Changeset: bc29cc9d1c25 for MonetDB
URL: https://dev.monetdb.org/hg/MonetDB?cmd=changeset;node=bc29cc9d1c25
Modified Files:
        monetdb5/mal/mal_authorize.c
        monetdb5/mal/mal_authorize.h
        sql/server/rel_psm.c
        sql/server/rel_schema.c
        sql/server/rel_schema.h
Branch: remote_auth
Log Message:

Add functions to manage remote table credentials in vault

Added two temporary functions that add and read the credentials from
the vault. For now the functions just record the username and hashed
password in a fixed file in /tmp/.

The AUTHaddRemoteTableCredentials is currently used when a remote
table is created.


diffs (195 lines):

diff --git a/monetdb5/mal/mal_authorize.c b/monetdb5/mal/mal_authorize.c
--- a/monetdb5/mal/mal_authorize.c
+++ b/monetdb5/mal/mal_authorize.c
@@ -822,3 +822,55 @@ AUTHverifyPassword(const char *passwd)
                  MONETDB5_PASSWDHASH);
 #endif
 }
+
+str
+AUTHgetRemoteTableCredentials(const char *name, str *username, str *password)
+{
+       FILE *fp = fopen("/tmp/remote_table_auth.txt", "r");
+       char buf[BUFSIZ];
+       char *p, *q;
+
+       (void)name;
+       fread(buf, 1, BUFSIZ, fp);
+
+       p = strchr(buf, '\n');
+       *p = '\0';
+       *username = strdup(buf);
+       q = strchr(p + 1, '\n');
+       *q = '\0';
+       *password = strdup(p + 1);
+
+       fclose(fp);
+       return MAL_SUCCEED;
+}
+
+str
+AUTHaddRemoteTableCredentials(const char *name, const char *user, const char 
*pass, bool pw_encrypted)
+{
+       /* Work in Progress */
+       FILE *fp = fopen("/tmp/remote_table_auth.txt", "w");
+       char *password = NULL;
+       bool free_pw = false;
+
+       (void)name;
+
+       if (pass == NULL) {
+               AUTHgetPasswordHash(&password, NULL, user);
+       }
+       else {
+               free_pw = true;
+               if (pw_encrypted) {
+                       password = strdup(pass);
+               }
+               else {
+                       password = mcrypt_BackendSum(pass, strlen(pass));
+               }
+       }
+       fprintf(fp, "%s\n%s\n", user, password);
+       fclose(fp);
+
+       if (free_pw) {
+               free(password);
+       }
+       return MAL_SUCCEED;
+}
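Review bot: `fopen` on the first line of AUTHgetRemoteTableCredentials is never checked, and the `fread` that follows neither checks its return nor NUL-terminates `buf`, so `strchr` scans uninitialized bytes and `*p = '\0'` / `*q = '\0'` dereference NULL whenever the file is missing, empty, or holds fewer than two newlines. AUTHaddRemoteTableCredentials has the same unchecked `fopen`, and the return of `AUTHgetPasswordHash` is discarded, so on failure `password` stays NULL and is passed to `fprintf("%s")`. The fixed path under /tmp is created with the default umask, so the stored password hash is readable by every local account and the name can be pre-created or symlinked by another user; even for an interim store, create it with `open(path, O_WRONLY|O_CREAT|O_TRUNC|O_NOFOLLOW, 0600)` and `fdopen()`, and keep that property when the real vault replaces the file. A defensive rewrite of the reader is below; the writer needs the same `fp == NULL` check before its `fprintf` and a check on the `AUTHgetPasswordHash` result.
```c
str
AUTHgetRemoteTableCredentials(const char *name, str *username, str *password)
{
	char ubuf[BUFSIZ], pbuf[BUFSIZ];
	FILE *fp = fopen("/tmp/remote_table_auth.txt", "r");

	(void)name;
	*username = *password = NULL;
	if (fp == NULL)
		throw(MAL, "mal.authorize", "cannot open remote table credential store");
	/* one line each: user name, then password hash; fgets keeps the buffer terminated */
	if (fgets(ubuf, sizeof ubuf, fp) == NULL || fgets(pbuf, sizeof pbuf, fp) == NULL) {
		fclose(fp);
		throw(MAL, "mal.authorize", "malformed remote table credential store");
	}
	fclose(fp);
	ubuf[strcspn(ubuf, "\n")] = '\0';
	pbuf[strcspn(pbuf, "\n")] = '\0';
	*username = strdup(ubuf);
	*password = strdup(pbuf);
	if (*username == NULL || *password == NULL) {
		free(*username);
		free(*password);
		*username = *password = NULL;
		throw(MAL, "mal.authorize", MAL_MALLOC_FAIL);
	}
	return MAL_SUCCEED;
}
```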
diff --git a/monetdb5/mal/mal_authorize.h b/monetdb5/mal/mal_authorize.h
--- a/monetdb5/mal/mal_authorize.h
+++ b/monetdb5/mal/mal_authorize.h
@@ -27,6 +27,9 @@ mal_export str AUTHgetPasswordHash(str *
 
 mal_export str AUTHinitTables(const char *passwd);
 
+mal_export str AUTHaddRemoteTableCredentials(const char *name, const char 
*user, const char *pass, bool pw_encrypted);
+mal_export str AUTHgetRemoteTableCredentials(const char *name, str *username, 
str *password);
+
 
 /*
  * Authorisation is based on a password.  The passwords are stored hashed
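Review bot: The two declarations added here leave the ownership of the strings returned through `username` and `password` undocumented; the implementation in mal_authorize.c allocates both with `strdup`, so the caller must `free` them, and `name` is currently ignored by both functions. Suggest a comment above `AUTHgetRemoteTableCredentials` such as `/* fetch the stored user and password hash for remote table name; *username and *password are malloc'd, caller frees both */`, and one above the add variant stating that `pass == NULL` appears to mean "look up the stored hash of user" and that `pw_encrypted` says whether `pass` is already a hash.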
diff --git a/sql/server/rel_psm.c b/sql/server/rel_psm.c
--- a/sql/server/rel_psm.c
+++ b/sql/server/rel_psm.c
@@ -214,7 +214,7 @@ rel_psm_declare_table(mvc *sql, dnode *n
        
        assert(n->next->next->next->type == type_int);
        
-       rel = rel_create_table(sql, cur_schema(sql), SQL_DECLARED_TABLE, NULL, 
name, n->next->next->data.sym, n->next->next->next->data.i_val, NULL, NULL, 
NULL, 0);
+       rel = rel_create_table(sql, cur_schema(sql), SQL_DECLARED_TABLE, NULL, 
name, n->next->next->data.sym, n->next->next->next->data.i_val, NULL, NULL, 
NULL, false, 0);
 
        if (!rel || rel->op != op_ddl || rel->flag != DDL_CREATE_TABLE)
                return NULL;
diff --git a/sql/server/rel_schema.c b/sql/server/rel_schema.c
--- a/sql/server/rel_schema.c
+++ b/sql/server/rel_schema.c
@@ -18,6 +18,8 @@
 #include "sql_parser.h"
 #include "sql_privileges.h"
 
+#include "mal_authorize.h"
+
 #define qname_index(qname) qname_table(qname)
 #define qname_func(qname) qname_table(qname)
 #define qname_type(qname) qname_table(qname)
@@ -896,7 +898,7 @@ table_element(mvc *sql, symbol *s, sql_s
 }
 
 sql_rel *
-rel_create_table(mvc *sql, sql_schema *ss, int temp, const char *sname, const 
char *name, symbol *table_elements_or_subquery, int commit_action, const char 
*loc, const char *username, const char *password, int if_not_exists)
+rel_create_table(mvc *sql, sql_schema *ss, int temp, const char *sname, const 
char *name, symbol *table_elements_or_subquery, int commit_action, const char 
*loc, const char *username, const char *password, bool pw_encrypted, int 
if_not_exists)
 {
        sql_schema *s = NULL;
 
@@ -909,15 +911,13 @@ rel_create_table(mvc *sql, sql_schema *s
                 (temp == SQL_REPLICA_TABLE)?tt_replica_table:tt_table;
 
        (void)create;
-       (void)username;
-       (void)password;
        if (sname && !(s = mvc_bind_schema(sql, sname)))
                return sql_error(sql, 02, SQLSTATE(3F000) "CREATE TABLE: no 
such schema '%s'", sname);
 
-       if (temp != SQL_PERSIST && tt == tt_table && 
+       if (temp != SQL_PERSIST && tt == tt_table &&
                        commit_action == CA_COMMIT)
                commit_action = CA_DELETE;
-       
+
        if (temp != SQL_DECLARED_TABLE) {
                if (temp != SQL_PERSIST && tt == tt_table) {
                        s = mvc_bind_schema(sql, "tmp");
@@ -945,10 +945,13 @@ rel_create_table(mvc *sql, sql_schema *s
                dnode *n;
                dlist *columns = table_elements_or_subquery->data.lval;
                sql_table *t;
-              
+
                if (tt == tt_remote) {
                        if (!mapiuri_valid(loc))
                                return sql_error(sql, 02, SQLSTATE(42000) 
"CREATE TABLE: incorrect uri '%s' for remote table '%s'", loc, name);
+                       if (AUTHaddRemoteTableCredentials(name, username, 
password, pw_encrypted) != 0) {
+                               return sql_error(sql, 02, SQLSTATE(42000) 
"CREATE TABLE: cannot register credentials for remote table '%s' in vault", 
name);
+                       }
                        t = mvc_create_remote(sql, s, name, SQL_DECLARED_TABLE, 
loc);
                } else {
                        t = mvc_create_table(sql, s, name, tt, 0, 
SQL_DECLARED_TABLE, commit_action, -1);
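Review bot: `AUTHaddRemoteTableCredentials` returns a `str` exception message, so the `!= 0` test on the added lines discards (and leaks) that message and the SQL error carries no detail about why registration failed. Capture it instead: `str msg = AUTHaddRemoteTableCredentials(name, username, password, pw_encrypted);` followed by `if (msg != MAL_SUCCEED) { freeException(msg); return sql_error(...); }`. The credentials are also written before `mvc_create_remote` runs, so a create that fails afterwards leaves a stale entry in the store; registering after the table exists avoids that. rel_create_table begins and ends outside this hunk.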
@@ -960,7 +963,7 @@ rel_create_table(mvc *sql, sql_schema *s
                        symbol *sym = n->data.sym;
                        int res = table_element(sql, sym, s, t, 0);
 
-                       if (res == SQL_ERR) 
+                       if (res == SQL_ERR)
                                return NULL;
                }
                temp = (tt == tt_table)?temp:SQL_PERSIST;
@@ -2279,9 +2282,6 @@ credentials_password(dlist *credentials)
        assert(credentials->h);
 
        char *password = credentials->h->next->next->data.sval;;
-       if (password != NULL && credentials->h->next->data.i_val == 
SQL_PW_UNENCRYPTED) {
-               password = mcrypt_BackendSum(password, strlen(password));
-       }
 
        return password;
 }
@@ -2326,15 +2326,11 @@ rel_schemas(mvc *sql, symbol *s)
                dlist *credentials = 
l->h->next->next->next->next->next->data.lval;
                char *username = credentials_username(credentials);
                char *password = credentials_password(credentials);
+               bool pw_encrypted = credentials == NULL || 
credentials->h->next->data.i_val == SQL_PW_ENCRYPTED;
                if (username == NULL) {
                        // No username specified, get the current username
                        username = stack_get_string(sql, "current_user");
                }
-               if (password == NULL) {
-                       // No password specified, get the current user's 
password from the vault.
-                       // TODO
-                       password = NULL;
-               }
 
                assert(l->h->type == type_int);
                assert(l->h->next->next->next->type == type_int);
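Review bot: The new `pw_encrypted` initializer guards `credentials == NULL`, but `credentials_password(credentials)` called two lines above already dereferences `credentials->h` under an assert (visible in the previous hunk), so either the guard is dead or the earlier calls crash on the NULL case; the two should agree. Because `credentials_password` no longer hashes plaintext (the block removed in the previous hunk), the plaintext password now travels through `rel_create_table` to `AUTHaddRemoteTableCredentials`, so nothing on that path should log, copy or retain it beyond the call. rel_schemas continues outside this hunk.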
@@ -2342,7 +2338,7 @@ rel_schemas(mvc *sql, symbol *s)
                                       l->h->next->next->data.sym,              
     /* elements or subquery */
                                       l->h->next->next->next->data.i_val,      
     /* commit action */
                                       l->h->next->next->next->next->data.sval, 
     /* location */
-                                      username, password,
+                                      username, password, pw_encrypted,
                                       
l->h->next->next->next->next->next->data.i_val); /* if not exists */
        }       break;
        case SQL_CREATE_VIEW:
diff --git a/sql/server/rel_schema.h b/sql/server/rel_schema.h
--- a/sql/server/rel_schema.h
+++ b/sql/server/rel_schema.h
@@ -19,7 +19,7 @@ extern sql_rel *rel_create_table(mvc *sq
                                 symbol *table_elements_or_subquery,
                                 int commit_action, const char *loc,
                                 const char *username, const char *passwd,
-                                int if_not_exists);
+                                bool pw_encrypted, int if_not_exists);
 extern sql_rel *rel_list(sql_allocator *sa, sql_rel *l, sql_rel *r);
 extern sql_table * mvc_create_table_as_subquery( mvc *sql, sql_rel *sq, 
sql_schema *s, const char *tname, dlist *column_spec, int temp, int 
commit_action );
 