func (sc *ServerContext) installPrincipals(context *db.DatabaseContext, spec map[string]json.RawMessage, what string) error {
for name, data := range spec {
isUsers := (what == "user")
if name == "GUEST" && isUsers {
name = ""
}
authenticator := context.Authenticator()
newPrincipal, err := authenticator.UnmarshalPrincipal(data, name, 1, isUsers)
if err != nil {
return fmt.Errorf("Invalid config for %s %q: %v", what, name, err)
}
oldPrincipal, err := authenticator.GetPrincipal(newPrincipal.Name(), isUsers)
if oldPrincipal == nil || name == "" {
if err == nil {
err = authenticator.Save(newPrincipal)
}
if err != nil {
return fmt.Errorf("Couldn't create %s %q: %v", what, name, err)
} else if name == "" {
base.Log(" Reset guest user to config")
} else {
base.Log(" Created %s %q", what, name)
}
}
}
return nil
}
// Updates or creates a principal from a PrincipalConfig structure.
func updatePrincipal(dbc *db.DatabaseContext, newInfo PrincipalConfig, isUser bool, allowReplace bool) (replaced bool, err error) {
// Get the existing principal, or if this is a POST make sure there isn't one:
var princ auth.Principal
var user auth.User
authenticator := dbc.Authenticator()
if isUser {
user, err = authenticator.GetUser(internalUserName(*newInfo.Name))
princ = user
} else {
princ, err = authenticator.GetRole(*newInfo.Name)
}
if err != nil {
return
}
replaced = (princ != nil)
if !replaced {
// If user/role didn't exist already, instantiate a new one:
if isUser {
user, err = authenticator.NewUser(internalUserName(*newInfo.Name), "", nil)
princ = user
} else {
princ, err = authenticator.NewRole(*newInfo.Name, nil)
}
if err != nil {
return
}
} else if !allowReplace {
err = base.HTTPErrorf(http.StatusConflict, "Already exists")
return
}
// Now update the Principal object from the properties in the request, first the channels:
updatedChannels := princ.ExplicitChannels()
if updatedChannels == nil {
updatedChannels = ch.TimedSet{}
}
lastSeq, err := dbc.LastSequence()
if err != nil {
return
}
updatedChannels.UpdateAtSequence(newInfo.ExplicitChannels, lastSeq+1)
princ.SetExplicitChannels(updatedChannels)
// Then the roles:
if isUser {
user.SetEmail(newInfo.Email)
if newInfo.Password != nil {
user.SetPassword(*newInfo.Password)
}
user.SetDisabled(newInfo.Disabled)
user.SetExplicitRoleNames(newInfo.ExplicitRoleNames)
}
// And finally save the Principal:
err = authenticator.Save(princ)
return
}
func (sc *ServerContext) applySyncFunction(dbcontext *db.DatabaseContext, syncFn string) error {
changed, err := dbcontext.UpdateSyncFun(syncFn)
if err != nil || !changed {
return err
}
// Sync function has changed:
base.Log("**NOTE:** %q's sync function has changed. The new function may assign different channels to documents, or permissions to users. You may want to re-sync the database to update these.", dbcontext.Name)
return nil
}
func (sc *ServerContext) installPrincipals(context *db.DatabaseContext, spec map[string]*db.PrincipalConfig, what string) error {
for name, princ := range spec {
isGuest := name == "GUEST"
if isGuest {
internalName := ""
princ.Name = &internalName
} else {
princ.Name = &name
}
_, err := context.UpdatePrincipal(*princ, (what == "user"), isGuest)
if err != nil {
// A conflict error just means updatePrincipal didn't overwrite an existing user.
if status, _ := base.ErrorAsHTTPStatus(err); status != http.StatusConflict {
return fmt.Errorf("Couldn't create %s %q: %v", what, name, err)
}
} else if isGuest {
base.Log(" Reset guest user to config")
} else {
base.Log(" Created %s %q", what, name)
}
}
return nil
}
func (sc *ServerContext) startShadowing(dbcontext *db.DatabaseContext, shadow *ShadowConfig) error {
var pattern *regexp.Regexp
if shadow.Doc_id_regex != nil {
var err error
pattern, err = regexp.Compile(*shadow.Doc_id_regex)
if err != nil {
base.Warn("Invalid shadow doc_id_regex: %s", *shadow.Doc_id_regex)
return err
}
}
spec := base.BucketSpec{
Server: shadow.Server,
PoolName: "default",
BucketName: shadow.Bucket,
}
if shadow.Pool != nil {
spec.PoolName = *shadow.Pool
}
if shadow.Username != "" {
spec.Auth = shadow
}
bucket, err := db.ConnectToBucket(spec)
if err != nil {
return err
}
shadower, err := db.NewShadower(dbcontext, bucket, pattern)
if err != nil {
bucket.Close()
return err
}
dbcontext.Shadower = shadower
//Remove credentials from server URL before logging
url, err := couchbase.ParseURL(spec.Server)
if err == nil {
base.Log("Database %q shadowing remote bucket %q, pool %q, server <%s:%s/%s>", dbcontext.Name, spec.BucketName, spec.PoolName, url.Scheme, url.Host, url.Path)
}
return nil
}
func (h *handler) checkAuth(context *db.DatabaseContext) error {
h.user = nil
if context == nil {
return nil
}
// Check cookie first:
var err error
h.user, err = context.Authenticator().AuthenticateCookie(h.rq)
if err != nil {
return err
} else if h.user != nil {
base.LogTo("HTTP+", "#%03d: Authenticated as %q via cookie", h.serialNumber, h.user.Name())
return nil
}
// If no cookie, check HTTP auth:
if userName, password := h.getBasicAuth(); userName != "" {
h.user = context.Authenticator().AuthenticateUser(userName, password)
if h.user == nil {
base.Log("HTTP auth failed for username=%q", userName)
h.response.Header().Set("WWW-Authenticate", `Basic realm="Couchbase Sync Gateway"`)
return &base.HTTPError{http.StatusUnauthorized, "Invalid login"}
}
if h.user.Name() != "" {
base.LogTo("HTTP+", "#%03d: Authenticated as %q", h.serialNumber, h.user.Name())
}
return nil
}
// No auth given -- check guest access
if h.user, err = context.Authenticator().GetUser(""); err != nil {
return err
}
if h.privs == regularPrivs && h.user.Disabled() {
h.response.Header().Set("WWW-Authenticate", `Basic realm="Couchbase Sync Gateway"`)
return &base.HTTPError{http.StatusUnauthorized, "Login required"}
}
return nil
}
// Updates or creates a principal from a PrincipalConfig structure.
func updatePrincipal(dbc *db.DatabaseContext, newInfo PrincipalConfig, isUser bool, allowReplace bool) (replaced bool, err error) {
// Get the existing principal, or if this is a POST make sure there isn't one:
var princ auth.Principal
var user auth.User
authenticator := dbc.Authenticator()
if isUser {
user, err = authenticator.GetUser(internalUserName(*newInfo.Name))
princ = user
} else {
princ, err = authenticator.GetRole(*newInfo.Name)
}
if err != nil {
return
}
replaced = (princ != nil)
if !replaced {
// If user/role didn't exist already, instantiate a new one:
if isUser {
user, err = authenticator.NewUser(internalUserName(*newInfo.Name), "", nil)
princ = user
} else {
princ, err = authenticator.NewRole(*newInfo.Name, nil)
}
if err != nil {
return
}
} else if !allowReplace {
err = base.HTTPErrorf(http.StatusConflict, "Already exists")
return
}
// Now update the Principal object from the properties in the request, first the channels:
updatedChannels := princ.ExplicitChannels()
if updatedChannels == nil {
updatedChannels = ch.TimedSet{}
}
lastSeq, err := dbc.LastSequence()
if err != nil {
return
}
updatedChannels.UpdateAtSequence(newInfo.ExplicitChannels, lastSeq+1)
princ.SetExplicitChannels(updatedChannels)
// Then the user-specific fields like roles:
if isUser {
user.SetEmail(newInfo.Email)
if newInfo.Password != nil {
user.SetPassword(*newInfo.Password)
}
user.SetDisabled(newInfo.Disabled)
// Convert the array of role strings into a TimedSet by reapplying the current sequences
// for existing roles, and using the database's last sequence for any new roles.
newRoles := ch.TimedSet{}
oldRoles := user.ExplicitRoles()
var currentSequence uint64
for _, roleName := range newInfo.ExplicitRoleNames {
since, found := oldRoles[roleName]
if !found {
if currentSequence == 0 {
currentSequence, _ = dbc.LastSequence()
if currentSequence == 0 {
currentSequence = 1
}
}
since = currentSequence
}
newRoles[roleName] = since
}
user.SetExplicitRoles(newRoles)
}
// And finally save the Principal:
err = authenticator.Save(princ)
return
}