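// installPrincipals creates the users or roles described by spec (keyed by
// principal name, values being the raw JSON for each) in the given database.
// what is "user" or "role": it selects user vs. role handling and appears in
// messages. A principal that already exists in the database is left untouched,
// so config never clobbers state changed through the REST API; the one
// exception is the guest user (config key "GUEST", stored under the empty
// name), which is always reset so its access matches the config. The first
// failure (bad JSON, failed lookup, failed save) aborts the loop and is
// returned with the offending name.
func (sc *ServerContext) installPrincipals(context *db.DatabaseContext, spec map[string]json.RawMessage, what string) error {
	isUsers := what == "user"
	for name, data := range spec {
		// The guest user is configured as "GUEST" but stored under the empty name.
		if isUsers && name == "GUEST" {
			name = ""
		}
		authenticator := context.Authenticator()
		// NOTE(review): the literal 1 is passed as the sequence argument; its meaning
		// isn't visible here — confirm against UnmarshalPrincipal.
		newPrincipal, err := authenticator.UnmarshalPrincipal(data, name, 1, isUsers)
		if err != nil {
			return fmt.Errorf("Invalid config for %s %q: %v", what, name, err)
		}
		oldPrincipal, err := authenticator.GetPrincipal(newPrincipal.Name(), isUsers)
		if err != nil {
			// A lookup failure is reported even when a principal value came back with it;
			// the previous version silently skipped that combination.
			return fmt.Errorf("Couldn't create %s %q: %v", what, name, err)
		}
		// Never overwrite an existing named principal from config; only the guest is
		// unconditionally rewritten.
		if oldPrincipal != nil && name != "" {
			continue
		}
		if err := authenticator.Save(newPrincipal); err != nil {
			return fmt.Errorf("Couldn't create %s %q: %v", what, name, err)
		}
		if name == "" {
			base.Log(" Reset guest user to config")
		} else {
			base.Log(" Created %s %q", what, name)
		}
	}
	return nil
}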
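// updatePrincipal updates or creates a user (isUser) or role from a
// PrincipalConfig. newInfo.Name must be set; a missing name is rejected with
// a 400 instead of being dereferenced. When the principal already exists and
// allowReplace is false a 409 Conflict is returned and nothing is written.
// Explicit channels are merged into the existing set at lastSequence+1 so
// channel grants keep the sequence they were first made at. For users the
// password is changed only when newInfo.Password is non-nil, so an update that
// omits it keeps the stored one. replaced reports whether an existing
// principal was overwritten.
func updatePrincipal(dbc *db.DatabaseContext, newInfo PrincipalConfig, isUser bool, allowReplace bool) (replaced bool, err error) {
	// Name is dereferenced below; reject its absence rather than panic.
	if newInfo.Name == nil {
		err = base.HTTPErrorf(http.StatusBadRequest, "Missing name")
		return
	}
	// Get the existing principal, or if this is a POST make sure there isn't one:
	var princ auth.Principal
	var user auth.User
	authenticator := dbc.Authenticator()
	if isUser {
		user, err = authenticator.GetUser(internalUserName(*newInfo.Name))
		princ = user
	} else {
		princ, err = authenticator.GetRole(*newInfo.Name)
	}
	if err != nil {
		return
	}
	replaced = (princ != nil)
	if !replaced {
		// If user/role didn't exist already, instantiate a new one:
		if isUser {
			user, err = authenticator.NewUser(internalUserName(*newInfo.Name), "", nil)
			princ = user
		} else {
			princ, err = authenticator.NewRole(*newInfo.Name, nil)
		}
		if err != nil {
			return
		}
	} else if !allowReplace {
		err = base.HTTPErrorf(http.StatusConflict, "Already exists")
		return
	}

	// Now update the Principal object from the properties in the request, first the channels:
	updatedChannels := princ.ExplicitChannels()
	if updatedChannels == nil {
		updatedChannels = ch.TimedSet{}
	}
	lastSeq, err := dbc.LastSequence()
	if err != nil {
		return
	}
	updatedChannels.UpdateAtSequence(newInfo.ExplicitChannels, lastSeq+1)
	princ.SetExplicitChannels(updatedChannels)

	// Then the user-only fields:
	if isUser {
		user.SetEmail(newInfo.Email)
		if newInfo.Password != nil {
			user.SetPassword(*newInfo.Password)
		}
		user.SetDisabled(newInfo.Disabled)
		user.SetExplicitRoleNames(newInfo.ExplicitRoleNames)
	}

	// And finally save the Principal:
	err = authenticator.Save(princ)
	return
}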
// applySyncFunction installs syncFn as the database's sync function. When
// that replaced a different function it logs a note, because documents and
// users may now map to different channels and a re-sync may be needed.
func (sc *ServerContext) applySyncFunction(dbcontext *db.DatabaseContext, syncFn string) error {
	changed, updateErr := dbcontext.UpdateSyncFun(syncFn)
	if updateErr != nil {
		return updateErr
	}
	if !changed {
		return nil
	}
	// Sync function has changed:
	base.Log("**NOTE:** %q's sync function has changed. The new function may assign different channels to documents, or permissions to users. You may want to re-sync the database to update these.", dbcontext.Name)
	return nil
}
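// installPrincipals creates the users or roles described by spec (keyed by
// principal name) in the given database via UpdatePrincipal. what is "user"
// or "role". Named principals already in the database are left as they are
// (the resulting 409 is treated as success), so config never clobbers state
// changed through the REST API; only the guest user (config key "GUEST",
// stored under the empty name) is forced to match the config. Any other
// error aborts the loop and is returned with the offending name.
func (sc *ServerContext) installPrincipals(context *db.DatabaseContext, spec map[string]*db.PrincipalConfig, what string) error {
	isUser := what == "user"
	for name, princ := range spec {
		// A JSON null entry decodes to a nil pointer; reject it rather than dereference it.
		if princ == nil {
			return fmt.Errorf("Invalid config for %s %q: no properties given", what, name)
		}
		isGuest := name == "GUEST"
		// Copy the key before taking its address: spec outlives this loop, and before
		// Go 1.22 every iteration shares one `name` variable, so &name would leave every
		// entry pointing at the last key visited.
		internalName := name
		if isGuest {
			internalName = ""
		}
		princ.Name = &internalName
		// Only the guest may replace an existing principal (third argument).
		_, err := context.UpdatePrincipal(*princ, isUser, isGuest)
		if err != nil {
			// A conflict error just means updatePrincipal didn't overwrite an existing user.
			if status, _ := base.ErrorAsHTTPStatus(err); status != http.StatusConflict {
				return fmt.Errorf("Couldn't create %s %q: %v", what, name, err)
			}
			continue
		}
		if isGuest {
			base.Log(" Reset guest user to config")
		} else {
			base.Log(" Created %s %q", what, name)
		}
	}
	return nil
}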
// startShadowing connects dbcontext to the remote bucket described by shadow
// and attaches a Shadower for it. An invalid doc_id_regex (warned about and
// returned) or a failed bucket connection aborts; if the shadower itself
// can't be created the bucket is closed before returning. The success log
// line prints only scheme, host and path of the server URL so embedded
// credentials never reach the log.
func (sc *ServerContext) startShadowing(dbcontext *db.DatabaseContext, shadow *ShadowConfig) error {
	var pattern *regexp.Regexp
	if shadow.Doc_id_regex != nil {
		compiled, compileErr := regexp.Compile(*shadow.Doc_id_regex)
		if compileErr != nil {
			base.Warn("Invalid shadow doc_id_regex: %s", *shadow.Doc_id_regex)
			return compileErr
		}
		pattern = compiled
	}

	spec := base.BucketSpec{
		Server:     shadow.Server,
		PoolName:   "default",
		BucketName: shadow.Bucket,
	}
	if shadow.Pool != nil {
		spec.PoolName = *shadow.Pool
	}
	if shadow.Username != "" {
		spec.Auth = shadow
	}

	bucket, connectErr := db.ConnectToBucket(spec)
	if connectErr != nil {
		return connectErr
	}
	shadower, shadowErr := db.NewShadower(dbcontext, bucket, pattern)
	if shadowErr != nil {
		bucket.Close()
		return shadowErr
	}
	dbcontext.Shadower = shadower

	// Remove credentials from server URL before logging (userinfo is not part of Host).
	if parsed, parseErr := couchbase.ParseURL(spec.Server); parseErr == nil {
		base.Log("Database %q shadowing remote bucket %q, pool %q, server <%s:%s/%s>",
			dbcontext.Name, spec.BucketName, spec.PoolName, parsed.Scheme, parsed.Host, parsed.Path)
	}
	return nil
}
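// checkAuth sets h.user for this request and returns an error if the request
// may not proceed. The order is fixed and security-relevant: a session cookie
// wins; otherwise HTTP Basic credentials are checked; only when neither was
// supplied does the request run as the guest user. A nil context leaves
// h.user nil and succeeds. A failed Basic login, and on the regular-privilege
// path a missing or disabled guest, answer 401 with a WWW-Authenticate
// challenge. Cookie lookup and guest lookup errors are returned as-is.
func (h *handler) checkAuth(context *db.DatabaseContext) error {
	h.user = nil
	if context == nil {
		return nil
	}

	// Check cookie first:
	var err error
	h.user, err = context.Authenticator().AuthenticateCookie(h.rq)
	if err != nil {
		return err
	} else if h.user != nil {
		base.LogTo("HTTP+", "#%03d: Authenticated as %q via cookie", h.serialNumber, h.user.Name())
		return nil
	}

	// If no cookie, check HTTP auth:
	if userName, password := h.getBasicAuth(); userName != "" {
		h.user = context.Authenticator().AuthenticateUser(userName, password)
		if h.user == nil {
			// Only the user name is logged; the password is never written out.
			base.Log("HTTP auth failed for username=%q", userName)
			h.response.Header().Set("WWW-Authenticate", `Basic realm="Couchbase Sync Gateway"`)
			return base.HTTPErrorf(http.StatusUnauthorized, "Invalid login")
		}
		if h.user.Name() != "" {
			base.LogTo("HTTP+", "#%03d: Authenticated as %q", h.serialNumber, h.user.Name())
		}
		return nil
	}

	// No auth given -- check guest access
	if h.user, err = context.Authenticator().GetUser(""); err != nil {
		return err
	}
	// Fail closed on the regular-privilege path: a disabled guest, or no guest
	// at all (if GetUser can return nil without an error), means login is
	// required rather than a nil dereference. Other privilege levels keep the
	// original behaviour and proceed with whatever h.user is.
	if h.privs == regularPrivs && (h.user == nil || h.user.Disabled()) {
		h.response.Header().Set("WWW-Authenticate", `Basic realm="Couchbase Sync Gateway"`)
		return base.HTTPErrorf(http.StatusUnauthorized, "Login required")
	}
	return nil
}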
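// updatePrincipal updates or creates a user (isUser) or role from a
// PrincipalConfig. newInfo.Name must be set; a missing name is rejected with
// a 400 instead of being dereferenced. When the principal already exists and
// allowReplace is false a 409 Conflict is returned and nothing is written.
// Explicit channels are merged into the existing set at lastSequence+1 so
// channel grants keep the sequence they were first made at; likewise roles
// the user already had keep their grant sequence and only new roles are
// stamped with the current one. For users the password is changed only when
// newInfo.Password is non-nil, so an update that omits it keeps the stored
// one. replaced reports whether an existing principal was overwritten.
func updatePrincipal(dbc *db.DatabaseContext, newInfo PrincipalConfig, isUser bool, allowReplace bool) (replaced bool, err error) {
	// Name is dereferenced below; reject its absence rather than panic.
	if newInfo.Name == nil {
		err = base.HTTPErrorf(http.StatusBadRequest, "Missing name")
		return
	}
	// Get the existing principal, or if this is a POST make sure there isn't one:
	var princ auth.Principal
	var user auth.User
	authenticator := dbc.Authenticator()
	if isUser {
		user, err = authenticator.GetUser(internalUserName(*newInfo.Name))
		princ = user
	} else {
		princ, err = authenticator.GetRole(*newInfo.Name)
	}
	if err != nil {
		return
	}
	replaced = (princ != nil)
	if !replaced {
		// If user/role didn't exist already, instantiate a new one:
		if isUser {
			user, err = authenticator.NewUser(internalUserName(*newInfo.Name), "", nil)
			princ = user
		} else {
			princ, err = authenticator.NewRole(*newInfo.Name, nil)
		}
		if err != nil {
			return
		}
	} else if !allowReplace {
		err = base.HTTPErrorf(http.StatusConflict, "Already exists")
		return
	}

	// Now update the Principal object from the properties in the request, first the channels:
	updatedChannels := princ.ExplicitChannels()
	if updatedChannels == nil {
		updatedChannels = ch.TimedSet{}
	}
	lastSeq, err := dbc.LastSequence()
	if err != nil {
		return
	}
	updatedChannels.UpdateAtSequence(newInfo.ExplicitChannels, lastSeq+1)
	princ.SetExplicitChannels(updatedChannels)

	// Then the user-specific fields like roles:
	if isUser {
		user.SetEmail(newInfo.Email)
		if newInfo.Password != nil {
			user.SetPassword(*newInfo.Password)
		}
		user.SetDisabled(newInfo.Disabled)
		// Convert the array of role strings into a TimedSet: roles the user already
		// had keep the sequence they were granted at; new roles are stamped with the
		// sequence fetched above. The previous version re-queried LastSequence here
		// and discarded its error; reusing lastSeq avoids the extra lookup and the
		// silently dropped failure, and keeps the original floor of 1.
		grantSeq := lastSeq
		if grantSeq == 0 {
			grantSeq = 1
		}
		oldRoles := user.ExplicitRoles()
		newRoles := ch.TimedSet{}
		for _, roleName := range newInfo.ExplicitRoleNames {
			since, found := oldRoles[roleName]
			if !found {
				since = grantSeq
			}
			newRoles[roleName] = since
		}
		user.SetExplicitRoles(newRoles)
	}

	// And finally save the Principal:
	err = authenticator.Save(princ)
	return
}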