feat: auth by refresh and session tokens.
1 parent
c5531ab
commit b506740
Showing
38 changed files
with
1,116 additions
and
86 deletions.
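--- /dev/null
+++ b/PATH_NOT_ON_PAGE_1
@@ -0,0 +1,31 @@
+// Copyright 2021 Datafuse Labs
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+use serde::Deserialize;
+use serde::Serialize;
+
+#[derive(
+serde::Serialize, serde::Deserialize, Clone, Debug, Eq, PartialEq, num_derive::FromPrimitive,
+)]
+pub enum TokenType {
+Refresh = 1,
+Session = 2,
+}
+
+#[derive(Serialize, Deserialize, Clone, Debug, PartialEq, Eq)]
+pub struct QueryTokenInfo {
+pub token_type: TokenType,
+// used to delete refresh token when close session
+pub parent: Option<String>,
+}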
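Review bot: The discriminants `Refresh = 1, Session = 2` on `TokenType` disagree with the `TokenInfo.TokenType` enum this same commit adds to the .proto file (`Session = 0; Refresh = 2;`), and the `QueryTokenInfo` converter in this commit writes and reads the Rust discriminant directly (`self.token_type.clone() as i32`, `FromPrimitive::from_i32`), so the persisted value follows this enum while the schema says the opposite: a stored 2 is a session token to this code but a refresh token to anything decoding with the proto enum, and 1 is not a schema value at all. Since refresh and session tokens are handled differently by the feature this commit introduces, a second reader of the meta-store (another language, a debugging decoder) would misclassify tokens; the v105 compat bytes (`8, 1` → Refresh) already pin the Rust numbering, so the .proto enum is the side to change to match (`Refresh = 1; Session = 2;`, keeping a proto3 zero value). Document that the discriminants are wire values: `/// Discriminants are the persisted values written by to_pb; never renumber existing variants.`. Minor: the derive spells `serde::Serialize, serde::Deserialize` although both names are imported two lines above; `Serialize, Deserialize` would match the derive on `QueryTokenInfo`.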
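--- /dev/null
+++ b/PATH_NOT_ON_PAGE_2
@@ -0,0 +1,60 @@
+// Copyright 2021 Datafuse Labs
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+use crate::tenant_key::ident::TIdent;
+
+/// Define the meta-service key for a user setting.
+pub type TokenIdent = TIdent<Resource>;
+
+pub use kvapi_impl::Resource;
+
+mod kvapi_impl {
+
+use databend_common_meta_kvapi::kvapi;
+
+use crate::principal::user_token::QueryTokenInfo;
+use crate::tenant_key::resource::TenantResource;
+
+pub struct Resource;
+impl TenantResource for Resource {
+const PREFIX: &'static str = "__fd_token";
+const TYPE: &'static str = "TokenIdent";
+const HAS_TENANT: bool = true;
+type ValueType = QueryTokenInfo;
+}
+
+impl kvapi::Value for QueryTokenInfo {
+fn dependency_keys(&self) -> impl IntoIterator<Item = String> {
+[]
+}
+}
+}
+
+#[cfg(test)]
+mod tests {
+use databend_common_meta_kvapi::kvapi::Key;
+
+use crate::principal::user_token_ident::TokenIdent;
+use crate::tenant::Tenant;
+
+#[test]
+fn test_setting_ident() {
+let tenant = Tenant::new_literal("tenant1");
+let ident = TokenIdent::new(tenant.clone(), "test");
+assert_eq!("__fd_token/tenant1/test", ident.to_string_key());
+
+let got = TokenIdent::from_str_key(&ident.to_string_key()).unwrap();
+assert_eq!(ident, got);
+}
+}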
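Review bot: The doc comment on `TokenIdent`, `/// Define the meta-service key for a user setting.`, is copied from the settings ident and describes the wrong key; `/// Meta-service key for a query token record, scoped to a tenant.` matches what this file defines, and the name component is presumably the token hash (the `TokenApi` added in this commit takes `token_hash`), which is worth stating so nobody keys an entry by the raw token. The test name `test_setting_ident` carries the same copy-paste and should become `test_token_ident`. `dependency_keys` returning `[]` is right for a leaf value, but a one-line comment saying that a token record references no other meta keys would spare the next reader the question.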
@@ -0,0 +1,57 @@ | ||
// Copyright 2021 Datafuse Labs | ||
// | ||
// Licensed under the Apache License, Version 2.0 (the "License"); | ||
// you may not use this file except in compliance with the License. | ||
// You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, software | ||
// distributed under the License is distributed on an "AS IS" BASIS, | ||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
// See the License for the specific language governing permissions and | ||
// limitations under the License. | ||
|
||
//! This mod is the key point about compatibility. | ||
//! Everytime update anything in this file, update the `VER` and let the tests pass. | ||
use databend_common_meta_app::principal::user_token as mt; | ||
use databend_common_protos::pb; | ||
use num::FromPrimitive; | ||
|
||
use crate::reader_check_msg; | ||
use crate::FromToProto; | ||
use crate::Incompatible; | ||
use crate::MIN_READER_VER; | ||
use crate::VER; | ||
|
||
impl FromToProto for mt::QueryTokenInfo { | ||
type PB = pb::TokenInfo; | ||
|
||
fn get_pb_ver(p: &Self::PB) -> u64 { | ||
p.ver | ||
} | ||
|
||
fn from_pb(p: Self::PB) -> Result<Self, Incompatible> | ||
where Self: Sized { | ||
reader_check_msg(p.ver, p.min_reader_ver)?; | ||
|
||
let v = Self { | ||
token_type: FromPrimitive::from_i32(p.token_type).ok_or_else(|| Incompatible { | ||
reason: format!("invalid TokenType: {}", p.token_type), | ||
})?, | ||
parent: p.parent, | ||
}; | ||
Ok(v) | ||
} | ||
|
||
fn to_pb(&self) -> Result<Self::PB, Incompatible> { | ||
let p = pb::TokenInfo { | ||
ver: VER, | ||
min_reader_ver: MIN_READER_VER, | ||
token_type: self.token_type.clone() as i32, | ||
parent: self.parent.clone(), | ||
}; | ||
Ok(p) | ||
} | ||
} |
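Review bot: `token_type: self.token_type.clone() as i32` in `to_pb` clones a fieldless enum only to cast it; deriving `Copy` on `TokenType` (in its defining file in this commit) lets this read `token_type: self.token_type as i32,`. `from_pb` turns an unknown `token_type` value into `Incompatible` instead of defaulting it, which is the right choice for a field that decides how a token is treated; a comment would keep a later cleanup from "simplifying" it: `// Reject unknown token types outright; defaulting here would silently change how the token is treated.`. The module doc requires bumping `VER` whenever this file changes; the v105 compat test elsewhere in the commit suggests that was done, but confirm the `VER`/`MIN_READER_VER` change is part of the same commit rather than a follow-up.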
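--- /dev/null
+++ b/PATH_NOT_ON_PAGE_4
@@ -0,0 +1,44 @@
+// Copyright 2023 Datafuse Labs.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+use databend_common_meta_app::principal::user_token::TokenType;
+use fastrace::func_name;
+
+use crate::common;
+
+// These bytes are built when a new version in introduced,
+// and are kept for backward compatibility test.
+//
+// *************************************************************
+// * These messages should never be updated, *
+// * only be added when a new version is added, *
+// * or be removed when an old version is no longer supported. *
+// *************************************************************
+//
+// The message bytes are built from the output of `test_pb_from_to()`
+#[test]
+fn test_v105_query_token_info() -> anyhow::Result<()> {
+let query_token_info_v105 = vec![
+8, 1, 18, 17, 112, 97, 114, 101, 110, 116, 95, 116, 111, 107, 101, 110, 95, 104, 97, 115,
+104, 160, 6, 105, 168, 6, 24,
+];
+
+let want = || databend_common_meta_app::principal::user_token::QueryTokenInfo {
+token_type: TokenType::Refresh,
+parent: Some("parent_token_hash".to_string()),
+};
+
+common::test_pb_from_to(func_name!(), want())?;
+common::test_load_old(func_name!(), query_token_info_v105.as_slice(), 105, want())
+}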
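Review bot: The compat fixture only exercises `TokenType::Refresh` (`8, 1` in the bytes) with a `Some` parent, so the `Session` discriminant and the `parent: None` shape never pass through `test_load_old`, and a later renumbering of `Session` would go unnoticed by this test. A second byte vector for a session token without a parent would pin both; per the header comment it can be produced from the output of `test_pb_from_to()`.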
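--- /dev/null
+++ b/PATH_NOT_ON_PAGE_5
@@ -0,0 +1,33 @@
+// Copyright 2021 Datafuse Labs
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// The identifier of a database by name. Names can be changed.
+// There is no guarantee that two get-database request by name will return the
+// same instance.
+
+syntax = "proto3";
+
+package databend_proto;
+
+message TokenInfo {
+uint64 ver = 100;
+uint64 min_reader_ver = 101;
+
+enum TokenType {
+Session = 0;
+Refresh = 2;
+}
+TokenType token_type = 1;
+optional string parent = 2;
+}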
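Review bot: The leading comment (`// The identifier of a database by name. ... same instance.`) is copied from the database ident proto and does not describe `TokenInfo`; replace it with something like `// Metadata stored for a query token: its type and, when set, the parent token whose refresh token is dropped when the session closes.` (the Rust struct's comment on `parent` in this commit is the source for that). The `parent` field would also benefit from a one-line comment saying when it is absent, since the Rust side models it as `Option<String>`.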
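--- /dev/null
+++ b/PATH_NOT_ON_PAGE_6
@@ -0,0 +1,19 @@
+// Copyright 2021 Datafuse Labs
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+mod token_api;
+mod token_mgr;
+
+pub use token_api::TokenApi;
+pub use token_mgr::TokenMgr;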
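--- /dev/null
+++ b/PATH_NOT_ON_PAGE_7
@@ -0,0 +1,31 @@
+// Copyright 2021 Datafuse Labs
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+use databend_common_exception::Result;
+use databend_common_meta_app::principal::user_token::QueryTokenInfo;
+
+#[async_trait::async_trait]
+pub trait TokenApi: Sync + Send {
+async fn upsert_token(
+&self,
+token_hash: &str,
+token_info: QueryTokenInfo,
+ttl_in_secs: u64,
+is_update: bool,
+) -> Result<bool>;
+
+async fn get_token(&self, token_hash: &str) -> Result<Option<QueryTokenInfo>>;
+
+async fn drop_token(&self, token_hash: &str) -> Result<()>;
+}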
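Review bot: `TokenApi` has no documentation, and two parts of `upsert_token` cannot be understood from the signature alone: what `is_update` changes and what the returned `bool` reports. Add `///` docs on the trait and each method covering, for `upsert_token`, the meaning of `is_update` and of the returned flag plus that `ttl_in_secs` is presumably the lifetime after which the entry expires; for `get_token`, whether `None` covers both unknown and expired hashes; for `drop_token`, whether dropping a missing hash is an error. Every method takes `token_hash`, which implies the meta-service only ever sees a hash of the token and never the token itself; say so on the trait (`/// token_hash is the hash of the token, never the raw token.`) so callers keep that boundary. Style: `is_update: bool` is a flag argument that reads poorly at call sites (`upsert_token(h, info, ttl, true)`); a two-variant enum or separate create/update methods would make the intent explicit.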