auth_requests.go 4.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166
  1. // Copyright 2015 The etcd Authors
  2. //
  3. // Licensed under the Apache License, Version 2.0 (the "License");
  4. // you may not use this file except in compliance with the License.
  5. // You may obtain a copy of the License at
  6. //
  7. // http://www.apache.org/licenses/LICENSE-2.0
  8. //
  9. // Unless required by applicable law or agreed to in writing, software
  10. // distributed under the License is distributed on an "AS IS" BASIS,
  11. // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  12. // See the License for the specific language governing permissions and
  13. // limitations under the License.
  14. package auth
  15. import (
  16. "encoding/json"
  17. "path"
  18. etcderr "github.com/coreos/etcd/error"
  19. "github.com/coreos/etcd/etcdserver"
  20. "github.com/coreos/etcd/etcdserver/etcdserverpb"
  21. "golang.org/x/net/context"
  22. )
  23. func (s *store) ensureAuthDirectories() error {
  24. if s.ensuredOnce {
  25. return nil
  26. }
  27. for _, res := range []string{StorePermsPrefix, StorePermsPrefix + "/users/", StorePermsPrefix + "/roles/"} {
  28. ctx, cancel := context.WithTimeout(context.Background(), s.timeout)
  29. defer cancel()
  30. pe := false
  31. rr := etcdserverpb.Request{
  32. Method: "PUT",
  33. Path: res,
  34. Dir: true,
  35. PrevExist: &pe,
  36. }
  37. _, err := s.server.Do(ctx, rr)
  38. if err != nil {
  39. if e, ok := err.(*etcderr.Error); ok {
  40. if e.ErrorCode == etcderr.EcodeNodeExist {
  41. continue
  42. }
  43. }
  44. plog.Errorf("failed to create auth directories in the store (%v)", err)
  45. return err
  46. }
  47. }
  48. ctx, cancel := context.WithTimeout(context.Background(), s.timeout)
  49. defer cancel()
  50. pe := false
  51. rr := etcdserverpb.Request{
  52. Method: "PUT",
  53. Path: StorePermsPrefix + "/enabled",
  54. Val: "false",
  55. PrevExist: &pe,
  56. }
  57. _, err := s.server.Do(ctx, rr)
  58. if err != nil {
  59. if e, ok := err.(*etcderr.Error); ok {
  60. if e.ErrorCode == etcderr.EcodeNodeExist {
  61. s.ensuredOnce = true
  62. return nil
  63. }
  64. }
  65. return err
  66. }
  67. s.ensuredOnce = true
  68. return nil
  69. }
  70. func (s *store) enableAuth() error {
  71. _, err := s.updateResource("/enabled", true)
  72. return err
  73. }
  74. func (s *store) disableAuth() error {
  75. _, err := s.updateResource("/enabled", false)
  76. return err
  77. }
  78. func (s *store) detectAuth() bool {
  79. if s.server == nil {
  80. return false
  81. }
  82. value, err := s.requestResource("/enabled", false, false)
  83. if err != nil {
  84. if e, ok := err.(*etcderr.Error); ok {
  85. if e.ErrorCode == etcderr.EcodeKeyNotFound {
  86. return false
  87. }
  88. }
  89. plog.Errorf("failed to detect auth settings (%s)", err)
  90. return false
  91. }
  92. var u bool
  93. err = json.Unmarshal([]byte(*value.Event.Node.Value), &u)
  94. if err != nil {
  95. plog.Errorf("internal bookkeeping value for enabled isn't valid JSON (%v)", err)
  96. return false
  97. }
  98. return u
  99. }
  100. func (s *store) requestResource(res string, dir, quorum bool) (etcdserver.Response, error) {
  101. ctx, cancel := context.WithTimeout(context.Background(), s.timeout)
  102. defer cancel()
  103. p := path.Join(StorePermsPrefix, res)
  104. method := "GET"
  105. if quorum {
  106. method = "QGET"
  107. }
  108. rr := etcdserverpb.Request{
  109. Method: method,
  110. Path: p,
  111. Dir: dir,
  112. }
  113. return s.server.Do(ctx, rr)
  114. }
  115. func (s *store) updateResource(res string, value interface{}) (etcdserver.Response, error) {
  116. return s.setResource(res, value, true)
  117. }
  118. func (s *store) createResource(res string, value interface{}) (etcdserver.Response, error) {
  119. return s.setResource(res, value, false)
  120. }
  121. func (s *store) setResource(res string, value interface{}, prevexist bool) (etcdserver.Response, error) {
  122. err := s.ensureAuthDirectories()
  123. if err != nil {
  124. return etcdserver.Response{}, err
  125. }
  126. ctx, cancel := context.WithTimeout(context.Background(), s.timeout)
  127. defer cancel()
  128. data, err := json.Marshal(value)
  129. if err != nil {
  130. return etcdserver.Response{}, err
  131. }
  132. p := path.Join(StorePermsPrefix, res)
  133. rr := etcdserverpb.Request{
  134. Method: "PUT",
  135. Path: p,
  136. Val: string(data),
  137. PrevExist: &prevexist,
  138. }
  139. return s.server.Do(ctx, rr)
  140. }
  141. func (s *store) deleteResource(res string) (etcdserver.Response, error) {
  142. err := s.ensureAuthDirectories()
  143. if err != nil {
  144. return etcdserver.Response{}, err
  145. }
  146. ctx, cancel := context.WithTimeout(context.Background(), s.timeout)
  147. defer cancel()
  148. pex := true
  149. p := path.Join(StorePermsPrefix, res)
  150. rr := etcdserverpb.Request{
  151. Method: "DELETE",
  152. Path: p,
  153. PrevExist: &pex,
  154. }
  155. return s.server.Do(ctx, rr)
  156. }