+    end
+
+    def write_allowlist(allowlist)
+      offset = @data_offset
+      @data_offset += FIELD_HEADER_SIZE
+
+      comma = false
+      for addr in allowlist
+        if comma
+          write_byte(",")
+        else
+          comma = true
+        end
+
+        @data_offset += @data_buffer.write_binary(addr, @data_offset)
+      end
+
+      size = @data_offset - offset - FIELD_HEADER_SIZE
+      @data_offset = offset
+      write_field_header(ALLOWLIST, size)
+      @data_offset += size
+    end
+
     def write_header(command, field_count)
       # Authenticate header is almost all zeros
       i = @data_offset
@@ -186,12 +301,27 @@ module Aerospike
       @data_offset += 16
     end
 
+    def write_byte(b)
+      @data_offset += @data_buffer.write_byte(b, @data_offset)
+    end
+
+    def write_str(str)
+      @data_offset += @data_buffer.write_byte(str.bytesize, @data_offset)
+      @data_offset += @data_buffer.write_binary(str, @data_offset)
+    end
+
     def write_field_str(id, str)
       len = @data_buffer.write_binary(str, @data_offset+FIELD_HEADER_SIZE)
       write_field_header(id, len)
       @data_offset += len
     end
 
+    def write_field_uint32(id, val)
+      len = @data_buffer.write_uint32(val, @data_offset+FIELD_HEADER_SIZE)
+      write_field_header(id, len)
+      @data_offset += len
+    end
+
     def write_field_bytes(id, bytes)
       @data_buffer.write_binary(bytes, @data_offset+FIELD_HEADER_SIZE)
       write_field_header(id, bytes.bytesize)
@@ -292,7 +422,7 @@ module Aerospike
           return (result_code == QUERY_END ? -1 : result_code)
         end
 
-        userRoles = UserRoles.new
+        user_roles = UserRoles.new
         field_count = @data_buffer.read(@data_offset+3)
         @data_offset += HEADER_REMAINING
 
@@ -306,10 +436,17 @@ module Aerospike
 
           case id
           when USER
-            userRoles.user = @data_buffer.read(@data_offset, len)
+            user_roles.user = @data_buffer.read(@data_offset, len)
             @data_offset += len
           when ROLES
-            parse_roles(userRoles)
+            parse_roles(user_roles)
+          when READ_INFO
+            user_roles.read_info = parse_info
+          when WRITE_INFO
+            user_roles.write_info = parse_info
+          when CONNECTIONS
+            user_roles.conns_in_use = @data_buffer.read_int32(@data_offset)
+            @data_offset += len
           else
             @data_offset += len
           end
@@ -317,19 +454,19 @@ module Aerospike
           i = i.succ
         end
 
-        next if userRoles.user == "" && userRoles.roles == nil
+        next if user_roles.user == "" && user_roles.roles == nil
 
-        userRoles.roles = [] if userRoles.roles == nil
-        list << userRoles
+        user_roles.roles = [] if user_roles.roles == nil
+        list << user_roles
       end
 
       return 0, list
     end
 
-    def parse_roles(userRoles)
+    def parse_roles(user_roles)
       size = @data_buffer.read(@data_offset)
       @data_offset += 1
-      userRoles.roles = []
+      user_roles.roles = []
 
       i = 0
       while i < size
@@ -337,17 +474,188 @@ module Aerospike
         @data_offset += 1
         role = @data_buffer.read(@data_offset, len)
         @data_offset += len
-        userRoles.roles << role
+        user_roles.roles << role
 
         i = i.succ
       end
     end
 
-    SALT = '$2a$10$7EqJtq98hPqEX7fNZaFWoO'
-    def self.hash_password(password)
-      # Hashing the password with the cost of 10, with a static salt
-      return BCrypt::Engine.hash_secret(password, SALT, :cost => 10)
+    def parse_info
+      size = @data_buffer.read(@data_offset)
+      @data_offset += 1
+      list = []
+
+      i = 0
+      while i < size
+        val = @data_buffer.read_int32(@data_offset)
+        @data_offset += 4
+        list << val
+
+        i = i.succ
+      end
+
+      list
     end
+
+    def read_roles(cluster, policy)
+      write_size
+      node = cluster.random_node
+
+      timeout = 1
+      timeout = policy.timeout if policy != nil && policy.timeout > 0
+
+      status = -1
+      list = []
+      begin
+        conn = node.get_connection(timeout)
+        conn.write(@data_buffer, @data_offset)
+        status, list = read_role_blocks(conn)
+        node.put_connection(conn)
+      rescue => e
+        conn.close if conn
+        raise e
+      end
+
+      raise Exceptions::Aerospike.new(status) if status > 0
+
+      return list
+    end
+
+    def read_role_blocks(conn)
+      rlist = []
+      status = 0
+      begin
+        while status == 0
+          conn.read(@data_buffer, 8)
+          size = @data_buffer.read_int64(0)
+          receive_size = (size & 0xFFFFFFFFFFFF)
+
+          if receive_size > 0
+            @data_buffer.resize(receive_size) if receive_size > @data_buffer.size
+
+            conn.read(@data_buffer, receive_size)
+            status, list = parse_roles_full(receive_size)
+            rlist.concat(list.to_a)
+          else
+            break
+          end
+        end
+        return status, rlist
+      rescue => e
+        return -1, []
+      end
+    end
+
+    def parse_roles_full(receive_size)
+      @data_offset = 0
+      list = []
+
+      while @data_offset < receive_size
+        result_code = @data_buffer.read(@data_offset+1)
+
+        if result_code != 0
+          return (result_code == QUERY_END ? -1 : result_code)
+        end
+
+        role = Role.new
+        field_count = @data_buffer.read(@data_offset+3)
+        @data_offset += HEADER_REMAINING
+
+        i = 0
+        while i  < field_count
+          len = @data_buffer.read_int32(@data_offset)
+          @data_offset += 4
+          id = @data_buffer.read(@data_offset)
+          @data_offset += 1
+          len -= 1
+
+          case id
+          when ROLE
+            role.name = @data_buffer.read(@data_offset, len).to_s
+            @data_offset += len
+          when PRIVILEGES
+            parse_privileges(role)
+          when ALLOWLIST
+            role.allowlist = parse_allowlist(len)
+          when READ_QUOTA
+            role.read_quota = @data_buffer.read_uint32(@data_offset)
+            @data_offset += len
+          when WRITE_QUOTA
+            role.write_quota = @data_buffer.read_uint32(@data_offset)
+            @data_offset += len
+          else
+            @data_offset += len
+          end
+
+          i = i.succ
+        end
+
+        next if role.name == "" && role.privileges == nil
+
+        role.privileges ||= []
+        list << role
+      end
+
+      return 0, list
+    end
+
+    def parse_privileges(role)
+      size = @data_buffer.read(@data_offset)
+      @data_offset += 1
+      role.privileges = []
+
+      i = 0
+      while i < size
+        priv = Privilege.new
+        priv.code = Privilege.from(@data_buffer.read(@data_offset))
+        @data_offset += 1
+
+        if priv.can_scope?
+          len = @data_buffer.read(@data_offset)
+          @data_offset += 1
+          priv.namespace = @data_buffer.read(@data_offset, len)
+          @data_offset += len
+
+          len = @data_buffer.read(@data_offset)
+          @data_offset += 1
+          priv.set_name = @data_buffer.read(@data_offset, len)
+          @data_offset += len
+        end
+
+        role.privileges << priv
+
+        i = i.succ
+      end
+    end
+
+    def parse_allowlist(len)
+      list = []
+      begn = @data_offset
+      max = begn + len
+
+      while @data_offset < max
+        if @data_buffer.read(@data_offset) == ','
+          l = @data_offset - begn
+          if l > 0
+            s = @data_buffer.read(begn, l)
+            list << s
+          end
+          @data_offset += 1
+          begn = @data_offset
+        else
+          @data_offset += 1
+        end
+      end
+
+      l = @data_offset - begn
+      if l > 0
+        s = @data_buffer.read(begn, l)
+        list << s
+      end
+
+      list      
+    end
+
   end
 end
 

data/lib/aerospike/command/login_command.rb

@@ -0,0 +1,162 @@
+# encoding: utf-8
+# Copyright 2014-2020 Aerospike, Inc.
+#
+# Portions may be licensed to Aerospike, Inc. under one or more contributor
+# license agreements.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+
+require 'aerospike/command/admin_command'
+
+module Aerospike
+
+  private
+
+  attr_reader :session_token, :session_expiration
+
+  class LoginCommand < AdminCommand #:nodoc:
+
+    def login(conn, policy)
+        hashed_pass = LoginCommand.hash_password(policy.password)
+        authenticate(conn, policy, hashed_pass)
+    end
+
+    def authenticate(conn, user, hashed_pass)
+      write_header(LOGIN, 2)
+      write_field_str(USER, policy.user)
+      write_field_bytes(CREDENTIAL, hashed_pass)
+
+      parse_tokens(conn)
+    end
+
+    def authenticate_new(conn, cluster)
+      policy = cluster.client_policy
+      case policy.auth_mode
+      when Aerospike::AuthMode::EXTERNAL
+        write_header(LOGIN, 3)
+        write_field_str(USER, policy.user)
+        write_field_bytes(CREDENTIAL, cluster.password)
+        write_field_str(CLEAR_PASSWORD, policy.password)
+      when Aerospike::AuthMode::INTERNAL
+        write_header(LOGIN, 2)
+        write_field_str(USER, policy.user)
+        write_field_bytes(CREDENTIAL, cluster.password)
+      when Aerospike::AuthMode::PKI
+        write_header(LOGIN, 0)
+      else
+        raise Exceptions::Aerospike.new(Aerospike::ResultCode::COMMAND_REJECTED, "Invalid client_policy#auth_mode.")
+      end
+
+      parse_tokens(conn)
+      cluster.session_token = @session_token
+      cluster.session_expiration = @session_expiration
+    end
+
+    def parse_tokens(conn)
+      begin
+        write_size
+        conn.write(@data_buffer, @data_offset)
+        conn.read(@data_buffer, HEADER_SIZE)
+
+        result = @data_buffer.read(RESULT_CODE)
+
+        if result != 0 
+          return if result == Aerospike::ResultCode::SECURITY_NOT_ENABLED
+          raise Exceptions::Aerospike.new(result, "Authentication failed")
+        end
+
+        # read the rest of the buffer
+        size = @data_buffer.read_int64(0)
+        receive_size = (size & 0xFFFFFFFFFFFF) - HEADER_REMAINING
+        field_count = @data_buffer.read(11) & 0xFF
+
+        if receive_size <= 0 || receive_size > @data_buffer.size || field_count <= 0
+          raise Exceptions::Aerospike.new(result, "Node failed to retrieve session token")
+        end
+
+        if @data_buffer.size < receive_size
+          @data_buffer.resize(receive_size)
+        end
+
+        conn.read(@data_buffer, receive_size)
+
+        @data_offset = 0
+        for i in 0...field_count
+          mlen = @data_buffer.read_int32(@data_offset)
+          @data_offset += 4
+          id = @data_buffer.read(@data_offset)
+          @data_offset += 1
+          mlen -= 1
+
+          case id
+          when SESSION_TOKEN
+            # copy the contents of the buffer into a new byte slice
+            @session_token = @data_buffer.read(@data_offset, mlen)
+
+          when SESSION_TTL
+            # Subtract 60 seconds from TTL so client session expires before server session.
+            seconds = @data_buffer.read_int32(@data_offset) - 60
+
+            if seconds > 0
+              @session_expiration = Time.now + (seconds/86400)
+            else
+              Aerospike.logger.warn("Invalid session TTL: #{seconds}")
+              raise Exceptions::Aerospike.new(result, "Node failed to retrieve session token")
+            end
+          end
+
+          @data_offset += mlen
+        end
+
+        if !@session_token
+          raise Exceptions::Aerospike.new(result, "Node failed to retrieve session token")
+        end
+      ensure
+        Buffer.put(@data_buffer)
+      end
+    end
+
+    def authenticate_via_token(conn, cluster)
+      policy = cluster.client_policy
+      if policy.auth_mode != Aerospike::AuthMode::PKI
+        write_header(AUTHENTICATE, 2)
+        write_field_str(USER, policy.user)
+      else
+        write_header(AUTHENTICATE, 1)
+      end
+
+      write_field_bytes(SESSION_TOKEN, cluster.session_token) if cluster.session_token
+      write_size
+
+      conn.write(@data_buffer, @data_offset)
+      conn.read(@data_buffer, HEADER_SIZE)
+
+      result = @data_buffer.read(RESULT_CODE)
+      size = @data_buffer.read_int64(0)
+      receive_size = (size & 0xFFFFFFFFFFFF) - HEADER_REMAINING
+      conn.read(@data_buffer, receive_size)
+
+      if result != 0 
+        return if result == Aerospike::ResultCode::SECURITY_NOT_ENABLED
+        raise Exceptions::Aerospike.new(result, "Authentication failed")
+      end
+
+      nil
+    end
+
+    SALT = '$2a$10$7EqJtq98hPqEX7fNZaFWoO'
+    def self.hash_password(password)
+      # Hashing the password with the cost of 10, with a static salt
+      return BCrypt::Engine.hash_secret(password, SALT, :cost => 10)
+    end
+  end
+end
+

data/lib/aerospike/connection/authenticate.rb

@@ -21,9 +21,41 @@ module Aerospike
   module Connection # :nodoc:
     module Authenticate
       class << self
-        def call(conn, user, password)
-          command = AdminCommand.new
-          command.authenticate(conn, user, password)
+        def call(conn, user, hashed_pass)
+          command = LoginCommand.new
+          command.authenticate(conn, user, hashed_pass)
+          true
+        rescue ::Aerospike::Exceptions::Aerospike
+          conn.close if conn
+          raise ::Aerospike::Exceptions::InvalidCredentials
+        end
+      end
+    end
+    module AuthenticateNew
+      class << self
+        INVALID_SESSION_ERR = [ResultCode::INVALID_CREDENTIAL, 
+          ResultCode::EXPIRED_SESSION]
+
+        def call(conn, cluster)
+          command = LoginCommand.new
+          if !cluster.session_valid?
+            command.authenticate_new(conn, cluster)
+          else
+            begin
+              command.authenticate_via_token(conn, cluster)
+            rescue => ae
+              # always reset session info on errors to be on the safe side
+              cluster.reset_session_info
+              if ae.is_a?(Exceptions::Aerospike)
+                if INVALID_SESSION_ERR.include?(ae.result_code)
+                  command.authenticate(conn, cluster)
+                  return
+                end
+              end
+              raise ae
+            end
+          end
+
           true
         rescue ::Aerospike::Exceptions::Aerospike
           conn.close if conn

data/lib/aerospike/policy/auth_mode.rb

@@ -0,0 +1,36 @@
+# encoding: utf-8
+# Copyright 2014-2020 Aerospike, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Aerospike
+
+  module AuthMode
+
+    # INTERNAL uses internal authentication only when user/password defined. Hashed password is stored
+    # on the server. Do not send clear password. This is the default.
+    INTERNAL = 0
+
+    # EXTERNAL uses external authentication (like LDAP) when user/password defined. Specific external authentication is
+    # configured on server. If TLS is defined, sends clear password on node login via TLS.
+    # Will raise exception if TLS is not defined.
+    EXTERNAL = 1
+
+    # PKI allows authentication and authorization based on a certificate. No user name or
+    # password needs to be configured. Requires TLS and a client certificate.
+    # Requires server version 5.7.0+
+    PKI = 2
+
+  end # module
+
+end # module

data/lib/aerospike/policy/client_policy.rb

@@ -22,7 +22,7 @@ module Aerospike
   # Container object for client policy command.
   class ClientPolicy
 
-    attr_accessor :user, :password
+    attr_accessor :user, :password, :auth_mode
     attr_accessor :timeout, :connection_queue_size, :fail_if_not_connected, :tend_interval
     attr_accessor :cluster_name
     attr_accessor :tls
@@ -44,6 +44,9 @@ module Aerospike
       # which the client checks for cluster state changes. Minimum interval is 10ms.
       self.tend_interval = opt[:tend_interval] || 1000 # 1 second
 
+      # Authentication mode
+      @auth_mode = opt[:auth_mode] || AuthMode::INTERNAL
+
       # user name
       @user = opt[:user]
 

data/lib/aerospike/privilege.rb

@@ -0,0 +1,133 @@
+# encoding: utf-8
+# Copyright 2014-2022 Aerospike, Inc.
+#
+# Portions may be licensed to Aerospike, Inc. under one or more contributor
+# license agreements.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+
+module Aerospike
+
+	# Determines user access granularity.
+	class Privilege
+
+		# Role
+		attr_accessor :code
+
+		# Namespace determines namespace scope. Apply permission to this namespace only.
+		# If namespace is zero value, the privilege applies to all namespaces.
+		attr_accessor :namespace
+
+		# Set name scope. Apply permission to this set within namespace only.
+		# If set is zero value, the privilege applies to all sets within namespace.
+		attr_accessor :set_name
+
+	    # Manage users and their roles.
+	    USER_ADMIN = 'user-admin'
+
+	    # Manage indicies, user-defined functions and server configuration.
+	    SYS_ADMIN = 'sys-admin'
+
+	    # Manage indicies and user defined functions.
+	    DATA_ADMIN = 'data-admin'
+
+	    # Manage user defined functions.
+	    UDF_ADMIN = 'udf-admin'
+
+	    # Manage indicies.
+	    SINDEX_ADMIN = 'sindex-admin'
+
+	    # Allow read, write and UDF transactions with the database.
+	    READ_WRITE_UDF = "read-write-udf"
+
+	    # Allow read and write transactions with the database.
+	    READ_WRITE = 'read-write'
+
+	    # Allow read transactions with the database.
+	    READ = 'read'
+
+	    # Write allows write transactions with the database.
+	    WRITE = 'write'
+
+	    # Truncate allow issuing truncate commands.
+	    TRUNCATE = 'truncate'
+
+	    def initialize(opt={})
+	      @code = opt[:code]
+	      @namespace = opt[:namespace]
+	      @set_name = opt[:set_name]
+	    end
+
+		def to_s
+			"code: #{@code}, namespace: #{@namespace}, set_name: #{@set_name}"
+		end
+
+		def to_code
+			case @code
+			when USER_ADMIN
+				0
+			when SYS_ADMIN
+				1
+			when DATA_ADMIN
+				2
+			when UDF_ADMIN
+				3
+			when SINDEX_ADMIN
+				4
+			when READ
+				10
+			when READ_WRITE
+				11
+			when READ_WRITE_UDF
+				12
+			when WRITE
+				13
+			when TRUNCATE
+				14
+			else
+				raise Exceptions::Aerospike.new(Aerospike::ResultCode::INVALID_PRIVILEGE, "Invalid role #{@code}")
+			end # case
+		end # def
+
+		def self.from(code)
+			case code
+			when 0
+				USER_ADMIN
+			when 1
+				SYS_ADMIN
+			when 2
+				DATA_ADMIN
+			when 3
+				UDF_ADMIN
+			when 4
+				SINDEX_ADMIN
+			when 10
+				READ
+			when 11
+				READ_WRITE
+			when 12
+				READ_WRITE_UDF
+			when 13
+				WRITE
+			when 14
+				TRUNCATE
+			else
+				raise Exceptions::Aerospike.new(Aerospike::ResultCode::INVALID_PRIVILEGE, "Invalid code #{code}")
+			end # case
+		end # def
+
+		def can_scope?
+			to_code >= 10
+		end
+
+	end # class
+
+end

data/lib/aerospike/result_code.rb

@@ -182,7 +182,7 @@ module Aerospike
     # Privilege is invalid.
     INVALID_PRIVILEGE = 72
 
-    # Specified IP whitelist is invalid.
+    # Specified IP allowlist is invalid.
     INVALID_WHITELIST = 73
 
     # User must be authentication before performing database operations.
@@ -191,7 +191,7 @@ module Aerospike
     # User does not posses the required role to perform the database operation.
     ROLE_VIOLATION = 81
 
-    # Client IP address is not on the IP whitelist.
+    # Client IP address is not on the IP allowlist.
     NOT_WHITELISTED = 82
 
     # LDAP feature not enabled on server.
@@ -422,7 +422,7 @@ module Aerospike
         "Invalid privilege"
 
       when INVALID_WHITELIST
-        "Specified IP whitelist is invalid"
+        "Specified IP allowlist is invalid"
 
       when NOT_AUTHENTICATED
         "Not authenticated"
@@ -431,7 +431,7 @@ module Aerospike
         "Role violation"
 
       when NOT_WHITELISTED
-        "Client IP address is not on the IP whitelist"
+        "Client IP address is not on the IP allowlist"
 
       when LDAP_NOT_ENABLED
         "LDAP feature not enabled on server"

data/lib/aerospike/role.rb

@@ -0,0 +1,55 @@
+# encoding: utf-8
+# Copyright 2014-2020 Aerospike, Inc.
+#
+# Portions may be licensed to Aerospike, Inc. under one or more contributor
+# license agreements.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+
+module Aerospike
+
+  # Role provides granular access to database entities for users.
+  class Role
+
+    # Role name
+    attr_accessor :name
+
+    # List of assigned privileges
+    attr_accessor :privileges
+
+    # List of allowable IP addresses
+    attr_accessor :allowlist
+
+    # Maximum reads per second limit for the role
+    attr_accessor :read_quota
+
+    # Maximum writes per second limit for the role
+    attr_accessor :write_quota
+
+    # The following aliases are for backward compatibility reasons
+    USER_ADMIN = Privilege::USER_ADMIN # :nodoc:
+    SYS_ADMIN = Privilege::SYS_ADMIN # :nodoc:
+    DATA_ADMIN = Privilege::DATA_ADMIN # :nodoc:
+    UDF_ADMIN = Privilege::UDF_ADMIN # :nodoc:
+    SINDEX_ADMIN = Privilege::SINDEX_ADMIN # :nodoc:
+    READ_WRITE_UDF = Privilege::READ_WRITE_UDF # :nodoc:
+    READ_WRITE = Privilege::READ_WRITE # :nodoc:
+    READ = Privilege::READ # :nodoc:
+    WRITE = Privilege::WRITE # :nodoc:
+    TRUNCATE = Privilege::TRUNCATE # :nodoc:
+
+    def to_s
+      "Role [name=#{@name}, privileges=#{@privileges}, allowlist=#{@allowlist}, readQuota=#{@read_quota}, writeQuota=#{@write_quota}]";
+    end
+ 
+  end # class
+
+end # module

data/lib/aerospike/user_role.rb

@@ -25,6 +25,31 @@ module Aerospike
 		# List of assigned roles.
 		attr_accessor :roles
 
+		# List of read statistics. List may be nil.
+		# Current statistics by offset are:
+		#
+		# 0: read quota in records per second
+		# 1: single record read transaction rate (TPS)
+		# 2: read scan/query record per second rate (RPS)
+		# 3: number of limitless read scans/queries
+		#
+		# Future server releases may add additional statistics.
+		attr_accessor :read_info
+
+		# List of write statistics. List may be nil.
+		# Current statistics by offset are:
+		#
+		# 0: write quota in records per second
+		# 1: single record write transaction rate (TPS)
+		# 2: write scan/query record per second rate (RPS)
+		# 3: number of limitless write scans/queries
+		#
+		# Future server releases may add additional statistics.
+		attr_accessor :write_info
+
+		# Number of currently open connections for the user
+		attr_accessor :conns_in_use
+
 	end
 
 end

data/lib/aerospike/utils/buffer.rb

@@ -136,16 +136,31 @@ module Aerospike
       vals.unpack(INT16)[0]
     end
 
+    def read_uint16(offset)
+      vals = @buf[offset..offset+1]
+      vals.unpack(UINT16)[0]
+    end
+
     def read_int32(offset)
       vals = @buf[offset..offset+3]
       vals.unpack(INT32)[0]
     end
 
+    def read_uint32(offset)
+      vals = @buf[offset..offset+3]
+      vals.unpack(UINT32)[0]
+    end
+
     def read_int64(offset)
       vals = @buf[offset..offset+7]
       vals.unpack(INT64)[0]
     end
 
+    def read_uint64(offset)
+      vals = @buf[offset..offset+7]
+      vals.unpack(UINT64)[0]
+    end
+
     def read_var_int64(offset, len)
       val = 0
       i = 0

data/lib/aerospike/version.rb

@@ -1,4 +1,4 @@
 # encoding: utf-8
 module Aerospike
-  VERSION = "2.20.1"
+  VERSION = "2.21.0"
 end

data/lib/aerospike.rb

@@ -62,6 +62,7 @@ require 'aerospike/command/touch_command'
 require 'aerospike/command/read_command'
 require 'aerospike/command/delete_command'
 require 'aerospike/command/admin_command'
+require 'aerospike/command/login_command'
 require 'aerospike/command/unsupported_particle_type_validator'
 require 'aerospike/key'
 require 'aerospike/operation'
@@ -101,6 +102,7 @@ require 'aerospike/policy/query_policy'
 require 'aerospike/policy/consistency_level'
 require 'aerospike/policy/commit_level'
 require 'aerospike/policy/admin_policy'
+require 'aerospike/policy/auth_mode'
 
 require 'aerospike/socket/base'
 require 'aerospike/socket/ssl'
@@ -141,6 +143,8 @@ require 'aerospike/udf'
 require 'aerospike/bin'
 require 'aerospike/aerospike_exception'
 require 'aerospike/user_role'
+require 'aerospike/privilege'
+require 'aerospike/role'
 
 require 'aerospike/task/index_task'
 require 'aerospike/task/execute_task'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: aerospike
 version: !ruby/object:Gem::Version
-  version: 2.20.1
+  version: 2.21.0
 platform: ruby
 authors:
 - Khosrow Afroozeh
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-05-10 00:00:00.000000000 Z
+date: 2022-06-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: msgpack
@@ -97,11 +97,11 @@ files:
 - lib/aerospike/command/execute_command.rb
 - lib/aerospike/command/exists_command.rb
 - lib/aerospike/command/field_type.rb
+- lib/aerospike/command/login_command.rb
 - lib/aerospike/command/multi_command.rb
 - lib/aerospike/command/operate_command.rb
 - lib/aerospike/command/read_command.rb
 - lib/aerospike/command/read_header_command.rb
-- lib/aerospike/command/roles.rb
 - lib/aerospike/command/single_command.rb
 - lib/aerospike/command/touch_command.rb
 - lib/aerospike/command/unsupported_particle_type_validator.rb
@@ -138,6 +138,7 @@ files:
 - lib/aerospike/peers/fetch.rb
 - lib/aerospike/peers/parse.rb
 - lib/aerospike/policy/admin_policy.rb
+- lib/aerospike/policy/auth_mode.rb
 - lib/aerospike/policy/batch_policy.rb
 - lib/aerospike/policy/client_policy.rb
 - lib/aerospike/policy/commit_level.rb
@@ -152,6 +153,7 @@ files:
 - lib/aerospike/policy/replica.rb
 - lib/aerospike/policy/scan_policy.rb
 - lib/aerospike/policy/write_policy.rb
+- lib/aerospike/privilege.rb
 - lib/aerospike/query/filter.rb
 - lib/aerospike/query/pred_exp.rb
 - lib/aerospike/query/pred_exp/and_or.rb
@@ -168,6 +170,7 @@ files:
 - lib/aerospike/query/stream_command.rb
 - lib/aerospike/record.rb
 - lib/aerospike/result_code.rb
+- lib/aerospike/role.rb
 - lib/aerospike/socket/base.rb
 - lib/aerospike/socket/ssl.rb
 - lib/aerospike/socket/tcp.rb

data/lib/aerospike/command/roles.rb

@@ -1,39 +0,0 @@
-# encoding: utf-8
-# Copyright 2014-2020 Aerospike, Inc.
-#
-# Portions may be licensed to Aerospike, Inc. under one or more contributor
-# license agreements.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not
-# use this file except in compliance with the License. You may obtain a copy of
-# the License at http:#www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations under
-# the License.
-
-module Aerospike
-
-  # Pre-defined user roles.
-  module Role
-
-    # Manage users and their roles.
-    USER_ADMIN = 'user-admin'
-
-    # Manage indicies, user-defined functions and server configuration.
-    SYS_ADMIN = 'sys-admin'
-
-    # Allow read, write and UDF transactions with the database.
-    READ_WRITE_UDF = "read-write-udf"
-
-    # Allow read and write transactions with the database.
-    READ_WRITE = 'read-write'
-
-    # Allow read transactions with the database.
-    READ = 'read'
-
-  end # module
-
-end # module