dse-driver 1.0.1

data/ext/gss_api_context/kerberosgss.h

@@ -0,0 +1,71 @@
+/**
+ * Copyright (c) 2006-2016 Apple Inc. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+
+#include <gssapi/gssapi.h>
+#include <gssapi/gssapi_generic.h>
+#include <gssapi/gssapi_krb5.h>
+
+#define krb5_get_err_text(context,code) error_message(code)
+
+#define AUTH_GSS_ERROR      -1
+#define AUTH_GSS_COMPLETE    1
+#define AUTH_GSS_CONTINUE    0
+
+#define GSS_AUTH_P_NONE         1
+#define GSS_AUTH_P_INTEGRITY    2
+#define GSS_AUTH_P_PRIVACY      4
+
+typedef struct {
+    gss_ctx_id_t     context;
+    gss_name_t       server_name;
+    gss_OID          mech_oid;
+    long int         gss_flags;
+    gss_cred_id_t    client_creds;
+    char*            username;
+    char*            response;
+    int              responseLen;
+    int              responseConf;
+} gss_client_state;
+
+typedef struct {
+    gss_ctx_id_t     context;
+    gss_name_t       server_name;
+    gss_name_t       client_name;
+    gss_cred_id_t    server_creds;
+    gss_cred_id_t    client_creds;
+    char*            username;
+    char*            targetname;
+    char*            response;
+    char*            ccname;
+} gss_server_state;
+
+void authenticate_gss_client_init(
+    const char* service, const char* principal, const char* ticket_cache, long int gss_flags,
+    gss_server_state* delegatestate, gss_OID mech_oid, gss_client_state* state
+);
+int authenticate_gss_client_clean(
+    gss_client_state *state
+);
+int authenticate_gss_client_step(
+    gss_client_state *state, const char *challenge, int challenge_len
+);
+int authenticate_gss_client_unwrap(
+    gss_client_state* state, const char* challenge, int challenge_len
+);
+int authenticate_gss_client_wrap(
+    gss_client_state* state, const char* challenge, int challenge_len
+);
+void clear_response(gss_client_state* state);

data/lib/dse.rb

@@ -0,0 +1,104 @@
+# encoding: utf-8
+
+#--
+#      Copyright (C) 2016 DataStax Inc.
+#
+#      This software can be used solely with DataStax Enterprise. Please consult the license at
+#      http://www.datastax.com/terms/datastax-dse-driver-license-terms
+#++
+
+require 'json'
+
+if RUBY_ENGINE == 'jruby'
+  require 'challenge_evaluator'
+else
+  require 'gss_api_context'
+end
+
+require 'cassandra'
+
+module Dse
+  # Creates a {Dse::Cluster Cluster instance}, which extends {http://dsdocs30/api/cassandra/cluster Cassandra::Cluster}.
+  # The API is identical, except that it returns a {Dse::Session Dse::Session} (see below). It takes all of the same
+  # options as Cassandra.cluster and the following extra options.
+  #
+  # @option options [Dse::Graph::Options] :graph_options options for the DSE graph statement handler. Takes
+  #    priority over other `:graph_*` options specified below.
+  # @option options [String] :graph_name name of graph to use in graph statements
+  # @option options [String] :graph_source graph traversal source
+  # @option options [String] :graph_language language used in graph queries
+  # @option options [Cassandra::CONSISTENCIES] :graph_read_consistency read consistency level for graph statements.
+  #    Overrides the standard statement consistency level
+  # @option options [Cassandra::CONSISTENCIES] :graph_write_consistency write consistency level for graph statements.
+  #    Overrides the standard statement consistency level
+  #
+  # @example Connecting to localhost
+  #   cluster = Dse.cluster
+  #
+  # @example Configuring {Dse::Cluster}
+  #   cluster = Dse.cluster(
+  #               username: username,
+  #               password: password,
+  #               hosts: ['10.0.1.1', '10.0.1.2', '10.0.1.3']
+  #             )
+  #
+  # @return [Dse::Cluster] a cluster instance
+  def self.cluster(options = {})
+    cluster_async(options).get
+  end
+
+  # Creates a {Dse::Cluster Cluster instance}.
+  #
+  # @see Dse.cluster
+  #
+  # @return [Cassandra::Future<Dse::Cluster>] a future resolving to the
+  #   cluster instance.
+  def self.cluster_async(options = {})
+    graph_options = if !options[:graph_options].nil?
+                      Cassandra::Util.assert_instance_of(Dse::Graph::Options, options[:graph_options])
+                      options[:graph_options]
+                    else
+                      Dse::Graph::Options.new(options)
+                    end
+    username = options[:username]
+    password = options[:password]
+    options[:custom_types] ||= []
+    options[:custom_types] << Dse::Geometry::Point << Dse::Geometry::LineString << Dse::Geometry::Polygon
+    options, hosts = Cassandra.validate_and_massage_options(options)
+
+    # Use the DSE plain text authenticator if we have a username and password. The above validation already
+    # raises an error if one is given without the other.
+    options[:auth_provider] = Auth::Providers::Password.new(username, password) if username && password
+  rescue => e
+    futures = options.fetch(:futures_factory) { return Cassandra::Future::Error.new(e) }
+    futures.error(e)
+  else
+    options[:cluster_klass] = Dse::Cluster
+    driver = ::Cassandra::Driver.new(options)
+
+    # Wrap the load-balancing policy that we'd otherwise run with, with a host-targeting policy.
+    # We do this before driver.connect because driver.connect saves off the policy in the cluster
+    # registry and does a few other things.
+
+    lbp = driver.load_balancing_policy
+    driver.load_balancing_policy = Dse::LoadBalancing::Policies::HostTargeting.new(lbp)
+    future = driver.connect(hosts)
+    future.then do |cluster|
+      cluster.graph_options.merge!(graph_options)
+      cluster
+    end
+  end
+end
+
+require 'dse/cluster'
+require 'dse/util/endian_buffer'
+require 'dse/geometry/line_string'
+require 'dse/geometry/point'
+require 'dse/geometry/polygon'
+require 'dse/session'
+require 'dse/version'
+require 'dse/graph'
+require 'dse/load_balancing/policies/host_targeting'
+require 'dse/statements'
+require 'dse/auth/providers/gss_api'
+require 'dse/auth/providers/password'

data/lib/dse/auth/providers/gss_api.rb

@@ -0,0 +1,160 @@
+# encoding: utf-8
+
+#--
+#      Copyright (C) 2016 DataStax Inc.
+#
+#      This software can be used solely with DataStax Enterprise. Please consult the license at
+#      http://www.datastax.com/terms/datastax-dse-driver-license-terms
+#++
+
+module Dse
+  module Auth
+    module Providers
+      # Auth provider to authenticate with Kerberos. Whenever the client connects to a DSE node,
+      # this provider will perform Kerberos authentication operations with it. By default, the provider
+      # takes the ip address of the node and uses `Socket#getnameinfo` to find its name in order to construct
+      # the full service address (e.g. service@host).
+      #
+      # @see #initialize
+      class GssApi < Cassandra::Auth::Provider
+        # @private
+        class NameInfoResolver
+          def resolve(host)
+            Socket.getnameinfo(['AF_INET', 0, host])[0]
+          end
+        end
+
+        # @private
+        class NoOpResolver
+          def resolve(host)
+            host
+          end
+        end
+
+        # @private
+        class Authenticator
+          # Copied from kerberosgss.h
+          AUTH_GSS_COMPLETE = 1
+
+          def initialize(authentication_class, host, service, principal, ticket_cache)
+            @authentication_class = authentication_class
+            @host = host
+            @service = service
+            @principal = principal
+            @ticket_cache = ticket_cache
+
+            if RUBY_ENGINE == 'jruby'
+              @sasl_client = javax.security.sasl.Sasl.createSaslClient(['GSSAPI'],
+                                                                       nil,
+                                                                       service,
+                                                                       host,
+                                                                       {javax.security.sasl.Sasl::SERVER_AUTH => 'true',
+                                                                        javax.security.sasl.Sasl::QOP => 'auth'},
+                                                                       nil)
+              config = Dse::Auth::Providers::ChallengeEvaluator.make_configuration(principal, ticket_cache)
+              login = javax.security.auth.login.LoginContext.new('DseClient', nil, nil, config)
+              login.login
+              @subject = login.getSubject
+            else
+              @gss_context = GssApiContext.new("#{@service}@#{@host}", @principal, @ticket_cache)
+            end
+          rescue => e
+            raise Cassandra::Errors::AuthenticationError.new(
+              "Failed to authenticate: #{e.message}",
+              nil,
+              nil,
+              nil,
+              nil,
+              nil,
+              nil,
+              :one,
+              0
+            )
+          end
+
+          def initial_response
+            @authentication_class == 'com.datastax.bdp.cassandra.auth.DseAuthenticator' ?
+                'GSSAPI' :
+                challenge_response('GSSAPI-START')
+          end
+
+          if RUBY_ENGINE == 'jruby'
+            def challenge_response(token)
+              if token == 'GSSAPI-START'
+                return '' unless @sasl_client.hasInitialResponse
+                token = ''
+              end
+
+              Dse::Auth::Providers::ChallengeEvaluator.evaluate(@sasl_client, @subject, token)
+            end
+          else
+            def challenge_response(token)
+              if token == 'GSSAPI-START'
+                response = @gss_context.step('')[1]
+              elsif !@is_gss_complete
+                # Process the challenge as a next step in authentication until we have gotten
+                # AUTH_GSS_COMPLETE.
+                rc, response = @gss_context.step(token)
+                @is_gss_complete = true if rc == AUTH_GSS_COMPLETE
+                response ||= ''
+              else
+                # Ok, we went through all initial phases of auth and now the server is giving us a message
+                # to decode.
+                data = @gss_context.unwrap(token)
+
+                raise 'Bad response from server' if data.length != 4
+                parsed = data.unpack('>L').first
+                max_length = [parsed & 0xffffff, 65536].min
+
+                # Set up a response like this:
+                # byte 0: the selected qop. 1==auth
+                # byte 1-3: the max length for any buffer sent back and forth on this connection. (big endian)
+                # the rest of the buffer: the authorization user name in UTF-8 - not null terminated.
+
+                user_name = @gss_context.user_name
+                out = [max_length | 1 << 24].pack('>L') + user_name
+                response = @gss_context.wrap(out)
+              end
+              response
+            end
+          end
+
+          def authentication_successful(token)
+          end
+        end
+
+        # @param service [String] name of the kerberos service; defaults to 'dse'.
+        # @param host_resolver [Boolean, Object] whether to use a host-resolver. By default,
+        #        `Socket#getnameinfo` is used. To disable host-resolution, specify a `false` value. You may also
+        #        provide a custom resolver, which is an object that implements the `resolve(host_ip)` method.
+        # @param principal [String] The principal whose cached credentials are used to authenticate. Defaults
+        #        to the first principal stored in the ticket cache.
+        # @param ticket_cache [String] The ticket cache containing the cached credential we seek. Defaults
+        #        *on Linux* to /tmp/krb5cc_&lt;uid&gt; (where uid is the numeric uid of the user running the
+        #        client program). In MRI only, the `KRB5CCNAME` environment variable supercedes this. On Mac,
+        #        the default is a symbolic reference to a ticket-cache server process.
+        def initialize(service = 'dse', host_resolver = true, principal = nil, ticket_cache = nil)
+          @service = service
+          @host_resolver = case host_resolver
+                           when false
+                             NoOpResolver.new
+                           when true
+                             NameInfoResolver.new
+                           else
+                             host_resolver
+                           end
+          Cassandra::Util.assert_responds_to(:resolve, @host_resolver,
+                                             'invalid host_resolver: it must have the :resolve method')
+          @principal = principal
+          @ticket_cache = ticket_cache
+        end
+
+        # @private
+        def create_authenticator(authentication_class, host)
+          Authenticator.new(authentication_class, @host_resolver.resolve(host.ip.to_s),
+                            @service, @principal, @ticket_cache)
+        end
+      end
+    end
+  end
+end

data/lib/dse/auth/providers/password.rb

@@ -0,0 +1,56 @@
+# encoding: utf-8
+
+#--
+#      Copyright (C) 2016 DataStax Inc.
+#
+#      This software can be used solely with DataStax Enterprise. Please consult the license at
+#      http://www.datastax.com/terms/datastax-dse-driver-license-terms
+#++
+
+module Dse
+  module Auth
+    module Providers
+      # Auth provider to authenticate with username/password for DSE's built-in authentication as well as LDAP.
+      #
+      # @note No need to instantiate this class manually, use `:username` and
+      #   `:password` options when calling {Dse.cluster} and one will be
+      #   created automatically for you.
+
+      class Password < Cassandra::Auth::Provider
+        # @private
+        class Authenticator
+          def initialize(authentication_class, username, password)
+            @authentication_class = authentication_class
+            @username = username
+            @password = password
+          end
+
+          def initial_response
+            @authentication_class == 'com.datastax.bdp.cassandra.auth.DseAuthenticator' ?
+                'PLAIN' :
+                challenge_response('PLAIN-START')
+          end
+
+          def challenge_response(token)
+            "\x00#{@username}\x00#{@password}"
+          end
+
+          def authentication_successful(token)
+          end
+        end
+
+        # @param username [String] username to use for authentication to Cassandra
+        # @param password [String] password to use for authentication to Cassandra
+        def initialize(username, password)
+          @username = username
+          @password = password
+        end
+
+        # @private
+        def create_authenticator(authentication_class, host)
+          Authenticator.new(authentication_class, @username, @password)
+        end
+      end
+    end
+  end
+end

data/lib/dse/cluster.rb

@@ -0,0 +1,99 @@
+# encoding: utf-8
+
+#--
+#      Copyright (C) 2016 DataStax Inc.
+#
+#      This software can be used solely with DataStax Enterprise. Please consult the license at
+#      http://www.datastax.com/terms/datastax-dse-driver-license-terms
+#++
+
+module Dse
+  # Cluster represents a DSE cluster. It serves as a {Dse::Session session factory} and a collection of metadata.
+  # It wraps a {http://dsdocs30/api/cassandra/cluster Cassandra::Cluster} and exposes all of its functionality.
+  class Cluster
+    # @return [Dse::Graph::Options] default graph options used by queries on this cluster.
+    attr_reader :graph_options
+
+    # @private
+    def initialize(logger,
+                   io_reactor,
+                   executor,
+                   control_connection,
+                   cluster_registry,
+                   cluster_schema,
+                   cluster_metadata,
+                   execution_options,
+                   connection_options,
+                   load_balancing_policy,
+                   reconnection_policy,
+                   retry_policy,
+                   address_resolution_policy,
+                   connector,
+                   futures_factory,
+                   timestamp_generator)
+      @delegate_cluster = Cassandra::Cluster.new(logger,
+                                                 io_reactor,
+                                                 executor,
+                                                 control_connection,
+                                                 cluster_registry,
+                                                 cluster_schema,
+                                                 cluster_metadata,
+                                                 execution_options,
+                                                 connection_options,
+                                                 load_balancing_policy,
+                                                 reconnection_policy,
+                                                 retry_policy,
+                                                 address_resolution_policy,
+                                                 connector,
+                                                 futures_factory,
+                                                 timestamp_generator)
+      @graph_options = Dse::Graph::Options.new
+
+      # We need the futures factory ourselves for async error reporting and potentially for our
+      # own async processing independent of the C* driver.
+      @futures = futures_factory
+    end
+
+    # Delegates to {http://docs.datastax.com/en/developer/ruby-driver/3.0/supplemental/api/cassandra/cluster/?local=true&nav=toc#connect_async-instance_method
+    # Cassandra::Cluster#connect_async}
+    # to connect asynchronously to a cluster, but returns a future that will resolve to a DSE session rather than
+    # Cassandra session.
+    #
+    # @param keyspace [String] optional keyspace to scope session to
+    #
+    # @return [Cassandra::Future<Dse::Session>]
+    def connect_async(keyspace = nil)
+      future = @delegate_cluster.connect_async(keyspace)
+      # We want to actually return a DSE session upon successful connection.
+      future.then do |cassandra_session|
+        Dse::Session.new(cassandra_session, @graph_options, @futures)
+      end
+    end
+
+    # Synchronous variant of {#connect_async}.
+    #
+    # @param keyspace [String] optional keyspace to scope the session to
+    #
+    # @return [Dse::Session]
+    def connect(keyspace = nil)
+      connect_async(keyspace).get
+    end
+
+    #### The following methods handle arbitrary delegation to the underlying cluster object. ####
+    protected
+
+    # @private
+    def method_missing(method_name, *args, &block)
+      # If we get here, we don't have a method of our own. Forward the request to the delegate_cluster.
+      # If it returns itself, we will coerce the result to return our *self* instead.
+
+      result = @delegate_cluster.send(method_name, *args, &block)
+      (result == @delegate_cluster) ? self : result
+    end
+
+    # @private
+    def respond_to?(method, include_private = false)
+      super || @delegate_cluster.respond_to?(method, include_private)
+    end
+  end
+end