[GitHub] ashirvadgupta closed issue #1168: Database failed to load
ashirvadgupta closed issue #1168: Database failed to load URL: https://github.com/apache/couchdb/issues/1168 This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
[GitHub] ashirvadgupta commented on issue #1168: Database failed to load
ashirvadgupta commented on issue #1168: Database failed to load URL: https://github.com/apache/couchdb/issues/1168#issuecomment-366648300
I think I got the solution: If we are making any changes to either node name or IP address or hostname, we will get database corruption issue. To overcome the issue, one used to remember what exactly nodename or IPaddress or hostname was earlier given.
For example, we will get this issue in following scenarios:
1) If it is earlier couchdb@docker-validation-3, and we change it to couchdb@, we will get this issue. And if we change it back, we will be able to see all databases with data.
2) If it is earlier couchdb@docker-validation-3, and we change it to ashirvad@docker-validation-3, we will get this issue. And if we change it back, we will be able to see all databases with data.
[GitHub] rnewson commented on issue #1174: shared secrete for proxy authentication
rnewson commented on issue #1174: shared secrete for proxy authentication URL: https://github.com/apache/couchdb/issues/1174#issuecomment-366729232 Are you working on a pull request?
[GitHub] wohali commented on issue #1173: Update mochiweb to 2.17.0
wohali commented on issue #1173: Update mochiweb to 2.17.0 URL: https://github.com/apache/couchdb/pull/1173#issuecomment-366751801 This will close #1117 but not necessarily fix the out-of-memory problem.
[GitHub] gramsa49 commented on issue #1174: shared secrete for proxy authentication
gramsa49 commented on issue #1174: shared secrete for proxy authentication URL: https://github.com/apache/couchdb/issues/1174#issuecomment-366753360 I have not started a pull request. My energy is focused on building a solution using CouchDB, but I can if that's needed.
[GitHub] rnewson commented on issue #1174: shared secrete for proxy authentication
rnewson commented on issue #1174: shared secrete for proxy authentication URL: https://github.com/apache/couchdb/issues/1174#issuecomment-366757230 I'm just saying that creating an issue here is unlikely to make this appear unless you do the work, though you'll also need to be clearer as to why the existing proxy authentication handler in CouchDB is unsuitable to your needs.
[GitHub] gramsa49 commented on issue #1174: shared secrete for proxy authentication
gramsa49 commented on issue #1174: shared secrete for proxy authentication URL: https://github.com/apache/couchdb/issues/1174#issuecomment-366758522 Thanks for the guidance. I'll work on a pull request and refine the details.
[GitHub] dch commented on issue #1154: win msi download identified as virus by Kaspersky Labs
dch commented on issue #1154: win msi download identified as virus by Kaspersky Labs URL: https://github.com/apache/couchdb/issues/1154#issuecomment-366763816
On Thu, 8 Feb 2018, at 04:51, Joan Touzet wrote:
> Closed #1154.
FWIW I submitted this as a false positive to Kaspersky, and now we come up clean again:
The link https://dl.bintray.com/apache/couchdb/win/2.1.1/couchdb-2.1.1.msi is safe according to the reputation data of Kaspersky VirusDesk.
Dave Cottlehuber d...@apache.org
Sent from my Couch
[GitHub] gramsa49 commented on issue #1174: shared secrete for proxy authentication
gramsa49 commented on issue #1174: shared secrete for proxy authentication URL: https://github.com/apache/couchdb/issues/1174#issuecomment-366766338 I updated the description. Let me know if this looks ok and is a useful enhancement. If all looks good, I will start on a pull request. Thanks
[GitHub] abc3 opened a new pull request #1175: Update from original
abc3 opened a new pull request #1175: Update from original URL: https://github.com/apache/couchdb/pull/1175
## Overview
## Testing recommendations
## Related Issues or Pull Requests
## Checklist
- [ ] Code is written and works correctly;
- [ ] Changes are covered by tests;
- [ ] Documentation reflects the changes;
[GitHub] abc3 closed pull request #1175: Update from original
abc3 closed pull request #1175: Update from original URL: https://github.com/apache/couchdb/pull/1175 This is a PR merged from a forked repository. As GitHub hides the original diff on merge, it is displayed below for the sake of provenance: As this is a foreign pull request (from a fork), the diff is supplied below (as it won't show otherwise due to GitHub magic):
[GitHub] dch commented on issue #1160: Add support for Bcrypt password hashing
dch commented on issue #1160: Add support for Bcrypt password hashing URL: https://github.com/apache/couchdb/pull/1160#issuecomment-366781960
@pierrekilly welcome & nice work on your first PR! Some background info which may be useful to help you understand what happens next, as your PR requires the project to include a 3rd party library. We already have quite a few of these, so it's fine to do this but we need to take a few precautions.
Your tidy changes require a NIF (C code) addition to the CouchDB distribution, so we need to make sure of 3 things:
1. that this runs on all our common platforms, from Linux, Windows and BSDs
2. the NIF interface doesn't adversely impact the VM's behaviour
3. that the licensing of that code, and its provenance, meets our standards
The Apache Software Foundation, as policy, releases source artefacts that contain *only* ALv2 licensed components, or those that fall under a sufficiently "free" licence that we can include it in a release -- there's a pre-approved list https://apache.org/legal/resolved.html#category-a here
@dch is happy to do the IP clearance dance assuming we're OK on the NIF side of things. Can anybody look into that? The NIF is an R13B04 era style, does this need any changes?
[GitHub] nickva opened a new pull request #1176: Implement pluggable authentication and session support for replicator
nickva opened a new pull request #1176: Implement pluggable authentication and session support for replicator URL: https://github.com/apache/couchdb/pull/1176
### Overview
Previously replicator only used basic authentication. It was simple and straightforward. However with PBKDF2 hashing becoming the default it would be nice not to do all the password verification work with every single request, and instead take advantage of session (cookie) based authentication.
### Description
This commit implements session based authentication via a plugin mechanism. This is somewhat similar to how server-side authentication plugins work. The list of available replicator auth modules is configurable:
```
[replicator]
auth_plugins = couch_replicator_auth_session,couch_replicator_auth_basic
```
These plugins will be tried in order. The first one to successfully initialize will end up being used for that endpoint (source or target). A plugin can determine during initialization that it cannot be used and in that case it signals to the plugin framework to be "ignored" and that other plugins following in the list should be tried.
`couch_replicator_auth_basic` effectively implements the current behavior. It is the simplest one and should normally be used as a default catch-all at the end of the plugin list. In some cases, though, it might be useful to enforce exclusive use of session-based auth and fail replication jobs if it is not available.
`couch_replicator_auth_session` does most of the work of handling session based authentication. On initialization it strips away basic auth credentials from headers and url to avoid basic auth being used on the server. Then it is in charge of issuing POST requests to `_session` periodically, updating the headers of each request with the latest cookie value. If it cannot find credentials for its url endpoint, it asks to be "ignored".
As discussed in https://github.com/apache/couchdb/issues/1153 this work also removes OAuth 1.0 support. After server side support was removed, it had stopped working anyway since the main oauth app was removed. However with the plugin framework in place it would be possible for someone to implement it in a fairly straightforward way. It also opens the possibility of having an OAuth 2.0 or other custom authentication methods.
Fixes #1153
### Checklist
- [x] Code is written and works correctly;
- [x] Changes are covered by tests;
- [ ] Documentation reflects the changes[*];
[*] Will do it after the review stage.
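The ordered fallback described in the pull request above, as an added Erlang example that is not code from the pull request or from the CouchDB project. It assumes a hypothetical module name, a registry of funs standing in for plugin modules, a map-shaped endpoint, and that a hard `{error, _}` stops the chain; the session stand-in performs no network I/O.

```erlang
%% Added illustration of ordered auth-plugin selection; not CouchDB source.
-module(auth_plugin_chain_example).
-export([select/2, parse_plugins/1, demo/0]).

%% Hypothetical registry: config name -> init fun. In the PR these names are
%% Erlang modules implementing a behaviour; funs keep the example standalone.
registry() ->
    #{"couch_replicator_auth_session" => fun session_init/1,
      "couch_replicator_auth_basic" => fun basic_init/1}.

%% Split the comma-separated auth_plugins value, trimming and dropping blanks.
parse_plugins(Value) ->
    Trimmed = [string:trim(P) || P <- string:split(Value, ",", all)],
    [N || N <- Trimmed, N =/= ""].

%% Try the configured plugins in order against one endpoint.
select(ConfigValue, Endpoint) ->
    try_plugins(parse_plugins(ConfigValue), Endpoint).

try_plugins([], _Endpoint) ->
    %% Every configured plugin asked to be ignored: report it so the job
    %% fails instead of running with an auth method nobody configured.
    {error, no_usable_auth_plugin};
try_plugins([Name | Rest], Endpoint) ->
    case maps:find(Name, registry()) of
        error ->
            %% A misspelled plugin name is a configuration error, not a
            %% reason to fall through to the next (possibly weaker) plugin.
            {error, {unknown_auth_plugin, Name}};
        {ok, Init} ->
            case Init(Endpoint) of
                {ok, Endpoint1, Context} ->
                    {ok, Name, Endpoint1, Context};
                ignore ->
                    try_plugins(Rest, Endpoint);
                {error, Reason} ->
                    %% Assumption of this example: only 'ignore' falls through.
                    {error, {Name, Reason}}
            end
    end.

%% Stand-in for the session plugin: usable only when credentials exist.
session_init(#{user := U, pass := P} = Ep) when is_list(U), is_list(P) ->
    %% The PR's plugin POSTs to _session at this point. Here the credentials
    %% only move into the plugin context and are removed from the endpoint,
    %% so they cannot also be sent as basic auth.
    {ok, Ep#{user := undefined, pass := undefined}, #{user => U, pass => P}};
session_init(_NoCreds) ->
    ignore.

%% Stand-in for the basic plugin: the catch-all at the end of the list.
basic_init(#{user := U, pass := P} = Ep) when is_list(U), is_list(P) ->
    Token = base64:encode_to_string(U ++ ":" ++ P),
    {ok, Ep, #{headers => [{"Authorization", "Basic " ++ Token}]}};
basic_init(Ep) ->
    {ok, Ep, #{headers => []}}.

%% Three constructed cases: default list with credentials, default list
%% without credentials, and a session-only list without credentials.
demo() ->
    %% Constructed endpoint; host and credentials are placeholders.
    WithCreds = #{url => "https://db.example.test/src",
                  user => "rep", pass => "constructed-pass"},
    NoCreds = WithCreds#{user := undefined, pass := undefined},
    Default = "couch_replicator_auth_session, couch_replicator_auth_basic",
    SessionOnly = "couch_replicator_auth_session",
    [chosen(select(Default, WithCreds)),
     chosen(select(Default, NoCreds)),
     chosen(select(SessionOnly, NoCreds))].

%% Reduce a selection result to the plugin name and what is left on the endpoint.
chosen({ok, Name, #{user := U}, _Ctx}) -> {Name, {endpoint_user, U}};
chosen({error, _} = Err) -> Err.
```

Compile with `erlc auth_plugin_chain_example.erl` and call `auth_plugin_chain_example:demo().` in an Erlang shell to see which plugin each case selects.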
[GitHub] iilyak commented on a change in pull request #1176: Implement pluggable authentication and session support for replicator
iilyak commented on a change in pull request #1176: Implement pluggable authentication and session support for replicator URL: https://github.com/apache/couchdb/pull/1176#discussion_r169173107 ## File path: src/couch_replicator/src/couch_replicator_auth.erl ## 
@@ -0,0 +1,103 @@ +% Licensed under the Apache License, Version 2.0 (the "License"); you may not +% use this file except in compliance with the License. You may obtain a copy of +% the License at +% +% http://www.apache.org/licenses/LICENSE-2.0 +% +% Unless required by applicable law or agreed to in writing, software +% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +% License for the specific language governing permissions and limitations under +% the License. + +-module(couch_replicator_auth). + + +-export([ +initialize/1, +update_headers/2, +handle_response/4, +cleanup/1 +]). + + +-include("couch_replicator_api_wrap.hrl"). + + +-type headers() :: [{string(), string()}]. +-type code() :: non_neg_integer(). + + +-define(PLUGINS, "couch_replicator_auth_session,couch_replicator_auth_basic"). + + +% Behavior API + +-callback initialize(#httpdb{}) -> {ok, #httpdb{}, term()} | ignore. + +-callback update_headers(term(), headers()) -> {headers(), term()}. + +-callback handle_response(term(), code(), headers(), term()) -> +{continue | retry, term()}. + +-callback cleanup(term()) -> ok. + + +% Main API + +-spec initialize(#httpdb{}) -> {ok, #httpdb{}} | {error, term()}. +initialize(#httpdb{auth_context = nil} = HttpDb) -> +case try_initialize(get_plugin_modules(), HttpDb) of +{ok, Mod, HttpDb1, Context} -> +{ok, HttpDb1#httpdb{auth_context = {Mod, Context}}}; +{error, Error} -> +{error, Error} +end; +initialize(#httpdb{} = HttpDb) -> +{ok, HttpDb}. + + +-spec update_headers(#httpdb{}, headers()) -> {headers(), #httpdb{}}. +update_headers(#httpdb{auth_context = {Mod, Context}} = HttpDb, Headers) -> +{Headers1, Context1} = Mod:update_headers(Context, Headers), +{Headers1, HttpDb#httpdb{auth_context = {Mod, Context1}}}. + + +-spec handle_response(#httpdb{}, code(), headers(), term()) -> +{continue | retry, term()}. 
+handle_response(#httpdb{} = HttpDb, Code, Headers, Message) ->
Review comment: Is it intentional that we don't handle the case `#httpdb.auth_context == nil`?
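Review bot: the `-callback initialize/1` type near the top of this file allows only `{ok, #httpdb{}, term()} | ignore`, while `initialize/1` under "Main API" already expects `{error, Error}` to come out of `try_initialize/2`. If a plugin may fail initialization with an error, add `{error, term()}` to the callback type so the behaviour documents it; if not, a comment should say where those errors originate. Separately, `update_headers/2` matches only `auth_context = {Mod, Context}`, so a short comment stating that calling it before `initialize/1` is meant to fail would save the next reader the question.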
[GitHub] iilyak commented on a change in pull request #1176: Implement pluggable authentication and session support for replicator
iilyak commented on a change in pull request #1176: Implement pluggable authentication and session support for replicator URL: https://github.com/apache/couchdb/pull/1176#discussion_r169173128 ## File path: src/couch_replicator/src/couch_replicator_auth.erl ## 
@@ -0,0 +1,103 @@ +% Licensed under the Apache License, Version 2.0 (the "License"); you may not +% use this file except in compliance with the License. You may obtain a copy of +% the License at +% +% http://www.apache.org/licenses/LICENSE-2.0 +% +% Unless required by applicable law or agreed to in writing, software +% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +% License for the specific language governing permissions and limitations under +% the License. + +-module(couch_replicator_auth). + + +-export([ +initialize/1, +update_headers/2, +handle_response/4, +cleanup/1 +]). + + +-include("couch_replicator_api_wrap.hrl"). + + +-type headers() :: [{string(), string()}]. +-type code() :: non_neg_integer(). + + +-define(PLUGINS, "couch_replicator_auth_session,couch_replicator_auth_basic"). + + +% Behavior API + +-callback initialize(#httpdb{}) -> {ok, #httpdb{}, term()} | ignore. + +-callback update_headers(term(), headers()) -> {headers(), term()}. + +-callback handle_response(term(), code(), headers(), term()) -> +{continue | retry, term()}. + +-callback cleanup(term()) -> ok. + + +% Main API + +-spec initialize(#httpdb{}) -> {ok, #httpdb{}} | {error, term()}. +initialize(#httpdb{auth_context = nil} = HttpDb) -> +case try_initialize(get_plugin_modules(), HttpDb) of +{ok, Mod, HttpDb1, Context} -> +{ok, HttpDb1#httpdb{auth_context = {Mod, Context}}}; +{error, Error} -> +{error, Error} +end; +initialize(#httpdb{} = HttpDb) -> +{ok, HttpDb}. + + +-spec update_headers(#httpdb{}, headers()) -> {headers(), #httpdb{}}. +update_headers(#httpdb{auth_context = {Mod, Context}} = HttpDb, Headers) ->
Review comment: Is it intentional that we don't handle the case `#httpdb.auth_context == nil`?
[GitHub] iilyak commented on a change in pull request #1176: Implement pluggable authentication and session support for replicator
iilyak commented on a change in pull request #1176: Implement pluggable authentication and session support for replicator URL: https://github.com/apache/couchdb/pull/1176#discussion_r169178743 ## File path: src/couch_replicator/src/couch_replicator_utils.erl ## @@ -174,3 +175,93 @@ filter_state(State, States, Info) -> false -> skip end. + + +remove_basic_auth_from_headers(Headers) -> +Headers1 = mochiweb_headers:make(Headers), +case mochiweb_headers:get_value("Authorization", Headers1) of +undefined -> +{{undefined, undefined}, Headers}; +Auth when length(Auth) =< 6 ->
Review comment: What is the rationale for this approach? It seems rather complex. Here are the possible downsides of the code as it is written:
* use of magic number 6 (I got it is the length("Basic ") but I have to stop for a minute)
* unnecessary use of length/1
* subsequent use of lists:split/2
* what if we decide to use other types (Bearer or Digest or something else)
If I understand the structure should be always `Authorization: ` This means that the same could be written as:
```
Auth ->
    % split the header value at the first space: scheme, then credentials
    case lists:splitwith(fun(X) -> X =/= $\s end, Auth) of
        {AType, " " ++ Base64} ->
            maybe_remove_basic_auth(string:to_lower(AType), Base64, Headers1)
    end
```
OR if we use binaries
```
% binary:split/2 returns a list of parts, so match on a list
case binary:split(?l2b(Auth), <<" ">>) of
    [AType, Base64] ->
        maybe_remove_basic_auth(string:to_lower(?b2l(AType)), Base64, Headers1);
    ...
```
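Review bot: `remove_basic_auth_from_headers/1` is added without a `-spec` or comment, and its return shape is only implied by the `undefined` branch, `{{undefined, undefined}, Headers}`. Add a spec naming the credentials pair and the headers type, and note that this branch hands back the caller's original `Headers` rather than the `Headers1` built by `mochiweb_headers:make/1`, so the remaining branches should return the same representation.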
[GitHub] iilyak commented on a change in pull request #1176: Implement pluggable authentication and session support for replicator
iilyak commented on a change in pull request #1176: Implement pluggable authentication and session support for replicator URL: https://github.com/apache/couchdb/pull/1176#discussion_r169180999 ## File path: src/couch_replicator/src/couch_replicator_auth_session.erl ## 
@@ -0,0 +1,486 @@ +% Licensed under the Apache License, Version 2.0 (the "License"); you may not +% use this file except in compliance with the License. You may obtain a copy of +% the License at +% +% http://www.apache.org/licenses/LICENSE-2.0 +% +% Unless required by applicable law or agreed to in writing, software +% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +% License for the specific language governing permissions and limitations under +% the License. + +-module(couch_replicator_auth_session). + + +-behavior(couch_replicator_auth). + + +-export([ +initialize/1, +update_headers/2, +handle_response/4, +cleanup/1 +]). + +-export([ +init/1, +terminate/2, +handle_call/3, +handle_cast/2, +handle_info/2, +code_change/3, +format_status/2 +]). + + +-include_lib("ibrowse/include/ibrowse.hrl"). +-include("couch_replicator_api_wrap.hrl"). + + +-type headers() :: [{string(), string()}]. +-type code() :: non_neg_integer(). +-type creds() :: {string() | undefined, string() | undefined}. + + +% Behavior API callbacks + +-spec initialize(#httpdb{}) -> {ok, #httpdb{}, term()} | ignore. +initialize(#httpdb{} = HttpDb) -> +case remove_creds(HttpDb) of +{ok, User, Pass, HttpDb1} -> +case gen_server:start_link(?MODULE, [User, Pass, HttpDb1], []) of +{ok, Pid} -> +{ok, HttpDb1, {Pid, 0}}; +ignore -> +ignore; +{error, Error} -> +{error, Error} +end; +{error, missing_credentials} -> +ignore; +{error, Error} -> +{error, Error} +end. + + +-spec update_headers(term(), headers()) -> {headers(), term()}. +update_headers({Pid, Epoch}, Headers) -> +Args = {update_headers, Headers, Epoch}, +{Headers1, Epoch1} = gen_server:call(Pid, Args, infinity), +{Headers1, {Pid, Epoch1}}. + + +-spec handle_response(term(), code(), headers(), term()) -> +{continue | retry, term()}. 
+handle_response({Pid, Epoch}, Code, Headers, Body) -> +Args = {handle_response, Code, Headers, Body, Epoch}, +{Retry, Epoch1} = gen_server:call(Pid, Args, infinity), +{Retry, {Pid, Epoch1}}. + + +-spec cleanup(term()) -> ok. +cleanup({Pid, _Epoch}) -> +gen_server:call(Pid, stop, infinity). + + +%% Definitions + +-define(MIN_UPDATE_INTERVAL, 5). + + +%% gen_server state + +-record(state, { +epoch = 0 :: non_neg_integer(), +cookie :: string() | undefined, +user :: string() | undefined, +pass :: string() | undefined, +httpdb_timeout :: integer(), +httpdb_pool :: pid(), +httpdb_ibrowse_options = [] :: list(), +session_url :: string(), +next_refresh = infinity :: infinity | non_neg_integer(), +refresh_tstamp = 0 :: non_neg_integer() +}). + + +%% gen_server functions + +init([User, Pass, HttpDb]) -> +State = #state{ +user = User, +pass = Pass, +session_url = get_session_url(HttpDb#httpdb.url), +httpdb_pool = HttpDb#httpdb.httpc_pool, +httpdb_timeout = HttpDb#httpdb.timeout, +httpdb_ibrowse_options = HttpDb#httpdb.ibrowse_options +}, +case refresh(State) of +{ok, UpdatedState} -> +{ok, UpdatedState}; +{error, {session_not_supported, _, _}} -> +ignore; +{error, Error} -> +{stop, Error} +end. + + +terminate(_Reason, _State) -> +ok. + + +handle_call({update_headers, Headers, _Epoch}, _From, State) -> +case maybe_refresh(State) of +{ok, State1} -> +Cookie = "AuthSession=" ++ State1#state.cookie, +Headers1 = [{"Cookie", Cookie} | Headers], +{reply, {Headers1, State1#state.epoch}, State1}; +{error, Error} -> +LogMsg = "~p: Stopping session auth plugin because of error ~p", +couch_log:error(LogMsg, [?MODULE, Error]), +{stop, Error, State} +end; + +handle_call({handle_response, Code, Headers, _, Epoch}, _From, State) -> +{Retry, State1} = process_response(Code, Headers, Epoch, State), +{reply, {Retry, State1#state.epoch}, State1}; + +handle_call(stop, _From, State) -> +{stop, normal, ok, State}. 
+ + +handle_cast(Msg, State) -> +couch_log:error("~p: Received un-expected cast ~p", [?MODULE, Msg]), +{noreply, State}. + + +handle_info(Msg, State) -> +couch_log:error("~p : Received un-expected message ~p", [?MODULE, Msg]), +{noreply, State}. + + +code_change(_OldVsn, State, _Extra) -> +{ok, State}. + + +format_status(_Opt, [_PDict, State])
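Review bot: in `handle_call({update_headers, Headers, _Epoch}, ...)` the error branch returns `{stop, Error, State}` without a reply, so the caller blocked in `gen_server:call(Pid, Args, infinity)` inside `update_headers/2` exits instead of getting a value it can handle; decide whether the replication request should crash here and, if not, reply before stopping. The `-spec` for `initialize/1` also lists only `{ok, #httpdb{}, term()} | ignore` although two branches of its body return `{error, Error}`.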
[GitHub] nickva commented on a change in pull request #1176: Implement pluggable authentication and session support for replicator
nickva commented on a change in pull request #1176: Implement pluggable authentication and session support for replicator URL: https://github.com/apache/couchdb/pull/1176#discussion_r169181543 ## File path: src/couch_replicator/src/couch_replicator_auth.erl ## 
@@ -0,0 +1,103 @@ +% Licensed under the Apache License, Version 2.0 (the "License"); you may not +% use this file except in compliance with the License. You may obtain a copy of +% the License at +% +% http://www.apache.org/licenses/LICENSE-2.0 +% +% Unless required by applicable law or agreed to in writing, software +% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +% License for the specific language governing permissions and limitations under +% the License. + +-module(couch_replicator_auth). + + +-export([ +initialize/1, +update_headers/2, +handle_response/4, +cleanup/1 +]). + + +-include("couch_replicator_api_wrap.hrl"). + + +-type headers() :: [{string(), string()}]. +-type code() :: non_neg_integer(). + + +-define(PLUGINS, "couch_replicator_auth_session,couch_replicator_auth_basic"). + + +% Behavior API + +-callback initialize(#httpdb{}) -> {ok, #httpdb{}, term()} | ignore. + +-callback update_headers(term(), headers()) -> {headers(), term()}. + +-callback handle_response(term(), code(), headers(), term()) -> +{continue | retry, term()}. + +-callback cleanup(term()) -> ok. + + +% Main API + +-spec initialize(#httpdb{}) -> {ok, #httpdb{}} | {error, term()}. +initialize(#httpdb{auth_context = nil} = HttpDb) -> +case try_initialize(get_plugin_modules(), HttpDb) of +{ok, Mod, HttpDb1, Context} -> +{ok, HttpDb1#httpdb{auth_context = {Mod, Context}}}; +{error, Error} -> +{error, Error} +end; +initialize(#httpdb{} = HttpDb) -> +{ok, HttpDb}. + + +-spec update_headers(#httpdb{}, headers()) -> {headers(), #httpdb{}}. +update_headers(#httpdb{auth_context = {Mod, Context}} = HttpDb, Headers) -> +{Headers1, Context1} = Mod:update_headers(Context, Headers), +{Headers1, HttpDb#httpdb{auth_context = {Mod, Context1}}}. + + +-spec handle_response(#httpdb{}, code(), headers(), term()) -> +{continue | retry, term()}. 
+handle_response(#httpdb{} = HttpDb, Code, Headers, Message) ->
Review comment: Yeah we'd want the match to crash here. Initialization and cleanup is more forgiving, though maybe we don't want it to be.
[GitHub] nickva commented on a change in pull request #1176: Implement pluggable authentication and session support for replicator
nickva commented on a change in pull request #1176: Implement pluggable authentication and session support for replicator URL: https://github.com/apache/couchdb/pull/1176#discussion_r169181570 ## File path: src/couch_replicator/src/couch_replicator_auth.erl ## 
@@ -0,0 +1,103 @@ +% Licensed under the Apache License, Version 2.0 (the "License"); you may not +% use this file except in compliance with the License. You may obtain a copy of +% the License at +% +% http://www.apache.org/licenses/LICENSE-2.0 +% +% Unless required by applicable law or agreed to in writing, software +% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +% License for the specific language governing permissions and limitations under +% the License. + +-module(couch_replicator_auth). + + +-export([ +initialize/1, +update_headers/2, +handle_response/4, +cleanup/1 +]). + + +-include("couch_replicator_api_wrap.hrl"). + + +-type headers() :: [{string(), string()}]. +-type code() :: non_neg_integer(). + + +-define(PLUGINS, "couch_replicator_auth_session,couch_replicator_auth_basic"). + + +% Behavior API + +-callback initialize(#httpdb{}) -> {ok, #httpdb{}, term()} | ignore. + +-callback update_headers(term(), headers()) -> {headers(), term()}. + +-callback handle_response(term(), code(), headers(), term()) -> +{continue | retry, term()}. + +-callback cleanup(term()) -> ok. + + +% Main API + +-spec initialize(#httpdb{}) -> {ok, #httpdb{}} | {error, term()}. +initialize(#httpdb{auth_context = nil} = HttpDb) -> +case try_initialize(get_plugin_modules(), HttpDb) of +{ok, Mod, HttpDb1, Context} -> +{ok, HttpDb1#httpdb{auth_context = {Mod, Context}}}; +{error, Error} -> +{error, Error} +end; +initialize(#httpdb{} = HttpDb) -> +{ok, HttpDb}. + + +-spec update_headers(#httpdb{}, headers()) -> {headers(), #httpdb{}}. +update_headers(#httpdb{auth_context = {Mod, Context}} = HttpDb, Headers) ->
Review comment: (see the comment for handle_response)
[GitHub] nickva commented on a change in pull request #1176: Implement pluggable authentication and session support for replicator
nickva commented on a change in pull request #1176: Implement pluggable authentication and session support for replicator URL: https://github.com/apache/couchdb/pull/1176#discussion_r169182195 ## File path: src/couch_replicator/src/couch_replicator_auth_session.erl ## 
@@ -0,0 +1,486 @@ +% Licensed under the Apache License, Version 2.0 (the "License"); you may not +% use this file except in compliance with the License. You may obtain a copy of +% the License at +% +% http://www.apache.org/licenses/LICENSE-2.0 +% +% Unless required by applicable law or agreed to in writing, software +% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +% License for the specific language governing permissions and limitations under +% the License. + +-module(couch_replicator_auth_session). + + +-behavior(couch_replicator_auth). + + +-export([ +initialize/1, +update_headers/2, +handle_response/4, +cleanup/1 +]). + +-export([ +init/1, +terminate/2, +handle_call/3, +handle_cast/2, +handle_info/2, +code_change/3, +format_status/2 +]). + + +-include_lib("ibrowse/include/ibrowse.hrl"). +-include("couch_replicator_api_wrap.hrl"). + + +-type headers() :: [{string(), string()}]. +-type code() :: non_neg_integer(). +-type creds() :: {string() | undefined, string() | undefined}. + + +% Behavior API callbacks + +-spec initialize(#httpdb{}) -> {ok, #httpdb{}, term()} | ignore. +initialize(#httpdb{} = HttpDb) -> +case remove_creds(HttpDb) of +{ok, User, Pass, HttpDb1} -> +case gen_server:start_link(?MODULE, [User, Pass, HttpDb1], []) of +{ok, Pid} -> +{ok, HttpDb1, {Pid, 0}}; +ignore -> +ignore; +{error, Error} -> +{error, Error} +end; +{error, missing_credentials} -> +ignore; +{error, Error} -> +{error, Error} +end. + + +-spec update_headers(term(), headers()) -> {headers(), term()}. +update_headers({Pid, Epoch}, Headers) -> +Args = {update_headers, Headers, Epoch}, +{Headers1, Epoch1} = gen_server:call(Pid, Args, infinity), +{Headers1, {Pid, Epoch1}}. + + +-spec handle_response(term(), code(), headers(), term()) -> +{continue | retry, term()}. 
+handle_response({Pid, Epoch}, Code, Headers, Body) -> +Args = {handle_response, Code, Headers, Body, Epoch}, +{Retry, Epoch1} = gen_server:call(Pid, Args, infinity), +{Retry, {Pid, Epoch1}}. + + +-spec cleanup(term()) -> ok. +cleanup({Pid, _Epoch}) -> +gen_server:call(Pid, stop, infinity). + + +%% Definitions + +-define(MIN_UPDATE_INTERVAL, 5). + + +%% gen_server state + +-record(state, { +epoch = 0 :: non_neg_integer(), +cookie :: string() | undefined, +user :: string() | undefined, +pass :: string() | undefined, +httpdb_timeout :: integer(), +httpdb_pool :: pid(), +httpdb_ibrowse_options = [] :: list(), +session_url :: string(), +next_refresh = infinity :: infinity | non_neg_integer(), +refresh_tstamp = 0 :: non_neg_integer() +}). + + +%% gen_server functions + +init([User, Pass, HttpDb]) -> +State = #state{ +user = User, +pass = Pass, +session_url = get_session_url(HttpDb#httpdb.url), +httpdb_pool = HttpDb#httpdb.httpc_pool, +httpdb_timeout = HttpDb#httpdb.timeout, +httpdb_ibrowse_options = HttpDb#httpdb.ibrowse_options +}, +case refresh(State) of +{ok, UpdatedState} -> +{ok, UpdatedState}; +{error, {session_not_supported, _, _}} -> +ignore; +{error, Error} -> +{stop, Error} +end. + + +terminate(_Reason, _State) -> +ok. + + +handle_call({update_headers, Headers, _Epoch}, _From, State) -> +case maybe_refresh(State) of +{ok, State1} -> +Cookie = "AuthSession=" ++ State1#state.cookie, +Headers1 = [{"Cookie", Cookie} | Headers], +{reply, {Headers1, State1#state.epoch}, State1}; +{error, Error} -> +LogMsg = "~p: Stopping session auth plugin because of error ~p", +couch_log:error(LogMsg, [?MODULE, Error]), +{stop, Error, State} +end; + +handle_call({handle_response, Code, Headers, _, Epoch}, _From, State) -> +{Retry, State1} = process_response(Code, Headers, Epoch, State), +{reply, {Retry, State1#state.epoch}, State1}; + +handle_call(stop, _From, State) -> +{stop, normal, ok, State}. 
+ + +handle_cast(Msg, State) -> +couch_log:error("~p: Received un-expected cast ~p", [?MODULE, Msg]), +{noreply, State}. + + +handle_info(Msg, State) -> +couch_log:error("~p : Received un-expected message ~p", [?MODULE, Msg]), +{noreply, State}. + + +code_change(_OldVsn, State, _Extra) -> +{ok, State}. + + +format_status(_Opt, [_PDict, State])
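Review bot: in the `update_headers` clause of `handle_call/3`, the error branch returns `{stop, Error, State}` while `#state{}` still holds `user` and `pass` in clear text, so the abnormal-termination report will print them unless `format_status/2` redacts those fields. The body of `format_status/2` is cut off in this view; please confirm it blanks `pass` and `cookie` before the state is formatted, and add a test that asserts the formatted state contains neither value.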
[GitHub] nickva commented on a change in pull request #1176: Implement pluggable authentication and session support for replicator
nickva commented on a change in pull request #1176: Implement pluggable authentication and session support for replicator
URL: https://github.com/apache/couchdb/pull/1176#discussion_r169185117

## File path: src/couch_replicator/src/couch_replicator_utils.erl ##
@@ -174,3 +175,93 @@ filter_state(State, States, Info) -> false -> skip end. + + +remove_basic_auth_from_headers(Headers) -> +Headers1 = mochiweb_headers:make(Headers), +case mochiweb_headers:get_value("Authorization", Headers1) of +undefined -> +{{undefined, undefined}, Headers}; +Auth when length(Auth) =< 6 ->

Review comment: Good point! Let's use `splitwith/2`. As for other auth, in this case the function only deals with stripping out basic auth credentials so they don't get sent to endpoints, so it's specific to basic.
[GitHub] iilyak commented on a change in pull request #1176: Implement pluggable authentication and session support for replicator
iilyak commented on a change in pull request #1176: Implement pluggable authentication and session support for replicator
URL: https://github.com/apache/couchdb/pull/1176#discussion_r169185592

## File path: src/couch_replicator/src/couch_replicator_auth_session.erl ##
@@ -0,0 +1,486 @@ +% Licensed under the Apache License, Version 2.0 (the "License"); you may not +% use this file except in compliance with the License. You may obtain a copy of +% the License at +% +% http://www.apache.org/licenses/LICENSE-2.0 +% +% Unless required by applicable law or agreed to in writing, software +% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +% License for the specific language governing permissions and limitations under +% the License. + +-module(couch_replicator_auth_session). + + +-behavior(couch_replicator_auth). + + +-export([ +initialize/1, +update_headers/2, +handle_response/4, +cleanup/1 +]). + +-export([ +init/1, +terminate/2, +handle_call/3, +handle_cast/2, +handle_info/2, +code_change/3, +format_status/2 +]). + + +-include_lib("ibrowse/include/ibrowse.hrl"). +-include("couch_replicator_api_wrap.hrl"). + + +-type headers() :: [{string(), string()}]. +-type code() :: non_neg_integer(). +-type creds() :: {string() | undefined, string() | undefined}. + + +% Behavior API callbacks + +-spec initialize(#httpdb{}) -> {ok, #httpdb{}, term()} | ignore. +initialize(#httpdb{} = HttpDb) -> +case remove_creds(HttpDb) of +{ok, User, Pass, HttpDb1} -> +case gen_server:start_link(?MODULE, [User, Pass, HttpDb1], []) of +{ok, Pid} -> +{ok, HttpDb1, {Pid, 0}}; +ignore -> +ignore; +{error, Error} -> +{error, Error} +end; +{error, missing_credentials} -> +ignore; +{error, Error} -> +{error, Error} +end. + + +-spec update_headers(term(), headers()) -> {headers(), term()}. +update_headers({Pid, Epoch}, Headers) -> +Args = {update_headers, Headers, Epoch}, +{Headers1, Epoch1} = gen_server:call(Pid, Args, infinity), +{Headers1, {Pid, Epoch1}}. + + +-spec handle_response(term(), code(), headers(), term()) -> +{continue | retry, term()}. 
+handle_response({Pid, Epoch}, Code, Headers, Body) -> +Args = {handle_response, Code, Headers, Body, Epoch}, +{Retry, Epoch1} = gen_server:call(Pid, Args, infinity), +{Retry, {Pid, Epoch1}}. + + +-spec cleanup(term()) -> ok. +cleanup({Pid, _Epoch}) -> +gen_server:call(Pid, stop, infinity). + + +%% Definitions + +-define(MIN_UPDATE_INTERVAL, 5). + + +%% gen_server state + +-record(state, { +epoch = 0 :: non_neg_integer(), +cookie :: string() | undefined, +user :: string() | undefined, +pass :: string() | undefined, +httpdb_timeout :: integer(), +httpdb_pool :: pid(), +httpdb_ibrowse_options = [] :: list(), +session_url :: string(), +next_refresh = infinity :: infinity | non_neg_integer(), +refresh_tstamp = 0 :: non_neg_integer() +}). + + +%% gen_server functions + +init([User, Pass, HttpDb]) -> +State = #state{ +user = User, +pass = Pass, +session_url = get_session_url(HttpDb#httpdb.url), +httpdb_pool = HttpDb#httpdb.httpc_pool, +httpdb_timeout = HttpDb#httpdb.timeout, +httpdb_ibrowse_options = HttpDb#httpdb.ibrowse_options +}, +case refresh(State) of +{ok, UpdatedState} -> +{ok, UpdatedState}; +{error, {session_not_supported, _, _}} -> +ignore; +{error, Error} -> +{stop, Error} +end. + + +terminate(_Reason, _State) -> +ok. + + +handle_call({update_headers, Headers, _Epoch}, _From, State) -> +case maybe_refresh(State) of +{ok, State1} -> +Cookie = "AuthSession=" ++ State1#state.cookie,

Review comment: I am a bit concerned with this. Cookie value is not escaped and can be manipulated. I followed the code we use for `maybe_update_cookie` and it looks like there is a possibility to inject new headers.

```
CookieKVs = mochiweb_cookies:parse_cookie("AuthSession=\"see\nInjected=hack\";baz; Version=1").
% wrap the parsed pairs for case-insensitive lookup
CaseInsKVs = mochiweb_headers:make(CookieKVs).
Cookie = mochiweb_headers:get_value("AuthSession", CaseInsKVs).
40> "AuthSession=" ++ Cookie.
"AuthSession=see\nInjected=hack"
```
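One way to guard the header construction discussed in the review comment above, as an added example that is not part of PR #1176 or CouchDB's own code: check the stored value against the RFC 6265 `cookie-octet` set before prepending `AuthSession=`. The module name `cookie_guard_example` and its function names are hypothetical, and the sample values in `demo/0` are constructed (the second one is the value from the comment).

```erlang
%% Added example, not code from the pull request. Module and function
%% names are hypothetical; only the "AuthSession=" prefix and the
%% "see\nInjected=hack" sample come from the thread.
-module(cookie_guard_example).

-export([cookie_header/1, is_cookie_octet/1, demo/0]).

%% cookie-octet as defined in RFC 6265 section 4.1.1: printable US-ASCII
%% without whitespace, DQUOTE, comma, semicolon and backslash. CR, LF and
%% every other control character are therefore rejected. Non-integer list
%% elements fall through to the last clause and are rejected as well.
-spec is_cookie_octet(term()) -> boolean().
is_cookie_octet(16#21) -> true;
is_cookie_octet(C) when C >= 16#23, C =< 16#2B -> true;
is_cookie_octet(C) when C >= 16#2D, C =< 16#3A -> true;
is_cookie_octet(C) when C >= 16#3C, C =< 16#5B -> true;
is_cookie_octet(C) when C >= 16#5D, C =< 16#7E -> true;
is_cookie_octet(_) -> false.

%% Build the request header only when every character of the stored
%% session value is a cookie-octet. The 'undefined' clause covers the
%% case where no cookie has been stored yet, which would otherwise crash
%% the "++" concatenation.
-spec cookie_header(string() | undefined) ->
    {ok, {string(), string()}} | {error, term()}.
cookie_header(undefined) ->
    {error, missing_cookie};
cookie_header([]) ->
    {error, empty_cookie};
cookie_header(Value) when is_list(Value) ->
    case lists:dropwhile(fun is_cookie_octet/1, Value) of
        [] ->
            {ok, {"Cookie", "AuthSession=" ++ Value}};
        [Bad | _] ->
            %% Report the first offending character, not the whole value,
            %% so a session token never ends up in a log line.
            {error, {invalid_cookie_octet, Bad}}
    end;
cookie_header(_Other) ->
    {error, not_a_string}.

%% Constructed inputs exercising the accept and reject paths.
%% Returns ok when every expectation holds, crashes with badmatch otherwise.
demo() ->
    Good = "YWRtaW46NUE4QjNDNDU6abc-_",
    Expected = {ok, {"Cookie", "AuthSession=" ++ Good}},
    Expected = cookie_header(Good),
    {error, {invalid_cookie_octet, $\n}} = cookie_header("see\nInjected=hack"),
    {error, {invalid_cookie_octet, $\r}} = cookie_header("abc\r\ndef"),
    {error, {invalid_cookie_octet, $;}} = cookie_header("abc; Path=/"),
    {error, missing_cookie} = cookie_header(undefined),
    {error, empty_cookie} = cookie_header(""),
    {error, not_a_string} = cookie_header(<<"abc">>),
    ok.
```

Rejecting the value and refreshing the session is safer than escaping it, since a value the server would not have issued in that form is unlikely to authenticate anyway.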
[GitHub] nickva commented on a change in pull request #1176: Implement pluggable authentication and session support for replicator
nickva commented on a change in pull request #1176: Implement pluggable authentication and session support for replicator
URL: https://github.com/apache/couchdb/pull/1176#discussion_r169186695

## File path: src/couch_replicator/src/couch_replicator_auth_session.erl ##
@@ -0,0 +1,486 @@ +% Licensed under the Apache License, Version 2.0 (the "License"); you may not +% use this file except in compliance with the License. You may obtain a copy of +% the License at +% +% http://www.apache.org/licenses/LICENSE-2.0 +% +% Unless required by applicable law or agreed to in writing, software +% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +% License for the specific language governing permissions and limitations under +% the License. + +-module(couch_replicator_auth_session). + + +-behavior(couch_replicator_auth). + + +-export([ +initialize/1, +update_headers/2, +handle_response/4, +cleanup/1 +]). + +-export([ +init/1, +terminate/2, +handle_call/3, +handle_cast/2, +handle_info/2, +code_change/3, +format_status/2 +]). + + +-include_lib("ibrowse/include/ibrowse.hrl"). +-include("couch_replicator_api_wrap.hrl"). + + +-type headers() :: [{string(), string()}]. +-type code() :: non_neg_integer(). +-type creds() :: {string() | undefined, string() | undefined}. + + +% Behavior API callbacks + +-spec initialize(#httpdb{}) -> {ok, #httpdb{}, term()} | ignore. +initialize(#httpdb{} = HttpDb) -> +case remove_creds(HttpDb) of +{ok, User, Pass, HttpDb1} -> +case gen_server:start_link(?MODULE, [User, Pass, HttpDb1], []) of +{ok, Pid} -> +{ok, HttpDb1, {Pid, 0}}; +ignore -> +ignore; +{error, Error} -> +{error, Error} +end; +{error, missing_credentials} -> +ignore; +{error, Error} -> +{error, Error} +end. + + +-spec update_headers(term(), headers()) -> {headers(), term()}. +update_headers({Pid, Epoch}, Headers) -> +Args = {update_headers, Headers, Epoch}, +{Headers1, Epoch1} = gen_server:call(Pid, Args, infinity), +{Headers1, {Pid, Epoch1}}. + + +-spec handle_response(term(), code(), headers(), term()) -> +{continue | retry, term()}. 
+handle_response({Pid, Epoch}, Code, Headers, Body) -> +Args = {handle_response, Code, Headers, Body, Epoch}, +{Retry, Epoch1} = gen_server:call(Pid, Args, infinity), +{Retry, {Pid, Epoch1}}. + + +-spec cleanup(term()) -> ok. +cleanup({Pid, _Epoch}) -> +gen_server:call(Pid, stop, infinity). + + +%% Definitions + +-define(MIN_UPDATE_INTERVAL, 5). + + +%% gen_server state + +-record(state, { +epoch = 0 :: non_neg_integer(), +cookie :: string() | undefined, +user :: string() | undefined, +pass :: string() | undefined, +httpdb_timeout :: integer(), +httpdb_pool :: pid(), +httpdb_ibrowse_options = [] :: list(), +session_url :: string(), +next_refresh = infinity :: infinity | non_neg_integer(), +refresh_tstamp = 0 :: non_neg_integer() +}). + + +%% gen_server functions + +init([User, Pass, HttpDb]) -> +State = #state{ +user = User, +pass = Pass, +session_url = get_session_url(HttpDb#httpdb.url), +httpdb_pool = HttpDb#httpdb.httpc_pool, +httpdb_timeout = HttpDb#httpdb.timeout, +httpdb_ibrowse_options = HttpDb#httpdb.ibrowse_options +}, +case refresh(State) of +{ok, UpdatedState} -> +{ok, UpdatedState}; +{error, {session_not_supported, _, _}} -> +ignore; +{error, Error} -> +{stop, Error} +end. + + +terminate(_Reason, _State) -> +ok. + + +handle_call({update_headers, Headers, _Epoch}, _From, State) -> +case maybe_refresh(State) of +{ok, State1} -> +Cookie = "AuthSession=" ++ State1#state.cookie,

Review comment: But wondering what the threat model is here. The server somehow injecting extra headers into its own session cookie?
[GitHub] nickva commented on a change in pull request #1176: Implement pluggable authentication and session support for replicator
nickva commented on a change in pull request #1176: Implement pluggable authentication and session support for replicator
URL: https://github.com/apache/couchdb/pull/1176#discussion_r169219750

## File path: src/couch_replicator/src/couch_replicator_auth_session.erl ##
@@ -0,0 +1,486 @@ +% Licensed under the Apache License, Version 2.0 (the "License"); you may not +% use this file except in compliance with the License. You may obtain a copy of +% the License at +% +% http://www.apache.org/licenses/LICENSE-2.0 +% +% Unless required by applicable law or agreed to in writing, software +% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +% License for the specific language governing permissions and limitations under +% the License. + +-module(couch_replicator_auth_session). + + +-behavior(couch_replicator_auth). + + +-export([ +initialize/1, +update_headers/2, +handle_response/4, +cleanup/1 +]). + +-export([ +init/1, +terminate/2, +handle_call/3, +handle_cast/2, +handle_info/2, +code_change/3, +format_status/2 +]). + + +-include_lib("ibrowse/include/ibrowse.hrl"). +-include("couch_replicator_api_wrap.hrl"). + + +-type headers() :: [{string(), string()}]. +-type code() :: non_neg_integer(). +-type creds() :: {string() | undefined, string() | undefined}. + + +% Behavior API callbacks + +-spec initialize(#httpdb{}) -> {ok, #httpdb{}, term()} | ignore. +initialize(#httpdb{} = HttpDb) -> +case remove_creds(HttpDb) of +{ok, User, Pass, HttpDb1} -> +case gen_server:start_link(?MODULE, [User, Pass, HttpDb1], []) of +{ok, Pid} -> +{ok, HttpDb1, {Pid, 0}}; +ignore -> +ignore; +{error, Error} -> +{error, Error} +end; +{error, missing_credentials} -> +ignore; +{error, Error} -> +{error, Error} +end. + + +-spec update_headers(term(), headers()) -> {headers(), term()}. +update_headers({Pid, Epoch}, Headers) -> +Args = {update_headers, Headers, Epoch}, +{Headers1, Epoch1} = gen_server:call(Pid, Args, infinity), +{Headers1, {Pid, Epoch1}}. + + +-spec handle_response(term(), code(), headers(), term()) -> +{continue | retry, term()}. 
+handle_response({Pid, Epoch}, Code, Headers, Body) -> +Args = {handle_response, Code, Headers, Body, Epoch}, +{Retry, Epoch1} = gen_server:call(Pid, Args, infinity), +{Retry, {Pid, Epoch1}}. + + +-spec cleanup(term()) -> ok. +cleanup({Pid, _Epoch}) -> +gen_server:call(Pid, stop, infinity). + + +%% Definitions + +-define(MIN_UPDATE_INTERVAL, 5). + + +%% gen_server state + +-record(state, { +epoch = 0 :: non_neg_integer(), +cookie :: string() | undefined, +user :: string() | undefined, +pass :: string() | undefined, +httpdb_timeout :: integer(), +httpdb_pool :: pid(), +httpdb_ibrowse_options = [] :: list(), +session_url :: string(), +next_refresh = infinity :: infinity | non_neg_integer(), +refresh_tstamp = 0 :: non_neg_integer() +}). + + +%% gen_server functions + +init([User, Pass, HttpDb]) -> +State = #state{ +user = User, +pass = Pass, +session_url = get_session_url(HttpDb#httpdb.url), +httpdb_pool = HttpDb#httpdb.httpc_pool, +httpdb_timeout = HttpDb#httpdb.timeout, +httpdb_ibrowse_options = HttpDb#httpdb.ibrowse_options +}, +case refresh(State) of +{ok, UpdatedState} -> +{ok, UpdatedState}; +{error, {session_not_supported, _, _}} -> +ignore; +{error, Error} -> +{stop, Error} +end. + + +terminate(_Reason, _State) -> +ok. + + +handle_call({update_headers, Headers, _Epoch}, _From, State) -> +case maybe_refresh(State) of +{ok, State1} -> +Cookie = "AuthSession=" ++ State1#state.cookie, +Headers1 = [{"Cookie", Cookie} | Headers], +{reply, {Headers1, State1#state.epoch}, State1}; +{error, Error} -> +LogMsg = "~p: Stopping session auth plugin because of error ~p", +couch_log:error(LogMsg, [?MODULE, Error]), +{stop, Error, State} +end; + +handle_call({handle_response, Code, Headers, _, Epoch}, _From, State) -> +{Retry, State1} = process_response(Code, Headers, Epoch, State), +{reply, {Retry, State1#state.epoch}, State1}; + +handle_call(stop, _From, State) -> +{stop, normal, ok, State}. 
+ + +handle_cast(Msg, State) -> +couch_log:error("~p: Received un-expected cast ~p", [?MODULE, Msg]), +{noreply, State}. + + +handle_info(Msg, State) -> +couch_log:error("~p : Received un-expected message ~p", [?MODULE, Msg]), +{noreply, State}. + + +code_change(_OldVsn, State, _Extra) -> +{ok, State}. + + +format_status(_Opt, [_PDict, State])
[GitHub] nickva commented on a change in pull request #1176: Implement pluggable authentication and session support for replicator
nickva commented on a change in pull request #1176: Implement pluggable authentication and session support for replicator
URL: https://github.com/apache/couchdb/pull/1176#discussion_r169181543

## File path: src/couch_replicator/src/couch_replicator_auth.erl ##
@@ -0,0 +1,103 @@ +% Licensed under the Apache License, Version 2.0 (the "License"); you may not +% use this file except in compliance with the License. You may obtain a copy of +% the License at +% +% http://www.apache.org/licenses/LICENSE-2.0 +% +% Unless required by applicable law or agreed to in writing, software +% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +% License for the specific language governing permissions and limitations under +% the License. + +-module(couch_replicator_auth). + + +-export([ +initialize/1, +update_headers/2, +handle_response/4, +cleanup/1 +]). + + +-include("couch_replicator_api_wrap.hrl"). + + +-type headers() :: [{string(), string()}]. +-type code() :: non_neg_integer(). + + +-define(PLUGINS, "couch_replicator_auth_session,couch_replicator_auth_basic"). + + +% Behavior API + +-callback initialize(#httpdb{}) -> {ok, #httpdb{}, term()} | ignore. + +-callback update_headers(term(), headers()) -> {headers(), term()}. + +-callback handle_response(term(), code(), headers(), term()) -> +{continue | retry, term()}. + +-callback cleanup(term()) -> ok. + + +% Main API + +-spec initialize(#httpdb{}) -> {ok, #httpdb{}} | {error, term()}. +initialize(#httpdb{auth_context = nil} = HttpDb) -> +case try_initialize(get_plugin_modules(), HttpDb) of +{ok, Mod, HttpDb1, Context} -> +{ok, HttpDb1#httpdb{auth_context = {Mod, Context}}}; +{error, Error} -> +{error, Error} +end; +initialize(#httpdb{} = HttpDb) -> +{ok, HttpDb}. + + +-spec update_headers(#httpdb{}, headers()) -> {headers(), #httpdb{}}. +update_headers(#httpdb{auth_context = {Mod, Context}} = HttpDb, Headers) -> +{Headers1, Context1} = Mod:update_headers(Context, Headers), +{Headers1, HttpDb#httpdb{auth_context = {Mod, Context1}}}. + + +-spec handle_response(#httpdb{}, code(), headers(), term()) -> +{continue | retry, term()}. 
+handle_response(#httpdb{} = HttpDb, Code, Headers, Message) ->

Review comment: Yeah we'd want the match to crash here. Initialization and cleanup is more forgiving, though maybe we don't want it to be. I think I'll remove the extra clauses around the init and cleanup as well.
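Review bot: the `-callback initialize(#httpdb{})` declaration allows only `{ok, #httpdb{}, term()} | ignore`, but `initialize/1` in this module matches `{error, Error}` coming back from `try_initialize/2`, and the session plugin in this PR returns `{error, Error}` from its own `initialize/1`. Add `{error, term()}` to the callback's return type so the behaviour contract and Dialyzer agree with what plugins actually return.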
[GitHub] nickva commented on issue #1176: Implement pluggable authentication and session support for replicator
nickva commented on issue #1176: Implement pluggable authentication and session support for replicator
URL: https://github.com/apache/couchdb/pull/1176#issuecomment-366881239

Conducted a simple benchmark using couchdyno https://github.com/cloudant-labs/couchdyno

Timed replicating 100k docs with PBKDF2 iterations set to 10k.

```
[couch_http_auth]
iterations = 1
```

```
rep.replicate_1_to_n_and_compare(1, normal=True, num=10)
```

Master took **1133** seconds and this PR took **574** seconds.

This should allow increasing the work factor to improve security without sacrificing replication performance.
[GitHub] jaydoane commented on a change in pull request #1176: Implement pluggable authentication and session support for replicator
jaydoane commented on a change in pull request #1176: Implement pluggable authentication and session support for replicator
URL: https://github.com/apache/couchdb/pull/1176#discussion_r169222008

## File path: src/couch_replicator/src/couch_replicator_auth.erl ##
@@ -0,0 +1,103 @@ +% Licensed under the Apache License, Version 2.0 (the "License"); you may not +% use this file except in compliance with the License. You may obtain a copy of +% the License at +% +% http://www.apache.org/licenses/LICENSE-2.0 +% +% Unless required by applicable law or agreed to in writing, software +% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +% License for the specific language governing permissions and limitations under +% the License. + +-module(couch_replicator_auth). + + +-export([ +initialize/1, +update_headers/2, +handle_response/4, +cleanup/1 +]). + + +-include("couch_replicator_api_wrap.hrl"). + + +-type headers() :: [{string(), string()}]. +-type code() :: non_neg_integer(). + + +-define(PLUGINS, "couch_replicator_auth_session,couch_replicator_auth_basic").

Review comment: what do you think of calling this `DEFAULT_PLUGINS`, which to me implies they can be overridden?
[GitHub] jaydoane commented on a change in pull request #1176: Implement pluggable authentication and session support for replicator
jaydoane commented on a change in pull request #1176: Implement pluggable authentication and session support for replicator
URL: https://github.com/apache/couchdb/pull/1176#discussion_r169226347

## File path: src/couch_replicator/src/couch_replicator_auth_session.erl ##
@@ -0,0 +1,486 @@ +% Licensed under the Apache License, Version 2.0 (the "License"); you may not +% use this file except in compliance with the License. You may obtain a copy of +% the License at +% +% http://www.apache.org/licenses/LICENSE-2.0 +% +% Unless required by applicable law or agreed to in writing, software +% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +% License for the specific language governing permissions and limitations under +% the License. + +-module(couch_replicator_auth_session). + + +-behavior(couch_replicator_auth).

Review comment: Speaking of gen_servers, does this get added to a supervision tree?
[GitHub] jaydoane commented on a change in pull request #1176: Implement pluggable authentication and session support for replicator
jaydoane commented on a change in pull request #1176: Implement pluggable authentication and session support for replicator
URL: https://github.com/apache/couchdb/pull/1176#discussion_r169223363

## File path: src/couch_replicator/src/couch_replicator_auth_session.erl ##
@@ -0,0 +1,486 @@ +% Licensed under the Apache License, Version 2.0 (the "License"); you may not +% use this file except in compliance with the License. You may obtain a copy of +% the License at +% +% http://www.apache.org/licenses/LICENSE-2.0 +% +% Unless required by applicable law or agreed to in writing, software +% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +% License for the specific language governing permissions and limitations under +% the License. + +-module(couch_replicator_auth_session). + + +-behavior(couch_replicator_auth).

Review comment: also add gen_server behavior?
[GitHub] nickva commented on a change in pull request #1176: Implement pluggable authentication and session support for replicator
nickva commented on a change in pull request #1176: Implement pluggable authentication and session support for replicator
URL: https://github.com/apache/couchdb/pull/1176#discussion_r169229686

## File path: src/couch_replicator/src/couch_replicator_auth.erl ##
@@ -0,0 +1,103 @@ +% Licensed under the Apache License, Version 2.0 (the "License"); you may not +% use this file except in compliance with the License. You may obtain a copy of +% the License at +% +% http://www.apache.org/licenses/LICENSE-2.0 +% +% Unless required by applicable law or agreed to in writing, software +% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +% License for the specific language governing permissions and limitations under +% the License. + +-module(couch_replicator_auth). + + +-export([ +initialize/1, +update_headers/2, +handle_response/4, +cleanup/1 +]). + + +-include("couch_replicator_api_wrap.hrl"). + + +-type headers() :: [{string(), string()}]. +-type code() :: non_neg_integer(). + + +-define(PLUGINS, "couch_replicator_auth_session,couch_replicator_auth_basic").

Review comment: Good call, Jay. Will make it DEFAULT_PLUGINS
[GitHub] nickva commented on a change in pull request #1176: Implement pluggable authentication and session support for replicator
nickva commented on a change in pull request #1176: Implement pluggable authentication and session support for replicator
URL: https://github.com/apache/couchdb/pull/1176#discussion_r169229908

## File path: src/couch_replicator/src/couch_replicator_auth_session.erl ##
@@ -0,0 +1,486 @@ +% Licensed under the Apache License, Version 2.0 (the "License"); you may not +% use this file except in compliance with the License. You may obtain a copy of +% the License at +% +% http://www.apache.org/licenses/LICENSE-2.0 +% +% Unless required by applicable law or agreed to in writing, software +% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +% License for the specific language governing permissions and limitations under +% the License. + +-module(couch_replicator_auth_session). + + +-behavior(couch_replicator_auth).

Review comment: No it doesn't get added, if it crashes, it also crashes the spawning program since it does a start_link. The replication task is also in a way a poor-person's supervisor as it sets the `process_flag(trap_exit, true)` flag.
[GitHub] nickva commented on a change in pull request #1176: Implement pluggable authentication and session support for replicator
nickva commented on a change in pull request #1176: Implement pluggable authentication and session support for replicator
URL: https://github.com/apache/couchdb/pull/1176#discussion_r169229908

## File path: src/couch_replicator/src/couch_replicator_auth_session.erl ##
@@ -0,0 +1,486 @@ +% Licensed under the Apache License, Version 2.0 (the "License"); you may not +% use this file except in compliance with the License. You may obtain a copy of +% the License at +% +% http://www.apache.org/licenses/LICENSE-2.0 +% +% Unless required by applicable law or agreed to in writing, software +% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +% License for the specific language governing permissions and limitations under +% the License. + +-module(couch_replicator_auth_session). + + +-behavior(couch_replicator_auth).

Review comment: No it doesn't get added. If it crashes, it also crashes the spawning program since it does a start_link. The replication task is also in a way a poor-person's supervisor as it sets the `process_flag(trap_exit, true)` flag.