RubyGems - aerospike - Versions diffs - 2.20.1 → 2.22.0 - Mend

aerospike 2.20.1 → 2.22.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +22 -0
data/lib/aerospike/client.rb +46 -2
data/lib/aerospike/cluster/create_connection.rb +1 -1
data/lib/aerospike/cluster.rb +20 -4
data/lib/aerospike/command/admin_command.rb +362 -54
data/lib/aerospike/command/command.rb +0 -6
data/lib/aerospike/command/login_command.rb +164 -0
data/lib/aerospike/connection/authenticate.rb +36 -3
data/lib/aerospike/node_validator.rb +6 -1
data/lib/aerospike/policy/auth_mode.rb +36 -0
data/lib/aerospike/policy/client_policy.rb +4 -1
data/lib/aerospike/privilege.rb +133 -0
data/lib/aerospike/result_code.rb +4 -4
data/lib/aerospike/role.rb +55 -0
data/lib/aerospike/user_role.rb +25 -0
data/lib/aerospike/utils/buffer.rb +21 -0
data/lib/aerospike/version.rb +1 -1
data/lib/aerospike.rb +4 -0
metadata +6 -3
data/lib/aerospike/command/roles.rb +0 -39

data/lib/aerospike/command/admin_command.rb CHANGED Viewed

@@ -18,17 +18,22 @@ module Aerospike
   private
   # Commands
-  AUTHENTICATE    = 0
-  CREATE_USER     = 1
-  DROP_USER       = 2
-  SET_PASSWORD    = 3
-  CHANGE_PASSWORD = 4
-  GRANT_ROLES     = 5
-  REVOKE_ROLES    = 6
-  #CREATE_ROLE = 8
-  QUERY_USERS = 9
-  #QUERY_ROLES =  10
-  LOGIN = 20
+  AUTHENTICATE      = 0
+  CREATE_USER       = 1
+  DROP_USER         = 2
+  SET_PASSWORD      = 3
+  CHANGE_PASSWORD   = 4
+  GRANT_ROLES       = 5
+  REVOKE_ROLES      = 6
+  QUERY_USERS       = 9
+  CREATE_ROLE       = 10
+  DROP_ROLE         = 11
+  GRANT_PRIVILEGES  = 12
+  REVOKE_PRIVILEGES = 13
+  SET_WHITELIST     = 14
+  SET_QUOTAS        = 15
+  QUERY_ROLES       = 16
+  LOGIN             = 20
   # Field IDs
   USER           = 0
@@ -36,8 +41,17 @@ module Aerospike
   OLD_PASSWORD   = 2
   CREDENTIAL     = 3
   CLEAR_PASSWORD = 4
+  SESSION_TOKEN  = 5
+  SESSION_TTL    = 6
   ROLES          = 10
-  #PRIVILEGES =  11
+  ROLE           = 11
+  PRIVILEGES     = 12
+  ALLOWLIST      = 13
+  READ_QUOTA     = 14
+  WRITE_QUOTA    = 15
+  READ_INFO      = 16
+  WRITE_INFO     = 17
+  CONNECTIONS    = 18
   # Misc
   MSG_VERSION  = 2
@@ -55,34 +69,6 @@ module Aerospike
       @data_offset =  8
     end
-    def authenticate(conn, user, password)
-      begin
-        set_authenticate(user, password)
-        conn.write(@data_buffer, @data_offset)
-        conn.read(@data_buffer, HEADER_SIZE)
-        result = @data_buffer.read(RESULT_CODE)
-        # read the rest of the buffer
-        size = @data_buffer.read_int64(0)
-        length = (size & 0xFFFFFFFFFFFF) - HEADER_REMAINING
-        conn.read(@data_buffer, length)
-        raise Exceptions::Aerospike.new(result, "Authentication failed") if result != 0
-      ensure
-        Buffer.put(@data_buffer)
-      end
-    end
-    def set_authenticate(user, password)
-      write_header(LOGIN, 2)
-      write_field_str(USER, user)
-      write_field_bytes(CREDENTIAL, password)
-      write_size
-      return @data_offset
-    end
     def create_user(cluster, policy, user, password, roles)
       write_header(CREATE_USER, 3)
       write_field_str(USER, user)
@@ -126,6 +112,61 @@ module Aerospike
       execute_command(cluster, policy)
     end
+    def create_role(cluster, policy, role_name, privileges = [], allowlist = [], read_quota = 0, write_quota = 0)
+      field_count = 1
+      field_count += 1 if privileges.size > 0
+      field_count += 1 if allowlist.size > 0
+      field_count += 1 if read_quota > 0
+      field_count += 1 if write_quota > 0
+      write_header(CREATE_ROLE, field_count)
+      write_field_str(ROLE, role_name)
+      write_privileges(privileges) if privileges.size > 0
+      write_allowlist(allowlist) if allowlist.size > 0
+      write_field_uint32(READ_QUOTA, read_quota) if read_quota > 0
+      write_field_uint32(WRITE_QUOTA, write_quota) if write_quota > 0
+      execute_command(cluster, policy)
+    end
+    def drop_role(cluster, policy, role)
+      write_header(DROP_ROLE, 1)
+      write_field_str(ROLE, role)
+      execute_command(cluster, policy)
+    end
+    def grant_privileges(cluster, policy, role, privileges)
+      write_header(GRANT_PRIVILEGES, 2)
+      write_field_str(ROLE, role)
+      write_privileges(privileges)
+      execute_command(cluster, policy)
+    end
+    def revoke_privileges(cluster, policy, role, privileges)
+      write_header(REVOKE_PRIVILEGES, 2)
+      write_field_str(ROLE, role)
+      write_privileges(privileges)
+      execute_command(cluster, policy)
+    end
+    def set_allowlist(cluster, policy, role, allowlist = [])
+      field_count = 1
+      field_count += 1 if allowlist.size > 0
+      write_header(SET_WHITELIST, field_count)
+      write_allowlist(allowlist) if allowlist.size > 0
+      execute_command(cluster, policy)
+    end
+    def set_quotas(cluster, policy, role, read_quota, write_quota)
+      write_header(SET_QUOTAS, 3)
+      write_field_str(ROLE, role)
+      write_field_uint32(READ_QUOTA, read_quota)
+      write_field_uint32(WRITE_QUOTA, write_quota)
+      execute_command(cluster, policy)
+    end
     def query_user(cluster, policy, user)
       # TODO: Remove the workaround in the future
       sleep(0.010)
@@ -152,6 +193,32 @@ module Aerospike
       end
     end
+    def query_role(cluster, policy, role)
+      # TODO: Remove the workaround in the future
+      sleep(0.010)
+      list = []
+      begin
+        write_header(QUERY_ROLES, 1)
+        write_field_str(ROLE, role)
+        list = read_roles(cluster, policy)
+        return (list.is_a?(Array) && list.length > 0 ? list.first : nil)
+      ensure
+        Buffer.put(@data_buffer)
+      end
+    end
+    def query_roles(cluster, policy)
+      # TODO: Remove the workaround in the future
+      sleep(0.010)
+      begin
+        write_header(QUERY_ROLES, 0)
+        return read_roles(cluster, policy)
+      ensure
+        Buffer.put(@data_buffer)
+      end
+    end
     def write_roles(roles)
       offset = @data_offset + FIELD_HEADER_SIZE
       @data_buffer.write_byte(roles.length.ord, offset)
@@ -174,6 +241,54 @@ module Aerospike
       @data_buffer.write_int64(size, 0)
     end
+    def write_privileges(privileges)
+      offset = @data_offset
+      @data_offset += FIELD_HEADER_SIZE
+      write_byte(privileges.size)
+      for privilege in privileges
+        write_byte(privilege.to_code)
+        if privilege.can_scope?
+          if privilege.set_name.to_s.size > 0 && privilege.namespace.to_s.size == 0
+            raise Aerospike::Exceptions::Aerospike.new(Aerospike::ResultCode::INVALID_PRIVILEGE, "Admin privilege #{privilege.namespace} has a set scope with an empty namespace")
+          end
+          write_str(privilege.namespace.to_s)
+          write_str(privilege.set_name.to_s)
+        else
+          if privilege.set_name.to_s.bytesize > 0 || privilege.namespace.to_s.bytesize > 0
+            raise Aerospike::Exceptions::Aerospike.new(Aerospike::ResultCode::INVALID_PRIVILEGE, "Admin global privilege #{privilege} can't have a namespace or set")
+          end
+        end
+      end
+      size = @data_offset - offset - FIELD_HEADER_SIZE
+      @data_offset = offset
+      write_field_header(PRIVILEGES, size)
+      @data_offset += size
+    end
+    def write_allowlist(allowlist)
+      offset = @data_offset
+      @data_offset += FIELD_HEADER_SIZE
+      comma = false
+      for addr in allowlist
+        if comma
+          write_byte(",")
+        else
+          comma = true
+        end
+        @data_offset += @data_buffer.write_binary(addr, @data_offset)
+      end
+      size = @data_offset - offset - FIELD_HEADER_SIZE
+      @data_offset = offset
+      write_field_header(ALLOWLIST, size)
+      @data_offset += size
+    end
     def write_header(command, field_count)
       # Authenticate header is almost all zeros
       i = @data_offset
@@ -186,12 +301,27 @@ module Aerospike
       @data_offset += 16
     end
+    def write_byte(b)
+      @data_offset += @data_buffer.write_byte(b, @data_offset)
+    end
+    def write_str(str)
+      @data_offset += @data_buffer.write_byte(str.bytesize, @data_offset)
+      @data_offset += @data_buffer.write_binary(str, @data_offset)
+    end
     def write_field_str(id, str)
       len = @data_buffer.write_binary(str, @data_offset+FIELD_HEADER_SIZE)
       write_field_header(id, len)
       @data_offset += len
     end
+    def write_field_uint32(id, val)
+      len = @data_buffer.write_uint32(val, @data_offset+FIELD_HEADER_SIZE)
+      write_field_header(id, len)
+      @data_offset += len
+    end
     def write_field_bytes(id, bytes)
       @data_buffer.write_binary(bytes, @data_offset+FIELD_HEADER_SIZE)
       write_field_header(id, bytes.bytesize)
@@ -251,7 +381,7 @@ module Aerospike
         raise e
       end
-      raise Exceptions::Aerospike.new(result) if status > 0
+      raise Exceptions::Aerospike.new(status) if status > 0
       return list
     end
@@ -292,7 +422,7 @@ module Aerospike
           return (result_code == QUERY_END ? -1 : result_code)
         end
-        userRoles = UserRoles.new
+        user_roles = UserRoles.new
         field_count = @data_buffer.read(@data_offset+3)
         @data_offset += HEADER_REMAINING
@@ -306,10 +436,17 @@ module Aerospike
           case id
           when USER
-            userRoles.user = @data_buffer.read(@data_offset, len)
+            user_roles.user = @data_buffer.read(@data_offset, len)
             @data_offset += len
           when ROLES
-            parse_roles(userRoles)
+            parse_roles(user_roles)
+          when READ_INFO
+            user_roles.read_info = parse_info
+          when WRITE_INFO
+            user_roles.write_info = parse_info
+          when CONNECTIONS
+            user_roles.conns_in_use = @data_buffer.read_int32(@data_offset)
+            @data_offset += len
           else
             @data_offset += len
           end
@@ -317,19 +454,19 @@ module Aerospike
           i = i.succ
         end
-        next if userRoles.user == "" && userRoles.roles == nil
+        next if user_roles.user == "" && user_roles.roles == nil
-        userRoles.roles = [] if userRoles.roles == nil
-        list << userRoles
+        user_roles.roles = [] if user_roles.roles == nil
+        list << user_roles
       end
       return 0, list
     end
-    def parse_roles(userRoles)
+    def parse_roles(user_roles)
       size = @data_buffer.read(@data_offset)
       @data_offset += 1
-      userRoles.roles = []
+      user_roles.roles = []
       i = 0
       while i < size
@@ -337,17 +474,188 @@ module Aerospike
         @data_offset += 1
         role = @data_buffer.read(@data_offset, len)
         @data_offset += len
-        userRoles.roles << role
+        user_roles.roles << role
         i = i.succ
       end
     end
-    SALT = '$2a$10$7EqJtq98hPqEX7fNZaFWoO'
-    def self.hash_password(password)
-      # Hashing the password with the cost of 10, with a static salt
-      return BCrypt::Engine.hash_secret(password, SALT, :cost => 10)
+    def parse_info
+      size = @data_buffer.read(@data_offset)
+      @data_offset += 1
+      list = []
+      i = 0
+      while i < size
+        val = @data_buffer.read_int32(@data_offset)
+        @data_offset += 4
+        list << val
+        i = i.succ
+      end
+      list
     end
+    def read_roles(cluster, policy)
+      write_size
+      node = cluster.random_node
+      timeout = 1
+      timeout = policy.timeout if policy != nil && policy.timeout > 0
+      status = -1
+      list = []
+      begin
+        conn = node.get_connection(timeout)
+        conn.write(@data_buffer, @data_offset)
+        status, list = read_role_blocks(conn)
+        node.put_connection(conn)
+      rescue => e
+        conn.close if conn
+        raise e
+      end
+      raise Exceptions::Aerospike.new(status) if status > 0
+      return list
+    end
+    def read_role_blocks(conn)
+      rlist = []
+      status = 0
+      begin
+        while status == 0
+          conn.read(@data_buffer, 8)
+          size = @data_buffer.read_int64(0)
+          receive_size = (size & 0xFFFFFFFFFFFF)
+          if receive_size > 0
+            @data_buffer.resize(receive_size) if receive_size > @data_buffer.size
+            conn.read(@data_buffer, receive_size)
+            status, list = parse_roles_full(receive_size)
+            rlist.concat(list.to_a)
+          else
+            break
+          end
+        end
+        return status, rlist
+      rescue => e
+        return -1, []
+      end
+    end
+    def parse_roles_full(receive_size)
+      @data_offset = 0
+      list = []
+      while @data_offset < receive_size
+        result_code = @data_buffer.read(@data_offset+1)
+        if result_code != 0
+          return (result_code == QUERY_END ? -1 : result_code)
+        end
+        role = Role.new
+        field_count = @data_buffer.read(@data_offset+3)
+        @data_offset += HEADER_REMAINING
+        i = 0
+        while i  < field_count
+          len = @data_buffer.read_int32(@data_offset)
+          @data_offset += 4
+          id = @data_buffer.read(@data_offset)
+          @data_offset += 1
+          len -= 1
+          case id
+          when ROLE
+            role.name = @data_buffer.read(@data_offset, len).to_s
+            @data_offset += len
+          when PRIVILEGES
+            parse_privileges(role)
+          when ALLOWLIST
+            role.allowlist = parse_allowlist(len)
+          when READ_QUOTA
+            role.read_quota = @data_buffer.read_uint32(@data_offset)
+            @data_offset += len
+          when WRITE_QUOTA
+            role.write_quota = @data_buffer.read_uint32(@data_offset)
+            @data_offset += len
+          else
+            @data_offset += len
+          end
+          i = i.succ
+        end
+        next if role.name == "" && role.privileges == nil
+        role.privileges ||= []
+        list << role
+      end
+      return 0, list
+    end
+    def parse_privileges(role)
+      size = @data_buffer.read(@data_offset)
+      @data_offset += 1
+      role.privileges = []
+      i = 0
+      while i < size
+        priv = Privilege.new
+        priv.code = Privilege.from(@data_buffer.read(@data_offset))
+        @data_offset += 1
+        if priv.can_scope?
+          len = @data_buffer.read(@data_offset)
+          @data_offset += 1
+          priv.namespace = @data_buffer.read(@data_offset, len)
+          @data_offset += len
+          len = @data_buffer.read(@data_offset)
+          @data_offset += 1
+          priv.set_name = @data_buffer.read(@data_offset, len)
+          @data_offset += len
+        end
+        role.privileges << priv
+        i = i.succ
+      end
+    end
+    def parse_allowlist(len)
+      list = []
+      begn = @data_offset
+      max = begn + len
+      while @data_offset < max
+        if @data_buffer.read(@data_offset) == ','
+          l = @data_offset - begn
+          if l > 0
+            s = @data_buffer.read(begn, l)
+            list << s
+          end
+          @data_offset += 1
+          begn = @data_offset
+        else
+          @data_offset += 1
+        end
+      end
+      l = @data_offset - begn
+      if l > 0
+        s = @data_buffer.read(begn, l)
+        list << s
+      end
+      list
+    end
   end
 end

data/lib/aerospike/command/command.rb CHANGED Viewed

@@ -840,12 +840,6 @@ module Aerospike
     end
     def size_buffer_sz(size)
-      # Corrupted data streams can result in a hug.length.
-      # Do a sanity check here.
-      if size > Buffer::MAX_BUFFER_SIZE
-        raise Aerospike::Exceptions::Parse.new("Invalid size for buffer: #{size}")
-      end
       @data_buffer.resize(size)
     end

data/lib/aerospike/command/login_command.rb ADDED Viewed

@@ -0,0 +1,164 @@
+# encoding: utf-8
+# Copyright 2014-2020 Aerospike, Inc.
+#
+# Portions may be licensed to Aerospike, Inc. under one or more contributor
+# license agreements.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+require 'aerospike/command/admin_command'
+module Aerospike
+  private
+  attr_reader :session_token, :session_expiration
+  class LoginCommand < AdminCommand #:nodoc:
+    def login(conn, policy)
+        hashed_pass = LoginCommand.hash_password(policy.password)
+        authenticate(conn, policy, hashed_pass)
+    end
+    def authenticate(conn, user, hashed_pass)
+      write_header(LOGIN, 2)
+      write_field_str(USER, policy.user)
+      write_field_bytes(CREDENTIAL, hashed_pass)
+      parse_tokens(conn)
+    end
+    def authenticate_new(conn, cluster)
+      @data_offset = 8
+      policy = cluster.client_policy
+      case policy.auth_mode
+      when Aerospike::AuthMode::EXTERNAL
+        write_header(LOGIN, 3)
+        write_field_str(USER, policy.user)
+        write_field_bytes(CREDENTIAL, cluster.password)
+        write_field_str(CLEAR_PASSWORD, policy.password)
+      when Aerospike::AuthMode::INTERNAL
+        write_header(LOGIN, 2)
+        write_field_str(USER, policy.user)
+        write_field_bytes(CREDENTIAL, cluster.password)
+      when Aerospike::AuthMode::PKI
+        write_header(LOGIN, 0)
+      else
+        raise Exceptions::Aerospike.new(Aerospike::ResultCode::COMMAND_REJECTED, "Invalid client_policy#auth_mode.")
+      end
+      parse_tokens(conn)
+      cluster.session_token = @session_token
+      cluster.session_expiration = @session_expiration
+    end
+    def parse_tokens(conn)
+      begin
+        write_size
+        conn.write(@data_buffer, @data_offset)
+        conn.read(@data_buffer, HEADER_SIZE)
+        result = @data_buffer.read(RESULT_CODE)
+        if result != 0
+          return if result == Aerospike::ResultCode::SECURITY_NOT_ENABLED
+          raise Exceptions::Aerospike.new(result, "Authentication failed")
+        end
+        # read the rest of the buffer
+        size = @data_buffer.read_int64(0)
+        receive_size = (size & 0xFFFFFFFFFFFF) - HEADER_REMAINING
+        field_count = @data_buffer.read(11) & 0xFF
+        if receive_size <= 0 || receive_size > @data_buffer.size || field_count <= 0
+          raise Exceptions::Aerospike.new(result, "Node failed to retrieve session token")
+        end
+        if @data_buffer.size < receive_size
+          @data_buffer.resize(receive_size)
+        end
+        conn.read(@data_buffer, receive_size)
+        @data_offset = 0
+        for i in 0...field_count
+          mlen = @data_buffer.read_int32(@data_offset)
+          @data_offset += 4
+          id = @data_buffer.read(@data_offset)
+          @data_offset += 1
+          mlen -= 1
+          case id
+          when SESSION_TOKEN
+            # copy the contents of the buffer into a new byte slice
+            @session_token = @data_buffer.read(@data_offset, mlen)
+          when SESSION_TTL
+            # Subtract 60 seconds from TTL so client session expires before server session.
+            seconds = @data_buffer.read_int32(@data_offset) - 60
+            if seconds > 0
+              @session_expiration = Time.now + (seconds/86400)
+            else
+              Aerospike.logger.warn("Invalid session TTL: #{seconds}")
+              raise Exceptions::Aerospike.new(result, "Node failed to retrieve session token")
+            end
+          end
+          @data_offset += mlen
+        end
+        if !@session_token
+          raise Exceptions::Aerospike.new(result, "Node failed to retrieve session token")
+        end
+      ensure
+        Buffer.put(@data_buffer)
+      end
+    end
+    def authenticate_via_token(conn, cluster)
+      @data_offset = 8
+      policy = cluster.client_policy
+      if policy.auth_mode != Aerospike::AuthMode::PKI
+        write_header(AUTHENTICATE, 2)
+        write_field_str(USER, policy.user)
+      else
+        write_header(AUTHENTICATE, 1)
+      end
+      write_field_bytes(SESSION_TOKEN, cluster.session_token) if cluster.session_token
+      write_size
+      conn.write(@data_buffer, @data_offset)
+      conn.read(@data_buffer, HEADER_SIZE)
+      result = @data_buffer.read(RESULT_CODE)
+      size = @data_buffer.read_int64(0)
+      receive_size = (size & 0xFFFFFFFFFFFF) - HEADER_REMAINING
+      conn.read(@data_buffer, receive_size)
+      if result != 0
+        return if result == Aerospike::ResultCode::SECURITY_NOT_ENABLED
+        raise Exceptions::Aerospike.new(result, "Authentication failed")
+      end
+      nil
+    end
+    SALT = '$2a$10$7EqJtq98hPqEX7fNZaFWoO'
+    def self.hash_password(password)
+      # Hashing the password with the cost of 10, with a static salt
+      return BCrypt::Engine.hash_secret(password, SALT, :cost => 10)
+    end
+  end
+end